From hyc at symas.com Sun Nov 2 05:25:28 2008
From: hyc at symas.com (Howard Chu)
Date: Sat, 01 Nov 2008 22:25:28 -0700
Subject: [Fedora-directory-users] dbverify
In-Reply-To: <20081101160007.8A65161B8C8@hormel.redhat.com>
References: <20081101160007.8A65161B8C8@hormel.redhat.com>
Message-ID: <490D39C8.3060301@symas.com>

fedora-directory-users-request at redhat.com wrote:
> Date: Fri, 31 Oct 2008 13:41:46 -0400
> From: Dan Lannom

> I've done exhaustive verification of equality and presence indexes for
> my directory to verify that ldap is working properly so I'm going to
> treat dbverify as buggy for now.

dbverify is certainly not buggy. Most likely you're running on a Little-Endian machine, and FDS is not canonicalizing its keys into Big-Endian format. (Instead it must be using a custom key comparison function internally.) Since dbverify only uses the default key comparison function, it will see the keys as being out of order (even though they're in correct order according to FDS's custom function).

> I can't find any pattern in my data to explain what the bug is though.
> 22 of the 45 indexes are affected
> syntaxes are oid,directorystring,ia5string,integer and telephonenumber
> index types are either e,ep,eps or aeps
>
> I'll fill out a bug report later tonight,
>
> Dan Lannom
>
> I wrote in my earlier email:
>> I plan to migrate to fds from SunOne 5.2 and so I want to validate the
>> system.
>> I'm currently running version 1.1.3-2 of the directory on RHEL 5.2.
>>
>> When I do searches against the server everything seems to work fine, but
>> when I run /usr/lib/dirsrv/slapd-{{hostname}}/dbverify, with the
>> server off, it fails with errors like:
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 2
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 8
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 11
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 14
>> ...
>> [28/Oct/2008:10:52:16 -0400] - libdb: /var/lib/dirsrv/slapd-hume/db/{{SUFFIX}}/{{attribute}}.db4: DB_VERIFY_BAD: Database verification failed
>> [28/Oct/2008:10:52:16 -0400] DB verify - verify failed(-30975): /var/lib/dirsrv/slapd-{{hostname}}/db/userdata/{{attribute}}.db4
>>
>> Reindexing does not change anything and I find the same errors for
>> both i386 and x86_64, and the errors are almost identical for the
>> master and the slaves.
>>
>> Since I can't find any evidence of the indexes identified as corrupted
>> not working, I wonder why dbverify is generating these errors.
>>
>> Thanks for any help,
>>
>> Dan Lannom
>> UM-Dearborn

--
  -- Howard Chu
  CTO, Symas Corp.               http://www.symas.com
  Director, Highland Sun         http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP      http://www.openldap.org/project/

From bbahar3 at gmail.com Sun Nov 2 10:16:08 2008
From: bbahar3 at gmail.com (Eric)
Date: Sun, 2 Nov 2008 13:46:08 +0330
Subject: [Fedora-directory-users] removing an entry using fedora-ds folder
Message-ID: <38a27c8c0811020216l5575ed3egd95f0c8af65d6607@mail.gmail.com>

Hi,
I use fedora-ds 4.0. I had a view part. I made a Role in a wrong part (under another role); after that my ds hanged. slapd and admin are running but I can't open the console to remove that wrong one. When I want to use the command line it can't. The error message is:
ldap_bind: Can't contact LDAP server (-1)
How can I solve the problem?
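Returning to Howard Chu's dbverify reply earlier in this archive: the disagreement he describes (little-endian keys, an application-specific comparator, a verifier that only knows the default byte comparison) can be shown concretely. The Python below is an added example written for this page; it is not code from the thread, Fedora DS or Berkeley DB. The key values are constructed, `default_compare` stands in for the DB's default byte-lexicographic comparison, and `le_uint32_compare` stands in for an application-supplied numeric comparator; none of these names come from either project.

```python
"""Why a verifier using the default key comparison flags keys the application
considers sorted (constructed example; not Fedora DS or libdb code).

A B-tree page holds fixed-width integer index keys.  If the application encodes
them little-endian and orders them with its own numeric comparator, a verifier
that only applies the default byte-lexicographic comparison reports
out-of-order entries.  Re-encoding the same keys big-endian (the canonical
form) makes byte order equal numeric order, so both views agree.
"""
import struct
from typing import Callable, Dict, List

Comparator = Callable[[bytes, bytes], int]


def default_compare(a: bytes, b: bytes) -> int:
    """Byte-lexicographic order: what a verifier uses when no custom comparator is registered."""
    return (a > b) - (a < b)


def le_uint32_compare(a: bytes, b: bytes) -> int:
    """Stand-in for an application comparator: decode little-endian uint32, compare numerically."""
    x = struct.unpack("<I", a)[0]
    y = struct.unpack("<I", b)[0]
    return (x > y) - (x < y)


def out_of_order_entries(keys: List[bytes], compare: Comparator) -> List[int]:
    """Entry positions (0-based) whose key sorts before its predecessor under `compare`.

    Mirrors a 'Page N: out-of-order key at entry E' report: the page is
    accepted only when the returned list is empty.
    """
    return [i for i in range(1, len(keys)) if compare(keys[i - 1], keys[i]) > 0]


def encode_keys(values: List[int], fmt: str) -> List[bytes]:
    """Encode integer keys with a struct format ('<I' little-endian, '>I' big-endian)."""
    return [struct.pack(fmt, v) for v in values]


def canonicalize(le_keys: List[bytes]) -> List[bytes]:
    """Re-encode little-endian keys as big-endian so byte order equals numeric order."""
    return [struct.pack(">I", struct.unpack("<I", k)[0]) for k in le_keys]


# Constructed page contents: numerically sorted, as the application would store them.
SAMPLE_VALUES = [1, 2, 255, 256, 257, 512]


def verify_page(values: List[int] = SAMPLE_VALUES) -> Dict[str, List[int]]:
    """Run the three checks and return the entries each one flags."""
    le_keys = encode_keys(values, "<I")
    return {
        # verifier's view of little-endian keys: flags entries although the app's order is fine
        "le_default": out_of_order_entries(le_keys, default_compare),
        # the application's own comparator accepts the same page
        "le_custom": out_of_order_entries(le_keys, le_uint32_compare),
        # after canonicalizing to big-endian the default comparison agrees as well
        "be_default": out_of_order_entries(canonicalize(le_keys), default_compare),
    }


if __name__ == "__main__":
    for check, flagged in verify_page().items():
        status = "ok" if not flagged else f"out-of-order key at entries {flagged}"
        print(f"{check}: {status}")
```

With the constructed keys, the little-endian page is flagged at entries 3 and 5 (where 256 follows 255 and 512 follows 257: the low byte wraps to 0x00 and sorts before the previous key's low byte), the numeric comparator accepts it, and the big-endian copy passes the default comparison. The practical reading is the one Howard gives: a verifier report of this shape on an otherwise working index points at comparator mismatch, and a canonical key encoding is what lets generic tooling and the application agree.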
From rmeggins at redhat.com Mon Nov 3 16:35:35 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 03 Nov 2008 09:35:35 -0700
Subject: [Fedora-directory-users] removing an entry using fedora-ds folder
In-Reply-To: <38a27c8c0811020216l5575ed3egd95f0c8af65d6607@mail.gmail.com>
References: <38a27c8c0811020216l5575ed3egd95f0c8af65d6607@mail.gmail.com>
Message-ID: <490F2857.7050804@redhat.com>

Eric wrote:
> Hi,
> I use fedora-ds 4.0.
? What version is that?
rpm -qi fedora-ds-base
> I had a view part. I made a Role in a wrong part (under another
> role); after that my ds hanged.
Check your directory server error log.
> slapd and admin are running but I can't open the console to remove that
> wrong one. When I want to use the command line it can't. The error message is:
> ldap_bind: Can't contact LDAP server (-1)
Are you sure slapd is running?
> How can I solve the problem?
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From jad at jadickinson.co.uk Tue Nov 4 12:05:27 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Tue, 4 Nov 2008 12:05:27 +0000
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 41, Issue 24
In-Reply-To: <20081030160008.1FD6E61B45C@hormel.redhat.com>
References: <20081030160008.1FD6E61B45C@hormel.redhat.com>
Message-ID:

On 30 Oct 2008, at 16:00, Rich Megginson wrote:
> John Dickinson wrote:
>> Hi,
>>
>> I am testing what happens when you create a new user and sync it to
>> AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.
>>
>> If I use the console to create a new user and tick the Enable NT User
>> Attributes, Create New NT Account etc the new user appears in AD but
>> is disabled.
>>
>> Looking at the code it seems that send_accountcontrol_modify() gets
>> the userAccountControl settings from AD, adds 0x0200 (Normal Account)
>> and sends it back.
>>
>> Looking at the traffic between Fedora DS and AD it appears that Fedora
>> DS is getting ACCOUNTDISABLE in userAccountControl from AD.
>>
>> Should FedoraDS be unsetting ACCOUNTDISABLE or should AD not be
>> setting it in the first place? If it is a problem with AD then can
>> anyone point me to where I tell it to do the right thing?
> Does AD have some sort of setting that tells it to disable new
> accounts?

Not that I know about. But I am no windows expert.

> What happens if you create new accounts directly in AD?

When you create a new user in windows there is a tick box to disable the account but it is not ticked by default and the user is created in an enabled state.

I see the following when:
- Both Windows and Fedora DS set to enforce no password complexity constraints
- Windows sync agreement and password sync working
- When creating a user in AD only one option is selected by default - user must change password at next login.
- The following options are not ticked by default:
  -- User cannot change password
  -- Password never expires
  -- Account is disabled

create user in AD                  userAccountControl: 512 (Normal)
create user in Fedora DS (console) userAccountControl: 546 (Normal + PASSWD_NOTREQ + ACCOUNTDISABLE)

Would there be anything wrong with Fedora DS just forcing userAccountControl = 512? Or are more options needed in the user creation dialog?
John

From rmeggins at redhat.com Tue Nov 4 15:13:08 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Nov 2008 08:13:08 -0700
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 41, Issue 24
In-Reply-To:
References: <20081030160008.1FD6E61B45C@hormel.redhat.com>
Message-ID: <49106684.4020903@redhat.com>

John Dickinson wrote:
>
> On 30 Oct 2008, at 16:00, Rich Megginson wrote:
>
>> John Dickinson wrote:
>>> Hi,
>>>
>>> I am testing what happens when you create a new user and sync it to
>>> AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.
>>>
>>> If I use the console to create a new user and tick the Enable NT User
>>> Attributes, Create New NT Account etc the new user appears in AD but
>>> is disabled.
>>>
>>> Looking at the code it seems that send_accountcontrol_modify() gets
>>> the userAccountControl settings from AD, adds 0x0200 (Normal Account)
>>> and sends it back.
>>>
>>> Looking at the traffic between Fedora DS and AD it appears that Fedora
>>> DS is getting ACCOUNTDISABLE in userAccountControl from AD.
>>>
>>> Should FedoraDS be unsetting ACCOUNTDISABLE or should AD not be
>>> setting it in the first place? If it is a problem with AD then can
>>> anyone point me to where I tell it to do the right thing?
>> Does AD have some sort of setting that tells it to disable new
>> accounts?
>
> Not that I know about. But I am no windows expert.
>
>> What happens if you create new accounts directly in AD?
>
> When you create a new user in windows there is a tick box to disable
> the account but it is not ticked by default and the user is created in
> an enabled state.
>
> I see the following when:
> - Both Windows and Fedora DS set to enforce no password complexity
> constraints
> - Windows sync agreement and password sync working
> - When creating a user in AD only one option is selected by default -
> user must change password at next login.
> - The following options are not ticked by default:
> -- User cannot change password
> -- Password never expires
> -- Account is disabled
>
> create user in AD                  userAccountControl: 512 (Normal)
> create user in Fedora DS (console) userAccountControl: 546 (Normal +
> PASSWD_NOTREQ + ACCOUNTDISABLE)
>
> Would there be anything wrong with Fedora DS just forcing
> userAccountControl = 512? Or are more options needed in the user
> creation dialog?
I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way it works now is this:
add new AD entry over LDAP - no userAccountControl attribute is present, so it must use some sort of AD default value
read the new AD entry - get the userAccountControl value
set AD entry userAccountControl |= 0x200 # (512 == normal account)

So you might try a simple test - add a new AD entry over LDAP outside of windows sync - see what the default userAccountControl value is - I'm guessing that adding a new AD entry without specifying userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE
>
> John

From hyc at symas.com Tue Nov 4 17:05:44 2008
From: hyc at symas.com (Howard Chu)
Date: Tue, 04 Nov 2008 09:05:44 -0800
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 42, Issue 4
In-Reply-To: <20081104170010.01443619C9D@hormel.redhat.com>
References: <20081104170010.01443619C9D@hormel.redhat.com>
Message-ID: <491080E8.301@symas.com>

> Date: Tue, 04 Nov 2008 08:13:08 -0700
> From: Rich Megginson
> John Dickinson wrote:
>> On 30 Oct 2008, at 16:00, Rich Megginson wrote:
>> create user in AD userAccountControl: 512 (Normal)
>> create user in Fedora DS (console) userAccountControl: 546 (Normal +
>> PASSWD_NOTREQ + ACCOUNTDISABLE)
>>
>> Would there be anything wrong with Fedora DS just forcing
>> userAccountControl = 512?
>> Or are more options needed in the user
>> creation dialog?
> I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way
> it works now is this:
> add new AD entry over LDAP - no userAccountControl attribute is present,
> so it must use some sort of AD default value
> read the new AD entry - get the userAccountControl value
> set AD entry userAccountControl |= 0x200 # (512 == normal account)
>
> So you might try a simple test - add a new AD entry over LDAP outside of
> windows sync - see what the default userAccountControl value is - I'm
> guessing that adding a new AD entry without specifying
> userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE

Yes, users created via LDAP are disabled unless you explicitly provide the userAccountControl attribute (with proper flags) in the LDAP Add operation. I tripped over this myself the first time I loaded up a test database in AD. (It also gave me a Fine Opportunity to time how long it took to LDAP Modify all of the users in my test database. ugh...)

--
  -- Howard Chu
  CTO, Symas Corp.               http://www.symas.com
  Director, Highland Sun         http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP      http://www.openldap.org/project/

From rmeggins at redhat.com Tue Nov 4 18:38:06 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Nov 2008 11:38:06 -0700
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 42, Issue 4
In-Reply-To: <491080E8.301@symas.com>
References: <20081104170010.01443619C9D@hormel.redhat.com> <491080E8.301@symas.com>
Message-ID: <4910968E.1000504@redhat.com>

Howard Chu wrote:
>> Date: Tue, 04 Nov 2008 08:13:08 -0700
>> From: Rich Megginson
>
>> John Dickinson wrote:
>>> On 30 Oct 2008, at 16:00, Rich Megginson wrote:
>
>>> create user in AD userAccountControl: 512 (Normal)
>>> create user in Fedora DS (console) userAccountControl: 546 (Normal +
>>> PASSWD_NOTREQ + ACCOUNTDISABLE)
>>>
>>> Would there be anything wrong with Fedora DS just forcing
>>> userAccountControl = 512?
>>> Or are more options needed in the user
>>> creation dialog?
>> I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way
>> it works now is this:
>> add new AD entry over LDAP - no userAccountControl attribute is present,
>> so it must use some sort of AD default value
>> read the new AD entry - get the userAccountControl value
>> set AD entry userAccountControl |= 0x200 # (512 == normal account)
>>
>> So you might try a simple test - add a new AD entry over LDAP outside of
>> windows sync - see what the default userAccountControl value is - I'm
>> guessing that adding a new AD entry without specifying
>> userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE
>
> Yes, users created via LDAP are disabled unless you explicitly provide
> the userAccountControl attribute (with proper flags) in the LDAP Add
> operation. I tripped over this myself the first time I loaded up a
> test database in AD. (It also gave me a Fine Opportunity to time how
> long it took to LDAP Modify all of the users in my test database. ugh...)
>
Then this is a bug in the winsync code. In the ADD case, it should just force userAccountControl to the Normal value. In the MOD case, it should |= the value. John, can you open a bug about this issue? Thanks.

From david_list at boreham.org Tue Nov 4 18:52:02 2008
From: david_list at boreham.org (David Boreham)
Date: Tue, 04 Nov 2008 11:52:02 -0700
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 42, Issue 4
In-Reply-To: <4910968E.1000504@redhat.com>
References: <20081104170010.01443619C9D@hormel.redhat.com> <491080E8.301@symas.com> <4910968E.1000504@redhat.com>
Message-ID: <491099D2.2000702@boreham.org>

Memory is hazy about this, but I seem to remember that it was done as two steps because AD didn't allow userAccountControl to be set in the ADD. It had to be set by a separate MOD. Perhaps AD has changed since that time in this respect though.
Rich Megginson wrote:
> Howard Chu wrote:
>>> Date: Tue, 04 Nov 2008 08:13:08 -0700
>>> From: Rich Megginson
>>
>>> John Dickinson wrote:
>>>> On 30 Oct 2008, at 16:00, Rich Megginson wrote:
>>
>>>> create user in AD userAccountControl: 512 (Normal)
>>>> create user in Fedora DS (console) userAccountControl: 546 (Normal +
>>>> PASSWD_NOTREQ + ACCOUNTDISABLE)
>>>>
>>>> Would there be anything wrong with Fedora DS just forcing
>>>> userAccountControl = 512? Or are more options needed in the user
>>>> creation dialog?
>>> I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way
>>> it works now is this:
>>> add new AD entry over LDAP - no userAccountControl attribute is
>>> present,
>>> so it must use some sort of AD default value
>>> read the new AD entry - get the userAccountControl value
>>> set AD entry userAccountControl |= 0x200 # (512 == normal account)
>>>
>>> So you might try a simple test - add a new AD entry over LDAP
>>> outside of
>>> windows sync - see what the default userAccountControl value is - I'm
>>> guessing that adding a new AD entry without specifying
>>> userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE
>>
>> Yes, users created via LDAP are disabled unless you explicitly
>> provide the userAccountControl attribute (with proper flags) in the
>> LDAP Add operation. I tripped over this myself the first time I
>> loaded up a test database in AD. (It also gave me a Fine Opportunity
>> to time how long it took to LDAP Modify all of the users in my test
>> database. ugh...)
>>
> Then this is a bug in the winsync code. In the ADD case, it should
> just force userAccountControl to the Normal value. In the MOD case,
> it should |= the value. John, can you open a bug about this issue?
> Thanks.
>

From rmeggins at redhat.com Tue Nov 4 19:27:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 04 Nov 2008 12:27:59 -0700
Subject: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 42, Issue 4
In-Reply-To: <491099D2.2000702@boreham.org>
References: <20081104170010.01443619C9D@hormel.redhat.com> <491080E8.301@symas.com> <4910968E.1000504@redhat.com> <491099D2.2000702@boreham.org>
Message-ID: <4910A23F.6050808@redhat.com>

David Boreham wrote:
>
> Memory is hazy about this, but I seem to remember that it was done as
> two steps because AD didn't allow userAccountControl to be set in the
> ADD. It had to be set by a separate MOD. Perhaps AD has changed since
> that time in this respect though.
No, I broke this in 1.1.3 - it was working fine in 1.1.2.
>
> Rich Megginson wrote:
>> Howard Chu wrote:
>>>> Date: Tue, 04 Nov 2008 08:13:08 -0700
>>>> From: Rich Megginson
>>>
>>>> John Dickinson wrote:
>>>>> On 30 Oct 2008, at 16:00, Rich Megginson wrote:
>>>
>>>>> create user in AD userAccountControl: 512 (Normal)
>>>>> create user in Fedora DS (console) userAccountControl: 546
>>>>> (Normal +
>>>>> PASSWD_NOTREQ + ACCOUNTDISABLE)
>>>>>
>>>>> Would there be anything wrong with Fedora DS just forcing
>>>>> userAccountControl = 512? Or are more options needed in the user
>>>>> creation dialog?
>>>> I'm not sure. 1.1.3 included a "fix" for userAccountControl.
>>>> The way
>>>> it works now is this:
>>>> add new AD entry over LDAP - no userAccountControl attribute is
>>>> present,
>>>> so it must use some sort of AD default value
>>>> read the new AD entry - get the userAccountControl value
>>>> set AD entry userAccountControl |= 0x200 # (512 == normal account)
>>>>
>>>> So you might try a simple test - add a new AD entry over LDAP
>>>> outside of
>>>> windows sync - see what the default userAccountControl value is - I'm
>>>> guessing that adding a new AD entry without specifying
>>>> userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE
>>>
>>> Yes, users created via LDAP are disabled unless you explicitly
>>> provide the userAccountControl attribute (with proper flags) in the
>>> LDAP Add operation. I tripped over this myself the first time I
>>> loaded up a test database in AD. (It also gave me a Fine Opportunity
>>> to time how long it took to LDAP Modify all of the users in my test
>>> database. ugh...)
>>>
>> Then this is a bug in the winsync code. In the ADD case, it should
>> just force userAccountControl to the Normal value. In the MOD case,
>> it should |= the value. John, can you open a bug about this issue?
>> Thanks.
From bbahar3 at gmail.com Wed Nov 5 04:54:41 2008
From: bbahar3 at gmail.com (Eric)
Date: Wed, 5 Nov 2008 08:24:41 +0330
Subject: [Fedora-directory-users] Re:Re: Fedora-directory-users Digest, Vol 42, Issue 3
In-Reply-To: <20081103170007.558E3619818@hormel.redhat.com>
References: <20081103170007.558E3619818@hormel.redhat.com>
Message-ID: <38a27c8c0811042054m5f77eb8dgfa10b309f377d8f5@mail.gmail.com>

Oh, I made a mistake, my ds is version 1.0.4. My questions are:
1. How can I remove a role from ds by using the db or related files? I don't have the console and my command-line part has an error too.
2. I want to use the latest version of fedora ds. I have a backup of my fedora ds version 1.0.4; can I install the latest version on another system (not upgrade this version) and then restore this backup? (I saw that the directories of ds version 1.1 differ from 1.0.)

From erlingre at gmail.com Wed Nov 5 12:23:42 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Wed, 5 Nov 2008 13:23:42 +0100
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To: <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com>
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com>
Message-ID: <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com>

I have managed to make Windows sync work and have one user synced from AD in my directory.
The posixUser attributes are still empty. How do you populate those attributes in an effective way?

If I have an empty directory, and the users already exist in AD, I have been thinking of this manual approach:

1. Perform a full re-sync from AD.
2. Export all the users in directory server to an LDIF file and with scripts populate the needed attributes like uid, shell, home, etc.
3. Write the changes back in directory server.

For new users, if not too many, perform the needed changes manually.

What do you think? Is it possible to do this automatically with Windows Sync or do I have to use approaches like I described?

Thanks,
Erling

From morenisco at noc-root.net Wed Nov 5 13:50:40 2008
From: morenisco at noc-root.net (Morenisco)
Date: Wed, 5 Nov 2008 06:50:40 -0700 (MST)
Subject: [Fedora-directory-users] How to configure Multimaster Replication - doubts with the documentation
Message-ID: <61684.148.87.1.167.1225893040.squirrel@noc-root.net>

Hi,

I worked for almost a year with OID (Oracle Internet Directory), and now I would like to learn Fedora Directory Server with multimaster replication. I'm reviewing the existing documentation and I found information related to multimaster replication at the URL:

http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

But I have the following doubt: in the requirements I understand that I need three scripts: the old-mmr.pl, the newer mmr.pl and the modified mmr.pl. Then, do I really need to apply these three scripts, or can I just use the newer mmr.pl script if I want to use the standard ports?

Thanks a lot.

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
Blog: http://morenisco.belvil.eu

From rmeggins at redhat.com Wed Nov 5 14:24:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 05 Nov 2008 07:24:22 -0700
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To: <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com>
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com>
Message-ID: <4911AC96.9060808@redhat.com>

Erling Ringen Elvsrud wrote:
> I have managed to make Windows sync work and have one user synced from AD in
> my directory.
> The posixUser attributes are still empty. How do you populate those
> attributes in an effective way?
>
You can't, really, and even if you did, they would not be synced. Windows Sync ignores them.
> If I have an empty directory, and the users already exist in AD, I have
> been thinking of this manual approach:
>
> 1. Perform a full re-sync from AD.
> 2. Export all the users in directory server to an LDIF file and with scripts
> populate the needed attributes like uid, shell, home, etc.
> 3. Write the changes back in directory server.
>
> For new users, if not too many, perform the needed changes manually.
>
> What do you think? Is it possible to do this automatically with Windows
> Sync or do I have to use approaches like I described?
>
That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.
> Thanks,
>
> Erling
>

From rmeggins at redhat.com Wed Nov 5 14:25:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 05 Nov 2008 07:25:39 -0700
Subject: [Fedora-directory-users] Re:Re: Fedora-directory-users Digest, Vol 42, Issue 3
In-Reply-To: <38a27c8c0811042054m5f77eb8dgfa10b309f377d8f5@mail.gmail.com>
References: <20081103170007.558E3619818@hormel.redhat.com> <38a27c8c0811042054m5f77eb8dgfa10b309f377d8f5@mail.gmail.com>
Message-ID: <4911ACE3.8020301@redhat.com>

Eric wrote:
> Oh, I made a mistake, my ds is version 1.0.4. My questions are:
> 1. How can I remove a role from ds by using the db or related files? I
> don't have the console and my command-line part has an error too.
You could dump the database to LDIF using db2ldif, then fix the LDIF, then re-import.
> 2. I want to use the latest version of fedora ds. I have a backup of my
> fedora ds version 1.0.4; can I install the latest version on another system
> (not upgrade this version) and then restore this backup? (I saw that
> the directories of ds version 1.1 differ from 1.0.)
There is a migration script provided - migrate-ds-admin.pl

From G.Seaman at lse.ac.uk Wed Nov 5 16:15:34 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Wed, 05 Nov 2008 16:15:34 +0000
Subject: [Fedora-directory-users] enforcing ssl
Message-ID:
<4911C6A6.2050009@lse.ac.uk>

Hi,

I'm trying to set up Fedora DS to be accessible only with SSL. My DS is on a standalone remote server, with most ports firewalled. If I open ports 389 and 636, I can run ldapsearch ok using SSL (the access log shows 'SSL connection.. using 256-bit AES') but I can also choose not to use SSL and still make queries. If I close port 389, I can't connect to the server with or without SSL - I just get 'ldap_start_tls: Can't contact LDAP server (-1)'. This is even if I explicitly specify port 636, not just relying on the '-Z' flag for ldapsearch.

Is it possible to close down non-SSL access? (I am not using the admin server, so this needs to be through manual configuration)

Thanks for any advice

Graham

From rmeggins at redhat.com Wed Nov 5 16:19:05 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 05 Nov 2008 09:19:05 -0700
Subject: [Fedora-directory-users] enforcing ssl
In-Reply-To: <4911C6A6.2050009@lse.ac.uk>
References: <4911C6A6.2050009@lse.ac.uk>
Message-ID: <4911C779.6040303@redhat.com>

Graham Seaman wrote:
> Hi,
>
> I'm trying to set up Fedora DS to be accessible only with SSL. My DS
> is on a standalone remote server, with most ports firewalled. If I
> open ports 389 and 636, I can run ldapsearch ok using SSL (the access
> log shows 'SSL connection.. using 256-bit AES') but I can also choose
> not to use SSL and still make queries. If I close port 389, I can't
> connect to the server with or without SSL - I just get
> 'ldap_start_tls: Can't contact LDAP server (-1)'. This is even if I
> explicitly specify port 636, not just relying on the '-Z' flag for
> ldapsearch.
>
> Is it possible to close down non-SSL access? (I am not using the admin
> server, so this needs to be through manual configuration)
No. There is no way to say "connections on port 389 must use startTLS".
You can set nsslapd-port to 0 in dse.ldif to shut off all ldap traffic and rely solely on ldaps (636), but that will not work with clients that expect startTLS. > > Thanks for any advice > > Graham > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From vitty at altlinux.ru Wed Nov 5 16:52:50 2008 From: vitty at altlinux.ru (Vitaly Kuznetsov) Date: Wed, 05 Nov 2008 19:52:50 +0300 Subject: [Fedora-directory-users] Problems migrating from libdb-4.4 to libdb-4.7 Message-ID: <4911CF62.1080308@altlinux.ru> Hello! I'm trying to build Fedora-DS for ALT Linux project with new libdb-4.7. Old instances use libdb-4.4. I have some problems with data migration. FDS with db4.7 does not want to read old (db4.4) data with errors. I tried to delete logs and do db_upgrade - without success. New instances work fine. Fedora DS versions (old and new) are both 1.1.3. Errors: [05/Nov/2008:13:56:37 +0300] - Fedora-Directory/1.1.3 B2008.310.1047 starting up [05/Nov/2008:13:56:37 +0300] - Clean up db environment and start from archive. 
[05/Nov/2008:13:56:37 +0300] - libdb: Program version 4.7 doesn't match environment version 4.4 [05/Nov/2008:13:56:37 +0300] - libdb: Program version 4.7 doesn't match environment version 4.4 [05/Nov/2008:13:56:37 +0300] - Deleting log file: (/var/lib/fedora-ds/slapd-ldap1/db/log.0000000001) [05/Nov/2008:13:56:37 +0300] - Deleting log file: (/var/lib/fedora-ds/slapd-ldap1/db/log.0000000147) [05/Nov/2008:13:56:38 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [05/Nov/2008:13:56:38 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init [05/Nov/2008:13:56:38 +0300] - Failed to initialize cipher AES in attrcrypt_init [05/Nov/2008:13:56:38 +0300] - libdb: file userRoot/id2entry.db4 has LSN 134/2584752, past end of log at 1/140 [05/Nov/2008:13:56:38 +0300] - libdb: Commonly caused by moving a database from one database environment [05/Nov/2008:13:56:38 +0300] - libdb: to another without clearing the database LSNs, or by removing all of [05/Nov/2008:13:56:38 +0300] - libdb: the log files from a database environment [05/Nov/2008:13:56:38 +0300] - libdb: /var/lib/fedora-ds/slapd-ldap1/db/userRoot/id2entry.db4: unexpected file type or format [05/Nov/2008:13:56:38 +0300] - dbp->open("userRoot/id2entry.db4") failed: Invalid argument (22) [05/Nov/2008:13:56:38 +0300] - dblayer_instance_start fail: Invalid argument (22) [05/Nov/2008:13:56:38 +0300] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES [05/Nov/2008:13:56:38 +0300] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init [05/Nov/2008:13:56:38 +0300] - Failed to initialize cipher AES in attrcrypt_init [05/Nov/2008:13:56:38 +0300] - libdb: file NetscapeRoot/id2entry.db4 has LSN 1/3096357, past end of log at 1/140 [05/Nov/2008:13:56:38 +0300] - libdb: Commonly caused by moving a database from one database environment [05/Nov/2008:13:56:38 +0300] - libdb: to another without clearing the database LSNs, or by removing all of [05/Nov/2008:13:56:38 +0300] - libdb: the log 
files from a database environment [05/Nov/2008:13:56:38 +0300] - libdb: /var/lib/fedora-ds/slapd-ldap1/db/NetscapeRoot/id2entry.db4: unexpected file type or format [05/Nov/2008:13:56:38 +0300] - dbp->open("NetscapeRoot/id2entry.db4") failed: Invalid argument (22) [05/Nov/2008:13:56:38 +0300] - dblayer_instance_start fail: Invalid argument (22) [05/Nov/2008:13:56:38 +0300] - start: Failed to start databases, err=22 Invalid argument [05/Nov/2008:13:56:38 +0300] - Failed to allocate 10000000 byte dbcache. Please reduce nsslapd-cache-autosize and Restart the server. [05/Nov/2008:13:56:38 +0300] - Failed to start database plugin ldbm database [05/Nov/2008:13:56:38 +0300] - WARNING: ldbm instance userRoot already exists [05/Nov/2008:13:56:38 +0300] - WARNING: ldbm instance NetscapeRoot already exists [05/Nov/2008:13:56:38 +0300] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered) [05/Nov/2008:13:56:38 +0300] - start: Resource limit registration failed [05/Nov/2008:13:56:38 +0300] - Failed to start database plugin ldbm database [05/Nov/2008:13:56:38 +0300] - Error: Failed to resolve plugin dependencies [05/Nov/2008:13:56:38 +0300] - Error: preoperation plugin 7-bit check is not started [05/Nov/2008:13:56:38 +0300] - Error: accesscontrol plugin ACL Plugin is not started [05/Nov/2008:13:56:38 +0300] - Error: preoperation plugin ACL preoperation is not started Any ideas? From rmeggins at redhat.com Wed Nov 5 17:14:17 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 05 Nov 2008 10:14:17 -0700 Subject: [Fedora-directory-users] Problems migrating from libdb-4.4 to libdb-4.7 In-Reply-To: <4911CF62.1080308@altlinux.ru> References: <4911CF62.1080308@altlinux.ru> Message-ID: <4911D469.5090408@redhat.com> Vitaly Kuznetsov wrote: > Hello! > > I'm trying to build Fedora-DS for ALT Linux project with new libdb-4.7. > Old instances use libdb-4.4. I have some problems with data migration. 
> FDS with db4.7 does not want to read old (db4.4) data with errors. I > tried to delete logs and do db_upgrade - without success. New instances > work fine. Fedora DS versions (old and new) are both 1.1.3. > Looks like a bug. Please file a bug. In the meantime, you can use db2ldif to export your old data, and ldif2db to import into your new database. > Errors: > > [05/Nov/2008:13:56:37 +0300] - Fedora-Directory/1.1.3 B2008.310.1047 > starting up > [05/Nov/2008:13:56:37 +0300] - Clean up db environment and start from > archive. > [05/Nov/2008:13:56:37 +0300] - libdb: Program version 4.7 doesn't match > environment version 4.4 > [05/Nov/2008:13:56:37 +0300] - libdb: Program version 4.7 doesn't match > environment version 4.4 > [05/Nov/2008:13:56:37 +0300] - Deleting log file: > (/var/lib/fedora-ds/slapd-ldap1/db/log.0000000001) > [05/Nov/2008:13:56:37 +0300] - Deleting log file: > (/var/lib/fedora-ds/slapd-ldap1/db/log.0000000147) > [05/Nov/2008:13:56:38 +0300] - attrcrypt_unwrap_key: failed to unwrap > key for cipher AES > [05/Nov/2008:13:56:38 +0300] - Failed to retrieve key for cipher AES in > attrcrypt_cipher_init > [05/Nov/2008:13:56:38 +0300] - Failed to initialize cipher AES in > attrcrypt_init > [05/Nov/2008:13:56:38 +0300] - libdb: file userRoot/id2entry.db4 has LSN > 134/2584752, past end of log at 1/140 > [05/Nov/2008:13:56:38 +0300] - libdb: Commonly caused by moving a > database from one database environment > [05/Nov/2008:13:56:38 +0300] - libdb: to another without clearing the > database LSNs, or by removing all of > [05/Nov/2008:13:56:38 +0300] - libdb: the log files from a database > environment > [05/Nov/2008:13:56:38 +0300] - libdb: > /var/lib/fedora-ds/slapd-ldap1/db/userRoot/id2entry.db4: unexpected file > type or format > [05/Nov/2008:13:56:38 +0300] - dbp->open("userRoot/id2entry.db4") > failed: Invalid argument (22) > [05/Nov/2008:13:56:38 +0300] - dblayer_instance_start fail: Invalid > argument (22) > [05/Nov/2008:13:56:38 +0300] - 
attrcrypt_unwrap_key: failed to unwrap > key for cipher AES > [05/Nov/2008:13:56:38 +0300] - Failed to retrieve key for cipher AES in > attrcrypt_cipher_init > [05/Nov/2008:13:56:38 +0300] - Failed to initialize cipher AES in > attrcrypt_init > [05/Nov/2008:13:56:38 +0300] - libdb: file NetscapeRoot/id2entry.db4 has > LSN 1/3096357, past end of log at 1/140 > [05/Nov/2008:13:56:38 +0300] - libdb: Commonly caused by moving a > database from one database environment > [05/Nov/2008:13:56:38 +0300] - libdb: to another without clearing the > database LSNs, or by removing all of > [05/Nov/2008:13:56:38 +0300] - libdb: the log files from a database > environment > [05/Nov/2008:13:56:38 +0300] - libdb: > /var/lib/fedora-ds/slapd-ldap1/db/NetscapeRoot/id2entry.db4: unexpected > file type or format > [05/Nov/2008:13:56:38 +0300] - dbp->open("NetscapeRoot/id2entry.db4") > failed: Invalid argument (22) > [05/Nov/2008:13:56:38 +0300] - dblayer_instance_start fail: Invalid > argument (22) > [05/Nov/2008:13:56:38 +0300] - start: Failed to start databases, err=22 > Invalid argument > [05/Nov/2008:13:56:38 +0300] - Failed to allocate 10000000 byte dbcache. > Please reduce nsslapd-cache-autosize and Restart the server. 
> [05/Nov/2008:13:56:38 +0300] - Failed to start database plugin ldbm database
> [05/Nov/2008:13:56:38 +0300] - WARNING: ldbm instance userRoot already exists
> [05/Nov/2008:13:56:38 +0300] - WARNING: ldbm instance NetscapeRoot already exists
> [05/Nov/2008:13:56:38 +0300] binder-based resource limits - nsLookThroughLimit: parameter error (slapi_reslimit_register() already registered)
> [05/Nov/2008:13:56:38 +0300] - start: Resource limit registration failed
> [05/Nov/2008:13:56:38 +0300] - Failed to start database plugin ldbm database
> [05/Nov/2008:13:56:38 +0300] - Error: Failed to resolve plugin dependencies
> [05/Nov/2008:13:56:38 +0300] - Error: preoperation plugin 7-bit check is not started
> [05/Nov/2008:13:56:38 +0300] - Error: accesscontrol plugin ACL Plugin is not started
> [05/Nov/2008:13:56:38 +0300] - Error: preoperation plugin ACL preoperation is not started
>
> Any ideas?

From sigidwu at gmail.com Thu Nov 6 00:58:49 2008 From: sigidwu at gmail.com (sigid@JINLab) Date: Thu, 06 Nov 2008 07:58:49 +0700 Subject: [Fedora-directory-users] How to configure Multimaster Replication - doubts with the documentation In-Reply-To: <61684.148.87.1.167.1225893040.squirrel@noc-root.net> References: <61684.148.87.1.167.1225893040.squirrel@noc-root.net> Message-ID: <49124149.7050702@gmail.com>

Morenisco wrote:
> Hi,
>
> I worked for almost a year with OID (Oracle Internet Directory), and now I would like to learn Fedora Directory Server with multimaster replication.
>
> I'm reviewing the existing documentation and I found information related to multimaster replication in the URL:
>
> http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

AFAIK, the above script only works with FDS 1.0.x, not with FDS 1.1.
As suggested by one of this mailing list's members, I would prefer using the guidance at this link:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Configuring_Multi_Master_Replication.html

--
http://sigidwu.blogspot.com
Save a tree. Don't print this e-mail unless it's necessary.

From G.Seaman at lse.ac.uk Thu Nov 6 10:25:59 2008 From: G.Seaman at lse.ac.uk (Graham Seaman) Date: Thu, 06 Nov 2008 10:25:59 +0000 Subject: [Fedora-directory-users] enforcing ssl In-Reply-To: <4911C779.6040303@redhat.com> References: <4911C6A6.2050009@lse.ac.uk> <4911C779.6040303@redhat.com> Message-ID: <4912C637.8030502@lse.ac.uk>

Rich Megginson wrote:
> Graham Seaman wrote:
>> Is it possible to close down non-SSL access? (I am not using the admin server, so this needs to be through manual configuration)
> No. There is no way to say "connections on port 389 must use startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all ldap traffic and rely solely on ldaps (636), but that will not work with clients that expect startTLS.

I seem to be misunderstanding the general security model around ldap directory connections. I read in the wikipedia article on ldap that use of both ldaps and port 663 is deprecated. Are there any pages on the Fedora DS wiki or elsewhere that describe good practice for safe connections?
Graham From jad at jadickinson.co.uk Thu Nov 6 14:03:42 2008 From: jad at jadickinson.co.uk (John Dickinson) Date: Thu, 6 Nov 2008 14:03:42 +0000 Subject: [Fedora-directory-users] Re: WinSync userAccountControl bug (was Fedora-directory-users Digest, Vol 42, Issue 4) Message-ID: <071A086C-04D2-4FBD-8A03-D2A3D7946569@jadickinson.co.uk> Rich Megginson wrote: > Howard Chu wrote: >>> Date: Tue, 04 Nov 2008 08:13:08 -0700 >>> From: Rich Megginson >> >>> John Dickinson wrote: >>>> On 30 Oct 2008, at 16:00, Rich Megginson >>>> wrote: >> >>>> create user in AD userAccountControl: 512 >>>> (Normal) >>>> create user in Fedora DS (console) userAccountControl: 546 >>>> (Normal + >>>> PASSWD_NOTREQ + ACCOUNTDISABLE) >>>> >>>> Would there be anything wrong with Fedora DS just forcing >>>> userAccountControl = 512? Or are more options needed in the user >>>> creation dialog? >>> I'm not sure. 1.1.3 included a "fix" for userAccountControl. The >>> way >>> it works now is this: >>> add new AD entry over LDAP - no userAccountControl attribute is >>> present, >>> so it must use some sort of AD default value >>> read the new AD entry - get the userAccountControl value >>> set AD entry userAccountControl |= 0x200 # 512 == normal account) >>> >>> So you might try a simple test - add a new AD entry over LDAP >>> outside of >>> windows sync - see what the default userAccountControl value is - >>> I'm >>> guessing that adding a new AD entry without specifying >>> userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE >> >> Yes, users created via LDAP are disabled unless you explicitly >> provide >> the userAccountControl attribute (with proper flags) in the LDAP Add >> operation. I tripped over this myself the first time I loaded up a >> test database in AD. (It also gave me a Fine Opportunity to time how >> long it took to LDAP Modify all of the users in my test database. >> ugh...) >> > Then this is a bug in the winsync code. 
In the ADD case, it should > just > force userAccountControl to the Normal value. In the MOD case, it > should |= the value. John, can you open a bug about this issue? > Thanks. Done - https://bugzilla.redhat.com/show_bug.cgi?id=470224 There are other values of userAccountControl that an administrator might want to set when creating users. One example is DONT_EXPIRE_PASSWORD - so is there a need for the userAccountControl flags to be configurable on a create user dialog such as that in fedora-idm-console or phpldapadmin rather than hard coded? John P.S. Sorry about the totally useless subject line earlier in this thread. From rmeggins at redhat.com Thu Nov 6 14:30:04 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Nov 2008 07:30:04 -0700 Subject: [Fedora-directory-users] enforcing ssl In-Reply-To: <4912C637.8030502@lse.ac.uk> References: <4911C6A6.2050009@lse.ac.uk> <4911C779.6040303@redhat.com> <4912C637.8030502@lse.ac.uk> Message-ID: <4912FF6C.4010107@redhat.com> Graham Seaman wrote: > Rich Megginson wrote: >> Graham Seaman wrote: >>> Is it possible to close down non-SSL access? (I am not using the >>> admin server, so this needs to be through manual configuration) >> No. There is no way to say "connections on port 389 must use >> startTLS". You can set nsslapd-port to 0 in dse.ldif to shut off all >> ldap traffic and rely solely on ldaps (636), but that will not work >> with clients that expect startTLS. > > I seem to be misunderstanding the general security model around ldap > directory connections. I read in the wikipedia article on ldap that > use of both ldaps and port 663 are deprecated. That is correct - however, there are many, many clients that still support ldaps, many of which also do not support startTLS. > Are there any pages on the Fedora DS wiki or elsewhere that describe > good practice for safe connections? It really depends on the client. If the client supports startTLS, I encourage you to use it. 
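The userAccountControl bit arithmetic behind the WinSync report in the thread above, as an added example that is not part of the original posts nor of the winsync plugin: the flag values are Active Directory's documented userAccountControl bits (the thread's "PASSWD_NOTREQ" is Microsoft's PASSWD_NOTREQD), and the "1.1.3" and "proposed" behaviours below follow only what the thread describes.

```python
"""userAccountControl bookkeeping behind the WinSync report in this thread.

Added example, not code from Fedora DS, the winsync plugin, or any poster.
Flag values are Active Directory's documented userAccountControl bits.
"""
from __future__ import annotations

ACCOUNTDISABLE = 0x0002         # 2: account is disabled
PASSWD_NOTREQ = 0x0020          # 32: no password required (AD: PASSWD_NOTREQD)
NORMAL_ACCOUNT = 0x0200         # 512: ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000  # 65536: the extra flag John mentions

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQ: "PASSWD_NOTREQ",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# What the thread reports AD assigns when an LDAP Add omits the attribute:
# the new user reads back as 546 = Normal + PASSWD_NOTREQ + ACCOUNTDISABLE.
AD_DEFAULT_AFTER_LDAP_ADD = NORMAL_ACCOUNT | PASSWD_NOTREQ | ACCOUNTDISABLE


def decode(uac: int) -> list[str]:
    """Names of the known flags set in uac, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def can_logon(uac: int) -> bool:
    """A usable account: NORMAL_ACCOUNT set and ACCOUNTDISABLE clear."""
    return bool(uac & NORMAL_ACCOUNT) and not uac & ACCOUNTDISABLE


def winsync_1_1_3_add(value_read_back: int) -> int:
    """The 1.1.3 behaviour Rich describes: read the value back, OR in 0x200.

    546 already has the 0x200 bit set, so this is a no-op and the account
    stays disabled: the bug John observed.
    """
    return value_read_back | NORMAL_ACCOUNT


def winsync_proposed(operation: str, current: int, requested: int) -> int:
    """The fix proposed in the thread.

    ADD: force the Normal value, ignoring whatever AD defaulted to.
    MOD: OR the requested flags into the existing value, so a flag such as
         DONT_EXPIRE_PASSWORD set by an administrator is kept. Note that
         OR-ing never clears a bit, so a MOD cannot drop ACCOUNTDISABLE.
    """
    if operation == "ADD":
        return NORMAL_ACCOUNT
    if operation == "MOD":
        return current | requested
    raise ValueError(f"unknown operation {operation!r}")


if __name__ == "__main__":
    start = AD_DEFAULT_AFTER_LDAP_ADD
    print("AD default after LDAP Add:", start, decode(start))
    after = winsync_1_1_3_add(start)
    print("after 1.1.3 '|= 0x200':", after, "logon ok:", can_logon(after))
    fixed = winsync_proposed("ADD", start, 0)
    print("proposed ADD:", fixed, "logon ok:", can_logon(fixed))
    mod = winsync_proposed("MOD", fixed, DONT_EXPIRE_PASSWORD)
    print("proposed MOD with DONT_EXPIRE_PASSWORD:", mod, decode(mod))
```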
From rmeggins at redhat.com Thu Nov 6 14:30:51 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Nov 2008 07:30:51 -0700 Subject: [Fedora-directory-users] Re: WinSync userAccountControl bug (was Fedora-directory-users Digest, Vol 42, Issue 4) In-Reply-To: <071A086C-04D2-4FBD-8A03-D2A3D7946569@jadickinson.co.uk> References: <071A086C-04D2-4FBD-8A03-D2A3D7946569@jadickinson.co.uk> Message-ID: <4912FF9B.2060006@redhat.com>

John Dickinson wrote:
> Rich Megginson wrote:
>
>> Howard Chu wrote:
>>>> Date: Tue, 04 Nov 2008 08:13:08 -0700
>>>> From: Rich Megginson
>>>
>>>> John Dickinson wrote:
>>>>> On 30 Oct 2008, at 16:00, Rich Megginson wrote:
>>>
>>>>> create user in AD userAccountControl: 512 (Normal)
>>>>> create user in Fedora DS (console) userAccountControl: 546 (Normal + PASSWD_NOTREQ + ACCOUNTDISABLE)
>>>>>
>>>>> Would there be anything wrong with Fedora DS just forcing userAccountControl = 512? Or are more options needed in the user creation dialog?
>>>> I'm not sure. 1.1.3 included a "fix" for userAccountControl. The way it works now is this:
>>>> add new AD entry over LDAP - no userAccountControl attribute is present, so it must use some sort of AD default value
>>>> read the new AD entry - get the userAccountControl value
>>>> set AD entry userAccountControl |= 0x200 # 512 == normal account)
>>>>
>>>> So you might try a simple test - add a new AD entry over LDAP outside of windows sync - see what the default userAccountControl value is - I'm guessing that adding a new AD entry without specifying userAccountControl sets it to PASSWD_NOTREQ + ACCOUNTDISABLE
>>>
>>> Yes, users created via LDAP are disabled unless you explicitly provide the userAccountControl attribute (with proper flags) in the LDAP Add operation.
I tripped over this myself the first time I loaded up a test database in AD. (It also gave me a Fine Opportunity to time how long it took to LDAP Modify all of the users in my test database. ugh...)
>>>
>> Then this is a bug in the winsync code. In the ADD case, it should just force userAccountControl to the Normal value. In the MOD case, it should |= the value. John, can you open a bug about this issue? Thanks.
>
> Done - https://bugzilla.redhat.com/show_bug.cgi?id=470224

Thanks.

> There are other values of userAccountControl that an administrator might want to set when creating users. One example is DONT_EXPIRE_PASSWORD - so is there a need for the userAccountControl flags to be configurable on a create user dialog such as that in fedora-idm-console or phpldapadmin rather than hard coded?

Probably, but that's for another bug/enhancement request.

> John
>
> P.S. Sorry about the totally useless subject line earlier in this thread.

From hugo.etievant at inrp.fr Thu Nov 6 15:02:50 2008 From: hugo.etievant at inrp.fr (Hugo Etievant) Date: Thu, 06 Nov 2008 16:02:50 +0100 Subject: [Fedora-directory-users] Discussion about "Configuration DS" & "User DS" settings in Admin Server Console Message-ID: <4913071A.40708@inrp.fr>

hello,

In the general "Configuration" tab of the "Administration Server" Console, what are the differences between the connection settings in the "User DS" and "Configuration DS" tabs? These settings are redundant, no?
"User DS" settings are used by the Administration Server to connect to the Directory Server configuration database (netscapeRoot). But what additional information is supplied by "Configuration DS"?
bye

--
Hugo Étiévant

From rmeggins at redhat.com Thu Nov 6 15:41:41 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Nov 2008 08:41:41 -0700 Subject: [Fedora-directory-users] Discussion about "Configuration DS" & "User DS" settings in Admin Server Console In-Reply-To: <4913071A.40708@inrp.fr> References: <4913071A.40708@inrp.fr> Message-ID: <49131035.5070700@redhat.com>

Hugo Etievant wrote:
> hello,
>
> In the general "Configuration" tab of the "Administration Server" Console, what are the differences between the connection settings in the "User DS" and "Configuration DS" tabs?
> These settings are redundant, no?
> "User DS" settings are used by the Administration Server to connect to the Directory Server configuration database (netscapeRoot).
No, that is what "Configuration DS" is for.
> But what additional information is supplied by "Configuration DS"?
Fedora DS supports the idea of having a separate directory server used for User&Group and other organizational data, and a directory server exclusively for Configuration (console & admin server) data. However, by default, these are usually one and the same, and for most folks this is fine.
>
> bye

From erlingre at gmail.com Thu Nov 6 19:54:33 2008 From: erlingre at gmail.com (Erling Ringen Elvsrud) Date: Thu, 6 Nov 2008 20:54:33 +0100 Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes? In-Reply-To: <4911AC96.9060808@redhat.com> References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> Message-ID: <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com>

On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson wrote:
[...]
> That should work. But note that posix attributes will not sync to AD.
And > even if you did manage to find a posix schema that worked with AD, and added > the posix schema on the AD side, those attributes would not be synced to > Fedora DS. Thanks for your answer. I start to wonder if Windows sync is worth the trouble. At my site we will probably not implement password sync as the AD-side is very restrictive about installing anything. So what I get is basically a skeleton that I have to populate with the posixUser attributes. Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side, which might not be enough for all policing needs (may need netgroups in addition). We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother? Erling From rmeggins at redhat.com Thu Nov 6 20:00:35 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 06 Nov 2008 13:00:35 -0700 Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes? In-Reply-To: <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> Message-ID: <49134CE3.2020707@redhat.com> Erling Ringen Elvsrud wrote: > On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson wrote: > [...] > >> That should work. But note that posix attributes will not sync to AD. And >> even if you did manage to find a posix schema that worked with AD, and added >> the posix schema on the AD side, those attributes would not be synced to >> Fedora DS. >> > > Thanks for your answer. > > I start to wonder if Windows sync is worth the trouble. At my site we > will probably not implement password sync as the AD-side is very > restrictive about installing anything. 
I hear this all the time - AD admins are very touchy about installing anything, especially some piece of random open source software that's going to intercept clear text passwords and send them who-knows-where
> So what I get is basically a skeleton that I have to populate with the posixUser attributes.
>
> Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side,
Yes. But note - not posix groups (posixGroup) but plain groups (groupOfUniqueNames)
> which might not be enough for all policing needs (may need netgroups in addition).
>
Sure.
> We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother?
>
I suggest you take a look at Penrose http://docs.safehaus.org/display/PENROSE/Home
> Erling

From philipp.rusch at gw-world.com Fri Nov 7 07:55:51 2008 From: philipp.rusch at gw-world.com (Rusch Philipp pru09) Date: Fri, 7 Nov 2008 08:55:51 +0100 Subject: [Fedora-directory-users] Exporting the Fedora DS certificate Message-ID:

Hi together,

I have successfully set up my directory server. For a disaster tolerant topology I want to load balance the two servers over an F5 LTM load balancer. My problem is that I have tried to export the certificate (I have a self-generated one) without a result. The load balancer could only read certificates in PEM format. So, if any of you know what type of certificate the DS uses, let me know about it ;-)

The certificate was generated with the gencert.sh script which is available under http://github.com/richm/scripts/tree/master%2Fsetupssl.sh?raw=true

I don't know very much about the SSL stuff so I am not sure if I have tried the right tools/commands.

Which one is the certificate, the slapd-yourhost-cert8.db, or is it only stored in there?

Thank you in advance!
Cheers
phru

From nicolas.carel at inrp.fr Fri Nov 7 08:46:04 2008 From: nicolas.carel at inrp.fr (Nicolas CAREL) Date: Fri, 07 Nov 2008 09:46:04 +0100 Subject: [Fedora-directory-users] Exporting the Fedora DS certificate In-Reply-To: References: Message-ID: <4914004C.7070303@inrp.fr>

Hi all,

Rusch Philipp pru09 wrote:
> Hi together,
>
> I have successfully set up my directory server. For a disaster tolerant topology I want to load balance the two servers over an F5 LTM load balancer. My problem is that I have tried to export the certificate (I have a self-generated one) without a result. The load balancer could only read certificates in PEM format. So, if any of you know what type of certificate the DS uses, let me know about it ;-)
>
> The certificate was generated with the gencert.sh script which is available under
> http://github.com/richm/scripts/tree/master%2Fsetupssl.sh?raw=true
>
> I don't know very much about the SSL stuff so I am not sure if I have tried the right tools/commands.
>
> Which one is the certificate, the slapd-yourhost-cert8.db, or is it only stored in there?
>
> Thank you in advance!
>
> Cheers
> phru

I had the same issue exporting my certificate in pkcs12 format to import it into the radius part of my authentication server. Indeed, there are two certificates in the pkcs12 file for chaining with the root certificate; you must specify the right options to extract only the good one (or edit the pem on your own to cut off the bad one).

# certutil -d . -L
# pk12util -d . -o ldap-server.pk12 -n "certificate name"
# pk12util -d /etc/dirsrv/slapd-server/ -i ldap-server.pk12 -n "certificate name"
# openssl pkcs12 -clcerts : no client certificate -cacerts : no CA certificate

I think the option -cacerts will fix your issue as it fixed mine.
In fact, it's a bug with poor implementations of pem file reading (like freeradius does).

Hope it helps.

Regards.

--
Nicolas CAREL
Service Commun Informatique
Head of department
Tel: 04 72 76 61 43 - e-mail: nicolas.carel at inrp.fr
Institut National de Recherche Pédagogique
19 allée de Fontenay - B.P. 17424 - 69347 LYON CEDEX 07
Switchboard: 04 72 76 61 00 - Fax: 04 72 76 61 10

From philipp.rusch at gw-world.com Fri Nov 7 09:17:29 2008 From: philipp.rusch at gw-world.com (Rusch Philipp pru09) Date: Fri, 7 Nov 2008 10:17:29 +0100 Subject: [Fedora-directory-users] Exporting the Fedora DS certificate Message-ID:

I had the same issue exporting my certificate in pkcs12 format to import it into the radius part of my authentication server. Indeed, there are two certificates in the pkcs12 file for chaining with the root certificate; you must specify the right options to extract only the good one (or edit the pem on your own to cut off the bad one).

# certutil -d . -L
# pk12util -d . -o ldap-server.pk12 -n "certificate name"
# pk12util -d /etc/dirsrv/slapd-server/ -i ldap-server.pk12 -n "certificate name"
# openssl pkcs12 -clcerts : no client certificate -cacerts : no CA certificate

I think the option -cacerts will fix your issue as it fixed mine.

In fact, it's a bug with poor implementations of pem file reading (like freeradius does).

Hope it helps.

Regards.

--
Nicolas CAREL
Service Commun Informatique
Head of department
Tel: 04 72 76 61 43 - e-mail: nicolas carel inrp fr
Institut National de Recherche Pédagogique
19 allée de Fontenay - B.P.
17424 - 69347 LYON CEDEX 07
Switchboard: 04 72 76 61 00 - Fax: 04 72 76 61 10

Hi,

Thank you for your help. I am using fedora-ds 1.0.4-1 (RH4). When I try to run the certutil -d . -L command there is no output or certificate available?! Where is the mistake?

/opt/fedora-ds/alias
/opt/fedora-ds/shared/bin/certutil -d . -L

In the directory /opt/fedora-ds/alias I have the following files:
admin-serv-host-cert8.db admin-serv-host-key3.db adminserver.p12 cacert.asc cert8.db gencert.sh key3.db libnssckbi.so noise.txt password.conf pwdfile.txt secmod.db slapd-host-cert8.db slapd-host-cert8.db.bak slapd-host-key3.db slapd-host-key3.db.bak slapd-host-pin.txt

The secured LDAP connection from a client to the server is working properly, therefore I think the certificates are installed right.

Thank you in advance

Regards
Phru

From kenneho.ndu at gmail.com Fri Nov 7 11:30:45 2008 From: kenneho.ndu at gmail.com (Kenneth Holter) Date: Fri, 7 Nov 2008 12:30:45 +0100 Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes? In-Reply-To: <49134CE3.2020707@redhat.com> References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com> Message-ID:

I'm not very into fedora/redhat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines. It is possible to get this working, however, through a series of manual steps.
So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD? Regards, Kenneth Holter On 11/6/08, Rich Megginson wrote: > > Erling Ringen Elvsrud wrote: > >> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson >> wrote: >> [...] >> >> >>> That should work. But note that posix attributes will not sync to AD. >>> And >>> even if you did manage to find a posix schema that worked with AD, and >>> added >>> the posix schema on the AD side, those attributes would not be synced to >>> Fedora DS. >>> >>> >> >> Thanks for your answer. >> >> I start to wonder if Windows sync is worth the trouble. At my site we >> will probably not implement password sync as the AD-side is very >> restrictive about installing anything. >> > I hear this all the time - AD admins are very touchy about installing > anything, especially some piece of random open source software that's going > to intercept clear text passwords and send them who-knows-where > >> So what I get is basically a >> skeleton that I have to populate with the posixUser attributes. >> >> Another issue is groups in AD. I suppose those groups will become >> regular unix-groups on the directory server side, >> > Yes. But note - not posix groups (posixGroup) but plain groups > (groupOfUniqueNames) > >> which might not >> be enough for all policing needs (may need netgroups in addition). >> >> > Sure. > >> We will probably have maximum a few hundred users in the directory, do >> you think Windows-sync is worth the bother? 
> I suggest you take a look at Penrose
> http://docs.safehaus.org/display/PENROSE/Home
>
>> Erling
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From hugo.etievant at inrp.fr Fri Nov 7 13:25:58 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Fri, 07 Nov 2008 14:25:58 +0100
Subject: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
Message-ID: <491441E6.1010307@inrp.fr>

hello,

I discovered a strange behavior with Active Directory LDAP protocol !

My config :
- an Active Directory on MS Windows Server 2003 SP2 + PassSync service
- a Fedora Directory Server 1.1.3 + Replication Agreement for Windows synchronization

Bidirectional synchronization of accounts is running, it is OKAY.

When an administrator resets a user's password with Administration Server Console, this user can connect to Windows LDAP with the new password chosen by the administrator (the sync of password is OK), but this user can also use the previous password (big surprise) !
=> both are accepted by Windows LDAP : the last and the previous password !!!

How can that be possible ???!
And how to stop this strange behavior ?

User connections are made with the ldapsearch command :

/usr/lib/mozldap/ldapsearch -h adfds -P /etc/dirsrv/slapd-fds3/ -m /etc/dirsrv/slapd-fds3/ -D "cn=Gontran Bonheur,cn=Users,dc=example,dc=fr" -b "cn=Users,dc=example,dc=fr" -w - "(cn=Gontran Bonheur)" dn

This request accepts the new and the previous passwords !!!!!!

If I force "Send and Receive Updates Now" in the Console, the behavior does not change.

If my user uses Windows login banner, this behavior doesn't appear.

Regards.
--
* Hugo Étiévant
***

From philipp.rusch at gw-world.com Thu Nov 6 16:34:06 2008
From: philipp.rusch at gw-world.com (Rusch Philipp pru09)
Date: Thu, 6 Nov 2008 17:34:06 +0100
Subject: [Fedora-directory-users] Exporting the Fedora DS certificate
Message-ID:

Hi together,

I have successfully set up my directory server. For a disaster tolerant topology I want to load balance the two servers over an F5 LTM load balancer. My problem is that I have tried to export the certificate ( I have a self generated one ) without a result. The load balancer could only read certificates in pem format. So, if anyone of you knows what type of certificate the DS uses, let me know about it ;-)

The certificate was generated with the gencert.sh script which is available under

http://github.com/richm/scripts/tree/master%2Fsetupssl.sh?raw=true

I don't know very much about the SSL stuff so I am not sure if I have tried the right tools/commands.

Which one is the certificate, the slapd-yourhost-cert8.db, or is it only stored in there?

Thank you in advance!

Cheers
phru

From rmeggins at redhat.com Fri Nov 7 15:30:02 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 07 Nov 2008 08:30:02 -0700
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To:
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com>
Message-ID: <49145EFA.9050501@redhat.com>

Kenneth Holter wrote:
> I'm not very into fedora/redhat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines.

I'm not sure what you mean by that. Do you mean because the posix attributes are not synced, you cannot create a user in AD that is synced to Fedora DS and Linux machine login "just works" with no additional work?

> It is possible to get this working, however, through a series of manual steps. So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD?

I think most people use it to sync passwords, so that you can have the same password on AD as Unix/Linux, and when you change the password on one side, that change is synced to the other side.

> Regards,
> Kenneth Holter
>
> On 11/6/08, *Rich Megginson* wrote:
>> Erling Ringen Elvsrud wrote:
>>> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson wrote:
>>> [...]
>>>> That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.
>>>
>>> Thanks for your answer.
>>>
>>> I start to wonder if Windows sync is worth the trouble. At my site we will probably not implement password sync as the AD-side is very restrictive about installing anything.
>>
>> I hear this all the time - AD admins are very touchy about installing anything, especially some piece of random open source software that's going to intercept clear text passwords and send them who-knows-where
>>
>>> So what I get is basically a skeleton that I have to populate with the posixUser attributes.
>>>
>>> Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side,
>>
>> Yes. But note - not posix groups (posixGroup) but plain groups (groupOfUniqueNames)
>>
>>> which might not be enough for all policing needs (may need netgroups in addition).
>>
>> Sure.
>>
>>> We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother?
>>
>> I suggest you take a look at Penrose
>> http://docs.safehaus.org/display/PENROSE/Home
>>
>>> Erling

From rmeggins at redhat.com Fri Nov 7 15:31:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 07 Nov 2008 08:31:13 -0700
Subject: [Fedora-directory-users] Exporting the Fedora DS certificate
In-Reply-To:
References:
Message-ID: <49145F41.4020506@redhat.com>

Rusch Philipp pru09 wrote:
> Hi together,
>
> I have successfully set up my directory server. For a disaster tolerant topology I want to load balance the two servers over an F5 LTM load balancer. My problem is that I have tried to export the certificate ( I have a self generated one ) without a result.
> The load balancer could only read certificates in pem format. So, if anyone of you knows what type of certificate the DS uses, let me know about it ;-)
>
> The certificate was generated with the gencert.sh script which is available under
>
> http://github.com/richm/scripts/tree/master%2Fsetupssl.sh?raw=true
>
> I don't know very much about the SSL stuff so I am not sure if I have tried the right tools/commands.
>
> Which one is the certificate, the slapd-yourhost-cert8.db, or is it only stored in there?

What version of Fedora DS are you using? Do you need both the cert and the key, or just the cert?

> Thank you in advance!
>
> Cheers
>
> phru

From vipulramani at gmail.com Fri Nov 7 22:33:51 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Fri, 7 Nov 2008 14:33:51 -0800
Subject: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
Message-ID:

Well, it is not an FDS problem - this is something MS changed in win2003

http://support.microsoft.com/?kbid=906305

--
Regards
Vipul Ramani

From erlingre at gmail.com Mon Nov 10 07:21:24 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Mon, 10 Nov 2008 08:21:24 +0100
Subject: [Fedora-directory-users] Errors when a full re-sync is initiated in Windows Sync. Could temp. changes in binding-user rights be the cause?
Message-ID: <664c5a070811092321r295dc617vbd5b4a1cec64b9db@mail.gmail.com>

When right clicking on the win-sync agreement and selecting initiate full re-synchronization I get these errors in /var/log/dirsrv/slapd-xyz/errors:

"[10/Nov/2008:08:05:52 +0100] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: 26fdcb82-912411dd-8d71b7a1-43daa7e9_48e5d6030000ffff0000.db4: unable to flush: No such file or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: 26fdcb82-912411dd-8d71b7a1-43daa7e9_48e5d6030000ffff0000.db4: unable to flush: No such file or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory"

A dialog box also appears with the following text:

"An error occured during the consumer initialization
The error received by the replica is '12 Total update aborted: Replication agreement for agmnt=xyz can not be updated while the replica is disabled (if the suffix is disabled you must enable it then restart the server for replication to take place).'.
To check the initialization status, go to the 'status' tab and click on 'Replication status' in the left pane. The status of the initialization appears in the right pane."

Before the problems occurred we temporarily disabled "domain admins" rights for the user Windows Sync uses to bind to AD. While the binding-user only had read access for the suffix we wanted to sync with, we started a full re-sync (with the errors above). The dirsrv was also restarted. We have re-enabled "domain admins" rights for the binding-user but the errors still appear.
The directory server is searchable and seems to work except for syncing.

Could it be that the temporary changes in rights for the binding-user could have caused this?

Also, is it absolutely needed to have domain admin rights for the binding-user RHDS uses to connect to AD? We do not want to write any changes back to AD and those attributes synced with Windows sync will not be changed anyway.

Thanks,

Erling

From kenneho.ndu at gmail.com Mon Nov 10 07:54:38 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Mon, 10 Nov 2008 08:54:38 +0100
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To: <49145EFA.9050501@redhat.com>
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com> <49145EFA.9050501@redhat.com>
Message-ID:

Thank you for your reply.

Yes you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.

Is it so that one usually has an AD/DS setup like this:

- users/passwords are synced from AD to DS
- the new users are exported to ldif file, added things such as posix attributes, and reimported into DS
- users can now log into linux servers (via SSH) that are properly configured as LDAP clients

? Just trying to get an understanding of how one usually sets up AD and DS to work together.
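The middle step of the setup Kenneth sketches (export the synced users, add posix attributes, reimport) can also be done in place by feeding ldapmodify an LDIF of modify records, one per synced user. The following is an added shell example, not code from this thread or from Fedora DS: it emits the modify records and refuses the whole batch if two users would receive the same uidNumber, since a duplicated uidNumber makes two accounts share file ownership on every Linux client. The people container ou=People,dc=example,dc=com, the sample "uid uidNumber gidNumber" lines, and the /home/<uid> and /bin/bash defaults are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora DS): generate the LDIF that
# turns AD-synced user entries in DS into posixAccount entries.

# posix_modify_ldif BASE UID UIDNUMBER GIDNUMBER HOMEDIR SHELL
# Emit one LDIF modify record adding the posixAccount object class, the
# attributes it requires (uidNumber, gidNumber, homeDirectory) and loginShell.
posix_modify_ldif() {
  printf 'dn: uid=%s,%s\n' "$2" "$1"
  printf 'changetype: modify\n'
  printf 'add: objectClass\nobjectClass: posixAccount\n-\n'
  printf 'add: uidNumber\nuidNumber: %s\n-\n' "$3"
  printf 'add: gidNumber\ngidNumber: %s\n-\n' "$4"
  printf 'add: homeDirectory\nhomeDirectory: %s\n-\n' "$5"
  printf 'add: loginShell\nloginShell: %s\n\n' "$6"
}

# posix_batch_ldif BASE < "uid uidNumber gidNumber" lines
# Checks that no uidNumber is assigned twice before emitting any record, so a
# half-applied batch cannot leave two accounts sharing file ownership.
posix_batch_ldif() {
  base=$1
  input=$(cat)
  dups=$(printf '%s\n' "$input" | awk 'NF >= 2 { print $2 }' | sort | uniq -d)
  if [ -n "$dups" ]; then
    printf 'duplicate uidNumber(s), nothing emitted: %s\n' "$dups" >&2
    return 1
  fi
  printf '%s\n' "$input" | while read -r uid uidn gidn; do
    [ -n "$uid" ] || continue
    posix_modify_ldif "$base" "$uid" "$uidn" "$gidn" "/home/$uid" /bin/bash
  done
}

# Constructed sample batch (assumed values); in practice the list comes from
# whoever owns uid/gid allocation at the site.
SAMPLE_USERS='jdoe 10001 10001
asmith 10002 10001'

# Usage: generate, inspect, then apply as Directory Manager, e.g.
#   printf '%s\n' "$SAMPLE_USERS" | posix_batch_ldif ou=People,dc=example,dc=com > posix.ldif
#   ldapmodify -x -H ldap://ds.example.com -D "cn=Directory Manager" -W -f posix.ldif
# (the mozldap ldapmodify shipped with older Fedora DS takes -h/-p instead of -H)
```

The records use `changetype: modify` rather than a full re-add so that the attributes Windows Sync maintains on the entry (and the entry's existing object classes) are left untouched; only the posix attributes are added.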
On 11/7/08, Rich Megginson wrote:
> Kenneth Holter wrote:
>> I'm not very into fedora/redhat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines.
>
> I'm not sure what you mean by that. Do you mean because the posix attributes are not synced, you cannot create a user in AD that is synced to Fedora DS and Linux machine login "just works" with no additional work?
>
>> It is possible to get this working, however, through a series of manual steps. So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD?
>
> I think most people use it to sync passwords, so that you can have the same password on AD as Unix/Linux, and when you change the password on one side, that change is synced to the other side.
>
>> Regards,
>> Kenneth Holter
>>
>> On 11/6/08, *Rich Megginson* wrote:
>>> Erling Ringen Elvsrud wrote:
>>>> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson wrote:
>>>> [...]
>>>>> That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.
>>>>
>>>> Thanks for your answer.
>>>>
>>>> I start to wonder if Windows sync is worth the trouble. At my site we will probably not implement password sync as the AD-side is very restrictive about installing anything.
>>>
>>> I hear this all the time - AD admins are very touchy about installing anything, especially some piece of random open source software that's going to intercept clear text passwords and send them who-knows-where
>>>
>>>> So what I get is basically a skeleton that I have to populate with the posixUser attributes.
>>>>
>>>> Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side,
>>>
>>> Yes. But note - not posix groups (posixGroup) but plain groups (groupOfUniqueNames)
>>>
>>>> which might not be enough for all policing needs (may need netgroups in addition).
>>>
>>> Sure.
>>>
>>>> We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother?
>>>
>>> I suggest you take a look at Penrose
>>> http://docs.safehaus.org/display/PENROSE/Home
>>>
>>>> Erling

From philipp.rusch at gw-world.com Mon Nov 10 09:11:22 2008
From: philipp.rusch at gw-world.com (Rusch Philipp pru09)
Date: Mon, 10 Nov 2008 10:11:22 +0100
Subject: [Fedora-directory-users] Exporting the Fedora DS certificate
Message-ID:

Hi,

Thank you for your help. I am using fedora-ds 1.0.4-1 (RH4).
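Philipp's file listing earlier in this thread explains the empty `certutil -d . -L` output: the server's NSS databases in /opt/fedora-ds/alias carry a filename prefix (slapd-host-cert8.db, admin-serv-host-cert8.db), and certutil opens only the unprefixed cert8.db unless the prefix is passed with -P. The following is an added shell example, not code from this thread or from Fedora DS: it discovers the prefixes present in an alias directory, lists each database, and exports a certificate together with its private key to PEM (the format the F5 asks for) through pk12util and openssl. The nickname Server-Cert, the use of pwdfile.txt from the listing as the NSS token password file (and, for simplicity, as the PKCS#12 password file too), and the output paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora DS). Assumes an NSS database
# directory laid out like /opt/fedora-ds/alias in the listing above, with
# pwdfile.txt holding the NSS token password.

# nss_prefixes DIR: print one line per cert8.db found in DIR, containing the
# filename prefix (an empty line for the plain cert8.db). The .bak copies do
# not match the pattern and are skipped.
nss_prefixes() {
  for f in "$1"/*cert8.db; do
    [ -e "$f" ] || continue
    b=${f##*/}
    printf '%s\n' "${b%cert8.db}"
  done
}

# nss_list DIR: list the certificates in every database under DIR, passing -P
# for the prefixed ones so certutil no longer opens only the plain cert8.db.
nss_list() {
  dir=$1
  nss_prefixes "$dir" | while IFS= read -r p; do
    echo "== $dir/${p}cert8.db =="
    if [ -n "$p" ]; then
      certutil -d "$dir" -P "$p" -L
    else
      certutil -d "$dir" -L
    fi
  done
}

# nss_export_pem DIR PREFIX NICK OUTBASE: export certificate + private key of
# NICK to OUTBASE.p12, then to OUTBASE.pem with the key unencrypted (-nodes),
# which is what a load balancer expecting PEM consumes. Both files contain the
# private key, so they are created under umask 077 in a subshell.
nss_export_pem() {
  dir=$1 prefix=$2 nick=$3 out=$4
  pw="$dir/pwdfile.txt"
  (
    umask 077
    if [ -n "$prefix" ]; then
      pk12util -o "$out.p12" -n "$nick" -d "$dir" -P "$prefix" -k "$pw" -w "$pw"
    else
      pk12util -o "$out.p12" -n "$nick" -d "$dir" -k "$pw" -w "$pw"
    fi
    openssl pkcs12 -in "$out.p12" -out "$out.pem" -nodes -passin "file:$pw"
  )
}

# Usage (not run automatically), with the assumed nickname Server-Cert:
#   nss_list /opt/fedora-ds/alias
#   nss_export_pem /opt/fedora-ds/alias slapd-host- Server-Cert /root/slapd-host
```

The exported PEM carries the server's private key in clear, so it should be moved onto the load balancer over an authenticated channel and the local copy removed once the import is confirmed.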
I need both, the certificate and the key.

Rgds
Phru

From bbahar3 at gmail.com Mon Nov 10 10:19:30 2008
From: bbahar3 at gmail.com (Eric)
Date: Mon, 10 Nov 2008 13:49:30 +0330
Subject: [Fedora-directory-users] remote connection to console
Message-ID: <38a27c8c0811100219v51ec6123tf531df5243b39c50@mail.gmail.com>

Hi,

There was a fedora ds version 1.0.4. The admin had a remote console via an intermediate machine using an ssh tunnel. The fedora-ds folder was destroyed, then I replaced it with a copy of the fedora-ds folder from another installation. The server works well but the admin hasn't a remote console.

The ssh file that worked before is:

ssh -L 389:<ldap server IP>:389 -L 8080:<ldap server IP>:<port of fedora-ds installation> -l admin <intermediate machine IP>

I only changed the port number of the fedora-ds installation to the new port number. Should I change another thing?

From yersinia.spiros at gmail.com Mon Nov 10 11:48:21 2008
From: yersinia.spiros at gmail.com (yersinia)
Date: Mon, 10 Nov 2008 12:48:21 +0100
Subject: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
In-Reply-To:
References: <491441E6.1010307@inrp.fr>
Message-ID:

> Not so strange. It is a Windows Feature well known (sigh)
>
> On Fri, Nov 7, 2008 at 2:25 PM, Hugo Etievant wrote:
>> hello,
>>
>> I discovered a strange behavior with Active Directory LDAP protocol !
>>
>> My config :
>> - an Active Directory on MS Windows Server 2003 SP2 + PassSync service
>> - a Fedora Directory Server 1.1.3 + Replication Agreement for Windows synchronization
>>
>> Bidirectional synchronization of accounts is running, it is OKAY.
>>
>> When an administrator resets a user's password with Administration Server Console, this user can connect to Windows LDAP with the new password chosen by the administrator (the sync of password is OK), but this user can also use the previous password (big surprise) !
>> => both are accepted by Windows LDAP : the last and the previous password !!!
>>
>> How can that be possible ???!
>> And how to stop this strange behavior ?
>>
>> User connections are made with the ldapsearch command :
>> /usr/lib/mozldap/ldapsearch -h adfds -P /etc/dirsrv/slapd-fds3/ -m /etc/dirsrv/slapd-fds3/ -D "cn=Gontran Bonheur,cn=Users,dc=example,dc=fr" -b "cn=Users,dc=example,dc=fr" -w - "(cn=Gontran Bonheur)" dn
>> This request accepts the new and the previous passwords !!!!!!
>>
>> If I force "Send and Receive Updates Now" in the Console, the behavior does not change.
>>
>> If my user uses Windows login banner, this behavior doesn't appear.
>>
>> Regards.
>> --
>> * Hugo Étiévant
>> ***

From pinto.elia at gmail.com Mon Nov 10 11:46:32 2008
From: pinto.elia at gmail.com (devzero2000)
Date: Mon, 10 Nov 2008 12:46:32 +0100
Subject: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
In-Reply-To: <491441E6.1010307@inrp.fr>
References: <491441E6.1010307@inrp.fr>
Message-ID:

Not so strange. It is a Windows Feature well known (sigh)

On Fri, Nov 7, 2008 at 2:25 PM, Hugo Etievant wrote:
> hello,
>
> I discovered a strange behavior with Active Directory LDAP protocol !
>
> My config :
> - an Active Directory on MS Windows Server 2003 SP2 + PassSync service
> - a Fedora Directory Server 1.1.3 + Replication Agreement for Windows synchronization
>
> Bidirectional synchronization of accounts is running, it is OKAY.
>
> When an administrator resets a user's password with Administration Server Console, this user can connect to Windows LDAP with the new password chosen by the administrator (the sync of password is OK), but this user can also use the previous password (big surprise) !
> => both are accepted by Windows LDAP : the last and the previous password !!!
>
> How can that be possible ???!
> And how to stop this strange behavior ?
>
> User connections are made with the ldapsearch command :
> /usr/lib/mozldap/ldapsearch -h adfds -P /etc/dirsrv/slapd-fds3/ -m /etc/dirsrv/slapd-fds3/ -D "cn=Gontran Bonheur,cn=Users,dc=example,dc=fr" -b "cn=Users,dc=example,dc=fr" -w - "(cn=Gontran Bonheur)" dn
> This request accepts the new and the previous passwords !!!!!!
>
> If I force "Send and Receive Updates Now" in the Console, the behavior does not change.
>
> If my user uses Windows login banner, this behavior doesn't appear.
>
> Regards.
> --
> * Hugo Étiévant
> ***

From rmeggins at redhat.com Mon Nov 10 15:56:25 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 10 Nov 2008 08:56:25 -0700
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To:
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com> <49145EFA.9050501@redhat.com>
Message-ID: <491859A9.3080509@redhat.com>

Kenneth Holter wrote:
> Thank you for your reply.
>
> Yes you understood me correctly - I meant it doesn't seem like Windows Sync is intended for Linux machine login (via SSH to be precise) to "just work" with no additional work. I'm sorry that I wasn't too clear on this.
>
> Is it so that one usually has an AD/DS setup like this:
>
> * users/passwords are synced from AD to DS
> * the new users are exported to ldif file, added things such as posix attributes, and reimported into DS
> * users can now log into linux servers (via SSH) that are properly configured as LDAP clients
>
> ? Just trying to get an understanding of how one usually sets up AD and DS to work together.

I think that's how it usually goes. Perhaps some other folks that are doing this will chime in.

freeIPA will soon have support for automatic creation of AD user accounts in IPA, including all of the posix and kerberos attributes needed for OS login. See freeipa.org

> On 11/7/08, *Rich Megginson* wrote:
>> Kenneth Holter wrote:
>>> I'm not very into fedora/redhat directory server (DS), but thought I'd just drop a quick question: It doesn't seem like Windows Sync is intended for syncing AD users to DS so that users defined on AD can be allowed to log into Linux machines.
>>
>> I'm not sure what you mean by that. Do you mean because the posix attributes are not synced, you cannot create a user in AD that is synced to Fedora DS and Linux machine login "just works" with no additional work?
>>
>>> It is possible to get this working, however, through a series of manual steps.
>>> So what is the intended purpose for Windows Sync, if I might ask, as it seems a lot simpler just to manage everything directly from DS without syncing with AD?
>>
>> I think most people use it to sync passwords, so that you can have the same password on AD as Unix/Linux, and when you change the password on one side, that change is synced to the other side.
>>
>>> Regards,
>>> Kenneth Holter
>>>
>>> On 11/6/08, *Rich Megginson* wrote:
>>>> Erling Ringen Elvsrud wrote:
>>>>> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson wrote:
>>>>> [...]
>>>>>> That should work. But note that posix attributes will not sync to AD. And even if you did manage to find a posix schema that worked with AD, and added the posix schema on the AD side, those attributes would not be synced to Fedora DS.
>>>>>
>>>>> Thanks for your answer.
>>>>>
>>>>> I start to wonder if Windows sync is worth the trouble. At my site we will probably not implement password sync as the AD-side is very restrictive about installing anything.
>>>>
>>>> I hear this all the time - AD admins are very touchy about installing anything, especially some piece of random open source software that's going to intercept clear text passwords and send them who-knows-where
>>>>
>>>>> So what I get is basically a skeleton that I have to populate with the posixUser attributes.
>>>>>
>>>>> Another issue is groups in AD. I suppose those groups will become regular unix-groups on the directory server side,
>>>>
>>>> Yes. But note - not posix groups (posixGroup) but plain groups (groupOfUniqueNames)
>>>>
>>>>> which might not be enough for all policing needs (may need netgroups in addition).
>>>>
>>>> Sure.
>>>>
>>>>> We will probably have maximum a few hundred users in the directory, do you think Windows-sync is worth the bother?
>>>>
>>>> I suggest you take a look at Penrose
>>>> http://docs.safehaus.org/display/PENROSE/Home
>>>>
>>>>> Erling

From rmeggins at redhat.com Mon Nov 10 15:58:24 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 10 Nov 2008 08:58:24 -0700
Subject: [Fedora-directory-users] Errors when a full re-sync is initiated in Windows Sync. Could temp. changes in binding-user rights be the cause?
In-Reply-To: <664c5a070811092321r295dc617vbd5b4a1cec64b9db@mail.gmail.com>
References: <664c5a070811092321r295dc617vbd5b4a1cec64b9db@mail.gmail.com>
Message-ID: <49185A20.9060501@redhat.com>

Erling Ringen Elvsrud wrote:
> When right clicking on the win-sync agreement and selecting initiate full re-synchronization I get these errors in /var/log/dirsrv/slapd-xyz/errors:
>
> "[10/Nov/2008:08:05:52 +0100] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory
> [10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: 26fdcb82-912411dd-8d71b7a1-43daa7e9_48e5d6030000ffff0000.db4: unable to flush: No such file or directory
> [10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory
> [10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: 26fdcb82-912411dd-8d71b7a1-43daa7e9_48e5d6030000ffff0000.db4: unable to flush: No such file or directory
> [10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory"
>
> A dialog box also appears with the following text:
>
> "An error occured during the consumer initialization
> The error received by the replica is '12 Total update aborted: Replication agreement for agmnt=xyz can not be updated while the replica is disabled (if the suffix is disabled you must enable it then restart the server for replication to take place).'.
> To check the initialization status, go to the 'status' tab and click on 'Replication status' in the left pane. The status of the initialization appears in the right pane."
>
> Before the problems occurred we temporarily disabled "domain admins" rights for the user Windows Sync uses to bind to AD.
> While the binding-user only had read access for the suffix we wanted to sync with, we started a full re-sync (with the errors above). The dirsrv was also restarted.
> We have re-enabled "domain admins" rights for the binding-user but the errors still appear. The directory server is searchable and seems to work except for syncing.
>
> Could it be that the temporary changes in rights for the binding-user could have caused this?

Could be. The bind user used by windows sync must have read and write rights to the AD subtree. But are you sure you have correctly configured Fedora DS to be a replication master with a changelog?

> Also, is it absolutely needed to have domain admin rights for the binding-user RHDS uses to connect to AD? We do not want to write any changes back to AD and those attributes synced with Windows sync will not be changed anyway.

I don't know if the windows sync code can handle that gracefully - it will definitely attempt to write to AD and there is no way to turn that off. I don't know if it will handle gracefully the error of not being able to write.
> Thanks,
>
> Erling

From erlingre at gmail.com Tue Nov 11 09:34:50 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Tue, 11 Nov 2008 10:34:50 +0100
Subject: [Fedora-directory-users] Windows sync: Synchronization of group membership
Message-ID: <664c5a070811110134j3ff47a54k7853fcfab02c0fc4@mail.gmail.com>

Hello list,

According to the RHDS Administration Guide in the chapter on Windows Sync (page 531):

"The membership of groups is synchronized with the constraint that only those members that are also within the scope of the agreement are propagated"
(note that I did not read this before the test)

I have tried the following:

In AD I have:

ou=LinuxUsers
ou=LinuxGroups

I have configured two separate synchronization agreements in RHDS, one that populates ou=People from ou=LinuxUsers in AD and one that populates ou=Groups from ou=LinuxGroups in AD.

The synchronization works, and after it is complete I use ldapsearch on ou=Groups in RHDS and ou=LinuxGroups in AD and the member attributes are indeed missing on the RHDS side.

So, in order to keep group membership I need to synchronize the parent ou of both users and groups. So something like ou=LinuxUsers,ou=Linux,dc=... and ou=LinuxGroups,ou=Linux,dc=... must be created in AD, and in the synchronization agreement I will sync ou=Linux and get both users and groups. The alternative is to synchronize with the current parent of LinuxUsers and LinuxGroups.

Is this correct?

Do you know why this "limitation" exists?

Thanks

Erling

From zach.casper at gmail.com Mon Nov 10 22:04:14 2008
From: zach.casper at gmail.com (Zach Casper)
Date: Mon, 10 Nov 2008 17:04:14 -0500
Subject: [Fedora-directory-users] Coolkey
Message-ID:

I'm currently attempting to use the Coolkey applet but we are not Gemalto users/developers.
Does a version exist in a CAP file versus the IJC built Java Card applet, or does a non-Cyberflex dependent src exist? I don't believe that SDK is available but nonetheless it was still a "for fee" piece. Where is the true Open Source non-dependent Coolkey solution? We have already been using MUSCLE and others but I understand Coolkey has matured from v0.9.1 and current MUSCLE is at v0.9.8

Zach

From rmeggins at redhat.com Tue Nov 11 15:20:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 11 Nov 2008 08:20:31 -0700
Subject: [Fedora-directory-users] Windows sync: Synchronization of group membership
In-Reply-To: <664c5a070811110134j3ff47a54k7853fcfab02c0fc4@mail.gmail.com>
References: <664c5a070811110134j3ff47a54k7853fcfab02c0fc4@mail.gmail.com>
Message-ID: <4919A2BF.3080705@redhat.com>

Erling Ringen Elvsrud wrote:
> Hello list,
>
> According to the RHDS Administration Guide in the chapter on Windows Sync (page 531):
>
> "The membership of groups is synchronized with the constraint that only those members that are also within the scope of the agreement are propagated"
> (note that I did not read this before the test)
>
> I have tried the following:
>
> In AD I have:
>
> ou=LinuxUsers
> ou=LinuxGroups
>
> I have configured two separate synchronization agreements in RHDS, one that populates ou=People from ou=LinuxUsers in AD and one that populates ou=Groups from ou=LinuxGroups in AD.
>
> The synchronization works, and after it is complete I use ldapsearch on ou=Groups in RHDS and ou=LinuxGroups in AD and the member attributes are indeed missing on the RHDS side.
>
> So, in order to keep group membership I need to synchronize the parent ou of both users and groups. So something like ou=LinuxUsers,ou=Linux,dc=... and ou=LinuxGroups,ou=Linux,dc=... must be created in AD, and in the synchronization agreement I will sync ou=Linux and get both users and groups.
> The alternative is to synchronize with the current parent of LinuxUsers and LinuxGroups.
>
> Is this correct?
>
> Do you know why this "limitation" exists?
>
I think it is a side effect of the way the AD DirSync control works - it applies to the domain suffix (dc=company,dc=com) and all sub containers (OUs, CNs) under that suffix. It does not apply only to specific subtrees under the domain suffix.

http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
http://support.microsoft.com/kb/891995

> Thanks
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From Jeff.Williams at infospace.com  Tue Nov 11 20:44:28 2008
From: Jeff.Williams at infospace.com (Jeff Williams)
Date: Tue, 11 Nov 2008 12:44:28 -0800
Subject: [Fedora-directory-users] Removing attributes from Active Directory on sync
Message-ID: <9598680C8A333F49AC6A9B78095E4D4A2E0143EC@CPWPRX01N.inspinc.ad>

Hello,

I'm trying to create an AD<->FDS sync.

Our AD has the following layout:

uid=myuser,Ou=User,OU=CompanyGroup,dc=ourADdomain,dc=com

While our LDAP structure has the following layout:

uid=myuser,ou=people,dc=ldapdomain,dc=com

How can I make sure that the users from the AD ou=user,ou=CompanyGroup,dc=ouraddomain,dc=com are placed in the ou=people,dc=ldapdomain,dc=com container?

I'm not sure how to consistently remove the excessive AD attribute?

Thanks,

Jeff Williams
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com  Tue Nov 11 20:47:17 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 11 Nov 2008 13:47:17 -0700
Subject: [Fedora-directory-users] Removing attributes from Active Directory on sync
In-Reply-To: <9598680C8A333F49AC6A9B78095E4D4A2E0143EC@CPWPRX01N.inspinc.ad>
References: <9598680C8A333F49AC6A9B78095E4D4A2E0143EC@CPWPRX01N.inspinc.ad>
Message-ID: <4919EF55.3060109@redhat.com>

Jeff Williams wrote:
>
> Hello,
>
> I'm trying to create an AD<->FDS sync
>
> Our AD has the following layout:
>
> uid=myuser,Ou=User,OU=CompanyGroup,dc=ourADdomain,dc=com
>
> While our LDAP structure has the following layout:
>
> uid=myuser,ou=people,dc=ldapdomain,dc=com
>
> How can I make sure that the users from the AD
> ou=user,ou=CompanyGroup,dc=ouraddomain,dc=com are placed in the
> ou=people,dc=ldapdomain,dc=com container?
>
What does it do if you specify Ou=User,OU=CompanyGroup,dc=ourADdomain,dc=com as your AD subtree and ou=people,dc=ldapdomain,dc=com as your DS subtree?
>
> I'm not sure how to consistently remove the excessive AD attribute?
>
I don't understand.
>
> Thanks,
>
> Jeff Williams
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From Jeff.Williams at infospace.com  Tue Nov 11 22:09:37 2008
From: Jeff.Williams at infospace.com (Jeff Williams)
Date: Tue, 11 Nov 2008 14:09:37 -0800
Subject: [Fedora-directory-users] Removing attributes from Active Directory on sync
In-Reply-To: <4919EF55.3060109@redhat.com>
References: <9598680C8A333F49AC6A9B78095E4D4A2E0143EC@CPWPRX01N.inspinc.ad> <4919EF55.3060109@redhat.com>
Message-ID: <9598680C8A333F49AC6A9B78095E4D4A2E0143EE@CPWPRX01N.inspinc.ad>

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Tuesday, November 11, 2008 12:47 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Removing attributes from Active Directory on sync

Jeff Williams wrote:
>
> Hello,
>
> I'm trying to create an AD<->FDS sync
>
> Our AD has the following layout:
>
> uid=myuser,Ou=User,OU=CompanyGroup,dc=ourADdomain,dc=com
>
> While our LDAP structure has the following layout:
>
> uid=myuser,ou=people,dc=ldapdomain,dc=com
>
> How can I make sure that the users from the AD
> ou=user,ou=CompanyGroup,dc=ouraddomain,dc=com are placed in the
> ou=people,dc=ldapdomain,dc=com container?
>
What does it do if you specify Ou=User,OU=CompanyGroup,dc=ourADdomain,dc=com as your AD subtree and ou=people,dc=ldapdomain,dc=com as your DS subtree?

I'm sorry, I didn't fully express what I am trying to do. Is there a way to build the sync so that all ou=user,ou=*,dc=ourADdomain,dc=com AD subtrees are pulled? Or will I have to build a different sync for each subtree?
Thanks,

Jeff Williams

From rmeggins at redhat.com  Tue Nov 11 22:21:34 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 11 Nov 2008 15:21:34 -0700
Subject: [Fedora-directory-users] Removing attributes from Active Directory on sync
In-Reply-To: <9598680C8A333F49AC6A9B78095E4D4A2E0143EE@CPWPRX01N.inspinc.ad>
References: <9598680C8A333F49AC6A9B78095E4D4A2E0143EC@CPWPRX01N.inspinc.ad> <4919EF55.3060109@redhat.com> <9598680C8A333F49AC6A9B78095E4D4A2E0143EE@CPWPRX01N.inspinc.ad>
Message-ID: <491A056E.7090302@redhat.com>

Jeff Williams wrote:
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Tuesday, November 11, 2008 12:47 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Removing attributes from Active Directory on sync
>
> Jeff Williams wrote:
>
>> Hello,
>>
>> I'm trying to create an AD<->FDS sync
>>
>> Our AD has the following layout:
>>
>> uid=myuser,Ou=User,OU=CompanyGroup,dc=ourADdomain,dc=com
>>
>> While our LDAP structure has the following layout:
>>
>> uid=myuser,ou=people,dc=ldapdomain,dc=com
>>
>> How can I make sure that the users from the AD
>> ou=user,ou=CompanyGroup,dc=ouraddomain,dc=com are placed in the
>> ou=people,dc=ldapdomain,dc=com container?
>>
>>
> What does it do if you specify
> Ou=User,OU=CompanyGroup,dc=ourADdomain,dc=com as your AD subtree and
> ou=people,dc=ldapdomain,dc=com as your DS subtree?
>
> I'm sorry, I didn't fully express what I am trying to do. Is there a way to build the sync so that all ou=user,ou=*,dc=ourADdomain,dc=com AD subtrees are pulled?
No.
> Or will I have to build a different sync for each subtree?
>
Yes. Painful, I know.
> Thanks,
>
> Jeff Williams
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From hugo.etievant at inrp.fr  Wed Nov 12 10:37:19 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Wed, 12 Nov 2008 11:37:19 +0100
Subject: [Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
In-Reply-To:
References: <491441E6.1010307@inrp.fr>
Message-ID: <491AB1DF.8000906@inrp.fr>

It is not a bug, it is a feature! Thanks.

devzero2000 wrote:
> Not so strange. It is a Windows feature, well known (sigh).
>
> On Fri, Nov 7, 2008 at 2:25 PM, Hugo Etievant wrote:
>
>     hello,
>
>     I discovered a strange behavior with the Active Directory LDAP protocol!
>
>     My config:
>     - an Active Directory on MS Windows Server 2003 SP2 + PassSync service
>     - a Fedora Directory Server 1.1.3 + Replication Agreement for Windows synchronization
>
>     Bidirectional synchronization of accounts is running, it is OKAY.
>
>     When an administrator resets a user's password with the Administration Server Console, this user can connect to Windows LDAP with the new password chosen by the administrator (the sync of the password is OK), but this user can also use the previous password (big surprise)!
>     => both are accepted by Windows LDAP: the last and the previous password!!!
>
>     How can that be possible???!
>     And how to stop this strange behavior?
>
>     User connections are made with the ldapsearch command:
>     /usr/lib/mozldap/ldapsearch -h adfds -P /etc/dirsrv/slapd-fds3/ -m /etc/dirsrv/slapd-fds3/ -D "cn=Gontran Bonheur,cn=Users,dc=example,dc=fr" -b "cn=Users,dc=example,dc=fr" -w - "(cn=Gontran Bonheur)" dn
>     This request accepts the new and the previous passwords!!!!!!
>
>     If I force "Send and Receive Updates Now" in the Console, the behavior does not change.
>
>     If my user uses the Windows login banner, this behavior doesn't appear.
>     --
>     Hugo Étiévant

From niranjan.ashok at gmail.com  Wed Nov 12 13:01:35 2008
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Wed, 12 Nov 2008 18:31:35 +0530
Subject: [Fedora-directory-users] Unable to create certificate request if O=Example, Inc.
Message-ID: <73e979680811120501g4f8a773ek2b271db3cfbc5e68@mail.gmail.com>

Hi all

I have Fedora Directory Server installed on an F9 box (fedora-ds-base-1.1.3-2.fc9.x86_64). Due to some bug I guess, I am unable to create the certificate request through the Console, that is Directory Server -> Manage Certificates -> Request -> Request Certificate Manually.

In the Server Name: dhcp7-92.example.com
Organization: Example, Inc.
City/Locality: Raleigh
State/Province: North Carolina
Country/Region: US United States

Click on Show DN and I remove all the double quotes and my DN looks as below

CN="dhcp7-92.example.com, O=Example, Inc., L=Raleigh, ST=North Carolina, C=US

When I click on Next it says "Unable to convert DN to certificate name"

So I tried with the certutil command.
$ cd /etc/dirsrv/slapd-dhcp7-92/
$ certutil -R -s "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.example.com" -o mycert.req -d .

I got the below output
certutil -s: improperly formatted name: "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.pnq.redhat.com"

Now if I modify it as
certutil -R -s "C=US, ST=North Carolina, L=Raleigh, O=Example, CN=dhcp7-92.pnq.redhat.com" -o mycert.req -d .
it works.

The same with the console, i.e. if the Organization title is modified from "Example, Inc." to "Example" it works.

So the space and period symbol in (Example, Inc.) is an issue?

But this doesn't happen when I create certificate requests with openssl commands.

Regards
Niranjan
-------------- next part --------------
An HTML attachment was scrubbed...
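An added example, not code from the thread or from the Directory Server project: a small RFC 4514 DN-string escaper and splitter in Python. It shows why an unescaped comma inside an attribute value such as "Example, Inc." breaks a DN string (the string splits into one component too many, and that component has no '='), and how the backslash-escaped form round-trips cleanly. The helper names (escape_rdn_value, build_dn, split_dn, is_well_formed) and the sample values are my own; whether a given tool's -s parser accepts the backslash form is a separate question that the thread leaves open.

```python
"""RFC 4514 DN string escaping (added example, not part of the thread).

A DN passed as one string ("CN=...,O=...,C=US") is split on commas, so a
comma inside a value must be escaped or the string parses into the wrong
number of RDNs. The rules below follow RFC 4514 section 2.4.
"""

# Characters that must be escaped wherever they occur in a value.
_SPECIAL = set('"+,;<>\\')
_HEX = set("0123456789abcdefABCDEF")


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")          # NUL may only appear as a hex pair
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")           # leading or trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")           # leading '#' would read as hex-encoded BER
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs into a DN string, escaping every value."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def split_dn(dn: str):
    """Split a DN string on unescaped commas and unescape each value.

    Raises ValueError for a component with no '=' (which is exactly what an
    unescaped comma inside a value produces) or a dangling backslash.
    Whitespace around the attribute name, as in "C=US, ST=..", is tolerated.
    """
    rdns, buf, i = [], [], 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":
            component = "".join(buf)
            attr, sep, val = component.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"improperly formatted RDN: {component!r}")
            rdns.append((attr.strip(), val))
            buf = []
        elif dn[i] == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of DN")
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                buf.append(chr(int(pair, 16)))   # hex pair, e.g. \00 or \2c
                i += 2
            else:
                buf.append(dn[i + 1])            # escaped literal, e.g. \,
                i += 1
        else:
            buf.append(dn[i])
        i += 1
    return rdns


def is_well_formed(dn: str) -> bool:
    """True when the DN string splits into attribute=value components."""
    try:
        split_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample, modelled on the subject DN in the thread.
    rdns = [("CN", "dhcp7-92.example.com"), ("O", "Example, Inc."),
            ("L", "Raleigh"), ("ST", "North Carolina"), ("C", "US")]
    escaped = build_dn(rdns)
    naive = "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.example.com"
    print("escaped :", escaped, "->", len(split_dn(escaped)), "RDNs")
    print("naive   :", naive, "-> well formed:", is_well_formed(naive))
```

The naive string fails because the component after the first comma in the organization is " Inc.", which has no '='; the escaped string parses back into the original five pairs.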
URL:

From rmeggins at redhat.com  Wed Nov 12 17:56:17 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 12 Nov 2008 10:56:17 -0700
Subject: [Fedora-directory-users] Unable to create certificate request if O=Example, Inc.
In-Reply-To: <73e979680811120501g4f8a773ek2b271db3cfbc5e68@mail.gmail.com>
References: <73e979680811120501g4f8a773ek2b271db3cfbc5e68@mail.gmail.com>
Message-ID: <491B18C1.7040404@redhat.com>

mallapadi niranjan wrote:
> Hi all
>
> I have Fedora Directory Server installed on an F9 box
> (fedora-ds-base-1.1.3-2.fc9.x86_64). Due to some bug I guess, I am
> unable to create the certificate request through the Console, that is
> Directory Server -> Manage Certificates -> Request -> Request
> Certificate Manually.
>
> In the Server Name: dhcp7-92.example.com
> Organization: Example, Inc.
> City/Locality: Raleigh
> State/Province: North Carolina
> Country/Region: US United States
>
> Click on Show DN and I remove all the double quotes and my DN looks
> as below
>
> CN="dhcp7-92.example.com, O=Example, Inc., L=Raleigh, ST=North Carolina, C=US
>
> When I click on Next it says "Unable to convert DN to certificate name"
>
> So I tried with the certutil command.
> $ cd /etc/dirsrv/slapd-dhcp7-92/
> $ certutil -R -s "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.example.com" -o mycert.req -d .
>
> I got the below output
> certutil -s: improperly formatted name: "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.pnq.redhat.com"
>
> Now if I modify it as
> certutil -R -s "C=US, ST=North Carolina, L=Raleigh, O=Example, CN=dhcp7-92.pnq.redhat.com" -o mycert.req -d .
> it works.
>
> The same with the console, i.e. if the Organization title is modified from
> "Example, Inc." to "Example" it works.
>
> So the space and period symbol in (Example, Inc.) is an issue?
I think space and period are fine - you don't have a problem with them in other parts of your DN.
The problem is the comma ',' after Example - try escaping the comma, e.g.
"C=US, ST=North Carolina, L=Raleigh, O=Example\\, Inc.,CN=dhcp7-92.pnq.redhat.com"
Not sure about the correct escape syntax.
>
> But this doesn't happen when I create certificate requests with openssl
> commands.
Hmm - maybe openssl is smart enough to handle the comma?
>
> Regards
> Niranjan
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From erlingre at gmail.com  Thu Nov 13 12:01:12 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Thu, 13 Nov 2008 13:01:12 +0100
Subject: [Fedora-directory-users] Errors when a full re-sync is initiated in Windows Sync. Could temp. changes in binding-user rights be the cause?
In-Reply-To: <49185A20.9060501@redhat.com>
References: <664c5a070811092321r295dc617vbd5b4a1cec64b9db@mail.gmail.com> <49185A20.9060501@redhat.com>
Message-ID: <664c5a070811130401w22b2eb58u9601cff9fa396a59@mail.gmail.com>

On 11/10/08, Rich Megginson wrote:
[...]
> Could be. The bind user used by windows sync must have read and write
> rights to the AD subtree.

If I have, for instance,

ou=Linux,ou=delegation,dc=foo, dc=bar, dc=baz in AD

and in the synchronization agreement the "Windows subtree" value is:
ou=Linux,ou=delegation,dc=foo, dc=bar, dc=baz

I have tried to limit the write permissions for the binding user to only ou=Linux, but that causes synchronization to fail.

In which parts of the AD tree does the binding user need write access? Does it need write access in dc=foo and all siblings?
Thanks again,

Erling

From hugo.etievant at inrp.fr  Thu Nov 13 13:57:30 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Thu, 13 Nov 2008 14:57:30 +0100
Subject: [Fedora-directory-users] Frequency of sync windows
Message-ID: <491C324A.2030204@inrp.fr>

hello,

The admin manual says: "Synchronization occurs every five minutes. However, an incremental update can be done manually if there are changes that need synchronized immediately." ( http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html )

But my tests show that the sync of user accounts, passwords and attributes of entries happens in real time between FDS and Active Directory without forcing the "receive and send update" action in the Fedora IDM Console!

What are the real rules and frequencies of synchronization?
How can we change those parameters?

regards
--
Hugo Étiévant

From jad at jadickinson.co.uk  Thu Nov 13 14:22:03 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Thu, 13 Nov 2008 14:22:03 +0000
Subject: [Fedora-directory-users] Frequency of sync windows
In-Reply-To: <491C324A.2030204@inrp.fr>
References: <491C324A.2030204@inrp.fr>
Message-ID: <180E500C-51A8-4EBD-BB3A-3D6465301DE9@jadickinson.co.uk>

On 13 Nov 2008, at 13:57, Hugo Etievant wrote:
> hello,
>
> The admin manual says: "Synchronization occurs every five minutes.
> However, an incremental update can be done manually if there are
> changes that need synchronized immediately." ( http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html )
>
> But my tests show that the sync of user accounts, passwords and
> attributes of entries happens in real time between FDS and Active
> Directory without forcing the "receive and send update" action in the Fedora
> IDM Console!

From my experience, it is real time from FDS -> AD but every 5 mins from AD -> FDS.
Presumably this is because all the replication (with the exception of passwords going from AD -> FDS) is performed by FDS. FDS knows when an event occurs in FDS and can replicate it immediately to AD, but has to poll (every 5 mins) for an event in AD.

>
> What are the real rules and frequencies of synchronization?
> How can we change those parameters?

I am not sure but I expect you have to change the code.

John

From rmeggins at redhat.com  Thu Nov 13 14:45:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Nov 2008 07:45:19 -0700
Subject: [Fedora-directory-users] Errors when a full re-sync is initiated in Windows Sync. Could temp. changes in binding-user rights be the cause?
In-Reply-To: <664c5a070811130401w22b2eb58u9601cff9fa396a59@mail.gmail.com>
References: <664c5a070811092321r295dc617vbd5b4a1cec64b9db@mail.gmail.com> <49185A20.9060501@redhat.com> <664c5a070811130401w22b2eb58u9601cff9fa396a59@mail.gmail.com>
Message-ID: <491C3D7F.1060801@redhat.com>

Erling Ringen Elvsrud wrote:
> On 11/10/08, Rich Megginson wrote:
> [...]
>
>> Could be. The bind user used by windows sync must have read and write
>> rights to the AD subtree.
>>
>
> If I have, for instance,
>
> ou=Linux,ou=delegation,dc=foo, dc=bar, dc=baz in AD
>
> and in the synchronization agreement the
> "Windows subtree" value is:
> ou=Linux,ou=delegation,dc=foo, dc=bar, dc=baz
>
> I have tried to limit the write permissions for the binding user to
> only ou=Linux, but that causes synchronization to fail.
>
> In which parts of the AD tree does the binding user need write access?
> Does it need write access in dc=foo and all siblings?
>
For read access - see http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and http://support.microsoft.com/kb/891995 for more information about how the DirSync Search works.
For write access - should only need access to ou=Linux

> Thanks again,
>
> Erling
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com  Thu Nov 13 14:46:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Nov 2008 07:46:29 -0700
Subject: [Fedora-directory-users] Frequency of sync windows
In-Reply-To: <491C324A.2030204@inrp.fr>
References: <491C324A.2030204@inrp.fr>
Message-ID: <491C3DC5.2080606@redhat.com>

Hugo Etievant wrote:
> hello,
>
> The admin manual says: "Synchronization occurs every five minutes.
> However, an incremental update can be done manually if there are
> changes that need synchronized immediately." (
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html )
>
> But my tests show that the sync of user accounts, passwords and
> attributes of entries happens in real time between FDS and Active
> Directory without forcing the "receive and send update" action in the Fedora
> IDM Console!
Yes. FDS -> AD happens immediately. AD -> FDS happens every 5 minutes.
>
> What are the real rules and frequencies of synchronization?
> How can we change those parameters?
They cannot currently be changed.
>
>
> regards
>

From hugo.etievant at inrp.fr  Thu Nov 13 15:00:19 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Thu, 13 Nov 2008 16:00:19 +0100
Subject: [Fedora-directory-users] Frequency of sync windows
In-Reply-To: <491C3DC5.2080606@redhat.com>
References: <491C324A.2030204@inrp.fr> <491C3DC5.2080606@redhat.com>
Message-ID: <491C4103.5060103@inrp.fr>

Thanks Rich and John for the info.

Perhaps the ability for the admin to change this parameter (5 minutes) could join the TODO list?

best regards

Rich Megginson wrote:
> Hugo Etievant wrote:
>> hello,
>>
>> The admin manual says: "Synchronization occurs every five minutes.
>> However, an incremental update can be done manually if there are
>> changes that need synchronized immediately." (
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html )
>>
>> But my tests show that the sync of user accounts, passwords and
>> attributes of entries happens in real time between FDS and Active
>> Directory without forcing the "receive and send update" action in the Fedora
>> IDM Console!
> Yes. FDS -> AD happens immediately. AD -> FDS happens every 5 minutes.
>>
>> What are the real rules and frequencies of synchronization?
>> How can we change those parameters?
> They cannot currently be changed.

--
Hugo Étiévant

From rcritten at redhat.com  Thu Nov 13 15:08:51 2008
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 13 Nov 2008 10:08:51 -0500
Subject: [Fedora-directory-users] Frequency of sync windows
In-Reply-To: <491C4103.5060103@inrp.fr>
References: <491C324A.2030204@inrp.fr> <491C3DC5.2080606@redhat.com> <491C4103.5060103@inrp.fr>
Message-ID: <491C4303.10201@redhat.com>

Hugo Etievant wrote:
> Thanks Rich and John for the info.
>
> Perhaps the ability for the admin to change this parameter (5 minutes)
> could join the TODO list?
>
The best way to get this added to the list is to file a bug requesting it.

regards

rob

>
>
>
> Rich Megginson wrote:
>> Hugo Etievant wrote:
>>> hello,
>>>
>>> The admin manual says: "Synchronization occurs every five minutes.
>>> However, an incremental update can be done manually if there are
>>> changes that need synchronized immediately." (
>>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Using_Windows_Sync.html )
>>>
>>> But my tests show that the sync of user accounts, passwords and
>>> attributes of entries happens in real time between FDS and Active
>>> Directory without forcing the "receive and send update" action in the Fedora
>>> IDM Console!
>> Yes. FDS -> AD happens immediately. AD -> FDS happens every 5 minutes.
>>>
>>> What are the real rules and frequencies of synchronization?
>>> How can we change those parameters?
>> They cannot currently be changed.
>
>

From kenneho.ndu at gmail.com  Thu Nov 13 15:12:53 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Thu, 13 Nov 2008 16:12:53 +0100
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To: <491859A9.3080509@redhat.com>
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com> <49145EFA.9050501@redhat.com> <491859A9.3080509@redhat.com>
Message-ID:

The IPA documentation states that it ships with (Fedora/Red Hat) Directory Server. Won't we get the same sync issues with (free/Red Hat) IPA as with Directory Server alone?

And is there a link between IPA and Penrose?

On 11/10/08, Rich Megginson wrote:
>
>
> freeIPA will soon have support for automatic creation of AD user accounts
> in IPA, including all of the posix and kerberos attributes needed for OS
> login. See freeipa.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com  Thu Nov 13 15:26:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 13 Nov 2008 08:26:00 -0700
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To:
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com> <49145EFA.9050501@redhat.com> <491859A9.3080509@redhat.com>
Message-ID: <491C4708.5020601@redhat.com>

Kenneth Holter wrote:
>
> The IPA documentation states that it ships with (Fedora/Red Hat)
> Directory Server. Won't we get the same sync issues with (free/Red
> Hat) IPA as with Directory Server alone?
No. IPA winsync (coming Real Soon Now) extends regular DS windows sync in a couple of ways:

* AD users synced over to IPA will get the full kerberos and posix (and other) schema, including a uidNumber automatically assigned.
* If a user is disabled in AD, that user will be disabled in IPA, and vice versa
* There is the ability to force sync - if there is an already existing IPA user with the same user id (uid attribute) as an already existing AD user (samAccountName attribute) they will be automatically synced - you do not have to manually add the ntUser objectclass and ntUserDomainID attribute with the samAccountName value to the IPA entry

>
> And is there a link between IPA and Penrose?
>
>
> On 11/10/08, *Rich Megginson* wrote:
>
>
>     freeIPA will soon have support for automatic creation of AD user
>     accounts in IPA, including all of the posix and kerberos
>     attributes needed for OS login.
>     See freeipa.org
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From stupid.tech at gmail.com  Thu Nov 13 21:58:09 2008
From: stupid.tech at gmail.com (stupid stupid)
Date: Thu, 13 Nov 2008 16:58:09 -0500
Subject: [Fedora-directory-users] Personal Address book In FDS
Message-ID: <96d404fe0811131358q46becc5al446aa8e2bb704740@mail.gmail.com>

Hello,

I am new to FDS and the LDAP world. I have installed FDS on a server and would like to use it for Address book lookup. The address book lookup is working from different mail clients, but I wanted to know how to allow users to add their own Personal Address book entries to the Fedora DS.

Please help.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From G.Seaman at lse.ac.uk  Fri Nov 14 11:45:13 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Fri, 14 Nov 2008 11:45:13 +0000
Subject: [Fedora-directory-users] surgery on existing directory
Message-ID: <491D64C9.6010909@lse.ac.uk>

Hi,

I have an existing populated directory supporting a live application. The next development version will have some fairly large scale changes - changes to schema, objectClasses, attribute names and attribute values - but I can't lose the actual data we already have.

The approach I've been trying is:

1. Use db2ldif to dump the groups and users (the only bit of the data which is 'mine') from the live directory on the live system:

/usr/lib/dirsrv/slapd-flame/db2ldif -U -n userRoot -a /opt/backups/original.ldif -s "dc=lse,dc=ac,dc=uk" -s "ou=My Groups" -s "ou=My Users"

2. Edit the ldif file with the changes I need

3.
Load the ldif file into a new fedora directory on my development system with ldif2db.pl:

/usr/lib/dirsrv/slapd-dam/ldif2db.pl -D "cn=directory manager" -w MYPASS -n userRoot -s "dc=lse,dc=ac,dc=uk" -s "ou=New Groups" -s "ou=New Users" -i /opt/backups/new.ldif

ldif2db.pl terminates almost immediately, clearly without having read most of the file. The fedora log shows:

[14/Nov/2008:11:35:54 +0000] conn=2 op=1 ADD dn="cn=import_2008_11_14_11_35_55, cn=import, cn=tasks, cn=config"
[14/Nov/2008:11:35:54 +0000] conn=2 op=1 RESULT err=0 tag=105 nentries=0 etime=0

If I repeat the operation I get 'operation error'; and if I try to access the directory, it appears to be completely empty.

So, two questions:
- is this a reasonable way to go about this task, or are there other tools I should use?
- any suggestions for debugging?

Thanks
Graham

From stupid.tech at gmail.com  Fri Nov 14 13:50:05 2008
From: stupid.tech at gmail.com (stupid stupid)
Date: Fri, 14 Nov 2008 08:50:05 -0500
Subject: [Fedora-directory-users] Personal Address book In FDS
Message-ID: <96d404fe0811140550u5cf6893dhdfc7928f36ca719a@mail.gmail.com>

Hello,

I am new to FDS and the LDAP world. I have installed FDS on a server and would like to use it for Address book lookup. The address book lookup is working from different mail clients, but I wanted to know how to allow users to add their own Personal Address book entries to the Fedora DS.

Please help.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From cwaltham at bowdoin.edu  Fri Nov 14 14:43:38 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Fri, 14 Nov 2008 09:43:38 -0500
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
Message-ID: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu>

I'm using RHEL5.2 (i386) and installing RPMs from the FDS repository that's mentioned on the FDS wiki.
But I'm having trouble configuring FDS 1.1.3 due to errors that I believe are related to permissions on /var/run/dirsrv.

Before installing DS, here are the permissions on /var/run/dirsrv:

[root at falls ~]# ls -ald /var/run/dirsrv
drwxr-xr-x 3 root root 4096 Nov 14 09:24 /var/run/dirsrv

When finishing the end of setup-ds-admin.pl, I see these messages:

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Server failed to start !!! Please check errors log for problems
Possible timeout starting server: timeout=1226673415 now=1226673416
Could not start the directory server using command '/usr/lib/dirsrv/slapd-falls/start-slapd'. The last line from the error log was '[14/Nov/2008:09:26:55 -0500] - Fedora-Directory/1.1.3 B2008.269.157 starting up
'. Error: Unknown error 256
Error: Could not create directory server instance 'falls'.
Exiting . . .
Log file is '/tmp/setupblsNWZ.log'

There is nothing else of relevance in either /tmp/setupblsNWZ.log or /var/log/dirsrv/slapd-falls/errors

If I try and start the directory server after the installation failed, I get this error:

[root at falls ~]# /etc/init.d/dirsrv start
Starting dirsrv:
    falls...                                                   [FAILED]
  *** Warning: 1 instance(s) failed to start

If I manually chmod & chown the /var/run/dirsrv directory, it will start:

[root at falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody /var/run/dirsrv
[root at falls ~]# /etc/init.d/dirsrv start
Starting dirsrv:
    falls...                                                   [  OK  ]

However, because the setup-ds-admin.pl process never completed, the admin server hasn't been configured (and I don't want to have to do that by hand). Note that I am using nobody:nobody in the FDS installer when asked who I want to run the services as.

When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody /var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error:

[08/11/14:09:00:33] - [Setup] Info Are you ready to set up your servers?
[08/11/14:09:00:34] - [Setup] Info yes
[08/11/14:09:00:34] - [Setup] Info Creating directory server . . .
[08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was successfully created.
[08/11/14:09:00:36] - [Setup] Info Creating the configuration directory server . . .
[08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot' already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'.

[08/11/14:09:00:36] - [Setup] Fatal Failed to create the configuration directory server
[08/11/14:09:00:36] - [Setup] Fatal Exiting . . .

Any thoughts? This is getting pretty frustrating :-\

Thanks,

Chris

From rmeggins at redhat.com  Fri Nov 14 15:59:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 14 Nov 2008 08:59:49 -0700
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu>
Message-ID: <491DA075.5020804@redhat.com>

Christopher Waltham wrote:
> I'm using RHEL5.2 (i386) and installing RPMs from the FDS repository
> that's mentioned on the FDS wiki. But I'm having trouble configuring
> FDS 1.1.3 due to errors that I believe are related to permissions on
> /var/run/dirsrv.
>
> Before installing DS, here are the permissions on /var/run/dirsrv:
>
> [root at falls ~]# ls -ald /var/run/dirsrv
> drwxr-xr-x 3 root root 4096 Nov 14 09:24 /var/run/dirsrv
>
> When finishing the end of setup-ds-admin.pl, I see these messages:
>
> Are you ready to set up your servers? [yes]:
> Creating directory server . . .
> Server failed to start !!! Please check errors log for problems
> Possible timeout starting server: timeout=1226673415 now=1226673416
> Could not start the directory server using command
> '/usr/lib/dirsrv/slapd-falls/start-slapd'. The last line from the
> error log was '[14/Nov/2008:09:26:55 -0500] - Fedora-Directory/1.1.3
> B2008.269.157 starting up
> '.
Error: Unknown error 256 > Error: Could not create directory server instance 'falls'. > Exiting . . . > Log file is '/tmp/setupblsNWZ.log' > > There is nothing else of relevance in either /tmp/setupblsNWZ.log or > /var/log/dirsrv/slapd-falls/errors > > If I try and start the directory server after the installation failed, > I get this error: > > [root at falls ~]# /etc/init.d/dirsrv start > Starting dirsrv: > falls... [FAILED] > *** Warning: 1 instance(s) failed to start > > If I manually chmod & chown the /var/run/dirsrv directory, it will start: > > [root at falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody > /var/run/dirsrv > [root at falls ~]# /etc/init.d/dirsrv start > Starting dirsrv: > falls... [ OK ] > > However, because the setup-ds-admin.pl process never completed, the > admin server hasn't been configured (and I don't want to have to do > that by hand). Note that I am using nobody:nobody in the FDS installer > when asked who I want to run the services as. > > When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody > /var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error: > > [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your servers? > [08/11/14:09:00:34] - [Setup] Info yes > [08/11/14:09:00:34] - [Setup] Info Creating directory server . . . > [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was > successfully created. > [08/11/14:09:00:36] - [Setup] Info Creating the configuration > directory server . . . > [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot' > already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping > tree,cn=config'. > > [08/11/14:09:00:36] - [Setup] Fatal Failed to create the configuration > directory server > [08/11/14:09:00:36] - [Setup] Fatal Exiting . . . > > Any thoughts? This is getting pretty frustrating :-\ Yes. The first problem caused the second. 
The first problem is the permissions on /var/run/dirsrv, which allowed
you to get past "the point of no return" with setup. That is, your
system is already configured to the point that subsequent runs of
setup think it has been set up correctly.

Try running ds_removal first - you may have to use the -f argument to
force removal.

Then, try this:
service dirsrv stop # may error if not running - that is ok
service dirsrv-admin stop # may error if not running - that is ok
find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name slapd-\*
If that list looks ok, do
rm -rf `find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name slapd-\*`
Finally, rm everything in /etc/dirsrv/admin-serv EXCEPT admserv.conf
httpd.conf console.conf nss.conf - do not remove these files or the
directory

Then you should have a clean system to start over with
>
> Thanks,
>
>
> Chris
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Fri Nov 14 16:06:09 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 14 Nov 2008 09:06:09 -0700
Subject: [Fedora-directory-users] surgery on existing directory
In-Reply-To: <491D64C9.6010909@lse.ac.uk>
References: <491D64C9.6010909@lse.ac.uk>
Message-ID: <491DA1F1.4070604@redhat.com>

Graham Seaman wrote:
> Hi,
>
> I have an existing populated directory supporting a live application.
> The next development version will have some fairly large scale changes
> - changes to schema, objectClasses, attribute names and attribute
> values - but I can't lose the actual data we already have.
>
> The approach I've been trying is:
>
> 1. Use db2ldif to dump the groups and users (the only bit of the data
> which is 'mine') from the live directory on the live system:
>
> /usr/lib/dirsrv/slapd-flame/db2ldif -U -n userRoot -a
> /opt/backups/original.ldif -s "dc=lse,dc=ac,dc=uk" -s "ou=My Groups"
> -s "ou=My Users"
That's not really the purpose of db2ldif - it really wants to operate
on the entire contents of the database. If you need to edit selective
parts of the tree, you'll have to use one of the following approaches:

Use db2ldif to get everything, but only modify the parts you want

Use ldapsearch to selectively get what you want - then, either use
ldapdelete to remove entire entries and ldapmodify -a to add them
back, or if you can just modify the entries in place, use ldif change
statements (changetype: modify) and use ldapmodify (no -a)
>
> 2. Edit the ldif file with the changes I need
>
> 3. Load the ldif file into a new fedora directory on my development
> system with ldif2db.pl:
>
> /usr/lib/dirsrv/slapd-dam/ldif2db.pl -D "cn=directory manager" -w
> MYPASS -n userRoot -s "dc=lse,dc=ac,dc=uk" -s "ou=New Groups" -s
> "ou=New Users" -i /opt/backups/new.ldif
>
> ldif2db.pl terminates almost immediately, clearly without having read
> most of the file. The fedora log shows:
>
> [14/Nov/2008:11:35:54 +0000] conn=2 op=1 ADD
> dn="cn=import_2008_11_14_11_35_55, cn=import, cn=tasks, cn=config"
> [14/Nov/2008:11:35:54 +0000] conn=2 op=1 RESULT err=0 tag=105
> nentries=0 etime=0
This is because ldif2db.pl just invokes an internal task using a task
entry. If you want to monitor the progress of the import, you'll have
to look at the errors log, or use ldapsearch to query the entry that
ldif2db.pl spits out (cn=import_2008_11_14_11_35_55, cn=import,
cn=tasks, cn=config)
>
> If I repeat the operation I get 'operation error'; and if I try to
> access the directory, it appears to be completely empty.
Probably what happened is that you attempted to import from an LDIF
file that did not contain the parent entries - the LDIF only contained
your users and groups. Import (ldif2db) is a _destructive_ operation
- it will completely wipe out the contents of your database before
adding the new entries. In order to add an entry in LDAP, the parent
entry must exist. This means that if you want to import an LDIF file,
and dc=lse,dc=ac,dc=uk is your base suffix, the LDIF file must contain
the entry

dn: dc=lse,dc=ac,dc=uk
...

and any other parent entries of the entries you want to import.
>
> So, two questions:
>
> - is this a reasonable way to go about this task, or are there other
> tools I should use?
> - any suggestions for debugging?
>
> Thanks
> Graham

From hugo.etievant at inrp.fr Fri Nov 14 16:13:44 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Fri, 14 Nov 2008 17:13:44 +0100
Subject: [Fedora-directory-users] I can not write dse.ldif file
Message-ID: <491DA3B8.8000700@inrp.fr>

hello,

When I do some updates in the content of the dse.ldif file for an
instance (/etc/dirsrv/slapd-instance/), my file is rewritten and
restored back to the previous version automatically by FDS without my
permission!
How can I ensure durability of my updates for this config file?
regards

--
* Hugo Étiévant *

From rmeggins at redhat.com Fri Nov 14 16:21:23 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 14 Nov 2008 09:21:23 -0700
Subject: [Fedora-directory-users] I can not write dse.ldif file
In-Reply-To: <491DA3B8.8000700@inrp.fr>
References: <491DA3B8.8000700@inrp.fr>
Message-ID: <491DA583.9050208@redhat.com>

Hugo Etievant wrote:
> hello,
>
> When I do some updates in the content of the dse.ldif file for an
> instance (/etc/dirsrv/slapd-instance/), my file is rewritten and
> restored back to the previous version automatically by FDS without my
> permission!
> How can I ensure durability of my updates for this config file?
You have to shutdown the server first before writing dse.ldif. The
server uses dse.ldif as its dynamic configuration backing store. The
server periodically writes out its config to this file. If you really
want to edit dse.ldif (not recommended) you must first shutdown the
server. The better way to do it is to use ldapmodify to dynamically
edit the configuration in the running server.
>
> regards

From cwaltham at bowdoin.edu Fri Nov 14 16:24:22 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Fri, 14 Nov 2008 11:24:22 -0500
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <491DA075.5020804@redhat.com>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <491DA075.5020804@redhat.com>
Message-ID: <72BB646C-EFF7-4FE4-9972-7B1C8B07DB70@bowdoin.edu>

Thanks for the reply, Rich:

On Nov 14, 2008, at 10:59 AM, Rich Megginson wrote:

>> [root@falls ~]# /etc/init.d/dirsrv start
>> Starting dirsrv:
>> falls... [FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>> If I manually chmod & chown the /var/run/dirsrv directory, it will
>> start:
>>
>> [root@falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody
>> /var/run/dirsrv
>> [root@falls ~]# /etc/init.d/dirsrv start
>> Starting dirsrv:
>> falls... [ OK ]
>>
>> However, because the setup-ds-admin.pl process never completed, the
>> admin server hasn't been configured (and I don't want to have to do
>> that by hand). Note that I am using nobody:nobody in the FDS
>> installer when asked who I want to run the services as.
>>
>> When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody
>> /var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error:
>>
>> [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your
>> servers?
>> [08/11/14:09:00:34] - [Setup] Info yes
>> [08/11/14:09:00:34] - [Setup] Info Creating directory server . . .
>> [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was
>> successfully created.
>> [08/11/14:09:00:36] - [Setup] Info Creating the configuration
>> directory server . . .
>> [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot'
>> already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping
>> tree,cn=config'.
>>
>> [08/11/14:09:00:36] - [Setup] Fatal Failed to create the
>> configuration directory server
>> [08/11/14:09:00:36] - [Setup] Fatal Exiting . . .
>>
>> Any thoughts? This is getting pretty frustrating :-\
> Yes. The first problem caused the second. The first problem is the
> permissions on /var/run/dirsrv, which allowed you to get past "the
> point of no return" with setup. That is, your system is already
> configured to the point that subsequent runs of setup think it has
> been set up correctly.
>
> Try running ds_removal first - you may have to use the -f argument
> to force removal.

Ok, that's done.
> Then, try this:
> service dirsrv stop # may error if not running - that is ok
> service dirsrv-admin stop # may error if not running - that is ok

Done.

> find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name slapd-\*

[root@falls sbin]# find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name slapd-\*
/etc/dirsrv/config/slapd-collations.conf
/etc/dirsrv/slapd-falls.removed
find: /usr/lib64: No such file or directory

This is i386, so that looks fine.

> If that list looks ok, do
> rm -rf `find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name slapd-\*`

Done...

> Finally, rm everything in /etc/dirsrv/admin-serv EXCEPT admserv.conf
> httpd.conf console.conf nss.conf - do not remove these files or the
> directory

Those were the only files in there, so no problem.

> Then you should have a clean system to start over with

Okay, so I can start again with the setup-ds-admin.pl script?

And, I don't mean to be rude, but has the root cause of the problem
been identified? :P I can easily replicate it...

Chris

From rmeggins at redhat.com Fri Nov 14 16:32:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 14 Nov 2008 09:32:36 -0700
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <72BB646C-EFF7-4FE4-9972-7B1C8B07DB70@bowdoin.edu>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <491DA075.5020804@redhat.com> <72BB646C-EFF7-4FE4-9972-7B1C8B07DB70@bowdoin.edu>
Message-ID: <491DA824.4040909@redhat.com>

Christopher Waltham wrote:
> Thanks for the reply, Rich:
>
> On Nov 14, 2008, at 10:59 AM, Rich Megginson wrote:
>
>>> [root@falls ~]# /etc/init.d/dirsrv start
>>> Starting dirsrv:
>>> falls... [FAILED]
>>> *** Warning: 1 instance(s) failed to start
>>>
>>> If I manually chmod & chown the /var/run/dirsrv directory, it will
>>> start:
>>>
>>> [root@falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody
>>> /var/run/dirsrv
>>> [root@falls ~]# /etc/init.d/dirsrv start
>>> Starting dirsrv:
>>> falls... [ OK ]
>>>
>>> However, because the setup-ds-admin.pl process never completed, the
>>> admin server hasn't been configured (and I don't want to have to do
>>> that by hand). Note that I am using nobody:nobody in the FDS
>>> installer when asked who I want to run the services as.
>>>
>>> When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody
>>> /var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error:
>>>
>>> [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your
>>> servers?
>>> [08/11/14:09:00:34] - [Setup] Info yes
>>> [08/11/14:09:00:34] - [Setup] Info Creating directory server . . .
>>> [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was
>>> successfully created.
>>> [08/11/14:09:00:36] - [Setup] Info Creating the configuration
>>> directory server . . .
>>> [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot'
>>> already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping
>>> tree,cn=config'.
>>>
>>> [08/11/14:09:00:36] - [Setup] Fatal Failed to create the
>>> configuration directory server
>>> [08/11/14:09:00:36] - [Setup] Fatal Exiting . . .
>>>
>>> Any thoughts? This is getting pretty frustrating :-\
>> Yes. The first problem caused the second. The first problem is the
>> permissions on /var/run/dirsrv, which allowed you to get past "the
>> point of no return" with setup. That is, your system is already
>> configured to the point that subsequent runs of setup think it has
>> been set up correctly.
>>
>> Try running ds_removal first - you may have to use the -f argument to
>> force removal.
>
> Ok, that's done.
>
>> Then, try this:
>> service dirsrv stop # may error if not running - that is ok
>> service dirsrv-admin stop # may error if not running - that is ok
>
> Done.
>
>> find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name slapd-\*
>
> [root@falls sbin]# find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv
> /var -name slapd-\*
> /etc/dirsrv/config/slapd-collations.conf
> /etc/dirsrv/slapd-falls.removed
> find: /usr/lib64: No such file or directory
>
> This is i386, so that looks fine.
>
>> If that list looks ok, do
>> rm -rf `find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name
>> slapd-\*`
>
> Done...
>
>> Finally, rm everything in /etc/dirsrv/admin-serv EXCEPT admserv.conf
>> httpd.conf console.conf nss.conf - do not remove these files or the
>> directory
>
> Those were the only files in there, so no problem.
>
>> Then you should have a clean system to start over with
>
> Okay, so I can start again with the setup-ds-admin.pl script?
Yes.
> And, I don't mean to be rude, but has the root cause of the problem
> been identified? :P I can easily replicate it...
The root cause is the bogus ownership/permissions on /var/run/dirsrv -
the directory server user id (default: nobody) must be able to write
to this directory. We are working to fix this problem.
>
>
> Chris

From cwaltham at bowdoin.edu Fri Nov 14 16:36:06 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Fri, 14 Nov 2008 11:36:06 -0500
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <491DA824.4040909@redhat.com>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <491DA075.5020804@redhat.com> <72BB646C-EFF7-4FE4-9972-7B1C8B07DB70@bowdoin.edu> <491DA824.4040909@redhat.com>
Message-ID: <973239F4-9869-4049-8F27-D31F0086CE2E@bowdoin.edu>

On Nov 14, 2008, at 11:32 AM, Rich Megginson wrote:

> Christopher Waltham wrote:
>> Thanks for the reply, Rich:
>>
>> On Nov 14, 2008, at 10:59 AM, Rich Megginson wrote:
>>
>>>> [root@falls ~]# /etc/init.d/dirsrv start
>>>> Starting dirsrv:
>>>> falls... [FAILED]
>>>> *** Warning: 1 instance(s) failed to start
>>>>
>>>> If I manually chmod & chown the /var/run/dirsrv directory, it
>>>> will start:
>>>>
>>>> [root@falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody
>>>> /var/run/dirsrv
>>>> [root@falls ~]# /etc/init.d/dirsrv start
>>>> Starting dirsrv:
>>>> falls... [ OK ]
>>>>
>>>> However, because the setup-ds-admin.pl process never completed,
>>>> the admin server hasn't been configured (and I don't want to have
>>>> to do that by hand). Note that I am using nobody:nobody in the
>>>> FDS installer when asked who I want to run the services as.
>>>>
>>>> When I manually ( chmod 770 /var/run/dirsrv && chown
>>>> nobody:nobody /var/run/dirsrv ) *before* I run setup-ds-admin.pl
>>>> I get this error:
>>>>
>>>> [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your
>>>> servers?
>>>> [08/11/14:09:00:34] - [Setup] Info yes
>>>> [08/11/14:09:00:34] - [Setup] Info Creating directory server . . .
>>>> [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap'
>>>> was successfully created.
>>>> [08/11/14:09:00:36] - [Setup] Info Creating the configuration
>>>> directory server . . .
>>>> [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot'
>>>> already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping
>>>> tree,cn=config'.
>>>>
>>>> [08/11/14:09:00:36] - [Setup] Fatal Failed to create the
>>>> configuration directory server
>>>> [08/11/14:09:00:36] - [Setup] Fatal Exiting . . .
>>>>
>>>> Any thoughts? This is getting pretty frustrating :-\
>>> Yes. The first problem caused the second. The first problem is
>>> the permissions on /var/run/dirsrv, which allowed you to get past
>>> "the point of no return" with setup. That is, your system is
>>> already configured to the point that subsequent runs of setup
>>> think it has been set up correctly.
>>>
>>> Try running ds_removal first - you may have to use the -f argument
>>> to force removal.
>>
>> Ok, that's done.
>>
>>> Then, try this:
>>> service dirsrv stop # may error if not running - that is ok
>>> service dirsrv-admin stop # may error if not running - that is ok
>>
>> Done.
>>
>>> find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name
>>> slapd-\*
>>
>> [root@falls sbin]# find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv
>> /var -name slapd-\*
>> /etc/dirsrv/config/slapd-collations.conf
>> /etc/dirsrv/slapd-falls.removed
>> find: /usr/lib64: No such file or directory
>>
>> This is i386, so that looks fine.
>>
>>> If that list looks ok, do
>>> rm -rf `find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var
>>> -name slapd-\*`
>>
>> Done...
>>
>>> Finally, rm everything in /etc/dirsrv/admin-serv EXCEPT
>>> admserv.conf httpd.conf console.conf nss.conf - do not remove
>>> these files or the directory
>>
>> Those were the only files in there, so no problem.
>>
>>> Then you should have a clean system to start over with
>>
>> Okay, so I can start again with the setup-ds-admin.pl script?
> Yes.

Hmm, no dice.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Could not copy file '/etc/dirsrv/config/slapd-collations.conf' to
'/etc/dirsrv/slapd-ldap/slapd-collations.conf'. Error: No such file or directory
Error: Could not create directory server instance 'ldap'.
Exiting . . .
Log file is '/tmp/setup8I0wbR.log'

[root@falls config]# ls -al /etc/dirsrv/config/
total 24
drwxr-xr-x 2 root root   4096 Nov 14 11:22 .
drwxrwxr-x 7 root nobody 4096 Nov 14 11:31 ..
-rw-r--r-- 1 root root   3595 Sep 24 21:58 certmap.conf
[root@falls config]#

I'm not sure where that file would have gone?

Chris

>
>> And, I don't mean to be rude, but has the root cause of the problem
>> been identified? :P I can easily replicate it...
> The root cause is the bogus ownership/permissions on /var/run/dirsrv
> - the directory server user id (default: nobody) must be able to
> write to this directory. We are working to fix this problem.
>>
>>
>> Chris

From rmeggins at redhat.com Fri Nov 14 16:41:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 14 Nov 2008 09:41:19 -0700
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <973239F4-9869-4049-8F27-D31F0086CE2E@bowdoin.edu>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <491DA075.5020804@redhat.com> <72BB646C-EFF7-4FE4-9972-7B1C8B07DB70@bowdoin.edu> <491DA824.4040909@redhat.com> <973239F4-9869-4049-8F27-D31F0086CE2E@bowdoin.edu>
Message-ID: <491DAA2F.6090007@redhat.com>

Christopher Waltham wrote:
> On Nov 14, 2008, at 11:32 AM, Rich Megginson wrote:
>
>> Christopher Waltham wrote:
>>> Thanks for the reply, Rich:
>>>
>>> On Nov 14, 2008, at 10:59 AM, Rich Megginson wrote:
>>>
>>>>> [root@falls ~]# /etc/init.d/dirsrv start
>>>>> Starting dirsrv:
>>>>> falls... [FAILED]
>>>>> *** Warning: 1 instance(s) failed to start
>>>>>
>>>>> If I manually chmod & chown the /var/run/dirsrv directory, it will
>>>>> start:
>>>>>
>>>>> [root@falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody
>>>>> /var/run/dirsrv
>>>>> [root@falls ~]# /etc/init.d/dirsrv start
>>>>> Starting dirsrv:
>>>>> falls... [ OK ]
>>>>>
>>>>> However, because the setup-ds-admin.pl process never completed,
>>>>> the admin server hasn't been configured (and I don't want to have
>>>>> to do that by hand). Note that I am using nobody:nobody in the FDS
>>>>> installer when asked who I want to run the services as.
>>>>>
>>>>> When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody
>>>>> /var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error:
>>>>>
>>>>> [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your
>>>>> servers?
>>>>> [08/11/14:09:00:34] - [Setup] Info yes
>>>>> [08/11/14:09:00:34] - [Setup] Info Creating directory server . . .
>>>>> [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was
>>>>> successfully created.
>>>>> [08/11/14:09:00:36] - [Setup] Info Creating the configuration
>>>>> directory server . . .
>>>>> [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot'
>>>>> already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping
>>>>> tree,cn=config'.
>>>>>
>>>>> [08/11/14:09:00:36] - [Setup] Fatal Failed to create the
>>>>> configuration directory server
>>>>> [08/11/14:09:00:36] - [Setup] Fatal Exiting . . .
>>>>>
>>>>> Any thoughts? This is getting pretty frustrating :-\
>>>> Yes. The first problem caused the second. The first problem is
>>>> the permissions on /var/run/dirsrv, which allowed you to get past
>>>> "the point of no return" with setup. That is, your system is
>>>> already configured to the point that subsequent runs of setup think
>>>> it has been set up correctly.
>>>>
>>>> Try running ds_removal first - you may have to use the -f argument
>>>> to force removal.
>>>
>>> Ok, that's done.
>>>
>>>> Then, try this:
>>>> service dirsrv stop # may error if not running - that is ok
>>>> service dirsrv-admin stop # may error if not running - that is ok
>>>
>>> Done.
>>>
>>>> find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var -name slapd-\*
>>>
>>> [root@falls sbin]# find /etc/dirsrv /usr/lib/dirsrv
>>> /usr/lib64/dirsrv /var -name slapd-\*
>>> /etc/dirsrv/config/slapd-collations.conf
>>> /etc/dirsrv/slapd-falls.removed
>>> find: /usr/lib64: No such file or directory
>>>
>>> This is i386, so that looks fine.
>>>
>>>> If that list looks ok, do
>>>> rm -rf `find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var
>>>> -name slapd-\*`
>>>
>>> Done...
>>>
>>>> Finally, rm everything in /etc/dirsrv/admin-serv EXCEPT
>>>> admserv.conf httpd.conf console.conf nss.conf - do not remove these
>>>> files or the directory
>>>
>>> Those were the only files in there, so no problem.
>>>
>>>> Then you should have a clean system to start over with
>>>
>>> Okay, so I can start again with the setup-ds-admin.pl script?
>> Yes.
>
> Hmm, no dice.
>
> Are you ready to set up your servers? [yes]:
> Creating directory server . . .
> Could not copy file '/etc/dirsrv/config/slapd-collations.conf' to
> '/etc/dirsrv/slapd-ldap/slapd-collations.conf'. Error: No such file
> or directory
> Error: Could not create directory server instance 'ldap'.
> Exiting . . .
> Log file is '/tmp/setup8I0wbR.log'
>
> [root@falls config]# ls -al /etc/dirsrv/config/
> total 24
> drwxr-xr-x 2 root root   4096 Nov 14 11:22 .
> drwxrwxr-x 7 root nobody 4096 Nov 14 11:31 ..
> -rw-r--r-- 1 root root   3595 Sep 24 21:58 certmap.conf
> [root@falls config]#
>
> I'm not sure where that file would have gone?
You removed it, unfortunately :-( I neglected to tell you not to
remove it :-(

For now, unless you need to support different languages, just
touch /etc/dirsrv/config/slapd-collations.conf
before running setup

You can get the real file here -
http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/schema/slapd-collations.conf?revision=1.6&root=dirsec&view=markup
>
>
> Chris
>
>
>
>>
>>> And, I don't mean to be rude, but has the root cause of the problem
>>> been identified? :P I can easily replicate it...
>> The root cause is the bogus ownership/permissions on /var/run/dirsrv
>> - the directory server user id (default: nobody) must be able to
>> write to this directory. We are working to fix this problem.
>>>
>>>
>>> Chris

From cwaltham at bowdoin.edu Fri Nov 14 16:49:27 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Fri, 14 Nov 2008 11:49:27 -0500
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <491DAA2F.6090007@redhat.com>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <491DA075.5020804@redhat.com> <72BB646C-EFF7-4FE4-9972-7B1C8B07DB70@bowdoin.edu> <491DA824.4040909@redhat.com> <973239F4-9869-4049-8F27-D31F0086CE2E@bowdoin.edu> <491DAA2F.6090007@redhat.com>
Message-ID:

On Nov 14, 2008, at 11:41 AM, Rich Megginson wrote:

> Christopher Waltham wrote:
>>>>> Okay, so I can start again with the setup-ds-admin.pl script?
>>> Yes.
>>
>> Hmm, no dice.
>>
>> Are you ready to set up your servers? [yes]:
>> Creating directory server . . .
>> Could not copy file '/etc/dirsrv/config/slapd-collations.conf' to
>> '/etc/dirsrv/slapd-ldap/slapd-collations.conf'. Error: No such file
>> or directory
>> Error: Could not create directory server instance 'ldap'.
>> Exiting . . .
>> Log file is '/tmp/setup8I0wbR.log'
>>
>> [root@falls config]# ls -al /etc/dirsrv/config/
>> total 24
>> drwxr-xr-x 2 root root   4096 Nov 14 11:22 .
>> drwxrwxr-x 7 root nobody 4096 Nov 14 11:31 ..
>> -rw-r--r-- 1 root root   3595 Sep 24 21:58 certmap.conf
>> [root@falls config]#
>>
>> I'm not sure where that file would have gone?
> You removed it, unfortunately :-( I neglected to tell you not to
> remove it :-(

LOL, no problem...

> For now, unless you need to support different languages, just
> touch /etc/dirsrv/config/slapd-collations.conf
> before running setup

Thanks! I'll give that a shot.

Chris

From G.Seaman at lse.ac.uk Fri Nov 14 16:54:46 2008
From: G.Seaman at lse.ac.uk (Graham Seaman)
Date: Fri, 14 Nov 2008 16:54:46 +0000
Subject: [Fedora-directory-users] surgery on existing directory
In-Reply-To: <491DA1F1.4070604@redhat.com>
References: <491D64C9.6010909@lse.ac.uk> <491DA1F1.4070604@redhat.com>
Message-ID: <491DAD56.9000902@lse.ac.uk>

Dumping the entire thing, editing, and restoring worked fine. Thank you!

Graham

Rich Megginson wrote:
> Graham Seaman wrote:
>> Hi,
>>
>> I have an existing populated directory supporting a live application.
>> The next development version will have some fairly large scale
>> changes - changes to schema, objectClasses, attribute names and
>> attribute values - but I can't lose the actual data we already have.
>>
>> The approach I've been trying is:
>>
>> 1. Use db2ldif to dump the groups and users (the only bit of the data
>> which is 'mine') from the live directory on the live system:
>>
>> /usr/lib/dirsrv/slapd-flame/db2ldif -U -n userRoot -a
>> /opt/backups/original.ldif -s "dc=lse,dc=ac,dc=uk" -s "ou=My Groups"
>> -s "ou=My Users"
> That's not really the purpose of db2ldif - it really wants to operate
> on the entire contents of the database. If you need to edit selective
> parts of the tree, you'll have to use one of the following approaches:
> Use db2ldif to get everything, but only modify the parts you want
> Use ldapsearch to selectively get what you want - then, either use
> ldapdelete to remove entire entries and ldapmodify -a to add them
> back, or if you can just modify the entries in place, use ldif change
> statements (changetype: modify) and use ldapmodify (no -a)
>>
>> 2. Edit the ldif file with the changes I need
>>
>> 3. Load the ldif file into a new fedora directory on my
>> development system with ldif2db.pl:
>>
>> /usr/lib/dirsrv/slapd-dam/ldif2db.pl -D "cn=directory manager" -w
>> MYPASS -n userRoot -s "dc=lse,dc=ac,dc=uk" -s "ou=New Groups" -s
>> "ou=New Users" -i /opt/backups/new.ldif
>>
>> ldif2db.pl terminates almost immediately, clearly without having read
>> most of the file. The fedora log shows:
>>
>> [14/Nov/2008:11:35:54 +0000] conn=2 op=1 ADD
>> dn="cn=import_2008_11_14_11_35_55, cn=import, cn=tasks, cn=config"
>> [14/Nov/2008:11:35:54 +0000] conn=2 op=1 RESULT err=0 tag=105
>> nentries=0 etime=0
> This is because ldif2db.pl just invokes an internal task using a task
> entry. If you want to monitor the progress of the import, you'll have
> to look at the errors log, or use ldapsearch to query the entry that
> ldif2db.pl spits out (cn=import_2008_11_14_11_35_55, cn=import,
> cn=tasks, cn=config)
>>
>> If I repeat the operation I get 'operation error'; and if I try to
>> access the directory, it appears to be completely empty.
> Probably what happened is that you attempted to import from an LDIF
> file that did not contain the parent entries - the LDIF only contained
> your users and groups. Import (ldif2db) is a _destructive_ operation
> - it will completely wipe out the contents of your database before
> adding the new entries. In order to add an entry in LDAP, the parent
> entry must exist. This means that if you want to import an LDIF
> file, and dc=lse,dc=ac,dc=uk is your base suffix, the LDIF file must
> contain the entry
> dn: dc=lse,dc=ac,dc=uk
> ...
>
> and any other parent entries of the entries you want to import.
>>
>> So, two questions:
>>
>> - is this a reasonable way to go about this task, or are there other
>> tools I should use?
>> - any suggestions for debugging?
>>
>> Thanks
>> Graham

From prabhat3107 at gmail.com Fri Nov 14 19:16:38 2008
From: prabhat3107 at gmail.com (Prabhat Ranjan Pradhan)
Date: Sat, 15 Nov 2008 00:46:38 +0530
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu>
Message-ID: <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com>

Hi Chris and all,

I too struggled for the same problem for almost 4 months. I googled
several times to find any solution. At last I discovered a link posted
by Pieter de Rijk. I must say thanks to this gentleman who did a
splendid job to pinpoint the error. Getting a hint from this link, what
I did is:

1. disabled SELinux
2. created a user (and default group) fedora-ds
3. installed fedora-ds using yum.
4. changed the ownership of /var/run/dirsrv to fedora-ds
   # chown -R fedora-ds:fedora-ds /var/run/dirsrv
5. started installation with setup-ds-admin.pl.
6. entered fedora-ds as user and group name when prompted by the installer..
7. Hurray!!! my installation was successful.

I had repeated this procedure several times on vmware virtual machines
running fedora9 and fedora8.

May I bring this issue to the notice of the development team that the
file permission of /var/run/dirsrv is an issue to be looked into. The
authentic reason for this can be found in Mr Pieter de Rijk's work at
http://blog.adslweb.net/serendipity/article/244/Fedora-directory-server

Prabhat

On Fri, Nov 14, 2008 at 8:13 PM, Christopher Waltham wrote:

> I'm using RHEL5.2 (i386) and installing RPMs from the FDS repository that's
> mentioned on the FDS wiki. But I'm having trouble configuring FDS 1.1.3 due
> to errors that I believe are related to permissions on /var/run/dirsrv.
>
> Before installing DS, here are the permissions on /var/run/dirsrv:
>
> [root@falls ~]# ls -ald /var/run/dirsrv
> drwxr-xr-x 3 root root 4096 Nov 14 09:24 /var/run/dirsrv
>
> When finishing the end of setup-ds-admin.pl, I see these messages:
>
> Are you ready to set up your servers? [yes]:
> Creating directory server . . .
> Server failed to start !!! Please check errors log for problems
> Possible timeout starting server: timeout=1226673415 now=1226673416
> Could not start the directory server using command
> '/usr/lib/dirsrv/slapd-falls/start-slapd'. The last line from the error log
> was '[14/Nov/2008:09:26:55 -0500] - Fedora-Directory/1.1.3 B2008.269.157
> starting up
> '. Error: Unknown error 256
> Error: Could not create directory server instance 'falls'.
> Exiting . . .
> Log file is '/tmp/setupblsNWZ.log'
>
> There is nothing else of relevance in either /tmp/setupblsNWZ.log or
> /var/log/dirsrv/slapd-falls/errors
>
> If I try and start the directory server after the installation failed, I
> get this error:
>
> [root@falls ~]# /etc/init.d/dirsrv start
> Starting dirsrv:
> falls... [FAILED]
> *** Warning: 1 instance(s) failed to start
>
> If I manually chmod & chown the /var/run/dirsrv directory, it will start:
>
> [root@falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody
> /var/run/dirsrv
> [root@falls ~]# /etc/init.d/dirsrv start
> Starting dirsrv:
> falls... [ OK ]
>
> However, because the setup-ds-admin.pl process never completed, the admin
> server hasn't been configured (and I don't want to have to do that by hand).
> Note that I am using nobody:nobody in the FDS installer when asked who I
> want to run the services as.
>
> When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody
> /var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error:
>
> [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your servers?
> [08/11/14:09:00:34] - [Setup] Info yes
> [08/11/14:09:00:34] - [Setup] Info Creating directory server . . .
> [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was
> successfully created.
> [08/11/14:09:00:36] - [Setup] Info Creating the configuration directory
> server . . .
> [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot' already
> exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'.
>
> [08/11/14:09:00:36] - [Setup] Fatal Failed to create the configuration
> directory server
> [08/11/14:09:00:36] - [Setup] Fatal Exiting . . .
>
> Any thoughts? This is getting pretty frustrating :-\
>
> Thanks,
>
>
> Chris
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From stupid.tech at gmail.com Fri Nov 14 21:48:30 2008
From: stupid.tech at gmail.com (stupid stupid)
Date: Fri, 14 Nov 2008 16:48:30 -0500
Subject: [Fedora-directory-users] Re: Personal Address book In FDS
In-Reply-To: <96d404fe0811140550u5cf6893dhdfc7928f36ca719a@mail.gmail.com>
References: <96d404fe0811140550u5cf6893dhdfc7928f36ca719a@mail.gmail.com>
Message-ID: <96d404fe0811141348m164b58b4x85be0e85a300899b@mail.gmail.com>

Anybody???

On Fri, Nov 14, 2008 at 8:50 AM, stupid stupid wrote:

> Hello,
> I am new to FDS and LDAP world. I have installed FDS on a server and would
> like to use it for Address book lookup.
> The address book look up is working from different mail clients, > but I wanted to know how to allow users to add their own Personal Address > book entries to the Fedora DS. > > Please help. > > Thanks > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cwaltham at bowdoin.edu Fri Nov 14 23:47:53 2008 From: cwaltham at bowdoin.edu (Christopher Waltham) Date: Fri, 14 Nov 2008 18:47:53 -0500 Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2 In-Reply-To: <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com> References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com> Message-ID: Hi Prabhat, On Nov 14, 2008, at 2:16 PM, Prabhat Ranjan Pradhan wrote: > Hi Chris and all, > > I too struggled for the same problem for almost 4 months. I googled > several times to find any solution. > > At last I discovered a link Posted by Pieter de Rijk . I must say > thanks to this gentleman who did a splendid job to pinpoint the error. > > > getting hint from this link what I did is: > > 1. disabled SELinux > 2. created a user (and default group) fedora-ds > 3. installed fedora-ds using yum. > 4. changed the ownership of /var/run/dirsrv to fedora-ds > # chwon -R fedora-ds:fedora-ds /var/run/dirsrv > 5. started installation with setup-ds-admin.pl. > 6. entered fedora-ds as user and group name when prompted by the > installer.. > 7. Hurray!!! my installation was successfull. > > I had repeated this procedure several times on vmware virtual > machines runing fedora9 and fedora8. Thanks for the note! I'm using VMware ESX so I'm taking snapshots to make troubleshooting easier. I didn't realize SELinux was still enabled, so I disabled it. Then I followed the rest of your instructions, but I still had problems: Are you ready to set up your servers? [yes]: Creating directory server . . . Your new DS instance 'ldap' was successfully created. 
Creating the configuration directory server . . .
The suffix 'o=NetscapeRoot' already exists. Config entry DN
'cn="o=NetscapeRoot",cn=mapping tree,cn=config'.

That's using fedora-ds as both user and group. Curiously, if I do a
chmod/chown and set /var/run/dirsrv to nobody:nobody (and then choose
the "nobody" user in setup-ds-admin.pl), I get exactly the same
problem...


Chris

>
>
>
> May I bring this issue to the notice of the development team that the
> file permission of /var/run/dirsrv is an issue to be looked into.
> The authentic reason for this can be found in Mr Pieter de Rijk's
> work at http://blog.adslweb.net/serendipity/article/244/Fedora-directory-server
>
> Prabhat
>
>
>
>
> On Fri, Nov 14, 2008 at 8:13 PM, Christopher Waltham
> wrote:
> I'm using RHEL5.2 (i386) and installing RPMs from the FDS repository
> that's mentioned on the FDS wiki. But I'm having trouble configuring
> FDS 1.1.3 due to errors that I believe are related to permissions
> on /var/run/dirsrv.
>
> Before installing DS, here are the permissions on /var/run/dirsrv:
>
> [root at falls ~]# ls -ald /var/run/dirsrv
> drwxr-xr-x 3 root root 4096 Nov 14 09:24 /var/run/dirsrv
>
> When finishing the end of setup-ds-admin.pl, I see these messages:
>
> Are you ready to set up your servers? [yes]:
> Creating directory server . . .
> Server failed to start !!! Please check errors log for problems
> Possible timeout starting server: timeout=1226673415 now=1226673416
> Could not start the directory server using command '/usr/lib/dirsrv/
> slapd-falls/start-slapd'. The last line from the error log was '[14/
> Nov/2008:09:26:55 -0500] - Fedora-Directory/1.1.3 B2008.269.157
> starting up
> '. Error: Unknown error 256
> Error: Could not create directory server instance 'falls'.
> Exiting . . .
> Log file is '/tmp/setupblsNWZ.log' > > There is nothing else of relevance in either /tmp/setupblsNWZ.log > or /var/log/dirsrv/slapd-falls/errors > > If I try and start the directory server after the installation > failed, I get this error: > > [root at falls ~]# /etc/init.d/dirsrv start > Starting dirsrv: > falls... [FAILED] > *** Warning: 1 instance(s) failed to start > > If I manually chmod & chown the /var/run/dirsrv directory, it will > start: > > [root at falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody / > var/run/dirsrv > [root at falls ~]# /etc/init.d/dirsrv start > Starting dirsrv: > falls... [ OK ] > > However, because the setup-ds-admin.pl process never completed, the > admin server hasn't been configured (and I don't want to have to do > that by hand). Note that I am using nobody:nobody in the FDS > installer when asked who I want to run the services as. > > When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody / > var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error: > > [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your > servers? > [08/11/14:09:00:34] - [Setup] Info yes > [08/11/14:09:00:34] - [Setup] Info Creating directory server . . . > [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was > successfully created. > [08/11/14:09:00:36] - [Setup] Info Creating the configuration > directory server . . . > [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot' > already exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping > tree,cn=config'. > > [08/11/14:09:00:36] - [Setup] Fatal Failed to create the > configuration directory server > [08/11/14:09:00:36] - [Setup] Fatal Exiting . . . > > Any thoughts? 
This is getting pretty frustrating :-\ > > Thanks, > > > Chris > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri Nov 14 23:53:50 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 14 Nov 2008 16:53:50 -0700 Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2 In-Reply-To: References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com> Message-ID: <491E0F8E.8070003@redhat.com> Christopher Waltham wrote: > Hi Prabhat, > > On Nov 14, 2008, at 2:16 PM, Prabhat Ranjan Pradhan wrote: > >> Hi Chris and all, >> >> I too struggled for the same problem for almost 4 months. I googled >> several times to find any solution. >> >> At last I discovered a link Posted by Pieter de Rijk >> . I >> must say thanks to this gentleman who did a splendid job to pinpoint >> the error. >> >> >> getting hint from this link what I did is: >> >> 1. disabled SELinux >> 2. created a user (and default group) fedora-ds >> 3. installed fedora-ds using yum. >> 4. changed the ownership of /var/run/dirsrv to fedora-ds >> # chwon -R fedora-ds:fedora-ds /var/run/dirsrv >> 5. started installation with setup-ds-admin.pl. >> 6. entered fedora-ds as user and group name when prompted by the >> installer.. >> 7. Hurray!!! my installation was successfull. >> >> I had repeated this procedure several times on vmware virtual >> machines runing fedora9 and fedora8. > > Thanks for the note! I'm using VMware ESX so I'm taking snapshots to > make troubleshooting easier. > > I didn't realize SELinux was still enabled, so I disabled it. 
Then I > followed the rest of your instructions, but I still had problems: > > Are you ready to set up your servers? [yes]: > Creating directory server . . . > Your new DS instance 'ldap' was successfully created. > Creating the configuration directory server . . . > The suffix 'o=NetscapeRoot' already exists. Config entry DN > 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'. > > That's using fedora-ds as both user and group. Curiously, if I do a > chmod/chown and set /var/run/dirsrv to to nobody:nobody (and then > choose the "nobody" user in setup-ds-admin.pl), I get exactly the same > problem... This looks like a different problem. This is what usually happens if you run setup again without having first cleaned up everything from the prior run. One problem with setup-ds-admin.pl is that you cannot simply run it again - it will detect the previous configuration (however broken it may be). > > > Chris > >> >> >> >> May I bring this issue to the notice of development team that the >> file permission of /var/run/dirsrv is an issue to be looked into. >> The authentic reason for this can be fond in Mr Pieter de Rijk >> 's >> work. at >> http://blog.adslweb.net/serendipity/article/244/Fedora-directory-server >> >> Prabhat >> >> >> >> >> On Fri, Nov 14, 2008 at 8:13 PM, Christopher Waltham >> > wrote: >> >> I'm using RHEL5.2 (i386) and installing RPMs from the FDS >> repository that's mentioned on the FDS wiki. But I'm having >> trouble configuring FDS 1.1.3 due to errors that I believe are >> related to permissions on /var/run/dirsrv. >> >> Before installing DS, here are the permission on /var/run/dirsrv: >> >> [root at falls ~]# ls -ald /var/run/dirsrv >> drwxr-xr-x 3 root root 4096 Nov 14 09:24 /var/run/dirsrv >> >> When finishing the end of setup-ds-admin.pl, I see these messages: >> >> Are you ready to set up your servers? [yes]: >> Creating directory server . . . >> Server failed to start !!! 
Please check errors log for problems >> Possible timeout starting server: timeout=1226673415 now=1226673416 >> Could not start the directory server using command >> '/usr/lib/dirsrv/slapd-falls/start-slapd'. The last line from >> the error log was '[14/Nov/2008:09:26:55 -0500] - >> Fedora-Directory/1.1.3 B2008.269.157 starting up >> '. Error: Unknown error 256 >> Error: Could not create directory server instance 'falls'. >> Exiting . . . >> Log file is '/tmp/setupblsNWZ.log' >> >> There is nothing else of relevance in either /tmp/setupblsNWZ.log >> or /var/log/dirsrv/slapd-falls/errors >> >> If I try and start the directory server after the installation >> failed, I get this error: >> >> [root at falls ~]# /etc/init.d/dirsrv start >> Starting dirsrv: >> falls... [FAILED] >> *** Warning: 1 instance(s) failed to start >> >> If I manually chmod & chown the /var/run/dirsrv directory, it >> will start: >> >> [root at falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody >> /var/run/dirsrv >> [root at falls ~]# /etc/init.d/dirsrv start >> Starting dirsrv: >> falls... [ OK ] >> >> However, because the setup-ds-admin.pl process never completed, >> the admin server hasn't been configured (and I don't want to have >> to do that by hand). Note that I am using nobody:nobody in the >> FDS installer when asked who I want to run the services as. >> >> When I manually ( chmod 770 /var/run/dirsrv && chown >> nobody:nobody /var/run/dirsrv ) *before* I run setup-ds-admin.pl >> I get this error: >> >> [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your >> servers? >> [08/11/14:09:00:34] - [Setup] Info yes >> [08/11/14:09:00:34] - [Setup] Info Creating directory server . . . >> [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' >> was successfully created. >> [08/11/14:09:00:36] - [Setup] Info Creating the configuration >> directory server . . . >> [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot' >> already exists. 
Config entry DN 'cn="o=NetscapeRoot",cn=mapping >> tree,cn=config'. >> >> [08/11/14:09:00:36] - [Setup] Fatal Failed to create the >> configuration directory server >> [08/11/14:09:00:36] - [Setup] Fatal Exiting . . . >> >> Any thoughts? This is getting pretty frustrating :-\ >> >> Thanks, >> >> >> Chris >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From cwaltham at bowdoin.edu Sat Nov 15 00:39:49 2008 From: cwaltham at bowdoin.edu (Christopher Waltham) Date: Fri, 14 Nov 2008 19:39:49 -0500 Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2 In-Reply-To: <491E0F8E.8070003@redhat.com> References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com> <491E0F8E.8070003@redhat.com> Message-ID: <9125C8C9-7C43-42C1-825C-CDDEF750C1B0@bowdoin.edu> On Nov 14, 2008, at 6:53 PM, Rich Megginson wrote: > Christopher Waltham wrote: >> Hi Prabhat, >> >> On Nov 14, 2008, at 2:16 PM, Prabhat Ranjan Pradhan wrote: >> >>> Hi Chris and all, >>> >>> I too struggled for the same problem for almost 4 months. I >>> googled several times to find any solution. >>> >>> At last I discovered a link Posted by Pieter de Rijk >> > . I must say thanks to this gentleman who did a splendid job to >>> pinpoint the error. 
>>> >>> >>> getting hint from this link what I did is: >>> >>> 1. disabled SELinux >>> 2. created a user (and default group) fedora-ds >>> 3. installed fedora-ds using yum. >>> 4. changed the ownership of /var/run/dirsrv to fedora-ds >>> # chwon -R fedora-ds:fedora-ds /var/run/dirsrv >>> 5. started installation with setup-ds-admin.pl. >>> 6. entered fedora-ds as user and group name when prompted by the >>> installer.. >>> 7. Hurray!!! my installation was successfull. >>> >>> I had repeated this procedure several times on vmware virtual >>> machines runing fedora9 and fedora8. >> >> Thanks for the note! I'm using VMware ESX so I'm taking snapshots >> to make troubleshooting easier. >> >> I didn't realize SELinux was still enabled, so I disabled it. Then >> I followed the rest of your instructions, but I still had problems: >> >> Are you ready to set up your servers? [yes]: Creating directory >> server . . . >> Your new DS instance 'ldap' was successfully created. >> Creating the configuration directory server . . . >> The suffix 'o=NetscapeRoot' already exists. Config entry DN >> 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'. >> >> That's using fedora-ds as both user and group. Curiously, if I do a >> chmod/chown and set /var/run/dirsrv to to nobody:nobody (and then >> choose the "nobody" user in setup-ds-admin.pl), I get exactly the >> same problem... > This looks like a different problem. This is what usually happens > if you run setup again without having first cleaned up everything > from the prior run. One problem with setup-ds-admin.pl is that you > cannot simply run it again - it will detect the previous > configuration (however broken it may be). That's what I thought -- and can't understand. :) This is a fresh install of RHEL; I did a find / -name dirsrv and it came up with nada. Zero. Zilch! I'm not sure what else to look for? 
Chris From rmeggins at redhat.com Sat Nov 15 03:45:31 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 14 Nov 2008 20:45:31 -0700 Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2 In-Reply-To: <9125C8C9-7C43-42C1-825C-CDDEF750C1B0@bowdoin.edu> References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com> <491E0F8E.8070003@redhat.com> <9125C8C9-7C43-42C1-825C-CDDEF750C1B0@bowdoin.edu> Message-ID: <491E45DB.9020900@redhat.com> Christopher Waltham wrote: > > On Nov 14, 2008, at 6:53 PM, Rich Megginson wrote: > >> Christopher Waltham wrote: >>> Hi Prabhat, >>> >>> On Nov 14, 2008, at 2:16 PM, Prabhat Ranjan Pradhan wrote: >>> >>>> Hi Chris and all, >>>> >>>> I too struggled for the same problem for almost 4 months. I googled >>>> several times to find any solution. >>>> >>>> At last I discovered a link Posted by Pieter de Rijk >>>> . I >>>> must say thanks to this gentleman who did a splendid job to >>>> pinpoint the error. >>>> >>>> >>>> getting hint from this link what I did is: >>>> >>>> 1. disabled SELinux >>>> 2. created a user (and default group) fedora-ds >>>> 3. installed fedora-ds using yum. >>>> 4. changed the ownership of /var/run/dirsrv to fedora-ds >>>> # chwon -R fedora-ds:fedora-ds /var/run/dirsrv >>>> 5. started installation with setup-ds-admin.pl. >>>> 6. entered fedora-ds as user and group name when prompted by the >>>> installer.. >>>> 7. Hurray!!! my installation was successfull. >>>> >>>> I had repeated this procedure several times on vmware virtual >>>> machines runing fedora9 and fedora8. >>> >>> Thanks for the note! I'm using VMware ESX so I'm taking snapshots to >>> make troubleshooting easier. >>> >>> I didn't realize SELinux was still enabled, so I disabled it. Then I >>> followed the rest of your instructions, but I still had problems: >>> >>> Are you ready to set up your servers? [yes]: Creating directory >>> server . 
. . >>> Your new DS instance 'ldap' was successfully created. >>> Creating the configuration directory server . . . >>> The suffix 'o=NetscapeRoot' already exists. Config entry DN >>> 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'. >>> >>> That's using fedora-ds as both user and group. Curiously, if I do a >>> chmod/chown and set /var/run/dirsrv to to nobody:nobody (and then >>> choose the "nobody" user in setup-ds-admin.pl), I get exactly the >>> same problem... >> This looks like a different problem. This is what usually happens if >> you run setup again without having first cleaned up everything from >> the prior run. One problem with setup-ds-admin.pl is that you cannot >> simply run it again - it will detect the previous configuration >> (however broken it may be). > > That's what I thought -- and can't understand. :) This is a fresh > install of RHEL; I did a find / -name dirsrv and it came up with nada. > Zero. Zilch! I'm not sure what else to look for? No dirsrv directories at all? There should be some - try rpm -V fedora-ds-base - if that has problems, try yum reinstall fedora-ds-base finally, try setup-ds-admin.pl -ddd to generate debug output - log file is in /tmp > > > Chris > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From prabhat3107 at gmail.com Sat Nov 15 16:20:44 2008 From: prabhat3107 at gmail.com (Prabhat Ranjan Pradhan) Date: Sat, 15 Nov 2008 08:20:44 -0800 Subject: [Fedora-directory-users] "Server failed to start !!!" 
when installing FDS 1.1.3 in RHEL5.2
In-Reply-To:
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com>
Message-ID: <990360ae0811150820y2b9c249ahb25ec00d56f94bda@mail.gmail.com>

Hi Chris,

I am sorry that I forgot a few steps. These have to be performed especially to install after an unsuccessful attempt.

1. uninstall fedora-ds
   # yum remove fedora-ds
2. remove the following directories.
   # rm -r /etc/dirsrv
   # rm -r /etc/sysconfig/dirsrv
   # rm -r /var/lock/dirsrv
   # rm -r /var/lib/dirsrv

Then follow the steps I had already mentioned to complete your installation. Hope you will get a clean installation.

Prabhat

On Fri, Nov 14, 2008 at 3:47 PM, Christopher Waltham wrote:
> Hi Prabhat,
> On Nov 14, 2008, at 2:16 PM, Prabhat Ranjan Pradhan wrote:
>
> Hi Chris and all,
>
> I too struggled with the same problem for almost 4 months. I googled several
> times to find any solution.
>
> At last I discovered a link posted by Pieter de Rijk. I must say thanks to this gentleman, who did a splendid job of pinpointing the
> error.
>
>
> Getting a hint from this link, what I did is:
>
> 1. disabled SELinux
> 2. created a user (and default group) fedora-ds
> 3. installed fedora-ds using yum.
> 4. changed the ownership of /var/run/dirsrv to fedora-ds
> # chown -R fedora-ds:fedora-ds /var/run/dirsrv
> 5. started installation with setup-ds-admin.pl.
> 6. entered fedora-ds as user and group name when prompted by the
> installer.
> 7. Hurray!!! my installation was successful.
>
> I had repeated this procedure several times on vmware virtual machines
> running fedora9 and fedora8.
>
>
> Thanks for the note! I'm using VMware ESX so I'm taking snapshots to make
> troubleshooting easier.
>
> I didn't realize SELinux was still enabled, so I disabled it. Then I
> followed the rest of your instructions, but I still had problems:
>
> Are you ready to set up your servers? [yes]:
> Creating directory server . . .
> Your new DS instance 'ldap' was successfully created. > Creating the configuration directory server . . . > The suffix 'o=NetscapeRoot' already exists. Config entry DN > 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'. > > That's using fedora-ds as both user and group. Curiously, if I do a > chmod/chown and set /var/run/dirsrv to to nobody:nobody (and then choose the > "nobody" user in setup-ds-admin.pl), I get exactly the same problem... > > > Chris > > > > > May I bring this issue to the notice of development team that the file > permission of /var/run/dirsrv is an issue to be looked into. > The authentic reason for this can be fond in Mr Pieter de Rijk's > work. at > http://blog.adslweb.net/serendipity/article/244/Fedora-directory-server > > Prabhat > > > > > On Fri, Nov 14, 2008 at 8:13 PM, Christopher Waltham > wrote: > >> I'm using RHEL5.2 (i386) and installing RPMs from the FDS repository >> that's mentioned on the FDS wiki. But I'm having trouble configuring FDS >> 1.1.3 due to errors that I believe are related to permissions on >> /var/run/dirsrv. >> >> Before installing DS, here are the permission on /var/run/dirsrv: >> >> [root at falls ~]# ls -ald /var/run/dirsrv >> drwxr-xr-x 3 root root 4096 Nov 14 09:24 /var/run/dirsrv >> >> When finishing the end of setup-ds-admin.pl, I see these messages: >> >> Are you ready to set up your servers? [yes]: >> Creating directory server . . . >> Server failed to start !!! Please check errors log for problems >> Possible timeout starting server: timeout=1226673415 now=1226673416 >> Could not start the directory server using command >> '/usr/lib/dirsrv/slapd-falls/start-slapd'. The last line from the error log >> was '[14/Nov/2008:09:26:55 -0500] - Fedora-Directory/1.1.3 B2008.269.157 >> starting up >> '. Error: Unknown error 256 >> Error: Could not create directory server instance 'falls'. >> Exiting . . . 
>> Log file is '/tmp/setupblsNWZ.log' >> >> There is nothing else of relevance in either /tmp/setupblsNWZ.log or >> /var/log/dirsrv/slapd-falls/errors >> >> If I try and start the directory server after the installation failed, I >> get this error: >> >> [root at falls ~]# /etc/init.d/dirsrv start >> Starting dirsrv: >> falls... [FAILED] >> *** Warning: 1 instance(s) failed to start >> >> If I manually chmod & chown the /var/run/dirsrv directory, it will start: >> >> [root at falls ~]# chmod 770 /var/run/dirsrv && chown nobody:nobody >> /var/run/dirsrv >> [root at falls ~]# /etc/init.d/dirsrv start >> Starting dirsrv: >> falls... [ OK ] >> >> However, because the setup-ds-admin.pl process never completed, the admin >> server hasn't been configured (and I don't want to have to do that by hand). >> Note that I am using nobody:nobody in the FDS installer when asked who I >> want to run the services as. >> >> When I manually ( chmod 770 /var/run/dirsrv && chown nobody:nobody >> /var/run/dirsrv ) *before* I run setup-ds-admin.pl I get this error: >> >> [08/11/14:09:00:33] - [Setup] Info Are you ready to set up your servers? >> [08/11/14:09:00:34] - [Setup] Info yes >> [08/11/14:09:00:34] - [Setup] Info Creating directory server . . . >> [08/11/14:09:00:36] - [Setup] Info Your new DS instance 'ldap' was >> successfully created. >> [08/11/14:09:00:36] - [Setup] Info Creating the configuration directory >> server . . . >> [08/11/14:09:00:36] - [Setup] Fatal The suffix 'o=NetscapeRoot' already >> exists. Config entry DN 'cn="o=NetscapeRoot",cn=mapping tree,cn=config'. >> >> [08/11/14:09:00:36] - [Setup] Fatal Failed to create the configuration >> directory server >> [08/11/14:09:00:36] - [Setup] Fatal Exiting . . . >> >> Any thoughts? 
This is getting pretty frustrating :-\ >> >> Thanks, >> >> >> Chris >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From realrichardsharpe at gmail.com Sat Nov 15 17:17:38 2008 From: realrichardsharpe at gmail.com (Richard Sharpe) Date: Sat, 15 Nov 2008 09:17:38 -0800 Subject: [Fedora-directory-users] Restored dirsrv on another system but now it does not return any entries for queries Message-ID: <46b8a8850811150917r3bd075c9g95a62dce4800e2b0@mail.gmail.com> Hi, I was trying to move our dirsrv to another machine, so I installed Fedora-DS on the new server, backed up the original machine, restored it on the new server, which seemed to go OK. If I do "ldapsearch -x '*'" on the new server, I seem to get the correct results, however, if I do 'getent passwd' I do not get any entries from dirsrv. I grabbed packet captures from doing 'getent passwd' where LDAP points at the original dirsrv server and the new one (boy, I knew that all that work I did on Ethereal would come in handy one day) and the difference is that against the original dirsrv server I get back all the posixAccount (or something) entries, but against the new dirsrv server, I get back zero entries. However, the queries are the same. The log file on the new dirsrv server also says zero entries returned. What have I forgotten? I haven't yet switched on lots of debugging to find out what is wrong on the new server, but I guess that is the next step if no one can think of something obvious I have done wrong. 
-- Regards, Richard Sharpe From matt.adams at cypressinteractive.com Sat Nov 15 18:09:24 2008 From: matt.adams at cypressinteractive.com (Matt Adams) Date: Sat, 15 Nov 2008 13:09:24 -0500 Subject: [Fedora-directory-users] Unable to access server group Message-ID: <491F1054.5020301@cypressinteractive.com> Folks: We recently changed the name of our LDAP server. We had a domain name change so ldaphost.subdomain.example.org effectively became ldaphost.new.subdomain.example.org). I changed every instance of subdomain.example.org throughout the Fedora DS configuration files and LDAP tree under o=NetscapeRoot. Everything appears to run okay: the directory server and admin server start up, answer queries and none of the integrated applications have had any trouble with this change. The only problem seems to be that I cannot access either the admin server or directory server through the Fedora management console. The "Server Group" entry under our administrative domain & host is empty (e.g., Administrative Server & Directory Server refuse to show up like they used to). Does anyone have any idea what might be happening here? I cannot find any errors that stand out in the logs. FWIW, we are running 1.0.4. Thanks in advance, Matt -- Matt Adams Development & Network Services Cypress Interactive http://cypressinteractive.com, http://edsuite.com From matt.adams at cypressinteractive.com Sat Nov 15 19:45:25 2008 From: matt.adams at cypressinteractive.com (Matt Adams) Date: Sat, 15 Nov 2008 14:45:25 -0500 Subject: [Fedora-directory-users] Unable to access server group In-Reply-To: <491F1054.5020301@cypressinteractive.com> References: <491F1054.5020301@cypressinteractive.com> Message-ID: <491F26D5.9060402@cypressinteractive.com> Matt Adams wrote: > The only problem seems to be that I cannot access either the admin > server or directory server through the Fedora management console. 
> The "Server Group" entry under our administrative domain & host is empty (e.g., Administrative Server & Directory Server refuse to show up like they used to).

Apologies - I found my mistake. cn=configuration for the relevant admin-serv entry under cn=Fedora Administration Server seems to have been pooched. I recreated this entry and all appears as it should in the management console.

Thanks,

Matt

--
Matt Adams
Development & Network Services
Cypress Interactive
http://cypressinteractive.com, http://edsuite.com

From realrichardsharpe at gmail.com Sun Nov 16 19:29:18 2008
From: realrichardsharpe at gmail.com (Richard Sharpe)
Date: Sun, 16 Nov 2008 11:29:18 -0800
Subject: [Fedora-directory-users] Re: Restored dirsrv on another system but now it does not return any entries for queries
In-Reply-To: <46b8a8850811150917r3bd075c9g95a62dce4800e2b0@mail.gmail.com>
References: <46b8a8850811150917r3bd075c9g95a62dce4800e2b0@mail.gmail.com>
Message-ID: <46b8a8850811161129m8543db6i3d6698af585baf7c@mail.gmail.com>

On Sat, Nov 15, 2008 at 9:17 AM, Richard Sharpe wrote:
> Hi,
>
> I was trying to move our dirsrv to another machine, so I installed Fedora-DS on the new server, backed up the original machine, restored it on the new server, which seemed to go OK.
>
> If I do "ldapsearch -x '*'" on the new server, I seem to get the correct results; however, if I do 'getent passwd' I do not get any entries from dirsrv.
>
> I grabbed packet captures from doing 'getent passwd' where LDAP points at the original dirsrv server and the new one (boy, I knew that all that work I did on Ethereal would come in handy one day) and the difference is that against the original dirsrv server I get back all the posixAccount (or something) entries, but against the new dirsrv server, I get back zero entries. However, the queries are the same.
>
> The log file on the new dirsrv server also says zero entries returned.
>
> What have I forgotten?
> I haven't yet switched on lots of debugging to find out what is wrong on the new server, but I guess that is the next step if no one can think of something obvious I have done wrong.

Some additional info here. The source server is CentOS 5.2 with the CentOS version of Fedora DS on it. It claims to be 8.0.0. The target server is RHEL 5.2 with the FC6 Fedora DS 1.1.3 on it.

--
Regards,
Richard Sharpe

From cwaltham at bowdoin.edu Mon Nov 17 19:36:51 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Mon, 17 Nov 2008 14:36:51 -0500
Subject: [Fedora-directory-users] "Server failed to start !!!" when installing FDS 1.1.3 in RHEL5.2
In-Reply-To: <491E45DB.9020900@redhat.com>
References: <1C9FE8C3-9A00-4545-88C5-12761F7AF094@bowdoin.edu> <990360ae0811141116ga3b0f31uaa529dd11a0bc3c8@mail.gmail.com> <491E0F8E.8070003@redhat.com> <9125C8C9-7C43-42C1-825C-CDDEF750C1B0@bowdoin.edu> <491E45DB.9020900@redhat.com>
Message-ID: <3250F5A2-CA0B-4E16-B140-2A2875624F47@bowdoin.edu>

On Nov 14, 2008, at 10:45 PM, Rich Megginson wrote:
>>> This looks like a different problem. This is what usually happens if you run setup again without having first cleaned up everything from the prior run. One problem with setup-ds-admin.pl is that you cannot simply run it again - it will detect the previous configuration (however broken it may be).
>>
>> That's what I thought -- and can't understand. :) This is a fresh install of RHEL; I did a find / -name dirsrv and it came up with nada. Zero. Zilch! I'm not sure what else to look for?
> No dirsrv directories at all? There should be some - try rpm -V fedora-ds-base - if that has problems, try yum reinstall fedora-ds-base
> finally, try setup-ds-admin.pl -ddd to generate debug output - log file is in /tmp

Thanks, guys. The problem was this: I was trying to create a new LDAP server with the same name (i.e., hostname) as a server that already existed on my network.
So, the admin server configuration utility was freaking out. I played with the /etc/hosts file and now life is good. Thanks for the help! Now I have another problem, but I'll create a new thread :)

Chris

From cwaltham at bowdoin.edu Mon Nov 17 19:48:58 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Mon, 17 Nov 2008 14:48:58 -0500
Subject: [Fedora-directory-users] Error generating certificate-signing request
Message-ID: <0927137E-1F69-432D-AF0F-8BEA638E5CB7@bowdoin.edu>

I'm having trouble generating a CSR on a pair of new DS 1.1.3 installs. I get this error message:

"An error has occured. Unable to convert DN to certificate name.
-----BEGIN NEW CERTIFICATE REQUEST-----"

(There is actually nothing listed under the "BEGIN NEW CERTIFICATE REQUEST" part).

This is my DN of the request: CN="falls", OU="Information Technology",O="Bowdoin College",L="Brunswick",ST="Maine",C="US".

I found this thread: http://www.linux-archive.org/fedora-directory/160707-error-creating-certificate-request.html online and tried the suggestion, i.e. removing the " quotes in the DN. After that, the request was generated successfully -- however, I don't think that this is good behavior... has anyone seen this issue before?

Chris

From dudko at fnal.gov Mon Nov 17 19:51:01 2008
From: dudko at fnal.gov (Lev Dudko)
Date: Mon, 17 Nov 2008 20:51:01 +0100
Subject: [Fedora-directory-users] DSGW user authorization problem
Message-ID: <1226951461.8797.96.camel@note1.sinp.msu.ru>

Dear Directory server experts,
could you help me, please, to solve the problem with DSGW authorization.
I have successfully set up FDS on Fedora 9 with setup-ds-admin.pl, set up ssl with the help of the script from this page:
http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
and run setup-ds-dsgw.
Now the directory server works, the administration server works and I can configure everything in DS and Admin server with the console
fedora-idm-console -a https://localhost:9830
ldap and ldaps ports are open and accept requests.

I can point my browser to https://localhost:9830 and use DSGW to search successfully, but I cannot do authorization: when I try to authorize as some user (normal user, Directory Manager or admin) I get the error:

Authentication Failed
Authentication failed because the password you supplied is incorrect. Please click the Retry button and try again. If you have forgotten the password for this entry, a directory administrator must reset the password for you.

Of course, I am sure that the password is correct. There is not much useful information in the log files. The executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.

I have read the available documentation rather carefully, but did not find the answer. It looks like one of the solutions is to use the binddnfile directive with a special text file, but it looks strange to me that it is impossible to use normal authorization in LDAP with DSGW.

Have I missed something during the configuration or forgot to add some special ACL?

Lev
From rmeggins at redhat.com Mon Nov 17 20:21:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Nov 2008 13:21:36 -0700
Subject: [Fedora-directory-users] DSGW user authorization problem
In-Reply-To: <1226951461.8797.96.camel@note1.sinp.msu.ru>
References: <1226951461.8797.96.camel@note1.sinp.msu.ru>
Message-ID: <4921D250.50401@redhat.com>

Lev Dudko wrote:
> Dear Directory server experts,
> could you help me, please, to solve the problem with DSGW authorization.
> I have successfully set up FDS on Fedora 9 with setup-ds-admin.pl, set up ssl with the help of the script from this page:
> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
> and run setup-ds-dsgw.
> Now the directory server works, the administration server works and I can configure everything in DS and Admin server with the console
> fedora-idm-console -a https://localhost:9830
> ldap and ldaps ports are open and accept requests.
>
> I can point my browser to https://localhost:9830 and use DSGW to search successfully, but I cannot do authorization: when I try to authorize as some user (normal user, Directory Manager or admin) I get the error:
> Authentication Failed
> Authentication failed because the password you supplied is incorrect. Please click the Retry button and try again. If you have forgotten the password for this entry, a directory administrator must reset the password for you.
>
> Of course, I am sure that the password is correct. There is not much useful information in the log files. The executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.
>
> I have read the available documentation rather carefully, but did not find the answer. It looks like one of the solutions is to use the binddnfile directive with a special text file, but it looks strange to me that it is impossible to use normal authorization in LDAP with DSGW.
>
> Have I missed something during the configuration or forgot to add some special ACL?
>
What platform?
Any information in your admin server logs at /var/log/dirsrv/admin-serv?
> Lev
>

From dudko at fnal.gov Mon Nov 17 21:24:06 2008
From: dudko at fnal.gov (Lev Dudko)
Date: Mon, 17 Nov 2008 22:24:06 +0100
Subject: [Fedora-directory-users] DSGW user authorization problem
In-Reply-To: <4921D250.50401@redhat.com>
References: <1226951461.8797.96.camel@note1.sinp.msu.ru> <4921D250.50401@redhat.com>
Message-ID: <1226957046.8797.128.camel@note1.sinp.msu.ru>

Hello Rich,
the OS is Fedora 9 (64) with all of the recent updates

rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64

Parts of the log files for DSGW authorisation

/var/log/dirsrv/admin-serv/access

- [17/Nov/2008:23:43:45 +0300] "POST /dsgwcmd/dosearch HTTP/1.1" 200 4088
- [17/Nov/2008:23:43:46 +0300] "GET /dsgwcmd/lang?context=dsgw&file=style.css HTTP/1.1" 302 231
- [17/Nov/2008:23:43:55 +0300] "POST /dsgwcmd/doauth HTTP/1.1" 200 1402

/var/log/dirsrv/admin-serv/error

(here is the strange point: the port marked in this log is 443, but in reality it is 9830. I have stopped apache and closed port 443 altogether, but in the log file it is still 443; the address and IP here are the same computer, which is localhost for all of the operations)

[Mon Nov 17 23:43:45 2008] [info] Connection to child 12 established (server www...:443, client 213.131....)
[Mon Nov 17 23:43:45 2008] [info] Initial (No.1) HTTPS request received for child 12 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 12 closed (server www-hep.sinp.msu.ru:443, client 213.131...)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 established (server www...:443, client 213.131....)
[Mon Nov 17 23:43:46 2008] [info] Initial (No.1) HTTPS request received for child 11 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 closed (server www-hep.sinp.msu.ru:443, client 213.131....)

/var/log/dirsrv/slapd-hep/access

[17/Nov/2008:23:43:45 +0300] conn=140 SSL 128-bit RC4
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:45 +0300] conn=140 op=1 SRCH base="dc=sinp, dc=msu, dc=ru" scope=2 filter="(&(objectClass=person)(|(cn=dudko)(sn=dudko)(uid=dudko)))" attrs="objectClass title"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101 nentries=1 etime=1
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 UNBIND
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 fd=70 closed - U1
[17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from 127.0.0.1 to 127.0.0.1
[17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0 [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0 [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0 [17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1 [17/Nov/2008:23:45:16 +0300] conn=124 op=7 SRCH base="dc=sinp,dc=msu,dc=ru" scope=2 filter="(&(objectClass=posixAccount)(uid=dudko))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass" [17/Nov/2008:23:45:18 +0300] conn=124 op=7 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" [17/Nov/2008:23:45:18 +0300] conn=124 op=7 RESULT err=0 tag=101 nentries=1 etime=2 /var/log/dirsrv/slapd-hep/error [17/Nov/2008:23:43:45 +0300] NSACLPlugin - #### conn=140 op=1 binddn="" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for update:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru: container:-1 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for update:ou=people,dc=sinp,dc=msu,dc=ru: container:2 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO STARTS ********* [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Client DN: [17/Nov/2008:23:43:46 +0300] NSACLPlugin - resource type:256(search target_DN ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN: uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ATTR: objectClass [17/Nov/2008:23:43:46 +0300] NSACLPlugin - rights:search [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO ENDS ********* [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]*** [17/Nov/2008:23:43:46 +0300] 
NSACLPlugin - ACL Index:2 ACL_ELEVEL:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous access"" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectCl ass) to anonymous: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=sinp,dc=msu,dc=ru" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI 
type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0 
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:cn for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous access"" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found SEARCH ALLOW in cache [17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(cn) to a nonymous: cached allow by aci(2) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) 
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:sn;lang-ru for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. 
Evaluating ALLOW aci(2) " "Enable anonymous access"" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(sn;lang-ru ) to anonymous: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=sinp,dc=msu,dc=ru" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] 
NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. 
Evaluating ALLOW aci(2) " "Enable anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found READ ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectClass) to anonymous: cached allow by aci(2)

Just in case, the list of the configuration directories:

/etc/dirsrv/admin-serv/
-rw-r--r-- 1 root   root     3984 19:02 admserv.conf
-rw------- 1 nobody root    16384 23:22 secmod.db
-r-------- 1 nobody nobody     50 23:27 password.conf
-r-------- 1 nobody nobody   4581 23:27 nss.conf
-rw-r--r-- 1 root   root    27061 03:39 httpd.conf
-rw------- 1 root   root   394016 04:52 console.conf
-rw------- 1 nobody root       40 04:56 admpw
-rw------- 1 nobody root      532 05:32 adm.conf
-rw------- 1 nobody root    16384 23:39 key3.db
-rw------- 1 nobody root    65536 23:39 cert8.db
-rw------- 1 nobody root    10259 00:04 local.conf

/etc/dirsrv/dsgw/
-r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
-r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
-r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
-rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
-rw-r--r-- 1 root   root 3192 Nov 16 23:42 dsgw-httpd.conf

One more strange point, which is not connected with the main problem. In /etc/dirsrv/admin-serv/local.conf I use only the addresses access filter, not hosts. The last one is blank (looks like * does not work):

configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
configuration.nsAdminAccessHosts:

But with a restart of the admin server the directive
configuration.nsAdminAccessHosts:
is removed from local.conf and the server does not start; I need to add this directive manually to start the server. Looks like this is a bug.

Lev

On Mon, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
> Lev Dudko wrote:
> > Dear Directory server experts,
> > could you help me, please, to solve the problem with DSGW authorization.
> > I have successfully set up FDS on Fedora 9 with setup-ds-admin.pl, set up ssl with the help of the script from this page:
> > http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
> > and run setup-ds-dsgw.
> > Now the directory server works, the administration server works and I can configure everything in DS and Admin server with the console
> > fedora-idm-console -a https://localhost:9830
> > ldap and ldaps ports are open and accept requests.
> >
> > I can point my browser to https://localhost:9830 and use DSGW to search successfully, but I cannot do authorization: when I try to authorize as some user (normal user, Directory Manager or admin) I get the error:
> > Authentication Failed
> > Authentication failed because the password you supplied is incorrect. Please click the Retry button and try again. If you have forgotten the password for this entry, a directory administrator must reset the password for you.
> >
> > Of course, I am sure that the password is correct. There is not much useful information in the log files. The executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.
> >
> > I have read the available documentation rather carefully, but did not find the answer. It looks like one of the solutions is to use the binddnfile directive with a special text file, but it looks strange to me that it is impossible to use normal authorization in LDAP with DSGW.
> >
> > Have I missed something during the configuration or forgot to add some special ACL?
> >
> What platform?
> Any information in your admin server logs at /var/log/dirsrv/admin-serv?
> > Lev
> >
>
--
Lev V. Dudko
e-mail:dudko at fnal.gov
t.
+41(22)7670778
http://top.sinp.msu.ru

From rmeggins at redhat.com Mon Nov 17 21:36:10 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Nov 2008 14:36:10 -0700
Subject: [Fedora-directory-users] DSGW user authorization problem
In-Reply-To: <1226957046.8797.128.camel@note1.sinp.msu.ru>
References: <1226951461.8797.96.camel@note1.sinp.msu.ru> <4921D250.50401@redhat.com> <1226957046.8797.128.camel@note1.sinp.msu.ru>
Message-ID: <4921E3CA.7070402@redhat.com>

Lev Dudko wrote:
> Hello Rich,
> the OS is Fedora 9 (64) with all of the recent updates
> rpm -qa | grep fedora-ds
> fedora-ds-1.1.2-1.fc9.x86_64
> fedora-ds-dsgw-1.1.1-1.fc9.x86_64
> fedora-ds-admin-1.1.6-1.fc9.x86_64
> fedora-ds-admin-console-1.1.2-1.fc9.noarch
> fedora-ds-console-1.1.2-2.fc9.noarch
> fedora-ds-base-1.1.3-2.fc9.x86_64
>
> Parts of the log files for DSGW authorisation
>
> /var/log/dirsrv/admin-serv/access
>
> - [17/Nov/2008:23:43:45 +0300] "POST /dsgwcmd/dosearch HTTP/1.1" 200 4088
> - [17/Nov/2008:23:43:46 +0300] "GET /dsgwcmd/lang?context=dsgw&file=style.css HTTP/1.1" 302 231
> - [17/Nov/2008:23:43:55 +0300] "POST /dsgwcmd/doauth HTTP/1.1" 200 1402
>
> /var/log/dirsrv/admin-serv/error
>
> (here is the strange point: the port marked in this log is 443, but in reality it is 9830. I have stopped apache and closed port 443 altogether, but in the log file it is still 443; the address and IP here are the same computer, which is localhost for all of the operations)
>
> [Mon Nov 17 23:43:45 2008] [info] Connection to child 12 established (server www...:443, client 213.131....)
> [Mon Nov 17 23:43:45 2008] [info] Initial (No.1) HTTPS request received for child 12 (server www...:443)
> [Mon Nov 17 23:43:46 2008] [info] Connection to child 12 closed (server www-hep.sinp.msu.ru:443, client 213.131...)
> [Mon Nov 17 23:43:46 2008] [info] Connection to child 11 established (server www...:443, client 213.131....)
> [Mon Nov 17 23:43:46 2008] [info] Initial (No.1) HTTPS request received for child 11 (server www...:443)
> [Mon Nov 17 23:43:46 2008] [info] Connection to child 11 closed (server www-hep.sinp.msu.ru:443, client 213.131....)
>
Do you have some sort of proxy running?
netstat -an | grep 9830
and
netstat -an | grep 443

>
> /var/log/dirsrv/slapd-hep/access
>
> [17/Nov/2008:23:43:45 +0300] conn=140 SSL 128-bit RC4
> [17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128 version=3
> [17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [17/Nov/2008:23:43:45 +0300] conn=140 op=1 SRCH base="dc=sinp, dc=msu, dc=ru" scope=2 filter="(&(objectClass=person)(|(cn=dudko)(sn=dudko)(uid=dudko)))" attrs="objectClass title"
> [17/Nov/2008:23:43:46 +0300] conn=140 op=1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
> [17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101 nentries=1 etime=1
> [17/Nov/2008:23:43:46 +0300] conn=140 op=2 UNBIND
> [17/Nov/2008:23:43:46 +0300] conn=140 op=2 fd=70 closed - U1
> [17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from 127.0.0.1 to 127.0.0.1
> [17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
> [17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128 version=3
> [17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" method=128 version=3
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0
> filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0
> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
> [17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
> [17/Nov/2008:23:45:16 +0300] conn=124 op=7 SRCH base="dc=sinp,dc=msu,dc=ru" scope=2 filter="(&(objectClass=posixAccount)(uid=dudko))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [17/Nov/2008:23:45:18 +0300] conn=124 op=7 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
> [17/Nov/2008:23:45:18 +0300] conn=124 op=7 RESULT err=0 tag=101 nentries=1 etime=2
>
What access log level are you using? I suggest using the default.

[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0

This usually means "incorrect password". You can verify yourself by using ldapsearch:

ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""

If you get err=49 here, this means your password is not correct.
> /var/log/dirsrv/slapd-hep/error
>
> [...]
>
Agh - my eyes - I think you need to change the errorlog level back to 0 - I don't think the problem is ACI related - err=49 means incorrect password.
> Just in case, the list of the configuration directories:
> /etc/dirsrv/admin-serv/
> -rw-r--r-- 1 root root 3984 19:02 admserv.conf
> -rw------- 1 nobody root 16384 23:22 secmod.db
> -r-------- 1 nobody nobody 50 23:27 password.conf
> -r-------- 1 nobody nobody 4581 23:27 nss.conf
> -rw-r--r-- 1 root root 27061 03:39 httpd.conf
> -rw------- 1 root root 394016 04:52 console.conf
> -rw------- 1 nobody root 40 04:56 admpw
> -rw------- 1 nobody root 532 05:32 adm.conf
> -rw------- 1 nobody root 16384 23:39 key3.db
> -rw------- 1 nobody root 65536 23:39 cert8.db
> -rw------- 1 nobody root 10259 00:04 local.conf
>
> /etc/dirsrv/dsgw/
> -r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
> -r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
> -r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
> -rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
> -rw-r--r-- 1 root root 3192 Nov 16 23:42 dsgw-httpd.conf
>
> One more strange point which is not connected with the main problem. In
> /etc/dirsrv/admin-serv/local.conf I use only the addresses access filter,
> not hosts. The last one is blank (looks like * does not work):
> configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
> configuration.nsAdminAccessHosts:
>
> But after a restart of the admin server the directive
> configuration.nsAdminAccessHosts: is removed from local.conf and the
> server does not start; this directive has to be added manually to start
> the server. Looks like this is a bug.
>
It is a feature. You cannot edit local.conf directly. You have to update that information in LDAP. local.conf is a read-only cache of the LDAP information. See - http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt

> Lev
>
> On Mon, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
>> Lev Dudko wrote:
>>> Dear Directory server experts,
>>> could you help me, please, to solve the problem with DSGW
>>> authorization.
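The err=49 diagnosis above comes down to pairing each BIND in the slapd access log with the RESULT line of the same conn/op. As an added example (not code from this thread or from the Directory Server project), here is a Python script that does that pairing over lines in the format quoted above and reports the rejected binds; the sample lines are constructed from the quoted log, the result-code names come from RFC 4511, and the ldapsearch check Rich describes remains the authoritative test.

```python
"""Pair BIND and RESULT lines in a Fedora/389 Directory Server access log.

Added example for this thread; it is not code from the list or from the
Directory Server project.  It understands the line shapes quoted above:

    [ts] conn=N op=M BIND dn="..." method=128 version=3
    [ts] conn=N op=M RESULT err=E tag=97 nentries=0 etime=0

Lines tagged conn=Internal (the server's own lookups during a bind) are
skipped because they carry no numeric connection id.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_BIND_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"'
    r' method=(?P<method>\d+) version=(?P<ver>\d+)'
)
_RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)'
)

# LDAP result codes that commonly terminate a bind (RFC 4511 section 4.1.9).
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


@dataclass
class BindOutcome:
    ts: str
    conn: int
    op: int
    dn: str              # "" is an anonymous bind
    method: int          # 128 is a simple (password) bind
    err: Optional[int]   # None when no RESULT line was seen for this op

    @property
    def anonymous(self) -> bool:
        return self.dn == ""

    @property
    def failed(self) -> bool:
        # An unanswered bind is reported separately, not counted as a failure.
        return self.err not in (None, 0)

    @property
    def reason(self) -> str:
        if self.err is None:
            return "no result logged"
        return RESULT_CODES.get(self.err, f"err={self.err}")


def parse_access_log(lines) -> List[BindOutcome]:
    """Return every BIND in log order, each with the err of its matching RESULT."""
    pending: Dict[Tuple[int, int], BindOutcome] = {}
    outcomes: List[BindOutcome] = []
    for line in lines:
        line = line.strip()
        m = _BIND_RE.match(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            outcome = BindOutcome(m["ts"], key[0], key[1], m["dn"], int(m["method"]), None)
            pending[key] = outcome
            outcomes.append(outcome)
            continue
        m = _RESULT_RE.match(line)
        if m:
            key = (int(m["conn"]), int(m["op"]))
            if key in pending:
                # Same object as in `outcomes`, so the err shows up there too.
                pending.pop(key).err = int(m["err"])
    return outcomes


def failed_binds(lines) -> List[BindOutcome]:
    """Only the binds the server rejected, in log order."""
    return [o for o in parse_access_log(lines) if o.failed]


def failures_by_dn(lines) -> Dict[str, int]:
    """Rejected binds per DN; a spike for one DN is a lockout or guessing signal."""
    counts: Dict[str, int] = {}
    for o in failed_binds(lines):
        counts[o.dn] = counts.get(o.dn, 0) + 1
    return counts


# Constructed sample modelled on the conn=141 exchange quoted in the thread.
SAMPLE_LOG = """\
[17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from 127.0.0.1 to 127.0.0.1
[17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
""".splitlines()

if __name__ == "__main__":
    for o in failed_binds(SAMPLE_LOG):
        who = "anonymous" if o.anonymous else o.dn
        print(f"{o.ts} conn={o.conn} op={o.op} bind as {who} failed: {o.reason}")
```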
From dudko at fnal.gov Mon Nov 17 22:15:26 2008
From: dudko at fnal.gov (Lev Dudko)
Date: Mon, 17 Nov 2008 23:15:26 +0100
Subject: [Fedora-directory-users] DSGW user authorization problem
In-Reply-To: <4921E3CA.7070402@redhat.com>
References: <1226951461.8797.96.camel@note1.sinp.msu.ru> <4921D250.50401@redhat.com> <1226957046.8797.128.camel@note1.sinp.msu.ru> <4921E3CA.7070402@redhat.com>
Message-ID: <1226960126.8797.149.camel@note1.sinp.msu.ru>

Hello Rich,
The answers are below.

> Do you have some sort of proxy running?
> netstat -an | grep 9830
> and
> netstat -an | grep 443
>

No, I have a direct link:

netstat -an | grep 9830
tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN

netstat -an | grep 443
unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ] STREAM CONNECTED 1724431
(when apache is down, to avoid possible interference)

netstat -an | grep 443
tcp 0 0 :::443 :::* LISTEN
tcp 0 0 :::8443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ] STREAM CONNECTED 1724431
(apache is up)

> What access log level are you using? I suggest using the default.
>

I will check, but I do not remember that I could change the level of the access log, only the error log.

> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
>
> This usually means "incorrect password".
> You can verify yourself by using ldapsearch:
> ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""
>

I use the same login and password for logging in to the system, so I am sure that it is correct, but in any case the output of the command above is:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

By the way, the browser which I use to communicate with DSGW is firefox-3.0.4-1.fc9.x86_64 and I did not have any problem with translation of my passwords to some site authorization systems.

> If you get err=49 here, this means your password is not correct.
> Agh - my eyes - I think you need to change the errorlog level back to 0
> - I don't think the problem is ACI related - err=49 means incorrect
> password.

Sorry, I tried to provide all of the information which I have.

> It is a feature. You cannot edit local.conf directly. You have to
> update that information in LDAP. local.conf is a read-only cache of the
> LDAP information. See -
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt

Thank you for the explanation; first of all I did it from the console, but with the same result (need to put something in this field to keep it). In any case I will check that HOWTO again.

Lev

> On Mon, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
> >> Lev Dudko wrote:
> >>> Dear Directory server experts,
> >>> could you help me, please, to solve the problem with DSGW
> >>> authorization.
From rmeggins at redhat.com Mon Nov 17 23:04:06 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Nov 2008 16:04:06 -0700
Subject: [Fedora-directory-users] DSGW user authorization problem
In-Reply-To: <1226960126.8797.149.camel@note1.sinp.msu.ru>
References: <1226951461.8797.96.camel@note1.sinp.msu.ru> <4921D250.50401@redhat.com> <1226957046.8797.128.camel@note1.sinp.msu.ru> <4921E3CA.7070402@redhat.com> <1226960126.8797.149.camel@note1.sinp.msu.ru>
Message-ID: <4921F866.5000606@redhat.com>

Lev Dudko wrote:
> Hello Rich,
> The answers are below.
>
>> Do you have some sort of proxy running?
>> netstat -an | grep 9830
>> and
>> netstat -an | grep 443
>>
>
> No, I have a direct link:
> netstat -an | grep 9830
> tcp 0 0 0.0.0.0:9830 0.0.0.0:* LISTEN
>
> netstat -an | grep 443
> unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
> unix 3 [ ] STREAM CONNECTED 1724431
> when the apache is down (to avoid possible interferences)
>
> netstat -an | grep 443
> tcp 0 0 :::443 :::* LISTEN
> tcp 0 0 :::8443 :::* LISTEN
> unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
> unix 3 [ ] STREAM CONNECTED 1724431
> (apache is up)
>
>> What access log level are you using? I suggest using the default.
>>
>
> I will check, but I do not remember that I could change the level of
> access log, only the error log.
>
The reason I said that is that the access log does not usually log internal operations.
>
>> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
>> nentries=0 etime=0
>>
>> This usually means "incorrect password". You can verify yourself by
>> using ldapsearch:
>> ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w
>> yourpassword -s base -b ""
>>
>
> I use the same login and password for logging to the system, so I am
> sure that it is correct, but in any case the output of the command above
> is:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
> By the way, the browser which I use to communicate with DSGW is
> firefox-3.0.4-1.fc9.x86_64
> and I did not have any problem with translation of my passwords to some
> site authorization systems.
>
Do you have any 8-bit characters in any of your passwords? I wonder if the gateway is corrupting them somehow.

>> If you get err=49 here, this means your password is not correct.
>> Agh - my eyes - I think you need to change the errorlog level back to 0
>> - I don't think the problem is ACI related - err=49 means incorrect
>> password.
>>
>
> Sorry, I tried to provide all of the information which I have.
>
>> It is a feature. You cannot edit local.conf directly. You have to
>> update that information in LDAP. local.conf is a read-only cache of the
>> LDAP information. See -
>> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
>>
>
> Thank you for the explanation, first of all I did it from console,
> but with the same result (need to put something in this field to keep
> it). In any way I will check again that HOWTO.
> Lev
>
>>> On Mon, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
>>>> Lev Dudko wrote:
>>>>> Dear Directory server experts,
>>>>> could you help me, please, to solve the problem with DSGW
>>>>> authorization.
>>>> >>>> >>>>> Lev >>>>> >>>>> ------------------------------------------------------------------------ >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>>> >>>>> > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From dudko at fnal.gov Mon Nov 17 23:13:32 2008 From: dudko at fnal.gov (Lev Dudko) Date: Tue, 18 Nov 2008 00:13:32 +0100 Subject: [Fedora-directory-users] DSGW user authorization problem In-Reply-To: <4921F866.5000606@redhat.com> References: <1226951461.8797.96.camel@note1.sinp.msu.ru> <4921D250.50401@redhat.com> <1226957046.8797.128.camel@note1.sinp.msu.ru> <4921E3CA.7070402@redhat.com> <1226960126.8797.149.camel@note1.sinp.msu.ru> <4921F866.5000606@redhat.com> Message-ID: <1226963612.8797.186.camel@note1.sinp.msu.ru> > Do you have any 8-bit characters in any of your passwords? I wonder if > the gateway is corrupting them somehow. > > In the passwords there are & @ or $ characters, I am not sure is it 8-bit characters. The locale is ru_RU.UTF-8 everywhere. You are right, I just changed the password to very simple and the authorization is successful. The reason is found, but is there a way to correct this corruption? > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: ??? ????? ????????? ????????? ???????? ???????? 
From rmeggins at redhat.com Mon Nov 17 23:32:20 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 17 Nov 2008 16:32:20 -0700
Subject: [Fedora-directory-users] DSGW user authorization problem
In-Reply-To: <1226963612.8797.186.camel@note1.sinp.msu.ru>
References: <1226951461.8797.96.camel@note1.sinp.msu.ru> <4921D250.50401@redhat.com> <1226957046.8797.128.camel@note1.sinp.msu.ru> <4921E3CA.7070402@redhat.com> <1226960126.8797.149.camel@note1.sinp.msu.ru> <4921F866.5000606@redhat.com> <1226963612.8797.186.camel@note1.sinp.msu.ru>
Message-ID: <4921FF04.9040509@redhat.com>

Lev Dudko wrote:
>> Do you have any 8-bit characters in any of your passwords? I wonder if
>> the gateway is corrupting them somehow.
>>
> In the passwords there are & @ or $ characters; I am not sure whether these are
> 8-bit characters.
> The locale is ru_RU.UTF-8 everywhere.
>
> You are right, I just changed the password to a very simple one and the
> authorization is successful. The reason is found, but is there a way to
> correct this corruption?
>
I don't know. Please file a bug.

From dudko at fnal.gov Sun Nov 16 21:38:57 2008
From: dudko at fnal.gov (Lev Dudko)
Date: Sun, 16 Nov 2008 22:38:57 +0100
Subject: [Fedora-directory-users] DSGW user authorization problem
Message-ID: <1226871537.3831.225.camel@note1.sinp.msu.ru>

Dear Directory server experts,
could you help me, please, to solve the problem with DSGW authorization.
I have successfully set up FDS on Fedora 9 with
setup-ds-admin.pl
set up ssl with the help of the script from this page:
http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
run setup-ds-dsgw
Now, the directory server works, the administration server works and
I can configure everything in DS and Admin server with the console
fedora-idm-console -a https://localhost:9830

I can point my browser to https://localhost:9830 and use DSGW to
search successfully,
but I can not do authorization; when I try to authorize as some user
(normal user, Directory Manager or admin) I get the error:
Authentication Failed
Authentication failed because the password you supplied is incorrect.
Please click the Retry button and try again. If you have forgotten the
password for this entry, a directory administrator must reset the
password for you.

Of course, I am sure that the password is correct. There is not much
useful information in the log files. The
executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.

I have read the available documentation rather carefully, but did not find the
answer. Looks like one of the solutions is to use the binddnfile directive
with a special text file, but it looks strange to me that it is
impossible to use normal authorization in LDAP with DSGW.

Did I miss something during the configuration or forget to add some
special ACL?

Lev

From howard at cohtech.com Mon Nov 17 16:07:48 2008
From: howard at cohtech.com (Howard Wilkinson)
Date: Mon, 17 Nov 2008 16:07:48 +0000
Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
In-Reply-To: <4899A673.7020704@redhat.com>
References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com> <4896CF89.3020600@cohtech.com> <489711FA.7060007@redhat.com> <48971A18.1060907@cohtech.com> <48971F86.9000604@redhat.com> <48996F35.2050603@cohtech.com> <4899A673.7020704@redhat.com>
Message-ID: <492196D4.1050103@cohtech.com>

Finally got back to diagnosing the problem with the console and behold
the behaviour has changed. Still not working right, but I am now getting 3
slightly different failures depending on which server I try to connect to.

1. Connecting to the rebuilt directory server, when I look at the encryption
   tab for the server configuration I get a pop-up failure that says 'SSL
   related initialization failed'. After pressing OK the tab fills in correctly
   and the error does not reappear until I reopen the server.
2. Connecting to the rebuilt administration server and selecting the
   Configuration tab I get the same error message as a pop-up. When I press OK
   the window shows 'failed to load data'.
3. Connecting to another administration server from our multi-master farm I
   get the error message on the Configuration tab - 'no protocol:
   admin-server/tasks/Sonfiguration/ServerSetup' and again 'failed to load
   data' after pressing OK.

The debug console logs are attached for each case.

No errors are reported in the logs for the admin servers.

Where do I look next?

Howard.
From jsullivan at opensourcedevel.com Tue Nov 18 04:18:26 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 17 Nov 2008 23:18:26 -0500
Subject: [Fedora-directory-users] ACI deny matching with macros
Message-ID: <1226981906.6432.43.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. This post is a follow-up to an IRC chat with Rich Megginson and
others. Rich, I did not report the problem as a bug because, upon several more
hours of testing, it does not appear to be a conflict between userdn and roledn
permissions. Rather, it appears to be a wildcard globbing issue.

To bring everyone else up to speed: in a multi-tenant environment, we have an
allow ACI to permit clients to administer their own portion of the tree.
However, their portions of the tree also contain some system-type accounts used
by the host to enable certain client functions. These should not be viewable by
the client admins, so there is an ACI to deny access to these. We also want to
use macros to create a single ACI at the root which will apply to all clients
rather than creating ACIs for each client.

To grant client access, we create a role at the top of their tree named
ldapadmins and assign it to the appropriate client admins. We create a
root-level ACI as follows:

(targetattr = "*") (target = "ldap:///($dn),dc=ssiservices, dc=biz") (version 3.0;acl "Client Administrators";allow (all)(roledn = "ldap:///cn=ldapadmins,[$dn],dc=ssiservices,dc=biz");)

It works fine. The tree looks something like this:

root
  /com
    /client1
      /Users
        /Internal
        /Contacts
      /SysAccounts

No one would have access to SysAccounts except client ldapadmins from the above
ACI. We don't want that, so we create the following ACI to deny access to
SysAccounts:

(targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*,ou=users,[$dn],dc=ssiservices,dc=biz");)

We had contemplated

(targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*[$dn],dc=ssiservices,dc=biz");)

but did not want to take the chance that the SysAccounts users could not see
themselves.

Let's say we have a client admin at
uid=terry,ou=internal,ou=users,dc=client1,dc=com,dc=ssiservices,dc=biz.
The * after uid, with no comma before ou=users, should match anything in users
including "uid=terry,ou=internal,". It doesn't. The deny rule is not applied to
Terry. If I change the ACI to:

(targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz");)

it still fails. However, if I change it to:

(targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*,ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz");)

it works. The deny matches Terry and is enforced. This seems to be an explicit
contradiction of the documentation.
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Bind_Rules.html#Bind_Rules-Defining_User_Access___userdn_Keyword

userdn = "ldap:///uid=*,dc=example,dc=com";
The bind rule is evaluated to be true if the user binds to the directory using
any distinguished name of the specified pattern. For example, both of the
following bind DNs would be evaluated to be true:
uid=ssarette,dc=example,dc=com
uid=tjaz,ou=Accounting,dc=example,dc=com

Are we doing something wrong or is this just a mismatch between code and docs?
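Added example (the editor's, not part of John's post and not Directory Server's own ACI evaluator): a small checker that applies the userdn bind-rule semantics exactly as the admin guide quoted above states them, where `*` spans RDN boundaries, to the DNs from this thread. It expands `($dn)` from the target and substitutes the matched value for `[$dn]` once (the server's full macro evaluation is not modelled), then reports which bind DNs a deny ACI would cover. The function names and the service-account entry `uid=svc1` are mine; the target, bind rules and Terry's DN are the ones quoted above. Under the documented semantics all three userdn variants above cover Terry, and the `uid=*,[$dn]` variant John rejected does cover the sysaccounts entries themselves, which is the case he wanted to avoid.

```python
"""Reason about Directory Server macro ACI bind rules under the semantics the
admin guide documents: '*' in a userdn matches any run of characters, commas
included. Added example; not code from the thread or from the server."""
import re

LDAP_URL_PREFIX = "ldap:///"


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation: lower-case and drop whitespace around the RDN
    separators. The server does schema-aware normalisation; this is enough
    for the patterns discussed in the thread."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def strip_url(value: str) -> str:
    """Drop the ldap:/// prefix used in target and bind-rule values."""
    value = value.strip()
    if value.lower().startswith(LDAP_URL_PREFIX):
        return value[len(LDAP_URL_PREFIX):]
    return value


def macro_value(target: str, entry_dn: str):
    """Return the DN fragment that ($dn) stands for when `target` is applied
    to `entry_dn`, or None when the target does not cover the entry. A target
    covers the named entry and everything below it, so an optional "<rdns>,"
    prefix is allowed in front of the target pattern."""
    pattern = re.escape(normalize_dn(strip_url(target)))
    pattern = pattern.replace(re.escape("($dn)"), "(?P<dn>.+)")
    match = re.fullmatch(r"(?:.+,)?" + pattern, normalize_dn(entry_dn))
    return match.group("dn") if match else None


def expand_bind_rule(userdn: str, dn_value: str) -> str:
    """Substitute the matched ($dn) value for [$dn] in a userdn bind rule.
    (Single substitution only; the server's macro evaluation is richer.)"""
    return normalize_dn(strip_url(userdn)).replace("[$dn]", normalize_dn(dn_value))


def userdn_matches(userdn_pattern: str, bind_dn: str) -> bool:
    """Documented semantics: '*' matches any run of characters, including
    commas, so uid=*,dc=example,dc=com also covers
    uid=tjaz,ou=Accounting,dc=example,dc=com."""
    regex = re.escape(normalize_dn(strip_url(userdn_pattern))).replace(r"\*", ".*")
    return re.fullmatch(regex, normalize_dn(bind_dn)) is not None


def deny_applies(target: str, userdn: str, entry_dn: str, bind_dn: str) -> bool:
    """Would a deny ACI with this target and userdn bind rule apply when
    `bind_dn` touches `entry_dn`, under the documented wildcard semantics?"""
    value = macro_value(target, entry_dn)
    if value is None:
        return False  # target does not cover the entry at all
    return userdn_matches(expand_bind_rule(userdn, value), bind_dn)


if __name__ == "__main__":
    target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz"
    # Constructed service account under client1's SysAccounts container.
    entry = "uid=svc1,ou=sysaccounts,dc=client1,dc=com,dc=ssiservices,dc=biz"
    terry = "uid=terry,ou=internal,ou=users,dc=client1,dc=com,dc=ssiservices,dc=biz"
    for userdn in (
        "ldap:///uid=*,ou=users,[$dn],dc=ssiservices,dc=biz",
        "ldap:///uid=*ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz",
        "ldap:///uid=*,ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz",
        "ldap:///uid=*,[$dn],dc=ssiservices,dc=biz",
    ):
        print(userdn)
        print("  denies terry:", deny_applies(target, userdn, entry, terry))
        print("  denies svc1 itself:", deny_applies(target, userdn, entry, entry))
```

The checker is a way to reason about a pattern before loading the ACI; the authoritative test is still to bind as the user and attempt the operation, as John did. Because a matching deny ACI takes precedence over any allow in Directory Server, an over-broad deny pattern such as `uid=*,[$dn],...` locks out the very accounts it was meant to protect, which is what the last row of the output shows.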
Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From stupid.tech at gmail.com Tue Nov 18 13:59:35 2008
From: stupid.tech at gmail.com (stupid stupid)
Date: Tue, 18 Nov 2008 08:59:35 -0500
Subject: [Fedora-directory-users] Re: Personal Address book In FDS
In-Reply-To: <96d404fe0811131358q46becc5al446aa8e2bb704740@mail.gmail.com>
References: <96d404fe0811131358q46becc5al446aa8e2bb704740@mail.gmail.com>
Message-ID: <96d404fe0811180559t232da34bqf7141f1ff4de2ec3@mail.gmail.com>

Hello,
Am I posting the question to the wrong user group? Please let me know. Nobody
has replied to my issue yet. Just wondering!
Thanks,

On Thu, Nov 13, 2008 at 4:58 PM, stupid stupid wrote:
> Hello,
> I am new to FDS and the LDAP world. I have installed FDS on a server and would
> like to use it for address book lookup.
> The address book lookup is working from different mail clients,
> but I wanted to know how to allow users to add their own personal address
> book entries to the Fedora DS.
>
> Please help.
>
> Thanks

From hugo.etievant at inrp.fr Tue Nov 18 15:41:13 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Tue, 18 Nov 2008 16:41:13 +0100
Subject: [Fedora-directory-users] Windows Sync and Active Directory password complexity policies
Message-ID: <4922E219.4010107@inrp.fr>

hello,

The Admin Guide says that: "Make sure that the Active Directory password
complexity policies are enabled so that the *Password Sync* service will run.
Run |secpol.msc|, and select *Security Settings*, then *Account Policies*, and
*Password Policy*. Make sure that |Password must meet complexity requirements|
is selected." (cf.
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html )

I did the installation as required.

But after a week, I reconfigured Active Directory and deactivated the
"|Password must meet complexity requirements|" attribute.
Windows Sync continues to work without problem: new very simple passwords (for
example, a password identical to the login) are synchronized between AD and FDS.

Why does the Admin Guide say this attribute is mandatory? The facts show that it
is not!

Is it a bug?

The complexity requirements are too complicated for my users (and are not
configurable); I must deactivate them.

Regards
--
* Hugo Étiévant *

From rmeggins at redhat.com Tue Nov 18 15:51:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 18 Nov 2008 08:51:44 -0700
Subject: [Fedora-directory-users] Recover directory database files when disk fills up!
In-Reply-To: <492196D4.1050103@cohtech.com>
References: <488EDA1E.1000005@cohtech.com> <488F2D9E.1000805@redhat.com> <4896CF89.3020600@cohtech.com> <489711FA.7060007@redhat.com> <48971A18.1060907@cohtech.com> <48971F86.9000604@redhat.com> <48996F35.2050603@cohtech.com> <4899A673.7020704@redhat.com> <492196D4.1050103@cohtech.com>
Message-ID: <4922E490.2070900@redhat.com>

Howard Wilkinson wrote:
> Finally got back to diagnosing the problem with the console and behold
> the behaviour has changed. Still not working right, but I am now
> getting 3 slightly different failures depending on which server I try
> to connect to.
>
> 1. Connecting to the rebuilt directory server, when I look at the
>    encryption tab for the server configuration I get a pop-up
>    failure that says 'SSL related initialization failed'. After
>    pressing OK the tab fills in correctly and the error does not
>    reappear until I reopen the server.
> 2. Connecting to the rebuilt administration server and selecting the
>    Configuration tab I get the same error message as a pop-up. When
>    I press OK the window shows 'failed to load data'.
> 3. Connecting to another administration server from our
>    multi-master farm I get the error message on the Configuration
>    tab - 'no protocol: admin-server/tasks/Sonfiguration/ServerSetup'
>    and again 'failed to load data' after pressing OK.
>
What is happening is that the console invokes a CGI via the admin server to
create and/or manage those files. The following permissions are required: the
admin server user id (default: nobody - grep User
/etc/dirsrv/admin-serv/console.conf to see what the userid is) must have
permission to create new files in /etc/dirsrv/slapd-instancename and
/etc/dirsrv/admin-serv, and read and write cert8.db, key3.db, and secmod.db in
those directories. If you need/want to run the directory server and the admin
server as different users, then you should create a group to which both of
those users belong (and no other users) - you will need to make sure those
files and directories have the appropriate group permissions, since the
directory server needs to read/write files in /etc/dirsrv/slapd-instancename
as well as the admin server.

> The debug console logs are attached for each case.
>
> No errors are reported in the logs for the admin servers.
>
> Where do I look next?
>
> Howard.
>
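Added example (the editor's, not from the thread and not from the Directory Server project) that checks the permission arrangement Rich describes and applies the shared-group fix. It assumes the layout named above (/etc/dirsrv/slapd-<instance> holding cert8.db, key3.db and secmod.db) and, so that it runs offline, builds a constructed stand-in directory under a temporary path; the function names are mine. Beyond what the thread asks for, it also flags any access by "others" to the three files, since key3.db holds the server's private keys and should never be world-readable.

```python
"""Audit and fix the ownership and mode of an NSS certificate database
directory so that two service users (directory server and admin server)
sharing one group can both work with it. Added example; not code from the
thread or from Directory Server itself."""
import os
import stat
import tempfile

# The three NSS database files the console's CGI must be able to read and write.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

GROUP_RWX = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
GROUP_RW = stat.S_IRGRP | stat.S_IWGRP
WORLD_ANY = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def audit_nss_dir(directory, gid=None):
    """Return a list of problems with `directory` for server processes that
    share group `gid` (default: this process's effective group). An empty
    list means the layout Rich describes is in place: the group can create
    files in the directory and can read and write the three db files.
    World access to the files is reported too, since key3.db holds keys."""
    if gid is None:
        gid = os.getegid()
    problems = []

    st = os.stat(directory)
    if st.st_gid != gid:
        problems.append(f"{directory}: group is {st.st_gid}, expected {gid}")
    if st.st_mode & GROUP_RWX != GROUP_RWX:
        problems.append(f"{directory}: group cannot create files here (needs g+rwx)")
    if st.st_mode & stat.S_IWOTH:
        problems.append(f"{directory}: world-writable")

    for name in NSS_DB_FILES:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append(f"{path}: missing")
            continue
        fst = os.stat(path)
        if fst.st_gid != gid:
            problems.append(f"{path}: group is {fst.st_gid}, expected {gid}")
        if fst.st_mode & GROUP_RW != GROUP_RW:
            problems.append(f"{path}: group cannot read and write (needs g+rw)")
        if fst.st_mode & WORLD_ANY:
            problems.append(f"{path}: accessible by others (mode {stat.S_IMODE(fst.st_mode):04o})")
    return problems


def fix_nss_dir(directory, gid=None):
    """Apply the shared-group arrangement: directory 0770 and db files 0660,
    all owned by group `gid`. The owning user (the directory server account)
    is left unchanged. Needs root, or ownership of the files, to succeed."""
    if gid is None:
        gid = os.getegid()
    os.chown(directory, -1, gid)
    os.chmod(directory, 0o770)
    for name in NSS_DB_FILES:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            os.chown(path, -1, gid)
            os.chmod(path, 0o660)


def build_demo_dir(file_mode=0o600, dir_mode=0o700):
    """Constructed stand-in for /etc/dirsrv/slapd-<instance>: a temporary
    directory holding empty cert8.db, key3.db and secmod.db with the given
    modes, so the audit can be exercised without a real installation."""
    directory = tempfile.mkdtemp(prefix="slapd-demo-")
    for name in NSS_DB_FILES:
        path = os.path.join(directory, name)
        with open(path, "wb"):
            pass
        os.chmod(path, file_mode)
    os.chmod(directory, dir_mode)
    return directory


if __name__ == "__main__":
    # Typical broken state: 0600 files in a 0700 directory owned by the DS
    # user only, so a CGI running as 'nobody' can neither read the databases
    # nor create new files next to them.
    demo = build_demo_dir()
    for problem in audit_nss_dir(demo):
        print("before:", problem)
    fix_nss_dir(demo)
    print("after:", audit_nss_dir(demo) or "ok")
```

Run against a real instance, pass the gid of the shared group (for example `grp.getgrnam("dirsrv").gr_gid`) and the two directories Rich names; run the audit first and only apply `fix_nss_dir` once you are satisfied the group contains exactly the two service users, because every member of that group can read the private key in key3.db.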
From jad at jadickinson.co.uk Tue Nov 18 15:56:09 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Tue, 18 Nov 2008 15:56:09 +0000
Subject: [Fedora-directory-users] Windows Sync and Active Directory password complexity policies
In-Reply-To: <4922E219.4010107@inrp.fr>
References: <4922E219.4010107@inrp.fr>
Message-ID: <8016CF80-82AE-4F60-B580-51F6065E1979@jadickinson.co.uk>

On 18 Nov 2008, at 15:41, Hugo Etievant wrote:
> hello,
>
> The Admin Guide says that: "Make sure that the Active Directory
> password complexity policies are enabled so that the *Password Sync*
> service will run. Run |secpol.msc|, and select *Security Settings*,
> then *Account Policies*, and *Password Policy*. Make sure that
> |Password must meet complexity requirements| is selected." (cf.
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html
> )
>
> I did the installation as required.
>
> But after a week, I reconfigured Active Directory and deactivated the
> "|Password must meet complexity requirements|" attribute.
> Windows Sync continues to work without problem: new very simple
> passwords (for example, a password identical to the login) are
> synchronized between AD and FDS.
>
> Why does the Admin Guide say this attribute is mandatory? The facts
> show that it is not!
>
> Is it a bug?
>
> The complexity requirements are too complicated for my users
> (and are not configurable); I must deactivate them.

Based on my experiments, you don't have to have complexity requirements turned
on in AD and FDS, but it would be a good idea to ensure any requirements are the
same in both. Otherwise some passwords might work and others not.

You can turn off the requirement in FDS - I don't remember where and don't have
access to my system right now - but try right-clicking in the directory console
at the userRoot; I think there is something about this in the menu.

John

From rpolli at babel.it Tue Nov 18 19:59:39 2008
From: rpolli at babel.it (rpolli at babel.it)
Date: Tue, 18 Nov 2008 20:59:39 +0100
Subject: [Fedora-directory-users] [ioggstream] peculiar deploy of fedorads
Message-ID: <200811182059.39521.rpolli@babel.it>

Hi all,
I'm planning a mid-size deployment of fedora-ds. Let's call the units of this
deployment "islands". Islands are independent; data must be physically isolated
between them.

* an island represents a scalable, multi-mastered deployment of fedora-ds made of 6+ nodes
* I have more islands: island1, island2, ...
* one island contains many mailDomains (foo.it, foo.net, foo.com)
* a mailDomain is hosted on one island: if foo.it is on island1, it won't be on island2
* each island has its own services accessing ldap

There's one Rule-Them-All (RTA) island with shared services. Services on the
"RTA" must access all ldap using the same search for all the islands, e.g.

  ldapsearch -h ruleThemAll "(mail=foo at bar.com)"

should find the user independently of which island it is on.

Question: how would you implement these requirements while trying to limit the
overhead? (Somebody told me about a VirtualDS, but I'd like to do it with FDS.)

Peace,
R.
From nhosoi at redhat.com Wed Nov 19 02:33:16 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 18 Nov 2008 18:33:16 -0800
Subject: [Fedora-directory-users] dbverify
In-Reply-To: <490B435A.5000806@umd.umich.edu>
References: <490761C9.8050705@umd.umich.edu> <490B435A.5000806@umd.umich.edu>
Message-ID: <49237AEC.5060105@redhat.com>

Hello,

I could reproduce the problem and filed a bug:
Summary: dbverify: when a duplicate is large enough to have internal page(s),
dbverify issues bogus out-of-order key errors
https://bugzilla.redhat.com/show_bug.cgi?id=472131

I've also posted a question/bug report to the Berkeley DB forum today. If you
are interested, please take a look at the following link.
Posted to the Oracle/Berkeley DB forum:
http://forums.oracle.com/forums/thread.jspa?threadID=828256&stqc=true
verify reports bogus out-of-order key messages

Thanks,
--noriko

Dan Lannom wrote:
> I've done exhaustive verification of equality and presence indexes for
> my directory to verify that ldap is working properly, so I'm going to
> treat dbverify as buggy for now.
>
> I can't find any pattern in my data to explain what the bug is though.
> 22 of the 45 indexes are affected
> syntaxes are oid, directorystring, ia5string, integer and telephonenumber
> index types are either e, ep, eps or aeps
>
> I'll fill out a bug report later tonight,
>
> Dan Lannom
>
> I wrote in my earlier email:
>> I plan to migrate to fds from SunOne 5.2 and so I want to validate
>> the system.
>> I'm currently running version 1.1.3-2 of the directory on RHEL 5.2.
>>
>> When I do searches against the server everything seems to work fine, but
>> when I run /usr/lib/dirsrv/slapd-{{hostname}}/dbverify, with the
>> server off, it fails with
>> errors like:
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 2
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 8
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 11
>> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 14
>> ...
>> [28/Oct/2008:10:52:16 -0400] - libdb:
>> /var/lib/dirsrv/slapd-hume/db/{{SUFFIX}}/{{attribute}}.db4:
>> DB_VERIFY_BAD: Database verification failed
>> [28/Oct/2008:10:52:16 -0400] DB verify - verify failed(-30975):
>> /var/lib/dirsrv/slapd-{{hostname}}/db/userdata/{{attribute}}.db4
>>
>> Reindexing does not change anything, and I find the same errors for
>> both i386 and x86_64, and the errors are almost identical for the
>> master and the slaves.
>>
>> Since I can't find any evidence of the indexes identified as corrupted
>> not working, I wonder why dbverify is generating these errors.
>>
>> Thanks for any help,
>>
>> Dan Lannom
>> UM-Dearborn

From hugo.etievant at inrp.fr Wed Nov 19 09:09:58 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Wed, 19 Nov 2008 10:09:58 +0100
Subject: [Fedora-directory-users] Replicate o=NetscapeRoot database
Message-ID: <4923D7E6.5060801@inrp.fr>

hello,

- I have installed 2 Directory servers; the second (DS2) is registered on the
  first (DS1).
- I have installed multi-master replication between the two (DS1 and DS2) for
  user data on the userRoot database. Here, that is working.
- Finally, I tried to configure multi-master replication for the o=NetscapeRoot
  database between the 2 DS in the same way as conventional replication, after
  copying the o=NetscapeRoot database from DS1 to DS2. Replication works, but the
  Administration Server of DS2 refuses to start on the replica of NetscapeRoot.

The Admin Guide is not clear about NetscapeRoot replication (8.14. Replicating
o=NetscapeRoot for Administration Server Failover
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html )

Is there a way with the GUI Console to configure replication for o=NetscapeRoot
on an existing architecture?

Who has experimented with this point?

regards
--
* Hugo Étiévant *

From kenneho.ndu at gmail.com Wed Nov 19 09:35:45 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Wed, 19 Nov 2008 10:35:45 +0100
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To: <491859A9.3080509@redhat.com>
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com> <49145EFA.9050501@redhat.com> <491859A9.3080509@redhat.com>
Message-ID:

Has anyone on the list set up such a scheme for adding posix attributes to
users synced from AD, and would like to comment on this approach?

I'm thinking that maybe running a cron job (for example a couple of times an
hour) that searches for newly added users, then using "ldapmodify" to add the
required posix attributes, may be the way to go.

Regards,
Kenneth

On 11/10/08, Rich Megginson wrote:
> Kenneth Holter wrote:
>> Thank you for your reply.
>> Yes you understood me correctly - I meant it doesn't seem like Windows
>> Sync is intended for Linux machine login (via SSH to be precise) to "just
>> work" with no additional work. I'm sorry that I wasn't too clear on this.
>> Is it so that one usually has an AD/DS setup like this:
>>
>> * users/passwords are synced from AD to DS
>> * the new users are exported to an ldif file, things such as
>>   posix attributes are added, and they are reimported into DS
>> * users can now log into linux servers (via SSH) that are properly
>>   configured as LDAP clients
>>
>> ? Just trying to get an understanding of how one usually sets up AD and DS
>> to work together.
>>
> I think that's how it usually goes. Perhaps some other folks that are
> doing this will chime in.
>
> freeIPA will soon have support for automatic creation of AD user accounts
> in IPA, including all of the posix and kerberos attributes needed for OS
> login. See freeipa.org
>
>> On 11/7/08, *Rich Megginson* <rmeggins at redhat.com> wrote:
>>> Kenneth Holter wrote:
>>>> I'm not very into fedora/redhat directory server (DS), but
>>>> thought I'd just drop a quick question: It doesn't seem like
>>>> Windows Sync is intended for syncing AD users to DS so that
>>>> users defined on AD can be allowed to log into Linux machines.
>>>>
>>> I'm not sure what you mean by that. Do you mean because the posix
>>> attributes are not synced, you cannot create a user in AD that is
>>> synced to Fedora DS and Linux machine login "just works" with no
>>> additional work?
>>>
>>>> It is possible to get this working, however, through a series
>>>> of manual steps. So what is the intended purpose for Windows
>>>> Sync, if I might ask, as it seems a lot simpler just to manage
>>>> everything directly from DS without syncing with AD?
>>>>
>>> I think most people use it to sync passwords, so that you can have
>>> the same password on AD as Unix/Linux, and when you change the
>>> password on one side, that change is synced to the other side.
>>>
>>>> Regards,
>>>> Kenneth Holter
>>>>
>>>> On 11/6/08, *Rich Megginson* wrote:
>>>>> Erling Ringen Elvsrud wrote:
>>>>>> On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson wrote:
>>>>>> [...]
>>>>>>> That should work. But note that posix attributes will not
>>>>>>> sync to AD. And even if you did manage to find a posix schema that
>>>>>>> worked with AD, and added the posix schema on the AD side, those
>>>>>>> attributes would not be synced to Fedora DS.
>>>>>>
>>>>>> Thanks for your answer.
>>>>>>
>>>>>> I start to wonder if Windows sync is worth the trouble. At my
>>>>>> site we will probably not implement password sync as the
>>>>>> AD-side is very restrictive about installing anything.
>>>>>>
>>>>> I hear this all the time - AD admins are very touchy about
>>>>> installing anything, especially some piece of random open source
>>>>> software that's going to intercept clear text passwords and send
>>>>> them who-knows-where
>>>>>
>>>>>> So what I get is basically a skeleton that I have to populate
>>>>>> with the posixUser attributes.
>>>>>>
>>>>>> Another issue is groups in AD. I suppose those groups will become
>>>>>> regular unix-groups on the directory server side,
>>>>>>
>>>>> Yes. But note - not posix groups (posixGroup) but plain groups
>>>>> (groupOfUniqueNames)
>>>>>
>>>>>> which might not be enough for all policing needs (may need
>>>>>> netgroups in addition).
>>>>>>
>>>>> Sure.
>>>>>
>>>>>> We will probably have a maximum of a few hundred users in the
>>>>>> directory; do you think Windows-sync is worth the bother?
>>>>>>
>>>>> I suggest you take a look at Penrose
>>>>> http://docs.safehaus.org/display/PENROSE/Home
>>>>>
>>>>>> Erling

From jad at jadickinson.co.uk Wed Nov 19 09:46:11 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Wed, 19 Nov 2008 09:46:11 +0000
Subject: [Fedora-directory-users] Replicate o=NetscapeRoot database
In-Reply-To: <4923D7E6.5060801@inrp.fr>
References: <4923D7E6.5060801@inrp.fr>
Message-ID: <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk>

On 19 Nov 2008, at 09:09, Hugo Etievant wrote:
> hello,
>
> - I have installed 2 Directory servers; the second (DS2) is
>   registered on the first (DS1).
> - I have installed multi-master replication between the two (DS1
>   and DS2) for user data on the userRoot database.
>   Here, that is working.
>
> - Finally, I tried to configure multi-master replication for the
>   o=NetscapeRoot database between the 2 DS in the same way as
>   conventional replication, after copying the o=NetscapeRoot database from
>   DS1 to DS2. Replication works, but the Administration Server of DS2
>   refuses to start on the replica of NetscapeRoot.
>
> The Admin Guide is not clear about NetscapeRoot replication (8.14.
> Replicating o=NetscapeRoot for Administration Server Failover http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
> )
>
> Is there a way with the GUI Console to configure replication for
> o=NetscapeRoot on an existing architecture?
>
> Who has experimented with this point?
>

I have put together some notes here:

http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/

They could do with testing - please let me know if you find any problems.
Thanks John From hugo.etievant at inrp.fr Wed Nov 19 13:02:24 2008 From: hugo.etievant at inrp.fr (Hugo Etievant) Date: Wed, 19 Nov 2008 14:02:24 +0100 Subject: [Fedora-directory-users] Replicate o=NetscapeRoot database In-Reply-To: <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk> References: <4923D7E6.5060801@inrp.fr> <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk> Message-ID: <49240E60.40407@inrp.fr> John Dickinson a ?crit : > I have put together some notes here: > > http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/ > > > they could do with testing - please let me know if you find any problems. thanks, but that does not work too the script /usr/sbin/register-ds-admin.pl does not accept my password : "Please input the password for the Administrator User uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot: Error: failed to clean up the configuration info from the old Configuration Directory Server ." if i use the script /usr/sbin/setup-ds-admin.pl -u my Administration Server become not accessible via Fedora IDM Console Do you have any idea? regards -- * Hugo ?ti?vant * From rmeggins at redhat.com Wed Nov 19 14:29:04 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 19 Nov 2008 07:29:04 -0700 Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes? In-Reply-To: References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com> <6cddb0580811050421y568f2cdblb54873380da49fb6@mail.gmail.com> <664c5a070811050423q6253eba7xb4af734adfae8b1e@mail.gmail.com> <4911AC96.9060808@redhat.com> <664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com> <49134CE3.2020707@redhat.com> <49145EFA.9050501@redhat.com> <491859A9.3080509@redhat.com> Message-ID: <492422B0.6020203@redhat.com> Kenneth Holter wrote: > > Has anyone on the list set up such as scheme for adding posix > attributes to users synced from AD, and would like to comment on this > approach? 
>
> I'm thinking that maybe running a cron job (for example a couple of
> times an hour) that searches for newly added users, then using
> "ldapmodify" to add the required posix attributes, may be the way to go.
That might work. There is some documentation about how to poll Active
Directory for changes to entries:
http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx and
http://support.microsoft.com/kb/891995
I have a python-ldap script that implements support for the DirSync
control - http://github.com/richm/scripts/tree/master/dirsyncctrl.py
>
> Regards,
> Kenneth
>
> On 11/10/08, *Rich Megginson* wrote:
>
>     Kenneth Holter wrote:
>
>         Thank you for your reply. Yes, you understood me correctly - I
>         meant it doesn't seem like Windows Sync is intended for Linux
>         machine login (via SSH to be precise) to "just work" with no
>         additional work. I'm sorry that I wasn't too clear on this.
>         Is it so that one usually has an AD/DS setup like this:
>
>         * users/passwords are synced from AD to DS
>         * the new users are exported to an ldif file, things such as
>           posix attributes are added, and they are reimported into DS
>         * users can now log into linux servers (via SSH) that are
>           properly configured as LDAP clients
>
>         ? Just trying to get an understanding of how one usually sets
>         up AD and DS to work together.
>
>     I think that's how it usually goes. Perhaps some other folks that
>     are doing this will chime in.
>
>     freeIPA will soon have support for automatic creation of AD user
>     accounts in IPA, including all of the posix and kerberos
>     attributes needed for OS login. See freeipa.org
>
>         On 11/7/08, *Rich Megginson* wrote:
>
>             Kenneth Holter wrote:
>
>                 I'm not very into fedora/redhat directory server (DS),
>                 but thought I'd just drop a quick question: It doesn't
>                 seem like Windows Sync is intended for syncing AD users
>                 to DS so that users defined on AD can be allowed to log
>                 into Linux machines.
>
>             I'm not sure what you mean by that. Do you mean because the
>             posix attributes are not synced, you cannot create a user in
>             AD that is synced to Fedora DS and Linux machine login "just
>             works" with no additional work?
>
>                 It is possible to get this working, however, through a
>                 series of manual steps. So what is the intended purpose
>                 for Windows Sync, if I might ask, as it seems a lot
>                 simpler just to manage everything directly from DS
>                 without syncing with AD?
>
>             I think most people use it to sync passwords, so that you
>             can have the same password on AD as Unix/Linux, and when you
>             change the password on one side, that change is synced to
>             the other side.
>
>                 Regards,
>                 Kenneth Holter
>
>                 On 11/6/08, *Rich Megginson* wrote:
>
>                     Erling Ringen Elvsrud wrote:
>
>                         On Wed, Nov 5, 2008 at 3:24 PM, Rich Megginson
>                         wrote:
>                         [...]
>                             That should work. But note that posix
>                             attributes will not sync to AD. And even if
>                             you did manage to find a posix schema that
>                             worked with AD, and added the posix schema
>                             on the AD side, those attributes would not
>                             be synced to Fedora DS.
>
>                         Thanks for your answer.
>
>                         I start to wonder if Windows sync is worth the
>                         trouble. At my site we will probably not
>                         implement password sync as the AD side is very
>                         restrictive about installing anything.
>
>                     I hear this all the time - AD admins are very touchy
>                     about installing anything, especially some piece of
>                     random open source software that's going to
>                     intercept clear text passwords and send them
>                     who-knows-where
>
>                         So what I get is basically a skeleton that I
>                         have to populate with the posixUser attributes.
>
>                         Another issue is groups in AD. I suppose those
>                         groups will become regular unix groups on the
>                         directory server side,
>
>                     Yes. But note - not posix groups (posixGroup) but
>                     plain groups (groupOfUniqueNames)
>
>                         which might not be enough for all policing needs
>                         (may need netgroups in addition).
>
>                     Sure.
>
>                         We will probably have a maximum of a few hundred
>                         users in the directory; do you think Windows
>                         sync is worth the bother?
>
>                     I suggest you take a look at Penrose
>                     http://docs.safehaus.org/display/PENROSE/Home
>
>                         Erling
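Kenneth's cron-job idea above (search for newly synced users, then ldapmodify the POSIX attributes in), written out as an added Python example. It is not code from this thread, from Rich's dirsyncctrl.py or from Fedora DS. A constructed in-memory sample stands in for the ldapsearch result; the ou=Groups container, the /home and /bin/bash defaults and the 10000+ id range are assumptions. Because Rich points out that AD groups arrive as groupOfUniqueNames rather than posixGroup, the plan also creates a private posixGroup per user, which is what the client's (&(objectClass=posixGroup)(gidNumber=N)) lookup needs to turn a gid back into a name.

```python
"""Add POSIX attributes to users that Windows Sync created without them.

Added example (not from this thread, dirsyncctrl.py or Fedora DS). For a cron
job: ldapsearch with SYNCED_WITHOUT_POSIX, plan_posix() on the result, and
build_ldif() piped into ldapmodify. A constructed sample stands in for the
ldapsearch result so this runs offline.
"""
import re

# Windows Sync marks entries it creates with ntUser; excluding posixAccount
# makes the job idempotent (already-converted users are never touched again).
SYNCED_WITHOUT_POSIX = "(&(objectClass=ntUser)(!(objectClass=posixAccount)))"
# Conservative POSIX name rule: an sAMAccountName with spaces or capitals
# would otherwise become an unusable uid and group cn.
POSIX_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
GROUP_BASE = "ou=Groups,dc=example,dc=com"  # assumed group container

# Constructed sample (attribute names lowercased, as LDIF parsers return them).
# admin1 already has POSIX attributes and a group; "svc backup" is not a usable
# POSIX name; gid 10001 is taken by an unrelated group to exercise allocation.
SAMPLE_USERS = [
    {"dn": "uid=bsmith,ou=People,dc=example,dc=com", "uid": ["bsmith"],
     "objectclass": ["top", "inetOrgPerson", "ntUser"]},
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": ["jdoe"],
     "objectclass": ["top", "inetOrgPerson", "ntUser"]},
    {"dn": "uid=admin1,ou=People,dc=example,dc=com", "uid": ["admin1"],
     "uidnumber": ["10000"], "gidnumber": ["10000"],
     "objectclass": ["top", "inetOrgPerson", "ntUser", "posixAccount"]},
    {"dn": "uid=svc backup,ou=People,dc=example,dc=com", "uid": ["svc backup"],
     "objectclass": ["top", "inetOrgPerson", "ntUser"]},
]
SAMPLE_GROUPS = [
    {"dn": "cn=admin1," + GROUP_BASE, "cn": ["admin1"], "gidnumber": ["10000"],
     "memberuid": ["admin1"], "objectclass": ["top", "posixGroup"]},
    {"dn": "cn=ops," + GROUP_BASE, "cn": ["ops"], "gidnumber": ["10001"],
     "memberuid": ["admin1"], "objectclass": ["top", "posixGroup"]},
]


def has_objectclass(entry, oc):
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def plan_posix(users, groups, id_start=10000, home_base="/home", shell="/bin/bash"):
    """Return (modifications, new_groups, skipped) without touching the server.

    Each converted user gets uidNumber == gidNumber plus a private posixGroup
    named after the uid, so the client's gidNumber-to-name lookup resolves.
    """
    taken = {int(v) for e in users + groups            # ids already in use
             for v in e.get("uidnumber", []) + e.get("gidnumber", [])}
    group_names = {g["cn"][0].lower() for g in groups}
    next_id, mods, new_groups, skipped = id_start, [], [], []
    for e in users:
        if has_objectclass(e, "posixAccount"):
            continue
        uid = e["uid"][0]
        if not POSIX_NAME.match(uid):
            skipped.append((uid, "not a valid POSIX user name"))
            continue
        if uid.lower() in group_names:
            skipped.append((uid, "a group with this cn already exists"))
            continue
        while next_id in taken:                        # never reuse an id
            next_id += 1
        taken.add(next_id)
        group_names.add(uid.lower())
        mods.append({"dn": e["dn"], "objectClass": "posixAccount",
                     "uidNumber": str(next_id), "gidNumber": str(next_id),
                     "homeDirectory": "%s/%s" % (home_base, uid), "loginShell": shell})
        new_groups.append({"dn": "cn=%s,%s" % (uid, GROUP_BASE), "cn": [uid],
                           "gidnumber": [str(next_id)], "memberuid": [uid],
                           "objectclass": ["top", "posixGroup"]})
    return mods, new_groups, skipped


def build_ldif(mods, new_groups):
    """LDIF for: ldapmodify -x -D "cn=Directory Manager" -W -f plan.ldif"""
    out = []
    for m in mods:
        out += ["dn: %s" % m["dn"], "changetype: modify"]
        for attr in ("objectClass", "uidNumber", "gidNumber", "homeDirectory", "loginShell"):
            out += ["add: %s" % attr, "%s: %s" % (attr, m[attr]), "-"]
        out.append("")
    for g in new_groups:
        out += ["dn: %s" % g["dn"], "changetype: add"]
        out += ["objectClass: %s" % oc for oc in g["objectclass"]]
        out += ["cn: %s" % g["cn"][0], "gidNumber: %s" % g["gidnumber"][0],
                "memberUid: %s" % g["memberuid"][0], ""]
    return "\n".join(out)


def group_name_for_gid(groups, gid):
    """What nss_ldap asks the server: (&(objectClass=posixGroup)(gidNumber=N))."""
    for g in groups:
        if has_objectclass(g, "posixGroup") and str(gid) in g.get("gidnumber", []):
            return g["cn"][0]
    return None
```

Run the search with the SYNCED_WITHOUT_POSIX filter, feed the parsed entries to plan_posix(), review the skipped list, then pipe build_ldif() to ldapmodify. Allocating ids from the union of every uidNumber and gidNumber already in the tree, and refusing names that collide with an existing group cn, is what keeps the job safe to run repeatedly from cron.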
From hugo.etievant at inrp.fr Wed Nov 19 15:14:11 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Wed, 19 Nov 2008 16:14:11 +0100
Subject: [Fedora-directory-users] Replicate o=NetscapeRoot database
In-Reply-To: <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk>
References: <4923D7E6.5060801@inrp.fr> <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk>
Message-ID: <49242D43.7030802@inrp.fr>

hello,

> I have put together some notes here:
>
> http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/
>
> they could do with testing - please let me know if you find any problems.

With your procedure, initialization of the consumer fails.

I applied your LDAP script, but on server1 I have the following errors:

[19/Nov/2008:15:20:45 +0100] NSMMReplicationPlugin - agmt="cn=RA12" (server2:389): Incremental update failed and requires administrator action
[19/Nov/2008:15:20:46 +0100] NSMMReplicationPlugin - agmt="cn=RA12" (server2:389): Unable to acquire replica: Excessive clock skew between the supplier and the consumer. Replication is aborting.

What "administrator action" is needed?

regards
-- 
* Hugo Étiévant *

From rmeggins at redhat.com Wed Nov 19 15:23:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 19 Nov 2008 08:23:50 -0700
Subject: [Fedora-directory-users] Replicate o=NetscapeRoot database
In-Reply-To: <49242D43.7030802@inrp.fr>
References: <4923D7E6.5060801@inrp.fr> <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk> <49242D43.7030802@inrp.fr>
Message-ID: <49242F86.1000208@redhat.com>

Hugo Etievant wrote:
> With your procedure, initialization of consumer fails.
>
> I apply your LDAP script but on server1, i have the following errors :
>
> [19/Nov/2008:15:20:45 +0100] NSMMReplicationPlugin - agmt="cn=RA12"
> (server2:389): Incremental update failed and requires administrator
> action
> [19/Nov/2008:15:20:46 +0100] NSMMReplicationPlugin - agmt="cn=RA12"
> (server2:389): Unable to acquire replica: Excessive clock skew between
> the supplier and the consumer. Replication is aborting.
This either means you need to make sure your clocks on all your systems
are in sync, or you are encountering
https://bugzilla.redhat.com/show_bug.cgi?id=233642

What platform? What version of fedora ds? rpm -qi fedora-ds-base
Are you running in a VM?
>
> what "administrator action" is needed ?
>
> regards

From jad at jadickinson.co.uk Wed Nov 19 15:25:13 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Wed, 19 Nov 2008 15:25:13 +0000
Subject: [Fedora-directory-users] Replicate o=NetscapeRoot database
In-Reply-To: <49242D43.7030802@inrp.fr>
References: <4923D7E6.5060801@inrp.fr> <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk> <49242D43.7030802@inrp.fr>
Message-ID: 

On 19 Nov 2008, at 15:14, Hugo Etievant wrote:
> With your procedure, initialization of consumer fails.
>
> I apply your LDAP script but on server1, i have the following errors :
>
> [19/Nov/2008:15:20:45 +0100] NSMMReplicationPlugin -
> agmt="cn=RA12" (server2:389): Incremental update failed and requires
> administrator action
> [19/Nov/2008:15:20:46 +0100] NSMMReplicationPlugin -
> agmt="cn=RA12" (server2:389): Unable to acquire replica: Excessive
> clock skew between the supplier and the consumer. Replication is
> aborting.
>
> what "administrator action" is needed ?

It looks like the clocks are not synced on your two servers. Are you
using ntp?

John

From hugo.etievant at inrp.fr Wed Nov 19 16:21:58 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Wed, 19 Nov 2008 17:21:58 +0100
Subject: [Fedora-directory-users] Replicate o=NetscapeRoot database
In-Reply-To: 
References: <4923D7E6.5060801@inrp.fr> <42E0D100-F4D3-434C-92B7-3BD5067880E3@jadickinson.co.uk> <49242D43.7030802@inrp.fr>
Message-ID: <49243D26.3040007@inrp.fr>

John Dickinson wrote:
> On 19 Nov 2008, at 15:14, Hugo Etievant wrote:
>> [19/Nov/2008:15:20:46 +0100] NSMMReplicationPlugin - agmt="cn=RA12"
>> (server2:389): Unable to acquire replica: Excessive clock skew
>> between the supplier and the consumer. Replication is aborting.
>>
>> what "administrator action" is needed ?
>
> It looks like the clocks are not synced on your two servers. Are you
> using ntp?

Thanks John, my server time config was not as required.
I changed this, and the replication is working :-)

Your tutorial allowed me to set up replication for the NetscapeRoot config suffix. My Administration Server Console is working too; it is very good!

It is a pity that there is no GUI way to configure replication for NetscapeRoot!

best regards
-- 
* Hugo Étiévant *

From jsullivan at opensourcedevel.com Wed Nov 19 16:55:36 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 19 Nov 2008 11:55:36 -0500
Subject: [Fedora-directory-users] posixgroup name lookups
Message-ID: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. We're trying to move all our user access control to DS, including file system rights management and thus group management. We've hit a few problems and would like to share how we've gotten around them, both for documentation and so someone with more experience can tell us if we are going about this the wrong way.

The first problem we hit was that the various hosts could not resolve the gidnumber to a name:

-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000

We noticed in the access query that the hosts were looking for posixgroups:

SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(gidNumber=2000))" attrs="cn userPassword memberUid uniqueMember gidNumber"

The problem comes with users' initial groups, which are typically named after the uid. Since we had not created these explicitly as DS groups but rather simply assigned the gidnumber in the posixaccount's gidnumber attribute, there was no posixgroup to seek.

I suppose the ideal way to address this is to change the query to look for a posixgroup or a posixaccount. I do not see how one does this. Instead, we added posixgroup as an objectclass to the users. Is this a reasonable way to go about this?

Then we hit our next problem. The user's initial group is usually the same as their uid, e.g., user bsmith belongs to group bsmith. However, the query is looking for cn rather than uid. I suppose this is because a posixgroup, as opposed to a user, does not have a uid but does have a cn. This turned up as a problem where we wanted to control the umask in bashrc, which uses logic such as:

if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002

id -un would return bsmith but id -gn would return something like Brian Smith.

Thus, we will need to make it a user creation procedure to override the cn to be the same as the uid rather than FirstName LastName. Is this the correct approach? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From gholbert at broadcom.com Wed Nov 19 19:17:26 2008
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 19 Nov 2008 11:17:26 -0800
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49246646.6010800@broadcom.com>

> -sh-3.2$ id -gn
> id: cannot find name for group ID 2000
> 2000
...
> Instead, we added posixgroup as an objectclass to the users. Is this a
> reasonable way to go about this?

Not really...
id is asking your name service "what is the group name for gid 2000".
You have no groups defined in your name service with that gid.
The most common way to address this is to add a posixGroup object in your LDAP directory with gid 2000, and whatever name (cn) you like.
I would suggest doing this for each account's primary gid.

From jsullivan at opensourcedevel.com Wed Nov 19 19:57:57 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 19 Nov 2008 14:57:57 -0500
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <49246646.6010800@broadcom.com>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com>
Message-ID: <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2008-11-19 at 11:17 -0800, George Holbert wrote:
> > -sh-3.2$ id -gn
> > id: cannot find name for group ID 2000
> > 2000
> ...
> > Instead, we added posixgroup as an objectclass to the users. Is this a
> > reasonable way to go about this?
>
> Not really...
> id is asking your name service "what is the group name for gid 2000".
> You have no groups defined in your name service with that gid.
> The most common way to address this is to add a posixGroup object in
> your LDAP directory with gid 2000, and whatever name (cn) you like.
> I would suggest doing this for each account's primary gid.

Thanks for the reply. Perhaps this is a better approach, but I have some reservations (which may be more my ignorance than a real problem). If I do this, I have the separate step of maintaining posixgroups for each user in a separate entity. Not only must I create two instead of one (times however many thousands of users I have) but I must keep them in sync (user delete, user rename).

By adding a posixgroup objectclass to my users, I solve those problems and still give my name service a way to resolve the group name. It seems much simpler to manage, but I'm just not sure if this does something "bad". Am I missing something? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From gholbert at broadcom.com Wed Nov 19 20:21:42 2008
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 19 Nov 2008 12:21:42 -0800
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49247556.5040609@broadcom.com>

John A. Sullivan III wrote:
> Thanks for the reply. Perhaps this is a better approach but I have some
> reservations (which may be more my ignorance than a real problem). If I
> do this, I have the separate step of maintaining posixgroups for each
> user in a separate entity. Not only must I create two instead of one
> (times however many thousands of users I have) but I must keep them in
> sync (user delete, user rename).
>
> By adding a posixgroup objectclass to my users, I solve those problems
> and still give my name service a way to resolve the group name. It
> seems much simpler to manage but I'm just not sure if this does
> something "bad". Am I missing something? Thanks - John

Most (if not all) LDAP client software that accesses posix attributes will not expect this arrangement.
Most sysadmins or developers that might work with your directory probably would also not expect this.
Those are the biggest drawbacks that come immediately to mind.
But depending on your usage, might never be a serious problem.

This is a good time to ask yourself:
Do you really need a corresponding groupname / gid for every username / uid in your name service?

The answer might certainly be "yes".
But since you're spending time to accommodate this, could be helpful to be sure you have reasons beyond rote tradition.

From jsullivan at opensourcedevel.com Wed Nov 19 20:32:28 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 19 Nov 2008 15:32:28 -0500
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <49247556.5040609@broadcom.com>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com>
Message-ID: <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
> Most (if not all) LDAP client software that accesses posix attributes
> will not expect this arrangement.
> Most sysadmins or developers that might work with your directory
> probably would also not expect this.
> Those are the biggest drawbacks that come immediately to mind.
> But depending on your usage, might never be a serious problem.
>
> This is a good time to ask yourself:
> Do you really need a corresponding groupname / gid for every username /
> uid in your name service?
>
> The answer might certainly be "yes".
> But since you're spending time to accommodate this, could be helpful to
> be sure you have reasons beyond rote tradition.

Thanks for the very thoughtful answer. I'm not only new to LDAP but also to Linux based file servers. I've been in a management role for the last decade and before then was doing NDS and NetWare for directory/file.

We were planning to use a umask of 007 for standard users and set the sgid bit for shared folders. That's where we thought it would be helpful to have a group associated with each user. In fact, it finally made the default setup of creating a group for each user make sense, as I always wondered why that was done.

I suppose we'll also need to activate file system ACLs for more complex setups, as when multiple groups need varying access to a shared file system directory.

If that's a silly approach, kindly let me know and point me to some good documentation on the subject. Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From gholbert at broadcom.com Wed Nov 19 20:45:33 2008
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 19 Nov 2008 12:45:33 -0800
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49247AED.5090405@broadcom.com>

John A. Sullivan III wrote:
> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
>> Most (if not all) LDAP client software that accesses posix attributes
>> will not expect this arrangement.
>> Most sysadmins or developers that might work with your directory
>> probably would also not expect this.
>> Those are the biggest drawbacks that come immediately to mind.
>> But depending on your usage, might never be a serious problem.
>>
>> This is a good time to ask yourself:
>> Do you really need a corresponding groupname / gid for every username /
>> uid in your name service?
>> >> The answer might certainly be "yes". >> But since you're spending time to accommodate this, could be helpful to >> be sure you have reasons beyond rote tradition. >> >> > > Thanks for the very thoughtful answer. I'm not only new to LDAP but > also to Linux based file servers. I've been in a management role for > the last decade and before then was doing NDS and NetWare for > directory/file. > > We were planning to use a umask of 007 for standard users and set the > sgid bit for shared folders. That's where we thought it would be > helpful to have a group associated with each user. In fact, it finally > made the default setup of creating a group for each user make sense as I > always wondered why that was done. I suppose we'll also need to > activate file system acls for more complex setups as when multiple > groups need varying access to a shared file system directory. > > If that's a silly approach, kindly let me know and point me to some good > documentation on the subject. Thanks - John > Sounds like you do have some good (non-silly) reasons. Just be aware the hybrid posixGroup / posixAccount thing is a unique approach, that might well set you up for uniqueness you won't want down the road. From j.barber at dundee.ac.uk Thu Nov 20 08:38:59 2008 From: j.barber at dundee.ac.uk (Jonathan Barber) Date: Thu, 20 Nov 2008 08:38:59 +0000 Subject: [Fedora-directory-users] posixgroup name lookups In-Reply-To: <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: > On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: > > John A. 
Sullivan III wrote: > > >> John A. Sullivan III wrote: [snip] > > Thanks for the very thoughtful answer. I'm not only new to LDAP but > also to Linux based file servers. I've been in a management role for > the last decade and before then was doing NDS and NetWare for > directory/file. > > We were planning to use a umask of 007 for standard users and set the > sgid bit for shared folders. That's where we thought it would be > helpful to have a group associated with each user. In fact, it finally > made the default setup of creating a group for each user make sense as I > always wondered why that was done. I suppose we'll also need to > activate file system acls for more complex setups as when multiple > groups need varying access to a shared file system directory. This arrangement is known (at least by Redhat) as User Private Groups (UPG): http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html The primary reason for doing it is that group access to files is managed via secondary group membership, not primary group membership If each of your users has their own group, then adding a posixGroup objectclass to each user makes perfect sense. You may also want to place an uniqueness constraint on the gidNumber attribute as well: http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in WRT to linux, the only gotcha I can think of is that you'll have to set the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's the common parent to both your users and groups - otherwise it'll never find the UPG's. > If that's a silly approach, kindly let me know and point me to some good > documentation on the subject. Thanks - John > -- > John A. 
Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From hugo.hendriks at ciber.nl Thu Nov 20 11:48:10 2008
From: hugo.hendriks at ciber.nl (Hugo Hendriks)
Date: Thu, 20 Nov 2008 12:48:10 +0100
Subject: [Fedora-directory-users] synchronize fedora with Lotus Domino and MS Active directory
Message-ID: <7C655C04B6F59643A1EF66056C0E095E042A77@eusex01.sweden.ecsoft>

Hi,

I have a brief question. I'm not really experienced in the whole LDAP field but I was trying to figure out if the following setup is possible.

I have 2 different directory servers...a Lotus Notes/Domino server and an Active Directory server. Can we use Fedora as a central LDAP server and is it possible to easily synchronize/replicate the Fedora server with the Notes and AD server?

I tried to find some documentation about this but only found http://directory.fedoraproject.org/wiki/Howto:WindowsSync so I guess synchronization with AD is covered but is this also possible with Notes? It also seems quite technical....are there perhaps certain tools which make this easier for you?

Many thanks in advance!

Best Regards,
Hugo
From michael at stroeder.com Thu Nov 20 12:57:49 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 20 Nov 2008 13:57:49 +0100
Subject: [Fedora-directory-users] synchronize fedora with Lotus Domino and MS Active directory
In-Reply-To: <7C655C04B6F59643A1EF66056C0E095E042A77@eusex01.sweden.ecsoft>
References: <7C655C04B6F59643A1EF66056C0E095E042A77@eusex01.sweden.ecsoft>
Message-ID: <49255ECD.4020305@stroeder.com>

Hugo Hendriks wrote:
> I have 2 different directory servers...a Lotus Notes/Domino server and a
> Active Directory server.

That's almost exactly my job in a customer project (source DB is different).

> so I guess synchronization with AD is covered but is this also possible
> with Notes?

Depends on what you want on Domino (Notes). It's fairly easy to add person entries to the Notes address book via Domino/LDAP (needs some Domino server configuration tweaks) but these cannot be turned into real Notes users with ID and mailbox files. If you want to create real Notes users you have to add entries in the certreq database. I'm still figuring out whether I use the Notes client with pywin32 for that or whether to do that via DIIOP (or whether I leave that out and just generate tickets). Several meta directory agents also seem to take the Win32 programming approach with the Notes client.

> It also seems quite technical....are there perhaps certain tools which
> makes this more easy for you?

I'm curious on whether you find open source tools.

Ciao, Michael.
From hugo.hendriks at ciber.nl Thu Nov 20 13:38:21 2008
From: hugo.hendriks at ciber.nl (Hugo Hendriks)
Date: Thu, 20 Nov 2008 14:38:21 +0100
Subject: [Fedora-directory-users] synchronize fedora with Lotus Dominoand MS Active directory
In-Reply-To: <49255ECD.4020305@stroeder.com>
References: <7C655C04B6F59643A1EF66056C0E095E042A77@eusex01.sweden.ecsoft> <49255ECD.4020305@stroeder.com>
Message-ID: <7C655C04B6F59643A1EF66056C0E095E042A78@eusex01.sweden.ecsoft>

Fedora is only going to be used as a central access point. So we only need to synchronize the Domino(notes) server with Fedora and also the Active Directory server with Fedora.

So say I add a user to the Active Directory server. This user then needs to be synchronized to the Fedora server and then synchronized to the Domino(Notus) server....and vice versa.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael Ströder
Sent: donderdag 20 november 2008 13:58
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] synchronize fedora with Lotus Dominoand MS Active directory

Hugo Hendriks wrote:
> I have 2 different directory servers...a Lotus Notes/Domino server and a
> Active Directory server.

That's almost exactly my job in a customer project (source DB is different).

> so I guess synchronization with AD is covered but is this also possible
> with Notes?

Depends on what you want on Domino (Notes). It's fairly easy to add person entries to the Notes address book via Domino/LDAP (needs some Domino server configuration tweaks) but these cannot be turned into real Notes users with ID and mailbox files. If you want to create real Notes users you have to add entries in the certreq database. I'm still figuring out whether I use the Notes client with pywin32 for that or whether to do that via DIIOP (or whether I leave that out and just generate tickets).
Several meta directory agents also seem to take the Win32 programming approach with the Notes client.

> It also seems quite technical....are there perhaps certain tools which
> makes this more easy for you?

I'm curious on whether you find open source tools.

Ciao, Michael.

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From michael at stroeder.com Thu Nov 20 15:01:24 2008
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 20 Nov 2008 16:01:24 +0100
Subject: [Fedora-directory-users] synchronize fedora with Lotus Dominoand MS Active directory
In-Reply-To: <7C655C04B6F59643A1EF66056C0E095E042A78@eusex01.sweden.ecsoft>
References: <7C655C04B6F59643A1EF66056C0E095E042A77@eusex01.sweden.ecsoft> <49255ECD.4020305@stroeder.com> <7C655C04B6F59643A1EF66056C0E095E042A78@eusex01.sweden.ecsoft>
Message-ID: <49257BC4.7060703@stroeder.com>

Hugo Hendriks wrote:
> This user then needs to be synchronized to
> the Fedora server and then synchronized to the Domino(Notus)
> server....and vice versa.

Whatever "synchronized to the Domino(Notus) server" means.

> Michael Ströder wrote:
>> Depends on what you want on Domino (Notes). It's fairly easy to add
>> person entries to the Notes address book via Domino/LDAP (needs some
>> Domino server configuration tweaks) but these cannot be turned into real
>> Notes users with ID and mailbox files. If you want to create real Notes
>> users you have to add entries in the certreq database.

Adding a fully usable Notes user account usually requires going through a process for generating the user's Notes ID file and a mailbox database. This is not as simple as adding an AD or FDS account via LDAP. Adding a simple person entry to be listed in the Notes address book is simple though. But I guess you want to have full Notes user accounts. That's off-topic here though.

Ciao, Michael.
From hugo.hendriks at ciber.nl Thu Nov 20 16:12:11 2008
From: hugo.hendriks at ciber.nl (Hugo Hendriks)
Date: Thu, 20 Nov 2008 17:12:11 +0100
Subject: [Fedora-directory-users] synchronize fedora with Lotus DominoandMS Active directory
In-Reply-To: <49257BC4.7060703@stroeder.com>
References: <7C655C04B6F59643A1EF66056C0E095E042A77@eusex01.sweden.ecsoft> <49255ECD.4020305@stroeder.com> <7C655C04B6F59643A1EF66056C0E095E042A78@eusex01.sweden.ecsoft> <49257BC4.7060703@stroeder.com>
Message-ID: <7C655C04B6F59643A1EF66056C0E095E042A79@eusex01.sweden.ecsoft>

Like I said, I'm not really an expert on what is all involved in the creation of a Notes account. All I know is we need the address books equal on both servers and I guess that means also the creation of a full Notes account like you said.

Thanks for your info Michael!

Best regards,
Hugo

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Michael Ströder
Sent: donderdag 20 november 2008 16:01
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] synchronize fedora with Lotus DominoandMS Active directory

Hugo Hendriks wrote:
> This user then needs to be synchronized to
> the Fedora server and then synchronized to the Domino(Notus)
> server....and vice versa.

Whatever "synchronized to the Domino(Notus) server" means.

> Michael Ströder wrote:
>> Depends on what you want on Domino (Notes). It's fairly easy to add
>> person entries to the Notes address book via Domino/LDAP (needs some
>> Domino server configuration tweaks) but these cannot be turned into real
>> Notes users with ID and mailbox files. If you want to create real Notes
>> users you have to add entries in the certreq database.

Adding a fully usable notes user account usually requires going through a process for generating the user's Notes ID file and a mailbox database.
This is not as simple as adding a AD or FDS account via LDAP. Adding a simple person entry to be listed in the Notes address book is simple though. But I guess you want to have full Notes user accounts. That's off-topic here though. Ciao, Michael. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From gholbert at broadcom.com Thu Nov 20 17:01:44 2008 From: gholbert at broadcom.com (George Holbert) Date: Thu, 20 Nov 2008 09:01:44 -0800 Subject: [Fedora-directory-users] posixgroup name lookups In-Reply-To: <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> Message-ID: <492597F8.1040708@broadcom.com> Jonathan Barber wrote: > On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: > >> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: >> >>> John A. Sullivan III wrote: >>> >>>>> John A. Sullivan III wrote: >>>>> > > [snip] > > >> >> Thanks for the very thoughtful answer. I'm not only new to LDAP but >> also to Linux based file servers. I've been in a management role for >> the last decade and before then was doing NDS and NetWare for >> directory/file. >> >> We were planning to use a umask of 007 for standard users and set the >> sgid bit for shared folders. That's where we thought it would be >> helpful to have a group associated with each user. In fact, it finally >> made the default setup of creating a group for each user make sense as I >> always wondered why that was done. I suppose we'll also need to >> activate file system acls for more complex setups as when multiple >> groups need varying access to a shared file system directory. 
>> > > This arrangement is known (at least by Redhat) as User Private Groups > (UPG): > http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html > > The primary reason for doing it is that group access to files is managed > via secondary group membership, not primary group membership > > If each of your users has their own group, then adding a posixGroup > objectclass to each user makes perfect sense. You may also want to place > an uniqueness constraint on the gidNumber attribute as well: > http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in > > WRT to linux, the only gotcha I can think of is that you'll have to set > the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's > the common parent to both your users and groups - otherwise it'll never > find the UPG's. > > Another way would be to omit the addition of the posixGroup on your account objects, and just modify the filter on nss_base_group to include posixAccounts. e.g.: nss_base_group dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) posixAccount already includes the gidNumber and cn attributes, which is all you're really after here... unless you want to start adding memberUid attributes to your account objects (which doesn't make any obvious sense). You will almost certainly have to modify your nss_base_group setting in either case, as Jonathan suggested. >> If that's a silly approach, kindly let me know and point me to some good >> documentation on the subject. Thanks - John >> -- >> John A. 
Sullivan III >> Open Source Development Corporation >> +1 207-985-7880 >> jsullivan at opensourcedevel.com >> >> http://www.spiritualoutreach.com >> Making Christianity intelligible to secular society >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > From michael at stroeder.com Thu Nov 20 17:11:02 2008 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 20 Nov 2008 18:11:02 +0100 Subject: [Fedora-directory-users] synchronize fedora with Lotus DominoandMS Active directory In-Reply-To: <7C655C04B6F59643A1EF66056C0E095E042A79@eusex01.sweden.ecsoft> References: <7C655C04B6F59643A1EF66056C0E095E042A77@eusex01.sweden.ecsoft> <49255ECD.4020305@stroeder.com><7C655C04B6F59643A1EF66056C0E095E042A78@eusex01.sweden.ecsoft> <49257BC4.7060703@stroeder.com> <7C655C04B6F59643A1EF66056C0E095E042A79@eusex01.sweden.ecsoft> Message-ID: <49259A26.60802@stroeder.com> Hugo Hendriks wrote: > Like I said, I'm not really an expert on what is all involved in the > creation of a notes account. I'd suggest to first look at how it's done manually. Then you have a far better view on the necessary details. Ciao, Michael. From jsullivan at opensourcedevel.com Thu Nov 20 18:49:22 2008 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III) Date: Thu, 20 Nov 2008 13:49:22 -0500 Subject: [Fedora-directory-users] posixgroup name lookups In-Reply-To: <492597F8.1040708@broadcom.com> References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> <492597F8.1040708@broadcom.com> Message-ID: <1227206962.6411.9.camel@jaspav.missionsit.net.missionsit.net> On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote: > Jonathan Barber wrote: > > On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: > > > >> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: > >> > >>> John A. Sullivan III wrote: > >>> > >>>>> John A. Sullivan III wrote: > >>>>> > > > > [snip] > > > > > >> > >> Thanks for the very thoughtful answer. I'm not only new to LDAP but > >> also to Linux based file servers. I've been in a management role for > >> the last decade and before then was doing NDS and NetWare for > >> directory/file. > >> > >> We were planning to use a umask of 007 for standard users and set the > >> sgid bit for shared folders. That's where we thought it would be > >> helpful to have a group associated with each user. In fact, it finally > >> made the default setup of creating a group for each user make sense as I > >> always wondered why that was done. I suppose we'll also need to > >> activate file system acls for more complex setups as when multiple > >> groups need varying access to a shared file system directory. 
> >> > > > > This arrangement is known (at least by Redhat) as User Private Groups > > (UPG): > > http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html > > > > The primary reason for doing it is that group access to files is managed > > via secondary group membership, not primary group membership > > > > If each of your users has their own group, then adding a posixGroup > > objectclass to each user makes perfect sense. You may also want to place > > an uniqueness constraint on the gidNumber attribute as well: > > http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in > > > > WRT to linux, the only gotcha I can think of is that you'll have to set > > the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's > > the common parent to both your users and groups - otherwise it'll never > > find the UPG's. > > > > > Another way would be to omit the addition of the posixGroup on your > account objects, and just modify the filter on nss_base_group to include > posixAccounts. > e.g.: > nss_base_group > dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) > > posixAccount already includes the gidNumber and cn attributes, which is > all you're really after here... unless you want to start adding > memberUid attributes to your account objects (which doesn't make any > obvious sense). > > You will almost certainly have to modify your nss_base_group setting in > either case, as Jonathan suggested. > That's what I had first attempted to do but I do not see where to set that filter. I didn't see anything in ldap.conf or nsswitch.conf. Where is it set? Thanks - John -- John A. 
Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From rmeggins at redhat.com Thu Nov 20 18:51:21 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 20 Nov 2008 11:51:21 -0700 Subject: [Fedora-directory-users] posixgroup name lookups In-Reply-To: <1227206962.6411.9.camel@jaspav.missionsit.net.missionsit.net> References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> <492597F8.1040708@broadcom.com> <1227206962.6411.9.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4925B1A9.8050507@redhat.com> John A. Sullivan III wrote: > On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote: > >> Jonathan Barber wrote: >> >>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: >>> >>> >>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: >>>> >>>> >>>>> John A. Sullivan III wrote: >>>>> >>>>> >>>>>>> John A. Sullivan III wrote: >>>>>>> >>>>>>> >>> [snip] >>> >>> >>> >>>> >>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but >>>> also to Linux based file servers. I've been in a management role for >>>> the last decade and before then was doing NDS and NetWare for >>>> directory/file. >>>> >>>> We were planning to use a umask of 007 for standard users and set the >>>> sgid bit for shared folders. That's where we thought it would be >>>> helpful to have a group associated with each user. In fact, it finally >>>> made the default setup of creating a group for each user make sense as I >>>> always wondered why that was done. 
I suppose we'll also need to >>>> activate file system acls for more complex setups as when multiple >>>> groups need varying access to a shared file system directory. >>>> >>>> >>> This arrangement is known (at least by Redhat) as User Private Groups >>> (UPG): >>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html >>> >>> The primary reason for doing it is that group access to files is managed >>> via secondary group membership, not primary group membership >>> >>> If each of your users has their own group, then adding a posixGroup >>> objectclass to each user makes perfect sense. You may also want to place >>> an uniqueness constraint on the gidNumber attribute as well: >>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in >>> >>> WRT to linux, the only gotcha I can think of is that you'll have to set >>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's >>> the common parent to both your users and groups - otherwise it'll never >>> find the UPG's. >>> >>> >>> >> Another way would be to omit the addition of the posixGroup on your >> account objects, and just modify the filter on nss_base_group to include >> posixAccounts. >> e.g.: >> nss_base_group >> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) >> >> posixAccount already includes the gidNumber and cn attributes, which is >> all you're really after here... unless you want to start adding >> memberUid attributes to your account objects (which doesn't make any >> obvious sense). >> >> You will almost certainly have to modify your nss_base_group setting in >> either case, as Jonathan suggested. >> >> > > That's what I had first attempted to do but I do not see where to set > that filter. I didn't see anything in ldap.conf or nsswitch.conf. > Where is it set? 
Thanks - John
>
/etc/ldap.conf - do man nss_ldap - look for this:

nss_base_
Specify the search base, scope and filter to be used for specific maps. (Note that map forms part of the configuration file ...

From jsullivan at opensourcedevel.com Thu Nov 20 22:24:58 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 20 Nov 2008 17:24:58 -0500
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <492597F8.1040708@broadcom.com>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> <492597F8.1040708@broadcom.com>
Message-ID: <1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net>

On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
> Jonathan Barber wrote:
> > On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
> >> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
> >>> John A. Sullivan III wrote:
> >>>>> John A. Sullivan III wrote:
> > [snip]
> >>
> >> Thanks for the very thoughtful answer. I'm not only new to LDAP but also to Linux based file servers. I've been in a management role for the last decade and before then was doing NDS and NetWare for directory/file.
> >>
> >> We were planning to use a umask of 007 for standard users and set the sgid bit for shared folders. That's where we thought it would be helpful to have a group associated with each user.
In fact, it finally > >> made the default setup of creating a group for each user make sense as I > >> always wondered why that was done. I suppose we'll also need to > >> activate file system acls for more complex setups as when multiple > >> groups need varying access to a shared file system directory. > >> > > > > This arrangement is known (at least by Redhat) as User Private Groups > > (UPG): > > http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html > > > > The primary reason for doing it is that group access to files is managed > > via secondary group membership, not primary group membership > > > > If each of your users has their own group, then adding a posixGroup > > objectclass to each user makes perfect sense. You may also want to place > > an uniqueness constraint on the gidNumber attribute as well: > > http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in > > > > WRT to linux, the only gotcha I can think of is that you'll have to set > > the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's > > the common parent to both your users and groups - otherwise it'll never > > find the UPG's. > > > > > Another way would be to omit the addition of the posixGroup on your > account objects, and just modify the filter on nss_base_group to include > posixAccounts. > e.g.: > nss_base_group > dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) > > posixAccount already includes the gidNumber and cn attributes, which is > all you're really after here... unless you want to start adding > memberUid attributes to your account objects (which doesn't make any > obvious sense). > > You will almost certainly have to modify your nss_base_group setting in > either case, as Jonathan suggested. > Alas, I'm not sure this is going to work as expected but it could be my ignorance. 
I've read the man page and whatever documentation I could find. It appears it does an & operation with the additional filter whereas I need an |.

I gather the default is:
&(objectClass=posixgroup)(cn=group_name)

I think I need it to be:
|((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))

If it does an &, I think I get:
&((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))

Nevertheless, I tried all of the following without success:

nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount)

nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name))
this broke the posixgroup filter, too!

nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name)
this broke the posixgroup filter, too!

nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
this broke the posixgroup filter, too!

nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)
this broke the posixgroup filter, too!

nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)

I did flush the nscd group database between each try. What am I doing wrong? Thanks - John
-- 
John A.
Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From gholbert at broadcom.com Thu Nov 20 22:43:56 2008 From: gholbert at broadcom.com (George Holbert) Date: Thu, 20 Nov 2008 14:43:56 -0800 Subject: [Fedora-directory-users] posixgroup name lookups In-Reply-To: <1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net> References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> <492597F8.1040708@broadcom.com> <1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4925E82C.7060501@broadcom.com> John A. Sullivan III wrote: > On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote: > >> Jonathan Barber wrote: >> >>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: >>> >>> >>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: >>>> >>>> >>>>> John A. Sullivan III wrote: >>>>> >>>>> >>>>>>> John A. Sullivan III wrote: >>>>>>> >>>>>>> >>> [snip] >>> >>> >>> >>>> >>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but >>>> also to Linux based file servers. I've been in a management role for >>>> the last decade and before then was doing NDS and NetWare for >>>> directory/file. >>>> >>>> We were planning to use a umask of 007 for standard users and set the >>>> sgid bit for shared folders. That's where we thought it would be >>>> helpful to have a group associated with each user. In fact, it finally >>>> made the default setup of creating a group for each user make sense as I >>>> always wondered why that was done. 
I suppose we'll also need to >>>> activate file system acls for more complex setups as when multiple >>>> groups need varying access to a shared file system directory. >>>> >>>> >>> This arrangement is known (at least by Redhat) as User Private Groups >>> (UPG): >>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html >>> >>> The primary reason for doing it is that group access to files is managed >>> via secondary group membership, not primary group membership >>> >>> If each of your users has their own group, then adding a posixGroup >>> objectclass to each user makes perfect sense. You may also want to place >>> an uniqueness constraint on the gidNumber attribute as well: >>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in >>> >>> WRT to linux, the only gotcha I can think of is that you'll have to set >>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's >>> the common parent to both your users and groups - otherwise it'll never >>> find the UPG's. >>> >>> >>> >> Another way would be to omit the addition of the posixGroup on your >> account objects, and just modify the filter on nss_base_group to include >> posixAccounts. >> e.g.: >> nss_base_group >> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) >> >> posixAccount already includes the gidNumber and cn attributes, which is >> all you're really after here... unless you want to start adding >> memberUid attributes to your account objects (which doesn't make any >> obvious sense). >> >> You will almost certainly have to modify your nss_base_group setting in >> either case, as Jonathan suggested. >> >> > > Alas, I'm not sure this is going to work as expected but it could be my > ignorance. I've read the man page and whatever documentation I could > find. 
It appears it does an & operation with the additional filter > whereas I need an |. > > I gather the default is: > &(objectClass=posixgroup)(cn=group_name) > > I think I need it to be: > |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > If it does an &, I think I get: > &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > Nevertheless, I tried all of the following without success: > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount) > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name)) > this broke the posixgroup filter, too! > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name) > this broke the posixgroup filter, too! > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name) > this broke the posixgroup filter, too! > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount) > this broke the posixgroup filter, too! > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount) > > I did flush the nscd group database between each try. What am I doing > wrong? Thanks - John > It's not immediately obvious to me where the problem is. But, have you tried reviewing your LDAP server's access log? That's often a huge help for troubleshooting this kind of thing. From jsullivan at opensourcedevel.com Fri Nov 21 00:16:12 2008 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III) Date: Thu, 20 Nov 2008 19:16:12 -0500 Subject: [Fedora-directory-users] posixgroup name lookups In-Reply-To: <4925E82C.7060501@broadcom.com> References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> <492597F8.1040708@broadcom.com> <1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net> <4925E82C.7060501@broadcom.com> Message-ID: <1227226572.6411.38.camel@jaspav.missionsit.net.missionsit.net> On Thu, 2008-11-20 at 14:43 -0800, George Holbert wrote: > John A. Sullivan III wrote: > > On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote: > > > >> Jonathan Barber wrote: > >> > >>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: > >>> > >>> > >>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: > >>>> > >>>> > >>>>> John A. Sullivan III wrote: > >>>>> > >>>>> > >>>>>>> John A. Sullivan III wrote: > >>>>>>> > >>>>>>> > >>> [snip] > >>> > >>> > >>> > >>>> > >>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but > >>>> also to Linux based file servers. I've been in a management role for > >>>> the last decade and before then was doing NDS and NetWare for > >>>> directory/file. > >>>> > >>>> We were planning to use a umask of 007 for standard users and set the > >>>> sgid bit for shared folders. That's where we thought it would be > >>>> helpful to have a group associated with each user. In fact, it finally > >>>> made the default setup of creating a group for each user make sense as I > >>>> always wondered why that was done. I suppose we'll also need to > >>>> activate file system acls for more complex setups as when multiple > >>>> groups need varying access to a shared file system directory. 
> >>>> > >>>> > >>> This arrangement is known (at least by Redhat) as User Private Groups > >>> (UPG): > >>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html > >>> > >>> The primary reason for doing it is that group access to files is managed > >>> via secondary group membership, not primary group membership > >>> > >>> If each of your users has their own group, then adding a posixGroup > >>> objectclass to each user makes perfect sense. You may also want to place > >>> an uniqueness constraint on the gidNumber attribute as well: > >>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in > >>> > >>> WRT to linux, the only gotcha I can think of is that you'll have to set > >>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's > >>> the common parent to both your users and groups - otherwise it'll never > >>> find the UPG's. > >>> > >>> > >>> > >> Another way would be to omit the addition of the posixGroup on your > >> account objects, and just modify the filter on nss_base_group to include > >> posixAccounts. > >> e.g.: > >> nss_base_group > >> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) > >> > >> posixAccount already includes the gidNumber and cn attributes, which is > >> all you're really after here... unless you want to start adding > >> memberUid attributes to your account objects (which doesn't make any > >> obvious sense). > >> > >> You will almost certainly have to modify your nss_base_group setting in > >> either case, as Jonathan suggested. > >> > >> > > > > Alas, I'm not sure this is going to work as expected but it could be my > > ignorance. I've read the man page and whatever documentation I could > > find. It appears it does an & operation with the additional filter > > whereas I need an |. 
> > > > I gather the default is: > > &(objectClass=posixgroup)(cn=group_name) > > > > I think I need it to be: > > |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > > > If it does an &, I think I get: > > &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > > > Nevertheless, I tried all of the following without success: > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount) > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name)) > > this broke the posixgroup filter, too! > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name) > > this broke the posixgroup filter, too! > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name) > > this broke the posixgroup filter, too! > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount) > > this broke the posixgroup filter, too! > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount) > > > > I did flush the nscd group database between each try. What am I doing > > wrong? Thanks - John > > > It's not immediately obvious to me where the problem is. > But, have you tried reviewing your LDAP server's access log? > That's often a huge help for troubleshooting this kind of thing. Thanks. I do see what it is doing but I'm still not sure how to configure the nss_base_group for two reasons which I'll state in a second. 
Here is a query when I do an ls -l on a directory so it needs to resolve the gidnumber to a group name:

filter="(&(objectClass=posixGroup)(gidNumber=103000)(|(&(objectClass=posixAccount)(gidNumber=group_number))))"

This is what happens if I try to do a chgrp and it thus needs to resolve a name to a number:

filter="(&(objectClass=posixGroup)(cn=barry.knowles)(|(&(objectClass=posixAccount))))"

The first question is where to find the variables which are replaced by the actual values. You can see I guessed at group_number in the first case and was wrong. How do I build a filter which will substitute 103000 when I am seeking that particular gidnumber?

The second question is the sought attribute seems to vary depending on the function. How do I create the filter to search on gidnumber in the first case and cn in the second?

Sorry if I'm being dense. I'm quite new to all this - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Fri Nov 21 03:13:01 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 20 Nov 2008 22:13:01 -0500
Subject: [Fedora-directory-users] Dynamic groups not supplying posixgroup membership
Message-ID: <1227237181.6411.51.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. We have a multi-tenant setup where each client has a group which contains all their internal users. We thought we would save time by creating a dynamic group using a filter such as:

ldap:///ou=internal,ou=users,dc=X,dc=com,dc=ssiservices,dc=biz??sub?(&(objectclass=person)(uid=*))

This appears to work and adequately populates the group. However, when the user logs in to a Linux system, the Linux system queries for group membership. We are noticing that we do not get any results when using dynamic groups. If we make the same group managed, we see the group membership.
Notice these two records from the access log (truncated because of screen scraping):

filter="(&(objectClass=posixGroup)(|(memberUid=te.kee)(uniqueMember=uid=te.kee,ou=internal,ou=Users,dc=ebc-co,dc=com,dc=ssiservices,dc=
RESULT err=0 tag=101 nentries=1 etime=0
N.B. we have an entry. This used managed groups.

When we change to dynamic groups, we see this:
filter="(&(objectClass=posixGroup)(|(memberUid=te.kee)(uniqueMember=uid=te.kee,ou=internal,ou=Users,dc=ebc-co,dc=com,dc=ssiservices,dc
RESULT err=0 tag=101 nentries=0 etime=0
N.B. no entries!

Have we done something wrong? Is this a bug or is it the way it is supposed to work? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From j.barber at dundee.ac.uk Fri Nov 21 12:22:20 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Fri, 21 Nov 2008 12:22:20 +0000
Subject: [Fedora-directory-users] Dynamic groups not supplying posixgroup membership
In-Reply-To: <1227237181.6411.51.camel@jaspav.missionsit.net.missionsit.net>
References: <1227237181.6411.51.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <20081121122220.GG25474@flea.lifesci.dundee.ac.uk>

On Thu, Nov 20, 2008 at 10:13:01PM -0500, John A. Sullivan III wrote:
> Hello, all. We have a multi-tenant set up where each client has a group
> which contains all their internal users. We thought we would save time
> by creating a dynamic group using a filter such as:
> 
> ldap:///ou=internal,ou=users,dc=X,dc=com,dc=ssiservices,
> dc=biz??sub?(&(objectclass=person)(uid=*))
> 
> This appears to work and adequately populates the group. However, when
> the user logs in to a Linux system, the Linux system queries for group
> membership. We are noticing that we do not get any results when using
> dynamic groups. If we make the same group managed, we see the group
> membership.
> Notice these two records from the access log (truncated
> because of screen scraping):
> 
> filter="(&(objectClass=posixGroup)(|(memberUid=te.kee)(uniqueMember=uid=te.kee,ou=internal,ou=Users,dc=ebc-co,dc=com,dc=ssiservices,dc=
> RESULT err=0 tag=101 nentries=1 etime=0
> N.B. we have an entry. This used managed groups.
> 
> When we change to dynamic groups, we see this:
> filter="(&(objectClass=posixGroup)(|(memberUid=te.kee)(uniqueMember=uid=te.kee,ou=internal,ou=Users,dc=ebc-co,dc=com,dc=ssiservices,dc
> RESULT err=0 tag=101 nentries=0 etime=0
> N.B. no entries!
> 
> Have we done something wrong? Is this a bug or is it the way it is
> supposed to work? Thanks - John

Dynamic groups just specify an LDAP filter which can be used to find which LDAP entries are members of the group. It doesn't populate the attribute of the dynamic group entry with member entry DN's.

Try doing an ldapsearch for your group entry, and see what you get back; it won't include any uniqueMember attributes (unless you've added some).

> -- 
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
> 
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-- 
Jonathan Barber
High Performance Computing Analyst
Tel.
+44 (0) 1382 386389 From rmeggins at redhat.com Fri Nov 21 16:10:16 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 21 Nov 2008 09:10:16 -0700 Subject: [Fedora-directory-users] posixgroup name lookups In-Reply-To: <1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net> References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> <492597F8.1040708@broadcom.com> <1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4926DD68.2080901@redhat.com> John A. Sullivan III wrote: > On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote: > >> Jonathan Barber wrote: >> >>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: >>> >>> >>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: >>>> >>>> >>>>> John A. Sullivan III wrote: >>>>> >>>>> >>>>>>> John A. Sullivan III wrote: >>>>>>> >>>>>>> >>> [snip] >>> >>> >>> >>>> >>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but >>>> also to Linux based file servers. I've been in a management role for >>>> the last decade and before then was doing NDS and NetWare for >>>> directory/file. >>>> >>>> We were planning to use a umask of 007 for standard users and set the >>>> sgid bit for shared folders. That's where we thought it would be >>>> helpful to have a group associated with each user. In fact, it finally >>>> made the default setup of creating a group for each user make sense as I >>>> always wondered why that was done. I suppose we'll also need to >>>> activate file system acls for more complex setups as when multiple >>>> groups need varying access to a shared file system directory. 
>>>> >>>> >>> This arrangement is known (at least by Redhat) as User Private Groups >>> (UPG): >>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html >>> >>> The primary reason for doing it is that group access to files is managed >>> via secondary group membership, not primary group membership >>> >>> If each of your users has their own group, then adding a posixGroup >>> objectclass to each user makes perfect sense. You may also want to place >>> an uniqueness constraint on the gidNumber attribute as well: >>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in >>> >>> WRT to linux, the only gotcha I can think of is that you'll have to set >>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's >>> the common parent to both your users and groups - otherwise it'll never >>> find the UPG's. >>> >>> >>> >> Another way would be to omit the addition of the posixGroup on your >> account objects, and just modify the filter on nss_base_group to include >> posixAccounts. >> e.g.: >> nss_base_group >> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) >> >> posixAccount already includes the gidNumber and cn attributes, which is >> all you're really after here... unless you want to start adding >> memberUid attributes to your account objects (which doesn't make any >> obvious sense). >> >> You will almost certainly have to modify your nss_base_group setting in >> either case, as Jonathan suggested. >> >> > > Alas, I'm not sure this is going to work as expected but it could be my > ignorance. I've read the man page and whatever documentation I could > find. It appears it does an & operation with the additional filter > whereas I need an |. 
> 
> I gather the default is:
> &(objectClass=posixgroup)(cn=group_name)
> 
> I think I need it to be:
> |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
> 
> If it does an &, I think I get:
> &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
> 
> Nevertheless, I tried all of the following without success:
> 
> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount)
> 
Invalid filter - the "|" character does not belong there.

> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name))
> this broke the posixgroup filter, too!
> 
Also invalid - "|" character

> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name)
> this broke the posixgroup filter, too!
> 
Invalid filter - a filter must begin with ( and end with ) - so (&(objectClass=posixAccount)(uid=group_name))

> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
> this broke the posixgroup filter, too!
> 
Invalid filter - (&(objectClass=posixAccount)(uid=group_name))

> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)
> this broke the posixgroup filter, too!
> 
Not sure what's wrong with this one - looks ok

> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)
> 
Invalid filter - should just be (objectClass=posixAccount)

> I did flush the nscd group database between each try. What am I doing
> wrong? Thanks - John
> 
It looks as though nss_base_group uses LDAP URL syntax - see http://www.ietf.org/rfc/rfc2255.txt for more information about LDAP URLs, and http://www.ietf.org/rfc/rfc2254.txt for information about LDAP filters
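As an added illustration of Rich's two RFC pointers (example code written for this archive, not nss_ldap or Fedora DS code), the block below checks each nss_base_group line John tried against the RFC 2254 filter grammar and the base?scope?filter split, rebuilds the group-lookup filter exactly as it appears in the two access-log lines John posted in his earlier reply to George, and evaluates that filter against two constructed entries. The point it makes is the one John suspected: because nss_ldap ANDs the configured filter with its own posixGroup filter, an ORed filter inside that AND can only narrow the match, never widen it to posixAccount entries. The parenthesis-wrapping of the configured filter is inferred from the two logged filters and is an assumption; the sample DNs, entries and helper names are mine.

```python
"""Added example for this thread (not nss_ldap or Fedora DS code): check
nss_base_<map> values against RFC 2254 filter syntax, rebuild the group lookup
filter seen in the access log, and evaluate it against constructed entries."""
import re

class FilterError(ValueError):
    """Raised with a human-readable reason when text is not an RFC 2254 filter."""

# attributetype, one of the RFC 2254 filtertypes, then a value without parentheses
_ITEM = re.compile(r'([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)([^()]*)')

def _parse(text, pos):
    """Parse one "(" filtercomp ")" starting at pos; return (next_pos, node)."""
    if pos >= len(text) or text[pos] != '(':
        raise FilterError("filter must begin with '(' (offset %d)" % pos)
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in ('&', '|'):
        pos += 1
        children = []
        while pos < len(text) and text[pos] == '(':
            pos, child = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterError("'%s' must contain at least one filter" % op)
        node = (op, children)
    elif op == '!':
        pos, child = _parse(text, pos + 1)
        node = ('!', [child])
    else:
        m = _ITEM.match(text, pos)
        if not m:
            raise FilterError("bad attribute=value item at offset %d" % pos)
        pos = m.end()
        node = (m.group(2), m.group(1), m.group(3))
    if pos >= len(text) or text[pos] != ')':
        raise FilterError("expected ')' at offset %d" % pos)
    return pos + 1, node

def parse_filter(text):
    """Parse a complete filter into nested tuples, or raise FilterError."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise FilterError("unexpected text after the filter: %r" % text[pos:])
    return node

def filter_problem(text):
    """None if text is a valid filter, otherwise the reason it is not."""
    try:
        parse_filter(text)
    except FilterError as e:
        return str(e)
    return None

def check_nss_base(value):
    """Split an nss_base_<map> value 'base?scope?filter' and check the filter.
    Returns (base, scope, problem); problem is None when the value parses."""
    parts = value.split('?')
    if len(parts) > 3:
        return parts[0], None, "too many '?' separators"
    base = parts[0]
    scope = parts[1] if len(parts) > 1 else ''
    if scope and scope not in ('base', 'one', 'sub'):
        return base, scope, "scope must be base, one or sub"
    flt = parts[2] if len(parts) > 2 else ''
    return base, scope, (filter_problem(flt) if flt else None)

def compose_group_lookup(key_attr, key_value, extra=None):
    """Rebuild the group-map filter as it appears in the thread's access-log
    lines: nss_ldap's own (&(objectClass=posixGroup)(KEY=VALUE)) with the
    configured filter added as one more AND term, wrapped in parentheses.
    That wrapping is inferred from the two logged filters (an assumption)."""
    own = "(&(objectClass=posixGroup)(%s=%s)" % (key_attr, key_value)
    if extra:
        own += "(%s)" % extra
    return own + ")"

def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> values).
    Equality and presence are all this thread needs."""
    if node[0] == '&':
        return all(matches(c, entry) for c in node[1])
    if node[0] == '|':
        return any(matches(c, entry) for c in node[1])
    if node[0] == '!':
        return not matches(node[1][0], entry)
    op, attr, value = node
    if op != '=':
        raise FilterError("only '=' items are evaluated here")
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == '*' else value.lower() in values

# Constructed sample entries: a posixGroup and a posixAccount that carries no
# posixGroup objectclass (the User Private Group layout under discussion).
DIRECTORY = [
    {"dn": "cn=staff,ou=groups,dc=example,dc=com",
     "objectclass": ["top", "posixGroup"], "cn": ["staff"],
     "gidnumber": ["500"], "memberuid": ["jdoe"]},
    {"dn": "uid=jdoe,ou=users,dc=example,dc=com",
     "objectclass": ["top", "person", "posixAccount"], "uid": ["jdoe"],
     "cn": ["jdoe"], "gidnumber": ["103000"]},
]

def group_lookup(key_attr, key_value, extra=None):
    """DNs the modelled group query would return from DIRECTORY."""
    tree = parse_filter(compose_group_lookup(key_attr, key_value, extra))
    return [e["dn"] for e in DIRECTORY if matches(tree, e)]
```

Running check_nss_base() over John's six lines returns a problem string for every one except `?sub?(objectClass=posixAccount)`, which is the same verdict Rich gives above. Under the wrapping modelled in compose_group_lookup(), that one syntactically clean value would reach the server as `((objectClass=posixAccount))`, which the parser also rejects; the page's log lines do not show that case, so treat it as a hypothesis rather than a statement about nss_ldap. The group_lookup() calls show the semantic half: looking up cn=jdoe with George's OR filter still returns nothing, because the outer `(objectClass=posixGroup)` term is ANDed in front of it.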
From jsullivan at opensourcedevel.com Fri Nov 21 18:38:46 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Fri, 21 Nov 2008 13:38:46 -0500
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <4926DD68.2080901@redhat.com>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net> <49246646.6010800@broadcom.com> <1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net> <49247556.5040609@broadcom.com> <1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net> <20081120083859.GB25474@flea.lifesci.dundee.ac.uk> <492597F8.1040708@broadcom.com> <1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net> <4926DD68.2080901@redhat.com>
Message-ID: <1227292726.6415.11.camel@jaspav.missionsit.net.missionsit.net>

On Fri, 2008-11-21 at 09:10 -0700, Rich Megginson wrote: > John A. Sullivan III wrote: > > On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote: > > > >> Jonathan Barber wrote: > >> > >>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote: > >>> > >>> > >>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote: > >>>> > >>>> > >>>>> John A. Sullivan III wrote: > >>>>> > >>>>> > >>>>>>> John A. Sullivan III wrote: > >>>>>>> > >>>>>>> > >>> [snip] > >>> > >>> > >>> > >>>> > >>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but > >>>> also to Linux based file servers. I've been in a management role for > >>>> the last decade and before then was doing NDS and NetWare for > >>>> directory/file. > >>>> > >>>> We were planning to use a umask of 007 for standard users and set the > >>>> sgid bit for shared folders. That's where we thought it would be > >>>> helpful to have a group associated with each user. In fact, it finally > >>>> made the default setup of creating a group for each user make sense as I > >>>> always wondered why that was done.
I suppose we'll also need to > >>>> activate file system acls for more complex setups as when multiple > >>>> groups need varying access to a shared file system directory. > >>>> > >>>> > >>> This arrangement is known (at least by Redhat) as User Private Groups > >>> (UPG): > >>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html > >>> > >>> The primary reason for doing it is that group access to files is managed > >>> via secondary group membership, not primary group membership > >>> > >>> If each of your users has their own group, then adding a posixGroup > >>> objectclass to each user makes perfect sense. You may also want to place > >>> an uniqueness constraint on the gidNumber attribute as well: > >>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in > >>> > >>> WRT to linux, the only gotcha I can think of is that you'll have to set > >>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's > >>> the common parent to both your users and groups - otherwise it'll never > >>> find the UPG's. > >>> > >>> > >>> > >> Another way would be to omit the addition of the posixGroup on your > >> account objects, and just modify the filter on nss_base_group to include > >> posixAccounts. > >> e.g.: > >> nss_base_group > >> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount)) > >> > >> posixAccount already includes the gidNumber and cn attributes, which is > >> all you're really after here... unless you want to start adding > >> memberUid attributes to your account objects (which doesn't make any > >> obvious sense). > >> > >> You will almost certainly have to modify your nss_base_group setting in > >> either case, as Jonathan suggested. > >> > >> > > > > Alas, I'm not sure this is going to work as expected but it could be my > > ignorance. 
I've read the man page and whatever documentation I could > > find. It appears it does an & operation with the additional filter > > whereas I need an |. > > > > I gather the default is: > > &(objectClass=posixgroup)(cn=group_name) > > > > I think I need it to be: > > |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > > > If it does an &, I think I get: > > &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name))) > > > > Nevertheless, I tried all of the following without success: > > > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount) > > > Invalid filter - the "|" character does not belong there. > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name)) > > this broke the posixgroup filter, too! > > > Also invalid - "|" character > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name) > > this broke the posixgroup filter, too! > > > Invalid filter - a filter must begin with ( and end with ) - so > (&(objectClass=posixAccount)(uid=group_name)) > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name) > > this broke the posixgroup filter, too! > > > Invalid filter - (&(objectClass=posixAccount)(uid=group_name)) > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount) > > this broke the posixgroup filter, too! > > > Not sure what's wrong with this one - looks ok > > nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount) > > > Invalid filter - should just be (objectClass=posixAccount) > > I did flush the nscd group database between each try. What am I doing > > wrong? 
Thanks - John
> > 
> It looks as though nss_base_group uses LDAP URL syntax - see
> http://www.ietf.org/rfc/rfc2255.txt for more information about LDAP
> URLs, and http://www.ietf.org/rfc/rfc2254.txt for information about LDAP
> filters

Thanks very much. The reason I did not have the initial and ending () is it appears nss puts them there itself when it does the &. At least, that's the way it looked in the access log. How does one pass the values to the ldap query, i.e., what the sought cn or gidnumber is? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From ryan.manikowski at 2ergo.com Fri Nov 21 18:53:16 2008
From: ryan.manikowski at 2ergo.com (Ryan Manikowski)
Date: Fri, 21 Nov 2008 13:53:16 -0500
Subject: [Fedora-directory-users] Question about upgrading
Message-ID: <4927039C.1060404@2ergo.com>

Long time fedora-ds user here with a few questions about upgrading and hoping knowledgeable folks can provide some feedback.

I am currently running Fedora DS on Centos 4.7 and Centos 5 servers. All servers run v1.0.1.

1) Can the Centos 4 machines running v1.0.1 upgrade to the latest v1.1.3 without any problems?
2) Is v1.1.3 even supported on Centos 4? Are there rpm's for it?
3) When upgrading Fedora DS versions, must they all be upgraded simultaneously?
4) Say one server is running v1.0.1 and another server is running 1.1.3, can data be replicated from a v1.0.1 server to a v1.1.3 server? How about vice versa?

3 of our 4 Fedora DS servers can be upgraded to run Centos 5 w/ Fedora DS v1.1.3 but we'd like to keep one server running Centos 4.7 for the time being due to legacy software requirements.

-- 
Ryan Manikowski
System Administrator
2ergo Americas Inc.
:703.677.8499:
www.2ergo.com
Arlington, Virginia

This message (including attachments) is confidential and may be legally privileged.
The content and views expressed are those of the sender and not necessarily the 2ergo Group. If you are not the intended recipient, you must not disclose, copy or use any part of it. Please delete all copies immediately and notify the sender. 2ergo Americas Inc. was formerly known as Proteus Inc.

From rmeggins at redhat.com Fri Nov 21 20:44:40 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 21 Nov 2008 13:44:40 -0700
Subject: [Fedora-directory-users] Question about upgrading
In-Reply-To: <4927039C.1060404@2ergo.com>
References: <4927039C.1060404@2ergo.com>
Message-ID: <49271DB8.9040600@redhat.com>

Ryan Manikowski wrote:
> Long time fedora-ds user here with a few questions about upgrading and
> hoping knowledgeable folks can provide some feedback.
> 
> I am currently running Fedora DS on Centos 4.7 and Centos 5 servers. All
> servers run v1.0.1.
> 
> 1) Can the Centos 4 machines running v1.0.1 upgrade to the latest v1.1.3
> without any problems?
> 
Yes, but you'll have to build it yourself - we do not have pre-built binaries for el4

> 2) Is v1.1.3 even supported on Centos 4? Are there rpm's for it?
> 
There are no rpms for el4 - you'll have to build it yourself.

> 3) When upgrading Fedora DS versions, must they all be upgraded
> simultaneously?
> 
No. One at a time is fine. Replication should just work regardless of the version.

> 4) Say one server is running v1.0.1 and another server is running 1.1.3,
> can data be replicated from a v1.0.1 server to a v1.1.3 server? How
> about vice versa?
> 
Yes, no problems.

> 3 of our 4 Fedora DS servers can be upgraded to run Centos 5 w/ Fedora
> DS v1.1.3 but we'd like to keep one server running Centos 4.7 for the
> time being due to legacy software requirements

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From rmeggins at redhat.com Fri Nov 21 20:45:35 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 21 Nov 2008 13:45:35 -0700
Subject: [Fedora-directory-users] posixgroup name lookups
In-Reply-To: <1227292726.6415.11.camel@jaspav.missionsit.net.missionsit.net>
References: <1227113736.6420.43.camel@jaspav.missionsit.net.missionsit.net>
	<49246646.6010800@broadcom.com>
	<1227124677.6420.55.camel@jaspav.missionsit.net.missionsit.net>
	<49247556.5040609@broadcom.com>
	<1227126748.6420.61.camel@jaspav.missionsit.net.missionsit.net>
	<20081120083859.GB25474@flea.lifesci.dundee.ac.uk>
	<492597F8.1040708@broadcom.com>
	<1227219898.6411.31.camel@jaspav.missionsit.net.missionsit.net>
	<4926DD68.2080901@redhat.com>
	<1227292726.6415.11.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49271DEF.7090600@redhat.com>

John A. Sullivan III wrote:
> On Fri, 2008-11-21 at 09:10 -0700, Rich Megginson wrote:
>
>> John A. Sullivan III wrote:
>>
>>> On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
>>>
>>>> Jonathan Barber wrote:
>>>>
>>>>> On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
>>>>>
>>>>>> On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
>>>>>>
>>>>>>> John A. Sullivan III wrote:
>>>>>>>
>>>>>>>>> John A. Sullivan III wrote:
>>>>>>>>>
>>>>> [snip]
>>>>>
>>>>>> Thanks for the very thoughtful answer. I'm not only new to LDAP but
>>>>>> also to Linux based file servers. I've been in a management role for
>>>>>> the last decade and before then was doing NDS and NetWare for
>>>>>> directory/file.
>>>>>>
>>>>>> We were planning to use a umask of 007 for standard users and set the
>>>>>> sgid bit for shared folders. That's where we thought it would be
>>>>>> helpful to have a group associated with each user. In fact, it finally
>>>>>> made the default setup of creating a group for each user make sense as I
>>>>>> always wondered why that was done. I suppose we'll also need to
>>>>>> activate file system acls for more complex setups as when multiple
>>>>>> groups need varying access to a shared file system directory.
>>>>>>
>>>>> This arrangement is known (at least by Redhat) as User Private Groups
>>>>> (UPG):
>>>>> http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html
>>>>>
>>>>> The primary reason for doing it is that group access to files is managed
>>>>> via secondary group membership, not primary group membership
>>>>>
>>>>> If each of your users has their own group, then adding a posixGroup
>>>>> objectclass to each user makes perfect sense. You may also want to place
>>>>> an uniqueness constraint on the gidNumber attribute as well:
>>>>> http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in
>>>>>
>>>>> WRT to linux, the only gotcha I can think of is that you'll have to set
>>>>> the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
>>>>> the common parent to both your users and groups - otherwise it'll never
>>>>> find the UPG's.
>>>>>
>>>> Another way would be to omit the addition of the posixGroup on your
>>>> account objects, and just modify the filter on nss_base_group to include
>>>> posixAccounts.
>>>> e.g.:
>>>> nss_base_group
>>>> dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))
>>>>
>>>> posixAccount already includes the gidNumber and cn attributes, which is
>>>> all you're really after here... unless you want to start adding
>>>> memberUid attributes to your account objects (which doesn't make any
>>>> obvious sense).
>>>>
>>>> You will almost certainly have to modify your nss_base_group setting in
>>>> either case, as Jonathan suggested.
>>>>
>>>
>>> Alas, I'm not sure this is going to work as expected but it could be my
>>> ignorance. I've read the man page and whatever documentation I could
>>> find. It appears it does an & operation with the additional filter
>>> whereas I need an |.
>>>
>>> I gather the default is:
>>> &(objectClass=posixgroup)(cn=group_name)
>>>
>>> I think I need it to be:
>>> |((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
>>>
>>> If it does an &, I think I get:
>>> &((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))
>>>
>>> Nevertheless, I tried all of the following without success:
>>>
>>> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount)
>>>
>> Invalid filter - the "|" character does not belong there.
>>
>>> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(&(objectClass=posixAccount)(uid=group_name))
>>> this broke the posixgroup filter, too!
>>>
>> Also invalid - "|" character
>>
>>> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)(uid=group_name)
>>> this broke the posixgroup filter, too!
>>>
>> Invalid filter - a filter must begin with ( and end with ) - so
>> (&(objectClass=posixAccount)(uid=group_name))
>>
>>> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
>>> this broke the posixgroup filter, too!
>>>
>> Invalid filter - (&(objectClass=posixAccount)(uid=group_name))
>>
>>> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)
>>> this broke the posixgroup filter, too!
>>>
>> Not sure what's wrong with this one - looks ok
>>
>>> nss_base_group dc=X,dc=com,dc=ssiservices,dc=biz?sub?&(objectClass=posixAccount)
>>>
>> Invalid filter - should just be (objectClass=posixAccount)
>>
>>> I did flush the nscd group database between each try. What am I doing
>>> wrong? Thanks - John
>>>
>> It looks as though nss_base_group uses LDAP URL syntax - see
>> http://www.ietf.org/rfc/rfc2255.txt for more information about LDAP
>> URLs, and http://www.ietf.org/rfc/rfc2254.txt for information about LDAP
>> filters
>>
>
> Thanks very much. The reason I did not have the initial and ending ()
> is it appears nss puts them there itself when it does the &. At least,
> that's the way it looked in the access log.
>
Hmm - dunno
> How does one pass the values to the ldap query, i.e., what the sought cn
> or gidnumber is? - John
>
I suppose getent/nss_ldap does that automatically - check the access log on the directory server.

From cw-news at gmx.de Fri Nov 21 21:53:03 2008
From: cw-news at gmx.de (Carsten Witt)
Date: Fri, 21 Nov 2008 22:53:03 +0100
Subject: [Fedora-directory-users] LDAP authentication against SAMBA?
Message-ID: <20081121215303.217880@gmx.net>

Hi Fedora Directory User Group,

I am Carsten from Cologne, Germany. I am searching for a solution where I can import all my ActiveDirectory users to LDAP. If one of these "imported" users tries to authenticate via LDAP, this request should be done against the real AD password. I don't want to install something on the ActiveDirectory! -> No PassSync!

I found a lot of solutions where samba is able to authenticate against LDAP. Is there a possibility that LDAP authenticates against SAMBA -> ActiveDirectory?

I found the PassThrough PAM Plugin, would it be possible to combine that with SAMBA PAM?

Thanks for any input.
Best regards
carsten

From Dharmin.Mandalia at TangaNet.Net Mon Nov 24 03:04:06 2008
From: Dharmin.Mandalia at TangaNet.Net (Dharmin Mandalia)
Date: Mon, 24 Nov 2008 03:04:06 +0000
Subject: [Fedora-directory-users] userPassword
Message-ID: <492A19A6.9020900@TangaNet.Net>

Hi

I used the script below to assign a password (123.com) to the user test1 account, which has no password assigned, and it does assign the password; when I try to login as user test1 with password 123.com, I am unable to login. I assigned passwords to a few test accounts using the script below and have the same issue: unable to login.

# ./script test1 123.com
######### START ######################################
#!/bin/ksh -x
uid=$1 ; password=$2
PASSWD=`slappasswd -v -h {SSHA} -s "$password"`

ldapmodify -x -D "cn=Directory Manager" -w `cat /tmp/p` << ALLDONE
dn: uid=$uid,ou=People, dc=trust, dc=co, dc=uk
changetype: modify
add: userpassword
userpassword: "$PASSWD"
ALLDONE
######### END ####################

When I export the database I do see the userPassword entry as:
userPassword: {SSHA}Q7B+QFu2iRXxH8Ys8bfW/i3O0HrjSKfwbZHn4A==

In the script I also tried PASSWD=123.com, still the same, unable to login.

Any help as to why the above script assigns the password but I am unable to login, and what should I do so I am able to login?
Thanks

Regards
Dharmin

From rmeggins at redhat.com Mon Nov 24 15:27:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 24 Nov 2008 08:27:29 -0700
Subject: [Fedora-directory-users] userPassword
In-Reply-To: <492A19A6.9020900@TangaNet.Net>
References: <492A19A6.9020900@TangaNet.Net>
Message-ID: <492AC7E1.9010700@redhat.com>

Dharmin Mandalia wrote:
> Hi
>
> I used below script to assign password(123.com) to user test1 account
> which has no password assigned and it does assign the password, when
> try to login as user test1 with password 123.com, am unable to login.
> Assigned passwords to few test accounts using below script and same
> issue unable to login.
> # ./script test1 123.com
> ######### START ######################################
> #!/bin/ksh -x
> uid=$1 ; password=$2
> PASSWD=`slappasswd -v -h {SSHA} -s "$password"`
>
> ldapmodify -x -D "cn=Directory Manager" -w `cat /tmp/p` <<
> ALLDONE
> dn: uid=$uid,ou=People, dc=trust, dc=co, dc=uk
> changetype: modify
> add: userpassword
> userpassword: "$PASSWD"
> ALLDONE
> ######### END ####################
>
> When I export the database do see the userPassword entry as :-
> userPassword: {SSHA}Q7B+QFu2iRXxH8Ys8bfW/i3O0HrjSKfwbZHn4A==
Have you tried it without the quotes in the here document? I think the quotes may be interpreted literally in here documents. e.g.
userpassword: $PASSWD
>
> In the script I also tried PASSWD=123.com , still the same , unable to
> login.
>
> Any helpers to why above script assigns the password but unable to
> login and what should I do so am able to login.
>
> Thanks
>
> Regards
> Dharmin
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
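The here-document quoting Rich points at, worked through as an added example (not code from the thread or from the directory server): it builds a {SSHA} value the way slappasswd does, renders the LDIF the ksh here-document actually produces with and without the quotes, and runs both through a deliberately simplified model of how the server stores and later checks userPassword. The DN suffix dc=example,dc=com, the fixed salt, and the assumption that the server re-hashes an unrecognised value as clear text are constructed for the example, not facts from the thread.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

DIGEST_LEN = 20  # SHA-1 output length in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(SHA1(password || salt) || salt).

    slappasswd -h {SSHA} emits a value of this shape. The salt is random
    unless one is passed in for a reproducible run."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str) -> Tuple[Optional[str], str]:
    """Return (scheme, payload) for a stored userPassword value.

    The scheme tag must be the very first thing in the value, so a value
    such as '"{SSHA}...' (leading double quote) has no scheme at all."""
    if stored.startswith("{"):
        close = stored.find("}")
        if close > 1:
            return stored[1:close].upper(), stored[close + 1:]
    return None, stored


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value."""
    scheme, payload = split_scheme(stored)
    if scheme != "SSHA":
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) <= DIGEST_LEN:
        return False  # no salt present: not a well-formed SSHA value
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def render_modify_ldif(uid: str, hashed: str, quoted: bool) -> str:
    """Reproduce what the posted ksh here-document expands to.

    The delimiter ALLDONE is unquoted, so $PASSWD is expanded, but double
    quotes inside a here-document are ordinary characters: with quoted=True
    the attribute line becomes   userpassword: "{SSHA}..."   and the quotes
    travel into the directory as part of the value."""
    value = f'"{hashed}"' if quoted else hashed
    return (
        f"dn: uid={uid},ou=People,dc=example,dc=com\n"  # constructed suffix
        "changetype: modify\n"
        "add: userpassword\n"
        f"userpassword: {value}\n"
    )


def attribute_value(ldif: str, attr: str) -> str:
    """Pull one attribute value out of an LDIF fragment (name is case-insensitive)."""
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            return value.strip()
    raise ValueError(f"{attr} not present in LDIF")


def server_store(value: str) -> str:
    """Simplified model (an assumption of this example) of what the server
    writes for userPassword: a value carrying a known scheme tag is kept as
    is, anything else is treated as clear text and hashed with the default
    scheme. The quoted value therefore ends up as {SSHA}<hash of the quoted
    string>, which matches an export that shows a {SSHA} value that never
    verifies against the intended password."""
    scheme, _ = split_scheme(value)
    if scheme == "SSHA":
        return value
    return ssha_hash(value)


def bind_would_succeed(password: str, ldif: str) -> bool:
    """Apply the modify through the model, then simulate a simple bind."""
    stored = server_store(attribute_value(ldif, "userpassword"))
    return ssha_verify(password, stored)


if __name__ == "__main__":
    h = ssha_hash("123.com")
    for quoted in (True, False):
        ldif = render_modify_ldif("test1", h, quoted)
        print(attribute_value(ldif, "userpassword"),
              "-> bind ok" if bind_would_succeed("123.com", ldif) else "-> bind fails")
```

The posted command also hands the Directory Manager password to ldapmodify as -w `cat /tmp/p`, which exposes it on the process command line; OpenLDAP's ldapmodify -y <file> reads it from a file instead, and that file belongs in a directory with restrictive permissions rather than /tmp.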
From forn at ngs.ru Sun Nov 23 08:29:07 2008
From: forn at ngs.ru (forn)
Date: Sun, 23 Nov 2008 14:29:07 +0600
Subject: [Fedora-directory-users] FDS silent setup: Could not find user "admin" in the server 'ldap://ldap.testdomain.local:389/o=NetscapeRoot. Error: No such object
Message-ID: <49291453.9070107@ngs.ru>

Hello. I'm trying to automate FDS installation. I provide the .inf file with the required parameters to the setup-ds-admin.pl script, in particular ConfigDirectoryAdminID=admin. Directory server installs fine, but admin server fails with the "Could not find user "admin" in the server 'ldap://ldap.testdomain.local:389/o=NetscapeRoot. Error: No such object" error. Looking in the slapd log, there is no such object, indeed. It is just not getting created. If I use the setup-ds-admin script manually, all is ok. I also tried to provide ConfigDirectoryAdminID from the command line (found this method somewhere in CentOS mailing lists). "setup-ds-admin.pl -s -f fds.inf General.ConfigDirectoryAdminID=admin" results in the very same error. The system is Fedora 9 i386 and FDS version is 1.1.3, if it is of any interest.

I'd be grateful for any assistance.

From rmeggins at redhat.com Mon Nov 24 17:47:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 24 Nov 2008 10:47:31 -0700
Subject: [Fedora-directory-users] FDS silent setup: Could not find user "admin" in the server 'ldap://ldap.testdomain.local:389/o=NetscapeRoot. Error: No such object
In-Reply-To: <49291453.9070107@ngs.ru>
References: <49291453.9070107@ngs.ru>
Message-ID: <492AE8B3.2010106@redhat.com>

forn wrote:
> Hello. I'm trying to automate FDS installation. I provide the .inf
> file with required parameters to setup-ds-admin.pl script. In
> particular, ConfigDirectoryAdminID=admin.
> Directory server installs
> fine, but admin server fails with "Could not find user "admin" in the
> server 'ldap://ldap.testdomain.local:389/o=NetscapeRoot. Error: No
> such object" error. Looking in slapd log, there is no such object,
> indeed. It just not getting created. If I use setup-ds-admin script
> manually, all is ok. I also tried to provide ConfigDirectoryAdminID
> from command line (found this method somewhere in CentOS mailing
> lists). "setup-ds-admin.pl -s -f fds.inf
> General.ConfigDirectoryAdminID=admin" results in the very same error.
> The system is Fedora 9 i386 and FDS version is 1.1.3, if it is of any
> interest.
Can you post your fds.inf file? Be sure to first obscure any sensitive information.

Also, you can use setup-ds-admin.pl -k to create a .inf file for you. The file is created in /tmp
> I'd be grateful for any assistance.
>

From Dharmin.Mandalia at TangaNet.Net Mon Nov 24 22:53:58 2008
From: Dharmin.Mandalia at TangaNet.Net (Dharmin Mandalia)
Date: Mon, 24 Nov 2008 22:53:58 +0000
Subject: [Fedora-directory-users] RE: userPassword
In-Reply-To: <20081124170007.021E1619942@hormel.redhat.com>
References: <20081124170007.021E1619942@hormel.redhat.com>
Message-ID: <492B3086.9000702@TangaNet.Net>

Hello Rich Megginson

Thanks... without "" I am able to login.

Regards
Dharmin

Re: [Fedora-directory-users] userPassword
Rich Megginson
Mon, 24 Nov 2008 07:26:56 -0800

Dharmin Mandalia wrote:
>> Hi
>>
>> I used below script to assign password(123.com) to user test1 account
>> which has no password assigned and it does assign the password, when
>> try to login as user test1 with password 123.com, am unable to login.
>> Assigned passwords to few test accounts using below script and same
>> issue unable to login.
>> # ./script test1 123.com
>> ######### START ######################################
>> #!/bin/ksh -x
>> uid=$1 ; password=$2
>> PASSWD=`slappasswd -v -h {SSHA} -s "$password"`
>>
>> ldapmodify -x -D "cn=Directory Manager" -w `cat /tmp/p` <<
>> ALLDONE
>> dn: uid=$uid,ou=People, dc=trust, dc=co, dc=uk
>> changetype: modify
>> add: userpassword
>> userpassword: "$PASSWD"
>> ALLDONE
>> ######### END ####################
>>
>> When I export the database do see the userPassword entry as :-
>> userPassword: {SSHA}Q7B+QFu2iRXxH8Ys8bfW/i3O0HrjSKfwbZHn4A==
>>
> Have you tried it without the quotes in the here document? I think the
> quotes may be interpreted literally in here documents. e.g.
> userpassword: $PASSWD
>
>> In the script I also tried PASSWD=123.com , still the same , unable to
>> login.
>>
>> Any helpers to why above script assigns the password but unable to
>> login and what should I do so am able to login.
>>
>> Thanks
>>
>> Regards
>> Dharmin
>>

From bbahar3 at gmail.com Tue Nov 25 08:27:01 2008
From: bbahar3 at gmail.com (Eric)
Date: Tue, 25 Nov 2008 11:57:01 +0330
Subject: [Fedora-directory-users] error in yum fedora-ds
Message-ID: <38a27c8c0811250027v39796890rcbb1aa95960d9c3d@mail.gmail.com>

Hi
I tried yum install fedora-ds. All parts installed but at the last:

warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 1ac70ce6
Importing GPG key 0x1AC70CE6 "Fedora Project <fedora-extras at fedoraproject.org>"
Is this ok [y/N]: y
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID a7b02652
Public key for fedora-ds-1.1.2-1.fc6.i386.rpm is not installed

How can I install it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From kenneho.ndu at gmail.com Tue Nov 25 09:31:11 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Tue, 25 Nov 2008 10:31:11 +0100
Subject: [Fedora-directory-users] Re: Windows sync: how do you populate the posixUser attributes?
In-Reply-To: <492422B0.6020203@redhat.com>
References: <6cddb0580811050406o3d19874du137ea66161b471f2@mail.gmail.com>
	<4911AC96.9060808@redhat.com>
	<664c5a070811061154k1ef54933r53e02f0740ac2b84@mail.gmail.com>
	<49134CE3.2020707@redhat.com> <49145EFA.9050501@redhat.com>
	<491859A9.3080509@redhat.com> <492422B0.6020203@redhat.com>
Message-ID: 

Hi.

I may be missing something here, but why not simply search the RHDS for new entries (i.e. entries which don't have the posix attributes set) instead of polling AD? The entries found after such a search are simply given the required posix (and maybe other) attributes, and then the users are good to go.

Kenneth

On 11/19/08, Rich Megginson wrote:
>
> That might work. There is some documentation about how to poll Active
> Directory for changes to entries:
> http://msdn.microsoft.com/en-us/library/ms677626(VS.85).aspx
> and
> http://support.microsoft.com/kb/891995
>
> I have a python-ldap script that implements support for the DirSync control
> - http://github.com/richm/scripts/tree/master/dirsyncctrl.py

From rmeggins at redhat.com Tue Nov 25 15:38:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 25 Nov 2008 08:38:00 -0700
Subject: [Fedora-directory-users] error in yum fedora-ds
In-Reply-To: <38a27c8c0811250027v39796890rcbb1aa95960d9c3d@mail.gmail.com>
References: <38a27c8c0811250027v39796890rcbb1aa95960d9c3d@mail.gmail.com>
Message-ID: <492C1BD8.5010304@redhat.com>

Eric wrote:
> Hi
> I tried yum install fedora-ds.
> all parts installed but at the last:
>
> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
> 1ac70ce6
> Importing GPG key 0x1AC70CE6 "Fedora Project
> >"
> Is this ok [y/N]: y
> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
> a7b02652
> Public key for fedora-ds-1.1.2-1.fc6.i386.rpm is not installed
>
> how can I install it?
Are you running Fedora Core 6, or EL5? Note that Fedora Core 6 is no longer supported - the fc6 binary rpms are provided primarily for el5 platforms.

See http://directory.fedoraproject.org/wiki/Download - see especially "Enterprise Linux 5" - the directions there are also applicable to Fedora Core 6

From cwaltham at bowdoin.edu Tue Nov 25 16:23:15 2008
From: cwaltham at bowdoin.edu (Christopher Waltham)
Date: Tue, 25 Nov 2008 11:23:15 -0500
Subject: [Fedora-directory-users] error in yum fedora-ds
In-Reply-To: <492C1BD8.5010304@redhat.com>
References: <38a27c8c0811250027v39796890rcbb1aa95960d9c3d@mail.gmail.com>
	<492C1BD8.5010304@redhat.com>
Message-ID: 

On Nov 25, 2008, at 10:38 AM, Rich Megginson wrote:
> Eric wrote:
>> Hi
>> I tried yum install fedora-ds. all parts installed but at the last:
>>
>> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
>> 1ac70ce6
>> Importing GPG key 0x1AC70CE6 "Fedora Project
>> >"
>> Is this ok [y/N]: y
>> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
>> a7b02652
>> Public key for fedora-ds-1.1.2-1.fc6.i386.rpm is not installed
>>
>> how can I install it?
> Are you running Fedora Core 6, or EL5?
> Note that Fedora Core 6 is
> no longer supported - the fc6 binary rpms are provided primarily for
> el5 platforms.
>
> See http://directory.fedoraproject.org/wiki/Download - see
> especially "Enterprise Linux 5" - the directions there are also
> applicable to Fedora Core 6

Those directions specify these two commands:

rpm --import http://download.fedoraproject.org/pub/fedora/linux/core/6/i386/os/RPM-GPG-KEY-fedora
rpm --import http://download.fedoraproject.org/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras

When following the first link, it directs me here: http://mirrors.rit.edu/fedora/linux/core/6/i386/os/RPM-GPG-KEY-fedora but gives me a HTTP/403 Forbidden.

Chris

From rmeggins at redhat.com Tue Nov 25 16:37:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 25 Nov 2008 09:37:03 -0700
Subject: [Fedora-directory-users] error in yum fedora-ds
In-Reply-To: 
References: <38a27c8c0811250027v39796890rcbb1aa95960d9c3d@mail.gmail.com>
	<492C1BD8.5010304@redhat.com>
Message-ID: <492C29AF.6030000@redhat.com>

Christopher Waltham wrote:
> On Nov 25, 2008, at 10:38 AM, Rich Megginson wrote:
>
>> Eric wrote:
>>> Hi
>>> I tried yum install fedora-ds.
>>> all parts installed but at the last:
>>>
>>> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
>>> 1ac70ce6
>>> Importing GPG key 0x1AC70CE6 "Fedora Project
>>> >> >"
>>> Is this ok [y/N]: y
>>> warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID
>>> a7b02652
>>> Public key for fedora-ds-1.1.2-1.fc6.i386.rpm is not installed
>>>
>>> how can I install it?
>> Are you running Fedora Core 6, or EL5? Note that Fedora Core 6 is no
>> longer supported - the fc6 binary rpms are provided primarily for el5
>> platforms.
>>
>> See http://directory.fedoraproject.org/wiki/Download - see especially
>> "Enterprise Linux 5" - the directions there are also applicable to
>> Fedora Core 6
>
> Those directions specify these two commands:
>
> rpm --import http://download.fedoraproject.org/pub/fedora/linux/core/6/i386/os/RPM-GPG-KEY-fedora
> rpm --import http://download.fedoraproject.org/pub/fedora/linux/extras/RPM-GPG-KEY-Fedora-Extras
>
> When following the first link, it directs me
> here: http://mirrors.rit.edu/fedora/linux/core/6/i386/os/RPM-GPG-KEY-fedora
> but gives me a HTTP/403 Forbidden.
Ok. I guess they finally shut those off. Try the keys from the archive:
http://archives.fedoraproject.org/pub/archive/fedora/linux/core/6/i386/os/
>
> Chris
>
From sg4all at gmail.com Tue Nov 25 18:22:36 2008
From: sg4all at gmail.com (sg4all)
Date: Tue, 25 Nov 2008 19:22:36 +0100
Subject: [Fedora-directory-users] mod_nss OCSP failover to CRL
Message-ID: <8524b1f20811251022p5771045s634d108ec72d5133@mail.gmail.com>

Hi,

I'm trying to set up an apache webserver with mod_nss. When available, OCSP should be used to verify the validity of the certificate. When OCSP is unavailable, CRLs are used. I installed the CRLs, and configured everything. (My nss.conf is included in this message.)

When I comment out "NSSOCSP On": it validates the certificates using CRL correctly.
When "NSSOCSP on" is used, it validates the certificates using OCSP correctly.
However, when NSSOCSP is enabled, but I make the OCSP server unavailable (e.g. by putting an extra entry in /etc/hosts), a request takes a long time (I guess mod_nss tries a few times to get to the OCSP) and eventually fails.

Is what I want supported? If so, does anyone have a clue what I do wrong?

I tried this on CentOS5. I tried this configuration file on 2 versions of mod_nss. First using version 1.0.3-4.el5 which is installed using 'yum install mod_nss'. I also tried it on version 1.0.8 (which I built from source).

thanks!

My nss.conf file:

#
# This is the Apache server configuration file providing SSL support using
# the mod_nss plugin. It contains the configuration directives to instruct
# the server how to serve pages over an https connection.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule nss_module modules/libmodnss.so

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
NSSPassPhraseDialog  builtin

#   Pass Phrase Helper:
#   This helper program stores the token password pins between
#   restarts of Apache.
NSSPassPhraseHelper /usr/sbin/nss_pcache

#   Configure the SSL Session Cache.
#   NSSSessionCacheSize is the number of entries in the cache.
#   NSSSessionCacheTimeout is the SSL2 session timeout (in seconds).
#   NSSSession3CacheTimeout is the SSL3/TLS session timeout (in seconds).
NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400

#
#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the SSL library.
#   The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. Those platforms usually also provide a non-blocking
#   device, /dev/urandom, which may be used instead.
#
#   This does not support seeding the RNG with each connection.
NSSRandomSeed startup builtin
#NSSRandomSeed startup file:/dev/random  512
#NSSRandomSeed startup file:/dev/urandom 512

##
## SSL Virtual Host Context
##

#   General setup for the virtual host
#DocumentRoot "/etc/httpd/htdocs"
#ServerName www.example.com:443
#ServerAdmin you at example.com

#   Use separate log files for the SSL virtual host; note that LogLevel
#   is not inherited from httpd.conf.
#ErrorLog /etc/httpd/logs/nss_error_log
#TransferLog /etc/httpd/logs/nss_access_log
LogLevel debug

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
NSSEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_nss documentation for a complete list.

#   SSL 3 ciphers. SSL 2 is disabled by default.
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
#NSSCipherSuite -ALL:SSLv3+HIGH:-aNULL

#   SSL 3 ciphers + ECC ciphers. SSL 2 is disabled by default.
#
#   Comment out the NSSCipherSuite line above and use the one below if you have
#   ECC enabled NSS and mod_nss and want to use Elliptical Curve Cryptography
#NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha,-ecdh_ecdsa_null_sha,+ecdh_ecdsa_rc4_128_sha,+ecdh_ecdsa_3des_sha,+ecdh_ecdsa_aes_128_sha,+ecdh_ecdsa_aes_256_sha,-ecdhe_ecdsa_null_sha,+ecdhe_ecdsa_rc4_128_sha,+ecdhe_ecdsa_3des_sha,+ecdhe_ecdsa_aes_128_sha,+ecdhe_ecdsa_aes_256_sha,-ecdh_rsa_null_sha,+ecdh_rsa_128_sha,+ecdh_rsa_3des_sha,+ecdh_rsa_aes_128_sha,+ecdh_rsa_aes_256_sha,-echde_rsa_null,+ecdhe_rsa_rc4_128_sha,+ecdhe_rsa_3des_sha,+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha

#NSSProtocol SSLv3,TLSv1
NSSProtocol -ALL +SSLv3 +TLSv1

#   SSL Certificate Nickname:
#   The nickname of the RSA server certificate you are going to use.
NSSNickname Server-Cert

#   SSL Certificate Nickname:
#   The nickname of the ECC server certificate you are going to use, if you
#   have an ECC-enabled version of NSS and mod_nss
#NSSECCNickname Server-Cert-ecc

#   Server Certificate Database:
#   The NSS security database directory that holds the certificates and
#   keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
#   Provide the directory that these files exist.
NSSCertificateDatabase /etc/httpd/alias

#   Database Prefix:
#   In order to be able to store multiple NSS databases in one directory
#   they need unique names. This option sets the database prefix used for
#   cert8.db and key3.db.
#NSSDBPrefix my-prefix-

#   Client Authentication (Type):
#   Client certificate verification type. Types are none, optional and
#   require.
NSSVerifyClient require

#
#   Online Certificate Status Protocol (OCSP).
#   Verify that certificates have not been revoked before accepting them.
NSSOCSP On

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_nss documentation
#   for more details.
#
#NSSRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "NSSRequireSSL" or "NSSRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
# o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. NSSOptions +FakeBasicAuth +ExportCertData +StrictRequire ## # NSSOptions +StdEnvVars # # # NSSOptions +StdEnvVars # # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. #CustomLog /home/rcrit/redhat/apache/logs/ssl_request_log \ # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" NSSRequireSSL -------------- next part -------------- An HTML attachment was scrubbed... URL: From jsullivan at opensourcedevel.com Wed Nov 26 01:47:38 2008 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Tue, 25 Nov 2008 20:47:38 -0500 Subject: [Fedora-directory-users] Command line created posix user shows posix disabled in console Message-ID: <1227664058.8904.62.camel@jaspav.missionsit.net.missionsit.net> I've created a bash script to add ds entries for new clients as we bring them on board. It automatically creates their user accounts which include the posixaccount object class (as well as account (to allow the host attribute) and posixgroup (to allow gidnumber for personal groups)). They appear to be created fine. Users can login, change passwords, etc. However, when I view the user in the idm-console, the posix attributes are present but the enable checkbox is unchecked and the attributes are greyed out and uneditable. If I click the enable check box, the fields are enabled but when I attempt to save the change I get an error: Cannot save to directory server: netscape.ldap.LDAPException: error result(1): Operations error I would not doubt this is because it's trying to add a posixaccount value to objectclass when one already exists. In any event, if I enable posix and change an attribute, I get the same error. However, if I go to the advanced page instead, and change a posix attribute there, the change saves perfectly fine. 
Any idea what is happening and what I've done wrong? In case more information is needed, here are some of the gory details.

There are attribute uniqueness constraints. uidnumber and gidnumber are globally unique. uid and cn are unique within an ou within an o - fairly granular. I did try disabling the global constraints but to no avail.

By the way, those users with NT attributes show up fine with the NT User enabled check box checked.

Here is a typical LDIF entry:

dn: uid=userx,ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixaccount
objectclass: account
objectclass: posixgroup
uid: userx
cn: userx
userpassword: ea4cb9eedc
uidnumber: 2001
gidnumber: 2001
homedirectory: /data/users/userx
loginshell: /bin/sh
givenname: John A.
sn: Sullivan III
mail: userx at somecompany.biz
telephonenumber: +1 (207) 999-9999

I can't imagine it is significant but, just in case, here is the LDIF creation from the script:
The input syntax is:
uid|givenname|sn|emailuser(no domain)|phone|location|W|"|" delimited attribute=value pairs

UIDNUMBERS[$counter]=${CIDU}
PWS=$(echo ${CIDU}${FIRST} | md5sum)
PWS=${PWS:0:10}
echo -e "${FIRST} ${PWS}\n\n" >> ${CID}.temp
TEMPS="dn: uid=${FIRST},${USUFFIX}\n${ADDPERSON}uid: ${FIRST}\ncn: ${FIRST}\nuserpassword: ${PWS}\nuidnumber: ${CIDU}\ngidnumber: ${CIDU}\nhomedirectory: /data/users/${FIRST}\nloginshell: /bin/sh\n"
c=0
for var in ${REST}
do
    if [ -n "${var}" ]; then
        case ${c} in
            0)
                TEMPS="${TEMPS}givenname: ${var}\n";;
            1)
                TEMPS="${TEMPS}sn: ${var}\n";;
            2)
                TEMPS="${TEMPS}mail: ${var}${EDOMAIN}\n";;
            3)
                TEMPS="${TEMPS}telephonenumber: ${var}\n";;
            4)
                TEMPS="${TEMPS}physicaldeliveryofficename: ${var}\n";;
            5)
                TEMPS="${TEMPS}${ADDWIN}ntuserdomainid: ${FIRST}\nntusercreatenewaccount: true\nntuserdeleteaccount: true\n";;
            *)
                var=${var/=/: }
                TEMPS="${TEMPS}${var}\n";;
        esac
    fi
    ((c = c + 1))
done
TEMPS="${TEMPS}\n"
echo -e ${TEMPS} >> ${LDIF}
((counter = counter + 1))
((CIDU = CIDU + 1))

Here are some of the variable definitions:
BASE="dc=ssiservices,dc=biz"
NEWO="o=${CID},${BASE}"
SYSACCOUNTS="ou=SysAccounts,${NEWO}"
USUFFIX="ou=Users,ou=Internal,${NEWO}"
ADDS="changetype: add\n"
TOPS="${ADDS}objectclass: top\n"
ADDO="${TOPS}objectclass: organization\n"
ADDOU="${TOPS}objectclass: organizationalUnit\n"
ADDSYSPERSON="${TOPS}objectclass: person\nobjectclass: organizationalPerson\nobjectclass: inetOrgPerson\n"
ADDPERSON="${ADDSYSPERSON}objectclass: posixaccount\nobjectclass: account\nobjectclass: posixgroup\n"
ADDGROUP="${TOPS}objectclass: groupofuniquenames\nobjectclass: posixgroup\n"
ADDWIN="objectclass: ntuser\n"

What is going on? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From bbahar3 at gmail.com Wed Nov 26 10:47:18 2008
From: bbahar3 at gmail.com (Eric)
Date: Wed, 26 Nov 2008 14:17:18 +0330
Subject: [Fedora-directory-users] Re: error in yum fedora-ds
Message-ID: <38a27c8c0811260247y342fd674j6ea00e22b314f9bc@mail.gmail.com>

Yes, I use fc6. I got the key from rpm --import http://archives.fedoraproject.org/pub/archive/fedora/linux/core/6/i386/os/ and then I did: yum install fedora-ds, but there is the same problem!!
1- In the above link there are RPM-GPG-KEY-fedora and some other keys. Which one should I use? Only RPM-GPG-KEY-fedora?
2- In http://directory.fedoraproject.org/wiki/Download, in addition to the key problem, there are some problems for centos5. Should I do those too? For example: yum install svrcore mozldap perl-Mozilla-LDAP libicu
From bbahar3 at gmail.com Wed Nov 26 11:38:44 2008
From: bbahar3 at gmail.com (Eric)
Date: Wed, 26 Nov 2008 15:08:44 +0330
Subject: [Fedora-directory-users] Re: error in yum fedora-ds
In-Reply-To: <38a27c8c0811260247y342fd674j6ea00e22b314f9bc@mail.gmail.com>
References: <38a27c8c0811260247y342fd674j6ea00e22b314f9bc@mail.gmail.com>
Message-ID: <38a27c8c0811260338v10a03d5dl664e1e6f2a3e0779@mail.gmail.com>

I used: rpm --import 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652' and the problem was solved. I installed fedora-ds then used /usr/sbin/migrate-ds-admin.pl for migration from fedora ds-1.0.4. I stopped slapd-instance before this. It failed in start server:

/usr/sbin/migrate-ds-admin.pl General.ConfigDirectoryAdminPwd=mypassword
Beginning migration of Directory and Administration servers from /opt/fedora-ds . . .
Beginning migration of directory server instances in /opt/fedora-ds . . .
Your new DS instance 'slapd-ldap' was successfully created.
Server failed to start !!! Please check errors log for problems
Beginning migration of Administration server from /opt/fedora-ds . . .
Creating Admin Server files and directories . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
The admin server was successfully started.
Registering the directory server instances with the configuration directory server . . .
Directory and Administration servers migration is complete. Please check output and log files for details.
Exiting . . .

What is wrong? Now the slapd in /opt/fedora-ds doesn't work too!
From rmeggins at redhat.com Wed Nov 26 15:25:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 26 Nov 2008 08:25:31 -0700
Subject: [Fedora-directory-users] Re: error in yum fedora-ds
In-Reply-To: <38a27c8c0811260338v10a03d5dl664e1e6f2a3e0779@mail.gmail.com>
References: <38a27c8c0811260247y342fd674j6ea00e22b314f9bc@mail.gmail.com> <38a27c8c0811260338v10a03d5dl664e1e6f2a3e0779@mail.gmail.com>
Message-ID: <492D6A6B.2080802@redhat.com>

Eric wrote:
> I used: rpm --import
> 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'
>
> and the problem was solved. I installed fedora-ds then used
> /usr/sbin/migrate-ds-admin.pl for migration from fedora ds-1.0.4.
> I stopped slapd-instance before this. It failed in start server:
mkdir /var/run/dirsrv
make sure that directory is writable by your directory server user
>
> /usr/sbin/migrate-ds-admin.pl General.ConfigDirectoryAdminPwd=mypassword
> Beginning migration of Directory and Administration servers from
> /opt/fedora-ds . . .
> Beginning migration of directory server instances in /opt/fedora-ds . . .
> Your new DS instance 'slapd-ldap' was successfully created.
> Server failed to start !!! Please check errors log for problems
> Beginning migration of Administration server from /opt/fedora-ds . . .
> Creating Admin Server files and directories . . .
> Updating the configuration for the httpd engine . . .
> Starting admin server . . .
> The admin server was successfully started.
> Registering the directory server instances with the configuration
> directory server . . .
> Directory and Administration servers migration is complete. Please
> check output and log files for details.
> Exiting . . .
>
> What is wrong? Now the slapd in /opt/fedora-ds doesn't work too!
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Wed Nov 26 15:27:10 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 26 Nov 2008 08:27:10 -0700
Subject: [Fedora-directory-users] Command line created posix user shows posix disabled in console
In-Reply-To: <1227664058.8904.62.camel@jaspav.missionsit.net.missionsit.net>
References: <1227664058.8904.62.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <492D6ACE.7050102@redhat.com>

John A. Sullivan III wrote:
> I've created a bash script to add ds entries for new clients as we bring
> them on board. It automatically creates their user accounts which
> include the posixaccount object class (as well as account (to allow the
> host attribute) and posixgroup (to allow gidnumber for personal
> groups)).
>
> They appear to be created fine. Users can login, change passwords, etc.
> However, when I view the user in the idm-console, the posix attributes
> are present but the enable checkbox is unchecked and the attributes are
> greyed out and uneditable.
>
> If I click the enable check box, the fields are enabled but when I
> attempt to save the change I get an error:
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(1): Operations error
>
run the console like this
fedora-idm-console -D 9 -f console.log
the log should contain much more detailed information
you should also look at the directory server access log to see exactly what operation it is performing
> I would not doubt this is because it's trying to add a posixaccount
> value to objectclass when one already exists.
In any event, if I enable > posix and change an attribute, I get the same error. However, if I go > to the advanced page instead, and change a posix attribute there, the > change saves perfectly fine. > > Any idea what is happening and what I've done wrong? In case more > information is needed, here are some of the gory details. > > There are attribute uniqueness constraints. uidnumber and gidnumber are > globally unique. uid and cn are unique within an ou within an o - > fairly granular. I did try disabling the global constraints but to no > avail. > > By the way, those users with NT attributes show up fine with the NT User > enabled check box checked. > > Here is a typical LDIF entry: > > dn: uid=userx,ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz > changetype: add > objectclass: top > objectclass: person > objectclass: organizationalPerson > objectclass: inetOrgPerson > objectclass: posixaccount > objectclass: account > objectclass: posixgroup > uid: userx > cn: userx > userpassword: ea4cb9eedc > uidnumber: 2001 > gidnumber: 2001 > homedirectory: /data/users/userx > loginshell: /bin/sh > givenname: John A. 
> sn: Sullivan III > mail: userx at somecompany.biz > telephonenumber: +1 (207) 999-9999 > > I can't imagine it is significant but, just in case, here is the LDIF creation from the script: > The input syntax is: > uid|givenname|sn|emailuser(no domain)|phone|location|W|"|" delimited attribute=value pairs > > UIDNUMBERS[$counter]=${CIDU} > PWS=$(echo ${CIDU}${FIRST} | md5sum) > PWS=${PWS:0:10} > echo -e "${FIRST} ${PWS}\n\n" >> ${CID}.temp > TEMPS="dn: uid=${FIRST},${USUFFIX}\n${ADDPERSON}uid: ${FIRST}\ncn: ${FIRST}\nuserpassword: ${PWS}\nuidnumber: ${CIDU}\ngidnumber: ${CIDU}\nhomedirectory: /data/users/${FIRST}\nloginshell: /bin/sh\n" > c=0 > for var in ${REST} > do > if [ -n "${var}" ]; then > case ${c} in > 0) > TEMPS="${TEMPS}givenname: ${var}\n";; > 1) > TEMPS="${TEMPS}sn: ${var}\n";; > 2) > TEMPS="${TEMPS}mail: ${var}${EDOMAIN}\n";; > 3) > TEMPS="${TEMPS}telephonenumber: ${var}\n";; > 4) > TEMPS="${TEMPS}physicaldeliveryofficename: ${var}\n";; > 5) > TEMPS="${TEMPS}${ADDWIN}ntuserdomainid: ${FIRST}\nntusercreatenewaccount: true\nntuserdeleteaccount: true\n";; > *) > var=${var/=/: } > TEMPS="${TEMPS}${var}\n";; > esac > fi > ((c = c + 1)) > done > TEMPS="${TEMPS}\n" > echo -e ${TEMPS} >> ${LDIF} > ((counter = counter + 1)) > ((CIDU = CIDU + 1)) > > Here are some of the variable definitions: > BASE="dc=ssiservices,dc=biz" > NEWO="o=${CID},${BASE}" > SYSACCOUNTS="ou=SysAccounts,${NEWO}" > USUFFIX="ou=Users,ou=Internal,${NEWO}" > ADDS="changetype: add\n" > TOPS="${ADDS}objectclass: top\n" > ADDO="${TOPS}objectclass: organization\n" > ADDOU="${TOPS}objectclass: organizationalUnit\n" > ADDSYSPERSON="${TOPS}objectclass: person\nobjectclass: organizationalPerson\nobjectclass: inetOrgPerson\n" > ADDPERSON="${ADDSYSPERSON}objectclass: posixaccount\nobjectclass: account\nobjectclass: posixgroup\n" > ADDGROUP="${TOPS}objectclass: groupofuniquenames\nobjectclass: posixgroup\n" > ADDWIN="objectclass: ntuser\n" > > What is going on? 
Thanks - John > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From jsullivan at opensourcedevel.com Wed Nov 26 17:25:09 2008 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Wed, 26 Nov 2008 12:25:09 -0500 Subject: [Fedora-directory-users] Command line created posix user shows posix disabled in console In-Reply-To: <492D6ACE.7050102@redhat.com> References: <1227664058.8904.62.camel@jaspav.missionsit.net.missionsit.net> <492D6ACE.7050102@redhat.com> Message-ID: <1227720309.6618.23.camel@jaspav.missionsit.net.missionsit.net> On Wed, 2008-11-26 at 08:27 -0700, Rich Megginson wrote: > John A. Sullivan III wrote: > > I've created a bash script to add ds entries for new clients as we bring > > them on board. It automatically creates their user accounts which > > include the posixaccount object class (as well as account (to allow the > > host attribute) and posixgroup (to allow gidnumber for personal > > groups)). > > > > They appear to be created fine. Users can login, change passwords, etc. > > However, when I view the user in the idm-console, the posix attributes > > are present but the enable checkbox is unchecked and the attributes are > > greyed out and uneditable. > > > > If I click the enable check box, the fields are enabled but when I > > attempt to save the change I get an error: > > Cannot save to directory server: > > netscape.ldap.LDAPException: error result(1): Operations error > > > run the console like this > fedora-idm-console -D 9 -f console.log > the log should contain much more detailed information > you should also look at the directory server access log to see exactly > what operation it is performing > > I would not doubt this is because it's trying to add a posixaccount > > value to objectclass when one already exists. 
In any event, if I enable > > posix and change an attribute, I get the same error. However, if I go > > to the advanced page instead, and change a posix attribute there, the > > change saves perfectly fine. > > > > Any idea what is happening and what I've done wrong? In case more > > information is needed, here are some of the gory details. > > > > There are attribute uniqueness constraints. uidnumber and gidnumber are > > globally unique. uid and cn are unique within an ou within an o - > > fairly granular. I did try disabling the global constraints but to no > > avail. > > > > By the way, those users with NT attributes show up fine with the NT User > > enabled check box checked. > > > > Here is a typical LDIF entry: > > > > dn: uid=userx,ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz > > changetype: add > > objectclass: top > > objectclass: person > > objectclass: organizationalPerson > > objectclass: inetOrgPerson > > objectclass: posixaccount > > objectclass: account > > objectclass: posixgroup > > uid: userx > > cn: userx > > userpassword: ea4cb9eedc > > uidnumber: 2001 > > gidnumber: 2001 > > homedirectory: /data/users/userx > > loginshell: /bin/sh > > givenname: John A. 
> > sn: Sullivan III > > mail: userx at somecompany.biz > > telephonenumber: +1 (207) 999-9999 > > > > I can't imagine it is significant but, just in case, here is the LDIF creation from the script: > > The input syntax is: > > uid|givenname|sn|emailuser(no domain)|phone|location|W|"|" delimited attribute=value pairs > > > > UIDNUMBERS[$counter]=${CIDU} > > PWS=$(echo ${CIDU}${FIRST} | md5sum) > > PWS=${PWS:0:10} > > echo -e "${FIRST} ${PWS}\n\n" >> ${CID}.temp > > TEMPS="dn: uid=${FIRST},${USUFFIX}\n${ADDPERSON}uid: ${FIRST}\ncn: ${FIRST}\nuserpassword: ${PWS}\nuidnumber: ${CIDU}\ngidnumber: ${CIDU}\nhomedirectory: /data/users/${FIRST}\nloginshell: /bin/sh\n" > > c=0 > > for var in ${REST} > > do > > if [ -n "${var}" ]; then > > case ${c} in > > 0) > > TEMPS="${TEMPS}givenname: ${var}\n";; > > 1) > > TEMPS="${TEMPS}sn: ${var}\n";; > > 2) > > TEMPS="${TEMPS}mail: ${var}${EDOMAIN}\n";; > > 3) > > TEMPS="${TEMPS}telephonenumber: ${var}\n";; > > 4) > > TEMPS="${TEMPS}physicaldeliveryofficename: ${var}\n";; > > 5) > > TEMPS="${TEMPS}${ADDWIN}ntuserdomainid: ${FIRST}\nntusercreatenewaccount: true\nntuserdeleteaccount: true\n";; > > *) > > var=${var/=/: } > > TEMPS="${TEMPS}${var}\n";; > > esac > > fi > > ((c = c + 1)) > > done > > TEMPS="${TEMPS}\n" > > echo -e ${TEMPS} >> ${LDIF} > > ((counter = counter + 1)) > > ((CIDU = CIDU + 1)) > > > > Here are some of the variable definitions: > > BASE="dc=ssiservices,dc=biz" > > NEWO="o=${CID},${BASE}" > > SYSACCOUNTS="ou=SysAccounts,${NEWO}" > > USUFFIX="ou=Users,ou=Internal,${NEWO}" > > ADDS="changetype: add\n" > > TOPS="${ADDS}objectclass: top\n" > > ADDO="${TOPS}objectclass: organization\n" > > ADDOU="${TOPS}objectclass: organizationalUnit\n" > > ADDSYSPERSON="${TOPS}objectclass: person\nobjectclass: organizationalPerson\nobjectclass: inetOrgPerson\n" > > ADDPERSON="${ADDSYSPERSON}objectclass: posixaccount\nobjectclass: account\nobjectclass: posixgroup\n" > > ADDGROUP="${TOPS}objectclass: groupofuniquenames\nobjectclass: 
posixgroup\n"
> > ADDWIN="objectclass: ntuser\n"
> >
> > What is going on? Thanks - John
> >
Thanks. This is what the console gives me when I click on the posix tab on the left side of the edit dialog:

ResourceEditor.valueChanged: o=com.netscape.management.client.ug.ResEditorPosixUser[,2,2,506x335,invalid,hidden,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]
ResourceEditor.valueChanged: o=com.netscape.management.client.ug.ResEditorPosixUser[,2,2,506x335,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]

As suspected, I think the error is because it is trying to add posixAccount to the objectClass attribute when it already exists. I am assuming that is the action associated with checking the posix check box. Here is the log section:

ResourcePageObservable.save: mod.rep=LDAPAttribute {type='objectclass', values='top,person,organizationalPerson,inetOrgPerson,posixaccount,account,posixgroup,posixAccount'}
ResourcePageObservable.save: RDN=uid=jasiii
ResourcePageObservable.save: newRDN=uid=jasiii
ResourcePageObservable.java:MODIFY LDAP ENTRY:netscape.ldap.LDAPException: error result (1); Operations error

I suppose the question is why the check box is unchecked to begin with. I wonder if the application is case sensitive (posixAccount versus posixaccount). I thought the attribute values were case insensitive. Let me give that a try.

That was it! Users created from the command line with posixaccount show as posix disabled while those created with posixAccount show as enabled. Is this a GUI bug or are they supposed to be case sensitive? Thanks - John
--
John A.
Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From rmeggins at redhat.com Wed Nov 26 17:38:15 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 26 Nov 2008 10:38:15 -0700 Subject: [Fedora-directory-users] Command line created posix user shows posix disabled in console In-Reply-To: <1227720309.6618.23.camel@jaspav.missionsit.net.missionsit.net> References: <1227664058.8904.62.camel@jaspav.missionsit.net.missionsit.net> <492D6ACE.7050102@redhat.com> <1227720309.6618.23.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <492D8987.5020506@redhat.com> John A. Sullivan III wrote: > On Wed, 2008-11-26 at 08:27 -0700, Rich Megginson wrote: > >> John A. Sullivan III wrote: >> >>> I've created a bash script to add ds entries for new clients as we bring >>> them on board. It automatically creates their user accounts which >>> include the posixaccount object class (as well as account (to allow the >>> host attribute) and posixgroup (to allow gidnumber for personal >>> groups)). >>> >>> They appear to be created fine. Users can login, change passwords, etc. >>> However, when I view the user in the idm-console, the posix attributes >>> are present but the enable checkbox is unchecked and the attributes are >>> greyed out and uneditable. >>> >>> If I click the enable check box, the fields are enabled but when I >>> attempt to save the change I get an error: >>> Cannot save to directory server: >>> netscape.ldap.LDAPException: error result(1): Operations error >>> >>> >> run the console like this >> fedora-idm-console -D 9 -f console.log >> the log should contain much more detailed information >> you should also look at the directory server access log to see exactly >> what operation it is performing >> >>> I would not doubt this is because it's trying to add a posixaccount >>> value to objectclass when one already exists. 
In any event, if I enable >>> posix and change an attribute, I get the same error. However, if I go >>> to the advanced page instead, and change a posix attribute there, the >>> change saves perfectly fine. >>> >>> Any idea what is happening and what I've done wrong? In case more >>> information is needed, here are some of the gory details. >>> >>> There are attribute uniqueness constraints. uidnumber and gidnumber are >>> globally unique. uid and cn are unique within an ou within an o - >>> fairly granular. I did try disabling the global constraints but to no >>> avail. >>> >>> By the way, those users with NT attributes show up fine with the NT User >>> enabled check box checked. >>> >>> Here is a typical LDIF entry: >>> >>> dn: uid=userx,ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz >>> changetype: add >>> objectclass: top >>> objectclass: person >>> objectclass: organizationalPerson >>> objectclass: inetOrgPerson >>> objectclass: posixaccount >>> objectclass: account >>> objectclass: posixgroup >>> uid: userx >>> cn: userx >>> userpassword: ea4cb9eedc >>> uidnumber: 2001 >>> gidnumber: 2001 >>> homedirectory: /data/users/userx >>> loginshell: /bin/sh >>> givenname: John A. 
>>> sn: Sullivan III >>> mail: userx at somecompany.biz >>> telephonenumber: +1 (207) 999-9999 >>> >>> I can't imagine it is significant but, just in case, here is the LDIF creation from the script: >>> The input syntax is: >>> uid|givenname|sn|emailuser(no domain)|phone|location|W|"|" delimited attribute=value pairs >>> >>> UIDNUMBERS[$counter]=${CIDU} >>> PWS=$(echo ${CIDU}${FIRST} | md5sum) >>> PWS=${PWS:0:10} >>> echo -e "${FIRST} ${PWS}\n\n" >> ${CID}.temp >>> TEMPS="dn: uid=${FIRST},${USUFFIX}\n${ADDPERSON}uid: ${FIRST}\ncn: ${FIRST}\nuserpassword: ${PWS}\nuidnumber: ${CIDU}\ngidnumber: ${CIDU}\nhomedirectory: /data/users/${FIRST}\nloginshell: /bin/sh\n" >>> c=0 >>> for var in ${REST} >>> do >>> if [ -n "${var}" ]; then >>> case ${c} in >>> 0) >>> TEMPS="${TEMPS}givenname: ${var}\n";; >>> 1) >>> TEMPS="${TEMPS}sn: ${var}\n";; >>> 2) >>> TEMPS="${TEMPS}mail: ${var}${EDOMAIN}\n";; >>> 3) >>> TEMPS="${TEMPS}telephonenumber: ${var}\n";; >>> 4) >>> TEMPS="${TEMPS}physicaldeliveryofficename: ${var}\n";; >>> 5) >>> TEMPS="${TEMPS}${ADDWIN}ntuserdomainid: ${FIRST}\nntusercreatenewaccount: true\nntuserdeleteaccount: true\n";; >>> *) >>> var=${var/=/: } >>> TEMPS="${TEMPS}${var}\n";; >>> esac >>> fi >>> ((c = c + 1)) >>> done >>> TEMPS="${TEMPS}\n" >>> echo -e ${TEMPS} >> ${LDIF} >>> ((counter = counter + 1)) >>> ((CIDU = CIDU + 1)) >>> >>> Here are some of the variable definitions: >>> BASE="dc=ssiservices,dc=biz" >>> NEWO="o=${CID},${BASE}" >>> SYSACCOUNTS="ou=SysAccounts,${NEWO}" >>> USUFFIX="ou=Users,ou=Internal,${NEWO}" >>> ADDS="changetype: add\n" >>> TOPS="${ADDS}objectclass: top\n" >>> ADDO="${TOPS}objectclass: organization\n" >>> ADDOU="${TOPS}objectclass: organizationalUnit\n" >>> ADDSYSPERSON="${TOPS}objectclass: person\nobjectclass: organizationalPerson\nobjectclass: inetOrgPerson\n" >>> ADDPERSON="${ADDSYSPERSON}objectclass: posixaccount\nobjectclass: account\nobjectclass: posixgroup\n" >>> ADDGROUP="${TOPS}objectclass: groupofuniquenames\nobjectclass: 
posixgroup\n"
>>> ADDWIN="objectclass: ntuser\n"
>>>
>>> What is going on? Thanks - John
>>>
>>>
>
> Thanks.
> This is what the console gives me when I click on the posix tab on the
> left side of the edit dialog:
>
> ResourceEditor.valueChanged:
> o=com.netscape.management.client.ug.ResEditorPosixUser[,2,2,506x335,invalid,hidden,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]
> ResourceEditor.valueChanged:
> o=com.netscape.management.client.ug.ResEditorPosixUser[,2,2,506x335,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]
>
> As suspected, I think the error is because it is trying to add
> posixAccount to the objectClass attribute when it already exists. I am
> assuming that is the action associated with checking the posix check
> box. Here is the log section:
>
> ResourcePageObservable.save: mod.rep=LDAPAttribute {type='objectclass',
> values='top,person,organizationalPerson,inetOrgPerson,posixaccount,account,posixgroup,posixAccount'}
> ResourcePageObservable.save: RDN=uid=jasiii
> ResourcePageObservable.save: newRDN=uid=jasiii
> ResourcePageObservable.java:MODIFY LDAP
> ENTRY:netscape.ldap.LDAPException: error result (1); Operations error
>
> I suppose the question is why the check box is unchecked to begin with.
> I wonder if the application is case sensitive (posixAccount versus
> posixaccount). I thought the attribute values were case insensitive.
>
> Let me give that a try. That was it! Users created from the command
> line with posixaccount show as posix disabled while those created with
> posixAccount show as enabled. Is this a GUI bug or are they supposed to
> be case sensitive? Thanks - John
>
This is a GUI bug - they are not supposed to be case sensitive.
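The case mismatch Rich confirms above (the console compared objectClass values case-sensitively, so entries written with posixaccount showed as POSIX-disabled) and John's generator script earlier in the thread both point at the same fix on the producing side: emit the schema spelling of each objectClass. The Python below is an added example, not John's script and not code from the project: it takes the same pipe-delimited input line format, writes canonical objectClass names, base64-encodes values that RFC 2849 does not allow in plain form, and draws the initial password from the OS CSPRNG rather than from a truncated md5 of uidNumber and uid, two values stored in the entry itself. The e-mail domain and the sample input line are constructed; the suffix is the one from the thread.

```python
import base64
import secrets
import string

# Schema spelling of each objectClass the posted script adds.  LDAP compares
# objectClass values case-insensitively, but the console in this thread did
# not, so always emit the spelling the schema uses.
PERSON_CLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson",
                  "posixAccount", "account", "posixGroup")
NT_CLASSES = ("ntUser",)

# Input line: uid|givenname|sn|emailuser|phone|location|W|attr=value|...
# The five fields after uid map to these attributes; a non-empty sixth
# field ("W") switches on the NT attributes; anything later is attr=value.
POSITIONAL = ("givenName", "sn", "mail", "telephoneNumber",
              "physicalDeliveryOfficeName")
NT_FLAG_INDEX = len(POSITIONAL)


def random_password(length=16):
    """Initial password from the OS CSPRNG.  The posted script uses the first
    10 hex digits of md5(uidNumber + uid); both inputs are stored in the
    entry itself, so that password can be recomputed from the entry."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ldif_line(attr, value):
    """One attribute line.  RFC 2849 requires the base64 ('::') form when the
    value is not a SAFE-STRING: non-ASCII, NUL/CR/LF, a leading space, ':'
    or '<', or a trailing space.  Interpolating such values into plain text,
    as the echo -e script does, silently stores a different value."""
    value = str(value)
    safe = (value.isascii()
            and not any(c in value for c in "\0\r\n")
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def build_entry(line, uid_number, user_suffix, email_domain, password=None):
    """Render one 'changetype: add' record for a pipe-delimited input line.
    uid_number is used for both uidNumber and gidNumber (personal group),
    mirroring the posted script."""
    fields = [f.strip() for f in line.split("|")]
    uid, rest = fields[0], fields[1:]
    if not uid:
        raise ValueError("uid is required")
    password = password or random_password()
    classes = list(PERSON_CLASSES)
    extra = []
    for i, value in enumerate(rest):
        if not value:
            continue
        if i < NT_FLAG_INDEX:
            attr = POSITIONAL[i]
            extra.append((attr, value + email_domain if attr == "mail" else value))
        elif i == NT_FLAG_INDEX:
            classes += NT_CLASSES
            extra += [("ntUserDomainId", uid),
                      ("ntUserCreateNewAccount", "true"),
                      ("ntUserDeleteAccount", "true")]
        else:
            attr, sep, val = value.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"expected attr=value, got {value!r}")
            extra.append((attr.strip(), val.strip()))
    attrs = [("changetype", "add")]
    attrs += [("objectClass", c) for c in classes]
    attrs += [("uid", uid), ("cn", uid), ("userPassword", password),
              ("uidNumber", uid_number), ("gidNumber", uid_number),
              ("homeDirectory", f"/data/users/{uid}"), ("loginShell", "/bin/sh")]
    attrs += extra
    lines = [ldif_line("dn", f"uid={uid},{user_suffix}")]
    lines += [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input; the suffix is the one used in the thread.
    SUFFIX = "ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz"
    sample = "userx|John A.|Sullivan III|userx|+1 (207) 999-9999||W|description=Test user"
    print(build_entry(sample, 2001, SUFFIX, "@example.com"))
```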
From erlingre at gmail.com Thu Nov 27 10:08:24 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Thu, 27 Nov 2008 11:08:24 +0100
Subject: [Fedora-directory-users] Sudo in directory server
Message-ID: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>

I try to add the schema for sudoers from README.LDAP in the srpm-file of sudo-1.6.8p12. I assume the iPlanet-version will work best, but get this problem when I restart directory server:

[root at testserver schema]# service dirsrv restart
Shutting down dirsrv:
    testserver...                                              [  OK  ]
Starting dirsrv:
    testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE" required attribute "objectclass" missing
                                                               [  OK  ]
[root at testserver schema]# cat 99sudoers.ldif
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE
xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseEx
actIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match S
YNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1
.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1
.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sud
oHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )

Any help to get the schema for sudo correctly added is appreciated.

Thanks,
Erling

From premodd at decho.com Thu Nov 27 10:16:07 2008
From: premodd at decho.com (Premod Dev)
Date: Thu, 27 Nov 2008 03:16:07 -0700 (MST)
Subject: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
In-Reply-To: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
Message-ID: <483626.01227781001711.JavaMail.premod@premod.picorp.com>

Hi All,

Can anybody have a good experience with SAMBA PDC with Fedora Directory Server as the backend LDAP server?

I have a working SAMBA PDC with OpenLDAP as the backend directory server for user, group and computer management.

Is it possible to use Fedora Directory server as the backend LDAP server for Samba PDC?

I want all users, groups and computers to be available in the Directory.

Thanks in Advance.

Premod

From j.barber at dundee.ac.uk Thu Nov 27 11:01:58 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Thu, 27 Nov 2008 11:01:58 +0000
Subject: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
In-Reply-To: <483626.01227781001711.JavaMail.premod@premod.picorp.com>
References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com> <483626.01227781001711.JavaMail.premod@premod.picorp.com>
Message-ID: <20081127110158.GE31239@flea.lifesci.dundee.ac.uk>

On Thu, Nov 27, 2008 at 03:16:07AM -0700, Premod Dev wrote:
> Hi All,
>
>
> Can anybody have a good experience with SAMBA PDC with Fedora
> Directory Server as the backend LDAP server?
>
> I have a working SAMBA PDC with OpenLDAP as the backend directory
> server for user,group and computer management.
>
> Is it possible to use Fedora Directory server as the backend LDAP
> server for Samba PDC?

Yes.
> I want all users,groups and computers to be available in the
> Directory.

The Samba configuration for LDAP is identical between OpenLDAP and FDS. The only problem is if you allow password changes via Samba via the LDAP password change exop, in which case you'll have to investigate the FreeIPA password-change exop plugin for FDS.

> Thanks in Advance.
>
> Premod
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-- 
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From realrichardsharpe at gmail.com Thu Nov 27 11:07:49 2008
From: realrichardsharpe at gmail.com (Richard Sharpe)
Date: Thu, 27 Nov 2008 03:07:49 -0800
Subject: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
In-Reply-To: <483626.01227781001711.JavaMail.premod@premod.picorp.com>
References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com> <483626.01227781001711.JavaMail.premod@premod.picorp.com>
Message-ID: <46b8a8850811270307k2b727a5dp2c4a9c92fbd1f69d@mail.gmail.com>

On Thu, Nov 27, 2008 at 2:16 AM, Premod Dev wrote:
> Hi All,
>
> Can anybody have a good experience with SAMBA PDC with Fedora Directory
> Server as the backend LDAP server?
>
> I have a working SAMBA PDC with OpenLDAP as the backend directory server
> for user,group and computer management.
>
> Is it possible to use Fedora Directory server as the backend LDAP server
> for Samba PDC?
>
> I want all users,groups and computers to be available in the Directory.

While I don't currently use Samba as a PDC, I am using it with Fedora Directory Services and don't see why it can't also be used for computer accounts as well as users and groups.

-- 
Regards,
Richard Sharpe
From siedler at hrd-asia.com Thu Nov 27 11:27:29 2008
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Thu, 27 Nov 2008 19:27:29 +0800
Subject: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
In-Reply-To: <483626.01227781001711.JavaMail.premod@premod.picorp.com>
References: <483626.01227781001711.JavaMail.premod@premod.picorp.com>
Message-ID: <492E8421.5050300@hrd-asia.com>

> Is it possible to use Fedora Directory server as the backend LDAP
> server for Samba PDC?

Yes.

> I want all users,groups and computers to be available in the
> Directory.

That is what a friend of mine recently set up, and it has been working satisfactorily so far for 60+ users. If you want to know more, it might be a good idea to contact me via direct email.

Regards,
Wolf

From kenneho.ndu at gmail.com Thu Nov 27 11:53:49 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Thu, 27 Nov 2008 12:53:49 +0100
Subject: [Fedora-directory-users] Script for populating posix attributes after syncing users from AD
Message-ID:

Hi.

We're setting up RHDS to sync users from AD, and are in need of a script for populating the users with posix attributes (and other relevant ones). Does anyone already have this kind of script, and are willing to share it?

Regards,
Kenneth Holter

From edlinuxguru at gmail.com Thu Nov 27 14:32:37 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Thu, 27 Nov 2008 09:32:37 -0500
Subject: [Fedora-directory-users] Sudo in directory server
In-Reply-To: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
Message-ID:

I think sudo provides a sample OpenLDAP schema.
The syntax is slightly different.

/etc/dirsrv/slapd-ldapslave1/schema/71sudo.ldif

dn: cn=schema
attributetypes :( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclasses :( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )

It would be interesting to find a tool to convert schema from OpenLDAP to FDS format, since this comes up often.

From rpolli at babel.it Fri Nov 28 00:10:26 2008
From: rpolli at babel.it (Roberto Polli)
Date: Fri, 28 Nov 2008 01:10:26 +0100
Subject: [Fedora-directory-users] Script for populating posix attributes after syncing users from AD
In-Reply-To:
References:
Message-ID: <200811280110.26448.rpolli@babel.it>

On Thursday 27 November 2008, Kenneth Holter wrote:
> in need of a script
> for populating the users

use makeldif

Peace, R.

-- 
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"This message contains confidential information. If you have received this message in error, please kindly notify us by e-mail. We also ask you to destroy the message received in error. The above is requested in order to comply with the law on the protection of personal data."

From sigidwu at gmail.com Fri Nov 28 00:40:19 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Fri, 28 Nov 2008 07:40:19 +0700
Subject: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
In-Reply-To: <483626.01227781001711.JavaMail.premod@premod.picorp.com>
References: <483626.01227781001711.JavaMail.premod@premod.picorp.com>
Message-ID: <492F3DF3.2030207@gmail.com>

Premod Dev wrote:
> Hi All,
>
> Can anybody have a good experience with SAMBA PDC with Fedora Directory
> Server as the backend LDAP server?
>
> I have a working SAMBA PDC with OpenLDAP as the backend directory server
> for user,group and computer management.
>
> Is it possible to use Fedora Directory server as the backend LDAP server
> for Samba PDC?
>
> I want all users,groups and computers to be available in the Directory.

Of course it's possible. You may want to look at this link for further guidance.

http://directory.fedoraproject.org/wiki/Howto:Samba

-- 
http://sigidwu.blogspot.com
Save a tree. Don't print any documents unless it's necessary.

From premodd at decho.com Fri Nov 28 04:45:05 2008
From: premodd at decho.com (Premod Dev)
Date: Thu, 27 Nov 2008 21:45:05 -0700 (MST)
Subject: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv
In-Reply-To: <492F3DF3.2030207@gmail.com>
Message-ID: <7757452.01227847541707.JavaMail.premod@premod.picorp.com>

Hi Sigid,

Please see the following comment from the wiki:

NOTE: These instructions only apply to basic user and group management. If you use or plan to use Samba for computer management, you will be better off using the migration scripts from IDEALX - http://www.idealx.org/prj/samba/index.en.html

I want to use SAMBA for computer management also.
Thanks,
#!Premod

----- Original Message -----
From: "sigid at JINLab"
To: "General discussion list for the Fedora Directory server project."
Sent: Friday, November 28, 2008 6:10:19 AM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi
Subject: Re: [Fedora-directory-users] SAMBA PDC+Fedora Dirsrv

Premod Dev wrote:
> Hi All,
>
> Can anybody have a good experience with SAMBA PDC with Fedora Directory
> Server as the backend LDAP server?
>
> I have a working SAMBA PDC with OpenLDAP as the backend directory server
> for user,group and computer management.
>
> Is it possible to use Fedora Directory server as the backend LDAP server
> for Samba PDC?
>
> I want all users,groups and computers to be available in the Directory.

Of course it's possible. You may want to look at this link for further guidance.

http://directory.fedoraproject.org/wiki/Howto:Samba

-- 
http://sigidwu.blogspot.com
Save a tree. Don't print any documents unless it's necessary.

-- 
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jsullivan at opensourcedevel.com Fri Nov 28 05:49:11 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Fri, 28 Nov 2008 00:49:11 -0500
Subject: [Fedora-directory-users] Ubuntu not enforcing password policies
Message-ID: <1227851351.6618.47.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. We're continuing to dive ever deeper into DS. Our thanks to the developers for such a powerful product.

Our integration with the RedHat family has gone well, but now we're working on Ubuntu. Most is working well, but we are finding Ubuntu is not enforcing password policies. For example, we require a user to change their password after a reset. When a user logs into a RedHat system, they are prompted for the change. However, Ubuntu just lets them right in again and again with the same reset password.
Any pointers on what to look for to fix this in our configuration before we scour the world for a solution? We've already done quite a bit of googling. We've tried enabling pam_lookup_policy, but that didn't work.

/etc/pam.d/common-password reads:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so

We've also tried disabling that last pam_permit.so. That didn't help. Where should we look?

Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From erlingre at gmail.com Fri Nov 28 07:51:49 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Fri, 28 Nov 2008 08:51:49 +0100
Subject: [Fedora-directory-users] Sudo in directory server
In-Reply-To:
References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
Message-ID: <664c5a070811272351s2ad5b689iedd3585b145d4346@mail.gmail.com>

On 11/27/08, Edward Capriolo wrote:
> I think sudo provides a sample open ldap schema. The syntax is
> slightly different

Thanks for your reply. I tried to use your schema, but still get errors:

[root at testserver schema]# service dirsrv restart
Shutting down dirsrv:
    testserver...
                                                           [  OK  ]
Starting dirsrv:
    testserver...[28/Nov/2008:08:44:51 +0100] - Entry "cn=schema attributetypes :( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC" required attribute "objectclass" missing
                                                           [  OK  ]

[root at testserver schema]# cat 99sudoers.ldif
dn: cn=schema
attributetypes :( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes :( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclasses :( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )

Could you please send me a copy of the schema directly, just to make sure all line breaks and formatting are correct? How did you get the schema? The README.LDAP in sudo provides two schemas, one for OpenLDAP and one for iPlanet and similar directory servers (like Fedora DS, if I have understood correctly).
Best regards,
Erling

From kenneho.ndu at gmail.com Fri Nov 28 10:55:26 2008
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Fri, 28 Nov 2008 11:55:26 +0100
Subject: [Fedora-directory-users] Script for populating posix attributes after syncing users from AD
In-Reply-To: <200811280110.26448.rpolli@babel.it>
References: <200811280110.26448.rpolli@babel.it>
Message-ID:

Thanks. It seems like makeldif only generates random data used for things such as performance testing. If I'm correct, this is of very little use for us. Do you have links to documentation that describes how makeldif can solve the issues described in my first post?

Kenneth

On 11/28/08, Roberto Polli wrote:
>
> On Thursday 27 November 2008, Kenneth Holter wrote:
> > in need of a script
> > for populating the users
> use makeldif
>
> Peace, R.
>
> --
> Roberto Polli
> Babel S.r.l. - http://www.babel.it
> Tel. +39.06.91801075 - fax +39.06.91612446
> P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
>
> "This message contains confidential information. If you have received this
> message in error, please kindly notify us by e-mail. We also ask you to
> destroy the message received in error. The above is requested in order to
> comply with the law on the protection of personal data."
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
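A script of the kind Kenneth is asking for, added here as an example; it is not from the thread, from RHDS or from any of the posters. It assumes the synced users live under ou=People,dc=example,dc=com and carry the ntUser objectClass that the Windows sync plugin adds (used only to make the sample look realistic; the logic keys on the absence of posixAccount), that uidNumbers come from one flat range, and that gid 100, /home and /bin/bash are acceptable defaults; all of those are placeholders. It deliberately emits LDIF instead of writing to the directory, so the change set can be reviewed before ldapmodify applies it with a privileged bind:

```python
"""Give AD-synced users the posixAccount attributes they are missing.

Added example, not a script from the thread. Reads the LDIF that
`ldapsearch -LLL` returns for the synced subtree, skips entries that are
already posixAccount, allocates uidNumbers that do not collide with any
uidNumber already present, and prints `changetype: modify` records for
ldapmodify. RFC 2307 attribute names are real; base DN, uid range, gid,
home prefix and shell are assumptions to adjust for your site."""

# Constructed sample of a synced subtree. kholter already has posix
# attributes and must be left untouched; the other two need them.
SAMPLE_LDIF = """\
dn: uid=kholter,ou=People,dc=example,dc=com
objectClass: person
objectClass: posixAccount
uid: kholter
cn: Kenneth Holter
uidNumber: 5000
gidNumber: 100

dn: uid=ssutter,ou=People,dc=example,dc=com
objectClass: person
objectClass: ntUser
uid: ssutter
cn: Sue Sutter

dn: uid=pdev,ou=People,dc=example,dc=com
objectClass: person
objectClass: ntUser
uid: pdev
cn: Premod Dev
"""


def parse_ldif(text):
    """Minimal LDIF reader: joins folded lines, lowercases attribute names,
    keeps every attribute as a list. Base64 (::) values are rejected."""
    entries, cur, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            cur[last][-1] += raw[1:]            # RFC 2849 continuation line
            continue
        if not raw.strip():                     # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = None, None
            continue
        if raw.startswith("#"):
            continue
        key, _, value = raw.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value not supported: {raw!r}")
        cur = cur if cur is not None else {}
        last = key.strip().lower()
        cur.setdefault(last, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def plan_posix_mods(entries, start_uid=10000, gid=100,
                    home_prefix="/home", shell="/bin/bash"):
    """Return [(dn, {attr: [values]})] for every entry lacking posixAccount.
    uidNumbers are handed out sequentially from start_uid, skipping numbers
    already used anywhere in the input, so a re-run never creates duplicates."""
    used = {int(v) for e in entries for v in e.get("uidnumber", [])}
    next_uid, plan = start_uid, []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes or "uid" not in e or "cn" not in e:
            continue                # already posix, or cannot satisfy MUST
        while next_uid in used:
            next_uid += 1
        used.add(next_uid)
        login = e["uid"][0]
        plan.append((e["dn"][0], {
            "objectClass": ["posixAccount"],
            "uidNumber": [str(next_uid)],
            "gidNumber": [str(gid)],
            "homeDirectory": [f"{home_prefix}/{login}"],
            "loginShell": [shell],
        }))
    return plan


def to_modify_ldif(plan):
    """Render the plan as LDIF change records for ldapmodify."""
    out = []
    for dn, attrs in plan:
        out += [f"dn: {dn}", "changetype: modify"]
        for attr, values in attrs.items():
            out.append(f"add: {attr}")
            out += [f"{attr}: {v}" for v in values]
            out.append("-")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Feed it the whole subtree (not just ntUser entries) so that every
    # existing uidNumber is seen; with no stdin it runs on the sample:
    #   ldapsearch -x -LLL -b ou=People,dc=example,dc=com objectClass uid cn uidNumber \
    #     | python3 posix_fill.py | ldapmodify -x -D 'cn=Directory Manager' -W
    import sys
    src = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    print(to_modify_ldif(plan_posix_mods(parse_ldif(src))))
```

Searching the whole subtree rather than only the AD-synced entries matters: the collision check can only avoid uidNumbers it has seen, and a uidNumber clash gives two people the same files.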
From edlinuxguru at gmail.com Fri Nov 28 17:18:37 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Fri, 28 Nov 2008 12:18:37 -0500
Subject: [Fedora-directory-users] Sudo in directory server
In-Reply-To: <664c5a070811272351s2ad5b689iedd3585b145d4346@mail.gmail.com>
References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com> <664c5a070811272351s2ad5b689iedd3585b145d4346@mail.gmail.com>
Message-ID:

Last time I installed sudo the iPlanet schema was not part of the package. iPlanet should be close to FDS. The one I sent I did myself 6 months back. If you think the problem is a format issue: I checked my system, and every entry is on its own line. It is working for me with this version:

fedora-ds-base-1.1.0-3.fc6
fedora-ds-1.1.0-3.fc6

From bbahar3 at gmail.com Sat Nov 29 12:08:38 2008
From: bbahar3 at gmail.com (Eric)
Date: Sat, 29 Nov 2008 15:38:38 +0330
Subject: [Fedora-directory-users] Re: fedora ds migration error
Message-ID: <38a27c8c0811290408l21220919j58e5096759b2c250@mail.gmail.com>

There is /var/run/dirsrv on my system and there is dsgw/cookies in it. Why does the server fail to start?

Date: Wed, 26 Nov 2008 08:25:31 -0700
From: Rich Megginson
Subject: Re: [Fedora-directory-users] Re: error in yum fedora-ds
To: "General discussion list for the Fedora Directory server project."
Message-ID: <492D6A6B.2080802 at redhat.com>
Content-Type: text/plain; charset="iso-8859-1"

Eric wrote:
> I used :rpm --import
> 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'
>
> and the problem was solved. I installed fedora-ds then used
> /usr/sbin/migrate-ds-admin.pl for migration from fedora ds-1.0.4.
> I stopped the slapd instance before this. It failed when starting the server:

mkdir /var/run/dirsrv
make sure that directory is writable by your directory server user

>
> /usr/sbin/migrate-ds-admin.pl General.ConfigDirectoryAdminPwd=mypassword
> Beginning migration of Directory and Administration servers from
> /opt/fedora-ds . . .
> Beginning migration of directory server instances in /opt/fedora-ds . . .
> Your new DS instance 'slapd-ldap' was successfully created.
> Server failed to start !!! Please check errors log for problems
> Beginning migration of Administration server from /opt/fedora-ds . . .
> Creating Admin Server files and directories . . .
> Updating the configuration for the httpd engine . . .
> Starting admin server . . .
> The admin server was successfully started.
> Registering the directory server instances with the configuration
> directory server . . .
> Directory and Administration servers migration is complete. Please
> check output and log files for details.
> Exiting . . .
>
> What is wrong? Now the slapd in /opt/fedora-ds doesn't work either!

From jsullivan at opensourcedevel.com Sun Nov 30 00:14:00 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 29 Nov 2008 19:14:00 -0500
Subject: [Fedora-directory-users] Many DSGW authentication problems
Message-ID: <1228004040.6407.55.camel@jaspav.missionsit.net.missionsit.net>

I'm finding several weird issues with DSGW authentication which make it very difficult for our users to use. Not to complain - great DS - but we're experiencing some problems.

We do not allow anonymous browsing of the tree. Each client has a user who has rights to search only their portion of the tree for possible DSGW logins. The ACI, placed on the root, is thus:

(target = "ldap:///ou=Users,($dn),o=Internal,dc=ssiservices,dc=biz")
(targetattr = "uid || st || sn || ou || name || entrydn || dn || dc || objectClass || cn || o || l || c || givenName")
(version 3.0;acl "Client DSGW Lister";allow (search,read)(userdn = "ldap:///uid=*dsgwlister,[$dn],o=sysaccounts,dc=ssiservices,dc=biz");)

We have an example test user named sue.sutter. The full dn is
uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz

The first step is to go to the authentication page, where we read: "The first step in authenticating to the directory is identifying yourself." This is why we created a user with rights to browse for other users and defined it with a binddnfile entry. That part is working fine.

If I enter sue.sutter, it does not find her directly but rather offers a list with a single hyperlinked choice. That's the first problem (a problem for anyone with a "." in their uid). The query has replaced the "." with a space:

filter="(&(objectClass=person)(|(sn=sue sutter)(cn=sue sutter)))

I tried surrounding it with quotes and escaping it with a backslash, but the quote was interpreted literally and the backslash gave the same results as the period alone.

Is this a bug, a configuration error, or just the way it's supposed to be? If the latter, this is very user unfriendly. A techie might understand escape characters or special encoding, but not an everyday user.

It wouldn't be so bad if they could simply click on the hyperlink and be allowed to log in. However, the hyperlink does not work. Mousing over gives:

javascript:authSubmit('uid%3Dsue.sutter%2Cou%3DUsers%2Co%3Da0000-0006%2Co%3DInternal%2Cdc%3Dssiservices%2Cdc%3Dbiz');%20onMouseOver=

but it goes nowhere. A packet trace shows no packets coming from the browser to the DS. What might we have configured incorrectly to cause this? We see the same thing in Konqueror as we see in Firefox3, all running on fully patched Ubuntu 8.0.4.

Hmmm . . . this is getting long. I'll put the other problem into another email. Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Sun Nov 30 00:19:51 2008
From: jsullivan at opensourcedevel.com (John A.
Sullivan III)
Date: Sat, 29 Nov 2008 19:19:51 -0500
Subject: [Fedora-directory-users] Many DSGW authentication problems
In-Reply-To: <1228004040.6407.55.camel@jaspav.missionsit.net.missionsit.net>
References: <1228004040.6407.55.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1228004391.6407.62.camel@jaspav.missionsit.net.missionsit.net>

On Sat, 2008-11-29 at 19:14 -0500, John A. Sullivan III wrote:
> I'm finding several weird issues with DSGW authentication which make it
> very difficult for our users to use. Not to complain - great DS - but
> we're experiencing some problems.
>
> We do not allow anonymous browsing of the tree. Each client has a user
> who has rights to search only their portion of the tree for possible
> DSGW logins. The ACI, place on the root, is thus:
>
> (target =
> "ldap:///ou=Users,($dn),o=Internal,dc=ssiservices,dc=biz")(targetattr =
> "uid || st || sn || ou || name || entrydn || dn || dc || objectClass ||
> cn || o || l || c || givenName") (version 3.0;acl "Client DSGW
> Lister";allow (search,read)(userdn =
> "ldap:///uid=*dsgwlister,[$dn],o=sysaccounts,dc=ssiservices,dc=biz");)
>
> We have an example test user named sue.sutter. The full dn is
> uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz
>
> The first step is to go the authentication page where we read:
> "The first step in authenticating to the directory is identifying
> yourself."
> This is why we created a user with rights to browse for other users and
> defined it with a binddnfile entry. That part is working fine.
>
> If I enter sue.sutter, it does not find her directly but rather offers a
> list with a single hyperlinked choice. That's the first problem (a
> problem for anyone with a "." in their uid). The query has replaced the
> "." with a space:
> filter="(&(objectClass=person)(|(sn=sue sutter)(cn=sue sutter)))
> I tried surrounding it with quotes and escaping it with a back slash but
> the quote was interpreted literally and the back slash gave the same
> results as the period alone.
>
> Is this a bug, a configuration error, or just the way it's supposed to
> be? If the latter, this is very user unfriendly. A techie might
> understand escape characters or special encoding but not an everyday
> user.
>
> It wouldn't be so bad if they could simply click on the hyperlink and be
> allowed to login. However, the hyperlink does not work. Mousing over
> gives:
> javascript:authSubmit('uid%3Dsue.sutter%2Cou%3DUsers%2Co%3Da0000-0006%
> 2Co%3DInternal%2Cdc%3Dssiservices%2Cdc%3Dbiz');%20onMouseOver=
>
> but it goes nowhere. A packet trace shows no packets coming from the
> browser to the DS. What might we have configured incorrectly to cause
> this? We see the same thing in Konqueror as we see in Firefox3 all
> running on fully patched Ubuntu 8.0.4.
>
> Hmmm . . . this is getting long. I'll put the other problem into
> another email. Thanks - John

I should mention I also tried this after giving full rights to all attributes on all portions of the tree to the browsing user, but had exactly the same results. Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Sun Nov 30 00:20:02 2008
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 29 Nov 2008 19:20:02 -0500
Subject: [Fedora-directory-users] DSGW problem - browser user tries to change password
Message-ID: <1228004402.6407.64.camel@jaspav.missionsit.net.missionsit.net>

Hello, all.
As explained in the last email, we do not allow anonymous browsing but have a specific user with limited rights browsing the tree to find users' identities for logging into DSGW. We also have a policy that users must change their passwords after a reset.

We have a test user sue.sutter. We reset her password and then had her attempt to log in to DSGW. Sure enough, she was told she needed to change her password and was given the option to do so. However, the attempt failed with the error messages below:

Editing sue.sutter...
Sending changes to the directory server...
An error occurred while contacting the LDAP server. (Insufficient access - Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz'. )
You do not have sufficient privileges to perform the operation.

That seemed very strange, because when we test changing passwords using her posix account, it works just fine. We then gave the browsing user (not sue.sutter) full rights to the tree and, lo and behold, it worked: giving the directory browser user all rights allowed a successful password change.

It appears the browsing user is the one attempting to change the user's password, and not the user. Is that the way it's supposed to be? I certainly would not want a browse-only utility user able to change user passwords. Perhaps I am missing something. Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From bbahar3 at gmail.com Sun Nov 30 11:31:34 2008
From: bbahar3 at gmail.com (Eric)
Date: Sun, 30 Nov 2008 15:01:34 +0330
Subject: [Fedora-directory-users] fedora-idm-console error
Message-ID: <38a27c8c0811300331s2f5086bcr6a18335fa44ea8d1@mail.gmail.com>

Hi,

I have migrated from fedora-ds 1.0.4 on the same system, after stopping admin and slapd in /opt/fedora-ds. When starting fedora-idm-console I use the port that I had from installing fedora-ds 1.0.4. It gives this error:

cannot connect to the directory server
netscape.ldap.LDAPException: error result(32); no such object.
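For the "Sudo in directory server" thread above: the two error lines Erling posted quote the cn=schema entry only up to the point where the file's line was wrapped ("SUBSTR caseE" in the first file, "DESC" in the second), which is what the server reports when a continuation line is not marked as one (RFC 2849 folds a long value by starting the next line with a single space). The converter below is an added example, not code from sudo, Fedora DS or any poster: it turns OpenLDAP-style attributetype/objectclass definitions into the attributeTypes:/objectClasses: LDIF that Fedora DS reads, folds every line with the leading-space convention, and includes a check that flags wrapped lines lacking that space. The sample schema is constructed from the sudo OIDs quoted in the thread; the X-ORIGIN tag and the output path are assumptions.

```python
"""Convert an OpenLDAP-style schema (attributetype/objectclass bodies) into a
Fedora/389 DS cn=schema LDIF with RFC 2849 line folding, and check an existing
schema LDIF for wrapped lines that lack the leading space a continuation line
must have. Added example; not code from sudo or Fedora DS."""
import re

FOLD_AT = 76  # RFC 2849 suggests folding at 76 characters
LDIF_ATTR = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}
_KEYWORD = re.compile(r"\b(attributetype|objectclass)\s*\(", re.IGNORECASE)

# Constructed sample in OpenLDAP syntax, using the sudo OIDs quoted in the thread.
OPENLDAP_SUDO_SCHEMA = """
attributetype ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo'
    EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo'
    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo'
    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo'
    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries'
    MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) )
"""


def parse_openldap_schema(text):
    """Return [(keyword, body)]; body is the balanced '( ... )' definition with
    whitespace collapsed. Parentheses inside '...' strings such as 'User(s)'
    are ignored when looking for the closing parenthesis."""
    src = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    out, pos = [], 0
    while (m := _KEYWORD.search(src, pos)):
        depth, i, quoted = 1, m.end(), False
        while depth and i < len(src):
            c = src[i]
            if c == "'":
                quoted = not quoted
            elif not quoted:
                depth += {"(": 1, ")": -1}.get(c, 0)
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses in schema definition")
        out.append((m.group(1).lower(), " ".join(src[m.end() - 1:i].split())))
        pos = i
    return out


def fold_ldif_line(line, width=FOLD_AT):
    """RFC 2849 folding: each continuation line starts with exactly one space."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return chunks


def to_dirsrv_ldif(text, origin="SUDO"):
    """Emit the cn=schema LDIF Fedora DS reads, tagging each definition with
    X-ORIGIN the way the server's own schema files do."""
    lines = ["dn: cn=schema"]
    for kw, body in parse_openldap_schema(text):
        if "X-ORIGIN" not in body:
            body = body[:-1].rstrip() + f" X-ORIGIN '{origin}' )"
        lines.extend(fold_ldif_line(f"{LDIF_ATTR[kw]}: {body}"))
    return "\n".join(lines) + "\n"


def unfold_ldif(text):
    """Join continuation lines back into logical 'attr: value' lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def check_schema_ldif(text):
    """Return [(lineno, text)] for lines that are neither 'attr: value' nor a
    space-prefixed continuation. A wrapped definition whose second line has no
    leading space is read as a new, malformed attribute and the cn=schema
    entry is cut short at that point."""
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw == "" or raw.startswith((" ", "#")):
            continue
        if not re.match(r"^[A-Za-z][A-Za-z0-9-]*\s*:", raw):
            bad.append((n, raw))
    return bad


if __name__ == "__main__":
    ldif = to_dirsrv_ldif(OPENLDAP_SUDO_SCHEMA)
    print(ldif, end="")   # save as e.g. /etc/dirsrv/slapd-<instance>/schema/99sudo.ldif
    print("problems:", check_schema_ldif(ldif))
```

Running check_schema_ldif over a 99sudoers.ldif that has been pasted through a mail client or an editor with hard wrapping is the quick way to see whether a "required attribute objectclass missing" error on cn=schema is a folding problem rather than a schema-syntax one.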