From steve.ngu at hotmail.fr Mon Sep 1 13:10:38 2008
From: steve.ngu at hotmail.fr (steve nguyen)
Date: Mon, 1 Sep 2008 15:10:38 +0200
Subject: [Fedora-directory-users] LDAP Error with sync agreement using ssl

Hi everybody,

I have created two sync agreements in FDS. I've got an error message with the one using SSL: "LDAP error: Can't contact LDAP server. Error Code 81." The second sync agreement, without SSL, works.

I think this error comes from a certificate that I created. To create my certificate on Fedora I used the second script from the FDS wiki.

I want to know another thing: I selected single master in the replica role column. If I choose multiple master, will the sync happen from both sides, AD and FDS?

PS: excuse me for my bad English.

From math.de.groot at logica.com Tue Sep 2 13:06:29 2008
From: math.de.groot at logica.com (Groot, Mathijs de (IDT Competence Java))
Date: Tue, 2 Sep 2008 15:06:29 +0200
Subject: [Fedora-directory-users] LDAP Error with sync agreement using ssl
Message-ID: <72965855C48009408D297A78108567160714E66D@nl-ex008.groupinfra.com>

Hi,

I have / had the same problem.

The first question is: what architecture are you running, a 32-bit or 64-bit version?

I'm working with a Red Hat Directory Server. I've set up SSL and the certificates a few times now on 64-bit RHEL servers, but it is just not working. I'm working on it with the Red Hat Support team but haven't got the solution yet.

I've set up a couple of 32-bit servers and they are working fine with the Windows synchronization over SSL.

If more people have the same problem (32-bit vs 64-bit SSL sync), I would like to hear about it. And if you are running a 64-bit Red Hat Enterprise 5 server and the Windows Sync over SSL is working fine, I would like to know what version you are running.

Best regards,

Mathijs de Groot
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

From steve.ngu at hotmail.fr Tue Sep 2 13:34:29 2008
From: steve.ngu at hotmail.fr (steve nguyen)
Date: Tue, 2 Sep 2008 15:34:29 +0200
Subject: [Fedora-directory-users] LDAP Error with sync agreement using ssl
In-Reply-To: <72965855C48009408D297A78108567160714E66D@nl-ex008.groupinfra.com>
References: <72965855C48009408D297A78108567160714E66D@nl-ex008.groupinfra.com>

Hi,

I'm using a 32-bit version.

Thanks

From rmeggins at redhat.com Tue Sep 2 15:24:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Sep 2008 09:24:19 -0600
Subject: [Fedora-directory-users] LDAP Error with sync agreement using ssl
Message-ID: <48BD5AA3.90502@redhat.com>

steve nguyen wrote:
> Hi everybody,
>
> I have created two sync agreements in FDS. I've got an error message
> with the one using SSL: "LDAP error: Can't contact LDAP server. Error
> Code 81."

You'll have to provide more information, like the CA that issued your AD server cert, and other messages in the DS error log.

> The second sync agreement, without SSL, works.
>
> I think this error comes from a certificate that I created.
> To create my certificate on Fedora I used the second script from
> the FDS wiki.
>
> I want to know another thing: I selected single master in the
> replica role column. If I choose multiple master, will the sync happen
> from both sides, AD and FDS?

The setting for single vs. multiple master is not applicable with Windows Sync - it shouldn't matter as long as the DS side is a master. Windows sync is always 2-way.
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Tue Sep 2 15:25:45 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Sep 2008 09:25:45 -0600
Subject: [Fedora-directory-users] LDAP Error with sync agreement using ssl
In-Reply-To: <72965855C48009408D297A78108567160714E66D@nl-ex008.groupinfra.com>
References: <72965855C48009408D297A78108567160714E66D@nl-ex008.groupinfra.com>
Message-ID: <48BD5AF9.6050607@redhat.com>

Groot, Mathijs de (IDT Competence Java) wrote:
> Hi,
>
> I have / had the same problem.
>
> The first question is: what architecture are you running, a 32-bit or
> 64-bit version?

Windows Sync does not support 64-bit Windows - it should work fine on 64-bit RHEL/Fedora.

> I'm working with a Red Hat Directory Server. I've set up SSL and the
> certificates a few times now on 64-bit RHEL servers, but it is just
> not working.
>
> I'm working on it with the Red Hat Support team but haven't got the
> solution yet.
>
> I've set up a couple of 32-bit servers and they are working fine with
> the Windows synchronization over SSL.

I'm not sure why it would make a difference - 32-bit should work the same as 64-bit.
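The thread above asks for two things: the CA that issued the AD server certificate, and the DS error log. LDAP error 81 is LDAP_SERVER_DOWN: the connection to the domain controller failed before any bind was attempted, and for an SSL sync agreement the usual cause is that the DS instance does not trust the CA that issued the domain controller's certificate, or the certificate subject does not match the hostname configured in the agreement. The script below is an added example, not code from this thread or from the Fedora Directory Server project. It assumes, hypothetically, a domain controller at ad.example.com:636, a DS certificate database under /etc/dirsrv/slapd-fds, a PEM copy of the AD CA in ad-ca.pem and the nickname "AD Root CA"; it shows the certificate and issuer the DC presents, checks whether that CA sits in the DS NSS database with the C flag (trusted to issue server certificates), imports it when it is missing, and verifies the chain independently with openssl.

```sh
#!/bin/sh
# Added example for the "LDAP Error with sync agreement using ssl" thread;
# not part of the thread or of the FDS project. All values below are
# hypothetical and can be overridden from the environment.
AD_HOST="${AD_HOST:-ad.example.com}"        # domain controller named in the sync agreement
AD_PORT="${AD_PORT:-636}"
CERTDB="${CERTDB:-/etc/dirsrv/slapd-fds}"   # NSS certificate database of the DS instance
CA_NICK="${CA_NICK:-AD Root CA}"            # nickname to store the AD CA under
CA_PEM="${CA_PEM:-ad-ca.pem}"               # PEM copy of the AD CA certificate

# Show the certificate the DC presents on 636 and who issued it. The issuer
# line is what was asked for on the list; the subject must match $AD_HOST.
show_ad_server_cert() {
    openssl s_client -connect "$AD_HOST:$AD_PORT" -showcerts </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Decide from a `certutil -L` listing (read on stdin) whether nickname $1 is
# present with the "C" flag in the SSL trust column, i.e. trusted to issue
# server certificates. A lowercase "c" or an empty column means the CA is
# known but NOT trusted, which still produces error 81 on the agreement.
ca_trusted_for_ssl() {
    awk -v nick="$1" '
        # certutil -L lines look like:  <nickname>   <SSL>,<S/MIME>,<JAR/XPI>
        # The trust string is the last field; the nickname is everything before it.
        NF >= 2 {
            trust = $NF; $NF = ""; sub(/[ \t]+$/, "", $0)
            if ($0 == nick) { split(trust, f, ","); if (f[1] ~ /C/) found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# Import the AD CA into the DS database trusted as an SSL CA ("CT,,").
# The server has to be restarted afterwards so it reloads the database.
import_ad_ca() {
    certutil -A -d "$CERTDB" -n "$CA_NICK" -t "CT,," -a -i "$CA_PEM"
}

# Independent chain check: "Verify return code: 0 (ok)" means the CA in
# $CA_PEM really did issue the DC's certificate.
verify_chain() {
    openssl s_client -connect "$AD_HOST:$AD_PORT" -CAfile "$CA_PEM" </dev/null 2>/dev/null |
        grep 'Verify return code'
}

# Run the diagnosis only when invoked as:  sh fds-ad-tls-check.sh check
if [ "${1:-}" = "check" ]; then
    show_ad_server_cert
    if certutil -L -d "$CERTDB" | ca_trusted_for_ssl "$CA_NICK"; then
        echo "CA '$CA_NICK' is trusted for SSL in $CERTDB"
    else
        echo "CA '$CA_NICK' missing or untrusted in $CERTDB; importing from $CA_PEM"
        import_ad_ca
    fi
    verify_chain
fi
```

Run it on the DS host, where the certificate database lives, and compare the issuer printed by show_ad_server_cert with the nicknames in the database: the sync agreement only works when that issuer is present with the C flag, and the DS error log will carry the NSS/SSL failure for the handshake when it is not.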
From rmeggins at redhat.com Tue Sep 2 15:26:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Sep 2008 09:26:29 -0600
Subject: [Fedora-directory-users] ACI help
In-Reply-To: <1220209232.16070.8.camel@lin-workstation.azapple.com>
References: <1219956831.2903.243.camel@lin-workstation.azapple.com> <1220209232.16070.8.camel@lin-workstation.azapple.com>
Message-ID: <48BD5B25.5010706@redhat.com>

Craig White wrote:
> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>
>> I have users' personal address books as an ou under their accounts...
>>
>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>
>> but when I try to add an entry, I am blocked...
>>
>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
>> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
>> nentries=0 etime=0
>>
>> I need an ACI that allows each uid account to read/write entries in OUs
>> under their own accounts, and the only ACIs I have are the ones
>> inherited.
>>
> ----
> It would be great if I could get some help here.

The ACL Summary error log level can provide some clues.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> I know that in OpenLDAP, ACLs are processed top down and so I'm looking
> at the ACIs that would govern here.
>
> dc=example,dc=com has the following ACI (the second one after anonymous
> access)...
>
> (targetattr = "carLicense || description || displayName
>   || facsimileTelephoneNumber || homePhone || homePostalAddress || initials
>   || jpegPhoto || labeledURL || mail || mobile || pager || photo
>   || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod
>   || preferredLanguage || registeredAddress || roomNumber || secretary
>   || seeAlso || st || street || telephoneNumber || telexNumber || title
>   || userCertificate || userPassword || userSMIMECertificate
>   || x500UniqueIdentifier")
> (version 3.0;
>   acl "Enable self write for common attributes";
>   allow (write)
>   (userdn = "ldap:///self")
> ;)
>
> and I added one more (it's on the bottom of the list - #7)...
>
> (targetattr = "*") (version 3.0; acl "Personal Address Books"; allow
> (write) (userdn = "ldap:///self");)
>
> but still...
>
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND
> dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
> method=128 version=3
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97
> nentries=0 etime=0
> dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD
> dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105
> nentries=0 etime=0
>
> Craig
From craigwhite at azapple.com Tue Sep 2 15:35:44 2008
From: craigwhite at azapple.com (Craig White)
Date: Tue, 02 Sep 2008 08:35:44 -0700
Subject: [Fedora-directory-users] ACI help
In-Reply-To: <48BD5B25.5010706@redhat.com>
References: <1219956831.2903.243.camel@lin-workstation.azapple.com> <1220209232.16070.8.camel@lin-workstation.azapple.com> <48BD5B25.5010706@redhat.com>
Message-ID: <1220369744.16070.28.camel@lin-workstation.azapple.com>

On Tue, 2008-09-02 at 09:26 -0600, Rich Megginson wrote:
> Craig White wrote:
> > It would be great if I could get some help here.
> >
> The ACL Summary error log level can provide some clues.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
----
I've been all over that, and I understand that err=50 is insufficient access, and I've read all the pages I can find on the wiki and the 7.1 support pages, but it's not helping.
I hate to say this, but I can do this so simply with OpenLDAP, and I'm mystified why it is so difficult to do on Fedora-DS.

Craig

From rmeggins at redhat.com Tue Sep 2 15:59:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Sep 2008 09:59:44 -0600
Subject: [Fedora-directory-users] ACI help
In-Reply-To: <48BD5B25.5010706@redhat.com>
References: <1219956831.2903.243.camel@lin-workstation.azapple.com> <1220209232.16070.8.camel@lin-workstation.azapple.com> <48BD5B25.5010706@redhat.com>
Message-ID: <48BD62F0.1000604@redhat.com>

Rich Megginson wrote:
> Craig White wrote:
>> and I added one more (it's on the bottom of the list - #7)...
>>
>> (targetattr = "*") (version 3.0; acl "Personal Address Books"; allow
>> (write) (userdn = "ldap:///self");)

Have you tried the "add" right, to allow users to add entries under their entries?
http://tinyurl.com/3yo88r

I'm not sure if self will work here - you might have to use a macro ACI in which the uid part of the target matches the uid part of the subject - see
http://tinyurl.com/59ehxh

From luke-fds at schierer.org Tue Sep 2 17:00:38 2008
From: luke-fds at schierer.org (Luke Schierer)
Date: Tue, 2 Sep 2008 13:00:38 -0400
Subject: [Fedora-directory-users] questions about 2 node multi-master setup
In-Reply-To: <20080829190604.GH14861@gabriel.twocrazyguys.net>
References: <20080829190604.GH14861@gabriel.twocrazyguys.net>
Message-ID: <20080902170038.GI14861@gabriel.twocrazyguys.net>

On Fri, Aug 29, 2008 at 03:06:04PM -0400, Luke Schierer wrote:
> Hi,
> I just set up Fedora Directory Server on two nodes, and have set up
> multi-master replication between them following the directions at
> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL
>
> It seems to mostly work, but I have a few questions.
>
> 1) After initializing nodeB and restarting nodes A and B, I can no
> longer connect to nodeB with the Console application.
> If I type in
> its hostname, it connects, but I can only open up the slapd directory
> if nodeA is up. I can continue to log into nodes authenticating
> against the pair, and I can use the command line utilities to connect to
> nodeB. Any ideas what I might be doing wrong?
>
> 2) If I change a password (using the passwd command on a client) while
> nodeA is down, or add a user with ldapmodify while nodeA is down, the
> change does not seem to replicate back to nodeA after it comes back
> up. Do I have to force an initialization in such cases?
>
> Thanks,
> Luke

A couple of additional details. This is on a 32-bit Red Hat Enterprise 5 server. The first issue only happens if I set it to replicate ou=NetscapeRoot, which appears to be necessary for the global password policy to replicate. Is there a better way to achieve this?

I tried using the fdstool script in one archived email, but that gave me errors when I tried to run it, and so I turned to the more manual instructions in the MultimasterSSL guide. I removed my fedora-ds install between trying with the script and doing it myself following the guide.

Thanks,
Luke

From rmeggins at redhat.com Tue Sep 2 17:19:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Sep 2008 11:19:55 -0600
Subject: [Fedora-directory-users] questions about 2 node multi-master setup
In-Reply-To: <20080902170038.GI14861@gabriel.twocrazyguys.net>
References: <20080829190604.GH14861@gabriel.twocrazyguys.net> <20080902170038.GI14861@gabriel.twocrazyguys.net>
Message-ID: <48BD75BB.2030005@redhat.com>

Luke Schierer wrote:
> A couple of additional details. This is on a 32-bit Red Hat Enterprise
> 5 server. The first issue only happens if I set it to replicate
> ou=NetscapeRoot, which appears to be necessary for the global password
> policy to replicate.

I don't think that is true. What leads you to believe that?

> Is there a better way to achieve this?

Have you seen this - http://tinyurl.com/6apcfq
From craigwhite at azapple.com Tue Sep 2 17:58:40 2008
From: craigwhite at azapple.com (Craig White)
Date: Tue, 02 Sep 2008 10:58:40 -0700
Subject: [Fedora-directory-users] ACI help
In-Reply-To: <48BD62F0.1000604@redhat.com>
References: <1219956831.2903.243.camel@lin-workstation.azapple.com> <1220209232.16070.8.camel@lin-workstation.azapple.com> <48BD5B25.5010706@redhat.com> <48BD62F0.1000604@redhat.com>
Message-ID: <1220378320.16070.36.camel@lin-workstation.azapple.com>

On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
> Have you tried the "add" right, to allow users to add entries under
> their entries?
> http://tinyurl.com/3yo88r
>
> I'm not sure if self will work here - you might have to use a macro ACI
> in which the uid part of the target matches the uid part of the subject
> - see
> http://tinyurl.com/59ehxh
----
I'm not sure if 'self' will work here either... nothing seems to work.

This is the ACL that works for me in OpenLDAP...
access to dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
    attrs=children,entry,inetOrgPerson,organizationalPerson
    by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
    by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
    by * none

I am hesitant to fool with the access control while there are people working on the network, but the above is exactly what I want to work in Fedora-DS.

Craig

From rmeggins at redhat.com Tue Sep 2 18:10:26 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Sep 2008 12:10:26 -0600
Subject: [Fedora-directory-users] ACI help
In-Reply-To: <1220378320.16070.36.camel@lin-workstation.azapple.com>
References: <1219956831.2903.243.camel@lin-workstation.azapple.com> <1220209232.16070.8.camel@lin-workstation.azapple.com> <48BD5B25.5010706@redhat.com> <48BD62F0.1000604@redhat.com> <1220378320.16070.36.camel@lin-workstation.azapple.com>
Message-ID: <48BD8192.9080303@redhat.com>

Craig White wrote:
> I'm not sure if 'self' will work here either... nothing seems to work.
>
> This is the ACL that works for me in OpenLDAP...
>
> access to dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
>     attrs=children,entry,inetOrgPerson,organizationalPerson
>     by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
>     by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
>     by * none

This looks like a macro ACI. Have you tried a macro ACI in conjunction with the "add" right?
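The two suggestions made in this thread, the "add" right and a macro ACI whose subject is derived from the target, combine into a single ACI. Two details explain the err=50 results in the logs quoted above: ldap:///self only matches when the entry being accessed is the bind entry itself, and an entry under ou=AddressBook,uid=craig is a different entry, so the "Personal Address Books" ACI with self never applies to it; and the write right only covers attribute changes on existing entries, while creating a child entry needs add, the counterpart of attrs=children write in the OpenLDAP ACL. The script below is an added example, not Craig's or Rich's code and not from the FDS project. It assumes, hypothetically, the tree shown in the access log (ou=People,ou=Accounts,dc=example,dc=com), a DS instance at ldap://localhost:389, and the Directory Manager password in $DM_PW; the macro syntax (($dn) in the target, the matched text substituted into userdn) is the one described in the macro ACI section of the DS administration guide that the tinyurl above points at.

```sh
#!/bin/sh
# Added example for the "ACI help" thread; not Craig's, Rich's, or the FDS
# project's code. Assumed (hypothetical) values:
LDAP_URL="${LDAP_URL:-ldap://localhost:389}"
SUFFIX="dc=example,dc=com"
PEOPLE="ou=People,ou=Accounts,$SUFFIX"   # container seen in the quoted access log

# The macro ACI. In the target, ($dn) stands for whatever sits between
# "ou=AddressBook," and ",ou=People" in the DN of the entry being accessed
# (one RDN here, e.g. uid=craig). The same matched text is substituted into
# userdn, so entries under uid=craig's address book are only granted to a
# bind as uid=craig,ou=People,... "add" permits creating child entries;
# "write" alone does not. Unlike OpenLDAP, DS does not evaluate ACIs top
# down: all allows are unioned and any matching deny wins.
personal_addressbook_aci() {
    printf '%s%s%s' \
        "(target = \"ldap:///ou=AddressBook,(\$dn),$PEOPLE\")(targetattr = \"*\")" \
        "(version 3.0; acl \"Personal Address Books\"; allow (read, search, compare, write, add, delete)" \
        " (userdn = \"ldap:///(\$dn),$PEOPLE\");)"
}

# Place the ACI on the suffix: it must sit at or above every entry it targets.
apply_aci() {
    ldapmodify -x -H "$LDAP_URL" -D "cn=Directory Manager" -w "$DM_PW" <<EOF
dn: $SUFFIX
changetype: modify
add: aci
aci: $(personal_addressbook_aci)
EOF
}

# Offline helper: print the bind DN the macro accepts for an entry in (or the
# container of) someone's address book, doing the same text match the server
# does for ($dn). The server matches DNs case-insensitively; this shell
# check is literal, so feed it DNs in the case the ACI is written in.
addressbook_owner() {
    case "$1" in
        "ou=AddressBook,uid="*",$PEOPLE"|*",ou=AddressBook,uid="*",$PEOPLE")
            owner=${1#*ou=AddressBook,}   # drop everything through "ou=AddressBook,"
            owner=${owner%%,*}            # keep only the first RDN, e.g. uid=craig
            printf '%s,%s\n' "$owner" "$PEOPLE" ;;
        *) return 1 ;;
    esac
}

# Verify as the owner: the ADD that returned err=50 in the quoted log should
# now succeed. If it still fails, raise the error log level to the ACL
# summary level mentioned earlier in the thread to see which ACI was evaluated.
try_add_as_owner() {   # usage: try_add_as_owner craig   (prompts for the user's password)
    ldapadd -x -H "$LDAP_URL" -D "uid=$1,$PEOPLE" -W <<EOF
dn: cn=Test,ou=AddressBook,uid=$1,$PEOPLE
objectClass: inetOrgPerson
cn: Test
sn: Test
EOF
}

# Apply and test only when invoked as:  DM_PW=... sh personal-addressbook-aci.sh apply craig
if [ "${1:-}" = "apply" ]; then
    apply_aci && try_add_as_owner "${2:-craig}"
fi
```

Because the ACI's subject is derived from the target, uid=administrator binding against its own address book is covered by the same rule, which matches the second log excerpt above; the administrator's access to other users' address books, which the OpenLDAP ACL grants with a separate `by dn.exact` clause, would need a second, non-macro ACI.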
From luke-fds at schierer.org Tue Sep 2 19:00:23 2008
From: luke-fds at schierer.org (Luke Schierer)
Date: Tue, 2 Sep 2008 15:00:23 -0400
Subject: [Fedora-directory-users] questions about 2 node multi-master setup
In-Reply-To: <48BD75BB.2030005@redhat.com>
References: <20080829190604.GH14861@gabriel.twocrazyguys.net> <20080902170038.GI14861@gabriel.twocrazyguys.net> <48BD75BB.2030005@redhat.com>
Message-ID: <20080902190023.GJ14861@gabriel.twocrazyguys.net>

On Tue, Sep 02, 2008 at 11:19:55AM -0600, Rich Megginson wrote:
> Luke Schierer wrote:
>> A couple of additional details. This is on a 32-bit Red Hat Enterprise
>> 5 server. The first issue only happens if I set it to replicate
>> ou=NetscapeRoot, which appears to be necessary for the global password
>> policy to replicate.
> I don't think that is true. What leads you to believe that?

Because I tried once without having ou=NetscapeRoot set to replicate, and the password policy did not show as set on the other console. Still, perhaps I did something wrong.

>> Is there a better way to achieve this?
>>
> Have you seen this - http://tinyurl.com/6apcfq

I had not; my fault for not reading the full manual, it appears, as it has extra steps for setting up the second instance. I will try with these directions. Thanks for the pointer!!
Luke From rmeggins at redhat.com Tue Sep 2 19:04:53 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 02 Sep 2008 13:04:53 -0600 Subject: [Fedora-directory-users] questions about 2 node multi-master setup In-Reply-To: <20080902190023.GJ14861@gabriel.twocrazyguys.net> References: <20080829190604.GH14861@gabriel.twocrazyguys.net> <20080902170038.GI14861@gabriel.twocrazyguys.net> <48BD75BB.2030005@redhat.com> <20080902190023.GJ14861@gabriel.twocrazyguys.net> Message-ID: <48BD8E55.60104@redhat.com> Luke Schierer wrote: > On Tue, Sep 02, 2008 at 11:19:55AM -0600, Rich Megginson wrote: > >> Luke Schierer wrote: >> >>> On Fri, Aug 29, 2008 at 03:06:04PM -0400, Luke Schierer wrote: >>> >>> >>>> Hi, >>>> I just set up Fedora Directory Server on two nodes, and have set up >>>> multi-master replication between them following the directions at >>>> http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL >>>> >>>> It seems to mostly work, but I have a few questions. >>>> >>>> 1)After initializing nodeB and restarting nodesA and B, I can no >>>> longer connect to nodeB with the Console application. If I type in >>>> its hostname, it connects, but I can only open up the slapd directory >>>> if nodeA is up. I can continue to log into nodes authenticating >>>> against the pair, and I can use the command line utities to connect to >>>> nodeB. Any ideas what I might be doing wrong? >>>> >>>> >>>> 2)if I change a password (using the passwd command on a client) while >>>> nodeA is down, or add a user with ldapmodify while nodeA is down, the >>>> change does not seem to replicate back to nodeA after it comes back >>>> up. Do I have to force an initialization in such cases? >>>> >>>> Thanks, >>>> Luke >>>> >>>> >>> A couple of additional details. This is on a 32-bit Redhat Enterprise >>> 5 server. The first issue only happens if I set it to replicate >>> ou=NetscapeRoot, which appears to be necessary for the global password >>> policy to replicate. 
>>> >> I don't think that is true. What leads you to believe that? >> > > Because I tried once without having the ou=NetscapeRoot set to > replicate, and the password policy did not show as set on the other > console. Still, perhaps I did something wrong. > That's really weird - the global password policy is stored in cn=config, not in o=NetscapeRoot, so I'm not sure why replication would have anything to do with this. > >>> Is there a better way to achieve this? >>> >>> >> Have you seen this - http://tinyurl.com/6apcfq >> > > I had not, my fault for now reading the full manual it appears, as it > has extra steps for setting up the second instance. I will try with > these directions. > > Thanks for the pointer!! > > Luke > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From Ross.Johnson at itsa.gov.au Wed Sep 3 07:13:38 2008 From: Ross.Johnson at itsa.gov.au (Ross Johnson) Date: Wed, 03 Sep 2008 17:13:38 +1000 Subject: [Fedora-directory-users] User password change which syntax checking Message-ID: <48BE3922.1020005@itsa.gov.au> I have FDS 1.1.1 running with password policy and syntax checking working for user passwords via the console, but I haven't been able to get ldappasswd (from mozldap-tools package) to pay attention to those password constraints that I know work via the console. That is, ldappasswd succeeds even when given passwords that fail in the console. Is this what I should expect to see? AFAICS from looking at source code, manual pages etc, ldappasswd passes the plaintext password to the server to be encrypted and if that's the case then I'm assuming that password checks should be working. 
I understand that password checks can't be done if the userPassword attribute is modified directly, e.g. by ldapmodify. I get the feeling I'm missing something very basic, so any clarification would be greatly appreciated. -- Ross Johnson Unix Specialist, IT Infrastructure Insolvency and Trustee Service Australia Ph: +61 2 6270 3483 Fax: +61 2 6270 3413 Important: This transmission is intended only for the use of the addressee and may contain confidential or legally privileged information. If you are not the intended recipient, you are notified that any use or dissemination of this communication is strictly prohibited. If you have received this transmission in error, please notify immediately by telephone and delete all copies of this transmission, together with any attachments. -------------- next part -------------- A non-text attachment was scrubbed... Name: Ross_Johnson.vcf Type: text/x-vcard Size: 729 bytes Desc: not available URL: From goni at selimins.co.kr Thu Sep 4 02:22:30 2008 From: goni at selimins.co.kr (=?ks_c_5601-1987?B?sejBpLDv?=) Date: Thu, 4 Sep 2008 11:22:30 +0900 Subject: [Fedora-directory-users] Can't connect to Redhat AS5 by 'telnet' !!! Message-ID: <005001c90e35$15ae2680$410a7380$@co.kr> Hi everyone. I have a problem. I am using FDS-1.0.4, and have Linux machines, Redhat AS4 and Redhat AS5. But I can?t connect to Redhat AS5 machine by telnet. but I can connect to the machine by ?su? using. Redhat AS4 machine has no any problem. Did you have a experience? Would you please help me? Thanks -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From Ross.Johnson at itsa.gov.au Thu Sep 4 05:42:33 2008 From: Ross.Johnson at itsa.gov.au (Ross Johnson) Date: Thu, 04 Sep 2008 15:42:33 +1000 Subject: [Fedora-directory-users] User password change which syntax checking In-Reply-To: <48BE3922.1020005@itsa.gov.au> References: <48BE3922.1020005@itsa.gov.au> Message-ID: <48BF7549.9020607@itsa.gov.au> Ross Johnson wrote: > I have FDS 1.1.1 running with password policy and syntax checking > working for user passwords via the console, but I haven't been able to > get ldappasswd (from mozldap-tools package) to pay attention to those > password constraints that I know work via the console. That is, > ldappasswd succeeds even when given passwords that fail in the > console. Is this what I should expect to see? I've now learnt that FDS will accept a plaintext password in the LDIF from ldapmodify, which is policy checked (I had assumed only a hashed value could be provided - duh) so I can at least move on but I'm still puzzled by ldappasswd since that would be the most obvious choice for scripting password changes. It's possibly only the mozldap-tools version because I see that other implementations provide parameters to send either plaintext passwords or encrypted. -- Ross Johnson Unix Specialist, IT Infrastructure Insolvency and Trustee Service Australia Ph: +61 2 6270 3483 Fax: +61 2 6270 3413 Important: This transmission is intended only for the use of the addressee and may contain confidential or legally privileged information. If you are not the intended recipient, you are notified that any use or dissemination of this communication is strictly prohibited. If you have received this transmission in error, please notify immediately by telephone and delete all copies of this transmission, together with any attachments. 
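The scripted password change Ross describes, as an added example (not from the thread): an LDIF for ldapmodify that carries the new value in plaintext so the server, not the client, hashes it and runs its syntax policy over it. The user DN and the password value are constructed samples.

```ldif
# Added example: self-service password change via ldapmodify.
# The userPassword value is plaintext on purpose: a value the server can
# read is the only one it can syntax-check before storing the hash.
# The DN and password below are constructed for illustration.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: Ex4mple-Passw0rd-Value
```

Because the value travels in the clear inside the LDAP operation, submit it over the SSL port (or not at all over a plain connection), and bind as the user being changed rather than as an administrator so that the user-level policy is the one applied. A value that arrives already hashed (a {SSHA} string, for instance) gives the server nothing to check, which is the case Ross's first message refers to.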
From hijinks at gmail.com Fri Sep 5 13:23:26 2008
From: hijinks at gmail.com (Mike Zupan)
Date: Fri, 5 Sep 2008 09:23:26 -0400
Subject: [Fedora-directory-users] multiple groups in the admin console
Message-ID: <7227c6c70809050623g5e50ad6aibf042b3d49d711a9@mail.gmail.com>

I am wondering how I add a posix account to multiple group id's. I really can only do this in the admin console. I can't seem to figure it out.

I setup the new posixgroup as

Full Name: mailgrp
gidnumber: 809

Thanks
Mike

From benetage at hotmail.com Fri Sep 5 18:28:11 2008
From: benetage at hotmail.com (Mister Anonyme)
Date: Fri, 5 Sep 2008 14:28:11 -0400
Subject: [Fedora-directory-users] Export the Windows Agreement in LDIF format
Message-ID:

Hi,

The subject says it all, I'm wondering if it's possible to export a Windows Agreement in LDIF format so I can install a new Directory Server automatically next time.

Thank you.

From apujana at gmail.com Fri Sep 5 19:01:19 2008
From: apujana at gmail.com (Axel Pujana Iturbe)
Date: Fri, 5 Sep 2008 21:01:19 +0200
Subject: [Fedora-directory-users] Export the Windows Agreement in LDIF format
In-Reply-To:
References:
Message-ID: <7C786DFE-FD80-47F0-B0FA-974B062E5760@gmail.com>

Adscrewrtyhgg cv Ifonne

Sent from my iPhone

On 05/09/2008, at 20:28, Mister Anonyme wrote:

> Hi,
>
> The subject says it all, I'm wondering if it's possible to export a
> Windows Agreement in LDIF format so I can install a new Directory
> Server automatically next time.
>
> Thank you.

From rmeggins at redhat.com Fri Sep 5 19:16:12 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 05 Sep 2008 13:16:12 -0600
Subject: [Fedora-directory-users] Export the Windows Agreement in LDIF format
In-Reply-To:
References:
Message-ID: <48C1857C.7040502@redhat.com>

Mister Anonyme wrote:
> Hi,
>
> The subject says it all, I'm wondering if it's possible to export a
> Windows Agreement in LDIF format so I can install a new Directory
> Server automatically next time.

Sure. You can either extract it from the dse.ldif or grab it via ldapsearch using

-s sub -b cn=config (objectclass=nsDSWindowsReplicationAgreement)

You can put this in a file e.g. winsync.ldif and use silent setup to create a new directory server instance with this enabled:
http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html

Use the .inf file directive ConfigFile to specify additional config for the new instance:

[General]
FullMachineName=ldap.example.com
...
[slapd]
ServerPort=389
...
ConfigFile=/full/path/to/winsync.ldif

Then

setup-ds-admin.pl -s -f /path/to/file.inf

You can also pass this in on the command line e.g.

setup-ds-admin.pl ..... slapd.ConfigFile=/full/path/to/winsync.ldif

ConfigFile is multi-valued so you can pass in many configs this way

>
> Thank you.

From solarflow99 at gmail.com Sat Sep 6 12:25:46 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Sat, 6 Sep 2008 13:25:46 +0100
Subject: [Fedora-directory-users] multiple groups in the admin console
In-Reply-To: <7227c6c70809050623g5e50ad6aibf042b3d49d711a9@mail.gmail.com>
References: <7227c6c70809050623g5e50ad6aibf042b3d49d711a9@mail.gmail.com>
Message-ID: <7020fd000809060525r74c513a6n1b922f9c4a9fb62a@mail.gmail.com>

There is another front end that you might find useful, have a look at: ldapadmin on sourceforge

On Fri, Sep 5, 2008 at 2:23 PM, Mike Zupan wrote:
> I am wondering how I add a posix account to multiple group id's. I really
> can only do this in the admin console. I can't seem to figure it out.
>
> I setup the new posixgroup as
>
> Full Name: mailgrp
> gidnumber: 809
>
> Thanks
> Mike

From solarflow99 at gmail.com Mon Sep 8 09:36:38 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 8 Sep 2008 10:36:38 +0100
Subject: [Fedora-directory-users] Can't connect to Redhat AS5 by 'telnet' !!!
In-Reply-To: <005001c90e35$15ae2680$410a7380$@co.kr>
References: <005001c90e35$15ae2680$410a7380$@co.kr>
Message-ID: <7020fd000809080236q53bb6083k88119d4888cff2bc@mail.gmail.com>

Its generally recommended to use ssh instead, just ensure the sshd service is started on the AS5 machine so it will work. hope this helps..

2008/9/4 김정곤
> Hi everyone.
>
> I have a problem. I am using FDS-1.0.4, and have Linux machines, Redhat AS4
> and Redhat AS5.
>
> But I can't connect to Redhat AS5 machine by telnet. but I can connect to
> the machine by 'su' using.
>
> Redhat AS4 machine has no any problem.
>
> Did you have a experience?
>
> Would you please help me?
>
> Thanks

From steve.ngu at hotmail.fr Mon Sep 8 13:24:20 2008
From: steve.ngu at hotmail.fr (steve nguyen)
Date: Mon, 8 Sep 2008 15:24:20 +0200
Subject: [Fedora-directory-users] LDAP Error with sync agreement using ssl
In-Reply-To: <48BD5AA3.90502@redhat.com>
References: <48BD5AA3.90502@redhat.com>
Message-ID:

OK

So in the passsync log I have this error message :

Error initializing SSL: err=-8192 Ensure that your SSL is setup correctly
Failed to load entries from file
Ldap bind error in Connect 49: Invalid credentials
Can not connect to ldap server in SyncPasswords
Ldap bind error in Connect 81: Can't contact LDAP server
Ldap bind error in Connect 91: Can't connect to the LDAP server

In the FDS log (replication status) I've got this : "LDAP error: Can't contact LDAP server. Error Code 81."

In AD, I set up SSL using IIS because I had some troubles using certreq. I enter this url http:///certsrv in my browser and I ask for a user certificate. And I import it in the Trusted Root CA.

After the passsync installation in Windows 2003 Server, I enter this commands :

certutil.exe -d . -N

I export my certs from FDS by doing this :

pk12util -d . -o dscert.p12 -n Server-Cert

In 2003 Server I put the FDS cert in the passsync installation folder and I export :

pk12util.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -i dscert.p12

And I give the trusted peer status :

certutil.exe -d "C:\Program Files\Red Hat Directory Password Synchronization" -M -n Server-Cert -t "P,P,P"

I also do the same for the cascert cert but I give this trust attributes "CT,CT,CT" because it was mentioned in the FDS wiki.

That's all I do to set up SSL.

Did you see what I did wrong ?

Thanks

> Date: Tue, 2 Sep 2008 09:24:19 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] LDAP Error with sync agreement using ssl
>
> steve nguyen wrote:
> > Hi everybody,
> >
> > I have created two sync agreement in FDS. I've got an error message
> > with the one using ssl : "LDAP error: Can't contact LDAP server. Error
> > Code 81.
> You'll have to provide more information, like the CA that issued your AD
> server cert, and other messages in the DS error log.
> > The second sync agreement without ssl works.
> >
> > I think this error should come from a certificate that I've create.
> > To create my certificate on Fedora I've used the second script from
> > the fds wiki.
> >
> > I want to know another thing : I selected a single master in the
> > replica role column. If I choose multiple master, will the sync happen
> > from both side : ad and fds ?
> The setting for single vs. multiple master is not applicable with
> Windows Sync - it shouldn't matter as long as the DS side is a master.
> Windows sync is always 2 way.
> >
> > ps : excuse me for my bad english.

From solarflow99 at gmail.com Mon Sep 8 15:12:00 2008
From: solarflow99 at gmail.com (solarflow99)
Date: Mon, 8 Sep 2008 16:12:00 +0100
Subject: [Fedora-directory-users] email clients
In-Reply-To: <48B71FE4.8070409@saafinternational.com>
References: <48B71FE4.8070409@saafinternational.com>
Message-ID: <7020fd000809080812h158c7576x719676db8a08cfa8@mail.gmail.com>

This question might be a bit off topic, but I see there is another email program called zimbra, I never saw it used myself but it seems pretty good.

On Thu, Aug 28, 2008 at 11:00 PM, Malcolm Amir Hussain-Gambles <malcolm at saafinternational.com> wrote:
> Just wondering what email clients people use for address books.
> I've tried evolution, but it seems completely unstable for ldap, I've had
> no choice but to revert to people using thunderbird. (this is the fc9
> version)
> Thunderbird is stable but lacks features.
> Claws is probably the best, but doesn't have that corporate feel like
> evolution.
> Are most people using outlook?
>
> Cheers,
>
> Malcolm

From malcolm at saafinternational.com Mon Sep 8 20:33:50 2008
From: malcolm at saafinternational.com (Malcolm Amir Hussain-Gambles)
Date: Mon, 08 Sep 2008 21:33:50 +0100
Subject: [Fedora-directory-users] email clients
In-Reply-To: <7020fd000809080812h158c7576x719676db8a08cfa8@mail.gmail.com>
References: <48B71FE4.8070409@saafinternational.com>
 <7020fd000809080812h158c7576x719676db8a08cfa8@mail.gmail.com>
Message-ID: <1220906030.3129.4.camel@malcolm.saafinternational.com>

I had a look round and the only choice seems the horde suite, as there are no decent and stable clients around at the moment.

It's pretty good and also avoids any client stability issues (read vista and evolution)

Zimbra seems to want to do _everything_ for you, and I don't have long to get the update done and live. Reading up on zimbra and splitting it off didn't seem a good idea. But it does look good.

Cheers,

Malcolm

On Mon, 2008-09-08 at 16:12 +0100, solarflow99 wrote:
> This question might be a bit off topic, but I see there is another
> email program called zimbra, I never saw it used myself but it seems
> pretty good.
>
> On Thu, Aug 28, 2008 at 11:00 PM, Malcolm Amir Hussain-Gambles
> wrote:
> Just wondering what email clients people use for address
> books.
> I've tried evolution, but it seems completely unstable for
> ldap, I've had no choice but to revert to people using
> thunderbird. (this is the fc9 version)
> Thunderbird is stable but lacks features.
> Claws is probably the best, but doesn't have that corporate
> feel like evolution.
> Are most people using outlook?
>
> Cheers,
>
> Malcolm

From snake007uk at gmail.com Tue Sep 9 20:39:04 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Tue, 9 Sep 2008 21:39:04 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
Message-ID: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>

Hello all,

I have successfully setup FDS on Centos 5.2, and manage to get users signing on without any issues. However if I edit the sudoers file to allow a group on ldap use sudo, the sudo command does not see the members of the group or I think the group itself?

I have no idea why this is:

if I run the command 'id' as the given user you can clearly see the group memberships, however if I do: getent group linuxops I see:

linuxops:*:6000:

with no members??? however SSHD AllowGroups works? I have configured sshd to only allow members of the linuxops group to login and this works fine? so my question is why is sudo behaving differently?

From malcolm at saafinternational.com Tue Sep 9 21:42:26 2008
From: malcolm at saafinternational.com (Malcolm Amir Hussain-Gambles)
Date: Tue, 09 Sep 2008 22:42:26 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>
Message-ID: <1220996546.3325.4.camel@malcolm.saafinternational.com>

Redhat sudo doesn't support ldap, recompile it with ldap support and add the sudoers base to /etc/ldap.conf and it should work then, annoying!

Cheers

Malcolm

On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> Hello all,
>
> I have successfully setup FDS on Centos 5.2, and manage to get users
> signing on without any issues. However if I edit the sudoers file to
> allow a group on ldap use sudo, the sudo command does not see the
> members of the group or I think the group itself?
>
> I have no idea why this is:
>
> if I run the command 'id' as the given user you can clearly see the
> group memberships, however if I do: getent group linuxops I see:
>
> linuxops:*:6000:
>
> with no members??? however SSHD AllowGroups works? I have configured
> sshd to only allow members of the linuxops group to login and this
> works fine? so my question is why is sudo behaving differently?

From abliss at brockport.edu Tue Sep 9 20:43:16 2008
From: abliss at brockport.edu (Aaron Bliss)
Date: Tue, 9 Sep 2008 16:43:16 -0400
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>
Message-ID: <017401c912bc$afd39340$0f7ab9c0$@edu>

Kashif,

Make sure you have defined the group in ldap and added the posix attributes and object class to the group. At a bare minimum, you'll need the top, groupofuniquenames and posixgroup objectclasses.

Aaron

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Kashif Ali
Sent: Tuesday, September 09, 2008 4:39 PM
To: Fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Sudo and Ldap

Hello all,

I have successfully setup FDS on Centos 5.2, and manage to get users signing on without any issues. However if I edit the sudoers file to allow a group on ldap use sudo, the sudo command does not see the members of the group or I think the group itself?

I have no idea why this is:

if I run the command 'id' as the given user you can clearly see the group memberships, however if I do: getent group linuxops I see:

linuxops:*:6000:

with no members??? however SSHD AllowGroups works? I have configured sshd to only allow members of the linuxops group to login and this works fine? so my question is why is sudo behaving differently?

From snake007uk at gmail.com Tue Sep 9 20:54:51 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Tue, 9 Sep 2008 21:54:51 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <1220996546.3325.4.camel@malcolm.saafinternational.com>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>
 <1220996546.3325.4.camel@malcolm.saafinternational.com>
Message-ID: <879a677e0809091354r3cbac5aeu65182e70f9917746@mail.gmail.com>

when you say add sudo base? are you talking about ldif file?

Is there no way to continue to use the original ldif file?

2008/9/9 Malcolm Amir Hussain-Gambles
> Redhat sudo doesn't support ldap, recompile it with ldap support and add
> the sudoers base to /etc/ldap.conf and it should work then, annoying!
>
> Cheers
>
> Malcolm
>
> On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> > Hello all,
> >
> > I have successfully setup FDS on Centos 5.2, and manage to get users
> > signing on without any issues. However if I edit the sudoers file to
> > allow a group on ldap use sudo, the sudo command does not see the
> > members of the group or I think the group itself?
> >
> > I have no idea why this is:
> >
> > if I run the command 'id' as the given user you can clearly see the
> > group memberships, however if I do: getent group linuxops I see:
> >
> > linuxops:*:6000:
> >
> > with no members??? however SSHD AllowGroups works? I have configured
> > sshd to only allow members of the linuxops group to login and this
> > works fine? so my question is why is sudo behaving differently?

From malcolm at saafinternational.com Tue Sep 9 22:06:07 2008
From: malcolm at saafinternational.com (Malcolm Amir Hussain-Gambles)
Date: Tue, 09 Sep 2008 23:06:07 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <879a677e0809091354r3cbac5aeu65182e70f9917746@mail.gmail.com>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>
 <1220996546.3325.4.camel@malcolm.saafinternational.com>
 <879a677e0809091354r3cbac5aeu65182e70f9917746@mail.gmail.com>
Message-ID: <1220997967.3325.11.camel@malcolm.saafinternational.com>

This is how I've always done it:

I usually just pull the src.rpm and add ldap in the .spec file, recompile then I can add it to standard build image / kickstart

Then add something like:

sudoers_base ou=SUDOers,dc=example,dc=com

to /etc/ldap.conf and that should be it

Cheers,

Malcolm

On Tue, 2008-09-09 at 21:54 +0100, Kashif Ali wrote:
> when you say add sudo base? are you talking about ldif file?
>
> Is there no way to continue to use the original ldif file?
>
> 2008/9/9 Malcolm Amir Hussain-Gambles
> Redhat sudo doesn't support ldap, recompile it with ldap
> support and add
> the sudoers base to /etc/ldap.conf and it should work then,
> annoying!
>
> Cheers
>
> Malcolm
>
> On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> > Hello all,
> >
> > I have successfully setup FDS on Centos 5.2, and manage to
> get users
> > signing on without any issues. However if I edit the sudoers
> file to
> > allow a group on ldap use sudo, the sudo command does not
> see the
> > members of the group or I think the group itself?
> >
> > I have no idea why this is:
> >
> > if I run the command 'id' as the given user you can clearly
> see the
> > group memberships, however if I do: getent group linuxops I
> see:
> >
> > linuxops:*:6000:
> >
> > with no members??? however SSHD AllowGroups works? I have
> configured
> > sshd to only allow members of the linuxops group to login and
> this
> > works fine? so my question is why is sudo behaving
> differently?

From snake007uk at gmail.com Tue Sep 9 21:42:06 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Tue, 9 Sep 2008 22:42:06 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <1220997967.3325.11.camel@malcolm.saafinternational.com>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com>
 <1220996546.3325.4.camel@malcolm.saafinternational.com>
 <879a677e0809091354r3cbac5aeu65182e70f9917746@mail.gmail.com>
 <1220997967.3325.11.camel@malcolm.saafinternational.com>
Message-ID: <879a677e0809091442m35864eceoff34df8caa9a1167@mail.gmail.com>

i believe in centos 5.x and redhat they have ldap support built in: http://kbase.redhat.com/faq/FAQ_80_12975.shtm

I am not sure how to include ldif file in the directory server, and also once its included how to manage the sudoers?

let me give you some more background on the environment:

we have the following environments:

Production
Staging
Test
Load Testing
Development

Each of the environments have various number of servers ranging from 30 and going up to 150+.

we have three main categories of users

Linuxops = Linux Sys admins
SuperUsers = Developers who have sudo rights (ALL) on dev/load test environments, but only for less, cat, more, command for Test/Staging/Production environments (this is mainly for log and config file viewing).
Dev = Developers who have full sudo rights on development and only access development environment

I am restricting access to each environment via SSHD_CONFIG variable allow groups. I have the following groups

linuxops
prodlogs
staginglog
testlogs
ltlogs
dev

What I would need is to someone configure ldap with sudo, so that if you were in the correct groups you can login to which ever environment and have the correct privileges. The problem I will have is with superusers. They would be members of the dev group (so have all rights on dev env) but then I would be added to prodlogs etc... so they have restricted sudo on prod. However since there would only be one sudo file in ldap, sshd would let them logon to production server via prodlogs group, and sudo would find the dev group and give them full rights!!!!

I would appreciate any advice in configuring this setup, currently I have written a wiki to cover the installation of Centos/fedora DS and configure it for central authentication with Shared home directories, this would be the final icing on the cake if I could get it working:

Please have a look at the following link to get the idea of what I have done to get ldap up and running:

http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server

What I really need help is would sudo under ldap in the above scenario.

I hope I have given enough information, if you require more information please just say I will provide ASAP.

Regards
Kashif

2008/9/9 Malcolm Amir Hussain-Gambles
> This is how I've always done it:
>
> I usually just pull the src.rpm and add ldap in the .spec file,
> recompile then I can add it to standard build image / kickstart
>
> Then add something like:
> sudoers_base ou=SUDOers,dc=example,dc=com
>
> to /etc/ldap.conf and that should be it
>
> Cheers,
>
> Malcolm
>
> On Tue, 2008-09-09 at 21:54 +0100, Kashif Ali wrote:
> > when you say add sudo base? are you talking about ldif file?
> >
> > Is there no way to continue to use the original ldif file?
> >
> > 2008/9/9 Malcolm Amir Hussain-Gambles
> > Redhat sudo doesn't support ldap, recompile it with ldap
> > support and add
> > the sudoers base to /etc/ldap.conf and it should work then,
> > annoying!
> >
> > Cheers
> >
> > Malcolm
> >
> > On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> > > Hello all,
> > >
> > > I have successfully setup FDS on Centos 5.2, and manage to
> > get users
> > > signing on without any issues. However if I edit the sudoers
> > file to
> > > allow a group on ldap use sudo, the sudo command does not
> > see the
> > > members of the group or I think the group itself?
> > >
> > > I have no idea why this is:
> > >
> > > if I run the command 'id' as the given user you can clearly
> > see the
> > > group memberships, however if I do: getent group linuxops I
> > see:
> > >
> > > linuxops:*:6000:
> > >
> > > with no members??? however SSHD AllowGroups works? I have
> > configured
> > > sshd to only allow members of the linuxops group to login and
> > this
> > > works fine? so my question is why is sudo behaving
> > differently?
From Dharmin.Mandalia at TangaNet.Net Tue Sep 9 22:35:46 2008
From: Dharmin.Mandalia at TangaNet.Net (Dharmin Mandalia)
Date: Tue, 09 Sep 2008 23:35:46 +0100
Subject: [Fedora-directory-users] User privileges
Message-ID: <48C6FA42.6080407@TangaNet.Net>

Hello

On our Directory Server, we have different OUs for each department, under which we have dept users. Is it possible to allow each department's admin to add/delete/edit user/group/other entries for their own department OU ONLY, over the Directory Console? So basically one admin from each department has full access/rights over user/group/other entries under their dept OU, over the Dir Console.

If you know how the above can be done, please tell me....

Appreciate your reply.

Regards
Dharmin

From pgnet.trash at gmail.com Wed Sep 10 00:06:58 2008
From: pgnet.trash at gmail.com (PGNet)
Date: Tue, 9 Sep 2008 17:06:58 -0700
Subject: [Fedora-directory-users] missing "console.conf" in headless FedoraDS install
Message-ID:

I'm building & installing FedoraDS on a headless server. For the moment, remote management via shell login is fine; no graphical consoles required.

I've built/installed from cvs source

    FedoraDirSvr_1_1_2       ldapserver
    adminutil_1_1_7          adminutil
    mod_nss108               mod_nss
    FedoraDirSrvAdmin_1_1_6  adminserver
    FedoraDirSrvAdmin_1_1_6  mod_admserv
    FedoraDirSrvAdmin_1_1_6  mod_restartd

@ Setup exec of,

    setup-ds-admin.pl

I get,

    Creating directory server . . .
    Your new DS instance 'FedoraDS' was successfully created.
    Creating the configuration directory server . . .
    Beginning Admin Server creation . . .
    Creating Admin Server files and directories . . .
    Updating adm.conf . . .
    Updating admpw . . .
    Registering admin server with the configuration directory server . . .
    Updating adm.conf with information from configuration directory server . . .
    Updating the configuration for the httpd engine . . .
    Error opening /etc/dirsrv/admin-serv/console.conf: No such file or directory
    Could not update the httpd engine configuration.
    Failed to create and configure the admin server
    Exiting . . .
    Log file is '/tmp/setup4lZetX.log'

And, checking,

    ls -1 /etc/dirsrv/admin-serv/
    adm.conf
    admpw
    cert8.db
    key3.db
    local.conf
    secmod.db

Is 'console.conf', in fact, required for console-less operation? If so, where does it originate? Have I missed a required install, perhaps "FedoraConsoleFramework_1_1_2"?

If not, where can I fix the dependency? Remove @ #174:

    } else {
        # set up directory server instance to be managed by the console/adminserver
        $setup->msg('create_subds');
        if (!createSubDSNoConn($setup->{inf}, \@errs)) {
            $setup->msg($FATAL, @errs);
            $setup->msg($FATAL, 'error_create_configds');
            $setup->doExit(1);

from "setup-ds-admin.pl"? A preference setting somewhere?

Thanks.

From pgnet.trash at gmail.com Wed Sep 10 00:42:58 2008
From: pgnet.trash at gmail.com (PGNet)
Date: Tue, 9 Sep 2008 17:42:58 -0700
Subject: [Fedora-directory-users] mod_cgi or mod_cgid for adminserver?
Message-ID:

Per docs @ http://directory.fedoraproject.org/wiki/AdminServer,

    "Admin Server is ... formerly based on the Netscape Enterprise Server but has been ported to use the Apache 2.x webserver using the Worker model (multi-threaded mode, not multi process)."

I've installed as prereq,

    httpd2 -V | grep MPM
    Server MPM:     Worker
     -D APACHE_MPM_DIR="server/mpm/worker"

Per "Apache Module mod_cgid" (http://httpd.apache.org/docs/2.2/mod/mod_cgid.html),

    "This module (mod_cgid) is used by default instead of mod_cgi whenever a multi-threaded MPM is selected during the compilation process. At the user level, this module is identical in configuration and operation to mod_cgi. The only exception is the additional directive ScriptSock which gives the name of the socket to use for communication with the cgi daemon."
In FedoraDS' install of adminserver, mod_cgi is loaded (and fails @ exec, as it's not installed by default), @ #144 of /etc/dirsrv/admin-serv/httpd.conf:

    LoadModule cgi_module /usr/lib64/apache2-worker/mod_cgi.so

and, also, it references mod_cgid.c @ #392 of /etc/dirsrv/admin-serv/httpd.conf ... which will never hit as mod_cgid is not @ LoadModule.

Should mod_cgi, then, be loaded for FedoraDS use, or mod_cgid?

Thanks.

From snake007uk at gmail.com Wed Sep 10 06:17:45 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Wed, 10 Sep 2008 07:17:45 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <879a677e0809091442m35864eceoff34df8caa9a1167@mail.gmail.com>
Message-ID: <879a677e0809092317h69218ccbja86659b3b850b753@mail.gmail.com>

I have a quick workaround currently: what you can do is create a local group and add the ldap user to the local group. Sudo will accept the group including users. sudo will also accept a list of users from ldap, it just doesn't acknowledge members for groups in FDS?

2008/9/9 Kashif Ali
> I believe in centos 5.x and redhat they have ldap support built in:
>
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
>
> I am not sure how to include the ldif file in the directory server, and also
> once it's included how to manage the sudoers?
>
> Let me give you some more background on the environment:
>
> we have the following environments:
>
>     Production
>     Staging
>     Test
>     Load Testing
>     Development
>
> Each of the environments has a varying number of servers, ranging from 30 and
> going up to 150+.
>
> we have three main categories of users
>
>     Linuxops = Linux Sys admins
>     SuperUsers = Developers who have sudo rights (ALL) on dev/load test
>     environments, but only for the less, cat, more commands on
>     Test/Staging/Production environments (this is mainly for log and config file
>     viewing).
>     Dev = Developers who have full sudo rights on development and only access
>     the development environment
>
> I am restricting access to each environment via the SSHD_CONFIG variable allow
> groups. I have the following groups
>
>     linuxops
>     prodlogs
>     staginglog
>     testlogs
>     ltlogs
>     dev
>
> What I would need is for someone to configure ldap with sudo, so that if you
> were in the correct groups you can login to whichever environment and have
> the correct privileges.
>
> The problem I will have is with superusers. They would be members of the
> dev group (so have all rights on the dev env) but then they would be added to
> prodlogs etc... so they have restricted sudo on prod. However since there
> would only be one sudo file in ldap, sshd would let them logon to a production
> server via the prodlogs group, and sudo would find the dev group and give them
> full rights!!!!
>
> I would appreciate any advice in configuring this setup, currently I have
> written a wiki to cover the installation of Centos/fedora DS and configuring
> it for central authentication with shared home directories, this would be
> the final icing on the cake if I could get it working:
>
> Please have a look at the following link to get the idea of what I have
> done to get ldap up and running:
>
> http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server
>
> What I really need help with is sudo under ldap in the above scenario. I
> hope I have given enough information, if you require more information please
> just say I will provide ASAP.
>
> Regards
>
> Kashif

From j.barber at dundee.ac.uk Wed Sep 10 08:33:12 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Wed, 10 Sep 2008 09:33:12 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <1220996546.3325.4.camel@malcolm.saafinternational.com>
Message-ID: <20080910083312.GJ29794@flea.lifesci.dundee.ac.uk>

On Tue, Sep 09, 2008 at 10:42:26PM +0100, Malcolm Amir Hussain-Gambles wrote:
> Redhat sudo doesn't support ldap, recompile it with ldap support and add
> the sudoers base to /etc/ldap.conf and it should work then, annoying!

I don't know about RHEL5, but centos 5.2 does:

    [root at pirez ~]# rpm -q centos-release
    centos-release-5-2.el5.centos
    [root at pirez ~]# rpm -q sudo
    sudo-1.6.8p12-12.el5
    [root at pirez ~]# ldd $(type -p sudo) | grep ldap
            libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00762000)

And I believe it's been present for all the 5.0 series.

> Cheers
>
> Malcolm

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From j.barber at dundee.ac.uk Wed Sep 10 08:53:35 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Wed, 10 Sep 2008 09:53:35 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <879a677e0809091442m35864eceoff34df8caa9a1167@mail.gmail.com>
Message-ID: <20080910085335.GK29794@flea.lifesci.dundee.ac.uk>

On Tue, Sep 09, 2008 at 10:42:06PM +0100, Kashif Ali wrote:
> I believe in centos 5.x and redhat they have ldap support built in:
>
> http://kbase.redhat.com/faq/FAQ_80_12975.shtm
>
> I am not sure how to include the ldif file in the directory server, and also
> once it's included how to manage the sudoers?
>
> Let me give you some more background on the environment:
>
> we have the following environments:
>
>     Production
>     Staging
>     Test
>     Load Testing
>     Development
>
> Each of the environments has a varying number of servers, ranging from 30 and
> going up to 150+.
>
> we have three main categories of users
>
>     Linuxops = Linux Sys admins
>     SuperUsers = Developers who have sudo rights (ALL) on dev/load test
>     environments, but only for the less, cat, more commands on
>     Test/Staging/Production environments (this is mainly for log and config file
>     viewing).
>     Dev = Developers who have full sudo rights on development and only access
>     the development environment
>
> I am restricting access to each environment via the SSHD_CONFIG variable allow
> groups. I have the following groups
>
>     linuxops
>     prodlogs
>     staginglog
>     testlogs
>     ltlogs
>     dev
>
> What I would need is for someone to configure ldap with sudo, so that if you
> were in the correct groups you can login to whichever environment and have
> the correct privileges.
>
> The problem I will have is with superusers. They would be members of the dev
> group (so have all rights on the dev env) but then they would be added to prodlogs
> etc... so they have restricted sudo on prod. However since there would only
> be one sudo file in ldap, sshd would let them logon to a production server via
> the prodlogs group, and sudo would find the dev group and give them full
> rights!!!!

sudo has the Host_Alias feature to restrict command aliases to particular hosts, which I think would achieve your aims. See the EXAMPLES section of the sudoers(5) man page.

There's a sudoers2ldif utility provided with the sudo distribution; it's well worth developing your sudoers file with visudo for its syntax checking before converting to ldif with the sudoers2ldif utility.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From snake007uk at gmail.com Wed Sep 10 09:03:32 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Wed, 10 Sep 2008 10:03:32 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <20080910083312.GJ29794@flea.lifesci.dundee.ac.uk>
Message-ID: <879a677e0809100203n67ba0257v6d8212918a49dd2@mail.gmail.com>

If I could get the correct info from getent group, which would show the group members, I am sure sudo would work. I am not sure what is involved in getting sudo into ldap and then configuring it. Anyone have a link to a howto/wiki?

2008/9/10 Jonathan Barber
> On Tue, Sep 09, 2008 at 10:42:26PM +0100, Malcolm Amir Hussain-Gambles wrote:
> > Redhat sudo doesn't support ldap, recompile it with ldap support and add
> > the sudoers base to /etc/ldap.conf and it should work then, annoying!
>
> I don't know about RHEL5, but centos 5.2 does:
>
>     [root at pirez ~]# rpm -q centos-release
>     centos-release-5-2.el5.centos
>     [root at pirez ~]# rpm -q sudo
>     sudo-1.6.8p12-12.el5
>     [root at pirez ~]# ldd $(type -p sudo) | grep ldap
>             libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00762000)
>
> And I believe it's been present for all the 5.0 series.
>
> --
> Jonathan Barber
> High Performance Computing Analyst
> Tel. +44 (0) 1382 386389

From j.barber at dundee.ac.uk Wed Sep 10 10:05:54 2008
From: j.barber at dundee.ac.uk (Jonathan Barber)
Date: Wed, 10 Sep 2008 11:05:54 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <879a677e0809100203n67ba0257v6d8212918a49dd2@mail.gmail.com>
Message-ID: <20080910100554.GL29794@flea.lifesci.dundee.ac.uk>

On Wed, Sep 10, 2008 at 10:03:32AM +0100, Kashif Ali wrote:
> If I could get the correct info from getent group,
> which would show the group members, I am sure sudo would work. I am not sure
> what is involved in getting sudo into ldap and then configuring it. Anyone
> have a link to a howto/wiki?
Just following the sudo ldap readme:

    http://www.gratisoft.us/sudo/readme_ldap.html

got me there.

Basically you have to import the sudo schema (which I got from converting the openldap schema supplied with the source RPM via the ol-schema-migrate.pl script), create an entry to put your sudo config under, import your sudo config, and then configure /etc/ldap.conf to point at that entry.

--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389

From snake007uk at gmail.com Wed Sep 10 10:12:39 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Wed, 10 Sep 2008 11:12:39 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <20080910100554.GL29794@flea.lifesci.dundee.ac.uk>
Message-ID: <879a677e0809100312w670ac247j68d899fb0846930d@mail.gmail.com>

So the schema is not part of the Fedora-DS. I will try it and then update my wiki covering this.

2008/9/10 Jonathan Barber
> On Wed, Sep 10, 2008 at 10:03:32AM +0100, Kashif Ali wrote:
> > If I could get the correct info from getent group,
> > which would show the group members, I am sure sudo would work. I am not sure
> > what is involved in getting sudo into ldap and then configuring it. Anyone
> > have a link to a howto/wiki?
>
> Just following the sudo ldap readme:
>
>     http://www.gratisoft.us/sudo/readme_ldap.html
>
> got me there.
>
> Basically you have to import the sudo schema (which I got from converting
> the openldap schema supplied with the source RPM via the
> ol-schema-migrate.pl script), create an entry to put your sudo config
> under, import your sudo config, and then configure /etc/ldap.conf to
> point at that entry.
>
> --
> Jonathan Barber
> High Performance Computing Analyst
> Tel. +44 (0) 1382 386389

From ryan.braun at ec.gc.ca Wed Sep 10 15:18:13 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Wed, 10 Sep 2008 15:18:13 +0000
Subject: [Fedora-directory-users] fds 1.1+ not setting nsslapd-instancedir on install?
Message-ID: <200809101518.13205.ryan.braun@ec.gc.ca>

Hey guys. I have some perl replication scripts (fdstool) that I developed on fds 1.0.4. On my first attempt to use them on a 1.1+ (in this particular case 1.1.2), the changelog object creation bails because the nsslapd-instancedir attribute in cn=config isn't set.

    ##############################
    # find the instance-dir
    ##############################
    $msg = $ldap->search (
        base   => "cn=config",
        scope  => "base",
        filter => "(objectClass=*)",
    );
    my $instance_dir = $msg->entry(0)->get_value("nsslapd-instancedir");

ends up as null as there isn't anything at said attribute.
Also, shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory Manager" -W -b "cn=config" "objectclass=*"|grep instancedir Enter LDAP Password: nsslapd-instancedir: shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory Manager" -W -b "cn=config" "objectclass=*"|grep nsslapd-ldifdir Enter LDAP Password: nsslapd-ldifdir: /var/lib/dirsrv/slapd-yzxdmns0/ldif For now I'm useing nsslapd-ldifdir and just ~ s/\/ldif// to cut off the ldir directory, but am just confirming this behavior is intended. FWIW I built the packages myself, so it could very well be my own fault :P Ryan From rmeggins at redhat.com Wed Sep 10 16:57:40 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 10 Sep 2008 10:57:40 -0600 Subject: [Fedora-directory-users] fds 1.1+ not setting nsslapd-instancedir on install? In-Reply-To: <200809101518.13205.ryan.braun@ec.gc.ca> References: <200809101518.13205.ryan.braun@ec.gc.ca> Message-ID: <48C7FC84.9030004@redhat.com> Ryan Braun [ADS] wrote: > Hey guys. I have some perl replication scripts (fdstool) that I developed on > fds 1.0.4. On my first attempt to use them on a 1.1+ (in this particular > case 1.1.2), the changelog object creation bails because the > nsslapd-instancedir attribute in cn=config isn't set. > > ############################## > # find the instance-dir > ############################## > $msg = $ldap->search ( > base => "cn=config", > scope => "base", > filter => "(objectClass=*)", > ); > my $instance_dir = $msg->entry(0)->get_value("nsslapd-instancedir"); > > ends up as null as there isn't anything at said attribute. 
> > Also, > > shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory > Manager" -W -b "cn=config" "objectclass=*"|grep instancedir > Enter LDAP Password: > nsslapd-instancedir: > shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory > Manager" -W -b "cn=config" "objectclass=*"|grep nsslapd-ldifdir > Enter LDAP Password: > nsslapd-ldifdir: /var/lib/dirsrv/slapd-yzxdmns0/ldif > > > For now I'm useing nsslapd-ldifdir and just ~ s/\/ldif// to cut off the ldir > directory, but am just confirming this behavior is intended. FWIW I built > the packages myself, so it could very well be my own fault :P > Well, it depends - what were you using nsslapd-instancedir for? There are several other attributes you could use now, depending on what you're trying to do. > Ryan > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From ryan.braun at ec.gc.ca Wed Sep 10 17:18:10 2008 From: ryan.braun at ec.gc.ca (Ryan Braun [ADS]) Date: Wed, 10 Sep 2008 17:18:10 +0000 Subject: [Fedora-directory-users] fds 1.1+ not setting nsslapd-instancedir on install? 
In-Reply-To: <48C7FC84.9030004@redhat.com> References: <200809101518.13205.ryan.braun@ec.gc.ca> <48C7FC84.9030004@redhat.com> Message-ID: <200809101718.10955.ryan.braun@ec.gc.ca> On Wednesday 10 September 2008 16:57, Rich Megginson wrote: > > shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory > > Manager" -W -b "cn=config" "objectclass=*"|grep instancedir > > Enter LDAP Password: > > nsslapd-instancedir: > > shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory > > Manager" -W -b "cn=config" "objectclass=*"|grep nsslapd-ldifdir > > Enter LDAP Password: > > nsslapd-ldifdir: /var/lib/dirsrv/slapd-yzxdmns0/ldif > > > > > > For now I'm useing nsslapd-ldifdir and just ~ s/\/ldif// to cut off the > > ldir directory, but am just confirming this behavior is intended. FWIW > > I built the packages myself, so it could very well be my own fault :P > > Well, it depends - what were you using nsslapd-instancedir for? There > are several other attributes you could use now, depending on what you're > trying to do. > I was using nsslapd-instancedir to as the ref point on where to put the changelog db files. Which by default in the console (1.1+) is /var/lib/dirsrv/slapd-INSTANCE/changelog. But I couldn't find any attributes that would just point to /var/lib/dirsrv/slapd-INSTANCE/. Which was what I assumed nsslapd-instancedir was for. I guess when I was working on the script for 1.0.4 it just happened to be set to the correct location so I used that value. Ryan From rmeggins at redhat.com Wed Sep 10 17:30:26 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 10 Sep 2008 11:30:26 -0600 Subject: [Fedora-directory-users] fds 1.1+ not setting nsslapd-instancedir on install? 
In-Reply-To: <200809101718.10955.ryan.braun@ec.gc.ca>
References: <200809101518.13205.ryan.braun@ec.gc.ca> <48C7FC84.9030004@redhat.com> <200809101718.10955.ryan.braun@ec.gc.ca>
Message-ID: <48C80432.9070205@redhat.com>

Ryan Braun [ADS] wrote:
> I was using nsslapd-instancedir as the ref point on where to put the changelog db files, which by default in the console (1.1+) is /var/lib/dirsrv/slapd-INSTANCE/changelog.

If you want the changelog directory, use nsslapd-directory, and see
http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Attributes_under_cnconfig_cnldbm_database_cnplugins_cnconfig-nsslapd_directory

When you grab that attribute, just replace /db$ with /cldb to construct the changelog directory.

> But I couldn't find any attributes that would just point to /var/lib/dirsrv/slapd-INSTANCE/, which was what I assumed nsslapd-instancedir was for.

No. Fedora 1.0 put everything under /opt/fedora-ds/slapd-instance - so there was a single "instance" directory. Fedora DS 1.1 is FHS-ified - see http://directory.fedoraproject.org/wiki/FHS_Packaging

> I guess when I was working on the script for 1.0.4 it just happened to be set to the correct location so I used that value.
>
> Ryan

From malcolm at saafinternational.com Wed Sep 10 19:14:37 2008
From: malcolm at saafinternational.com (Malcolm Amir Hussain-Gambles)
Date: Wed, 10 Sep 2008 20:14:37 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <20080910083312.GJ29794@flea.lifesci.dundee.ac.uk>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com> <1220996546.3325.4.camel@malcolm.saafinternational.com> <20080910083312.GJ29794@flea.lifesci.dundee.ac.uk>
Message-ID: <1221074077.3157.1.camel@malcolm.saafinternational.com>

I mainly work on rhel4 servers at the moment, good to know though.
It was annoying that sudo didn't include it, glad it does now!

Cheers

Malcolm

On Wed, 2008-09-10 at 09:33 +0100, Jonathan Barber wrote:
> On Tue, Sep 09, 2008 at 10:42:26PM +0100, Malcolm Amir Hussain-Gambles wrote:
> > Redhat sudo doesn't support ldap, recompile it with ldap support and add the sudoers base to /etc/ldap.conf and it should work then, annoying!
>
> I don't know about RHEL5, but centos 5.2 does:
>
> [root at pirez ~]# rpm -q centos-release
> centos-release-5-2.el5.centos
> [root at pirez ~]# rpm -q sudo
> sudo-1.6.8p12-12.el5
> [root at pirez ~]# ldd $(type -p sudo) | grep ldap
> libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00762000)
>
> And I believe it's been present for all the 5.0 series.
>
> > Cheers
> >
> > Malcolm
> >
> > On Tue, 2008-09-09 at 21:39 +0100, Kashif Ali wrote:
> > > Hello all,
> > >
> > > I have successfully setup FDS on Centos 5.2, and manage to get users signing on without any issues. However if I edit the sudoers file to allow a group on ldap use sudo, the sudo command does not see the members of the group or I think the group itself?
> > >
> > > I have no idea why this is:
> > >
> > > if I run the command 'id' as the given user you can clearly see the group memberships, however if I do: getent group linuxops I see:
> > >
> > > linuxops:*:6000:
> > >
> > > with no members??? however SSHD AllowGroups works? I have configured sshd to only allow members of the linuxops group to login and this works fine? so my question is why is sudo behaving differently?

From snake007uk at gmail.com Wed Sep 10 20:39:59 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Wed, 10 Sep 2008 21:39:59 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <1221074077.3157.1.camel@malcolm.saafinternational.com>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com> <1220996546.3325.4.camel@malcolm.saafinternational.com> <20080910083312.GJ29794@flea.lifesci.dundee.ac.uk> <1221074077.3157.1.camel@malcolm.saafinternational.com>
Message-ID: <879a677e0809101339h19dd3710k7ff4708cb59177d0@mail.gmail.com>

I am currently in the process of documenting the schema install into the DS server, as well as adding the sudoers into ldap.

2008/9/10 Malcolm Amir Hussain-Gambles
> I mainly work on rhel4 servers at the moment, good to know though.
> It was annoying that sudo didn't include it, glad it does now!
>
> Cheers
>
> Malcolm

From snake007uk at gmail.com Thu Sep 11 13:20:20 2008
From: snake007uk at gmail.com (Kashif Ali)
Date: Thu, 11 Sep 2008 14:20:20 +0100
Subject: [Fedora-directory-users] Sudo and Ldap
In-Reply-To: <879a677e0809101339h19dd3710k7ff4708cb59177d0@mail.gmail.com>
References: <879a677e0809091339q7d3c0ec9h1fdf7862a3c109c2@mail.gmail.com> <1220996546.3325.4.camel@malcolm.saafinternational.com> <20080910083312.GJ29794@flea.lifesci.dundee.ac.uk> <1221074077.3157.1.camel@malcolm.saafinternational.com> <879a677e0809101339h19dd3710k7ff4708cb59177d0@mail.gmail.com>
Message-ID: <879a677e0809110620m534a77adte5794492f1dc94af@mail.gmail.com>

I have now updated my wiki covering the sudo setup, I hope it makes it simpler for others to understand.

http://wiki.unixcraft.com/display/MainPage/Sudo+in+Centos+Directory+Server

2008/9/10 Kashif Ali
> I am currently in the process of documenting the schema install into the DS server, as well as adding the sudoers into ldap.

From ryan.braun at ec.gc.ca Thu Sep 11 15:42:19 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Thu, 11 Sep 2008 15:42:19 +0000
Subject: [Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
Message-ID: <200809111542.19414.ryan.braun@ec.gc.ca>

I had setup encryption on one of my test fds servers (1.1.2), generated a CAcert and a Server-Cert and turned on encryption. It all worked fine. I shut down fds, removed the Server-Cert and created a new Server-Cert with a few Subject Alt Name entries. I didn't import a p12 cert, I just used certutil to create a new cert in the database.

I restarted the server and tested with ldapsearch -ZZ and it all still worked.

When I had a look in the log recently, I noticed these entries every time I restart the service.
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests

Looking back to when I first turned on encryption, I see

[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests

So I'm wondering if I need to somehow reinit some of the encryption keys? Or maybe I missed a step for replacing a Server-Cert? But from the docs it looks like a straightforward turn off fds, remove old cert, create/import new cert (with same name), restart fds.

Ryan

From rmeggins at redhat.com Thu Sep 11 15:44:41 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Sep 2008 09:44:41 -0600
Subject: [Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
In-Reply-To: <200809111542.19414.ryan.braun@ec.gc.ca>
References: <200809111542.19414.ryan.braun@ec.gc.ca>
Message-ID: <48C93CE9.8030801@redhat.com>

Ryan Braun [ADS] wrote:
> I had setup encryption on one of my test fds servers (1.1.2), generated a CAcert and a Server-Cert and turned on encryption. It all worked fine. I shut down fds, removed the Server-Cert and created a new Server-Cert with a few Subject Alt Name entries. I didn't import a p12 cert, I just used certutil to create a new cert in the database.
>
> I restarted the server and tested with ldapsearch -ZZ and it all still worked.
>
> When I had a look in the log recently, I noticed these entries every time I restart the service.
>
> [11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
> [11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
> [11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
>
> So I'm wondering if I need to somehow reinit some of the encryption keys? Or maybe I missed a step for replacing a Server-Cert? But from the docs it looks like a straightforward turn off fds, remove old cert, create/import new cert (with same name), restart fds.

Unfortunately, those keys were encrypted with the old key/cert. But as long as you don't want to use reversible attribute encryption, you can ignore those messages.

> Ryan

From ryan.braun at ec.gc.ca Thu Sep 11 15:53:22 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Thu, 11 Sep 2008 15:53:22 +0000
Subject: [Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
In-Reply-To: <48C93CE9.8030801@redhat.com>
References: <200809111542.19414.ryan.braun@ec.gc.ca> <48C93CE9.8030801@redhat.com>
Message-ID: <200809111553.22838.ryan.braun@ec.gc.ca>

On Thursday 11 September 2008 15:44, Rich Megginson wrote:
> > So I'm wondering if I need to somehow reinit some of the encryption keys? Or maybe I missed a step for replacing a Server-Cert? But from the docs it looks like a straightforward turn off fds, remove old cert, create/import new cert (with same name), restart fds.
>
> Unfortunately, those keys were encrypted with the old key/cert. But as long as you don't want to use reversible attribute encryption, you can ignore those messages.
For the sake of argument and potential future issues (I don't know enough about how the whole encryption system works unfortunately), let's say I did want to use reversible attribute encryption :)

Ryan

From ryan.braun at ec.gc.ca Thu Sep 11 15:57:17 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Thu, 11 Sep 2008 15:57:17 +0000
Subject: [Fedora-directory-users] fds 1.1+ not setting nsslapd-instancedir on install?
In-Reply-To: <48C80432.9070205@redhat.com>
References: <200809101518.13205.ryan.braun@ec.gc.ca> <200809101718.10955.ryan.braun@ec.gc.ca> <48C80432.9070205@redhat.com>
Message-ID: <200809111557.17777.ryan.braun@ec.gc.ca>

On Wednesday 10 September 2008 17:30, Rich Megginson wrote:
> >> Well, it depends - what were you using nsslapd-instancedir for? There are several other attributes you could use now, depending on what you're trying to do.
> >
> > I was using nsslapd-instancedir as the ref point on where to put the changelog db files, which by default in the console (1.1+) is /var/lib/dirsrv/slapd-INSTANCE/changelog.
>
> If you want the changelog directory, use nsslapd-directory, and see
> http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Attributes_under_cnconfig_cnldbm_database_cnplugins_cnconfig-nsslapd_directory
>
> when you grab that attribute, just replace /db$ with /cldb to construct the changelog directory.

Roger that, got it working with

##############################
# find the instance-dir
##############################
$msg = $ldap->search(
    base   => "cn=config, cn=ldbm database, cn=plugins, cn=config",
    scope  => "sub",
    filter => "(objectClass=*)",
);

my $instance_dir = $msg->entry(0)->get_value("nsslapd-directory");
if (!defined($instance_dir)) {
    print "Unable to determine the instancedir, pretty big issue, puking\n";
    exit 1;
}
$instance_dir =~ s/\/db//;

Thanks Rich.

Ryan

From rmeggins at redhat.com Thu Sep 11 16:09:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Sep 2008 10:09:29 -0600
Subject: [Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
In-Reply-To: <200809111553.22838.ryan.braun@ec.gc.ca>
References: <200809111542.19414.ryan.braun@ec.gc.ca> <48C93CE9.8030801@redhat.com> <200809111553.22838.ryan.braun@ec.gc.ca>
Message-ID: <48C942B9.4070500@redhat.com>

Ryan Braun [ADS] wrote:
> On Thursday 11 September 2008 15:44, Rich Megginson wrote:
>> Unfortunately, those keys were encrypted with the old key/cert. But as long as you don't want to use reversible attribute encryption, you can ignore those messages.
>
> For the sake of argument and potential future issues (I don't know enough about how the whole encryption system works unfortunately), let's say I did want to use reversible attribute encryption :)

I think reversible attribute encryption creates some config entries under the parent database entry in dse.ldif (cn=config) - I think you just have to remove those entries. Of course, if you do this, and you have used reversible attribute encryption, your encrypted attribute values will be lost forever.
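The operational point in Rich's two answers is easy to lose: the per-backend symmetric keys that attribute encryption generated on first start were wrapped with the old Server-Cert key, so after the certificate is replaced the server logs "attrcrypt_unwrap_key: failed to unwrap key" on every restart. That is harmless only if no attribute is actually stored encrypted; otherwise it is the early warning that the encrypted values are no longer recoverable. The following is an added Python example, not code from this thread or from Fedora DS: it parses errors-log lines in the format Ryan posted, groups them per server start, and classifies each start as healthy, as a first-time key generation, or as a wrapped-key failure. The two log excerpts are copied from Ryan's messages above; the verdict names are this example's own.

```python
import re

# Excerpt from Ryan's post: restart after the Server-Cert was replaced.
SAMPLE_ERRORS_LOG = """\
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests
"""

# Excerpt from Ryan's post: the start on which encryption was first enabled.
FIRST_ENABLE_LOG = """\
[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
UNWRAP_RE = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (?P<cipher>\S+)")
NOKEY_RE = re.compile(r"No symmetric key found for cipher (?P<cipher>\S+) in backend (?P<backend>\S+),")
GENERATED_RE = re.compile(r"Key for cipher (?P<cipher>\S+) successfully generated and stored")


def parse_errors_log(text):
    """Split an errors log into (timestamp, message) pairs; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("msg")))
    return entries


def verdict(report):
    """Verdict names are this example's own, not server terminology."""
    if report["unwrap_failures"]:
        return "WRAPPED_KEY_UNUSABLE"   # keys wrapped under a key/cert that is gone
    if report["keys_generated"]:
        return "KEYS_CREATED"           # first enable: new keys wrapped under the current cert
    return "OK"


def startup_reports(text):
    """One report per 'starting up' marker, listing what attrcrypt did during that start."""
    reports = []
    current = None
    pending = None   # (cipher, backend) announced by a 'No symmetric key found' line
    for ts, msg in parse_errors_log(text):
        if msg.endswith("starting up"):
            current = {"started_at": ts, "unwrap_failures": [], "keys_generated": []}
            reports.append(current)
            continue
        if current is None:
            continue   # lines before the first start marker are ignored
        m = UNWRAP_RE.search(msg)
        if m:
            current["unwrap_failures"].append(m.group("cipher"))
            continue
        m = NOKEY_RE.search(msg)
        if m:
            pending = (m.group("cipher"), m.group("backend"))
            continue
        m = GENERATED_RE.search(msg)
        if m and pending and pending[0] == m.group("cipher"):
            current["keys_generated"].append(pending)
            pending = None
    for r in reports:
        r["verdict"] = verdict(r)
    return reports


if __name__ == "__main__":
    for r in startup_reports(FIRST_ENABLE_LOG + SAMPLE_ERRORS_LOG):
        print(r["started_at"], r["verdict"], r["unwrap_failures"], r["keys_generated"])
```

Run against a real errors log, a `WRAPPED_KEY_UNUSABLE` verdict on a start that follows a certificate change is the thing to alert on before anyone relies on reversible attribute encryption on that instance.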
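Ryan's Net::LDAP snippet earlier in this thread derives the database instance directory from nsslapd-directory with an unanchored substitution. The following is an added Python example, not code from Ryan's script or from Fedora DS, showing the same derivation with the substitution anchored at the end of the string, plus the /cldb changelog path Rich described. The LDIF text is a constructed stand-in for what ldapsearch returns for the ldbm database config entry; its nsslapd-directory is deliberately set to a non-default path containing "/db" twice, which is the case where the unanchored form silently produces a wrong directory.

```python
import re

# Constructed sample of the LDIF ldapsearch returns for the entry Ryan's search
# reads.  The path is non-default on purpose: "/db" occurs twice in it.
SAMPLE_LDIF = """\
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-directory: /data/db/dirsrv/slapd-ldap1/db
nsslapd-db-home-directory: /data/db/dirsrv/slapd-ldap1/db
"""


def ldif_attr(ldif, attr):
    """Return the first value of `attr` in a single-entry LDIF text.

    LDIF folds long values onto continuation lines that start with one space;
    those are joined back before the attribute is looked up."""
    unfolded = ldif.replace("\n ", "")
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            return value.strip()
    return None


def db_instance_dir(nsslapd_directory):
    """Parent of the db directory, e.g. /var/lib/dirsrv/slapd-INSTANCE.

    Strips exactly one trailing '/db' (the $-anchored substitution); a value
    that does not end in /db is rejected rather than guessed at."""
    if not nsslapd_directory.endswith("/db"):
        raise ValueError("nsslapd-directory does not end in /db: %r" % nsslapd_directory)
    return re.sub(r"/db$", "", nsslapd_directory)


def changelog_dir(nsslapd_directory):
    """Replace the trailing /db with /cldb, as Rich describes above."""
    return db_instance_dir(nsslapd_directory) + "/cldb"


def unanchored_instance_dir(nsslapd_directory):
    r"""What an unanchored s/\/db// does: remove the FIRST '/db', wherever it is."""
    return re.sub(r"/db", "", nsslapd_directory, count=1)


if __name__ == "__main__":
    value = ldif_attr(SAMPLE_LDIF, "nsslapd-directory")
    print("nsslapd-directory:", value)
    print("anchored   :", db_instance_dir(value))
    print("changelog  :", changelog_dir(value))
    print("unanchored :", unanchored_instance_dir(value))
```

With the default layout the two forms agree, which is why the unanchored version "works"; the difference only shows up on a relocated database directory, and then the script would write the changelog under a directory that does not belong to the instance.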
From rmeggins at redhat.com Thu Sep 11 16:11:21 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Sep 2008 10:11:21 -0600
Subject: [Fedora-directory-users] fds 1.1+ not setting nsslapd-instancedir on install?
In-Reply-To: <200809111557.17777.ryan.braun@ec.gc.ca>
References: <200809101518.13205.ryan.braun@ec.gc.ca> <200809101718.10955.ryan.braun@ec.gc.ca> <48C80432.9070205@redhat.com> <200809111557.17777.ryan.braun@ec.gc.ca>
Message-ID: <48C94329.1060802@redhat.com>

Ryan Braun [ADS] wrote:
> On Wednesday 10 September 2008 17:30, Rich Megginson wrote:
>> If you want the changelog directory, use nsslapd-directory, and when you grab that attribute, just replace /db$ with /cldb to construct the changelog directory.
>
> Roger that, got it working with
>
> my $instance_dir = $msg->entry(0)->get_value("nsslapd-directory");
> if (!defined($instance_dir)) {
>     print "Unable to determine the instancedir, pretty big issue, puking\n";
>     exit 1;
> }
> $instance_dir =~ s/\/db//;

I would suggest using \/db$, but otherwise, yes, that's it. It's not really an instance dir anymore, more like a database instance dir - you will find under there the db dir, the changelog db dir, the default ldif db export dir, and the default db backup dir.

> Thanks Rich.
>
> Ryan

From steve.ngu at hotmail.fr Fri Sep 12 08:44:34 2008
From: steve.ngu at hotmail.fr (steve nguyen)
Date: Fri, 12 Sep 2008 10:44:34 +0200
Subject: [Fedora-directory-users] CA certificate trouble
Message-ID:

Hi everybody,

If you remember me, I've got some problem with SSL in my sync agreement:

https://www.redhat.com/archives/fedora-directory-users/2008-September/msg00000.html
https://www.redhat.com/archives/fedora-directory-users/2008-September/msg00024.html

I think I have found what's wrong in my SSL set up. I tried this command to verify if ssl is enabled in FDS: ldapsearch -x -ZZ '(uid=testuser)'

I checked the access log, and I've got this message:

EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
RESULT err=0 tag=120 nentries=0 etime=0
DISCONNECT fd=67 closed - Peer does not recognize and trust the CA that issued your certific...
As I said before, I set up SSL using the second script from the FDS wiki page. So my question is what can I do now:
- Can I fix this?
- Should I do a full set up of SSL?

Thanks

From ryan.braun at ec.gc.ca Fri Sep 12 14:03:53 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Fri, 12 Sep 2008 14:03:53 +0000
Subject: [Fedora-directory-users] CA certificate trouble
In-Reply-To:
References:
Message-ID: <200809121403.53125.ryan.braun@ec.gc.ca>

On Friday 12 September 2008 08:44, steve nguyen wrote:
> I think I have found what's wrong in my SSL set up. I tried this command to verify if ssl is enabled in FDS: ldapsearch -x -ZZ '(uid=testuser)'
>
> I checked the access log, and I've got this message:
>
> EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> RESULT err=0 tag=120 nentries=0 etime=0
> DISCONNECT fd=67 closed - Peer does not recognize and trust the CA that issued your certific...
>
> As I said before, I set up SSL using the second script from the FDS wiki page. So my question is what can I do now:
> - Can I fix this?
> - Should I do a full set up of SSL?
>
> Thanks

I've been working on an all-in-one ssl management perl script for fds. It's been working over here but I'm sure there are some quirks in it.

Make sure you edit /etc/fdstools/ssl.conf to point to your correct SEC_DIR and INSTANCE values. Then just move out your old $SEC_DIR/cert8.db key3.db and secmod.db files to some backup directory and run fdssl.pl -h or -e for examples on how to use it.

Let me know how it works for you.

Ryan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fdstools.tar.bz2
Type: application/x-tbz
Size: 16092 bytes
Desc: not available

From steve.ngu at hotmail.fr Fri Sep 12 21:49:11 2008
From: steve.ngu at hotmail.fr (steve nguyen)
Date: Fri, 12 Sep 2008 23:49:11 +0200
Subject: [Fedora-directory-users] CA certificate trouble
In-Reply-To: <200809121403.53125.ryan.braun@ec.gc.ca>
References: <200809121403.53125.ryan.braun@ec.gc.ca>
Message-ID:

Thank you, I will try it Monday at work and I will give you some feedback!

Steve

> From: ryan.braun at ec.gc.ca
> To: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] CA certificate trouble
> Date: Fri, 12 Sep 2008 14:03:53 +0000
>
> I've been working on an all-in-one ssl management perl script for fds. It's been working over here but I'm sure there are some quirks in it.
>
> Make sure you edit /etc/fdstools/ssl.conf to point to your correct SEC_DIR and INSTANCE values. Then just move out your old $SEC_DIR/cert8.db key3.db and secmod.db files to some backup directory and run fdssl.pl -h or -e for examples on how to use it.
>
> Let me know how it works for you.
>
> Ryan
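The DISCONNECT line Steve found is the server-side record of a TLS alert sent by the client: the ldapsearch client did not trust the CA that signed the server certificate produced by the wiki script, so it aborted the handshake right after startTLS succeeded at the LDAP layer (RESULT err=0). The following is an added Python example, not code from this thread or from Fedora DS: it reads access-log lines in the format shown above, correlates the EXT startTLS operation with the close reason per connection, and reports connections that requested startTLS but were closed with a free-text TLS error instead of a normal disconnect code. The log lines are constructed for this example (the full NSS alert text is used where Steve's copy is truncated); treating short codes such as U1 or B1 as normal disconnect reasons is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed access-log sample: conn=12 fails the TLS handshake after startTLS,
# conn=13 completes startTLS and binds normally, conn=14 never requests TLS.
SAMPLE_ACCESS_LOG = """\
[12/Sep/2008:10:30:01 +0200] conn=12 fd=67 slot=67 connection from 192.0.2.10 to 192.0.2.5
[12/Sep/2008:10:30:01 +0200] conn=12 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Sep/2008:10:30:01 +0200] conn=12 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[12/Sep/2008:10:30:01 +0200] conn=12 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
[12/Sep/2008:10:31:15 +0200] conn=13 fd=68 slot=68 connection from 192.0.2.11 to 192.0.2.5
[12/Sep/2008:10:31:15 +0200] conn=13 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[12/Sep/2008:10:31:15 +0200] conn=13 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[12/Sep/2008:10:31:15 +0200] conn=13 SSL 256-bit AES
[12/Sep/2008:10:31:15 +0200] conn=13 op=1 BIND dn="uid=testuser,ou=People,dc=example,dc=com" method=128 version=3
[12/Sep/2008:10:31:15 +0200] conn=13 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[12/Sep/2008:10:31:16 +0200] conn=13 op=2 UNBIND
[12/Sep/2008:10:31:16 +0200] conn=13 op=2 fd=68 closed - U1
[12/Sep/2008:10:32:40 +0200] conn=14 fd=69 slot=69 connection from 192.0.2.12 to 192.0.2.5
[12/Sep/2008:10:32:40 +0200] conn=14 op=0 BIND dn="" method=128 version=3
[12/Sep/2008:10:32:40 +0200] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Sep/2008:10:32:40 +0200] conn=14 op=1 UNBIND
[12/Sep/2008:10:32:40 +0200] conn=14 op=1 fd=69 closed - U1
"""

ACCESS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
PEER_RE = re.compile(r"connection from (?P<peer>\S+) to ")
STARTTLS_RE = re.compile(r'EXT oid="1\.3\.6\.1\.4\.1\.1466\.20037"')
CLOSED_RE = re.compile(r"closed - (?P<reason>.*)$")
# Assumption of this example: a close reason that is a short letter+digits code
# (U1, B1, ...) is a normal disconnect; anything longer is an error message.
CODE_RE = re.compile(r"^[A-Z]\d+$")


def tls_trust_failures(text):
    """Connections that asked for startTLS and were then closed with a TLS error text."""
    conns = defaultdict(lambda: {"peer": None, "starttls": False, "reason": None, "ts": None})
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        c = conns[m.group("conn")]
        rest = m.group("rest")
        pm = PEER_RE.search(rest)
        if pm:
            c["peer"] = pm.group("peer")
        if STARTTLS_RE.search(rest):
            c["starttls"] = True
        cm = CLOSED_RE.search(rest)
        if cm:
            c["reason"] = cm.group("reason").strip()
            c["ts"] = m.group("ts")
    findings = []
    for conn, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        if c["starttls"] and c["reason"] and not CODE_RE.match(c["reason"]):
            findings.append({"conn": int(conn), "peer": c["peer"], "ts": c["ts"],
                             "reason": c["reason"], "hint": remediation_hint(c["reason"])})
    return findings


def remediation_hint(reason):
    """Map the NSS alert text to the side that needs fixing."""
    if "recognize and trust the CA" in reason:
        return "client does not trust the issuing CA: give the client the CA certificate"
    return "inspect the TLS configuration on both sides"


if __name__ == "__main__":
    for f in tls_trust_failures(SAMPLE_ACCESS_LOG):
        print("conn=%d peer=%s %s: %s" % (f["conn"], f["peer"], f["ts"], f["reason"]))
        print("  ->", f["hint"])
```

The distinction the report draws is the one that matters for Steve's question: the server's startTLS succeeded, so the certificate database on the server is not necessarily broken; what is missing is the CA certificate on the side that runs ldapsearch (for OpenLDAP clients that is the TLS_CACERT setting in ldap.conf).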
URL: From steve.ngu at hotmail.fr Mon Sep 15 09:02:56 2008 From: steve.ngu at hotmail.fr (steve nguyen) Date: Mon, 15 Sep 2008 11:02:56 +0200 Subject: [Fedora-directory-users] CA certificate trouble In-Reply-To: <200809121403.53125.ryan.braun@ec.gc.ca> References: <200809121403.53125.ryan.braun@ec.gc.ca> Message-ID: Hi, I tried your script after doing all the things you suggest. And I got this error message after running the script : Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: /usr/lib/perl5/5.10.0/i386-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl .) at ./fdsssl.pl line 9.BEGIN failed--compilation aborted at ./fdsssl.pl line 9. Do you have you an idea what's wrong ? Should I edit a conf file or install a package to correct this ? 
thanks> From: ryan.braun at ec.gc.ca> To: fedora-directory-users at redhat.com> Subject: Re: [Fedora-directory-users] CA certificate trouble> Date: Fri, 12 Sep 2008 14:03:53 +0000> > On Friday 12 September 2008 08:44, steve nguyen wrote:> > Hi everybody,> >> > If you remember me I've got some problem with SSL in my sync agreement :> >> > https://www.redhat.com/archives/fedora-directory-users/2008-September/msg00> >000.html> > https://www.redhat.com/archives/fedora-directory-users/2008-September/msg00> >024.html> >> > I think I have found what's wrong in my SSL set up.> > I tried this command to verify if ssl is enabled in FDS : ldapsearch -x -ZZ> > '(uid=testuser)' I check the access log, and I've got this message :> > EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"> > RESULT err=0 tag=120 nentries=0 etime=0DISCONNECT fd=67 closed - Peer does> > not recognize and trust the CA that issued your certific...> >> > As I said before I set up SSL using the second script from the FDS wiki> > page. So my question is what can I do now :> > - Can I fix this ?> > - Should I do a full set up of SSL ?> >> > Thanks> > > I've been working on an all-in-one ssl management perl script for fds. It's > been working over here but I'm sure there are some quirks in it. > > Make sure you edit /etc/fdstools/ssl.conf to point to your correct SEC_DIR and > INSTANCE values. Then just move out your old $SEC_DIR/cert8.db key3.db and > secmod.db files to some backup directory and run fdssl.pl -h or -e for > examples on how to use it.> > Let me know how it works for you.> > Ryan _________________________________________________________________ Installez gratuitement les 20 ?m?ticones Windows Live Messenger les plus fous ! Cliquez ici ! http://www.emoticones-messenger.fr/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From mhalpern at accoona.com Mon Sep 15 20:47:31 2008 From: mhalpern at accoona.com (Marcelo N. 
Halpern) Date: Mon, 15 Sep 2008 16:47:31 -0400 Subject: [Fedora-directory-users] installation problems on FC8 Message-ID: <48CEC9E3.3060408@accoona.com>

Hello list,

Perhaps someone can point me in the right direction. I just installed ds-1.1 and related packages. I ran /usr/sbin/setup-ds-admin.pl in 'express' mode, and created the directory server instance. The process fails at the very end, when the script attempts to register the admin instance. Basic ldapsearch binding as cn="Directory Manager" also fails. Am I missing something essential, and if so, what?

This is on Fedora 8/i386 with the following packages:

fedora-ds-console-1.1.1-2.fc6 Mon 15 Sep 2008 03:48:59 PM EDT
fedora-ds-admin-console-1.1.1-2.fc6 Mon 15 Sep 2008 03:48:57 PM EDT
fedora-ds-admin-1.1.6-1.fc8 Mon 15 Sep 2008 03:48:55 PM EDT
fedora-ds-base-1.1.0-1.2.fc8 Mon 15 Sep 2008 03:48:48 PM EDT

[15/Sep/2008:16:12:56 -0400] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[15/Sep/2008:16:12:56 -0400] conn=0 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[15/Sep/2008:16:12:56 -0400] conn=0 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Sep/2008:16:12:56 -0400] conn=0 op=1 UNBIND
[15/Sep/2008:16:12:56 -0400] conn=0 op=1 fd=64 closed - U1
[15/Sep/2008:16:13:44 -0400] conn=1 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[15/Sep/2008:16:13:44 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[15/Sep/2008:16:13:44 -0400] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Sep/2008:16:13:44 -0400] conn=1 op=-1 fd=64 closed - B1

Thank you,
nh

--
Marcelo Nicolás Halpern
Systems Administrator
Accoona Corporation

From orion at cora.nwra.com Mon Sep 15 21:46:28 2008 From: orion at cora.nwra.com (Orion Poplawski) Date: Mon, 15 Sep 2008 15:46:28 -0600 Subject: [Fedora-directory-users] Error creating certificate request Message-ID: <48CED7B4.5010009@cora.nwra.com>

I'm running fedora-idm-console on my F-9 box connecting to an FDS install of the latest FDS
(compiled from Fedora rawhide sources) on a CentOS 5.2 machine. I'm trying to create a certificate request.

The DN: CN="ldap.cora.nwra.com", OU="CoRA", O="NWRA", L="Boulder", ST="Colorado", C="US"

After entering the private key password (step 3 of 4) I get an error:

Unable to convert DN to certificate name.

Ideas?

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion at cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com

From orion at cora.nwra.com Mon Sep 15 22:14:21 2008 From: orion at cora.nwra.com (Orion Poplawski) Date: Mon, 15 Sep 2008 16:14:21 -0600 Subject: [Fedora-directory-users] Strange fonts Message-ID: <48CEDE3D.4080307@cora.nwra.com>

I've got the latest FDS code from rawhide built and installed on CentOS 5.2. If I run fedora-idm-console on the CentOS machine and display on my F9 machine the fonts are such that the display is almost completely blank and unreadable. The fonts are fine if I run locally on the F9 box.

Any particular fonts needed to be installed on the EL machine?

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion at cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com

From orion at cora.nwra.com Mon Sep 15 22:20:50 2008 From: orion at cora.nwra.com (Orion Poplawski) Date: Mon, 15 Sep 2008 16:20:50 -0600 Subject: [Fedora-directory-users] Strange fonts In-Reply-To: <48CEDE3D.4080307@cora.nwra.com> References: <48CEDE3D.4080307@cora.nwra.com> Message-ID: <48CEDFC2.5050001@cora.nwra.com>

Orion Poplawski wrote:
> I've got the latest FDS code from rawhide built and installed on CentOS 5.2. If I run fedora-idm-console on the CentOS machine and display on my F9 machine the fonts are such that the display is almost completely blank and unreadable. The fonts are fine if I run locally on the F9 box.
>
> Any particular fonts needed to be installed on the EL machine?
I installed liberation-fonts and that works.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion at cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com

From orion at cora.nwra.com Mon Sep 15 22:22:14 2008 From: orion at cora.nwra.com (Orion Poplawski) Date: Mon, 15 Sep 2008 16:22:14 -0600 Subject: [Fedora-directory-users] Error creating certificate request In-Reply-To: <48CED7B4.5010009@cora.nwra.com> References: <48CED7B4.5010009@cora.nwra.com> Message-ID: <48CEE016.9060007@cora.nwra.com>

Orion Poplawski wrote:
> I'm running fedora-idm-console on my F-9 box connecting to an FDS install of the latest FDS (compiled from Fedora rawhide sources) on a CentOS 5.2 machine. I'm trying to create a certificate request.
>
> The DN: CN="ldap.cora.nwra.com", OU="CoRA", O="NWRA", L="Boulder", ST="Colorado", C="US"
>
> After entering the private key password (step 3 of 4) I get an error:
>
> Unable to convert DN to certificate name.
>
> Ideas?

Also fails if I run fedora-idm-console on the EL box.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion at cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com

From orion at cora.nwra.com Mon Sep 15 22:59:56 2008 From: orion at cora.nwra.com (Orion Poplawski) Date: Mon, 15 Sep 2008 16:59:56 -0600 Subject: [Fedora-directory-users] Error creating certificate request In-Reply-To: <48CEE016.9060007@cora.nwra.com> References: <48CED7B4.5010009@cora.nwra.com> <48CEE016.9060007@cora.nwra.com> Message-ID: <48CEE8EC.1070302@cora.nwra.com>

Orion Poplawski wrote:
> Orion Poplawski wrote:
>> I'm running fedora-idm-console on my F-9 box connecting to an FDS install of the latest FDS (compiled from Fedora rawhide sources) on a CentOS 5.2 machine. I'm trying to create a certificate request.
>>
>> The DN: CN="ldap.cora.nwra.com", OU="CoRA", O="NWRA", L="Boulder", ST="Colorado", C="US"
>>
>> After entering the private key password (step 3 of 4) I get an error:
>>
>> Unable to convert DN to certificate name.
>>
>> Ideas?
>
> Also fails if I run fedora-idm-console on the EL box.

I manually removed all of the "'s from the DN and that appears to have worked.

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion at cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com

From antweilers at googlemail.com Tue Sep 16 10:46:32 2008 From: antweilers at googlemail.com (Joerg Antweiler) Date: Tue, 16 Sep 2008 12:46:32 +0200 Subject: [Fedora-directory-users] User privileges In-Reply-To: <48C6FA42.6080407@TangaNet.Net> References: <48C6FA42.6080407@TangaNet.Net> Message-ID: <9e2ee8f50809160346p69539777ue559677d9daac2a6@mail.gmail.com>

Hi Dharmin,

you might want to work with aci's. One way to achieve what you want: define your admin users in a meaningful ou.

your admin ou:

dn: ou=myadmins,o=some-root-suffix
ou: myadmins
objectClass: top
objectClass: organizationalunit

one of your admins:

dn: uid=Serviceadmin,ou=myadmins, o=some-root-suffix
givenName: Serviceadmin
sn: Serviceadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: Serviceadmin
cn: Serviceadmin
userPassword: some-password

define one corresponding aci for every ou:

dn: ou=myorganizationalunit,o=some-root-suffix
aci: (targetattr = "*") (target = "ldap:///ou=myorganizationalunit,o=some-root-suffix") (version 3.0;acl "Admin for myou Access ACI";allow (all)(userdn = "ldap:///uid=Serviceadmin,ou=myadmins, o=some-root-suffix");)
ou: myorganizationalunit
objectClass: top
objectClass: organizationalunit

Finetune security in terms of which attributes can be accessed, modified etc.
(targetattr) and allowed operations (in my example, all operations are allowed).

Hope it gives you an idea,

Regards,
Joerg

2008/9/10 Dharmin Mandalia
> Hello
>
> On our Directory Server, we have different OU's for each department, under which we have dept users. Is it possible to allow each department admin to add/delete/edit user/group/other entries for their own department OU ONLY, over Directory console, so basically one admin from each department has full access/rights over user/group/other entries under their dept OU, over Dir Console.
>
> If you know how the above can be done, please tell me....
>
> Appreciate your reply.
>
> Regards
> Dharmin
>
> fedora-directory-users at redhat.com
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From Dharmin.Mandalia at TangaNet.net Tue Sep 16 15:33:05 2008 From: Dharmin.Mandalia at TangaNet.net (Dharmin Mandalia) Date: Tue, 16 Sep 2008 16:33:05 +0100 (BST) Subject: [Fedora-directory-users] User privileges Message-ID: <40801.199.46.244.227.1221579185.squirrel@mail.tanganet.net>

Hi Joerg

Thanks.. will soon try what you've suggested.

Regards
Dharmin

From jad at jadickinson.co.uk Tue Sep 16 15:34:10 2008 From: jad at jadickinson.co.uk (John Dickinson) Date: Tue, 16 Sep 2008 16:34:10 +0100 Subject: [Fedora-directory-users] FDS 1.1.2? Message-ID:

Hi

I am looking to build FDS from source and noticed that the source page on the wiki lists FDS 1.1.2 but I can not see it in the news or on the announce list. Is it the current release, or should I stick with 1.1.1? If it is the current release can anyone give me any pointers on getting the console built. It seems to be missing the fedora-idm-console tarball - or is that just not needed now?

Thanks
John

From kenoh23 at yahoo.fr Tue Sep 16 16:11:28 2008 From: kenoh23 at yahoo.fr (ken oh) Date: Tue, 16 Sep 2008 16:11:28 +0000 (GMT) Subject: [Fedora-directory-users] cert token in password sync setup ? Message-ID: <671471.41768.qm@web26004.mail.ukl.yahoo.com>

Hi,

What's the cert token they are asking for in the password sync setup? Is it the same cert password they are asking for during a cert import/export?

From rmeggins at redhat.com Tue Sep 16 16:43:47 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 16 Sep 2008 10:43:47 -0600 Subject: [Fedora-directory-users] Announcement: Fedora Directory Server 1.1.2 is released Message-ID: <48CFE243.7030701@redhat.com>

Fedora Directory Server 1.1.2 is now available

We are pleased to announce the availability of Fedora Directory Server 1.1.2. This release has many, many bug fixes and several new features. Please read the Release Notes before installing or upgrading!
http://directory.fedoraproject.org/wiki/Release_Notes

From rmeggins at redhat.com Tue Sep 16 19:32:33 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 16 Sep 2008 13:32:33 -0600 Subject: [Fedora-directory-users] User password change which syntax checking In-Reply-To: <48BE3922.1020005@itsa.gov.au> References: <48BE3922.1020005@itsa.gov.au> Message-ID: <48D009D1.2090803@redhat.com>

Ross Johnson wrote:
> I have FDS 1.1.1 running with password policy and syntax checking working for user passwords via the console, but I haven't been able to get ldappasswd (from mozldap-tools package) to pay attention to those password constraints that I know work via the console. That is, ldappasswd succeeds even when given passwords that fail in the console. Is this what I should expect to see?

No.

> AFAICS from looking at source code, manual pages etc, ldappasswd passes the plaintext password to the server to be encrypted and if that's the case then I'm assuming that password checks should be working. I understand that password checks can't be done if the userPassword attribute is modified directly, e.g. by ldapmodify.
>
> I get the feeling I'm missing something very basic, so any clarification would be greatly appreciated.

Do you have the same problem with Fedora DS 1.1.2? Are you sure the password is being sent unencrypted?
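The access-log excerpts pasted earlier in this digest (Marcelo Halpern's repeated err=49 binds as cn=Directory Manager, and the startTLS DISCONNECT in Steve Nguyen's message) are the two things an operator usually wants pulled out of a 389/Fedora DS access log automatically rather than by eye. The script below is an added example; it is not code from the list or from the project. It assumes the access-log record shapes shown in those messages (the "connection from" record, BIND/RESULT pairs keyed by conn= and op=, and the "closed - <reason>" record) and runs over a constructed sample log.

```python
"""Flag failed binds and TLS trust failures in a 389/Fedora DS access log.

Added example, not code from the list thread. It pairs BIND and RESULT
records by (conn, op), attributes them to the client address from the
"connection from" record, and reports err=49 (invalid credentials) and
disconnects caused by an untrusted CA. SAMPLE_LOG is constructed for the
demo in the format the messages above paste.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONNECT_RE = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<ip>\S+) to ')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')
CLOSE_RE = re.compile(r'^op=-?\d+ fd=\d+ closed - (?P<why>.*)$')

LDAP_INVALID_CREDENTIALS = 49
CA_NOT_TRUSTED = 'does not recognize and trust the CA'


def analyze(lines, threshold=3):
    """Return failed binds, TLS trust failures, and the (address, DN) pairs
    that failed at least `threshold` times."""
    client_ip = {}           # conn id -> client address
    pending_bind = {}        # (conn, op) -> bind DN waiting for its RESULT
    failed_binds = []        # (timestamp, client address, bind DN)
    tls_trust_failures = []  # (timestamp, client address, server's reason)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, rest = m.group('ts', 'conn', 'rest')
        if (c := CONNECT_RE.match(rest)):
            client_ip[conn] = c.group('ip')
        elif (b := BIND_RE.match(rest)):
            pending_bind[(conn, b.group('op'))] = b.group('dn') or '<anonymous>'
        elif (r := RESULT_RE.match(rest)):
            # RESULT for a non-BIND op (EXT, SRCH, ...) has no pending entry
            dn = pending_bind.pop((conn, r.group('op')), None)
            if dn is not None and int(r.group('err')) == LDAP_INVALID_CREDENTIALS:
                failed_binds.append((ts, client_ip.get(conn, '?'), dn))
        elif (cl := CLOSE_RE.match(rest)) and CA_NOT_TRUSTED in cl.group('why'):
            tls_trust_failures.append((ts, client_ip.get(conn, '?'), cl.group('why')))
    counts = defaultdict(int)
    for _, ip, dn in failed_binds:
        counts[(ip, dn)] += 1
    suspects = sorted(key for key, n in counts.items() if n >= threshold)
    return {'failed_binds': failed_binds,
            'tls_trust_failures': tls_trust_failures,
            'suspects': suspects}


# Constructed sample: three bad Directory Manager binds from loopback, one
# good user bind, and one startTLS client the server does not trust.
SAMPLE_LOG = """\
[15/Sep/2008:16:12:56 -0400] conn=0 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[15/Sep/2008:16:12:56 -0400] conn=0 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[15/Sep/2008:16:12:56 -0400] conn=0 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Sep/2008:16:12:56 -0400] conn=0 op=1 UNBIND
[15/Sep/2008:16:12:56 -0400] conn=0 op=1 fd=64 closed - U1
[15/Sep/2008:16:13:44 -0400] conn=1 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[15/Sep/2008:16:13:44 -0400] conn=1 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[15/Sep/2008:16:13:44 -0400] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Sep/2008:16:13:44 -0400] conn=1 op=-1 fd=64 closed - B1
[15/Sep/2008:16:14:02 -0400] conn=2 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[15/Sep/2008:16:14:02 -0400] conn=2 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[15/Sep/2008:16:14:02 -0400] conn=2 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[15/Sep/2008:16:14:02 -0400] conn=2 op=1 UNBIND
[15/Sep/2008:16:15:10 -0400] conn=3 fd=65 slot=65 connection from 192.0.2.10 to 127.0.0.1
[15/Sep/2008:16:15:10 -0400] conn=3 op=0 BIND dn="uid=testuser,ou=People,dc=example,dc=com" method=128 version=3
[15/Sep/2008:16:15:10 -0400] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Sep/2008:16:16:30 -0400] conn=4 fd=67 slot=67 connection from 10.0.0.5 to 127.0.0.1
[15/Sep/2008:16:16:30 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[15/Sep/2008:16:16:30 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[15/Sep/2008:16:16:30 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
"""

if __name__ == '__main__':
    for key, rows in analyze(SAMPLE_LOG.splitlines()).items():
        print(key)
        for row in rows:
            print('   ', row)
```

The threshold is keyed on (address, DN) rather than on the address alone because repeated err=49 against a privileged DN from loopback is exactly what a mistyped Directory Manager password during setup looks like, and you want it to read as one event, not three. The CA reason is the server's own text and is matched only as a substring. Connection numbers start again from 0 when the server restarts, so keep the pending-bind table per log file rather than across a rotated set.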
From Andrey.Ivanov at polytechnique.fr Wed Sep 17 06:43:52 2008 From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov) Date: Wed, 17 Sep 2008 08:43:52 +0200 Subject: [Fedora-directory-users] CVS commits mailing list Message-ID: <486543559.20080917084352@polytechnique.edu>

Hi,

the mailing list of the fds cvs commits (fedora-directory-commits at redhat.com) does not seem to have any commits to cvs since ~ one month. Does it mean that this list is no longer supported or there were really absolutely no changes in the cvs of FDS during the last month??

Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systèmes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From rmeggins at redhat.com Wed Sep 17 14:37:37 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 17 Sep 2008 08:37:37 -0600 Subject: [Fedora-directory-users] CVS commits mailing list In-Reply-To: <486543559.20080917084352@polytechnique.edu> References: <486543559.20080917084352@polytechnique.edu> Message-ID: <48D11631.9060307@redhat.com>

Andrey Ivanov wrote:
> Hi,
>
> the mailing list of the fds cvs commits (fedora-directory-commits at redhat.com) does not seem to have any commits to cvs since ~ one month. Does it mean that this list is no longer supported or there were really absolutely no changes in the cvs of FDS during the last month??

No, it means the CVS mailing lists were affected by the same outage that affected most of the other fedora infrastructure. They are working on it, but I don't know the current status.
From rnappert at juniper.net Wed Sep 17 16:09:56 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Wed, 17 Sep 2008 12:09:56 -0400 Subject: [Fedora-directory-users] Upgrade MMR from 1.0.4 to 1.1.0 Message-ID: <3525C9833C09ED418C6FD6CD9514668C04B53F0B@emailwf1.jnpr.net>

Hi all,

I have an MMR setup, working fine with 1.0.4. When I upgrade (migrate) both servers to 1.1.0, the replica entry and the agreement object within dse.ldif still look fine, but I get the following messages in errors:

[17/Sep/2008:11:45:11 -0400] NSMMReplicationPlugin - agmt="cn=srv12srv2" (srv2:389): Incremental update failed and requires administrator action
[17/Sep/2008:11:46:05 -0400] NSMMReplicationPlugin - conn=96 op=3 replica="o=UMC ": Unable to acquire replica: error: duplicate replica ID detected

On both servers. Again, the ReplicaIds are different on both boxes:

nsDS5ReplicaId: 1
nsDS5ReplicaId: 2

To make matters worse, just disabling replication on both boxes and enabling it afterwards does not fix the issue.

It looks like only exporting the db, getting rid of the directory instances on both boxes, setting up the instances from scratch, importing the data and setting up the replication agreement makes it work again.

Did anybody encounter this issue? If so, is there a possibility to fix it without reloading the data from scratch?

Thanks,
-Reinhard
From rmeggins at redhat.com Wed Sep 17 16:55:39 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 17 Sep 2008 10:55:39 -0600 Subject: [Fedora-directory-users] Upgrade MMR from 1.0.4 to 1.1.0 In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C04B53F0B@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C04B53F0B@emailwf1.jnpr.net> Message-ID: <48D1368B.9060205@redhat.com>

Reinhard Nappert wrote:
> I have an MMR setup, working fine with 1.0.4. When I upgrade (migrate) both servers to 1.1.0, the replica entry and the agreement object within dse.ldif still look fine, but I get the following messages in errors:
>
> [17/Sep/2008:11:45:11 -0400] NSMMReplicationPlugin - agmt="cn=srv12srv2" (srv2:389): Incremental update failed and requires administrator action
> [17/Sep/2008:11:46:05 -0400] NSMMReplicationPlugin - conn=96 op=3 replica="o=UMC ": Unable to acquire replica: error: duplicate replica ID detected
>
> Did anybody encounter this issue? If so, is there a possibility to fix it without reloading the data from scratch.

How did you upgrade/migrate? Did you use the migrate-ds-admin.pl script? If not, you are definitely going to need to reset the password in the replication agreement on the supplier side.
http://tinyurl.com/35qddb

From rnappert at juniper.net Wed Sep 17 16:59:49 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Wed, 17 Sep 2008 12:59:49 -0400 Subject: [Fedora-directory-users] Upgrade MMR from 1.0.4 to 1.1.0 In-Reply-To: <48D1368B.9060205@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C04B53F0B@emailwf1.jnpr.net> <48D1368B.9060205@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C04B53F3F@emailwf1.jnpr.net>

I use migrate-ds.pl, since I do not care about the admin-console. It is weird that it comes up with the duplicate Replica ID.

Do you think I still have to reset the password?

-Reinhard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Wednesday, September 17, 2008 12:56 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Upgrade MMR from 1.0.4 to 1.1.0

> How did you upgrade/migrate? Did you use the migrate-ds-admin.pl script? If not, you are definitely going to need to reset the password in the replication agreement on the supplier side.
> http://tinyurl.com/35qddb

From rmeggins at redhat.com Wed Sep 17 17:15:51 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 17 Sep 2008 11:15:51 -0600 Subject: [Fedora-directory-users] Upgrade MMR from 1.0.4 to 1.1.0 In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C04B53F3F@emailwf1.jnpr.net> References: <3525C9833C09ED418C6FD6CD9514668C04B53F0B@emailwf1.jnpr.net> <48D1368B.9060205@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B53F3F@emailwf1.jnpr.net> Message-ID: <48D13B47.7020001@redhat.com>

Reinhard Nappert wrote:
> I use migrate-ds.pl, since I do not care about the admin-console. It is weird that it comes up with the duplicate Replica ID.
>
> Do you think I still have to reset the password?

No, that doesn't appear to be the problem. Did you try an offline replica init?
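As an added example (not the project's code, and not a resolution the thread reached), here is the check I would run on both servers before doing the offline re-initialisation Rich asks about: parse the cn=replica and replication-agreement entries out of each dse.ldif and compare them across servers. It reports a replica ID that two suppliers use for the same suffix, which is the literal meaning of the "duplicate replica ID detected" message Reinhard quotes, and an agreement whose bind DN the peer's replica entry does not list in nsDS5ReplicaBindDN, which is the configuration Rich's remark about resetting the agreement password concerns. In Reinhard's case the IDs in dse.ldif differ, so the first check would pass; it is still the cheap thing to rule out, and it reruns in seconds after a re-init. The two dse.ldif fragments are constructed for the demo; the attribute names are the real nsDS5* ones, and the hostnames srv1/srv2 are placeholders matching his log.

```python
"""Cross-check replica IDs and agreement bind DNs across dse.ldif files.

Added example, not code from the list thread. It reads nsDS5Replica and
nsDS5ReplicationAgreement entries and reports (a) a replica ID used by
more than one supplier for the same suffix and (b) agreements whose bind
DN the peer's replica entry does not list. dse_excerpt() builds constructed
fragments for the demo; it is not a real server's dse.ldif.
"""
from collections import defaultdict

CONSUMER_RID = 65535   # replica ID 389 DS uses for read-only consumers


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute(lowercased): [values]}.
    Folded lines (leading space) are joined; base64 (::) values are not handled."""
    entries, cur, last = [], None, None
    for line in text.splitlines() + ['']:
        if line.startswith('#'):
            continue
        if line.startswith(' ') and last is not None:
            cur[last][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(dict(cur))
            cur, last = None, None
        else:
            attr, _, value = line.partition(':')
            last = attr.strip().lower()
            if cur is None:
                cur = defaultdict(list)
            cur[last].append(value.strip())
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive comparison form for a DN."""
    return ','.join(part.strip().lower() for part in dn.split(','))


def check_replication(servers):
    """servers: {hostname as the agreements name it: that server's dse.ldif text}."""
    suppliers = defaultdict(list)   # (suffix, replica id) -> [hostname]
    accepted = {}                   # (hostname, suffix) -> bind DNs its replica accepts
    agreements = []                 # (from host, suffix, to host, bind DN)
    for host, text in servers.items():
        for e in parse_ldif(text):
            ocs = {v.lower() for v in e.get('objectclass', [])}
            suffix = norm_dn(e.get('nsds5replicaroot', [''])[0])
            if 'nsds5replica' in ocs:
                rid = int(e['nsds5replicaid'][0])
                accepted[(host, suffix)] = {norm_dn(d) for d in e.get('nsds5replicabinddn', [])}
                if rid != CONSUMER_RID:          # consumers all share 65535 by design
                    suppliers[(suffix, rid)].append(host)
            elif 'nsds5replicationagreement' in ocs:
                agreements.append((host, suffix, e['nsds5replicahost'][0],
                                   norm_dn(e['nsds5replicabinddn'][0])))
    duplicate_ids = [(suffix, rid, owners)
                     for (suffix, rid), owners in suppliers.items() if len(owners) > 1]
    bind_dn_mismatches = [(src, peer, dn) for src, suffix, peer, dn in agreements
                          if (peer, suffix) in accepted and dn not in accepted[(peer, suffix)]]
    return {'duplicate_ids': duplicate_ids, 'bind_dn_mismatches': bind_dn_mismatches}


def dse_excerpt(name, rid, peer, agreement_bind_dn):
    """Constructed dse.ldif fragment (one replica, one agreement) for the demo."""
    return f"""
dn: cn=replica,cn=o\\3DUMC,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
nsDS5ReplicaRoot: o=UMC
nsDS5ReplicaId: {rid}
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=replication manager,cn=config

dn: cn={name}_to_{peer},cn=replica,cn=o\\3DUMC,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
nsDS5ReplicaRoot: o=UMC
nsDS5ReplicaHost: {peer}
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: {agreement_bind_dn}
"""


# Two constructed servers: both claim replica ID 1, and srv2's agreement
# binds with a DN that srv1's replica does not accept.
SERVERS = {
    'srv1': dse_excerpt('srv1', 1, 'srv2', 'cn=replication manager,cn=config'),
    'srv2': dse_excerpt('srv2', 1, 'srv1', 'cn=replmgr,cn=config'),
}

if __name__ == '__main__':
    for finding, rows in check_replication(SERVERS).items():
        print(finding, rows)
```

nsDS5ReplicaCredentials is stored encrypted in dse.ldif, so the script can only verify the agreement's DN, not that its password still matches the replication manager's userPassword; that password is the one Rich says must be reset on the supplier after a migration that did not go through migrate-ds-admin.pl. Run it with the dse.ldif of every master in the mesh, keyed by the hostname the agreements use, or the peer lookup will silently find nothing.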
From rnappert at juniper.net Wed Sep 17 17:21:16 2008 From: rnappert at juniper.net (Reinhard Nappert) Date: Wed, 17 Sep 2008 13:21:16 -0400 Subject: [Fedora-directory-users] Upgrade MMR from 1.0.4 to 1.1.0 In-Reply-To: <48D13B47.7020001@redhat.com> References: <3525C9833C09ED418C6FD6CD9514668C04B53F0B@emailwf1.jnpr.net> <48D1368B.9060205@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B53F3F@emailwf1.jnpr.net> <48D13B47.7020001@redhat.com> Message-ID: <3525C9833C09ED418C6FD6CD9514668C04B53F61@emailwf1.jnpr.net>

How do I do this?

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Wednesday, September 17, 2008 1:16 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Upgrade MMR from 1.0.4 to 1.1.0

> No, that doesn't appear to be the problem. Did you try an offline replica init?

From kwan.lowe at gmail.com Wed Sep 17 18:49:18 2008 From: kwan.lowe at gmail.com (Kwan Lowe) Date: Wed, 17 Sep 2008 14:49:18 -0400 Subject: [Fedora-directory-users] Group based access control Message-ID:

Hello All:

I am in the process of migrating from OpenLDAP to Fedora Directory Server. Actually most of my testing has been with the RH/CentOS spins, but it appears to be very similar.

So far I've gotten the main things working:
1) Host based access via AuthorizedHost
2) Service based access via AuthorizedService
3) AIX/Linux <-> LDAP
4) PosixGroup support

The one thing I would like is to have group based host access control. E.g., I would like to define a new LDAP group (say, DBA-Production) that includes a bunch of host entries. When needed, I could add a user to the DBA-Production group and automatically give him/her access to the list of defined hosts. Anyone have suggestions on how to approach this?

Thanks,
Kwan

From rmeggins at redhat.com Wed Sep 17 18:55:09 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 17 Sep 2008 12:55:09 -0600 Subject: [Fedora-directory-users] Group based access control In-Reply-To: References: Message-ID: <48D1528D.7070402@redhat.com>

Kwan Lowe wrote:
> Hello All:
> I am in the process of migrating from OpenLDAP to Fedora Directory Server. Actually most of my testing has been with the RH/CentOS spins, but it appears to be very similar.
>
> So far I've gotten the main things working:
> 1) Host based access via AuthorizedHost
> 2) Service based access via AuthorizedService
> 3) AIX/Linux <-> LDAP
> 4) PosixGroup support
>
> The one thing I would like is to have group based host access control. E.g., I would like to define a new LDAP group (say, DBA-Production) that includes a bunch of host entries. When needed, I could add a user to the DBA-Production group and automatically give him/her access to the list of defined hosts. Anyone have suggestions on how to approach this?

see http://directory.fedoraproject.org/wiki/Howto:Netgroups

From kwan.lowe at gmail.com Thu Sep 18 00:16:45 2008 From: kwan.lowe at gmail.com (Kwan Lowe) Date: Wed, 17 Sep 2008 20:16:45 -0400 Subject: [Fedora-directory-users] Group based access control In-Reply-To: <48D1528D.7070402@redhat.com> References: <48D1528D.7070402@redhat.com> Message-ID:

On Wed, Sep 17, 2008 at 2:55 PM, Rich Megginson wrote:
>> The one thing I would like is to have group based host access control. E.g., I would like to define a new LDAP group (say, DBA-Production) that includes a bunch of host entries. When needed, I could add a user to the DBA-Production group and automatically give him/her access to the list of defined hosts. Anyone have suggestions on how to approach this?
>
> see http://directory.fedoraproject.org/wiki/Howto:Netgroups

Wow. Thank you. It seems it will do exactly what I'm looking for...
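The netgroup howto Rich points to covers the directory side; what each client then does with those entries is innetgr() matching, and that is where the access-control mistakes are made. The evaluator below is an added example, not code from the thread or from the wiki page. It models constructed nisNetgroup entries (their nisNetgroupTriple and memberNisNetgroup values) and shows why a DBA-Production netgroup built as Kwan describes needs explicit (host,user,) triples: an empty field in a triple is a wildcard, "-" matches nothing, and a netgroup of hosts alone or users alone therefore either grants everyone or no one. The group and host names are placeholders.

```python
"""Evaluate NIS netgroup membership the way a client's innetgr() lookup does.

Added example, not code from the thread or the wiki howto. NETGROUPS is
constructed; each key mirrors one nisNetgroup entry as stored in LDAP.
Semantics modelled: a triple is (host,user,domain); an empty field matches
anything, "-" matches nothing, a None argument from the caller is "don't
care", memberNisNetgroup nests recursively, and reference cycles terminate.
"""
import re

TRIPLE_RE = re.compile(r'^\(([^,]*),([^,]*),([^)]*)\)$')


def parse_triple(value):
    """'(host,user,domain)' -> (host, user, domain); whitespace is ignored."""
    m = TRIPLE_RE.match(value.replace(' ', ''))
    if not m:
        raise ValueError(f'malformed nisNetgroupTriple: {value!r}')
    return m.groups()


def field_matches(pattern, value):
    if value is None:        # caller does not constrain this field
        return True
    if pattern == '':        # empty field in the triple: wildcard
        return True
    if pattern == '-':       # explicit "never matches"
        return False
    return pattern.lower() == value.lower()


def in_netgroup(netgroups, name, host=None, user=None, domain=None, _seen=None):
    """True if (host, user, domain) is covered by netgroup `name`."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in netgroups:   # cycle guard / dangling reference
        return False
    seen.add(name)
    entry = netgroups[name]
    for triple in entry.get('nisNetgroupTriple', []):
        h, u, d = parse_triple(triple)
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return any(in_netgroup(netgroups, sub, host, user, domain, seen)
               for sub in entry.get('memberNisNetgroup', []))


def users_allowed_on(netgroups, name, host, candidates):
    """Which of `candidates` the netgroup admits on `host` (sorted)."""
    return sorted(u for u in candidates if in_netgroup(netgroups, name, host, u))


NETGROUPS = {
    # hosts only: user field "-", so it never grants a login by itself
    'prod-db-hosts': {'nisNetgroupTriple': ['(dbprod1,-,)', '(dbprod2,-,)']},
    # users only: host field "-"
    'dba-users': {'nisNetgroupTriple': ['(-,alice,)', '(-,bob,)']},
    # what Kwan asks for: explicit host/user pairs, one triple per DBA per host
    'dba-production': {'nisNetgroupTriple': ['(dbprod1,alice,)', '(dbprod2,alice,)',
                                             '(dbprod1,bob,)', '(dbprod2,bob,)']},
    # nesting, including a reference cycle
    'all-prod': {'memberNisNetgroup': ['dba-production', 'ops-prod']},
    'ops-prod': {'nisNetgroupTriple': ['(,carol,)'], 'memberNisNetgroup': ['all-prod']},
    # the classic mistake: an all-empty triple matches every host and every user
    'sloppy': {'nisNetgroupTriple': ['(,,)']},
}

if __name__ == '__main__':
    for host in ('dbprod1', 'web1'):
        print(host, users_allowed_on(NETGROUPS, 'all-prod', host,
                                     ['alice', 'bob', 'carol', 'dave']))
```

Note what the constructed data shows: carol, granted through '(,carol,)', is admitted on web1 as well as on the database hosts, because the empty host field matches any host. The host string compared is whatever the client passes to innetgr(), normally its own hostname, so the triples must use that exact form. And since the decision is made on each client from whatever the directory returns, who may edit these entries (the ACI thread earlier in this digest) is part of the control.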
From dcarter at entertain-me.com Thu Sep 18 10:27:57 2008
From: dcarter at entertain-me.com (David Carter)
Date: Thu, 18 Sep 2008 07:57:57 -0230
Subject: [Fedora-directory-users] Problems installing on FC9
Message-ID: <4430F939-2DD5-4B9F-BEE9-4A1238151313@entertain-me.com>

When I run either setup-ds.pl or setup-ds-admin.pl, I go through all the prompts and get an error saying it's unable to start the server and that I should check the error logs. Here's the contents of the error log:

[18/Sep/2008:11:46:35 -021800] - dblayer_instance_start: pagesize: 4096, pages: 128743, procpages: 7693
[18/Sep/2008:11:46:36 -021800] - cache autosizing: import cache: 204800k
[18/Sep/2008:11:46:36 -021800] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[18/Sep/2008:11:46:36 -021800] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[18/Sep/2008:11:46:36 -021800] - dblayer_instance_start: pagesize: 4096, pages: 128743, procpages: 7693
[18/Sep/2008:11:46:36 -021800] - cache autosizing: import cache: 204800k
[18/Sep/2008:11:46:36 -021800] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[18/Sep/2008:11:46:36 -021800] - import userRoot: Beginning import job...
[18/Sep/2008:11:46:36 -021800] - import userRoot: Index buffering enabled with bucket size 100
[18/Sep/2008:11:46:36 -021800] - import userRoot: Processing file "/tmp/ldif20a8Hl.ldif"
[18/Sep/2008:11:46:36 -021800] - import userRoot: Finished scanning file "/tmp/ldif20a8Hl.ldif" (9 entries)
[18/Sep/2008:11:46:37 -021800] - import userRoot: Workers finished; cleaning up...
[18/Sep/2008:11:46:37 -021800] - import userRoot: Workers cleaned up.
[18/Sep/2008:11:46:37 -021800] - import userRoot: Cleaning up producer thread...
[18/Sep/2008:11:46:37 -021800] - import userRoot: Indexing complete. Post-processing...
[18/Sep/2008:11:46:37 -021800] - import userRoot: Flushing caches...
[18/Sep/2008:11:46:37 -021800] - import userRoot: Closing files...
[18/Sep/2008:11:46:37 -021800] - All database threads now stopped
[18/Sep/2008:11:46:37 -021800] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
[18/Sep/2008:11:46:38 -021800] - Fedora-Directory/1.1.2 B2008.248.1443 starting up
[18/Sep/2008:11:48:06 -021800] - Fedora-Directory/1.1.2 B2008.248.1443 starting up
[18/Sep/2008:11:52:46 -021800] - Fedora-Directory/1.1.2 B2008.248.1443 starting up
[18/Sep/2008:11:53:31 -021800] - Fedora-Directory/1.1.2 B2008.248.1443 starting up
[18/Sep/2008:12:06:02 -021800] - dblayer_instance_start: pagesize: 4096, pages: 128743, procpages: 7693
[18/Sep/2008:12:06:02 -021800] - cache autosizing: import cache: 204800k
[18/Sep/2008:12:06:02 -021800] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[18/Sep/2008:12:06:02 -021800] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[18/Sep/2008:12:06:02 -021800] - dblayer_instance_start: pagesize: 4096, pages: 128743, procpages: 7693
[18/Sep/2008:12:06:02 -021800] - cache autosizing: import cache: 204800k
[18/Sep/2008:12:06:02 -021800] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[18/Sep/2008:12:06:03 -021800] - import userRoot: Beginning import job...
[18/Sep/2008:12:06:03 -021800] - import userRoot: Index buffering enabled with bucket size 100
[18/Sep/2008:12:06:03 -021800] - import userRoot: Processing file "/tmp/ldif8U2ox1.ldif"
[18/Sep/2008:12:06:03 -021800] - import userRoot: Finished scanning file "/tmp/ldif8U2ox1.ldif" (9 entries)
[18/Sep/2008:12:06:04 -021800] - import userRoot: Workers finished; cleaning up...
[18/Sep/2008:12:06:04 -021800] - import userRoot: Workers cleaned up.
[18/Sep/2008:12:06:04 -021800] - import userRoot: Cleaning up producer thread...
[18/Sep/2008:12:06:04 -021800] - import userRoot: Indexing complete. Post-processing...
[18/Sep/2008:12:06:04 -021800] - import userRoot: Flushing caches...
[18/Sep/2008:12:06:04 -021800] - import userRoot: Closing files...
[18/Sep/2008:12:06:04 -021800] - All database threads now stopped
[18/Sep/2008:12:06:04 -021800] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)
[18/Sep/2008:12:06:04 -021800] - Fedora-Directory/1.1.2 B2008.248.1443 starting up

It seems to think we've started. Not a lot of help. So I run 'service dirsrv start', which fails. The only new line in the error log is:

[18/Sep/2008:13:20:57 -021800] - Fedora-Directory/1.1.2 B2008.248.1443 starting up

Again, not much help. So I changed the debug level by modifying the startup script and adding a -d option to the ns-slapd command. When I try to start from the command line, I get this:

Starting dirsrv:
    ldap...[18/Sep/2008:13:57:33 -021800] Fedora-Directory/1.1.2 - debug level: accesscontrol (128)
[18/Sep/2008:13:57:33 -021800] - Fedora-Directory/1.1.2 B2008.248.1443 starting up
Failed to open stats file (/var/run/dirsrv/slapd-ldap.stats) (error 1).
[FAILED]
*** Warning: 1 instance(s) failed to start

Finally, something helpful! First, why isn't this going to the error log? Second, and most importantly, what do I do about it?

I don't know if it's trying to read the file, write the file, do it as root, or as nobody. I turned selinux off just to be sure that isn't the issue, but I'd prefer to run with it on.

It's a fresh FC9 install, with all patches applied.

TIA,
Dave

From math.de.groot at logica.com Thu Sep 18 10:56:43 2008
From: math.de.groot at logica.com (Groot, Mathijs de (IDT Competence Java))
Date: Thu, 18 Sep 2008 12:56:43 +0200
Subject: [Fedora-directory-users] Synchronization
Message-ID: <72965855C48009408D297A78108567160714E6AD@nl-ex008.groupinfra.com>

Hi All,

I have a synchronization set up between a Red Hat Directory Server 8 and a test Windows 2003 server with Active Directory.
Is it possible to set up a one-way synchronization from Active Directory to Red Hat DS? If changes are made on the Red Hat Directory Server they must never be synchronized back to the Windows Active Directory. It will be no problem if those changes made in the RedHat DS are overwritten with the next sync from Windows AD.

The Red Hat Directory Server is not an exact copy of the Windows Active Directory; the Windows AD just syncs with a sub tree in the RedHat DS, other sub trees will contain other entries or will be set up with other synchronizations.

Thanks,
Mathijs de Groot

From mhalpern at accoona.com Thu Sep 18 11:10:51 2008
From: mhalpern at accoona.com (Marcelo (Nico) Halpern)
Date: Thu, 18 Sep 2008 07:10:51 -0400
Subject: [Fedora-directory-users] Problems installing on FC9
In-Reply-To: <4430F939-2DD5-4B9F-BEE9-4A1238151313@entertain-me.com>
References: <4430F939-2DD5-4B9F-BEE9-4A1238151313@entertain-me.com>
Message-ID: <4D4DD13B-6442-47C8-93B0-C980DEE9DCBC@accoona.com>

I had the same exact problem on CentOS 5.2 yesterday. ns-slapd fails trying to open the status file read/write. The directory is owned by root, and it should be owned by ns-slapd's uid (nobody by default). I believe the directory is /var/run/dirsrv.

nh

On Sep 18, 2008, at 6:27 AM, David Carter wrote:
> When I run either setup-ds.pl or setup-ds-admin.pl, I go through all
> the prompts and get an error saying it's unable to start the server
> and that I should check the error logs.
From rnappert at juniper.net Thu Sep 18 16:27:07 2008
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 18 Sep 2008 12:27:07 -0400
Subject: [Fedora-directory-users] Warning with vlvindex....
Message-ID: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net>

Hi,

I built FDS 1.1.2 from scratch and installed and configured it. I get the following warning, when I run a vlvindex. This used to run in any 1.0.x and 1.1.0 release.

[18/Sep/2008:12:20:18 -0400] - warning: ancestorid not indexed on 1
[18/Sep/2008:12:20:18 -0400] - userRoot: WARNING: Failed to fetch subtree lists: (-30990) DB_NOTFOUND: No matching key/data pair found
[18/Sep/2008:12:20:18 -0400] - userRoot: Possibly the entrydn or ancestorid index is corrupted or does not exist.
[18/Sep/2008:12:20:18 -0400] - userRoot: Attempting brute-force method instead.
[18/Sep/2008:12:20:18 -0400] - userRoot: Finished indexing.

Does anybody have an idea?

Thanks,
-Reinhard

From rmeggins at redhat.com Thu Sep 18 16:45:45 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 18 Sep 2008 10:45:45 -0600
Subject: [Fedora-directory-users] Warning with vlvindex....
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net>
Message-ID: <48D285B9.2090807@redhat.com>

Reinhard Nappert wrote:
> Hi,
>
> I built FDS 1.1.2 from scratch and installed and configured it. I get
> the following warning, when I run a vlvindex. This used to run in any
> 1.0.x and 1.1.0 release.
>
> [18/Sep/2008:12:20:18 -0400] - warning: ancestorid not indexed on 1
> [18/Sep/2008:12:20:18 -0400] - userRoot: WARNING: Failed to fetch
> subtree lists: (-30990) DB_NOTFOUND: No matching key/data pair found
> [18/Sep/2008:12:20:18 -0400] - userRoot: Possibly the entrydn or
> ancestorid index is corrupted or does not exist.
> [18/Sep/2008:12:20:18 -0400] - userRoot: Attempting brute-force method
> instead.
> [18/Sep/2008:12:20:18 -0400] - userRoot: Finished indexing.
>
> Does anybody have an idea?
>
Was the database empty when you started?
It looks as though it completed - does the vlv index work?

> Thanks,
> -Reinhard

From rnappert at juniper.net Thu Sep 18 17:01:48 2008
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 18 Sep 2008 13:01:48 -0400
Subject: [Fedora-directory-users] Warning with vlvindex....
In-Reply-To: <48D285B9.2090807@redhat.com>
References: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net> <48D285B9.2090807@redhat.com>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C04B54328@emailwf1.jnpr.net>

Rich,

It seems to work. I will load a couple of thousand entries and do some tests....
From rmeggins at redhat.com Thu Sep 18 17:32:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 18 Sep 2008 11:32:01 -0600
Subject: [Fedora-directory-users] Warning with vlvindex....
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C04B54328@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net> <48D285B9.2090807@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54328@emailwf1.jnpr.net>
Message-ID: <48D29091.9060103@redhat.com>

Reinhard Nappert wrote:
> Rich,
>
> It seems to work. I will load a couple of thousand entries and do some
> tests....
>
Was the database empty when you ran vlvindex? If not, what was in it?
From rnappert at juniper.net Thu Sep 18 17:46:57 2008
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 18 Sep 2008 13:46:57 -0400
Subject: [Fedora-directory-users] Warning with vlvindex....
In-Reply-To: <48D29091.9060103@redhat.com>
References: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net> <48D285B9.2090807@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54328@emailwf1.jnpr.net> <48D29091.9060103@redhat.com>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C04B54362@emailwf1.jnpr.net>

Rich,

I have just the suffix entry in the directory at this point. I load this ldif script during setup:

This seems to be fine:

[18/Sep/2008:13:02:53 -0400] - import userRoot: Workers finished; cleaning up...
[18/Sep/2008:13:02:53 -0400] - import userRoot: Workers cleaned up.
[18/Sep/2008:13:02:53 -0400] - import userRoot: Cleaning up producer thread...
[18/Sep/2008:13:02:53 -0400] - import userRoot: Indexing complete. Post-processing...
[18/Sep/2008:13:02:53 -0400] - Nothing to do to build ancestorid index
[18/Sep/2008:13:02:53 -0400] - import userRoot: Flushing caches...
[18/Sep/2008:13:02:53 -0400] - import userRoot: Closing files...
[18/Sep/2008:13:02:53 -0400] - All database threads now stopped
[18/Sep/2008:13:02:53 -0400] - import userRoot: Import complete. Processed 1 entries in 0 seconds. (inf entries/sec)

Afterwards, I do my vlvindex on the timestamps. I guess that the import does not set createTimestamp and this is why I get the warning.

What do you think?

-Reinhard
From rmeggins at redhat.com Thu Sep 18 18:07:58 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 18 Sep 2008 12:07:58 -0600
Subject: [Fedora-directory-users] Warning with vlvindex....
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C04B54362@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net> <48D285B9.2090807@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54328@emailwf1.jnpr.net> <48D29091.9060103@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54362@emailwf1.jnpr.net>
Message-ID: <48D298FE.70607@redhat.com>

Reinhard Nappert wrote:
> Rich, I have just the suffix entry in the directory at this point. I
> load this ldif script during setup:
> This seems to be fine:
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Workers finished;
> cleaning up...
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Workers cleaned up.
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Cleaning up producer
> thread...
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Indexing complete.
> Post-processing...
> [18/Sep/2008:13:02:53 -0400] - Nothing to do to build ancestorid index
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Flushing caches...
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Closing files...
> [18/Sep/2008:13:02:53 -0400] - All database threads now stopped
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Import complete.
> Processed 1 entries in 0 seconds. (inf entries/sec)
>
> Afterwards, I do my vlvindex on the timestamps. I guess that the import
> does not set createTimestamp and this is why I get the warning.
>
> What do you think?
>
Sounds like at least two bugs:
1) createTimestamp should be present, unless you have nsslapd-lastmod turned off.
2) vlvindex should not give an error message - either it's a real error (not sure why) or the error message is spurious and should not be printed by default.

> -Reinhard
From sigidwu at gmail.com Fri Sep 19 00:30:48 2008
From: sigidwu at gmail.com (sigid@JINLab)
Date: Fri, 19 Sep 2008 07:30:48 +0700
Subject: [Fedora-directory-users] Problems installing on FC9
In-Reply-To: <4D4DD13B-6442-47C8-93B0-C980DEE9DCBC@accoona.com>
References: <4430F939-2DD5-4B9F-BEE9-4A1238151313@entertain-me.com> <4D4DD13B-6442-47C8-93B0-C980DEE9DCBC@accoona.com>
Message-ID: <48D2F2B8.1020200@gmail.com>

Marcelo (Nico) Halpern wrote:
> I had the same exact problem on CentOS 5.2 yesterday. ns-slapd fails
> trying to open the status file read/write. The directory is owned by
> root, and it should be owned by ns-slapd's uid (nobody by default). I
> believe the directory is /var/run/dirsrv.

Can FDS 1.1 run on CentOS 5.2? Is there any available repo to be added to the CentOS repo configurations?

From rmeggins at redhat.com Fri Sep 19 00:37:19 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 18 Sep 2008 18:37:19 -0600
Subject: [Fedora-directory-users] Problems installing on FC9
In-Reply-To: <48D2F2B8.1020200@gmail.com>
References: <4430F939-2DD5-4B9F-BEE9-4A1238151313@entertain-me.com> <4D4DD13B-6442-47C8-93B0-C980DEE9DCBC@accoona.com> <48D2F2B8.1020200@gmail.com>
Message-ID: <48D2F43F.6020602@redhat.com>

sigid at JINLab wrote:
> Marcelo (Nico) Halpern wrote:
>> I had the same exact problem on CentOS 5.2 yesterday. ns-slapd fails
>> trying to open the status file read/write. The directory is owned by
>> root, and it should be owned by ns-slapd's uid (nobody by default). I
>> believe the directory is /var/run/dirsrv.
>
> Can FDS 1.1 run on CentOS 5.2?
Yes. Start with http://directory.fedoraproject.org/wiki/Release_Notes
Then move to http://directory.fedoraproject.org/wiki/Download - "Enterprise Linux 5"
> Is there any available repo to be added to the CentOS repo configurations?
From kekkou.a at cs.ucy.ac.cy Fri Sep 19 09:45:48 2008
From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou)
Date: Fri, 19 Sep 2008 12:45:48 +0300
Subject: [Fedora-directory-users] fds 1.1 Performance tuning
Message-ID: <48D374CC.2000708@cs.ucy.ac.cy>

Hi all,

I have recently upgraded one of my fds servers from 1.0.4 to 1.1. The new server has been fine tuned using the performance tuning guide. The bottom of the page mentions how to change the number of maximum descriptors from 1024 to 8192. There is a note there that this is only valid for 1.0.4 installations, and when I tried to change this on 1.1 the server refused to start. The problem is that fds 1.1 stops unexpectedly at irregular intervals with nothing in the logs that can help resolve the problem. I remember a similar problem on my 1.0.4 installation was solved by changing nss-descriptors from 1024 to 8192. Is there any way to increase this number on 1.1?

Andreas
From rmeggins at redhat.com Fri Sep 19 13:52:32 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Sep 2008 07:52:32 -0600
Subject: [Fedora-directory-users] fds 1.1 Performance tuning
In-Reply-To: <48D374CC.2000708@cs.ucy.ac.cy>
References: <48D374CC.2000708@cs.ucy.ac.cy>
Message-ID: <48D3AEA0.6010503@redhat.com>

Andreas Kekkou wrote:
> Hi all,
>
> I have recently upgraded one of my fds servers from 1.0.4 to 1.1. The new
> server has been fine tuned using the performance tuning guide. The
> bottom of the page mentions how to change the number of maximum
> descriptors from 1024 to 8192. There is a note there that this is only
> valid for 1.0.4 installations, and when I tried to change this on 1.1
> the server refused to start. The problem is that fds 1.1 stops
> unexpectedly at irregular intervals with nothing in the logs that can
> help resolve the problem. I remember a similar problem on my 1.0.4
> installation was solved by changing nss-descriptors from 1024 to 8192.
> Is there any way to increase this number on 1.1?
Should work the same way - where does it say that it is only valid for 1.0.4? What errors do you get in the error log?
>
> Andreas
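A check worth running before raising the descriptor count discussed above, as an added example that is not from the thread or the tuning guide: it reads the nsslapd-maxdescriptors value out of a cn=config dump (the attribute Andreas calls nss-descriptors) and compares it with the "Max open files" limit the ns-slapd process actually runs with. Both inputs are constructed samples; fetching the real ones (an ldapsearch on cn=config and /proc/<pid>/limits of the server) is left to the operator.

```python
"""Compare the configured nsslapd-maxdescriptors with the descriptor limit
the running ns-slapd process was started with.

Added example; not code from the Fedora Directory Server project or its
performance tuning guide. SAMPLE_CONFIG_LDIF and SAMPLE_PROC_LIMITS are
constructed: the first mimics an LDIF dump of cn=config, the second the row
layout of /proc/<pid>/limits on Linux.
"""
from typing import Optional, Tuple

# Constructed cn=config excerpt with the value the thread wants to reach.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
nsslapd-port: 389
nsslapd-maxdescriptors: 8192
"""

# Constructed /proc/<pid>/limits text; 1024 is the default the guide's 8192 replaces.
SAMPLE_PROC_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 1024                 files
Max processes             4096                 4096                 processes
"""


def configured_maxdescriptors(config_ldif: str) -> Optional[int]:
    """nsslapd-maxdescriptors from a cn=config LDIF dump, or None when it is unset."""
    for line in config_ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "nsslapd-maxdescriptors":
            return int(value.strip())
    return None


def _limit_value(token: str) -> Optional[int]:
    """'unlimited' becomes None; any other token must be an integer."""
    return None if token == "unlimited" else int(token)


def open_files_limit(proc_limits: str) -> Tuple[Optional[int], Optional[int]]:
    """(soft, hard) from the 'Max open files' row of /proc/<pid>/limits."""
    for line in proc_limits.splitlines():
        if line.startswith("Max open files"):
            fields = line.split()   # ['Max', 'open', 'files', soft, hard, 'files']
            return _limit_value(fields[3]), _limit_value(fields[4])
    raise ValueError("no 'Max open files' row in limits text")


def check_descriptor_budget(config_ldif: str, proc_limits: str) -> Tuple[bool, str]:
    """(ok, explanation): ok is False when the configured value exceeds the soft
    limit, i.e. the kernel would refuse descriptors the server expects to have."""
    wanted = configured_maxdescriptors(config_ldif)
    soft, hard = open_files_limit(proc_limits)
    if wanted is None:
        return True, "nsslapd-maxdescriptors is not set; the server default applies"
    hard_txt = "unlimited" if hard is None else str(hard)
    if soft is not None and wanted > soft:
        return (False,
                f"nsslapd-maxdescriptors {wanted} exceeds the process soft limit {soft} "
                f"(hard {hard_txt}); the OS limit for ns-slapd has to be raised first")
    soft_txt = "unlimited" if soft is None else str(soft)
    return True, f"nsslapd-maxdescriptors {wanted} fits within the process soft limit {soft_txt}"
```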
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From janfrode at tanso.net Fri Sep 19 14:32:51 2008 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Fri, 19 Sep 2008 16:32:51 +0200 Subject: [Fedora-directory-users] add sudorole cause idm-console to crash/hang Message-ID: I've added the ldif from the sudo source, created an ou=SUDOers, and when I try to add a "sudorole" using the idm-console it causes the console to just hang or crash. fedora-idm-console-1.1.1-1.fc6 just gives me a spinning cursor that never finish, while centos-idm-console-1.0.0-17.el5.centos.4 gives the following traceback. Adding sudorole's using ldapadd works fine. Any ideas what's up with the consoles ? I have no problem adding other kinds of objects. [janfrode at sim2 ~]$ centos-idm-console Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException at com.netscape.admin.dirserv.propedit.DSEntryPanel.createActionPanel(Unknown Source) at com.netscape.admin.dirserv.propedit.DSEntryPanel.(Unknown Source) at com.netscape.admin.dirserv.EntryEditor.doGenericDialog(Unknown Source) at com.netscape.admin.dirserv.EntryEditor.addGeneric(Unknown Source) at com.netscape.admin.dirserv.EntryEditor.createObject(Unknown Source) at com.netscape.admin.dirserv.DSContentPage.actionNewObject(Unknown Source) at com.netscape.admin.dirserv.DSContentPage.actionPerformed(Unknown Source) at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2012) at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2335) at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:404) at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259) at javax.swing.AbstractButton.doClick(AbstractButton.java:374) at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1688) at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1732) at 
java.awt.Component.processMouseEvent(Component.java:6101) at javax.swing.JComponent.processMouseEvent(JComponent.java:3276) at java.awt.Component.processEvent(Component.java:5866) at java.awt.Container.processEvent(Container.java:2105) at java.awt.Component.dispatchEventImpl(Component.java:4462) at java.awt.Container.dispatchEventImpl(Container.java:2163) at java.awt.Component.dispatchEvent(Component.java:4288) at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4461) at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4125) at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4055) at java.awt.Container.dispatchEventImpl(Container.java:2149) at java.awt.Window.dispatchEventImpl(Window.java:2478) at java.awt.Component.dispatchEvent(Component.java:4288) at java.awt.EventQueue.dispatchEvent(EventQueue.java:604) at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:275) at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:200) at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:190) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:185) at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:177) at java.awt.EventDispatchThread.run(EventDispatchThread.java:138) -jf From rmeggins at redhat.com Fri Sep 19 14:37:14 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 19 Sep 2008 08:37:14 -0600 Subject: [Fedora-directory-users] add sudorole cause idm-console to crash/hang In-Reply-To: References: Message-ID: <48D3B91A.4060506@redhat.com> Jan-Frode Myklebust wrote: > I've added the ldif from the sudo source, created an ou=SUDOers, and when I > try to add a "sudorole" using the idm-console it causes the console to just > hang or crash. > > fedora-idm-console-1.1.1-1.fc6 just gives me a spinning cursor that never finish, > while centos-idm-console-1.0.0-17.el5.centos.4 gives the following traceback. 
Adding > sudorole's using ldapadd works fine. Any ideas what's up with the consoles ? I have > no problem adding other kinds of objects. > Not sure. You can get more detail by using fedora-idm-console -D 9 -f console.log Please file a bug and attach the console.log with reproducible test case. Thanks! > [janfrode at sim2 ~]$ centos-idm-console > Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException > at com.netscape.admin.dirserv.propedit.DSEntryPanel.createActionPanel(Unknown Source) > at com.netscape.admin.dirserv.propedit.DSEntryPanel.(Unknown Source) > at com.netscape.admin.dirserv.EntryEditor.doGenericDialog(Unknown Source) > at com.netscape.admin.dirserv.EntryEditor.addGeneric(Unknown Source) > at com.netscape.admin.dirserv.EntryEditor.createObject(Unknown Source) > at com.netscape.admin.dirserv.DSContentPage.actionNewObject(Unknown Source) > at com.netscape.admin.dirserv.DSContentPage.actionPerformed(Unknown Source) > at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2012) > at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2335) > at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:404) > at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259) > at javax.swing.AbstractButton.doClick(AbstractButton.java:374) > at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1688) > at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1732) > at java.awt.Component.processMouseEvent(Component.java:6101) > at javax.swing.JComponent.processMouseEvent(JComponent.java:3276) > at java.awt.Component.processEvent(Component.java:5866) > at java.awt.Container.processEvent(Container.java:2105) > at java.awt.Component.dispatchEventImpl(Component.java:4462) > at java.awt.Container.dispatchEventImpl(Container.java:2163) > at java.awt.Component.dispatchEvent(Component.java:4288) > at 
java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4461) > at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4125) > at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4055) > at java.awt.Container.dispatchEventImpl(Container.java:2149) > at java.awt.Window.dispatchEventImpl(Window.java:2478) > at java.awt.Component.dispatchEvent(Component.java:4288) > at java.awt.EventQueue.dispatchEvent(EventQueue.java:604) > at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:275) > at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:200) > at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:190) > at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:185) > at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:177) > at java.awt.EventDispatchThread.run(EventDispatchThread.java:138) > > > > > -jf > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From janfrode at tanso.net Fri Sep 19 14:53:40 2008 From: janfrode at tanso.net (Jan-Frode Myklebust) Date: Fri, 19 Sep 2008 16:53:40 +0200 Subject: [Fedora-directory-users] Re: add sudorole cause idm-console to crash/hang References: <48D3B91A.4060506@redhat.com> Message-ID: On 2008-09-19, Rich Megginson wrote: >> > Not sure. You can get more detail by using fedora-idm-console -D 9 -f > console.log > Please file a bug and attach the console.log with reproducible test > case. Thanks! Ooops, fedora-idm-console (without -D 9 -f) was already giving tracebacks too. And "-D 9 -f" will need some anonymization before I can upload it. Where do you want the bug reported ? 
[janfrode at lc4eb5760521341 tmp]$ fedora-idm-console
Java Accessibility Bridge for GNOME loaded.

Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
        at com.netscape.admin.dirserv.propedit.DSEntryPanel.createActionPanel(Unknown Source)
        at com.netscape.admin.dirserv.propedit.DSEntryPanel.<init>(Unknown Source)
        at com.netscape.admin.dirserv.EntryEditor.doGenericDialog(Unknown Source)
        at com.netscape.admin.dirserv.EntryEditor.addGeneric(Unknown Source)
        at com.netscape.admin.dirserv.EntryEditor.createObject(Unknown Source)
        at com.netscape.admin.dirserv.DSContentPage.actionNewObject(Unknown Source)
        at com.netscape.admin.dirserv.DSContentPage.actionPerformed(Unknown Source)
        at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2008)
        at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2331)
        at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:400)
        at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:255)
        at javax.swing.AbstractButton.doClick(AbstractButton.java:370)
        at javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1233)
        at javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1274)
        at java.awt.Component.processMouseEvent(Component.java:6054)
        at javax.swing.JComponent.processMouseEvent(JComponent.java:3278)
        at java.awt.Component.processEvent(Component.java:5819)
        at java.awt.Container.processEvent(Container.java:2071)
        at java.awt.Component.dispatchEventImpl(Component.java:4426)
        at java.awt.Container.dispatchEventImpl(Container.java:2129)
        at java.awt.Component.dispatchEvent(Component.java:4256)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4335)
        at java.awt.LightweightDispatcher.processMouseEvent(Container.java:3999)
        at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3929)
        at java.awt.Container.dispatchEventImpl(Container.java:2115)
        at java.awt.Window.dispatchEventImpl(Window.java:2453)
        at java.awt.Component.dispatchEvent(Component.java:4256)
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:612)
        at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:286)
        at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:196)
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:186)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:181)
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:173)
        at java.awt.EventDispatchThread.run(EventDispatchThread.java:134)

While the cursor was spinning here.. with "-D 9" it was writing to stderr:

AbstractServerObject.StatusThread: waiting for change listeners to register
DSUtil.checkServerStatus: begin
DSUtil.checkServerStatus: ldc={host=ldap1.mydomain.net} {port=389} {authdn=uid=myadmin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot} state=true
DSUtil.checkServerStatus: end state = true
DSAdmin.getServerStatus(): end state = true
AbstractServerObject.StatusThread: Check Status CGI = 1 exe time: 0.0010
AbstractServerObject.StatusThread: change listener count=1
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
DSUtil.checkServerStatus: begin
DSUtil.checkServerStatus: ldc={host=ldap1.mydomain.net} {port=389} {authdn=uid=myadmin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot} state=true
DSUtil.checkServerStatus: end state = true
DSAdmin.getServerStatus(): end state = true
AbstractServerObject.StatusThread: Check Status CGI = 1 exe time: 0.0
AbstractServerObject.StatusThread: change listener count=1
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register

-jf

From rmeggins at redhat.com Fri Sep 19 15:06:13 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Sep 2008 09:06:13 -0600
Subject: [Fedora-directory-users] Re: add sudorole cause idm-console to crash/hang
In-Reply-To:
References: <48D3B91A.4060506@redhat.com>
Message-ID: <48D3BFE5.3050808@redhat.com>

Jan-Frode Myklebust wrote:
> On 2008-09-19, Rich Megginson wrote:
>> Not sure. You can get more detail by using fedora-idm-console -D 9 -f console.log
>> Please file a bug and attach the console.log with reproducible test case. Thanks!
>
> Ooops, fedora-idm-console (without -D 9 -f) was already giving tracebacks too. And "-D 9 -f" will need some anonymization before I can upload it. Where do you want the bug reported ?

Please file a bug at bugzilla.redhat.com - product Fedora Directory Server

> -jf

From rnappert at juniper.net Fri Sep 19 17:52:27 2008
From: rnappert at juniper.net (Reinhard Nappert)
Date: Fri, 19 Sep 2008 13:52:27 -0400
Subject: [Fedora-directory-users] Warning with vlvindex....
In-Reply-To: <48D298FE.70607@redhat.com>
References: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net> <48D285B9.2090807@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54328@emailwf1.jnpr.net> <48D29091.9060103@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54362@emailwf1.jnpr.net> <48D298FE.70607@redhat.com>
Message-ID: <3525C9833C09ED418C6FD6CD9514668C04B5472E@emailwf1.jnpr.net>

Rich,

nsslapd-lastmod is not set, which means it is turned on.
I assume that you would the timestamps anyway, if you have a replicated environment.

Are you going to open a bug, or should I do it?

-Reinhard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Thursday, September 18, 2008 2:08 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Warning with vlvindex....

Reinhard Nappert wrote:
> Rich, I have just the suffix entry in the directory at this point. I load this ldif script during setup:
> This seems to be fine:
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Workers finished; cleaning up...
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Workers cleaned up.
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Cleaning up producer thread...
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Indexing complete. Post-processing...
> [18/Sep/2008:13:02:53 -0400] - Nothing to do to build ancestorid index
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Flushing caches...
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Closing files...
> [18/Sep/2008:13:02:53 -0400] - All database threads now stopped
> [18/Sep/2008:13:02:53 -0400] - import userRoot: Import complete. Processed 1 entries in 0 seconds. (inf entries/sec)
>
> Afterwards, I do my vlvindex on the timestamps. I guess that the import does not set createTimestamp and this is why I get the warning.
>
> What do you think?

Sounds like at least two bugs
1) createTimestamp should be present, unless you have nsslapd-lastmod turned off.
2) vlvindex should not give an error message - either it's a real error (not sure why) or the error message is spurious and should not be printed by default

> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Thursday, September 18, 2008 1:32 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Warning with vlvindex....
>
> Reinhard Nappert wrote:
>> Rich,
>>
>> It seems to work. I will load a couple of thousand entries and do some tests....
>
> Was the database empty when you ran vlvindex? If not, what was in it?
>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>> Sent: Thursday, September 18, 2008 12:46 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Warning with vlvindex....
>>
>> Reinhard Nappert wrote:
>>> Hi,
>>>
>>> I built FDS 1.1.2 from scratch and installed and configured it. I get the following warning, when I run a vlvindex. This used to run in any 1.0.x and 1.1.0 release.
>>>
>>> [18/Sep/2008:12:20:18 -0400] - warning: ancestorid not indexed on 1
>>> [18/Sep/2008:12:20:18 -0400] - userRoot: WARNING: Failed to fetch subtree lists: (-30990) DB_NOTFOUND: No matching key/data pair found
>>> [18/Sep/2008:12:20:18 -0400] - userRoot: Possibly the entrydn or ancestorid index is corrupted or does not exist.
>>> [18/Sep/2008:12:20:18 -0400] - userRoot: Attempting brute-force method instead.
>>> [18/Sep/2008:12:20:18 -0400] - userRoot: Finished indexing.
>>>
>>> Does anybody have an idea?
>>
>> Was the database empty when you started?
>> It looks as though it completed - does the vlv index work?
>>
>>> Thanks,
>>> -Reinhard

From rmeggins at redhat.com Fri Sep 19 18:05:53 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Sep 2008 12:05:53 -0600
Subject: [Fedora-directory-users] Warning with vlvindex....
In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C04B5472E@emailwf1.jnpr.net>
References: <3525C9833C09ED418C6FD6CD9514668C04B54307@emailwf1.jnpr.net> <48D285B9.2090807@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54328@emailwf1.jnpr.net> <48D29091.9060103@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B54362@emailwf1.jnpr.net> <48D298FE.70607@redhat.com> <3525C9833C09ED418C6FD6CD9514668C04B5472E@emailwf1.jnpr.net>
Message-ID: <48D3EA01.7070803@redhat.com>

Reinhard Nappert wrote:
> Rich,
>
> nsslapd-lastmod is not set, which means it is turned on. I assume that you would the timestamps anyway, if you have a replicated environment.
>
> Are you going to open a bug, or should I do it?

Go ahead and open a bug for this. Thanks!

> -Reinhard

From janfrode at tanso.net Fri Sep 19 22:16:50 2008
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Sat, 20 Sep 2008 00:16:50 +0200
Subject: [Fedora-directory-users] Re: add sudorole cause idm-console to crash/hang
References: <48D3B91A.4060506@redhat.com> <48D3BFE5.3050808@redhat.com>
Message-ID:

On 2008-09-19, Rich Megginson wrote:
> Please file a bug at bugzilla.redhat.com - product Fedora Directory Server

Done: https://bugzilla.redhat.com/show_bug.cgi?id=462970

-jf

From kekkou.a at cs.ucy.ac.cy Mon Sep 22 09:57:55 2008
From: kekkou.a at cs.ucy.ac.cy (Andreas Kekkou)
Date: Mon, 22 Sep 2008 12:57:55 +0300
Subject: [Fedora-directory-users] fds 1.1 Performance tuning
In-Reply-To: <48D3AEA0.6010503@redhat.com>
References: <48D374CC.2000708@cs.ucy.ac.cy> <48D3AEA0.6010503@redhat.com>
Message-ID: <48D76C23.6030201@cs.ucy.ac.cy>

Hi Rich,

My mistake. For some reason I thought that the ulimit -n 8192 has to be changed only on v1.0.4.
Regards, Andreas Rich Megginson wrote: > Andreas Kekkou wrote: >> Hi all, >> >> I have recently upgraded one my fds servers from 1.0.4 to 1.1. The >> new server has been fine tuned using the performance tuning guide >> . At the >> bottom of the page is mentioning how to change the number of maximum >> descriptors from 1024 to 8192. There is a note there that this is >> only valid for 1.0.4 installations and when I tried to change this on >> 1.1 the server refused to start. The problem is that fds 1.1 stops >> unexpectedly at irregular intervals with nothing on the logs that can >> help resolve the problem. I remember a similar problem on my 1.0.4 >> installation was solved by changing nss-descriptors from 1024 to >> 8192. Is there any way to increase this number on 1.1? > Should work the same way - where does it say that it is only valid for > 1.0.4? What errors do you get in the error log? >> >> Andreas >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: kekkou_a.vcf Type: text/x-vcard Size: 369 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From doug.mallory at tempurpedic.com Mon Sep 22 15:52:50 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Mon, 22 Sep 2008 11:52:50 -0400
Subject: [Fedora-directory-users] Fedora-ds unable to connect to ldap server
References: <48D3B91A.4060506@redhat.com><48D3BFE5.3050808@redhat.com>

Here lately I am getting:

password information update failed: Can't contact LDAP server

Service fedora-ds restart does not help.

Doug Mallory, CISM, CISSP

From rmeggins at redhat.com Mon Sep 22 16:20:01 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 22 Sep 2008 10:20:01 -0600
Subject: [Fedora-directory-users] Fedora-ds unable to connect to ldap server
References: <48D3B91A.4060506@redhat.com><48D3BFE5.3050808@redhat.com>
Message-ID: <48D7C5B1.1000400@redhat.com>

Mallory, Doug (TPUSA) wrote:
> Here lately I am getting:
> password information update failed: Can't contact LDAP server
>
>
> Service fedora-ds restart does not help.
>
What fedora ds version? What platform? Note with fedora ds 1.1 the service name was changed to "dirsrv"

What app are you using to change the password? What is the full command line? If you are using "passwd" are your /etc/nsswitch.conf and /etc/ldap.conf settings correct? If you are using /usr/bin/ldappasswd are your /etc/openldap/ldap.conf settings correct?

Any clues in your directory server access log file?

> Doug Mallory, CISM, CISSP
>
From doug.mallory at tempurpedic.com Mon Sep 22 17:16:02 2008
From: doug.mallory at tempurpedic.com (Mallory, Doug (TPUSA))
Date: Mon, 22 Sep 2008 13:16:02 -0400
Subject: [Fedora-directory-users] Fedora-ds unable to connect to ldapserver
In-Reply-To: <48D7C5B1.1000400@redhat.com>
References: <48D3B91A.4060506@redhat.com><48D3BFE5.3050808@redhat.com> <48D7C5B1.1000400@redhat.com>

It is Fedora-ds 1.0 on ES 4

I found it was a false error. The reason it would not change was the password was in my history file.

Doug Mallory,

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Monday, September 22, 2008 12:20 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Fedora-ds unable to connect to ldapserver

Mallory, Doug (TPUSA) wrote:
> Here lately I am getting:
> password information update failed: Can't contact LDAP server
>
>
> Service fedora-ds restart does not help.
>
What fedora ds version? What platform? Note with fedora ds 1.1 the service name was changed to "dirsrv"

What app are you using to change the password? What is the full command line? If you are using "passwd" are your /etc/nsswitch.conf and /etc/ldap.conf settings correct? If you are using /usr/bin/ldappasswd are your /etc/openldap/ldap.conf settings correct?

Any clues in your directory server access log file?

> Doug Mallory, CISM, CISSP
>

From jyanga at esri.com Mon Sep 22 19:26:38 2008
From: jyanga at esri.com (Jerome Yanga)
Date: Mon, 22 Sep 2008 12:26:38 -0700
Subject: [Fedora-directory-users] setup-ds-admin.pl issue?
Message-ID: <5774D66D5EC83645A99B3A905527BB71092D49B7@zipwire.esri.com>

Fedora Directory Server 1.1.2 seems to have a broken setup-ds-admin.pl.

Is anybody else getting the same error below? I have tried Express, Typical and Custom setup types and all of them give me this error. I have even rebuilt the server and started from scratch.

The console gives me the following messages...

"Creating directory server . . .
Server failed to start !!! Please check errors log for problems
Possible timeout starting server: timeout=1222110628 now=1222110629
Could not start the directory server using command '/usr/lib/dirsrv/slapd-basis/start-slapd'. The last line from the error log was '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2 B2008.248.1448 starting up
'. Error: Unknown error 256
Error: Could not create directory server instance 'instance_name'.
Exiting . . ."

The setup log shows the following...

"[08/09/22:12:10:29] - [Setup] Info Could not start the directory server using command '/usr/lib/dirsrv/slapd-basis/start-slapd'. The last line from the error log was '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2 B2008.248.1448 starting up
'. Error: Unknown error 256
[08/09/22:12:10:29] - [Setup] Fatal Error: Could not create directory server instance 'instance_name'.
[08/09/22:12:10:29] - [Setup] Fatal Exiting . . ."

FYI, I followed the same procedure and setup answers with Fedora Directory Server 1.1.1 a few weeks ago and it worked.

Help.

Regards,
Jerome

From rmeggins at redhat.com Mon Sep 22 19:34:43 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 22 Sep 2008 13:34:43 -0600
Subject: [Fedora-directory-users] setup-ds-admin.pl issue?
In-Reply-To: <5774D66D5EC83645A99B3A905527BB71092D49B7@zipwire.esri.com>
References: <5774D66D5EC83645A99B3A905527BB71092D49B7@zipwire.esri.com>
Message-ID: <48D7F353.1040806@redhat.com>

Jerome Yanga wrote:
> Fedora Directory Server 1.1.2 seems to have a broken setup-ds-admin.pl.
>
> Is anybody else getting the same error below? I have tried Express,
> Typical and Custom setup types and all of them give me this error. I
> have even rebuilt the server and started from scratch.
>
> The console gives me the following messages...
>
> "Creating directory server . . .
> Server failed to start !!! Please check errors log for problems
> Possible timeout starting server: timeout=1222110628 now=1222110629
> Could not start the directory server using command
> '/usr/lib/dirsrv/slapd-basis/start-slapd'. The last line from the error
> log was '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2
> B2008.248.1448 starting up
> '. Error: Unknown error 256
> Error: Could not create directory server instance 'instance_name'.
> Exiting . . ."
>
> The setup log shows the following...
>
> "[08/09/22:12:10:29] - [Setup] Info Could not start the directory server
> using command '/usr/lib/dirsrv/slapd-basis/start-slapd'. The last line from the error log was
> '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2 B2008.248.1448 starting up
> '. Error: Unknown error 256
> [08/09/22:12:10:29] - [Setup] Fatal Error: Could not create directory
> server instance 'instance_name'.
> [08/09/22:12:10:29] - [Setup] Fatal Exiting . . ."
>
> FYI, I followed the same procedure and setup answers with Fedora
> Directory Server 1.1.1 a few weeks ago and it worked.
>
Try this:

setup-ds-admin.pl -ddd -k

-ddd will output lots of debugging info (to /tmp/setupXXXXX.log) and -k will tell setup to keep the /tmp/setupXXXXX.inf file. WARNING - the .inf file will contain your clear text passwords, so be sure to protect that file appropriately.

Then, paste each file to fpaste.org and paste the links in a reply email. Again, be sure to scrub each file for sensitive information before pasting.

> Help.
>
> Regards,
> Jerome
>

From tom at loran3.net Mon Sep 22 19:50:50 2008
From: tom at loran3.net (Thomas Loran)
Date: Mon, 22 Sep 2008 13:50:50 -0600
Subject: [Fedora-directory-users] setup-ds-admin.pl issue?
In-Reply-To: <5774D66D5EC83645A99B3A905527BB71092D49B7@zipwire.esri.com>
References: <5774D66D5EC83645A99B3A905527BB71092D49B7@zipwire.esri.com>
Message-ID: <48D7F71A.8070504@loran3.net>

Jerome Yanga wrote:
> Fedora Directory Server 1.1.2 seems to have a broken setup-ds-admin.pl.
>
> Is anybody else getting the same error below? I have tried Express,
> Typical and Custom setup types and all of them give me this error. I
> have even rebuilt the server and started from scratch.
>
> The console gives me the following messages...
>
> "Creating directory server . . .
> Server failed to start !!! Please check errors log for problems
> Possible timeout starting server: timeout=1222110628 now=1222110629
> Could not start the directory server using command
> '/usr/lib/dirsrv/slapd-basis/start-slapd'. The last line from the error
> log was '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2
> B2008.248.1448 starting up
> '. Error: Unknown error 256
> Error: Could not create directory server instance 'instance_name'.
> Exiting . . ."
>
> The setup log shows the following...
>
> "[08/09/22:12:10:29] - [Setup] Info Could not start the directory server
> using command '/usr/lib/dirsrv/slapd-basis/start-slapd'. The last line from the error log was
> '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2 B2008.248.1448 starting up
> '.
> Error: Unknown error 256
> [08/09/22:12:10:29] - [Setup] Fatal Error: Could not create directory
> server instance 'instance_name'.
> [08/09/22:12:10:29] - [Setup] Fatal Exiting . . ."
>
> FYI, I followed the same procedure and setup answers with Fedora
> Directory Server 1.1.1 a few weeks ago and it worked.
>
> Help.
>
> Regards,
> Jerome
>

Jerome,

I had the same issue yesterday and found that the owner on /var/run/dirsrv was set to root. I changed it to "nobody", the default for FDS, and was able to install just fine. I found this bug which might be helpful.

Bug 430368 - Running setup-ds.pl on Fedora 8 fails: Server failed to start !!! / Failed to open stats file

Tom

From jyanga at esri.com Tue Sep 23 17:16:44 2008
From: jyanga at esri.com (Jerome Yanga)
Date: Tue, 23 Sep 2008 10:16:44 -0700
Subject: [Fedora-directory-users] setup-ds-admin.pl issue?
Message-ID: <5774D66D5EC83645A99B3A905527BB710933DC00@zipwire.esri.com>

Thank you, Thomas and Rich, for the quick response. Changing the ownership of /var/run/dirsrv worked like a charm.

Regards,
Jerome

-----Original Message-----
From: Jerome Yanga
Sent: Monday, September 22, 2008 12:27 PM
To: 'fedora-directory-users at redhat.com'
Subject: setup-ds-admin.pl issue?

Fedora Directory Server 1.1.2 seems to have a broken setup-ds-admin.pl.

Is anybody else getting the same error below? I have tried Express, Typical and Custom setup types and all of them give me this error. I have even rebuilt the server and started from scratch.

The console gives me the following messages...

"Creating directory server . . .
Server failed to start !!! Please check errors log for problems
Possible timeout starting server: timeout=1222110628 now=1222110629
Could not start the directory server using command '/usr/lib/dirsrv/slapd-basis/start-slapd'.
The last line from the error log was '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2 B2008.248.1448 starting up
'. Error: Unknown error 256
Error: Could not create directory server instance 'instance_name'.
Exiting . . ."

The setup log shows the following...

"[08/09/22:12:10:29] - [Setup] Info Could not start the directory server using command '/usr/lib/dirsrv/slapd-basis/start-slapd'. The last line from the error log was '[22/Sep/2008:12:00:29 -0700] - Fedora-Directory/1.1.2 B2008.248.1448 starting up
'. Error: Unknown error 256
[08/09/22:12:10:29] - [Setup] Fatal Error: Could not create directory server instance 'instance_name'.
[08/09/22:12:10:29] - [Setup] Fatal Exiting . . ."

FYI, I followed the same procedure and setup answers with Fedora Directory Server 1.1.1 a few weeks ago and it worked.

Help.

Regards,
Jerome

From jyanga at esri.com Tue Sep 23 19:33:06 2008
From: jyanga at esri.com (Jerome Yanga)
Date: Tue, 23 Sep 2008 12:33:06 -0700
Subject: [Fedora-directory-users] Cannot find perl script mentioned in the Howto:SolarisClient
Message-ID: <5774D66D5EC83645A99B3A905527BB710933DF1E@zipwire.esri.com>

I am trying to setup a Solaris 10 client to use the FDS 1.1.2. The directions in the site below say "Import the duaconfigprofile schema into FDS. I used the perl script on the FDS doc site to create the rfc-compliant LDIF for FDS". However, I cannot find the perl script mentioned. I do not even know what to search for in my server as the filename was not provided.

http://directory.fedoraproject.org/wiki/Howto:SolarisClient

I have been testing on this for a few weeks now and I still cannot get the Solaris client to use the FDS server.

Help.

Regards,
Jerome

From mhalpern at accoona.com Tue Sep 23 20:35:12 2008
From: mhalpern at accoona.com (Marcelo N. Halpern)
Date: Tue, 23 Sep 2008 16:35:12 -0400
Subject: [Fedora-directory-users] classes of service?
 question
Message-ID: <48D95300.1030005@accoona.com>

Hello list,

here's the situation: I have a large number of {centos,rhel}{4,5} hosts on which I will be configuring ldap authentication via nss_ldap. Hosts are segregated onto different groups according to their function. This is based on their ip address and FQDN. For instance:

Group "A": red team:
10.10.0.0/16, dbhost_01.nyc.red, wwhost_01.nyc.red, aphost_03.nyc.red,

Group "B": blueteam:
10.20.0.0/16, dbhost_01.nyc.blue, wwhost_03.nyc.blue, aphost_01.nyc.blue,

Group "C": greenteam
10.30.0.0/16, dbhost_01.nyc.green, wwhost_03.nyc.green, aphost_01.nyc.green,

etc.

My intention is to control host access entirely from ldap, using a single ldap.conf for all servers. Nss_ldap provides a "pam_check_host_attr" hook where the host in question will check its FQDN against the entry's "host" attribute. The entry

dn: uid=mhalpern,ou=people,dc=foo.com
host: dbhost_01.nyc.red
host: dbhost_02.nyc.red

would then be able to login to either one of these two hosts.

At first I thought it should be really simple: I should be able to define a container which specifies the different host groups, and use classes of service to pull in the rest of the information. This solution would be ideal for me, as users are also segregated into groups.

To this effect I configured classes of service (and roles...) in a variety of combinations, with limited amount of success. Although I was able to make these "profile expansions" work as advertised, I could not get them to append values to the existing attribute set. For instance, a lookup on uid=mhalpern,ou=people,dc=foo.com with the following entries:

dn: uid=mhalpern,ou=people,dc=foo.com
ou=blue
host: dbhost_01.nyc.red
...

cn=cosTemplate,ou=people,dc=foo.com
cosAttribute: host
cosSpecifier: ou
...
dn: blue,cn=cosTemplate,ou=people,dc=foo.com
host: dbhost_01.nyc.blue
host: dbhost_02.nyc.blue
host: dbhost_03.nyc.blue

would render

dn: uid=mhalpern,ou=people,dc=foo.com
ou=blue
host: dbhost_01.nyc.red

and I would expect:

dn: uid=mhalpern,ou=people,dc=foo.com
ou=blue
host: dbhost_01.nyc.red
host: dbhost_01.nyc.blue
host: dbhost_02.nyc.blue
host: dbhost_03.nyc.blue

because classes of service are designed to replace, or be the default value of, a particular attribute.

I am open to any solutions to this problem... how have other people approached this issue?

Thanks for any suggestions.

--
Marcelo Nicolás Halpern
Systems Administrator

From ryan.braun at ec.gc.ca Wed Sep 24 21:05:00 2008
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Wed, 24 Sep 2008 21:05:00 +0000
Subject: [Fedora-directory-users] Need to escape space when adding referrals from scripts?
Message-ID: <200809242105.00618.ryan.braun@ec.gc.ca>

I have a perl script I've been working on to setup replication. The replication works great for replication from master to master. But I've been running into problems with dedicated consumers and their referrals.

If I disable the add_replica_referral sub in my script, and let fds handle the referrals on the fly it works (go figure :) ). But it doesn't set it up how I want so I need to customize it. It seems like when I set the referrals manually via perl, the space in the url of the referral is causing the whole dn of the update to get truncated as soon as it detects a space. Here is what I mean.

The following snippets are from myself updating an object on the consumer and it failing. All referrals have been created from my script. Not sure what the nsdisablerole is doing...
On the dedicated consumer

[24/Sep/2008:19:58:50 +0000] conn=14 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:19:58:51 +0000] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=directory manager"
[24/Sep/2008:19:58:51 +0000] conn=14 op=1 SRCH base="uid=goodgut,ou=People, dc=xxx,dc=ec,dc=gc,dc=ca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nscpEntryDN nsICQStatusText nsAIMStatusText copiedFrom passwordExpirationTime passwordAllowChangeTime nsICQStatusGraphic hasSubordinates nsRole nsRoleDN aci modifyTimestamp passwordExpWarned nsAccountLock nsAIMStatusGraphic nsds5ReplConflict nsIdleTimeout pwdpolicysubentry nsLookThroughLimit nsSizeLimit entryid nsUniqueId passwordRetryCount dncomp creatorsName nsSchemaCSN passwordGraceUserTime nsYIMStatusGraphic nsTimeLimit entrydn copyingFrom subschemaSubentry accountUnlockTime createTimestamp numSubordinates passwordHistory retryCountResetTime parentid ldapSchemas ldapSyntaxes modifiersName nsYIMStatusText nsBackendSuffix * aci"
[24/Sep/2008:19:58:51 +0000] conn=14 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:19:58:51 +0000] conn=14 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[24/Sep/2008:19:58:51 +0000] conn=14 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:19:58:51 +0000] conn=14 op=3 SRCH base="cn=nsdisabledrole,dc=xxx,dc=ec,dc=gc,dc=ca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="cn userPassword nsRole nsRoleDN objectClass nsAccountLock"
[24/Sep/2008:19:58:51 +0000] conn=14 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[24/Sep/2008:19:58:56 +0000] conn=14 op=4 MOD dn="uid=goodgut,ou=People,dc=xxx,dc=ec,dc=gc,dc=ca"
[24/Sep/2008:19:58:56 +0000] conn=14 op=4 RESULT err=10 tag=103 nentries=0 etime=0

On the MMR server

[24/Sep/2008:19:58:57 +0000] conn=59 fd=70 slot=70 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:19:58:57 +0000] conn=59 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[24/Sep/2008:19:58:57 +0000] conn=59 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Sep/2008:19:58:57 +0000] conn=59 op=1 MOD dn="uid=goodgut,ou=people,dc=xxx,"
[24/Sep/2008:19:58:57 +0000] conn=59 op=1 RESULT err=32 tag=103 nentries=0 etime=0
[24/Sep/2008:19:58:57 +0000] conn=59 op=2 UNBIND
[24/Sep/2008:19:58:57 +0000] conn=59 op=2 fd=70 closed - U1

You can see in the mod request, it's not getting the whole DN, it seems to truncate it at the first space it detects.

Here are the referral entries from the consumer

xxxsrvr4:/etc/dirsrv/slapd-xxxsrvr4# ldapsearch -x -h xxxsrvr4 -D "cn=directory manager" -b "cn=config" -W "objectclass=*"|grep dmns
Enter LDAP Password:
nsslapd-referral: ldap://xxxdmns0:389/dc=xxx, dc=ec, dc=gc, dc=ca
nsDS5ReplicaReferral: ldap://xxxdmns0:389/dc=xxx, dc=ec, dc=gc, dc=ca

If I blow away the rep agreement, and create it from the console, the referrals work fine and look like so.

[24/Sep/2008:20:17:29 +0000] conn=60 fd=70 slot=70 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:20:17:29 +0000] conn=60 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:20:17:29 +0000] conn=60 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Sep/2008:20:17:29 +0000] conn=60 op=1 MOD dn="uid=goodgut,ou=People,dc=xxx,dc=ec,dc=gc,dc=ca"
[24/Sep/2008:20:17:29 +0000] conn=60 op=1 RESULT err=0 tag=103 nentries=0 etime=0 csn=48daa05a000000010000
[24/Sep/2008:20:17:29 +0000] conn=61 fd=71 slot=71 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:20:17:29 +0000] conn=61 op=0 BIND dn="uid=RManager,cn=config" method=128 version=3
[24/Sep/2008:20:17:29 +0000] conn=61 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=rmanager,cn=config"
[24/Sep/2008:20:17:29 +0000] conn=61 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[24/Sep/2008:20:17:29 +0000] conn=61 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61
op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[24/Sep/2008:20:17:29 +0000] conn=61 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[24/Sep/2008:20:17:29 +0000] conn=61 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=4 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[24/Sep/2008:20:17:29 +0000] conn=61 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[24/Sep/2008:20:17:29 +0000] conn=60 op=2 UNBIND

But the referrals look like they've been added with ascii codes in the console.

xxxsrvr4:/etc/dirsrv/slapd-xxxsrvr4# ldapsearch -x -h xxxsrvr4 -D "cn=directory manager" -b "cn=config" -W "objectclass=*"|grep dmns
Enter LDAP Password:
nsslapd-referral: ldap://xxxdmns0.xxx.ec.gc.ca:389/dc%3Dxxx%2C%20dc%3Dec%2C%20
nsslapd-referral: ldap://xxxdmns1.xxx.ec.gc.ca:389/dc%3Dxxx%2C%20dc%3Dec%2C%20
xxxrvr4:/etc/dirsrv/slapd-xxxsrvr4#

So my question is, do I need to convert the spaces in my referral entries to ascii codes before creating the referral entries?

Here is the sub I use for reference.

    # The sub relies on Net::LDAP and the LDAP_ALREADY_EXISTS constant;
    # the script needs these at the top.
    use Net::LDAP;
    use Net::LDAP::Constant qw(LDAP_ALREADY_EXISTS);

    sub add_replica_referral {
        # adds referral to the multivalued attribute nsDS5ReplicaReferral in
        # dn: cn=replica,cn="$config{BASE_DN}",cn=mapping tree,cn=config
        # should only need to add this to a read only consumer!!
        # the first entry will be created automatically by the add_rep_object, this will add more referrals
        # TODO add check to make sure the replica object exists, otherwise it will fail silently and throw an err=32 no such object
        # in the servers log.
        my ($server, $server_port, $referral, $referral_port, $bind_pw) = @_;
        my ($ldap, $msg);

        # conn_bind() and disconnect() are helpers defined elsewhere in the script.
        # Bind with the password passed in as $bind_pw; the original used an
        # undeclared $passwd here, which is presumed to be a typo for the parameter.
        unless ( $ldap = conn_bind($server, $server_port, $bind_pw) ) {
            print "\t*********** bind/connect failed to $server on port $server_port ***************\n";
            return 0;
        }

        print "Adding referral on $server back to $referral\n";

        # dn: cn=replica,cn="$config{BASE_DN}",cn=mapping tree,cn=config
        # nsDS5ReplicaReferral: ldap://xxxx:389/dc=xxx,dc=ec,dc=gc,dc=ca
        # Note: the URL is built from the raw BASE_DN, so any spaces in it
        # go into the referral unescaped (the behaviour this thread is about).
        $msg = $ldap->modify("cn=replica,cn=\"$config{BASE_DN}\",cn=mapping tree,cn=config",
                             add => { 'nsDS5ReplicaReferral' => "ldap://$referral:$referral_port/$config{BASE_DN}" });

        if ($msg->code == LDAP_ALREADY_EXISTS) {
            print "\t -> already exists\n\n";
        } elsif ($msg->code) {
            # report any other failure (e.g. err=32 when the replica entry is missing)
            # instead of dropping it silently
            print "\t -> modify failed: ", $msg->error, "\n\n";
        }

        disconnect($ldap);
        return 1;
    }

Ryan

From ando at sys-net.it Thu Sep 25 04:59:38 2008
From: ando at sys-net.it (Pierangelo Masarati)
Date: Thu, 25 Sep 2008 06:59:38 +0200
Subject: [Fedora-directory-users] Need to escape space when adding referrals from scripts?
In-Reply-To: <200809242105.00618.ryan.braun@ec.gc.ca>
References: <200809242105.00618.ryan.braun@ec.gc.ca>
Message-ID: <48DB1ABA.3050603@sys-net.it>

Ryan Braun [ADS] wrote:
> I have a perl script I've been working on to setup replication. The
> replication works great for replication from master to master. But
> I've been running into problems with dedicated consumers and their
> referrals.
>
> If I disable the add_replica_referral sub in my script, and let fds
> handle the referrals on the fly it works (go figure :) ). But it
> doesn't set it up how I want so I need to customize it. It seems
> like when I set the referrals manually via perl, the space in the
> url of the referral is causing the whole dn of the update to get
> truncated as soon as it detects a space. Here is what I mean.

The syntax of the "ref" attribute is labeledURI. This consists of a URI and an optional label, separated by a blank. The URI must have special chars, which include spaces, URL-escaped (e.g. spaces must be "%20").

p.

Ing.
Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando at sys-net.it
-----------------------------------

From jyanga at esri.com Thu Sep 25 16:49:49 2008
From: jyanga at esri.com (Jerome Yanga)
Date: Thu, 25 Sep 2008 09:49:49 -0700
Subject: [Fedora-directory-users] How do I setup FDS so that Solaris clients will work with it?
Message-ID: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com>

Help.

Can someone point me to a set of instructions that will help me setup FDS 1.1.2 so that Solaris 10 clients will work with it? I cannot setup the FDS properly using the instructions below as it seems to be missing some information.

http://directory.fedoraproject.org/wiki/Howto:SolarisClient

Please advise.

Regards,
Jerome

From michael at michael.cl Thu Sep 25 20:46:37 2008
From: michael at michael.cl (Michael Fernández M)
Date: Thu, 25 Sep 2008 16:46:37 -0400
Subject: [Fedora-directory-users] Sync AD and FDS.
In-Reply-To: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com>
References: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com>
Message-ID: <1222375597.10141.7.camel@amokk.microserv.cl>

Hi...

I have this working in one way... I mean...

If I change a password for an account on ADS this is changed on FDS... (good)

But is it possible to do it the other way?, I mean change the password on FDS and then this is changed on ADS?

Where do I have to set the FDS to connect with the ADS in order to change the passwords?

Thanks in advance!!!
Michael.-

From hartmann at fas.harvard.edu Thu Sep 25 19:58:39 2008
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Thu, 25 Sep 2008 15:58:39 -0400
Subject: [Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd
Message-ID: <48DBED6F.401@fas.harvard.edu>

Hi all, I've run into some configuration trouble with our Red Hat Directory server V 8.0 and was hoping someone on this list might be able to shed a little light on my darkened, troubled and confused brow!

We've got the directory running pretty and have enabled gssapi to allow us to bind with our Kerberos Tickets, so if I do an LDAP query and bind with gssapi with a valid TGT all is well! (hurray) However that's really only PART of what we hope to do with Kerberos and Red Hat Directory Server... we'd also like to be able to use Kerberos as the password database for LDAP... so that a non kerberos aware application which just wants to bind to ldap will be able to bind to the directory, unaware that Kerberos is actually being used as the password store and means of auth..

I found a pretty good HOWTO for how to do this with open ldap:
http://www.ba.infn.it/~domenico/docs/AAIFiles/openLDAP.html

Way down at the bottom where it says "Kerberos as back-end database for LDAP password" is exactly what I'd like to accomplish! Is there a means to do the same thing in FDS? I also found this documentation:

http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

Which seems like it could work, but seems kind of like a hack for what I'm trying to do and it seemed like I couldn't be the only one who wanted to do it! I suspect there's something I'm just missing!

Thanks for the time, and any help would be much appreciated!

Tim

From rmeggins at redhat.com Thu Sep 25 20:13:36 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 25 Sep 2008 14:13:36 -0600
Subject: [Fedora-directory-users] Sync AD and FDS.
In-Reply-To: <1222375597.10141.7.camel@amokk.microserv.cl>
References: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com> <1222375597.10141.7.camel@amokk.microserv.cl>
Message-ID: <48DBF0F0.4060704@redhat.com>

Michael Fernández M wrote:
> Hi...
>
> I have this working in one way... I mean...
>
> If I change a password for an account on ADS this is changed on FDS...
> (good)
>
> But is it possible to do it the other way?, I mean change the
> password on FDS and then this is changed on ADS?
>
> Where do I have to set the FDS to connect with the ADS in order to change
> the passwords?
>
It should just work. What problems do you see? Any messages in the error log? One thing is that AD requires password changes to be sent over a secure channel, which means you'll need to use TLS/SSL.

> Thanks in advance!!!
>
> Michael.-
>

From rmeggins at redhat.com Thu Sep 25 20:15:25 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 25 Sep 2008 14:15:25 -0600
Subject: [Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd
In-Reply-To: <48DBED6F.401@fas.harvard.edu>
References: <48DBED6F.401@fas.harvard.edu>
Message-ID: <48DBF15D.8080406@redhat.com>

Tim Hartmann wrote:
> Hi all, I've run into some configuration trouble with our Red Hat Directory server V 8.0 and was hoping someone on this list might be able to shed a little light on my darkened, troubled and confused brow!
>
> We've got the directory running pretty and have enabled gssapi to allow
> us to bind with our Kerberos Tickets, so if I do an LDAP query and bind with gssapi with a valid TGT all is well!
> (hurray) However that's really only PART of what we hope to do with Kerberos and Red Hat Directory Server... we'd also like to be able to use Kerberos as the password database for LDAP... so that a non kerberos aware application which just wants to bind to ldap will be able to bind to the directory, unaware that Kerberos is actually being used as the password store and means of auth..
>
> I found a pretty good HOWTO for how to do this with open ldap:
> http://www.ba.infn.it/~domenico/docs/AAIFiles/openLDAP.html
>
> Way down at the bottom where it says "Kerberos as back-end database for LDAP password" is exactly what I'd like to accomplish! Is there a means to do the same thing in FDS? I also found this documentation:
>
> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>
> Which seems like it could work, but seems kind of like a hack for what I'm trying to do and it seemed like I couldn't be the only one who wanted to do it! I suspect there's something I'm just missing!
>
That hack was invented for those who wanted to use Kerberos as the authoritative source for password information. pampassthru passes the password to Kerberos via pam.

If you're really interested in using Fedora DS as the authoritative source for password information, and have Kerberos use Fedora DS to store the passwords, you really need freeipa.org

> Thanks for the time, and any help would be much appreciated!
>
> Tim
>
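To make Rich's description concrete, here is an added model (not code from this thread and not the 389/Fedora DS plugin's code) of how a simple bind is routed once PAM pass-through is enabled. It assumes the plugin's documented configuration attributes pamExcludeSuffix, pamSecure, pamFallback, pamIDMapMethod and pamIDAttr with their documented meanings, and stands a constructed fake PAM user table and a constructed fake directory in for pam_krb5 and the real entries; the replication-manager DN under cn=config is taken from the access log earlier in this digest.

```python
"""Model of the PAM pass-through bind decision.

Added illustration, not the mailing-list thread's or the 389/Fedora DS plugin's
code. Assumed attribute semantics (per the plugin's documentation):
  pamExcludeSuffix  binds under this suffix never go to PAM (local userPassword)
  pamSecure         only pass the password to PAM over a TLS/SSL connection
  pamFallback       if PAM rejects, retry against the local userPassword
  pamIDMapMethod    RDN (use the bind DN's first RDN value) or ENTRY (pamIDAttr)
The PAM backend and directory below are constructed fakes.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PassThruConfig:
    exclude_suffixes: Tuple[str, ...] = ("cn=config",)  # pamExcludeSuffix
    secure_only: bool = True                             # pamSecure
    fallback: bool = False                               # pamFallback
    id_map_method: str = "RDN"                           # pamIDMapMethod
    id_attr: str = "uid"                                 # pamIDAttr (for ENTRY)


# Constructed fake PAM backend: pam_krb5 would verify these against the KDC.
FAKE_PAM_USERS: Dict[str, str] = {"jdoe": "krb-secret"}

# Constructed fake directory: normalized dn -> (userPassword or None, attributes).
FAKE_DIRECTORY: Dict[str, Tuple[Optional[str], Dict[str, str]]] = {
    "uid=rmanager,cn=config": ("repl-secret", {}),
    "uid=jdoe,ou=people,dc=example,dc=com": (None, {"uid": "jdoe", "krbPrincipalName": "jdoe"}),
}


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDN components (comparison only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, suffix: str) -> bool:
    """True if dn equals the suffix or lies beneath it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def pam_user_for(cfg: PassThruConfig, bind_dn: str) -> Optional[str]:
    """Map the bind DN to the user name handed to PAM."""
    if cfg.id_map_method == "RDN":
        first = bind_dn.split(",", 1)[0]
        return first.split("=", 1)[1].strip() if "=" in first else None
    entry = FAKE_DIRECTORY.get(normalize_dn(bind_dn))
    return entry[1].get(cfg.id_attr) if entry else None


def local_bind(bind_dn: str, password: str) -> bool:
    """Ordinary directory bind against the entry's own userPassword."""
    entry = FAKE_DIRECTORY.get(normalize_dn(bind_dn))
    return bool(entry and entry[0] is not None and entry[0] == password)


def decide_bind(cfg: PassThruConfig, bind_dn: str, password: str, tls: bool) -> str:
    """Return where the bind ends up: local-ok/local-fail, pam-ok/pam-fail,
    or rejected-insecure when the cleartext password must not be forwarded."""
    if any(dn_under(bind_dn, s) for s in cfg.exclude_suffixes):
        return "local-ok" if local_bind(bind_dn, password) else "local-fail"
    if cfg.secure_only and not tls:
        # The password would otherwise cross the wire in the clear and then be
        # handed to the Kerberos stack; refuse before PAM ever sees it.
        return "rejected-insecure"
    user = pam_user_for(cfg, bind_dn)
    if user is not None and FAKE_PAM_USERS.get(user) == password:
        return "pam-ok"
    if cfg.fallback:
        return "local-ok" if local_bind(bind_dn, password) else "local-fail"
    return "pam-fail"


if __name__ == "__main__":
    cfg = PassThruConfig()
    for tls in (True, False):
        print(tls, decide_bind(cfg, "uid=jdoe,ou=People,dc=example,dc=com", "krb-secret", tls))
```

The secure_only gate is the one to watch: a simple bind carries the password itself, so with pamSecure off a plain-LDAP bind hands the user's Kerberos password to the server, and on to PAM, over an unprotected connection. The excluded suffix keeps service accounts under cn=config, such as the replication manager, on local userPassword authentication rather than routing them to the KDC.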
From hartmann at fas.harvard.edu Thu Sep 25 21:15:43 2008
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Thu, 25 Sep 2008 17:15:43 -0400
Subject: [Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd
In-Reply-To: <48DBF15D.8080406@redhat.com>
References: <48DBED6F.401@fas.harvard.edu> <48DBF15D.8080406@redhat.com>
Message-ID: <48DBFF7F.6040906@fas.harvard.edu>

Hi Rich thanks for the reply!

Rich Megginson wrote:
>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
>>
>> Which seems like it could work, but seems kind of like a hack for
>> what I'm trying to do and it seemed like I couldn't be the only one
>> who wanted to do it! I suspect there's something I'm just missing!
> That hack was invented for those who wanted to use Kerberos as the
> authoritative source for password information. pampassthru passes the
> password to Kerberos via pam.
>
That's *really* what I'd like to do... actually keep Kerberos as my authoritative source for password data, I was hoping there might have been a saslauthd plugin that I may have missed to proxy passwords back to ldap as well, or maybe some other step that I'd missed in my research.

> If you're really interested in using Fedora DS as the authoritative
> source for password information, and have Kerberos use Fedora DS to
> store the passwords, you really need freeipa.org

We took a look at Freeipa.org but it didn't seem to be as good a fit for us especially since we wanted to keep Kerberos as our password store. If I can get simple binds to work through pam for those applications that don't support GSS/SASL that would be a huge win!

Out of curiosity, was there any reason for proxying through pam rather than something like saslauthd?

Thanks again!
Tim From rmeggins at redhat.com Thu Sep 25 21:35:08 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 25 Sep 2008 15:35:08 -0600 Subject: [Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd In-Reply-To: <48DBFF7F.6040906@fas.harvard.edu> References: <48DBED6F.401@fas.harvard.edu> <48DBF15D.8080406@redhat.com> <48DBFF7F.6040906@fas.harvard.edu> Message-ID: <48DC040C.5030307@redhat.com> Tim Hartmann wrote: > Hi Rich, thanks for the reply! > > Rich Megginson wrote: > >>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through >>> >>> Which seems like it could work, but seems kind of like a hack for >>> what I'm trying to do and it seemed like I couldn't be the only one >>> who wanted to do it! I suspect there's something I'm just missing! >>> >> That hack was invented for those who wanted to use Kerberos as the >> authoritative source for password information. pampassthru passes the >> password to Kerberos via pam. >> >> > That's *really* what I'd like to do... actually keep Kerberos as my > authoritative source for password data. I was hoping there might have > been a saslauthd plugin that I may have missed to proxy passwords back > to LDAP as well, or maybe some other step that I'd missed in my research. > > > >> If you're really interested in using Fedora DS as the authoritative >> source for password information, and have Kerberos use Fedora DS to >> store the passwords, you really need freeipa.org >> > > We took a look at freeipa.org but it didn't seem as good a fit for us, > especially since we wanted to keep Kerberos as our password store. If I > can get simple binds to work through pam for those applications that > don't support GSS/SASL that would be a huge win! > > > Out of curiosity, was there any reason for proxying through pam rather > than something like saslauthd? > The people who wanted this feature didn't want the overhead of an additional server daemon (saslauthd).
They already had a pam stack that did kerberos auth and they just wanted Fedora DS to use that - pam passthru. > > Thanks again! > > Tim > From alan.orlic at zd-lj.si Fri Sep 26 07:36:15 2008 From: alan.orlic at zd-lj.si (Alan Orlič Belšak) Date: Fri, 26 Sep 2008 09:36:15 +0200 Subject: [Fedora-directory-users] GOsa install Message-ID: <48DC90EF.9060000@zd-lj.si> Hello, maybe someone will be able to help me. In the installation of GOsa I get the following error message: LDAP error: Object class violation (unknown object class "gosaAccount") How do I add a new object class with that name, and are there any extra things to do? Bye, Alan From satish at suburbia.org.au Fri Sep 26 07:44:55 2008 From: satish at suburbia.org.au (Satish Chetty) Date: Fri, 26 Sep 2008 15:44:55 +0800 Subject: [Fedora-directory-users] How do I setup FDS so that Solaris clients will work with it? In-Reply-To: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com> References: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com> Message-ID: <48DC92F7.6080502@suburbia.org.au> Jerome, The instructions on the wiki are fairly accurate. I would check Solaris 10 OS patches. Thanks, -Satish. Jerome Yanga wrote: > Help. > > > > Can someone point me to a set of instructions that will help me set up > FDS 1.1.2 so that Solaris 10 clients will work with it? > > > > I cannot set up the FDS properly using the instructions below as it seems > to be missing some information.
> > http://directory.fedoraproject.org/wiki/Howto:SolarisClient > > Please advise. > > Regards, > > Jerome From alan.orlic at zd-lj.si Fri Sep 26 09:06:48 2008 From: alan.orlic at zd-lj.si (Alan Orlič Belšak) Date: Fri, 26 Sep 2008 11:06:48 +0200 Subject: [Fedora-directory-users] GOsa install In-Reply-To: <48DC90EF.9060000@zd-lj.si> References: <48DC90EF.9060000@zd-lj.si> Message-ID: <48DCA628.5030908@zd-lj.si> Hello, I found out where the schema files of GOsa are. Does anyone have any experience with what to copy to my schema dir? Bye, Alan Alan Orlič Belšak wrote: > Hello, > > maybe someone will be able to help me. In the installation of GOsa I > get the following error message: > > LDAP error: Object class violation (unknown object class "gosaAccount") > > How do I add a new object class with that name, and are there any extra > things to do? > > Bye, Alan From rmeggins at redhat.com Fri Sep 26 18:56:40 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 26 Sep 2008 12:56:40 -0600 Subject: [Fedora-directory-users] Announcement - Fedora Directory Server 1.1.3 Message-ID: <48DD3068.3080009@redhat.com> Fedora Directory Server 1.1.3 is now available. We are pleased to announce the availability of Fedora Directory Server 1.1.3. This is a minor bug fix release, to address a bug in the Windows Sync code introduced in 1.1.2. No other changes have been made. See the Release Notes for more information - http://directory.fedoraproject.org/wiki/Release_Notes
From hartmann at fas.harvard.edu Fri Sep 26 19:33:30 2008 From: hartmann at fas.harvard.edu (Tim Hartmann) Date: Fri, 26 Sep 2008 15:33:30 -0400 Subject: [Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd In-Reply-To: <48DC040C.5030307@redhat.com> References: <48DBED6F.401@fas.harvard.edu> <48DBF15D.8080406@redhat.com> <48DBFF7F.6040906@fas.harvard.edu> <48DC040C.5030307@redhat.com> Message-ID: <48DD390A.5030902@fas.harvard.edu> Rich, Configuring the pam plugin went really well, and was really straightforward to follow; thanks for putting up the docs online and writing the pam plugin. I did have to pull over the libpam-passthru-plugin.so file from a copy of Fedora Directory Server v1.1, since it doesn't look like Red Hat Directory Server 8.0 ships with it. The plugin lists as version 1.1; is that the appropriate version of the library? -Tim Rich Megginson wrote: > Tim Hartmann wrote: >> Hi Rich, thanks for the reply! >> >> Rich Megginson wrote: >> >>>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through >>>> >>>> Which seems like it could work, but seems kind of like a hack for >>>> what I'm trying to do and it seemed like I couldn't be the only one >>>> who wanted to do it! I suspect there's something I'm just >>>> missing! >>> That hack was invented for those who wanted to use Kerberos as the >>> authoritative source for password information. pampassthru passes the >>> password to Kerberos via pam. >>> >>> >> That's *really* what I'd like to do... actually keep Kerberos as my >> authoritative source for password data. I was hoping there might have >> been a saslauthd plugin that I may have missed to proxy passwords back >> to LDAP as well, or maybe some other step that I'd missed in my >> research.
>> >> >> >>> If you're really interested in using Fedora DS as the authoritative >>> source for password information, and have Kerberos use Fedora DS to >>> store the passwords, you really need freeipa.org >>> >> >> We took a look at freeipa.org but it didn't seem as good a fit for us, >> especially since we wanted to keep Kerberos as our password store. If I >> can get simple binds to work through pam for those applications that >> don't support GSS/SASL that would be a huge win! >> >> >> Out of curiosity, was there any reason for proxying through pam rather >> than something like saslauthd? > The people who wanted this feature didn't want the overhead of an > additional server daemon (saslauthd). They already had a pam stack > that did kerberos auth and they just wanted Fedora DS to use that - > pam passthru. >> >> Thanks again! >> >> Tim From rmeggins at redhat.com Fri Sep 26 20:11:39 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 26 Sep 2008 14:11:39 -0600 Subject: [Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd In-Reply-To: <48DD390A.5030902@fas.harvard.edu> References: <48DBED6F.401@fas.harvard.edu> <48DBF15D.8080406@redhat.com> <48DBFF7F.6040906@fas.harvard.edu> <48DC040C.5030307@redhat.com> <48DD390A.5030902@fas.harvard.edu> Message-ID: <48DD41FB.1000301@redhat.com> Tim Hartmann wrote: > Rich, > > Configuring the pam plugin went really well, and was really > straightforward to follow; thanks for putting up the docs online and > writing the pam plugin.
> I did have to pull over the > libpam-passthru-plugin.so file from a copy of Fedora Directory Server > v1.1, since it doesn't look like Red Hat Directory Server 8.0 ships > with it. The plugin lists as version 1.1; is that the appropriate > version of the library? > Yes. Just make sure you use the FC-6 binary since that most closely corresponds to RHEL5. > -Tim > > > > > > Rich Megginson wrote: > >> Tim Hartmann wrote: >> >>> Hi Rich, thanks for the reply! >>> >>> Rich Megginson wrote: >>> >>> >>>>> http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through >>>>> >>>>> Which seems like it could work, but seems kind of like a hack for >>>>> what I'm trying to do and it seemed like I couldn't be the only one >>>>> who wanted to do it! I suspect there's something I'm just >>>>> missing! >>>>> >>>> That hack was invented for those who wanted to use Kerberos as the >>>> authoritative source for password information. pampassthru passes the >>>> password to Kerberos via pam. >>>> >>>> >>>> >>> That's *really* what I'd like to do... actually keep Kerberos as my >>> authoritative source for password data. I was hoping there might have >>> been a saslauthd plugin that I may have missed to proxy passwords back >>> to LDAP as well, or maybe some other step that I'd missed in my >>> research. >>> >>> >>> >>> >>>> If you're really interested in using Fedora DS as the authoritative >>>> source for password information, and have Kerberos use Fedora DS to >>>> store the passwords, you really need freeipa.org >>>> >>>> >>> We took a look at freeipa.org but it didn't seem as good a fit for us, >>> especially since we wanted to keep Kerberos as our password store. If I >>> can get simple binds to work through pam for those applications that >>> don't support GSS/SASL that would be a huge win! >>> >>> >>> Out of curiosity, was there any reason for proxying through pam rather >>> than something like saslauthd?
>>> >> The people who wanted this feature didn't want the overhead of an >> additional server daemon (saslauthd). They already had a pam stack >> that did kerberos auth and they just wanted Fedora DS to use that - >> pam passthru. >> >>> Thanks again! >>> >>> Tim From jyanga at esri.com Fri Sep 26 22:28:10 2008 From: jyanga at esri.com (Jerome Yanga) Date: Fri, 26 Sep 2008 15:28:10 -0700 Subject: [Fedora-directory-users] How do I setup FDS so that Solaris clients will work with it? Message-ID: <5774D66D5EC83645A99B3A905527BB710948228E@zipwire.esri.com> Thanks, Satish, but I used the same DUAConfigProfile specified in the link below. http://directory.fedoraproject.org/wiki/Howto:SolarisClient Here is the exact contents of DUAConfigProfile I used from Gary Tay's article which was referenced by the link above (http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm).
"dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )"
When I import it, I get the error below. "cn=schema: Error adding object 'dn: cn=schema'. The error sent by the server was 'null. missing required attribute "objectclass" '.
The object is: LDAPEntry: cn=schema; LDAPAttributeSet: LDAPAttribute {type='objectclasses', values='( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )'} LDAPAttribute {type='attributetypes', values='( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ),( 
1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ),( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ),( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ),( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ),( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )'}." What does the error mean? I apologize for the noob question. Help. Regards, Jerome ________________________________________ From: Jerome Yanga Sent: Thursday, September 25, 2008 9:50 AM To: 'fedora-directory-users at redhat.com' Subject: How do I setup FDS so that Solaris clients will work with it? Help. Can someone point me to a set of instructions that will help me setup FDS 1.1.2 so that Solaris 10 clients will work with it? 
I cannot set up the FDS properly using the instructions below as it seems to be missing some information. http://directory.fedoraproject.org/wiki/Howto:SolarisClient Please advise. Regards, Jerome From jad at jadickinson.co.uk Sun Sep 28 10:28:59 2008 From: jad at jadickinson.co.uk (John Dickinson) Date: Sun, 28 Sep 2008 11:28:59 +0100 Subject: [Fedora-directory-users] Re: java.lang.ClassCastException @ exec of standalone fedora-idm-console on osx Message-ID: <7260F3F8-6CA8-4C9D-88E7-287DB6F71264@jadickinson.co.uk> (I moved this from the devel list as users seemed more appropriate to me.) PGNet said: > If, in the Fedora Management Console GUI I click through to the > Servers & Applications Tab, and select the Server, I get a "Class > Loader Error" dialog, > "Failed to instantiate Server Object for Directory Server (fds): > com.netscape.admin.dirserv.DSAdmin" I get the same error if I build all the components of the console into the same built directory (../built or whatever you changed it to). Try deleting it between each one. My notes on building the console on OS X can be found here: http://jadickinson.co.uk/test/howto/fedora-ds-console-on-os-x/ John From michael at michael.cl Mon Sep 29 17:52:19 2008 From: michael at michael.cl (Michael Fernández M) Date: Mon, 29 Sep 2008 13:52:19 -0400 Subject: [Fedora-directory-users] Sync AD and FDS. In-Reply-To: <48DBF0F0.4060704@redhat.com> References: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com> <1222375597.10141.7.camel@amokk.microserv.cl> <48DBF0F0.4060704@redhat.com> Message-ID: <1222710739.2655.12.camel@amokk.microserv.cl> On Thu, 2008-09-25 at 14:13 -0600, Rich Megginson wrote: > Michael Fernández M wrote: > > Hi... > > > > I have this working in one way... I mean... > > > > If I change a password for an account on ADS this is changed on FDS... > > (good) > > > > But is it possible to do it the other way?, I mean change the > > password on FDS and then this is changed on ADS?
> > > > Where do I have to set the FDS to connect with the ADS in order to change > > the passwords? > > > It should just work. What problems do you see? Any messages in the > error log? > One thing is that AD requires password changes to be sent over a secure > channel, which means you'll need to use TLS/SSL. Hi.. (thanks for the reply...) When I run: /usr/lib/mozldap/ldapsearch -Z -p 636 -P /etc/dirsrv/slapd-justo/cert8.db -h ads_ip -D "cn=administrator,cn=users,dc=ads,dc=cl" -w lol -s base -b "ou=users,dc=ads,dc=cl" "objectclass=*" it connects to the ADS by SSL (636), but when I change a password from FDS, FDS does not change anything on ADS; tshark does not show packets.... That's why I ask where I have to configure FDS to connect with the ADS service.... However, the other way, ADS to FDS, works without problems.... Thanks!!! Michael.- > > > > Thanks in advance!!! > > > > Michael.- From michael at michael.cl Mon Sep 29 20:43:47 2008 From: michael at michael.cl (Michael Fernández M) Date: Mon, 29 Sep 2008 16:43:47 -0400 Subject: [Fedora-directory-users] Sync AD and FDS. In-Reply-To: <1222710739.2655.12.camel@amokk.microserv.cl> References: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com> <1222375597.10141.7.camel@amokk.microserv.cl> <48DBF0F0.4060704@redhat.com> <1222710739.2655.12.camel@amokk.microserv.cl> Message-ID: <1222721027.4711.3.camel@amokk.microserv.cl> On Mon, 2008-09-29 at 13:52 -0400, Michael Fernández M wrote: > On Thu, 2008-09-25 at 14:13 -0600, Rich Megginson wrote: > > Michael Fernández M wrote: > > > Hi... > > > > > > I have this working in one way... I mean...
> > > > > > If I change a password for an account on ADS this is changed on FDS... > > > (good) > > > > > > But is it possible to do it the other way?, I mean change the > > > password on FDS and then this is changed on ADS? > > > > > > Where do I have to set the FDS to connect with the ADS in order to change > > > the passwords? > > > > > It should just work. What problems do you see? Any messages in the > > error log? > > One thing is that AD requires password changes to be sent over a secure > > channel, which means you'll need to use TLS/SSL. > > Hi.. (thanks for the reply...) > > When I run: > > /usr/lib/mozldap/ldapsearch -Z -p 636 > -P /etc/dirsrv/slapd-justo/cert8.db -h ads_ip -D > "cn=administrator,cn=users,dc=ads,dc=cl" -w lol -s base -b > "ou=users,dc=ads,dc=cl" "objectclass=*" it connects to the ADS by SSL > (636), > > but when I change a password from FDS, FDS does not change anything on ADS; > tshark does not show packets.... > > That's why I ask where I have to configure FDS to connect with the ADS > service.... > > However, the other way, ADS to FDS, works without problems.... > I think I solved this.... I set a replica on FDS, but when I change a password (on FDS) for a user that exists on FDS and ADS, in the logs I see: NSMMReplicationPlugin - agmt="cn=windows" (procurador:636): windows_replay_update: failed map dn for modify operation dn="uid=lolo,ou=people,dc=ads,dc=cl" Any ideas? Regards!!! Michael.- > Thanks!!! > > Michael.- > > > > > > > > > > > Thanks in advance!!!
> > > > > > Michael.- From rmeggins at redhat.com Mon Sep 29 20:01:23 2008 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 29 Sep 2008 14:01:23 -0600 Subject: [Fedora-directory-users] Sync AD and FDS. In-Reply-To: <1222721027.4711.3.camel@amokk.microserv.cl> References: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com> <1222375597.10141.7.camel@amokk.microserv.cl> <48DBF0F0.4060704@redhat.com> <1222710739.2655.12.camel@amokk.microserv.cl> <1222721027.4711.3.camel@amokk.microserv.cl> Message-ID: <48E13413.8060808@redhat.com> Michael Fernández M wrote: > On Mon, 2008-09-29 at 13:52 -0400, Michael Fernández M wrote: > >> On Thu, 2008-09-25 at 14:13 -0600, Rich Megginson wrote: >> >>> Michael Fernández M wrote: >>> >>>> Hi... >>>> >>>> I have this working in one way... I mean... >>>> >>>> If I change a password for an account on ADS this is changed on FDS... >>>> (good) >>>> >>>> But is it possible to do it the other way?, I mean change the >>>> password on FDS and then this is changed on ADS? >>>> >>>> Where do I have to set the FDS to connect with the ADS in order to change >>>> the passwords? >>>> >>>> >>> It should just work. What problems do you see? Any messages in the >>> error log? >>> One thing is that AD requires password changes to be sent over a secure >>> channel, which means you'll need to use TLS/SSL. >>> >> Hi.. (thanks for the reply...)
>> >> When I run: >> >> /usr/lib/mozldap/ldapsearch -Z -p 636 >> -P /etc/dirsrv/slapd-justo/cert8.db -h ads_ip -D >> "cn=administrator,cn=users,dc=ads,dc=cl" -w lol -s base -b >> "ou=users,dc=ads,dc=cl" "objectclass=*" it connects to the ADS by SSL >> (636), >> >> but when I change a password from FDS, FDS does not change anything on ADS; >> tshark does not show packets.... >> >> That's why I ask where I have to configure FDS to connect with the ADS >> service.... >> >> However, the other way, ADS to FDS, works without problems.... >> >> > > I think I solved this.... > > I set a replica on FDS, but when I change a password (on FDS) for a user > that exists on FDS and ADS, in the logs I see: > > NSMMReplicationPlugin - agmt="cn=windows" (procurador:636): > windows_replay_update: failed map dn for modify operation > dn="uid=lolo,ou=people,dc=ads,dc=cl" > > Any ideas? > Not sure. If you have a user that exists in both FDS and ADS, did they already exist that way before you did the initial sync? If so, the existing user in FDS must have the ntUser objectclass, and must have the attribute ntUserDomainID set to the Windows userid (e.g. the samAccountName). Then try changing something like the description for the user in FDS or ADS to see if it gets synced across. Note that you may have to wait up to 5 minutes for changes to go from ADS to FDS (FDS to ADS changes should happen almost immediately). See http://tinyurl.com/4n3yzo for more information. > Regards!!! > > Michael.- > > > > >> Thanks!!! >> >> Michael.- >> >> >> >> >> >> >>>> Thanks in advance!!!
>>>> >>>> Michael.- From michael at michael.cl Mon Sep 29 21:43:04 2008 From: michael at michael.cl (Michael Fernández M) Date: Mon, 29 Sep 2008 17:43:04 -0400 Subject: [Fedora-directory-users] Sync AD and FDS. In-Reply-To: <48E13413.8060808@redhat.com> References: <5774D66D5EC83645A99B3A905527BB71093B2959@zipwire.esri.com> <1222375597.10141.7.camel@amokk.microserv.cl> <48DBF0F0.4060704@redhat.com> <1222710739.2655.12.camel@amokk.microserv.cl> <1222721027.4711.3.camel@amokk.microserv.cl> <48E13413.8060808@redhat.com> Message-ID: <1222724584.4711.8.camel@amokk.microserv.cl> On Mon, 2008-09-29 at 14:01 -0600, Rich Megginson wrote: > Michael Fernández M wrote: > > On Mon, 2008-09-29 at 13:52 -0400, Michael Fernández M wrote: > > > >> On Thu, 2008-09-25 at 14:13 -0600, Rich Megginson wrote: > >> > >>> Michael Fernández M wrote: > >>> > >>>> Hi... > >>>> > >>>> I have this working in one way... I mean... > >>>> > >>>> If I change a password for an account on ADS this is changed on FDS... > >>>> (good) > >>>> > >>>> But is it possible to do it the other way?, I mean change the > >>>> password on FDS and then this is changed on ADS?
> >>>>
> >>>> Where do I have to set the FDS to connect with the ADS in order to change the passwords?
> >>>>
> >>>>
> >>> It should just work. What problems do you see? Any messages in the error log?
> >>> One thing is that AD requires password changes to be sent over a secure channel, which means you'll need to use TLS/SSL.
> >>>
> >> Hi.. (thanks for the reply...)
> >>
> >> when I run:
> >>
> >> /usr/lib/mozldap/ldapsearch -Z -p 636 -P /etc/dirsrv/slapd-justo/cert8.db -h ads_ip -D "cn=administrator,cn=users,dc=ads,dc=cl" -w lol -s base -b "ou=users,dc=ads,dc=cl" "objectclass=*"
> >>
> >> it connects to the ADS over SSL (636),
> >>
> >> but when I change a password from FDS, FDS does not change anything on ADS; tshark does not show any packets....
> >>
> >> That's why I ask where I have to configure FDS to connect to the ADS service....
> >>
> >> However, the other way, ADS to FDS, works without problems....
> >>
> >>
> >
> > I think I solved this....
> >
> > I set replica on FDS, but when I change a password (on FDS) for a user that exists on FDS and ADS, in the logs I see:
> >
> > NSMMReplicationPlugin - agmt="cn=windows" (procurador:636): windows_replay_update: failed map dn for modify operation dn="uid=lolo,ou=people,dc=ads,dc=cl"
> >
> > Any ideas?
> >
> Not sure. If you have a user that exists in both FDS and ADS, did they already exist that way before you did the initial sync? If so, the existing user in FDS must have the ntUser objectclass, and must have the attribute ntUserDomainID set to the Windows userid (e.g. the samAccountName). Then try changing something like the description for the user in FDS or ADS to see if it gets synced across. Note that you may have to wait up to 5 minutes for changes to go from ADS to FDS (FDS to ADS changes should happen almost immediately).
>
Yes, I created the users separately. And the user created on FDS has the ntUserDomainID attribute and the ntUser objectclass.
When I modify an attribute on ADS, this is replicated to FDS, but not the other way around....

> See http://tinyurl.com/4n3yzo for more information
>
Thanks!

> > Regards!!!
> >
> > Michael.-
> >
> >> Thanks!!!
> >>
> >> Michael.-
> >>
> >>>> Thanks in advance!!!
> >>>>
> >>>> Michael.-
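As an added worked example for Rich's suggestion above (this is not code from the thread, from FDS or from the posters): scan the FDS error log for the "failed map dn" message quoted in the thread, and for each DN it names check whether the FDS entry already carries the ntUser objectclass and an ntUserDomainID holding the AD samAccountName, emitting the LDIF modify that adds whatever is missing. The log lines and the two entries are constructed samples; the timestamps, the unrelated trailing log line and the assumption that the FDS uid equals the AD samAccountName are illustrative only.

```python
"""Triage FDS entries that Windows sync could not map onto AD objects.

Added example for this thread, not code from FDS or from the posters.
It scans error-log lines in the format quoted above for the
"failed map dn" message, then checks each named FDS entry for the two
prerequisites Rich lists (ntUser objectclass, ntUserDomainID holding the
AD samAccountName) and emits the LDIF modify that adds whatever is missing.
The log lines and entries below are constructed samples.
"""
import re

# Error-log message as quoted in the thread; the DN is the FDS entry that
# could not be matched to an AD object.
FAILED_MAP_RE = re.compile(
    r'windows_replay_update: failed map dn for (?P<op>\w+) operation '
    r'dn="(?P<dn>[^"]+)"'
)

# Constructed sample of FDS errors-log lines (timestamps and the last
# line are hypothetical noise; the message text is the one from the thread).
SAMPLE_LOG = """\
[29/Sep/2008:17:30:01 -0400] NSMMReplicationPlugin - agmt="cn=windows" (procurador:636): windows_replay_update: failed map dn for modify operation dn="uid=lolo,ou=people,dc=ads,dc=cl"
[29/Sep/2008:17:30:05 -0400] NSMMReplicationPlugin - agmt="cn=windows" (procurador:636): windows_replay_update: failed map dn for modify operation dn="uid=pepe,ou=people,dc=ads,dc=cl"
[29/Sep/2008:17:30:05 -0400] NSMMReplicationPlugin - agmt="cn=windows" (procurador:636): windows_replay_update: failed map dn for modify operation dn="uid=lolo,ou=people,dc=ads,dc=cl"
[29/Sep/2008:17:31:00 -0400] NSMMReplicationPlugin - agmt="cn=windows" (procurador:636): unrelated message, ignored by the parser
"""

# Constructed FDS entries, attribute -> values, as an ldapsearch of each
# DN would return them.  "lolo" predates the sync and lacks both
# prerequisites; "pepe" already has them (LDAP attribute names are
# case-insensitive, so ntUserDomainId must be treated as ntUserDomainID).
SAMPLE_ENTRIES = {
    "uid=lolo,ou=people,dc=ads,dc=cl": {
        "objectClass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "posixAccount"],
        "uid": ["lolo"],
        "cn": ["Lolo Test"],
    },
    "uid=pepe,ou=people,dc=ads,dc=cl": {
        "objectClass": ["top", "person", "organizationalPerson",
                        "inetOrgPerson", "ntUser"],
        "uid": ["pepe"],
        "cn": ["Pepe Test"],
        "ntUserDomainId": ["pepe"],
    },
}


def unmapped_dns(log_text):
    """Distinct DNs from 'failed map dn' messages, in first-seen order."""
    seen = []
    for m in FAILED_MAP_RE.finditer(log_text):
        dn = m.group("dn")
        if dn not in seen:
            seen.append(dn)
    return seen


def missing_sync_attrs(entry):
    """Which of the two sync prerequisites the entry lacks (possibly none).
    Attribute names and objectclass values are compared case-insensitively."""
    attrs = {name.lower(): values for name, values in entry.items()}
    classes = {v.lower() for v in attrs.get("objectclass", [])}
    missing = []
    if "ntuser" not in classes:
        missing.append("ntUser")
    if not attrs.get("ntuserdomainid"):
        missing.append("ntUserDomainID")
    return missing


def fix_ldif(dn, entry, sam_account_name):
    """LDIF 'changetype: modify' record adding only what the entry lacks,
    with ntUserDomainID set to the AD samAccountName.  "" if nothing to do."""
    missing = missing_sync_attrs(entry)
    if not missing:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    if "ntUser" in missing:
        lines += ["add: objectClass", "objectClass: ntUser", "-"]
    if "ntUserDomainID" in missing:
        lines += ["add: ntUserDomainID",
                  f"ntUserDomainID: {sam_account_name}", "-"]
    return "\n".join(lines) + "\n"


def plan_fixes(log_text, entries, sam_names):
    """dn -> LDIF fix ("" when the entry is already sync-ready) for every
    DN the log reports; sam_names maps dn -> AD samAccountName."""
    return {dn: fix_ldif(dn, entries[dn], sam_names[dn])
            for dn in unmapped_dns(log_text) if dn in entries}


if __name__ == "__main__":
    # Sample assumption only: the FDS uid is the AD samAccountName.
    sam = {dn: e["uid"][0] for dn, e in SAMPLE_ENTRIES.items()}
    for dn, ldif in plan_fixes(SAMPLE_LOG, SAMPLE_ENTRIES, sam).items():
        print(f"# {dn}: {'needs fix' if ldif else 'already sync-ready'}")
        print(ldif, end="")
```

Run it over the instance errors log (for a slapd-justo instance that is normally /var/log/dirsrv/slapd-justo/errors) with the real entries fetched by ldapsearch, feed the generated LDIF to ldapmodify against FDS (the mozldap ldapmodify sits beside the ldapsearch used in the thread), then change a harmless attribute such as description on the fixed entry and confirm the "failed map dn" message no longer appears for that DN. As Rich points out, the password itself only crosses to AD when the agreement talks to it over LDAPS, so keep the agreement on port 636 for that part.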
