From sobi_altkom at o2.pl Wed Jul 1 14:28:09 2009
From: sobi_altkom at o2.pl (Luke Altkom)
Date: Wed, 01 Jul 2009 16:28:09 +0200
Subject: Re: [389-users] Replication error
In-Reply-To: <4A4A2D05.4090103@redhat.com>
References: <7e86d437.647cd029.4a48d4ce.78af@o2.pl> <4A4A2D05.4090103@redhat.com>
Message-ID:

> Did you initialize d1 and d2 from directory?

Nope. How can I do it?

A few months ago these servers were synchronizing properly with each other. But one day the SSL certificate on directory lapsed, and directory went out of sync with directory1 and directory2. Since then no one cared about that situation, until now, when I decided to fix it.

I don't think that the current error on directory is related to the new certificate, because before I imported the new one I had "Error 81" on directory, and now "Incremental update has failed and requires administrator actionSystem error" - so I think I have made a step forward in the right direction :). Am I right?

Thanks for help!

Best regards,
Luke.

From rmeggins at redhat.com Wed Jul 1 16:17:37 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 01 Jul 2009 10:17:37 -0600
Subject: [389-users] Replication error
In-Reply-To:
References: <7e86d437.647cd029.4a48d4ce.78af@o2.pl> <4A4A2D05.4090103@redhat.com>
Message-ID: <4A4B8C21.6020802@redhat.com>

Luke Altkom wrote:
>> Did you initialize d1 and d2 from directory?
>>
> Nope. How can I do it?
>
> A few months ago these servers were synchronizing properly with each other. But one day the SSL certificate on directory lapsed, and directory went out of sync with directory1 and directory2. Since then no one cared about that situation, until now, when I decided to fix it.
>
> I don't think that the current error on directory is related to the new certificate, because before I imported the new one I had "Error 81" on directory, and now "Incremental update has failed and requires administrator actionSystem error" - so I think I have made a step forward in the right direction :). Am I right?

Yes. How long were the servers out of sync due to this problem? If the servers get too far out of sync, you will have to do a re-init.

> Thanks for help!
>
> Best regards,
> Luke.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From lbigum at iseek.com.au Wed Jul 1 22:44:13 2009
From: lbigum at iseek.com.au (Luke Bigum)
Date: Thu, 2 Jul 2009 08:44:13 +1000
Subject: [389-users] bulk initialization with MMR
In-Reply-To: <4A4A2D50.9050407@redhat.com>
References: <4A4A2D50.9050407@redhat.com>
Message-ID:

Hi Gary,

I used to work for a university that does something similar to what you are trying to do. I'll explain their setup and it might give you a few ideas. They have a custom user management database that's the authoritative source of computer account information; a series of FDS servers are used for identification and authentication. A Perl script is used to turn the database contents into LDIF format as it would be used to populate an empty database (like one of your ldif2db batch extracts). They then take a dump of the LDAP directory into LDIF format, compare the database LDIF to the directory LDIF and come up with a delta LDIF file. This delta LDIF is then run on the directory server to bring it in line with the database contents.
This update process runs every couple of minutes, so the delta never really gets that big, and password changes / new users only take a few minutes to propagate around the university. They would never need to batch import the entire database contents unless there was a catastrophe.

So, for your scenario, you might consider scrapping the nightly bulk initialisations, turn your servers into MMR and look at doing more frequent updates with delta files to provide faster synchronisation between your data sources.

If you actually need to do real real-time updates, you can do that with the same setup above; you just need to fire off a specific LDAP update to your load balanced LDAP from PeopleSoft.

Luke Bigum
Systems Administrator
(p) 1300 661 668
(f) 1300 661 540
(e) lbigum at iseek.com.au
http://www.iseek.com.au
Level 1, 100 Ipswich Road Woolloongabba QLD 4102

This e-mail and any files transmitted with it may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorised to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message.

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Wednesday 1 July 2009 1:21 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] bulk initialization with MMR

Gary Windham wrote:
> We have a setup where we are running 2 servers behind a load balancer
> (for HA purposes), where each of these servers is bulk-initialized
> daily (via ldif2db.pl) with a large set of data fed to us via batch
> extracts from various administrative systems. Up till now, there has
> been no need to configure replication between these 2 servers, as all
> of the data is read-only. However, we now have a requirement to
> update some of the directory data in a "real-time" fashion (e.g., when
> particular events fire in our PeopleSoft system we want to update the
> directory)--hence, the need for MMR. The batch extracts will still be
> our "checkpoints", so we will want to load them in once-per-day, as we
> do now.

How does the data get from PeopleSoft to the directory server?

> So, the question is: what would be the "recommended" approach for a
> scenario like this? How do we (can we?) make MMR coexist peacefully
> with frequent bulk initializations?

In general, it's not a good idea to do a bulk load daily.

> TIA,
> --Gary
>
> --
> Gary Windham
> Senior Enterprise Systems Architect
> The University of Arizona, UITS
> +1 520 626 5981

From muzzol at gmail.com Thu Jul 2 07:57:21 2009
From: muzzol at gmail.com (muzzol)
Date: Thu, 2 Jul 2009 09:57:21 +0200
Subject: [389-users] posixGroup vs groupOfUniqueNames
Message-ID: <4a3f02760907020057t5479732fo5466109d5520a19c@mail.gmail.com>

Hi,

Where can I find info about the pros and cons of posixGroup vs groupOfUniqueNames? I'm planning a fresh new directory service and I'm not sure about which object to use for groups.

Thanks,
muzzol

--
muzzol(a)muzzol.com
jabber id: muzzol(a)jabber.dk
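The dump-diff-apply cycle Luke Bigum describes above (export the authoritative data to LDIF, dump the directory to LDIF, compute a delta, feed the delta back to the server) as an added Python example; this is not code from the thread, from the perl-ldap tools or from the 389/Fedora DS project. It assumes plain LDIF entry records (including base64 `::` values and folded lines) and constructed sample data; the names `normalize_dn`, `parse_ldif` and `ldif_delta` are the example's own.

```python
"""Build a changetype LDIF delta between two LDIF snapshots (added example for
the dump-diff-apply synchronisation described above; not the perl-ldap
ldifdiff tool and not 389/Fedora DS code).  Assumes plain LDIF records with
"attr: value" or base64 "attr:: value" lines, folded lines starting with a
space, and attribute values that compare as unordered sets, as LDAP does."""
import base64

def normalize_dn(dn):
    # DNs match case-insensitively; spaces around RDN separators are ignored.
    return ",".join(part.strip() for part in dn.split(",")).lower()

def _parse_record(record):
    dn, attrs = None, {}
    for line in record:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:  # attribute names are case-insensitive: key them lower-case
            attrs.setdefault(name.lower(), set()).add(value)
    if dn is None:
        raise ValueError("LDIF record without dn: %r" % record)
    return dn, attrs

def parse_ldif(text):
    """Return {normalized_dn: (dn_as_written, {attr: set(values)})}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, record = {}, []
    for line in lines + [""]:  # the sentinel flushes the last record
        if not line.strip():
            if record:
                dn, attrs = _parse_record(record)
                entries[normalize_dn(dn)] = (dn, attrs)
                record = []
        elif not (line.startswith("#") or line.startswith("version:")):
            record.append(line)
    return entries

def ldif_delta(source_text, current_text):
    """Changes that bring `current` (the directory) in line with `source`."""
    source, current = parse_ldif(source_text), parse_ldif(current_text)
    out = []
    for key in sorted(source, key=lambda k: (len(k), k)):  # parents first
        dn, want = source[key]
        if key not in current:
            out += ["dn: %s" % dn, "changetype: add"]
            for name in sorted(want):
                out += ["%s: %s" % (name, v) for v in sorted(want[name])]
            out.append("")
            continue
        have, mods = current[key][1], []
        for name in sorted(set(want) | set(have)):
            if want.get(name, set()) == have.get(name, set()):
                continue  # identical value set: nothing to do
            if name in want:
                mods.append("replace: %s" % name)
                mods += ["%s: %s" % (name, v) for v in sorted(want[name])]
            else:
                mods.append("delete: %s" % name)
            mods.append("-")
        if mods:
            out += ["dn: %s" % dn, "changetype: modify"] + mods + [""]
    for key in sorted(current, key=lambda k: (-len(k), k)):  # children first
        if key not in source:
            out += ["dn: %s" % current[key][0], "changetype: delete", ""]
    return "\n".join(out)

# Constructed sample data: authoritative export (source) and directory dump.
SOURCE_LDIF = """\
dn: uid=jsmith,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: jsmith
mail: jsmith@example.edu

dn: uid=newhire,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: newhire
"""
CURRENT_LDIF = """\
version: 1
dn: uid=jsmith,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: jsmith
mail: jsmith@old.example.edu
description: stale attribute

dn: UID=leaver, OU=People, DC=example, DC=edu
objectClass: inetOrgPerson
uid: leaver
"""
```

The returned text is a standard changetype LDIF, so `print(ldif_delta(SOURCE_LDIF, CURRENT_LDIF))` can be piped straight into `ldapmodify`; an empty result means the directory already matches the source.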
From windhamg at email.arizona.edu Thu Jul 2 16:34:44 2009
From: windhamg at email.arizona.edu (Gary Windham)
Date: Thu, 2 Jul 2009 09:34:44 -0700
Subject: [389-users] bulk initialization with MMR
In-Reply-To:
References: <4A4A2D50.9050407@redhat.com>
Message-ID: <2976E5D8-3239-4394-896D-0F913793CBF9@email.arizona.edu>

Thanks, Luke!

Since my original post, I did some more research and arrived at a solution very close to yours. I did turn the servers into MMR, and am using the "ldifsort" and "ldifdiff" utilities that come with the perl-ldap module to generate "delta" LDIF files that are loaded via ldapmodify. For our "real time" updates we have PeopleSoft sending SOAP messages via Integration Broker to some web services which perform the appropriate LDAP operations.

I appreciate your response...it serves as a good "sanity check". :)

--Gary

--
Gary Windham
Senior Enterprise Systems Architect
The University of Arizona, UITS
+1 520 626 5981

From rmeggins at redhat.com Thu Jul 2 20:37:49 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 02 Jul 2009 14:37:49 -0600
Subject: [389-users] LDAPCon 2009
Message-ID: <4A4D1A9D.5080809@redhat.com>

The 2nd Edition of the International Conference on LDAP (LDAPCon 2009 [1]) will be held on September 20-21, 2009 in Portland, Oregon, USA. The event is being co-hosted by LinuxCon [2] (same place and overlapping time). The 1st International Conference on LDAP [3] was held in September 2007 in Germany. (Some pictures from the 1st LDAPCon [4].)

A Call For Papers [5] has been raised and the Program Committee asks you to submit abstracts by July 8th. So if you're involved with LDAP in interesting projects and you want to share your experiences, please check the Call For Papers and submit a proposal.
1: http://www.symas.com/ldapcon2009/
2: http://events.linuxfoundation.org/events/linuxcon
3: http://www.guug.de/veranstaltungen/ldapcon2007/index.html
4: http://www.flickr.com/photos/ludovic_p/sets/72157601937159198/detail/
5: http://www.symas.com/ldapcon2009/call-for-papers.shtml

From lemoine.paul at agora.msa.fr Fri Jul 3 13:51:49 2009
From: lemoine.paul at agora.msa.fr (Paul Lemoine)
Date: Fri, 03 Jul 2009 15:51:49 +0200
Subject: [389-users] Directory server : search problem with wildcard
Message-ID: <14209_1246629110_4A4E0CF6_14209_17470_1_4A4E0CF5.4070100@agora.msa.fr>

Hi,

I have a search problem with Fedora DS 1.1.3. My directory has an extended schema on the objectClass "inetOrgPerson". It contains 350000 inetOrgPerson objects.

When I perform a search with that kind of filter, (cn=smith*) or (uid=25698*), the response comes 1 minute later with error code 11. Indexes on the cn and uid attributes are on equality, presence and substring. I have recreated (plus reindexed) these attributes. I put the look-through limit to infinity; now I don't have error code 11 anymore, but I have to wait a very long time for the response. In the log, I found "etime=77 notes=U", which means that the search does not use the indexes.

I have done the same requests with a "native" schema: it works perfectly. So, it is my extended schema which causes the problem. Can Fedora DS (or 389 DS) deal with an extended schema? Has anybody met this problem? Is there a solution for forcing FDS to use the indexes?

Regards
Thank you
Paul.

This message is protected by the secrecy of correspondence rules. Therefore, this message is intended solely for the attention of the addressee. This message may contain privileged or confidential information, and as such the disclosure of this information is strictly forbidden. If, by mistake, you have received this message, please return it to the sender whose e-mail address is written above and destroy this message and all files attached.

From tisdn.livre at serpro.gov.br Fri Jul 3 15:07:37 2009
From: tisdn.livre at serpro.gov.br (Diretorio Livre)
Date: Fri, 3 Jul 2009 12:07:37 -0300
Subject: [389-users] Directory server : search problem with wildcard
Message-ID: <2cc332b9a6c783fe64d5ff5b6f6f00b7@correiolivre.serpro.gov.br>

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."

From sobi_altkom at o2.pl Fri Jul 3 15:11:22 2009
From: sobi_altkom at o2.pl (Luke Altkom)
Date: Fri, 03 Jul 2009 17:11:22 +0200
Subject: Re: [389-users] Replication error
In-Reply-To: <4A4B8C21.6020802@redhat.com>
References: <7e86d437.647cd029.4a48d4ce.78af@o2.pl> <4A4A2D05.4090103@redhat.com> <4A4B8C21.6020802@redhat.com>
Message-ID: <5b3aa08d.2a97a081.4a4e1f9a.27f63@o2.pl>

> Yes. How long were the servers out of sync due to this problem?
> If the servers get too far out of sync, you will have to do a
> re-init.

I think there's a problem, 'cause the servers have been out of sync since January/February. How should I perform a re-init? I have looked in the documentation, and I have found info (http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.htm#1030555) that creating a replication agreement is sufficient to start the replication process. I haven't modified the previous replication agreement (only imported the new certificate). Does this mean that I should delete the current one, and set up new replication agreements between directory and directory1 & directory2?

Best regards,
Luke.

From rmeggins at redhat.com Mon Jul 6 14:52:31 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 06 Jul 2009 08:52:31 -0600
Subject: [389-users] Replication error
In-Reply-To: <5b3aa08d.2a97a081.4a4e1f9a.27f63@o2.pl>
References: <7e86d437.647cd029.4a48d4ce.78af@o2.pl> <4A4A2D05.4090103@redhat.com> <4A4B8C21.6020802@redhat.com> <5b3aa08d.2a97a081.4a4e1f9a.27f63@o2.pl>
Message-ID: <4A520FAF.7000408@redhat.com>

Luke Altkom wrote:
>> Yes.
>> How long were the servers out of sync due to this problem?
>> If the servers get too far out of sync, you will have to do a
>> re-init.
>>
>
> I think there's a problem, 'cause the servers have been out of sync since January/February.
> How should I perform a re-init? I have looked in the documentation, and I have found
> info (http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.htm#1030555)
> that creating a replication agreement is sufficient to start the replication process.

No, not exactly. See part 3 there:

    3. Expand the Replication folder, then expand the replicated
    database. Right-click the replication agreement, and choose
    Initialize Consumer from the pop-up menu.

    A message is displayed to warn you that any information already
    stored in the replica on the consumer will be removed.

> I haven't modified the previous replication agreement (only imported the new certificate).
> Does this mean that I should delete the current one, and set up new replication agreements
> between directory and directory1 & directory2?
>
> Best regards,
> Luke.

From rmeggins at redhat.com Mon Jul 6 14:54:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 06 Jul 2009 08:54:09 -0600
Subject: [389-users] Directory server : search problem with wildcard
In-Reply-To: <14209_1246629110_4A4E0CF6_14209_17470_1_4A4E0CF5.4070100@agora.msa.fr>
References: <14209_1246629110_4A4E0CF6_14209_17470_1_4A4E0CF5.4070100@agora.msa.fr>
Message-ID: <4A521011.6000003@redhat.com>

Paul Lemoine wrote:
> Hi,
>
> I have a search problem with Fedora DS 1.1.3.
> My directory has an extended schema on the objectClass
> "inetOrgPerson". It contains 350000 inetOrgPerson objects.
> When I perform a search with that kind of filter, (cn=smith*) or
> (uid=25698*), the response comes 1 minute later with error code 11.

How many entries match cn=smith*? uid=25698*? I think the problem is the idlistscanlimit as mentioned by another poster.

> Indexes on the cn and uid attributes are on equality, presence and
> substring. I have recreated (plus reindexed) these attributes.
> I put the look-through limit to infinity; now I don't have
> error code 11 anymore, but I have to wait a very long time for the response.
> In the log, I found "etime=77 notes=U", which means that the search
> does not use the indexes.
>
> I have done the same requests with a "native" schema: it works
> perfectly. So, it is my extended schema which causes the problem.
> Can Fedora DS (or 389 DS) deal with an extended schema?
>
> Has anybody met this problem? Is there a solution for forcing FDS to
> use the indexes?
>
> Regards
> Thank you
> Paul.
From lemoine.paul at agora.msa.fr Tue Jul 7 07:08:52 2009
From: lemoine.paul at agora.msa.fr (Paul Lemoine)
Date: Tue, 07 Jul 2009 09:08:52 +0200
Subject: [Suspicious attachment] Re: [389-users] Directory server : search problem with wildcard
In-Reply-To: <3234_1246891980_4A520FCC_3234_24805_1_4A521011.6000003@redhat.com>
References: <14209_1246629110_4A4E0CF6_14209_17470_1_4A4E0CF5.4070100@agora.msa.fr> <3234_1246891980_4A520FCC_3234_24805_1_4A521011.6000003@redhat.com>
Message-ID: <14439_1246950549_4A52F495_14439_32081_1_4A52F484.2060209@agora.msa.fr>

I have tested a bigger value for the idlistscanlimit (10*4000 = 40000) and the search problem disappeared. Thank you everyone.

Now I wonder what its value should be for a directory which intends to reach 3 000 000 inetOrgPerson entries? Is there a rule between idlistscanlimit and the number of entries?

Thank you
Regards
Paul.
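A checker for the access-log signal this thread turns on, "etime=77 notes=U" and result code 11: it pairs each SRCH with the RESULT carrying the same conn/op and reports the searches the server marked unindexed or that ran long, together with the filter attributes whose index needs attention. Added example, not 389 DS code; the log lines are constructed in the real access-log format, `slow_seconds` is the example's own threshold, and the `notes=A` handling refers to later server releases than the 1.1.3 discussed here.

```python
"""Flag unindexed searches in a 389/Fedora DS access log.

Added example (not 389 project code) for the "etime=77 notes=U" line
discussed above: pair each SRCH with the RESULT carrying the same conn/op
and report searches the server marked unindexed or that ran long.  The log
format is the server's real one; the sample lines below are constructed.
"""
import re

# Constructed sample: one indexed search, one that hit the look-through
# limit (err=11) and one that scanned the whole database and "succeeded".
SAMPLE_LOG = """\
[03/Jul/2009:15:40:12 +0200] conn=12 op=2 SRCH base="ou=People,dc=example,dc=fr" scope=2 filter="(uid=25698)" attrs=ALL
[03/Jul/2009:15:40:12 +0200] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[03/Jul/2009:15:40:15 +0200] conn=12 op=3 SRCH base="ou=People,dc=example,dc=fr" scope=2 filter="(cn=smith*)" attrs=ALL
[03/Jul/2009:15:41:32 +0200] conn=12 op=3 RESULT err=11 tag=101 nentries=0 etime=77 notes=U
[03/Jul/2009:15:42:01 +0200] conn=13 op=1 SRCH base="ou=People,dc=example,dc=fr" scope=2 filter="(uid=25698*)" attrs="uid cn"
[03/Jul/2009:15:43:20 +0200] conn=13 op=1 RESULT err=0 tag=101 nentries=4213 etime=79 notes=U
"""

SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) '
    r'etime=(\d+(?:\.\d+)?)(?: notes=([A-Z,]+))?')
ADMIN_LIMIT_EXCEEDED = 11  # LDAP result code: the look-through limit was hit


def filter_attributes(ldap_filter):
    """Attribute names used in an LDAP filter, e.g. '(cn=smith*)' -> ['cn']."""
    return re.findall(r'\(([A-Za-z][\w;.-]*)\s*[~<>]?=', ldap_filter)


def find_unindexed_searches(log_text, slow_seconds=5.0):
    """One finding per search that was unindexed or slower than the threshold."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = {"base": base, "scope": int(scope), "filter": flt}
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, err, nentries, etime, notes = m.groups()
        srch = pending.pop((conn, op), None)
        if srch is None:
            continue  # RESULT of a non-search operation (BIND, MOD, ...)
        # notes=U: unindexed (the candidate list exceeded nsslapd-idlistscanlimit,
        # so the index was dropped); notes=A is the later "partially unindexed".
        unindexed = notes is not None and ("U" in notes or "A" in notes)
        if not unindexed and float(etime) < slow_seconds:
            continue
        findings.append({
            "conn": int(conn), "op": int(op), "base": srch["base"],
            "filter": srch["filter"], "attributes": filter_attributes(srch["filter"]),
            "etime": float(etime), "nentries": int(nentries), "err": int(err),
            "unindexed": unindexed,
            "hit_lookthrough_limit": int(err) == ADMIN_LIMIT_EXCEEDED,
        })
    return findings


if __name__ == "__main__":
    for f in find_unindexed_searches(SAMPLE_LOG):
        print("conn=%(conn)d op=%(op)d %(filter)s etime=%(etime)s "
              "nentries=%(nentries)d err=%(err)d unindexed=%(unindexed)s" % f)
```

Raising the look-through limit, as Paul did, only removes err=11; a search that still reports notes=U with a long etime is walking the whole database, so the attribute list in each finding is the thing to index (or the reason to raise idlistscanlimit).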
From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jul 7 08:48:29 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Tue, 07 Jul 2009 10:48:29 +0200
Subject: [389-users] Password sync
Message-ID: <4A530BDD.6060601@dr15.cnrs.fr>

Hello,

I have a network with two Windows 2000 servers; I suppose one is master (or primary) and one is secondary - I don't know exactly the vocabulary of Windows. The AD is "replicated" over the two Windows servers.

I installed synchronization between the FDS server and the AD on a host (say the Windows-1 server), with a replication agreement, then I installed the password sync on the Windows-1 host. All is ok when the password is changed on the Windows-1 server: the password is synchronized to the FDS.

Now when a user changes his password on a Windows XP station in the AD (the operation is CTRL+ALT+DEL then change password) the password is not necessarily synced to the FDS. My hypothesis: it seems it depends on which Windows server the password has been changed on.
Sometimes the password is synced when, I suppose, the Windows1 server answers the request to change the password, but when the Windows2 server answers, then the password is not synced.

Is my hypothesis correct?

Can I install the password sync program on the other Windows2 server even if the replication agreement is between FDS and the Windows1 server? What will the behaviour be?

Thanks

--
Jean-Noel Chardron

From hugo.etievant at inrp.fr Tue Jul 7 09:12:33 2009
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Tue, 07 Jul 2009 11:12:33 +0200
Subject: [389-users] Password sync
In-Reply-To: <4A530BDD.6060601@dr15.cnrs.fr>
References: <4A530BDD.6060601@dr15.cnrs.fr>
Message-ID: <4A531181.3010904@inrp.fr>

Hello,

jean-Noël Chardron wrote:
> Now when a user changes his password on a Windows XP station in the AD
> (the operation is CTRL+ALT+DEL then change password) the password is
> not necessarily synced to the FDS.
> My hypothesis: it seems it depends on which Windows server the
> password has been changed on. Sometimes the password is synced when, I
> suppose, the Windows1 server answers the request to change the
> password, but when the Windows2 server answers, then the password is
> not synced.
>
> Is my hypothesis correct?

Yes, it is correct.

The password is captured in clear by the passsync service on the AD server which is used by the workstation for the change-password operation. The master AD server gives the password to the slave servers in non-clear mode, and the encrypted password cannot be captured by the passsync service.

> Can I install the password sync program on the other Windows2 server
> even if the replication agreement is between FDS and the Windows1 server?
> What will the behaviour be?

No, you can't.

In the AD-FDS synchronization architecture, only one synchronization is allowed. If you install two passsync services on two AD servers you risk creating problems in replication.

cf: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
"WARNING: There can only be a single sync agreement between the Directory Server environment and the Active Directory environment. Multiple sync agreements to the same Active Directory domain can create entry conflicts."

This is the point of failure of the FDS/Windows sync architecture.

Regards

--
Hugo Étiévant
INRP/SCI

From michael at stroeder.com Tue Jul 7 09:28:34 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 07 Jul 2009 11:28:34 +0200
Subject: [389-users] Password sync
In-Reply-To: <4A531181.3010904@inrp.fr>
References: <4A530BDD.6060601@dr15.cnrs.fr> <4A531181.3010904@inrp.fr>
Message-ID: <4A531542.5010307@stroeder.com>

Hugo Etievant wrote:
> The password is captured in clear by the passsync service on the AD server
> which is used by the workstation for the change-password operation.

Out of curiosity: What happens if the passsync service cannot reach the FDS via LDAP because of network problems? Is the password sync LDAP modify operation synchronous or is there some kind of a queue implemented?

Ciao, Michael.
From hugo.etievant at inrp.fr Tue Jul 7 10:15:37 2009
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Tue, 07 Jul 2009 12:15:37 +0200
Subject: [389-users] Password sync
In-Reply-To: <4A531542.5010307@stroeder.com>
References: <4A530BDD.6060601@dr15.cnrs.fr> <4A531181.3010904@inrp.fr> <4A531542.5010307@stroeder.com>
Message-ID: <4A532049.7090300@inrp.fr>

Michael Ströder wrote:
> Hugo Etievant wrote:
>> The password is captured in clear by the passsync service on the AD server which is used by the workstation for the change-password operation.
>
> Out of curiosity: What happens if the passsync service cannot reach the FDS via LDAP because of network problems? Is the password sync LDAP modify operation synchronous, or is there some kind of queue implemented?

The log file of the passsync service shows that the password change is deferred for each user in case of a network problem, bad access rights to LDAP, constraint violation, etc., until the change is abandoned.

sample:
01/21/09 15:35:33 Deferring password change for xxx
01/21/09 15:36:12 Deferring password change for xxx
01/21/09 15:37:29 Deferring password change for xxx
[...]
01/21/09 15:39:47 Abandoning password change for xxx backoff expired

-- Hugo Étiévant
INRP/SCI

From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jul 7 10:54:31 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Tue, 07 Jul 2009 12:54:31 +0200
Subject: [389-users] Password sync
In-Reply-To: <4A531181.3010904@inrp.fr>
References: <4A530BDD.6060601@dr15.cnrs.fr> <4A531181.3010904@inrp.fr>
Message-ID: <4A532967.708@dr15.cnrs.fr>

Hugo Etievant wrote:
> hello,
>
> jean-Noël Chardron wrote:
>> [...]
>> Can I install the password sync program on the other Windows2 server even if the replication agreement is between FDS and the Windows1 server? What will the behavior be?
> No, you can't.
>
> In the AD-FDS synchronization architecture, only one synchronization is allowed.
> If you install two passsync services on two AD servers you risk creating problems in replication.
>
> cf: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
> "WARNING: There can only be a single sync agreement between the Directory Server environment and the Active Directory environment. Multiple sync agreements to the same Active Directory domain can create entry conflicts."
>
> This is the point of failure of the FDS/windows sync architecture.

thank you for your reply
However, by looking in the documentation PDF I found this:

9.2.4. Step 4: Install the Password Sync Service
Password Sync can be installed on every domain controller in the Active Directory domain in order to synchronize Windows passwords.

I do not know how to interpret the above, so I installed a second passSync.msi on the slave windows2 server.

> regards

-- Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers
BP 105
33402 TALENCE - FRANCE
tél: (33) 5.57.35.58.41
fax: (33) 5.57.35.58.01
MSN: jnc at dr15.cnrs.fr

From daniel.cruz at sc.senai.br Tue Jul 7 11:31:50 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Tue, 7 Jul 2009 08:31:50 -0300
Subject: [389-users] Upgrading a Schema
Message-ID:

Hi all,

I've upgraded from 1.1.X to 1.2.0, but when looking at the console, version 1.1.X is still there.

On one server, which doesn't have the memberOf plugin in the list (1.1.0 install), it is still without it, even after the upgrade.

How do I upgrade schemas?

How do I upgrade the available plugins?

Regards,

Daniel Cruz

From rmeggins at redhat.com Tue Jul 7 15:10:28 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jul 2009 09:10:28 -0600
Subject: [389-users] Upgrading a Schema
In-Reply-To:
References:
Message-ID: <4A536564.3020903@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> Hi all,
>
> I've upgraded from 1.1.X to 1.2.0, but when looking at the console, version 1.1.X is still there.

Run setup-ds-admin.pl -u after upgrade - this will refresh the version displayed in the console - (note - cannot do this during rpm -U because you usually need to supply the admin password)

> On one server, which doesn't have the memberOf plugin in the list (1.1.0 install), it is still without it, even after the upgrade.

Right. Upgrade does not add the plugin entry.
Just shut down the server, copy/paste the entry from http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Advanced_Entry_Management-Using_Groups.html#groups-cmd-memberof to the dse.ldif for your server, and restart.

> How do I upgrade schemas?

Which schemas?

> How do I upgrade the available plugins?

You'll have to copy/paste the plugin entry to your dse.ldif, from either the documentation or the template dse.ldif in /usr/share/dirsrv/data/template-dse.ldif

> Regards,
>
> Daniel Cruz

From rmeggins at redhat.com Tue Jul 7 15:12:31 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jul 2009 09:12:31 -0600
Subject: [389-users] Password sync
In-Reply-To: <4A532967.708@dr15.cnrs.fr>
References: <4A530BDD.6060601@dr15.cnrs.fr> <4A531181.3010904@inrp.fr> <4A532967.708@dr15.cnrs.fr>
Message-ID: <4A5365DF.9060007@redhat.com>

jean-Noël Chardron wrote:
> Hugo Etievant wrote:
>> jean-Noël Chardron wrote:
>>> [...]
>>> Can I install the password sync program on the other Windows2 server even if the replication agreement is between FDS and the Windows1 server? What will the behavior be?
>> No, you can't.
>>
>> In the AD-FDS synchronization architecture, only one synchronization is allowed.
>> If you install two passsync services on two AD servers you risk creating problems in replication.
>> [...]
>> This is the point of failure of the FDS/windows sync architecture.
>
> thank you for your reply
> However, by looking in the documentation PDF I found this:
> 9.2.4. Step 4: Install the Password Sync Service
> Password Sync can be installed on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
> I do not know how to interpret the above, so I installed a second passSync.msi on the slave windows2 server.

Windows sync (the part that goes from DS to AD) is single master - but password changes are the exception to this - in fact you must install PassSync.msi on every AD domain controller to get all of the password changes.

From rmeggins at redhat.com Tue Jul 7 15:13:03 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jul 2009 09:13:03 -0600
Subject: [389-users] Password sync
In-Reply-To: <4A531542.5010307@stroeder.com>
References: <4A530BDD.6060601@dr15.cnrs.fr> <4A531181.3010904@inrp.fr> <4A531542.5010307@stroeder.com>
Message-ID: <4A5365FF.8050402@redhat.com>

Michael Ströder wrote:
> Hugo Etievant wrote:
>> The password is captured in clear by the passsync service on the AD server which is used by the workstation for the change-password operation.
>
> Out of curiosity: What happens if the passsync service cannot reach the FDS via LDAP because of network problems? Is the password sync LDAP modify operation synchronous, or is there some kind of queue implemented?

The password change operations are queued.

> Ciao, Michael.

From rmeggins at redhat.com Tue Jul 7 15:13:49 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jul 2009 09:13:49 -0600
Subject: [389-users] Password sync
In-Reply-To: <4A532049.7090300@inrp.fr>
References: <4A530BDD.6060601@dr15.cnrs.fr> <4A531181.3010904@inrp.fr> <4A531542.5010307@stroeder.com> <4A532049.7090300@inrp.fr>
Message-ID: <4A53662D.6030509@redhat.com>

Hugo Etievant wrote:
> Michael Ströder wrote:
>> Out of curiosity: What happens if the passsync service cannot reach the FDS via LDAP because of network problems? Is the password sync LDAP modify operation synchronous, or is there some kind of queue implemented?
>
> The log file of the passsync service shows that the password change is deferred for each user in case of a network problem, bad access rights to LDAP, constraint violation, etc., until the change is abandoned.
>
> sample:
> 01/21/09 15:35:33 Deferring password change for xxx
> 01/21/09 15:36:12 Deferring password change for xxx
> 01/21/09 15:37:29 Deferring password change for xxx
> [...]
> 01/21/09 15:39:47 Abandoning password change for xxx backoff expired

Check the access log and errors log for the directory server to see if you can figure out why the password change was not accepted, if not a network problem.
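Rich's advice is to correlate the PassSync deferrals with the Directory Server access and errors logs. What follows is an added example, not PassSync or 389 DS code: a small Python script that reads a PassSync log in the two line shapes Hugo pasted, counts the deferrals per user, measures how long each change sat in the retry queue and flags the users whose change was finally abandoned, since those are the passwords that never reached the Directory Server and the time window to search in the DS logs. The log lines are constructed for the example; only the line format and the `backoff expired` reason come from the thread, the user names and the extra noise line are assumptions.

```python
"""Triage a PassSync log: which password changes never reached the DS?

Added example, not part of PassSync or 389 Directory Server.  It only
understands the two line shapes shown in the thread:

    01/21/09 15:35:33 Deferring password change for xxx
    01/21/09 15:39:47 Abandoning password change for xxx backoff expired

Any other line is ignored, so it is safe to run over a whole log file.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<verb>Deferring|Abandoning) password change for (?P<user>\S+)"
    r"(?: (?P<reason>.+))?$"
)

# Constructed sample (not a real log): jdoe is retried three times and
# then dropped, asmith is still being retried, and one unrelated service
# line must be skipped.
SAMPLE_LOG = """\
01/21/09 15:35:33 Deferring password change for jdoe
01/21/09 15:35:40 PassSync service started
01/21/09 15:36:12 Deferring password change for jdoe
01/21/09 15:37:29 Deferring password change for jdoe
01/21/09 15:38:02 Deferring password change for asmith
01/21/09 15:39:47 Abandoning password change for jdoe backoff expired
"""


def parse_line(line):
    """Return (timestamp, verb, user, reason) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S")
    return ts, m.group("verb"), m.group("user"), m.group("reason") or ""


def triage(lines):
    """Aggregate per user: deferral count, first/last sighting, abandoned flag."""
    users = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, verb, user, reason = parsed
        rec = users.setdefault(user, {
            "deferred": 0, "first": ts, "last": ts,
            "abandoned": False, "reason": "",
        })
        rec["last"] = ts
        if verb == "Deferring":
            rec["deferred"] += 1
        else:  # Abandoning: PassSync gave up, the DS never got this password
            rec["abandoned"] = True
            rec["reason"] = reason
    return users


def stuck_seconds(rec):
    """How long the change sat in PassSync's retry queue."""
    return int((rec["last"] - rec["first"]).total_seconds())


def needs_attention(users):
    """Users whose change was abandoned: search the DS access log for the
    failing MOD between rec['first'] and rec['last'], and the errors log."""
    return sorted(u for u, rec in users.items() if rec["abandoned"])


def report(lines):
    """One summary line per user, sorted by user name."""
    users = triage(lines)
    out = []
    for user in sorted(users):
        rec = users[user]
        state = "ABANDONED (%s)" % rec["reason"] if rec["abandoned"] else "pending"
        out.append("%-10s deferred=%d stuck=%ds %s"
                   % (user, rec["deferred"], stuck_seconds(rec), state))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Run it against the real file with `report(open(path).readlines())`. The `first`/`last` timestamps are the useful part: they bound the window in which the DS access log should show the `MOD` from the PassSync bind DN with a non-zero `err=`, which is what Rich suggests looking for when the cause is not the network.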
From rmeggins at redhat.com Tue Jul 7 15:14:51 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 07 Jul 2009 09:14:51 -0600
Subject: [Attachement suspect] Re: [389-users] Directory server : search problem with wildcard
In-Reply-To: <14439_1246950549_4A52F495_14439_32081_1_4A52F484.2060209@agora.msa.fr>
References: <14209_1246629110_4A4E0CF6_14209_17470_1_4A4E0CF5.4070100@agora.msa.fr> <3234_1246891980_4A520FCC_3234_24805_1_4A521011.6000003@redhat.com> <14439_1246950549_4A52F495_14439_32081_1_4A52F484.2060209@agora.msa.fr>
Message-ID: <4A53666B.2090307@redhat.com>

Paul Lemoine wrote:
> I have tested a bigger value for the idlistscanlimit (10*4000 = 40000) and the search problem disappeared.
> Thank you everyone.
> Now I wonder what its value could be for a directory which intends to reach 3 000 000 inetOrgPerson?
> Is there a rule between idlistscanlimit and the number of entries?

No, there is a rule between idlistscanlimit and how many entries you expect to match a single search. So if you are planning to do searches like (cn=*e*) you should have a very large idlistscanlimit.

> Thank you
> Regards
> Paul.
>
> Rich Megginson wrote:
>> Paul Lemoine wrote:
>>> Hi,
>>>
>>> I have a search problem with Fedora DS 1.1.3.
>>> My directory has an extended schema on the objectClass "inetOrgPerson". It contains 350000 inetOrgPerson objects.
>>> When I proceed with a search with that kind of filter, (cn=smith*) or (uid=25698*), the response comes 1 minute later with error code 11.
>> How many entries match cn=smith*? uid=25698*? I think the problem is the idlistscanlimit as mentioned by another poster.
>>> Indexes on the cn and uid attributes are on equality, presence and substring. I have recreated (plus reindexed) this attribute.
>>> I put the look-through-limit to infinity; though I don't have the error code 11 anymore, I have to wait a very long time for the response.
>>> In the log, I found "etime=77 notes=U" which means that the search does not use the indexes.
>>>
>>> I have done the same requests with a "native" schema: it works perfectly. So, it is my extended schema which causes the problem. Can the Fedora DS (or 389 DS) deal with an extended schema?
>>>
>>> Has anybody met this problem? Is there a solution for forcing FDS to use the indexes?
>>>
>>> Regards
>>> Thank you
>>> Paul.
>>>
>>> This message is protected by the secrecy of correspondence rules. Therefore, this message is intended solely for the attention of the addressee. This message may contain privileged or confidential information; as such the disclosure of this information is strictly forbidden. If, by mistake, you have received this message, please return this message to the addresser whose e-mail address is written above and destroy this message and all files attached.

From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jul 7 15:58:09 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Tue, 07 Jul 2009 17:58:09 +0200
Subject: [389-users] Password sync
In-Reply-To: <4A5365DF.9060007@redhat.com>
References: <4A530BDD.6060601@dr15.cnrs.fr> <4A531181.3010904@inrp.fr> <4A532967.708@dr15.cnrs.fr> <4A5365DF.9060007@redhat.com>
Message-ID: <4A537091.1020407@dr15.cnrs.fr>

Rich Megginson wrote:
> jean-Noël Chardron wrote:
>> Hugo Etievant wrote:
>>> [...]
>>> This is the point of failure of the FDS/windows sync architecture.
>>
>> thank you for your reply
>> However, by looking in the documentation PDF I found this:
>> 9.2.4. Step 4: Install the Password Sync Service
>> Password Sync can be installed on every domain controller in the Active Directory domain in order to synchronize Windows passwords.
>> I do not know how to interpret the above, so I installed a second passSync.msi on the slave windows2 server.
> Windows sync (the part that goes from DS to AD) is single master - but password changes are the exception to this - in fact you must install PassSync.msi on every AD domain controller to get all of the password changes.

Ok thanks, perhaps an update of the documentation would be welcome, because for me it was not obvious that I had to install it on all the Windows domain servers. I installed the PassSync.msi just on the master Windows server, so the FDS has missed many password updates.

-- Jean-Noel Chardron

From dumboq at yahoo.com Wed Jul 8 18:19:55 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Wed, 8 Jul 2009 11:19:55 -0700 (PDT)
Subject: [389-users] Recover after installing a bad cert.
Message-ID: <331732.53124.qm@web111911.mail.gq1.yahoo.com>

I just installed a new ssl certificate using pk12util. I restarted my dirsrv, and picked the new cert in the dropdown menu under the encryption tab. I restarted dirsrv to make it take effect. When I did this, I found that the root certificate was not in redhat's/openssl's ca-bundle. I tried importing the intermediate certificate, and I think I just made the problem worse.

Right now I'm getting the following.
SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert rhds.example.com - Comodo CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
[08/Jul/2009:14:18:04 -0400] - SSL failure: None of the cipher are valid

Now my directory is down completely. How can I get it to start up without SSL so that I can fix the problem?

From rmeggins at redhat.com Wed Jul 8 19:02:18 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Jul 2009 13:02:18 -0600
Subject: [389-users] Recover after installing a bad cert.
In-Reply-To: <331732.53124.qm@web111911.mail.gq1.yahoo.com>
References: <331732.53124.qm@web111911.mail.gq1.yahoo.com>
Message-ID: <4A54ED3A.1030902@redhat.com>

Dumbo Q wrote:
> I just installed a new ssl certificate using pk12util. I restarted my dirsrv, and picked the new cert in the dropdown menu under the encryption tab. I restarted dirsrv to make it take effect. When I did this, I found that the root certificate was not in redhat's/openssl's ca-bundle. I tried importing the intermediate certificate, and I think I just made the problem worse.
>
> Right now I'm getting the following.
> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert rhds.example.com - Comodo CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
> [08/Jul/2009:14:18:04 -0400] - SSL failure: None of the cipher are valid
>
> Now my directory is down completely. How can I get it to start up without SSL so that I can fix the problem?

The default list of approved root CAs is in a shared library called libnssckbi.so - try this

cd /etc/dirsrv/slapd-yourinstance
ln -s /usr/lib/libnssckbi.so

From ryan.braun at ec.gc.ca Wed Jul 8 18:50:10 2009
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Wed, 8 Jul 2009 18:50:10 +0000
Subject: [389-users] Recover after installing a bad cert.
In-Reply-To: <331732.53124.qm@web111911.mail.gq1.yahoo.com>
References: <331732.53124.qm@web111911.mail.gq1.yahoo.com>
Message-ID: <200907081850.10958.ryan.braun@ec.gc.ca>

On July 8, 2009 06:19:55 pm Dumbo Q wrote:
> I just installed a new ssl certificate using pk12util. [...] I tried importing the intermediate certificate, and I think I just made the problem worse.
>
> Right now I'm getting the following.
> SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert rhds.example.com - Comodo CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
> [08/Jul/2009:14:18:04 -0400] - SSL failure: None of the cipher are valid
>
> Now my directory is down completely. How can I get it to start up without SSL so that I can fix the problem?
Make sure you back up /etc/dirsrv/INSTANCE/dse.ldif

then edit that file and look for

nsslapd-security: on

change to

nsslapd-security: off

save the file, restart the service and ssl should be turned off. Keep in mind whatever caused the ssl config to puke in the first place is still there :)

Ryan

From dumboq at yahoo.com Wed Jul 8 20:57:49 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Wed, 8 Jul 2009 13:57:49 -0700 (PDT)
Subject: [389-users] Recover after installing a bad cert.
In-Reply-To: <200907081850.10958.ryan.braun@ec.gc.ca>
References: <331732.53124.qm@web111911.mail.gq1.yahoo.com> <200907081850.10958.ryan.braun@ec.gc.ca>
Message-ID: <318998.64417.qm@web111914.mail.gq1.yahoo.com>

Thanks, that did it.

I just can't seem to get this certificate working. Here is the most recent way that I have tried.

cat bundle.crt >> new.crt    ## bundle being the chain certificates provided by the CA
cat rhds.crt >> new.crt      ## rhds being the actual cert provided by the CA
openssl verify new.crt       ## turned out OK

openssl pkcs12 -export -in new.crt -inkey rhds.example.com.key -out rhds.example.com-PSSL.p12

pk12util -i /root/certs/rhds.example.com-PSSL.p12 -d .
certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rhds.example.com - Comodo CA Limited                         u,u,u
PositiveSSL CA - The USERTRUST Network                       ,,
UTN-USERFirst-Hardware - AddTrust AB                         ,,

Still the same error when I try to use this cert. Am I doing something wrong?

________________________________
From: Ryan Braun [ADS]
To: fedora-directory-users at redhat.com
Cc: Dumbo Q
Sent: Wednesday, July 8, 2009 2:50:10 PM
Subject: Re: [389-users] Recover after installing a bad cert.

On July 8, 2009 06:19:55 pm Dumbo Q wrote:
> [...]
> Now my directory is down completely. How can I get it to start up without SSL so that I can fix the problem?

Make sure you back up /etc/dirsrv/INSTANCE/dse.ldif

then edit that file and look for

nsslapd-security: on

change to

nsslapd-security: off

save the file, restart the service and ssl should be turned off. Keep in mind whatever caused the ssl config to puke in the first place is still there :)

Ryan

From dumboq at yahoo.com Wed Jul 8 22:00:07 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Wed, 8 Jul 2009 15:00:07 -0700 (PDT)
Subject: [389-users] Recover after installing a bad cert.
In-Reply-To: <318998.64417.qm@web111914.mail.gq1.yahoo.com>
References: <331732.53124.qm@web111911.mail.gq1.yahoo.com> <200907081850.10958.ryan.braun@ec.gc.ca> <318998.64417.qm@web111914.mail.gq1.yahoo.com>
Message-ID: <193848.87620.qm@web111902.mail.gq1.yahoo.com>

Of course, it would help if I trusted the intermediate cert.

certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust AB"
certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST Network"

After doing this I tried an ldapsearch -H ldaps://....
ldapsearch worked with no problem.
My ldap client "Jxplorer" could not connect however. It complained with the following:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain.
A partial success, I guess.

________________________________
From: Dumbo Q
To: Ryan Braun [ADS]; fedora-directory-users at redhat.com
Sent: Wednesday, July 8, 2009 4:57:49 PM
Subject: Re: [389-users] Recover after installing a bad cert.

Thanks, that did it.

I just can't seem to get this certificate working. Here is the most recent way that I have tried.
[...]
Still the same error when I try to use this cert. Am I doing something wrong?

________________________________
From: Ryan Braun [ADS]
To: fedora-directory-users at redhat.com
Cc: Dumbo Q
Sent: Wednesday, July 8, 2009 2:50:10 PM
Subject: Re: [389-users] Recover after installing a bad cert.

On July 8, 2009 06:19:55 pm Dumbo Q wrote:
> [...]
> Now my directory is down completely. How can I get it to start up without SSL so that I can fix the problem?

Make sure you back up /etc/dirsrv/INSTANCE/dse.ldif
[...]
Ryan

From rmeggins at redhat.com Thu Jul 9 02:11:26 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 08 Jul 2009 20:11:26 -0600
Subject: [389-users] Recover after installing a bad cert.
In-Reply-To: <193848.87620.qm@web111902.mail.gq1.yahoo.com>
References: <331732.53124.qm@web111911.mail.gq1.yahoo.com> <200907081850.10958.ryan.braun@ec.gc.ca> <318998.64417.qm@web111914.mail.gq1.yahoo.com> <193848.87620.qm@web111902.mail.gq1.yahoo.com>
Message-ID: <4A5551CE.3080002@redhat.com>

Dumbo Q wrote:
> Of course, it would help if I trusted the intermediate cert.
> certutil -M -t "CT,," -d . -n "UTN-USERFirst-Hardware - AddTrust AB"
> certutil -M -t "CT,," -d . -n "PositiveSSL CA - The USERTRUST Network"
>
> After doing this I tried an ldapsearch -H ldaps://....
> ldapsearch worked with no problem.
> My ldap client "Jxplorer" could not connect however. It complained with the following:
> javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Server Certificate: server certificate could not be verified, and the CA certificate is missing from the certificate chain.
>
> A partial success, I guess.

Does Jxplorer have the CA cert?
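The failure in this thread was the same twice over: the issuer certificates were present but not trusted, first in the server's NSS database (error -8179, "issuer is not recognized") and then in JXplorer's own trust store. The following is an added example, not NSS, certutil or 389 DS code: a Python script that reads the `certutil -L -d .` listing Dumbo pasted, separates the server's own key pair (the `u` flags) from the issuer entries, flags every issuer with no `C` in the SSL trust column, and builds the `certutil -M` commands that set the trust, which is the fix Dumbo applied by hand. The listing embedded below is reconstructed from the thread; the `live_listing` helper and the `dbdir` parameter are assumptions for running it against a real database.

```python
"""Find untrusted issuer entries in an NSS certificate database listing.

Added example; not part of NSS, certutil or 389 Directory Server.
It works on the text produced by `certutil -L -d <dbdir>`:

    Certificate Nickname                     Trust Attributes
                                             SSL,S/MIME,JAR/XPI
    rhds.example.com - Comodo CA Limited     u,u,u
    PositiveSSL CA - The USERTRUST Network   ,,
    UTN-USERFirst-Hardware - AddTrust AB     ,,

'u' means the DB holds the private key (the server's own cert); 'C' in
the SSL column means NSS treats the entry as a trusted CA for SSL.  An
issuer that is present with ',,' is exactly the "Peer's Certificate
issuer is not recognized" (-8179) situation from the thread.
"""
import re
import subprocess

# nickname, two or more spaces, then the three comma separated trust columns
ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<ssl>[A-Za-z]*),(?P<smime>[A-Za-z]*),(?P<jar>[A-Za-z]*)\s*$"
)

# Constructed listing, matching the one pasted in the thread.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

rhds.example.com - Comodo CA Limited                         u,u,u
PositiveSSL CA - The USERTRUST Network                       ,,
UTN-USERFirst-Hardware - AddTrust AB                         ,,
"""


def parse_listing(text):
    """Return a list of (nickname, ssl_trust, smime_trust, jar_trust).

    The two header lines never match ENTRY_RE (no comma separated trust
    triple after a two-space gap), so they are skipped without special casing.
    """
    certs = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m is None:
            continue
        certs.append((m.group("nick"), m.group("ssl"),
                      m.group("smime"), m.group("jar")))
    return certs


def server_certs(certs):
    """Entries with a private key: the certificate(s) the server presents."""
    return [nick for nick, ssl, _s, _j in certs if "u" in ssl]


def untrusted_issuers(certs):
    """Entries without a private key that NSS does not yet trust for SSL."""
    return [nick for nick, ssl, _s, _j in certs
            if "u" not in ssl and "C" not in ssl]


def fix_commands(certs, dbdir="."):
    """The certutil invocations that mark those entries as SSL CAs."""
    return ['certutil -M -d %s -n "%s" -t "CT,,"' % (dbdir, nick)
            for nick in untrusted_issuers(certs)]


def apply_trust(certs, nick, ssl="CT", smime="", jar=""):
    """Model what certutil -M does to the listing, so the fix can be
    checked offline before touching the real database."""
    return [(n, ssl, smime, jar) if n == nick else (n, s, m, j)
            for n, s, m, j in certs]


def live_listing(dbdir):
    """Read the real database (assumed helper; needs certutil installed)."""
    return subprocess.run(["certutil", "-L", "-d", dbdir],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    certs = parse_listing(SAMPLE_LISTING)
    print("server cert(s):", server_certs(certs))
    for cmd in fix_commands(certs):
        print(cmd)
```

Two caveats a practitioner would want. Setting `CT,,` on an intermediate makes NSS treat it as a trust anchor; that is why ldapsearch (which uses the same NSS database) started working, but the cleaner fix is to import the actual root with `certutil -A -d . -n "<root nickname>" -t "CT,," -i root.pem` and leave the intermediates with `,,`, since the server then sends the intermediates as part of the chain. And a Java client such as JXplorer never looks at the NSS database: it validates against its own keystore, so Rich's question ("does JXplorer have the CA cert?") is the right one, and the answer is to add the CA there as well.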
From arun.reso at gmail.com Thu Jul 9 07:22:39 2009
From: arun.reso at gmail.com (Arun Shrimali)
Date: Thu, 9 Jul 2009 12:52:39 +0530
Subject: [389-users] installation - LDAP connection error

Dear All,

I am planning to set up FDS (389) (FDS 1.1.3-1.FC11) on Fedora 11. I have followed the installation process, which went fairly well, but during setup I got the following error:

The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'reso' was successfully created.
Creating the configuration directory server . . .
Error: failed to open an LDAP connection to host 'data.resobank.net' port '52060' as user 'cn=Directory Manager'. Error: unknown.
Failed to create the configuration directory server
Exiting . . .
Log file is '/tmp/setupJVTstI.log'

Can anybody help me... where is the problem, and how do I resolve it?

Arun

From muzzol at gmail.com Thu Jul 9 07:45:41 2009
From: muzzol at gmail.com (muzzol)
Date: Thu, 9 Jul 2009 07:45:41 +0000
Subject: [389-users] installation - LDAP connection error
Message-ID: <4a3f02760907090045p1475b55el10613ef58dc11fc6@mail.gmail.com>

2009/7/9 Arun Shrimali :
> data.resobank.net'

be sure that data.resobank.net is in first place in your /etc/hosts file for your public IP

--
========================
    ^ ^
    O O
   (_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers. They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and Catalans; let's see when it decides to talk to normal people" Jiménez Losantos
========================
bomb terrorism bush aznar teletubbies

From psundaram at wgen.net Thu Jul 9 14:19:56 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Thu, 9 Jul 2009 10:19:56 -0400
Subject: [389-users] Migration from OpenLDAP and Sync with AD

Dear fellow Fedora DS users and experts,

I am working on this new project where there is a two step process. We are currently using a poorly managed OpenLDAP server for over 3 years and planning to migrate to Fedora DS.

Scenario: OpenLDAP =====Migrate all users and passwords===> Fedora DS <----------PassSync-------> Windows AD

Question 1: Is it possible to migrate current users (around 300 users) from OpenLDAP to Fedora DS along with the UIDs, Security ID and passwords? Like everything looks the same from the users' perspective.

Question 2: Is it possible to create a password sync between FDS and AD for all the above users? Yes, the username is the same in both directories.
Question 2.1: The users are stored with different Security IDs in the Windows environment than in OpenLDAP or FDS. Will that pose a problem?

Question 2.2: We have several domain controllers and Active Directory servers which run in sync. Since the PassSync can only run on one server, will it be a problem that some passwords do not get synced because the user changed it on XP which redirected to another server (without PassSync)?

If any of you has gone through these issues and anything more, please respond to this thread or give me links.

Thanks for your help and patience.
Prashanth

From david.donnan at thalesgroup.com Thu Jul 9 14:29:58 2009
From: david.donnan at thalesgroup.com (david.donnan at thalesgroup.com)
Date: Thu, 9 Jul 2009 16:29:58 +0200
Subject: [389-users] Out of the office
Message-ID: <49F9AB2300584AC5@d3smsg01p.services.thales>

----- The following is an automated response ----- to your message generated on behalf of david.donnan at thalesgroup.com

Subject: Out of the office

Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive).

Thanks,
David (Dave) Donnan

From psundaram at wgen.net Thu Jul 9 14:25:03 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Thu, 09 Jul 2009 10:25:03 -0400
Subject: [389-users] Migration from OpenLDAP and PassSync with AD

Dear fellow Fedora DS users and experts,

I am working on this new project where there is a two step process. We are currently using a poorly managed OpenLDAP server for over 3 years and planning to migrate to Fedora DS.
Scenario: OpenLDAP =====Migrate all users and passwords===> Fedora DS <----------PassSync-------> Windows AD

Question 1: Is it possible to migrate current users (around 300 users) from OpenLDAP to Fedora DS along with the UIDs, Security ID and passwords? Like everything looks the same from the users' perspective.

Question 2: Is it possible to create a password sync between FDS and AD for all the above users? Yes, the username is the same in both directories.

Question 2.1: The users are stored with different Security IDs in the Windows environment than in OpenLDAP or FDS. Will that pose a problem?

Question 2.2: We have several domain controllers and Active Directory servers which run in sync. Since the PassSync can only run on one server, will it be a problem that some passwords do not get synced because the user changed it on XP which redirected to another server (without PassSync)?

If any of you has gone through these issues and anything more, please respond to this thread or give me links.

Thanks for your help and patience.
Prashanth

From rmeggins at redhat.com Thu Jul 9 15:03:00 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 09 Jul 2009 09:03:00 -0600
Subject: [389-users] Migration from OpenLDAP and PassSync with AD
Message-ID: <4A5606A4.5010004@redhat.com>

Prashanth Sundaram wrote:
> Dear fellow Fedora DS users and experts,
>
> I am working on this new project where there is a two step process. We
> are currently using a poorly managed OpenLDAP server for over 3 years
> and planning to migrate to Fedora DS.
>
> Scenario: OpenLDAP =====Migrate all users and passwords===> Fedora DS
> <----------PassSync-------> Windows AD
>
> Question 1: Is it possible to migrate current users (around 300 users)
> from OpenLDAP to Fedora DS along with the UIDs, Security ID and
> passwords? Like everything looks the same from the users' perspective.
>
> Question 2: Is it possible to create a password sync between FDS and AD
> for all the above users? Yes, the username is the same in both
> directories.
>
> Question 2.1: The users are stored with different
> Security IDs in the Windows environment than in OpenLDAP or FDS. Will that
> pose a problem?
>
> Question 2.2: We have several domain controllers and
> Active Directory servers which run in sync. Since the PassSync can only
> run on one server, will it be a problem that some passwords do not get
> synced because the user changed it on XP which redirected to another
> server (without PassSync)?

You must install PassSync on all domain controllers. PassSync can run on more than one AD server. I guess we're not very clear about this in the documentation, because it seems to be a common misperception that PassSync can run on only one server.

> If any of you has gone through these issues and anything more, please
> respond to this thread or give me links.
>
> Thanks for your help and patience.
> Prashanth

From nkinder at redhat.com Thu Jul 9 15:47:06 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 09 Jul 2009 08:47:06 -0700
Subject: [389-users] Migration from OpenLDAP and Sync with AD
Message-ID: <4A5610FA.4020707@redhat.com>

On 07/09/2009 07:19 AM, Prashanth Sundaram wrote:
> Dear fellow Fedora DS users and experts,
>
> I am working on this new project where there is a two step process. We are
> currently using a poorly managed OpenLDAP server for over 3 years and
> planning to migrate to Fedora DS.
>
> Scenario: OpenLDAP =====Migrate all users and passwords===> Fedora DS
> <----------PassSync-------> Windows AD
>
> Question 1: Is it possible to migrate current users (around 300 users) from
> OpenLDAP to Fedora DS along with the UIDs, Security ID and passwords? Like
> everything looks the same from the users' perspective.

It depends on the schema that is used, but this should be a case of exporting from OpenLDAP and importing to 389.

> Question 2: Is it possible to create a password sync between FDS and AD for
> all the above users? Yes, the username is the same in both directories.

Yes, you can sync passwords. A number of other common attributes are synchronized as well. These attributes are listed in the Red Hat Directory Server Administrator's Guide.

> Question 2.1: The users are stored with different Security
> IDs in the Windows environment than in OpenLDAP or FDS. Will that pose a
> problem?

I'm not sure what LDAP attribute you are referring to as the "Security ID", so I can't say if this will be a problem.

> Question 2.2: We have several domain controllers and Active
> Directory servers which run in sync. Since the PassSync can only run on one
> server, will it be a problem that some passwords do not get synced because the
> user changed it on XP which redirected to another server (without
> PassSync)?

You need to run the PassSync service on all domain controllers. It's the synchronization agreement that you set up on the 389 side that can only point to one domain controller.

> If any of you has gone through these issues and anything more, please respond
> to this thread or give me links.
>
> Thanks for your help and patience.
> Prashanth

From psundaram at wgen.net Thu Jul 9 16:35:02 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Thu, 09 Jul 2009 12:35:02 -0400
Subject: [389-users] Migration from OpenLDAP and PassSync with AD
In-Reply-To: <20090709160019.8F4BC61A65B@hormel.redhat.com>

Elaborating the Qs:

Question 1: Since we have an existing LDAP server (OpenLDAP) and users were logging in to other dev, prod and testing servers using the passwords managed by this OpenLDAP server. I believe the way the member servers remember the user credentials is by assigning each user a unique security ID. (Please correct me if I am wrong.) If that gets lost in migration, then my users' permissions will have to be re-assigned from scratch (pain for sysadmins).

So my question was, will the users be able to log in to member servers after migrating to FDS and still have the same permissions and home directory folder, and everything looks the same, without panicking about any missing permissions or files?

Question 2.1: What will happen to the passwords that are different on the FDS and AD before the sync? I do not want the passwords to be reset on FDS or AD after the 1st sync, but only future password changes to be synced to FDS and AD and vice versa.

Question 2.1: I was working with Windows before and noticed that Windows saves users with a unique ID. If that is lost or recreated, the previous permissions will no longer hold true for the user, even though the username is the same. Is it the same in a Unix environment? Like, say I delete a user account from FDS and a day after I re-create the ID, will the permissions stay intact?
Thanks,
Prashanth

https://www.redhat.com/archives/fedora-directory-users/2009-July/msg00013.html
From nkinder at redhat.com Thu Jul 9 17:24:16 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 09 Jul 2009 10:24:16 -0700
Subject: [389-users] Migration from OpenLDAP and PassSync with AD
Message-ID: <4A5627C0.5010708@redhat.com>

On 07/09/2009 09:35 AM, Prashanth Sundaram wrote:
> Elaborating the Qs:
>
> Question 1: Since we have an existing LDAP server (OpenLDAP) and users were
> logging in to other dev, prod and testing servers using the passwords
> managed by this OpenLDAP server. I believe the way the member servers
> remember the user credentials is by assigning each user a unique
> security ID. (Please correct me if I am wrong.) If that gets lost in
> migration, then my users' permissions will have to be re-assigned from
> scratch (pain for sysadmins).
>
> So my question was, will the users be able to log in to member servers after
> migrating to FDS and still have the same permissions and home directory folder,
> and everything looks the same, without panicking about any missing
> permissions or files?

I believe you are referring to the uidNumber and gidNumber attributes. File permissions use these numbers. These will remain the same when you export from OpenLDAP and import to 389.

> Question 2.1: What will happen to the passwords that are different on the FDS
> and AD before the sync?
> I do not want the passwords to be reset on FDS or AD
> after the 1st sync, but only future password changes to be synced to FDS and AD
> and vice versa.

A clear-text password is required to sync since different hashing schemes are used on each side. Passwords will only be synchronized when they are changed, which is what you want.

> Question 2.1: I was working with Windows before and noticed that Windows
> saves users with a unique ID. If that is lost or recreated, the previous
> permissions will no longer hold true for the user, even though the username
> is the same. Is it the same in a Unix environment? Like, say I delete a user account
> from FDS and a day after I re-create the ID, will the permissions stay
> intact?

The uidNumber and gidNumber are used in *nix, not the actual uid. If you re-create a user using the same uidNumber and gidNumber, the permissions will still have the same net effect as they did with the old user entry.

> Thanks,
> Prashanth
>
> https://www.redhat.com/archives/fedora-directory-users/2009-July/msg00013.html
From andrew.kerr at amdocs.com Thu Jul 9 18:31:39 2009
From: andrew.kerr at amdocs.com (Andrew Kerr)
Date: Thu, 9 Jul 2009 11:31:39 -0700
Subject: [389-users] Re-enable or move NetscapeRoot
Message-ID: <79C574D4B49B6047B5213B694531E5FF019FD0F7@seamail1.corp.amdocs.com>

We are running Fedora DS 1.0.4. We have two servers doing master-master on NetscapeRoot and our user root. The machine that was the original master needs to be shut down. In preparation for its decommission I changed the user root to just a consumer, and I disabled NetscapeRoot.

I am now unable to run the console on the remaining master, since it apparently is still trying to connect to the old machine's NetscapeRoot.

How can I either re-enable NetscapeRoot on that old machine, or better yet have the console connect to the other master? When I start the console I give it the administration URL of the new server, and I thought that was enough - but it isn't.

Thanks in advance.

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, which you may review at http://www.amdocs.com/email_disclaimer.asp

From andrew.kerr at amdocs.com Thu Jul 9 19:15:10 2009
From: andrew.kerr at amdocs.com (Andrew Kerr)
Date: Thu, 9 Jul 2009 12:15:10 -0700
Subject: [389-users] Re-enable or move NetscapeRoot
In-Reply-To: <79C574D4B49B6047B5213B694531E5FF019FD0F7@seamail1.corp.amdocs.com>
References: <79C574D4B49B6047B5213B694531E5FF019FD0F7@seamail1.corp.amdocs.com>
Message-ID: <79C574D4B49B6047B5213B694531E5FF019FD129@seamail1.corp.amdocs.com>

I found a page on the wiki that helped: http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt.
In addition to following the directions under "How to change the user/group LDAP server", I also had to edit /opt/fedora-ds/slapd-/config/dse.ldif and change, under:

dn: cn=Pass Through Authentication,cn=plugins,cn=config

I changed:

nssldap-pluginarg0:

I'm not sure if the stuff on the wiki page is what did it, or just editing the dse.ldif... I'm new to this and it is still a bit confusing. But all seems to be good now. I could log in to the admin console on the second (new) master. At that point I could have re-enabled the NetscapeRoot on the other (old) master, but I don't want to - I think at this point I can kill the old master (?).
From dumboq at yahoo.com Thu Jul 9 19:13:24 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Thu, 9 Jul 2009 12:13:24 -0700 (PDT)
Subject: [389-users] Recover after installing a bad cert.
In-Reply-To: <4A5551CE.3080002@redhat.com>
References: <331732.53124.qm@web111911.mail.gq1.yahoo.com> <200907081850.10958.ryan.braun@ec.gc.ca> <318998.64417.qm@web111914.mail.gq1.yahoo.com> <193848.87620.qm@web111902.mail.gq1.yahoo.com> <4A5551CE.3080002@redhat.com>
Message-ID: <518489.84769.qm@web111917.mail.gq1.yahoo.com>

My understanding is that I should not need to do anything on the client to make it work. Please note that this is a valid certificate from a real CA. The use of an intermediate certificate (although very annoying) is sometimes used, and is normal. Although, the only other company I've used where I needed to use an intermediate cert was Verisign.

I think I may have mistakenly thought that Jxplorer would use the same source of trusted CAs as the OS. Now that I'm looking into some of the settings, I see it actually only has a handful of CA certs.

________________________________
From: Rich Megginson
To: General discussion list for the 389 Directory server project.
Sent: Wednesday, July 8, 2009 10:11:26 PM
Subject: Re: [389-users] Recover after installing a bad cert.

Does Jxplorer have the CA cert?
From arun.reso at gmail.com Fri Jul 10 06:30:33 2009
From: arun.reso at gmail.com (Arun Shrimali)
Date: Fri, 10 Jul 2009 12:00:33 +0530
Subject: [389-users] installation - LDAP connection error
In-Reply-To: <4a3f02760907090045p1475b55el10613ef58dc11fc6@mail.gmail.com>
References: <4a3f02760907090045p1475b55el10613ef58dc11fc6@mail.gmail.com>

On Thu, Jul 9, 2009 at 1:15 PM, muzzol wrote:
> 2009/7/9 Arun Shrimali :
>> data.resobank.net'
>
> be sure that data.resobank.net is in first place in your /etc/hosts
> file for your public IP
I don't want my FDS server to be on a public IP. I would like to have an internal (file) server through which users can authenticate and access their files/folders. What domain should I use?

Arun

From muzzol at gmail.com Fri Jul 10 06:41:53 2009
From: muzzol at gmail.com (muzzol)
Date: Fri, 10 Jul 2009 06:41:53 +0000
Subject: [389-users] installation - LDAP connection error
References: <4a3f02760907090045p1475b55el10613ef58dc11fc6@mail.gmail.com>
Message-ID: <4a3f02760907092341u63af1175vaba39cd05477fd0d@mail.gmail.com>

2009/7/10 Arun Shrimali :
> I don't want my FDS server to be on a public IP. I would like to have an
> internal (file) server through which users can authenticate and access
> their files/folders. What domain should I use?

As internal I meant your actual IP, not 127.0.0.1. It is not necessary for it to be an internet IP.

Sorry for the misunderstanding.

--
muzzol(a)muzzol.com
========================
"The Spanish government only talks to terrorists, homosexuals and
Catalans; let's see when it decides to talk to normal people"
Jiménez Losantos
========================

bomb terrorism bush aznar teletubbies

From arun.reso at gmail.com Fri Jul 10 07:34:04 2009
From: arun.reso at gmail.com (Arun Shrimali)
Date: Fri, 10 Jul 2009 13:04:04 +0530
Subject: [389-users] installation - LDAP connection error
In-Reply-To: <4a3f02760907092341u63af1175vaba39cd05477fd0d@mail.gmail.com>
References: <4a3f02760907090045p1475b55el10613ef58dc11fc6@mail.gmail.com>
 <4a3f02760907092341u63af1175vaba39cd05477fd0d@mail.gmail.com>
Message-ID:

On Fri, Jul 10, 2009 at 12:11 PM, muzzol wrote:
> 2009/7/10 Arun Shrimali :
>> I don't want my FDS server to be on a public IP. I'd like to have an
>> internal (file) server through which users can authenticate and access
>> their files/folders. What domain should I use?
>>
>
> As internal I meant your actual IP, not 127.0.0.1.
> It is not necessary for it to be an internet IP.
>
> Sorry for the misunderstanding.
>
> --
> ========================
>     ^ ^
>     O O
>    (_ _)
> muzzol(a)muzzol.com
> ========================
> jabber id: muzzol(a)jabber.dk
> ========================
> Don't attribute human qualities to computers.
> They don't like it.
> ========================
> "The Spanish government only talks to terrorists, homosexuals and
> Catalans; let's see when it decides to talk to normal people"
> Jiménez Losantos
> ========================
>
> bomb terrorism bush aznar teletubbies
>

Following your suggestion, I am now trying to set up data.localhost.localdomain at IP address 127.0.0.1.

*I found the following error*:

==============================================================================
The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'data' was successfully created.
Creating the configuration directory server . . .
Error: failed to open an LDAP connection to host 'data.localhost.localdomain' port '389' as user 'cn=Directory Manager'. Error: unknown.
Failed to create the configuration directory server
Exiting . . .
Log file is '/tmp/setupKcR0CB.log'

[root at resobank reso]#

*Is it not possible to set up FDS for an offline network?*

Arun

From arun.reso at gmail.com Fri Jul 10 13:51:49 2009
From: arun.reso at gmail.com (Arun Shrimali)
Date: Fri, 10 Jul 2009 19:21:49 +0530
Subject: [389-users] installation - LDAP connection error
In-Reply-To:
References: <4a3f02760907090045p1475b55el10613ef58dc11fc6@mail.gmail.com>
 <4a3f02760907092341u63af1175vaba39cd05477fd0d@mail.gmail.com>
Message-ID:

On Fri, Jul 10, 2009 at 1:04 PM, Arun Shrimali wrote:
>
>
> On Fri, Jul 10, 2009 at 12:11 PM, muzzol wrote:
> > 2009/7/10 Arun Shrimali :
> >> I don't want my FDS server to be on a public IP. I'd like to have an
> >> internal (file) server through which users can authenticate and access
> >> their files/folders. What domain should I use?
> >>
> >
> > As internal I meant your actual IP, not 127.0.0.1.
> > It is not necessary for it to be an internet IP.
> >
> > Sorry for the misunderstanding.
> >
> > --
> > ========================
> >     ^ ^
> >     O O
> >    (_ _)
> > muzzol(a)muzzol.com
> > ========================
> > jabber id: muzzol(a)jabber.dk
> > ========================
> > Don't attribute human qualities to computers.
> > They don't like it.
> > ========================
> > "The Spanish government only talks to terrorists, homosexuals and
> > Catalans; let's see when it decides to talk to normal people"
> > Jiménez Losantos
> > ========================
> >
> > bomb terrorism bush aznar teletubbies
> >
>
> Following your suggestion, I am now trying to set up
> data.localhost.localdomain at IP address 127.0.0.1.
>
> *I found the following error*:
>
>
> ==============================================================================
> The interactive phase is complete. The script will now set up your
> servers. Enter No or go Back if you want to change something.
>
> Are you ready to set up your servers? [yes]:
> Creating directory server . . .
> Your new DS instance 'data' was successfully created.
> Creating the configuration directory server . . .
> Error: failed to open an LDAP connection to host
> 'data.localhost.localdomain' port '389' as user 'cn=Directory Manager'.
> Error: unknown.
> Failed to create the configuration directory server
> Exiting . . .
> Log file is '/tmp/setupKcR0CB.log'
>
> [root at resobank reso]#
>
> *Is it not possible to set up FDS for an offline network?*
>
> Arun
>

I am trying to set up the FDS server offline. I added the following line to /etc/hosts:

127.0.0.1 data.resobank.net data localhost.localdomain localhost data

all in one line, then tried to set up FDS with the standard process:

# [root at resobank reso]# setup-ds-admin.pl
----------
---------
----------
==============================================================================
The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'data' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: httpd.worker: apr_sockaddr_info_get() failed for resobank.net
output: httpd.worker: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Could not start the admin server. Error: 256
Failed to create and configure the admin server
Exiting . . .
Log file is '/tmp/setup_qJ3Qr.log'
[root at resobank reso]#

How can I have the fully qualified domain name on an offline server?

Arun

From ebenze at hotmail.com Fri Jul 10 16:12:53 2009
From: ebenze at hotmail.com (Eric B.)
Date: Fri, 10 Jul 2009 12:12:53 -0400
Subject: [389-users] Conflicting documentation for RHEL/CentOS 5.x configuration
Message-ID:

Hi,

I'm not sure if I am posting this in the right place, so if this belongs more on another list, please let me know.

I am trying to get Autofs configured to use LDAP on CentOS5.3, but am running into an inconsistency. On CentOS5.3, the openldap server is installed with an extra schema/redhat/autofs.schema file. From what I can tell, that schema file seems to follow RFC2307bis. In the schema, it uses cn and ou. However, in all docs I can find for RHEL5, everything indicates that I should be using automountMapName and automountKey as the Map attribute and the Entry Attribute.

I am very confused. Which is the "right" one to use? If I follow the RHEL docs and tell autofs to use MAP_ATTRIBUTE as automountMapName, then I can't use the schema that is distributed with CentOS5.3.
Should I be using the schema that is distributed with the RHEL/CentOS openLdap package, or is there another one that I should be using instead?

Right now, the openldap-servers package that is installed is openldap-servers-2.3.43-3.el5.

Thanks,

Eric

From david.donnan at thalesgroup.com Fri Jul 10 16:15:29 2009
From: david.donnan at thalesgroup.com (david.donnan at thalesgroup.com)
Date: Fri, 10 Jul 2009 18:15:29 +0200
Subject: [389-users] Out of the office
In-Reply-To:
Message-ID: <49F9AB23005A19C8@d3smsg01p.services.thales>

----- The following is an automated response -----
to your message generated on behalf of david.donnan at thalesgroup.com

Subject: Out of the office

Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive).

Thanks, David (Dave) Donnan
-------------- next part --------------
An embedded message was scrubbed...
From: "Eric B."
Subject: [389-users] Conflicting documentation for RHEL/CentOS 5.x configuration
Date: Fri, 10 Jul 2009 12:12:53 -0400
Size: 6320
URL:

From techchavez at gmail.com Fri Jul 10 16:21:42 2009
From: techchavez at gmail.com (Techie)
Date: Fri, 10 Jul 2009 09:21:42 -0700
Subject: [389-users] Add attributes to user objects.
Message-ID:

Hello,

I want to associate servers to user objects in my directory using attributes that contain the server names. I want to do this so I can query the directory based on the attributes. In the end I would like to map drives based upon an attribute that contains a server name, or at least gather the needed server names by searching the user.

So for example I have an existing user object:
dn: uid=test_user,dc=example,dc=com
title: test account
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: shadowaccount
homeDirectory: /export/home/test_user
gidNumber: 1000
uidNumber: 1000
loginShell: /bin/bash
sn: user
cn: test_user
st: Wyoming
mail: a at a.com
givenName: test
description: test user
uid: test_user

Now I have many users with drives on different servers based upon their geographic location. I would like to add the server names to the user object using an attribute. For example server1: mp3server, server2: mp4server.

With the object classes I have I do not see an attribute that I can use that jumps out at me. What attribute can I use without having to extend the schema? Is there an ext_attribute like Active Directory uses? I am looking into the schema now but perhaps someone has already done this. The account would look something like below with the server1 and server2 attributes. I understand I would need to create an objectClass if I cannot find existing attributes but I hope to avoid that. There has got to be some auxiliary attributes I can use, right?

dn: uid=test_user,dc=example,dc=com
title: test account
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: shadowaccount
homeDirectory: /export/home/test_user
gidNumber: 1000
uidNumber: 1000
loginShell: /bin/bash
sn: user
cn: test_user
st: Wyoming
mail: a at a.com
givenName: test
description: test user
uid: test_user
server1: mp3server
server2: mp4server

From psundaram at wgen.net Fri Jul 10 16:53:37 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Fri, 10 Jul 2009 12:53:37 -0400
Subject: [389-users] Password synchronization between AD and FDS
Message-ID:

Hello,

I am in the process of setting up the Fedora DS as our main development LDAP server.
I would like to know all the possible ways to sync the password between AD and FDS.

Please forgive me if I am repeating any questions already posted on this forum.

Question1: Is FDS and Password sync Enterprise ready? I am afraid the password Sync can break anytime. Also our Windows admins are very skeptical to install a plug-in like PassSync.

Question2: How can I make sure the service is running without any problems on MS server 2003? Any checks or notification system?

Question3: Has any one tried the Windows Services for Unix 3.5, Password Synchronization between AD and UNIX?

Question4: What other password sync mechanisms can I try, even if it requires hours of configuring.

Thanks,
Prashanth

From rmeggins at redhat.com Fri Jul 10 17:06:43 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 10 Jul 2009 11:06:43 -0600
Subject: [389-users] Password synchronization between AD and FDS
In-Reply-To:
References:
Message-ID: <4A577523.20403@redhat.com>

Prashanth Sundaram wrote:
> Hello,
>
> I am in the process of setting up the Fedora DS as our main
> development LDAP server. I would like to know all the possible ways to
> sync the password between AD and FDS.
>
> Please forgive me, if I am repeating any questions already posted on
> this forum.
>
> Question1: Is FDS and Password sync Enterprise ready?
Yes.
> I am afraid the password Sync can break anytime.
Any software can break anytime. There are no 100% guarantees in the world of software.
> Also our Windows admins are very skeptical to install a plug-in like
> PassSync.
In every shop that has a "windows side of the house" and a "*nix side of the house", and someone wants to deploy directory server and PassSync, the windows admins _never_ want to deploy any additional software on their precious AD machines, especially none of that weird, messy free open source stuff.
However, PassSync is used quite successfully in many, many deployments.
>
> Question2: How can I make sure the service is running without any
> problems on MS server 2003? Any checks or notification system?
There are log files.
>
> Question3: Has any one tried the Windows Services for Unix 3.5,
> Password Synchronization between AD and UNIX?
It's really the same problem as with PassSync, only the reverse - you have to install, configure, and secure a Microsoft provided daemon (and PAM too) on every linux machine you want to sync passwords with. I'm sure the Windows guys will say "look - it's much safer than PassSync - it's from Microsoft!"
>
> Question4: What other password sync mechanisms can I try, even if it
> requires hours of configuring.
>
> Thanks,
> Prashanth
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From dumboq at yahoo.com Fri Jul 10 18:38:28 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Fri, 10 Jul 2009 11:38:28 -0700 (PDT)
Subject: [389-users] Strange replication error
Message-ID: <511379.48346.qm@web111913.mail.gq1.yahoo.com>

I have 2 servers set up for MMR. It seemed to be working fine (although I've only had it running for a few hours). Today I installed a new SSL certificate on both servers. They both came back up fine, and SSL is working perfectly.

However I noticed that replication has stopped. Here is the error message that I am getting. I've looked around and can't find any information about it. I imagine I could probably reinitialize, but I would really like to know what went wrong.
[10/Jul/2009:11:22:13 -0400] - CentOS-Directory/8.1.0 B2009.134.1334 starting up
[10/Jul/2009:11:22:13 -0400] - I'm resizing my cache now...cache was 20000000 and is now 8000000
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - _csngen_parse_state: replica id mismatch; current id - 1, replica id in the state - 65535
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - _replica_init_from_config: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - Unable to configure replica dc=mydomain, dc=com: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Jul/2009:11:22:13 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[10/Jul/2009:12:08:52 -0400] NSMMReplicationPlugin - conn=18 op=3 replica="unknown": Unable to acquire replica: error: no such replica

From gopalsachin at gmail.com Sat Jul 11 16:22:57 2009
From: gopalsachin at gmail.com (Sachin Gopal)
Date: Sat, 11 Jul 2009 21:52:57 +0530
Subject: [389-users] samba pdc + fedora directory server
Message-ID: <7833b03c0907110922j3eff241ft4d7b448876c14e35@mail.gmail.com>

Hi,

I have an existing openldap server running with samba pdc. If I move the existing one to fedora directory server, would all the existing users' passwords be the same? Or is there some hack for this.

--
Sachin Gopal
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From david.donnan at thalesgroup.com Sat Jul 11 16:23:24 2009
From: david.donnan at thalesgroup.com (david.donnan at thalesgroup.com)
Date: Sat, 11 Jul 2009 18:23:24 +0200
Subject: [389-users] Out of the office
In-Reply-To: <7833b03c0907110922j3eff241ft4d7b448876c14e35@mail.gmail.com>
Message-ID: <49F9AB23005A871F@d3smsg01p.services.thales>

----- The following is an automated response -----
to your message generated on behalf of david.donnan at thalesgroup.com

Subject: Out of the office

Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive).

Thanks, David (Dave) Donnan
-------------- next part --------------
An embedded message was scrubbed...
From: Sachin Gopal
Subject: [389-users] samba pdc + fedora directory server
Date: Sat, 11 Jul 2009 21:52:57 +0530
Size: 6519
URL:

From maumar at cost.it Sun Jul 12 20:58:16 2009
From: maumar at cost.it (Maurizio Marini)
Date: Sun, 12 Jul 2009 22:58:16 +0200
Subject: [389-users] no admin console after changing dirmanager password
Message-ID: <200907122258.16446.maumar@cost.it>

I have changed the Dir Manager password as explained here:
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

After the change and restart, I checked as suggested:

ldapsearch -x -D "cn=directory manager" -w newpassword -s base -b "" "objectclass=*"

All seems ok, but...
fedora-idm-console allows access, but after access all is blank.

This is the log:

[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host [localhost.localdomain] did not match pattern [*.xxxxxx.it] -will scan aliases
[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [*.xxxxxx.it]
[Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler

I dunno where I failed. I supposed that my editor had split lines longer than 80 chars in dse.ldif, but now I see (after reinstalling fds) that in dse.ldif lines are wrapped.

-m

From david.donnan at thalesgroup.com Sun Jul 12 20:59:10 2009
From: david.donnan at thalesgroup.com (david.donnan at thalesgroup.com)
Date: Sun, 12 Jul 2009 22:59:10 +0200
Subject: [389-users] Out of the office
In-Reply-To: <200907122258.16446.maumar@cost.it>
Message-ID: <49F9AB23005AD182@d3smsg01p.services.thales>

----- The following is an automated response -----
to your message generated on behalf of david.donnan at thalesgroup.com

Subject: Out of the office

Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive).

Thanks, David (Dave) Donnan
-------------- next part --------------
An embedded message was scrubbed...
From: Maurizio Marini
Subject: [389-users] no admin console after changing dirmanager password
Date: Sun, 12 Jul 2009 22:58:16 +0200
Size: 6177
URL:

From michal.nosek at enlogit.cz Mon Jul 13 05:59:07 2009
From: michal.nosek at enlogit.cz (Michal Nosek)
Date: Mon, 13 Jul 2009 07:59:07 +0200
Subject: [389-users] samba pdc + fedora directory server
In-Reply-To: <7833b03c0907110922j3eff241ft4d7b448876c14e35@mail.gmail.com>
References: <7833b03c0907110922j3eff241ft4d7b448876c14e35@mail.gmail.com>
Message-ID: <1247464747.5392.8.camel@mnosek-ubuntu.enlogit.local>

Sachin Gopal wrote on Sat 11. 07. 2009 at 21:52 +0530:
> Hi,
>
> I have an existing openldap server running with samba pdc. If I move
> the existing one to
> fedora directory server, would all the existing users' passwords be the
> same? Or is there
> some hack for this.

Hi,

It would, because the password is saved as a hash and you can copy the hash.

--
Morbid

From arun.reso at gmail.com Mon Jul 13 08:02:39 2009
From: arun.reso at gmail.com (Arun Shrimali)
Date: Mon, 13 Jul 2009 13:32:39 +0530
Subject: [389-users] FDS user accounts how to ??
Message-ID:

Dear All,

I have set up FDS (389) (FDS 1.1.3-1.FC11) on Fedora 11. I have followed the installation process, which went fairly well. Now I have FDS running.

I want my users on the LAN (Windows / Linux) to authenticate (while booting) and access their home folders. Would creating users through FDS be sufficient, or do I have to install / configure a few more things?

An easy howto for a GUI tool would be helpful.

regards
Arun

From dumboq at yahoo.com Mon Jul 13 14:42:12 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Mon, 13 Jul 2009 07:42:12 -0700 (PDT)
Subject: [389-users] Re: Strange replication error
Message-ID: <764330.41952.qm@web111911.mail.gq1.yahoo.com>

Any ideas? I'll probably try reinitializing the bad server again, but it is a little uncomfortable not knowing what caused this to break.
I looked around on Google but all I found was another person with the same problem, and no responses to his posting.

________________________________
From: Dumbo Q
To: fedora-directory-users at redhat.com
Sent: Friday, July 10, 2009 2:38:28 PM
Subject: Strange replication error

I have 2 servers set up for MMR. It seemed to be working fine (although I've only had it running for a few hours). Today I installed a new SSL certificate on both servers. They both came back up fine, and SSL is working perfectly.

However I noticed that replication has stopped. Here is the error message that I am getting. I've looked around and can't find any information about it. I imagine I could probably reinitialize, but I would really like to know what went wrong.

[10/Jul/2009:11:22:13 -0400] - CentOS-Directory/8.1.0 B2009.134.1334 starting up
[10/Jul/2009:11:22:13 -0400] - I'm resizing my cache now...cache was 20000000 and is now 8000000
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - _csngen_parse_state: replica id mismatch; current id - 1, replica id in the state - 65535
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - _replica_init_from_config: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - Unable to configure replica dc=mydomain, dc=com: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
[10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
[10/Jul/2009:11:22:13 -0400] - slapd started.
Listening on All Interfaces port 389 for LDAP requests
[10/Jul/2009:11:22:13 -0400] - Listening on All Interfaces port 636 for LDAPS requests
[10/Jul/2009:12:08:52 -0400] NSMMReplicationPlugin - conn=18 op=3 replica="unknown": Unable to acquire replica: error: no such replica

From psundaram at wgen.net Mon Jul 13 15:06:58 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 13 Jul 2009 11:06:58 -0400
Subject: [389-users] Alternative way to sync password
Message-ID:

Hello folks,

I would like to test all the options for password sync between Fedora DS and Active Directory. Isn't there an alternative to this?

1. Win Sync Agreement and PassSync.msi
2. ???
3. ???

Note: I need only passwords to sync; user accounts and groups are optional.

Thanks
Prashanth

From rmeggins at redhat.com Mon Jul 13 15:10:24 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 13 Jul 2009 09:10:24 -0600
Subject: [389-users] Strange replication error
In-Reply-To: <511379.48346.qm@web111913.mail.gq1.yahoo.com>
References: <511379.48346.qm@web111913.mail.gq1.yahoo.com>
Message-ID: <4A5B4E60.60104@redhat.com>

Dumbo Q wrote:
> I have 2 servers set up for MMR. It seemed to be working fine (although
> I've only had it running for a few hours). Today I installed a new
> SSL certificate on both servers. They both came back up fine, and SSL
> is working perfectly.
>
> However I noticed that replication has stopped. Here is the error
> message that I am getting. I've looked around and can't find any
> information about it. I imagine I could probably reinitialize, but I
> would really like to know what went wrong.
>
>
>
> [10/Jul/2009:11:22:13 -0400] - CentOS-Directory/8.1.0 B2009.134.1334
> starting up
> [10/Jul/2009:11:22:13 -0400] - I'm resizing my cache now...cache was
> 20000000 and is now 8000000
> [10/Jul/2009:11:22:13 -0400] - skipping cos definition
> cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
> [10/Jul/2009:11:22:13 -0400] - _csngen_parse_state: replica id
> mismatch; current id - 1, replica id in the state - 65535
The only thing that changed is the SSL certificate? Because this error appears to be caused by some really weird configuration problem, as if you replaced a working replication configuration with something else.
> [10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin -
> _replica_init_from_config: failed to create csn generator for replica
> (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
Same as above.
> [10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - Unable to
> configure replica dc=mydomain, dc=com: failed to create csn generator
> for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping
> tree,cn=config)
Same as above.
> [10/Jul/2009:11:22:13 -0400] - skipping cos definition
> cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
> [10/Jul/2009:11:22:13 -0400] - slapd started. Listening on All
> Interfaces port 389 for LDAP requests
> [10/Jul/2009:11:22:13 -0400] - Listening on All Interfaces port 636
> for LDAPS requests
> [10/Jul/2009:12:08:52 -0400] NSMMReplicationPlugin - conn=18 op=3
> replica="unknown": Unable to acquire replica: error: no such replica
I have no idea what happened - I've never seen this before. I'm not really sure what you can do except to just start over. You'll have to shutdown the servers, remove all cn=replica entries and their children from cn=config (by editing dse.ldif with a text editor - be sure to make a backup first), then start up the servers, then configure replication from scratch.
>
>
> ------------------------------------------------------------------------
>

From rmeggins at redhat.com Mon Jul 13 15:11:46 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 13 Jul 2009 09:11:46 -0600
Subject: [389-users] no admin console after changing dirmanager password
In-Reply-To: <200907122258.16446.maumar@cost.it>
References: <200907122258.16446.maumar@cost.it>
Message-ID: <4A5B4EB2.5070106@redhat.com>

Maurizio Marini wrote:
> I have changed the Dir Manager password
> as explained here:
> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword
> after the change and restart, I checked as suggested:
> ldapsearch -x -D "cn=directory manager" -w newpassword -s base -b "" "objectclass=*"
>
> all seems ok
>
> but...
> fedora-idm-console allows access but after access all is blank
> this is the log:
>
> [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
> [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host [localhost.localdomain] did not match pattern [*.xxxxxx.it] -will scan aliases
> [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [*.xxxxxx.it]
> [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
>
These are usually benign.
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
> I dunno where I failed. I supposed that my editor had split lines longer
> than 80 chars in dse.ldif, but now I see (after reinstalling fds) that in dse.ldif lines are wrapped.
>
Are you logging into the console as cn=directory manager or admin?

Try fedora-idm-console -D 9 -f console.log
> -m
>

From dumboq at yahoo.com Mon Jul 13 16:05:12 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Mon, 13 Jul 2009 09:05:12 -0700 (PDT)
Subject: [389-users] Strange replication error
In-Reply-To: <4A5B4E60.60104@redhat.com>
References: <511379.48346.qm@web111913.mail.gq1.yahoo.com>
 <4A5B4E60.60104@redhat.com>
Message-ID: <462848.84483.qm@web111915.mail.gq1.yahoo.com>

I think I must have goofed something up with the replica ID. I thought I recalled it being set to 65535, but then changing it to 1. However, looking at the idm console, it doesn't appear to have an option to change it. My best assumption is that I botched it up, but it didn't break until I restarted it.

I deleted both replication agreements and recreated them (reinitializing one of the servers). It seems ok now. It survived a reboot.

________________________________
From: Rich Megginson
To: General discussion list for the 389 Directory server project.
Sent: Monday, July 13, 2009 11:10:24 AM
Subject: Re: [389-users] Strange replication error

Dumbo Q wrote:
> I have 2 servers set up for MMR. It seemed to be working fine (although I've only had it running for a few hours). Today I installed a new SSL certificate on both servers. They both came back up fine, and SSL is working perfectly.
>
> However I noticed that replication has stopped. Here is the error message that I am getting. I've looked around and can't find any information about it. I imagine I could probably reinitialize, but I would really like to know what went wrong.
>
>
>
> [10/Jul/2009:11:22:13 -0400] - CentOS-Directory/8.1.0 B2009.134.1334 starting up
> [10/Jul/2009:11:22:13 -0400] - I'm resizing my cache now...cache was 20000000 and is now 8000000
> [10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
> [10/Jul/2009:11:22:13 -0400] - _csngen_parse_state: replica id mismatch; current id - 1, replica id in the state - 65535
The only thing that changed is the SSL certificate? Because this error appears to be caused by some really weird configuration problem, as if you replaced a working replication configuration with something else.
> [10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - _replica_init_from_config: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
Same as above.
> [10/Jul/2009:11:22:13 -0400] NSMMReplicationPlugin - Unable to configure replica dc=mydomain, dc=com: failed to create csn generator for replica (cn=replica,cn=\22dc=mydomain, dc=com\22,cn=mapping tree,cn=config)
Same as above.
> [10/Jul/2009:11:22:13 -0400] - skipping cos definition cn=nsAccountInactivation_cos,dc=mydomain,dc=com--no templates found
> [10/Jul/2009:11:22:13 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [10/Jul/2009:11:22:13 -0400] - Listening on All Interfaces port 636 for LDAPS requests
> [10/Jul/2009:12:08:52 -0400] NSMMReplicationPlugin - conn=18 op=3 replica="unknown": Unable to acquire replica: error: no such replica
I have no idea what happened - I've never seen this before. I'm not really sure what you can do except to just start over. You'll have to shutdown the servers, remove all cn=replica entries and their children from cn=config (by editing dse.ldif with a text editor - be sure to make a backup first), then start up the servers, then configure replication from scratch.
From psundaram at wgen.net Mon Jul 13 17:13:11 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 13 Jul 2009 13:13:11 -0400
Subject: [389-users] Password lookup to AD
Message-ID:

Hi,

Is it possible to have Fedora DS and have the password lookup redirected to Active Directory? Some kind of proxy lookup. Take the case of Mac OS X server and clients: they have Open Directory, and the password manager can authenticate against the Active Directory.

Is it possible to have FDS without the password?

So I would like to know, is it possible to achieve the same for FDS using Samba, Winbind or NSS? Is it possible that the FDS has all the user permissions and special groups but the authentication is turned to AD? I know the passwords are hashed by Kerberos and hope we can achieve this with some effort.

A useful post by Microsoft: http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx?pr=blog

Thanks,
Prashanth

From psundaram at wgen.net Mon Jul 13 18:03:13 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 13 Jul 2009 14:03:13 -0400
Subject: [389-users] Re: Password lookup to AD
In-Reply-To:
Message-ID:

To elaborate the question: is it possible to have a pass-through authentication system as with OpenLDAP?

About pass-through authentication: http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication

Another post by Microsoft; I am hoping this setting can help me read the user passwords to authenticate against.
http://www.advproxy.net/ldapads.html

Prashanth

From nkinder at redhat.com Mon Jul 13 18:07:09 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 13 Jul 2009 11:07:09 -0700
Subject: [389-users] Password lookup to AD
In-Reply-To:
References:
Message-ID: <4A5B77CD.3040805@redhat.com>

On 07/13/2009 10:13 AM, Prashanth Sundaram wrote:
> Hi,
>
> Is it possible to have Fedora DS and have the password lookup redirected to Active Directory? Some kind of proxy lookup. Take the case of Mac OS X server and clients, they have Open Directory and the password manager can authenticate against the Active Directory.
>
> Is it possible to have FDS without the password?

See the PAM Pass-through plug-in: http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

From psundaram at wgen.net Mon Jul 13 21:15:40 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 13 Jul 2009 17:15:40 -0400
Subject: [389-users] Re: Password lookup to AD
In-Reply-To:
Message-ID:

Thanks Nathan.

I found some old threads discussing the same issue:
https://www.redhat.com/archives/fedora-directory-users/2006-November/msg00301.html

Question 1: Do I still need PassSync.msi installed on the Win server?

Question 2: How does this work exactly? This is what I understand: for any user who logs on, the query first goes to FDS and then the PTA plugin queries the AD.

Question 3: What exactly is AD Chaining? I get the literal meaning, that AD is a symlink to the LDAP DB on the FDS. I would like to know the clear distinction between the two (AD Chaining and Pass-thru).

I am sorry if I am repeating any questions. I am new to Unix and learning on my own.

Thank you so much, your help is greatly appreciated.

Prashanth

From david.donnan at thalesgroup.com Mon Jul 13 21:14:05 2009
From: david.donnan at thalesgroup.com (david.donnan at thalesgroup.com)
Date: Mon, 13 Jul 2009 23:14:05 +0200
Subject: [389-users] Out of the office
In-Reply-To:
Message-ID: <49F9AB23005B8D7F@d3smsg01p.services.thales>

----- The following is an automated response -----
to your message generated on behalf of david.donnan at thalesgroup.com

Subject: Out of the office

Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive).

Thanks, David (Dave) Donnan

From rmeggins at redhat.com Mon Jul 13 21:21:28 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 13 Jul 2009 15:21:28 -0600
Subject: [389-users] Re: Password lookup to AD
In-Reply-To:
References:
Message-ID: <4A5BA558.6090508@redhat.com>

Prashanth Sundaram wrote:
> Thanks Nathan.
>
> I found some old threads discussing the same issue.
>
> https://www.redhat.com/archives/fedora-directory-users/2006-November/msg00301.html
>
> Question 1: Do I still need PassSync.msi installed on the Win server?

No.

> Question 2: How does this work exactly? This is what I understand: for any user who logs on, the query first goes to FDS and then the PTA plugin queries the AD.

PAM passthrough works via PAM - similarly to how OpenLDAP goes through saslauthd - so if you have some PAM module that can auth against AD (except LDAP, which probably won't work) you can configure PAM passthrough to pass the auth to that PAM module, then to AD.

> Question 3: What exactly is AD Chaining? I get the literal meaning, that AD is a symlink to the LDAP DB on the FDS. I would like to know the clear distinction between the two (AD Chaining and Pass-thru).

With chaining, you have _no_ local data in the directory server - all of the data is pulled from AD. With PAM passthrough, just the _auth_ is done against AD - you still have to have the local data in the directory server.

> I am sorry if I am repeating any questions. I am new to Unix and learning on my own.
>
> Thank you so much, your help is greatly appreciated.
>
> Prashanth

From chris at untrepid.com Mon Jul 13 21:39:58 2009
From: chris at untrepid.com (Chris Phillips)
Date: Mon, 13 Jul 2009 22:39:58 +0100
Subject: [389-users] Out of the office
In-Reply-To: <49F9AB23005B8D7F@d3smsg01p.services.thales>
References: <49F9AB23005B8D7F@d3smsg01p.services.thales>
Message-ID: <3e4e5d790907131439j26d40c98pb9788a9e2d037865@mail.gmail.com>

Well thank fuck for that. So glad I know a complete stranger is on holiday...

On Mon, Jul 13, 2009 at 10:14 PM, wrote:
> ----- The following is an automated response -----
> to your message generated on behalf of david.donnan at thalesgroup.com
>
> Subject: Out of the office
>
> Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive).
>
> Thanks, David (Dave) Donnan

From n.gresham at uq.edu.au Tue Jul 14 02:18:10 2009
From: n.gresham at uq.edu.au (Nick Gresham)
Date: Tue, 14 Jul 2009 12:18:10 +1000
Subject: [389-users] Fedora DS with virtual machines
Message-ID:

Hi All,

Does anyone have any experience running DS in a virtual machine? Our current LDAP infrastructure is quite busy, 500-1000 connections/minute, with >6.5 million operations per day. The VMs will have up to 8GB of RAM, though we think we'll only need 6.

We're performing testing with slamd, but it's hard to get truly representative stress testing using this tool, I think.

What has your experience been like? Any snafus to watch out for?

Thanks,
Nick

From lbigum at iseek.com.au Tue Jul 14 02:42:31 2009
From: lbigum at iseek.com.au (Luke Bigum)
Date: Tue, 14 Jul 2009 12:42:31 +1000
Subject: [389-users] Fedora DS with virtual machines
In-Reply-To:
References:
Message-ID:

Hey Nick,

We run Fedora DS inside Virtuozzo VEs (not VMWare) and don't have any capacity concerns; our environment sounds like a good tenth the size of yours, though. Each VE (there are 2) has only half a GB of RAM and does about 100 connections a minute; however, our LDAP database is very small, so the memory we've allocated is massive overkill. In terms of CPU usage, the VE does practically nothing.

I wouldn't think you'd need much more RAM over the size of your LDAP database files, so unless you've got 8GB of LDAP information, 8GB of RAM sounds a lot to me. Our LDAP database is only about 40MB, which is close to the RAM usage of the VE.

Our stats might help you decide on what you need. Maybe someone more knowledgeable in the DS internals could explain the large virtual table size.

USER     PR  NI  VIRT  RES  SHR S %CPU    TIME+ %MEM COMMAND
nobody   18   0  601m  39m  18m S    0 16:29.95  7.7 ns-slapd

[root at host:/var/lib/dirsrv/slapd-host]# du -sh .
38M     .

Luke Bigum
Systems Administrator
(p) 1300 661 668
(f) 1300 661 540
(e) lbigum at iseek.com.au
http://www.iseek.com.au
Level 1, 100 Ipswich Road Woolloongabba QLD 4102

This e-mail and any files transmitted with it may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorised to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message.

From jsullivan at opensourcedevel.com Tue Jul 14 03:05:47 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 13 Jul 2009 23:05:47 -0400
Subject: [389-users] Fedora DS with virtual machines
In-Reply-To:
References:
Message-ID: <1247540747.6549.5.camel@jaspav.missionsit.net.missionsit.net>

Likewise, we are running in VServer (www.linux-vserver.org) with no problems at all, but our environment is currently much smaller - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From psundaram at wgen.net Tue Jul 14 15:11:38 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Tue, 14 Jul 2009 11:11:38 -0400
Subject: [389-users] Re: Password lookup to AD
Message-ID:

Thank you Rich,

"so if you have some PAM module that can auth against AD (except LDAP which probably won't work) you can configure PAM passthrough to pass the auth to that PAM module, then to AD"

Are you implying that the FDS will go out of the picture with PAM? I mean, can I still use FDS to check the uid attribute and then pass it to PAM? I am sorry, but I am not getting the flow clearly.

Can you type in, roughly, how the flow goes? (Hopefully someone might come this way and find this helpful.)

From rmeggins at redhat.com Tue Jul 14 15:21:10 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 14 Jul 2009 09:21:10 -0600
Subject: [389-users] Re: Password lookup to AD
In-Reply-To:
References:
Message-ID: <4A5CA266.3080203@redhat.com>

Prashanth Sundaram wrote:
> Thank you Rich,
>
> "so if you have some PAM module that can auth against AD (except LDAP which probably won't work) you can configure PAM passthrough to pass the auth to that PAM module, then to AD"
>
> Are you implying that the FDS will go out of the picture with PAM? I mean, can I still use FDS to check the uid attribute and then pass it to PAM? I am sorry, but I am not getting the flow clearly.

The flow with login will typically go like this:

user types in username + password
client does a search for uid=username - gets back the user's full DN
client does a BIND request with full BIND DN + password
DS PAM passthrough intercepts the bind request
- uses the rule to extract the PAM userid from the BIND DN or user's entry (default will use the value of the uid=userid from the BIND DN)
- PAM passthrough plugin passes the auth userid and password to PAM (assumes properly configured PAM stack for use by DS)
- PAM passthrough plugin will accept or reject the BIND request based on the PAM auth results
- the plugin can optionally continue the BIND to use regular DS authentication if the PAM auth failed

So the real problem here is figuring out what type of PAM stack to use to authenticate to AD - note that pam_ldap will likely not work because that would load the openldap libraries into the DS process, which will conflict with the mozldap libraries used by DS - so something else, perhaps winbind? I just don't know.

> Can you type in, roughly, how the flow goes? (Hopefully someone might come this way and find this helpful.)

From maumar at cost.it Tue Jul 14 16:40:10 2009
From: maumar at cost.it (Maurizio Marini)
Date: Tue, 14 Jul 2009 18:40:10 +0200
Subject: [389-users] no admin console after changing dirmanager password
In-Reply-To: <4A5B4EB2.5070106@redhat.com>
References: <200907122258.16446.maumar@cost.it> <4A5B4EB2.5070106@redhat.com>
Message-ID: <200907141840.16131.maumar@cost.it>

On Monday 13 July 2009, Rich Megginson wrote:
> Maurizio Marini wrote:
> > I have changed the Dir Manager password as explained here:
> > http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword
> > after the change and restart, I checked as suggested:
> > ldapsearch -x -D "cn=directory manager" -w newpassword -s base -b "" "objectclass=*"
> >
> > all seems ok
> >
> > but...
> > fedora-idm-console allows access, but after access all is blank
> > this is the log:
> >
> > [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
> > [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host [localhost.localdomain] did not match pattern [*.xxxxxx.it] -will scan aliases
> > [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [*.xxxxxx.it]
> > [Sun Jul 12 15:25:14 2009] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler

Thanks Richard for helping us :) I have reinstalled everything, as I could not wait for your answer ;( but it's very interesting to know what to do in these situations; seeing blank panes is horrible.

> These are usually benign.
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt

I'll give it a look.

> > I dunno where I failed; I supposed that my editor had split lines longer than 80 chars in dse.ldif, but now I see (after reinstalling FDS) that in dse.ldif lines are wrapped.
>
> Are you logging into the console as cn=directory manager or admin?

admin

> Try fedora-idm-console -D 9 -f console.log

Next time it happens I will do :)

--
Maurizio Marini
Via Collemare, 14 - 61039 San Costanzo (PU) - Italy
GSM +39-335-8259739
RTG : +39-0721950396 0721870286
Skype: maumar at datalogica.com
C.F. MRNMRZ59E17G920X
P. Iva: 01332360419
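The PAM pass-through login flow Rich lays out above (search for uid=<user>, BIND with the full DN, the plug-in maps the bind DN or entry to a PAM user id, PAM decides, optional fallback to the directory's own password) can be run through in code. The model below is an added example, not 389 DS code and not from anyone in the thread: the directory, the AD-backed PAM stack and the client are constructed in-memory stand-ins; the setting names follow the plug-in's pamIDMapMethod, pamIDAttr, pamFallback and pamExcludeSuffix attributes, and the simplified semantics (including a chaining proxy user under cn=config being excluded and authenticated locally) are assumptions.

```python
"""Runnable model of the login flow for the PAM pass-through plug-in.

Added example, not 389 DS code: the directory, the AD-backed PAM stack and
the client are in-memory stand-ins with constructed data, and the plug-in
semantics are simplified (an assumption, not the plug-in's exact behaviour).
"""
from dataclasses import dataclass, field

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around its RDNs for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Constructed directory data. alice has no directory password at all (AD only);
# bob keeps one so the fallback case can be exercised; tproxy sits under
# cn=config like the chaining proxy user discussed later in this archive.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "samaccountname": "ALICE01"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "samaccountname": "BOB01",
                                             "userpassword": "bob-local-pw"},
    "uid=tproxy,cn=config": {"uid": "tproxy", "userpassword": "tproxy-local-pw"},
}

# Constructed stand-in for a PAM stack that authenticates against AD (winbind or
# similar): the user id as AD knows it, and the password AD would accept.
AD_ACCOUNTS = {"alice": "alice-ad-pw", "BOB01": "bob-ad-pw"}


def pam_authenticate(userid: str, password: str) -> bool:
    """What the PAM stack answers; hypothetical replacement for winbind + AD."""
    return AD_ACCOUNTS.get(userid) == password


@dataclass
class PamPassThrough:
    """Bind-time decisions of the plug-in (simplified model)."""
    map_method: str = "RDN"      # RDN: uid=<id> from the bind DN; ENTRY: read id_attr from the entry
    id_attr: str = "uid"         # attribute used when map_method == "ENTRY"
    fallback: bool = False       # retry the directory's userPassword after a PAM reject
    exclude_suffixes: tuple = ("cn=config",)
    trace: list = field(default_factory=list)

    def excluded(self, dn: str) -> bool:
        """Binds under an excluded suffix never reach PAM (local auth only)."""
        ndn = normalize_dn(dn)
        return any(ndn == s or ndn.endswith("," + s) for s in self.exclude_suffixes)

    def pam_userid(self, dn: str, entry: dict):
        """The rule that turns a bind DN (or the entry) into the id handed to PAM."""
        if self.map_method == "RDN":
            attr, _, value = dn.split(",", 1)[0].partition("=")
            return value.strip() if attr.strip().lower() == "uid" else None
        if self.map_method == "ENTRY":
            return entry.get(self.id_attr.lower())
        raise ValueError("unknown map method " + self.map_method)

    def local_auth(self, entry: dict, password: str) -> bool:
        """Regular DS authentication against the entry's own userPassword."""
        return entry.get("userpassword") is not None and entry["userpassword"] == password

    def bind(self, dn: str, password: str) -> int:
        """Intercept a simple BIND and return an LDAP result code."""
        self.trace = []
        entry = DIRECTORY.get(normalize_dn(dn))
        if entry is None:
            self.trace.append("no such entry")
            return LDAP_INVALID_CREDENTIALS
        if self.excluded(dn):
            self.trace.append("excluded suffix: local auth only")
            return LDAP_SUCCESS if self.local_auth(entry, password) else LDAP_INVALID_CREDENTIALS
        userid = self.pam_userid(dn, entry)
        if userid and pam_authenticate(userid, password):
            self.trace.append(f"PAM accepted {userid!r}")
            return LDAP_SUCCESS
        self.trace.append(f"PAM rejected {userid!r}")
        if self.fallback and self.local_auth(entry, password):
            self.trace.append("fallback to directory userPassword succeeded")
            return LDAP_SUCCESS
        return LDAP_INVALID_CREDENTIALS


def login(username: str, password: str, plugin: PamPassThrough) -> int:
    """Client side of the flow: search uid=<username> under the people suffix,
    then BIND with the returned DN and the password the user typed."""
    base = "ou=people,dc=example,dc=com"
    matches = [dn for dn, e in DIRECTORY.items()
               if dn.endswith("," + base) and e.get("uid") == username]
    if len(matches) != 1:        # no entry (or an ambiguous one): no bind DN to use
        return LDAP_INVALID_CREDENTIALS
    return plugin.bind(matches[0], password)


if __name__ == "__main__":
    plugin = PamPassThrough(map_method="ENTRY", id_attr="samaccountname", fallback=True)
    print(login("bob", "bob-ad-pw", plugin), plugin.trace)
```

With the RDN rule the PAM user id is whatever sits in the uid= RDN, so an account that AD knows under a different name only succeeds through the ENTRY rule or the local fallback, which is the point to settle before picking a PAM stack.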
URL: From maumar at cost.it Tue Jul 14 16:46:12 2009 From: maumar at cost.it (Maurizio Marini) Date: Tue, 14 Jul 2009 18:46:12 +0200 Subject: [389-users] administrator created w/out shadowAccount object Message-ID: <200907141846.12645.maumar@cost.it> i cannot believe...but it's true ;( the scenario: Centos 5.3 fully updated, Fedora that one i downloded by repository for Centos 5.3 last saturday samba: rpm -qa |grep samba system-config-samba-1.2.41-3.el5 samba-client-3.0.33-3.7.el5 samba-common-3.0.33-3.7.el5 samba-3.0.33-3.7.el5 rpm -qa |grep fedora fedora-ds-base-1.2.0-2.fc6 fedora-ds-dsgw-1.1.2-1.fc6 fedora-ds-admin-1.1.7-3.fc6 fedora-ds-1.1.3-1.fc6 fedora-ds-console-1.2.0-1.fc6 fedora-ds-admin-console-1.1.3-1.fc6 fedora-idm-console-1.1.3-1.fc6 samba is pdc with fds backend trying to change Administrator pasword using smbldap-passwd i get: Failed to modify UNIX password: attribute "shadowLastChange" not allowed changing for test user is fine checking with admin console i find that Administrator is without shadowAccount object. i folowed the samba howto to installa pdc, but i recovered a backup of previous pdc server taht was damaged and reinstalled my question is: when is added this object and who adds it? tia m. -- Maurizio Marini Via Collemare, 14 - 61039 San Costanzo (PU) - Italy GSM +39-335-8259739 RTG : +39-0721950396 0721870286 Skype: maumar at datalogica.com C.F. MRNMRZ59E17G920X P. Iva: 01332360419 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 190 bytes Desc: This is a digitally signed message part. 
URL: From maumar at cost.it Tue Jul 14 17:07:32 2009 From: maumar at cost.it (Maurizio Marini) Date: Tue, 14 Jul 2009 19:07:32 +0200 Subject: [389-users] administrator created w/out shadowAccount object In-Reply-To: <200907141846.12645.maumar@cost.it> References: <200907141846.12645.maumar@cost.it> Message-ID: <200907141907.38648.maumar@cost.it> maybe this is the reason: shadowAccount is added by fds when you select Configuration Tab -> Password Expiration -> Pasword expires after ... as i have not select anything and changed Administartor, no shadowAccount was created for him, Then i added expiration and test user was fine What i failed was: i have not selected expiration passwords before changing Administrator (or anyone else) password isn't it? -m -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 190 bytes Desc: This is a digitally signed message part. URL: From psundaram at wgen.net Tue Jul 14 18:25:30 2009 From: psundaram at wgen.net (Prashanth Sundaram) Date: Tue, 14 Jul 2009 14:25:30 -0400 Subject: [389-users] FDS authentication through AD Message-ID: Dear All, I would like to build a system where the FDS authentication is delegated to Active Directory. I do not want the password to be stored in FDS or Synced using PassSync.msi. I am asking the community if anyone has come this way? I am trying to put together the pieces of this puzzle with PAM, Pass-through Authentication, Winbind, Windows ADAM and ADFS, Samba etc. I would like to get some comments and see if this can be achieved without modifying the code.(As Rich mentioned: ?what type of PAM stack to use to authenticate to AD?) Anyone interested in working along me or correct me at stages of implementation? Note: I have couple of posts in today?s thread with feedback from Rich Megginson and Nathan Kinder. This post is to seek problems someone might have faced and work together. 
Thanks Prashanth -------------- next part -------------- An HTML attachment was scrubbed... URL: From maumar at cost.it Wed Jul 15 07:58:34 2009 From: maumar at cost.it (Maurizio Marini) Date: Wed, 15 Jul 2009 09:58:34 +0200 Subject: [389-users] trouble with admin access Message-ID: <200907150958.34744.maumar@cost.it> i have played with password syntax, enabling and disabling and restarting each time dirsrv, until i was not able to see anything in the directory tree then, i logged off by admin console and when i try to access again i see Cannot connect to directory server: netscape.ldap.LDAPException: error result(49): password expired!; Invalid Credentials i followed Rich suggestion and i read this: http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt but i cannot find anything o=netscaperoot related: /usr/bin/ldapsearch -x -b o=netscaperoot -D "cn=directory manager" -w xxxx "objectclass=nsAdminConfig" # extended LDIF # # LDAPv3 # base with scope subtree # filter: objectclass=nsAdminConfig # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1 so admin config was lost? can i recover in same way? should i reinstall again? tia -m From david.donnan at thalesgroup.com Wed Jul 15 07:59:03 2009 From: david.donnan at thalesgroup.com (david.donnan at thalesgroup.com) Date: Wed, 15 Jul 2009 09:59:03 +0200 Subject: [389-users] Out of the office In-Reply-To: <200907150958.34744.maumar@cost.it> Message-ID: <49F9AB23005C5155@d3smsg01p.services.thales> ----- The following is an automated response ----- to your message generated on behalf of david.donnan at thalesgroup.com Subject: Out of the office Hello. I'm out of the office from 10 July 2009 until 20 July 2009 (inclusive). Thanks, David (Dave) Donnan -------------- next part -------------- An embedded message was scrubbed... 
From: Maurizio Marini Subject: [389-users] trouble with admin access Date: Wed, 15 Jul 2009 09:58:34 +0200 Size: 5709 URL: From muzzol at muzzol.com Wed Jul 15 08:18:37 2009 From: muzzol at muzzol.com (muzzol) Date: Wed, 15 Jul 2009 08:18:37 +0000 Subject: [389-users] several samba servers with multimaster replication Message-ID: <4a3f02760907150118p4a635ck56975a3e5506c272@mail.gmail.com> hi, i've configured 3 FDS servers with multimaster replication and 1 samba in the "A" node. B and C nodes will be located at different sites and connected through vpn links. i need samba on B and C nodes but im not sure if i must configure them as PDCs, BDCs or just regular file servers feeding from FDS database. is anyone using a similar setup? regards, muzzol -- ======================== ^ ^ O O (_ _) muzzol(a)muzzol.com ======================== jabber id: muzzol(a)jabber.dk ======================== No atribueixis qualitats humanes als ordinadors. No els hi agrada. ======================== "El gobierno espa?ol s?lo habla con terroristas, homosexuales y catalanes, a ver cuando se decide a hablar con gente normal" Jim?nez Losantos ======================== bomb terrorism bush aznar teletubbies From maumar at cost.it Wed Jul 15 11:20:35 2009 From: maumar at cost.it (Maurizio Marini) Date: Wed, 15 Jul 2009 13:20:35 +0200 Subject: [389-users] to avoid reinstalling again Message-ID: <200907151320.42236.maumar@cost.it> Afetr loosing netscape root, I have tried to restore backup of this morning at 4 o'clock, yestarday and sunday, without any successs. I wnder you if saving with rsync or tar or wichever /var/lib/dirsrv/slapd-pdc/db /etc/dirsrv i could avoids reinstalling everything. As far as I can see, all data are there, conf are /etc/dirsrv, saving in a binary fashion these 2 dirs can be sufficient to restore excatly as it was 1 day before tia -m -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 190 bytes Desc: This is a digitally signed message part. URL: From rmeggins at redhat.com Wed Jul 15 14:39:00 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Jul 2009 08:39:00 -0600 Subject: [389-users] trouble with admin access In-Reply-To: <200907150958.34744.maumar@cost.it> References: <200907150958.34744.maumar@cost.it> Message-ID: <4A5DEA04.2080905@redhat.com> Maurizio Marini wrote: > i have played with password syntax, enabling and disabling and restarting each time dirsrv, > until i was not able to see anything in the directory tree > > then, i logged off by admin console and when i try to access again i see > Cannot connect to directory server: > netscape.ldap.LDAPException: error result(49): password expired!; Invalid Credentials > > i followed Rich suggestion and i read this: > http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt > > but i cannot find anything o=netscaperoot related: > /usr/bin/ldapsearch -x -b o=netscaperoot -D "cn=directory manager" -w xxxx "objectclass=nsAdminConfig" > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: objectclass=nsAdminConfig > # requesting: ALL > # > > # search result > search: 2 > result: 0 Success > > # numResponses: 1 > > > so admin config was lost? can i recover in same way? > should i reinstall again? > What version of DS? What platform? Are you sure you are searching your configuration directory server? Do you have more than one directory server? Do you have anything under o=NetscapeRoot? /usr/bin/ldapsearch -x -b o=netscaperoot -D "cn=directory manager" -w xxxx "objectclass=*" What's in /etc/dirsrv/admin-serv/adm.conf? > tia > > -m > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From psundaram at wgen.net Wed Jul 15 16:55:16 2009 From: psundaram at wgen.net (Prashanth Sundaram) Date: Wed, 15 Jul 2009 12:55:16 -0400 Subject: [389-users] Console error from Winsrv 2003 Message-ID: Hi All, I am trying to access the FDS using Java mgmt. console installed on Windows Server 2003. There was a similar case posted before, but I mine differs as I have not changed any hostname. https://www.redhat.com/archives/fedora-directory-users/2008-February/msg0023 0.html Error Message: -------------------------------------------- ?Initialization Failure Cannot connect to the directory server ldap://fedorads-lin.fedorads.net:389 LDAP Error: failed to connect to server ldap://fedorads-lin.fedorads.net:389 Would you like to attempt to restart the Directory Server?? -------------------------------------------- System: Fedora 11 and FedoraDS 1.1.3, Selinux and Firewall disabled Winserver 2003 and FedoraConsole 20090403.msi. Also has DNS, DHCP, DC and AD roles. I have NAT enabled on this machine, so the firewall is disabled. Installation: I had everything default and the hostname is fedorads-lin(never changed). The mgmt. console works fine on Unix box. Console details: User: cn=Directory Manager, Pass:** , URL: http://192.178.1.12:9830 Test conducted: I am able to ping fedorads-lin via IP and DN(DNS is fine). Disabled Firewall and SElinux on FDS box. Checked Name resolution, fine. Suspected Problem: Previously when firewall was enabled, I got a different message like server is not running..... So I am sure it is able to connect to the FDS but just not initializing. Any ideas?? Thanks, Prashanth -------------- next part -------------- An HTML attachment was scrubbed... 
From suuuper at messinalug.org Wed Jul 15 16:56:00 2009
From: suuuper at messinalug.org (Giovanni Mancuso)
Date: Wed, 15 Jul 2009 18:56:00 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
Message-ID: <4A5E0A20.7000600@messinalug.org>

Hi,

I try to configure 2 Directory Servers with a db link.

I have a first DS that points to a second DS that has the DB in the filesystem.

I create a proxy user in the second DS:

# tproxy, config
dn: uid=tproxy,cn=config
uid: tproxy
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: proxy
cn: test proxy
userPassword:: *********************************************

and I create in the first DS the "Database link" that uses this user to bind in the second DS.

In the second DS I add the following aci:

(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)

(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)

But if I try to execute the ldapsearch in the first directory server I have the following error:

ldapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 53 Server is unwilling to perform
text: Proxy dn should not be rootdn

# numResponses: 1

If I enable verbose logging in my error log I have:

[15/Jul/2009:18:44:47 +0200] - activity on 65r
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:47 +0200] - read activity on 65
[15/Jul/2009:18:44:47 +0200] - add_pb
[15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
[15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:47 +0200] - get_pb
[15/Jul/2009:18:44:47 +0200] - conn 1 activity level = 2
[15/Jul/2009:18:44:47 +0200] - conn 1 turbo rank = 2 out of 3 conns
[15/Jul/2009:18:44:47 +0200] - do_search
[15/Jul/2009:18:44:47 +0200] - => get_filter_internal
[15/Jul/2009:18:44:47 +0200] - PRESENT
[15/Jul/2009:18:44:47 +0200] - <= get_filter_internal 0
[15/Jul/2009:18:44:47 +0200] get_filter - before optimize: (objectClass=*)
[15/Jul/2009:18:44:47 +0200] get_filter - after optimize: (objectClass=*)
[15/Jul/2009:18:44:47 +0200] - SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL
[15/Jul/2009:18:44:47 +0200] - => get_ldapmessage_controls
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.2)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.8.5.1)
[15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.3)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.20)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.14)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 1.3.6.1.4.1.42.2.27.9.5.2)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND)
[15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=2
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=1
[15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, timelimit=3600
[15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 type 403
[15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.12)
[15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND)
[15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn should not be rootdn
[15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65
[15/Jul/2009:18:44:48 +0200] - <= send_ldap_result
[15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example
[15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557d68, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557cb8, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() conn=0xb1557c08, handle=3
[15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[15/Jul/2009:18:44:49 +0200] - listener got signaled
[15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 (scheduled for 1247676293)
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend flushing
[15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing

The problem seems to be the "ACL preoperation" plugin. Indeed if I disable this plugin, it WORKS.
But I cannot disable this plugin.
Any ideas to solve the problem?? Thanks and sorry in advance for my bad English // -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Wed Jul 15 16:58:54 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Jul 2009 10:58:54 -0600 Subject: [389-users] Console error from Winsrv 2003 In-Reply-To: References: Message-ID: <4A5E0ACE.40708@redhat.com> Prashanth Sundaram wrote: > Hi All, > > I am trying to access the FDS using Java mgmt. console installed on > Windows Server 2003. There was a similar case posted before, but I > mine differs as I have not changed any hostname. > > https://www.redhat.com/archives/fedora-directory-users/2008-February/msg00230.html > > Error Message: > -------------------------------------------- > ?Initialization Failure > Cannot connect to the directory server > ldap://fedorads-lin.fedorads.net:389 > LDAP Error: failed to connect to server > ldap://fedorads-lin.fedorads.net:389 > > Would you like to attempt to restart the Directory Server?? > -------------------------------------------- > System: Fedora 11 and FedoraDS 1.1.3, Selinux and Firewall disabled > Winserver 2003 and FedoraConsole 20090403.msi. Also has DNS, DHCP, DC > and AD roles. I have NAT enabled on this machine, so the firewall is > disabled. > > Installation: I had everything default and the hostname is > fedorads-lin(never changed). The mgmt. console works fine on Unix box. > > Console details: User: cn=Directory Manager, Pass:** , URL: > http://192.178.1.12:9830 > > Test conducted: I am able to ping fedorads-lin via IP and DN(DNS is > fine). Disabled Firewall and SElinux on FDS box. Checked Name > resolution, fine. > > Suspected Problem: Previously when firewall was enabled, I got a > different message like server is not running..... So I am sure it is > able to connect to the FDS but just not initializing. > > Any ideas?? 
You could try editing the .bat file used to start the console - add -D 9 to the end of the argument list > > Thanks, > Prashanth > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Jul 15 17:02:37 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Jul 2009 11:02:37 -0600 Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem In-Reply-To: <4A5E0A20.7000600@messinalug.org> References: <4A5E0A20.7000600@messinalug.org> Message-ID: <4A5E0BAD.7030600@redhat.com> Giovanni Mancuso wrote: > Hi, > > i try to configure 2 Directory Server with db link. > > I have first DS that point to second DS that have DB in filesystem. > > I create a proxy user in second DS: > > # tproxy, config > dn: uid=tproxy,cn=config > uid: tproxy > givenName: test > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > sn: proxy > cn: test proxy > userPassword:: ********************************************* > > and i create in first DS the "Dababase link" that use this user to > bind in second DS. > > In second DS i add the following aci: What entry did you add this aci to? 
>
> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "AciChepermettetutto";allow (all)(userdn = "ldap:///uid=tproxy,cn=config");)

you should not need this aci

>
> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)

This is the correct aci

>
> Bu if i try to execute the ldapserach in first directory server i have the following error:

proxy does not currently work with directory manager. Directory manager is considered a "local" user to each directory server. Try a different user.

>
> dapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 53 Server is unwilling to perform
> text: Proxy dn should not be rootdn
>
> # numResponses: 1
>
> If i enable verbose logging in my error log i have:
>
> [quoted verbose error log snipped; it is the same log as in the original message above]
>
> The problem seems the "ACL preoperation" plugin. Indeed if i disable this plugin, it WORKS.
> But i cannot disable this plugin.
>
> Any ideas to solve the problem??
>
> Thanks and sorry in advance for my bad English
> //

From maumar at cost.it Wed Jul 15 17:46:56 2009
From: maumar at cost.it (Maurizio Marini)
Date: Wed, 15 Jul 2009 19:46:56 +0200
Subject: [389-users] still wasted :(
Message-ID: <200907151946.56628.maumar@cost.it>

After reinstalling this morning and recovering the nightly backup, I cannot again access the Admin Console.
If I use admin/password I get:
netscape.ldap.LDAPException error result(32) No such object

If I try to access using cn=Directory manager / Password I am allowed to access, but then there is only "Administration server" available in the tree; if I click on Directory Server, I get a red error telling me that rpm package fedora-idm-console was not found and I should reinstall it.

I would change my strategy.

Can I backup an ldif file containing samba objects only?
I would reinstall everything on another server and, after having configured the samba domain with Domain
dn: sambaDomainName=DOMAIN,dc=xxxxx,dc=it
and Administrator, I would restore a backup with samba-only data.

So, apart from
all directory config
domain
administrator

what I would export would be:
samba users
computers
groups

Is it sufficient to use a command with a filter like "(objectclass=sambaSAMAccount)"?

If yes, could someone please suggest me the db2ldif command line to export only this data in ldif format file?
tia -m From maumar at cost.it Wed Jul 15 18:27:57 2009 From: maumar at cost.it (Maurizio Marini) Date: Wed, 15 Jul 2009 20:27:57 +0200 Subject: [389-users] trouble with admin access In-Reply-To: <4A5DEA04.2080905@redhat.com> References: <200907150958.34744.maumar@cost.it> <4A5DEA04.2080905@redhat.com> Message-ID: <200907152028.05199.maumar@cost.it> On Wednesday 15 July 2009, Rich Megginson wrote: > > What version of DS? What platform? cat /etc/redhat-release CentOS release 5.3 (Final) uname -a Linux pdc.xxxxx.it 2.6.18-128.1.14.el5 #1 SMP Wed Jun 17 06:40:54 EDT 2009 i686 i686 i386 GNU/Linux > > Are you sure you are searching your configuration directory server? Do > you have more than one directory server? no, only one installed on Sunday > > Do you have anything under o=NetscapeRoot? > > /usr/bin/ldapsearch -x -b o=netscaperoot -D "cn=directory manager" -w xxxx > "objectclass=*" > i have only this scrolling up my konsole: ldapsearch -x -D "cn=directory manager" -w xxxxxx -s base -b "" "objectclass=*" # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: objectclass=* # requesting: ALL # # dn: objectClass: top namingContexts: dc=xxxxx, dc=it namingContexts: o=netscaperoot supportedExtension: 2.16.840.1.113730.3.5.7 supportedExtension: 2.16.840.1.113730.3.5.8 supportedExtension: 2.16.840.1.113730.3.5.10 supportedExtension: 2.16.840.1.113730.3.5.3 supportedExtension: 2.16.840.1.113730.3.5.5 supportedExtension: 2.16.840.1.113730.3.5.6 supportedExtension: 2.16.840.1.113730.3.5.9 supportedExtension: 2.16.840.1.113730.3.5.4 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 2.16.840.1.113730.3.4.3 supportedControl: 2.16.840.1.113730.3.4.4 supportedControl: 2.16.840.1.113730.3.4.5 supportedControl: 1.2.840.113556.1.4.473 supportedControl: 2.16.840.1.113730.3.4.9 supportedControl: 2.16.840.1.113730.3.4.16 supportedControl: 2.16.840.1.113730.3.4.15 supportedControl: 2.16.840.1.113730.3.4.17 
supportedControl: 2.16.840.1.113730.3.4.19 supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1 supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2 supportedControl: 2.16.840.1.113730.3.4.14 supportedControl: 2.16.840.1.113730.3.4.20 supportedControl: 1.3.6.1.4.1.1466.29539.12 supportedControl: 2.16.840.1.113730.3.4.12 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.13 supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: PLAIN supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: ANONYMOUS supportedSASLMechanisms: LOGIN supportedLDAPVersion: 2 supportedLDAPVersion: 3 vendorName: Fedora Project vendorVersion: Fedora-Directory/1.2.0 B2009.118.1756 dataversion: 020090715072101020090715072101 netscapemdsuffix: cn=ldap://dc=pdc,dc=xxxxx,dc=it:389 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 > What's in /etc/dirsrv/admin-serv/adm.conf? i have not saved it, i have reinstalled later -- Maurizio Marini Via Collemare, 14 - 61039 San Costanzo (PU) - Italy GSM +39-335-8259739 RTG : +39-0721950396 0721870286 Skype: maumar at datalogica.com C.F. MRNMRZ59E17G920X P. Iva: 01332360419 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 190 bytes Desc: This is a digitally signed message part. URL: From maumar at cost.it Wed Jul 15 18:31:14 2009 From: maumar at cost.it (Maurizio Marini) Date: Wed, 15 Jul 2009 20:31:14 +0200 Subject: [389-users] trouble with admin access In-Reply-To: <4A5DEA04.2080905@redhat.com> References: <200907150958.34744.maumar@cost.it> <4A5DEA04.2080905@redhat.com> Message-ID: <200907152031.14756.maumar@cost.it> On Wednesday 15 July 2009, Rich Megginson wrote: > What version of DS? What platform? 
i forget to report this: rpm -qa |grep fedora fedora-ds-admin-console-1.1.3-1.fc6 fedora-idm-console-1.1.3-1.fc6 fedora-ds-dsgw-1.1.2-1.fc6 fedora-ds-admin-1.1.7-3.fc6 fedora-ds-1.1.3-1.fc6 fedora-ds-console-1.2.0-1.fc6 fedora-ds-base-1.2.0-2.fc6 -m -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 190 bytes Desc: This is a digitally signed message part. URL: From rmeggins at redhat.com Wed Jul 15 18:51:21 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 15 Jul 2009 12:51:21 -0600 Subject: [389-users] still wasted :( In-Reply-To: <200907151946.56628.maumar@cost.it> References: <200907151946.56628.maumar@cost.it> Message-ID: <4A5E2529.907@redhat.com> Maurizio Marini wrote: > After reinstalling this morning and recovered nigthly backup, i cannot again > access Admin Console > If i use admin/password i get: > netscape.ldap.LDAPException error result(32) No such object > fedora-idm-console -D 9 -f console.log also check the /var/log/dirsrv/admin-serv logs you should also be able to look at the directory server logs /var/log/dirsrv/slapd-instance/access to see what request is returning err=32 Finally, if you are willing to just start over again from scratch, save your data to ldif (db2ldif - but omit o=NetscapeRoot data) and run remove-ds-admin.pl this will wipe out everything, completely, so be sure to save your data first in a safe place (not in any dirsrv directory). Then, run setup-ds-admin.pl again, and then restore your data. > if i try to access using > cn=Directory manage / Password > > i am allowed to access, but then there is only "Administration server" > available in the tree, if i click on Directory Server, i get a Red error > telling me that rpm package > fedora-idm-console > was not found and i should reinstall it > > i would change my strategy > > can i backup an ldif file containing samba objects, only? 
> I would reinstall everything on another server and after configured samba
> domain with Domain
> dn: sambaDomainName=DOMAIN,dc=xxxxx,dc=it
> and Administrator
> i would restore a backup with samba only data
>
> so, apart from
> all directory config
> domain
> administrator
>
> what i would export would be:
> samba user
> computers
> groups
>
> is it sufficient to use a command with a filter like
> "(objectclass=sambaSAMAccount)"
> ?
>
> if yes, could someone please suggest me the db2ldif command line to export
> only this data in ldif format file?
>
You cannot use db2ldif to filter the data. You could use ldapsearch. But why not just dump and save everything under dc=xxxxx,dc=it?

> tia
>
> -m

From cthulhucalling at gmail.com Wed Jul 15 20:04:49 2009
From: cthulhucalling at gmail.com (Ian Hayes)
Date: Wed, 15 Jul 2009 13:04:49 -0700
Subject: [389-users] SSL timeouts
Message-ID: <36df569a0907151304w501b27bfn41a7770f83b825d9@mail.gmail.com>

I have a Directory server with a read-only replication partner. The servers and all my client workstations are set to use TLS for communication, and the clients are set up with both hostnames in /etc/ldap.conf. During a recent maintenance period, we noticed that if we take down the primary server, it takes 5 minutes for the clients to realize the primary is down and to switch over to the backup server. I'm assuming this is due to the 300 second timeout for the TLS session. Is there a way to shorten this to a more acceptable time?
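Rich's point above cuts both ways: db2ldif dumps a whole backend and cannot filter, but the filtering can be done on the dump afterwards. The following is an added example, not 389 DS code and not from the thread, that reads a db2ldif-style dump, drops everything under o=NetscapeRoot (the console configuration that setup-ds-admin.pl regenerates), keeps the entries under a chosen suffix and optionally only those carrying one objectClass such as sambaSamAccount; the sample dump is constructed.

```python
import base64
from typing import Iterator, List, Optional

def iter_entries(ldif_text: str) -> Iterator[List[str]]:
    """Yield each entry as a list of unfolded "attr: value" lines, skipping
    comment lines and the version header."""
    entry: List[str] = []
    for raw in ldif_text.splitlines() + [""]:
        if raw.startswith(" ") and entry:        # folded continuation line
            entry[-1] += raw[1:]
        elif raw == "":                          # blank line ends an entry
            if entry:
                yield entry
                entry = []
        elif not raw.startswith("#") and not raw.lower().startswith("version:"):
            entry.append(raw)

def attr_values(entry: List[str], name: str) -> List[str]:
    """All values of attribute `name`, decoding "attr:: base64" values."""
    values = []
    for line in entry:
        attr, _, value = line.partition(":")
        if attr.lower() != name.lower():
            continue
        if value.startswith(":"):                # base64-encoded value
            values.append(base64.b64decode(value[1:].strip()).decode("utf-8"))
        else:
            values.append(value.strip())
    return values

def norm_dn(dn: str) -> str:
    """Comparison form of a DN: lower case, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def is_under(entry_dn: str, base_dn: str) -> bool:
    entry, base = norm_dn(entry_dn), norm_dn(base_dn)
    return entry == base or entry.endswith("," + base)

def filter_dump(ldif_text: str, suffix: str, objectclass: Optional[str] = None,
                exclude=("o=NetscapeRoot",)) -> List[List[str]]:
    """Entries under `suffix`, minus anything under an excluded suffix,
    optionally only those carrying `objectclass` (case-insensitive)."""
    kept = []
    for entry in iter_entries(ldif_text):
        dns = attr_values(entry, "dn")
        if not dns or any(is_under(dns[0], ex) for ex in exclude):
            continue
        if not is_under(dns[0], suffix):
            continue
        if objectclass is not None:
            classes = {v.lower() for v in attr_values(entry, "objectClass")}
            if objectclass.lower() not in classes:
                continue
        kept.append(entry)
    return kept

def to_ldif(entries: List[List[str]]) -> str:
    """Serialise entries back to LDIF (long lines are left unfolded)."""
    return "".join("\n".join(entry) + "\n\n" for entry in entries)

# Constructed sample in db2ldif output style; the SIDs are placeholders.
SAMPLE_DUMP = """\
version: 1
dn: dc=xxxxx,dc=it
objectClass: top
objectClass: domain
dc: xxxxx

dn: sambaDomainName=DOMAIN,dc=xxxxx,dc=it
objectClass: top
objectClass: sambaDomain
sambaDomainName: DOMAIN
sambaSID: S-1-5-21-PLACEHOLDER

dn: uid=mrossi,ou=People,dc=xxxxx,dc=it
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: mrossi
cn:: TWFyaW8gUm9zc2k=
sambaSID: S-1-5-21-PLACEHOLDER-1001
description: a long value that the exporter folded onto
  two lines

dn: cn=Domain Users,ou=Groups,dc=xxxxx,dc=it
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users

dn: cn=Admin Server,o=NetscapeRoot
objectClass: nsAdminConfig
cn: Admin Server
"""
```

Feed it the file db2ldif wrote and write `to_ldif(filter_dump(...))` to a location outside any dirsrv directory, as Rich advises.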
URL: From suuuper at messinalug.org Wed Jul 15 22:36:38 2009 From: suuuper at messinalug.org (Giovanni Mancuso) Date: Thu, 16 Jul 2009 00:36:38 +0200 Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem In-Reply-To: <4A5E0BAD.7030600@redhat.com> References: <4A5E0A20.7000600@messinalug.org> <4A5E0BAD.7030600@redhat.com> Message-ID: <4A5E59F6.3040906@messinalug.org> Rich Megginson wrote: > Giovanni Mancuso wrote: >> Hi, >> >> i try to configure 2 Directory Server with db link. >> >> I have first DS that point to second DS that have DB in filesystem. >> >> I create a proxy user in second DS: >> >> # tproxy, config >> dn: uid=tproxy,cn=config >> uid: tproxy >> givenName: test >> objectClass: top >> objectClass: person >> objectClass: organizationalPerson >> objectClass: inetorgperson >> sn: proxy >> cn: test proxy >> userPassword:: ********************************************* >> >> and i create in first DS the "Dababase link" that use this user to >> bind in second DS. >> >> In second DS i add the following aci: > What entry did you add this aci to? I add the aci in root suffix (dc=example,dc=com) >> >> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version >> 3.0;acl "AciChepermettetutto";allow (all)(userdn = >> "ldap:///uid=tproxy,cn=config");) > you should not need this aci Ok i delete this aci. > >> >> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version >> 3.0;acl "proxy acl";allow (proxy)(userdn = >> "ldap:///uid=tproxy,cn=config");) > This is the correct aci >> >> Bu if i try to execute the ldapserach in first directory server i >> have the following error: > proxy does not currently work with directory manager. Directory > manager is considered a "local" user to each directory server. Try a > different user. 
Now, I create a new user in the first DS:

dn: uid=ttestuser,cn=config
uid: testuser
givenName: test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: user
cn: test user
userPassword: *********

And if I try to run ldapsearch with this user it works:

ldapsearch -LLL -s base -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w ********* -b "dc=example,dc=com" "(objectclass=*)"
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain

The problem now is if I try to execute an add in the first directory server.

I create the following ldif:

cat /tmp/tempuser.ldif
dn: uid=conaltroustente,node=testgio,dc=example,dc=com
uid: conaltroustente
givenName: conaltroustente
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: dsdsds
cn: pippopidddssd dsdsds

And I try to run:

ldapmodify -a -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w *********** -f /tmp/tempuser.ldif
adding new entry "uid=conaltroustente,node=testgio,dc=example,dc=com"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry 'uid=conaltroustente,node=testgio,dc=example,dc=com'.

Any ideas??
>> [remainder of the quoted original message, including the ldapsearch output and the verbose error log, snipped; see the first message in this thread]
From rmeggins at redhat.com Wed Jul 15 22:50:01 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 15 Jul 2009 16:50:01 -0600
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <4A5E59F6.3040906@messinalug.org>
References: <4A5E0A20.7000600@messinalug.org> <4A5E0BAD.7030600@redhat.com> <4A5E59F6.3040906@messinalug.org>
Message-ID: <4A5E5D19.2010204@redhat.com>

Giovanni Mancuso wrote:
> Rich Megginson wrote:
>> Giovanni Mancuso wrote:
>>> Hi,
>>>
>>> I am trying to configure 2 Directory Servers with a db link.
>>>
>>> I have a first DS that points to a second DS, which has the DB on its
>>> filesystem.
>>>
>>> I create a proxy user in the second DS:
>>>
>>> # tproxy, config
>>> dn: uid=tproxy,cn=config
>>> uid: tproxy
>>> givenName: test
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetorgperson
>>> sn: proxy
>>> cn: test proxy
>>> userPassword:: *********************************************
>>>
>>> and I create in the first DS the "Database link" that uses this user to
>>> bind to the second DS.
>>>
>>> In the second DS I add the following aci:
>> What entry did you add this aci to?
> I added the aci on the root suffix (dc=example,dc=com)
Ok
>>>
>>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
>>> 3.0;acl "AciChepermettetutto";allow (all)(userdn =
>>> "ldap:///uid=tproxy,cn=config");)
>> you should not need this aci
> Ok, I deleted this aci.
>>
>>> (targetattr = "*") (target = "ldap:///dc=example,dc=com") (version
>>> 3.0;acl "proxy acl";allow (proxy)(userdn =
>>> "ldap:///uid=tproxy,cn=config");)
>> This is the correct aci
>>>
>>> But if I try to execute the ldapsearch on the first directory server I
>>> get the following error:
>> proxy does not currently work with directory manager. Directory
>> manager is considered a "local" user to each directory server. Try a
>> different user.
> Now, I create a new user in the first DS:
By first DS do you mean the DS with the "real" database or the DS with
the database link? We also refer to the DS with the "real" database as
the "remote" DS and the DS with the database link as the "local" DS.
>
> dn: uid=ttestuser,cn=config
> uid: testuser
> givenName: test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: user
> cn: test user
> userPassword: *********
>
> And if I try to run ldapsearch with this user it works:
>
> ldapsearch -LLL -s base -h localhost -x -p 20389 -D
> "uid=ttestuser,cn=config" -w ********* -b "dc=example,dc=com"
> "(objectclass=*)"
> dn: dc=example,dc=com
> dc: example
> objectClass: top
> objectClass: domain
>
> The problem now is if I try to execute an add on the first directory
> server.
>
> I create the following ldif:
>
> cat /tmp/tempuser.ldif
> dn: uid=conaltroustente,node=testgio,dc=example,dc=com
> uid: conaltroustente
> givenName: conaltroustente
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: dsdsds
> cn: pippopidddssd dsdsds
>
> And I try to run:
>
> ldapmodify -a -h localhost -x -p 20389 -D "uid=ttestuser,cn=config" -w
> *********** -f /tmp/tempuser.ldif
> adding new entry "uid=conaltroustente,node=testgio,dc=example,dc=com"
> ldap_add: Insufficient access (50)
> additional info: Insufficient 'add' privilege to add the entry
> 'uid=conaltroustente,node=testgio,dc=example,dc=com'.
>
> Any ideas??
Did you add an ACI to allow the uid=ttestuser,cn=config to add entries
under node=testgio,dc=example,dc=com ?
> >>> >>> dapsearch -h localhost -x -p 20389 -D "cn=Directory Manager" -w >>> ********* -b "dc=example,dc=com" "(objectclass=*)" >>> # extended LDIF >>> # >>> # LDAPv3 >>> # base with scope subtree >>> # filter: (objectclass=*) >>> # requesting: ALL >>> # >>> >>> # search result >>> search: 2 >>> result: 53 Server is unwilling to perform >>> text: Proxy dn should not be rootdn >>> >>> # numResponses: 1 >>> >>> If i enable verbose logging in my error log i have: >>> >>> [15/Jul/2009:18:44:47 +0200] - activity on 65r >>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() >>> conn=0xb1557d68, handle=3 >>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() >>> returning NO VALUE [15/Jul/2009:18:44:47 +0200] - read activity >>> on 65 >>> [15/Jul/2009:18:44:47 +0200] - >>> add_pb >>> [15/Jul/2009:18:44:47 +0200] - => slapi_reslimit_get_integer_limit() >>> conn=0xb1557c08, handle=3 >>> [15/Jul/2009:18:44:47 +0200] - <= slapi_reslimit_get_integer_limit() >>> returning NO VALUE [15/Jul/2009:18:44:47 +0200] - >>> get_pb >>> [15/Jul/2009:18:44:47 +0200] - conn 1 activity level = >>> 2 [15/Jul/2009:18:44:47 +0200] - >>> conn 1 turbo rank = 2 out of 3 conns >>> [15/Jul/2009:18:44:47 +0200] - >>> do_search >>> [15/Jul/2009:18:44:47 +0200] - => >>> get_filter_internal >>> [15/Jul/2009:18:44:47 +0200] - >>> PRESENT >>> [15/Jul/2009:18:44:47 +0200] - <= get_filter_internal >>> 0 [15/Jul/2009:18:44:47 +0200] >>> get_filter - before optimize: (objectClass=*) >>> [15/Jul/2009:18:44:47 +0200] get_filter - after optimize: >>> (objectClass=*) [15/Jul/2009:18:44:47 +0200] - >>> SRCH base="dc=example,dc=com" scope=2 deref=0 sizelimit=0 >>> timelimit=0 attrsonly=0 filter="(objectClass=*)" attrs=ALL >>> [15/Jul/2009:18:44:47 +0200] - => >>> get_ldapmessage_controls >>> >>> [15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for >>> 2.16.840.1.113730.3.4.2) >>> >>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND) >>> 
[15/Jul/2009:18:44:47 +0200] - => slapi_control_present (looking for >>> 1.3.6.1.4.1.42.2.27.8.5.1) >>> [15/Jul/2009:18:44:47 +0200] - <= slapi_control_present 0 (NOT FOUND) >>> [15/Jul/2009:18:44:48 +0200] - <= get_ldapmessage_controls 2 controls >>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for >>> 2.16.840.1.113730.3.4.3) >>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND) >>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for >>> 2.16.840.1.113730.3.4.20) >>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND) >>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for >>> 2.16.840.1.113730.3.4.14) >>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND) >>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for >>> 1.3.6.1.4.1.42.2.27.9.5.2) >>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 0 (NOT FOUND) >>> [15/Jul/2009:18:44:48 +0200] - mapping tree selected backend : example >>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() >>> conn=0xb1557cb8, handle=2 >>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() >>> returning NO VALUE >>> [15/Jul/2009:18:44:48 +0200] - => slapi_reslimit_get_integer_limit() >>> conn=0xb1557cb8, handle=1 >>> [15/Jul/2009:18:44:48 +0200] - <= slapi_reslimit_get_integer_limit() >>> returning NO VALUE >>> [15/Jul/2009:18:44:48 +0200] - => compute_limits: sizelimit=2000, >>> timelimit=3600 >>> [15/Jul/2009:18:44:48 +0200] - Calling plugin 'ACL preoperation' #1 >>> type 403 >>> [15/Jul/2009:18:44:48 +0200] - => slapi_control_present (looking for >>> 2.16.840.1.113730.3.4.12) >>> [15/Jul/2009:18:44:48 +0200] - <= slapi_control_present 1 (FOUND) >>> [15/Jul/2009:18:44:48 +0200] - => send_ldap_result 53::Proxy dn >>> should not be rootdn >>> [15/Jul/2009:18:44:48 +0200] - flush_ber() wrote 43 bytes to socket 65 >>> [15/Jul/2009:18:44:48 +0200] - <= send_ldap_result 
>>> [15/Jul/2009:18:44:48 +0200] - mapping tree release backend : example >>> [15/Jul/2009:18:44:48 +0200] - slapi_filter_free type 0x87 >>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() >>> conn=0xb1557d68, handle=3 >>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() >>> returning NO VALUE >>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() >>> conn=0xb1557cb8, handle=3 >>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() >>> returning NO VALUE >>> [15/Jul/2009:18:44:49 +0200] - => slapi_reslimit_get_integer_limit() >>> conn=0xb1557c08, handle=3 >>> [15/Jul/2009:18:44:49 +0200] - <= slapi_reslimit_get_integer_limit() >>> returning NO VALUE >>> [15/Jul/2009:18:44:49 +0200] - listener got signaled >>> [15/Jul/2009:18:44:53 +0200] - Event id a19b958 called at 1247676293 >>> (scheduled for 1247676293) >>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing >>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing >>> [15/Jul/2009:18:44:55 +0200] - ldbm backend flushing >>> [15/Jul/2009:18:44:55 +0200] - ldbm backend done flushing >>> >>> The problem seems the "ACL preoperation" plugin. Indeed if i disable >>> this plugin, it WORKS. >>> But i cannot disable this plugin. >>> >>> Any ideas to solve the problem?? 
>>>
>>> Thanks and sorry in advance for my bad English
>>> //

From n.gresham at uq.edu.au Thu Jul 16 01:06:12 2009
From: n.gresham at uq.edu.au (Nick Gresham)
Date: Thu, 16 Jul 2009 11:06:12 +1000
Subject: [389-users] Fedora DS with virtual machines
In-Reply-To: <20090714160010.F031D61A0A8@hormel.redhat.com>
References: <20090714160010.F031D61A0A8@hormel.redhat.com>
Message-ID: <0D739A6B-CDF1-48FE-A8A5-7DA5C0B1243A@uq.edu.au>

Thanks for the responses.

We currently have 5GB on disk. I suspect this will increase (with a
corresponding increase in memory usage) as we want to increase our
indexing to address some performance issues - mainly by increasing
nsslapd-allidsthreshold and tweaking the cache sizes.

Cheers
Nick

On 15/07/2009, at 2:00 AM, lbigum at iseek.com.au wrote:

> I wouldn't think you'd need much more RAM over the size of your LDAP
> database files, so unless you've got 8GB of LDAP information, 8GB of
> RAM sounds a lot to me. Our LDAP database is only about 40MB, which
> is close to the RAM usage of the VE.
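For the chaining thread above (Rich Megginson's replies to Giovanni Mancuso), the two failures are the remote server refusing to proxy as its own root DN (result 53, "Proxy dn should not be rootdn") and an add that fails with result 50 because the remote server only grants the proxy right, not the add right. The Python below is an added example, not code from the thread and not part of 389 Directory Server: it parses the subset of ACI syntax the thread uses (target, targetattr, allow/deny with a userdn bind rule) and evaluates the three conditions a chained add has to meet on the remote server. The first ACI is the one Rich confirms as correct; the second, granting add to uid=ttestuser,cn=config under node=testgio, is a constructed stand-in for the ACI Rich asks about. The evaluation ignores targetfilter, groupdn, targattrfilters and the other bind-rule keywords 389 supports, so it is a way of reading ACIs, not a reimplementation of the server's ACL plug-in.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input for this example (not fetched from a server). The first ACI
# is the "proxy acl" from the thread; the second is the hypothetical ACI that
# would give the proxied user the add right Rich asks about.
REMOTE_ACIS = [
    '(targetattr = "*") (target = "ldap:///dc=example,dc=com") (version 3.0;'
    'acl "proxy acl";allow (proxy)(userdn = "ldap:///uid=tproxy,cn=config");)',
    '(targetattr = "*") (target = "ldap:///node=testgio,dc=example,dc=com") '
    '(version 3.0;acl "ttestuser may add";allow (add)'
    '(userdn = "ldap:///uid=ttestuser,cn=config");)',
]
ROOT_DN = "cn=Directory Manager"   # assumed root DN of the remote server

_TARGET_RE = re.compile(r'\(\s*(targetattr|target)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
_BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.I | re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\(\s*userdn\s*=\s*"([^"]*)"\s*\)\s*;', re.I)


@dataclass
class Aci:
    name: str
    target_dn: Optional[str]           # None: the entry the ACI is stored on and below
    targetattr: str
    rules: List[Tuple[str, set, str]]  # (allow|deny, rights, normalised userdn)


def norm_dn(dn: str) -> str:
    """Strip an ldap:/// prefix and lower-case/trim the RDNs for comparison."""
    dn = dn[len("ldap:///"):] if dn.startswith("ldap:///") else dn
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(text: str) -> Aci:
    """Parse the ACI subset used in the thread: optional (target ...) and
    (targetattr ...) clauses, then allow/deny rules with a userdn bind rule."""
    target_dn, targetattr = None, "*"
    for keyword, op, value in _TARGET_RE.findall(text):
        if op != "=":
            raise ValueError("negated targets are not modelled: " + text)
        if keyword.lower() == "target":
            target_dn = norm_dn(value)
        else:
            targetattr = value
    body = _BODY_RE.search(text)
    if body is None:
        raise ValueError("missing (version 3.0; acl ...;) body: " + text)
    rules = [(effect.lower(), {r.strip().lower() for r in rights.split(",")}, norm_dn(userdn))
             for effect, rights, userdn in _RULE_RE.findall(body.group(2))]
    if not rules:
        raise ValueError("no allow/deny rule with a userdn bind rule in ACI " + body.group(1))
    return Aci(body.group(1), target_dn, targetattr, rules)


def _under(entry_dn: str, base_dn: str) -> bool:
    entry, base = norm_dn(entry_dn), norm_dn(base_dn)
    return entry == base or entry.endswith("," + base)


def _bind_rule_matches(userdn: str, bind_dn: str) -> bool:
    if userdn == "anyone":      # ldap:///anyone: everybody, anonymous included
        return True
    if userdn == "all":         # ldap:///all: any authenticated bind
        return bool(bind_dn)
    return userdn == norm_dn(bind_dn)


def rights_for(acis: List[Aci], bind_dn: str, entry_dn: str) -> set:
    """Rights bind_dn holds on entry_dn: an ACI applies when the entry is at or
    below its target and a bind rule matches; an explicit deny beats any allow."""
    allowed, denied = set(), set()
    for aci in acis:
        if aci.target_dn is not None and not _under(entry_dn, aci.target_dn):
            continue
        for effect, rights, userdn in aci.rules:
            if _bind_rule_matches(userdn, bind_dn):
                (allowed if effect == "allow" else denied).update(rights)
    return allowed - denied


def check_chained_add(acis, link_bind_dn, proxied_dn, entry_dn, root_dn=ROOT_DN):
    """The checks a chained add runs into on the remote server, in the order
    the thread hits them: the proxied identity must not be the root DN (the
    server answers result 53 "Proxy dn should not be rootdn"), the link's bind
    DN needs the proxy right on the target, and the proxied user needs add."""
    if norm_dn(proxied_dn) == norm_dn(root_dn):
        return False, "Proxy dn should not be rootdn"
    if "proxy" not in rights_for(acis, link_bind_dn, entry_dn):
        return False, "%s has no proxy right on %s" % (link_bind_dn, entry_dn)
    if "add" not in rights_for(acis, proxied_dn, entry_dn):
        return False, "%s has no add right on %s" % (proxied_dn, entry_dn)
    return True, "ok"


if __name__ == "__main__":
    acis = [parse_aci(a) for a in REMOTE_ACIS]
    entry = "uid=conaltroustente,node=testgio,dc=example,dc=com"
    for who in (ROOT_DN, "uid=ttestuser,cn=config"):
        print(who, "->", check_chained_add(acis, "uid=tproxy,cn=config", who, entry))
```

Running it with only the first ACI in REMOTE_ACIS reproduces the thread's result 50 for uid=ttestuser,cn=config: the database link's bind user can proxy, but the user it proxies for has no add right under node=testgio, so the add has to be granted to the proxied user (or a group it belongs to) on the remote server, not to the proxy user.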
From micke at devnix.se Thu Jul 16 11:59:13 2009
From: micke at devnix.se (Michael Jonsson)
Date: Thu, 16 Jul 2009 13:59:13 +0200
Subject: [389-users] DS for the authentication of samba

Hi all,

I intend to put up a DS for the authentication of samba, proftpd and other
services.

DS will be installed on server A
Samba on server B
Proftpd on server C

All Windows XP machines use pGina against the DS.

All home folders should be on server B; when a Windows XP user accesses
server B for the first time, it should automatically create a user folder
on the server.

Is it possible to do it this way? If so, is there anyone who can help me?
I am interested in looking at some working configuration files for samba
and proftpd....

Regards
Micke

From muzzol at gmail.com Thu Jul 16 12:01:23 2009
From: muzzol at gmail.com (muzzol)
Date: Thu, 16 Jul 2009 14:01:23 +0200
Subject: [389-users] DS for the authentication of samba
Message-ID: <4a3f02760907160501w65c4e2dfw7ceeabe3741fbe42@mail.gmail.com>

2009/7/16 Michael Jonsson :
> Hi all,
>
> I intend to put up a DS for the authentication of samba, proftpd and other
> services.
>
> DS will be installed on server A
> Samba server B
> Proftp on server C
>
> All Windows XP to use pgina against the DS.
>

if you use pGina you don't need samba for auth, just for sharing resources.

-- 
========================
 ^ ^
 O O
 (_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers. They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and
Catalans; let's see when it decides to talk to normal people"
Jiménez Losantos
========================

bomb terrorism bush aznar teletubbies

From micke at devnix.se Thu Jul 16 12:33:08 2009
From: micke at devnix.se (Michael Jonsson)
Date: Thu, 16 Jul 2009 14:33:08 +0200
Subject: [389-users] DS for the authentication of samba
In-Reply-To: <4a3f02760907160501w65c4e2dfw7ceeabe3741fbe42@mail.gmail.com>
References: <4a3f02760907160501w65c4e2dfw7ceeabe3741fbe42@mail.gmail.com>

Exactly what I want, but what will smb.conf look like?

On 16 Jul 2009, at 14:01, muzzol wrote:

> 2009/7/16 Michael Jonsson :
>> Hi all,
>>
>> I intend to put up a DS for the authentication of samba, proftpd
>> and other
>> services.
>>
>> DS will be installed on server A
>> Samba server B
>> Proftp on server C
>>
>> All Windows XP to use pgina against the DS.
>>
>
> if you use pgina you dont need samba for auth, just for sharing
> resources.

From leonid_bogdanov at mail.ru Thu Jul 16 12:54:49 2009
From: leonid_bogdanov at mail.ru (Leonid Bogdanov)
Date: Thu, 16 Jul 2009 16:54:49 +0400
Subject: [389-users] Adding custom attribute to class

Hello!

How can I add a custom attribute to the 'inetorgperson' class? Preferably
without inheritance.

The problem is that I want to have a boolean attribute which I can check in
my program and tell the user that he must change his password after an
admin reset. Something like the 'pwdReset' attribute in OpenLDAP.

Thank you!

From rmeggins at redhat.com Thu Jul 16 15:15:13 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 16 Jul 2009 09:15:13 -0600
Subject: [389-users] Adding custom attribute to class
Message-ID: <4A5F4401.1060503@redhat.com>

Leonid Bogdanov wrote:
> Hello!
>
> How can I add custom attribute to 'inetorgperson' class? Preferably without inheritance.
You should never add custom attributes to standard objectclasses such as
inetOrgPerson. You should always extend the schema through inheritance
(or create a new operational attribute if you must).
> The problem is that I want to have boolean attribute which I can check in my program and tell user that he must change password after admin reset. Something like 'pwdReset' attribute in OpenLDAP.
>
If you configure the password policy so that the user must change the
password after a reset
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy

Will that do what you want? You can also check the operational
attribute passwordExpirationTime
> Thank you!
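Rich's follow-up later in this thread explains how the server reports the "must change after reset" state to a client: the legacy password-expired response control (OID 2.16.840.1.113730.3.4.4) and, only if the client sent the password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1) with the bind, the password policy response control carrying "change after reset". The Python below is an added example, not code from the thread, from 389 or from JLDAP: a minimal BER decoder for the PasswordPolicyResponseValue defined in draft-behera-ldap-password-policy, and a helper that turns the controls returned with a bind into a state the client can act on. The control values are constructed by hand; a real client gets them from the bind result (with python-ldap, for instance, ldap.controls.ppolicy.PasswordPolicyControl as the request control and the serverctrls element returned by simple_bind_s).

```python
# Added example: decode the bind response controls 389 returns when a password
# has expired or must be changed after an administrative reset. All control
# values below are constructed for the example, not captured from a server.

PWD_EXPIRED_OID = "2.16.840.1.113730.3.4.4"   # legacy Netscape "password expired" response control
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"     # password policy request and response control

# values of PasswordPolicyResponseValue.error (draft-behera-ldap-password-policy)
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _tlv(buf, pos):
    """Read one BER TLV with a definite length at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length runs past the buffer")
    return tag, buf[pos:pos + length], pos + length


def _ber_int(raw):
    return int.from_bytes(raw, "big", signed=True)


def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue ::= SEQUENCE {
           warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                graceAuthNsRemaining [1] INTEGER } OPTIONAL,
           error   [1] ENUMERATED { ... } OPTIONAL }
    The tag on the CHOICE is necessarily explicit (0xA0 wrapping 0x80/0x81);
    error is implicitly tagged (0x81)."""
    tag, seq, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(seq):
        tag, raw, pos = _tlv(seq, pos)
        if tag == 0xA0:
            inner_tag, inner, _ = _tlv(raw, 0)
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}.get(inner_tag)
            if kind is None:
                raise ValueError("unknown warning choice 0x%02x" % inner_tag)
            result["warning"] = (kind, _ber_int(inner))
        elif tag == 0x81:
            code = _ber_int(raw)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def password_state(response_controls):
    """response_controls: the (oid, value) pairs returned with the BIND result.
    Returns an error name such as 'changeAfterReset', a warning tuple such as
    ('timeBeforeExpiration', 60), or None when there is nothing to report."""
    for oid, value in response_controls:
        if oid == PPOLICY_OID and value:
            decoded = decode_ppolicy_response(value)
            if decoded["error"] is not None:
                return decoded["error"]
            if decoded["warning"] is not None:
                return decoded["warning"]
    # The legacy control is sent for an expired password and, per Rich's
    # reply, for the forced reset too; on its own it cannot tell them apart.
    if any(oid == PWD_EXPIRED_OID for oid, _ in response_controls):
        return "passwordExpired"
    return None


# Constructed samples: the reset case when the client sent the request control
# (both controls come back), the same case without it (legacy control only),
# and a password that expires in 60 seconds.
SAMPLE_RESET = [(PWD_EXPIRED_OID, b"0"), (PPOLICY_OID, bytes.fromhex("3003810102"))]
SAMPLE_RESET_LEGACY_ONLY = [(PWD_EXPIRED_OID, b"0")]
SAMPLE_EXPIRING = [(PPOLICY_OID, bytes.fromhex("3005a00380013c"))]

if __name__ == "__main__":
    for name, ctrls in (("reset", SAMPLE_RESET), ("legacy only", SAMPLE_RESET_LEGACY_ONLY),
                        ("expiring", SAMPLE_EXPIRING), ("normal", [])):
        print(name, "->", password_state(ctrls))
```

The practical point for Leonid's case is the second sample: a client that does not attach the request control to its bind only ever sees the legacy control, and then cannot distinguish "expired" from "reset by an administrator". Sending the request control costs nothing and makes the server say which it is.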
From muzzol at gmail.com Thu Jul 16 15:40:58 2009
From: muzzol at gmail.com (muzzol)
Date: Thu, 16 Jul 2009 17:40:58 +0200
Subject: [389-users] DS for the authentication of samba
References: <4a3f02760907160501w65c4e2dfw7ceeabe3741fbe42@mail.gmail.com>
Message-ID: <4a3f02760907160840k2b055c1ck21da3d400bee693@mail.gmail.com>

2009/7/16 Michael Jonsson :
>
> exactly what I want, but how will smb.conf look like?
>

you can start with http://directory.fedoraproject.org/wiki/Howto:Samba
and ask if you have any specific question.

-- 
muzzol(a)muzzol.com

From msauton at redhat.com Thu Jul 16 17:42:42 2009
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 16 Jul 2009 10:42:42 -0700
Subject: [389-users] Fedora DS with virtual machines
In-Reply-To: <1247540747.6549.5.camel@jaspav.missionsit.net.missionsit.net>
References: <1247540747.6549.5.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4A5F6692.3030600@redhat.com>

Regarding the top output, the virtual memory is used for opened libraries,
plug-ins, bdb opened files, and possibly quite some non-shared anonymous
blocks for all dynamic storage needed by the application; a pmap -x can
provide some details.

On a side note, I have been using KVM as a host loaded with RAM, running
Fedora with 10 to 20 guests running different operating systems, 32- and
64-bit, for quite a few RHDS/port389 and RHCS/Dogtag configurations, some
with several million ldap entries, for testing and dev, not production,
and performance is good for me, CPU and I/O wise (up to 1.5K entries
imported per second seen), with usually 512MB or 1GB per guest, sometimes
more.

M.

John A. Sullivan III wrote:
> Likewise, we are running in VServer (www.linux-vserver.org) with no
> problems at all but our environment is currently much smaller - John
>
> On Tue, 2009-07-14 at 12:42 +1000, Luke Bigum wrote:
>
>> Hey Nick,
>>
>> We run Fedora DS inside Virtuozzo VEs (not VMWare) and don't have any
>> capacity concerns, our environment sounds like a good tenth the size
>> of yours though. Each VE (there's 2) has only half a GB of RAM and
>> does about 100 connections a minute, however our LDAP database is very
>> small, so the memory we've allocated is massive overkill. In terms of
>> CPU usage, the VE does practically nothing.
>>
>> I wouldn't think you'd need much more RAM over the size of your LDAP
>> database files, so unless you've got 8GB of LDAP information, 8GB of
>> RAM sounds a lot to me. Our LDAP database is only about 40MB, which is
>> close to the RAM usage of the VE.
>>
>> Our stats might help you decide on what you need. Maybe someone more
>> knowledgeable in the DS internals could explain the large virtual
>> table size.
>>
>> USER     PR  NI  VIRT  RES  SHR S %CPU    TIME+ %MEM COMMAND
>> nobody   18   0  601m  39m  18m S    0 16:29.95  7.7 ns-slapd
>>
>> [root at host:/var/lib/dirsrv/slapd-host]# du -sh .
>> 38M     .
>>
>> Luke Bigum
>> Systems Administrator
>> (p) 1300 661 668
>> (f) 1300 661 540
>> (e) lbigum at iseek.com.au
>> http://www.iseek.com.au
>> Level 1, 100 Ipswich Road Woolloongabba QLD 4102
>>
>> This e-mail and any files transmitted with it may contain confidential
>> and privileged material for the sole use of the intended recipient.
>> Any review, use, distribution or disclosure by others is strictly
>> prohibited. If you are not the intended recipient (or authorised to
>> receive for the recipient), please contact the sender by reply e-mail
>> and delete all copies of this message.
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Nick Gresham
>> Sent: Tuesday 14 July 2009 12:18 PM
>> To: fedora-directory-users at redhat.com
>> Subject: [389-users] Fedora DS with virtual machines
>>
>> Hi All
>>
>> Does anyone have any experience running DS in a virtual machine? Our
>> current LDAP infrastructure is quite busy, 500-1000 connections/
>> minute, with >6.5 million operations per day. The VMs will have up to
>> 8GB of RAM, though we think we'll only need 6.
>>
>> We're performing testing with slamd, but it's hard to get truly
>> representative stress testing using this tool I think.
>>
>> What has your experience been like? Any snafus to watch out for?
>>
>> Thanks,
>> Nick

From rnappert at juniper.net Thu Jul 16 17:48:19 2009
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 16 Jul 2009 13:48:19 -0400
Subject: [389-users] Chaining database links

Hi,

I was wondering if you can chain to an LDAP v2 directory?
Thanks,
-Reinhard

From leonid_bogdanov at mail.ru Fri Jul 17 06:34:00 2009
From: leonid_bogdanov at mail.ru (Leonid Bogdanov)
Date: Fri, 17 Jul 2009 10:34:00 +0400
Subject: Re[2]: [389-users] Adding custom attribute to class
In-Reply-To: <4A5F4401.1060503@redhat.com>
References: <4A5F4401.1060503@redhat.com>

Ok, how can I add a new operational attribute to the schema? I've tried
several ways, but they didn't work.

When I created a new class based on 'inetorgperson' (e.g.
'inetorgpersonex') I couldn't create an object of this class or change
the class of an existing object (user account) by means of the Fedora
admin console.

I've tried to configure the password policy too. But with the option
'user must change password after reset' enabled, when the administrator
changes the user's password the user successfully logs in with the new
password and there are no exceptions or warnings that he must change it.
My program is using the Novell JLDAP library, just in case.

Thank you in advance!

-----Original Message-----
From: Rich Megginson
To: Leonid Bogdanov , "General discussion list for the 389 Directory server project."
Date: Thu, 16 Jul 2009 09:15:13 -0600
Subject: Re: [389-users] Adding custom attribute to class

> Leonid Bogdanov wrote:
> > Hello!
> >
> > How can I add custom attribute to 'inetorgperson' class? Preferably without inheritance.
> You should never add custom attributes to standard objectclasses such as
> inetOrgPerson. You should always extend the schema through inheritance
> (or create a new operational attribute if you must).
> > The problem is that I want to have boolean attribute which I can check in my program and tell user that he must change password after admin reset. Something like 'pwdReset' attribute in OpenLDAP.
> >
> If you configure the password policy so that the user must change the
> password after a reset
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
>
> Will that do what you want? You can also check the operational
> attribute passwordExpirationTime
> > Thank you!

From maumar at cost.it Fri Jul 17 06:47:27 2009
From: maumar at cost.it (Maurizio Marini)
Date: Fri, 17 Jul 2009 08:47:27 +0200
Subject: [389-users] still wasted :(
In-Reply-To: <4A5E2529.907@redhat.com>
References: <200907151946.56628.maumar@cost.it> <4A5E2529.907@redhat.com>
Message-ID: <200907170847.27715.maumar@cost.it>

On Wednesday 15 July 2009, Rich Megginson wrote:
> You cannot use db2ldif to filter the data. You could use ldapsearch.
> But why not just dump and save everything under dc=xxxxx,dc=it?

Thanks Rich, and thanks for your invaluable help :)
Just this line did the job and solved my issues:

/usr/lib/dirsrv/slapd-pdc/db2ldif -n userRoot -U -a /tmp/dump.ldif

Reinstalling a fresh FDS on another server and importing dump.ldif was
enough to have all samba objects in place.

bye
m

From rmeggins at redhat.com Fri Jul 17 14:57:12 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 17 Jul 2009 08:57:12 -0600
Subject: [389-users] Adding custom attribute to class
References: <4A5F4401.1060503@redhat.com>
Message-ID: <4A609148.5090506@redhat.com>

Leonid Bogdanov wrote:
> Ok, how can I add a new operational attribute to schema? I've tried several ways, but they didn't work.
>
What ways have you tried?
> When I created a new class based on 'inetorgperson' (e.g., 'inetorgpersonex') I couldn't create object of this class or change class of existing object (user account) by means of Fedora admin console.
>
The usual way to do this is to create a new attribute, then create a new
AUXILIARY objectclass with your new attribute as an allowed (MAY), not
required (MUST), attribute. Then you should be able to add your
objectclass to any existing entry, then add your attribute.
> I've tried to configure password policy too. But with enabled option 'user must change password after reset' and when administrator change user's password user succefully logins with new password and there are no exceptions or warnings that he must change it. My program is using Novell JLDAP library, just in case.
>
The directory server adds two response controls to the bind request - the
first one is the LDAP password expired control OID
"2.16.840.1.113730.3.4.4" - the second one is the newer password policy
response control OID "1.3.6.1.4.1.42.2.27.8.5.1" with the value "password
change after reset". The second is only returned if the client uses the
password policy request control OID "1.3.6.1.4.1.42.2.27.8.5.1" with the
bind request. The use of one or both of these controls should give your
client information about the password. I would assume the JLDAP API
allows you to send and receive LDAPv3 controls, and may even have support
for these particular controls.
> Thank you in advance!
>
> -----Original Message-----
> From: Rich Megginson
> To: Leonid Bogdanov ,
> "General discussion list for the 389 Directory server project."
> Date: Thu, 16 Jul 2009 09:15:13 -0600
> Subject: Re: [389-users] Adding custom attribute to class
>
>> Leonid Bogdanov wrote:
>>> Hello!
>>>
>>> How can I add custom attribute to 'inetorg  person' class? Preferably without inheritance.
>> You should never add custom attributes to standard objectclasses such as
>> inetOrgPerson. You should always extend the schema through inheritance
>> (or create a new operational attribute if you must).
>>> The problem is that I want to have boolean attribute which I can check in my program and tell user that he must change password after admin reset. Something like 'pwdReset' attribute in OpenLDAP.
>>>
>> If you configure the password policy so that the user must change the
>> password after a reset
>> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
>>
>> Will that do what you want? You can also check the operational
>> attribute passwordExpirationTime
>>> Thank you!

From psundaram at wgen.net Fri Jul 17 16:53:58 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Fri, 17 Jul 2009 12:53:58 -0400
Subject: [389-users] Checklist for OpenLDAp to FDS migration

Hi All,

Can someone post the checklist for OpenLDAP to FDS migration? I see some
bits and pieces here and there about schema conversion, ldif porting and
copying some files. It would be great if someone could post a detailed
message here or direct me to a link for a step-by-step guide.

Here's the template:
1.
2.
3.

Thanks,
Prashanth

From kwan.lowe at gmail.com Fri Jul 17 19:05:27 2009
From: kwan.lowe at gmail.com (Kwan Lowe)
Date: Fri, 17 Jul 2009 15:05:27 -0400
Subject: [389-users] Checklist for OpenLDAp to FDS migration

On Fri, Jul 17, 2009 at 12:53 PM, Prashanth Sundaram wrote:
> Hi All,
>
> Can someone post the checklist for OpenLDAP to FDS migration?
I see some > bit and pieces here and there about schema conversion, ldif porting and > copying some files. > It would be great if someone can post a detail message here or direct me to > a link for step-by-step guide. > > Here?s the template: > 1. Export the OpenLDAP database to LDIF. 2. Use awk to convert the OpenLDAP LDIF to a FDS format, taking care to note any schema differenences. 3. Import the new LDIF to FDS. 4. Point your clients to the new DS. Don't mean to sound facetious, but so much depends on your existing setup that no guide you find will offer a lot of detail that applies wholly to your environment. For Step (1) I just used an ldapsearch and piped the output to an ldif. For Step (2) I wrote a couple awk scripts that rewrote the LDIF to match one that I exported from FDS. But my environment is just a few hundred users and OpenLDAP was only used for authentication and simple groups. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jrobertm8 at yahoo.com Mon Jul 20 02:41:06 2009 From: jrobertm8 at yahoo.com (John Robert Mendoza) Date: Mon, 20 Jul 2009 10:41:06 +0800 (SGT) Subject: [389-users] MIT Kerberos and FDS integration Message-ID: <205415.96954.qm@web76313.mail.sg1.yahoo.com> Hi to all! I am currently setting up an integration with the FDS and Kerberos. I have successfully setup both independently and verified them to be working independently. How do I know that I have successfully binded FDS and kerberos. How can i verify it. I am using Fedora 1.2.0 and Kerberos 1.6.3... John Robert Mendoza Interested in growing your business? Find out how with Yahoo! Search Marketing! Check it out at http://searchmarketing.yahoo.com/en_SG/arp/internetmarketing.php?o=SG0147 -------------- next part -------------- An HTML attachment was scrubbed... 
From andrey.ivanov at polytechnique.fr Mon Jul 20 06:06:45 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Mon, 20 Jul 2009 08:06:45 +0200
Subject: [389-users] MIT Kerberos and FDS integration
In-Reply-To: <205415.96954.qm@web76313.mail.sg1.yahoo.com>
References: <205415.96954.qm@web76313.mail.sg1.yahoo.com>
Message-ID: <1601b8650907192306uba56bdal8687d4b121c3115e@mail.gmail.com>

Hi,

kinit myusername
ldapsearch -Y GSSAPI -h ldap.example.com -b "" objectClass=*
SASL/GSSAPI authentication started
SASL username: @KERBEROS.REALM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: objectClass=*
# requesting: ALL
#
...

2009/7/20 John Robert Mendoza :
> Hi to all!
>
> I am currently setting up an integration with the FDS and Kerberos.
>
> I have successfully set up both independently and verified them to be working
> independently.
>
> How do I know that I have successfully bound FDS and Kerberos?
> How can I verify it?
>
> I am using Fedora 1.2.0 and Kerberos 1.6.3...
>
> John Robert Mendoza
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jrobertm8 at yahoo.com Mon Jul 20 08:33:53 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Mon, 20 Jul 2009 16:33:53 +0800 (SGT)
Subject: [389-users] MIT Kerberos and FDS integration
In-Reply-To: <1601b8650907192306uba56bdal8687d4b121c3115e@mail.gmail.com>
Message-ID: <755757.65989.qm@web76315.mail.sg1.yahoo.com>

Actually I use the

#/usr/lib/mozldap/ldapsearch

There is no option for -Y.

I can bind using GSSAPI by this command

#/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*

and it outputs this error

ldapsearch: started Mon Jul 20 16:33:07 2009

ldap_init( localhost, 389 )
Bind Error: Invalid credentials
Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)

Thanks for your reply.

John Robert Mendoza

--- On Mon, 7/20/09, Andrey Ivanov wrote:
> kinit myusername
> ldapsearch -Y GSSAPI -h ldap.example.com -b "" objectClass=*
> SASL/GSSAPI authentication started
> ...
From rmeggins at redhat.com Mon Jul 20 13:31:25 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Jul 2009 07:31:25 -0600
Subject: [389-users] MIT Kerberos and FDS integration
In-Reply-To: <755757.65989.qm@web76315.mail.sg1.yahoo.com>
References: <755757.65989.qm@web76315.mail.sg1.yahoo.com>
Message-ID: <4A6471AD.8000903@redhat.com>

John Robert Mendoza wrote:
> Actually I use the
>
> #/usr/lib/mozldap/ldapsearch
>
> There is no option for -Y.
>
> I can bind using GSSAPI by this command
>
> #/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*

That's the same as using /usr/bin/ldapsearch with -Y GSSAPI

If you use klist, do you see your correct principal with the correct expiration?

> and it outputs this error
>
> ldapsearch: started Mon Jul 20 16:33:07 2009
>
> ldap_init( localhost, 389 )
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Permission denied)

Check the directory server access and error logs for more information.

You might need to configure the SASL mapping. In order to do a SASL/GSSAPI BIND to the directory server, you must have a real entry in the directory server that corresponds to your Kerberos principal. That is, you must configure the directory server to map richm at EXAMPLE.COM (the Kerberos principal) to uid=richm,ou=people,dc=example,dc=com (the LDAP entry). This is done with SASL mapping.

http://directory.fedoraproject.org/wiki/Howto:Kerberos
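The SASL mapping Rich describes, as an added example that is not code from this thread or from the 389 project: a POSIX shell script that emits the nsSaslMapping entry for one realm, shows which base DN and filter the server would search for a given principal, and checks the ownership and mode of the server keytab, which is what the "Permission denied" minor code in the quoted error usually points at. The realm EXAMPLE.COM, the base ou=people,dc=example,dc=com, the map's cn and the keytab path /etc/dirsrv/ds.keytab are assumptions; the attribute names are the 389 DS ones, and the local resolution uses sed BRE as a stand-in for the server's regex matcher.

```shell
#!/bin/sh
# Added example for the SASL mapping discussed above; not code from the
# thread or from the 389 project. Realm, base DN and map name are assumed.

SASL_REALM="EXAMPLE.COM"                  # assumed Kerberos realm
SASL_BASE="ou=people,dc=example,dc=com"   # assumed subtree holding user entries

# Emit the nsSaslMapping entry that maps <uid>@EXAMPLE.COM to the entry
# uid=<uid> under SASL_BASE. Added under cn=config with ldapmodify.
sasl_mapping_ldif() {
    cat <<EOF
dn: cn=${SASL_REALM} users,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: ${SASL_REALM} users
nsSaslMapRegexString: \(.*\)@${SASL_REALM}
nsSaslMapBaseDNTemplate: ${SASL_BASE}
nsSaslMapFilterTemplate: (uid=\1)
EOF
}

# Show what the mapping above does for one principal: print the base DN
# and filter the server would search, or fail (exit 1) when the principal
# is outside the mapped realm. sed BRE stands in for the server's matcher.
sasl_map_principal() {
    principal="$1"
    realm_re=$(printf '%s\n' "$SASL_REALM" | sed 's/\./\\./g')
    uid=$(printf '%s\n' "$principal" | sed -n "s/^\([^@]*\)@${realm_re}\$/\1/p")
    [ -n "$uid" ] || return 1
    printf '%s %s\n' "$SASL_BASE" "(uid=${uid})"
}

# A keytab the server process cannot read yields the "Permission denied"
# minor code seen above. Require: owned by the service account, and not
# readable by group or others (mode 0600).
check_keytab() {
    keytab="$1"
    service_user="$2"
    if [ ! -f "$keytab" ]; then
        echo "keytab not found: $keytab"
        return 1
    fi
    listing=$(ls -ld "$keytab")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    status=0
    if [ "$owner" != "$service_user" ]; then
        echo "keytab $keytab is owned by $owner, not $service_user"
        status=1
    fi
    # columns 5-10 of the mode string are the group and other bits
    case "$(printf '%s\n' "$mode" | cut -c5-10)" in
        ------) ;;
        *) echo "keytab $keytab is readable by group or others ($mode)"; status=1 ;;
    esac
    return $status
}

# Usage. The keytab path and service account are assumptions; on 389 DS the
# keytab is whatever KRB5_KTNAME points at in the server's environment.
sasl_mapping_ldif
sasl_map_principal "richm@${SASL_REALM}"
if [ -f /etc/dirsrv/ds.keytab ]; then
    check_keytab /etc/dirsrv/ds.keytab dirsrv || echo "fix the keytab before retrying the GSSAPI bind"
fi
```

With the mapping in place, `klist` should show the principal and `ldapsearch -Y GSSAPI` should bind as the mapped entry; if the principal's instance or realm does not match the regex, the server has nothing to map it to and the bind fails the same way as before.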
From rcritten at redhat.com Mon Jul 20 13:38:13 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jul 2009 09:38:13 -0400
Subject: [389-users] MIT Kerberos and FDS integration
In-Reply-To: <755757.65989.qm@web76315.mail.sg1.yahoo.com>
References: <755757.65989.qm@web76315.mail.sg1.yahoo.com>
Message-ID: <4A647345.3090003@redhat.com>

John Robert Mendoza wrote:
> I can bind using GSSAPI by this command
>
> #/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*
>
> and it outputs this error
>
> ldapsearch: started Mon Jul 20 16:33:07 2009
>
> ldap_init( localhost, 389 )
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Permission denied)

Check the permission and ownership of the DS keytab.

rob

From rnappert at juniper.net Mon Jul 20 15:36:40 2009
From: rnappert at juniper.net (Reinhard Nappert)
Date: Mon, 20 Jul 2009 11:36:40 -0400
Subject: [389-users] Db-link setup question
Message-ID:

Hi,

I have two LDAP servers set up (Server A and Server B). Both of them have the identical suffix (o=suffix). Again, both of them have a people organizational unit (ou=people,o=suffix). Server B has a big subtree (ou=region B,ou=people,o=suffix).

My intention is to create a db link on Server A, which links to the ou=region B,ou=people,o=suffix subtree on Server B.

I did create the database link and a new suffix l=location B,ou=people,o=suffix on Server A with the following entries:

dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=region B,ou=people,o=suffix
nsfarmserverurl: ldap://serverB:389/
nsmultiplexorbinddn: cn=proxy admin,cn=config
nsmultiplexorcredentials: secret
cn: serverBlink

dn: cn="l=location B,ou=people,o=suffix",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: serverBlink
nsslapd-parent-suffix: "ou=people,o=suffix "
cn: "l=location B,ou=people,o=suffix"

I am only interested in reading the Server B information when accessing from Server A. The "proxy admin" user was created as well.

When I do a search with the base l=location B,ou=people,o=suffix, accessing Server A, I always get the following error: "Proxy dn should not be rootdn".

What did I miss for the setup?

Thanks,
-Reinhard

From rmeggins at redhat.com Mon Jul 20 16:36:50 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Jul 2009 10:36:50 -0600
Subject: [389-users] Db-link setup question
In-Reply-To:
References:
Message-ID: <4A649D22.80609@redhat.com>

Reinhard Nappert wrote:
> I am only interested in reading the server B information, when
> accessing from server A. The "proxy admin" user was created as well.
>
> When I do a search with the base l=location B,ou=people,o=suffix,
> accessing server A, I always get the following error "Proxy dn should
> not be rootdn".
>
> What did I miss for the setup?

You cannot chain the directory manager user (aka rootdn). I'm assuming you're doing a search like ldapsearch -D "cn=directory manager" ... This will not work - you must use a user other than directory manager.
From rnappert at juniper.net Mon Jul 20 17:02:08 2009
From: rnappert at juniper.net (Reinhard Nappert)
Date: Mon, 20 Jul 2009 13:02:08 -0400
Subject: [389-users] Db-link setup question
In-Reply-To: <4A649D22.80609@redhat.com>
References: <4A649D22.80609@redhat.com>
Message-ID:

Thanks Rick,

Yes, this is what I did. I find the error message not very user-friendly. Anyway, when I use a different bind dn, it says that my sub suffix l=location B,ou=people,o=suffix does not exist. Do I need to add that object as well? I thought the directory takes care of this one.

-Reinhard

From rmeggins at redhat.com Mon Jul 20 17:14:33 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 20 Jul 2009 11:14:33 -0600
Subject: [389-users] Db-link setup question
In-Reply-To:
References: <4A649D22.80609@redhat.com>
Message-ID: <4A64A5F9.9090802@redhat.com>

Reinhard Nappert wrote:
> Thanks Rick,
>
> Yes, this is what I did. I find the error message not very user-friendly. Anyway, when I use a different bind dn, it says that my sub suffix l=location B,ou=people,o=suffix does not exist. Do I need to add that object as well? I thought the directory takes care of this one.

Yes, the object does not have to exist in the chaining database, only in the real database that is chained to.

Any info in the access and error logs on the chaining server or the chained-to server?
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rnappert at juniper.net Mon Jul 20 17:27:08 2009 From: rnappert at juniper.net (Reinhard Nappert) Date: Mon, 20 Jul 2009 13:27:08 -0400 Subject: [389-users] Db-link setup question In-Reply-To: <4A64A5F9.9090802@redhat.com> References: <4A649D22.80609@redhat.com> <4A64A5F9.9090802@redhat.com> Message-ID: Nothing in error and only err=32 in access. -Reinhard -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson Sent: Monday, July 20, 2009 1:15 PM To: General discussion list for the 389 Directory server project. Subject: Re: [389-users] Db-link setup question Reinhard Nappert wrote: > Thanks Rick, > > Yes this is what I did. I find the error message not very user-friendly. Anyway, when I use a different bind dn, it says that my sub suffix l=location B,ou=people,o=suffix does not exist. Do I need to add that object as well? Thought, the directory takes care of this one. > Yes, the object does not have to exist in the chaining database, only in the real database that is chained to. Any info in the access and error logs on the chaining server or the chained to server? > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson > Sent: Monday, July 20, 2009 12:37 PM > To: General discussion list for the 389 Directory server project. > Subject: Re: [389-users] Db-link setup question > > Reinhard Nappert wrote: > >> Hi, >> >> I have two LDAP Servers setup (Server A and Server B). Both of them >> have the identical suffix (o=suffix). Again, both of them have a >> people organizational unit (ou=people,o=suffix). Server B has a big >> subtree (ou=region B,ou=people,o=suffix). 
>> >> My intension is to create a db link on Server A, which links to the >> ou=region B,ou=people,o=suffix subtree on Server B. >> >> I did create the database link and a new suffix l=location >> B,ou=people,o=suffix on Server A with the following entries: >> >> dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config >> objectclass: top >> objectclass: extensibleObject >> objectclass: nsBackendInstance >> nsslapd-suffix: ou=region B,ou=people,o=suffix >> nsfarmserverurl: ldap://serverB:389/ >> nsmultiplexorbinddn: cn=proxy admin,cn=config >> nsmultiplexorcredentials: secret >> cn: serverBlink >> >> dn: cn="l=location B,ou=people,o=suffix",cn=mapping tree,cn=config >> objectclass: top >> objectclass: extensibleObject >> objectclass: nsMappingTree >> nsslapd-state: backend >> nsslapd-backend: serverBlink >> nsslapd-parent-suffix: "ou=people,o=suffix " >> cn: "l=location B,ou=people,o=suffix" >> >> I am only interested in reading the server B information, when >> accessing from server A. The "proxy admin" user was created as well. >> >> When I do a search with the base l=location B,ou=people,o=suffix, >> accessing server A, I always get the following error "Proxy dn should >> not be rootdn". >> >> What did I miss for the setup? >> > You cannot chain the directory manager user (aka rootdn). I'm assuming you're doing a search like ldapsearch -D "cn=directory manager" ... > This will not work - you must use a user other than directory manager. 
> >> >> Thanks, >> -Reinhard >> >> ---------------------------------------------------------------------- >> -- >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Mon Jul 20 17:56:38 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 20 Jul 2009 11:56:38 -0600 Subject: [389-users] Db-link setup question In-Reply-To: References: <4A649D22.80609@redhat.com> <4A64A5F9.9090802@redhat.com> Message-ID: <4A64AFD6.7090003@redhat.com> Reinhard Nappert wrote: > Nothing in error and only err=32 in access. > err=32 in which access? The chaining server or the chained to server? > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson > Sent: Monday, July 20, 2009 1:15 PM > To: General discussion list for the 389 Directory server project. > Subject: Re: [389-users] Db-link setup question > > Reinhard Nappert wrote: > >> Thanks Rick, >> >> Yes this is what I did. I find the error message not very user-friendly. Anyway, when I use a different bind dn, it says that my sub suffix l=location B,ou=people,o=suffix does not exist. Do I need to add that object as well? Thought, the directory takes care of this one. >> >> > Yes, the object does not have to exist in the chaining database, only in the real database that is chained to. Any info in the access and error logs on the chaining server or the chained to server? > >> -Reinhard >> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson >> Sent: Monday, July 20, 2009 12:37 PM >> To: General discussion list for the 389 Directory server project. 
>> Subject: Re: [389-users] Db-link setup question >> >> Reinhard Nappert wrote: >> >> >>> Hi, >>> >>> I have two LDAP Servers setup (Server A and Server B). Both of them >>> have the identical suffix (o=suffix). Again, both of them have a >>> people organizational unit (ou=people,o=suffix). Server B has a big >>> subtree (ou=region B,ou=people,o=suffix). >>> >>> My intension is to create a db link on Server A, which links to the >>> ou=region B,ou=people,o=suffix subtree on Server B. >>> >>> I did create the database link and a new suffix l=location >>> B,ou=people,o=suffix on Server A with the following entries: >>> >>> dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config >>> objectclass: top >>> objectclass: extensibleObject >>> objectclass: nsBackendInstance >>> nsslapd-suffix: ou=region B,ou=people,o=suffix >>> nsfarmserverurl: ldap://serverB:389/ >>> nsmultiplexorbinddn: cn=proxy admin,cn=config >>> nsmultiplexorcredentials: secret >>> cn: serverBlink >>> >>> dn: cn="l=location B,ou=people,o=suffix",cn=mapping tree,cn=config >>> objectclass: top >>> objectclass: extensibleObject >>> objectclass: nsMappingTree >>> nsslapd-state: backend >>> nsslapd-backend: serverBlink >>> nsslapd-parent-suffix: "ou=people,o=suffix " >>> cn: "l=location B,ou=people,o=suffix" >>> >>> I am only interested in reading the server B information, when >>> accessing from server A. The "proxy admin" user was created as well. >>> >>> When I do a search with the base l=location B,ou=people,o=suffix, >>> accessing server A, I always get the following error "Proxy dn should >>> not be rootdn". >>> >>> What did I miss for the setup? >>> >>> >> You cannot chain the directory manager user (aka rootdn). I'm assuming you're doing a search like ldapsearch -D "cn=directory manager" ... >> This will not work - you must use a user other than directory manager. 
>> >> >>> >>> Thanks, >>> -Reinhard >>> >>> ---------------------------------------------------------------------- >>> -- >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rnappert at juniper.net Mon Jul 20 18:06:12 2009 From: rnappert at juniper.net (Reinhard Nappert) Date: Mon, 20 Jul 2009 14:06:12 -0400 Subject: [389-users] Db-link setup question In-Reply-To: <4A64AFD6.7090003@redhat.com> References: <4A649D22.80609@redhat.com> <4A64A5F9.9090802@redhat.com> <4A64AFD6.7090003@redhat.com> Message-ID: Sorry, the chaining server. I checked the chained to server (Server B)'s access file and it gets it from there. This is good, that Server A actually talks to Server B. The issue is the following: I do a search with the Base: l=location B,ou=people,o=suffix It performs the search on Server B with the exactly same search-base, although I configured it as nsslapd-suffix: ou=region B,ou=people,o=suffix So, shouldn't Server A alter the search and use ou=region B,ou=people,o=suffix as base? On the otherhand, I could change the configuration accordingly. -Reinhard -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson Sent: Monday, July 20, 2009 1:57 PM To: General discussion list for the 389 Directory server project. Subject: Re: [389-users] Db-link setup question Reinhard Nappert wrote: > Nothing in error and only err=32 in access. 
> err=32 in which access? The chaining server or the chained to server? > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich > Megginson > Sent: Monday, July 20, 2009 1:15 PM > To: General discussion list for the 389 Directory server project. > Subject: Re: [389-users] Db-link setup question > > Reinhard Nappert wrote: > >> Thanks Rick, >> >> Yes this is what I did. I find the error message not very user-friendly. Anyway, when I use a different bind dn, it says that my sub suffix l=location B,ou=people,o=suffix does not exist. Do I need to add that object as well? Thought, the directory takes care of this one. >> >> > Yes, the object does not have to exist in the chaining database, only in the real database that is chained to. Any info in the access and error logs on the chaining server or the chained to server? > >> -Reinhard >> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich >> Megginson >> Sent: Monday, July 20, 2009 12:37 PM >> To: General discussion list for the 389 Directory server project. >> Subject: Re: [389-users] Db-link setup question >> >> Reinhard Nappert wrote: >> >> >>> Hi, >>> >>> I have two LDAP Servers setup (Server A and Server B). Both of them >>> have the identical suffix (o=suffix). Again, both of them have a >>> people organizational unit (ou=people,o=suffix). Server B has a big >>> subtree (ou=region B,ou=people,o=suffix). >>> >>> My intension is to create a db link on Server A, which links to the >>> ou=region B,ou=people,o=suffix subtree on Server B. 
>>> >>> I did create the database link and a new suffix l=location >>> B,ou=people,o=suffix on Server A with the following entries: >>> >>> dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config >>> objectclass: top >>> objectclass: extensibleObject >>> objectclass: nsBackendInstance >>> nsslapd-suffix: ou=region B,ou=people,o=suffix >>> nsfarmserverurl: ldap://serverB:389/ >>> nsmultiplexorbinddn: cn=proxy admin,cn=config >>> nsmultiplexorcredentials: secret >>> cn: serverBlink >>> >>> dn: cn="l=location B,ou=people,o=suffix",cn=mapping tree,cn=config >>> objectclass: top >>> objectclass: extensibleObject >>> objectclass: nsMappingTree >>> nsslapd-state: backend >>> nsslapd-backend: serverBlink >>> nsslapd-parent-suffix: "ou=people,o=suffix " >>> cn: "l=location B,ou=people,o=suffix" >>> >>> I am only interested in reading the server B information, when >>> accessing from server A. The "proxy admin" user was created as well. >>> >>> When I do a search with the base l=location B,ou=people,o=suffix, >>> accessing server A, I always get the following error "Proxy dn >>> should not be rootdn". >>> >>> What did I miss for the setup? >>> >>> >> You cannot chain the directory manager user (aka rootdn). I'm assuming you're doing a search like ldapsearch -D "cn=directory manager" ... >> This will not work - you must use a user other than directory manager. 
>> >> >>> >>> Thanks, >>> -Reinhard >>> >>> -------------------------------------------------------------------- >>> -- >>> -- >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Mon Jul 20 18:32:32 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 20 Jul 2009 12:32:32 -0600 Subject: [389-users] Db-link setup question In-Reply-To: References: <4A649D22.80609@redhat.com> <4A64A5F9.9090802@redhat.com> <4A64AFD6.7090003@redhat.com> Message-ID: <4A64B840.1000100@redhat.com> Reinhard Nappert wrote: > Sorry, the chaining server. > I checked the chained to server (Server B)'s access file and it gets it from there. This is good, that Server A actually talks to Server B. The issue is the following: > > I do a search with the > Base: l=location B,ou=people,o=suffix > > It performs the search on Server B with the exactly same search-base, although I configured it as > nsslapd-suffix: ou=region B,ou=people,o=suffix > > So, shouldn't Server A alter the search and use > ou=region B,ou=people,o=suffix as base? > > On the otherhand, I could change the configuration accordingly. > There is no search altering or search mapping with chaining. > -Reinhard > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson > Sent: Monday, July 20, 2009 1:57 PM > To: General discussion list for the 389 Directory server project. > Subject: Re: [389-users] Db-link setup question > > Reinhard Nappert wrote: > >> Nothing in error and only err=32 in access. >> >> > err=32 in which access? 
The chaining server or the chained to server? > >> -Reinhard >> >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich >> Megginson >> Sent: Monday, July 20, 2009 1:15 PM >> To: General discussion list for the 389 Directory server project. >> Subject: Re: [389-users] Db-link setup question >> >> Reinhard Nappert wrote: >> >> >>> Thanks Rick, >>> >>> Yes this is what I did. I find the error message not very user-friendly. Anyway, when I use a different bind dn, it says that my sub suffix l=location B,ou=people,o=suffix does not exist. Do I need to add that object as well? Thought, the directory takes care of this one. >>> >>> >>> >> Yes, the object does not have to exist in the chaining database, only in the real database that is chained to. Any info in the access and error logs on the chaining server or the chained to server? >> >> >>> -Reinhard >>> >>> -----Original Message----- >>> From: fedora-directory-users-bounces at redhat.com >>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich >>> Megginson >>> Sent: Monday, July 20, 2009 12:37 PM >>> To: General discussion list for the 389 Directory server project. >>> Subject: Re: [389-users] Db-link setup question >>> >>> Reinhard Nappert wrote: >>> >>> >>> >>>> Hi, >>>> >>>> I have two LDAP Servers setup (Server A and Server B). Both of them >>>> have the identical suffix (o=suffix). Again, both of them have a >>>> people organizational unit (ou=people,o=suffix). Server B has a big >>>> subtree (ou=region B,ou=people,o=suffix). >>>> >>>> My intension is to create a db link on Server A, which links to the >>>> ou=region B,ou=people,o=suffix subtree on Server B. 
>>>>
>>>> I did create the database link and a new suffix l=location B,ou=people,o=suffix on Server A with the following entries:
>>>>
>>>> dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config
>>>> objectclass: top
>>>> objectclass: extensibleObject
>>>> objectclass: nsBackendInstance
>>>> nsslapd-suffix: ou=region B,ou=people,o=suffix
>>>> nsfarmserverurl: ldap://serverB:389/
>>>> nsmultiplexorbinddn: cn=proxy admin,cn=config
>>>> nsmultiplexorcredentials: secret
>>>> cn: serverBlink
>>>>
>>>> dn: cn="l=location B,ou=people,o=suffix",cn=mapping tree,cn=config
>>>> objectclass: top
>>>> objectclass: extensibleObject
>>>> objectclass: nsMappingTree
>>>> nsslapd-state: backend
>>>> nsslapd-backend: serverBlink
>>>> nsslapd-parent-suffix: "ou=people,o=suffix "
>>>> cn: "l=location B,ou=people,o=suffix"
>>>>
>>>> I am only interested in reading the Server B information when accessing from Server A. The "proxy admin" user was created as well.
>>>>
>>>> When I do a search with the base l=location B,ou=people,o=suffix, accessing Server A, I always get the following error: "Proxy dn should not be rootdn".
>>>>
>>>> What did I miss for the setup?
>>>>
>>> You cannot chain the directory manager user (aka rootdn). I'm assuming you're doing a search like ldapsearch -D "cn=directory manager" ...
>>> This will not work - you must use a user other than directory manager.
>>>>
>>>> Thanks,
>>>> -Reinhard

From rnappert at juniper.net Mon Jul 20 19:16:31 2009
From: rnappert at juniper.net (Reinhard Nappert)
Date: Mon, 20 Jul 2009 15:16:31 -0400
Subject: [389-users] Db-link setup question
In-Reply-To: <4A64B840.1000100@redhat.com>
References: <4A649D22.80609@redhat.com> <4A64A5F9.9090802@redhat.com> <4A64AFD6.7090003@redhat.com> <4A64B840.1000100@redhat.com>
Message-ID:

I do not feel very confident using chained links: When I change my configuration to

dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=region B,ou=people,o=suffix
nsfarmserverurl: ldap://serverB:389/
nsmultiplexorbinddn: cn=proxy admin,cn=config
nsmultiplexorcredentials: secret
cn: serverBlink

dn: cn="ou=region B,ou=people,o=suffix",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: serverBlink
nsslapd-parent-suffix: "ou=people,o=suffix "
cn: "ou=region B,ou=people,o=suffix"

Server A proxies the correct search to Server B.
However, the response is empty if I search for an existing entry of Server B. I also see the search in Server B's access file, but the response is empty. If I contact Server B with the proxy admin credentials, it returns the existing object. This tells me that the ACIs are working. Do you have an explanation for that?

Even more disturbing: After I restart Server A, the entire chaining is broken. I get err=32 again, but this time Server A does not even perform the search towards Server B.

-Reinhard
From rnappert at juniper.net Mon Jul 20 19:29:22 2009
From: rnappert at juniper.net (Reinhard Nappert)
Date: Mon, 20 Jul 2009 15:29:22 -0400
Subject: [389-users] Db-link setup question
In-Reply-To:
References: <4A649D22.80609@redhat.com> <4A64A5F9.9090802@redhat.com> <4A64AFD6.7090003@redhat.com> <4A64B840.1000100@redhat.com>
Message-ID:

Rick,

the first issue is solved by adding an additional aci for that proxy admin, allowing proxy:

aci: (targetattr=*)(target = "ldap:///ou=region B,ou=people,o=suffix")(version 3.0;acl "Allows use of admin for chaining"; allow (proxy) (userdn="ldap:///uid=proxy admin,cn=config");)

However, when I restart Server A, it is broken with err=32.

-Reinhard
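Rich's point in this thread is that chaining does no suffix mapping: the mapping-tree suffix on Server A must be exactly the chaining backend's nsslapd-suffix, and the farm server's ACI must grant proxy to the DN given in nsmultiplexorbinddn. The checker below is an added example (not code from this thread or from 389 DS) that reads LDIF of the kind posted above and reports those mismatches; the Server B entry that carries the ACI is constructed, and the DN normalisation is a simplified case-fold, not the server's RFC 4514 normalisation.

```python
"""Consistency check for a 389 DS chaining (db-link) configuration.
Added example, not code from the thread or from 389 DS. Chaining forwards the
search base unchanged, so the mapping-tree suffix must equal the backend's
nsslapd-suffix, and the farm server's ACI must grant proxy to the exact
nsmultiplexorbinddn. DN normalisation is a simplified case-fold, not RFC 4514."""
import re

# Constructed sample: the first configuration posted in the thread (Server A side)
# plus a constructed Server B entry carrying the proxy ACI posted in the thread.
POSTED_CONFIG = """\
dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=region B,ou=people,o=suffix
nsfarmserverurl: ldap://serverB:389/
nsmultiplexorbinddn: cn=proxy admin,cn=config
nsmultiplexorcredentials: secret
cn: serverBlink

dn: cn="l=location B,ou=people,o=suffix",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: serverBlink
nsslapd-parent-suffix: "ou=people,o=suffix "
cn: "l=location B,ou=people,o=suffix"

# constructed Server B entry that holds the proxy ACI
dn: ou=region B,ou=people,o=suffix
objectclass: top
objectclass: organizationalUnit
ou: region B
aci: (targetattr=*)(target = "ldap:///ou=region B,ou=people,o=suffix")(version 3.0;acl "Allows use of admin for chaining"; allow (proxy) (userdn="ldap:///uid=proxy admin,cn=config");)
"""
# Constructed fix: mapping tree named after the backend's real suffix, and the
# ACI granting proxy to the DN the backend actually binds as.
CORRECTED_CONFIG = POSTED_CONFIG.replace(
    '"l=location B,ou=people,o=suffix"', '"ou=region B,ou=people,o=suffix"'
).replace("uid=proxy admin,cn=config", "cn=proxy admin,cn=config")

PROXY_USERDN = re.compile(r'allow\s*\(\s*proxy\s*\)\s*\(\s*userdn\s*=\s*"ldap:///([^"]+)"')


def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated entries, '#' comments, folded
    continuation lines; no base64 '::' values) -> list of {attr: [values]}."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:          # continuation of the previous value
            cur[last][-1] += raw[1:]
        elif not raw.strip():                     # blank line ends the entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries + ([cur] if cur else [])


def normalize_dn(dn):
    """Drop surrounding quotes and whitespace around ',' and '=', then case-fold."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn.strip().strip('"').strip())]
    return ",".join("=".join(p.strip() for p in r.split("=", 1)) for r in rdns).lower()


def check_chaining(ldif_text):
    """Return a list of findings; an empty list means the configuration is consistent."""
    backends, trees, proxy_dns = {}, [], set()
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "nsbackendinstance" in classes and "cn=chaining database" in e["dn"][0].lower():
            backends[e["cn"][0].lower()] = e
        elif "nsmappingtree" in classes:
            trees.append(e)
        for aci in e.get("aci", []):              # ACIs live on the farm server's entries
            proxy_dns.update(normalize_dn(m) for m in PROXY_USERDN.findall(aci))
    findings = []
    for tree in trees:
        suffix = normalize_dn(tree["cn"][0])
        name = tree.get("nsslapd-backend", [""])[0].lower()
        be = backends.get(name)
        if be is None:
            findings.append(f"{suffix}: mapping tree points at unknown chaining backend '{name}'")
            continue
        farm_suffix = normalize_dn(be["nsslapd-suffix"][0])
        if suffix != farm_suffix:
            findings.append(f"{suffix}: backend '{name}' serves {farm_suffix}; chaining forwards the "
                            "base unchanged, so the farm server answers err=32 (noSuchObject)")
        parent = tree.get("nsslapd-parent-suffix")
        if parent and normalize_dn(parent[0]) != suffix.partition(",")[2]:
            findings.append(f"{suffix}: nsslapd-parent-suffix {normalize_dn(parent[0])} is not its parent")
        bind_dn = normalize_dn(be.get("nsmultiplexorbinddn", [""])[0])
        if proxy_dns and bind_dn not in proxy_dns:
            findings.append(f"{suffix}: no ACI grants proxy to nsmultiplexorbinddn {bind_dn} "
                            f"(proxy is granted to {sorted(proxy_dns)})")
    return findings
```

Running `check_chaining(POSTED_CONFIG)` reports the l=location B versus ou=region B mismatch and the uid= versus cn= proxy DN; `check_chaining(CORRECTED_CONFIG)` returns an empty list.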
From scott.kaminski at gmail.com Mon Jul 20 23:45:33 2009
From: scott.kaminski at gmail.com (Scott Kaminski)
Date: Mon, 20 Jul 2009 16:45:33 -0700
Subject: [389-users] Issues with Starting Admin console
Message-ID:

I'm having a problem with the Admin console and making it work properly. I have a CentOS 5.3 machine that I recently installed and set up the Directory Server on. The rpms I used are:

fedora-ds-base-1.2.0-2.fc6
fedora-ds-admin-console-1.1.3-1.fc6
fedora-ds-console-1.2.0-1.fc6
fedora-ds-admin-1.1.7-3.fc6
fedora-ds-1.1.3-1.fc6
fedora-ds-dsgw-1.1.2-1.fc6
fedora-idm-console-1.1.3-1.fc6

I used the method that involved downloading and setting up the yum repositories. I have managed to make the directory server work and authenticate users. However, I seem to have an issue with the management console.
The console locks up and no longer responds when I attempt to access the administration server box under server group. I also have a Java console error indicating "java.lang.nullpointerexception".

Initially I would click on directory server or administration server and just get an error indicating that some jar files are missing in /usr/share/dirsrv/html/java/; the two missing files are called centos-admin-8.0.jar and centos-ds-8.0.jar. I created some symlinks to the fedora versions of these files to correct the problem. The issue appears to be related to the administration server jar file: after deleting the jar dir in my user's home dir and removing the symlink to the admin jar file, the error appears and the lock-up goes away; however, I can't do any server administration.

So does anyone have any solutions/suggestions to this problem?

-Scott

From mazzystr at gmail.com Mon Jul 20 23:57:49 2009
From: mazzystr at gmail.com (Chris C)
Date: Mon, 20 Jul 2009 19:57:49 -0400
Subject: [389-users] Issues with Starting Admin console
In-Reply-To:
References:
Message-ID:

execute fedora-idm-console -D 9

Send us the output.

/Chris Callegari
From scott.kaminski at gmail.com Tue Jul 21 00:06:59 2009
From: scott.kaminski at gmail.com (Scott Kaminski)
Date: Mon, 20 Jul 2009 17:06:59 -0700
Subject: [389-users] Re: Issues with Starting Admin console
In-Reply-To:
References:
Message-ID:

Just remembered I subscribed to the digest list. Hope this works without screwing up the list.
Here is some of the output when running the admin console with debug level 9:

ClassLoader: No language file for centos-admin-8.0.jar found on local disk, lang=en
ClassLoader: classes.env NOT in centos-admin-8.0.jar
ClassLoader: no manifest found for centos-admin-8.0.jar
ClassLoader: No manifest file for centos-admin-8.0.jar
ClassLoader: new LocalJarClassLoader centos-admin-8.0.jar:{centos-admin-8.0.jar }
ClassLoader: Create loader centos-admin-8.0.jar
ClassLoader: :loadClass():name:com.netscape.management.admserv.AdminServer
ClassLoader: :loadClass():loading:com.netscape.management.admserv.AdminServer
ClassLoader: com/netscape/management/admserv/AdminServer.class found in centos-admin-8.0.jar
ClassLoader: :loadClass():name:com.netscape.management.nmclf.SuiConstants
ClassLoader: :loadClass():loading:com.netscape.management.nmclf.SuiConstants
ClassLoader: com/netscape/management/nmclf/SuiConstants.class NOT in centos-admin-8.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.topology.AbstractServerObject
ClassLoader: :loadClass():loading:com.netscape.management.client.topology.AbstractServerObject
ClassLoader: com/netscape/management/client/topology/AbstractServerObject.class NOT in centos-admin-8.0.jar
ClassLoader: :loadClass():resolving com.netscape.management.admserv.AdminServer
ClassLoader: :loadClass():name:java.lang.Throwable
ClassLoader: :loadClass():name:java.net.MalformedURLException
ClassLoader: :loadClass():name:netscape.ldap.LDAPException
ClassLoader: :loadClass():loading:netscape.ldap.LDAPException
ClassLoader: netscape/ldap/LDAPException.class NOT in centos-admin-8.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.IFrameworkInitializer
ClassLoader: :loadClass():loading:com.netscape.management.client.IFrameworkInitializer
ClassLoader: com/netscape/management/client/IFrameworkInitializer.class NOT in centos-admin-8.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.IStatusItem
ClassLoader: :loadClass():loading:com.netscape.management.client.IStatusItem
ClassLoader: com/netscape/management/client/IStatusItem.class NOT in centos-admin-8.0.jar
ClassLoader: :loadClass():name:com.netscape.management.admserv.panel.IRestartControl
ClassLoader: :loadClass():loading:com.netscape.management.admserv.panel.IRestartControl
ClassLoader: com/netscape/management/admserv/panel/IRestartControl.class found in centos-admin-8.0.jar
ClassLoader: :loadClass():name:java.lang.Object
ClassLoader: :loadClass():name:java.awt.Component
ClassLoader: :loadClass():name:javax.swing.JFrame
ClassLoader: :loadClass():loading:javax.swing.JFrame
ClassLoader: javax/swing/JFrame.class NOT in centos-admin-8.0.jar
ClassLoader: :loadClass():name:javax.swing.Icon
ClassLoader: :loadClass():loading:javax.swing.Icon
ClassLoader: javax/swing/Icon.class NOT in centos-admin-8.0.jar
ClassLoader: :loadClass():name:com.netscape.management.client.util.ResourceSet
ClassLoader: :loadClass():loading:com.netscape.management.client.util.ResourceSet
ClassLoader: com/netscape/management/client/util/ResourceSet.class NOT in centos-admin-8.0.jar
ResourceSet: NOT found in cache loader3753023:com.netscape.management.admserv.admserv
ClassLoader: com/netscape/management/admserv/admserv_en_US.properties NOT in centos-admin-8.0.jar
ClassLoader: com/netscape/management/admserv/admserv_en.properties NOT in centos-admin-8.0.jar
ClassLoader: com/netscape/management/admserv/admserv.properties NOT in centos-admin-8.0.jar
ResourceSet(): unable to open com.netscape.management.admserv.admserv
ClassLoader: :loadClass():name:com.netscape.management.admserv.AdminServer$1
ClassLoader: :loadClass():loading:com.netscape.management.admserv.AdminServer$1
ClassLoader: com/netscape/management/admserv/AdminServer$1.class found in centos-admin-8.0.jar
ResourceSet: found in cache loader8222510:com.netscape.management.client.console.console
ResourceSet: found in cache loader8222510:com.netscape.management.client.console.console
ClassLoader: :loadClass():name:com.netscape.management.client.util.RemoteImage
ClassLoader: :loadClass():loading:com.netscape.management.client.util.RemoteImage
ClassLoader: com/netscape/management/client/util/RemoteImage.class NOT in centos-admin-8.0.jar
ResourceSet:getString():Unable to resolve admin-smallIcon
RemoteImage: NOT found in cache loader3753023:null
RemoteImage: java.lang.NullPointerException(null)
Uncaught error fetching image:
java.lang.NullPointerException
    at java.io.FileInputStream.(Unknown Source)
    at java.io.FileInputStream.(Unknown Source)
    at sun.awt.image.FileImageSource.getDecoder(Unknown Source)
    at sun.awt.image.InputStreamImageSource.doFetch(Unknown Source)
    at sun.awt.image.ImageFetcher.fetchloop(Unknown Source)
    at sun.awt.image.ImageFetcher.run(Unknown Source)
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register
AbstractServerObject.StatusThread: waiting for change listeners to register

-Scott
From kwan.lowe at gmail.com Tue Jul 21 00:47:40 2009
From: kwan.lowe at gmail.com (Kwan Lowe)
Date: Mon, 20 Jul 2009 20:47:40 -0400
Subject: [389-users] Re: Issues with Starting Admin console
In-Reply-To:
References:
Message-ID:

On Mon, Jul 20, 2009 at 8:06 PM, Scott Kaminski wrote:
> Just remembered I subscribed to the digest list. Hope this works without screwing up the list. Here is some of the output when running the admin console with debug level 9:
>
> ClassLoader: No language file for centos-admin-8.0.jar found on local disk, lang=en
> ClassLoader: classes.env NOT in centos-admin-8.0.jar
> ClassLoader: no manifest found for centos-admin-8.0.jar
> ClassLoader: No manifest file for centos-admin-8.0.jar
>

Not certain if it's the same thing you're seeing, but every Java issue I've had so far was directly related to using the gcc-java rather than the Sun Java. Do a "java --version" to check... If you see something about gcj, try installing the JRE from java.com and then adjusting your PATH. You don't need to uninstall the gcj version, but the Sun version should be in the PATH before /usr/bin.

From jrobertm8 at yahoo.com Tue Jul 21 01:28:56 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Tue, 21 Jul 2009 09:28:56 +0800 (SGT)
Subject: [389-users] MIT Kerberos and FDS integration
In-Reply-To: <4A647345.3090003@redhat.com>
Message-ID: <276822.99481.qm@web76310.mail.sg1.yahoo.com>

Thanks for the reply Rob.

I did manage to solve the error by changing the permissions on the ds.keytab file.

I can finally do ldapsearch with GSSAPI. BTW, I was just wondering, would there be any way I can make LDAP the database for the Kerberos principals?
Isn't it that when I get a ticket from Kerberos it is supposed to look into LDAP for its principals?

Thanks,
John Robert Mendoza

--- On Mon, 7/20/09, Rob Crittenden wrote:

From: Rob Crittenden
Subject: Re: [389-users] MIT Kerberos and FDS integration
To: "General discussion list for the 389 Directory server project."
Date: Monday, 20 July, 2009, 9:38 PM

John Robert Mendoza wrote:
> Actually I use the
>
> #/usr/lib/mozldap/ldapsearch
>
> There is no option for the -Y.
>
> I can bind using GSSAPI by this command
>
> #/usr/lib/mozldap/ldapsearch -o "mech=GSSAPI" -b "my suffix" objectclass=*
>
> and it outputs this error
>
> ldapsearch: started Mon Jul 20 16:33:07 2009
>
> ldap_init( localhost, 389 )
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
>

Check the permission and ownership of the DS keytab.

rob

From rcritten at redhat.com Tue Jul 21 02:33:33 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 20 Jul 2009 22:33:33 -0400
Subject: [389-users] MIT Kerberos and FDS integration
In-Reply-To: <276822.99481.qm@web76310.mail.sg1.yahoo.com>
References: <276822.99481.qm@web76310.mail.sg1.yahoo.com>
Message-ID: <4A6528FD.6090805@redhat.com>

John Robert Mendoza wrote:
> Thanks for the reply Rob.
>
> I did manage to solve the error by changing the permissions on the ds.keytab file.
>
> I can finally do ldapsearch with GSSAPI. BTW, I was just wondering, would there be any way I can make LDAP the database for the Kerberos principals?
>
> Isn't it that when you get a ticket from Kerberos it is supposed to look into
> LDAP for its principals?

Yes, MIT kerberos has an LDAP backend that you can use. You might want to look into the IPA project at http://www.freeipa.org/ This is exactly what it does (among other things). It might give you some pointers how to configure things at a minimum.

rob

From jrobertm8 at yahoo.com Tue Jul 21 02:40:07 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Tue, 21 Jul 2009 10:40:07 +0800 (SGT)
Subject: [389-users] MIT Kerberos and FDS integration
In-Reply-To: <4A6528FD.6090805@redhat.com>
Message-ID: <966309.47718.qm@web76314.mail.sg1.yahoo.com>

Thanks Rob. I have looked into the Free IPA project and somehow I just want to set up Kerberos 1.6 with its principal database in FDS 1.2.0. Isn't it that when I add an entry to the FDS and try to kinit with the name of the entry I just added, Kerberos is supposed to give me a ticket?

John Robert Mendoza

--- On Tue, 7/21/09, Rob Crittenden wrote:

> From: Rob Crittenden
> Subject: Re: [389-users] MIT Kerberos and FDS integration
> To: "General discussion list for the 389 Directory server project."
> Date: Tuesday, 21 July, 2009, 10:33 AM
>
> John Robert Mendoza wrote:
> > Thanks for the reply Rob.
> >
> > I did manage to solve the error by changing the permissions on the ds.keytab file.
> >
> > I can finally do ldapsearch with GSSAPI. BTW, I was just wondering, would there be any way I can make LDAP the database for the Kerberos principals?
> >
> > Isn't it that when you get a ticket from Kerberos it is supposed to look into LDAP for its principals?
>
> Yes, MIT kerberos has an LDAP backend that you can use. You might want to look into the IPA project at http://www.freeipa.org/ This is exactly what it does (among other things).
> It might give you some pointers how to configure things at a minimum.
>
> rob

From rahulsen002 at gmail.com Tue Jul 21 21:03:27 2009
From: rahulsen002 at gmail.com (rahul sen)
Date: Wed, 22 Jul 2009 02:33:27 +0530
Subject: [389-users] Setting up Fedora Directory Server on Fedora 10 as an LDAP Server
Message-ID: <99234f370907211403y4c375e7cl757a52e549a89ffb@mail.gmail.com>

http://www.burntomlette.in/index.php?title=Openldap_server_client_by_rahulsen002

Please see the above page. I was successful till the last step in that page.

When I tried restarting the dirsrv, dirsrv-admin and httpd services by

#service httpd restart
#service dirsrv restart
#service dirsrv-admin restart

then I am getting a failure message. Moreover, when I am trying to launch the Fedora Console Login window, I am getting the below mentioned results:
[root at rahulsen rahulsen]# fedora-idm-console
No protocol specified
Exception in thread "main" java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11GraphicsEnvironment
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:186)
        at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:82)
        at sun.awt.X11.XToolkit.(XToolkit.java:106)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:186)
        at java.awt.Toolkit$2.run(Toolkit.java:849)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.awt.Toolkit.getDefaultToolkit(Toolkit.java:841)
        at sun.swing.SwingUtilities2$AATextInfo.getAATextInfo(SwingUtilities2.java:131)
        at javax.swing.plaf.metal.MetalLookAndFeel.initComponentDefaults(MetalLookAndFeel.java:1564)
        at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(Unknown Source)
        at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults(Unknown Source)
        at javax.swing.UIManager.setLookAndFeel(UIManager.java:545)
        at com.netscape.management.client.console.Console.common_init(Unknown Source)
        at com.netscape.management.client.console.Console.(Unknown Source)
        at com.netscape.management.client.console.Console.main(Unknown Source)

Can't proceed... please help!

From rmeggins at redhat.com Tue Jul 21 22:00:08 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 21 Jul 2009 16:00:08 -0600
Subject: [389-users] Setting up Fedora Directory Server on Fedora 10 as an LDAP Server
In-Reply-To: <99234f370907211403y4c375e7cl757a52e549a89ffb@mail.gmail.com>
References: <99234f370907211403y4c375e7cl757a52e549a89ffb@mail.gmail.com>
Message-ID: <4A663A68.3080006@redhat.com>

rahul sen wrote:
> http://www.burntomlette.in/index.php?title=Openldap_server_client_by_rahulsen002
>
> Please see the above page. I was successful till the last step in that
> page.
>
> When I tried restarting the dirsrv, dirsrv-admin and httpd services by
> #service httpd restart
> #service dirsrv restart
> #service dirsrv-admin restart,
> then I am getting a failure message.
> Moreover, when I am trying to launch the Fedora Console Login window,
> I am getting the below mentioned results:
>
> [root at rahulsen rahulsen]# fedora-idm-console
> No protocol specified
> Exception in thread "main" java.lang.NoClassDefFoundError: Could not
> initialize class sun.awt.X11GraphicsEnvironment
>         at java.lang.Class.forName0(Native Method)
>         at java.lang.Class.forName(Class.java:186)
>         at java.awt.GraphicsEnvironment.getLocalGraphicsEnvironment(GraphicsEnvironment.java:82)
>         at sun.awt.X11.XToolkit.(XToolkit.java:106)
>         at java.lang.Class.forName0(Native Method)
>         at java.lang.Class.forName(Class.java:186)
>         at java.awt.Toolkit$2.run(Toolkit.java:849)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.awt.Toolkit.getDefaultToolkit(Toolkit.java:841)
>         at sun.swing.SwingUtilities2$AATextInfo.getAATextInfo(SwingUtilities2.java:131)
>         at javax.swing.plaf.metal.MetalLookAndFeel.initComponentDefaults(MetalLookAndFeel.java:1564)
>         at com.netscape.management.nmclf.SuiLookAndFeel.initComponentDefaults(Unknown Source)
>         at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults(Unknown Source)
>         at javax.swing.UIManager.setLookAndFeel(UIManager.java:545)
>         at com.netscape.management.client.console.Console.common_init(Unknown Source)
>         at com.netscape.management.client.console.Console.(Unknown Source)
>         at com.netscape.management.client.console.Console.main(Unknown Source)
>
> Can't proceed... please help!

java -version
From techchavez at gmail.com Wed Jul 22 02:51:01 2009
From: techchavez at gmail.com (Techie)
Date: Tue, 21 Jul 2009 19:51:01 -0700
Subject: [389-users] Latest Fedora/389 releases

Rich, list,

These are the packages I have installed. Are these the latest for Fedora 9? Yum upgrade says it cannot find an update match.

Thanks

fedora-ds-base-1.2.0-3.fc9.i386
fedora-ds-admin-1.1.7-3.fc9.i386
fedora-ds-1.1.3-1.fc9.noarch
fedora-ds-dsgw-1.1.2-1.fc9.i386
fedora-ds-admin-console-1.1.3-1.fc9.noarch
fedora-ds-console-1.2.0-1.fc9.noarch
fedora-idm-console-1.1.1-2.fc9.i386

From techchavez at gmail.com Wed Jul 22 15:56:53 2009
From: techchavez at gmail.com (Techie)
Date: Wed, 22 Jul 2009 08:56:53 -0700
Subject: [389-users] using tasks question

Hello,

I am looking to automate some things with cn=tasks. I have read the Task invocation info but no nsdirectoryservertask objectclass exists even in the source from what I see. Where can I get the schema file with this O class?

Thank you

From techchavez at gmail.com Wed Jul 22 16:19:33 2009
From: techchavez at gmail.com (Techie)
Date: Wed, 22 Jul 2009 09:19:33 -0700
Subject: [389-users] Re: using tasks question

Although I did not find the nsDirectoryServerTask objectclass I did find a way around it.

I have another question regarding exporting an MMR enabled replica. I plan on scripting this on a weekly basis. As I understand it, when using db2ldif with the -r option it is necessary to stop the directory before running the command. My question is why exactly is that, can it cause corruption? Also the documentation for using tasks to export replicas does not mention having to stop the directory, can you confirm that it is not necessary to stop the directory before using tasks to export a replica?
Thank you

On Wed, Jul 22, 2009 at 8:56 AM, Techie wrote:
> Hello,
> I am looking to automate some things with cn=tasks. I have read the
> Task invocation info but no nsdirectoryservertask objectclass exists
> even in the source from what I see. Where can I get the schema file
> with this O class?
>
> Thank you

From rmeggins at redhat.com Wed Jul 22 16:56:13 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 22 Jul 2009 10:56:13 -0600
Subject: [389-users] Latest Fedora/389 releases
Message-ID: <4A6744AD.8070703@redhat.com>

Techie wrote:
> Rich, list,
> These are the packages I have installed. Are these the latest for Fedora 9?

Yes, these are the latest.

Note that Fedora 9 is soon scheduled for EOL - we will not be releasing any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11 ASAP.

> Yum upgrade says it cannot find an update match.
>
> Thanks
>
> fedora-ds-base-1.2.0-3.fc9.i386
> fedora-ds-admin-1.1.7-3.fc9.i386
> fedora-ds-1.1.3-1.fc9.noarch
> fedora-ds-dsgw-1.1.2-1.fc9.i386
> fedora-ds-admin-console-1.1.3-1.fc9.noarch
> fedora-ds-console-1.2.0-1.fc9.noarch
> fedora-idm-console-1.1.1-2.fc9.i386
From rahulsen002 at gmail.com Wed Jul 22 19:09:26 2009
From: rahulsen002 at gmail.com (rahul sen)
Date: Thu, 23 Jul 2009 00:39:26 +0530
Subject: [389-users] solution to the problem in installation of Fedora Directory Server on Fedora 10 as an LDAP Server
Message-ID: <99234f370907221209g2d8fca49u58672ad8a3b32430@mail.gmail.com>

While installing Fedora Directory Server on Fedora 10 as an LDAP Server, I faced problems from the occurrence of exceptions on the following command, used to launch the Fedora Console Login window:

#fedora-idm-console

Solution: on rebooting the machine, I found the problem was solved.

From joelh at planetjoel.com Thu Jul 23 01:38:44 2009
From: joelh at planetjoel.com (Joel Heenan)
Date: Thu, 23 Jul 2009 11:38:44 +1000
Subject: [389-users] registered with an admin server behind a firewall
In-Reply-To: <4f89225b0907221835m6bf1c1a5y7e5c51d6590ca378@mail.gmail.com>
References: <4f89225b0907221835m6bf1c1a5y7e5c51d6590ca378@mail.gmail.com>
Message-ID: <4f89225b0907221838q66be24a0rb760d94c8644d256@mail.gmail.com>

I'm using Directory Server 8.1 on CentOS.

I have multi-mastered servers set up in our administrative network, secured and locked away, working well. I have consumers set up out in other network zones and am planning to set up replication out to these servers. I wanted to keep the console as a single administration point for all the servers but I can't work out how I can register the consumers with the console given that they have no network access. Is the access needed once you have registered them? If not I could punch a quick ssh tunnel or something which would allow them to register.

Thanks

Joel
From sigidwu at gmail.com Thu Jul 23 07:35:32 2009
From: sigidwu at gmail.com (sigid@JINLab)
Date: Thu, 23 Jul 2009 14:35:32 +0700
Subject: [389-users] Latest Fedora/389 releases
In-Reply-To: <4A6744AD.8070703@redhat.com>
References: <4A6744AD.8070703@redhat.com>
Message-ID: <4A6812C4.5010302@gmail.com>

Rich Megginson wrote:
> Techie wrote:
>> Rich, list,
>> These are the packages I have installed. Are these the latest for
>> Fedora 9?
>>
> Yes, these are the latest.
>
> Note that Fedora 9 is soon scheduled for EOL - we will not be releasing
> any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11 ASAP.

1. What could happen if we don't upgrade to Fedora 10 or Fedora 11?
2. Is there any prediction on when 389DS will be released?

Thanks

--
http://sigidwu.blogspot.com
Save a tree. Don't print any documents unless it's necessary.

From rcritten at redhat.com Thu Jul 23 12:53:15 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 23 Jul 2009 08:53:15 -0400
Subject: [389-users] Latest Fedora/389 releases
In-Reply-To: <4A6812C4.5010302@gmail.com>
References: <4A6744AD.8070703@redhat.com> <4A6812C4.5010302@gmail.com>
Message-ID: <4A685D3B.40006@redhat.com>

sigid at JINLab wrote:
> Rich Megginson wrote:
>> Techie wrote:
>>> Rich, list,
>>> These are the packages I have installed. Are these the latest for
>>> Fedora 9?
>>>
>> Yes, these are the latest.
>>
>> Note that Fedora 9 is soon scheduled for EOL - we will not be releasing
>> any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11 ASAP.
>
> 1. What could happen if we don't upgrade to Fedora 10 or Fedora 11?
> 2. Is there any prediction on when 389DS will be released?
> Thanks

Fedora 9 EOL notice: http://www.mail-archive.com/fedora-announce-list at redhat.com/msg01574.html

The Fedora Lifecycle: http://fedoraproject.org/wiki/LifeCycle

It means that there will be no more Fedora 9 updates. So no more security fixes, no more package updates.
Your existing system will run just fine, it just won't get any more updates. You can try to monitor the Fedora 10 and 11 updates and pick up security fixes from there but upgrading is probably a better long-term solution.

rob

From joelh at planetjoel.com Thu Jul 23 01:35:02 2009
From: joelh at planetjoel.com (Joel Heenan)
Date: Thu, 23 Jul 2009 11:35:02 +1000
Subject: [389-users] registered with an admin server behind a firewall
Message-ID: <4f89225b0907221835m6bf1c1a5y7e5c51d6590ca378@mail.gmail.com>

I'm using Directory Server 8.1 on CentOS.

I have multi-mastered servers set up in our administrative network, secured and locked away, working well. I have consumers set up out in other network zones and am planning to set up replication out to these servers. I wanted to keep the console as a single administration point for all the servers but I can't work out how I can register the consumers with the console given that they have no network access. Is the access needed once you have registered them? If not I could punch a quick ssh tunnel or something which would allow them to register.

Thanks

Joel

From rpolli at babel.it Thu Jul 23 14:53:29 2009
From: rpolli at babel.it (Roberto Polli)
Date: Thu, 23 Jul 2009 16:53:29 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <4A5E59F6.3040906@messinalug.org>
References: <4A5E0A20.7000600@messinalug.org> <4A5E0BAD.7030600@redhat.com> <4A5E59F6.3040906@messinalug.org>
Message-ID: <200907231653.29808.rpolli@babel.it>

hi all,

I got a similar problem with: dblink+proxyuser.
> Rich Megginson wrote:
>> Giovanni Mancuso wrote:
>> But if I try to execute the ldapsearch in the first directory server I have the
>> following error: proxy does not currently work with directory manager.
>> Directory manager is considered a "local" user to each directory server.
>> Try a different user. Now, I create a new user in first DS:
>
> By first DS do you mean the DS with the "real" database or the DS with the
> database link? We also refer to the DS with the "real" database as the
> "remote" DS and the DS with the database link as the "local" DS.

case1)
* I bind with uid=admin to the local DS tree to modify the "givenName" of a user on the remote server
* the modify is successful, as the uid=admin is proxied and the "uid=admin" is replicated on the remote server

case2)
* same as case1 but I try to modify "userPassword"
* the modify fails as the remote server won't evaluate aci on "uid=admin" but on "dn:proxyuser"

> Did you add an ACI to allow the uid=ttestuser,cn=config to add entries under
> node=testgio,dc=example,dc=com ?

To solve that issue it seems by this thread that you suggest giving (proxy+all) access to proxyuser instead of the proxied one (uid=admin).

IMHO this won't fit, as every proxied user will be granted write access; while the desired behaviour is to have the aci checked against uid=admin.

Am I wrong?

Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"The following message contains confidential information. Should you have received this message in error, please kindly notify us by e-mail. We also urge you to destroy the message received in error. The above is requested in order to comply with the law on the protection of personal data."
From rmeggins at redhat.com Thu Jul 23 15:36:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Jul 2009 09:36:21 -0600
Subject: [389-users] Latest Fedora/389 releases
In-Reply-To: <4A6812C4.5010302@gmail.com>
References: <4A6744AD.8070703@redhat.com> <4A6812C4.5010302@gmail.com>
Message-ID: <4A688375.9030806@redhat.com>

sigid at JINLab wrote:
> Rich Megginson wrote:
>> Techie wrote:
>>> Rich, list,
>>> These are the packages I have installed. Are these the latest for
>>> Fedora 9?
>>>
>> Yes, these are the latest.
>>
>> Note that Fedora 9 is soon scheduled for EOL - we will not be releasing
>> any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11 ASAP.
>
> 1. What could happen if we don't upgrade to Fedora 10 or Fedora 11?

You won't get any updates of 389 (fedora ds) - unless you build it yourself.

> 2. Is there any prediction on when 389DS will be released?

We're working on it - Real Soon Now - we just recently had the 389 packages approved for Fedora (even though it was essentially just renaming the packages from Fedora DS to 389, we still had to go through the entire new package review process . . .)

> Thanks

From rmeggins at redhat.com Thu Jul 23 15:49:43 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Jul 2009 09:49:43 -0600
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <200907231653.29808.rpolli@babel.it>
References: <4A5E0A20.7000600@messinalug.org> <4A5E0BAD.7030600@redhat.com> <4A5E59F6.3040906@messinalug.org> <200907231653.29808.rpolli@babel.it>
Message-ID: <4A688697.5080802@redhat.com>

Roberto Polli wrote:
> hi all,
>
> I got a similar problem with: dblink+proxyuser.
>
>> Rich Megginson wrote:
>>> Giovanni Mancuso wrote:
>>> But if I try to execute the ldapsearch in the first directory server I have the
>>> following error: proxy does not currently work with directory manager.
>>> Directory manager is considered a "local" user to each directory server.
>>> Try a different user. Now, I create a new user in first DS:
>>
>> By first DS do you mean the DS with the "real" database or the DS with the
>> database link? We also refer to the DS with the "real" database as the
>> "remote" DS and the DS with the database link as the "local" DS.
>
> case1)
> * I bind with uid=admin to the local DS tree to modify the "givenName" of a
> user on the remote server
> * the modify is successful, as the uid=admin is proxied and the "uid=admin" is
> replicated on the remote server
>
> case2)
> * same as case1 but I try to modify "userPassword"
> * the modify fails as the remote server won't evaluate aci on "uid=admin" but
> on "dn:proxyuser"

Is there an aci on the remote server that explicitly denies access to userPassword? How about on the local server?

>> Did you add an ACI to allow the uid=ttestuser,cn=config to add entries under
>> node=testgio,dc=example,dc=com ?
>
> To solve that issue it seems by this thread that you suggest giving
> (proxy+all) access to proxyuser instead of the proxied one (uid=admin)
>
> IMHO this won't fit, as every proxied user will be granted write access; while
> the desired behaviour is to have the aci checked against uid=admin
>
> Am I wrong?

You should not have to allow the proxy user "all" access, only "proxy" access. The proxy user is not a "superuser". The access control should apply to the actual user.

> Peace,
> R.
From rmeggins at redhat.com Thu Jul 23 15:50:43 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Jul 2009 09:50:43 -0600
Subject: [389-users] registered with an admin server behind a firewall
In-Reply-To: <4f89225b0907221838q66be24a0rb760d94c8644d256@mail.gmail.com>
References: <4f89225b0907221835m6bf1c1a5y7e5c51d6590ca378@mail.gmail.com> <4f89225b0907221838q66be24a0rb760d94c8644d256@mail.gmail.com>
Message-ID: <4A6886D3.2000503@redhat.com>

Joel Heenan wrote:
> I'm using Directory Server 8.1 on CentOS.
>
> I have multi-mastered servers set up in our administrative network,
> secured and locked away, working well. I have consumers set up out in
> other network zones and am planning to set up replication out to these
> servers. I wanted to keep the console as a single administration point
> for all the servers but I can't work out how I can register the
> consumers with the console given that they have no network access. Is
> the access needed once you have registered them? If not I could punch
> a quick ssh tunnel or something which would allow them to register.

I don't understand - you want to remotely manage the consumer servers with the console (which uses network access) but the consumers have no network access?

> Thanks
>
> Joel
From techchavez at gmail.com Thu Jul 23 16:00:21 2009
From: techchavez at gmail.com (Techie)
Date: Thu, 23 Jul 2009 09:00:21 -0700
Subject: [389-users] Latest Fedora/389 releases
In-Reply-To: <4A688375.9030806@redhat.com>
References: <4A6744AD.8070703@redhat.com> <4A6812C4.5010302@gmail.com> <4A688375.9030806@redhat.com>

I have what I think is a valid question regarding this..

So say I have my FC8 box acting as one of two MMR members and the CA for all my SSL operations including replication and client access.

What is the safe process to upgrade/rebuild the box to FC11 and keep replication agreements and the SSL certs valid or intact? The replication agreements are all over SSL and the certs were issued by this machine. If I take this box down to rebuild/upgrade, the certs will be invalid in my environment, correct? How would one handle this?

Thank you

On Thu, Jul 23, 2009 at 8:36 AM, Rich Megginson wrote:
> sigid at JINLab wrote:
>> Rich Megginson wrote:
>>> Techie wrote:
>>>> Rich, list,
>>>> These are the packages I have installed. Are these the latest for
>>>> Fedora 9?
>>>
>>> Yes, these are the latest.
>>>
>>> Note that Fedora 9 is soon scheduled for EOL - we will not be releasing
>>> any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11
>>> ASAP.
>>
>> 1. What could happen if we don't upgrade to Fedora 10 or Fedora 11?
>
> You won't get any updates of 389 (fedora ds) - unless you build it yourself.
>
>> 2. Is there any prediction on when 389DS will be released?
>
> We're working on it - Real Soon Now - we just recently had the 389 packages
> approved for Fedora (even though it was essentially just renaming the
> packages from Fedora DS to 389, we still had to go through the entire new
> package review process . . .)
>> Thanks

From rpolli at babel.it Thu Jul 23 16:59:21 2009
From: rpolli at babel.it (Roberto Polli)
Date: Thu, 23 Jul 2009 18:59:21 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <4A688697.5080802@redhat.com>
References: <4A5E0A20.7000600@messinalug.org> <200907231653.29808.rpolli@babel.it> <4A688697.5080802@redhat.com>
Message-ID: <200907231859.21674.rpolli@babel.it>

On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
> Roberto Polli wrote:
> > hi all,
> >
> > I got a similar problem with: dblink+proxyuser.
> >
> >> Rich Megginson wrote:
> >>> Giovanni Mancuso wrote:
> >>> But if I try to execute the ldapsearch in the first directory server I have
> >>> the following error: proxy does not currently work with directory
> >>> manager. Directory manager is considered a "local" user to each
> >>> directory server. Try a different user. Now, I create a new user in
> >>> first DS:
> >>
> >> By first DS do you mean the DS with the "real" database or the DS with
> >> the database link? We also refer to the DS with the "real" database as
> >> the "remote" DS and the DS with the database link as the "local" DS.
> >
> > case1)
> > * I bind with uid=admin to the local DS tree to modify the "givenName" of
> > a user on the remote server
> > * the modify is successful, as the uid=admin is proxied and the
> > "uid=admin" is replicated on the remote server
> >
> > case2)
> > * same as case1 but I try to modify "userPassword"
> > * the modify fails as the remote server won't evaluate aci on "uid=admin"
> > but on "dn:proxyuser"
>
> Is there an aci on the remote server that explicitly denies access to
> userPassword? How about on the local server?

nope: "deny" is never mentioned, neither in the local nor in the remote server.

# for i in "" "uid=pluto,node=isola3," "node=isola3,"; do
ldapsearch ..
  -b "${i}dc=babel,dc=it" -s base aci
done | grep -ci deny
0

acis on remote

aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN

aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN

aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (version 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");) // INHERITED FROM node=isola3

acis on remote are the same:

aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN

aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN

> You should not have to allow the proxy user "all" access, only "proxy"
> access. The proxy user is not a "superuser". The access control should
> apply to the actual user.

so proxy access should be able to change userPassword... do I have to set some custom settings in config (eg. plugins & co)

Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
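The following is an added worked example, not code from the thread or from 389 Directory Server. It models, in Python, the point Rich makes above: with proxy authorization the proxy identity only needs the "proxy" right, and every other right is evaluated against the proxied user. The three ACI strings are the ones Roberto posted for the remote server (with the mail client's line wrapping undone); the entry DN uid=pluto,node=isola3,dc=babel,dc=it comes from his ldapsearch loop, and uid=admin,dc=babel,dc=it is an assumed DN for the proxied user. The model covers only the ACI subset those three strings use (targetattr, target, allow with a userdn or roledn bind rule, default deny, no deny ACIs or filters), and it treats role membership as something each server computes from its own data, which is what Rich's later question about the SA role existing on both servers turns on. Note that these ACIs alone cannot reproduce the thread's asymmetry (givenName accepted, userPassword refused): in this model the proxied admin either holds the SA role on the remote server and may write both attributes, or lacks it and may write neither.

```python
"""Simplified model of ACI evaluation for a proxied (chained) modify.
Added illustration; not 389 Directory Server code.  Only the ACI subset
used in the thread is modelled: targetattr, target, allow(...) with a
userdn or roledn bind rule, default-deny, and no deny ACIs or filters."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# ACIs posted in the thread for the remote server, line wrapping undone.
REMOTE_ACIS = [
    '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr = "*") (version 3.0;acl "SA administration";allow (all)'
    '(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)',
    '(targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") '
    '(version 3.0;acl "proxy3proxy";allow (proxy)'
    '(userdn = "ldap:///uid=proxyuser3,cn=config");)',
]


@dataclass(frozen=True)
class Subject:
    """A bind identity as one server sees it.  Roles are computed by each
    server from its own data, so a DN may hold a role locally but not remotely."""
    dn: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Aci:
    name: str
    attr_negated: bool          # targetattr != "..."
    attrs: frozenset            # {'*'} means every attribute
    target: Optional[str]       # normalised target DN, None = whole suffix
    rights: frozenset
    bind_kind: str              # 'userdn' or 'roledn'
    bind_value: str             # normalised DN, or the keyword 'anyone'


def _norm(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison form."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())


def parse_aci(text: str) -> Aci:
    """Parse the ACI subset used in the thread; anything else is rejected."""
    m_attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    m_target = re.search(r'\(target\s*=\s*"ldap:///([^"]*)"\)', text)
    m_name = re.search(r'acl\s*"([^"]*)"', text)
    m_rule = re.search(
        r'allow\s*\(([^)]*)\)\s*\(?\s*(userdn|roledn)\s*=\s*"ldap:///([^"]*)"', text)
    if not (m_attr and m_name and m_rule):
        raise ValueError("unsupported ACI syntax: " + text)
    value = m_rule.group(3)
    return Aci(
        name=m_name.group(1),
        attr_negated=(m_attr.group(1) == "!="),
        attrs=frozenset(a.strip().lower() for a in m_attr.group(2).split("||")),
        target=_norm(m_target.group(1)) if m_target else None,
        rights=frozenset(r.strip().lower() for r in m_rule.group(1).split(",")),
        bind_kind=m_rule.group(2),
        bind_value=value if value == "anyone" else _norm(value),
    )


def _bind_matches(aci: Aci, subject: Subject) -> bool:
    if aci.bind_kind == "userdn":
        return aci.bind_value == "anyone" or aci.bind_value == _norm(subject.dn)
    return aci.bind_value in {_norm(r) for r in subject.roles}


def _scope_matches(aci: Aci, entry_dn: str, attr: str) -> bool:
    if aci.target is not None and not _norm(entry_dn).endswith(aci.target):
        return False
    a = attr.lower()
    return a not in aci.attrs if aci.attr_negated else ("*" in aci.attrs or a in aci.attrs)


def has_right(acis: Iterable[Aci], subject: Subject, entry_dn: str, attr: str, right: str) -> bool:
    """Default deny: granted only if some allow ACI for this subject covers the
    entry and attribute with the requested right (or 'all')."""
    return any(_bind_matches(aci, subject) and _scope_matches(aci, entry_dn, attr)
               and (right in aci.rights or "all" in aci.rights) for aci in acis)


def proxied_write_allowed(acis, proxy: Subject, real_user: Subject, entry_dn: str, attr: str) -> bool:
    """Two checks for a chained modify: the proxy identity needs 'proxy' on the
    entry, and the proxied user (not the proxy) needs 'write' on the attribute."""
    return (has_right(acis, proxy, entry_dn, attr, "proxy")
            and has_right(acis, real_user, entry_dn, attr, "write"))


ACIS = [parse_aci(a) for a in REMOTE_ACIS]
SA_ROLE = "cn=SA role,dc=babel,dc=it"
PROXY = Subject("uid=proxyuser3,cn=config")
ENTRY = "uid=pluto,node=isola3,dc=babel,dc=it"   # from the thread's ldapsearch loop


def scenarios() -> dict:
    """Outcomes for the thread's case 2 (modify userPassword) under this model."""
    admin_in_role = Subject("uid=admin,dc=babel,dc=it", frozenset({SA_ROLE}))  # DN assumed
    admin_no_role = Subject("uid=admin,dc=babel,dc=it")
    anonymous = Subject("")
    return {
        "admin_in_role": proxied_write_allowed(ACIS, PROXY, admin_in_role, ENTRY, "userPassword"),
        # remote server does not compute the role for uid=admin: denied for any attribute
        "admin_no_role": proxied_write_allowed(ACIS, PROXY, admin_no_role, ENTRY, "userPassword"),
        "admin_no_role_givenName": proxied_write_allowed(ACIS, PROXY, admin_no_role, ENTRY, "givenName"),
        "proxy_alone": has_right(ACIS, PROXY, ENTRY, "userPassword", "write"),  # proxy is no superuser
        "anon_read_givenName": has_right(ACIS, anonymous, ENTRY, "givenName", "read"),
        "anon_read_userPassword": has_right(ACIS, anonymous, ENTRY, "userPassword", "read"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} {'allowed' if ok else 'denied'}")
```

Running the block prints one line per scenario; the useful ones for this thread are `admin_in_role` (allowed), `admin_no_role` (denied) and `proxy_alone` (denied), which together show that granting the proxy user "all" rights, as Roberto feared, is neither needed nor safe: the decision should rest on what the proxied DN is allowed on the server that holds the data.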
From rmeggins at redhat.com Thu Jul 23 17:10:26 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 23 Jul 2009 11:10:26 -0600
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <200907231859.21674.rpolli@babel.it>
References: <4A5E0A20.7000600@messinalug.org> <200907231653.29808.rpolli@babel.it> <4A688697.5080802@redhat.com> <200907231859.21674.rpolli@babel.it>
Message-ID: <4A689982.4070800@redhat.com>

Roberto Polli wrote:
> On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
>> Roberto Polli wrote:
>>> hi all,
>>>
>>> I got a similar problem with: dblink+proxyuser.
>>>
>>>> Rich Megginson wrote:
>>>>> Giovanni Mancuso wrote:
>>>>> But if I try to execute the ldapsearch in the first directory server I have
>>>>> the following error: proxy does not currently work with directory
>>>>> manager. Directory manager is considered a "local" user to each
>>>>> directory server. Try a different user. Now, I create a new user in
>>>>> first DS:
>>>>
>>>> By first DS do you mean the DS with the "real" database or the DS with
>>>> the database link? We also refer to the DS with the "real" database as
>>>> the "remote" DS and the DS with the database link as the "local" DS.
>>>
>>> case1)
>>> * I bind with uid=admin to the local DS tree to modify the "givenName" of
>>> a user on the remote server
>>> * the modify is successful, as the uid=admin is proxied and the
>>> "uid=admin" is replicated on the remote server
>>>
>>> case2)
>>> * same as case1 but I try to modify "userPassword"
>>> * the modify fails as the remote server won't evaluate aci on "uid=admin"
>>> but on "dn:proxyuser"
>>
>> Is there an aci on the remote server that explicitly denies access to
>> userPassword? How about on the local server?
>
> nope: "deny" is never mentioned, neither in the local nor in the remote server.
>
> # for i in "" "uid=pluto,node=isola3," "node=isola3,"; do
> ldapsearch ..
>   -b "${i}dc=babel,dc=it" -s base aci
> done | grep -ci deny
> 0
>
> acis on remote
>
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
> allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN
>
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn
> = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>
> aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (version
> 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");)
> // INHERITED FROM node=isola3
>
> acis on remote are the same:
>
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
> allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN
>
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn
> = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>
>> You should not have to allow the proxy user "all" access, only "proxy"
>> access. The proxy user is not a "superuser". The access control should
>> apply to the actual user.
>
> so proxy access should be able to change userPassword...

Yes.

> do I have to set some custom settings in config (eg. plugins & co)

So the user uid=admin - is that the Directory Manager (rootdn)? If not, is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"? Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the local and remote servers?

> Peace,
> R.
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jul 23 17:10:58 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 23 Jul 2009 11:10:58 -0600 Subject: [389-users] Latest Fedora/389 releases In-Reply-To: References: <4A6744AD.8070703@redhat.com> <4A6812C4.5010302@gmail.com> <4A688375.9030806@redhat.com> Message-ID: <4A6899A2.5010608@redhat.com> Techie wrote: > I have what I think is a valid question regarding this.. > > So say I have my FC8 box acting as one of two MMR members and the CA > for all my SSL operations including replication and client access. > > What is the safe process to upgrade/rebuild the box to FC11 and keep > replication agreements and the SSL certs valid or intact. The > replication agreements are all over SSL and the certs were issued by > this machine. If I take this box down to rebuild/upgrade, the certs > will be invalid in my environment correct? Why would they be invalid? > How would one handle this? > > Thank you > > On Thu, Jul 23, 2009 at 8:36 AM, Rich Megginson wrote: > >> sigid at JINLab wrote: >> >>> Rich Megginson wrote: >>> >>> >>>> Techie wrote: >>>> >>>> >>>>> Rich, list, >>>>> These are the packages I have installed. Are these the latest for >>>>> Fedora 9? >>>>> >>>>> >>>> Yes, these are the latest. >>>> >>>> Note that Fedora 9 is soon scheduled for EOL - we will not be releasing >>>> any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11 >>>> ASAP. >>>> >>>> >>> 1. What could happen if we don't upgrade to fedora 10 or fedora 11? >>> >>> >> You won't get any updates of 389 (fedora ds) - unless you build it yourself. >> >>> 2. Is there any prediction on when the 389DS will be release? 
>>> >>> >> We're working on it - Real Soon Now - we just recently had the 389 packages >> approved for Fedora (even though it was essentially just renaming the >> packages from Fedora DS to 389, we still had to go through the entire new >> package review process . . .) >> >>> Thanks >>> >>> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rpolli at babel.it Thu Jul 23 17:28:55 2009 From: rpolli at babel.it (Roberto Polli) Date: Thu, 23 Jul 2009 19:28:55 +0200 Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem In-Reply-To: <4A689982.4070800@redhat.com> References: <4A5E0A20.7000600@messinalug.org> <200907231859.21674.rpolli@babel.it> <4A689982.4070800@redhat.com> Message-ID: <200907231928.56333.rpolli@babel.it> On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:> >>> case1) > >>> * I bind with uid=admin to the local DS tree to modify the "givenName" > >>> of a user on the remote server > >>> * the modify is successful, as the uid=admin is proxied and the > >>> "uid=admin" is replicated on the remote server > >>> > >>> case2) > >>> * same as case1 but I try to modify "userPassword" > >>> * the modify fails as the remote server won't evaluate aci on > >>> "uid=admin" but on "dn:proxyuser" > >> > So the user uid=admin - is that the Directory Manager (rootdn)? no > If not, > is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"? yes, and it can modify users' attribute, but password > Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the > local and remote servers? 
yes it seems that when I try to modify userPassword, the reference to uid=admin is not forwarded and only the proxyuser rights are used.. Peace, R. -- Roberto Polli Babel S.r.l. - http://www.babel.it Tel. +39.06.91801075 - fax +39.06.91612446 Tel. cel +39.340.6522736 P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma) "The following message contains confidential information. Should you have received this message in error, please kindly notify us by e-mail. We also urge you to destroy the message received in error. The above is requested of you in order to comply with the law on the protection of personal data."
From techchavez at gmail.com Thu Jul 23 17:44:12 2009 From: techchavez at gmail.com (Techie) Date: Thu, 23 Jul 2009 10:44:12 -0700 Subject: [389-users] Latest Fedora/389 releases In-Reply-To: <4A6899A2.5010608@redhat.com> References: <4A6744AD.8070703@redhat.com> <4A6812C4.5010302@gmail.com> <4A688375.9030806@redhat.com> <4A6899A2.5010608@redhat.com> Message-ID: On Thu, Jul 23, 2009 at 10:10 AM, Rich Megginson wrote: > Techie wrote: >> >> I have what I think is a valid question regarding this.. >> >> So say I have my FC8 box acting as one of two MMR members and the CA >> for all my SSL operations including replication and client access. >> >> What is the safe process to upgrade/rebuild the box to FC11 and keep >> replication agreements and the SSL certs valid or intact. The >> replication agreements are all over SSL and the certs were issued by >> this machine. If I take this box down to rebuild/upgrade, the certs >> will be invalid in my environment correct? > > Why would they be invalid? Well it may be just a lack of understanding on my part. My thinking was that this host issued all the SSL certs and I would be rebuilding the box, this in turn may adversely affect the SSL communications. Judging from your response I assume this is incorrect.
All hosts involved in replication have the CA cert and their server certs (both issued from this box) in their certificate stores. Because of this perhaps the SSL communication will still function normally. I have an idea of what I need to do. I will do some research/testing and see how things go. Thank you >> >> How would one handle this? >> >> Thank you >> >> On Thu, Jul 23, 2009 at 8:36 AM, Rich Megginson >> wrote: >> >>> >>> sigid at JINLab wrote: >>> >>>> >>>> Rich Megginson wrote: >>>> >>>> >>>>> >>>>> Techie wrote: >>>>> >>>>> >>>>>> >>>>>> Rich, list, >>>>>> These are the packages I have installed. Are these the latest for >>>>>> Fedora 9? >>>>>> >>>>>> >>>>> >>>>> Yes, these are the latest. >>>>> >>>>> Note that Fedora 9 is soon scheduled for EOL - we will not be releasing >>>>> any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11 >>>>> ASAP. >>>>> >>>>> >>>> >>>> 1. What could happen if we don't upgrade to fedora 10 or fedora 11? >>>> >>>> >>> >>> You won't get any updates of 389 (fedora ds) - unless you build it >>> yourself. >>> >>>> >>>> 2. Is there any prediction on when the 389DS will be release? >>>> >>>> >>> >>> We're working on it - Real Soon Now - we just recently had the 389 >>> packages >>> approved for Fedora (even though it was essentially just renaming the >>> packages from Fedora DS to 389, we still had to go through the entire new >>> package review process . . .) 
>>> >>>> >>>> Thanks >>>> >>>> >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From rmeggins at redhat.com Thu Jul 23 17:48:27 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 23 Jul 2009 11:48:27 -0600 Subject: [389-users] Latest Fedora/389 releases In-Reply-To: References: <4A6744AD.8070703@redhat.com> <4A6812C4.5010302@gmail.com> <4A688375.9030806@redhat.com> <4A6899A2.5010608@redhat.com> Message-ID: <4A68A26B.9000705@redhat.com> Techie wrote: > On Thu, Jul 23, 2009 at 10:10 AM, Rich Megginson wrote: > >> Techie wrote: >> >>> I have what I think is a valid question regarding this.. >>> >>> So say I have my FC8 box acting as one of two MMR members and the CA >>> for all my SSL operations including replication and client access. >>> >>> What is the safe process to upgrade/rebuild the box to FC11 and keep >>> replication agreements and the SSL certs valid or intact. The >>> replication agreements are all over SSL and the certs were issued by >>> this machine. If I take this box down to rebuild/upgrade, the certs >>> will be invalid in my environment correct? >>> >> Why would they be invalid? >> > Well it may be just a lack of understanding on my part. > My thinking was that this host issued all the SSL certs and I would be > rebuilding the box, this in turn may adversely effect the SSL > communications. Judging from your response I assume this is incorrect. > All hosts involved in replication have the CA cert and their server > certs (both issued from this box) in their certificate stores. Because > of this perhaps the SSL communication will still function normally. Yes. 
> I > have an idea of what I need to do. I will do some research/testing and > see how things go. > I think everything should continue to work fine. > Thank you > > > >>> How would one handle this? >>> >>> Thank you >>> >>> On Thu, Jul 23, 2009 at 8:36 AM, Rich Megginson >>> wrote: >>> >>> >>>> sigid at JINLab wrote: >>>> >>>> >>>>> Rich Megginson wrote: >>>>> >>>>> >>>>> >>>>>> Techie wrote: >>>>>> >>>>>> >>>>>> >>>>>>> Rich, list, >>>>>>> These are the packages I have installed. Are these the latest for >>>>>>> Fedora 9? >>>>>>> >>>>>>> >>>>>>> >>>>>> Yes, these are the latest. >>>>>> >>>>>> Note that Fedora 9 is soon scheduled for EOL - we will not be releasing >>>>>> any more updates for Fedora 9. I suggest an upgrade to F-10 or F-11 >>>>>> ASAP. >>>>>> >>>>>> >>>>>> >>>>> 1. What could happen if we don't upgrade to fedora 10 or fedora 11? >>>>> >>>>> >>>>> >>>> You won't get any updates of 389 (fedora ds) - unless you build it >>>> yourself. >>>> >>>> >>>>> 2. Is there any prediction on when the 389DS will be release? >>>>> >>>>> >>>>> >>>> We're working on it - Real Soon Now - we just recently had the 389 >>>> packages >>>> approved for Fedora (even though it was essentially just renaming the >>>> packages from Fedora DS to 389, we still had to go through the entire new >>>> package review process . . .) >>>> >>>> >>>>> Thanks >>>>> >>>>> >>>>> >>>> -- >>>> 389 users mailing list >>>> 389-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>>> >>>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
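Techie's question, whether rebuilding the box that issued every certificate invalidates them, can be tried end to end offline. What follows is an added example, not code from the list thread or from 389: it drives the openssl command line from Python to create a throwaway CA and a replica certificate, validates that certificate against the CA certificate alone (the way a peer with ca.crt in its store does), deletes the CA private key to stand in for the rebuilt box, and validates again. Host names and file names are constructed placeholders.

```python
"""
Added example; not code from the 389 list thread or from 389 itself. Drives the
openssl command line from Python to replay the scenario in the thread: a box
acts as CA, replicas hold the CA certificate, then the CA box is rebuilt and its
private key is lost. Host names and file names are constructed placeholders.
"""
import os
import subprocess
import tempfile


def _openssl(*args, cwd):
    """Run one openssl subcommand inside cwd; True when it exits with status 0."""
    proc = subprocess.run(["openssl", *args], cwd=cwd,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def create_ca(workdir):
    """Self-signed CA. ca.key stays on the CA box; ca.crt is copied to every peer."""
    return _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", "ca.key", "-out", "ca.crt", "-days", "365",
                    "-subj", "/CN=Example Internal CA", cwd=workdir)


def issue_server_cert(workdir, cn, name="server", days=90):
    """Key and CSR for one replica, then sign the CSR with the CA key."""
    ok = _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                  "-keyout", f"{name}.key", "-out", f"{name}.csr",
                  "-subj", f"/CN={cn}", cwd=workdir)
    return ok and _openssl("x509", "-req", "-in", f"{name}.csr",
                           "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                           "-out", f"{name}.crt", "-days", str(days), cwd=workdir)


def cert_is_trusted(workdir, name="server", ca_file="ca.crt"):
    """Chain validation the way a peer does it: only the CA certificate it was
    given counts (the system trust store is switched off)."""
    args = ["verify", "-no-CAfile", "-no-CApath"]
    if ca_file:
        args += ["-CAfile", ca_file]
    return _openssl(*args, f"{name}.crt", cwd=workdir)


def cert_valid_for(workdir, seconds, name="server"):
    """True if the certificate does not expire within the next `seconds`."""
    return _openssl("x509", "-noout", "-checkend", str(seconds),
                    "-in", f"{name}.crt", cwd=workdir)


def run_scenario():
    """Replay the scenario and return what each step observes."""
    with tempfile.TemporaryDirectory() as work:
        obs = {}
        obs["ca_created"] = create_ca(work)
        obs["replica_cert_issued"] = issue_server_cert(work, "ds1.example.test")
        obs["trusted_by_peer_holding_ca_crt"] = cert_is_trusted(work)
        obs["trusted_with_empty_store"] = cert_is_trusted(work, ca_file=None)
        os.remove(os.path.join(work, "ca.key"))      # the CA box is rebuilt: key gone
        obs["trusted_after_ca_key_lost"] = cert_is_trusted(work)
        obs["still_within_validity"] = cert_valid_for(work, 24 * 3600)
        obs["can_issue_new_cert"] = issue_server_cert(work, "ds2.example.test", "ds2")
        return obs


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:32s} {outcome}")
```

It needs the openssl binary on PATH. The observations match Rich's answer: trust survives the loss of the CA key because the peers validate against ca.crt, and the certificates keep working until their notAfter date (cert_valid_for is the check to schedule, given the lapsed-certificate thread earlier in this archive). The one thing that does break is can_issue_new_cert, so the CA key, wherever it lives on that host, is what to back up before the rebuild.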
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu Jul 23 18:02:37 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 23 Jul 2009 12:02:37 -0600 Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem In-Reply-To: <200907231928.56333.rpolli@babel.it> References: <4A5E0A20.7000600@messinalug.org> <200907231859.21674.rpolli@babel.it> <4A689982.4070800@redhat.com> <200907231928.56333.rpolli@babel.it> Message-ID: <4A68A5BD.2020902@redhat.com> Roberto Polli wrote: > On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:> >>> case1) > >>>>> * I bind with uid=admin to the local DS tree to modify the "givenName" >>>>> of a user on the remote server >>>>> * the modify is successful, as the uid=admin is proxied and the >>>>> "uid=admin" is replicated on the remote server >>>>> >>>>> case2) >>>>> * same as case1 but I try to modify "userPassword" >>>>> * the modify fails as the remote server won't evaluate aci on >>>>> "uid=admin" but on "dn:proxyuser" >>>>> > > >> So the user uid=admin - is that the Directory Manager (rootdn)? >> > no > > >> If not, >> is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"? >> > yes, and it can modify users' attribute, but password > > >> Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the >> local and remote servers? >> > yes > > it seems that when I try to modify userPassword, the reference to uid=admin is > not forwarded and only the proxyuser rights are used.. > I suppose you could turn on ACL summary logging to see what's going on. http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting > > Peace, > R. > -------------- next part -------------- A non-text attachment was scrubbed... 
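To make Rich's point concrete (the proxy user needs only the proxy right; the access control is evaluated for the actual user), here is an added example, not code from the list thread and not 389's own ACL engine: a deliberately small model of ACI evaluation for the three ACIs Roberto posted (unwrapped), with proxied authorization modelled as a two-step check. The full DN of uid=admin and its membership in cn=SA role are assumptions, since the thread shows only the RDN and Roberto's statement that the user is in the role.

```python
"""
Added example; not code from the 389 list thread and not 389's ACL engine. A
small model of how ACIs of the shape Roberto posted are evaluated, with proxied
authorization as a two-step check, to show what the three ACIs grant to each
identity. The DN of uid=admin and its role membership are assumed.
"""
import re

# One ACI of the form used in the thread: targetattr, optional target, allow
# rights, and a single userdn/roledn bind rule (other bind rules are not modelled).
ACI_RE = re.compile(
    r'\(targetattr\s*(?P<neg>!?)=\s*"(?P<attrs>[^"]*)"\)\s*'
    r'(?:\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\)\s*)?'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'\(?\s*(?P<subj>userdn|roledn)\s*=\s*"ldap:///(?P<who>[^"]*)"\s*\)?;?\s*\)',
    re.IGNORECASE)

# "all" grants every ordinary right but not proxy, which has to be listed explicitly.
ALL_RIGHTS = {"read", "write", "search", "compare", "delete", "add", "selfwrite"}


def parse_aci(text):
    """Parse one ACI string into a rule dict; raises on shapes the model ignores."""
    m = ACI_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    rights = {r.strip().lower() for r in m["rights"].split(",")}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    return {"name": m["name"], "negate": m["neg"] == "!",
            "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
            "target": (m["target"] or "").lower(), "rights": rights,
            "subject": m["subj"].lower(), "who": m["who"].lower()}


def _under(entry_dn, target_dn):
    return entry_dn == target_dn or entry_dn.endswith("," + target_dn)


def is_allowed(acis, bind_dn, roles, entry_dn, attr, right):
    """Default deny: some ACI must grant `right` on `attr` of `entry_dn` to this
    identity (bind_dn None means anonymous; roles are role DNs the user holds)."""
    bind_dn = (bind_dn or "").lower()
    roles = {r.lower() for r in roles}
    for aci in acis:
        if aci["target"] and not _under(entry_dn.lower(), aci["target"]):
            continue
        listed = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
        if listed == aci["negate"]:   # plain rule needs the attr listed; != needs it absent
            continue
        if right not in aci["rights"]:
            continue
        if aci["subject"] == "userdn":
            if aci["who"] not in ("anyone", bind_dn):
                continue
        elif aci["who"] not in roles:
            continue
        return True
    return False


def is_allowed_via_proxy(acis, proxy_dn, user_dn, user_roles, entry_dn, attr, right):
    """Proxied authorization: the bound proxy identity needs the proxy right on the
    entry; the requested right is then evaluated for the user being proxied."""
    if not is_allowed(acis, proxy_dn, set(), entry_dn, attr, "proxy"):
        return False
    return is_allowed(acis, user_dn, user_roles, entry_dn, attr, right)


ACIS = [parse_aci(s) for s in (
    '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr = "*") (version 3.0;acl "SA administration";allow (all)'
    '(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)',
    '(targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") '
    '(version 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");)',
)]
ADMIN = "uid=admin,dc=babel,dc=it"             # assumed DN; the thread shows only the RDN
ADMIN_ROLES = {"cn=SA role,dc=babel,dc=it"}    # assumed: Roberto says admin is in the role
PROXY = "uid=proxyuser3,cn=config"
ENTRY = "uid=pluto,node=isola3,dc=babel,dc=it"


def scenario():
    """Who can do what on the remote entry under these three ACIs."""
    return {
        "anonymous_read_givenName": is_allowed(ACIS, None, set(), ENTRY, "givenName", "read"),
        "anonymous_read_userPassword": is_allowed(ACIS, None, set(), ENTRY, "userPassword", "read"),
        "admin_proxied_write_userPassword": is_allowed_via_proxy(
            ACIS, PROXY, ADMIN, ADMIN_ROLES, ENTRY, "userPassword", "write"),
        "proxyuser_alone_write_givenName": is_allowed(ACIS, PROXY, set(), ENTRY, "givenName", "write"),
        "proxyuser_alone_write_userPassword": is_allowed(ACIS, PROXY, set(), ENTRY, "userPassword", "write"),
    }


if __name__ == "__main__":
    for check, outcome in scenario().items():
        print(f"{check:36s} {'allowed' if outcome else 'denied'}")
```

Under these three ACIs the proxied admin may write userPassword, while the proxy user on its own may write nothing, not even givenName. Since case1 (givenName) does succeed on the remote server, the proxied identity is evidently honoured for that attribute, which is why the ACL summary logging Rich points to is the right next step: it records which identity and which ACI decided the userPassword modify, rather than leaving that to inference.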
From psundaram at wgen.net Fri Jul 24 15:56:21 2009 From: psundaram at wgen.net (Prashanth Sundaram) Date: Fri, 24 Jul 2009 11:56:21 -0400 Subject: [389-users] Getent and ldapsearch import from openldap Message-ID:

Hi all,

I am trying to migrate all users from openldap to FDS. The schema and object class in openldap is pretty messed up and needs a lot of massaging. I tried exporting the schema and running the conversion script but it usually fails and the db import is not correct.

Requirement: Only users with uid, gid and homedir needed. Nothing more or less.

So I did this, for Users, uid, gid, homedir import:

#getent passwd

Sample output:
oracle:x:1001:1001:oracle:/home/oracle:/bin/bash

Now, run ./migrate_passwd.pl on the above output to convert to ldif file. The result was like below.

Sample output ldif:
dn: uid=oracle,ou=People,dc=fedorads,dc=net
uid: oracle
cn: oracle
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/oracle
gecos: oracle

For Password import:

ldapsearch -D BindDN -W -x uid=* userPassword uidNumber gidNumber

sample:
dn: uid=oracle,ou=People,dc=padl,dc=net
uidNumber: 1001
gidNumber: 1001
userPassword:: e01ENX1nbDdQNm5iU3FQOGZJOTdVWXM2QXp3PT8H9

Question 1: Please comment on above. Tell me if I could have simplified the approach. Is there a better way to import the password from OpenLDAP? The conversion schema is not working for me and it was set default.

Question 2: Now I have two databases with user and password separate. Can I import them separately and have it working?

Question 3: When I imported, I got only 500 users in db and the rest didn't make it. I am trying to remember which file and what limit needs to be edited for this issue.
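Prashanth's second question (two separate LDIF sets, one with accounts and one with passwords) and, later in this archive, melvin's ldifde export both come down to reshaping LDIF before ldif2db. The block below is an added example, not code from the list thread or from 389's migration scripts: a minimal LDIF parser that unfolds continuation lines and decodes `::` base64 values, the getent-to-posixAccount conversion, a merge that puts the exported hashes in place of the `{crypt}x` placeholder, and a filter that reduces an AD user object to inetOrgPerson attributes. The suffix, the sample hash and the mail domain are constructed.

```python
"""Added example; not code from the 389 list thread or from 389's own scripts. An
LDIF toolkit for the migrations in this archive: getent passwd lines become
posixAccount entries, exported OpenLDAP userPassword hashes are merged in, and an
Active Directory ldifde export (like the one posted later) is reduced to
attributes with a standard-schema home. Suffix, hash and domain are constructed."""
import base64
import re

BASE_DN = "dc=example,dc=test"   # constructed target suffix

def parse_ldif(text):
    """[(dn, {attr: [values]})]; unfolds continuation lines, decodes 'attr::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded line: belongs to the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                   # the extra "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                     if value.startswith(":") else value.strip())
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return entries

def _rdn_value(dn, attr="uid"):
    m = re.match(rf"\s*{attr}=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else None

def passwd_to_entry(line, base_dn=BASE_DN):
    """getent passwd line -> posixAccount entry, the shape migrate_passwd.pl emits."""
    user, _x, uid, gid, gecos, home, shell = line.strip().split(":")
    return (f"uid={user},ou=People,{base_dn}", {
        "objectClass": ["top", "account", "posixAccount"], "uid": [user], "cn": [user],
        "gecos": [gecos or user], "uidNumber": [uid], "gidNumber": [gid],
        "homeDirectory": [home], "loginShell": [shell],
        "userPassword": ["{crypt}x"]})      # getent only ever shows the 'x' placeholder

def merge_passwords(entries, password_export):
    """Replace the {crypt}x placeholder with the exported hash, matched on the uid RDN
    (the suffixes may differ); users without a hash get no userPassword at all."""
    hashes = {_rdn_value(dn): a.get("userPassword") for dn, a in password_export}
    merged = []
    for dn, attrs in entries:
        attrs, real = dict(attrs), hashes.get(_rdn_value(dn))
        if real:
            attrs["userPassword"] = list(real)
        else:
            attrs.pop("userPassword", None)
        merged.append((dn, attrs))
    return merged

# AD attribute -> standard attribute; anything else in an ldifde export (objectSid,
# uSN*, instanceType, msExch*, ...) has no schema home in 389 and is dropped.
AD_TO_STANDARD = {"samaccountname": "uid", "cn": "cn", "sn": "sn",
                  "givenname": "givenName", "displayname": "displayName", "mail": "mail"}

def ad_user_to_inetorgperson(dn, attrs, base_dn=BASE_DN):
    """AD user object -> inetOrgPerson under the new suffix; None if not a user."""
    lower = {k.lower(): v for k, v in attrs.items()}
    classes = {c.lower() for c in lower.get("objectclass", [])}
    if "user" not in classes or "samaccountname" not in lower:
        return None
    out = {"objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"]}
    out.update({std: list(lower[ad]) for ad, std in AD_TO_STANDARD.items() if ad in lower})
    return (f"uid={out['uid'][0]},ou=People,{base_dn}", out)

def to_ldif(entries):
    """Serialise entries; values LDIF cannot carry verbatim are base64-encoded."""
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        for name, values in attrs.items():
            for v in values:
                safe = v.isascii() and v == v.strip() and v[:1] not in ("<", ":")
                out.append(f"{name}: {v}" if safe
                           else f"{name}:: {base64.b64encode(v.encode()).decode()}")
        out.append("")
    return "\n".join(out)

# Constructed inputs: two passwd lines, the matching OpenLDAP export, one AD user.
PASSWD_LINES = ["oracle:x:1001:1001:oracle:/home/oracle:/bin/bash",
                "nohash:x:1002:1002::/home/nohash:/bin/sh"]
SAMPLE_HASH = "{SSHA}constructed-sample-not-a-real-hash"
OPENLDAP_EXPORT = ("dn: uid=oracle,ou=People,dc=old,dc=test\nuidNumber: 1001\n"
                   "userPassword:: " + base64.b64encode(SAMPLE_HASH.encode()).decode() + "\n")
AD_EXPORT = ("dn: CN=Legal D,OU=staff,DC=old,DC=test\nchangetype: add\nobjectClass: top\n"
             "objectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\n"
             "cn: Legal D\nsn: D\ngivenName: Legal\ndisplayName: Legal D\nuSNCreated: 53994\n"
             "homeMTA: CN=Microsoft MTA,CN=Servers,CN=First Administrative Group,CN=Admi\n"
             " nistrative Groups,DC=old,DC=test\nsAMAccountName: legal\nmail: legal@example.test\n")

def run_migration():
    """(merged posix entries, converted AD entries, LDIF text ready for ldif2db)."""
    posix = merge_passwords([passwd_to_entry(l) for l in PASSWD_LINES],
                            parse_ldif(OPENLDAP_EXPORT))
    ad = [e for e in (ad_user_to_inetorgperson(d, a) for d, a in parse_ldif(AD_EXPORT)) if e]
    return posix, ad, to_ldif(posix + ad)
```

Matching is done on the uid RDN rather than on the whole DN because the old and new suffixes differ (dc=padl,dc=net against dc=fedorads,dc=net in the thread). For the AD export an allowlist is the safer direction than a blocklist: anything not mapped is dropped, so objectSid, uSNCreated, the msExch* attributes and the Exchange DNs never reach the import. Accounts whose hash was not exported are written without a userPassword, which is preferable to importing a {crypt}x value that looks like a credential but can never match.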
URL: From craigwhite at azapple.com Fri Jul 24 16:33:31 2009 From: craigwhite at azapple.com (Craig White) Date: Fri, 24 Jul 2009 09:33:31 -0700 Subject: [389-users] Getent and ldapsearch import from openldap In-Reply-To: References: Message-ID: <1248453211.8413.70.camel@lin-workstation.azapple.com> On Fri, 2009-07-24 at 11:56 -0400, Prashanth Sundaram wrote: > Hi all, > > I am trying to migrate all users from openldap to FDS. The schema and > object class in openldap is pretty messed up and needs lot of > massaging. I tried exporting the schema and running the conversion > script but it usually fails and the db import is not correct. > > Requirement: Only users with uid, gid and homedir needed. Nothing more > or less > > So I did this, for Users, uid, gid, homedir import: > > #getent passwd > Sample output: > oracle:x:1001:1001:oracle:/home/oracle:/bin/bash > > Now, run ./migrate_passwd.pl on the aboveoutput to convert to ldif > file. The result was like below. > Sample output ldif: > dn: uid=oracle,ou=People,dc=fedorads,dc=net uid: oracle cn: oracle > objectClass: account objectClass: posixAccount objectClass: top > userPassword: {crypt}x loginShell: /bin/bash uidNumber: 1001 > gidNumber: 1001 homeDirectory: /home/oracle gecos: oracle > > For Password import > > ldapsearch ?D BindDN ?W ?x uid=* userPassword uidNumber gidNumber > sample > dn: uid=oracle,ou=People,dc=padl,dc=net uidNumber: 1001 gidNumber: > 1001 userPassword:: e01ENX1nbDdQNm5iU3FQOGZJOTdVWXM2QXp3PT8H9 > > Question 1: Please comment on above. Tell me if I could have > simplified the approach. Is there a better way to import the password > from OpenLDAP? The conversion schema is not working for me and it was > set default. > > Question 2: Now I have two database with user and password separate. > Can I import them separately and have it working? > > Question 3: When I imported, I got only 500users in db and rest didn?t > make it. 
I am trying to remember which file and what limit needs to be > edited for this issue. ---- Q1 - yes Q2 - no Q3 - yes, I think the rootbinddn does not have limits in openLDAP ldapsearch -D BindDN -W -x '(homedir=/home/*)' -l max > /tmp/dump.ldif but definitely use rootbinddn so you get passwords and no limits Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From obirimelvin at gmail.com Sat Jul 25 09:14:16 2009 From: obirimelvin at gmail.com (melvin obiri) Date: Sat, 25 Jul 2009 12:14:16 +0300 Subject: [389-users] AD LDIF help Message-ID: I'd like some help in importing this ldif to fds ; how I get errors, am not sure which ones are supported and required for me to move users credentials from AD -> FDS; Anyone with an idea can point me here ************LDIF start****************************** dn: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Legal D sn: D givenName: Legal distinguishedName: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke instanceType: 4 whenCreated: 20081031124920.0Z whenChanged: 20081031124931.0Z displayName: Legal D uSNCreated: 53994 uSNChanged: 54001 homeMTA: CN=Microsoft MTA,CN=MYMSG002,CN=Servers,CN=First Administrative Group,CN=Admi nistrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=C onfiguration,DC=my,DC=co,DC=ke proxyAddresses: SMTP:legal at my.co.ke proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=D;g=Legal; homeMDB: CN=Mailbox Store (MYMSG002),CN=First Storage Group,CN=InformationStore,CN=MY MSG002,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Fi rst Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=my,DC= co,DC=ke mDBUseDefaults: TRUE mailNickname: legal name: Legal D objectGUID:: NXpu+vZD+kum0AMwrajanw== userAccountControl: 66048 badPwdCount: 2 codePage: 0 countryCode: 0 badPasswordTime: 
128873658553906250 lastLogoff: 0 lastLogon: 128854531816093750 pwdLastSet: 128699309609531250 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq0wUAAA== accountExpires: 9223372036854775807 logonCount: 8 sAMAccountName: legal sAMAccountType: 805306368 showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Co ntainer,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configurati on,DC=my,DC=co,DC=ke showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=First Organiza tion,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=my,DC=co,DC=ke legacyExchangeDN: /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=legal userPrincipalName: legal at my.co.ke objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=my,DC=co,DC=ke textEncodedORAddress: c=US;a= ;p=First Organizati;o=Exchange;s=D;g=Legal; mail: legal at my.co.ke msExchHomeServerName: /o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Server s/cn=MYAMSG002 msExchALObjectVersion: 49 msExchMailboxSecurityDescriptor:: AQAEgHgAAACUAAAAAAAAABQAAAAEAGQAAQAAAAACFAADAAIAAQEAAAAAAAUKAAAAAAAAAGkAcgBlAG sAdQAsAE8AVQAAAQAAAAEAAAEAAAAgAAAAQwA9AG0AZgBhACwARABDAD0AZwBvACwARABDAD0AawBl AAAAAQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq9AEAAAEFAAAAAAAFFQAAAE5hB4O0io+RBwtLKvQBAA A= msExchUserAccountControl: 0 msExchMailboxGuid:: AkHm6pJ1Yk+sgMUAU8hb4g== msExchPoliciesIncluded: {D3F64A3C-F3D9-4082-9687-C4F00135CABA},{26491CFC-9E50-4857-861B-0CB8DF22B5D7} ***************************end ldif************************************************************************* -------------- next part -------------- An HTML attachment was scrubbed... URL: From jsullivan at opensourcedevel.com Sat Jul 25 10:34:44 2009 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III) Date: Sat, 25 Jul 2009 06:34:44 -0400 Subject: [389-users] AD LDIF help In-Reply-To: References: Message-ID: <1248518084.6484.6.camel@jaspav.missionsit.net.missionsit.net> On Sat, 2009-07-25 at 12:14 +0300, melvin obiri wrote: > I'd like some help in importing this ldif to fds ; how I get errors, > am not sure which ones are supported and required for me to move users > credentials from AD -> FDS; > Anyone with an idea can point me here > > > ************LDIF start****************************** > dn: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke > changetype: add > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: user > cn: Legal D > sn: D > givenName: Legal > distinguishedName: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke > instanceType: 4 > whenCreated: 20081031124920.0Z > whenChanged: 20081031124931.0Z > displayName: Legal D > uSNCreated: 53994 > uSNChanged: 54001 > homeMTA: > CN=Microsoft MTA,CN=MYMSG002,CN=Servers,CN=First Administrative > Group,CN=Admi > nistrative Groups,CN=First Organization,CN=Microsoft > Exchange,CN=Services,CN=C > onfiguration,DC=my,DC=co,DC=ke > proxyAddresses: SMTP:legal at my.co.ke > proxyAddresses: X400:c=US;a= ;p=First > Organizati;o=Exchange;s=D;g=Legal; > homeMDB: > CN=Mailbox Store (MYMSG002),CN=First Storage > Group,CN=InformationStore,CN=MY > MSG002,CN=Servers,CN=First Administrative Group,CN=Administrative > Groups,CN=Fi > rst Organization,CN=Microsoft > Exchange,CN=Services,CN=Configuration,DC=my,DC= > co,DC=ke > mDBUseDefaults: TRUE > mailNickname: legal > name: Legal D > objectGUID:: NXpu+vZD+kum0AMwrajanw== > userAccountControl: 66048 > badPwdCount: 2 > codePage: 0 > countryCode: 0 > badPasswordTime: 128873658553906250 > lastLogoff: 0 > lastLogon: 128854531816093750 > pwdLastSet: 128699309609531250 > primaryGroupID: 513 > objectSid:: AQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq0wUAAA== > accountExpires: 9223372036854775807 > logonCount: 8 > sAMAccountName: legal > sAMAccountType: 805306368 > 
showInAddressBook: > CN=Default Global Address List,CN=All Global Address Lists,CN=Address > Lists Co > ntainer,CN=First Organization,CN=Microsoft > Exchange,CN=Services,CN=Configurati > on,DC=my,DC=co,DC=ke > showInAddressBook: > CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=First > Organiza > tion,CN=Microsoft > Exchange,CN=Services,CN=Configuration,DC=my,DC=co,DC=ke > legacyExchangeDN: > /o=First Organization/ou=First Administrative > Group/cn=Recipients/cn=legal > userPrincipalName: legal at my.co.ke > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=my,DC=co,DC=ke > textEncodedORAddress: c=US;a= ;p=First > Organizati;o=Exchange;s=D;g=Legal; > mail: legal at my.co.ke > msExchHomeServerName: > /o=First Organization/ou=First Administrative > Group/cn=Configuration/cn=Server > s/cn=MYAMSG002 > msExchALObjectVersion: 49 > msExchMailboxSecurityDescriptor:: > AQAEgHgAAACUAAAAAAAAABQAAAAEAGQAAQAAAAACFAADAAIAAQEAAAAAAAUKAAAAAAAAAGkAcgBlAG > sAdQAsAE8AVQAAAQAAAAEAAAEAAAAgAAAAQwA9AG0AZgBhACwARABDAD0AZwBvACwARABDAD0AawBl > AAAAAQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq9AEAAAEFAAAAAAAFFQAAAE5hB4O0io > +RBwtLKvQBAA > A= > msExchUserAccountControl: 0 > msExchMailboxGuid:: AkHm6pJ1Yk+sgMUAU8hb4g== > msExchPoliciesIncluded: > {D3F64A3C-F3D9-4082-9687-C4F00135CABA},{26491CFC-9E50-4857-861B-0CB8DF22B5D7} > ***************************end > ldif************************************************************************* This is not an area of expertise for me and you probably know more than I but may I ask what you are trying to do at a high level; perhaps there is an easier way. Are you trying to migrate from AD to FDS and thus trying to move your users? Thanks - John -- John A. 
Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From amessina at messinet.com Sat Jul 25 19:17:39 2009 From: amessina at messinet.com (Anthony Messina) Date: Sat, 25 Jul 2009 14:17:39 -0500 Subject: [389-users] ACI Confusion (New to 389 Came from OL): Message-ID: <200907251417.45669.amessina@messinet.com> Hello, firstly, thanks for 389! I have just migrated my small domain from OL to 389 DS including some basic replication and have found it to be a solid, reliable and quick system. I am however having a lot of confusion with ACIs. I am trying to create ACIs with the same specificity that I had with OL and eGroupWare (http://egroupware.org), but can't seem to get one of them figured out. This is what I'm trying to accomplish (in OL format): access to dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=children by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write by * none access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=entry by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" read by * none access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" write by * none I have tried using the following in 389 DS to no avail. On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry... 
(targetattr = "*") (target = "ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "eGW personal addressbook access";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");) I need to have the uid of the binding user be matched to the cn of the tree root for personal contacts. How would I allow access by the bind user of: "uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com" to the entry and subentries of: cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com" References to the suggested ACLs (for OL) are here: http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressbook.conf http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addressbook.conf Thank you very much in advance for your assistance. -- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: This is a digitally signed message part. URL: From obirimelvin at gmail.com Sat Jul 25 20:48:03 2009 From: obirimelvin at gmail.com (melvin obiri) Date: Sat, 25 Jul 2009 23:48:03 +0300 Subject: [389-users] AD LDIF help In-Reply-To: <1248518084.6484.6.camel@jaspav.missionsit.net.missionsit.net> References: <1248518084.6484.6.camel@jaspav.missionsit.net.missionsit.net> Message-ID: thanks John, Am trying to Migrate users from AD to FDS ; Its a production Windows 2003 with AD ; Was given one time access so I exported most of the users using ldifde -f **.ldif ; Intention was to replicate a similar AD server then work on it off site, to realize migration. 
On the Overall is to get a SAMBA pdc , have mail users stored in FDS ; But priority is mail On Sat, Jul 25, 2009 at 1:34 PM, John A. Sullivan III < jsullivan at opensourcedevel.com> wrote: > On Sat, 2009-07-25 at 12:14 +0300, melvin obiri wrote: > > I'd like some help in importing this ldif to fds ; how I get errors, > > am not sure which ones are supported and required for me to move users > > credentials from AD -> FDS; > > Anyone with an idea can point me here > > > > > > ************LDIF start****************************** > > dn: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke > > changetype: add > > objectClass: top > > objectClass: person > > objectClass: organizationalPerson > > objectClass: user > > cn: Legal D > > sn: D > > givenName: Legal > > distinguishedName: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke > > instanceType: 4 > > whenCreated: 20081031124920.0Z > > whenChanged: 20081031124931.0Z > > displayName: Legal D > > uSNCreated: 53994 > > uSNChanged: 54001 > > homeMTA: > > CN=Microsoft MTA,CN=MYMSG002,CN=Servers,CN=First Administrative > > Group,CN=Admi > > nistrative Groups,CN=First Organization,CN=Microsoft > > Exchange,CN=Services,CN=C > > onfiguration,DC=my,DC=co,DC=ke > > proxyAddresses: SMTP:legal at my.co.ke > > proxyAddresses: X400:c=US;a= ;p=First > > Organizati;o=Exchange;s=D;g=Legal; > > homeMDB: > > CN=Mailbox Store (MYMSG002),CN=First Storage > > Group,CN=InformationStore,CN=MY > > MSG002,CN=Servers,CN=First Administrative Group,CN=Administrative > > Groups,CN=Fi > > rst Organization,CN=Microsoft > > Exchange,CN=Services,CN=Configuration,DC=my,DC= > > co,DC=ke > > mDBUseDefaults: TRUE > > mailNickname: legal > > name: Legal D > > objectGUID:: NXpu+vZD+kum0AMwrajanw== > > userAccountControl: 66048 > > badPwdCount: 2 > > codePage: 0 > > countryCode: 0 > > badPasswordTime: 128873658553906250 > > lastLogoff: 0 > > lastLogon: 128854531816093750 > > pwdLastSet: 128699309609531250 > > primaryGroupID: 513 > > objectSid:: 
AQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq0wUAAA== > > accountExpires: 9223372036854775807 > > logonCount: 8 > > sAMAccountName: legal > > sAMAccountType: 805306368 > > showInAddressBook: > > CN=Default Global Address List,CN=All Global Address Lists,CN=Address > > Lists Co > > ntainer,CN=First Organization,CN=Microsoft > > Exchange,CN=Services,CN=Configurati > > on,DC=my,DC=co,DC=ke > > showInAddressBook: > > CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=First > > Organiza > > tion,CN=Microsoft > > Exchange,CN=Services,CN=Configuration,DC=my,DC=co,DC=ke > > legacyExchangeDN: > > /o=First Organization/ou=First Administrative > > Group/cn=Recipients/cn=legal > > userPrincipalName: legal at my.co.ke > > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=my,DC=co,DC=ke > > textEncodedORAddress: c=US;a= ;p=First > > Organizati;o=Exchange;s=D;g=Legal; > > mail: legal at my.co.ke > > msExchHomeServerName: > > /o=First Organization/ou=First Administrative > > Group/cn=Configuration/cn=Server > > s/cn=MYAMSG002 > > msExchALObjectVersion: 49 > > msExchMailboxSecurityDescriptor:: > > > AQAEgHgAAACUAAAAAAAAABQAAAAEAGQAAQAAAAACFAADAAIAAQEAAAAAAAUKAAAAAAAAAGkAcgBlAG > > > sAdQAsAE8AVQAAAQAAAAEAAAEAAAAgAAAAQwA9AG0AZgBhACwARABDAD0AZwBvACwARABDAD0AawBl > > AAAAAQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq9AEAAAEFAAAAAAAFFQAAAE5hB4O0io > > +RBwtLKvQBAA > > A= > > msExchUserAccountControl: 0 > > msExchMailboxGuid:: AkHm6pJ1Yk+sgMUAU8hb4g== > > msExchPoliciesIncluded: > > > {D3F64A3C-F3D9-4082-9687-C4F00135CABA},{26491CFC-9E50-4857-861B-0CB8DF22B5D7} > > ***************************end > > > ldif************************************************************************* > > This is not an area of expertise for me and you probably know more than > I but may I ask what you are trying to do at a high level; perhaps there > is an easier way. Are you trying to migrate from AD to FDS and thus > trying to move your users? Thanks - John > -- > John A. 
Sullivan III > Open Source Development Corporation > +1 207-985-7880 > jsullivan at opensourcedevel.com > > http://www.spiritualoutreach.com > Making Christianity intelligible to secular society > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jsullivan at opensourcedevel.com Sat Jul 25 20:54:57 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Sat, 25 Jul 2009 16:54:57 -0400 Subject: [389-users] ACI Confusion (New to 389 Came from OL): In-Reply-To: <200907251417.45669.amessina@messinet.com> References: <200907251417.45669.amessina@messinet.com> Message-ID: <1248555297.6495.37.camel@jaspav.missionsit.net.missionsit.net> On Sat, 2009-07-25 at 14:17 -0500, Anthony Messina wrote: > Hello, firstly, thanks for 389! I have just migrated my small domain from OL > to 389 DS including some basic replication and have found it to be a solid, > reliable and quick system. > > I am however having a lot of confusion with ACIs. I am trying to create ACIs > with the same specificity that I had with OL and eGroupWare > (http://egroupware.org), but can't seem to get one of them figured out. 
>
> This is what I'm trying to accomplish (in OL format):
>
> access to dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=children
>   by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>   by * none
>
> access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=entry
>   by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>   by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" read
>   by * none
>
> access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
>   by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>   by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" write
>   by * none
>
> I have tried using the following in 389 DS to no avail. On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry...
>
> (targetattr = "*") (target = "ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "eGW personal addressbook access";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");)
>
> I need to have the uid of the binding user be matched to the cn of the tree root for personal contacts.
>
> How would I allow access by the bind user of:
> "uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
> to the entry and subentries of:
> "cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
>
> References to the suggested ACLs (for OL) are here:
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressbook.conf
> http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addressbook.conf

Hmm . . .
I've never used an ACI swapping attributes as you are (CN for UID) but I would think it should work. Out of curiosity, if you set the user's CN = UID and then rewrite the ACI to be ldap://($dn),....., does it work? I'm eager to see what more knowledgeable folks have to say. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Sat Jul 25 20:58:25 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 25 Jul 2009 16:58:25 -0400
Subject: [389-users] AD LDIF help
In-Reply-To:
References: <1248518084.6484.6.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1248555505.6495.40.camel@jaspav.missionsit.net.missionsit.net>

I would hope some googling or roaming around the 389 documentation would reveal how others have done this, as I'm sure they must. Failing that, you may need to work through the schema attribute by attribute, find the mismatches, and fix them with some creative scripting. Just an ignorant guess - John

On Sat, 2009-07-25 at 23:48 +0300, melvin obiri wrote:
> thanks John,
> I am trying to migrate users from AD to FDS;
> It's a production Windows 2003 with AD; I was given one-time access, so I exported most of the users using ldifde -f **.ldif;
> The intention was to replicate a similar AD server, then work on it off site to realize the migration.
> Overall the goal is to get a SAMBA PDC and have mail users stored in FDS; but the priority is mail
>
>
> On Sat, Jul 25, 2009 at 1:34 PM, John A.
Sullivan III wrote:
>
> On Sat, 2009-07-25 at 12:14 +0300, melvin obiri wrote:
> > I'd like some help in importing this ldif to fds; however I get errors, and am not sure which ones are supported and required for me to move users' credentials from AD -> FDS;
> > Anyone with an idea can point me here
> >
> > ************LDIF start******************************
> > dn: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke
> > changetype: add
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: Legal D
> > sn: D
> > givenName: Legal
> > distinguishedName: CN=Legal D,OU=staff,DC=my,DC=co,DC=ke
> > instanceType: 4
> > whenCreated: 20081031124920.0Z
> > whenChanged: 20081031124931.0Z
> > displayName: Legal D
> > uSNCreated: 53994
> > uSNChanged: 54001
> > homeMTA: CN=Microsoft MTA,CN=MYMSG002,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=my,DC=co,DC=ke
> > proxyAddresses: SMTP:legal at my.co.ke
> > proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=D;g=Legal;
> > homeMDB: CN=Mailbox Store (MYMSG002),CN=First Storage Group,CN=InformationStore,CN=MYMSG002,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=my,DC=co,DC=ke
> > mDBUseDefaults: TRUE
> > mailNickname: legal
> > name: Legal D
> > objectGUID:: NXpu+vZD+kum0AMwrajanw==
> > userAccountControl: 66048
> > badPwdCount: 2
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 128873658553906250
> > lastLogoff: 0
> > lastLogon: 128854531816093750
> > pwdLastSet: 128699309609531250
> > primaryGroupID: 513
> > objectSid:: AQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq0wUAAA==
> > accountExpires: 9223372036854775807
> > logonCount: 8
> > sAMAccountName: legal
> > sAMAccountType: 805306368
> > showInAddressBook: CN=Default
Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=my,DC=co,DC=ke
> > showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=my,DC=co,DC=ke
> > legacyExchangeDN: /o=First Organization/ou=First Administrative Group/cn=Recipients/cn=legal
> > userPrincipalName: legal at my.co.ke
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=my,DC=co,DC=ke
> > textEncodedORAddress: c=US;a= ;p=First Organizati;o=Exchange;s=D;g=Legal;
> > mail: legal at my.co.ke
> > msExchHomeServerName: /o=First Organization/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=MYAMSG002
> > msExchALObjectVersion: 49
> > msExchMailboxSecurityDescriptor:: AQAEgHgAAACUAAAAAAAAABQAAAAEAGQAAQAAAAACFAADAAIAAQEAAAAAAAUKAAAAAAAAAGkAcgBlAGsAdQAsAE8AVQAAAQAAAAEAAAEAAAAgAAAAQwA9AG0AZgBhACwARABDAD0AZwBvACwARABDAD0AawBlAAAAAQUAAAAAAAUVAAAATmEHg7SKj5EHC0sq9AEAAAEFAAAAAAAFFQAAAE5hB4O0io+RBwtLKvQBAAA=
> > msExchUserAccountControl: 0
> > msExchMailboxGuid:: AkHm6pJ1Yk+sgMUAU8hb4g==
> > msExchPoliciesIncluded: {D3F64A3C-F3D9-4082-9687-C4F00135CABA},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
> > ***************************end ldif*************************************************************************
>
> This is not an area of expertise for me and you probably know more than I, but may I ask what you are trying to do at a high level; perhaps there is an easier way. Are you trying to migrate from AD to FDS and thus trying to move your users? Thanks - John
> --
> John A.
Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From amessina at messinet.com Sat Jul 25 22:00:06 2009
From: amessina at messinet.com (Anthony Messina)
Date: Sat, 25 Jul 2009 17:00:06 -0500
Subject: [389-users] ACI Confusion (New to 389 Came from OL):
In-Reply-To: <1248555297.6495.37.camel@jaspav.missionsit.net.missionsit.net>
References: <200907251417.45669.amessina@messinet.com> <1248555297.6495.37.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <200907251700.10837.amessina@messinet.com>

On Saturday 25 July 2009 03:54:57 pm John A. Sullivan III wrote:
> Hmm . . . I've never used an ACI swapping attributes as you are (CN for UID) but I would think it should work. Out of curiosity, if you set the user's CN = UID and then rewrite the ACI to be ldap://($dn),....., does it work?

Thanks for giving a good stab at this, John. I tried just changing the "cn" for a user without changing the dn to read cn=amessina... (currently, eGroupWare expects it to read uid=amessina...) That did not work.

Is it to be expected, then, that one is not able to do something like:

target = ldap://some_attr=($dn)...
userdn = ldap://some_other_attr=($dn)...
or
userdn = ldap://some_other_attr=[$dn]...
???

In short, does the ($dn) macro in the target HAVE TO match the whole portion between the commas, like "uid=amessina" rather than just "amessina":

Can it do:
target = ldap://cn=($dn),ou=....
or must it be:
target = ldap://($dn),ou=...

> I'm eager to see what more knowledgeable folks have to say. Good luck - John

I'm thinking that I'll be using the ($attr) or userattr methods, but I'm not sure how, as the access is based on the tree structure rather than on attributes of subcomponent entries:

+-ou=messinet.com,ou=egw,dc=messinet,dc=com
  |
  +-ou=accounts
  |   +-uid=amessina
  |   +-uid=...
  |
  +-ou=groups
  |   +-cn=Default
  |   +-cn=...
  |
  +-ou=contacts
      |
      +-ou=shared
      |   +-cn=default
      |   +-cn=...
      |
      +-ou=personal
          +-cn=amessina
          +-cn=...

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From jsullivan at opensourcedevel.com Sat Jul 25 23:17:27 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 25 Jul 2009 19:17:27 -0400
Subject: [389-users] ACI Confusion (New to 389 Came from OL):
In-Reply-To: <200907251700.10837.amessina@messinet.com>
References: <200907251417.45669.amessina@messinet.com> <1248555297.6495.37.camel@jaspav.missionsit.net.missionsit.net> <200907251700.10837.amessina@messinet.com>
Message-ID: <1248563847.6495.48.camel@jaspav.missionsit.net.missionsit.net>

On Sat, 2009-07-25 at 17:00 -0500, Anthony Messina wrote:
> On Saturday 25 July 2009 03:54:57 pm John A. Sullivan III wrote:
> > Hmm . . . I've never used an ACI swapping attributes as you are (CN for UID) but I would think it should work. Out of curiosity, if you set the user's CN = UID and then rewrite the ACI to be ldap://($dn),....., does it work?
>
> Thanks for giving a good stab at this, John. I tried just changing the "cn" for a user without changing the dn to read cn=amessina... (currently, eGroupWare expects it to read uid=amessina...) That did not work.
>
> Is it to be expected, then, that one is not able to do something like:
>
> target = ldap://some_attr=($dn)...
> userdn = ldap://some_other_attr=($dn)...
> or
> userdn = ldap://some_other_attr=[$dn]...
> ???
>
> In short, does the ($dn) macro in the target HAVE TO match the whole portion between the commas, like "uid=amessina" rather than just "amessina":
>
> Can it do:
> target = ldap://cn=($dn),ou=....
> or must it be:
> target = ldap://($dn),ou=...
>
As I mentioned, I've never tried it using just the value and swapping attributes. I would expect it would work. We have used variable substitution very successfully in some quite complex ACIs.

(target = "ldap:///($dn),o=internal,dc=ssiservices,dc=biz")(targetattr != "sambaLMPassword || sambaNTPassword || userPassword") (version 3.0;acl "Client Internal Directory Searcher";allow (read,compare,search)(userdn = "ldap:///uid=*dsearcher, [$dn],o=sysaccounts,dc=ssiservices,dc=biz");)

I would have thought what you were doing would work just as you described. The biggest problem we have faced is not being able to use wildcards in groupdn although we can in userdn.

I can say that using the complete attribute does work as advertised. Hopefully the gurus will return to the list soon! I'd like to know why what you have proposed doesn't work. Good luck - John
--
John A.
Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From amessina at messinet.com Sun Jul 26 05:00:53 2009
From: amessina at messinet.com (Anthony Messina)
Date: Sun, 26 Jul 2009 00:00:53 -0500
Subject: [389-users] ACI Confusion (New to 389 Came from OL):
In-Reply-To: <1248563847.6495.48.camel@jaspav.missionsit.net.missionsit.net>
References: <200907251417.45669.amessina@messinet.com> <200907251700.10837.amessina@messinet.com> <1248563847.6495.48.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <200907260000.56983.amessina@messinet.com>

On Saturday 25 July 2009 06:17:27 pm John A. Sullivan III wrote:
> As I mentioned, I've never tried it using just the value and swapping attributes. I would expect it would work. We have used variable substitution very successfully in some quite complex ACIs.
>
> (target = "ldap:///($dn),o=internal,dc=ssiservices,dc=biz")(targetattr != "sambaLMPassword || sambaNTPassword || userPassword") (version 3.0;acl "Client Internal Directory Searcher";allow (read,compare,search)(userdn = "ldap:///uid=*dsearcher, [$dn],o=sysaccounts,dc=ssiservices,dc=biz");)
>
> I would have thought what you were doing would work just as you described. The biggest problem we have faced is not being able to use wildcards in groupdn although we can in userdn.
>
> I can say that using the complete attribute does work as advertised. Hopefully the gurus will return to the list soon! I'd like to know why what you have proposed doesn't work. Good luck - John

I have gotten much closer. I think I'll need to tighten them up a bit (parents/children/etc), but here's where I got so far...

http://messinet.com/trac/egw/browser/README.389DS

Thanks for your help. If you think of anything else, let me know. I surely wouldn't call this solved.
-A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From robert.ludvik at zd-lj.si Sun Jul 26 20:49:14 2009
From: robert.ludvik at zd-lj.si (Robert Ludvik)
Date: Sun, 26 Jul 2009 22:49:14 +0200
Subject: [389-users] ACI Confusion (New to 389 Came from OL):
In-Reply-To: <20090726160804.42FF1618105@hormel.redhat.com>
References: <20090726160804.42FF1618105@hormel.redhat.com>
Message-ID: <4A6CC14A.4000103@zd-lj.si>

Anthony, thank you for this. I was lost in these ACIs, too. I'll try this in my Egw installation. Will you let people at EGW know about this link, too? Maybe they can help to improve and include this in the README. At least they should be interested in this ... (egroupware-users at lists.sourceforge.net or egroupware-developers at lists.sourceforge.net).

Regards
Robert

> I have gotten much closer. I think I'll need to tighten them up a bit (parents/children/etc), but here's where I got so far...
>
> http://messinet.com/trac/egw/browser/README.389DS
>
> Thanks for your help. If you think of anything else, let me know. I surely wouldn't call this solved.
>
> -A
> --
> Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
> 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From amessina at messinet.com Sun Jul 26 22:22:04 2009
From: amessina at messinet.com (Anthony Messina)
Date: Sun, 26 Jul 2009 17:22:04 -0500
Subject: [389-users] ACI Confusion (New to 389 Came from OL):
In-Reply-To: <4A6CC14A.4000103@zd-lj.si>
References: <20090726160804.42FF1618105@hormel.redhat.com> <4A6CC14A.4000103@zd-lj.si>
Message-ID: <200907261722.07684.amessina@messinet.com>

On Sunday 26 July 2009 03:49:14 pm Robert Ludvik wrote:
> Anthony, thank you for this. I was lost in these ACIs, too.
> I'll try this in my Egw installation. Will you let people at EGW know about this link, too? Maybe they can help to improve and include this in the README. At least they should be interested in this ... (egroupware-users at lists.sourceforge.net or egroupware-developers at lists.sourceforge.net).
>
> Regards
> Robert

already done:
http://sourceforge.net/mailarchive/message.php?msg_name=200907260038.45731.amessina at messinet.com
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

From joelh at planetjoel.com Mon Jul 27 00:29:29 2009
From: joelh at planetjoel.com (Joel Heenan)
Date: Mon, 27 Jul 2009 10:29:29 +1000
Subject: [389-users] registered with an admin server behind a firewall
In-Reply-To: <4A6886D3.2000503@redhat.com>
References: <4f89225b0907221835m6bf1c1a5y7e5c51d6590ca378@mail.gmail.com> <4f89225b0907221838q66be24a0rb760d94c8644d256@mail.gmail.com> <4A6886D3.2000503@redhat.com>
Message-ID: <4f89225b0907261729k214763fau2a4e6052bf269673@mail.gmail.com>

The consumers are in a DMZ and have no direct access to the configuration server. Obviously the masters are allowed to talk to the consumers to send them replication information, but the consumers are not allowed to talk back.

In all the guides they say run the perl script register-ds-admin.pl and type in the name of the configuration server. But this won't work because they aren't allowed to connect. Is there another way, say, can you export the configuration information to an LDIF and then import it?

Joel

On Fri, Jul 24, 2009 at 1:50 AM, Rich Megginson wrote:
> Joel Heenan wrote:
>> I'm using Directory Server 8.1 on CentOS.
>>
>> I have multi-mastered servers set up in our administrative network, secured and locked away, working well. I have consumers set up out in other network zones and am planning to set up replication out to these servers. I wanted to keep the console as a single administration point for all the servers but I can't work out how I can register the consumers with the console given that they have no network access. Is the access needed once you have registered them? If not I could punch a quick ssh tunnel or something which would allow them to register.
>>
> I don't understand - you want to remotely manage the consumer servers with the console (which uses network access) but the consumers have no network access?
>
>> Thanks
>>
>> Joel
From kevin.mccarthy at teligent.co.uk Mon Jul 27 11:40:11 2009
From: kevin.mccarthy at teligent.co.uk (kevin.mccarthy at teligent.co.uk)
Date: Mon, 27 Jul 2009 12:40:11 +0100
Subject: [389-users] Auto-reply: Fedora-directory-users Digest, Vol 50, Issue 28
In-Reply-To: <20090724155643.06B4D619D7A@hormel.redhat.com>
References: <20090724155643.06B4D619D7A@hormel.redhat.com>
Message-ID:

This is an automatic reply for kevin.mccarthy at teligent.co.uk
I am now out of the office until Monday 3rd August

From rmeggins at redhat.com Mon Jul 27 15:53:29 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Jul 2009 09:53:29 -0600
Subject: [389-users] registered with an admin server behind a firewall
In-Reply-To: <4f89225b0907261729k214763fau2a4e6052bf269673@mail.gmail.com>
References: <4f89225b0907221835m6bf1c1a5y7e5c51d6590ca378@mail.gmail.com> <4f89225b0907221838q66be24a0rb760d94c8644d256@mail.gmail.com> <4A6886D3.2000503@redhat.com> <4f89225b0907261729k214763fau2a4e6052bf269673@mail.gmail.com>
Message-ID: <4A6DCD79.90009@redhat.com>

Joel Heenan wrote:
> The consumers are in a DMZ and have no direct access to the configuration server. Obviously the masters are allowed to talk to the consumers to send them replication information, but the consumers are not allowed to talk back.
>
> In all the guides they say run the perl script register-ds-admin.pl and type in the name of the configuration server. But this won't work because they aren't allowed to connect. Is there another way, say, can you export the configuration information to an LDIF and then import it?

It's possible. Try this: Create a local directory server instance, inside the firewall, on a different machine than the configuration directory server. Export the o=NetscapeRoot database from the config DS. Then run register-ds-admin.pl to register the directory server instance.
Then export the o=NetscapeRoot again, and compare the before LDIF with the after LDIF. That should give you a pretty good idea of what entries and attributes you need.

Note that you will still have to run register-ds-admin.pl on the consumer machines because there is some additional admin server set up that needs to be done on each machine, and some configuration of each remote directory server to allow remote management from the central console.

>
> Joel
>
> On Fri, Jul 24, 2009 at 1:50 AM, Rich Megginson wrote:
>
>     Joel Heenan wrote:
>
>         I'm using Directory Server 8.1 on CentOS.
>
>         I have multi-mastered servers set up in our administrative network, secured and locked away, working well. I have consumers set up out in other network zones and am planning to set up replication out to these servers. I wanted to keep the console as a single administration point for all the servers but I can't work out how I can register the consumers with the console given that they have no network access. Is the access needed once you have registered them? If not I could punch a quick ssh tunnel or something which would allow them to register.
>
>     I don't understand - you want to remotely manage the consumer servers with the console (which uses network access) but the consumers have no network access?
>
>         Thanks
>
>         Joel
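An added example for the compare step Rich describes above; this is not Rich's, Joel's or the 389 project's code. It parses two o=NetscapeRoot exports (the two embedded exports are constructed samples, not real server output; the nsHost entry and its attributes are illustrative) and emits what the second one adds as LDIF change records, so the before/after diff can be read directly.

```python
"""Added example (not 389 DS code): diff two LDIF exports of o=NetscapeRoot
taken before and after register-ds-admin.pl and emit what registration
added.  Both exports below are constructed samples, not real server output."""
import base64
from collections import defaultdict

# Constructed: o=NetscapeRoot before the new instance is registered.
BEFORE_LDIF = """\
dn: o=NetscapeRoot
objectClass: top
objectClass: organization
o: NetscapeRoot

dn: ou=example.com, o=NetscapeRoot
objectClass: top
objectClass: organizationalUnit
ou: example.com
"""

# Constructed: the same suffix afterwards.  One existing entry gains a
# base64-encoded attribute; one new host entry appears with a value folded
# across two lines, as real exports wrap long lines.
AFTER_LDIF = """\
dn: o=NetscapeRoot
objectClass: top
objectClass: organization
o: NetscapeRoot

dn: ou=example.com, o=NetscapeRoot
objectClass: top
objectClass: organizationalUnit
ou: example.com
description:: Y29uc3VtZXIgaG9zdA==

dn: cn=consumer1.example.com, ou=example.com, o=NetscapeRoot
objectClass: top
objectClass: nsHost
cn: consumer1.example.com
serverHostName: consumer1.exa
 mple.com
"""


def parse_ldif(text):
    """Parse LDIF into {dn.lower(): (dn as written, {attr.lower(): set(values)})}.
    Unfolds continuation lines (leading single space) and decodes 'attr:: b64'
    values; names are lowercased because LDAP compares them case-insensitively."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # folded continuation line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                       # blank line ends an entry
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        if rest.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            current = defaultdict(set)
            entries[value.lower()] = (value, current)
        elif current is not None:
            current[name].add(value)
    return entries


def ldif_line(name, value):
    """One 'attr: value' line, base64-encoded when LDIF cannot carry the value
    in clear text (leading space/colon/'<', trailing space, non-ASCII, newline)."""
    if (value[:1] in (" ", ":", "<") or value != value.rstrip()
            or not value.isascii() or "\n" in value):
        return "%s:: %s" % (name, base64.b64encode(value.encode()).decode())
    return "%s: %s" % (name, value)


def diff_ldif(before, after):
    """LDIF change records for everything 'after' has that 'before' lacks:
    new entries as 'changetype: add', new values on existing entries as
    'changetype: modify' (one 'add:' block per attribute, separated by '-')."""
    records = []
    for key, (dn, attrs) in after.items():
        if key not in before:
            rec = ["dn: %s" % dn, "changetype: add"]
            for name in sorted(attrs):
                rec += [ldif_line(name, v) for v in sorted(attrs[name])]
            records.append("\n".join(rec))
            continue
        old = before[key][1]
        mods = []
        for name in sorted(attrs):
            new_values = sorted(attrs[name] - old.get(name, set()))
            if new_values:
                mods.append("\n".join(["add: %s" % name] +
                                      [ldif_line(name, v) for v in new_values]))
        if mods:
            records.append("\n".join(["dn: %s" % dn, "changetype: modify",
                                      "\n-\n".join(mods)]))
    return records


if __name__ == "__main__":
    print("\n\n".join(diff_ldif(parse_ldif(BEFORE_LDIF), parse_ldif(AFTER_LDIF))))
```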
From rwood at TrustedCS.com Mon Jul 27 20:55:47 2009
From: rwood at TrustedCS.com (Randall Wood)
Date: Mon, 27 Jul 2009 16:55:47 -0400
Subject: [389-users] Password policy: Dictionary of unauthorized tokens
Message-ID: <1248728147.25920.24.camel@rwood-laptop.tsc-sec.com>

The RedHat/FDS documentation suggests that FDS can use a dictionary of unauthorized tokens in a password policy, although it does not seem configurable.

Is there a dictionary that FDS uses, and is it possible to add words to it if so desired?
--
Randall Wood
Secure Systems Engineer
Trusted Computer Solutions
2350 Corporate Park Drive, Suite 500
Herndon, Virginia 20170
Tel (703) 537-4382 | Fax (703) 318-5041
rwood at trustedcs.com
http://www.trustedcs.com

From rmeggins at redhat.com Mon Jul 27 21:00:35 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 27 Jul 2009 15:00:35 -0600
Subject: [389-users] Password policy: Dictionary of unauthorized tokens
In-Reply-To: <1248728147.25920.24.camel@rwood-laptop.tsc-sec.com>
References: <1248728147.25920.24.camel@rwood-laptop.tsc-sec.com>
Message-ID: <4A6E1573.9050800@redhat.com>

Randall Wood wrote:
> The RedHat/FDS documentation suggests that FDS can use a dictionary of unauthorized tokens in a password policy, although it does not seem configurable.
>
Where does it say that, and what exactly does it say?
> Is there a dictionary that FDS uses, and is it possible to add words to it if so desired?
>
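As an added illustration of the check Nathan Kinder describes in his reply below, and not 389 DS source: a Python model that cuts the values of a user entry's common attributes into tokens of a configurable length and rejects a password containing any of them. The attribute list and the sample entry are assumptions; the configurable length corresponds to the passwordMinTokenLength policy attribute in 389 DS.

```python
"""Added illustration (not 389 DS code) of the user-attribute token check:
values of selected attributes of the user's own entry are cut into tokens
of a configurable length and a password containing any token is rejected."""
import re

# Assumption: the attributes subject to the check.  The length is the policy
# value 389 DS exposes as passwordMinTokenLength; 3 is used here as a sample.
CHECKED_ATTRS = ("uid", "cn", "sn", "givenname", "ou", "mail")
MIN_TOKEN_LENGTH = 3


def entry_tokens(entry, attrs=CHECKED_ATTRS, length=MIN_TOKEN_LENGTH):
    """Every lower-cased window of `length` characters from each word of each
    checked value.  Matching these windows is equivalent to asking whether the
    password shares any substring of at least `length` characters with the
    value.  Words shorter than `length` yield nothing: a two-letter surname is
    too short to count as a token at this setting."""
    tokens = set()
    for attr in attrs:
        for value in entry.get(attr, ()):      # values are lists of strings
            for word in re.split(r"\s+", value.lower()):
                tokens.update(word[i:i + length]
                              for i in range(len(word) - length + 1))
    return tokens


def check_password(entry, password, attrs=CHECKED_ATTRS, length=MIN_TOKEN_LENGTH):
    """Return the first offending token (in sorted order, so deterministic) or
    None when the password contains no token taken from the entry."""
    candidate = password.lower()               # case-insensitive comparison
    for token in sorted(entry_tokens(entry, attrs, length)):
        if token in candidate:
            return token
    return None


# Constructed sample entry, not a real user.
USER = {"uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
        "givenname": ["Jane"], "mail": ["jdoe@example.com"]}

if __name__ == "__main__":
    for pw in ("JaneDoe!2009", "xDOEx-42", "Tr0ub4dor&3"):
        hit = check_password(USER, pw)
        print("%-14s %s" % (pw, "rejected (token %r)" % hit if hit else "accepted"))
```

With a three-character length the check is deliberately aggressive: a password such as "Tr0ub4dor&3" passes only because none of its three-character windows occurs in the entry's values.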
From nkinder at redhat.com Mon Jul 27 22:38:18 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 27 Jul 2009 15:38:18 -0700
Subject: [389-users] Password policy: Dictionary of unauthorized tokens
In-Reply-To: <1248728147.25920.24.camel@rwood-laptop.tsc-sec.com>
References: <1248728147.25920.24.camel@rwood-laptop.tsc-sec.com>
Message-ID: <4A6E2C5A.40405@redhat.com>

On 07/27/2009 01:55 PM, Randall Wood wrote:
> The RedHat/FDS documentation suggests that FDS can use a dictionary of unauthorized tokens in a password policy, although it does not seem configurable.
>
> Is there a dictionary that FDS uses, and is it possible to add words to it if so desired?
>
That description is not really correct. There is a check that ensures that values used in common attributes of the user entry can not be present in the password. This prevents things like using your uid or cn in your password. The values are broken into tokens of a configurable length and then compared to the userPassword value.

From jrobertm8 at yahoo.com Tue Jul 28 04:27:50 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Tue, 28 Jul 2009 12:27:50 +0800 (SGT)
Subject: [389-users] Krb5kdc startup instance
Message-ID: <575633.77679.qm@web76304.mail.sg1.yahoo.com>

Hi,

After installing an IPA server on a machine, I have found out that after each bootup the kdc instance does not initialize at startup. I have to manually start it up using #service krb5kdc start.

Is this normal or have I missed any options during my installation?

Thanks

John Robert Mendoza
From n.gresham at uq.edu.au Tue Jul 28 05:57:25 2009
From: n.gresham at uq.edu.au (Nick Gresham)
Date: Tue, 28 Jul 2009 15:57:25 +1000
Subject: [389-users] cache settings
Message-ID: <4B7EE1C0-8752-4313-8AB0-CEA6F7E1561B@uq.edu.au>

Hi All

I'm looking for some clarification (best practices) on setting cache sizes for Fedora DS. What is the difference between the maximum cache size under the LDBM Plug-in settings tab and the cache size under the individual backends' Database Settings tab? http://directory.fedoraproject.org/wiki/Performance_Tuning gives some reference to disk cache and memory cache differences but I've been unable to find further references.

Thanks
Nick

From techchavez at gmail.com Tue Jul 28 06:29:25 2009
From: techchavez at gmail.com (Techie)
Date: Mon, 27 Jul 2009 23:29:25 -0700
Subject: [389-users] anonymous access
Message-ID:

Hello,
I am trying to altogether eliminate anonymous access to my directory. However in doing this my authentication fails unless... I add a binddn and bindpw to the ldap.conf on the clients. As I understand it "bindpw" is inappropriate according to the OpenLDAP architects.

So my situation right now looks like this. I have an ldap.conf populated with a binddn and bindpw entry. This allows me to remove anonymous access and authenticate to the directory with LDAP user credentials. This is what I want; I just do not want to store a username and pass in the ldap.conf file.

However if I remove this binddn and bindpw entry, and I disallow anonymous access, I am unable to authenticate against the directory using LDAP user credentials. Even though upon attempting to login I am supplying valid LDAP user credentials, it cannot find the user because it initially binds as "nobody" or dn="" in the access log and is unable to locate attributes due to the lack of anonymous access.

Is there a way to have LDAP use the credentials of the user logging in to bind to the directory initially?
What are my options?
I can force SASL GSSAPI but it is not ideal in my situation.

Thank you

From muzzol at muzzol.com Tue Jul 28 07:41:13 2009
From: muzzol at muzzol.com (muzzol)
Date: Tue, 28 Jul 2009 07:41:13 +0000
Subject: [389-users] attribute "sambaPasswordHistory" not allowed
Message-ID: <4a3f02760907280041w5f289d9do45689bdf45f5b722@mail.gmail.com>

hi,

I'm trying to manage LDAP users with the webmin module.

When I change the password I get this error in the /var/log/dirsrv/slapd-ds01/errors file:

[28/Jul/2009:09:35:46 +0200] - Entry "uid=pepet8,ou=Users,dc=example.com,dc=global" -- attribute "sambaPasswordHistory" not allowed

Any hints debugging this issue?

thanks,

muzzol
--
========================
  ^ ^
  O O
 (_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers. They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and Catalans; let's see when it decides to talk to normal people"
Jiménez Losantos
========================
bomb terrorism bush aznar teletubbies

From jsullivan at opensourcedevel.com Tue Jul 28 09:13:33 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 28 Jul 2009 05:13:33 -0400
Subject: [389-users] anonymous access
In-Reply-To:
References:
Message-ID: <1248772413.6434.28.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
> Hello,
> I am trying to altogether eliminate anonymous access to my directory. However in doing this my authentication fails unless... I add a binddn and bindpw to the ldap.conf on the clients.
> As I understand it "bindpw" is inappropriate according to the OpenLDAP architects.
>
> So my situation right now looks like this. I have an ldap.conf populated with a binddn and bindpw entry.
> This allows me to remove anonymous access and authenticate to the directory with LDAP user credentials.
> This is what I want; I just do not want to store a username and pass in the ldap.conf file.
>
> However if I remove this binddn and bindpw entry, and I disallow anonymous access, I am unable to authenticate against the directory using LDAP user credentials. Even though upon attempting to login I am supplying valid LDAP user credentials, it cannot find the user because it initially binds as "nobody" or dn="" in the access log and is unable to locate attributes due to the lack of anonymous access.
>
> Is there a way to have LDAP use the credentials of the user logging in to bind to the directory initially?
> What are my options?
> I can force SASL GSSAPI but it is not ideal in my situation.
>
As far as I know (and that's not very far), that's the way it is. How else would the client be able to query the directory? We made sure we did not use a sensitive password and also ensured the ldap.conf file was NOT world readable. We also had to implement some custom ACIs to replace anonymous access and, I'm surprised how many applications simply assume anonymous access; we had to do a bit of dancing on a per application basis to make them work. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rcritten at redhat.com Tue Jul 28 13:06:56 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jul 2009 09:06:56 -0400
Subject: [389-users] attribute "sambaPasswordHistory" not allowed
In-Reply-To: <4a3f02760907280041w5f289d9do45689bdf45f5b722@mail.gmail.com>
References: <4a3f02760907280041w5f289d9do45689bdf45f5b722@mail.gmail.com>
Message-ID: <4A6EF7F0.1090203@redhat.com>

muzzol wrote:
> hi,
>
> I'm trying to manage LDAP users with the webmin module.
>
> when I change the password I get this error in
> /var/log/dirsrv/slapd-ds01/errors file:
>
> [28/Jul/2009:09:35:46 +0200] - Entry
> "uid=pepet8,ou=Users,dc=example.com,dc=global" -- attribute
> "sambaPasswordHistory" not allowed
>
>
> any hints debugging this issue?
>
> thanks,
>
> muzzol
>

Looks like it is assuming the user has the sambaSamAccount objectclass.

I know next to nothing about webmin but I'd suggest you ask them for assistance. I can point you to the Samba v3 schema but without the big picture I don't want to screw things up for you.

rob

From jeff.moody at evscorporation.com Tue Jul 28 13:11:42 2009
From: jeff.moody at evscorporation.com (Jeff Moody)
Date: Tue, 28 Jul 2009 08:11:42 -0500
Subject: [389-users] Krb5kdc startup instance
In-Reply-To: <575633.77679.qm@web76304.mail.sg1.yahoo.com>
References: <575633.77679.qm@web76304.mail.sg1.yahoo.com>
Message-ID: <712B6F0C7079C0459DB8A063743A3CB0BE2092B1@evsxmail1.evscorporation.com>

I noticed the same behavior when installing a FreeIPA server for testing purposes.

I was able to resolve it with a chkconfig --levels 345 krb5kdc on

----
Jeff Moody
Senior Systems Engineer
EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of John Robert Mendoza
Sent: Monday, July 27, 2009 11:28 PM
To: fedora-directory-users at redhat.com
Subject: [389-users] Krb5kdc startup instance

Hi,

After installing an IPA server on a machine, I have found out that after each bootup the kdc instance does not initialize at startup. I have to manually start it up using #service krb5kdc start.
Is this normal or have I missed any options during my installation?

Thanks

John Robert Mendoza

From rcritten at redhat.com Tue Jul 28 13:13:12 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jul 2009 09:13:12 -0400
Subject: [389-users] Krb5kdc startup instance
In-Reply-To: <575633.77679.qm@web76304.mail.sg1.yahoo.com>
References: <575633.77679.qm@web76304.mail.sg1.yahoo.com>
Message-ID: <4A6EF968.8040808@redhat.com>

John Robert Mendoza wrote:
>
> Hi,
>
> After installing an IPA server on a machine, I have found out that after
> each bootup the kdc instance does not initialize at startup. I have to
> manually start it up using #service krb5kdc start.
>
> Is this normal or have I missed any options during my installation.
>
> Thanks
>
> John Robert Mendoza
>

Are you using NetworkManager for networking? If so, try adding NETWORKWAIT=yes to /etc/sysconfig/network file to block startup for up to 10 seconds while waiting for a network connection to come up (from http://www.freeipa.org/page/TroubleshootingGuide)

Also, IPA has its own set of mailing lists, freeipa-user and freeipa-devel.

rob
From rcritten at redhat.com Tue Jul 28 13:32:06 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 28 Jul 2009 09:32:06 -0400
Subject: [389-users] Krb5kdc startup instance
In-Reply-To: <712B6F0C7079C0459DB8A063743A3CB0BE2092B1@evsxmail1.evscorporation.com>
References: <575633.77679.qm@web76304.mail.sg1.yahoo.com> <712B6F0C7079C0459DB8A063743A3CB0BE2092B1@evsxmail1.evscorporation.com>
Message-ID: <4A6EFDD6.2090602@redhat.com>

Jeff Moody wrote:
> I noticed the same behavior when installing a FreeIPA server for testing
> purposes.
>
> I was able to resolve it with a chkconfig --levels 345 krb5kdc on

The installer is supposed to do that automatically.

rob

From techchavez at gmail.com Tue Jul 28 14:20:01 2009
From: techchavez at gmail.com (Techie)
Date: Tue, 28 Jul 2009 07:20:01 -0700
Subject: [389-users] anonymous access
In-Reply-To: <1248772413.6434.28.camel@jaspav.missionsit.net.missionsit.net>
References: <1248772413.6434.28.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

On Tue, Jul 28, 2009 at 2:13 AM, John A. Sullivan III wrote:
> On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
>> Hello,
>> I am trying to altogether eliminate anonymous access to my directory.
>> However in doing this my authentication fails unless....I add a binddn
>> and bindpw to the ldap.conf on the clients.
>> As I understand it "bindpw" is inappropriate according to the OpenLDAP
>> architects.
>>
>> So my situation right now looks like this. I have a ldap.conf
>> populated with a binddn and bindpw entry.
>> This allows me to remove anonymous access and authenticate to the
>> directory with ldap user credentials.
>> This is what I want, I just do not want to store a username and pass
>> in the ldap.conf file.
>>
>> However if I remove this binddn and bindpw entry, and I disallow
>> anonymous access, I am unable to authenticate against the directory
>> using ldap user credentials. Even though upon attempting to login I am
>> supplying valid LDAP user credentials it cannot find the user because
>> it initially binds as "nobody" or 'dn=""' in the access log and is
>> unable to locate attributes due to the lack of anonymous access.
>>
>> Is there a way to have LDAP use the credential of the user logging in
>> to bind to the directory initially.
>> What are my options?
>> I can force SASL GSSAPI but it is not ideal in my situation.
>>
>
> As far as I know (and that's not very far), that's the way it is. How
> else would the client be able to query the directory. We made sure we
> did not use a sensitive password and also ensured the ldap.conf file was
> NOT world readable. We also had to implement some custom ACIs to
> replace anonymous access and, I'm surprised how many applications simply
> assume anonymous access; we had to do a bit of dancing on a per
> application basis to make them work. Hope this helps - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society

John,

It does help, thank you. Currently I use an account for the binddn that has only read access to a subset of attributes. Not much damage can be done. I will keep searching and see what I find.

Thanks again

From jeff_clowser at fanniemae.com Tue Jul 28 15:40:18 2009
From: jeff_clowser at fanniemae.com (Clowser, Jeff)
Date: Tue, 28 Jul 2009 11:40:18 -0400
Subject: [389-users] anonymous access
In-Reply-To:
References: <1248772413.6434.28.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

> On Tue, Jul 28, 2009 at 2:13 AM, John A.
Sullivan
> III wrote:
> > On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
> >> Hello,
> >> I am trying to altogether eliminate anonymous access to my directory.
> >> However in doing this my authentication fails unless....I add a binddn
> >> and bindpw to the ldap.conf on the clients.
> >> As I understand it "bindpw" is inappropriate according to the OpenLDAP
> >> architects.

Hmm... curious way of putting that...

> >> So my situation right now looks like this. I have a ldap.conf
> >> populated with a binddn and bindpw entry.
> >> This allows me to remove anonymous access and authenticate to the
> >> directory with ldap user credentials.
> >> This is what I want, I just do not want to store a username and pass
> >> in the ldap.conf file.

This is something of a chicken and egg problem. Most apps ask users for a uid and a password, then do a simple bind against ldap to validate this. However, a simple bind requires a dn, rather than a uid. You need to do a search to translate the uid to do the bind, but without access to do such a search, you can't do the lookup.

It can't safely make assumptions about your tree or the format of the dn, so it has to do a search to look up the uid to know what dn to bind as, but if you turn off anonymous, it can't do that as anonymous, obviously.

You can do one of two things as a minimum:

1. Set up an ACI to allow anonymous to ONLY see the uid (and probably objectclass) attributes. This will allow *any* app to connect to your directory server as anonymous and do uid lookups.

2. Define a "service account" that is allowed to just read/search the uid and objectclass attributes, and nothing else. Preferably create a group and set the aci against the group, so that you can make several of these types of service accounts (say, a different one for each app, to easily track their usage separately)

You probably need to allow objectclass, as well as uid, because apps tend to do filters like (&(objectclass=person)(uid=bob)).
Ultimately, the only way to tell the minimum access your app needs is to see in the access logs what it does, and tune accordingly.

Option 1 has advantages in that any app can then do this translation without the need to config each with a bind dn and pwd, but also means anyone that knows about your dir server and can connect to it can look up uids, etc.

Option 2 has advantages in that you can create separate accounts for separate apps or separate organizational groups to track their usage separately. You can also put resource limits on these accounts (for example, you might set the nssizelimit on these service accounts to 1, so that even if someone compromises the account, it can't return more than one entry in a search ever - and why would it need to return more than one, if it's looking up one uid to get one dn?) It also means that someone without a valid dn and pwd can't see anything, so requires more than just the host and port of your server.

From el_alexluna at yahoo.com.mx Tue Jul 28 16:33:20 2009
From: el_alexluna at yahoo.com.mx (Alejandro Rodriguez Luna)
Date: Tue, 28 Jul 2009 09:33:20 -0700 (PDT)
Subject: [389-users] Differences
Message-ID: <387032.17758.qm@web50804.mail.re2.yahoo.com>

Somebody could tell me the differences between 389 directory server 1.2.0 and redhat directory server 8.1?

----------------------------------
Alejandro Rodriguez Luna
Web: http://www.alexluna.org
E-mail: el_alexluna at yahoo.com.mx
----------------------------------
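Jeff Clowser's two options from the "anonymous access" thread above, written out as 389 Directory Server ACIs. This is an added illustration, not code posted in the thread or shipped by the 389 project; the suffix dc=example,dc=com, the group cn=uid-lookup, the service account cn=svc-nss-host1 and the ou names are assumed placeholders, and the password value is a placeholder to replace. Option 1 narrows what an anonymous bind can read to the two attributes a uid-to-dn lookup needs; option 2 grants the same minimal rights to a group of service accounts and sets nssizelimit on the account, as Jeff suggests, so one lookup can never return more than one entry.

```ldif
# Added example (not from the thread). Suffix, ou, group and cn values are assumed.
#
# Option 1: keep anonymous binds enabled, but let "anyone" read, search and
# compare only uid and objectClass, which is all the uid -> dn lookup before a
# simple bind needs (filters like (&(objectclass=person)(uid=bob))).
# The suffix's default "Enable anonymous access" aci grants read on every
# attribute except userPassword; delete that value first (copy its exact text
# from an ldapsearch of the suffix entry), otherwise this narrower aci adds nothing.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || objectClass")(version 3.0; acl "anonymous uid lookup only"; allow (read, search, compare) userdn = "ldap:///anyone";)

# Option 2: a group of service accounts, one per application or host, all
# granted the same minimal lookup rights through a single groupdn aci, so each
# application's usage shows up under its own bind dn in the access log.
dn: cn=uid-lookup,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: uid-lookup
uniqueMember: cn=svc-nss-host1,ou=Service Accounts,dc=example,dc=com

# One service account (assumed name). The password is a placeholder; the server
# hashes a cleartext userPassword on add. nsSizeLimit on the entry caps any
# search this identity runs at one returned entry, so even a leaked credential
# cannot enumerate the tree.
dn: cn=svc-nss-host1,ou=Service Accounts,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: svc-nss-host1
sn: nss lookup service account
userPassword: REPLACE-WITH-GENERATED-SECRET
nsSizeLimit: 1

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "uid || objectClass")(version 3.0; acl "service account uid lookup"; allow (read, search, compare) groupdn = "ldap:///cn=uid-lookup,ou=Groups,dc=example,dc=com";)
```

Apply the file with ldapmodify as Directory Manager, then check from a client: an ldapsearch for (uid=bob) bound anonymously (option 1) or as the service account (option 2) should return only the dn, uid and objectClass, and a search with a broader filter as the service account should stop after one entry with a size limit exceeded result. Which attributes a given application really asks for is visible in the access log, which is the tuning method Jeff describes; add attributes to the targetattr list only when the log shows the application needs them.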
From hyc at symas.com Tue Jul 28 20:24:47 2009
From: hyc at symas.com (Howard Chu)
Date: Tue, 28 Jul 2009 13:24:47 -0700
Subject: [389-users] Re: anonymous access (Techie)
In-Reply-To: <20090728160011.E97D861A123@hormel.redhat.com>
References: <20090728160011.E97D861A123@hormel.redhat.com>
Message-ID: <4A6F5E8F.20802@symas.com>

> Date: Tue, 28 Jul 2009 07:20:01 -0700
> From: Techie
> On Tue, Jul 28, 2009 at 2:13 AM, John A. Sullivan
> III wrote:
>> On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
>>> Hello,
>>> I am trying to altogether eliminate anonymous access to my directory.
>>> However in doing this my authentication fails unless....I add a binddn
>>> and bindpw to the ldap.conf on the clients.
>>> As I understand it "bindpw" is inappropriate according to the OpenLDAP
>>> architects.

I don't know which conversation you're referring to, but certainly bindpw is not valid in the OpenLDAP ldap.conf. It may be valid in PADL's ldap.conf, but that's a different story. (As for why two completely different config files have the same name, well, we blame PADL for usurping the name and sowing endless confusion. Newer distros have started using different names like "nssldap.conf" to cut down on the confusion.)

>>> So my situation right now looks like this. I have a ldap.conf
>>> populated with a binddn and bindpw entry.
>>> This allows me to remove anonymous access and authenticate to the
>>> directory with ldap user credentials.
>>> This is what I want, I just do not want to store a username and pass
>>> in the ldap.conf file.
>>> However if I remove this binddn and bindpw entry, and I disallow
>>> anonymous access, I am unable to authenticate against the directory
>>> using ldap user credentials. Even though upon attempting to login I am
>>> supplying valid LDAP user credentials it cannot find the user because
>>> it initially binds as "nobody" or 'dn=""' in the access log and is
>>> unable to locate attributes due to the lack of anonymous access.
>>> Is there a way to have LDAP use the credential of the user logging in
>>> to bind to the directory initially.
>>> What are my options?
>>> I can force SASL GSSAPI but it is not ideal in my situation.

You can also use SASL DIGEST-MD5, which doesn't require any special infrastructure for deployment. Of course, here you're talking about the login which is handled by pam_ldap; you'll still need a set of service credentials that nss_ldap can use for its own queries.

>>
>> As far as I know (and that's not very far), that's the way it is. How
>> else would the client be able to query the directory. We made sure we
>> did not use a sensitive password and also ensured the ldap.conf file was
>> NOT world readable. We also had to implement some custom ACIs to
>> replace anonymous access and, I'm surprised how many applications simply
>> assume anonymous access; we had to do a bit of dancing on a per
>> application basis to make them work. Hope this helps - John
>> --
>> John A. Sullivan III
>> Open Source Development Corporation
>> +1 207-985-7880
>> jsullivan at opensourcedevel.com
>>
>> http://www.spiritualoutreach.com
>> Making Christianity intelligible to secular society

> John,
> It does help, thank you. Currently I use an account for the binddn
> that has only read access to a subset of attributes. not much damage
> can be done. I will keep searching and see what I find.

That's really the best approach - use a dedicated account for nss queries and limit its privileges...

--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From techchavez at gmail.com Tue Jul 28 21:48:21 2009
From: techchavez at gmail.com (Techie)
Date: Tue, 28 Jul 2009 14:48:21 -0700
Subject: [389-users] anonymous access
In-Reply-To:
References: <1248772413.6434.28.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

On Tue, Jul 28, 2009 at 8:40 AM, Clowser, Jeff wrote:
>> On Tue, Jul 28, 2009 at 2:13 AM, John A. Sullivan
>> III wrote:
>> > On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
>> >> Hello,
>> >> I am trying to altogether eliminate anonymous access to my directory.
>> >> However in doing this my authentication fails unless....I add a binddn
>> >> and bindpw to the ldap.conf on the clients.
>> >> As I understand it "bindpw" is inappropriate according to the OpenLDAP
>> >> architects.
>
> Hmm... curious way of putting that...
>
>> >> So my situation right now looks like this. I have a ldap.conf
>> >> populated with a binddn and bindpw entry.
>> >> This allows me to remove anonymous access and authenticate to the
>> >> directory with ldap user credentials.
>> >> This is what I want, I just do not want to store a username and pass
>> >> in the ldap.conf file.
>
>
> This is something of a chicken and egg problem. Most apps
> ask users for a uid and a password, then do a simple bind
> against ldap to validate this. However, a simple bind requires
> a dn, rather than a uid. You need to do a search to translate
> the uid to do the bind, but without access to do such a search,
> you can't do the lookup.
>
> It can't safely make assumptions about your
> tree or the format of the dn, so it has to do a search
> to look up the uid to know what dn to bind as, but if you
> turn off anonymous, it can't do that as anonymous, obviously.
>
> You can do one of two things as a minimum:
> 1. Set up an ACI to allow anonymous to ONLY see the uid
> (and probably objectclass) attributes.
> This will allow
> *any* app to connect to your directory server as
> anonymous and do uid lookups.

I did try this yesterday actually (objectClass, uid), however the bind wanted more than this for the login. I need to trace back what exact attributes it was requesting and fiddle some more.

> 2. Define a "service account" that is allowed to just
> read/search the uid and objectclass attributes, and
> nothing else. Preferably create a group and set the
> aci against the group, so that you can make several of
> these types of service accounts (say, a different one
> for each app, to easily track their usage separately)

This is essentially what I have going on now, a binddn/pw with limited read and search access. The group dn thing is a great idea. Thanks.

> You probably need to allow objectclass, as well as uid, because
> apps tend to do filters like (&(objectclass=person)(uid=bob)).
> Ultimately, the only way to tell the minimum access your app
> needs is to see in the access logs what it does, and tune
> accordingly.
>
> Option 1 has advantages in that any app can then do this
> translation without the need to config each with a bind dn
> and pwd, but also means anyone that knows about your dir
> server and can connect to it can look up uids, etc.
>
> Option 2 has advantages in that you can create separate
> accounts for separate apps or separate organizational
> groups to track their usage separately. You can also
> put resource limits on these accounts (for example, you
> might set the nssizelimit on these service accounts to
> 1, so that even if someone compromises the account, it
> can't return more than one entry in a search ever - and
> why would it need to return more than one, if it's
> looking up one uid to get one dn?) It also means that
> someone without a valid dn and pwd can't see
> anything, so requires more than just the host and port
> of your server.

Interesting, I was not aware that the nssizelimit could be enforced for individual entries.
Good to know, thanks.

From techchavez at gmail.com Tue Jul 28 22:21:20 2009
From: techchavez at gmail.com (Techie)
Date: Tue, 28 Jul 2009 15:21:20 -0700
Subject: [389-users] Re: anonymous access (Techie)
In-Reply-To: <4A6F5E8F.20802@symas.com>
References: <20090728160011.E97D861A123@hormel.redhat.com> <4A6F5E8F.20802@symas.com>
Message-ID:

On Tue, Jul 28, 2009 at 1:24 PM, Howard Chu wrote:
>> Date: Tue, 28 Jul 2009 07:20:01 -0700
>> From: Techie
>
>> On Tue, Jul 28, 2009 at 2:13 AM, John A. Sullivan
>> III wrote:
>>>
>>> On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
>>>>
>>>> Hello,
>>>> I am trying to altogether eliminate anonymous access to my directory.
>>>> However in doing this my authentication fails unless....I add a binddn
>>>> and bindpw to the ldap.conf on the clients.
>>>> As I understand it "bindpw" is inappropriate according to the OpenLDAP
>>>> architects.
>
> I don't know which conversation you're referring to, but certainly bindpw is
> not valid in the OpenLDAP ldap.conf. It may be valid in PADL's ldap.conf,
> but that's a different story. (As for why two completely different config
> files have the same name, well, we blame PADL for usurping the name and
> sowing endless confusion. Newer distros have started using different names
> like "nssldap.conf" to cut down on the confusion.)
>
>>>> So my situation right now looks like this. I have a ldap.conf
>>>> populated with a binddn and bindpw entry.
>>>> This allows me to remove anonymous access and authenticate to the
>>>> directory with ldap user credentials.
>>>> This is what I want, I just do not want to store a username and pass
>>>> in the ldap.conf file.
>
>>>> However if I remove this binddn and bindpw entry, and I disallow
>>>> anonymous access, I am unable to authenticate against the directory
>>>> using ldap user credentials.
>>>> Even though upon attempting to login I am
>>>> supplying valid LDAP user credentials it cannot find the user because
>>>> it initially binds as "nobody" or 'dn=""' in the access log and is
>>>> unable to locate attributes due to the lack of anonymous access.
>
>>>> Is there a way to have LDAP use the credential of the user logging in
>>>> to bind to the directory initially.
>
>>>> What are my options?
>>>> I can force SASL GSSAPI but it is not ideal in my situation.
>
> You can also use SASL DIGEST-MD5, which doesn't require any special
> infrastructure for deployment. Of course, here you're talking about the
> login which is handled by pam_ldap; you'll still need a set of service
> credentials that nss_ldap can use for its own queries.

Ok so a service credential and clear text password is necessary in the case of login with pam_ldap/nss_ldap. I was thinking there was similar functionality to the Solaris LDAP client that stores the NSldap bindpasswd hashed in a local file.

>>>
>>>
>>> As far as I know (and that's not very far), that's the way it is. How
>>> else would the client be able to query the directory. We made sure we
>>> did not use a sensitive password and also ensured the ldap.conf file was
>>> NOT world readable. We also had to implement some custom ACIs to
>>> replace anonymous access and, I'm surprised how many applications simply
>>> assume anonymous access; we had to do a bit of dancing on a per
>>> application basis to make them work. Hope this helps - John
>>> --
>>> John A. Sullivan III
>>> Open Source Development Corporation
>>> +1 207-985-7880
>>> jsullivan at opensourcedevel.com
>>>
>>> http://www.spiritualoutreach.com
>>> Making Christianity intelligible to secular society
>>
>> John,
>> It does help, thank you. Currently I use an account for the binddn
>> that has only read access to a subset of attributes. not much damage
>> can be done. I will keep searching and see what I find.
>
> That's really the best approach - use a dedicated account for nss queries
> and limit its privileges...

Thank you for the clarification. I will make the adjustments.

>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>

From jrobertm8 at yahoo.com Wed Jul 29 02:17:10 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Wed, 29 Jul 2009 10:17:10 +0800 (SGT)
Subject: [389-users] Krb5kdc startup instance
In-Reply-To: <4A6EFDD6.2090602@redhat.com>
Message-ID: <665018.72450.qm@web76310.mail.sg1.yahoo.com>

Thanks Rob and Jeff for your replies. That solved my problem. I somehow sent my query to the wrong mailing list. I am too a member of the freeipa mailing list. Nevertheless, you guys are very helpful. Thanks.

John Robert Mendoza

--- On Tue, 7/28/09, Rob Crittenden wrote:

From: Rob Crittenden
Subject: Re: [389-users] Krb5kdc startup instance
To: "General discussion list for the 389 Directory server project."
Date: Tuesday, 28 July, 2009, 9:32 PM

Jeff Moody wrote:
> I noticed the same behavior when installing a FreeIPA server for testing purposes.
>
> I was able to resolve it with a chkconfig --levels 345 krb5kdc on

The installer is supposed to do that automatically.

rob
From jrobertm8 at yahoo.com Wed Jul 29 02:29:51 2009
From: jrobertm8 at yahoo.com (John Robert Mendoza)
Date: Wed, 29 Jul 2009 10:29:51 +0800 (SGT)
Subject: [389-users] Krb5kdc startup instance
In-Reply-To: <4A6EFDD6.2090602@redhat.com>
Message-ID: <615310.93316.qm@web76306.mail.sg1.yahoo.com>

Thanks Rob and Jeff for the reply. That solved the problem for me. Yeah I somehow sent this query to the wrong mailing list. I am also a member of the freeipa-users mailing list. Nevertheless, you guys are very helpful. Thanks again.

John Robert Mendoza

--- On Tue, 7/28/09, Rob Crittenden wrote:

From: Rob Crittenden
Subject: Re: [389-users] Krb5kdc startup instance
To: "General discussion list for the 389 Directory server project."
Date: Tuesday, 28 July, 2009, 9:32 PM

Jeff Moody wrote:
> I noticed the same behavior when installing a FreeIPA server for testing purposes.
>
> I was able to resolve it with a chkconfig --levels 345 krb5kdc on

The installer is supposed to do that automatically.

rob

From muzzol at gmail.com Wed Jul 29 07:23:52 2009
From: muzzol at gmail.com (muzzol)
Date: Wed, 29 Jul 2009 07:23:52 +0000
Subject: [389-users] attribute "sambaPasswordHistory" not allowed
In-Reply-To: <4A6EF7F0.1090203@redhat.com>
References: <4a3f02760907280041w5f289d9do45689bdf45f5b722@mail.gmail.com> <4A6EF7F0.1090203@redhat.com>
Message-ID: <4a3f02760907290023q1d759bb9wac7db8a2aad99db8@mail.gmail.com>

2009/7/28 Rob Crittenden :
> Looks like it is assuming the user has the sambaSamAccount objectclass.
>
> I know next to nothing about webmin but I'd suggest you ask them for
> assistance.
> I can point you to the Samba v3 schema but without the big
> picture I don't want to screw things up for you.
>

ok, thanks for the guidance. I'll do that.

--
muzzol(a)muzzol.com
jabber id: muzzol(a)jabber.dk

From rpolli at babel.it Wed Jul 29 14:11:02 2009
From: rpolli at babel.it (Roberto Polli)
Date: Wed, 29 Jul 2009 16:11:02 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <4A68A5BD.2020902@redhat.com>
References: <4A5E0A20.7000600@messinalug.org> <200907231928.56333.rpolli@babel.it> <4A68A5BD.2020902@redhat.com>
Message-ID: <200907291611.03122.rpolli@babel.it>

Hi Rich,

On Thursday 23 July 2009 20:02:37 Rich Megginson wrote:
> > it seems that when I try to modify userPassword, the reference to
> > uid=admin is not forwarded and only the proxyuser rights are used..
>
> I suppose you could turn on ACL summary logging to see what's going on.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

I followed your suggestion, and I found that:

1) when I modify the givenName, the local server made a proxy auth using the local binddn. log states:
NSACLPlugin - proxied authorization dn is (uid=u1,ou=service administrators,dc=babel,dc=it)

2) when I modify the userPassword, the remote server states:
NSACLPlugin - proxied authorization dn is ()

now I'm tcpdumping, but really strange

old details down.

Peace,
R.
> Roberto Polli wrote:
> > On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:
> >>> case1)
> >
> >>>>> * I bind with uid=admin to the local DS tree to modify the
> >>>>> "givenName" of a user on the remote server
> >>>>> * the modify is successful, as the uid=admin is proxied and the
> >>>>> "uid=admin" is replicated on the remote server
> >>>>>
> >>>>> case2)
> >>>>> * same as case1 but I try to modify "userPassword"
> >>>>> * the modify fails as the remote server won't evaluate aci on
> >>>>> "uid=admin" but on "dn:proxyuser"
> >>
> >> So the user uid=admin - is that the Directory Manager (rootdn)?
> > no
> >> is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
> > yes, and it can modify users' attribute, but password
> >> Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the
> >> local and remote servers?
> > yes
> >
> > it seems that when I try to modify userPassword, the reference to
> > uid=admin is not forwarded and only the proxyuser rights are used..
>
> I suppose you could turn on ACL summary logging to see what's going on.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
> > Peace,
> > R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"The following message contains confidential information. Should you have received this message in error, please notify us by e-mail. We also urge you to destroy the message received in error. The above is requested in compliance with the law on personal data protection."
From rpolli at babel.it Wed Jul 29 16:04:27 2009
From: rpolli at babel.it (Roberto Polli)
Date: Wed, 29 Jul 2009 18:04:27 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <200907291611.03122.rpolli@babel.it>
References: <4A5E0A20.7000600@messinalug.org> <4A68A5BD.2020902@redhat.com> <200907291611.03122.rpolli@babel.it>
Message-ID: <200907291804.27491.rpolli@babel.it>

On Wednesday 29 July 2009 16:11:02 Roberto Polli wrote:
> now I'm tcpdumping, but really strange

tcpdump says the requests made by the local to the remote are almost identical

both contain the user proxied (uid=admin)
both contain the controls (proxy and loop detection)
2.16.840.1.113730.3.4.12
1.3.6.1.4.1.1466.29539.12

packages are:
fedora-ds-1.1.2-1.fc6
fedora-ds-base-1.1.3-2.fc6

Peace,
R.

>
> old details down.
> Peace,
> R.
>
> > Roberto Polli wrote:
> > > On Thursday 23 July 2009 19:10:26 Rich Megginson wrote:
> > >>> case1)
> > >
> > >>>>> * I bind with uid=admin to the local DS tree to modify the
> > >>>>> "givenName" of a user on the remote server
> > >>>>> * the modify is successful, as the uid=admin is proxied and the
> > >>>>> "uid=admin" is replicated on the remote server
> > >>>>>
> > >>>>> case2)
> > >>>>> * same as case1 but I try to modify "userPassword"
> > >>>>> * the modify fails as the remote server won't evaluate aci on
> > >>>>> "uid=admin" but on "dn:proxyuser"
> > >>
> > >> So the user uid=admin - is that the Directory Manager (rootdn)?
> > >
> > > no
> > >
> > >> is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
> > >
> > > yes, and it can modify users' attribute, but password
> > >
> > >> Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the
> > >> local and remote servers?
> > >
> > > yes
> > >
> > >
> > > it seems that when I try to modify userPassword, the reference to
> > > uid=admin is not forwarded and only the proxyuser rights are used..
> >
> > I suppose you could turn on ACL summary logging to see what's going on.
> > http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >
> > > Peace,
> > > R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

From rmeggins at redhat.com Wed Jul 29 16:09:17 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 29 Jul 2009 10:09:17 -0600
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <200907291804.27491.rpolli@babel.it>
References: <4A5E0A20.7000600@messinalug.org> <4A68A5BD.2020902@redhat.com> <200907291611.03122.rpolli@babel.it> <200907291804.27491.rpolli@babel.it>
Message-ID: <4A70742D.6050808@redhat.com>

Roberto Polli wrote:
> On Wednesday 29 July 2009 16:11:02 Roberto Polli wrote:
>
>> now I'm tcpdumping, but really strange
>>
> tcpdump says the requests made by the local to the remote are almost identical
>
> both contain the user proxied (uid=admin)
> both contain the controls (proxy and loop detection)
> 2.16.840.1.113730.3.4.12
> 1.3.6.1.4.1.1466.29539.12
>
> packages are:
> fedora-ds-1.1.2-1.fc6
> fedora-ds-base-1.1.3-2.fc6
>

Does this give any useful information?

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Database_Links.html#Creating_and_Maintaining_Database_Links-Database_Links_and_Access_Control_Evaluation

>
> Peace,
> R.
>
>
>> old details down.
>> Peace,
>> R.
>>

From rmeggins at redhat.com Wed Jul 29 21:00:43 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 29 Jul 2009 15:00:43 -0600
Subject: [389-users] cache settings
In-Reply-To: <4B7EE1C0-8752-4313-8AB0-CEA6F7E1561B@uq.edu.au>
References: <4B7EE1C0-8752-4313-8AB0-CEA6F7E1561B@uq.edu.au>
Message-ID: <4A70B87B.6040604@redhat.com>

Nick Gresham wrote:
> Hi All
>
> I'm looking for some clarification (best practices) on setting cache
> sizes for Fedora DS.
> What is the difference between the maximum cache
> size under LDBM Plug-in settings tab
This applies to the index files.
> and the cache size under individual backends' Database Settings tab?
This applies to the Entry cache for that backend.
>
> http://directory.fedoraproject.org/wiki/Performance_Tuning gives some
> reference to disk cache and memory cache differences but I've been
> unable to find further references.
If you really want the details, and especially about how to monitor cache usage, go to http://www.redhat.com/docs/manuals/dir-server/8.1/cli/ix01.html and search for "cache", cn=database, and cn=monitor
>
> Thanks
> Nick

From rmeggins at redhat.com Wed Jul 29 21:08:26 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 29 Jul 2009 15:08:26 -0600
Subject: [389-users] Re: using tasks question
In-Reply-To:
References:
Message-ID: <4A70BA4A.7090103@redhat.com>

Techie wrote:
> Although I did not find the nsDirectoryServerTask oclass I did find a
> way around it.
>
> I have another question regarding exporting a MMR enabled replica.
> I plan on scripting this on a weekly basis. As I understand it, when
> using db2ldif with the -r option it is necessary to stop the directory
> before running the command. My question is why exactly is that, can it
> cause corruption?
You can get an inconsistent LDIF file. It should not corrupt the database.
> Also the documentation for using tasks to export
> replicas does not mention having to stop the directory, can you
> confirm that it is not necessary to stop the directory before using
> tasks to export a replica?
>
That is correct.
You can do the export using the task interface without stopping the server.
> Thank you
>
> On Wed, Jul 22, 2009 at 8:56 AM, Techie
>
>> Hello,
>> I am looking to automate some things with cn=tasks. I have read the
>> Task invocation info but no nsdirectoryservertask objectclass exists
>> even in the source from what I see. Where can I get the schema file
>> with this O class?
>>
>> Thank you

From rmeggins at redhat.com Wed Jul 29 21:38:02 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 29 Jul 2009 15:38:02 -0600
Subject: [389-users] Db-link setup question
In-Reply-To:
References: <4A649D22.80609@redhat.com> <4A64A5F9.9090802@redhat.com> <4A64AFD6.7090003@redhat.com> <4A64B840.1000100@redhat.com>
Message-ID: <4A70C13A.5000301@redhat.com>

Reinhard Nappert wrote:
> Rick,
>
> the first issue is solved by adding an additional aci for that proxy admin, allowing proxy:
> aci: (targetattr=*)(target = "ldap:///ou=region B,ou=people,o=suffix")(version 3.0;acl
> "Allows use of admin for chaining"; allow (proxy) (userdn="ldap:///uid=proxy admin,cn=config");)
>
> However, when I restart Server A, it is broken with err=32.
>
What entry is giving err=32?
> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Reinhard Nappert
> Sent: Monday, July 20, 2009 3:17 PM
> To: General discussion list for the 389 Directory server project.
> Subject: RE: [389-users] Db-link setup question
>
> I do not feel very confident using chained links:
>
> When I change my configuration to
>
> dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsBackendInstance
> nsslapd-suffix: ou=region B,ou=people,o=suffix
> nsfarmserverurl: ldap://serverB:389/
> nsmultiplexorbinddn: cn=proxy admin,cn=config
> nsmultiplexorcredentials: secret
> cn: serverBlink
>
> dn: cn="ou=region B,ou=people,o=suffix",cn=mapping tree,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsMappingTree
> nsslapd-state: backend
> nsslapd-backend: serverBlink
> nsslapd-parent-suffix: "ou=people,o=suffix "
> cn: "ou=region B,ou=people,o=suffix"
>
> Server A proxies the correct search to Server B. However, the response is empty if I search for an existing entry of Server B. I also see the search in Server B's access file, but the response is empty. If I contact Server B with the proxy admin credentials, it returns the existing object. This tells me that the ACIs are working.
> Do you have an explanation for that?
>
> Even more disturbing: After I restart Server A, the entire chaining is broken. I get err=32 again, but this time Server A does not even perform the search towards Server B.
>
> -Reinhard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
> Sent: Monday, July 20, 2009 2:33 PM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Db-link setup question
>
> Reinhard Nappert wrote:
>
>> Sorry, the chaining server.
>> I checked the chained-to server (Server B)'s access file and it gets it from there. This is good, that Server A actually talks to Server B.
>> The issue is the following:
>>
>> I do a search with the
>> Base: l=location B,ou=people,o=suffix
>>
>> It performs the search on Server B with exactly the same search base,
>> although I configured it as
>> nsslapd-suffix: ou=region B,ou=people,o=suffix
>>
>> So, shouldn't Server A alter the search and use ou=region
>> B,ou=people,o=suffix as base?
>>
>> On the other hand, I could change the configuration accordingly.
>>
> There is no search altering or search mapping with chaining.
>
>> -Reinhard
>>
>> -----Original Message-----
>> From: fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
>> Megginson
>> Sent: Monday, July 20, 2009 1:57 PM
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] Db-link setup question
>>
>> Reinhard Nappert wrote:
>>
>>> Nothing in error and only err=32 in access.
>>>
>> err=32 in which access? The chaining server or the chained-to server?
>>
>>> -Reinhard
>>>
>>> -----Original Message-----
>>> From: fedora-directory-users-bounces at redhat.com
>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
>>> Megginson
>>> Sent: Monday, July 20, 2009 1:15 PM
>>> To: General discussion list for the 389 Directory server project.
>>> Subject: Re: [389-users] Db-link setup question
>>>
>>> Reinhard Nappert wrote:
>>>
>>>> Thanks Rick,
>>>>
>>>> Yes this is what I did. I find the error message not very user-friendly. Anyway, when I use a different bind dn, it says that my sub suffix l=location B,ou=people,o=suffix does not exist. Do I need to add that object as well? I thought the directory takes care of this one.
>>>>
>>> Yes, the object does not have to exist in the chaining database, only in the real database that is chained to. Any info in the access and error logs on the chaining server or the chained-to server?
>>>
>>>> -Reinhard
>>>>
>>>> -----Original Message-----
>>>> From: fedora-directory-users-bounces at redhat.com
>>>> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich
>>>> Megginson
>>>> Sent: Monday, July 20, 2009 12:37 PM
>>>> To: General discussion list for the 389 Directory server project.
>>>> Subject: Re: [389-users] Db-link setup question
>>>>
>>>> Reinhard Nappert wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have two LDAP Servers setup (Server A and Server B). Both of them
>>>>> have the identical suffix (o=suffix). Again, both of them have a
>>>>> people organizational unit (ou=people,o=suffix). Server B has a big
>>>>> subtree (ou=region B,ou=people,o=suffix).
>>>>>
>>>>> My intention is to create a db link on Server A, which links to the
>>>>> ou=region B,ou=people,o=suffix subtree on Server B.
>>>>>
>>>>> I did create the database link and a new suffix l=location
>>>>> B,ou=people,o=suffix on Server A with the following entries:
>>>>>
>>>>> dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config
>>>>> objectclass: top
>>>>> objectclass: extensibleObject
>>>>> objectclass: nsBackendInstance
>>>>> nsslapd-suffix: ou=region B,ou=people,o=suffix
>>>>> nsfarmserverurl: ldap://serverB:389/
>>>>> nsmultiplexorbinddn: cn=proxy admin,cn=config
>>>>> nsmultiplexorcredentials: secret
>>>>> cn: serverBlink
>>>>>
>>>>> dn: cn="l=location B,ou=people,o=suffix",cn=mapping tree,cn=config
>>>>> objectclass: top
>>>>> objectclass: extensibleObject
>>>>> objectclass: nsMappingTree
>>>>> nsslapd-state: backend
>>>>> nsslapd-backend: serverBlink
>>>>> nsslapd-parent-suffix: "ou=people,o=suffix "
>>>>> cn: "l=location B,ou=people,o=suffix"
>>>>>
>>>>> I am only interested in reading the server B information, when
>>>>> accessing from server A. The "proxy admin" user was created as well.
>>>>>
>>>>> When I do a search with the base l=location B,ou=people,o=suffix,
>>>>> accessing server A, I always get the following error "Proxy dn
>>>>> should not be rootdn".
>>>>>
>>>>> What did I miss for the setup?
>>>>>
>>>> You cannot chain the directory manager user (aka rootdn). I'm assuming you're doing a search like ldapsearch -D "cn=directory manager" ...
>>>> This will not work - you must use a user other than directory manager.
>>>>
>>>>> Thanks,
>>>>> -Reinhard
>>>>>
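Rich's point that chaining does no search altering or mapping is what separates Reinhard's first configuration (mapping tree on l=location B, link suffix ou=region B) from the second (both on ou=region B). The following is an added example, not 389/Fedora DS code: a small Python check that pairs each mapping tree entry with its chaining backend and reports when the two suffixes differ. The LDIF reader and DN normalization are simplified approximations, and the warning about whitespace inside the quoted nsslapd-parent-suffix value is a check added here, not a diagnosis from the thread.

```python
"""Check a 389/Fedora DS database link: the mapping tree suffix must equal the
chaining backend's nsslapd-suffix, since chaining forwards the search base
unchanged. Added example, not project code; LDIF/DN handling is simplified."""
import re

CHAINING_CONTAINER = "cn=chaining database,cn=plugins,cn=config"

def link_config(mapping_suffix):
    """Reinhard's two entries (constructed sample); only the mapping tree
    suffix differs between his first and second attempt."""
    return f"""dn: cn=serverBlink,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: ou=region B,ou=people,o=suffix
nsfarmserverurl: ldap://serverB:389/
nsmultiplexorbinddn: cn=proxy admin,cn=config
nsmultiplexorcredentials: secret
cn: serverBlink

dn: cn="{mapping_suffix}",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: serverBlink
nsslapd-parent-suffix: "ou=people,o=suffix "
cn: "{mapping_suffix}"
"""

def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr(lower): [values]}; joins folded
    lines, skips comments, keeps trailing whitespace in values, no base64."""
    physical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and physical:
            physical[-1] += raw[1:]
        else:
            physical.append(raw)
    entries, entry = [], {}
    for line in physical + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.lower(), []).append(value[1:] if value.startswith(" ") else value)
    return entries

def normalize_dn(dn):
    """Lower-case, drop the quotes 389 puts around multi-RDN cn values and
    strip whitespace around RDN separators; enough for equality checks."""
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, val = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + val.strip().lower())
    return ",".join(rdns)

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))

def check_chaining_config(ldif_text):
    """Return [(level, message)] findings; level is 'error' or 'warn'."""
    entries = parse_ldif(ldif_text)
    links = {e.get("cn", [""])[0].strip().lower(): e for e in entries
             if has_class(e, "nsBackendInstance")
             and normalize_dn(e.get("dn", [""])[0]).endswith("," + CHAINING_CONTAINER)}
    findings = []
    for e in entries:
        if not has_class(e, "nsMappingTree"):
            continue
        cn = e.get("cn", [""])[0]
        suffix = normalize_dn(cn)
        backend = e.get("nsslapd-backend", [""])[0].strip().lower()
        link = links.get(backend)
        if link is None:
            findings.append(("error", f"{cn}: nsslapd-backend '{backend}' is not a chaining backend"))
        else:
            link_suffix = normalize_dn(link.get("nsslapd-suffix", [""])[0])
            if link_suffix != suffix:  # the l=location B vs ou=region B case from the thread
                findings.append(("error", f"{cn}: suffix '{suffix}' != link nsslapd-suffix "
                                 f"'{link_suffix}'; searches are forwarded with this base unchanged"))
        parent = e.get("nsslapd-parent-suffix", [None])[0]
        if parent is not None:
            raw = parent.strip()
            if raw[:1] == '"' and raw[-1:] == '"' and raw[1:-1] != raw[1:-1].strip():
                findings.append(("warn", f"{cn}: whitespace inside quoted nsslapd-parent-suffix {parent!r}"))
            if not suffix.endswith("," + normalize_dn(parent)):
                findings.append(("error", f"{cn}: nsslapd-parent-suffix is not the parent of '{suffix}'"))
    return findings
```

Running `check_chaining_config(link_config("l=location B,ou=people,o=suffix"))` reports the suffix mismatch; the ou=region B variant reports only the whitespace warning.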
From rpolli at babel.it Wed Jul 29 23:06:31 2009
From: rpolli at babel.it (Roberto Polli)
Date: Thu, 30 Jul 2009 01:06:31 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <4A707A6C.3070607@redhat.com>
References: <4A5E0A20.7000600@messinalug.org> <200907291828.54928.rpolli@babel.it> <4A707A6C.3070607@redhat.com>
Message-ID: <200907300106.31965.rpolli@babel.it>

On Wednesday 29 July 2009 18:35:56 you wrote:
> Roberto Polli wrote:
> > On Wednesday 29 July 2009 18:09:17 Rich Megginson wrote:
> >> Does this give any useful information?
> >> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Database_Links.html#Creating_and_Maintaining_Database_Links-Database_Links_and_Access_Control_Evaluation
> >
> > I read it more than once.. made some slides too
> > http://docs.google.com/present/view?id=dd4mpk7p_10366hxdsmn
> >
> > nonetheless I may have made some mistake.
> >
> > what I didn't understand is why - when updating userPassword - the remote
> > server states that
> >
> >> NSACLPlugin - proxied authorization dn is ()
> >
> > instead of
> >
> >> NSACLPlugin - proxied authorization dn is (uid=u1,ou=service administrators,dc=babel,dc=it)
> >
> > hope this could clarify a bit my problem..
>
> Are you using the ldappasswd command to update the password?

ldapmodify:

dn: uid=pippo,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: pippo1242102d32d322d8321p8enxnc093212190cx321

> You may have to allow that component to chain.
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Configuring_Directory_Databases-Creating_and_Maintaining_Database_Links.html#Configuring_the_Chaining_Policy-Chaining_Component_Operations

Even if I don't use SASL, anyway I enabled chaining of PasswordPolicy controls, but nothing changes.
..
but.. is it right that in aclplugin.c the function
acl_get_proxyauth_dn( pb, &proxy_dn, &errtext )
returns proxy_dn = "" ?

Peace,
R.

-- 
Roberto Polli
Babel S.r.l. - http://www.babel.it

From rmeggins at redhat.com Wed Jul 29 23:15:00 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 29 Jul 2009 17:15:00 -0600
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <200907300106.31965.rpolli@babel.it>
References: <4A5E0A20.7000600@messinalug.org> <200907291828.54928.rpolli@babel.it> <4A707A6C.3070607@redhat.com> <200907300106.31965.rpolli@babel.it>
Message-ID: <4A70D7F4.8060306@redhat.com>

Roberto Polli wrote:
> On Wednesday 29 July 2009 18:35:56 you wrote:
>
>> Roberto Polli wrote:
>>
>>> On Wednesday 29 July 2009 18:09:17 Rich Megginson wrote:
>>>
>>>> Does this give any useful information?
>>>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Database_Links.html#Creating_and_Maintaining_Database_Links-Database_Links_and_Access_Control_Evaluation
>>>>
>>> I read it more than once.. made some slides too
>>> http://docs.google.com/present/view?id=dd4mpk7p_10366hxdsmn
>>>
>>> nonetheless I may have made some mistake.
>>>
>>> what I didn't understand is why - when updating userPassword - the remote
>>> server states that
>>>
>>>> NSACLPlugin - proxied authorization dn is ()
>>>>
>>> instead of
>>>
>>>> NSACLPlugin - proxied authorization dn is (uid=u1,ou=service administrators,dc=babel,dc=it)
>>>>
>>> hope this could clarify a bit my problem..
>>>
>> Are you using the ldappasswd command to update the password?
>>
> ldapmodify:
> dn: uid=pippo,dc=example,dc=com
> changetype: modify
> replace: userPassword
> userPassword: pippo1242102d32d322d8321p8enxnc093212190cx321
>
>> You may have to allow that component to chain.
>> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Configuring_Directory_Databases-Creating_and_Maintaining_Database_Links.html#Configuring_the_Chaining_Policy-Chaining_Component_Operations
>>
> Even if I don't use SASL, anyway I enabled chaining of PasswordPolicy
> controls, but nothing changes.
> ..
>
> but.. is it right that in aclplugin.c the function
> acl_get_proxyauth_dn( pb, &proxy_dn, &errtext )
> returns proxy_dn = "" ?
>
It is if there is no proxy auth control being sent.
> Peace,
> R.

From rpolli at babel.it Wed Jul 29 23:28:37 2009
From: rpolli at babel.it (Roberto Polli)
Date: Thu, 30 Jul 2009 01:28:37 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <4A70D7F4.8060306@redhat.com>
References: <4A5E0A20.7000600@messinalug.org> <200907300106.31965.rpolli@babel.it> <4A70D7F4.8060306@redhat.com>
Message-ID: <200907300128.37996.rpolli@babel.it>

On Thursday 30 July 2009 01:15:00 Rich Megginson wrote:
> > but.. is it right that in aclplugin.c the function
> > acl_get_proxyauth_dn( pb, &proxy_dn, &errtext )
> > returns proxy_dn = "" ?
>
> It is if there is no proxy auth control being sent.
but tcpdump states it's sent...

Peace,
R.

-- 
Roberto Polli
Babel S.r.l. - http://www.babel.it

From rmeggins at redhat.com Wed Jul 29 23:36:15 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 29 Jul 2009 17:36:15 -0600
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <200907300128.37996.rpolli@babel.it>
References: <4A5E0A20.7000600@messinalug.org> <200907300106.31965.rpolli@babel.it> <4A70D7F4.8060306@redhat.com> <200907300128.37996.rpolli@babel.it>
Message-ID: <4A70DCEF.1060909@redhat.com>

Roberto Polli wrote:
> On Thursday 30 July 2009 01:15:00 Rich Megginson wrote:
>
>>> but.. is it right that in aclplugin.c the function
>>> acl_get_proxyauth_dn( pb, &proxy_dn, &errtext )
>>> returns proxy_dn = "" ?
>>>
>> It is if there is no proxy auth control being sent.
>>
> but tcpdump states it's sent...
>
Without walking through the server with the debugger, it's going to be difficult to tell what's going on. The function acl_get_proxyauth_dn() is pretty straightforward - look at the request controls, see if version 1 or version 2 of the proxy auth control was sent, if so, grab the DN from the control value. There is no obvious place in the code where acl_get_proxyauth_dn() would be called conditionally (that is, not called due to some condition). So I'm at a loss to explain how acl_get_proxyauth_dn() could be called at all, with a valid proxy auth control containing a non-empty DN value, and return a NULL or empty DN.
> Peace,
> R.
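The lookup Rich describes (walk the request controls, pick out the version 1 or version 2 proxy auth control, take the DN from its value, and come back empty when no such control is present) as an added Python example; this is not 389-ds code. The v1 OID is the one in Roberto's tcpdump; the v2 OID 2.16.840.1.113730.3.4.18 (RFC 4370) and the two value layouts (v1: a BER SEQUENCE holding the DN, v2: a bare authzId such as dn:...) are taken from the specifications, not from the thread, and the (oid, critical, value) list shape is assumed.

```python
"""Decode the proxied-authorization request control the way the thread
describes acl_get_proxyauth_dn() working: find the v1 or v2 proxy auth
control among the request controls and take the DN from its value.
Added example, not 389-ds code."""

# v1 OID appears in Roberto's tcpdump; v2 is the RFC 4370 control.
# Value layouts are assumed from the specs: v1 wraps the DN in a BER
# SEQUENCE, v2 carries a bare authzId such as "dn:uid=u1,...".
PROXYAUTH_V1 = "2.16.840.1.113730.3.4.12"
PROXYAUTH_V2 = "2.16.840.1.113730.3.4.18"
LOOP_DETECT = "1.3.6.1.4.1.1466.29539.12"  # also in the capture; ignored here


def _ber_len(buf, pos):
    """Decode a BER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _ber_len_bytes(n):
    """Encode a BER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_proxyauth_v1(dn):
    """Build a v1 control value, SEQUENCE { LDAPDN }, to feed the decoder."""
    dn_bytes = dn.encode("utf-8")
    inner = b"\x04" + _ber_len_bytes(len(dn_bytes)) + dn_bytes
    return b"\x30" + _ber_len_bytes(len(inner)) + inner


def _decode_v1(value):
    if not value or value[0] != 0x30:
        raise ValueError("v1 proxy auth value is not a SEQUENCE")
    seq_len, pos = _ber_len(value, 1)
    end = pos + seq_len
    if end > len(value) or pos >= end or value[pos] != 0x04:
        raise ValueError("v1 proxy auth SEQUENCE does not start with an OCTET STRING")
    dn_len, pos = _ber_len(value, pos + 1)
    if pos + dn_len > end:
        raise ValueError("truncated DN in v1 proxy auth control")
    return value[pos:pos + dn_len].decode("utf-8")


def _decode_v2(value):
    authzid = value.decode("utf-8")
    if authzid == "":
        return ""  # an empty authzId means anonymous
    if authzid.startswith("dn:"):
        return authzid[3:]
    raise ValueError("only dn: authzIds are handled here")


def proxyauth_dn(controls):
    """controls: list of (oid, critical, value) tuples from the request.
    Returns the proxied DN, or "" when no proxy auth control is present,
    which is the one case Rich names for an empty result."""
    for oid, _critical, value in controls:
        if oid == PROXYAUTH_V1:
            return _decode_v1(value)
        if oid == PROXYAUTH_V2:
            return _decode_v2(value)
    return ""


if __name__ == "__main__":
    dn = "uid=u1,ou=Service Administrators,dc=babel,dc=it"  # DN from the thread's logs
    # Constructed request controls mirroring the capture: proxy auth plus loop
    # detection (the loop detection value is irrelevant to this decoder).
    request = [(PROXYAUTH_V1, True, encode_proxyauth_v1(dn)), (LOOP_DETECT, True, b"")]
    print("proxied authorization dn is (%s)" % proxyauth_dn(request))
    print("proxied authorization dn is (%s)" % proxyauth_dn(request[1:]))
```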
From rpolli at babel.it Wed Jul 29 23:41:36 2009
From: rpolli at babel.it (Roberto Polli)
Date: Thu, 30 Jul 2009 01:41:36 +0200
Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem
In-Reply-To: <4A70DCEF.1060909@redhat.com>
References: <4A5E0A20.7000600@messinalug.org> <200907300128.37996.rpolli@babel.it> <4A70DCEF.1060909@redhat.com>
Message-ID: <200907300141.36703.rpolli@babel.it>

On Thursday 30 July 2009 01:36:15 Rich Megginson wrote:
> Roberto Polli wrote:
> > On Thursday 30 July 2009 01:15:00 Rich Megginson wrote:
> >>> but.. is it right that in aclplugin.c the function
> >>> acl_get_proxyauth_dn( pb, &proxy_dn, &errtext )
> >>> returns proxy_dn = "" ?
> >>
> >> It is if there is no proxy auth control being sent.
> >
> > but tcpdump states it's sent...
>
> Without walking through the server with the debugger, it's going to be
> difficult to tell what's going on.

it's the whole day I'm trying that way ;) hope to discover something.. I should set thread to 1 to use gdb against slapd

> The function acl_get_proxyauth_dn()
> is pretty straightforward - look at the request controls, see if version
> 1 or version 2 of the proxy auth control was sent,

ok

> if so, grab the DN
> from the control value. There is no obvious place in the code where
> acl_get_proxyauth_dn() would be called conditionally (that is, not
> called due to some condition).

ok

> So I'm at a loss to explain how
> acl_get_proxyauth_dn() could be called at all, with a valid proxy auth
> control containing a non-empty DN value, and return a NULL or empty DN.

That's a nice answer :P

I'll continue to play with it.. just hope not to be silly enough to have some mistake in configs. Maybe it's worth an rpm -U of the server...

Rich, thank you very much for all your prompt replies. I'll let you know.
Thanks again + Peace,
R.

-- 
Roberto Polli
Babel S.r.l. - http://www.babel.it

From techchavez at gmail.com Thu Jul 30 05:42:19 2009
From: techchavez at gmail.com (Techie)
Date: Wed, 29 Jul 2009 22:42:19 -0700
Subject: [389-users] Supported Extension
Message-ID:

Greetings all,
Is it possible to add the supportedExtension: 1.3.6.1.4.1.4203.1.11.1 to the 389 Directory server?

Thank you

From rmeggins at redhat.com Thu Jul 30 13:24:48 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 30 Jul 2009 07:24:48 -0600
Subject: [389-users] Supported Extension
In-Reply-To:
References:
Message-ID: <4A719F20.3050306@redhat.com>

Techie wrote:
> Greetings all,
> Is it possible to add the supportedExtension: 1.3.6.1.4.1.4203.1.11.1
> to the 389 Directory server?
>
It's not there? It should already be listed:

ldapsearch -x -s base -b ""
dn:
...
supportedExtension: 2.16.840.1.113730.3.5.9
supportedExtension: 2.16.840.1.113730.3.5.4
supportedExtension: 1.3.6.1.4.1.4203.1.11.1 <----
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 2.16.840.1.113730.3.4.3
...
> Thank you
From daniel.cruz at sc.senai.br Thu Jul 30 13:30:17 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Thu, 30 Jul 2009 10:30:17 -0300
Subject: [389-users] Multimaster upgrade issues
Message-ID:

Hi all,

Has anyone had problems upgrading a cluster with 2 multi-master servers and several consumers?

We are planning an upgrade, first one master, then the other. Consumers will be upgraded eventually.

Is the approach correct?

Regards,
Daniel Cruz

From techchavez at gmail.com Thu Jul 30 13:44:05 2009
From: techchavez at gmail.com (Techie)
Date: Thu, 30 Jul 2009 06:44:05 -0700
Subject: [389-users] Supported Extension
In-Reply-To: <4A719F20.3050306@redhat.com>
References: <4A719F20.3050306@redhat.com>
Message-ID:

On Thu, Jul 30, 2009 at 6:24 AM, Rich Megginson wrote:
> Techie wrote:
>>
>> Greetings all,
>> Is it possible to add the supportedExtension: 1.3.6.1.4.1.4203.1.11.1
>> to the 389 Directory server?
>>
>
> It's not there? It should already be listed:
> ldapsearch -x -s base -b ""
> dn:
> ...
> supportedExtension: 2.16.840.1.113730.3.5.9
> supportedExtension: 2.16.840.1.113730.3.5.4
> supportedExtension: 1.3.6.1.4.1.4203.1.11.1 <----
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 2.16.840.1.113730.3.4.3

My mistake... The extension I am looking for is

1.3.6.1.4.1.4203.1.11.3

1.3.6.1.4.1.4203.1.11.1 is definitely there.
Thank you

From rmeggins at redhat.com Thu Jul 30 14:01:57 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 30 Jul 2009 08:01:57 -0600
Subject: [389-users] Supported Extension
In-Reply-To:
References: <4A719F20.3050306@redhat.com>
Message-ID: <4A71A7D5.6080005@redhat.com>

Techie wrote:
> On Thu, Jul 30, 2009 at 6:24 AM, Rich Megginson wrote:
>
>> Techie wrote:
>>
>>> Greetings all,
>>> Is it possible to add the supportedExtension: 1.3.6.1.4.1.4203.1.11.1
>>> to the 389 Directory server?
>>>
>> It's not there? It should already be listed:
>> ldapsearch -x -s base -b ""
>> dn:
>> ...
>> supportedExtension: 2.16.840.1.113730.3.5.9
>> supportedExtension: 2.16.840.1.113730.3.5.4
>> supportedExtension: 1.3.6.1.4.1.4203.1.11.1 <----
>> supportedControl: 2.16.840.1.113730.3.4.2
>> supportedControl: 2.16.840.1.113730.3.4.3
>>
> My mistake... The extension I am looking for is
>
> 1.3.6.1.4.1.4203.1.11.3
>
> 1.3.6.1.4.1.4203.1.11.1 is definitely there.
>
> Thank you
>
Please file a bug/enhancement request at https://bugzilla.redhat.com/enter_bug.cgi?product=389

From across at itasoftware.com Thu Jul 30 22:02:12 2009
From: across at itasoftware.com (Anne Cross)
Date: Thu, 30 Jul 2009 18:02:12 -0400
Subject: [389-users] OpenLDAP as a slave of Fedora Directory Server?
Message-ID: <4A721864.9000902@itasoftware.com>

I've been through the FDS/389 website, and the best I've come up with is this: http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration

Unfortunately, that gives me the sync in the wrong direction. We have pre-existing OpenLDAP servers that belong to a different group. We're supposed to be their ultimate source of data - once we get set up - but they won't change their servers from OpenLDAP because, as they say, they know how they work and why should they do more work.

I don't need data synced back from OpenLDAP, but syncrepl doesn't appear to do the right thing when pointed at an FDS directory server, so what's the secret, undocumented method? Even a hint would help. Google just keeps turning up pages where people have named their box "Fedora" and it's all openldap to openldap.

-- 
 ,___,
 {o,o}   Anne "Juniper" Cross
 (___)   Senior Linux Systems Engineer and Extropic Crusader
-"-"--   Information Technology, ITA Software
 /^^^

From gholbert at broadcom.com Thu Jul 30 22:28:58 2009
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 30 Jul 2009 15:28:58 -0700
Subject: [389-users] OpenLDAP as a slave of Fedora Directory Server?
In-Reply-To: <4A721864.9000902@itasoftware.com>
References: <4A721864.9000902@itasoftware.com>
Message-ID: <4A721EAA.7040600@broadcom.com>

Currently, OpenLDAP and 389 have totally different replication mechanisms, so you can't really replicate between the two.
You can of course export / import filtered LDIF in either direction, which, depending on the need, is occasionally good enough.

Anne Cross wrote:
> I've been through the FDS/389 website, and the best I've come up with is
> this: http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>
> Unfortunately, that gives me the sync in the wrong direction. We have
> pre-existing OpenLDAP servers that belong to a different group.
> We're
> supposed to be their ultimate source of data - once we get set up - but
> they won't change their servers from OpenLDAP because, as they say, they
> know how they work and why should they do more work.
>
> I don't need data synced back from OpenLDAP, but syncrepl doesn't appear
> to do the right thing when pointed at an FDS directory server, so what's
> the secret, undocumented method? Even a hint would help. Google just
> keeps turning up pages where people have named their box "Fedora" and
> it's all openldap to openldap.
>

From across at itasoftware.com Thu Jul 30 22:32:28 2009
From: across at itasoftware.com (Anne Cross)
Date: Thu, 30 Jul 2009 18:32:28 -0400
Subject: [389-users] OpenLDAP as a slave of Fedora Directory Server?
In-Reply-To: <4A721EAA.7040600@broadcom.com>
References: <4A721864.9000902@itasoftware.com> <4A721EAA.7040600@broadcom.com>
Message-ID: <4A721F7C.2020905@itasoftware.com>

Rats. That's pretty much the conclusion I'd reached, but I'd hoped I was wrong, based on the wiki page. Unfortunately, for account terminations, we need more than just the ldif export/import, and Security is kind of cranky about the lack.

Thanks for the answer. I guess I'll cross my fingers that somebody takes it off of the wishlist soon.

-- juniper

George Holbert wrote:
> Currently, OpenLDAP and 389 have totally different replication
> mechanisms, so you can't really replicate between the two.
> You can of course export / import filtered LDIF in either direction,
> which, depending on the need, is occasionally good enough.
>
> Anne Cross wrote:
>> I've been through the FDS/389 website, and the best I've come up with
>> is this:
>> http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
>>
>> Unfortunately, that gives me the sync in the wrong direction. We
>> have pre-existing OpenLDAP servers that belong to a different group.
>> We're supposed to be their ultimate source of data - once we get set >> up - but they won't change their servers from OpenLDAP because, as >> they say, they know how they work and why should they do more work. >> >> I don't need data synced back from OpenLDAP, but syncrepl doesn't >> appear to do the right thing when pointed at an FDS directory server, >> so what's the secret, undocumented method? Even a hint would help. >> Google just keeps turning up pages where people have named their box >> "Fedora" and it's all openldap to openldap. >> >> > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- ,___, {o,o} Anne "Juniper" Cross (___) Senior Linux Systems Engineer and Extropic Crusader -"-"-- Information Technology, ITA Software /^^^ From rpolli at babel.it Fri Jul 31 15:44:21 2009 From: rpolli at babel.it (Roberto Polli) Date: Fri, 31 Jul 2009 17:44:21 +0200 Subject: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem In-Reply-To: <200907300141.36703.rpolli@babel.it> References: <4A5E0A20.7000600@messinalug.org> <4A70DCEF.1060909@redhat.com> <200907300141.36703.rpolli@babel.it> Message-ID: <200907311744.21988.rpolli@babel.it> just another failing test, to be sure it's a remote server issue: #ldapmodify -D "uid=tproxy,cn=config" -w -Y "dn:uid=u1..." -f /root/pippo.password.ldif ldap_modify: Insufficient access # dapmodify -D "uid=tproxy,cn=config" -w -Y "dn:uid=u1..." -f /root/pippo.givenName.ldif modifying entry uid=pippo,dc=example,dc=com logs state: NSACLPlugin - #### conn=11 op=1 binddn="uid=tproxy,cn=config" instead of: NSACLPlugin - proxied authorization dn is (uid=u1,ou=Service Administrators,dc=babel,dc=it) NSACLPlugin - #### conn=12 op=1 binddn="uid=tproxy,cn=config" Peace, R -- Roberto Polli Babel S.r.l. - http://www.babel.it Tel. +39.06.91801075 - fax +39.06.91612446 Tel. 
cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"The following message contains confidential information. Should you have received this message in error, please kindly notify us by e-mail. We also ask you to destroy the message received in error. The above is requested of you in order to comply with the law on the protection of personal data."

From David.Christensen at viveli.com Fri Jul 31 20:00:46 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Fri, 31 Jul 2009 15:00:46 -0500
Subject: [389-users] Samba integration with FDS and Heartbeat for HA Samba
Message-ID: <4A734D6E.8000403@viveli.com>

I successfully set up heartbeat and glusterfs (instead of DRBD) to provide an HA Samba configuration. I tested that failover worked fine: all the existing computers were able to get to their shares and re-authenticate users. However, I discovered that I was not able to join computers to the domain after the configuration was set up. The netbios name was changed to accommodate the new heartbeat VIP, and the new VIP is the only address I have samba bound to.

When I go to add the computer to the domain, type the domain in and hit enter, I am presented with a login dialog box. When I enter the admin and password and hit enter, after a few seconds I get the warning that a controller for the domain could not be found. I suspect that there is some caching going on and (maybe) winbind is using the old info for the PDC and not the new? Are there any caches I could clear that may fix this? Am I on the right track or is there something else I should be looking at?

When I compare the ldap access logs with and without heartbeat, there is a difference in the query. As I previously mentioned, without heartbeat, adding is successful; with heartbeat it is not.
I found that the search base is different:

With heartbeat -
SRCH base="cn=groups,cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=99))" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"

W/heartbeat -
SRCH base="sambaDomainName=exampleHQ,sambaDomainName=exampleHQ,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=exampleHQ))" attrs=ALL

When I compared the logs when executing pdbedit -Lv with both setups, the queries are the same. Why would samba do a different query to the same instance of ldap when configured with heartbeat and without heartbeat? The address that samba is binding to/from for access to ldap is not the VIP provided by heartbeat.
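The "export / import filtered LDIF" approach George Holbert suggests earlier in this thread, and Anne Cross's concern that plain export/import does not cover account terminations, as an added example that is not code from the list or from 389/OpenLDAP: it diffs an authoritative export against the downstream copy's export and emits change-LDIF, where entries that have disappeared upstream become explicit deletes. The attribute allow-list, the sample exports and the DNs are constructed for the example.

```python
from collections import defaultdict

# Attributes allowed to cross to the downstream copy (an assumption for this
# example); userPassword and anything else not listed is dropped on export.
ALLOWED = {"objectclass", "uid", "cn", "mail"}

def parse_ldif(text):
    """Return {dn: {attr: set(values)}} for a plain LDIF export (no base64, no line folding)."""
    entries, attrs = {}, None
    for line in text.splitlines() + [""]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":                              # start of a record
            attrs = entries.setdefault(value, defaultdict(set))
        elif not line.strip():                        # blank line closes it
            attrs = None
        elif attrs is not None and name in ALLOWED:   # filtered attribute copy
            attrs[name].add(value)
    return entries

def _values(attr, values):
    return "".join(f"{attr}: {v}\n" for v in sorted(values))

def delta_ldif(authoritative, downstream):
    """LDIF change records that bring `downstream` in line with `authoritative`.
    Attribute names come out lower-cased, which LDAP treats as equivalent."""
    src, dst, out = parse_ldif(authoritative), parse_ldif(downstream), []
    for dn in sorted(set(dst) - set(src)):            # gone upstream: terminated account
        out.append(f"dn: {dn}\nchangetype: delete\n")
    for dn in sorted(set(src) - set(dst)):            # new upstream
        out.append(f"dn: {dn}\nchangetype: add\n"
                   + "".join(_values(a, src[dn][a]) for a in sorted(src[dn])))
    for dn in sorted(set(src) & set(dst)):            # drift; an empty replace removes the attribute
        mods = [f"replace: {a}\n{_values(a, src[dn].get(a, ()))}-\n"
                for a in sorted(set(src[dn]) | set(dst[dn]))
                if src[dn].get(a) != dst[dn].get(a)]
        if mods:
            out.append(f"dn: {dn}\nchangetype: modify\n" + "".join(mods))
    return "\n".join(out)

# Constructed sample exports: carol is new, bob was terminated, alice's mail changed.
AUTHORITATIVE = ("dn: uid=alice,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
                 "uid: alice\nmail: alice@example.com\nuserPassword: {SSHA}never-synced\n\n"
                 "dn: uid=carol,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: carol\n")
DOWNSTREAM = ("dn: uid=alice,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\n"
              "uid: alice\nmail: alice@old.example.com\n\n"
              "dn: uid=bob,ou=People,dc=example,dc=com\nobjectClass: inetOrgPerson\nuid: bob\n")

if __name__ == "__main__":
    print(delta_ldif(AUTHORITATIVE, DOWNSTREAM))
```

The output is fed to the downstream server with ldapmodify; running the diff on a schedule is what turns a one-off export/import into something that also removes terminated accounts.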
