From debajit_kataki at rediffmail.com Mon Jun 1 06:11:26 2009
From: debajit_kataki at rediffmail.com (debu)
Date: 1 Jun 2009 06:11:26 -0000
Subject: [389-users] Re: [Fedora-directory-users] Regarding data deletion in FDS
Message-ID: <1241706301.S.10070.17518.f4mail-235-206.rediffmail.com.old.replied.1243836686.62394@webmail.rediffmail.com>

Hi,

I started deletion from my directory server on a test setup, 10k every day. After a couple of days I see the error below, and the directory server stops abruptly and I need to restart it, which does a DB_RUNRECOVERY operation, and finally the service comes up.

[31/May/2009:23:34:51 +051800] - database index operation failed BAD 1130, err=-30987 DB_PAGE_NOTFOUND: Requested page not found
[31/May/2009:23:34:51 +051800] - database index operation failed BAD 1140, err=-30987 DB_PAGE_NOTFOUND: Requested page not found
[31/May/2009:23:34:51 +051800] - database index operation failed BAD 1250, err=-30987 DB_PAGE_NOTFOUND: Requested page not found
[31/May/2009:23:34:51 +051800] - database index operation failed BAD 1030, err=-30987 DB_PAGE_NOTFOUND: Requested page not found
[31/May/2009:23:34:51 +051800] - libdb: PANIC: fatal region error detected; run recovery

Now can anyone please let me know: when, or at what interval, does the refresh index operation take place on FDS? Was this due to this delete operation?

Thanks
~DEBU

On Thu, 07 May 2009 19:55:01 +0530 wrote
>debu wrote:
>>
>> Hi All,
>>
>> We had implemented FDS on one of our servers.
>> Now with lots of testing going around for quite a few applications, I
>> ended up with a lot of junk data in my FDS server.
>>
>> I am all set to delete these 1 lakh+ entries (out of which only some 3K+
>> are valid for me as of now :-/ )
>>
>> But before this I wanted to know / get some advice: will these
>> deletions
>> 1/ cause any issue on my server?
>probably not
>> 2/ Would it auto refresh its index and all?
>yes
>> 3/ any other aspect I should consider before/after this activity.
>You might consider doing an LDIF export (db2ldif) then an LDIF import
>(ldif2db). The import will completely wipe out the previous contents.
>However, if you are using replication, you will have to reinit everything.
>>
>>
>> I have-
>> fedora-ds-1.1.2-1
>> RHEL 5 - 32 bit.
>>
>> Thanks,
>>
>> Debajit kataki
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From alex at davz.net Mon Jun 1 16:13:43 2009
From: alex at davz.net (Alex Davies)
Date: Mon, 1 Jun 2009 17:13:43 +0100
Subject: [389-users] Active Directory Chaining - Search Filters fail
Message-ID: <5fb622120906010913p27d41e8et68d86e342644821e@mail.gmail.com>

Hi.

I have set up a FDS server to chain to an AD server, following the instructions at http://directory.fedoraproject.org/wiki/Howto:ChainToAD

If I ldapsearch the server, I get the first 1000 items back - regardless of the search filter I specify:

ldapsearch -x localhost -b "dc=acme,dc=local" "(uid=alexd)"
... lots of output (looks fine)
# search result
search: 2
result: 4 Size limit exceeded

# numResponses: 1005
# numEntries: 1000
# numReferences: 4

Search bases work, so if I specify an OU that has < 1000 members everything works.

There are no errors in the error log, although the graphical view of dc=acme,dc=local does not work in the console (big red "X" and a null error message when I double click).

Any pointers would be much appreciated!
Many thanks,

Alex

From emmanuel.billot at ird.fr Tue Jun 2 08:09:05 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Tue, 02 Jun 2009 10:09:05 +0200
Subject: [389-users] Monitoring recovering
Message-ID: <4A24DE21.5000709@ird.fr>

Hi,

When DS has crashed, sometimes the log says "Recovering Database" and I have to wait for minutes before it runs again.
Is it possible to watch what DS is doing (recovery progress?)

BR
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel : 02 38 49 95 88
==========================================

From michael at stroeder.com Tue Jun 2 11:58:39 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 02 Jun 2009 13:58:39 +0200
Subject: [389-users] Active Directory Chaining - Search Filters fail
In-Reply-To: <5fb622120906010913p27d41e8et68d86e342644821e@mail.gmail.com>
References: <5fb622120906010913p27d41e8et68d86e342644821e@mail.gmail.com>
Message-ID: <4A2513EF.90809@stroeder.com>

Alex Davies wrote:
>
> I have set up a FDS server to chain to an AD server, following the instructions
> at http://directory.fedoraproject.org/wiki/Howto:ChainToAD
>
> If I ldapsearch the server, I get the first 1000 items back -
> regardless of the search filter I specify:

That's the normal behaviour of MS AD: it returns only 1000 entries for a normal search request. With AD you can get around that limit by using simple paged results. But I doubt that this is supported with chaining.

Ciao, Michael.

From jsullivan at opensourcedevel.com Tue Jun 2 12:51:28 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 02 Jun 2009 08:51:28 -0400
Subject: [389-users] Synching different passwords
Message-ID: <1243947088.7464.37.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. I think I already know the negative answer to this question, but is there a way to synchronize different password fields in 389?
As a relative novice at 389 and a real novice at Asterisk, I've been dropped into the deep end of building an integrated Asterisk, Kamailio, RTPProxy, FreePBX system using our existing LDAP as a database backend. There is a great article on using 389 in Red Hat Magazine (http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/) but the schema introduces a new password attribute. We'd like users to only have to change passwords once, not once for their data and once for the SIP accounts.

Additionally, for security reasons, users' email addresses (and thus their SIP IDs) are different from their internal uids.

Kamailio looks like it makes this easier in that we can specify a query using the email attribute and tell it which password field we want to retrieve. I'm not sure how it will handle the hashing. I'm more at a loss for how to do this in Asterisk.

In any event, I will ask the Asterisk folks if we can use the existing password attribute rather than a specific SIPPassword attribute but, in case they say no, is there any way to sync the two password fields other than IPA? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Tue Jun 2 13:18:20 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 02 Jun 2009 09:18:20 -0400
Subject: [389-users] Synching different passwords
In-Reply-To: <1243947088.7464.37.camel@jaspav.missionsit.net.missionsit.net>
References: <1243947088.7464.37.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1243948700.7464.41.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2009-06-02 at 08:51 -0400, John A. Sullivan III wrote:
> Hello, all. I think I already know the negative answer to this
> question but is there a way to synchronize different password fields in
> 389?
>
> As a relative novice at 389 and a real novice at Asterisk, I've been
> dropped into the deep end of building an integrated Asterisk, Kamailio,
> RTPProxy, FreePBX system using our existing LDAP as a database backend.
> There is a great article on using 389 in Red Hat Magazine
> (http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/) but the schema introduces a new password attribute. We'd like users to only have to change passwords once, not once for their data and once for the SIP accounts.
>
> Additionally, for security reasons, users' email addresses (and thus
> their SIP IDs) are different from their internal uids.
>
> Kamailio looks like it makes this easier in that we can specify a query
> using the email attribute and tell it which password field we want to
> retrieve. I'm not sure how it will handle the hashing. I'm more at a
> loss for how to do this in Asterisk.
>
> In any event, I will ask the Asterisk folks if we can use the existing
> password attribute rather than a specific SIPPassword attribute but, in
> case they say no, is there any way to sync the two password fields other
> than IPA? Thanks - John

Hmm . . . as I read more, this seems to be complicated by the fact that SIP wants a hash in the form of hash(username:realm:password). There's an interesting article on this issue and a solution interposing RADIUS between LDAP and Asterisk at http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html for anyone else who is facing such an issue - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Tue Jun 2 14:22:37 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Jun 2009 08:22:37 -0600
Subject: [389-users] Monitoring recovering
In-Reply-To: <4A24DE21.5000709@ird.fr>
References: <4A24DE21.5000709@ird.fr>
Message-ID: <4A2535AD.7050504@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> When DS has crashed, sometimes the log says "Recovering Database" and I
> have to wait for minutes before it runs again.
> Is it possible to watch what DS is doing (recovery progress?)
No, not really. I suppose you could strace the process. I think all of the work is being done inside of Berkeley DB; I'm not sure how to get that information.
>
> BR
>

From david_list at boreham.org Tue Jun 2 14:39:21 2009
From: david_list at boreham.org (David Boreham)
Date: Tue, 02 Jun 2009 08:39:21 -0600
Subject: [389-users] Monitoring recovering
In-Reply-To: <4A2535AD.7050504@redhat.com>
References: <4A24DE21.5000709@ird.fr> <4A2535AD.7050504@redhat.com>
Message-ID: <4A253999.8020209@boreham.org>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> When DS has crashed, sometimes the log says "Recovering Database" and I
>> have to wait for minutes before it runs again.
>> Is it possible to watch what DS is doing (recovery progress?)
> No, not really. I suppose you could strace the process. I think all
> of the work is being done inside of Berkeley DB; I'm not sure how to
> get that information.
There's a way to enable recovery logging in BDB, and have the output go to the DS logs.
Unfortunately I don't remember how to do it, but it probably isn't hard to figure out from the code.
Having done that, the progress can be seen by tailing the log.

There's a more advanced progress monitoring mechanism in BDB now, but the DS doesn't use it.

From nhosoi at redhat.com Tue Jun 2 16:39:00 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 02 Jun 2009 09:39:00 -0700
Subject: [389-users] Monitoring recovering
In-Reply-To: <4A253999.8020209@boreham.org>
References: <4A24DE21.5000709@ird.fr> <4A2535AD.7050504@redhat.com> <4A253999.8020209@boreham.org>
Message-ID: <4A2555A4.6020201@redhat.com>

David Boreham wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> When DS has crashed, sometimes the log says "Recovering Database" and I
>>> have to wait for minutes before it runs again.
>>> Is it possible to watch what DS is doing (recovery progress?)
>> No, not really. I suppose you could strace the process. I think all
>> of the work is being done inside of Berkeley DB; I'm not sure how to
>> get that information.
> There's a way to enable recovery logging in BDB, and have the output
> go to the DS logs.
> Unfortunately I don't remember how to do it, but it probably isn't
> hard to figure out from the code.
> Having done that, the progress can be seen by tailing the log.
Could it be "nsslapd-db-verbose"? It can be turned on by setting the directive in the backend config in dse.ldif.

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
[...]
nsslapd-db-verbose: on
[...]

> There's a more advanced progress monitoring mechanism in BDB now, but
> the DS doesn't use it.

From stpierre at NebrWesleyan.edu Tue Jun 2 19:54:37 2009
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Tue, 2 Jun 2009 14:54:37 -0500 (CDT)
Subject: [389-users] Synching different passwords
In-Reply-To: <1243947088.7464.37.camel@jaspav.missionsit.net.missionsit.net>
References: <1243947088.7464.37.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

On Tue, 2 Jun 2009, John A. Sullivan III wrote:
> Hello, all. I think I already know the negative answer to this
> question but is there a way to synchronize different password fields in
> 389?

FreeIPA has a plugin to keep userPassword in sync with the Samba password hashes and the Kerberos password, but as far as I know, there's no generalized solution to this problem. I'd love for there to be one -- a configurable plugin or something like that -- but C isn't my forte. I think a lot of us are mucking with the same issue, just with slightly different parameters.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From tamarinp at gmail.com Wed Jun 3 10:49:54 2009
From: tamarinp at gmail.com (tamarin p)
Date: Wed, 3 Jun 2009 12:49:54 +0200
Subject: [389-users] Double quoted distinguished names
Message-ID: <4dd1b3eb0906030349w473570bfh590fe2cc40d54e17@mail.gmail.com>

Hi,

I apologize that I am revisiting this topic yet again, but as we found out, double-quoted distinguished names are no longer possible in 1.2.0. We initially discovered the problem for the aliasedobjectname class, but it later turned out it's a fault with double-quoted DNs in general, and the schema violation we got for aliasedobjectname was because a double-quoted DN always leads, for some bizarre reason, to the creation of an attribute with the double-quoted part as the attr/value pair, so the schema violation was effect rather than cause. We are also fairly certain they worked prior to this, as we initially did some tests with 1.1.0, 1.1.2 and 1.1.3 without running into any problems with this.

I was told in another thread that the double-quoted syntax is deprecated and that escapes should be used instead.
Is it then safe to assume that the double-quoted style will not be fixed (or at least has extremely low priority)? We have some clients who sometimes give us LDIFs for adding to the directory and they prefer the double-quoted syntax as more easily readable. I can write a convert script for them easily enough to handle the obvious cases, but I won't go through the effort if there is a chance this will be fixed one minor version down the road.

From stpierre at NebrWesleyan.edu Wed Jun 3 18:41:39 2009
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Wed, 3 Jun 2009 13:41:39 -0500 (CDT)
Subject: [389-users] Double quoted distinguished names
In-Reply-To: <4dd1b3eb0906030349w473570bfh590fe2cc40d54e17@mail.gmail.com>
References: <4dd1b3eb0906030349w473570bfh590fe2cc40d54e17@mail.gmail.com>
Message-ID:

On Wed, 3 Jun 2009, tamarin p wrote:
> Hi,
>
> I apologize that I am revisiting this topic yet again, but as we found out,
> double-quoted distinguished names are no longer possible in 1.2.0. We
> initially discovered the problem for the aliasedobjectname class, but it
> later turned out it's a fault with double-quoted DNs in general, and the
> schema violation we got for aliasedobjectname was because a double-quoted DN
> always leads, for some bizarre reason, to the creation of an attribute with the
> double-quoted part as the attr/value pair, so the schema violation was
> effect rather than cause. We are also fairly certain they worked prior to
> this, as we initially did some tests with 1.1.0, 1.1.2 and 1.1.3 without
> running into any problems with this.
>
> I was told in another thread that the double-quoted syntax is deprecated and
> that escapes should be used instead. Is it then safe to assume that the
> double-quoted style will not be fixed (or at least has extremely low priority)?
> We have some clients who sometimes give us LDIFs for adding to the directory
> and they prefer the double-quoted syntax as more easily readable. I can
> write a convert script for them easily enough to handle the obvious cases but
> I won't go through the effort if there is a chance this will be fixed one
> minor version down the road.

I just ran into the same problem, actually, and found one of your old mailing list posts on it; I'd been meaning to ask about it on the mailing list, so thanks for reminding me. :)

The ns-newpwpolicy.pl script creates double-quoted DNs, which are then impossible (AFAICT) to modify. In other words, if you follow the documented procedure for creating per-user or per-subtree password policies, it doesn't work because the policy container is created with a double-quoted DN.

In addition to the OP's question, what's the Right Thing to do with password policies? Will it work if I create the policy containers by hand with the hex escape syntax? Or do I need to create them by hand and populate them at creation time (since it's apparently still possible to _add_ entries with double-quoted DNs, just not modify them), and delete-and-recreate if I need to modify my policy?

Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

From morenisco at noc-root.net Thu Jun 4 04:46:53 2009
From: morenisco at noc-root.net (Morenisco)
Date: Thu, 04 Jun 2009 00:46:53 -0400
Subject: [389-users] Cannot start the dirsrv process on Debian Lenny
Message-ID: <4A2751BD.9080305@noc-root.net>

Hi,

I did the following in a Debian Lenny chroot environment:

1) Installed all the dependencies on the OS for the 389-ds-base-1.2.1 package.
2) I compiled the 389-ds-base-1.2.1 package successfully.
3) I configured the service, and in the last step the service didn't start, giving me the following error:

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
/dev/null: Permission denied
Server failed to start !!! Please check errors log for problems

4) Error log:

root at dirserv1:/opt/dirsrv/var/log/dirsrv/slapd-dirserv1# cat errors
Fedora-Directory/1.2.1 B2009.152.220
dirserv1.cdsl.cl:389 (/opt/dirsrv/etc/dirsrv/slapd-dirserv1)

[04/Jun/2009:04:26:02 +0000] - dblayer_instance_start: pagesize: 4096, pages: 524288, procpages: 7193
[04/Jun/2009:04:26:02 +0000] - cache autosizing: import cache: 204800k
[04/Jun/2009:04:26:02 +0000] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[04/Jun/2009:04:26:02 +0000] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[04/Jun/2009:04:26:02 +0000] - dblayer_instance_start: pagesize: 4096, pages: 524288, procpages: 7193
[04/Jun/2009:04:26:02 +0000] - cache autosizing: import cache: 204800k
[04/Jun/2009:04:26:02 +0000] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[04/Jun/2009:04:26:02 +0000] - import userRoot: Beginning import job...
[04/Jun/2009:04:26:02 +0000] - import userRoot: Index buffering enabled with bucket size 100
[04/Jun/2009:04:26:02 +0000] - import userRoot: Processing file "/tmp/ldifJJTzfX.ldif"
[04/Jun/2009:04:26:02 +0000] - import userRoot: Finished scanning file "/tmp/ldifJJTzfX.ldif" (9 entries)
[04/Jun/2009:04:26:03 +0000] - import userRoot: Workers finished; cleaning up...
[04/Jun/2009:04:26:03 +0000] - import userRoot: Workers cleaned up.
[04/Jun/2009:04:26:03 +0000] - import userRoot: Cleaning up producer thread...
[04/Jun/2009:04:26:03 +0000] - import userRoot: Indexing complete. Post-processing...
[04/Jun/2009:04:26:03 +0000] - import userRoot: Flushing caches...
[04/Jun/2009:04:26:03 +0000] - import userRoot: Closing files...
[04/Jun/2009:04:26:03 +0000] - All database threads now stopped
[04/Jun/2009:04:26:03 +0000] - import userRoot: Import complete. Processed 9 entries in 1 seconds. (9.00 entries/sec)

5) Trying to start it manually:

root at dirserv1:/opt/dirsrv/etc/rc.d/init.d# ./dirsrv start
Starting dirsrv:
    dirserv1.../dev/null: Permission denied
^C

6) Reviewing the permissions on /dev/null:

root at dirserv1:~/project-389# ls -l /dev/null
crw-r--r-- 1 root root 1, 3 2009-05-31 23:38 /dev/null

I changed the permissions:

root at dirserv1:~/project-389# chmod 0666 /dev/null
root at dirserv1:~/project-389# ls -l /dev/null
crw-rw-rw- 1 root root 1, 3 2009-05-31 23:38 /dev/null

7) Trying again:

root at dirserv1:/opt/dirsrv/etc/rc.d/init.d# ./dirsrv start
Starting dirsrv:
    dirserv1... FAILED
*** Warning: 1 instance(s) failed to start

8) Looking at the error log file:

root at dirserv1:/opt/dirsrv/var/log/dirsrv/slapd-dirserv1# cat errors
[04/Jun/2009:04:43:11 +0000] - Fedora-Directory/1.2.1 B2009.152.220 starting up
[04/Jun/2009:04:43:11 +0000] - Failed to create semaphore for stats file (/opt/dirsrv/var/run/dirsrv/slapd-dirserv1.stats). Error 38.(Function not implemented)

Any idea about this error please?

Thanks.
--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://trabajosfloss.noc-root.net
Blog: http://morenisco.noc-root.net

From emmanuel.billot at ird.fr Thu Jun 4 07:56:59 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 04 Jun 2009 09:56:59 +0200
Subject: [389-users] Cert check in replication ?
Message-ID: <4A277E4B.1070301@ird.fr>

Hi,

On Sun, 17 May 2009 I posted a message about DNS name checking in replication between FDS servers.

It seems that the name which the certificate gives is not checked (one can give any DNS hostname, replication works).
We also had this behaviour on S1DS on Solaris 9.
However, on RHDS, here is the error message:

[04/Jun/2009:09:53:28 +0200] slapi_ldap_bind - Error: could not send bind request for id [cn=replication manager,cn=config] mech [SIMPLE]: error 81 (Can't contact LDAP server) -12276 (Unable to communicate securely with peer: requested domain name does not match the server's certificate.) 11 (Resource temporarily unavailable)

Both FDS and RHDS have been configured with the same config.
The only difference we found is the OS (CentOS for FDS, RHEL5 for RHDS, Solaris 9 for S1DS).

Can anyone find any explanation?
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel : 02 38 49 95 88
==========================================

From tamarinp at gmail.com Thu Jun 4 08:36:34 2009
From: tamarinp at gmail.com (tamarin p)
Date: Thu, 4 Jun 2009 10:36:34 +0200
Subject: [389-users] Double quoted distinguished names
In-Reply-To:
References: <4dd1b3eb0906030349w473570bfh590fe2cc40d54e17@mail.gmail.com>
Message-ID: <4dd1b3eb0906040136q1a2340f3v4ae083e25658e253@mail.gmail.com>

2009/6/3 Chris St. Pierre
> On Wed, 3 Jun 2009, tamarin p wrote:
>
> Hi,
>>
>> I apologize that I am revisiting this topic yet again, but as we found out,
>> double-quoted distinguished names are no longer possible in 1.2.0.
>>
>
> I just ran into the same problem, actually, and found one of your old
> mailing list posts on it; I'd been meaning to ask about it on the
> mailing list, so thanks for reminding me. :)
>
> The ns-newpwpolicy.pl script creates double-quoted DNs, which are then
> impossible (AFAICT) to modify. In other words, if you follow the
> documented procedure for creating per-user or per-subtree password
> policies, it doesn't work because the policy container is created with
> a double-quoted DN.

Yes. fedora-idm-console does the same thing if you try to use that to manage policies.

> In addition to the OP's question, what's the Right Thing to do with
> password policies? Will it work if I create the policy containers by
> hand with the hex escape syntax? Or do I need to create them by hand
> and populate them at creation time (since it's apparently still
> possible to _add_ entries with double-quoted DNs, just not modify
> them), and delete-and-recreate if I need to modify my policy?
>

I don't know if this answers your question, but you don't really need the container entry at all. If you create a policy manually you can call the policy entry or container anything you want, or just skip the container. It won't be manageable with the console then (or with the pl script, it's probably safe to assume), which may be undesirable for you, but the policy itself will work. The only requirement is to set pwdpolicysubentry=... to point to your custom policy for your users who won't use the default in cn=config, either directly on each user or, more likely, for the whole subtree using CoS pointers, the same way fedora-idm-console does it when you click on a subtree and choose to create a policy there.

I guess you could try to create a policy with the pl script or console, then export the policy entries to LDIF and modify them to use escaping instead of double quotes, then re-add with ldapmodify after deleting the original entries, and see if the console/script can still "see" the policy. I would actually expect this to work if

"cn=foo,dc=test,dc=com",dc=test,dc=com

should be considered equal to

dn: cn\=foo\,dc\=test\,dc\=com,dc=test,dc=com

From emmanuel.billot at ird.fr Thu Jun 4 08:47:06 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 04 Jun 2009 10:47:06 +0200
Subject: [389-users] Cert check in replication ?
In-Reply-To: <25951_1244102241_4A277E60_25951_369_2_4A277E4B.1070301@ird.fr>
References: <25951_1244102241_4A277E60_25951_369_2_4A277E4B.1070301@ird.fr>
Message-ID: <4A278A0A.1090104@ird.fr>

Emmanuel BILLOT wrote:
> Hi,
>
> On Sun, 17 May 2009 I posted a message about DNS name checking in
> replication between FDS servers.
>
> It seems that the name which the certificate gives is not checked (one
> can give any DNS hostname, replication works).
> We also had this behaviour on S1DS on Solaris 9.
>
> However, on RHDS, here is the error message:
>
> [04/Jun/2009:09:53:28 +0200] slapi_ldap_bind - Error: could not send
> bind request for id [cn=replication manager,cn=config] mech [SIMPLE]:
> error 81 (Can't contact LDAP server) -12276 (Unable to communicate
> securely with peer: requested domain name does not match the server's
> certificate.) 11 (Resource temporarily unavailable)
>
> Both FDS and RHDS have been configured with the same config.
> The only difference we found is the OS (CentOS for FDS, RHEL5 for
> RHDS, Solaris 9 for S1DS).
>
> Can anyone find any explanation?
>
OK, it seems that RHDS has the DNS check option on by default.
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Thu Jun 4 14:14:19 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 04 Jun 2009 08:14:19 -0600
Subject: [389-users] Cannot start the dirsrv process on Debian Lenny
In-Reply-To: <4A2751BD.9080305@noc-root.net>
References: <4A2751BD.9080305@noc-root.net>
Message-ID: <4A27D6BB.3060801@redhat.com>

Morenisco wrote:
> Hi,
>
> I did the following in a Debian Lenny chroot environment:
>
> 1) Installed all the dependencies on the OS for the 389-ds-base-1.2.1
> package.
> 2) I compiled the 389-ds-base-1.2.1 package successfully.
> 3) I configured the service, and in the last step the service didn't
> start, giving me the following error:
>
> Directory Manager DN [cn=Directory Manager]:
> Password:
> Password (confirm):
> /dev/null: Permission denied
> Server failed to start !!! Please check errors log for problems
>
> 4) Error log:
>
> root at dirserv1:/opt/dirsrv/var/log/dirsrv/slapd-dirserv1# cat errors
> Fedora-Directory/1.2.1 B2009.152.220
> dirserv1.cdsl.cl:389 (/opt/dirsrv/etc/dirsrv/slapd-dirserv1)
>
> [04/Jun/2009:04:26:02 +0000] - dblayer_instance_start: pagesize: 4096,
> pages: 524288, procpages: 7193
> [04/Jun/2009:04:26:02 +0000] - cache autosizing: import cache: 204800k
> [04/Jun/2009:04:26:02 +0000] - li_import_cache_autosize: 50,
> import_pages: 51200, pagesize: 4096
> [04/Jun/2009:04:26:02 +0000] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [04/Jun/2009:04:26:02 +0000] - dblayer_instance_start: pagesize: 4096,
> pages: 524288, procpages: 7193
> [04/Jun/2009:04:26:02 +0000] - cache autosizing: import cache: 204800k
> [04/Jun/2009:04:26:02 +0000] - li_import_cache_autosize: 50,
> import_pages: 51200, pagesize: 4096
> [04/Jun/2009:04:26:02 +0000] - import userRoot: Beginning import job...
> [04/Jun/2009:04:26:02 +0000] - import userRoot: Index buffering
> enabled with bucket size 100
> [04/Jun/2009:04:26:02 +0000] - import userRoot: Processing file
> "/tmp/ldifJJTzfX.ldif"
> [04/Jun/2009:04:26:02 +0000] - import userRoot: Finished scanning file
> "/tmp/ldifJJTzfX.ldif" (9 entries)
> [04/Jun/2009:04:26:03 +0000] - import userRoot: Workers finished;
> cleaning up...
> [04/Jun/2009:04:26:03 +0000] - import userRoot: Workers cleaned up.
> [04/Jun/2009:04:26:03 +0000] - import userRoot: Cleaning up producer
> thread...
> [04/Jun/2009:04:26:03 +0000] - import userRoot: Indexing complete.
> Post-processing...
> [04/Jun/2009:04:26:03 +0000] - import userRoot: Flushing caches...
> [04/Jun/2009:04:26:03 +0000] - import userRoot: Closing files...
> [04/Jun/2009:04:26:03 +0000] - All database threads now stopped
> [04/Jun/2009:04:26:03 +0000] - import userRoot: Import complete.
> Processed 9 entries in 1 seconds. (9.00 entries/sec)
>
> 5) Trying to start it manually:
>
> root at dirserv1:/opt/dirsrv/etc/rc.d/init.d# ./dirsrv start
> Starting dirsrv:
>     dirserv1.../dev/null: Permission denied
> ^C
>
> 6) Reviewing the permissions on /dev/null:
>
> root at dirserv1:~/project-389# ls -l /dev/null
> crw-r--r-- 1 root root 1, 3 2009-05-31 23:38 /dev/null
>
> I changed the permissions:
>
> root at dirserv1:~/project-389# chmod 0666 /dev/null
> root at dirserv1:~/project-389# ls -l /dev/null
> crw-rw-rw- 1 root root 1, 3 2009-05-31 23:38 /dev/null
>
> 7) Trying again:
>
> root at dirserv1:/opt/dirsrv/etc/rc.d/init.d# ./dirsrv start
> Starting dirsrv:
>     dirserv1... FAILED
> *** Warning: 1 instance(s) failed to start
>
> 8) Looking at the error log file:
>
> root at dirserv1:/opt/dirsrv/var/log/dirsrv/slapd-dirserv1# cat errors
> [04/Jun/2009:04:43:11 +0000] - Fedora-Directory/1.2.1 B2009.152.220
> starting up
> [04/Jun/2009:04:43:11 +0000] - Failed to create semaphore for stats
> file (/opt/dirsrv/var/run/dirsrv/slapd-dirserv1.stats). Error
> 38.(Function not implemented)
>
> Any idea about this error please?

Yes. This appears to be a problem with setting up chroot environments - I have the same problem using mock on rhel/fedora. Note that you must do the mount /dev/shm in the same chroot session as the one you run the server - the mount does not persist between chroot sessions, nor does it automatically mount.

# sem_open doesn't work
# gets errno 38 (function not implemented)
# I found some information that says this:
# As sem_open() creates named semaphores, it always tries to share them between processes.
# Additionally, to support sharing named semaphores with sem_open()
# add a line to /etc/fstab to mount /dev/shm as a tmpfs
# have to do the mount /dev/shm in the same chroot session
echo tmpfs /dev/shm tmpfs defaults 0 0 >> /etc/fstab
mount /dev/shm
>
> Thanks.
>

From el_alexluna at yahoo.com.mx Thu Jun 4 15:51:16 2009
From: el_alexluna at yahoo.com.mx (Alejandro Rodriguez Luna)
Date: Thu, 4 Jun 2009 08:51:16 -0700 (PDT)
Subject: [389-users] log on window machines
Message-ID: <999486.31333.qm@web50808.mail.re2.yahoo.com>

Hi all. I'm completely new to Active Directory and LDAP, my question here is: is there a way to allow Windows machines to log on against a fedora directory? Or do I need a combination of fedora directory with samba? Any help?

----------------------------------
Alejandro Rodriguez Luna
Web: http://www.alexluna.org
E-mail: el_alexluna at yahoo.com.mx
MSN: el_alexluna at yahoo.com.mx
GTalk: alexluna at gmail.com
Movil: 044-311-112-86-41
----------------------------------

From morenisco at noc-root.net Fri Jun 5 00:56:04 2009
From: morenisco at noc-root.net (Morenisco)
Date: Thu, 04 Jun 2009 20:56:04 -0400
Subject: [389-users] Cannot start the dirsrv process on Debian Lenny
In-Reply-To: <4A27D6BB.3060801@redhat.com>
References: <4A2751BD.9080305@noc-root.net> <4A27D6BB.3060801@redhat.com>
Message-ID: <4A286D24.5010507@noc-root.net>

Rich Megginson wrote:
[...]
> Yes. This appears to be a problem with setting up chroot environments
> - I have the same problem using mock on rhel/fedora.
> Note that you must do the mount /dev/shm in the same chroot session as the one you
> run the server - the mount does not persist between chroot sessions,
> nor does it automatically mount.

Hi Rich,

This worked, thanks a lot!

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://trabajosfloss.noc-root.net
Blog: http://morenisco.noc-root.net

From morenisco at noc-root.net Fri Jun 5 00:30:03 2009
From: morenisco at noc-root.net (Morenisco)
Date: Thu, 04 Jun 2009 20:30:03 -0400
Subject: [389-users] Where can I get the 389-ds-base developer names and emails?
Message-ID: <4A28670B.7030806@noc-root.net>

Hi,

I'm debianizing the 389-ds-base-1.2.1 package and I need to include the developer names and emails. I don't see that info on the website; does someone know where I can get that info please?

Thanks.

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://trabajosfloss.noc-root.net
Blog: http://morenisco.noc-root.net

From dumboq at yahoo.com Fri Jun 5 18:14:14 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Fri, 5 Jun 2009 11:14:14 -0700 (PDT)
Subject: [389-users] Customizing IDM Console
In-Reply-To: <4A1A0E92.1060003@infinet.ru>
References: <297446.64929.qm@web111913.mail.gq1.yahoo.com> <4A1A0E92.1060003@infinet.ru>
Message-ID: <781014.13365.qm@web111904.mail.gq1.yahoo.com>

Sorry for my late reply. I have been trying out RH IPA, but I do not think that it is the right fit for my environment. At least not yet. I am going to give centosds+gosa a try now. Were there any specifics that you needed to do in order to get Gosa to work as expected with fedora-ds? The installation instructions on the web page are very specific to openldap.

Thanks

________________________________
From: Dmitry Amirov
To: General discussion list for the 389 Directory server project.
Sent: Sunday, May 24, 2009 11:20:50 PM
Subject: Re: [389-users] Customizing IDM Console

Have too. Works fine.
Vitaly Kuznetsov wrote:
> Dumbo Q writes:
>
>> If not, has anyone tried Gosa with fedora directory?
>>
> I have working installation of FDS+GOsa. Works fine.
>

From morenisco at noc-root.net Sat Jun 6 01:56:49 2009
From: morenisco at noc-root.net (Morenisco)
Date: Fri, 05 Jun 2009 21:56:49 -0400
Subject: [389-users] Error debianizing the 389-ds-base-1.2.1 package
Message-ID: <4A29CCE1.10803@noc-root.net>

Hi,

I tried to debianize the 389-ds-base-1.2.1 package in a clean directory and sources, and I got an error.

The basic steps that I performed were the following:

1) 389-ds-base-1.2.1 package - Initial debianization:

root at dirserv1:~/project-389/389-ds-base-1.2.1# dh_make -e morenisco at noc-root.net -c gpl -f ../389-ds-base-1.2.1.tar.gz

Type of package: single binary, multiple binary, library, kernel module or cdbs?
[s/m/l/k/b] s

Maintainer name : root
Email-Address : morenisco at noc-root.net
Date : Thu, 04 Jun 2009 22:56:55 +0000
Package Name : 389-ds-base
Version : 1.2.1
License : gpl
Using dpatch : no
Type of Package : Single
Hit to confirm:
Done. Please edit the files in the debian/ subdirectory now. 389-ds-base
uses a configure script, so you probably don't have to edit the
Makefiles.
2) I modified the control file as follows:

Source: 389-ds-base
Section: admin
Priority: extra
Maintainer: Morenisco
Build-Depends: debhelper (>= 7), autotools-dev
Standards-Version: 3.7.3
Homepage: http://directory.fedoraproject.org

Package: 389-ds-base
Architecture: any
Depends: libsvrcore0, libsvrcore-dev, libmozldap-0d, libmozldap-dev, libmozilla-ldap-perl, libdb4.6-dev, libicu-dev, libsnmp-dev, libkrb5-dev, libpam-dev, libnet-ldap-perl, libperl-dev
Description: The enterprise-class Open Source LDAP server for Linux.
 It is hardened by real-world use, is full-featured, supports
 multi-master replication, and already handles many of the largest
 LDAP deployments in the world.

3) I tried to build the package with the following command:

root at dirserv1:~/project-389/389-ds-base-1.2.1# dpkg-buildpackage -rfakeroot

The generated output is too long, and the latest part is the following:

ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function `snmp_collator_create_semaphore':
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:532: undefined reference to `sem_open'
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:536: undefined reference to `sem_unlink'
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:542: undefined reference to `sem_open'
ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function `snmp_collator_sem_wait':
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:574: undefined reference to `sem_trywait'
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:586: undefined reference to `sem_close'
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:587: undefined reference to `sem_unlink'
ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function `snmp_collator_update':
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:629: undefined reference to `sem_post'
ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function `snmp_collator_stop':
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:505: undefined reference to `sem_close'
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:506: undefined reference to `sem_unlink'
ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function `snmp_collator_init':
/root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:205: undefined reference to `sem_post'
collect2: ld returned 1 exit status
make[2]: *** [libslapd.la] Error 1
make[2]: Leaving directory `/root/project-389/389-ds-base-1.2.1'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/project-389/389-ds-base-1.2.1'
make: *** [build-stamp] Error 2
dpkg-buildpackage: failure: debian/rules build gave error exit status 2
root at dirserv1:~/project-389/389-ds-base-1.2.1#

The complete output is in the following URL:

http://morenisco.noc-root.net/debian/files/Error_Debianizing_389-ds-base-1.2.1

Some idea about why this can be failing please?

Thanks a lot.

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://trabajosfloss.noc-root.net
Blog: http://morenisco.noc-root.net

From rmeggins at redhat.com Sat Jun 6 16:03:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Sat, 06 Jun 2009 10:03:21 -0600
Subject: [389-users] Error debianizing the 389-ds-base-1.2.1 package
In-Reply-To: <4A29CCE1.10803@noc-root.net>
References: <4A29CCE1.10803@noc-root.net>
Message-ID: <4A2A9349.8000208@redhat.com>

Morenisco wrote:
> Hi,
>
> I tried to debianize the 389-ds-base-1.2.1 package in a clean
> directory and sources, and I got an error.
>
> The basic steps that I performed were the following:
>
> 1) 389-ds-base-1.2.1 package - Initial debianization:
>
> root at dirserv1:~/project-389/389-ds-base-1.2.1# dh_make -e
> morenisco at noc-root.net -c gpl -f ../389-ds-base-1.2.1.tar.gz
>
> Type of package: single binary, multiple binary, library, kernel
> module or cdbs?
> [s/m/l/k/b] s
>
> Maintainer name : root
> Email-Address : morenisco at noc-root.net
> Date : Thu, 04 Jun 2009 22:56:55 +0000
> Package Name : 389-ds-base
> Version : 1.2.1
> License : gpl
I don't know if Debian differentiates between GPL flavors, but the 389-ds-base license is GPLv2 + exception for plug-ins.
> Using dpatch : no
> Type of Package : Single
> Hit to confirm:
> Done. Please edit the files in the debian/ subdirectory now. 389-ds-base
> uses a configure script, so you probably don't have to edit the
> Makefiles.
>
> 2) I modified the control file as follows:
>
> Source: 389-ds-base
> Section: admin
> Priority: extra
> Maintainer: Morenisco
> Build-Depends: debhelper (>= 7), autotools-dev
> Standards-Version: 3.7.3
> Homepage: http://directory.fedoraproject.org
You probably want to change this to port389.org
>
> Package: 389-ds-base
> Architecture: any
> Depends: libsvrcore0, libsvrcore-dev, libmozldap-0d, libmozldap-dev,
> libmozilla-ldap-perl, libdb4.6-dev, libicu-dev, libsnmp-dev,
> libkrb5-dev, libpam-dev, libnet-ldap-perl, libperl-dev
I don't think it depends on libnet-ldap-perl, only on libmozilla-ldap-perl. DS base also depends on cyrus-sasl-devel - not sure what Debian package that is (libsasl2-dev?). And I don't see libnspr-dev or libnss-dev among the dependencies - perhaps they get pulled in by the svrcore or mozilla dependencies.
> Description: The enterprise-class Open Source LDAP server for Linux.
> It is hardened by real-world use, is full-featured, supports
> multi-master replication, and already handles many of the
> largest
> LDAP deployments in the world.
>
>
> 3) I tried to build the package with the following command:
>
> root at dirserv1:~/project-389/389-ds-base-1.2.1# dpkg-buildpackage
> -rfakeroot
>
> The generated output is too long, and the latest part is the following:
>
> ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function
> `snmp_collator_create_semaphore':
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:532:
> undefined reference to `sem_open'
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:536:
> undefined reference to `sem_unlink'
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:542:
> undefined reference to `sem_open'
> ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function
> `snmp_collator_sem_wait':
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:574:
> undefined reference to `sem_trywait'
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:586:
> undefined reference to `sem_close'
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:587:
> undefined reference to `sem_unlink'
> ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function
> `snmp_collator_update':
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:629:
> undefined reference to `sem_post'
> ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function
> `snmp_collator_stop':
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:505:
> undefined reference to `sem_close'
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:506:
> undefined reference to `sem_unlink'
> ldap/servers/slapd/.libs/libslapd_la-snmp_collator.o: In function
> `snmp_collator_init':
> /root/project-389/389-ds-base-1.2.1/ldap/servers/slapd/snmp_collator.c:205:
> undefined reference to `sem_post'
> collect2: ld returned 1 exit status
> make[2]: *** [libslapd.la] Error 1
> make[2]: Leaving directory `/root/project-389/389-ds-base-1.2.1'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/root/project-389/389-ds-base-1.2.1'
> make: *** [build-stamp] Error 2
> dpkg-buildpackage: failure: debian/rules build gave error exit status 2
> root at dirserv1:~/project-389/389-ds-base-1.2.1#
>
> The complete output is in the following URL:
>
> http://morenisco.noc-root.net/debian/files/Error_Debianizing_389-ds-base-1.2.1
>
>
> Some idea about why this can be failing please?
The problem is that libslapd is not linked with -lrt, which provides the semaphore functions. This is usually fine, since ns-slapd (the executable) is linked with -lrt, so that at runtime all of these references are resolved. But Debian uses -Wl,-z,defs which forces all references to be looked up at link time. We should fix this in 389 - please file a bug against 389. In the meantime, you could either turn off -z,defs, or figure out how to link libslapd with -lrt
>
> Thanks a lot.
>

From dcoatshca at gmail.com Sat Jun 6 20:53:25 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Sat, 6 Jun 2009 15:53:25 -0500
Subject: [389-users] Developting a CentOS-DS setup
Message-ID:

I am new to using CentOS-DS and LDAP and I am having difficulty finding solid information on setting up using CentOS-DS as the information and authentication center of my network.

I have googled a number of different combinations looking for the information I need but have not found any good resources to set up what I am after. I have downloaded and am going over the Red Hat documentation and while it is very informative it certainly is not a Howto.

My biggest need for resources is in setting up the authentication of different services and LDAP.

I am using CentOS 5.3 and CentOS-DS 8.1. These I have installed and running on a test server.
I would like to accomplish the following things in this order.

Linux authentication
Samba authentication
Dovecot authentication

So my questions to begin with are: How do I get Linux to use LDAP to authenticate instead of the passwd and shadow files?

Once I get that to work: How do I get Linux to do the normal things it does with adduser (like create a home directory, create a group, and things I can't think of)?

If anyone could push me in the right direction I would really appreciate it.

From jsullivan at opensourcedevel.com Sat Jun 6 22:40:34 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 06 Jun 2009 18:40:34 -0400
Subject: [389-users] Developting a CentOS-DS setup
In-Reply-To:
References:
Message-ID: <1244328034.6371.47.camel@jaspav.missionsit.net.missionsit.net>

On Sat, 2009-06-06 at 15:53 -0500, Doug Coats wrote:
> I am new to using CentOS-DS and LDAP and I am having difficulty
> finding solid information on setting up using CentOS-DS as the
> information and authentication center of my network.
>
> I have googled a number of different combinations looking for the
> information I need but have not found any good resources to setup what
> I am after. I have downloaded and am going over the Red Hat
> documentation and where it is very informative it certainly is not a
> Howto.
>
> My biggest need for resources is in setting up the authentication of
> different services and LDAP.
>
> I am using CentOS 5.3 and CentOS-DS 8.1. These I have installed and
> running on a test server.
>
> I would like to accomplish the following things in this order.
>
> Linux authentication
> Samba authentication
> Dovecot authentication
>
> So my questions to begin with are: How do I get Linux to use LDAP to
> authenticate instead of the passwd and shadow files?
>
> Once I get that to work: How do I get Linux to do the normal things
> it does with adduser (like create a home directory, create a group,
> and things I can't think of)?
>
> If anyone could push me in the right direction I would really appreciate it.
We are using almost an identical setup except for Dovecot and we started with DS 8.0 and upgraded to 8.1. I'm afraid I'm up to my eyeballs in a project so I can't customize this for you but I'll paste in as much of our internal documentation as would be prudent to do. You will need to understand the principles behind the steps so you can adapt it accordingly. For example, we installed the master replica on a vserver - a great project (www.linux-vserver.org) but it does introduce some complexity to LDAP. We also use a RO replica on KVM. Both are in an iSCSI environment. We also sync passwords with Active Directory for multiple clients - oh, and yes, this is a multi-tenant environment - hence the unusual hierarchical structure and bizarre ACIs. As I said, you will need to adapt but hopefully this will get you started. (and I hope it is not dropped for SPAM because of its length - hmm come to think of it, I think I'll send this email separately and then send the same email with all the notes. This way, if it does get trapped as SPAM, you can fish it out).

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From dcoatshca at gmail.com Sat Jun 6 23:26:39 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Sat, 6 Jun 2009 18:26:39 -0500
Subject: [389-users] Developting a CentOS-DS setup
In-Reply-To: <1244328034.6371.47.camel@jaspav.missionsit.net.missionsit.net>
References: <1244328034.6371.47.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

John,

Thanks for your reply. I look forward to any help you can give.

Doug

From jsullivan at opensourcedevel.com Sat Jun 6 23:58:01 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 06 Jun 2009 19:58:01 -0400
Subject: [389-users] Developting a CentOS-DS setup
In-Reply-To:
References:
Message-ID: <1244332681.6371.113.camel@jaspav.missionsit.net.missionsit.net>

On Sat, 2009-06-06 at 15:53 -0500, Doug Coats wrote:
> I am new to using CentOS-DS and LDAP and I am having difficulty
> finding solid information on setting up using CentOS-DS as the
> information and authentication center of my network.
>
> I have googled a number of different combinations looking for the
> information I need but have not found any good resources to setup what
> I am after. I have downloaded and am going over the Red Hat
> documentation and where it is very informative it certainly is not a
> Howto.
>
> My biggest need for resources is in setting up the authentication of
> different services and LDAP.
>
> I am using CentOS 5.3 and CentOS-DS 8.1. These I have installed and
> running on a test server.
>
> I would like to accomplish the following things in this order.
>
> Linux authentication
> Samba authentication
> Dovecot authentication
>
> So my questions to begin with are: How do I get Linux to use LDAP to
> authenticate instead of the passwd and shadow files?
>
> Once I get that to work: How do I get Linux to do the normal things
> it does with adduser (like create a home directory, create a group,
> and things I can't think of)?
>
> If anyone could push me in the right direction I would really appreciate it.
We are using almost an identical setup except for Dovecot and we started with DS 8.0 and upgraded to 8.1. I'm afraid I'm up to my eyeballs in a project so I can't customize this for you but I'll paste in as much of our internal documentation as would be prudent to do. You will need to understand the principles behind the steps so you can adapt it accordingly. For example, we installed the master replica on a vserver - a great project (www.linux-vserver.org) but it does introduce some complexity to LDAP.
We also use a RO replica on KVM. Both are in an iSCSI environment. We also sync passwords with Active Directory for multiple clients - oh, and yes, this is a multi-tenant environment - hence the unusual hierarchical structure and bizarre ACIs. As I said, you will need to adapt but hopefully this will get you started. (and I hope it is not dropped for SPAM because of its length - hmm come to think of it, I think I'll send this email separately and then send the same email with all the notes. This way, if it does get trapped as SPAM, you can fish it out)

I'm sure there are errors in this document and would appreciate corrections, improvements, and comments from those who really know what they're doing (unlike me). Names and numbers changed to protect the innocent and my job!

Create the VServer guest - probably not necessary to you - sorry but the formatting is being lost - this will be very hard to follow :-(

Clone a new server named ldap1.mycompany.com with IP address 172.x.x.48/24 on the Internal VServer:

vserver ldap1 build -m clone --hostname ldap1.mycompany.com --interface ethx:172.x.x.48/24 -- --source centos-basevs

Set the proper /tmp file size and an adequate number of file handles for directory services:

On the VServer HOST do:

cd /etc/vservers/ldap1

Edit fstab by setting the options for the tmpfs mounted on /tmp to:
size=128m,mode=1777,nosuid,nodev,noexec

mkdir /etc/vservers/ldap1/ulimits
echo 65535 > /etc/vservers/ldap1/ulimits/nofile
(otherwise the DS installation will complain about only 1024 file handles available which may indeed be a problem)

cd

CentOS installations enforce pam_loginuid.so by default. Since it requires write access to /proc which is not available in the vserver, it will cause key processes to fail.
We thus disable it with the following one-line command:

sed -i -e "s/^session.*required.*pam_loginuid.so/# session\trequired \tpam_loginuid.so/g" /vservers/ldap1/etc/pam.d/*

Edit the /vservers/ldap1/etc/hosts file so it contains the following two lines:

127.0.0.1 localhost localhost.localdomain
172.x.x.48 ldap1 ldap1.mycompany.com

Install Directory Server

Start the new VServer guest (vserver ldap1 start) and connect to it (vserver ldap1 enter). The rest of these instructions assume one is on the ldap1 console unless specified otherwise.

Create the ldap group and user

groupadd -g 6xx ldap
useradd -s /sbin/nologin -d /var/lib/dirsrv -g ldap -u 6xx ldap

Edit /etc/yum.repos.d/CentOS-Base.repo by enabling the centosplus repository and adding the test repository with the following stanza:

[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=0
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
exclude=java-1.7.0-icedtea

Install the directory server:

yum --enablerepo=c5-testing install centos-ds java-1.6.0-openjdk

After centos-ds and its many dependencies have installed, install these additional packages:

yum install xorg-x11-xauth bitstream-vera-fonts dejavu-lgc-fonts urw-fonts firefox

Run setup-ds-admin.pl

Enter yes to continue and to accept the license terms
The setup routine will run dsktune and may issue a warning about file handles or tcp keepalives. Enter yes to continue unless there is a more serious error.
Choose a custom installation (because we must specify the vserver guest address)
The default Computer name should be fine (ldap1.mycompany.com)
System user is ldap
System group is ldap
There is no configuration directory server yet
Administrator ID is someone
Password is
Administration domain is mycompany.com
Take the default 389 port for now.
We will implement LDAPS later
Directory server identifier is ldap1
Suffix is dc=mycompany,dc=com
Directory Manager DN is cn=Directory Manager
Use the Do not install sample entries
We do not want any suggested entries so type none
Take the default administration port
IP address is 172.x.x.48 - NO, now that we have loopback remapping and Single IP Special Casing, we can leave this blank. NOOOO!!!!! We can't if we want to use Single IP Special Casing (which we probably do because we will be setting up lots of connections). This completely destroyed our setup when we implemented SSL. We did recover using the procedures outlined in the notes but then reinstalled anyway just in case.
Run Administration Server as ldap
Enter yes to set up the servers

Start the console GUI with (the viewing computer must be running X and using ssh X forwarding - configured in /etc/ssh/ssh_config). Beware the idm-console windows open minimized:

centos-idm-console -a http://ldap1.mycompany.com:9830 -s slapd-ldap1

Login using cn=Directory Manager and the associated password
Click on the Configuration tab
Select the top level item in the tree on the left side (ldap1.mycompany.com:389) and click on the SNMP tab. Fill in the following details:

Name: ldap1-ds
Description: Directory Server on ldap1
Organization: My Company
Location: Data Center 1
Contact: Operators

Go to the SASL Mapping tab and add a new item with the following details:

Name: kerberos uid mapping clients
Regular Expression: \(.*\)@\(.*\)\.\(.*\)
Search Base DN: o=Internal,dc=mycompany,dc=com
Search Filter: (uid=\1)

Click on Save

We will need to install the SAMBA schema.
Copy the schema from the SAMBA server (/usr/share/doc/samba-*/LDAP/samba.schema) and download the schema importer (http://directory.fedoraproject.org/download/ol-schema-migrate.pl)

Run the importer:

perl ol-schema-migrate.pl -b samba.schema > /etc/dirsrv/slapd-ldap1/schema/61samba.ldif

Even easier, copy the already created 61samba.ldif file from the test lab into /etc/dirsrv/slapd-ldap1/schema/

Change ownership and permissions on 61samba.ldif:

chown ldap:ldap 61samba.ldif
chmod 440 61samba.ldif

Restart the directory server (service dirsrv restart)

Return to the idm-console window, the Configuration tab, and click on the Data object in the left panel
Click on the Passwords tab.
Enable fine grained password policy
User must change after reset - Oops! That's a problem with X2Go. There is currently no way to change the password on first login via X2Go. Here is the email explanation from Alex: SKIP DETAILS - another great project (www.x2go.org)
Keep six passwords
Password expires in 31 days
Warned four days before (to account for long weekends)
Allow 4 login attempts after expiration
Check password syntax to enforce minimum length of 9 characters with 3 character category and a token length of 2 (We need the last two in order to synchronize with Windows AD)

Click the Account Lockout tab
Enable account lockout after 4 failures with a 10 minute reset.
Lock out for 10 minutes - This is more than three because of X2Go. It appears to make three logins during the session setup process. Thus, a single mistyped password locks an account limited to only three failed attempts. Here is the email explanation from Alex: SKIP DETAILS
Click on Save

Expand Data, expand dc=mycompany,dc=com, go to the UserRoot database for dc=mycompany,dc=com. Add the nsroledn attribute. Enable the presence index for member, nsroledn, owner, seeAlso, and uniquemember. Click Save.

Expand the Logs item in the left panel.
Enable Audit logging allowing 5 logs rotating each week or 100 MB with total storage of 500 MB held for 40 months or delete when space is below 50MB. Click Save.
Disable Access logging. Click Save.

Expand the Plugins item in the left panel
Click on the Referential Integrity plugin and enable it. Click on Save.
Click on the attribute uniqueness plugin, enable it and change the second argument to o=Internal,dc=mycompany,dc=com. Click on Save.

To this point, we have been working on the Configuration tab. Now click on the Directory tab.

Left click on the top level item (ldap1.mycompany.com:389). We left click first because this java implementation does not select automatically when right clicking. Once the top level item has been selected with a left click, right click and choose New Root Object and select dc=mycompany,dc=com. Select dcobject from the ensuing dialog box and click OK and then OK again.

Expand the config object in the left panel. Click on plugins
Left click and then right click the attribute uniqueness plugin and choose copy. Go to mycompany, left/right click and paste.
Edit the new copy of attribute uniqueness by changing the word attribute to gidnumber in the name, nsslapd-plugindescription, and entrydn fields, and the nsslapd-pluginarg0 to gidnumber. Click OK.
Left click then right click the new gidnumber uniqueness entry and copy. Then paste it back into config / plugins. For some reason, the DS GUI tries to copy in everything previously copied so ignore the errors about duplicate objects.
Return to the first copy under mycompany and edit it so name, description, and entrydn use uidnumber instead of gidnumber, and change nsslapd-arg0 to uidnumber. Save changes. Right click, copy, and then paste into config / plugins.
Return to the first copy under ssiservices and edit it so name, description, and entrydn use cn instead of uidnumber, and change nsslapd-arg0 to cn. Save changes. Right click, cut, and then paste into config / plugins.
Restart the directory server (service dirsrv restart or use the idm-console task tab)

WE DO NOT ALLOW ANONYMOUS BINDS AND MUST ALLOW CLIENTS TO ADMINISTER THEIR OWN PORTION OF THE TREE SO THIS MAY NOT APPLY TO YOU. PLUS, I BELIEVE WILD CARDS IN THE GROUPDN DEFINITIONS DID NOT WORK IN 8.0 AND WE HAVE STILL NOT FIXED OUR ACIS IN RESPONSE. WE HAVE NOT TESTED THIS WITH 8.1

We need to create a root searcher named uid=searcher,dc=mycompany,dc=com with a custom password policy that does not require the user to change the password and does not expire passwords. Create the user with givenname (or first name)=Directory, sn (or last name)=Searcher, uid=cn=searcher (all lower case - remember to change the cn). Give it the medium security password - oops - we do not want to do that as the password will be recorded in the ldap.conf file on vd1 which is world readable. Instead, use a password as would be created for a searcher user by the clientsetup script. See the script for the details.

To do this: Left and then right click on mycompany in the left panel and choose New User. Set the fields as above. Save the new user, then left/right click on the new user, choose Manage Password Policy and then For user. Enable fine grained passwords on the password tab. Set the password syntax as above (9 characters, 1 character category, 7 tokens). Click Save.

Next we must make many adjustments to security.

Left/right click on mycompany and choose Set Access Permissions
Delete the Enable anonymous access ACI (click on the ACI, then click Remove).
Since we have removed anonymous access, we must grant users rights to see themselves in a different ACI. Thus, edit the "Allow self entry modification except for nsroledn and aci attributes" ACI by adding Search, Compare, and Read rights.
Add a new ACI to allow the global searcher (click on New, click on Edit Manually and paste in the following):

(targetattr != "sambaLMPassword || sambaNTPassword || userPassword") (version 3.0; acl "Root Searcher"; allow (read,compare,search) (userdn = "ldap:///uid=searcher,dc=mycompany, dc=com") ;)

Click Check Syntax to ensure there are no errors and then click on OK.

Create two more new ACIs to allow client browsing of their portion of the Internal and External branches of the tree with the following two stanzas - one for each ACI. Remember to click Check Syntax to ensure there are no errors and then click on OK:

(target = "ldap:///($dn),o=external,dc=mycompany,dc=com")(targetattr != "sambaLMPassword || sambaNTPassword || userPassword") (version 3.0;acl "Client External Directory Searcher";allow (read,compare,search)(userdn = "ldap:///uid=*searcher, [$dn],o=sysaccounts,dc=mycompany,dc=com");)

(target = "ldap:///($dn),o=internal,dc=mycompany,dc=com")(targetattr != "sambaLMPassword || sambaNTPassword || userPassword") (version 3.0;acl "Client Internal Directory Searcher";allow (read,compare,search)(userdn = "ldap:///uid=*searcher, [$dn],o=sysaccounts,dc=mycompany,dc=com");)

Create two more ACIs in the same way to allow client administrative access to their portions of the tree with the following two ACIs:

(targetattr = "*") (target = "ldap:///($dn),o=external,dc=mycompany, dc=com") (version 3.0;acl "Client Administrators External";allow (all)(groupdn = "ldap:///cn=*ldapadmins,ou=groups,[$dn],o=internal,dc=mycompany,dc=com");)

(targetattr = "*") (target = "ldap:///($dn),o=internal,dc=mycompany, dc=com") (version 3.0;acl "Client Administrators Internal";allow (all)(groupdn = "ldap:///cn=*ldapadmins,ou=groups,[$dn],o=internal,dc=mycompany,dc=com");)

Now we need an explicit deny ACI to prevent client administrators from adding or deleting users (this is how we determine their billing so they must not change it).
Use this ACI:

(targetattr = "") (target = "ldap:///ou=Desktops,($dn),o=internal,dc=mycompany,dc=com") (version 3.0;acl "Client Internal Deny";deny (delete,add)(groupdn = "ldap:///cn=*ldapadmins,ou=Groups,[$dn],o=Internal,dc=mycompany,dc=com");)

We need an ACI to allow the user account used to enumerate uids for the DSGW application for each client to browse the client's portion of the Internal tree. Use this ACI:

(target = "ldap:///ou=Desks,($dn),o=Internal,dc=mycompany,dc=com")(targetattr = "uid || st || sn || ou || name || entrydn || dn || dc || objectClass || cn || o || l || c || givenName") (version 3.0;acl "Client DSGW Lister";allow (search,read)(userdn = "ldap:///uid=*gwlister,[$dn],o=sysaccounts,dc=mycompany,dc=com");)

We need the following ACIs to allow users to see selected attributes of all normally viewable entries in their own tree:

(target = "ldap:///($dn),o=external,dc=mycompany,dc=com")(targetattr = "documentPublisher || documentTitle || physicalDeliveryOfficeName || preferredDeliveryMethod || documentVersion || subject || postalAddress || documentStore || roomNumber || drink || givenName || vacationenddate || documentAuthor || searchGuide || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || displayName || telexNumber || secretary || uid || certificateRevocationList || st || sn || description || mail || labeledUri || documentIdentifier || uidNumber || postOfficeBox || ou || seeAlso || registeredAddress || postalCode || photo || gidNumber || preferredTimeZone || title || uniqueMember || street || preferredLocale || presentationAddress || documentLocation || pager || dn || dc || o || cn || l || c || cACertificate || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || memberOf || vacationstartdate") (version 3.0;acl "Client User Rights External";allow (read,compare,search)(userdn = "ldap:///uid=*,ou=Desks,[$dn],o=Internal,dc=mycompany,dc=com");)

(target = "ldap:///($dn),o=internal,dc=mycompany,dc=com")(targetattr = "documentPublisher || documentTitle || physicalDeliveryOfficeName || preferredDeliveryMethod || documentVersion || subject || postalAddress || documentStore || roomNumber || drink || givenName || vacationenddate || documentAuthor || searchGuide || teletexTerminalIdentifier || mobile || manager || entrydn || objectClass || displayName || telexNumber || secretary || uid || certificateRevocationList || st || sn || description || mail || labeledUri || documentIdentifier || uidNumber || postOfficeBox || ou || seeAlso || registeredAddress || postalCode || photo || gidNumber || preferredTimeZone || title || uniqueMember || street || preferredLocale || presentationAddress || documentLocation || pager || dn || dc || o || cn || l || c || cACertificate || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || memberOf || vacationstartdate") (version 3.0;acl "Client User Rights Internal";allow (read,compare,search)(userdn = "ldap:///uid=*,ou=Desks,[$dn],o=Internal,dc=mycompany,dc=com");)

Click OK to save the new ACIs.

Create three Organizations directly under dc=mycompany,dc=com, viz., Internal, External, and SysAccounts. Left/right click on mycompany, choose New and then Other. Select organization from the ensuing dialog and click OK. Replace "New" with the proper name in the name field and click OK. Do this for each of the three new organizations.

Set a custom password policy for SysAccounts so that users do not need to change passwords after reset and passwords never expire. Left/right click on SysAccounts in the right pane (R if the window needs to be refreshed) and choose Manage Password Policy, then For Subtree. Enable Create subtree level password policy. Set the password syntax as above (9 characters, 1 character category, 7 tokens). Click on Save and then Close.

The admin server complains about not being able to determine the server name on startup.
To fix this problem, edit /etc/dirsrv/admin-serv/httpd.conf and set

ServerName ldap1.mycompany.com:9830

Set the services to automatically start on boot:

chkconfig dirsrv-admin on
chkconfig dirsrv on

Configure SSL communication

Copy the ldap1admin PKCS#12 package generated as part of the PKI project to /etc/dirsrv/admin-serv/. Copy the CA cert (CA.pem) to /etc/dirsrv/admin-serv/. Change ownership and permissions, import the PKCS#12 package and CA cert into Directory Admin Server with the following commands executed on ldap1:

cd /etc/dirsrv/admin-serv
chown ldap:ldap CA.pem
chown ldap:ldap ldap1admin.p12
chmod 600 ldap1admin.p12
pk12util -i ldap1admin.p12 -d .

(N.B. The terminal "." standing for the current directory.) Use the medium security SSI password to secure the certificate store (the first password prompt).

certutil -A -d . -n "CA certificate" -t "CT,," -a -i CA.pem

Create a file in the /etc/dirsrv/admin-serv directory named password.conf with the following contents:

internal:

Set permissions and ownership on it as follows:

chown ldap:ldap /etc/dirsrv/admin-serv/password.conf
chmod 0400 /etc/dirsrv/admin-serv/password.conf

Edit /etc/dirsrv/admin-serv/nss.conf to point the NSSPassPhraseDialog parameter to file://etc/dirsrv/admin-serv/password.conf

At this point, we could delete ldap1admin.p12 but we will keep it just in case we need it in the future.

Restart dirsrv-admin from the command line (NOT from the console): service dirsrv-admin restart

Copy the ldap1 PKCS#12 package generated as part of the PKI project to /etc/dirsrv/slapd-ldap1/. Change ownership and permissions, import the PKCS#12 package and CA cert into Directory Server with the following commands executed on ldap1:

cd /etc/dirsrv/slapd-ldap1
chown ldap:ldap ldap1.p12
chmod 600 ldap1.p12
pk12util -i ldap1.p12 -d .

(N.B. The terminal "." standing for the current directory.) Use the medium security SSI password to secure the certificate store (the first password prompt).

certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/CA.pem

Create a file in the /etc/dirsrv/slapd-ldap1 directory named pin.txt with the following contents:

Internal (Software) Token:

Set permissions and ownership on it as follows:

chown ldap:ldap /etc/dirsrv/slapd-ldap1/pin.txt
chmod 0400 /etc/dirsrv/slapd-ldap1/pin.txt

Restart dirsrv (service dirsrv restart).

Open centos-idm-console (we want the full console this time and not just the directory server (-s slapd-ldap1)). Expand ldap1.mycompany.com, expand Server Group, open the Directory Server (double click in left panel or click Open on right panel). Go to the Configuration tab of the Directory Server, click on the top level item in the left panel (ldap1.mycompany.com:389), click on the Encryption tab in the right panel.

Enable SSL
Check the Enable this cipher family:RSA check box
Click on the Settings button and uncheck any "none" or "RC2" ciphers. Click OK
Enable Use SSL in Console
Click Save
Click OK on the warnings about setting taking effect only after restart and having to start as root to use a port below 1024.

Return to the main console, open the Administration Server and go to the Configuration tab, click on the top level item in the left panel (Administration Server), click on the Encryption tab in the right panel.

Enable SSL
Check the Enable this cipher family:RSA check box
Click on the Settings button and uncheck any "none" or "RC2" ciphers. Click OK

Go to the Configuration DS tab (authentication for the Directory Services config directory). Enable Secure Connection and make sure the port changes to 636.
Go to the User DS tab (configuration for the DIT (Directory Information Tree)).

Click Set User Directory
LDAP host and port: ldap1.mycompany.com:636
Click on Secure Connection
User Directory Subtree: dc=mycompany,dc=com (we need access to both Internal and SysAccounts)
Click Save

Go to the Main Console. Click on mycompany.com in the left pane. Click on Edit at the bottom of the right pane. Click on Secure Connection and set the port to 636. Click on OK. Close all console windows.

Stop the directory server (service dirsrv stop).
Restart the admin server (service dirsrv-admin restart).

If the restart fails with an error about NSSNickname only takes a single argument, it is most likely because pk12util gave a nickname to the cert with spaces in it. Edit the /etc/dirsrv/admin-serv/console.conf file at the line indicated by the error and enclose the nickname in quotation marks.

We may also want to edit /etc/dirsrv/admin-serv/httpd.conf by setting:

ServerName ldap1.mycompany.com:9830

in order to eliminate the cosmetic error about not determining the server name.

Start the directory server (service dirsrv start).

We need to import the CA cert into the database of the centos-idm-console user, i.e., the user running the GUI. In their home directory is a .centos-idm-console. Enter that directory and issue the following command (assuming it is running on the same computer as the admin-server - otherwise change the CA cert source appropriately):

certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/CA.pem

Close the centos-idm-console if it is still running. Reopen it but be sure to change the login Administration url to https://ldap1.mycompany.com:9830 rather than http. Click on the top level item in the left pane (mycompany.com), click edit in the right pane, enable Secure connection and change the port on the User directory host and port setting from 389 to 636.
Stop the directory server (service dirsrv stop).
Restart the administration server (service dirsrv-admin restart).
Start the directory server (service dirsrv start).

Set the services to automatically start on boot:

chkconfig dirsrv-admin on
chkconfig dirsrv on

Create read-only replica

The rest of these instructions assume one is on the ldap2 console unless specified otherwise.

Create the ldap group and user:

groupadd -g 6xx ldap
useradd -s /sbin/nologin -d /var/lib/dirsrv -g ldap -u 6xx ldap

Edit /etc/yum.repos.d/CentOS-Base.repo by enabling the centosplus repository and adding the test repository with the following stanza:

[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=0
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
exclude=java-1.7.0-icedtea

Install the directory server:

yum --enablerepo=c5-testing install centos-ds

After centos-ds and its many dependencies have installed, install these additional packages:

yum install xorg-x11-xauth bitstream-vera-fonts dejavu-lgc-fonts urw-fonts firefox

We will need to trust the CA in order to connect to the existing directory server via ldaps. Create the /etc/dirsrv/admin-serv directory, copy the CA cert (CA.pem) into it, and set ownership and permissions:

mkdir /etc/dirsrv/admin-serv
cd /etc/dirsrv/admin-serv
scp as appropriate
chown ldap:ldap CA.pem
chmod 660 CA.pem

We need to increase the number of allowable file handles. Edit /etc/sysctl.conf by adding the following line:

fs.file-max = 64000

Run sysctl -p to effect the new settings.

Add the following line to /etc/security/limits.conf:

* - nofile 8192

Reboot ldap2 from the KVM console.

Run setup-ds-admin.pl

Enter yes to continue and to accept the license terms. The setup routine will run dsktune and may issue a warning about file handles. Enter yes to continue unless there is a more serious error.
Choose a custom installation (because we must specify the KVM guest address).
The default Computer name should be fine (ldap2.mycompany.com).
System user is ldap
System group is ldap
We do want to register with an existing directory server.
The configuration directory server is ldaps://ldap1.mycompany.com:636/o=NetscapeRoot
Administrator ID is someone
Password is
Administration domain is mycompany.com
The CA cert is in /etc/dirsrv/admin-serv/CA.pem
Take the default 389 port for now. We will implement LDAPS later.
Directory server identifier is ldap2
Suffix is dc=mycompany,dc=com
Directory Manager DN is cn=Directory Manager
Use a different password
Do not install sample entries
We do not want any suggested entries so type none
Take the default administration port
IP address is 172.x.x.49
Run Administration Server as ldap
Enter yes to set up the servers

Start the console GUI with the following (the viewing computer must be running X and using ssh X forwarding - configured in /etc/ssh/ssh_config - may need to enable X11Trusted). Beware the idm-console windows open minimized:

centos-idm-console -a http://ldap2.mycompany.com:9830 -s slapd-ldap2

Login using cn=DirMan and the associated password.

Click on the Configuration tab. Select the top level item in the tree on the left side (ldap2.mycompany.com:389) and click on the SNMP tab. Fill in the following details:

Name: ldap2-ds
Description: Directory Server on ldap2
Organization: My Company
Location: Data Center 1
Contact: Operators

Go to the SASL Mapping tab and add a new item with the following details:

Name: kerberos uid mapping clients
Regular Expression: \(.*\)@\(.*\)\.\(.*\)
Search Base DN: dc=mycompany,dc=com
Search Filter: (uid=\1)

Click on Save.

We will need to install the SAMBA schema.
Copy the schema from the SAMBA server (/usr/share/doc/samba-*/LDAP/samba.schema) and download the schema importer (http://directory.fedoraproject.org/download/ol-schema-migrate.pl). Run the importer:

perl ol-schema-migrate.pl -b samba.schema > /etc/dirsrv/slapd-ldap1/schema/61samba.ldif

Even easier, copy the already created 61samba.ldif file from the test lab into /etc/dirsrv/slapd-ldap2/schema/

Change ownership and permissions on 61samba.ldif:

chown ldap:ldap 61samba.ldif
chmod 440 61samba.ldif

Restart the directory server (service dirsrv restart).

Return to the idm-console window, the Configuration tab, and click on the Data object in the left panel. Click on the Passwords tab.

Enable fine grained password policy
User must change after reset
Keep six passwords
Password expires in 31 days
Warned four days before (to account for long weekends)
Allow 4 login attempts after expiration
Check password syntax to enforce minimum length of 9 characters with 3 character category and a token length of 2

Click the Account Lockout tab. Enable account lockout after 4 failures with a 10 minute reset. Lock out for 10 minutes. Click on Save.

Expand Data, expand dc=mycompany,dc=com, go to the UserRoot database for dc=mycompany,dc=com. Add the nsroledn attribute. Enable the presence index for member, nsroledn, owner, seeAlso, and uniquemember. Click Save.

Expand the Logs item in the left panel. Enable Audit logging allowing 5 logs rotating each week or 100 MB with total storage of 500 MB held for 40 months or delete when space is below 50MB. Click Save. Disable Access logging. Click Save.

The admin server complains about not being able to determine the server name on startup.
To fix this problem, edit /etc/dirsrv/admin-serv/httpd.conf and set

ServerName ldap2.mycompany.com:9830

Set the services to automatically start on boot:

chkconfig dirsrv-admin on
chkconfig dirsrv on

Configure SSL communication

Copy the ldap2admin PKCS#12 package generated as part of the PKI project to /etc/dirsrv/admin-serv/. Copy the CA cert (CA.pem) to /etc/dirsrv/admin-serv/. Change ownership and permissions, import the PKCS#12 package and CA cert into Directory Admin Server with the following commands executed on ldap2:

cd /etc/dirsrv/admin-serv
chown ldap:ldap CA.pem
chown ldap:ldap ldap2admin.p12
chmod 600 ldap2admin.p12
pk12util -i ldap2admin.p12 -d .

(N.B. The terminal "." standing for the current directory.) Use the medium security SSI password to secure the certificate store (the first password prompt).

certutil -A -d . -n "CA certificate" -t "CT,," -a -i CA.pem

Create a file in the /etc/dirsrv/admin-serv directory named password.conf with the following contents:

internal:medium security SSI password

Set permissions and ownership on it as follows:

chown ldap:ldap /etc/dirsrv/admin-serv/password.conf
chmod 0400 /etc/dirsrv/admin-serv/password.conf

Edit /etc/admin-serv/nss.conf to point the NSSPassPhraseDialog parameter to file://etc/dirsrv/admin-serv/password.conf

At this point, we could delete ldap2admin.p12 but we will keep it just in case we need it in the future.

Restart dirsrv-admin from the command line (NOT from the console): service dirsrv-admin restart

Copy the ldap2 PKCS#12 package generated as part of the PKI project to /etc/dirsrv/slapd-ldap2. Change ownership and permissions, import the PKCS#12 package and CA cert into Directory Server with the following commands executed on ldap2:

cd /etc/dirsrv/slapd-ldap2
chown ldap:ldap ldap2.p12
chmod 600 ldap2.p12
pk12util -i ldap2.p12 -d .

(N.B. The terminal "." standing for the current directory.) Use the medium security SSI password to secure the certificate store (the first password prompt).

certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/CA.pem

Create a file in the /etc/dirsrv/slapd-ldap2 directory named pin.txt with the following contents:

Internal (Software) Token:medium security SSI password

Set permissions and ownership on it as follows:

chown ldap:ldap /etc/dirsrv/slapd-ldap2/pin.txt
chmod 0400 /etc/dirsrv/slapd-ldap2/pin.txt

Restart the directory server (service dirsrv restart).

We need to import the CA cert into the database of the centos-idm-console user, i.e., the user running the GUI. In their home directory is a .centos-idm-console. Enter that directory and issue the following command (assuming it is running on the same computer as the admin-server - otherwise change the CA cert source appropriately):

certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/CA.pem

Open centos-idm-console (we want the full console this time and not just the directory server (-s slapd-ldap2)), open the Directory Server for ldap2. Go to the Configuration tab of the Directory Server, click on the top level item in the left panel (ldap2.mycompany.com:389), click on the Encryption tab in the right panel.

Enable SSL
Check the Enable this cipher family:RSA check box
Click on the Settings button and uncheck any "none" or "RC2" ciphers. Click OK
Enable Use SSL in Console
Click Save
Click OK on the warnings about setting taking effect only after restart and having to start as root to use a port below 1024.

Open the Administration Server for ldap2 and go to the Configuration tab, click on the top level item in the left panel (Administration Server), click on the Encryption tab in the right panel.

Enable SSL
Check the Enable this cipher family:RSA check box
Click on the Settings button and uncheck any "none" or "RC2" ciphers.
Click OK

Go to the Configuration DS tab. Enable Secure Connection and make sure the port changes to 636 and it points to ldap1.mycompany.com and not ldap2 since ldap1 houses the DS configuration.

Go to the User DS tab
Click on the Set User Directory radio button
Set LDAP host and port to ldap2.mycompany.com:636 ldap1.mycompany.com:636
Enable Secure Connection
Set User Directory Subtree to dc=mycompany,dc=com
Click Save

Open the ldap1 Administration Server and go to the Configuration tab, click on the top level item in the left panel (Administration Server), click on the Encryption tab in the right panel.

Go to the User DS tab
Click on the Set User Directory radio button
Set LDAP host and port to ldap1.mycompany.com:636 ldap2.mycompany.com:636
Enable Secure Connection
Set User Directory Subtree to dc=mycompany,dc=com
Click Save

Close all consoles.

Stop the directory server (service dirsrv stop).
Restart the admin server (service dirsrv-admin restart).

If the restart fails with an error about NSSNickname only takes a single argument, it is most likely because pk12util gave a nickname to the cert with spaces in it. Edit the /etc/dirsrv/admin-serv/console.conf file at the line indicated by the error and enclose the nickname in quotation marks.

Start the directory server (service dirsrv start).
Restart the admin server on ldap1.

Close the centos-idm-console if it is still running. Reopen it but be sure to change the login Administration url to https://ldap2/mycompany.com:9830 rather than http.

Setup replication

Create the Replication Manager entry on ldap2. Stop the directory server on ldap2 (service dirsrv stop). Edit the /etc/dirsrv/slapd-ldap2/dse.ldif file by adding the following stanza:

dn: cn=repuser,cn=config
uid: repuser
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: repuser
givenname: Replication
sn: Manager
userPassword:
passwordExpirationTime: 20380119031407Z

Start the directory server (service dirsrv start).

Argh! This always complains about trailing spaces. If it does, start the Directory Server and use the GUI to delete the repuser user and then create them with the above data. Be sure to change both the uid and cn to repuser and the name attribute to cn. One must save the new user and then edit the advanced properties after the first save in order to set the passwordExpirationTime as above.

Argh! Apparently we cannot change the name attribute so, if we use this method, we must remember to use uid=repuser instead of cn=repuser in the Replication Agreement created below.

The repuser user must have a separate password policy so the password is not required to be changed on login and does not expire. This is normally done as done previously, i.e., left/right click on the repuser user object in the ldap2 directory under cn=config. However, there is a bug in the UI which frequently makes the password manager UI unusable. If this is the case, we can create the password policy using the following process on the ldap2 directory:

Left/right click on config in the left directory panel
Add new other and choose nscontainer object
Name the container "nsPwPolicyContainer"
Left/right click nsPwPolicyContainer and add new other and choose passwordpolicy
Add a new object class of ldapsubentry
Add a cn attribute with value "cn=nsPwPolicyEntry,uid=repuser,cn=config"
Change the naming attribute to cn (button toward bottom right of dialog)

Hmm . . very strange, I was not looking forward to entering all the different password policy attributes manually when I realized I had mistyped the name of the nsPwPolicyEntry. I deleted the password policy entity so the nsPwPolicyContainer was empty. Somehow, this enabled the custom password policy to appear properly when right clicking the repuser entity! Hmm . . . it appears that, once we create the nsPwPolicyEntry, the menu appears and can then be used to add all the other attributes.
THIS IS ALL FIXED IN 8.1

Go to the Directory Server GUI for ldap1 (this can now be done from centos-idm-console on ldap1 or ldap2), choose the Configuration tab, select Replication in the left panel and then the Supplier Settings in the right panel.

Enable the Change Log
Click the Use default button
Click Save

Expand the Replication object and choose the userRoot database.

Enable the replica
Set to single master
Give it a replica ID of 1
Click Save

Go to the Directory Server GUI for ldap2, choose the Configuration tab. Expand the Replication object and choose the userRoot database.

Enable the replica
Set to dedicated consumer
Enter cn=repuser,cn=config in the Enter a new Supplier DN field and click Add.
Click on Save.

Go to the Directory tab. Left/right click on config in the left panel and choose properties. Set the passwordisglobalpolicy to on. Click OK.

Go back to the centos-idm-console on ldap1. Go to the Configuration tab, select the userRoot under the Replication object in the left panel. Left/right click and choose New Replication Agreement.

The name is "mycompany.com ldap1->ldap2" and the Description is "Replicates mycompany.com from ldap1 to ldap2". Click Next.

Set the Consumer to ldap2.mycompany.com:389 from the drop down box (389 is correct even though we are really using 636) - Oops! That is not true despite what the documentation says. Click other and create a new entry for ldap2.mycompany.com on port 636. Enable the SSL connection. Enter cn=repuser,cn=config for the Bind As and enter the password. Click Next and then Next again.

We will always keep directories in sync so click Next again. Choose Initialize Consumer Now and click Next. Click Done.

Setup DSGW for client user administration

We will install DSGW on ldap1 so clients can administer their own users. Thus, we will significantly restrict what DSGW can do. The Centos RPMs for the web based user interface have not yet been released.
In the meantime, we can download the DSGW source from http://directory.fedoraproject.org/sources/fedora-ds-dsgw-1.1.1.tar.bz2 (1.1.2 is available but fails to compile for an unmet dependency):

yum install wget tar gzip bzip2
mkdir /download
cd /download
wget http://directory.fedoraproject.org/sources/fedora-ds-dsgw-1.1.1.tar.bz2

These have some dependencies so we must do - oops! For some reason, there is a broken dependency setting for httpd-devel so we will need to download it manually after installing its dependencies:

yum install apr-devel apr-util-devel pkgconfig
cd /download
wget http://dev.centos.org/centos/5/testing/x86_64/httpd-devel-2.2.8-1.el5s2.centos.x86_64.rpm
rpm -Uvh httpd-devel*.rpm

Now we can do:

yum --enablerepo=c5-testing install icu libicu-devel mozldap-devel apr-devel pam-devel openssl-devel lm_sensors-devel net-snmp-devel cyrus-sasl gcc-c++ bzip2 make nspr-devel nss-devel adminutil-devel file svrcore-devel

As a non-root user, untar the dsgw tarball and make dsgw:

useradd -m someuser
chown -R someuser /download
su someuser
cd /download
tar jxfv fedora-ds-dsgw-1.1.1.tar.bz2
cd fed*
./configure --prefix=/usr --libdir=/usr/lib64 --sysconfdir=/etc --localstatedir=/var && make && su -c "make install"
exit (to root)

Copy the CA cert into /etc/dirsrv/dsgw so we can use LDAPS:

cp /etc/dirsrv/admin-serv/CA.pem /etc/dirsrv/dsgw/

Now we configure DSGW by running setup-ds-dsgw

We want to prevent any access to the Directory Manager account so we edit /etc/dirsrv/dsgw/dsgw.conf by commenting out the current dirmgr directory and creating a new one for the non-existent user "Intentionally Broken":

dirmgr "cn=Intentionally Broken"

Change the baseurl parameter in dsgw.conf to use port 636 (LDAPS). It may have detected ldaps during installation and already be set properly.

We want to remove the hyperlinks to local server administration.
To do this, edit /usr/share/dirsrv/html/admserv.html by commenting out the two table rows () containing the "CentOS Home Page" and the "CentOS Administration Express". While we are editing, change the to SSI Directory Management Console and CentOS Server Products (note the breaks in between) to SSI Directory Management. In fact, we may want to comment out the user services altogether.

We may also wish to rename the files to which the links point so they cannot be found explicitly by someone who has researched DSGW:

mv /usr/share/dirsrv/html/htmladmin.html{,x}

Because we do not allow anonymous access, we need a binddn and bindpw to access the tree. Since this is a client application, that will be different for each client. We will store the various bind information files in /etc/dirsrv/bindings so we need to make that directory:

mkdir /etc/dirsrv/bindings

dsgw.conf needs a binddnfile directive but we will add this on a per client basis. Thus we will construct customized files combining the binddnfile and a template which is simply the dsgw.conf file without the binddnfile directive. Thus do:

cd /etc/dirsrv/dsgw
cp dsgw.conf dsgw.template
chown ldap:ldap /etc/dirsrv/dsgw/dsgw.template

Restart dirsrv-admin. The service is now available from https://ldap1.mycompany.com:9830

BECAUSE WE STARTED WITH 8.0, WE HAD TO UPGRADE TO 8.1 WITH SOMETHING SIMILAR TO THIS PROCEDURE. IT MAY CONTAIN IMPORTANT INFORMATION FOR YOU

ldap2

SSH to ldap2 as root. Backup the current database as follows:

cd /usr/lib64/dirsrv/slap*
./db2ldif -n userRoot -a /tmp/ssi..ldif
mv /tmp/ssi*.ldif ~/

(it seems we cannot save it here directly - I assume the backup process does not run as root but rather as ldap)

Update centos ds as follows:

yum --exclude=kernel --enablerepo=c5-testing upgrade

Argh!! silly bug - because we are using ldaps, it asks for the CA cert but then complains that the CA cert is already installed.
To work around the bug we need to uninstall the CA cert first with:

certutil -D -d /etc/dirsrv/admin-serv -n "CA certificate"
setup-ds-admin.pl -u

Add the new plugins as follows:

service dirsrv stop
service dirsrv-admin stop

Copy the contents of /usr/share/dirsrv/data/template-dse.ldif and /usr/share/dirsrv/data/template-dnaplugin.ldif into /etc/dirsrv/slapd-ldap2/dse.ldif

Argh!! The MemberOf definition has an error in it. Change memberOfGroupAttr from member to uniqueMember and change nsslapd-pluginenabled from off to on.

service dirsrv start
service dirsrv-admin start

ldap1

SSH to ldap1 as root. Backup the current database as follows:

cd /usr/lib64/dirsrv/slap*
./db2ldif -n userRoot -a /tmp/ssi..ldif
./db2ldif -n NetscapeRoot -a /tmp/ssi-config..ldif
mv /tmp/ssi*.ldif ~/

Update centos ds as follows:

yum --exclude=kernel --exclude=postgresql-libs --enablerepo=c5-testing upgrade
setup-ds-admin.pl -u

Add the new plugins as follows:

service dirsrv stop
service dirsrv-admin stop

Copy the MemberOf definition from /usr/share/dirsrv/data/template-dse.ldif and the contents of /usr/share/dirsrv/data/template-dnaplugin.ldif into /etc/dirsrv/slapd-ldap1/dse.ldif

Argh!! The MemberOf definition has an error in it. Change memberOfGroupAttr from member to uniqueMember and change nsslapd-pluginenabled from off to on.

service dirsrv start
service dirsrv-admin start

Another Argh!! The memberOf plugin requires each user on whom it should operate to have the inetuser object class which is not created by default. We need to add it to each user.

Add group membership to existing users as follows:

fixup-memberof.pl

Hmm . . . it cannot find fixup-memberof.pl so we try to do this with ldapmodify as follows:

/usr/lib64/mozldap/ldapmodify -h ldap01 -D "cn=Directory Manager" -w - -ZZZ -P /etc/dirsrv/admin-serv
Enter bind password:
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=mycompany,dc=com
filter: (objectClass=inetOrgPerson)

LDAP Active Directory Integration

This procedure outlines setting up clients with Windows users by integrating their Active Directory with the main LDAP directory.

Unlike non-Windows client setups, we need to create the client Internal organization (e.g., o=abcdefgh,o=Internal,dc=mycompany,dc=com) before the main user creation routine. This is because the synchronization agreement between LDAP and AD must be in place before the users are created lest the users be created disabled with passwords which must be changed at the first login. We will thus alter the clientsetup script to not fail automatically if it finds the Internal client organization already exists but will give the administrator a choice to continue.

We will use a flag named ADINT to keep track of what to do with AD integration. It may have one of three values:

1. 0 = The Internal client organization does not exist which implies no AD integration
2. 1 = The Internal client organization does exist but the WTSUser group has not yet been created
3. 2 = The Internal client organization does exist as does the WTSUser group so we simply add the Windows enabled user to that group.

We begin by creating the client Internal organization in LDAP. Right click o=Internal and choose new other and then choose organization.

We next go to the Windows domain controller and create organizational units named Desktops and Groups underneath the top level of AD, e.g., at dc=mycompany,dc=com. Right click on the top level of the domain and choose New / Organizational Unit.
We create a user in the main cn=Users context of Active Directory to function as the binddn for LDAP. The user must be a member of the domain admins group. We go to centos-idm-console -s slapd-ldap1 on ldap1 to administer LDAP. Go to the configuration tab. Expand Replication and right click on UserRoot. Choose New Windows Sync Agreement. Give it an appropriate and unique name and a description. Enter the Windows domain name as appropriate; it should be the FQDN of the top level of AD, e.g., mycompany.com. Do NOT check Sync New Windows Users or Sync New Windows Groups as we do not want this information pushed from Windows to LDAP. We only want to go from LDAP to Windows. Synchronize with the top level of AD so we can access both users and groups in separate OUs, e..g, dc=mycompany,dc=com. The top level should synchronize with the client's Internal organization in LDAP, e.g., o=abcdefgh,o=Internal,dc=ssiservices,dc=biz. Enter the hostname for the domain controller and port 636. Check "Using encrypted SSL connection" and enter the credentials for the AD synchronization user created earlier. Click next and done. If there is a problem connecting to the LDAP server, it may be a bad password, bad binddn, or bad hostname. Left/right click on the new windows synchronization agreement under Replication / UserRoot in the left panel and choose Initiate Full Synchronization. Check the Replication status on the Status tab to ensure it was successful. Next, create the new users using the clientsetup script as normal. Answer "Y" to the question if it is OK that the client ID already exists. Once the objects have been created in LDAP, go to the configuration tab, left/right click on the Windows synchronization agreement and Send and Receive Updates Now. Go to the Windows Terminal Server console and open the Terminal Services Configuration utility. Double click the RDP-tcp connection. Go to the permissions tab and add the WTSUsers group (it will be named WTSUsers-). 
Set the permissions to User Allow for the WTSUsers group.

LDAP configurations

Now that we have defined the SSI users, we need to install and configure the LDAP client and related modules for all installed servers. We will start with host01. First copy the CA cert (CA.pem) into /etc/pki/tls/certs/ and ensure it is world readable. Then:

    yum install nscd nss_ldap authconfig
    authconfig --update --enableldap --enableldapauth --disablenis --enablecache --ldapserver=ldapxx.mycompany.com --ldapbasedn=dc=mycompany,dc=com --enableldaptls

We must edit the resultant /etc/ldap.conf file as follows:

    binddn uid=searcher,o=abcdefg,o=SysAccounts,dc=mycompany,dc=com

Oops! This is the case on all servers except this one, as this one needs to see all the client data, thus:

    binddn uid=searcher,dc=ssiservices,dc=biz
    bindpw
    rootbinddn (we will not set this for the guest systems on this vserver host)
    tls_cacertfile /etc/pki/tls/certs/CA.pem (toward the bottom)
    uri ldap://ldapxx.mycompany.com/
    ssl start_tls
    pam_password md5
    tls_checkpeer yes
    comment out tls_certdir

Create the /etc/ldap.secret file containing the passphrase and set it rw for root only (chmod 600 /etc/ldap.secret).

Edit /etc/nscd.conf to change the group positive cache limit (positive-time-to-live) to 600 seconds from the default 3600. Otherwise, group changes may take up to an hour to propagate.

Edit /etc/pam.d/system-auth by changing:

    password sufficient pam_unix.so shadow nullok try_first_pass use_authtok

to

    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

(addition of md5) lest we only use the first eight characters of any password. It looks like this is the new default setting so no need to change it.

Setup SAMBA

In order for Windows Terminal Server users to see their data from their TS sessions, TS needs to map a drive to their data stored on host01. Thus, we need to install SAMBA and integrate it with LDAP.
First, we install the needed packages:

    yum install samba samba-client samba-common

Then edit /etc/samba/smb.conf from the default values as follows:

    [global]
    workgroup = WORKGROUP
    server string = HOST01 Version %v
    interfaces = lo bond0 172.x.x.8/16
    disable netbios = yes
    large readwrite = yes

    Standalone Server Options
    security = user
    passdb backend = ldapsam:ldap://ldapxx.mycompany.com
    ldap ssl = start_tls
    ldap admin dn = uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
    ldap suffix = dc=mycompany,dc=com
    ldap delete dn = no

    Browser Control Options
    local master = no

    Printing Options
    ; load printers = yes (i.e., comment it out)

    [homes]
    Comment out everything including the heading - we do not want to map home drive access by default

    [printers]
    Comment out everything including the heading - we do not want to expose all printers

    [data-template]
    writable = yes
    create mask = 0770
    directory mask = 0770
    browseable = no
    case sensitive = yes
    block size = 4096
    follow symlinks = no

    # ====== abcdefgh Shares ============
    [data-abcdefgh]
    copy = data-template
    path = /data/clients/abcdefgh
    valid users = user1 user2
    hosts allow = windows1.mycompany.com

Create the secrets.tdb file to store the searcher password:

    smbpasswd -w
    history -c

Add password to PasswordLocations file.

Edit /etc/openldap/ldap.conf (NOT /etc/ldap.conf) by setting:

    TLS_CACERT /etc/pki/tls/certs/CA.pem

Start the SAMBA service and set it to start on boot:

    service smb start
    chkconfig smb on

Modifying SAMBA LDAP users

Add needed object classes to the user by doing the following from host01:

    smbpasswd -a

(enter current password - we have a problem in that there is currently no way to change the smbpasswd from LDAP - just the other way around)

Although we are still not sure this is doing anything, as all sources seem to say we cannot sync passwords from LDAP to SAMBA, just the other way around, without implementing FreeIPA, edit /etc/pam.d/system-auth-ac so the password section reads as follows:

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password sufficient pam_smbpass.so use_authtok
    password sufficient pam_ldap.so use_authtok
    password required pam_deny.so

END

I think that is just about everything we did. Perhaps it is more confusing than helpful and it certainly needs to be adapted. Wish I had more time to do that for you but it's time to shackle up my chains, head back to the pile and break more IT rocks. Good luck - John

--
John A. Sullivan III
Open Source Development Corporation
Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense

From dcoatshca at gmail.com Sun Jun 7 19:33:00 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Sun, 7 Jun 2009 14:33:00 -0500
Subject: [389-users] Developting a CentOS-DS setup
In-Reply-To: <1244332681.6371.113.camel@jaspav.missionsit.net.missionsit.net>
References: <1244332681.6371.113.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

Thanks a ton John! This certainly gives me somewhere to start. Now I just need to figure out what parts Linux needs to authenticate to begin with. Do I need SSL if all of my LDAP requests are coming from internal servers?

Thanks again!
Doug

From jsullivan at opensourcedevel.com Mon Jun 8 09:41:31 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 08 Jun 2009 05:41:31 -0400
Subject: [389-users] Developting a CentOS-DS setup
In-Reply-To:
References: <1244332681.6371.113.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1244454091.6383.12.camel@jaspav.missionsit.net.missionsit.net>

On Sun, 2009-06-07 at 14:33 -0500, Doug Coats wrote:
> Thanks a ton John! This certainly gives me somewhere to start.
> Now I just need to figure out what parts Linux needs to authenticate to begin with. Do I need SSL if all of my LDAP requests are coming from internal servers?

The bottom part of the plan should give you most of that information. Some of the essential bits are in the clientsetup script we created and I really shouldn't post that. We do set up our users with objectclasses of posixaccount and ntuser (I believe that's correct). On RedHat systems we also do something that I believe is technically incorrect: we add a posixgroup objectclass to the users to account for the personal group created by default. To keep the IDs unique among all the systems, we enforce unique uid, uidnumber, and gidnumber and, for other reasons in our multi-client environment, cn. This is one of the major reasons why we divide our DIT at the top level between Internal objects (which must enforce this uniqueness) and External objects (such as client contact lists) which do not enforce that uniqueness.

At that point, one can use ldap.conf, nsswitch.conf, and the pam.d modules (largely configured automatically by, oh I forget the package name, I think it is authconfig - it's in the plan) to allow the Linux systems to authenticate users against LDAP.

Certainly because we are a multi-client environment, but even if we weren't, we do not believe in the hard and crunchy outside, soft and chewy inside security model. The network revolution means the primary attack vector is now on the inside of the network and not the outside. Truth be told, it always was. That's why we use SSL even on the internal network. If someone plants a protocol analyzer on the network, with a little bit of ARP poisoning, there's nothing they can't see traversing the wire. That's why we launched the ISCS network security project (http://iscs.sourceforge.net) and tend to "firepipe" rather than firewall our networks.

Hope this helps - John

--
John A.
Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From kenneho.ndu at gmail.com Tue Jun 9 06:36:25 2009
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Tue, 9 Jun 2009 08:36:25 +0200
Subject: [389-users] Allowing users to change their password
Message-ID:

Hi all.

I'd like my users to be able to change their password (stored in the directory server) by issuing "passwd" or something like that. Can this be done? According to the documentation it seems like one has to use the "ldappasswd" command, which seems pretty tricky to regular users.

I'm running Red Hat Directory Server 8.0.0.

Regards,
Kenneth

From amirov at infinet.ru Tue Jun 9 06:39:46 2009
From: amirov at infinet.ru (Dmitry Amirov)
Date: Tue, 09 Jun 2009 12:39:46 +0600
Subject: [389-users] Allowing users to change their password
In-Reply-To:
References:
Message-ID: <4A2E03B2.7000200@infinet.ru>

Hi Kenneth.

It must be done by the pam_ldap.so module.

Kenneth Holter wrote:
> Hi all.
>
> I'd like my users to be able to change their password (stored in the directory server) by issuing "passwd" or something like that. Can this be done? According to the documentation it seems like one has to use the "ldappasswd" command, which seems pretty tricky to regular users.
>
> I'm running Red Hat Directory Server 8.0.0.
>
> Regards,
> Kenneth
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From niranjan.ashok at gmail.com Tue Jun 9 06:42:40 2009
From: niranjan.ashok at gmail.com (mallapadi niranjan)
Date: Tue, 9 Jun 2009 12:12:40 +0530
Subject: [389-users] Allowing users to change their password
In-Reply-To:
References:
Message-ID: <73e979680906082342u3f8243bo197aebff8314b9d6@mail.gmail.com>

On Tue, Jun 9, 2009 at 12:06 PM, Kenneth Holter wrote:
> Hi all.
>
> I'd like my users to be able to change their password (stored in the directory server) by issuing "passwd" or something like that. Can this be done? According to the documentation it seems like one has to use the "ldappasswd" command, which seems pretty tricky to regular users.
>
> I'm running Red Hat Directory Server 8.0.0.

If the system is authenticating to Directory Server, the user, once logged in, can change the password using the "passwd" command. You can refer to the documentation below as to how to configure the system to authenticate using RHDS:

http://directory.fedoraproject.org/wiki/Howto:PAM

Regards
Niranjan

> Regards,
> Kenneth

From tamarinp at gmail.com Tue Jun 9 09:46:59 2009
From: tamarinp at gmail.com (tamarin p)
Date: Tue, 9 Jun 2009 11:46:59 +0200
Subject: [389-users] Double quoted distinguished names
In-Reply-To: <4dd1b3eb0906040136q1a2340f3v4ae083e25658e253@mail.gmail.com>
References: <4dd1b3eb0906030349w473570bfh590fe2cc40d54e17@mail.gmail.com> <4dd1b3eb0906040136q1a2340f3v4ae083e25658e253@mail.gmail.com>
Message-ID: <4dd1b3eb0906090246h33974233n6ea09fe36f071bbd@mail.gmail.com>

2009/6/4 tamarin p
>
> 2009/6/3 Chris St.
Pierre
>> On Wed, 3 Jun 2009, tamarin p wrote:
>>> Hi,
>>>
>>> i apologize that i am revisiting this topic yet again but as we found out, double quoted distinguished names are no longer possible in 1.2.0.
>>
>> Any word on this?

Should I file a bug in bugzilla for it, or are double quoted dn just gone forever?

From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jun 9 10:46:18 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (=?ISO-8859-1?Q?jean-No=EBl_Chardron?=)
Date: Tue, 09 Jun 2009 12:46:18 +0200
Subject: [389-users] Problem to create a root entry
Message-ID: <4A2E3D7A.4030301@dr15.cnrs.fr>

hello,

On a fresh install of a 389 directory server on fedora 10, I tried to create a root entry as described in the book Administration of Redhat Directory Server.

I tried some possibilities with directory console or command line; the behavior is hazardous:

in command line i tried this below, but the branch dc=ad,...
doesn't appear in the directory console

    [root at aragon db]# ldapmodify -a -x -D "cn=directory manager" -w secret
    dn: cn=adData,cn=ldbm database,cn=plugins,cn=config
    objectclass: extensibleObject
    objectclass: nsBackendInstance
    nsslapd-suffix: dc=ad,dc=dr15,dc=cnrs,dc=fr

    adding new entry "cn=adData,cn=ldbm database,cn=plugins,cn=config"

    dn: cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config
    objectclass: top
    objectclass: extensibleObject
    objectclass: nsMappingTree
    nsslapd-state: backend
    nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr"
    nsslapd-backend: adData
    cn: dc=ad,dc=dr15,dc=cnrs,dc=fr

    adding new entry "cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config"

but the branch dc=ad,dc=dr15,dc=cnrs,dc=fr doesn't appear in the directory console.

If I omit the parent (nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr") and I create an independent branch, the new root suffix (dc=ad,dc=dr15,dc=cnrs,dc=fr) appears in the directory console, but in the tab "directory" I cannot create the new root Object.

In fact my original problem is that I am never able to create a new root object in the Directory under the root suffix dc=dr15,dc=cnrs,dc=fr even after creating the database. In the directory console the link 'New Root Object' is not active, so I cannot create the root object "dc=ad,dc=dr15,dc=cnrs,dc=fr".

Can somebody tell me what is wrong or misconfigured?

Thanks
jnc

From tamarinp at gmail.com Tue Jun 9 13:52:54 2009
From: tamarinp at gmail.com (tamarin p)
Date: Tue, 9 Jun 2009 15:52:54 +0200
Subject: [389-users] Unable to set -1 total log disk space in fedora-idm-console
Message-ID: <4dd1b3eb0906090652w43f9c0a3p207f52b19bd72ba5@mail.gmail.com>

Possible input validation bug? It's not possible to set logmaxdiskspace=-1 in fedora-idm-console. The console states this must be equal or greater than the combined size of rotated logs, even though the docs state -1 is a valid setting.
See http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Monitoring_Server_and_Database_Activity.html#Viewing_and_Configuring_Log_Files-Defining_a_Log_File_Deletion_Policy under "The maximum size of the combined archived logs".

Seems to work as documented when you set it in dse.ldif manually (limit only determined by number of logs and size of each log). No complaints in logs.

From lejeczek at jatymy.org Tue Jun 9 13:54:25 2009
From: lejeczek at jatymy.org (lejeczek)
Date: Tue, 09 Jun 2009 14:54:25 +0100
Subject: [389-users] error: failed to install local copy of fedora-ds-1.1.jar
Message-ID: <4A2E6991.3010408@jatymy.org>

hi everybody,

error is from idm console, rpms are as follows:

    fedora-ds-base-1.2.0-4.fc9.x86_64
    fedora-ds-dsgw-1.1.2-1.fc9.x86_64
    fedora-ds-base-devel-1.2.0-4.fc9.x86_64
    fedora-ds-console-1.2.0-1.fc9.noarch
    fedora-ds-admin-1.1.7-3.fc9.x86_64
    fedora-ds-admin-console-1.1.3-1.fc9.noarch

and yet, even if I delete ~/.fedora-idm-console and start console, I can connect to admin servers but not to ds, and when above folder gets created anew after manual deletion, files are actually copied from, I guess, /usr/share/dirsrv/html/java/ and not linked as they used to be; linking would be better - not?

and this version numbering nomenclature is a bit messy; there in ~/.fedo... should be fedora-{ds,admin} linked to the correct versions in /usr/share/dirsrv/html/java/

so my call for help is - what is missing? I rpm'ed the above packages but it did not help. i can copy files by hand but I expect it to work out of the box - no?
cheers everybody

From rmeggins at redhat.com Tue Jun 9 13:57:15 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jun 2009 07:57:15 -0600
Subject: [389-users] Unable to set -1 total log disk space in fedora-idm-console
In-Reply-To: <4dd1b3eb0906090652w43f9c0a3p207f52b19bd72ba5@mail.gmail.com>
References: <4dd1b3eb0906090652w43f9c0a3p207f52b19bd72ba5@mail.gmail.com>
Message-ID: <4A2E6A3B.3020508@redhat.com>

tamarin p wrote:
> Possible input validation bug? It's not possible to set logmaxdiskspace=-1 in fedora-idm-console. The console states this must be equal or greater than the combined size of rotated logs, even though the docs state -1 is a valid setting. See http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Monitoring_Server_and_Database_Activity.html#Viewing_and_Configuring_Log_Files-Defining_a_Log_File_Deletion_Policy under "The maximum size of the combined archived logs".
>
> Seems to work as documented when you set it in dse.ldif manually (limit only determined by number of logs and size of each log). No complaints in logs.

Sounds like a bug. Please file a bug against the console.
From rmeggins at redhat.com Tue Jun 9 13:58:15 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jun 2009 07:58:15 -0600
Subject: [389-users] Double quoted distinguished names
In-Reply-To: <4dd1b3eb0906090246h33974233n6ea09fe36f071bbd@mail.gmail.com>
References: <4dd1b3eb0906030349w473570bfh590fe2cc40d54e17@mail.gmail.com> <4dd1b3eb0906040136q1a2340f3v4ae083e25658e253@mail.gmail.com> <4dd1b3eb0906090246h33974233n6ea09fe36f071bbd@mail.gmail.com>
Message-ID: <4A2E6A77.5030008@redhat.com>

tamarin p wrote:
> 2009/6/4 tamarin p
>> 2009/6/3 Chris St. Pierre
>>> On Wed, 3 Jun 2009, tamarin p wrote:
>>>> Hi,
>>>>
>>>> i apologize that i am revisiting this topic yet again but as we found out, double quoted distinguished names are no longer possible in 1.2.0.
>
> Any word on this? should I file a bug in bugzilla for it or just are double quoted dn gone forever?

Please file a bug. But note that the double quoted behavior has been deprecated in LDAP for a long time.
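Rich's point above and the mapping tree entry in Jean-Noël's ldapmodify session (cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config) are two sides of the same issue: the legacy double-quoted RDN value of RFC 1779 versus the backslash-escaped form RFC 4514 requires. As an added example (not code from the thread or from 389 DS), the Python below splits a DN written in either form, flags RDN values that still use quoting, and rewrites them into escaped form; the sample DNs are taken from the thread.

```python
"""Normalize legacy double-quoted RDN values into RFC 4514 escaped form.

Added example: handles both the deprecated quoted form (RFC 1779/2253) that
389 DS uses for mapping tree entries and the backslash-escaped form that
current LDAP requires. Sample DNs are the ones from the thread.
"""
from typing import List, Tuple

# Characters RFC 4514 section 2.4 requires to be escaped inside a value
# (a leading '#' or space and a trailing space are handled separately).
_SPECIAL = set('"+,;<>\\')


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings.

    A comma separates RDNs unless it is backslash-escaped or sits inside a
    double-quoted value, so both forms of the mapping tree DN split into
    three RDNs.
    """
    rdns: List[str] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape pair verbatim; it is never a separator.
            buf.append(ch)
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            rdns.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote in DN")
    rdns.append("".join(buf).strip())
    return rdns


def split_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'type=value' at the first '='; the value keeps its raw form."""
    if "=" not in rdn:
        raise ValueError(f"RDN without '=': {rdn!r}")
    attr, value = rdn.split("=", 1)
    return attr.strip(), value.strip()


def is_quoted(value: str) -> bool:
    """True for the deprecated '"..."' value form."""
    return len(value) >= 2 and value[0] == '"' and value[-1] == '"'


def escape_value(plain: str) -> str:
    """Backslash-escape a plain (unquoted, unescaped) value per RFC 4514."""
    out: List[str] = []
    last = len(plain) - 1
    for idx, ch in enumerate(plain):
        needs_escape = (
            ch in _SPECIAL
            or (idx == 0 and ch in "# ")
            or (idx == last and ch == " ")
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def normalize_value(value: str) -> str:
    """Rewrite a quoted value into escaped form; leave escaped values alone."""
    if not is_quoted(value):
        return value
    # Inside quotes only '\"' and '\\' were escape sequences; undo them
    # before re-escaping the whole value.
    plain = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return escape_value(plain)


def normalize_dn(dn: str) -> str:
    """Return the DN with every quoted RDN value rewritten to RFC 4514 form."""
    parts = [split_rdn(rdn) for rdn in split_dn(dn)]
    return ",".join(f"{attr}={normalize_value(value)}" for attr, value in parts)


def uses_quoted_values(dn: str) -> bool:
    """True if any RDN in the DN still uses the deprecated quoted form."""
    return any(is_quoted(value) for _, value in map(split_rdn, split_dn(dn)))


if __name__ == "__main__":
    # DN from the thread's mapping tree entry (legacy quoted form).
    legacy = 'cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config'
    print(uses_quoted_values(legacy))  # True
    print(normalize_dn(legacy))  # cn=dc=ad\,dc=dr15\,dc=cnrs\,dc=fr,cn=mapping tree,cn=config
```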
From rmeggins at redhat.com Tue Jun 9 13:59:40 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jun 2009 07:59:40 -0600
Subject: [389-users] Problem to create a root entry
In-Reply-To: <4A2E3D7A.4030301@dr15.cnrs.fr>
References: <4A2E3D7A.4030301@dr15.cnrs.fr>
Message-ID: <4A2E6ACC.2010506@redhat.com>

jean-Noël Chardron wrote:
> hello,
>
> On a fresh install of a 389 directory server on fedora 10, I tried to create a root entry as described in the book Administration of Redhat Directory Server
>
> I tried some possibilities with directory console or command line, the behavior is hazardous:
>
> in command line i tried this below, but the branch dc=ad,... doesn't appear in the directory console
>
> [root at aragon db]# ldapmodify -a -x -D "cn=directory manager" -w secret
>
> dn: cn=adData,cn=ldbm database,cn=plugins,cn=config
> objectclass: extensibleObject
> objectclass: nsBackendInstance
> nsslapd-suffix: dc=ad,dc=dr15,dc=cnrs,dc=fr
>
> adding new entry "cn=adData,cn=ldbm database,cn=plugins,cn=config"
>
> dn: cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsMappingTree
> nsslapd-state: backend
> nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr"
> nsslapd-backend: adData
> cn: dc=ad,dc=dr15,dc=cnrs,dc=fr
>
> adding new entry "cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config"
>
> but the branch dc=ad,dc=dr15,dc=cnrs,dc=fr doesn't appear in the directory console
>
> If I omit the parent (nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr") and I create an independent branch, the new root suffix (dc=ad,dc=dr15,dc=cnrs,dc=fr) appears in the directory console but in the tab "directory" I cannot create the new root Object
>
> In fact my original problem is that I am never able to create a new root object in the Directory under the root suffix
> dc=dr15,dc=cnrs,dc=fr even after creating the database. In the directory console the link 'New Root Object' is not active, so I cannot create the root object "dc=ad,dc=dr15,dc=cnrs,dc=fr"
>
> Can somebody tell me what is wrong or misconfigured

This is one of the only operations the console admin cannot do. You must log into the console as cn=directory manager in order to create a root entry.

> Thanks
>
> jnc

From rmeggins at redhat.com Tue Jun 9 14:02:13 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jun 2009 08:02:13 -0600
Subject: [389-users] error: failed to install local copy of fedora-ds-1.1.jar
In-Reply-To: <4A2E6991.3010408@jatymy.org>
References: <4A2E6991.3010408@jatymy.org>
Message-ID: <4A2E6B65.7080207@redhat.com>

lejeczek wrote:
> hi everybody,
> error is from idm console, rpms are as follows:
> fedora-ds-base-1.2.0-4.fc9.x86_64
> fedora-ds-dsgw-1.1.2-1.fc9.x86_64
> fedora-ds-base-devel-1.2.0-4.fc9.x86_64
> fedora-ds-console-1.2.0-1.fc9.noarch
> fedora-ds-admin-1.1.7-3.fc9.x86_64
> fedora-ds-admin-console-1.1.3-1.fc9.noarch
>
> and yet, even if I delete ~/.fedora-idm-console and start console, I can connect to admin servers but not to ds, and when above folder gets created anew after manual deletion, files are actually copied from, I guess, /usr/share/dirsrv/html/java/ and not linked as they used to be; linking would be better - not?

Not. The console is designed to manage remote servers - each server version has its own jar file version.
The console figures out which jar file it needs to manage which server, and requests that jar file to be downloaded from the admin server and installed in your local ~/.fedora-idm-console directory.

> and this version numbering nomenclature is a bit messy; there in ~/.fedo... should be fedora-{ds,admin} linked to the correct versions in /usr/share/dirsrv/html/java/
>
> so my call for help is - what is missing? I rpm'ed the above packages but it did not help. i can copy files by hand but I expect it to work out of the box - no?

The way it works is that you start the console and select which server you want to manage. The console is supposed to automatically detect, download, and install the correct jar file.

> cheers everybody

From chris at untrepid.com Tue Jun 9 14:36:10 2009
From: chris at untrepid.com (Chris Phillips)
Date: Tue, 9 Jun 2009 15:36:10 +0100
Subject: [389-users] DSA unwilling to process update / Viewing contents of replication updates
Message-ID: <3e4e5d790906090736h638a5518hb344ba79bfc940d7@mail.gmail.com>

Hi,

I've a cluster of boxes with replication from two multimasters to 6 read only replicas. There appears to be a problem in the replication in that the error logs state that the DSA is unwilling to process updates for a specific user account, so the replication status in the idm just stays at saying it started rather than completed.
I could just delete the account and recreate it, but as it's unfortunately *my* account (and is in this state *possibly* because I was messing with the resetpasswordretrytime field (or something very similarly named) which I get the impression is treated differently to other fields) I'd like to avoid deleting the account.

To this end I'm hoping a suitable solution is to remove whatever the change is that is trying to be pushed across, but I can't see any way with SSL replication to see what the actual attributes it doesn't like are. Any way to pull this straight out with ldapsearch or something? Any tips for elegantly troubleshooting this in a heavily locked down environment would be appreciated.

Thanks

Chris

From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jun 9 14:42:06 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (=?ISO-8859-1?Q?jean-No=EBl_Chardron?=)
Date: Tue, 09 Jun 2009 16:42:06 +0200
Subject: [389-users] Problem to create a root entry
In-Reply-To: <4A2E6ACC.2010506@redhat.com>
References: <4A2E3D7A.4030301@dr15.cnrs.fr> <4A2E6ACC.2010506@redhat.com>
Message-ID: <4A2E74BE.2020703@dr15.cnrs.fr>

hello,

Rich Megginson wrote:
> jean-Noël Chardron wrote:
>> hello,
>>
>> On a fresh install of a 389 directory server on fedora 10, I tried to create a root entry as described in the book Administration of Redhat Directory Server
>>
>> I tried some possibilities with directory console or command line, the behavior is hazardous:
>>
>> in command line i tried this below, but the branch dc=ad,...
>> doesn't appear in the directory console
>>
>> [root at aragon db]# ldapmodify -a -x -D "cn=directory manager" -w secret
>>
>> dn: cn=adData,cn=ldbm database,cn=plugins,cn=config
>> objectclass: extensibleObject
>> objectclass: nsBackendInstance
>> nsslapd-suffix: dc=ad,dc=dr15,dc=cnrs,dc=fr
>>
>> adding new entry "cn=adData,cn=ldbm database,cn=plugins,cn=config"
>>
>> dn: cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> objectclass: nsMappingTree
>> nsslapd-state: backend
>> nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr"
>> nsslapd-backend: adData
>> cn: dc=ad,dc=dr15,dc=cnrs,dc=fr
>>
>> adding new entry "cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config"
>>
>> but the branch dc=ad,dc=dr15,dc=cnrs,dc=fr doesn't appear in the directory console
>>
>> If I omit the parent (nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr") and I create an independent branch, the new root suffix (dc=ad,dc=dr15,dc=cnrs,dc=fr) appears in the directory console but in the tab "directory" I cannot create the new root Object
>>
>> In fact my original problem is that I am never able to create a new root object in the Directory under the root suffix dc=dr15,dc=cnrs,dc=fr even after creating the database. In the directory console the link 'New Root Object' is not active, so I cannot create the root object "dc=ad,dc=dr15,dc=cnrs,dc=fr"
>>
>> Can somebody tell me what is wrong or misconfigured
> This is one of the only operations the console admin cannot do. You must log into the console as cn=directory manager in order to create a root entry.

I am logging into the console as cn=directory manager !!
(I suppose the console is started by the application "fedora-idm-console". I write in the Management Console: the User ID (cn=Directory Manager), the password (of course) and the Administration URL (http://localhost:9830).)
Is there another way to log in?
>> Thanks
>>
>> jnc

--
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers
BP 105
33402 TALENCE - FRANCE
tel: (33) 5.57.35.58.41
fax: (33) 5.57.35.58.01
MSN: jnc at dr15.cnrs.fr

From rmeggins at redhat.com Tue Jun 9 15:02:29 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jun 2009 09:02:29 -0600
Subject: [389-users] Problem to create a root entry
In-Reply-To: <4A2E74BE.2020703@dr15.cnrs.fr>
References: <4A2E3D7A.4030301@dr15.cnrs.fr> <4A2E6ACC.2010506@redhat.com> <4A2E74BE.2020703@dr15.cnrs.fr>
Message-ID: <4A2E7985.9040004@redhat.com>

jean-Noël Chardron wrote:
> hello,
>
> Rich Megginson wrote:
>> jean-Noël Chardron wrote:
>>> hello,
>>>
>>> On a fresh install of a 389 directory server on fedora 10, I tried to create a root entry as described in the book Administration of Redhat Directory Server
>>>
>>> I tried some possibilities with directory console or command line, the behavior is hazardous:
>>>
>>> in command line i tried this below, but the branch dc=ad,...
>>> doesn't appear in the directory console
>>>
>>> [root at aragon db]# ldapmodify -a -x -D "cn=directory manager" -w secret
>>>
>>> dn: cn=adData,cn=ldbm database,cn=plugins,cn=config
>>> objectclass: extensibleObject
>>> objectclass: nsBackendInstance
>>> nsslapd-suffix: dc=ad,dc=dr15,dc=cnrs,dc=fr
>>>
>>> adding new entry "cn=adData,cn=ldbm database,cn=plugins,cn=config"
>>>
>>> dn: cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config
>>> objectclass: top
>>> objectclass: extensibleObject
>>> objectclass: nsMappingTree
>>> nsslapd-state: backend
>>> nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr"
>>> nsslapd-backend: adData
>>> cn: dc=ad,dc=dr15,dc=cnrs,dc=fr
>>>
>>> adding new entry "cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config"
>>>
>>> but the branch dc=ad,dc=dr15,dc=cnrs,dc=fr doesn't appear in the directory console
>>>
>>> If I omit the parent (nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr") and I create an independent branch, the new root suffix (dc=ad,dc=dr15,dc=cnrs,dc=fr) appears in the directory console but in the tab "directory" I cannot create the new root Object
>>>
>>> In fact my original problem is that I am never able to create a new root object in the Directory under the root suffix dc=dr15,dc=cnrs,dc=fr even after creating the database. In the directory console the link 'New Root Object' is not active, so I cannot create the root object "dc=ad,dc=dr15,dc=cnrs,dc=fr"
>>>
>>> Can somebody tell me what is wrong or misconfigured
>> This is one of the only operations the console admin cannot do. You must log into the console as cn=directory manager in order to create a root entry.
>
> I am logging into the console as cn=directory manager !!
> (I suppose the console is started by the application "fedora-idm-console". I write in the Management Console: the User ID (cn=Directory Manager), the password (of course) and the Administration URL (http://localhost:9830).)
> Is there another way to log in?

Sure, you can use ldapmodify to add the entry. It appears to be a bug that you cannot add the root entry for a sub-suffix using the console.

>>> Thanks
>>>
>>> jnc

From rmeggins at redhat.com Tue Jun 9 15:06:41 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jun 2009 09:06:41 -0600
Subject: [389-users] DSA unwilling to process update / Viewing contents of replication updates
In-Reply-To: <3e4e5d790906090736h638a5518hb344ba79bfc940d7@mail.gmail.com>
References: <3e4e5d790906090736h638a5518hb344ba79bfc940d7@mail.gmail.com>
Message-ID: <4A2E7A81.8050300@redhat.com>

Chris Phillips wrote:
> Hi,
>
> I've a cluster of boxes with replication from two multimasters to 6 read only replicas. There appears to be a problem in the replication in that the error logs state that the DSA is unwilling to process updates for a specific user account, so the replication status in the idm just stays at saying it started rather than completed.
> I could
> just delete the account and recreate it, but as it's unfortunately
> *my* account (and is in this state *possibly* because I was messing
> with the resetpasswordretrytime field (or something very similarly
> named) which I get the impression is treated differently to other
> fields) I'd like to avoid deleting the account.
>
> To this end I'm hoping a suitable solution is to remove whatever the
> change is that is trying to be pushed across, but I can't see any way
> with SSL replication to see what the actual attributes it doesn't like
> are. Any way to pull this straight out with ldapsearch or something?
> Any tips for elegantly troubleshooting this in a heavily locked down
> environment would be appreciated.

Yes, it probably has to do with one of those password related operational attributes. There are a couple of ways to handle this
1) change your replication agreement to exclude the attributes passwordRetryCount, retryCountResetTime, and accountUnlockTime - you do this by adding these attributes to be excluded in fractional replication - you should be able to modify your existing replication agreements to exclude these
2) add the attribute passwordIsGlobalPolicy in cn=config to "on" on your servers - this will allow those attributes to be replicated

> Thanks
>
> Chris
From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jun 9 15:20:34 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Tue, 09 Jun 2009 17:20:34 +0200
Subject: [389-users] Problem to create a root entry
In-Reply-To: <4A2E7985.9040004@redhat.com>
References: <4A2E3D7A.4030301@dr15.cnrs.fr> <4A2E6ACC.2010506@redhat.com> <4A2E74BE.2020703@dr15.cnrs.fr> <4A2E7985.9040004@redhat.com>
Message-ID: <4A2E7DC2.70909@dr15.cnrs.fr>

Rich Megginson wrote:
> jean-Noël Chardron wrote:
>> hello,
>>
>> Rich Megginson wrote:
>>> jean-Noël Chardron wrote:
>>>> hello,
>>>>
>>>> On a fresh install of a 389 directory server on fedora 10, I tried
>>>> to create a root entry as described in the book Administration of
>>>> Redhat Directory Server
>>>>
>>>> I tried some possibilities with directory console or command line,
>>>> the behavior is hazardous :
>>>>
>>>> in command line i tried this below, but the branch dc=ad,...
>>>> doesn't appear in the directory console >>>> >>>> [root at aragon db]# ldapmodify -a -x -D "cn=directory manager" -w >>>> secret >>>> >>>> dn: cn=adData,cn=ldbm database,cn=plugins,cn=config >>>> objectclass: extensibleObject >>>> objectclass: nsBackendInstance >>>> nsslapd-suffix: dc=ad,dc=dr15,dc=cnrs,dc=fr >>>> >>>> adding new entry "cn=adData,cn=ldbm database,cn=plugins,cn=config" >>>> >>>> dn: cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config >>>> objectclass: top >>>> objectclass: extensibleObject >>>> objectclass: nsMappingTree >>>> nsslapd-state: backend >>>> nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr" >>>> nsslapd-backend: adData >>>> cn: dc=ad,dc=dr15,dc=cnrs,dc=fr >>>> >>>> adding new entry "cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping >>>> tree,cn=config" >>>> >>>> but the branch dc=ad,dr=15,dc=cnrs,dc=fr doesn't appear in the >>>> directory console >>>> >>>> If I ommit the parent (nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr") >>>> and i create a independant branch, the new root suffix >>>> (dc=ad,dc=dr15,dc=cnrs,dc=fr) appear in the directory console but >>>> in the tab "directory" I cannot >>>> create the new root Object >>>> >>>> In fact my original problem is that I am never able to create a new >>>> root >>>> object in the Directory under the root sufix dc=dr15,dc=cnrs,dc=fr >>>> even after creating the database. In the directory console the link >>>> 'New Root Object' is not active, then I cannot create the root >>>> object "dc=ad,dc=dr15,dc=cnrs,dc=fr" >>>> >>>> Can somebody tell me what is wrong or misconfigured >>> This is one of the only operations the console admin cannot do. You >>> must log into the console as cn=directory manager in order to create >>> a root entry. >> >> I am loging into the console as cn=directory manager !! 
>> (I suppose the console is started by the application
>> "fedora-idm-console"
>> I write in the Management Console : the User ID (cn=Directory
>> Manager) the password (of course) and the Administration URL :
>> (http://localhost:9830 )
>> Is there another way to log in?
> Sure, you can use ldapmodify to add the entry.
>
I tried it according to chapter 2.2.2 in the book Redhat directory server but I get an error :

# ldapmodify -a -x -D "cn=directory manager" -w password
dn: dc=ad,dc=dr15,dc=cnrs,dc=fr
objectClass: domain

adding new entry "dc=ad,dc=dr15,dc=cnrs,dc=fr objectClass: domain"
ldap_add: No such object (32)

then I tried :

dn: dc=ad,dc=dr15,dc=cnrs,dc=fr
objectClass: domain
objectclass: top
dc: ad

adding new entry "dc=ad,dc=dr15,dc=cnrs,dc=fr"
ldap_add: Object class violation (65)
additional info: unknown object class "top "

(remove the trailing spaces)

then :

dn: dc=ad,dc=dr15,dc=cnrs,dc=fr
objectClass: domain
dc: ad

adding new entry "dc=ad,dc=dr15,dc=cnrs,dc=fr"

Oh great, it's working thanks,
Ok now I'm going to do a replica of Active Directory, maybe other bugs ...
> It appears to be a bug that you cannot add the root entry for a
> sub-suffix using the console.
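The three ldapmodify attempts above each fail for a different, easily checked reason. The Python linter below is an added example, not code from the thread or from 389 DS: it parses an LDIF add the way ldapmodify does (a line beginning with a space continues the previous line, which is how "objectClass: domain" ended up inside the DN of the first attempt and drew No such object (32)), flags trailing whitespace in values (the "top " of the second attempt, error 65), checks that the DN sits under a configured suffix, and checks that the RDN attribute is present in the entry (RFC 4512 requires dc: ad for dn: dc=ad,...). The suffix list and the three sample records are constructed from the thread.

```python
"""Lint an LDIF add before handing it to ldapmodify.

Added example, not code from the thread or from 389 DS. It catches the
three things that went wrong above: a line folded into the DN (in LDIF a
line starting with a space continues the previous line), trailing
whitespace inside a value ('top '), and an entry that lacks its own RDN
attribute. The suffix list and the sample records are constructed.
"""
import base64
import re


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...], applying RFC 2849 line folding
    and base64 ('attr:: ...') decoding. Trailing whitespace in values is
    deliberately kept so the linter can see it."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # continuation: one leading space is dropped
            else:
                lines.append(raw)
        dn, attrs = None, []
        for line in lines:
            name, sep, rest = line.partition(":")
            if not sep:
                raise ValueError("not an LDIF line: %r" % line)
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest[1:] if rest.startswith(" ") else rest
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn is None:
            raise ValueError("record without dn")
        records.append((dn, attrs))
    return records


def normalize_dn(dn):
    return re.sub(r",\s*", ",", dn.strip()).lower()


def lint_add(dn, attrs, suffixes):
    """Problems the server would reject this add for, as readable strings."""
    problems = []
    if re.search(r"\s\w+:\s", dn):
        problems.append("dn contains 'attr: value' text: a leading space folds the next line into the dn")
    for name, value in attrs:
        if value != value.rstrip():
            problems.append("%s: value %r has trailing whitespace, which the server keeps as part of the value" % (name, value))
    ndn = normalize_dn(dn)
    if not any(ndn == normalize_dn(s) or ndn.endswith("," + normalize_dn(s)) for s in suffixes):
        problems.append("dn is under none of the configured suffixes: expect No such object (32)")
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    if not any(n.lower() == rdn_attr.strip().lower() and v.strip() == rdn_value.strip() for n, v in attrs):
        problems.append("naming attribute %s=%s is not present in the entry" % (rdn_attr.strip(), rdn_value.strip()))
    return problems


def lint_ldif(text, suffixes):
    return [(dn, lint_add(dn, attrs, suffixes)) for dn, attrs in parse_ldif(text)]


SUFFIXES = ["dc=dr15,dc=cnrs,dc=fr"]     # the root suffix from the thread

# The three attempts from the thread, reconstructed.
SAMPLE_LDIF = "\n".join([
    "dn: dc=ad,dc=dr15,dc=cnrs,dc=fr",
    "  objectClass: domain",             # leading spaces: folded into the dn line
    "",
    "dn: dc=ad,dc=dr15,dc=cnrs,dc=fr",
    "objectClass: domain",
    "objectclass: top" + " ",            # the stray trailing space
    "dc: ad",
    "",
    "dn: dc=ad,dc=dr15,dc=cnrs,dc=fr",
    "objectClass: domain",
    "dc: ad",
])

if __name__ == "__main__":
    for dn, problems in lint_ldif(SAMPLE_LDIF, SUFFIXES):
        print(dn, "->", problems or "ok")
```

Run it against your own LDIF with your suffixes in SUFFIXES; an add that passes the four checks can still fail on schema, but it will not fail for the reasons seen in this thread.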
>>>> Thanks
>>>>
>>>> jnc

--
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers
BP 105 33402 TALENCE - FRANCE
tél : (33) 5.57.35.58.41
fax : (33) 5.57.35.58.01
MSN : jnc at dr15.cnrs.fr

From chris at untrepid.com Tue Jun 9 16:01:20 2009
From: chris at untrepid.com (Chris Phillips)
Date: Tue, 9 Jun 2009 17:01:20 +0100
Subject: [389-users] DSA unwilling to process update / Viewing contents of replication updates
In-Reply-To: <4A2E7A81.8050300@redhat.com>
References: <3e4e5d790906090736h638a5518hb344ba79bfc940d7@mail.gmail.com> <4A2E7A81.8050300@redhat.com>
Message-ID: <3e4e5d790906090901n438f25e3vbdc12f4f2453e7d7@mail.gmail.com>

On Tue, Jun 9, 2009 at 4:06 PM, Rich Megginson wrote:
> Chris Phillips wrote:
>
>> Hi,
>>
>> I've a cluster of boxes with replication from two multimasters to 6 read
>> only replicas. There appears to be a problem in the replication in that the
>> error logs state that the DSA is unwilling to process updates for a specific
>> user account, so the replication status in the idm just stays at saying it
>> started rather than completed.
I could just delete the account and recreate >> it, but as it's unfortunately *my* account (and is in this state *possibly* >> because I was messing with the resetpasswordretrytime field (or something >> very similarly named) which I get the impression is treated differently to >> other fields) I'd like to avoid deleting the account. >> >> To this end I'm hoping a suitable solution is to remove whatever the >> change is that is trying to be pushed across, but I can't see any way with >> SSL replication to see what the actual attributes it doesn't like are. Any >> way to pull this straight out with ldapsearch or something? Any tips for >> elegantly troubleshooting this in a heavily locked down environment would be >> appreciated. >> > > Yes, it probably has to do with one of those password related operational > attributes. There are a couple of ways to handle this > 1) change your replication agreement to exclude the attributes > passwordRetryCount, retryCountResetTime, and accountUnlockTime - you do this > by adding these attributes to be excluded in fractional replication - you > should be able to modify your existing replication agreements to exclude > these > 2) add the attribute passwordIsGlobalPolicy in cn=config to "on" on your > servers - this will allow those attributes to be replicated This seems to fit in exactly, thanks. If I set this value on a read only replica, what will happen if it is locked out on that replica? Presumably despite this setting that can't get replicated back up to the multimasters? As an alternative to changing the policy, can I manually undo these changes? TBH I'm not too clued up on what triggers an attribute like this to be chosen to be replicated in the first place, if it's a hidden timestamp or such. Thanks Chris -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Tue Jun 9 16:05:50 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 09 Jun 2009 10:05:50 -0600 Subject: [389-users] DSA unwilling to process update / Viewing contents of replication updates In-Reply-To: <3e4e5d790906090901n438f25e3vbdc12f4f2453e7d7@mail.gmail.com> References: <3e4e5d790906090736h638a5518hb344ba79bfc940d7@mail.gmail.com> <4A2E7A81.8050300@redhat.com> <3e4e5d790906090901n438f25e3vbdc12f4f2453e7d7@mail.gmail.com> Message-ID: <4A2E885E.1080304@redhat.com> Chris Phillips wrote: > > > On Tue, Jun 9, 2009 at 4:06 PM, Rich Megginson > wrote: > > Chris Phillips wrote: > > Hi, > > I've a cluster of boxes with replication form two multimasters > to 6 read only replicas. There appears to be a problem in the > replication in that the error logs state that the DSA is > unwilling to process updates for a specific user account, so > the replication status in the idm just stays at saying it > started rather than completed. I could just delete the account > and recreate it, but as it's unfortunately *my* account (and > is in this state *possibly* because I was messing with the > resetpasswordretrytime field (or something very similarly > named) which I get the impression is treated differently to > other fields) I'd like to avoid deleting the account. > > To this end I'm hoping a suitable solution is to remove > whatever the change is that is trying to be pushed across, but > I can't see any way with SSL replication to see what the > actual attributes it doesn't like are. Any way to pull this > straight out with ldapsearch or something? Any tips for > elegantly troubleshooting this in a heavily locked down > environment would be appreciated. > > > Yes, it probably has to do with one of those password related > operational attributes. 
> There are a couple of ways to handle this
> 1) change your replication agreement to exclude the attributes
> passwordRetryCount, retryCountResetTime, and accountUnlockTime -
> you do this by adding these attributes to be excluded in
> fractional replication - you should be able to modify your
> existing replication agreements to exclude these
> 2) add the attribute passwordIsGlobalPolicy in cn=config to "on"
> on your servers - this will allow those attributes to be replicated
>
>
> This seems to fit in exactly, thanks. If I set this value on a read
> only replica, what will happen if it is locked out on that replica?
> Presumably despite this setting that can't get replicated back up to
> the multimasters?

Correct. You can set up chain on update to have "global" lockout - see http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate

> As an alternative to changing the policy, can I manually undo these
> changes? TBH I'm not too clued up on what triggers an attribute like
> this to be chosen to be replicated in the first place, if it's a
> hidden timestamp or such.

Yes. Those attributes are operational attributes - you have to ask for them explicitly in the ldapsearch request. You should be able to set them manually as directory manager. But for now, the problem is that the changes are in the changelog and the server is attempting to replicate them. I suggest setting the isglobal attribute in the replica, allowing the change, then disabling the replication of those attributes and disabling global policy.
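Both of Rich's answers above turn on three operational attributes and two configuration changes. The Python below is an added example, not code from the thread or from 389 DS, and it serves both answers: it shows the ldapsearch that reveals the attributes (they are operational, so they must be named in the request), a simplified reading of the lockout state from their values, and the LDIF for the two remedies, the fractional-replication EXCLUDE list on the agreement and passwordIsGlobalPolicy on cn=config. The agreement DN, user DN, timestamps and search output are assumed or constructed values. A manual reset as directory manager is itself a modify that enters the changelog and meets the same replication rules, which is why the order Rich suggests matters.

```python
"""Work with the password-lockout operational attributes discussed above.

Added example, not code from the thread or from 389 DS. passwordRetryCount,
retryCountResetTime and accountUnlockTime are operational attributes, so
ldapsearch returns them only when they are named in the request. The two
remedies given above are produced as LDIF for ldapmodify. The agreement DN,
user DN, timestamps and search output are assumed/constructed values.
"""
from datetime import datetime, timezone

LOCKOUT_ATTRS = ("passwordRetryCount", "retryCountResetTime", "accountUnlockTime")


def search_command(user_dn):
    """The ldapsearch that actually shows the lockout state of one entry."""
    return ('ldapsearch -x -D "cn=directory manager" -W -b "%s" -s base '
            '"(objectclass=*)" %s' % (user_dn, " ".join(LOCKOUT_ATTRS)))


def parse_search_output(text):
    """Turn 'attr: value' lines from ldapsearch into a dict (one value per attribute)."""
    entry = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            entry[name.strip()] = value.strip()
    return entry


def generalized_time(value):
    """389 DS writes these timestamps as GeneralizedTime in UTC, e.g. 20090609163000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_state(entry, now):
    """Simplified model of what the server derives from the three attributes.

    Locked while accountUnlockTime lies in the future; the retry count is
    stale once retryCountResetTime has passed. A policy with passwordUnlock
    off never unlocks by itself, which this model does not cover.
    """
    count = int(entry.get("passwordRetryCount", "0"))
    reset = entry.get("retryCountResetTime")
    if reset and generalized_time(reset) <= now:
        count = 0
    unlock = entry.get("accountUnlockTime")
    locked = bool(unlock) and generalized_time(unlock) > now
    remaining = int((generalized_time(unlock) - now).total_seconds()) if locked else 0
    return {"locked": locked, "retry_count": count, "unlock_in_seconds": remaining}


def exclude_from_agreement_ldif(agreement_dn, attrs=LOCKOUT_ATTRS):
    """Fractional replication: stop shipping the named attributes over this agreement."""
    return ("dn: %s\nchangetype: modify\nreplace: nsDS5ReplicatedAttributeList\n"
            "nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE %s\n"
            % (agreement_dn, " ".join(attrs)))


def global_policy_ldif(enabled):
    """Toggle passwordIsGlobalPolicy; 'on' lets the lockout attributes replicate."""
    return ("dn: cn=config\nchangetype: modify\nreplace: passwordIsGlobalPolicy\n"
            "passwordIsGlobalPolicy: %s\n" % ("on" if enabled else "off"))


# Constructed ldapsearch output for an account that failed three binds.
SAMPLE_OUTPUT = """\
dn: uid=chris,ou=People,dc=example,dc=com
passwordRetryCount: 3
retryCountResetTime: 20090609162000Z
accountUnlockTime: 20090609163000Z
"""
# Assumed agreement DN: suffix and agreement name are placeholders.
AGREEMENT_DN = 'cn=to-replica1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
# Clock values for the walk-through: the time of the reply above, and an hour later.
NOW = datetime(2009, 6, 9, 16, 5, 50, tzinfo=timezone.utc)
LATER = NOW.replace(hour=17)

if __name__ == "__main__":
    print(search_command("uid=chris,ou=People,dc=example,dc=com"))
    print(lockout_state(parse_search_output(SAMPLE_OUTPUT), NOW))
    print(exclude_from_agreement_ldif(AGREEMENT_DN))
    print(global_policy_ldif(True))
```

Feed the two LDIF strings to ldapmodify as directory manager; the EXCLUDE list replaces any existing nsDS5ReplicatedAttributeList on the agreement, so merge in attributes you already exclude.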
From dweintraub+fds at vecna.com Tue Jun 9 20:20:15 2009
From: dweintraub+fds at vecna.com (Dan Weintraub)
Date: Tue, 09 Jun 2009 16:20:15 -0400
Subject: [389-users] Problems with replication over SSL
Message-ID: <4A2EC3FF.7000901@vecna.com>

Hi all,

I'm trying to set up replication over SSL and am running into problems. I first tried it unencrypted and all worked fine. I then copied over the consumer's CA certificate and set up replication with SSL and Simple Authentication. It doesn't work and I now get the following errors:

When I set it up:
supplier error log:
[01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)

these appear thereafter:
consumer access log:
[01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from 10.1.1.100 to 10.1.1.101
[01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 (Protocol error) - B1

consumer error log:
[01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag 0x80, expected 0x30)

Versions:
Supplier:
fedora-ds-1.1.2-1.fc6
fedora-ds-dsgw-1.1.1-1.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-admin-1.1.6-1.fc6
fedora-ds-admin-console-1.1.2-1.fc6
fedora-ds-console-1.1.2-1.fc6

Consumer:
fedora-ds-admin-1.1.7-3.fc6
fedora-ds-admin-console-1.1.3-1.fc6
fedora-ds-base-1.2.0-2.fc6
fedora-ds-dsgw-1.1.2-1.fc6
fedora-ds-console-1.2.0-1.fc6
fedora-ds-1.1.3-1.fc6

I'm at a loss as to how to proceed with troubleshooting and would appreciate any suggestions.
Thanks,
Dan Weintraub

From rmeggins at redhat.com Tue Jun 9 20:36:02 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Jun 2009 14:36:02 -0600
Subject: [389-users] Problems with replication over SSL
In-Reply-To: <4A2EC3FF.7000901@vecna.com>
References: <4A2EC3FF.7000901@vecna.com>
Message-ID: <4A2EC7B2.6060808@redhat.com>

Dan Weintraub wrote:
> Hi all,
>
> I'm trying to setup replication over ssl and am running into problems. I
> first tried it unencrypted and all worked fine. I then copied over the
> consumer's CA certificate and set up replication with SSL and Simple
> Authentication. It doesn't work and I now get the following errors:
>
> When I set it up:
> supplier error log:
> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One"
> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP
> server), Netscape Portable Runtime error -5938 (Encountered end of file.)
>
> these appear thereafter:
> consumer access log:
> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from
> 10.1.1.100 to 10.1.1.101
> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71
> (Protocol error) - B1
>
> consumer error log:
> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag
> 0x80, expected 0x30)

Looks like an attempt to use SSL on the non-SSL port (port 389)

> Versions:
> Supplier:
> fedora-ds-1.1.2-1.fc6
> fedora-ds-dsgw-1.1.1-1.fc6
> fedora-ds-base-1.1.3-2.fc6
> fedora-ds-admin-1.1.6-1.fc6
> fedora-ds-admin-console-1.1.2-1.fc6
> fedora-ds-console-1.1.2-1.fc6
>
> Consumer:
> fedora-ds-admin-1.1.7-3.fc6
> fedora-ds-admin-console-1.1.3-1.fc6
> fedora-ds-base-1.2.0-2.fc6
> fedora-ds-dsgw-1.1.2-1.fc6
> fedora-ds-console-1.2.0-1.fc6
> fedora-ds-1.1.3-1.fc6
>
> I'm at a loss as to how to proceed with troubleshooting and would
> appreciate any suggestions.
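Rich's reading of the consumer log (an SSL handshake arriving on the cleartext port) can be turned into a check. The Python below is an added example, not code from the thread or from 389 DS: it parses the supplier-side bind failure and the consumer-side "non-LDAP message" line, classifies the first byte the listener saw (0x30 is the BER SEQUENCE tag every LDAP message starts with; a byte with the high bit set, such as the 0x80 logged here, is the header of an SSLv2-compatible ClientHello), and also recognises the issuer-not-trusted error (-8172) that Dan reports later in the thread once the port is corrected. The log lines are constructed from the ones quoted above, and the instance name in the certutil hint is a placeholder.

```python
"""Triage replication-over-SSL bind failures from 389/Fedora DS log lines.

Added example, not code from the thread or from 389 DS. It parses the
supplier-side NSMMReplicationPlugin bind error and the consumer-side
'non-LDAP message' line and maps them to the two causes that surface in
the thread: an SSL handshake sent to the cleartext LDAP port, and a
consumer CA certificate the supplier's NSS database does not trust.
The sample lines are constructed from the ones quoted above; the instance
name in the certutil hint is a placeholder.
"""
import re

SUPPLIER_RE = re.compile(
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\): Simple bind failed, '
    r"LDAP sdk error (?P<sdk>-?\d+) .*?Netscape Portable Runtime error (?P<nspr>-?\d+)"
)
CONSUMER_RE = re.compile(
    r"conn=(?P<conn>\d+) received a non-LDAP message \(tag 0x(?P<tag>[0-9a-fA-F]{2}), expected 0x30\)"
)

CLEARTEXT_LDAP_PORT = 389
NSPR_END_OF_FILE = -5938        # PR_END_OF_FILE_ERROR: peer closed during the handshake
NSPR_UNTRUSTED_ISSUER = -8172   # SEC_ERROR_UNTRUSTED_ISSUER

HINTS = {
    "ssl-on-cleartext-port": "the agreement targets the plain LDAP port; point it at the "
                             "consumer's LDAPS port (636 by default) with SSL enabled",
    "untrusted-issuer": "import the consumer's CA into the supplier's NSS database, e.g. "
                        "certutil -A -d /etc/dirsrv/slapd-INSTANCE -n 'consumer CA' -t 'CT,,' -i ca.pem",
    "sslv2-hello": "the client started an SSL handshake on a port that expects cleartext LDAP",
}


def classify_tag(tag):
    """Classify the first byte an LDAP listener received; 389 DS logs it as 'tag'."""
    if tag == 0x30:
        return "ldap"          # BER SEQUENCE: every LDAPMessage starts with it
    if tag == 0x16:
        return "tls-record"    # TLS record layer, content type handshake
    if tag & 0x80:
        return "sslv2-hello"   # two-byte SSLv2-compatible ClientHello header, high bit set
    return "unknown"


def triage(supplier_lines, consumer_lines):
    """Return (subject, verdict) pairs for every line that matched."""
    findings = []
    for line in supplier_lines:
        m = SUPPLIER_RE.search(line)
        if not m:
            continue
        port, nspr = int(m.group("port")), int(m.group("nspr"))
        if nspr == NSPR_END_OF_FILE and port == CLEARTEXT_LDAP_PORT:
            verdict = "ssl-on-cleartext-port"
        elif nspr == NSPR_UNTRUSTED_ISSUER:
            verdict = "untrusted-issuer"
        else:
            verdict = "nspr%d" % nspr
        findings.append(("agmt=%s -> %s:%d" % (m.group("agmt"), m.group("host"), port), verdict))
    for line in consumer_lines:
        m = CONSUMER_RE.search(line)
        if m:
            findings.append(("conn=%s" % m.group("conn"), classify_tag(int(m.group("tag"), 16))))
    return findings


# Constructed from the lines quoted in the thread.
SUPPLIER_ERRORS = [
    '[01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" (fds:389): Simple bind failed, '
    "LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)",
    '[02/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, '
    "LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8172 "
    "(Peer's certificate issuer has been marked as not trusted by the user.)",
]
CONSUMER_ERRORS = [
    "[01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag 0x80, expected 0x30)",
]

if __name__ == "__main__":
    for subject, verdict in triage(SUPPLIER_ERRORS, CONSUMER_ERRORS):
        print("%-28s %-22s %s" % (subject, verdict, HINTS.get(verdict, "")))
```

Point it at the supplier's errors log and the consumer's errors log; the consumer's access log line "closed error 71 (Protocol error) - B1" for the same conn is the other half of the same symptom.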
From jsullivan at opensourcedevel.com Tue Jun 9 20:46:30 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 09 Jun 2009 16:46:30 -0400
Subject: [389-users] Problems with replication over SSL
In-Reply-To: <4A2EC3FF.7000901@vecna.com>
References: <4A2EC3FF.7000901@vecna.com>
Message-ID: <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
> Hi all,
>
> I'm trying to setup replication over ssl and am running into problems. I
> first tried it unencrypted and all worked fine. I then copied over the
> consumer's CA certificate and set up replication with SSL and Simple
> Authentication. It doesn't work and I now get the following errors:
>
> When I set it up:
> supplier error log:
> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One"
> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP
> server), Netscape Portable Runtime error -5938 (Encountered end of file.)
> > these appear thereafter: > consumer access log: > [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from > 10.1.1.100 to 10.1.1.101 > [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 > (Protocol error) - B1 > > consumer error log: > [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag > 0x80, expected 0x30) > > Versions: > Supplier: > fedora-ds-1.1.2-1.fc6 > fedora-ds-dsgw-1.1.1-1.fc6 > fedora-ds-base-1.1.3-2.fc6 > fedora-ds-admin-1.1.6-1.fc6 > fedora-ds-admin-console-1.1.2-1.fc6 > fedora-ds-console-1.1.2-1.fc6 > > Consumer: > fedora-ds-admin-1.1.7-3.fc6 > fedora-ds-admin-console-1.1.3-1.fc6 > fedora-ds-base-1.2.0-2.fc6 > fedora-ds-dsgw-1.1.2-1.fc6 > fedora-ds-console-1.2.0-1.fc6 > fedora-ds-1.1.3-1.fc6 > > I'm at a loss as to how to proceed with troubleshooting and would > appreciate any suggestions. > > Thanks, > Dan Weintraub Hi, Dan. Here is a snippet from our internal documentation. I apologize that I don't have time to customize it or analyze your issue more deeply but perhaps our findings will help you in your environment. Given Rich's comment, I wonder if you were stung by the same error in documentation we noted below: Go back to the centos-idm-console on ldap1 Go to the Configuration tab, select the userRoot under the Replication object in the left panel. Left/right client and choose New Replication Agreement The name is "mycompany.com ldap1->ldap2" and the Description is "Replicates mycompany.com from ldap1 to ldap2". Click Next. Set the Consumer to ldap2.mycompany.com:389 from the drop down box (389 is correct even though we are really using 636) - Oops! That is not true despite what the documentation says. Click other and create a new entry for ldap2.mycompany.com on port 636. Enable the SSL connection. Enter cn=repuser,cn=config for the Bind As and enter the password. Click Next and then Next again. We will always keep directories in sync so click Next again. 
Choose Initialize Consumer Now and click Next Click Done If you need more details, e.g., about how we set up SSL, I posted most of our internal procedure a day or two ago on this mailing list in response to a post entitled "Developting a CentOS-DS setup". You can find much more detail there. Good luck - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From lejeczek at jatymy.org Wed Jun 10 07:39:49 2009 From: lejeczek at jatymy.org (lejeczek) Date: Wed, 10 Jun 2009 08:39:49 +0100 Subject: [389-users] error: failed to install local copy of fedora-ds-1.1.jar In-Reply-To: <4A2E6B65.7080207@redhat.com> References: <4A2E6991.3010408@jatymy.org> <4A2E6B65.7080207@redhat.com> Message-ID: <4A2F6345.6020201@jatymy.org> yes, this is precisely where/when I get these errors, could there be something wrong(bug) with the way f9(console) figures out what f10(servers) needs/uses? (both f9/10 64bit) (both admin/ds on the same f10 box) it works for admin server (downloading jar) but not for ds servers(above error) thanks Rich. Rich Megginson wrote: > lejeczek wrote: >> hi everybody, >> error is from idm console, rpms are as follows: >> fedora-ds-base-1.2.0-4.fc9.x86_64 >> fedora-ds-dsgw-1.1.2-1.fc9.x86_64 >> fedora-ds-base-devel-1.2.0-4.fc9.x86_64 >> fedora-ds-console-1.2.0-1.fc9.noarch >> fedora-ds-admin-1.1.7-3.fc9.x86_64 >> fedora-ds-admin-console-1.1.3-1.fc9.noarch >> >> and yet, even if I delete ~/.fedora-idm-console and start console, I >> can connect to admin servers but not do ds >> and when above folder gets created anew after manual deleteion files >> actually copied from, I guess, /usr/share/dirsrv/html/java/ >> and not linked as they used to be, linking would be better - not? > Not. The console is designed to manage remote servers - each server > version has its own jar file version. 
> The console figures out which
> jar file it needs to manage which server, and requests that jar file
> to be downloaded from the admin server and installed in your local
> ~/.fedora-idm-console directory.
>> and this numbering versions nomenclature is a bit messy, there in
>> ~/.fedo... should be fedora-{ds,admin} linked to
>> correct versions in /usr/share/dirsrv/html/java/
>
>> so my call for help is - what is missing, I rpm'ed above packages but
>> it did not help
>> i can copy files by hand but I expect it to work out of box - no?
> The way it works is that you start the console and select which server
> you want to manage. The console is supposed to automatically detect,
> download, and install the correct jar file.
>>
>> cheers everybody

From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 10 11:02:09 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Wed, 10 Jun 2009 13:02:09 +0200
Subject: [389-users] Fail to sync with active directory
Message-ID: <4A2F92B1.40504@dr15.cnrs.fr>

hello,

I tried to sync the FDS with Active directory, i follow the instructions read in http://www.linuxmail.info/ad-fds-sync-howto/ except that I create a branch dc=ad and ou=DR15 (organizational unit) (and 2 databases under the root suffix dc=dr15,dc=cnrs,dc=fr)

the FDS is version 1.2.0 and I upgrade this morning from fedora 10 to Fedora 11

I try to synchronise with these parameters :

DS host : aragon.dr15.cnrs.fr , port 389
Windows host : zebigbos.ad.dr15.cnrs.fr , port 636
DS subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
Windows Subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
Replicated Subtree :
ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr I actived the log errors (level replication) and I get many lines I extract few below : [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - received entry from dirsync: CN=Chardron,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry matching AD entry [CN=Chardron,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid [c107390bd3669f4ca8b074de2af86397] [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [chardron] [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for username: -1 [10/Jun/2009:12:45:26 +0200] - Windows sync entry: Adding new local entry dn: uid=chardron,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetOrgPerson objectClass: ntUser ntUserDeleteAccount: true uid: chardron sn: Chardron postalCode: 33402 physicalDeliveryOfficeName:: bsKwIDIxMg== telephoneNumber: 05.57.35.58.41 givenName: Jean-Noel initials: jnc cn: Chardron ntUserCodePage: 0 ntUserAcctExpires: 9223372036854775807 ntUserDomainId: chardron mail: Jean-Noel.Chardron at dr15.cnrs.fr ntUniqueId: c107390bd3669f4ca8b074de2af86397 [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - add operation of entry uid=chardron,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr returned: 32 So it fails but why and what is the code error "32" ? 
Previously yesterday evening when I tried with Fedora 10 I got the return code "10" however I forgot the parameters used. -- Jean-Noel Chardron From rmeggins at redhat.com Wed Jun 10 14:09:30 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 10 Jun 2009 08:09:30 -0600 Subject: [389-users] error: failed to install local copy of fedora-ds-1.1.jar In-Reply-To: <4A2F6345.6020201@jatymy.org> References: <4A2E6991.3010408@jatymy.org> <4A2E6B65.7080207@redhat.com> <4A2F6345.6020201@jatymy.org> Message-ID: <4A2FBE9A.9090709@redhat.com> lejeczek wrote: > yes, this is precisely where/when I get these errors, could there be > something wrong(bug) > with the way f9(console) figures out what f10(servers) needs/uses? > (both f9/10 64bit) (both admin/ds on the same f10 box) > it works for admin server (downloading jar) but not for ds > servers(above error) > thanks Rich. fedora-idm-console -D 9 -f console.log - then paste the console.log to fpaste.org and send the link to the list > > Rich Megginson wrote: >> lejeczek wrote: >>> hi everybody, >>> error is from idm console, rpms are as follows: >>> fedora-ds-base-1.2.0-4.fc9.x86_64 >>> fedora-ds-dsgw-1.1.2-1.fc9.x86_64 >>> fedora-ds-base-devel-1.2.0-4.fc9.x86_64 >>> fedora-ds-console-1.2.0-1.fc9.noarch >>> fedora-ds-admin-1.1.7-3.fc9.x86_64 >>> fedora-ds-admin-console-1.1.3-1.fc9.noarch >>> >>> and yet, even if I delete ~/.fedora-idm-console and start console, I >>> can connect to admin servers but not do ds >>> and when above folder gets created anew after manual deleteion files >>> actually copied from, I guess, /usr/share/dirsrv/html/java/ >>> and not linked as they used to be, linking would be better - not? >> Not. The console is designed to manage remote servers - each server >> version has its own jar file version. 
>> The console figures out which
>> jar file it needs to manage which server, and requests that jar file
>> to be downloaded from the admin server and installed in your local
>> ~/.fedora-idm-console directory.
>>> and this numbering versions nomenclature is a bit messy, there in
>>> ~/.fedo... should be fedora-{ds,admin} linked to
>>> correct versions in /usr/share/dirsrv/html/java/
>>
>>> so my call for help is - what is missing, I rpm'ed above packages
>>> but it did not help
>>> i can copy files by hand but I expect it to work out of box - no?
>> The way it works is that you start the console and select which
>> server you want to manage. The console is supposed to automatically
>> detect, download, and install the correct jar file.
>>>
>>> cheers everybody
From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 10 14:15:55 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Wed, 10 Jun 2009 16:15:55 +0200
Subject: [389-users] Fail to sync with active directory (partially solved)
In-Reply-To: <4A2F92B1.40504@dr15.cnrs.fr>
References: <4A2F92B1.40504@dr15.cnrs.fr>
Message-ID: <4A2FC01B.9080800@dr15.cnrs.fr>

I reply to myself as I found the tip

jean-Noël Chardron wrote:
> hello,
>
> I tried to sync the FDS with Active directory, i follow the
> instructions read in http://www.linuxmail.info/ad-fds-sync-howto/
> except that I create a branch dc=ad and ou=DR15 (organizational unit)
> (and 2 databases under the root suffix dc=dr15,dc=cnrs,dc=fr)
>
> the FDS is version 1.2.0 and I upgrade this morning from fedora 10 to
> Fedora 11
>
> I try to synchronise with these parameters :
>
> DS host : aragon.dr15.cnrs.fr , port 389
> Windows host : zebigbos.ad.dr15.cnrs.fr , port 636
> DS subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
> Windows Subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
> Replicated Subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
> I manually create in the console the sub-hierarchy of the ou=DR15
> I activated the log errors (level replication) and I get many lines
> I extract few below :
>
> [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - received entry
> from dirsync:
> CN=Chardron,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
> [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for
> local entry matching AD entry
> [CN=Chardron,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin -
> agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for
> local entry by guid [c107390bd3669f4ca8b074de2af86397]
> [10/Jun/2009:12:45:26 +0200]
NSMMReplicationPlugin - > agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem > looking for guid: -1 > [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for > local entry by uid [chardron] > [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem > looking for username: -1 > [10/Jun/2009:12:45:26 +0200] - Windows sync entry: Adding new local > entry dn: uid=chardron,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > dc=fr > objectClass: top > objectClass: person > objectClass: organizationalperson > objectClass: inetOrgPerson > objectClass: ntUser > ntUserDeleteAccount: true > uid: chardron > sn: Chardron > postalCode: 33402 > physicalDeliveryOfficeName:: bsKwIDIxMg== > telephoneNumber: 05.57.35.58.41 > givenName: Jean-Noel > initials: jnc > cn: Chardron > ntUserCodePage: 0 > ntUserAcctExpires: 9223372036854775807 > ntUserDomainId: chardron > mail: Jean-Noel.Chardron at dr15.cnrs.fr > ntUniqueId: c107390bd3669f4ca8b074de2af86397 > > [10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - add operation of > entry uid=chardron,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > dc=fr returned: 32 > > So it fails but why and what is the code error "32" ? > Previously yesterday evening when I tried with Fedora 10 I got the > return code "10" however I forgot the parameters used. > > after creating ou=groupes, ou=DR15,dc=ad.... 
and ou=utilisateurs, ou=DR15,dc=adn the work is done : the log shows a correct insertion without return code error: -- Jean-Noel Chardron D?l?gation CNRS Aquitaine et Limousin Service du Traitement de l'Information Avenue des Arts et m?tiers BP 105 33402 TALENCE - FRANCE t?l : (33) 5.57.35.58.41 fax : (33) 5.57.35.58.01 MSN : jnc at dr15.cnrs.fr From dweintraub+fds at vecna.com Wed Jun 10 20:31:51 2009 From: dweintraub+fds at vecna.com (Dan Weintraub) Date: Wed, 10 Jun 2009 16:31:51 -0400 Subject: [389-users] Problems with replication over SSL In-Reply-To: <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4A301837.7050505@vecna.com> Thanks, that's exactly what I was following. Now that I've got the port corrected I'm getting a certificate error despite having the correct certificates setup (or so I thought...) I'll read through that documentation you posted and see if I can sort it out. Thanks, Dan PS NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.) John A. Sullivan III wrote: > On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote: >> Hi all, >> >> I'm trying to setup replication over ssl and am running into problems. I >> first tried it unencrypted and all worked fine. I then copied over the >> consumer's CA certificate and set up replication with SSL and Simple >> Authentication. It doesn't work and I now get the following errors: >> >> When I set it up: >> supplier error log: >> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" >> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP >> server), Netscape Portable Runtime error -5938 (Encountered end of file.) 
>> >> these appear thereafter: >> consumer access log: >> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from >> 10.1.1.100 to 10.1.1.101 >> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 >> (Protocol error) - B1 >> >> consumer error log: >> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag >> 0x80, expected 0x30) >> >> Versions: >> Supplier: >> fedora-ds-1.1.2-1.fc6 >> fedora-ds-dsgw-1.1.1-1.fc6 >> fedora-ds-base-1.1.3-2.fc6 >> fedora-ds-admin-1.1.6-1.fc6 >> fedora-ds-admin-console-1.1.2-1.fc6 >> fedora-ds-console-1.1.2-1.fc6 >> >> Consumer: >> fedora-ds-admin-1.1.7-3.fc6 >> fedora-ds-admin-console-1.1.3-1.fc6 >> fedora-ds-base-1.2.0-2.fc6 >> fedora-ds-dsgw-1.1.2-1.fc6 >> fedora-ds-console-1.2.0-1.fc6 >> fedora-ds-1.1.3-1.fc6 >> >> I'm at a loss as to how to proceed with troubleshooting and would >> appreciate any suggestions. >> >> Thanks, >> Dan Weintraub > > Hi, Dan. Here is a snippet from our internal documentation. I apologize > that I don't have time to customize it or analyze your issue more deeply > but perhaps our findings will help you in your environment. Given > Rich's comment, I wonder if you were stung by the same error in > documentation we noted below: > > Go back to the centos-idm-console on ldap1 > Go to the Configuration tab, select the userRoot under the > Replication > object in the left panel. Left/right client and choose New > Replication > Agreement > The name is "mycompany.com ldap1->ldap2" and the Description is > "Replicates mycompany.com from ldap1 to ldap2". Click Next. > Set the Consumer to ldap2.mycompany.com:389 from the drop down > box (389 is correct even though we are really using 636) - Oops! > That is not true despite what the documentation says. Click > other and create a new entry for ldap2.mycompany.com on port > 636. > Enable the SSL connection. > Enter cn=repuser,cn=config for the Bind As and enter the > password. > Click Next and then Next again. 
> We will always keep directories in sync so click Next again. > Choose Initialize Consumer Now and click Next > Click Done > > If you need more details, e.g., about how we set up SSL, I posted most > of our internal procedure a day or two ago on this mailing list in > response to a post entitled "Developting a CentOS-DS setup". You can > find much more detail there. > > Good luck - John From jsullivan at opensourcedevel.com Wed Jun 10 20:42:32 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Wed, 10 Jun 2009 16:42:32 -0400 Subject: [389-users] Problems with replication over SSL In-Reply-To: <4A301837.7050505@vecna.com> References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> <4A301837.7050505@vecna.com> Message-ID: <1244666552.6376.37.camel@jaspav.missionsit.net.missionsit.net> Hi, Dan. My guess would be you do not have the CA cert in place and hence the lack of trust - John On Wed, 2009-06-10 at 16:31 -0400, Dan Weintraub wrote: > Thanks, that's exactly what I was following. Now that I've got the port > corrected I'm getting a certificate error despite having the correct > certificates setup (or so I thought...) I'll read through that > documentation you posted and see if I can sort it out. > > Thanks, > Dan > > PS > NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, > LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime > error -8172 (Peer's certificate issuer has been marked as not trusted by > the user.) > > John A. Sullivan III wrote: > > On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote: > >> Hi all, > >> > >> I'm trying to setup replication over ssl and am running into problems. I > >> first tried it unencrypted and all worked fine. I then copied over the > >> consumer's CA certificate and set up replication with SSL and Simple > >> Authentication. 
It doesn't work and I now get the following errors: > >> > >> When I set it up: > >> supplier error log: > >> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" > >> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP > >> server), Netscape Portable Runtime error -5938 (Encountered end of file.) > >> > >> these appear thereafter: > >> consumer access log: > >> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from > >> 10.1.1.100 to 10.1.1.101 > >> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 > >> (Protocol error) - B1 > >> > >> consumer error log: > >> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message (tag > >> 0x80, expected 0x30) > >> > >> Versions: > >> Supplier: > >> fedora-ds-1.1.2-1.fc6 > >> fedora-ds-dsgw-1.1.1-1.fc6 > >> fedora-ds-base-1.1.3-2.fc6 > >> fedora-ds-admin-1.1.6-1.fc6 > >> fedora-ds-admin-console-1.1.2-1.fc6 > >> fedora-ds-console-1.1.2-1.fc6 > >> > >> Consumer: > >> fedora-ds-admin-1.1.7-3.fc6 > >> fedora-ds-admin-console-1.1.3-1.fc6 > >> fedora-ds-base-1.2.0-2.fc6 > >> fedora-ds-dsgw-1.1.2-1.fc6 > >> fedora-ds-console-1.2.0-1.fc6 > >> fedora-ds-1.1.3-1.fc6 > >> > >> I'm at a loss as to how to proceed with troubleshooting and would > >> appreciate any suggestions. > >> > >> Thanks, > >> Dan Weintraub > > > > Hi, Dan. Here is a snippet from our internal documentation. I apologize > > that I don't have time to customize it or analyze your issue more deeply > > but perhaps our findings will help you in your environment. Given > > Rich's comment, I wonder if you were stung by the same error in > > documentation we noted below: > > > > Go back to the centos-idm-console on ldap1 > > Go to the Configuration tab, select the userRoot under the > > Replication > > object in the left panel. Left/right client and choose New > > Replication > > Agreement > > The name is "mycompany.com ldap1->ldap2" and the Description is > > "Replicates mycompany.com from ldap1 to ldap2". 
Click Next.
> > Set the Consumer to ldap2.mycompany.com:389 from the drop down box (389 is correct even though we are really using 636) - Oops! That is not true despite what the documentation says. Click other and create a new entry for ldap2.mycompany.com on port 636.
> > Enable the SSL connection.
> > Enter cn=repuser,cn=config for the Bind As and enter the password.
> > Click Next and then Next again.
> > We will always keep directories in sync so click Next again.
> > Choose Initialize Consumer Now and click Next
> > Click Done
> >
> > If you need more details, e.g., about how we set up SSL, I posted most of our internal procedure a day or two ago on this mailing list in response to a post entitled "Developting a CentOS-DS setup". You can find much more detail there.
> >
> > Good luck - John
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From xkyanh at gmail.com Thu Jun 11 02:39:53 2009
From: xkyanh at gmail.com (Kỳ Anh, Huỳnh)
Date: Thu, 11 Jun 2009 09:39:53 +0700
Subject: [389-users] recovery manager password
Message-ID: <20090611093953.78831cfd@icy.localdomain>

Hello all,

I manage a server which has had FDS installed since 2005. No one here can remember the rootdn or the password to manage the server.

How to recover the rootdn and root password of FDS?

Thank you for your replies.
--
Ky Anh, Huynh
Homepage: http://viettug.org/

From rmeggins at redhat.com Thu Jun 11 02:49:41 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 10 Jun 2009 20:49:41 -0600
Subject: [389-users] recovery manager password
In-Reply-To: <20090611093953.78831cfd@icy.localdomain>
References: <20090611093953.78831cfd@icy.localdomain>
Message-ID: <4A3070C5.8050800@redhat.com>

Kỳ Anh, Huỳnh wrote:
> Hello all,
>
> I manage a server which has had FDS installed since 2005. No one here can remember the rootdn or the password to manage the server.
>
> How to recover the rootdn and root password of FDS?
>
> Thank you for your replies.
>
http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword

From Jean-Noel.Chardron at dr15.cnrs.fr Thu Jun 11 07:44:00 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noël Chardron)
Date: Thu, 11 Jun 2009 09:44:00 +0200
Subject: [389-users] Problems with replication over SSL
In-Reply-To: <4A301837.7050505@vecna.com>
References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> <4A301837.7050505@vecna.com>
Message-ID: <4A30B5C0.3010203@dr15.cnrs.fr>

hi,

Dan Weintraub wrote:
> Thanks, that's exactly what I was following. Now that I've got the port corrected I'm getting a certificate error despite having the correct certificates set up (or so I thought...). I'll read through that documentation you posted and see if I can sort it out.
>
> Thanks,
> Dan
>
> PS
> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8172 (Peer's certificate issuer has been marked as not trusted by the user.)
>
Can you post the output of the command:

#certutil -L -d /path/of/directory/where/is/the/certificate/

The directory where the certificate is has 2 files: key3.db and cert8.db.

For example, on my server the output is:

# certutil -L -d /etc/dirsrv/slapd-aragon/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CNRS2-Standard                                               CT,C,C
aragon.dr15.cnrs.fr Cert                                     u,u,u
CNRS-Standard                                                CT,C,C
CNRS                                                         CT,C,C
CNRS2                                                        CT,C,C

I suppose (it's a hypothesis) that your certificate doesn't have the tag u,u,u or something like this, or the CA can't trust the certificate.

> John A. Sullivan III wrote:
>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
>>> Hi all,
>>>
>>> I'm trying to set up replication over SSL and am running into problems. I first tried it unencrypted and all worked fine. I then copied over the consumer's CA certificate and set up replication with SSL and Simple Authentication. It doesn't work and I now get the following errors:
>>>
>>> When I set it up:
>>> supplier error log:
>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -5938 (Encountered end of file.)
>>> >>> these appear thereafter: >>> consumer access log: >>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from >>> 10.1.1.100 to 10.1.1.101 >>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 >>> (Protocol error) - B1 >>> >>> consumer error log: >>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message >>> (tag >>> 0x80, expected 0x30) >>> >>> Versions: >>> Supplier: >>> fedora-ds-1.1.2-1.fc6 >>> fedora-ds-dsgw-1.1.1-1.fc6 >>> fedora-ds-base-1.1.3-2.fc6 >>> fedora-ds-admin-1.1.6-1.fc6 >>> fedora-ds-admin-console-1.1.2-1.fc6 >>> fedora-ds-console-1.1.2-1.fc6 >>> >>> Consumer: >>> fedora-ds-admin-1.1.7-3.fc6 >>> fedora-ds-admin-console-1.1.3-1.fc6 >>> fedora-ds-base-1.2.0-2.fc6 >>> fedora-ds-dsgw-1.1.2-1.fc6 >>> fedora-ds-console-1.2.0-1.fc6 >>> fedora-ds-1.1.3-1.fc6 >>> >>> I'm at a loss as to how to proceed with troubleshooting and would >>> appreciate any suggestions. >>> >>> Thanks, >>> Dan Weintraub >> >> Hi, Dan. Here is a snippet from our internal documentation. I apologize >> that I don't have time to customize it or analyze your issue more deeply >> but perhaps our findings will help you in your environment. Given >> Rich's comment, I wonder if you were stung by the same error in >> documentation we noted below: >> >> Go back to the centos-idm-console on ldap1 >> Go to the Configuration tab, select the userRoot under the >> Replication >> object in the left panel. Left/right client and choose New >> Replication >> Agreement >> The name is "mycompany.com ldap1->ldap2" and the Description is >> "Replicates mycompany.com from ldap1 to ldap2". Click Next. >> Set the Consumer to ldap2.mycompany.com:389 from the drop down >> box (389 is correct even though we are really using 636) - Oops! >> That is not true despite what the documentation says. Click >> other and create a new entry for ldap2.mycompany.com on port >> 636. >> Enable the SSL connection. 
>> Enter cn=repuser,cn=config for the Bind As and enter the password.
>> Click Next and then Next again.
>> We will always keep directories in sync so click Next again.
>> Choose Initialize Consumer Now and click Next
>> Click Done
>>
>> If you need more details, e.g., about how we set up SSL, I posted most of our internal procedure a day or two ago on this mailing list in response to a post entitled "Developting a CentOS-DS setup". You can find much more detail there.
>>
>> Good luck - John
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jean-Noel Chardron
Délégation CNRS Aquitaine et Limousin
Service du Traitement de l'Information
Avenue des Arts et métiers BP 105 33402 TALENCE - FRANCE
tel: (33) 5.57.35.58.41 fax: (33) 5.57.35.58.01
MSN: jnc at dr15.cnrs.fr

From david.donnan at thalesgroup.com Thu Jun 11 10:05:11 2009
From: david.donnan at thalesgroup.com (David (Dave) Donnan)
Date: Thu, 11 Jun 2009 12:05:11 +0200
Subject: [389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ?
In-Reply-To: <4A30B5C0.3010203@dr15.cnrs.fr>
References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> <4A301837.7050505@vecna.com> <4A30B5C0.3010203@dr15.cnrs.fr>
Message-ID: <4A30D6D7.4080004@thalesgroup.com>

Rich, et al, hello.

Thanks to everybody for all the help to date - quite incredible really.

I've done my research but have nothing positive to report. I believe I was mistaken when I thought I could simply configure nss_ldap/pam_ldap to use a client SSL cert when binding to FDS:

http://www.nabble.com/Using-certificate-per-host-to-secure-communication-to-OpenLDAP-td19371786.html
http://www.nabble.com/Using-tls_cert-key-without-rootbinddn-td9089498.html

Apparently the secure tunnel is used, the OS's certificate is 'validated' by FDS but no LDAP bind is performed.
I reckon we'll put the password, in clear text, in the file /etc/ldap.conf and protect the file. Also, I think one must leave the client's (Linux O/S) secret key-file without a password. Cdlt, Dave -------------- Rich, hello and, as ever, thanks for the helpful reply. One very quick question and a quick technote 'for the record'. < You write, '... It probably won't, unless you either hardcode the clear text password ...' Q1: Hardcode where ? Is there an attribute in /etc/ldap.conf specifically for the keyfile password ? I have no idea - all I know is that if you need a password to unlock the private key, you need to store it somewhere. < You write, '... or simply have no key password ...' For the record, I reckon I need the '-noDES' option if I don't want a key file password: openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 7300 -nodes < Date: Tue, 12 May 2009 09:31:16 -0600 > From: rmegg... at redhat.com > To: fedora-directory-users at redhat.com > CC: lamba... at hotmail.com > Subject: Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate > > lamba... at hotmail.com wrote: > > Hello everybody and, firstly, thanks for your continued support. > > > > I hope I've used the correct expression/jargon, ie:PAM-LDAP ? > > > > PAM-LDAP works with LDAPS and binding with cn=Directory > > Manager/password hardcoded in /etc/ldap.conf - great stuff. > Except for the fact that you have the directory manager clear text > password hardcoded in ldap.conf :-( > > This was configured using the GUI > > '/usr/sbin/system-config-authentication' - also great stuff ! > > > > Symbolic Link pointing to the CA certificate: Q1. I've searched the > > web but cannot find what purpose the symbolic link serves. 
> > ---------------------------------------- > > > > # ls -toalr /etc/openldap/cacerts > > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem > > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> > > authconfig_downloaded.pem > > > > > > Client Certificate etc. > > -------------------------- > > I'm now experimenting with client certificates and have found the > > following link: > > > > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html > > > > and see the following example lines for the file /etc/ldap.conf: > > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case) > > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me) > > > > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the > > following command ? > > Will I have trouble if I specify '-passout' ? I assume it protects the > > file $FN.key. > > How will PAM-LDAP open the keystore if I have used a password ? > It probably won't, unless you either hardcode the clear text password, > or simply have no key password. > > > > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout > > pass: 0<< EOF >/dev/null 2>&1 > > > > > > Q3. ldap.pem: Is this file simply the $FN.pem file created by the > > following command ? > > > > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile > > $DIR/demoCA/private/cakey.pem \ > > -cert $DIR/demoCA/cacert.pem \ > > -passin pass: << EOF2 >/dev/null 2>&1 > > > > > > Thanks again, cdlt, -------------- next part -------------- An HTML attachment was scrubbed... 
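Jean-Noel's certutil -L suggestion above is a trust-flag check, and Dan's -8172 error is what a missing or untrusted issuer looks like from the supplier side. The following is an added example (not code from the 389/Fedora DS project) that parses a certutil -L listing and reports why a supplier would not trust a consumer's certificate; the second listing, the nickname Consumer-CA and the certutil -A command are constructed, the first listing is Jean-Noel's re-typed into certutil's column layout.

```python
"""Check an NSS certificate database listing (certutil -L output) for the
trust flags a 389/Fedora DS replication supplier needs before it can open
an SSL connection to a consumer.  Added example, not project code.

Trust attribute columns are SSL,S/MIME,JAR/XPI.  In the SSL column:
  C  trusted CA for issuing server certificates
  T  trusted CA for issuing client certificates
  u  the database also holds the private key (this server's own cert)
  P  trusted peer certificate
"""
import re

# one trust column: any combination of the flag letters, possibly empty
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_certutil_list(text):
    """Return {nickname: (ssl, smime, jar)} from `certutil -L -d <dir>` output.
    Nicknames may contain spaces ("aragon.dr15.cnrs.fr Cert"), so the trust
    column is split off from the right rather than the left."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        parts = line.rsplit(None, 1)
        # the header continuation "SSL,S/MIME,JAR/XPI" has no trust column
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        nickname, trust = parts
        ssl, smime, jar = trust.split(",")
        certs[nickname.strip()] = (ssl, smime, jar)
    return certs


def trusted_server_cas(certs):
    """Nicknames trusted to issue server certificates (C in the SSL column)."""
    return sorted(n for n, (ssl, _, _) in certs.items() if "C" in ssl)


def own_certs(certs):
    """Nicknames whose private key is present (u in the SSL column)."""
    return sorted(n for n, (ssl, _, _) in certs.items() if "u" in ssl)


def replication_ssl_findings(supplier_db_text, consumer_ca_nickname):
    """Explain why a supplier logs NSPR error -8172 ("Peer's certificate
    issuer has been marked as not trusted by the user") when the consumer's
    certificate was issued by consumer_ca_nickname.  Empty list = looks fine."""
    certs = parse_certutil_list(supplier_db_text)
    findings = []
    ca = certs.get(consumer_ca_nickname)
    if ca is None:
        findings.append("consumer CA %r is not in this cert8.db; import it with "
                        "certutil -A -n <nick> -t \"CT,,\" -i <ca.pem> -d <dir>"
                        % consumer_ca_nickname)
    elif "C" not in ca[0]:
        findings.append("consumer CA %r is present but its SSL trust is %r; it "
                        "needs C (e.g. CT,,) before the consumer's server "
                        "certificate validates" % (consumer_ca_nickname, ca[0]))
    if not own_certs(certs):
        findings.append("no certificate with a private key (u,u,u): this server "
                        "cannot accept SSL connections of its own")
    return findings


# Jean-Noel's listing from the thread, re-typed into certutil's column layout.
ARAGON_DB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CNRS2-Standard                                               CT,C,C
aragon.dr15.cnrs.fr Cert                                     u,u,u
CNRS-Standard                                                CT,C,C
CNRS                                                         CT,C,C
CNRS2                                                        CT,C,C
"""

# Constructed listing of the kind behind Dan's -8172: the consumer's CA was
# imported into the supplier's database, but without any trust flags.
UNTRUSTED_DB = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Consumer-CA                                                  ,,
"""

if __name__ == "__main__":
    for name, db in (("aragon", ARAGON_DB), ("constructed", UNTRUSTED_DB)):
        certs = parse_certutil_list(db)
        print(name, "trusted CAs:", trusted_server_cas(certs),
              "own:", own_certs(certs))
    for finding in replication_ssl_findings(UNTRUSTED_DB, "Consumer-CA"):
        print("finding:", finding)
```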
URL: From Jean-Noel.Chardron at dr15.cnrs.fr Thu Jun 11 10:38:10 2009 From: Jean-Noel.Chardron at dr15.cnrs.fr (=?ISO-8859-1?Q?jean-No=EBl_Chardron?=) Date: Thu, 11 Jun 2009 12:38:10 +0200 Subject: [389-users] loss of group members in AD after initialization of sync Message-ID: <4A30DE92.4070907@dr15.cnrs.fr> hello, When I initiate a first full synchronization of DS and AD I lost members in groups error log shows : [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry matching AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid [c0e73a492ffbc04c9e85781a68f45023] [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [SFC] [...] [10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr objectClass: top objectClass: groupofuniquenames objectClass: ntGroup ntGroupDeleteGroup: true cn: SFC description: Service Financier et Comptable uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc= fr uniqueMember:[...] follow 10 members [...] 
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry from dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry matching AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid [0cdf6e627d64684cb10c70b3b8753fda] [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [MX] [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for username: -1 [10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetOrgPerson objectClass: ntUser ntUserDeleteAccount: true uid: MX sn: MX givenName: Guillaume cn: MX ntUserCodePage: 0 ntUserAcctExpires: 0 ntUserDomainId: MX mail: Guillaume.MX at dr15.cnrs.fr ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): windows_process_total_entry: Looking dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours) [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" guid="c0e73a492ffbc04c9e85781a68f45023" [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS 
dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" username="SFC" [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request plugin [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 messages, 1 entries, 0 references [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_outbound: found AD entry dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr" [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request plugin [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 messages, 1 entries, 0 references [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - windows_generate_update_mods: CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description : values are equal [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid= [follow 10 entries,] [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request plugin [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 messages, 1 entries, 0 references [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry matching AD entry [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid [72a7171ffaa0d84a9ca4ec2d90a4ab2b] [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [essaibug] [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for 
username: -1 [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request plugin [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 messages, 1 entries, 0 references [10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - windows_generate_update_mods: CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName : values are equal [10/Jun/2009:15:01:38 +0200] - smod - windows sync [10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member [10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr [10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member [10/Jun/2009:15:01:38 +0200] - smod 1 - value: member: [follow the 10 entries] [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - windows_update_remote_entry: modifying entry CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): Received result code 0 () for modify operation [10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry from dirsync: CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry matching AD entry [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid [72a7171ffaa0d84a9ca4ec2d90a4ab2b] [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [essaibug] [10/Jun/2009:15:05:51 
+0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: essaibug
sn: essaibug
cn: essaibug
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: essaibug
ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b"
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" username="essaibug"
[10/Jun/2009:15:07:13 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_outbound: found AD entry dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"

(following the translation of Google)

I suppose that during the initialization of the replication, groups lost members (group SFC), with the logs showing an explicit removal of the member from the group, sent by the DS to AD. The most likely explanation is that the process is sequential but with an anarchic dispatch from AD to DS, so that a group can be created in DS before its member users. This leads, at a later stage, to a request for suppression, from DS to AD, of the members of the group that did not exist before the creation of the group.

This is "normal" since DS checks the consistency of information and therefore the group members.

The solution to this problem is to manually re-add the lost members to the group in the AD, or maybe to initialize the sync twice within a short time.

The administrator of the Windows server and the AD insulted me as a result of this blunder. I asked him if he had a backup of the AD. He had not.

--
Jean-Noel Chardron

From chris at untrepid.com Thu Jun 11 11:18:08 2009
From: chris at untrepid.com (Chris Phillips)
Date: Thu, 11 Jun 2009 12:18:08 +0100
Subject: [389-users] Registering to a central admin server
Message-ID: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com>

Hi,

Can someone describe how to register an existing dirsrv instance to an existing admin server? The ds-setup-admin.pl script clearly performs the registration exercise along with the build, but I can't see how to do this as a single, 100% safe, non-destructive way of registering existing machines to a central admin server, to avoid having to annoyingly connect to admin instances on every existing machine as we currently have to.

Thanks

Chris

From rmeggins at redhat.com Thu Jun 11 14:12:02 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Jun 2009 08:12:02 -0600
Subject: [389-users] Registering to a central admin server
In-Reply-To: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com>
References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com>
Message-ID: <4A3110B2.8030603@redhat.com>

Chris Phillips wrote:
> Hi,
>
> Can someone describe how to register an existing dirsrv instance to an existing admin server? The ds-setup-admin.pl script clearly performs the registration exercise along with the build, but I can't see how to do this as a single, 100% safe, non-destructive way of registering existing machines to a central admin server, to avoid having to annoyingly connect to admin instances on every existing machine as we currently have to.

You should be able to use register-ds-admin.pl, or use setup-ds-admin.pl -u to update software/version information in the console.

> Thanks
>
> Chris
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From David.Christensen at viveli.com Thu Jun 11 21:30:17 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Thu, 11 Jun 2009 16:30:17 -0500
Subject: [389-users] New to FDS, need some assistance with DIT configuration
Message-ID: <4A317769.2010807@viveli.com>

I am a little more familiar with OpenLDAP than I am with FDS, so some of the FDS configuration is familiar; however, I am stuck with how to implement access controls for all the servers I manage etc. As of right now if you are authenticated by FDS you have access to every resource that uses FDS for authentication. Research indicates that I need to have all the objects I want to manage in FDS and I need to use PAM with a modified ldap.conf file for each server. What is the best way to implement privileges using FDS, listing allowed hosts for each user or allowed users for each host, and how do I create the entries in FDS for both conditions?

Thanks in advance for the help.
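A detector for the pattern Jean-Noel describes in the "loss of group members in AD after initialization of sync" post above, run over error-log lines modelled on his (added example, not code from the 389 project; the timestamps, the second member MX and the group membership are constructed). It pairs the `map_dn_values: no local entry found` lines with the outbound `smod N - delete: member` mods and the `windows_update_remote_entry` that ships them to AD, so an operator can list exactly which AD group memberships the initial sync removed and re-add them.

```python
"""Find AD group members that a 389/Fedora DS Windows Sync initialization
removed because the member users had not yet been created on the DS side.
Added example, not project code; the log sample below is constructed."""
import re

NO_LOCAL_RE = re.compile(r"map_dn_values: no local entry found for (?P<dn>.+)$")
SMOD_DELETE_RE = re.compile(r"smod (?P<n>\d+) - delete: (?P<attr>\S+)$")
SMOD_VALUE_RE = re.compile(r"smod (?P<n>\d+) - value: (?P<attr>\S+): (?P<value>.+)$")
MODIFY_RE = re.compile(r"windows_update_remote_entry: modifying entry (?P<dn>.+)$")
RESULT_RE = re.compile(r"Received result code (?P<code>\d+) .*for modify operation")


def rdn_value(dn):
    """Value of the first RDN, lower-cased: 'CN=essaibug,OU=...' -> 'essaibug'.
    The DS side names the user uid=essaibug and the AD side CN=essaibug, so
    this is the key on which the two sides of the log can be correlated."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip().lower()


def find_member_deletions(log_text):
    """Return one record per outbound AD modify that deleted member values:
    {'group': AD group DN, 'deleted': [member DNs], 'unresolved': [those
    members DS had reported as having no local entry], 'result': LDAP code}."""
    unresolved = set()   # rdn values DS could not map to a local entry
    pending = {}         # smod index -> attribute of a delete mod awaiting its value
    deletes = []         # member DNs queued for the next modify
    records = []
    for line in log_text.splitlines():
        m = NO_LOCAL_RE.search(line)
        if m:
            unresolved.add(rdn_value(m.group("dn")))
            continue
        m = SMOD_DELETE_RE.search(line)
        if m:
            pending[m.group("n")] = m.group("attr")
            continue
        m = SMOD_VALUE_RE.search(line)
        if m and pending.get(m.group("n")) == m.group("attr") == "member":
            deletes.append(m.group("value"))
            continue
        m = MODIFY_RE.search(line)
        if m and deletes:
            records.append({"group": m.group("dn"), "deleted": deletes,
                            "unresolved": [d for d in deletes
                                           if rdn_value(d) in unresolved],
                            "result": None})
            deletes, pending = [], {}
            continue
        m = RESULT_RE.search(line)
        if m and records and records[-1]["result"] is None:
            records[-1]["result"] = int(m.group("code"))
    return records


# Constructed error-log excerpt modelled on the thread's lines (replication
# log level); member MX is added here to show more than one lost member.
SAMPLE_LOG = """\
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
[10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - windows_generate_update_mods: CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName : values are equal
[10/Jun/2009:15:01:38 +0200] - smod - windows sync
[10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 1 - value: member: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - windows_update_remote_entry: modifying entry CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): Received result code 0 () for modify operation
"""

if __name__ == "__main__":
    for rec in find_member_deletions(SAMPLE_LOG):
        status = "applied" if rec["result"] == 0 else "result %r" % rec["result"]
        print("%s: %d member(s) removed (%s)" % (rec["group"], len(rec["deleted"]), status))
        for dn in rec["unresolved"]:
            print("  re-add in AD (user did not exist on DS at sync time):", dn)
```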
From dcoatshca at gmail.com Sat Jun 13 12:51:26 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Sat, 13 Jun 2009 07:51:26 -0500
Subject: [389-users] Developing a CentOS-DS setup
In-Reply-To: <1244454091.6383.12.camel@jaspav.missionsit.net.missionsit.net>
References: <1244332681.6371.113.camel@jaspav.missionsit.net.missionsit.net> <1244454091.6383.12.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

John,

Thanks again for the information! As I go through this process I am sure it will be invaluable. I am making progress but I have also run into a specific problem. I am going to post this to the entire group since it does not specifically have to do with your prior information. I may post to this thread in the future with questions specific to your instructions. This is sort of a long term project for me that I am working on besides my other responsibilities. Anyway I guess I am trying to say "stay tuned."

Thanks again,

Doug

On Mon, Jun 8, 2009 at 4:41 AM, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> On Sun, 2009-06-07 at 14:33 -0500, Doug Coats wrote:
> > Thanks a ton John! This certainly gives me somewhere to start. Now I
> > just need to figure out what parts Linux needs to authenticate to
> > begin with. Do I need SSL if all of my LDAP requests are coming from
> > internal servers?
> >
> The bottom part of the plan should give you most of that information.
> Some of the essential bits are in the clientsetup script we created and
> I really shouldn't post that. We do set up our users with
> objectclasses of posixaccount and ntuser (I believe that's correct). On
> RedHat systems we also do something that I believe is technically
> incorrect, we add a posixgroup objectclass to the users to account for
> the personal group created by default.
>
> To keep the IDs unique among all the systems, we enforce unique uid,
> uidnumber, and gidnumber and, for other reasons in our multi-client
> environment, cn.
> This is one of the major reasons why we divide our DIT
> at the top level between Internal objects (which must enforce this
> uniqueness) and External objects (such as client contact lists) which do
> not enforce that uniqueness.
>
> At that point, one can use ldap.conf, nsswitch.conf, and the pam.d
> modules (largely configured automatically by, oh I forget the package
> name, I think it is authconfig - it's in the plan) to allow the Linux
> systems to authenticate users against LDAP.
>
> Certainly because we are a multi-client environment but even if we
> weren't, we do not believe in the hard and crunchy outside, soft and
> chewy inside security model. The network revolution means the primary
> attack vector is now on the inside of the network and not the outside.
> Truth be told, it always was. That's why we use SSL even on the
> internal network. If someone plants a protocol analyzer on the network,
> with a little bit of ARP poisoning, there's nothing they can't see
> traversing the wire. That's why we launched the ISCS network security
> project (http://iscs.sourceforge.net) and tend to "firepipe" rather than
> firewall our networks.
>
> Hope this helps - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>

From dcoatshca at gmail.com Sat Jun 13 14:11:44 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Sat, 13 Jun 2009 09:11:44 -0500
Subject: [389-users] GID error
Message-ID:

I have run into an issue with my system being able to correctly identify a user and their group.

I am running CentOS 5.3 and centos-ds 8.1.

I have created a user using the management console.
I set up the first name, last name, common name, user id, and password. Under Posix User I set up UID Number: 10009, GID Number: 10009, Home Directory: /home/user, and Shell: /bin/bash.

I set up authentication using System > Administration > Authentication. I enabled LDAP support and configured it. Under the options tab I checked "Create home directories on first login."

My user can log into the box and can ssh into the box.

When I do log in I receive the following error.

id: cannot find name for group ID 10009

When I ls -la the user's home directory it displays.

drwxr-xr-x 15 user 100009 4096 Jun 13 08:26 user

I tried creating a "user" group but there is no way to attach a GID to that group so there is no way for LDAP or PAM to associate the two.

I googled around but none of the solutions worked for me or seemed to apply to this situation.

Thanks for any help!

Doug

From jsullivan at opensourcedevel.com Sat Jun 13 16:04:49 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Sat, 13 Jun 2009 12:04:49 -0400
Subject: [389-users] GID error
In-Reply-To:
References:
Message-ID: <1244909089.6377.3.camel@jaspav.missionsit.net.missionsit.net>

On Sat, 2009-06-13 at 09:11 -0500, Doug Coats wrote:
> I have run into an issue with my system being able to correctly
> identify a user and their group.
>
> I am running CentOS 5.3 and centos-ds 8.1
>
> I have created a user using the management console.
>
> I set up the first name, last name, common name, user id, and
> password. Under Posix User I set up UID Number: 10009, GID Number:
> 10009, Home Directory: /home/user, and Shell: /bin/bash.
>
> I set up authentication using System > Administration >
> Authentication. I enabled LDAP support and configured it. Under the
> options tab I checked "Create home directories on first login."
>
> My user can log into the box and can ssh into the box.
>
> When I do log in I receive the following error.
>
> id: cannot find name for group ID 10009
>
> When I ls -la the user's home directory it displays.
>
> drwxr-xr-x 15 user 100009 4096 Jun 13 08:26 user
>
> I tried creating a "user" group but there is no way to attach a GID to
> that group so there is no way for LDAP or PAM to associate the two.
>
> I googled around but none of the solutions worked for me or seemed to
> apply to this situation.
>
> Thanks for any help!
>
> Doug
>

Since you were able to set the GID, I assume you added the posixGroup object class. You would need to do the same to a group in order to add a GID, I believe. As you probably already know, one would do this by adding a value to objectClass in the advanced properties.

I wonder if it is just a matter of time, in other words, perhaps there was a group query before the GID was set and nscd cached it. The default group cache is 3600 seconds which is why we change it to 600 in nscd.conf. I think the command to flush the group cache is nscd -i group or groups.

Other than that, I'm not sure. You could enable Access Logging and see what queries are being made. I've not found the log screens in centos_idm-console very helpful and typically just look at the access file in /var/log/dirsrv/slapd-xxx/. I do notice there is a substantial delay between when events occur and when they are written to the log.

Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From julio at openinside.es Mon Jun 15 09:34:23 2009
From: julio at openinside.es (Julio Gómez Belmonte)
Date: Mon, 15 Jun 2009 10:34:23 +0100 (GMT+01:00)
Subject: [389-users] Performance questions about ds.
In-Reply-To: <12543389.12561245058350793.JavaMail.root@ns364188.ovh.net>
Message-ID: <1023868.12581245058463425.JavaMail.root@ns364188.ovh.net>

Hello everybody,

This is my first message to the list, so I hope I don't ask recurring questions.

My question concerns the performance of directory server. I have a directory with a large number of entries, ~ 20,000 objects. My question is: when I receive a too large query, the directory will be suspended until they answer this query. I could see that there are options to determine the threads that will use the directory (nsslapd-threadnumber), persistent searches and apply administrative limits to the queries. I am evaluating what changes to implement but I have several doubts. When I run the directory, I get a single process (ns-slapd) which is consuming 100% CPU when doing too long queries; if we have multi-thread support, should multiple processes or Directory threads (ns-slapd) appear? Recommendations that could be followed in a case like this?

Thanks and best regards,

From jazcek at gmail.com Sat Jun 13 14:35:25 2009
From: jazcek at gmail.com (Jazcek Braden)
Date: Sat, 13 Jun 2009 09:35:25 -0500
Subject: [389-users] GID error
In-Reply-To:
References:
Message-ID: <50ca5db70906130735i48bc8c04p4d0ef61d6a7ad1a8@mail.gmail.com>

you need to create a posixgroup object with cn=user and gidnumber=10009

On Sat, Jun 13, 2009 at 9:11 AM, Doug Coats wrote:
> I have run into an issue with my system being able to correctly identify a
> user and their group.
>
> I am running CentOS 5.3 and centos-ds 8.1
>
> I have created a user using the management console.
>
> I set up the first name, last name, common name, user id, and password.
> Under Posix User I set up UID Number: 10009, GID Number: 10009, Home
> Directory: /home/user, and Shell: /bin/bash.
>
> I set up authentication using System > Administration > Authentication. I
> enabled LDAP support and configured it.
> Under the options tab I checked
> "Create home directories on first login."
>
> My user can log into the box and can ssh into the box.
>
> When I do log in I receive the following error.
>
> id: cannot find name for group ID 10009
>
> When I ls -la the user's home directory it displays.
>
> drwxr-xr-x 15 user 100009 4096 Jun 13 08:26 user
>
> I tried creating a "user" group but there is no way to attach a GID to that
> group so there is no way for LDAP or PAM to associate the two.
>
> I googled around but none of the solutions worked for me or seemed to apply
> to this situation.
>
> Thanks for any help!
>
> Doug
>

--
Jazcek Braden

From pronix.service at gmail.com Mon Jun 15 13:31:02 2009
From: pronix.service at gmail.com (dima vasiletc)
Date: Mon, 15 Jun 2009 17:31:02 +0400
Subject: [389-users] which user must have access to /var/run/dirsrv ?
Message-ID: <4A364D16.9040906@gmail.com>

Hello

When I try to start dirsrv I have the error

Failed to delete old semaphore for stats file (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission denied).

but access for the dirsrv user is permitted.

also

From rmeggins at redhat.com Mon Jun 15 15:53:08 2009
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 15 Jun 2009 11:53:08 -0400 (EDT)
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <4A364D16.9040906@gmail.com>
Message-ID: <299215776.60741245081188191.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

----- "dima vasiletc" wrote:
> Hello
> When I try to start dirsrv I have the error
> Failed to delete old semaphore for stats file
> (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission
> denied).
>
> but access for the dirsrv user is permitted.
> also

ls -al /var/run/dirsrv

From pronix.service at gmail.com Mon Jun 15 15:55:02 2009
From: pronix.service at gmail.com (dima vasiletc)
Date: Mon, 15 Jun 2009 19:55:02 +0400
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <299215776.60741245081188191.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
References: <299215776.60741245081188191.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Message-ID: <4A366ED6.7030107@gmail.com>

On 06/15/2009 07:53 PM, Richard Megginson wrote:
> ls -al /var/run/dirsrv
>

drwxrwxrwx 2 dirsrv nobody 4096 2009-06-15 10:21 .
drwxr-xr-x 31 root root 4096 2009-06-15 10:21 ..
-rw-r--r-- 1 dirsrv dirsrv 6 2009-06-15 10:21 slapd-MYDOMAIN-COM.startpid
-rw-r--r-- 1 dirsrv dirsrv 2072 2009-06-15 10:07 slapd-MYDOMAIN-COM.stats

From rmeggins at redhat.com Mon Jun 15 15:56:19 2009
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 15 Jun 2009 11:56:19 -0400 (EDT)
Subject: [389-users] Performance questions about ds.
In-Reply-To: <1023868.12581245058463425.JavaMail.root@ns364188.ovh.net>
Message-ID: <832522510.60991245081379818.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

----- "Julio Gómez Belmonte" wrote:
> Hello everybody,
>
> This is my first message to the list, so I hope I don't ask recurring
> questions.
>
> My question concerns the performance of directory server, I have a
> directory with a large number of entries, ~ 20,000 objects. My
> question is: When I receive a too large query,

Can you be more specific about what you mean by "too large query"?

> the directory will be
> suspended until they answer this query

What is your platform? What version of directory server? How do you know the directory server is suspended?
> I could see that there are
> options to determine the threads that will use the directory
> (nsslapd-threadnumber), persistent searches and apply administrative
> limits to the queries.

Did you change any of these settings from the defaults?

> I am evaluating what changes to implement but I
> have several doubts. When I run the directory, I get a single process
> (ns-slapd) which is consuming 100% CPU when doing too long queries,

More details please - search base, scope, filter - how many entries match the query - what user are you running as - have you changed any of the default administrative limits, database caching options, etc. etc.

> if
> we have a multi-thread support, should appear multiple processes or
> Directory threads (ns-slapd)?

single process with multiple threads

> Recommendations that could be followed
> in a case like this?
>
> Thanks and best regards,
>

From rmeggins at redhat.com Mon Jun 15 15:58:23 2009
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 15 Jun 2009 11:58:23 -0400 (EDT)
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <716914784.61091245081460111.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Message-ID: <47190725.61231245081503973.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

----- "dima vasiletc" wrote:
> On 06/15/2009 07:53 PM, Richard Megginson wrote:
> > ls -al /var/run/dirsrv
> >
> drwxrwxrwx 2 dirsrv nobody 4096 2009-06-15 10:21 .
> drwxr-xr-x 31 root root 4096 2009-06-15 10:21 ..
> -rw-r--r-- 1 dirsrv dirsrv 6 2009-06-15 10:21
> slapd-MYDOMAIN-COM.startpid
> -rw-r--r-- 1 dirsrv dirsrv 2072 2009-06-15 10:07
> slapd-MYDOMAIN-COM.stats

I'm not sure what's going on - what's the output of /usr/lib/dirsrv/slapd-MYDOMAIN-COM/start-slapd -d 1

>
From nkinder at redhat.com Mon Jun 15 16:08:35 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 15 Jun 2009 09:08:35 -0700
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <4A364D16.9040906@gmail.com>
References: <4A364D16.9040906@gmail.com>
Message-ID: <4A367203.4090709@redhat.com>

dima vasiletc wrote:
> Hello
> When I try to start dirsrv I have the error
> Failed to delete old semaphore for stats file
> (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission
> denied).

Note that this is referring to a semaphore that coordinates access to the stats file, not the stats file itself.

Did you previously install and remove a DS instance with the same name on this system? Did you recently change the user that this DS instance runs as?

>
> but access for the dirsrv user is permitted.
> also
>

From pronix.service at gmail.com Mon Jun 15 16:16:44 2009
From: pronix.service at gmail.com (dima vasiletc)
Date: Mon, 15 Jun 2009 20:16:44 +0400
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <4A367203.4090709@redhat.com>
References: <4A364D16.9040906@gmail.com> <4A367203.4090709@redhat.com>
Message-ID: <4A3673EC.10103@gmail.com>

On 06/15/2009 08:08 PM, Nathan Kinder wrote:
> dima vasiletc wrote:
>> Hello
>> When I try to start dirsrv I have the error
>> Failed to delete old semaphore for stats file
>> (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission
>> denied).
> Note that this is referring to a semaphore that coordinates access to
> the stats file, not the stats file itself.
>
> Did you previously install and remove a DS instance with the same name
> on this system? Did you recently change the user that this DS
> instance runs as?
>>
>> but access for the dirsrv user is permitted.
>> also
>>

Yes, I reinstalled and changed more configurations. Do you think a reboot can help?

From pronix.service at gmail.com Mon Jun 15 16:19:45 2009
From: pronix.service at gmail.com (dima vasiletc)
Date: Mon, 15 Jun 2009 20:19:45 +0400
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <4A367203.4090709@redhat.com>
References: <4A364D16.9040906@gmail.com> <4A367203.4090709@redhat.com>
Message-ID: <4A3674A1.7060306@gmail.com>

On 06/15/2009 08:08 PM, Nathan Kinder wrote:
> dima vasiletc wrote:
>> Hello
>> When I try to start dirsrv I have the error
>> Failed to delete old semaphore for stats file
>> (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission
>> denied).
> Note that this is referring to a semaphore that coordinates access to
> the stats file, not the stats file itself.
>
> Did you previously install and remove a DS instance with the same name
> on this system? Did you recently change the user that this DS
> instance runs as?
>>
>> but access for the dirsrv user is permitted.
>> also
>>

This is the compressed debug output.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.tbz2
Type: application/x-bzip-compressed-tar
Size: 4141 bytes
Desc: not available

From pronix.service at gmail.com Mon Jun 15 16:27:51 2009
From: pronix.service at gmail.com (dima vasiletc)
Date: Mon, 15 Jun 2009 20:27:51 +0400
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <4A367203.4090709@redhat.com>
References: <4A364D16.9040906@gmail.com> <4A367203.4090709@redhat.com>
Message-ID: <4A367687.7000906@gmail.com>

On 06/15/2009 08:08 PM, Nathan Kinder wrote:
> dima vasiletc wrote:
>> Hello
>> When I try to start dirsrv I have the error
>> Failed to delete old semaphore for stats file
>> (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission
>> denied).
> Note that this is referring to a semaphore that coordinates access to
> the stats file, not the stats file itself.
>
> Did you previously install and remove a DS instance with the same name
> on this system? Did you recently change the user that this DS
> instance runs as?
>>
>> but access for the dirsrv user is permitted.
>> also
>>

Thanks. After reboot resolved.

From nkinder at redhat.com Mon Jun 15 16:29:49 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 15 Jun 2009 09:29:49 -0700
Subject: [389-users] which user must have access to /var/run/dirsrv ?
In-Reply-To: <4A367687.7000906@gmail.com>
References: <4A364D16.9040906@gmail.com> <4A367203.4090709@redhat.com> <4A367687.7000906@gmail.com>
Message-ID: <4A3676FD.8030509@redhat.com>

dima vasiletc wrote:
> On 06/15/2009 08:08 PM, Nathan Kinder wrote:
>> dima vasiletc wrote:
>>> Hello
>>> When I try to start dirsrv I have the error
>>> Failed to delete old semaphore for stats file
>>> (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission
>>> denied).
>> Note that this is referring to a semaphore that coordinates access to
>> the stats file, not the stats file itself.
>>
>> Did you previously install and remove a DS instance with the same
>> name on this system? Did you recently change the user that this DS
>> instance runs as?
>>>
>>> but access for the dirsrv user is permitted.
>>> also
>>>
>>
> Thanks.
> After reboot resolved.

Posix named semaphores are removed during a reboot, which is why the reboot fixed your problem. A reboot is not necessary to clean up a left over semaphore. You can see the current named semaphores and their ownership by doing a 'ls -l /dev/shm'. For DS, we create a semaphore named something similar to "sem.slapd-localhost.stats". I believe simply removing this would have fixed your problem as well.

From rmeggins at redhat.com Mon Jun 15 19:33:09 2009
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 15 Jun 2009 15:33:09 -0400 (EDT)
Subject: [389-users] loss of group members in AD after initialization of sync
In-Reply-To: <851596404.79881245094342974.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Message-ID: <1083663729.79951245094389162.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

----- "jean-Noël Chardron" wrote:
> hello,
>
> When I initiate a first full synchronization of DS and AD I lost
> members
> in groups
>
> error log shows :
>
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry matching AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid [c0e73a492ffbc04c9e85781a68f45023]
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [SFC]
> [...]
> [10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local > entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr > objectClass: top > objectClass: groupofuniquenames > objectClass: ntGroup > ntGroupDeleteGroup: true > cn: SFC > description: Service Financier et Comptable > uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, > dc=cnrs, dc= > fr > uniqueMember:[...] > follow 10 members > > [...] > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry > from > dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry matching > > AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid > > [0cdf6e627d64684cb10c70b3b8753fda] > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid > [MX] > [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: problem looking for username: > -1 > [10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local > entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > dc=fr > objectClass: top > objectClass: person > objectClass: organizationalperson > objectClass: inetOrgPerson > objectClass: ntUser > ntUserDeleteAccount: true > uid: MX > sn: MX > givenName: Guillaume > cn: MX > ntUserCodePage: 0 > ntUserAcctExpires: 0 > ntUserDomainId: MX > mail: Guillaume.MX at dr15.cnrs.fr > ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda > > > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - 
> agmt="cn=zebigbos" > (zebigbos:636): windows_process_total_entry: Looking > dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours) > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" > guid="c0e73a492ffbc04c9e85781a68f45023" > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" > username="SFC" > [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request > plugin > [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 > messages, 1 entries, 0 references > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_outbound: found AD entry > dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr" > [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request > plugin > [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 > messages, 1 entries, 0 references > [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > windows_generate_update_mods: > CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description : > values are equal > [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for > > uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr > [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for > uid= > > [follow 10 entries,] > > [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request > plugin > [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 > messages, 1 entries, 0 references > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry matching > > AD entry > 
[CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid > > [72a7171ffaa0d84a9ca4ec2d90a4ab2b] > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid > [essaibug] > [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: problem looking for username: > -1 > [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request > plugin > [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 > messages, 1 entries, 0 references > > [10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - > windows_generate_update_mods: > CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName > : > values are equal > [10/Jun/2009:15:01:38 +0200] - smod - windows sync > [10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member > [10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: > CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > [10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member > [10/Jun/2009:15:01:38 +0200] - smod 1 - value: member: > > [follow the 10 entries] > > [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - > windows_update_remote_entry: modifying entry > CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): Received result code 0 () for modify operation > > [10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for > > uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr > > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry > from > dirsync: > 
CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry matching > > AD entry > [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid > > [72a7171ffaa0d84a9ca4ec2d90a4ab2b] > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid > [essaibug] > [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_inbound: problem looking for username: > -1 > [10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local > entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > dc=fr > objectClass: top > objectClass: person > objectClass: organizationalperson > objectClass: inetOrgPerson > objectClass: ntUser > ntUserDeleteAccount: true > uid: essaibug > sn: essaibug > cn: essaibug > ntUserCodePage: 0 > ntUserAcctExpires: 9223372036854775807 > ntUserDomainId: essaibug > ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b > > [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > dc=fr" > guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b" > [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - > agmt="cn=zebigbos" > (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > dc=fr" > username="essaibug" > [10/Jun/2009:15:07:13 +0200] - Calling windows entry search 
request
> plugin
> [10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 messages, 1 entries, 0 references
> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos" (zebigbos:636): map_entry_dn_outbound: found AD entry dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
>
> (following the translation of google)
> I suppose that during the initialization of the replication, groups
> have lost members (group sfc) with the logs in order explicit removal of
> the member in the group, sent by the DS to AD. The most likely explanation
> and that the process is sequential but with a dispatch from AD to
> DS-anarchic, with a group can be created before members in DS users.
> these are leading to a later stage in a request for suppression AD DS
> to members of the group that did not exist before the creation of the
> group. This is "normal" since DS checks the consistency of information
> and therefore the group members. The solution to this problem is to
> create manually in the AD to add the lost members in the group or maybe
> to initialize sync twice in a closed time.
>
> The administrator of the Windows server and the AD insulted me as a
> result of this blunder
> I asked him if he had a backup of the AD. he had not
>

So let me see if I understand what is happening: DS attempts to sync some groups from AD - since the user does not exist, it deletes the member from the group. Then it syncs the group back to AD, and deletes those users from AD. Is that correct?

I suppose a workaround would be to make sure all of the users are first added to DS, then sync the groups.
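Two threads above describe the same kind of gap in the directory data: the GID error thread (a posixAccount whose gidNumber has no posixGroup, which is what makes `id` fail on the client) and this sync thread (group members that have no local entry yet, the condition behind the `map_dn_values: no local entry found` lines, after which the stripped group is pushed back to AD). The script below is an added example, not code from the list or from 389 DS; it reads an LDIF export and reports both conditions so they can be corrected before the first sync is initialized. The LDIF, the DNs and the `dc=example,dc=com` suffix are constructed for the example.

```python
"""Offline consistency checks over an LDIF export of a 389 / Fedora DS
instance (added example; not code from the list or the 389 project).
Check 1: posixAccounts whose gidNumber has no posixGroup, the cause of
'id: cannot find name for group ID 10009'. Check 2: group members with no
entry, the state behind 'map_dn_values: no local entry found' when AD
groups arrive before their members during the first sync."""
from collections import defaultdict

def parse_ldif(text):
    """Minimal LDIF reader -> list of (dn, {attr_lower: [values]}). Folded
    lines (leading space) are joined; '#' comments and base64 ('::') values
    are skipped, since only DNs, objectClass values and IDs are needed."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current is not None and current.get("dn"):
                entries.append((current["dn"][0], current))
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            continue
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value.strip())
    return entries

def _classes(attrs):
    return {c.lower() for c in attrs.get("objectclass", [])}

def orphan_gids(entries):
    """gidNumber -> [user DNs] whose primary group has no posixGroup."""
    group_gids = {g for _, a in entries if "posixgroup" in _classes(a)
                  for g in a.get("gidnumber", [])}
    orphans = defaultdict(list)
    for dn, a in entries:
        if "posixaccount" in _classes(a):
            for g in a.get("gidnumber", []):
                if g not in group_gids:
                    orphans[g].append(dn)
    return dict(orphans)

def _norm_dn(dn):
    # Case-insensitive, whitespace-tolerant: the log shows the same entry as
    # 'dc=ad,dc=dr15, dc=cnrs, dc=fr' and 'DC=ad,DC=dr15,DC=cnrs,DC=fr'.
    return ",".join(part.strip().lower() for part in dn.split(","))

def dangling_members(entries):
    """group DN -> [member/uniqueMember DNs] that resolve to no entry.
    Run before initializing a sync agreement: a group whose members are
    unknown locally is stripped of them, then pushed back to AD stripped."""
    known = {_norm_dn(dn) for dn, _ in entries}
    result = {}
    for dn, a in entries:
        members = a.get("member", []) + a.get("uniquemember", [])
        missing = [m for m in members if _norm_dn(m) not in known]
        if missing:
            result[dn] = missing
    return result

# Constructed sample: a user whose GID has no group, and a group naming a
# member that has not been created yet (one DN folded, as LDIF allows).
SAMPLE_LDIF = """\
dn: uid=doug,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: doug
uidNumber: 10009
gidNumber: 10009

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 10010

dn: uid=MX,ou=utilisateurs,dc=example,dc=com
objectClass: inetOrgPerson
uid: MX

dn: cn=SFC,ou=groupes,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: SFC
uniqueMember: uid=MX,ou=utilisateurs,dc=example,dc=com
uniqueMember: uid=essaibug,ou=utilisateurs, dc=example,
 dc=com
"""

if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print("orphan GIDs:", orphan_gids(found))
    print("dangling members:", dangling_members(found))
```

For a live instance, feed it the output of db2ldif (or `ldapsearch -LLL` over the user and group subtrees) instead of SAMPLE_LDIF.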
> -- > > Jean-Noel Chardron > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From Jean-Noel.Chardron at dr15.cnrs.fr Mon Jun 15 20:24:44 2009 From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noel Chardron) Date: Mon, 15 Jun 2009 22:24:44 +0200 Subject: [389-users] loss of group members in AD after initialization of sync In-Reply-To: <1083663729.79951245094389162.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> References: <1083663729.79951245094389162.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Message-ID: <4A36AE0C.7090702@dr15.cnrs.fr> Richard Megginson a ?crit : > ----- "jean-No?l Chardron" wrote: > > >> hello, >> >> When I initiate a first full synchronization of DS and AD I lost >> members >> in groups >> >> error log shows : >> >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching >> >> AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid >> >> [c0e73a492ffbc04c9e85781a68f45023] >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid >> [SFC] >> [...] >> [10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local >> entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr >> objectClass: top >> objectClass: groupofuniquenames >> objectClass: ntGroup >> ntGroupDeleteGroup: true >> cn: SFC >> description: Service Financier et Comptable >> uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, >> dc=cnrs, dc= >> fr >> uniqueMember:[...] 
>> follow 10 members >> >> [...] >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry >> from >> dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching >> >> AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid >> >> [0cdf6e627d64684cb10c70b3b8753fda] >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid >> [MX] >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: problem looking for username: >> -1 >> [10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local >> entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, >> dc=fr >> objectClass: top >> objectClass: person >> objectClass: organizationalperson >> objectClass: inetOrgPerson >> objectClass: ntUser >> ntUserDeleteAccount: true >> uid: MX >> sn: MX >> givenName: Guillaume >> cn: MX >> ntUserCodePage: 0 >> ntUserAcctExpires: 0 >> ntUserDomainId: MX >> mail: Guillaume.MX at dr15.cnrs.fr >> ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda >> >> >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): windows_process_total_entry: Looking >> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours) >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS >> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, 
dc=fr" >> guid="c0e73a492ffbc04c9e85781a68f45023" >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS >> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" >> username="SFC" >> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request >> plugin >> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 >> messages, 1 entries, 0 references >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_outbound: found AD entry >> dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr" >> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search request >> plugin >> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 >> messages, 1 entries, 0 references >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - >> windows_generate_update_mods: >> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description : >> values are equal >> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for >> >> uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr >> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for >> uid= >> >> [follow 10 entries,] >> >> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request >> plugin >> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 >> messages, 1 entries, 0 references >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching >> >> AD entry >> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid >> >> [72a7171ffaa0d84a9ca4ec2d90a4ab2b] >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): 
map_entry_dn_inbound: problem looking for guid: -1 >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid >> [essaibug] >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: problem looking for username: >> -1 >> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search request >> plugin >> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 >> messages, 1 entries, 0 references >> >> [10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - >> windows_generate_update_mods: >> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName >> : >> values are equal >> [10/Jun/2009:15:01:38 +0200] - smod - windows sync >> [10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member >> [10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: >> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr >> [10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member >> [10/Jun/2009:15:01:38 +0200] - smod 1 - value: member: >> >> [follow the 10 entries] >> >> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - >> windows_update_remote_entry: modifying entry >> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr >> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): Received result code 0 () for modify operation >> >> [10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for >> >> uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr >> >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry >> from >> dirsync: >> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry matching >> >> AD entry >> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] >> 
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by guid >> >> [72a7171ffaa0d84a9ca4ec2d90a4ab2b] >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by uid >> [essaibug] >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_inbound: problem looking for username: >> -1 >> [10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local >> entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, >> dc=fr >> objectClass: top >> objectClass: person >> objectClass: organizationalperson >> objectClass: inetOrgPerson >> objectClass: ntUser >> ntUserDeleteAccount: true >> uid: essaibug >> sn: essaibug >> cn: essaibug >> ntUserCodePage: 0 >> ntUserAcctExpires: 9223372036854775807 >> ntUserDomainId: essaibug >> ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b >> >> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS >> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, >> dc=fr" >> guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b" >> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS >> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, >> dc=fr" >> username="essaibug" >> [10/Jun/2009:15:07:13 +0200] - Calling windows entry search request >> plugin >> [10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 >> messages, 1 entries, 0 references >> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - >> agmt="cn=zebigbos" >> (zebigbos:636): map_entry_dn_outbound: found AD 
entry >> dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr" >> >> (following the translation of google) >> I suppose that during the initialization of the replication, groups >> have >> lost members (group sfc) with the logs in order explicit removal of >> the >> member in the group, sent by the DS to AD. The most likely explanation >> >> and that the process is sequential but with a dispatch from AD to >> DS-anarchic, with a group can be created before members in DS users. >> these are leading to a later stage in a request for suppresssion AD DS >> >> to members of the group that did not exist before the creation of the >> >> group. This is "normal" since DS checks the consistency of information >> >> and therefore the group members. The solution to this problem is to >> create manually in the AD to add the lost members in the group or may >> be >> to initialize sync twice in a closed time. >> >> The administrator of the Windows server and the AD insulted me as a >> result of this blunder >> I asked him if he had a backup of the AD. he had not >> >> > > So let me see if I understand what is happening: > DS attempts to sync some groups from AD - since the user does not exist, it deletes the member from the group. Then it syncs the group back to AD, and deletes those users from AD. > Is that correct? > I suppose a workaround would be to make sure all of the users are first added to DS, then sync the groups. > yes, that is correct. 
>> --
>> Jean-Noel Chardron

From dcoatshca at gmail.com Mon Jun 15 20:45:11 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Mon, 15 Jun 2009 15:45:11 -0500
Subject: [389-users] GID error
In-Reply-To: <1244909089.6377.3.camel@jaspav.missionsit.net.missionsit.net>
References: <1244909089.6377.3.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

Thanks for your help John and Braden.

I tried using the Directory Server area of the Console to add the object class "posixgroup" to the Groups, People, user dcoats, and group dcoats.

So I make myself clear, I did this by double clicking on Directory Server in the Management Console. I then clicked on the Directory tab. I selected my Directory Server Identifier and right clicked on each of the items mentioned above. I selected Advanced Properties, clicked on Object Class from the list, and then clicked on Add Value. I selected posixgroup from the list and I got the following error after I clicked on OK.

Object class violation; missing attribute "gidNumber" required by object class "posixGroup"

Any insight would be greatly appreciated.

Thanks!

From jazcek at scs.fsu.edu Mon Jun 15 20:52:46 2009
From: jazcek at scs.fsu.edu (Jazcek Braden)
Date: Mon, 15 Jun 2009 15:52:46 -0500
Subject: [389-users] GID error
In-Reply-To:
References: <1244909089.6377.3.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <50ca5db70906151352g5c521bfaue50925684cb5472f@mail.gmail.com>

The object class posixgroup has a required attribute of gidnumber. In the interface that you mentioned it should automatically create this field that is empty on the attribute list of the object.
You need to fill a number in there before you try to save the entry.

-- Jazcek

On Mon, Jun 15, 2009 at 3:45 PM, Doug Coats wrote:
> Thanks for your help John and Braden.
>
> I tried using the Directory Server area of the Console to add the object
> class "posixgroup" to the Groups, People, user dcoats, and group dcoats.
>
> So I make myself clear, I did this by double clicking on Directory Server in
> the Management Console. I then clicked on the Directory tab. I selected my
> Directory Server Identifier and right clicked on each of the items mentioned
> above. I selected Advanced Properties, clicked on Object Class from the
> list, and then clicked on Add Value. I selected posixgroup from the list
> and I got the following error after I clicked on OK.
>
> Object class violation; missing attribute "gidNumber" required by object
> class "posixGroup"
>
> Any insight would be greatly appreciated.
>
> Thanks!

--
Jazcek Braden

From aaron.mills at returnpath.net Mon Jun 15 20:57:06 2009
From: aaron.mills at returnpath.net (Aaron Mills)
Date: Mon, 15 Jun 2009 14:57:06 -0600
Subject: [389-users] cron no longer works after password expiration
Message-ID:

Hi all,

I set up password policy on my FDS box and things were humming along just fine until people's passwords expired (100 days). Users can still log in to our linux boxen as normal (though we were seeing Invalid Credentials log entries). I disabled password policy, however now cron jobs no longer work. I tried setting something up like so:

* * * * * /bin/date >> /var/tmp/test.txt

But nothing gets logged. There's not even an entry in the cron logfile. This appears to be LDAP related since local user crons still work. I've looked in /var/log/messages and /var/log/cron, but it's as if my boxes just stopped recognizing user crons altogether. Any ideas on the right direction to look?
Thanks,
-Aaron

--
Aaron Mills
Systems Administrator
Return Path, Inc.
aaron.mills at returnpath.net

From jsullivan at opensourcedevel.com Mon Jun 15 21:01:43 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 15 Jun 2009 17:01:43 -0400
Subject: [389-users] GID error
In-Reply-To:
References: <1244909089.6377.3.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1245099703.6394.22.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2009-06-15 at 15:45 -0500, Doug Coats wrote:
> Thanks for your help John and Braden.
>
> I tried using the Directory Server area of the Console to add the
> object class "posixgroup" to the Groups, People, user dcoats, and
> group dcoats.
>
> So I make myself clear, I did this by double clicking on Directory
> Server in the Management Console. I then clicked on the Directory
> tab. I selected my Directory Server Identifier and right clicked on
> each of the items mentioned above. I selected Advanced Properties,
> clicked on Object Class from the list, and then clicked on Add Value.
> I selected posixgroup from the list and I got the following
> error after I clicked on OK.
>
> Object class violation; missing attribute "gidNumber" required by
> object class "posixGroup"
>
> Any insight would be greatly appreciated.
>
> Thanks!

Sounds like you're getting close. Once you add the objectClass posixgroup, you need to enter a value for the gidNumber attribute which should now magically appear in the advanced properties list. Hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From dcoatshca at gmail.com Mon Jun 15 22:03:35 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Mon, 15 Jun 2009 17:03:35 -0500
Subject: [389-users] GID error
In-Reply-To: <1245099703.6394.22.camel@jaspav.missionsit.net.missionsit.net>
References: <1244909089.6377.3.camel@jaspav.missionsit.net.missionsit.net> <1245099703.6394.22.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

That did it. Thanks for pointing out the obvious.

For those coming after me. Create a group with the same name as the user. Add the posixgroup to that group's Objectclass. Fill in the gidnumber with the same gid number you used when you created the user.

Now it shows up as expected when I list the directory and I get no error on changing to that user.

One last question on this topic. Is there a way to get that to show up in the form that you create the group from? It would be nice not to have to do that for each user group that you create.

That being said, I will probably just create a large ldif file with all my user and group information. Is this the place just to import it set up correctly so that I don't waste my time trying to tweak the form?

Thanks again!

From jsullivan at opensourcedevel.com Mon Jun 15 22:49:24 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 15 Jun 2009 18:49:24 -0400
Subject: [389-users] GID error
In-Reply-To:
References: <1244909089.6377.3.camel@jaspav.missionsit.net.missionsit.net> <1245099703.6394.22.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1245106164.6394.26.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2009-06-15 at 17:03 -0500, Doug Coats wrote:
> That did it. Thanks for pointing out the obvious.
>
> For those coming after me.
> Create a group with the same name as the user. Add the posixgroup to
> that group's Objectclass. Fill in the gidnumber with the same gid
> number you used when you created the user.
>
> Now it shows up as expected when I list the directory and I get no
> error on changing to that user.
>
> One last question on this topic. Is there a way to get that to show up
> in the form that you create the group from? It would be nice not to
> have to do that for each user group that you create.
>
> That being said, I will probably just create a large ldif file with all
> my user and group information. Is this the place just to import it
> set up correctly so that I don't waste my time trying to tweak the
> form?
>
> Thanks again!

I suppose anyone comfortable enough with Java could add a page for groups similar to the page for users which offers to create a Posix user and then submit it to the development team for consideration. In my case, I bent the rules a little bit and added the posixgroup objectclass to my users to account for the user group. That may come back to bite me.

I might also add there is a small problem in the KDE environment where Konqueror does not query LDAP for groups. One of the developers was kind enough to write a patch for me so KDE 3.5 behaved properly and the patch is being included in the next update for KDE 4.x I believe. Take care - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From morenisco at noc-root.net Tue Jun 16 02:46:43 2009
From: morenisco at noc-root.net (Morenisco)
Date: Mon, 15 Jun 2009 22:46:43 -0400
Subject: [389-users] Error debianizing the 389-ds-base-1.2.1 package
In-Reply-To: <4A2A9349.8000208@redhat.com>
References: <4A29CCE1.10803@noc-root.net> <4A2A9349.8000208@redhat.com>
Message-ID: <4A370793.4030708@noc-root.net>

Rich Megginson wrote:
[...]
> The problem is that libslapd is not linked with -lrt, which provides
> the semaphore functions. This is usually fine, since ns-slapd (the
> executable) is linked with -lrt, so that at runtime all of these
> references are resolved. But Debian uses -Wl,-z,defs which forces all
> references to be looked up at link time. We should fix this in 389 -
> please file a bug against 389. In the meantime, you could either turn
> off -z,defs, or figure out how to link libslapd with -lrt

Hi Rich,

Finally I opened *Bug 506206* - libslapd is not linked with -lrt.

I'll keep working on this, and I'll notify here if I get the packages...

Regards.

--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://www.folasol.org
http://trabajosfloss.noc-root.net
Blog: http://morenisco.noc-root.net

From kenneho.ndu at gmail.com Tue Jun 16 05:29:23 2009
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Tue, 16 Jun 2009 07:29:23 +0200
Subject: [389-users] Sharing scripts for AD<->RHDS integration
Message-ID:

Hi all.

I'm working on a few small scripts aimed at AD<->FDS/RHDS integration. The scripts basically add posix attributes to users synced over from AD, and use AD group memberships to create NIS netgroup membership (which can be used for controlling which users get to access which servers). I hope to have the initial version of the scripts ready in a few weeks, and would like to share them with others that may be interested in them.

Since this is my first time sharing code I've written, I could use some advice on how and where to share it. Could someone point me to info on this?

Thanks.

Regards,
Kenneth Holter
From pronix.service at gmail.com Tue Jun 16 13:03:49 2009
From: pronix.service at gmail.com (dima vasiletc)
Date: Tue, 16 Jun 2009 17:03:49 +0400
Subject: [389-users] SSL Library Error: -12271 SSL client cannot verify your certificate
Message-ID: <4A379835.1080202@gmail.com>

Hello all,

Encrypted connections finish with the error (Error code: sec_error_reused_issuer_and_serial) and the server writes to the log:

SSL Library Error: -12271 SSL client cannot verify your certificate

First I think I need to check DNS queries. I see many A queries for example.com. Maybe I must regenerate the certificate? Where can I read about that?

Thanks.

From dumboq at yahoo.com Tue Jun 16 17:49:15 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Tue, 16 Jun 2009 10:49:15 -0700 (PDT)
Subject: [389-users] General LDAP security
Message-ID: <814338.4005.qm@web111918.mail.gq1.yahoo.com>

I set up a RHDS server for authentication along with a test client, and everything seems to be working well. Before I deploy this solution into production I would like to know what I can do in regards to security.

I got rid of my ldap.secret file, as I don't think I need it. I do not mind if root cannot change other people's passwords from anywhere.

The next problem that I'm running into is that I currently have my binddn set to cn=Directory Manager, and thus my most important password is still written in clear text in ldap.conf. Can someone explain (or point to an article which shows) how to create another user to use for my binddn? Is it as simple as making a regular user, or do I need to adjust any particular permissions? I would prefer this user to be read-only.

Any particular tools to scan and see what can be accessed anonymously and what can be accessed with a particular binddn?

Any other recommendations?

From jsullivan at opensourcedevel.com Tue Jun 16 18:29:28 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 16 Jun 2009 14:29:28 -0400
Subject: [389-users] General LDAP security
In-Reply-To: <814338.4005.qm@web111918.mail.gq1.yahoo.com>
References: <814338.4005.qm@web111918.mail.gq1.yahoo.com>
Message-ID: <1245176968.6381.6.camel@jaspav.missionsit.net.missionsit.net>

On Tue, 2009-06-16 at 10:49 -0700, Dumbo Q wrote:
> I set up a RHDS server for authentication along with a test client,
> and everything seems to be working well. Before I deploy this solution
> into production I would like to know what I can do in regards to
> security.
>
> I got rid of my ldap.secret file, as I don't think I need it. I do not
> mind if root cannot change other people's passwords from anywhere.
>
> The next problem that I'm running into is that I currently have my
> binddn set to cn=Directory Manager, and thus my most important
> password is still written in clear text in ldap.conf. Can someone
> explain (or point to an article which shows) how to create another
> user to use for my binddn? Is it as simple as making a regular user,
> or do I need to adjust any particular permissions? I would prefer
> this user to be read-only.
>
> Any particular tools to scan and see what can be accessed anonymously
> and what can be accessed with a particular binddn?
>
> Any other recommendations?

Yes, there are some alternatives. I recently posted a ridiculously long outline about how we set up our environment in response to someone's request for steps to set up on CentOS. This included our security set up.

In briefest summary, we create a separate user who has rights to see but not change the commonly needed fields for as much of the DIT as is needed for the various servers, e.g., some may need to see the entire tree whereas others may only need a small subset. The ACIs are in that large post. We then use this user as the binddn in ldap.conf. We never use cn=Directory Manager and always remove anonymous browsing. In fact, we also change the cn for both Directory Manager and the admin user just to further obscure the setup. Hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From chris at untrepid.com Tue Jun 16 19:13:39 2009
From: chris at untrepid.com (Chris Phillips)
Date: Tue, 16 Jun 2009 20:13:39 +0100
Subject: [389-users] General LDAP security
In-Reply-To: <1245176968.6381.6.camel@jaspav.missionsit.net.missionsit.net>
References: <814338.4005.qm@web111918.mail.gq1.yahoo.com> <1245176968.6381.6.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <3e4e5d790906161213v494f5f84m5ecbd8994b0f2e4b@mail.gmail.com>

http://www.mail-archive.com/fedora-directory-users at redhat.com/msg09428.html

On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> In briefest summary, we create a separate user who has rights to see but
> not change the commonly needed fields for as much of the DIT as is
> needed for the various servers, e.g., some may need to see the entire
> tree whereas others may only need a small subset. The ACIs are in that
> large post. We then use this user as the binddn in ldap.conf. We never
> use cn=Directory Manager and always remove anonymous browsing. In fact,
> we also change the cn for both Directory Manager and the admin user just
> to further obscure the setup. Hope this helps - John

John, (and anyone else of course...)

I read your mail that you referred to...
http://www.mail-archive.com/fedora-directory-users at redhat.com/msg09428.html
and don't really see an answer to the question, or more honestly, the very similar question I was about to ask before I saw this.

That was how to have a full administrative user that is not Directory Manager.
I'm working in a very high profile confidential project and to our shame are still using this account for pretty much everything of note (despite my protestations from day 1, I assure you!!) including the IDM console which is our main tool for managing data in it. I've tried to work out the most formal and effective way to make my own normal user account able to do whatever Directory Manager can do with the console but without luck. I expect it's an awful lot simpler than I think it is. In line with doing it "right" there's a Directory Administrators (or nearly that) group which I tried adding users to but no change was seen, and I'd think there's a difference between the access within the main directory and the Admin server config in o=NetscapeRoot. Is there an ACI that already exists and such?

Also looking at your notes, it seems there may be better ways to manage a single directory (2 multimasters and 6 replicas) like bypassing the initial Admin section and going straight to the directory itself?

Also if I do make my user account able to log in, would I then be faced with putting in the entire DN every single time? Can I alias it etc..? Ideally I'd not want a dedicated account, unless there's some real logic in not using the account - something I can imagine...

Any pointers, especially those which are simple, elegant and non-invasive, would be *very* much appreciated.

Thanks

Chris
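The read-only bind user and the removal of anonymous browsing that John summarises above (and that Dumbo Q asked about) come down to a handful of aci values on the suffix entry. The block below is an added example, not code from the thread or from 389 Directory Server: it builds that ACI, emits the LDIF that creates the bind entry and attaches the ACI, emits the LDIF that deletes an anonymous-access ACI, and checks the grant with a deliberately simplified single-ACI evaluator. The suffix dc=example,dc=com is the placeholder suffix used elsewhere in this thread; the bind DN uid=ldapbind,ou=Special Users,dc=example,dc=com, the attribute list and the text of the anonymous ACI are constructed assumptions.

```python
"""Model of 389 DS access control for a dedicated read-only bind user.

Added example, not code from the thread or from 389 Directory Server.
Constructed assumptions: the bind DN, the attribute list and the text of the
anonymous-access ACI (check the real value on your own suffix entry).
"""
import re
from typing import Iterable

SUFFIX = "dc=example,dc=com"                          # placeholder suffix from the thread
BIND_DN = f"uid=ldapbind,ou=Special Users,{SUFFIX}"   # constructed bind DN
READ_ATTRS = ("uid", "cn", "uidNumber", "gidNumber",  # what an nss_ldap client must read
              "homeDirectory", "loginShell", "memberUid")

# An anonymous-access ACI of the default shape (constructed; yours may differ).
ANON_ACI = ('(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
            'allow (read, search, compare) userdn="ldap:///anyone";)')


def readonly_bind_aci(bind_dn: str, attrs: Iterable[str],
                      name: str = "Read-only bind user") -> str:
    """ACI value granting read/search/compare on the listed attributes only."""
    return ('(targetattr = "%s")(version 3.0; acl "%s"; '
            'allow (read, search, compare) userdn = "ldap:///%s";)'
            % (" || ".join(attrs), name, bind_dn))


def ldif_for_bind_user(bind_dn: str, suffix: str, aci: str) -> str:
    """LDIF for ldapmodify: add the bind entry, then attach the ACI to the suffix.

    No password here: set it afterwards out of band, so it never sits in this file.
    """
    uid = bind_dn.split(",", 1)[0].split("=", 1)[1]
    return "\n".join([
        f"dn: {bind_dn}", "changetype: add",
        "objectClass: top", "objectClass: person",
        "objectClass: organizationalPerson", "objectClass: inetOrgPerson",
        f"uid: {uid}", f"cn: {uid}", f"sn: {uid}", "",
        f"dn: {suffix}", "changetype: modify", "add: aci", f"aci: {aci}", "",
    ])


def ldif_remove_aci(suffix: str, aci: str) -> str:
    """LDIF that deletes one specific aci value (e.g. the anonymous-access one)."""
    return "\n".join([f"dn: {suffix}", "changetype: modify",
                      "delete: aci", f"aci: {aci}", ""])


# Subset of the ACI grammar: one targetattr clause, one allow/deny, one userdn.
_ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)";\)')


def parse_aci(aci: str) -> dict:
    """Split an ACI of the supported shape into its parts (lower-cased sets)."""
    m = _ACI_RE.fullmatch(aci.strip())
    if m is None:
        raise ValueError("unsupported ACI form: " + aci)
    parts = m.groupdict()
    parts["attrs"] = {a.strip().lower() for a in parts["attrs"].split("||")}
    parts["rights"] = {r.strip().lower() for r in parts["rights"].split(",")}
    return parts


def aci_grants(aci: str, bind_dn: str, right: str, attr: str) -> bool:
    """Does this single ACI allow `right` on `attr` for `bind_dn`?

    Simplified on purpose: the server evaluates every ACI in scope together and
    a matching deny overrides any allow; here one ACI is judged in isolation.
    """
    a = parse_aci(aci)
    if a["effect"] != "allow":
        return False
    subject_ok = a["userdn"] == "anyone" or a["userdn"].lower() == bind_dn.lower()
    attr_ok = attr.lower() in a["attrs"]
    if a["op"] == "!=":          # targetattr != "x" means every attribute except x
        attr_ok = not attr_ok
    return subject_ok and attr_ok and right.lower() in a["rights"]


if __name__ == "__main__":
    aci = readonly_bind_aci(BIND_DN, READ_ATTRS)
    print(ldif_for_bind_user(BIND_DN, SUFFIX, aci))
    print(ldif_remove_aci(SUFFIX, ANON_ACI))
    # Feed the output to: ldapmodify -x -D "cn=Directory Manager" -W -f bind-user.ldif
```

Read the stored anonymous ACI from the suffix entry's aci attribute with ldapsearch before deleting it, since the value in the delete has to match the stored one.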
From rmeggins at redhat.com Tue Jun 16 20:03:11 2009
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 16 Jun 2009 16:03:11 -0400 (EDT)
Subject: [389-users] General LDAP security
In-Reply-To: <3e4e5d790906161213v494f5f84m5ecbd8994b0f2e4b@mail.gmail.com>
Message-ID: <1456932769.163371245182591226.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>

----- "Chris Phillips" wrote:
> http://www.mail-archive.com/fedora-directory-users at redhat.com/msg09428.html
>
> On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
>
> In briefest summary, we create a separate user who has rights to see
> but not change the commonly needed fields for as much of the DIT as is
> needed for the various servers, e.g., some may need to see the entire
> tree whereas others may only need a small subset. The ACIs are in that
> large post. We then use this user as the binddn in ldap.conf. We never
> use cn=Directory Manager and always remove anonymous browsing. In
> fact, we also change the cn for both Directory Manager and the admin user
> just to further obscure the setup. Hope this helps - John
>
> John, (and anyone else of course...)
>
> I read your mail that you referred to...
> http://www.mail-archive.com/fedora-directory-users at redhat.com/msg09428.html
> and don't really see an answer to the question, or more honestly, the
> very similar question I was about to ask before I saw this.
>
> That was how to have a full administrative user that is not Directory
> Manager. I'm working in a very high profile confidential project and
> to our shame are still using this account for pretty much everything
> of note (despite my protestations from day 1, I assure you!!)
> including the IDM console which is our main tool for managing data in
> it. I've tried to work out the most formal and effective way to make
> my own normal user account able to do whatever Directory Manager can
> do with the console but without luck.
> I expect it's an awful lot simpler than I think it is. In line with
> doing it "right" there's a Directory Administrators (or nearly that)
> group which I tried adding users to but no change was seen, and I'd
> think there's a difference between the access within the main directory
> and the Admin server config in o=NetscapeRoot. Is there an ACI that
> already exists and such?

I would take a look at the ACIs that are created for the uid=admin user, the one created during setup-ds-admin.pl time. That user is as close as you can get to directory manager. The only thing we don't have an ACI for is the ability to create the root entry for a top level suffix (e.g. if you create a new suffix dc=example,dc=com, only the directory manager can use LDAP ADD to create that entry, which is what the console does). You can work around this limitation by doing an import operation - create an ldif file which contains this entry, and do an import/ldif2db/database init with this file, as admin.

> Also looking at your notes, it seems there may be better ways to
> manage a single directory (2 multimasters and 6 replicas) like
> bypassing the initial Admin section and going straight to the
> directory itself?
>
> Also if I do make my user account able to log in, would I then be
> faced with putting in the entire DN every single time? Can I alias it
> etc..? Ideally I'd not want a dedicated account, unless there's some
> real logic in not using the account - something I can imagine...

Authentication is supposed to look up the user id first in o=NetscapeRoot (e.g. the default console admin) then in your default user&group suffix (e.g. dc=example,dc=com).

> Any pointers, especially those which are simple, elegant and
> non-invasive, would be *very* much appreciated.
> > Thanks > > Chris > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From jsullivan at opensourcedevel.com Tue Jun 16 20:10:17 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Tue, 16 Jun 2009 16:10:17 -0400 Subject: [389-users] General LDAP security In-Reply-To: <3e4e5d790906161213v494f5f84m5ecbd8994b0f2e4b@mail.gmail.com> References: <814338.4005.qm@web111918.mail.gq1.yahoo.com> <1245176968.6381.6.camel@jaspav.missionsit.net.missionsit.net> <3e4e5d790906161213v494f5f84m5ecbd8994b0f2e4b@mail.gmail.com> Message-ID: <1245183017.6381.27.camel@jaspav.missionsit.net.missionsit.net> On Tue, 2009-06-16 at 20:13 +0100, Chris Phillips wrote: > http://www.mail-archive.com/fedora-directory-users at redhat.com/msg09428.html > > On Tue, Jun 16, 2009 at 7:29 PM, John A. Sullivan III > wrote: > In briefest summary, we create a separate user who has rights > to see but > not change the commonly needed fields for as much of the DIT > as is > needed for the various servers, e.g., some may need to see the > entire > tree whereas other may only need a small subset. The ACI's > are in that > large post. We then use this user as the binddn in > ldap.conf. We never > use cn=Directory Manager and always remove anonymous > browsing. In fact, > we also change the cn for both Directory Manager and the admin > user just > to further obscure the setup. Hope this helps - John > > John, (and anyone else of course...) > > I read your mail that you referred to... > http://www.mail-archive.com/fedora-directory-users at redhat.com/msg09428.html > and don't really see an answer to the question, or more honestly, the > very similar question I was about to ask before I saw this. > > That was how to have a full administrative user that is not Directory > Manager. 
I'm working in a very high profile confidential project and > to our shame are still using this account for pretty much everything > of note (despite my protestations from day 1, I assure you!!) > including the IDM console which is our main tool for managing data in > it. I've tried to work out the most formal and effective way to make > my own normal user account able to do whatever Directory Manager can > do with the console but without luck. I expect it's an awful lot > simpler than I think it is. In line with doing it "right" there's a > Directory Administrators (or nearly that) group which I tried adding > users to but no change was seen, and I'd think there's a difference > between the access within the main directory and the Admin server > config in o=NetscapeRoot. Is there an ACI that already exists and > such? > > Also looking at your notes, it seems there may be better ways to > manage a single directory (2 multimasters and 6 replicas) like > bypassing the initial Admin section and going straight to the > directory itself? > > Also if I do make my user account able to log in, would I then be > faced with putting in the entire DN every single time? can I alias it > etc..? Ideally I'd not want a dedicated account, unless there's some > real logic in not using the account - something I can imagine... > > Any pointers, especially those which are simple, elegant and > non-invasive, would be *very* much appreciated. Hi, Chris. I suppose the first thing I should point out is that I am by no means any kind of expert whatsoever in any way shape or form (not sure if I can say that more emphatically:-) ). Someone like Rich Megginson will know much more than I. I've only learned enough to do what I have to do on my project which is still awaiting funding to hire an LDAP engineer. Before this, I hadn't touched Directory Services since NetWare 4.x! There are a couple of options. 
I've not explored the difference between Directory Manager and uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot (or whatever the uid is, we've changed ours from the default proposed during installation). Even so, we do not use this user either for most of our functions (although our administrators are still logging in using Directory Manager in idm-console for administration).

The magic, as you intimate, is the ACI. We created our own since we are a multi-tenant environment. Our admins do use Directory Manager (renamed) to oversee the entire tree but each of our clients has their own designated administrator for their part of the tree. We also break our tree into Internal and External sections (because of uniqueness requirements, e.g., all uids and cn must be unique across the clients in our environment but not for their address books of their external clients). I believe the ACIs we use to do this are:

(targetattr = "*") (target = "ldap:///($dn),o=internal,dc=mycompany, dc=com") (version 3.0;acl "Client Administrators Internal";allow (all)(groupdn = "ldap:///cn=*ldapadmins,ou=groups,[$dn],o=internal,dc=mycompany,dc=com");)

(targetattr = "*") (target = "ldap:///($dn),o=external,dc=mycompany, dc=com") (version 3.0;acl "Client Administrators External";allow (all)(groupdn = "ldap:///cn=*ldapadmins,ou=groups,[$dn],o=internal,dc=mycompany,dc=com");)

We are having a problem in the last line. It does not look like DS likes wildcards in groupdn definitions (although I think they are OK in userdn) which we need because of our uniqueness constraints.
We haven't had time to fix this but have been testing with something like this where we use the same named group in different contexts in a section of the tree which is not uniqueness constrained:

(targetattr = "*") (target = "ldap:///($dn),o=external,dc=mycompany, dc=com") (version 3.0;acl "Test Client Administrators External";allow (all)(groupdn = "ldap:///cn=ldapadmins,[$dn],o=SysAccounts,dc=mycompany,dc=com");)

I would think it would be trivial to adapt this to have a user oversee the entire tree. The trick for us was the variables to have one ACI (or two) for hopefully hundreds of clients.

I may be missing your point as I'm honestly flying through this email on my way to building our PBX (until we hire our PBX engineer - ah the grief of delayed funding!) but hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From dcoatshca at gmail.com Wed Jun 17 00:25:08 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Tue, 16 Jun 2009 19:25:08 -0500
Subject: [389-users] OS to authenticate to DS using TLS
Message-ID:

So my next hurdle I am tackling SSL certificates. I produced self-signed certificates and have installed them in through the Management Console. I can run the Management Console using a secure connection.

Linux uses DS to authenticate (configured using System > Administration > Authentication and enabling LDAP support). If I try to "Use TLS to encrypt connection" I can't program a URL that will let me download the CA Certificate successfully. I hope that all made sense.

Am I missing something? Do I need this?

Thanks for any advice!

From jsullivan at opensourcedevel.com Wed Jun 17 01:34:47 2009
From: jsullivan at opensourcedevel.com (John A.
Sullivan III) Date: Tue, 16 Jun 2009 21:34:47 -0400 Subject: [389-users] OS to authenticate to DS using TLS In-Reply-To: References: Message-ID: <1245202487.6381.32.camel@jaspav.missionsit.net.missionsit.net> On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote: > So my next hurdle I am tackling SSL certificates. I produced > self-signed certificates and have installed them in through the > Management Console. I can run the Management Console using a secure > connection. > > Linux uses DS to authenticate (configured using System > > Administration > Authentication and enableing LDAP support). If I try > to "Use TLS to encrypt connection" I can't program a URL that will let > me download the CA Certificate successfully. I hope that all made > sence. > > Am I missing something? Do I need this? > Sorry, I don't quite follow. I know it was a difficult to follow post but I did post how we set up SSL communications including the client side setup. We simply copied the CA cert to the clients (servers using LDAP for authentication) via scp - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From narender.hooda at gmail.com Wed Jun 17 04:27:49 2009 From: narender.hooda at gmail.com (Hakuna Matata) Date: Wed, 17 Jun 2009 09:57:49 +0530 Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS Message-ID: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> Hi, I am new to FDS, i have set this up as per the documentation . It is working fine . Now want that linux client (CentOS 5.3) to authenticate with FDS. hostname of FDS = ldap.fds.local i create a user test01 and fill the posix information on client machine i am using system-config-authentiation 1. check the LDAP box and filled the details as . 
LDAP search base dn = dc=vfds, dc=local LDAP Server = ldap://ldap.vfds.local then i rebooted the machine and trying to login via user test01. now it is showing error as username or password incorrect. i would really appreciate if someone can give me some pointer or help where i am doing wrong. Many Thanks in advance Best regards --H From amirov at infinet.ru Wed Jun 17 06:51:16 2009 From: amirov at infinet.ru (Dmitry Amirov) Date: Wed, 17 Jun 2009 12:51:16 +0600 Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS In-Reply-To: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> Message-ID: <4A389264.3010109@infinet.ru> Hello Is it ldap://ldap.vfds.local correct? Please, try this command: ping ldap.vfds.local If pinging then try to use command getent to check that ldap users are present in your system. getent passwd If not pinging, then you need to use FQDN or ip-address, like this: ldap://1.2.3.4 ldap://example.com Hakuna Matata wrote: > Hi, > > I am new to FDS, i have set this up as per the documentation . It is > working fine . > Now want that linux client (CentOS 5.3) to authenticate with FDS. > > hostname of FDS = ldap.fds.local > > i create a user test01 and fill the posix information > > on client machine i am using system-config-authentiation > 1. check the LDAP box and filled the details as . > LDAP search base dn = dc=vfds, dc=local > LDAP Server = ldap://ldap.vfds.local > > then i rebooted the machine and trying to login via user test01. now > it is showing error as username or password incorrect. > > > i would really appreciate if someone can give me some pointer or help > where i am doing wrong. 
> > Many Thanks in advance > Best regards > --H > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From narender.hooda at gmail.com Wed Jun 17 07:09:30 2009 From: narender.hooda at gmail.com (Hakuna Matata) Date: Wed, 17 Jun 2009 12:39:30 +0530 Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS In-Reply-To: <4A389264.3010109@infinet.ru> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> Message-ID: <253e13910906170009u7bad9fb3h2064c1f965cbf677@mail.gmail.com> Yes this is correct. i am able to ping this. getent passwd is just returning the /etc/password users i also trying it by IP as you are suggesting...still no luck... :( is there any other place where i can look --H On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov wrote: > Hello > > Is it ldap://ldap.vfds.local correct? > Please, try this command: > > ping ldap.vfds.local > > If pinging then try to use command getent to check that ldap users are > present in your system. > getent passwd > > If not pinging, then you need to use FQDN or ip-address, like this: > > ldap://1.2.3.4 > ldap://example.com > > > Hakuna Matata wrote: > > Hi, > > > > I am new to FDS, i have set this up as per the documentation . It is > > working fine . > > Now want that linux client (CentOS 5.3) to authenticate with FDS. > > > > hostname of FDS = ldap.fds.local > > > > i create a user test01 and fill the posix information > > > > on client machine i am using system-config-authentiation > > 1. check the LDAP box and filled the details as . > > LDAP search base dn = dc=vfds, dc=local > > LDAP Server = > ldap://ldap.vfds.local > > > > then i rebooted the machine and trying to login via user test01. now > > it is showing error as username or password incorrect. > > > > > > i would really appreciate if someone can give me some pointer or help > > where i am doing wrong. 
> > > > Many Thanks in advance > > Best regards > > --H > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From amirov at infinet.ru Wed Jun 17 07:25:43 2009 From: amirov at infinet.ru (Dmitry Amirov) Date: Wed, 17 Jun 2009 13:25:43 +0600 Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS In-Reply-To: <253e13910906170009u7bad9fb3h2064c1f965cbf677@mail.gmail.com> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170009u7bad9fb3h2064c1f965cbf677@mail.gmail.com> Message-ID: <4A389A77.60500@infinet.ru> Please show your /etc/nsswitch.conf These entries should be: passwd: files ldap shadow: files ldap group: files ldap Hakuna Matata wrote: > Yes this is correct. > i am able to ping this. > > getent passwd is just returning the /etc/password users > > i also trying it by IP as you are suggesting...still no luck... :( > > is there any other place where i can look > > > --H > > On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov > wrote: > > Hello > > Is it ldap://ldap.vfds.local correct? > Please, try this command: > > ping ldap.vfds.local > > If pinging then try to use command getent to check that ldap users are > present in your system. > getent passwd > > If not pinging, then you need to use FQDN or ip-address, like this: > > ldap://1.2.3.4 > ldap://example.com > > > Hakuna Matata wrote: > > Hi, > > > > I am new to FDS, i have set this up as per the documentation . It is > > working fine . > > Now want that linux client (CentOS 5.3) to authenticate with FDS. 
> >
> > hostname of FDS = ldap.fds.local
> >
> > i create a user test01 and fill the posix information
> >
> > on client machine i am using system-config-authentication
> > 1. check the LDAP box and filled the details as .
> > LDAP search base dn = dc=vfds, dc=local
> > LDAP Server = ldap://ldap.vfds.local
> >
> > then i rebooted the machine and trying to login via user test01. now
> > it is showing error as username or password incorrect.
> >
> >
> > i would really appreciate if someone can give me some pointer or help
> > where i am doing wrong.
> >
> > Many Thanks in advance
> > Best regards
> > --H
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From narender.hooda at gmail.com Wed Jun 17 10:11:23 2009
From: narender.hooda at gmail.com (Hakuna Matata)
Date: Wed, 17 Jun 2009 15:41:23 +0530
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <4A389264.3010109@infinet.ru>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru>
Message-ID: <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com>

yes, my nsswitch.conf file is as below.

passwd:     files ldap
shadow:     files ldap
group:      files ldap

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files ldap

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

and /etc/ldap.conf file contains

uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

----i am still not able to authenticate.......
-best Regards --H On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov wrote: > Hello > > Is it ldap://ldap.vfds.local correct? > Please, try this command: > > ping ldap.vfds.local > > If pinging then try to use command getent to check that ldap users are > present in your system. > getent passwd > > If not pinging, then you need to use FQDN or ip-address, like this: > > ldap://1.2.3.4 > ldap://example.com > > > Hakuna Matata wrote: > > Hi, > > > > I am new to FDS, i have set this up as per the documentation . It is > > working fine . > > Now want that linux client (CentOS 5.3) to authenticate with FDS. > > > > hostname of FDS = ldap.fds.local > > > > i create a user test01 and fill the posix information > > > > on client machine i am using system-config-authentiation > > 1. check the LDAP box and filled the details as . > > LDAP search base dn = dc=vfds, dc=local > > LDAP Server = > ldap://ldap.vfds.local > > > > then i rebooted the machine and trying to login via user test01. now > > it is showing error as username or password incorrect. > > > > > > i would really appreciate if someone can give me some pointer or help > > where i am doing wrong. > > > > Many Thanks in advance > > Best regards > > --H > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 
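As an added example (not code from the thread), here is a small audit script that reads the two client files posted above, /etc/nsswitch.conf and /etc/ldap.conf, and reports the settings that decide whether an LDAP user can be resolved and authenticated at all. The embedded file contents are constructed to match what was posted; note that the posted ldap.conf has no base line, which is the search base Jean-Noël asks about further down the thread. The severity levels and the audit_ldap_client function are this example's own, not part of nss_ldap or authconfig.

```python
"""Audit a Linux nss_ldap/pam_ldap client configuration (added example)."""

# Constructed sample: the /etc/ldap.conf posted in the thread; there is no 'base' line.
SAMPLE_LDAP_CONF = """\
uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
"""

# Constructed sample: the relevant part of the /etc/nsswitch.conf posted in the thread.
SAMPLE_NSSWITCH = """\
passwd:     files ldap
shadow:     files ldap
group:      files ldap

ethers:     files
netgroup:   files ldap
automount:  files ldap
aliases:    files nisplus
"""


def parse_ldap_conf(text):
    """'key value' lines -> {key: value}; keys lower-cased, '#' comments skipped.
    A repeated key keeps its last value, which is how the library reads it too."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ''
    return conf


def parse_nsswitch(text):
    """'database: src [action] src' lines -> {database: [sources]} (bracket clauses dropped)."""
    db = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        name, _, sources = line.partition(':')
        db[name.strip()] = [s for s in sources.split() if not s.startswith('[')]
    return db


def audit_ldap_client(ldap_conf_text, nsswitch_text):
    """Return [(severity, message)] sorted error > warning > info; an empty list is clean."""
    conf = parse_ldap_conf(ldap_conf_text)
    nss = parse_nsswitch(nsswitch_text)
    findings = []

    # Without a search base the client cannot find any entry: getent shows only
    # local users and every directory login fails with a generic error.
    if not conf.get('base'):
        findings.append(('error', "ldap.conf has no 'base': the client has no search base"))
    if not (conf.get('uri') or conf.get('host')):
        findings.append(('error', "ldap.conf names no server ('uri' or 'host')"))

    # NSS never asks the directory for a database that does not list 'ldap'.
    for name in ('passwd', 'shadow', 'group'):
        if 'ldap' not in nss.get(name, []):
            findings.append(('error', f"nsswitch.conf: '{name}' does not consult ldap"))

    # Security caveat: 'ssl no' on a plain ldap:// uri means the simple bind used to
    # check the user's password crosses the network unencrypted.
    ssl = conf.get('ssl', 'no').lower()
    uri = conf.get('uri', '')
    if ssl == 'no' and not uri.startswith('ldaps://'):
        findings.append(('warning', "ssl is 'no' and uri is not ldaps://: bind passwords "
                                    "cross the network in clear text"))
    if ssl == 'no' and conf.get('tls_cacertdir'):
        findings.append(('info', "tls_cacertdir is set but TLS is never used"))

    rank = {'error': 0, 'warning': 1, 'info': 2}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == '__main__':
    # On a real client swap the samples for open('/etc/ldap.conf').read() etc.
    for sev, msg in audit_ldap_client(SAMPLE_LDAP_CONF, SAMPLE_NSSWITCH):
        print(f"[{sev}] {msg}")
```

Against the posted files this reports the missing base as an error and the unencrypted bind as a warning; adding a base line and ssl start_tls (or an ldaps:// uri with the CA certificate installed, which is what the other thread on this page is about) clears both.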
From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 17 11:03:51 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Wed, 17 Jun 2009 13:03:51 +0200
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com>
Message-ID: <4A38CD97.8000405@dr15.cnrs.fr>

hi,

ok, I suppose the ip address of the server is 192.168.5.1 (right?)
and you have a client (a centos 5.3) with an ip address unknown to us.

I suppose the nsswitch.conf and /etc/ldap.conf below are on the client, so it is correct.

Then can you show the files /etc/pam.d/system-auth and /etc/pam.d/login that are on the client please?

then can you tell us what is the uid of the user test01 in the FDS?

Hakuna Matata wrote:
>
> yes, my nsswitch.conf file is as below.
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files ldap
>
> publickey: nisplus
>
> automount: files ldap
> aliases: files nisplus
>
>
> and /etc/ldap.conf file contains
> uri ldap://192.168.5.1
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
>
>
>
> ----i am still not able to authenticate.......
>
>
> -best Regards
> --H
>
> On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov wrote:
>
> Hello
>
> Is it ldap://ldap.vfds.local correct?
> Please, try this command:
>
> ping ldap.vfds.local
>
> If pinging then try to use command getent to check that ldap users are
> present in your system.
> getent passwd > > If not pinging, then you need to use FQDN or ip-address, like this: > > ldap://1.2.3.4 > ldap://example.com > > > Hakuna Matata wrote: > > Hi, > > > > I am new to FDS, i have set this up as per the documentation . It is > > working fine . > > Now want that linux client (CentOS 5.3) to authenticate with FDS. > > > > hostname of FDS = ldap.fds.local > > > > i create a user test01 and fill the posix information > > > > on client machine i am using system-config-authentiation > > 1. check the LDAP box and filled the details as . > > LDAP search base dn = dc=vfds, dc=local > > LDAP Server = > ldap://ldap.vfds.local > > > > then i rebooted the machine and trying to login via user test01. now > > it is showing error as username or password incorrect. > > > > > > i would really appreciate if someone can give me some pointer or > help > > where i am doing wrong. > > > > Many Thanks in advance > > Best regards > > --H > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From narender.hooda at gmail.com Wed Jun 17 11:31:23 2009 From: narender.hooda at gmail.com (Hakuna Matata) Date: Wed, 17 Jun 2009 17:01:23 +0530 Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS In-Reply-To: <4A38CD97.8000405@dr15.cnrs.fr> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> Message-ID: <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> Jean Thanks for a quick reply. 
Client IP address is 192.168.5.4
yes these files are from client only.

/etc/pam.d/system-auth
------------------------------------------------
This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
-----------------------------------------------------------------------

and /etc/pam.d/login

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
----------------------------------------------------------------------------------

what is the uid of the user test01 in the FDS

uid is t01

and under Posix user

uid number =2223 (i manually gave this)
gid
number=2223 home dire = /home/test login shell=/bin/test and then i create a directory with name "test" under /home ...........eg. mkdir /home/test Best Regards --H On Wed, Jun 17, 2009 at 4:33 PM, jean-No?l Chardron < Jean-Noel.Chardron at dr15.cnrs.fr> wrote: > hi, > > ok , I suppose the ip adress of the server is 192.168.5.1 (right ?) > and you have a client (a centos 5.3) with unknow to us ip address. > > I suppose the nsswitch.conf and /etc/ldap.conf below is on the client so it > is correct > > Then can you show the files /etc/pam.d/system-auth and /etc/pam.d/login > that are on the client please > > then can you tell us what is the uid of the user test01 in the FDS > > > > Hakuna Matata a ?crit : > >> >> yes, my nsswitch.conf file is as below. >> passwd: files ldap >> shadow: files ldap >> group: files ldap >> >> ethers: files >> netmasks: files >> networks: files >> protocols: files >> rpc: files >> services: files >> >> netgroup: files ldap >> >> publickey: nisplus >> >> automount: files ldap >> aliases: files nisplus >> >> >> and /etc/ldap.conf file contains >> uri ldap://192.168.5.1 >> ssl no >> tls_cacertdir /etc/openldap/cacerts >> pam_password md5 >> >> >> >> >> ----i am still not able to authenticate....... >> >> >> -best Regards >> --H >> >> On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov > amirov at infinet.ru>> wrote: >> >> Hello >> >> Is it ldap://ldap.vfds.local correct? >> Please, try this command: >> >> ping ldap.vfds.local >> >> If pinging then try to use command getent to check that ldap users are >> present in your system. >> getent passwd >> >> If not pinging, then you need to use FQDN or ip-address, like this: >> >> ldap://1.2.3.4 >> ldap://example.com >> >> >> Hakuna Matata wrote: >> > Hi, >> > >> > I am new to FDS, i have set this up as per the documentation . It is >> > working fine . >> > Now want that linux client (CentOS 5.3) to authenticate with FDS. 
>> > >> > hostname of FDS = ldap.fds.local >> > >> > i create a user test01 and fill the posix information >> > >> > on client machine i am using system-config-authentiation >> > 1. check the LDAP box and filled the details as . >> > LDAP search base dn = dc=vfds, dc=local >> > LDAP Server = >> ldap://ldap.vfds.local >> > >> > then i rebooted the machine and trying to login via user test01. now >> > it is showing error as username or password incorrect. >> > >> > >> > i would really appreciate if someone can give me some pointer or >> help >> > where i am doing wrong. >> > >> > Many Thanks in advance >> > Best regards >> > --H >> > >> > -- >> > 389 users mailing list >> > 389-users at redhat.com >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> ------------------------------------------------------------------------ >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 
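Jean-Noël says further down that the PAM files look right. As an added example (not from the thread), the following Python walks the auth and account stacks of the posted system-auth the way Linux-PAM's control keywords (required, requisite, sufficient, optional and the bracketed form) do, and reports which modules a login attempt actually reaches. The sample stack is copied from the posted file; the per-module behaviour model (model_module) and the three test users are constructed simplifications, not the real modules, and numeric skip actions such as success=1 are not modelled. What it shows is that pam_ldap.so is only consulted once pam_succeed_if.so has resolved the user's uid, so an account that NSS cannot resolve fails at the requisite line with the generic "incorrect" login error before any LDAP bind is attempted.

```python
"""Evaluate a PAM stack the way Linux-PAM's control keywords do (added example)."""
import operator
import re

# Constructed sample: the auth and account sections of the system-auth file posted above.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""

LINE_RE = re.compile(r'^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def parse_pam(text):
    """Return [(type, control, module, args)], skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith('#'):
            m = LINE_RE.match(line)
            if m:
                entries.append(m.groups())
    return entries


# The four keywords in the bracketed form Linux-PAM expands them to internally.
KEYWORDS = {
    'required':   {'success': 'ok',   'default': 'bad'},
    'requisite':  {'success': 'ok',   'default': 'die'},
    'sufficient': {'success': 'done', 'default': 'ignore'},
    'optional':   {'success': 'ok',   'default': 'ignore'},
}


def control_table(control):
    """Map a control field to {result: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    return dict(item.split('=', 1) for item in control.strip('[]').split())


OPS = {'>=': operator.ge, '<=': operator.le, '!=': operator.ne,
       '>': operator.gt, '<': operator.lt, '=': operator.eq}


def model_module(module, args, user, phase):
    """Constructed behaviour model of the modules in the sample stack.
    user keys: nss (can getpwnam resolve the name), uid, local (has an
    /etc/shadow entry), local_pw / ldap_pw (would that password check pass)."""
    if module in ('pam_env.so', 'pam_permit.so'):
        return 'success'
    if module == 'pam_deny.so':
        return 'perm_denied'
    if module in ('pam_unix.so', 'pam_succeed_if.so') and not user['nss']:
        return 'user_unknown'             # both need a passwd entry to work on
    if module == 'pam_unix.so':
        if phase == 'account':
            return 'success'              # broken_shadow: a missing shadow entry is tolerated
        return 'success' if user['local'] and user['local_pw'] else 'auth_err'
    if module == 'pam_succeed_if.so':
        m = re.search(r'uid\s*(>=|<=|!=|>|<|=)\s*(\d+)', args)
        return 'success' if OPS[m.group(1)](user['uid'], int(m.group(2))) else 'auth_err'
    if module == 'pam_ldap.so':
        return 'success' if user['ldap_pw'] else 'auth_err'
    raise ValueError(f'no behaviour model for {module}')


def evaluate(entries, phase, user):
    """Run one management group. Returns (final_result, modules_consulted)."""
    consulted, failure = [], None
    for typ, control, module, args in entries:
        if typ != phase:
            continue
        result = model_module(module, args, user, phase)
        consulted.append(module)
        table = control_table(control)
        action = table.get(result, table.get('default', 'bad'))
        if action == 'bad':
            failure = failure or result   # remember the first failure, keep going
        elif action == 'die':
            return failure or result, consulted
        elif action == 'done' and failure is None:
            return 'success', consulted   # 'sufficient' ends the stack only if nothing failed
        # 'ok', 'ignore', and 'done' after a failure fall through to the next line
    return failure or 'success', consulted


if __name__ == '__main__':
    entries = parse_pam(SAMPLE_SYSTEM_AUTH)
    # Constructed users: one NSS cannot resolve, one LDAP user with uid 2223, one local root.
    users = [('unresolvable', dict(nss=False, uid=None, local=False, local_pw=False, ldap_pw=True)),
             ('ldap uid 2223', dict(nss=True, uid=2223, local=False, local_pw=False, ldap_pw=True)),
             ('local root', dict(nss=True, uid=0, local=True, local_pw=True, ldap_pw=False))]
    for name, user in users:
        print(name, evaluate(entries, 'auth', user))
```

The unresolvable user stops at pam_succeed_if.so with user_unknown and never touches pam_ldap.so, which is why "getent passwd" showing no directory users is the first thing to fix; the resolvable uid 2223 user reaches pam_ldap.so and succeeds, and a local root login ends at the sufficient pam_unix.so line without consulting LDAP at all.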
From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 17 12:45:24 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Wed, 17 Jun 2009 14:45:24 +0200
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com>
Message-ID: <4A38E564.5000306@dr15.cnrs.fr>

Hakuna Matata wrote:
> Jean
> Thanks for a quick reply.
>
> Client IP address is 192.168.5.4
> yes these files are from client only.
>
all files seem correct (in system-auth the interesting lines are the ones with pam_ldap.so)

So maybe the base to search in the tree is misconfigured in the /etc/ldap.conf.
you previously showed the /etc/ldap.conf:

uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

can you show the output of the command:

grep base /etc/ldap.conf

with only the lines that are uncommented; normally this will show the distinguished name of the search base, and this must correspond with the tree in your FDS.

>
> /etc/pam.d/system-auth
> ------------------------------------------------
> This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth sufficient pam_ldap.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 500 quiet > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_ldap.so use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session optional pam_keyinit.so revoke > session required pam_limits.so > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session optional pam_ldap.so > ----------------------------------------------------------------------- > > and* /etc/pam.d/login * > > #%PAM-1.0 > auth [user_unknown=ignore success=ok ignore=ignore default=bad] > pam_securetty.so > auth include system-auth > account required pam_nologin.so > account include system-auth > password include system-auth > # pam_selinux.so close should be the first session rule > session required pam_selinux.so close > session include system-auth > session required pam_loginuid.so > session optional pam_console.so > # pam_selinux.so open should only be followed by sessions to be > executed in the user context > session required pam_selinux.so open > session optional pam_keyinit.so force revoke > ~ > ---------------------------------------------------------------------------------- > > what is the *uid of the user test01 in the FDS* > > uid is t01 > > and under Posix user > > uid numbe =2223 (i manually gave this) > gid number=2223 > home dire = /home/test > login shell=/bin/test > > > and then i create a directory with name "test" under /home > 
...........eg. mkdir /home/test > > > > > Best Regards > --H > > > > > > > On Wed, Jun 17, 2009 at 4:33 PM, jean-No?l Chardron > > wrote: > > hi, > > ok , I suppose the ip adress of the server is 192.168.5.1 (right ?) > and you have a client (a centos 5.3) with unknow to us ip address. > > I suppose the nsswitch.conf and /etc/ldap.conf below is on the > client so it is correct > > Then can you show the files /etc/pam.d/system-auth and > /etc/pam.d/login that are on the client please > > then can you tell us what is the uid of the user test01 in the FDS > > > > Hakuna Matata a ?crit : > > > yes, my nsswitch.conf file is as below. > passwd: files ldap > shadow: files ldap > group: files ldap > > ethers: files > netmasks: files > networks: files > protocols: files > rpc: files > services: files > > netgroup: files ldap > > publickey: nisplus > > automount: files ldap > aliases: files nisplus > > > and /etc/ldap.conf file contains > uri ldap://192.168.5.1 > > ssl no > tls_cacertdir /etc/openldap/cacerts > pam_password md5 > > > > > ----i am still not able to authenticate....... > > > -best Regards > --H > > On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov > > >> wrote: > > Hello > > Is it ldap://ldap.vfds.local correct? > Please, try this command: > > ping ldap.vfds.local > > If pinging then try to use command getent to check that > ldap users are > present in your system. > getent passwd > > If not pinging, then you need to use FQDN or ip-address, > like this: > > ldap://1.2.3.4 > ldap://example.com > > > > Hakuna Matata wrote: > > Hi, > > > > I am new to FDS, i have set this up as per the > documentation . It is > > working fine . > > Now want that linux client (CentOS 5.3) to authenticate > with FDS. > > > > hostname of FDS = ldap.fds.local > > > > i create a user test01 and fill the posix information > > > > on client machine i am using system-config-authentiation > > 1. check the LDAP box and filled the details as . 
> > LDAP search base dn = dc=vfds, > dc=local > > LDAP Server = > ldap://ldap.vfds.local > > > > then i rebooted the machine and trying to login via user > test01. now > > it is showing error as username or password incorrect. > > > > > > i would really appreciate if someone can give me some > pointer or > help > > where i am doing wrong. > > > > Many Thanks in advance > > Best regards > > --H > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > 389 users mailing list > 389-users at redhat.com > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Jean-Noel Chardron From david.donnan at thalesgroup.com Wed Jun 17 12:58:01 2009 From: david.donnan at thalesgroup.com (David (Dave) Donnan) Date: Wed, 17 Jun 2009 14:58:01 +0200 Subject: [389-users] OS to authenticate to DS using TLS In-Reply-To: <1245202487.6381.32.camel@jaspav.missionsit.net.missionsit.net> References: <1245202487.6381.32.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4A38E859.3070900@thalesgroup.com> Hello. I think I understand the problem. I copied the CA cert locally to /tmp/CAcert.txt I then ran 'system-config-authentication' and used a URL like the following (where it says 'Download CA Certificate'): file:///tmp/CAcert.txt It's a lazy man's approach but it worked. Cdlt, Dave -------- And John A. 
Sullivan III wrote: > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote: > >> So my next hurdle I am tackling SSL certificates. I produced >> self-signed certificates and have installed them in through the >> Management Console. I can run the Management Console using a secure >> connection. >> >> Linux uses DS to authenticate (configured using System > >> Administration > Authentication and enabling LDAP support). If I try >> to "Use TLS to encrypt connection" I can't program a URL that will let >> me download the CA Certificate successfully. I hope that all made >> sense. >> >> Am I missing something? Do I need this? >> > > > Sorry, I don't quite follow. I know it was a difficult to follow post > but I did post how we set up SSL communications including the client > side setup. We simply copied the CA cert to the clients (servers using > LDAP for authentication) via scp - John > From dcoatshca at gmail.com Wed Jun 17 14:12:20 2009 From: dcoatshca at gmail.com (Doug Coats) Date: Wed, 17 Jun 2009 09:12:20 -0500 Subject: [389-users] OS to authenticate to DS using TLS In-Reply-To: <4A38E859.3070900@thalesgroup.com> References: <1245202487.6381.32.camel@jaspav.missionsit.net.missionsit.net> <4A38E859.3070900@thalesgroup.com> Message-ID: Thanks Dave - that worked. I am still having some problem with the certificates though. If I try this in the directory where the certificates are: openssl s_client -connect localhost:636 -CAfile filename I get a listing of the certificates without errors. If I try: ldapsearch -H ldaps://localhost:636 ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed If I start the console using: centos-idm-console -a https://127.0.0.1:9830 I have to "Accept" the certificate each time.
It looks like there may be some problem with the certificate or some setting in DS that still needs to be switched on. What do you think? Thanks again for all of your help! On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan < david.donnan at thalesgroup.com> wrote: > Hello. I think I understand the problem. > > I copied the CA cert locally to /tmp/CAcert.txt > > I then ran 'system-config-authentication' and used a URL like the > following (where it says 'Download CA Certificate'): > > file:///tmp/CAcert.txt > > It's a lazy man's approach but it worked. > > Cdlt, Dave > -------- > > > And John A. Sullivan III wrote: > > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote: > > > So my next hurdle I am tackling SSL certificates. I produced > self-signed certificates and have installed them in through the > Management Console. I can run the Management Console using a secure > connection. > > Linux uses DS to authenticate (configured using System > > Administration > Authentication and enabling LDAP support). If I try > to "Use TLS to encrypt connection" I can't program a URL that will let > me download the CA Certificate successfully. I hope that all made > sense. > > Am I missing something? Do I need this? > > > > > > Sorry, I don't quite follow. I know it was a difficult to follow post > but I did post how we set up SSL communications including the client > side setup. We simply copied the CA cert to the clients (servers using > LDAP for authentication) via scp - John > > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
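An added check for the symptom Doug describes above: openssl s_client with -CAfile verifies the chain, yet ldapsearch over ldaps:// reports "certificate verify failed". openssl was handed the CA on its command line; ldapsearch takes its trust anchor from the OpenLDAP client configuration (TLS_CACERT or TLS_CACERTDIR in /etc/openldap/ldap.conf, or LDAPTLS_CACERT in the environment) and with none configured cannot verify the server certificate. The script below is example code, not part of this thread or of 389/Fedora DS; the three ldap.conf fragments are constructed and the CA path is a placeholder. It reports whether a client config carries a trust anchor and flags TLS_REQCERT never/allow, which makes the error go away by accepting any certificate rather than by verifying it.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an OpenLDAP client
# configuration (/etc/openldap/ldap.conf or ~/.ldaprc) for the trust
# anchor ldapsearch needs to verify a server certificate over ldaps://,
# and flag settings that silence the error by disabling verification.
# Assumed: the documented keys TLS_CACERT, TLS_CACERTDIR, TLS_REQCERT.
# Every sample config below is constructed; the CA path is a placeholder.

# Constructed: the state in the thread, where openssl s_client was given
# the CA with -CAfile but the LDAP client has no CA configured at all.
LDAP_CONF_NO_CA='URI ldaps://localhost:636
BASE dc=example,dc=com'

# Constructed: the client pointed at the CA file (placeholder path).
LDAP_CONF_WITH_CA='URI ldaps://localhost:636
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/cacerts/CAcert.pem
TLS_REQCERT demand'

# Constructed: the "fix" to avoid; the session proceeds on any certificate.
LDAP_CONF_NOVERIFY='URI ldaps://localhost:636
TLS_REQCERT never'

# tls_trust_status CONFIG_TEXT
# Prints one word: missing-ca, verify-disabled or ok.
tls_trust_status() {
    # ldap.conf keys are case-insensitive, so normalise before matching
    upper=$(printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]')
    reqcert=$(printf '%s\n' "$upper" | awk '$1 == "TLS_REQCERT" { print $2 }')
    has_ca=$(printf '%s\n' "$upper" \
        | awk '$1 == "TLS_CACERT" || $1 == "TLS_CACERTDIR" { print "yes"; exit }')
    # "never" and "allow" both let the session continue on a bad certificate
    if [ "$reqcert" = "NEVER" ] || [ "$reqcert" = "ALLOW" ]; then
        echo verify-disabled
    elif [ -z "$has_ca" ]; then
        echo missing-ca
    else
        echo ok
    fi
}

# ldaps_probe_command CA_FILE
# Prints an ldapsearch invocation that trusts CA_FILE for this run only
# (LDAPTLS_CACERT is the environment form of TLS_CACERT), so a candidate
# CA file can be tried before the system-wide ldap.conf is edited.
ldaps_probe_command() {
    printf "LDAPTLS_CACERT=%s ldapsearch -x -H ldaps://localhost:636 -s base -b '' objectclass=*\n" "$1"
}

# Report each sample config. For a real client, feed in the live file:
#   tls_trust_status "$(cat /etc/openldap/ldap.conf)"
for name in LDAP_CONF_NO_CA LDAP_CONF_WITH_CA LDAP_CONF_NOVERIFY; do
    eval "conf=\$$name"
    printf '%-20s %s\n' "$name" "$(tls_trust_status "$conf")"
done
printf 'Probe: %s\n' "$(ldaps_probe_command /etc/openldap/cacerts/CAcert.pem)"
```

Running it as-is prints missing-ca, ok and verify-disabled for the three constructed fragments and then the probe command. The probe is the step to run first: if ldapsearch succeeds with LDAPTLS_CACERT pointing at the CA file, the same path belongs in TLS_CACERT in ldap.conf, and TLS_REQCERT can stay at its default of demand.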
From andrew.kerr at amdocs.com Wed Jun 17 14:26:00 2009 From: andrew.kerr at amdocs.com (Andrew Kerr) Date: Wed, 17 Jun 2009 07:26:00 -0700 Subject: [389-users] Unable to connect to Admin or DS from management console In-Reply-To: <4A38E564.5000306@dr15.cnrs.fr> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr><253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> Message-ID: <79C574D4B49B6047B5213B694531E5FF018E4103@seamail1.corp.amdocs.com> I recently added a new fedora ds replica (1.2.0) to my master (1.0.4). I was able to add the new machine, and replicate to it. I set up the replication via the console, and everything was working fine. Today when I launch the console on the master and connect to the replica running 1.2.0 I get an error: "Failed to install a local copy of fedora-admin-1.1.jar or one of its components" "Can not connect to http://0.0.0.0:9830". 9830 is the correct port of the remote machine, but 0.0.0.0 isn't the correct ip. The local admin console is running on a different port. I can do a wget on the remote machine http://:9830 and I am able to connect and get the "download" page that has the quick console. So it isn't a network issue. The only change I've made is to add another replica, running 1.0.4. I can connect to that one just fine, and all of the others. I just can't get to the one I added a few days ago that is running the newer version. I'd suspect java, or something along those lines, except that it worked yesterday and nothing (verified by the yum logs) has been installed or changed on the server. My guess is that maybe the 1.0.4 ones work ok because they're running the same version, and no additional jar files are needed. I looked in the .fedora-console/jars and I don't see the new one.
I tried removing that directory and letting it create a new one, also with no luck. I tried adding another 1.2.0 installation, and same problem. Any ideas would be greatly appreciated! This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at http://www.amdocs.com/email_disclaimer.asp From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 17 14:43:29 2009 From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron) Date: Wed, 17 Jun 2009 16:43:29 +0200 Subject: [389-users] Unable to connect to Admin or DS from management console In-Reply-To: <79C574D4B49B6047B5213B694531E5FF018E4103@seamail1.corp.amdocs.com> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr><253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <79C574D4B49B6047B5213B694531E5FF018E4103@seamail1.corp.amdocs.com> Message-ID: <4A390111.4010908@dr15.cnrs.fr> *Don't hijack threads*. Don't post a new message by replying to an existing message and just changing the subject. The message will still have an In-Reply-To header, which messes up message threading. Andrew Kerr a écrit : From jsullivan at opensourcedevel.com Wed Jun 17 14:46:37 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Wed, 17 Jun 2009 10:46:37 -0400 Subject: [389-users] OS to authenticate to DS using TLS In-Reply-To: References: <1245202487.6381.32.camel@jaspav.missionsit.net.missionsit.net> <4A38E859.3070900@thalesgroup.com> Message-ID: <1245249997.6374.21.camel@jaspav.missionsit.net.missionsit.net> I believe we encountered this problem, too, and found we needed to import the CA cert into the nss database for the user running centos-idm-console.
The details are in that long, long, post - John On Wed, 2009-06-17 at 09:12 -0500, Doug Coats wrote: > Thanks Dave - that worked. > > I am still some problem with the certificates though. > > If it I try this in the directory where the certificates are: > > openssl s_client -connect localhost:636 -CAfile filename > > I get a listing of the certificates without errors. > > If I try: > > ldapsearch -H ldaps://localhost:636 > > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) > additional info: error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > If I start the console using: > > centos-idm-console -a https://127.0.0.1:9830 > > I have to "Accept" the certificate each time. > > It looks like there may be some problem with the certificate or some > setting in DS that still needs to be switched on. > > What do you think? > > Thanks again for all of your help! > > > On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan > wrote: > Hello. I think I understand the problem. > > I copied the CA cert locally to /tmp/CAcert.txt > > I then ran 'system-config-authentication' and used a URL like > the following (where it says 'Download CA Certificate'): > > file:///tmp/CAcert.txt > > It's a lazy man's approach but it worked. > > Cdlt, Dave > -------- > > > > And John A. Sullivan III wrote: > > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote: > > > > > So my next hurdle I am tackling SSL certificates. I produced > > > self-signed certificates and have installed them in through the > > > Management Console. I can run the Management Console using a secure > > > connection. > > > > > > Linux uses DS to authenticate (configured using System > > > > Administration > Authentication and enableing LDAP support). If I try > > > to "Use TLS to encrypt connection" I can't program a URL that will let > > > me download the CA Certificate successfully. I hope that all made > > > sence. > > > > > > Am I missing something? Do I need this? 
> > > > > > > > > Sorry, I don't quite follow. I know it was a difficult to follow post > > but I did post how we set up SSL communications including the client > > side setup. We simply copied the CA cert to the clients (servers using > > LDAP for authentication) via scp - John > > > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From jsullivan at opensourcedevel.com Wed Jun 17 14:58:38 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Wed, 17 Jun 2009 10:58:38 -0400 Subject: [389-users] OS to authenticate to DS using TLS In-Reply-To: <1245249997.6374.21.camel@jaspav.missionsit.net.missionsit.net> References: <1245202487.6381.32.camel@jaspav.missionsit.net.missionsit.net> <4A38E859.3070900@thalesgroup.com> <1245249997.6374.21.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <1245250718.6374.24.camel@jaspav.missionsit.net.missionsit.net> I was able to dig out that portion of the plan from our internal docs: We need to import the CA cert into the database of the centos-idm-console user, i.e., the user running the GUI. In their home directory is a .centos-idm-console. Enter that directory and issue the following command (assuming it is running on the same computer as the admin-server - otherwise change the CA cert source appropriately): certutil -A -d . -n "CA certificate" -t "CT,," -a -i /etc/dirsrv/admin-serv/CA.pem Close the centos-idm-console if it is still running. Reopen it but be sure to change the login Administration url to https://ldap1.mycompany.com:9830 rather than http. On Wed, 2009-06-17 at 10:46 -0400, John A. 
Sullivan III wrote: > I believe we encountered this problem, too, and found we needed to > import the CA cert into the nss database for the user running > centos-idm-console. The details are in that long, long, post - John > > On Wed, 2009-06-17 at 09:12 -0500, Doug Coats wrote: > > Thanks Dave - that worked. > > > > I am still some problem with the certificates though. > > > > If it I try this in the directory where the certificates are: > > > > openssl s_client -connect localhost:636 -CAfile filename > > > > I get a listing of the certificates without errors. > > > > If I try: > > > > ldapsearch -H ldaps://localhost:636 > > > > ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) > > additional info: error:14090086:SSL > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed > > If I start the console using: > > > > centos-idm-console -a https://127.0.0.1:9830 > > > > I have to "Accept" the certificate each time. > > > > It looks like there may be some problem with the certificate or some > > setting in DS that still needs to be switched on. > > > > What do you think? > > > > Thanks again for all of your help! > > > > > > On Wed, Jun 17, 2009 at 7:58 AM, David (Dave) Donnan > > wrote: > > Hello. I think I understand the problem. > > > > I copied the CA cert locally to /tmp/CAcert.txt > > > > I then ran 'system-config-authentication' and used a URL like > > the following (where it says 'Download CA Certificate'): > > > > file:///tmp/CAcert.txt > > > > It's a lazy man's approach but it worked. > > > > Cdlt, Dave > > -------- > > > > > > > > And John A. Sullivan III wrote: > > > On Tue, 2009-06-16 at 19:25 -0500, Doug Coats wrote: > > > > > > > So my next hurdle I am tackling SSL certificates. I produced > > > > self-signed certificates and have installed them in through the > > > > Management Console. I can run the Management Console using a secure > > > > connection. 
> > > > > > > > Linux uses DS to authenticate (configured using System > > > > > Administration > Authentication and enableing LDAP support). If I try > > > > to "Use TLS to encrypt connection" I can't program a URL that will let > > > > me download the CA Certificate successfully. I hope that all made > > > > sence. > > > > > > > > Am I missing something? Do I need this? > > > > > > > > > > > > > Sorry, I don't quite follow. I know it was a difficult to follow post > > > but I did post how we set up SSL communications including the client > > > side setup. We simply copied the CA cert to the clients (servers using > > > LDAP for authentication) via scp - John > > > > > > > > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From narender.hooda at gmail.com Wed Jun 17 17:35:27 2009 From: narender.hooda at gmail.com (Hakuna Matata) Date: Wed, 17 Jun 2009 23:05:27 +0530 Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS In-Reply-To: <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> Message-ID: <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> Still no luck.... 
i have added the below entry in my ldap.conf file base dc=vfds,dc=local --H On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata wrote: >>>>>grep base /etc/ldap.conf > ---------------------------------- > #scope base > # nss_base_XXX base?scope?filter > # where scope is {base,one,sub} > # nss_base_passwd ou=People, > # to append the default base DN but this > #nss_base_passwd ou=People,dc=example,dc=com?one > #nss_base_shadow ou=People,dc=example,dc=com?one > #nss_base_group ou=Group,dc=example,dc=com?one > #nss_base_hosts ou=Hosts,dc=example,dc=com?one > #nss_base_services ou=Services,dc=example,dc=com?one > #nss_base_networks ou=Networks,dc=example,dc=com?one > #nss_base_protocols ou=Protocols,dc=example,dc=com?one > #nss_base_rpc ou=Rpc,dc=example,dc=com?one > #nss_base_ethers ou=Ethers,dc=example,dc=com?one > #nss_base_netmasks ou=Networks,dc=example,dc=com?ne > #nss_base_bootparams ou=Ethers,dc=example,dc=com?one > #nss_base_aliases ou=Aliases,dc=example,dc=com?one > #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one > #nss_base_passwd ou=aixaccount,?one > #nss_base_group ou=aixgroup,?one > --------------------------------------------------------------------------- > > OK, so i was expecting some base which are binding it to FDS.....but did not > find here any such thing...which gives an impression that > system-config-authentication is not working properly in CentOS5.3. My > assumption may be wrong.... > > so if i put some entry in this like (base dc=vfds,dc=local)...and then boot > the client machine... can i expect it working then..... > > waiting for the advice....in the mean time i am rebooting the machine.... > > many thanks in advance... > > > --H > > On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron > wrote: >> >> Hakuna Matata a écrit : >>> >>> Jean >>> Thanks for a quick reply. >>> >>> Client IP address is 192.168.5.4 >>> yes these files are from client only.
>>> >> all files seem correct , (in system-auth the interesting lines are with >> pam_ldap.so) >> So may be, the base to search in the tree are misconfigured in the >> /etc/ldap.conf >> >> you previously show the /etc/ldap.conf : >> uri ldap://192.168.5.1 >> ssl no >> tls_cacertdir /etc/openldap/cacerts >> pam_password md5 >> >> can you show the output of the command : >> grep base /etc/ldap.conf >> with only the lines that are uncommented , normally this will show the >> distinguished name of the search base. >> and this must correspond with the tree in your FDS >> >> >> >>> >>> */etc/pam.d/system-auth * >>> ------------------------------------------------ >>> # This file is auto-generated. >>> # User changes will be destroyed the next time authconfig is run. >>> auth required pam_env.so >>> auth sufficient pam_unix.so nullok try_first_pass >>> auth requisite pam_succeed_if.so uid >= 500 quiet >>> auth sufficient pam_ldap.so use_first_pass >>> auth required pam_deny.so >>> >>> account required pam_unix.so broken_shadow >>> account sufficient pam_succeed_if.so uid < 500 quiet >>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so >>> account required pam_permit.so >>> >>> password requisite pam_cracklib.so try_first_pass retry=3 >>> password sufficient pam_unix.so md5 shadow nullok try_first_pass >>> use_authtok >>> password sufficient pam_ldap.so use_authtok >>> password required pam_deny.so >>> >>> session optional pam_keyinit.so revoke >>> session required pam_limits.so >>> session optional pam_keyinit.so revoke >>> session required pam_limits.so >>> session [success=1 default=ignore] pam_succeed_if.so service in crond >>> quiet use_uid >>> session required pam_unix.so >>> session optional
pam_ldap.so >>> ----------------------------------------------------------------------- >>> >>> and* /etc/pam.d/login * >>> >>> #%PAM-1.0 >>> auth [user_unknown=ignore success=ok ignore=ignore default=bad] >>> pam_securetty.so >>> auth include system-auth >>> account required pam_nologin.so >>> account include system-auth >>> password include system-auth >>> # pam_selinux.so close should be the first session rule >>> session required pam_selinux.so close >>> session include system-auth >>> session required pam_loginuid.so >>> session optional pam_console.so >>> # pam_selinux.so open should only be followed by sessions to be executed >>> in the user context >>> session required pam_selinux.so open >>> session optional pam_keyinit.so force revoke >>> ~ >>> ---------------------------------------------------------------------------------- >>> >>> what is the *uid of the user test01 in the FDS* >>> >>> uid is t01 >>> >>> and under Posix user >>> >>> uid number =2223 (i manually gave this) >>> gid number=2223 >>> home directory = /home/test >>> login shell=/bin/test >>> >>> >>> and then i create a directory with name "test" under /home ...........eg. >>> mkdir /home/test >>> >>> >>> >>> >>> Best Regards >>> --H >>> >>> >>> >>> >>> >>> >>> On Wed, Jun 17, 2009 at 4:33 PM, jean-Noël Chardron >>> > >>> wrote: >>> >>> hi, >>> >>> ok , I suppose the ip address of the server is 192.168.5.1 (right ?) >>> and you have a client (a centos 5.3) with an ip address unknown to us. >>> >>> I suppose the nsswitch.conf and /etc/ldap.conf below is on the >>> client so it is correct >>> >>> Then can you show the files /etc/pam.d/system-auth and >>> /etc/pam.d/login that are on the client please >>> >>> then can you tell us what is the uid of the user test01 in the FDS >>> >>> >>> >>> Hakuna Matata a écrit : >>> >>> >>>
yes, my nsswitch.conf file is as below. >>> passwd: files ldap >>> shadow: files ldap >>> group: files ldap >>> >>> ethers: files >>> netmasks: files >>> networks: files >>> protocols: files >>> rpc: files >>> services: files >>> >>> netgroup: files ldap >>> >>> publickey: nisplus >>> >>> automount: files ldap >>> aliases: files nisplus >>> >>> >>> and /etc/ldap.conf file contains >>> uri ldap://192.168.5.1 >>> >>> ssl no >>> tls_cacertdir /etc/openldap/cacerts >>> pam_password md5 >>> >>> >>> >>> >>> ----i am still not able to authenticate....... >>> >>> >>> -best Regards >>> --H >>> >>> On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov >>> >>> >> wrote: >>> >>> Hello >>> >>> Is it ldap://ldap.vfds.local correct? >>> Please, try this command: >>> >>> ping ldap.vfds.local >>> >>> If pinging then try to use command getent to check that >>> ldap users are >>> present in your system. >>> getent passwd >>> >>> If not pinging, then you need to use FQDN or ip-address, >>> like this: >>> >>> ldap://1.2.3.4 >>> ldap://example.com >>> >>> >>> >>> Hakuna Matata wrote: >>> > Hi, >>> > >>> > I am new to FDS, i have set this up as per the >>> documentation . It is >>> > working fine . >>> > Now want that linux client (CentOS 5.3) to authenticate >>> with FDS. >>> > >>> > hostname of FDS = ldap.fds.local >>> > >>> > i create a user test01 and fill the posix information >>> > >>> > on client machine i am using system-config-authentication >>> > 1. check the LDAP box and filled the details as . >>>
> LDAP search base dn = dc=vfds, >>> dc=local >>> > LDAP Server = >>> ldap://ldap.vfds.local >>> > >>> > then i rebooted the machine and trying to login via user >>> test01. now >>> > it is showing error as username or password incorrect. >>> > >>> > >>> > i would really appreciate if someone can give me some >>> pointer or >>> help >>> > where i am doing wrong. >>> > >>> > Many Thanks in advance >>> > Best regards >>> > --H >>> > >>> > -- >>> > 389 users mailing list >>> > 389-users at redhat.com >>> > >>> >>> > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> > >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> > >>> >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>>
https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >> -- >> Jean-Noel Chardron >> >> >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 17 17:55:20 2009 From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron) Date: Wed, 17 Jun 2009 19:55:20 +0200 Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS In-Reply-To: <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> Message-ID: <4A392E08.1040905@dr15.cnrs.fr> Hakuna Matata a écrit : > Still no luck.... > i have added the below entry in my ldap.conf file > base dc=vfds,dc=local > > hum, does your FDS answer an ldapsearch request ?
you can try something like this from the server and from the client : without credentials: ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" '' with credentials : ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" '' -W > --H > > On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata wrote: > >>>>>> grep base /etc/ldap.conf >>>>>> >> ---------------------------------- >> #scope base >> # nss_base_XXX base?scope?filter >> # where scope is {base,one,sub} >> # nss_base_passwd ou=People, >> # to append the default base DN but this >> #nss_base_passwd ou=People,dc=example,dc=com?one >> #nss_base_shadow ou=People,dc=example,dc=com?one >> #nss_base_group ou=Group,dc=example,dc=com?one >> #nss_base_hosts ou=Hosts,dc=example,dc=com?one >> #nss_base_services ou=Services,dc=example,dc=com?one >> #nss_base_networks ou=Networks,dc=example,dc=com?one >> #nss_base_protocols ou=Protocols,dc=example,dc=com?one >> #nss_base_rpc ou=Rpc,dc=example,dc=com?one >> #nss_base_ethers ou=Ethers,dc=example,dc=com?one >> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne >> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one >> #nss_base_aliases ou=Aliases,dc=example,dc=com?one >> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one >> #nss_base_passwd ou=aixaccount,?one >> #nss_base_group ou=aixgroup,?one >> --------------------------------------------------------------------------- >> >> OK, so i was expecting some base which are binding it to FDS.....but did not >> find here any such thing...which gives an impression that >> system-config-authentication is not working properly in CentOS5.3. My >> assumption may be wrong.... >> >> so if i put some entry in this like (base dc=vfds,dc=local)...and then boot >> the client machine... can i expect it working then..... >> >> waiting for the advice....in the mean time i am rebooting the machine.... >> >> many thanks in advance...
>> >> >> --H >> >> On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron >> wrote: >> >>> Hakuna Matata a écrit : >>> >>>> Jean >>>> Thanks for a quick reply. >>>> >>>> Client IP address is 192.168.5.4 >>>> yes these files are from client only. >>>> >>>> >>> all files seem correct , (in system-auth the interesting lines are with >>> pam_ldap.so) >>> So may be, the base to search in the tree are misconfigured in the >>> /etc/ldap.conf >>> >>> you previously show the /etc/ldap.conf : >>> uri ldap://192.168.5.1 >>> ssl no >>> tls_cacertdir /etc/openldap/cacerts >>> pam_password md5 >>> >>> can you show the output of the command : >>> grep base /etc/ldap.conf >>> with only the lines that are uncommented , normally this will show the >>> distinguished name of the search base. >>> and this must correspond with the tree in your FDS >>> >>> >>> >>> >>>> */etc/pam.d/system-auth * >>>> ------------------------------------------------ >>>> # This file is auto-generated. >>>> # User changes will be destroyed the next time authconfig is run.
>>>> auth required pam_env.so
>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>> auth sufficient pam_ldap.so use_first_pass
>>>> auth required pam_deny.so
>>>>
>>>> account required pam_unix.so broken_shadow
>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>> account required pam_permit.so
>>>>
>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>> password sufficient pam_ldap.so use_authtok
>>>> password required pam_deny.so
>>>>
>>>> session optional pam_keyinit.so revoke
>>>> session required pam_limits.so
>>>> session optional pam_keyinit.so revoke
>>>> session required pam_limits.so
>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>> session required pam_unix.so
>>>> session optional pam_ldap.so
>>>> -----------------------------------------------------------------------
>>>>
>>>> and */etc/pam.d/login*
>>>>
>>>> #%PAM-1.0
>>>> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
>>>> auth include system-auth
>>>> account required pam_nologin.so
>>>> account include system-auth
>>>> password include system-auth
>>>> # pam_selinux.so close should be the first session rule
>>>> session required pam_selinux.so close
>>>> session include system-auth
>>>> session required pam_loginuid.so
>>>> session optional pam_console.so
>>>> # pam_selinux.so open should only be followed by sessions to be executed in the user context
>>>> session required pam_selinux.so open
>>>> session optional pam_keyinit.so force revoke
>>>> ~
>>>> ----------------------------------------------------------------------------------
>>>>
>>>> what is the *uid of the user test01 in the FDS*
>>>>
>>>> uid is t01
>>>>
>>>> and under Posix user
>>>>
>>>> uid number = 2223 (i manually gave this)
>>>> gid number = 2223
>>>> home dir = /home/test
>>>> login shell = /bin/test
>>>>
>>>> and then i create a directory with name "test" under /home, e.g.
>>>> mkdir /home/test
>>>>
>>>> Best Regards
>>>> --H
>>>>
>>>> On Wed, Jun 17, 2009 at 4:33 PM, jean-Noël Chardron wrote:
>>>>
>>>>     hi,
>>>>
>>>>     ok, I suppose the ip address of the server is 192.168.5.1 (right?)
>>>>     and you have a client (a centos 5.3) with an ip address unknown to us.
>>>>
>>>>     I suppose the nsswitch.conf and /etc/ldap.conf below are on the
>>>>     client so it is correct
>>>>
>>>>     Then can you show the files /etc/pam.d/system-auth and
>>>>     /etc/pam.d/login that are on the client please
>>>>
>>>>     then can you tell us what is the uid of the user test01 in the FDS
>>>>
>>>>     Hakuna Matata wrote:
>>>>
>>>>         yes, my nsswitch.conf file is as below.
>>>>         passwd: files ldap
>>>>         shadow: files ldap
>>>>         group: files ldap
>>>>
>>>>         ethers: files
>>>>         netmasks: files
>>>>         networks: files
>>>>         protocols: files
>>>>         rpc: files
>>>>         services: files
>>>>
>>>>         netgroup: files ldap
>>>>
>>>>         publickey: nisplus
>>>>
>>>>         automount: files ldap
>>>>         aliases: files nisplus
>>>>
>>>>         and /etc/ldap.conf file contains
>>>>         uri ldap://192.168.5.1
>>>>         ssl no
>>>>         tls_cacertdir /etc/openldap/cacerts
>>>>         pam_password md5
>>>>
>>>>         ----i am still not able to authenticate.......
>>>>
>>>>         -best Regards
>>>>         --H
>>>>
>>>>         On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov wrote:
>>>>
>>>>             Hello
>>>>
>>>>             Is it ldap://ldap.vfds.local correct?
>>>>             Please, try this command:
>>>>
>>>>             ping ldap.vfds.local
>>>>
>>>>             If pinging then try to use command getent to check that ldap users are
>>>>             present in your system.
>>>>             getent passwd
>>>>
>>>>             If not pinging, then you need to use FQDN or ip-address, like this:
>>>>
>>>>             ldap://1.2.3.4
>>>>             ldap://example.com
>>>>
>>>>             Hakuna Matata wrote:
>>>>             > Hi,
>>>>             >
>>>>             > I am new to FDS, i have set this up as per the documentation. It is
>>>>             > working fine.
>>>>             > Now want that linux client (CentOS 5.3) to authenticate with FDS.
>>>>             >
>>>>             > hostname of FDS = ldap.fds.local
>>>>             >
>>>>             > i create a user test01 and fill the posix information
>>>>             >
>>>>             > on client machine i am using system-config-authentication
>>>>             > 1. check the LDAP box and filled the details as:
>>>>             > LDAP search base dn = dc=vfds, dc=local
>>>>             > LDAP Server = ldap://ldap.vfds.local
>>>>             >
>>>>             > then i rebooted the machine and trying to login via user test01. now
>>>>             > it is showing error as username or password incorrect.
>>>>             >
>>>>             > i would really appreciate if someone can give me some pointer or help
>>>>             > where i am doing wrong.
>>>>             >
>>>>             > Many Thanks in advance
>>>>             > Best regards
>>>>             > --H
>>>>             >
>>>>             > --
>>>>             > 389 users mailing list
>>>>             > 389-users at redhat.com
>>>>             > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>
>>> --
>>> Jean-Noel Chardron
>>>
>>
>

From dcoatshca at gmail.com Wed Jun 17 15:15:04 2009
From: dcoatshca at gmail.com (Doug Coats)
Date: Wed, 17 Jun 2009 10:15:04 -0500
Subject: [389-users] OS to authenticate to DS using TLS
In-Reply-To: <1245250718.6374.24.camel@jaspav.missionsit.net.missionsit.net>
References: <1245202487.6381.32.camel@jaspav.missionsit.net.missionsit.net> <4A38E859.3070900@thalesgroup.com> <1245249997.6374.21.camel@jaspav.missionsit.net.missionsit.net> <1245250718.6374.24.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

Thanks John! I found that in your email.
I think my problem might have had some connection with still using localhost in the console command instead of the subject in the certificate. I have read so many different instructions and discussions on this subject it is hard to keep it all straight as to what I read where.

I guess my next endeavor is setting up Samba. Any words of wisdom as I stumble down that path?

Again - many thanks! You and Dave have been a huge help!
-------------- next part --------------
An HTML attachment was scrubbed...

From narender.hooda at gmail.com Wed Jun 17 16:14:08 2009
From: narender.hooda at gmail.com (Hakuna Matata)
Date: Wed, 17 Jun 2009 21:44:08 +0530
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <4A38E564.5000306@dr15.cnrs.fr>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr>
Message-ID: <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com>

>>>> grep base /etc/ldap.conf
----------------------------------
#scope base
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# nss_base_passwd ou=People,
# to append the default base DN but this
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
#nss_base_passwd ou=aixaccount,?one
#nss_base_group ou=aixgroup,?one
---------------------------------------------------------------------------

OK, so i was expecting some base which are binding it to FDS..... but did not find here any such thing... which gives an impression that system-config-authentication is not working properly in CentOS5.3. My assumption may be wrong....

so if i put some entry in this like (base dc=vfds,dc=local)... and then boot the client machine... can i expect it working then.....

waiting for the advice.... in the mean time i am rebooting the machine....

many thanks in advance...

--H

On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron <Jean-Noel.Chardron at dr15.cnrs.fr> wrote:
>
> Hakuna Matata wrote:
>
>> Jean
>> Thanks for a quick reply.
>>
>> Client IP address is 192.168.5.4
>> yes these files are from client only.
>>
>
> all files seem correct, (in system-auth the interesting lines are with pam_ldap.so)
> So maybe the base to search in the tree is misconfigured in the /etc/ldap.conf
>
> you previously showed the /etc/ldap.conf:
> uri ldap://192.168.5.1
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> can you show the output of the command:
> grep base /etc/ldap.conf
> with only the lines that are uncommented; normally this will show the
> distinguished name of the search base,
> and this must correspond with the tree in your FDS
>
>
> --
> Jean-Noel Chardron
>
-------------- next part --------------
An HTML attachment was scrubbed...
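Jean-Noël's point in the quoted reply is that the search base in /etc/ldap.conf must correspond with the tree the FDS actually serves; the following is an added example that checks exactly that mechanically (it is not code from this thread or from Fedora/389 Directory Server). It parses the client's ldap.conf and the root DSE answer of an `ldapsearch -x -h <host> -b '' -s base namingContexts` run, reports whether the configured base lies under any advertised suffix, and maps the `result: 32 No such object` line of an ldapsearch run to that diagnosis. The ldap.conf lines and the failing search are the ones quoted in this thread; the root DSE answer and its suffix dc=example,dc=com are constructed, since the thread never shows the server's real suffix.

```python
"""Check an LDAP client's search base against the suffixes its server serves."""
import re

NO_SUCH_OBJECT = 32  # LDAP resultCode noSuchObject (RFC 4511)

# ldap.conf lines as quoted in the thread, plus one commented nss_base_* line.
SAMPLE_LDAP_CONF = """\
#nss_base_passwd        ou=People,dc=example,dc=com?one
uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
base dc=vfds,dc=local
"""

# Constructed root DSE answer, as `ldapsearch -x -h 192.168.5.1 -b '' -s base
# namingContexts` would print it; the suffix dc=example,dc=com is hypothetical.
SAMPLE_ROOT_DSE = """\
# base <> with scope baseObject
#
dn:
namingContexts: dc=example,dc=com

# search result
search: 2
result: 0 Success
"""

# The failing search quoted in the thread (its <base> field restored).
SAMPLE_FAILED_SEARCH = """\
# base <dc=vfds,dc=local> with scope subtree
# filter: (objectclass=*)
#
# search result
search: 2
result: 32 No such object
"""


def parse_ldap_conf(text):
    """Uncommented `key value` lines of a pam_ldap/nss_ldap ldap.conf, as a dict."""
    settings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return settings


def parse_ldif_attr(ldif_text, attr):
    """Values of `attr` in ldapsearch LDIF output (comments skipped; no base64/folding)."""
    values = []
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.startswith("#") and key.strip().lower() == attr.lower():
            values.append(value.strip())
    return values


def parse_result(ldif_text):
    """(code, text) from the `result: N text` line of ldapsearch output, else None."""
    m = re.search(r"^result:\s*(\d+)\s*(.*)$", ldif_text, re.MULTILINE)
    return (int(m.group(1)), m.group(2).strip()) if m else None


def normalize_dn(dn):
    """Lower-case, no blanks around commas (enough for dc=/ou=/cn= DNs; not RFC 4514)."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def dn_is_under(dn, suffix):
    """True if dn equals suffix or lies beneath it (case and spacing ignored)."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return d == s or d.endswith("," + s)


def check_client_base(ldap_conf_text, root_dse_ldif):
    """Is the client's `base` equal to or below a suffix the server advertises?"""
    base = parse_ldap_conf(ldap_conf_text).get("base")
    served = parse_ldif_attr(root_dse_ldif, "namingContexts")
    ok = base is not None and any(dn_is_under(base, s) for s in served)
    if base is None:
        reason = "no uncommented 'base' line in ldap.conf"
    elif ok:
        reason = "base %s lies under an advertised suffix" % base
    else:  # the thread's situation: every search against it ends in result 32
        reason = "base %s is under none of %s" % (base, served)
    return {"ok": ok, "base": base, "served": served, "reason": reason}


def explain_search_result(ldif_text):
    """One-line diagnosis of the result line of an ldapsearch run."""
    res = parse_result(ldif_text)
    if res is None:
        return "no result line found"
    if res[0] == NO_SUCH_OBJECT:
        return ("result %d (%s): the search base does not exist on this server; "
                "compare it with the root DSE namingContexts" % res)
    return "ok" if res[0] == 0 else "result %d (%s)" % res
```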
From narender.hooda at gmail.com Wed Jun 17 18:25:10 2009
From: narender.hooda at gmail.com (Hakuna Matata)
Date: Wed, 17 Jun 2009 23:55:10 +0530
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <4A392E08.1040905@dr15.cnrs.fr>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> <4A392E08.1040905@dr15.cnrs.fr>
Message-ID: <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>

This is what it is returning....

i guess i have to rebuild the client with CentOS 5.2 (though i have no reason but still).....

and really want to give you big thanks for helping me... you are kind...... will keep posted with the results....

[root at client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
[root at client ~]#

On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel Chardron wrote:
> Hakuna Matata wrote:
>>
>> Still no luck....
>> i have added the below entry in my ldap.conf file
>> base dc=vfds,dc=local
>>
>
> hum,
> does your fds answer a request of ldapsearch?
> you can try something like this from the server and from the client:
> without credentials:
> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''
> with credentials:
> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" '' -W
>
From narender.hooda at gmail.com Wed Jun 17 18:32:56 2009
From: narender.hooda at gmail.com (Hakuna Matata)
Date: Thu, 18 Jun 2009 00:02:56 +0530
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> <4A392E08.1040905@dr15.cnrs.fr> <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
Message-ID: <253e13910906171132nad6118i5779018691a8cafc@mail.gmail.com>

just one more file contents --- authconfig,

[root at client ~]# authconfig --test
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://192.168.5.1"
 LDAP base DN = "dc=vfds,dc=local"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is md5
pam_krb5 is disabled
 krb5 realm = "VFDS.VAD.COM"
 krb5 realm via dns is enabled
 krb5 kdc = "kerberos.vfds.vad.com:88"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.vfds.vad.com:749"
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://192.168.5.1"
 LDAP base DN = "dc=vfds,dc=local"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
------------------------------------

On Wed, Jun 17, 2009 at 11:55 PM, Hakuna Matata wrote:
> This is what it is returning....
>
> i guess i have to rebuild the client with CentOS 5.2 (though i have no
> reason but still).....
>
> and really want to give you big thanks for helping me... you are kind......
> will keep posted with the results....
>
> [root at client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
> [root at client ~]#
>
? ssl no >>>>>> ? ? ? tls_cacertdir /etc/openldap/cacerts >>>>>> ? ? ? pam_password md5 >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ? ? ? ----i am still not able to authenticate....... >>>>>> >>>>>> >>>>>> ? ? ? -best Regards >>>>>> ? ? ? --H >>>>>> >>>>>> ? ? ? On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov >>>>>> ? ? ? >>>>>> ? ? ? >> wrote: >>>>>> >>>>>> ? ? ? ? ?Hello >>>>>> >>>>>> ? ? ? ? ?Is it ldap://ldap.vfds.local correct? >>>>>> ? ? ? ? ?Please, try this command: >>>>>> >>>>>> ? ? ? ? ?ping ldap.vfds.local >>>>>> >>>>>> ? ? ? ? ?If pinging then try to use command getent to check that >>>>>> ? ? ? ldap users are >>>>>> ? ? ? ? ?present in your system. >>>>>> ? ? ? ? ?getent passwd >>>>>> >>>>>> ? ? ? ? ?If not pinging, then you need to use FQDN or ip-address, >>>>>> ? ? ? like this: >>>>>> >>>>>> ? ? ? ? ?ldap://1.2.3.4 >>>>>> ? ? ? ? ?ldap://example.com >>>>>> >>>>>> >>>>>> >>>>>> ? ? ? ? ?Hakuna Matata wrote: >>>>>> ? ? ? ? ?> Hi, >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> I am new to FDS, i have set this up as per the >>>>>> ? ? ? documentation . It is >>>>>> ? ? ? ? ?> working fine . >>>>>> ? ? ? ? ?> Now want that linux client (CentOS 5.3) to authenticate >>>>>> ? ? ? with FDS. >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> hostname of FDS = ldap.fds.local >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> i create a user test01 and fill the posix information >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> on client machine i am using system-config-authentiation >>>>>> ? ? ? ? ?> 1. check the LDAP box and filled the details as . >>>>>> ? ? ? ? ?> LDAP search base dn = ? ? ? ? ? ? ? ? ? ? ? ? ?dc=vfds, >>>>>> ? ? ? dc=local >>>>>> ? ? ? ? ?> LDAP Server = >>>>>> ? ? ldap://ldap.vfds.local >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> then i rebooted the machine and trying to login via user >>>>>> ? ? ? test01. now >>>>>> ? ? ? ? ?> it is showing error as username or password incorrect. >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> i would really appreciate if someone can give me some >>>>>> ? ? ? 
pointer or >>>>>> ? ? ? ? ?help >>>>>> ? ? ? ? ?> where i am doing wrong. >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> Many Thanks in advance >>>>>> ? ? ? ? ?> Best regards >>>>>> ? ? ? ? ?> --H >>>>>> ? ? ? ? ?> >>>>>> ? ? ? ? ?> -- >>>>>> ? ? ? ? ?> 389 users mailing list >>>>>> ? ? ? ? ?> 389-users at redhat.com >>>>>> ? ? ? > >>>>>> >>>>>> ? ? ? ? ?> >>>>>> ? ? ? https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> ? ? ? ? ?> >>>>>> >>>>>> ? ? ? ? ?-- >>>>>> ? ? ? ? ?389 users mailing list >>>>>> ? ? ? ? ?389-users at redhat.com >>>>>> ? ? ? > >>>>>> >>>>>> ? ? ? ? ?https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ?------------------------------------------------------------------------ >>>>>> >>>>>> ? ? ? -- >>>>>> ? ? ? 389 users mailing list >>>>>> ? ? ? 389-users at redhat.com >>>>>> ? ? ? https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ? -- >>>>>> ? 389 users mailing list >>>>>> ? 389-users at redhat.com >>>>>> ? https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>> >>>>> -- >>>>> Jean-Noel Chardron >>>>> >>>>> >>>>> >>>>> -- >>>>> 389 users mailing list >>>>> 389-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > From jsullivan at opensourcedevel.com Wed Jun 17 19:04:06 2009 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III)
Date: Wed, 17 Jun 2009 15:04:06 -0400
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> <4A392E08.1040905@dr15.cnrs.fr> <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
Message-ID: <1245265446.6374.43.camel@jaspav.missionsit.net.missionsit.net>

I've not been following this thread very closely but we are using CentOS
5.3 very happily - John

On Wed, 2009-06-17 at 23:55 +0530, Hakuna Matata wrote:
> This is what it is returning....
>
> i guess i have to rebuild the client with CentOS 5.2 (though i have no
> reason but still).....
>
> and really want to give you big thank for helping me ...you are kind......
> will keep posted with the results....
>
> [root at client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local"
> -D "cn=Directory Manager" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
> [root at client ~]#
>
>
> On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel
> Chardron wrote:
> > Hakuna Matata wrote:
> >>
> >> Still no luck....
> >> i have added the below entry in my ldap.conf file
> >> base dc=vfds,dc=local
> >>
> >
> > hum,
> > does your fds answers to a request of ldapsearch ?
> > you can try something like this from the server and from the client :
> > without credentials:
> > ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''
> > with credentials :
> > ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager"
> > '' -W
> >>
> >> --H
> >>
> >> On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata
> >> wrote:
> >>
> >>>>>>>
> >>>>>>> grep base /etc/ldap.conf
> >>>>>>>
> >>>
> >>> ----------------------------------
> >>> #scope base
> >>> # nss_base_XXX base?scope?filter
> >>> # where scope is {base,one,sub}
> >>> # nss_base_passwd ou=People,
> >>> # to append the default base DN but this
> >>> #nss_base_passwd ou=People,dc=example,dc=com?one
> >>> #nss_base_shadow ou=People,dc=example,dc=com?one
> >>> #nss_base_group ou=Group,dc=example,dc=com?one
> >>> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
> >>> #nss_base_services ou=Services,dc=example,dc=com?one
> >>> #nss_base_networks ou=Networks,dc=example,dc=com?one
> >>> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
> >>> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
> >>> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
> >>> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
> >>> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
> >>> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
> >>> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
> >>> #nss_base_passwd ou=aixaccount,?one
> >>> #nss_base_group ou=aixgroup,?one
> >>>
> >>> ---------------------------------------------------------------------------
> >>>
> >>> OK, so i was expecting some base which are binding it to FDS.....but did
> >>> not
> >>> find here any such thing...which gives an impression that
> >>> system-config-authentication is not working properly in CentOS5.3. My
> >>> assumption may be wrong....
> >>>
> >>> so if i put some entry in this like (base dc=vfds,dc=local)...and then
> >>> boot
> >>> the client machine... can i expect it working then.....
> >>> [...]
> >>>>> >
> >>>>> > Many Thanks in advance
> >>>>> > Best regards
> >>>>> > --H
> >>>>> >
> >>>>> > --
> >>>>> > 389 users mailing list
> >>>>> > 389-users at redhat.com
> >>>>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>> >
> >>>>>
> >>>>> --
> >>>>> 389 users mailing list
> >>>>> 389-users at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>>
> >>>>> ------------------------------------------------------------------------
> >>>>>
> >>>>> --
> >>>>> 389 users mailing list
> >>>>> 389-users at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>>
> >>>>> --
> >>>>> 389 users mailing list
> >>>>> 389-users at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>>
> >>>>> ------------------------------------------------------------------------
> >>>>>
> >>>>> --
> >>>>> 389 users mailing list
> >>>>> 389-users at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>>
> >>>> --
> >>>> Jean-Noel Chardron
> >>>>
> >>>> --
> >>>> 389 users mailing list
> >>>> 389-users at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>>
> >>>
> >> --
> >> 389 users mailing list
> >> 389-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 17 19:58:10 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noel Chardron)
Date: Wed, 17 Jun 2009 21:58:10 +0200
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> <4A392E08.1040905@dr15.cnrs.fr> <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
Message-ID: <4A394AD2.7040300@dr15.cnrs.fr>

Hakuna Matata wrote:
> This is what it is returning....
>
> i guess i have to rebuild the client with CentOS 5.2 (though i have no
> reason but still).....
>
> and really want to give you big thank for helping me ...you are kind......
> will keep posted with the results....
>
> [root at client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local"
> -D "cn=Directory Manager" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
I don't know exactly the syntax of ldapsearch but I can say that the
request is not correct, you forget the quote at the end of the line to
have the full answer (see man ldapsearch).
and what else if you try without bind the dn :
ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''

> [root at client ~]#
>
>
> On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel
> Chardron wrote:
>
>> Hakuna Matata wrote:
>>
>>> Still no luck....
>>> i have added the below entry in my ldap.conf file
>>> base dc=vfds,dc=local
>>>
>> hum,
>> does your fds answers to a request of ldapsearch ?
>> you can try something like this from the server and from the client :
>> without credentials:
>> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''
>> with credentials :
>> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager"
>> '' -W
>>
>>> --H
>>>
>>> On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata
>>> wrote:
>>>
>>>>>>>> grep base /etc/ldap.conf
>>>>>>>>
>>>> ----------------------------------
>>>> #scope base
>>>> # nss_base_XXX base?scope?filter
>>>> # where scope is {base,one,sub}
>>>> # nss_base_passwd ou=People,
>>>> # to append the default base DN but this
>>>> #nss_base_passwd ou=People,dc=example,dc=com?one
>>>> #nss_base_shadow ou=People,dc=example,dc=com?one
>>>> #nss_base_group ou=Group,dc=example,dc=com?one
>>>> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
>>>> #nss_base_services ou=Services,dc=example,dc=com?one
>>>> #nss_base_networks ou=Networks,dc=example,dc=com?one
>>>> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
>>>> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
>>>> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
>>>> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
>>>> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
>>>> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
>>>> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>>>> #nss_base_passwd ou=aixaccount,?one
>>>> #nss_base_group ou=aixgroup,?one
>>>>
>>>> ---------------------------------------------------------------------------
>>>>
>>>> OK, so i was expecting some base which are binding it to FDS.....but did
>>>> not
>>>> find
>>>> [...]
>>>>>> > >>>>>> > Many Thanks in advance >>>>>> > Best regards >>>>>> > --H >>>>>> > >>>>>> > -- >>>>>> > 389 users mailing list >>>>>> > 389-users at redhat.com >>>>>> > >>>>>> >>>>>> > >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> > >>>>>> >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users at redhat.com >>>>>> > >>>>>> >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>>> >>>>>> >>>>> -- >>>>> Jean-Noel Chardron >>>>> >>>>> >>>>> >>>>> -- >>>>> 389 users mailing list >>>>> 389-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>>> >>>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From pg_fds at fds.for.sabi.co.UK Wed Jun 17 17:26:53 2009 From: pg_fds at fds.for.sabi.co.UK (Peter Grandi) Date: Wed, 17 Jun 2009 18:26:53 +0100 Subject: [389-users] Performance cuestions about ds. 
In-Reply-To: <1023868.12581245058463425.JavaMail.root@ns364188.ovh.net> References: <12543389.12561245058350793.JavaMail.root@ns364188.ovh.net> <1023868.12581245058463425.JavaMail.root@ns364188.ovh.net> Message-ID: <19001.10077.314087.811992@tree.ty.sabi.co.uk> >>> On Mon, 15 Jun 2009 10:34:23 +0100 (GMT+01:00), Julio Gómez >>> Belmonte said: > a directory with a large number of entries, ~ 20,000 > objects. That is a directory of a very small size. 'grep' of a 20,000 LDIF text file takes very little time. > My question is: When I receive a too large query, the > directory will be suspended until they answer this query. That depends on how it is configured. And it is hard for me to imagine a realistic query over 20,000 records that takes a significant amount of time. > [ ... ] When I run the directory, I get a single process > (ns-slapd) which is consuming 100% CPU when doing too long > queries, [ ... ] At a site I am familiar with the FDS 'slapd' *always* consumes 100% CPU time (RHEL 4), even if the queries are very simple lookups ('passwd' emulation) and there are only a few queries per second. I suspect a bug in 'slapd', and I looked briefly into it and it seemed to me either a busy-lock bug or a case where the DB indices get corrupted. From rmeggins at redhat.com Wed Jun 17 21:04:05 2009 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 17 Jun 2009 17:04:05 -0400 (EDT) Subject: [389-users] Unable to connect to Admin or DS from management console In-Reply-To: <1053955673.258541245272488806.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> Message-ID: <73424929.258671245272645090.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> ----- "Andrew Kerr" wrote: > I recently added a new fedora ds replica (1.2.0) to my master > (1.0.4). I was able to add the new machine, and replicate to it. I > set > up the replication via the console, and everything was working fine. 
> Today when I launch the console on the master and connect to the > replica > running 1.2.0 I get an error: "Failed to install a local copy of > fedora-admin-1.1.jar or one of its components" "Can not connect to > http://0.0.0.0:9830". > > 9830 is the correct port of the remote machine, but 0.0.0.0 > isn't the correct ip. The local admin console is running on a > different > port. I can do a wget on the remote machine http:// machine>:9830 and I am able to connect and get the "download" page > that > has the quick console. So it isn't a network issue. > > The only change I've made is to add another replica, running > 1.0.4. I can connect to that one just fine, and all of the others. > I > just can't get to the one I added a few days ago that is running the > newer version. > > I'd suspect java, or something along those lines, except that it > worked yesterday and nothing (verified by the yum logs) has been > installed or changed on the server. > > My guess is that maybe the 1.0.4 ones work ok because they're > running the same version, and no additional jar files are needed. I > looked in the .fedora-console/jars and I don't see the new one. I > tried > removing that directory and letting it create a new one, also with no > luck. > > I tried adding another 1.2.0 installation, and same problem. > > Any ideas would be greatly appreciated! I think in general you will not be able to manage 1.2 instances with the 1.0 console. 
The specific problem is https://bugzilla.redhat.com/show_bug.cgi?id=430364 which was fixed in idm-console-framework 1.1.3. I suppose you could use ldapmodify to change the nsServerAddress to the real IP address:

ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b o=netscaperoot "nsServerAddress=0.0.0.0"

Then find which entry that is, and do something like:

ldapmodify -x -D "cn=directory manager" -w yourpassword
dn: dn of the entry
changetype: modify
replace: nsServerAddress
nsServerAddress: your real IP address

> > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From rmeggins at redhat.com Wed Jun 17 21:05:19 2009 From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 17 Jun 2009 17:05:19 -0400 (EDT) Subject: [389-users] loss of group members in AD after initialization of sync In-Reply-To: <4A36AE0C.7090702@dr15.cnrs.fr> Message-ID: <1508355214.258801245272719789.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com> ----- "Jean-Noel Chardron" wrote: > Richard Megginson a écrit : > > ----- "jean-Noël Chardron" wrote: > > > > > >> hello, > >> > >> When I initiate a first full synchronization of DS and AD I lost > >> members > >> in groups > >> > >> error log shows : > >> > >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry > matching > >> > >> AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] > >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > guid > >> > >> [c0e73a492ffbc04c9e85781a68f45023] > >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > 
>> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 > >> [10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > uid > >> [SFC] > >> [...] > >> [10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local > > >> entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr > >> objectClass: top > >> objectClass: groupofuniquenames > >> objectClass: ntGroup > >> ntGroupDeleteGroup: true > >> cn: SFC > >> description: Service Financier et Comptable > >> uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, > >> dc=cnrs, dc= > >> fr > >> uniqueMember:[...] > >> follow 10 members > >> > >> [...] > >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received > entry > >> from > >> dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry > matching > >> > >> AD entry > [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] > >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > guid > >> > >> [0cdf6e627d64684cb10c70b3b8753fda] > >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 > >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > uid > >> [MX] > >> [10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: problem looking for > username: > >> -1 > >> [10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local > > >> entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > >> dc=fr > >> objectClass: top 
> >> objectClass: person > >> objectClass: organizationalperson > >> objectClass: inetOrgPerson > >> objectClass: ntUser > >> ntUserDeleteAccount: true > >> uid: MX > >> sn: MX > >> givenName: Guillaume > >> cn: MX > >> ntUserCodePage: 0 > >> ntUserAcctExpires: 0 > >> ntUserDomainId: MX > >> mail: Guillaume.MX at dr15.cnrs.fr > >> ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda > >> > >> > >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): windows_process_total_entry: Looking > >> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" > (ours) > >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > > >> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" > >> guid="c0e73a492ffbc04c9e85781a68f45023" > >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > > >> dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" > >> username="SFC" > >> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search > request > >> plugin > >> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 > >> messages, 1 entries, 0 references > >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_outbound: found AD entry > >> dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr" > >> [10/Jun/2009:15:01:34 +0200] - Calling windows entry search > request > >> plugin > >> [10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2 > >> messages, 1 entries, 0 references > >> [10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - > >> windows_generate_update_mods: > >> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description > : > >> values are equal > >> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found > for > >> > >> 
uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr > >> [10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found > for > >> uid= > >> > >> [follow 10 entries,] > >> > >> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search > request > >> plugin > >> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 > >> messages, 1 entries, 0 references > >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry > matching > >> > >> AD entry > >> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] > >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > guid > >> > >> [72a7171ffaa0d84a9ca4ec2d90a4ab2b] > >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 > >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > uid > >> [essaibug] > >> [10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: problem looking for > username: > >> -1 > >> [10/Jun/2009:15:01:35 +0200] - Calling windows entry search > request > >> plugin > >> [10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2 > >> messages, 1 entries, 0 references > >> > >> [10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin - > >> windows_generate_update_mods: > >> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, > sAMAccountName > >> : > >> values are equal > >> [10/Jun/2009:15:01:38 +0200] - smod - windows sync > >> [10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member > >> [10/Jun/2009:15:01:38 +0200] - smod 0 - value: member: > >> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > >> 
[10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member > >> [10/Jun/2009:15:01:38 +0200] - smod 1 - value: member: > >> > >> [follow the 10 entries] > >> > >> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - > >> windows_update_remote_entry: modifying entry > >> CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > >> [10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): Received result code 0 () for modify operation > >> > >> [10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found > for > >> > >> uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr > >> > >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received > entry > >> from > >> dirsync: > >> CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr > >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry > matching > >> > >> AD entry > >> [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr] > >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > guid > >> > >> [72a7171ffaa0d84a9ca4ec2d90a4ab2b] > >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1 > >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: looking for local entry by > uid > >> [essaibug] > >> [10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_inbound: problem looking for > username: > >> -1 > >> [10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local > > >> entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, > dc=cnrs, > >> dc=fr > >> objectClass: top > >> objectClass: person > >> objectClass: 
organizationalperson > >> objectClass: inetOrgPerson > >> objectClass: ntUser > >> ntUserDeleteAccount: true > >> uid: essaibug > >> sn: essaibug > >> cn: essaibug > >> ntUserCodePage: 0 > >> ntUserAcctExpires: 9223372036854775807 > >> ntUserDomainId: essaibug > >> ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b > >> > >> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > > >> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > >> dc=fr" > >> guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b" > >> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS > > >> dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, > >> dc=fr" > >> username="essaibug" > >> [10/Jun/2009:15:07:13 +0200] - Calling windows entry search > request > >> plugin > >> [10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2 > >> messages, 1 entries, 0 references > >> [10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - > >> agmt="cn=zebigbos" > >> (zebigbos:636): map_entry_dn_outbound: found AD entry > >> > dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr" > >> > >> (following the translation of google) > >> I suppose that during the initialization of the replication, > groups > >> have > >> lost members (group sfc) with the logs in order explicit removal > of > >> the > >> member in the group, sent by the DS to AD. The most likely > explanation > >> > >> is that the process is sequential but with a dispatch from AD to > >> DS-anarchic, with a group can be created before members in DS > users. > >> these are leading to a later stage in a request for suppression AD > DS > >> > >> to members of the group that did not exist before the creation of > the > >> > >> group. 
This is "normal" since DS checks the consistency of > information > >> > >> and therefore the group members. The solution to this problem is to > > >> create manually in the AD to add the lost members in the group or > may > >> be > >> to initialize sync twice in a closed time. > >> > >> The administrator of the Windows server and the AD insulted me as a > > >> result of this blunder > >> I asked him if he had a backup of the AD. he had not > >> > >> > > > > So let me see if I understand what is happening: > > DS attempts to sync some groups from AD - since the user does not > exist, it deletes the member from the group. Then it syncs the group > back to AD, and deletes those users from AD. > > Is that correct? > > I suppose a workaround would be to make sure all of the users are > first added to DS, then sync the groups. > > > yes, that is correct. Ok. Please open a bug about this issue. Is there a way to make sure all of the users are synced first? > > >> -- > >> > >> Jean-Noel Chardron > >> > >> > >> -- > >> 389 users mailing list > >> 389-users at redhat.com > >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >> > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From dweintraub+fds at vecna.com Wed Jun 17 21:48:47 2009 From: dweintraub+fds at vecna.com (Dan Weintraub) Date: Wed, 17 Jun 2009 17:48:47 -0400 Subject: [389-users] Problems with replication over SSL In-Reply-To: <4A30B5C0.3010203@dr15.cnrs.fr> References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> <4A301837.7050505@vecna.com> <4A30B5C0.3010203@dr15.cnrs.fr> Message-ID: <4A3964BF.9050800@vecna.com> Hi all, I've been looking into this and I first found out that your suspicions are correct. 
The trust attributes on my CA certificate are incorrect. certutil -L shows them as "CT,,". To fix this I tried the modify command, certutil -M -n cacert -t CTu,u,u -d . It gives no error, but unfortunately, does nothing and certutil -L still shows me "CT,,". I thought this might have been because I used openssh tools instead of certutil, so I removed all my certificates and created a new CA with certutil, specifying "CTu,u,u" on the command line when I created the CA cert. I then added the CA with the Certificate Manager and did a certutil -L only to find that it was marked "CT,,". I tried to modify this certificate with certutil -M, but it still doesn't work. Do I have some permissions wrong somewhere? Am I using the tools incorrectly? Any suggestions? Thanks in advance, Dan jean-Noël Chardron wrote: > hi, > > Dan Weintraub a écrit : >> Thanks, that's exactly what I was following. Now that I've got the >> port corrected I'm getting a certificate error despite having the >> correct certificates setup (or so I thought...) I'll read through that >> documentation you posted and see if I can sort it out. >> >> Thanks, >> Dan >> >> PS >> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, >> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable >> Runtime error -8172 > >> (Peer's certificate issuer has been marked as not trusted by the user.) 
>> > Can you post the output of the command : > #certutil -L -d /path/of/directory/where/is/the/certificate/ > > The path of the directory where is the certificate has 2 files : key3.db > and cert8.db > > For example, on my server the output is : > # certutil -L -d /etc/dirsrv/slapd-aragon/ > Certificate Nickname Trust > Attributes > > SSL,S/MIME,JAR/XPI > > CNRS2-Standard CT,C,C > aragon.dr15.cnrs.fr Cert u,u,u > CNRS-Standard CT,C,C > CNRS CT,C,C > CNRS2 CT,C,C > > I suppose (it's a hypothesis) that your certificate doesn't have the > tag u,u,u or something like this or the CA can't trust the certificate > >> John A. Sullivan III wrote: > >>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote: >>>> Hi all, >>>> >>>> I'm trying to setup replication over ssl and am running into >>>> problems. I >>>> first tried it unencrypted and all worked fine. I then copied over the >>>> consumer's CA certificate and set up replication with SSL and Simple >>>> Authentication. It doesn't work and I now get the following errors: >>>> >>>> When I set it up: >>>> supplier error log: >>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" >>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP >>>> server), Netscape Portable Runtime error -5938 (Encountered end of >>>> file.) 
>>>> >>>> these appear thereafter: >>>> consumer access log: >>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from >>>> 10.1.1.100 to 10.1.1.101 >>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 >>>> (Protocol error) - B1 >>>> >>>> consumer error log: >>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message >>>> (tag >>>> 0x80, expected 0x30) >>>> >>>> Versions: >>>> Supplier: >>>> fedora-ds-1.1.2-1.fc6 >>>> fedora-ds-dsgw-1.1.1-1.fc6 >>>> fedora-ds-base-1.1.3-2.fc6 >>>> fedora-ds-admin-1.1.6-1.fc6 >>>> fedora-ds-admin-console-1.1.2-1.fc6 >>>> fedora-ds-console-1.1.2-1.fc6 >>>> >>>> Consumer: >>>> fedora-ds-admin-1.1.7-3.fc6 >>>> fedora-ds-admin-console-1.1.3-1.fc6 >>>> fedora-ds-base-1.2.0-2.fc6 >>>> fedora-ds-dsgw-1.1.2-1.fc6 >>>> fedora-ds-console-1.2.0-1.fc6 >>>> fedora-ds-1.1.3-1.fc6 >>>> >>>> I'm at a loss as to how to proceed with troubleshooting and would >>>> appreciate any suggestions. >>>> >>>> Thanks, >>>> Dan Weintraub >>> >>> Hi, Dan. Here is a snippet from our internal documentation. I apologize >>> that I don't have time to customize it or analyze your issue more deeply >>> but perhaps our findings will help you in your environment. Given >>> Rich's comment, I wonder if you were stung by the same error in >>> documentation we noted below: >>> >>> Go back to the centos-idm-console on ldap1 >>> Go to the Configuration tab, select the userRoot under the >>> Replication >>> object in the left panel. Left/right client and choose New >>> Replication >>> Agreement >>> The name is "mycompany.com ldap1->ldap2" and the Description is >>> "Replicates mycompany.com from ldap1 to ldap2". Click Next. >>> Set the Consumer to ldap2.mycompany.com:389 from the drop down >>> box (389 is correct even though we are really using 636) - Oops! >>> That is not true despite what the documentation says. Click >>> other and create a new entry for ldap2.mycompany.com on port >>> 636. >>> Enable the SSL connection. 
>>> Enter cn=repuser,cn=config for the Bind As and enter the >>> password. >>> Click Next and then Next again. >>> We will always keep directories in sync so click Next again. >>> Choose Initialize Consumer Now and click Next >>> Click Done >>> >>> If you need more details, e.g., about how we set up SSL, I posted most >>> of our internal procedure a day or two ago on this mailing list in >>> response to a post entitled "Developting a CentOS-DS setup". You can >>> find much more detail there. >>> >>> Good luck - John >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From rmeggins at redhat.com Wed Jun 17 21:59:38 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 17 Jun 2009 15:59:38 -0600 Subject: [389-users] Problems with replication over SSL In-Reply-To: <4A3964BF.9050800@vecna.com> References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> <4A301837.7050505@vecna.com> <4A30B5C0.3010203@dr15.cnrs.fr> <4A3964BF.9050800@vecna.com> Message-ID: <4A39674A.4030809@redhat.com> Dan Weintraub wrote: > Hi all, > > I've been looking into this and I first found out that your suspicions > are correct. The trust attributes on my CA certificate are incorrect. > > certutil -L shows them as "CT,," > > To fix this I tried the modify command, > > certutil -M -n cacert -t CTu,u,u -d . > > It gives no error, but unfortunately, does nothing and certutil -L > still shows me "CT,," > > I thought this might have been because I used openssh tools instead of > certutil, so I removed all my certificates and created a new CA with > certutil, specifying "CTu,u,u" on the command line when I created the > CA cert. I then added the CA with the Certificate Manager and did a > certutil -L only to find that it was marked "CT,," I tried to modify > this certificate with certutil -M, but it still doesn't work. > > Do I have some permissions wrong somewhere? 
Am I using the tools > incorrectly? Any suggestions? CT and CTu are equivalent for a CA cert - that is, the "u" doesn't matter for a CA cert. What is it that leads you to believe the trust settings are an issue? > > Thanks in advance, > Dan > > > > jean-Noël Chardron wrote: >> hi, >> >> Dan Weintraub a écrit : >>> Thanks, that's exactly what I was following. Now that I've got the >>> port corrected I'm getting a certificate error despite having the >>> correct certificates setup (or so I thought...) I'll read through >>> that documentation you posted and see if I can sort it out. >>> >>> Thanks, >>> Dan >>> >>> PS >>> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, >>> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable >>> Runtime error -8172 >> >>> (Peer's certificate issuer has been marked as not trusted by the user.) >>> >> Can you post the output of the command : >> #certutil -L -d /path/of/directory/where/is/the/certificate/ >> >> The path of the directory where is the certificate has 2 files : >> key3.db and cert8.db >> >> For example, on my server the output is : >> # certutil -L -d /etc/dirsrv/slapd-aragon/ >> Certificate Nickname Trust >> Attributes >> >> SSL,S/MIME,JAR/XPI >> >> CNRS2-Standard CT,C,C >> aragon.dr15.cnrs.fr Cert u,u,u >> CNRS-Standard CT,C,C >> CNRS CT,C,C >> CNRS2 CT,C,C >> >> I suppose (it's a hypothesis) that your certificate doesn't have the >> tag u,u,u or something like this or the CA can't trust the certificate >> >>> John A. Sullivan III wrote: >> >>>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote: >>>>> Hi all, >>>>> >>>>> I'm trying to setup replication over ssl and am running into >>>>> problems. I >>>>> first tried it unencrypted and all worked fine. I then copied over >>>>> the >>>>> consumer's CA certificate and set up replication with SSL and Simple >>>>> Authentication. 
It doesn't work and I now get the following errors: >>>>> >>>>> When I set it up: >>>>> supplier error log: >>>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" >>>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP >>>>> server), Netscape Portable Runtime error -5938 (Encountered end of >>>>> file.) >>>>> >>>>> these appear thereafter: >>>>> consumer access log: >>>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from >>>>> 10.1.1.100 to 10.1.1.101 >>>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 >>>>> (Protocol error) - B1 >>>>> >>>>> consumer error log: >>>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP >>>>> message (tag >>>>> 0x80, expected 0x30) >>>>> >>>>> Versions: >>>>> Supplier: >>>>> fedora-ds-1.1.2-1.fc6 >>>>> fedora-ds-dsgw-1.1.1-1.fc6 >>>>> fedora-ds-base-1.1.3-2.fc6 >>>>> fedora-ds-admin-1.1.6-1.fc6 >>>>> fedora-ds-admin-console-1.1.2-1.fc6 >>>>> fedora-ds-console-1.1.2-1.fc6 >>>>> >>>>> Consumer: >>>>> fedora-ds-admin-1.1.7-3.fc6 >>>>> fedora-ds-admin-console-1.1.3-1.fc6 >>>>> fedora-ds-base-1.2.0-2.fc6 >>>>> fedora-ds-dsgw-1.1.2-1.fc6 >>>>> fedora-ds-console-1.2.0-1.fc6 >>>>> fedora-ds-1.1.3-1.fc6 >>>>> >>>>> I'm at a loss as to how to proceed with troubleshooting and would >>>>> appreciate any suggestions. >>>>> >>>>> Thanks, >>>>> Dan Weintraub >>>> >>>> Hi, Dan. Here is a snippet from our internal documentation. I >>>> apologize >>>> that I don't have time to customize it or analyze your issue more >>>> deeply >>>> but perhaps our findings will help you in your environment. Given >>>> Rich's comment, I wonder if you were stung by the same error in >>>> documentation we noted below: >>>> >>>> Go back to the centos-idm-console on ldap1 >>>> Go to the Configuration tab, select the userRoot under the >>>> Replication >>>> object in the left panel. 
Left/right client and choose New >>>> Replication >>>> Agreement >>>> The name is "mycompany.com ldap1->ldap2" and the >>>> Description is >>>> "Replicates mycompany.com from ldap1 to ldap2". Click Next. >>>> Set the Consumer to ldap2.mycompany.com:389 from the drop down >>>> box (389 is correct even though we are really using 636) - >>>> Oops! >>>> That is not true despite what the documentation says. Click >>>> other and create a new entry for ldap2.mycompany.com on port >>>> 636. >>>> Enable the SSL connection. >>>> Enter cn=repuser,cn=config for the Bind As and enter the >>>> password. >>>> Click Next and then Next again. >>>> We will always keep directories in sync so click Next again. >>>> Choose Initialize Consumer Now and click Next >>>> Click Done >>>> >>>> If you need more details, e.g., about how we set up SSL, I posted most >>>> of our internal procedure a day or two ago on this mailing list in >>>> response to a post entitled "Developting a CentOS-DS setup". You can >>>> find much more detail there. >>>> >>>> Good luck - John >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From jsullivan at opensourcedevel.com Wed Jun 17 22:05:02 2009 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III) Date: Wed, 17 Jun 2009 18:05:02 -0400 Subject: [389-users] Problems with replication over SSL In-Reply-To: <4A3964BF.9050800@vecna.com> References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> <4A301837.7050505@vecna.com> <4A30B5C0.3010203@dr15.cnrs.fr> <4A3964BF.9050800@vecna.com> Message-ID: <1245276303.6374.57.camel@jaspav.missionsit.net.missionsit.net> Hi, Dan. You might want to remove whatever CA certs you've got in the database and then re-add just in case. I don't recall the command to do that. Here is all we did to import our CA cert: certutil -A -d . -n "CA certificate" -t "CT,," -a -i CA.pem Are you certain you have the correct CA cert and that it is valid (not expired, etc.)? You can try doing: openssl x509 -in clientcertname.pem -noout -issuer and compare that to openssl x509 -in CA.pem -noout -subject This would also reveal if your copy of the CA cert is malformed for some reason. I'm pulling the syntax off the top of my head so it might be in error. I might also suggest editing this thread and bottom posting rather than top posting; it would make it a little easier to follow. Hope this helps - John On Wed, 2009-06-17 at 17:48 -0400, Dan Weintraub wrote: > Hi all, > > I've been looking into this and I first found out that your suspicions > are correct. The trust attributes on my CA certificate are incorrect. > > certutil -L shows them as "CT,," > > To fix this I tried the modify command, > > certutil -M -n cacert -t CTu,u,u -d . > > It gives no error, but unfortunately, does nothing and certutil -L still > shows me "CT,," > > I thought this might have been because I used openssh tools instead of > certutil, so I removed all my certificates and created a new CA with > certutil, specifying "CTu,u,u" on the command line when I created the CA > cert. 
I then added the CA with the Certificate Manager and did a > certutil -L only to find that it was marked "CT,," I tried to modify > this certificate with certutil -M, but it still doesn't work. > > Do I have some permissions wrong somewhere? Am I using the tools > incorrectly? Any suggestions? > > Thanks in advance, > Dan > > > > jean-Noël Chardron wrote: > > hi, > > > > Dan Weintraub a écrit : > >> Thanks, that's exactly what I was following. Now that I've got the > >> port corrected I'm getting a certificate error despite having the > >> correct certificates setup (or so I thought...) I'll read through that > >> documentation you posted and see if I can sort it out. > >> > >> Thanks, > >> Dan > >> > >> PS > >> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed, > >> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable > >> Runtime error -8172 > > > >> (Peer's certificate issuer has been marked as not trusted by the user.) > >> > > Can you post the output of the command : > > #certutil -L -d /path/of/directory/where/is/the/certificate/ > > > > The path of the directory where is the certificate has 2 files : key3.db > > and cert8.db > > > > For example, on my server the output is : > > # certutil -L -d /etc/dirsrv/slapd-aragon/ > > Certificate Nickname Trust > > Attributes > > > > SSL,S/MIME,JAR/XPI > > > > CNRS2-Standard CT,C,C > > aragon.dr15.cnrs.fr Cert u,u,u > > CNRS-Standard CT,C,C > > CNRS CT,C,C > > CNRS2 CT,C,C > > > > I suppose (it's a hypothesis) that your certificate doesn't have the > > tag u,u,u or something like this or the CA can't trust the certificate > > > >> John A. Sullivan III wrote: > > > >>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote: > >>>> Hi all, > >>>> > >>>> I'm trying to setup replication over ssl and am running into > >>>> problems. I > >>>> first tried it unencrypted and all worked fine. 
I then copied over the > >>>> consumer's CA certificate and set up replication with SSL and Simple > >>>> Authentication. It doesn't work and I now get the following errors: > >>>> > >>>> When I set it up: > >>>> supplier error log: > >>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" > >>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP > >>>> server), Netscape Portable Runtime error -5938 (Encountered end of > >>>> file.) > >>>> > >>>> these appear thereafter: > >>>> consumer access log: > >>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from > >>>> 10.1.1.100 to 10.1.1.101 > >>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 > >>>> (Protocol error) - B1 > >>>> > >>>> consumer error log: > >>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP message > >>>> (tag > >>>> 0x80, expected 0x30) > >>>> > >>>> Versions: > >>>> Supplier: > >>>> fedora-ds-1.1.2-1.fc6 > >>>> fedora-ds-dsgw-1.1.1-1.fc6 > >>>> fedora-ds-base-1.1.3-2.fc6 > >>>> fedora-ds-admin-1.1.6-1.fc6 > >>>> fedora-ds-admin-console-1.1.2-1.fc6 > >>>> fedora-ds-console-1.1.2-1.fc6 > >>>> > >>>> Consumer: > >>>> fedora-ds-admin-1.1.7-3.fc6 > >>>> fedora-ds-admin-console-1.1.3-1.fc6 > >>>> fedora-ds-base-1.2.0-2.fc6 > >>>> fedora-ds-dsgw-1.1.2-1.fc6 > >>>> fedora-ds-console-1.2.0-1.fc6 > >>>> fedora-ds-1.1.3-1.fc6 > >>>> > >>>> I'm at a loss as to how to proceed with troubleshooting and would > >>>> appreciate any suggestions. > >>>> > >>>> Thanks, > >>>> Dan Weintraub > >>> > >>> Hi, Dan. Here is a snippet from our internal documentation. I apologize > >>> that I don't have time to customize it or analyze your issue more deeply > >>> but perhaps our findings will help you in your environment. 
> >>> Given
> >>> Rich's comment, I wonder if you were stung by the same error in
> >>> documentation we noted below:
> >>>
> >>> Go back to the centos-idm-console on ldap1
> >>> Go to the Configuration tab, select the userRoot under the Replication
> >>> object in the left panel. Left/right click and choose New Replication
> >>> Agreement
> >>> The name is "mycompany.com ldap1->ldap2" and the Description is
> >>> "Replicates mycompany.com from ldap1 to ldap2". Click Next.
> >>> Set the Consumer to ldap2.mycompany.com:389 from the drop down
> >>> box (389 is correct even though we are really using 636) - Oops!
> >>> That is not true despite what the documentation says. Click
> >>> other and create a new entry for ldap2.mycompany.com on port
> >>> 636.
> >>> Enable the SSL connection.
> >>> Enter cn=repuser,cn=config for the Bind As and enter the
> >>> password.
> >>> Click Next and then Next again.
> >>> We will always keep directories in sync so click Next again.
> >>> Choose Initialize Consumer Now and click Next
> >>> Click Done
> >>>
> >>> If you need more details, e.g., about how we set up SSL, I posted most
> >>> of our internal procedure a day or two ago on this mailing list in
> >>> response to a post entitled "Developing a CentOS-DS setup". You can
> >>> find much more detail there.
> >>>
> >>> Good luck - John
> >>
> >> --
> >> 389 users mailing list
> >> 389-users at redhat.com
> >> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> >
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
John A.
Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From msauton at redhat.com Wed Jun 17 22:21:42 2009 From: msauton at redhat.com (Marc Sauton) Date: Wed, 17 Jun 2009 15:21:42 -0700 Subject: [389-users] Problems with replication over SSL In-Reply-To: <4A3964BF.9050800@vecna.com> References: <4A2EC3FF.7000901@vecna.com> <1244580390.6384.91.camel@jaspav.missionsit.net.missionsit.net> <4A301837.7050505@vecna.com> <4A30B5C0.3010203@dr15.cnrs.fr> <4A3964BF.9050800@vecna.com> Message-ID: <4A396C76.6020604@redhat.com> On 06/17/2009 02:48 PM, Dan Weintraub wrote: > Hi all, > > I've been looking into this and I first found out that your suspicions > are correct. The trust attributes on my CA certificate are incorrect. > > certutil -L shows them as "CT,," > > To fix this I tried the modify command, > > certutil -M -n cacert -t CTu,u,u -d . > > It gives no error, but unfortunately, does nothing and certutil -L > still shows me "CT,," Try CTu,Cu,Cu or CT,C,C You can verify your cert chain with a certutil -V -d -n -eu CVS which should return: certutil: certificate is valid or certificate is invalid: Peer's Certificate issuer is not recognized. Use certutil -O to display the certificate chain. M. > > I thought this might have been because I used openssh tools instead of > certutil, so I removed all my certificates and created a new CA with > certutil, specifying "CTu,u,u" on the command line when I created the > CA cert. I then added the CA with the Certificate Manager and did a > certutil -L only to find that it was marked "CT,," I tried to modify > this certificate with certutil -M, but it still doesn't work. > > Do I have some permissions wrong somewhere? Am I using the tools > incorrectly? Any suggestions? 
>
> Thanks in advance,
> Dan
>
>
>
> jean-Noël Chardron wrote:
>> hi,
>>
>> Dan Weintraub wrote:
>>> Thanks, that's exactly what I was following. Now that I've got the
>>> port corrected I'm getting a certificate error despite having the
>>> correct certificates setup (or so I thought...) I'll read through
>>> that documentation you posted and see if I can sort it out.
>>>
>>> Thanks,
>>> Dan
>>>
>>> PS
>>> NSMMReplicationPlugin - agmt="cn=One" (fds:636): Simple bind failed,
>>> LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable
>>> Runtime error -8172
>>
>>> (Peer's certificate issuer has been marked as not trusted by the user.)
>>>
>> Can you post the output of the command:
>> #certutil -L -d /path/of/directory/where/is/the/certificate/
>>
>> The directory where the certificate is has 2 files:
>> key3.db and cert8.db
>>
>> For example, on my server the output is:
>> # certutil -L -d /etc/dirsrv/slapd-aragon/
>> Certificate Nickname                Trust Attributes
>>                                     SSL,S/MIME,JAR/XPI
>>
>> CNRS2-Standard                      CT,C,C
>> aragon.dr15.cnrs.fr Cert            u,u,u
>> CNRS-Standard                       CT,C,C
>> CNRS                                CT,C,C
>> CNRS2                               CT,C,C
>>
>> I suppose (it's a hypothesis) that your certificate doesn't have the
>> tag u,u,u or something like this, or the CA can't trust the certificate
>>
>>> John A. Sullivan III wrote:
>>
>>>> On Tue, 2009-06-09 at 16:20 -0400, Dan Weintraub wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm trying to setup replication over ssl and am running into
>>>>> problems. I
>>>>> first tried it unencrypted and all worked fine. I then copied over
>>>>> the
>>>>> consumer's CA certificate and set up replication with SSL and Simple
>>>>> Authentication.
It doesn't work and I now get the following errors: >>>>> >>>>> When I set it up: >>>>> supplier error log: >>>>> [01/Jun/2009:01:00:00 -0000] NSMMReplicationPlugin - agmt="cn=One" >>>>> (fds:389): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP >>>>> server), Netscape Portable Runtime error -5938 (Encountered end of >>>>> file.) >>>>> >>>>> these appear thereafter: >>>>> consumer access log: >>>>> [01/Jun/2009:01:01:01 -0000] conn=898 fd=64 slot=64 connection from >>>>> 10.1.1.100 to 10.1.1.101 >>>>> [01/Jun/2009:01:01:01 -0000] conn=898 op=-1 fd=64 closed error 71 >>>>> (Protocol error) - B1 >>>>> >>>>> consumer error log: >>>>> [01/Jun/2009:01:01:01 -0000] - conn=898 received a non-LDAP >>>>> message (tag >>>>> 0x80, expected 0x30) >>>>> >>>>> Versions: >>>>> Supplier: >>>>> fedora-ds-1.1.2-1.fc6 >>>>> fedora-ds-dsgw-1.1.1-1.fc6 >>>>> fedora-ds-base-1.1.3-2.fc6 >>>>> fedora-ds-admin-1.1.6-1.fc6 >>>>> fedora-ds-admin-console-1.1.2-1.fc6 >>>>> fedora-ds-console-1.1.2-1.fc6 >>>>> >>>>> Consumer: >>>>> fedora-ds-admin-1.1.7-3.fc6 >>>>> fedora-ds-admin-console-1.1.3-1.fc6 >>>>> fedora-ds-base-1.2.0-2.fc6 >>>>> fedora-ds-dsgw-1.1.2-1.fc6 >>>>> fedora-ds-console-1.2.0-1.fc6 >>>>> fedora-ds-1.1.3-1.fc6 >>>>> >>>>> I'm at a loss as to how to proceed with troubleshooting and would >>>>> appreciate any suggestions. >>>>> >>>>> Thanks, >>>>> Dan Weintraub >>>> >>>> Hi, Dan. Here is a snippet from our internal documentation. I >>>> apologize >>>> that I don't have time to customize it or analyze your issue more >>>> deeply >>>> but perhaps our findings will help you in your environment. Given >>>> Rich's comment, I wonder if you were stung by the same error in >>>> documentation we noted below: >>>> >>>> Go back to the centos-idm-console on ldap1 >>>> Go to the Configuration tab, select the userRoot under the >>>> Replication >>>> object in the left panel. 
>>>> Left/right click and choose New Replication
>>>> Agreement
>>>> The name is "mycompany.com ldap1->ldap2" and the
>>>> Description is
>>>> "Replicates mycompany.com from ldap1 to ldap2". Click Next.
>>>> Set the Consumer to ldap2.mycompany.com:389 from the drop down
>>>> box (389 is correct even though we are really using 636) -
>>>> Oops!
>>>> That is not true despite what the documentation says. Click
>>>> other and create a new entry for ldap2.mycompany.com on port
>>>> 636.
>>>> Enable the SSL connection.
>>>> Enter cn=repuser,cn=config for the Bind As and enter the
>>>> password.
>>>> Click Next and then Next again.
>>>> We will always keep directories in sync so click Next again.
>>>> Choose Initialize Consumer Now and click Next
>>>> Click Done
>>>>
>>>> If you need more details, e.g., about how we set up SSL, I posted most
>>>> of our internal procedure a day or two ago on this mailing list in
>>>> response to a post entitled "Developing a CentOS-DS setup". You can
>>>> find much more detail there.
>>>>
>>>> Good luck - John
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From Jean-Noel.Chardron at dr15.cnrs.fr Thu Jun 18 11:08:08 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (jean-Noël Chardron)
Date: Thu, 18 Jun 2009 13:08:08 +0200
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <4A389264.3010109@infinet.ru> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> <4A392E08.1040905@dr15.cnrs.fr> <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com>
Message-ID: <4A3A2018.9000606@dr15.cnrs.fr>

Hakuna Matata wrote:
> This is what it is returning....
>
> i guess i have to rebuild the client with CentOS 5.2 (though i have no
> reason but still).....
>
>
not sure

I made a mistake about ldapsearch, so let me summarize the situation:

You have a client CentOS 5.3 with IP address: 192.168.5.4
You have a server FDS with IP address: 192.168.5.1
You have a user in FDS test01 with dn: cn=test01,ou=Users,dc=vfds,dc=local
with uid = t01, uid number = 2223, gid = 2223, home dir = /home/test and login shell = /bin/test

You want to log in with user test01 on the client station through the FDS server

So you check the configuration of the client:
/etc/nsswitch is correct
/etc/ldap.conf is correct
/etc/pam.d/system-auth is correct
/etc/pam.d/login is correct
you can ping from client to server and vice-versa

OK, now you have to check the server side. This can be done with the tool ldapsearch: from the client you make a request with ldapsearch to get the information from the FDS server.

But before this: I didn't see your misconfiguration of the user test01 in the attribute login shell = /bin/test. I see it just now.
This attribute must be a valid shell on the client, i.e. /bin/bash or /bin/sh or whatever else you want, but a valid shell. I don't think that /bin/test permits you to log in to the client (on CentOS 5.3 the program /bin/test doesn't exist !!)

thus the first thing you can do is to change the attribute login shell from /bin/test to /bin/bash
then try to log in to the station with user t01.
For further verification of the server side you can do a request with ldapsearch:

ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" 'uid=t01'

and show the output

From chris at untrepid.com Thu Jun 18 11:18:28 2009
From: chris at untrepid.com (Chris Phillips)
Date: Thu, 18 Jun 2009 12:18:28 +0100
Subject: [389-users] Registering to a central admin server
In-Reply-To: <4A3110B2.8030603@redhat.com>
References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com>
Message-ID: <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com>

On Thu, Jun 11, 2009 at 3:12 PM, Rich Megginson wrote:
> Chris Phillips wrote:
>
>> Hi,
>>
>> Can someone describe how to register an existing dirsrv instance to an
>> existing admin server? The ds-setup-admin.pl script clearly performs the
>> registration exercise along with the build, but I can't see how to do this
>> as a single, 100% safe non-destructive way of registering existing machines
>> to a central admin server, to avoid having to annoyingly connect to admin
>> instances on every existing machine as we currently have to.
>>
> You should be able to use register-ds-admin.pl, or use setup-ds-admin.pl -u
> to update software/version information in the console.

Hi again,

I've been trying to do this, but I can't see how to register with a different centralized server. At no point in the register-ds-admin.pl steps can I give an alternative server name / IP address to go off and connect to. Any tips?

Thanks

Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From hartmann at fas.harvard.edu Thu Jun 18 21:30:24 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Thu, 18 Jun 2009 17:30:24 -0400
Subject: [389-users] lookthroughlimit and "result: 11 Administrative limit exceeded"
Message-ID: <4A3AB1F0.9070705@fas.harvard.edu>

Hi!
So I've got a RHDS installation that I'm serving automount points off of, and I ran into this error unexpectedly

# search result
search: 2
result: 11 Administrative limit exceeded

# numResponses: 1

I was able to search around and found this in the docs which seems to be the answer:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes.html#About_Indexes-Overview_of_the_Searching_Algorithm

However when I set "lookthroughlimit" to unlimited (-1) I then start getting results, but they are horrible!! Seconds between results! Whereas my old OpenLDAP servers respond immediately to the request! The search filter that the server seems to be sending is this:
"(&(objectClass=posixAccount)(uidNumber=XXX))"

I'm not super thrilled about allowing unlimited lookthroughlimit on the whole directory, but I'm not sure how else to get quick results from a search like that... er... help?!

Thanks

Tim

From tisdn.livre at serpro.gov.br Fri Jun 19 19:37:47 2009
From: tisdn.livre at serpro.gov.br (Diretorio Livre)
Date: Fri, 19 Jun 2009 16:37:47 -0300
Subject: [389-users] lookthroughlimit and "result: 11 Administrative limit exceeded"
Message-ID: <2538e16f514518148e217795a6db2492@correiolivre.serpro.gov.br>

An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Fri Jun 19 19:51:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Jun 2009 13:51:09 -0600
Subject: [389-users] lookthroughlimit and "result: 11 Administrative limit exceeded"
In-Reply-To: <4A3AB1F0.9070705@fas.harvard.edu>
References: <4A3AB1F0.9070705@fas.harvard.edu>
Message-ID: <4A3BEC2D.2060303@redhat.com>

Tim Hartmann wrote:
> Hi!
>
> So I've got a RHDS installation that I'm serving automount points off
> of, and I ran into this error unexpectedly
>
> # search result
> search: 2
> result: 11 Administrative limit exceeded
>
> # numResponses: 1
>
>
> I was able to search around and found this in the docs which seems to
> be the answer:
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes.html#About_Indexes-Overview_of_the_Searching_Algorithm
>
> However when I set "lookthroughlimit" to unlimited (-1) I then start
> getting results, but they are horrible!! Seconds between results!
> Whereas my old OpenLDAP servers respond immediately to the request! The
> search filter that the server seems to be sending is this:
> "(&(objectClass=posixAccount)(uidNumber=XXX))"
>
>
> I'm not super thrilled about allowing unlimited lookthroughlimit on the
> whole directory, but I'm not sure how else to get quick results from a
> search like that... er... help?!
>
1) use logconv.pl to look for unindexed searches - you most likely need to index uidNumber for equality (and do you really need objectclass=posixAccount in there? are you concerned you may retrieve an entry with uidNumber=XXX that is _not_ a posixAccount?)

2) lookthrough limit is almost always the wrong answer, unless you need to allow some administrative client (not regular clients) to perform complex queries that will return many results and consume a lot of server resources in the process

> Thanks
>
> Tim
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
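As an added example for Rich's first point (this is not logconv.pl and not code from any message in the thread), a small Python scanner over constructed 389 DS access-log lines: it pairs each SRCH with its RESULT by conn/op, keeps the results the server flagged as unindexed (notes=U), and derives the nsIndexType each filter attribute would need, emitting ldapmodify LDIF under an assumed userRoot backend. It goes a little beyond the thread's equality case by also recognising substring, presence and approximate filters.

```python
"""Find unindexed searches in a 389 / Red Hat Directory Server access log.

Added example for this thread; it is not logconv.pl and not code from any
message. It pairs each SRCH with its RESULT by conn/op, keeps the results
the server flagged as unindexed ("notes=U"), and works out which index
type each filter attribute needs, so the fix is an index rather than a
higher nsslapd-lookthroughlimit.
"""
import re

# Constructed sample in 389 DS access-log format (not taken from the thread).
# The first and third searches use the automount-style filter from the thread;
# the last one hits the administrative limit (err=11) and is unindexed too.
SAMPLE_LOG = """\
[19/Jun/2009:13:50:01 -0600] conn=12 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=1001))" attrs=ALL
[19/Jun/2009:13:50:04 -0600] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[19/Jun/2009:13:50:05 -0600] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="cn mail"
[19/Jun/2009:13:50:05 -0600] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[19/Jun/2009:13:50:09 -0600] conn=12 op=4 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=1002))" attrs=ALL
[19/Jun/2009:13:50:12 -0600] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=3 notes=U
[19/Jun/2009:13:50:20 -0600] conn=14 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(description=*backup*)" attrs=ALL
[19/Jun/2009:13:50:21 -0600] conn=14 op=2 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?etime=([\d.]+)(.*)$')
# One comparison inside an LDAP filter: (attr op value)
FILTER_ITEM_RE = re.compile(r'\(([A-Za-z][\w;-]*)(~=|>=|<=|=)([^)]*)\)')


def parse_unindexed(log_text):
    """Return one dict per RESULT carrying notes=U, joined to its SRCH filter."""
    pending = {}  # (conn, op) -> filter string of the search still in flight
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and "notes=U" in m.group(5):
            key = (m.group(1), m.group(2))
            hits.append({"conn": key[0], "op": key[1], "err": int(m.group(3)),
                         "etime": float(m.group(4)), "filter": pending.pop(key, None)})
    return hits


def filter_items(filter_str):
    """List (attribute, operator, value) triples compared in an LDAP filter."""
    return FILTER_ITEM_RE.findall(filter_str or "")


def index_type(op, value):
    """Map a filter comparison onto the 389 DS nsIndexType that would serve it."""
    if op == "~=":
        return "approx"
    if op in (">=", "<="):
        return "eq"  # ordering searches are answered from the equality index
    if value == "*":
        return "pres"
    if "*" in value:
        return "sub"
    return "eq"


def suggest_indexes(hits, backend="userRoot"):
    """Return {attr: sorted index types} for attributes in unindexed filters and
    the ldapmodify LDIF that defines them under cn=index of the given backend.
    objectClass is indexed by default in 389 DS and is skipped. The index
    must still be built afterwards (db2index or a cn=index,cn=tasks task)."""
    needed = {}
    for hit in hits:
        for attr, op, value in filter_items(hit["filter"]):
            if attr.lower() != "objectclass":
                needed.setdefault(attr, set()).add(index_type(op, value))
    needed = {attr: sorted(types) for attr, types in needed.items()}
    ldif = []
    for attr, types in sorted(needed.items()):
        entry = [f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
                 "changetype: add", "objectClass: top", "objectClass: nsIndex",
                 f"cn: {attr}", "nsSystemIndex: false"]
        entry += [f"nsIndexType: {t}" for t in types]
        ldif.append("\n".join(entry))
    return needed, "\n\n".join(ldif) + "\n"


if __name__ == "__main__":
    hits = parse_unindexed(SAMPLE_LOG)
    for h in hits:
        print(f"conn={h['conn']} op={h['op']} err={h['err']} etime={h['etime']:g}s {h['filter']}")
    needed, ldif = suggest_indexes(hits)
    print("\nattributes needing an index:", needed)
    print("\n# review, then: ldapmodify -x -D 'cn=Directory Manager' -W -f <this file>")
    print(ldif)
```

The err=11 result in the sample is the same "Administrative limit exceeded" Tim saw; once the index exists and has been built, those RESULT lines stop carrying notes=U and the lookthrough limit can stay at its default.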
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Fri Jun 19 19:51:54 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Jun 2009 13:51:54 -0600
Subject: [389-users] Registering to a central admin server
In-Reply-To: <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com>
References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com> <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com>
Message-ID: <4A3BEC5A.1010705@redhat.com>

Chris Phillips wrote:
>
>
> On Thu, Jun 11, 2009 at 3:12 PM, Rich Megginson wrote:
>
>     Chris Phillips wrote:
>
>         Hi,
>
>         Can someone describe how to register an existing dirsrv
>         instance to an existing admin server? The ds-setup-admin.pl
>         script clearly performs the registration exercise along with
>         the build, but I can't see how to do this as a single, 100%
>         safe non-destructive way of registering existing machines to a
>         central admin server, to avoid having to annoyingly connect to
>         admin instances on every existing machine as we currently have to.
>
>     You should be able to use register-ds-admin.pl, or use
>     setup-ds-admin.pl -u to update software/version information in the
>     console.
>
>
> Hi again,
>
> I've been trying to do this, but I can't see how to register with a
> different centralized server. At no point in the register-ds-admin.pl
> steps can I give an alternative server name / IP address to go off and
> connect to. Any tips?

Try editing /etc/dirsrv/admin-serv/adm.conf to point to the correct server, then try register-ds-admin.pl

>
> Thanks
>
> Chris
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From hartmann at fas.harvard.edu Fri Jun 19 20:19:55 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Fri, 19 Jun 2009 16:19:55 -0400
Subject: [389-users] lookthroughlimit and "result: 11 Administrative limit exceeded"
In-Reply-To: <2538e16f514518148e217795a6db2492@correiolivre.serpro.gov.br>
References: <2538e16f514518148e217795a6db2492@correiolivre.serpro.gov.br>
Message-ID: <4A3BF2EB.1000704@fas.harvard.edu>

Diretorio Livre wrote:
> Have you tried to index the attribute uidNumber?
>
> Regards,
> TISDN Team
>
> On 18/06/2009 at 18:30, fedora-directory-users at redhat.com wrote:
>
>     Hi!
>
>     So I've got a RHDS installation that I'm serving automount points off
>     of, and I ran into this error unexpectedly
>
>     # search result
>     search: 2
>     result: 11 Administrative limit exceeded
>
>     # numResponses: 1
>
>
>     I was able to search around and found this in the docs which seems to
>     be the answer:
>
>     http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes.html#About_Indexes-Overview_of_the_Searching_Algorithm
>
>     However when I set "lookthroughlimit" to unlimited (-1) I then start
>     getting results, but they are horrible!! Seconds between results!
>     Whereas my old OpenLDAP servers respond immediately to the
>     request! The
>     search filter that the server seems to be sending is this:
>     "(&(objectClass=posixAccount)(uidNumber=XXX))"
>
>
>     I'm not super thrilled about allowing unlimited lookthroughlimit
>     on the
>     whole directory, but I'm not sure how else to get quick results from a
>     search like that... er... help?!
>
>     Thanks
>
>     Tim
>
>     --
>     389 users mailing list
>     389-users at redhat.com
>     https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
Did that this morning, and BAM! All is well!! Thanks!
Tim

From vtingey at msl.ubc.ca Fri Jun 19 20:19:28 2009
From: vtingey at msl.ubc.ca (Vince Tingey)
Date: Fri, 19 Jun 2009 13:19:28 -0700
Subject: [389-users] Unregistering a server from a configuration server
Message-ID: <4A3BF2D0.4050007@msl.ubc.ca>

Hi Everyone!

I'm new to this server so please take it easy on me :-)

I found plenty of documentation to register a secondary server with a primary configuration server. I could not find any documentation on how to unregister the server if it's no longer around or for some other reason. I'd like it to not show up in the console anymore. How do I do this?

Thank you,
--

Vince | Michael Smith Laboratories
IT Systems Coordinator | University of British Columbia
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Fri Jun 19 20:53:52 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Jun 2009 14:53:52 -0600
Subject: [389-users] Unregistering a server from a configuration server
In-Reply-To: <4A3BF2D0.4050007@msl.ubc.ca>
References: <4A3BF2D0.4050007@msl.ubc.ca>
Message-ID: <4A3BFAE0.4060302@redhat.com>

Vince Tingey wrote:
> Hi Everyone!
>
> I'm new to this server so please take it easy on me :-)
>
> I found plenty of documentation to register a secondary server with a
> primary configuration server. I could not find any documentation on
> how to unregister the server if it's no longer around or for some other
> reason. I'd like it to not show up in the console anymore. How do I
> do this?

The ds_removal command

>
> Thank you,
> --
>
> Vince | Michael Smith Laboratories
> IT Systems Coordinator | University of British Columbia
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From chris at untrepid.com Sat Jun 20 06:27:59 2009
From: chris at untrepid.com (Chris Phillips)
Date: Sat, 20 Jun 2009 07:27:59 +0100
Subject: [389-users] Registering to a central admin server
In-Reply-To: <4A3BEC5A.1010705@redhat.com>
References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com> <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com> <4A3BEC5A.1010705@redhat.com>
Message-ID: <3e4e5d790906192327k38df686clef0d680a594b0250@mail.gmail.com>

On Fri, Jun 19, 2009 at 8:51 PM, Rich Megginson wrote:
> Chris Phillips wrote:
>
>>
>> On Thu, Jun 11, 2009 at 3:12 PM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>>     Chris Phillips wrote:
>>
>>         Hi,
>>
>>         Can someone describe how to register an existing dirsrv
>>         instance to an existing admin server? The ds-setup-admin.pl
>>         script clearly performs the registration exercise along with
>>         the build, but I can't see how to do this as a single, 100%
>>         safe non-destructive way of registering existing machines to a
>>         central admin server, to avoid having to annoyingly connect to
>>         admin instances on every existing machine as we currently have to.
>>
>>     You should be able to use register-ds-admin.pl, or use
>>     setup-ds-admin.pl -u to update software/version information in the
>>     console.
>>
>>
>> Hi again,
>>
>> I've been trying to do this, but I can't see how to register with a
>> different centralized server. At no point in the register-ds-admin.pl steps
>> can I give an alternative server name / IP address to go off and connect to.
>> Any tips?
>>
> Try editing /etc/dirsrv/admin-serv/adm.conf to point to the correct server,
> then try register-ds-admin.pl
>
Can we not have multiple ones? We'd want to be able to aggregate them back to a main console, but also connect to the machine itself if need be. Or could we just change the details temporarily?
Thanks

Chris
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From robert.ludvik at zd-lj.si Sun Jun 21 20:10:11 2009
From: robert.ludvik at zd-lj.si (Robert Ludvik)
Date: Sun, 21 Jun 2009 22:10:11 +0200
Subject: [389-users] Dynamic groups and maillist
Message-ID: <4A3E93A3.6090606@zd-lj.si>

Hi
Is there a way to use dynamic groups in FDS for group mails? I use LDAPAdmin for managing FDS users and groups and can't figure it out (if it is even possible).
Regards

From narender.hooda at gmail.com Mon Jun 22 06:59:03 2009
From: narender.hooda at gmail.com (Hakuna Matata)
Date: Mon, 22 Jun 2009 12:29:03 +0530
Subject: [389-users] Help Needed -----Linux Ldap Client machine unable to login Fedors DS
In-Reply-To: <4A3A2018.9000606@dr15.cnrs.fr>
References: <253e13910906162127l7e415e03vd82b660a2b15c414@mail.gmail.com> <253e13910906170311g4f3d742boc7c4bf8dd742145a@mail.gmail.com> <4A38CD97.8000405@dr15.cnrs.fr> <253e13910906170431x631a9e2dj5f433b7835a3e49d@mail.gmail.com> <4A38E564.5000306@dr15.cnrs.fr> <253e13910906170914m1a72a130s29a17b2693d3e2d3@mail.gmail.com> <253e13910906171035n10d56cdkcf71068b216f6430@mail.gmail.com> <4A392E08.1040905@dr15.cnrs.fr> <253e13910906171125o6e811bf6jaa4523512399c31f@mail.gmail.com> <4A3A2018.9000606@dr15.cnrs.fr>
Message-ID: <253e13910906212359j52f69c37ua9a9923b50744886@mail.gmail.com>

Thanks a million, it works now :) really really appreciate all the help.

Best regards
--H

On Thu, Jun 18, 2009 at 4:38 PM, jean-Noël Chardron <Jean-Noel.Chardron at dr15.cnrs.fr> wrote:
> Hakuna Matata wrote:
>
>> This is what it is returning....
>>
>> i guess i have to rebuild the client with CentOS 5.2 (though i have no
>> reason but still).....
>>
>>
>>
> not sure
>
> I made a mistake about ldapsearch, so let me summarize the situation:
>
> You have a client CentOS 5.3 with IP address: 192.168.5.4
> You have a server FDS with IP address: 192.168.5.1
> You have a user in FDS test01 with dn: cn=test01,ou=Users,dc=vfds,dc=local
> with uid = t01, uid number = 2223, gid = 2223, home dir = /home/test and
> login shell = /bin/test
>
> You want to log in with user test01 on the client station through the FDS
> server
>
> So you check the configuration of the client:
> /etc/nsswitch is correct
> /etc/ldap.conf is correct
> /etc/pam.d/system-auth is correct
> /etc/pam.d/login is correct
> you can ping from client to server and vice-versa
>
> OK, now you have to check the server side. This can be done with the tool
> ldapsearch: from the client you make a request with ldapsearch to get the
> information from the FDS server.
> But before this: I didn't see your misconfiguration of the user test01 in
> the attribute login shell = /bin/test. I see it just now.
> This attribute must be a valid shell on the client, i.e. /bin/bash or /bin/sh
> or whatever else you want, but a valid shell. I don't think that /bin/test
> permits you to log in to the client (on CentOS 5.3 the program /bin/test
> doesn't exist !!)
>
> thus the first thing you can do is to change the attribute login shell from
> /bin/test to /bin/bash
> then try to log in to the station with user t01.
>
> For further verification of the server side you can do a request with
> ldapsearch:
>
> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" 'uid=t01'
> and show the output
>
>
>
>
>
>
>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From emmanuel.billot at ird.fr Mon Jun 22 08:50:00 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Mon, 22 Jun 2009 10:50:00 +0200
Subject: [389-users] Registering
Message-ID: <4A3F45B8.9050909@ird.fr>

Hi,

We want to use a FDS based directory, 2 multimasters, 5 replicas.
Is it useful to register all those servers in a configuration server?
What is the main interest in registering servers?

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Mon Jun 22 08:51:21 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Mon, 22 Jun 2009 10:51:21 +0200
Subject: [389-users] Add to registering
Message-ID: <4A3F4609.8080203@ird.fr>

Hi,

Is there any main interest in registering servers in a configuration server, other than having only one console?

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Mon Jun 22 12:44:26 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Mon, 22 Jun 2009 14:44:26 +0200
Subject: [389-users] Managing suffixe with command line
Message-ID: <4A3F7CAA.5090907@ird.fr>

Hi,

Is it possible to delete/disable a suffix and databases without the FDS console? The documentation does not refer to it.
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases.html#Maintaining_Suffixes-Deleting_a_Suffix

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From rmeggins at redhat.com Mon Jun 22 14:48:29 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 22 Jun 2009 08:48:29 -0600
Subject: [389-users] Registering to a central admin server
In-Reply-To: <3e4e5d790906192327k38df686clef0d680a594b0250@mail.gmail.com>
References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com> <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com> <4A3BEC5A.1010705@redhat.com> <3e4e5d790906192327k38df686clef0d680a594b0250@mail.gmail.com>
Message-ID: <4A3F99BD.6070507@redhat.com>

Chris Phillips wrote:
>
>
> On Fri, Jun 19, 2009 at 8:51 PM, Rich Megginson wrote:
>
>     Chris Phillips wrote:
>
>         On Thu, Jun 11, 2009 at 3:12 PM, Rich Megginson wrote:
>
>             Chris Phillips wrote:
>
>                 Hi,
>
>                 Can someone describe how to register an existing dirsrv
>                 instance to an existing admin server? The ds-setup-admin.pl
>                 script clearly performs the registration exercise
>                 along with
>                 the build, but I can't see how to do this as a single, 100%
>                 safe non-destructive way of registering existing
>                 machines to a
>                 central admin server, to avoid having to annoyingly
>                 connect to
>                 admin instances on every existing machine as we
>                 currently have to.
>
>             You should be able to use register-ds-admin.pl, or use
>             setup-ds-admin.pl -u to update software/version information
>             in the
>             console.
>
>
>         Hi again,
>
>         I've been trying to do this, but I can't see how to register
>         with a different centralized server. At no point in the
>         register-ds-admin.pl steps can I give an alternative server
>         name / IP address to go off and connect to. Any tips?
> > Try editing /etc/dirsrv/admin-serv/adm.conf to point to the > correct server, then try register-ds-admin.pl > > > Can we not have multiple ones? We'd want to be able to aggregate them > back to a main console, but also connect to the machine itself if need > be. Or could we just change the details temporarily? It's not really designed for that - it's designed to have all servers registered in a central configuration directory server (o=NetscapeRoot), but I suppose with some hacking you could make it work. > > Thanks > > Chris > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Mon Jun 22 14:50:35 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 22 Jun 2009 08:50:35 -0600 Subject: [389-users] Add to registering In-Reply-To: <4A3F4609.8080203@ird.fr> References: <4A3F4609.8080203@ird.fr> Message-ID: <4A3F9A3B.8010107@redhat.com> Emmanuel BILLOT wrote: > Hi, > > Is there any main interest in registering server in a configuration > server, other than having only one console ? Yes. The main interest is to be able to manage them all from a single point using the admin server/console. Many 389 users do everything from the command line and scripts and do not use the console at all. > > BR, > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From dumboq at yahoo.com Mon Jun 22 18:00:11 2009 From: dumboq at yahoo.com (Dumbo Q) Date: Mon, 22 Jun 2009 11:00:11 -0700 (PDT) Subject: [389-users] using uid rather then cn in the binddn Message-ID: <573417.30314.qm@web111920.mail.gq1.yahoo.com> Is there any reason to use cn vs. uid for a user login. I would like people to be able to use uid=... as their binddn, and Leave cn as the users full name. I'm just not sure how this works, or why for that matter. 1. The ldap browser tool that i am using displays a tree view of my ldap entries. In the tree, it displays the cn for each user (which in my opinion should be the full name). 2. When a linux user logs in, ldap binds as the user logging in with 'cn=userid,ou=...'. Im not sure how it knows to use cn rather then uid, and i don't see anywhere to specify that. So, my usernames are all stored in as cn. 3. Thunderbird's addressbook displays the cn as the persons full name. In my case, that means that you see everyones username instead of there real name. It does not respect the displayname attribute like outlook does. There is a workaround in 'user.js' but that would be a real pain to set that up on everyones computer. I believe my solution would be to have each users dn use uid rather then cn. Is this the correct approach? Is this possible? -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From chris at untrepid.com Mon Jun 22 18:28:28 2009 From: chris at untrepid.com (Chris Phillips) Date: Mon, 22 Jun 2009 19:28:28 +0100 Subject: [389-users] Registering to a central admin server In-Reply-To: <4A3BEC5A.1010705@redhat.com> References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com> <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com> <4A3BEC5A.1010705@redhat.com> Message-ID: <3e4e5d790906221128o67517ae2x698edf07d87f6fd3@mail.gmail.com> On Fri, Jun 19, 2009 at 8:51 PM, Rich Megginson wrote: > Chris Phillips wrote: > >> On Thu, Jun 11, 2009 at 3:12 PM, Rich Megginson > rmeggins at redhat.com>> wrote: >> Chris Phillips wrote: >> >> Hi, >> >> Can someone describe how to register an existing dirsrv >> instance to an existing admin server? The ds-setup-admin.pl >> scripts clearly performs the registration exercise along with >> the build, but I can't see how to do this as a single, 100% >> safe non-destructive way of registering existing machines to a >> central admin server, to avoid having to annoyingly connect to >> admin instances on evey existing machine as we currently have to. >> >> You should be able to use register-ds-admin.pl, or use >> setup-ds-admin.pl -u to update software/version information in the >> console. >> >> >> Hi again, >> >> I've been trying to do this, but I can't see how to register with a >> different centralized server. at no point in the register-ds-admin.pl steps >> can I give an alternative server name / IP address to go off and connect to. >> Any tips? >> > Try editing /etc/dirsrv/admin-serv/adm.conf to point to the correct server, > then try register-ds-admin.pl > I'm afraid I'm still in the dark here. The adm.conf is used by the admin server to contact the DS instance to be managed? I thought the logic was the other way round, with the DS server "phoning home" to register itself to the Admin. 
Either way, the adm.conf then only lists one server in the ldapurl, and the other two attributes referencing the server, sie and isie both get changed to match the server in the ldapurl as part of the registration, removing all other references to the server that was in there. So whilst I thought my modifications to adm.conf (changing the ldapurl from server b to a) on server b and running register-ds-admin.pl on server b would add server b to the admin console on server a. Instead it *replaced* server b with server a on the admin console on server b, meaning both admin consoles were then registered to administer server a. Not anything like what I wanted! Any pointers? Cheers Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Mon Jun 22 19:04:45 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 22 Jun 2009 13:04:45 -0600 Subject: [389-users] Registering to a central admin server In-Reply-To: <3e4e5d790906221128o67517ae2x698edf07d87f6fd3@mail.gmail.com> References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com> <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com> <4A3BEC5A.1010705@redhat.com> <3e4e5d790906221128o67517ae2x698edf07d87f6fd3@mail.gmail.com> Message-ID: <4A3FD5CD.3020400@redhat.com> Chris Phillips wrote: > > > On Fri, Jun 19, 2009 at 8:51 PM, Rich Megginson > wrote: > > Chris Phillips wrote: > > On Thu, Jun 11, 2009 at 3:12 PM, Rich Megginson > > >> wrote: > Chris Phillips wrote: > > Hi, > > Can someone describe how to register an existing dirsrv > instance to an existing admin server? 
The ds-setup-admin.pl > scripts clearly performs the registration exercise > along with > the build, but I can't see how to do this as a single, 100% > safe non-destructive way of registering existing > machines to a > central admin server, to avoid having to annoyingly > connect to > admin instances on evey existing machine as we > currently have to. > > You should be able to use register-ds-admin.pl, or use > setup-ds-admin.pl -u to update software/version information > in the > console. > > > Hi again, > > I've been trying to do this, but I can't see how to register > with a different centralized server. at no point in the > register-ds-admin.pl steps can I give an alternative server > name / IP address to go off and connect to. Any tips? > > Try editing /etc/dirsrv/admin-serv/adm.conf to point to the > correct server, then try register-ds-admin.pl > > > I'm afraid I'm still in the dark here. The adm.conf is used by the > admin server to contact the DS instance to be managed? I thought the > logic was the other way round, with the DS server "phoning home" to > register itself to the Admin. Either way, the adm.conf then only lists > one server in the ldapurl, and the other two attributes referencing > the server, sie and isie both get changed to match the server in the > ldapurl as part of the registration, removing all other references to > the server that was in there. So whilst I thought my modifications to > adm.conf (changing the ldapurl from server b to a) on server b and > running register-ds-admin.pl on server b would add server b to the > admin console on server a. Instead it *replaced* server b with server > a on the admin console on server b, meaning both admin consoles were > then registered to administer server a. Not anything like what I wanted! > > Any pointers? 
Change adm.conf back to point to which server you want to use as your main server, and then run setup-ds-admin.pl -u > > Cheers > > Chris > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From chris at untrepid.com Mon Jun 22 19:13:58 2009 From: chris at untrepid.com (Chris Phillips) Date: Mon, 22 Jun 2009 20:13:58 +0100 Subject: [389-users] Registering to a central admin server In-Reply-To: <4A3FD5CD.3020400@redhat.com> References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com> <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com> <4A3BEC5A.1010705@redhat.com> <3e4e5d790906221128o67517ae2x698edf07d87f6fd3@mail.gmail.com> <4A3FD5CD.3020400@redhat.com> Message-ID: <3e4e5d790906221213m4247a463v2601f6d713751752@mail.gmail.com> On Mon, Jun 22, 2009 at 8:04 PM, Rich Megginson wrote: > Chris Phillips wrote: >> >> >> Try editing /etc/dirsrv/admin-serv/adm.conf to point to the >> correct server, then try register-ds-admin.pl >> >> >> I'm afraid I'm still in the dark here. The adm.conf is used by the admin >> server to contact the DS instance to be managed? I thought the logic was the >> other way round, with the DS server "phoning home" to register itself to the >> Admin. Either way, the adm.conf then only lists one server in the ldapurl, >> and the other two attributes referencing the server, sie and isie both get >> changed to match the server in the ldapurl as part of the registration, >> removing all other references to the server that was in there. 
So whilst I >> thought my modifications to adm.conf (changing the ldapurl from server b to >> a) on server b and running register-ds-admin.pl on server b would add server >> b to the admin console on server a. Instead it *replaced* server b with >> server a on the admin console on server b, meaning both admin consoles were >> then registered to administer server a. Not anything like what I wanted! >> >> Any pointers? >> > Change adm.conf back to point to which server you want to use as your main > server, and then run setup-ds-admin.pl -u My main what server? DS or Admin? As I understand that, that will register whatever server is listed as the ldapurl as the only instance in the Admin server on the box I'm running this on. Correct? Am I being deluded about this? I'm expect to log in to an admin server with the idm console, and see a list of 8 different machines listed there, and be able to browse the ldap tree of any of those machines, including their o=NetscapeRoot and be able to manage ACI's, password policies and such... This is the model you recommend, no? Thanks Chris -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Mon Jun 22 19:18:35 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 22 Jun 2009 13:18:35 -0600 Subject: [389-users] Registering to a central admin server In-Reply-To: <3e4e5d790906221213m4247a463v2601f6d713751752@mail.gmail.com> References: <3e4e5d790906110418h4f89db1fk606158fd4a6deb23@mail.gmail.com> <4A3110B2.8030603@redhat.com> <3e4e5d790906180418o1a717cf4ve58f0e2706df7d36@mail.gmail.com> <4A3BEC5A.1010705@redhat.com> <3e4e5d790906221128o67517ae2x698edf07d87f6fd3@mail.gmail.com> <4A3FD5CD.3020400@redhat.com> <3e4e5d790906221213m4247a463v2601f6d713751752@mail.gmail.com> Message-ID: <4A3FD90B.1080708@redhat.com> Chris Phillips wrote: > > On Mon, Jun 22, 2009 at 8:04 PM, Rich Megginson > wrote: > > Chris Phillips wrote: > > > Try editing /etc/dirsrv/admin-serv/adm.conf to point to the > correct server, then try register-ds-admin.pl > > > I'm afraid I'm still in the dark here. The adm.conf is used by > the admin server to contact the DS instance to be managed? I > thought the logic was the other way round, with the DS server > "phoning home" to register itself to the Admin. Either way, > the adm.conf then only lists one server in the ldapurl, and > the other two attributes referencing the server, sie and isie > both get changed to match the server in the ldapurl as part of > the registration, removing all other references to the server > that was in there. So whilst I thought my modifications to > adm.conf (changing the ldapurl from server b to a) on server b > and running register-ds-admin.pl on server b would add server > b to the admin console on server a. Instead it *replaced* > server b with server a on the admin console on server b, > meaning both admin consoles were then registered to administer > server a. Not anything like what I wanted! > > Any pointers? > > Change adm.conf back to point to which server you want to use as > your main server, and then run setup-ds-admin.pl -u > > > My main what server? 
DS or Admin? DS. The directory server which has the master copy of o=NetscapeRoot which contains all of the configuration information for all of the admin servers and directory servers in your organization. > As I understand that, that will register whatever server is listed as > the ldapurl as the only instance in the Admin server on the box I'm > running this on. Correct? No. > > Am I being deluded about this? I'm expect to log in to an admin server > with the idm console, and see a list of 8 different machines listed > there, and be able to browse the ldap tree of any of those machines, Yes. > including their o=NetscapeRoot No. Only the master configuration DS will have o=NetscapeRoot. The other servers should not have o=NetscapeRoot (unless you have set up MMR/failover for o=NetscapeRoot). > and be able to manage ACI's, password policies and such... This is the > model you recommend, no? This is the recommended model. > > Thanks > > Chris > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From dumboq at yahoo.com Mon Jun 22 20:25:27 2009 From: dumboq at yahoo.com (Dumbo Q) Date: Mon, 22 Jun 2009 13:25:27 -0700 (PDT) Subject: [389-users] using uid rather then cn in the binddn In-Reply-To: <573417.30314.qm@web111920.mail.gq1.yahoo.com> References: <573417.30314.qm@web111920.mail.gq1.yahoo.com> Message-ID: <665646.41007.qm@web111912.mail.gq1.yahoo.com> Erg. I thought I had it but it's something is blocking me from doing this update. Can anyone help me find where my constraint is? 
[root at rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
changetype: modify
replace: dn
dn: uid=testy,ou=users,ou=people,dc=mydomain,dc=com

modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"
ldapmodify: Object class violation (65)
        additional info: attribute "dn" not allowed

[root at rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
changetype: modify
newRDN: uid=testy
deleteOldRDN: 1

modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"
ldapmodify: Object class violation (65)
        additional info: attribute "newRdn" not allowed

________________________________
From: Dumbo Q
To: fedora-directory-users at redhat.com
Sent: Monday, June 22, 2009 2:00:11 PM
Subject: [389-users] using uid rather then cn in the binddn

Is there any reason to use cn vs. uid for a user login? I would like people to be able to use uid=... as their binddn, and leave cn as the user's full name. I'm just not sure how this works, or why for that matter.

1. The ldap browser tool that I am using displays a tree view of my ldap entries. In the tree, it displays the cn for each user (which in my opinion should be the full name).

2. When a linux user logs in, ldap binds as the user logging in with 'cn=userid,ou=...'. I'm not sure how it knows to use cn rather than uid, and I don't see anywhere to specify that. So, my usernames are all stored in as cn.

3. Thunderbird's addressbook displays the cn as the person's full name. In my case, that means that you see everyone's username instead of their real name. It does not respect the displayname attribute like outlook does. There is a workaround in 'user.js' but that would be a real pain to set that up on everyone's computer.

I believe my solution would be to have each user's dn use uid rather than cn. Is this the correct approach? Is this possible?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From nkinder at redhat.com Mon Jun 22 20:30:53 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 22 Jun 2009 13:30:53 -0700
Subject: [389-users] using uid rather then cn in the binddn
In-Reply-To: <665646.41007.qm@web111912.mail.gq1.yahoo.com>
References: <573417.30314.qm@web111920.mail.gq1.yahoo.com> <665646.41007.qm@web111912.mail.gq1.yahoo.com>
Message-ID: <4A3FE9FD.2040905@redhat.com>

Dumbo Q wrote:
> Erg. I thought I had it but something is blocking me from
> doing this update. Can anyone help me find where my constraint is?
>
> [root at rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
> dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
> changetype: modify
> newRDN: uid=testy
> deleteOldRDN: 1
>
> modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"
> ldapmodify: Object class violation (65)
> additional info: attribute "newRdn" not allowed

You need to perform a "modrdn" operation instead of a regular modify. Try the above, but change your "changetype" to "modrdn". You may also find that you don't want to delete the old RDN from the entry, particularly if that is the only "cn" value present in your entry. Doing so would cause an objectclass violation since "cn" is likely required for the objectclass you are using.

From dumboq at yahoo.com Mon Jun 22 20:48:30 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Mon, 22 Jun 2009 13:48:30 -0700 (PDT)
Subject: [389-users] using uid rather then cn in the binddn
In-Reply-To: <4A3FE9FD.2040905@redhat.com>
References: <573417.30314.qm@web111920.mail.gq1.yahoo.com> <665646.41007.qm@web111912.mail.gq1.yahoo.com> <4A3FE9FD.2040905@redhat.com>
Message-ID: <367466.17462.qm@web111915.mail.gq1.yahoo.com>

Thanks.
I tried that, but now it tells me

ldapmodify: Object class violation (65)
        additional info: missing attribute "cn" required by object class "inetOrgPerson"

Being that the entry has a 'cn', I guess this means that somewhere I have it set up where the dn requires the cn to be in it??? Any thoughts?

________________________________
From: Nathan Kinder
To: General discussion list for the 389 Directory server project.
Sent: Monday, June 22, 2009 4:30:53 PM
Subject: Re: [389-users] using uid rather then cn in the binddn

Dumbo Q wrote:
> Erg. I thought I had it but something is blocking me from doing this update. Can anyone help me find where my constraint is?
>
> [root at rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
> dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
> changetype: modify
> newRDN: uid=testy
> deleteOldRDN: 1
>
> modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"
> ldapmodify: Object class violation (65)
> additional info: attribute "newRdn" not allowed

You need to perform a "modrdn" operation instead of a regular modify. Try the above, but change your "changetype" to "modrdn". You may also find that you don't want to delete the old RDN from the entry, particularly if that is the only "cn" value present in your entry. Doing so would cause an objectclass violation since "cn" is likely required for the objectclass you are using.

-------------- next part --------------
An HTML attachment was scrubbed...
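The violation reported above comes from `deleteOldRDN: 1` stripping the entry's only cn value during the rename. The following is an added example, not code from the thread or from the 389 project: it models the modrdn in memory against the inetOrgPerson MUST attributes, so the rejected and the accepted variants can be compared offline. The sample entry, the schema subset and all function names are constructed for the example.

```python
"""Added example, not from the thread or the 389 project: an in-memory model of an
LDAP modrdn checked against the inetOrgPerson MUST attributes, showing why
"deleteOldRDN: 1" on an entry whose only cn is the RDN fails with objectClassViolation
(65) while "deleteOldRDN: 0" succeeds. Entry, schema subset and names are constructed.
"""
from copy import deepcopy

# Constructed schema subset: required attributes per objectclass, with the
# inherited MUSTs flattened (person requires cn and sn; its subclasses inherit them).
MUST_ATTRS = {
    "top": {"objectclass"},
    "person": {"cn", "sn"},
    "organizationalperson": {"cn", "sn"},
    "inetorgperson": {"cn", "sn"},
}


class ObjectClassViolation(Exception):
    """Stands in for LDAP result code 65 (objectClassViolation)."""


def parse_rdn(rdn):
    """Split 'uid=testy' into ('uid', 'testy'); attribute types are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip() or not value.strip():
        raise ValueError("malformed RDN: %r" % rdn)
    return attr.strip().lower(), value.strip()


def check_objectclasses(entry):
    """Raise ObjectClassViolation if any objectclass MUST attribute has no value.

    The most specific class is checked first so the message names it, as the
    server did in the thread ('required by object class "inetOrgPerson"').
    """
    for oc in reversed(entry.get("objectclass", [])):
        for must in sorted(MUST_ATTRS.get(oc.lower(), ())):
            if not entry.get(must):
                raise ObjectClassViolation(
                    'missing attribute "%s" required by object class "%s"' % (must, oc))


def modrdn(entry, new_rdn, delete_old_rdn):
    """Apply a modrdn to a copy of `entry` (dict: lower-cased attribute -> list of values).

    Returns the renamed entry or raises ObjectClassViolation; `entry` is left untouched.
    """
    new = deepcopy(entry)
    old_rdn, parent = new["dn"].split(",", 1)
    old_attr, old_value = parse_rdn(old_rdn)
    new_attr, new_value = parse_rdn(new_rdn)

    # The new RDN value is always added to the entry (RFC 4511 section 4.9).
    values = new.setdefault(new_attr, [])
    if new_value not in values:
        values.append(new_value)
    # deleteOldRDN: 1 removes the old RDN value; if it was the only cn, the
    # person MUST is no longer satisfied and the server rejects the rename.
    if delete_old_rdn:
        new[old_attr] = [v for v in new.get(old_attr, []) if v != old_value]

    new["dn"] = "%s=%s,%s" % (new_attr, new_value, parent)
    check_objectclasses(new)
    return new


def modrdn_ldif(dn, new_rdn, delete_old_rdn):
    """The LDIF change record ldapmodify expects for a rename (changetype: modrdn)."""
    return "dn: %s\nchangetype: modrdn\nnewrdn: %s\ndeleteoldrdn: %d\n" % (
        dn, new_rdn, 1 if delete_old_rdn else 0)


# Constructed sample entry modelled on the one in the thread.
TESTY = {
    "dn": "cn=testy,ou=users,ou=people,dc=mydomain,dc=com",
    "objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "cn": ["testy"],
    "sn": ["Tester"],
    "uid": ["testy"],
}

if __name__ == "__main__":
    for delete_old in (True, False):
        print(modrdn_ldif(TESTY["dn"], "uid=testy", delete_old))
        try:
            renamed = modrdn(TESTY, "uid=testy", delete_old)
            print("ok: %s cn=%s" % (renamed["dn"], renamed["cn"]))
        except ObjectClassViolation as err:
            print("Object class violation (65): %s" % err)
        print()
```

An entry that carries a second cn value (the full name) survives `deleteOldRDN: 1`, which is the case the model also handles.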
URL: From nkinder at redhat.com Mon Jun 22 20:46:44 2009 From: nkinder at redhat.com (Nathan Kinder) Date: Mon, 22 Jun 2009 13:46:44 -0700 Subject: [389-users] using uid rather then cn in the binddn In-Reply-To: <367466.17462.qm@web111915.mail.gq1.yahoo.com> References: <573417.30314.qm@web111920.mail.gq1.yahoo.com> <665646.41007.qm@web111912.mail.gq1.yahoo.com> <4A3FE9FD.2040905@redhat.com> <367466.17462.qm@web111915.mail.gq1.yahoo.com> Message-ID: <4A3FEDB4.6060204@redhat.com> Dumbo Q wrote: > Thanks. I tried that, but now it tells me > ldapmodify: Object class violation (65) > additional info: missing attribute "cn" required by object > class "inetOrgPerson" > > Being that the entry has a 'cn', I guess this means that somewhere I > have it setup where dn requires the cn to be in it ??? Anythoughts Are you still specifying "deleteOldRDN: 1"? As I mentioned, you shouldn't be doing that as it will delete the old RDN value from the entry, which is your "cn". Since "cn" is required by the "inetOrgPerson" objectclass, this is an objectclass violation. Try specifying "deleteOldRDN: 0". > > > > ------------------------------------------------------------------------ > *From:* Nathan Kinder > *To:* General discussion list for the 389 Directory server project. > > *Sent:* Monday, June 22, 2009 4:30:53 PM > *Subject:* Re: [389-users] using uid rather then cn in the binddn > > Dumbo Q wrote: > > Erg. I thought I had it but it's something is blocking me from > doing this update. Can anyone help me find where my constraint is? > > > > > > > [root at rhds ~]# ldapmodify -x -W -D cn=DirectoryManager > > dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com > > changetype: modify > > newRDN: uid=testy > > deleteOldRDN: 1 > > > > modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com" > > ldapmodify: Object class violation (65) > > additional info: attribute "newRdn" not allowed > You need to perform a "modrdn" operation instead of a regular modify. 
> Try the above, but change your "changetype" to "modrdn". You may also > find that you don't want to delete the old RDN from the entry, > particularly if that is the only "cn" value present in your entry. > Doing so would cause an objectclass violation since "cn" is likely > required for the objectclass you are using. > > > > > > > > ------------------------------------------------------------------------ > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From dumboq at yahoo.com Mon Jun 22 21:07:07 2009 From: dumboq at yahoo.com (Dumbo Q) Date: Mon, 22 Jun 2009 14:07:07 -0700 (PDT) Subject: (Solved) Re: [389-users] using uid rather then cn in the binddn In-Reply-To: <4A3FEDB4.6060204@redhat.com> References: <573417.30314.qm@web111920.mail.gq1.yahoo.com> <665646.41007.qm@web111912.mail.gq1.yahoo.com> <4A3FE9FD.2040905@redhat.com> <367466.17462.qm@web111915.mail.gq1.yahoo.com> <4A3FEDB4.6060204@redhat.com> Message-ID: <562142.77427.qm@web111908.mail.gq1.yahoo.com> Im sorry, i missed that part. using modrdn with deleteOldRDN: 0 worked perfectly. Thanks ________________________________ From: Nathan Kinder To: General discussion list for the 389 Directory server project. Sent: Monday, June 22, 2009 4:46:44 PM Subject: Re: [389-users] using uid rather then cn in the binddn Dumbo Q wrote: > Thanks. 
I tried that, but now it tells me > ldapmodify: Object class violation (65) > additional info: missing attribute "cn" required by object class "inetOrgPerson" > > Being that the entry has a 'cn', I guess this means that somewhere I have it setup where dn requires the cn to be in it ??? Anythoughts Are you still specifying "deleteOldRDN: 1"? As I mentioned, you shouldn't be doing that as it will delete the old RDN value from the entry, which is your "cn". Since "cn" is required by the "inetOrgPerson" objectclass, this is an objectclass violation. Try specifying "deleteOldRDN: 0". > > > > ------------------------------------------------------------------------ > *From:* Nathan Kinder > *To:* General discussion list for the 389 Directory server project. > *Sent:* Monday, June 22, 2009 4:30:53 PM > *Subject:* Re: [389-users] using uid rather then cn in the binddn > > Dumbo Q wrote: > > Erg. I thought I had it but it's something is blocking me from doing this update. Can anyone help me find where my constraint is? > > > > > > > [root at rhds ~]# ldapmodify -x -W -D cn=DirectoryManager > > dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com > > changetype: modify > > newRDN: uid=testy > > deleteOldRDN: 1 > > > > modifying entry "cn=testy,ou=users,ou=people,dc=mydomain,dc=com" > > ldapmodify: Object class violation (65) > > additional info: attribute "newRdn" not allowed > You need to perform a "modrdn" operation instead of a regular modify. Try the above, but change your "changetype" to "modrdn". You may also find that you don't want to delete the old RDN from the entry, particularly if that is the only "cn" value present in your entry. Doing so would cause an objectclass violation since "cn" is likely required for the objectclass you are using. 
> > > > > > > > ------------------------------------------------------------------------ > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- 389 users mailing list 389-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From josi at puzzle.ch Tue Jun 23 11:54:00 2009 From: josi at puzzle.ch (Simon Josi) Date: Tue, 23 Jun 2009 13:54:00 +0200 Subject: [389-users] Windows Sync Agreement: 00002108: LdapErr: DSID-0C0907FA, comment: Error processing control, data 0, vece Message-ID: <4A40C258.5010609@puzzle.ch> I had some working Sync Agreements between 389 and AD. Suddenly they stopped working, I even tried with a fresh Installation of 389. If I do a full rsync of a newly created agreement, the following two lines appear in the error log: [22/Jun/2009:15:52:39 +0200] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=Informatik-Mitarbeiter" (dns2:389)". [22/Jun/2009:15:52:39 +0200] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=Informatik-Mitarbeiter" (dns2:389)". Sent 0 entries. But that seems not to be the whole truth. 
I've captured the network traffic of a full resync via tcpdump:

bindRequest(1) "cn=Amanda,cn=users,dc=rz-altdorf,dc=local" simple
bindResponse(1) succes
searchRequest(2) "dc=rz-altdorf,dc=local" wholeSubtree
searchResDone(2) unwillingToPerform (00002108: LdapErr: DSID-0C0907FA, comment: Error processing control, data 0, vece) [0 results]

The complete dump can be found here: http://pastie.org/521301

Seems to be an issue with the replControlValue control. I don't find much information on the net about this error.

Any ideas?

Regards,
Simon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 260 bytes
Desc: OpenPGP digital signature
URL: 

From rmeggins at redhat.com Tue Jun 23 15:21:13 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 23 Jun 2009 09:21:13 -0600
Subject: [389-users] Windows Sync Agreement: 00002108: LdapErr: DSID-0C0907FA, comment: Error processing control, data 0, vece
In-Reply-To: <4A40C258.5010609@puzzle.ch>
References: <4A40C258.5010609@puzzle.ch>
Message-ID: <4A40F2E9.6070201@redhat.com>

Simon Josi wrote:
> I had some working Sync Agreements between 389 and AD. Suddenly they
> stopped working,

What changed?

> I even tried with a fresh Installation of 389.
>
> If I do a full rsync of a newly created agreement, the following two
> lines appear in the error log:
>
> [22/Jun/2009:15:52:39 +0200] NSMMReplicationPlugin - Beginning total
> update of replica "agmt="cn=Informatik-Mitarbeiter" (dns2:389)".
> [22/Jun/2009:15:52:39 +0200] NSMMReplicationPlugin - Finished total
> update of replica "agmt="cn=Informatik-Mitarbeiter" (dns2:389)". Sent 0
> entries.
>
> But that seems not to be the whole truth.
I've captured the network > traffic of a full resync via tcpdump: > > bindRequest(1) "cn=Amanda,cn=users,dc=rz-altdorf,dc=local" simple > bindResponse(1) succes > searchRequest(2) "dc=rz-altdorf,dc=local" wholeSubtree > searchResDone(2) unwillingToPerform (00002108: LdapErr: DSID-0C0907FA, > comment: Error processing control, data 0, vece) [0 results] > > The complete dump can be found here: http://pastie.org/521301 > > Seems to be an issue with the replControlValue Control. I don't find > much Information on the net about this error. > > Any Ideas? > > > Regards, > Simon > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Jun 24 03:07:14 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 23 Jun 2009 21:07:14 -0600 Subject: [389-users] Managing suffixe with command line In-Reply-To: <4A3F7CAA.5090907@ird.fr> References: <4A3F7CAA.5090907@ird.fr> Message-ID: <4A419862.30608@redhat.com> Emmanuel BILLOT wrote: > Hi, > > Is it possible to delete/disable suffixe and databses without the FDS > console ? Yes. Just do a recursive delete of the suffix entry and the database entry under cn=config. 
Suffix entries are documented here:
http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-Core_Server_Configuration_Attributes_Reference-Suffix_Configuration_Attributes_under_cnsuffixName

Database entries are documented here:
http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cnNetscapeRoot_cnldbm_database_cnplugins_cnconfig_and_cnUserRoot_cnldbm_database_cnplugins_cnconfig

openldap ldapdelete (/usr/bin/ldapdelete) has the -r option for recursive deletion.

> Documentation does not refer to it.
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases.html#Maintaining_Suffixes-Deleting_a_Suffix

Please file a documentation bug.

> BR,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: 

From David.Christensen at viveli.com Wed Jun 24 04:28:36 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Tue, 23 Jun 2009 21:28:36 -0700
Subject: [389-users] Referrals
Message-ID: 

Can referrals be used to reference a user or group in another branch of the DIT? I am using FDS for authentication, some basic authorization and as a directory. I have my DIT set up with three organizational branches under a single root suffix. Hosts are then set up with a base DN based on the organization they belong to, so very few hosts do a search starting at the root suffix. At the moment users are added to the DIT based on their organization and OU within that organization.
If I wanted to have a user who is in org A and only org A to be able to
gain access to hosts in org B, my initial thought was adding them in
org B, but this would create maintenance logistical nightmares, so my
thought was using referrals so that a search by an org B host for a user
who is actually in org A would be referred to the user record in org A,
but would symbolically be in org B. Would this work, or would it break
something, and is this the proper way to use a referral? Is there any way
of doing this on a group basis instead of by single user?

Thanks.

From dumboq at yahoo.com Wed Jun 24 16:32:30 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Wed, 24 Jun 2009 09:32:30 -0700 (PDT)
Subject: [389-users] Trouble using self signed certificates.
Message-ID: <748292.53946.qm@web111901.mail.gq1.yahoo.com>

I've managed to get past the strangely obscure method of installing an
SSL certificate, and from the server side everything appears to be OK.
Actually it's a "CACert" certificate, rather than self signed. Using
Jxplorer, I can connect to the DS using SSL, accept the certificate, and
I'm all set.

However, I am having a ton of trouble figuring out how to use an
untrusted CA for my Linux user authentication. I changed /etc/ldap.conf
to use ldaps://, and it attempts to connect as expected. I think this
would work, if I could figure out how to tell it to accept the
certificate. I get the following error message in DS after running
getent passwd.

[24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
[24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.

Any thoughts?

From jsullivan at opensourcedevel.com Wed Jun 24 16:52:57 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 24 Jun 2009 12:52:57 -0400
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <748292.53946.qm@web111901.mail.gq1.yahoo.com>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com>
Message-ID: <1245862377.6384.4.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2009-06-24 at 09:32 -0700, Dumbo Q wrote:
> I've managed to get past the strangely obscure method of installing an
> SSL certificate, and from the server side everything appears to be OK.
> Actually it's a "CACert" certificate, rather than self signed. Using
> Jxplorer, I can connect to the DS using SSL, accept the certificate,
> and I'm all set.
>
> However, I am having a ton of trouble figuring out how to use an
> untrusted CA for my Linux user authentication. I changed
> /etc/ldap.conf to use ldaps://, and it attempts to connect as
> expected. I think this would work, if I could figure out how to tell
> it to accept the certificate. I get the following error message in
> DS after running getent passwd.
>
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
> recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
> recognize and trust the CA that issued your certificate.
>
> Any thoughts?

I believe you'll find the way we did it in several of my recent posts.
You'll need to configure the rest of the SSL portions of ldap.conf. In
particular, you will need to tell it where to find the CA cert. I
believe we stuck ours in /etc/pki/tls/certs/ and pointed the tlscertfile
(?) parameter to it. Hope this helps - John
>
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 24 16:55:25 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noel Chardron)
Date: Wed, 24 Jun 2009 18:55:25 +0200
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <748292.53946.qm@web111901.mail.gq1.yahoo.com>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com>
Message-ID: <4A425A7D.7080001@dr15.cnrs.fr>

Dumbo Q wrote:
> I've managed to get past the strangely obscure method of installing an
> SSL certificate, and from the server side everything appears to be OK.
> Actually it's a "CACert" certificate, rather than self signed. Using
> Jxplorer, I can connect to the DS using SSL, accept the certificate,
> and I'm all set.
>
> However, I am having a ton of trouble figuring out how to use an
> untrusted CA for my Linux user authentication. I changed
> /etc/ldap.conf to use ldaps://, and it attempts to connect as
> expected. I think this would work, if I could figure out how to tell
> it to accept the certificate. I get the following error message in DS
> after running getent passwd.
>
> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
> recognize and trust the CA that issued your certificate.
> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
> recognize and trust the CA that issued your certificate.
>
> Any thoughts?
>
I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
/etc/ldap.conf

man ldap.conf:

       TLS_CACERT
              Specifies the file that contains certificates for all of
              the Certificate Authorities the client will recognize.

       TLS_CACERTDIR
              Specifies the path of a directory that contains Certificate
              Authority certificates in separate individual files. The
              TLS_CACERT is always used before TLS_CACERTDIR. This
              parameter is ignored with GNUtls.
From David.Christensen at viveli.com Wed Jun 24 17:00:23 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Wed, 24 Jun 2009 12:00:23 -0500
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <4A425A7D.7080001@dr15.cnrs.fr>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr>
Message-ID: <4A425BA7.4060507@viveli.com>

Jean-Noel Chardron wrote:
> Dumbo Q wrote:
>> I've managed to get past the strangely obscure method of installing
>> an SSL certificate, and from the server side everything appears to be
>> OK. Actually it's a "CACert" certificate, rather than self signed.
>> Using Jxplorer, I can connect to the DS using SSL, accept the
>> certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an
>> untrusted CA for my Linux user authentication. I changed
>> /etc/ldap.conf to use ldaps://, and it attempts to connect as
>> expected. I think this would work, if I could figure out how to tell
>> it to accept the certificate. I get the following error message in DS
>> after running getent passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
>> recognize and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
>> recognize and trust the CA that issued your certificate.
>>
>> Any thoughts?
>>
> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
> /etc/ldap.conf
> man ldap.conf:
>        TLS_CACERT
>               Specifies the file that contains certificates for all of
>               the Certificate Authorities the client will recognize.
>
>        TLS_CACERTDIR
>               Specifies the path of a directory that contains Certificate
>               Authority certificates in separate individual files. The
>               TLS_CACERT is always used before TLS_CACERTDIR. This
>               parameter is ignored with GNUtls.

I was having a similar issue yesterday, everything worked until I
appended more than one CA to the file in /etc/openldap/cacerts, then it
kept failing until I limited it to one CA. Are you using a single CA?

From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 24 17:06:07 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noel Chardron)
Date: Wed, 24 Jun 2009 19:06:07 +0200
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <4A425A7D.7080001@dr15.cnrs.fr>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr>
Message-ID: <4A425CFF.4070306@dr15.cnrs.fr>

Jean-Noel Chardron wrote:
> Dumbo Q wrote:
>> I've managed to get past the strangely obscure method of installing
>> an SSL certificate, and from the server side everything appears to be
>> OK. Actually it's a "CACert" certificate, rather than self signed.
>> Using Jxplorer, I can connect to the DS using SSL, accept the
>> certificate, and I'm all set.
>>
>> However, I am having a ton of trouble figuring out how to use an
>> untrusted CA for my Linux user authentication. I changed
>> /etc/ldap.conf to use ldaps://, and it attempts to connect as
>> expected.
>> I think this would work, if I could figure out how to tell it to
>> accept the certificate. I get the following error message in DS
>> after running getent passwd.
>>
>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does
>> not recognize and trust the CA that issued your certificate.
>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does
>> not recognize and trust the CA that issued your certificate.
>>
>> Any thoughts?
>>
> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
> /etc/ldap.conf
> man ldap.conf:
>        TLS_CACERT
>               Specifies the file that contains certificates for all of
>               the Certificate Authorities the client will recognize.
>
>        TLS_CACERTDIR
>               Specifies the path of a directory that contains Certificate
>               Authority certificates in separate individual files. The
>               TLS_CACERT is always used before TLS_CACERTDIR. This
>               parameter is ignored with GNUtls.
>
or maybe, to test the connection, you can skip the check of the
certificate (as I discovered in the man) with the option:

TLS_REQCERT allow

From Jean-Noel.Chardron at dr15.cnrs.fr Wed Jun 24 17:19:36 2009
From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noel Chardron)
Date: Wed, 24 Jun 2009 19:19:36 +0200
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <4A425BA7.4060507@viveli.com>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr> <4A425BA7.4060507@viveli.com>
Message-ID: <4A426028.1050801@dr15.cnrs.fr>

David Christensen wrote:
>
> I was having a similar issue yesterday, everything worked until I
> appended more than one CA to the file in /etc/openldap/cacerts, then it
> kept failing until I limited it to one CA. Are you
> using a single CA?
>
The client authenticates to a server with a single authority, so why try
to install two or more. Otherwise you must use a file per CA in the
directory. Unless you mean a CA chain.

From David.Christensen at viveli.com Wed Jun 24 17:56:47 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Wed, 24 Jun 2009 12:56:47 -0500
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <4A426028.1050801@dr15.cnrs.fr>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr> <4A425BA7.4060507@viveli.com> <4A426028.1050801@dr15.cnrs.fr>
Message-ID: <4A4268DF.6080800@viveli.com>

Jean-Noel Chardron wrote:
> David Christensen wrote:
>> I was having a similar issue yesterday, everything worked until I
>> appended more than one CA to the file in /etc/openldap/cacerts, then it
>> kept failing until I limited it to one CA. Are you
>> using a single CA?
>>
> The client authenticates to a server with a single authority, so why try
> to install two or more. Otherwise you must use a file per CA in the
> directory.
> Unless you mean a CA chain.

I have two directory servers in a multimaster config using round robin
DNS, so I need clients to be able to authenticate to both servers since
it will be random. It hasn't worked for me yet, but that is where I am
trying to get.
From dumboq at yahoo.com Wed Jun 24 18:28:10 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Wed, 24 Jun 2009 11:28:10 -0700 (PDT)
Subject: [389-users] Trouble using self signed certificates.
Message-ID: <588182.98968.qm@web111913.mail.gq1.yahoo.com>

To answer a few questions,

Searching for anything about ldap.conf in Google gave me a lot of
openldap specific stuff. Sorry to have to post into this mailing list,
but I figure that if I'm having this much trouble getting this to work,
then there is a good chance others are too.

I've tried a few combinations of these and none have worked for me.
TLS_CACERT is pointing to CACert's root certificate.

Here is the current tail of my ldap.conf file.

TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
TLS_CACERT_DIR /etc/pki/tls/certs
TLS_REQCERT allow
uri ldaps://rhds.example.com:636/
ssl no
#tls_cacertdir /etc/pki/tls/certs
pam_password ssha

Interestingly enough, it worked after doing the following.

cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem

This is the symlink to ca-bundle.crt

My fear with this is that I'll run a yum -y update on all my servers,
and then nobody will be able to log in anywhere.

________________________________
From: Jean-Noel Chardron
To: General discussion list for the 389 Directory server project.
Sent: Wednesday, June 24, 2009 1:19:36 PM
Subject: Re: [389-users] Trouble using self signed certificates.

David Christensen wrote:
>
> I was having a similar issue yesterday, everything worked until I
> appended more than one CA to the file in /etc/openldap/cacerts, then it
> kept failing until I limited it to one CA. Are you
> using a single CA?
>
The client authenticates to a server with a single authority, so why try
to install two or more. Otherwise you must use a file per CA in the
directory. Unless you mean a CA chain.

From jsullivan at opensourcedevel.com Wed Jun 24 18:32:34 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 24 Jun 2009 14:32:34 -0400
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <4A4268DF.6080800@viveli.com>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr> <4A425BA7.4060507@viveli.com> <4A426028.1050801@dr15.cnrs.fr> <4A4268DF.6080800@viveli.com>
Message-ID: <1245868354.6384.17.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2009-06-24 at 12:56 -0500, David Christensen wrote:
> Jean-Noel Chardron wrote:
> > David Christensen wrote:
> >> I was having a similar issue yesterday, everything worked until I
> >> appended more than one CA to the file in /etc/openldap/cacerts, then it
> >> kept failing until I limited it to one CA. Are you
> >> using a single CA?
> >>
> > The client authenticates to a server with a single authority, so why try
> > to install two or more. Otherwise you must use a file per CA in the
> > directory.
> > Unless you mean a CA chain.
>
> I have two directory servers in a multimaster config using round robin
> DNS so I need clients to be able to authenticate to both servers since
> it will be random. It hasn't worked for me yet, but that is where I am
> trying to get.

That's exactly how we're set up (except we are not multi-master) and it
is working fine.
However, one only needs the CA cert in the cacertfile for it to work.
For example, I have two DNS entries for ldap.mycompany.com which point
to my two replicas. Each replica has a cert with ldap{1,2}.mycompany.com
for the cn and that value as well as ldap.mycompany.com as DNS entries
in the subjAltName. tls_cacertfile points to a single CA cert file
(although I thought it supported concatenated certs) containing the cert
for the CA which issued the ldap replica certs and keys. Hope this
helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Wed Jun 24 18:35:50 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 24 Jun 2009 14:35:50 -0400
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <4A425A7D.7080001@dr15.cnrs.fr>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr>
Message-ID: <1245868550.6384.22.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
> Dumbo Q wrote:
> > I've managed to get past the strangely obscure method of installing
> > an SSL certificate, and from the server side everything appears to be
> > OK. Actually it's a "CACert" certificate, rather than self signed.
> > Using Jxplorer, I can connect to the DS using SSL, accept the
> > certificate, and I'm all set.
> >
> > However, I am having a ton of trouble figuring out how to use an
> > untrusted CA for my Linux user authentication. I changed
> > /etc/ldap.conf to use ldaps://, and it attempts to connect as
> > expected. I think this would work, if I could figure out how to tell
> > it to accept the certificate. I get the following error message in DS
> > after running getent passwd.
> >
> > [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
> > recognize and trust the CA that issued your certificate.
> > [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
> > recognize and trust the CA that issued your certificate.
> >
> > Any thoughts?
> >
> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
> /etc/ldap.conf
> man ldap.conf:
>        TLS_CACERT
>               Specifies the file that contains certificates for all of
>               the Certificate Authorities the client will recognize.
>
>        TLS_CACERTDIR
>               Specifies the path of a directory that contains Certificate
>               Authority certificates in separate individual files. The
>               TLS_CACERT is always used before TLS_CACERTDIR. This
>               parameter is ignored with GNUtls.
>
I think these may be the wrong variables. If I recall correctly, those
variables are for /etc/openldap/ldap.conf and control openldap (and
openldap related queries). pam uses /etc/ldap.conf. I believe the
variables are set like this:

ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/share/ca-certificates/CA.pem

or whatever the path happens to be. Again, I'm not an expert - just
sharing what we did that worked - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Wed Jun 24 18:38:00 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 24 Jun 2009 14:38:00 -0400
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <588182.98968.qm@web111913.mail.gq1.yahoo.com>
References: <588182.98968.qm@web111913.mail.gq1.yahoo.com>
Message-ID: <1245868680.6384.24.camel@jaspav.missionsit.net.missionsit.net>

On Wed, 2009-06-24 at 11:28 -0700, Dumbo Q wrote:
> To answer a few questions,
> Searching for anything about ldap.conf in Google gave me a lot of
> openldap specific stuff. Sorry to have to post into this mailing
> list, but I figure that if I'm having this much trouble getting this to
> work, then there is a good chance others are too.
>
> I've tried a few combinations of these and none have worked for me.
> TLS_CACERT is pointing to CACert's root certificate.
>
> Here is the current tail of my ldap.conf file.
> TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
> TLS_CACERT_DIR /etc/pki/tls/certs
> TLS_REQCERT allow
> uri ldaps://rhds.example.com:636/
> ssl no
> #tls_cacertdir /etc/pki/tls/certs
> pam_password ssha
>
> Interestingly enough, it worked after doing the following.
> cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem
> This is the symlink to ca-bundle.crt

This may go back to using the wrong variables and thus falling through
to the defaults which point tls_cacertfile to ca-bundle.crt. Just a
guess - John

> My fear with this is that I'll run a yum -y update on all my servers,
> and then nobody will be able to log in anywhere.
>
> ______________________________________________________________________
> From: Jean-Noel Chardron
> To: General discussion list for the 389 Directory server project.
> Sent: Wednesday, June 24, 2009 1:19:36 PM
> Subject: Re: [389-users] Trouble using self signed certificates.
>
> David Christensen wrote:
> >
> > I was having a similar issue yesterday, everything worked until I
> > appended more than one CA to the file in /etc/openldap/cacerts, then
> > it kept failing until I limited it to one CA. Are you
> > using a single CA?
> >
> The client authenticates to a server with a single authority, so why
> try to install two or more. Otherwise you must use a file per CA in the
> directory.
> Unless you mean a CA chain.
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Wed Jun 24 18:48:43 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 24 Jun 2009 12:48:43 -0600
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <1245868550.6384.22.camel@jaspav.missionsit.net.missionsit.net>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr> <1245868550.6384.22.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4A42750B.6040100@redhat.com>

John A. Sullivan III wrote:
> On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
>
>> Dumbo Q wrote:
>>
>>> I've managed to get past the strangely obscure method of installing
>>> an SSL certificate, and from the server side everything appears to be
>>> OK. Actually it's a "CACert" certificate, rather than self signed.
>>> Using Jxplorer, I can connect to the DS using SSL, accept the
>>> certificate, and I'm all set.
>>>
>>> However, I am having a ton of trouble figuring out how to use an
>>> untrusted CA for my Linux user authentication. I changed
>>> /etc/ldap.conf to use ldaps://, and it attempts to connect as
>>> expected. I think this would work, if I could figure out how to tell
>>> it to accept the certificate. I get the following error message in DS
>>> after running getent passwd.
>>>
>>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not
>>> recognize and trust the CA that issued your certificate.
>>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not
>>> recognize and trust the CA that issued your certificate.
>>>
>>> Any thoughts?
>>>
>> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in
>> /etc/ldap.conf
>> man ldap.conf:
>>        TLS_CACERT
>>               Specifies the file that contains certificates for all of
>>               the Certificate Authorities the client will recognize.
>>
>>        TLS_CACERTDIR
>>               Specifies the path of a directory that contains Certificate
>>               Authority certificates in separate individual files. The
>>               TLS_CACERT is always used before TLS_CACERTDIR. This
>>               parameter is ignored with GNUtls.
>>
> I think these may be the wrong variables. If I recall correctly, those
> variables are for /etc/openldap/ldap.conf and control openldap (and
> openldap related queries). pam uses /etc/ldap.conf.
do "man nss_ldap" to see the configuration variables for /etc/ldap.conf
- they are similar enough to /etc/openldap/ldap.conf to cause confusion.
> I believe the
> variables are set like this:
>
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /usr/share/ca-certificates/CA.pem
>
> or whatever the path happens to be. Again, I'm not an expert - just
> sharing what we did that worked - John
>

From dumboq at yahoo.com Wed Jun 24 19:33:49 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Wed, 24 Jun 2009 12:33:49 -0700 (PDT)
Subject: [389-users] Trouble using self signed certificates.
In-Reply-To: <4A42750B.6040100@redhat.com>
References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr> <1245868550.6384.22.camel@jaspav.missionsit.net.missionsit.net> <4A42750B.6040100@redhat.com>
Message-ID: <489048.51932.qm@web111918.mail.gq1.yahoo.com>

I got it. I got it working with SSL. Good enough.

This is what is needed to get it to work.

ssl on
tls_cacertfile /etc/pki/tls/certs/cacert.org-root.txt
uri ldaps://rhds.example.com:636/

I removed the cacert from the ca-bundle.crt file.

________________________________
From: Rich Megginson
To: General discussion list for the 389 Directory server project.
Sent: Wednesday, June 24, 2009 2:48:43 PM
Subject: Re: [389-users] Trouble using self signed certificates.

John A. Sullivan III wrote:
> On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote:
>
>> Dumbo Q wrote:
>>
>>> I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
>>>
>>> However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
>>>
>>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>
>>> Any thoughts?
>>>
>> I think you have to use the directive TLS_CACERT or TLS_CACERT_DIR in /etc/ldap.conf
>> man ldap.conf:
>>        TLS_CACERT
>>               Specifies the file that contains certificates for all of
>>               the Certificate Authorities the client will recognize.
>>
>>        TLS_CACERTDIR
>>               Specifies the path of a directory that contains Certificate
>>               Authority certificates in separate individual files. The
>>               TLS_CACERT is always used before TLS_CACERTDIR. This
>>               parameter is ignored with GNUtls.
>>
> I think these may be the wrong variables. If I recall correctly, those
> variables are for /etc/openldap/ldap.conf and control openldap (and
> openldap related queries). pam uses /etc/ldap.conf.
do "man nss_ldap" to see the configuration variables for /etc/ldap.conf
- they are similar enough to /etc/openldap/ldap.conf to cause confusion.
> I believe the
> variables are set like this:
>
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /usr/share/ca-certificates/CA.pem
>
> or whatever the path happens to be. Again, I'm not an expert - just
> sharing what we did that worked - John
>

From daniel.cruz at sc.senai.br Wed Jun 24 20:21:50 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Wed, 24 Jun 2009 17:21:50 -0300
Subject: [389-users] Password Sync Plugin
Message-ID: <9e6ae6c81d7d0210f76ebf0b3bc4ef75@intranet.sc.senai.br>

Hi all,

Does someone know if it could be possible to build a plugin to sync
userPassword, samba passwords and other passwords, enforcing that the
userPassword always gets saved in plain text over an SSL connection?

I'm thinking of a quick and dirty solution, since there is no solution.

Regards,
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)

From amahler at sbc.edu Wed Jun 24 21:53:02 2009
From: amahler at sbc.edu (Aaron Mahler)
Date: Wed, 24 Jun 2009 17:53:02 -0400
Subject: [389-users] Programmatically / dynamically deriving an attribute?
Message-ID:

Hello!

I'm still getting into the swing of LDAP, but I'm starting to get things
functioning fairly well. I've run into one issue and I'm not sure how to
tackle it from a conceptual standpoint.

Our Fedora/389 (whichever I should call it now) LDAP server is intended
to be the main, core LDAP server for campus.
Our mail server (an older version of CommuniGate Pro), however, is remaining the primary source of user info for the time being. It provides names, UIDs, passwords, etc., and now successfully talks to the LDAP server via CommuniGate's "Directory Integration" feature. By this, I mean any email account creations, modifications, etc., on the mail server are being provided to the LDAP server pretty seamlessly. Applications can now point to the Fedora server for use in authentication, various other directory queries, etc. One problem, though, is that CommuniGate does not provide a mail attribute - just UID, real name, some custom fields of ours (mapped to proper fields in the LDAP scheme), etc. So queries to the Fedora server don't return a mail field which, in our case, should just be uid with @sbc.edu appended. It's causing some trouble in various areas. Is there a way I can configure Fedora to dynamically either fill the mail field itself by combining uid with @sbc.edu on creates/ updates or, when answering requests for the mail attribute, dynamically creating that response? Is there a plug-in or some other trigger mechanism for doing this kind of thing? Thanks! - Aaron -- halfpress: http://www.halfpress.com TWiP: http://twiplog.com Documenting Democracy: http://www.docdem.org Aaron's MAME Boxes - http://www.mameblog.com Twitter: halfpress From jsullivan at opensourcedevel.com Wed Jun 24 22:10:48 2009 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III) Date: Wed, 24 Jun 2009 18:10:48 -0400 Subject: [389-users] Password Sync Plugin In-Reply-To: <9e6ae6c81d7d0210f76ebf0b3bc4ef75@intranet.sc.senai.br> References: <9e6ae6c81d7d0210f76ebf0b3bc4ef75@intranet.sc.senai.br> Message-ID: <1245881448.6384.26.camel@jaspav.missionsit.net.missionsit.net> On Wed, 2009-06-24 at 17:21 -0300, DANIEL CRISTIAN CRUZ wrote: > Hi all, > > Does someone knows if could it be possible to build a plugin to sync > userPassword, samba passwords and others passwords, enforcind the > userPassword always get saved in plain text over an SSL conection? > > I'm thinking in a quick and dirt solution, since there is no solution. It's not down and dirty but you may want to look at IPA (or is it FreeIPA?). We plan to do so as soon as we have some spare time as it looks like a product with excellent potential and would solve these kinds of problems for us - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From Jean-Noel.Chardron at dr15.cnrs.fr Thu Jun 25 08:25:06 2009 From: Jean-Noel.Chardron at dr15.cnrs.fr (=?UTF-8?B?amVhbi1Ob8OrbCBDaGFyZHJvbg==?=) Date: Thu, 25 Jun 2009 10:25:06 +0200 Subject: [389-users] Trouble using self signed certificates. In-Reply-To: <1245868550.6384.22.camel@jaspav.missionsit.net.missionsit.net> References: <748292.53946.qm@web111901.mail.gq1.yahoo.com> <4A425A7D.7080001@dr15.cnrs.fr> <1245868550.6384.22.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4A433462.9020906@dr15.cnrs.fr> John A. Sullivan III a ?crit : > On Wed, 2009-06-24 at 18:55 +0200, Jean-Noel Chardron wrote: > >> Dumbo Q a ?crit : >> >>> I've managed to get past the the strangely obscure method of >>> installing an SSL certificate, and from the server side everything >>> appears to be OK. Actually its a "CACert" certificate, rather then >>> self signed. 
>>> Using Jxplorer, I can connect to the DS using SSL, accept the
>>> certificate, and I'm all set.
>>>
>>> However, I am having a ton of trouble figuring out how to use an
>>> untrusted CA for my linux user authentication. I changed
>>> /etc/ldap.conf to use ldaps://, and it attempts to connect as
>>> expected. I think this would work, if I could figure out how to tell
>>> it to accept the certificate. I get the following error message in DS
>>> after running getent passwd.
>>>
>>> [24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
>>> [24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
>>>
>>> Any thoughts?
>>>
>> I think you have to use the directive TLS_CACERT or TLS_CACERTDIR in
>> /etc/ldap.conf
>> man ldap.conf :
>>   TLS_CACERT
>>     Specifies the file that contains certificates for all of
>>     the Certificate Authorities the client will recognize.
>>
>>   TLS_CACERTDIR
>>     Specifies the path of a directory that contains Certificate
>>     Authority certificates in separate individual files.
>>     The TLS_CACERT is always used before TLS_CACERTDIR. This
>>     parameter is ignored with GNUtls.
>>
> I think these may be the wrong variables. If I recall correctly, those
> variables are for /etc/openldap/ldap.conf and control openldap (and
> openldap related queries). pam uses /etc/ldap.conf. I believe the
> variables are set like this:
>
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /usr/share/ca-certificates/CA.pem
>
> or whatever the path happens to be.
> Again, I'm not an expert - just sharing what we did that worked - John
>
That's correct. I apologize, I made a mistake.

-- 
Jean-Noël Chardron

From daniel.cruz at sc.senai.br Thu Jun 25 11:54:29 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Thu, 25 Jun 2009 08:54:29 -0300
Subject: [389-users] 389 Directory Server on Redhat
Message-ID: 

Cláudio, look at this shit:

[root at ptolomeu ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 (Tikanga)

Instructions on the 389DS site:

* Enterprise Linux 5
There are currently (April 2, 2009) no binary packages for EL5 (e.g. RHEL5, CentOS5 and derivatives). However, with a little hoop jumping, you can use packages from Fedora Core 6.
* Step 1 - Upgrade to 5.3 or later
- 5.3 includes some necessary packages for the core server as well as the OpenJDK Java 1.6
- The directory server will not work correctly if you do not upgrade

I regret more and more having gone with FDS instead of OpenLDAP...

Regards,

-- 
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)

From daniel.cruz at sc.senai.br Thu Jun 25 11:58:01 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Thu, 25 Jun 2009 08:58:01 -0300
Subject: [389-users] 389 Directory Server on Redhat
In-Reply-To: 
Message-ID: <8e1f69b0a418d58d8ffcfd0ee39a91fb@intranet.sc.senai.br>

Sorry, wrong place. Is there some way to remove this mail from archives?

Regards,

"DANIEL CRISTIAN CRUZ" wrote:
>XXX
>--------------------------------
>
>--
>389 users mailing list
>389-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-- 
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)

From David.Christensen at viveli.com Thu Jun 25 17:52:15 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Thu, 25 Jun 2009 12:52:15 -0500
Subject: [389-users] Samba Support
Message-ID: <4A43B94F.9080104@viveli.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Implemented samba on FDS using the howto, but when I try to add a Windows XP machine to the new domain, I get a login failure when I use the Administrator login and password I defined. The logs show a lookup but it keeps failing, indicating unknown username or bad password.

Any ideas of what I need to look at with my configuration?

Thanks.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkpDuU4ACgkQ5B+8XEnAvqsTMACfXKvLvx3CcUAM1iz6w50tXFsu
bRoAn2i+f2DbDOzpdJ8B4Om+l4Mm+//3
=++j/
-----END PGP SIGNATURE-----

From vtingey at msl.ubc.ca Thu Jun 25 17:55:31 2009
From: vtingey at msl.ubc.ca (Vince Tingey)
Date: Thu, 25 Jun 2009 10:55:31 -0700
Subject: [389-users] Single master, multiple slave with no configuration server
Message-ID: <4A43BA13.4060904@msl.ubc.ca>

Hi everyone,

Just wondering if there are any problems I should be aware of if I want to set up a single master multiple slave scenario WITHOUT using the master as a configuration server. I'm ok having to connect to the slave admin servers individually instead of them all showing up in the console when I connect to the master admin server. Are there any other drawbacks? What are the benefits of using a configuration server in this scenario?

Thank you,

-- 
Vince | Michael Smith Laboratories
IT Systems Coordinator | University of British Columbia
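The "Trouble using self signed certificates" thread above settles on three /etc/ldap.conf lines for pam_ldap/nss_ldap (ssl start_tls, tls_checkpeer yes, tls_cacertfile). The security point worth making explicit is which of those lines does what: tls_checkpeer is the switch between "verify the DS" and "accept any certificate", and the CA file is what lets verification succeed against a private (here CAcert) CA instead of failing with the "Peer does not recognize and trust the CA" closes Dumbo Q saw. The checker below is an added example, not code from the list or from pam_ldap; the three config fragments are constructed (hostname, base DN and CA path are placeholders), and it assumes the pam_ldap/nss_ldap `key value` syntax John quoted.

```python
"""Audit a pam_ldap/nss_ldap style /etc/ldap.conf for its TLS trust settings.

Added example; the fragments below are constructed, not taken from any poster.
"""

# Constructed: TLS on, but verification switched off. This "works" against an
# untrusted CA only because the client no longer checks who it is talking to.
WEAK_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer no
"""

# Constructed: verification on, but no CA file or dir for the private CA, so the
# handshake fails the way the thread describes.
NO_CA_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
"""

# Constructed: the shape John posted, verification on and the CA pinned.
HARDENED_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /usr/share/ca-certificates/CA.pem
"""


def parse_ldap_conf(text):
    """Parse 'key value' lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Return a list of findings; an empty list means the trust settings look sane."""
    conf = parse_ldap_conf(text)
    findings = []
    ssl = conf.get("ssl", "no").lower()
    if ssl not in ("on", "start_tls"):
        findings.append("ssl is off: binds and lookups travel in clear text")
        return findings
    checkpeer = conf.get("tls_checkpeer")
    if checkpeer is None:
        findings.append("tls_checkpeer not set: set it to yes explicitly")
    elif checkpeer.lower() != "yes":
        findings.append("tls_checkpeer %s: the server certificate is not verified, "
                        "so any host presenting a certificate can pose as the DS"
                        % checkpeer)
    if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
        findings.append("no tls_cacertfile or tls_cacertdir: the client has nothing "
                        "to verify a private CA against")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("no CA", NO_CA_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, audit_ldap_conf(conf) or ["ok"])
```

To check a real client, read /etc/ldap.conf into `audit_ldap_conf` instead of the constructed strings; the order of the findings (checkpeer first, then the missing CA) mirrors the order in which you would fix them.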
From hartmann at fas.harvard.edu Fri Jun 26 03:52:55 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Thu, 25 Jun 2009 23:52:55 -0400
Subject: [389-users] Finger slow and optimizing performance
Message-ID: <4A444617.6090101@fas.harvard.edu>

Hi!

I was spending some time today trying to make sure that I was getting the most bang for my buck on my replicas and I noticed two items of interest that I was wondering if anyone else had input on!

Firstly, after creating a number of indexes, my performance seems to be really good; the exception that I noticed was "finger". I noticed that finger takes a couple of seconds to return the data on RHDS whereas on OpenLDAP, it pops right now in real time! My first thought was that I was doing an un-indexed search, but I can't for the life of me figure out what I might not be indexing that I should be!

The second thing I noticed was that on my servers, which are RHEL5, running 32bit OS's with the PAE Kernels, RHDS doesn't ever actually address more than 3 gig of ram! I was looking through the documentation, and it looks like by raising the "Maximum Cache Size" I'll be able to allow RHDS to use more of the available memory.. did I get that right?

Anyway, as always thanks in advance for all the help! This list has been a tremendous resource for an application that keeps on showing its value in huge ways!

Best,

Tim

From del at babel.com.au Fri Jun 26 06:25:35 2009
From: del at babel.com.au (Del)
Date: Fri, 26 Jun 2009 16:25:35 +1000
Subject: [389-users] problem with mmr.pl script
Message-ID: <4A4469DF.8000104@babel.com.au>

Hi all,

There is a problem I'm getting (and I've seen it reported elsewhere on the mailing list) with mmr.pl as described on this page:

http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

When running the script I get the error:

failed to add changelog entry: failed to start changelog; error - 8 at ./mmr.pl line 253, line 342.
The solution is to create the changelog entries manually as per the instructions on this page: http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Configuring_Multi_Master_Replication.html (Section 8.5.1 just the first part). ... then to re-run the mmr.pl script. It will issue a minor complaint about the changelogs already existing but otherwise it will work. I am not sure but I think "8" in the mmr.pl error message seems to relate to standard LDAP error code 8 which is "Strong authentication required". So for some reason despite me not having SSL enabled on my directory server (this is an entirely internal deployment) it seems to want me to have SSL authentication or other strong authentication to create the changelog entries. I have done an LDIF export of cn=config before and after manually creating the changelog entries in the directory using the console and diffed these, and the entries created seem to be exactly the same as those that should be created in the mmr.pl script, so I'm not otherwise sure why the mmr.pl script should be failing to create these entries. This is with Fedora Directory Server 1.2.0 on RHEL 5.3. 
-- 
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9966 9476
fax: 02 9906 2864

From andrey.ivanov at polytechnique.fr Fri Jun 26 06:35:30 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Fri, 26 Jun 2009 08:35:30 +0200
Subject: [389-users] Finger slow and optimizing performance
In-Reply-To: <4A444617.6090101@fas.harvard.edu>
References: <4A444617.6090101@fas.harvard.edu>
Message-ID: <1601b8650906252335y165a2366sfbc6901bbe243c25@mail.gmail.com>

Hi,

There may be several attributes of interest to you as far as the memory consumption is concerned (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html):

nsslapd-dbcachesize
nsslapd-cachememsize for every backend (by default, your data is in cn=userRoot,cn=ldbm database,cn=plugins,cn=config)
nsslapd-import-cachesize (used only during ldif import)

You can adjust the corresponding values by monitoring the attributes like currententrycachesize or entrycachehitratio of cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cnmonitor_cnldbm_database_cnplugins_cnconfig)

2009/6/26 Tim Hartmann
> Hi!
>
> I was spending some time today trying to make sure that I was getting the
> most bang for my buck today on my replicas and I noticed two items of
> interest that I was wondering if anyone else had input on!
>
> Firstly, after creating a number of indexes, my performance seems to be
> really good, the exception that I noticed was "finger" I noticed that finger
> takes a couple of seconds to return the data on RHDS whereas on OpenLDAP, it
> pops right now in real time!
> My first thought was that I was doing an
> un-indexed search, but I can't for the life of me figure out what I might
> not be indexing that I should be!
>
> The second thing I noticed was that on my servers, which are RHEL5, running
> 32bit OS's with the PAE Kernels, RHDS doesn't ever actually address more
> than 3 gig of ram! I was looking through the documentation, and it looks
> like by raising the "Maximum Cache Size" I'll be able to allow RHDS to use
> more of the available memory.. did I get that right?
>
> Anyway, as always thanks in advance for all the help! This list has been a
> tremendous resource for an application that keeps on showing its value in
> huge ways!
>
> Best,
>
> Tim
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From yersinia.spiros at gmail.com Fri Jun 26 12:49:19 2009
From: yersinia.spiros at gmail.com (yersinia)
Date: Fri, 26 Jun 2009 14:49:19 +0200
Subject: [389-users] Samba Support
In-Reply-To: <4A43B94F.9080104@viveli.com>
References: <4A43B94F.9080104@viveli.com>
Message-ID: 

On Thu, Jun 25, 2009 at 7:52 PM, David Christensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Any ideas of what I need to look at with my configuration?

Look at the samba logs. You can also raise the loglevel online:

smbcontrol smbd debug 10

But, in the first place, does "getent user" (similarly for group) work for you? And pdbedit -l -v? Sure to have done smbpasswd -a? etc.
Regards > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Fri Jun 26 14:20:57 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 26 Jun 2009 08:20:57 -0600 Subject: [389-users] Finger slow and optimizing performance In-Reply-To: <1601b8650906252335y165a2366sfbc6901bbe243c25@mail.gmail.com> References: <4A444617.6090101@fas.harvard.edu> <1601b8650906252335y165a2366sfbc6901bbe243c25@mail.gmail.com> Message-ID: <4A44D949.1090109@redhat.com> Andrey Ivanov wrote: > Hi, > > > There may be several attributes of interest to you as far as the > memory consumption is concerned > (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html) > : > nsslapd-dbcachesize > nsslapd-cachememsize for every backend (by default, your data is in > cn=userRoot,cn=ldbm database,cn=plugins,cn=config) > nsslapd-import-cachesize (used only during ldif import) Start with nsslapd-cachememsize - make that as large as possible and minimize nsslapd-dbcachesize > > You can adjust the corresponding values by monitoring the attributes > like currententrycachesize or entrycachehitratio of > cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config > (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cnmonitor_cnldbm_database_cnplugins_cnconfig) > You can also use the logconv.pl script to examine the access log to see what types of searches are being done and which are not indexed properly. > > > 2009/6/26 Tim Hartmann > > > Hi! 
> > > I was spending some time today trying to make sure that I was > getting the most bang for my buck today an my replica's and I > notices two items of interest that I was wondering if anyone else > had input on! > > Firstly, after creating a number of indexs, my performance seems > to be really good, the exception that I noticed was "finger" I > noticed that finger takes a couple of seconds to return the data > on RHDS whereas on OpenLDAP, it pops right now in real time! My > first though was that I was doing an un-indexed search, but I > can't for the life of me figure out what I might not be indexing > that I should be! > > The second thing I noticed was that on my servers, which are > RHEL5, running 32bit OS's with the PAE Kernels, RHDS doesn't ever > actually address more then 3 gig of ram! I was looking through the > documentations, and it looks like by raising the "Maximum Cache > Size" I'll be able to allow RHDS to use more of the available > memory.. did I get that right? > > > Anyway, as always thanks in advance for all the help! This list > has been a tremendous resource for an application that keeps on > showing it's value in huge ways! > > > Best, > > Tim > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
From hartmann at fas.harvard.edu Fri Jun 26 15:23:55 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Fri, 26 Jun 2009 11:23:55 -0400
Subject: [389-users] Finger slow and optimizing performance
In-Reply-To: <4A44D949.1090109@redhat.com>
References: <4A444617.6090101@fas.harvard.edu> <1601b8650906252335y165a2366sfbc6901bbe243c25@mail.gmail.com> <4A44D949.1090109@redhat.com>
Message-ID: <4A44E80B.8070100@fas.harvard.edu>

Rich Megginson wrote:
> Andrey Ivanov wrote:
>> Hi,
>>
>> There may be several attributes of interest to you as far as the
>> memory consumption is concerned
>> (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html)
>> :
>> nsslapd-dbcachesize
>> nsslapd-cachememsize for every backend (by default, your data is in
>> cn=userRoot,cn=ldbm database,cn=plugins,cn=config)
>> nsslapd-import-cachesize (used only during ldif import)
> Start with nsslapd-cachememsize - make that as large as possible and
> minimize nsslapd-dbcachesize
>>
>> You can adjust the corresponding values by monitoring the attributes
>> like currententrycachesize or entrycachehitratio of
>> cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>> (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cnmonitor_cnldbm_database_cnplugins_cnconfig)
>>
> You can also use the logconv.pl script to examine the access log to
> see what types of searches are being done and which are not indexed
> properly.
>
So after playing with logconv a bit, it looked like finger was making this call in the logs...
[26/Jun/2009:10:59:36 -0400] conn=283289 op=-1 fd=80 closed - B1
[26/Jun/2009:10:59:36 -0400] conn=283289 op=2 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
[26/Jun/2009:10:59:35 -0400] conn=283289 op=2 SRCH base="ou=really,ou=long,o=name,dc=school,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[26/Jun/2009:10:59:35 -0400] conn=283289 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Jun/2009:10:59:35 -0400] conn=283289 op=1 SRCH base="ou=systems,ou=services,o=hascs,dc=fas,dc=harvard,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[26/Jun/2009:10:59:35 -0400] conn=283289 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[26/Jun/2009:10:59:35 -0400] conn=283289 op=0 BIND dn="" method=128 version=3
[26/Jun/2009:10:59:35 -0400] conn=283289 fd=80 slot=80 connection from 1.2.3.4 to 4.3.2.1

But even after indexing "uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass" finger still responds slower than it does in comparison to the older openLDAP servers... where we don't do indexing on all of these attributes, AND still claims that I'm running a search that hasn't been indexed! Am I missing something glaringly obvious?

Thanks!

Tim

From David.Christensen at viveli.com Fri Jun 26 16:19:45 2009
From: David.Christensen at viveli.com (David Christensen)
Date: Fri, 26 Jun 2009 11:19:45 -0500
Subject: [389-users] Samba Support
In-Reply-To: 
References: <4A43B94F.9080104@viveli.com>
Message-ID: <4A44F521.1020206@viveli.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

yersinia wrote:
> On Thu, Jun 25, 2009 at 7:52 PM, David
> Christensen wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>
>> Any ideas of what I need to look at with my configuration?
>
> Look at the samba logs
>
> you can also raise the loglevel online
> smbcontrol smbd debug 10
>
> But, in the first place, does "getent user" (similarly for group) work for you?
> And pdbedit -l -v? Sure to have done smbpasswd -a? etc.
>
> Regards
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Thanks for the info. I figured it out; it ended up being a samba configuration issue. I needed to enable the scripts for adding computers, users and groups.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkpE9SEACgkQ5B+8XEnAvqsy8ACfX+lDLbwEDeREYirU3V/Xlx3H
WCsAn1KGYV59FZNJW6adeLweyzt86h/i
=1lXZ
-----END PGP SIGNATURE-----

From windhamg at email.arizona.edu Fri Jun 26 19:57:43 2009
From: windhamg at email.arizona.edu (Gary Windham)
Date: Fri, 26 Jun 2009 12:57:43 -0700
Subject: [389-users] bulk initialization with MMR
Message-ID: 

We have a setup where we are running 2 servers behind a load balancer (for HA purposes), where each of these servers is bulk-initialized daily (via ldif2db.pl) with a large set of data fed to us via batch extracts from various administrative systems. Up till now, there has been no need to configure replication between these 2 servers, as all of the data is read-only. However, we now have a requirement to update some of the directory data in a "real-time" fashion (e.g., when particular events fire in our PeopleSoft system we want to update the directory)--hence, the need for MMR. The batch extracts will still be our "checkpoints", so we will want to load them in once-per-day, as we do now.

So, the question is: what would be the "recommended" approach for a scenario like this? How do we (can we?) make MMR coexist peacefully with frequent bulk initializations?
TIA, --Gary -- Gary Windham Senior Enterprise Systems Architect The University of Arizona, UITS +1 520 626 5981 From rmeggins at redhat.com Fri Jun 26 20:14:06 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 26 Jun 2009 14:14:06 -0600 Subject: [389-users] Finger slow and optimizing performance In-Reply-To: <4A44E80B.8070100@fas.harvard.edu> References: <4A444617.6090101@fas.harvard.edu> <1601b8650906252335y165a2366sfbc6901bbe243c25@mail.gmail.com> <4A44D949.1090109@redhat.com> <4A44E80B.8070100@fas.harvard.edu> Message-ID: <4A452C0E.3060402@redhat.com> Tim Hartmann wrote: > Rich Megginson wrote: > >> Andrey Ivanov wrote: >> >>> Hi, >>> >>> >>> There may be several attributes of interest to you as far as the >>> memory consumption is concerned >>> (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html) >>> : >>> nsslapd-dbcachesize >>> nsslapd-cachememsize for every backend (by default, your data is in >>> cn=userRoot,cn=ldbm database,cn=plugins,cn=config) >>> nsslapd-import-cachesize (used only during ldif import) >>> >> Start with nsslapd-cachememsize - make that as large as possible and >> minimize nsslapd-dbcachesize >> >>> You can adjust the corresponding values by monitoring the attributes >>> like currententrycachesize or entrycachehitratio of >>> cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config >>> (http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cnmonitor_cnldbm_database_cnplugins_cnconfig) >>> >>> >>> >> You can also use the logconv.pl script to examine the access log to >> see what types of searches are being done and which are not indexed >> properly. 
>>
>>
>
> So after playing with logconv a bit, it looked like finger was making
> this call in the logs...
>
> [26/Jun/2009:10:59:36 -0400] conn=283289 op=-1 fd=80 closed - B1
> [26/Jun/2009:10:59:36 -0400] conn=283289 op=2 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
> [26/Jun/2009:10:59:35 -0400] conn=283289 op=2 SRCH base="ou=really,ou=long,o=name,dc=school,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [26/Jun/2009:10:59:35 -0400] conn=283289 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [26/Jun/2009:10:59:35 -0400] conn=283289 op=1 SRCH base="ou=systems,ou=services,o=hascs,dc=fas,dc=harvard,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [26/Jun/2009:10:59:35 -0400] conn=283289 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [26/Jun/2009:10:59:35 -0400] conn=283289 op=0 BIND dn="" method=128 version=3
> [26/Jun/2009:10:59:35 -0400] conn=283289 fd=80 slot=80 connection from 1.2.3.4 to 4.3.2.1
>
> But even after indexing "uid userPassword uidNumber gidNumber cn
> homeDirectory loginShell gecos description objectClass" finger still
> responds slower than it does in comparison to the older openLDAP
> servers... where we don't do indexing on all of these attributes, AND
> still claims that I'm running a search that hasn't been indexed! Am
> I missing something glaringly obvious?
>
You only need to index the attributes used for searching:

(&(objectClass=posixAccount)(uid=foo))

You need an equality index on objectClass (which should already be there, it is one of the default indexes) and an equality index on uid (again, should already be there).
The problem is this:

[26/Jun/2009:10:59:36 -0400] conn=283289 op=2 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
[26/Jun/2009:10:59:35 -0400] conn=283289 op=2 SRCH base="ou=really,ou=long,o=name,dc=school,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"

The notes=U and err=11 mean that either the lookthrough limit has been exceeded, or you need to increase your nsslapd-idlistscanlimit:
http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Attributes_under_cnconfig_cnldbm_database_cnplugins_cnconfig-nsslapd_idlistscanlimit

This is not a good search anyway - the client is basically asking for all entries that match objectClass=posixAccount which could be thousands or more - what does the client intend to do with all of those entries?

> Thanks!
>
> Tim
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From dumboq at yahoo.com Fri Jun 26 20:35:45 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Fri, 26 Jun 2009 13:35:45 -0700 (PDT)
Subject: [389-users] Promote a consumer to become a multimaster supplier
Message-ID: <671088.76722.qm@web111913.mail.gq1.yahoo.com>

I have set up my 1st directory server and have it running the way I would like it to. The next step for me was to create a second server so that I have two masters. Since I have not done this before, I thought it would make sense to make the second server a consumer only first, and then change it to become multi-master. This was partially just to teach myself how to set up a consumer.
Following redhats docs I set up the consumer, and it worked instantly with no trouble. However I'm having a lot of trouble figuring out how to make this multimaster. I am not making too much sense out of multimaster documentation that i've found in the redhat deploy, install, and admin manuals. Does anyone have some better documentation about how to do this? -------------- next part -------------- An HTML attachment was scrubbed... URL: From hartmann at fas.harvard.edu Fri Jun 26 20:42:11 2009 From: hartmann at fas.harvard.edu (Tim Hartmann) Date: Fri, 26 Jun 2009 16:42:11 -0400 Subject: [389-users] Finger slow and optimizing performance In-Reply-To: <4A452C0E.3060402@redhat.com> References: <4A444617.6090101@fas.harvard.edu> <1601b8650906252335y165a2366sfbc6901bbe243c25@mail.gmail.com> <4A44D949.1090109@redhat.com> <4A44E80B.8070100@fas.harvard.edu> <4A452C0E.3060402@redhat.com> Message-ID: <4A4532A3.6020102@fas.harvard.edu> Rich Megginson wrote: > Tim Hartmann wrote: >> >>> >> >> So after playing with logconv a bit, it looked like finger was making >> this call in the logs... 
>> >> [26/Jun/2009:10:59:36 -0400] conn=283289 op=-1 fd=80 closed - B1 >> [26/Jun/2009:10:59:36 -0400] conn=283289 op=2 RESULT err=11 tag=101 >> nentries=0 etime=1 notes=U >> [26/Jun/2009:10:59:35 -0400] conn=283289 op=2 SRCH >> base="ou=really,ou=long,o=name,dc=school,dc=edu" scope=2 >> filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber >> gidNumber cn homeDirectory loginShell gecos description objectClass" >> [26/Jun/2009:10:59:35 -0400] conn=283289 op=1 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [26/Jun/2009:10:59:35 -0400] conn=283289 op=1 SRCH >> base="ou=systems,ou=services,o=hascs,dc=fas,dc=harvard,dc=edu" scope=2 >> filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid userPassword >> uidNumber gidNumber cn homeDirectory loginShell gecos description >> objectClass" >> [26/Jun/2009:10:59:35 -0400] conn=283289 op=0 RESULT err=0 tag=97 >> nentries=0 etime=0 dn="" >> [26/Jun/2009:10:59:35 -0400] conn=283289 op=0 BIND dn="" method=128 >> version=3 >> [26/Jun/2009:10:59:35 -0400] conn=283289 fd=80 slot=80 connection from >> 1.2.3.4 to 4.3.2.1 >> >> >> >> But even after indexing "uid userPassword uidNumber gidNumber cn >> homeDirectory loginShell gecos description objectClass" finger still >> responds slower then it does on comparison to the older openLDAP >> servers... where we don't do indexing on all of these attributes, AND >> still claims that I'm running an search that hasn't been indexed! I'm >> I missing something glaringly obvious? > You only need to index the attributes used for searching: > (&(objectClass=posixAccount)(uid=foo)) > You need an equality index on objectClass (which should already be > there, it is one of the default indexes) and an equality index on uid > (again, should already be there). > Ok, thats cool, those are both being indexed correctly.... 
> The problem is this:
> [26/Jun/2009:10:59:36 -0400] conn=283289 op=2 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
> [26/Jun/2009:10:59:35 -0400] conn=283289 op=2 SRCH base="ou=really,ou=long,o=name,dc=school,dc=edu" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
>
> The notes=U and err=11 mean that either the lookthrough limit has been
> exceeded, or you need to increase your nsslapd-idlistscanlimit:
> http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Attributes_under_cnconfig_cnldbm_database_cnplugins_cnconfig-nsslapd_idlistscanlimit
>
> This is not a good search anyway - the client is basically asking for
> all entries that match objectClass=posixAccount which could be
> thousands or more - what does the client intend to do with all of
> those entries?
>
That's apparently the search that "finger foo" on RHEL 5.2 generates! "finger foo" on Ubuntu 8.04 responds notably faster, so I'm assuming that it's generating a different search... hmmm

From dumboq at yahoo.com Fri Jun 26 20:47:09 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Fri, 26 Jun 2009 13:47:09 -0700 (PDT)
Subject: [389-users] Schema replication
Message-ID: <793043.506.qm@web111903.mail.gq1.yahoo.com>

I recently set up a new server as a dedicated consumer. My ldap queries return the results as expected, and my writes give me a referral response. I looked in the idm-console, and all my aci's seem to have copied over as well. As a test (not caring if I break anything), I made it writable (and no, this was not an attempt to make it multimaster). When I tried to change my givenName I am getting the following error.
modifying entry "uid=dumbo,ou=people,dc=example,dc=com"
ldapmodify: Object class violation (65)
additional info: unknown object class "radiusprofile"

This makes me believe that my schema did not move over correctly from the other server. Everything I read says that either replication will do this for me, or that I can copy over any custom schema files manually and restart the server.

I diffed the schema directories between the two servers. The 99user.ldif was slightly different (just a hostname difference), and my 60radius.ldif was not present on my new server. I shut down the directory, and then copied over the radius file, and restarted. However it is still not working.

Why didn't replication take care of that? What am I doing wrong?

From nalin at redhat.com Fri Jun 26 20:59:20 2009
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 26 Jun 2009 16:59:20 -0400
Subject: [389-users] Finger slow and optimizing performance
In-Reply-To: <4A452C0E.3060402@redhat.com>
References: <4A444617.6090101@fas.harvard.edu> <1601b8650906252335y165a2366sfbc6901bbe243c25@mail.gmail.com> <4A44D949.1090109@redhat.com> <4A44E80B.8070100@fas.harvard.edu> <4A452C0E.3060402@redhat.com>
Message-ID: <20090626205920.GA11341@redhat.com>

On Fri, Jun 26, 2009 at 02:14:06PM -0600, Rich Megginson wrote:
> This is not a good search anyway - the client is basically asking for all entries that match objectClass=posixAccount which could be thousands or more - what does the client intend to do with all of those entries?

The finger command also tries to match your query against the first or last name of a user, as stored in the GECOS field of user entries. On Fedora and derived systems (including RHEL), this part of its function can be turned off with the -m switch.
HTH,
Nalin

From rmeggins at redhat.com Fri Jun 26 21:00:57 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 26 Jun 2009 15:00:57 -0600
Subject: [389-users] Schema replication
In-Reply-To: <793043.506.qm@web111903.mail.gq1.yahoo.com>
References: <793043.506.qm@web111903.mail.gq1.yahoo.com>
Message-ID: <4A453709.7050901@redhat.com>

Dumbo Q wrote:
> I recently set up a new server as a dedicated consumer. My LDAP queries return the results as expected, and my writes give me a referral response. I looked in the idm-console, and all my ACIs seem to have copied over as well. As a test (not caring if I break anything), I made it writable (and no, this was not an attempt to make it multimaster). When I tried to change my givenName I am getting the following error.
>
> modifying entry "uid=dumbo,ou=people,dc=example,dc=com"
> ldapmodify: Object class violation (65)
> additional info: unknown object class "radiusprofile"
>
> This makes me believe that my schema did not move over correctly from the other server. Everything I read says that either replication will do this for me, or that I can copy over any custom schema files manually and restart the server.
>
> I diffed the schema directories between the two servers. The 99user.ldif was slightly different (just a hostname difference), and my 60radius.ldif was not present on my new server. I shut down the directory, and then copied over the radius file, and restarted. However it is still not working.
>
> Why didn't replication take care of that? What am I doing wrong?
Schema replication only replicates schema added over LDAP. It does not replicate schema files you manually add to the schema directory.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
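Rich's answer above means the two servers' schema can silently drift: a file dropped into the schema directory is loaded locally but never replicated, and the consumer then rejects any modify of an entry that carries the unknown objectClass, which is the "Object class violation (65)" Dumbo hit. The Python below is an added example, not code from the thread or from the 389 project. It compares what the schema files on a supplier and a consumer actually define, by objectClass and attributeType name rather than byte-for-byte as a plain diff would, and produces the ldapmodify input that adds a missing definition to cn=schema over LDAP so that it does replicate. The file contents are constructed stand-ins for 00core.ldif, 60radius.ldif and 99user.ldif; the RADIUS OIDs are placeholders, not the real ones.

```python
import re

# 389/Fedora DS schema files are LDIF: one cn=schema entry per file, with a
# value continued onto the next line when that line starts with a space.
def unfold_ldif(text):
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]          # continuation line
        elif raw.startswith('#') or not raw.strip():
            continue                      # comment or blank line
        else:
            lines.append(raw)
    return lines


# NAME 'x'  or  NAME ( 'x' 'y' )  inside an objectClasses/attributeTypes value
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def definition_names(definition):
    """All names one schema definition can be referenced by, lower-cased."""
    m = NAME_RE.search(definition)
    if not m:
        return set()
    if m.group(1):
        return {m.group(1).lower()}
    return {n.lower() for n in re.findall(r"'([^']+)'", m.group(2))}


def schema_names(files):
    """files: {filename: ldif text}. Returns, per schema attribute kind,
    a map of defined name -> file that defines it."""
    found = {'objectclasses': {}, 'attributetypes': {}}
    for fname, text in files.items():
        for line in unfold_ldif(text):
            attr, sep, value = line.partition(':')
            kind = attr.strip().lower()
            if sep and kind in found:
                for name in definition_names(value):
                    found[kind][name] = fname
    return found


def missing_on_consumer(supplier_files, consumer_files):
    """Names the supplier defines that the consumer does not, per kind.
    An entry using such an objectClass fails schema checking on the consumer
    at its next modify, which is the 'unknown object class' error."""
    sup, con = schema_names(supplier_files), schema_names(consumer_files)
    return {kind: sorted(n for n in sup[kind] if n not in con[kind])
            for kind in sup}


def add_over_ldap_ldif(kind, definition):
    """ldapmodify input that adds one definition to cn=schema over LDAP.
    Schema added this way ends up in 99user.ldif and is replicated, unlike
    a file copied into the schema directory by hand."""
    return (f"dn: cn=schema\nchangetype: modify\n"
            f"add: {kind}\n{kind}: {definition}\n")


# Constructed stand-ins for the schema files on the two servers. cn/sn/top/
# person carry their standard OIDs; the 1.3.6.1.4.1.99999.* OIDs are placeholders.
CORE = """\
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 2.5.4.4 NAME 'sn' SUP name )
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber ) )
"""
RADIUS = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'radiusFramedIPAddress'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'radiusprofile' SUP top AUXILIARY
  MAY ( radiusFramedIPAddress ) )
"""
USER = """\
dn: cn=schema
objectClasses: ( 1.3.6.1.4.1.99999.3.1 NAME 'myPerson' SUP person STRUCTURAL
  MAY ( description ) )
"""
SUPPLIER = {'00core.ldif': CORE, '60radius.ldif': RADIUS, '99user.ldif': USER}
CONSUMER = {'00core.ldif': CORE, '99user.ldif': USER}  # 60radius.ldif never arrived

if __name__ == '__main__':
    defined_by = schema_names(SUPPLIER)
    for kind, names in missing_on_consumer(SUPPLIER, CONSUMER).items():
        for name in names:
            print(f"consumer lacks {kind} {name!r} (supplier file {defined_by[kind][name]})")
```

Run against real servers, point the two dicts at the contents of each instance's schema directory. A definition reported missing can be copied into the consumer's schema directory (restarting the server, as Dumbo did), or added once on the supplier with the LDIF from add_over_ldap_ldif so that replication carries it to every consumer.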
From micke at devnix.se Sun Jun 28 13:35:15 2009
From: micke at devnix.se (Michael Jonsson)
Date: Sun, 28 Jun 2009 15:35:15 +0200
Subject: [389-users] samba error...
Message-ID: <95AA3F55-6DEB-4DA5-918F-38E867377CBC@devnix.se>

Hi, I need help. I have tried to set up the DS with Samba. When I follow the Samba guide, I get some errors.

#########################
[root at serv389 samba]# smbpasswd -a Administrator
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
add_new_domain_info: failed to add domain dn= sambaDomainName=KUNDDOMAIN,dc=kunddomain,dc=se with: Insufficient access
Insufficient 'add' privilege to add the entry 'sambaDomainName=KUNDDOMAIN,dc=kunddomain,dc=se'.
smbldap_search_domain_info: Adding domain info for KUNDDOMAIN failed with NT_STATUS_UNSUCCESSFUL
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
Failed to initialize account for user Administrator: NT_STATUS_ACCESS_DENIED Failed to modify password entry for user Administrator ################################# [root at serv389 samba]# pdbedit -U $( net getlocalsid | sed 's/SID for domain KUNDDOMAIN is: //' )-500 -u Administrator -r [2009/06/28 15:28:53, 0] lib/smbldap.c:smb_ldap_start_tls(600) Failed to issue the StartTLS instruction: Protocol error [2009/06/28 15:28:54, 0] lib/smbldap.c:smb_ldap_start_tls(600) Failed to issue the StartTLS instruction: Protocol error [2009/06/28 15:28:55, 0] lib/smbldap.c:smb_ldap_start_tls(600) Failed to issue the StartTLS instruction: Protocol error [2009/06/28 15:28:56, 0] lib/ smbldap_util.c:smbldap_search_domain_info(310) smbldap_search_domain_info: Adding domain info for KUNDDOMAIN failed with NT_STATUS_UNSUCCESSFUL Failed to issue the StartTLS instruction: Protocol error Connection to LDAP server failed for the 1 try! Failed to issue the StartTLS instruction: Protocol error Connection to LDAP server failed for the 1 try! Failed to issue the StartTLS instruction: Protocol error Connection to LDAP server failed for the 1 try! add_new_domain_info: failed to add domain dn= sambaDomainName=KUNDDOMAIN,dc=kunddomain,dc=se with: Insufficient access Insufficient 'add' privilege to add the entry 'sambaDomainName=KUNDDOMAIN,dc=kunddomain,dc=se'. smbldap_search_domain_info: Adding domain info for KUNDDOMAIN failed with NT_STATUS_UNSUCCESSFUL Failed to issue the StartTLS instruction: Protocol error Connection to LDAP server failed for the 1 try! Failed to issue the StartTLS instruction: Protocol error Connection to LDAP server failed for the 1 try! Failed to issue the StartTLS instruction: Protocol error Connection to LDAP server failed for the 1 try! add_new_domain_info: failed to add domain dn= sambaDomainName=KUNDDOMAIN,dc=kunddomain,dc=se with: Insufficient access Insufficient 'add' privilege to add the entry 'sambaDomainName=KUNDDOMAIN,dc=kunddomain,dc=se'. 
smbldap_search_domain_info: Adding domain info for KUNDDOMAIN failed with NT_STATUS_UNSUCCESSFUL
Failed to issue the StartTLS instruction: Protocol error
Connection to LDAP server failed for the 1 try!
Username not found!
[root at serv389 samba]#

regards
micke

From renato.ribeiro-silva at serpro.gov.br Fri Jun 26 13:00:08 2009
From: renato.ribeiro-silva at serpro.gov.br (Renato Ribeiro da Silva)
Date: Fri, 26 Jun 2009 10:00:08 -0300
Subject: [389-users] Finger slow and optimizing performance
Message-ID:

An HTML attachment was scrubbed...

From dumboq at yahoo.com Mon Jun 29 14:27:39 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Mon, 29 Jun 2009 07:27:39 -0700 (PDT)
Subject: [389-users] Schema replication
In-Reply-To: <4A453709.7050901@redhat.com>
References: <793043.506.qm@web111903.mail.gq1.yahoo.com> <4A453709.7050901@redhat.com>
Message-ID: <172621.14420.qm@web111910.mail.gq1.yahoo.com>

I see you replied, but I don't see any text. Could you please resend?

________________________________
From: Rich Megginson
To: General discussion list for the 389 Directory server project.
Sent: Friday, June 26, 2009 5:00:57 PM
Subject: Re: [389-users] Schema replication

Dumbo Q wrote:
> I recently set up a new server as a dedicated consumer. My LDAP queries return the results as expected, and my writes give me a referral response. I looked in the idm-console, and all my ACIs seem to have copied over as well. As a test (not caring if I break anything), I made it writable (and no, this was not an attempt to make it multimaster). When I tried to change my givenName I am getting the following error.
>
> modifying entry "uid=dumbo,ou=people,dc=example,dc=com"
> ldapmodify: Object class violation (65)
> additional info: unknown object class "radiusprofile"
>
> This makes me believe that my schema did not move over correctly from the other server.
> Everything I read says that either replication will do this for me, or that I can copy over any custom schema files manually and restart the server.
>
> I diffed the schema directories between the two servers. The 99user.ldif was slightly different (just a hostname difference), and my 60radius.ldif was not present on my new server. I shut down the directory, and then copied over the radius file, and restarted. However it is still not working.
>
> Why didn't replication take care of that? What am I doing wrong?
Schema replication only replicates schema added over LDAP. It does not replicate schema files you manually add to the schema directory.

From vtingey at msl.ubc.ca Mon Jun 29 15:42:22 2009
From: vtingey at msl.ubc.ca (Vince Tingey)
Date: Mon, 29 Jun 2009 08:42:22 -0700
Subject: [389-users] Single Master, Multiple Slave with NO Configuration Server Question
Message-ID: <4A48E0DE.9060401@msl.ubc.ca>

Hi everyone, I posted this last week but nobody replied. I thought I would send it out there one more time as I'd really like to know what you experts think. The documentation about what benefits using a configuration server gives you is lacking.

Just wondering if there are any problems I should be aware of if I want to set up a single master multiple slave scenario WITHOUT using the master as a configuration server and just replicating our directory database (not o=Netscape Root). I'm ok having to connect to the slave admin servers individually instead of them all showing up in the console when I connect to the master admin server. Are there any other drawbacks?

What are the benefits of using a configuration server in this scenario?
Thank you,
--
Vince | Michael Smith Laboratories
IT Systems Coordinator | University of British Columbia

From rmeggins at redhat.com Mon Jun 29 16:09:46 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 29 Jun 2009 10:09:46 -0600
Subject: [389-users] Single Master, Multiple Slave with NO Configuration Server Question
In-Reply-To: <4A48E0DE.9060401@msl.ubc.ca>
References: <4A48E0DE.9060401@msl.ubc.ca>
Message-ID: <4A48E74A.5030307@redhat.com>

Vince Tingey wrote:
> Hi everyone, I posted this last week but nobody replied. I thought I would send it out there one more time as I'd really like to know what you experts think. The documentation about what benefits using a configuration server gives you is lacking.
It allows you to do centralized server management - manage all servers from a single console.
>
> Just wondering if there are any problems I should be aware of if I want to set up a single master multiple slave scenario WITHOUT using the master as a configuration server and just replicating our directory database (not o=Netscape Root). I'm ok having to connect to the slave admin servers individually instead of them all showing up in the console when I connect to the master admin server. Are there any other drawbacks?
No, not really. If you don't want the centralized console, then you don't have to use it. Many Fedora DS users don't use the console/admin server at all and just manage everything directly with scripts and web based tools.
>
> What are the benefits of using a configuration server in this scenario?
>
> Thank you,
> --
>
> Vince | Michael Smith Laboratories
> IT Systems Coordinator | University of British Columbia

From rmeggins at redhat.com Mon Jun 29 16:10:40 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 29 Jun 2009 10:10:40 -0600
Subject: [389-users] Schema replication
In-Reply-To: <172621.14420.qm@web111910.mail.gq1.yahoo.com>
References: <793043.506.qm@web111903.mail.gq1.yahoo.com> <4A453709.7050901@redhat.com> <172621.14420.qm@web111910.mail.gq1.yahoo.com>
Message-ID: <4A48E780.7080607@redhat.com>

Dumbo Q wrote:
> I see you replied, but I don't see any text. Could you please resend?
The text is inline - see below
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson
> *To:* General discussion list for the 389 Directory server project.
> *Sent:* Friday, June 26, 2009 5:00:57 PM
> *Subject:* Re: [389-users] Schema replication
>
> Dumbo Q wrote:
> > I recently set up a new server as a dedicated consumer. My LDAP queries return the results as expected, and my writes give me a referral response. I looked in the idm-console, and all my ACIs seem to have copied over as well. As a test (not caring if I break anything), I made it writable (and no, this was not an attempt to make it multimaster). When I tried to change my givenName I am getting the following error.
> >
> > modifying entry "uid=dumbo,ou=people,dc=example,dc=com"
> > ldapmodify: Object class violation (65)
> > additional info: unknown object class "radiusprofile"
> >
> > This makes me believe that my schema did not move over correctly from the other server. Everything I read says that either replication will do this for me, or that I can copy over any custom schema files manually and restart the server.
> >
> > I diffed the schema directories between the two servers. The 99user.ldif was slightly different (just a hostname difference), and my 60radius.ldif was not present on my new server. I shut down the directory, and then copied over the radius file, and restarted. However it is still not working.
> >
> > Why didn't replication take care of that? What am I doing wrong?
> Schema replication only replicates schema added over LDAP. It does not replicate schema files you manually add to the schema directory.

From booleong at gmail.com Mon Jun 29 16:17:37 2009
From: booleong at gmail.com (Barramundi K)
Date: Tue, 30 Jun 2009 00:17:37 +0800
Subject: [389-users] Finger slow and optimizing performance
Message-ID: <672fdf7e0906290917y61c863e8qb1ac6daa9c5584@mail.gmail.com>

Not sure what the "finger" you meant is.
32-bit OSes definitely have the limitation of using only 3 - 3.5GB; if you allocate a cache size larger than this (or around 70-80% of that figure), it will be in swap, causing awful performance.

Regards
BL

From dpartridge at tangible.net Mon Jun 29 16:29:22 2009
From: dpartridge at tangible.net (David Partridge)
Date: Mon, 29 Jun 2009 12:29:22 -0400
Subject: [389-users] Finger slow and optimizing performance
References:
Message-ID: <2F3DC4D41FA5994686AFFC36F1D661BE01C1AC6B@wolverine.tangiblesoftware.com>

You also can run logconv.pl that will give you information on unindexed searches.

Regards,
Dave

________________________________
From: Renato Ribeiro da Silva [mailto:renato.ribeiro-silva at serpro.gov.br]
Sent: Fri 6/26/2009 9:00 AM
To: fedora-directory-users at redhat.com; General discussion list for the Fedora Directory server project.
Subject: Re: [389-users] Finger slow and optimizing performance

Hi,

You can look for "notes=U" in the access log file that indicates an unindexed search.

Regards,
TISDN

On 26/06/2009 at 00:53, fedora-directory-users at redhat.com wrote:

Hi! I was spending some time today trying to make sure that I was getting the most bang for my buck on my replicas and I noticed two items of interest that I was wondering if anyone else had input on! Firstly, after creating a number of indexes, my performance seems to be really good; the exception that I noticed was "finger". I noticed that finger takes a couple of seconds to return the data on RHDS whereas on OpenLDAP, it pops right now in real time! My first thought was that I was doing an un-indexed search, but I can't for the life of me figure out what I might not be indexing that I should be! The second thing I noticed was that on my servers, which are RHEL5, running 32bit OSes with the PAE kernels, RHDS doesn't ever actually address more than 3 gig of RAM!
I was looking through the documentation, and it looks like by raising the "Maximum Cache Size" I'll be able to allow RHDS to use more of the available memory.. did I get that right?

Anyway, as always thanks in advance for all the help! This list has been a tremendous resource for an application that keeps on showing its value in huge ways!

Best,
Tim

"This message from the SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), a federal public company governed by the provisions of Federal Law No. 5.615, is sent exclusively to its addressee and may contain confidential information, protected by professional secrecy. Its unauthorized use is illegal and subjects the offender to the penalties of the law. If you have received it by mistake, please kindly return it to the sender, clarifying the error."

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."
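Renato's and David's advice above (grep the access log for notes=U, or run logconv.pl) and Rich's reading of the err=11 RESULT line earlier in this thread can be automated in a few lines. The Python below is an added example, not code from the thread, from logconv.pl or from the 389 project. It joins each RESULT line carrying the U note to the SRCH line of the same conn/op, so the report names the base and filter that were scanned without an index, and flags err=11 (LDAP result code adminLimitExceeded, which is the lookthrough-limit or idlistscanlimit case Rich described) separately from unindexed searches that still completed. Because the join is keyed on conn/op rather than line order, it also works on an excerpt pasted newest-first, as the one in this thread was. The sample log lines are constructed to match the 2009-era access log layout quoted in the thread; they are not from anyone's server.

```python
import re
from collections import Counter

# Every access-log operation line: timestamp, conn, op, then the rest.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
SRCH_RE = re.compile(
    r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) '
    r'etime=(?P<etime>[\d.]+)(?: notes=(?P<notes>[A-Z,]+))?')

# LDAP result code 11 = adminLimitExceeded: the server stopped scanning
# candidates (lookthrough limit / nsslapd-idlistscanlimit) before finishing.
ADMIN_LIMIT_EXCEEDED = 11

# Constructed sample in the same layout as the thread's log excerpt.
SAMPLE_LOG = """\
[26/Jun/2009:10:59:35 -0400] conn=283289 fd=80 slot=80 connection from 192.0.2.10 to 192.0.2.1
[26/Jun/2009:10:59:35 -0400] conn=283289 op=0 BIND dn="" method=128 version=3
[26/Jun/2009:10:59:35 -0400] conn=283289 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[26/Jun/2009:10:59:35 -0400] conn=283289 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid cn gecos"
[26/Jun/2009:10:59:35 -0400] conn=283289 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Jun/2009:10:59:35 -0400] conn=283289 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs="uid cn gecos"
[26/Jun/2009:10:59:36 -0400] conn=283289 op=2 RESULT err=11 tag=101 nentries=0 etime=1 notes=U
[26/Jun/2009:10:59:36 -0400] conn=283289 op=-1 fd=80 closed - B1
[26/Jun/2009:11:00:02 -0400] conn=283290 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(gecos=*foo*)" attrs="uid gecos"
[26/Jun/2009:11:00:03 -0400] conn=283290 op=1 RESULT err=0 tag=101 nentries=3 etime=1 notes=U
"""


def find_unindexed(lines):
    """One record per RESULT line carrying the U (unindexed) note, joined
    with the SRCH that opened the same conn/op. Two passes, so the order of
    the input lines does not matter."""
    searches, results = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # connection-open lines carry no op= field
        key = (int(m['conn']), int(m['op']))
        s = SRCH_RE.match(m['rest'])
        if s:
            searches[key] = s.groupdict()
            continue
        r = RESULT_RE.match(m['rest'])
        if r:
            results[key] = r.groupdict()
        # BIND, close and other lines fall through and are ignored

    hits = []
    for key in sorted(results):
        r = results[key]
        if 'U' not in (r['notes'] or '').split(','):
            continue
        s = searches.get(key, {})
        err = int(r['err'])
        hits.append({
            'conn': key[0], 'op': key[1],
            'base': s.get('base'), 'scope': s.get('scope'), 'filter': s.get('filter'),
            'err': err, 'nentries': int(r['nentries']), 'etime': r['etime'],
            'limit_hit': err == ADMIN_LIMIT_EXCEEDED,
        })
    return hits


def filters_by_count(hits):
    """How often each filter ran unindexed: the index you are missing, or
    the client search worth changing (finger's objectClass-only scan here)."""
    return Counter(h['filter'] for h in hits)


if __name__ == '__main__':
    hits = find_unindexed(SAMPLE_LOG.splitlines())
    for h in hits:
        state = 'ABORTED at admin limit' if h['limit_hit'] else 'completed'
        print(f"conn={h['conn']} op={h['op']} {state}: base={h['base']} "
              f"filter={h['filter']} nentries={h['nentries']} etime={h['etime']}")
    print(filters_by_count(hits).most_common())
```

For a real server, feed it the lines of the instance's access log. A filter that shows up only with err=11 is the case in this thread: the search is legitimate but the candidate list exceeds the scan limit, so the choice is between raising nsslapd-idlistscanlimit and fixing the client (finger -m, per Nalin); a filter that completes with notes=U and a sensible nentries is usually just a missing index on the attribute it names.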
From dumboq at yahoo.com Mon Jun 29 21:34:00 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Mon, 29 Jun 2009 14:34:00 -0700 (PDT)
Subject: [389-users] Schema replication (Solved)
In-Reply-To: <4A48E780.7080607@redhat.com>
References: <793043.506.qm@web111903.mail.gq1.yahoo.com> <4A453709.7050901@redhat.com> <172621.14420.qm@web111910.mail.gq1.yahoo.com> <4A48E780.7080607@redhat.com>
Message-ID: <89281.83084.qm@web111905.mail.gq1.yahoo.com>

I had also tried to manually copy the custom schema file and restart dirsrv. I hate to admit that the problem was that I accidentally copied it into the wrong directory. I moved it into schema/ and restarted, then everything worked.

thanks

________________________________
From: Rich Megginson
To: General discussion list for the 389 Directory server project.
Sent: Monday, June 29, 2009 12:10:40 PM
Subject: Re: [389-users] Schema replication

Dumbo Q wrote:
> I see you replied, but I don't see any text. Could you please resend?
The text is inline - see below
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson
> *To:* General discussion list for the 389 Directory server project.
> *Sent:* Friday, June 26, 2009 5:00:57 PM
> *Subject:* Re: [389-users] Schema replication
>
> Dumbo Q wrote:
> > I recently set up a new server as a dedicated consumer. My LDAP queries return the results as expected, and my writes give me a referral response. I looked in the idm-console, and all my ACIs seem to have copied over as well. As a test (not caring if I break anything), I made it writable (and no, this was not an attempt to make it multimaster). When I tried to change my givenName I am getting the following error.
> >
> > modifying entry "uid=dumbo,ou=people,dc=example,dc=com"
> > ldapmodify: Object class violation (65)
> > additional info: unknown object class "radiusprofile"
> >
> > This makes me believe that my schema did not move over correctly from the other server. Everything I read says that either replication will do this for me, or that I can copy over any custom schema files manually and restart the server.
> >
> > I diffed the schema directories between the two servers. The 99user.ldif was slightly different (just a hostname difference), and my 60radius.ldif was not present on my new server. I shut down the directory, and then copied over the radius file, and restarted. However it is still not working.
> >
> > Why didn't replication take care of that? What am I doing wrong?
> Schema replication only replicates schema added over LDAP. It does not replicate schema files you manually add to the schema directory.

From sobi_altkom at o2.pl Mon Jun 29 14:50:54 2009
From: sobi_altkom at o2.pl (Luke Altkom)
Date: Mon, 29 Jun 2009 16:50:54 +0200
Subject: [389-users] Replication error
Message-ID: <7e86d437.647cd029.4a48d4ce.78af@o2.pl>

Hello,

as a new member of this mailing list, first of all I'd like to say hello to everybody :).

I have a problem with replication on my three Fedora Directory Servers.
All three have replication agreements (multiple master model), but in the admin console I have the following information:

[on directory]
- with directory1: Incremental update has failed and requires administrator actionSystem error. Error Code: -1
- with directory2: Incremental update has failed and requires administrator actionSystem error. Error Code: -1

[on directory1]
- with directory: Incremental update succeeded
- with directory2: Incremental update succeeded

[on directory2]
- with directory: Incremental update succeeded
- with directory1: Incremental update succeeded

The problem is that most of the changes are made on the server called "directory", but they don't propagate to the other two servers. I have googled for "Incremental update has failed and requires administrator actionSystem error", but the results gave me literally nothing. And because I'm not an experienced FDS user, I ask you for some clue(s) on what's going on and how to solve my problem.

Of course I can post more detailed info, but I don't know (yet) which information can have any value for you.

Best regards,
Luke.

From rmeggins at redhat.com Tue Jun 30 15:19:33 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 30 Jun 2009 09:19:33 -0600
Subject: [389-users] Replication error
In-Reply-To: <7e86d437.647cd029.4a48d4ce.78af@o2.pl>
References: <7e86d437.647cd029.4a48d4ce.78af@o2.pl>
Message-ID: <4A4A2D05.4090103@redhat.com>

Luke Altkom wrote:
> Hello,
>
> as a new member of this mailing list, first of all I'd like to say hello to everybody :).
>
> I have a problem with replication on my three Fedora Directory Servers. All three have replication agreements (multiple master model), but in the admin console I have the following information:
>
> [on directory]
> - with directory1: Incremental update has failed and requires administrator actionSystem error. Error Code: -1
> - with directory2: Incremental update has failed and requires administrator actionSystem error.
> Error Code: -1
>
Did you initialize d1 and d2 from directory?
> [on directory1]
> - with directory: Incremental update succeeded
> - with directory2: Incremental update succeeded
>
> [on directory2]
> - with directory: Incremental update succeeded
> - with directory1: Incremental update succeeded
>
> The problem is that most of the changes are made on the server called "directory", but they don't propagate to the other two servers. I have googled for "Incremental update has failed and requires administrator actionSystem error", but the results gave me literally nothing. And because I'm not an experienced FDS user, I ask you for some clue(s) on what's going on and how to solve my problem.
>
> Of course I can post more detailed info, but I don't know (yet) which information can have any value for you.
>
> Best regards,
> Luke.

From rmeggins at redhat.com Tue Jun 30 15:20:48 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 30 Jun 2009 09:20:48 -0600
Subject: [389-users] bulk initialization with MMR
In-Reply-To:
References:
Message-ID: <4A4A2D50.9050407@redhat.com>

Gary Windham wrote:
> We have a setup where we are running 2 servers behind a load balancer (for HA purposes), where each of these servers is bulk-initialized daily (via ldif2db.pl) with a large set of data fed to us via batch extracts from various administrative systems. Up till now, there has been no need to configure replication between these 2 servers, as all of the data is read-only.
> However, we now have a requirement to update some of the directory data in a "real-time" fashion (e.g., when particular events fire in our PeopleSoft system we want to update the directory)--hence, the need for MMR. The batch extracts will still be our "checkpoints", so we will want to load them in once-per-day, as we do now.
How does the data get from PeopleSoft to the directory server?
>
> So, the question is: what would be the "recommended" approach for a scenario like this? How do we (can we?) make MMR coexist peacefully with frequent bulk initializations?
In general, it's not a good idea to do a bulk load daily.
>
> TIA,
> --Gary
>
> --
> Gary Windham
> Senior Enterprise Systems Architect
> The University of Arizona, UITS
> +1 520 626 5981