From rmeggins at redhat.com Wed Apr 1 02:29:52 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 31 Mar 2009 20:29:52 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
Message-ID: <49D2D1A0.3070307@redhat.com>

Here are some features we are considering for the next major version (tentatively called 1.3). These are not in any particular order, and this is quite an ambitious list, so we're not likely to complete all of these in a single release. We would appreciate your help in prioritizing this list, filling in any missing details, helping with requirements/design/coding/testing/docs, and letting us know if there are other features which would be nice to have.

In addition, we are considering using GIT instead of CVS for our SCM.

http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3

From neuronring at gmail.com Wed Apr 1 13:51:40 2009
From: neuronring at gmail.com (neuron ring)
Date: Wed, 1 Apr 2009 19:21:40 +0530
Subject: [Fedora-directory-users] PAM pass through auth plugin
Message-ID: <30abda540904010651r648f808ah3191c6c777bc100c@mail.gmail.com>

Hi,

I am trying to do PAM Pass Through authentication using the "cn=PAM Pass Through Auth,cn=plugins,cn=config" plugin. I followed the steps mentioned in the following URL.

http://www.directory.fedora.redhat.com/wiki/Howto:PAM_Pass_Through

I cannot follow steps 2 and 3 mentioned in the "Testing" topic on my OS. Mine is HP-UX. It is shown clearly that /etc/pam.d exists on Linux machines. Is there any alternate way I can follow to use the PAM pass-through authentication plugin on my operating system?

    ldapsearch -x -D "uid=scarter,ou=people,dc=example,dc=com" -w thepassword -s base -b ""

Where do I have to add the user scarter?
The useradd scarter in step 4 likely means adding the user to a Unix account and not to the LDAP server instance. Correct me where I am wrong. Can anyone tell me the precise steps?

I am able to bind as a normal user even when the PAM Pass Through Auth plugin is "Off" (without the ACI also). No changes to the pam.conf file have been made.

Thanks,
Neuron Ring.

From stpierre at NebrWesleyan.edu Wed Apr 1 21:25:57 2009
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Wed, 1 Apr 2009 16:25:57 -0500 (CDT)
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49D2D1A0.3070307@redhat.com>
References: <49D2D1A0.3070307@redhat.com>
Message-ID:

On Tue, 31 Mar 2009, Rich Megginson wrote:

> Here are some features we are considering for the next major version (tentatively called 1.3). These are not in any particular order, and this is quite an ambitious list, so we're not likely to complete all of these in a single release. We would appreciate your help in prioritizing this list, filling in any missing details, helping with requirements/design/coding/testing/docs, and letting us know if there are other features which would be nice to have.

The "Security Enhancements" section contains several particularly important items, particularly the ability to disallow plain text binds. That gets asked for quite frequently on IRC.

The named pipe for logging is needed, too; I helped one FDS user who was using my Fedora DS Graph, but FDS produced such an enormous volume of log information that the Perl File::Tail module I use in Fedora DS Graph literally couldn't read the entire log before it was rotated. I remember mentioning that using a named pipe could very well solve the problem -- particularly if it could be put on a RAM disk, e.g.
If syntax validation checking is added (which I support), there should be three modes, much like SELinux: Enforcing (syntax checking enabled, invalid values not allowed), Permissive (syntax checking enabled, invalid values permitted but a warning raised in the log), and Disabled. Additionally, there should be a way to check entire branches of an LDAP tree for syntax compliance -- i.e., a comprehensive auditing tool beyond just enabling Permissive mode and watching the logs.

Thanks for all your hard work on this!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From gopalsachin at gmail.com Thu Apr 2 06:10:39 2009
From: gopalsachin at gmail.com (Sachin Gopal)
Date: Thu, 2 Apr 2009 11:40:39 +0530
Subject: [Fedora-directory-users] Movin from openldap
Message-ID: <7833b03c0904012310r704faadaxa88b5020a9554738@mail.gmail.com>

Hi

We presently have OpenLDAP authentication with a Samba PDC running. What changes do I need to make to move it to Fedora Directory Server? When I tried importing the LDIF file, it never showed up inside Directory Server. Any suggestions?

--
Sachin

From tscherf at redhat.com Thu Apr 2 10:13:59 2009
From: tscherf at redhat.com (Thorsten Scherf)
Date: Thu, 2 Apr 2009 12:13:59 +0200
Subject: [Fedora-directory-users] Re: Movin from openldap
In-Reply-To: <7833b03c0904012310r704faadaxa88b5020a9554738@mail.gmail.com>
References: <7833b03c0904012310r704faadaxa88b5020a9554738@mail.gmail.com>
Message-ID: <20090402101359.GS5485@tscherf.redhat.com>

On [Thu, 02.04.2009 11:40], Sachin Gopal wrote:
> We presently have OpenLDAP authentication with a Samba PDC running. What changes do I need to make to move it to Fedora Directory Server? When I tried importing the LDIF file, it never showed up inside Directory Server. Any suggestions?
http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration

--
"Eternity is a very long time, especially towards the end." - Stephen Hawking

From browndeigo at gmail.com Fri Apr 3 14:04:12 2009
From: browndeigo at gmail.com (Brown Diego)
Date: Fri, 3 Apr 2009 19:34:12 +0530
Subject: [Fedora-directory-users] Trouble using presence plugin
Message-ID: <53859ceb0904030704s4c80d5e0w6d9e0e33c7e91a88@mail.gmail.com>

Hello all,

I do need some suggestions about the "presence" plugin. Can anyone throw some light on what the presence plugin is? I found an LDIF file presence.ldif in the /plugins/presence path. What can I do with that? There is no suffix called cn=Presence,cn=plugins,cn=config as given in that file.

There is a file found at /etc/opt/dirsrv/schema/10presence.ldif. It contains the schema definition for cn=Schema which includes some attributes in it. Is there anything that I can do with that file?

Somebody explain to me how to implement the presence plugin.

Thanks in advance,
Brown Diego.

From nhosoi at redhat.com Fri Apr 3 20:44:51 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 03 Apr 2009 13:44:51 -0700
Subject: [Fedora-directory-users] Trouble using presence plugin
In-Reply-To: <53859ceb0904030704s4c80d5e0w6d9e0e33c7e91a88@mail.gmail.com>
References: <53859ceb0904030704s4c80d5e0w6d9e0e33c7e91a88@mail.gmail.com>
Message-ID: <49D67543.9020208@redhat.com>

The Presence plugin was implemented to monitor the users' IM status in the Netscape Directory Server 6.0 time frame. Is that what you are interested in?

> http://www.redhat.com/docs/manuals/dir-server/ag/6.2/presence.htm
> Netscape Directory Server (Directory Server) 6.0 included a preview release of a new feature called /Instant Messenger (IM) Presence Information/.
> This chapter provides an overview of this feature and information that will help you configure Directory Server to provide an IM user's online-status information as a part of the user-profile information stored in the directory.

--noriko

Brown Diego wrote:
> Hello all,
>
> I do need some suggestions about the "presence" plugin. Can anyone throw some light on what the presence plugin is? I found an LDIF file presence.ldif in the /plugins/presence path. What can I do with that? There is no suffix called cn=Presence,cn=plugins,cn=config as given in that file.
>
> There is a file found at /etc/opt/dirsrv/schema/10presence.ldif. It contains the schema definition for cn=Schema which includes some attributes in it. Is there anything that I can do with that file?
>
> Somebody explain to me how to implement the presence plugin.
>
> Thanks in advance,
> Brown Diego.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From guillaume.chardin at gmail.com Tue Apr 7 14:06:28 2009
From: guillaume.chardin at gmail.com (Guillaume CHARDIN)
Date: Tue, 7 Apr 2009 16:06:28 +0200
Subject: [Fedora-directory-users] Problem configuring ldapphpadmin & fedora directory server
In-Reply-To:
References:
Message-ID:

Hello,

I wrote this mail a few days ago on the Fedora users ML. But now I thought it was not the right place to post. So, I am forwarding my message about some problems with phpldapadmin & FDS to this ML. Maybe someone of you will be able to help me.

---------- Forwarded message ----------

Hi,

I set up a new Fedora Directory Server (v1.1.3-6) on Fedora 10. And then, I installed ldapphpadmin (v1.1.0.5-2) to create new entries/populate the database. But here is the problem. Each time I try to connect to ldapphpadmin, I can't! Because the username/password does not exist. Except if I bind anonymously.
And then I can see the default entries, except the "cn=Directory manager" user specified at the init of the directory server. I think this issue is related to the netscape root used by FDS (but I'm not sure). Maybe I have to change the base DN used by PLA to match it to the "core" netscapeDN. Below are the config files used on this installation. Maybe someone has an idea about this issue and my own config.

####/etc/phpldapadmin/config.php#####
    $config->custom->session['blowfish'] = '8276d3d6bbb59656fc600b8d7f324788';
    # Autogenerated for auth.local
    $i=0;
    $ldapservers = new LDAPServers;
    $ldapservers->SetValue($i,'server','name','[auth.local]');
    $ldapservers->SetValue($i,'server','host','127.0.0.1');
    $ldapservers->SetValue($i,'server','port','389');
    $ldapservers->SetValue($i,'server','base',array('dc=local'));
    $ldapservers->SetValue($i,'server','auth_type','session');
    $ldapservers->SetValue($i,'server','sasl_mech','CRAM-MD5');
    $ldapservers->SetValue($i,'appearance','password_hash','md5');
    $ldapservers->SetValue($i,'login','attr','uid');
#####

Thanks for your help.

--
Guillaume

From jasanchez at ccnt-spain.com Wed Apr 8 13:02:19 2009
From: jasanchez at ccnt-spain.com (Juan Asensio Sánchez)
Date: Wed, 08 Apr 2009 15:02:19 +0200
Subject: [Fedora-directory-users] SSL Hub replication
Message-ID: <1239195739.11608.13.camel@grsgscvalx001.sacyl.es>

Hi

I am trying to set up replication with SSL. I have two buildings, each building has two servers. Each building has its own organization in a separate database. Each organization has the replica enabled.
This is a schema of the replication agreements (C1->Center1, S1->Server1, S2->Server2):

C1S1:
- C1 Org.: Multimaster agreement with C1S2 and C2S1
- C2 Org.: Hub agreement with C1S2
C1S2:
- C1 Org.: Multimaster agreement with C1S1 and C2S2
- C2 Org.: Hub agreement with C1S1
C2S1:
- C1 Org.: Hub agreement with C2S2
- C2 Org.: Multimaster agreement with C1S1 and C2S2
C2S2:
- C1 Org.: Hub agreement with C2S1
- C2 Org.: Multimaster agreement with C1S1 and C2S1

Non-SSL connections are disabled in all servers. I can connect with the console through SSL, and make requests to the directory server with SSL also. The problem is the replication agreements with the hub agreements. When I try to add a user in the C2 Org. from any server in C1 Org. I get this error:

    Cannot save to directory server:
    netscape.ldap.LDAPException: Referrral connect failed: failed to connect to server ldap://server11.center1.org.local:389 (91). cannot connect to the LDAP server, Failed to follow referral

It looks like it is trying to connect to the remote server in non-SSL, although I have configured it to make the replication agreements with SSL. This only occurs with hub replicas. With multimaster replicas, the updates are sent fine.

Any idea? Thanks in advance.

From rmeggins at redhat.com Wed Apr 8 14:24:24 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Apr 2009 08:24:24 -0600
Subject: [Fedora-directory-users] SSL Hub replication
In-Reply-To: <1239195739.11608.13.camel@grsgscvalx001.sacyl.es>
References: <1239195739.11608.13.camel@grsgscvalx001.sacyl.es>
Message-ID: <49DCB398.7020101@redhat.com>

Juan Asensio Sánchez wrote:
> Hi
>
> I am trying to set up replication with SSL. I have two buildings, each building has two servers. Each building has its own organization in a separate database. Each organization has the replica enabled.
> This is a schema of the replication agreements (C1->Center1, S1->Server1, S2->Server2):
>
> C1S1:
> - C1 Org.: Multimaster agreement with C1S2 and C2S1
> - C2 Org.: Hub agreement with C1S2
> C1S2:
> - C1 Org.: Multimaster agreement with C1S1 and C2S2
> - C2 Org.: Hub agreement with C1S1
> C2S1:
> - C1 Org.: Hub agreement with C2S2
> - C2 Org.: Multimaster agreement with C1S1 and C2S2
> C2S2:
> - C1 Org.: Hub agreement with C2S1
> - C2 Org.: Multimaster agreement with C1S1 and C2S1
>
> Non-SSL connections are disabled in all servers. I can connect with the console through SSL, and make requests to the directory server with SSL also. The problem is the replication agreements with the hub agreements. When I try to add a user in the C2 Org. from any server in C1 Org. I get this error:
>
> Cannot save to directory server:
> netscape.ldap.LDAPException: Referrral connect failed: failed to connect to server ldap://server11.center1.org.local:389 (91). cannot connect to the LDAP server, Failed to follow referral
>
> It looks like it is trying to connect to the remote server in non-SSL, although I have configured it to make the replication agreements with SSL. This only occurs with hub replicas. With multimaster replicas, the updates are sent fine.
>
> Any idea? Thanks in advance.

Unfortunately the replication code does not know how to send SSL/TLS referrals. Fortunately, you can set your own by using the nsDS5ReplicaReferral attribute in your cn=replica entry on your hubs/consumers:

http://tinyurl.com/35qddb

Note that the doc says "This should only be defined on a consumer." It means hub or consumer (i.e. read-only replicas).
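The workaround Rich describes, as an added example that is not code from the list post or from the Fedora DS project: a POSIX shell script that writes the ldapmodify input setting nsDS5ReplicaReferral on a hub's cn=replica entry (cn=replica,cn="<suffix>",cn=mapping tree,cn=config), refuses any referral URL that is not ldaps:// so the hub can never send clients, and the credentials they bind with, back to the clear-text port 389 named in the error above, and reads the attribute back with ldapsearch. The suffix dc=center2,dc=local, the host names c1s1.center1.org.local and c2s1.center2.org.local, the ldaps port 636 and the cn=Directory Manager bind DN are constructed placeholders; pointing the referral at a writable master is an assumption about the intended topology, not something the message states.

```shell
#!/bin/sh
# Added example; not code from the list post or from the Fedora DS project.
# Sets nsDS5ReplicaReferral on a hub's cn=replica entry so that the referral
# the hub hands back points at an ldaps:// URL instead of the clear-text
# ldap://host:389 URL that the replication code generates by itself.

# Return 0 only for an ldaps:// URL; anything else (ldap://, a bare host)
# would send referred clients, and their bind credentials, over port 389.
check_referral_url() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print ldapmodify input for one hub.  $1 = replicated suffix, $2 = referral
# URL of a writable master.  Emits nothing for a URL that fails the check.
referral_ldif() {
    suffix=$1
    url=$2
    check_referral_url "$url" || {
        echo "refusing non-ldaps referral URL: $url" >&2
        return 1
    }
    printf 'dn: cn=replica,cn="%s",cn=mapping tree,cn=config\n' "$suffix"
    printf 'changetype: modify\n'
    printf 'replace: nsDS5ReplicaReferral\n'
    printf 'nsDS5ReplicaReferral: %s\n' "$url"
}

# Apply the change over TLS to the hub named in $1 and read it back.
# $2 = suffix, $3 = referral URL.  Bind DN and port 636 are assumptions.
apply_referral() {
    hub=$1
    suffix=$2
    url=$3
    referral_ldif "$suffix" "$url" |
        ldapmodify -H "ldaps://$hub:636" -D "cn=Directory Manager" -W
    ldapsearch -H "ldaps://$hub:636" -D "cn=Directory Manager" -W \
        -b "cn=replica,cn=\"$suffix\",cn=mapping tree,cn=config" \
        -s base nsDS5ReplicaReferral
}

# usage: sh hub-referral.sh <hub-host> <suffix> <ldaps-referral-url>
# e.g.   sh hub-referral.sh c1s1.center1.org.local dc=center2,dc=local \
#            ldaps://c2s1.center2.org.local:636
if [ "$#" -eq 3 ]; then
    apply_referral "$@"
fi
```

The scheme check matters because a referral is followed by the client, not the server: whatever URL the hub returns is where the client reconnects and re-binds, so an ldap:// value would reintroduce exactly the clear-text hop that disabling non-SSL connections on every server was meant to remove.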
From rmeggins at redhat.com Wed Apr 8 16:18:24 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Apr 2009 10:18:24 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To:
References: <49D2D1A0.3070307@redhat.com>
Message-ID: <49DCCE50.7040106@redhat.com>

Chris St. Pierre wrote:
> On Tue, 31 Mar 2009, Rich Megginson wrote:
>
>> Here are some features we are considering for the next major version (tentatively called 1.3). These are not in any particular order, and this is quite an ambitious list, so we're not likely to complete all of these in a single release. We would appreciate your help in prioritizing this list, filling in any missing details, helping with requirements/design/coding/testing/docs, and letting us know if there are other features which would be nice to have.
>
> The "Security Enhancements" section contains several particularly important items, particularly the ability to disallow plain text binds. That gets asked for quite frequently on IRC.
>
> The named pipe for logging is needed, too; I helped one FDS user who was using my Fedora DS Graph, but FDS produced such an enormous volume of log information that the Perl File::Tail module I use in Fedora DS Graph literally couldn't read the entire log before it was rotated. I remember mentioning that using a named pipe could very well solve the problem -- particularly if it could be put on a RAM disk, e.g.
>
> If syntax validation checking is added (which I support), there should be three modes, much like SELinux: Enforcing (syntax checking enabled, invalid values not allowed), Permissive (syntax checking enabled, invalid values permitted but a warning raised in the log), and Disabled.
> Additionally, there should be a way to check entire branches of an LDAP tree for syntax compliance -- i.e., a comprehensive auditing tool beyond just enabling Permissive mode and watching the logs.

Thanks - I've added these notes to http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3

Anyone else? C'mon - surely you have an opinion about a new feature.

> Thanks for all your hard work on this!
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University

From jsullivan at opensourcedevel.com Wed Apr 8 17:02:31 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 08 Apr 2009 13:02:31 -0400
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49DCCE50.7040106@redhat.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com>
Message-ID: <1239210151.6495.27.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2009-04-08 at 10:18 -0600, Rich Megginson wrote:
> Anyone else? C'mon - surely you have an opinion about a new feature.

Certainly - the ability to move a populated container is very high on our list. Thanks for the invitation - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Wed Apr 8 17:20:59 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Apr 2009 11:20:59 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <1239210151.6495.27.camel@jaspav.missionsit.net.missionsit.net>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1239210151.6495.27.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49DCDCFB.9060504@redhat.com>

John A. Sullivan III wrote:
> On Wed, 2009-04-08 at 10:18 -0600, Rich Megginson wrote:
>> Anyone else? C'mon - surely you have an opinion about a new feature.
>
> Certainly - the ability to move a populated container is very high on our list. Thanks for the invitation - John

Yep - that's what we're calling "Subtree Rename" on the roadmap.
From andrey.ivanov at polytechnique.fr Wed Apr 8 20:23:29 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Wed, 8 Apr 2009 22:23:29 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49DCCE50.7040106@redhat.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com>
Message-ID: <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com>

The new features/adjustments that would be very useful for us (most of them are already on the wish list):

* subtree rename (should not change nsUniqueId)
* internal (plug-in, like memberOf) operations should not change the modifiersName, modifyTimestamp operational attributes (or it should be configurable) of an entry, otherwise it becomes very difficult to trace the activity of users
* the server should be able to return the members of dynamic groups, the membership attribute should be configurable - uniqueMember, member or another

> Thanks - I've added these notes to http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3
>
> Anyone else? C'mon - surely you have an opinion about a new feature.
>
>> Thanks for all your hard work on this!
>>
>> Chris St. Pierre
>> Unix Systems Administrator
>> Nebraska Wesleyan University
From andrey.ivanov at polytechnique.fr Wed Apr 8 21:02:40 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Wed, 8 Apr 2009 23:02:40 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com>
Message-ID: <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com>

I continue with my list:

* the server should be able to return the members of dynamic groups "on the fly" as if they were real members, the membership attribute should be configurable - uniqueMember, member or another
* support of other virtual attributes generated "on the fly"
* the pam passthrough plug-in should take into account at least the account activation/deactivation (bug 470684). There is a comment about some additional useful features in the README file of this plug-in:

    We need to worry about account expiration or lockout e.g. the user's credentials are valid but the user has been locked out of his/her account, or the password has expired, or something like that. Some of this can be handled by LDAP e.g. returning password policy control values when the password has expired.
* a way to synchronise the configuration of indexes (each time we add an index on one of the replicated servers we need to make it manually on all the others) and some other parameters in "cn=config" between the replicated servers (a little like the "configuration" partition in Active Directory); the schema changes are already replicated, which is very good
* enforced attribute syntax validation
* re-verify and validate conformance of the syntaxes, case sensitivity and their matching rules to the RFCs (https://www.redhat.com/archives/fedora-directory-users/2008-July/msg00041.html)
* unix socket autobind still does not seem to work (ldapi) - https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html. It could be very useful for various maintenance scripts running on the server.
* verification of the server from the viewpoint of memory leaks. The size of the memory used by the server grows with time (normally we don't restart the server for several months, so I can follow the stats)
* logconv.pl - very useful script, add some more options/adjustments (for example, a switch to hide unindexed searches in verbose mode). We use it as logwatch.
* a perl script to show the replication statistics (there is one for the web page generation statistics; something more basic, text-only would be very welcome) in text mode - to receive the reports by mail once per day like logwatch, for example
* regular expressions in ACIs (I know, it is very difficult to do, so maybe somewhere in the timescale of version 10.0? :)) - for example, allow a user to add or modify a value just in case the new value matches the regex. Or the group or DN of the user matches the regex...
* simplify the creation of new syntaxes and their validation/enforcement (version 11.0? :))
* virtual views allowing to map not only the trees but also the attributes ('cn' instead of 'uid' in a subtree, for example)
* enable regex in certmap.conf for mapping the CNs of the certificates during the certificate authentication of users

Other than that I just want to emphasize the great job you are doing adding new features and especially the fantastic reactivity in fixing some critical server bugs (usually it takes only one or two days to have the necessary diff in bugzilla!)

Thank you and please continue the development of this directory server!

> Thanks - I've added these notes to http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3
>
> Anyone else? C'mon - surely you have an opinion about a new feature.
>
>> Thanks for all your hard work on this!

From fortunato.montresor at earthlink.net Thu Apr 9 22:54:14 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 9 Apr 2009 18:54:14 -0400 (EDT)
Subject: [Fedora-directory-users] Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
Message-ID: <19643025.1239317654752.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>

Hello all,

I'll assume this has already been addressed, so a pointer to a good solution to try would help. But if not, here's my prob.

I just got Fedora 10 with ds-base installed:

    yum info fedora-ds-base
    Loaded plugins: refresh-packagekit
    Installed Packages
    Name       : fedora-ds-base
    Arch       : i386
    Version    : 1.1.3
    Release    : 6.fc10
    Size       : 4.6 M

And everything looks great:

    #/usr/bin/fedora-idm-console -a http://localhost:9830

Until I try to Open the Directory Server tree with the following errors....

    Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
    ...

I've read something about an OpenJDK 1.5.0 versioning problem, but I can't seem to find anything earlier than OpenJDK 1.6.0 ...

Any ideas?
From rmeggins at redhat.com Thu Apr 9 23:02:35 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Apr 2009 17:02:35 -0600
Subject: [Fedora-directory-users] Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
In-Reply-To: <19643025.1239317654752.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
References: <19643025.1239317654752.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
Message-ID: <49DE7E8B.80407@redhat.com>

Fortunato wrote:
> Hello all,
>
> I'll assume this has already been addressed, so a pointer to a good solution to try would help. But if not, here's my prob.
>
> I just got Fedora 10 with ds-base installed:
>
> yum info fedora-ds-base
> Loaded plugins: refresh-packagekit
> Installed Packages
> Name       : fedora-ds-base
> Arch       : i386
> Version    : 1.1.3
> Release    : 6.fc10
> Size       : 4.6 M
>
> And everything looks great:
>
Was this a fresh install or an upgrade? If an upgrade, did you first run setup-ds-admin.pl -u?
> #/usr/bin/fedora-idm-console -a http://localhost:9830
>
> Until I try to Open the Directory Server tree with the following errors....
>
> Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
> ...
>
> I've read something about an OpenJDK 1.5.0 versioning problem, but I can't seem to find anything earlier than OpenJDK 1.6.0 ...
>
java -version
> Any ideas?
From fortunato.montresor at earthlink.net Thu Apr 9 23:13:06 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 9 Apr 2009 19:13:06 -0400 (EDT)
Subject: [Fedora-directory-users] Exception in thread
Message-ID: <28327374.1239318786804.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>

This is a fresh install.

Here's the java info:

    # java -version
    java version "1.6.0_0"
    IcedTea6 1.4 (fedora-15.b14.fc10-i386) Runtime Environment (build 1.6.0_0-b14)
    OpenJDK Client VM (build 14.0-b08, mixed mode)

-----Original Message-----
>From: Rich Megginson
>Sent: Apr 9, 2009 7:02 PM
>To: Fortunato , "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
>
>Fortunato wrote:
>> Hello all,
>>
>> I'll assume this has already been addressed, so a pointer to a good solution to try would help. But if not, here's my prob.
>>
>> I just got Fedora 10 with ds-base installed:
>>
>> yum info fedora-ds-base
>> Loaded plugins: refresh-packagekit
>> Installed Packages
>> Name       : fedora-ds-base
>> Arch       : i386
>> Version    : 1.1.3
>> Release    : 6.fc10
>> Size       : 4.6 M
>>
>> And everything looks great:
>>
>Was this a fresh install or an upgrade? If an upgrade, did you first run setup-ds-admin.pl -u?
>> #/usr/bin/fedora-idm-console -a http://localhost:9830
>>
>> Until I try to Open the Directory Server tree with the following errors....
>>
>> Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
>> ...
>>
>> I've read something about an OpenJDK 1.5.0 versioning problem, but I can't seem to find anything earlier than OpenJDK 1.6.0 ...
>>
>java -version
>> Any ideas?

From rmeggins at redhat.com Thu Apr 9 23:23:41 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Apr 2009 17:23:41 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com>
Message-ID: <49DE837D.7070205@redhat.com>

Andrey Ivanov wrote:
> I continue with my list

Thanks - I've added many of these to the list - questions below.

> * the server should be able to return the members of dynamic groups "on the fly" as if they were real members, the membership attribute should be configurable - uniqueMember, member or another

I put this on the Future list:

Dynamic group expansion
* Define a dynamic group, and have the member/uniqueMember attribute of this group automatically be populated by the server
* clients can then just search for member like with a regular static posix group

> * support of other virtual attributes generated "on the fly"

Can you explain this a little more?

> * the pam passthrough plug-in should take into account at least the account activation/deactivation (bug 470684). There is a comment about some additional useful features in the README file of this plug-in:
> We need to worry about account expiration or lockout e.g. the user's credentials are valid but the user has been locked out of his/her account, or the password has expired, or something like that. Some of this can be handled by LDAP e.g. returning password policy control values when the password has expired.
> > > * a way to synchronise the configuration of indexes (each time we add > an index on one of the replicated servers we need to make it manually > on all the others) and some other parameters in "cn=config" between > the replicated servers (a little like the "configuration" partition > in active directory), the schema changes are already replicated which > is very good I'm calling this feature "Configuration replication" - I think it could be useful for other sorts of configuration. > > * enforced attribute syntax validation Already on the list - Syntax validation checking > > * re-verify and validate conformance of the syntaxes, case sensitivity > and their matching rules to RFC > (https://www.redhat.com/archives/fedora-directory-users/2008-July/msg00041.html) > Already on the list > * unix socket autobind still does not seem to work (ldapi) - > https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html. > It could be very useful for various maintenance scripts running on the > server. We tested this with 1.2.0 and it seems to work. You tested a build from source? Did you use --enable-autobind with configure? Did you restart the server after configuring your autobind and sasl mapping? > > * verification of the server from the viewpoint of memory leaks. Th > size of the memory used by the server grows with time (normally we > don't restart the sevrr during several months, so i can follow the stats) We regularly run the server test suite with valgrind enabled. I'm not aware of any per connection or per operation leaks. What exactly are you seeing? > > * logconv.pl - very useful script, add some more options/ adjustments > (for example, a switch to hide unindexed searches in verbose mode). We > use it as logwatch. 
> * a perl script to show the replication statistics (there is one for
> the web page generation statistics, something more basic, text-only
> would be very welcome) in text mode - to receive the reports by mail
> once per day like logwatch for example

What sort of information are you looking for? ldapsearch can provide most of the useful information.

> * regular expressions in ACIs (i know, it is very difficult to do, so
> maybe somewhere in the timescale of the version 10.0 ? :)) - for
> example, allow a user to add or modify a value just in case the new
> value matches the regex. Or the group or dn of the user matches the
> regex...

You can do some of that currently with targetattrfilters - see http://tinyurl.com/3yo88r
We added support in 1.2.0 to allow you to specify group membership with LDAP search specifications, which does allow some wildcarding, so that might help too.

> * simplify the creation of new syntaxes and their validation/
> enforcement (version 11.0? :))

Can you elaborate?

> * virtual views allowing to map not only the trees but also the
> attributes ('cn' instead of 'uid' in a subtree, for example)

Can you elaborate?

> * enable regex in certmap.conf for mapping the CNs of the certificates
> during the certificate authentication of users

This is on the list as Get rid of certmap.conf - use SASL mapping (cert auth is really just SASL/EXTERNAL)
The sasl mapping code uses regular expressions

> Other than that i just want to emphasize the great job you are doing
> adding new features and especially the fantastic reactivity in fixing
> some critical server bugs (usually it takes only one or two days to
> have the necessary diff in bugzilla!)
>
> Thank you and please continue the development of this directory server!

And thank you for your suggestions.

>> Thanks - I've added these notes to
>> http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3
>>
>> Anyone else?
>> C'mon - surely you have an opinion about a new feature.
>
> Thanks for all your hard work on this!
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Thu Apr 9 23:36:27 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Apr 2009 17:36:27 -0600
Subject: [Fedora-directory-users] Exception in thread
In-Reply-To: <28327374.1239318786804.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
References: <28327374.1239318786804.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
Message-ID: <49DE867B.90201@redhat.com>

Fortunato wrote:
> This is a fresh install.
>
> Here's the java info:
>
> # java -version
> java version "1.6.0_0"
> IcedTea6 1.4 (fedora-15.b14.fc10-i386) Runtime Environment (build 1.6.0_0-b14)
> OpenJDK Client VM (build 14.0-b08, mixed mode)

That looks correct. Can you confirm the version of the following packages:
rpm -qi fedora-ds-admin
rpm -qi fedora-ds-base
rpm -qi jss
rpm -qi idm-console-framework
rpm -qi fedora-idm-console
rpm -qi fedora-ds-console
rpm -qi fedora-ds-admin-console

I have an up to date F10 system - I could not reproduce this problem.

> -----Original Message-----
>
>> From: Rich Megginson
>> Sent: Apr 9, 2009 7:02 PM
>> To: Fortunato , "General discussion list for the Fedora Directory server project."
>> Subject: Re: [Fedora-directory-users] Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
>>
>> Fortunato wrote:
>>
>>> Hello all,
>>>
>>> I'll assume this has already been addressed, so a pointer to a good solution to try would help. But if not, here's my prob.
>>>
>>> I just got Fedora 10 with ds-base installed:
>>>
>>> yum info fedora-ds-base
>>> Loaded plugins: refresh-packagekit
>>> Installed Packages
>>> Name : fedora-ds-base
>>> Arch : i386
>>> Version : 1.1.3
>>> Release : 6.fc10
>>> Size : 4.6 M
>>>
>>> And everything looks great:
>>
>> Was this a fresh install or an upgrade? If an upgrade, did you first
>> run setup-ds-admin.pl -u?
>>
>>> #/usr/bin/fedora-idm-console -a http://localhost:9830
>>>
>>> Until I try to Open the Directory Server tree with the following errors....
>>>
>>> Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
>>> ...
>>>
>>> I've read something about an OpenJDK 1.5.0 versioning problem, but I can't seem to find anything earlier than OpenJDK 1.6.0 ...
>>
>> java -version
>>
>>> Any ideas?

From fortunato.montresor at earthlink.net Fri Apr 10 00:43:39 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 9 Apr 2009 20:43:39 -0400 (EDT)
Subject: [Fedora-directory-users] Exception in thread
Message-ID: <17444907.1239324219333.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>

Yum is nice but Fed10 is a moving target. This is on a VM.

Inline...

-----Original Message-----
>From: Rich Megginson
>Sent: Apr 9, 2009 7:36 PM
>To: Fortunato , "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] Exception in thread
>
>Fortunato wrote:
>> This is a fresh install.
>>
>> Here's the java info:
>>
>> # java -version
>> java version "1.6.0_0"
>> IcedTea6 1.4 (fedora-15.b14.fc10-i386) Runtime Environment (build 1.6.0_0-b14)
>> OpenJDK Client VM (build 14.0-b08, mixed mode)
>>
>That looks correct. Can you confirm the version of the following packages:
>rpm -qi fedora-ds-admin

# rpm -qi fedora-ds-admin
Name        : fedora-ds-admin              Relocations: (not relocatable)
Version     : 1.1.6                             Vendor: Fedora Project
Release     : 2.fc10                        Build Date: Mon 15 Sep 2008 10:53:21 AM PDT
Install Date: Tue 07 Apr 2009 01:24:03 PM PDT      Build Host: x86-2.fedora.phx.redhat.com
Group       : System Environment/Daemons    Source RPM: fedora-ds-admin-1.1.6-2.fc10.src.rpm
Size        : 1051306                          License: GPLv2
Signature   : DSA/SHA1, Tue 28 Oct 2008 11:10:23 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org/
Summary     : Fedora Administration Server (admin)
Description :
Fedora Administration Server is an HTTP agent that provides management features
for Fedora Directory Server. It provides some management web apps that can
be used through a web browser. It provides the authentication, access control,
and CGI utilities used by the console.

>rpm -qi fedora-ds-base

# rpm -qi fedora-ds-base
Name        : fedora-ds-base               Relocations: (not relocatable)
Version     : 1.2.0                             Vendor: Fedora Project
Release     : 2.fc10                        Build Date: Thu 02 Apr 2009 07:21:57 AM PDT
Install Date: Thu 09 Apr 2009 03:37:43 PM PDT      Build Host: xenbuilder4.fedora.phx.redhat.com
Group       : System Environment/Daemons    Source RPM: fedora-ds-base-1.2.0-2.fc10.src.rpm
Size        : 5007672                          License: GPLv2 with exceptions
Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:30 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org/
Summary     : Fedora Directory Server (base)
Description :
Fedora Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.
>rpm -qi jss

# rpm -qi jss
Name        : jss                          Relocations: (not relocatable)
Version     : 4.2.5                             Vendor: Fedora Project
Release     : 3.fc10                        Build Date: Tue 05 Aug 2008 08:16:36 AM PDT
Install Date: Tue 07 Apr 2009 12:54:01 PM PDT      Build Host: x86-1
Group       : System Environment/Libraries  Source RPM: jss-4.2.5-3.fc10.src.rpm
Size        : 973803                           License: MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : DSA/SHA1, Tue 28 Oct 2008 04:23:59 PM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://www.mozilla.org/projects/security/pki/jss/
Summary     : Java Security Services (JSS)
Description :
Java Security Services (JSS) is a java native interface which provides a bridge
for java-based applications to use native Network Security Services (NSS).
This only works with gcj. Other JREs require that JCE providers be signed.
>rpm -qi idm-console-framework

# rpm -qi idm-console-framework
Name        : idm-console-framework        Relocations: (not relocatable)
Version     : 1.1.2                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Thu 04 Sep 2008 08:24:30 AM PDT
Install Date: Tue 07 Apr 2009 01:25:38 PM PDT      Build Host: x86-6.fedora.phx.redhat.com
Group       : System Environment/Libraries  Source RPM: idm-console-framework-1.1.2-1.fc10.src.rpm
Size        : 1227677                          License: LGPLv2
Signature   : DSA/SHA1, Tue 28 Oct 2008 04:08:53 PM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Identity Management Console Framework
Description :
A Java Management Console framework used for remote server management.
>rpm -qi fedora-idm-console

# rpm -qi fedora-idm-console
Name        : fedora-idm-console           Relocations: (not relocatable)
Version     : 1.1.1                             Vendor: Fedora Project
Release     : 2.fc9                         Build Date: Wed 16 Apr 2008 07:30:06 AM PDT
Install Date: Tue 07 Apr 2009 01:25:39 PM PDT      Build Host: xenbuilder2.fedora.redhat.com
Group       : Applications/System           Source RPM: fedora-idm-console-1.1.1-2.fc9.src.rpm
Size        : 58324                            License: LGPLv2
Signature   : DSA/SHA1, Tue 28 Oct 2008 11:10:29 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Fedora Management Console
Description :
A Java based remote management console used for Managing Fedora
Administration Server and Fedora Directory Server.

>rpm -qi fedora-ds-console

# rpm -qi fedora-ds-console
Name        : fedora-ds-console            Relocations: (not relocatable)
Version     : 1.1.2                             Vendor: Fedora Project
Release     : 2.fc8                         Build Date: Thu 04 Sep 2008 09:08:06 AM PDT
Install Date: Thu 09 Apr 2009 02:10:25 PM PDT      Build Host: x86-7.fedora.phx.redhat.com
Group       : Applications/System           Source RPM: fedora-ds-console-1.1.2-2.fc8.src.rpm
Size        : 1705889                          License: GPLv2
Signature   : DSA/SHA1, Wed 10 Sep 2008 12:27:02 PM PDT, Key ID 62aec3dc6df2196f
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Fedora Directory Server Management Console
Description :
A Java based remote management console used for Managing Fedora
Directory Server.
>rpm -qi fedora-ds-admin-console

# rpm -qi fedora-ds-admin-console
Name        : fedora-ds-admin-console      Relocations: (not relocatable)
Version     : 1.1.3                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Wed 01 Apr 2009 10:07:38 AM PDT
Install Date: Thu 09 Apr 2009 11:40:34 AM PDT      Build Host: x86-5.fedora.phx.redhat.com
Group       : Applications/System           Source RPM: fedora-ds-admin-console-1.1.3-1.fc10.src.rpm
Size        : 327034                           License: GPLv2
Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:29 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Fedora Admin Server Management Console
Description :
A Java based remote management console used for Managing Fedora
Admin Server.

>I have an up to date F10 system - I could not reproduce this problem.
From rmeggins at redhat.com Fri Apr 10 00:48:51 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Apr 2009 18:48:51 -0600
Subject: [Fedora-directory-users] Exception in thread
In-Reply-To: <17444907.1239324219333.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
References: <17444907.1239324219333.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
Message-ID: <49DE9773.6050402@redhat.com>

Fortunato wrote:
> Yum is nice but Fed10 is a moving target. This is on a VM.

I'm not sure what you mean, but you do not have up-to-date packages. That's likely the problem.

> Inline...
>
> -----Original Message-----
>
>> From: Rich Megginson
>> Sent: Apr 9, 2009 7:36 PM
>> To: Fortunato , "General discussion list for the Fedora Directory server project."
>> Subject: Re: [Fedora-directory-users] Exception in thread
>>
>> Fortunato wrote:
>>
>>> This is a fresh install.
>>>
>>> Here's the java info:
>>>
>>> # java -version
>>> java version "1.6.0_0"
>>> IcedTea6 1.4 (fedora-15.b14.fc10-i386) Runtime Environment (build 1.6.0_0-b14)
>>> OpenJDK Client VM (build 14.0-b08, mixed mode)
>>
>> That looks correct.
From fortunato.montresor at earthlink.net Fri Apr 10 01:06:24 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 9 Apr 2009 21:06:24 -0400 (EDT)
Subject: [Fedora-directory-users] Exception in thread
Message-ID: <23353299.1239325584279.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>

I just installed fedora-ds-base about 6 days ago using yum and it was at version 1.1.3 - it's now (today) at 1.2.0.
I just updated the packages:

$ rpm -qi fedora-ds-admin
Name        : fedora-ds-admin              Relocations: (not relocatable)
Version     : 1.1.7                             Vendor: Fedora Project
Release     : 3.fc10                        Build Date: Wed 08 Apr 2009 06:15:40 PM PDT
Install Date: Thu 09 Apr 2009 05:49:36 PM PDT      Build Host: x86-6.fedora.phx.redhat.com
Group       : System Environment/Daemons    Source RPM: fedora-ds-admin-1.1.7-3.fc10.src.rpm
Size        : 1073278                          License: GPLv2
Signature   : DSA/SHA1, Thu 09 Apr 2009 05:10:15 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org/
Summary     : Fedora Administration Server (admin)
Description :
Fedora Administration Server is an HTTP agent that provides management features
for Fedora Directory Server. It provides some management web apps that can
be used through a web browser. It provides the authentication, access control,
and CGI utilities used by the console.

$ rpm -qi fedora-ds-base
Name        : fedora-ds-base               Relocations: (not relocatable)
Version     : 1.2.0                             Vendor: Fedora Project
Release     : 2.fc10                        Build Date: Thu 02 Apr 2009 07:21:57 AM PDT
Install Date: Thu 09 Apr 2009 03:37:43 PM PDT      Build Host: xenbuilder4.fedora.phx.redhat.com
Group       : System Environment/Daemons    Source RPM: fedora-ds-base-1.2.0-2.fc10.src.rpm
Size        : 5007672                          License: GPLv2 with exceptions
Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:30 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org/
Summary     : Fedora Directory Server (base)
Description :
Fedora Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.
$ rpm -qi jss
Name        : jss                          Relocations: (not relocatable)
Version     : 4.2.5                             Vendor: Fedora Project
Release     : 3.fc10                        Build Date: Tue 05 Aug 2008 08:16:36 AM PDT
Install Date: Tue 07 Apr 2009 12:54:01 PM PDT      Build Host: x86-1
Group       : System Environment/Libraries  Source RPM: jss-4.2.5-3.fc10.src.rpm
Size        : 973803                           License: MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : DSA/SHA1, Tue 28 Oct 2008 04:23:59 PM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://www.mozilla.org/projects/security/pki/jss/
Summary     : Java Security Services (JSS)
Description :
Java Security Services (JSS) is a java native interface which provides a bridge
for java-based applications to use native Network Security Services (NSS).
This only works with gcj. Other JREs require that JCE providers be signed.

$ rpm -qi idm-console-framework
Name        : idm-console-framework        Relocations: (not relocatable)
Version     : 1.1.3                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Tue 31 Mar 2009 02:06:17 PM PDT
Install Date: Thu 09 Apr 2009 05:51:30 PM PDT      Build Host: ppc2.fedora.redhat.com
Group       : System Environment/Libraries  Source RPM: idm-console-framework-1.1.3-1.fc10.src.rpm
Size        : 1229453                          License: LGPLv2
Signature   : DSA/SHA1, Wed 01 Apr 2009 07:14:26 PM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Identity Management Console Framework
Description :
A Java Management Console framework used for remote server management.
$ rpm -qi fedora-idm-console
Name        : fedora-idm-console           Relocations: (not relocatable)
Version     : 1.1.3                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Tue 31 Mar 2009 02:57:19 PM PDT
Install Date: Thu 09 Apr 2009 05:50:18 PM PDT      Build Host: x86-2.fedora.phx.redhat.com
Group       : Applications/System           Source RPM: fedora-idm-console-1.1.3-1.fc10.src.rpm
Size        : 58328                            License: LGPLv2
Signature   : DSA/SHA1, Wed 01 Apr 2009 07:14:18 PM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Fedora Management Console
Description :
A Java based remote management console used for Managing Fedora
Administration Server and Fedora Directory Server.

$ rpm -qi fedora-ds-console
Name        : fedora-ds-console            Relocations: (not relocatable)
Version     : 1.2.0                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Wed 01 Apr 2009 10:05:11 AM PDT
Install Date: Thu 09 Apr 2009 05:52:30 PM PDT      Build Host: xenbuilder4.fedora.phx.redhat.com
Group       : Applications/System           Source RPM: fedora-ds-console-1.2.0-1.fc10.src.rpm
Size        : 1730554                          License: GPLv2
Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:31 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Fedora Directory Server Management Console
Description :
A Java based remote management console used for Managing Fedora
Directory Server.
$ rpm -qi fedora-ds-admin-console
Name        : fedora-ds-admin-console      Relocations: (not relocatable)
Version     : 1.1.3                             Vendor: Fedora Project
Release     : 1.fc10                        Build Date: Wed 01 Apr 2009 10:07:38 AM PDT
Install Date: Thu 09 Apr 2009 11:40:34 AM PDT      Build Host: x86-5.fedora.phx.redhat.com
Group       : Applications/System           Source RPM: fedora-ds-admin-console-1.1.3-1.fc10.src.rpm
Size        : 327034                           License: GPLv2
Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:29 AM PDT, Key ID bf226fcc4ebfc273
Packager    : Fedora Project
URL         : http://directory.fedoraproject.org
Summary     : Fedora Admin Server Management Console
Description :
A Java based remote management console used for Managing Fedora
Admin Server.

-----Original Message-----
>From: Rich Megginson
>Sent: Apr 9, 2009 8:48 PM
>To: Fortunato , "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] Exception in thread
>
>Fortunato wrote:
>> Yum is nice but Fed10 is a moving target. This is on a VM.
>>
>I'm not sure what you mean, but you do not have up-to-date packages.
>That's likely the problem.
>> >> >>> rpm -qi fedora-idm-console >>> >> >> # rpm -qi fedora-idm-console >> Name : fedora-idm-console Relocations: (not relocatable) >> Version : 1.1.1 Vendor: Fedora Project >> Release : 2.fc9 Build Date: Wed 16 Apr 2008 07:30:06 AM PDT >> Install Date: Tue 07 Apr 2009 01:25:39 PM PDT Build Host: xenbuilder2.fedora.redhat.com >> Group : Applications/System Source RPM: fedora-idm-console-1.1.1-2.fc9.src.rpm >> Size : 58324 License: LGPLv2 >> Signature : DSA/SHA1, Tue 28 Oct 2008 11:10:29 AM PDT, Key ID bf226fcc4ebfc273 >> Packager : Fedora Project >> URL : http://directory.fedoraproject.org >> Summary : Fedora Management Console >> Description : >> A Java based remote management console used for Managing Fedora >> Administration Server and Fedora Directory Server. >> >> >>> rpm -qi fedora-ds-console >>> >> >> # rpm -qi fedora-ds-console >> Name : fedora-ds-console Relocations: (not relocatable) >> Version : 1.1.2 Vendor: Fedora Project >> Release : 2.fc8 Build Date: Thu 04 Sep 2008 09:08:06 AM PDT >> Install Date: Thu 09 Apr 2009 02:10:25 PM PDT Build Host: x86-7.fedora.phx.redhat.com >> Group : Applications/System Source RPM: fedora-ds-console-1.1.2-2.fc8.src.rpm >> Size : 1705889 License: GPLv2 >> Signature : DSA/SHA1, Wed 10 Sep 2008 12:27:02 PM PDT, Key ID 62aec3dc6df2196f >> Packager : Fedora Project >> URL : http://directory.fedoraproject.org >> Summary : Fedora Directory Server Management Console >> Description : >> A Java based remote management console used for Managing Fedora >> Directory Server. 
>> >> >>> rpm -qi fedora-ds-admin-console >>> >> >> # rpm -qi fedora-ds-admin-console >> Name : fedora-ds-admin-console Relocations: (not relocatable) >> Version : 1.1.3 Vendor: Fedora Project >> Release : 1.fc10 Build Date: Wed 01 Apr 2009 10:07:38 AM PDT >> Install Date: Thu 09 Apr 2009 11:40:34 AM PDT Build Host: x86-5.fedora.phx.redhat.com >> Group : Applications/System Source RPM: fedora-ds-admin-console-1.1.3-1.fc10.src.rpm >> Size : 327034 License: GPLv2 >> Signature : DSA/SHA1, Mon 06 Apr 2009 09:57:29 AM PDT, Key ID bf226fcc4ebfc273 >> Packager : Fedora Project >> URL : http://directory.fedoraproject.org >> Summary : Fedora Admin Server Management Console >> Description : >> A Java based remote management console used for Managing Fedora >> Admin Server. >> >> >>> I have an up to date F10 system - I could not reproduce this problem. >>> >>>> -----Original Message----- >>>> >>>> >>>>> From: Rich Megginson >>>>> Sent: Apr 9, 2009 7:02 PM >>>>> To: Fortunato , "General discussion list for the Fedora Directory server project." >>>>> Subject: Re: [Fedora-directory-users] Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException >>>>> >>>>> Fortunato wrote: >>>>> >>>>> >>>>>> Hello all, >>>>>> >>>>>> I'll assume this has already been addressed, so a pointer to a good solution to try would help. But if not, here's my prob. >>>>>> >>>>>> I just got Fedora 10 with ds-base installed: >>>>>> >>>>>> yum info fedora-ds-base >>>>>> Loaded plugins: refresh-packagekit >>>>>> Installed Packages >>>>>> Name : fedora-ds-base >>>>>> Arch : i386 >>>>>> Version : 1.1.3 >>>>>> Release : 6.fc10 >>>>>> Size : 4.6 M >>>>>> >>>>>> And everything looks great: >>>>>> >>>>>> >>>>>> >>>>> Was this a fresh install or an upgrade? If an upgrade, did you first >>>>> run setup-ds-admin.pl -u? >>>>> >>>>> >>>>>> #/usr/bin/fedora-idm-console -a http://localhost:9830 >>>>>> >>>>>> Until I try to Open the Directory Server tree with the following errors.... 
>>>>>> >>>>>> Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException >>>>>> ... >>>>>> >>>>>> I've read something about an OpenJDK 1.5.0 versioning problem, but I can't seem to find anything earlier than OpenJDK 1.6.0 ... >>>>>> >>>>>> >>>>>> >>>>> java -version >>>>> >>>>> >>>>>> Any ideas? >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > From dpartridge at tangible.net Fri Apr 10 01:41:21 2009 From: dpartridge at tangible.net (David Partridge) Date: Thu, 9 Apr 2009 21:41:21 -0400 Subject: [Fedora-directory-users] Proposed new features for 1.3 Message-ID: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> Would like to see additional monitoring flexibility for snmp - when configuring multiple ds instances with same port on single multihomed host monitoring information is agregated by port in the monitoring not by instance and port. Please provide more information on deprecation of certmap.conf. Need flexibility to not rely on dn in cert mapping to anything in directory and rely on successful tls mutual authentication and truststore configuration. Script to provide index analysis based on data in the directory to provide the following info: Search performance efficiency of index and index type based on return limits, and scanidslistlimit. Compressed ldif(gzip) capability for export, import, and initialization usage. Dave Partridge Sent from my Windows Mobile? phone. 
-----Original Message-----
From: Rich Megginson
Sent: Thursday, April 09, 2009 7:23 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Proposed new features for 1.3

Andrey Ivanov wrote:
> I continue with my list
Thanks - I've added many of these to the list - questions below.
>
> * the server should be able to return the members of dynamic groups
> "on the fly" as if it were real members, the membership attribute
> should be configurable - uniqueMember, member or another
I put this on the Future list:
Dynamic group expansion
* Define a dynamic group, and have the member/uniqueMember attribute of this group automatically be populated by the server
* clients can then just search for member like with a regular static posix group
>
> * support of other virtual attributes generated "on the fly"
Can you explain this a little more?
>
> * pam passthrough plug-in should take into account at least the
> account activation/deactivation (bug 470684). There is a
> comment about some additional useful features in the README file of
> this plug-in :
> We need to worry about account expiration or lockout e.g. the user's
> credentials are valid but the user has been locked out of his/her
> account, or the password has expired, or something like that. Some of
> this can be handled by LDAP e.g. returning password policy control
> values when the password has expired.
>
> * a way to synchronise the configuration of indexes (each time we add
> an index on one of the replicated servers we need to make it manually
> on all the others) and some other parameters in "cn=config" between
> the replicated servers (a little like the "configuration" partition
> in active directory), the schema changes are already replicated which
> is very good
I'm calling this feature "Configuration replication" - I think it could be useful for other sorts of configuration.
>
> * enforced attribute syntax validation
Already on the list - Syntax validation checking
>
> * re-verify and validate conformance of the syntaxes, case sensitivity
> and their matching rules to RFC
> (https://www.redhat.com/archives/fedora-directory-users/2008-July/msg00041.html)
Already on the list
> * unix socket autobind still does not seem to work (ldapi) -
> https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html.
> It could be very useful for various maintenance scripts running on the
> server.
We tested this with 1.2.0 and it seems to work. You tested a build from source? Did you use --enable-autobind with configure? Did you restart the server after configuring your autobind and sasl mapping?
>
> * verification of the server from the viewpoint of memory leaks. The
> size of the memory used by the server grows with time (normally we
> don't restart the server during several months, so i can follow the stats)
We regularly run the server test suite with valgrind enabled. I'm not aware of any per connection or per operation leaks. What exactly are you seeing?
>
> * logconv.pl - very useful script, add some more options/ adjustments
> (for example, a switch to hide unindexed searches in verbose mode). We
> use it as logwatch.
>
> * a perl script to show the replication statistics (there is one for
> the web page generation statistics, something more basic, text-only
> would be very welcome) in text mode - to receive the reports by mail
> once per day like logwatch for example
What sort of information are you looking for? ldapsearch can provide most of the useful information.
>
> * regular expressions in ACIs (i know, it is very difficult to do, so
> maybe somewhere in the timescale of the version 10.0 ? :)) - for
> example, allow a user to add or modify a value just in case the new
> value matches the regex. Or the group or dn of the user matches the
> regex...
You can do some of that currently with targetattrfilters - see http://tinyurl.com/3yo88r
We added support in 1.2.0 to allow you to specify group membership with LDAP search specifications, which does allow some wildcarding, so that might help too.
>
> * simplify the creation of new syntaxes and their validation/
> enforcement (version 11.0? :))
Can you elaborate?
>
> * virtual views allowing to map not only the trees but also the
> attributes ('cn' instead of 'uid' in a subtree, for example)
Can you elaborate?
>
> * enable regex in certmap.conf for mapping the CNs of the certificates
> during the certificate authentication of users
This is on the list as Get rid of certmap.conf - use SASL mapping (cert auth is really just SASL/EXTERNAL). The sasl mapping code uses regular expressions
>
> Other than that i just want to emphasize the great job you are doing
> adding new features and especially the fantastic reactivity in fixing
> some critical server bugs (usually it takes only one or two days to
> have the necessary diff in bugzilla!)
>
> Thank you and please continue the development of this directory server!
And thank you for your suggestions.
>
> > Thanks - I've added these notes to
> > http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3
> >
> > Anyone else? C'mon - surely you have an opinion about a new
> > feature.
>
> Thanks for all your hard work on this!
>
> ------------------------------------------------------------------------
>

This e-mail and any attachment is intended for the above-named recipient(s) only and may contain confidential or privileged information. If you are not an intended recipient, please notify the sender and delete the message. Failure to maintain the confidentiality of this e-mail and any attachment may subject you to penalties under applicable law.
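The certmap.conf question David raises above, and Rich's answer in this thread (cert auth is SASL/EXTERNAL, so the subject DN of the client certificate goes through the SASL mapping's regular expressions instead of certmap.conf), both come down to one mechanism: a regex is run against the subject DN, its capture groups fill a base DN template and a search filter template, and the bind is accepted only when that search returns exactly one entry. The Python below is an added model of that step; it is not Fedora DS code and not anything posted on the list. The attribute names nsSaslMapRegexString, nsSaslMapBaseDNTemplate and nsSaslMapFilterTemplate named in the comments are the server's own, but the matching rule (first regex that matches decides), the RFC 4515 escaping of captured values, the in-memory directory, the sample mappings and the subject DNs are all this example's constructions and assumptions.

```python
"""Model of SASL/EXTERNAL identity mapping: cert subjectDN -> directory entry.

Added example, not Fedora/389 DS code. The three mapping fields mirror the
server's nsSaslMapRegexString / nsSaslMapBaseDNTemplate /
nsSaslMapFilterTemplate attributes; the matching, escaping and search rules
and all sample data below are assumptions of this model.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed in-memory directory (DN -> attributes); sample data only.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=scarter,ou=people,dc=example,dc=com": {"uid": ["scarter"], "cn": ["Sam Carter"]},
    "uid=tmorris,ou=people,dc=example,dc=com": {"uid": ["tmorris"], "cn": ["Ted Morris"]},
    "cn=ldap1.example.com,ou=hosts,dc=example,dc=com": {"cn": ["ldap1.example.com"]},
    "cn=ldap1.example.com,ou=retired,dc=example,dc=com": {"cn": ["ldap1.example.com"]},
}


@dataclass
class SaslMapping:
    name: str
    regex: str             # nsSaslMapRegexString: run against the SASL identity
    base_dn_template: str  # nsSaslMapBaseDNTemplate: search base, \1.. substituted
    filter_template: str   # nsSaslMapFilterTemplate: LDAP filter, \1.. substituted


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value captured from the subject must not alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(template: str, match: "re.Match", escape: bool) -> str:
    """Replace \\N back-references in a template with the regex capture groups."""
    def repl(m: "re.Match") -> str:
        group = match.group(int(m.group(1)))
        return escape_filter_value(group) if escape else group
    return re.sub(r"\\(\d+)", repl, template)


def matches(filter_str: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a minimal filter: (attr=value) or (&(f1)(f2)...)."""
    if filter_str.startswith("(&"):
        return all(matches(p, entry) for p in re.findall(r"\([^()]*\)", filter_str[2:-1]))
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    wanted = unescape_filter_value(m.group(2)).lower()
    return any(v.lower() == wanted for v in entry.get(m.group(1), []))


def search(base_dn: str, filter_str: str) -> List[str]:
    """Subtree search under base_dn (DNs compared case-insensitively)."""
    base = base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(filter_str, attrs)]


def map_identity(identity: str, mappings: List[SaslMapping]) -> Tuple[Optional[str], str]:
    """Return (dn, reason). Model rule: the first mapping whose regex matches decides,
    and it must resolve to exactly one entry, otherwise the bind is refused."""
    for mp in mappings:
        m = re.search(mp.regex, identity, re.IGNORECASE)
        if not m:
            continue
        base = expand(mp.base_dn_template, m, escape=False)
        flt = expand(mp.filter_template, m, escape=True)
        hits = search(base, flt)
        if len(hits) == 1:
            return hits[0], "mapped by '%s' via %s under %s" % (mp.name, flt, base)
        return None, "'%s' matched %d entries, need exactly 1" % (mp.name, len(hits))
    return None, "no mapping rule matched the identity"


def authenticate_external(subject_dn: str,
                          mappings: Optional[List[SaslMapping]] = None) -> Optional[str]:
    """TLS client auth has already verified the chain; this step decides who bound.
    Returns the bound DN, or None when the identity cannot be tied to one entry."""
    dn, _reason = map_identity(subject_dn, mappings if mappings is not None else MAPPINGS)
    return dn


# Constructed mappings. The hosts rule in MAPPINGS searches the whole suffix,
# which is too broad for this directory; STRICT_MAPPINGS narrows it to ou=hosts.
MAPPINGS = [
    SaslMapping("people", r"^uid=([^,]+),ou=people,dc=example,dc=com$",
                "ou=people,dc=example,dc=com", r"(uid=\1)"),
    SaslMapping("hosts", r"^CN=([^,]+),OU=Hosts,O=Example Corp$",
                "dc=example,dc=com", r"(cn=\1)"),
]
STRICT_MAPPINGS = [MAPPINGS[0], SaslMapping("hosts", MAPPINGS[1].regex,
                                            "ou=hosts,dc=example,dc=com", r"(cn=\1)")]

if __name__ == "__main__":
    for subject in ["uid=scarter,ou=people,dc=example,dc=com",
                    "uid=nobody,ou=people,dc=example,dc=com",        # trusted CA, no entry
                    "CN=ldap1.example.com,OU=Hosts,O=Example Corp",  # ambiguous under broad base
                    "uid=*,ou=people,dc=example,dc=com"]:            # wildcard in subject
        print(subject, "->", map_identity(subject, MAPPINGS))
```

Running the file prints the decision for four constructed subjects: a user with an entry binds as that entry; a certificate that chains to the trusted CA but names nobody in the directory is refused, which is the behaviour David's "rely on successful tls mutual authentication" wish would remove and Rich's question about needing a real entry is getting at; a host certificate whose mapping searches the whole suffix hits two entries and is refused as ambiguous until the base DN is narrowed as in STRICT_MAPPINGS; and a subject carrying a filter metacharacter is escaped before substitution, so it can only ever match an entry whose attribute literally contains that character.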
From rmeggins at redhat.com Fri Apr 10 03:37:42 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Apr 2009 21:37:42 -0600
Subject: [Fedora-directory-users] Exception in thread
In-Reply-To: <23353299.1239325584279.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
References: <23353299.1239325584279.JavaMail.root@mswamui-billy.atl.sa.earthlink.net>
Message-ID: <49DEBF06.50201@redhat.com>

Fortunato wrote:
> I just installed fedora-ds-base about 6 days ago using yum and it was at version 1.1.3 - it's now (today) at 1.2.0.
>
> I just updated the packages:
>
These are the versions I expect to see if your system is up to date. However, if you have already run setup-ds-admin.pl, then did the update and updated these packages, you will have to run setup-ds-admin.pl -u to update your configuration so the console will work properly.
> $ rpm -qi fedora-ds-admin
> Name        : fedora-ds-admin             Relocations: (not relocatable)
> Version     : 1.1.7                       Vendor: Fedora Project
> Release     : 3.fc10                      Build Date: Wed 08 Apr 2009 06:15:40 PM PDT
> Install Date: Thu 09 Apr 2009 05:49:36 PM PDT    Build Host: x86-6.fedora.phx.redhat.com
> Group       : System Environment/Daemons  Source RPM: fedora-ds-admin-1.1.7-3.fc10.src.rpm
> Size        : 1073278                     License: GPLv2
> Signature   : DSA/SHA1, Thu 09 Apr 2009 05:10:15 AM PDT, Key ID bf226fcc4ebfc273
> Packager    : Fedora Project
> URL         : http://directory.fedoraproject.org/
> Summary     : Fedora Administration Server (admin)
> Description :
> Fedora Administration Server is an HTTP agent that provides management features
> for Fedora Directory Server. It provides some management web apps that can
> be used through a web browser. It provides the authentication, access control,
> and CGI utilities used by the console.
>
> $ rpm -qi fedora-ds-base
> Name        : fedora-ds-base              Relocations: (not relocatable)
> Version     : 1.2.0                       Vendor: Fedora Project
> Release     : 2.fc10                      Build Date: Thu 02 Apr 2009 07:21:57 AM PDT
> Install Date: Thu 09 Apr 2009 03:37:43 PM PDT    Build Host: xenbuilder4.fedora.phx.redhat.com
> Group       : System Environment/Daemons  Source RPM: fedora-ds-base-1.2.0-2.fc10.src.rpm
> Size        : 5007672                     License: GPLv2 with exceptions
> Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:30 AM PDT, Key ID bf226fcc4ebfc273
> Packager    : Fedora Project
> URL         : http://directory.fedoraproject.org/
> Summary     : Fedora Directory Server (base)
> Description :
> Fedora Directory Server is an LDAPv3 compliant server. The base package includes
> the LDAP server and command line utilities for server administration.
>
> $ rpm -qi jss
> Name        : jss                         Relocations: (not relocatable)
> Version     : 4.2.5                       Vendor: Fedora Project
> Release     : 3.fc10                      Build Date: Tue 05 Aug 2008 08:16:36 AM PDT
> Install Date: Tue 07 Apr 2009 12:54:01 PM PDT    Build Host: x86-1
> Group       : System Environment/Libraries    Source RPM: jss-4.2.5-3.fc10.src.rpm
> Size        : 973803                      License: MPLv1.1 or GPLv2+ or LGPLv2+
> Signature   : DSA/SHA1, Tue 28 Oct 2008 04:23:59 PM PDT, Key ID bf226fcc4ebfc273
> Packager    : Fedora Project
> URL         : http://www.mozilla.org/projects/security/pki/jss/
> Summary     : Java Security Services (JSS)
> Description :
> Java Security Services (JSS) is a java native interface which provides a bridge
> for java-based applications to use native Network Security Services (NSS).
> This only works with gcj. Other JREs require that JCE providers be signed.
>
> $ rpm -qi idm-console-framework
> Name        : idm-console-framework       Relocations: (not relocatable)
> Version     : 1.1.3                       Vendor: Fedora Project
> Release     : 1.fc10                      Build Date: Tue 31 Mar 2009 02:06:17 PM PDT
> Install Date: Thu 09 Apr 2009 05:51:30 PM PDT    Build Host: ppc2.fedora.redhat.com
> Group       : System Environment/Libraries    Source RPM: idm-console-framework-1.1.3-1.fc10.src.rpm
> Size        : 1229453                     License: LGPLv2
> Signature   : DSA/SHA1, Wed 01 Apr 2009 07:14:26 PM PDT, Key ID bf226fcc4ebfc273
> Packager    : Fedora Project
> URL         : http://directory.fedoraproject.org
> Summary     : Identity Management Console Framework
> Description :
> A Java Management Console framework used for remote server management.
>
> $ rpm -qi fedora-idm-console
> Name        : fedora-idm-console          Relocations: (not relocatable)
> Version     : 1.1.3                       Vendor: Fedora Project
> Release     : 1.fc10                      Build Date: Tue 31 Mar 2009 02:57:19 PM PDT
> Install Date: Thu 09 Apr 2009 05:50:18 PM PDT    Build Host: x86-2.fedora.phx.redhat.com
> Group       : Applications/System         Source RPM: fedora-idm-console-1.1.3-1.fc10.src.rpm
> Size        : 58328                       License: LGPLv2
> Signature   : DSA/SHA1, Wed 01 Apr 2009 07:14:18 PM PDT, Key ID bf226fcc4ebfc273
> Packager    : Fedora Project
> URL         : http://directory.fedoraproject.org
> Summary     : Fedora Management Console
> Description :
> A Java based remote management console used for Managing Fedora
> Administration Server and Fedora Directory Server.
>
> $ rpm -qi fedora-ds-console
> Name        : fedora-ds-console           Relocations: (not relocatable)
> Version     : 1.2.0                       Vendor: Fedora Project
> Release     : 1.fc10                      Build Date: Wed 01 Apr 2009 10:05:11 AM PDT
> Install Date: Thu 09 Apr 2009 05:52:30 PM PDT    Build Host: xenbuilder4.fedora.phx.redhat.com
> Group       : Applications/System         Source RPM: fedora-ds-console-1.2.0-1.fc10.src.rpm
> Size        : 1730554                     License: GPLv2
> Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:31 AM PDT, Key ID bf226fcc4ebfc273
> Packager    : Fedora Project
> URL         : http://directory.fedoraproject.org
> Summary     : Fedora Directory Server Management Console
> Description :
> A Java based remote management console used for Managing Fedora
> Directory Server.
>
> $ rpm -qi fedora-ds-admin-console
> Name        : fedora-ds-admin-console     Relocations: (not relocatable)
> Version     : 1.1.3                       Vendor: Fedora Project
> Release     : 1.fc10                      Build Date: Wed 01 Apr 2009 10:07:38 AM PDT
> Install Date: Thu 09 Apr 2009 11:40:34 AM PDT    Build Host: x86-5.fedora.phx.redhat.com
> Group       : Applications/System         Source RPM: fedora-ds-admin-console-1.1.3-1.fc10.src.rpm
> Size        : 327034                      License: GPLv2
> Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:29 AM PDT, Key ID bf226fcc4ebfc273
> Packager    : Fedora Project
> URL         : http://directory.fedoraproject.org
> Summary     : Fedora Admin Server Management Console
> Description :
> A Java based remote management console used for Managing Fedora
> Admin Server.
>
> -----Original Message-----
>
>> From: Rich Megginson
>> Sent: Apr 9, 2009 8:48 PM
>> To: Fortunato , "General discussion list for the Fedora Directory server project."
>> Subject: Re: [Fedora-directory-users] Exception in thread
>>
>> Fortunato wrote:
>>
>>> Yum is nice but Fed10 is a moving target. This is on a VM.
>>>
>> I'm not sure what you mean, but you do not have up-to-date packages.
>> That's likely the problem.
>>
>>> Inline...
>>>
>>> -----Original Message-----
>>>
>>>> From: Rich Megginson
>>>> Sent: Apr 9, 2009 7:36 PM
>>>> To: Fortunato , "General discussion list for the Fedora Directory server project."
>>>> Subject: Re: [Fedora-directory-users] Exception in thread
>>>>
>>>> Fortunato wrote:
>>>>
>>>>> This is a fresh install.
>>>>>
>>>>> Here's the java info:
>>>>>
>>>>> # java -version
>>>>> java version "1.6.0_0"
>>>>> IcedTea6 1.4 (fedora-15.b14.fc10-i386) Runtime Environment (build 1.6.0_0-b14)
>>>>> OpenJDK Client VM (build 14.0-b08, mixed mode)
>>>>>
>>>> That looks correct. Can you confirm the version of the following packages:
>>>> rpm -qi fedora-ds-admin
>>>>
>>> # rpm -qi fedora-ds-admin
>>> Name        : fedora-ds-admin             Relocations: (not relocatable)
>>> Version     : 1.1.6                       Vendor: Fedora Project
>>> Release     : 2.fc10                      Build Date: Mon 15 Sep 2008 10:53:21 AM PDT
>>> Install Date: Tue 07 Apr 2009 01:24:03 PM PDT    Build Host: x86-2.fedora.phx.redhat.com
>>> Group       : System Environment/Daemons  Source RPM: fedora-ds-admin-1.1.6-2.fc10.src.rpm
>>> Size        : 1051306                     License: GPLv2
>>> Signature   : DSA/SHA1, Tue 28 Oct 2008 11:10:23 AM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org/
>>> Summary     : Fedora Administration Server (admin)
>>> Description :
>>> Fedora Administration Server is an HTTP agent that provides management features
>>> for Fedora Directory Server. It provides some management web apps that can
>>> be used through a web browser. It provides the authentication, access control,
>>> and CGI utilities used by the console.
>>>
>>>> rpm -qi fedora-ds-base
>>>>
>>> # rpm -qi fedora-ds-base
>>> Name        : fedora-ds-base              Relocations: (not relocatable)
>>> Version     : 1.2.0                       Vendor: Fedora Project
>>> Release     : 2.fc10                      Build Date: Thu 02 Apr 2009 07:21:57 AM PDT
>>> Install Date: Thu 09 Apr 2009 03:37:43 PM PDT    Build Host: xenbuilder4.fedora.phx.redhat.com
>>> Group       : System Environment/Daemons  Source RPM: fedora-ds-base-1.2.0-2.fc10.src.rpm
>>> Size        : 5007672                     License: GPLv2 with exceptions
>>> Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:30 AM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org/
>>> Summary     : Fedora Directory Server (base)
>>> Description :
>>> Fedora Directory Server is an LDAPv3 compliant server. The base package includes
>>> the LDAP server and command line utilities for server administration.
>>>
>>>> rpm -qi jss
>>>>
>>> # rpm -qi jss
>>> Name        : jss                         Relocations: (not relocatable)
>>> Version     : 4.2.5                       Vendor: Fedora Project
>>> Release     : 3.fc10                      Build Date: Tue 05 Aug 2008 08:16:36 AM PDT
>>> Install Date: Tue 07 Apr 2009 12:54:01 PM PDT    Build Host: x86-1
>>> Group       : System Environment/Libraries    Source RPM: jss-4.2.5-3.fc10.src.rpm
>>> Size        : 973803                      License: MPLv1.1 or GPLv2+ or LGPLv2+
>>> Signature   : DSA/SHA1, Tue 28 Oct 2008 04:23:59 PM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://www.mozilla.org/projects/security/pki/jss/
>>> Summary     : Java Security Services (JSS)
>>> Description :
>>> Java Security Services (JSS) is a java native interface which provides a bridge
>>> for java-based applications to use native Network Security Services (NSS).
>>> This only works with gcj. Other JREs require that JCE providers be signed.
>>>
>>> # rpm -qi fedora-idm-console
>>> Name        : fedora-idm-console          Relocations: (not relocatable)
>>> Version     : 1.1.1                       Vendor: Fedora Project
>>> Release     : 2.fc9                       Build Date: Wed 16 Apr 2008 07:30:06 AM PDT
>>> Install Date: Tue 07 Apr 2009 01:25:39 PM PDT    Build Host: xenbuilder2.fedora.redhat.com
>>> Group       : Applications/System         Source RPM: fedora-idm-console-1.1.1-2.fc9.src.rpm
>>> Size        : 58324                       License: LGPLv2
>>> Signature   : DSA/SHA1, Tue 28 Oct 2008 11:10:29 AM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org
>>> Summary     : Fedora Management Console
>>> Description :
>>> A Java based remote management console used for Managing Fedora
>>> Administration Server and Fedora Directory Server.
>>>
>>> # rpm -qi fedora-ds-admin-console
>>> Name        : fedora-ds-admin-console     Relocations: (not relocatable)
>>> Version     : 1.1.3                       Vendor: Fedora Project
>>> Release     : 1.fc10                      Build Date: Wed 01 Apr 2009 10:07:38 AM PDT
>>> Install Date: Thu 09 Apr 2009 11:40:34 AM PDT    Build Host: x86-5.fedora.phx.redhat.com
>>> Group       : Applications/System         Source RPM: fedora-ds-admin-console-1.1.3-1.fc10.src.rpm
>>> Size        : 327034                      License: GPLv2
>>> Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:29 AM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org
>>> Summary     : Fedora Admin Server Management Console
>>> Description :
>>> A Java based remote management console used for Managing Fedora
>>> Admin Server.
>>>
>>>> rpm -qi idm-console-framework
>>>>
>>> # rpm -qi idm-console-framework
>>> Name        : idm-console-framework       Relocations: (not relocatable)
>>> Version     : 1.1.2                       Vendor: Fedora Project
>>> Release     : 1.fc10                      Build Date: Thu 04 Sep 2008 08:24:30 AM PDT
>>> Install Date: Tue 07 Apr 2009 01:25:38 PM PDT    Build Host: x86-6.fedora.phx.redhat.com
>>> Group       : System Environment/Libraries    Source RPM: idm-console-framework-1.1.2-1.fc10.src.rpm
>>> Size        : 1227677                     License: LGPLv2
>>> Signature   : DSA/SHA1, Tue 28 Oct 2008 04:08:53 PM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org
>>> Summary     : Identity Management Console Framework
>>> Description :
>>> A Java Management Console framework used for remote server management.
>>>
>>>> rpm -qi fedora-idm-console
>>>>
>>> # rpm -qi fedora-idm-console
>>> Name        : fedora-idm-console          Relocations: (not relocatable)
>>> Version     : 1.1.1                       Vendor: Fedora Project
>>> Release     : 2.fc9                       Build Date: Wed 16 Apr 2008 07:30:06 AM PDT
>>> Install Date: Tue 07 Apr 2009 01:25:39 PM PDT    Build Host: xenbuilder2.fedora.redhat.com
>>> Group       : Applications/System         Source RPM: fedora-idm-console-1.1.1-2.fc9.src.rpm
>>> Size        : 58324                       License: LGPLv2
>>> Signature   : DSA/SHA1, Tue 28 Oct 2008 11:10:29 AM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org
>>> Summary     : Fedora Management Console
>>> Description :
>>> A Java based remote management console used for Managing Fedora
>>> Administration Server and Fedora Directory Server.
>>>
>>>> rpm -qi fedora-ds-console
>>>>
>>> # rpm -qi fedora-ds-console
>>> Name        : fedora-ds-console           Relocations: (not relocatable)
>>> Version     : 1.1.2                       Vendor: Fedora Project
>>> Release     : 2.fc8                       Build Date: Thu 04 Sep 2008 09:08:06 AM PDT
>>> Install Date: Thu 09 Apr 2009 02:10:25 PM PDT    Build Host: x86-7.fedora.phx.redhat.com
>>> Group       : Applications/System         Source RPM: fedora-ds-console-1.1.2-2.fc8.src.rpm
>>> Size        : 1705889                     License: GPLv2
>>> Signature   : DSA/SHA1, Wed 10 Sep 2008 12:27:02 PM PDT, Key ID 62aec3dc6df2196f
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org
>>> Summary     : Fedora Directory Server Management Console
>>> Description :
>>> A Java based remote management console used for Managing Fedora
>>> Directory Server.
>>>
>>>> rpm -qi fedora-ds-admin-console
>>>>
>>> # rpm -qi fedora-ds-admin-console
>>> Name        : fedora-ds-admin-console     Relocations: (not relocatable)
>>> Version     : 1.1.3                       Vendor: Fedora Project
>>> Release     : 1.fc10                      Build Date: Wed 01 Apr 2009 10:07:38 AM PDT
>>> Install Date: Thu 09 Apr 2009 11:40:34 AM PDT    Build Host: x86-5.fedora.phx.redhat.com
>>> Group       : Applications/System         Source RPM: fedora-ds-admin-console-1.1.3-1.fc10.src.rpm
>>> Size        : 327034                      License: GPLv2
>>> Signature   : DSA/SHA1, Mon 06 Apr 2009 09:57:29 AM PDT, Key ID bf226fcc4ebfc273
>>> Packager    : Fedora Project
>>> URL         : http://directory.fedoraproject.org
>>> Summary     : Fedora Admin Server Management Console
>>> Description :
>>> A Java based remote management console used for Managing Fedora
>>> Admin Server.
>>>
>>>> I have an up to date F10 system - I could not reproduce this problem.
>>>>
>>>>> -----Original Message-----
>>>>>
>>>>>> From: Rich Megginson
>>>>>> Sent: Apr 9, 2009 7:02 PM
>>>>>> To: Fortunato , "General discussion list for the Fedora Directory server project."
>>>>>> Subject: Re: [Fedora-directory-users] Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
>>>>>>
>>>>>> Fortunato wrote:
>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I'll assume this has already been addressed, so a pointer to a good solution to try would help. But if not, here's my prob.
>>>>>>>
>>>>>>> I just got Fedora 10 with ds-base installed:
>>>>>>>
>>>>>>> yum info fedora-ds-base
>>>>>>> Loaded plugins: refresh-packagekit
>>>>>>> Installed Packages
>>>>>>> Name       : fedora-ds-base
>>>>>>> Arch       : i386
>>>>>>> Version    : 1.1.3
>>>>>>> Release    : 6.fc10
>>>>>>> Size       : 4.6 M
>>>>>>>
>>>>>>> And everything looks great:
>>>>>>>
>>>>>> Was this a fresh install or an upgrade? If an upgrade, did you first
>>>>>> run setup-ds-admin.pl -u?
>>>>>>
>>>>>>> #/usr/bin/fedora-idm-console -a http://localhost:9830
>>>>>>>
>>>>>>> Until I try to Open the Directory Server tree with the following errors....
>>>>>>>
>>>>>>> Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException
>>>>>>> ...
>>>>>>>
>>>>>>> I've read something about an OpenJDK 1.5.0 versioning problem, but I can't seem to find anything earlier than OpenJDK 1.6.0 ...
>>>>>>>
>>>>>> java -version
>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>
>

From rmeggins at redhat.com Fri Apr 10 03:46:50 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Apr 2009 21:46:50 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com>
References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com>
Message-ID: <49DEC12A.6090704@redhat.com>

David Partridge wrote:
> Would like to see additional monitoring flexibility for snmp - when configuring multiple ds instances with same port on single multihomed host monitoring information is aggregated by port in the monitoring not by instance and port.
>
> Please provide more information on deprecation of certmap.conf.
We would instead use the SASL mapping functionality to map the subjectDN in the cert to a DN that the DS knows about. The SASL mapping code is much more powerful and flexible than the certmap.conf code. http://tinyurl.com/cqe42v
> Need flexibility to not rely on dn in cert mapping to anything in directory and rely on successful tls mutual authentication and truststore configuration.
> I'm not sure I understand - do you want the ability to do cert auth without having to have a real entry in the directory server that corresponds to the subjectDN? > Script to provide index analysis based on data in the directory to provide the following info: > Search performance efficiency of index and index type based on return limits, and scanidslistlimit. > > Compressed ldif(gzip) capability for export, import, and initialization usage. > Ok - Thanks - this is all good stuff. > > Dave Partridge > Sent from my Windows Mobile® phone. > > -----Original Message----- > From: Rich Megginson > Sent: Thursday, April 09, 2009 7:23 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Proposed new features for 1.3 > > Andrey Ivanov wrote: > >> I continue with my list >> > Thanks - I've added many of these to the list - questions below. > >> * the server should be able to return the members of dynamic groups >> "on the fly" as if it were real members, the membership attribute >> should be configurable - uniqueMember, member or another >> > I put this on the Future list: > Dynamic group expansion > > * Define a dynamic group, and have the member/uniqueMember attribute > of this group automatically be populated by the server > * clients can then just search for member like with a regular static > posix group > > > >> * support of other virtual attributes generated "on the fly" >> > Can you explain this a little more? > >> * pam passthrough plug-in should take into account at least the >> account activation/deactivation (bug *470684* >> ). There is a >> comment about some additional useful features it in the README file of >> this plug-in : >> We need to worry about account expiration or lockout e.g. the user's >> credentials are valid but the user has been locked out of his/her >> account, or the password has expired, or something like that. Some of >> >> >> this can be handled by LDAP e.g.
returning password policy control >> values when the password has expired. >> >> >> * a way to synchronise the configuration of indexes (each time we add >> an index on one of the replicated servers we need to make it manually >> on all the others) and some other parameters in "cn=config" between >> the replicated servers (a little like the "configuration" partition >> in active directory), the schema changes are already replicated which >> is very good >> > I'm calling this feature "Configuration replication" - I think it could > be useful for other sorts of configuration. > >> * enforced attribute syntax validation >> > Already on the list - Syntax validation checking > >> * re-verify and validate conformance of the syntaxes, case sensitivity >> and their matching rules to RFC >> (https://www.redhat.com/archives/fedora-directory-users/2008-July/msg00041.html) >> >> > Already on the list > >> * unix socket autobind still does not seem to work (ldapi) - >> https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html. >> It could be very useful for various maintenance scripts running on the >> server. >> > We tested this with 1.2.0 and it seems to work. You tested a build from > source? Did you use --enable-autobind with configure? Did you restart > the server after configuring your autobind and sasl mapping? > >> * verification of the server from the viewpoint of memory leaks. The >> size of the memory used by the server grows with time (normally we >> don't restart the server during several months, so i can follow the stats) >> > We regularly run the server test suite with valgrind enabled. I'm not > aware of any per connection or per operation leaks. What exactly are > you seeing? > >> * logconv.pl - very useful script, add some more options/ adjustments >> (for example, a switch to hide unindexed searches in verbose mode). We >> use it as logwatch.
>> >> * a perl script to show the replication statistics (there is one for >> the web page generation statistics, something more basic, text-only >> would be very welcome) in text mode - to receive the reports by mail >> once per day like logwatch for example >> > What sort of information are you looking for? ldapsearch can provide > most of the useful information. > >> * regular expressions in ACIs (i know, it is very difficult to do, so >> maybe somewhere in the timescale of the version 10.0 ? :)) - for >> example, allow a user to add or modify a value just in case the new >> value matches the regex. Or the group or dn of the user matches the >> regex... >> > You can do some of that currently with targetattrfilters - see > *http://tinyurl.com/3yo88r > > We added support in 1.2.0 to allow you to specify group membership with > LDAP search specifications, which does allow some wildcarding, so that > might help too. > * > >> * simplify the creation of new syntaxes and their validation/ >> enforcement (version 11.0? :)) >> > Can you elaborate? > >> * virtual views allowing to map not only the trees but also the >> attributes ('cn' instead of 'uid' in a subtree, for example) >> > Can you elaborate? > >> * enable regex in certmap.conf for mapping the CNs of the certificates >> during the certificate authentication of users >> > This is on the list as > Get rid of certmap.conf - use SASL mapping (cert auth is really just > SASL/EXTERNAL) > The sasl mapping code uses regular expressions > >> >> >> Other than that i just want to emphasize the great job you are doing >> adding new features and especially the fantastic reactivity in fixing >> some critical server bugs (usually it takes only one or two days to >> have the necessary diff in bugzilla!) >> >> Thank you and please continue the development of this directory server! >> > And thank you for your suggestions.
> >> >> >> >> >> >> Thanks - I've added these notes to >> http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3 >> >> Anyone else? C'mon - surely you have an opinion about a new >> feature. >> >> >> Thanks for all your hard work on this! >> >> >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > > > > > > > > > This e-mail and any attachment is intended for the above name recipient(s) only and may contain confidential or privileged information. If you are not an intended recipient, please notify the sender and delete the message. Failure to maintain the confidentiality of this e-mail and any attachment may subject you to penalties under applicable law. > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From mrejda at kerio.com Fri Apr 10 12:32:47 2009 From: mrejda at kerio.com (Michal Rejda) Date: Fri, 10 Apr 2009 14:32:47 +0200 Subject: [Fedora-directory-users] LDAP proxy Message-ID: <0d03b175-b186-48f6-9965-727ae0838d0c@kerio.com> Hi all, I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory).
I tried two ways, but none of these works: 1) New database link to LDAP server. - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found 2) Create multiple-master replication and setup other server as consumer. - But this show error: 255 Replication error acquiring replica: unknown error. My question is: Is there a way to set up a proxy to access another LDAP server from Fedora DS? I know that it is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to set up a proxy is to use data stored in LDAP servers (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords. Thank you for your reply. Regards, Michal -------------- next part -------------- An HTML attachment was scrubbed... URL: From dpartridge at tangible.net Fri Apr 10 12:40:19 2009 From: dpartridge at tangible.net (David Partridge) Date: Fri, 10 Apr 2009 08:40:19 -0400 Subject: [Fedora-directory-users] Proposed new features for 1.3 In-Reply-To: <49DEC12A.6090704@redhat.com> References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> <49DEC12A.6090704@redhat.com> Message-ID: <2F3DC4D41FA5994686AFFC36F1D661BE01F8063E@wolverine.tangiblesoftware.com> Use case example for certmap.conf for end user: Customer has desire to share Enterprise Directory information across WAN for contact information sharing, but has requirement for strong authentication using PKI. PKI trust is a PKI Mesh utilizing cross certification. Users information in Directory Server One (DS1) are associated with users issued certificates from PKI One (PKI1). Users information in Directory Server Two (DS2) are associated with users issued certificates from PKI Two (PKI2). DS1 has no awareness or cross population of entries with DS2, but PKI1 is cross certified with PKI2 and trusted by both populations.
Users associated with PKI1 have a business requirement to strongly authenticate with DS2 to locate and collaborate with population of users in DS2, but have no entry in DS2 and vice versa. By removing current capability to strongly authenticate based on TLS configuration but have NO DN in DS you are removing capability to use SASL External in a cross certified PKI environment. User of the product will be forced to use SASL GSSAPI that causes other security issues or requirements to setup all of these Kerberos trust and ticketing handling that should not be required, difficult to sustain and place external dependencies on usage of the DS product in a federated environment as described. If directory is utilized as something OTHER than repository for people similar challenges will present themselves when certificates are issued for devices, roles, and groups. Examples include but are not limited to VOIP device address book capabilities such as CISCO VOIP phones or call managers, Potentially for extending security capability in hosts that have host based certificates that may require use of the directory for backend business processes where Certificate trust and regular expression checks of DN utilized for the TLS session may be sufficient to utilize for ACI binding rules. David M. Partridge Tangible Software Inc. dpartridge at tangiblesoftware.com > -----Original Message----- > From: Rich Megginson [mailto:rmeggins at redhat.com] > Sent: Thursday, April 09, 2009 11:47 PM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] Proposed new features for 1.3 > > David Partridge wrote: > > Would like to see additional monitoring flexibility for snmp - when > configuring multiple ds instances with same port on single multihomed host > monitoring information is aggregated by port in the monitoring not by > instance and port. > > > > Please provide more information on deprecation of certmap.conf.
> We would instead use the SASL mapping functionality to map the subjectDN > in the cert to a DN that the DS knows about. The SASL mapping code is > much more powerful and flexible than the certmap.conf code. > *http://tinyurl.com/cqe42v > * > > Need flexibility to not rely on dn in cert mapping to anything in > directory and rely on successful tls mutual authentication and truststore > configuration. > > > I'm not sure I understand - do you want the ability to do cert auth > without having to have a real entry in the directory server that > corresponds to the subjectDN? > > Script to provide index analysis based on data in the directory to > provide the following info: > > Search performance efficiency of index and index type based on return > limits, and scanidslistlimit. > > > > Compressed ldif(gzip) capability for export, import, and initialization > usage. > > > Ok - Thanks - this is all good stuff. > > > > Dave Partridge > > Sent from my Windows Mobile(r) phone. > > > > -----Original Message----- > > From: Rich Megginson > > Sent: Thursday, April 09, 2009 7:23 PM > > To: General discussion list for the Fedora Directory server project. > > > Subject: Re: [Fedora-directory-users] Proposed new features for 1.3 > > > > Andrey Ivanov wrote: > > > >> I continue with my list > >> > > Thanks - I've added many of these to the list - questions below. > > > >> * the server should be able to return the members of dynamic groups > >> "on the fly" as if it were real members, the membership attribute > >> should be configurable - uniqueMember, member or another > >> > > I put this on the Future list: > > Dynamic group expansion > > > > * Define a dynamic group, and have the member/uniqueMember attribute > > of this group automatically be populated by the server > > * clients can then just search for member like with a regular static > > posix group > > > > > > > >> * support of other virtual attributes generated "on the fly" > >> > > Can you explain this a little more? 
> > > >> * pam passthrough plug-in should take into account at least the > >> account activation/deactivation (bug *470684* > >> ). There is a > >> comment about some additional useful features it in the README file of > >> this plug-in : > >> We need to worry about account expiration or lockout e.g. the user's > >> credentials are valid but the user has been locked out of his/her > >> account, or the password has expired, or something like that. Some of > >> > >> > >> this can be handled by LDAP e.g. returning password policy control > >> values when the password has expired. > >> > >> > >> * a way to synchronise the configuration of indexes (each time we add > >> an index on one of the replicated servers we need to make it manually > >> on all the others) and some other parameters in "cn=config" between > >> the replicated servers (a little like the "configuration" partition > >> in active directory), the schema changes are already replicated which > >> is very good > >> > > I'm calling this feature "Configuration replication" - I think it could > > be useful for other sorts of configuration. > > > >> * enforced attribute syntax validation > >> > > Already on the list - Syntax validation checking > > > >> * re-verify and validate conformance of the syntaxes, case sensitivity > >> and their matching rules to RFC > >> (https://www.redhat.com/archives/fedora-directory-users/2008- > July/msg00041.html) > >> > >> > > Already on the list > > > >> * unix socket autobind still does not seem to work (ldapi) - > >> https://www.redhat.com/archives/fedora-directory-users/2009- > February/msg00112.html. > >> It could be very useful for various maintenance scripts running on the > >> server. > >> > > We tested this with 1.2.0 and it seems to work. You tested a build from > > source? Did you use --enable-autobind with configure? Did you restart > > the server after configuring your autobind and sasl mapping?
> > > >> * verification of the server from the viewpoint of memory leaks. The > >> size of the memory used by the server grows with time (normally we > >> don't restart the server during several months, so i can follow the > stats) > >> > > We regularly run the server test suite with valgrind enabled. I'm not > > aware of any per connection or per operation leaks. What exactly are > > you seeing? > > > >> * logconv.pl - very useful script, add some more options/ adjustments > >> (for example, a switch to hide unindexed searches in verbose mode). We > >> use it as logwatch. > >> > >> * a perl script to show the replication statistics (there is one for > >> the web page generation statistics, something more basic, text-only > >> would be very welcome) in text mode - to receive the reports by mail > >> once per day like logwatch for example > >> > > What sort of information are you looking for? ldapsearch can provide > > most of the useful information. > > > >> * regular expressions in ACIs (i know, it is very difficult to do, so > >> maybe somewhere in the timescale of the version 10.0 ? :)) - for > >> example, allow a user to add or modify a value just in case the new > >> value matches the regex. Or the group or dn of the user matches the > >> regex... > >> > > You can do some of that currently with targetattrfilters - see > > *http://tinyurl.com/3yo88r > > > > We added support in 1.2.0 to allow you to specify group membership with > > LDAP search specifications, which does allow some wildcarding, so that > > might help too. > > * > > > >> * simplify the creation of new syntaxes and their validation/ > >> enforcement (version 11.0? :)) > >> > > Can you elaborate? > > > >> * virtual views allowing to map not only the trees but also the > >> attributes ('cn' instead of 'uid' in a subtree, for example) > >> > > Can you elaborate?
> > > >> * enable regex in certmap.conf for mapping the CNs of the certificates > >> during the certificate authentication of users > >> > > This is on the list as > > Get rid of certmap.conf - use SASL mapping (cert auth is really just > > SASL/EXTERNAL) > > The sasl mapping code uses regular expressions > > > >> > >> > >> Other than that i just want to emphasize the great job you are doing > >> adding new features and especially the fantastic reactivity in fixing > >> some critical server bugs (usually it takes only one or two days to > >> have the necessary diff in bugzilla!) > >> > >> Thank you and please continue the development of this directory server! > >> > > And thank you for your suggestions. > > > >> > >> > >> > >> > >> > >> Thanks - I've added these notes to > >> http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3 > >> > >> Anyone else? C'mon - surely you have an opinion about a new > >> feature. > >> > >> > >> Thanks for all your hard work on this! > >> > >> > >> > >> ----------------------------------------------------------------------- > - > >> > >> -- > >> Fedora-directory-users mailing list > >> Fedora-directory-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > >> > > > > > > > > > > > > > > > > > > > > > > This e-mail and any attachment is intended for the above name > recipient(s) only and may contain confidential or privileged information. > If you are not an intended recipient, please notify the sender and delete > the message. Failure to maintain the confidentiality of this e-mail and > any attachment may subject you to penalties under applicable law. > > > > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, > is for the sole use of the intended recipient(s) and may contain > confidential and privileged information or otherwise be protected by law. > Any unauthorized review, use, disclosure or distribution is prohibited.
If > you are not the intended recipient, please contact the sender by reply e- > mail and destroy all copies of the original message. > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > This e-mail and any attachment is intended for the above name recipient(s) only and may contain confidential or privileged information. If you are not an intended recipient, please notify the sender and delete the message. Failure to maintain the confidentiality of this e-mail and any attachment may subject you to penalties under applicable law. CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From ckannan at redhat.com Fri Apr 10 12:44:18 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Fri, 10 Apr 2009 05:44:18 -0700 Subject: [Fedora-directory-users] Proposed new features for 1.3 In-Reply-To: <49D2D1A0.3070307@redhat.com> References: <49D2D1A0.3070307@redhat.com> Message-ID: <1239367458.3047.4.camel@localhost.localdomain> One of my pet peeves .. a plugin that can compress/decompress binary data. When we store large binary data (that can be easily compressed and stored ) in attributes , for example CRLs, I would like to see a ds plugin that compresses the data prior to storage. stores in compressed form. When asked to retrieve, decompress it on-the-fly. On Tue, 2009-03-31 at 20:29 -0600, Rich Megginson wrote: > Here are some features we are considering for the next major version > (tentatively called 1.3). 
These are not in any particular order, and > this is quite an ambitious list, so we're not likely to complete all of > these in a single release. We would appreciate your help in > prioritizing this list, filling in any missing details, helping with > requirements/design/coding/testing/docs, and letting us know if there > are other features which would be nice to have. > > In addition, we are considering using GIT instead of CVS for our SCM. > > http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3 > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From david_list at boreham.org Fri Apr 10 12:50:52 2009 From: david_list at boreham.org (David Boreham) Date: Fri, 10 Apr 2009 06:50:52 -0600 Subject: [Fedora-directory-users] Proposed new features for 1.3 In-Reply-To: <1239367458.3047.4.camel@localhost.localdomain> References: <49D2D1A0.3070307@redhat.com> <1239367458.3047.4.camel@localhost.localdomain> Message-ID: <49DF40AC.4090502@boreham.org> Chandrasekar Kannan wrote: > One of my pet peeves .. a plugin that can compress/decompress binary > data. > > When we store large binary data (that can be easily compressed > and stored ) in attributes , for example CRLs, I would like to see > a ds plugin that compresses the data prior to storage. stores in > compressed form. When asked to retrieve, decompress it on-the-fly. > BerkeleyDB (the storage manager used by FDS) has a feature (added after the DS was developed) that allows compression of the data stored. This might give you what you want, and it could also be handy in compressing entries in general. As far as I know nobody has tried to enable it with the DS. Perhaps it's been tested with OpenLDAP, I'm not sure.
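The compress-on-store, decompress-on-read idea Chandrasekar asks for above (and that Rich later calls "attribute value compression") can be sketched in a few lines. The Python below is an added illustration written for this archive; it is not Fedora DS code, not a DS plugin, and not the BerkeleyDB feature David mentions. The marker bytes, the 256-byte threshold, the 1 MiB inflate cap and the sample "CRL" are all assumptions of the example. It shows the two points a practitioner would want handled: values written before compression was enabled (no marker) must still read back unchanged, and a marked value must be inflated with an output bound and rejected when truncated or malformed, so a corrupt or hostile blob cannot exhaust server memory or be returned as partial garbage.

```python
import random
import zlib

# Marker prefixed to values this layer compressed. Values written before
# compression was enabled carry no marker and are passed through unchanged.
# (Marker, threshold and size cap are assumptions for this illustration.)
MAGIC = b"\x00ZLIB1\x00"
MIN_SIZE = 256                    # do not bother compressing small values
MAX_DECOMPRESSED = 1024 * 1024    # refuse to inflate beyond 1 MiB


def store_value(raw: bytes) -> bytes:
    """Value as it would be written to the backend.

    Compress and mark only when that actually saves space; incompressible
    data (random keys, already-compressed blobs) is stored as-is.
    """
    if len(raw) < MIN_SIZE:
        return raw
    packed = MAGIC + zlib.compress(raw, 9)
    return packed if len(packed) < len(raw) else raw


def load_value(stored: bytes, max_size: int = MAX_DECOMPRESSED) -> bytes:
    """Value as returned to the client.

    Unmarked (legacy or incompressible) values pass through. Marked values
    are inflated with an output cap; truncated or malformed streams are
    rejected rather than returned as partial data.
    """
    if not stored.startswith(MAGIC):
        return stored
    inflater = zlib.decompressobj()
    try:
        out = inflater.decompress(stored[len(MAGIC):], max_size + 1)
    except zlib.error as exc:
        raise ValueError("corrupt compressed attribute value") from exc
    if len(out) > max_size:
        raise ValueError("decompressed attribute value exceeds size limit")
    if not inflater.eof:
        raise ValueError("truncated compressed attribute value")
    return out


def round_trip_stats(raw: bytes) -> dict:
    """Store and reload a value; report what happened to it."""
    stored = store_value(raw)
    return {
        "raw_size": len(raw),
        "stored_size": len(stored),
        "compressed": stored.startswith(MAGIC),
        "intact": load_value(stored) == raw,
    }


def rejects(stored: bytes) -> bool:
    """True if load_value refuses the stored blob."""
    try:
        load_value(stored)
    except ValueError:
        return True
    return False


# Constructed sample data (not a real CRL): a DER-flavoured list of 2000
# revoked-certificate entries (serial + revocation time), the kind of
# repetitive structure that compresses well.
SAMPLE_CRL = b"".join(
    b"\x30\x16\x02\x05" + i.to_bytes(5, "big") + b"\x17\x0d090410000000Z"
    for i in range(2000)
)
# Constructed incompressible value (seeded so the run is deterministic).
_rng = random.Random(7)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(1024))
# Constructed hostile/corrupt blobs: one inflates past the cap, one is cut short.
BOMB = MAGIC + zlib.compress(b"\x00" * (MAX_DECOMPRESSED + 1))
TRUNCATED = MAGIC + zlib.compress(SAMPLE_CRL)[:-10]

if __name__ == "__main__":
    print(round_trip_stats(SAMPLE_CRL))
    print(round_trip_stats(RANDOM_BLOB))
    print("bomb rejected:", rejects(BOMB))
    print("truncated rejected:", rejects(TRUNCATED))
    print("corrupt rejected:", rejects(MAGIC + b"not a zlib stream"))
```

One design consequence worth keeping in mind with any such layer: a value stored compressed is opaque to the backend, so equality or substring indexes on that attribute would have to be built from the inflated value, not the stored bytes.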
From rmeggins at redhat.com Fri Apr 10 13:29:28 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 10 Apr 2009 07:29:28 -0600 Subject: [Fedora-directory-users] Proposed new features for 1.3 In-Reply-To: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> Message-ID: <49DF49B8.5010309@redhat.com> David Partridge wrote: > Would like to see additional monitoring flexibility for snmp - when configuring multiple ds instances with same port on single multihomed host monitoring information is aggregated by port in the monitoring not by instance and port. > > Please provide more information on deprecation of certmap.conf. Need flexibility to not rely on dn in cert mapping to anything in directory and rely on successful tls mutual authentication and truststore configuration. > > Script to provide index analysis based on data in the directory to provide the following info: > Search performance efficiency of index and index type based on return limits, and scanidslistlimit. > > Compressed ldif(gzip) capability for export, import, and initialization usage. > A follow up to this - directory server can import from stdin and export to stdout, so you can do this: db2ldif -n userRoot -a - | gzip > db.ldif.gz and gunzip -c db.ldif.gz | ldif2db -n userRoot -i - For initialization usage, I guess that would mean online init (or remote bulk load using ldapmodify -B). In that case, since the data is BER encoded already, it would be better to investigate attribute value compression, as discussed elsewhere in this thread. > > Dave Partridge > Sent from my Windows Mobile® phone. > > -----Original Message----- > From: Rich Megginson > Sent: Thursday, April 09, 2009 7:23 PM > To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3 > > Andrey Ivanov wrote: > >> I continue with my list >> > Thanks - I've added many of these to the list - questions below. > >> * the server should be able to return the members of dynamic groups >> "on the fly" as if it were real members, the membership attribute >> should be configurable - uniqueMember, member or another >> > I put this on the Future list: > Dynamic group expansion > > * Define a dynamic group, and have the member/uniqueMember attribute > of this group automatically be populated by the server > * clients can then just search for member like with a regular static > posix group > > > >> * support of other virtual attributes generated "on the fly" >> > Can you explain this a little more? > >> * pam passthrough plug-in should take into account at least the >> account activation/deactivation (bug *470684* >> ). There is a >> comment about some additional useful features it in the README file of >> this plug-in : >> We need to worry about account expiration or lockout e.g. the user's >> credentials are valid but the user has been locked out of his/her >> account, or the password has expired, or something like that. Some of >> >> >> this can be handled by LDAP e.g. returning password policy control >> values when the password has expired. >> >> >> * a way to synchronise the configuration of indexes (each time we add >> an index on one of the replicated servers we need to make it manually >> on all the others) and some other parameters in "cn=config" between >> the replicated servers (a little like the "configuration" partition >> in active directory), the schema changes are already replicated which >> is very good >> > I'm calling this feature "Configuration replication" - I think it could > be useful for other sorts of configuration.
> >> * enforced attribute syntax validation >> > Already on the list - Syntax validation checking > >> * re-verify and validate conformance of the syntaxes, case sensitivity >> and their matching rules to RFC >> (https://www.redhat.com/archives/fedora-directory-users/2008-July/msg00041.html) >> >> > Already on the list > >> * unix socket autobind still does not seem to work (ldapi) - >> https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html. >> It could be very useful for various maintenance scripts running on the >> server. >> > We tested this with 1.2.0 and it seems to work. You tested a build from > source? Did you use --enable-autobind with configure? Did you restart > the server after configuring your autobind and sasl mapping? > >> * verification of the server from the viewpoint of memory leaks. The >> size of the memory used by the server grows with time (normally we >> don't restart the server during several months, so i can follow the stats) >> > We regularly run the server test suite with valgrind enabled. I'm not > aware of any per connection or per operation leaks. What exactly are > you seeing? > >> * logconv.pl - very useful script, add some more options/ adjustments >> (for example, a switch to hide unindexed searches in verbose mode). We >> use it as logwatch. >> >> * a perl script to show the replication statistics (there is one for >> the web page generation statistics, something more basic, text-only >> would be very welcome) in text mode - to receive the reports by mail >> once per day like logwatch for example >> > What sort of information are you looking for? ldapsearch can provide > most of the useful information. > >> * regular expressions in ACIs (i know, it is very difficult to do, so >> maybe somewhere in the timescale of the version 10.0 ? :)) - for >> example, allow a user to add or modify a value just in case the new >> value matches the regex. Or the group or dn of the user matches the >> regex...
>> > You can do some of that currently with targetattrfilters - see > *http://tinyurl.com/3yo88r > > We added support in 1.2.0 to allow you to specify group membership with > LDAP search specifications, which does allow some wildcarding, so that > might help too. > * > >> * simplify the creation of new syntaxes and their validation/ >> enforcement (version 11.0? :)) >> > Can you elaborate? > >> * virtual views allowing to map not only the trees but also the >> attributes ('cn' instead of 'uid' in a subtree, for example) >> > Can you elaborate? > >> * enable regex in certmap.conf for mapping the CNs of the certificates >> during the certificate authentication of users >> > This is on the list as > Get rid of certmap.conf - use SASL mapping (cert auth is really just > SASL/EXTERNAL) > The sasl mapping code uses regular expressions > >> >> >> Other than that i just want to emphasize the great job you are doing >> adding new features and especially the fantastic reactivity in fixing >> some critical server bugs (usually it takes only one or two days to >> have the necessary diff in bugzilla!) >> >> Thank you and please continue the development of this directory server! >> > And thank you for your suggestions. > >> >> >> >> >> >> Thanks - I've added these notes to >> http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3 >> >> Anyone else? C'mon - surely you have an opinion about a new >> feature. >> >> >> Thanks for all your hard work on this! >> >> >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > > > > > > > > > This e-mail and any attachment is intended for the above name recipient(s) only and may contain confidential or privileged information. If you are not an intended recipient, please notify the sender and delete the message.
Failure to maintain the confidentiality of this e-mail and any attachment may subject you to penalties under applicable law. > > > CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Fri Apr 10 14:39:41 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 10 Apr 2009 08:39:41 -0600 Subject: [Fedora-directory-users] Proposed new features for 1.3 In-Reply-To: <2F3DC4D41FA5994686AFFC36F1D661BE01F8063E@wolverine.tangiblesoftware.com> References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> <49DEC12A.6090704@redhat.com> <2F3DC4D41FA5994686AFFC36F1D661BE01F8063E@wolverine.tangiblesoftware.com> Message-ID: <49DF5A2D.6080502@redhat.com> David Partridge wrote: > Use case example for certmap.conf for end user: > > Customer has desire to share Enterprise Directory information across WAN > for contact information sharing, but has requirement for strong > authentication using PKI. PKI trust is a PKI Mesh utilizing cross > certification. Users information in Directory Server One (DS1) are > associated with users issued certificates from PKI One (PKI1). Users > information in Directory Server Two (DS2) are associated with users > issued certificates from PKI Two (PKI2). 
>
> DS1 has no awareness or cross population of entries with DS2, but PKI1
> is cross certified with PKI2 and trusted by both populations. Users
> associated with PKI1 have a business requirement to strongly
> authenticate with DS2 to locate and collaborate with population of users
> in DS2, but have no entry in DS2 and vice versa. By removing current
> capability to strongly authenticate based on TLS configuration but have
> NO DN in DS you are removing capability to use SASL External in a cross
> certified PKI environment. User of the product will be forced to use
> SASL GSSAPI that causes other security issues or requirements to setup
> all of these Kerberos trust and ticketing handling that should not be
> required, difficult to sustain and place external dependencies on usage
> of the DS product in a federated environment as described.
>
> If directory is utilized as something OTHER than repository for people
> similar challenges will present themselves when certificates are issued
> for devices, roles, and groups. Examples include but are not limited to
> VOIP device address book capabilities such as CISCO VOIP phones or call
> managers, potentially for extending security capability in hosts that
> have host based certificates that may require use of the directory for
> backend business processes where certificate trust and regular expression
> checks of DN utilized for the TLS session may be sufficient to utilize
> for ACI binding rules.
>
So you want to allow a user from DS1 to authenticate to DS2, without
having a user entry in DS2. Then use access control, bind resource
limits, groups, roles, CoS, etc. without having a real user entry. I
think that would be useful for auth in general, not just cert based
auth. It comes up often in SASL/GSSAPI auth (wanting to use Kerberos
auth without having to have a user entry), and is necessary to support
the types of devices you mention.
One of the things that cert based auth does now is to retrieve the
userCertificate from the user's entry and compare it against the cert
presented in the auth request. But that (verifyCert) can be turned off
now. Would you want the ability to compare the cert presented for auth
against the known cert for that identity?

> David M. Partridge
> Tangible Software Inc.
> dpartridge at tangiblesoftware.com
>
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Thursday, April 09, 2009 11:47 PM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
>>
>> David Partridge wrote:
>>
>>> Would like to see additional monitoring flexibility for snmp - when
>>> configuring multiple ds instances with same port on single multihomed
>>> host monitoring information is aggregated by port in the monitoring not
>>> by instance and port.
>>>
>>> Please provide more information on deprecation of certmap.conf.
>>>
>> We would instead use the SASL mapping functionality to map the
>> subjectDN in the cert to a DN that the DS knows about. The SASL mapping
>> code is much more powerful and flexible than the certmap.conf code.
>> http://tinyurl.com/cqe42v
>>
>>> Need flexibility to not rely on dn in cert mapping to anything in
>>> directory and rely on successful tls mutual authentication and
>>> truststore configuration.
>>>
>> I'm not sure I understand - do you want the ability to do cert auth
>> without having to have a real entry in the directory server that
>> corresponds to the subjectDN?
>>
>>> Script to provide index analysis based on data in the directory to
>>> provide the following info:
>>> Search performance efficiency of index and index type based on return
>>> limits, and scanidslistlimit.
>>>
>>> Compressed ldif(gzip) capability for export, import, and
>>> initialization usage.
>>
>> Ok - Thanks - this is all good stuff.
>>
>>> Dave Partridge
>>> Sent from my Windows Mobile(r) phone.
>>>
>>> -----Original Message-----
>>> From: Rich Megginson
>>> Sent: Thursday, April 09, 2009 7:23 PM
>>> To: General discussion list for the Fedora Directory server project.
>>> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
>>>
>>> Andrey Ivanov wrote:
>>>
>>>> I continue with my list
>>>>
>>> Thanks - I've added many of these to the list - questions below.
>>>
>>>> * the server should be able to return the members of dynamic groups
>>>> "on the fly" as if it were real members, the membership attribute
>>>> should be configurable - uniqueMember, member or another
>>>>
>>> I put this on the Future list:
>>> Dynamic group expansion
>>>
>>> * Define a dynamic group, and have the member/uniqueMember attribute
>>>   of this group automatically be populated by the server
>>> * clients can then just search for member like with a regular static
>>>   posix group
>>>
>>>> * support of other virtual attributes generated "on the fly"
>>>>
>>> Can you explain this a little more?
>>>
>>>> * pam passthrough plug-in should take into account at least the
>>>> account activation/deactivation (bug 470684). There is a
>>>> comment about some additional useful features in the README file of
>>>> this plug-in :
>>>> We need to worry about account expiration or lockout e.g. the user's
>>>> credentials are valid but the user has been locked out of his/her
>>>> account, or the password has expired, or something like that. Some of
>>>> this can be handled by LDAP e.g. returning password policy control
>>>> values when the password has expired.
>>>>
>>>> * a way to synchronise the configuration of indexes (each time we add
>>>> an index on one of the replicated servers we need to make it manually
>>>> on all the others) and some other parameters in "cn=config" between
>>>> the replicated servers (a little like the "configuration" partition
>>>> in active directory), the schema changes are already replicated which
>>>> is very good
>>>>
>>> I'm calling this feature "Configuration replication" - I think it could
>>> be useful for other sorts of configuration.
>>>
>>>> * enforced attribute syntax validation
>>>>
>>> Already on the list - Syntax validation checking
>>>
>>>> * re-verify and validate conformance of the syntaxes, case sensitivity
>>>> and their matching rules to RFC
>>>> (https://www.redhat.com/archives/fedora-directory-users/2008-July/msg00041.html)
>>>>
>>> Already on the list
>>>
>>>> * unix socket autobind still does not seem to work (ldapi) -
>>>> https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html.
>>>> It could be very useful for various maintenance scripts running on the
>>>> server.
>>>>
>>> We tested this with 1.2.0 and it seems to work. You tested a build from
>>> source? Did you use --enable-autobind with configure? Did you restart
>>> the server after configuring your autobind and sasl mapping?
>>>
>>>> * verification of the server from the viewpoint of memory leaks. The
>>>> size of the memory used by the server grows with time (normally we
>>>> don't restart the server during several months, so i can follow the
>>>> stats)
>>>>
>>> We regularly run the server test suite with valgrind enabled. I'm not
>>> aware of any per connection or per operation leaks. What exactly are
>>> you seeing?
>>>
>>>> * logconv.pl - very useful script, add some more options/adjustments
>>>> (for example, a switch to hide unindexed searches in verbose mode). We
>>>> use it as logwatch.
>>>>
>>>> * a perl script to show the replication statistics (there is one for
>>>> the web page generation statistics, something more basic, text-only
>>>> would be very welcome) in text mode - to receive the reports by mail
>>>> once per day like logwatch for example
>>>>
>>> What sort of information are you looking for? ldapsearch can provide
>>> most of the useful information.
>>>
>>>> * regular expressions in ACIs (i know, it is very difficult to do, so
>>>> maybe somewhere in the timescale of the version 10.0 ? :)) - for
>>>> example, allow a user to add or modify a value just in case the new
>>>> value matches the regex. Or the group or dn of the user matches the
>>>> regex...
>>>>
>>> You can do some of that currently with targetattrfilters - see
>>> http://tinyurl.com/3yo88r
>>>
>>> We added support in 1.2.0 to allow you to specify group membership with
>>> LDAP search specifications, which does allow some wildcarding, so that
>>> might help too.
>>>
>>>> * simplify the creation of new syntaxes and their validation/
>>>> enforcement (version 11.0? :))
>>>>
>>> Can you elaborate?
>>>
>>>> * virtual views allowing to map not only the trees but also the
>>>> attributes ('cn' instead of 'uid' in a subtree, for example)
>>>>
>>> Can you elaborate?
>>>
>>>> * enable regex in certmap.conf for mapping the CNs of the certificates
>>>> during the certificate authentication of users
>>>>
>>> This is on the list as
>>> Get rid of certmap.conf - use SASL mapping (cert auth is really just
>>> SASL/EXTERNAL)
>>> The sasl mapping code uses regular expressions
>>>
>>>> Other than that i just want to emphasize the great job you are doing
>>>> adding new features and especially the fantastic reactivity in fixing
>>>> some critical server bugs (usually it takes only one or two days to
>>>> have the necessary diff in bugzilla!)
>>>>
>>>> Thank you and please continue the development of this directory server!
>>>>
>>> And thank you for your suggestions.
>>>
>>>> Thanks - I've added these notes to
>>>> http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3
>>>>
>>>> Anyone else? C'mon - surely you have an opinion about a new
>>>> feature.
>>>>
>>>> Thanks for all your hard work on this!
>>>>

From rmeggins at redhat.com Fri Apr 10 14:43:47 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 10 Apr 2009 08:43:47 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <0d03b175-b186-48f6-9965-727ae0838d0c@kerio.com>
References: <0d03b175-b186-48f6-9965-727ae0838d0c@kerio.com>
Message-ID: <49DF5B23.2060702@redhat.com>

Michal Rejda wrote:
>
> Hi all,
>
> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and
> Active Directory).
> I tried two ways, but none of these works:
>
> 1) New database link to LDAP server.
>
> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control
> value not found
>
You might have to tweak the controls used by chaining - see
http://tinyurl.com/culeft
>
> 2) Create multiple-master replication and setup other server as consumer.
>
> - But this shows error: 255 Replication error acquiring replica:
> unknown error.
>
Replication will only work to a SunDS, not to any other vendor.
>
> My question is: Is there a way to set up a proxy to access another LDAP
> server from Fedora DS? I know that it is possible to use AD sync, but I
> cannot install anything on the AD server. The second reason why I need
> to setup proxy is to use data stored in LDAP server (OpenLDAP, Open
> Directory Server and Active Directory) in one place. I need to update
> them too. It is not necessary to synchronize passwords.
>
See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>
> Thank you for your reply.
>
> Regards,
>
> Michal
>

From dpartridge at tangible.net Fri Apr 10 16:35:44 2009
From: dpartridge at tangible.net (David Partridge)
Date: Fri, 10 Apr 2009 12:35:44 -0400
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49DF49B8.5010309@redhat.com>
References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com>
	<49DF49B8.5010309@redhat.com>
Message-ID: <2F3DC4D41FA5994686AFFC36F1D661BE01F806DB@wolverine.tangiblesoftware.com>

Agreed, BUT how do I do this with features of Task Invocation Via LDAP
if it is not part of the core product?
David M. Partridge
Tangible Software Inc.
Sr. Security Engineer
2010 Corporate Ridge
Suite 620
McLean, Virginia 22102
Office 800-913-9901 x 3001
Mobile 571-286-9628
Fax 703-288-1226
dpartridge at tangiblesoftware.com

> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Friday, April 10, 2009 9:29 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
>
> David Partridge wrote:
> > Would like to see additional monitoring flexibility for snmp - when
> > configuring multiple ds instances with same port on single multihomed host
> > monitoring information is aggregated by port in the monitoring not by
> > instance and port.
> >
> > Please provide more information on deprecation of certmap.conf. Need
> > flexibility to not rely on dn in cert mapping to anything in directory and
> > rely on successful tls mutual authentication and truststore configuration.
> >
> > Script to provide index analysis based on data in the directory to
> > provide the following info:
> > Search performance efficiency of index and index type based on return
> > limits, and scanidslistlimit.
> >
> > Compressed ldif(gzip) capability for export, import, and initialization
> > usage.
> >
> A follow up to this - directory server can import from stdin and export
> to stdout, so you can do this:
> db2ldif -n userRoot -a - | gzip > db.ldif.gz
> and
> gunzip -c db.ldif.gz | ldif2db -n userRoot -i -
>
> For initialization usage, I guess that would mean online init (or remote
> bulk load using ldapmodify -B). In that case, since the data is BER
> encoded already, it would be better to investigate attribute value
> compression, as discussed elsewhere in this thread.
>
> > Dave Partridge
> > Sent from my Windows Mobile(r) phone.
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From rmeggins at redhat.com Fri Apr 10 16:58:09 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 10 Apr 2009 10:58:09 -0600 Subject: [Fedora-directory-users] Proposed new features for 1.3 In-Reply-To: <2F3DC4D41FA5994686AFFC36F1D661BE01F806DB@wolverine.tangiblesoftware.com> References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> <49DF49B8.5010309@redhat.com> <2F3DC4D41FA5994686AFFC36F1D661BE01F806DB@wolverine.tangiblesoftware.com> Message-ID: <49DF7AA1.50800@redhat.com> David Partridge wrote: > Agreed, BUT how do I do this with features of Task Invocation Via LDAP > if it is not part of the core product? > Right. The gzip/gunzip needs to be in the server itself to do that. > David M. Partridge > Tangible Software Inc. > Sr. Security Engineer > 2010 Corporate Ridge > Suite 620 > McLean, Virginia 22102 > Office 800-913-9901 x 3001 > Mobile 571-286-9628 > Fax 703-288-1226 > dpartridge at tangiblesoftware.com > > > >> -----Original Message----- >> From: Rich Megginson [mailto:rmeggins at redhat.com] >> Sent: Friday, April 10, 2009 9:29 AM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3 >> >> David Partridge wrote: >> >>> Would like to see additional monitoring flexibility for snmp - when >>> >> configuring multiple ds instances with same port on single multihomed >> > host > >> monitoring information is agregated by port in the monitoring not by >> instance and port. >> >>> Please provide more information on deprecation of certmap.conf. 
>>> > Need > >> flexibility to not rely on dn in cert mapping to anything in directory >> > and > >> rely on successful tls mutual authentication and truststore >> > configuration. > >>> Script to provide index analysis based on data in the directory to >>> >> provide the following info: >> >>> Search performance efficiency of index and index type based on >>> > return > >> limits, and scanidslistlimit. >> >>> Compressed ldif(gzip) capability for export, import, and >>> > initialization > >> usage. >> >> A follow up to this - directory server can import from stdin and >> > export > >> to stdout, so you can do this: >> db2ldif -n userRoot -a - | gzip > db.ldif.gz >> and >> gunzip -c db.ldif.gz | ldif2db -n userRoot -i - >> >> For initialization usage, I guess that would mean online init (or >> > remote > >> bulk load using ldapmodify -B). In that case, since the data is BER >> encoded already, it would be better to investigate attribute value >> compression, as discussed elsewhere in this thread. >> >>> Dave Partridge >>> Sent from my Windows Mobile(r) phone. >>> >>> -----Original Message----- >>> From: Rich Megginson >>> Sent: Thursday, April 09, 2009 7:23 PM >>> To: General discussion list for the Fedora Directory server project. >>> >> >> >>> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3 >>> >>> Andrey Ivanov wrote: >>> >>> >>>> I continue with my list >>>> >>>> >>> Thanks - I've added many of these to the list - questions below. 
>>> >>> >>>> * the server should be able to return the members of dynamic groups >>>> "on the fly" as if it were real members, the membership attribute >>>> should be configurable - uniqueMember, member or another >>>> >>>> >>> I put this on the Future list: >>> Dynamic group expansion >>> >>> * Define a dynamic group, and have the member/uniqueMember >>> > attribute > >>> of this group automatically be populated by the server >>> * clients can then just search for member like with a regular >>> > static > >>> posix group >>> >>> >>> >>> >>>> * support of other virtual attributes generated "on the fly" >>>> >>>> >>> Can you explain this a little more? >>> >>> >>>> * pam passthrough plug-in should take into account at least the >>>> account activation/desactivation (bug *470684* >>>> ). There is a >>>> comment about some additional useful features it in th README file >>>> > of > >>>> this plug-in : >>>> We need to worry about account expiration or lockout e.g. the >>>> > user's > >>>> credentials are valid but the user has been locked out of his/her >>>> account, or the password has expired, or something like that. Some >>>> > of > >>>> this can be handled by LDAP e.g. returning password policy control >>>> values when the password has expired. >>>> >>>> >>>> * a way to synchronise the configuration of indexes (each time we >>>> > add > >>>> an index on one of the replicated servers we need to make it >>>> > manually > >>>> on all the others) and some other parameters in "cn=config" between >>>> the replicated servers (a little like the "configuration" >>>> > partition > >>>> in active directory), the schema changes are already replicated >>>> > which > >>>> is very good >>>> >>>> >>> I'm calling this feature "Configuration replication" - I think it >>> > could > >>> be useful for other sorts of configuration. 
>>>> * enforced attribute syntax validation
>>>
>>> Already on the list - Syntax validation checking
>>>
>>>> * re-verify and validate conformance of the syntaxes, case sensitivity
>>>> and their matching rules to RFC
>>>> (https://www.redhat.com/archives/fedora-directory-users/2008-July/msg00041.html)
>>>
>>> Already on the list
>>>
>>>> * unix socket autobind still does not seem to work (ldapi) -
>>>> https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html.
>>>> It could be very useful for various maintenance scripts running on the
>>>> server.
>>>
>>> We tested this with 1.2.0 and it seems to work. You tested a build from
>>> source? Did you use --enable-autobind with configure? Did you restart
>>> the server after configuring your autobind and sasl mapping?
>>>
>>>> * verification of the server from the viewpoint of memory leaks. The
>>>> size of the memory used by the server grows with time (normally we
>>>> don't restart the server during several months, so I can follow the
>>>> stats)
>>>
>>> We regularly run the server test suite with valgrind enabled. I'm not
>>> aware of any per connection or per operation leaks. What exactly are
>>> you seeing?
>>>
>>>> * logconv.pl - very useful script, add some more options/adjustments
>>>> (for example, a switch to hide unindexed searches in verbose mode). We
>>>> use it as logwatch.
>>>>
>>>> * a perl script to show the replication statistics (there is one for
>>>> the web page generation statistics, something more basic, text-only
>>>> would be very welcome) in text mode - to receive the reports by mail
>>>> once per day like logwatch for example
>>>
>>> What sort of information are you looking for? ldapsearch can provide
>>> most of the useful information.
>>>
>>>> * regular expressions in ACIs (I know, it is very difficult to do, so
>>>> maybe somewhere in the timescale of the version 10.0 ? :)) - for
>>>> example, allow a user to add or modify a value just in case the new
>>>> value matches the regex. Or the group or dn of the user matches the
>>>> regex...
>>>
>>> You can do some of that currently with targetattrfilters - see
>>> http://tinyurl.com/3yo88r
>>>
>>> We added support in 1.2.0 to allow you to specify group membership with
>>> LDAP search specifications, which does allow some wildcarding, so that
>>> might help too.
>>>
>>>> * simplify the creation of new syntaxes and their validation/
>>>> enforcement (version 11.0? :))
>>>
>>> Can you elaborate?
>>>
>>>> * virtual views allowing to map not only the trees but also the
>>>> attributes ('cn' instead of 'uid' in a subtree, for example)
>>>
>>> Can you elaborate?
>>>
>>>> * enable regex in certmap.conf for mapping the CNs of the certificates
>>>> during the certificate authentication of users
>>>
>>> This is on the list as
>>> Get rid of certmap.conf - use SASL mapping (cert auth is really just
>>> SASL/EXTERNAL)
>>> The sasl mapping code uses regular expressions
>>>
>>>> Other than that I just want to emphasize the great job you are doing
>>>> adding new features and especially the fantastic reactivity in fixing
>>>> some critical server bugs (usually it takes only one or two days to
>>>> have the necessary diff in bugzilla!)
>>>>
>>>> Thank you and please continue the development of this directory server!
>>>
>>> And thank you for your suggestions.
>>>
>>>> Thanks - I've added these notes to
>>>> http://directory.fedoraproject.org/wiki/Roadmap#Version_1.3
>>>>
>>>> Anyone else? C'mon - surely you have an opinion about a new feature.
>>>>
>>>> Thanks for all your hard work on this!
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From dpartridge at tangible.net Fri Apr 10 17:20:55 2009
From: dpartridge at tangible.net (David Partridge)
Date: Fri, 10 Apr 2009 13:20:55 -0400
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49DF5A2D.6080502@redhat.com>
References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> <49DEC12A.6090704@redhat.com> <2F3DC4D41FA5994686AFFC36F1D661BE01F8063E@wolverine.tangiblesoftware.com> <49DF5A2D.6080502@redhat.com>
Message-ID: <2F3DC4D41FA5994686AFFC36F1D661BE01F806FA@wolverine.tangiblesoftware.com>

David M. Partridge
Tangible Software Inc.
Sr. Security Engineer
2010 Corporate Ridge
Suite 620
McLean, Virginia 22102
Office 800-913-9901 x 3001
Mobile 571-286-9628
Fax 703-288-1226
dpartridge at tangiblesoftware.com

> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Friday, April 10, 2009 10:40 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
>
> David Partridge wrote:
> > Use case example for certmap.conf for end user:
> >
> > Customer has desire to share Enterprise Directory information across WAN
> > for contact information sharing, but has requirement for strong
> > authentication using PKI. PKI trust is a PKI Mesh utilizing cross
> > certification. Users information in Directory Server One (DS1) are
> > associated with users issued certificates from PKI One (PKI1). Users
> > information in Directory Server Two (DS2) are associated with users
> > issued certificates from PKI Two (PKI2).
> >
> > DS1 has no awareness or cross population of entries with DS2, but PKI1
> > is cross certified with PKI2 and trusted by both populations. Users
> > associated with PKI1 have a business requirement to strongly
> > authenticate with DS2 to locate and collaborate with population of users
> > in DS2, but have no entry in DS2 and vice versa. By removing current
> > capability to strongly authenticate based on TLS configuration but have
> > NO DN in DS you are removing capability to use SASL External in a cross
> > certified PKI environment. User of the product will be forced to use
> > SASL GSSAPI that causes other security issues or requirements to setup
> > all of these Kerberos trust and ticketing handling that should not be
> > required, difficult to sustain and place external dependencies on usage
> > of the DS product in a federated environment as described.
> >
> > If directory is utilized as something OTHER than repository for people
> > similar challenges will present themselves when certificates are issued
> > for devices, roles, and groups. Examples include but are not limited to
> > VOIP device address book capabilities such as CISCO VOIP phones or call
> > managers, Potentially for extending security capability in hosts that
> > have host based certificates that may require use of the directory for
> > backend business processes where Certificate trust and regular expression
> > checks of DN utilized for the TLS session may be sufficient to utilize
> > for ACI binding rules.
> >
> So you want to allow a user from DS1 to authenticate to DS2, without
> having a user entry in DS2. Then use access control, bind resource
> limits, groups, roles, CoS, etc. without having a real user entry. I
> think that would be useful for auth in general, not just cert based
> auth. It comes up often in SASL/GSSAPI auth (wanting to use Kerberos
> auth without having to have a user entry), and is necessary to support
> the types of devices you mention.

[David Partridge] DS1 and DS2 for clarity are only containers of
information for users to consume. A user may have data in neither, one or
both DS, but has PKI credentials that are trusted by neither, one or both
DS. If trusted the user should be authenticated via TLS using mutual
authentication using PKI. If not trusted user is turned away by TLS mutual
authentication. Authentication and access control are two separate and
distinct processes.

If user is not authenticated why should I allow them to get to the point
of exposing internal directory resources to evaluate access control, bind
resource limits, groups, roles, CoS, etc. Believe I had this conversation
with Bob Lord long time ago when we discovered a previous security issue.

If user is authenticated capabilities of DN mapping with sophisticated
access control, bind resource limits, groups, roles, CoS, etc. continue to
be valuable for providing different privileges and capabilities. But the
ability should not be absolute to requiring a DN in the directory NOR
would I want to try to build rules based on every PKI end user DN that may
have a chain of trust that is acceptable based on adding to NSS
Truststore. There will be some cases that the fact that they authenticated
regardless of SASL mechanism should be able to provide 'SOME' access.

> One of the things that cert based auth does now is to retrieve the
> userCertificate from the user's entry and compare it against the cert
> presented in the auth request. But that (verifyCert) can be turned off
> now. Would you want the ability to compare the cert presented for auth
> against the known cert for that identity?

[David Partridge] Depends - For our use cases identity certificates
[digital signature, nonrepudiation key usage] are NEVER published or
stored outside of PKI CA infrastructure (will let the Dogtag team explain
reasons). Therefore the certificate used for SSL will NEVER be a match to
the certificate attribute in the directory which is merely one or more
email encryption certificates [key encipherment key usage] that
corresponds to mail attribute in directory.

If directory was for PKI CA infrastructure matching the certificate binary
value may be useful, but unnecessary if implementation of PKI done
correctly. Matching binary contradicts why the PKI exists in the first
place. In most cases PKI exists so you do not need prior knowledge of the
end user of the certificate to know that the individual/system met
identity vetting requirements and is the only individual/system that
possessed private key to make it do what it does.

> > David M. Partridge
> > Tangible Software Inc.
> > dpartridge at tangiblesoftware.com
> >
> >> -----Original Message-----
> >> From: Rich Megginson [mailto:rmeggins at redhat.com]
> >> Sent: Thursday, April 09, 2009 11:47 PM
> >> To: General discussion list for the Fedora Directory server project.
> >> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
> >>
> >> David Partridge wrote:
> >>> Would like to see additional monitoring flexibility for snmp - when
> >>> configuring multiple ds instances with same port on single multihomed
> >>> host monitoring information is aggregated by port in the monitoring
> >>> not by instance and port.
> >>>
> >>> Please provide more information on deprecation of certmap.conf.
> >>>
> >> We would instead use the SASL mapping functionality to map the
> >> subjectDN in the cert to a DN that the DS knows about. The SASL mapping
> >> code is much more powerful and flexible than the certmap.conf code.
> >> http://tinyurl.com/cqe42v
> >>
> >>> Need flexibility to not rely on dn in cert mapping to anything in
> >>> directory and rely on successful tls mutual authentication and
> >>> truststore configuration.
> >>
> >> I'm not sure I understand - do you want the ability to do cert auth
> >> without having to have a real entry in the directory server that
> >> corresponds to the subjectDN?
> >>
> >>> Script to provide index analysis based on data in the directory to
> >>> provide the following info:
> >>> Search performance efficiency of index and index type based on return
> >>> limits, and scanidslistlimit.
> >>>
> >>> Compressed ldif(gzip) capability for export, import, and
> >>> initialization usage.
> >>
> >> Ok - Thanks - this is all good stuff.
> >>
> >>> Dave Partridge
> >>> Sent from my Windows Mobile(r) phone.
> >>>
> >>> -----Original Message-----
> >>> From: Rich Megginson
> >>> Sent: Thursday, April 09, 2009 7:23 PM
> >>> To: General discussion list for the Fedora Directory server project.
> >>> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
> >>>
> >>> Andrey Ivanov wrote:
> >>>> I continue with my list
> >>>
> >>> Thanks - I've added many of these to the list - questions below.
> >>>> * the server should be able to return the members of dynamic groups
> >>>> "on the fly" as if it were real members, the membership attribute
> >>>> should be configurable - uniqueMember, member or another
> >>>
> >>> I put this on the Future list:
> >>> Dynamic group expansion
> >>>
> >>> * Define a dynamic group, and have the member/uniqueMember attribute
> >>> of this group automatically be populated by the server
> >>> * clients can then just search for member like with a regular static
> >>> posix group
> >>>
> >>>> * support of other virtual attributes generated "on the fly"
> >>>
> >>> Can you explain this a little more?
> >>>
> >>>> * pam passthrough plug-in should take into account at least the
> >>>> account activation/deactivation (bug 470684). There is a comment
> >>>> about some additional useful features in the README file of this
> >>>> plug-in :
> >>>> We need to worry about account expiration or lockout e.g. the user's
> >>>> credentials are valid but the user has been locked out of his/her
> >>>> account, or the password has expired, or something like that. Some of
> >>>> this can be handled by LDAP e.g. returning password policy control
> >>>> values when the password has expired.
> >>>>
> >>>> * a way to synchronise the configuration of indexes (each time we add
> >>>> an index on one of the replicated servers we need to make it manually
> >>>> on all the others) and some other parameters in "cn=config" between
> >>>> the replicated servers (a little like the "configuration" partition
> >>>> in active directory), the schema changes are already replicated which
> >>>> is very good
> >>>
> >>> I'm calling this feature "Configuration replication" - I think it could
> >>> be useful for other sorts of configuration.
From rmeggins at redhat.com Fri Apr 10 18:07:55 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 10 Apr 2009 12:07:55 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <2F3DC4D41FA5994686AFFC36F1D661BE01F806FA@wolverine.tangiblesoftware.com>
References: <018901c9b97d$d775f130$0b05a8c0@tangiblesoftware.com> <49DEC12A.6090704@redhat.com> <2F3DC4D41FA5994686AFFC36F1D661BE01F8063E@wolverine.tangiblesoftware.com> <49DF5A2D.6080502@redhat.com> <2F3DC4D41FA5994686AFFC36F1D661BE01F806FA@wolverine.tangiblesoftware.com>
Message-ID: <49DF8AFB.4050100@redhat.com>

David Partridge wrote:
> David M. Partridge
> Tangible Software Inc.
> Sr. Security Engineer
> 2010 Corporate Ridge
> Suite 620
> McLean, Virginia 22102
> Office 800-913-9901 x 3001
> Mobile 571-286-9628
> Fax 703-288-1226
> dpartridge at tangiblesoftware.com
>
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Friday, April 10, 2009 10:40 AM
>> To: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
>>
>> David Partridge wrote:
>>> Use case example for certmap.conf for end user:
>>>
>>> Customer has desire to share Enterprise Directory information across WAN
>>> for contact information sharing, but has requirement for strong
>>> authentication using PKI. PKI trust is a PKI Mesh utilizing cross
>>> certification. Users information in Directory Server One (DS1) are
>>> associated with users issued certificates from PKI One (PKI1). Users
>>> information in Directory Server Two (DS2) are associated with users
>>> issued certificates from PKI Two (PKI2).
>>>
>>> DS1 has no awareness or cross population of entries with DS2, but PKI1
>>> is cross certified with PKI2 and trusted by both populations. Users
>>> associated with PKI1 have a business requirement to strongly
>>> authenticate with DS2 to locate and collaborate with population of users
>>> in DS2, but have no entry in DS2 and vice versa. By removing current
>>> capability to strongly authenticate based on TLS configuration but have
>>> NO DN in DS you are removing capability to use SASL External in a cross
>>> certified PKI environment. User of the product will be forced to use
>>> SASL GSSAPI that causes other security issues or requirements to setup
>>> all of these Kerberos trust and ticketing handling that should not be
>>> required, difficult to sustain and place external dependencies on usage
>>> of the DS product in a federated environment as described.
>>>
>>> If directory is utilized as something OTHER than repository for people
>>> similar challenges will present themselves when certificates are issued
>>> for devices, roles, and groups. Examples include but are not limited to
>>> VOIP device address book capabilities such as CISCO VOIP phones or call
>>> managers, Potentially for extending security capability in hosts that
>>> have host based certificates that may require use of the directory for
>>> backend business processes where Certificate trust and regular expression
>>> checks of DN utilized for the TLS session may be sufficient to utilize
>>> for ACI binding rules.
>>>
>> So you want to allow a user from DS1 to authenticate to DS2, without
>> having a user entry in DS2. Then use access control, bind resource
>> limits, groups, roles, CoS, etc. without having a real user entry. I
>> think that would be useful for auth in general, not just cert based
>> auth. It comes up often in SASL/GSSAPI auth (wanting to use Kerberos
>> auth without having to have a user entry), and is necessary to support
>> the types of devices you mention.
>>
> [David Partridge]
> DS1 and DS2 for clarity are only containers of information for users to
> consume. A user may have data in neither, one or both DS, but has PKI
> credentials that are trusted by neither, one or both DS. If trusted the
> user should be authenticated via TLS using mutual authentication using
> PKI. If not trusted user is turned away by TLS mutual authentication.
>
Ok. So just in general allow authentication if user doesn't exist.

> Authentication and access control are two separate and distinct
> processes.
>
> If user is not authenticated why should I allow them to get to the point
> of exposing internal directory resources to evaluate access control,
> bind resource limits, groups, roles, CoS, etc. Believe I had this
> conversation with Bob Lord long time ago when we discovered a previous
> security issue.
>
Sure. Unauthenticated users should not be allowed to consume resources
or discover information. We have some roadmap items to disallow and
lockdown anonymous users even more than we do today.

> If user is authenticated capabilities of DN mapping with sophisticated
> access control, bind resource limits, groups, roles, CoS, etc. continue
> to be valuable for providing different privileges and capabilities. But
> the ability should not be absolute to requiring a DN in the directory
> NOR would I want to try to build rules based on every PKI end user DN
> that may have a chain of trust that is acceptable based on adding to NSS
> Truststore. There will be some cases that the fact that they
> authenticated regardless of SASL mechanism should be able to provide
> 'SOME' access.
>
Ok. Right - I want to allow those capabilities without requiring a DN in
the directory.

>> One of the things that cert based auth does now is to retrieve the
>> userCertificate from the user's entry and compare it against the cert
>> presented in the auth request. But that (verifyCert) can be turned off
>> now. Would you want the ability to compare the cert presented for auth
>> against the known cert for that identity?
>>
> [David Partridge] Depends - For our use cases identity certificates
> [digital signature, nonrepudiation key usage] are NEVER published or
> stored outside of PKI CA infrastructure (will let the Dogtag team
> explain reasons). Therefore the certificate used for SSL will NEVER be
> a match to the certificate attribute in the directory which is merely
> one or more email encryption certificates [key encipherment key usage]
> that corresponds to mail attribute in directory.
>
> If directory was for PKI CA infrastructure matching the certificate
> binary value may be useful, but unnecessary if implementation of PKI
> done correctly. Matching binary contradicts why the PKI exists in the
> first place. In most cases PKI exists so you do not need prior
> knowledge of the end user of the certificate to know that the
> individual/system met identity vetting requirements and is the only
> individual/system that possessed private key to make it do what it does.
>
Ok.
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> This e-mail and any attachment is intended for the above named recipient(s) only and may contain confidential or privileged information. If you are not an intended recipient, please notify the sender and delete the message. Failure to maintain the confidentiality of this e-mail and any attachment may subject you to penalties under applicable law.
>
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information or otherwise be protected by law. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From james.chavez at sanmina-sci.com Sat Apr 11 06:50:30 2009
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Fri, 10 Apr 2009 23:50:30 -0700
Subject: [Fedora-directory-users] Admin Server console question.
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6013F13D8@sjc1amfpew04.am.sanm.corp>

Hello,

I am looking to use the Directory Server Admin Console similar to how the Active Directory Users and Computers tool is used. More specifically I would like to create an administrative group with permission to perform certain functions such as reset user passwords and change certain other attributes. I would like to login to the console with these users instead of Directory Manager or admin to limit the access and damage that can be done.

I have created a group of users with full access to my suffix with the ability to add and remove objects. I can do pretty much any operation with ldapmodify, ldapadd, ldapdelete from the command line.

However I cannot login to the Directory Server console with these users to admin the directory. If I login as Directory Manager to the admin console and then select "login as new user" I am able to login with the users, however the Directory is not visible. I do not have the correct access somewhere obviously.

How can I configure FDS to allow these users to admin the directory in a limited role? I am assuming I need to set ACIs in certain places to allow logging into the FDS admin server console. I am assuming this is possible. I am able to access with a third party tool but would like to use the FDS admin console.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

From andrey.ivanov at polytechnique.fr Sat Apr 11 14:17:02 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Sat, 11 Apr 2009 16:17:02 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49DE837D.7070205@redhat.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com>
Message-ID: <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com>

Another thought regarding subtree/modrdn with a different parent renames - referential integrity and memberOf attributes should be adjusted during these renames, it adds a certain difficulty to the realisation, maybe even rewriting some parts of referential integrity and memberof plugins...

> * Define a dynamic group, and have the member/uniqueMember attribute of this group automatically be populated by the server
> * clients can then just search for member like with a regular static posix group
>
>> * support of other virtual attributes generated "on the fly"
> Can you explain this a little more?

For example, the memberOf attribute now generated by memberOf plugin and written into the db could be generated dynamically.
The attributes like entryLevelRights and attributeLevelRights are already created dynamically, nsRole/CoS also (one of the main drawbacks of the roles is that they are only applicable to a sub-tree). I'm talking about this type of "virtual" attributes generated by some filters or regular expressions or plug-ins, maybe creation of some sort of framework or mechanism to generalize the creation of such attributes. At the same time they may be a major performance hit so the dynamically generated attributes should be considered with some precautions.

>> * unix socket autobind still does not seem to work (ldapi) - https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html. It could be very useful for various maintenance scripts running on the server.
> We tested this with 1.2.0 and it seems to work. You tested a build from source? Did you use --enable-autobind with configure? Did you restart the server after configuring your autobind and sasl mapping?

Yes, you are right, I have just tested it, in the release version 1.2.0 it works. Perfect! Thank you!

>> * verification of the server from the viewpoint of memory leaks. The size of the memory used by the server grows with time (normally we don't restart the server during several months, so I can follow the stats)
> We regularly run the server test suite with valgrind enabled. I'm not aware of any per connection or per operation leaks. What exactly are you seeing?

I have made a simple cron like this:

5 0,12 * * * root ps auxww |grep slapd|grep -v grep >> /Admin/memory.txt

and I see that the VSZ/RSS of the server grows constantly though very slowly (without a change in the number of entries but with regular modifications). Example (time span ~ 2 months):

ldap 23920 0.7 10.3 1452432 417464 ? Sl Feb17 19:36 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
...
ldap 23920 0.5 13.6 1517968 550568 ? Sl Feb17 105:16 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
...
ldap 23920 0.7 13.7 1517968 554696 ? Sl Feb17 220:58 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
...
ldap 23920 0.9 13.8 1517968 559328 ? Sl Feb17 351:14 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
...
ldap 23920 0.7 14.0 1517968 569804 ? Sl Feb17 448:17 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid

Maybe it's just the change of the data size anyway...

>> * logconv.pl - very useful script, add some more options/adjustments (for example, a switch to hide unindexed searches in verbose mode). We use it as logwatch.
>> * a perl script to show the replication statistics (there is one for the web page generation statistics; something more basic, text-only would be very welcome) in text mode - to receive the reports by mail once per day like logwatch for example
> What sort of information are you looking for? ldapsearch can provide most of the useful information.

The same stats as provided by repl-monitor.pl. But in a simple text file form, without any bells and whistles. But you are right, simple ldapsearch formatted by perl can do the thing.

>> * regular expressions in ACIs (I know, it is very difficult to do, so maybe somewhere in the timescale of the version 10.0? :)) - for example, allow a user to add or modify a value just in case the new value matches the regex. Or the group or dn of the user matches the regex...
> You can do some of that currently with targetattrfilters - see http://tinyurl.com/3yo88r

Yes, we already use it - for example, to enforce the entered telephone numbers to start with a certain prefix etc

> We added support in 1.2.0 to allow you to specify group membership with LDAP search specifications, which does allow some wildcarding, so that might help too.

Yep

>> * simplify the creation of new syntaxes and their validation/enforcement (version 11.0? :))
> Can you elaborate?

Today if I remember right from reading the docs one needs to write a plug-in or a library to add some new syntaxes. It would be nice, for example, to have a possibility to define a new custom syntax by a simple regex. As for the matching rules for this new syntax, I agree, it's a bit more difficult...

>> * virtual views allowing to map not only the trees but also the attributes ('cn' instead of 'uid' in a subtree, for example)
> Can you elaborate?

Some LDAP-enabled programs/applications (example: Onboard Administrator of the HP c3000/c7000 Blades Enclosure) expect a pre-defined hard-coded naming attribute (RDN) that cannot be changed (for the HP c7000 it is "cn", I think they tested mainly against Active Directory). In our FDS installation the naming attribute is uid. So if we could have a virtual subtree view with the changed naming attribute we would be able to use our LDAP to serve as an authentication/authorization back-end for that software. It is something like the "Present AD DIT style read-only view of the data stored in the DS part of the tree" feature on the Roadmap page but with larger mapping possibilities.

-------------- next part --------------
An HTML attachment was scrubbed...
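The cron job in the message above only accumulates raw `ps auxww` lines; the question it leaves open is whether the growth is in address space the daemon keeps reserving (VSZ) or only in pages it touches inside space it already has (RSS). The following Python is an added example written for this page, not code from the thread or from the Fedora Directory Server project. It parses snapshots in the column order procps `ps aux` prints (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND, an assumption about the ps in use), checks that every snapshot is the same process (same PID and START column, so a restart is not mistaken for a shrink), and reports first-to-last VSZ and RSS growth plus how many intervals show RSS rising while VSZ stays flat. The sample input is constructed from the five snapshots quoted above, with the terminal-wrapped command column re-joined and shortened.

```python
"""Summarise ns-slapd memory growth from periodic `ps auxww` snapshots.

Added example for this thread, not part of the Fedora/389 Directory
Server code base. The sample lines are the snapshots quoted in the
thread, re-joined and shortened; they are embedded only as test data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed from the five snapshots posted in the thread (command shortened).
SAMPLE_PS_LINES = [
    "ldap 23920 0.7 10.3 1452432 417464 ? Sl Feb17 19:36 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens",
    "ldap 23920 0.5 13.6 1517968 550568 ? Sl Feb17 105:16 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens",
    "ldap 23920 0.7 13.7 1517968 554696 ? Sl Feb17 220:58 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens",
    "ldap 23920 0.9 13.8 1517968 559328 ? Sl Feb17 351:14 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens",
    "ldap 23920 0.7 14.0 1517968 569804 ? Sl Feb17 448:17 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens",
]

# Assumed procps layout: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<vsz>\d+)\s+(?P<rss>\d+)"
    r"\s+\S+\s+\S+\s+(?P<start>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.*)$"
)


@dataclass(frozen=True)
class Snapshot:
    pid: int
    start: str   # START column; a different value means the daemon was restarted
    vsz_kb: int  # virtual size: address space reserved by the process
    rss_kb: int  # resident set: pages currently backed by RAM


def parse_ps_line(line: str) -> Snapshot:
    """Parse one `ps auxww` line; raise ValueError if it does not look like one."""
    m = PS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a ps aux line: {line!r}")
    return Snapshot(int(m["pid"]), m["start"], int(m["vsz"]), int(m["rss"]))


def analyse(lines: List[str]) -> Dict[str, object]:
    """Summarise growth across ordered snapshots of one process.

    A flat VSZ with a rising RSS means the daemon is touching pages inside
    address space it had already reserved (caches filling, heap pages being
    committed); only a VSZ that keeps climbing points at unbounded growth.
    """
    snaps = [parse_ps_line(line) for line in lines]
    if len(snaps) < 2:
        raise ValueError("need at least two snapshots")
    first, last = snaps[0], snaps[-1]
    pairs = list(zip(snaps, snaps[1:]))
    return {
        # Same PID and START in every line: no restart hidden in the series.
        "same_process": all(s.pid == first.pid and s.start == first.start for s in snaps),
        "vsz_growth_kb": last.vsz_kb - first.vsz_kb,
        "rss_growth_kb": last.rss_kb - first.rss_kb,
        "rss_monotonic": all(b.rss_kb >= a.rss_kb for a, b in pairs),
        "intervals": len(pairs),
        "intervals_vsz_flat_rss_up": sum(
            1 for a, b in pairs if b.vsz_kb == a.vsz_kb and b.rss_kb > a.rss_kb
        ),
        "vsz_still_growing": snaps[-1].vsz_kb > snaps[-2].vsz_kb,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PS_LINES).items():
        print(f"{key:28} {value}")
```

Run against the thread's own numbers, the series is one process throughout, VSZ grows by exactly 65536 KiB between the first two snapshots and is flat afterwards, and RSS keeps creeping up by about 150 MiB in total; that pattern is consistent with the "change of the data size" Andrey suspects rather than a per-operation leak, which would show VSZ continuing to climb. Feed it the whole /Admin/memory.txt (one line per snapshot) rather than the quoted excerpt, and filter the grep output to one instance first if several slapd processes run on the host, because the same-process check will otherwise fail.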
URL:

From andrey.ivanov at polytechnique.fr Sat Apr 11 14:44:08 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Sat, 11 Apr 2009 16:44:08 +0200
Subject: [Fedora-directory-users] Admin Server console question.
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6013F13D8@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6013F13D8@sjc1amfpew04.am.sanm.corp>
Message-ID: <1601b8650904110744l4a0ea1b1l4e71911844fb15ce@mail.gmail.com>

I think it is somehow linked to the ACIs on the "o=NetscapeRoot" tree. If you allow all the authenticated users to read some of the subtrees of "o=NetscapeRoot" you should have a better directory visibility in the console for a "normal" user. But it would be an interesting request for the future roadmap in order to leverage the FDS console:

* adjust the ACIs in the o=NetscapeRoot branch to allow non-administrative users to take advantage of the FDS console. Also when entering the DN during the console authentication allow just the RDN part - i.e. the possibility to put "john.doe" instead of "uid=john.doe,ou=Engineering,dc=example,dc=com" in the console authentication dialogue.

2009/4/11 Chavez, James R.
> Hello,
> I am looking to use the Directory Server Admin Console similar to how the Active Directory Users and Computers tool is used. More specifically I would like to create an administrative group with permission to perform certain functions such as reset user passwords and change certain other attributes. I would like to login to the console with these users instead of Directory Manager or admin to limit the access and damage that can be done.
>
> I have created a group of users with full access to my suffix with the ability to add and remove objects. I can do pretty much any operation with ldapmodify, ldapadd, ldapdelete from the command line.
>
> However I cannot login to the Directory Server console with these users to admin the directory.
> If I login as Directory Manager to the admin console and then select "login as new user" I am able to login with the users, however the Directory is not visible. I do not have the correct access somewhere obviously.
>
> How can I configure FDS to allow these users to admin the directory in a limited role? I am assuming I need to set ACIs in certain places to allow logging into the FDS admin server console. I am assuming this is possible. I am able to access with a third party tool but would like to use the FDS admin console.
>
> Thank you
> James

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From james.chavez at sanmina-sci.com Sat Apr 11 19:35:34 2009
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Sat, 11 Apr 2009 12:35:34 -0700
Subject: [Fedora-directory-users] Admin Server console question.
In-Reply-To: <1601b8650904110744l4a0ea1b1l4e71911844fb15ce@mail.gmail.com>
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6013F13DA@sjc1amfpew04.am.sanm.corp>

Andrey thanks for the response.

Rich, is this something that can be accomplished in the current release? Is there something that can be added similar to the ACI shown for the phpldapadmin functionality? I would prefer not to use phpldapadmin or any other 3rd party tool if we can grant limited access with the admin console.

I also agree with Andrey that this is a nice feature to have in future releases if possible, definitely on my wish list!!

Thank you
James

________________________________
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Andrey Ivanov
Sent: Saturday, April 11, 2009 7:44 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Admin Server console question.

I think it is somehow linked to the ACIs on the "o=NetscapeRoot" tree.
If you allow all the authenticated users to read some of the subtrees of "o=NetscapeRoot" you should have a better directory visibility in the console for a "normal" user. But it would be an interesting request for the future roadmap in order to leverage the FDS console:

* adjust the ACIs in the o=NetscapeRoot branch to allow non-administrative users to take advantage of the FDS console. Also when entering the DN during the console authentication allow just the RDN part - i.e. the possibility to put "john.doe" instead of "uid=john.doe,ou=Engineering,dc=example,dc=com" in the console authentication dialogue.

2009/4/11 Chavez, James R.
[original message quoted above]

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From emmanuel.billot at ird.fr Mon Apr 13 18:26:44 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Mon, 13 Apr 2009 20:26:44 +0200
Subject: [Fedora-directory-users] Proposed new feature (if not too late...)
Message-ID: <49E383E4.4040407@ird.fr>

Hi,

Sorry for answering so late...

One major reason in choosing RHDS was the RFC compliance and interoperability. There are two features which should be very interesting:

* AD/RHDS map attribute configuration (even simple)
* multiple script programming (API for PHP, Java, Perl) for plug-in development

Hoping it's not ridiculous...
BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Mon Apr 13 19:04:41 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 13 Apr 2009 13:04:41 -0600
Subject: [Fedora-directory-users] Admin Server console question.
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6013F13D8@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6013F13D8@sjc1amfpew04.am.sanm.corp>
Message-ID: <49E38CC9.9090700@redhat.com>

Chavez, James R. wrote:
> Hello,
> I am looking to use the Directory Server Admin Console similar to how the Active Directory Users and Computers tool is used. More specifically I would like to create an administrative group with permission to perform certain functions such as reset user passwords and change certain other attributes. I would like to login to the console with these users instead of Directory Manager or admin to limit the access and damage that can be done.
>
> I have created a group of users with full access to my suffix with the ability to add and remove objects. I can do pretty much any operation with ldapmodify, ldapadd, ldapdelete from the command line.
>
> However I cannot login to the Directory Server console with these users to admin the directory. If I login as Directory Manager to the admin console and then select "login as new user" I am able to login with the users, however the Directory is not visible. I do not have the correct access somewhere obviously.
>
> How can I configure FDS to allow these users to admin the directory in a limited role? I am assuming I need to set ACIs in certain places to allow logging into the FDS admin server console. I am assuming this is possible. I am able to access with a third party tool but would like to use the FDS admin console.
Access to the console is controlled by ACIs under o=NetscapeRoot - to see these do the following search:

ldapsearch -x -D "cn=directory manager" -w yourpassword -b o=netscaperoot "aci=*" aci

You will notice there are two main groups which are used with these ACIs:

ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot

for all administrators. There is an entry corresponding to each server - for example:

dn: cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot

This entry is also a group entry - members of the server group entry are supposed to have access to the server:

aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-ds, cn=Fedora Directory Server, cn=Server Group, cn=ldap.example.com, ou=example.com, o=NetscapeRoot";)

I'm not sure if this will work if the user entry is in a different directory server.

> Thank you
> James
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Mon Apr 13 19:11:42 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 13 Apr 2009 13:11:42 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com> <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com>
Message-ID: <49E38E6E.5000001@redhat.com>

Andrey Ivanov wrote:
> Another thought regarding subtree/modrdn with a different parent renames - referential integrity and memberOf attributes should be adjusted during these renames, it adds a certain difficulty to the realisation, maybe even rewriting some parts of referential integrity and memberof plugins...

Yes . . . It would be nice to get away from using full DNs for group and group member references, and use instead some sort of unique ID.
But in the short term, these are going to be problems we have to solve. > > > * Define a dynamic group, and have the member/uniqueMember attribute > of this group automatically be populated by the server > * clients can then just search for member like with a regular static > posix group > > > > > * support of other virtual attributes generated "on the fly" > > Can you explain this a little more? > > > For example, the memberOf attribute now generated by memberOf plugin > and written into the db could be generated dynamically. For the particular case of memberOf, we decided against using virtual attributes. One reason is that it's harder to do filtering/indexing on virtual attributes e.g. supporting searches like (memberof=somegroup). > The attributes like entryLevelRights and attributeLevelRights are > already created dynamically, nsRole/CoS also (one of the main > drawbacks of the roles is that they are only applicable to a sub-tree). One of the drawbacks of groups is that they do not apply to the sub-tree - makes it difficult in general to replicate them. Roles/CoS are scoped along with the data they apply to, so they go along with replication quite easily. > I'm talking about this type of "virtual" attributes generated by some > filters or regular expressions or plug-ins, maybe creation of some > sort of framework or mechanism to generalize the creation of such > attribiutes. There already is a framework, but not many want to delve into the C code. Can you provide some examples of what you mean? > At the same time they may be a major performance hit so the > dynamically generated attributes should be considered with some > precautions. Most virtual attribute schemes using caching of some sort to make searches go quickly. > > > > * unix socket autobind still does not seem to work (ldapi) - > https://www.redhat.com/archives/fedora-directory-users/2009-February/msg00112.html. > It could be very useful for various maintenance scripts > running on the server. 
> > We tested this with 1.2.0 and it seems to work. You tested a build from source? Did you use --enable-autobind with configure? Did you restart the server after configuring your autobind and sasl mapping?
> Yes, you are right, i have just tested it, in the release version 1.2.0 it works. Perfect! Thank you!
> > > * verification of the server from the viewpoint of memory leaks. The size of the memory used by the server grows with time (normally we don't restart the server during several months, so i can follow the stats)
> > We regularly run the server test suite with valgrind enabled. I'm not aware of any per connection or per operation leaks. What exactly are you seeing?
> I have made a simple cron like this :
> 5 0,12 * * * root ps auxww |grep slapd|grep -v grep >> /Admin/memory.txt
> and i see that the VSZ/RSS of the server grows constantly though very slowly (without a change in the number of entries but with regular modifications). Example (time span ~ 2 months) :
> ldap 23920 0.7 10.3 1452432 417464 ? Sl Feb17 19:36 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
> ...
> ldap 23920 0.5 13.6 1517968 550568 ? Sl Feb17 105:16 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
> ...
> ldap 23920 0.7 13.7 1517968 554696 ? Sl Feb17 220:58 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
> ...
> ldap 23920 0.9 13.8 1517968 559328 ? Sl Feb17 351:14 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
> ...
> ldap 23920 0.7 14.0 1517968 569804 ?
Sl Feb17 448:17 /Local/dirsrv/sbin/ns-slapd -D /Local/dirsrv/etc/dirsrv/slapd-ens -i /Local/dirsrv/var/run/dirsrv/slapd-ens.pid -w /Local/dirsrv/var/run/dirsrv/slapd-ens.startpid
> Maybe it's just the change of the data size anyway...
> > > * logconv.pl - very useful script, add some more options/adjustments (for example, a switch to hide unindexed searches in verbose mode). We use it as logwatch.
> > > * a perl script to show the replication statistics (there is one for the web page generation statistics, something more basic, text-only would be very welcome) in text mode - to receive the reports by mail once per day like logwatch for example
> > What sort of information are you looking for? ldapsearch can provide most of the useful information.
> The same stats as provided by repl-monitor.pl. But in a simple text file form, without any bells and whistles. But you are right, simple ldapsearch formatted by perl can do the thing.
> > > * regular expressions in ACIs (i know, it is very difficult to do, so maybe somewhere in the timescale of the version 10.0 ? :)) - for example, allow a user to add or modify a value just in case the new value matches the regex. Or the group or dn of the user matches the regex...
> > You can do some of that currently with targetattrfilters - see http://tinyurl.com/3yo88r
> Yes, we already use it - for example, to enforce the entered telephone numbers to start with a certain prefix etc
> > We added support in 1.2.0 to allow you to specify group membership with LDAP search specifications, which does allow some wildcarding, so that might help too.
> Yep
> > > * simplify the creation of new syntaxes and their validation/enforcement (version 11.0? :))
> > Can you elaborate?
> Today if i remember right from reading the docs one needs to write a plug-in or a library to add some new syntaxes.
> It would be nice, for example, to have a possibility to define a new custom syntax by a simple regex. As for the matching rules for this new syntax, i agree, it's a bit more difficult...
> > > * virtual views allowing to map not only the trees but also the attributes ('cn' instead of 'uid' in a subtree, for example)
> > Can you elaborate?
> some LDAP-enabled programs/applications (example: Onboard Administrator of the HP c3000/c7000 Blades Enclosure) expect a pre-defined hard-coded naming attribute (RDN) that cannot be changed (for the HP c7000 it is "cn", i think they tested mainly against Active Directory). In our FDS installation the naming attribute is uid. So if we could have a virtual subtree view with the changed naming attribute we would be able to use our LDAP to serve as an authentication/authorization back-end for that soft. It is something like the "Present AD DIT style read-only view of the data stored in the DS part of the tree " feature on the Roadmap page but with larger mapping possibilities.
> ------------------------------------------------------------------------
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From mrejda at kerio.com Tue Apr 14 11:21:14 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Tue, 14 Apr 2009 13:21:14 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <5eac100a-5d2b-4a8a-b5c7-20343b7c2df7@kerio.com>

I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I set up the database link to the Active Directory (and OpenLDAP).
When I looked into the Wireshark log, FDS sends a search request with controls:
2.16.840.1.113730.3.4.2
2.16.840.1.113730.3.4.12
And the AD server responded: Unavailable Critical Extension. I tried to remove these two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console shows an error dialog.

> Michal Rejda wrote:
> > Hi all,
> > I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
> > 1) New database link to LDAP server.
> > - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
> You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft
> > 2) Create multiple-master replication and setup other server as consumer.
> > - But this show error: 255 Replication error acquiring replica: unknown error.
> Replication will only work to a SunDS, not to any other vendor.
> > My question is: Is there way how to setup proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
> See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
> > Thank you for reply.
> > Regards,
> > Michal

From tamarinp at gmail.com Tue Apr 14 12:56:49 2009
From: tamarinp at gmail.com (tamarin p)
Date: Tue, 14 Apr 2009 14:56:49 +0200
Subject: [Fedora-directory-users] Source RPMS for 1.2.0
Message-ID: <4dd1b3eb0904140556q3f430e5bt6a6c9c9282ecbe4@mail.gmail.com>

I can't seem to find any SRPMS alongside the ones for 1.1.3 in the yum repository.
Any estimate on when source rpms will be released?

From rcritten at redhat.com Tue Apr 14 13:19:15 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Apr 2009 09:19:15 -0400
Subject: [Fedora-directory-users] Source RPMS for 1.2.0
In-Reply-To: <4dd1b3eb0904140556q3f430e5bt6a6c9c9282ecbe4@mail.gmail.com>
References: <4dd1b3eb0904140556q3f430e5bt6a6c9c9282ecbe4@mail.gmail.com>
Message-ID: <49E48D53.4000204@redhat.com>

tamarin p wrote:
> I can't seem to find any SRPMS alongside the ones for 1.1.3 in the yum repository. Any estimate on when source rpms will be released?
What yum repo is that? You can always get it from koji. The F-9 build is available here: http://koji.fedoraproject.org/koji/buildinfo?buildID=96751
rob

From philipp.rusch at gw-world.com Tue Apr 14 13:31:10 2009
From: philipp.rusch at gw-world.com (Rusch Philipp pru09)
Date: Tue, 14 Apr 2009 15:31:10 +0200
Subject: [Fedora-directory-users] Concatenate two ca certs
Message-ID:

Hello all, I am struggling with the concatenation of two ca certs. I have two fedora-ds (version 1.0.4 - on two RHEL4 boxes) and I have generated two self signed certificates. Every time I try to concatenate them one server is not reachable with ldapsearch -Z -xxx "username". If I change the order in the cacert.asc file the search request works fine. I have tried to "cat cacert1.asc >> cacert.asc" and "cat cacert2.asc >> cacert.asc" without any achievement. Does anyone of you know how to do it? Thank you in advance. Regards Philipp
For the sake of our environment: Please be aware of the fact that printing this message consumes valuable resources.

From philipp.rusch at gw-world.com Tue Apr 14 14:12:08 2009
From: philipp.rusch at gw-world.com (Rusch Philipp pru09)
Date: Tue, 14 Apr 2009 16:12:08 +0200
Subject: [Fedora-directory-users] AW: Concatenate two ca certs
In-Reply-To:
References:
Message-ID:

Hello again, I always receive the following error:
ldap_start_tls: Connect error (-11)
additional info: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Thanks. P
For the sake of our environment: Please be aware of the fact that printing this message consumes valuable resources.

From rmeggins at redhat.com Tue Apr 14 14:25:16 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Apr 2009 08:25:16 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <5eac100a-5d2b-4a8a-b5c7-20343b7c2df7@kerio.com>
References: <5eac100a-5d2b-4a8a-b5c7-20343b7c2df7@kerio.com>
Message-ID: <49E49CCC.9020704@redhat.com>

Michal Rejda wrote:
> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into Wireshark log, FDS send search request with controls:
> 2.16.840.1.113730.3.4.2
> 2.16.840.1.113730.3.4.12
> And the AD server responded: Unavailable Critical Extension.
>
> I tried to remove this two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console show error dialog.
>
What error?
>
>> Michal Rejda wrote:
>>
>>> Hi all,
>>>
>>> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
>>>
>>> 1) New database link to LDAP server.
>>>
>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
>>>
>> You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft
>>
>>> 2) Create multiple-master replication and setup other server as consumer.
>>>
>>> - But this show error: 255 Replication error acquiring replica: unknown error.
>>>
>> Replication will only work to a SunDS, not to any other vendor.
>>
>>> My question is: Is there way how to setup proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
>>>
>> See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>
>>> Thank you for reply.
>>>
>>> Regards,
>>>
>>> Michal
>>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From tamarinp at gmail.com Tue Apr 14 14:50:31 2009
From: tamarinp at gmail.com (tamarin p)
Date: Tue, 14 Apr 2009 16:50:31 +0200
Subject: [Fedora-directory-users] Source RPMS for 1.2.0
In-Reply-To: <49E48D53.4000204@redhat.com>
References: <4dd1b3eb0904140556q3f430e5bt6a6c9c9282ecbe4@mail.gmail.com> <49E48D53.4000204@redhat.com>
Message-ID: <4dd1b3eb0904140750q40c7111cy9ced93963c916899@mail.gmail.com>

2009/4/14 Rob Crittenden
> tamarin p wrote:
>> I can't seem to find any SRPMS alongside the ones for 1.1.3 in the yum repository. Any estimate on when source rpms will be released?
>>
> What yum repo is that?
>
> You can always get it from koji. The F-9 build is available here:
> http://koji.fedoraproject.org/koji/buildinfo?buildID=96751
>
> rob
Thanks for the pointer. I was browsing http://directory.fedoraproject.org/yum/dirsrv/fedora/6/x86_64/SRPMS/ but the FC9 SRPMs on the site you listed seem to build and install on my RHEL5 test box also.

From tamarinp at gmail.com Tue Apr 14 15:00:40 2009
From: tamarinp at gmail.com (tamarin p)
Date: Tue, 14 Apr 2009 17:00:40 +0200
Subject: [Fedora-directory-users] ds_removal error message when removing server with NetscapeRoot
Message-ID: <4dd1b3eb0904140800l651c7a7eu13ed4e7ab745af43@mail.gmail.com>

When removing a server instance that has the o=NetscapeRoot with ds_removal, I get the following error message in 1.2.0:
Error:The server 'ldap://ldap.test.org:389/o=NetscapeRoot' is not reachable. Error: unknown error
The server directories and configuration seem to be properly removed, but it looks as if an additional connection attempt is made after the server is shut down and removed. Don't remember seeing this before upgrading from 1.1.3.
This is not much of a problem though because the server seems to be removed just fine besides the trailing error message. There is no error message when deleting additional instances registered with the first config directory. Only when removing the config directory itself. Here's the inf-file used to create the config directory instance.

[General]
AdminDomain = test.org
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://ldap.test.org:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = pwd
SuiteSpotUserID = nobody
FullMachineName = ldap.test.org

[slapd]
InstallLdifFile = suggest
ServerIdentifier = test
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = pwd
SlapdConfigForMC = yes
Suffix = dc=test,dc=org
UseExistingMC = 0
AddSampleEntries = No

[admin]
ServerAdminID = admin
ServerAdminPwd = pwd
SysUser = nobody
Port = 9830

From rmeggins at redhat.com Tue Apr 14 15:16:03 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Apr 2009 09:16:03 -0600
Subject: [Fedora-directory-users] ds_removal error message when removing server with NetscapeRoot
In-Reply-To: <4dd1b3eb0904140800l651c7a7eu13ed4e7ab745af43@mail.gmail.com>
References: <4dd1b3eb0904140800l651c7a7eu13ed4e7ab745af43@mail.gmail.com>
Message-ID: <49E4A8B3.1070208@redhat.com>

tamarin p wrote:
> When removing a server instance that has the o=NetscapeRoot with ds_removal, I get the following error message in 1.2.0:
> Error:The server 'ldap://ldap.test.org:389/o=NetscapeRoot' is not reachable. Error: unknown error
>
> The server directories and configuration seem to be properly removed, but it looks as if an additional connection attempt is made after the server is shut down and removed.
> Don't remember seeing this before upgrading from 1.1.3.
> This is not much of a problem though because the server seems to be removed just fine besides the trailing error message.
>
> There is no error message when deleting additional instances registered with the first config directory. Only when removing the config directory itself.
I think the problem is that it is trying to unregister itself from itself. I think ds_removal has the -f option to force it to continue if unregistration fails. However, since ds_removal is mostly useful for removing and unregistering, and you don't care about the unregistration part for the o=NetscapeRoot instance, you can also use remove-ds.pl
>
> Here's the inf-file used to create the config directory instance.
>
> [General]
> AdminDomain = test.org
> SuiteSpotGroup = nobody
> ConfigDirectoryLdapURL = ldap://ldap.test.org:389/o=NetscapeRoot
> ConfigDirectoryAdminID = admin
> ConfigDirectoryAdminPwd = pwd
> SuiteSpotUserID = nobody
> FullMachineName = ldap.test.org
>
> [slapd]
> InstallLdifFile = suggest
> ServerIdentifier = test
> ServerPort = 389
> AddOrgEntries = No
> RootDN = cn=Directory Manager
> RootDNPwd = pwd
> SlapdConfigForMC = yes
> Suffix = dc=test,dc=org
> UseExistingMC = 0
> AddSampleEntries = No
>
> [admin]
> ServerAdminID = admin
> ServerAdminPwd = pwd
> SysUser = nobody
> Port = 9830
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From gopalsachin at gmail.com Tue Apr 14 18:27:13 2009
From: gopalsachin at gmail.com (Sachin Gopal)
Date: Tue, 14 Apr 2009 23:57:13 +0530
Subject: [Fedora-directory-users] Moving from Openldap to Directory server
Message-ID: <7833b03c0904141127w1911f3d9t1cb416cad28b69d8@mail.gmail.com>

Hi, After much effort I was able to have a samba pdc going with Fedora directory server. Now there are 100 users who are on openldap-pdc and I need to move them to directory server. Is there a tried-tested way or tools available for this. Please suggest.
--
Sachin Gopal

From ryan.braun at ec.gc.ca Tue Apr 14 19:15:56 2009
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Tue, 14 Apr 2009 19:15:56 +0000
Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny.
Message-ID: <200904141915.56539.ryan.braun@ec.gc.ca>

I just got finished building some lenny packages for fds 1.2.0 and I am having some issues getting the DS running properly. Using my buildscripts (which create a working 1.2.0 and 1.1.3 for etch, incrementing lenny package names as required), the build works, but when I try to create an instance, I get an error about Netscape Portable Runtime failing to load a library.

lenny:/opt/dirsrv/sbin# ./setup-ds.pl
==============================================================================
This program will set up the Fedora Directory Server.
SNIP
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Could not import LDIF file '/tmp/ldifUjjWfx.ldif'. Error: 256. Output: importing data ...
[14/Apr/2009:12:58:17 -0400] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -5977 - Failure to load dynamic library.): certdir: /etc/dirsrv/slapd-lenny
[14/Apr/2009:12:58:17 -0400] - ERROR: NSS Initialization Failed.
Error: Could not create directory server instance 'lenny'.
Exiting . . .
Log file is '/tmp/setupuyjm1M.log'

I first noticed an issue when building mozldap, this came up

gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ -lplc4 -lplds4 -lnspr4
/usr/bin/ld: cannot find -lsoftokn3

Which led me to find out lenny libnss3-1d has libsoftokn3.so in /usr/lib/nss and not /usr/lib. So I added a symlink to /usr/lib. After that mozldap and everything built ok. But now I'm wondering if I need some kind of special --with-nss-lib statements in my ./configure's.

lenny:~/fdsbuildscripts/mozldap# dpkg -L libnss3-1d
/usr
/usr/lib
/usr/lib/nss
/usr/lib/nss/libfreebl3.so
/usr/lib/nss/libsoftokn3.so
/usr/lib/nss/libnssdbm3.so
/usr/lib/nss/libnssckbi.so
/usr/lib/nss/libsoftokn3.chk
/usr/lib/nss/libfreebl3.chk
/usr/lib/libnss3.so.1d
/usr/lib/libnssutil3.so.1d
/usr/lib/libsmime3.so.1d
/usr/lib/libssl3.so.1d
/usr/share
/usr/share/doc
/usr/share/doc/libnss3-1d
/usr/share/doc/libnss3-1d/copyright
/usr/share/doc/libnss3-1d/changelog.Debian.gz
/usr/lib/libssl3.so
/usr/lib/libsmime3.so
/usr/lib/libnssutil3.so
/usr/lib/libnss3.so

vs etch

/usr
/usr/share
/usr/share/doc
/usr/share/doc/libnss3-0d
/usr/share/doc/libnss3-0d/copyright
/usr/share/doc/libnss3-0d/changelog.Debian.gz
/usr/share/doc/libnss3-0d/MPL.gz
/usr/lib
/usr/lib/libnss3.so.0d
/usr/lib/libsmime3.so.0d
/usr/lib/libsoftokn3.so.0d
/usr/lib/libssl3.so.0d
/usr/lib/xulrunner
/usr/lib/xulrunner/libfreebl3.so
/usr/lib/xulrunner/libnssckbi.so
/usr/lib/xulrunner/libfreebl3.chk
/usr/lib/libsoftokn3.0d.chk

Here are my ./configure options when building mozldap and fedora-ds-base

mozldap
./configure --prefix=/ \
--libdir=/usr/lib/ \
--includedir=/usr/include/mozldap \
--oldincludedir=/usr/include/mozldap \
--sysconfdir=/usr/share/mozldap/etc/ \
--bindir=/usr/lib/mozldap/ \
--enable-clu \
--with-nss-inc=/usr/include/nss/ \
--with-nss-lib=/usr/lib/ \
--with-nspr-inc=/usr/include/nspr/ \
--with-nspr-lib=/usr/lib/ \
--with-svrcore-inc=/usr/include \
--with-svrcore-lib=/usr/lib \
--with-sasl

fedora-ds-base
CPPFLAGS=-DNETSNMP_USE_INLINE=1 ./configure \
--prefix=/opt/dirsrv \
--enable-bundle \
--localstatedir=/var \
--sysconfdir=/etc \
--datadir=/usr/share \
--with-svrcore-inc=/usr/include \
--with-svrcore-lib=/usr/lib \
--with-ldapsdk-inc=/usr/include/mozldap/ \
--with-ldapsdk-lib=/usr/lib/ \
--with-ldapsdk-bin=/usr/lib/mozldap \
--with-nss-inc=/usr/include/nss/ \
--with-nss-lib=/usr/lib/ \
--with-nspr-inc=/usr/include/nspr/ \
--with-nspr-lib=/usr/lib/ \
--with-icu-inc=/usr/include/unicode \
--with-icu-lib=/usr/lib \
--with-icu-bin=/usr/bin \
--with-sasl \
--with-net-snmp \
--with-kerberos

Thanks
Ryan

From rcritten at redhat.com Tue Apr 14 19:41:26 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Apr 2009 15:41:26 -0400
Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny.
In-Reply-To: <200904141915.56539.ryan.braun@ec.gc.ca>
References: <200904141915.56539.ryan.braun@ec.gc.ca>
Message-ID: <49E4E6E6.9040804@redhat.com>

Ryan Braun [ADS] wrote:
> I just got finished building some lenny packages for fds 1.2.0 and I am having some issues getting the DS running properly. Using my buildscripts (which create a working 1.2.0 and 1.1.3 for etch, incrementing lenny package names as required), the build works, but when I try to create an instance, I get an error about Netscape Portable Runtime failing to load a library.
>
> lenny:/opt/dirsrv/sbin# ./setup-ds.pl
>
> ==============================================================================
> This program will set up the Fedora Directory Server.
> SNIP
> Directory Manager DN [cn=Directory Manager]:
> Password:
> Password (confirm):
> Could not import LDIF file '/tmp/ldifUjjWfx.ldif'. Error: 256. Output:
> importing data ...
> [14/Apr/2009:12:58:17 -0400] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -5977 - Failure to load dynamic library.): certdir: /etc/dirsrv/slapd-lenny
> [14/Apr/2009:12:58:17 -0400] - ERROR: NSS Initialization Failed.
>
> Error: Could not create directory server instance 'lenny'.
> Exiting . . .
> Log file is '/tmp/setupuyjm1M.log'
>
> I first noticed an issue when building mozldap, this came up
>
> gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ -lplc4 -lplds4 -lnspr4
> /usr/bin/ld: cannot find -lsoftokn3
You shouldn't need to link this in at all.
http://www.mozilla.org/projects/security/pki/nss/nss-3.4/nss-3.4-release-notes.html
rob

From ngolnik at gmail.com Tue Apr 14 19:56:35 2009
From: ngolnik at gmail.com (Nate Golnik)
Date: Tue, 14 Apr 2009 15:56:35 -0400
Subject: [Fedora-directory-users] Moving from Openldap to Directory server
In-Reply-To: <7833b03c0904141127w1911f3d9t1cb416cad28b69d8@mail.gmail.com>
References: <7833b03c0904141127w1911f3d9t1cb416cad28b69d8@mail.gmail.com>
Message-ID: <4358ce6b0904141256h16211fc0g6b799d5a6c6f0e5f@mail.gmail.com>

On Tue, Apr 14, 2009 at 2:27 PM, Sachin Gopal wrote:
> Hi,
>
> After much effort I was able to have a samba pdc going with Fedora directory server. Now there are 100 users who are on openldap-pdc and I need to move them to directory server. Is there a tried-tested way or tools available for this. Please suggest.
>
> --
> Sachin Gopal
>
I just went through this last week.
1) slapcat on the openldap server to dump everything to an ldif.
2) removed the entries I didn't want to import (entryCSN, entryUUID, structuralObjectClass, creat*, modif* etc).
3) Renamed the tree information for the entries to match the new structure.
4) Import database using fedora-idm-console under the task tab
That's it.
-Nate

From mrejda at kerio.com Wed Apr 15 07:49:41 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Wed, 15 Apr 2009 09:49:41 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <951cebd9-4ce3-40d0-b74f-a63290e2ff99@kerio.com>

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Tuesday, April 14, 2009 4:25 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] LDAP proxy
>
> Michal Rejda wrote:
> > I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into Wireshark log, FDS send search request with controls:
> > 2.16.840.1.113730.3.4.2
> > 2.16.840.1.113730.3.4.12
> > And the AD server responded: Unavailable Critical Extension.
> >
> > I tried to remove this two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console show error dialog.
> >
> What error?
I tried it again and the error message is exactly: Error fading object 'dn: dc=example, dc=com'. The error sent by the server was: ". In the Wireshark log there was still the search request with control: 2.16.840.1.113730.3.4.2
Why is this control needed by the server when I removed it from Database link settings?
> >
> >> Michal Rejda wrote:
> >>
> >>> Hi all,
> >>>
> >>> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
> >>>
> >>> 1) New database link to LDAP server.
> >>>
> >>> - The remote LDAP server (OpenLDAP) returns: null.
> >>> manageDSAit control value not found
> >>>
> >> You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft
> >>
> >>> 2) Create multiple-master replication and setup other server as consumer.
> >>>
> >>> - But this show error: 255 Replication error acquiring replica: unknown error.
> >>>
> >> Replication will only work to a SunDS, not to any other vendor.
> >>
> >>> My question is: Is there way how to setup proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
> >>>
> >> See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
> >>
> >>> Thank you for reply.
> >>>
> >>> Regards,
> >>>
> >>> Michal
> >>>
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From ryan.braun at ec.gc.ca Wed Apr 15 16:32:26 2009
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Wed, 15 Apr 2009 16:32:26 +0000
Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny.
In-Reply-To: <49E4E6E6.9040804@redhat.com>
References: <200904141915.56539.ryan.braun@ec.gc.ca> <49E4E6E6.9040804@redhat.com>
Message-ID: <200904151632.26998.ryan.braun@ec.gc.ca>

On Tuesday 14 April 2009 19:41:26 Rob Crittenden wrote:
> > gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ -lplc4 -lplds4 -lnspr4
> > /usr/bin/ld: cannot find -lsoftokn3
>
> You shouldn't need to link this in at all.
>
> http://www.mozilla.org/projects/security/pki/nss/nss-3.4/nss-3.4-release-notes.html
>
I've tried adding a CC=/usr/bin/gcc-4.1 -Wl, '-rpath=/usr/lib/nss' and the configure bailed here

checking whether we are using GNU C++... yes
checking whether c++ accepts -g... yes
checking for gcc... /usr/bin/gcc-4.1 -Wl, -rpath-link=/usr/lib/nss
checking whether the C compiler (/usr/bin/gcc-4.1 -Wl, -rpath-link=/usr/lib/nss ) works... no
configure: error: installation or configuration problem: C compiler cannot create executables.

Also tried adding a CC=/usr/bin/gcc-4.1 -Wl, -Xlinker -rpath-link -Xlinker /usr/lib/nss, and that also failed. But it at least made it past the check.
gcc-4.1: -rpath-link: linker input file unused because linking not done
gcc-4.1: /usr/lib/nss: linker input file unused because linking not done
/usr/bin/gcc-4.1 -Xlinker -rpath-link -Xlinker /usr/lib/nss -o errormap.o -c -pipe -ansi -Wall -pthread -g -fno-inline -fPIC -DDEBUG_root -DDEBUG=1 -DXP_UNIX=1 -D_POSIX_SOURCE=1 -D_BSD_SOURCE=1 -D_SVID_SOURCE=1 -D_LARGEFILE64_SOURCE=1 -DHAVE_FCNTL_FILE_LOCKING=1 -DLINUX=1 -Dlinux=1 -Di386=1 -DHAVE_LCHOWN=1 -DHAVE_STRERROR=1 -DHAVE_GETADDRINFO=1 -DHAVE_GETNAMEINFO=1 -DHAVE_SASL=1 -DHAVE_SASL_OPTIONS=1 -DLDAP_SASLIO_HOOKS=1 -D_REENTRANT=1 -DFORCE_PR_LOG -D_PR_PTHREADS -UHAVE_CVAR_BUILT_ON_SEM -DUSE_WAITPID -DNEEDPROTOS -DLDAP_DEBUG -DNET_SSL -DNO_LIBLCACHE -DLDAP_REFERRALS -DNS_DOMESTIC -DLINUX2_0 -DLINUX1_2 -DLINUX2_1 -I../../../../../dist/public/ldap -I../../../ldap/include -I../../../../../dist/./include -I../../../../../dist/include -I/usr/include/nss/ -I/usr/include/nspr/ errormap.c
gcc-4.1: -rpath-link: linker input file unused because linking not done
gcc-4.1: /usr/lib/nss: linker input file unused because linking not done
======= making ./libssldap60.so
/usr/bin/gcc-4.1 -Xlinker -rpath-link -Xlinker /usr/lib/nss -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ -lplc4 -lplds4 -lnspr4
/usr/bin/ld: cannot find -lsoftokn3
collect2: ld returned 1 exit status
make[3]: *** [libssldap60.so] Error 1
make[3]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap'
make[2]: *** [export] Error 2
make[2]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries'
make[1]: *** [export] Error 2
make[1]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap'
make: *** [export] Error 2
/usr/bin/install: cannot stat
`/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/lib/libssldap60.so': No such file or directory /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapsearch': No such file or directory /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapmodify': No such file or directory /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapdelete': No such file or directory /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapcmp': No such file or directory /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapcompare': No such file or directory /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldappasswd': No such file or directory dpkg-deb: building package `mozldap' in `/usr/src/debs/mozldap-lenny-6.0.5.deb'. dpkg-deb: building package `mozldap-dev' in `/usr/src/debs/mozldap-dev-lenny-6.0.5.deb'. dpkg-deb: building package `mozldap-tools' in `/usr/src/debs/mozldap-tools-lenny-6.0.5.deb'. Would I be safe to assume, the original error, [14/Apr/2009:12:58:17 -0400] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -5977 - Failure to load dynamic library.): certdir: /etc/dirsrv/slapd-lenny [14/Apr/2009:12:58:17 -0400] - ERROR: NSS Initialization Failed. Is a problem with mozldap not being linked properly? If so, how do I pass the proper options to ld? Ryan From rmeggins at redhat.com Wed Apr 15 16:50:21 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Apr 2009 10:50:21 -0600 Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny. 
In-Reply-To: <200904151632.26998.ryan.braun@ec.gc.ca> References: <200904141915.56539.ryan.braun@ec.gc.ca> <49E4E6E6.9040804@redhat.com> <200904151632.26998.ryan.braun@ec.gc.ca> Message-ID: <49E6104D.5020805@redhat.com> Ryan Braun [ADS] wrote: > On Tuesday 14 April 2009 19:41:26 Rob Crittenden wrote: > >>> gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so >>> ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib >>> -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ >>> -lplc4 -lplds4 - lnspr4 >>> /usr/bin/ld: cannot find -lsoftokn3 >>> >> You shouldn't need to link this in at all. >> >> http://www.mozilla.org/projects/security/pki/nss/nss-3.4/nss-3.4-release-no >> tes.html >> >> > > I've tried adding a CC=/usr/bin/gcc-4.1 -Wl, '-rpath=/usr/lib/nss' and the configure bailed here > > checking whether we are using GNU C++... yes > checking whether c++ accepts -g... yes > checking for gcc... /usr/bin/gcc-4.1 -Wl, -rpath-link=/usr/lib/nss > checking whether the C compiler (/usr/bin/gcc-4.1 -Wl, -rpath-link=/usr/lib/nss ) works... no > configure: error: installation or configuration problem: C compiler cannot create executables. > What about using LDFLAGS="-L/usr/lib/nss" ? The real problem is that mozldap should not link directly against softokn3 anymore - please file a bug at bugzilla.mozilla.org against the LDAP C SDK component. > Also tried adding a CC=/usr/bin/gcc-4.1 -Wl, -Xlinker -rpath-link -Xlinker /usr/lib/nss, and that also failed. But it at least made it passed the check. 
> > gcc-4.1: -rpath-link: linker input file unused because linking not done > gcc-4.1: /usr/lib/nss: linker input file unused because linking not done > /usr/bin/gcc-4.1 -Xlinker -rpath-link -Xlinker /usr/lib/nss -o errormap.o -c -pipe -ansi -Wall -pthread -g -fno-inline -fPIC -DDEBUG_root -DDEBUG=1 -DXP_UNIX=1 -D_POSIX_SOURCE=1 -D_BSD_SOURCE=1 -D_SVID_SOURCE=1 - > D_LARGEFILE64_SOURCE=1 -DHAVE_FCNTL_FILE_LOCKING=1 -DLINUX=1 -Dlinux=1 -Di386=1 -DHAVE_LCHOWN=1 -DHAVE_STRERROR=1 -DHAVE_GETADDRINFO=1 -DHAVE_GETNAMEINFO=1 -DHAVE_SASL=1 -DHAVE_SASL_OPTIONS=1 - > DLDAP_SASLIO_HOOKS=1 -D_REENTRANT=1 -DFORCE_PR_LOG -D_PR_PTHREADS -UHAVE_CVAR_BUILT_ON_SEM -DUSE_WAITPID -DNEEDPROTOS -DLDAP_DEBUG -DNET_SSL -DNO_LIBLCACHE -DLDAP_REFERRALS -DNS_DOMESTIC -DLINUX2_0 > -DLINUX1_2 -DLINUX2_1 -I../../../../../dist/public/ldap -I../../../ldap/include -I../../../../../dist/./include -I../../../../../dist/include -I/usr/include/nss/ -I/usr/include/nspr/ errormap.c > gcc-4.1: -rpath-link: linker input file unused because linking not done > gcc-4.1: /usr/lib/nss: linker input file unused because linking not done > ======= making ./libssldap60.so > /usr/bin/gcc-4.1 -Xlinker -rpath-link -Xlinker /usr/lib/nss -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ - > lplc4 -lplds4 -lnspr4 > /usr/bin/ld: cannot find -lsoftokn3 > collect2: ld returned 1 exit status > make[3]: *** [libssldap60.so] Error 1 > make[3]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap' > make[2]: *** [export] Error 2 > make[2]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries' > make[1]: *** [export] Error 2 > make[1]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap' > make: *** [export] Error 2 > /usr/bin/install: cannot 
stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/lib/libssldap60.so': No such file or directory > /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapsearch': No such file or directory > /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapmodify': No such file or directory > /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapdelete': No such file or directory > /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapcmp': No such file or directory > /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldapcompare': No such file or directory > /usr/bin/install: cannot stat `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/dist/bin/ldappasswd': No such file or directory > dpkg-deb: building package `mozldap' in `/usr/src/debs/mozldap-lenny-6.0.5.deb'. > dpkg-deb: building package `mozldap-dev' in `/usr/src/debs/mozldap-dev-lenny-6.0.5.deb'. > dpkg-deb: building package `mozldap-tools' in `/usr/src/debs/mozldap-tools-lenny-6.0.5.deb'. > > Would I be safe to assume, the original error, > > [14/Apr/2009:12:58:17 -0400] - SSL alert: Security Initialization: NSS > initialization failed (Netscape Portable Runtime error -5977 - Failure to load > dynamic library.): certdir: /etc/dirsrv/slapd-lenny > [14/Apr/2009:12:58:17 -0400] - ERROR: NSS Initialization Failed. > > Is a problem with mozldap not being linked properly? If so, how do I pass the proper options to ld? > > Ryan > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
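Rich's suggestion of LDFLAGS="-L/usr/lib/nss" and Rob's point that softokn3 should not be linked at all both come down to how ld resolves each -lNAME against the -L search path. The Python model below is an added example, not code from the thread, from mozldap or from Fedora DS: it replays the link line from the build log against a constructed directory tree and reports which -l names fail to resolve as-is, with the extra -L directory, and with -lsoftokn3 dropped. The library locations are an assumption consistent with the thread (libnss3/libssl3 in /usr/lib, the softokn module under /usr/lib/nss); the relative dist path was replaced by an absolute one so the constructed tree stays inside the temporary directory.

```python
"""Model of ld's -l/-L resolution, run against a constructed library tree.
Added example for the mozldap "cannot find -lsoftokn3" thread; nothing on
the real system is read."""
import os
import shlex
import tempfile

# Linker line from the build log (dist path made absolute for the model).
LINK_CMD = ("gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so "
            "./clientinit.o ./ldapsinit.o ./errormap.o -L/build/dist/lib "
            "-lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 "
            "-L/usr/lib/ -lplc4 -lplds4 -lnspr4")

# Constructed layout (assumption): where each shared object lives.
FAKE_LIBS = {
    "/build/dist/lib": ["libldap60.so", "libprldap60.so"],
    "/usr/lib": ["libssl3.so", "libnss3.so", "libplc4.so", "libplds4.so",
                 "libnspr4.so"],
    "/usr/lib/nss": ["libsoftokn3.so", "libfreebl3.so"],
}


def parse_link_args(cmd):
    """Return (search_dirs, libs) in command-line order, as ld sees them.
    Accepts '-L/dir' and '-L /dir', '-lfoo' and '-l foo'."""
    dirs, libs = [], []
    args = shlex.split(cmd)
    i = 0
    while i < len(args):
        arg = args[i]
        for flag, bucket in (("-L", dirs), ("-l", libs)):
            if arg == flag and i + 1 < len(args):
                bucket.append(args[i + 1])
                i += 1
                break
            if arg.startswith(flag) and len(arg) > 2:
                bucket.append(arg[2:])
                break
        i += 1
    return dirs, libs


def resolve_libs(search_dirs, libs, root):
    """Mimic ld: for each -lNAME try libNAME.so, then libNAME.a, in every
    -L directory (all -L dirs apply to every -l, whatever their position).
    `root` is prefixed to each directory so the lookup hits the fake tree."""
    found, missing = {}, []
    for name in libs:
        for d in search_dirs:
            base = os.path.join(root, os.path.normpath(d).lstrip("/"))
            for cand in (f"lib{name}.so", f"lib{name}.a"):
                path = os.path.join(base, cand)
                if os.path.exists(path):
                    found[name] = path
                    break
            if name in found:
                break
        else:
            missing.append(name)
    return found, missing


def build_fake_tree(root):
    """Create empty placeholder files for the constructed library layout."""
    for d, names in FAKE_LIBS.items():
        base = os.path.join(root, d.lstrip("/"))
        os.makedirs(base, exist_ok=True)
        for n in names:
            open(os.path.join(base, n), "w").close()


def diagnose(root=None):
    """Resolve the link line three ways and return the unresolved -l names
    for each: as-is, with LDFLAGS adding -L/usr/lib/nss, and with
    -lsoftokn3 removed (NSS >= 3.4 loads the softoken itself)."""
    root = root or tempfile.mkdtemp(prefix="ldmodel-")
    build_fake_tree(root)
    dirs, libs = parse_link_args(LINK_CMD)
    as_is = resolve_libs(dirs, libs, root)[1]
    with_ldflags = resolve_libs(["/usr/lib/nss"] + dirs, libs, root)[1]
    no_softokn = resolve_libs(dirs, [l for l in libs if l != "softokn3"], root)[1]
    return {"as_is": as_is, "ldflags_nss": with_ldflags, "drop_softokn3": no_softokn}


if __name__ == "__main__":
    for variant, missing in diagnose().items():
        print(f"{variant:14s} unresolved: {missing or 'none'}")
```

The model covers link-time resolution only. The runtime failure Ryan quotes ("Failure to load dynamic library" during NSS initialization) is the dynamic loader's lookup, which -L does not influence; that is the part an rpath or the loader's configuration addresses.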
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Apr 15 16:59:25 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Apr 2009 10:59:25 -0600 Subject: [Fedora-directory-users] LDAP proxy In-Reply-To: <951cebd9-4ce3-40d0-b74f-a63290e2ff99@kerio.com> References: <951cebd9-4ce3-40d0-b74f-a63290e2ff99@kerio.com> Message-ID: <49E6126D.20301@redhat.com> Michal Rejda wrote: > >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com [mailto:fedora- >> directory-users-bounces at redhat.com] On Behalf Of Rich Megginson >> Sent: Tuesday, April 14, 2009 4:25 PM >> To: General discussion list for the Fedora Directory server project. >> Subject: Re: [Fedora-directory-users] LDAP proxy >> >> Michal Rejda wrote: >> >>> I tried to use http://tinyurl.com/culeft. But the database link >>> >> doesn't work. I setup the database link to the Active Directory (and >> OpenLDAP). When I looked into Wireshark log, FDS send search request >> with controls: >> >>> 2.16.840.1.113730.3.4.2 >>> 2.16.840.1.113730.3.4.12 >>> And the AD server responded: Unavailable Critical Extension. >>> >>> I tried to remove this two controls from Database Link Settings (in >>> >> administration console) but it didn't help. The server didn't return >> the message above, but the administrative console show error dialog. >> >> What error? >> > I tried it again and the error message is exactly: > > Error fading object 'dn: dc=example, dc=com'. > The error send by the server was: > ". > > In the Whireshark log was still the search request witch control: > 2.16.840.1.113730.3.4.2 > > Why is this control needed by the server when I removed it from Database link settings? > I'm not sure - maybe the console is not working correctly. 
Try this:
1) Shut down the server
2) cd /etc/dirsrv/slapd-yourinstance
3) edit dse.ldif - look for the entry
   dn: cn=config,cn=chaining database,cn=plugins,cn=config
4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
5) save and restart the server

> >>>> Michal Rejda wrote: >>>> >>>> >>>>> Hi all, >>>>> >>>>> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP >>>>> and Active Directory). I tried two ways, but none of these works: >>>>> >>>>> 1) New database link to LDAP server. >>>>> >>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit >>>>> >>>>> >>>> control >>>> >>>> >>>>> value not found >>>>> >>>>> >>>>> >>>> You might have to tweak the controls used by chaining - see >>>> http://tinyurl.com/culeft >>>> >>>> >>>>> 2) Create multiple-master replication and setup other server as >>>>> >>>>> >>>> consumer. >>>> >>>> >>>>> - But this show error: 255 Replication error acquiring replica: >>>>> unknown error. >>>>> >>>>> >>>>> >>>> Replication will only work to a SunDS, not to any other vendor. >>>> >>>> >>>>> My question is: Is there way how to setup proxy to access another >>>>> >>>>> >>>> LDAP >>>> >>>> >>>>> server from Fedora DS? I know that is possible to use AD sync, but >>>>> >> I >> >>>>> cannot install anything on the AD server. The second reason why I >>>>> >>>>> >>>> need >>>> >>>> >>>>> to setup proxy is to use data stored in LDAP server (OpenLDAP, Open >>>>> Direcoty Server and Active Directory) in one place. I need to >>>>> >> update >> >>>>> them too. It is not necessary to synchronize passwords. >>>>> >>>>> >>>>> >>>> See also >>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration >>>> >>>> >>>>> Thank you for reply.
>>>>> >>>>> Regards, >>>>> >>>>> Michal >>>>> >>>>> >>>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From ryan.braun at ec.gc.ca Wed Apr 15 17:00:28 2009 From: ryan.braun at ec.gc.ca (Ryan Braun [ADS]) Date: Wed, 15 Apr 2009 17:00:28 +0000 Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny. In-Reply-To: <49E6104D.5020805@redhat.com> References: <200904141915.56539.ryan.braun@ec.gc.ca> <200904151632.26998.ryan.braun@ec.gc.ca> <49E6104D.5020805@redhat.com> Message-ID: <200904151700.28332.ryan.braun@ec.gc.ca> On Wednesday 15 April 2009 16:50:21 Rich Megginson wrote: > Ryan Braun [ADS] wrote: > > On Tuesday 14 April 2009 19:41:26 Rob Crittenden wrote: > >>> gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so > >>> ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib > >>> -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ > >>> -lplc4 -lplds4 - lnspr4 > >>> /usr/bin/ld: cannot find -lsoftokn3 > >> > >> You shouldn't need to link this in at all. > >> > >> http://www.mozilla.org/projects/security/pki/nss/nss-3.4/nss-3.4-release > >>-no tes.html > > > > I've tried adding a CC=/usr/bin/gcc-4.1 -Wl, '-rpath=/usr/lib/nss' and > > the configure bailed here > > > > checking whether we are using GNU C++... yes > > checking whether c++ accepts -g... yes > > checking for gcc... /usr/bin/gcc-4.1 -Wl, -rpath-link=/usr/lib/nss > > checking whether the C compiler (/usr/bin/gcc-4.1 -Wl, > > -rpath-link=/usr/lib/nss ) works... 
no configure: error: installation or > > configuration problem: C compiler cannot create executables. > > What about using LDFLAGS="-L/usr/lib/nss" ? > > The real problem is that mozldap should not link directly against > softokn3 anymore - please file a bug at bugzilla.mozilla.org against the > LDAP C SDK component. > Will do Rich, but setting the LDFLAGS variable didn't help either. make[3]: Entering directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap' ======= making ./libssldap60.so gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ -lplc4 -lplds4 -lnspr4 /usr/bin/ld: cannot find -lsoftokn3 collect2: ld returned 1 exit status make[3]: *** [libssldap60.so] Error 1 make[3]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap' make[2]: *** [export] Error 2 make[2]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries' make[1]: *** [export] Error 2 make[1]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap' make: *** [export] Error 2 Here is some of config.log showing that LDFLAGS was set properly. This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. 
configure:662: checking host system type configure:683: checking target system type configure:701: checking build system type configure:971: checking for --with-svrcore configure:1237: checking for --with-nss configure:1260: checking for --with-nss-inc configure:1282: checking for --with-nss-lib configure:1525: checking for --with-nspr configure:1553: checking for --with-nspr-inc configure:1574: checking for --with-nspr-lib configure:1937: checking for whoami configure:2027: checking for c++ configure:2059: checking whether the C++ compiler (c++ -L ) works configure:2075: c++ -o conftest -L/usr/lib/nss conftest.C 1>&5 configure:2101: checking whether the C++ compiler (c++ -L/usr/lib/nss) is a cross-compiler configure:2106: checking whether we are using GNU C++ configure:2115: c++ -E conftest.C configure:2134: checking whether c++ accepts -g configure:2183: cc -c conftest.c 1>&5 configure:2200: cc -c conftest.c 1>&5 configure: In function 'main': configure:2196: warning: incompatible implicit declaration of built-in function 'exit' configure:2222: checking for gcc configure:2335: checking whether the C compiler (gcc -L/usr/lib/nss) works configure:2351: gcc -o conftest -L/usr/lib/nss conftest.c 1>&5 configure:2377: checking whether the C compiler (gcc -L/usr/lib/nss) is a cross-compiler From rmeggins at redhat.com Wed Apr 15 17:34:01 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Apr 2009 11:34:01 -0600 Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny. 
In-Reply-To: <200904151700.28332.ryan.braun@ec.gc.ca> References: <200904141915.56539.ryan.braun@ec.gc.ca> <200904151632.26998.ryan.braun@ec.gc.ca> <49E6104D.5020805@redhat.com> <200904151700.28332.ryan.braun@ec.gc.ca> Message-ID: <49E61A89.4060604@redhat.com> Ryan Braun [ADS] wrote: > On Wednesday 15 April 2009 16:50:21 Rich Megginson wrote: > >> Ryan Braun [ADS] wrote: >> >>> On Tuesday 14 April 2009 19:41:26 Rob Crittenden wrote: >>> >>>>> gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so >>>>> ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib >>>>> -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ >>>>> -lplc4 -lplds4 - lnspr4 >>>>> /usr/bin/ld: cannot find -lsoftokn3 >>>>> >>>> You shouldn't need to link this in at all. >>>> >>>> http://www.mozilla.org/projects/security/pki/nss/nss-3.4/nss-3.4-release >>>> -no tes.html >>>> >>> I've tried adding a CC=/usr/bin/gcc-4.1 -Wl, '-rpath=/usr/lib/nss' and >>> the configure bailed here >>> >>> checking whether we are using GNU C++... yes >>> checking whether c++ accepts -g... yes >>> checking for gcc... /usr/bin/gcc-4.1 -Wl, -rpath-link=/usr/lib/nss >>> checking whether the C compiler (/usr/bin/gcc-4.1 -Wl, >>> -rpath-link=/usr/lib/nss ) works... no configure: error: installation or >>> configuration problem: C compiler cannot create executables. >>> >> What about using LDFLAGS="-L/usr/lib/nss" ? >> >> The real problem is that mozldap should not link directly against >> softokn3 anymore - please file a bug at bugzilla.mozilla.org against the >> LDAP C SDK component. >> >> > > Will do Rich, but setting the LDFLAGS variable didn't help either. > If you want to use an rpath, do configure --with-rpath=/some/path If you look at mozilla/directory/c-sdk/build.mk starting at around line 504 you will see the various commands (LINK_DLL) used to build shared libraries on linux and other *nix. 
You could try setting ALDFLAGS or DLL_LDFLAGS > > make[3]: Entering directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap' > ======= making ./libssldap60.so > gcc -shared -Wl,-soname -Wl,libssldap60.so -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ -lplc4 -lplds4 -lnspr4 > /usr/bin/ld: cannot find -lsoftokn3 > collect2: ld returned 1 exit status > make[3]: *** [libssldap60.so] Error 1 > make[3]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap' > make[2]: *** [export] Error 2 > make[2]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries' > make[1]: *** [export] Error 2 > make[1]: Leaving directory `/tmp/fdsbuildscripts/mozldap/mozldap-6.0.5/mozilla/directory/c-sdk/ldap' > make: *** [export] Error 2 > > > > Here is some of config.log showing that LDFLAGS was set properly. > > This file contains any messages produced by compilers while > running configure, to aid debugging if configure makes a mistake. 
> > configure:662: checking host system type > configure:683: checking target system type > configure:701: checking build system type > configure:971: checking for --with-svrcore > configure:1237: checking for --with-nss > configure:1260: checking for --with-nss-inc > configure:1282: checking for --with-nss-lib > configure:1525: checking for --with-nspr > configure:1553: checking for --with-nspr-inc > configure:1574: checking for --with-nspr-lib > configure:1937: checking for whoami > configure:2027: checking for c++ > configure:2059: checking whether the C++ compiler (c++ -L ) works > configure:2075: c++ -o conftest -L/usr/lib/nss conftest.C 1>&5 > configure:2101: checking whether the C++ compiler (c++ -L/usr/lib/nss) is a cross-compiler > configure:2106: checking whether we are using GNU C++ > configure:2115: c++ -E conftest.C > configure:2134: checking whether c++ accepts -g > configure:2183: cc -c conftest.c 1>&5 > configure:2200: cc -c conftest.c 1>&5 > configure: In function 'main': > configure:2196: warning: incompatible implicit declaration of built-in function 'exit' > configure:2222: checking for gcc > configure:2335: checking whether the C compiler (gcc -L/usr/lib/nss) works > configure:2351: gcc -o conftest -L/usr/lib/nss conftest.c 1>&5 > configure:2377: checking whether the C compiler (gcc -L/usr/lib/nss) is a cross-compiler > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL:

From andrey.ivanov at polytechnique.fr Wed Apr 15 19:21:34 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Wed, 15 Apr 2009 21:21:34 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49E38E6E.5000001@redhat.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com> <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com> <49E38E6E.5000001@redhat.com>
Message-ID: <1601b8650904151221l7370c86ajc9ca79525edf1eff@mail.gmail.com>

> > * support of other virtual attributes generated "on the fly"
>>
>> Can you explain this a little more?
>>
>> For example, the memberOf attribute now generated by memberOf plugin and written into the db could be generated dynamically.
>>
> For the particular case of memberOf, we decided against using virtual attributes. One reason is that it's harder to do filtering/indexing on virtual attributes e.g. supporting searches like (memberof=somegroup).

Yes, I remember this reasoning - I was following quite closely the development of this plug-in as it was sine qua non for our production environment...

>> The attributes like entryLevelRights and attributeLevelRights are already created dynamically, nsRole/CoS also (one of the main drawbacks of the roles is that they are only applicable to a sub-tree).
>>
> One of the drawbacks of groups is that they do not apply to the sub-tree - makes it difficult in general to replicate them. Roles/CoS are scoped along with the data they apply to, so they go along with replication quite easily.

Yep. You're talking about the drawbacks concerning the difficulty of the code development. But for us the sub-tree application was an essential limitation of Roles - we couldn't use it to make the same thing as memberof, that's why I was looking forward eagerly to the memberof plugin...

>> I'm talking about this type of "virtual" attributes generated by some filters or regular expressions or plug-ins, maybe creation of some sort of framework or mechanism to generalize the creation of such attributes.
>>
> There already is a framework, but not many want to delve into the C code.
>
> Can you provide some examples of what you mean?

For example, automatic generation of a virtual attribute describing the location (or type) of the person by applying a regex to his/her telephoneNumber (first n digits). But then again you are right about indexing and filters with these attributes... Another example: in our production environment we have an "ou" attribute containing the DNs of the units where the person belongs. It would be nice to convert it automatically to an attribute "displayOu" with slashes instead of ",ou=":

ou: ou=lpp,ou=lab,ou=dgar,ou=dg,ou=organisation,dc=example,dc=com
displayOu: LPP/LAB/DGAR/DG

Today we are using scripts. This type of attribute conversion can easily be made inside an application if you write it internally, otherwise one needs to add this type of "converted" attributes...
-------------- next part --------------
An HTML attachment was scrubbed...
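The ou to displayOu conversion that Andrey does with scripts today, as an added example in Python (not code from the thread, from his scripts or from Fedora DS). It parses the DN properly rather than splitting on every comma (an escaped "\," inside a value is not a separator), keeps only the ou RDNs below an assumed base of ou=organisation,dc=example,dc=com so the output matches the LPP/LAB/DGAR/DG in the post, and generalises the idea to regex-driven derived attributes such as uid to homeDirectory. The sample entry, the base DN, the RegexRule/CallableRule names and the telephoneNumber-to-siteCode rule are constructed for illustration.

```python
"""Derive display/convenience attributes from existing entry values.
Added example for the virtual-attribute discussion; the entry, the base DN
and the rule names are constructed, not taken from any real directory."""
import re

# Constructed entry, modelled on the ou example in the post.
SAMPLE_ENTRY = {
    "uid": ["aivanov"],
    "ou": ["ou=lpp,ou=lab,ou=dgar,ou=dg,ou=organisation,dc=example,dc=com"],
    "telephoneNumber": ["+33 1 69 33 12 34"],
}
ORG_BASE = "ou=organisation,dc=example,dc=com"   # assumed root of the unit tree


def split_rdns(dn):
    """Split a DN on unescaped commas only (RFC 4514: '\\,' inside a value
    is data, not a separator). Returns RDN strings leaf-first."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def rdn_type_value(rdn):
    """'ou=lpp' -> ('ou', 'lpp'); attribute types compare case-insensitively."""
    t, _, v = rdn.partition("=")
    return t.strip().lower(), v.strip()


def dn_to_display_path(dn, base=ORG_BASE, attr="ou"):
    """ou=lpp,ou=lab,ou=dgar,ou=dg,<base> -> 'LPP/LAB/DGAR/DG'.
    Only RDNs of type `attr` below `base` are used. Returns None when the
    DN is not under `base`, so a stray value never yields a misleading path."""
    rdns, base_rdns = split_rdns(dn), split_rdns(base)
    if len(rdns) <= len(base_rdns):
        return None
    tail = [(t, v.lower()) for t, v in map(rdn_type_value, rdns[-len(base_rdns):])]
    if tail != [(t, v.lower()) for t, v in map(rdn_type_value, base_rdns)]:
        return None
    units = [v for t, v in map(rdn_type_value, rdns[:-len(base_rdns)]) if t == attr]
    return "/".join(u.upper() for u in units)


class RegexRule:
    """Derive `dest` from each value of `source` that FULLY matches
    `pattern`, using an re.sub-style `replacement` with backreferences.
    Non-matching values are skipped, not passed through: that is what keeps a
    uid such as '../etc' from ever producing a homeDirectory value."""
    def __init__(self, source, dest, pattern, replacement):
        self.source, self.dest = source, dest
        self.pattern, self.replacement = re.compile(pattern), replacement

    def derive(self, entry):
        return [self.pattern.sub(self.replacement, v)
                for v in entry.get(self.source, []) if self.pattern.fullmatch(v)]


class CallableRule:
    """Derive `dest` from `source` through a function, for conversions a
    single regex handles badly (DN parsing being the case at hand)."""
    def __init__(self, source, dest, func):
        self.source, self.dest, self.func = source, dest, func

    def derive(self, entry):
        results = (self.func(v) for v in entry.get(self.source, []))
        return [r for r in results if r is not None]


RULES = [
    CallableRule("ou", "displayOu", dn_to_display_path),
    # POSIX-style user names only; anchored so '/' or '..' cannot appear.
    RegexRule("uid", "homeDirectory", r"[a-z_][a-z0-9_-]{0,31}", r"/home/\g<0>"),
    # Constructed rule: leading digits of the number classify the site.
    RegexRule("telephoneNumber", "siteCode", r"\+33 (\d) (\d\d).*", r"FR-\1\2"),
]


def apply_rules(entry, rules=RULES):
    """Return a copy of `entry` with every derived attribute that produced
    at least one value added; multi-valued sources stay multi-valued."""
    derived = dict(entry)
    for rule in rules:
        values = rule.derive(entry)
        if values:
            derived[rule.dest] = values
    return derived


if __name__ == "__main__":
    for attr, values in apply_rules(SAMPLE_ENTRY).items():
        print(f"{attr}: {', '.join(values)}")
```

The rule objects mirror the shape of the discussion: a source attribute, a destination attribute, and a transformation. Anchoring the uid pattern with fullmatch is the part to keep if this ever writes real homeDirectory values, since a derived attribute inherits whatever the source attribute's writers were allowed to put there.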
URL: From rmeggins at redhat.com Wed Apr 15 19:47:27 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Apr 2009 13:47:27 -0600 Subject: [Fedora-directory-users] Proposed new features for 1.3 In-Reply-To: <1601b8650904151221l7370c86ajc9ca79525edf1eff@mail.gmail.com> References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com> <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com> <49E38E6E.5000001@redhat.com> <1601b8650904151221l7370c86ajc9ca79525edf1eff@mail.gmail.com> Message-ID: <49E639CF.5020602@redhat.com> Andrey Ivanov wrote: > > * support of other virtual attributes generated "on the > fly" > > Can you explain this a little more? > > > For example, the memberOf attribute now generated by memberOf > plugin and written into the db could be generated dynamically. > > For the particular case of memberOf, we decided against using > virtual attributes. One reason is that it's harder to do > filtering/indexing on virtual attributes e.g. supporting searches > like (memberof=somegroup). > > Yes, i remember this reasoning - i was following quite closely the > development of this plug-in as it was sine qua non for our production > environment... > > > > The attributes like entryLevelRights and attributeLevelRights > are already created dynamically, nsRole/CoS also (one of the > main drawbacks of the roles is that they are only applicable > to a sub-tree). > > One of the drawbacks of groups is that they do not apply to the > sub-tree - makes it difficult in general to replicate them. > Roles/CoS are scoped along with the data they apply to, so they > go along with replication quite easily. > > Yep.You're talking about the drawbacks concerning the difficulty of > the code development. 
But for us the sub-tree application that was an
> essential limitation of Roles - we couldn't use it to make the same
> thing as memberof, that's why i was looking forward eagerly for the
> memberof plugin...

Do you want to do something like this

dc=example,dc=com
+ou=people
+ou=roles
++cn=my role

And have cn=my role be a role that applies to users under ou=people? e.g. by adding a
roleSubtree: ou=people,dc=example,dc=com
to the role definition?

> > > I'm talking about this type of "virtual" attributes generated
> by some filters or regular expressions or plug-ins, maybe
> creation of some sort of framework or mechanism to generalize
> the creation of such attribiutes.
>
> There already is a framework, but not many want to delve into the
> C code.
>
> Can you provide some examples of what you mean?
>
> For example, automatic generation of a virtual attribute describing
> the location (or type) of the person by applying regex to his/her
> telephoneNumber (first n digits). But then again you are right about
> indexing and filters with these attributes... Another example: in our
> production environment we have a "ou" attribute containing the DNs of
> the units where the person belongs. It would be nice to convert it
> automatically to an attribute "displayOu" with slashes instead of ",ou=":
>
> ou: ou=lpp,ou=lab,ou=dgar,ou=dg,ou=organisation,dc=example,dc=com
> displayOu: LPP/LAB/DGAR/DG
>
> Today we are using scripts. This type of attribute conversion can
> easily be made inside an application if you write it internally,
> otherwise one needs to add this type of "converted" attributes...

Ok. So something like CoS, but with a couple of additional attributes:
cosDestinationAttribute - grab the value from cosAttribute, but write to this attribute instead
cosRegex - apply this regex to the value

e.g.
cosAttribute: ou
cosDestinationAttribute: displayOu
cosRegex: s|ou=(\S)+,ou=(\S)+,ou=(\S+),ou=(\S+)|\1/\2/\3/\4/|

It would be difficult to create indexes on these (e.g. if you wanted to do searches like (displayOu=LPP/*)

Something like that would be useful for posix homeDirectory too

cosAttribute: uid
cosDestinationAttribute: homeDirectory
cosRegex: s,(.+),/home/\1,

> > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL:

From mrejda at kerio.com Thu Apr 16 11:57:24 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Thu, 16 Apr 2009 13:57:24 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <72e017b6-12e7-4004-affb-2c146bac0837@kerio.com>

> Michal Rejda wrote: > > > >> -----Original Message----- > >> From: fedora-directory-users-bounces at redhat.com [mailto:fedora- > >> directory-users-bounces at redhat.com] On Behalf Of Rich Megginson > >> Sent: Tuesday, April 14, 2009 4:25 PM > >> To: General discussion list for the Fedora Directory server project. > >> Subject: Re: [Fedora-directory-users] LDAP proxy > >> > >> Michal Rejda wrote: > >> > >>> I tried to use http://tinyurl.com/culeft. But the database link > >>> > >> doesn't work. I setup the database link to the Active Directory (and > >> OpenLDAP). When I looked into Wireshark log, FDS send search request > >> with controls: > >> > >>> 2.16.840.1.113730.3.4.2 > >>> 2.16.840.1.113730.3.4.12 > >>> And the AD server responded: Unavailable Critical Extension. > >>> > >>> I tried to remove this two controls from Database Link Settings (in > >>> > >> administration console) but it didn't help. The server didn't return > >> the message above, but the administrative console show error dialog. > >> > >> What error?
> >>
> > I tried it again and the error message is exactly:
> >
> > Error fading object 'dn: dc=example, dc=com'.
> > The error sent by the server was:
> > ".
> >
> > In the Wireshark log was still the search request with control:
> > 2.16.840.1.113730.3.4.2
> >
> > Why is this control needed by the server when I removed it from
> Database link settings?
> >
> I'm not sure - maybe the console is not working correctly. Try this:
> 1) Shutdown the server
> 2) cd /etc/dirsrv/slapd-yourinstance
> 3) edit dse.ldif - look for the entry
> dn: cn=config,cn=chaining database,cn=plugins,cn=config
> 4) edit the nsTransmittedControls attribute - remove
> 2.16.840.1.113730.3.4.2
> 5) save and restart the server

I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2. Isn't the 2.16.840.1.113730.3.4.2 hardcoded? Why is this so necessary?

> > > >>>> Michal Rejda wrote: > >>>> > >>>> > >>>>> Hi all, > >>>>> > >>>>> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP > >>>>> and Active Directory). I tried two ways, but none of these works: > >>>>> > >>>>> 1) New database link to LDAP server. > >>>>> > >>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit > >>>>> > >>>>> > >>>> control > >>>> > >>>> > >>>>> value not found > >>>>> > >>>>> > >>>>> > >>>> You might have to tweak the controls used by chaining - see > >>>> http://tinyurl.com/culeft > >>>> > >>>> > >>>>> 2) Create multiple-master replication and setup other server as > >>>>> > >>>>> > >>>> consumer. > >>>> > >>>> > >>>>> - But this show error: 255 Replication error acquiring replica: > >>>>> unknown error. > >>>>> > >>>>> > >>>>> > >>>> Replication will only work to a SunDS, not to any other vendor. > >>>> > >>>> > >>>>> My question is: Is there way how to setup proxy to access another > >>>>> > >>>>> > >>>> LDAP > >>>> > >>>> > >>>>> server from Fedora DS?
I know that is possible to use AD sync, > but > >>>>> > >> I > >> > >>>>> cannot install anything on the AD server. The second reason why I > >>>>> > >>>>> > >>>> need > >>>> > >>>> > >>>>> to setup proxy is to use data stored in LDAP server (OpenLDAP, > >>>>> Open Direcoty Server and Active Directory) in one place. I need > to > >>>>> > >> update > >> > >>>>> them too. It is not necessary to synchronize passwords. > >>>>> > >>>>> > >>>>> > >>>> See also > >>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration > >>>> > >>>> > >>>>> Thank you for reply. > >>>>> > >>>>> Regards, > >>>>> > >>>>> Michal > >>>>> > >>>>> From samuel.germain at gmail.com Wed Apr 15 16:18:00 2009 From: samuel.germain at gmail.com (Samuel Germain) Date: Wed, 15 Apr 2009 18:18:00 +0200 Subject: [Fedora-directory-users] Installation error Message-ID: Hello, I am trying to install Fedora Directory Server on Fedora Core 10 but the last step of the installation is going wrong. The log file is following below Anybody can help me ? Thanks a lot Best regards * [09/04/15:18:49:53] - [Setup] Info Would you like to continue? [09/04/15:18:50:18] - [Setup] Info yes [09/04/15:18:50:18] - [Setup] Info Choose a setup type: 1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. [09/04/15:18:50:18] - [Setup] Info Choose a setup type [09/04/15:18:50:19] - [Setup] Info 2 [09/04/15:18:50:19] - [Setup] Info Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: eros.example.com. To accept the default shown in brackets, press the Enter key. 
[09/04/15:18:50:20] - [Setup] Info Computer name
[09/04/15:18:50:22] - [Setup] Info localhost.fr
[09/04/15:18:50:22] - [Setup] Info The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities.
[09/04/15:18:50:22] - [Setup] Info System User
[09/04/15:18:50:26] - [Setup] Info samuel
[09/04/15:18:50:26] - [Setup] Info System Group
[09/04/15:18:50:28] - [Setup] Info samuel
[09/04/15:18:50:28] - [Setup] Info Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form .(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format). If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one.
[09/04/15:18:50:28] - [Setup] Info Do you want to register this software with an existing configuration directory server?
[09/04/15:18:50:32] - [Setup] Info no
[09/04/15:18:50:32] - [Setup] Info Please enter the administrator ID for the configuration directory server. This is the ID typically used to log in to the console. You will also be prompted for the password.
[09/04/15:18:50:32] - [Setup] Info Configuration directory server administrator ID
[09/04/15:18:50:34] - [Setup] Info admin
[09/04/15:18:50:34] - [Setup] Info Password
[09/04/15:18:50:37] - [Setup] Info Password (confirm)
[09/04/15:18:50:39] - [Setup] Info The information stored in the configuration directory server can be separated into different Administration Domains. If you are managing multiple software releases at the same time, or managing information about multiple domains, you may use the Administration Domain to keep them separate. If you are not using administrative domains, press Enter to select the default. Otherwise, enter some descriptive, unique name for the administration domain, such as the name of the organization responsible for managing the domain.
[09/04/15:18:50:39] - [Setup] Info Administration Domain
[09/04/15:18:50:41] - [Setup] Info fr
[09/04/15:18:50:41] - [Setup] Info The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use.
[09/04/15:18:50:41] - [Setup] Info Directory server network port
[09/04/15:18:50:44] - [Setup] Info 389
[09/04/15:18:50:44] - [Setup] Info Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier.
[09/04/15:18:50:44] - [Setup] Info Directory server identifier
[09/04/15:18:50:46] - [Setup] Info localhost
[09/04/15:18:50:46] - [Setup] Info The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes.
[09/04/15:18:50:46] - [Setup] Info Suffix
[09/04/15:18:50:48] - [Setup] Info dc=fr
[09/04/15:18:50:48] - [Setup] Info Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces. Press Control-B or type the word "back", then Enter to back up and start over.
[09/04/15:18:50:48] - [Setup] Info Directory Manager DN
[09/04/15:18:50:49] - [Setup] Info cn=Directory Manager
[09/04/15:18:50:49] - [Setup] Info Password
[09/04/15:18:50:57] - [Setup] Info Password (confirm)
[09/04/15:18:51:05] - [Setup] Info The Administration Server is separate from any of your web or application servers since it listens to a different port and access to it is restricted. Pick a port number between 1024 and 65535 to run your Administration Server on. You should NOT use a port number which you plan to run a web or application server on, rather, select a number which you will remember and which will not be used for anything else.
[09/04/15:18:51:05] - [Setup] Info Administration port
[09/04/15:18:51:08] - [Setup] Info 9830
[09/04/15:18:51:08] - [Setup] Info The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
[09/04/15:18:51:08] - [Setup] Info Are you ready to set up your servers?
[09/04/15:18:51:10] - [Setup] Info yes
[09/04/15:18:51:10] - [Setup] Info Creating directory server . . .
[09/04/15:18:51:13] - [Setup] Info Your new DS instance 'localhost' was successfully created.
[09/04/15:18:51:13] - [Setup] Info Creating the configuration directory server . . .
[09/04/15:18:54:22] - [Setup] Fatal Error: failed to open an LDAP connection to host 'localhost.fr' port '389' as user 'cn=Directory Manager'. Error: unknown.
[09/04/15:18:54:22] - [Setup] Fatal Failed to create the configuration directory server
[09/04/15:18:54:22] - [Setup] Fatal Exiting . . .
Log file is '/tmp/setupZf31Ze.log'
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Thu Apr 16 14:18:25 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Apr 2009 08:18:25 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <72e017b6-12e7-4004-affb-2c146bac0837@kerio.com>
References: <72e017b6-12e7-4004-affb-2c146bac0837@kerio.com>
Message-ID: <49E73E31.2040507@redhat.com>

Michal Rejda wrote:
>> Michal Rejda wrote:
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>> To: General discussion list for the Fedora Directory server project.
>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>
>>>> Michal Rejda wrote:
>>>>> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into Wireshark log, FDS send search request with controls:
>>>>> 2.16.840.1.113730.3.4.2
>>>>> 2.16.840.1.113730.3.4.12
>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>
>>>>> I tried to remove this two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console show error dialog.
>>>>
>>>> What error?
>>>>
>>> I tried it again and the error message is exactly:
>>>
>>> Error fading object 'dn: dc=example, dc=com'.
>>> The error send by the server was:
>>> ".
>>>
>>> In the Wireshark log was still the search request with control:
>>> 2.16.840.1.113730.3.4.2
>>>
>>> Why is this control needed by the server when I removed it from Database link settings?
>>
>> I'm not sure - maybe the console is not working correctly. Try this:
>> 1) Shutdown the server
>> 2) cd /etc/dirsrv/slapd-yourinstance
>> 3) edit dse.ldif - look for the entry
>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>> 4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
>> 5) save and restart the server
>
> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.
> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?

If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.

> Why is this so necessary?

It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.
>>>>>> Michal Rejda wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
>>>>>>>
>>>>>>> 1) New database link to LDAP server.
>>>>>>>
>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
>>>>>>
>>>>>> You might have to tweak the controls used by chaining - see
>>>>>> http://tinyurl.com/culeft
>>>>>>
>>>>>>> 2) Create multiple-master replication and setup other server as consumer.
>>>>>>>
>>>>>>> - But this show error: 255 Replication error acquiring replica: unknown error.
>>>>>>
>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>
>>>>>>> My question is: Is there way how to setup proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
>>>>>>
>>>>>> See also
>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>>>
>>>>>>> Thank you for reply.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Michal
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From andrey.ivanov at polytechnique.fr Thu Apr 16 18:37:42 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Thu, 16 Apr 2009 20:37:42 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49E639CF.5020602@redhat.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com> <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com> <49E38E6E.5000001@redhat.com> <1601b8650904151221l7370c86ajc9ca79525edf1eff@mail.gmail.com> <49E639CF.5020602@redhat.com>
Message-ID: <1601b8650904161137g378e51a9t9f70a6f1119b5704@mail.gmail.com>

>>> One of the drawbacks of groups is that they do not apply to the sub-tree - makes it difficult in general to replicate them. Roles/CoS are scoped along with the data they apply to, so they go along with replication quite easily.
>>
>> Yep. You're talking about the drawbacks concerning the difficulty of the code development. But for us the sub-tree application that was an essential limitation of Roles - we couldn't use it to make the same thing as memberof, that's why i was looking forward eagerly for the memberof plugin...
>
> Do you want to do something like this
> dc=example,dc=com
> +ou=people
> +ou=roles
> ++cn=my role
>
> And have cn=my role be a role that applies to users under ou=people? e.g. by adding a roleSubtree: ou=people,dc=example,dc=com to the role definition?

Yes.
An attribute like that is already a good step forward that would permit to organise the roles in the way that is independent of the sub-trees to which they are applied.

>> For example, automatic generation of a virtual attribute describing the location (or type) of the person by applying regex to his/her telephoneNumber (first n digits). But then again you are right about indexing and filters with these attributes... Another example: in our production environment we have a "ou" attribute containing the DNs of the units where the person belongs. It would be nice to convert it automatically to an attribute "displayOu" with slashes instead of ",ou=":
>>
>> ou: ou=lpp,ou=lab,ou=dgar,ou=dg,ou=organisation,dc=example,dc=com
>> displayOu: LPP/LAB/DGAR/DG
>>
>> Today we are using scripts. This type of attribute conversion can easily be made inside an application if you write it internally, otherwise one needs to add this type of "converted" attributes...
>
> Ok. So something like CoS, but with a couple of additional attributes:
> cosDestinationAttribute - grab the value from cosAttribute, but write to this attribute instead
> cosRegex - apply this regex to the value e.g.
> cosAttribute: ou
> cosDestinationAttribute: displayOu
> cosRegex: s|ou=(\S)+,ou=(\S)+,ou=(\S+),ou=(\S+)|\1/\2/\3/\4/|

Yes, something like that.

> It would be difficult to create indexes on these (e.g. if you wanted to do searches like (displayOu=LPP/*)

Exactly. That's why i have told that it is not a high-order priority for us but it would be a nice feature in one of the future versions...

> Something like that would be useful for posix homeDirectory too
> cosAttribute: uid
> cosDestinationAttribute: homeDirectory
> cosRegex: s,(.+),/home/\1,

yes, in our production environment we often need attributes that are generated automatically from other ones...

Thank you for taking your time to understand our needs and to formalize the requests!
:)

From agiggins at wcg.net.au Thu Apr 16 22:34:17 2009
From: agiggins at wcg.net.au (Anthony Giggins)
Date: Fri, 17 Apr 2009 08:34:17 +1000
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <1601b8650904161137g378e51a9t9f70a6f1119b5704@mail.gmail.com>
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com> <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com> <49E38E6E.5000001@redhat.com> <1601b8650904151221l7370c86ajc9ca79525edf1eff@mail.gmail.com> <49E639CF.5020602@redhat.com> <1601b8650904161137g378e51a9t9f70a6f1119b5704@mail.gmail.com>
Message-ID:

How about some Centos and RHEL rpms?

From rmeggins at redhat.com Thu Apr 16 23:11:18 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Apr 2009 17:11:18 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To:
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com> <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com> <49E38E6E.5000001@redhat.com> <1601b8650904151221l7370c86ajc9ca79525edf1eff@mail.gmail.com> <49E639CF.5020602@redhat.com> <1601b8650904161137g378e51a9t9f70a6f1119b5704@mail.gmail.com>
Message-ID: <49E7BB16.3040801@redhat.com>

Anthony Giggins wrote:
> How about some Centos and RHEL rpms?
You can use the Fedora Core 6 rpms on Centos/RHEL 5.3

From jplorier at montecarlotv.com.uy Fri Apr 17 01:14:41 2009
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Thu, 16 Apr 2009 22:14:41 -0300
Subject: [Fedora-directory-users] Samba 3 + FDS
Message-ID: <1239930881.31765.4.camel@jpl-laptop>

Hi there.

I'm installing samba 3 + Centos Directory Server on a Centos 5 server. I've followed the fds samba howto but when I get to the line where it uses pdbedit, there's nothing listed by pdbedit. I checked pdbedit -L and nothing comes back. As I'm new to fds (and ldap) I don't know what can be wrong. How can I check if samba is able to work with fds authentication? I suspect that samba is not accessing fds and so it can't see the administrator entry.

Regards,
JPL

--
This message has been scanned by MailScanner for viruses and other dangerous content, and is believed to be clean.

From mrejda at kerio.com Fri Apr 17 10:13:05 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Fri, 17 Apr 2009 12:13:05 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <6cc8d566-8661-45eb-9f7a-c682d2c8cf2e@kerio.com>

> Michal Rejda wrote:
>>> Michal Rejda wrote:
>>>>> -----Original Message-----
>>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>> To: General discussion list for the Fedora Directory server project.
>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>
>>>>> Michal Rejda wrote:
>>>>>> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into Wireshark log, FDS send search request with controls:
>>>>>> 2.16.840.1.113730.3.4.2
>>>>>> 2.16.840.1.113730.3.4.12
>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>
>>>>>> I tried to remove this two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console show error dialog.
>>>>>
>>>>> What error?
>>>>
>>>> I tried it again and the error message is exactly:
>>>>
>>>> Error fading object 'dn: dc=example, dc=com'.
>>>> The error send by the server was:
>>>> ".
>>>>
>>>> In the Wireshark log was still the search request with control:
>>>> 2.16.840.1.113730.3.4.2
>>>>
>>>> Why is this control needed by the server when I removed it from Database link settings?
>>>
>>> I'm not sure - maybe the console is not working correctly. Try this:
>>> 1) Shutdown the server
>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>> 3) edit dse.ldif - look for the entry
>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>> 4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
>>> 5) save and restart the server
>>
>> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.
>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>
> If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code.
> The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.
>
>> Why is this so necessary?
>
> It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.

I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.

>>>>>>> Michal Rejda wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
>>>>>>>>
>>>>>>>> 1) New database link to LDAP server.
>>>>>>>>
>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
>>>>>>>
>>>>>>> You might have to tweak the controls used by chaining - see
>>>>>>> http://tinyurl.com/culeft
>>>>>>>
>>>>>>>> 2) Create multiple-master replication and setup other server as consumer.
>>>>>>>>
>>>>>>>> - But this show error: 255 Replication error acquiring replica: unknown error.
>>>>>>>
>>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>>
>>>>>>>> My question is: Is there way how to setup proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server.
>>>>>>>> The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
>>>>>>>
>>>>>>> See also
>>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>>>>
>>>>>>>> Thank you for reply.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Michal

From rpolli at babel.it Fri Apr 17 14:04:38 2009
From: rpolli at babel.it (Roberto Polli)
Date: Fri, 17 Apr 2009 16:04:38 +0200
Subject: [Fedora-directory-users] atomically delete subtree (non leaf)
Message-ID: <200904171604.39241.rpolli@babel.it>

hi all,

usually ldap isn't able to atomically delete a subtree (non-leaf). This is annoying while cleaning eg. a user addressbook of thousands of contacts.

Can fedora directory server manage in some way this kind of deletion atomically?

If not, do you think it's an interesting feature?

Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"The following message contains confidential information. Should you have received this message in error, please kindly notify us by e-mail. We also urge you to destroy the message received in error. The foregoing is requested of you in compliance with the law on the protection of personal data."
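The dse.ldif edit Rich describes in the LDAP proxy thread above (stop the server, remove 2.16.840.1.113730.3.4.2 from nsTransmittedControls on cn=config,cn=chaining database,cn=plugins,cn=config, restart) can be done with a small script instead of by hand, which also lets you confirm what the file actually contains before and after, the point Michal was unsure about. This is an added example, not code from the list or from the Fedora Directory Server project: the dse.ldif fragment is constructed (its OIDs are the ones named in the thread), the parser handles only the LDIF rules that occur in dse.ldif (line folding, base64 values, comments), and DN matching is a case-insensitive string compare rather than full RFC 4514 normalisation.

```python
"""Remove a control OID from nsTransmittedControls in a dse.ldif (added example, not 389/FDS project code)."""
import base64

CHAINING_CONFIG_DN = "cn=config,cn=chaining database,cn=plugins,cn=config"
MANAGEDSAIT_OID = "2.16.840.1.113730.3.4.2"  # manageDSAit, the control the remote servers rejected

# Constructed dse.ldif fragment (not taken from a real instance). The OIDs are the ones named in
# the thread; the folded line and the base64 value exercise the LDIF rules the parser handles.
SAMPLE_DSE = """\
dn: cn=config
cn: config
nsslapd-rootdn:: Y249RGlyZWN0b3J5IE1hbmFnZXI=

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.2953
 9.12
"""

def parse_ldif(text):
    """Entries as lists of (attribute, value) pairs, in file order.
    A line starting with one space continues the previous line; 'attr:: v' is base64; '#' is a comment."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], []
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; skip rather than guess
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.append((name.strip(), value))
    return entries

def needs_base64(value):
    """LDIF must base64 values with a leading space/':'/'<', a trailing space, or non-printable/non-ASCII chars."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in value)

def serialize_ldif(entries):
    """Write entries back as LDIF (base64 where required, no line folding)."""
    out = []
    for entry in entries:
        for name, value in entry:
            if needs_base64(value):
                out.append(f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
            else:
                out.append(f"{name}: {value}")
        out.append("")
    return "\n".join(out)

def entry_dn(entry):
    return next((v for a, v in entry if a.lower() == "dn"), "")

def attribute_values(text, dn, attr):
    """Values of attr on the entry whose DN equals dn (case-insensitive string match, not full RFC 4514)."""
    for entry in parse_ldif(text):
        if entry_dn(entry).lower() == dn.lower():
            return [v for a, v in entry if a.lower() == attr.lower()]
    return []

def transmitted_controls(text):
    return attribute_values(text, CHAINING_CONFIG_DN, "nsTransmittedControls")

def remove_transmitted_control(text, oid):
    """Drop one OID from nsTransmittedControls on the chaining config entry.
    Returns (new_ldif_text, values_removed); every other entry and attribute is left untouched."""
    entries = parse_ldif(text)
    removed = 0
    for entry in entries:
        if entry_dn(entry).lower() != CHAINING_CONFIG_DN.lower():
            continue
        kept = []
        for name, value in entry:
            if name.lower() == "nstransmittedcontrols" and value == oid:
                removed += 1
            else:
                kept.append((name, value))
        entry[:] = kept
    return serialize_ldif(entries), removed
```

Run it against dse.ldif only with the instance stopped, as the thread's steps require, since the running server owns that file and writes it back itself. The return value also settles the question raised in the thread: a removal count of zero means the OID is not in the file at all, so the control is being added from somewhere other than this attribute.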
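Roberto's question rests on a property of the protocol itself: an LDAP delete is accepted only for a leaf entry, and a delete of an entry that still has children is refused with notAllowedOnNonLeaf (result code 66), so without a server-side subtree delete the client has to delete children before parents. The script below is an added example, not code from the list or from the server: it orders the deletes deepest-first and checks the order by replaying it against a constructed sample address book. The DN handling (split on unescaped commas, case-insensitive compare) is a simplification, not full RFC 4514 normalisation, and there is no network code; a real client would feed the ordered list to its delete calls.

```python
"""Order LDAP deletes leaf-first when the server has no atomic subtree delete (added example)."""

NOT_ALLOWED_ON_NON_LEAF = 66  # LDAP result code for deleting an entry that still has children

def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash escapes such as 'cn=Doe\\, Jane'."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):  # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns

def normalize(dn):
    """Simplified normalization: lower-case each RDN (assumption: good enough for this sample)."""
    return ",".join(r.lower() for r in split_rdns(dn))

def parent_dn(dn):
    return ",".join(split_rdns(dn)[1:])

def subtree(dns, base):
    """All DNs at or below base, base itself included, in the order given."""
    nbase = normalize(base)
    return [d for d in dns if normalize(d) == nbase or normalize(d).endswith("," + nbase)]

def deletion_order(dns):
    """Deepest entries first: an entry's children are always deeper, so each delete hits a leaf."""
    return sorted(dns, key=lambda d: -len(split_rdns(d)))

def simulate_deletes(existing, order):
    """Replay deletes against a set of DNs the way a server would.
    Returns (True, None) if every delete hit an existing leaf, else (False, dn) for the first
    delete the server would reject (NOT_ALLOWED_ON_NON_LEAF, or noSuchObject if already gone)."""
    live = {normalize(d) for d in existing}
    for dn in order:
        n = normalize(dn)
        if n not in live:
            return False, dn
        if any(normalize(parent_dn(other)) == n for other in live):
            return False, dn
        live.discard(n)
    return True, None

# Constructed sample tree: one user's address book with sub-folders and an escaped comma in a name.
BASE = "ou=contacts,uid=alice,ou=people,dc=example,dc=com"
SAMPLE_DNS = [
    "uid=alice,ou=people,dc=example,dc=com",  # the owner, which must survive
    BASE,
    "cn=Bob Builder," + BASE,
    "ou=work," + BASE,
    "cn=Carol Cook,ou=work," + BASE,
    "cn=Doe\\, Jane,ou=work," + BASE,
    "ou=family," + BASE,
    "cn=Eve Example,ou=family," + BASE,
]

if __name__ == "__main__":
    victims = subtree(SAMPLE_DNS, BASE)
    print("search order fails at:", simulate_deletes(SAMPLE_DNS, victims))
    print("leaf-first order:", simulate_deletes(SAMPLE_DNS, deletion_order(victims)))
```

The replay makes the failure mode visible: deleting in the order a subtree search returns the entries (base first) stops at the very first delete, while the depth-sorted order completes and leaves the owner entry untouched. Because the deletes are still individual operations, a concurrent writer can add a child under an entry between its children being removed and its own delete; a client that needs the whole subtree gone has to handle that rejection by re-reading and retrying.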
From rmeggins at redhat.com Fri Apr 17 15:17:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 17 Apr 2009 09:17:21 -0600
Subject: [Fedora-directory-users] atomically delete subtree (non leaf)
In-Reply-To: <200904171604.39241.rpolli@babel.it>
References: <200904171604.39241.rpolli@babel.it>
Message-ID: <49E89D81.8080903@redhat.com>

Roberto Polli wrote:
> hi all,
>
> usually ldap isn't able to atomically delete a subtree (non-leaf). This is annoying while cleaning eg. a user addressbook of thousands of contacts.
>
> Can fedora directory server manage in some way this kind of deletion atomically?

No.

> If not, do you think it's an interesting feature?

Yes. We should investigate this as part of subtree rename. At the very least, you could rename your subtree (e.g. move ou=contacts to ou=deletedcontacts then delete ou=deletedcontacts while you repopulate ou=contacts).

> Peace,
> R.

From rpolli at babel.it Fri Apr 17 15:44:38 2009
From: rpolli at babel.it (Roberto Polli)
Date: Fri, 17 Apr 2009 17:44:38 +0200
Subject: [Fedora-directory-users] atomically delete subtree (non leaf)
In-Reply-To: <49E89D81.8080903@redhat.com>
References: <200904171604.39241.rpolli@babel.it> <49E89D81.8080903@redhat.com>
Message-ID: <200904171744.39278.rpolli@babel.it>

On Friday 17 April 2009 17:17:21 Rich Megginson wrote:
> We should investigate this as part of subtree rename. At the very least, you could rename your subtree (e.g. move ou=contacts to ou=deletedcontacts then delete ou=deletedcontacts while you repopulate ou=contacts).

I'll try and let you know.

Just to know, why has removing a subtree never been implemented in ldap?

Thx+Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel.
+39.06.91801075 - fax +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

From rmeggins at redhat.com Fri Apr 17 15:50:39 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 17 Apr 2009 09:50:39 -0600
Subject: [Fedora-directory-users] atomically delete subtree (non leaf)
In-Reply-To: <200904171744.39278.rpolli@babel.it>
References: <200904171604.39241.rpolli@babel.it> <49E89D81.8080903@redhat.com> <200904171744.39278.rpolli@babel.it>
Message-ID: <49E8A54F.6040000@redhat.com>

Roberto Polli wrote:
> On Friday 17 April 2009 17:17:21 Rich Megginson wrote:
>> We should investigate this as part of subtree rename. At the very least, you could rename your subtree (e.g. move ou=contacts to ou=deletedcontacts then delete ou=deletedcontacts while you repopulate ou=contacts).
>
> I'll try and let you know.

Try what? subtree rename is not currently implemented.

> Just to know, why has removing a subtree never been implemented in ldap?

Good question.

> Thx+Peace,
> R.
From rmeggins at redhat.com Fri Apr 17 15:57:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 17 Apr 2009 09:57:21 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <6cc8d566-8661-45eb-9f7a-c682d2c8cf2e@kerio.com>
References: <6cc8d566-8661-45eb-9f7a-c682d2c8cf2e@kerio.com>
Message-ID: <49E8A6E1.9070002@redhat.com>

Michal Rejda wrote:
>> Michal Rejda wrote:
>>>> Michal Rejda wrote:
>>>>>> -----Original Message-----
>>>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>>
>>>>>> Michal Rejda wrote:
>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into Wireshark log, FDS send search request with controls:
>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>> 2.16.840.1.113730.3.4.12
>>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>>
>>>>>>> I tried to remove this two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console show error dialog.
>>>>>>
>>>>>> What error?
>>>>>
>>>>> I tried it again and the error message is exactly:
>>>>>
>>>>> Error fading object 'dn: dc=example, dc=com'.
>>>>> The error send by the server was:
>>>>> ".
>>>>>
>>>>> In the Wireshark log was still the search request with control:
>>>>> 2.16.840.1.113730.3.4.2
>>>>>
>>>>> Why is this control needed by the server when I removed it from Database link settings?
>>>>
>>>> I'm not sure - maybe the console is not working correctly. Try this:
>>>> 1) Shutdown the server
>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>> 3) edit dse.ldif - look for the entry
>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>> 4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
>>>> 5) save and restart the server
>>>
>>> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.
>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>
>> If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.
>>
>>> Why is this so necessary?
>>
>> It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.
>
> I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.

Then I'm not sure where it's coming from.
I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

>>>>>>>> Michal Rejda wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
>>>>>>>>>
>>>>>>>>> 1) New database link to LDAP server.
>>>>>>>>>
>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
>>>>>>>>
>>>>>>>> You might have to tweak the controls used by chaining - see
>>>>>>>> http://tinyurl.com/culeft
>>>>>>>>
>>>>>>>>> 2) Create multiple-master replication and setup other server as consumer.
>>>>>>>>>
>>>>>>>>> - But this show error: 255 Replication error acquiring replica: unknown error.
>>>>>>>>
>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>>>
>>>>>>>>> My question is: Is there way how to setup proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place.
I need >>>>>>>>> >>>>>>>>> >>>> to >>>> >>>> >>>>>> update >>>>>> >>>>>> >>>>>> >>>>>>>>> them too. It is not necessary to synchronize passwords. >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> See also >>>>>>>> >>>>>>>> >> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration >> >>>>>>>> >>>>>>>> >>>>>>>>> Thank you for reply. >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> >>>>>>>>> Michal >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From michael at stroeder.com Fri Apr 17 16:14:30 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 17 Apr 2009 18:14:30 +0200 Subject: [Fedora-directory-users] atomically delete subtree (non leaf) In-Reply-To: <49E89D81.8080903@redhat.com> References: <200904171604.39241.rpolli@babel.it> <49E89D81.8080903@redhat.com> Message-ID: <49E8AAE6.2030806@stroeder.com> Rich Megginson wrote: > Roberto Polli wrote: >> usually ldap isn't able to atomically delete a subtree (non-leaf). >> [..] >> If not, do you think it's an interesting feature? >> > Yes. We should investigate this as part of subtree rename. Most LDAP servers implement this control (also supported in my web2ldap): http://tools.ietf.org/draft/draft-armijo-ldap-treedelete/ Ciao, Michael. From ryan.braun at ec.gc.ca Fri Apr 17 17:03:21 2009 From: ryan.braun at ec.gc.ca (Ryan Braun [ADS]) Date: Fri, 17 Apr 2009 17:03:21 +0000 Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny. 
In-Reply-To: <49E61A89.4060604@redhat.com>
References: <200904141915.56539.ryan.braun@ec.gc.ca> <200904151700.28332.ryan.braun@ec.gc.ca> <49E61A89.4060604@redhat.com>
Message-ID: <200904171703.21977.ryan.braun@ec.gc.ca>

On Wednesday 15 April 2009 17:34:01 Rich Megginson wrote:
> >> What about using LDFLAGS="-L/usr/lib/nss" ?
> >>
> >> The real problem is that mozldap should not link directly against
> >> softokn3 anymore - please file a bug at bugzilla.mozilla.org against the
> >> LDAP C SDK component.
> >
> > Will do Rich, but setting the LDFLAGS variable didn't help either.
>
> If you want to use an rpath, do
> configure --with-rpath=/some/path
>
> If you look at mozilla/directory/c-sdk/build.mk starting at around line
> 504 you will see the various commands (LINK_DLL) used to build shared
> libraries on linux and other *nix. You could try setting ALDFLAGS or
> DLL_LDFLAGS

Adding --with-rpath=/usr/lib/nss to the ./configure arguments doesn't help. It looks like the rpath argument is getting passed properly to gcc though.

======= making ./libssldap60.so
gcc -shared -Wl,-soname -Wl,libssldap60.so -Wl,-rpath,/usr/lib/nss -o libssldap60.so ./clientinit.o ./ldapsinit.o ./errormap.o -L../../../../../dist/lib -lldap60 -lprldap60 -L/usr/lib/ -lssl3 -lnss3 -lsoftokn3 -L/usr/lib/ -lplc4 -lplds4 -lnspr4
/usr/bin/ld: cannot find -lsoftokn3
collect2: ld returned 1 exit status
make[3]: *** [libssldap60.so] Error 1
make[3]: Leaving directory `/tmp/fdsbuildscripts/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/libraries/libssldap'

I haven't done much monkeying around in build.mk (it looks a bit over my head), but I was able to at least "make it work" in the meantime by symlinking everything in /usr/lib/nss into /usr/lib.

I'll keep plugging away at it and see about a more sensible solution.
Ryan

From rmeggins at redhat.com Fri Apr 17 17:07:41 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 17 Apr 2009 11:07:41 -0600
Subject: [Fedora-directory-users] Trouble starting 1.2.0 on debian lenny.
In-Reply-To: <200904171703.21977.ryan.braun@ec.gc.ca>
References: <200904141915.56539.ryan.braun@ec.gc.ca> <200904151700.28332.ryan.braun@ec.gc.ca> <49E61A89.4060604@redhat.com> <200904171703.21977.ryan.braun@ec.gc.ca>
Message-ID: <49E8B75D.1000903@redhat.com>

Ryan Braun [ADS] wrote:
> On Wednesday 15 April 2009 17:34:01 Rich Megginson wrote:
>>>> What about using LDFLAGS="-L/usr/lib/nss" ?
>>>>
>>>> The real problem is that mozldap should not link directly against
>>>> softokn3 anymore - please file a bug at bugzilla.mozilla.org against the
>>>> LDAP C SDK component.
>>>
>>> Will do Rich, but setting the LDFLAGS variable didn't help either.
>>
>> If you want to use an rpath, do
>> configure --with-rpath=/some/path
>>
>> If you look at mozilla/directory/c-sdk/build.mk starting at around line
>> 504 you will see the various commands (LINK_DLL) used to build shared
>> libraries on linux and other *nix. You could try setting ALDFLAGS or
>> DLL_LDFLAGS
>
> Adding --with-rpath=/usr/lib/nss to the ./configure arguments doesn't help. It looks like the rpath argument is getting passed properly to gcc though.

I guess rpath is only for the runtime behavior - you still have to pass in -L/usr/lib/nss somehow so the linker knows where to find the lib at link time. In fact, you probably don't need rpath - if NSS is built correctly, it should be able to find softokn3 at runtime. Did you try ALDFLAGS or DLL_LDFLAGS?

From rpolli at babel.it Fri Apr 17 17:18:24 2009
From: rpolli at babel.it (Roberto Polli)
Date: Fri, 17 Apr 2009 19:18:24 +0200
Subject: [Fedora-directory-users] atomically delete subtree (non leaf)
In-Reply-To: <49E8AAE6.2030806@stroeder.com>
References: <200904171604.39241.rpolli@babel.it> <49E89D81.8080903@redhat.com> <49E8AAE6.2030806@stroeder.com>
Message-ID: <200904171918.25277.rpolli@babel.it>

On Friday 17 April 2009 18:14:30 Michael Ströder wrote:
> Most LDAP servers implement this control (also supported in my web2ldap):
> http://tools.ietf.org/draft/draft-armijo-ldap-treedelete/

it was the first thing I saw, but it seems that only OpenDS Server supports it.. do you know other servers?

richm wrote:
> ..you could rename your subtree .. ;)

it seemed strange to me, but I thought it was a new feature :)))

Thx+Peace,
R.

--
Roberto Polli
Babel S.r.l.
- http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
"This message contains confidential information. If you have received this message in error, please kindly notify us by e-mail. We also ask you to destroy the message received in error. The foregoing is requested in order to comply with the law on the protection of personal data."

From michael at stroeder.com Sat Apr 18 11:13:36 2009
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 18 Apr 2009 13:13:36 +0200
Subject: [Fedora-directory-users] atomically delete subtree (non leaf)
In-Reply-To: <200904171918.25277.rpolli@babel.it>
References: <200904171604.39241.rpolli@babel.it> <49E89D81.8080903@redhat.com> <49E8AAE6.2030806@stroeder.com> <200904171918.25277.rpolli@babel.it>
Message-ID: <49E9B5E0.9020107@stroeder.com>

Roberto Polli wrote:
> On Friday 17 April 2009 18:14:30 Michael Ströder wrote:
>> Most LDAP servers implement this control (also supported in my web2ldap):
>> http://tools.ietf.org/draft/draft-armijo-ldap-treedelete/
> it was the first thing I saw, but it seems that only OpenDS Server supports it..
> do you know other servers?

From memory MS AD and OpenLDAP (at least for back-sql). There might be others but I'm too lazy to look through all the ones listed at http://www.web2ldap.de/compability.html#ldap_servers

Ciao, Michael.

From bbahar3 at gmail.com Sun Apr 19 10:29:26 2009
From: bbahar3 at gmail.com (Eric)
Date: Sun, 19 Apr 2009 13:59:26 +0330
Subject: [Fedora-directory-users] fedora ds problem with updating centos
Message-ID: <38a27c8c0904190329j53679cc3p86e68218af8dbf6f@mail.gmail.com>

Hi all,
I had fedora-ds-1.1.3-1.fc6 installed on centos 5. I have updated centos to 5.3. Now fedora ds can't be started.
When I use "service dirsrv start" there is this error:

ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access nsslapd-rundir: Bad address
[19/Apr/2009:06:46:14 -0400] - Ensure that user "ldap" has read and write permissions on (null)
[19/Apr/2009:06:46:14 -0400] - Shutting down.
[FAILED]

From mrejda at kerio.com Mon Apr 20 07:41:33 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Mon, 20 Apr 2009 09:41:33 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <5483a99a-8dec-42ad-b1e0-cd2f39007161@kerio.com>

> Michal Rejda wrote:
>>> Michal Rejda wrote:
>>>>> Michal Rejda wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>>>
>>>>>>> Michal Rejda wrote:
>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link
>>>>>>>> doesn't work. I setup the database link to the Active Directory (and
>>>>>>>> OpenLDAP). When I looked into the Wireshark log, FDS sends the search
>>>>>>>> request with controls:
>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>> 2.16.840.1.113730.3.4.12
>>>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>>>
>>>>>>>> I tried to remove these two controls from Database Link Settings (in
>>>>>>>> the administration console) but it didn't help. The server didn't
>>>>>>>> return the message above, but the administrative console shows an
>>>>>>>> error dialog.
>>>>>>>
>>>>>>> What error?
>>>>>> I tried it again and the error message is exactly:
>>>>>>
>>>>>> Error fading object 'dn: dc=example, dc=com'.
>>>>>> The error send by the server was:
>>>>>> ".
>>>>>>
>>>>>> In the Wireshark log was still the search request with control:
>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>
>>>>>> Why is this control needed by the server when I removed it from
>>>>>> Database link settings?
>>>>>
>>>>> I'm not sure - maybe the console is not working correctly. Try this:
>>>>> 1) Shutdown the server
>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>>> 3) edit dse.ldif - look for the entry
>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>> 4) edit the nsTransmittedControls attribute - remove
>>>>> 2.16.840.1.113730.3.4.2
>>>>> 5) save and restart the server
>>>>
>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There
>>>> is only the 1.3.6.1.4.1.1466.29539.12, not the problematic
>>>> 2.16.840.1.113730.3.4.2.
>>>>
>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>>
>>> If it is, I don't see it. There is no mention of managedsa or
>>> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The
>>> only place it is mentioned is in the default list of
>>> nsTransmittedControls in the template-dse.ldif used during new
>>> instance creation.
>>>
>>>> Why is this so necessary?
>>>
>>> It's not necessary, and I'm not sure where it is coming from. One
>>> place might be an internal operation, but I'm not sure what internal
>>> operation would be doing this. You might also try to remove
>>> nsActiveChainingComponents and nsPossibleChainingComponents to see if
>>> one of those components is doing an internal operation with
>>> managedsait set.
>>
>> I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.
>
> Then I'm not sure where it's coming from. I suppose you could enable
> tracing in the directory server and see if there is anything
> interesting in the error log - see
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

In the attachment is the part of the server error log. I removed all messages before I clicked on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?
From rpolli at babel.it Mon Apr 20 08:55:03 2009
From: rpolli at babel.it (Roberto Polli)
Date: Mon, 20 Apr 2009 10:55:03 +0200
Subject: [Fedora-directory-users] atomically delete subtree (non leaf)
In-Reply-To: <49E9B5E0.9020107@stroeder.com>
References: <200904171604.39241.rpolli@babel.it> <200904171918.25277.rpolli@babel.it> <49E9B5E0.9020107@stroeder.com>
Message-ID: <200904201055.04569.rpolli@babel.it>

On Saturday 18 April 2009 13:13:36 Michael Ströder wrote:
> There might be others but I'm too lazy to look through all the ones
> listed at http://www.web2ldap.de/compability.html#ldap_servers

as I get time I'll let you know more, thx++

Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

From rmeggins at redhat.com Mon Apr 20 13:53:05 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Apr 2009 07:53:05 -0600
Subject: [Fedora-directory-users] fedora ds problem with updating centos
In-Reply-To: <38a27c8c0904190329j53679cc3p86e68218af8dbf6f@mail.gmail.com>
References: <38a27c8c0904190329j53679cc3p86e68218af8dbf6f@mail.gmail.com>
Message-ID: <49EC7E41.9010505@redhat.com>

Eric wrote:
> Hi all,
> I had fedora-ds-1.1.3-1.fc6 installed on centos 5. I have updated
> centos to 5.3. Now fedora ds can't be started.
> When I use "service dirsrv start" there is this error:
> ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access nsslapd-rundir:
> Bad address
> [19/Apr/2009:06:46:14 -0400] - Ensure that user "ldap" has read and
> write permissions on (null)
> [19/Apr/2009:06:46:14 -0400] - Shutting down.
> [FAILED]

You upgraded fedora ds first, then upgraded CentOS to 5.3?

ls -al /var/run/dirsrv

From rmeggins at redhat.com Mon Apr 20 13:56:12 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Apr 2009 07:56:12 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <5483a99a-8dec-42ad-b1e0-cd2f39007161@kerio.com>
References: <5483a99a-8dec-42ad-b1e0-cd2f39007161@kerio.com>
Message-ID: <49EC7EFC.3060608@redhat.com>

Michal Rejda wrote:
>> Then I'm not sure where it's coming from. I suppose you could enable
>> tracing in the directory server and see if there is anything
>> interesting in the error log - see
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> In the attachment is the part of the server error log. I removed all messages before I clicked on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?

Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).

From ajs at th.ph.bham.ac.uk Mon Apr 20 17:18:11 2009
From: ajs at th.ph.bham.ac.uk (Andy Schofield)
Date: Mon, 20 Apr 2009 18:18:11 +0100
Subject: [Fedora-directory-users] Re: fedora ds problem with updating centos
Message-ID: <49ECAE53.2020006@th.ph.bham.ac.uk>

I have exactly the same error:

> ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access nsslapd-rundir:
> Bad address

In my case this is nothing to do with the upgrade to CentOS 5.3 (which went smoothly). Instead it is when I upgrade to fedora-ds-base-1.2.0 from fedora-ds-base-1.1.3-2. It does not seem to make any difference what the permissions are on the /var/run/dirsrv directory. To show this I have made the directory world writable and I still get the error.
At the moment the permissions are:

ls -ld /var/run/dirsrv
drwxrwxrwx 2 ldap root 4096 Apr 20 18:09 /var/run/dirsrv

Previously it was 750.

Any other ideas?

Andy

PS I am running a production system so I have had to revert to 1.1.3 until this is fixed.

From james_roman at ssaihq.com Mon Apr 20 17:39:29 2009
From: james_roman at ssaihq.com (James Roman)
Date: Mon, 20 Apr 2009 13:39:29 -0400
Subject: [Fedora-directory-users] Re: fedora ds problem with updating centos
In-Reply-To: <49ECAE53.2020006@th.ph.bham.ac.uk>
References: <49ECAE53.2020006@th.ph.bham.ac.uk>
Message-ID: <49ECB351.70303@ssaihq.com>

Sounds like selinux is enabled/enforcing. Try setting it to permissive.

Andy Schofield wrote:
> I have exactly the same error:
>
> > ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access nsslapd-rundir:
> > Bad address
From rmeggins at redhat.com Mon Apr 20 18:31:27 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Apr 2009 12:31:27 -0600
Subject: [Fedora-directory-users] Re: fedora ds problem with updating centos
In-Reply-To: <49ECAE53.2020006@th.ph.bham.ac.uk>
References: <49ECAE53.2020006@th.ph.bham.ac.uk>
Message-ID: <49ECBF7F.4080005@redhat.com>

Andy Schofield wrote:
> I have exactly the same error:
>
> > ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access nsslapd-rundir:
> > Bad address
>
> In my case this is nothing to do with the upgrade to CentOS 5.3 (which
> went smoothly). Instead it is when I upgrade to fedora-ds-base-1.2.0
> from fedora-ds-base-1.1.3-2. It does not seem to make any difference
> what the permissions are on the /var/run/dirsrv directory. To show
> this I have made the directory world writable and I still get the error.
> At the moment the permissions are: ls -ld /var/run/dirsrv
>
> drwxrwxrwx 2 ldap root 4096 Apr 20 18:09 /var/run/dirsrv

The set up script setup-

> Previously it was 750
> Any other ideas?
>
> Andy
>
> PS I am running a production system so I have had to revert to 1.1.3
> until this is fixed.

mkdir -p /var/run/dirsrv/slapd-yourinstancename - chown to your server user id - chmod to make it rwx by the server user ID
shutdown the directory server - Edit dse.ldif, the cn=config entry - add nsslapd-rundir: /var/run/dirsrv/slapd-yourinstancename

I'm not sure why this happened - the rpm is supposed to not touch /var/run/dirsrv if it already exists
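The two manual dse.ldif edits this thread describes, done offline as an added Python example that is not part of any post here and not Fedora DS code: removing 2.16.840.1.113730.3.4.2 from nsTransmittedControls of cn=config,cn=chaining database,cn=plugins,cn=config (Rich's steps 3-4 in the LDAP proxy thread) and adding nsslapd-rundir to cn=config (the fix just above). SAMPLE_DSE, the function names and the instance path are constructed for the example; LDIF continuation lines are unfolded so a value the server wrapped is still matched, which a line-oriented grep or sed would miss.

```python
"""Offline edit of a Fedora DS dse.ldif: the two manual fixes from this thread.

Added example, not Fedora DS code. The server must be stopped while dse.ldif is
edited (it rewrites the file on shutdown); this script only transforms text.
"""
import sys

# DNs and OID named in the thread.
CHAINING_DN = "cn=config,cn=chaining database,cn=plugins,cn=config"
CONFIG_DN = "cn=config"
MANAGEDSAIT_OID = "2.16.840.1.113730.3.4.2"

# Constructed sample dse.ldif fragment (not a real instance file). The last
# nsTransmittedControls value is folded onto a continuation line, the LDIF
# feature that makes a plain grep/sed edit of dse.ldif unreliable.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: extensibleObject

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.9
nsTransmittedControls: 1.3.6.1.4.1.1466.295
 39.12
nsActiveChainingComponents: cn=resource limits,cn=components,cn=config
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry is a list of unfolded 'attr: value' lines."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:      # continuation of the previous line
            current[-1] += raw[1:]
        elif raw == "":                          # blank line ends an entry
            if current:
                entries.append(current)
                current = []
        elif not raw.startswith("#"):            # drop comments, keep everything else
            current.append(raw)
    if current:
        entries.append(current)
    return entries

def entry_dn(entry):
    """Lower-cased DN of an entry (dse.ldif DNs are plain, never base64 'dn::')."""
    name, _, value = entry[0].partition(":")
    return value.strip().lower() if name.lower() == "dn" else None

def find_entry(entries, dn):
    for entry in entries:
        if entry_dn(entry) == dn.lower():
            return entry
    raise KeyError(f"entry {dn!r} not found")

def attr_values(entry, attr):
    """All values of attr in entry; attribute names compare case-insensitively."""
    return [line.partition(":")[2].strip() for line in entry
            if line.partition(":")[0].lower() == attr.lower()]

def remove_value(entry, attr, value):
    """Delete the 'attr: value' line(s); return True if anything was removed."""
    kept = [line for line in entry
            if not (line.partition(":")[0].lower() == attr.lower()
                    and line.partition(":")[2].strip() == value)]
    removed = len(kept) != len(entry)
    entry[:] = kept
    return removed

def set_value(entry, attr, value):
    """Replace every value of attr with one value, appending if attr was absent."""
    entry[:] = [line for line in entry if line.partition(":")[0].lower() != attr.lower()]
    entry.append(f"{attr}: {value}")

def serialize(entries):
    return "\n\n".join("\n".join(entry) for entry in entries) + "\n"

def drop_transmitted_control(text, oid=MANAGEDSAIT_OID):
    """Steps 3-4 from the thread: remove one OID from nsTransmittedControls."""
    entries = parse_ldif(text)
    removed = remove_value(find_entry(entries, CHAINING_DN), "nsTransmittedControls", oid)
    return serialize(entries), removed

def set_rundir(text, rundir):
    """The nsslapd-rundir fix: add 'nsslapd-rundir: <dir>' to cn=config."""
    entries = parse_ldif(text)
    set_value(find_entry(entries, CONFIG_DN), "nsslapd-rundir", rundir)
    return serialize(entries)

if __name__ == "__main__":
    # Usage: python edit_dse.py [/path/to/dse.ldif] > dse.ldif.new
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE
    text, removed = drop_transmitted_control(text)
    text = set_rundir(text, "/var/run/dirsrv/slapd-yourinstancename")  # placeholder
    sys.stdout.write(text)
```

Diff the output against the original before copying it into place; the server's own dse.ldif carries many more entries than the sample, all of which pass through unchanged.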
From ajs at th.ph.bham.ac.uk Mon Apr 20 19:16:06 2009
From: ajs at th.ph.bham.ac.uk (Andy Schofield)
Date: Mon, 20 Apr 2009 20:16:06 +0100
Subject: [Fedora-directory-users] Re: fedora ds problem with updating centos
Message-ID: <49ECC9F6.9040605@th.ph.bham.ac.uk>

> Andy Schofield wrote:
> I have exactly the same error:
> > ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access
> > nsslapd-rundir: Bad address

Thanks Rich - it was fixed by your suggestion:

> mkdir -p /var/run/dirsrv/slapd-yourinstancename - chown to your server
> user id - chmod to make it rwx by the server user ID
> shutdown the directory server - Edit dse.ldif, the cn=config entry -
> add nsslapd-rundir: /var/run/dirsrv/slapd-yourinstancename

(SELinux was already running in permissive mode - sorry I should have mentioned that in my initial post).

All seems to be working fine with 1.2.0 now.

From orion at cora.nwra.com Mon Apr 20 21:49:53 2009
From: orion at cora.nwra.com (Orion Poplawski)
Date: Mon, 20 Apr 2009 15:49:53 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To:
References: <49D2D1A0.3070307@redhat.com> <49DCCE50.7040106@redhat.com> <1601b8650904081323m6c59ac0y786719b11f0dab04@mail.gmail.com> <1601b8650904081402x5ee82febqae4416735aca37bd@mail.gmail.com> <49DE837D.7070205@redhat.com> <1601b8650904110717j43ac4c62n20ab4eb8d577e818@mail.gmail.com> <49E38E6E.5000001@redhat.com> <1601b8650904151221l7370c86ajc9ca79525edf1eff@mail.gmail.com> <49E639CF.5020602@redhat.com> <1601b8650904161137g378e51a9t9f70a6f1119b5704@mail.gmail.com>
Message-ID: <49ECEE01.8020905@cora.nwra.com>

Better log handling:
- Compress old logs
- Don't stop working when log volume fills up.
--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion at cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

From jplorier at montecarlotv.com.uy Tue Apr 21 00:42:33 2009
From: jplorier at montecarlotv.com.uy (Juan Pablo Lorier)
Date: Mon, 20 Apr 2009 21:42:33 -0300
Subject: [Fedora-directory-users] Am I on the right list?
Message-ID: <1240274553.30040.2.camel@jpl-laptop>

Hi guys,

I posted about samba + fds a few days ago but didn't get any reply. Maybe it's because this is not the right list? I just need a hand because I can get openldap + samba working, but not with fds.

regards

--
This message has been scanned by MailScanner for viruses and other dangerous content, and is considered to be clean.

From jsullivan at opensourcedevel.com Tue Apr 21 02:21:58 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 20 Apr 2009 22:21:58 -0400
Subject: [Fedora-directory-users] Windows sync woes
Message-ID: <1240280518.6413.19.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. I'm having grief trying to get DS 8.0 to synchronize with Active Directory on Windows 2003 Server R2. I first tried to synchronize an existing branch of DS with ntuser ids to a fresh AD. That kept failing with "sync total update aborted LDAP error operations error code 1" and messages about failing to replay creation in the errors log. I then deleted the agreement, created a new empty branch in DS, and set up a windows synchronization agreement. All the errors went away. I also verified communication with

/usr/lib64/mozldap/ldapsearch -Z -P ./cert8.db -h -p 636 -D "cn=Synch Manager,cn=users,dc=some,dc=domain" -w - -s sub -b "cn=Users,dc=some,dc=domain" "cn=*"

However, when I create a new user in DS, it does not propagate to AD. I create the user, add the NT user option and set the uid as well as check the create new account and delete account boxes. The DS is set up as a single master.
We do not want entries from AD propagating to DS, just from DS to AD. We initially created the synchronization user in AD as a member of domain admins. We also tried making it a member of enterprise and schema admins. Nothing seems to work. We see nothing in the AD logs to indicate where the failure is. We see very little on DS:

[20/Apr/2009:21:41:21 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=TestWinSync" (timberline:636)".
[20/Apr/2009:21:41:22 -0400] - Entry "uid=Guest,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "person"
[20/Apr/2009:21:41:22 -0400] - Entry "uid=SUPPORT_388945a0,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object clas
[20/Apr/2009:21:41:22 -0400] - Entry "uid=Administrator,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "
[20/Apr/2009:21:41:22 -0400] - Entry "uid=krbtgt,o=a0000-0012,o=Internal, dc=ssiservices, dc=biz" missing attribute "sn" required by object class "person"
[20/Apr/2009:21:41:22 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=TestWinSync" (timberline:636)". Sent 18 entries.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
[20/Apr/2009:21:43:07 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:21:48:06 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:21:55:58 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): windows_replay_update: Cannot replay add operation.
[20/Apr/2009:21:55:58 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed
[20/Apr/2009:22:00:59 -0400] NSMMReplicationPlugin - agmt="cn=TestWinSync" (timberline:636): Simple bind resumed

I was surprised to see the entries for the Windows based users propagating. They do not show up in DS. I'm assuming the replay add operation failures are the attempts to add the user defined in DS. The user was most minimal with only SN, givenname, cn, uid, password and the above mentioned nt attributes set.

Not being very versed in AD, I'm sure I must be making some dumb mistake but I don't see what it is. Any suggestions on where to look? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From bbahar3 at gmail.com Tue Apr 21 05:24:55 2009
From: bbahar3 at gmail.com (Eric)
Date: Tue, 21 Apr 2009 08:54:55 +0330
Subject: [Fedora-directory-users] fedora ds problem with updating centos
Message-ID: <38a27c8c0904202224n4d232fc5q6b8ba04e4f4fd0f@mail.gmail.com>

Thanks Rich. My problem was fixed with your suggestion too. I had upgraded the OS without updating fedora ds. Is it the reason of the problem?

> Message: 3
> Date: Mon, 20 Apr 2009 07:53:05 -0600
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] fedora ds problem with updating centos
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <49EC7E41.9010505 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eric wrote:
>> Hi all,
>> I had fedora-ds-1.1.3-1.fc6 installed on centos 5. I have updated centos to 5.3. Now fedora ds can't be started.
>> When I use: service dirsrv start there is this error:
>>
>> ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access nsslapd-rundir: Bad address
>> [19/Apr/2009:06:46:14 -0400] - Ensure that user "ldap" has read and write permissions on (null)
>> [19/Apr/2009:06:46:14 -0400] - Shutting down.
>> [FAILED]
>
> You upgraded fedora ds first, then upgraded CentOS to 5.3? ls -al /var/run/dirsrv

From james.chavez at sanmina-sci.com Tue Apr 21 05:29:51 2009
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Mon, 20 Apr 2009 22:29:51 -0700
Subject: [Fedora-directory-users] logconv showing unindexed searches on indexed attributes.
Message-ID:

Hello List,

I have a directory with 20,000 plus users. The output from logconv is showing me that I have unindexed searches with a search filter of '(uidNumber=*)'. However my uidNumber attribute is indeed indexed.

The documentation states the following: "In Directory Server, when examining an index, if more than a certain number of entries are found, the server stops reading the index and marks the search as unindexed for that particular index."

I believe this is what is going on because if I increase the idlistscanlimit the searches no longer show as unindexed.

So a few questions. Is this a serious warning or error and does it affect performance?
It seems to me that it renders the indexes useless for directories with more than 4,000 entries unless the idlistscanlimit is increased.

Can I increase it only for the uidNumber or chosen attributes? I am assuming the answer to this is no since it seems to be set globally.

Is there a tool similar to OpenLDAP's slapindex utility to maintain index integrity in FDS or is it not necessary?

Thank you

From mrejda at kerio.com Tue Apr 21 07:12:10 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Tue, 21 Apr 2009 09:12:10 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <4d4d8d90-8abb-4852-bbaf-b2e6321276af@kerio.com>

> Michal Rejda wrote:
> Hi all,
>
> I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
>
> 1) New database link to LDAP server.
> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
>
> 2) Create multiple-master replication and setup other server as consumer.
> - But this show error: 255 Replication error acquiring replica: unknown error.
>
> My question is: Is there way how to setup proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
>
> Thank you for reply.
>
> Regards,
> Michal
>
> Rich Megginson wrote:
>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
> You might have to tweak the controls used by chaining - see http://tinyurl.com/culeft
>
>> 2) Create multiple-master replication and setup other server as consumer.
>> - But this show error: 255 Replication error acquiring replica: unknown error.
> Replication will only work to a SunDS, not to any other vendor.
>
>> ...to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too.
> See also http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>
> Michal Rejda wrote:
> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into Wireshark log, FDS send search request with controls:
> 2.16.840.1.113730.3.4.2
> 2.16.840.1.113730.3.4.12
> And the AD server responded: Unavailable Critical Extension.
>
> I tried to remove this two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console show error dialog.
>
> Rich Megginson wrote:
> What error?
>
> Michal Rejda wrote:
> I tried it again and the error message is exactly:
>
> Error fading object 'dn: dc=example, dc=com'.
> The error send by the server was:
> ".
>
> In the Wireshark log was still the search request with control: 2.16.840.1.113730.3.4.2
>
> Why is this control needed by the server when I removed it from Database link settings?
>
> Rich Megginson wrote:
> I'm not sure - maybe the console is not working correctly. Try this:
> 1) Shutdown the server
> 2) cd /etc/dirsrv/slapd-yourinstance
> 3) edit dse.ldif - look for the entry dn: cn=config,cn=chaining database,cn=plugins,cn=config
> 4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
> 5) save and restart the server
>
> Michal Rejda wrote:
> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12, not the problematic 2.16.840.1.113730.3.4.2.
>
> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>
> Rich Megginson wrote:
> If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.
>
> Michal Rejda wrote:
> Why is this so necessary?
>
> Rich Megginson wrote:
> It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.
>
> Michal Rejda wrote:
> I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.
>
> Rich Megginson wrote:
> Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> Michal Rejda wrote:
> In the attachment is the part of the server error log. I removed all messages before I click on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?
>
> Rich Megginson wrote:
> Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).

Yes, you are right. I use the console to browse AD tree. But I do this because there is attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.

I tried ldapsearch using AD user (Administrator). I'm able to login but the ldapsearch don't show any results (I use Apache Directory Studio). When I looked into Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
From lambam80 at hotmail.com Tue Apr 21 07:54:36 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Tue, 21 Apr 2009 03:54:36 -0400
Subject: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl
Message-ID:

Hello everybody and thanks for all your help in the past.

Q1: Firstly, what is the recommended means to search the mail archives? I don't fancy downloading all the GZIP files found here:
https://www.redhat.com/archives/fedora-directory-users/
http://www.redhat.com/mailman/listinfo/fedora-directory-users

Q2. I have the following version of Directory Server running on Fedora 10:

[root at ldap4 dirsrv]# cat /etc/redhat-release
Fedora release 10 (Cambridge)
[root at ldap4 sbin]# /usr/sbin/ns-slapd -v
Fedora Project
Fedora-Directory/1.1.3 B2008.289.115

Q2: I cannot find the command remove-ds-admin.pl as documented here:
http://directory.fedoraproject.org/wiki/FDS_Setup#remove-ds-admin.pl
Even with the find command. Where might I find this command, please?

Cdlt, Dave

From ckannan at redhat.com Tue Apr 21 08:11:20 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Tue, 21 Apr 2009 01:11:20 -0700
Subject: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl
Message-ID: <1240301480.3246.3.camel@localhost.localdomain>

On Tue, 2009-04-21 at 03:54 -0400, lambam80 at hotmail.com wrote:
> Hello everybody and thanks for all your help in the past.
>
> Q1: Firstly, what is the recommended means to search the mail archives?
> I don't fancy downloading all the GZIP files found here:
>
> https://www.redhat.com/archives/fedora-directory-users/
> http://www.redhat.com/mailman/listinfo/fedora-directory-users

Try this http://www.mail-archive.com/fedora-directory-users at redhat.com/

> Q2. I have the following version of Directory Server running on Fedora 10:
>
> [root at ldap4 dirsrv]# cat /etc/redhat-release
> Fedora release 10 (Cambridge)
>
> [root at ldap4 sbin]# /usr/sbin/ns-slapd -v
> Fedora Project
> Fedora-Directory/1.1.3 B2008.289.115
>
> Q2: I cannot find the command remove-ds-admin.pl as documented here:
>
> http://directory.fedoraproject.org/wiki/FDS_Setup#remove-ds-admin.pl
>
> Even with the find command. Where might I find this command, please?
>
> Cdlt, Dave

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From andrey.ivanov at polytechnique.fr Tue Apr 21 08:36:27 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 21 Apr 2009 10:36:27 +0200
Subject: [Fedora-directory-users] logconv showing unindexed searches on indexed attributes.
Message-ID: <1601b8650904210136k6e89f100ub9b2b6e74bfe4b18@mail.gmail.com>

It should be indexed for PRESENCE in order for this search to be indexed. I think it is indexed on equality in your case.

2009/4/21 James Chavez
> Hello List,
> I have a directory with 20,000 plus users.
> The output from logconv is showing me that I have unindexed searches with a search filter of '(uidNumber=*)'.
> However my uidNumber attribute is indeed indexed.
>
> The documentation states the following
> "In Directory Server, when examining an index, if more than a certain number of entries are found, the server stops reading the index and marks the search as unindexed for that particular index."
>
> I believe this is what is going on because if I increase the idlistscanlimit the searches no longer show as unindexed.
>
> So a few questions.
> Is this a serious warning or error and does it affect performance? It seems to me that it renders the indexes useless for directories with more than 4,000 entries unless the idlistscanlimit is increased.
>
> Can I increase it only for the uidNumber or chosen attributes? I am assuming the answer to this is no since it seems to be set globally.
>
> Is there a tool similar to OpenLDAP's slapindex utility to maintain index integrity in FDS or is it not necessary?
>
> Thank you

From jasanchez at ccnt-spain.com Tue Apr 21 10:25:33 2009
From: jasanchez at ccnt-spain.com (Juan Asensio Sánchez)
Date: Tue, 21 Apr 2009 12:25:33 +0200
Subject: [Fedora-directory-users] Replication agreement trouble
Message-ID: <1240309533.6624.229.camel@grsgscvalx001.sacyl.es>

Hi

Since yesterday I am having troubles with replication between two servers. The replica is in multimaster mode in both servers, and everything is configured OK (database, suffixes, changelog, replica, agreements; until yesterday everything worked OK).

[21/Apr/2009:11:04:57 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated.
For replication to take place, please enable the suffix and restart the server

The only thing to mention are replication problems with other databases and replicas, but not for the replica of the agreement in the message. They were fixed re-initializing the consumers of those replicas.

Any idea?

Regards and thanks in advance.

From philipp.rusch at gw-world.com Tue Apr 21 12:03:37 2009
From: philipp.rusch at gw-world.com (Rusch Philipp pru09)
Date: Tue, 21 Apr 2009 14:03:37 +0200
Subject: [Fedora-directory-users] Configure LDAP clients
Message-ID:

Hello all,

my last try to move on with the SSL certificates. I have installed fedora-ds 1.0.4 and have used the setupssl.sh script to generate the certificates on both my servers. After that I jumped to the "configure ldap clients" section and there it says: "If you have more than 1 CA cert, you will have to concatenate them into a single file."

Can anyone tell me how I have to concatenate the two cacert.asc files? I have tried several things without any result (e.g. cat cacert1.asc cacert2.asc > cacert.asc). Only the first certificate is used to establish a new tls connection.

I would appreciate any help about this problem!

Thank you in advance.

Rgds
Philipp

For the sake of our environment: Please be aware of the fact that printing this message consumes valuable resources.

From rcritten at redhat.com Tue Apr 21 12:27:54 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 21 Apr 2009 08:27:54 -0400
Subject: [Fedora-directory-users] Configure LDAP clients
Message-ID: <49EDBBCA.6020706@redhat.com>

Rusch Philipp pru09 wrote:
> Hello all,
>
> my last try to move on with the SSL certificates.
> I have installed fedora-ds 1.0.4 and have used the setupssl.sh script to generate the certificates on both my servers. After that I jumped to the "configure ldap clients" section and there it says: "If you have more than 1 CA cert, you will have to concatenate them into a single file."
>
> Can anyone tell me how I have to concatenate the two cacert.asc files? I have tried several things without any result (e.g. cat cacert1.asc cacert2.asc > cacert.asc). Only the first certificate is used to establish a new tls connection.
>
> I would appreciate any help about this problem!
>
> Thank you in advance.

This is just an educated guess but if you ran setupssl.sh twice and didn't change anything then you have 2 Certificate Authorities with the same subject and same serial number just different signing keys. My guess is this is confusing the heck out of openssl. I'm not sure using TLS_CACERTDIR would change anything either.

Ideally you would create just 1 CA and use that to generate the server certs for your FDS installation. How to do this isn't particularly obvious though. You'd have to poke at the setupssl.sh script to see how the Server-Cert is being issued and generate a new CSR and get the CA to sign it.

Something simpler/quicker to try would be to modify the subject and CA name in setupssl.sh on one of the FDS servers and try again. The subject is set by the -s argument to certutil (e.g. cn=CAcert).

rob

From lambam80 at hotmail.com Tue Apr 21 13:13:26 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Tue, 21 Apr 2009 09:13:26 -0400
Subject: [Fedora-directory-users] RE: Where to search mail archives, cannot find the command: remove-ds-admin.pl - don't worry
Message-ID:

Hello again. Don't worry, I simply re-ran /usr/sbin/setup-ds-admin.pl and it worked.
Thanks, Dave

> From: lambam80 at hotmail.com
> To: fedora-directory-users at redhat.com; lambam80 at hotmail.com
> Subject: Where to search mail archives, cannot find the command: remove-ds-admin.pl
> Date: Tue, 21 Apr 2009 03:54:36 -0400

From tamarinp at gmail.com Tue Apr 21 14:12:49 2009
From: tamarinp at gmail.com (tamarin p)
Date: Tue, 21 Apr 2009 16:12:49 +0200
Subject: [Fedora-directory-users] aliasedObjectName problem
Message-ID: <4dd1b3eb0904210712u69967e80u3649ff8239162990@mail.gmail.com>

I'm running into some problems when trying to add some alias entries and importing with ldapmodify or ldif2db. I'm using the directory server version 1.2.0.
Example of LDIF:

dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
changetype: add
aliasedObjectName: ou=foo,dc=test,dc=com
objectClass: top
objectClass: alias

When I run this I get:

ldapmodify: Object class violation (65)
additional info: single-valued attribute "aliasedObjectName" has multiple values

Same when I use ldif2db.. What am I doing wrong?

From rmeggins at redhat.com Tue Apr 21 15:18:47 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Apr 2009 09:18:47 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <4d4d8d90-8abb-4852-bbaf-b2e6321276af@kerio.com>
References: <4d4d8d90-8abb-4852-bbaf-b2e6321276af@kerio.com>
Message-ID: <49EDE3D7.2030007@redhat.com>

Michal Rejda wrote:
> Yes, you are right. I use the console to browse AD tree. But I do this because there is attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.
>
> I tried ldapsearch using AD user (Administrator). I'm able to login but the ldapsearch don't show any results (I use Apache Directory Studio). When I looked into Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.

Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.
>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> - But this show error: 255 Replication error acquiring >>>>>>>>>>>>> >>>>>>>>>>>>> >>>> replica: >>>> >>>> >>>>>>>>>>>>> unknown error. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> Replication will only work to a SunDS, not to any other >>>>>>>>>>>> >>>>>>>>>>>> >>>> vendor. >>>> >>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> My question is: Is there way how to setup proxy to access >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>> another >>>>>> >>>>>> >>>>>> >>>>>>>>>>>> LDAP >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> server from Fedora DS? I know that is possible to use AD >>>>>>>>>>>>> >>>>>>>>>>>>> >>>> sync, >>>> >>>> >>>>>>>> but >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>>> I >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>>> cannot install anything on the AD server. The second reason >>>>>>>>>>>>> why >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>> I >>>>>> >>>>>> >>>>>> >>>>>>>>>>>> need >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> to setup proxy is to use data stored in LDAP server >>>>>>>>>>>>> >>>>>>>>>>>>> >>>> (OpenLDAP, >>>> >>>> >>>>>>>>>>>>> Open Direcoty Server and Active Directory) in one place. I >>>>>>>>>>>>> need >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>> to >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>>> update >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>>>> them too. It is not necessary to synchronize passwords. >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> See also >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration >>>>>> >>>>>> >>>>>> >>>>>>>>>>>>> Thank you for reply. 
>>>>>>>>>>>>> >>>>>>>>>>>>> Regards, >>>>>>>>>>>>> >>>>>>>>>>>>> Michal >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>>> >>>>> >>> --------------------------------------------------------------------- >>> >> - >> >>> -- >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Apr 21 15:20:09 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 21 Apr 2009 09:20:09 -0600 Subject: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl In-Reply-To: References: Message-ID: <49EDE429.1080707@redhat.com> lambam80 at hotmail.com wrote: > Hello everybody and thanks for all your help in the past. > > Q1: Fistly, what is the recommended means to search the mail archives ? > I don't fancy downloading all the GZIP files found here: > > https://www.redhat.com/archives/fedora-directory-users/ > > http://www.redhat.com/mailman/listinfo/fedora-directory-users > > Q2. 
> I have the following version of Directory Server running on Fedora 10:
>
> [root at ldap4 dirsrv]# cat /etc/redhat-release
> Fedora release 10 (Cambridge)
>
> [root at ldap4 sbin]# /usr/sbin/ns-slapd -v
> Fedora Project
> Fedora-Directory/1.1.3 B2008.289.115
>
> Q2: I cannot find the command remove-ds-admin.pl as documented here:
>
> http://directory.fedoraproject.org/wiki/FDS_Setup#remove-ds-admin.pl
>
> Even with the find command. Where might I find this command, please?
You should upgrade - you should have
fedora-ds-base version 1.2.0
fedora-ds-admin version 1.1.7
fedora-ds 1.1.3
>
> Cdlt, Dave

From rmeggins at redhat.com Tue Apr 21 15:21:49 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Apr 2009 09:21:49 -0600
Subject: [Fedora-directory-users] Replication agreement trouble
In-Reply-To: <1240309533.6624.229.camel@grsgscvalx001.sacyl.es>
References: <1240309533.6624.229.camel@grsgscvalx001.sacyl.es>
Message-ID: <49EDE48D.4070004@redhat.com>

Juan Asensio Sánchez wrote:
> Hi
>
> Since yesterday I am having troubles with replication between two servers. The replica is in multimaster mode in both servers, and everything is configured OK (database, suffixes, changelog, replica, agreements; until yesterday everything worked OK).
>
> [21/Apr/2009:11:04:57 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated. For replication to take place, please enable the suffix and restart the server
What changed? Everything was working, then suddenly it's not? Something must have changed, perhaps even something that did not seem related to this problem. Do you know when things started failing? Did you examine the access and error logs on the supplier and consumer from around the time of the failure?
>
> The only thing to mention are replication problems with other databases and replicas, but not for the replica of the agreement in the message. They were fixed by re-initializing the consumers of those replicas. Any idea?
>
> Regards and thanks in advance.

From rmeggins at redhat.com Tue Apr 21 15:23:13 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Apr 2009 09:23:13 -0600
Subject: [Fedora-directory-users] aliasedObjectName problem
In-Reply-To: <4dd1b3eb0904210712u69967e80u3649ff8239162990@mail.gmail.com>
References: <4dd1b3eb0904210712u69967e80u3649ff8239162990@mail.gmail.com>
Message-ID: <49EDE4E1.2060903@redhat.com>

tamarin p wrote:
> I'm running into some problems when trying to add some alias entries and importing with ldapmodify or ldif2db. I'm using the directory server version 1.2.0.
>
> Example of LDIF
> dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
> changetype: add
> aliasedObjectName: ou=foo,dc=test,dc=com
> objectClass: top
> objectClass: alias
>
> When I run this I get:
> ldapmodify: Object class violation (65)
> additional info: single-valued attribute "aliasedObjectName" has multiple values
>
> Same when I use ldif2db.. What am I doing wrong?
Fedora DS does not support aliases - see http://directory.fedoraproject.org/wiki/Roadmap

From rmeggins at redhat.com Tue Apr 21 15:47:00 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Apr 2009 09:47:00 -0600
Subject: [Fedora-directory-users] fedora ds problem with updating centos
In-Reply-To: <38a27c8c0904202224n4d232fc5q6b8ba04e4f4fd0f@mail.gmail.com>
References: <38a27c8c0904202224n4d232fc5q6b8ba04e4f4fd0f@mail.gmail.com>
Message-ID: <49EDEA74.7080304@redhat.com>

Eric wrote:
> Thanks Rich. My problem was fixed with your suggestion too. I had upgraded the OS without updating fedora ds. Is that the reason for the problem?
I'm not sure what the problem is. For those folks who are having rundir problems - what version of fedora-ds-base were you using before you did the upgrade? The nsslapd-rundir attribute was added in fedora-ds-base 1.1.0, and the problem with yum overwriting the ownership/permissions of /var/run/dirsrv was fixed in fedora-ds-base 1.2.0
>
> Message: 3
> Date: Mon, 20 Apr 2009 07:53:05 -0600
> From: Rich Megginson
> Subject: Re: [Fedora-directory-users] fedora ds problem with updating centos
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <49EC7E41.9010505 at redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Eric wrote:
> > Hi all,
> > I had fedora-ds-1.1.3-1.fc6 installed on centos 5. I have updated centos to 5.3. Now fedora ds can't be started. When I use: service dirsrv start there is this error:
> > ldap...[19/Apr/2009:06:46:14 -0400] - Unable to access nsslapd-rundir: Bad address
> > [19/Apr/2009:06:46:14 -0400] - Ensure that user "ldap" has read and write permissions on (null)
> > [19/Apr/2009:06:46:14 -0400] - Shutting down.
> > [FAILED]
> You upgraded fedora ds first, then upgraded CentOS to 5.3? ls -al /var/run/dirsrv
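The dse.ldif edit Rich walks through in the LDAP proxy thread above (stop the server, find the entry cn=config,cn=chaining database,cn=plugins,cn=config, drop the 2.16.840.1.113730.3.4.2 value from nsTransmittedControls, restart) as an added Python example. This is not code from the thread or from the Fedora Directory Server project; the dse.ldif fragment below is constructed, and the function names are mine. It goes a little beyond Rich's steps in that it removes any OID you name, and it handles LDIF line folding (continuation lines begin with a space), which a plain grep for the OID can miss.

```python
"""Remove one control OID from nsTransmittedControls in a dse.ldif.

Added example for the LDAP proxy thread; not code from the thread or from
the Fedora/389 Directory Server project. SAMPLE_DSE is constructed and the
function names are assumptions. Run it only on a copy of dse.ldif taken while
the server is stopped: the server rewrites dse.ldif when it shuts down.
"""

CHAINING_CONFIG_DN = "cn=config,cn=chaining database,cn=plugins,cn=config"
MANAGEDSAIT_OID = "2.16.840.1.113730.3.4.2"   # manageDSAit, the control AD rejected

# Constructed sample. The last value is folded over two lines the way LDIF
# writers wrap long values (a continuation line starts with one space).
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top

dn: cn=config,cn=chaining database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsActiveChainingComponents: cn=ACL Plugin,cn=plugins,cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
nsTransmittedControls: 2.16.840.1.113730.3
 .4.12
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_entries(lines):
    """Group unfolded lines into entries; entries are separated by blank lines."""
    entries, current = [], []
    for line in lines:
        if line.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            current.append(line)
    if current:
        entries.append(current)
    return entries


def _attr_value(line):
    """Split 'attr: value' into (lower-cased attribute name, stripped value)."""
    attr, _, value = line.partition(":")
    return attr.strip().lower(), value.strip()


def entry_dn(entry):
    for line in entry:
        attr, value = _attr_value(line)
        if attr == "dn":
            return value
    return ""


def transmitted_controls(text, dn=CHAINING_CONFIG_DN):
    """List the nsTransmittedControls values of the entry with the given DN."""
    for entry in split_entries(unfold_ldif(text)):
        if entry_dn(entry).lower() == dn.lower():
            return [v for a, v in map(_attr_value, entry) if a == "nstransmittedcontrols"]
    return []


def remove_transmitted_control(text, oid, dn=CHAINING_CONFIG_DN):
    """Return the LDIF with one nsTransmittedControls value removed from one entry.

    Every other entry and attribute passes through unchanged (apart from
    unfolding, which is still valid LDIF). Removing an OID that is not present
    is a no-op, so the function is safe to run twice.
    """
    out = []
    for entry in split_entries(unfold_ldif(text)):
        if entry_dn(entry).lower() == dn.lower():
            entry = [line for line in entry
                     if _attr_value(line) != ("nstransmittedcontrols", oid)]
        out.append("\n".join(entry))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", transmitted_controls(SAMPLE_DSE))
    print("after: ", transmitted_controls(remove_transmitted_control(SAMPLE_DSE, MANAGEDSAIT_OID)))
```

Point it at a copy of /etc/dirsrv/slapd-yourinstance/dse.ldif, check the before/after lists, then copy the result back and start the server. As Rich notes later in the thread, if the OID is not in dse.ldif at all the edit cannot help, and the control is coming from somewhere else.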
From orion at cora.nwra.com Tue Apr 21 17:35:10 2009
From: orion at cora.nwra.com (Orion Poplawski)
Date: Tue, 21 Apr 2009 11:35:10 -0600
Subject: [Fedora-directory-users] FDS for EPEL 5
Message-ID: <49EE03CE.9020009@cora.nwra.com>

Any reason we couldn't get FDS 1.2 packages into EPEL? I'm happy to drive it.

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion at cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

From jasanchez at ccnt-spain.com Wed Apr 22 06:38:51 2009
From: jasanchez at ccnt-spain.com (Juan Asensio Sánchez)
Date: Wed, 22 Apr 2009 08:38:51 +0200
Subject: [Fedora-directory-users] Replication agreement trouble
In-Reply-To: <49EDE48D.4070004@redhat.com>
References: <1240309533.6624.229.camel@grsgscvalx001.sacyl.es> <49EDE48D.4070004@redhat.com>
Message-ID: <1240382331.6597.13.camel@grsgscvalx001.sacyl.es>

The day before the date in the error (when the errors started), we had to delete two suffix databases from the console (they were damaged), create them again, and reinitialize those databases from the other supplier. The database of the agreement throwing errors is the userRoot (dc=example,dc=com). The databases recreated were the suffixes o=cabu,dc=sacyl,dc=es and o=husa,dc=sacyl,dc=es.

This is the error log from server1 (this one did not crash; this server initialized server2, which crashed):

===========================
[20/Apr/2009:14:18:28 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=CABU_ppal-GRS_back" (grsgscvalp0102:636)".
[20/Apr/2009:14:18:39 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=CABU_ppal-GRS_back" (grsgscvalp0102:636)". Sent 4108 entries.
[20/Apr/2009:14:25:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=HUSA_ppal-GRS_back" (grsgscvalp0102:636)".
[20/Apr/2009:14:25:43 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=HUSA_ppal-GRS_back" (grsgscvalp0102:636)". Sent 2650 entries.
[21/Apr/2009:10:50:47 +0200] - slapd shutting down - signaling operation threads
===========================

And this is the log from server2, where the databases crashed. The log shows the deletion of the agreements, the deletion of the databases, the creation of the databases and their initialization from server1. The messages from day 21 are from when we tried to force sending the updates:

===========================
[20/Apr/2009:14:13:20 +0200] NSMMReplicationPlugin - agmt_delete: begin
[20/Apr/2009:14:13:21 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=sacyl,dc=es is about to be deleted; disabling replication
[20/Apr/2009:14:14:16 +0200] - ldbm: Bringing o_cabu_dc_sacyl_dc_es offline...
[20/Apr/2009:14:14:16 +0200] - ldbm: removing 'o_cabu_dc_sacyl_dc_es'.
[20/Apr/2009:14:14:16 +0200] - Destructor for instance o_cabu_dc_sacyl_dc_es called
[20/Apr/2009:14:14:44 +0200] - No symmetric key found for cipher AES in backend o_cabu_dc_sacyl_dc_es, attempting to create one...
[20/Apr/2009:14:14:44 +0200] - Key for cipher AES successfully generated and stored
[20/Apr/2009:14:14:44 +0200] - No symmetric key found for cipher 3DES in backend o_cabu_dc_sacyl_dc_es, attempting to create one...
[20/Apr/2009:14:14:45 +0200] - Key for cipher 3DES successfully generated and stored
[20/Apr/2009:14:17:08 +0200] NSMMReplicationPlugin - agmt="cn=CABU_back-GRS_ppal" (grsgscvalp0101:636): Replica has a different generation ID than the local data.
[20/Apr/2009:14:18:11 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=cabu,dc=sacyl,dc=es is going offline; disabling replication
[20/Apr/2009:14:18:13 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[20/Apr/2009:14:18:35 +0200] - import o_cabu_dc_sacyl_dc_es: Workers finished; cleaning up...
[20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Workers cleaned up.
[20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Indexing complete. Post-processing...
[20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Flushing caches...
[20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Closing files...
[20/Apr/2009:14:18:38 +0200] - import o_cabu_dc_sacyl_dc_es: Import complete. Processed 4108 entries in 12 seconds. (342.33 entries/sec)
[20/Apr/2009:14:18:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=cabu,dc=sacyl,dc=es is coming online; enabling replication
[20/Apr/2009:14:20:09 +0200] NSMMReplicationPlugin - replica_config_delete: Warning: The changelog for replica o=husa,dc=sacyl,dc=es is no longer valid since the replica config is being deleted. Removing the changelog.
[20/Apr/2009:14:20:10 +0200] NSMMReplicationPlugin - agmt_delete: begin
[20/Apr/2009:14:20:12 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=sacyl,dc=es is about to be deleted; disabling replication
[20/Apr/2009:14:20:42 +0200] - ldbm: Bringing o_husa_dc_sacyl_dc_es offline...
[20/Apr/2009:14:20:42 +0200] - ldbm: removing 'o_husa_dc_sacyl_dc_es'.
[20/Apr/2009:14:20:42 +0200] - Destructor for instance o_husa_dc_sacyl_dc_es called
[20/Apr/2009:14:21:10 +0200] - No symmetric key found for cipher AES in backend o_husa_dc_sacyl_dc_es, attempting to create one...
[20/Apr/2009:14:21:10 +0200] - Key for cipher AES successfully generated and stored
[20/Apr/2009:14:21:10 +0200] - No symmetric key found for cipher 3DES in backend o_husa_dc_sacyl_dc_es, attempting to create one...
[20/Apr/2009:14:21:10 +0200] - Key for cipher 3DES successfully generated and stored
[20/Apr/2009:14:24:23 +0200] NSMMReplicationPlugin - agmt="cn=HUSA_back-GRS_ppal" (grsgscvalp0101:636): Replica has a different generation ID than the local data.
[20/Apr/2009:14:25:18 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=husa,dc=sacyl,dc=es is going offline; disabling replication
[20/Apr/2009:14:25:20 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[20/Apr/2009:14:25:39 +0200] - import o_husa_dc_sacyl_dc_es: Workers finished; cleaning up...
[20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Workers cleaned up.
[20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Indexing complete. Post-processing...
[20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Flushing caches...
[20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Closing files...
[20/Apr/2009:14:25:42 +0200] - import o_husa_dc_sacyl_dc_es: Import complete. Processed 2650 entries in 8 seconds. (331.25 entries/sec)
[20/Apr/2009:14:25:42 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=husa,dc=sacyl,dc=es is coming online; enabling replication
[21/Apr/2009:10:50:07 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated. For replication to take place, please enable the suffix and restart the server
[21/Apr/2009:10:50:07 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated. For replication to take place, please enable the suffix and restart the server
===========================

On Tue, 21-04-2009 at 09:21 -0600, Rich Megginson wrote:
> What changed? Everything was working, then suddenly it's not? Something must have changed, perhaps even something that did not seem related to this problem. Do you know when things started failing? Did you examine the access and error logs on the supplier and consumer from around the time of the failure?
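Rich asked for the error logs from around the time of the failure, and Juan posted them above. As an added example (not code from the thread or from the Directory Server project), here is a small Python parser for that errors-log format that pulls out the replication events a defender would want to line up: the backend deletes and re-imports, the "different generation ID" lines they produced, and the agreement that can no longer be updated. The sample is a constructed subset of the server2 log above (with the wrapped "rep lication" joined back together); the event names and the keywords used to classify messages are mine, taken from the messages in the thread rather than from any documented list.

```python
"""Pull replication events out of a Fedora/389 DS errors log.

Added example, not code from the thread or from the Directory Server project.
SAMPLE_LOG is a constructed subset of the server2 log posted in the thread;
the event names and classification keywords are assumptions derived from the
messages seen there.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
[20/Apr/2009:14:13:20 +0200] NSMMReplicationPlugin - agmt_delete: begin
[20/Apr/2009:14:13:21 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=sacyl,dc=es is about to be deleted; disabling replication
[20/Apr/2009:14:14:16 +0200] - ldbm: removing 'o_cabu_dc_sacyl_dc_es'.
[20/Apr/2009:14:17:08 +0200] NSMMReplicationPlugin - agmt="cn=CABU_back-GRS_ppal" (grsgscvalp0101:636): Replica has a different generation ID than the local data.
[20/Apr/2009:14:18:11 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=cabu,dc=sacyl,dc=es is going offline; disabling replication
[20/Apr/2009:14:18:38 +0200] - import o_cabu_dc_sacyl_dc_es: Import complete. Processed 4108 entries in 12 seconds. (342.33 entries/sec)
[20/Apr/2009:14:18:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=cabu,dc=sacyl,dc=es is coming online; enabling replication
[21/Apr/2009:10:50:07 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated. For replication to take place, please enable the suffix and restart the server
"""

# "[dd/Mon/yyyy:HH:MM:SS +zzzz] <component> - <message>"; the component is
# absent ("[...] - ldbm: ...") for core server messages.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<comp>[A-Za-z]\S*) )?- (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^)]+)\)')
REPLICA_RE = re.compile(r"replica (?P<replica>\S+) is ")

# (event name, substring that identifies it); the first match wins.
EVENT_RULES = [
    ("generation-mismatch", "Replica has a different generation ID"),
    ("agreement-suffix-disabled", "could not be updated. For replication to take place"),
    ("replica-state-change", "multimaster_be_state_change:"),
    ("total-update", "total update of replica"),
    ("agreement-deleted", "agmt_delete:"),
]


def parse_line(line):
    """Return (timestamp, component, message), or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("comp") or "", m.group("msg")


def classify(message):
    for name, needle in EVENT_RULES:
        if needle in message:
            return name
    return None


def replication_events(log_text):
    """Events from NSMMReplicationPlugin lines, with the agreement and replica when present."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "NSMMReplicationPlugin":
            continue
        ts, _, msg = parsed
        kind = classify(msg)
        if kind is None:
            continue
        agmt = AGMT_RE.search(msg)
        replica = REPLICA_RE.search(msg)
        events.append({
            "ts": ts,
            "kind": kind,
            "agmt": agmt.group("agmt") if agmt else None,
            "peer": agmt.group("host") if agmt else None,
            "replica": replica.group("replica") if replica else None,
        })
    return events


def summarize(events):
    """Which agreements need attention, and which replicas changed state."""
    return {
        "generation_mismatch": sorted({e["agmt"] for e in events if e["kind"] == "generation-mismatch"}),
        "needs_suffix_enabled": sorted({e["agmt"] for e in events if e["kind"] == "agreement-suffix-disabled"}),
        "replicas_touched": sorted({e["replica"] for e in events if e["replica"]}),
    }


if __name__ == "__main__":
    for e in replication_events(SAMPLE_LOG):
        print(e["ts"].isoformat(), e["kind"], e["agmt"] or e["replica"])
    print(summarize(SAMPLE_LOG and replication_events(SAMPLE_LOG)))
```

Run over both servers' logs, the timeline shows what Rich was asking about: the generation-ID mismatches belong to the agreements for the two suffixes that were deleted and re-imported on the 20th, while the agreement that fails on the 21st is for a different suffix, which is the question still open in the thread.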
From mrejda at kerio.com Wed Apr 22 12:26:45 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Wed, 22 Apr 2009 14:26:45 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <98103a23-e83a-4e47-86a6-82ecdfd32ec8@kerio.com>

> Michal Rejda wrote:
> > Yes, you are right. I use the console to browse the AD tree. But I do this because there is an attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.
> > I tried ldapsearch using an AD user (Administrator). I'm able to log in but the ldapsearch doesn't show any results (I use Apache Directory Studio). When I looked into the Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.

It works. Thank you very much! I can connect to the AD and list users and whatever I want.

I have one more difficulty. When I send an ldapmodify to a node in the AD, FDS adds two more attributes (modifiersname, modifytimestamp) to this request. AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece). Is it possible to disable this functionality or rewrite the attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change the AD schema.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: errors.log
Type: application/octet-stream
Size: 7054 bytes
Desc: not available

From lambam80 at hotmail.com Wed Apr 22 12:37:47 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Wed, 22 Apr 2009 08:37:47 -0400
Subject: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl
In-Reply-To: <49EDE429.1080707@redhat.com>
References: <49EDE429.1080707@redhat.com>

Rich, hello and as ever thanks for the pertinent reply. Please note that I have Fedora 10 installed.
I'll try fedora-ds-admin version 1.1.7, first:

# yum install fedora-ds-admin
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Package fedora-ds-admin-1.1.6-2.fc10.i386 already installed and latest version
Nothing to do

I have the following:

# ls -talr /etc/yum.repos.d
-rwxrwxrwx 1 root root 284 2009-04-08 13:08 wget.sh
-rw-r--r-- 1 root root 291 2009-04-20 10:52 fedora10.repo

# cat /etc/yum.repos.d/fedora10.repo
[fedora]
name = Fedora 10 i386 base
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/i386/os/
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=i386
enabled=1

Q1: Any idea why I cannot 'find' version 1.1.7 ?

Thanks, Dave

---------

> Date: Tue, 21 Apr 2009 09:20:09 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> CC: lambam80 at hotmail.com
> Subject: Re: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl
>
> lambam80 at hotmail.com wrote:
> > Hello everybody and thanks for all your help in the past.
> >
> > Q1: Firstly, what is the recommended means to search the mail archives ? I don't fancy downloading all the GZIP files found here:
> >
> > https://www.redhat.com/archives/fedora-directory-users/
> >
> > http://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> > Q2. I have the following version of Directory Server running on Fedora 10:
> >
> > [root at ldap4 dirsrv]# cat /etc/redhat-release
> > Fedora release 10 (Cambridge)
> >
> > [root at ldap4 sbin]# /usr/sbin/ns-slapd -v
> > Fedora Project
> > Fedora-Directory/1.1.3 B2008.289.115
> >
> > Q2: I cannot find the command remove-ds-admin.pl as documented here:
> >
> > http://directory.fedoraproject.org/wiki/FDS_Setup#remove-ds-admin.pl
> >
> > Even with the find command. Where might I find this command, please ?
>
> You should upgrade - you should have
> fedora-ds-base version 1.2.0
> fedora-ds-admin version 1.1.7
> fedora-ds 1.1.3
>
> > Cdlt, Dave

From rmeggins at redhat.com Wed Apr 22 13:22:43 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Apr 2009 07:22:43 -0600
Subject: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl
In-Reply-To:
References: <49EDE429.1080707@redhat.com>
Message-ID: <49EF1A23.8080900@redhat.com>

lambam80 at hotmail.com wrote:
> Rich, hello and as ever thanks for the pertinent reply. Please note that I have Fedora 10 installed.
>
> I'll try fedora-ds-admin version 1.1.7, first:
>
> # yum install fedora-ds-admin
> Loaded plugins: refresh-packagekit
> Setting up Install Process
> Parsing package install arguments
> Package fedora-ds-admin-1.1.6-2.fc10.i386 already installed and latest version
> Nothing to do
>
> I have the following:
>
> # ls -talr /etc/yum.repos.d
> -rwxrwxrwx 1 root root 284 2009-04-08 13:08 wget.sh
> -rw-r--r-- 1 root root 291 2009-04-20 10:52 fedora10.repo
>
> # cat /etc/yum.repos.d/fedora10.repo
> [fedora]
> name = Fedora 10 i386 base
> baseurl=http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/i386/os/
> mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=i386
> enabled=1
>
> Q1: Any idea why I cannot 'find' version 1.1.7 ?

I have no idea - it's been up on the mirrors for a while - I guess try yum clean all then yum update

> Thanks, Dave
From rmeggins at redhat.com Wed Apr 22 13:25:12 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Apr 2009 07:25:12 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <98103a23-e83a-4e47-86a6-82ecdfd32ec8@kerio.com>
References: <98103a23-e83a-4e47-86a6-82ecdfd32ec8@kerio.com>
Message-ID: <49EF1AB8.6040204@redhat.com>

Michal Rejda wrote:
>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>>>>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>>>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>>>>>>>>
>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I setup the database link to the Active Directory (and OpenLDAP). When I looked into Wireshark log, FDS send search request with controls:
>>>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>>> 2.16.840.1.113730.3.4.12
>>>>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>>>>>>>> I tried to remove these two controls from Database Link Settings (in administration console) but it didn't help. The server didn't return the message above, but the administrative console show error dialog.
>>>>>>>>>>>>
>>>>>>>>>>>> What error?
>>>>>>>>>>>
>>>>>>>>>>> I tried it again and the error message is exactly:
>>>>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
>>>>>>>>>>> The error send by the server was:
>>>>>>>>>>> ".
>>>>>>>>>>>
>>>>>>>>>>> In the Wireshark log was still the search request with control:
>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>
>>>>>>>>>>> Why is this control needed by the server when I removed it from Database link settings?
>>>>>>>>>>
>>>>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
>>>>>>>>>> 1) Shutdown the server
>>>>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>>>>>>>> 3) edit dse.ldif - look for the entry
>>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>>>>> 4) edit the nsTransmittedControls attribute - remove 2.16.840.1.113730.3.4.2
>>>>>>>>>> 5) save and restart the server
>>>>>>>>>
>>>>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There is only the 1.3.6.1.4.1.1466.29539.12. , not the problematic 2.16.840.1.113730.3.4.2.
>>>>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>>>>>>>
>>>>>>>> If it is, I don't see it. There is no mention of managedsa or 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code. The only place it is mentioned is in the default list of nsTransmittedControls in the template-dse.ldif used during new instance creation.
>>>>>>>>
>>>>>>>>> Why is this so necessary?
>>>>>>>>
>>>>>>>> It's not necessary, and I'm not sure where it is coming from. One place might be an internal operation, but I'm not sure what internal operation would be doing this. You might also try to remove nsActiveChainingComponents and nsPossibleChainingComponents to see if one of those components is doing an internal operation with managedsait set.
>>>>>>>
>>>>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents and it didn't help.
>>>>>>
>>>>>> Then I'm not sure where it's coming from. I suppose you could enable tracing in the directory server and see if there is anything interesting in the error log - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>>
>>>>> In the attachment is the part of the server error log. I removed all messages before I click on the exclamation mark before the DN in the Fedora administration console -> Directory folder tab. I don't understand this log. Is it helpful for you?
>>>>
>>>> Ah, I see. You are using the console to try to browse the AD tree? And you are using the console admin user "admin"? Try ldapsearch from the command line, and attempt to authenticate as an AD user (e.g. cn=administrator,cn=users,dc=example,dc=com).
>>>
>>> Yes, you are right. I use the console to browse AD tree. But I do this because there is attention marker before the root suffix (lib-w2k3r2) in the Directory tab and I just double click on it.
>>>
>>> I tried ldapsearch using AD user (Administrator). I'm able to login but the ldapsearch doesn't show any results (I use Apache Directory Studio). When I looked into Wireshark log, I now see that another critical extension is missing: 2.16.840.1.113730.3.4.12. The log is in the attachment.
>>
>> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls. Set nsProxiedAuthorization to 0 - that should make it not use 2.16.840.1.113730.3.4.12 which is the proxyauth control.
>
> It works. Thank you very much! I can connect to the AD and list users and whatever I want.
> I have one more difficulty. When I send ldapmodify to the node in the AD, FDS adds to this request two more attributes (modifiersname, modifytimestamp). AD doesn't know these attributes and returns the error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in attribute conversion operation, data 0, vece).
> Is it possible to disable this functionality

Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0

> or rewrite attribute names into AD attribute names (e.g. modifytimestamp -> whenChanged)? I cannot change AD schema.

No, it's not possible to map it.

BTW, I would really appreciate it if you could write up something for the wiki about "using chaining to create an AD 'view'" - if you would rather just send me the info in an email, that would be fine too.
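The dse.ldif edits from this thread (drop the manageDSAit and proxyauth OIDs from nsTransmittedControls on the chaining config entry, set nsProxiedAuthorization to 0 on the database link, set nsslapd-lastmod to 0 in cn=config) as a script, an added Python example that is not from the thread or from Fedora DS. The dse.ldif fragment and the link entry name cn=adlink are constructed for the demo; as the thread says, edit a copy of dse.ldif only while the server is stopped.

```python
# Added example, not from the thread or from Fedora DS: script the dse.ldif
# edits described above instead of making them by hand. The LDIF fragment
# and the database link DN (cn=adlink,...) below are constructed for the demo.
from typing import List, Optional, Tuple

MANAGEDSAIT_OID = "2.16.840.1.113730.3.4.2"   # control AD rejected in the thread
PROXYAUTH_OID = "2.16.840.1.113730.3.4.12"    # proxied authorization control
CHAINING_CONFIG_DN = "cn=config,cn=chaining database,cn=plugins,cn=config"

# An entry is an ordered list of (attribute, separator, value); the separator
# is ":" for plain values and "::" for base64 values, which pass through as-is.
Entry = List[Tuple[str, str, str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse dse.ldif-style entries (attribute lines only, no change records)."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[Entry] = []
    current: Entry = []
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current = []
            continue
        attr, _, rest = line.partition(":")
        sep = "::" if rest.startswith(":") else ":"
        current.append((attr.strip(), sep, (rest[1:] if sep == "::" else rest).strip()))
    if current:
        entries.append(current)
    return entries

def to_ldif(entries: List[Entry]) -> str:
    """Serialize entries back to LDIF, one blank line between entries."""
    return "\n\n".join("\n".join(f"{a}{s} {v}" for a, s, v in e) for e in entries) + "\n"

def find_entry(entries: List[Entry], dn: str) -> Optional[Entry]:
    """Return the entry with this dn (case-insensitive, same spacing), or None."""
    for entry in entries:
        if entry and entry[0][0].lower() == "dn" and entry[0][2].lower() == dn.lower():
            return entry
    return None

def get_values(entry: Entry, attr: str) -> List[str]:
    return [v for a, _, v in entry if a.lower() == attr.lower()]

def remove_value(entry: Entry, attr: str, value: str) -> bool:
    """Drop one value of a multi-valued attribute; True if it was present."""
    keep = [t for t in entry if not (t[0].lower() == attr.lower() and t[2] == value)]
    changed = len(keep) != len(entry)
    entry[:] = keep
    return changed

def set_value(entry: Entry, attr: str, value: str) -> None:
    """Replace every value of attr with a single value (append if absent)."""
    entry[:] = [t for t in entry if t[0].lower() != attr.lower()] + [(attr, ":", value)]

def fix_chaining_for_ad(text: str, link_dn: str) -> str:
    """Apply the three fixes from the thread and return the new dse.ldif text."""
    entries = parse_ldif(text)
    chaining = find_entry(entries, CHAINING_CONFIG_DN)
    link = find_entry(entries, link_dn)
    config = find_entry(entries, "cn=config")
    if chaining is None or link is None or config is None:
        raise ValueError("chaining config, database link or cn=config entry missing")
    remove_value(chaining, "nsTransmittedControls", MANAGEDSAIT_OID)  # step 4 above
    remove_value(chaining, "nsTransmittedControls", PROXYAUTH_OID)
    set_value(link, "nsProxiedAuthorization", "0")  # stop sending the proxyauth control
    set_value(config, "nsslapd-lastmod", "0")       # no modifiersname/modifytimestamp
    return to_ldif(entries)

def rejected_controls(text: str) -> List[str]:
    """Which of the two OIDs AD refused would still be transmitted."""
    chaining = find_entry(parse_ldif(text), CHAINING_CONFIG_DN)
    sent = get_values(chaining, "nsTransmittedControls") if chaining else []
    return [oid for oid in (MANAGEDSAIT_OID, PROXYAUTH_OID) if oid in sent]


LINK_DN = "cn=adlink,cn=chaining database,cn=plugins,cn=config"  # assumed link name
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
objectClass: extensibleObject
cn: config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 2.16.840.1.113730.3.4.12
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12

dn: cn=adlink,cn=chaining database,cn=plugins,cn=config
cn: adlink
nsProxiedAuthorization: on
"""

if __name__ == "__main__":
    fixed = fix_chaining_for_ad(SAMPLE_DSE_LDIF, LINK_DN)
    print(fixed, "still transmitted:", rejected_controls(fixed))
```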
From tamarinp at gmail.com Wed Apr 22 14:00:35 2009
From: tamarinp at gmail.com (tamarin p)
Date: Wed, 22 Apr 2009 16:00:35 +0200
Subject: [Fedora-directory-users] ConfigFile directives in .inf-files
Message-ID: <4dd1b3eb0904220700l5ccb2ae5q9e0fbf047d106461@mail.gmail.com>

I'm (still :) trying to fully automate ldap installation for our specific deployment with setup-ds.pl in silent mode.. I have an inf which uses ConfigFile directives to try to define indexes, cache sizes and other settings for the directory server. My problem is, only a small part of those ConfigFiles are applied when I check dse.ldif after, but no errors anywhere. I tried using --debug but the only output I could see of relevance was:

"+Processing config.ldif ..."
"+Processing indexes.ldif ..."

NONE of the settings in the ConfigFile make it to dse.ldif except "nsslapd-dbcachesize" and "nsslapd-cachememsize".. These are both set properly, or I would doubt if the files had been processed at all. But the replication manager isn't created and size/timelimits are not set and so on, and the same with indexes. I can see nothing in the output log from the script and there's nothing in the logs for the newly created server.

If I instead add the ConfigFiles with ldapmodify, things work fine.

My guess is I'm trying to modify attributes that don't exist yet? The Red Hat documentation at http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html seems to indicate that I should be able to create a replication manager, but the difference I can tell from the docs is that their RM is made in the directory itself while I'm trying to use the cn=config database.
Here's a snippet from my config.ldif:

# doesn't get created
dn: cn=replication manager,cn=config
changetype: add
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: password
passwordExpirationTime: 20380119031407Z

# is set properly
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-dbcachesize
nsslapd-dbcachesize: 512000000

# is not set
dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-sizelimit
nsslapd-sizelimit: 20000
-
replace: nsslapd-timelimit
nsslapd-timelimit: 120

# is set
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: 512000000

From tamarinp at gmail.com Wed Apr 22 14:28:45 2009
From: tamarinp at gmail.com (tamarin p)
Date: Wed, 22 Apr 2009 16:28:45 +0200
Subject: [Fedora-directory-users] aliasedObjectName problem
In-Reply-To: <49EDE4E1.2060903@redhat.com>
References: <4dd1b3eb0904210712u69967e80u3649ff8239162990@mail.gmail.com> <49EDE4E1.2060903@redhat.com>
Message-ID: <4dd1b3eb0904220728g1ff6709ao172ee22420453e84@mail.gmail.com>

2009/4/21 Rich Megginson

> tamarin p wrote:
>> I'm running into some problems when trying to add some alias entries and importing with ldapmodify or ldif2db. I'm using the directory server version 1.2.0.
>>
>> Example of LDIF
>> dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
>> changetype: add
>> aliasedObjectName: ou=foo,dc=test,dc=com
>> objectClass: top
>> objectClass: alias
>>
>> When I run this I get:
>> ldapmodify: Object class violation (65)
>> additional info: single-valued attribute "aliasedObjectName" has multiple values
>>
>> Same when I use ldif2db.. What am I doing wrong?
>>
>

The application running on top of the ldap uses aliases as pointers and the objectclass exists in the schemata for FDS, so there isn't a requirement that the aliases get dereferenced by the ldap. In any case it currently uses an older fedorads version.

I discovered that if I changed
dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
in the LDIF to
dn: aliasedobjectname=ou=foo\,dc=test\,dc=com,ou=bar,ou=test,dc=com
(escape the commas instead of surrounding "" for the alias part in the dn), then I could add the entry and it seems to look ok in an ldap browser and satisfy whatever it is the application uses it for. Should the two be considered equivalent?

Then, when I dump the database to ldif with db2ldif, the entry is represented the same way: escaped comma for the alias part. One strange thing is I could have sworn I added the same ldif with ""-aliases in FDS 1.1.3 and not only that: The ldif itself is actually dumped from a FDS 7.x server (which has schema checking off, if that could explain how the entries were added in the first place). Were there any changes between 1.1.3 and 1.2.0 that could explain this?

Also it does not appear to have broken replication of those aliases (tested with a quick replica initialize that I didn't run long enough to finish more than 20% of the db, I'll run the whole init tonight) between the 7.x and 1.2.0 server so maybe it's just a tools issue.. but if so it happened with both ldif2db and ldapmodify from openldap-clients.
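The two DN spellings in the post above, as an added Python example that is not from the thread or from Fedora DS: a small DN parser that accepts both the deprecated double-quoted RDN value form and RFC 4514 backslash escaping, plus an escaper that emits the backslash form, so the two can be checked for equivalence before an import. The sample DNs are constructed from the post.

```python
# Added example, not from the thread or from Fedora DS: a DN parser that takes
# both the deprecated "..." RDN value form and RFC 4514 backslash escaping, and
# an escaper that emits the backslash form. The sample DNs are constructed.
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # one RDN as [(type, value), ...]; '+' joins several
SPECIALS = ',+"\\<>;'          # characters that must be escaped anywhere in a value
HEX = "0123456789abcdefABCDEF"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out: List[str] = []
    for i, ch in enumerate(value):
        if ch in SPECIALS or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")           # leading or trailing space
        elif ch == "\x00":
            out.append("\\00")          # NUL is only representable as a hex pair
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs; handles \\c, \\XX hex pairs, '+' and old "..." values."""
    rdns: List[RDN] = []
    rdn: RDN = []
    attr: List[str] = []
    value: List[Tuple[str, bool]] = []      # (char, came_from_escape_or_quotes)
    in_value = quoted = False

    def finish() -> None:                   # close the current type=value pair
        nonlocal attr, value, in_value
        if not in_value:
            raise ValueError(f"RDN without '=' in {dn!r}")
        while value and value[0] == (" ", False):   # unescaped leading spaces
            value.pop(0)
        while value and value[-1] == (" ", False):  # unescaped trailing spaces
            value.pop()
        rdn.append(("".join(attr).strip().lower(), "".join(c for c, _ in value)))
        attr, value, in_value = [], [], False

    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\" and in_value and i + 1 < n:          # backslash escape
            if i + 2 < n and dn[i + 1] in HEX and dn[i + 2] in HEX:
                value.append((chr(int(dn[i + 1:i + 3], 16)), True))
                i += 3
            else:
                value.append((dn[i + 1], True))
                i += 2
            continue
        if quoted:                                          # inside "..."
            if ch == '"':
                quoted = False
            else:
                value.append((ch, True))
        elif not in_value:
            if ch == "=":
                in_value = True
            else:
                attr.append(ch)
        elif ch == '"' and all(c == " " and not e for c, e in value):
            quoted, value = True, []                        # start of "..." form
        elif ch == ",":
            finish()
            rdns.append(rdn)
            rdn = []
        elif ch == "+":
            finish()
        else:
            value.append((ch, False))
        i += 1
    if quoted:
        raise ValueError(f"unterminated quoted value in {dn!r}")
    finish()
    rdns.append(rdn)
    return rdns


def canonical_dn(rdns: List[RDN]) -> str:
    """Re-emit a parsed DN using backslash escapes only."""
    return ",".join("+".join(f"{t}={escape_rdn_value(v)}" for t, v in r) for r in rdns)


# Constructed from the thread: the DN ldapmodify rejected and the one that worked.
QUOTED_DN = 'aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com'
ESCAPED_DN = 'aliasedobjectname=ou=foo\\,dc=test\\,dc=com,ou=bar,ou=test,dc=com'

if __name__ == "__main__":
    print(parse_dn(QUOTED_DN) == parse_dn(ESCAPED_DN), canonical_dn(parse_dn(QUOTED_DN)))
```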
From rmeggins at redhat.com Wed Apr 22 14:31:53 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Apr 2009 08:31:53 -0600
Subject: [Fedora-directory-users] aliasedObjectName problem
In-Reply-To: <4dd1b3eb0904220728g1ff6709ao172ee22420453e84@mail.gmail.com>
References: <4dd1b3eb0904210712u69967e80u3649ff8239162990@mail.gmail.com> <49EDE4E1.2060903@redhat.com> <4dd1b3eb0904220728g1ff6709ao172ee22420453e84@mail.gmail.com>
Message-ID: <49EF2A59.1000706@redhat.com>

tamarin p wrote:
> The application running on top of the ldap uses aliases as pointers and the objectclass exists in the schemata for FDS, so there isn't a requirement that the aliases get dereferenced by the ldap. In any case it currently uses an older fedorads version.
>
> I discovered that if I changed dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com in the LDIF to dn: aliasedobjectname=ou=foo\,dc=test\,dc=com,ou=bar,ou=test,dc=com (escape the commas instead of surrounding "" for the alias part in the dn), then I could add the entry and it seems to look ok in an ldap browser and satisfy whatever it is the application uses it for. Should the two be considered equivalent?

Yes. The double quoted style is deprecated - the \ escapes should be used instead.
> Then, when I dump the database to ldif with db2ldif, the entry is represented the same way: escaped comma for the alias part. One strange thing is I could have sworn I added the same ldif with ""-aliases in FDS 1.1.3 and not only that: The ldif itself is actually dumped from a FDS 7.x server (which has schema checking off, if that could explain how the entries were added in the first place).

I don't believe it has anything to do with schema checking.

> Were there any changes between 1.1.3 and 1.2.0 that could explain this?

Not that I am aware of. I think we did fix some bugs in DN parsing and normalization - it's possible we broke the double quote behavior.

> Also it does not appear to have broken replication of those aliases (tested with a quick replica initialize that I didn't run long enough to finish more than 20% of the db, I'll run the whole init tonight) between the 7.x and 1.2.0 server so maybe it's just a tools issue.. but if so it happened with both ldif2db and ldapmodify from openldap-clients.

From rmeggins at redhat.com Wed Apr 22 14:39:59 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Apr 2009 08:39:59 -0600
Subject: [Fedora-directory-users] ConfigFile directives in .inf-files
In-Reply-To: <4dd1b3eb0904220700l5ccb2ae5q9e0fbf047d106461@mail.gmail.com>
References: <4dd1b3eb0904220700l5ccb2ae5q9e0fbf047d106461@mail.gmail.com>
Message-ID: <49EF2C3F.5080309@redhat.com>

tamarin p wrote:
> I'm (still :) trying to fully automate ldap installation for our specific deployment with setup-ds.pl in silent mode..
> I have an inf which uses ConfigFile directives to try to define indexes, cache sizes and other settings for the directory server. My problem is, only a small part of those ConfigFiles are applied when I check dse.ldif after, but no errors anywhere. I tried using --debug but the only output I could see of relevance was:
> "+Processing config.ldif ..."
> "+Processing indexes.ldif ..."
>
> NONE of the settings in the ConfigFile make it to dse.ldif except "nsslapd-dbcachesize" and "nsslapd-cachememsize".. These are both set properly, or I would doubt if the files had been processed at all. But the replication manager isn't created and size/timelimits are not set and so on, and the same with indexes. I can see nothing in the output log from the script and there's nothing in the logs for the newly created server.
>
> If I instead add the ConfigFiles with ldapmodify, things work fine.
>
> My guess is I'm trying to modify attributes that don't exist yet? The Red Hat documentation at http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html seems to indicate that I should be able to create a replication manager, but the difference I can tell from the docs is that their RM is made in the directory itself while I'm trying to use the cn=config database.

Unfortunately, the LDIF modify parser does not work correctly - it does not support the full LDIF modify statement syntax (due to a bug in Mozilla::LDAP). So there are a few limitations, all of which you seem to have run into:

> Here's a snippet from my config.ldif:
>
> # doesn't get created
> dn: cn=replication manager,cn=config
> changetype: add
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: replication manager
> sn: RM
> userPassword: password
> passwordExpirationTime: 20380119031407Z

Don't use changetype: add - if there is no changetype, the parser assumes you want to add the entry.
> # is set properly
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-dbcachesize
> nsslapd-dbcachesize: 512000000
>
> # is not set
> dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-sizelimit
> nsslapd-sizelimit: 20000
> -
> replace: nsslapd-timelimit
> nsslapd-timelimit: 120

The parser doesn't understand the '-'. So instead, do this:

changetype: modify
replace: nsslapd-sizelimit
replace: nsslapd-timelimit
nsslapd-sizelimit: 20000
nsslapd-timelimit: 120

That is, group all of the command statements together, then the
attributes and values, without using any '-'.

> # is set
> dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-cachememsize
> nsslapd-cachememsize: 512000000

From rmeggins at redhat.com Wed Apr 22 14:41:49 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Apr 2009 08:41:49 -0600
Subject: [Fedora-directory-users] Replication agreement trouble
In-Reply-To: <1240382331.6597.13.camel@grsgscvalx001.sacyl.es>
References: <1240309533.6624.229.camel@grsgscvalx001.sacyl.es> <49EDE48D.4070004@redhat.com> <1240382331.6597.13.camel@grsgscvalx001.sacyl.es>
Message-ID: <49EF2CAD.8040608@redhat.com>

Juan Asensio Sánchez wrote:
> The day before the date in the error (when the errors started), we
> had to delete two suffix databases from the console (they were
> damaged), create them again, and reinitialize those databases from
> another supplier.
> The database of the agreement throwing errors is the
> userRoot (dc=example,dc=com). The databases recreated were the
> suffixes o=cabu,dc=sacyl,dc=es and o=husa,dc=sacyl,dc=es.
>
> This is the error log from server1 (this one did not crash; this
> server initialized server2, which crashed):
>
> ===========================
>
> [20/Apr/2009:14:18:28 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=CABU_ppal-GRS_back" (grsgscvalp0102:636)".
> [20/Apr/2009:14:18:39 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=CABU_ppal-GRS_back" (grsgscvalp0102:636)". Sent 4108 entries.
> [20/Apr/2009:14:25:33 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=HUSA_ppal-GRS_back" (grsgscvalp0102:636)".
> [20/Apr/2009:14:25:43 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=HUSA_ppal-GRS_back" (grsgscvalp0102:636)". Sent 2650 entries.
> [21/Apr/2009:10:50:47 +0200] - slapd shutting down - signaling operation threads
>
> ===========================
>
> And this is the log from server2, where the databases crashed. The log
> shows the deletion of the agreements, the deletion of the databases,
> the creation of the databases and the initialization of them from
> server1. The messages from day 21 are when we tried to force sending
> the updates:
>
> ===========================
>
> [20/Apr/2009:14:13:20 +0200] NSMMReplicationPlugin - agmt_delete: begin
> [20/Apr/2009:14:13:21 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=sacyl,dc=es is about to be deleted; disabling replication
> [20/Apr/2009:14:14:16 +0200] - ldbm: Bringing o_cabu_dc_sacyl_dc_es offline...
> [20/Apr/2009:14:14:16 +0200] - ldbm: removing 'o_cabu_dc_sacyl_dc_es'.
> [20/Apr/2009:14:14:16 +0200] - Destructor for instance o_cabu_dc_sacyl_dc_es called
> [20/Apr/2009:14:14:44 +0200] - No symmetric key found for cipher AES in backend o_cabu_dc_sacyl_dc_es, attempting to create one...
> [20/Apr/2009:14:14:44 +0200] - Key for cipher AES successfully generated and stored
> [20/Apr/2009:14:14:44 +0200] - No symmetric key found for cipher 3DES in backend o_cabu_dc_sacyl_dc_es, attempting to create one...
> [20/Apr/2009:14:14:45 +0200] - Key for cipher 3DES successfully generated and stored
> [20/Apr/2009:14:17:08 +0200] NSMMReplicationPlugin - agmt="cn=CABU_back-GRS_ppal" (grsgscvalp0101:636): Replica has a different generation ID than the local data.
> [20/Apr/2009:14:18:11 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=cabu,dc=sacyl,dc=es is going offline; disabling replication
> [20/Apr/2009:14:18:13 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [20/Apr/2009:14:18:35 +0200] - import o_cabu_dc_sacyl_dc_es: Workers finished; cleaning up...
> [20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Workers cleaned up.
> [20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Indexing complete. Post-processing...
> [20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Flushing caches...
> [20/Apr/2009:14:18:36 +0200] - import o_cabu_dc_sacyl_dc_es: Closing files...
> [20/Apr/2009:14:18:38 +0200] - import o_cabu_dc_sacyl_dc_es: Import complete. Processed 4108 entries in 12 seconds. (342.33 entries/sec)
> [20/Apr/2009:14:18:39 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=cabu,dc=sacyl,dc=es is coming online; enabling replication
> [20/Apr/2009:14:20:09 +0200] NSMMReplicationPlugin - replica_config_delete: Warning: The changelog for replica o=husa,dc=sacyl,dc=es is no longer valid since the replica config is being deleted. Removing the changelog.
> [20/Apr/2009:14:20:10 +0200] NSMMReplicationPlugin - agmt_delete: begin
> [20/Apr/2009:14:20:12 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=sacyl,dc=es is about to be deleted; disabling replication
> [20/Apr/2009:14:20:42 +0200] - ldbm: Bringing o_husa_dc_sacyl_dc_es offline...
> [20/Apr/2009:14:20:42 +0200] - ldbm: removing 'o_husa_dc_sacyl_dc_es'.
> [20/Apr/2009:14:20:42 +0200] - Destructor for instance o_husa_dc_sacyl_dc_es called
> [20/Apr/2009:14:21:10 +0200] - No symmetric key found for cipher AES in backend o_husa_dc_sacyl_dc_es, attempting to create one...
> [20/Apr/2009:14:21:10 +0200] - Key for cipher AES successfully generated and stored
> [20/Apr/2009:14:21:10 +0200] - No symmetric key found for cipher 3DES in backend o_husa_dc_sacyl_dc_es, attempting to create one...
> [20/Apr/2009:14:21:10 +0200] - Key for cipher 3DES successfully generated and stored
> [20/Apr/2009:14:24:23 +0200] NSMMReplicationPlugin - agmt="cn=HUSA_back-GRS_ppal" (grsgscvalp0101:636): Replica has a different generation ID than the local data.
> [20/Apr/2009:14:25:18 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=husa,dc=sacyl,dc=es is going offline; disabling replication
> [20/Apr/2009:14:25:20 +0200] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [20/Apr/2009:14:25:39 +0200] - import o_husa_dc_sacyl_dc_es: Workers finished; cleaning up...
> [20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Workers cleaned up.
> [20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Indexing complete. Post-processing...
> [20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Flushing caches...
> [20/Apr/2009:14:25:40 +0200] - import o_husa_dc_sacyl_dc_es: Closing files...
> [20/Apr/2009:14:25:42 +0200] - import o_husa_dc_sacyl_dc_es: Import complete. Processed 2650 entries in 8 seconds. (331.25 entries/sec)
> [20/Apr/2009:14:25:42 +0200] NSMMReplicationPlugin - multimaster_be_state_change: replica o=husa,dc=sacyl,dc=es is coming online; enabling replication
> [21/Apr/2009:10:50:07 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated. For replication to take place, please enable the suffix and restart the server
> [21/Apr/2009:10:50:07 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated. For replication to take place, please enable the suffix and restart the server

Is this with the latest version of fedora-ds-base (1.2.0)? I know we
fixed some bugs having to do with suffix database deletion.

> ===========================
>
> On Tue, 21-04-2009 at 09:21 -0600, Rich Megginson wrote:
>> Juan Asensio Sánchez wrote:
>> > Hi
>> >
>> > Since yesterday I am having troubles with replication between two
>> > servers. The replica is in multimaster mode in both servers, and
>> > everything is configured OK (database, suffixes, changelog, replica,
>> > agreements; until yesterday everything worked OK).
>> >
>> > [21/Apr/2009:11:04:57 +0200] NSMMReplicationPlugin - Replication agreement for agmt="cn=GRS_back-GRS_ppal" (grsgscvalp0101:636) could not be updated. For replication to take place, please enable the suffix and restart the server
>>
>> What changed? Everything was working, then suddenly it's not?
>> Something must have changed, perhaps even something that did not seem
>> related to this problem. Do you know when things started failing? Did
>> you examine the access and error logs on the supplier and consumer from
>> around the time of the failure?
>>
>> > The only thing to mention are replication problems with other
>> > databases and replicas, but not for the replica of the agreement in
>> > the message.
>> > They were fixed by re-initializing the consumers of those
>> > replicas. Any idea?
>> >
>> > Regards and thanks in advance.

From fortunato.montresor at earthlink.net Thu Apr 23 01:47:53 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Wed, 22 Apr 2009 18:47:53 -0700 (GMT-07:00)
Subject: [Fedora-directory-users] dirsrv on IPv6 and dirsrv-admin on IPv4
Message-ID: <10686228.1240451273953.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>

Hello,

According to netstat, it looks like ns-slapd is listening on the IPv6
address but the dirsrv process is on IPv4. Is there a quick way to put
dirsrv on IPv6 as well?
# netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN      2591/httpd.worker
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2158/rpcbind
tcp        0      0 0.0.0.0:34129           0.0.0.0:*               LISTEN      2171/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2902/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2919/sendmail: acce
tcp        0      0 :::389                  :::*                    LISTEN      2491/ns-slapd
tcp        0      0 :::111                  :::*                    LISTEN      2158/rpcbind
tcp        0      0 :::22                   :::*                    LISTEN      2902/sshd

Thanks in advance,

From peter.green at bexleyitsolutions.co.uk Thu Apr 23 09:47:39 2009
From: peter.green at bexleyitsolutions.co.uk (Peter Green)
Date: Thu, 23 Apr 2009 10:47:39 +0100
Subject: [Fedora-directory-users] DSGW Unable to Authenticate
Message-ID: <1240480059.20073.11.camel@sekhmet.headshift.local>

Hi,

I have recently set up FDS on CentOS 5.2 (i386), following the
installation instructions:

http://directory.fedoraproject.org/wiki/Install_Guide

I have also enabled SSL on the system:

http://directory.fedoraproject.org/wiki/Howto:SSL

I've also created a certificate DB and imported my CA certificate into
it, as per the instructions here:

http://directory.fedoraproject.org/wiki/DSGW

However, the DSGW is unable to authenticate me, displaying the following
error message: "Authentication failed because the server was unable to
generate authentication credentials. The authentication database could
not be opened."

The odd thing is that the Directory Server Express tool (which allows
users to edit their profile and change their password via a web page)
_can_ authenticate users.

I can't see any useful output in the admin server logs
(/var/log/dirsrv/admin-serv/*), so I'm a bit stuck and not sure what
else to investigate.

I did pop onto the #fedora-ds IRC channel yesterday and was informed
that the DSGW component isn't used much. So, my next port of call is
this mailing list!
I really need some sort of web-based management tool for administering
users and groups, at a minimum. phpLDAPadmin has been suggested and I
notice a page on the FDS wiki for this, but I wondered if anyone could
assist with DSGW first? Otherwise, anybody have any pointers about using
phpLDAPadmin?

Thank you in advance,
--
Peter Green B.Sc. (Hons) M.B.C.S.
Director / Technical Lead
Bexley I.T. Solutions Ltd.
M: +44 (0) 7908 135 070

From peter.green at bexleyitsolutions.co.uk Thu Apr 23 11:07:04 2009
From: peter.green at bexleyitsolutions.co.uk (Peter Green)
Date: Thu, 23 Apr 2009 12:07:04 +0100
Subject: [Fedora-directory-users] dirsrv on IPv6 and dirsrv-admin on IPv4
In-Reply-To: <10686228.1240451273953.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>
References: <10686228.1240451273953.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>
Message-ID: <1240484824.20073.16.camel@sekhmet.headshift.local>

Hi,

Have you tried changing the "Listen" directive in the file
/etc/dirsrv/admin-serv/console.conf?

From the file itself:

[quote]
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
# e.g. "Listen 12.34.56.78:80"
#
# To allow connections to IPv6 addresses add "Listen [::]:80"
#
Listen 0.0.0.0:9830
[/quote]

You will need to restart the admin server component afterwards. A quick
"service dirsrv-admin restart" will suffice on Red Hat-based systems.

HTH,
Pete

On Wed, 2009-04-22 at 18:47 -0700, Fortunato wrote:
> Hello,
>
> According to netstat, it looks like the ns-slapd is listening on the
> IPv6 address but the dirsrv process is on IPv4. Is there a quick way
> to put dirsrv on IPv6 as well?
>
> # netstat -tlpn
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 0.0.0.0:9830            0.0.0.0:*               LISTEN      2591/httpd.worker
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2158/rpcbind
> tcp        0      0 0.0.0.0:34129           0.0.0.0:*               LISTEN      2171/rpc.statd
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2902/sshd
> tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2919/sendmail: acce
> tcp        0      0 :::389                  :::*                    LISTEN      2491/ns-slapd
> tcp        0      0 :::111                  :::*                    LISTEN      2158/rpcbind
> tcp        0      0 :::22                   :::*                    LISTEN      2902/sshd
>
> Thanks in advance,

--
Peter Green B.Sc. (Hons) M.B.C.S.
Director / Technical Lead
Bexley I.T. Solutions Ltd.
M: +44 (0) 7908 135 070

From tamarinp at gmail.com Thu Apr 23 11:49:42 2009
From: tamarinp at gmail.com (tamarin p)
Date: Thu, 23 Apr 2009 13:49:42 +0200
Subject: [Fedora-directory-users] ConfigFile directives in .inf-files
In-Reply-To: <49EF2C3F.5080309@redhat.com>
References: <4dd1b3eb0904220700l5ccb2ae5q9e0fbf047d106461@mail.gmail.com> <49EF2C3F.5080309@redhat.com>
Message-ID: <4dd1b3eb0904230449qd1ecb4aofc6d33f58de75ccb@mail.gmail.com>

2009/4/22 Rich Megginson
> Don't use changetype: add - if there is no changetype, the parser assumes
> you want to add the entry.

That did the trick for the replication manager, it gets added now.

> The parser doesn't understand the '-'. So instead, do this:
>
> changetype: modify
> replace: nsslapd-sizelimit
> replace: nsslapd-timelimit
> nsslapd-sizelimit: 20000
> nsslapd-timelimit: 120
>
> That is, group all of the command statements together, then the attributes
> and values, without using any '-'.

This doesn't appear to work. nsslapd-sizelimit and nsslapd-timelimit
under cn=default instance config,cn=chaining database,cn=plugins,cn=config
are still not updated with this change.
I also tried splitting them up into two entirely separate changetype:
modify blocks but they aren't set then either. It works either way with
ldapmodify though.

From mrejda at kerio.com Thu Apr 23 12:07:49 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Thu, 23 Apr 2009 14:07:49 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <51377c8d-5b8a-4ca8-b126-50d23a1b7912@kerio.com>

> Michal Rejda wrote:
> >> Michal Rejda wrote:
> >>>> Michal Rejda wrote:
> >>>>>> Michal Rejda wrote:
> >>>>>>>> Michal Rejda wrote:
> >>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>> -----Original Message-----
> >>>>>>>>>>>> From: fedora-directory-users-bounces at redhat.com
> >>>>>>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> >>>>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
> >>>>>>>>>>>> To: General discussion list for the Fedora Directory server project.
> >>>>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
> >>>>>>>>>>>>
> >>>>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link
> >>>>>>>>>>>>> doesn't work. I set up the database link to the Active Directory
> >>>>>>>>>>>>> (and OpenLDAP). When I looked into the Wireshark log, FDS sends
> >>>>>>>>>>>>> a search request with controls:
> >>>>>>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>>>>> 2.16.840.1.113730.3.4.12
> >>>>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
> >>>>>>>>>>>>> I tried to remove these two controls from Database Link Settings
> >>>>>>>>>>>>> (in the administration console) but it didn't help. The server
> >>>>>>>>>>>>> didn't return the message above, but the administrative console
> >>>>>>>>>>>>> shows an error dialog.
> >>>>>>>>>>>>
> >>>>>>>>>>>> What error?
> >>>>>>>>>>>
> >>>>>>>>>>> I tried it again and the error message is exactly:
> >>>>>>>>>>>
> >>>>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
> >>>>>>>>>>> The error send by the server was:
> >>>>>>>>>>> ".
> >>>>>>>>>>>
> >>>>>>>>>>> In the Wireshark log there was still the search request with
> >>>>>>>>>>> control:
> >>>>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>>>
> >>>>>>>>>>> Why is this control needed by the server when I removed it from
> >>>>>>>>>>> Database link settings?
> >>>>>>>>>>
> >>>>>>>>>> I'm not sure - maybe the console is not working correctly. Try
> >>>>>>>>>> this:
> >>>>>>>>>> 1) Shutdown the server
> >>>>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
> >>>>>>>>>> 3) edit dse.ldif - look for the entry
> >>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
> >>>>>>>>>> 4) edit the nsTransmittedControls attribute - remove
> >>>>>>>>>> 2.16.840.1.113730.3.4.2
> >>>>>>>>>> 5) save and restart the server
> >>>>>>>>>
> >>>>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There
> >>>>>>>>> is only the 1.3.6.1.4.1.1466.29539.12, not the problematic
> >>>>>>>>> 2.16.840.1.113730.3.4.2.
> >>>>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
> >>>>>>>>
> >>>>>>>> If it is, I don't see it. There is no mention of managedsa or
> >>>>>>>> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code.
> >>>>>>>> The only place it is mentioned is in the default list of
> >>>>>>>> nsTransmittedControls in the template-dse.ldif used during new
> >>>>>>>> instance creation.
> >>>>>>>>
> >>>>>>>>> Why is this so necessary?
> >>>>>>>>
> >>>>>>>> It's not necessary, and I'm not sure where it is coming from.
> >>>>>>>> One place might be an internal operation, but I'm not sure
> >>>>>>>> what internal operation would be doing this. You might also try
> >>>>>>>> to remove nsActiveChainingComponents and
> >>>>>>>> nsPossibleChainingComponents to see if one of those components is
> >>>>>>>> doing an internal operation with managedsait set.
> >>>>>>>
> >>>>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents
> >>>>>>> and it didn't help.
> >>>>>>
> >>>>>> Then I'm not sure where it's coming from. I suppose you could
> >>>>>> enable tracing in the directory server and see if there is anything
> >>>>>> interesting in the error log - see
> >>>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >>>>>
> >>>>> In the attachment is the part of the server error log. I removed all
> >>>>> messages before I clicked on the exclamation mark before the DN in
> >>>>> the Fedora administration console -> Directory folder tab. I don't
> >>>>> understand this log. Is it helpful for you?
> >>>>
> >>>> Ah, I see. You are using the console to try to browse the AD tree?
> >>>> And you are using the console admin user "admin"? Try ldapsearch from
> >>>> the command line, and attempt to authenticate as an AD user (e.g.
> >>>> cn=administrator,cn=users,dc=example,dc=com).
> >>>
> >>> Yes, you are right. I use the console to browse the AD tree. But I do
> >>> this because there is an attention marker before the root suffix
> >>> (lib-w2k3r2) in the Directory tab and I just double click on it.
> >>>
> >>> I tried ldapsearch using an AD user (Administrator). I'm able to log in
> >>> but the ldapsearch doesn't show any results (I use Apache Directory
> >>> Studio). When I looked into the Wireshark log, I now see that another
> >>> critical extension is missing: 2.16.840.1.113730.3.4.12. The log is
> >>> in the attachment.
> >>
> >> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.
> >> Set nsProxiedAuthorization to 0 - that should make it not use
> >> 2.16.840.1.113730.3.4.12 which is the proxyauth control.
> >
> > It works. Thank you very much! I can connect to the AD and list users
> > and whatever I want.
> >
> > I have one more difficulty. When I send ldapmodify to the node in the
> > AD, FDS adds to this request two more attributes (modifiersname,
> > modifytimestamp). AD doesn't know these attributes and returns the
> > error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error
> > in attribute conversion operation, data 0, vece). Is it possible to
> > disable this functionality
>
> Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0
>
> > or rewrite attribute names into AD attribute names (e.g.
> > modifytimestamp -> whenChanged)? I cannot change the AD schema.
>
> No, it's not possible to map it.

Perhaps one of the last questions on LDAP proxy :-) Is there a way to
set up permissions to list/search AD using chaining? I'm looking into
the administration guide and if I see it well, I have to set up an ACI
on the AD. But AD does not have ACI attributes. I tried to add an ACI on
cn=link-ads,cn=chaining database,cn=plugins,cn=config but it didn't help.

> BTW, I would really appreciate it if you could write up something for
> the wiki about "using chaining to create an AD 'view'" - if you would
> rather just send me the info in an email, that would be fine too.
>
> >>>>>>>>>>>>>> Michal Rejda wrote:
> >>>>>>>>>>>>>>> Hi all,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I'm trying to set up a proxy on FDS to another LDAP server
> >>>>>>>>>>>>>>> (OpenLDAP and Active Directory). I tried two ways, but none
> >>>>>>>>>>>>>>> of these works:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> 1) New database link to LDAP server.
> >>>>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit
> >>>>>>>>>>>>>>> control value not found
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> You might have to tweak the controls used by chaining - see
> >>>>>>>>>>>>>> http://tinyurl.com/culeft
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> 2) Create multiple-master replication and set up the other
> >>>>>>>>>>>>>>> server as consumer.
> >>>>>>>>>>>>>>> - But this shows error: 255 Replication error acquiring
> >>>>>>>>>>>>>>> replica: unknown error.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> My question is: Is there a way to set up a proxy to access
> >>>>>>>>>>>>>>> another LDAP server from Fedora DS? I know that it is possible
> >>>>>>>>>>>>>>> to use AD sync, but I cannot install anything on the AD server.
> >>>>>>>>>>>>>>> The second reason why I need to set up a proxy is to use data
> >>>>>>>>>>>>>>> stored in LDAP servers (OpenLDAP, Open Directory Server and
> >>>>>>>>>>>>>>> Active Directory) in one place. I need to update them too. It
> >>>>>>>>>>>>>>> is not necessary to synchronize passwords.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> See also
> >>>>>>>>>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Thank you for reply.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Michal
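Added example, not code from the thread or the Fedora DS project: a small audit of the dse.ldif chaining configuration for the three settings the thread above worked out (the ManageDSAIT and proxied-authorization controls in nsTransmittedControls, nsProxiedAuthorization on the default-instance and link entries, and nsslapd-lastmod), which then emits the ldapmodify input to correct them. It assumes link entries are the ones carrying nsFarmServerURL, that an absent attribute means the shipped default of on, and that off is the accepted spelling where the thread says 0; the sample dse.ldif fragment is constructed.

```python
"""Audit 389/Fedora DS dse.ldif chaining settings that AD rejected in this thread
and build the ldapmodify input that fixes them.  Added example; sample is constructed."""
import re

Entry = dict[str, list[str]]  # lower-cased attribute name -> values

# DNs from the thread, lower-cased to match the parser's normalisation.
CHAIN_CFG = "cn=config,cn=chaining database,cn=plugins,cn=config"
DEFAULT_LINK_CFG = "cn=default instance config,cn=chaining database,cn=plugins,cn=config"
SERVER_CFG = "cn=config"

# Controls AD answered with "Unavailable Critical Extension" in the thread.
AD_REJECTED_CONTROLS = {
    "2.16.840.1.113730.3.4.2": "ManageDSAIT",
    "2.16.840.1.113730.3.4.12": "proxied authorization",
}
OFF = ("0", "off")  # the thread says 0; the documented spelling is off (assumption)


def parse_ldif(text: str) -> dict[str, Entry]:
    """Minimal LDIF reader: unfolds continuations, skips comments/version, lower-cases names."""
    entries: dict[str, Entry] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: list[str] = []
        for raw in block.splitlines():
            if raw.startswith(("#", "version:")):
                continue
            if raw.startswith(" ") and lines:  # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, entry = None, {}
        for line in lines:
            name, _, value = line.partition(":")  # base64 (::) values stay undecoded
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value.lower()
            else:
                entry.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = entry
    return entries


def is_link_entry(dn: str, entry: Entry) -> bool:
    # Default instance config plus every link (assumed: entries with nsFarmServerURL).
    return dn == DEFAULT_LINK_CFG or "nsfarmserverurl" in entry


def is_on(entry: Entry, attr: str) -> bool:
    # An absent attribute is treated as on, the shipped default (assumption).
    return entry.get(attr, ["on"])[0].lower() not in OFF


def rejected_controls(entries: dict[str, Entry]) -> list[str]:
    ctls = entries.get(CHAIN_CFG, {}).get("nstransmittedcontrols", [])
    return [c for c in ctls if c in AD_REJECTED_CONTROLS]


def audit(entries: dict[str, Entry]) -> list[str]:
    """Human-readable findings; an empty list means none of the thread's issues."""
    findings = [f"{CHAIN_CFG}: transmits {AD_REJECTED_CONTROLS[c]} control {c}"
                for c in rejected_controls(entries)]
    findings += [f"{dn}: nsProxiedAuthorization is on" for dn, e in entries.items()
                 if is_link_entry(dn, e) and is_on(e, "nsproxiedauthorization")]
    if is_on(entries.get(SERVER_CFG, {}), "nsslapd-lastmod"):
        findings.append(f"{SERVER_CFG}: nsslapd-lastmod is on "
                        "(modifiersname/modifytimestamp would be sent to AD)")
    return findings


def fix_ldif(entries: dict[str, Entry]) -> str:
    """ldapmodify input in full LDIF syntax ('-' separators), which the thread says works."""
    records: list[list[str]] = []
    bad = rejected_controls(entries)
    if bad:
        records.append([f"dn: {CHAIN_CFG}", "changetype: modify",
                        "delete: nsTransmittedControls"]
                       + [f"nsTransmittedControls: {c}" for c in bad] + ["-"])
    for dn, e in entries.items():
        if is_link_entry(dn, e) and is_on(e, "nsproxiedauthorization"):
            records.append([f"dn: {dn}", "changetype: modify",
                            "replace: nsProxiedAuthorization",
                            "nsProxiedAuthorization: off", "-"])
    if is_on(entries.get(SERVER_CFG, {}), "nsslapd-lastmod"):
        records.append([f"dn: {SERVER_CFG}", "changetype: modify",
                        "replace: nsslapd-lastmod", "nsslapd-lastmod: off", "-"])
    return "\n\n".join("\n".join(r) for r in records) + ("\n" if records else "")


# Constructed dse.ldif fragment: one link to AD, shipped defaults left in place.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-lastmod: on

dn: cn=config,cn=chaining database,cn=plugins,cn=config
nsTransmittedControls: 2.16.840.1.113730.3.4.2
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
nsTransmittedControls: 2.16.840.1.113730.3.4.12

dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
nsProxiedAuthorization: on

dn: cn=link-ads,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://ad.example.test:389/
nsMultiplexorBindDN: cn=proxy user,cn=users,
 dc=example,dc=com
"""
```

Running `audit(parse_ldif(SAMPLE_DSE))` lists five findings and `fix_ldif` returns the three modify records; feed the output to ldapmodify, as the thread did, rather than to a setup-ds.pl ConfigFile.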
From dudko at fnal.gov Thu Apr 23 12:25:43 2009
From: dudko at fnal.gov (Lev Dudko)
Date: Thu, 23 Apr 2009 16:25:43 +0400
Subject: [Fedora-directory-users] DSGW Unable to Authenticate
In-Reply-To: <1240480059.20073.11.camel@sekhmet.headshift.local>
References: <1240480059.20073.11.camel@sekhmet.headshift.local>
Message-ID: <1240489543.12135.125.camel@note1.sinp.msu.ru>

Dear Experts,

probably I have the same problem. After the upgrade to the new version
of FDS 1.2 on Fedora 9 (standard repos upgrade), my DSGW stopped
authenticating users. All other FDS operations look good and work
(including the Directory Express Tool). Search for users in DSGW works
well; only the authentication fails after the upgrade. I still could not
trace the problem in the log files and any advice will be helpful.

The list of the packages:

fedora-ds-graph-1.1.0-1.fc9.noarch
fedora-ds-admin-1.1.7-3.fc9.x86_64
fedora-ds-admin-console-1.1.3-1.fc9.noarch
fedora-ds-base-1.2.0-2.fc9.x86_64
fedora-ds-1.1.3-1.fc9.noarch
fedora-ds-console-1.2.0-1.fc9.noarch
fedora-ds-dsgw-1.1.2-1.fc9.x86_64
adminutil-1.1.8-1.fc9.x86_64

The message from DSGW is the same as in the original post. Before the
upgrade, in the previous version, DSGW worked well and I did not change
anything in the configuration.

Best regards,
Lev

On Thu, 23/04/2009 at 10:47 +0100, Peter Green wrote:
> Hi,
>
> I have recently set up FDS on CentOS 5.2 (i386), following the
> installation instructions:
>
> http://directory.fedoraproject.org/wiki/Install_Guide
>
> I have also enabled SSL on the system:
>
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I've also created a certificate DB and imported my CA certificate into
> it, as per the instructions here:
>
> http://directory.fedoraproject.org/wiki/DSGW
>
> However, the DSGW is unable to authenticate me, displaying the following
> error message: "Authentication failed because the server was unable to
> generate authentication credentials. The authentication database could
> not be opened."
>
> The odd thing is that the Directory Server Express tool (which allows
> users to edit their profile and change their password via a web page)
> _can_ authenticate users.
>
> I can't see anything useful output in the admin server logs
> (/var/log/dirsrv/admin-serv/*), so I'm a bit stuck and not sure what
> else to investigate.
>
> I did pop onto the #fedora-ds IRC channel yesterday and was informed
> that the DSGW component isn't used much. So, my next port of call is
> this mailing list!
>
> I really need some sort of web-based management tool for administering
> users and groups, at a minimum. phpLDAPadmin has been suggested and I
> notice a page on the FDS wiki for this, but I wondered if anyone could
> assist with DSGW first? Otherwise, anybody have any pointers about using
> phpLDAPadmin?
>
> Thank you in advance,
--
Lev V. Dudko
e-mail: dudko at fnal.gov
t. +1(630)8408339
http://top.sinp.msu.ru
From rmeggins at redhat.com Thu Apr 23 13:25:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Apr 2009 07:25:09 -0600
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <51377c8d-5b8a-4ca8-b126-50d23a1b7912@kerio.com>
References: <51377c8d-5b8a-4ca8-b126-50d23a1b7912@kerio.com>
Message-ID: <49F06C35.4020806@redhat.com>

Michal Rejda wrote:
>> Michal Rejda wrote:
>>>> Michal Rejda wrote:
>>>>>> Michal Rejda wrote:
>>>>>>>> Michal Rejda wrote:
>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>>> From: fedora-directory-users-bounces at redhat.com
>>>>>>>>>>>>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
>>>>>>>>>>>>>> Sent: Tuesday, April 14, 2009 4:25 PM
>>>>>>>>>>>>>> To: General discussion list for the Fedora Directory server project.
>>>>>>>>>>>>>> Subject: Re: [Fedora-directory-users] LDAP proxy
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>>>> I tried to use http://tinyurl.com/culeft. But the database link
>>>>>>>>>>>>>>> doesn't work. I set up the database link to the Active Directory
>>>>>>>>>>>>>>> (and OpenLDAP). When I looked into the Wireshark log, FDS sends a
>>>>>>>>>>>>>>> search request with controls:
>>>>>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>>>>> 2.16.840.1.113730.3.4.12
>>>>>>>>>>>>>>> And the AD server responded: Unavailable Critical Extension.
>>>>>>>>>>>>>>> I tried to remove these two controls from Database Link Settings
>>>>>>>>>>>>>>> (in administration console) but it didn't help. The server didn't
>>>>>>>>>>>>>>> return the message above, but the administrative console shows an
>>>>>>>>>>>>>>> error dialog.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What error?
>>>>>>>>>>>>>
>>>>>>>>>>>>> I tried it again and the error message is exactly:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Error fading object 'dn: dc=example, dc=com'.
>>>>>>>>>>>>> The error send by the server was:
>>>>>>>>>>>>> ".
>>>>>>>>>>>>>
>>>>>>>>>>>>> In the Wireshark log there was still the search request with control:
>>>>>>>>>>>>> 2.16.840.1.113730.3.4.2
>>>>>>>>>>>>>
>>>>>>>>>>>>> Why is this control needed by the server when I removed it from
>>>>>>>>>>>>> Database link settings?
>>>>>>>>>>>>
>>>>>>>>>>>> I'm not sure - maybe the console is not working correctly. Try this:
>>>>>>>>>>>> 1) Shutdown the server
>>>>>>>>>>>> 2) cd /etc/dirsrv/slapd-yourinstance
>>>>>>>>>>>> 3) edit dse.ldif - look for the entry
>>>>>>>>>>>>    dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>>>>>>> 4) edit the nsTransmittedControls attribute - remove
>>>>>>>>>>>>    2.16.840.1.113730.3.4.2
>>>>>>>>>>>> 5) save and restart the server
>>>>>>>>>>>
>>>>>>>>>>> I looked into dse.ldif for a nsTransmittedControls attribute. There
>>>>>>>>>>> is only the 1.3.6.1.4.1.1466.29539.12, not the problematic
>>>>>>>>>>> 2.16.840.1.113730.3.4.2.
>>>>>>>>>>>
>>>>>>>>>>> Isn't the 2.16.840.1.113730.3.4.2 hardcoded?
>>>>>>>>>>
>>>>>>>>>> If it is, I don't see it. There is no mention of managedsa or
>>>>>>>>>> 2.16.840.1.113730.3.4.2 anywhere in the chaining backend code.
>>>>>>>>>> The only place it is mentioned is in the default list of
>>>>>>>>>> nsTransmittedControls in the template-dse.ldif used during new
>>>>>>>>>> instance creation.
>>>>>>>>>>
>>>>>>>>>>> Why is this so necessary?
>>>>>>>>>>
>>>>>>>>>> It's not necessary, and I'm not sure where it is coming from.
>>>>>>>>>> One place might be an internal operation, but I'm not sure
>>>>>>>>>> what internal operation would be doing this. You might also try
>>>>>>>>>> to remove nsActiveChainingComponents and
>>>>>>>>>> nsPossibleChainingComponents to see if one of those components
>>>>>>>>>> is doing an internal operation with managedsait set.
>>>>>>>>>
>>>>>>>>> I removed nsActiveChainingComponents and nsPossibleChainingComponents
>>>>>>>>> and it didn't help.
>>>>>>>>
>>>>>>>> Then I'm not sure where it's coming from. I suppose you could
>>>>>>>> enable tracing in the directory server and see if there is anything
>>>>>>>> interesting in the error log - see
>>>>>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>>>>
>>>>>>> In the attachment is the part of the server error log. I removed all
>>>>>>> messages before I clicked on the exclamation mark before the DN in the
>>>>>>> Fedora administration console -> Directory folder tab. I don't
>>>>>>> understand this log. Is it helpful for you?
>>>>>>
>>>>>> Ah, I see. You are using the console to try to browse the AD tree?
>>>>>> And you are using the console admin user "admin"? Try ldapsearch from
>>>>>> the command line, and attempt to authenticate as an AD user (e.g.
>>>>>> cn=administrator,cn=users,dc=example,dc=com).
>>>>>
>>>>> Yes, you are right. I use the console to browse the AD tree. But I do
>>>>> this because there is an attention marker before the root suffix
>>>>> (lib-w2k3r2) in the Directory tab and I just double click on it.
>>>>>
>>>>> I tried ldapsearch using an AD user (Administrator). I'm able to log in
>>>>> but the ldapsearch doesn't show any results (I use Apache Directory
>>>>> Studio). When I looked into the Wireshark log, I now see that another
>>>>> critical extension is missing: 2.16.840.1.113730.3.4.12. The log is
>>>>> in the attachment.
>>>>
>>>> Make sure 2.16.840.1.113730.3.4.12 is not in the transmitted controls.
>>>> Set nsProxiedAuthorization to 0 - that should make it not use
>>>> 2.16.840.1.113730.3.4.12 which is the proxyauth control.
>>>
>>> It works. Thank you very much! I can connect to the AD and list users
>>> and whatever I want.
>>>
>>> I have one more difficulty. When I send ldapmodify to the node in the
>>> AD, FDS adds two more attributes to this request (modifiersname,
>>> modifytimestamp). AD doesn't know these attributes and returns the
>>> error (errorMessage: 00000057: LdapErr: DSID-0C090A85, comment: Error in
>>> attribute conversion operation, data 0, vece). Is it possible to
>>> disable this functionality
>>
>> Yes. This is the nsslapd-lastmod attribute in cn=config - set this to 0
>>
>>> or rewrite attribute names into AD attribute names (e.g.
>>> modifytimestamp -> whenChanged)? I cannot change the AD schema.
>>
>> No, it's not possible to map it.
>
> Perhaps one of the last questions on LDAP proxy :-) Is there a way to set
> up permissions for listing/searching AD using chaining? I'm looking into
> the administration guide and if I see it well, I have to set up ACIs on
> the AD. But AD does not have ACI attributes. I tried to add an ACI on
> cn=link-ads,cn=chaining database,cn=plugins,cn=config but it didn't help.

Right. AD access control is completely different, and Fedora DS is not
smart enough to translate its acis into AD access control. If you have a
real local suffix as the parent of your AD suffix, you could set acis in
that suffix.

>> BTW, I would really appreciate it if you could write up something for
>> the wiki about "using chaining to create an AD 'view'" - if you would
>> rather just send me the info in an email, that would be fine too.
>>
>>>>>>>>>>>>>>>> Michal Rejda wrote:
>>>>>>>>>>>>>>>>> Hi all,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'm trying to set up a proxy on FDS to another LDAP server (OpenLDAP
>>>>>>>>>>>>>>>>> and Active Directory). I tried two ways, but none of these works:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 1) New database link to LDAP server.
>>>>>>>>>>>>>>>>> - The remote LDAP server (OpenLDAP) returns: null. manageDSAit control
>>>>>>>>>>>>>>>>> value not found
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You might have to tweak the controls used by chaining - see
>>>>>>>>>>>>>>>> http://tinyurl.com/culeft
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 2) Create multiple-master replication and set up the other server as
>>>>>>>>>>>>>>>>> consumer.
>>>>>>>>>>>>>>>>> - But this shows error: 255 Replication error acquiring replica:
>>>>>>>>>>>>>>>>> unknown error.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Replication will only work to a SunDS, not to any other vendor.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> My question is: Is there a way to set up a proxy to access another
>>>>>>>>>>>>>>>>> LDAP server from Fedora DS? I know that it is possible to use AD sync,
>>>>>>>>>>>>>>>>> but I cannot install anything on the AD server. The second reason why
>>>>>>>>>>>>>>>>> I need to set up a proxy is to use data stored in LDAP servers
>>>>>>>>>>>>>>>>> (OpenLDAP, Open Directory Server and Active Directory) in one place.
>>>>>>>>>>>>>>>>> I need to update them too. It is not necessary to synchronize
>>>>>>>>>>>>>>>>> passwords.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> See also
>>>>>>>>>>>>>>>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thank you for reply.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Michal

From rmeggins at redhat.com Thu Apr 23 13:27:11 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Apr 2009 07:27:11 -0600
Subject: [Fedora-directory-users] DSGW Unable to Authenticate
In-Reply-To: <1240489543.12135.125.camel@note1.sinp.msu.ru>
References: <1240480059.20073.11.camel@sekhmet.headshift.local>
	<1240489543.12135.125.camel@note1.sinp.msu.ru>
Message-ID: <49F06CAF.5030704@redhat.com>

Lev Dudko wrote:
> Dear Experts,
> Probably I have the same problem. After the upgrade to the new version of
> FDS 1.2 on Fedora 9 (standard repos upgrade), my DSGW stopped authenticating
> users. All other FDS operations look good and work (including the
> Directory Express Tool). Search for users in DSGW works well; only
> authentication has failed since the upgrade. I still could not
> trace the problem in the log files and any advice will be helpful.
> The list of the packages:
> fedora-ds-graph-1.1.0-1.fc9.noarch
> fedora-ds-admin-1.1.7-3.fc9.x86_64
> fedora-ds-admin-console-1.1.3-1.fc9.noarch
> fedora-ds-base-1.2.0-2.fc9.x86_64
> fedora-ds-1.1.3-1.fc9.noarch
> fedora-ds-console-1.2.0-1.fc9.noarch
> fedora-ds-dsgw-1.1.2-1.fc9.x86_64
> adminutil-1.1.8-1.fc9.x86_64
>
> The message from DSGW is the same as in the original post. Before the
> upgrade, in the previous version, DSGW worked well and I did not change
> anything in the configuration.
Take a look at the admin server access log - see what requests are being
made to the dsgw and what the http response is. Also take a look at the
directory server access log - see what connections and BIND attempts are
being made, and what the response is.

> Best regards,
> Lev
>
> On Thu, 23/04/2009 at 10:47 +0100, Peter Green wrote:
>> Hi,
>>
>> I have recently set up FDS on CentOS 5.2 (i386), following the
>> installation instructions:
>>
>> http://directory.fedoraproject.org/wiki/Install_Guide
>>
>> I have also enabled SSL on the system:
>>
>> http://directory.fedoraproject.org/wiki/Howto:SSL
>>
>> I've also created a certificate DB and imported my CA certificate into
>> it, as per the instructions here:
>>
>> http://directory.fedoraproject.org/wiki/DSGW
>>
>> However, the DSGW is unable to authenticate me, displaying the following
>> error message: "Authentication failed because the server was unable to
>> generate authentication credentials. The authentication database could
>> not be opened."
>>
>> The odd thing is that the Directory Server Express tool (which allows
>> users to edit their profile and change their password via a web page)
>> _can_ authenticate users.
>>
>> I can't see anything useful output in the admin server logs
>> (/var/log/dirsrv/admin-serv/*), so I'm a bit stuck and not sure what
>> else to investigate.
>>
>> I did pop onto the #fedora-ds IRC channel yesterday and was informed
>> that the DSGW component isn't used much. So, my next port of call is
>> this mailing list!
>>
>> I really need some sort of web-based management tool for administering
>> users and groups, at a minimum. phpLDAPadmin has been suggested and I
>> notice a page on the FDS wiki for this, but I wondered if anyone could
>> assist with DSGW first? Otherwise, anybody have any pointers about using
>> phpLDAPadmin?
>>
>> Thank you in advance,

From rmeggins at redhat.com Thu Apr 23 13:28:46 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Apr 2009 07:28:46 -0600
Subject: [Fedora-directory-users] ConfigFile directives in .inf-files
In-Reply-To: <4dd1b3eb0904230449qd1ecb4aofc6d33f58de75ccb@mail.gmail.com>
References: <4dd1b3eb0904220700l5ccb2ae5q9e0fbf047d106461@mail.gmail.com>
	<49EF2C3F.5080309@redhat.com>
	<4dd1b3eb0904230449qd1ecb4aofc6d33f58de75ccb@mail.gmail.com>
Message-ID: <49F06D0E.5000703@redhat.com>

tamarin p wrote:
> 2009/4/22 Rich Megginson
>
>> Don't use changetype: add - if there is no changetype, the parser
>> assumes you want to add the entry.
>
> That did the trick for the replication manager, it gets added now.
>
>> The parser doesn't understand the '-'. So instead, do this:
>>
>> changetype: modify
>> replace: nsslapd-sizelimit
>> replace: nsslapd-timelimit
>> nsslapd-sizelimit: 20000
>> nsslapd-timelimit: 120
>>
>> That is, group all of the command statements together, then the
>> attributes and values, without using any '-'.
>
> This doesn't appear to work. nsslapd-sizelimit and nsslapd-timelimit
> under cn=default instance config,cn=chaining database,cn=plugins,cn=config
> are still not updated with this change. I also tried splitting them up
> into two entirely separate changetype: modify blocks but they aren't set
> then either. It works either way with ldapmodify though.

But other changetype: modify replace: foo work with your ConfigFile
setting, correct? So is it just this one for the chaining default instance
config that does not work?

From lambam80 at hotmail.com Thu Apr 23 13:39:50 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Thu, 23 Apr 2009 09:39:50 -0400
Subject: [Fedora-directory-users] fedora-ds-admin version 1.1.7 not found here: http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/i386/os/Packages/
In-Reply-To: <49EF1A23.8080900@redhat.com>
References: <49EDE429.1080707@redhat.com> <49EF1A23.8080900@redhat.com>
Message-ID:

Rich hello again.

Reminder: Rich wrote,
> You should upgrade - you should have ... fedora-ds-admin version 1.1.7 ...

I'm looking at the following URL (using 'baseurl' from
/etc/yum.repos.d/fedora10.repo and drilling into the Packages subdirectory):

http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/i386/os/Packages/

I've used Ctrl+F (find) in my browser and searched for 'fedora-ds-admin'.
I find only one occurrence and it's the old version 1.1.6:

fedora-ds-admin-1.1.6-2.fc10.i386.rpm
fedora-ds-admin-console-1.1.2-1.fc10.noarch.rpm

Is my fedora10.repo file pointing to the correct server(s)?
> > # cat /etc/yum.repos.d/fedora10.repo
> > [fedora]
> > name = Fedora 10 i386 base
> > baseurl=http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/i386/os/
> > mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=i386
> > enabled=1

Thanks, Dave

> Date: Wed, 22 Apr 2009 07:22:43 -0600
> From: rmeggins at redhat.com
> To: lambam80 at hotmail.com
> CC: fedora-directory-users at redhat.com
> Subject: Re: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl
>
> lambam80 at hotmail.com wrote:
> > Rich, hello and as ever thanks for the pertinent reply. Please note
> > that I have Fedora 10 installed.
> >
> > I'll try fedora-ds-admin version 1.1.7, first:
> >
> > # yum install fedora-ds-admin
> > Loaded plugins: refresh-packagekit
> > Setting up Install Process
> > Parsing package install arguments
> > Package fedora-ds-admin-1.1.6-2.fc10.i386 already installed and latest version
> > Nothing to do
> >
> > I have the following:
> >
> > # ls -talr /etc/yum.repos.d
> > -rwxrwxrwx 1 root root 284 2009-04-08 13:08 wget.sh
> > -rw-r--r-- 1 root root 291 2009-04-20 10:52 fedora10.repo
> >
> > # cat /etc/yum.repos.d/fedora10.repo
> > [fedora]
> > name = Fedora 10 i386 base
> > baseurl=http://download.fedora.redhat.com/pub/fedora/linux/releases/10/Everything/i386/os/
> > mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=i386
> > enabled=1
> >
> > Q1: Any idea why I cannot 'find' version 1.1.7 ?
>
> I have no idea - it's been up on the mirrors for a while - I guess try
> yum clean all
> then yum update
>
> > Thanks, Dave
> > ---------
> >
> > > Date: Tue, 21 Apr 2009 09:20:09 -0600
> > > From: rmeggins at redhat.com
> > > To: fedora-directory-users at redhat.com
> > > CC: lambam80 at hotmail.com
> > > Subject: Re: [Fedora-directory-users] Where to search mail archives, cannot find the command: remove-ds-admin.pl
> > >
> > > lambam80 at hotmail.com wrote:
> > > > Hello everybody and thanks for all your help in the past.
> > > >
> > > > Q1: Firstly, what is the recommended means to search the mail archives ?
> > > > I don't fancy downloading all the GZIP files found here:
> > > >
> > > > https://www.redhat.com/archives/fedora-directory-users/
> > > >
> > > > http://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > >
> > > > Q2. I have the following version of Directory Server running on Fedora 10:
> > > >
> > > > [root at ldap4 dirsrv]# cat /etc/redhat-release
> > > > Fedora release 10 (Cambridge)
> > > >
> > > > [root at ldap4 sbin]# /usr/sbin/ns-slapd -v
> > > > Fedora Project
> > > > Fedora-Directory/1.1.3 B2008.289.115
> > > >
> > > > Q2: I cannot find the command remove-ds-admin.pl as documented here:
> > > >
> > > > http://directory.fedoraproject.org/wiki/FDS_Setup#remove-ds-admin.pl
> > > >
> > > > Even with the find command. Where might I find this command, please ?
> > >
> > > You should upgrade - you should have
> > > fedora-ds-base version 1.2.0
> > > fedora-ds-admin version 1.1.7
> > > fedora-ds 1.1.3
> > >
> > > > Cdlt, Dave

From tamarinp at gmail.com Thu Apr 23 15:24:15 2009
From: tamarinp at gmail.com (tamarin p)
Date: Thu, 23 Apr 2009 17:24:15 +0200
Subject: [Fedora-directory-users] ConfigFile directives in .inf-files
In-Reply-To: <49F06D0E.5000703@redhat.com>
References: <4dd1b3eb0904220700l5ccb2ae5q9e0fbf047d106461@mail.gmail.com>
	<49EF2C3F.5080309@redhat.com>
	<4dd1b3eb0904230449qd1ecb4aofc6d33f58de75ccb@mail.gmail.com>
	<49F06D0E.5000703@redhat.com>
Message-ID: <4dd1b3eb0904230824h3f56af54p76c8d2885d2401e3@mail.gmail.com>

2009/4/23 Rich Megginson
> But other changetype: modify replace: foo work with your ConfigFile
> setting, correct? So is it just this one for the chaining default instance
> config that does not work?

That is correct. Your calling the dn "chaining default instance" just now
has made me realize I'm trying to set the wrong attributes however. I
should've looked at the dn more closely rather than just search for the
attribute name to set. I'm not using chaining at all and have skipped the
whole chapter of the admin guide. I was searching dse.ldif to find where
the values found under "Performance" in the console could be set
"programmatically". On a fresh instance with defaults, it turns out that
these values aren't found in dse.ldif yet.
Not until you change them from their default, when they show up under
cn=config. That sidesteps my original problem. Thanks for clearing it up
and sorry about the confusion.

From fortunato.montresor at earthlink.net Thu Apr 23 18:18:48 2009
From: fortunato.montresor at earthlink.net (Fortunato)
Date: Thu, 23 Apr 2009 11:18:48 -0700 (GMT-07:00)
Subject: [Fedora-directory-users] dirsrv on IPv6 and dirsrv-admin on IPv4
Message-ID: <5054338.1240510728793.JavaMail.root@mswamui-valley.atl.sa.earthlink.net>

Thanks! That's the conf file used by the httpd.worker service.

-----Original Message-----
>From: Peter Green
>Sent: Apr 23, 2009 4:07 AM
>To: Fortunato , "General discussion list for the Fedora Directory server project."
>Subject: Re: [Fedora-directory-users] dirsrv on IPv6 and dirsrv-admin on IPv4
>
>Hi,
>
>Have you tried changing the "Listen" directive in the
>file /etc/dirsrv/admin-serv/console.conf?
>
>From the file itself:
>
>[quote]
>#
># Listen: Allows you to bind Apache to specific IP addresses and/or
># ports, in addition to the default. See also the
># directive.
>#
># Change this to Listen on specific IP addresses as shown below to
># prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
># e.g. "Listen 12.34.56.78:80"
>#
># To allow connections to IPv6 addresses add "Listen [::]:80"
>#
>Listen 0.0.0.0:9830
>[/quote]
>
>You will need to restart the admin server component afterwards. A quick
>"service dirsrv-admin restart" will suffice on Red Hat-based systems.
>
>HTH,
>
>Pete
>
>On Wed, 2009-04-22 at 18:47 -0700, Fortunato wrote:
>> Hello,
>>
>> According to netstat, it looks like the ns-slapd is listening on the
>> IPv6 address but the dirsrv process is on IPv4. Is there a quick way to
>> put dirsrv on IPv6 as well?
>>
>> # netstat -tlpn
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
>> tcp        0      0 0.0.0.0:9830     0.0.0.0:*        LISTEN  2591/httpd.worker
>> tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  2158/rpcbind
>> tcp        0      0 0.0.0.0:34129    0.0.0.0:*        LISTEN  2171/rpc.statd
>> tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2902/sshd
>> tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN  2919/sendmail: acce
>> tcp        0      0 :::389           :::*             LISTEN  2491/ns-slapd
>> tcp        0      0 :::111           :::*             LISTEN  2158/rpcbind
>> tcp        0      0 :::22            :::*             LISTEN  2902/sshd
>>
>> Thanks in advance,
>>
>-- 
>Peter Green B.Sc. (Hons) M.B.C.S.
>Director / Technical Lead
>Bexley I.T. Solutions Ltd.
>
>M: +44 (0) 7908 135 070

From konetzed at quixoticagony.com Fri Apr 24 01:16:50 2009
From: konetzed at quixoticagony.com (Edward Konetzko)
Date: Thu, 23 Apr 2009 20:16:50 -0500
Subject: [Fedora-directory-users] dna
Message-ID: <49F11302.3040408@quixoticagony.com>

I have been wanting to test out lib dna. Can anyone tell me why the
redhat-ds-base packages have "--disable-dna" on their configure line?
Are there problems with dna in the 8.0.4 release?

Also, if there is a better way of using dna with Redhat Directory Server,
can someone point me in that direction? I do not have official Redhat
support for Directory Server as I am testing it out before we go through
the whole process of purchasing it.

Thank you for your help in advance.
Edward

From rmeggins at redhat.com Fri Apr 24 01:25:44 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Apr 2009 19:25:44 -0600
Subject: [Fedora-directory-users] dna
In-Reply-To: <49F11302.3040408@quixoticagony.com>
References: <49F11302.3040408@quixoticagony.com>
Message-ID: <49F11518.8000806@redhat.com>

Edward Konetzko wrote:
> I have been wanting to test out lib dna, can anyone tell me why the
> redhat-ds-base packages have on their configure line "--disable-dna".
> Are there problems with dna in the 8.0.4 release?
Yes. It is fully supported in RHDS 8.1, which will be released soon.
> Also if there is a better way of using dna with Redhat Directory
> Server can someone point me in that direction? I do not have official
> Redhat support for Directory Server as I am testing it out before we
> go through the whole process of purchasing it.
I suggest you try out fedora-ds-base 1.2.0.
>
> Thank you for your help in advance.
> Edward

From agiggins at wcg.net.au Fri Apr 24 03:04:18 2009
From: agiggins at wcg.net.au (Anthony Giggins)
Date: Fri, 24 Apr 2009 13:04:18 +1000
Subject: [Fedora-directory-users] LDAP proxy
In-Reply-To: <49EF1AB8.6040204@redhat.com>
References: <98103a23-e83a-4e47-86a6-82ecdfd32ec8@kerio.com> <49EF1AB8.6040204@redhat.com>
Message-ID:

>
> BTW, I would really appreciate it if you could write up something for
> the wiki about "using chaining to create an AD 'view'" - if you would
> rather just send me the info in an email, that would be fine too.

Yes this information would be great, please advise when it is available.
Cheers,

Anthony

From mrejda at kerio.com Fri Apr 24 06:00:34 2009
From: mrejda at kerio.com (Michal Rejda)
Date: Fri, 24 Apr 2009 08:00:34 +0200
Subject: [Fedora-directory-users] LDAP proxy
Message-ID: <8461450e-90a2-4d5e-847d-dbeaa75f933a@kerio.com>

> >
> > BTW, I would really appreciate it if you could write up something for
> > the wiki about "using chaining to create an AD 'view'" - if you would
> > rather just send me the info in an email, that would be fine too.
>
> Yes this information would be great, please advise when it is
> available.

It is available at: http://directory.fedoraproject.org/wiki/Howto:ChainToAD

>
> Cheers,
>
> Anthony

From jasanchez at ccnt-spain.com Fri Apr 24 08:03:51 2009
From: jasanchez at ccnt-spain.com (Juan Asensio Sánchez)
Date: Fri, 24 Apr 2009 10:03:51 +0200
Subject: [Fedora-directory-users] Force schema replication
Message-ID: <1240560231.6603.2.camel@grsgscvalx001.sacyl.es>

Hi

Is there any way to force only the replication of the schema from one server to another? I am having this error:

[24/Apr/2009:09:53:44 +0200] NSMMReplicationPlugin - agmt="cn=GRS_ppal-GAPBU_back" (gapbu02bulp0102:636): Schema replication update failed: Type or value exists
[24/Apr/2009:09:53:44 +0200] NSMMReplicationPlugin - agmt="cn=GRS_ppal-GAPBU_back" (gapbu02bulp0102:636): Warning: unable to replicate schema: rc=2

How can I get more info about this error?

Regards.
From tamarinp at gmail.com Fri Apr 24 12:48:10 2009
From: tamarinp at gmail.com (tamarin p)
Date: Fri, 24 Apr 2009 14:48:10 +0200
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <49B90B97.5060605@redhat.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com> <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com> <49B90B97.5060605@redhat.com>
Message-ID: <4dd1b3eb0904240548x4860c42co99ad1fbc07e63ea6@mail.gmail.com>

2009/3/12 Rich Megginson

> One additional question with regards to the above, though, if I may:
>> Does this mean it's not intended/possible to register ldap instance(s) on
>> machine A with the config-server on machine B? I assumed it was because
>> answering "yes" on the register-with-existing-configserv step in
>> setup-ds-admin.pl prompts you for a full ldap-URL.
>>
> You usually have a single configuration directory server for a single admin
> domain, which may consist of many machines. So yes, that's what that dialog
> does - it registers your directory server with a (possibly) remote
> configuration directory server, used to store configuration for many
> machines.
>
>> However, creating an instance with setup-ds.pl and then later running
>> register-ds-admin.pl it only seems possible to register locally by
>> folder/identifier, not ldap-URL.
>>
> It should be possible both ways.

Following up on this, I think I discovered a small bug in the script: the first time you run setup-ds-admin.pl the adm.conf ldapurl property isn't updated correctly and the instance won't find the config directory for registration.

I have two machines: ldap1.test.com and ldap2.test.com. ldap1 has the instances slapd-config on port 4000 (holding NetscapeRoot) and slapd-test1 on port 4001. ldap2 only has slapd-test2 on port 4002. (different ports so I can use the same infs to create all instances on same machine if I need to).
I have been able to set this up successfully, and I can see them both under the same admin domain in the fedora-idm-console.

The problem surfaces when I create slapd-test2 instance on ldap2 with setup-ds-admin.pl -s -f slapd-test2.inf for the first time only (ensured by running remove-ds-admin.pl -y first). The first time I create the server I get normal log output and the instance is started successfully but it does not show up in the idm-console. Then I try to remove it with ds_removal and I get this:

Error:The server 'ldap://:4002/o=NetscapeRoot' is not reachable.
Error: unknown error

Checking /etc/dirsrv/admin-serv/adm.conf I notice that it has the wrong ldapurl: ldap://:4002/o=NetscapeRoot. Then I run setup-ds-admin.pl again exactly like before, and then it works. I can see the new instance in the idm-console and I can ds_removal it again without errors. /etc/dirsrv/admin-serv/adm.conf now holds the right ldapurl for the configdirectory: ldapurl: ldap://ldap1.test.com:4000/o=NetscapeRoot. The rest of the adm.conf is identical in both cases.

If I add the FullMachineName directive to the inf then this is added instead of an empty string, but according to the docs http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html this should be the hostname of the machine you're installing ON. Additionally this still leaves me with the wrong port, ie ldap://ldap01.test.com:4002 (it uses the FullMachineName but the local port for the instance being created). But on the second run it is always corrected. So the workaround I have found is to just make sure adm.conf exists already. Then it always works, even when the file is blank.
From rmeggins at redhat.com Fri Apr 24 14:31:04 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Apr 2009 08:31:04 -0600
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <4dd1b3eb0904240548x4860c42co99ad1fbc07e63ea6@mail.gmail.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com> <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com> <49B90B97.5060605@redhat.com> <4dd1b3eb0904240548x4860c42co99ad1fbc07e63ea6@mail.gmail.com>
Message-ID: <49F1CD28.2050507@redhat.com>

tamarin p wrote:
>
>
> 2009/3/12 Rich Megginson
>
> One additional question with regards to the above, though, if I may:
> Does this mean it's not intended/possible to register ldap
> instance(s) on machine A with the config-server on machine B?
> I assumed it was because answering "yes" on the
> register-with-existing-configserv step in setup-ds-admin.pl
> prompts you for a full ldap-URL.
>
> You usually have a single configuration directory server for a
> single admin domain, which may consist of many machines. So yes,
> that's what that dialog does - it registers your directory server
> with a (possibly) remote configuration directory server, used to
> store configuration for many machines.
>
> However, creating an instance with setup-ds.pl and then later
> running register-ds-admin.pl it only seems possible to
> register locally by folder/identifier, not ldap-URL.
>
> It should be possible both ways.
>
>
> Following up on this, I think I discovered a small bug in the script:
> the first time you run setup-ds-admin.pl the adm.conf ldapurl property
> isn't updated correctly and the instance won't find the config
> directory for registration.
>
> I have two machines: ldap1.test.com and
> ldap2.test.com. ldap1 has the instances
> slapd-config on port 4000 (holding NetscapeRoot) and slapd-test1 on
> port 4001. ldap2 only has slapd-test2 on port 4002.
> (different ports so I can use the same infs to create all instances on
> same machine if I need to). I have been able to set this up
> successfully, and I can see them both under the same admin domain in
> the fedora-idm-console.
>
> The problem surfaces when I create slapd-test2 instance on ldap2 with
> setup-ds-admin.pl -s -f slapd-test2.inf for the first time only
> (ensured by running remove-ds-admin.pl -y first). The first time I
> create the server I get normal log output and the instance is started
> successfully but it does not show up in the idm-console. Then I try to
> remove it with ds_removal and I get this:
> Error:The server 'ldap://:4002/o=NetscapeRoot' is not reachable.
> Error: unknown error
Can you post your slapd-test2.inf? Be sure to obscure any sensitive info first.
>
> Checking /etc/dirsrv/admin-serv/adm.conf and notice that it has the
> wrong ldapurl: ldap://:4002/o=NetscapeRoot. Then I run
> setup-ds-admin.pl again exactly like before, and then it works. I can
> see the new instance in the idm-console and I can ds_removal it again
> without errors. /etc/dirsrv/admin-serv/adm.conf now holds the right
> ldapurl for the configdirectory: ldapurl:
> ldap://ldap1.test.com:4000/o=NetscapeRoot. The rest of the adm.conf
> is identical in both cases.
>
> If I add FullMachineName directive to the inf then this is added
> instead of empty string, but according to the docs
> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html
> this should be the hostname of the machine you're installing ON.
> Additionally this still leaves me with the wrong port, ie
> ldap://ldap01.test.com:4002 (it uses the
> FullMachineName but local port for the instance being created). But on
> the second run it is always corrected. So the workaround I have found
> is to just make sure adm.conf exists already. Then it always works,
> even when the file is blank.
Ok. Looks like the auto hostname thing is not working.
We use perl Net::Domain hostfqdn if FullMachineName is absent - it uses some complicated formula involving sys::hostname, /etc/resolv.conf, etc. I'm not sure why it would fail completely though.

From rmeggins at redhat.com Fri Apr 24 14:31:50 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Apr 2009 08:31:50 -0600
Subject: [Fedora-directory-users] Force schema replication
In-Reply-To: <1240560231.6603.2.camel@grsgscvalx001.sacyl.es>
References: <1240560231.6603.2.camel@grsgscvalx001.sacyl.es>
Message-ID: <49F1CD56.70702@redhat.com>

Juan Asensio Sánchez wrote:
> Hi
>
> Is there any way to force only the replication of the schema from one
> server to another? I am having this error:
>
> [24/Apr/2009:09:53:44 +0200] NSMMReplicationPlugin -
> agmt="cn=GRS_ppal-GAPBU_back" (gapbu02bulp0102:636): Schema
> replication update failed: Type or value exists
> [24/Apr/2009:09:53:44 +0200] NSMMReplicationPlugin -
> agmt="cn=GRS_ppal-GAPBU_back" (gapbu02bulp0102:636): Warning: unable
> to replicate schema: rc=2
>
> How can I get more info about this error?
Did you update schema over LDAP on more than one master?
>
> Regards.
From tamarinp at gmail.com Fri Apr 24 15:02:00 2009
From: tamarinp at gmail.com (tamarin p)
Date: Fri, 24 Apr 2009 17:02:00 +0200
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <49F1CD28.2050507@redhat.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com> <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com> <49B90B97.5060605@redhat.com> <4dd1b3eb0904240548x4860c42co99ad1fbc07e63ea6@mail.gmail.com> <49F1CD28.2050507@redhat.com>
Message-ID: <4dd1b3eb0904240802t46defabcmd87afb36051e5dec@mail.gmail.com>

2009/4/24 Rich Megginson

> tamarin p wrote:
> Can you post your slapd-test2.inf? Be sure to obscure any sensitive info
> first.

Here it is. It is mostly a copy of the example 6.2 in the installation doc for silent installs.

# slapd-test2.inf for installation on ldap2.test.com
# config directory on ldap1.test.com
[General]
AdminDomain = test.com
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://ldap1.test.com:4000/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = pwd
SuiteSpotUserID = nobody

[slapd]
InstallLdifFile = suggest
ServerIdentifier = test2
ServerPort = 4002
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = pwd
Suffix = dc=test,dc=com
UseExistingMC = Yes
UseExistingUG = No
AddSampleEntries = No

[admin]
ServerAdminID = admin
ServerAdminPwd = pwd
ServerIpAddress = 0.0.0.0
Port = 9830

> If I add FullMachineName directive to the inf then this is added instead of
>> empty string, but according to the docs
>> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html
>> this should be the hostname of the machine you're installing ON.
>> Additionally this still leaves me with the wrong port, ie
>> ldap://ldap01.test.com:4002 (it uses the
>> FullMachineName but local port for the instance being created). But on the
>> second run it is always corrected. So the workaround I have found is to just
>> make sure adm.conf exists already. Then it always works, even when the file
>> is blank.
>>
> Ok. Looks like the auto hostname thing is not working. We use perl
> Net::Domain hostfqdn if FullMachineName is absent - it uses some complicated
> formula involving sys::hostname, /etc/resolv.conf, etc. I'm not sure why it
> would fail completely though.

Could be I'm missing some lib, but on the other hand, it looks as if the ldapurl in adm.conf must point to the config directory so it wouldn't do any good if it did correctly set the hostname of the machine you install on (ldap2.test.com in my case), since the configdir is on another machine. The correct ldap url for config directory is always going to be ldap://ldap1.test.com:4000 and looks like the script should always just use the host:port from ConfigDirectoryLdapURL for ldapurl in adm.conf. Also, regardless if fullmachinename is set or not, when adm.conf already exists on running setup-ds-admin, the property is always set correctly to ldap://ldap1.test.com:4000 and the registration/unregistration works after.
From rmeggins at redhat.com Fri Apr 24 15:14:40 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Apr 2009 09:14:40 -0600
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <4dd1b3eb0904240802t46defabcmd87afb36051e5dec@mail.gmail.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com> <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com> <49B90B97.5060605@redhat.com> <4dd1b3eb0904240548x4860c42co99ad1fbc07e63ea6@mail.gmail.com> <49F1CD28.2050507@redhat.com> <4dd1b3eb0904240802t46defabcmd87afb36051e5dec@mail.gmail.com>
Message-ID: <49F1D760.2080601@redhat.com>

tamarin p wrote:
> 2009/4/24 Rich Megginson
>
> tamarin p wrote:
> Can you post your slapd-test2.inf? Be sure to obscure any
> sensitive info first.
>
>
> Here it is. It is mostly a copy of the example 6.2 in the installation
> doc for silent installs.
>
> # slapd-test2.inf for installation on ldap2.test.com
>
> # config directory on ldap1.test.com
> [General]
> AdminDomain = test.com
> SuiteSpotGroup = nobody
> ConfigDirectoryLdapURL = ldap://ldap1.test.com:4000/o=NetscapeRoot
>
> ConfigDirectoryAdminID = admin
> ConfigDirectoryAdminPwd = pwd
> SuiteSpotUserID = nobody
>
> [slapd]
> InstallLdifFile = suggest
> ServerIdentifier = test2
> ServerPort = 4002
> AddOrgEntries = No
> RootDN = cn=Directory Manager
> RootDNPwd = pwd
> Suffix = dc=test,dc=com
> UseExistingMC = Yes
> UseExistingUG= No
> AddSampleEntries = No
>
> [admin]
> ServerAdminID = admin
> ServerAdminPwd = pwd
> ServerIpAddress = 0.0.0.0
> Port = 9830
>
>
>
> If I add FullMachineName directive to the inf then this is
> added instead of empty string, but according to the docs
> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Advanced_Configuration-Silent.html
> this should be the hostname of the machine you're installing
> ON.
> Additionally this still leaves me with the wrong port, ie
> ldap://ldap01.test.com:4002
> (it uses the FullMachineName but
> local port for the instance being created). But on the second
> run it is always corrected. So the workaround I have found is
> to just make sure adm.conf exists already. Then it always
> works, even when the file is blank.
>
> Ok. Looks like the auto hostname thing is not working. We use
> perl Net::Domain hostfqdn if FullMachineName is absent - it uses
> some complicated formula involving sys::hostname,
> /etc/resolv.conf, etc. I'm not sure why it would fail completely
> though.
>
>
> Could be I'm missing some lib, but on the other hand, it looks as if
> the ldapurl in adm.conf must point to the config directory so it
> wouldn't do any good if it did correctly set the hostname of the
> machine you install on (ldap2.test.com in my
> case), since the configdir is on another machine. The correct ldap url
> for config directory is always going to be ldap://ldap1.test.com:4000
> and looks like the script should always
> just use the host:port from ConfigDirectoryLdapURL for ldapurl in
> adm.conf. Also, regardless if fullmachinename is set or not, when
> adm.conf already exists on running setup-ds-admin, the property is
> always set correctly to ldap://ldap1.test.com:4000
> and the registration/unregistration works
> after.
So the problem is that it does not correctly parse the host:port from the ConfigDirectoryLdapURL?
From tamarinp at gmail.com Fri Apr 24 16:18:36 2009
From: tamarinp at gmail.com (tamarin p)
Date: Fri, 24 Apr 2009 18:18:36 +0200
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <49F1D760.2080601@redhat.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com> <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com> <49B90B97.5060605@redhat.com> <4dd1b3eb0904240548x4860c42co99ad1fbc07e63ea6@mail.gmail.com> <49F1CD28.2050507@redhat.com> <4dd1b3eb0904240802t46defabcmd87afb36051e5dec@mail.gmail.com> <49F1D760.2080601@redhat.com>
Message-ID: <4dd1b3eb0904240918v1f5cbcbbj4b8200a1f3bbd578@mail.gmail.com>

2009/4/24 Rich Megginson

> tamarin p wrote:
>
>> Could be I'm missing some lib, but on the other hand, it looks as if the
>> ldapurl in adm.conf must point to the config directory so it wouldn't do any
>> good if it did correctly set the hostname of the machine you install on (
>> ldap2.test.com in my case), since the configdir
>> is on another machine. The correct ldap url for config directory is always
>> going to be ldap://ldap1.test.com:4000 and
>> looks like the script should always just use the host:port from
>> ConfigDirectoryLdapURL for ldapurl in adm.conf. Also, regardless if
>> fullmachinename is set or not, when adm.conf already exists on running
>> setup-ds-admin, the property is always set correctly to
>> ldap://ldap1.test.com:4000 and the
>> registration/unregistration works after.
>>
> So the problem is that it does not correctly parse the host:port from the
> ConfigDirectoryLdapURL?

Not really. There seem to be two things to what the script ends up doing.

1. if /etc/dirsrv/admin-serv/adm.conf exists, it applies the value in ConfigDirectoryLdapURL correctly and everything works
2. if /etc/dirsrv/admin-serv/adm.conf does NOT exist, it tries to use (based on observation) ldap://: (no error to see from the script output though I haven't tried with --debug)

It seems to me option 1 is what it should always do, even when the file doesn't exist. Option 2 is not likely to be correct for any multihomed install. In my case, without FullMachineName, the result is ldap://:4002. No hostname and the wrong port. This is the port of the instance I'm creating with the inf, not the config dir. If I set FullMachineName to point to the host with the config directory (assuming this doesn't have other side effects elsewhere, the docs do say it should be the full hostname for the machine you're installing on after all) I would get ldap://ldap1.test.com:4002 which is still the wrong port as my actual ConfigDirectoryLdapURL is ldap://ldap1.test.com:4000/ (plus o=NetscapeRoot)

Note that I don't actually know what ldapuri in adm.conf is used for. I'm just guessing based on observation, but it seems to be used by register-ds-admin and ds_removal among others, since ds_removal seems to try that URL when unregistering (see error message from a previous post in this thread)
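The two behaviours tamarin reports, modelled as an added example; this is illustration code, not setup-ds-admin.pl or any other Fedora DS script. The resolution order in resolve_config_ldapurl() is an assumption: an explicit ConfigDirectoryLdapURL from the .inf first, then the ldapurl of an existing adm.conf, and only when neither is available a URL built from FullMachineName (or the detected FQDN) and ServerPort, which is exactly where an empty hostname produces the ldap://:4002 value seen above. ldapurl_problem() is the check worth running on the value before it is trusted in adm.conf or handed to ds_removal or register-ds-admin; all inputs below are constructed to mirror the thread.

```python
from urllib.parse import urlsplit


def parse_adm_conf(text):
    """Parse the 'key: value' lines of an adm.conf file into a dict (keys lower-cased)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # split on the first ':' only; the value itself is an ldap:// URL with colons
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf


def resolve_config_ldapurl(inf, adm_conf_text=None, hostfqdn=lambda: ""):
    """Return the LDAP URL of the configuration directory (o=NetscapeRoot).

    Assumed resolution order (an illustration, not the setup script's own code):
      1. ConfigDirectoryLdapURL from the .inf, if given;
      2. ldapurl from an existing adm.conf, if the file is present;
      3. otherwise assume this install creates the config DS itself and build
         ldap://<FullMachineName or hostfqdn()>:<ServerPort>/o=NetscapeRoot.
    hostfqdn defaults to returning '' to reproduce the failure seen in the thread.
    """
    url = inf.get("ConfigDirectoryLdapURL")
    if not url and adm_conf_text is not None:
        url = parse_adm_conf(adm_conf_text).get("ldapurl")
    if not url:
        host = inf.get("FullMachineName") or hostfqdn()
        url = "ldap://%s:%s/o=NetscapeRoot" % (host, inf.get("ServerPort", 389))
    return url


def ldapurl_problem(url):
    """Return None if url names an ldap/ldaps scheme, a host and a port, else a short reason.

    This catches 'ldap://:4002/o=NetscapeRoot' before it is written to adm.conf
    or used by ds_removal / register-ds-admin, which would otherwise fail with
    'is not reachable'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return "unexpected scheme"
    if not parts.hostname:
        return "no hostname"
    if parts.port is None:
        return "no port"
    return None


if __name__ == "__main__":
    # Constructed inputs: remote config DS on ldap1.test.com:4000, local instance on port 4002.
    with_url = {"ConfigDirectoryLdapURL": "ldap://ldap1.test.com:4000/o=NetscapeRoot",
                "ServerPort": 4002}
    without_url = {"ServerPort": 4002}
    existing_adm_conf = "ldapurl: ldap://ldap1.test.com:4000/o=NetscapeRoot\n"
    for candidate in (resolve_config_ldapurl(with_url),
                      resolve_config_ldapurl(without_url, existing_adm_conf),
                      resolve_config_ldapurl(without_url)):
        print(candidate, "->", ldapurl_problem(candidate) or "ok")
```

The third candidate is the bogus value from the thread: no ConfigDirectoryLdapURL, no adm.conf, and an FQDN lookup that returns nothing, so the URL is built from an empty host and the port of the instance being created rather than the config directory's port.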
From rmeggins at redhat.com Sat Apr 25 00:36:23 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 24 Apr 2009 18:36:23 -0600
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <4dd1b3eb0904240918v1f5cbcbbj4b8200a1f3bbd578@mail.gmail.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com> <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com> <49B90B97.5060605@redhat.com> <4dd1b3eb0904240548x4860c42co99ad1fbc07e63ea6@mail.gmail.com> <49F1CD28.2050507@redhat.com> <4dd1b3eb0904240802t46defabcmd87afb36051e5dec@mail.gmail.com> <49F1D760.2080601@redhat.com> <4dd1b3eb0904240918v1f5cbcbbj4b8200a1f3bbd578@mail.gmail.com>
Message-ID: <49F25B07.6080609@redhat.com>

tamarin p wrote:
>
>
> 2009/4/24 Rich Megginson
>
> tamarin p wrote:
>
> Could be I'm missing some lib, but on the other hand, it looks
> as if the ldapurl in adm.conf must point to the config
> directory so it wouldn't do any good if it did correctly set
> the hostname of the machine you install on (ldap2.test.com
> in my case),
> since the configdir is on another machine. The correct ldap
> url for config directory is always going to be
> ldap://ldap1.test.com:4000
> and looks like the script should
> always just use the host:port from ConfigDirectoryLdapURL for
> ldapurl in adm.conf. Also, regardless if fullmachinename is
> set or not, when adm.conf already exists on running
> setup-ds-admin, the property is always set correctly to
> ldap://ldap1.test.com:4000
> and the
> registration/unregistration works after.
>
> So the problem is that it does not correctly parse the host:port
> from the ConfigDirectoryLdapURL?
>
> Not really. There seems to be two things to what the script ends up doing.
> 1.
> if /etc/dirsrv/admin-serv/adm.conf exists, it applies the value
> in ConfigDirectoryLdapURL correctly and everything works
If adm.conf exists, and did not have a correct ldapurl, then something went wrong with the original/initial setup.
> 2. if /etc/dirsrv/admin-serv/adm.conf does NOT exist, it tries to use
> (based on observation) ldap://: (no error
> to see from the script output though I haven't tried with --debug)
Right - see below
> It seems to me option 1 is what it should always do, even when the
> file doesn't exist. Option 2 is not likely to be correct for any
> multihomed install. In my case, without FullMachineName, the result is
> ldap://:4002. No hostname and the wrong port. This is the port of the
> instance I'm creating with the inf, not the config dir. If I set
> FullMachineName to point to the host with the config directory
> (assuming this doesn't have other side effects elsewhere, the docs do
> say it should be the full hostname for the machine you're installing
> on after all) I would get ldap://ldap1.test.com:4002
> which is still the wrong port as my
> actual ConfigDirectoryLdapURL is ldap://ldap1.test.com:4000/
> (plus o=NetscapeRoot)
The way it should work is that if you are registering a non-config DS with the config DS, you should provide ConfigDirectoryLdapURL. If you do not, the script tries to use the one from adm.conf. If that is not available, the script assumes that you have not yet set up a Config DS and admin server, and therefore assumes you are going to be creating the Config DS, so it tries to construct a URL based on the FullMachineName and ServerPort. So it looks as though something somehow went wrong with the original/initial setup, and it wrote a bogus ldapurl without the hostname in adm.conf.
> Note that I don't actually know what ldapuri in adm.conf is used for.
> I'm just guessing based on observation, but it seems to be used by
> register-ds-admin and ds_removal among others, since ds_removal seems
> to try that URL when unregistering (see error message from a previous
> post in this thread)
It's used by the admin server to find the configuration DS (where it stores its config information and information needed by the console). If ldapurl is not correct, then admin server and console operations will likely fail. It's also used by the scripts to find default config DS information (as you have surmised).

From alex-saf at npc.vrn.ru Sun Apr 26 12:52:57 2009
From: alex-saf at npc.vrn.ru (Сафонов Алексей)
Date: Sun, 26 Apr 2009 16:52:57 +0400 (MSD)
Subject: [Fedora-directory-users] Slowly the network under control of FDS works
In-Reply-To: <11612143.01240750342318.JavaMail.root@proxy1.npc.vrn.ru>
Message-ID: <27934294.21240750377740.JavaMail.root@proxy1.npc.vrn.ru>

Colleagues!

I have a network built on FDS 1.1. At the moment the number of FDS client computers does not exceed 40. The client computers run Fedora 10. Nevertheless, after a while everything on the client computers starts to work very slowly: programs start slowly, and so on. It happens only to FDS users; if you log in to the computer as a local user, everything is normal. FDS performance tuning (http://directory.fedoraproject.org/wiki/Performance_Tuning) has been done.

How can this problem be solved?
From jfenal at gmail.com Sun Apr 26 13:44:08 2009
From: jfenal at gmail.com (Jérôme Fenal)
Date: Sun, 26 Apr 2009 15:44:08 +0200
Subject: [Fedora-directory-users] Slowly the network under control of FDS works
In-Reply-To: <27934294.21240750377740.JavaMail.root@proxy1.npc.vrn.ru>
References: <11612143.01240750342318.JavaMail.root@proxy1.npc.vrn.ru> <27934294.21240750377740.JavaMail.root@proxy1.npc.vrn.ru>
Message-ID: <40a14bc10904260644q396cc20ejf39f901d3fb36529@mail.gmail.com>

2009/4/26 Сафонов Алексей :
> Colleagues!
>
> I have a network built on FDS 1.1. At the moment the number of FDS client computers does not exceed 40. The client computers run Fedora 10. Nevertheless, after a while everything on the client computers starts to work very slowly: programs start slowly, and so on. It happens only to FDS users; if you log in to the computer as a local user, everything is normal.
> FDS performance tuning (http://directory.fedoraproject.org/wiki/Performance_Tuning) has been done.
>
> How can this problem be solved?

Where is the problem? On the clients (do you run nscd?) or on the server(s)?

Can you characterize the problem better than "starts to work very slowly"? What is slow? Login? Password validation?

You'll need to give more information about your setup, and the modules using LDAP on your clients. If the problem looks to be on the server, then how it is set up, and on what kind of hardware (or VM hypervisor).

Regards,

J.
-- 
Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
Paris.pm - http://paris.mongueurs.net/

From andrey.ivanov at polytechnique.fr Sun Apr 26 13:53:05 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Sun, 26 Apr 2009 15:53:05 +0200
Subject: [Fedora-directory-users] Slowly the network under control of FDS works
In-Reply-To: <27934294.21240750377740.JavaMail.root@proxy1.npc.vrn.ru>
References: <11612143.01240750342318.JavaMail.root@proxy1.npc.vrn.ru> <27934294.21240750377740.JavaMail.root@proxy1.npc.vrn.ru>
Message-ID: <1601b8650904260653x1c242988ved0053c91e623458@mail.gmail.com>

Try to use nscd (man nscd for more details) on the clients. Other than that, index the attributes used during the searches. The utility that will show you the unindexed searches is logconv.pl ("locate logconv.pl" to find it):

logconv.pl -V

Compared to the default FDS indexes we add the presence and equality indexes on uidnumber, gidnumber and memberuid for this type of service. We have no slowdowns or loss of performance over time with ~10000 accounts and 200 workstations, so for your infrastructure it should be no problem either...

2009/4/26 Сафонов Алексей

> Colleagues!
>
> I have a network built on FDS 1.1. At the moment the number of FDS client
> computers does not exceed 40. The client computers run Fedora 10.
> Nevertheless, after a while everything on the client computers starts to
> work very slowly: programs start slowly, and so on. It happens only to FDS
> users; if you log in to the computer as a local user, everything is normal.
> FDS performance tuning (
> http://directory.fedoraproject.org/wiki/Performance_Tuning) has been done.
>
> How can this problem be solved?
>
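As an added example (not logconv.pl and not any Fedora/389 DS code), the core of what Andrey's "logconv.pl -V" suggestion reports, done by hand: correlate the SRCH and RESULT lines of the access log by conn/op, keep the searches whose RESULT carries notes=U (the unindexed marker), count the filter attributes involved, and emit the LDIF for the equality and presence index entries he recommends under cn=index of the ldbm backend. The log lines are constructed samples in the access-log format, not lines from this thread; "userRoot" as the backend name and the set of attributes treated as already indexed are assumptions. Adding the index entry only declares the index; the attribute is not actually indexed until the index is built, e.g. with the instance's db2index.pl script (check its options for your version).

```python
import re
from collections import Counter

# Constructed sample access-log lines in Fedora/389 DS format (not from the thread).
# A SRCH line records the search; the RESULT line with the same conn/op carries
# notes=U when the search ran without a usable index.
SAMPLE_ACCESS_LOG = """\
[26/Apr/2009:15:50:01 +0200] conn=12 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=1001))" attrs="uid cn"
[26/Apr/2009:15:50:01 +0200] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=2 notes=U
[26/Apr/2009:15:50:02 +0200] conn=12 op=4 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="uidNumber gidNumber"
[26/Apr/2009:15:50:02 +0200] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[26/Apr/2009:15:50:03 +0200] conn=13 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(memberUid=alice))" attrs="cn gidNumber"
[26/Apr/2009:15:50:05 +0200] conn=13 op=1 RESULT err=0 tag=101 nentries=7 etime=2 notes=U
[26/Apr/2009:15:50:06 +0200] conn=14 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(gidNumber=500)" attrs=ALL
[26/Apr/2009:15:50:06 +0200] conn=14 op=2 RESULT err=0 tag=101 nentries=3 etime=1 notes=U
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*? filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*\bnotes=U\b')
# attribute names on the left of =, ~=, <= or >= inside a filter, e.g. (uidNumber=1001)
ATTR_RE = re.compile(r'\(([A-Za-z][A-Za-z0-9;-]*)[~<>]?=')


def unindexed_searches(log_text):
    """Return (conn, op, filter) for every search whose RESULT line carries notes=U."""
    filters = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            filters[(m.group(1), m.group(2))] = m.group(3)
    hits = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in filters:
            hits.append((m.group(1), m.group(2), filters[(m.group(1), m.group(2))]))
    return hits


def attrs_to_index(log_text, already_indexed=("objectClass", "uid", "cn")):
    """Count how many unindexed filters mention each attribute.

    Attributes in already_indexed are skipped; the default set is an assumption,
    compare it with what your instance actually has under cn=index.
    """
    skip = {a.lower() for a in already_indexed}
    counts = Counter()
    for _conn, _op, flt in unindexed_searches(log_text):
        for attr in set(ATTR_RE.findall(flt)):
            if attr.lower() not in skip:
                counts[attr] += 1
    return counts


def index_ldif(attr, backend="userRoot", types=("eq", "pres")):
    """LDIF entry declaring an equality + presence index for attr on the given backend."""
    lines = [
        "dn: cn=%s,cn=index,cn=%s,cn=ldbm database,cn=plugins,cn=config" % (attr, backend),
        "objectClass: top",
        "objectClass: nsIndex",
        "cn: %s" % attr,
        "nsSystemIndex: false",
    ] + ["nsIndexType: %s" % t for t in types]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for conn, op, flt in unindexed_searches(SAMPLE_ACCESS_LOG):
        print("unindexed: conn=%s op=%s %s" % (conn, op, flt))
    for attr, n in attrs_to_index(SAMPLE_ACCESS_LOG).most_common():
        print("# %s: %d unindexed search(es)" % (attr, n))
        print(index_ldif(attr))
```

Run it against a real access log by replacing SAMPLE_ACCESS_LOG with the file contents; the three attributes it flags on the sample (uidNumber, memberUid, gidNumber) are precisely the ones Andrey's site indexes for this kind of NSS/PAM workload.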
From alex-saf at npc.vrn.ru Sun Apr 26 15:50:45 2009
From: alex-saf at npc.vrn.ru (Сафонов Алексей)
Date: Sun, 26 Apr 2009 19:50:45 +0400 (MSD)
Subject: [Fedora-directory-users] Slowly the network under control of FDS works
In-Reply-To: <8150524.101240760886574.JavaMail.root@proxy1.npc.vrn.ru>
Message-ID: <14243213.121240761045571.JavaMail.root@proxy1.npc.vrn.ru>

Hi!

The classic manifestation of the low speed is the following:
- we log in as an FDS user - the login to the system takes a long time;
- working as an FDS user (GNOME), we start the console (gnome-terminal). The console appears quickly, but the prompt in it, of the form [user1 at comp1 ~]$, takes 20-25 seconds to appear. When working as a local user this does not occur.

Concerning nscd: this daemon falls over too often. At least the one that is shipped with Fedora 10.

----- Original Message -----
From: "Jérôme Fenal"
To: "General discussion list for the Fedora Directory server project."
Sent: Sunday, 26 April 2009 17:44:08 GMT +03:00 Moscow, Saint Petersburg, Volgograd
Subject: Re: [Fedora-directory-users] Slowly the network under control of FDS works

2009/4/26 Сафонов Алексей:
> Colleagues!
>
> I have a network deployed on the basis of FDS 1.1. At the moment the number of FDS client computers does not exceed 40. The client computers are based on Fedora 10. Nevertheless, after a while everything on the client computers starts to work very slowly. Programs start slowly, etc. It happens only to FDS users. If one logs on to the computer as a local user, everything is normal.
> FDS performance tuning (http://directory.fedoraproject.org/wiki/Performance_Tuning) has been done.
>
> How is it possible to solve the problem?

Where is the problem? On the clients (run nscd?) or on the server(s)? Can you characterize the problem better than "starts to work very slowly"? What is slow? Login? Password validation?
You'll need to tell more information about your setup, and modules using LDAP on your clients. If the problem looks to be on the server, then how it is set up, on what kind of hardware (or VM hypervisor).

Regards,
J.

--
Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
Paris.pm - http://paris.mongueurs.net/

From rpolli at babel.it Mon Apr 27 09:30:05 2009
From: rpolli at babel.it (Roberto Polli)
Date: Mon, 27 Apr 2009 11:30:05 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3 - logs
In-Reply-To: <49ECEE01.8020905@cora.nwra.com>
References: <49D2D1A0.3070307@redhat.com> <49ECEE01.8020905@cora.nwra.com>
Message-ID: <200904271130.06076.rpolli@babel.it>

On Monday 20 April 2009 23:49:53 Orion Poplawski wrote:
> Better log handling:
>
> - Compress old logs
> - Don't stop working when log volume fills up.
- put logs on another partition ;)

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"The following message contains confidential information. Should you have received this message in error, please kindly notify us by e-mail. We also ask you to destroy the message received in error. The foregoing is requested of you in compliance with the law on the protection of personal data."

From rpolli at babel.it Mon Apr 27 09:45:08 2009
From: rpolli at babel.it (Roberto Polli)
Date: Mon, 27 Apr 2009 11:45:08 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49D2D1A0.3070307@redhat.com>
References: <49D2D1A0.3070307@redhat.com>
Message-ID: <200904271145.09126.rpolli@babel.it>

If I'm late it's good for 1.4 ;)

* the ability to set attribute values using a set of internal functions (eg.
timestamp, incremental log value)
* search in subtrees of a view: when I create a view (eg. a view of domains) I can't search in its subentries (eg. in ou=people,dc=domain)

Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

From booleong at gmail.com Mon Apr 27 15:53:58 2009
From: booleong at gmail.com (Barramundi K)
Date: Mon, 27 Apr 2009 23:53:58 +0800
Subject: [Fedora-directory-users] Fedora DS startup problem
Message-ID: <672fdf7e0904270853j5bf408co5a9acea47d365e24@mail.gmail.com>

> kb9vqf at pearsoncomputing.net wrote:
> Ok - try this - /usr/lib/dirsrv/slapd-yourinstance/start-slapd -d 1
> Thank you for the -d 1 option--dirsrv finally told me what is wrong:
> Error - Problem accessing the lockfile /var/lock/dirsrv/slapd-odin/lock
> [02/Feb/2009:12:56:53 -0600] - Shutting down due to possible conflicts
> with other slapd processes
> Sure beats 8 hours of trial and error...
> Tim

Hi Tim,

So what did you do to solve the lock file access problem?

Thanks a bunch.
Leonard

From jsullivan at opensourcedevel.com Mon Apr 27 21:07:07 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 27 Apr 2009 17:07:07 -0400
Subject: [Fedora-directory-users] shadowLastChange error and Active Directory synchronization
Message-ID: <1240866427.6629.58.camel@jaspav.missionsit.net.missionsit.net>

Hello, all.
I'm seeing a strange problem in our setup to synchronize passwords between Directory Server 8.0 and Active Directory. If I change a user's password from idm-console, the password synchronizes. If I change it from Active Directory, the password synchronizes.

However, if the user changes their own password (they use Ubuntu 8.0.4 KDE desktops), the passwords do not synchronize. We do see an entry in the error log:

Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed

That seemed straightforward so I checked the ACIs and we do allow users to change this attribute:

(targetattr != "nsroledn||aci")
(version 3.0;
acl "Allow self entry modification except for nsroledn and aci attributes";
allow (read,compare,search,write)
(userdn = "ldap:///self")
;)

Any idea why we are receiving these errors? Would this cause password synchronization to fail? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From gholbert at broadcom.com Mon Apr 27 21:15:50 2009
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 27 Apr 2009 14:15:50 -0700
Subject: [Fedora-directory-users] shadowLastChange error and Active Directory synchronization
In-Reply-To: <1240866427.6629.58.camel@jaspav.missionsit.net.missionsit.net>
References: <1240866427.6629.58.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49F62086.40206@broadcom.com>

John A. Sullivan III wrote:
> Hello, all. I'm seeing a strange problem in our setup to synchronize
> passwords between Directory Server 8.0 and Active Directory. If I
> change a user's password from idm-console, the password synchronizes.
> If I change it from Active Directory, the password synchronizes.
>
> However, if the user changes their own password (they use Ubuntu 8.0.4
> KDE desktops), the passwords do not synchronize.
> We do see an entry in
> the error log:
>
> Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
>

Do your account objects have the shadowAccount objectClass?

> That seemed straightforward so I checked the ACIs and we do allow users
> to change this attribute:
>
> (targetattr != "nsroledn||aci")
> (version 3.0;
> acl "Allow self entry modification except for nsroledn and aci
> attributes";
> allow (read,compare,search,write)
> (userdn = "ldap:///self")
> ;)
>
> Any idea why we are receiving these errors? Would this cause password
> synchronization to fail? Thanks - John
>

From jsullivan at opensourcedevel.com Mon Apr 27 21:35:40 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 27 Apr 2009 17:35:40 -0400
Subject: [Fedora-directory-users] shadowLastChange error and Active Directory synchronization
In-Reply-To: <49F62086.40206@broadcom.com>
References: <1240866427.6629.58.camel@jaspav.missionsit.net.missionsit.net> <49F62086.40206@broadcom.com>
Message-ID: <1240868140.6629.60.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2009-04-27 at 14:15 -0700, George Holbert wrote:
> John A. Sullivan III wrote:
> > Hello, all. I'm seeing a strange problem in our setup to synchronize
> > passwords between Directory Server 8.0 and Active Directory. If I
> > change a user's password from idm-console, the password synchronizes.
> > If I change it from Active Directory, the password synchronizes.
> >
> > However, if the user changes their own password (they use Ubuntu 8.0.4
> > KDE desktops), the passwords do not synchronize. We do see an entry in
> > the error log:
> >
> > Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
> >
>
> Do your account objects have the shadowAccount objectClass?

Argh!! Embarrassment, embarrassment. I had checked several and they did . . . except for the one I was testing with! Would that torpedo Windows synchronization?
Thanks - John

> > That seemed straightforward so I checked the ACIs and we do allow users
> > to change this attribute:
> >
> > (targetattr != "nsroledn||aci")
> > (version 3.0;
> > acl "Allow self entry modification except for nsroledn and aci
> > attributes";
> > allow (read,compare,search,write)
> > (userdn = "ldap:///self")
> > ;)
> >
> > Any idea why we are receiving these errors? Would this cause password
> > synchronization to fail? Thanks - John
> >
>

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From gholbert at broadcom.com Mon Apr 27 21:45:26 2009
From: gholbert at broadcom.com (George Holbert)
Date: Mon, 27 Apr 2009 14:45:26 -0700
Subject: [Fedora-directory-users] shadowLastChange error and Active Directory synchronization
In-Reply-To: <1240868140.6629.60.camel@jaspav.missionsit.net.missionsit.net>
References: <1240866427.6629.58.camel@jaspav.missionsit.net.missionsit.net> <49F62086.40206@broadcom.com> <1240868140.6629.60.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49F62776.4090907@broadcom.com>

John A. Sullivan III wrote:
> On Mon, 2009-04-27 at 14:15 -0700, George Holbert wrote:
>
>> John A. Sullivan III wrote:
>>
>>> Hello, all. I'm seeing a strange problem in our setup to synchronize
>>> passwords between Directory Server 8.0 and Active Directory. If I
>>> change a user's password from idm-console, the password synchronizes.
>>> If I change it from Active Directory, the password synchronizes.
>>>
>>> However, if the user changes their own password (they use Ubuntu 8.0.4
>>> KDE desktops), the passwords do not synchronize.
>>> We do see an entry in
>>> the error log:
>>>
>>> Entry "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com" -- attribute "shadowLastChange" not allowed
>>>
>>>
>> Do your account objects have the shadowAccount objectClass?
>>
> Argh!! Embarrassment, embarrassment. I had checked several and they
> did . . . except for the one I was testing with! Would that torpedo
> Windows synchronization? Thanks - John
>

I think it would just torpedo these password changes being accepted by FDS.

If you don't need or use the shadow attributes, then you might look into seeing if your Ubuntu workstations can be configured to not try modifying them as part of password changes... and perhaps also ditching the shadowAccount objectClass altogether on your accounts. My hunch is if you accept password changes from both Windows and Ubuntu, you're not really using shadow attributes (not intentionally, at least).

>>> That seemed straightforward so I checked the ACIs and we do allow users
>>> to change this attribute:
>>>
>>> (targetattr != "nsroledn||aci")
>>> (version 3.0;
>>> acl "Allow self entry modification except for nsroledn and aci
>>> attributes";
>>> allow (read,compare,search,write)
>>> (userdn = "ldap:///self")
>>> ;)
>>>
>>> Any idea why we are receiving these errors? Would this cause password
>>> synchronization to fail? Thanks - John
>>>
>>>
>>

From jsullivan at opensourcedevel.com Mon Apr 27 23:44:03 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 27 Apr 2009 19:44:03 -0400
Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
Message-ID: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. This is a sequel to the last email on this subject now that we've resolved the shadowLastChange problem.
Fixing that problem did not fix the DS 8.0 / AD password synchronization problem. To reiterate, the passwords synchronize if the change is made from idm-console or from AD. But they do not change when our Ubuntu/KDE users change their own passwords. It fails when changed from both the KDE password change interface and using passwd at the command line.

Windows Event Viewer is not giving me any useful information. There is quite a bit of information in the DS logs but I'm not quite sure what they are telling me. I'll post pertinent snippets below (please pardon the left truncation but I'm screen scraping):

icationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49f632dd000000010000 into pending list
icationPlugin - Purged state information from entry uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz up to CSN 49ecf604000200010000
icationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49f632dd000100010000 into pending list
icationPlugin - Purged state information from entry uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz up to CSN 49ecf604000200010000
icationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000100010000
icationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49f632dd000200010000 into pending list
icationPlugin - Purged state information from entry uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz up to CSN 49ecf604000200010000
icationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> wait_for_changes
icationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> ready_to_acquire_replica
(this seemed to happen immediately upon password change and not in the normal five minute sync routine)
. . .
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000200010000
[27/Apr/2009:18:34:05 -0400] - acquire_replica, supplier RUV:
. . .
r/2009:18:34:05 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000000010000
r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 49e5ebb3000000010000
r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
r/2009:18:34:05 -0400] - acquire_replica, consumer RUV:
r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 49e5ebb3000000010000
r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f63084000200010000 49f63084
r/2009:18:34:05 -0400] - acquire_replica, supplier RUV is newer
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Trying secure slapi_ldap_init
NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): binddn = cn=Synch Manager,cn=Users,dc=mycompany,dc=com, passwd = {DES}tOBO
. . .
[27/Apr/2009:18:34:05 -0400] - windows_conn_connect : detected Win2k3 peer
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No linger to cancel on the connection
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: ready_to_acquire_replica -> sending_updates
[27/Apr/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Consumer RUV:
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000
tionPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f63084000200010000 49f63084
[27/Apr/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Supplier RUV:
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000
tionPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session start: anchorcsn=49f63084000200010000
05 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=a0000-0010(EBC)" (timberline:636): CSN 49f63084000200010000 found, position set for replay
05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=1 csn=49f632dd000000010000
8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group)
8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=ssiservices.biz ldap01->ldap02" (ldap02:636): No linger to cancel on the connection
8:34:05 -0400] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn=""
8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_create_remote_entry: Password is already hashed. Not syncing.
**** THIS ENTRY ABOUT NOT SYNCING CERTAINLY JUMPED OUT AT ME BUT I DON'T KNOW WHAT IT MEANS *****
8:34:05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=2 csn=49f632dd000100010000
NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group)
. . .
- windows_search_entry: recieved 2 messages, 1 entries, 0 references
NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn=""
agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=3 csn=49f632dd000200010000
NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group)
. . .
[27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain starting
[27/Apr/2009:18:34:05 -0400] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn=""
- repl5_inc_result_threadmain: read result for message_id 0
[27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 0
. . .
[27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 0
[27/Apr/2009:18:34:05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - clcache_load_buffer: rc=-30989
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No more updates to send (cl5GetNextOperationToReplay)
[27/Apr/2009:18:34:05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session end: state=5 load=1 sent=3 skipped=0
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Beginning linger on the connection
[27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 0
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Linger timeout has expired on the connection
[27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 6
[27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: result 3, 0, 0, 6, (null)
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=ssiservices.biz ldap01->ldap02" (ldap02:636): replay_update: Consumer successfully sent oper
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Disconnected from the consumer
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: sending_updates -> wait_for_changes
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> ready_to_acquire_replica
[27/Apr/2009:18:34:05 -0400] - acquire_replica, supplier RUV:
r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 49e5ebb3000000010000
r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
r/2009:18:34:05 -0400] - acquire_replica, consumer RUV:
r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 49e5ebb3000000010000
r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
r/2009:18:34:05 -0400] NSMMReplicationPlugin - windows_acquire_replica returned consumer_was_uptodate (104)
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: ready_to_acquire_replica -> wait_for_changes
. . . .
r/2009:18:34:05 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000500010000
r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 7
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> wait_for_changes
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> ready_to_acquire_replica
r/2009:18:34:05 -0400] - acquire_replica, supplier RUV:
r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 49e5ebb3000000010000
r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000500010000 49f632dd
r/2009:18:34:05 -0400] - acquire_replica, consumer RUV:
r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 49e5ebb3000000010000
r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
r/2009:18:34:05 -0400] - acquire_replica, supplier RUV is newer
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Trying secure slapi_ldap_init
r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 7
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): binddn = cn=SSI Synchronization Manager,cn=Users,dc=ebc-co,dc=c
r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8
r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: result 3, 0, 0, 8, (null)
r/2009:18:34:05 -0400] - windows_conn_connect : detected Win2k3 peer
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No linger to cancel on the connection
r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8
r/2009:18:34:05 -0400] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: ready_to_acquire_replica -> sending_updates
r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8
r/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Consumer RUV:
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000
r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
r/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Supplier RUV:
r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000
tionPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000500010000 49f632dd
5 -0400] - repl5_inc_result_threadmain: read result for message_id 8
5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session start: anchorcsn=49f632dd000200010000
5 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=a0000-0010(EBC)" (timberline:636): CSN 49f632dd000200010000 found, position set for replay
5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=1 csn=49f632dd000500010000
5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group)
5 -0400] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn=""
5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - clcache_load_buffer: rc=-30989
5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No more updates to send (cl5GetNextOperationToReplay)
5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session end: state=5 load=1 sent=1 skipped=0
5 -0400] - repl5_inc_result_threadmain: read result for message_id 8
5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Beginning linger on the connection
5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: sending_updates -> wait_for_changes
5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Linger timeout has expired on the connection
5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Disconnected from the consumer
5 -0400] - repl5_inc_result_threadmain: read result for message_id 8
5 -0400] - repl5_inc_result_threadmain: read result for message_id 8
5 -0400] - repl5_inc_result_threadmain: read result for message_id 8
5 -0400] - repl5_inc_result_threadmain: read result for message_id 8
6 -0400] - repl5_inc_result_threadmain: read result for message_id 8
6 -0400] - repl5_inc_waitfor_async_results: 8 8
6 -0400] - repl5_inc_result_threadmain: read result for message_id 8
7 -0400] - repl5_inc_result_threadmain exiting
. . . .
27/Apr/2009:18:34:07 -0400] - repl5_inc_waitfor_async_results: 0 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 0
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: result 3, 0, 0, 12, (null)
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:08 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:08 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:08 -0400] - repl5_inc_waitfor_async_results: 12 12
[27/Apr/2009:18:34:08 -0400] - repl5_inc_result_threadmain: read result for message_id 12
[27/Apr/2009:18:34:09 -0400] - repl5_inc_result_threadmain exiting
[27/Apr/2009:18:34:09 -0400] agmt="cn=ssiservices.biz ldap01->ldap02" (ldap02:636) - session end: state=5 load=1 sent=1 skipped=0

Does anyone see the problem? How do I get synchronization working when the users change their own passwords? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Tue Apr 28 01:07:40 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Apr 2009 19:07:40 -0600
Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
In-Reply-To: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net>
References: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49F656DC.5070905@redhat.com>

John A. Sullivan III wrote:
> Hello, all. This is a sequel to the last email on this subject now that
> we've resolved the shadowLastChange problem. Fixing that problem did
> not fix the DS 8.0 / AD password synchronization problem. To reiterate,
> the passwords synchronize if the change is made from idm-console or from
> AD. But they do not change when our Ubuntu/KDE users change their own
> passwords. It fails when changed from both the KDE password change
> interface and using passwd at the command line.
>
Take a look at the directory server access log - I think the change is being rejected before it even gets into the replication code, which is why the error log output below is not too helpful.
> Windows Event Viewer is not giving me any useful information. There is
> quite a bit of information in the DS logs but I'm not quite sure what
> they are telling me.
> I'll post pertinent snippets below (please pardon
> the left truncation but I'm screen scraping):
>
> icationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49f632dd000000010000 into pending list
> icationPlugin - Purged state information from entry uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz up to CSN 49ecf604000200010000
> icationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49f632dd000100010000 into pending list
> icationPlugin - Purged state information from entry uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz up to CSN 49ecf604000200010000
> icationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000100010000
> icationPlugin - ruv_add_csn_inprogress: successfully inserted csn 49f632dd000200010000 into pending list
> icationPlugin - Purged state information from entry uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz up to CSN 49ecf604000200010000
> icationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> wait_for_changes
> icationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> ready_to_acquire_replica
> (this seemed to happen immediately upon password change and not in the normal five minute sync routine)
> . . .
> [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000200010000
> [27/Apr/2009:18:34:05 -0400] - acquire_replica, supplier RUV:
> . . .
> r/2009:18:34:05 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000000010000
> r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 49e5ebb3000000010000
> r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
> r/2009:18:34:05 -0400] - acquire_replica, consumer RUV:
> r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 49e5ebb3000000010000
> r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f63084000200010000 49f63084
> r/2009:18:34:05 -0400] - acquire_replica, supplier RUV is newer
> r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Trying secure slapi_ldap_init
> NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): binddn = cn=Synch Manager,cn=Users,dc=mycompany,dc=com, passwd = {DES}tOBO
> . . .
> [27/Apr/2009:18:34:05 -0400] - windows_conn_connect : detected Win2k3 peer
> [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No linger to cancel on the connection
> [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - windows_acquire_replica returned success (101)
> [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: ready_to_acquire_replica -> sending_updates
> [27/Apr/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Consumer RUV:
> [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000
> tionPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f63084000200010000 49f63084
> [27/Apr/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Supplier RUV:
> [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000
> tionPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd
> 05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session start: anchorcsn=49f63084000200010000
> 05 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=a0000-0010(EBC)" (timberline:636): CSN 49f63084000200010000 found, position set for replay
> 05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=1 csn=49f632dd000000010000
> 8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group)
> 8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=ssiservices.biz ldap01->ldap02" (ldap02:636): No linger to
cancel on the connection > 8:34:05 -0400] - windows_search_entry: recieved 2 messages, 1 entries, 0 references > 8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn="" > 8:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_create_remote_entry: Password is already hashed. Not syncing. > **** THIS ENTRY ABOUT NOT SYNCING CERTAINLY JUMPED OUT AT ME BUT I DON'T KNOW WHAT IT MEANS ***** > 8:34:05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=2 csn=49f632dd000100010000 > NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group) > . > . > . > - windows_search_entry: recieved 2 messages, 1 entries, 0 references > NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn="" > agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=3 csn=49f632dd000200010000 > NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group) > . > . > . 
> [27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain starting > [27/Apr/2009:18:34:05 -0400] - windows_search_entry: recieved 2 messages, 1 entries, 0 references > NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn="" > - repl5_inc_result_threadmain: read result for message_id 0 > [27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 0 > . > . > . > [27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 0 > [27/Apr/2009:18:34:05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - clcache_load_buffer: rc=-30989 > [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No more updates to send (cl5GetNextOperationToReplay) > [27/Apr/2009:18:34:05 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session end: state=5 load=1 sent=3 skipped=0 > [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Beginning linger on the connection > [27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 0 > [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Linger timeout has expired on the connection > [27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 6 > [27/Apr/2009:18:34:05 -0400] - repl5_inc_result_threadmain: result 3, 0, 0, 6, (null) > [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=ssiservices.biz ldap01->ldap02" (ldap02:636): replay_update: Consumer successfully sent oper > [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Disconnected from the consumer > [27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: sending_updates -> wait_for_changes > 
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> ready_to_acquire_replica > [27/Apr/2009:18:34:05 -0400] - acquire_replica, supplier RUV: > r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 49e5ebb3000000010000 > r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd > r/2009:18:34:05 -0400] - acquire_replica, consumer RUV: > r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 49e5ebb3000000010000 > r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd > r/2009:18:34:05 -0400] NSMMReplicationPlugin - windows_acquire_replica returned consumer_was_uptodate (104) > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: ready_to_acquire_replica -> wait_for_changes > . > . > . > . 
> r/2009:18:34:05 -0400] NSMMReplicationPlugin - ruv_update_ruv: successfully committed csn 49f632dd000500010000 > r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 7 > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> wait_for_changes > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: wait_for_changes -> ready_to_acquire_replica > r/2009:18:34:05 -0400] - acquire_replica, supplier RUV: > r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replicageneration} 49e5ebb3000000010000 > r/2009:18:34:05 -0400] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000500010000 49f632dd > r/2009:18:34:05 -0400] - acquire_replica, consumer RUV: > r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replicageneration} 49e5ebb3000000010000 > r/2009:18:34:05 -0400] NSMMReplicationPlugin - consumer: {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd > r/2009:18:34:05 -0400] - acquire_replica, supplier RUV is newer > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Trying secure slapi_ldap_init > r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 7 > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): binddn = cn=SSI Synchronization Manager,cn=Users,dc=ebc-co,dc=c > r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: result 3, 0, 0, 8, (null) > r/2009:18:34:05 -0400] - windows_conn_connect : detected Win2k3 peer > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No linger to cancel on the connection > r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 
r/2009:18:34:05 -0400] NSMMReplicationPlugin - windows_acquire_replica returned success (101) > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: ready_to_acquire_replica -> sending_updates > r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > r/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Consumer RUV: > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000 > r/2009:18:34:05 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000200010000 49f632dd > r/2009:18:34:05 -0400] - _cl5PositionCursorForReplay (agmt="cn=a0000-0010(EBC)" (timberline:636)): Supplier RUV: > r/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replicageneration} 49e5ebb3000000010000 > tionPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): {replica 1 ldap://ldap01.ssiservices.biz:389} 49e70122000000010000 49f632dd000500010000 49f632dd > 5 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session start: anchorcsn=49f632dd000200010000 > 5 -0400] NSMMReplicationPlugin - changelog program - agmt="cn=a0000-0010(EBC)" (timberline:636): CSN 49f632dd000200010000 found, position set for replay > 5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - load=1 rec=1 csn=49f632dd000500010000 > 5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Looking at modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" (ours,user,not group) > 5 -0400] - windows_search_entry: recieved 2 messages, 1 entries, 0 references > 5 -0400] 
NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn="" > 5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - clcache_load_buffer: rc=-30989 > 5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): No more updates to send (cl5GetNextOperationToReplay) > 5 -0400] agmt="cn=a0000-0010(EBC)" (timberline:636) - session end: state=5 load=1 sent=1 skipped=0 > 5 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Beginning linger on the connection > 5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): State: sending_updates -> wait_for_changes > 5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Linger timeout has expired on the connection > 5 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): Disconnected from the consumer > 5 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 5 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 5 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 5 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 6 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 6 -0400] - repl5_inc_waitfor_async_results: 8 8 > 6 -0400] - repl5_inc_result_threadmain: read result for message_id 8 > 7 -0400] - repl5_inc_result_threadmain exiting > . > . > . > . 
> 27/Apr/2009:18:34:07 -0400] - repl5_inc_waitfor_async_results: 0 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 0
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: result 3, 0, 0, 12, (null)
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:07 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:08 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:08 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:08 -0400] - repl5_inc_waitfor_async_results: 12 12
> [27/Apr/2009:18:34:08 -0400] - repl5_inc_result_threadmain: read result for message_id 12
> [27/Apr/2009:18:34:09 -0400] - repl5_inc_result_threadmain exiting
> [27/Apr/2009:18:34:09 -0400] agmt="cn=ssiservices.biz ldap01->ldap02" (ldap02:636) - session end: state=5 load=1 sent=1 skipped=0
>
> Does anyone see the problem? How do I get synchronization working when
> the users change their own passwords? Thanks - John
>
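Rich's advice in this message is to check the access log for a rejection before the change ever reaches the replication code. The Python below is an added example for this thread, not code from the thread or from the Fedora/389 Directory Server project. It runs that check over access-log lines in the format John posts later in the thread (pairing each MOD with its RESULT, so err and csn can be read off per operation), and goes further than Rich's message: it also classifies the userPassword value recorded in the audit log by hash scheme, which is the SSHA-versus-crypt distinction the thread arrives at, and it looks for the error-log line in which winsync says it is not syncing an already-hashed password. All sample log text is constructed from the lines quoted in the thread; the rejected MOD on conn=361 and the audit-log timestamps are invented for illustration. The `server_scheme="SSHA"` parameter is an assumption about the configured passwordStorageScheme, and the verdict that a value stored in any other scheme arrived pre-hashed from the client follows from Rich's explanation that winsync needs the clear-text password.

```python
"""Diagnose why a user-initiated password change did not reach AD via winsync.

Added example for this thread, not code from the Fedora/389 Directory Server
project.  Three checks, matching the thread's diagnostic steps:
  1. access log: was the MOD accepted (err=0) and assigned a CSN?
  2. audit log: is the stored userPassword in the server's own scheme (hashed
     by the server from clear text) or in another scheme (client-supplied
     hash, which winsync cannot forward)?  Assumption: server_scheme is the
     configured passwordStorageScheme.
  3. error log: did winsync log "Password is already hashed. Not syncing."?
Sample log text is constructed from the thread; conn=361 and the audit-log
timestamps are invented.
"""
import re

ACCESS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SCHEME_RE = re.compile(r"^\{([^}]+)\}")
LOCAL_DN_RE = re.compile(r'windows_replay_update: .*local dn="([^"]+)"')


def correlate_access(lines):
    """Pair each access-log request line with its RESULT line, keyed by (conn, op)."""
    ops = {}
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:  # connection open/close and SSL lines carry no op= field
            continue
        key = (int(m["conn"]), int(m["op"]))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        rec = ops.setdefault(key, {"kind": None, "dn": None, "err": None, "csn": None})
        if m["kind"] == "RESULT":
            rec["err"] = int(fields.get("err", -1))
            rec["csn"] = fields.get("csn")
        else:
            rec["kind"] = m["kind"]
            rec["dn"] = fields.get("dn")
    return ops


def mod_outcomes(lines):
    """(conn, op, dn, err, csn) for every MOD; err=0 plus a CSN means the change
    was accepted and written to the changelog, so it was not an ACI rejection."""
    return sorted(
        (c, o, r["dn"], r["err"], r["csn"])
        for (c, o), r in correlate_access(lines).items()
        if r["kind"] == "MOD"
    )


def audit_password_changes(text, server_scheme="SSHA"):
    """(dn, scheme, verdict) for each 'replace: userPassword' in audit-log text
    (LDIF-style records separated by blank lines)."""
    out = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        dn = next((l[4:] for l in lines if l.startswith("dn: ")), None)
        for i, l in enumerate(lines):
            if l.strip() == "replace: userPassword" and i + 1 < len(lines):
                value = lines[i + 1].split(":", 1)[1].strip()
                m = SCHEME_RE.match(value)
                scheme = m.group(1).upper() if m else None
                if scheme is None:
                    verdict = "stored in clear text"
                elif scheme == server_scheme.upper():
                    verdict = "hashed by server: clear text arrived, winsync can forward it"
                else:
                    verdict = "pre-hashed by client: winsync cannot forward it"
                out.append((dn, scheme, verdict))
    return out


def winsync_skips(lines):
    """Local DNs for which winsync logged that it refused to sync a hashed password."""
    skipped, last_dn = [], None
    for line in lines:
        m = LOCAL_DN_RE.search(line)
        if m:
            last_dn = m.group(1)
        elif "Password is already hashed. Not syncing." in line and last_dn:
            skipped.append(last_dn)
    return skipped


# Constructed samples (conn=359 as posted in the thread; conn=361 invented).
ACCESS_SAMPLE = """\
[27/Apr/2009:21:43:50 -0400] conn=359 SSL 256-bit AES
[27/Apr/2009:21:43:50 -0400] conn=359 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
[27/Apr/2009:21:43:50 -0400] conn=359 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[27/Apr/2009:21:43:50 -0400] conn=359 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz"
[27/Apr/2009:21:43:50 -0400] conn=359 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f56000000010000
[27/Apr/2009:21:43:50 -0400] conn=359 op=3 fd=66 closed - U1
[27/Apr/2009:21:44:10 -0400] conn=361 op=1 BIND dn="uid=other,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
[27/Apr/2009:21:44:10 -0400] conn=361 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[27/Apr/2009:21:44:10 -0400] conn=361 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz"
[27/Apr/2009:21:44:10 -0400] conn=361 op=2 RESULT err=50 tag=103 nentries=0 etime=0
"""
AUDIT_SAMPLE = """\
time: 20090428110000
dn: uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz
changetype: modify
replace: userPassword
userPassword: {SSHA}7HPjLII39xB1e9thS1El28NXGPiootUlbqhn+g==
-

time: 20090428110100
dn: uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz
changetype: modify
replace: userPassword
userPassword: {crypt}$1$bY3o6YfX$HubSLAtZfgY65mx942Xm41
-
"""
ERROR_SAMPLE = """\
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_replay_update: Processing modify operation local dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=biz" remote dn=""
[27/Apr/2009:18:34:05 -0400] NSMMReplicationPlugin - agmt="cn=a0000-0010(EBC)" (timberline:636): windows_create_remote_entry: Password is already hashed. Not syncing.
"""

if __name__ == "__main__":
    for row in mod_outcomes(ACCESS_SAMPLE.splitlines()):
        print("MOD", row)
    for row in audit_password_changes(AUDIT_SAMPLE):
        print("audit", row)
    print("winsync skipped:", winsync_skips(ERROR_SAMPLE.splitlines()))
```

Run against real logs, feed each function the corresponding file's lines. A MOD with err=0 and a csn, an audit entry in a scheme other than the server's, and a "Not syncing" line for the same DN together point at the client-side password hashing rather than at access control.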
From jsullivan at opensourcedevel.com Tue Apr 28 01:17:55 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 27 Apr 2009 21:17:55 -0400
Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
In-Reply-To: <49F656DC.5070905@redhat.com>
References: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net> <49F656DC.5070905@redhat.com>
Message-ID: <1240881475.6629.131.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2009-04-27 at 19:07 -0600, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > Hello, all. This is a sequel to the last email on this subject now that
> > we've resolved the shadowLastChange problem. Fixing that problem did
> > not fix the DS 8.0 / AD password synchronization problem. To reiterate,
> > the passwords synchronize if the change is made from idm-console or from
> > AD. But they do not change when our Ubuntu/KDE users change their own
> > passwords. It fails when changed from both the KDE password change
> > interface and using passwd at the command line.
> >
> Take a look at the directory server access log - I think the change is
> being rejected before it even gets into the replication code, which is
> why the error log output below is not too helpful.

Ah, I forgot to mention that the password change is successful in DS. It just doesn't synchronize. Would that be the case if there was an access failure? I'll enable the access logs and give it a check - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Tue Apr 28 01:52:58 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 27 Apr 2009 21:52:58 -0400
Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
In-Reply-To: <1240881475.6629.131.camel@jaspav.missionsit.net.missionsit.net>
References: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net> <49F656DC.5070905@redhat.com> <1240881475.6629.131.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1240883578.6629.145.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2009-04-27 at 21:17 -0400, John A. Sullivan III wrote:
> On Mon, 2009-04-27 at 19:07 -0600, Rich Megginson wrote:
> > John A. Sullivan III wrote:
> > > Hello, all. This is a sequel to the last email on this subject now that
> > > we've resolved the shadowLastChange problem. Fixing that problem did
> > > not fix the DS 8.0 / AD password synchronization problem. To reiterate,
> > > the passwords synchronize if the change is made from idm-console or from
> > > AD. But they do not change when our Ubuntu/KDE users change their own
> > > passwords. It fails when changed from both the KDE password change
> > > interface and using passwd at the command line.
> > >
> > Take a look at the directory server access log - I think the change is
> > being rejected before it even gets into the replication code, which is
> > why the error log output below is not too helpful.
>
> Ah, I forgot to mention that the password change is successful in DS.
> It just doesn't synchronize. Would that be the case if there was an
> access failure? I'll enable the access logs and give it a check - John

Oops! I forgot to mention that we had enabled the access logs and followed them in case the change was being made by some ID other than the user but the access logs look fine as far as we can tell.
Here is what we see:

[27/Apr/2009:21:43:50 -0400] conn=359 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48
[27/Apr/2009:21:43:50 -0400] conn=359 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[27/Apr/2009:21:43:50 -0400] conn=359 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[27/Apr/2009:21:43:50 -0400] conn=359 SSL 256-bit AES
[27/Apr/2009:21:43:50 -0400] conn=359 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
[27/Apr/2009:21:43:50 -0400] conn=359 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b
[27/Apr/2009:21:43:50 -0400] conn=359 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz"
[27/Apr/2009:21:43:50 -0400] conn=359 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f56000000010000
[27/Apr/2009:21:43:50 -0400] conn=359 op=3 UNBIND
[27/Apr/2009:21:43:50 -0400] conn=359 op=3 fd=66 closed - U1
[27/Apr/2009:21:43:51 -0400] conn=360 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48
[27/Apr/2009:21:43:51 -0400] conn=360 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[27/Apr/2009:21:43:51 -0400] conn=360 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[27/Apr/2009:21:43:51 -0400] conn=360 SSL 256-bit AES
[27/Apr/2009:21:43:51 -0400] conn=360 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
[27/Apr/2009:21:43:51 -0400] conn=360 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b
[27/Apr/2009:21:43:51 -0400] conn=360 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz"
[27/Apr/2009:21:43:51 -0400] conn=360 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f57000000010000
[27/Apr/2009:21:43:51 -0400] conn=360 op=3 UNBIND
[27/Apr/2009:21:43:51 -0400] conn=360 op=3 fd=66 closed - U1

I'm assuming this shows success and an entry into the Change log. Is that correct?
If so, where do we look next to solve this problem? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Tue Apr 28 14:05:00 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 28 Apr 2009 08:05:00 -0600
Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
In-Reply-To: <1240883578.6629.145.camel@jaspav.missionsit.net.missionsit.net>
References: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net> <49F656DC.5070905@redhat.com> <1240881475.6629.131.camel@jaspav.missionsit.net.missionsit.net> <1240883578.6629.145.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49F70D0C.3010503@redhat.com>

John A. Sullivan III wrote:
> On Mon, 2009-04-27 at 21:17 -0400, John A. Sullivan III wrote:
>
>> On Mon, 2009-04-27 at 19:07 -0600, Rich Megginson wrote:
>>
>>> John A. Sullivan III wrote:
>>>
>>>> Hello, all. This is a sequel to the last email on this subject now that
>>>> we've resolved the shadowLastChange problem. Fixing that problem did
>>>> not fix the DS 8.0 / AD password synchronization problem. To reiterate,
>>>> the passwords synchronize if the change is made from idm-console or from
>>>> AD. But they do not change when our Ubuntu/KDE users change their own
>>>> passwords. It fails when changed from both the KDE password change
>>>> interface and using passwd at the command line.
>>>>
>>>>
>>> Take a look at the directory server access log - I think the change is
>>> being rejected before it even gets into the replication code, which is
>>> why the error log output below is not too helpful.
>>>
>>
>> Ah, I forgot to mention that the password change is successful in DS.
>> It just doesn't synchronize. Would that be the case if there was an
>> access failure?
I'll enable the access logs and give it a check - John >> > Oops! I forgot to mention that we had enabled the access logs and > followed them in case the change was being made by some ID other than > the user but the access logs look fine as far as we can tell. Here is > what we see: > > [27/Apr/2009:21:43:50 -0400] conn=359 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 > [27/Apr/2009:21:43:50 -0400] conn=359 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" > [27/Apr/2009:21:43:50 -0400] conn=359 op=0 RESULT err=0 tag=120 nentries=0 etime=0 > [27/Apr/2009:21:43:50 -0400] conn=359 SSL 256-bit AES > [27/Apr/2009:21:43:50 -0400] conn=359 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3 > [27/Apr/2009:21:43:50 -0400] conn=359 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b > [27/Apr/2009:21:43:50 -0400] conn=359 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" > [27/Apr/2009:21:43:50 -0400] conn=359 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f56000000010000 > [27/Apr/2009:21:43:50 -0400] conn=359 op=3 UNBIND > [27/Apr/2009:21:43:50 -0400] conn=359 op=3 fd=66 closed - U1 > [27/Apr/2009:21:43:51 -0400] conn=360 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 > [27/Apr/2009:21:43:51 -0400] conn=360 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" > [27/Apr/2009:21:43:51 -0400] conn=360 op=0 RESULT err=0 tag=120 nentries=0 etime=0 > [27/Apr/2009:21:43:51 -0400] conn=360 SSL 256-bit AES > [27/Apr/2009:21:43:51 -0400] conn=360 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3 > [27/Apr/2009:21:43:51 -0400] conn=360 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b > [27/Apr/2009:21:43:51 -0400] conn=360 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" > 
[27/Apr/2009:21:43:51 -0400] conn=360 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f57000000010000
> [27/Apr/2009:21:43:51 -0400] conn=360 op=3 UNBIND
> [27/Apr/2009:21:43:51 -0400] conn=360 op=3 fd=66 closed - U1
>
> I'm assuming this shows success and an entry into the Change log. Is
> that correct? If so, where do we look next to solve this problem? Thanks
> - John
>
I suppose you could try to enable the audit log - see what attribute it is modifying, and what value. nss_ldap/pam_ldap (e.g. the interface that the passwd command uses) can be configured to store a pre-hashed password which will not work with winsync. You must have the clear text password in order to sync it to AD.

From jsullivan at opensourcedevel.com Tue Apr 28 15:16:40 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 28 Apr 2009 11:16:40 -0400
Subject: [Fedora-directory-users] Storing email distribution lists in DS
Message-ID: <1240931800.6629.166.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. A bunch of tired googling hasn't quite given us what we need so I thought I'd ask the list. Is there a way to store email distribution lists in DS?

We are in the midst of integrating DS and Zimbra. We elected to not use DS as the LDAP store for Zimbra despite the excellent community contributions to make it possible. We did this in case a future upgrade to Zimbra makes major schema changes which could potentially break our setup. Instead, we opted to use DS as an external LDAP authentication source and GAL for Zimbra. This is working very nicely but we've hit a bit of a wall with distribution lists. We don't want to store them in Zimbra because they do not show up in our exclusively external GAL but we do not know how to store them in DS.
The groupofmailenhanceduniquenames looks interesting but is apparently reserved for future use. mailgroup looks useful but we are not sure how to use it. It looks like an object class which is added to a user object and not a group object. Can anyone point us in the right direction? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Tue Apr 28 15:24:29 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 28 Apr 2009 11:24:29 -0400
Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
In-Reply-To: <49F70D0C.3010503@redhat.com>
References: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net> <49F656DC.5070905@redhat.com> <1240881475.6629.131.camel@jaspav.missionsit.net.missionsit.net> <1240883578.6629.145.camel@jaspav.missionsit.net.missionsit.net> <49F70D0C.3010503@redhat.com>
Message-ID: <1240932269.6629.172.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2009-04-28 at 08:05 -0600, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > On Mon, 2009-04-27 at 21:17 -0400, John A. Sullivan III wrote:
> >
> >> On Mon, 2009-04-27 at 19:07 -0600, Rich Megginson wrote:
> >>
> >>> John A. Sullivan III wrote:
> >>>
> >>>> Hello, all. This is a sequel to the last email on this subject now that
> >>>> we've resolved the shadowLastChange problem. Fixing that problem did
> >>>> not fix the DS 8.0 / AD password synchronization problem. To reiterate,
> >>>> the passwords synchronize if the change is made from idm-console or from
> >>>> AD. But they do not change when our Ubuntu/KDE users change their own
> >>>> passwords. It fails when changed from both the KDE password change
> >>>> interface and using passwd at the command line.
> >>>> > >>>> > >>> Take a look at the directory server access log - I think the change is > >>> being rejected before it even gets into the replication code, which is > >>> why the error log output below is not too helpful. > >>> > >> > >> Ah, I forgot to mention that the password change is successful in DS. > >> It just doesn't synchronize. Would that be the case if there was an > >> access failure? I'll enable the access logs and give it a check - John > >> > > Oops! I forgot to mention that we had enabled the access logs and > > followed them in case the change was being made by some ID other than > > the user but the access logs look fine as far as we can tell. Here is > > what we see: > > > > [27/Apr/2009:21:43:50 -0400] conn=359 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 > > [27/Apr/2009:21:43:50 -0400] conn=359 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" > > [27/Apr/2009:21:43:50 -0400] conn=359 op=0 RESULT err=0 tag=120 nentries=0 etime=0 > > [27/Apr/2009:21:43:50 -0400] conn=359 SSL 256-bit AES > > [27/Apr/2009:21:43:50 -0400] conn=359 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3 > > [27/Apr/2009:21:43:50 -0400] conn=359 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b > > [27/Apr/2009:21:43:50 -0400] conn=359 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" > > [27/Apr/2009:21:43:50 -0400] conn=359 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f56000000010000 > > [27/Apr/2009:21:43:50 -0400] conn=359 op=3 UNBIND > > [27/Apr/2009:21:43:50 -0400] conn=359 op=3 fd=66 closed - U1 > > [27/Apr/2009:21:43:51 -0400] conn=360 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 > > [27/Apr/2009:21:43:51 -0400] conn=360 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" > > [27/Apr/2009:21:43:51 -0400] conn=360 op=0 RESULT err=0 tag=120 nentries=0 etime=0 > > 
[27/Apr/2009:21:43:51 -0400] conn=360 SSL 256-bit AES
> > [27/Apr/2009:21:43:51 -0400] conn=360 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
> > [27/Apr/2009:21:43:51 -0400] conn=360 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b
> > [27/Apr/2009:21:43:51 -0400] conn=360 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz"
> > [27/Apr/2009:21:43:51 -0400] conn=360 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f57000000010000
> > [27/Apr/2009:21:43:51 -0400] conn=360 op=3 UNBIND
> > [27/Apr/2009:21:43:51 -0400] conn=360 op=3 fd=66 closed - U1
> >
> > I'm assuming this shows success and an entry into the Change log. Is
> > that correct? If so, where do we look next to solve this problem? Thanks
> > - John
> >
> I suppose you could try to enable the audit log - see what attribute it
> is modifying, and what value. nss_ldap/pam_ldap (e.g. the interface
> that the passwd command uses) can be configured to store a pre-hashed
> password which will not work with winsync. You must have the clear text
> password in order to sync it to AD.

Thankfully, we do have audit logging enabled and I do see a difference. When the admin changes the password, we see:

replace: userPassword
userPassword: {SSHA}7HPjLII39xB1e9thS1El28NXGPiootUlbqhn+g==

and when the user changes the password, we see:

replace: userPassword
userPassword: {crypt}$1$bY3o6YfX$HubSLAtZfgY65mx942Xm41

I am guessing that is what you are referring to. I'll take a look and see if I can figure out how to change pam_ldap to handle it differently. Would anyone know off-hand what needs to be done? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Tue Apr 28 16:19:52 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 28 Apr 2009 12:19:52 -0400
Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes
In-Reply-To: <49F70D0C.3010503@redhat.com>
References: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net> <49F656DC.5070905@redhat.com> <1240881475.6629.131.camel@jaspav.missionsit.net.missionsit.net> <1240883578.6629.145.camel@jaspav.missionsit.net.missionsit.net> <49F70D0C.3010503@redhat.com>
Message-ID: <1240935592.6629.178.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2009-04-28 at 08:05 -0600, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > On Mon, 2009-04-27 at 21:17 -0400, John A. Sullivan III wrote:
> >
> >> On Mon, 2009-04-27 at 19:07 -0600, Rich Megginson wrote:
> >>
> >>> John A. Sullivan III wrote:
> >>>
> >>>> Hello, all. This is a sequel to the last email on this subject now that
> >>>> we've resolved the shadowLastChange problem. Fixing that problem did
> >>>> not fix the DS 8.0 / AD password synchronization problem. To reiterate,
> >>>> the passwords synchronize if the change is made from idm-console or from
> >>>> AD. But they do not change when our Ubuntu/KDE users change their own
> >>>> passwords. It fails when changed from both the KDE password change
> >>>> interface and using passwd at the command line.
> >>>>
> >>>>
> >>> Take a look at the directory server access log - I think the change is
> >>> being rejected before it even gets into the replication code, which is
> >>> why the error log output below is not too helpful.
> >>>
> >>
> >> Ah, I forgot to mention that the password change is successful in DS.
> >> It just doesn't synchronize.
Would that be the case if there was an > >> access failure? I'll enable the access logs and give it a check - John > >> > > Oops! I forgot to mention that we had enabled the access logs and > > followed them in case the change was being made by some ID other than > > the user but the access logs look fine as far as we can tell. Here is > > what we see: > > > > [27/Apr/2009:21:43:50 -0400] conn=359 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 > > [27/Apr/2009:21:43:50 -0400] conn=359 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" > > [27/Apr/2009:21:43:50 -0400] conn=359 op=0 RESULT err=0 tag=120 nentries=0 etime=0 > > [27/Apr/2009:21:43:50 -0400] conn=359 SSL 256-bit AES > > [27/Apr/2009:21:43:50 -0400] conn=359 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3 > > [27/Apr/2009:21:43:50 -0400] conn=359 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b > > [27/Apr/2009:21:43:50 -0400] conn=359 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" > > [27/Apr/2009:21:43:50 -0400] conn=359 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f56000000010000 > > [27/Apr/2009:21:43:50 -0400] conn=359 op=3 UNBIND > > [27/Apr/2009:21:43:50 -0400] conn=359 op=3 fd=66 closed - U1 > > [27/Apr/2009:21:43:51 -0400] conn=360 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 > > [27/Apr/2009:21:43:51 -0400] conn=360 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" > > [27/Apr/2009:21:43:51 -0400] conn=360 op=0 RESULT err=0 tag=120 nentries=0 etime=0 > > [27/Apr/2009:21:43:51 -0400] conn=360 SSL 256-bit AES > > [27/Apr/2009:21:43:51 -0400] conn=360 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3 > > [27/Apr/2009:21:43:51 -0400] conn=360 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b > > 
[27/Apr/2009:21:43:51 -0400] conn=360 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" > > [27/Apr/2009:21:43:51 -0400] conn=360 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f57000000010000 > > [27/Apr/2009:21:43:51 -0400] conn=360 op=3 UNBIND > > [27/Apr/2009:21:43:51 -0400] conn=360 op=3 fd=66 closed - U1 > > > > I'm assuming this shows success and an entry into the Change log. Is > > that correct? If so, where do we look next to solve this problem? Thanks > > - John > > > I suppose you could try to enable the audit log - see what attribute it > is modifying, and what value. nss_ldap/pam_ldap (e.g. the interface > that the passwd command uses) can be configured to store a pre-hashed > password which will not work with winsync. You must have the clear text > password in order to sync it to AD. That was it. Ubuntu defaulted to pam_password md5 in /etc/ldap.conf. I changed this to pam_password clear and it worked. Am I correct to assume this is safe as long and only as long as I am using tls to encrypt the communication between the client and the ldap server? Thanks - John -- John A. 
Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From rmeggins at redhat.com Tue Apr 28 16:24:08 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 28 Apr 2009 10:24:08 -0600 Subject: [Fedora-directory-users] Active Directory PW sync works for console but not user initiated PW changes In-Reply-To: <1240935592.6629.178.camel@jaspav.missionsit.net.missionsit.net> References: <1240875843.6629.117.camel@jaspav.missionsit.net.missionsit.net> <49F656DC.5070905@redhat.com> <1240881475.6629.131.camel@jaspav.missionsit.net.missionsit.net> <1240883578.6629.145.camel@jaspav.missionsit.net.missionsit.net> <49F70D0C.3010503@redhat.com> <1240935592.6629.178.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <49F72DA8.7080808@redhat.com> John A. Sullivan III wrote: > On Tue, 2009-04-28 at 08:05 -0600, Rich Megginson wrote: > >> John A. Sullivan III wrote: >> >>> On Mon, 2009-04-27 at 21:17 -0400, John A. Sullivan III wrote: >>> >>> >>>> On Mon, 2009-04-27 at 19:07 -0600, Rich Megginson wrote: >>>> >>>> >>>>> John A. Sullivan III wrote: >>>>> >>>>> >>>>>> Hello, all. This is a sequel to the last email on this subject now that >>>>>> we've resolved the shadowLastChange problem. Fixing that problem did >>>>>> not fix the DS 8.0 / AD password synchronization problem. To reiterate, >>>>>> the passwords synchronize if the change is made from idm-console or from >>>>>> AD. But they do not change when our Ubuntu/KDE users change their own >>>>>> passwords. It fails when changed from both the KDE password change >>>>>> interface and using passwd at the command line. >>>>>> >>>>>> >>>>>> >>>>> Take a look at the directory server access log - I think the change is >>>>> being rejected before it even gets into the replication code, which is >>>>> why the error log output below is not too helpful. 
>>>>> >>>>> >>>> >>>> Ah, I forgot to mention that the password change is successful in DS. >>>> It just doesn't synchronize. Would that be the case if there was an >>>> access failure? I'll enable the access logs and give it a check - John >>>> >>>> >>> Oops! I forgot to mention that we had enabled the access logs and >>> followed them in case the change was being made by some ID other than >>> the user but the access logs look fine as far as we can tell. Here is >>> what we see: >>> >>> [27/Apr/2009:21:43:50 -0400] conn=359 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=0 RESULT err=0 tag=120 nentries=0 etime=0 >>> [27/Apr/2009:21:43:50 -0400] conn=359 SSL 256-bit AES >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3 >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f56000000010000 >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=3 UNBIND >>> [27/Apr/2009:21:43:50 -0400] conn=359 op=3 fd=66 closed - U1 >>> [27/Apr/2009:21:43:51 -0400] conn=360 fd=66 slot=66 connection from 172.29.32.12 to 172.30.10.48 >>> [27/Apr/2009:21:43:51 -0400] conn=360 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" >>> [27/Apr/2009:21:43:51 -0400] conn=360 op=0 RESULT err=0 tag=120 nentries=0 etime=0 >>> [27/Apr/2009:21:43:51 -0400] conn=360 SSL 256-bit AES >>> [27/Apr/2009:21:43:51 -0400] conn=360 op=1 BIND dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" method=128 version=3 >>> [27/Apr/2009:21:43:51 -0400] 
conn=360 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=mlap,ou=desks,o=a0000-0010,o=internal,dc=ssiservices,dc=b >>> [27/Apr/2009:21:43:51 -0400] conn=360 op=2 MOD dn="uid=mlap,ou=Desks,o=a0000-0010,o=Internal,dc=ssiservices,dc=biz" >>> [27/Apr/2009:21:43:51 -0400] conn=360 op=2 RESULT err=0 tag=103 nentries=0 etime=0 csn=49f65f57000000010000 >>> [27/Apr/2009:21:43:51 -0400] conn=360 op=3 UNBIND >>> [27/Apr/2009:21:43:51 -0400] conn=360 op=3 fd=66 closed - U1 >>> >>> I'm assuming this shows success and an entry into the Change log. Is >>> that correct? If so, where do we look next to solve this problem? Thanks >>> - John >>> >>> >> I suppose you could try to enable the audit log - see what attribute it >> is modifying, and what value. nss_ldap/pam_ldap (e.g. the interface >> that the passwd command uses) can be configured to store a pre-hashed >> password which will not work with winsync. You must have the clear text >> password in order to sync it to AD. >> > > That was it. Ubuntu defaulted to pam_password md5 in /etc/ldap.conf. I > changed this to pam_password clear and it worked. Am I correct to > assume this is safe as long and only as long as I am using tls to > encrypt the communication between the client and the ldap server? Thanks > Yes. > - John > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From james.chavez at sanmina-sci.com Wed Apr 29 00:06:19 2009 From: james.chavez at sanmina-sci.com (James Chavez) Date: Tue, 28 Apr 2009 17:06:19 -0700 Subject: [Fedora-directory-users] Unknown attribute nsslapd-ldapiautonsuffix will be ignored Message-ID: Hello list, I upgraded my FDS install (yum upgrade fedora-ds, yum upggrade fedora-ds-base etc..) on one of my boxes and the directory restarts fine. However I receive the following messages in the error log. 
I am hoping that someone has seen this message before and can decipher it for me. The entry exists in the dse file so I figure it is some new configuration parameter as it is new since upgrade. I tried Google before the list and nothing turned up. config - Unknown attribute nsslapd-*ldapiautonsuffix* will be ignored Here is what I have installed. fedora-ds-base-1.2.0-3.fc9.i386 fedora-ds-admin-1.1.7-3.fc9.i386 fedora-ds-1.1.3-1.fc9.noarch fedora-ds-dsgw-1.1.2-1.fc9.i386 fedora-ds-admin-console-1.1.3-1.fc9.noarch fedora-ds-console-1.2.0-1.fc9.noarch Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From orion at cora.nwra.com Wed Apr 29 19:22:17 2009 From: orion at cora.nwra.com (Orion Poplawski) Date: Wed, 29 Apr 2009 13:22:17 -0600 Subject: [Fedora-directory-users] Allow root to change user's passwords In-Reply-To: <4941A48F.2050604@cora.nwra.com> References: <4941A48F.2050604@cora.nwra.com> Message-ID: <49F8A8E9.4080901@cora.nwra.com> Orion Poplawski wrote: > I'm used to being able to change user's passwords as root using the > "passwd" command on my main server (this was with NIS and the master > shadow file kept on the server). Now with FDS, I get: > > # passwd orion > Changing password for user orion. > Enter login(LDAP) password: > > and I must enter the password for the user "orion". This gets tricky > when the user has forgotten their password. > > Is there a way to avoid this first check and allow root to force a > change of the password? > The answer is to set rootbinddn in /etc/ldap.conf and put the directory manager password into /etc/ldap.secret. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From goni at selimins.co.kr Thu Apr 30 07:53:40 2009 From: goni at selimins.co.kr (=?ks_c_5601-1987?B?sejBpLDv?=) Date: Thu, 30 Apr 2009 16:53:40 +0900 Subject: [Fedora-directory-users] What doesn't a user access the system directly? 
Message-ID: <001801c9c968$c6ffe290$54ffa7b0$@co.kr> Hi everyone. I want to limit accessing logon machines a user directly. Can someone ask me the method for solve? I try to apply ?inactivate? option a user. However, this user can access machine as ever. thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: From goni at selimins.co.kr Thu Apr 30 08:14:38 2009 From: goni at selimins.co.kr (=?ks_c_5601-1987?B?sejBpLDv?=) Date: Thu, 30 Apr 2009 17:14:38 +0900 Subject: [Fedora-directory-users] What doesn't a user access the system directly? In-Reply-To: <001801c9c968$c6ffe290$54ffa7b0$@co.kr> References: <001801c9c968$c6ffe290$54ffa7b0$@co.kr> Message-ID: <002301c9c96b$b505a720$1f10f560$@co.kr> Sorry, my mistake.. I solved.. Thanks From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory- users-bounces at redhat.com] On Behalf Of ??? Sent: Thursday, April 30, 2009 4:54 PM To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] What doesn't a user access the system directly? Hi everyone. I want to limit accessing logon machines a user directly. Can someone ask me the method for solve? I try to apply ?inactivate? option a user. However, this user can access machine as ever. thanks -------------- next part -------------- An HTML attachment was scrubbed... URL:
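The two checks from the AD password-sync thread above, as an added example rather than code from the thread or from the Directory Server project: a pam_ldap config that pre-hashes (pam_password md5) breaks winsync, while pam_password clear is only acceptable behind TLS, and the audit log reveals which case you have, because a userPassword written with any scheme other than the server's own (SSHA) was hashed by the client. The ldap.conf snippets and audit-log fragment are constructed and the hash values are made up.

```python
import re

# Constructed samples (not from the thread): the pam_ldap default Ubuntu shipped
# (md5 pre-hashing), the corrected clear-text setting behind StartTLS, and the
# unsafe variant that sends clear text without TLS.
LDAP_CONF_MD5 = "uri ldap://ldap.example.com/\nssl start_tls\npam_password md5\n"
LDAP_CONF_CLEAR_TLS = "uri ldap://ldap.example.com/\nssl start_tls\npam_password clear\n"
LDAP_CONF_CLEAR_PLAIN = "uri ldap://ldap.example.com/\npam_password clear\n"

# Constructed audit-log fragment in the shape the thread shows; hash values are made up.
AUDIT_LOG = (
    "replace: userPassword\n"
    "userPassword: {SSHA}c29tZWNvbnN0cnVjdGVkc2FsdGVkaGFzaA==\n"
    "-\n"
    "replace: userPassword\n"
    "userPassword: {crypt}$1$saltsalt$constructedmd5crypthashvalue\n"
    "-\n"
)

HASH_SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def parse_ldap_conf(text):
    """Map each pam_ldap directive to its (last) value, skipping blank and comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_ldap_conf(text):
    """Findings: client pre-hashing (winsync cannot forward it) or clear text without TLS."""
    conf = parse_ldap_conf(text)
    mode = conf.get("pam_password", "clear").lower()   # pam_ldap's own default is clear
    tls = conf.get("ssl", "").lower() in ("start_tls", "yes", "on")
    tls = tls or conf.get("uri", "").startswith("ldaps://")
    findings = []
    if mode != "clear":
        findings.append(f"pam_password {mode}: client pre-hashes, winsync cannot forward it")
    elif not tls:
        findings.append("pam_password clear without TLS: password crosses the wire readable")
    return findings

def client_hashed_writes(audit_text, server_scheme="SSHA"):
    """Schemes of userPassword values the server did not hash itself: DS hashes a
    clear-text password with its own scheme, so any other scheme came pre-hashed."""
    found = []
    for line in audit_text.splitlines():
        if line.startswith("userPassword:"):
            m = HASH_SCHEME.match(line.split(":", 1)[1].strip())
            scheme = m.group(1) if m else "none"
            if scheme.upper() != server_scheme.upper():
                found.append(scheme)
    return found
```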