[389-users] Re: Fedora-directory-users Digest, Vol 55, Issue 24

Rich Megginson rmeggins at redhat.com
Tue Dec 15 22:03:05 UTC 2009


Dimon wrote:
> ----------------------
>   
>> Message: 8
>> Date: Tue, 15 Dec 2009 09:45:11 -0700
>> From: Rich Megginson <rmeggins at redhat.com>
>> Subject: Re: [389-users] I need some help!
>> To: "General discussion list for the 389 Directory server project."
>> 	<fedora-directory-users at redhat.com>
>> Message-ID: <4B27BD17.5080504 at redhat.com>
>> Content-Type: text/plain; charset=windows-1251; format=flowed
>>
>> Dimon wrote:
>>     
>>> Hi everyone!  I'm a beginner with the Fedora Directory (389 project) server, so I hope that you will give me some advice to solve my problem.
>>>
>>> I want to synchronize my directory server with Active Directory's users (centos-ds-8.1.0). I read the Red Hat 8.1 manual and had success. But my AD users have Posix attributes (home directory, gidnumber, uidnumber, Nis Domain) and they did not synchronize.
>>>       
>> Right.  Windows Sync does not work with posix attributes.
>>     
>>> I've read about the DNA plugin in DS. It's written that I have to check the plugin in my cn=plugins,cn=config and initialize it. I did so. I didn't have success. The problem is: my centos-ds doesn't match the example described in the Red Hat manual.
>>>   
>>>       
>> How so?  What example?  Can you provide a link?
>>     
>
>  I found an installation guide for directory-server in PDF format... And I found examples there of how to configure DNA using the dnagidnumber, dnauidnumber, dnaNextvalue parameters. As I said, the LDAP schema doesn't have any of them.
Right.  These attributes are not published in the LDAP schema - they are 
known about by the plugin only.
> If it is necessary I will send you the installation guide!
>   
No, just a link (URL - http://..something) and the chapter/section will 
suffice.
>   
>>> It's written that I must have parameters such as dnagidnumber, dnauidnumber, dnaNextvalue and others (it is shown in the pictures). I don't have any parameters connected with dna... My LDAP schema doesn't have any dna*; nevertheless the DNA plugin (libdna.so) is present, even in my ds-tree.
>>>       
>> These attributes and objectclasses are defined internally and not exported.
>>     
>>> When I filled in the check box in order to configure DNA, nothing happened!
>>>       
>
>
> YES, these parameters are internal - I wanted to see them in Directory -> config->plugins->DNS ->Properties->advanced.
You won't see them there.
> I saw classes and other parameters, but I didn't see dna* in the way it is shown in the manual!
I'm not sure what you're looking at in the manual, so I can't comment on 
that.  Please provide a link to the section in the manual you are 
referring to.
> I didn't see them. I tried to add them from the LDAP schema - but it doesn't contain any of them!
Right.  As I have said previously, those attributes are used internally 
in the plugin only.  You cannot "see" them from the outside.
> I tried to reconfigure it from a file, which contained something like dn: cn= Distributed Advanced Plugin,cn=plugin,cn=config
> Objectclass ... dnauidnumber, dnaguidnumber, dnaNextvalue and others... But when I tried to add it via the command line, I had an error - invalid dna (or unknown parameters - I'm not sure now!).
Exact error messages are most helpful.
> I followed the manual. Configure DNA via command line!
>   
Again, without a link to the context, it's hard to know what you are 
referring to.
>   
>> What check box?
>>     
> On or off Configuration->DNA plugin cn=plugins,cn=config 
>
>   
>>> During synchronization I still have no Posix account activated, nor the parameters which I need
>>>       
>> Do you think DNA is going to fill in home directory and  NIS domain?
>>     
>
> Actually I thought that I would have an opportunity to fill guid and uid automatically using DNA, or replicate them from my AD with it.
DNA can be configured to fill in uidNumber and gidNumber.  DNA will not 
help with any Windows/AD sync.
> Because AD accounts contain them all.
>   
There's no way the directory server will sync posix attributes from AD, 
with or without DNA.  If you really need to do this, you'll have to 
write some sort of script external to the directory server to do that.
>   
>>> I use centos-idm-console-1.0.1 in order to manage the server. When I try to turn off the DNA plugin, the server says that "Server in unwilling to perform the operation. Cause the DNA plugin doesn't configure properly" - or something like that.
>>>       
>> Check the directory server access and errors logs for more information.
>>     
>>> I found a manual about configuring centos-ds with pictures - and as I said (it's written that I have to turn on the DNA plugin - just fill in the check box).
>>>   
>>>       
>> Enabling and disabling a plugin requires a server restart.
>>     
> It doesn't work! Because when I'm trying to turn off the DNA plugin and push the save button, I get the error. Otherwise my settings don't save! Of course I tried to reboot my server! And the plugin is still on. So I found it in my .lde config and turned it off manually. I have no additional information about it in my log files!
>   
If you run the console using 389-console -D 9 -f console.log you should 
see additional information about the error.  If this is an LDAP error, 
you will see the request and error result in the directory server access 
log.
>   
>>> I have no idea how to solve it. Maybe you will have some time to give me a clue about it. I need it very much. And I have another problem. I want to change the password using ldappasswd. It requires using LDAPS port 636. When I'm trying to use ldappasswd or ldapsearch on port 636, the session waits for something and it seems nothing happens; the session just waits. I tried to debug it using ldapsearch with -d. I didn't see any mistakes. I have a feeling that it is connected with ldap.conf (client) but I don't know how to solve it yet. Using ldapsearch on port 389, everything is fine.
>>>   
>>>       
>> Can you paste the output of ldappasswd -d 1 to fpaste.org and paste the 
>> link here?
>>     
>
> I solved this problem. I tried to use ldappasswd  -x -h localhost -p 636 -D "" -W  -b "" and it didn't work. ldappasswd needs a secure connection - so I read some articles and used -Z and -p 389 instead of 636, and everything works fine. Now I can change passwords in my DS using only one command line.
>
>   
>>> Thank you in advance!
>>>       
>
>   
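
The reply above says that copying posix attributes from AD needs a script external to the directory server. The following is an added sketch of such a script, not code from this thread or from the 389 project: it builds an LDIF modify file from already-exported entries and refuses AD values that would map a user into the root or system ID range. Assumptions: AD holds the RFC 2307 attributes named in `ATTR_MAP`, entries created by Windows Sync carry `ntUserDomainId`, the `MIN_ID` floor is a hypothetical site policy, and the sample entries are constructed.

```python
import base64
import re

# AD (RFC 2307 schema) attribute -> DS posixAccount attribute (assumed names)
ATTR_MAP = {"uidNumber": "uidNumber", "gidNumber": "gidNumber",
            "unixHomeDirectory": "homeDirectory", "loginShell": "loginShell"}
MIN_ID = 1000  # assumed site policy: never import root or system-range IDs

def ldif_line(attr, value):
    """One LDIF line; values that are not a printable SAFE-STRING are base64-encoded."""
    if re.fullmatch(r"[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*(?<! )", value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def posix_mods(ad, ds):
    """LDIF modify record for DS entry ds, or None when the AD values are unusable."""
    vals = {d: ad[a] for a, d in ATTR_MAP.items() if ad.get(a)}
    if not all(k in vals for k in ("uidNumber", "gidNumber", "homeDirectory")):
        return None
    if any(not re.fullmatch(r"[0-9]{1,10}", vals[k]) or int(vals[k]) < MIN_ID
           for k in ("uidNumber", "gidNumber")):
        return None  # non-numeric, or would map an AD user into the system ID range
    home = vals["homeDirectory"]
    if not home.startswith("/") or ".." in home.split("/"):
        return None  # relative or traversing home directory
    lines = [ldif_line("dn", ds["dn"]), "changetype: modify"]
    if "posixaccount" not in [oc.lower() for oc in ds["objectClass"]]:
        lines += ["add: objectClass", "objectClass: posixAccount", "-"]
    for attr, value in vals.items():
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"

def sync_ldif(ad_entries, ds_entries):
    """Pair entries on sAMAccountName == ntUserDomainId; return (ldif, skipped names)."""
    by_id = {e["ntUserDomainId"].lower(): e for e in ds_entries}
    records, skipped = [], []
    for ad in ad_entries:
        ds = by_id.get(ad["sAMAccountName"].lower())
        rec = posix_mods(ad, ds) if ds else None
        (records if rec else skipped).append(rec or ad["sAMAccountName"])
    return "\n".join(records), skipped

# Constructed sample data standing in for ldapsearch output from AD and the DS.
AD = [{"sAMAccountName": "jdoe", "uidNumber": "10001", "gidNumber": "10000",
       "unixHomeDirectory": "/home/jdoe", "loginShell": "/bin/bash"},
      {"sAMAccountName": "svc", "uidNumber": "0", "gidNumber": "0",
       "unixHomeDirectory": "/root"}]
DS = [{"dn": f"uid={u},ou=People,dc=example,dc=com", "ntUserDomainId": u,
       "objectClass": ["top", "person", "inetOrgPerson", "ntUser"]} for u in ("jdoe", "svc")]
print(sync_ldif(AD, DS)[0])
```

The generated LDIF is meant to be reviewed and then applied with ldapmodify over a TLS-protected connection; skipped account names are returned so they can be logged rather than silently dropped.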



