From franta at hanzlici.cz Thu Jan 1 10:50:52 2009
From: franta at hanzlici.cz (Frantisek Hanzlik)
Date: Thu, 01 Jan 2009 11:50:52 +0100
Subject: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow
Message-ID: <495CA00C.4080502@hanzlici.cz>

Howard Chu wrote:
>> fedora-directory-users-request redhat com wrote:
>> dennis demarco com wrote:
>>> I would like to export the MD5 hash from the Fedora directory user's password
>>> attribute into /etc/shadow of a Linux machine not in LDAP (Redhat).
>>> It appears this isn't working, is there a way for me to do this?
>>> Not all machines are using ldap but I would like to export from ldap.
>>>
>> Hi,
>> I haven't tried this, but here's an idea just off the top of my head which _might_ work:
>>
>> 1. take away the {MD5} from the string
>> 2. base64 decode the rest of the string
>> 3. convert the string to hex
>> 4. put the $1$ at the front of the hex string
>> 5. put the whole string into the password field in /etc/shadow and test
>>
>> If that works, you could write a perl script to automate the procedure. And report back to the list as well :-)
>>
> No, the password field is not in hex, it uses the same 6-bit encoding
> that DES crypt() uses, which is different from base64.
> base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses
> the characters ./[0-9][A-Z][a-z] (in those exact orders).
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/

Hello, I found this two-year-old thread. I have the same task - converting LDAP values to passwd/shadow - and need to solve the password conversion. But I'm still out of luck. My idea is to use something like MD5 crypt() with an empty salt - this probably works, as when I create a password in this manner:

  openssl passwd -1 -salt "" "heslo"
  $1$$1dziKo9JPNdLlVrGfqIBG.

then the result works: with it in shadow I can authenticate and everything works OK.
The salt is empty - after the "$1$" signature the salt/hash delimiter "$" follows immediately, and then the usual 22-character hash. But the result of an MD5 password created e.g. with the command:

  slappasswd -h {MD5} -s "heslo"
  {MD5}lV2wuB7xmJtKTf6ugGGppg==

(values coded in this manner are what I have in the LDAP DB. It isn't a problem to convert among different formats, e.g.:

  echo -n "heslo"|md5sum
  955db0b81ef1989b4a4dfeae8061a9a6
  echo -n "heslo"|openssl dgst -md5 -hex
  955db0b81ef1989b4a4dfeae8061a9a6
  echo '' | php
  lV2wuB7xmJtKTf6ugGGppg==

And it is simple to obtain the full 128-bit hex MD5 hash by reverting the LDAP values:

  echo ''|php
  955db0b81ef1989b4a4dfeae8061a9a6
)

Generally, I have to convert a 22-character base-64 value to a 22-character value as generated by MD5 crypt():

  lV2wuB7xmJtKTf6ugGGppg   # LDAP base-64 value
  1dziKo9JPNdLlVrGfqIBG.   # MD5 crypt() value

Both use a 6-bit encoding, the first with the charset "[A-Z][a-z][0-9]+/", the second the characters "./[0-9][A-Z][a-z]". But a simple conversion like this:

  CRYPT_HASH=`echo "$BASE64_HASH"|tr 'A-Za-z0-9+/' './0-9A-Za-z'`

does not work. Is this problem solvable at all? Did someone in this thread succeed in solving it? Is the idea of an empty salt viable, and is the problem only in the conversion between the 6-bit DES crypt() encoding and base-64 encoding? Does anyone have any knowledge about this?

Thanks in advance, Franta Hanzlik

From morenisco at noc-root.net Fri Jan 2 00:36:43 2009
From: morenisco at noc-root.net (Morenisco)
Date: Thu, 01 Jan 2009 21:36:43 -0300
Subject: [Fedora-directory-users] FDS 1.1 is not starting on Fedora 10
In-Reply-To: <495A49B5.3060903@gmx.de>
References: <49580225.2030502@noc-root.net> <495A49B5.3060903@gmx.de>
Message-ID: <495D619B.7070605@noc-root.net>

cw-news wrote:
[...]
> Hi,
>
> i have installed 1.1 on Centos 5 64bit. I had some equal. My error was
> that the system tried to load wrong sasl libs. I had in
> /var/log/messages wrong elf version.
>
> After i fixed it, the setup works perfectly.
>
> Could you please check?
Well, I uninstalled the fedora-ds* packages, I reinstalled only the i386 packages, I reinstalled the sasl* packages, and I was able to start the directory service. Unfortunately, I wasn't able to start the dirsrv-admin service, and I got another error (in both CentOS 5 and Fedora 10). Maybe FDS 1.1 is still too green to run.

Thanks.

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://santiago.flisol.cl
Blog: http://morenisco.belvil.eu

From abdellah.alaoui2006 at gmail.com Fri Jan 2 11:28:07 2009
From: abdellah.alaoui2006 at gmail.com (Abdellah Alaoui Ismaili)
Date: Fri, 2 Jan 2009 11:28:07 +0000
Subject: Fwd: [Fedora-directory-users] config of SSL on ADs and FDS
In-Reply-To: <49574F3D.6010200@redhat.com>
References: <69c6e0a70812250422n32ec4e8cu7c4cc5a951aa9390@mail.gmail.com> <49539D06.60604@redhat.com> <69c6e0a70812250827m33372bf6h28b588e3de2623a9@mail.gmail.com> <69c6e0a70812280151k1e4be396o5bd5c30d3e97c597@mail.gmail.com> <49574F3D.6010200@redhat.com>
Message-ID: <69c6e0a70901020328r715f27c8t4d2e03435e17e02@mail.gmail.com>

I can not install the certificate in Active Directory 2003 ... I type this under Fedora:

  # openssl s_client -host dc.sers.ma -port 636

I get this error:

  Verify return code: 21 (unable to verify the first certificate).

Does someone have an idea?

From premodd at decho.com Fri Jan 2 12:49:26 2009
From: premodd at decho.com (Premod Dev)
Date: Fri, 2 Jan 2009 05:49:26 -0700 (MST)
Subject: [Fedora-directory-users] Sync FDS with Active Directory.
In-Reply-To: <18735322.481230900232423.JavaMail.premod@premod.picorp.com>
Message-ID: <22241652.521230900640000.JavaMail.premod@premod.picorp.com>

Hi All,

I have a working AD in production and I want to sync user, group and password information with FDS. Can I get end-to-end documentation for this?

Thanks in advance.

#!Premod
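Returning to Frantisek Hanzlik's question at the top of this digest: the {MD5} value cannot be re-encoded into a $1$ field, and the reason is not the alphabet. {MD5} stores the plain, unsalted MD5(password) in base64, while the 22 characters after $1$<salt>$ encode the output of MD5-crypt, an iterated construction that mixes the password, the literal "$1$" prefix and the salt through 1000 dependent MD5 rounds. The two 128-bit values are unrelated, so no remapping of the characters can turn one into the other. The Python example below is an added illustration, not code from the list or from any of the tools mentioned: it decodes the {MD5} value, reimplements MD5-crypt (the algorithm behind glibc crypt(3) and "openssl passwd -1") using the thread's "heslo" test values, and shows that the tr-style transliteration produces a different string. The salt "xyzzy123" in the last call is a constructed sample.

```python
import base64
import hashlib

# Alphabet used by crypt(3)-style hashes ($1$, DES): "./0-9A-Za-z" in that order.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Standard base64 alphabet used by LDAP {MD5} values.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def ldap_md5_to_hex(value: str) -> str:
    """Decode an LDAP '{MD5}<base64>' userPassword value into the 32-char hex digest.

    This is the only conversion that is actually possible: the {MD5} scheme stores
    the plain, unsalted MD5(password), so base64-decoding recovers the raw digest.
    """
    if not value.startswith("{MD5}"):
        raise ValueError("expected a {MD5} value")
    return base64.b64decode(value[len("{MD5}"):]).hex()


def naive_transliteration(b64_value: str) -> str:
    """The 'tr A-Za-z0-9+/ ./0-9A-Za-z' idea from the thread: remap characters only."""
    return b64_value.rstrip("=").translate(str.maketrans(B64_ALPHABET, CRYPT_ALPHABET))


def _to64(value: int, count: int) -> str:
    # Emit `count` characters of 6 bits each, least significant group first.
    out = []
    for _ in range(count):
        out.append(CRYPT_ALPHABET[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: bytes, salt: bytes = b"") -> str:
    """MD5-crypt ($1$) as implemented by glibc crypt(3) and 'openssl passwd -1'.

    The password, the literal '$1$' prefix and the salt are all mixed in, followed
    by 1000 dependent MD5 rounds, so the output is not any encoding of MD5(password).
    """
    salt = salt[:8]  # crypt(3) uses at most 8 salt characters
    magic = b"$1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Add one byte of the alternate digest per password byte.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of len(password): a NUL byte for 1, the first password byte for 0.
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds, each fed from the previous round's digest.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (magic + salt).decode() + "$" + encoded


def md5_crypt_verify(password: bytes, shadow_field: str) -> bool:
    """Check a password against a '$1$<salt>$<hash>' field the way login does."""
    parts = shadow_field.split("$")
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an MD5-crypt field")
    return md5_crypt(password, parts[2].encode()) == shadow_field


if __name__ == "__main__":
    # Values from the thread: slappasswd -h {MD5} -s heslo, and openssl passwd -1 -salt "" heslo.
    ldap_value = "{MD5}lV2wuB7xmJtKTf6ugGGppg=="
    print(ldap_md5_to_hex(ldap_value))            # 955db0b81ef1989b4a4dfeae8061a9a6
    print(naive_transliteration(ldap_value[5:]))  # a different 22-character string
    print(md5_crypt(b"heslo", b""))               # $1$$1dziKo9JPNdLlVrGfqIBG.
    print(md5_crypt(b"heslo", b"xyzzy123"))       # the salted form you would actually use
```

The practical consequence is that crypt-compatible hashes can only be produced while the clear-text password is available, for instance by switching the directory's password storage scheme to {CRYPT} (which FDS supports) and having users reset their passwords once. An empty salt should also be avoided for real accounts, since every user with the same password then shares the same hash.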
From yyovkov at solitex.biz Sat Jan 3 12:26:03 2009
From: yyovkov at solitex.biz (Йовко Илчев Йовков)
Date: Sat, 03 Jan 2009 14:26:03 +0200
Subject: [Fedora-directory-users] Custom DSGW for FDS
Message-ID: <1230985563.17399.9.camel@vaio.castle.yyovkov.net>

Hi all,

I am trying to create my company directory structure based on FDS and FDS-DSGW. My schema requires attributes such as homeDirectory, uidNumber, gidNumber and so on. I would like, when I enter a new username, the field connected to homeDirectory in the DSGW web interface to be autofilled with values such as "/home/". Can someone help me with this issue?

Regards,
Йовко Йовков
?????????? ????????
Solitex Intelligent Business Solutions | www.solitex.biz
??????? +359-899-973800 | ??????? +359-2-4224119
???. ??? ?????" No 15 | 1111 ????? | ????????

? SugarCRM ??????? ???????? ??? ????? ??????!

From james.chavez at sanmina-sci.com Mon Jan 5 07:23:15 2009
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Mon, 5 Jan 2009 00:23:15 -0700
Subject: [Fedora-directory-users] ACI help
Message-ID: <1231140195.4496.89.camel@PHX1AMUX269160.sanmina-sci.com>

Hello,

I am using FDS as a replacement for NIS for user authentication and group and host entries. I am looking to allow anonymous searches of the directory but to disallow the visibility of the userPassword attribute. I would like to allow access to the userPassword attribute to only the user that is authenticating to the directory for logins. I have read the ACI chapter in the Directory Services Administrator's Guide but I am still struggling a bit.

Thank you
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information.
If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. From jsullivan at opensourcedevel.com Mon Jan 5 10:41:41 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Mon, 05 Jan 2009 05:41:41 -0500 Subject: [Fedora-directory-users] ACI help In-Reply-To: <1231140195.4496.89.camel@PHX1AMUX269160.sanmina-sci.com> References: <1231140195.4496.89.camel@PHX1AMUX269160.sanmina-sci.com> Message-ID: <1231152101.6461.5.camel@jaspav.missionsit.net.missionsit.net> On Mon, 2009-01-05 at 00:23 -0700, James Chavez wrote: > Hello, > > I am using FDS as a replacement for NIS for user authentication and > group and host entries. > > I am looking to allow anonymous searches of the directory but to > disallow the visibility of the userPassword attribute. > > I would like to allow access to the userPassword attribute to only the > user that is authenticating to the directory for logins. > > I have read the ACI chapter on the Directory services Administrator's > guide but I am still struggling a bit. 
>

We deleted the anonymous access rule so I don't have it in front of me, but I believe it defaults to not allowing access to the userPassword attribute. I don't have an idm-console handy, but I believe you can check by right clicking on your top level container, viewing the ACIs, selecting the anonymous access, going to the attribute tab, clicking on the attribute column header to sort alphabetically and scrolling toward the end. See if the userPassword attribute is unchecked. If not, uncheck it. If you have enabled SAMBA extensions, you may also want to uncheck the NTPassword and, oops! - forgot the other one but something like LMPassword.

Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From kenneho.ndu at gmail.com Mon Jan 5 14:49:38 2009
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Mon, 5 Jan 2009 15:49:38 +0100
Subject: [Fedora-directory-users] WindowSync and Netgroups: Where to add netgroup attributes?
Message-ID:

Hi.

We're planning on using netgroups to control user access to the different servers within our organization, and the netgroups will be populated based on group memberships on the AD side (we'll use WindowsSync to sync groups from AD to DS). The basic idea is this:

- Sync AD group entry "group1" over to DS group entry "group1". This is done automatically with WindowsSync.
- Populate netgroup entry "netgroup1" based on DS group entry "group1". Alternately, add the "netGroup" object class to the DS group entry.
- Configure clients to use netgroup based authentication.

A script will be created to manage netgroup membership dynamically, but creation of netgroups will probably be done manually. Anyway, we need to decide on whether to have a separate netgroup entry and populate netgroup attributes there, or if we should simply add netgroup attributes to the DS group itself.
I believe that both options will work just fine, but would like to hear from others who may have implemented a similar scheme. Maybe there are some pitfalls that we should be aware of. Regards, Kenneth Holter -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Jan 5 17:05:36 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 05 Jan 2009 10:05:36 -0700 Subject: [Fedora-directory-users] Windows Sync and UserprincipalName In-Reply-To: <495629E0.4050407@gmx.de> References: <495629E0.4050407@gmx.de> Message-ID: <49623DE0.8020603@redhat.com> cw-news wrote: > Hi, > > at the moment I am playing with the windows Sync feature. > > I would like to sync users from AD -> FDS. > Is it possible to change the existing mapping? > > I would like to use the Userprincipalname in fds? I'm not sure what you mean. Could you provide more details? > > Thanks for any hint or input > carsten > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Jan 5 17:06:59 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 05 Jan 2009 10:06:59 -0700 Subject: [Fedora-directory-users] FDS 1.1 is not starting on CentOS 5 In-Reply-To: <4957CFA9.1010809@noc-root.net> References: <4957CFA9.1010809@noc-root.net> Message-ID: <49623E33.2050000@redhat.com> Morenisco wrote: > Hi, > > I was able to install and configure FDS 1.1 on CentOS 5, but in the > latest step of the configuration, the service doesn't start. > > 1) I saw the following messages in the last part of the installation: > > Are you ready to set up your servers? [yes]: > Creating directory server . . . > Server failed to start !!! 
Please check errors log for problems > Could not start the directory server using command > '/usr/lib/dirsrv/slapd-dirserver1/start-slapd'. The last line from > the error log was '[28/Dec/2008:11:18:14 -0300] - > Fedora-Directory/1.1.3 B2008.269.157 starting up > '. Error: Unknown error 256 > Error: Could not create directory server instance 'dirserver1'. > Exiting . . . > Log file is '/tmp/setupRikE7Y.log' > > > 2 ) The error log just says the following: > > [28/Dec/2008:12:41:07 -0300] - Fedora-Directory/1.1.3 B2008.269.157 > starting up > > > 3) The log file /tmp/setupRikE7Y.log says the following: > > [08/12/28:11:13:10] - [Setup] Info Are you ready to set up your servers? > [08/12/28:11:13:16] - [Setup] Info yes > [08/12/28:11:13:16] - [Setup] Info Creating directory server . . . > [08/12/28:11:23:18] - [Setup] Info Could not start the directory > server using command '/usr/lib/dirsrv/slapd-dirserver1/start-slapd'. > The last line from the error log was '[28/Dec/2008:11:18:14 -0300] - > Fedora-Directory/1.1.3 B2008.269.157 starting up > '. Error: Unknown error 256 > [08/12/28:11:23:18] - [Setup] Fatal Error: Could not create directory > server instance 'dirserver1'. > [08/12/28:11:23:18] - [Setup] Fatal Exiting . . . > > Well, I'm using the user 'nobody' and group 'nobody'. > > 4) When I try to run the command by hand as root, I get the same: > > [root at dirserver1 slapd-dirserver1]# pwd > /usr/lib/dirsrv/slapd-dirserver1 > [root at dirserver1 slapd-dirserver1]# ./start-slapd > Server failed to start !!! 
Please check errors log for problems > > 5) Running the command with sh -x, I got the line that it not starting > the command: > > + cd /usr/sbin > + ./ns-slapd -D /etc/dirsrv/slapd-dirserver1 -i > /var/run/dirsrv/slapd-dirserver1.pid -w > /var/run/dirsrv/slapd-dirserver1.startpid > > 6) Running the last command by hand: > > [root at dirserver1 sbin]# ./ns-slapd -D /etc/dirsrv/slapd-dirserver1 -i > /var/run/dirsrv/slapd-dirserver1.pid -w > /var/run/dirsrv/slapd-dirserver1.startpid > [root at dirserver1 sbin]# > [root at dirserver1 sbin]# ps -fea | grep slapd > root 6893 6729 0 12:55 pts/3 00:00:00 grep slapd > > ==> this is not starting. > > 7) Trying the same, but with trace level: > > ./ns-slapd -d 1 -D /etc/dirsrv/slapd-dirserver1 -i > /var/run/dirsrv/slapd-dirserver1.pid -w > /var/run/dirsrv/slapd-dirserver1.startpid > > [28/Dec/2008:12:58:18 -0300] - <= send_ldap_result > [28/Dec/2008:12:58:18 -0300] - Fedora-Directory/1.1.3 B2008.269.157 > starting up > Failed to open stats file (/var/run/dirsrv/slapd-dirserver1.stats) > (error 1). > > Then, the binary ns-slapd is not creating the file > /var/run/dirsrv/slapd-dirserver1.stats (I think). Yes. There is a bug in the spec file - it does not create /var/run/dirsrv, and it can mess up the permissions/ownership on that directory. After you install/yum upgrade fedora-ds-base and the other packages, but before you run setup-ds-admin.pl, make sure /var/run/dirsrv exists and has the correct permissions and ownership. > > 8) Some details of the binary and my kernel version: > > [root at dirserver1 sbin]# file ns-slapd > ns-slapd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), > for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for > GNU/Linux 2.6.9, stripped > [root at dirserver1 sbin]# > [root at dirserver1 sbin]# uname -a > Linux dirserver1.cdsl.cl 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT > 2008 i686 i686 i386 GNU/Linux > > > Could it be related to the difference of the kernel version? 
> > Thanks! > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Jan 5 17:07:34 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 05 Jan 2009 10:07:34 -0700 Subject: [Fedora-directory-users] FDS 1.1 is not starting on Fedora 10 In-Reply-To: <495B4B87.1060002@gmx.de> References: <49580225.2030502@noc-root.net> <495A49B5.3060903@gmx.de> <495ADAE5.8050906@noc-root.net> <495B4B87.1060002@gmx.de> Message-ID: <49623E56.2010501@redhat.com> cw-news wrote: > Morenisco schrieb: >> cw-news wrote: >> >> [...] >>> Hi, >>> >>> i have installed 1.1 on Centos 5 64bit. I had some equal. My error >>> was that the system tried to load wrong sasl libs. I had in >>> /var/log/messages wrong elf version. >>> >>> After i fixed it, the setup works perfectly. >>> >>> Could you please check? >>> regards >>> carsten >> Hi, >> >> Unfortunatelly I don't receive the same message in the >> /var/log/message log file, I don't get nothing there. >> What package/version did you installed to fix the issue please? >> >> Thanks. >> > Hi, > > I had entries like this: > ----------------- > messages.1:Dec 25 13:08:33 fds1 ns-slapd: unable to dlopen > /usr/lib/sasl/liblogin.so.2: /usr/lib/sasl/liblogin.so.2: wrong ELF > class: ELFCLASS32 > messages.1:Dec 25 13:08:33 fds1 ns-slapd: unable to dlopen > /usr/lib/sasl/libplain.so.2: /usr/lib/sasl/libplain.so.2: wrong ELF > class: ELFCLASS32 > messages.1:Dec 25 13:08:33 fds1 ns-slapd: unable to dlopen > /usr/lib/sasl/libanonymous.so.2: /usr/lib/sasl/libanonymous.so.2: > wrong ELF class: ELFCLASS32 > ------------------------ These messages are informational only - you can ignore them - they do not cause any problems. 
>
>
> I had installed - why ever -
>
> cyrus-sasl-plain-2.1.22.i386
> cyrus-sasl-lib-2.1.22.i386
> cyrus-sasl-plain-2.1.22.x86_64
> cyrus-sasl-lib-2.1.22.x86_64
>
> In /usr/lib/sasl/ were the i386 version, i removed the complete
> folder and it works perfectly.
>
> I have installed the following fds packages:
> fedora-idm-console-1.1.1.x86_64
> fedora-ds-1.1.2.x86_64
> fedora-ds-console-1.1.2.noarch
> fedora-ds-admin-1.1.6.x86_64
> fedora-ds-admin-console-1.1.2.noarch
> fedora-ds-base-1.1.3.x86_64
> fedora-ds-dsgw-1.1.1.x86_64
>
> I hope that helps.
>
> regards
> carsten
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Mon Jan 5 17:08:24 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 05 Jan 2009 10:08:24 -0700
Subject: [Fedora-directory-users] Sync FDS with Active Directory.
In-Reply-To: <22241652.521230900640000.JavaMail.premod@premod.picorp.com>
References: <22241652.521230900640000.JavaMail.premod@premod.picorp.com>
Message-ID: <49623E88.8080703@redhat.com>

Premod Dev wrote:
> Hi All,
>
> I have a working AD in production and I want to sync
> user,group,password information with FDS.
>
> Can I get an end to end documentation for this?
Start here - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
>
>
> Thanks in advance.
>
>
> #!Premod
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
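James Chavez's ACI question earlier in this digest (anonymous search allowed, userPassword hidden, each user able to handle only their own password) can be expressed as two ACIs on the suffix instead of through the console clicks John describes. The LDIF below is an added example, not from the list or from the product documentation: the suffix dc=example,dc=com is a placeholder for your own, and sambaNTPassword/sambaLMPassword are the attribute names the Samba 3 schema uses, which John's reply recalls only approximately. A simple bind does not need read access to userPassword, because the server compares the credential internally, so the second ACI grants users write access to their own password (so they can change it) rather than read access.

```ldif
# Added example; dc=example,dc=com is a placeholder for your suffix.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword || sambaNTPassword || sambaLMPassword")
 (version 3.0; acl "Anonymous read, password hashes excluded";
 allow (read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "Users may change their own password";
 allow (write) userdn = "ldap:///self";)
```

Apply it with ldapmodify bound as Directory Manager; if the default "Enable anonymous access" ACI already exists on the suffix, replace it rather than adding a second anonymous rule, since ACIs are unioned and the more permissive one would still expose the attribute. Then verify with an anonymous ldapsearch (no -D/-w) for one user, requesting the userPassword attribute explicitly: the entry should come back without it, while the same search bound as that user's own DN still cannot read it but the user can run ldappasswd against their own entry.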
From rmeggins at redhat.com Mon Jan 5 17:09:14 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 05 Jan 2009 10:09:14 -0700
Subject: [Fedora-directory-users] Custom DSGW for FDS
In-Reply-To: <1230985563.17399.9.camel@vaio.castle.yyovkov.net>
References: <1230985563.17399.9.camel@vaio.castle.yyovkov.net>
Message-ID: <49623EBA.20401@redhat.com>

Йовко Илчев Йовков wrote:
> Hi all,
>
> I am trying to create my company directory structure based on FDS and
> FDS-DSGW. My schema requires attributes as homeDirectory, uidNumber,
> gidNumber and so on.
> I would like, when I enter new username, the field connected to
> homeDirectory in DSGW web interface to be autofilled with values as
> "/home/".
> Did some can help me with this issue?
Try this - http://www.redhat.com/docs/manuals/dir-server/pdf/ds71gwcust.pdf
>
> Regards,
>
> Йовко Йовков
> ?????????? ????????
> Solitex Intelligent Business Solutions | www.solitex.biz
>
> ??????? +359-899-973800 | ??????? +359-2-4224119
> ???. ??? ?????" No 15 | 1111 ????? | ????????
>
> ? SugarCRM ??????? ???????? ??? ????? ??????!
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From christopher.barry at qlogic.com Tue Jan 6 16:04:36 2009
From: christopher.barry at qlogic.com (Christopher Barry)
Date: Tue, 6 Jan 2009 10:04:36 -0600
Subject: [Fedora-directory-users] sequence of events
Message-ID: <0F3ACA1C9E6FCA4BBABFC2B45BF279343BF37E669F@MNEXMB1.qlogic.org>

Greetings all,

Trying to wrap my head around how a linux laptop interacts with AD/FDS when these are reachable - and not. Can you all have a look and edit this post as required to bring me up to speed?

A. User is added to AD
B. WinSync pulls changes to FDS over SSL

1a. Newly added user on Linux laptop logs into laptop plugged into domain LAN
1a.1 pam_krb5 acquires TGT from AD
1a.2 nss_ldap acquires authorization/automount and other map data from FDS (SSL?)
2a. User uses TGT to access NetApp to automount their home directory

Domain login completes. Accessing other kerberized services in an SSO mode functions.

====================

1b. User logs into laptop off LAN
1b.1 pam_unix authenticates the user from passwd/group/shadow and he mounts local home directory.

Local login completes.

3b. User vpns into office w/ vpnc.
3b.1 accesses various servers/services with domain username/password resolved from FDS - no kerberos.

Please edit/flesh out as appropriate.

Thanks All,
Christopher

From glenn at mail.txwes.edu Wed Jan 7 15:16:22 2009
From: glenn at mail.txwes.edu (Glenn)
Date: Wed, 7 Jan 2009 10:16:22 -0500
Subject: [Fedora-directory-users] FD-AD Password Sync Trouble
Message-ID: <20090107150302.M79487@mail.txwes.edu>

We have Windows Sync replication set up between Fedora Directory 1.04 and Active Directory. When we change a user's password in FD, it replicates to AD. When we change a user's password on the AD server, it replicates to FD.
But when we change the user's password on the user's local AD computer (using Ctrl-Alt-Del, Change Password), the password is changed in AD but does not replicate to FD. Anyone know how to fix this? Thanks. -G. From rmeggins at redhat.com Wed Jan 7 15:19:19 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 07 Jan 2009 08:19:19 -0700 Subject: [Fedora-directory-users] FD-AD Password Sync Trouble In-Reply-To: <20090107150302.M79487@mail.txwes.edu> References: <20090107150302.M79487@mail.txwes.edu> Message-ID: <4964C7F7.5050001@redhat.com> Glenn wrote: > We have Windows Sync replication set up between Fedora Directory 1.04 and > Active Directory. When we change a user's password in FD, it replicates to > AD. When we change a user's password on the AD server, it replicates to FD. > > But when we change the user's password on the user's local AD computer (using > Ctrl-Alt-Del, Change Password), the password is changed in AD but does not > replicate to FD. Anyone know how to fix this? Thanks. -G. > You probably need to install passsync on the domain controller that this particular password change operation is sent to. > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From glenn at mail.txwes.edu Wed Jan 7 17:44:09 2009 From: glenn at mail.txwes.edu (Glenn) Date: Wed, 7 Jan 2009 12:44:09 -0500 Subject: [Fedora-directory-users] FD-AD Password Sync Trouble In-Reply-To: <4964C7F7.5050001@redhat.com> References: <20090107150302.M79487@mail.txwes.edu> <4964C7F7.5050001@redhat.com> Message-ID: <20090107173625.M43993@mail.txwes.edu> Rich - Yes, this does work. I believe password change requests in Active Directory are sent to various domain controllers on a somewhat random basis. 
If true, this means that Passsync must be installed (along with appropriate SSL certificates) on all domain controllers in an AD domain in order to get dependable password sync with Fedora Directory. This is what I've done, and it does seem to work now. Thanks. -G. ---------- Original Message ----------- From: Rich Megginson To: "General discussion list for the Fedora Directory server project." Sent: Wed, 07 Jan 2009 08:19:19 -0700 Subject: Re: [Fedora-directory-users] FD-AD Password Sync Trouble > Glenn wrote: > > We have Windows Sync replication set up between Fedora Directory 1.04 and > > Active Directory. When we change a user's password in FD, it replicates to > > AD. When we change a user's password on the AD server, it replicates to FD. > > > > But when we change the user's password on the user's local AD computer (using > > Ctrl-Alt-Del, Change Password), the password is changed in AD but does not > > replicate to FD. Anyone know how to fix this? Thanks. -G. > > > You probably need to install passsync on the domain controller that > this particular password change operation is sent to. > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------- End of Original Message ------- From Chris.Hendry at turner.com Wed Jan 7 17:46:51 2009 From: Chris.Hendry at turner.com (Hendry, Chris) Date: Wed, 7 Jan 2009 12:46:51 -0500 Subject: [Fedora-directory-users] Bug 388021 - MMR breaks from master that has been reinited In-Reply-To: <4964C7F7.5050001@redhat.com> Message-ID: Rich, I think I have the same issue as in BUG 388021. I have read: https://bugzilla.redhat.com/show_bug.cgi?id=388021 I have tried the deleting of the changelog files, do not work. 
Please explain in detail how to: "The solution is for the master to just use the min CSN in its own RUV as the new starting point" My error log says: [07/Jan/2009:12:43:42 -0500] agmt="cn=p3ds02" (p3ds02:389) - Can't locate CSN 4964cfd5000001bc0000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized. Chris From rmeggins at redhat.com Wed Jan 7 17:55:22 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 07 Jan 2009 10:55:22 -0700 Subject: [Fedora-directory-users] Bug 388021 - MMR breaks from master that has been reinited In-Reply-To: References: Message-ID: <4964EC8A.7090609@redhat.com> Hendry, Chris wrote: > Rich, I think I have the same issue as in BUG 388021. > I have read: https://bugzilla.redhat.com/show_bug.cgi?id=388021 > > I have tried the deleting of the changelog files, do not work. > Please explain in detail how to: "The solution is for the master to > just use the min CSN in its own RUV as the new starting point" > > My error log says: > > [07/Jan/2009:12:43:42 -0500] agmt="cn=p3ds02" (p3ds02:389) - Can't > locate CSN 4964cfd5000001bc0000 in the changelog (DB rc=-30990). The > consumer may need to be reinitialized. > What version of Fedora DS? What platform? > Chris > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From Chris.Hendry at turner.com Thu Jan 8 18:58:58 2009 From: Chris.Hendry at turner.com (Hendry, Chris) Date: Thu, 8 Jan 2009 13:58:58 -0500 Subject: [Fedora-directory-users] Bug 388021 - MMR breaks from masterthat has been reinited In-Reply-To: <4964EC8A.7090609@redhat.com> Message-ID: Release: Fedora Core release 6 (Zod) Kernel: 2.6.18-1.2798.fc6 FDS: fedora-ds-1.0.4-1.Linux -----Original Message----- From: Rich Megginson [mailto:rmeggins at redhat.com] Sent: Wednesday, January 07, 2009 12:55 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Bug 388021 - MMR breaks from masterthat has been reinited Hendry, Chris wrote: > Rich, I think I have the same issue as in BUG 388021. > I have read: https://bugzilla.redhat.com/show_bug.cgi?id=388021 > > I have tried the deleting of the changelog files, do not work. > Please explain in detail how to: "The solution is for the master to > just use the min CSN in its own RUV as the new starting point" > > My error log says: > > [07/Jan/2009:12:43:42 -0500] agmt="cn=p3ds02" (p3ds02:389) - Can't > locate CSN 4964cfd5000001bc0000 in the changelog (DB rc=-30990). The > consumer may need to be reinitialized. > What version of Fedora DS? What platform? > Chris > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From james.chavez at sanmina-sci.com Thu Jan 8 19:24:43 2009 From: james.chavez at sanmina-sci.com (James Chavez) Date: Thu, 8 Jan 2009 12:24:43 -0700 Subject: [Fedora-directory-users] Help replicating other Directory service data to FDS Message-ID: <1231442683.4355.13.camel@PHX1AMUX269160.sanmina-sci.com> Hello List, Can anyone help me to understand how to replicate user account information from say Edir to FDS? 
Is there any documentation to help me to setup on the FDS side what needs to be done? From FDS to FDS I set up the replication agreements and it works great. But in this case I want to receive my initial account info from Edir and then would like to be able to edit on the FDS console and have the attributes sync back up when necessary. Sounds reasonable to me. Thank you in advance. James CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof. ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity. 
From rmeggins at redhat.com Thu Jan 8 19:31:17 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 08 Jan 2009 12:31:17 -0700
Subject: [Fedora-directory-users] Bug 388021 - MMR breaks from master that has been reinited
In-Reply-To:
References:
Message-ID: <49665485.4030702@redhat.com>

Hendry, Chris wrote:
> Release: Fedora Core release 6 (Zod)
> Kernel: 2.6.18-1.2798.fc6
> FDS: fedora-ds-1.0.4-1.Linux
>
If this is indeed the same problem as in bug 388021, and you tried the workarounds mentioned in comment https://bugzilla.redhat.com/show_bug.cgi?id=388021#c3 and later, then I suggest upgrading to Fedora DS 1.1.3 on Fedora Core 6. We do have rpms for FC6. You'll just have to change your yum config as in http://directory.fedoraproject.org/wiki/Install_Guide#Installation_via_yum since the latest rpms are not in the regular Fedora repos (because FC6 is dead).

> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday, January 07, 2009 12:55 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Bug 388021 - MMR breaks from
> master that has been reinited
>
> Hendry, Chris wrote:
>
>> Rich, I think I have the same issue as in BUG 388021.
>> I have read: https://bugzilla.redhat.com/show_bug.cgi?id=388021
>>
>> I have tried deleting the changelog files; it does not work.
>> Please explain in detail how to: "The solution is for the master to
>> just use the min CSN in its own RUV as the new starting point"
>>
>> My error log says:
>>
>> [07/Jan/2009:12:43:42 -0500] agmt="cn=p3ds02" (p3ds02:389) - Can't
>> locate CSN 4964cfd5000001bc0000 in the changelog (DB rc=-30990). The
>> consumer may need to be reinitialized.
>>
>>
> What version of Fedora DS? What platform?
>
>> Chris
>>
>

From hartmann at fas.harvard.edu Thu Jan 8 19:43:55 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Thu, 08 Jan 2009 14:43:55 -0500
Subject: [Fedora-directory-users] Binding to Directory Server with Kerberos Tickets
Message-ID: <4966577B.7040907@fas.harvard.edu>

Hi,

I've been configuring our Directory Server implementation to use gss-api for authentication, and it works great! However I ran into a bit of a snag and was hoping someone on the list might have a suggestion for a resolution!

I followed the docs during my configuration and all went well:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-Configuring_Kerberos.html

I'm able to bind to our ldap replicas with my TGT when I search the real hostname; however, we load balance our replicas behind a Cisco SLB which serves out a second hostname and IP. I've updated the ldap keytab file to include both the Kerberos principals for the real hostname and the SLB hostname, and am still able to successfully bind with Kerberos to the real hostname, but not through the SLB.

I had a similar problem with kerberized ssh a while back, and the solution there was a patch to openssh which allowed Kerberos to use any principal in the keytab file (the GSSAPIStrictAcceptorCheck flag in ssh provides this).

Does FDS have any similar configuration option? Or has anyone run into this sort of issue while trying to bind to ldap via kerberos?
I'd also be willing to load balance the servers using some other means besides the SLB.

Thanks!!

Tim

From bbahar3 at gmail.com Sat Jan 10 06:19:31 2009
From: bbahar3 at gmail.com (Eric)
Date: Sat, 10 Jan 2009 09:49:31 +0330
Subject: [Fedora-directory-users] Re:freeradius doesn't sent information to mysql
Message-ID: <38a27c8c0901092219wc82bd22o94eac96099de6baf@mail.gmail.com>

I sent an instance of an accounting request from my vpn server to the radius server. You told me that I haven't got anything configured in the accounting section. Do you mean that the vpn server frame is correct but the accounting section in the radius server doesn't work?

> rad_recv: Accounting-Request packet from host 10.10.10.3:11858, id=133,
> length=260
>     Acct-Status-Type = Start
>     Acct-Delay-Time = 0
>     NAS-IP-Address = 10.10.10.3
>     Service-Type = Framed-User
>     Framed-Protocol = PPP
>     NAS-Port = 4
>     MS-RAS-Vendor = 311
>     MS-RAS-Version = "MSRASV5.20"
>     NAS-Port-Type = Virtual
>     Tunnel-Type:0 = PPTP
>     Tunnel-Medium-Type:0 = IP
>     Calling-Station-Id = "192.168.201.59"
>     Tunnel-Client-Endpoint:0 = "192.168.201.59"
>     Microsoft-Attr-35 = 0x4d5352415356352e3130
>     Microsoft-Attr-34 = 0x4d535241532d302d312d34304432454332364243374334
>     Acct-Session-Id = "118382"
>     User-Name = "school"
>     Framed-IP-Address = 10.10.10.4
>     Framed-MTU = 1400
>     Session-Timeout = 389554
>     Idle-Timeout = 1200
>     Acct-Multi-Session-Id = "953"
>     Acct-Link-Count = 1
>     Event-Timestamp = "Dec 31 2008 15:45:03 IRST"
>     Acct-Authentic = RADIUS
>     MS-MPPE-Encryption-Types = 0x00000000
> Sending Accounting-Response of id 133 to 10.10.10.3 port 11858
From cw-news at gmx.de Sat Jan 10 16:35:16 2009
From: cw-news at gmx.de (Seppel)
Date: Sat, 10 Jan 2009 17:35:16 +0100
Subject: [Fedora-directory-users] FDS and Kerberos in Windows Domain
In-Reply-To: <38a27c8c0901092219wc82bd22o94eac96099de6baf@mail.gmail.com>
References: <38a27c8c0901092219wc82bd22o94eac96099de6baf@mail.gmail.com>
Message-ID: <4968CE44.4000609@gmx.de>

Hi,

I have installed a fds 1.1 on centos.

I would like to use the kerberos authentication feature from my MS ActiveDirectory Domain. I am new with kerberos. I found a howto but this howto is for Linux Kerberos and not for MS Kerberos. Can anybody provide a howto on using MS Kerberos for FDS authentication?

Thanks in advance
seppel

From cw-news at gmx.de Sat Jan 10 16:50:54 2009
From: cw-news at gmx.de (Seppel)
Date: Sat, 10 Jan 2009 17:50:54 +0100
Subject: [Fedora-directory-users] FDS and Kerberos in Windows Domain
Message-ID: <4968D1EE.9070902@gmx.de>

Hi,

I have installed a fds 1.1 on centos.

I would like to use the kerberos authentication feature from my MS ActiveDirectory Domain. I am new with kerberos. I found a howto but this howto is for Linux Kerberos and not for MS Kerberos. Can anybody provide a howto on using MS Kerberos for FDS authentication?

Thanks in advance
seppel

From bbahar3 at gmail.com Tue Jan 13 05:57:17 2009
From: bbahar3 at gmail.com (Eric)
Date: Tue, 13 Jan 2009 09:27:17 +0330
Subject: [Fedora-directory-users] installing fedora ds on vps (xen)
Message-ID: <38a27c8c0901122157x619a67a4vd3a09426dc444059@mail.gmail.com>

Hi,

I have created a xen vps. I installed fedora ds on it. It has no console. How can I have a console on it? Or a remote console? I tried to have a remote console but can't.
From james_roman at ssaihq.com Tue Jan 13 13:45:31 2009
From: james_roman at ssaihq.com (James Roman)
Date: Tue, 13 Jan 2009 08:45:31 -0500
Subject: [Fedora-directory-users] installing fedora ds on vps (xen)
In-Reply-To: <38a27c8c0901122157x619a67a4vd3a09426dc444059@mail.gmail.com>
References: <38a27c8c0901122157x619a67a4vd3a09426dc444059@mail.gmail.com>
Message-ID: <496C9AFB.5030506@ssaihq.com>

Eric wrote:
> Hi,
> I have created a xen vps. I installed fedora ds on it. It has no
> console. How can I have a console on it? Or a remote console?
> I tried to have a remote console but can't.

We have our FDS server installed in a Xen VM. You don't mention any information about how you have your Xen server (or VM) configured. My guess is that you used the default configuration for your network setup. In this scenario, your Xen host server builds an internal virtual network and performs Port Address Translation (PAT or Port NAT). Your internal VM is not directly accessible from the outside world. If this is the case, it really is a question that belongs in the Xen-users mailing list. My suggestion is that you ensure you can bring up a secure shell into your VM server. You will most likely need to use the vif-bridge Xen scripts.

--
James D. Roman
Sr. Network Administrator
Science Systems and Application, Inc.
Phone: 301-867-2101

From cw-news at gmx.de Tue Jan 13 18:34:55 2009
From: cw-news at gmx.de (Seppel)
Date: Tue, 13 Jan 2009 19:34:55 +0100
Subject: [Fedora-directory-users] Windows Sync and UserprincipalName
In-Reply-To: <49623DE0.8020603@redhat.com>
References: <495629E0.4050407@gmx.de> <49623DE0.8020603@redhat.com>
Message-ID: <496CDECF.9020107@gmx.de>

Rich Megginson wrote:
> cw-news wrote:
>> Hi,
>>
>> at the moment I am playing with the windows Sync feature.
>>
>> I would like to sync users from AD -> FDS.
>> Is it possible to change the existing mapping?
>>
>> I would like to use the Userprincipalname in fds?
> I'm not sure what you mean.
> Could you provide more details?
>>
>> Thanks for any hint or input
>> carsten
>>
>
> ------------------------------------------------------------------------
>

Hi,

sorry to be late.

Does any kind of mapping exist for which attributes from ActiveDirectory should be imported to FDS? I would like to have an object userprincipalname in fds.

thanks
seppel

From cw-news at gmx.de Tue Jan 13 18:36:24 2009
From: cw-news at gmx.de (Seppel)
Date: Tue, 13 Jan 2009 19:36:24 +0100
Subject: [Fedora-directory-users] FDS and Kerberos in Windows Domain
In-Reply-To: <4968D1EE.9070902@gmx.de>
References: <4968D1EE.9070902@gmx.de>
Message-ID: <496CDF28.3030206@gmx.de>

Seppel wrote:
> Hi,
>
> I have installed a fds 1.1 on centos.
>
> I would like to use the kerberos authentication feature from my MS
> ActiveDirectory Domain.
> I am new with kerberos.
> I found a howto but this howto is for Linux Kerberos and not for MS
> Kerberos. Can anybody provide a howto on using MS Kerberos for FDS
> authentication?
>
> Thanks in advance
> seppel
>

Did nobody use kerberos authentication with fds? Nobody in MS Kerberos?
thanks
seppel

From rmeggins at redhat.com Tue Jan 13 18:42:19 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 13 Jan 2009 11:42:19 -0700
Subject: [Fedora-directory-users] Windows Sync and UserprincipalName
In-Reply-To: <496CDECF.9020107@gmx.de>
References: <495629E0.4050407@gmx.de> <49623DE0.8020603@redhat.com> <496CDECF.9020107@gmx.de>
Message-ID: <496CE08B.60103@redhat.com>

Seppel wrote:
> Rich Megginson wrote:
>> cw-news wrote:
>>> Hi,
>>>
>>> at the moment I am playing with the windows Sync feature.
>>>
>>> I would like to sync users from AD -> FDS.
>>> Is it possible to change the existing mapping?
>>>
>>> I would like to use the Userprincipalname in fds?
>> I'm not sure what you mean. Could you provide more details?
>>>
>>> Thanks for any hint or input
>>> carsten
>>>
>>
>> ------------------------------------------------------------------------
>>
>
> Hi,
>
> sorry to be late.
>
> Does any kind of mapping exist for which attributes from ActiveDirectory
> should be imported to FDS?
> I would like to have an object userprincipalname in fds.

Ok, I see. The attribute mapping is hardcoded and is not extensible. You might try Penrose virtual directory if you need a customized attribute list. IPA windows sync will map AD userprincipalname to krbPrincipalName.

>
> thanks
> seppel
From emmanuel.billot at ird.fr Tue Jan 13 19:37:38 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Tue, 13 Jan 2009 20:37:38 +0100
Subject: [Fedora-directory-users] Fedora DS or RedHat Directory Server
Message-ID: <496CED82.4060508@ird.fr>

Hi,

We want to deploy a LDAP directory server for 3000 users worldwide. We found FDS/RHDS as the best solution for our systems and compatibility. What are the real differences between FDS and RHDS? What product should be used for production?

Regards,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Tue Jan 13 19:49:26 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 13 Jan 2009 12:49:26 -0700
Subject: [Fedora-directory-users] Fedora DS or RedHat Directory Server
In-Reply-To: <496CED82.4060508@ird.fr>
References: <496CED82.4060508@ird.fr>
Message-ID: <496CF046.3060903@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> We want to deploy a LDAP directory server for 3000 users worldwide. We
> found FDS/RHDS as the best solution for our systems and compatibility.
> What are the real differences between FDS and RHDS? What product
> should be used for production?

RHDS usually lags behind FDS in terms of features. Other than that, they are identical.

>
> Regards,
>
From emmanuel.billot at ird.fr Tue Jan 13 19:56:26 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Tue, 13 Jan 2009 20:56:26 +0100
Subject: [Fedora-directory-users] Fedora DS or RedHat Directory Server
In-Reply-To: <496CF046.3060903@redhat.com>
References: <496CED82.4060508@ird.fr> <496CF046.3060903@redhat.com>
Message-ID: <496CF1EA.1040703@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> We want to deploy a LDAP directory server for 3000 users worldwide.
>> We found FDS/RHDS as the best solution for our systems and
>> compatibility.
>> What are the real differences between FDS and RHDS? What product
>> should be used for production?
> RHDS usually lags behind FDS in terms of features. Other than that,
> they are identical.
>>
>> Regards,
>>
>
> ------------------------------------------------------------------------
>

Ok thanks for replying.
However, RHDS should be better for support?

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Tue Jan 13 20:00:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 13 Jan 2009 13:00:21 -0700
Subject: [Fedora-directory-users] Fedora DS or RedHat Directory Server
In-Reply-To: <496CF1EA.1040703@ird.fr>
References: <496CED82.4060508@ird.fr> <496CF046.3060903@redhat.com> <496CF1EA.1040703@ird.fr>
Message-ID: <496CF2D5.3050103@redhat.com>

Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> We want to deploy a LDAP directory server for 3000 users worldwide.
>>> We found FDS/RHDS as the best solution for our systems and
>>> compatibility.
>>> What are the real differences between FDS and RHDS? What product
>>> should be used for production?
>> RHDS usually lags behind FDS in terms of features. Other than that,
>> they are identical.
>>>
>>> Regards,
>>>
>>
>> ------------------------------------------------------------------------
>>
> Ok thanks for replying.
> However, RHDS should be better for support?
>
Yes

From bkosick at mxlogic.com Tue Jan 13 23:09:17 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Tue, 13 Jan 2009 16:09:17 -0700
Subject: [Fedora-directory-users] autofs + LDAP
Message-ID: <1231888157.3319.13.camel@localhost.localdomain>

Hi All,

I've been following the Autofs Tutorial and it works great; however, I have one last thing to do to fully emulate in LDAP what I had in the auto.master file. How do I add autofs options like "--ghost"?

http://directory.fedoraproject.org/wiki/Howto:Automount

Any help would be greatly appreciated.
Brian

From bkosick at mxlogic.com Tue Jan 13 23:12:45 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Tue, 13 Jan 2009 16:12:45 -0700
Subject: [Fedora-directory-users] Sudo in directory server
In-Reply-To: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
References: <664c5a070811270208k22fdda22s17b8b1e3af470dcb@mail.gmail.com>
Message-ID: <1231888365.3319.14.camel@localhost.localdomain>

Try sending the schema through this first:
http://directory.fedoraproject.org/download/ol-schema-migrate.pl

Brian

On Thu, 2008-11-27 at 03:08 -0700, Erling Ringen Elvsrud wrote:
> I try to add the schema for sudoers from README.LDAP in
> the srpm-file of sudo-1.6.8p12. I assume the iPlanet-version will work best, but
> get this problem when I restart directory server:
>
> [root at testserver schema]# service dirsrv restart
> Shutting down dirsrv:
> testserver... [ OK ]
> Starting dirsrv:
> testserver...[27/Nov/2008:10:37:31 +0100] - Entry "cn=schema
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC
> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseE"
> required attribute "objectclass" missing
>
> [ OK ]
> [root at testserver schema]# cat 99sudoers.ldif
> dn: cn=schema attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME
> 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match
> SUBSTR caseE
>
> xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC
> 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseEx
>
> actIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC
> 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match S
>
> YNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC
> 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1
>
> .3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC
> 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1
>
> .3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top
> STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sud
>
> oHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
>
> Any help to get the schema for sudo correctly added is appreciated.
>
> Thanks,
>
> Erling
>

From bkosick at mxlogic.com Tue Jan 13 23:26:25 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Tue, 13 Jan 2009 16:26:25 -0700
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <1231888157.3319.13.camel@localhost.localdomain>
References: <1231888157.3319.13.camel@localhost.localdomain>
Message-ID: <1231889185.3319.17.camel@localhost.localdomain>

I should clarify... My original looked like this:

dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
cn: internal
objectClass: automount
automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa

Which worked, but I want to use the --ghost option so I tried....

dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
cn: internal
objectClass: automount
automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa --ghost

Which broke it.
Brian

On Tue, 2009-01-13 at 16:09 -0700, Brian Kosick wrote:
> Hi All,
>
> I've been following the Autofs Tutorial and it works great; however, I
> have one last thing to do to fully emulate in LDAP what I had in the
> auto.master file. How do I add autofs options like "--ghost"?
>
> http://directory.fedoraproject.org/wiki/Howto:Automount
>
> Any help would be greatly appreciated.
> Brian
>

From bkosick at mxlogic.com Tue Jan 13 23:37:38 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Tue, 13 Jan 2009 16:37:38 -0700
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <1231889185.3319.17.camel@localhost.localdomain>
References: <1231888157.3319.13.camel@localhost.localdomain> <1231889185.3319.17.camel@localhost.localdomain>
Message-ID: <1231889858.3319.20.camel@localhost.localdomain>

I found this, but I do not want to enable --ghost on all autofs maps, just the ones that I have configured in /software...

http://www.mail-archive.com/autofs at linux.kernel.org/msg05452.html

Brian

On Tue, 2009-01-13 at 16:26 -0700, Brian Kosick wrote:
> I should clarify... My original looked like this:
>
> dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> cn: internal
> objectClass: automount
> automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa
>
> Which worked, but I want to use the --ghost option so I tried....
>
> dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> cn: internal
> objectClass: automount
> automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa --ghost
>
> Which broke it.
> Brian
>
> On Tue, 2009-01-13 at 16:09 -0700, Brian Kosick wrote:
> > Hi All,
> >
> > I've been following the Autofs Tutorial and it works great; however, I
> > have one last thing to do to fully emulate in LDAP what I had in the
> > auto.master file. How do I add autofs options like "--ghost"?
> >
> > http://directory.fedoraproject.org/wiki/Howto:Automount
> >
> > Any help would be greatly appreciated.
> > Brian
> >
>

From patrick.morris at hp.com Wed Jan 14 00:27:10 2009
From: patrick.morris at hp.com (Patrick Morris)
Date: Tue, 13 Jan 2009 16:27:10 -0800
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <1231889185.3319.17.camel@localhost.localdomain>
References: <1231888157.3319.13.camel@localhost.localdomain> <1231889185.3319.17.camel@localhost.localdomain>
Message-ID: <20090114002710.GR26044@bakgwai.americas.hpqcorp.net>

On Tue, 13 Jan 2009, Brian Kosick wrote:

> I should clarify... My original looked like this:
>
> dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> cn: internal
> objectClass: automount
> automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa
>
> Which worked, but I want to use the --ghost option so I tried....
>
> dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> cn: internal
> objectClass: automount
> automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa --ghost
>
> Which broke it.
> Brian

As far as I know this is an unresolved bug in autofs's LDAP support.

There may be workarounds depending on which OS/distribution you're on.

From bkosick at mxlogic.com Wed Jan 14 00:42:31 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Tue, 13 Jan 2009 17:42:31 -0700
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <1231889858.3319.20.camel@localhost.localdomain>
References: <1231888157.3319.13.camel@localhost.localdomain> <1231889185.3319.17.camel@localhost.localdomain> <1231889858.3319.20.camel@localhost.localdomain>
Message-ID: <1231893751.3319.43.camel@localhost.localdomain>

Hello all,

A little more info.. I'm using the 75autofs.ldif schema....
I tried adding --ghost to both the end and the beginning of the automountinformation entry...

automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa --ghost

causes autofs not to mount at all...

automountInformation: --ghost -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa

causes autofs to mount like so:

itchy.qa.mxlogic.com:/var/qa on /software/internal type nfs (ro,nodev,-ghost,soft,intr,tcp,addr=10.70.0.185)

-ghost should not be an NFS mount option....

Would using a different schema help? There seem to be at least 2 schemas floating around, the nis one and the 2307bis one, and one that has an automountKey entry (though this one may be part of one of the other two).

Thanks,
Brian

On Tue, 2009-01-13 at 16:37 -0700, Brian Kosick wrote:
> I found this, but I do not want to enable --ghost on all autofs maps,
> just the ones that I have configured in /software...
>
> http://www.mail-archive.com/autofs at linux.kernel.org/msg05452.html
>
> Brian
>
> On Tue, 2009-01-13 at 16:26 -0700, Brian Kosick wrote:
> > I should clarify... My original looked like this:
> >
> > dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> > cn: internal
> > objectClass: automount
> > automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa
> >
> > Which worked, but I want to use the --ghost option so I tried....
> >
> > dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> > cn: internal
> > objectClass: automount
> > automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa --ghost
> >
> > Which broke it.
> > Brian
> >
> > On Tue, 2009-01-13 at 16:09 -0700, Brian Kosick wrote:
> > > Hi All,
> > >
> > > I've been following the Autofs Tutorial and it works great; however, I
> > > have one last thing to do to fully emulate in LDAP what I had in the
> > > auto.master file. How do I add autofs options like "--ghost"?
> > >
> > > http://directory.fedoraproject.org/wiki/Howto:Automount
> > >
> > > Any help would be greatly appreciated.
> > > Brian
> >
>

From bkosick at mxlogic.com Wed Jan 14 00:53:54 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Tue, 13 Jan 2009 17:53:54 -0700
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <20090114002710.GR26044@bakgwai.americas.hpqcorp.net>
References: <1231888157.3319.13.camel@localhost.localdomain> <1231889185.3319.17.camel@localhost.localdomain> <20090114002710.GR26044@bakgwai.americas.hpqcorp.net>
Message-ID: <1231894434.3319.52.camel@localhost.localdomain>

Hrrrm thanks, I believe that it is an unresolved bug, based on the info regarding this issue that I've already found via google.... It looks like the autofs author back in 2006 came _real close_ to looking into this, but a workaround seemed to have put this issue back into the deep dark corners of his mind. In fact he probably has dreams that he forgot about something to this day because of it.

I'm joining the list to see if I can't get anyone to look into this....

Brian

On Tue, 2009-01-13 at 17:27 -0700, Patrick Morris wrote:
> On Tue, 13 Jan 2009, Brian Kosick wrote:
>
> > I should clarify... My original looked like this:
> >
> > dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> > cn: internal
> > objectClass: automount
> > automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa
> >
> > Which worked, but I want to use the --ghost option so I tried....
> >
> > dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> > cn: internal
> > objectClass: automount
> > automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa --ghost
> >
> > Which broke it.
> > Brian
>
> As far as I know this is an unresolved bug in autofs's LDAP support.
>
> There may be workarounds depending on which OS/distribution you're on.
>

From bbahar3 at gmail.com Wed Jan 14 04:57:46 2009
From: bbahar3 at gmail.com (Eric)
Date: Wed, 14 Jan 2009 08:27:46 +0330
Subject: [Fedora-directory-users] Re: Re: installing fedora ds on vps (xen)
Message-ID: <38a27c8c0901132057g3c7690a6tc67a26803ffcd479@mail.gmail.com>

We have an image on a pc and a config file in /etc/xen with this config:

name = "ldap"
memory = "1000"
disk = [ 'file:/root/ldap_image,xvda,w', ]
vif = [ 'bridge=xenbr0', ]
bootloader="/usr/bin/pygrub"
vcpus=1
on_reboot = 'restart'
on_crash = 'restart'

Then I used: xm create ldap and xm console ldap. After this I could ssh to this vps.
You will most likely need to use the > vif-bridge Xen scripts. > > -- > > James D. Roman > Sr. Network Administrator > Science Systems and Application, Inc. > Phone: 301-867-2101 > > > > ------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > End of Fedora-directory-users Digest, Vol 44, Issue 10 > ****************************************************** > -------------- next part -------------- An HTML attachment was scrubbed... URL: From debajit_kataki at rediffmail.com Wed Jan 14 06:18:49 2009 From: debajit_kataki at rediffmail.com (debu) Date: 14 Jan 2009 06:18:49 -0000 Subject: [Fedora-directory-users] FDS DB fatal error Message-ID: <20090114061849.12037.qmail@f4mail-235-141.rediffmail.com> ? HI, Suddenly today our FDS got a fatal error. and was a panic all of a sudden, need you guys help/pointer on this. thanks... Fedora-Directory/1.1.3 B2008.269.157 NMLUDB01.edc.mihi.com:8888 (/etc/dirsrv/slapd-NMLUDB01) [14/Jan/2009:10:55:27 +051800] - libdb: DB_ENV->log_flush: LSN of 5436/8995196 past current end-of-log of 5436/625098 [14/Jan/2009:10:55:27 +051800] - libdb: Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment [14/Jan/2009:10:55:27 +051800] - libdb: PANIC: DB_RUNRECOVERY: Fatal error, run database recovery [14/Jan/2009:10:55:27 +051800] - libdb: mihRoot/guid.db4: unable to flush page: 212875 [14/Jan/2009:10:55:27 +051800] - Serious Error---Failed to trickle, err=-30977 (DB_RUNRECOVERY: Fatal error, run database recovery) [14/Jan/2009:10:55:27 +051800] - libdb: PANIC: fatal region error detected; run recovery [14/Jan/2009:10:55:27 +051800] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30977 (DB_RUNRECOVERY: Fatal error, run database recovery) [14/Jan/2009:10:55:27 +051800] - libdb: PANIC: fatal region error detected; run recovery 
[14/Jan/2009:10:55:27 +051800] - FATAL ERROR at idl_new.c (1); server stopping as database recovery needed. [14/Jan/2009:10:55:27 +051800] - libdb: PANIC: fatal region error detected; run recovery [14/Jan/2009:10:55:27 +051800] - FATAL ERROR at idl_new.c (1); server stopping as database recovery needed. [14/Jan/2009:10:55:27 +051800] - libdb: PANIC: fatal region error detected; run recovery [14/Jan/2009:10:55:27 +051800] - Serious Error---Failed in deadlock detect (aborted at 0x0), err=-30977 (DB_RUNRECOVERY: Fatal error, run database recovery) Fedora-Directory/1.1.3 B2008.269.157 NMLUDB01.edc.mihi.com:8888 (/etc/dirsrv/slapd-NMLUDB01) [14/Jan/2009:11:01:44 +051800] - Fedora-Directory/1.1.3 B2008.269.157 starting up [14/Jan/2009:11:01:44 +051800] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [14/Jan/2009:11:17:20 +051800] - slapd started. Listening on All Interfaces port 8888 for LDAP requests and it took 23 mins to recover we have RHEL 5 32 bit, with Supplier-consumer setup. REgards Debu -------------- next part -------------- An HTML attachment was scrubbed... URL: From david_list at boreham.org Wed Jan 14 06:18:30 2009 From: david_list at boreham.org (David Boreham) Date: Tue, 13 Jan 2009 23:18:30 -0700 Subject: [Fedora-directory-users] FDS DB fatal error In-Reply-To: <20090114061849.12037.qmail@f4mail-235-141.rediffmail.com> References: <20090114061849.12037.qmail@f4mail-235-141.rediffmail.com> Message-ID: <496D83B6.3030105@boreham.org> An HTML attachment was scrubbed... 
URL: From christopher.barry at qlogic.com Wed Jan 14 14:57:32 2009 From: christopher.barry at qlogic.com (Christopher Barry) Date: Wed, 14 Jan 2009 08:57:32 -0600 Subject: [Fedora-directory-users] RE: sequence of events In-Reply-To: <0F3ACA1C9E6FCA4BBABFC2B45BF279343BF37E669F@MNEXMB1.qlogic.org> References: <0F3ACA1C9E6FCA4BBABFC2B45BF279343BF37E669F@MNEXMB1.qlogic.org> Message-ID: <0F3ACA1C9E6FCA4BBABFC2B45BF279343BF37E6B94@MNEXMB1.qlogic.org> > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf > Of Christopher Barry > Sent: Tuesday, January 06, 2009 11:05 AM > To: General discussion list for the Fedora Directory server project. > Subject: [Fedora-directory-users] sequence of events > > Greetings all, > > Trying to wrap my head around how a linux laptop interacts > with AD/FDS when these are reachable - and not. Can you all > have a look and edit this post as required to bring me up to speed? > > A. User is added to AD > B. WinSync pulls changes to FDS over SSL > > 1a. Newly added user on Linux laptop logs into laptop plugged > into domain LAN > 1a.1 pam_krb5 acquires TGT from AD > 1a.2 nss_ldap acquires authorization/automount and other map > data from FDS (SSL?) > > 2a. User uses TGT to access NetApp to automount their home directory > > Domain login completes. Accessing other kerberized services > in an SSO mode functions. > > ==================== > > 1b. User logs into laptop off LAN > 1b.1 pam_unix authenticates the user from passwd/group/shadow > and he mounts local home directory. > > Local login completes. > > 3b. User vpns into office w/ vpnc. > 3b.1 accesses various servers/services with domain > username/password resolved from FDS - no kerberos. > > > Please edit/flesh out as appropriate. > > Thanks All, > Christopher Hello, Sorry to repost, but no one commented on the above. 
Can someone review above and let me know if I'm on the right track with my statements or clear up any misconceptions I may have? Thanks again, -C From cw-news at gmx.de Wed Jan 14 15:53:10 2009 From: cw-news at gmx.de (Seppel) Date: Wed, 14 Jan 2009 16:53:10 +0100 Subject: [Fedora-directory-users] Windows Sync and UserprincipalName In-Reply-To: <496CE08B.60103@redhat.com> References: <495629E0.4050407@gmx.de> <49623DE0.8020603@redhat.com> <496CDECF.9020107@gmx.de> <496CE08B.60103@redhat.com> Message-ID: <496E0A66.7020000@gmx.de> Rich Megginson schrieb: > Seppel wrote: >> Rich Megginson schrieb: >>> cw-news wrote: >>>> Hi, >>>> >>>> at the moment I am playing with the windows Sync feature. >>>> >>>> I would like to sync users from AD -> FDS. >>>> Is it possible to change the existing mapping? >>>> >>>> I would like to use the Userprincipalname in fds? >>> I'm not sure what you mean. Could you provide more details? >>>> >>>> Thanks for any hint or input >>>> carsten >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> Hi , >> >> sorry to be late. >> >> Does exists any kind of mapping which attributes from ActiveDirectory >> should be imported to FDS? >> I would like to an object userprincipalname in fds. > Ok, I see. The attribute mapping is hardcoded and is not extensible. > You might try Penrose virtual directory if you need a customized > attribute list. > IPA windows sync will map AD userprincipalname to krbPrincipalName. >> >> thanks >> seppel >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > Thanks. 
For that information, in the meantime I wrote my own. That way I am totally free in what I am doing.

regards

From bkosick at mxlogic.com Wed Jan 14 19:46:58 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Wed, 14 Jan 2009 12:46:58 -0700
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <1231894434.3319.52.camel@localhost.localdomain>
References: <1231888157.3319.13.camel@localhost.localdomain> <1231889185.3319.17.camel@localhost.localdomain> <20090114002710.GR26044@bakgwai.americas.hpqcorp.net> <1231894434.3319.52.camel@localhost.localdomain>
Message-ID: <1231962418.3316.8.camel@localhost.localdomain>

Hi All,

Sorry for the top post but I wanted to put the solution first...
It turns out that I need to lay off the crack pipe a little bit. As soon as I added --ghost to the correct place everything started working fine. This was a little frustrating as everything that I found on the Net seemed to indicate that the --ghost option goes in the wrong place.

Example: I WAS trying combinations of this, which doesn't work.

dn: cn=internal,ou=auto.software,dc=corp,dc=example,dc=com
cn: internal
objectClass: automount
automountInformation: -soft,intr,nodev,tcp,ro nfs.example.com:/var/qa --ghost

It works just fine when you add it here:

dn: cn=/software,ou=auto.master,dc=corp,dc=example,dc=com
objectClass: automount
cn: /software
automountInformation: ldap:qapxe.qa.mxlogic.com:ou=auto.software,dc=corp,dc=example,dc=com --ghost

I apologize for wasting everyone's time,

Brian

On Tue, 2009-01-13 at 17:53 -0700, Brian Kosick wrote:
> Hrrrm thanks,
>
> I believe that it is an unresolved bug, based on the info regarding this
> issue that I've already found via google....
>
> It looks like the autofs author back in 2006 came _real close_ to
> looking into this, but a workaround seemed to have put this issue back
> into the deep dark corners of his mind. In fact he probably has dreams
> that he forgot about something to this day because of it.
>
> I'm joining the list to see if I can't get anyone to look into this....
>
> Brian
>
> On Tue, 2009-01-13 at 17:27 -0700, Patrick Morris wrote:
> > On Tue, 13 Jan 2009, Brian Kosick wrote:
> >
> > > I should clarify... My original looked like this:
> > >
> > > dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> > > cn: internal
> > > objectClass: automount
> > > automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa
> > >
> > > Which worked but I want to use the --ghost option so I tried....
> > >
> > > dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
> > > cn: internal
> > > objectClass: automount
> > > automountInformation: -soft,intr,nodev,tcp,ro itchy.corp.mxlogic.com:/var/qa --ghost
> > >
> > > Which broke it.
> > > Brian
> >
> > As far as I know this is an unresolved bug in autofs's LDAP support.
> >
> > There may be workarounds depending on which OS/distribution you're on.

From a.orsaria at gmail.com Wed Jan 14 20:17:19 2009
From: a.orsaria at gmail.com (Alessandro Orsaria)
Date: Wed, 14 Jan 2009 21:17:19 +0100
Subject: [Fedora-directory-users] FDS and Kerberos in Windows Domain
In-Reply-To: <496CDF28.3030206@gmx.de>
References: <4968D1EE.9070902@gmx.de> <496CDF28.3030206@gmx.de>
Message-ID: <210ffe5d0901141217w29b9fa94g71e6cf5a96011ac5@mail.gmail.com>

Hi,

To use MS Kerberos for authentication and FDS for authorization, configure your Linux as a Kerberos client (/etc/krb5.conf). Then, in /etc/pam.d/system-auth you should have 3 lines like:

auth sufficient pam_krb5.so try_first_pass
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_access.so accessfile=/etc/security/access.conf

and map which users/groups should be allowed to access your machines in access.conf.

A.

2009/1/13 Seppel:
> Seppel wrote:
>>
>> Hi,
>>
>> I have installed a fds 1.1 on centos.
>>
>> I would like to use the kerberos authentication feature from my MS
>> ActiveDirectory Domain.
>> I am new with kerberos.
>> I found a howto but this howto is for Linux Kerberos and not for MS
>> Kerberos. Can anybody provide a howto on using MS Kerberos for FDS
>> authentication?
>>
>> Thanks in advance
>> seppel
>>
> Did nobody use kerberos authentication with fds?
>
> Nobody in MS Kerberos?
>
> thanks
> seppel

From rcritten at redhat.com Wed Jan 14 20:30:17 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 14 Jan 2009 15:30:17 -0500
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <1231962418.3316.8.camel@localhost.localdomain>
References: <1231888157.3319.13.camel@localhost.localdomain> <1231889185.3319.17.camel@localhost.localdomain> <20090114002710.GR26044@bakgwai.americas.hpqcorp.net> <1231894434.3319.52.camel@localhost.localdomain> <1231962418.3316.8.camel@localhost.localdomain>
Message-ID: <496E4B59.2030209@redhat.com>

Brian Kosick wrote:
> Hi All,
>
> Sorry for the top post but I wanted to put the solution first...
> It turns out that I need to lay off the crack pipe a little bit. As
> soon as I added --ghost to the correct place everything started working
> fine. This was a little frustrating as everything that I found on the
> Net seemed to indicate that the --ghost option goes in the wrong place.
>
> Example: I WAS trying combinations of this, which doesn't work.
>
> dn: cn=internal,ou=auto.software,dc=corp,dc=example,dc=com
> cn: internal
> objectClass: automount
> automountInformation: -soft,intr,nodev,tcp,ro nfs.example.com:/var/qa
> --ghost
>
> It works just fine when you add it here:
>
> dn: cn=/software,ou=auto.master,dc=corp,dc=example,dc=com
> objectClass: automount
> cn: /software
> automountInformation:
> ldap:qapxe.qa.mxlogic.com:ou=auto.software,dc=corp,dc=example,dc=com
> --ghost
>
> I apologize for wasting everyone's time,

Apologize!? Heck, thanks for tracking this down!

Do you know if this works without the ldap syntax in automountInformation? E.g. can you use just:

automountInformation: auto.software --ghost

cheers

rob

> Brian
>
> On Tue, 2009-01-13 at 17:53 -0700, Brian Kosick wrote:
>> Hrrrm thanks,
>>
>> I believe that it is an unresolved bug, based on the info regarding this
>> issue that I've already found via google....
>>
>> It looks like the autofs author back in 2006 came _real close_ to
>> looking into this, but a workaround seemed to have put this issue back
>> into the deep dark corners of his mind. In fact he probably has dreams
>> that he forgot about something to this day because of it.
>>
>> I'm joining the list to see if I can't get anyone to look into this....
>>
>> Brian
>>
>> On Tue, 2009-01-13 at 17:27 -0700, Patrick Morris wrote:
>>> On Tue, 13 Jan 2009, Brian Kosick wrote:
>>>
>>>> I should clarify... My original looked like this:
>>>>
>>>> dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
>>>> cn: internal
>>>> objectClass: automount
>>>> automountInformation: -soft,intr,nodev,tcp,ro
>>>> itchy.corp.mxlogic.com:/var/qa
>>>>
>>>> Which worked but I want to use the --ghost option so I tried....
>>>>
>>>> dn: cn=internal,ou=auto.software,dc=corp,dc=mxlogic,dc=com
>>>> cn: internal
>>>> objectClass: automount
>>>> automountInformation: -soft,intr,nodev,tcp,ro
>>>> itchy.corp.mxlogic.com:/var/qa --ghost
>>>>
>>>> Which broke it.
>>>> Brian
>>> As far as I know this is an unresolved bug in autofs's LDAP support.
>>>
>>> There may be workarounds depending on which OS/distribution you're on.

From bkosick at mxlogic.com Wed Jan 14 20:58:17 2009
From: bkosick at mxlogic.com (Brian Kosick)
Date: Wed, 14 Jan 2009 13:58:17 -0700
Subject: [Fedora-directory-users] autofs + LDAP
In-Reply-To: <496E4B59.2030209@redhat.com>
References: <1231888157.3319.13.camel@localhost.localdomain> <1231889185.3319.17.camel@localhost.localdomain> <20090114002710.GR26044@bakgwai.americas.hpqcorp.net> <1231894434.3319.52.camel@localhost.localdomain> <1231962418.3316.8.camel@localhost.localdomain> <496E4B59.2030209@redhat.com>
Message-ID: <1231966697.3316.12.camel@localhost.localdomain>

On Wed, 2009-01-14 at 13:30 -0700, Rob Crittenden wrote:
> Brian Kosick wrote:
> > Hi All,
> >
> > Sorry for the top post but I wanted to put the solution first...
> > It turns out that I need to lay off the crack pipe a little bit. As
> > soon as I added --ghost to the correct place everything started working
> > fine. This was a little frustrating as everything that I found on the
> > Net seemed to indicate that the --ghost option goes in the wrong place.
> >
> > Example: I WAS trying combinations of this, which doesn't work.
> >
> > dn: cn=internal,ou=auto.software,dc=corp,dc=example,dc=com
> > cn: internal
> > objectClass: automount
> > automountInformation: -soft,intr,nodev,tcp,ro nfs.example.com:/var/qa
> > --ghost
> >
> > It works just fine when you add it here:
> >
> > dn: cn=/software,ou=auto.master,dc=corp,dc=example,dc=com
> > objectClass: automount
> > cn: /software
> > automountInformation:
> > ldap:qapxe.qa.mxlogic.com:ou=auto.software,dc=corp,dc=example,dc=com
> > --ghost
> >
> > I apologize for wasting everyone's time,
>
> Apologize!? Heck, thanks for tracking this down!
>
> Do you know if this works without the ldap syntax in
> automountInformation? E.g. can you use just:
>
> automountInformation: auto.software --ghost
>
> cheers
>
> rob

Hrrm I don't know. From my understanding of how it works, wouldn't that be using LDAP to point back to the local /etc/auto.software file? Or just break it entirely? I can probably give it a try a little later...

Brian

From hartmann at fas.harvard.edu Thu Jan 15 03:35:11 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Wed, 14 Jan 2009 22:35:11 -0500
Subject: [Fedora-directory-users] Re: Binding to Directory Server with Kerberos Tickets
In-Reply-To: <4966577B.7040907@fas.harvard.edu>
References: <4966577B.7040907@fas.harvard.edu>
Message-ID: <496EAEEF.9080404@fas.harvard.edu>

Hi,

I was just wondering if anyone had any thoughts on this... if not, perhaps a recommendation for the best way to load balance a number of replicas and still allow LDAP to bind using a Kerberos ticket?

Thanks!

Tim

Tim Hartmann wrote:
> Hi,
>
> I've been configuring our Directory Server implementation to use gss-api
> for authentication, and it works great! However I ran into a bit of a
> snag and was hoping someone on the list might have a suggestion for a
> resolution!
>
> I followed the docs during my configuration and all went well
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Introduction_to_SASL-Configuring_Kerberos.html
>
> I'm able to bind to our ldap replicas with my TGT when I search the real hostname, however we load balance our replicas behind a Cisco SLB which serves out a second hostname and IP.
>
> I've updated the ldap keytab file to include both the Kerberos principals for the real hostname, and the slb hostname, and am still able to successfully bind with Kerberos to the real hostname, but not through the SLB.
>
> I had a similar problem with kerberized ssh a while back, and the solution there was a patch to openssh which allowed Kerberos to use any principal in the keytab file. (the GSSAPIStrictAcceptorCheck flag in ssh provides this) Does FDS have any similar configuration option? Or had anyone run into this sort of issue while trying to bind to ldap via kerberos?
>
> I'd also be willing to load balance the servers using some other means beside the SLB.
>
> Thanks!!
>
>
> Tim

From s at victornet.de Thu Jan 15 16:58:40 2009
From: s at victornet.de (Simon Victor)
Date: Thu, 15 Jan 2009 17:58:40 +0100
Subject: [Fedora-directory-users] Strange: authentication works only in debug mode?!
Message-ID: <92b80c850901150858w6f73269biae62ec4bcd2ee97f@mail.gmail.com>

Hello,

I have a strange problem here:

Environment: Ubuntu Server 8.10, Fedora Directory 1.1.0 B2009.09.419 (self built, see http://victornet.de/wiki/howto:buildfdsonubuntu).

Now, the server seems to run as expected:

./ns-slapd -d accesscontrol+connections -D
./ldapsearch -x -w password -D "cn=Directory Manager" -b dc=acme,dc=com "(objectclass=*)"

gives me results, works correctly. But:

/opt/dirsrv/lib/dirsrv/slapd-/start-slapd
./ldapsearch -x -w password -D "cn=Directory Manager" -b dc=acme,dc=com "(objectclass=*)"

always dies with "ldap_simple_bind: Invalid credentials".

I'm stuck at this issue about 4 hours and have no ideas anymore. Maybe somebody can help me with that.

Thanks in advance, regards,
Simon

Setup: fds

From hartmann at fas.harvard.edu Fri Jan 16 03:56:47 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Thu, 15 Jan 2009 22:56:47 -0500
Subject: [Fedora-directory-users] LDAP Proxy in Fedora Directory Server
Message-ID: <4970057F.5060408@fas.harvard.edu>

Hi

I've got a question on referrals and proxy in RHDS. I'm in mid migration from OpenLDAP and I ran into this stanza in the slapd.conf of the old replicas.

database ldap
suffix "cn=OracleContext,dc=school,dc=edu"
uri ldap://oidnames.sub.school.edu:8010/

From what I understand this is a proxy to one of our sister organizations' LDAP servers (Sun Directory Server I think)

I've been trying to replicate this functionality in my RHDS installation, and so far I've not been able to. I've tried default referrals and that doesn't seem to work. I've tried to use smart referrals, but that doesn't seem to be the right usage for smart referrals.

Will RHDS / FDS do LDAP proxying? Is there some other way that I should set up referrals to allow this sort of functionality to work?

Thanks in advance for your help!

Tim

From rmeggins at redhat.com Fri Jan 16 04:05:14 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 15 Jan 2009 21:05:14 -0700
Subject: [Fedora-directory-users] LDAP Proxy in Fedora Directory Server
In-Reply-To: <4970057F.5060408@fas.harvard.edu>
References: <4970057F.5060408@fas.harvard.edu>
Message-ID: <4970077A.5070406@redhat.com>

Tim Hartmann wrote:
> Hi
>
> I've got a question on referrals and proxy in RHDS. I'm in mid migration
> from OpenLDAP and I ran into this stanza in the slapd.conf of the old
> replicas.
>
> database ldap
> suffix "cn=OracleContext,dc=school,dc=edu"
> uri ldap://oidnames.sub.school.edu:8010/
>
> From what I understand this is a proxy to one of our sister
> organizations' LDAP servers (Sun Directory Server I think)
>
> I've been trying to replicate this functionality in my RHDS
> installation, and so far I've not been able to. I've tried default
> referrals and that doesn't seem to work. I've tried to use smart
> referrals, but that doesn't seem to be the right usage for smart referrals.
>
> Will RHDS / FDS do LDAP proxying? Is there some other way that I should
> set up referrals to allow this sort of functionality to work?
>
Referrals might work, if all of your clients are smart enough to know how to follow them.

I suggest the Chaining Database (aka Database Links) - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html

> Thanks in advance for your help!
>
> Tim

From lambam80 at hotmail.com Fri Jan 16 11:12:50 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Fri, 16 Jan 2009 06:12:50 -0500
Subject: [Fedora-directory-users] Windows Sync (via changelog) only works with front-ends sending unencrypted passwords
Message-ID:

Hello everybody and a BIG thanks to Rich, and the rest of you, for your kind aid. Can you please help with something else?

HISTORY
-------

We're currently investigating using Windows SYNC but only the password part of the SYNC functionality - no accounts.

My prototype works fine - if I change a password with Windows Ctrl+Alt+Del it is propagated to Redhat Directory Server (RHDS). If I change the RHDS password with a simple front end it is propagated to Windows Active-Directory (Netscape console, for example, or a script with userpassword: secret-password).

I read the following:
Directory Server passwords are synchronized along with other entry attributes because plain-text passwords are retained in the Directory Server changelog.
Source: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync

PROBLEM ?
---------

I think this only works with RHDS and password changing front-ends that send the password unencrypted.

For example, if I do something like the following with RHDS:

./ldapmodify -P "/root/.mozilla/firefox/acu5w0yl.default/cert8.db" -c -h ${DEST_HOST} -p ${DEST_PORT} -D "${DEST_BIND}" -w $DESTDN_PASSWORD <<EOF
dn: uid=${TGI},ou=People,${DEST_SUFFIX}
changetype: modify
replace: userpassword
userpassword: {SHA}v9KDMpMQgX13LuXtmWzmSaIcNGM=
EOF

Note: Please note the {SHA} stuff in 'userpassword'.

I cannot see how, using the changelog, RHDS can unencrypt the password from {SHA} so as to re-encode it in unicodePwd for sending to Active-Directory.
unicodePwd: good link http://www.eyrie.org/~eagle/journal/2007-07/010.html

My tests show that it doesn't work: After running the script I cannot login to Windows using my account/secret-password.

If however, I change my script to use the password unencrypted (userpassword: secret-password) the propagation works again and I can log into my Windows client.

Q1. Am I correct that it only works with RHDS front-ends that send the password unencrypted?

Thanks,

From rmeggins at redhat.com Fri Jan 16 15:31:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 16 Jan 2009 08:31:09 -0700
Subject: [Fedora-directory-users] Windows Sync (via changelog) only works with front-ends sending unencrypted passwords
In-Reply-To:
References:
Message-ID: <4970A83D.8080508@redhat.com>

lambam80 at hotmail.com wrote:
> Hello everybody and a BIG thanks to Rich, and the rest of you, for
> your kind aid. Can you please help with something else?
>
> HISTORY
> -------
>
> We're currently investigating using Windows SYNC but only the password
> part of the SYNC functionality - no accounts.
>
> My prototype works fine - if I change a password with Windows
> Ctrl+Alt+Del it
> is propagated to Redhat Directory Server (RHDS). If I change the RHDS
> password with a simple front end it
> is propagated to Windows Active-Directory (Netscape console, for
> example, or a script with userpassword: secret-password).
>
> I read the following:
> Directory Server passwords are synchronized along with other entry
> attributes because plain-text passwords are retained in the Directory
> Server changelog.
> Source:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync
>
> PROBLEM ?
> ---------
>
> I think this only works with RHDS and password changing front-ends
> that send the password unencrypted.
>
> For example, if I do something like the following with RHDS:
>
> ./ldapmodify -P "/root/.mozilla/firefox/acu5w0yl.default/cert8.db" -c
> -h ${DEST_HOST} -p ${DEST_PORT} -D "${DEST_BIND}" -w $DESTDN_PASSWORD
> <<EOF
> dn: uid=${TGI},ou=People,${DEST_SUFFIX}
> changetype: modify
> replace: userpassword
> userpassword: {SHA}v9KDMpMQgX13LuXtmWzmSaIcNGM=
> EOF
>
> Note: Please note the {SHA} stuff in 'userpassword'.
>
> I cannot see how, using the changelog, RHDS can unencrypt the password
> from {SHA} so as to
> re-encode it in unicodePwd for sending to Active-Directory.
> unicodePwd: good link
> http://www.eyrie.org/~eagle/journal/2007-07/010.html
>
>
> My tests show that it doesn't work: After running the script I cannot
> login to Windows
> using my account/secret-password.
>
> If however, I change my script to use the password unencrypted
> (userpassword: secret-password) the propagation works again and I can
> log into my Windows client.
>
> Q1. Am I correct that it only works with RHDS front-ends that send the
> password unencrypted?

Yes. SHA and other hashes are one way only - it is practically impossible to convert a SHA hash to the original clear text password. In addition, AD must have the clear text password sent to it in order for it to generate its hashes and keys used for Windows authentication.

> Thanks,
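Rich's answer above, as an added example in Python (not code from this thread, from Directory Server or from Windows Sync): it builds and checks userPassword values the way the {SHA} and {SSHA} storage schemes define them, produces the unicodePwd value Active Directory expects (the password in double quotes, UTF-16LE), and models what a sync agent reading the changelog can do with each kind of value. The password strings and the 4-byte salt are constructed here; the {SHA} value is the one quoted in the thread.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Prefixes of the one-way storage schemes Directory Server can keep in userPassword.
HASH_SCHEMES = ("{SHA}", "{SSHA}", "{MD5}", "{SMD5}", "{CRYPT}")
SHA1_LEN = 20  # bytes in a SHA-1 digest


def sha_userpassword(password: str) -> str:
    """Encode a password as the {SHA} scheme does: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Encode as the salted {SSHA} scheme does: base64(SHA-1(password || salt) || salt).
    When no salt is given, 4 random bytes are constructed here."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Compare a candidate against a stored userPassword value.

    This is all a hash permits: recompute and compare in constant time. Neither this
    function nor the server can recover the clear text from a {SHA}/{SSHA} value."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_userpassword(candidate), stored)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        salt = raw[SHA1_LEN:]  # whatever follows the digest is the salt
        return hmac.compare_digest(ssha_userpassword(candidate, salt), stored)
    if stored.startswith("{"):
        raise ValueError("scheme not handled here: " + stored.split("}", 1)[0] + "}")
    # No scheme prefix: the stored value is clear text.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def unicode_pwd(password: str) -> bytes:
    """The value Active Directory expects in unicodePwd: the password wrapped in
    double quotes and encoded as UTF-16LE (base64-wrapped when written in LDIF)."""
    return ('"' + password + '"').encode("utf-16-le")


def changelog_to_unicode_pwd(userpassword_value: str) -> Optional[bytes]:
    """Model of what a sync agent can do with the userPassword value it reads from
    the changelog: clear text can be re-encoded for AD, a hashed value cannot, so
    there is nothing to send and the AD password stays as it was."""
    if userpassword_value.startswith(HASH_SCHEMES):
        return None
    return unicode_pwd(userpassword_value)


if __name__ == "__main__":
    clear = "secret-password"  # constructed sample
    hashed = sha_userpassword(clear)
    print(hashed, verify_userpassword(hashed, clear), verify_userpassword(hashed, "wrong"))
    print(changelog_to_unicode_pwd(clear))
    print(changelog_to_unicode_pwd("{SHA}v9KDMpMQgX13LuXtmWzmSaIcNGM="))
```

The flip side of Rich's answer is the one the documentation quote already states: for the sync to work, the changelog holds clear-text passwords, so access to the changelog and to the replication connection deserves the same care as the password hashes themselves.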
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From hartmann at fas.harvard.edu Fri Jan 16 18:36:18 2009 From: hartmann at fas.harvard.edu (Tim Hartmann) Date: Fri, 16 Jan 2009 13:36:18 -0500 Subject: [Fedora-directory-users] LDAP Proxy in Fedora Directory Server In-Reply-To: <4970077A.5070406@redhat.com> References: <4970057F.5060408@fas.harvard.edu> <4970077A.5070406@redhat.com> Message-ID: <4970D3A2.9010003@fas.harvard.edu> Rich, Thanks for the tip! So far that seems to be exactly what i need! I had to set nsProxiedAuthorization to "no" for my proxy to work, once i did that I started getting the expected results of my query! I've set this up on one server, and I DO have a question about the best way to push this out to my replica's. Can Linking directories be replicated like other root suffix's, or should i be manually adding them to all the replica's. Can you set a replication agreement up for a Link /Chain at all, and if you can, should you? Thanks! And thanks again for steering me in the right direction! Tim Rich Megginson wrote: > Tim Hartmann wrote: >> Hi >> >> I've got a question on referrals and proxy in RHDS. I'm in mid migration >> from OpenLDAP and I ran into this stansa in the slapd.conf of the old >> replicas. >> >> database ldap >> suffix "cn=OracleContext,dc=school,dc=edu" >> uri ldap://oidnames.sub.school.edu:8010/ >> >> >From what I understand this is a proxy to one of our sister >> organizations LDAP servers (Sun Directory Server I think) >> >> I've been trying to replicate this functionality in my RHDS >> installation, and so far i've not been able to. I've tried default >> referrals and that doesn't seem to work. I've tried to use smart >> referrals, but that doesn't seem to be the right usage for smart >> referrals. >> >> Will RHDS / FDS do LDAP proxying? Is there some other way that I should >> set up referrals to allow this sort of functionality to work? 
>> > Referrals might work, if all of your clients are smart enough to know > how to follow them. > > I suggesting Chaining Database (aka Database Links) - > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html >> Thanks in advance for your help! >> >> Tim >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Fri Jan 16 19:43:13 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 16 Jan 2009 12:43:13 -0700 Subject: [Fedora-directory-users] LDAP Proxy in Fedora Directory Server In-Reply-To: <4970D3A2.9010003@fas.harvard.edu> References: <4970057F.5060408@fas.harvard.edu> <4970077A.5070406@redhat.com> <4970D3A2.9010003@fas.harvard.edu> Message-ID: <4970E351.1060500@redhat.com> Tim Hartmann wrote: > Rich, > > Thanks for the tip! So far that seems to be exactly what i need! I had > to set > > nsProxiedAuthorization to "no" for my proxy to work, once i did that I > started getting the expected results of my query! > > I've set this up on one server, and I DO have a question about the best > way to push this out to my replica's. Can Linking directories be > replicated like other root suffix's, or should i be manually adding them > to all the replica's. Can you set a replication agreement up for a Link > /Chain at all, and if you can, should you? > I'm not sure what you mean - do you mean replicate the definition of the database link? If so, then no, you cannot replicate cn=config. However, you can add the database link definition over LDAP, so you could easily script it with ldapmodify to add it to all of your replicas. > Thanks! And thanks again for steering me in the right direction! 
>
> Tim
>
> Rich Megginson wrote:
>> Tim Hartmann wrote:
>>> Hi
>>>
>>> I've got a question on referrals and proxy in RHDS. I'm in mid migration from OpenLDAP and I ran into this stanza in the slapd.conf of the old replicas.
>>>
>>> database ldap
>>> suffix "cn=OracleContext,dc=school,dc=edu"
>>> uri ldap://oidnames.sub.school.edu:8010/
>>>
>>> From what I understand this is a proxy to one of our sister organizations' LDAP servers (Sun Directory Server I think)
>>>
>>> I've been trying to replicate this functionality in my RHDS installation, and so far I've not been able to. I've tried default referrals and that doesn't seem to work. I've tried to use smart referrals, but that doesn't seem to be the right usage for smart referrals.
>>>
>>> Will RHDS / FDS do LDAP proxying? Is there some other way that I should set up referrals to allow this sort of functionality to work?
>>>
>> Referrals might work, if all of your clients are smart enough to know how to follow them.
>>
>> I suggest Chaining Database (aka Database Links) - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html
>>
>>> Thanks in advance for your help!
>>>
>>> Tim
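Rich's suggestion above is to script the database link definition with ldapmodify, because cn=config is never replicated. The script below is an added example (mine, not code from the thread or from the Directory Server project): it prints the two LDIF entries that define a chaining database link, the link itself under cn=chaining database,cn=plugins,cn=config and the mapping-tree entry that routes the suffix to it, and applies them to a list of replicas. The attribute names follow the database-link chapter of the Red Hat Directory Server 8.0 Administration Guide that Rich links to; the link name DBLink1, the proxy bind DN cn=proxy admin,cn=config, the replica hostnames and port 389 are placeholders I chose, while the suffix and farm URL are the ones from Tim's old slapd.conf stanza.

```shell
#!/bin/sh
# Added example (not from the thread or the 389/Fedora DS project): generate the
# LDIF for a database link (chaining backend) plus its mapping-tree entry and
# push it to every replica with ldapmodify, since cn=config is not replicated.
# Attribute names follow the RHDS 8.0 Administration Guide; the link name,
# bind DN, hosts and port are placeholders.

# Print the two LDIF entries that define a database link.
#   $1 link name, $2 suffix the link serves locally, $3 farm server URL,
#   $4 bind DN the link uses on the farm server, $5 that DN's password
dblink_ldif() {
    name=$1; suffix=$2; farm_url=$3; bind_dn=$4; bind_pw=$5
    cat <<EOF
dn: cn=$name,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: $name
nsslapd-suffix: $suffix
nsfarmserverurl: $farm_url
nsmultiplexorbinddn: $bind_dn
nsmultiplexorcredentials: $bind_pw

dn: cn="$suffix",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: $suffix
nsslapd-state: backend
nsslapd-backend: $name
EOF
}

# Apply one LDIF document to each replica named on the command line.
# Directory Manager's password is prompted for (-W) rather than passed as an
# argument, so it does not land in shell history or the process list.
#   $1 LDIF text, remaining arguments: replica hostnames
push_dblink() {
    ldif=$1; shift
    for host in "$@"; do
        echo "== applying database link to $host" >&2
        printf '%s\n' "$ldif" | ldapmodify -x -a -H "ldap://$host:389/" \
            -D "cn=Directory Manager" -W
    done
}

# Usage (constructed values; suffix and farm URL are from Tim's slapd.conf):
#   ldif=$(dblink_ldif DBLink1 "cn=OracleContext,dc=school,dc=edu" \
#       "ldap://oidnames.sub.school.edu:8010/" "cn=proxy admin,cn=config" "$BIND_PW")
#   push_dblink "$ldif" replica1.school.edu replica2.school.edu
```

Two things to keep in mind when using this: nsmultiplexorcredentials ends up stored in cn=config on every replica, so the bind DN on the farm server should be a dedicated account with only the proxy rights the Admin Guide describes, not an administrator, and read access to cn=config should be restricted accordingly. If, like Tim, you need to turn off proxied authorization for the link, add the nsProxiedAuthorization attribute he mentions to the first entry.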
From hartmann at fas.harvard.edu Fri Jan 16 20:05:43 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Fri, 16 Jan 2009 15:05:43 -0500
Subject: [Fedora-directory-users] LDAP Proxy in Fedora Directory Server
In-Reply-To: <4970E351.1060500@redhat.com>
References: <4970057F.5060408@fas.harvard.edu> <4970077A.5070406@redhat.com> <4970D3A2.9010003@fas.harvard.edu> <4970E351.1060500@redhat.com>
Message-ID: <4970E897.8050103@fas.harvard.edu>

Rich Megginson wrote:
> I'm not sure what you mean - do you mean replicate the definition of the database link? If so, then no, you cannot replicate cn=config. However, you can add the database link definition over LDAP, so you could easily script it with ldapmodify to add it to all of your replicas.

Yup, I was asking if you could replicate the definition of the link! Thanks! This is one more checkmark off my list of things that "MUST WORK!"

Thanks much!

Tim

From jsullivan at opensourcedevel.com Sun Jan 18 00:59:49 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 17 Jan 2009 19:59:49 -0500
Subject: [Fedora-directory-users] idm-console does not accept cert
Message-ID: <1232240389.6499.60.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. We are working on implementing SSL on our directory server. Our test environment is using Centos using console framework 1.1.1 and ds centos-ds-8.0.0-1.4.el5.centos.4. When we attempt to login to centos-idm-console, we receive an error that the certificate this server presents is either untrusted or unknown. When we view the cert, the note under details says "Untrusted issuer". However, if we look in Manage Certificates for the Administration Server (I assume the console is logging into the Administration Server but the same is true for the Directory Server), we see the CA cert as trusted and see the certificate chain.
Everything looks correct. Why is the console not trusting the CA cert? Is it looking for it someplace else? If so, where?

More details: I'm assuming the problem is the CA cert. The admin server cert details are:

cn=ldap01admin.ssiservices.biz

There are DNS entries in subjAltName of:

ldap01.ssiservices.biz
ldap01
ldap01admin

and there is an IP address entry.

I get the same problem connecting to https://ldap01admin.ssiservices.biz:9830 as https://ldap01.ssiservices.biz:9830

--
John A. Sullivan III
Open Source Development Corporation
Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense

From jsullivan at opensourcedevel.com Sun Jan 18 01:09:17 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 17 Jan 2009 20:09:17 -0500
Subject: [Fedora-directory-users] idm-console does not accept cert
In-Reply-To: <1232240389.6499.60.camel@jaspav.missionsit.net.missionsit.net>
References: <1232240389.6499.60.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1232240957.6499.66.camel@jaspav.missionsit.net.missionsit.net>

On Sat, 2009-01-17 at 19:59 -0500, John A. Sullivan III wrote:
> Hello, all. We are working on implementing SSL on our directory server. Our test environment is using Centos using console framework 1.1.1 and ds centos-ds-8.0.0-1.4.el5.centos.4. When we attempt to login to centos-idm-console, we receive an error that the certificate this server presents is either untrusted or unknown. When we view the cert, the note under details says "Untrusted issuer". However, if we look in Manage Certificates for the Administration Server (I assume the console is logging into the Administration Server but the same is true for the Directory Server), we see the CA cert as trusted and see the certificate chain.
> Everything looks correct. Why is the console not trusting the CA cert? Is it looking for it someplace else? If so, where?
>
> More details: I'm assuming the problem is the CA cert. The admin server cert details are:
> cn=ldap01admin.ssiservices.biz
> There are DNS entries in subjAltName of:
> ldap01.ssiservices.biz
> ldap01
> ldap01admin
> and there is an IP address entry.
>
> I get the same problem connecting to https://ldap01admin.ssiservices.biz:9830 as https://ldap01.ssiservices.biz:9830

On a lark, I took a look in my home directory and, sure enough, found a .centos-idm-console directory. I entered it and issued the following command to import the CA cert into the individual user's database:

certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/SSICA.pem

It all works now. Perhaps I overlooked it but I did not see that step in the documentation.

I've also noticed that the manage certificate dialogs reverse the OU and O fields on the details page.

Finally, it appears idm-console can use the entries in the subjAltName, i.e., I can login using both ldap01 and ldap01admin for the host, but it does not like the IP field, i.e., I cannot login to https://10.1.1.1:9830 without generating a cert warning - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Sun Jan 18 02:37:04 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 17 Jan 2009 21:37:04 -0500
Subject: [Fedora-directory-users] Clarification of User DS tab
Message-ID: <1232246224.6499.77.camel@jaspav.missionsit.net.missionsit.net>

I'm in the midst of setting up a DS replica using SSL and find myself a bit confused on the purpose of the User DS and Configuration DS tabs in the Administration Server Configuration. Could someone point me to some documentation on them?
What do they represent? I am guessing the Configuration DS is how we connect to the portion of the tree holding configuration (o=NetscapeRoot?). When the LDAP server is part of another administrative domain, should this point to the local LDAP server or to the LDAP server which manages the administrative domain?

I am also guessing the User DS is that portion of the tree holding the user directory, i.e., most of the directory. In the case of a read-only replica, should this point to the read/write master? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense

From jsullivan at opensourcedevel.com Sun Jan 18 04:31:03 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 17 Jan 2009 23:31:03 -0500
Subject: [Fedora-directory-users] Problems with replication and granular password policies
Message-ID: <1232253063.6499.85.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. I've had major grief tonight trying to set up replication in our test environment. I'll submit this email to document our workarounds in case others hit the same problems and to solicit corrections in case the problem was not the product and documentation but rather our approach.

First we have the issue of the Supplier Bind DN. We attempted to create the user by stopping dirsrv on the RO replica and adding the following to dse.ldif:

dn: cn=repliman,cn=config
uid: repliman
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: repliman
givenname: Replication
sn: Manager
userPassword:
passwordExpirationTime: 20380119031407Z

We've never gotten it to work. The replication agreement wizard cannot find the dn.
We've always had to create the user through the console in the config branch, and then we can find the user.

Once we did that, we hit a second problem. We had enabled fine grained password policies and required users to change their password when reset. This, of course, applied to the Supplier Bind DN user but we did not realize that at first. Perhaps a note in the documentation would have helped. Once we created the custom password policy for the user, all finally worked fine.

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From bbahar3 at gmail.com Sun Jan 18 05:26:55 2009
From: bbahar3 at gmail.com (Eric)
Date: Sun, 18 Jan 2009 08:56:55 +0330
Subject: [Fedora-directory-users] migrating from fedora-ds-1.0.4 to fedora-ds-1.1- problem
Message-ID: <38a27c8c0901172126h127c8ef3qe8822bfc42026985@mail.gmail.com>

Hi,

I had fedora-ds-1.0.4 on centos 5.2. I migrated to fedora-ds-1.1. fedora-idm-console runs and all data are there. Command line search works too, but there are some problems. When I use: rpm -q fedora-ds the version is fedora-1.0.4. When I search passwords of users it shows: {cypt}mypasswd but when I used 1.0.4 it was showing the encrypted password. Why are there these differences? Is there any problem in installing or migrating?

From jsullivan at opensourcedevel.com Sun Jan 18 06:40:11 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sun, 18 Jan 2009 01:40:11 -0500
Subject: [Fedora-directory-users] DSGW on LDAP server
Message-ID: <1232260811.6499.94.camel@jaspav.missionsit.net.missionsit.net>

If installing DSGW on the same server as Directory Server, should it be compiled with --with-adminserver=no? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense

From tscherf at redhat.com Sun Jan 18 12:40:48 2009
From: tscherf at redhat.com (Thorsten Scherf)
Date: Sun, 18 Jan 2009 13:40:48 +0100
Subject: [Fedora-directory-users] Re: Clarification of User DS tab
In-Reply-To: <1232246224.6499.77.camel@jaspav.missionsit.net.missionsit.net>
References: <1232246224.6499.77.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <20090118124048.GB2769@tscherf.redhat.com>

On [Sat, 17.01.2009 21:37], John A. Sullivan III wrote:
>I'm in the midst of setting up a DS replica using SSL and find myself a bit confused on the purpose of the User DS and Configuration DS tabs in the Administration Server Configuration. Could someone point me to some documentation on them?
>
>What do they represent? I am guessing the Configuration DS is how we connect to the portion of the tree holding configuration (o=NetscapeRoot?). When the LDAP server is part of another administrative domain, should this point to the local LDAP server or to the LDAP server which manages the administrative domain?

The Configuration DS is o=Netscaperoot and User DS is the dn of your DIT, eg. dc=example,dc=com. Since you can setup a dedicated DS just for your Configuration, it makes sense to have separated SSL-Configuration settings for accessing the Configuration and User DS.

When you have a setup where several LDAP instances share the same Configuration Directory, then you have to point the User DS to the local running instances and for the Configuration Directory you point to the server which holds a copy of o=NetscapeRoot.

Happy Day.
Thorsten

--
"Eternity is a very long time, especially towards the end." - Stephen Hawking
From ldapgroup at visolve.com Mon Jan 19 10:47:31 2009
From: ldapgroup at visolve.com (ldapgroup)
Date: Mon, 19 Jan 2009 16:17:31 +0530
Subject: [Fedora-directory-users] Re: Referrals in RHDS
Message-ID: <3E4A354DB9C44DCE9126ADF87BB0FA00@gorco>

Hi Tim,

It is possible to configure Referrals (default, smart and suffix referrals also).

Referrals Configuration:

dn: cn=config
changetype: modify
replace: nsslapd-referral
nsslapd-referral: ldap://$LdapHost:$PORT2/o=referral.com

Here PORT2 and LdapHost are the port number and hostname of server two, to which server1 will be referring. This is the configuration of DEFAULT Referrals.

Regards,
R.Gopinath

>> Tim Hartmann wrote:
>>> Hi
>>>
>>> I've got a question on referrals and proxy in RHDS. I'm in mid migration from OpenLDAP and I ran into this stanza in the slapd.conf of the old replicas.
>>>
>>> database ldap
>>> suffix "cn=OracleContext,dc=school,dc=edu"
>>> uri ldap://oidnames.sub.school.edu:8010/
>>>
>>> From what I understand this is a proxy to one of our sister organizations' LDAP servers (Sun Directory Server I think)
>>>
>>> I've been trying to replicate this functionality in my RHDS installation, and so far I've not been able to. I've tried default referrals and that doesn't seem to work. I've tried to use smart referrals, but that doesn't seem to be the right usage for smart referrals.
>>>
>>> Will RHDS / FDS do LDAP proxying? Is there some other way that I should set up referrals to allow this sort of functionality to work?
>>>
>> Referrals might work, if all of your clients are smart enough to know how to follow them.
>>
>> I suggest Chaining Database (aka Database Links) - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html
>>
>>> Thanks in advance for your help!
>>>
>>> Tim

From jsullivan at opensourcedevel.com Mon Jan 19 11:25:40 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 19 Jan 2009 06:25:40 -0500
Subject: [Fedora-directory-users] Re: Clarification of User DS tab
In-Reply-To: <20090118124048.GB2769@tscherf.redhat.com>
References: <1232246224.6499.77.camel@jaspav.missionsit.net.missionsit.net> <20090118124048.GB2769@tscherf.redhat.com>
Message-ID: <1232364340.6479.9.camel@jaspav.missionsit.net.missionsit.net>

On Sun, 2009-01-18 at 13:40 +0100, Thorsten Scherf wrote:
> On [Sat, 17.01.2009 21:37], John A. Sullivan III wrote:
> >I'm in the midst of setting up a DS replica using SSL and find myself a bit confused on the purpose of the User DS and Configuration DS tabs in the Administration Server Configuration. Could someone point me to some documentation on them?
> >
> >What do they represent? I am guessing the Configuration DS is how we connect to the portion of the tree holding configuration (o=NetscapeRoot?). When the LDAP server is part of another administrative domain, should this point to the local LDAP server or to the LDAP server which manages the administrative domain?
>
> The Configuration DS is o=Netscaperoot and User DS is the dn of your DIT, eg. dc=example,dc=com. Since you can setup a dedicated DS just for your Configuration, it makes sense to have separated SSL-Configuration settings for accessing the Configuration and User DS.
>
> When you have a setup where several LDAP instances share the same Configuration Directory, then you have to point the User DS to the local running instances and for the Configuration Directory you point to the server which holds a copy of o=NetscapeRoot.
>
> Happy Day.
> Thorsten

Thank you, Thorsten. I assume when you say "several LDAP instances" you are not referring to replicas but separate trees. Is that correct? Thus, in the case of replicas, the User DS would point to the RW Master? - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From lambam80 at hotmail.com Mon Jan 19 11:33:39 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Mon, 19 Jan 2009 06:33:39 -0500
Subject: [Fedora-directory-users] Windows Sync Not working with AD password = P@ssw0rd ?
Message-ID:

Hello everybody and thanks for the tremendous support to date.

Firstly, yes I'm a paranoid personality ...

It's too late for me to try recreating this problem using my existing machines.

Is it possible that accounts created on RHDS are not 'replicated' to Active-Directory if the AD Administrator password is 'P@ssw0rd'? Please note, shame on me, I'm performing my replication using the AD Administrator account.

If you've not yet died laughing, at my expense :-), any help would be greatly appreciated.

From gopinath at visolve.com Mon Jan 19 03:46:55 2009
From: gopinath at visolve.com (gopinath)
Date: Mon, 19 Jan 2009 09:16:55 +0530
Subject: [Fedora-directory-users] RE: Referrals in RHDS
In-Reply-To: <20090117170010.1B32D61A907@hormel.redhat.com>
Message-ID:

Hi Tim,

It is possible to configure Referrals (default, smart and suffix referrals also).

Referrals Configuration:

dn: cn=config
changetype: modify
replace: nsslapd-referral
nsslapd-referral: ldap://$LdapHost:$PORT2/o=referral.com

Here PORT2 and LdapHost are the port number and hostname of server two, to which server1 will be referring. This is the configuration of DEFAULT Referrals.

Regards,
R.Gopinath

>> Tim Hartmann wrote:
>>> Hi
>>>
>>> I've got a question on referrals and proxy in RHDS. I'm in mid migration from OpenLDAP and I ran into this stanza in the slapd.conf of the old replicas.
>>>
>>> database ldap
>>> suffix "cn=OracleContext,dc=school,dc=edu"
>>> uri ldap://oidnames.sub.school.edu:8010/
>>>
>>> From what I understand this is a proxy to one of our sister organizations' LDAP servers (Sun Directory Server I think)
>>>
>>> I've been trying to replicate this functionality in my RHDS installation, and so far I've not been able to. I've tried default referrals and that doesn't seem to work. I've tried to use smart referrals, but that doesn't seem to be the right usage for smart referrals.
>>>
>>> Will RHDS / FDS do LDAP proxying? Is there some other way that I should set up referrals to allow this sort of functionality to work?
>>>
>> Referrals might work, if all of your clients are smart enough to know how to follow them.
>>
>> I suggest Chaining Database (aka Database Links) - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html
>>
>>> Thanks in advance for your help!
>>>
>>> Tim

From janfrode at tanso.net Mon Jan 19 14:53:13 2009
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Mon, 19 Jan 2009 15:53:13 +0100
Subject: [Fedora-directory-users] nested groups
Message-ID:

Is there any way of nesting groups in fedora directory server? I tried creating a group "testgroup" with another group as uniqueMember, but "getent group testgroup" didn't nest in any users from the uniqueMember group.

-jf

From rmeggins at redhat.com Tue Jan 20 15:43:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 20 Jan 2009 08:43:09 -0700
Subject: [Fedora-directory-users] idm-console does not accept cert
In-Reply-To: <1232240957.6499.66.camel@jaspav.missionsit.net.missionsit.net>
References: <1232240389.6499.60.camel@jaspav.missionsit.net.missionsit.net> <1232240957.6499.66.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4975F10D.8090307@redhat.com>

John A. Sullivan III wrote:
> On Sat, 2009-01-17 at 19:59 -0500, John A. Sullivan III wrote:
>> Hello, all.
>> We are working on implementing SSL on our directory server. Our test environment is using Centos using console framework 1.1.1 and ds centos-ds-8.0.0-1.4.el5.centos.4. When we attempt to login to centos-idm-console, we receive an error that the certificate this server presents is either untrusted or unknown. When we view the cert, the note under details says "Untrusted issuer". However, if we look in Manage Certificates for the Administration Server (I assume the console is logging into the Administration Server but the same is true for the Directory Server), we see the CA cert as trusted and see the certificate chain. Everything looks correct. Why is the console not trusting the CA cert? Is it looking for it someplace else? If so, where?
>>
>> More details: I'm assuming the problem is the CA cert. The admin server cert details are:
>> cn=ldap01admin.ssiservices.biz
>> There are DNS entries in subjAltName of:
>> ldap01.ssiservices.biz
>> ldap01
>> ldap01admin
>> and there is an IP address entry.
>>
>> I get the same problem connecting to https://ldap01admin.ssiservices.biz:9830 as https://ldap01.ssiservices.biz:9830
>>
> On a lark, I took a look in my home directory and, sure enough, found a .centos-idm-console directory. I entered it and issued the following command to import the CA cert into the individual user's database:
>
> certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/SSICA.pem
>
> It all works now. Perhaps I overlooked it but I did not see that step in the documentation.
>
Please file a doc bug.

The way it should work is if there is no CA cert, you should get a dialog asking you if you want to temporarily accept the connection. Is it possible there was an old CA cert in ~/.centos-idm-console/cert8.db?

> I've also noticed that the manage certificate dialogs reverse the OU and O fields on the details page.
>
This has been fixed and the fix will be in the next release.
> Finally, it appears idm-console can use the entries in the subjAltName, i.e., I can login using both ldap01 and ldap01admin for the host, but it does not like the IP field, i.e., I cannot login to https://10.1.1.1:9830 without generating a cert warning - John
>
I'm not sure if IP addresses are supposed to play well with subjectAltName - do other software packages work like this? I'm not sure what the standards say about this.

From rmeggins at redhat.com Tue Jan 20 15:45:14 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 20 Jan 2009 08:45:14 -0700
Subject: [Fedora-directory-users] Problems with replication and granular password policies
In-Reply-To: <1232253063.6499.85.camel@jaspav.missionsit.net.missionsit.net>
References: <1232253063.6499.85.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4975F18A.8030704@redhat.com>

John A. Sullivan III wrote:
> Hello, all. I've had major grief tonight trying to set up replication in our test environment. I'll submit this email to document our workarounds in case others hit the same problems and to solicit corrections in case the problem was not the product and documentation but rather our approach.
>
> First we have the issue of the Supplier Bind DN. We attempted to create the user by stopping dirsrv on the RO replica and adding the following to dse.ldif:
>
> dn: cn=repliman,cn=config
> uid: repliman
> objectClass: inetorgperson
> objectClass: person
> objectClass: top
> cn: repliman
> givenname: Replication
> sn: Manager
> userPassword:
> passwordExpirationTime: 20380119031407Z
>
> We've never gotten it to work. The replication agreement wizard cannot find the dn.
I'm not sure what you mean by this.
> We've always had to create the user through the console in the config branch, and then we can find the user.
>
> Once we did that, we hit a second problem. We had enabled fine grained password policies and required users to change their password when reset. This, of course, applied to the Supplier Bind DN user but we did not realize that at first. Perhaps a note in the documentation would have helped. Once we created the custom password policy for the user, all finally worked fine.
>
Please file a doc bug.

From rmeggins at redhat.com Tue Jan 20 15:49:51 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 20 Jan 2009 08:49:51 -0700
Subject: [Fedora-directory-users] migrating from fedora-ds-1.0.4 to fedora-ds-1.1- problem
In-Reply-To: <38a27c8c0901172126h127c8ef3qe8822bfc42026985@mail.gmail.com>
References: <38a27c8c0901172126h127c8ef3qe8822bfc42026985@mail.gmail.com>
Message-ID: <4975F29F.8000607@redhat.com>

Eric wrote:
> Hi,
> I had fedora-ds-1.0.4 on centos 5.2. I migrated to fedora-ds-1.1. fedora-idm-console runs and all data are there. Command line search works too, but there are some problems. When I use: rpm -q fedora-ds the version is fedora-1.0.4.
fedora-ds is just a "meta" package - you can remove it if you like. To check for the "real" versions:

rpm -qi fedora-ds-base
rpm -qi fedora-ds-admin

> When I search passwords of users it shows: {cypt}mypasswd but when I used 1.0.4 it was showing the encrypted password. Why are there these differences?
I don't know. What exactly did it show before? The base64 encoded password?

> Is there any problem in installing or migrating?
Not that I know of.
From rmeggins at redhat.com Tue Jan 20 15:51:55 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 20 Jan 2009 08:51:55 -0700
Subject: [Fedora-directory-users] DSGW on LDAP server
In-Reply-To: <1232260811.6499.94.camel@jaspav.missionsit.net.missionsit.net>
References: <1232260811.6499.94.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4975F31B.9040602@redhat.com>

John A. Sullivan III wrote:
> If installing DSGW on the same server as Directory Server, should it be compiled with --with-adminserver=no? Thanks - John
>
I don't think so. The --with-adminserver=no was intended to be used if you wanted to have DSGW without fedora-ds-admin e.g. just a plain old apache installation. But it will take some work to make it work that way.

What exactly are you trying to do?

From rmeggins at redhat.com Tue Jan 20 15:55:53 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 20 Jan 2009 08:55:53 -0700
Subject: [Fedora-directory-users] Windows Sync Not working with AD password = P@ssw0rd ?
In-Reply-To:
References:
Message-ID: <4975F409.203@redhat.com>

lambam80 at hotmail.com wrote:
> Hello everybody and thanks for the tremendous support to date.
>
> Firstly, yes I'm a paranoid personality ...
>
> It's too late for me to try recreating this problem using my existing machines.
>
> Is it possible that accounts created on RHDS are not 'replicated' to Active-Directory if the AD Administrator password is 'P@ssw0rd'? Please note, shame on me, I'm performing my replication using the AD Administrator account.
>
> If you've not yet died laughing, at my expense :-), any help would be greatly appreciated.
So, if you use a windows sync user password of 'P@ssw0rd', windows sync doesn't work? But if you use a password that does not contain the @ character, it does work?

Have you tried using ldapsearch from the command line to test your username and password? e.g. something like

ldapsearch -x -h adhostname -D "cn=administrator,cn=users,dc=domain,dc=com" -w 'P@ssw0rd' -s base -b ""

Try turning on error log level 8192 and attempt windows sync again - http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

From jsullivan at opensourcedevel.com Tue Jan 20 19:45:09 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 20 Jan 2009 14:45:09 -0500
Subject: [Fedora-directory-users] idm-console does not accept cert
In-Reply-To: <4975F10D.8090307@redhat.com>
References: <1232240389.6499.60.camel@jaspav.missionsit.net.missionsit.net> <1232240957.6499.66.camel@jaspav.missionsit.net.missionsit.net> <4975F10D.8090307@redhat.com>
Message-ID: <1232480709.6473.51.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2009-01-20 at 08:43 -0700, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > On Sat, 2009-01-17 at 19:59 -0500, John A. Sullivan III wrote:
> >
> >> Hello, all. We are working on implementing SSL on our directory server. Our test environment is using Centos using console framework 1.1.1 and ds centos-ds-8.0.0-1.4.el5.centos.4. When we attempt to login to centos-idm-console, we receive an error that the certificate this server presents is either untrusted or unknown. When we view the cert, the note under details says "Untrusted issuer". However, if we look in Manage Certificates for the Administration Server (I assume the console is logging into the Administration Server but the same is true for the Directory Server), we see the CA cert as trusted and see the certificate chain. Everything looks correct. Why is the console not trusting the CA cert? Is it looking for it someplace else? If so, where?
> >>
> >> More details: I'm assuming the problem is the CA cert. The admin server cert details are:
> >> cn=ldap01admin.ssiservices.biz
> >> There are DNS entries in subjAltName of:
> >> ldap01.ssiservices.biz
> >> ldap01
> >> ldap01admin
> >> and there is an IP address entry.
> >>
> >> I get the same problem connecting to https://ldap01admin.ssiservices.biz:9830 as https://ldap01.ssiservices.biz:9830
> >>
> > On a lark, I took a look in my home directory and, sure enough, found a .centos-idm-console directory.
I entered it and issue the following > > command to import the CA cert into the individual user's database: > > > > certutil -A -d . -n "CA certificate" -t "CT,," -a > > -i /etc/dirsrv/admin-serv/SSICA.pem > > > > It all works now. Perhaps I overlooked it but I did not see that step > > in the documentation. > > > Please file a doc bug. > > The way it should work is if there is no CA cert, you should get a > dialog asking you if you want to temporarily accept the connection. Is > it possible there was an old CA cert in ~/.centos-idm-console/cert8.db? Oh, that is the way it was working. I was just expecting it to work without having to manually accept the cert. The key was telling the user to trust the CA. It makes perfect sense now that I understand what is happening - of course the user application is not using the CA trust already established within the directory server to authenticate to the directory server! Thus it needs to trust the CA independently. > > I've also noticed that the manage certificate dialogs reverse the OU and > > O fields on the details page. > > > This has been fixed and the fix will be in the next release. > > Finally, it appears idm-console can use the entries in the subjAltName, > > i.e., I can login using both ldap01 and ldap01admin for the host but it > > does not like the IP field, i.e., I cannot login to > > https://10.1.1.1:9830 without generating a cert warning - John > > > I'm not sure if IP addresses are supposed to play well with > subjectAltName - do other software packages work like this? I'm not > sure what the standards say about this. Web browsers will indeed accept the IP values of the subjAltName to identify the entity (at least Firefox does and I believe the spec (I don't recall the RFC number) does call for such behavior). It appears idm-console has not been so coded. 
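The two points of this exchange, that the client's own trust store decides whether an issuer is "untrusted", and that a subjectAltName can carry IP entries as well as DNS names, can be checked outside the console with OpenSSL. What follows is an added example, not code from this thread or from the Directory Server project: it builds a throwaway self-signed certificate carrying the same kinds of names as John's admin server certificate (a CN, two DNS entries and an IP entry in subjectAltName; the example.test names and 10.1.1.1 are placeholders) and asks OpenSSL's own verifier which identities it accepts. It assumes an `openssl` binary of version 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example: exercise subjectAltName matching and trust-store behaviour
# with openssl(1). Assumes openssl >= 1.1.1 (needs 'req -addext',
# 'x509 -ext' and 'verify -verify_hostname/-verify_ip').

# make_san_cert DIR : write DIR/key.pem and DIR/cert.pem, a self-signed
# certificate whose CN is ldap01admin.example.test and whose SAN carries
# two DNS names and one IP address (placeholder names, not a real host).
make_san_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=ldap01admin.example.test" \
        -addext "subjectAltName=DNS:ldap01.example.test,DNS:ldap01,IP:10.1.1.1" \
        >/dev/null 2>&1
}

# san_of CERT : print the subjectAltName extension as openssl renders it.
san_of() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# name_matches CERT NAME : exit 0 if the verifier accepts NAME as a DNS
# identity for CERT. The certificate is used as its own trust anchor, which
# is what importing a CA into a per-user NSS database amounts to: the
# verifier's store, not the server's, decides whether the issuer is trusted.
name_matches() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# ip_matches CERT IP : the same check for an iPAddress SAN entry.
ip_matches() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# untrusted CERT : exit 0 if verification fails when no store contains the
# issuer, i.e. the "untrusted issuer" state the console reported.
untrusted() {
    ! openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# Demo run: show the SAN, then try each identity from the thread.
d=$(mktemp -d) && make_san_cert "$d"
san_of "$d/cert.pem"
for n in ldap01.example.test ldap01 ldap01admin.example.test; do
    if name_matches "$d/cert.pem" "$n"; then echo "DNS $n: accepted"; else echo "DNS $n: rejected"; fi
done
if ip_matches "$d/cert.pem" 10.1.1.1; then echo "IP 10.1.1.1: accepted"; else echo "IP 10.1.1.1: rejected"; fi
if untrusted "$d/cert.pem"; then echo "with no trust store: untrusted issuer"; fi
rm -rf "$d"
```

`untrusted` fails the way the console did until the user's own database trusted the CA; John's `certutil -A ... -t "CT,,"` into ~/.centos-idm-console is the NSS equivalent of handing the verifier a `-CAfile` (the C and T flags mark the certificate as a trusted CA for server and client certificates respectively). `ip_matches` shows that OpenSSL accepts the iPAddress entry, so a client that rejects https://10.1.1.1:9830 is stricter than the certificate; and once DNS entries are present in the SAN the CN is not consulted, so the subject name ldap01admin.example.test is rejected even though it is the CN, which is why the SAN, not the CN, has to list every name clients will use.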
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Tue Jan 20 20:21:18 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 20 Jan 2009 15:21:18 -0500
Subject: [Fedora-directory-users] DSGW on LDAP server
In-Reply-To: <4975F31B.9040602@redhat.com>
References: <1232260811.6499.94.camel@jaspav.missionsit.net.missionsit.net> <4975F31B.9040602@redhat.com>
Message-ID: <1232482878.6473.63.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2009-01-20 at 08:51 -0700, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > If installing DSGW on the same server as Directory Server, should it be
> > compiled with --with-adminserver=no? Thanks - John
> >
> I don't think so. The --with-adminserver=no was intended to be used if
> you wanted to have DSGW without fedora-ds-admin e.g. just a plain old
> apache installation. But it will take some work to make it work that way.
>
> What exactly are you trying to do?

Just a simple DSGW installation. I didn't know what the option meant and wondered if DSGW installed its own version of admin-serv. Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From emmanuel.billot at ird.fr Wed Jan 21 09:31:36 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Wed, 21 Jan 2009 10:31:36 +0100
Subject: [Fedora-directory-users] High CPU load on FDS
Message-ID: <4976EB78.4090800@ird.fr>

Hi,

Does anyone know how we can explain a 90% CPU utilization on FDS?
Many forums on the web speak about index problems or memory variable misconfiguration (nsslapd-idlistscanlimit and co).

However, I have not found any good web sites which explain how to
- monitor index utilization
- build/rebuild indexes (if this is the problem)
- configure FDS properly for good performance

Our directory tree contains 15000 entries.

Does anyone know what we can do? Best practices?
How to know if there is a problem in our config?

Regards,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From lambam80 at hotmail.com Wed Jan 21 10:09:08 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Wed, 21 Jan 2009 05:09:08 -0500
Subject: [Fedora-directory-users] Windows Sync Not working with AD password = P@ssw0rd ?
In-Reply-To: <4975F409.203@redhat.com>
References: <4975F409.203@redhat.com>
Message-ID:

Rich, as ever, thanks for your help with what must seem a silly problem.

I sent the Email simply to ensure there is a record of this potential problem in case someone else stumbles upon it :-)

We can drop it for now - if I find the time, I'll create a new virtual Active-Directory machine and re-test specifically with the recommended log level. If I can re-create the problem, I'll log a BUG of course.

ldapsearch with an '@' worked fine at the time.

-D "Administrateur" -w p@ssw0rd -h sh...

Note: Administrateur - I ought to have told you the Windows 2003 Server (Active Directory) is using a French locale (worth noting - might be important):
Windows Server 2003 R2 Version 5.2 R2 (numéro 3790.srv03_sp1_rtm.050324-1447: Service Pack

The current password (without '@' - yeah, that's my theory also) works fine - it has a capital letter and two '9's.

Thanks again for your help.
> Date: Tue, 20 Jan 2009 08:55:53 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> CC: lambam80 at hotmail.com
> Subject: Re: [Fedora-directory-users] Windows Sync Not working with AD password = P@ssw0rd ?
>
> lambam80 at hotmail.com wrote:
> > Hello everybody and thanks for the tremendous support to date.
> >
> > Firstly, yes I'm a paranoid personality ...
> >
> > It's too late for me to try recreating this problem using my existing
> > machines.
> >
> > Is it possible that accounts created on RHDS are not 'replicated' to
> > Active-Directory
> > if the AD Administrator password is 'P@ssw0rd'? Please note, shame on me,
> > I'm performing my replication using the AD Administrator account.
> >
> > If you've not yet died laughing, at my expense :-) , any help would be
> > greatly appreciated.
> So, if you use a windows sync user password of 'P@ssw0rd', windows sync
> doesn't work? But if you use a password that does not contain the @
> character, it does work? Have you tried using ldapsearch from the
> command line to test your username and password? e.g. something like
> ldapsearch -x -h adhostname -D "cn=administrator,cn=users,dc=domain,dc=com" -w 'P@ssw0rd' -s base -b ""
>
> Try turning on error log level 8192 and attempt windows sync again -
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
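Rich's suggestion to test the bind with ldapsear is the right first check, and the way the password reaches ldapsearch is where an '@' or another special character most often goes wrong. The following is an added example, not part of the thread: it writes the password to a mode-0600 file with no trailing newline and passes it with `-y`, so the secret neither goes through shell quoting nor appears in `ps` output or shell history the way it does with `-w`. It assumes the OpenLDAP client tools; the host name and bind DN are the placeholders from Rich's command.

```shell
#!/bin/sh
# Added example (not from the thread): test an AD/LDAP simple bind with a
# password containing shell metacharacters, without putting the secret on
# the command line. Assumes the OpenLDAP client tools (ldapsearch -y).

# write_pw_file FILE PASSWORD : store PASSWORD in FILE, mode 0600, with no
# trailing newline. ldapsearch -y sends the file's bytes verbatim, so a
# newline written by 'echo' would silently become part of the password.
write_pw_file() {
    file=$1
    pw=$2
    old_umask=$(umask)
    umask 077
    : > "$file"
    umask "$old_umask"
    printf '%s' "$pw" > "$file"
}

# pw_file_ok FILE EXPECTED : exit 0 if FILE holds exactly EXPECTED (no
# newline, no expansion of $, @, quotes or spaces) and is owner-only.
pw_file_ok() {
    file=$1
    expected=$2
    expected_len=$(( $(printf '%s' "$expected" | wc -c) ))
    actual_len=$(( $(wc -c < "$file") ))
    [ "$actual_len" -eq "$expected_len" ] || return 1
    [ "$(cat "$file")" = "$expected" ] || return 1
    case $(ls -l "$file" | cut -c1-10) in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# bind_probe URI BINDDN PWFILE : the rootDSE search Rich suggested, with -y
# instead of -w. Only prints the command when ldapsearch is not installed.
bind_probe() {
    uri=$1
    binddn=$2
    pwfile=$3
    if command -v ldapsearch >/dev/null 2>&1; then
        ldapsearch -x -H "$uri" -D "$binddn" -y "$pwfile" -s base -b "" -LLL
    else
        echo "would run: ldapsearch -x -H $uri -D \"$binddn\" -y $pwfile -s base -b \"\""
    fi
}

# Demo with the password from the thread. Set LDAP_URI (placeholder host
# below) to actually run the probe against a server.
tmp=$(mktemp)
write_pw_file "$tmp" 'P@ssw0rd'
if pw_file_ok "$tmp" 'P@ssw0rd'; then echo "password file: 8 bytes, mode 0600, no newline"; fi
if [ -n "${LDAP_URI:-}" ]; then
    bind_probe "$LDAP_URI" "cn=administrator,cn=users,dc=domain,dc=com" "$tmp"
fi
rm -f "$tmp"
```

`pw_file_ok` is the check worth keeping: `echo 'P@ssw0rd' > file` writes nine bytes, and `ldapsearch -y` sends all nine, so the bind fails with a credential that looks right when you cat the file. A successful file-based bind pins down that the credential itself is good, which leaves the way the sync agreement stores or was given the password as the remaining suspect.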
From rmeggins at redhat.com Wed Jan 21 15:40:56 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 21 Jan 2009 08:40:56 -0700
Subject: [Fedora-directory-users] High CPU load on FDS
In-Reply-To: <4976EB78.4090800@ird.fr>
References: <4976EB78.4090800@ird.fr>
Message-ID: <49774208.2030502@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> Does anyone know how we can explain a 90% CPU utilization on FDS?
> Many forums on the web speak about index problems or memory variable
> misconfiguration (nsslapd-idlistscanlimit and co).
>
> However, I have not found any good web sites which explain how to
> - monitor index utilization
> - build/rebuild indexes (if this is the problem)
> - configure FDS properly for good performance
>
> Our directory tree contains 15000 entries.
>
> Does anyone know what we can do? Best practices?
What version of FDS? What platform? What sort of hardware?

The logconv.pl tool is a good place to start to diagnose indexing issues.
> How to know if there is a problem in our config?
>
> Regards,
>

From emmanuel.billot at ird.fr Wed Jan 21 15:59:37 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Wed, 21 Jan 2009 16:59:37 +0100
Subject: [Fedora-directory-users] High CPU load on FDS
In-Reply-To: <49774208.2030502@redhat.com>
References: <4976EB78.4090800@ird.fr> <49774208.2030502@redhat.com>
Message-ID: <49774669.7070609@ird.fr>

Rich Megginson wrote:

Hi,

It seems to be an index problem, so I am trying to determine which attribute. Is there any method to know if a request does not use an index table? How can I find the wrongly indexed attribute?

> Emmanuel BILLOT wrote:
>> Hi,
>>
>> Does anyone know how we can explain a 90% CPU utilization on FDS?
>> Many forums on the web speak about index problems or memory variable
>> misconfiguration (nsslapd-idlistscanlimit and co).
>>
>> However, I have not found any good web sites which explain how to
>> - monitor index utilization
>> - build/rebuild indexes (if this is the problem)
>> - configure FDS properly for good performance
>>
>> Our directory tree contains 15000 entries.
>>
>> Does anyone know what we can do? Best practices?
> What version of FDS? What platform? What sort of hardware?
>
> The logconv.pl tool is a good place to start to diagnose indexing issues.
>> How to know if there is a problem in our config?
>>
>> Regards,
>>
>

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Wed Jan 21 16:04:29 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Wed, 21 Jan 2009 17:04:29 +0100
Subject: [Fedora-directory-users] High CPU load on FDS
In-Reply-To: <49774208.2030502@redhat.com>
References: <4976EB78.4090800@ird.fr> <49774208.2030502@redhat.com>
Message-ID: <4977478D.9090709@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> Does anyone know how we can explain a 90% CPU utilization on FDS?
>> Many forums on the web speak about index problems or memory variable
>> misconfiguration (nsslapd-idlistscanlimit and co).
>>
>> However, I have not found any good web sites which explain how to
>> - monitor index utilization
>> - build/rebuild indexes (if this is the problem)
>> - configure FDS properly for good performance
>>
>> Our directory tree contains 15000 entries.
>>
>> Does anyone know what we can do? Best practices?
> What version of FDS? What platform? What sort of hardware?
>
> The logconv.pl tool is a good place to start to diagnose indexing issues.
>> How to know if there is a problem in our config?
>>
>> Regards,
>>
>

Sorry, I have the logconv utility, which says
Unindexed Searches: 0

So I can't explain why the CPU is so high.

FDS 1.1.3 on Centos 5.1, VMWare

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Wed Jan 21 16:11:40 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 21 Jan 2009 09:11:40 -0700
Subject: [Fedora-directory-users] High CPU load on FDS
In-Reply-To: <4977478D.9090709@ird.fr>
References: <4976EB78.4090800@ird.fr> <49774208.2030502@redhat.com> <4977478D.9090709@ird.fr>
Message-ID: <4977493C.4000708@redhat.com>

Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> Does anyone know how we can explain a 90% CPU utilization on FDS?
>>> Many forums on the web speak about index problems or memory variable
>>> misconfiguration (nsslapd-idlistscanlimit and co).
>>>
>>> However, I have not found any good web sites which explain how to
>>> - monitor index utilization
>>> - build/rebuild indexes (if this is the problem)
>>> - configure FDS properly for good performance
>>>
>>> Our directory tree contains 15000 entries.
>>>
>>> Does anyone know what we can do? Best practices?
>> What version of FDS? What platform? What sort of hardware?
>>
>> The logconv.pl tool is a good place to start to diagnose indexing
>> issues.
>>> How to know if there is a problem in our config?
>>>
>>> Regards,
>>>
>>
> Sorry, I have the logconv utility, which says
> Unindexed Searches: 0
>
> So I can't explain why the CPU is so high.
>
> FDS 1.1.3 on Centos 5.1, VMWare
>
logconv.pl has more output - you might try looking at the operation times, then refer back to the access log to see what operations are taking a long time

From jeff.garner at sanmina-sci.com Thu Jan 22 20:47:23 2009
From: jeff.garner at sanmina-sci.com (Jeff Garner)
Date: Thu, 22 Jan 2009 14:47:23 -0600
Subject: [Fedora-directory-users] FDS sync to eDirectory
Message-ID: <1232657243.5501.25.camel@DFW1AMUX498090.AM.SANM.CORP>

Currently we have AD and eDir syncing using the Novell DirXML driver and a 'shim' installed on all AD DCs worldwide. To avoid having to replicate this structure from Active Directory using FDS, we have decided to use eDirectory sync to FDS.
Currently we can sync FROM eDir to FDS, including passwords. No issues there. The problem is that we want to sync only password changes from FDS back into eDir. I can understand some of the complexities in this; however, can anyone point me in the direction of information to do this task?

Basically I want one-way sync from eDir to FDS for all attributes, and bi-directional sync of the password attribute from FDS to eDir and eDir to FDS. I had imagined, going in, that this would be as simple as some sort of an ldapmodify driver from FDS to eDir, but it seems that might have been too simplistic.

So, does anyone have an idea of how I could accomplish this task, if it can even be done, or whether I should not waste my time trying?

Regards,
J.Garner

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
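Rich's advice in the High CPU thread above (look at logconv.pl's operation times, then go back to the access log for the operations that took long) and the passwd thread that follows (where the access log has to be read to see which bind a failing write ran under) call for the same tool: a pass over the access log that keeps per-connection state. The following is an added example, not logconv.pl and not code from the project, for both threads: an awk script over the 389/Fedora Directory Server access log format shown in them. The log lines it runs on are constructed for the example (hosts, DNs and filters are placeholders); the format, with `etime=`, `notes=U` on an unindexed search, and `err=50` for insufficient access, is the one the real excerpts use.

```shell
#!/bin/sh
# Added example (not logconv.pl): triage a 389/Fedora DS access log.
# Reports slow operations, searches the server flagged as unindexed
# (notes=U on the RESULT line) and failed operations together with the
# identity that was bound on that connection when they ran.

# sample_log_file : write a constructed access-log excerpt to a temp file
# and print its path. Names and DNs are placeholders.
sample_log_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[23/Jan/2009:21:12:08 -0500] conn=1939 fd=67 slot=67 SSL connection from 10.0.0.5 to 10.0.0.1
[23/Jan/2009:21:12:08 -0500] conn=1939 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:08 -0500] conn=1939 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:08 -0500] conn=1939 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid uidNumber gidNumber"
[23/Jan/2009:21:12:08 -0500] conn=1939 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:09 -0500] conn=1941 op=0 BIND dn="cn=reporting,ou=svc,dc=example,dc=test" method=128 version=3
[23/Jan/2009:21:12:09 -0500] conn=1941 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=reporting,ou=svc,dc=example,dc=test"
[23/Jan/2009:21:12:09 -0500] conn=1941 op=1 SRCH base="dc=example,dc=test" scope=2 filter="(description=*staff*)" attrs=ALL
[23/Jan/2009:21:12:14 -0500] conn=1941 op=1 RESULT err=0 tag=101 nentries=2300 etime=5 notes=U
[23/Jan/2009:21:12:13 -0500] conn=1940 op=2 BIND dn="uid=foo,ou=People,dc=example,dc=test" method=128 version=3
[23/Jan/2009:21:12:13 -0500] conn=1940 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=test"
[23/Jan/2009:21:12:13 -0500] conn=1940 op=3 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:13 -0500] conn=1940 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 BIND dn="uid=foo,ou=People,dc=example,dc=test" method=128 version=3
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=test"
[23/Jan/2009:21:12:21 -0500] conn=1940 op=5 MOD dn="uid=foo,ou=People,dc=example,dc=test"
[23/Jan/2009:21:12:21 -0500] conn=1940 op=5 RESULT err=50 tag=103 nentries=0 etime=0
[23/Jan/2009:21:12:30 -0500] conn=1942 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:30 -0500] conn=1942 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:30 -0500] conn=1942 op=1 MOD dn="uid=bar,ou=People,dc=example,dc=test"
[23/Jan/2009:21:12:30 -0500] conn=1942 op=1 RESULT err=50 tag=103 nentries=0 etime=0
EOF
    echo "$f"
}

# access_report LOG [SECONDS] : one line per finding, prefixed SLOW,
# UNINDEX or FAILED. SECONDS is the etime threshold for SLOW (default 1).
access_report() {
    awk -v thr="${2:-1}" '
    # val(line, key): value of " key=..." on the line, quoted or bare.
    function val(line, key,    re) {
        re = " " key "=\"[^\"]*\""
        if (match(line, re)) return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        re = " " key "=[^ ]*"
        if (match(line, re)) return substr(line, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        return ""
    }
    {
        conn = val($0, "conn"); op = val($0, "op"); id = conn "/" op
        if ($5 == "BIND") {                      # who is bound on this connection from now on
            dn = val($0, "dn"); bound[conn] = (dn == "" ? "anonymous" : dn)
            kind[id] = "BIND"; next
        }
        if ($5 == "SRCH") {                      # keep the filter for the matching RESULT
            kind[id] = "SRCH"; detail[id] = "filter=" val($0, "filter") " scope=" val($0, "scope"); next
        }
        if ($5 ~ /^(MOD|ADD|DEL|MODRDN)$/) {      # keep the target DN of a write
            kind[id] = $5; detail[id] = "dn=" val($0, "dn"); next
        }
        if ($5 == "RESULT") {
            err = val($0, "err") + 0; et = val($0, "etime") + 0
            if (et >= thr)
                printf "SLOW    conn=%s op=%s %s etime=%d %s\n", conn, op, kind[id], et, detail[id]
            if ($0 ~ / notes=U/)
                printf "UNINDEX conn=%s op=%s %s nentries=%s\n", conn, op, detail[id], val($0, "nentries")
            if (err != 0)
                printf "FAILED  conn=%s op=%s %s err=%d as=%s %s\n", conn, op, kind[id], err,
                       ((conn in bound) ? bound[conn] : "anonymous"), detail[id]
        }
    }' "$1"
}

# Demo run over the constructed sample with a 1 second threshold.
sample=$(sample_log_file)
access_report "$sample" 1
rm -f "$sample"
```

`access_report LOG SECONDS` prints SLOW for results whose etime is at or above the threshold, UNINDEX for searches the server itself marked notes=U (the case Emmanuel's logconv summary said was not happening), and FAILED for non-zero results with the DN of the last BIND on that connection, or anonymous if the last bind was dn="". That last column is the point for Tim's log: a MOD returning err=50 right after `BIND dn="uid=foo,..."` was evaluated under foo's ACIs, whereas the same error after a `BIND dn=""` means the client re-bound anonymously before writing, which is a different ACI question.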
From hartmann at fas.harvard.edu Sat Jan 24 01:11:58 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Fri, 23 Jan 2009 20:11:58 -0500
Subject: [Fedora-directory-users] Update user passwords with "passwd"
Message-ID: <497A6ADE.9070601@fas.harvard.edu>

Hi!

So I ran into yet another pot-hole in the road to LDAP bliss...

We have a root suffix in our directory that stores the basic Posix attributes including password. I've been able to configure my client to use ldap for directory services, and authenticate against my replicas, so far so good! Then I tried to change my user's password .. and that's where I started getting a bit hung up..

At first I thought that it was because my replicas weren't sending the update request/referrals back to the masters. (We have two masters that sit behind four consumers)

Then I decided to change my ldap.conf files to point directly to my masters.... but I still received the same errors: "Can't contact LDAP Server", which was strange since I can do ldap searches against it all day, and even bind to the servers to do searches! and Insufficient write privileges, which made me think that maybe it was an ACI.. but I have selfwrite enabled for the userPassword attribute...

Here's the output of my failed attempt to change my user's password after logging in successfully to the server..

Changing password for user foo.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.

passwd: Permission denied

If anyone has any thoughts I'd be grateful! I'm pretty perplexed!
Best,

Tim

From gholbert at broadcom.com Sat Jan 24 01:18:42 2009
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 23 Jan 2009 17:18:42 -0800
Subject: [Fedora-directory-users] Update user passwords with "passwd"
In-Reply-To: <497A6ADE.9070601@fas.harvard.edu>
References: <497A6ADE.9070601@fas.harvard.edu>
Message-ID: <497A6C72.7060301@broadcom.com>

Tim Hartmann wrote:
> Hi!
>
> So I ran into yet another pot-hole in the road to LDAP bliss...
>
> We have a root suffix in our directory that stores the basic Posix
> attributes including password. I've been able to configure my client to
> use ldap for directory services, and authenticate against my replicas,
> so far so good! Then I tried to change my user's password .. and that's
> where I started getting a bit hung up..
>
> At first I thought that it was because my replicas weren't sending the
> update request/referrals back to the masters. (We have two masters that
> sit behind four consumers)
>
> Then I decided to change my ldap.conf files to point directly to my
> masters.... but I still received the same errors: "Can't contact LDAP
> Server", which was strange since I can do ldap searches against it all
> day, and even bind to the servers to do searches! and Insufficient write
> privileges, which made me think that maybe it was an ACI.. but I have
> selfwrite enabled for the userPassword attribute...
>
> Here's the output of my failed attempt to change my user's password
> after logging in successfully to the server..
>
> Changing password for user foo.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Can't contact LDAP server
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
>
> passwd: Permission denied
>
>
What do your LDAP server access and error logs show at the time of the attempted password change?

> If anyone has any thoughts I'd be grateful!
> I'm pretty perplexed!
>
>
> Best,
>
> Tim
>

From hartmann at fas.harvard.edu Sat Jan 24 02:16:43 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Fri, 23 Jan 2009 21:16:43 -0500
Subject: [Fedora-directory-users] Update user passwords with "passwd"
In-Reply-To: <497A6C72.7060301@broadcom.com>
References: <497A6ADE.9070601@fas.harvard.edu> <497A6C72.7060301@broadcom.com>
Message-ID: <497A7A0B.20609@fas.harvard.edu>

This is what I see in access from my master:

I don't see any output from error...

[23/Jan/2009:21:12:08 -0500] conn=1939 fd=67 slot=67 SSL connection from 140.247.35.169 to 140.247.30.52
[23/Jan/2009:21:12:08 -0500] conn=1939 SSL 256-bit AES
[23/Jan/2009:21:12:08 -0500] conn=1939 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:08 -0500] conn=1939 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:08 -0500] conn=1939 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=23030))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[23/Jan/2009:21:12:08 -0500] conn=1939 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:08 -0500] conn=1939 op=2 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[23/Jan/2009:21:12:08 -0500] conn=1939 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:08 -0500] conn=1940 fd=68 slot=68 SSL connection from 140.247.35.169 to 140.247.30.52
[23/Jan/2009:21:12:08 -0500] conn=1940 SSL 256-bit AES
[23/Jan/2009:21:12:08 -0500] conn=1940 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:08 -0500] conn=1940 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:08 -0500] conn=1940 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(uid=foo)" attrs=ALL
[23/Jan/2009:21:12:08 -0500] conn=1940 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:13 -0500] conn=1940 op=2 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:12:13 -0500] conn=1940 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:12:13 -0500] conn=1940 op=3 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:13 -0500] conn=1940 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:18 -0500] conn=1939 op=3 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=23030))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[23/Jan/2009:21:12:18 -0500] conn=1939 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:12:21 -0500] conn=1940 op=5 RESULT err=50 tag=103 nentries=0 etime=0

George Holbert wrote:
> Tim Hartmann wrote:
>> Hi!
>>
>> So I ran into yet another pot-hole in the road to LDAP bliss...
>> We have a root suffix in our directory that stores the basic Posix
>> attributes including password. I've been able to configure my client to
>> use ldap for directory services, and authenticate against my replicas,
>> so far so good! Then I tried to change my user's password .. and that's
>> where I started getting a bit hung up..
>>
>> At first I thought that it was because my replicas weren't sending the
>> update request/referrals back to the masters. (We have two masters that
>> sit behind four consumers)
>>
>> Then I decided to change my ldap.conf files to point directly to my
>> masters....
>> but I still received the same errors: "Can't contact LDAP
>> Server", which was strange since I can do ldap searches against it all
>> day, and even bind to the servers to do searches! and Insufficient write
>> privileges, which made me think that maybe it was an ACI.. but I have
>> selfwrite enabled for the userPassword attribute...
>>
>> Here's the output of my failed attempt to change my user's password
>> after logging in successfully to the server..
>>
>> Changing password for user foo.
>> Enter login(LDAP) password:
>> New UNIX password:
>> Retype new UNIX password:
>> LDAP password information update failed: Can't contact LDAP server
>> Insufficient 'write' privilege to the 'userPassword' attribute of entry
>> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
>>
>> passwd: Permission denied
>>
>>
> What do your LDAP server access and error logs show at the time of the
> attempted password change?
>
>
>> If anyone has any thoughts I'd be grateful! I'm pretty perplexed!
>>
>>
>> Best,
>>
>> Tim
>>
>

From jsullivan at opensourcedevel.com Sat Jan 24 03:02:26 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Fri, 23 Jan 2009 22:02:26 -0500
Subject: [Fedora-directory-users] Update user passwords with "passwd"
In-Reply-To: <497A6ADE.9070601@fas.harvard.edu>
References: <497A6ADE.9070601@fas.harvard.edu>
Message-ID: <1232766146.6567.33.camel@jaspav.missionsit.net.missionsit.net>

On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote:
> Hi!
>
> So I ran into yet another pot-hole in the road to LDAP bliss...
>
> We have a root suffix in our directory that stores the basic Posix
> attributes including password. I've been able to configure my client to
> use ldap for directory services, and authenticate against my replicas,
> so far so good! Then I tried to change my user's password .. and that's
> where I started getting a bit hung up..
>
> At first I thought that it was because my replicas weren't sending the
> update request/referrals back to the masters. (We have two masters that
> sit behind four consumers)
>
> Then I decided to change my ldap.conf files to point directly to my
> masters.... but I still received the same errors: "Can't contact LDAP
> Server", which was strange since I can do ldap searches against it all
> day, and even bind to the servers to do searches! and Insufficient write
> privileges, which made me think that maybe it was an ACI.. but I have
> selfwrite enabled for the userPassword attribute...
>
> Here's the output of my failed attempt to change my user's password
> after logging in successfully to the server..
>
> Changing password for user foo.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Can't contact LDAP server
> Insufficient 'write' privilege to the 'userPassword' attribute of entry
> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
>
> passwd: Permission denied
>
>
> If anyone has any thoughts I'd be grateful! I'm pretty perplexed!

I'm an LDAP ignoramus so take this for what it's worth -- is it possible it's a PAM configuration problem and not an LDAP or ldap.conf problem? - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From hartmann at fas.harvard.edu Sat Jan 24 03:35:43 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Fri, 23 Jan 2009 22:35:43 -0500
Subject: [Fedora-directory-users] Update user passwords with "passwd"
In-Reply-To: <1232766146.6567.33.camel@jaspav.missionsit.net.missionsit.net>
References: <497A6ADE.9070601@fas.harvard.edu> <1232766146.6567.33.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <497A8C8F.3090400@fas.harvard.edu>

Could be, but the test server I'm using has a copy of the pam configs from a production server that works fine in our OpenLDAP environment. I'm in the process of testing our new Directory Server in order to replace the old servers... So same OS, and the same config files... which is part of why I'm stumped! It's maddening being so close to the end of this project! :)

Best

Tim

John A. Sullivan III wrote:
> On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote:
>
>> Hi!
>>
>> So I ran into yet another pot-hole in the road to LDAP bliss...
>>
>> We have a root suffix in our directory that stores the basic Posix
>> attributes including password. I've been able to configure my client to
>> use ldap for directory services, and authenticate against my replicas,
>> so far so good! Then I tried to change my user's password .. and that's
>> where I started getting a bit hung up..
>>
>> At first I thought that it was because my replicas weren't sending the
>> update request/referrals back to the masters. (We have two masters that
>> sit behind four consumers)
>>
>> Then I decided to change my ldap.conf files to point directly to my
>> masters.... but I still received the same errors: "Can't contact LDAP
>> Server", which was strange since I can do ldap searches against it all
>> day, and even bind to the servers to do searches!
>> and Insufficient write
>> privileges, which made me think that maybe it was an ACI.. but I have
>> selfwrite enabled for the userPassword attribute...
>>
>> Here's the output of my failed attempt to change my user's password
>> after logging in successfully to the server..
>>
>> Changing password for user foo.
>> Enter login(LDAP) password:
>> New UNIX password:
>> Retype new UNIX password:
>> LDAP password information update failed: Can't contact LDAP server
>> Insufficient 'write' privilege to the 'userPassword' attribute of entry
>> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
>>
>> passwd: Permission denied
>>
>>
>> If anyone has any thoughts I'd be grateful! I'm pretty perplexed!
>>
>
> I'm an LDAP ignoramus so take this for what it's worth -- is it possible
> it's a PAM configuration problem and not an LDAP or ldap.conf problem? -
> John
>

From sas.jamal at linkagemobile.com Sun Jan 25 07:47:30 2009
From: sas.jamal at linkagemobile.com (Sas Jamal)
Date: Sun, 25 Jan 2009 09:47:30 +0200
Subject: [Fedora-directory-users] New to Fedora Directory Server (Questions)
Message-ID: <497c1912.096c100a.7236.ffffaacb@mx.google.com>

Hi guys,

I am relatively new to Linux and LDAP (I have some experience with Active Directory). I have recently inherited a message board installation (vBulletin) and some custom apps, each with their own user database. I noticed that vBulletin had an LDAP plugin which was used by several members of the community, and a friend suggested I implement LDAP as a centralized system for managing user accounts, since it is scalable and easy to back up (all of the applications are on different networks on different servers).

It seemed like a good idea, but I am a bit lost :)

I have installed Fedora Directory Server, and I need to have the passwords for all users stored as MD5 hashes, and I also want to modify the schema to support fields which are common throughout all of our systems. I also want to use E-Mail Addresses as a Unique Identifier.
I am a bit overwhelmed, and new to LDAP as well. Are there any resources, tutorials or books you guys can point me to?

Thanks,
Sas

From hartmann at fas.harvard.edu Mon Jan 26 15:53:28 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Mon, 26 Jan 2009 10:53:28 -0500
Subject: [Fedora-directory-users] Update user passwords with "passwd"
In-Reply-To: <497A8C8F.3090400@fas.harvard.edu>
References: <497A6ADE.9070601@fas.harvard.edu> <1232766146.6567.33.camel@jaspav.missionsit.net.missionsit.net> <497A8C8F.3090400@fas.harvard.edu>
Message-ID: <497DDC78.9030501@fas.harvard.edu>

Well, I made some progress on this! In part it turns out that I had my ACIs set too tightly in my "enable self write for common attributes" ACI. So once I made some changes to that ACI I was able to update my user password so long as the client server was pointing at one of the Masters in /etc/ldap.conf and /etc/openldap.conf; however, once I pointed those conf files back to my LDAP Replicas, I was back to getting the same errors!

One small step closer to LDAP bliss!

Tim

Tim Hartmann wrote:
> Could be, but the test server I'm using has a copy of the pam configs
> from a production server that works fine in our OpenLDAP environment.
> I'm in the process of testing our new Directory Server in order to
> replace the old servers... So same OS, and the same config files...
> which is part of why I'm stumped! It's maddening being so close to the
> end of this project! :)
>
> Best
>
> Tim
>
>
>
> John A. Sullivan III wrote:
>
>> On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote:
>>
>>
>>> Hi!
>>>
>>> So I ran into yet another pot-hole in the road to LDAP bliss...
>>>
>>> We have a root suffix in our directory that stores the basic Posix
>>> attributes including password. I've been able to configure my client to
>>> use ldap for directory services, and authenticate against my replicas,
>>> so far so good!
Then I tried to change my users password .. and thats >>> where I started getting a bit hung up.. >>> >>> At first I thought that it was because my replicas weren't sending the >>> update request/ referrals back to the masters. (We have two masters that >>> sit behind four consumers) >>> >>> Then I decided to change my ldap.conf files to point directly to my >>> masters.... but I still receaved the same errors "Can't contact LDAP >>> Server" , which was strange since I can do ldap searches against it all >>> day, and even bind to the servers to do searches! and Insufficient write >>> privileges, which made me think that maybe it was an ACI.. but I have >>> selfwrite enabled for the userPassword attribute... >>> >>> Here's the output of my failed attempt to change my user's password >>> after logging in successfully to the server.. >>> >>> Changing password for user foo. >>> Enter login(LDAP) password: >>> New UNIX password: >>> Retype new UNIX password: >>> LDAP password information update failed: Can't contact LDAP server >>> Insufficient 'write' privilege to the 'userPassword' attribute of entry >>> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'. >>> >>> passwd: Permission denied >>> >>> >>> If anyone has any thought I'd be grateful! I'm pretty perplexed! >>> >>> >> >> I'm an LDAP ignoramus so take this for what it's worth -- is it possible >> it's a PAM configuration problem and not an LDAP or ldap.conf problem? 
>> - John
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Mon Jan 26 15:56:29 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 26 Jan 2009 08:56:29 -0700
Subject: [Fedora-directory-users] Update user passwords with "passwd"
In-Reply-To: <497A7A0B.20609@fas.harvard.edu>
References: <497A6ADE.9070601@fas.harvard.edu> <497A6C72.7060301@broadcom.com> <497A7A0B.20609@fas.harvard.edu>
Message-ID: <497DDD2D.5020205@redhat.com>

Tim Hartmann wrote:
> This is what I see in access from my master:
>
> I don't see any output from error...
>
> [23/Jan/2009:21:12:08 -0500] conn=1939 fd=67 slot=67 SSL connection from 140.247.35.169 to 140.247.30.52
> [23/Jan/2009:21:12:08 -0500] conn=1939 SSL 256-bit AES
> [23/Jan/2009:21:12:08 -0500] conn=1939 op=0 BIND dn="" method=128 version=3
> [23/Jan/2009:21:12:08 -0500] conn=1939 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [23/Jan/2009:21:12:08 -0500] conn=1939 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=23030))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [23/Jan/2009:21:12:08 -0500] conn=1939 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [23/Jan/2009:21:12:08 -0500] conn=1939 op=2 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [23/Jan/2009:21:12:08 -0500] conn=1939 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> [23/Jan/2009:21:12:08 -0500] conn=1940 fd=68 slot=68 SSL connection from 140.247.35.169 to 140.247.30.52
> [23/Jan/2009:21:12:08 -0500] conn=1940 SSL 256-bit AES
> [23/Jan/2009:21:12:08 -0500] conn=1940 op=0 BIND dn="" method=128 version=3
> [23/Jan/2009:21:12:08 -0500] conn=1940 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [23/Jan/2009:21:12:08 -0500] conn=1940 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(uid=foo)" attrs=ALL
> [23/Jan/2009:21:12:08 -0500] conn=1940 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [23/Jan/2009:21:12:13 -0500] conn=1940 op=2 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
> [23/Jan/2009:21:12:13 -0500] conn=1940 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
> [23/Jan/2009:21:12:13 -0500] conn=1940 op=3 BIND dn="" method=128 version=3
> [23/Jan/2009:21:12:13 -0500] conn=1940 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [23/Jan/2009:21:12:18 -0500] conn=1939 op=3 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=23030))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [23/Jan/2009:21:12:18 -0500] conn=1939 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> [23/Jan/2009:21:12:21 -0500] conn=1940 op=4 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
> [23/Jan/2009:21:12:21 -0500] conn=1940 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
> [23/Jan/2009:21:12:21 -0500] conn=1940 op=5 RESULT err=50 tag=103 nentries=0 etime=0
>
We're missing the actual request that's causing the problem - there is a line for conn=1940 op=5 RESULT, but there is no line that has the actual operation e.g. conn=1940 op=5 MOD dn="uid=foo,..." etc.

> George Holbert wrote:
>> Tim Hartmann wrote:
>>> [...]
>>
>> What do your LDAP server access and error logs show at the time of the
>> attempted password change?
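Rich's point above (a RESULT line for conn=1940 op=5 with err=50 but no matching request line) is easy to miss when reading a busy access log by eye. The Python script below is an added example, not code from this thread or from the Directory Server project: it pairs each op's request line with its RESULT, tracks which DN is bound on each connection, and reports every failed operation together with the identity it ran as and whether its request line was ever logged. The log lines embedded in it are constructed for the example, modelled on the ones Tim posted; the connection numbers, IP addresses and the extra failing operations are made up.

```python
import re
from collections import defaultdict

# One Fedora DS / 389-ds access-log record per line: "[timestamp] conn=N op=M KIND ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

# LDAP result codes (RFC 4511) most often seen around a failed password change
RESULT_CODES = {
    0: "success",
    10: "referral",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Constructed sample, modelled on the log Tim posted. conn=2002 reproduces his case
# (a RESULT with no request line); conn=2003 is made up to show a logged MOD and a failed BIND.
SAMPLE_LOG = """\
[23/Jan/2009:21:12:08 -0500] conn=2002 fd=70 slot=70 SSL connection from 192.0.2.10 to 192.0.2.20
[23/Jan/2009:21:12:08 -0500] conn=2002 SSL 256-bit AES
[23/Jan/2009:21:12:08 -0500] conn=2002 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:08 -0500] conn=2002 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:08 -0500] conn=2002 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(uid=foo)" attrs=ALL
[23/Jan/2009:21:12:08 -0500] conn=2002 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:13 -0500] conn=2002 op=2 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:12:13 -0500] conn=2002 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:12:21 -0500] conn=2002 op=5 RESULT err=50 tag=103 nentries=0 etime=0
[23/Jan/2009:21:13:02 -0500] conn=2003 op=0 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:13:02 -0500] conn=2003 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:13:02 -0500] conn=2003 op=1 MOD dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:13:02 -0500] conn=2003 op=1 RESULT err=50 tag=103 nentries=0 etime=0
[23/Jan/2009:21:13:09 -0500] conn=2003 op=2 BIND dn="uid=bar,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:13:09 -0500] conn=2003 op=2 RESULT err=49 tag=97 nentries=0 etime=0
"""


def analyze(lines):
    """Pair each op's request with its RESULT; return one finding per failed op."""
    pending = {}                 # (conn, op) -> {"kind": ..., "args": ...}
    bound = defaultdict(str)     # conn -> DN currently bound ("" means anonymous)
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn = m["conn"]
        om = OP_RE.match(m["rest"])
        if not om:               # connection-open and SSL lines carry no op
            continue
        key, kind, args = (conn, om["op"]), om["kind"], om["args"]
        if kind != "RESULT":
            pending[key] = {"kind": kind, "args": args.strip()}
            continue
        em = ERR_RE.search(args)
        err = int(em["err"]) if em else -1
        req = pending.pop(key, None)
        if req is not None and req["kind"] == "BIND":
            # A successful BIND RESULT carries the effective identity (dn="" is anonymous);
            # a failed BIND leaves the connection anonymous.
            dm = DN_RE.search(args)
            bound[conn] = dm["dn"] if (err == 0 and dm) else ""
        if err != 0:
            findings.append({
                "conn": conn,
                "op": om["op"],
                "err": err,
                "code": RESULT_CODES.get(err, "unknown"),
                "request": req["kind"] if req else None,
                "request_args": req["args"] if req else None,
                "bound_as": bound[conn] or "(anonymous)",
            })
    return findings


def missing_request(findings):
    """Failures whose request line never appeared in the log: the case Rich flagged."""
    return [f for f in findings if f["request"] is None]


def analyze_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in analyze_sample():
        where = f["request"] or "<no request line logged>"
        print(f"conn={f['conn']} op={f['op']} {where} as {f['bound_as']}: "
              f"err={f['err']} ({f['code']})")
```

Run it against a real access log with `analyze(open(path))`; a finding whose `request` is `None` while the connection is bound as the user is the pattern in Tim's log, and `bound_as` tells you immediately whether the failing write ran as the user (an ACI problem) or anonymously (the client never re-bound after a referral).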
From hartmann at fas.harvard.edu Mon Jan 26 16:08:32 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Mon, 26 Jan 2009 11:08:32 -0500
Subject: [Fedora-directory-users] Update user passwords with "passwd"
In-Reply-To: <497DDD2D.5020205@redhat.com>
References: <497A6ADE.9070601@fas.harvard.edu> <497A6C72.7060301@broadcom.com> <497A7A0B.20609@fas.harvard.edu> <497DDD2D.5020205@redhat.com>
Message-ID: <497DE000.7090903@fas.harvard.edu>

Guys, I think I've gotten it! So the two things that it looked like I hadn't set up correctly were these:

First: ACLs on self write. I'd locked those down so tight that I wasn't able to actually write to my own user attribute.

Second: the referrals under the Configuration tab. Configuration tab -> Data -> dc=foo,dc=bar -> Referrals tab were set to refer only to ldap://master.server:389/dc=foo,dc=bar. Once I added a referral to port 636, I was able to update my user password correctly, and through the replica!

This documentation was helpful in getting that set up correctly:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases-Using_Referrals.html#Using_Referrals-Creating_Suffix_Referrals

Thanks for all the help troubleshooting this everyone!

Tim

Rich Megginson wrote:
> Tim Hartmann wrote:
>> This is what I see in access from my master:
>>
>> I don't see any output from error...
>>
>> [...]
>> [23/Jan/2009:21:12:21 -0500] conn=1940 op=4 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
>> [23/Jan/2009:21:12:21 -0500] conn=1940 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
>> [23/Jan/2009:21:12:21 -0500] conn=1940 op=5 RESULT err=50 tag=103 nentries=0 etime=0
>>
> We're missing the actual request that's causing the problem - there is
> a line for conn=1940 op=5 RESULT, but there is no line that has the
> actual operation e.g. conn=1940 op=5 MOD dn="uid=foo,..." etc.
>> [...]

From beyonddc.storage at gmail.com Tue Jan 27 00:16:27 2009
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Mon, 26 Jan 2009 19:16:27 -0500
Subject: [Fedora-directory-users] Modify Admin Port via LDIF
Message-ID: <20e4c38c0901261616l1c539b0meef61a3442217fab@mail.gmail.com>

Hi all,

I have a question. Can you modify the admin port via LDIF?
If so, can you tell me where the admin port is located and what attributes I should set.

Thanks in advance!

- dc

From rmeggins at redhat.com Tue Jan 27 21:42:38 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 27 Jan 2009 14:42:38 -0700
Subject: [Fedora-directory-users] Do you use WinSync for group sync?
Message-ID: <497F7FCE.3080605@redhat.com>

We're currently investigating the group sync feature of Windows Sync, and we wanted to know how it is deployed. Do you sync groups? What types of groups? Security or Distribution? Global or Local? Do the groups have "meaning" in both AD and Fedora DS, or only on one side?

From james.chavez at sanmina-sci.com Wed Jan 28 00:37:48 2009
From: james.chavez at sanmina-sci.com (James Chavez)
Date: Tue, 27 Jan 2009 17:37:48 -0700
Subject: [Fedora-directory-users] Proper way to generate a server certificate.
Message-ID: <1233103068.6137.51.camel@PHX1AMUX269160.sanmina-sci.com>

Hello List,

I am trying to set up SSL between an AD or eDir box and my FDS box. I want to generate a server cert for the AD or eDir box and import it into eDir/AD, and import the CA cert into AD/eDir as well.

What commands do I use to accomplish this? Also, what format does the cert need to be in to successfully import into AD or eDir?

I have generated a self-signed CA cert named "FDS CA" and exported it with

certutil -L -d . -n "FDS CA" -a > ca.asc
certutil -L -d . -n "FDS CA" -r > ca.der

I have generated a server cert for the AD/eDir box with

certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt

and exported it with

pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"

I then send the CA cert in ASCII and .der format along with the server-cert.p12 to the admin, but he gets the errors below trying to import into eDir. Need help on this one please.

-1240 FFFFFB28 PKI E PARSE CERTIFICATE

Source
    Novell(r) Certificate Server

Explanation
    Novell Certificate Server was unable to parse a certificate that has been stored or is being stored.

Possible Cause
    The user attempted to store a certificate or a certificate chain with an invalid encoding into a Server Certificate object. The certificate or certificate chain obtained from the Certificate Authority is invalid.

Action
    Perform the following operations:
    * Contact the Certificate Authority that issued the server certificate to obtain the Certificate Authority's certificate.
    * Using ConsoleOne(r), view the Server Certificate object. Click Import.
    * Import the Certificate Authority's certificate as the trusted root.
    * Import the server's certificate as the object certificate.
    If the problem persists, contact the Certificate Authority.

Anybody out there who can help out, please.

Thanks
James

CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.

From per at norhex.com Wed Jan 28 09:53:51 2009
From: per at norhex.com (Per Qvindesland)
Date: Wed, 28 Jan 2009 10:53:51 +0100
Subject: [Fedora-directory-users] Authentication problems
Message-ID:

Hi List

After having installed Directory Server with no problems and created a test user account, I then go ahead to configure a client to test the authentication to my new directory server. Sadly, after a reboot I can't log in with the new user account that I created. I have spent a few days reading up about what the problem may be but until now I have had very little joy.

If I try ldapsearch -v then I get the error message:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

If I use ldapsearch -x then I get the output of an ldif file with all groups, users and domains available, so there is apparently nothing wrong with the communication. I truly believe that this is a security problem that sits somewhere, but I have no idea.

Could anyone give me some pointers to how I could fix this problem?

Regards
Per Qvindesland

From janfrode at tanso.net Wed Jan 28 14:44:06 2009
From: janfrode at tanso.net (Jan-Frode Myklebust)
Date: Wed, 28 Jan 2009 15:44:06 +0100
Subject: [Fedora-directory-users] Re: nested groups
References:
Message-ID:

On 2009-01-19, Jan-Frode Myklebust wrote:
> Is there any way of nesting groups in fedora directory server?
> I tried creating a group "testgroup" with another group as
> uniqueMember, but "getent group testgroup" didn't nest in any
> users from the uniqueMember-group.

Just discovered the ldap.conf/nss_ldap setting "nss_schema rfc2307bis", which seems to say it should resolve nested groups on the client side. Some testing:

1 - Running "nscd" without "nss_schema rfc2307bis":
    "groups username" -- not listing nested group
    "getent group nestedgroup" -- not un-nesting

2 - Not running "nscd", and without "nss_schema rfc2307bis":
    "groups username" -- listing nested groups!
    "getent group nestedgroup" -- not un-nesting

3 - Not running "nscd", with "nss_schema rfc2307bis":
    "groups username" -- listing nested groups!
    "getent group nestedgroup" -- not un-nesting

4 - Running "nscd", with "nss_schema rfc2307bis":
    "groups username" -- not listing nested group
    "getent group nestedgroup" -- not un-nesting

So "nss_schema rfc2307bis" doesn't seem to have any effect; only "nscd" on/off seems to affect the un-nesting.

Does anybody know what else I can do to get nested groups functioning on RHEL4/RHEL4/RHEL5? Or is there some way of getting the directory server to do the un-nesting for me?

-jf

From rpolli at babel.it Wed Jan 28 15:25:11 2009
From: rpolli at babel.it (Roberto Polli)
Date: Wed, 28 Jan 2009 16:25:11 +0100
Subject: [Fedora-directory-users] chainings and views (aka views don't follow chains)
Message-ID: <200901281625.11382.rpolli@babel.it>

hi all,

I'm implementing an ldap proxy with chaining, but it seems that views don't follow the chains..

On the real servers I have the following structure:

dc=top
o=sample
dc=sample.com

and

dc=nsroot
ou=view
nsviewfilter: (dc=*)

so that I can access the domain directly under dc=nsroot.

When I made the same structure on the proxy, I put a chain:

dc=top
o=sample ---> realserver

After creating the ou=view, I found nothing under it..

Hope someone can help..

Peace, R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"This message contains confidential information. If you have received it in error, please kindly let us know by e-mail. We also ask you to destroy the message received in error. The above is requested in order to comply with the law on the protection of personal data."

From per at norhex.com Wed Jan 28 14:58:33 2009
From: per at norhex.com (Per Qvindesland)
Date: Wed, 28 Jan 2009 15:58:33 +0100
Subject: [Fedora-directory-users] Authentication problems
In-Reply-To:
Message-ID:

Hello again list

I am coming a bit to my wits' end on this one, so let me rather top-post my own post :)

After having configured the client machine to authenticate and to look for users on the directory server, when I then try to log in as a user that sits on the directory server I get an error message saying that there is no such user. Is there any special configuration that needs to be done to get the directory server to authenticate on a standard install on both the directory server and the client?

Regards
Per

On 1/28/09 10:53 AM, "Per Qvindesland" wrote:
> [...]

From rmeggins at redhat.com Wed Jan 28 15:37:55 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 Jan 2009 08:37:55 -0700
Subject: [Fedora-directory-users] Authentication problems
In-Reply-To:
References:
Message-ID: <49807BD3.2040008@redhat.com>

Per Qvindesland wrote:
> Hi List
>
> After having installed Directory Server with no problems and created a test
> user account I then go ahead to configure a client to test the
> authentication to my new directory server. Sadly, after a reboot I can't
> log in with my new user account that I created. I have spent a few days
> reading up about what the problem may be but until now I have had very
> little joy.
>
> If I try ldapsearch -v then I get the error message:
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
>
This is because the openldap ldapsearch client attempts SASL authentication by default. You have to specify -x to make it use simple (username/password or anonymous) authentication.
> If I use ldapsearch -x then I get the output of an ldif file with all groups,
> users and domains available, so there is apparently nothing wrong with the
> communication. I truly believe that this is a security problem that sits
> somewhere but I have no idea.
>
I don't think this is a security problem.

> Could anyone give me some pointers to how I could fix this problem?
>
> Regards
> Per Qvindesland

From rmeggins at redhat.com Wed Jan 28 20:47:47 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 Jan 2009 13:47:47 -0700
Subject: [Fedora-directory-users] Proper way to generate a server certificate.
In-Reply-To: <1233103068.6137.51.camel@PHX1AMUX269160.sanmina-sci.com>
References: <1233103068.6137.51.camel@PHX1AMUX269160.sanmina-sci.com>
Message-ID: <4980C473.8010109@redhat.com>

James Chavez wrote:
> Hello List,
>
> I am trying to set up SSL between an AD or eDir box and my FDS box.
> I want to generate a server cert for the AD or eDir box and import it
> into eDir/AD and import the CA cert into AD/eDir as well.
>
> What commands do I use to accomplish this?
> Also, what format does the cert need to be in to successfully import into AD
> or eDir?
>
> I have generated a self-signed CA cert named "FDS CA"
> and exported it with
> certutil -L -d . -n "FDS CA" -a > ca.asc and
> certutil -L -d . -n "FDS CA" -r > ca.der
>
> I have generated a server cert for the AD/eDir box with
>
> certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t
> "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>
> and exported it with
> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>
> I then send the CA cert in ASCII and .der format along with the
> server-cert.p12 to the admin but he gets the errors below trying to import
> into eDir.
> Need help on this one please.
>
> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>
I'm not sure, but why not just use Novell Certificate Server to generate all of your server certs?

> [...]
>
> Anybody out there who can help out, please.
>
> Thanks
> James
>
> [...]

From rmeggins at redhat.com Wed Jan 28 20:55:57 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 Jan 2009 13:55:57 -0700
Subject: [Fedora-directory-users] chainings and views (aka views don't follow chains)
In-Reply-To: <200901281625.11382.rpolli@babel.it>
References: <200901281625.11382.rpolli@babel.it>
Message-ID: <4980C65D.6040505@redhat.com>

Roberto Polli wrote:
> hi all,
>
> I'm implementing an ldap proxy with chaining, but it seems that views don't
> follow the chains..
>
> [...]
>
I don't think you can use views to have a view through a chained backend. Please file a bug.
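Going back to Jan-Frode Myklebust's nested-groups question earlier in this archive: whichever side ends up doing the un-nesting, the work is the same, and the script below shows it in plain Python. It is an added example, not code from the thread, from nss_ldap or from the Directory Server. It walks the uniqueMember (or member) values of a group entry, follows members that are themselves groups, stops on cycles, records member DNs that do not exist in the directory, and compares DNs case-insensitively (the access log quoted above shows the same entry as ou=People and as ou=people). The directory content is a constructed in-memory dictionary standing in for search results; the DNs, uids and gidNumbers are made up.

```python
def norm_dn(dn):
    """Normalise a DN for comparison: DNs are case-insensitive and may differ in spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed stand-in for LDAP search results: dn -> attributes. cn=subgroup points
# back at cn=nestedgroup (a cycle) and cn=deep lists a member that does not exist.
SAMPLE_DIRECTORY = {
    "cn=nestedgroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames", "posixGroup"],
        "cn": ["nestedgroup"], "gidNumber": ["5000"],
        "uniqueMember": ["uid=alice,ou=People,dc=example,dc=com",
                         "cn=subgroup,ou=groups,dc=example,dc=com"],
    },
    "cn=subgroup,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames", "posixGroup"],
        "cn": ["subgroup"], "gidNumber": ["5001"],
        "uniqueMember": ["uid=bob,ou=People,dc=example,dc=com",
                         "cn=deep,ou=Groups,dc=example,dc=com",
                         "cn=nestedgroup,ou=Groups,dc=example,dc=com"],
    },
    "cn=deep,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames", "posixGroup"],
        "cn": ["deep"], "gidNumber": ["5002"],
        "uniqueMember": ["uid=carol,ou=People,dc=example,dc=com",
                         "uid=ghost,ou=People,dc=example,dc=com"],
    },
    "uid=alice,ou=People,dc=example,dc=com": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=example,dc=com": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "uid=carol,ou=People,dc=example,dc=com": {"objectClass": ["posixAccount"], "uid": ["carol"]},
}


def flatten_group(directory, group_dn):
    """Resolve a group's transitive membership.

    Returns {"uids": sorted user uids, "unresolved": member DNs with no entry,
    "cycles": each group -> ... -> group path that loops back on itself}.
    """
    entries = {norm_dn(dn): attrs for dn, attrs in directory.items()}
    uids, unresolved, cycles, seen = set(), set(), [], set()

    def walk(dn, path):
        dn = norm_dn(dn)
        if dn in path:                       # already inside this group: a loop
            cycles.append(path[path.index(dn):] + [dn])
            return
        if dn in seen:                       # reached by another route, already expanded
            return
        seen.add(dn)
        entry = entries.get(dn)
        if entry is None:                    # dangling member reference
            unresolved.add(dn)
            return
        if "uid" in entry:                   # a user (posixAccount) entry
            uids.update(entry["uid"])
            return
        for member in entry.get("uniqueMember", []) + entry.get("member", []):
            walk(member, path + [dn])

    walk(group_dn, [])
    return {"uids": sorted(uids), "unresolved": sorted(unresolved), "cycles": cycles}


def getent_line(directory, group_dn):
    """What 'getent group <cn>' would print if the client un-nested the group."""
    entry = {norm_dn(dn): attrs for dn, attrs in directory.items()}[norm_dn(group_dn)]
    members = ",".join(flatten_group(directory, group_dn)["uids"])
    return f"{entry['cn'][0]}:x:{entry['gidNumber'][0]}:{members}"


if __name__ == "__main__":
    top = "cn=nestedgroup,ou=Groups,dc=example,dc=com"
    result = flatten_group(SAMPLE_DIRECTORY, top)
    print(getent_line(SAMPLE_DIRECTORY, top))
    print("unresolved:", result["unresolved"])
    print("cycles:", result["cycles"])
```

The cycle and dangling-member checks are the part worth keeping whichever tool does the expansion: a loop between two groups must not hang the resolver, and a member DN that no longer exists should be visible rather than silently dropped, since it often means an account was deleted without cleaning up the groups that granted it access.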
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Jan 28 21:07:35 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 28 Jan 2009 14:07:35 -0700 Subject: [Fedora-directory-users] Modify Admin Port via LDIF In-Reply-To: <20e4c38c0901261616l1c539b0meef61a3442217fab@mail.gmail.com> References: <20e4c38c0901261616l1c539b0meef61a3442217fab@mail.gmail.com> Message-ID: <4980C917.3000202@redhat.com> Chun Tat David Chu wrote: > Hi all, > > I have a question. Can you modify the admin port via LDIF? No, not entirely. You have to change it in both LDAP and in the console.conf file. In LDAP, do a search like this: ldapsearch -x -D "cn=directory manager" -w password -b o=netscaperoot nsServerPort=9830 to find the entry , then use ldapmodify on that entry. After you do that, edit console.conf and change the Listen directive. Then restart the admin server - it should listen on the new port. > If so, can you tell me where is the admin port located and what > attributes I should set. > > Thanks in advance! > > - dc > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From james.chavez at sanmina-sci.com Wed Jan 28 21:24:16 2009 From: james.chavez at sanmina-sci.com (Chavez, James R.) Date: Wed, 28 Jan 2009 13:24:16 -0800 Subject: [Fedora-directory-users] Proper way to generate a server certificate. In-Reply-To: <4980C473.8010109@redhat.com> Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC94F@sjc1amfpew04.am.sanm.corp> Mr. Rich, you responded!! 
Thank you

Thing is I generate a certificate request but am having issues importing it...
I generate a key and cert with..
"openssl genrsa -des3 -out server.key 2048" for the key
"openssl req -new -key server.key -out server.csr"
I send it to the Novell Admin and he sends back a server.b64 file.
I try and import it through the gui as a server cert and it fails saying that.

" Either the certificate is for another server or the certificate was not requested using this server and the selected security device "internal (software)""

I can import it as a CA cert but it shows as a broken chain and it is supposed to be a server cert anyway.

Any ideas on how to properly import this base 64 signed cert?
Perhaps certutil or openssl commands?

Thank You
James

Openssl
-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, January 28, 2009 1:48 PM
To: Chavez, James R.; General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Proper way to generate a server certificate.

James Chavez wrote:
> Hello List,
>
> I am trying to set up SSL between an AD or edir box and my FDS box.
> I want to generate a server cert for the AD or edir box and import it
> into edir/AD and import the CA cert into AD/edir as well.
>
> What commands do I use to accomplish this.
> Also what format does the cert need to be to successfully import into
> AD or edir.
>
> I have generated a self-signed CA cert named "FDS CA"
> exported with
> certutil -L -d . -n "FDS CA" -a > ca.asc and
> certutil -L -d . -n "FDS CA" -r > ca.der
>
> I have generated a server cert for the AD/edir box with
>
> certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>
> And exported it with..
> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>
> I then send the CA cert in ascii and .der format along with the
> server-cert.p12 to the admin but he gets errors below trying to import
> into edir.
> Need help on this one please.
> ..
>
> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>
I'm not sure, but why not just use Novell Certificate Server to generate all of your server certs?
> Source
>
> Novell(r) Certificate Server
>
> Explanation
>
> Novell Certificate Server was unable to parse a certificate that has
> been stored or is being stored.
>
> Possible Cause
>
> The user attempted to store a certificate or a certificate chain with
> an invalid encoding into a Server Certificate object. The certificate
> or certificate chain obtained from the Certificate Authority is invalid.
>
> Action
>
> Perform the following operations:
>
> * Contact the Certificate Authority that issued the server
>   certificate to obtain the Certificate Authority's certificate.
> * Using ConsoleOne(r), view the Server Certificate object. Click
>   Import.
> * Import the Certificate Authority's certificate as the trusted
>   root.
> * Import the server's certificate as the object certificate.
>
> If the problem persists, contact the Certificate Authority.
>
> Anybody out there can help out please.
>
> Thanks
> James
>
From rmeggins at redhat.com Wed Jan 28 22:20:38 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 Jan 2009 15:20:38 -0700
Subject: [Fedora-directory-users] Proper way to generate a server certificate.
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6BEC94F@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC94F@sjc1amfpew04.am.sanm.corp>
Message-ID: <4980DA36.6080204@redhat.com>

Chavez, James R. wrote:
> Mr. Rich, you responded!!
> Thank you
>
> Thing is I generate a certificate request but am having issues importing
> it...
> I generate a key and cert with..
> "openssl genrsa -des3 -out server.key 2048" for the key
> "openssl req -new -key server.key -out server.csr"
> I send it to the Novell Admin and he sends back a server.b64 file.
> I try and import it through the gui as a server cert and it fails saying
> that.
>
> " Either the certificate is for another server or the certificate was
> not requested using this server and the selected security device
> "internal (software)""
>
> I can import it as a CA cert but it shows as a broken chain and it is
> supposed to be a server cert anyway.
>
> Any ideas on how to properly import this base 64 signed cert?
> Perhaps certutil or openssl commands?
>
If you are going to generate a server cert request, and you are going to use the GUI, you should just use the GUI to generate the server cert request. Then you can submit that request to your CA and have it generate the server cert, then you can use the GUI again to install your new server cert. You will also need to install the CA cert using the Fedora DS console GUI.
> Thank You
> James
>
> Openssl
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday, January 28, 2009 1:48 PM
> To: Chavez, James R.; General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proper way to generate a server certificate.
>
> James Chavez wrote:
>
>> Hello List,
>>
>> I am trying to set up SSL between an AD or edir box and my FDS box.
>> I want to generate a server cert for the AD or edir box and import it
>> into edir/AD and import the CA cert into AD/edir as well.
>>
>> What commands do I use to accomplish this.
>> Also what format does the cert need to be to successfully import into
>> AD or edir.
>>
>> I have generated a self-signed CA cert named "FDS CA"
>> exported with
>> certutil -L -d . -n "FDS CA" -a > ca.asc and
>> certutil -L -d . -n "FDS CA" -r > ca.der
>>
>> I have generated a server cert for the AD/edir box with
>>
>> certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>>
>> And exported it with..
>> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>>
>> I then send the CA cert in ascii and .der format along with the
>> server-cert.p12 to the admin but he gets errors below trying to import
>> into edir.
>> Need help on this one please.
>> ..
>>
>> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>>
> I'm not sure, but why not just use Novell Certificate Server to generate
> all of your server certs?
>
>> Source
>>
>> Novell(r) Certificate Server
>>
>> Explanation
>>
>> Novell Certificate Server was unable to parse a certificate that has
>> been stored or is being stored.
>>
>> Possible Cause
>>
>> The user attempted to store a certificate or a certificate chain with
>> an invalid encoding into a Server Certificate object. The certificate
>> or certificate chain obtained from the Certificate Authority is invalid.
>>
>> Action
>>
>> Perform the following operations:
>>
>> * Contact the Certificate Authority that issued the server
>>   certificate to obtain the Certificate Authority's certificate.
>> * Using ConsoleOne(r), view the Server Certificate object. Click
>>   Import.
>> * Import the Certificate Authority's certificate as the trusted
>>   root.
>> * Import the server's certificate as the object certificate.
>>
>> If the problem persists, contact the Certificate Authority.
>>
>> Anybody out there can help out please.
>>
>> Thanks
>> James
>>

From james.chavez at sanmina-sci.com Wed Jan 28 22:58:02 2009
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Wed, 28 Jan 2009 14:58:02 -0800
Subject: [Fedora-directory-users] Proper way to generate a server certificate.
In-Reply-To: <4980DA36.6080204@redhat.com>
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC954@sjc1amfpew04.am.sanm.corp>

Rich,
Thank you again.
The GUI console will not allow me to get past the 3rd screen where it asks for a password to the internal software store..I enter the correct password and it just sits there. I know the pass is correct because from the command line the same pass works to access the store.
It will not go past. I have done this on various machines and it is the same result. Is there some kind of bug or needed software I need to have this function. All boxes are running.

Fedora 9 and

fedora-ds
version 1.1.1
Release 3.fc9

Also, I sent a cert request (CSR) to the needed Novell CA and had them sign it and return it.
I successfully imported it.
The server cert I imported shows as having a broken chain on the certification path tab. And issued by null.
I am assuming this is due to not having imported the CA cert that issued this cert yet..Is that a valid assumption?
Do I need the CA certificate in order to properly use this server cert that was generated?

Thank you
James

-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, January 28, 2009 3:21 PM
To: Chavez, James R.
Cc: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Proper way to generate a server certificate.

Chavez, James R. wrote:
> Mr. Rich, you responded!!
> Thank you
>
> Thing is I generate a certificate request but am having issues
> importing it...
> I generate a key and cert with..
> "openssl genrsa -des3 -out server.key 2048" for the key "openssl req
> -new -key server.key -out server.csr"
> I send it to the Novell Admin and he sends back a server.b64 file.
> I try and import it through the gui as a server cert and it fails
> saying that.
>
> " Either the certificate is for another server or the certificate was
> not requested using this server and the selected security device
> "internal (software)""
>
> I can import it as a CA cert but it shows as a broken chain and it is
> supposed to be a server cert anyway.
>
> Any ideas on how to properly import this base 64 signed cert?
> Perhaps certutil or openssl commands?
>
If you are going to generate a server cert request, and you are going to use the GUI, you should just use the GUI to generate the server cert request. Then you can submit that request to your CA and have it generate the server cert, then you can use the GUI again to install your new server cert. You will also need to install the CA cert using the Fedora DS console GUI.
> Thank You
> James
>
> Openssl
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday, January 28, 2009 1:48 PM
> To: Chavez, James R.; General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proper way to generate a server certificate.
>
> James Chavez wrote:
>
>> Hello List,
>>
>> I am trying to set up SSL between an AD or edir box and my FDS box.
>> I want to generate a server cert for the AD or edir box and import it
>> into edir/AD and import the CA cert into AD/edir as well.
>>
>> What commands do I use to accomplish this.
>> Also what format does the cert need to be to successfully import into
>> AD or edir.
>>
>> I have generated a self-signed CA cert named "FDS CA"
>> exported with
>> certutil -L -d . -n "FDS CA" -a > ca.asc and
>> certutil -L -d . -n "FDS CA" -r > ca.der
>>
>> I have generated a server cert for the AD/edir box with
>>
>> certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>>
>> And exported it with..
>> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>>
>> I then send the CA cert in ascii and .der format along with the
>> server-cert.p12 to the admin but he gets errors below trying to import
>> into edir.
>> Need help on this one please.
>> ..
>>
>> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>>
> I'm not sure, but why not just use Novell Certificate Server to
> generate all of your server certs?
>
>> Source
>>
>> Novell(r) Certificate Server
>>
>> Explanation
>>
>> Novell Certificate Server was unable to parse a certificate that has
>> been stored or is being stored.
>>
>> Possible Cause
>>
>> The user attempted to store a certificate or a certificate chain with
>> an invalid encoding into a Server Certificate object. The certificate
>> or certificate chain obtained from the Certificate Authority is invalid.
>>
>> Action
>>
>> Perform the following operations:
>>
>> * Contact the Certificate Authority that issued the server
>>   certificate to obtain the Certificate Authority's certificate.
>> * Using ConsoleOne(r), view the Server Certificate object. Click
>>   Import.
>> * Import the Certificate Authority's certificate as the trusted
>>   root.
>> * Import the server's certificate as the object certificate.
>>
>> If the problem persists, contact the Certificate Authority.
>>
>> Anybody out there can help out please.
>>
>> Thanks
>> James
>>

From rmeggins at redhat.com Wed Jan 28 23:02:41 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 Jan 2009 16:02:41 -0700
Subject: [Fedora-directory-users] Proper way to generate a server certificate.
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6BEC954@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC954@sjc1amfpew04.am.sanm.corp>
Message-ID: <4980E411.7030601@redhat.com>

Chavez, James R. wrote:
> Rich,
> Thank you again.
> The GUI console will not allow me to get past the 3rd screen where it
> asks for a password to the internal software store..I enter the correct
> password and it just sits there. I know the pass is correct because from
> the command line the same pass works to access the store.
> It will not go past. I have done this on various machines and it is the
> same result. Is there some kind of bug or needed software I need to have
> this function. All boxes are running.
>
Try running

fedora-idm-console -D 9 -f console.log

email me the console.log

also check the admin server error log - /var/log/dirsrv/admin-serv/error
> Fedora 9 and
>
> fedora-ds
> version 1.1.1
> Release 3.fc9
>
> Also, I sent a cert request (CSR) to the needed Novell CA and had them
> sign it and return it.
> I successfully imported it.
> The server cert I imported shows as having a broken chain on the
> certification path tab. And issued by null.
> I am assuming this is due to not having imported the CA cert that issued
> this cert yet..Is that a valid assumption?
>
Yes.
> Do I need the CA certificate in order to properly use this server cert
> that was generated?
>
Yes.
>
> Thank you
> James
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday, January 28, 2009 3:21 PM
> To: Chavez, James R.
> Cc: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proper way to generate a server certificate.
>
> Chavez, James R. wrote:
>
>> Mr. Rich, you responded!!
>> Thank you
>>
>> Thing is I generate a certificate request but am having issues
>> importing it...
>> I generate a key and cert with..
>> "openssl genrsa -des3 -out server.key 2048" for the key "openssl req
>> -new -key server.key -out server.csr"
>> I send it to the Novell Admin and he sends back a server.b64 file.
>> I try and import it through the gui as a server cert and it fails
>> saying that.
>>
>> " Either the certificate is for another server or the certificate was
>> not requested using this server and the selected security device
>> "internal (software)""
>>
>> I can import it as a CA cert but it shows as a broken chain and it is
>> supposed to be a server cert anyway.
>>
>> Any ideas on how to properly import this base 64 signed cert?
>> Perhaps certutil or openssl commands?
>>
> If you are going to generate a server cert request, and you are going to
> use the GUI, you should just use the GUI to generate the server cert
> request. Then you can submit that request to your CA and have it
> generate the server cert, then you can use the GUI again to install your
> new server cert. You will also need to install the CA cert using the
> Fedora DS console GUI.
>
>> Thank You
>> James
>>
>> Openssl
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Wednesday, January 28, 2009 1:48 PM
>> To: Chavez, James R.; General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Proper way to generate a server certificate.
>>
>> James Chavez wrote:
>>
>>> Hello List,
>>>
>>> I am trying to set up SSL between an AD or edir box and my FDS box.
>>> I want to generate a server cert for the AD or edir box and import it
>>> into edir/AD and import the CA cert into AD/edir as well.
>>>
>>> What commands do I use to accomplish this.
>>> Also what format does the cert need to be to successfully import into
>>> AD or edir.
>>>
>>> I have generated a self-signed CA cert named "FDS CA"
>>> exported with
>>> certutil -L -d . -n "FDS CA" -a > ca.asc and
>>> certutil -L -d . -n "FDS CA" -r > ca.der
>>>
>>> I have generated a server cert for the AD/edir box with
>>>
>>> certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>>>
>>> And exported it with..
>>> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>>>
>>> I then send the CA cert in ascii and .der format along with the
>>> server-cert.p12 to the admin but he gets errors below trying to import
>>> into edir.
>>> Need help on this one please.
>>> ..
>>>
>>> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>>>
>> I'm not sure, but why not just use Novell Certificate Server to
>> generate all of your server certs?
>>
>>> Source
>>>
>>> Novell(r) Certificate Server
>>>
>>> Explanation
>>>
>>> Novell Certificate Server was unable to parse a certificate that has
>>> been stored or is being stored.
>>>
>>> Possible Cause
>>>
>>> The user attempted to store a certificate or a certificate chain with
>>> an invalid encoding into a Server Certificate object. The certificate
>>> or certificate chain obtained from the Certificate Authority is invalid.
>>>
>>> Action
>>>
>>> Perform the following operations:
>>>
>>> * Contact the Certificate Authority that issued the server
>>>   certificate to obtain the Certificate Authority's certificate.
>>> * Using ConsoleOne(r), view the Server Certificate object. Click
>>>   Import.
>>> * Import the Certificate Authority's certificate as the trusted
>>>   root.
>>> * Import the server's certificate as the object certificate.
>>>
>>> If the problem persists, contact the Certificate Authority.
>>>
>>> Anybody out there can help out please.
>>>
>>> Thanks
>>> James
>>>

From james.chavez at sanmina-sci.com Wed Jan 28 23:21:28 2009
From: james.chavez at sanmina-sci.com (Chavez, James R.)
Date: Wed, 28 Jan 2009 15:21:28 -0800
Subject: [Fedora-directory-users] Proper way to generate a server certificate.
In-Reply-To: <4980E411.7030601@redhat.com>
Message-ID: <19A4A238A352AD40B65B3D88780DDBC6BEC956@sjc1amfpew04.am.sanm.corp>

Rich,
Thanks again,
Do I email the log to the entire list? Or can I shoot it to you?

Thank you
James

-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, January 28, 2009 4:03 PM
To: Chavez, James R.
Cc: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Proper way to generate a server certificate.

Chavez, James R. wrote:
> Rich,
> Thank you again.
> The GUI console will not allow me to get past the 3rd screen where it
> asks for a password to the internal software store..I enter the
> correct password and it just sits there. I know the pass is correct
> because from the command line the same pass works to access the store.
> It will not go past. I have done this on various machines and it is
> the same result.
> Is there some kind of bug or needed software I need
> to have this function? All boxes are running.
>
Try running fedora-idm-console -D 9 -f console.log
email me the console.log
also check the admin server error log - /var/log/dirsrv/admin-serv/error
> Fedora 9 and
>
> fedora-ds
> version 1.1.1
> Release 3.fc9
>
>
> Also, I sent a cert request (CSR) to the needed Novell CA and had them
> sign it and return it.
> I successfully imported it.
> The server cert I imported shows as having a broken chain on the
> certification path tab. And issued by null.
> I am assuming this is due to not having imported the CA cert that issued
> this cert yet. Is that a valid assumption?
>
Yes.
> Do I need the CA certificate in order to properly use this server cert
> that was generated?
>
Yes.
>
> Thank you
> James
>
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday, January 28, 2009 3:21 PM
> To: Chavez, James R.
> Cc: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proper way to generate a server
> certificate.
>
> Chavez, James R. wrote:
>
>> Mr. Rich, you responded!!
>> Thank you
>>
>> Thing is I generate a certificate request but am having issues
>> importing it...
>> I generate a key and cert with..
>> "openssl genrsa -des3 -out server.key 2048" for the key "openssl req
>> -new -key server.key -out server.csr"
>> I send it to the Novell Admin, who sends back a server.b64 file.
>> I try and import it through the gui as a server cert and it fails
>> saying that.
>>
>> " Either the certificate is for another server or the certificate was
>> not requested using this server and the selected security device
>> "internal (software)""
>>
>> I can import it as a CA cert but it shows as a broken chain and it is
>> supposed to be server cert anyway.
>>
>> Any ideas on how to properly import this base 64 signed cert?
>> Perhaps certutil or openssl commands?
>>
>>
> If you are going to generate a server cert request, and you are going to
> use the GUI, you should just use the GUI to generate the server cert
> request. Then you can submit that request to your CA and have it
> generate the server cert, then you can use the GUI again to install your
> new server cert. You will also need to install the CA cert using the
> Fedora DS console GUI.
>
>> Thank You
>> James
>>
>> Openssl
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Wednesday, January 28, 2009 1:48 PM
>> To: Chavez, James R.; General discussion list for the Fedora Directory
>> server project.
>> Subject: Re: [Fedora-directory-users] Proper way to generate a server
>> certificate.
>>
>> James Chavez wrote:
>>
>>> Hello List,
>>>
>>> I am trying to set up SSL between an AD or edir box and my FDS box.
>>> I want to generate a server cert for the AD or edir box and import it
>>> into edir/AD and import the CA cert into AD/edir as well.
>>>
>>> What commands do I use to accomplish this?
>>> Also what format does the cert need to be to successfully import into
>>> AD or edir?
>>>
>>> I have generated a self signed CA cert named "FDS CA"
>>> exported with
>>> certutil -L -d . -n "FDS CA" -a > ca.asc and
>>> certutil -L -d . -n "FDS CA" -r > ca.der
>>>
>>> I have generated a server cert for the AD/edir box with
>>>
>>> certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t
>>> "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>>>
>>> And exported it with..
>>> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>>>
>>> I then send the CA cert in ascii and .der format along with the
>>> server-cert.p12 to the admin but he gets errors below trying to
>>> import into edir.
>>> Need help on this one please.
>>> ..
>>>
>>> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>>>
>> I'm not sure, but why not just use Novell Certificate Server to
>> generate all of your server certs?
>>
>>> Source
>>>
>>> Novell(r) Certificate Server
>>>
>>> Explanation
>>>
>>> Novell Certificate Server was unable to parse a certificate that has
>>> been stored or is being stored.
>>>
>>> Possible Cause
>>>
>>> The user attempted to store a certificate or a certificate chain with
>>> an invalid encoding into a Server Certificate object. The certificate
>>> or certificate chain obtained from the Certificate Authority is
>>> invalid.
>>>
>>> Action
>>>
>>> Perform the following operations:
>>>
>>> * Contact the Certificate Authority that issued the server
>>> certificate to obtain the Certificate Authority's certificate.
>>> * Using ConsoleOne(r), view the Server Certificate object. Click
>>> Import.
>>> * Import the Certificate Authority's certificate as the trusted
>>> root.
>>> * Import the server's certificate as the object certificate.
>>>
>>> If the problem persists, contact the Certificate Authority.
>>>
>>> Anybody out there can help out please.
>>>
>>> Thanks
>>> James

From rmeggins at redhat.com Wed Jan 28 23:25:19 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 Jan 2009 16:25:19 -0700
Subject: [Fedora-directory-users] Proper way to generate a server certificate.
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6BEC956@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6BEC956@sjc1amfpew04.am.sanm.corp>
Message-ID: <4980E95F.9060308@redhat.com>

Chavez, James R. wrote:
> Rich, Thanks again,
>
> Do I email the log to the entire list?
>
No
> Or can I shoot it to you?
>
Yes - or just paste it to fpaste.org and email the link
> Thank you
> James
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins at redhat.com]
> Sent: Wednesday, January 28, 2009 4:03 PM
> To: Chavez, James R.
> Cc: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Proper way to generate a server
> certificate.
>
> Chavez, James R. wrote:
>
>> Rich,
>> Thank you again.
>> The GUI console will not allow me to get past the 3rd screen where it
>> asks for a password to the internal software store. I enter the
>> correct password and it just sits there. I know the pass is correct
>> because from the command line the same pass works to access the store.
>> It will not go past. I have done this on various machines and it is
>> the same result. Is there some kind of bug or needed software I need
>> to have this function? All boxes are running.
>>
>>
> Try running fedora-idm-console -D 9 -f console.log
> email me the console.log
> also check the admin server error log - /var/log/dirsrv/admin-serv/error
>
>> Fedora 9 and
>>
>> fedora-ds
>> version 1.1.1
>> Release 3.fc9
>>
>>
>> Also, I sent a cert request (CSR) to the needed Novell CA and had them
>> sign it and return it.
>> I successfully imported it.
>> The server cert I imported shows as having a broken chain on the
>> certification path tab. And issued by null.
>> I am assuming this is due to not having imported the CA cert that issued
>> this cert yet. Is that a valid assumption?
>>
> Yes.
>
>> Do I need the CA certificate in order to properly use this server cert
>> that was generated?
>>
> Yes.
>
>> Thank you
>> James
>>
>>
>>
>> -----Original Message-----
>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>> Sent: Wednesday, January 28, 2009 3:21 PM
>> To: Chavez, James R.
>> Cc: General discussion list for the Fedora Directory server project.
>> Subject: Re: [Fedora-directory-users] Proper way to generate a server
>> certificate.
>>
>> Chavez, James R. wrote:
>>
>>> Mr. Rich, you responded!!
>>> Thank you
>>>
>>> Thing is I generate a certificate request but am having issues
>>> importing it...
>>> I generate a key and cert with..
>>> "openssl genrsa -des3 -out server.key 2048" for the key "openssl req
>>> -new -key server.key -out server.csr"
>>> I send it to the Novell Admin, who sends back a server.b64 file.
>>> I try and import it through the gui as a server cert and it fails
>>> saying that.
>>>
>>> " Either the certificate is for another server or the certificate was
>>> not requested using this server and the selected security device
>>> "internal (software)""
>>>
>>> I can import it as a CA cert but it shows as a broken chain and it is
>>> supposed to be server cert anyway.
>>>
>>> Any ideas on how to properly import this base 64 signed cert?
>>> Perhaps certutil or openssl commands?
>>>
>>>
>> If you are going to generate a server cert request, and you are going
>> to use the GUI, you should just use the GUI to generate the server cert
>> request. Then you can submit that request to your CA and have it
>> generate the server cert, then you can use the GUI again to install
>> your new server cert. You will also need to install the CA cert using the
>> Fedora DS console GUI.
>>
>>> Thank You
>>> James
>>>
>>> Openssl
>>> -----Original Message-----
>>> From: Rich Megginson [mailto:rmeggins at redhat.com]
>>> Sent: Wednesday, January 28, 2009 1:48 PM
>>> To: Chavez, James R.; General discussion list for the Fedora Directory
>>> server project.
>>> Subject: Re: [Fedora-directory-users] Proper way to generate a server
>>> certificate.
>>>
>>> James Chavez wrote:
>>>
>>>> Hello List,
>>>>
>>>> I am trying to set up SSL between an AD or edir box and my FDS box.
>>>> I want to generate a server cert for the AD or edir box and import it
>>>> into edir/AD and import the CA cert into AD/edir as well.
>>>>
>>>> What commands do I use to accomplish this?
>>>> Also what format does the cert need to be to successfully import into
>>>> AD or edir?
>>>>
>>>> I have generated a self signed CA cert named "FDS CA"
>>>> exported with
>>>> certutil -L -d . -n "FDS CA" -a > ca.asc and
>>>> certutil -L -d . -n "FDS CA" -r > ca.der
>>>>
>>>> I have generated a server cert for the AD/edir box with
>>>>
>>>> certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t
>>>> "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
>>>>
>>>> And exported it with..
>>>> pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
>>>>
>>>> I then send the CA cert in ascii and .der format along with the
>>>> server-cert.p12 to the admin but he gets errors below trying to
>>>> import into edir.
>>>> Need help on this one please.
>>>> ..
>>>>
>>>> -1240 FFFFFB28 PKI E PARSE CERTIFICATE
>>>>
>>> I'm not sure, but why not just use Novell Certificate Server to
>>> generate all of your server certs?
>>>
>>>> Source
>>>>
>>>> Novell(r) Certificate Server
>>>>
>>>> Explanation
>>>>
>>>> Novell Certificate Server was unable to parse a certificate that has
>>>> been stored or is being stored.
>>>>
>>>> Possible Cause
>>>>
>>>> The user attempted to store a certificate or a certificate chain with
>>>> an invalid encoding into a Server Certificate object. The certificate
>>>> or certificate chain obtained from the Certificate Authority is
>>>> invalid.
>>>>
>>>> Action
>>>>
>>>> Perform the following operations:
>>>>
>>>> * Contact the Certificate Authority that issued the server
>>>> certificate to obtain the Certificate Authority's certificate.
>>>> * Using ConsoleOne(r), view the Server Certificate object. Click
>>>> Import.
>>>> * Import the Certificate Authority's certificate as the trusted
>>>> root.
>>>> * Import the server's certificate as the object certificate.
>>>>
>>>> If the problem persists, contact the Certificate Authority.
>>>>
>>>> Anybody out there can help out please.
>>>>
>>>> Thanks
>>>> James

From per at norhex.com Thu Jan 29 12:31:39 2009
From: per at norhex.com (Per Qvindesland)
Date: Thu, 29 Jan 2009 13:31:39 +0100
Subject: [Fedora-directory-users] Authentication problems
In-Reply-To: <49807BD3.2040008@redhat.com>
Message-ID:

Hi

Thanks so much for responding to my post.

I managed to find out this, but what I don't get is why, after having
installed and configured clients to authenticate towards the server
correctly, they still don't do it. I have looked for any log files that could
give me some clue of what I have done wrong, but no luck; the error log in the
admin interface says nothing that is of use. I have also read the manual
from one side to the other but I cannot find anything that tells me what
steps I have been forgetting.
Are there any error logs that it generates that can give me some more clues?

Regards
Per Qvindesland


On 1/28/09 4:37 PM, "Rich Megginson" wrote:

> Per Qvindesland wrote:
>> Hi List
>>
>> After having installed Directory Server with no problems and created a test
>> user account I then go ahead to configure a client to test the
>> authentication to my new directory server, sadly after a reboot I can't
>> login with my new user account that I created, I have spent a few days
>> reading up about what the problem may be but until now I have had very
>> little joy.
>>
>> If I try ldapsearch -v then I get error message:
>> SASL/EXTERNAL authentication started
>> Ldap_sasl_interactive_bind_s:unknown authentication method (-6)
>> additional info: SASL(-4): no mechanism available:
>>
> This is because the openldap ldapsearch client attempts SASL
> authentication by default. You have to specify -x to make it use simple
> (username/password or anonymous) authentication.
>> If I use ldapsearch -x then I get the output of a ldif file with all groups,
>> users and domains available so there is apparently nothing wrong with the
>> communication, I truly believe that this is a security problem that sits
>> somewhere but I have no idea.
>>
> I don't think this is a security problem.
>> Could anyone give me some pointers to how I could fix this problem?
>>
>> Regards
>> Per Qvindesland
>>

From rmeggins at redhat.com Thu Jan 29 15:18:28 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Jan 2009 08:18:28 -0700
Subject: [Fedora-directory-users] Authentication problems
In-Reply-To:
References:
Message-ID: <4981C8C4.3090104@redhat.com>

Per Qvindesland wrote:
> Hi
>
> Thanks so much for responding to my post.
>
> I managed to find out this, but what I don't get is why, after having
> installed and configured clients to authenticate towards the server
> correctly, they still don't do it. I have looked for any log files that could
> give me some clue of what I have done wrong, but no luck; the error log in the
> admin interface says nothing that is of use. I have also read the manual
> from one side to the other but I cannot find anything that tells me what
> steps I have been forgetting.
>
> Are there any error logs that it generates that can give me
> some more clues?
>
I'm not sure where pam and nss log - possibly /var/log/secure

You can see what searches are being performed against the directory server
by looking at /var/log/dirsrv/slapd-yourinstance/access
> Regards
> Per Qvindesland
>
>
> On 1/28/09 4:37 PM, "Rich Megginson" wrote:
>
>> Per Qvindesland wrote:
>>
>>> Hi List
>>>
>>> After having installed Directory Server with no problems and created a test
>>> user account I then go ahead to configure a client to test the
>>> authentication to my new directory server, sadly after a reboot I can't
>>> login with my new user account that I created, I have spent a few days
>>> reading up about what the problem may be but until now I have had very
>>> little joy.
>>>
>>> If I try ldapsearch -v then I get error message:
>>> SASL/EXTERNAL authentication started
>>> Ldap_sasl_interactive_bind_s:unknown authentication method (-6)
>>> additional info: SASL(-4): no mechanism available:
>>>
>> This is because the openldap ldapsearch client attempts SASL
>> authentication by default. You have to specify -x to make it use simple
>> (username/password or anonymous) authentication.
>>
>>> If I use ldapsearch -x then I get the output of a ldif file with all groups,
>>> users and domains available so there is apparently nothing wrong with the
>>> communication, I truly believe that this is a security problem that sits
>>> somewhere but I have no idea.
>>>
>> I don't think this is a security problem.
>>
>>> Could anyone give me some pointers to how I could fix this problem?
>>>
>>> Regards
>>> Per Qvindesland
>>>

From kenneho.ndu at gmail.com Thu Jan 29 15:19:29 2009
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Thu, 29 Jan 2009 16:19:29 +0100
Subject: [Fedora-directory-users] Do you use WinSync for group sync?
In-Reply-To: <497F7FCE.3080605@redhat.com>
References: <497F7FCE.3080605@redhat.com>
Message-ID:

Hi Rich.

I haven't worked with the WindowsSync feature much myself, so I'm not sure
about the group type details you're requesting.
But what we're working on is syncing AD groups over to DS, and using the group
member information to build our own NIS netgroups. These netgroups are then
used by PAM to authenticate users.


On 1/27/09, Rich Megginson wrote:
>
> We're currently investigating the group sync feature of Windows Sync, and
> we wanted to know how it is deployed. Do you sync groups? What types of
> groups? Security or Distribution? Global or Local? Do the groups have
> "meaning" in both AD and Fedora DS, or only in one side?
>

From rmeggins at redhat.com Thu Jan 29 15:44:20 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Jan 2009 08:44:20 -0700
Subject: [Fedora-directory-users] Do you use WinSync for group sync?
In-Reply-To:
References: <497F7FCE.3080605@redhat.com>
Message-ID: <4981CED4.1000606@redhat.com>

Kenneth Holter wrote:
> Hi Rich.
>
>
> I haven't worked with the WindowsSync feature much myself, so I'm not
> sure about the group type details you're requesting. But what we're
> working on is syncing AD groups over to DS, and using the group member
> information to build our own NIS netgroups. These netgroups are then
> used by PAM to authenticate users.
What are the AD groups used for in AD? Are they Security Groups or
Distribution Groups or both? Are they Global or Local (or Universal)?

We're just trying to get a sense of what people use Groups for on both sides.
>
>
>
> On 1/27/09, *Rich Megginson* wrote:
>
>     We're currently investigating the group sync feature of Windows
>     Sync, and we wanted to know how it is deployed. Do you sync
>     groups? What types of groups? Security or Distribution? Global
>     or Local? Do the groups have "meaning" in both AD and Fedora DS,
>     or only in one side?
>

From emmanuel.billot at ird.fr Thu Jan 29 16:38:04 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 29 Jan 2009 17:38:04 +0100
Subject: [Fedora-directory-users] Do you use WinSync for group sync?
In-Reply-To: <497F7FCE.3080605@redhat.com>
References: <497F7FCE.3080605@redhat.com>
Message-ID: <4981DB6C.8080703@ird.fr>

Rich Megginson wrote:
> We're currently investigating the group sync feature of Windows Sync,
> and we wanted to know how it is deployed. Do you sync groups? What
> types of groups? Security or Distribution? Global or Local? Do the
> groups have "meaning" in both AD and Fedora DS, or only in one side?
Hi,

We are very interested in Windows Sync. We want to share a database
between AD and Fedora DS, because both have qualities in our
environment. AD is used for domain management (client computers) and
file sharing (NTFS), indeed basic AD work.
We also need a "real LDAP" (RFC compliant, open source, easy to modify
structure, etc.) for compatibility with the open source environment,
authentication and directory.

Fedora/Red Hat Directory seems to be the best way for use with Windows
Sync. However, this functionality is quite difficult to configure
(essentially for password) and field matching between AD and FDS
should be more open.
I mean Windows Sync should be perfect if those additional functions were implemented:
* choose matching between AD and FDS fields (e.g. mail with Kerberos login, sn and givenname with MS-specific ones)
* sync sub trees with much more precision (e.g. sync ou=users,ou=microsoft,dc=europe,dc=priv with ou=people,dc=microsoft,dc=example,dc=fr)

For group sync we should use security groups, with global type. In fact, Windows groups are used for file rights management and security, like posix groups in unix, and for global authorization like roles.

Is Windows Sync going to be enhanced?

br,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From rmeggins at redhat.com Thu Jan 29 16:44:08 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Jan 2009 09:44:08 -0700
Subject: [Fedora-directory-users] Do you use WinSync for group sync?
In-Reply-To: <4981DB6C.8080703@ird.fr>
References: <497F7FCE.3080605@redhat.com> <4981DB6C.8080703@ird.fr>
Message-ID: <4981DCD8.1040804@redhat.com>

Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> We're currently investigating the group sync feature of Windows Sync,
>> and we wanted to know how it is deployed. Do you sync groups? What
>> types of groups? Security or Distribution? Global or Local? Do the
>> groups have "meaning" in both AD and Fedora DS, or only in one side?
> Hi,
>
> We are very interested in Windows Sync. We want to share a database
> between AD and Fedora DS, because both have qualities in our
> environment. AD is used for domain management (client computers) and
> file sharing (NTFS), indeed AD basic work.
> We also need a "real LDAP" (RFC compliant, open source, easy to modify
> structure, etc.) for compatibility with the open-source environment,
> authentication and directory.
>
> Fedora/Red Hat Directory seems to be the best way for use with Windows
> Sync. However, this functionality is quite difficult to configure
> (essentially for password) and field matching between AD and FDS
> should be more open. I mean Windows Sync should be perfect if those
> additional functions were implemented:
> * choose matching between AD and FDS fields (e.g. mail with Kerberos
> login, sn and givenname with MS-specific ones)
> * sync sub trees with much more precision (e.g. sync
> ou=users,ou=microsoft,dc=europe,dc=priv with
> ou=people,dc=microsoft,dc=example,dc=fr)
>
> For group sync we should use security groups, with global type. In
> fact, Windows groups are used for file rights management and security,
> like posix groups in unix, and for global authorization like roles.

So in AD, you use Security Groups, and you use them for access control.

> Is Windows Sync going to be enhanced?

No. Windows Sync is only for the bare minimum user/group/password sync. If you need to do more than that, I suggest you look at Penrose Virtual Directory - http://docs.safehaus.org/display/PENROSE/Home

> br,

From jsullivan at opensourcedevel.com Thu Jan 29 18:32:12 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 29 Jan 2009 13:32:12 -0500
Subject: [Fedora-directory-users] [OT?] tls_checkpeer yes problems
Message-ID: <1233253932.6466.191.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. This may be a bit off-topic as it is primarily an LDAP client issue but I am having a bear of a time getting my test CentOS clients to access FDS. The problem is tls_checkpeer. I do want it set to yes but this breaks access. It is as if the directory server's cert cannot be validated against the CA cert. Here are the pertinent settings from my CentOS client ldap.conf (as you can see, I've tried many combinations):

uri ldap://ldap.mycompany.com/
#host ldap.mycompany.com
#ssl on
ssl start_tls
#tls_cacertdir /etc/pki/tls/certs
tls_cacertfile /etc/pki/tls/certs/SSICA.pem
pam_password md5
tls_checkpeer yes
tls_ciphers TLSv1

An strace shows that the SSICA.pem file is opened. Apparently, this is a problem in Ubuntu because of a change to gnutls. However, I can confirm the combination of uri ldap://, ssl start_tls, and tls_certfile rather than tls_certdir work on Ubuntu. My problem is Red Hat style systems. Our test bed is CentOS 5.2. Does anyone have this working on newer Red Hat based systems? If so, with what configuration? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Thu Jan 29 20:23:37 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 29 Jan 2009 15:23:37 -0500
Subject: [Fedora-directory-users] posix root user in ds
Message-ID: <1233260617.6466.198.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. I'm intentionally doing some things the hard way to understand how they work. I'd like to place the root user into my directory. The client with which I am testing can query LDAP and allows login for users defined in LDAP. I then tried to add the root user without using an import script.
I created a user with both uidNumber and gidNumber set to 0 and uid and cn set to root. I then set a password in LDAP different from the one on the local system and attempted to log in to my test system as root. It failed with the LDAP password but succeeded with the local password. /etc/nsswitch.conf has "file ldap" for both passwd and shadow. I tried changing the password both from the local station and from LDAP and they did not synchronize. I then added an objectclass of shadowAccount and added attributes for shadowMin, shadowMax, shadowWarning, shadowLastChange as in the /etc/shadow file. Still no luck. What must one do to synchronize an existing local account with an LDAP account? Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From per at norhex.com Fri Jan 30 15:31:57 2009
From: per at norhex.com (Per Qvindesland)
Date: Fri, 30 Jan 2009 16:31:57 +0100
Subject: [Fedora-directory-users] Authentication problems
In-Reply-To: <4981C8C4.3090104@redhat.com>
Message-ID:

Hi

Thanks again for the response.

I have managed to find some logs now, thanks to Rich's message, but I am unsure of what they mean:

[30/Jan/2009:10:28:49 -0500] conn=46 fd=66 slot=66 connection from 83.140.187.52 to 83.140.187.43
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 BIND dn="" method=128 version=3
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 SRCH base="dc=sms,dc=mycompany,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pq))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[30/Jan/2009:10:28:49 -0500] conn=46 op=-1 fd=66 closed - B1

Does anyone have any idea?
Regards
Per Qvindesland

On 1/29/09 4:18 PM, "Rich Megginson" wrote:

> Per Qvindesland wrote:
>> Hi
>>
>> Thanks so much for responding to my post.
>>
>> I managed to find out this but from what I don't get is why after having
>> installed and configured clients to authenticate towards the server
>> correctly they still don't do it, I have looked for any log files that could
>> give me some clue of what I have done wrong but no luck the error log in the
>> admin interface says nothing that is of use, I have also read the manual
>> from one side to the other but I can not find anything that tells me what
>> steps that I have been forgetting.
>>
>> Is there any error logs that it generates that can give me
>> some more clues?
>>
> I'm not sure where pam and nss log - possibly /var/log/secure
> You can see what searches are being performed against the directory
> server by looking at /var/log/dirsrv/slapd-yourinstance/access
>> Regards
>> Per Qvindesland
>>
>> On 1/28/09 4:37 PM, "Rich Megginson" wrote:
>>
>>> Per Qvindesland wrote:
>>>
>>>> Hi List
>>>>
>>>> After having installed Directory Server with no problems and created a test
>>>> user account I then go ahead to configure a client to test the
>>>> authentication to my new directory server, sadly after a reboot I can't
>>>> login with my new user account that I created, I have spent a few days
>>>> reading up about what the problem may be but until now I have had very
>>>> little joy.
>>>>
>>>> If I try ldapsearch -v then I get error message:
>>>> SASL/EXTERNAL authentication started
>>>> Ldap_sasl_interactive_bind_s:unknown authentication method (-6)
>>>> additional info: SASL(-4): no mechanism available:
>>>>
>>> This is because the openldap ldapsearch client attempts SASL
>>> authentication by default. You have to specify -x to make it use simple
>>> (username/password or anonymous) authentication.
>>>
>>>> If I use ldapsearch -x then I get the output of an ldif file with all
>>>> groups, users and domains available so there is apparently nothing wrong
>>>> with the communication, I truly believe that this is a security problem
>>>> that sits somewhere but I have no idea.
>>>>
>>> I don't think this is a security problem.
>>>
>>>> Could anyone give me some pointers to how I could fix this problem?
>>>>
>>>> Regards
>>>> Per Qvindesland

From hartmann at fas.harvard.edu Fri Jan 30 15:41:55 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Fri, 30 Jan 2009 10:41:55 -0500
Subject: [Fedora-directory-users] Referential Integrity
Message-ID: <49831FC3.8040302@fas.harvard.edu>

So after my trials and tribulations with "Referrals for Update Operations" (thanks again, you guys rock!), henceforth known as "Tim's continuing LDAP Saga and Viking Cha-Cha", I came across "Referential Integrity" in the docs, and boy howdy does it look useful!

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-Maintaining_Referential_Integrity.html

I had a couple of concerns before I enabled it that I was hoping people could chime in on!
1) I'd like to have Referential Integrity monitor the memberUid field as well, but I was unclear from the documentation whether, when scanning the directory, it scans ALL the directories hosted by a given server, or just searches in the directory where the user was deleted? For example, I have two root suffixes, both of which contain users and groups, and more often than we'd like user "foo" exists in both...

dc=example,dc=edu
dc=dept,dc=example,dc=edu

If I delete user uid=foo,ou=People,dc=dept,dc=example,dc=edu would the Referential Integrity plug-in know to leave any instance of "uid=foo" and "memberUid=foo" in the dc=example,dc=edu branch alone?

2) I have 2 Masters (set up to be Multi Masters) and 4 Replicas. There are a number of warnings about setting this up only on 1 of the Masters (which shouldn't be a problem); in the case that M1 is configured with the Referential Integrity plug-in, and it goes down for some amount of time, and a user is deleted, will the plugin "catch up" once M1 has been brought back online?

Thanks for the input!

Tim

From rmeggins at redhat.com Fri Jan 30 15:50:57 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 30 Jan 2009 08:50:57 -0700
Subject: [Fedora-directory-users] Authentication problems
In-Reply-To:
References:
Message-ID: <498321E1.5080008@redhat.com>

Per Qvindesland wrote:
> Hi
>
> Thanks again for the response.
>
> I have managed to find some logs now, thanks to Rich's message, but I am unsure
> of what they mean:
> [30/Jan/2009:10:28:49 -0500] conn=46 fd=66 slot=66 connection from
> 83.140.187.52 to 83.140.187.43
> [30/Jan/2009:10:28:49 -0500] conn=46 op=0 BIND dn="" method=128 version=3
>
Bind as anonymous (dn="")

> [30/Jan/2009:10:28:49 -0500] conn=46 op=0 RESULT err=0 tag=97 nentries=0
> etime=0 dn=""
>
Result is good (err=0)

> [30/Jan/2009:10:28:49 -0500] conn=46 op=1 SRCH
> base="dc=sms,dc=mycompany,dc=com" scope=2
> filter="(&(objectClass=posixAccount)(uid=pq))" attrs="uid userPassword
> uidNumber gidNumber cn homeDirectory loginShell gecos description
> objectClass"
>
Search for user uid=pq with objectClass=posixAccount anywhere under dc=sms,dc=mycompany,dc=com and return the attributes uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

> [30/Jan/2009:10:28:49 -0500] conn=46 op=1 RESULT err=0 tag=101 nentries=0
> etime=0
>
There were no errors (err=0), but no entries were found that matched.

> [30/Jan/2009:10:28:49 -0500] conn=46 op=-1 fd=66 closed - B1
>
> Does anyone have any idea?
>
> Regards
> Per Qvindesland
>
> On 1/29/09 4:18 PM, "Rich Megginson" wrote:
>
>> Per Qvindesland wrote:
>>
>>> Hi
>>>
>>> Thanks so much for responding to my post.
>>>
>>> I managed to find out this but from what I don't get is why after having
>>> installed and configured clients to authenticate towards the server
>>> correctly they still don't do it, I have looked for any log files that could
>>> give me some clue of what I have done wrong but no luck the error log in the
>>> admin interface says nothing that is of use, I have also read the manual
>>> from one side to the other but I can not find anything that tells me what
>>> steps that I have been forgetting.
>>>
>>> Is there any error logs that it generates that can give me
>>> some more clues?
>>>
>> I'm not sure where pam and nss log - possibly /var/log/secure
>> You can see what searches are being performed against the directory
>> server by looking at /var/log/dirsrv/slapd-yourinstance/access
>>
>>> Regards
>>> Per Qvindesland
>>>
>>> On 1/28/09 4:37 PM, "Rich Megginson" wrote:
>>>
>>>> Per Qvindesland wrote:
>>>>
>>>>> Hi List
>>>>>
>>>>> After having installed Directory Server with no problems and created a test
>>>>> user account I then go ahead to configure a client to test the
>>>>> authentication to my new directory server, sadly after a reboot I can't
>>>>> login with my new user account that I created, I have spent a few days
>>>>> reading up about what the problem may be but until now I have had very
>>>>> little joy.
>>>>>
>>>>> If I try ldapsearch -v then I get error message:
>>>>> SASL/EXTERNAL authentication started
>>>>> Ldap_sasl_interactive_bind_s:unknown authentication method (-6)
>>>>> additional info: SASL(-4): no mechanism available:
>>>>>
>>>> This is because the openldap ldapsearch client attempts SASL
>>>> authentication by default. You have to specify -x to make it use simple
>>>> (username/password or anonymous) authentication.
>>>>
>>>>> If I use ldapsearch -x then I get the output of an ldif file with all
>>>>> groups, users and domains available so there is apparently nothing wrong
>>>>> with the communication, I truly believe that this is a security problem
>>>>> that sits somewhere but I have no idea.
>>>>>
>>>> I don't think this is a security problem.
>>>>
>>>>> Could anyone give me some pointers to how I could fix this problem?
>>>>>
>>>>> Regards
>>>>> Per Qvindesland
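The line-by-line reading Rich gives above (anonymous bind, a posixAccount search, err=0 with nentries=0) can be automated when there are more than a handful of connections to look at. The following is an added example, not code from the thread or from Fedora DS; the sample log is constructed in the same access-log format, with placeholder addresses and DNs in place of the poster's real ones, and adds a second connection with a failed bind (err=49) so both outcomes are exercised.

```python
import re
from collections import defaultdict

# Constructed sample in the Fedora/389 DS access-log format shown in the thread
# (placeholder addresses and DNs, not the poster's real values).
SAMPLE_LOG = """\
[30/Jan/2009:10:28:49 -0500] conn=46 fd=66 slot=66 connection from 192.0.2.10 to 192.0.2.20
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 BIND dn="" method=128 version=3
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 SRCH base="dc=sms,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pq))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[30/Jan/2009:10:28:49 -0500] conn=46 op=-1 fd=66 closed - B1
[30/Jan/2009:10:29:03 -0500] conn=47 fd=67 slot=67 connection from 192.0.2.10 to 192.0.2.20
[30/Jan/2009:10:29:03 -0500] conn=47 op=0 BIND dn="uid=pq,ou=People,dc=sms,dc=example,dc=com" method=128 version=3
[30/Jan/2009:10:29:03 -0500] conn=47 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[30/Jan/2009:10:29:03 -0500] conn=47 op=-1 fd=67 closed - U1
"""
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'^op=(?P<op>-?\d+) (?P<kind>[A-Z]+)\s*(?P<args>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_kv(s):
    # strip the quotes the server puts around dn/base/filter/attrs values
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(s)}

def parse_access_log(text):
    """Group lines by conn and op, pairing each BIND/SRCH request with its RESULT."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        om = OP_RE.match(m.group("rest")) if m else None
        if not om:              # 'connection from' and 'op=-1 ... closed' lines carry no op
            continue
        op = conns[int(m.group("conn"))].setdefault(int(om.group("op")), {})
        if om.group("kind") == "RESULT":
            op["result"] = parse_kv(om.group("args"))
        else:
            op["request"] = (om.group("kind"), parse_kv(om.group("args")))
    return conns

def explain(conns):
    """The reading given in the thread: who bound, what was searched, what came back."""
    findings = []
    for cid, ops in sorted(conns.items()):
        bound_as = "anonymous"
        for _, op in sorted(ops.items()):
            kind, args = op.get("request", ("?", {}))
            res = op.get("result", {})
            err, n = int(res.get("err", -1)), int(res.get("nentries", 0))
            if kind == "BIND":
                who = args.get("dn") or "anonymous"   # dn="" is an anonymous bind
                status = "ok" if err == 0 else ("invalid credentials" if err == 49 else f"err={err}")
                if err == 0:
                    bound_as = who
                findings.append(f"conn={cid} bind as {who}: {status}")
            elif kind == "SRCH":
                msg = (f"conn={cid} search {args.get('filter')} under {args.get('base')} "
                       f"as {bound_as}: err={err} nentries={n}")
                if err == 0 and n == 0:   # the thread's case: no error, but nothing matched
                    msg += " [no match: check the base DN and that the entry has objectClass=posixAccount]"
                if bound_as == "anonymous" and "userPassword" in args.get("attrs", "").split():
                    msg += " [anonymous client asked for userPassword: confirm ACIs do not return it]"
                findings.append(msg)
    return findings
```

Run against a real /var/log/dirsrv/slapd-yourinstance/access, `explain(parse_access_log(open(path).read()))` gives one line per bind and search, so a client whose lookup silently returns nentries=0 stands out from one whose bind is rejected.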