From jad at jadickinson.co.uk Wed Oct 1 17:14:27 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Wed, 1 Oct 2008 18:14:27 +0100
Subject: [Fedora-directory-users] Replicating o=NetscapeRoot for admin server failover
Message-ID: <7C14B064-3254-4939-B05C-70BBABF00508@jadickinson.co.uk>

Hi,

Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.

I am trying to replicate o=NetscapeRoot for admin server failover and having a few problems. (I have read http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html)

The detailed notes I have written on the steps for doing this can be found here: http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/

In short I:
1. have server 1 already running
2. Add replication info to server 1
3. Install server 2
4. on server 2 run setup-ds.pl -f /tmp/config.inf
5. On server 1 initialize the consumer
   So now server 2 has the replicated o=netscaperoot
6. on server 2 run register-ds-admin.pl

When I do this I can connect with the console to server 1 and see both servers listed. I can browse the DS and admin console for server 1 OK. However, if I double-click to open the directory console for server 2 and click on the configuration tab I get a message saying that uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot doesn't have permission to perform this operation. If I connect as cn=Directory Manager it works fine.
The difference seems to be that server 2 lacks the following entries in slapd-server2/dse.ldif:

aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=server1.example.com, ou=example.com, o=NetscapeRoot";)

Adding them to dse.ldif on server 2 seems to fix things but I don't understand why they don't exist on server 2 and am concerned that this is a sign of something that I have failed to do correctly.

Also, what is the correct way to specify the password in nsDS5ReplicaCredentials and userPassword when a) using ldapmodify or b) editing dse.ldif? The documentation seems to say that you should use the hash of the password but that seems to give odd results. Plain text passwords seem to work...

Thanks
John

From rmeggins at redhat.com Wed Oct 1 17:18:46 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 01 Oct 2008 11:18:46 -0600
Subject: [Fedora-directory-users] Replicating o=NetscapeRoot for admin server failover
In-Reply-To: <7C14B064-3254-4939-B05C-70BBABF00508@jadickinson.co.uk>
References: <7C14B064-3254-4939-B05C-70BBABF00508@jadickinson.co.uk>
Message-ID: <48E3B0F6.7070209@redhat.com>

John Dickinson wrote:
> Hi,
>
> Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.
>
> I am trying to replicate o=NetscapeRoot for admin server failover and
> having a few problems.
>
> (I have read
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html)
>
> The detailed notes I have written on the steps for doing this can be
> found here
> http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/
>
> In short I
> 1. have server 1 already running
> 2. Add replication info to server 1
> 3. Install server 2
> 4. on server 2 run setup-ds.pl -f /tmp/config.inf
> 5. On server 1 initialize the consumer
> So now server 2 has the replicated o=netscaperoot
> 6. on server 2 run register-ds-admin.pl
>
> When I do this I can connect with the console to server 1 and see both
> servers listed. I can browse the DS and admin console for server 1 OK.
> However, if I double-click to open the directory console for server 2
> and click on the configuration tab I get a message saying that
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
> doesn't have permission to perform this operation. If I connect as
> cn=Directory Manager it works fine.
>
> The difference seems to be that server 2 lacks the following entries
> in slapd-server2/dse.ldif
>
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=server1.example.com, ou=example.com, o=NetscapeRoot";)
>
> Adding them to dse.ldif on server 2 seems to fix things but I don't
> understand why they don't exist on server 2 and am concerned that this
> is a sign of something that I have failed to do correctly.
It's probably a bug in the failover setup procedures.

>
> Also, what is the correct way to specify the password in
> nsDS5ReplicaCredentials and userPassword when a) using ldapmodify

Provide the plain text

> or b) editing dse.ldif?

Don't do that.

> The documentation seems to say that you should use the hash of the
> password but that seems to give odd results.

Where does the documentation say that?

> Plain text passwords seem to work...

Yes - please use plain text passwords. That's the only way password policy can be enforced, among other reasons.

>
> Thanks
> John
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jonas.courteau at bravenet.com Thu Oct 2 01:10:54 2008
From: jonas.courteau at bravenet.com (Jonas Courteau)
Date: Wed, 01 Oct 2008 18:10:54 -0700
Subject: [Fedora-directory-users] Windows Sync service - unsupported attribute when syncing
Message-ID: <1222909854.8108.58.camel@jcourteau-desktop>

Hello:

I've got the Windows Sync service set up to sync with an AD server. For some unknown reason, several of the groups on the AD server have an email address and the mail:, the mailNickname: and several Exchange-related attributes set.

How would I go about modifying the schema that the Windows Sync service is using to create the groups on the DS side of things? I believe adding the mailrecipient object class should do the trick, but I can't find any documentation on doing this.

Alternately, if there's a way of just dropping incompatible attributes when syncing, that would work too.
The error I currently get when syncing:

Entry "cn=Support,ou=Groups, dc=example, dc=com" -- attribute "mail" not allowed
NSMMReplicationPlugin - add operation of entry cn=Support,ou=Groups, dc=example, dc=com returned: 65

Any suggestions would be helpful!

- Jonas

From beyonddc.storage at gmail.com Thu Oct 2 14:51:58 2008
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 2 Oct 2008 10:51:58 -0400
Subject: [Fedora-directory-users] GOsa install
In-Reply-To: <48DCA628.5030908@zd-lj.si>
References: <48DC90EF.9060000@zd-lj.si> <48DCA628.5030908@zd-lj.si>
Message-ID: <20e4c38c0810020751k5dfd0fdm81def3d5107fd541@mail.gmail.com>

Hi Alan,

I don't have any experience with GOsa, but the simplest way to install a schema into Fedora Directory Server is simply to copy your custom schema into the Fedora Directory Server schema directory and then restart the slapd process.

There is a new dynamic schema loading functionality introduced in Fedora Directory Server 1.1.2 that doesn't require restarting the slapd process to install new schema, but I haven't tried it yet.

Good luck

David

2008/9/26 Alan Orlič Belšak
> Hello,
>
> found out where the schema files of GOsa are, anyone has any experience
> what to copy to my schema dir?
>
> Bye, Alan
>
> Alan Orlič Belšak wrote:
>> Hello,
>>
>> maybe someone will be able to help me, in the installation of GOsa I get
>> the following error message:
>>
>> LDAP error: Object class violation (unknown object class "gosaAccount"
>>
>> How to add a new object class with that name and are there any extra things
>> to do?
>>
>> Bye, Alan
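Going back to John's o=NetscapeRoot thread above: the quick way to see exactly which ACIs a replica is missing, and to add them through ldapmodify rather than by hand-editing dse.ldif (which Rich advises against), is to diff the aci values of the relevant entry on both servers. The script below is an added example, not code from the posts or from Fedora DS. It assumes the three ACIs sit on cn=config (the two dse.ldif fragments are constructed around John's ACI text), and it unfolds LDIF continuation lines before comparing, since the "a llow" / "l dap" breaks in the pasted ACIs are exactly those folds. One thing to check before copying the third ACI verbatim: it names server1's own Server Instance Entry, so on server2 the equivalent grant may need to name server2's SIE instead.

```python
"""Find the ACIs one replica is missing relative to another and emit the
ldapmodify input that adds them.  Added example for the o=NetscapeRoot
failover thread; not code from the posts or from Fedora DS.  The two
dse.ldif fragments are constructed (the ACI text is John's) and the ACIs
are assumed to sit on cn=config."""
import re

SERVER1_DSE = """\
dn: cn=config
cn: config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=T
 opologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=N
 etscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=serv
 er1.example.com, ou=example.com, o=NetscapeRoot";)
nsslapd-accesslog-level: 256
"""

# server 2 after setup-ds.pl + consumer init: same entry, no admin ACIs
SERVER2_DSE = """\
dn: cn=config
cn: config
nsslapd-accesslog-level: 256
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous logical line (RFC 2849)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """{dn: [(attr, value), ...]} for plain 'attr: value' LDIF such as
    dse.ldif.  Base64 ('::') values are kept verbatim, not decoded."""
    entries, dn, attrs = {}, None, []
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if line == "":                      # blank line ends an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, []
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value))
    return entries


ACL_NAME = re.compile(r'acl\s+"([^"]*)"')


def acl_name(aci):
    """The acl "..." label inside an ACI, for readable reporting."""
    m = ACL_NAME.search(aci)
    return m.group(1) if m else "<unnamed>"


def missing_acis(reference_ldif, target_ldif, dn="cn=config"):
    """ACIs on `dn` in the reference server that the target lacks.
    Whitespace is collapsed before comparing so that different line
    folding does not show up as a difference."""
    def acis(ldif):
        return [v for a, v in parse_ldif(ldif).get(dn, []) if a == "aci"]

    def norm(s):
        return re.sub(r"\s+", " ", s).strip()

    have = {norm(v) for v in acis(target_ldif)}
    return [v for v in acis(reference_ldif) if norm(v) not in have]


def fold(line, width=76):
    """Fold one logical line to RFC 2849 width with space continuations."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def modify_ldif(dn, acis):
    """ldapmodify input adding `acis` to `dn` on the running server, the
    supported way to change cn=config (instead of editing dse.ldif)."""
    lines = [f"dn: {dn}", "changetype: modify", "add: aci"]
    lines += [fold(f"aci: {aci}") for aci in acis]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Real use: on each server run
    #   ldapsearch -x -D "cn=Directory Manager" -W -b cn=config -s base "(objectclass=*)" aci
    # and feed the two outputs in here instead of the constructed samples.
    gap = missing_acis(SERVER1_DSE, SERVER2_DSE)
    for aci in gap:
        print("server2 lacks:", acl_name(aci))
    print(modify_ldif("cn=config", gap), end="")
```

The generated LDIF is what you would pipe into ldapmodify as cn=Directory Manager against server2; the ACIs are compared after whitespace normalisation, so a copy that merely folds differently is not reported as missing.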
From dave at posthost.com Thu Oct 2 23:57:54 2008
From: dave at posthost.com (Dave)
Date: Thu, 02 Oct 2008 19:57:54 -0400
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
Message-ID: <48E56002.2040905@posthost.com>

Hi, I have an old Netscape Directory Server version 4.1 (circa 2001) that I need to migrate to Fedora Directory Server, but I am confused as to the proper migration path.

I've been reading the Red Hat DS install guides at http://www.redhat.com/docs/manuals/dir-server/ (as there doesn't appear to be as comprehensive a guide for Fedora DS).

The Red Hat DS 8.0 guide says that migrating Netscape DS 4.x is not supported (only version 6 and above), so I read the Red Hat DS 6.0 install guide and it says that Netscape DS 4.x is indeed supported. So am I right to presume that a step-upgrade will be required, from my current version 4.x to 6.x and then to the current version 8.0?

Also, what version of the Fedora-DS is equivalent to Red Hat DS 6.0?

Thanks -Dave

p.s. If somebody can tell me how to search this list's archives that would be much appreciated!

From solarflow99 at gmail.com Fri Oct 3 09:33:54 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Fri, 3 Oct 2008 10:33:54 +0100
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To: <48E56002.2040905@posthost.com>
References: <48E56002.2040905@posthost.com>
Message-ID: <7020fd000810030233k41e80e8ds21323041b4578b20@mail.gmail.com>

how extensive is it, can you export/import to LDIF?

On Fri, Oct 3, 2008 at 12:57 AM, Dave wrote:
> Hi, I have an old Netscape Directory Server version 4.1 (circa 2001) that
> I need to migrate to Fedora Directory Server, but I am confused as to the
> proper migration path.
>
> I've been reading the Red Hat DS install guides at
> http://www.redhat.com/docs/manuals/dir-server/ (as there doesn't appear
> to be as comprehensive a guide for Fedora DS).
>
> The Red Hat DS 8.0 guide says that migrating Netscape DS 4.x is not
> supported (only version 6 and above), so I read the Red Hat DS 6.0 install
> guide and it says that Netscape DS 4.x is indeed supported.
> So am I right to presume that a step-upgrade will be required, from my
> current version 4.x to 6.x and then to the current version 8.0?
>
> Also, what version of the Fedora-DS is equivalent to Red Hat DS 6.0?
> Thanks -Dave
>
> p.s. If somebody can tell me how to search this list's archives that would
> be much appreciated!

From mhalpern at accoona.com Fri Oct 3 14:55:54 2008
From: mhalpern at accoona.com (Marcelo N. Halpern)
Date: Fri, 03 Oct 2008 10:55:54 -0400
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To: <7020fd000810030233k41e80e8ds21323041b4578b20@mail.gmail.com>
References: <48E56002.2040905@posthost.com> <7020fd000810030233k41e80e8ds21323041b4578b20@mail.gmail.com>
Message-ID: <48E6327A.4060700@accoona.com>

I think you will find the most trouble in o=NetscapeRoot. More than likely you will have to recreate ACLs, roles, replication agreements, etc. by hand. I'm sure the data in o=UserRoot will not be a big deal. You just have to keep in mind that schemas may have varied slightly. Certificates and keys will have to be imported/exported to the new server also.

In all, I think you can go from Netscape 4.1 -> FDS 1.1.3 manually if you are well prepared. You can always bring up a cloned instance of Netscape 4.1 and try the step upgrade.

solarflow99 wrote:
> how extensive is it, can you export/import to LDIF?
>
> On Fri, Oct 3, 2008 at 12:57 AM, Dave wrote:
>
>     Hi, I have an old Netscape Directory Server version 4.1 (circa
>     2001) that I need to migrate to Fedora Directory Server, but I am
>     confused as to the proper migration path.
>
>     I've been reading the Red Hat DS install guides at
>     http://www.redhat.com/docs/manuals/dir-server/ (as there doesn't
>     appear to be as comprehensive a guide for Fedora DS).
>
>     The Red Hat DS 8.0 guide says that migrating Netscape DS 4.x is not
>     supported (only version 6 and above), so I read the Red Hat DS 6.0
>     install guide and it says that Netscape DS 4.x is indeed supported.
>     So am I right to presume that a step-upgrade will be required, from
>     my current version 4.x to 6.x and then to the current version 8.0?
>
>     Also, what version of the Fedora-DS is equivalent to Red Hat DS 6.0?
>     Thanks -Dave
>
>     p.s. If somebody can tell me how to search this list's archives that
>     would be much appreciated!

-- 
Marcelo Nicolás Halpern
Systems Administrator
Accoona Corporation
T: +1-201-377-3424
B: +1-201-850-3135
aim:mnhxacna y!:mnhxacna msn:mnhxacna at hotmail.com

From rmeggins at redhat.com Fri Oct 3 15:20:37 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 03 Oct 2008 09:20:37 -0600
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To: <48E56002.2040905@posthost.com>
References: <48E56002.2040905@posthost.com>
Message-ID: <48E63845.4070603@redhat.com>

Dave wrote:
>
> Hi, I have an old Netscape Directory Server version 4.1 (circa 2001)
> that I need to migrate to Fedora Directory Server, but I am confused
> as to the proper migration path.
>
> I've been reading the Red Hat DS install guides at
> http://www.redhat.com/docs/manuals/dir-server/ (as there doesn't
> appear to be as comprehensive a guide for Fedora DS).
The Red Hat guides are pretty good, but refer to the wiki for information about where they differ.

>
> The Red Hat DS 8.0 guide says that migrating Netscape DS 4.x is not
> supported (only version 6 and above), so I read the Red Hat DS 6.0 install
> guide and it says that Netscape DS 4.x is indeed supported.
> So am I right to presume that a step-upgrade will be required, from my
> current version 4.x to 6.x and then to the current version 8.0?

Yes. I hope you are a perl hacker . . . If you look here - http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/admin/src/scripts/?hideattic=0&root=dirsec - you will see several dead migration scripts. The main one you want to start with is template-migrateTo5 - http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/admin/src/scripts/template-migrateTo5?hideattic=0&revision=1.7&root=dirsec&view=markup - that file contains the code to convert the config and schema settings from the old style to the new ldif style.

>
> Also, what version of the Fedora-DS is equivalent to Red Hat DS 6.0?

There isn't one. The first version of Fedora DS was 7.1 which was essentially the same as Red Hat DS 7.1

> Thanks -Dave
>
> p.s. If somebody can tell me how to search this list's archives that
> would be much appreciated!
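For the schema half of what Rich describes (turning the 4.x conf-style definitions into the LDIF schema form newer servers read, which is also what Dave ends up doing by hand later in the thread), here is an added converter. It is not the project's template-migrateTo5 script and not code from the posts. The 4.x layout it parses (`attribute name [alias...] [oid] syntax [single]` lines in slapd.user_at.conf; `objectclass` blocks with oid/superior/requires/allows in slapd.user_oc.conf), the syntax-keyword-to-OID table, and the `name-oid` placeholder for attributes that never got a numeric OID are all assumptions from memory of those files, so compare against your own copies before trusting the output; the sample input is constructed.

```python
"""Convert Netscape DS 4.x slapd.user_at.conf / slapd.user_oc.conf schema
definitions into the LDIF schema form Fedora DS loads (99user.ldif).
Added example, not the project's template-migrateTo5 and not from the
posts.  The 4.x layout parsed here, the syntax mapping and the 'name-oid'
placeholder are assumptions to check against your own files; the sample
input below is constructed."""
import re

# 4.x syntax keyword -> LDAP syntax OID (assumed mapping; confirm against
# the syntaxes your target server advertises in cn=schema)
SYNTAX_OID = {
    "cis": "1.3.6.1.4.1.1466.115.121.1.15",  # DirectoryString, case-insensitive
    "ces": "1.3.6.1.4.1.1466.115.121.1.26",  # IA5String, case-exact
    "tel": "1.3.6.1.4.1.1466.115.121.1.50",  # TelephoneNumber
    "int": "1.3.6.1.4.1.1466.115.121.1.27",  # INTEGER
    "dn":  "1.3.6.1.4.1.1466.115.121.1.12",  # DN
    "bin": "1.3.6.1.4.1.1466.115.121.1.5",   # Binary
}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
ORIGIN = "X-ORIGIN 'migrated from Netscape DS 4.x'"

# constructed 4.x input: attribute name [alias...] [oid] syntax [single]
SAMPLE_AT = """\
# custom attributes
attribute\tuserPreference\tpref\t1.3.6.1.4.1.99999.1.1\tcis
attribute\tmailQuota\t1.3.6.1.4.1.99999.1.2\tint single
attribute\tlegacyFlag\tcis single
"""
SAMPLE_OC = """\
objectclass customPerson
\toid 1.3.6.1.4.1.99999.2.1
\tsuperior inetOrgPerson
\trequires
\t\tuserPreference
\tallows
\t\tmailQuota,
\t\tlegacyFlag
"""


def parse_at_conf(text):
    """Yield (names, oid, syntax, single) per 'attribute' line."""
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].lower() != "attribute":
            continue                      # comments, blanks, anything else
        toks = toks[1:]
        single = bool(toks) and toks[-1].lower() == "single"
        if single:
            toks = toks[:-1]
        if not toks or toks[-1].lower() not in SYNTAX_OID:
            raise ValueError(f"unrecognised syntax in: {line!r}")
        syntax = toks.pop().lower()
        oid = toks.pop() if toks and OID_RE.match(toks[-1]) else None
        if not toks:
            raise ValueError(f"attribute without a name: {line!r}")
        yield toks, oid, syntax, single   # toks: name, then aliases


def parse_oc_conf(text):
    """Yield one dict per 'objectclass' block (commas are separators)."""
    oc, section = None, None
    for line in text.splitlines():
        toks = line.replace(",", " ").split()
        if not toks or toks[0].startswith("#"):
            continue
        key = toks[0].lower()
        if key == "objectclass":
            if oc:
                yield oc
            oc = {"name": toks[1], "oid": None, "sup": None, "must": [], "may": []}
            section = None
        elif oc is None:
            raise ValueError(f"definition before any objectclass line: {line!r}")
        elif key == "oid" and section is None:
            oc["oid"] = toks[1]
        elif key == "superior" and section is None:
            oc["sup"] = toks[1] if len(toks) > 1 else None
        elif key in ("requires", "allows"):
            section = "must" if key == "requires" else "may"
            oc[section].extend(toks[1:])  # names may start on the same line
        elif section:
            oc[section].extend(toks)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if oc:
        yield oc


def attr_oid(names, oid):
    # FDS accepts a 'name-oid' placeholder where no numeric OID was assigned
    return oid or f"{names[0]}-oid"


def at_ldif(names, oid, syntax, single):
    name = (f"'{names[0]}'" if len(names) == 1
            else "( " + " ".join(f"'{n}'" for n in names) + " )")
    parts = [f"( {attr_oid(names, oid)} NAME {name} SYNTAX {SYNTAX_OID[syntax]}"]
    if single:
        parts.append("SINGLE-VALUE")
    parts.append(ORIGIN + " )")
    return "attributeTypes: " + " ".join(parts)


def oc_ldif(oc):
    parts = [f"( {oc['oid'] or oc['name'] + '-oid'} NAME '{oc['name']}'"]
    if oc["sup"]:
        parts.append(f"SUP {oc['sup']}")
    parts.append("STRUCTURAL")  # 4.x recorded no kind; change to AUXILIARY by hand
    if oc["must"]:
        parts.append("MUST ( " + " $ ".join(oc["must"]) + " )")
    if oc["may"]:
        parts.append("MAY ( " + " $ ".join(oc["may"]) + " )")
    parts.append(ORIGIN + " )")
    return "objectClasses: " + " ".join(parts)


def convert(at_text, oc_text):
    """Text of a 99user.ldif.  Lines are left unfolded, which FDS accepts;
    attributes are emitted before the object classes that reference them."""
    lines = ["dn: cn=schema", "objectClass: top", "objectClass: ldapSubentry",
             "objectClass: subschema", "cn: schema"]
    lines += [at_ldif(*a) for a in parse_at_conf(at_text)]
    lines += [oc_ldif(o) for o in parse_oc_conf(oc_text)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(convert(SAMPLE_AT, SAMPLE_OC), end="")
```

Drop the result in as 99user.ldif (or load it with ldapmodify against cn=schema) before importing the data LDIF, so that the import stops on genuine data problems rather than on every custom attribute; an unknown syntax keyword raises rather than silently defaulting, because a wrong syntax is far harder to notice after the import than before.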
From rmeggins at redhat.com Fri Oct 3 15:23:00 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 03 Oct 2008 09:23:00 -0600
Subject: [Fedora-directory-users] Windows Sync service - unsupported attribute when syncing
In-Reply-To: <1222909854.8108.58.camel@jcourteau-desktop>
References: <1222909854.8108.58.camel@jcourteau-desktop>
Message-ID: <48E638D4.4010204@redhat.com>

Jonas Courteau wrote:
> Hello:
>
> I've got the Windows Sync service set up to sync with an AD server. For
> some unknown reason, several of the groups on the AD server have an
> email address and the mail:, the mailNickname: and several
> Exchange-related attributes set.
>
> How would I go about modifying the schema that the Windows Sync service
> is using to create the groups on the DS side of things? I believe
> adding the mailrecipient object class should do the trick, but I can't
> find any documentation on doing this.
>
> Alternately, if there's a way of just dropping incompatible attributes
> when syncing, that would work too. The error I currently get when
> syncing:
>
> Entry "cn=Support,ou=Groups, dc=example, dc=com" -- attribute "mail" not
> allowed
> NSMMReplicationPlugin - add operation of entry cn=Support,ou=Groups,
> dc=example, dc=com returned: 65

What are the objectclasses for cn=Support,ou=Groups, dc=example, dc=com ?

Windows Sync is not extensible. If you need something extensible, I suggest you investigate Penrose Virtual Directory - http://docs.safehaus.org/display/PENROSE/Home

> Any suggestions would be helpful!
>
> - Jonas
From edlinuxguru at gmail.com Fri Oct 3 15:28:44 2008
From: edlinuxguru at gmail.com (Edward Capriolo)
Date: Fri, 3 Oct 2008 11:28:44 -0400
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To: <48E56002.2040905@posthost.com>
References: <48E56002.2040905@posthost.com>
Message-ID:

Everyone here hit on the main points. The products are made from the same code base so usually you only face minor schema changes. If your directory is small you can usually use the ldapsearch and ldapmodify command line tools. Some entire corporate directories are less than 4000 entries and export in less than a second. They import in less than 1 minute.

I suggest exporting the data using an ldapsearch and trying to load it on a fresh system using ldapmodify/add. The tools will stop on a schema violation and you can investigate why that particular object did not load.

What you are facing now is similar to a situation you may face with an upgrade from MySQL 3.0 to MySQL 5.0. It might be hard to find an upgrade path from vendor documentation, but a plain old mysqldump/mysqlimport will likely work. As mentioned you may have to specifically deal with ACLs, roles, replication agreements, but you would likely want to add those by hand so you can audit them in the process.

From rvandolson at esri.com Fri Oct 3 19:23:43 2008
From: rvandolson at esri.com (Ray Van Dolson)
Date: Fri, 3 Oct 2008 12:23:43 -0700
Subject: [Fedora-directory-users] Letting users see a tree in the console.
Message-ID: <20081003192343.GA20008@esri.com>

Not a big LDAP guy, just trying to get a task done fairly quickly. :)

I want to give a user access to cn=OracleContext,dc=example,dc=com in my Fedora DS setup (v1.0.4).
I've created the user:

uid=ouser,ou=People,dc=example,dc=com

And set an ACI on cn=OracleContext,dc=example,dc=com:

(targetattr = "*") (target = "ldap:///cn=OracleContext,dc=example,dc=com") (version 3.0; acl "OracleACI"; allow (all) (userdn = "ldap:///uid=ouser,ou=People, dc=example,dc=com") ;)

Just for giggles, I also set one on dc=example,dc=com as well:

(targetattr = "*") (target = "ldap:///dc=example, dc=com") (version 3.0;acl "OracleACI";allow (all) (userdn = "ldap:///uid=ouser,ou=People, dc=example,dc=com");)

Via ldapsearch, this user can see everything I'd expect (at least under the OracleContext container), but when I log in as the user to the Java console, the only objects I see available in the tree are schema, monitor and config.

Why can't this user see the dc=example,dc=com tree? I don't see any way to set ACIs at a higher level...

Thanks,
Ray

From glenn at mail.txwes.edu Fri Oct 3 22:06:01 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Fri, 3 Oct 2008 17:06:01 -0500
Subject: [Fedora-directory-users] Windows Sync Certificate Trouble?
Message-ID: <20081003220244.M14582@mail.txwes.edu>

All of a sudden, Windows Sync is broken and I'm getting this error message in the Fedora Directory 1.0.4 log:

[02/Oct/2008:06:08:10 -0500] NSMMReplicationPlugin - agmt="cn=AD-LawFacultyStaff" (boccherini:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8181 (Peer's Certificate has expired.)

The problem is that no certificate has expired. I checked them all, and they are still valid. Anyone got a clue?

Thanks.
-G.

From glenn at mail.txwes.edu Fri Oct 3 22:37:37 2008
From: glenn at mail.txwes.edu (Glenn)
Date: Fri, 3 Oct 2008 17:37:37 -0500
Subject: [Fedora-directory-users] Fw: Windows Sync Certificate Trouble?
In-Reply-To: <20081003220244.M14582@mail.txwes.edu>
References: <20081003220244.M14582@mail.txwes.edu>
Message-ID: <20081003223644.M54746@mail.txwes.edu>

Never mind.
I rebooted the Active Directory domain controller and the problem went away.

Thanks.
-G.

---------- Forwarded Message -----------
From: "Glenn"
To: "Fedora DS List"
Sent: Fri, 3 Oct 2008 17:06:01 -0500
Subject: Windows Sync Certificate Trouble?

All of a sudden, Windows Sync is broken and I'm getting this error message in the Fedora Directory 1.0.4 log:

[02/Oct/2008:06:08:10 -0500] NSMMReplicationPlugin - agmt="cn=AD-LawFacultyStaff" (boccherini:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8181 (Peer's Certificate has expired.)

The problem is that no certificate has expired. I checked them all, and they are still valid. Anyone got a clue?

Thanks.
-G.
------- End of Forwarded Message -------

From michael at stroeder.com Sat Oct 4 15:46:16 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 04 Oct 2008 17:46:16 +0200
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To:
References: <48E56002.2040905@posthost.com>
Message-ID: <48E78FC8.1090803@stroeder.com>

Edward Capriolo wrote:
> Everyone here hit on the main points. The products are made from the
> same code base so usually you only face minor schema changes.

Edward, please don't take it personally but without knowing the original poster's directory deployment you cannot assume only minor schema changes. I've set up Netscape DS 4.x deployments myself with massive schema changes.

> If your
> directory is small you can usually use the ldapsearch and ldapmodify
> command line tools. Some entire corporate directories are less than
> 4000 entries and export in less than a second. They import in less
> than 1 minute.

Using ldapsearch/ldapmodify for migration has the disadvantage of losing the operational attributes. This might be ok for this migration but has to be considered carefully. I'd strongly recommend exporting with db2ldif and sanitizing the LDIF data if needed before doing an import.
Without knowing further details, detailed recommendations are hard to give.

Ciao, Michael.

From dave at posthost.com Sun Oct 5 17:01:50 2008
From: dave at posthost.com (Dave)
Date: Sun, 05 Oct 2008 13:01:50 -0400
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To:
References: <48E56002.2040905@posthost.com>
Message-ID: <48E8F2FE.1040807@posthost.com>

Hey everybody, thanks for all the responses. I am new to this (if you couldn't tell), but this is a relatively small directory installation of about 500 people in the database. There is also iPlanet messaging server, app server, and web server installed, but the job is to migrate off those platforms onto open source so I am not too concerned about the config schema for those services.

With respect to exporting/importing an LDIF file, yes there are about 20 custom fields in the schema for varying types of data such as user preferences. This is one reason I was trying to avoid an import/export of LDIF as it would require some cleansing. The challenge of doing the step-upgrade now appears to be in finding version 6 iPlanet Directory Server to download somewhere... By the way, if anyone is willing to take a crack at this I'd be more than happy to compensate... I have a Red Hat test server set up with fedora-ds installed and an LDIF file containing a dump of the Netscape DS 4.1 server.

About Ed's comment about MySQL: I've never had so much trouble with SQ files as with LDIF files... don't SQL files usually have the data and schema right in the same file so everything can be done on a single import without much need for cleansing?

Thanks again -Dave

Edward Capriolo wrote:
> Everyone here hit on the main points. The products are made from the
> same code base so usually you only face minor schema changes. If your
> directory is small you can usually use the ldapsearch and ldapmodify
> command line tools. Some entire corporate directories are less than
> 4000 entries and export in less than a second.
> They import in less
> than 1 minute.
>
> I suggest exporting the data using an ldapsearch and trying to load it on
> a fresh system using ldapmodify/add. The tools will stop on a schema
> violation and you can investigate why that particular object did not load.
>
> What you are facing now is similar to a situation you may face with an
> upgrade from MySQL 3.0 to MySQL 5.0. It might be hard to find
> an upgrade path from vendor documentation, but a plain old
> mysqldump/mysqlimport will likely work. As mentioned you may have to
> specifically deal with ACLs, roles, replication agreements, but you
> would likely want to add those by hand so you can audit them in the
> process.

From michael at stroeder.com Sun Oct 5 18:38:37 2008
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 05 Oct 2008 20:38:37 +0200
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To: <48E8F2FE.1040807@posthost.com>
References: <48E56002.2040905@posthost.com> <48E8F2FE.1040807@posthost.com>
Message-ID: <48E909AD.2050608@stroeder.com>

Dave wrote:
> With respect to exporting/importing an LDIF file, yes there are about 20
> custom fields in the schema for varying types of data such as user
> preferences. This is one reason I was trying to avoid an
> import/export of LDIF as it would require some cleansing. The
> challenge of doing the step-upgrade now appears to be in finding version
> 6 iPlanet Directory Server to download somewhere... By the way, if
> anyone is willing to take a crack at this I'd be more than happy to
> compensate... I have a Red Hat test server set up with fedora-ds
> installed and an LDIF file containing a dump of the Netscape DS 4.1 server.

Still I'd recommend directly migrating to FDS by bulk-importing the LDIF.
If that does not work you can come to the mailing list to ask why it fails.

Ciao, Michael.

From dave at posthost.com Mon Oct 6 22:44:14 2008
From: dave at posthost.com (Dave)
Date: Mon, 06 Oct 2008 18:44:14 -0400
Subject: [Fedora-directory-users] Migrating Netscape DS to FDS
In-Reply-To: <48E909AD.2050608@stroeder.com>
References: <48E56002.2040905@posthost.com> <48E8F2FE.1040807@posthost.com> <48E909AD.2050608@stroeder.com>
Message-ID: <48EA94BE.2020303@posthost.com>

OK, exporting/importing the LDIF worked, but I had to do some sleuth work to determine the custom objects and attributes in slapd.user_oc.conf and slapd.user_at.conf respectively, then manually create these in the new server using the same object and attribute types. I suppose this is what the migration scripts would have done in version 6.0... not sure why they couldn't do the same work in version 8.0. They build this software to last decades, but we're supposed to discard it after a few years when the support discontinues? Good grief.

Thanks again to all who chimed in. Cheers -Dave

Michael Ströder wrote:
> Dave wrote:
>
>> With respect to exporting/importing an LDIF file, yes there are about 20
>> custom fields in the schema for varying types of data such as user
>> preferences. This is one reason I was trying to avoid an
>> import/export of LDIF as it would require some cleansing. The
>> challenge of doing the step-upgrade now appears to be in finding version
>> 6 iPlanet Directory Server to download somewhere... By the way, if
>> anyone is willing to take a crack at this I'd be more than happy to
>> compensate... I have a Red Hat test server set up with fedora-ds
>> installed and an LDIF file containing a dump of the Netscape DS 4.1 server.
>
> Still I'd recommend directly migrating to FDS by bulk-importing the
> LDIF. If that does not work you can come to the mailing list to ask
> why it fails.
>
> Ciao, Michael.
From lukasz.sobczak at altkom.pl Tue Oct 7 15:07:30 2008
From: lukasz.sobczak at altkom.pl (Łukasz Sobczak)
Date: Tue, 07 Oct 2008 17:07:30 +0200
Subject: [Fedora-directory-users] adminutil update...
Message-ID: <1223392051.6555.18.camel@klapa>

Hi,

I'm writing here for the first time, so first of all, I'd like to say hello to everyone :).

During the update process of my CentOS 5.2 server, I've encountered the following problem:

[root at nmail ~]$ yum update adminutil
(...)
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package adminutil.x86_64 0:1.1.7-1.fc6 set to be updated
--> Processing Dependency: adminutil = 1.1.5-1 for package: adminutil-devel
--> Finished Dependency Resolution
Error: Missing Dependency: adminutil = 1.1.5-1 is needed by package adminutil-devel

Does anyone know what happened to adminutil-devel? There's no adminutil-devel package in dirsrv's repo (I have checked it with a web browser). So, adminutil-devel is lost: is it a bug or a feature? :)

Best regards,
LukaszS.

-- 
Łukasz Sobczak
Postmaster
Altkom Akademia S.A. http://www.altkom.pl
Warszawa, ul. Chłodna 51

District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register, KRS: 0000120139, NIP 118-00-08-391, share capital: 1 000 000 PLN. Registered address of the company: ul. Stawki 2, 00-193 Warszawa.
This message contains proprietary information and trade secrets of Altkom Akademia S.A. company.
Unauthorized use or disclosure of this information to any third party is prohibited. If you received this message by mistake, please contact the sender immediately and delete all copies of this message.

From rmeggins at redhat.com Wed Oct 8 16:45:41 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Oct 2008 10:45:41 -0600
Subject: [Fedora-directory-users] adminutil update...
In-Reply-To: <1223392051.6555.18.camel@klapa>
References: <1223392051.6555.18.camel@klapa>
Message-ID: <48ECE3B5.2050501@redhat.com>

Łukasz Sobczak wrote:
> Hi,
>
> I'm writing here for the first time, so first of all, I'd like to say hello to
> everyone :).
>
> During the update process of my CentOS 5.2 server, I've encountered the
> following problem:
>
> [root at nmail ~]$ yum update adminutil
> (...)
> Setting up Update Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package adminutil.x86_64 0:1.1.7-1.fc6 set to be updated
> --> Processing Dependency: adminutil = 1.1.5-1 for package:
> adminutil-devel
> --> Finished Dependency Resolution
> Error: Missing Dependency: adminutil = 1.1.5-1 is needed by package
> adminutil-devel
>
> Does anyone know what happened to adminutil-devel? There's no
> adminutil-devel package in dirsrv's repo (I have checked it with a web
> browser). So, adminutil-devel is lost: is it a bug or a feature? :)

Sorry about that. It is now in the dirsrv repo.

> Best regards,
> LukaszS.
> This message contains proprietary information and trade secrets of Altkom Akademia S.A. company.
> Unauthorized use or disclosure of this information to any third party is prohibited.
> If you received this message by mistake, please contact the sender immediately and delete all copies of this message.
>

From erlingre at gmail.com Thu Oct 9 09:03:13 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Thu, 9 Oct 2008 11:03:13 +0200
Subject: [Fedora-directory-users] Windows Sync: Full re-syncronization fails
Message-ID: <664c5a070810090203v7bade230s46a4fdcb05327b77@mail.gmail.com>

I have just configured Windows sync (I use RHDS 8.0/RHEL 5.1).
When initiating a full re-synchronization I get these log entries from the Linux side:

[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - Running Dirsync
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): State: wait_for_changes -> wait_for_changes
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): State: wait_for_changes -> ready_to_acquire_replica
[03/Oct/2008:13:05:40 +0200] - acquire_replica, supplier RUV:
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - supplier: {replicageneration} 48e5d6030000ffff0000
[03/Oct/2008:13:05:40 +0200] - acquire_replica, consumer RUV:
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - consumer: {replicageneration} 48e5d6030000ffff0000
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): Trying non-secure slapi_ldap_init
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): binddn = Cn=srvLinuxLDAP, cn=users,dc=utv,dc=internsone2,dc=local, passwd = {DES}5OZLz0E4j2onl1VNZhRT3g==
[03/Oct/2008:13:05:40 +0200] - windows_conn_connect : detected Win2k3 peer
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): No linger to cancel on the connection
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): State: ready_to_acquire_replica -> sending_updates
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): No changes to send
[03/Oct/2008:13:05:40 +0200] - Sending dirsync search request
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): Beginning linger on the connection
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): Linger timeout has expired on the connection
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): State: sending_updates -> wait_for_changes
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (e24dcvw001:389): Disconnected from the consumer

From the AD side I get this in the event log:

Internal event: The LDAP server returned an error.

Additional Data
Error value:
00002105: LdapErr: DSID-0C0907C9, comment: Error processing control, data 0, vece

Anyone familiar with these problems? Do you know if it is possible to log all LDAP queries sent to AD from DS? I have enabled all possible logging, but I cannot find the query from the full re-sync operation in the logs.

Best regards,

Erling

From mrb137 at gmail.com Wed Oct 8 16:01:16 2008
From: mrb137 at gmail.com (Michael Brown)
Date: Wed, 8 Oct 2008 12:01:16 -0400
Subject: [Fedora-directory-users] SunOne 5.2 Migration to FDS/RHDS
Message-ID: <6b893dc90810080901t4f9c3f70s4b13455dfdfc4c77@mail.gmail.com>

I have a question on a couple of configuration parameters I see in a SunOne 5.2 dse.ldif but don't see referenced in a FDS or RHDS dse.ldif or in the FDS or RHDS documentation. Specifically,

nsslapd-maxconnections
nsslapd-threadnumber

Are these supported in FDS or RHDS? If so, do they still operate in the same manner as they would on a SunOne 5.2 DS instance?

The SunOne 5.2 docs indicate that if nsslapd-maxconnections is not set, then the value defaults to the max number of file descriptors. On SunOne, the nsslapd-threadnumber defaults to 30.

Thanks

Michael
From rmeggins at redhat.com Thu Oct 9 13:18:12 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Oct 2008 07:18:12 -0600
Subject: [Fedora-directory-users] SunOne 5.2 Migration to FDS/RHDS
In-Reply-To: <6b893dc90810080901t4f9c3f70s4b13455dfdfc4c77@mail.gmail.com>
References: <6b893dc90810080901t4f9c3f70s4b13455dfdfc4c77@mail.gmail.com>
Message-ID: <48EE0494.6050408@redhat.com>

Michael Brown wrote:
> I have a question on a couple of configuration parameters I see in a
> SunOne 5.2 dse.ldif but don't see referenced in a FDS or RHDS dse.ldif
> or in the FDS or RHDS documentation. Specifically,
>
> nsslapd-maxconnections
> nsslapd-threadnumber
>
> Are these supported in FDS or RHDS? If so, do they still operate in
> the same manner as they would on a SunOne 5.2 DS instance?
>
> The SunOne 5.2 docs indicate that if nsslapd-maxconnections is not
> set, then the value defaults to the max number of file descriptors.
> On SunOne, the nsslapd-threadnumber defaults to 30.
>
If config parameters are set to their default values, they will not show up in dse.ldif. Do an LDAP search of cn=config to see all config parameters with their default values.

I'm not sure what nsslapd-maxconnections is - Fedora DS has a parameter called nsslapd-conntablesize that may be related.
> Thanks
>
> Michael
>
From rmeggins at redhat.com Thu Oct 9 13:20:18 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Oct 2008 07:20:18 -0600
Subject: [Fedora-directory-users] Windows Sync: Full re-syncronization fails
In-Reply-To: <664c5a070810090203v7bade230s46a4fdcb05327b77@mail.gmail.com>
References: <664c5a070810090203v7bade230s46a4fdcb05327b77@mail.gmail.com>
Message-ID: <48EE0512.2000606@redhat.com>

Erling Ringen Elvsrud wrote:
> I have just configured Windows sync (I use RHDS 8.0/RHEL 5.1). When
> initiating a full re-synchronization I get these log entries from the
> Linux side:
>
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - Running Dirsync
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): State: wait_for_changes ->
> wait_for_changes
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): State: wait_for_changes ->
> ready_to_acquire_replica
> [03/Oct/2008:13:05:40 +0200] - acquire_replica, supplier RUV:
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - supplier:
> {replicageneration} 48e5d6030000ffff0000
> [03/Oct/2008:13:05:40 +0200] - acquire_replica, consumer RUV:
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - consumer:
> {replicageneration} 48e5d6030000ffff0000
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): Trying non-secure slapi_ldap_init
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): binddn = Cn=srvLinuxLDAP,
> cn=users,dc=utv,dc=internsone2,dc=local, passwd =
> {DES}5OZLz0E4j2onl1VNZhRT3g==
> [03/Oct/2008:13:05:40 +0200] - windows_conn_connect : detected Win2k3 peer
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): No linger to cancel on the
> connection
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> windows_acquire_replica returned success (101)
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): State: ready_to_acquire_replica
> -> sending_updates
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): No changes to send
> [03/Oct/2008:13:05:40 +0200] - Sending dirsync search request
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): Beginning linger on the
> connection
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): Linger timeout has expired on the
> connection
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): State: sending_updates ->
> wait_for_changes
> [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin -
> agmt="cn=testsync" (e24dcvw001:389): Disconnected from the consumer
>
> From the AD side I get this in the event log:
>
> Internal event: The LDAP server returned an error.
>
> Additional Data
> Error value:
> 00002105: LdapErr: DSID-0C0907C9, comment: Error processing control,
> data 0, vece
>
> Anyone familiar with these problems?
>
Looks like AD received an invalid LDAP message. I've seen this before when the DirSync control is not formed correctly. But I'm not sure how this could happen. I suggest running tcpdump or wireshark to capture the LDAP traffic between Fedora DS and AD to see what LDAP message is being sent.
> Do you know if it is possible to log all LDAP queries sent to AD from DS? I have
> enabled all possible logging, but I cannot find the query from the full re-sync
> operation in the logs.
>
> Best regards,
>
> Erling
>
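Rich's suggestion is to capture the wire traffic; a cheaper first pass is to read the agreement's state machine straight out of the error log Erling posted. What follows is an added example (my own code, not code from the thread or from Fedora DS) that parses lines in that format, lists each agreement's state transitions, and reports when a cycle sent nothing and still ended in a disconnect. It also scrubs the `passwd = {DES}...` value the server prints at this log level, because a log pasted to a list or a ticket otherwise carries the agreement's encoded bind credential. `SAMPLE_LOG`, its hostnames and DNs, and all function names are constructed for the example.

```python
"""Summarise Fedora/389 DS replication-plugin error-log lines per agreement.

Added example, not code from the thread or from the server. The line
format follows the entries quoted in this thread; SAMPLE_LOG below is
constructed to match it and is not a real capture.
"""
import re
from collections import OrderedDict

# One error-log line, e.g.
#   [03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=x" (host:389): State: a -> b
#   [03/Oct/2008:13:05:40 +0200] - acquire_replica, supplier RUV:
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?:(?P<plugin>\S+) )?- '
    r'(?:agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\): )?(?P<msg>.*)$')
STATE_RE = re.compile(r'State: (?P<src>\S+) -> (?P<dst>\S+)')
# At replication log level the server prints the agreement's bind
# credential; scrub it before the log is pasted anywhere.
PASSWD_RE = re.compile(r'(passwd = )\S+')

# Constructed sample in the thread's format (hostname, DN and the
# credential value are placeholders, not taken from a real server).
SAMPLE_LOG = """\
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - Running Dirsync
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (ad1.example.test:389): State: wait_for_changes -> ready_to_acquire_replica
[03/Oct/2008:13:05:40 +0200] - acquire_replica, supplier RUV:
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (ad1.example.test:389): binddn = cn=syncuser,cn=users,dc=example,dc=test, passwd = {DES}placeholder==
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (ad1.example.test:389): State: ready_to_acquire_replica -> sending_updates
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (ad1.example.test:389): No changes to send
[03/Oct/2008:13:05:40 +0200] - Sending dirsync search request
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (ad1.example.test:389): State: sending_updates -> wait_for_changes
[03/Oct/2008:13:05:40 +0200] NSMMReplicationPlugin - agmt="cn=testsync" (ad1.example.test:389): Disconnected from the consumer
"""


def redact(line):
    """Replace the printed bind password with a marker, keep the rest."""
    return PASSWD_RE.sub(r'\1<redacted>', line)


def parse_lines(text):
    """Yield a dict (ts, plugin, agmt, peer, msg) per parsable line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()


def summarize(text):
    """Per agreement: peer, ordered state transitions, final state, and
    whether the cycle sent nothing and ended with a disconnect."""
    report = OrderedDict()
    for ev in parse_lines(text):
        if ev['agmt'] is None:      # plugin-level line, not tied to an agreement
            continue
        agmt = report.setdefault(ev['agmt'], {
            'peer': ev['peer'], 'transitions': [], 'final_state': None,
            'no_changes_to_send': False, 'disconnected': False})
        s = STATE_RE.search(ev['msg'])
        if s:
            agmt['transitions'].append((s['src'], s['dst']))
            agmt['final_state'] = s['dst']
        elif ev['msg'] == 'No changes to send':
            agmt['no_changes_to_send'] = True
        elif ev['msg'] == 'Disconnected from the consumer':
            agmt['disconnected'] = True
    return report


def redacted_copy(text):
    """The same log with credentials scrubbed, safe to share."""
    return '\n'.join(redact(line) for line in text.splitlines())


if __name__ == '__main__':
    for name, info in summarize(SAMPLE_LOG).items():
        path = [info['transitions'][0][0]] + [dst for _, dst in info['transitions']]
        print(name, info['peer'], ' -> '.join(path))
    print(redacted_copy(SAMPLE_LOG))
```

Run against a real errors file, the `disconnected` plus `no_changes_to_send` pair is the signature of the cycle in Erling's log: the supplier acquired the replica, sent the DirSync search, and was dropped without ever leaving `sending_updates` with data, which is the point at which AD's "Error processing control" event fires.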
From erlingre at gmail.com Thu Oct 9 15:34:50 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Thu, 9 Oct 2008 17:34:50 +0200
Subject: [Fedora-directory-users] Windows Sync: Full re-syncronization fails
In-Reply-To: <48EE0512.2000606@redhat.com>
References: <664c5a070810090203v7bade230s46a4fdcb05327b77@mail.gmail.com> <48EE0512.2000606@redhat.com>
Message-ID: <664c5a070810090834t4d1f3f9ci7142231cf2d7b128@mail.gmail.com>

On Thu, Oct 9, 2008 at 3:20 PM, Rich Megginson wrote:
[...]
>
> Looks like AD received an invalid LDAP message. I've seen this before when
> the DirSync control is not formed correctly. But I'm not sure how this
> could happen. I suggest running tcpdump or wireshark to capture the LDAP
> traffic between Fedora DS and AD to see what LDAP message is being sent.

Thanks for the suggestion. I will try tomorrow.

Erling

From orion at cora.nwra.com Thu Oct 9 16:26:26 2008
From: orion at cora.nwra.com (Orion Poplawski)
Date: Thu, 09 Oct 2008 10:26:26 -0600
Subject: [Fedora-directory-users] URL for ldaploadcacert?
Message-ID: <48EE30B2.2040008@cora.nwra.com>

Does FDS automatically provide a URL that can be used with authconfig's ldaploadcacert option to download and install the CA cert for the directory server?

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion at cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

From rmeggins at redhat.com Thu Oct 9 17:13:15 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Oct 2008 11:13:15 -0600
Subject: [Fedora-directory-users] URL for ldaploadcacert?
In-Reply-To: <48EE30B2.2040008@cora.nwra.com>
References: <48EE30B2.2040008@cora.nwra.com>
Message-ID: <48EE3BAB.1060100@redhat.com>

Orion Poplawski wrote:
> Does FDS automatically provide a URL that can be used with
> authconfig's ldaploadcacert option to download and install the CA cert
> for the directory server?
>
No, not afaik

From vujin at fon.rs Mon Oct 13 12:08:24 2008
From: vujin at fon.rs (vujin at fon.rs)
Date: Mon, 13 Oct 2008 14:08:24 +0200
Subject: [Fedora-directory-users] how to windows sync crypted userPassword ?
Message-ID: <20081013140824.xnqc6kte88kw8wso@fon.fon.rs>

I migrated users from OpenLDAP (export in LDIF) to FDS (import from LDIF). Windows sync is working between FDS and Windows AD, except for the attribute userPassword: the userPassword attribute holds Unix-style "crypt"ed passwords ({crypt}).

Is it possible, and how, to sync the crypted userPassword?

From zahra.bahar at gmail.com Tue Oct 14 11:14:56 2008
From: zahra.bahar at gmail.com (zahra baharlooi)
Date: Tue, 14 Oct 2008 14:44:56 +0330
Subject: [Fedora-directory-users] java error in console parts
Message-ID:

Hi

I want to get a certificate for the DS server. When I want to open "Manage certificate" in the task tab of the console, it sends this error:

java.net.ConnectException: Connection refused

but other parts of the console work without any problem. What's the reason for this error?

From hugo.etievant at inrp.fr Tue Oct 14 15:08:16 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Tue, 14 Oct 2008 17:08:16 +0200
Subject: [Fedora-directory-users] How to obtain detailled stats about replication lock out ?
Message-ID: <48F4B5E0.9010103@inrp.fr>

hello,

I am looking to obtain some detailed stats about multimaster replication (FDS MMR):
- time during which a supplier uses exclusive access to a consumer to send updates
- number of updates during a 'supplier push connection'
- number of "Replica busy errors"
- on a consumer, frequency of other suppliers being locked out

Where can I find this information? The information found in the error log file (log level 8192) is too limited.

--
Hugo Étiévant
Service commun informatique
Institut National de Recherche Pédagogique

From rmeggins at redhat.com Tue Oct 14 15:19:50 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Oct 2008 09:19:50 -0600
Subject: [Fedora-directory-users] How to obtain detailled stats about replication lock out ?
In-Reply-To: <48F4B5E0.9010103@inrp.fr>
References: <48F4B5E0.9010103@inrp.fr>
Message-ID: <48F4B896.2070409@redhat.com>

Hugo Etievant wrote:
> hello,
>
> I am looking to obtain some detailed stats about multimaster replication
> (FDS MMR):
> - time during which a supplier uses exclusive access to a consumer to send
> updates
> - number of updates during a 'supplier push connection'
> - number of "Replica busy errors"
> - on a consumer, frequency of other suppliers being locked out
>
> Where can I find this information?
You can get most of this information by querying the replication agreement entry on each supplier - http://tinyurl.com/35qddb

See
nsDS5ReplicaChangesSentSinceStartup
nsDS5ReplicaLastUpdateStatus
nsDS5ReplicaUpdateInProgress
nsDS5ReplicaLastUpdateStart
nsDS5ReplicaLastUpdateEnd
> The information found in the error log file (log level 8192) is too limited.
>
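To turn the attributes Rich lists into the figures Hugo asked for, here is an added example (my own code, not code from the thread or from Fedora DS) that reads one replication agreement entry as ldapsearch returns it in LDIF, unfolds continuation lines, and derives the duration of the last update session, the number of changes sent, and the last status code. The sample entry and every helper name are constructed for the example. Two value formats are assumed and flagged in the code: `replicaid:sent/skipped` for nsDS5ReplicaChangesSentSinceStartup and `code message` for nsDS5ReplicaLastUpdateStatus; check both against a live entry on your own version before relying on them.

```python
"""Derive replication session figures from a replication agreement entry.

Added example, not code from the thread or from Fedora DS. SAMPLE_LDIF is
a constructed entry carrying the attributes named in Rich's reply; the
value formats parsed below are assumptions noted beside each parser.
"""
import base64
import re
from datetime import datetime, timezone

# Constructed sample (hostnames and values are placeholders). The status
# value is deliberately folded across two lines, as LDIF output often is.
SAMPLE_LDIF = """\
dn: cn=to-consumer1,cn=replica,cn="dc=example,dc=test",cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: to-consumer1
description:: Y29uc3RydWN0ZWQgc2FtcGxl
nsDS5ReplicaHost: consumer1.example.test
nsDS5ReplicaPort: 389
nsDS5ReplicaChangesSentSinceStartup: 42:17/3
nsDS5ReplicaLastUpdateStart: 20081014151950Z
nsDS5ReplicaLastUpdateEnd: 20081014152003Z
nsDS5ReplicaLastUpdateStatus: 0 Replica acquired successfully: Incrementa
 l update succeeded
nsDS5ReplicaUpdateInProgress: FALSE
"""

# Assumed form 'replicaid:sent/skipped'; a bare integer is also accepted.
CHANGES_RE = re.compile(r'^(?:(?P<rid>\d+):)?(?P<sent>\d+)(?:/(?P<skipped>\d+))?\s*$')


def parse_ldif_entry(text):
    """Return {attribute (lower-cased): [values]} for one LDIF entry.
    Handles folded lines (leading space) and base64 values ('::')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw and not raw.startswith('#'):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(':')
        value = value.strip()
        if value.startswith(':'):         # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def parse_generalized_time(value):
    """LDAP GeneralizedTime as the server writes it: YYYYMMDDhhmmssZ."""
    return datetime.strptime(value, '%Y%m%d%H%M%SZ').replace(tzinfo=timezone.utc)


def last_update_seconds(entry):
    """How long the last session held the consumer (start to end)."""
    start = parse_generalized_time(entry['nsds5replicalastupdatestart'][0])
    end = parse_generalized_time(entry['nsds5replicalastupdateend'][0])
    return (end - start).total_seconds()


def changes_sent(entry):
    """(sent, skipped) since the supplier started; see CHANGES_RE."""
    m = CHANGES_RE.match(entry['nsds5replicachangessentsincestartup'][0])
    if not m:
        raise ValueError('unrecognised nsDS5ReplicaChangesSentSinceStartup value')
    return int(m['sent']), int(m['skipped'] or 0)


def last_update_status(entry):
    """Assumed form 'code message': (int code, message). 0 is success."""
    code, _, message = entry['nsds5replicalastupdatestatus'][0].partition(' ')
    return int(code), message


def agreement_report(entry):
    """One dict per poll, the shape a monitoring job would record; counting
    polls with replica_busy=True over time gives Hugo's busy-error figure."""
    code, message = last_update_status(entry)
    sent, skipped = changes_sent(entry)
    return {
        'host': entry['nsds5replicahost'][0],
        'port': int(entry['nsds5replicaport'][0]),
        'last_update_seconds': last_update_seconds(entry),
        'changes_sent': sent, 'changes_skipped': skipped,
        'status_code': code, 'status': message,
        'replica_busy': 'busy' in message.lower(),
        'in_progress': entry['nsds5replicaupdateinprogress'][0].upper() == 'TRUE',
    }


if __name__ == '__main__':
    for key, val in agreement_report(parse_ldif_entry(SAMPLE_LDIF)).items():
        print(f'{key:20} {val}')
```

Polling `agreement_report` on each supplier at a fixed interval and keeping the history answers the first three of Hugo's questions (session length, changes per session, busy errors); the lock-out frequency on the consumer side is the same data seen from the other suppliers' agreements.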
From vipulramani at gmail.com Tue Oct 14 20:39:43 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 14 Oct 2008 13:39:43 -0700
Subject: [Fedora-directory-users] how to disable SSL on Directory console
Message-ID:

Well,

I enabled SSL on the Directory console and restarted directory dirser-admin.

Now I am not able to login .. how do I disable it from the configuration file ???

thanks ..

--
Regards

Vipul Ramani

From rmeggins at redhat.com Tue Oct 14 20:45:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Oct 2008 14:45:13 -0600
Subject: [Fedora-directory-users] how to disable SSL on Directory console
In-Reply-To:
References:
Message-ID: <48F504D9.8030500@redhat.com>

Vipul Ramani wrote:
> Well,
>
> I enabled SSL on the Directory console and restarted directory dirser-admin.
>
> Now I am not able to login .. how do I disable it from the configuration
> file ???
It depends. What is the problem you are seeing?

fedora-idm-console -D 9 -f console.log

will provide a lot more information.

How did you create your certs and enable SSL? What steps did you follow? Did you see this - http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information
>
>
> thanks ..
>
> --
> Regards
>
> Vipul Ramani
>
From vipulramani at gmail.com Tue Oct 14 21:07:40 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 14 Oct 2008 14:07:40 -0700
Subject: [Fedora-directory-users] Re: how to disable SSL on Directory console
In-Reply-To:
References:
Message-ID:

Actually I just tried using the console GUI (but did not import the certificate)

your host and DNS configuration
[Tue Oct 14 07:02:17 2008] [crit] buildUGInfo(): unable to initialize TLS connection to LDAP host linux2.test.com port 636: 4
[Tue Oct 14 07:02:17 2008] [error] [client 192.168.1.205] user admin: authentication failure for "/admin-serv/authenticate": Password Mismatch

and also changed the password admpw @ /etc/dirsrv/admin-serv .

I am not able to log in as admin or cn=Directory Manager .... so .

I want to revert the configuration to disable the SSL configuration ..

On Tue, Oct 14, 2008 at 1:39 PM, Vipul Ramani wrote:
> Well,
>
> I enabled SSL on the Directory console and restarted directory dirser-admin.
>
> Now I am not able to login .. how do I disable it from the configuration file ???
>
>
>
> thanks ..
>
> --
> Regards
>
> Vipul Ramani
>
>

--
Regards

Vipul Ramani

From rmeggins at redhat.com Tue Oct 14 21:15:16 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Oct 2008 15:15:16 -0600
Subject: [Fedora-directory-users] Re: how to disable SSL on Directory console
In-Reply-To:
References:
Message-ID: <48F50BE4.8090502@redhat.com>

Vipul Ramani wrote:
> Actually I just tried using the console GUI (but did not import the
> certificate)
>
> your host and DNS configuration
> [Tue Oct 14 07:02:17 2008] [crit] buildUGInfo(): unable to initialize
> TLS connection to LDAP host linux2.test.com
> port 636: 4
So you did not configure the directory server to use TLS/SSL?
> [Tue Oct 14 07:02:17 2008] [error] [client 192.168.1.205
> ] user admin: authentication failure for
> "/admin-serv/authenticate": Password Mismatch
>
> and also changed the password admpw @ /etc/dirsrv/admin-serv .
How? Just in the admpw file?
>
> I am not able to log in as admin or cn=Directory Manager .... so .
Why not cn=Directory Manager?
>
>
> I want to revert the configuration to disable the SSL configuration ..
See - http://directory.fedoraproject.org/wiki/Howto:SSL#Console_SSL_Information
>
>
>
>
> On Tue, Oct 14, 2008 at 1:39 PM, Vipul Ramani
> wrote:
>
>     Well,
>
>     I enabled SSL on the Directory console and restarted directory
>     dirser-admin.
>
>     Now I am not able to login .. how do I disable it from the configuration
>     file ???
>
>
>     thanks ..
>
>     --
>     Regards
>
>     Vipul Ramani
>
>
>
>
> --
> Regards
>
> Vipul Ramani
>

From vipulramani at gmail.com Tue Oct 14 22:12:31 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 14 Oct 2008 15:12:31 -0700
Subject: [Fedora-directory-users] Re: how to disable SSL on Directory console
In-Reply-To:
References:
Message-ID:

it is solved ..
in adm.conf

ldapurl: ldap://linux2.test.com:389/o=NetscapeRoot

from

ldapurl: ldaps://linux2.test.com:636/o=NetscapeRoot

thanks

On Tue, Oct 14, 2008 at 2:07 PM, Vipul Ramani wrote:
> Actually I just tried using the console GUI (but did not import the certificate
> )
>
> your host and DNS configuration
> [Tue Oct 14 07:02:17 2008] [crit] buildUGInfo(): unable to initialize TLS
> connection to LDAP host linux2.test.com port 636: 4
> [Tue Oct 14 07:02:17 2008] [error] [client 192.168.1.205] user admin:
> authentication failure for "/admin-serv/authenticate": Password Mismatch
>
> and also changed the password admpw @ /etc/dirsrv/admin-serv .
>
> I am not able to log in as admin or cn=Directory Manager .... so .
>
>
> I want to revert the configuration to disable the SSL configuration ..
>
>
>
>
> On Tue, Oct 14, 2008 at 1:39 PM, Vipul Ramani wrote:
>
>> Well,
>>
>> I enabled SSL on the Directory console and restarted directory dirser-admin.
>>
>> Now I am not able to login .. how do I disable it from the configuration file
>> ???
>>
>>
>> thanks ..
>>
>> --
>> Regards
>>
>> Vipul Ramani
>>
>>
>
>
> --
> Regards
>
> Vipul Ramani
>
>

--
Regards

Vipul Ramani

From vipulramani at gmail.com Tue Oct 14 22:42:06 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 14 Oct 2008 15:42:06 -0700
Subject: [Fedora-directory-users] SYNC without password ...
Message-ID:

Hi All,

I am doing Active Directory ----> FDS (ssl); all attributes are replicated from ADC ---> FDS .. But I am not able to see the password attribute in FDS ?

Replication
FDS - working as master
Passync for replication

replication is happening from Active Directory:636 ---- > FDS : 636 .

Am I missing something ...
------Adc user profile, which is replicated in FDS-------
dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com
ntUniqueId: f96921fe188c4b47a243ab088512103d
givenName: vipul
sn: r
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
uid: vramani
ntUserDeleteAccount: true
cn: vipul r
ntUserDomainId: vramani
ntUserAcctExpires: 9223372036854775807
ntUserCodePage: 0
------
----access------

[14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass"
[14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0 tag=101 nentries=0 etime=1
[14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH base="dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:19 -0700] conn=4 op=173 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH base="dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass"
[14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:26 -0700] conn=3 op=122 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
[14/Oct/2008:08:37:27 -0700] conn=3 op=124 RESULT err=0 tag=103 nentries=0 etime=0
[14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
[14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
[14/Oct/2008:08:37:31 -0700] conn=3 op=126 RESULT err=0 tag=101 nentries=1 etime=0
[14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
[14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0 tag=103 nentries=0 etime=0
[14/Oct/2008:08:37:31 -0700] conn=3 op=128 MOD dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
[14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0 tag=103 nentries=0 etime=0
[14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass"
[14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0 tag=101 nentries=18 etime=0
------

thanks in Adv...

--
Regards

Vipul Ramani

From vipulramani at gmail.com Wed Oct 15 00:10:03 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 14 Oct 2008 17:10:03 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

--- passsync log ---

10/14/08 17:05:56: Failed to load entries from file
10/14/08 17:05:56: Ldap bind error in Connect
48: Inappropriate authentication
10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords
-----------------------------

ADC (where PassSync is installed) #

On the Directory Server, export the server certificate using pk12util.

FDS# pk12util -d . -o servercert.pfx -n Server-Cert

then,

Import the server certificate from the Directory Server into the new certificate databases using pk12util.exe.

pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx

then

Give trusted peer status to the server.

certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M -n Server-Cert -t "P,P,P"

C:\Program Files (x86)\Red Hat Directory Password Synchronization>certutil.exe -L -d . -P
CA certificate                                               c,c,c
Server-Cert                                                  Pu,Pu,Pu   <-- imported from FDS

C:\Program Files (x86)\Red Hat Directory Password Synchronization>
---------------------------

still the same error ....

On Tue, Oct 14, 2008 at 3:42 PM, Vipul Ramani wrote:
> Hi All,
>
> I am doing Active Directory ----> FDS (ssl); all attributes are replicated
> from ADC ---> FDS .. But I am not able to see the password attribute in FDS ?
>
> Replication
> FDS - working as master
> Passync for replication
>
> replication is happening from Active Directory:636 ---- > FDS : 636 .
>
>
> Am I missing something ...
>
> ------Adc user profile, which is replicated in FDS-------
> dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com
> ntUniqueId: f96921fe188c4b47a243ab088512103d
> givenName: vipul
> sn: r
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetOrgPerson
> objectClass: ntUser
> uid: vramani
> ntUserDeleteAccount: true
> cn: vipul r
> ntUserDomainId: vramani
> ntUserAcctExpires: 9223372036854775807
> ntUserCodePage: 0
> ------
> ----access------
>
>
> [14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH base="ou=People,
> dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
> [14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0 tag=101 nentries=1
> etime=0
> [14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH base="ou=People,
> dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)"
> attrs="objectClass"
> [14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0 tag=101 nentries=0
> etime=1
> [14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH
> base="dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)"
> attrs=ALL
> [14/Oct/2008:08:37:19 -0700] conn=4 op=173 RESULT err=0 tag=101
> nentries=1 etime=0
> [14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH
> base="dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)"
> attrs="objectClass"
> [14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0 tag=101 nentries=1
> etime=0
> [14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH base="ou=People,
> dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
> [14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0 tag=101 nentries=1
> etime=0
> [14/Oct/2008:08:37:26 -0700] conn=3 op=122 SRCH
> base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL
> [14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0 tag=101 nentries=1
> etime=0
> [14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD dn="cn=Vedant, cn=replica,
> cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
> [14/Oct/2008:08:37:27 -0700] conn=3 op=124 RESULT err=0 tag=103 nentries=0
> etime=0
> [14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH base="cn=Vedant,
> cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd
> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus
> nsds5replicaUpdateInProgress nsds5replicaLastInitStart
> nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
> [14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0 tag=101 nentries=1
> etime=0
> [14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH
> base="cn=replication,cn=config" scope=2 filter="(objectClass=*)"
> attrs=ALL
> [14/Oct/2008:08:37:31 -0700] conn=3 op=126 RESULT err=0 tag=101
> nentries=1 etime=0
> [14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD dn="cn=Vedant, cn=replica,
> cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
> [14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0 tag=103 nentries=0
> etime=0
> [14/Oct/2008:08:37:31 -0700] conn=3 op=128 MOD dn="cn=Vedant,
> cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
> [14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0 tag=103 nentries=0
> etime=0
> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH base="ou=People,
> dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)"
> attrs="objectClass"
> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0 tag=101 nentries=18
> etime=0
> ------
>
>
> thanks in Adv...
>
>
>
>

--
Regards

Vipul Ramani

From vipulramani at gmail.com Wed Oct 15 00:26:16 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 14 Oct 2008 17:26:16 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

I feel I am so close to solving this problem .. since a long time ..
If anyone has a clue as to what I forgot ...

I changed the password of cn=replication,cn=config and now I am only getting this error

----passsync log ----

10/14/08 17:24:19: Failed to load entries from file

##### I don't know "Failed to load entries from FILE" (WHICH file PassSync is talking about) #####

10/14/08 17:26:41: Failed to load entries from file
10/14/08 17:26:41: PassSync service stopped
10/14/08 17:26:42: PassSync service started
10/14/08 17:26:42: Failed to load entries from file
----------------

/var/log/dir-serv/slapd-linux2/access

[14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1
[14/Oct/2008:10:21:21 -0700] conn=39 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:21:21 -0700] conn=39 SSL 128-bit RC4
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND
[14/Oct/2008:10:21:21 -0700] conn=39 op=1 fd=69 closed - U1

/var/log/dir-serv/slapd-linux2/errors

NO ERRORs ..

On Tue, Oct 14, 2008 at 5:10 PM, Vipul Ramani wrote:
>
> --- passsync log ---
>
> 10/14/08 17:05:56: Failed to load entries from file
> 10/14/08 17:05:56: Ldap bind error in Connect
> 48: Inappropriate authentication
> 10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords
> -----------------------------
>
> ADC (where PassSync is installed) #
>
> On the Directory Server, export the server certificate using pk12util.
>
> FDS# pk12util -d . -o servercert.pfx -n Server-Cert
>
>
> then,
>
> Import the server certificate from the Directory Server into the new
> certificate databases using pk12util.exe.
>
> pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx
>
> then
>
> Give trusted peer status to the server.
>
> certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M
> -n Server-Cert -t "P,P,P"
>
>
>
> C:\Program Files (x86)\Red Hat Directory Password
> Synchronization>certutil.exe -L -d . -P
> CA certificate                                               c,c,c
> Server-Cert                                                  Pu,Pu,Pu   <--
> imported from FDS
>
> C:\Program Files (x86)\Red Hat Directory Password Synchronization>
> ---------------------------
>
> still the same error ....
>
>
>
>
>
> On Tue, Oct 14, 2008 at 3:42 PM, Vipul Ramani wrote:
>
>> Hi All,
>>
>> I am doing Active Directory ----> FDS (ssl); all attributes are replicated
>> from ADC ---> FDS .. But I am not able to see the password attribute in FDS ?
>>
>> Replication
>> FDS - working as master
>> Passync for replication
>>
>> replication is happening from Active Directory:636 ---- > FDS : 636 .
>>
>>
>> Am I missing something ...
>> >> ------Adc user profile , which is replicated in FDS ------- >> dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com >> ntUniqueId: f96921fe188c4b47a243ab088512103d >> givenName: vipul >> sn: r >> objectClass: top >> objectClass: person >> objectClass: organizationalperson >> objectClass: inetOrgPerson >> objectClass: ntUser >> uid: vramani >> ntUserDeleteAccount: true >> cn: vipul r >> ntUserDomainId: vramani >> ntUserAcctExpires: 9223372036854775807 >> ntUserCodePage: 0 >> ------ >> ----acess------ >> >> >> [14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH base="ou=People, >> dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >> [14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0 tag=101 nentries=1 >> etime=0 >> [14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH base="ou=People, >> dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" >> attrs="objectClass" >> [14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0 tag=101 nentries=0 >> etime=1 >> [14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH >> base="dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" >> attrs=ALL[14/Oct/2008:08:37:19 -0700] conn=4 op=173 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH >> base="dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" >> attrs="objectClass" >> [14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0 tag=101 nentries=1 >> etime=0 >> [14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH base="ou=People, >> dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >> [14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0 tag=101 nentries=1 >> etime=0[14/Oct/2008:08:37:26 -0700] conn=3 op=122 SRCH >> base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL >> [14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0 tag=101 nentries=1 >> etime=0 >> [14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD dn="cn=Vedant, cn=replica, >> cn=\22dc=tf-lab,dc=test,dc=com\22, 
cn=mapping tree, cn=config" >> [14/Oct/2008:08:37:27 -0700] conn=3 op=124 RESULT err=0 tag=103 nentries=0 >> etime=0[14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH base="cn=Vedant, >> cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" >> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" >> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd >> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus >> nsds5replicaUpdateInProgress nsds5replicaLastInitStart >> nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh" >> [14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0 tag=101 nentries=1 >> etime=0 >> [14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH >> base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" >> attrs=ALL[14/Oct/2008:08:37:31 -0700] conn=3 op=126 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD dn="cn=Vedant, cn=replica, >> cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" >> [14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0 tag=103 nentries=0 >> etime=0[14/Oct/2008:08:37:31 -0700] conn=3 op=128 MOD dn="cn=Vedant, >> cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" >> [14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0 tag=103 nentries=0 >> etime=0 >> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH base="ou=People, >> dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" >> attrs="objectClass" >> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0 tag=101 >> nentries=18 etime=0 >> ------ >> >> >> thanks in Adv... >> >> >> >> >> > -- > Regards > > Vipul Ramani > > -- Regards Vipul Ramani -------------- next part -------------- An HTML attachment was scrubbed... 
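A check worth having at this point, added here as an example by the editor and not part of the thread or of Fedora DS: the access log above already tells you whether PassSync's bind succeeded. The script below pairs each BIND with the RESULT of the same conn/op, records whether the connection was SSL and which cipher it negotiated, and flags failed binds (err=48 is "inappropriate authentication", the code in the earlier PassSync log), simple binds sent over a non-SSL connection, and LDAPv2 clients. The log text is constructed after the excerpt in the message (same DNs and addresses; conn=39 is altered into one failing non-SSL bind so the checks have something to catch); the function names are the editor's.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the access-log excerpt in the message above:
# conn=38 is copied from it; conn=39 is altered into a non-SSL LDAPv3 bind that
# fails with err=48 (inappropriate authentication, the code PassSync reported).
SAMPLE_ACCESS_LOG = """\
[14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND dn="cn=replication,cn=config" method=128 version=2
[14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication,cn=config"
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND
[14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1
[14/Oct/2008:10:21:21 -0700] conn=39 fd=70 slot=70 connection from 192.168.1.200 to 192.168.1.210
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND dn="cn=replication,cn=config" method=128 version=3
[14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND
"""

# Line shapes as written by the 389/Fedora DS access log.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+) to (\S+)")
CIPHER_RE = re.compile(r"conn=(\d+) SSL (.+)$")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+) version=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def parse_binds(log_text):
    """One record per BIND, joined with the RESULT that carries the same conn and op."""
    conns = defaultdict(dict)   # conn id -> client address, ssl flag, cipher
    binds = {}                  # (conn, op) -> bind record, in log order
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[m.group(1)].update(client=m.group(3), ssl=m.group(2) is not None)
            continue
        m = CIPHER_RE.search(line)
        if m:
            conns[m.group(1)]["cipher"] = m.group(2).strip()
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method, version = m.groups()
            binds[(conn, op)] = {
                "conn": conn,
                "client": conns[conn].get("client"),
                "ssl": conns[conn].get("ssl", False),
                "cipher": conns[conn].get("cipher"),
                "dn": dn,
                "simple": method == "128",   # method=128 is a simple (password) bind
                "version": int(version),
                "err": None,                 # filled in from the matching RESULT line
            }
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in binds:
            binds[(m.group(1), m.group(2))]["err"] = int(m.group(3))
    return list(binds.values())


def findings(records):
    """What an auditor wants to know about each bind: failures, cleartext passwords, old protocol."""
    out = []
    for r in records:
        if r["err"] not in (0, None):
            out.append(f'conn={r["conn"]}: bind as {r["dn"]} from {r["client"]} failed with err={r["err"]}')
        if r["simple"] and not r["ssl"]:
            out.append(f'conn={r["conn"]}: simple bind as {r["dn"]} from {r["client"]} sent the password in cleartext')
        if r["version"] < 3:
            out.append(f'conn={r["conn"]}: client {r["client"]} still binds with LDAPv{r["version"]}')
    return out


if __name__ == "__main__":
    for line in findings(parse_binds(SAMPLE_ACCESS_LOG)):
        print(line)
```

Run it against the real file (`/var/log/dirsrv/slapd-<instance>/access` on a 1.1.x install; the path quoted in the message is the poster's own) and an err=0 on an SSL connection for the PassSync bind DN means the credential and certificate side is fine, which is the conclusion Rich draws later in the thread; anything else is the place to start.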
From bbahar3 at gmail.com Wed Oct 15 07:48:15 2008
From: bbahar3 at gmail.com (bahar bahar)
Date: Wed, 15 Oct 2008 11:18:15 +0330
Subject: [Fedora-directory-users] java error in console task
Message-ID: <38a27c8c0810150048gcec01e1u2d7b00dee198de2c@mail.gmail.com>

Hi.
I want to use "Manage certificate" in the console tasks for SSL, but when I click it I receive this error:
java.net.connectionException: connection refused
The other tabs of the console work well.
What is the reason for this problem?

From lukasz.sobczak at altkom.pl Wed Oct 15 08:01:34 2008
From: lukasz.sobczak at altkom.pl (Łukasz Sobczak)
Date: Wed, 15 Oct 2008 10:01:34 +0200
Subject: [Fedora-directory-users] java error in console task
In-Reply-To: <38a27c8c0810150048gcec01e1u2d7b00dee198de2c@mail.gmail.com>
References: <38a27c8c0810150048gcec01e1u2d7b00dee198de2c@mail.gmail.com>
Message-ID: <1224057694.6508.5.camel@klapa>

On Wed, 2008-10-15 at 11:18 +0330, bahar bahar wrote:
> Hi.
> I want to use "Manage certificate" in the console tasks for SSL, but when I click it I receive this error:
> java.net.connectionException: connection refused
> The other tabs of the console work well.
> What is the reason for this problem?
Hi,

I have a similar problem, but I receive a different error:

Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
        at com.netscape.management.client.security.CertificateDialog.<init>(Unknown Source)
        at com.netscape.management.client.security.CertificateDialog.<init>(Unknown Source)
        at com.netscape.admin.dirserv.task.KeyCert.run(Unknown Source)
        at com.netscape.management.client.TaskModel.actionObjectRun(Unknown Source)
        at com.netscape.management.client.TaskPage$TaskList$ButtonMouseListener.mouseClicked(Unknown Source)
        at java.awt.AWTEventMulticaster.mouseClicked(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEvent(Unknown Source)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
        at java.awt.EventDispatchThread.run(Unknown Source)

This problem appears only in the Directory Server console. When I click the "Manage Certificates" button in the Administration Server console, everything works fine.

My OS is CentOS 5.2.

Does anyone have any ideas how to solve it?
I'm very bad at Java, so I don't even know how to start researching.

Best regards,
Lukasz Sobczak.

--
Łukasz Sobczak
Postmaster
Altkom Akademia S.A.
http://www.altkom.pl
Warszawa, ul. Chłodna 51
mobile 501054841
District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register, KRS: 0000120139, NIP 118-00-08-391, share capital: 1 000 000 PLN. Registered address of the company: ul. Stawki 2, 00-193 Warszawa.
This message contains proprietary information and trade secrets of Altkom Akademia S.A. company. Unauthorized use or disclosure of this information to any third party is prohibited. If you received this message by mistake, please contact the sender immediately and delete all copies of this message.

From vipulramani at gmail.com Wed Oct 15 20:59:16 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 15 Oct 2008 13:59:16 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Any luck??? Anyone who has been through the same problem...

Clueless: no errors (FDS, ADC), only the PassSync error mentioned below...

On Tue, Oct 14, 2008 at 5:26 PM, Vipul Ramani wrote:
>
> I feel I am so close to solving this problem, after a long time... if anyone
> has a clue what I forgot...
> > > I changed password of cn=replication,cn=config > > and now only i am getting error > ----passsync log ---- > > 10/14/08 17:24:19: Failed to load entries from file ##### I dont know > Failed to load entires from FILE *( PassSync talking about which file ) > *##### > 10/14/08 17:26:41: Failed to load entries from file > 10/14/08 17:26:41: PassSync service stopped > 10/14/08 17:26:42: PassSync service started > 10/14/08 17:26:42: Failed to load entries from file > > ---------------- > /var/log/dir-serv/slapd-linux2/access > > > [14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection from > 192.168.1.200 to 192.168.1.210 > [14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4 > [14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND > dn="cn=replication,cn=config" method=128 version=2 > [14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 nentries=0 > etime=0 dn="cn=replication,cn=config" > [14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND > [14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1 > [14/Oct/2008:10:21:21 -0700] conn=39 fd=69 slot=69 SSL connection from > 192.168.1.200 to 192.168.1.210 > [14/Oct/2008:10:21:21 -0700] conn=39 SSL 128-bit RC4 > [14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND > dn="cn=replication,cn=config" method=128 version=2 > [14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=0 tag=97 nentries=0 > etime=0 dn="cn=replication,cn=config" > [14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND > [14/Oct/2008:10:21:21 -0700] conn=39 op=1 fd=69 closed - U1 > > /var/log/dir-serv/slapd-linux2/errors NO ERRORs .. 
> > On Tue, Oct 14, 2008 at 5:10 PM, Vipul Ramani wrote: > >> >> --- passyc log --- >> >> 10/14/08 17:05:56: Failed to load entries from file >> 10/14/08 17:05:56: Ldap bind error in Connect >> 48: Inappropriate authentication >> 10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords >> ----------------------------- >> >> ADC ( where passysnc installed ) # >> >> On the Directory Server, export the server certificate using pk12util. >> >> FDS# pk12util -d . -o servercert.pfx -n Server-Cert >> >> >> then , >> >> Import the server certificate from the Directory Server into the new >> certificate databases using pk12util.exe. >> >> pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx >> >> then >> >> Give trusted peer status to the server. >> >> certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M >> -n Server-Cert -t "P,P,P" >> >> >> >> C:\Program Files (x86)\Red Hat Directory Password >> Synchronization>certutil.exe - >> L -d . -P >> CA certificate c,c,c >> Server-Cert Pu,Pu,Pu >> <-- imported from FDS >> >> C:\Program Files (x86)\Red Hat Directory Password Synchronization> >> --------------------------- >> >> still same error . ... >> >> >> >> >> >> On Tue, Oct 14, 2008 at 3:42 PM, Vipul Ramani wrote: >> >>> Hi All , >>> >>> I am doing Active directory ----> FDS ( ssl) , all attribute is >>> replicated from ADC ---> FDS .. But i am not able to see password attribute >>> in FDS ? >>> >>> Replication >>> FDS - working as master >>> Passync for replication >>> >>> replication is happening from Active Directory:636 ---- > FDS : 636 . >>> >>> >>> Am i am missing something ... 
>>> >>> ------Adc user profile , which is replicated in FDS ------- >>> dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com >>> ntUniqueId: f96921fe188c4b47a243ab088512103d >>> givenName: vipul >>> sn: r >>> objectClass: top >>> objectClass: person >>> objectClass: organizationalperson >>> objectClass: inetOrgPerson >>> objectClass: ntUser >>> uid: vramani >>> ntUserDeleteAccount: true >>> cn: vipul r >>> ntUserDomainId: vramani >>> ntUserAcctExpires: 9223372036854775807 >>> ntUserCodePage: 0 >>> ------ >>> ----acess------ >>> >>> >>> [14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH base="ou=People, >>> dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >>> [14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH base="ou=People, >>> dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" >>> attrs="objectClass" >>> [14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0 tag=101 >>> nentries=0 etime=1 >>> [14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH >>> base="dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" >>> attrs=ALL[14/Oct/2008:08:37:19 -0700] conn=4 op=173 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH >>> base="dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" >>> attrs="objectClass" >>> [14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH base="ou=People, >>> dc=tf-lab,dc=test,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL >>> [14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0 tag=101 >>> nentries=1 etime=0[14/Oct/2008:08:37:26 -0700] conn=3 op=122 SRCH >>> base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" attrs=ALL >>> [14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD dn="cn=Vedant, 
cn=replica, >>> cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" >>> [14/Oct/2008:08:37:27 -0700] conn=3 op=124 RESULT err=0 tag=103 nentries=0 >>> etime=0[14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH base="cn=Vedant, >>> cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" >>> scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>> attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd >>> nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus >>> nsds5replicaUpdateInProgress nsds5replicaLastInitStart >>> nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh" >>> [14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH >>> base="cn=replication,cn=config" scope=2 filter="(objectClass=*)" >>> attrs=ALL[14/Oct/2008:08:37:31 -0700] conn=3 op=126 RESULT err=0 tag=101 >>> nentries=1 etime=0 >>> [14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD dn="cn=Vedant, cn=replica, >>> cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" >>> [14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0 tag=103 >>> nentries=0 etime=0[14/Oct/2008:08:37:31 -0700] conn=3 op=128 MOD >>> dn="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping >>> tree, cn=config" >>> [14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0 tag=103 >>> nentries=0 etime=0 >>> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH base="ou=People, >>> dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" >>> attrs="objectClass" >>> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0 tag=101 >>> nentries=18 etime=0 >>> ------ >>> >>> >>> thanks in Adv... >>> >>> >>> >>> >>> >> -- >> Regards >> >> Vipul Ramani >> >> > > > -- > Regards > > Vipul Ramani > > -- Regards Vipul Ramani -------------- next part -------------- An HTML attachment was scrubbed... 
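Decoding the certutil -L listing quoted above, added here as an example by the editor and not code from the thread or from the PassSync package: each entry carries three trust strings (SSL, S/MIME, object signing), and only the first matters for connecting to FDS on 636. The listing is constructed after the one in the message (same nicknames and flags); the flag meanings are those documented for certutil's -t option, and the function names are the editor's.

```python
import re

# Constructed listing, shaped like the certutil -L output quoted in the message
# above: the two nicknames and trust strings are copied from it, the header is
# what certutil prints before the table.
SAMPLE_CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               c,c,c
Server-Cert                                                  Pu,Pu,Pu
"""

# Trust letters as documented for certutil's -t option.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (this exact certificate is accepted)",
    "c": "valid CA",
    "T": "trusted CA for client certificates",
    "C": "trusted CA for server certificates",
    "u": "user certificate (its private key is in this database)",
    "w": "warn when used",
}

# nickname, two or more spaces, then the three comma-separated trust strings
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_listing(text):
    """Return {nickname: (ssl, smime, objsign)} trust strings from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def ssl_trust(flags):
    """Classify the SSL slot: does this entry make the FDS server on 636 trusted, and is a key present?"""
    ssl = flags[0]
    if "P" in ssl:
        verdict = "trusted peer: this exact certificate is accepted as the server"
    elif "C" in ssl:
        verdict = "trusted CA: server certificates it issued are accepted"
    elif "c" in ssl or "p" in ssl:
        verdict = "valid but not trusted: makes no server trusted"
    else:
        verdict = "no SSL trust"
    return verdict, "u" in ssl


def audit(text):
    """One line per certificate with its SSL verdict and a note when the private key is present."""
    report = []
    for nick, flags in parse_listing(text).items():
        verdict, has_key = ssl_trust(flags)
        line = f"{nick}: {verdict}"
        if has_key:
            line += " [private key present in this database]"
        report.append(line)
    return report


def explain(flag_string):
    """Spell out one trust string, e.g. 'Pu' -> [trusted peer ..., user certificate ...]."""
    return [FLAG_MEANING[ch] for ch in flag_string]


if __name__ == "__main__":
    for line in audit(SAMPLE_CERTUTIL_LISTING):
        print(line)
```

On the listing shown, Server-Cert carries P in the SSL slot, which is exactly what the `certutil -M -t "P,P,P"` step grants, so trust was not the remaining problem. The u beside it records that the PKCS#12 export carried the server's private key into the PassSync database; if the aim is only to trust the FDS server, importing the issuing CA certificate with `-t "C,,"` achieves the same without placing that key on the domain controller.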
From rmeggins at redhat.com Wed Oct 15 21:05:07 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Oct 2008 15:05:07 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48F65B03.4030403@redhat.com>

Vipul Ramani wrote:
> Any luck??? Anyone who has been through the same problem...
>
> Clueless: no errors (FDS, ADC), only the PassSync error mentioned below...
>
> On Tue, Oct 14, 2008 at 5:26 PM, Vipul Ramani wrote:
>
>     I feel I am so close to solving this problem, after a long time... if anyone has a clue what I forgot...
>
>     I changed the password of cn=replication,cn=config and now I am only getting this error:
>     ---- passsync log ----
>
>     10/14/08 17:24:19: Failed to load entries from file   ##### I don't know which file PassSync is talking about in "Failed to load entries from file" #####
>     10/14/08 17:26:41: Failed to load entries from file
>     10/14/08 17:26:41: PassSync service stopped
>     10/14/08 17:26:42: PassSync service started
>     10/14/08 17:26:42: Failed to load entries from file
>
I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).
> > > ---------------- > /var/log/dir-serv/slapd-linux2/access > > > [14/Oct/2008:10:21:20 -0700] conn=38 fd=69 slot=69 SSL connection > from 192.168.1.200 to 192.168.1.210 > > [14/Oct/2008:10:21:20 -0700] conn=38 SSL 128-bit RC4 > [14/Oct/2008:10:21:20 -0700] conn=38 op=0 BIND > dn="cn=replication,cn=config" method=128 version=2 > [14/Oct/2008:10:21:20 -0700] conn=38 op=0 RESULT err=0 tag=97 > nentries=0 etime=0 dn="cn=replication,cn=config" > [14/Oct/2008:10:21:20 -0700] conn=38 op=1 UNBIND > [14/Oct/2008:10:21:20 -0700] conn=38 op=1 fd=69 closed - U1 > [14/Oct/2008:10:21:21 -0700] conn=39 fd=69 slot=69 SSL connection > from 192.168.1.200 to 192.168.1.210 > > [14/Oct/2008:10:21:21 -0700] conn=39 SSL 128-bit RC4 > [14/Oct/2008:10:21:21 -0700] conn=39 op=0 BIND > dn="cn=replication,cn=config" method=128 version=2 > [14/Oct/2008:10:21:21 -0700] conn=39 op=0 RESULT err=0 tag=97 > nentries=0 etime=0 dn="cn=replication,cn=config" > [14/Oct/2008:10:21:21 -0700] conn=39 op=1 UNBIND > [14/Oct/2008:10:21:21 -0700] conn=39 op=1 fd=69 closed - U1 > > /var/log/dir-serv/slapd-linux2/errors NO ERRORs .. > > On Tue, Oct 14, 2008 at 5:10 PM, Vipul Ramani > > wrote: > > > --- passyc log --- > > 10/14/08 17:05:56: Failed to load entries from file > 10/14/08 17:05:56: Ldap bind error in Connect > 48: Inappropriate authentication > 10/14/08 17:05:56: Can not connect to ldap server in SyncPasswords > ----------------------------- > > ADC ( where passysnc installed ) # > > On the Directory Server, export the server certificate using > |pk12util|. > > FDS# pk12util -d . -o servercert.pfx -n Server-Cert > > > then , > > Import the server certificate from the Directory Server into > the new certificate databases using p|k12util.exe|. > > pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i servercert.pfx > > > then > > Give trusted peer status to the server. 
> > certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M > -n Server-Cert -t "P,P,P" > > > > > C:\Program Files (x86)\Red Hat Directory Password > Synchronization>certutil.exe - > L -d . -P > CA certificate c,c,c > Server-Cert > Pu,Pu,Pu <-- imported from FDS > > C:\Program Files (x86)\Red Hat Directory Password Synchronization> > --------------------------- > > still same error . ... > > > > > > On Tue, Oct 14, 2008 at 3:42 PM, Vipul Ramani > > wrote: > > Hi All , > > I am doing Active directory ----> FDS ( ssl) , all > attribute is replicated from ADC ---> FDS .. But i am not > able to see password attribute in FDS ? > > Replication > FDS - working as master > Passync for replication > > replication is happening from Active Directory:636 ---- > > FDS : 636 . > > > Am i am missing something ... > > ------Adc user profile , which is replicated in FDS ------- > dn: uid=vramani, ou=People, dc=tf-lab,dc=test,dc=com > ntUniqueId: f96921fe188c4b47a243ab088512103d > givenName: vipul > sn: r > objectClass: top > objectClass: person > objectClass: organizationalperson > objectClass: inetOrgPerson > objectClass: ntUser > uid: vramani > ntUserDeleteAccount: true > cn: vipul r > ntUserDomainId: vramani > ntUserAcctExpires: 9223372036854775807 > ntUserCodePage: 0 > ------ > ----acess------ > > > [14/Oct/2008:08:37:16 -0700] conn=4 op=170 SRCH > base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 > filter="(objectClass=*)" attrs=ALL > [14/Oct/2008:08:37:16 -0700] conn=4 op=170 RESULT err=0 > tag=101 nentries=1 etime=0 > [14/Oct/2008:08:37:17 -0700] conn=4 op=171 SRCH > base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 > filter="(objectClass=*)" attrs="objectClass" > [14/Oct/2008:08:37:17 -0700] conn=4 op=171 RESULT err=0 > tag=101 nentries=0 etime=1 > [14/Oct/2008:08:37:19 -0700] conn=4 op=173 SRCH > base="dc=tf-lab,dc=test,dc=com" scope=0 > filter="(objectClass=*)" attrs=ALL[14/Oct/2008:08:37:19 > -0700] conn=4 op=173 RESULT err=0 tag=101 nentries=1 
etime=0 > [14/Oct/2008:08:37:19 -0700] conn=4 op=174 SRCH > base="dc=tf-lab,dc=test,dc=com" scope=1 > filter="(objectClass=*)" attrs="objectClass" > [14/Oct/2008:08:37:19 -0700] conn=4 op=174 RESULT err=0 > tag=101 nentries=1 etime=0 > [14/Oct/2008:08:37:20 -0700] conn=4 op=175 SRCH > base="ou=People, dc=tf-lab,dc=test,dc=com" scope=0 > filter="(objectClass=*)" attrs=ALL > [14/Oct/2008:08:37:20 -0700] conn=4 op=175 RESULT err=0 > tag=101 nentries=1 etime=0[14/Oct/2008:08:37:26 -0700] > conn=3 op=122 SRCH base="cn=replication,cn=config" scope=2 > filter="(objectClass=*)" attrs=ALL > [14/Oct/2008:08:37:26 -0700] conn=3 op=122 RESULT err=0 > tag=101 nentries=1 etime=0 > [14/Oct/2008:08:37:27 -0700] conn=3 op=124 MOD > dn="cn=Vedant, cn=replica, > cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, > cn=config" [14/Oct/2008:08:37:27 -0700] conn=3 op=124 > RESULT err=0 tag=103 nentries=0 > etime=0[14/Oct/2008:08:37:27 -0700] conn=3 op=125 SRCH > base="cn=Vedant, cn=replica, > cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, > cn=config" scope=0 > filter="(|(objectClass=*)(objectClass=ldapsubentry))" > attrs="nsds5replicaLastUpdateStart > nsds5replicaLastUpdateEnd > nsds5replicaChangesSentSinceStartup > nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress > nsds5replicaLastInitStart nsds5replicaLastInitEnd > nsds5replicaLastInitStatus nsds5BeginReplicaRefresh" > [14/Oct/2008:08:37:27 -0700] conn=3 op=125 RESULT err=0 > tag=101 nentries=1 etime=0 > [14/Oct/2008:08:37:31 -0700] conn=3 op=126 SRCH > base="cn=replication,cn=config" scope=2 > filter="(objectClass=*)" attrs=ALL[14/Oct/2008:08:37:31 > -0700] conn=3 op=126 RESULT err=0 tag=101 nentries=1 etime=0 > [14/Oct/2008:08:37:31 -0700] conn=3 op=127 MOD > dn="cn=Vedant, cn=replica, > cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config" > [14/Oct/2008:08:37:31 -0700] conn=3 op=127 RESULT err=0 > tag=103 nentries=0 etime=0[14/Oct/2008:08:37:31 -0700] > conn=3 op=128 MOD dn="cn=Vedant, cn=replica, > 
> cn=\22dc=tf-lab,dc=test,dc=com\22, cn=mapping tree, cn=config"
> [14/Oct/2008:08:37:31 -0700] conn=3 op=128 RESULT err=0 tag=103 nentries=0 etime=0
> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 SRCH base="ou=People, dc=tf-lab,dc=test,dc=com" scope=1 filter="(objectClass=*)" attrs="objectClass"
> [14/Oct/2008:08:37:37 -0700] conn=4 op=176 RESULT err=0 tag=101 nentries=18 etime=0
> ------
>
> thanks in advance...
>
> --
> Regards
> Vipul Ramani
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Wed Oct 15 21:05:59 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Oct 2008 15:05:59 -0600
Subject: [Fedora-directory-users] java error in console task
In-Reply-To: <38a27c8c0810150048gcec01e1u2d7b00dee198de2c@mail.gmail.com>
References: <38a27c8c0810150048gcec01e1u2d7b00dee198de2c@mail.gmail.com>
Message-ID: <48F65B37.6010800@redhat.com>

bahar bahar wrote:
> Hi.
> I want to use "Manage certificate" in the console tasks for SSL, but when I click it I receive this error:
> java.net.connectionException: connection refused
> The other tabs of the console work well.
> What is the reason for this problem?

What version? What platform?
rpm -qi fedora-ds-base fedora-ds-admin

fedora-idm-console -D 9 -f console.log

might give you some clues.

From vipulramani at gmail.com Wed Oct 15 21:15:39 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Wed, 15 Oct 2008 14:15:39 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Hi Rich,

But I can log in and change the passwords of ADC users. :(

Is there any other way to debug this more deeply??? Kindly suggest; I am ready....

> I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).

Regards
Vipul Ramani

From rmeggins at redhat.com Wed Oct 15 21:20:46 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Oct 2008 15:20:46 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48F65EAE.2050501@redhat.com>

Vipul Ramani wrote:
>
> Hi Rich,
>
> But I can log in and change the passwords of ADC users. :(
>
> Is there any other way to debug this more deeply??? Kindly suggest; I am ready....

I don't know.

>
> I'm not sure, but I think this means that there were no passwords to sync from AD to Fedora DS. It keeps a queue of passwords to send in a file (encrypted).
>
> Regards
> Vipul Ramani
>
> ------------------------------------------------------------------------

From ebeda at udsm.ac.tz Thu Oct 16 08:10:02 2008
From: ebeda at udsm.ac.tz (Eric Beda)
Date: Thu, 16 Oct 2008 11:10:02 +0300 (EAT)
Subject: [Fedora-directory-users] Recovering Directory Server Admin Password
In-Reply-To: <48F65EAE.2050501@redhat.com>
References: <48F65EAE.2050501@redhat.com>
Message-ID: <37755.196.44.161.242.1224144602.squirrel@mail.udsm.ac.tz>

Hi,

I've lost my directory server admin password. How do I recover it, so that I can manage the DS via the GUI interface on the machine?

Help please

From diaa.radwan at gmail.com Thu Oct 16 08:36:50 2008
From: diaa.radwan at gmail.com (Diaa Radwan)
Date: Thu, 16 Oct 2008 10:36:50 +0200
Subject: [Fedora-directory-users] Recovering Directory Server Admin Password
In-Reply-To: <37755.196.44.161.242.1224144602.squirrel@mail.udsm.ac.tz>
References: <48F65EAE.2050501@redhat.com> <37755.196.44.161.242.1224144602.squirrel@mail.udsm.ac.tz>
Message-ID: <182b9f450810160136o58b0fc70y1331d2b5cb01dd8b@mail.gmail.com>

On Thu, Oct 16, 2008 at 10:10 AM, Eric Beda wrote:
> Hi,
>
> I've lost my directory server admin password. How do I recover it, so that I can manage the DS via the GUI interface on the machine?

If you mean the Directory Manager password, check this link:
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

If you remember your Directory Manager password, you can log in as Directory Manager through the console and change the admin user under o=netscaperoot, or you can perform the following:

$ slappasswd -v -c '$1$%.8s' -h {CRYPT}

Run the above
command and supply your new password, then copy the output.

Then issue the ldapmodify command:

$ ldapmodify -x -h localhost -D "cn=Directory Manager" -W
dn: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
changetype: modify
replace: userPassword
userPassword: <paste the slappasswd output here>

> Help please

--
Diaa Radwan
http://fossology.net

From vipulramani at gmail.com Thu Oct 16 21:44:41 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Thu, 16 Oct 2008 14:44:41 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

I enabled log level 8192 in the error log of FDS.

linux2.test2.com is FDS and LABDC01 is ADC.

I created a sync agreement between LDAP:636 and ADC:636, but in the logs it still shows ldap://linux2.test2.com:389

---- error log of FDS ----

[16/Oct/2008:07:33:15 -0700] - acquire_replica, supplier RUV is newer
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Cancelling linger on the connection
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: ready_to_acquire_replica -> sending_updates
[16/Oct/2008:07:33:15 -0700] - csngen_adjust_time: gen state before 48f750ab0003:1224167595:0:0
[16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" (LABDC01:636)): Consumer RUV:
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica 333 ldap://linux2.test2.com:389} 48f3772f0000014d0000 48f74f7b0013014d0000 48f74f7b
[16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" (LABDC01:636)): Supplier
RUV:
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica 333 ldap://linux2.test2.com:389} 48f3772f0000014d0000 48f750ab0001014d0000 48f750ab
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - session start: anchorcsn=48f74f7b0013014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=Vedant" (LABDC01:636): CSN 48f74f7b0013014d0000 found, position set for replay
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - load=1 rec=1 csn=48f750ab0001014d0000
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Looking at modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" (ours,user,not group)
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=vramani,ou=People, dc=tf-lab,dc=test2,dc=com" guid="f96921fe188c4b47a243ab088512103d"
[16/Oct/2008:07:33:15 -0700] - Calling windows entry search request plugin
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Linger timeout has expired on the connection
[16/Oct/2008:07:33:15 -0700] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: return code 0 from search for AD entry dn="" or dn="CN=vipul r,CN=Users,DC=tf-lab,DC=test2,DC=com"
[16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Processing modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" remote dn=""
[16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - clcache_load_buffer: rc=-30989
-----

I see this: "Linger timeout has expired on the connection"
" * 16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Beginning linger on the connection [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: sending_updates -> wait_for_changes [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): *Linger timeout has expired on the connection* [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Disconnected from the consumer Any any clue On Wed, Oct 15, 2008 at 2:15 PM, Vipul Ramani wrote: > > > Hi Rich , > > But i can login and changed the password of ADC users. :( > > is there any other way to debug in to the deep ??? Kindly suggest i am > ready .... > > > I'm not sure, but I think this means that there were no passwords to sync > from AD to Fedora DS. It keeps a queue of passwords to send in a file > (encrypted). > > > > > > > Regards > Vipul Ramani > -- Regards Vipul Ramani -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Oct 16 22:10:49 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 16 Oct 2008 16:10:49 -0600 Subject: [Fedora-directory-users] Re: SYNC without password ... In-Reply-To: References: Message-ID: <48F7BBE9.80609@redhat.com> Vipul Ramani wrote: > I enabled logleve 8192 in error log of FDS > > linux2.test2.com is FDS and LABDC01 is ADC > > I created sync aggrement between LDAP:636 and ADC:636 , but in logs it > shows still *ldap://linux2.test2.com:389 > --- > * That's just the "name" of the agreement not the actual protocol and port used to connect. It looks as though the code is successfully connecting to AD. 
> ---- error of FDS ----
>
> [16/Oct/2008:07:33:15 -0700] - acquire_replica, supplier RUV is newer
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Cancelling linger on the connection
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: ready_to_acquire_replica -> sending_updates
> [16/Oct/2008:07:33:15 -0700] - csngen_adjust_time: gen state before 48f750ab0003:1224167595:0:0
> [16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" (LABDC01:636)): Consumer RUV:
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica 333 ldap://linux2.test2.com:389 } 48f3772f0000014d0000 48f74f7b0013014d0000 48f74f7b
> [16/Oct/2008:07:33:15 -0700] - _cl5PositionCursorForReplay (agmt="cn=Vedant" *(LABDC01:636)*): Supplier RUV:
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replicageneration} 48f373b90000014d0000
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): {replica 333 *ldap://linux2.test2.com:389 *} 48f3772f0000014d0000 48f750ab0001014d0000 48f750ab
> [16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - session start: anchorcsn=48f74f7b0013014d0000
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=Vedant" (LABDC01:636): CSN 48f74f7b0013014d0000 found , position set for replay
> [16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - load=1 rec=1 csn=48f750ab0001014d0000
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Looking at modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" (ours,user,not group)
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=vramani,ou=People, dc=tf-lab,dc=test2,dc=com" guid="f96921fe188c4b47a243ab088512103d"
> [16/Oct/2008:07:33:15 -0700] - Calling windows entry search request plugin
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Linger timeout has expired on the connection
> [16/Oct/2008:07:33:15 -0700] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): map_entry_dn_outbound: return code 0 from search for AD entry dn="" or dn="CN=vipul r,CN=Users,DC=tf-lab,DC=test2,DC=com"
> [16/Oct/2008:07:33:15 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): windows_replay_update: Processing modify operation local dn="uid=vramani,ou=people,dc=tf-lab,dc=test2,dc=com" remote dn=""
> [16/Oct/2008:07:33:15 -0700] agmt="cn=Vedant" (LABDC01:636) - clcache_load_buffer: rc=-30989
>
> -----
>
> I see this: *"Linger timeout has expired the connection"*
>
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Beginning linger on the connection
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): State: sending_updates -> wait_for_changes
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): *Linger timeout has expired on the connection*
> [16/Oct/2008:07:43:16 -0700] NSMMReplicationPlugin - agmt="cn=Vedant" (LABDC01:636): Disconnected from the consumer
>
> Any clue?
That's normal. I don't see any errors here.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From vipulramani at gmail.com Fri Oct 17 00:30:52 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Thu, 16 Oct 2008 17:30:52 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Hey Rich,

Do we really need the password policy @ Active Directory and the password policy @ FDS to be the same? Is that what I am missing?
--
Regards
Vipul Ramani

From vipulramani at gmail.com Fri Oct 17 22:02:54 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Fri, 17 Oct 2008 15:02:54 -0700
Subject: [Fedora-directory-users] PassSync 64bit Window2003
Message-ID:

Hi All,

Has anyone tested PassSync on Windows 2003 64-bit???

--
Regards
Vipul Ramani

From rmeggins at redhat.com Fri Oct 17 22:42:41 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 17 Oct 2008 16:42:41 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48F914E1.3010800@redhat.com>

Vipul Ramani wrote:
> Hey Rich,
>
> Do we really need the password policy @ Active Directory and the password policy @ FDS to be the same? Is that what I am missing?
If you don't manually make them the same, then you run the risk that a password accepted on AD will be rejected on FDS, or vice versa.
From vipulramani at gmail.com Mon Oct 20 05:21:39 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Sun, 19 Oct 2008 22:21:39 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Hi Rich,

I have done the setup from scratch... again... actually this is my 9th time testing...

For the CA, I generated a certificate signing request from FDS, and that CSR is signed by the ADC CA. Then I installed the CA @ FDS...

------------ error --------------
NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) : simple bind failed , LDAP sdk error 91 ( Can't connect to the LDAP server ) , Netscape Portable Runtime error - 8179 ( Peer's Certificate issuer is not recoginzed )
------------

I have one question: on the ADC, I think a Standalone CA is installed, not an Enterprise CA (I am not a Windows admin and I don't know much about ADC)...

So, for PassSync to work, must the FDS CSR be signed by an "Enterprise CA"???
And any tip on how I check on Win2003 (x64 edition) whether an Enterprise CA is installed or not????...

Thanks in advance to all... FDS users...

Regards
Vipul Ramani

From bbahar3 at gmail.com Mon Oct 20 08:22:11 2008
From: bbahar3 at gmail.com (bahar bahar)
Date: Mon, 20 Oct 2008 11:52:11 +0330
Subject: [Fedora-directory-users] Re:Re: java error in console task
Message-ID: <38a27c8c0810200122y25bd4451w75e712e874edf4fd@mail.gmail.com>

The system is CentOS 5, the fedora-ds version is fedora-ds-1.0.2-1.Linux.

The result of ./startconsole -D when clicking "manage certificate" is:

CommManager> New CommRecord (http://ldap.iut.ac.ir:61312/admin-serv/tasks/configuration/SecurityOp)
java.net.ConnectException: Connection refused
admserv version = null
Focus lost
javax.swing.JButton[,0,0,38x37,layout=javax.swing.OverlayLayout,alignmentX=0.0,alignmentY=0.5,border=javax.swing.plaf.BorderUIResource$CompoundBorderUIResource@7df60a,flags=296,maximumSize=,minimumSize=,preferredSize=,defaultIcon=com/netscape/management/client/images/task.gif,disabledIcon=,disabledSelectedIcon=,margin=java.awt.Insets[top=0,left=0,bottom=0,right=0],paintBorder=true,paintFocus=true,pressedIcon=,rolloverEnabled=false,rolloverIcon=,rolloverSelectedIcon=,selectedIcon=,text=,defaultCapable=true]

I couldn't find out why only this tab of the console has a problem. Other parts work well!

From rmeggins at redhat.com Mon Oct 20 14:14:58 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 08:14:58 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FC9262.7050800@redhat.com>

Vipul Ramani wrote:
> Hi Rich,
>
> I have done the setup from scratch... again... actually this is my 9th time testing...
>
> For the CA, I generated a certificate signing request from FDS, and that CSR is signed by the ADC CA. Then I installed the CA @ FDS...
>
> ------------ error --------------
> NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) : simple bind failed , LDAP sdk error 91 ( Can't connect to the LDAP server ) , Netscape Portable Runtime error - 8179 ( Peer's Certificate issuer is not recoginzed )
How did you install the MS CA cert into Fedora DS?
certutil -L -d /etc/dirsrv/slapd-instancename
> ------------
>
> I have one question: on the ADC, I think a Standalone CA is installed, not an Enterprise CA (I am not a Windows admin and I don't know much about ADC)...
>
> So, for PassSync to work, must the FDS CSR be signed by an "Enterprise CA"???
>
> And any tip on how I check on Win2003 (x64 edition) whether an Enterprise CA is installed or not????...
I've only used Enterprise CA, because if you do that, AD will automatically get an SSL server cert. Otherwise, I'm not sure how to configure AD to be an SSL server.

Note that we only provide a 32-bit binary for passsync. I have no idea if it will work on 64-bit Windows - we've never tested that. The code is all open source though, and should be buildable with the free Microsoft Visual Studio C++.
>
> Thanks in advance to all... FDS users...
>
> Regards
> Vipul Ramani

From rmeggins at redhat.com Mon Oct 20 14:41:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 08:41:13 -0600
Subject: [Fedora-directory-users] Re:Re: java error in console task
In-Reply-To: <38a27c8c0810200122y25bd4451w75e712e874edf4fd@mail.gmail.com>
References: <38a27c8c0810200122y25bd4451w75e712e874edf4fd@mail.gmail.com>
Message-ID: <48FC9889.7050809@redhat.com>

bahar bahar wrote:
> The system is CentOS 5, the fedora-ds version is fedora-ds-1.0.2-1.Linux.
rpm -qi fedora-ds-admin fedora-ds-base
> The result of ./startconsole -D when clicking "manage certificate" is:
>
> CommManager> New CommRecord (http://ldap.iut.ac.ir:61312/admin-serv/tasks/configuration/SecurityOp)
> java.net.ConnectException: Connection refused
> admserv version = null
Can you paste the full output of startconsole -D 9 -f console.log? Are you running into https://bugzilla.redhat.com/show_bug.cgi?id=430499 or https://bugzilla.redhat.com/show_bug.cgi?id=442103
> Focus lost
> javax.swing.JButton[,0,0,38x37,layout=javax.swing.OverlayLayout,alignmentX=0.0,alignmentY=0.5,border=javax.swing.plaf.BorderUIResource$CompoundBorderUIResource@7df60a,flags=296,maximumSize=,minimumSize=,preferredSize=,defaultIcon=com/netscape/management/client/images/task.gif,disabledIcon=,disabledSelectedIcon=,margin=java.awt.Insets[top=0,left=0,bottom=0,right=0],paintBorder=true,paintFocus=true,pressedIcon=,rolloverEnabled=false,rolloverIcon=,rolloverSelectedIcon=,selectedIcon=,text=,defaultCapable=true]
>
> I couldn't find out why only this tab of the console has a problem. Other parts work well!

From vipulramani at gmail.com Mon Oct 20 17:00:51 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 10:00:51 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Hi Rich,

I installed from the Fedora console - I copied the MS CA on the Windows box, then I did the install using the Fedora Directory Console.
--
Regards
Vipul Ramani

From rmeggins at redhat.com Mon Oct 20 18:19:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 12:19:19 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FCCBA7.4010204@redhat.com>

Vipul Ramani wrote:
> Hi Rich,
>
> I installed from the Fedora console - I copied the MS CA on the Windows box, then I did the install using the Fedora Directory Console.
certutil -L -d /etc/dirsrv/slapd-instancename
Note that we only provide a 32-bit > binary for passsync. I have no idea if it will work on 64-bit Windows > - we've never tested that. The code is all open source though, and > should be buildable with the free microsoft visual studio C++. > > > > On Sun, Oct 19, 2008 at 10:21 PM, Vipul Ramani > wrote: > > > > Hi Rich , > > i have done setup from scratch ... again ...acutally this is my ( > 9th time i am testing... ) > > for CA - i generated certification of requst from FDS and and > that CSR is signed by ADC - CA . Then i installed @ CA @ FDS .. > > ------------ error -- ------------- > NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) : > simple bind failed , LDAP sdk error 91 ( Can't connect to the > LDAP server ) , Netscape Portable Runtime error - 8179 ( Peer's > Certificate issuer is not recoginzed ) > > ------------ > > I have one question - I ADC it installted i think StandAlone CA > - not Enterprise CA ( i am not Windows Admin and i dont know much > about ADC ) ... > > so , to work PassSYN - FDS CSR must be signed by *" Enterprise CA > "* ??? > > *and Any tip how to do i check on win2003 ( x64 edition ) > Enterprise CA is installed or not ???? ... > * > > > thanks in adv to all ... FDS users ... > > Regards > Vipul Ramani > > > > > -- > Regards > > Vipul Ramani > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From vipulramani at gmail.com Mon Oct 20 18:36:54 2008 From: vipulramani at gmail.com (Vipul Ramani) Date: Mon, 20 Oct 2008 11:36:54 -0700 Subject: [Fedora-directory-users] Re: SYNC without password ... 
> Vipul Ramani wrote:
> > Hi Rich ,
> >
> > I installed from Fedora console - i copied MS CA on Window box then i did install using Fedora directory Console.
>
> certutil -L -d /etc/dirsrv/slapd-instancename

[root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CTu,u,u
Server-Cert                                                  u,u,u
linux2                                                       CTu,u,u   <-- this Cert is signed by ADC CA
[root at linux2 ~]#

And Sample profile which is replicated from ADC

dn: uid=vramani, ou=People, dc=tf-lab,dc=test2,dc=com
ntUniqueId: f6bcff406f334d46824236fc82f2b762
ntUserLastLogoff: 0
givenName: vipul
sn: ramani
ntUserParms:: bSAgICAgICAgICAgICAgICAgICAgIGQBICAgICAgICAgICAgICAgICAgICAgICA
 gUAQaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44C
 5EggBQ3R4U2hhZG9345Cw44Cw44Cw44CwKgIBQ3R4TWluRW5jcnlwdGlvbkxldmVs44Sw
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
uid: vramani
ntUserDeleteAccount: true
cn: vipul ramani
ntUserLastLogon: 128687513442500000
ntUserDomainId: vramani
ntUserAcctExpires: 9223372036854775807
ntUserCodePage: 0

From rmeggins at redhat.com Mon Oct 20 18:42:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 12:42:55 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
Message-ID: <48FCD12F.80009@redhat.com>

Vipul Ramani wrote:
> Vipul Ramani wrote:
> > Hi Rich ,
> >
> > I installed from Fedora console - i copied MS CA on Window box then i did install using Fedora directory Console.
>
> certutil -L -d /etc/dirsrv/slapd-instancename
>
> [root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA                                                           CTu,u,u
> Server-Cert                                                  u,u,u
> linux2                                                       CTu,u,u   <-- this Cert is signed by ADC CA
> [root at linux2 ~]#

Which one is the MS CA cert?
The MS CA cert is required.

> And Sample profile which is replicated from ADC
>
> [...]

From vipulramani at gmail.com Mon Oct 20 18:46:27 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 11:46:27 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...

Rich ,

i tell you how i did

https://localhosts/certsrv/ ---> download cert in DER form and imported in FDS console ...

[root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA                                                           CTu,u,u
Server-Cert                                                  u,u,u
linux2                                                       CTu,u,u   <-- this Cert is signed by ADC CA
labdc01                                                      CT,,      <---- MS CA Cert

sorry i missed last line ... last email .

But no Luck ...
On Mon, Oct 20, 2008 at 11:36 AM, Vipul Ramani wrote:
> [...]

--
Regards
Vipul Ramani

From rmeggins at redhat.com Mon Oct 20 19:00:46 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 13:00:46 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
Message-ID: <48FCD55E.7050307@redhat.com>

Vipul Ramani wrote:
> Rich ,
>
> i tell you how i did
>
> https://localhosts/certsrv/ ---> download cert in DER form and imported in FDS console ...
>
> [root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> CA                                                           CTu,u,u

What is this CA?

certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"

> Server-Cert                                                  u,u,u
> linux2                                                       CTu,u,u   <-- this Cert is signed by ADC CA

certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"

Make sure the subjectDN starts with cn=fqdn where fqdn is the FQDN of linux2

> labdc01                                                      CT,,      <---- MS CA Cert
>
> sorry i missed last line ... last email .
>
> But no Luck ...

A good way to test TLS/SSL is to use ldapsearch:

/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"

If that works, then you have the CA installed correctly, and the AD server cert is correct.

> On Mon, Oct 20, 2008 at 11:36 AM, Vipul Ramani wrote:
> > [...]
>
> --
> Regards
> Vipul Ramani
From vipulramani at gmail.com Mon Oct 20 19:07:51 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 12:07:51 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...

CA is self-signed generated certificate . by Linux2 it self.

[root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=CAcert"
        Validity:
            Not Before: Fri Oct 17 15:11:18 2008
            Not After : Wed Oct 17 15:11:18 2018
        Subject: "CN=CAcert"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c8:40:4b:86:0b:70:3d:5d:6a:f6:f4:a5:86:e9:1c:98:
                    d0:dd:19:31:e3:b8:18:3b:0a:c8:9f:83:33:98:cd:98:
                    54:83:9d:73:97:69:04:26:b8:75:4a:95:7e:ed:92:62:
                    51:2c:70:8a:a6:f2:a6:8b:b5:c6:53:d3:f8:cc:01:c9:
                    e8:78:55:1f:69:e3:c4:5c:5e:e8:a6:bf:dc:53:ac:a6:
                    ce:75:14:98:2f:a7:c0:da:ae:be:5d:91:e6:f2:96:84:
                    02:a0:ec:df:e4:de:91:25:2d:65:d8:bd:79:3d:07:ea:
                    8c:9f:9e:5b:ee:04:a3:18:2e:98:c6:ab:15:a1:d5:d9
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        55:bd:f2:f7:37:e5:60:e0:87:20:a7:d7:69:b2:eb:79:
        e6:98:7e:72:f1:b1:dc:11:08:94:fd:c3:56:a8:14:37:
        2b:1b:cd:bc:05:3d:54:45:73:7f:b2:dc:f8:f1:f4:44:
        61:25:54:c6:e2:c2:68:1f:d7:cc:d3:37:16:37:98:b8:
        37:c3:7e:49:48:12:58:17:26:fe:87:bc:d4:ef:ee:6b:
        5d:35:1f:1f:72:a5:5e:6b:b7:94:e6:c3:63:7c:2a:24:
        4c:43:39:cd:74:7b:56:08:15:f9:85:3f:ed:c9:ba:01:
        88:d0:90:84:1d:e6:0e:84:7f:83:8e:bf:9e:9a:b2:a3
    Fingerprint (MD5):
        2C:77:B6:61:BA:3D:F0:E2:8E:EB:BA:4D:74:A4:E4:0C
    Fingerprint (SHA1):
        06:FE:B9:62:26:E7:56:1E:2B:84:C0:5E:AC:DC:F7:1A:AE:A8:58:0E

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User

[root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:fc:4e:02:00:00:00:00:00:16
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
        Validity:
            Not Before: Fri Oct 17 23:35:13 2008
            Not After : Sun Oct 17 23:35:13 2010
        Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    da:db:9b:d8:c2:aa:42:4e:85:69:b2:0a:19:46:87:2d:
                    67:e6:4b:9b:4d:97:96:6a:e3:bf:90:c2:ab:a7:0d:17:
                    --removed-some-part---
                    24:72:dc:18:5c:7e:1a:16:b3:bd:38:1b:0a:0f:a6:48:
                    ae:4e:ef:5a:eb:cd:12:6f:5e:16:8f:6c:ce:ff:fa:71
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                75:e0:f9:0d:9f:77:24:61:38:87:17:87:43:ee:25:5d:
                c0:b2:4f:d3

            Name: Certificate Authority Key Identifier
            Key ID:
                83:c2:a6:03:eb:b2:a8:ea:40:d0:63:42:01:68:8f:a8:
                11:9e:ec:f9

            Name: CRL Distribution Points
            URI: "ldap:///CN=labdc01,CN=labdc01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint"
            URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.crl"

            Name: Authority Information Access
            Method: PKIX CA issuers access method
            Location:
                URI: "ldap:///CN=labdc01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?cACertificate?base?objectClass=certificationAuthority"
            Method: PKIX CA issuers access method
            Location:
                URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.tf-lab.test2.com_labdc01.crt"

            Name: Microsoft Enrollment Cert Type Extension
            Data: "WebServer"

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is not a CA.

            Name: Certificate Key Usage
            Usages: Digital Signature
                    Key Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        0b:f7:2f:25:e5:99:aa:27:59:5d:76:96:5a:64:0b:a7:
        91:7d:48:49:fd:a8:46:db:cc:39:7b:97:34:94:3c:0c:
        7c:fe:4d:f7:99:5e:da:a6:7d:53:5c:36:ba:ed:a7:05:
        60:04:2a:76:6e:02:75:a0:1c:59:bd:ad:82:db:fc:61:
        --removed some--part--
        6d:11:23:4c:77:60:18:ec:fd:47:63:72:d3:00:ee:04:
        c2:01:3a:d8:dc:f1:4b:55:c5:7a:39:09:83:9b:09:bd:
        65:64:4c:6f:8d:19:86:94:95:76:1b:07:08:ad:03:70
    Fingerprint (MD5):
        BD:3D:31:6C:27:A8:82:1A:11:81:5B:F6:56:D7:FA:E3
    Fingerprint (SHA1):
        89:45:EE:8E:7D:B7:01:EB:72:80:F2:86:91:B8:02:D4:60:3A:19:FA

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User

/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"

When i do this i am getting core dump ... :((

From rmeggins at redhat.com Mon Oct 20 19:35:48 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 13:35:48 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
Message-ID: <48FCDD94.7090308@redhat.com>

Vipul Ramani wrote:
> CA is self-signed generated certificate . by Linux2 it self.
>
> [root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"
> [...]
>
> [root at linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"
> [...]
>         Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
>         Validity:
>             Not Before: Fri Oct 17 23:35:13 2008
>             Not After : Sun Oct 17 23:35:13 2010
>         Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"

This is not correct. instead of CN=linux2, you should have CN=linux2.tf-lab.test2.com or whatever your domain is. Although I don't think this is the cause of the failure to connect.

> [...]
>
> /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"

Sorry, try

/usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2/cert8.db -3 -s base -b "" "objectclass=*"

> When i do this i am getting core dump ... :((

From vipulramani at gmail.com Mon Oct 20 20:29:37 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 13:29:37 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...

i think we are head to solutions ...

do i need to re-install certificate in passync again ???
after we install new CSR with FQDN ... ???

root at linux2 slapd-linux2]# /usr/lib/mozldap/ldapsearch -v -h labdc01.tf-lab.test2.com -p 636 -Z -P /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db -3 -s base -b "" "objectclass=*"
ldapsearch: started Mon Oct 20 06:18:20 2008

ldap_init( labdc01.tf-lab.test2.com, 636 )
ldaptool_getcertpath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
ldaptool_getkeypath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db
ldaptool_getmodpath -- (null)
ldaptool_getdonglefilename -- (null)
filter pattern: objectclass=*
returning: ALL
filter is: (objectclass=*)
version: 1
dn:
currentTime: 20081020202134.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=tf-lab,DC=tribalfusion,DC=com
dsServiceName: CN=NTDS Settings,CN=LABDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com
namingContexts: DC=tf-lab,DC=test2,DC=com
namingContexts: CN=Configuration,DC=tf-lab,DC=test2,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=com
namingContexts: DC=DomainDnsZones,DC=tf-lab,DC=test2,DC=com
namingContexts: DC=ForestDnsZones,DC=tf-lab,DC=test2,DC=com
defaultNamingContext: DC=tf-lab,DC=test2,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=com
configurationNamingContext: CN=Configuration,DC=tf-lab,DC=test2,DC=com
rootDomainNamingContext: DC=tf-lab,DC=test2,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.1948
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 90680
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: labdc01.tf-lab.test2.com
ldapServiceName: tf-lab.test2.com:labdc01$@TF-LAB.TEST2.COM
serverName: CN=LABDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 0
forestFunctionality: 0
domainControllerFunctionality: 2

root at linux2 slapd-linux2]# grep err /var/log/dirsrv/slapd-linux2/errors
[root at linux2 slapd-linux2]#

On Mon, Oct 20, 2008 at 12:07 PM, Vipul Ramani wrote:
> CA is self-signed generated certificate . by Linux2 it self.
> [...]

--
Regards
Vipul Ramani

From rmeggins at redhat.com Mon Oct 20 20:57:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 14:57:01 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
Message-ID: <48FCF09D.8020403@redhat.com>

Vipul Ramani wrote:
> i think we are head to solutions ...
>
> do i need to re-install certificate in passync again ??? after we install new CSR with FQDN ... ???

No, at least, not yet. The ldapsearch output below looks correct. In your sync agreement, did you use labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN.

Is /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between slapd-linux2cert8.db and cert8.db?
> > > root at linux2 slapd-linux2]# /usr/lib/mozldap/ldapsearch -v -h > labdc01.tf-lab.test2.com -p 636 -Z > -P /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db -3 -s base -b "" > "objectclass=*" > ldapsearch: started Mon Oct 20 06:18:20 2008 > > ldap_init( labdc01.tf-lab.test2.com , > 636 ) > ldaptool_getcertpath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db > ldaptool_getkeypath -- /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db > ldaptool_getmodpath -- (null) > ldaptool_getdonglefilename -- (null) > filter pattern: objectclass=* > returning: ALL > filter is: (objectclass=*) > version: 1 > dn: > currentTime: 20081020202134.0Z > subschemaSubentry: > CN=Aggregate,CN=Schema,CN=Configuration,DC=tf-lab,DC=tribal > fusion,DC=com > dsServiceName: CN=NTDS > Settings,CN=LABDC01,CN=Servers,CN=Default-First-Site-Na > me,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com > namingContexts: DC=tf-lab,DC=test2,DC=com > namingContexts: CN=Configuration,DC=tf-lab,DC=test2,DC=com > namingContexts: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=com > namingContexts: DC=DomainDnsZones,DC=tf-lab,DC=test2,DC=com > namingContexts: DC=ForestDnsZones,DC=tf-lab,DC=test2,DC=com > defaultNamingContext: DC=tf-lab,DC=test2,DC=com > schemaNamingContext: CN=Schema,CN=Configuration,DC=tf-lab,DC=test2,DC=c > om > configurationNamingContext: CN=Configuration,DC=tf-lab,DC=test2,DC=com > rootDomainNamingContext: DC=tf-lab,DC=test2,DC=com > supportedControl: 1.2.840.113556.1.4.319 > supportedControl: 1.2.840.113556.1.4.801 > supportedControl: 1.2.840.113556.1.4.473 > supportedControl: 1.2.840.113556.1.4.528 > supportedControl: 1.2.840.113556.1.4.417 > supportedControl: 1.2.840.113556.1.4.619 > supportedControl: 1.2.840.113556.1.4.841 > supportedControl: 1.2.840.113556.1.4.529 > supportedControl: 1.2.840.113556.1.4.805 > supportedControl: 1.2.840.113556.1.4.521 > supportedControl: 1.2.840.113556.1.4.1948 > supportedLDAPVersion: 3 > supportedLDAPVersion: 2 > supportedLDAPPolicies: MaxPoolThreads > 
supportedLDAPPolicies: MaxDatagramRecv > supportedLDAPPolicies: MaxReceiveBuffer > supportedLDAPPolicies: InitRecvTimeout > supportedLDAPPolicies: MaxConnections > supportedLDAPPolicies: MaxConnIdleTime > supportedLDAPPolicies: MaxPageSize > supportedLDAPPolicies: MaxQueryDuration > supportedLDAPPolicies: MaxTempTableSize > supportedLDAPPolicies: MaxResultSetSize > supportedLDAPPolicies: MaxNotificationPerConn > supportedLDAPPolicies: MaxValRange > highestCommittedUSN: 90680 > supportedSASLMechanisms: GSSAPI > supportedSASLMechanisms: GSS-SPNEGO > supportedSASLMechanisms: EXTERNAL > supportedSASLMechanisms: DIGEST-MD5 > dnsHostName: labdc01.tf-lab.test2.com > ldapServiceName: tf-lab.test2.com:labdc01$@TF-LAB.TEST2.COM > > serverName: > CN=LABDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tf-lab,DC=test2,DC=com > supportedCapabilities: 1.2.840.113556.1.4.800 > supportedCapabilities: 1.2.840.113556.1.4.1670 > supportedCapabilities: 1.2.840.113556.1.4.1791 > isSynchronized: TRUE > isGlobalCatalogReady: TRUE > domainFunctionality: 0 > forestFunctionality: 0 > domainControllerFunctionality: 2 > > > root at linux2 slapd-linux2]# grep err /var/log/dirsrv/slapd-linux2/errors > [root at linux2 slapd-linux2]# > > > > > > > > On Mon, Oct 20, 2008 at 12:07 PM, Vipul Ramani > wrote: > > > > CA is self-signed generated certificate . by Linux2 it self. 
> [root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1000 (0x3e8)
>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>         Issuer: "CN=CAcert"
>         Validity:
>             Not Before: Fri Oct 17 15:11:18 2008
>             Not After : Wed Oct 17 15:11:18 2018
>         Subject: "CN=CAcert"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     c8:40:4b:86:0b:70:3d:5d:6a:f6:f4:a5:86:e9:1c:98:
>                     d0:dd:19:31:e3:b8:18:3b:0a:c8:9f:83:33:98:cd:98:
>                     54:83:9d:73:97:69:04:26:b8:75:4a:95:7e:ed:92:62:
>                     51:2c:70:8a:a6:f2:a6:8b:b5:c6:53:d3:f8:cc:01:c9:
>                     e8:78:55:1f:69:e3:c4:5c:5e:e8:a6:bf:dc:53:ac:a6:
>                     ce:75:14:98:2f:a7:c0:da:ae:be:5d:91:e6:f2:96:84:
>                     02:a0:ec:df:e4:de:91:25:2d:65:d8:bd:79:3d:07:ea:
>                     8c:9f:9e:5b:ee:04:a3:18:2e:98:c6:ab:15:a1:d5:d9
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>     Signature:
>         55:bd:f2:f7:37:e5:60:e0:87:20:a7:d7:69:b2:eb:79:
>         e6:98:7e:72:f1:b1:dc:11:08:94:fd:c3:56:a8:14:37:
>         2b:1b:cd:bc:05:3d:54:45:73:7f:b2:dc:f8:f1:f4:44:
>         61:25:54:c6:e2:c2:68:1f:d7:cc:d3:37:16:37:98:b8:
>         37:c3:7e:49:48:12:58:17:26:fe:87:bc:d4:ef:ee:6b:
>         5d:35:1f:1f:72:a5:5e:6b:b7:94:e6:c3:63:7c:2a:24:
>         4c:43:39:cd:74:7b:56:08:15:f9:85:3f:ed:c9:ba:01:
>         88:d0:90:84:1d:e6:0e:84:7f:83:8e:bf:9e:9a:b2:a3
>     Fingerprint (MD5):
>         2C:77:B6:61:BA:3D:F0:E2:8E:EB:BA:4D:74:A4:E4:0C
>     Fingerprint (SHA1):
>         06:FE:B9:62:26:E7:56:1E:2B:84:C0:5E:AC:DC:F7:1A:AE:A8:58:0E
>
>     Certificate Trust Flags:
>         SSL Flags:
>             Valid CA
>             Trusted CA
>             User
>             Trusted Client CA
>         Email Flags:
>             User
>         Object Signing Flags:
>             User
>
> [root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             14:fc:4e:02:00:00:00:00:00:16
>         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>         Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
>         Validity:
>             Not Before: Fri Oct 17 23:35:13 2008
>             Not After : Sun Oct 17 23:35:13 2010
>         Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     da:db:9b:d8:c2:aa:42:4e:85:69:b2:0a:19:46:87:2d:
>                     67:e6:4b:9b:4d:97:96:6a:e3:bf:90:c2:ab:a7:0d:17:
>                     --removed-some-part---
>                     24:72:dc:18:5c:7e:1a:16:b3:bd:38:1b:0a:0f:a6:48:
>                     ae:4e:ef:5a:eb:cd:12:6f:5e:16:8f:6c:ce:ff:fa:71
>                 Exponent: 65537 (0x10001)
>         Signed Extensions:
>             Name: Certificate Subject Key ID
>             Data:
>                 75:e0:f9:0d:9f:77:24:61:38:87:17:87:43:ee:25:5d:
>                 c0:b2:4f:d3
>
>             Name: Certificate Authority Key Identifier
>             Key ID:
>                 83:c2:a6:03:eb:b2:a8:ea:40:d0:63:42:01:68:8f:a8:
>                 11:9e:ec:f9
>
>             Name: CRL Distribution Points
>             URI: "ldap:///CN=labdc01,CN=labdc01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint"
>             URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.crl"
>
>             Name: Authority Information Access
>             Method: PKIX CA issuers access method
>             Location:
>                 URI: "ldap:///CN=labdc01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=tf-lab,DC=test2,DC=com?cACertificate?base?objectClass=certificationAuthority"
>             Method: PKIX CA issuers access method
>             Location:
>                 URI: "http://labdc01.tf-lab.test2.com/CertEnroll/labdc01.tf-lab.test2.com_labdc01.crt"
>
>             Name: Microsoft Enrollment Cert Type Extension
>             Data: "WebServer"
>
>             Name: Certificate Basic Constraints
>             Critical: True
>             Data: Is not a CA.
>
>             Name: Certificate Key Usage
>             Usages: Digital Signature
>                     Key Encipherment
>
>             Name: Extended Key Usage
>                 TLS Web Server Authentication Certificate
>
>     Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>     Signature:
>         0b:f7:2f:25:e5:99:aa:27:59:5d:76:96:5a:64:0b:a7:
>         91:7d:48:49:fd:a8:46:db:cc:39:7b:97:34:94:3c:0c:
>         7c:fe:4d:f7:99:5e:da:a6:7d:53:5c:36:ba:ed:a7:05:
>         60:04:2a:76:6e:02:75:a0:1c:59:bd:ad:82:db:fc:61:
>         --removed some--part--
>         6d:11:23:4c:77:60:18:ec:fd:47:63:72:d3:00:ee:04:
>         c2:01:3a:d8:dc:f1:4b:55:c5:7a:39:09:83:9b:09:bd:
>         65:64:4c:6f:8d:19:86:94:95:76:1b:07:08:ad:03:70
>     Fingerprint (MD5):
>         BD:3D:31:6C:27:A8:82:1A:11:81:5B:F6:56:D7:FA:E3
>     Fingerprint (SHA1):
>         89:45:EE:8E:7D:B7:01:EB:72:80:F2:86:91:B8:02:D4:60:3A:19:FA
>
>     Certificate Trust Flags:
>         SSL Flags:
>             Valid CA
>             Trusted CA
>             User
>             Trusted Client CA
>         Email Flags:
>             User
>         Object Signing Flags:
>             User
>
> /usr/lib/mozldap/ldapsearch -h windowshost -p 636 -Z -P /etc/dirsrv/slapd-linux2 -3 -s base -b "" "objectclass=*"
>
> When I do this I am getting a core dump ... :((
>
> --
> Regards
>
> Vipul Ramani
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From vipulramani at gmail.com Mon Oct 20 21:29:48 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 14:29:48 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

HI Rich

The ldapsearch output below looks correct. In your sync agreement, did you use labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN. Is

In the winsync agreement I used the FQDN ...
/etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between slapd-linux2cert8.db and cert8.db?

Yes, you are right, it is a symlink. /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db is a symlink to /etc/dirsrv/slapd-linux2/cert8.db ....

Regards
Vipul Ramani

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Mon Oct 20 21:38:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 15:38:22 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FCFA4E.5040607@redhat.com>

Vipul Ramani wrote:
> HI Rich
>
> The ldapsearch output below looks correct. In your sync agreement, did
> you use labdc01.tf-lab.test2.com or just labdc01? You have to use the FQDN. Is
>
> In the winsync agreement I used the FQDN ...
>
> /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db a symlink to
> /etc/dirsrv/slapd-linux2/cert8.db? What is the relationship between
> slapd-linux2cert8.db and cert8.db?
>
> Yes, you are right, it is a symlink.
> /etc/dirsrv/slapd-linux2/slapd-linux2cert8.db is a symlink to
> /etc/dirsrv/slapd-linux2/cert8.db ....

The original error is this:
https://www.redhat.com/archives/fedora-directory-users/2008-October/msg00056.html

NSMMReplicationPlugin - agmt ="cn=vedant " ( labdc01:636) : simple bind failed , LDAP sdk error 91 ( Can't connect to the LDAP server ) , Netscape Portable Runtime error - 8179 ( Peer's Certificate issuer is not recoginzed )

That usually means that Fedora DS cannot verify the AD SSL server cert. This is usually because Fedora DS doesn't have or trust the CA cert of the CA that issued the AD SSL cert. The Peer in this case is the AD SSL server, the issuer is the CA that issued the AD SSL server cert. I'm not sure what the problem could be.
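Rich's diagnosis above comes down to one question: does the NSS database Fedora DS uses contain, and trust for SSL, the CA that signed the AD server's certificate? The following Python is an added example, not code from this thread, from Fedora DS or from NSS. It reads the text that `certutil -L -d <dir> -n <nick>` prints and answers that question for every certificate in the dump. `SAMPLE_DUMP` is constructed here as a trimmed copy of the two certificates posted earlier in the thread (key material, fingerprints and most extensions cut); the issuer, subject, basic-constraints and trust-flag values are those from the posted output.

```python
"""Check that every certificate in a certutil -L dump chains to a CA the
same NSS database trusts for SSL.

Added example, not code from the thread, from Fedora DS or from NSS. It
parses what `certutil -L -d <dir> -n <nick>` prints (issuer, subject,
basic constraints, SSL trust flags) and reports certificates whose issuer
is missing or untrusted, plus end-entity certificates that carry CA trust
flags. SAMPLE_DUMP is constructed: a trimmed copy of the two certificates
posted in the thread, with key material and fingerprints removed.
"""
import re

SAMPLE_DUMP = """\
[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "CA"

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Issuer: "CN=CAcert"
        Subject: "CN=CAcert"
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User

[root@linux2 ~]# certutil -L -d /etc/dirsrv/slapd-linux2 -n "linux2"

Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=labdc01,DC=tf-lab,DC=test2,DC=com"
        Subject: "CN=linux2,OU=Ops,O=Exponential,L=Emeryville,ST=California,C=US"
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is not a CA.
    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            User
            Trusted Client CA
        Email Flags:
            User
        Object Signing Flags:
            User
"""

# The certutil command line that starts each block names the certificate.
CMD_RE = re.compile(r'certutil -L .*-n "([^"]+)"')


def parse_certutil_dump(text):
    """Return one dict per certificate: nickname, issuer, subject, is_ca, ssl_flags."""
    certs, current, in_ssl = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.search(line)
        if m:
            current = {"nickname": m.group(1), "issuer": None, "subject": None,
                       "is_ca": None, "ssl_flags": set()}
            certs.append(current)
            in_ssl = False
            continue
        if current is None:
            continue
        if line.startswith('Issuer: "'):
            current["issuer"] = line[len('Issuer: "'):-1]
        elif line.startswith('Subject: "'):
            current["subject"] = line[len('Subject: "'):-1]
        elif line.startswith("Data: Is"):          # Basic Constraints value line
            current["is_ca"] = "not a CA" not in line
        elif line == "SSL Flags:":
            in_ssl = True
        elif line.endswith("Flags:"):              # Email Flags: / Object Signing Flags:
            in_ssl = False
        elif in_ssl and line:
            current["ssl_flags"].add(line)
    return certs


def check_trust(certs):
    """Findings a defender wants: missing or untrusted issuers, CA flags on leaf certs."""
    by_subject = {c["subject"]: c for c in certs}
    findings = []
    for c in certs:
        if c["issuer"] != c["subject"]:           # self-signed roots vouch for themselves
            issuer = by_subject.get(c["issuer"])
            if issuer is None:
                findings.append(f'{c["nickname"]}: issuer "{c["issuer"]}" is not in the database')
            elif "Trusted CA" not in issuer["ssl_flags"]:
                findings.append(f'{c["nickname"]}: issuer "{issuer["nickname"]}" lacks the Trusted CA SSL flag')
        ca_flags = sorted({"Valid CA", "Trusted CA", "Trusted Client CA"} & c["ssl_flags"])
        if c["is_ca"] is False and ca_flags:
            findings.append(f'{c["nickname"]}: end-entity certificate carries CA trust flags {ca_flags}')
    return findings


if __name__ == "__main__":
    for finding in check_trust(parse_certutil_dump(SAMPLE_DUMP)):
        print(finding)
```

On the constructed sample the check reports two things: the issuer of `linux2` (`CN=labdc01,DC=tf-lab,DC=test2,DC=com`) is not present in the database at all, which is the condition an "issuer is not recognized" error describes, and the `linux2` end-entity certificate carries CA trust flags (`Valid CA`, `Trusted CA`, `Trusted Client CA`) that a server certificate does not need. On a live instance, run `certutil -L -d /etc/dirsrv/slapd-<instance> -n <nick>` for each nickname the bare `certutil -L` listing shows and feed the concatenated output to `parse_certutil_dump`; the check only sees what is in that one database, so a CA installed elsewhere on the host does not count.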
From vipulramani at gmail.com Mon Oct 20 21:43:21 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 14:43:21 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

look new error ...

20/Oct/2008:06:36:22 -0700] conn=4 op=92 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test2,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
[20/Oct/2008:06:36:22 -0700] conn=4 op=92 RESULT err=0 tag=101 nentries=1 etime=0
[20/Oct/2008:06:37:12 -0700] conn=12 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
[20/Oct/2008:06:37:12 -0700] conn=12 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[20/Oct/2008:06:37:13 -0700] conn=13 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
[20/Oct/2008:06:37:13 -0700] conn=13 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
[20/Oct/2008:06:44:34 -0700] conn=5 op=111 SRCH base="cn=RAS and IAS Servers, ou=People, dc=tf-lab,dc=test2,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[20/Oct/2008:06:44:34 -0700] conn=5 op=111 RESULT err=0 tag=101 nentries=1 etime=0
[20/Oct/2008:06:44:35 -0

From rmeggins at redhat.com Mon Oct 20 22:17:34 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 16:17:34 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FD037E.9030202@redhat.com>

Vipul Ramani wrote:
> look new error ...
>
> 20/Oct/2008:06:36:22 -0700] conn=4 op=92 SRCH base="cn=Vedant, cn=replica, cn=\22dc=tf-lab,dc=test2,dc=com\22, cn=mapping tree, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsds5replicaLastUpdateStart nsds5replicaLastUpdateEnd nsds5replicaChangesSentSinceStartup nsds5replicaLastUpdateStatus nsds5replicaUpdateInProgress nsds5replicaLastInitStart nsds5replicaLastInitEnd nsds5replicaLastInitStatus nsds5BeginReplicaRefresh"
> [20/Oct/2008:06:36:22 -0700] conn=4 op=92 RESULT err=0 tag=101 nentries=1 etime=0
> [20/Oct/2008:06:37:12 -0700] conn=12 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
>
> [20/Oct/2008:06:37:12 -0700] conn=12 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.
> [20/Oct/2008:06:37:13 -0700] conn=13 fd=68 slot=68 SSL connection from 192.168.1.200 to 192.168.1.210
>
> [20/Oct/2008:06:37:13 -0700] conn=13 op=-1 fd=68 closed - Peer does not recognize and trust the CA that issued your certificate.

I'm not sure what this means - are you trying to use SSL client cert auth or simple bind?

> [20/Oct/2008:06:44:34 -0700] conn=5 op=111 SRCH base="cn=RAS and IAS Servers, ou=People, dc=tf-lab,dc=test2,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
> [20/Oct/2008:06:44:34 -0700] conn=5 op=111 RESULT err=0 tag=101 nentries=1 etime=0
> [20/Oct/2008:06:44:35 -0

From jonas.courteau at bravenet.com Mon Oct 20 22:31:01 2008
From: jonas.courteau at bravenet.com (Jonas Courteau)
Date: Mon, 20 Oct 2008 15:31:01 -0700
Subject: [Fedora-directory-users] Confusion over what can/can't be synced with Windows Sync
Message-ID: <1224541861.8108.77.camel@jcourteau-desktop>

Hello all:

I've been fiddling around off and on getting a Fedora DS box sync'd with our AD server. The problem is, the way the users are arranged on the AD server, I'm not sure how to sync everything at once.

The layout (appropriately anonymized) on the AD server:

- dc=example,dc=com
  |- ou=Groups
  |  |- a bunch of groups
  |
  |- ou=Unit1
  |  |- a bunch of users belonging to one business unit
  |
  |- ou=Unit2
  |  |- more users, different business unit
  |
  |- ou=Users
     |- system users

On the DS side of things, I've manually created the appropriate OUs, but the question is - how do I configure the sync agreement to sync all the OUs at once?
It only seems to work if I configure the sync agreement to a subtree including only one of the OUs.

I'm trying to do this without having to convince the AD administrator to change his odd layout of users - any ideas?

Thanks!

Jonas Courteau

From vipulramani at gmail.com Mon Oct 20 23:01:00 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 16:01:00 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Yes, I am using simple authentication. NOT SSL based client auth ..

Any plans for PassSync support for 64-bit OS ???

--
Regards
Vipul Ramani

From rmeggins at redhat.com Mon Oct 20 23:04:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 17:04:44 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FD0E8C.9090701@redhat.com>

Vipul Ramani wrote:
> Yes, I am using simple authentication. NOT SSL based client auth ..

I don't understand why you're getting the peer cert error then. Try enabling the replication log level - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting - to get some more detail about the bind procedure

> Any plans for PassSync support for 64-bit OS ???

No. No plans currently.
From vipulramani at gmail.com Mon Oct 20 23:10:04 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Mon, 20 Oct 2008 16:10:04 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

already enabled 8192 log-level !!! ...

And what does it mean 64-bit does not supported - does mean FDS community won't be able to support or PassSync not work at all !!! Can you please explain ...

do you know any other piece of code which will replace PassSync and I can come out of this 64-bit limitation ???

On Mon, Oct 20, 2008 at 4:01 PM, Vipul Ramani wrote:
> Yes, I am using simple authentication. NOT SSL based client auth ..
>
> Any plans for PassSync support for 64-bit OS ???

--
Regards
Vipul Ramani

From rmeggins at redhat.com Tue Oct 21 01:41:30 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Oct 2008 19:41:30 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FD334A.4040105@redhat.com>

Vipul Ramani wrote:
> already enabled 8192 log-level !!! ...
>
> And what does it mean 64-bit does not supported - does mean FDS
> community won't be able to support or PassSync not work at all !!! Can
> you please explain ...

That means we don't have a 64-bit Windows development environment with which to develop and test 64-bit winsync. AFAIK, the code is 64-bit clean - it just needs to be built and tested.

> do you know any other piece of code which will replace PassSync and I
> can come out of this 64-bit limitation ???

No, not that I know of.

> On Mon, Oct 20, 2008 at 4:01 PM, Vipul Ramani wrote:
>
> Yes, I am using simple authentication. NOT SSL based client auth ..
> Any plans for PassSync support for 64-bit OS ???

From vipulramani at gmail.com Tue Oct 21 17:16:35 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 21 Oct 2008 10:16:35 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Rich,

Any luck ?? What to do now ..

Is it possible to build 64-bit PassSync - I wish to use it ....

--
Regards
Vipul Ramani

From rmeggins at redhat.com Tue Oct 21 17:31:14 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Oct 2008 11:31:14 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FE11E2.2090908@redhat.com>

Vipul Ramani wrote:
> Rich,
>
> Any luck ?? What to do now ..

I'm not sure. It seems like some sort of SSL cert issuance or CA trust issue.

> Is it possible to build 64-bit PassSync - I wish to use it ....

Yes, it is possible for you to build it.
From vipulramani at gmail.com Tue Oct 21 18:00:22 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 21 Oct 2008 11:00:22 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Then I am waiting for the PassSync 64-bit version.

On Tue, Oct 21, 2008 at 10:16 AM, Vipul Ramani wrote:
> Rich,
>
> Any luck ?? What to do now ..
>
> Is it possible to build 64-bit PassSync - I wish to use it ....

--
Regards
Vipul Ramani

From vipulramani at gmail.com Tue Oct 21 19:07:35 2008
From: vipulramani at gmail.com (Vipul Ramani)
Date: Tue, 21 Oct 2008 12:07:35 -0700
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID:

Rich,

do you think this is a problem due to password policy ?? - but if we disable password policy on FDS, it must copy data, right ??? or it will fail .. ?? what do you say ...

Yes - we are getting an error related to CA .... [ it does not say anything about password policy .... ]

Can we do initial winsync replication without the same password policy @ ADC and @ FDS ?? - I guess it should - reason: it is simple replication.

what is your view ???

As per the document, if the password policy is not the same @ FDS AND @ ADC, then if any password is changed on ADC it won't be replicated to FDS, right .... ?

--
Regards
Vipul Ramani
From rmeggins at redhat.com Tue Oct 21 19:17:15 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Oct 2008 13:17:15 -0600
Subject: [Fedora-directory-users] Re: SYNC without password ...
In-Reply-To:
References:
Message-ID: <48FE2ABB.9010503@redhat.com>

Vipul Ramani wrote:
> Rich,
>
> do you think this is a problem due to password policy ??

All of the problems I have seen so far are SSL related. So, no.

> - but if we disable password policy on FDS, it must copy data,
> right ???

Right. If Fedora DS accepts the password change, it will attempt to replay it to AD, and vice versa.

> or it will fail .. ?? what do you say ...
>
> Yes - we are getting an error related to CA .... [ it does not
> say anything about password policy .... ]
>
> Can we do initial winsync replication without the same password policy @
> ADC and @ FDS ?? - I guess it should - reason: it is simple replication.
>
> what is your view ???

Yes. You can sync everything except passwords.

> As per the document, if the password policy is not the same @ FDS AND @ ADC,
> then if any password is changed on ADC it won't be replicated to FDS, right .... ?

Right. You could have a case where the password policy on FDS is more restrictive than on AD, or vice versa.

From hugo.etievant at inrp.fr Mon Oct 27 15:10:26 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Mon, 27 Oct 2008 16:10:26 +0100
Subject: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
Message-ID: <4905D9E2.5010908@inrp.fr>

Hello,

I try to use the global password policy in order to forbid the change of user password.

I put the field "User may change password" unchecked with the console.
But normal users can change their own password with the /usr/lib/mozldap/ldappasswd command:

# /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w - -S
New Password:
Re-enter new Password:
Enter bind password:
ldappasswd: password successfully changed

A command-line verification in the cn=config entry of the DIT shows the passwordChange attribute value as "Off":

# /usr/lib/mozldap/ldapsearch -s base -b "cn=config" -D "cn=Directory Manager" -w - "(cn=config)" passwordChange
Enter bind password:
version: 1
dn: cn=config
passwordChange: off

I have created a local password policy for my "ou=People" subtree and for my user "User1", but the user can change their own password !!!!!!
If I restart the dirsrv service on the system, this item of policy is used.

CONCLUSION = All changes of the field "User may change password" on Password Policy require a restart of the LDAP daemon !

--
* Hugo Étiévant *

From rmeggins at redhat.com Mon Oct 27 15:29:10 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Oct 2008 09:29:10 -0600
Subject: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
In-Reply-To: <4905D9E2.5010908@inrp.fr>
References: <4905D9E2.5010908@inrp.fr>
Message-ID: <4905DE46.6040307@redhat.com>

Hugo Etievant wrote:
> Hello,
>
> I try to use the global password policy in order to forbid the change
> of user password.
>
> I put the field "User may change password" unchecked with the console.
>
> But normal users can change their own password with the
> /usr/lib/mozldap/ldappasswd command:
> # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w - -S
> New Password:
> Re-enter new Password:
> Enter bind password:
> ldappasswd: password successfully changed

What if you use ldapmodify to modify the userPassword attribute directly - same result?
>
> A command-line verification in the cn=config entry of the DIT shows the
> passwordChange attribute value as "Off":
> # /usr/lib/mozldap/ldapsearch -s base -b "cn=config" -D "cn=Directory Manager" -w - "(cn=config)" passwordChange
> Enter bind password:
> version: 1
> dn: cn=config
> passwordChange: off
>
> I have created a local password policy for my "ou=People" subtree and
> for my user "User1", but the user can change their own password !!!!!!
> If I restart the dirsrv service on the system, this item of policy is used.
>
> CONCLUSION = All changes of the field "User may change password" on
> Password Policy require a restart of the LDAP daemon !

From hugo.etievant at inrp.fr Mon Oct 27 15:40:38 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Mon, 27 Oct 2008 16:40:38 +0100
Subject: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
In-Reply-To: <4905DE46.6040307@redhat.com>
References: <4905D9E2.5010908@inrp.fr> <4905DE46.6040307@redhat.com>
Message-ID: <4905E0F6.5030505@inrp.fr>

hello,

If I use the ldapmodify command, a change of the password policy's "User may change password" attribute is used immediately without an LDAP daemon restart, but if I use ldappasswd, I have to restart the LDAP daemon !!!

why this difference ?

Rich Megginson wrote:
> Hugo Etievant wrote:
>> Hello,
>>
>> I try to use the global password policy in order to forbid the change
>> of user password.
>>
>> I put the field "User may change password" unchecked with the console.
>>
>> But normal users can change their own password with the
>> /usr/lib/mozldap/ldappasswd command:
>> # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w - -S
>> ldappasswd: password successfully changed
> What if you use ldapmodify to modify the userPassword attribute
> directly - same result?
>> CONCLUSION = All changes of the field "User may change password" on
>> Password Policy require a restart of the LDAP daemon !

--
* Hugo Étiévant *

From rmeggins at redhat.com Mon Oct 27 15:46:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Oct 2008 09:46:29 -0600
Subject: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
In-Reply-To: <4905E0F6.5030505@inrp.fr>
References: <4905D9E2.5010908@inrp.fr> <4905DE46.6040307@redhat.com> <4905E0F6.5030505@inrp.fr>
Message-ID: <4905E255.5000508@redhat.com>

Hugo Etievant wrote:
> hello,
>
> If I use the ldapmodify command, a change of the password policy's "User
> may change password" attribute is used immediately without an LDAP daemon
> restart,
> but if I use ldappasswd, I have to restart the LDAP daemon !!!
>
> why this difference ?

Let me see if I understand. After changing the password policy to "User may change password":
If you use ldapmodify to change the userPassword attribute, the policy is in effect immediately without a server restart
If you use ldappasswd to change the user's password, the policy is not in effect until after a server restart

Is this correct? If so, sounds like a bug - in either case, the change should take effect immediately.

> Rich Megginson wrote:
>> Hugo Etievant wrote:
>>> H



ello,
>>>
>>> I try to use the global password policy in order to forbid the
>>> change of user password.
>>>
>>> I put the field "User may change password" unchecked with the console.
>>>
>>> But normal users can change their own password with the
>>> /usr/lib/mozldap/ldappasswd command:
>>> # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w - -S
>>> ldappasswd: password successfully changed
>> What if you use ldapmodify to modify the userPassword attribute
>> directly - same result?
>>> CONCLUSION = All changes of the field "User may change password" on
>>> Password Policy require a restart of the LDAP daemon !

From hugo.etievant at inrp.fr Mon Oct 27 16:12:33 2008
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Mon, 27 Oct 2008 17:12:33 +0100
Subject: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
In-Reply-To: <4905E255.5000508@redhat.com>
References: <4905D9E2.5010908@inrp.fr> <4905DE46.6040307@redhat.com> <4905E0F6.5030505@inrp.fr> <4905E255.5000508@redhat.com>
Message-ID: <4905E871.7070505@inrp.fr>

Rich Megginson wrote:
> Hugo Etievant wrote:
>> hello,
>>
>> If I use the ldapmodify command, a change of the password policy's "User
>> may change password" attribute is used immediately without an LDAP
>> daemon restart,
>> but if I use ldappasswd, I have to restart the LDAP daemon !!!
>>
>> why this difference ?
> Let me see if I understand. After changing the password policy to
> "User may change password":
> If you use ldapmodify to change the userPassword attribute, the policy
> is in effect immediately without a server restart
> If you use ldappasswd to change the user's password, the policy is not
> in effect until after a server restart
>
> Is this correct?

Yes, it is ! Exactly.

> If so, sounds like a bug - in either case, the change should take
> effect immediately.

I think so, too !

--
* Hugo Étiévant *

From wilmer at fedoraproject.org Tue Oct 28 01:30:36 2008
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Tue, 28 Oct 2008 21:00:36 +1930
Subject: [Fedora-directory-users] FDS - The whoami Response
Message-ID: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com>

I was writing a program in Python and trying a response "Who am I Operation (RFC4532)" implemented in the Python API with ldap.whoami_s(); working with a FDS backend I get the following error:
"unsupported extended operation - desc: Protocol Error"
so, the LDAP Who Am I extended operation is unsupported in FDS?
Thanks.

--
Wilmer Jaramillo M., Fedora Project
yum isn't useful for geeks, is just for lazy people
irc.freenode.net: k0k @ #fedora-ve, #talug
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From rmeggins at redhat.com Tue Oct 28 01:54:03 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Oct 2008 19:54:03 -0600
Subject: [Fedora-directory-users] FDS - The whoami Response
In-Reply-To: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com>
References: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com>
Message-ID: <490670BB.4010808@redhat.com>

Wilmer Jaramillo M. wrote:
> I was writing a program in Python and trying a response "Who am I
> Operation (RFC4532)" implemented in the Python API with
> ldap.whoami_s(); working with a FDS backend I get the following error:
> "unsupported extended operation - desc: Protocol Error"
> so, the LDAP Who Am I extended operation is unsupported in FDS?

No, it is not. We have no plans currently to support it.

> Thanks.

From wilmer at fedoraproject.org Tue Oct 28 02:02:52 2008
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Tue, 28 Oct 2008 21:32:52 +1930
Subject: [Fedora-directory-users] FDS - The whoami Response
In-Reply-To: <490670BB.4010808@redhat.com>
References: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com> <490670BB.4010808@redhat.com>
Message-ID: <2b26c4260810271902q3ea944c0mede510685a053a7d@mail.gmail.com>

On Tue, Oct 28, 2008 at 9:24 PM, Rich Megginson wrote:
> Wilmer Jaramillo M. wrote:
>> I was writing a program in Python and trying a response "Who am I
>> Operation (RFC4532)" implemented in the Python API with
>> ldap.whoami_s(); working with a FDS backend I get the following error:
>> "unsupported extended operation - desc: Protocol Error"
>> so, the LDAP Who Am I extended operation is unsupported in FDS?
>
> No, it is not. We have no plans currently to support it.

OK, maybe you/I can add it to the wishlist wiki page?
From rmeggins at redhat.com Tue Oct 28 02:11:28 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Oct 2008 20:11:28 -0600
Subject: [Fedora-directory-users] FDS - The whoami Response
In-Reply-To: <2b26c4260810271902q3ea944c0mede510685a053a7d@mail.gmail.com>
References: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com> <490670BB.4010808@redhat.com> <2b26c4260810271902q3ea944c0mede510685a053a7d@mail.gmail.com>
Message-ID: <490674D0.9080105@redhat.com>

Wilmer Jaramillo M. wrote:
> On Tue, Oct 28, 2008 at 9:24 PM, Rich Megginson wrote:
>> Wilmer Jaramillo M. wrote:
>>> I was writing a program in Python and trying a response "Who am I
>>> Operation (RFC4532)" implemented in the Python API with
>>> ldap.whoami_s(); working with a FDS backend I get the following error:
>>> "unsupported extended operation - desc: Protocol Error"
>>> so, the LDAP Who Am I extended operation is unsupported in FDS?
>>
>> No, it is not. We have no plans currently to support it.
>
> OK, maybe you/I can add it to the wishlist wiki page?

Sure.

From andrey.ivanov at polytechnique.fr Tue Oct 28 08:34:30 2008
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 28 Oct 2008 09:34:30 +0100
Subject: [Fedora-directory-users] FDS - The whoami Response
In-Reply-To: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com>
References: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com>
Message-ID: <1601b8650810280134u411577a6qea8b7462b384aaee@mail.gmail.com>

Hi,

It is not supported in the current version. I have already made a feature request in bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=437632

2008/10/28 Wilmer Jaramillo M.
> I was writing a program in Python and trying a response "Who am I
> Operation (RFC4532)" implemented in the Python API with
> ldap.whoami_s(); working with a FDS backend I get the following error:
> "unsupported extended operation - desc: Protocol Error"
> so, the LDAP Who Am I extended operation is unsupported in FDS?
>
> Thanks.

From michael at stroeder.com Tue Oct 28 10:11:56 2008
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 28 Oct 2008 11:11:56 +0100
Subject: [Fedora-directory-users] FDS - The whoami Response
In-Reply-To: <2b26c4260810271902q3ea944c0mede510685a053a7d@mail.gmail.com>
References: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com> <490670BB.4010808@redhat.com> <2b26c4260810271902q3ea944c0mede510685a053a7d@mail.gmail.com>
Message-ID: <4906E56C.6050207@stroeder.com>

Wilmer Jaramillo M. wrote:
> On Tue, Oct 28, 2008 at 9:24 PM, Rich Megginson wrote:
>> Wilmer Jaramillo M. wrote:
>>> I was writing a program in Python and trying a response "Who am I
>>> Operation (RFC4532)" implemented in the Python API with
>>> ldap.whoami_s(),

Wilmer, out of curiosity: Are you using SASL bind with server-side identity mapping? Or why are you doing this?

>>> working with a FDS backend I get the following error:
>>> "unsupported extended operation - desc: Protocol Error"
>>> so, the LDAP Who Am I extended operation is unsupported in FDS?
>>>
>> No, it is not. We have no plans currently to support it.
>
> OK, maybe you/I can add it to the wishlist wiki page?

It seems FDS implements something similar: an extended control to be sent along with the bind request/response (see RFC 3829, OID values 2.16.840.1.113730.3.4.15/2.16.840.1.113730.3.4.16 in attribute supportedControl of rootDSE). Currently python-ldap does not support this control though. Patches for python-ldap welcome. ;-)

Ciao, Michael.
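Michael's message above names the two mechanisms in play: the Who Am I extended operation (RFC 4532) that ldap.whoami_s() sends, and the RFC 3829 Authorization Identity controls that travel with a bind. The Python below is an added example, not code from this thread, from Fedora DS or from python-ldap. It shows how a client can pick the mechanism from the server's rootDSE and what each one looks like on the wire, using only the standard library and a minimal BER encoder/decoder so that it runs with no directory server. The rootDSE dictionaries and the BindResponse bytes are constructed here for illustration; which OIDs a given server really advertises has to be read from its own rootDSE.

```python
"""Choose between Who Am I (RFC 4532) and the RFC 3829 Authorization
Identity controls from the rootDSE, and build/parse the wire messages.

Added example, not code from the thread, from Fedora DS or from python-ldap.
Standard library only; the BER helpers cover just what LDAP needs here. The
rootDSE attribute sets and SAMPLE_BIND_RESPONSE are constructed.
"""

WHOAMI_EXOP = "1.3.6.1.4.1.4203.1.11.3"        # RFC 4532 Who Am I? extended operation
AUTHZID_REQUEST = "2.16.840.1.113730.3.4.16"   # RFC 3829 request control (no value)
AUTHZID_RESPONSE = "2.16.840.1.113730.3.4.15"  # RFC 3829 response control (value = authzId)

# Constructed rootDSE attribute sets: a server that, as described in the thread,
# lists the controls but not the exop, and one that offers Who Am I.
FDS_LIKE_ROOT_DSE = {"supportedControl": [AUTHZID_REQUEST, AUTHZID_RESPONSE],
                     "supportedExtension": []}
WHOAMI_ROOT_DSE = {"supportedControl": [], "supportedExtension": [WHOAMI_EXOP]}


def choose_identity_mechanism(root_dse):
    """Prefer the exop (usable at any time); fall back to the bind-time control."""
    if WHOAMI_EXOP in root_dse.get("supportedExtension", ()):
        return "whoami"
    if AUTHZID_REQUEST in root_dse.get("supportedControl", ()):
        return "authzid-control"
    return None


# ---- minimal BER ---------------------------------------------------------
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def ber_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = ber_read(content, pos)
        out.append((tag, inner))
    return out


def encode_whoami_request(msgid):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] } }."""
    exop = tlv(0x77, tlv(0x80, WHOAMI_EXOP.encode()))
    return tlv(0x30, tlv(0x02, bytes([msgid])) + exop)     # msgid < 128 kept simple


def encode_simple_bind_with_authzid(msgid, dn, password):
    """Simple BindRequest [APPLICATION 0] plus controls [0] carrying the RFC 3829 request."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    controls = tlv(0xA0, tlv(0x30, tlv(0x04, AUTHZID_REQUEST.encode())))
    return tlv(0x30, tlv(0x02, bytes([msgid])) + bind + controls)


def parse_bind_response(msg):
    """Return (resultCode, authzId or None) from a BindResponse LDAPMessage."""
    _, body, _ = ber_read(msg)
    parts = ber_children(body)
    bind_resp = next(content for tag, content in parts if tag == 0x61)
    result_code = int.from_bytes(ber_children(bind_resp)[0][1], "big")
    authzid = None
    for tag, content in parts:
        if tag != 0xA0:                              # controls [0]
            continue
        for _, ctrl in ber_children(content):
            fields = ber_children(ctrl)              # controlType, [criticality], [controlValue]
            if fields[0][1].decode() == AUTHZID_RESPONSE and len(fields) > 1 and fields[-1][0] == 0x04:
                authzid = fields[-1][1].decode()     # RFC 3829: the value is the bare authzId
    return result_code, authzid


# Constructed success BindResponse carrying the response control, as a server
# that advertises RFC 3829 would answer the bind built above.
SAMPLE_BIND_RESPONSE = tlv(
    0x30,
    tlv(0x02, b"\x01")
    + tlv(0x61, tlv(0x0A, b"\x00") + tlv(0x04, b"") + tlv(0x04, b""))
    + tlv(0xA0, tlv(0x30, tlv(0x04, AUTHZID_RESPONSE.encode())
                    + tlv(0x04, b"dn:uid=wilmer,ou=People,dc=example,dc=com"))),
)

if __name__ == "__main__":
    print(choose_identity_mechanism(FDS_LIKE_ROOT_DSE), choose_identity_mechanism(WHOAMI_ROOT_DSE))
    print(encode_whoami_request(1).hex())
    print(parse_bind_response(SAMPLE_BIND_RESPONSE))
```

The difference that matters for a client is timing: the RFC 3829 control only answers at bind time, so the authorization identity it reports is the one established by that bind, whereas Who Am I can be sent on an already-bound connection. Reading supportedExtension and supportedControl first, as choose_identity_mechanism does, avoids the "unsupported extended operation" protocol error in the original post.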
From jonas.courteau at bravenet.com Tue Oct 28 17:59:39 2008
From: jonas.courteau at bravenet.com (Jonas Courteau)
Date: Tue, 28 Oct 2008 10:59:39 -0700
Subject: [Fedora-directory-users] Re: Confusion over what can/can't be synced with Windows Sync
In-Reply-To: <1224541861.8108.77.camel@jcourteau-desktop>
References: <1224541861.8108.77.camel@jcourteau-desktop>
Message-ID: <1225216779.561.9.camel@jcourteau-desktop>

Hello:

I was hoping someone, anyone, would have some ideas on this. Is it just expected that you'd only want to sync something like ou=Users,dc=example,dc=com?

Thanks!

Jonas Courteau

On Mon, 2008-10-20 at 15:31 -0700, Jonas Courteau wrote:
> Hello all:
>
> I've been fiddling around off and on getting a fedora DS box sync'd with
> our AD server. The problem is, the way the users are arranged on the AD
> server, I'm not sure how to sync everything at once.
>
> The layout (appropriately anonymized) on the AD server:
> - dc=example,dc=com
>   |- ou=Groups
>   |  |- a bunch of groups
>   |
>   |- ou=Unit1
>   |  |- a bunch of users belonging to one business unit
>   |
>   |- ou=Unit2
>   |  |- more users, different business unit
>   |
>   |- ou=Users
>      |- system users
>
> On the DS side of things, I've manually created the appropriate OUs, but
> the question is - how do I configure the sync agreement to sync all the
> OUs at once? It only seems to work if I configure the sync agreement to
> a subtree including only one of the OUs.
>
> I'm trying to do this without having to convince the AD administrator to
> change his odd layout of users - any ideas?
>
> Thanks!
>
> Jonas Courteau

From dlannom at umd.umich.edu Tue Oct 28 19:02:33 2008
From: dlannom at umd.umich.edu (Dan Lannom)
Date: Tue, 28 Oct 2008 15:02:33 -0400
Subject: [Fedora-directory-users] dbverify
Message-ID: <490761C9.8050705@umd.umich.edu>

I plan to migrate to fds from SunOne 5.2 and so I want to validate the system.
I'm currently running version 1.1.3-2 of the directory on RHEL 5.2.
When I do searches against the server everything seems to work fine, but when I run /usr/lib/dirsrv/slapd-{{hostname}}/dbverify, with the server off, it fails with errors like:

[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 2
[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 8
[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 11
[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 14
...
[28/Oct/2008:10:52:16 -0400] - libdb: /var/lib/dirsrv/slapd-hume/db/{{SUFFIX}}/{{attribute}}.db4: DB_VERIFY_BAD: Database verification failed
[28/Oct/2008:10:52:16 -0400] DB verify - verify failed(-30975): /var/lib/dirsrv/slapd-{{hostname}}/db/userdata/{{attribute}}.db4

Reindexing does not change anything and I find the same errors for both i386 and x86_64, and the errors are almost identical for the master and the slaves.

Since I can't find any evidence of the indexes identified as corrupted not working, I wonder why dbverify is generating these errors.

Thanks for any help,

Dan Lannom
UM-Dearborn

From wilmer at fedoraproject.org Wed Oct 29 19:17:06 2008
From: wilmer at fedoraproject.org (Wilmer Jaramillo M.)
Date: Thu, 30 Oct 2008 14:47:06 +1930
Subject: [Fedora-directory-users] FDS - The whoami Response
In-Reply-To: <4906E56C.6050207@stroeder.com>
References: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com> <490670BB.4010808@redhat.com> <2b26c4260810271902q3ea944c0mede510685a053a7d@mail.gmail.com> <4906E56C.6050207@stroeder.com>
Message-ID: <2b26c4260810291217m4ab6d947m676134280bcb45a9@mail.gmail.com>

On Wed, Oct 29, 2008 at 5:41 AM, Michael Ströder wrote:
> Wilmer Jaramillo M. wrote:
>> On Tue, Oct 28, 2008 at 9:24 PM, Rich Megginson wrote:
>>> Wilmer Jaramillo M.
wrote:
>>>> I was writing a program in python and trying a response "Who am I
>>>> Operation(RFC4532)" implemented in the python API with
>>>> ldap.whoami_s(),

I just try associated one user dn with my apps using the whoami_s() ldap method.

> It seems FDS implements something similar: an extended control to be
> sent along with the bind request/response (see RFC 3829, OID values
> 2.16.840.1.113730.3.4.15/2.16.840.1.113730.3.4.16 in attribute
> supportedControl of rootDSE).

Interesting, the RFC4532 is the replace of RFC3829 but isn't supported by python :(

-- 
Wilmer Jaramillo M., Fedora Project
yum isn't useful for geeks, is just for lazy people
irc.freenode.net: k0k @ #fedora-ve, #talug
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From michael at stroeder.com Wed Oct 29 21:53:22 2008
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 29 Oct 2008 22:53:22 +0100
Subject: [Fedora-directory-users] FDS - The whoami Response
In-Reply-To: <2b26c4260810291217m4ab6d947m676134280bcb45a9@mail.gmail.com>
References: <2b26c4260810271830k648a97dcqc6e13a1f987d1fb4@mail.gmail.com> <490670BB.4010808@redhat.com> <2b26c4260810271902q3ea944c0mede510685a053a7d@mail.gmail.com> <4906E56C.6050207@stroeder.com> <2b26c4260810291217m4ab6d947m676134280bcb45a9@mail.gmail.com>
Message-ID: <4908DB52.2020708@stroeder.com>

Wilmer Jaramillo M. wrote:
> On Wed, Oct 29, 2008 at 5:41 AM, Michael Ströder wrote:
>> Wilmer Jaramillo M. wrote:
>>> On Tue, Oct 28, 2008 at 9:24 PM, Rich Megginson wrote:
>>>> Wilmer Jaramillo M. wrote:
>>>>> I was writing a program in python and trying a response "Who am I
>>>>> Operation(RFC4532)" implemented in the python API with
>>>>> ldap.whoami_s(),
>
> I just try associated one user dn with my apps using the whoami_s() ldap method.

You could also do this by a search. Not sure how general usable your code has to be.
>> It seems FDS implements something similar: an extended control to be
>> sent along with the bind request/response (see RFC 3829, OID values
>> 2.16.840.1.113730.3.4.15/2.16.840.1.113730.3.4.16 in attribute
>> supportedControl of rootDSE).
>
> Interesting, the RFC4532 is the replace of RFC3829 but isn't supported
> by python :(

Please read my e-mails more carefully since you probably misunderstood my last message.

RFC 3829 is "Informational" and is currently not supported by python-ldap. But this is what to use with FDS. Feel free to implement support for it in python-ldap. As the maintainer of python-ldap I say: Contributions welcome.

RFC 4532 is "Standards Track" and is supported by python-ldap thanks to the OpenLDAP LDAP C libs supporting it.

Ciao, Michael.

From Andrey.Ivanov at polytechnique.fr Thu Oct 30 07:30:52 2008
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Thu, 30 Oct 2008 08:30:52 +0100
Subject: [Fedora-directory-users] LDAP Replication default window (nsDS5ReplicaUpdateSchedule)
Message-ID: <1276505801.20081030083052@polytechnique.edu>

Hi,

I have noticed that the attribute nsDS5ReplicaUpdateSchedule works in a strange way (maybe it's how it is supposed to work). When i put it to

nsDS5ReplicaUpdateSchedule: 0000-2359 0123456

the replication at midnight (00:00) seems to be blocked. The message that i observe in the logs every midnight is

[28/Oct/2008:00:00:00 +0100] NSMMReplicationPlugin - agmt="cn="Replication from ldap-1.polytechnique.fr to ldap-2.example.com"" (ldap-2:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[29/Oct/2008:00:00:00 +0100] NSMMReplicationPlugin - agmt="cn="Replication from ldap-1.polytechnique.fr to ldap-2.example.com"" (ldap-2:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes

If i suppress the schedule (the attribute nsDS5ReplicaUpdateSchedule) completely, everything is fine.
So, it seems that the server excludes the first value in the time range (xxxx-yyyy ddddddd) from the authorized interval. Is it a bug or it is supposed to work that way?

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From jad at jadickinson.co.uk Thu Oct 30 10:00:15 2008
From: jad at jadickinson.co.uk (John Dickinson)
Date: Thu, 30 Oct 2008 10:00:15 +0000
Subject: [Fedora-directory-users] Win Sync and userAccountControl
Message-ID:

Hi,

I am testing what happens when you create a new user and sync it to AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.

If I use the console to create a new user and tick the Enable NT User Attributes, Create New NT Account etc the new user appears in AD but is disabled.

Looking at the code it seems that send_accountcontrol_modify() gets the userAccountControl settings from AD, adds 0x0200 (Normal Account) and sends it back.

Looking at the traffic between Fedora DS and AD it appears that Fedora DS is getting ACCOUNTDISABLE in userAccountControl from AD.

Should FedoraDS be unsetting ACCOUNTDISABLE or should AD not be setting it in the first place? If it is a problem with AD then can anyone point me to where I tell it to do the right thing?

Thanks
John

From daniel.cruz at sc.senai.br Thu Oct 30 10:18:22 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Thu, 30 Oct 2008 08:18:22 -0200
Subject: [Fedora-directory-users] Bug using a Browse Index and Replication?
Message-ID: <86ba152f48b59eb70cd3ec48a153fbcc@intranet.sc.senai.br>

Hi all,

Has anyone had an environment like this:

* Two multi-master servers and many consumers;
* A tree with a user container: ou=Users,ou=Unit,o=Organization and a few accounts;
* A browse Index in all servers inside ou=Users,ou=Unit,o=Organization;
* Delete ou=Users,ou=Unit,o=Organization and accounts with Fedora Console in one master;
* The other master and all other consumers became frozen;
* Had to kill -9 all frozen servers and restart dirsrv.

May I write a bug report on this, or not?

Kind regards,

-- 
Daniel Cristian Cruz
Database Administrator
Direção Regional - Núcleo de Tecnologia da Informação
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)

From rmeggins at redhat.com Thu Oct 30 14:39:11 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 30 Oct 2008 08:39:11 -0600
Subject: [Fedora-directory-users] Bug using a Browse Index and Replication?
In-Reply-To: <86ba152f48b59eb70cd3ec48a153fbcc@intranet.sc.senai.br>
References: <86ba152f48b59eb70cd3ec48a153fbcc@intranet.sc.senai.br>
Message-ID: <4909C70F.6020806@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
>
> Hi all,
>
> Has anyone had an environment like this:
>
> * Two multi-master servers and many consumers;
> * A tree with a user container: ou=Users,ou=Unit,o=Organization
> and a few accounts;
> * A browse Index in all servers inside
> ou=Users,ou=Unit,o=Organization;
> * Delete ou=Users,ou=Unit,o=Organization and accounts with Fedora
> Console in one master;
> * The other master and all other consumers became frozen;
>
Doing a huge deletion like this is going to cause a lot of processing and network traffic, and the servers may be slow for some time, but they should eventually respond.

>
> * Had to kill -9 all frozen servers and restart dirsrv.
>
Then what happened? Had all of the deletions been propagated before you did the kill?
Had any of the deletions been propagated? When you restarted, did you see a lot of traffic from the master sending the deletions to the other servers?

>
> May I write a bug report on this, or not?
>
Sure.

>
> Kind regards,
>
> Daniel Cristian Cruz
> Database Administrator
> Direção Regional - Núcleo de Tecnologia da Informação
> SENAI - SC
> Phone: 48-3239-1422 (ext. 1422)
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Thu Oct 30 14:41:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 30 Oct 2008 08:41:44 -0600
Subject: [Fedora-directory-users] Win Sync and userAccountControl
In-Reply-To:
References:
Message-ID: <4909C7A8.8080600@redhat.com>

John Dickinson wrote:
> Hi,
>
> I am testing what happens when you create a new user and sync it to
> AD. Using Fedora DS 1.1.3 and AD 2003 R2 SP2.
>
> If I use the console to create a new user and tick the Enable NT User
> Attributes, Create New NT Account etc the new user appears in AD but
> is disabled.
>
> Looking at the code it seems that send_accountcontrol_modify() gets
> the userAccountControl settings from AD, adds 0x0200 (Normal Account)
> and sends it back.
>
> Looking at the traffic between Fedora DS and AD it appears that Fedora
> DS is getting ACCOUNTDISABLE in userAccountControl from AD.
>
> Should FedoraDS be unsetting ACCOUNTDISABLE or should AD not be
> setting it in the first place? If it is a problem with AD then can
> anyone point me to where I tell it to do the right thing?

Does AD have some sort of setting that tells it to disable new accounts? What happens if you create new accounts directly in AD?
>
> Thanks
> John

From rmeggins at redhat.com Thu Oct 30 14:42:35 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 30 Oct 2008 08:42:35 -0600
Subject: [Fedora-directory-users] LDAP Replication default window (nsDS5ReplicaUpdateSchedule)
In-Reply-To: <1276505801.20081030083052@polytechnique.edu>
References: <1276505801.20081030083052@polytechnique.edu>
Message-ID: <4909C7DB.2010301@redhat.com>

Andrey Ivanov wrote:
> Hi,
>
> I have noticed that the attribute nsDS5ReplicaUpdateSchedule works in
> a strange way (maybe it's how it is supposed to work). When i put it
> to
>
> nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
>
> the replication at midnight (00:00) seems to be blocked. The message
> that i observe in the logs every midnight is
>
> [28/Oct/2008:00:00:00 +0100] NSMMReplicationPlugin -
> agmt="cn="Replication from ldap-1.polytechnique.fr to ldap-2.example.com"" (ldap-2:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
> [29/Oct/2008:00:00:00 +0100] NSMMReplicationPlugin -
> agmt="cn="Replication from ldap-1.polytechnique.fr to ldap-2.example.com"" (ldap-2:636): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
>
>
> If i suppress the schedule (the attribute nsDS5ReplicaUpdateSchedule)
> completely, everything is fine.
>
> So, it seems that the server excludes the first value in the time
> range (xxxx-yyyy ddddddd) from the authorized interval. Is it a bug or
> it is supposed to work that way?
>
That's the way it is supposed to work.
>
> Andrey Ivanov
> tel +33-(0)1-69-33-99-24
> fax +33-(0)1-69-33-99-55
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
>

From daniel.cruz at sc.senai.br Thu Oct 30 16:11:47 2008
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Thu, 30 Oct 2008 14:11:47 -0200
Subject: [Fedora-directory-users] Bug using a Browse Index and Replication?
In-Reply-To: <4909C70F.6020806@redhat.com>
Message-ID: <35fd74902a52b24f065a7d6a8c410a79@intranet.sc.senai.br>

"Rich Megginson" wrote:
> DANIEL CRISTIAN CRUZ wrote:
>>
>> Hi all,
>>
>> Has anyone had an environment like this:
>>
>> * Two multi-master servers and many consumers;
>> * A tree with a user container: ou=Users,ou=Unit,o=Organization
>> and a few accounts;
>> * A browse Index in all servers inside
>> ou=Users,ou=Unit,o=Organization;
>> * Delete ou=Users,ou=Unit,o=Organization and accounts with Fedora
>> Console in one master;
>> * The other master and all other consumers became frozen;
>>
> Doing a huge deletion like this is going to cause a lot of processing
> and network traffic, and the servers may be slow for some time, but they
> should eventually respond.

One server that we had a problem accessing the console on was frozen for more than one hour...

>>
>> * Had to kill -9 all frozen servers and restart dirsrv.
>>
> Then what happened? Had all of the deletions been propagated before you
> did the kill? Had any of the deletions been propagated? When you
> restarted, did you see a lot of traffic from the master sending the
> deletions to the other servers?
The servers came online with the new "ou=Users,ou=Unit,o=Organization" and one user only (the user recreated in the working master), except the second master, which needed an initialize (maybe deleting the browse index could solve it, but I didn't get to it at that moment).

>>
>> May I write a bug report on this, or not?
>>
> Sure.

Gonna do it as soon as possible.

>>
>> Kind regards,
>>
>> Daniel Cristian Cruz
>> Database Administrator
>> Direção Regional - Núcleo de Tecnologia da Informação
>> SENAI - SC
>> Phone: 48-3239-1422 (ext. 1422)
>>

-- 
Daniel Cristian Cruz
Database Administrator
Direção Regional - Núcleo de Tecnologia da Informação
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)

From erlingre at gmail.com Fri Oct 31 11:38:04 2008
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Fri, 31 Oct 2008 12:38:04 +0100
Subject: [Fedora-directory-users] Re: Confusion over what can/can't be synced with Windows Sync
In-Reply-To: <1225216779.561.9.camel@jcourteau-desktop>
References: <1224541861.8108.77.camel@jcourteau-desktop> <1225216779.561.9.camel@jcourteau-desktop>
Message-ID: <664c5a070810310438o2268feaasd9a9954d598df462@mail.gmail.com>

On 10/28/08, Jonas Courteau wrote:
> Hello:
>
> I was hoping someone, anyone, would have some ideas on this. Is it just
> expected that you'd only want to sync something like
> ou=Users,dc=example,dc=com?
According to the Red Hat Directory Server 8.0 Administrator's guide:

"A single Active Directory subtree is synchronized with a single Directory Server Subtree, and vice versa. Unlike replication, which connects databases, synchronization is between suffixes, parts of the directory tree structure."

So you probably have to set up one synchronization agreement for each ou you want to synchronize.

Erling

From dlannom at umd.umich.edu Fri Oct 31 17:41:46 2008
From: dlannom at umd.umich.edu (Dan Lannom)
Date: Fri, 31 Oct 2008 13:41:46 -0400
Subject: [Fedora-directory-users] dbverify
In-Reply-To: <490761C9.8050705@umd.umich.edu>
References: <490761C9.8050705@umd.umich.edu>
Message-ID: <490B435A.5000806@umd.umich.edu>

I've done exhaustive verification of equality and presence indexes for my directory to verify that ldap is working properly, so I'm going to treat dbverify as buggy for now. I can't find any pattern in my data to explain what the bug is though.

22 of the 45 indexes are affected
syntaxes are oid, directorystring, ia5string, integer and telephonenumber
index types are either e, ep, eps or aeps

I'll fill out a bug report later tonight,

Dan Lannom

I wrote in my earlier email:
> I plan to migrate to fds from SunOne 5.2 and so I want to validate the
> system.
> I'm currently running version 1.1.3-2 of the directory on RHEL 5.2.
>
> When I do searches against the server everything seems to work fine, but
> when I run /usr/lib/dirsrv/slapd-{{hostname}}/dbverify, with the
> server off, it fails with
> errors like:
> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 2
> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 8
> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 11
> [28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 14
> ...
> [28/Oct/2008:10:52:16 -0400] - libdb: /var/lib/dirsrv/slapd-hume/db/{{SUFFIX}}/{{attribute}}.db4: DB_VERIFY_BAD: Database verification failed
> [28/Oct/2008:10:52:16 -0400] DB verify - verify failed(-30975): /var/lib/dirsrv/slapd-{{hostname}}/db/userdata/{{attribute}}.db4
>
> Reindexing does not change anything and I find the same errors for
> both i386 and x86_64, and the errors are almost identical for the
> master and the slaves.
>
> Since I can't find any evidence of the indexes identified as corrupted
> not working, I wonder why dbverify is generating these errors.
>
> Thanks for any help,
>
> Dan Lannom
> UM-Dearborn
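As an added example, not part of the thread and not a tool shipped with FDS: a small parser for the dbverify output Dan posted, which groups the libdb page complaints under the index file named in the DB_VERIFY_BAD line that follows them and produces the list of affected indexes an operator then cross-checks with searches, as Dan did. The sample log is constructed after the lines above; cn.db4 and uid.db4 stand in for the {{attribute}} placeholders in his message.

```python
# Added example, not part of the thread and not a tool shipped with FDS.
# The sample lines are constructed after the ones Dan posted; cn.db4 and
# uid.db4 stand in for the {{attribute}} placeholders in his message.

import os
import re
from collections import defaultdict

# dbverify prints the per-page libdb complaints first and names the file
# only afterwards, so page errors are buffered until a file line arrives.
PAGE_ERROR = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - libdb: Page (?P<page>\d+): "
    r"out-of-order key at entry (?P<entry>\d+)$")
FILE_BAD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - libdb: (?P<path>\S+): "
    r"DB_VERIFY_BAD: Database verification failed$")
VERIFY_FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] DB verify - verify failed\((?P<rc>-?\d+)\): (?P<path>\S+)$")

# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_LOG = """\
[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 2
[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 8
[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 11
[28/Oct/2008:10:52:16 -0400] - libdb: Page 4: out-of-order key at entry 14
[28/Oct/2008:10:52:16 -0400] - libdb: /var/lib/dirsrv/slapd-hume/db/userdata/cn.db4: DB_VERIFY_BAD: Database verification failed
[28/Oct/2008:10:52:16 -0400] DB verify - verify failed(-30975): /var/lib/dirsrv/slapd-hume/db/userdata/cn.db4
[28/Oct/2008:10:52:17 -0400] - libdb: Page 7: out-of-order key at entry 3
[28/Oct/2008:10:52:17 -0400] - libdb: /var/lib/dirsrv/slapd-hume/db/userdata/uid.db4: DB_VERIFY_BAD: Database verification failed
[28/Oct/2008:10:52:17 -0400] DB verify - verify failed(-30975): /var/lib/dirsrv/slapd-hume/db/userdata/uid.db4
"""


def parse_dbverify(lines):
    """Return {path: {"pages": {page: [entries]}, "rc": int or None}}."""
    result = {}
    pending = defaultdict(list)
    for line in lines:
        line = line.rstrip("\n")
        m = PAGE_ERROR.match(line)
        if m:
            pending[int(m.group("page"))].append(int(m.group("entry")))
            continue
        m = FILE_BAD.match(line)
        if m:
            # Attribute everything buffered so far to this file, then reset.
            result[m.group("path")] = {"pages": dict(pending), "rc": None}
            pending = defaultdict(list)
            continue
        m = VERIFY_FAILED.match(line)
        if m:
            entry = result.setdefault(m.group("path"), {"pages": {}, "rc": None})
            entry["rc"] = int(m.group("rc"))
    return result


def affected_indexes(summary):
    """Return [(index name, out-of-order key count, rc)] sorted by name,
    where the index name is the file name without its .db4 suffix."""
    rows = []
    for path, info in summary.items():
        name = os.path.basename(path)
        if name.endswith(".db4"):
            name = name[:-4]
        bad_keys = sum(len(entries) for entries in info["pages"].values())
        rows.append((name, bad_keys, info["rc"]))
    return sorted(rows)


def report(lines):
    """One line per failed index, for the operator's checklist."""
    return ["%s: %d out-of-order key(s), rc=%s" % row
            for row in affected_indexes(parse_dbverify(lines))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Run over a real dbverify transcript, the index names this returns are the ones whose equality and presence lookups should be compared against an unindexed search (for example with a filter the index would serve) before the server is trusted for migration, which is the validation Dan describes doing by hand.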