From bbahar3 at gmail.com Sun Mar 1 06:22:26 2009
From: bbahar3 at gmail.com (Eric)
Date: Sun, 1 Mar 2009 09:52:26 +0330
Subject: [Fedora-directory-users] Re: unique uid problem
Message-ID: <38a27c8c0902282222o5b153b68y76b8b55bb7df158e@mail.gmail.com>

But in my server, when I add in the console an entry with a value that was added before, it doesn't add it. But when I use the ldapadd command, it can be added.

> Date: Wed, 25 Feb 2009 12:46:28 +0000
> From: Kashif Ali
> Subject: Re: Re: [Fedora-directory-users] unique uid problem
> To: "General discussion list for the Fedora Directory server project."
> Message-ID: <879a677e0902250446g3236f9e2h7801a58eae69396a at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Sorry to jump in, but I just wanted to say it also does not work in the GUI?
>
> 2009/2/25 Eric
> > yes, but it operates only when I use the console to add a new user id. When I use
> > the command ldapadd for adding users with ldif files, some users with the same
> > value in uid are added. Where is the problem?
> >
> >>> > Message: 2
> >>> > Date: Mon, 23 Feb 2009 12:08:01 +0100
> >>> > From: Roberto Polli
> >>> > Subject: Re: [Fedora-directory-users] unique uid problem
> >>> > To: "General discussion list for the Fedora Directory server project."
> >>> > Message-ID: <200902231208.01500.rpolli at babel.it>
> >>> > Content-Type: text/plain; charset="iso-8859-15"
> >>> >
> >>> > On Monday 23 February 2009 03:08:56 John A. Sullivan III wrote:
> >>> > > > when I want to make a new user in fedora-ds using the console, I can't set
> >>> > > > the value that exists before for uid, but when using the command line for
> >>> > > > ldapadd, it adds a replicated uid value.
> >>> > which uid?
> >>> > nsUniqueId or EntryUUID
> >>> >
> >>> > Peace, R.
> >>> > --
> >>> >
> >>> > --
> >>> > Fedora-directory-users mailing list
> >>> > Fedora-directory-users at redhat.com
> >>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>> --
> >>> John A. Sullivan III
> >>> Open Source Development Corporation
> >>> +1 207-985-7880
> >>> jsullivan at opensourcedevel.com
> >>>
> >>> http://www.spiritualoutreach.com
> >>> Making Christianity intelligible to secular society
>
> End of Fedora-directory-users Digest, Vol 45, Issue 25
> ******************************************************
From: minfrin at sharp.fm (Graham Leggett)
Date: Mon, 02 Mar 2009 13:38:39 +0200
Subject: [Fedora-directory-users] FDS and PagedResultsControl
Message-ID: <49ABC53F.4000402@sharp.fm>

Hi all,

Normal users on the directory are subject to an administrative limit as to the size of the result sets returned, which in our case has defaulted to 50.

I have to periodically query the directory and have all results returned, in order to perform an operation on all users periodically.

As I understand it, I can achieve this using the PagedResultsControl (in Java), which returns results in small chunks rather than one big blob.

When I try to use this control, I get the error:

LDAP: error code 12 - Unavailable Critical Extension

I understand from this error message that the paged control is not supported by FDS?

Before trying to get PagedResultsControl to work, I need to clarify at the outset: Am I approaching this the right way?

Is there an alternative method I should be using to return large result sets, without being forced to receive all results in one big blob, triggering administrative limits?

Regards,
Graham
--
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 02 Mar 2009 12:48:04 +0100
Subject: [Fedora-directory-users] FDS and PagedResultsControl
In-Reply-To: <49ABC53F.4000402@sharp.fm>
References: <49ABC53F.4000402@sharp.fm>
Message-ID: <49ABC774.7070301@stroeder.com>

Graham Leggett wrote:
> Normal users on the directory are subject to an administrative limit as
> to the size of the result sets returned, which in our case has defaulted
> to 50.
>
> I have to periodically query the directory and have all results
> returned, in order to perform an operation on all users periodically.
>
> As I understand it, I can achieve this using the PagedResultsControl (in
> Java), which returns results in small chunks rather than one big blob

Note that the PagedResultsControl does not circumvent administrative limits on all LDAP server implementations. It does on MS Active Directory. But I consider this to be a security flaw.

Ciao, Michael.
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 02 Mar 2009 08:34:37 -0700
Subject: [Fedora-directory-users] FDS and PagedResultsControl
In-Reply-To: <49ABC53F.4000402@sharp.fm>
References: <49ABC53F.4000402@sharp.fm>
Message-ID: <49ABFC8D.2050209@redhat.com>

Graham Leggett wrote:
> Hi all,
>
> Normal users on the directory are subject to an administrative limit
> as to the size of the result sets returned, which in our case has
> defaulted to 50.
>
> I have to periodically query the directory and have all results
> returned, in order to perform an operation on all users periodically.
>
> As I understand it, I can achieve this using the PagedResultsControl
> (in Java), which returns results in small chunks rather than one big
> blob.
>
> When I try to use this control, I get the error:
>
> LDAP: error code 12 - Unavailable Critical Extension
>
> I understand from this error message that the paged control is not
> supported by FDS?
>
> Before trying to get PagedResultsControl to work, I need to clarify at
> the outset: Am I approaching this the right way?
>
> Is there an alternative method I should be using to return large
> result sets, without being forced to receive all results in one big
> blob, triggering administrative limits?

You could also create a special administrative user account that's used only for this purpose, and increase the size, time, and lookthrough limits on this account only.
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/User_Account_Management-Setting_Resource_Limits_Based_on_the_Bind_DN.html

If you need paging, you could use Virtual List View (VLV aka "Browsing Index") - see http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes.html - look for Browsing Index

> Regards,
> Graham
> --
From: david_list at boreham.org (David Boreham)
Date: Mon, 02 Mar 2009 10:34:44 -0700
Subject: [Fedora-directory-users] FDS and PagedResultsControl
In-Reply-To: <49ABFC8D.2050209@redhat.com>
References: <49ABC53F.4000402@sharp.fm> <49ABFC8D.2050209@redhat.com>
Message-ID: <49AC18B4.6070001@boreham.org>

> Graham Leggett wrote:
>> Normal users on the directory are subject to an administrative limit
>> as to the size of the result sets returned, which in our case has
>> defaulted to 50.
>>
>> I have to periodically query the directory and have all results
>> returned, in order to perform an operation on all users periodically.
>>
>> As I understand it, I can achieve this using the PagedResultsControl
>> (in Java), which returns results in small chunks rather than one big
>> blob.

The paged results control isn't the way to work around the size limit (and there's also the fact that it isn't supported!). As Rich said, configure the server to override the limit for the user you're binding as (the directory manager always overrides the limit btw).

There's no problem with receiving the results 'all in one big blob' because TCP backpressure ensures that entries are not sent to the client until they're read by the application (modulo the TCP window size and OS buffering).
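Rich's suggestion of a dedicated account with raised limits, as an added LDIF example that is not from the thread or the FDS project; the suffix, the account DN under ou=Special Users, and the limit values are assumptions. The limits are keyed to the bind DN, so the periodic job binds as this account instead of as Directory Manager, and every other user keeps the default of 50.

```ldif
# Added example (not from the list): a service account used only by the
# periodic all-users job. DN, suffix and values are assumptions.
dn: uid=usersync,ou=Special Users,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: usersync
cn: User Sync Service
sn: Service
userPassword: CHANGE-ME-placeholder
# Resource limits that apply only when binding as this DN.
# -1 means unlimited; nsTimeLimit is in seconds.
nsSizeLimit: -1
nsLookThroughLimit: -1
nsTimeLimit: 600
```

Load it bound as Directory Manager (for example `ldapmodify -x -D "cn=Directory Manager" -W -f usersync.ldif`), then confirm that a subtree search bound as uid=usersync returns more than 50 entries while the same search bound as an ordinary user still stops at the default limit.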
From: minfrin at sharp.fm (Graham Leggett)
Date: Tue, 03 Mar 2009 02:20:47 +0200
Subject: [Fedora-directory-users] LDAP Unsolicited Notifications
Message-ID: <49AC77DF.6000908@sharp.fm>

Hi all,

Does Fedora Directory Server support unsolicited notifications?

According to http://java.sun.com/docs/books/tutorial/jndi/ldap/unsol.html, I need to "prod" the server in a directory dependent way.

Does anyone have any information about what this means, practically?

Regards,
Graham
--

From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 02 Mar 2009 17:36:52 -0700
Subject: [Fedora-directory-users] LDAP Unsolicited Notifications
In-Reply-To: <49AC77DF.6000908@sharp.fm>
References: <49AC77DF.6000908@sharp.fm>
Message-ID: <49AC7BA4.3020904@redhat.com>

Graham Leggett wrote:
> Hi all,
>
> Does Fedora Directory Server support unsolicited notifications?
>
> According to
> http://java.sun.com/docs/books/tutorial/jndi/ldap/unsol.html, I need
> to "prod" the server in a directory dependent way.
>
> Does anyone have any information about what this means, practically?

Why do you need unsolicited notifications?

> Regards,
> Graham
> --
From: minfrin at sharp.fm (Graham Leggett)
Date: Tue, 03 Mar 2009 02:56:12 +0200
Subject: [Fedora-directory-users] LDAP Unsolicited Notifications
In-Reply-To: <49AC7BA4.3020904@redhat.com>
References: <49AC77DF.6000908@sharp.fm> <49AC7BA4.3020904@redhat.com>
Message-ID: <49AC802C.40703@sharp.fm>

Rich Megginson wrote:
> Why do you need unsolicited notifications?

Assuming I am understanding them correctly, to receive results of a long running search, including changes made at some point in the future, so I don't need to poll for updates.

Regards,
Graham
--

From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 02 Mar 2009 18:24:32 -0700
Subject: [Fedora-directory-users] LDAP Unsolicited Notifications
In-Reply-To: <49AC802C.40703@sharp.fm>
References: <49AC77DF.6000908@sharp.fm> <49AC7BA4.3020904@redhat.com> <49AC802C.40703@sharp.fm>
Message-ID: <49AC86D0.5080108@redhat.com>

Graham Leggett wrote:
> Rich Megginson wrote:
>
>> Why do you need unsolicited notifications?
>
> Assuming I am understanding them correctly, to receive results of a
> long running search, including changes made at some point in the
> future, so I don't need to poll for updates.

That sounds like the persistent search feature of Fedora DS.

> Regards,
> Graham
> --
From: minfrin at sharp.fm (Graham Leggett)
Date: Tue, 03 Mar 2009 15:17:18 +0200
Subject: [Fedora-directory-users] LDAP Unsolicited Notifications
In-Reply-To: <49AC86D0.5080108@redhat.com>
References: <49AC77DF.6000908@sharp.fm> <49AC7BA4.3020904@redhat.com> <49AC802C.40703@sharp.fm> <49AC86D0.5080108@redhat.com>
Message-ID: <49AD2DDE.3050508@sharp.fm>

Rich Megginson wrote:
> That sounds like the persistent search feature of Fedora DS.

I found this, which describes persistent search for C and perl:

http://directory.fedoraproject.org/wiki/Howto:Persistent_search

Are there any APIs that do persistent search for Java that are known to work with FDS?

Regards,
Graham
--
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 03 Mar 2009 07:20:03 -0700
Subject: [Fedora-directory-users] LDAP Unsolicited Notifications
In-Reply-To: <49AD2DDE.3050508@sharp.fm>
References: <49AC77DF.6000908@sharp.fm> <49AC7BA4.3020904@redhat.com> <49AC802C.40703@sharp.fm> <49AC86D0.5080108@redhat.com> <49AD2DDE.3050508@sharp.fm>
Message-ID: <49AD3C93.8040807@redhat.com>

Graham Leggett wrote:
> Rich Megginson wrote:
>
>> That sounds like the persistent search feature of Fedora DS.
>
> I found this, which describes persistent search for C and perl:
>
> http://directory.fedoraproject.org/wiki/Howto:Persistent_search
>
> Are there any APIs that do persistent search for Java that are known
> to work with FDS?

I don't know what Java support there is, but any persistent search API will work with FDS.

> Regards,
> Graham
> --

From: sigidwu at gmail.com (sigid@JINLab)
Date: Wed, 04 Mar 2009 11:43:09 +0700
Subject: [Fedora-directory-users] Last password change
Message-ID: <49AE06DD.3020909@gmail.com>

Dear all,
I still don't understand what the numbers on these attributes mean. Can anyone help?

sambaPwdLastSet: 1235955741
shadowLastChange: 14305

Thanks
--
http://sigidwu.blogspot.com
Save a tree. Don't print any documents unless it's necessary.
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 04 Mar 2009 08:55:41 -0500
Subject: [Fedora-directory-users] Last password change
In-Reply-To: <49AE06DD.3020909@gmail.com>
References: <49AE06DD.3020909@gmail.com>
Message-ID: <49AE885D.50607@redhat.com>

sigid at JINLab wrote:
> Dear all,
> I still don't understand what the numbers on these attributes mean.
> Can anyone help?
>
> sambaPwdLastSet: 1235955741
> shadowLastChange: 14305
>
> Thanks

sambaPwdLastSet is the number of seconds between January 1, 1970, and the date that the password was last modified.
shadowLastChange is the number of days between January 1, 1970, and the date that the password was last modified.

In this case, sambaPwdLastSet is equivalent to Mon Mar 2 01:02:21 UTC 2009.

rob
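Rob's arithmetic, as an added Python example that is not part of the thread: it decodes both attributes from an LDIF entry, checks that the Samba and POSIX views agree on the day of the last change, and applies shadowMax as a password-age check. The two timestamps are the ones quoted in the question; the DN, uid and the shadowMax value are constructed for the example.

```python
"""Decode sambaPwdLastSet / shadowLastChange (added example, not list code).

sambaPwdLastSet  = seconds since 1970-01-01 00:00:00 UTC
shadowLastChange = whole days since the same epoch
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SECONDS_PER_DAY = 86400

# Constructed sample entry: the two timestamp values are those quoted in the
# question; dn, uid and shadowMax are assumptions made for this example.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
sambaPwdLastSet: 1235955741
shadowLastChange: 14305
shadowMax: 90
"""


def parse_ldif_entry(text):
    """Minimal parser for one LDIF entry: 'attr: value' lines, no folding/base64."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def samba_pwd_last_set(entry):
    """Return sambaPwdLastSet as an aware UTC datetime."""
    return EPOCH + timedelta(seconds=int(entry["sambaPwdLastSet"][0]))


def shadow_last_change(entry):
    """Return shadowLastChange as a calendar date (UTC)."""
    return (EPOCH + timedelta(days=int(entry["shadowLastChange"][0]))).date()


def seconds_to_shadow_days(epoch_seconds):
    """Convert a Samba-style timestamp to the shadow-style day count (floor)."""
    return int(epoch_seconds) // SECONDS_PER_DAY


def attributes_agree(entry):
    """True when both attributes place the last change on the same UTC day.

    A mismatch means the Samba and POSIX views of the account have diverged,
    e.g. one side was updated by a tool that does not keep the other in sync.
    """
    return samba_pwd_last_set(entry).date() == shadow_last_change(entry)


def password_age_days(entry, now=None):
    """Days since the POSIX password change; `now` is an aware datetime or ISO string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    return (now.astimezone(timezone.utc).date() - shadow_last_change(entry)).days


def password_expired(entry, now=None):
    """Apply shadowMax (maximum age in days) to the shadowLastChange date."""
    return password_age_days(entry, now) > int(entry["shadowMax"][0])


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print("sambaPwdLastSet  ->", samba_pwd_last_set(e).strftime("%a %b %d %H:%M:%S UTC %Y"))
    print("shadowLastChange ->", shadow_last_change(e).isoformat())
    print("attributes agree ->", attributes_agree(e))
    print("expired now      ->", password_expired(e))
```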
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 4 Mar 2009 10:41:56 -0500
Subject: [Fedora-directory-users] LDAP Unsolicited Notifications
In-Reply-To: <49AD2DDE.3050508@sharp.fm>
References: <49AC77DF.6000908@sharp.fm> <49AC7BA4.3020904@redhat.com> <49AC802C.40703@sharp.fm> <49AC86D0.5080108@redhat.com> <49AD2DDE.3050508@sharp.fm>
Message-ID: <20e4c38c0903040741y69a5fb48l5366896d967f678b@mail.gmail.com>

Yes, Java JNDI supports persistent search. We use it with Fedora Directory with no problem. The tutorial can be found here: http://java.sun.com/products/jndi/tutorial/beyond/event/index.html

- David

On Tue, Mar 3, 2009 at 8:17 AM, Graham Leggett wrote:
> Rich Megginson wrote:
>> That sounds like the persistent search feature of Fedora DS.
>
> I found this, which describes persistent search for C and perl:
>
> http://directory.fedoraproject.org/wiki/Howto:Persistent_search
>
> Are there any APIs that do persistent search for Java that are known to
> work with FDS?
>
> Regards,
> Graham
> --
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 4 Mar 2009 10:46:07 -0500
Subject: [Fedora-directory-users] FDS and PagedResultsControl
In-Reply-To: <49ABC53F.4000402@sharp.fm>
References: <49ABC53F.4000402@sharp.fm>
Message-ID: <20e4c38c0903040746l5c530a1cr90153ff6175e4ec3@mail.gmail.com>

Hi Graham,

From your last email about event notification, it seems like you're using JNDI. Take a look at the Java API document on javax.naming.directory.DirContext. There's a method called search which takes a SearchControls object. Within the SearchControls object you can set the search count, timeout and search level (onelevel, subtree, object).

- David

On Mon, Mar 2, 2009 at 6:38 AM, Graham Leggett wrote:
> Hi all,
>
> Normal users on the directory are subject to an administrative limit as to
> the size of the result sets returned, which in our case has defaulted to 50.
>
> I have to periodically query the directory and have all results returned,
> in order to perform an operation on all users periodically.
>
> As I understand it, I can achieve this using the PagedResultsControl (in
> Java), which returns results in small chunks rather than one big blob.
>
> When I try to use this control, I get the error:
>
> LDAP: error code 12 - Unavailable Critical Extension
>
> I understand from this error message that the paged control is not
> supported by FDS?
>
> Before trying to get PagedResultsControl to work, I need to clarify at the
> outset: Am I approaching this the right way?
>
> Is there an alternative method I should be using to return large result
> sets, without being forced to receive all results in one big blob,
> triggering administrative limits?
>
> Regards,
> Graham
> --
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 4 Mar 2009 17:02:42 -0500
Subject: [Fedora-directory-users] Dynamic Schema Reload
Message-ID: <20e4c38c0903041402o44b2a223n26860c66b7ac9424@mail.gmail.com>

Hi,

We recently built Red Hat Directory 8 from source, and I could not find the schema-reload.pl that is described in http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema

My question is: which version of RH Directory provides dynamic schema reload? We're currently using redhat-ds-base-8.0.4-7.el5dsrv.x86_64.rpm

Thanks,

David
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 04 Mar 2009 15:08:42 -0700
Subject: [Fedora-directory-users] Dynamic Schema Reload
In-Reply-To: <20e4c38c0903041402o44b2a223n26860c66b7ac9424@mail.gmail.com>
References: <20e4c38c0903041402o44b2a223n26860c66b7ac9424@mail.gmail.com>
Message-ID: <49AEFBEA.8080506@redhat.com>

Chun Tat David Chu wrote:
> Hi,
>
> We recently build Red Hat Directory 8 from source, and I could not
> find the schema-reload.pl that described in
> http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema
>
> My question is which version of RH Directory provides dynamic schema
> reload? We're currently using redhat-ds-base-8.0.4-7.el5dsrv.x86_64.rpm

It is not in Red Hat Directory Server yet. It is in Fedora Directory Server (fedora-ds-base 1.1.3).

> Thanks,
>
> David
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 4 Mar 2009 17:14:31 -0500
Subject: [Fedora-directory-users] Dynamic Schema Reload
In-Reply-To: <49AEFBEA.8080506@redhat.com>
References: <20e4c38c0903041402o44b2a223n26860c66b7ac9424@mail.gmail.com> <49AEFBEA.8080506@redhat.com>
Message-ID: <20e4c38c0903041414r2f8b25e6gce12d37453479b02@mail.gmail.com>

Rich, thanks for your information.

Do you happen to know when that will be available in RH DS?

Thanks

On Wed, Mar 4, 2009 at 5:08 PM, Rich Megginson wrote:
> Chun Tat David Chu wrote:
>
>> Hi,
>>
>> We recently build Red Hat Directory 8 from source, and I could not find
>> the schema-reload.pl that described in
>> http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema
>>
>> My question is which version of RH Directory provides dynamic schema
>> reload? We're currently using redhat-ds-base-8.0.4-7.el5dsrv.x86_64.rpm
>>
> It is not in Red Hat Directory Server yet. It is in Fedora Directory
> Server (fedora-ds-base 1.1.3).
>
>> Thanks,
>>
>> David
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 04 Mar 2009 15:18:29 -0700
Subject: [Fedora-directory-users] Dynamic Schema Reload
In-Reply-To: <20e4c38c0903041414r2f8b25e6gce12d37453479b02@mail.gmail.com>
References: <20e4c38c0903041402o44b2a223n26860c66b7ac9424@mail.gmail.com> <49AEFBEA.8080506@redhat.com> <20e4c38c0903041414r2f8b25e6gce12d37453479b02@mail.gmail.com>
Message-ID: <49AEFE35.6000706@redhat.com>

Chun Tat David Chu wrote:
> Rich, thanks for you information.
>
> Do you happen to know when will that be available to RH DS?

Soon. If you are a Red Hat Directory Server customer, please contact your support person(s).

> Thanks
>
> On Wed, Mar 4, 2009 at 5:08 PM, Rich Megginson wrote:
>
> Chun Tat David Chu wrote:
>
> Hi,
>
> We recently build Red Hat Directory 8 from source, and I could
> not find the schema-reload.pl that described in
> http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema
>
> My question is which version of RH Directory provides dynamic
> schema reload? We're currently using
> redhat-ds-base-8.0.4-7.el5dsrv.x86_64.rpm
>
> It is not in Red Hat Directory Server yet. It is in Fedora
> Directory Server (fedora-ds-base 1.1.3).
>
> Thanks,
>
> David
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 4 Mar 2009 17:19:43 -0500
Subject: [Fedora-directory-users] Dynamic Schema Reload
In-Reply-To: <49AEFE35.6000706@redhat.com>
References: <20e4c38c0903041402o44b2a223n26860c66b7ac9424@mail.gmail.com> <49AEFBEA.8080506@redhat.com> <20e4c38c0903041414r2f8b25e6gce12d37453479b02@mail.gmail.com> <49AEFE35.6000706@redhat.com>
Message-ID: <20e4c38c0903041419r5b197601s8e4c3ac9f6818c0e@mail.gmail.com>

Thanks Rich. :-)

On Wed, Mar 4, 2009 at 5:18 PM, Rich Megginson wrote:
> Chun Tat David Chu wrote:
>
>> Rich, thanks for you information.
>>
>> Do you happen to know when will that be available to RH DS?
>>
> Soon. If you are Red Hat Directory Server customer, please contact your
> support person(s).
>
>> Thanks
>>
>> On Wed, Mar 4, 2009 at 5:08 PM, Rich Megginson wrote:
>>
>> Chun Tat David Chu wrote:
>>
>> Hi,
>>
>> We recently build Red Hat Directory 8 from source, and I could
>> not find the schema-reload.pl that described in
>> http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema
>>
>> My question is which version of RH Directory provides dynamic
>> schema reload? We're currently using
>> redhat-ds-base-8.0.4-7.el5dsrv.x86_64.rpm
>>
>> It is not in Red Hat Directory Server yet. It is in Fedora
>> Directory Server (fedora-ds-base 1.1.3).
>>
>> Thanks,
>>
>> David

From: sigidwu at gmail.com (sigid@JINLab)
Date: Thu, 05 Mar 2009 10:15:51 +0700
Subject: [Fedora-directory-users] Last password change
In-Reply-To: <49AE885D.50607@redhat.com>
References: <49AE06DD.3020909@gmail.com> <49AE885D.50607@redhat.com>
Message-ID: <49AF43E7.9070607@gmail.com>

Rob Crittenden wrote:
> sigid at JINLab wrote:
>> Dear all,
>> I still don't understand what the numbers on these attributes mean.
>> Can anyone help?
>>
>> sambaPwdLastSet: 1235955741
>> shadowLastChange: 14305
>>
>> Thanks
>
> sambaPwdLastSet is the number of seconds between January 1, 1970, and
> the date that the password was last modified.
> shadowLastChange is the number of days between January 1, 1970, and the
> date that the password was last modified.
>
> In this case, sambaPwdLastSet is equivalent to Mon Mar 2 01:02:21 UTC
> 2009.
>
> rob

Ok, thanks Rob...

--
http://sigidwu.blogspot.com
Save a tree. Don't print any documents unless it's necessary.
From: listas.vhs at gmail.com (Victor Hugo dos Santos)
Date: Thu, 5 Mar 2009 10:57:29 -0300
Subject: [Fedora-directory-users] SSL certificate problem with config two multimaster servers
Message-ID: <5dce4940903050557o3017d0aagf9e09451f5a45d48@mail.gmail.com>

Hello,

I have a problem with two FDS (1.1.3), both installed on CentOS 5.2 from the FedoraCore6 repository. I'm trying to configure those two servers in a multimaster architecture with SSL enabled in the console and directory.

- In a clean installation of CentOS, I install these packages:
============
rpm -qa | grep fedora
fedora-ds-admin-1.1.6-1.fc6
fedora-idm-console-1.1.1-1.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-dsgw-1.1.1-1.fc6
fedora-ds-console-1.1.2-1.fc6
fedora-ds-1.1.2-1.fc6
fedora-ds-admin-console-1.1.2-1.fc6
============

- After installation of the packages, I run the "setup-ds-admin.pl" command on server FDS1 and it works fine.

- Having finished this process, I run "fedora-idm-console" and configure certificates for the console and directory, and all works fine.

- Well, now I change to server FDS2 and run the "setup-ds-admin.pl" command; the only difference is that I set up this directory to connect with FDS1:
============
Configuration directory server? [no]: yes
Configuration directory server URL [ldaps://fds1.mydomain.com:636/o=NetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [multiexportfoods.com]:
CA certificate filename: /tmp/root.txt
============

and this too works fine. After finishing the installation, I can connect to both directories (FDS1 and FDS2) from the console.

Now, I open the Manage Certificates window of FDS2. The first time, I set a password, and after that I can create the certificates for the directory.

After closing this window, I open the "Configuration" tab and click on the "Encryption" sub-tab.
At this moment I get this error:
==============
Incorrect Usage
An error has occurred
Could not open file (null). File does not exist or filename is invalid.
==============

I click OK, and in the "Encryption" sub-tab:
* the "Use this cipher family: RSA" content/block is hidden
* all other options ("Enable SSL for this server" / "Client Authentication" / "Check hostname against") are disabled

I tried:
- reinstalling both servers
- configuring FDS2 first, before FDS1, and the problem persists (now in FDS1)

Obs.: If I install both servers independently, it works fine.

Since yesterday I've been searching the web, bugzilla and the wiki, but I haven't found a solution or another similar problem.

Sincerely, I'm puzzled, because basically this is a default installation (two servers connected), and it appears that only I have this problem!! :-(

Thanks for any idea.

--
Victor Hugo dos Santos
Linux Counter #224399
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Mon, 09 Mar 2009 10:21:36 +0700
Subject: [Fedora-directory-users] Migrating Fedora DS 1.1 to another host by script "migrate-ds-admin"
Message-ID: <49B48B40.5090601@hrd-asia.com>

Hi!

I need to migrate a Fedora Directory Server (1.1) from one host to another. Both hosts are on the latest CentOS 5 level.

Having read the installation instructions (8.4.3 Migrating a Directory Server from One Machine to Another), I feel this could (should?) be done by the script migrate-ds-admin.pl.
Keeping the hostname is not a problem as the old host is about to be disconnected anyway.

However, I am confused about the script parameters --oldsroot/--actualroot from the manual. They both refer to the Directory Server directory in /opt, where it used to be until Fedora DS 1.0.4.

I am unsure what to use for Fedora DS version 1.1.x.
Can anybody advise, please?
Is there any other potential issue I should be aware of?

Needless to say, I appreciate any advice.

Regards,
Wolf
From: neuronring at gmail.com (neuron ring)
Date: Mon, 9 Mar 2009 14:16:28 +0530
Subject: [Fedora-directory-users] Problem with ldbm-backend in fds
Message-ID: <30abda540903090146k6413d905vbde9aaeeec17ed1d@mail.gmail.com>

Hi,

I have two doubts to be clarified regarding the fds ldbm database.

1. Can anyone help me find the total disk usage of an ldbm backend?

    /*
     * dbsize.c - ldbm backend routine which returns the size (in bytes)
     * that the database occupies on disk.
     */
    #include "back-ldbm.h"

    int ldbm_db_size( Slapi_PBlock *pb )
    {
        /*contents*/
    }

What is this function doing? I'm not able to find any command which returns the size of the database on disk. What command does that? How do I make use of this function "ldbm_db_size"?

-----------------------------------------------------------------------------------------------------

2.

    /*
     * rmdb.c - ldbm backend routine which deletes an entire database.
     * This routine is not exposed in the public SLAPI interface. It
     * is called by the replication subsystem when the changelog must
     * be erased.
     */
    #include "back-ldbm.h"

    int ldbm_back_rmdb( Slapi_PBlock *pb )
    {
        /*contents*/
    }

When will this function be called? How do I exercise "ldbm_back_rmdb"? How do I remove the entire DB? I tried ldapdelete and rm -rf, but neither of them went through this function "ldbm_back_rmdb". Can anyone give me a pointer?

Thanks in advance,
Neuron Ring

From rmeggins at redhat.com Mon Mar 9 14:08:54 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 09 Mar 2009 08:08:54 -0600
Subject: [Fedora-directory-users] Migrating Fedora DS 1.1 to another host by script "migrate-ds-admin"
In-Reply-To: <49B48B40.5090601@hrd-asia.com>
References: <49B48B40.5090601@hrd-asia.com>
Message-ID: <49B522F6.2010400@redhat.com>

Wolf Siedler wrote:
> Hi!
>
> I need to migrate a Fedora Directory Server (1.1) from one host to
> another. Both hosts are on latest CentOS 5 level.
>
> Having read the installation instructions (8.4.3 Migrating a Directory
> Server from One Machine to Another), I feel this could (should?) be done
> by script migrate-ds-admin.pl.
> Keeping the hostname is not a problem as the old host is about to be
> disconnected anyway.
>
> However, I am confused about the script parameters
> --oldsroot/--actualroot from the manual. They both refer to the
> Directory Server directory in /opt, where it used to be until Fedora DS
> 1.0.4.
>
> I am unsure what to use for Fedora DS version 1.1.x.
> Can anybody advise, please?
> Is there any other potential issue I should be aware of?
>
> Needless to say, I appreciate any advice.
>
Migration is only used for major version upgrades. If you are going to be using the same DS version on the same OS release and architecture, you should just be able to copy the old files to the new machine, after installing the software.

> Regards,
> Wolf
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From branimir.pejakovic at fina.hr Mon Mar 9 15:24:42 2009
From: branimir.pejakovic at fina.hr (Branimir)
Date: Mon, 09 Mar 2009 16:24:42 +0100
Subject: [Fedora-directory-users] Total number of LDAP entries
Message-ID: <49B534BA.9040108@fina.hr>

Hi list,

can someone tell me where to find the total number of LDAP entries stored in FDC? I looked in the Console "Status" tab but I could not find the number.

If someone can give me a hint...

Thank you in advance!

Best regards,
Branimir

From siedler at hrd-asia.com Mon Mar 9 19:48:36 2009
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Mar 2009 02:48:36 +0700
Subject: [Fedora-directory-users] Re: Migrating Fedora DS 1.1 to another host, (NOT) by script "migrate-ds-admin"
In-Reply-To: <49B522F6.2010400@redhat.com>
References: <49B48B40.5090601@hrd-asia.com> <49B522F6.2010400@redhat.com>
Message-ID: <49B57294.8070905@hrd-asia.com>

Dear Rich,

> migration is only used for major version upgrades.

Ah, I had not realized that.

> If you are going to be using the same DS version on the same OS release and architecture, you should just be able to copy the old files to the new machine, after installing the software.

"The old files" - that would be everything in /etc/dirsrv/? Fedora DS is already installed on the new host, but I haven't yet run the setup script. At least this is how I understood the instructions. Am I correct?

Thanks for your advice!

Regards,
Wolf

From rmeggins at redhat.com Mon Mar 9 20:04:59 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 09 Mar 2009 14:04:59 -0600
Subject: [Fedora-directory-users] Re: Migrating Fedora DS 1.1 to another host, (NOT) by script "migrate-ds-admin"
In-Reply-To: <49B57294.8070905@hrd-asia.com>
References: <49B48B40.5090601@hrd-asia.com> <49B522F6.2010400@redhat.com> <49B57294.8070905@hrd-asia.com>
Message-ID: <49B5766B.3060605@redhat.com>

Wolf Siedler wrote:
> Dear Rich,
>
>> migration is only used for major version upgrades.
>
> Ah, I had not realized that.
>
>> If you are going to be using the same DS version on the same OS release and architecture, you should just be able to copy the old files to the new machine, after installing the software.
>
> "The old files" - that would be everything in /etc/dirsrv/?
> Fedora DS is already installed on the new host, but I haven't yet
> run the setup script. At least this is how I understood the
> instructions. Am I correct?
>
Well, it's more than that - you should probably copy all of these files and dirs:

    find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var/lib/dirsrv -name slapd-yourinstancename

If you want the log files, add /var/log/dirsrv too.

> Thanks for your advice!
>
> Regards,
> Wolf

From siedler at hrd-asia.com Mon Mar 9 20:21:22 2009
From: siedler at hrd-asia.com (Wolf Siedler)
Date: Tue, 10 Mar 2009 03:21:22 +0700
Subject: [Fedora-directory-users] Re: Migrating Fedora DS 1.1 to another host, (NOT) by script "migrate-ds-admin"
In-Reply-To: <49B5766B.3060605@redhat.com>
References: <49B48B40.5090601@hrd-asia.com> <49B522F6.2010400@redhat.com> <49B57294.8070905@hrd-asia.com> <49B5766B.3060605@redhat.com>
Message-ID: <49B57A42.4000601@hrd-asia.com>

> you should probably copy all of these files and dirs:
> find /etc/dirsrv /usr/lib/dirsrv /usr/lib64/dirsrv /var/lib/dirsrv
> -name slapd-yourinstancename
>
> If you want the log files, add /var/log/dirsrv too.

OK, will do so.

Thanks for the fast advice!

Regards,
Wolf

From diwakoe at gmail.com Tue Mar 10 10:29:55 2009
From: diwakoe at gmail.com (Diwakoe)
Date: Tue, 10 Mar 2009 17:29:55 +0700
Subject: [Fedora-directory-users] Too many FDS open
In-Reply-To: <19A4A238A352AD40B65B3D88780DDBC6013F1254@sjc1amfpew04.am.sanm.corp>
References: <19A4A238A352AD40B65B3D88780DDBC6013F1254@sjc1amfpew04.am.sanm.corp>
Message-ID:

On Thu, Feb 26, 2009 at 4:46 AM, Chavez, James R. wrote:
> Hello Rich, list,
>
> Earlier today we started getting this error in our FDS error log
> repeatedly. Obviously connections were being refused at this point. I
> had to restart the directory server for the server to function again.
> Prior to releasing this box into production I did set the parameters
> according to the Installation guide specifications. The output of
> "ulimit -n" is 8192. The output of "sysctl -p" is below. (I increased
> fs.file-max from 64000.) Does anything look off?
>
> net.ipv4.tcp_syncookies = 1
> net.ipv4.tcp_keepalive_time = 300
> fs.file-max = 128000
> net.ipv4.ip_local_port_range = 1024 65000
>
> I also changed the setting in the config from
> nsslapd-maxdescriptors: 1024 to
> nsslapd-maxdescriptors: 8192
>
> Is there a way to tweak these settings so that this will not happen in
> the future?
> This is a dedicated consumer or read only replica.
> Directory size is roughly 20,000 users.
> We are running FC9 and FDS 1.1.1-3.
> We are lacking in RAM but look to improve on that shortly.
>
> I do see on the web past posts to this list regarding this error, I am
> currently looking through them. Is there anyone out there that has
> experienced this and gotten past it?
>
> Thanks
> James
>
> [25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too many fds open
> [25/Feb/2009:13:30:08 -0600] - Listening for new connections again
> [25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too many fds open
> [25/Feb/2009:13:30:08 -0600] - Listening for new connections again

Hi James,

Have you turned on the "nscd" service on the client side?

I got the same problem and had to restart the fds daemon every 3 hours to clear all client connections; the error went away when I started the "nscd" service on each client.

Thanks,
Teguh

--
Every flavour is here
http://www.teoteblung.co.cc

From beyonddc.storage at gmail.com Tue Mar 10 14:18:34 2009
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Tue, 10 Mar 2009 10:18:34 -0400
Subject: [Fedora-directory-users] Default Password Encryption Scheme
Message-ID: <20e4c38c0903100718h1ffbd252ka60018c72bb209b@mail.gmail.com>

Hi All,

Just curious, the default password encryption scheme for LDAP is SSHA. What is the number of bits it is using? Is it SSSH256, SSSH384, SSSH512?

Thanks,
David

From rmeggins at redhat.com Tue Mar 10 14:47:35 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Mar 2009 08:47:35 -0600
Subject: [Fedora-directory-users] Default Password Encryption Scheme
In-Reply-To: <20e4c38c0903100718h1ffbd252ka60018c72bb209b@mail.gmail.com>
References: <20e4c38c0903100718h1ffbd252ka60018c72bb209b@mail.gmail.com>
Message-ID: <49B67D87.1070503@redhat.com>

Chun Tat David Chu wrote:
> Hi All,
>
> Just curious, the default password encryption scheme for LDAP is SSHA.
> What is the number of bits it is using? Is it SSSH256, SSSH384, SSSH512?

It's the SHA-1 140-bit algorithm.

> Thanks,
>
> David

From branimir.pejakovic at fina.hr Tue Mar 10 14:48:24 2009
From: branimir.pejakovic at fina.hr (Branimir)
Date: Tue, 10 Mar 2009 15:48:24 +0100
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B534BA.9040108@fina.hr>
References: <49B534BA.9040108@fina.hr>
Message-ID: <49B67DB8.3070302@fina.hr>

Branimir wrote:
> Hi list,
>
> can someone tell me where to find the total number of LDAP entries
> stored in FDC? I looked up in Console "Status" tab but I could not find
> the number.
>
> If someone can give me a hint...
>
> Thank you in advance!
>

Hi,

so there is no way to find the total number of LDAP entries stored in FDC?

Thanks!

Best regards,
Branimir

From beyonddc.storage at gmail.com Tue Mar 10 14:54:10 2009
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Tue, 10 Mar 2009 10:54:10 -0400
Subject: [Fedora-directory-users] Default Password Encryption Scheme
In-Reply-To: <49B67D87.1070503@redhat.com>
References: <20e4c38c0903100718h1ffbd252ka60018c72bb209b@mail.gmail.com> <49B67D87.1070503@redhat.com>
Message-ID: <20e4c38c0903100754p1b611f27j9db4a7db97721ccb@mail.gmail.com>

Rich, thanks for your info.

I have one more question. Is the salt used for the SSHA generated every time a new user is added into the LDAP? What I mean is that there is a unique salt generated per user password, am I correct?

Thanks,
David

On Tue, Mar 10, 2009 at 10:47 AM, Rich Megginson wrote:
> Chun Tat David Chu wrote:
>> Just curious, the default password encryption scheme for LDAP is SSHA.
>> What is the number of bits it is using? Is it SSSH256, SSSH384, SSSH512?
>>
> It's the SHA-1 140 bits algorithm

From david_list at boreham.org Tue Mar 10 14:55:19 2009
From: david_list at boreham.org (David Boreham)
Date: Tue, 10 Mar 2009 08:55:19 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B67DB8.3070302@fina.hr>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr>
Message-ID: <49B67F57.5060105@boreham.org>

Branimir wrote:
> so there is no way to find the number of total LDAP entries stored in
> FDC?

Obviously that's a ridiculous statement. You could at the very least perform a search that returns all entries and count them!

The server however does not maintain a running count itself. So one way or another you will need to count the entries.

Unless... you configure a VLV index covering the target entries (e.g. all entries). This will as a side-effect maintain the count, which can be retrieved with the appropriate VLV search.

From rquirantes at cica.es Tue Mar 10 14:59:33 2009
From: rquirantes at cica.es (Rocio Quirantes)
Date: Tue, 10 Mar 2009 15:59:33 +0100
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B67DB8.3070302@fina.hr>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr>
Message-ID: <49B68055.30804@cica.es>

I'm not sure, but if you perform a search that returns all entries it will show you the number. For example, on the command line:

ldapsearch -LLL -x -D bindDn -W -H ldaps://ldap.example.com:636 -b "ou=users,dc=example,dc=com" "(objectClass=*)"

in the ldap log you get:

conn=2853323 fd=276 ACCEPT from IP=150.214.4.136:60252 (IP=0.0.0.0:636)
conn=2853323 fd=276 TLS established tls_ssf=256 ssf=256
conn=2853323 op=0 BIND dn="cn=Manager,dc=cica,dc=es" method=128
conn=2853323 op=0 BIND dn="cn=Manager,dc=cica,dc=es" mech=SIMPLE ssf=0
conn=2853323 op=0 RESULT tag=97 err=0 text=
conn=2853323 op=1 SRCH base="ou=cica,ou=users,ou=cuentas,dc=cica,dc=es" scope=2 deref=0 filter="(objectClass=*)"
conn=2853323 op=1 SEARCH RESULT tag=101 err=0 nentries=72 text=

As you can see the operation returns 72 entries. It is not a very clean way but it is the only one I could think of. Hope it helps you.

Rocio

Branimir wrote:
> so there is no way to find the number of total LDAP entries stored in
> FDC?

--
Rocio Quirantes Rodal
Área de Seguridad Informática
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 648 / +34 955 056 600 / FAX: +34 955 056 650
Consejería de Innovación, Ciencia y Empresa
Junta de Andalucía
--------------------------------------------------
This message is digitally signed. To verify the signature from your mail client you must have the root certificate of the CICA CA installed in it. You can download it from: http://pki.cica.es/cacert/
--------------------------------------------------

From rmeggins at redhat.com Tue Mar 10 15:05:57 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Mar 2009 09:05:57 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B67F57.5060105@boreham.org>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org>
Message-ID: <49B681D5.6020104@redhat.com>

David Boreham wrote:
> Branimir wrote:
>> so there is no way to find the number of total LDAP entries stored in
>> FDC?
> Obviously that's a ridiculous statement. You could at the very least
> perform a search that returns all entries and count them !
>
> The server however does not maintain a running count itself. So one
> way or another you will need to count the entries.
>
> Unless...you configure a VLV index covering the target entries (e.g.
> all entries). This will as a side-effect maintain the count, which can
> be retrieved with the appropriate VLV search.

You might also be able to extract that information from the information in cn=monitor or one of the cn=monitor entries under the database entries:

http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference-Core_Server_Configuration_Attributes_Reference.html#Configuration_Command_File_Reference-Core_Server_Configuration_Attributes_Reference-cnmonitor

http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cndatabase_cnmonitor_cnldbm_database_cnplugins_cnconfig

http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Plug_in_Implemented_Server_Functionality_Reference-Database_Plug_in_Attributes.html#Configuration_Command_File_Reference-Database_Plug_in_Attributes-Database_Attributes_under_cnmonitor_cnNetscapeRoot_cnldbm_database_cnplugins_cnconfig

The directory server also uses the operational attribute numSubordinates in a container node to specify the number of entries that are direct children of that container node - so I suppose you could also search for all of these and count them up.

From rmeggins at redhat.com Tue Mar 10 15:06:23 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Mar 2009 09:06:23 -0600
Subject: [Fedora-directory-users] Default Password Encryption Scheme
In-Reply-To: <20e4c38c0903100754p1b611f27j9db4a7db97721ccb@mail.gmail.com>
References: <20e4c38c0903100718h1ffbd252ka60018c72bb209b@mail.gmail.com> <49B67D87.1070503@redhat.com> <20e4c38c0903100754p1b611f27j9db4a7db97721ccb@mail.gmail.com>
Message-ID: <49B681EF.6080703@redhat.com>

Chun Tat David Chu wrote:
> Rich, thanks for your info.
>
> I have one more question. Is the salt used for the SSHA generated
> every time when a new user is added into the LDAP? What I meant is
> that there is a unique salt generated per user password, am I correct?

Yes.

> Thanks,
>
> David

From beyonddc.storage at gmail.com Tue Mar 10 15:06:55 2009
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Tue, 10 Mar 2009 11:06:55 -0400
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B68055.30804@cica.es>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B68055.30804@cica.es>
Message-ID: <20e4c38c0903100806l3707f886qc2289fec57c86fc@mail.gmail.com>

The search might not be a good way to do it if the number of entries exceeds the number you have set in the size limit in the Fedora LDAP.

On Tue, Mar 10, 2009 at 10:59 AM, Rocio Quirantes wrote:
> I'm not sure, but if you perform a search that returns all entries it
> will show you the number.
> For example:
> In the command line:
>
> ldapsearch -LLL -x -D bindDn -W -H ldaps://ldap.example.com:636 -b
> "ou=users,dc=example,dc=com" "(objectClass=*)"
>
> [...]
>
> As you can see the operation returns 72 entries.
> It is not a very clean way but it is the only one I could think of.
> Hope it helps you.
>
> Rocio

From david_list at boreham.org Tue Mar 10 15:11:44 2009
From: david_list at boreham.org (David Boreham)
Date: Tue, 10 Mar 2009 09:11:44 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B681D5.6020104@redhat.com>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B681D5.6020104@redhat.com>
Message-ID: <49B68330.7090502@boreham.org>

Rich Megginson wrote:
> You might also be able to extract that information from the
> information in cn=monitor or one of the cn=monitor entries under the
> database entries -

Unless something has changed recently, there's no entry count information maintained or readable via cn=monitor.

> The directory server also uses the operational attribute
> numSubordinates in a container node to specify the number of entries
> that are direct children of that container node - so I suppose you
> could also search for all of these and count them up.

This would work, but if the tree has many branches it'd be more efficient to use VLV. For a single big container it'd be fine though.

From branimir.pejakovic at fina.hr Tue Mar 10 15:14:28 2009
From: branimir.pejakovic at fina.hr (Branimir)
Date: Tue, 10 Mar 2009 16:14:28 +0100
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B67F57.5060105@boreham.org>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org>
Message-ID: <49B683D4.5020309@fina.hr>

David Boreham wrote:
> Branimir wrote:
>> so there is no way to find the number of total LDAP entries stored in
>> FDC?
> Obviously that's a ridiculous statement. You could at the very least
> perform a search that returns all entries and count them !
>
> The server however does not maintain a running count itself. So one way
> or another you will need to count the entries.
>
> Unless...you configure a VLV index covering the target entries (e.g. all
> entries). This will as a side-effect maintain the count, which can be
> retrieved with the appropriate VLV search.

Hi David and Rocio,

David: well, I know that I can perform a search and count them. I hoped that there is some shell command implemented in FDS that could provide this number. I administer a commercial LDAP solution that provides such a command. In my case this commercial solution charges per directory entry, so I always have to know the entry count. I was hoping FDC has some kind of equivalent command.

Rocio: Thank you for your effort!

Thanks!
Branimir

From david_list at boreham.org Tue Mar 10 15:16:29 2009
From: david_list at boreham.org (David Boreham)
Date: Tue, 10 Mar 2009 09:16:29 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B683D4.5020309@fina.hr>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr>
Message-ID: <49B6844D.7010808@boreham.org>

Branimir wrote:
> well, I know that I can perform search and count them. I hoped that
> there is some shell command implemented in FDS that could provide this
> number. I administer commercial LDAP solution that provides such
> command. In my case this commercial solution charges per directory
> entry so I always have to know entry count. I was hoping FDC has some
> kind of equivalent command.

Pipe the search output through grep and wc to count the entries returned.

From ryan.braun at ec.gc.ca Tue Mar 10 14:57:54 2009
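Added example, not from the thread: the "grep | wc" count above done properly over the LDIF that ldapsearch prints (run without -LLL so the trailing result line survives), plus the two caveats raised earlier in the thread: it sums numSubordinates from container entries the way Rich suggests, and it flags a search the server truncated at its size limit, in which case the count is only a lower bound. The LDIF below is constructed sample data, not output from any real directory.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of what `ldapsearch -x ... "(objectClass=*)"` prints
# when the server stops at its size limit (result code 4). The folded
# "cn:" line shows why LDIF continuation lines must be joined first.
SAMPLE_LDIF = """\
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
numSubordinates: 2

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
 Example

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
numSubordinates: 5

# search result
search: 2
result: 4 Size limit exceeded
"""


def unfold(lines: Iterable[str]) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space
    continues the previous attribute value."""
    out: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def count_entries(ldif: str) -> int:
    """One entry per 'dn:' line, counted after unfolding so a folded value
    that happens to begin with 'dn:' is not mistaken for an entry."""
    return sum(1 for l in unfold(ldif.splitlines()) if l.startswith("dn:"))


def sum_num_subordinates(ldif: str) -> int:
    """Total of numSubordinates over the container entries returned.
    This counts direct children only, so it matches the entry total when
    every entry is a direct child of one of the listed containers."""
    total = 0
    for l in unfold(ldif.splitlines()):
        m = re.match(r"numSubordinates:\s*(\d+)$", l, re.IGNORECASE)
        if m:
            total += int(m.group(1))
    return total


def search_truncated(ldif: str) -> bool:
    """True when the result line carries LDAP resultCode 4
    (sizeLimitExceeded): the server stopped early and count_entries()
    is a lower bound, not the total."""
    return any(re.match(r"result:\s*4\b", l) for l in ldif.splitlines())


def summarize(ldif: str) -> Tuple[int, int, bool]:
    """(entries returned, sum of numSubordinates, truncated?)"""
    return count_entries(ldif), sum_num_subordinates(ldif), search_truncated(ldif)


if __name__ == "__main__":
    entries, subs, truncated = summarize(SAMPLE_LDIF)
    print(f"entries returned: {entries}, numSubordinates total: {subs}")
    if truncated:
        print("search hit the size limit; the count is only a lower bound")
```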
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS]) Date: Tue, 10 Mar 2009 14:57:54 +0000 Subject: [Fedora-directory-users] Unable to properly login with cached password using libpam-ccreds Message-ID: <200903101457.54136.ryan.braun@ec.gc.ca> This isn't exactly fds specific, but I figure someone might have run into this aswell here. I'm trying to setup my ldap clients to cache their passwords so they are able to login if the network connection to the ldap servers go down. All servers and clients are running etch. But I'm having issues getting users to login successfully with a simulated ldap outtage (just blocking outgoing port 389 with iptables). While the network is connected, the ldap user newuser is able to ssh in just fine, I can see that the user's password is cached properly using cc_dump and testing with cc_test. I don't think it's a problem with me entering in the password (its just 111111, as you can see with cc_test) xxxxxx19:~/ldap# cc_dump Credential Type User Service Cached Credentials ---------------------------------------------------------------------------------- Salted SHA1 newuser any 37955e15e8960ac751616ed1c631f18763806651 xxxxxx19:~/ldap# cc_test -validate any newuser 111111 pam_cc_validate_credentials: Success xxxxxx19:~/ldap# cc_test -validate any newuser 11111a pam_cc_validate_credentials: Authentication failure The oddest part (which must point to pam issues methinks) is that the first login attempt will always fail, while the second attempt will always work xxxxxx19:~/ldap# ssh newuser at localhost newuser at localhost's password: Permission denied, please try again. newuser at localhost's password: You have been logged on using cached credentials. Linux xxxxxx19 2.6.24-etchnhalf.1-686-bigmem #1 SMP Tue Dec 2 08:50:08 UTC 2008 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Fri Feb 27 14:28:36 2009 from localhost newuser at xxxxxx19:~$ All cached nss functionality is there during ldap server downtime. xxxxxx19:~/ldap# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination REJECT tcp -- anywhere anywhere tcp dpt:ldap reject-with icmp-port-unreachable xxxxx19:~/ldap# id newuser uid=1000(newuser) gid=1000(cfwos-user) groups=1000(test-user) xxxxxx19:~/ldap# grep newuser /etc/passwd xxxxxx19:~/ldap# I've installed the following packages on the clients nss-updatedb libnss-db libpam-ccreds libpam-ldap libnss-ldap ldap-utils Here are my pam configs. newuser at xxxxxx19:~$ grep -v ^# /etc/pam.d/common-*|strings /etc/pam.d/common-account: /etc/pam.d/common-account: /etc/pam.d/common-account:account sufficient pam_unix.so nullok_secure /etc/pam.d/common-account:account sufficient pam_ldap.so /etc/pam.d/common-account:account required pam_permit.so /etc/pam.d/common-auth: /etc/pam.d/common-auth: /etc/pam.d/common-auth: /etc/pam.d/common-auth:auth sufficient pam_unix.so /etc/pam.d/common-auth:auth required pam_group.so use_first_pass /etc/pam.d/common-auth:auth [authinfo_unavail=ignore success=1 default=die] pam_ldap.so use_first_pass /etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=validate use_first_pass /etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=store use_first_pass /etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=update use_first_pass /etc/pam.d/common-password: /etc/pam.d/common-password: /etc/pam.d/common-password:password sufficient pam_ldap.so ignore_unknown_user /etc/pam.d/common-password:password required pam_unix.so nullok obscure min=4 max=8 md5 /etc/pam.d/common-password: /etc/pam.d/common-password: /etc/pam.d/common-session:session 
required pam_mkhomedir.so skel=/etc/skel/ umask=0077 /etc/pam.d/common-session:session required pam_unix.so /etc/pam.d/common-session:session optional pam_ldap.so newuser at xxxxxx19:~$ grep -v ^# /etc/pam.d/login |strings auth requisite pam_securetty.so auth requisite pam_nologin.so session required pam_env.so readenv=1 session required pam_env.so readenv=1 envfile=/etc/default/locale @include common-auth auth optional pam_group.so session required pam_limits.so session optional pam_lastlog.so session optional pam_motd.so session optional pam_mail.so standard @include common-account @include common-session @include common-password And the libnss/pam_ldap configs xxxxxx19:~/ldap# vc /etc/libnss-ldap.conf base dc=xxx,dc=xx,dc=xx,dc=xx uri ldap://xxxsrvr0.xxx.xx.xx.xx uri ldap://xxxsrvr1.xxx.xx.xx.xx ldap_version 3 rootbinddn cn=directory manager bind_timelimit 2 bind_policy soft pam_check_host_attr yes pam_password exop tls_cacertdir /etc/ldap/cacerts xxxxxx19:~/ldap# vc /etc/pam_ldap.conf base dc=xxx,dc=xx,dc=xx,dc=xx uri ldap://xxxsrvr0.xxx.xx.xx.xx uri ldap://xxxsrvr1.xxx.xx.xx.xx ldap_version 3 rootbinddn cn=directory manager pam_check_host_attr yes pam_password exop ssl start_tls tls_cacertdir /etc/ldap/cacerts Here is the log contents from auth.log xxxxxx19:/var/log# grep 28664 auth.log.work |grep -v nss_ldap Feb 27 14:51:18 xxxxxx19 sshd[28664]: pam_ldap: ldap_starttls_s: Can't contact LDAP server Feb 27 14:51:20 xxxxxx19 sshd[28664]: Failed password for newuser from xxx.xx.xxx.247 port 44489 ssh2 Feb 27 14:51:36 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact LDAP server Feb 27 14:51:44 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact LDAP server Feb 27 14:51:44 xxxxxx19 sshd[28664]: Accepted password for newuser from xxx.xx.xxx.247 port 44489 ssh2 xxxxxx19:/var/log# (without a whole bunch of messages from nss_ldap about not being able to find the server) Anyone have any ideas? 
Ryan Braun
Informatics Operations
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: (204) 833-2500x2625  CSN: 257-2625  FAX: (204) 833-2524
E-Mail: Ryan.Braun at ec.gc.ca

From beyonddc.storage at gmail.com Tue Mar 10 15:24:59 2009
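An added walk-through of the common-auth stack in the pam_ccreds question above, written for this page in Python; it is neither the poster's material nor Linux-PAM's own code. It applies the control rules from pam.conf(5): the keyword controls expanded to their documented [value=action] forms, and the ok, done, bad, die, ignore and N-jump actions. The return codes fed to pam_ldap and pam_ccreds are assumptions chosen only to show what each of the two outcomes in the auth.log excerpt (one "Failed password", then "Accepted password") would require from pam_ldap; they are not observed values.

```python
"""Trace the Linux-PAM control flow of an 'auth' stack.

Added example for this page; not Linux-PAM code. Control semantics follow
pam.conf(5): ok, done, bad, die, ignore and 'N' (jump over N modules, which
counts as ok). Module return codes in the scenarios below are assumptions.
"""

SUCCESS = "PAM_SUCCESS"
AUTH_ERR = "PAM_AUTH_ERR"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
USER_UNKNOWN = "PAM_USER_UNKNOWN"

# The simple keywords as pam.conf(5) defines them in [value=action] form.
CONTROL_ALIASES = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The poster's /etc/pam.d/common-auth; module arguments trimmed to the ones
# that tell the entries apart.
COMMON_AUTH = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_group.so"),
    ("[authinfo_unavail=ignore success=1 default=die]", "pam_ldap.so"),
    ("[default=done]", "pam_ccreds.so action=validate"),
    ("[default=done]", "pam_ccreds.so action=store"),
    ("[default=done]", "pam_ccreds.so action=update"),
]


def parse_control(token):
    """'sufficient' or '[authinfo_unavail=ignore success=1 default=die]' -> {value: action}."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return CONTROL_ALIASES[token]


def run_auth_stack(stack, returns):
    """Walk the stack. `returns` maps a module entry to the code it returns
    (unlisted modules return PAM_SUCCESS). Gives (final code, trace) where
    trace lists (module, return code, action taken) for every module reached."""
    result = None                     # no module has contributed yet
    trace = []
    i = 0
    while i < len(stack):
        control, module = stack[i]
        rc = returns.get(module, SUCCESS)
        actions = parse_control(control)
        action = actions.get(rc.lower().replace("pam_", ""), actions.get("default", "bad"))
        trace.append((module, rc, action))
        i += 1
        if action == "ignore":
            continue
        # ok/done/bad/die/N all record this code unless an earlier module
        # already recorded a failure; a jump (N) is 'ok' plus a skip.
        if result in (None, SUCCESS):
            result = rc
        if action in ("done", "die"):
            break
        if action.isdigit():
            i += int(action)
    return (SUCCESS if result is None else result), trace


def outcome(ldap_rc, cached_ok=True):
    """Final code for a user who exists only in LDAP (pam_unix cannot find them),
    given what pam_ldap returns and whether pam_ccreds holds valid cached credentials."""
    returns = {
        "pam_unix.so": USER_UNKNOWN,                 # assumption: not in /etc/passwd
        "pam_ldap.so": ldap_rc,                      # assumption: the code under test
        "pam_ccreds.so action=validate": SUCCESS if cached_ok else AUTH_ERR,
    }
    return run_auth_stack(COMMON_AUTH, returns)


if __name__ == "__main__":
    for label, rc in (("server reachable", SUCCESS),
                      ("bind fails, PAM_AUTHINFO_UNAVAIL", AUTHINFO_UNAVAIL),
                      ("starttls fails, assumed PAM_AUTH_ERR", AUTH_ERR)):
        final, trace = outcome(rc)
        print(f"{label}: {final}")
        for step in trace:
            print("   ", *step)
```

Whatever code pam_ldap returns when ldap_starttls_s fails decides the outcome: anything other than PAM_AUTHINFO_UNAVAIL or PAM_SUCCESS hits default=die before pam_ccreds gets to validate the cached credentials, whereas a failed bind that surfaces as PAM_AUTHINFO_UNAVAIL falls through to pam_ccreds and is accepted. So the first thing to establish on the client is which code pam_ldap actually returns for the StartTLS failure.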
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Tue, 10 Mar 2009 11:24:59 -0400
Subject: [Fedora-directory-users] Default Password Encryption Scheme
In-Reply-To: <49B681EF.6080703@redhat.com>
References: <20e4c38c0903100718h1ffbd252ka60018c72bb209b@mail.gmail.com> <49B67D87.1070503@redhat.com> <20e4c38c0903100754p1b611f27j9db4a7db97721ccb@mail.gmail.com> <49B681EF.6080703@redhat.com>
Message-ID: <20e4c38c0903100824l782d87ddm41ac9a4c452a8ac4@mail.gmail.com>

Great! Thank you very much!

- David

On Tue, Mar 10, 2009 at 11:06 AM, Rich Megginson wrote:
> Chun Tat David Chu wrote:
>> Rich, thanks for your info.
>>
>> I have one more question. Is the salt used for the SSHA generated every
>> time when a new user is added into the LDAP? What I meant is that there
>> is a unique salt generated per user password, am I correct?
> Yes.
>>
>> Thanks,
>>
>> David
>>
>> On Tue, Mar 10, 2009 at 10:47 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>>
>> Chun Tat David Chu wrote:
>>
>> Hi All,
>>
>> Just curious, the default password encryption scheme for LDAP is SSHA.
>> What is the number of bits it is using? Is it SSHA256, SSHA384, SSHA512?
>>
>> It's the SHA-1 140 bits algorithm
>>
>> Thanks,
>>
>> David
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Tue Mar 10 15:29:26 2009
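The thread above settles two points about the default scheme: SSHA in Fedora DS is salted SHA-1 (a SHA-1 digest is 160 bits, 20 bytes), and a fresh salt is generated per password, so a per-user salt is not something the administrator has to arrange. An added example, in Python and not the server's code, of how such a value is produced and checked. The stored layout is '{SSHA}' followed by base64(digest(password + salt) + salt); the 8-byte salt length is an assumption, and the verifier does not depend on it because it recovers the salt from the stored value. The same layout with sha256/sha512 is included for comparison with the {SSHA256}/{SSHA512} names the original question asked about.

```python
"""Salted SHA password hashes in the {SSHA} layout discussed in the thread.

Added example, not 389/Fedora DS code. Stored form:
    '{SCHEME}' + base64(digest(password || salt) || salt)
The salt is random per hash, so two users with the same password get
different values; a verifier reads the salt back out of the stored value.
"""
import base64
import hashlib
import hmac
import os

SCHEMES = {            # scheme tag -> (hashlib name, digest length in bytes)
    "SSHA": ("sha1", 20),
    "SSHA256": ("sha256", 32),
    "SSHA384": ("sha384", 48),
    "SSHA512": ("sha512", 64),
}


def ssha_hash(password, salt=None, scheme="SSHA", salt_len=8):
    """Return '{SCHEME}base64(digest || salt)'. A fresh random salt is drawn
    unless one is supplied (supply one only in tests)."""
    algo, _ = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(salt_len)          # assumption: 8-byte salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def parse_ssha(stored):
    """Split a stored value into (scheme, digest, salt). The digest length is
    fixed by the scheme; every byte after it is the salt, whatever its size."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    raw = base64.b64decode(b64)
    _, dlen = SCHEMES[scheme]
    if len(raw) <= dlen:
        raise ValueError("value too short to hold digest and salt")
    return scheme, raw[:dlen], raw[dlen:]


def ssha_verify(password, stored):
    """True if password matches the stored hash; digest compare is constant-time."""
    try:
        scheme, digest, salt = parse_ssha(stored)
    except ValueError:
        return False
    algo, _ = SCHEMES[scheme]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    a, b = ssha_hash("Secret123"), ssha_hash("Secret123")
    print(a)
    print(b)
    print("same password, different stored values:", a != b)
    print("verify right/wrong:", ssha_verify("Secret123", a), ssha_verify("wrong", a))
    print(ssha_hash("Secret123", scheme="SSHA512"))
```

Because the salt travels inside the stored value, a client that needs to check a password against a userPassword it has read (rather than binding) must split the value as parse_ssha does; comparing base64 strings directly will never match.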
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Mar 2009 09:29:26 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B683D4.5020309@fina.hr>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr>
Message-ID: <49B68756.10007@redhat.com>

Branimir wrote:
> David Boreham wrote:
>> Branimir wrote:
>>> so there is no way to find the number of total LDAP entries stored
>>> in FDC?
>> Obviously that's a ridiculous statement. You could at the very least
>> perform a search that returns all entries and count them!
>>
>> The server however does not maintain a running count itself. So one
>> way or another you will need to count the entries.
>>
>> Unless...you configure a VLV index covering the target entries (e.g.
>> all entries). This will as a side-effect maintain the count, which can
>> be retrieved with the appropriate VLV search.
>
> Hi David and Rocio,
>
> David:
> well, I know that I can perform search and count them. I hoped that
> there is some shell command implemented in FDS that could provide this
> number. I administer commercial LDAP solution
Which LDAP solution?
> that provides such command.
What is the command and how does it work?
> In my case this commercial solution charges per directory entry so I
> always have to know entry count. I was hoping FDC has some kind of
> equivalent command.
Assuming your entry cache contains every entry (that is, assuming you have
enough RAM to cache every entry), you can query the entry cache count and
that should be the number of entries in your directory server. This is the
(apparently) undocumented attribute called currentEntryCacheCount in the
cn=monitor entry for each database.
>
> Rocio:
> Thank you for your effort!
>
> Thanks!
>
> Branimir

From david_list at boreham.org Tue Mar 10 15:30:46 2009
From: david_list at boreham.org (David Boreham)
Date: Tue, 10 Mar 2009 09:30:46 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B68756.10007@redhat.com>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr> <49B68756.10007@redhat.com>
Message-ID: <49B687A6.6070607@boreham.org>

Rich Megginson wrote:
> Assuming your entry cache contains every entry (that is, assuming you
> have enough RAM to cache every entry), you can query the entry cache
> count and that should be the number of entries in your directory
> server. This is the (apparently) undocumented attribute called
> currentEntryCacheCount in the cn=monitor entry for each database.
Hmm...this is a bit convoluted. You'd have to know the number of entries in
advance, then make sure the entry cache size was configured to a larger
number, then perform a search for all entries to force them into the cache,
and finally read the count. Wouldn't it be easier to just use the search
output to count the entries?

I suppose if you had a gazillion entries, so many that it would take a very
long time to send them back to a client, then it might be worthwhile. You'd
need to concoct a search that you knew would touch every entry but would
not return any of them (a filter that is un-indexed and doesn't match any
entry would do it).

From nalin at redhat.com Tue Mar 10 15:55:59 2009
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Tue, 10 Mar 2009 11:55:59 -0400
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B683D4.5020309@fina.hr>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr>
Message-ID: <20090310155559.GA6290@redhat.com>

On Tue, Mar 10, 2009 at 04:14:28PM +0100, Branimir wrote:
> well, I know that I can perform search and count them. I hoped that
> there is some shell command implemented in FDS that could provide this
> number. I administer commercial LDAP solution that provides such
> command. In my case this commercial solution charges per directory entry
> so I always have to know entry count. I was hoping FDC has some kind of
> equivalent command.

Assuming you only care about entries that get stored on disk (which is
what I'd prefer if I were a customer), you could find the id2entry
database file, run 'db_stat -d' against it, and use the number of unique
keys and data items it returns as your count.

HTH,

Nalin

From david_list at boreham.org Tue Mar 10 15:57:48 2009
From: david_list at boreham.org (David Boreham)
Date: Tue, 10 Mar 2009 09:57:48 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <20090310155559.GA6290@redhat.com>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr> <20090310155559.GA6290@redhat.com>
Message-ID: <49B68DFC.4080903@boreham.org>

Nalin Dahyabhai wrote:
> Assuming you only care about entries that get stored on disk (which is
> what I'd prefer if I were a customer), you could find the id2entry
> database file run 'db_stat -d' against it, and use the number of unique
> keys and data items it returns as your count.
>
This does essentially the same thing as a search for all entries. However
it will potentially give the wrong number because it'll include deleted
entries.

From branimir.pejakovic at fina.hr Tue Mar 10 17:35:59 2009
From: branimir.pejakovic at fina.hr (Branimir)
Date: Tue, 10 Mar 2009 18:35:59 +0100
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B68756.10007@redhat.com>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr> <49B68756.10007@redhat.com>
Message-ID: <49B6A4FF.3090106@fina.hr>

Rich Megginson wrote:
> Branimir wrote:
>> David Boreham wrote:
>>> Branimir wrote:
>>>> so there is no way to find the number of total LDAP entries stored
>>>> in FDC?
>>> Obviously that's a ridiculous statement. You could at the very least
>>> perform a search that returns all entries and count them!
>>>
>>> The server however does not maintain a running count itself. So one
>>> way or another you will need to count the entries.
>>>
>>> Unless...you configure a VLV index covering the target entries (e.g.
>>> all entries). This will as a side-effect maintain the count, which can
>>> be retrieved with the appropriate VLV search.
>>
>> Hi David and Rocio,
>>
>> David:
>> well, I know that I can perform search and count them. I hoped that
>> there is some shell command implemented in FDS that could provide this
>> number. I administer commercial LDAP solution
> Which LDAP solution?
>> that provides such command.
> What is the command and how does it work?

Hi Rich,

please don't be offended but I work in a CA environment and I cannot
provide that information. What I can say is that this command counts the
number of entries on both master and replica servers.

Also thank you for the links.

Cheers,

Branimir

From branimir.pejakovic at fina.hr Tue Mar 10 17:38:33 2009
From: branimir.pejakovic at fina.hr (Branimir)
Date: Tue, 10 Mar 2009 18:38:33 +0100
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B6844D.7010808@boreham.org>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr> <49B6844D.7010808@boreham.org>
Message-ID: <49B6A599.6080309@fina.hr>

David Boreham wrote:
> Branimir wrote:
>> well, I know that I can perform search and count them. I hoped that
>> there is some shell command implemented in FDS that could provide this
>> number. I administer commercial LDAP solution that provides such
>> command. In my case this commercial solution charges per directory
>> entry so I always have to know entry count. I was hoping FDC has some
>> kind of equivalent command.
>
> Pipe the search output through grep and wc to count the entries returned.
>
Thanks David. I am familiar with UNIX basics :). As I said before, I was
hoping there is some simple command for this, nothing more.

Cheers,

Branimir

From rmeggins at redhat.com Tue Mar 10 17:46:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 10 Mar 2009 11:46:09 -0600
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B6A4FF.3090106@fina.hr>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr> <49B68756.10007@redhat.com> <49B6A4FF.3090106@fina.hr>
Message-ID: <49B6A761.4050005@redhat.com>

Branimir wrote:
> Rich Megginson wrote:
>> Branimir wrote:
>>> David Boreham wrote:
>>>> Branimir wrote:
>>>>> so there is no way to find the number of total LDAP entries stored
>>>>> in FDC?
>>>> Obviously that's a ridiculous statement. You could at the very
>>>> least perform a search that returns all entries and count them!
>>>>
>>>> The server however does not maintain a running count itself. So one
>>>> way or another you will need to count the entries.
>>>>
>>>> Unless...you configure a VLV index covering the target entries
>>>> (e.g. all entries). This will as a side-effect maintain the count,
>>>> which can be retrieved with the appropriate VLV search.
>>>
>>> Hi David and Rocio,
>>>
>>> David:
>>> well, I know that I can perform search and count them. I hoped that
>>> there is some shell command implemented in FDS that could provide
>>> this number. I administer commercial LDAP solution
>> Which LDAP solution?
>>> that provides such command.
>> What is the command and how does it work?
>
> Hi Rich,
>
> please don't be offended but I work in a CA environment and I cannot
> provide that information.
Why? Is this the CA E-Trust Directory Server? If so, isn't the
information on it publicly available? If so, why would you not be able
to provide that information.
> What I can say is that this command counts the number of entries on both
> master and replica servers.
How does it work? Does it use LDAP? Does it invoke some sort of remote
shell?
>
> Also thank you for the links.
>
> Cheers,
>
> Branimir

From branimir.pejakovic at fina.hr Tue Mar 10 17:53:49 2009
From: branimir.pejakovic at fina.hr (Branimir)
Date: Tue, 10 Mar 2009 18:53:49 +0100
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B6A761.4050005@redhat.com>
References: <49B534BA.9040108@fina.hr> <49B67DB8.3070302@fina.hr> <49B67F57.5060105@boreham.org> <49B683D4.5020309@fina.hr> <49B68756.10007@redhat.com> <49B6A4FF.3090106@fina.hr> <49B6A761.4050005@redhat.com>
Message-ID: <49B6A92D.7010008@fina.hr>

Rich Megginson wrote:
> Branimir wrote:
>> Rich Megginson wrote:
>>> Branimir wrote:
>>>> David Boreham wrote:
>>>>> Branimir wrote:
>>>>>> so there is no way to find the number of total LDAP entries stored
>>>>>> in FDC?
>>>>> Obviously that's a ridiculous statement. You could at the very
>>>>> least perform a search that returns all entries and count them!
>>>>>
>>>>> The server however does not maintain a running count itself. So one
>>>>> way or another you will need to count the entries.
>>>>>
>>>>> Unless...you configure a VLV index covering the target entries
>>>>> (e.g. all entries). This will as a side-effect maintain the count,
>>>>> which can be retrieved with the appropriate VLV search.
>>>>
>>>> Hi David and Rocio,
>>>>
>>>> David:
>>>> well, I know that I can perform search and count them. I hoped that
>>>> there is some shell command implemented in FDS that could provide
>>>> this number. I administer commercial LDAP solution
>>> Which LDAP solution?
>>>> that provides such command.
>>> What is the command and how does it work?
>>
>> Hi Rich,
>>
>> please don't be offended but I work in a CA environment and I cannot
>> provide that information.
> Why? Is this the CA E-Trust Directory Server? If so, isn't the
> information on it publicly available? If so, why would you not be able
> to provide that information.

Sorry for the misunderstanding. CA = Certificate Authority.

>> What I can say is that this command counts the number of entries on
>> both master and replica servers.
> How does it work? Does it use LDAP? Does it invoke some sort of remote
> shell?

It doesn't invoke a remote shell and it doesn't use LDAP. That's all I
can say.

Branimir

From ryan.braun at ec.gc.ca Tue Mar 10 18:04:20 2009
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Tue, 10 Mar 2009 18:04:20 +0000
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <49B6A599.6080309@fina.hr>
References: <49B534BA.9040108@fina.hr> <49B6844D.7010808@boreham.org> <49B6A599.6080309@fina.hr>
Message-ID: <200903101804.21170.ryan.braun@ec.gc.ca>

On Tuesday 10 March 2009 17:38:33 Branimir wrote:
> David Boreham wrote:
> > Branimir wrote:
> >> well, I know that I can perform search and count them. I hoped that
> >> there is some shell command implemented in FDS that could provide this
> >> number. I administer commercial LDAP solution that provides such
> >> command. In my case this commercial solution charges per directory
> >> entry so I always have to know entry count. I was hoping FDC has some
> >> kind of equivalent command.
> >
> > Pipe the search output through grep and wc to count the entries returned.
>
> Thanks David. I am familiar with UNIX basics :). As I said before, I was
> hoping there is some simple command for this, nothing more.
>
> Cheers,
>
> Branimir
>

Here's an easy perl script you can run; it will do a sub search on a given
suffix and output the total entries returned.

Ryan

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

my $bind_dn = "cn=directory manager";
my $bind_pw = "password";
my @servers = qw(server1.com server2.com);
my $base_dn = "cn=config";

foreach my $server (@servers) {
    my $ldap = Net::LDAP->new($server, port => 389, timeout => 10);
    if (!$ldap) {
        # 'return' is only valid inside a subroutine; skip this server instead
        print "failed to connect to $server\n";
        next;
    }
    my $msg = $ldap->bind($bind_dn, password => $bind_pw, version => 3);
    if ($msg->code) {
        # print error message here because we have access to the $msg object
        print "\t$server\t\t\tFAILURE " . $msg->code
            . " error text is " . $msg->error_name . "\n";
        next;
    }
    $msg = $ldap->search(filter => "(objectClass=*)", base => $base_dn, scope => 'sub');
    # a non-zero result code (e.g. 4, sizelimit exceeded) means the count is partial
    if ($msg->code) {
        print "\t$server\t\t\tsearch returned " . $msg->code
            . " (" . $msg->error_name . "), count may be incomplete\n";
    }
    print "Found " . $msg->count . " total entries in $base_dn on $server\n";
    $ldap->unbind;
}

From michael at stroeder.com Tue Mar 10 18:24:49 2009
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 10 Mar 2009 19:24:49 +0100
Subject: [Fedora-directory-users] Re: Total number of LDAP entries
In-Reply-To: <200903101804.21170.ryan.braun@ec.gc.ca>
References: <49B534BA.9040108@fina.hr> <49B6844D.7010808@boreham.org> <49B6A599.6080309@fina.hr> <200903101804.21170.ryan.braun@ec.gc.ca>
Message-ID: <49B6B071.9080302@stroeder.com>

Ryan Braun [ADS] wrote:
> Here's an easy perl script you can run, it will do a sub search on a
> given suffix and output the total entries returned.

On FDS I'd prefer to search for (hasSubordinates=TRUE) and sum up the
values of the numSubordinates attribute in the entries found.

Other LDAP server implementations have other operational attributes with
different semantics:

Siemens DirX: numAllSubordinates
Critical Path Directory Server: countImmSubordinates, countTotSubordinates
MS Active Directory: msDS-Approx-Immed-Subordinates

My web2ldap uses all these besides 'hasSubordinates' to determine whether
an entry found is a leaf entry or not and to display the number of
subordinate entries in the link popup help.

Ciao, Michael.

From diwakoe at gmail.com Wed Mar 11 10:10:08 2009
From: diwakoe at gmail.com (Diwakoe)
Date: Wed, 11 Mar 2009 17:10:08 +0700
Subject: [Fedora-directory-users] Ubuntu 8.04 authentication
Message-ID:

Dear all,

I want to configure Ubuntu 8.04 authentication using FDS but still cannot
get users from the server; another workstation running Fedora 7 can
authenticate fine. I am already using this doc:
https://help.ubuntu.com/community/FedoraDirectoryServerClientHowto, but
still no luck.

Any help is appreciated.

Cheers,
Teguh

--
Semua rasa ada disini
http://www.teoteblung.co.cc

From emmanuel.billot at ird.fr Wed Mar 11 10:44:09 2009
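The entry-counting thread above ends with three recipes: pipe a subtree search through grep/wc (or read what a Net::LDAP search returns), sum numSubordinates over the entries matching (hasSubordinates=TRUE), or run db_stat -d on id2entry, which also counts deleted entries. An added Python example, not from any of the posters, that applies the first two to saved ldapsearch output so they can be cross-checked against each other offline. The LDIF below is constructed for the example; the ldapsearch invocations in the docstring assume an OpenLDAP ldapsearch client and Directory Manager credentials, and the '# numEntries:' trailer the code also reads is the one OpenLDAP's ldapsearch appends to its output.

```python
"""Count entries from saved ldapsearch (LDIF) output.

Added example, not code from the list thread. Assumed inputs:

    # every entry, no attributes ('1.1'), for the grep/wc style count:
    ldapsearch -x -H ldap://server -D "cn=directory manager" -W \
        -b "dc=example,dc=com" -s sub "(objectClass=*)" 1.1 > all.ldif

    # only entries that have children, for the numSubordinates sum:
    ldapsearch -x -H ldap://server -D "cn=directory manager" -W \
        -b "dc=example,dc=com" "(hasSubordinates=TRUE)" numSubordinates > sub.ldif
"""
import re

# Constructed sample output for a seven-entry tree (not real server output).
SAMPLE_ALL = """\
dn: dc=example,dc=com

dn: ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com

dn: ou=groups,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=
 com

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7
"""

SAMPLE_SUB = """\
dn: dc=example,dc=com
numSubordinates: 2

dn: ou=people,dc=example,dc=com
numSubordinates: 3

dn: ou=groups,dc=example,dc=com
numSubordinates: 1

# numEntries: 3
"""


def parse_ldif(text):
    """Return a list of records, each {attribute(lower-case): [values]}.
    Folded lines (leading space) are joined, '#' comments skipped, base64
    ('::') values kept undecoded since a counter never needs their contents."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            current.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())
    if current:
        records.append(current)
    return records


def _split_dn(dn):
    # split on commas that are not RFC 4514 escapes (\,), normalised for comparison
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn)]


def count_entries(ldif_text):
    """grep -c '^dn:' done properly: one per record that has a dn, minus any
    tombstones (only present if you searched for objectClass=nsTombstone)."""
    return sum(
        1 for r in parse_ldif(ldif_text)
        if "dn" in r and not any(v.lower() == "nstombstone" for v in r.get("objectclass", []))
    )


def reported_num_entries(ldif_text):
    """The '# numEntries: N' trailer OpenLDAP's ldapsearch appends, or None."""
    m = re.search(r"^# numEntries: (\d+)\s*$", ldif_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def total_from_subordinates(ldif_text):
    """Sum numSubordinates over a (hasSubordinates=TRUE) result. Each value
    counts immediate children only, so the entries at the top of the result
    (whose parent is not in it, i.e. the suffix itself) are added once each."""
    recs = [r for r in parse_ldif(ldif_text) if "dn" in r]
    present = {",".join(_split_dn(r["dn"][0])) for r in recs}
    children = sum(int(v) for r in recs for v in r.get("numsubordinates", []))
    roots = sum(1 for r in recs if ",".join(_split_dn(r["dn"][0])[1:]) not in present)
    return children + roots


if __name__ == "__main__":
    print("dn count     :", count_entries(SAMPLE_ALL))
    print("numEntries   :", reported_num_entries(SAMPLE_ALL))
    print("subordinates :", total_from_subordinates(SAMPLE_SUB))
```

The three numbers agree on a consistent export; if the subordinate sum comes out lower than the dn count, the usual reason is a size limit truncating the full search or a search base that is not the suffix, so the result code of the search is worth checking before trusting either figure.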
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Wed, 11 Mar 2009 11:44:09 +0100
Subject: [Fedora-directory-users] SSL replication
Message-ID: <49B795F9.2030109@ird.fr>

Hi,

During our many tests, we've seen a particular behaviour in cert checking,
so we wonder if it is not a misconfiguration of our server:

We have installed 2 FDS and replication agreements between them. Those
replication agreements are configured with the "SSL connection" option
enabled, "simple authentication" and a replication manager.
A certificate has been generated for each server, using its FQDN.
Replication is ok.
However, we made a mistake in a test, and one cert was generated with a
DNS hostname different from the server it was intended for, and
replication is still working...

How is it possible? Is there any hostname control in the SSL connection?

Ex: toutou.gaia.net (with cert signed toutou.gaia.intranet.net) is
replicating with gri.gaia.net (with cert signed gri.gaia.net)

BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Wed Mar 11 13:51:22 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Mar 2009 07:51:22 -0600
Subject: [Fedora-directory-users] SSL replication
In-Reply-To: <49B795F9.2030109@ird.fr>
References: <49B795F9.2030109@ird.fr>
Message-ID: <49B7C1DA.2090401@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> During our many tests, we've seen a particular behaviour in cert
> checking, so we wonder if it is not a misconfiguration of our server:
>
> We have installed 2 FDS and replication agreements between them. Those
> replication agreements are configured with the "SSL connection" option
> enabled, "simple authentication" and a replication manager.
> A certificate has been generated for each server, using its FQDN.
> Replication is ok.
> However, we made a mistake in a test, and one cert was generated
> with a DNS hostname different from the server it was intended for, and
> replication is still working...
>
> How is it possible? Is there any hostname control in the SSL
> connection?
I'm not sure how it's possible. Yes, by default the hostname is checked.
This is controlled by the attribute nsslapd-ssl-check-hostname in
cn=config. By default this is "on".
>
> Ex: toutou.gaia.net (with cert signed toutou.gaia.intranet.net) is
> replicating with gri.gaia.net (with cert signed gri.gaia.net)
>
> BR,
>

From tamarinp at gmail.com Wed Mar 11 16:09:00 2009
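An added example of the check Rich refers to, written in Python for this page; it is not the check inside Fedora DS (that one lives in the NSS/LDAP client libraries and is switched with nsslapd-ssl-check-hostname), but a model of the usual rules a TLS client applies: compare the connected hostname against dNSName subjectAltName entries when the certificate has any, otherwise against the subject CN; compare case-insensitively; accept a single '*' only as the whole leftmost label, matching exactly one label. The certificate dictionaries are constructed from the poster's two replicas and follow the shape ssl.SSLSocket.getpeercert() returns.

```python
"""Hostname check a TLS client makes on the server certificate.

Added example written for this page; not Fedora DS / NSS code. Models
RFC 6125-style matching: SAN dNSName first, CN as fallback, one wildcard
label at most, case-insensitive.
"""


def hostname_matches(pattern, hostname):
    """True if one certificate name matches the connected hostname."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # wildcard only as the entire leftmost label, never for a bare
    # registrable domain, and matching exactly one label
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_peercert(cert):
    """Candidate names from a dict shaped like ssl.SSLSocket.getpeercert():
    dNSName SANs when any exist, else the subject commonName(s)."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def verify_peer_name(cert, hostname, check_hostname=True):
    """The replication-agreement view: with the hostname check on, the
    connection must fail when no name matches; with it off, a mismatch passes."""
    if not check_hostname:
        return True
    return any(hostname_matches(n, hostname) for n in names_from_peercert(cert))


# Constructed certificates for the two replicas in the question.
GRI_CERT = {"subject": ((("commonName", "gri.gaia.net"),),),
            "subjectAltName": (("DNS", "gri.gaia.net"),)}
TOUTOU_CERT = {"subject": ((("commonName", "toutou.gaia.intranet.net"),),)}  # wrong name

if __name__ == "__main__":
    print(verify_peer_name(GRI_CERT, "gri.gaia.net"))                          # True
    print(verify_peer_name(TOUTOU_CERT, "toutou.gaia.net"))                    # False
    print(verify_peer_name(TOUTOU_CERT, "toutou.gaia.net", check_hostname=False))  # True
```

To see what a server is actually configured with: ldapsearch -x -D "cn=directory manager" -W -b cn=config -s base nsslapd-ssl-check-hostname. If that reports on and the agreement still replicates against the wrong name, check which certificate the replica really presents on its secure port and whether it carries a subjectAltName that already matches, since a matching dNSName SAN satisfies the check even when the CN does not.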
From: tamarinp at gmail.com (tamarin p)
Date: Wed, 11 Mar 2009 17:09:00 +0100
Subject: [Fedora-directory-users] Admin-server/config-server
Message-ID: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com>

Hey,

I've installed Fedora DS 1.1.3 on RHEL5 and configured two server
instances using setup-ds-admin.pl. It seems to work fine, including
single-master replication. I can manage both servers through the
fedora-idm-console.

I'm left with some questions I couldn't find answers to in the
documentation however, and was hoping someone could help me clear some of
them.

1) The Red Hat documentation makes references to both an admin server and
a configuration server. I can't seem to get a handle on what's what. Is it
simply two terms for the same thing or does one refer to the web-interface
while the other refers to the o=NetscapeRoot suffix on one of the ldap
instances?

2) Slightly connected with 1). Is it advisable to create a completely
separate ldap instance for the configuration server or does one generally
just use the first instance created? For example in my test setup I
created two instances, slapd-primary and slapd-secondary, where the
configuration server for secondary was set to
ldap://ldap.test.org:389/o=NetscapeRoot. I'm assuming pointers to all
servers managed by this console etc. are stored here. Would it instead be
advisable to have a completely separate instance for this, so that instead
of slapd-primary and slapd-secondary, I'd have slapd-admin, slapd-primary
and slapd-secondary? In production (and further along in my testing) they
would all live on separate boxes obviously.

3) I'm assuming it's only possible to have one admin console/config server
per machine. I.e. not possible to have four server instances on the same
box but have the first two managed through one console and the remaining
two through another (on the same machine)?

From rmeggins at redhat.com Wed Mar 11 16:44:51 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 11 Mar 2009 10:44:51 -0600
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com>
Message-ID: <49B7EA83.9010903@redhat.com>

tamarin p wrote:
> Hey,
>
> I've installed Fedora DS 1.1.3 on RHEL5 and configured two server
> instances using setup-ds-admin.pl. It seems to work fine, including
> single-master replication. I can manage both servers through the
> fedora-idm-console.
>
> I'm left with some questions I couldn't find answers to in the
> documentation however, and was hoping someone could help me clear some
> of them.
>
> 1) The Red Hat documentation makes references to both an admin server
> and a configuration server. I can't seem to get a handle on what's
> what. Is it simply two terms for the same thing or does one refer to
> the web-interface while the other refers to the o=NetscapeRoot suffix
> on one of the ldap instances?
The admin server is the httpd server + admin server module (apache
httpd.worker + mod_admserv) - config in /etc/dirsrv/admin-serv
The configuration (directory) server is the directory server (ns-slapd)
that hosts o=NetscapeRoot for your admin domain - config in
/etc/dirsrv/slapd-yourinstancename
>
> 2) Slightly connected with 1). Is it advisable to create a completely
> separate ldap instance for the configuration server or does one
> generally just use the first instance created? For example in my test
> setup I created two instances, slapd-primary and slapd-secondary,
> where the configuration server for secondary was set to
> ldap://ldap.test.org:389/o=NetscapeRoot. I'm assuming pointers to
> all servers managed by this console etc. are stored here. Would it
> instead be advisable to have a completely separate instance for this,
> so that instead of slapd-primary and slapd-secondary, I'd have
> slapd-admin, slapd-primary and slapd-secondary? In production (and
> further along in my testing) they would all live on separate boxes
> obviously.
If you have a very large deployment with hundreds of thousands of
entries, thousands of client connections, and lots of updates and
replication, you might want to have separate instances for ease of
manageability. Otherwise, having them both on the same instance is fine.
>
> 3) I'm assuming it's only possible to have one admin console/config
> server per machine. I.e. not possible to have four server instances on
> the same box but have the first two managed through one console and
> the remaining two through another (on the same machine)?
There can be only 1 admin server per machine. The admin server on that
machine manages all directory server instances on that machine. You can
create directory server instances that cannot be managed in the console
at all using setup-ds.pl. I don't know if that answers your question.

From hugo.etievant at inrp.fr Thu Mar 12 10:41:42 2009
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Thu, 12 Mar 2009 11:41:42 +0100
Subject: [Fedora-directory-users] FDS Password policy and passsync
Message-ID: <49B8E6E6.4090508@inrp.fr>

hello,

Step 1:
I have created a replication agreement between a FDS (DS 1.1.3 on Fedora 8)
server and a Windows 2003 Server (Active Directory).
Users' passwords are successfully synchronized.

Step 2:
I activated password policy in FDS and in AD.
Password policies are identical.

But some passwords are not synchronized between AD and FDS (in this
direction only).

error message in log:

03/12/09 09:49:01: Ldap error in ModifyPassword
19: Constraint violation
03/12/09 09:49:01: Modify password failed for remote entry: uid=foobar,ou=people,dc=inrp,dc=fr
03/12/09 09:49:01: Deferring password change for foobar

details of password policy in FDS:

nsslapd-security: on
nsslapd-auditlog-logging-enabled: on
nsslapd-errorlog-level: 8192
nsslapd-pwpolicy-local: on
passwordMinLength: 8
passwordMinCategories: 3
passwordMinTokenLength: 2
pass"wordCheckSyntax: on
passwordMinAlphas: 0
passwordMinDigits: 0
passwordMaxAge: 63072000 (seconds = 730 days)
passwordExp: on
passwordHistory: on
passwordWarning: 0
passwordInHistory: 10

details of password policy in AD (I use "Windows Server 2003 Password
Complexity Requirements"):

* Passwords cannot contain the user's account name or parts of the user's
  full name that exceed two consecutive characters.
* Passwords must be at least 6 characters in length.
* Passwords must contain characters from three of the following four
  categories:
  1. English uppercase characters (A through Z).
  2. English lowercase characters (a through z).
  3. Base 10 digits (0 through 9).
  4. Non-alphabetic characters (for example, !, $, #, %).

password history = 10
max age: 730 days
password min len: 8

Why do some of my users have problems (FDS does not accept the new Windows
password)?

regards

--
* Hugo Étiévant *

From tamarinp at gmail.com Thu Mar 12 11:25:39 2009
From: tamarinp at gmail.com (tamarin p)
Date: Thu, 12 Mar 2009 12:25:39 +0100
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <49B7EA83.9010903@redhat.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com>
Message-ID: <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com>

2009/3/11 Rich Megginson
> tamarin p wrote:
>>
>> 3) I'm assuming it's only possible to have one admin console/config
>> server per machine. I.e. not possible to have four server instances on
>> the same box but have the first two managed through one console and
>> the remaining two through another (on the same machine)?
>>
> There can be only 1 admin server per machine. The admin server on that
> machine manages all directory server instances on that machine. You can
> create directory server instances that cannot be managed in the console
> at all using setup-ds.pl. I don't know if that answers your question.
>

Thanks for the explanation, Rich.

One additional question with regards to the above, though, if I may: Does
this mean it's not intended/possible to register ldap instance(s) on
machine A with the config-server on machine B? I assumed it was because
answering "yes" on the register-with-existing-configserv step in
setup-ds-admin.pl prompts you for a full ldap-URL. However, creating an
instance with setup-ds.pl and then later running register-ds-admin.pl it
only seems possible to register locally by folder/identifier, not
ldap-URL.

From rmeggins at redhat.com Thu Mar 12 13:18:15 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 12 Mar 2009 07:18:15 -0600
Subject: [Fedora-directory-users] Admin-server/config-server
In-Reply-To: <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com>
References: <4dd1b3eb0903110909j12e494a8y2810bd6f596808d9@mail.gmail.com> <49B7EA83.9010903@redhat.com> <4dd1b3eb0903120425h62858127j487931478104ff18@mail.gmail.com>
Message-ID: <49B90B97.5060605@redhat.com>

tamarin p wrote:
>
> 2009/3/11 Rich Megginson
>
>     tamarin p wrote:
>
>         3) I'm assuming it's only possible to have one admin
>         console/config server per machine. I.e. not possible to have
>         four server instances on the same box but have the first two
>         managed through one console and the remaining two through
>         another (on the same machine)?
>
>     There can be only 1 admin server per machine. The admin server on
>     that machine manages all directory server instances on that
>     machine. You can create directory server instances that cannot be
>     managed in the console at all using setup-ds.pl. I don't know if
>     that answers your question.
>
>
> Thanks for the explanation, Rich.
>
> One additional question with regards to the above, though, if I may:
> Does this mean it's not intended/possible to register ldap instance(s)
> on machine A with the config-server on machine B? I assumed it was
> because answering "yes" on the register-with-existing-configserv step
> in setup-ds-admin.pl prompts you for a full ldap-URL.
You usually have a single configuration directory server for a single
admin domain, which may consist of many machines. So yes, that's what
that dialog does - it registers your directory server with a (possibly)
remote configuration directory server, used to store configuration for
many machines.
> However, creating an instance with setup-ds.pl and then later running
> register-ds-admin.pl it only seems possible to register locally by
> folder/identifier, not ldap-URL.
It should be possible both ways.

From hugo.etievant at inrp.fr Thu Mar 12 14:15:21 2009
From: hugo.etievant at inrp.fr (Hugo Etievant) Date: Thu, 12 Mar 2009 15:15:21 +0100 Subject: [Fedora-directory-users] FDS Password policy and passsync In-Reply-To: <49B8E6E6.4090508@inrp.fr> References: <49B8E6E6.4090508@inrp.fr> Message-ID: <49B918F9.1030902@inrp.fr>

hi,

I found the explanation of my problem: Unicode chars are accepted by Windows Server but refused by FDS. Only 7-bit chars are accepted for userPassword in FDS.

I disabled the "enforce clean 7 bits attribute value" for the userPassword attribute in the "7 bits plugin" of my DS with the IDM Console. Now Unicode passwords are accepted by FDS and passsync does not fail.

The ldapsearch command line accepts Unicode passwords, but some applications (Thunderbird) do not accept Unicode passwords!!!!

Have you a solution for me?
Can I enforce 7-bit clean on Windows Server 2003????

regards

Hugo Etievant wrote:
> hello,
>
> Step 1:
> I have created a replication agreement between a FDS (DS 1.1.3 on Fedora 8) server and a Windows 2003 Server (Active Directory).
> User's passwords are successfully synchronized.
>
> Step 2:
> I activated password policy in FDS and in AD.
> Password policies are identical.
>
> But some passwords are not synchronized between AD and FDS (in this way only).
> error message in log:
>
> 03/12/09 09:49:01: Ldap error in ModifyPassword
> 19: Constraint violation
> 03/12/09 09:49:01: Modify password failed for remote entry: uid=foobar,ou=people,dc=inrp,dc=fr
> 03/12/09 09:49:01: Deferring password change for foobar
>
> details of password policy in FDS:
>
> nsslapd-security: on
> nsslapd-auditlog-logging-enabled: on
> nsslapd-errorlog-level: 8192
> nsslapd-pwpolicy-local: on
> passwordMinLength: 8
> passwordMinCategories: 3
> passwordMinTokenLength: 2
> passwordCheckSyntax: on
> passwordMinAlphas: 0
> passwordMinDigits: 0
> passwordMaxAge: 63072000 (seconds = 730 days)
> passwordExp: on
> passwordHistory: on
> passwordWarning: 0
> passwordInHistory: 10
>
> details of password policy in AD (I use "Windows Server 2003 Password Complexity Requirements"):
>
> * Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.
> * Passwords must be at least 6 characters in length.
> * Passwords must contain characters from three of the following four categories:
>   1. English uppercase characters (A through Z).
>   2. English lowercase characters (a through z).
>   3. Base 10 digits (0 through 9).
>   4. Non-alphabetic characters (for example, !, $, #, %).
>
> password history = 10
> max age: 730 days
> password min len: 8
>
> Why do some of my users have problems (FDS does not accept new Windows password)?
>
> regards
>
> --
> * Hugo Étiévant *
--
* Hugo Étiévant *
-------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Thu Mar 12 14:23:51 2009
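Added example, not part of the thread: a Python check that applies the FDS policy values quoted above (passwordMinLength 8, passwordMinCategories 3, passwordMinTokenLength 2), the 7-bit plugin's restriction on userPassword, and the Windows Server 2003 complexity rules as listed, to the same password, so you can see which side rejects it. Category counting and name-token matching are simplified approximations of the servers' real checks, and the sample account data is constructed.

```python
"""Side-by-side check of the FDS and AD password rules quoted in the thread.

Added example, not the project's code. The four character classes are the
ASCII ones listed in the AD text; the passwordMinTokenLength and
"parts of the full name" checks are simplified case-insensitive substring
tests, not the servers' exact implementations.
"""
import re
import string

# Values copied from the FDS policy listed in the mail.
FDS_MIN_LENGTH = 8
FDS_MIN_CATEGORIES = 3
FDS_MIN_TOKEN_LENGTH = 2
# Values from the AD "Password Complexity Requirements" text in the mail.
AD_MIN_LENGTH = 6
AD_MIN_CATEGORIES = 3


def count_categories(password: str) -> int:
    """Count how many of the four listed classes (A-Z, a-z, 0-9, punctuation) occur."""
    classes = (
        string.ascii_uppercase,
        string.ascii_lowercase,
        string.digits,
        string.punctuation,
    )
    return sum(1 for cls in classes if any(c in cls for c in password))


def is_seven_bit(password: str) -> bool:
    """The FDS 7-bit plugin rejects userPassword values containing any char above 0x7F."""
    return all(ord(c) < 0x80 for c in password)


def check_fds(password: str, account: dict) -> list:
    """Return the reasons FDS (policy above plus the 7-bit plugin) would reject the password."""
    problems = []
    if not is_seven_bit(password):
        problems.append("7-bit plugin: non-ASCII character in userPassword")
    if len(password) < FDS_MIN_LENGTH:
        problems.append(f"passwordMinLength: shorter than {FDS_MIN_LENGTH}")
    if count_categories(password) < FDS_MIN_CATEGORIES:
        problems.append(f"passwordMinCategories: fewer than {FDS_MIN_CATEGORIES} classes")
    # passwordMinTokenLength: values of uid/cn/sn/givenName/ou/mail at least this
    # long must not appear in the password (simplified, case-insensitive substring).
    lowered = password.lower()
    for attr in ("uid", "cn", "sn", "givenName", "ou", "mail"):
        for value in account.get(attr, ()):
            if len(value) >= FDS_MIN_TOKEN_LENGTH and value.lower() in lowered:
                problems.append(f"passwordMinTokenLength: contains {attr} value {value!r}")
    return problems


def check_ad(password: str, account: dict) -> list:
    """Return the reasons the quoted AD 2003 complexity rules would reject the password."""
    problems = []
    if len(password) < AD_MIN_LENGTH:
        problems.append(f"AD: shorter than {AD_MIN_LENGTH}")
    if count_categories(password) < AD_MIN_CATEGORIES:
        problems.append(f"AD: fewer than {AD_MIN_CATEGORIES} of the four classes")
    lowered = password.lower()
    for name in account.get("sAMAccountName", ()):
        if name.lower() in lowered:
            problems.append("AD: contains the account name")
    # "parts of the user's full name that exceed two consecutive characters":
    # split the display name on common delimiters and reject tokens of 3+ chars.
    for full in account.get("displayName", ()):
        for token in re.split(r"[\s,.\-_#]+", full):
            if len(token) > 2 and token.lower() in lowered:
                problems.append(f"AD: contains name part {token!r}")
    return problems


def compare(password: str, account: dict) -> dict:
    """Run both checks so a PassSync 'Constraint violation' can be traced to one side."""
    return {"fds": check_fds(password, account), "ad": check_ad(password, account)}


# Constructed sample account; 'foobar' is the uid from the log line in the mail.
SAMPLE_ACCOUNT = {
    "uid": ["foobar"],
    "cn": ["Foo Bar"],
    "sn": ["Bar"],
    "givenName": ["Foo"],
    "mail": ["foobar@example.com"],
    "sAMAccountName": ["foobar"],
    "displayName": ["Foo Bar"],
}

if __name__ == "__main__":
    # "Été2009!" satisfies AD but trips the FDS 7-bit plugin, as described in the mail.
    for pw in ("Été2009!", "Xk7$pq2m", "Bar2009!", "ab1!"):
        print(pw, compare(pw, SAMPLE_ACCOUNT))
```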
From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 12 Mar 2009 08:23:51 -0600 Subject: [Fedora-directory-users] Problem with ldbm-backend in fds In-Reply-To: <30abda540903090146k6413d905vbde9aaeeec17ed1d@mail.gmail.com> References: <30abda540903090146k6413d905vbde9aaeeec17ed1d@mail.gmail.com> Message-ID: <49B91AF7.8060101@redhat.com>

neuron ring wrote:
> Hi,
>
> I have two doubts to be clarified regarding the fds ldbm database.
>
> 1. Can anyone help me find the total usage of a ldbm backend?
>
>     /*
>      * dbsize.c - ldbm backend routine which returns the size (in bytes)
>      * that the database occupies on disk.
>      */
>
>     #include "back-ldbm.h"
>
>     int
>     ldbm_db_size( Slapi_PBlock *pb )
>     {
>         /*contents*/
>     }
>
> What is this function doing? I'm not able to find any commands which return the size of the database which occupies the disk space.
> What command does that? How to make use of this function "ldbm_db_size"?
>
> -----------------------------------------------------------------------------------------------------
> 2.
>
>     /*
>      * rmdb.c - ldbm backend routine which deletes an entire database.
>      * This routine is not exposed in the public SLAPI interface. It
>      * is called by the replication subsystem when the changelog must
>      * be erased.
>      */
>
>     #include "back-ldbm.h"
>
>     int
>     ldbm_back_rmdb( Slapi_PBlock *pb )
>     {
>         /*contents*/
>     }
>
> When will this function be called? How to exercise this "ldbm_back_rmdb"? How to remove the entire DB? I tried
>
> ldapdelete and rm -rf
>
> But neither of them accessed this function "ldbm_back_rmdb". Can anyone give me a pointer?
>
> Thanks in advance,
> Neuron Ring

Can you provide more information about what you are trying to do? Are you trying to write a database plug-in and you want to find out how to implement these functions?
> > > ------------------------------------------------------------------------
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL:

From jfenal at redhat.com Thu Mar 12 16:13:27 2009
From: jfenal at redhat.com (Jerome Fenal) Date: Thu, 12 Mar 2009 17:13:27 +0100 Subject: [Fedora-directory-users] FDS Password policy and passsync In-Reply-To: <49B918F9.1030902@inrp.fr> References: <49B8E6E6.4090508@inrp.fr> <49B918F9.1030902@inrp.fr> Message-ID: <1236874407.13361.8.camel@jfenal.f10>

On Thursday 12 March 2009 at 15:15 +0100, Hugo Etievant wrote:
> hi,
>
> I found the explanation of my problem: Unicode chars are accepted by Windows Server but refused by FDS.
> Only 7-bit chars are accepted for userPassword in FDS.
>
> I disabled the "enforce clean 7 bits attribute value" for the userPassword attribute in the "7 bits plugin" of my DS with the IDM Console.
> Now Unicode passwords are accepted by FDS and passsync does not fail.
>
> The ldapsearch command line accepts Unicode passwords, but some applications (Thunderbird) do not accept Unicode passwords!!!!
>
> Have you a solution for me?
> Can I enforce 7-bit clean on Windows Server 2003????

This you should ask your Microsoft support.

--
Jérôme Fenal, RHCE              Tel.: +33 1 41 91 23 37
Solution Architect              Mob.: +33 6 88 06 51 15
Pre-sales Consultant            Fax.: +33 1 41 91 23 32
http://www.redhat.fr/           jfenal at redhat.com
Red Hat France SARL             Siret n° 421 199 464 00064
Le Linea, 1 rue du Général Leclerc 92047 Paris La Défense Cédex

From tscherf at redhat.com Fri Mar 13 11:25:01 2009
From: tscherf at redhat.com (Thorsten Scherf) Date: Fri, 13 Mar 2009 12:25:01 +0100 Subject: [Fedora-directory-users] Re: Ubuntu 8.04 authentication In-Reply-To: References: Message-ID: <20090313112501.GB4336@tscherf.redhat.com>

On [Wed, 11.03.2009 17:10], Diwakoe wrote:
> Dear all,
>
> I want to configure ubuntu 8.04 authentication using FDS but still cannot get users from the server; another workstation using fedora 7 can authenticate well.

If you use TLS to talk to the FDS, there is a bug in the GnuTLS package shipped with Ubuntu. Check the Ubuntu bug-tracker system for this.

Happy Day.
Thorsten

--
"Eternity is a very long time, especially towards the end." - Stephen Hawking

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3855 bytes Desc: not available URL:

From ryan.braun at ec.gc.ca Fri Mar 13 16:10:56 2009
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS]) Date: Fri, 13 Mar 2009 16:10:56 +0000 Subject: [Fedora-directory-users] Ubuntu 8.04 authentication In-Reply-To: References: Message-ID: <200903131610.56478.ryan.braun@ec.gc.ca>

On Wednesday 11 March 2009 10:10:08 Diwakoe wrote:
> Dear all,
>
> I want to configure ubuntu 8.04 authentication using FDS but still cannot get users from the server; another workstation using fedora 7 can authenticate well.
>
> Already using this doc:
> https://help.ubuntu.com/community/FedoraDirectoryServerClientHowto,
> but still no luck.

I find that starting small and working forward is the best way to go.

First off, disable all encryption (for now) in pam_ldap.conf and libnss-ldap.conf. I've found that running wireshark while learning/setting up the clients helps a ton. You can see the ldap calls over tcpip and can also see all the usernames and passwords. Which should inspire you to turn encryption back on when done :)

Next configure nss lookups. Make sure libnss-ldap is installed, and again minimally, set up libnss-ldap.conf. Add ldap to your nsswitch.conf file and try a getent (passwd|group). If nothing happens, check your sniffer and fds logs to see if it was able to try and connect to your ldap server.

Then move onto your pam config. Same as above, start minimally then add configs/features later. But remember, FDS will not accept passwd changes from the command line unless over TLS/SSL. But it will authenticate just fine.

But like I said initially, for myself, watching wireshark helped a ton.

Ryan

From emmanuel.billot at ird.fr Mon Mar 16 13:26:15 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT) Date: Mon, 16 Mar 2009 14:26:15 +0100 Subject: [Fedora-directory-users] Plug in Message-ID: <49BE5377.7010100@ird.fr>

Hi,

Is there an exhaustive list of plug-ins developed for FDS?
Where can I find a detailed method to create one?

BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From hugo.etievant at inrp.fr Fri Mar 13 15:10:35 2009
From: hugo.etievant at inrp.fr (Hugo Etievant) Date: Fri, 13 Mar 2009 16:10:35 +0100 Subject: [Fedora-directory-users] Password History Navigation Message-ID: <49BA776B.5040907@inrp.fr>

Hi,

I have set a password policy with password history.

When I use ldappasswd to change a password, this tool tells me "Constraint violation" but that does not give the real reason of the failure.

=>>> How can we verify if a password is in the history list???

my following command is not successful:

    ldapsearch -h HOST -p 389 -D "cn=ADMIN" -b "ou=UNIT,dc=HOST,dc=COM" -x -w - "(passwordHistory=OLDPASSWD)" dn

regards

--
* Hugo Étiévant *

From aaron.mills at returnpath.net Mon Mar 16 17:25:33 2009
From: aaron.mills at returnpath.net (Aaron Mills) Date: Mon, 16 Mar 2009 11:25:33 -0600 Subject: [Fedora-directory-users] Solaris 10 central auth through FDS Message-ID:

Hi All,

I'm trying to hook a bunch of Solaris 10 boxes into my FDS install for central user authentication. I've already got a dozen or so linux boxes authenticating off FDS 1.1.3.

I was reading the documentation here:
http://directory.fedoraproject.org/wiki/Howto:SolarisClient#Solaris_10_LDAP_Client

Which seems to be slightly outdated (idsconfig fails consistently). Is there a newer doc out there somewhere and/or has anyone had success with the Wiki's instructions? Any advice would be much appreciated.

Thanks,

-Aaron

--
Aaron Mills
Systems Administrator
Return Path
http://www.returnpath.net

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From rmeggins at redhat.com Mon Mar 16 17:33:22 2009
From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 16 Mar 2009 11:33:22 -0600 Subject: [Fedora-directory-users] Plug in In-Reply-To: <49BE5377.7010100@ird.fr> References: <49BE5377.7010100@ird.fr> Message-ID: <49BE8D62.6000108@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> Is there an exhaustive list of plug-ins developed for FDS?

In the source code: http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/servers/plugins/?root=dirsec

> Where can I find a detailed method to create one?

http://directory.fedoraproject.org/wiki/Plugins is some basic information

There is also the plug-in programmer's guide - http://www.redhat.com/docs/manuals/dir-server/plugin/contents.htm

We are in the process of updating this so that the information will better apply to Fedora DS 1.1 and later.

The fedora-directory-devel list is a good place to discuss plug-in programming.

>
> BR,
>

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL:

From rmeggins at redhat.com Mon Mar 16 17:37:31 2009
From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 16 Mar 2009 11:37:31 -0600 Subject: [Fedora-directory-users] Password History Navigation In-Reply-To: <49BA776B.5040907@inrp.fr> References: <49BA776B.5040907@inrp.fr> Message-ID: <49BE8E5B.1040806@redhat.com>

Hugo Etievant wrote:
> Hi,
>
> I have set a password policy with password history.
>
> When I use ldappasswd to change a password, this tool tells me "Constraint violation" but that does not give the real reason of the failure.
>
> =>>> How can we verify if a password is in the history list???

If you display the extended information sent back in the LDAP error return, you should see a message like this "password in history"

>
> my following command is not successful:
>     ldapsearch -h HOST -p 389 -D "cn=ADMIN" -b "ou=UNIT,dc=HOST,dc=COM" -x -w - "(passwordHistory=OLDPASSWD)" dn

passwordHistory stores hashed passwords so this ldapsearch won't work

I suppose you could use ldapsearch to get the passwordHistory list, then write a script to use the pwdhash command to hash and compare a given password with the passwords in the list.

>
>
> regards
>

-------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL:

From lbigum at iseek.com.au Mon Mar 16 22:17:00 2009
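Added example, not code from the thread or from Fedora DS: the script Rich describes, in Python. It reads the passwordHistory values out of ldapsearch LDIF output (unfolding wrapped lines) and compares a candidate password against each; instead of shelling out to pwdhash it recomputes the {SSHA}/{SHA} schemes itself (SHA-1 over password||salt, base64 of digest||salt). The LDIF is constructed for the example, and the timestamp prefix in front of the scheme tag is assumed to be the form the server stores.

```python
"""Offline check of a candidate password against an entry's passwordHistory.

Added example, not the project's code. Sample history values are built here
with fixed salts so the script runs without a server.
"""
import base64
import hashlib
import hmac


def ssha(password: str, salt: bytes) -> str:
    """Produce a {SSHA} value the way the server does (used only to build sample data)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def history_from_ldif(ldif: str) -> list:
    """Collect passwordHistory values from ldapsearch LDIF output, unfolding wrapped lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if line.lower().startswith("passwordhistory:"):
            values.append(line.split(":", 1)[1].strip())
    return values


def split_history_value(value: str) -> tuple:
    """Return (timestamp, scheme, base64) from 'timestamp{SCHEME}base64' or '{SCHEME}base64'."""
    start = value.index("{")
    end = value.index("}", start)
    return value[:start], value[start + 1:end].upper(), value[end + 1:]


def matches(candidate: str, stored: str) -> bool:
    """True if the candidate hashes to the stored {SSHA} or {SHA} value."""
    _, scheme, b64 = split_history_value(stored)
    raw = base64.b64decode(b64)
    data = candidate.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]       # SHA-1 digest is 20 bytes, salt follows
        computed = hashlib.sha1(data + salt).digest()
    elif scheme == "SHA":
        digest, computed = raw, hashlib.sha1(data).digest()
    else:
        raise ValueError(f"unsupported password scheme {scheme}")
    return hmac.compare_digest(digest, computed)


def in_history(candidate: str, history: list) -> list:
    """Timestamps of every history entry the candidate matches (empty list = not reused)."""
    return [split_history_value(h)[0] for h in history if matches(candidate, h)]


# Constructed sample: two old passwords with fixed salts, one value folded as
# ldapsearch prints long attribute values.
_OLD1 = "20090101120000Z" + ssha("Winter2008!", b"\x01\x02\x03\x04\x05\x06\x07\x08")
_OLD2 = "20090301090000Z" + ssha("Spring2009!", b"\xf0\xe1\xd2\xc3\xb4\xa5\x96\x87")
SAMPLE_LDIF = (
    "dn: uid=foobar,ou=people,dc=example,dc=com\n"
    "passwordHistory: " + _OLD1[:40] + "\n " + _OLD1[40:] + "\n"
    "passwordHistory: " + _OLD2 + "\n"
)

if __name__ == "__main__":
    hist = history_from_ldif(SAMPLE_LDIF)
    for pw in ("Winter2008!", "Spring2009!", "Summer2009!"):
        print(pw, "reused at", in_history(pw, hist) or "never")
```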
From: lbigum at iseek.com.au (Luke Bigum) Date: Tue, 17 Mar 2009 08:17:00 +1000 Subject: [Fedora-directory-users] RE: Solaris 10 central auth through FDS In-Reply-To: References: Message-ID:

Aaron, that's the documentation I followed, it should be correct. Make sure you take a note of the first point and modify the script. Here's my copy of the chk_ids_version function:

    chk_ids_version()
    {
        [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"

        # check iDS version number.
        eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
        if [ $? -ne 0 ]; then
            ${ECHO} "ERROR: Can not determine the version number of iDS!"
            exit 1
        fi
        IDS_VER=`cat ${TMPDIR}/checkDSver`
        IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
        IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
        if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ] && [ "${IDS_MAJVER}" != "1" ]; then
            ${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x and FDS 1.1.3, not ${IDS_VER}."
            exit 1
        fi
        if [ $DEBUG -eq 1 ]; then
            ${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
            ${ECHO} "  IDS_MINVER = $IDS_MINVER"
        fi
    }

If that doesn't fix your problem, can you find out where in the script it's dying?

Luke Bigum
Systems Administrator
(p) 1300 661 668
(f) 1300 661 540
(e) lbigum at iseek.com.au
http://www.iseek.com.au
Level 1, 100 Ipswich Road Woolloongabba QLD 4102

This e-mail and any files transmitted with it may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorised to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message.
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Aaron Mills
Sent: Tuesday, 17 March 2009 3:26 AM
To: discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Solaris 10 central auth through FDS

Hi All,

I'm trying to hook a bunch of Solaris 10 boxes into my FDS install for central user authentication. I've already got a dozen or so linux boxes authenticating off FDS 1.1.3.

I was reading the documentation here:
http://directory.fedoraproject.org/wiki/Howto:SolarisClient#Solaris_10_LDAP_Client

Which seems to be slightly outdated (idsconfig fails consistently). Is there a newer doc out there somewhere and/or has anyone had success with the Wiki's instructions? Any advice would be much appreciated.

Thanks,

-Aaron

--
Aaron Mills
Systems Administrator
Return Path
http://www.returnpath.net

-------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 3245 bytes Desc: image001.jpg URL:

From diwakoe at gmail.com Wed Mar 18 01:53:45 2009
From: diwakoe at gmail.com (Diwakoe) Date: Wed, 18 Mar 2009 08:53:45 +0700 Subject: [Fedora-directory-users] Re: Ubuntu 8.04 authentication In-Reply-To: <20090313112501.GB4336@tscherf.redhat.com> References: <20090313112501.GB4336@tscherf.redhat.com> Message-ID:

On Fri, Mar 13, 2009 at 6:25 PM, Thorsten Scherf wrote:
> If you use TLS to talk to the FDS, there is a bug in the GnuTLS
> package shipped with Ubuntu. Check the Ubuntu bug-tracker system for this.
>
> Happy Day.
> Thorsten
>

We are not using TLS yet. I will check the tracker.

Thanks,
Diwa

--
All the flavours are here
http://www.teoteblung.co.cc

From neuronring at gmail.com Wed Mar 18 06:18:07 2009
From: neuronring at gmail.com (neuron ring) Date: Wed, 18 Mar 2009 11:48:07 +0530 Subject: [Fedora-directory-users] Problem with mmldif tool Message-ID: <30abda540903172318o8c7194bx87b3883500791550@mail.gmail.com>

Hi all,

I need a clarification regarding the mmldif tool in Red Hat-Directory/8.0.0 B2007.353.1140

1. I need to merge two input files using the mmldif tool.

2. I'm exporting to a ldif file using the db2ldif tool:

    /opt/dirsrv/slapd- /db2ldif -n
    /opt/dirsrv/slapd- /db2ldif -n

3. I got two ldif files by exporting two directory server instance databases.

One.ldif

    dn: sn=Jensen,dc=siroe,dc=com
    objectclass: top
    objectclass: person
    cn: Babs Jensen
    sn: Jensen
    telephoneNumber: 555-5550
    createTimestamp: 100

    dn: sn=Minsky,dc=siroe,dc=com
    objectclass: top
    objectclass: person
    cn: Pete Minsky
    sn: Minsky
    telephoneNumber: 555-5551
    createTimestamp: 100

    dn: sn=Rose,dc=siroe,dc=com
    objectclass: top
    objectclass: person
    cn: Paula Rose
    sn: Rose
    telephoneNumber: 555-5552
    createTimestamp: 100

Two.ldif

    dn: sn=Jensen,dc=siroe,dc=com
    objectclass: top
    objectclass: person
    cn: Babs Jensen
    sn: Jensen
    telephoneNumber: 555-5550
    createTimestamp: 100

    dn: sn=Minsky,dc=siroe,dc=com
    objectclass: top
    objectclass: person
    cn: Pete Minsky
    sn: Minsky
    telephoneNumber: 555-5559
    modifyTimestamp: 200

    dn: sn=Morris,dc=siroe,dc=com
    objectclass: top
    objectclass: person
    cn: Ted Morris
    sn: Morris
    telephoneNumber: 555-5558
    createTimestamp: 200

    dn: sn=Rose,dc=siroe,dc=com
    objectclass: nsTombstone
    deleteTimestamp: 200

4. Now I'm trying to use the mmldif tool.

5.  /opt/dirsrv/bin/mmldif -c -D -o /home/neuronring/output.ldif /home/neuronring/one.ldif /home/neuronring/two.ldif

6. Finally everything IN VAIN, I got the following error:

    [18/Mar/2009:11:35:04 +051800] - finger printing directory 0
    [18/Mar/2009:11:35:04 +051800] - db0: dn: sn=Jensen,dc=siroe,dc=com
    /opt/dirsrv/bin/mmldif[50]: 18247 Memory fault(coredump)

The following files are created in my path.

1. one.ldif.delta
2. two.ldif.delta
   These two files have no data (0 bytes size).
3. core - size 1882552 bytes

I even tried exporting the database with the -r option (for replica) after stopping the instance. I'm getting this error continuously with different error numbers like

    /opt/dirsrv/bin/mmldif[50]: 10854 Memory fault(coredump).

Somebody please suggest how to resolve this issue.

Thanks in advance,
Neuron Ring.

-------------- next part -------------- An HTML attachment was scrubbed... URL:

From per at norhex.com Wed Mar 18 10:22:37 2009
From: per at norhex.com (Per Qvindesland) Date: Wed, 18 Mar 2009 11:22:37 +0100 Subject: [Fedora-directory-users] Import Unix users Message-ID:

Hi list.

Does anyone know about a simple script to import users from /etc/passwd to directory server? I found some on the Fedora Directory server but I am just wondering if there might be some other ideas, since I have to import from several servers into different ou's.

Regards
Per Qvindesland

From emmanuel.billot at ird.fr Wed Mar 18 11:01:43 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT) Date: Wed, 18 Mar 2009 12:01:43 +0100 Subject: [Fedora-directory-users] Windows Sync problem Message-ID: <49C0D497.4050506@ird.fr>

Hi,

A Win Sync between FDS and Active Directory failed on our servers due to a FDS reboot. The error log says:

    (delta:636) - Can't locate CSN 48f3e8cc000100020000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.

Does it mean that a consumer reinitialization must be done? In this case, does it erase any data in AD? What happens with AD-only attributes? Is there any method to resync without deleting AD data?

BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From lejeczek at jatymy.org Wed Mar 18 15:16:07 2009
From: lejeczek at jatymy.org (lejeczek) Date: Wed, 18 Mar 2009 15:16:07 +0000 Subject: [Fedora-directory-users] quickie on basics - another instance of directory server Message-ID: <49C11037.9070702@jatymy.org>

dear all,

I'm (an entrant) not sure I got the hang of setup-ds-admin.pl

my understanding is: every box/machine hosting an idm_console-manageable Directory Server instance needs an Administration Server installed on this/the same box, and this Administration Server can manage many Directory Server instances installed on this same box, right?

if I'm right about the above, what am I doing wrong while setup-ds-admin.pl is having a second run to set up SERV_2, for which, from the first setup-ds-admin, SERV_1 would be the Configuration Directory Server? simple set-up, right, I let the installation know about ldap:// to SERV_1, etc.. then it asks for the Administration Server port - standard 9830, right

next I run idm console and there is only the newly created SERV_2, and SERV_1 - gone?

p.s. it's f10, do you have problems creating new instances directly from idm console too?

a little light someone can shed on it for me?

cheers
lejeczek

From aaron.mills at returnpath.net Wed Mar 18 20:02:42 2009
From: aaron.mills at returnpath.net (Aaron Mills) Date: Wed, 18 Mar 2009 14:02:42 -0600 Subject: [Fedora-directory-users] RE: Solaris 10 central auth through FDS In-Reply-To: Message-ID:

Thanks for the help - I'm following this doc a little more closely, but I'm stuck at the part where it says to add the nisDomain attribute type to the root node:
http://directory.fedoraproject.org/wiki/Howto:SolarisClient#Solaris_10_LDAP_Client

When I attempt to add the following:

    dn: dc=foobar,dc=com
    changetype: modify
    add: nisdomain
    nisdomain: foobar.com

I get the error: "additional info: attribute "nisDomain" not allowed"

I've double checked the object type of my domain and it's set to domain and top. Is there another value I need to modify?

The solaris client keeps failing with this:
NOTFOUND:Could not find the nisDomainObject for DN dc=foobar, dc=com

-Aaron

On 3/16/09 4:17 PM, "Luke Bigum" wrote:

> Aaron, that's the documentation I followed, it should be correct. Make sure you take a note of the first point and modify the script. Here's my copy of the chk_ids_version function:
>
>     chk_ids_version()
>     {
>         [ $DEBUG -eq 1 ] && ${ECHO} "In chk_ids_version()"
>
>         # check iDS version number.
>         eval "${LDAPSEARCH} ${SERVER_ARGS} -b cn=monitor -s base \"objectclass=*\" version | ${GREP} \"^version=\" | cut -f2 -d'/' | cut -f1 -d' ' > ${TMPDIR}/checkDSver 2>&1"
>         if [ $? -ne 0 ]; then
>             ${ECHO} "ERROR: Can not determine the version number of iDS!"
>             exit 1
>         fi
>         IDS_VER=`cat ${TMPDIR}/checkDSver`
>         IDS_MAJVER=`${ECHO} ${IDS_VER} | cut -f1 -d.`
>         IDS_MINVER=`${ECHO} ${IDS_VER} | cut -f2 -d.`
>         if [ "${IDS_MAJVER}" != "5" ] && [ "${IDS_MAJVER}" != "6" ] && [ "${IDS_MAJVER}" != "1" ]; then
>             ${ECHO} "ERROR: $PROG only works with JES DS version 5.x and 6.x and FDS 1.1.3, not ${IDS_VER}."
>             exit 1
>         fi
>         if [ $DEBUG -eq 1 ]; then
>             ${ECHO} "  IDS_MAJVER = $IDS_MAJVER"
>             ${ECHO} "  IDS_MINVER = $IDS_MINVER"
>         fi
>     }
>
> If that doesn't fix your problem, can you find out where in the script it's dying?
>
>
> Luke Bigum
> Systems Administrator
> (p) 1300 661 668
> (f) 1300 661 540
> (e) lbigum at iseek.com.au
> http://www.iseek.com.au
> Level 1, 100 Ipswich Road Woolloongabba QLD 4102
>
> This e-mail and any files transmitted with it may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorised to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message.
>
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Aaron Mills
> Sent: Tuesday, 17 March 2009 3:26 AM
> To: discussion list for the Fedora Directory server project.
> Subject: [Fedora-directory-users] Solaris 10 central auth through FDS
>
> Hi All,
>
> I'm trying to hook a bunch of Solaris 10 boxes into my FDS install for central user authentication. I've already got a dozen or so linux boxes authenticating off FDS 1.1.3.
>
> I was reading the documentation here:
> http://directory.fedoraproject.org/wiki/Howto:SolarisClient#Solaris_10_LDAP_Client
>
> Which seems to be slightly outdated (idsconfig fails consistently). Is there a newer doc out there somewhere and/or has anyone had success with the Wiki's instructions? Any advice would be much appreciated.
>
> Thanks,
>
> -Aaron

--
Aaron Mills
Systems Administrator
Return Path
http://www.returnpath.net

-------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.jpg Type: image/jpeg Size: 3245 bytes Desc: not available URL:

From lbigum at iseek.com.au Wed Mar 18 22:40:53 2009
From: lbigum at iseek.com.au (Luke Bigum) Date: Thu, 19 Mar 2009 08:40:53 +1000 Subject: [Fedora-directory-users] RE: Solaris 10 central auth through FDS In-Reply-To: References: Message-ID:

'nisDomain' is an attribute of the objectClass 'nisDomainObject', so first you'll want to (something like):

    dn: dc=foobar,dc=com
    changetype: modify
    add: objectClass
    objectClass: nisDomainObject

Luke Bigum
Systems Administrator
(p) 1300 661 668
(f) 1300 661 540
(e) lbigum at iseek.com.au
http://www.iseek.com.au
Level 1, 100 Ipswich Road Woolloongabba QLD 4102

This e-mail and any files transmitted with it may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorised to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message.
From emmanuel.billot at ird.fr Thu Mar 19 09:20:33 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT) Date: Thu, 19 Mar 2009 10:20:33 +0100 Subject: [Fedora-directory-users] Nothing happens on Win Sync ? Message-ID: <49C20E61.4070208@ird.fr>

Hi,

I configured Win Sync with a 2003 server; ldaps:636 works on each side. I've got many entries in FDS, I launch "Initialize Full Re-synchronization". A pop up indicates the process is running. But nothing happens, logs are

    [19/Mar/2009:10:09:48 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): State: backoff -> backoff
    [19/Mar/2009:10:09:48 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): State: backoff -> backoff
    [19/Mar/2009:10:09:48 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): No linger to cancel on the connection
    [19/Mar/2009:10:09:48 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Disconnected from the consumer
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): windows_inc_stop: protocol stopped after 1 seconds
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, supplier RUV:
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - supplier: {replicageneration} 4975e2f8000000010000
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldapnew.intranet.orleans.ird.fr:389} 4975e382000000010000 49c20a2b000000010000 49c20a2b
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, consumer RUV:
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, consumer RUV = null
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, supplier RUV is newer
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Trying secure slapi_ldap_init
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): binddn = cn=zizou zizou,cn=Users,dc=ird,dc=fr, passwd = {DES}hEWPI2lOsxbq1sXNqsB92Q==
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Disconnected from the consumer
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Beginning linger on the connection
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): No linger on the closed conn
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): No linger to cancel on the connection
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Disconnected from the consumer
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): State: start -> ready_to_acquire_replica
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, supplier RUV:
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - supplier: {replicageneration} 4975e2f8000000010000
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - supplier: {replica 1 ldap://ldapnew.intranet.orleans.ird.fr:389} 4975e382000000010000 49c20a2b000000010000 49c20a2b
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, consumer RUV:
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, consumer RUV = null
    [19/Mar/2009:10:09:49 +0100] - acquire_replica, supplier RUV is newer
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Trying secure slapi_ldap_init
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): binddn = cn=zizou zizou,cn=Users,dc=ird,dc=fr, passwd = {DES}hEWPI2lOsxbq1sXNqsB92Q==
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Disconnected from the consumer
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): Beginning linger on the connection
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): No linger on the closed conn
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - windows_acquire_replica returned transient_error (105)
    [19/Mar/2009:10:09:49 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): State: ready_to_acquire_replica -> start_backoff
    [19/Mar/2009:10:09:52 +0100] NSMMReplicationPlugin - agmt="cn=win" (10:636): State: start_backoff -> backoff

What's wrong?
BR, -- ========================================== Emmanuel BILLOT IRD - Orl?ans D?l?gation aux Syst?mes d'Information (DSI) t?l : 02 38 49 95 88 ========================================== From diwakoe at gmail.com Thu Mar 19 09:32:31 2009 From: diwakoe at gmail.com (Diwakoe) Date: Thu, 19 Mar 2009 16:32:31 +0700 Subject: [Fedora-directory-users] Ubuntu 8.04 authentication In-Reply-To: <200903131610.56478.ryan.braun@ec.gc.ca> References: <200903131610.56478.ryan.braun@ec.gc.ca> Message-ID: On Fri, Mar 13, 2009 at 11:10 PM, Ryan Braun [ADS] wrote: > I find that starting small and working forward is the best way to go. > > First off, ?disable all encryption (for now). in pam_ldap.conf and libnss- > ldap.conf. ?I've found that running wireshark while learning/setting up the > clients helps a ton. ?You can see the ldap calls over tcpip and can also see > all the username and passwords. ?Which should inspire you to turn encryption > back on when done :) > > Next configure nss lookups. ?Make sure libnss-ldap is installed, ?And again > minimally, ?setup libnss-ldap.conf. ?Add ldap to your nsswitch.conf file and > try a getent (passwd|group). ?If nothing happens, ?check your sniffer and fds > logs to see if it was able to try and connect to your ldap server. > > Then move onto your pam config. ?Same as above, ?start minimally then add > configs/features later. ?But remember, ?FDS will not accept passwd changes from > the command line unless over TLs/SSL. ?But it will authenticate just fine. > > But like I said initially, ?for myself, ?watching wireshark helped a ton. > > Ryan > Hi Ryan, Now I can list all user from server using "getent passwd" but still can not get user /home detail using "getent passwd ". I already tried login using fds username and user not authenticated. Any help is appreciated. Thanks, Diwa -- Semua rasa ada disini http://www.teoteblung.co.cc From lejeczek at jatymy.org Thu Mar 19 12:46:04 2009 
From: lejeczek at jatymy.org (lejeczek)
Date: Thu, 19 Mar 2009 12:46:04 +0000
Subject: [Fedora-directory-users] idm console connect to admin serv but in...
Message-ID: <49C23E8C.8020609@jatymy.org>

.. in the console itself the admin server appears to be using a different port than the one the console connects to?? And it shows up as 'stopped'. I checked it in local.conf and admin.conf and.. but if it was like it seems, the console should not be able to connect in the first place, right? So where to look, what to search for?

cheers

From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 19 Mar 2009 14:24:21 +0100
Subject: [Fedora-directory-users] Nothing happens on Win Sync ?
In-Reply-To: <28975_1237454507_49C20EAB_28975_10_1_49C20E61.4070208@ird.fr>
References: <28975_1237454507_49C20EAB_28975_10_1_49C20E61.4070208@ird.fr>
Message-ID: <49C24785.30306@ird.fr>

Many tests give the following result:

[root at ldapnew slapd-ldapnew]# /usr/lib/mozldap/ldapsearch -h porlsvrdc0003.ird.fr -p 636 -D "cn=toutou,cn=Users,dc=ird,dc=fr" -w - -Z -P /etc/dirsrv/slapd-ldapnew/cert8.db -s base -b "" "objectclass=*"
Enter bind password:
ldap_simple_bind: Can't contact LDAP server
SSL error -8183 (security library: improperly formatted DER-encoded message.)

However, the cert seems to be OK:
- ldaps:636 works with the ldap.exe client (Windows)
- ldaps:636 works with the "classic" ldapsearch client: ldapsearch -x -H ldaps://porlsvrdc0003.ird.fr -D "cn=toutou,cn=Users,dc=ird,dc=fr" -W -b "dc=ird,dc=fr"

How can I debug it?

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 19 Mar 2009 14:41:59 +0100
Subject: [Fedora-directory-users] Nothing happens on Win Sync ?
In-Reply-To: <30319_1237469089_49C247A1_30319_1729_1_49C24785.30306@ird.fr>
References: <28975_1237454507_49C20EAB_28975_10_1_49C20E61.4070208@ird.fr> <30319_1237469089_49C247A1_30319_1729_1_49C24785.30306@ird.fr>
Message-ID: <49C24BA7.4020602@ird.fr>

Emmanuel BILLOT wrote:
> Many tests give the following result:
>
> [root at ldapnew slapd-ldapnew]# /usr/lib/mozldap/ldapsearch -h porlsvrdc0003.ird.fr -p 636 -D "cn=toutou,cn=Users,dc=ird,dc=fr" -w - -Z -P /etc/dirsrv/slapd-ldapnew/cert8.db -s base -b "" "objectclass=*"
> Enter bind password:
> ldap_simple_bind: Can't contact LDAP server
> SSL error -8183 (security library: improperly formatted DER-encoded message.)
>
> However, the cert seems to be OK:
> - ldaps:636 works with the ldap.exe client (Windows)
> - ldaps:636 works with the "classic" ldapsearch client: ldapsearch -x -H ldaps://porlsvrdc0003.ird.fr -D "cn=toutou,cn=Users,dc=ird,dc=fr" -W -b "dc=ird,dc=fr"
>
> How can I debug it?
>
> BR,
>
OK, I found what was wrong: the request.inf from which the cert request is generated contained an unknown item value:

[Extensions]
2.5.29.17=xxxxxxxx

The inf file without the extensions section generates a good req file and then a valid cert.

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

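The SSL error -8183 above is NSS refusing a DER structure it cannot decode, and the thread traced it to a badly generated 2.5.29.17 (subjectAltName) extension in the certificate request. The following is an added example, not code from the thread or from the Directory Server project: a small DER structure checker that walks the TLV nesting of a blob and, for an X.509 extension, also walks the DER inside its extnValue OCTET STRING, which is where a malformed SAN hides from an outer-level check. The sample extensions are constructed for this example; nothing here is taken from the ird.fr certificate.

```python
# Added example, not code from the thread or the Directory Server project:
# a DER structure checker for the failure class behind NSS "SSL error -8183
# (improperly formatted DER-encoded message)". Besides walking the TLV
# nesting it descends into an X.509 extension's extnValue OCTET STRING,
# where a badly generated 2.5.29.17 (subjectAltName) value hides from an
# outer-level check. All sample bytes below are constructed.

def decode_oid(raw):
    """OID content octets to dotted form (55 1d 11 -> 2.5.29.17); first arc 0..2."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def _read_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of value)."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet at offset %d" % pos)
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    if first == 0x80:                     # indefinite form is BER, never DER
        raise ValueError("indefinite length at offset %d is not DER" % pos)
    n = first & 0x7F
    if pos + 1 + n > len(buf):
        raise ValueError("truncated: long-form length at offset %d" % pos)
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    if length < 0x80 or buf[pos + 1] == 0:   # DER demands the minimal encoding
        raise ValueError("non-minimal length at offset %d" % pos)
    return length, pos + 1 + n

def walk_der(buf, start=0, end=None, depth=0, out=None):
    """Return [(depth, tag, value_offset, value_length), ...] for every TLV in
    buf[start:end]; raise ValueError at the first element that does not fit."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    pos = start
    while pos < end:
        tag = buf[pos]
        if (tag & 0x1F) == 0x1F:
            raise ValueError("multi-byte tag at offset %d not supported" % pos)
        length, vpos = _read_length(buf, pos + 1)
        if vpos + length > end:
            raise ValueError("element at offset %d (tag 0x%02x) runs past its "
                             "container (%d > %d)" % (pos, tag, vpos + length, end))
        out.append((depth, tag, vpos, length))
        if tag & 0x20:                    # constructed: descend into the value
            walk_der(buf, vpos, vpos + length, depth + 1, out)
        pos = vpos + length
    return out

def check_der(buf):
    """(ok, message) for a blob that should be exactly one DER element."""
    try:
        elems = walk_der(buf)
    except ValueError as exc:
        return False, str(exc)
    top = [e for e in elems if e[0] == 0]
    if len(top) != 1:
        return False, "expected one top-level element, found %d" % len(top)
    return True, "well-formed: %d elements, outer tag 0x%02x" % (len(elems), top[0][1])

def check_extension(ext):
    """Validate SEQUENCE { OID, [BOOLEAN critical], OCTET STRING extnValue }
    and then the DER carried inside extnValue."""
    try:
        elems = walk_der(ext)
    except ValueError as exc:
        return False, str(exc)
    members = [e for e in elems if e[0] == 1]
    if not elems or elems[0][1] != 0x30 or len(members) not in (2, 3) \
            or members[0][1] != 0x06 or members[-1][1] != 0x04:
        return False, "not an Extension: SEQUENCE { OID, [BOOLEAN], OCTET STRING }"
    oid = decode_oid(ext[members[0][2]:members[0][2] + members[0][3]])
    _, _, vpos, vlen = members[-1]
    try:
        inner = walk_der(ext, vpos, vpos + vlen)
    except ValueError as exc:
        return False, "extnValue of %s is not valid DER: %s" % (oid, exc)
    return True, "extension %s OK, extnValue holds %d DER elements" % (oid, len(inner))

def tlv(tag, value):
    """Encode one TLV with a minimal definite length (values below 64 KiB)."""
    n = len(value)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 \
        else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + value

# Constructed samples: a correct subjectAltName extension, and one whose
# GeneralNames SEQUENCE claims 32 bytes of content while only 18 follow.
SAN_OID = tlv(0x06, b"\x55\x1d\x11")                        # 2.5.29.17
GOOD_EXT = tlv(0x30, SAN_OID + tlv(0x04, tlv(0x30, tlv(0x82, b"ldap.example.com"))))
BAD_EXT = tlv(0x30, SAN_OID + tlv(0x04, b"\x30\x20" + tlv(0x82, b"ldap.example.com")))

if __name__ == "__main__":
    for name, blob in (("good", GOOD_EXT), ("bad", BAD_EXT)):
        print(name, check_der(blob), check_extension(blob))
```

check_der accepts BAD_EXT because its outer lengths are consistent; only check_extension, which descends into the OCTET STRING, reports that the GeneralNames SEQUENCE runs past its container. That inner level is where a TLS stack fails when it decodes the SAN, so running a check like this over each extension of a freshly generated request, before it goes to the CA, catches this class of problem early.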
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 19 Mar 2009 14:50:04 +0100
Subject: [Fedora-directory-users] Sync diff subtrees ?
Message-ID: <49C24D8C.50200@ird.fr>

Hi,

Yet another problem (sorry :-( )

I try to sync two different subtrees

ou=People,dc=orleans,dc=ird,dc=fr and
cn=utilisateurs,cn=orleans,dc=ird,dc=fr

Since the replication assistant asked for each sub tree, I thought it was easy to map them together.

Logs say:
[19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - received entry from dirsync: CN=toutou,CN=Users,DC=ird,DC=fr
[19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): windows_process_total_entry: Looking dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" (ours)
[19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" guid="(null)"
[19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" username="zizou"
[19/Mar/2009:14:53:33 +0100] - Calling windows entry search request plugin
[19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: entry not found - rc -1

Any idea?

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From: msauton at redhat.com (Marc Sauton)
Date: Thu, 19 Mar 2009 10:31:56 -0700
Subject: [Fedora-directory-users] Sync diff subtrees ?
In-Reply-To: <49C24D8C.50200@ird.fr>
References: <49C24D8C.50200@ird.fr>
Message-ID: <49C2818C.2040308@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> Yet another problem (sorry :-( )
>
> I try to sync two different subtrees
Sync is between suffixes:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync

with the note:
"
Any descendant container entries need to be created separately in Active Directory by an administrator; Windows Sync does not create container entries.
"
>
> ou=People,dc=orleans,dc=ird,dc=fr and
> cn=utilisateurs,cn=orleans,dc=ird,dc=fr
>
> Since the replication assistant asked for each sub tree, I thought it was easy to map them together.
>
> Logs say:
> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - received entry from dirsync: CN=toutou,CN=Users,DC=ird,DC=fr
> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): windows_process_total_entry: Looking dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" (ours)
> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" guid="(null)"
> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" username="zizou"
> [19/Mar/2009:14:53:33 +0100] - Calling windows entry search request plugin
> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: entry not found - rc -1
>
> Any idea?
>
> BR,
>

From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 19 Mar 2009 18:56:26 +0100
Subject: [Fedora-directory-users] Sync diff subtrees ?
In-Reply-To: <49C2818C.2040308@redhat.com>
References: <49C24D8C.50200@ird.fr> <49C2818C.2040308@redhat.com>
Message-ID: <49C2874A.7090508@ird.fr>

Marc Sauton wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> Yet another problem (sorry :-( )
>>
>> I try to sync two different subtrees
> Sync is between suffixes:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync
>
> with the note:
> "
> Any descendant container entries need to be created separately in Active Directory by an administrator; Windows Sync does not create container entries.
> "
OK, however the DIT is already set up on each directory.
Users are directly under
ou=People,dc=orleans,dc=ird,dc=fr for FDS
and
cn=utilisateurs,cn=orleans,dc=ird,dc=fr for AD (empty, I want to fill it with FDS users)

There is no container or subtree to create.
That's why I defined those two suffixes in the sync agreement.

In the logs, it seems that the replication gets an FDS user from the subtree I defined in the agreement, for example uid=vinet45,ou=people,dc=orleans,dc=ird,dc=fr, and then searches for the same entry in AD.
It fails (the AD subtree is empty and is different from the FDS one), and everything stops.

What's wrong?

BR,

>>
>> ou=People,dc=orleans,dc=ird,dc=fr and
>> cn=utilisateurs,cn=orleans,dc=ird,dc=fr
>>
>> Since the replication assistant asked for each sub tree, I thought it was easy to map them together.
>>
>> Logs say:
>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - received entry from dirsync: CN=toutou,CN=Users,DC=ird,DC=fr
>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): windows_process_total_entry: Looking dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" (ours)
>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" guid="(null)"
>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" username="zizou"
>> [19/Mar/2009:14:53:33 +0100] - Calling windows entry search request plugin
>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: entry not found - rc -1
>>
>> Any idea?
>>
>> BR,
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 19 Mar 2009 11:29:49 -0700
Subject: [Fedora-directory-users] Problem with mmldif tool
In-Reply-To: <30abda540903172318o8c7194bx87b3883500791550@mail.gmail.com>
References: <30abda540903172318o8c7194bx87b3883500791550@mail.gmail.com>
Message-ID: <49C28F1D.5070100@redhat.com>

I could reproduce the problem. Could you please file a bug at https://bugzilla.redhat.com/enter_bug.cgi?

Thanks,
--noriko

neuron ring wrote:
> Hi all,
>
> I need a clarification regarding the mmldif tool in Red Hat-Directory/8.0.0 B2007.353.1140
>
> 1. I need to merge two input files using the mmldif tool
> 2. I'm exporting to an ldif file using the db2ldif tool
>
> /opt/dirsrv/slapd- /db2ldif -n
> /opt/dirsrv/slapd- /db2ldif -n
>
> 3. I got two ldif files by exporting two directory server instance databases.
>
> One.ldif
> dn: sn=Jensen,dc=siroe,dc=com
> objectclass: top
> objectclass: person
> cn: Babs Jensen
> sn: Jensen
> telephoneNumber: 555-5550
> createTimestamp: 100
>
> dn: sn=Minsky,dc=siroe,dc=com
> objectclass: top
> objectclass: person
> cn: Pete Minsky
> sn: Minsky
> telephoneNumber: 555-5551
> createTimestamp: 100
>
> dn: sn=Rose,dc=siroe,dc=com
> objectclass: top
> objectclass: person
> cn: Paula Rose
> sn: Rose
> telephoneNumber: 555-5552
> createTimestamp: 100
>
> Two.ldif
>
> dn: sn=Jensen,dc=siroe,dc=com
> objectclass: top
> objectclass: person
> cn: Babs Jensen
> sn: Jensen
> telephoneNumber: 555-5550
> createTimestamp: 100
>
> dn: sn=Minsky,dc=siroe,dc=com
> objectclass: top
> objectclass: person
> cn: Pete Minsky
> sn: Minsky
> telephoneNumber: 555-5559
> modifyTimestamp: 200
>
> dn: sn=Morris,dc=siroe,dc=com
> objectclass: top
> objectclass: person
> cn: Ted Morris
> sn: Morris
> telephoneNumber: 555-5558
> createTimestamp: 200
>
> dn: sn=Rose,dc=siroe,dc=com
> objectclass: nsTombstone
> deleteTimestamp: 200
>
> 4. Now I'm trying to use the mmldif tool.
> 5. /opt/dirsrv/bin/mmldif -c -D -o /home/neuronring/output.ldif /home/neuronring/one.ldif /home/neuronring/two.ldif
> 6. Finally everything IN VAIN, I got the following error:
>
> [18/Mar/2009:11:35:04 +051800] - finger printing directory 0
> [18/Mar/2009:11:35:04 +051800] - db0: dn: sn=Jensen,dc=siroe,dc=com
> /opt/dirsrv/bin/mmldif[50]: 18247 Memory fault(coredump)
>
> The following files are created in my path.
> 1. one.ldif.delta
> 2. two.ldif.delta
> These two files have no data (0 bytes).
> 3. core - size 1882552 bytes
>
> I even tried exporting the database with the -r option (for replica) after stopping the instance. I'm getting this error continuously with different error numbers like, /opt/dirsrv/bin/mmldif[50]: 10854 Memory fault(coredump).
>
> Could somebody please suggest how to resolve this issue?
>
> Thanks in advance,
> Neuron Ring.
>

From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 19 Mar 2009 13:58:01 -0700
Subject: [Fedora-directory-users] Problem with mmldif tool
In-Reply-To: <49C28F1D.5070100@redhat.com>
References: <30abda540903172318o8c7194bx87b3883500791550@mail.gmail.com> <49C28F1D.5070100@redhat.com>
Message-ID: <49C2B1D9.9020504@redhat.com>

Noriko Hosoi wrote:
> I could reproduce the problem. Could you please file a bug at
> https://bugzilla.redhat.com/enter_bug.cgi?
Please never mind. I've opened this bug:
491215 - mmldif crashes in PK11_CreateDigestContext
> Thanks,
> --noriko
>
> neuron ring wrote:
>> Hi all,
>>
>> I need a clarification regarding the mmldif tool in Red Hat-Directory/8.0.0 B2007.353.1140
>>
>> 1. I need to merge two input files using the mmldif tool
>> 2. I'm exporting to an ldif file using the db2ldif tool
>>
>> /opt/dirsrv/slapd- /db2ldif -n
>> /opt/dirsrv/slapd- /db2ldif -n
>>
>> 3. I got two ldif files by exporting two directory server instance databases.
>>
>> One.ldif
>> dn: sn=Jensen,dc=siroe,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Babs Jensen
>> sn: Jensen
>> telephoneNumber: 555-5550
>> createTimestamp: 100
>>
>> dn: sn=Minsky,dc=siroe,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Pete Minsky
>> sn: Minsky
>> telephoneNumber: 555-5551
>> createTimestamp: 100
>>
>> dn: sn=Rose,dc=siroe,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Paula Rose
>> sn: Rose
>> telephoneNumber: 555-5552
>> createTimestamp: 100
>>
>> Two.ldif
>>
>> dn: sn=Jensen,dc=siroe,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Babs Jensen
>> sn: Jensen
>> telephoneNumber: 555-5550
>> createTimestamp: 100
>>
>> dn: sn=Minsky,dc=siroe,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Pete Minsky
>> sn: Minsky
>> telephoneNumber: 555-5559
>> modifyTimestamp: 200
>>
>> dn: sn=Morris,dc=siroe,dc=com
>> objectclass: top
>> objectclass: person
>> cn: Ted Morris
>> sn: Morris
>> telephoneNumber: 555-5558
>> createTimestamp: 200
>>
>> dn: sn=Rose,dc=siroe,dc=com
>> objectclass: nsTombstone
>> deleteTimestamp: 200
>>
>> 4. Now I'm trying to use the mmldif tool.
>> 5. /opt/dirsrv/bin/mmldif -c -D -o /home/neuronring/output.ldif /home/neuronring/one.ldif /home/neuronring/two.ldif
>> 6. Finally everything IN VAIN, I got the following error:
>> [18/Mar/2009:11:35:04 +051800] - finger printing directory 0
>> [18/Mar/2009:11:35:04 +051800] - db0: dn: sn=Jensen,dc=siroe,dc=com
>> /opt/dirsrv/bin/mmldif[50]: 18247 Memory fault(coredump)
>>
>> The following files are created in my path.
>> 1. one.ldif.delta
>> 2. two.ldif.delta
>> These two files have no data (0 bytes).
>> 3. core - size 1882552 bytes
>>
>> I even tried exporting the database with the -r option (for replica) after stopping the instance. I'm getting this error continuously with different error numbers like, /opt/dirsrv/bin/mmldif[50]: 10854 Memory fault(coredump).
>> Could somebody please suggest how to resolve this issue?
>>
>> Thanks in advance,
>> Neuron Ring.
>>

From: neuronring at gmail.com (neuron ring)
Date: Fri, 20 Mar 2009 09:18:35 +0530
Subject: [Fedora-directory-users] Problem with mmldif tool
In-Reply-To: <49C2B1D9.9020504@redhat.com>
References: <30abda540903172318o8c7194bx87b3883500791550@mail.gmail.com> <49C28F1D.5070100@redhat.com> <49C2B1D9.9020504@redhat.com>
Message-ID: <30abda540903192048m4bf7a188vd516357a1b77cffd@mail.gmail.com>

Hi Noriko Hosoi,

Thanks for filing the bug https://bugzilla.redhat.com/show_bug.cgi?id=491215 on my behalf.

Regards,
Neuron Ring.

2009/3/20 Noriko Hosoi
> Noriko Hosoi wrote:
>> I could reproduce the problem. Could you please file a bug at
>> https://bugzilla.redhat.com/enter_bug.cgi?
> Please never mind. I've opened this bug:
> 491215 - mmldif crashes in PK11_CreateDigestContext
>> Thanks,
>> --noriko
>>
>> neuron ring wrote:
>>> Hi all,
>>>
>>> I need a clarification regarding the mmldif tool in Red Hat-Directory/8.0.0 B2007.353.1140
>>>
>>> 1. I need to merge two input files using the mmldif tool
>>> 2. I'm exporting to an ldif file using the db2ldif tool
>>>
>>> /opt/dirsrv/slapd- /db2ldif -n
>>> /opt/dirsrv/slapd- /db2ldif -n
>>>
>>> 3. I got two ldif files by exporting two directory server instance databases.
>>>
>>> One.ldif
>>> dn: sn=Jensen,dc=siroe,dc=com
>>> objectclass: top
>>> objectclass: person
>>> cn: Babs Jensen
>>> sn: Jensen
>>> telephoneNumber: 555-5550
>>> createTimestamp: 100
>>>
>>> dn: sn=Minsky,dc=siroe,dc=com
>>> objectclass: top
>>> objectclass: person
>>> cn: Pete Minsky
>>> sn: Minsky
>>> telephoneNumber: 555-5551
>>> createTimestamp: 100
>>>
>>> dn: sn=Rose,dc=siroe,dc=com
>>> objectclass: top
>>> objectclass: person
>>> cn: Paula Rose
>>> sn: Rose
>>> telephoneNumber: 555-5552
>>> createTimestamp: 100
>>>
>>> Two.ldif
>>>
>>> dn: sn=Jensen,dc=siroe,dc=com
>>> objectclass: top
>>> objectclass: person
>>> cn: Babs Jensen
>>> sn: Jensen
>>> telephoneNumber: 555-5550
>>> createTimestamp: 100
>>>
>>> dn: sn=Minsky,dc=siroe,dc=com
>>> objectclass: top
>>> objectclass: person
>>> cn: Pete Minsky
>>> sn: Minsky
>>> telephoneNumber: 555-5559
>>> modifyTimestamp: 200
>>>
>>> dn: sn=Morris,dc=siroe,dc=com
>>> objectclass: top
>>> objectclass: person
>>> cn: Ted Morris
>>> sn: Morris
>>> telephoneNumber: 555-5558
>>> createTimestamp: 200
>>>
>>> dn: sn=Rose,dc=siroe,dc=com
>>> objectclass: nsTombstone
>>> deleteTimestamp: 200
>>>
>>> 4. Now I'm trying to use the mmldif tool.
>>> 5. /opt/dirsrv/bin/mmldif -c -D -o /home/neuronring/output.ldif /home/neuronring/one.ldif /home/neuronring/two.ldif
>>> 6. Finally everything IN VAIN, I got the following error:
>>> [18/Mar/2009:11:35:04 +051800] - finger printing directory 0
>>> [18/Mar/2009:11:35:04 +051800] - db0: dn: sn=Jensen,dc=siroe,dc=com
>>> /opt/dirsrv/bin/mmldif[50]: 18247 Memory fault(coredump)
>>>
>>> The following files are created in my path.
>>> 1. one.ldif.delta
>>> 2. two.ldif.delta
>>> These two files have no data (0 bytes).
>>> 3. core - size 1882552 bytes
>>>
>>> I even tried exporting the database with the -r option (for replica) after stopping the instance. I'm getting this error continuously with different error numbers like, /opt/dirsrv/bin/mmldif[50]: 10854 Memory fault(coredump).
>>> Could somebody please suggest how to resolve this issue?
>>>
>>> Thanks in advance,
>>> Neuron Ring.
>>>
>>
>

From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Fri, 20 Mar 2009 10:36:37 +0100
Subject: [Fedora-directory-users] Sync diff subtrees ?
In-Reply-To: <8140_1237485416_49C28768_8140_590_1_49C2874A.7090508@ird.fr>
References: <49C24D8C.50200@ird.fr> <49C2818C.2040308@redhat.com> <8140_1237485416_49C28768_8140_590_1_49C2874A.7090508@ird.fr>
Message-ID: <49C363A5.4090106@ird.fr>

Emmanuel BILLOT wrote:
> Marc Sauton wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> Yet another problem (sorry :-( )
>>>
>>> I try to sync two different subtrees
>> Sync is between suffixes:
>> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html#Windows_Sync-About_Windows_Sync
>>
>> with the note:
>> "
>> Any descendant container entries need to be created separately in Active Directory by an administrator; Windows Sync does not create container entries.
>> "
> OK, however the DIT is already set up on each directory.
> Users are directly under
> ou=People,dc=orleans,dc=ird,dc=fr for FDS
> and
> cn=utilisateurs,cn=orleans,dc=ird,dc=fr for AD (empty, I want to fill it with FDS users)
>
> There is no container or subtree to create.
> That's why I defined those two suffixes in the sync agreement.
>
> In the logs, it seems that the replication gets an FDS user from the subtree I defined in the agreement, for example uid=vinet45,ou=people,dc=orleans,dc=ird,dc=fr, and then searches for the same entry in AD.
> It fails (the AD subtree is empty and is different from the FDS one), and everything stops.
>
> What's wrong?
>
> BR,
>
>>>
>>> ou=People,dc=orleans,dc=ird,dc=fr and
>>> cn=utilisateurs,cn=orleans,dc=ird,dc=fr
>>>
>>> Since the replication assistant asked for each sub tree, I thought it was easy to map them together.
>>>
>>> Logs say:
>>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - received entry from dirsync: CN=toutou,CN=Users,DC=ird,DC=fr
>>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): windows_process_total_entry: Looking dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" (ours)
>>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" guid="(null)"
>>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: looking for AD entry for DS dn="uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr" username="zizou"
>>> [19/Mar/2009:14:53:33 +0100] - Calling windows entry search request plugin
>>> [19/Mar/2009:14:53:33 +0100] NSMMReplicationPlugin - agmt="cn=j" (porlsvrdc0003:636): map_entry_dn_outbound: entry not found - rc -1
>>>
>>> Any idea?
>>>
>>> BR,
>>>
>>
>
I finally found what the problem was (cn/ou confusion). Sync is working.

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

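The thread resolved to a cn/ou confusion in the agreement's subtrees. The following added example, which is not the Windows Sync plugin's own code, shows the DN rebasing that sits behind the map_entry_dn_outbound lines quoted above: an entry DN is only mappable if the configured Directory Server subtree is really one of its ancestors, attribute type included, and the leaf is then rebased onto the Active Directory subtree. The DS subtree and entry DN are the ones from the thread; the AD subtree spelled with ou= and the mistyped cn=People subtree are constructed to show the two outcomes.

```python
# Added example, not the Windows Sync plugin's own code: the DN rebasing a
# sync agreement has to perform before it can look an entry up on the other
# side. A subtree written cn= where the entries live under ou= is not an
# ancestor of any entry, so every outbound lookup misses, which is what
# "map_entry_dn_outbound: entry not found - rc -1" reports for each entry.
# DS_SUBTREE and ENTRY come from the thread; the other DNs are constructed.

def parse_dn(dn):
    """Split a DN into [(type, value), ...], leaf first. Honours backslash
    escapes and quoted values; attribute types are lowercased. Multi-valued
    RDNs (a=x+b=y) are not handled."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            parts.append(buf)
            buf = ""
            i += 1
            continue
        buf += c
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns

def _norm(rdns):
    """Case-fold values too: ou, cn, uid and dc all use caseIgnore matching."""
    return [(t, v.lower()) for t, v in rdns]

def is_under(entry_dn, base_dn):
    """True when entry_dn equals base_dn or lies beneath it."""
    e, b = _norm(parse_dn(entry_dn)), _norm(parse_dn(base_dn))
    return len(e) >= len(b) and e[len(e) - len(b):] == b

def rebase_dn(dn, from_subtree, to_subtree, naming_attr):
    """Map dn from from_subtree onto to_subtree, renaming the leaf RDN's
    type to naming_attr (DS users are uid=..., AD users are cn=...).
    Intermediate containers are carried over unchanged, which is why they
    must already exist on the target side. Returns None when dn is not
    below from_subtree, the result a mistyped agreement subtree yields."""
    if not is_under(dn, from_subtree):
        return None
    rdns = parse_dn(dn)
    rel = rdns[:len(rdns) - len(parse_dn(from_subtree))]   # RDNs below the base
    if not rel:
        return None                # the base itself is not an entry to map
    rel[0] = (naming_attr, rel[0][1])
    return ",".join("%s=%s" % (t, v) for t, v in rel) + "," + to_subtree

# From the thread's agreement and logs.
DS_SUBTREE = "ou=People,dc=orleans,dc=ird,dc=fr"
ENTRY = "uid=zizou,ou=People,dc=orleans,dc=ird,dc=fr"
# Constructed: an AD side whose containers are OUs, and the DS subtree
# mistyped with cn= instead of ou=.
AD_SUBTREE_OU = "ou=utilisateurs,ou=orleans,dc=ird,dc=fr"
DS_SUBTREE_MISTYPED = "cn=People,dc=orleans,dc=ird,dc=fr"

if __name__ == "__main__":
    print(rebase_dn(ENTRY, DS_SUBTREE, AD_SUBTREE_OU, "cn"))
    print(rebase_dn(ENTRY, DS_SUBTREE_MISTYPED, AD_SUBTREE_OU, "cn"))
```

The same function run the other way (AD entry, AD subtree, DS subtree, naming attribute uid) gives the inbound mapping, and an entry one container below the DS subtree keeps that container in its mapped DN, which is exactly the case Marc's quoted note covers: the container has to exist in AD beforehand.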
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Fri, 20 Mar 2009 10:39:25 +0100
Subject: [Fedora-directory-users] Windows account not atcivated ?
Message-ID: <49C3644D.2020905@ird.fr>

Hi,

Every new AD account created by FDS replication is deactivated.
The FDS account is well activated.

Why?

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Fri, 20 Mar 2009 10:44:13 +0100
Subject: [Fedora-directory-users] Kerberos login
Message-ID: <49C3656D.5060503@ird.fr>

Hi,

During FDS replication to AD, it seems that the "classic" login attribute for Windows is correctly filled with the ntuserdomainid FDS attribute. However, the userPrincipalName is also filled with the ntuserdomainid FDS attribute, since it should be quite different...

Is it possible to match this attribute with another one in FDS?

BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From: browndeigo at gmail.com (brown deigo)
Date: Fri, 20 Mar 2009 17:49:48 +0530
Subject: [Fedora-directory-users] Problem in moving subtree of entries to new parent.
Message-ID: <53859ceb0903200519s493045ccnef13ba40244acf6a@mail.gmail.com>

Hello all,

Currently I am facing a problem with moving a subtree of entries to a new parent. I am trying to move a subtree or a user to a new parent. I am getting the following error message.

There are two OU's under the suffix o=xyzcorp.com: ou=education and ou=finance. Browny is the user in ou=education,o=xyzcorp.com. Now I need to move Browny to ou=finance,o=xyzcorp.com. When I attempt the following modification I am getting an error.

dn: cn=Browny,ou=education,o=xyzcorp.com
changetype: modrdn
newrdn: cn=BrownyNew
deleteoldrdn: 0
newsuperior: ou=finance,o=xyzcorp.com

new RDN: cn=BrownyNew, new parent ou=finance,o=xyzcorp.com (keep existing values)
modifying RDN of entry cn=Browny,ou=education,o=xyzcorp.com and/or moving it beneath a new parent
ldap_rename: DSA is unwilling to perform
ldap_rename: additional info: server does not support moving of entries

I tried it this way also...

dn: cn=Browny,ou=education,o=xyzcorp.com
changetype: modrdn
newrdn: cn=Browny
deleteoldrdn: 1
newparent: ou=finance,o=xyzcorp.com

...no success.

In the same way I am not able to move an OU to a new parent either. Is anybody aware of this? If so, educate me how to do this.

Thanks in advance,
Brown Deigo.

From: hugo.etievant at inrp.fr (Hugo Etievant) Date: Fri, 20 Mar 2009 16:30:46 +0100 Subject: [Fedora-directory-users] Windows account not atcivated ? In-Reply-To: <49C3644D.2020905@ird.fr> References: <49C3644D.2020905@ird.fr> Message-ID: <49C3B6A6.7050304@inrp.fr> hello, It is a known bug : https://bugzilla.redhat.com/show_bug.cgi?id=470224 cf : http://www.mail-archive.com/fedora-directory-users at redhat.com/msg08538.html New FDS accounts are marcked 'disabled' on AD after synchronization. regards. Emmanuel BILLOT a ?crit : > Hi, > > Every new AD account created by FDS replication is desactivated. > The FDS account is well activated. > > Why ? > > BR, > -- * Hugo ?ti?vant * From emmanuel.billot at ird.fr Fri Mar 20 15:56:32 2009 From: emmanuel.billot at ird.fr (Emmanuel BILLOT) Date: Fri, 20 Mar 2009 16:56:32 +0100 Subject: [Fedora-directory-users] Windows account not atcivated ? In-Reply-To: <49C3B6A6.7050304@inrp.fr> References: <49C3644D.2020905@ird.fr> <49C3B6A6.7050304@inrp.fr> Message-ID: <49C3BCB0.60203@ird.fr> Hugo Etievant a ?crit : > hello, > > It is a known bug : https://bugzilla.redhat.com/show_bug.cgi?id=470224 > cf : > http://www.mail-archive.com/fedora-directory-users at redhat.com/msg08538.html > > > New FDS accounts are marcked 'disabled' on AD after synchronization. > > > regards. Ok effectivement. Vous utilisez un paliatif ? > > > Emmanuel BILLOT a ?crit : >> Hi, >> >> Every new AD account created by FDS replication is desactivated. >> The FDS account is well activated. >> >> Why ? >> >> BR, >> > > -- ========================================== Emmanuel BILLOT IRD - Orl?ans D?l?gation aux Syst?mes d'Information (DSI) t?l : 02 38 49 95 88 ========================================== From hugo.etievant at inrp.fr Fri Mar 20 16:10:50 2009 
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Fri, 20 Mar 2009 17:10:50 +0100
Subject: [Fedora-directory-users] Windows account not atcivated ?
In-Reply-To: <49C3BCB0.60203@ird.fr>
References: <49C3644D.2020905@ird.fr> <49C3B6A6.7050304@inrp.fr> <49C3BCB0.60203@ird.fr>
Message-ID: <49C3C00A.9080307@inrp.fr>

Emmanuel BILLOT wrote:
> Hugo Etievant wrote:
>> hello,
>>
>> It is a known bug: https://bugzilla.redhat.com/show_bug.cgi?id=470224
>> cf. http://www.mail-archive.com/fedora-directory-users at redhat.com/msg08538.html
>>
>> New FDS accounts are marked 'disabled' on AD after synchronization.
>>
>> regards.
> OK, indeed.
> Are you using a workaround?

No. But our process implies some manual operations by an admin in AD for group manipulation, and at that moment we activate the user account.

Another way is to modify the accountControl flag to 512 in AD with a script some minutes after user account creation in FDS...

regards

--
* Hugo Étiévant *
Bibliothèque Denis Diderot
IT coordinator for the SID project (Système d'Information Documentaire)
hugo.etievant at inrp.fr
Tel : 04 72 76 61 13 - Fax : 04 72 76 61 10
From yinyang at eburg.com Fri Mar 20 20:50:23 2009
From: yinyang at eburg.com (Gordon Messmer)
Date: Fri, 20 Mar 2009 13:50:23 -0700
Subject: [Fedora-directory-users] Import Unix users
In-Reply-To:
References:
Message-ID: <49C4018F.80005@eburg.com>

Per Qvindesland wrote:
>
> Does anyone know about a simple script to import users from /etc/passwd to
> directory server? I found some on the Fedora Directory server but I am just
> wondering if there might be some other ideas since I have to import from
> several servers into different ou's

This is a copy of one I've been using and improving.

-------------- next part --------------
#!/usr/bin/python
# importAccounts - Import user and group data for a directory server
# Copyright (C) 2008 Gordon Messmer
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .

import csv
import sys

import ldap
import ldap.modlist
import ldif

users = {}
groups = {}

# Local account databases to read.
passwd = '/etc/passwd'
shadow = '/etc/shadow'
smbpasswd = '/etc/samba/smbpasswd'
group = '/etc/group'
gshadow = '/etc/gshadow'

# Domain SID used to derive sambaSID values; set to None to skip the
# Samba object classes entirely.
sambaDomainSID = 'S-1-5-21-5555555-55555555-55555555'

# Directory to merge against: entries already present are updated,
# missing ones are added.
caCertFile = None
ldapUri = 'ldap://directory.example.com'
baseDN = 'dc=example,dc=com'
# Attributes that are never overwritten on an existing entry.
ldapMergeIgnores = ['cn', 'sn', 'givenName', 'userPassword']


class AccountImportError(Exception):
    # Named AccountImportError so the builtin ImportError is not shadowed.
    def __init__(self, value):
        self.value = value

    def __str__(self):
        return repr(self.value)


class SkipOutput(AccountImportError):
    """Raised by an output filter to drop the current entry."""
    pass


class User:
    def __init__(self, user):
        self.uid = user
        self.userPassword = None
        self.uidNumber = None
        self.gidNumber = None
        self.gecos = None
        self.homeDirectory = None
        self.loginShell = None
        self.shadowLastChange = None
        self.shadowMin = None
        self.shadowMax = None
        self.shadowWarning = None
        self.shadowInactive = None
        self.shadowExpire = None
        self.shadowFlag = None
        self.sambaLMPassword = None
        self.sambaNTPassword = None
        self.sambaAcctFlags = None
        self.sambaPwdLastSet = None


class Group:
    def __init__(self, group):
        self.cn = group
        self.userPassword = None
        self.gidNumber = None
        self.members = []


class unixpwdDialect(csv.Dialect):
    # Colon-separated files such as /etc/passwd, with no quoting.
    delimiter = ':'
    doublequote = False
    escapechar = '\\'
    lineterminator = '\n'
    quotechar = '"'
    quoting = csv.QUOTE_NONE
    skipinitialspace = False


def ldapConnect():
    if caCertFile:
        ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, caCertFile)
    server = ldap.initialize(ldapUri)
    server.protocol_version = ldap.VERSION3
    return server


def ldapSearch(filter, attributes=None, server=None):
    """Search the directory."""
    if not server:
        server = ldapConnect()
    scope = ldap.SCOPE_SUBTREE
    return server.search_s(baseDN, scope, filter, attributes)


def getUser(user):
    if user not in users:
        users[user] = User(user)
    return users[user]


def getGroup(group):
    if group not in groups:
        groups[group] = Group(group)
    return groups[group]


def inFilterPasswd():
    try:
        reader = csv.reader(open(passwd, 'r'), 'unixpwd')
    except IOError:
        sys.stderr.write('Password file not readable.\n')
        sys.exit(66)
    for row in reader:
        userEnt = getUser(row[0])
        (userEnt.userPassword, userEnt.uidNumber, userEnt.gidNumber,
         userEnt.gecos, userEnt.homeDirectory, userEnt.loginShell) = row[1:]


def inFilterShadow():
    try:
        reader = csv.reader(open(shadow, 'r'), 'unixpwd')
    except IOError:
        sys.stderr.write('Shadow file not readable.\n')
        sys.exit(66)
    for row in reader:
        userEnt = getUser(row[0])
        (userEnt.userPassword, userEnt.shadowLastChange, userEnt.shadowMin,
         userEnt.shadowMax, userEnt.shadowWarning, userEnt.shadowInactive,
         userEnt.shadowExpire, userEnt.shadowFlag) = row[1:]


def addGroupMembers(groupEnt, members):
    if members:
        groupMembers = members.split(',')
        for member in groupMembers:
            if member not in groupEnt.members:
                groupEnt.members.append(member)


def inFilterGroup():
    try:
        reader = csv.reader(open(group, 'r'), 'unixpwd')
    except IOError:
        sys.stderr.write('Group password file not readable.\n')
        sys.exit(66)
    for row in reader:
        groupEnt = getGroup(row[0])
        (groupEnt.userPassword, groupEnt.gidNumber) = row[1:3]
        addGroupMembers(groupEnt, row[3])


def inFilterGshadow():
    try:
        reader = csv.reader(open(gshadow, 'r'), 'unixpwd')
    except IOError:
        sys.stderr.write('Group shadow password file not readable.\n')
        sys.exit(66)
    for row in reader:
        groupEnt = getGroup(row[0])
        groupEnt.userPassword = row[1]
        # We don't convert admins
        addGroupMembers(groupEnt, row[3])


def inFilterSmbpasswd():
    try:
        reader = csv.reader(open(smbpasswd, 'r'), 'unixpwd')
    except IOError:
        sys.stderr.write('Samba password file not readable.\n')
        sys.exit(66)
    for row in reader:
        userEnt = getUser(row[0])
        # Only accept the Samba record whose uid matches /etc/passwd.
        if userEnt.uidNumber != row[1]:
            continue
        (userEnt.sambaLMPassword, userEnt.sambaNTPassword,
         userEnt.sambaAcctFlags, userEnt.sambaPwdLastSet) = row[2:6]


def outFilterUserPassword(entry):
    # Works for users and groups alike: both carry a crypt(3) hash.
    if hasattr(entry, 'userPassword') and entry.userPassword:
        entry.userPassword = '{CRYPT}%s' % entry.userPassword


def outFilterUserValid(userEnt):
    if not (userEnt.uid and userEnt.uidNumber and userEnt.gidNumber
            and userEnt.homeDirectory):
        raise SkipOutput('information for %s is incomplete' % userEnt.uid)


def outFilterUid(userEnt):
    if int(userEnt.uidNumber) < 500:
        raise SkipOutput('uid indicates local system account')


def ldifAddAttribute(out, entry, attribute):
    if getattr(entry, attribute):
        out[attribute] = [getattr(entry, attribute)]


def outFilterUserComposeLdif(userEnt):
    out = {}
    userEnt.dn = 'uid=%s,ou=People,%s' % (userEnt.uid, baseDN)
    out['objectClass'] = ['posixAccount', 'shadowAccount', 'inetOrgPerson']
    for attr in ('uid', 'userPassword', 'uidNumber', 'gidNumber', 'gecos',
                 'homeDirectory', 'loginShell', 'shadowLastChange',
                 'shadowMin', 'shadowMax', 'shadowWarning', 'shadowInactive',
                 'shadowExpire', 'shadowFlag'):
        ldifAddAttribute(out, userEnt, attr)
    if userEnt.gecos:
        gecos = userEnt.gecos
    else:
        gecos = userEnt.uid
    gfields = gecos.split(',')
    # A gecos such as ",,," has an empty full-name field; fall back to the
    # uid so that cn and sn (required by inetOrgPerson) are never empty.
    fullname = gfields[0].strip() or userEnt.uid
    out['cn'] = [fullname]
    names = fullname.split()
    out['sn'] = [names[-1]]
    if names[0:-1]:
        out['givenName'] = [' '.join(names[0:-1])]
    if (sambaDomainSID and (userEnt.sambaAcctFlags or userEnt.sambaLMPassword
                            or userEnt.sambaNTPassword
                            or userEnt.sambaPwdLastSet)):
        out['objectClass'].append('sambaSamAccount')
        out['sambaSID'] = ['%s-%d' % (sambaDomainSID,
                                      int(userEnt.uidNumber) * 2 + 1000)]
        for attr in ('sambaLMPassword', 'sambaNTPassword', 'sambaAcctFlags',
                     'sambaPwdLastSet'):
            ldifAddAttribute(out, userEnt, attr)
    userEnt.ldif = out


def outFilterUserLdapScrub(entry):
    filter = 'uid=%s' % (entry.uid,)
    outFilterLdapScrub(entry, filter)


def outFilterGroupValid(groupEnt):
    if not (groupEnt.cn and groupEnt.gidNumber):
        raise SkipOutput('information for %s is incomplete' % groupEnt.cn)


def outFilterGid(groupEnt):
    if int(groupEnt.gidNumber) < 500:
        raise SkipOutput('gid indicates local system group')


def outFilterGroupComposeLdif(groupEnt):
    out = {}
    groupEnt.dn = 'cn=%s,ou=Groups,%s' % (groupEnt.cn, baseDN)
    out['objectClass'] = ['posixGroup']
    for attr in ('cn', 'gidNumber'):
        ldifAddAttribute(out, groupEnt, attr)
    if groupEnt.members:
        out['objectClass'].append('groupOfNames')
        out['memberUid'] = []
        out['member'] = []
        for member in groupEnt.members:
            out['memberUid'].append(member)
            out['member'].append('uid=%s,ou=People,%s' % (member, baseDN))
    if sambaDomainSID:
        out['objectClass'].append('sambaGroupMapping')
        out['sambaGroupType'] = ['2']
        out['sambaSID'] = ['%s-%d' % (sambaDomainSID,
                                      int(groupEnt.gidNumber) * 2 + 1001)]
    groupEnt.ldif = out


def outFilterGroupLdapScrub(entry):
    filter = 'cn=%s' % (entry.cn,)
    outFilterLdapScrub(entry, filter)


def outFilterLdapScrub(entry, ldapFilter):
    """Turn entry.ldif into an add modlist when the entry is new, or into
    a modify modlist merged with the existing entry when it already exists."""
    attributes = list(entry.ldif.keys())
    ldapResult = ldapSearch(ldapFilter, attributes=attributes)
    if len(ldapResult) != 1:
        entry.ldif = ldap.modlist.addModlist(entry.ldif)
        return
    entry.dn = ldapResult[0][0]
    for attr in ldapMergeIgnores:
        if attr in entry.ldif:
            del entry.ldif[attr]
    for attr in ldapResult[0][1]:
        if attr in entry.ldif:
            vals = set(entry.ldif[attr])
            newvals = list(vals.union(ldapResult[0][1][attr]))
            entry.ldif[attr] = newvals
        else:
            entry.ldif[attr] = ldapResult[0][1][attr]
    entry.ldif = ldap.modlist.modifyModlist(ldapResult[0][1], entry.ldif)


def outFilterWriteLdif(entry):
    writer = ldif.LDIFWriter(sys.stdout)
    writer.unparse(entry.dn, entry.ldif)


csv.register_dialect('unixpwd', unixpwdDialect)

userInFilters = (inFilterPasswd, inFilterShadow, inFilterSmbpasswd)
userOutFilters = (outFilterUserValid, outFilterUid, outFilterUserPassword,
                  outFilterUserComposeLdif, outFilterUserLdapScrub,
                  outFilterWriteLdif)
groupInFilters = (inFilterGroup, inFilterGshadow)
groupOutFilters = (outFilterGroupValid, outFilterGid, outFilterUserPassword,
                   outFilterGroupComposeLdif, outFilterGroupLdapScrub,
                   outFilterWriteLdif)

for inFilter in userInFilters:
    inFilter()
for inFilter in groupInFilters:
    inFilter()

for userEnt in users.values():
    try:
        for outFilter in userOutFilters:
            outFilter(userEnt)
    except SkipOutput as cause:
        sys.stderr.write('%s\n' % cause)
        continue

for groupEnt in groups.values():
    try:
        for outFilter in groupOutFilters:
            outFilter(groupEnt)
    except SkipOutput as cause:
        sys.stderr.write('%s\n' % cause)
        continue
From nhosoi at redhat.com Fri Mar 20 22:29:37 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 20 Mar 2009 15:29:37 -0700
Subject: [Fedora-directory-users] Problem in moving subtree of entries to new parent.
In-Reply-To: <53859ceb0903200519s493045ccnef13ba40244acf6a@mail.gmail.com>
References: <53859ceb0903200519s493045ccnef13ba40244acf6a@mail.gmail.com>
Message-ID: <49C418D1.9020503@redhat.com>

This is the restriction the current FDS has. Please see "2.4.2.1. A Note on Renaming Entries" on this Administration Guide page.
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-LDIF_Update_Statements.html#LDIF_Update_Statements-Renaming_an_Entry_Using_LDIF

Thanks,
--noriko

brown deigo wrote:
> Hello all,
>
> Currently I am facing a problem with moving a subtree of entries to a new
> parent.
>
> I am trying to move a subtree or a user to a new parent. I am getting
> the following error message.
>
> There are two OUs under the suffix o=xyzcorp.com:
> ou=education and ou=finance.
> Browny is the user in ou=education,o=xyzcorp.com.
> Now I need to move Browny to ou=finance,o=xyzcorp.com.
>
> When I attempt to do the following modification I am getting an error.
>
> dn: cn=Browny,ou=education,o=xyzcorp.com
> changetype: modrdn
> newrdn: cn=BrownyNew
> deleteoldrdn: 0
> newsuperior: ou=finance,o=xyzcorp.com
>
> new RDN: cn=BrownyNew, new parent ou=finance,o=xyzcorp.com
> (keep existing values)
> modifying RDN of entry cn=Browny,ou=education,o=xyzcorp.com
> and/or moving it beneath a new parent
>
> ldap_rename: DSA is unwilling to perform
> ldap_rename: additional info: server does not support moving of entries
>
>
> I tried it this way also ...
>
> dn: cn=Browny,ou=education,o=xyzcorp.com
> changetype: modrdn
> newrdn: cn=Browny
> deleteoldrdn: 1
> newparent: ou=finance,o=xyzcorp.com
>
> ... no success.
>
> In the same way I am not able to move the OU to a new parent either.
>
> Is anybody aware of this?
>
> If so, educate me how to do this.
>
>
> Thanks in advance,
> Brown Deigo.
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
From browndeigo at gmail.com Sat Mar 21 06:11:59 2009
From: browndeigo at gmail.com (Brown Diego)
Date: Sat, 21 Mar 2009 11:41:59 +0530
Subject: [Fedora-directory-users] Problem in moving subtree of entries to new parent.
In-Reply-To: <49C418D1.9020503@redhat.com>
References: <53859ceb0903200519s493045ccnef13ba40244acf6a@mail.gmail.com> <49C418D1.9020503@redhat.com>
Message-ID: <53859ceb0903202311w22048016xfae6d621e62d7873@mail.gmail.com>

Yes, I had gone through the topic. Thanks for the pointer.

It says there is really no way to move subtrees to a different parent. Instead I need to create the same entry with the same attributes under the parent suffix to which I actually need to move it, and finally delete the old one? Is my understanding right?

If so, it is just like creating a new entry under a parent. It doesn't mean moving an existing entry to another suffix. If I am wrong, throw some light on this.

Thanks,
Brown Diego

2009/3/21 Noriko Hosoi
> This is the restriction the current FDS has. Please see "2.4.2.1. A Note
> on Renaming Entries" on this Administration Guide page.
>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-LDIF_Update_Statements.html#LDIF_Update_Statements-Renaming_an_Entry_Using_LDIF
>
> Thanks,
> --noriko
>
> brown deigo wrote:
>
>> Hello all,
>>
>> Currently I am facing a problem with moving a subtree of entries to a new
>> parent.
>>
>> I am trying to move a subtree or a user to a new parent. I am getting the
>> following error message.
>>
>> There are two OUs under the suffix o=xyzcorp.com:
>> ou=education and ou=finance.
>> Browny is the user in ou=education,o=xyzcorp.com.
>> Now I need to move Browny to ou=finance,o=xyzcorp.com.
>>
>> When I attempt to do the following modification I am getting an error.
>>
>> dn: cn=Browny,ou=education,o=xyzcorp.com
>> changetype: modrdn
>> newrdn: cn=BrownyNew
>> deleteoldrdn: 0
>> newsuperior: ou=finance,o=xyzcorp.com
>>
>> new RDN: cn=BrownyNew, new parent ou=finance,o=xyzcorp.com (keep existing values)
>> modifying RDN of entry cn=Browny,ou=education,o=xyzcorp.com and/or moving it beneath a new parent
>>
>> ldap_rename: DSA is unwilling to perform
>> ldap_rename: additional info: server does not support moving of entries
>>
>>
>> I tried it this way also ...
>>
>> dn: cn=Browny,ou=education,o=xyzcorp.com
>> changetype: modrdn
>> newrdn: cn=Browny
>> deleteoldrdn: 1
>> newparent: ou=finance,o=xyzcorp.com
>>
>> ... no success.
>>
>> In the same way I am not able to move the OU to a new parent either.
>>
>> Is anybody aware of this?
>>
>> If so, educate me how to do this.
>>
>>
>> Thanks in advance,
>> Brown Deigo.
>>
>>
>> ------------------------------------------------------------------------
>>
>
From browndeigo at gmail.com Sat Mar 21 06:13:07 2009
From: browndeigo at gmail.com (Brown Diego)
Date: Sat, 21 Mar 2009 11:43:07 +0530
Subject: [Fedora-directory-users] Database Testing Utility?
Message-ID: <53859ceb0903202313l746cd639g3ede0d3f8d8157aa@mail.gmail.com>

Hello all,

I found a file called dbtest.c in the fds source code. The actual purpose the file was written for is "ldbm database test program" (from the comment inside the file).

The function dbtest_help() inside dbtest.c clearly shows some command line help messages such as:

i => traverse index keys and ID list values
t => traverse index keys and values
T => traverse index keys
u => traverse id2entry keys and values
U => traverse id2entry keys
l => lookup index
L => lookup index (all)
t => traverse index keys

etc. But I could not find any specific tool which uses the functions which exist inside dbtest.c. I tried using all the available tools in FDS; I didn't find any tool which invokes this dbtest_help() function.

Other than dbverify and dbscan, is there really any testing tool available for database testing, or is this file in the source code with the intention of using it in future FDS releases?

Can somebody clarify my doubt?

Thanks,
Brown Diego.
From michael at stroeder.com Sat Mar 21 09:32:50 2009
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 21 Mar 2009 10:32:50 +0100
Subject: [Fedora-directory-users] Problem in moving subtree of entries to new parent.
In-Reply-To: <53859ceb0903202311w22048016xfae6d621e62d7873@mail.gmail.com>
References: <53859ceb0903200519s493045ccnef13ba40244acf6a@mail.gmail.com> <49C418D1.9020503@redhat.com> <53859ceb0903202311w22048016xfae6d621e62d7873@mail.gmail.com>
Message-ID: <49C4B442.8010907@stroeder.com>

Brown Diego wrote:
> 2009/3/21 Noriko Hosoi
>
>     This is the restriction the current FDS has. Please see "2.4.2.1. A
>     Note on Renaming Entries" on this Administration Guide page.
>
>     http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-LDIF_Update_Statements.html#LDIF_Update_Statements-Renaming_an_Entry_Using_LDIF
>
> It says there is really no way to move subtrees to a different parent.
> Instead I need to create the same entry with the same attributes under the
> parent suffix to which I actually need to move it and finally delete the
> old ones?

Yes. Unfortunately setting the newSuperior in ModifyDNRequest is not supported in FDS even when moving entries without subordinate entries.

Having to add/delete an entry to move it is not atomic. So the LDAP client application has to implement some sort of rollback in case something is going wrong.

I thought of supporting something like this in web2ldap. But I wonder which order of the operations is right and how to deal with errors. E.g. if there's a unique constraint on some of the attributes an add-delete sequence will simply fail. And if implementing it as a delete-add sequence and there's something going wrong when adding the entry (e.g. newrdn is already present under the newSuperior) the entry is lost (and has to be re-added at the old superior). Gee, that's bad and probably not worth the implementation effort.

FDS developers should seriously consider at least implementing handling of the newSuperior in ModifyDNRequest for moving entries without subordinate entries.

Ciao, Michael.
From andrey.ivanov at polytechnique.fr Sun Mar 22 16:56:26 2009
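Michael's add-then-delete move and its rollback problem, as an added example (not code from the thread, from web2ldap or from FDS): move_entry() emulates ModifyDN-with-newSuperior against a python-ldap-style connection (add_s / delete_s / search_s), refuses non-leaf entries the way the server's own modrdn does, and rolls back the copy if the delete fails. The FakeDirectory, its LdapError class and the xyzcorp.com tree are constructed stand-ins so that the uniqueness-constraint and refused-delete paths can be exercised offline.

```python
# Added example (not from the thread, web2ldap or FDS).  Assumes a python-ldap
# style connection; a real ldap.SimpleLDAPObject raises ldap.LDAPError instead.
SCOPE_BASE, SCOPE_ONELEVEL = 0, 1      # same numeric values as python-ldap


class LdapError(Exception):
    """Constructed stand-in for ldap.LDAPError; the message names the cause."""


class MoveError(Exception):
    """The emulated move failed; the message states what state was left."""


def move_entry(conn, old_dn, new_superior):
    """Emulate ModifyDN with newSuperior as an add-then-delete sequence.

    Adding first is the safe order: a failed add (RDN clash, uniqueness
    constraint, ACI) leaves the original untouched, and the only rollback
    ever needed is removing the copy when the later delete fails.
    """
    try:
        found = conn.search_s(old_dn, SCOPE_BASE, '(objectClass=*)', None)
    except LdapError as err:                   # python-ldap: NO_SUCH_OBJECT
        raise MoveError('%s: %s; nothing changed' % (old_dn, err))
    # Like the server's own modrdn, refuse non-leaf entries: a subtree
    # copied entry by entry has no single point to roll back to.
    if conn.search_s(old_dn, SCOPE_ONELEVEL, '(objectClass=*)', ['dn']):
        raise MoveError('%s has subordinates; nothing changed' % old_dn)
    attrs = found[0][1]
    new_dn = '%s,%s' % (old_dn.partition(',')[0], new_superior)
    try:
        conn.add_s(new_dn, list(attrs.items()))
    except LdapError as err:
        raise MoveError('add of %s failed (%s); original intact' % (new_dn, err))
    try:
        conn.delete_s(old_dn)
    except LdapError as err:
        conn.delete_s(new_dn)                  # roll back: drop the copy
        raise MoveError('delete of %s failed (%s); copy removed, original intact'
                        % (old_dn, err))
    return new_dn


def try_move(conn, old_dn, new_superior):
    try:
        return move_entry(conn, old_dn, new_superior), None
    except MoveError as err:
        return None, str(err)


class FakeDirectory(object):
    """Constructed in-memory directory with just enough python-ldap surface
    for move_entry(); unique_attrs mimics an attribute-uniqueness plug-in,
    deny_delete simulates a delete refused by an ACI."""

    def __init__(self, unique_attrs=(), deny_delete=()):
        self.entries = {}
        self.unique_attrs = set(unique_attrs)
        self.deny_delete = set(deny_delete)

    def search_s(self, base, scope, filterstr, attrlist=None):
        if scope == SCOPE_BASE:
            if base not in self.entries:
                raise LdapError('noSuchObject')
            hits = [base]
        else:   # one level down: exactly one more RDN than base
            hits = [dn for dn in self.entries if dn.endswith(',' + base)
                    and ',' not in dn[:-len(base) - 1]]
        return [(dn, dict(self.entries[dn])) for dn in hits]

    def add_s(self, dn, modlist):
        if dn in self.entries:
            raise LdapError('entryAlreadyExists')
        attrs = dict(modlist)
        for attr in self.unique_attrs:
            for value in attrs.get(attr, []):
                if any(value in e.get(attr, []) for e in self.entries.values()):
                    raise LdapError('constraintViolation: %s=%s' % (attr, value))
        self.entries[dn] = attrs

    def delete_s(self, dn):
        if dn in self.deny_delete:
            raise LdapError('insufficientAccessRights')
        del self.entries[dn]


def build_demo_directory(**kwargs):
    """The thread's tree (constructed): ou=education and ou=finance under
    o=xyzcorp.com, with cn=Browny below ou=education."""
    d = FakeDirectory(**kwargs)
    ou = ['organizationalUnit']
    d.entries = {
        'o=xyzcorp.com': {'objectClass': ['organization'], 'o': ['xyzcorp.com']},
        'ou=education,o=xyzcorp.com': {'objectClass': ou, 'ou': ['education']},
        'ou=finance,o=xyzcorp.com': {'objectClass': ou, 'ou': ['finance']},
        'cn=Browny,ou=education,o=xyzcorp.com': {'objectClass': ['inetOrgPerson'],
            'cn': ['Browny'], 'sn': ['Browny'], 'uid': ['browny']},
    }
    return d
```

With unique_attrs=['uid'] the add fails with constraintViolation and the original stays where it was, which is exactly the add-delete-under-a-unique-constraint case Michael describes; with deny_delete set on the old DN the copy is removed again and the original is left intact.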
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Sun, 22 Mar 2009 17:56:26 +0100
Subject: [Fedora-directory-users] Problem in moving subtree of entries to new parent.
In-Reply-To: <49C4B442.8010907@stroeder.com>
References: <53859ceb0903200519s493045ccnef13ba40244acf6a@mail.gmail.com> <49C418D1.9020503@redhat.com> <53859ceb0903202311w22048016xfae6d621e62d7873@mail.gmail.com> <49C4B442.8010907@stroeder.com>
Message-ID: <1601b8650903220956p11d7b8f5w7cb0f0ea7954f55e@mail.gmail.com>

I made a request for this feature some time ago; you can follow its progress and add your comments or requests here:
https://bugzilla.redhat.com/show_bug.cgi?id=429005

2009/3/21 Michael Ströder
> Brown Diego wrote:
> > 2009/3/21 Noriko Hosoi
> >
> >     This is the restriction the current FDS has. Please see "2.4.2.1. A
> >     Note on Renaming Entries" on this Administration Guide page.
> >
> >     http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-LDIF_Update_Statements.html#LDIF_Update_Statements-Renaming_an_Entry_Using_LDIF
> >
> > It says there is really no way to move subtrees to a different parent.
> > Instead I need to create the same entry with the same attributes under the
> > parent suffix to which I actually need to move it and finally delete the
> > old ones?
>
> Yes. Unfortunately setting the newSuperior in ModifyDNRequest is not
> supported in FDS even when moving entries without subordinate entries.
>
> Having to add/delete an entry to move it is not atomic. So the LDAP
> client application has to implement some sort of rollback in case
> something is going wrong.
>
> I thought of supporting something like this in web2ldap. But I wonder
> which order of the operations is right and how to deal with errors. E.g.
> if there's a unique constraint on some of the attributes an
> add-delete sequence will simply fail. And if implementing it as a
> delete-add sequence and there's something going wrong when adding the
> entry (e.g. newrdn is already present under the newSuperior) the entry
> is lost (and has to be re-added at the old superior). Gee, that's bad
> and probably not worth the implementation effort.
>
> FDS developers should seriously consider at least implementing handling
> of the newSuperior in ModifyDNRequest for moving entries without
> subordinate entries.
>
> Ciao, Michael.
>
From per at norhex.com Sun Mar 22 17:31:01 2009
From: per at norhex.com (Per Qvindesland)
Date: Sun, 22 Mar 2009 18:31:01 +0100
Subject: [Fedora-directory-users] Password
In-Reply-To: <4995EDC1.8000901@redhat.com>
Message-ID:

Hi

I am finally ready to move on with the implementation of my directory server, and I would like to have this solution implemented so that it automatically adds the username as the default password for all new users. I have been trying to figure this out through this script, but it refers to ipa-server, which is not something that I have installed. Is there anywhere else, or is there any other way of doing this?

Regards
Per Qvindesland

On 2/13/09 11:01 PM, "Rob Crittenden" wrote:

> Per Qvindesland wrote:
>> Hi
>>
>> Thanks for replying, I will try, but could you please give me a clue on where
>> I might find this file?
>>
>> Kind regards
>> Per Qvindesland
>>
>>
>> On 2/13/09 10:30 PM, "Rob Crittenden" wrote:
>>
>>> You can put this just about anywhere in there, I'd put it around where
>>> we check for and set homeDirectory, etc.
>>
>
> I think the change should look something like (untested):
>
> diff --git a/ipa-server/xmlrpc-server/funcs.py > b/ipa-server/xmlrpc-server/funcs. > index cf9e7de..d5bbab2 100644 > --- a/ipa-server/xmlrpc-server/funcs.py > +++ b/ipa-server/xmlrpc-server/funcs.py
> @@ -623,6 +623,9 @@ class IPAServer: > if user.get('gn'): > del user['gn'] > > + if not user.get('userpassword'): > + user['userpassword'] = user['uid'] > + > # some required objectclasses > entry.setValues('objectClass', > (config.get('ipauserobjectclasses'))) > > On an installed system this is in > /usr/lib/python2.5/site-packages/ipaserver/funcs.py > > rob > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From nhosoi at redhat.com Mon Mar 23 19:10:23 2009 
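Review bot: the added lines in the hunk make the initial userpassword equal to the uid whenever the caller supplied none, so every new account's first credential is predictable from its login name, and nothing in the hunk marks that password as provisional. Before `user['userpassword'] = user['uid']`, consider making the behaviour an explicit opt-in (a keyword argument or configuration setting rather than an unconditional default) and, in the same place, set whatever the server uses to force a password change at first bind, so the placeholder cannot outlive one login; the `# some required objectclasses` context that follows shows this is where other mandatory values are applied, so a companion setting belongs there. The change is also described as "untested" in the message, so a docstring note and a test covering the empty-password path would document and pin the behaviour.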
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 23 Mar 2009 12:10:23 -0700
Subject: [Fedora-directory-users] Database Testing Utility?
In-Reply-To: <53859ceb0903202313l746cd639g3ede0d3f8d8157aa@mail.gmail.com>
References: <53859ceb0903202313l746cd639g3ede0d3f8d8157aa@mail.gmail.com>
Message-ID: <49C7DE9F.2050704@redhat.com>

Sorry, the functionality dbtest is not supported. It's an old method to examine the database.
--noriko

Brown Diego wrote:
> Hello all,
>
> I found a file called dbtest.c in the fds source code.
> The actual purpose the file was written for is "ldbm database test program"
> (from the comment inside the file).
>
> The function dbtest_help() inside dbtest.c clearly shows some
> command line help messages such as:
>
> i => traverse index keys and ID list values
> t => traverse index keys and values
> T => traverse index keys
> u => traverse id2entry keys and values
> U => traverse id2entry keys
> l => lookup index
> L => lookup index (all)
> t => traverse index keys
>
> etc. But I could not find any specific tool which uses the functions which
> exist inside dbtest.c. I tried using all the available tools in FDS; I
> didn't find any tool which invokes this dbtest_help() function.
>
> Other than dbverify and dbscan, is there really any testing tool
> available for database testing, or is this file in the source code with
> the intention of using it in future FDS releases?
>
> Can somebody clarify my doubt?
>
> Thanks,
>
> Brown Diego.
>
>
> ------------------------------------------------------------------------
>
From scarolan at gmail.com Mon Mar 23 21:13:42 2009
From: scarolan at gmail.com (Sean Carolan)
Date: Mon, 23 Mar 2009 16:13:42 -0500
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
Message-ID: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com>

I have successfully installed Fedora Directory server on an x86_64 machine running CentOS 5. Everything works except for the Admin Server. When I attempt to start it the apache module fails to load:

/usr/lib64/dirsrv/modules/mod_admserv.so
[Mon Mar 23 16:06:44 2009] [error] This module only supports the threaded MPM

Can anyone shed some light on this error? I googled and looked through the mailing list archives but did not find anything to specifically address this problem.

Thanks

Sean
From ryan.manikowski at 2ergo.com Mon Mar 23 21:18:01 2009
From: ryan.manikowski at 2ergo.com (Ryan Manikowski)
Date: Mon, 23 Mar 2009 17:18:01 -0400
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com>
Message-ID: <49C7FC89.90708@2ergo.com>

Edit /etc/sysconfig/httpd and find the line that says httpd.worker. Uncomment that and then try and start the Admin server. Apache by default uses prefork in Centos/RHEL/Fedora.

Beware that unless php (if you're using it) was compiled for threads, it will not work with httpd.worker on Centos w/ Apache 2.0.x/2.2.x.

Ryan Manikowski | System Administrator
:703.677.8499: ryan.manikowski at 2ergo.com
2ergo - Digital leaders in a mobile world
Mobile Excellence Award - Best Innovator
Mobile Star Award - Best Enterprise Mobile Web Publishing Solution
Webby Awards - Official Honoree for Best Mobile News Site
Deloitte Fast 50 - Fastest Growing Technology Companies in the UK
GSMA - GSMA Mobile Innovation Award Finalist
Vodafone - Vodafone Innovation Award

***** Email confidentiality notice *****
This message (including attachments) is confidential and may be legally privileged. The content and views expressed are those of the sender and not necessarily the 2ergo Group. If you are not the intended recipient, you must not disclose, copy or use any part of it. Please delete all copies immediately and notify the sender.

Sean Carolan wrote:
> I have successfully installed Fedora Directory server on an x86_64
> machine running CentOS 5. Everything works except for the Admin
> Server. When I attempt to start it the apache module fails to load:
>
> /usr/lib64/dirsrv/modules/mod_admserv.so
> [Mon Mar 23 16:06:44 2009] [error] This module only supports the threaded MPM
>
> Can anyone shed some light on this error? I googled and looked
> through the mailing list archives but did not find anything to
> specifically address this problem.
>
> Thanks
>
> Sean
>
From scarolan at gmail.com Mon Mar 23 21:34:09 2009
From: scarolan at gmail.com (Sean Carolan)
Date: Mon, 23 Mar 2009 16:34:09 -0500
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <49C7FC89.90708@2ergo.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com>
Message-ID: <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com>

> Beware that unless php (if you're using it) was compiled for threads, it
> will not work with httpd.worker on Centos w/ Apache 2.0.x/2.2.x.

Indeed:

[Mon Mar 23 16:24:22 2009] [crit] Apache is running a threaded MPM, but your PHP Module is not compiled to be threadsafe. You need to recompile PHP.
Pre-configuration failed

I tried removing PHP and unfortunately it still doesn't work. Running httpd.worker from the command line produces this:

[root at newldap6 ~]# /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
Segmentation fault

Could this be because of the 64 bit OS?
From neuronring at gmail.com Tue Mar 24 12:21:50 2009
From: neuronring at gmail.com (neuron ring)
Date: Tue, 24 Mar 2009 17:51:50 +0530
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
Message-ID: <30abda540903240521x207cbbafo17423867427c6c40@mail.gmail.com>

Hi all,

I need to use the "Certificate to LDAP Mapping" functionality.

The README file in the source ldapserver/lib/ldaputil/examples path suggests:

    Refer "Certificate to LDAP Mapping API" documentation to find out about the various API functions and how you can write your plug-in.

And also to refer to the "Managing servers" manual. But I couldn't get those documents. How can I write my own plug-in for LDAP Mapping?

Or what can I do with the Certmap.conf file to configure Certificate to LDAP Mapping?

Can somebody provide a link to that document or explain what Certificate to LDAP Mapping is?

Thanks in advance,
Neuron Ring.
From nhosoi at redhat.com Tue Mar 24 16:35:07 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 24 Mar 2009 09:35:07 -0700
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
In-Reply-To: <30abda540903240521x207cbbafo17423867427c6c40@mail.gmail.com>
References: <30abda540903240521x207cbbafo17423867427c6c40@mail.gmail.com>
Message-ID: <49C90BBB.2060909@redhat.com>

neuron ring wrote:
> Hi all,
>
> I need to use the "Certificate to LDAP Mapping" functionality.
>
> The README file in the source ldapserver/lib/ldaputil/examples path
> suggests:
>     Refer "Certificate to LDAP Mapping API" documentation to find out
>     about the various API functions and how you can write your
>     plug-in.
>
> And also to refer to the "Managing servers" manual. But I couldn't get those
> documents. How can I write my own plug-in for LDAP Mapping?
>
> Or what can I do with the Certmap.conf file to configure Certificate to
> LDAP Mapping?
>
> Can somebody provide a link to that document or explain
> what Certificate to LDAP Mapping is?

Did you have a chance to look into these docs?
http://directory.fedoraproject.org/wiki/Howto:CertMapping
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL-Configuring_LDAP_Clients_to_Use_SSL.html

Thanks,
--noriko

>
> Thanks in advance,
> Neuron Ring.
>
>
> ------------------------------------------------------------------------
>
From browndeigo at gmail.com Wed Mar 25 12:57:53 2009
From: browndeigo at gmail.com (Brown Diego)
Date: Wed, 25 Mar 2009 18:27:53 +0530
Subject: [Fedora-directory-users] import-merge utility clarification
Message-ID: <53859ceb0903250557t59d3182bs168972f372e1d124@mail.gmail.com>

Hi,

Is anybody familiar with "import-merge.c"? How do I utilize this tool? From the program I gathered that it is used for importing small db files and then merging them finally. import_mega_merge is also one of the functions used in that file.

I couldn't find a way to make use of this import-merge file. Is there any special functionality available in the directory server to merge the files?

Do I need to import using db2ldif and then again ldif2db?

Thanks in advance,
Brown Diego.

From browndeigo at gmail.com Wed Mar 25 12:58:53 2009
From: browndeigo at gmail.com (Brown Diego)
Date: Wed, 25 Mar 2009 18:28:53 +0530
Subject: [Fedora-directory-users] Modrdn operation not allowed on non-leaf.
Message-ID: <53859ceb0903250558x25801af6hfc9388fc49f1dc6c@mail.gmail.com>

Hi,

Operation 1: I read there is no way of renaming an ou or an entry if it has children.

Please refer:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-LDIF_Update_Statements.html#LDIF_Update_Statements-Renaming_an_Entry_Using_LDIF

new RDN: ou= alumini (keep existing values)
modifying RDN of entry ou=alumini, o=school.com
ldap_rename: Operation not allowed on nonleaf

since the ou student has child entries in it.

Operation 2: But the ldbm_modrdn.c file has the methods to rename the child entries also when their parent entry is renamed, i.e. deleting the old parent DN and changing the new superior DN (new parent modified using the modrdn operation).

Example: moddn_rename_children

When operation 1 is not allowed, how is operation 2 possible? What is the necessity of the methods inside the ldbm_modrdn.c file?

If I am not wrong, can anybody clarify my doubt?

Thanks in advance,
Brown Diego.

From browndeigo at gmail.com Wed Mar 25 13:23:58 2009
From: browndeigo at gmail.com (Brown Diego)
Date: Wed, 25 Mar 2009 18:53:58 +0530
Subject: [Fedora-directory-users] Small change: Modrdn operation not allowed on non-leaf.
Message-ID: <53859ceb0903250623o24d5826xe077852e99e07f5b@mail.gmail.com>

Hi,

Operation 1: I read there is no way of renaming an ou or an entry if it has children.

Please refer:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-LDIF_Update_Statements.html#LDIF_Update_Statements-Renaming_an_Entry_Using_LDIF

new RDN: ou= alumini (keep existing values)
modifying RDN of entry ou=students, o=school.com
ldap_rename: Operation not allowed on nonleaf

since the ou students has child entries in it.

Operation 2: But the ldbm_modrdn.c file has the methods to rename the child entries also when their parent entry is renamed, i.e. deleting the old parent DN and changing the new superior DN (new parent modified using the modrdn operation).

Example: moddn_rename_children

When operation 1 is not allowed, how is operation 2 possible? What is the necessity of the methods inside the ldbm_modrdn.c file?

If I am not wrong, can anybody clarify my doubt?

Thanks in advance,
Brown Diego.

From emmanuel.billot at ird.fr Wed Mar 25 15:52:17 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Wed, 25 Mar 2009 16:52:17 +0100
Subject: [Fedora-directory-users] Windows data sync
Message-ID: <49CA5331.2030100@ird.fr>

Hi,

We've installed FDS, AD and a replication agreement.
FDS data/passwords sync with AD.
AD passwords sync with FDS.

2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent to or caught by FDS.
- Passwords are not recognized after a full init.
  FDS => AD full init = unable to log on to AD (even if we manually activate the account)
  FDS -> AD passwd update = passwd OK in AD

Anyone has an idea?

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Wed Mar 25 16:46:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:46:21 -0600
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CA5331.2030100@ird.fr>
References: <49CA5331.2030100@ird.fr>
Message-ID: <49CA5FDD.5030906@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> We've installed FDS, AD and a replication agreement.
> FDS data/passwords sync with AD.
> AD passwords sync with FDS.
>
> 2 problems are still unsolved:
> - AD modifications (name, surname, mail) are not sent to or caught by FDS.

I suppose you could enable the replication log level and see why this is not working. Note that changes may take up to 5 minutes to sync over to Fedora DS due to the way the sync works using the DirSync control.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> - Passwords are not recognized after a full init.
> FDS => AD full init = unable to log on to AD (even if we manually
> activate the account)

Right. Passwords are not synced during full init. Full init only uses passwords in the database, which are hashed and do not sync.

> FDS -> AD passwd update = passwd OK in AD

Right. Passwd update uses clear text passwords.

> Anyone has an idea?

From rmeggins at redhat.com Wed Mar 25 16:47:45 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:47:45 -0600
Subject: [Fedora-directory-users] Small change: Modrdn operation not allowed on non-leaf.
In-Reply-To: <53859ceb0903250623o24d5826xe077852e99e07f5b@mail.gmail.com>
References: <53859ceb0903250623o24d5826xe077852e99e07f5b@mail.gmail.com>
Message-ID: <49CA6031.3090108@redhat.com>

Brown Diego wrote:
> Hi,
>
> Operation 1: I read there is no way of renaming an ou or an entry if it
> has children.
>
> Please refer:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_Entries-LDIF_Update_Statements.html#LDIF_Update_Statements-Renaming_an_Entry_Using_LDIF
>
> new RDN: ou= alumini (keep existing values)
> modifying RDN of entry ou=students, o=school.com
> ldap_rename: Operation not allowed on nonleaf
>
> since the ou students has child entries in it.
>
> Operation 2: But the ldbm_modrdn.c file has the methods to rename the
> child entries also when their parent entry is renamed,
> i.e. deleting the old parent DN and changing the new superior DN (new
> parent modified using the modrdn operation).
>
> Example: moddn_rename_children
>
> When operation 1 is not allowed, how is operation 2 possible?
> What is the necessity of the methods inside
> the ldbm_modrdn.c file?

Those methods are only used for replication fix-up operations, e.g. if you rename a child entry on one server, and at the same time add children to that same entry on another master, the replication fix-up code has to be able to reconcile those two conflicting operations.

> If I am not wrong, can anybody clarify my doubt?
>
> Thanks in advance,
>
> Brown Diego.
From rmeggins at redhat.com Wed Mar 25 16:48:15 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:48:15 -0600
Subject: [Fedora-directory-users] import-merge utility clarification
In-Reply-To: <53859ceb0903250557t59d3182bs168972f372e1d124@mail.gmail.com>
References: <53859ceb0903250557t59d3182bs168972f372e1d124@mail.gmail.com>
Message-ID: <49CA604F.1000804@redhat.com>

Brown Diego wrote:
> Hi,
>
> Is anybody familiar with "import-merge.c"? How do I utilize this tool?
> From the program I gathered that it is used for importing
> small db files and then merging them finally. import_mega_merge is also
> one of the functions used in that file.
>
> I couldn't find a way to make use of this import-merge file. Is there
> any special functionality available in the directory server to merge
> the files?
>
> Do I need to import using db2ldif and then again ldif2db?

What is the problem you are trying to solve? Why do you think you need to use import-merge?

> Thanks in advance,
> Brown Diego.

From rmeggins at redhat.com Wed Mar 25 16:49:05 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:49:05 -0600
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com>
Message-ID: <49CA6081.5030808@redhat.com>

Sean Carolan wrote:
>> Beware that unless php (if you're using it) was compiled for threads, it
>> will not work with httpd.worker on Centos w/ Apache 2.0.x/2.2.x.
>
> Indeed:
>
> [Mon Mar 23 16:24:22 2009] [crit] Apache is running a threaded MPM,
> but your PHP Module is not compiled to be threadsafe. You need to
> recompile PHP.
> Pre-configuration failed
>
> I tried removing PHP and unfortunately it still doesn't work. Running
> httpd.worker from the command line produces this:
>
> [root at newldap6 ~]# /usr/sbin/httpd.worker -k start -f
> /etc/dirsrv/admin-serv/httpd.conf
> Segmentation fault
>
> Could this be because of the 64 bit OS?

No. Fedora DS admin server will only work with httpd.worker. It uses its own special httpd.conf file and other config files - it does not use /etc/httpd config files.

From rmeggins at redhat.com Wed Mar 25 16:49:57 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:49:57 -0600
Subject: [Fedora-directory-users] Windows account not activated?
In-Reply-To: <49C3C00A.9080307@inrp.fr>
References: <49C3644D.2020905@ird.fr> <49C3B6A6.7050304@inrp.fr> <49C3BCB0.60203@ird.fr> <49C3C00A.9080307@inrp.fr>
Message-ID: <49CA60B5.9040001@redhat.com>

Hugo Etievant wrote:
> Emmanuel BILLOT wrote:
>> Hugo Etievant wrote:
>>> hello,
>>>
>>> It is a known bug: https://bugzilla.redhat.com/show_bug.cgi?id=470224
>>> cf:
>>> http://www.mail-archive.com/fedora-directory-users at redhat.com/msg08538.html
>>>
>>> New FDS accounts are marked 'disabled' on AD after synchronization.
>>>
>>> regards.
>> OK, indeed.
>> Are you using a workaround?
> No.
> But our process implies some manual operations by the admin in AD for
> group manipulation, and at that moment we activate the user account.
>
> Another way is to modify the accountControl flag to 512 in AD with a
> script some minutes after user account creation in FDS...

Yes. This is a bug in the current Fedora DS winsync. The recommended method for now is to manually set the accountControl flag after account creation.

> regards

From rmeggins at redhat.com Wed Mar 25 16:51:56 2009
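The workaround Hugo describes (flip the AD flag from a script a few minutes after the account appears), as an added example that is neither Fedora DS code nor the script from the thread. It clears only the ACCOUNTDISABLE bit (0x2) of userAccountControl instead of overwriting the attribute with 512, so any other flag the account carries, such as DONT_EXPIRE_PASSWORD, survives, and it only touches accounts older than a grace period so winsync has finished with them. The entries, timestamps and DNs are constructed sample data; the filter constant is the search you would run against AD with ldapsearch to obtain the real input, and the output is LDIF for ldapmodify.

```python
"""Re-enable AD accounts that winsync created as disabled.

Added example, not Fedora DS or Red Hat code. It turns the result of an AD
search for disabled users into LDIF for ldapmodify, clearing only the
ACCOUNTDISABLE bit rather than overwriting userAccountControl with 512, so
flags such as DONT_EXPIRE_PASSWORD survive. All entries below are constructed.
"""
import base64
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Active Directory values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200          # 512, the value the thread proposes to write
DONT_EXPIRE_PASSWORD = 0x10000

# The AD search whose result this script expects: user objects with the
# disabled bit set, via the LDAP_MATCHING_RULE_BIT_AND extensible match.
DISABLED_USERS_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Constructed sample of what that search returns (whenCreated is AD generalized time).
SAMPLE_ENTRIES = [
    {"dn": "CN=jdoe,CN=Users,DC=example,DC=com", "userAccountControl": 514,
     "whenCreated": "20090325100000.0Z"},
    {"dn": "CN=svc-backup,CN=Users,DC=example,DC=com", "userAccountControl": 66050,
     "whenCreated": "20090325100700.0Z"},      # also carries DONT_EXPIRE_PASSWORD
    {"dn": "CN=asmith,CN=Users,DC=example,DC=com", "userAccountControl": 512,
     "whenCreated": "20090325094000.0Z"},      # already enabled
]
SAMPLE_NOW = datetime(2009, 3, 25, 10, 10, tzinfo=timezone.utc)   # constructed clock


def enabled_uac(current: int) -> int:
    """Clear ACCOUNTDISABLE and keep every other flag the account carries."""
    return current & ~ACCOUNTDISABLE


def parse_when_created(value: str) -> datetime:
    """AD generalized time such as 20090325100000.0Z (always UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def select_to_enable(entries, now: datetime, grace_minutes: int = 5):
    """Disabled accounts created at least grace_minutes ago, so winsync is done with them."""
    cutoff = now - timedelta(minutes=grace_minutes)
    return [e for e in entries
            if e["userAccountControl"] & ACCOUNTDISABLE
            and parse_when_created(e["whenCreated"]) <= cutoff]


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64-encode values LDIF cannot carry literally."""
    if value.isascii() and not value.startswith((" ", ":", "<")) and "\n" not in value:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode()).decode())


def enable_ldif(entries) -> str:
    """LDIF modify records, one per account, with the corrected userAccountControl."""
    records = []
    for e in entries:
        records.append("\n".join([
            ldif_attr("dn", e["dn"]),
            "changetype: modify",
            "replace: userAccountControl",
            "userAccountControl: %d" % enabled_uac(e["userAccountControl"]),
            "",
        ]))
    return "\n".join(records)


if __name__ == "__main__":
    print(enable_ldif(select_to_enable(SAMPLE_ENTRIES, SAMPLE_NOW)))
```

Run the ldapsearch with the filter shown, feed the result into select_to_enable, and pipe enable_ldif's output to ldapmodify bound as an account allowed to write userAccountControl; the script itself never talks to AD, which keeps it easy to dry-run. Rich's password finding from the "Windows data sync" thread still applies: an account enabled this way after a full init has no usable password in AD until a password change is synced over.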
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:51:56 -0600
Subject: [Fedora-directory-users] Kerberos login
In-Reply-To: <49C3656D.5060503@ird.fr>
References: <49C3656D.5060503@ird.fr>
Message-ID: <49CA612C.8080100@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> During FDS replication to AD, it seems that the "classic" login
> attribute for Windows is correctly filled with the ntuserdomainid FDS
> attribute.
> However, the userPrincipalName is also filled with the ntuserdomainid
> FDS attribute, while it should be quite different...

userPrincipalName is supposed to be username@domain where username is the samAccountName (e.g. the uid) and domain is the Windows domain name you specified when you created the sync agreement.

> Is it possible to match this attribute with another one in FDS?

Not sure what you mean.

> BR,

From rmeggins at redhat.com Wed Mar 25 16:52:35 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:52:35 -0600
Subject: [Fedora-directory-users] idm console connect to admin serv but in...
In-Reply-To: <49C23E8C.8020609@jatymy.org>
References: <49C23E8C.8020609@jatymy.org>
Message-ID: <49CA6153.4040405@redhat.com>

lejeczek wrote:
> ... in the console itself the admin server appears as using a different port than
> the one the console connects to??
> and it shows up as 'stopped'; I checked it in local.conf and admin.conf
> and...
> but if it was like it seems, the console should not be able to connect in
> the first place, right?
> so where to look, what to search for?

Try fedora-idm-console -D 9 -f console.log

> cheers

From rmeggins at redhat.com Wed Mar 25 16:54:10 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:54:10 -0600
Subject: [Fedora-directory-users] quickie on basics - another instance of directory server
In-Reply-To: <49C11037.9070702@jatymy.org>
References: <49C11037.9070702@jatymy.org>
Message-ID: <49CA61B2.9060004@redhat.com>

lejeczek wrote:
> dear all,
> I'm (an entrant) not sure I got the hang of setup-ds-admin.pl
> my understanding is:
> every box/machine hosting an idm_console-manageable Directory Server
> instance needs an Administration Server installed on this/the same box;
> this Administration Server can manage many Directory Server instances
> installed on this same box, right?

yes.

> if I'm right about the above, what am I doing wrong while setup-ds-admin.pl
> is having its second run to set up SERV_2, for which,
> from the first setup-ds-admin, SERV_1 would be the Configuration Directory
> Server?
> simple set-up, right; I let the installation know about ldap:// to SERV_1,
> etc..
> then it asks for the Administration Server port - standard 9830, right
>
> next I run idm console: there is only the newly created SERV_2, and SERV_1 is
> gone?
>
> p.s. it's f10; do you have problems creating new instances directly
> from idm console too?

There are some bugs in the additional instance creation process. If you need to create additional instances, use setup-ds.pl to create them, then use register-ds-admin.pl to register them with the console.

> a little light someone can shed on it for me?
> cheers
> lejeczek

From rmeggins at redhat.com Wed Mar 25 16:54:34 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 10:54:34 -0600
Subject: [Fedora-directory-users] Windows Sync problem
In-Reply-To: <49C0D497.4050506@ird.fr>
References: <49C0D497.4050506@ird.fr>
Message-ID: <49CA61CA.5020306@redhat.com>

Emmanuel BILLOT wrote:
> Hi,
>
> A Win Sync between FDS and Active Directory failed on our servers due
> to an FDS reboot.
> The error log says:
>
> (delta:636) - Can't locate CSN 48f3e8cc000100020000 in the changelog
> (DB rc=-30990). The consumer may need to be reinitialized.
>
> Does it mean that a consumer reinitialization should be done? In this
> case, does it erase any data in AD? What happens with AD-only
> attributes?
> Is there any method to resync without deleting AD data?

In WinSync init, no data is removed from AD.

> BR,

From scarolan at gmail.com Wed Mar 25 16:53:45 2009
From: scarolan at gmail.com (Sean Carolan)
Date: Wed, 25 Mar 2009 11:53:45 -0500
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <49CA6081.5030808@redhat.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com>
Message-ID: <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com>

> No. Fedora DS admin server will only work with httpd.worker. It uses its
> own special httpd.conf file and other config files - it does not use
> /etc/httpd config files.

Ok, I understand all that. But the initialization script fails with no useful error message, just an exit status of "1". How can I continue to troubleshoot this to find the problem?

From emmanuel.billot at ird.fr Wed Mar 25 16:56:50 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Wed, 25 Mar 2009 17:56:50 +0100
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CA5FDD.5030906@redhat.com>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com>
Message-ID: <49CA6252.6050800@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> We've installed FDS, AD and a replication agreement.
>> FDS data/passwords sync with AD.
>> AD passwords sync with FDS.
>>
>> 2 problems are still unsolved:
>> - AD modifications (name, surname, mail) are not sent to or caught by FDS.
> I suppose you could enable the replication log level and see why this
> is not working. Note that changes may take up to 5 minutes to sync
> over to Fedora DS due to the way the sync works using the DirSync
> control.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

I've enabled it but there is nothing more than an empty replication try... I thought FDS connected to AD and "ldapsearch"ed the modified entries. I can't see any request or update try.

>> - Passwords are not recognized after a full init.
>> FDS => AD full init = unable to log on to AD (even if we manually
>> activate the account)
> Right. Passwords are not synced during full init. Full init only
> uses passwords in the database, which are hashed and do not sync.
>> FDS -> AD passwd update = passwd OK in AD
> Right. Passwd update uses clear text passwords.
>>
>> Anyone has an idea?

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Wed Mar 25 17:42:39 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 11:42:39 -0600
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com>
Message-ID: <49CA6D0F.8090209@redhat.com>

Sean Carolan wrote:
>> No. Fedora DS admin server will only work with httpd.worker. It uses its
>> own special httpd.conf file and other config files - it does not use
>> /etc/httpd config files.
>
> Ok, I understand all that. But the initialization script fails with
> no useful error message, just an exit status of "1". How can I
> continue to troubleshoot this to find the problem?

You cannot run setup-ds-admin.pl again - you have to start with a completely clean system.

From rmeggins at redhat.com Wed Mar 25 17:43:44 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 11:43:44 -0600
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CA6252.6050800@ird.fr>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com> <49CA6252.6050800@ird.fr>
Message-ID: <49CA6D50.3010008@redhat.com>

Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> We've installed FDS, AD and a replication agreement.
>>> FDS data/passwords sync with AD.
>>> AD passwords sync with FDS.
>>>
>>> 2 problems are still unsolved:
>>> - AD modifications (name, surname, mail) are not sent to or caught by FDS.
>> I suppose you could enable the replication log level and see why this
>> is not working. Note that changes may take up to 5 minutes to sync
>> over to Fedora DS due to the way the sync works using the DirSync
>> control.
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> I've enabled it but there is nothing more than an empty replication try...
> I thought FDS connected to AD and "ldapsearch"ed the modified entries. I can't
> see any request or update try.

Yes. That's what it is supposed to do, if the init succeeded.

>>> - Passwords are not recognized after a full init.
>>> FDS => AD full init = unable to log on to AD (even if we manually
>>> activate the account)
>> Right. Passwords are not synced during full init. Full init only
>> uses passwords in the database, which are hashed and do not sync.
>>> FDS -> AD passwd update = passwd OK in AD
>> Right. Passwd update uses clear text passwords.
>>>
>>> Anyone has an idea?
From scarolan at gmail.com Wed Mar 25 19:29:46 2009
From: scarolan at gmail.com (Sean Carolan)
Date: Wed, 25 Mar 2009 14:29:46 -0500
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <49CA6D0F.8090209@redhat.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com>
Message-ID: <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com>

> You cannot run setup-ds-admin.pl again - you have to start with a completely
> clean system.

I wasn't talking about the setup-ds-admin.pl script. I was referring to /etc/init.d/dirsrv-admin, which simply fails with no error message. I followed the installation instructions here:

http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5

As I mentioned before, the LDAP server is working great, but the dirsrv-admin is not.

From rmeggins at redhat.com Wed Mar 25 19:33:05 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 13:33:05 -0600
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com> <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com>
Message-ID: <49CA86F1.9080606@redhat.com>

Sean Carolan wrote:
>> You cannot run setup-ds-admin.pl again - you have to start with a completely
>> clean system.
>
> I wasn't talking about the setup-ds-admin.pl script. I was referring
> to /etc/init.d/dirsrv-admin, which simply fails with no error message.
> I followed the installation instructions here:
>
> http://directory.fedoraproject.org/wiki/Download#Enterprise_Linux_5
>
> As I mentioned before, the LDAP server is working great, but the
> dirsrv-admin is not.

Does /usr/sbin/start-ds-admin work?

From scarolan at gmail.com Wed Mar 25 19:35:10 2009
From: scarolan at gmail.com (Sean Carolan)
Date: Wed, 25 Mar 2009 14:35:10 -0500
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <49CA86F1.9080606@redhat.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com> <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com> <49CA86F1.9080606@redhat.com>
Message-ID: <277020fc0903251235q534dd629xabc85277b610413c@mail.gmail.com>

> Does /usr/sbin/start-ds-admin work?

Nope:

[scarolan at newldap6 ~]$ sudo /usr/sbin/start-ds-admin
[scarolan at newldap6 ~]$ echo $?
1

From rmeggins at redhat.com Wed Mar 25 19:40:25 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 13:40:25 -0600
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <277020fc0903251235q534dd629xabc85277b610413c@mail.gmail.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com> <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com> <49CA86F1.9080606@redhat.com> <277020fc0903251235q534dd629xabc85277b610413c@mail.gmail.com>
Message-ID: <49CA88A9.3010904@redhat.com>

Sean Carolan wrote:
>> Does /usr/sbin/start-ds-admin work?
>
> Nope:
>
> [scarolan at newldap6 ~]$ sudo /usr/sbin/start-ds-admin
> [scarolan at newldap6 ~]$ echo $?
> 1

What's in /var/log/dirsrv/admin-serv/error?

From scarolan at gmail.com Wed Mar 25 19:42:01 2009
From: scarolan at gmail.com (Sean Carolan)
Date: Wed, 25 Mar 2009 14:42:01 -0500
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <49CA88A9.3010904@redhat.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com> <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com> <49CA86F1.9080606@redhat.com> <277020fc0903251235q534dd629xabc85277b610413c@mail.gmail.com> <49CA88A9.3010904@redhat.com>
Message-ID: <277020fc0903251242m4c7d4c3te084923d4c72646d@mail.gmail.com>

> What's in /var/log/dirsrv/admin-serv/error?

I get this:

[Wed Mar 25 14:41:21 2009] [crit] do_admserv_post_config(): unable to create AdmldapInfo
Configuration Failed
[Wed Mar 25 14:41:21 2009] [error] NSS_Shutdown failed: -8038

Is it unable to create a file somewhere?

From rmeggins at redhat.com Wed Mar 25 19:45:22 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 13:45:22 -0600
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <277020fc0903251242m4c7d4c3te084923d4c72646d@mail.gmail.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49C7FC89.90708@2ergo.com> <277020fc0903231434t72700f6cqa2f3279927d33a9c@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com> <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com> <49CA86F1.9080606@redhat.com> <277020fc0903251235q534dd629xabc85277b610413c@mail.gmail.com> <49CA88A9.3010904@redhat.com> <277020fc0903251242m4c7d4c3te084923d4c72646d@mail.gmail.com>
Message-ID: <49CA89D2.7080208@redhat.com>

Sean Carolan wrote:
>> What's in /var/log/dirsrv/admin-serv/error?
>
> I get this:
>
> [Wed Mar 25 14:41:21 2009] [crit] do_admserv_post_config(): unable to
> create AdmldapInfo
> Configuration Failed
> [Wed Mar 25 14:41:21 2009] [error] NSS_Shutdown failed: -8038
>
> Is it unable to create a file somewhere?

grep \^User /etc/dirsrv/admin-serv/console.conf
ls -al /etc/dirsrv/admin-serv

From scarolan at gmail.com Wed Mar 25 19:56:21 2009
From: scarolan at gmail.com (Sean Carolan)
Date: Wed, 25 Mar 2009 14:56:21 -0500
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <49CA89D2.7080208@redhat.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com> <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com> <49CA86F1.9080606@redhat.com> <277020fc0903251235q534dd629xabc85277b610413c@mail.gmail.com> <49CA88A9.3010904@redhat.com> <277020fc0903251242m4c7d4c3te084923d4c72646d@mail.gmail.com> <49CA89D2.7080208@redhat.com>
Message-ID: <277020fc0903251256j47e019e3g1a5f808036cb3fc@mail.gmail.com>

> grep \^User /etc/dirsrv/admin-serv/console.conf
> ls -al /etc/dirsrv/admin-serv

Ok, I think we are on the right track, thank you for pointing out this config file.

[scarolan at newldap6 ~]$ grep \^User /etc/dirsrv/admin-serv/console.conf
User nobody
[scarolan at newldap6 ~]$ ls -al /etc/dirsrv/admin-serv
total 56
drwxr-xr-x 2 root root  4096 Mar 23 16:21 .
drwxrwxr-x 7 root ldap  4096 Mar 23 15:49 ..
-rw-r--r-- 1 root root  3984 Mar 23 15:29 adm.conf
-rw-r--r-- 1 root root  3984 Sep  4  2008 admserv.conf
-rw-r--r-- 1 root root  4033 Sep  4  2008 console.conf
-rw-r--r-- 1 root root 27000 Sep  4  2008 httpd.conf
-rw-r--r-- 1 root root  4548 Sep  4  2008 nss.conf

The username we used to install FDS was "ldap" instead of "nobody". What should the settings be to enable the server to start?

From rmeggins at redhat.com Wed Mar 25 20:28:22 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 25 Mar 2009 14:28:22 -0600
Subject: [Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
In-Reply-To: <277020fc0903251256j47e019e3g1a5f808036cb3fc@mail.gmail.com>
References: <277020fc0903231413n32107d36t4c3e90472b42edb0@mail.gmail.com> <49CA6081.5030808@redhat.com> <277020fc0903250953t6934a207rde39683c36e4ca5d@mail.gmail.com> <49CA6D0F.8090209@redhat.com> <277020fc0903251229t6ad2f340j33c6dd2faadec730@mail.gmail.com> <49CA86F1.9080606@redhat.com> <277020fc0903251235q534dd629xabc85277b610413c@mail.gmail.com> <49CA88A9.3010904@redhat.com> <277020fc0903251242m4c7d4c3te084923d4c72646d@mail.gmail.com> <49CA89D2.7080208@redhat.com> <277020fc0903251256j47e019e3g1a5f808036cb3fc@mail.gmail.com>
Message-ID: <49CA93E6.4030500@redhat.com>

Sean Carolan wrote:
>> grep \^User /etc/dirsrv/admin-serv/console.conf
>> ls -al /etc/dirsrv/admin-serv
>>
>
> Ok, I think we are on the right track, thank you for pointing out this
> config file.
>
> [scarolan at newldap6 ~]$ grep \^User /etc/dirsrv/admin-serv/console.conf
> User nobody
> [scarolan at newldap6 ~]$ ls -al /etc/dirsrv/admin-serv
> total 56
> drwxr-xr-x 2 root root  4096 Mar 23 16:21 .
> drwxrwxr-x 7 root ldap  4096 Mar 23 15:49 ..
> -rw-r--r-- 1 root root  3984 Mar 23 15:29 adm.conf
> -rw-r--r-- 1 root root  3984 Sep  4  2008 admserv.conf
> -rw-r--r-- 1 root root  4033 Sep  4  2008 console.conf
> -rw-r--r-- 1 root root 27000 Sep  4  2008 httpd.conf
> -rw-r--r-- 1 root root  4548 Sep  4  2008 nss.conf
>
> The username we used to install FDS was "ldap" instead of "nobody".
>
Did the user "ldap" exist before you ran the setup script?
> What should the settings be to enable the server to start?
>
Looks like something went wrong in setup, and it just ignored "ldap" and used the default "nobody". The config is pretty well hosed now and you're best off by just starting over.
From emmanuel.billot at ird.fr Thu Mar 26 08:58:19 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 26 Mar 2009 09:58:19 +0100
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CA5FDD.5030906@redhat.com>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com>
Message-ID: <49CB43AB.1030304@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> We've installed FDS, AD and a replication agreement.
>> FDS data/passwords sync with AD
>> AD passwords sync with FDS.
>>
>> 2 problems are still unsolved:
>> - AD modifications (name, surname, mail) are not sent or caught in FDS
> I suppose you could enable the replication log level and see why this
> is not working. Note that changes may take up to 5 minutes to sync
> over to Fedora DS due to the way the sync works using the DirSync
> control.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>> - Passwords are not recognized after a Full init.
>> FDS => AD full init = unable to log on AD (even if we manually
>> activate the account)

Here is the log extract:

[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): No changes to send
[26/Mar/2009:09:55:43 +0100] - Calling dirsync search request plugin
[26/Mar/2009:09:55:43 +0100] - Sending dirsync search request
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Beginning linger on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Linger timeout has expired on the connection
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): State: sending_updates -> wait_for_changes
[26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win" (porlsvrdc0003:636): Disconnected from the consumer

I can't see any action.

> Right. Passwords are not synced during full init. Full init only
> uses passwords in the database which are hashed and do not sync.
>> FDS -> AD passwd update = passwd ok in AD
> Right. Passwd update uses clear text passwords.
>>
>> Does anyone have an idea?
>>
>

-- 
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Thu Mar 26 09:45:47 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 26 Mar 2009 10:45:47 +0100
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <14896_1238057923_49CB43C3_14896_1599_1_49CB43AB.1030304@ird.fr>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com> <14896_1238057923_49CB43C3_14896_1599_1_49CB43AB.1030304@ird.fr>
Message-ID: <49CB4ECB.5030403@ird.fr>

Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> We've installed FDS, AD and a replication agreement.
>>> FDS data/passwords sync with AD
>>> AD passwords sync with FDS.
>>>
>>> 2 problems are still unsolved:
>>> - AD modifications (name, surname, mail) are not sent or caught in FDS
>> I suppose you could enable the replication log level and see why this
>> is not working. Note that changes may take up to 5 minutes to sync
>> over to Fedora DS due to the way the sync works using the DirSync
>> control.
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>> - Passwords are not recognized after a Full init.
>>> FDS => AD full init = unable to log on AD (even if we manually
>>> activate the account)
> Here is the log extract:
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): No changes to send
> [26/Mar/2009:09:55:43 +0100] - Calling dirsync search request plugin
> [26/Mar/2009:09:55:43 +0100] - Sending dirsync search request
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): Beginning linger on the connection
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): Linger timeout has expired on the connection
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): State: sending_updates -> wait_for_changes
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): Disconnected from the consumer
>
> I can't see any action.
>> Right. Passwords are not synced during full init. Full init only
>> uses passwords in the database which are hashed and do not sync.
>>> FDS -> AD passwd update = passwd ok in AD
>> Right. Passwd update uses clear text passwords.
>>>
>>> Does anyone have an idea?
>>>
>>
>

Ok, I found the problem: "Replicating directory changes" was not among the replicating user's rights.
All seems to be ok now.

Thanks.
BR,

-- 
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Thu Mar 26 09:49:33 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 26 Mar 2009 10:49:33 +0100
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CA5FDD.5030906@redhat.com>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com>
Message-ID: <49CB4FAD.1000701@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> We've installed FDS, AD and a replication agreement.
>> FDS data/passwords sync with AD
>> AD passwords sync with FDS.
>>
>> 2 problems are still unsolved:
>> - AD modifications (name, surname, mail) are not sent or caught in FDS
> I suppose you could enable the replication log level and see why this
> is not working. Note that changes may take up to 5 minutes to sync
> over to Fedora DS due to the way the sync works using the DirSync
> control.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>> - Passwords are not recognized after a Full init.
>> FDS => AD full init = unable to log on AD (even if we manually
>> activate the account)
> Right. Passwords are not synced during full init. Full init only
> uses passwords in the database which are hashed and do not sync.
>> FDS -> AD passwd update = passwd ok in AD
> Right. Passwd update uses clear text passwords.
>>
>> Does anyone have an idea?
>>
>

Ok.
Is there any best practice when adding AD to a FDS?
I don't think I will ask all users to update their password just for it...?

-- 
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From rmeggins at redhat.com Thu Mar 26 14:37:54 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 26 Mar 2009 08:37:54 -0600
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CB4FAD.1000701@ird.fr>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com> <49CB4FAD.1000701@ird.fr>
Message-ID: <49CB9342.2080806@redhat.com>

Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> We've installed FDS, AD and a replication agreement.
>>> FDS data/passwords sync with AD
>>> AD passwords sync with FDS.
>>>
>>> 2 problems are still unsolved:
>>> - AD modifications (name, surname, mail) are not sent or caught in FDS
>> I suppose you could enable the replication log level and see why this
>> is not working. Note that changes may take up to 5 minutes to sync
>> over to Fedora DS due to the way the sync works using the DirSync
>> control.
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>> - Passwords are not recognized after a Full init.
>>> FDS => AD full init = unable to log on AD (even if we manually
>>> activate the account)
>> Right. Passwords are not synced during full init. Full init only
>> uses passwords in the database which are hashed and do not sync.
>>> FDS -> AD passwd update = passwd ok in AD
>> Right. Passwd update uses clear text passwords.
>>>
>>> Does anyone have an idea?
>>>
>>
> Ok.
> Is there any best practice when adding AD to a FDS?
> I don't think I will ask all users to update their password just for
> it...?

That's one of the main problems with Windows Sync/Pass Sync. There is really no way to sync passwords - AD uses an irreversible hash/encryption, and so does Fedora DS.
The Samba and freeIPA guys are working on ways to mitigate this situation.

From emmanuel.billot at ird.fr Thu Mar 26 14:48:20 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Thu, 26 Mar 2009 15:48:20 +0100
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CB9342.2080806@redhat.com>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com> <49CB4FAD.1000701@ird.fr> <49CB9342.2080806@redhat.com>
Message-ID: <49CB95B4.7010905@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Rich Megginson wrote:
>>> Emmanuel BILLOT wrote:
>>>> Hi,
>>>>
>>>> We've installed FDS, AD and a replication agreement.
>>>> FDS data/passwords sync with AD
>>>> AD passwords sync with FDS.
>>>>
>>>> 2 problems are still unsolved:
>>>> - AD modifications (name, surname, mail) are not sent or caught in
>>>> FDS
>>> I suppose you could enable the replication log level and see why
>>> this is not working. Note that changes may take up to 5 minutes to
>>> sync over to Fedora DS due to the way the sync works using the
>>> DirSync control.
>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>> - Passwords are not recognized after a Full init.
>>>> FDS => AD full init = unable to log on AD (even if we manually
>>>> activate the account)
>>> Right. Passwords are not synced during full init. Full init only
>>> uses passwords in the database which are hashed and do not sync.
>>>> FDS -> AD passwd update = passwd ok in AD
>>> Right. Passwd update uses clear text passwords.
>>>>
>>>> Does anyone have an idea?
>>>>
>>>
>> Ok.
>> Is there any best practice when adding AD to a FDS?
>> I don't think I will ask all users to update their password just for
>> it...?
> That's one of the main problems with Windows Sync/Pass Sync. There is
> really no way to sync passwords - AD uses an irreversible
> hash/encryption, and so does Fedora DS.
> The Samba and freeIPA guys are working on ways to mitigate this
> situation.

I had an idea (maybe totally crazy).
What happens if, for each FDS entry, the password is updated with the same hashed value after init?
Does WinSync require the cleartext password to work?

-- 
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From rmeggins at redhat.com Thu Mar 26 14:54:40 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 26 Mar 2009 08:54:40 -0600
Subject: [Fedora-directory-users] Windows data sync
In-Reply-To: <49CB95B4.7010905@ird.fr>
References: <49CA5331.2030100@ird.fr> <49CA5FDD.5030906@redhat.com> <49CB4FAD.1000701@ird.fr> <49CB9342.2080806@redhat.com> <49CB95B4.7010905@ird.fr>
Message-ID: <49CB9730.6030507@redhat.com>

Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Rich Megginson wrote:
>>>> Emmanuel BILLOT wrote:
>>>>> Hi,
>>>>>
>>>>> We've installed FDS, AD and a replication agreement.
>>>>> FDS data/passwords sync with AD
>>>>> AD passwords sync with FDS.
>>>>>
>>>>> 2 problems are still unsolved:
>>>>> - AD modifications (name, surname, mail) are not sent or caught
>>>>> in FDS
>>>> I suppose you could enable the replication log level and see why
>>>> this is not working. Note that changes may take up to 5 minutes to
>>>> sync over to Fedora DS due to the way the sync works using the
>>>> DirSync control.
>>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>>> - Passwords are not recognized after a Full init.
>>>>> FDS => AD full init = unable to log on AD (even if we manually
>>>>> activate the account)
>>>> Right. Passwords are not synced during full init. Full init only
>>>> uses passwords in the database which are hashed and do not sync.
>>>>> FDS -> AD passwd update = passwd ok in AD
>>>> Right. Passwd update uses clear text passwords.
>>>>>
>>>>> Does anyone have an idea?
>>>>>
>>>>
>>> Ok.
>>> Is there any best practice when adding AD to a FDS?
>>> I don't think I will ask all users to update their password just for
>>> it...?
>> That's one of the main problems with Windows Sync/Pass Sync. There
>> is really no way to sync passwords - AD uses an irreversible
>> hash/encryption, and so does Fedora DS.
>> The Samba and freeIPA guys are working on ways to mitigate this
>> situation.
> I had an idea (maybe totally crazy).
> What happens if, for each FDS entry, the password is updated with the
> same hashed value after init?
> Does WinSync require the cleartext password to work?

WinSync must have access to the clear text password to send it to AD, and vice versa - that's what passsync does - it intercepts the clear text password modification so that it can send the clear text password to Fedora DS.

From lambam80 at hotmail.com Fri Mar 27 12:11:48 2009
From: lambam80 at hotmail.com (lambam80 at hotmail.com)
Date: Fri, 27 Mar 2009 08:11:48 -0400
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
In-Reply-To: <30abda540903240521x207cbbafo17423867427c6c40@mail.gmail.com>
References: <30abda540903240521x207cbbafo17423867427c6c40@mail.gmail.com>
Message-ID:

Hello Neron Ring.

Certificate to LDAP Mapping:
http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
Page 198 ish.

API:
----
From page 201 of the above guide:
< You can use the Certificate Mapping API to create your own properties. For
< information on using the Certificate Mapping API, see "Certificate Mapping SDKs"
< at the following URL - which is followed by a defunct link.

Try here, rather:
http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/

I hope this helps, laters. I'll keep an eye out for further questions along this line.

Date: Tue, 24 Mar 2009 17:51:50 +0530
From: neuronring at gmail.com
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API

Hi all,

I need to use "Certificate to LDAP Mapping" functionality.
The README file in the source ldapserver/lib/ldaputil/examples path suggests:
Refer "Certificate to LDAP Mapping API" documentation to find out about the various API functions and how you can write your plug-in.
And also to refer "Managing servers" manual. But I couldn't get those documents. How can I write my own plug-in for LDAP Mapping?
Or what can I do with Certmap.conf file to configure Certificate to LDAP Mapping.
Can somebody provide link to that document or explain what is Certificate to LDAP Mapping.

Thanks in advance,
Neuron Ring.

From neuronring at gmail.com Fri Mar 27 12:51:18 2009
From: neuronring at gmail.com (neuron ring)
Date: Fri, 27 Mar 2009 18:21:18 +0530
Subject: [Fedora-directory-users] Certificate to LDAP mapping problem
Message-ID: <30abda540903270551u136a07e3w940df902a8e088e5@mail.gmail.com>

Hi lambam,

I am trying to do LDAP client certificate mapping. I had given an insight of my configuration.

My certmap.conf file:

certmap example ou=employees,o=us.com   <-- this is the DN of the CA issuer
example:verifycert on
example:DNComps cn,email,roomNumber
example:FilterComps l,email,uid,telephoneNumber
example:CmapLdapAttr certSubjectDN

Generation of CA cert:

certutil -S -n "CertCA" -s "ou= employees,o= us.com" -x -t "CT,," -m 1000 -v 120 -d -z noise.txt -f pwdfile.txt

Is this correct? I assume ou=employees,o=us.com is my CA cert issuer. So I am using it as issuerDN value in certmap.conf.

Creating client certificate:

certutil -S -n "certuser" -s "cn=certuser, ou=employees,o=us.com " -c " CertCA " -t "u,u,u" -m 1003 -v 120 -d -z noise.txt -f pwdfile.txt

and adding userCertificate;binary attribute to that user entry, after creating binary certificate.

certutil -L -d -n "certuser" -r >usercert.bin

When I try to ldapsearch:

ldapsearch -h myhost -p 636 -Z -P /etc/opt/dirsrv/slapd-/cert8.db -N " certuser " -K /etc/opt/dirsrv/slapd-/key3.db -W "password" -b "o=us.com" cn=certuser

ldap_sasl_bind: Invalid credentials
ldap_sasl_bind: additional info: client certificate mapping failed

But when I change the issuerDN in certmap.conf file to whatever dn (even if it is non-existing and invalid) I am getting the search Result properly. But the criteria is that the issuerDN in certmap.conf should be exactly the same DN as the one that issues the CA certificate.

The problem is whenever I use the correct issuerDN in the first line of certmap.conf file I am getting the error.

I am totally confused. Can somebody help me to get rid of this problem?

Thanks in advance,
Neuron Ring.

Hello Neron Ring.

Certificate to LDAP Mapping:
http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
Page 198 ish.

API:
----
From page 201 of the above guide:
< You can use the Certificate Mapping API to create your own properties. For
< information on using the Certificate Mapping API, see "Certificate Mapping SDKs"
< at the following URL - which is followed by a defunct link.

Try here, rather:
http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/

I hope this helps, laters. I'll keep an eye out for further questions along this line.

--------------------------------------------------------------------------------
Date: Tue, 24 Mar 2009 17:51:50 +0530
From: neuronring at gmail.com
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API

Hi all,

I need to use "Certificate to LDAP Mapping" functionality.
The README file in the source ldapserver/lib/ldaputil/examples path suggests:
Refer "Certificate to LDAP Mapping API" documentation to find out about the various API functions and how you can write your plug-in.
And also to refer "Managing servers" manual. But I couldn't get those documents. How can I write my own plug-in for LDAP Mapping?
Or what can I do with Certmap.conf file to configure Certificate to LDAP Mapping.
Can somebody provide link to that document or explain what is Certificate to LDAP Mapping.

Thanks in advance,
Neuron Ring.

From rmeggins at redhat.com Sat Mar 28 18:55:33 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Sat, 28 Mar 2009 12:55:33 -0600
Subject: [Fedora-directory-users] Certificate to LDAP mapping problem
In-Reply-To: <30abda540903270551u136a07e3w940df902a8e088e5@mail.gmail.com>
References: <30abda540903270551u136a07e3w940df902a8e088e5@mail.gmail.com>
Message-ID: <49CE72A5.8020308@redhat.com>

neuron ring wrote:
>
> Hi lambam,
>
> I am trying to do LDAP client certificate mapping. I had given an
> insight of my configuration.
>
> My certmap.conf file:
>
> certmap example ou=employees,o=us.com   <-- this is the DN of the CA issuer
> example:verifycert on
> example:DNComps cn,email,roomNumber
>
Try example:DNComps ou,o
>
> example:FilterComps l,email,uid,telephoneNumber
>
example:FilterComps cn
>
> example:CmapLdapAttr certSubjectDN
>
I don't think you want to use CmapLdapAttr

See http://directory.fedoraproject.org/wiki/Howto:CertMapping for more information
>
> Generation of CA cert:
>
> certutil -S -n "CertCA" -s "ou= employees,o= us.com "
> -x -t "CT,," -m 1000 -v 120 -d
> -z noise.txt -f pwdfile.txt
>
> Is this correct?
>
> I assume ou=employees,o=us.com is my CA cert issuer.
> So I am using it as issuerDN value in certmap.conf.
>
> Creating client certificate:
>
> certutil -S -n "certuser" -s "cn=certuser, ou=employees,o=us.com
> " -c " CertCA " -t "u,u,u" -m 1003 -v 120 -d
> -z noise.txt -f pwdfile.txt
>
> and adding userCertificate;binary attribute to that user entry, after
> creating binary certificate.
>
> certutil -L -d -n "certuser" -r >usercert.bin
>
> When I try to ldapsearch:
>
> ldapsearch -h myhost -p 636 -Z -P
> /etc/opt/dirsrv/slapd-/cert8.db -N " certuser " -K
> /etc/opt/dirsrv/slapd-/key3.db -W "password" -b "o=us.com
> " cn=certuser
>
> ldap_sasl_bind: Invalid credentials
> ldap_sasl_bind: additional info: client certificate mapping failed
>
> But when I change the issuerDN in certmap.conf file to whatever dn
> (even if it is non-existing and invalid) I am getting the search
> Result properly. But the criteria is that the issuerDN in certmap.conf
> should be exactly the same DN as the one that issues the CA certificate.
>
> The problem is whenever I use the correct issuerDN in the first line of
> certmap.conf file I am getting the error.
>
> I am totally confused. Can somebody help me to get rid of this problem?
>
> Thanks in advance,
> Neuron Ring.
>
> Hello Neron Ring.
>
>
> Certificate to LDAP Mapping:
>
> http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
>
> Page 198 ish.
>
> API:
> ----
>
> From page 201 of the above guide:
>
> < You can use the Certificate Mapping API to create your own
> properties. For
> < information on using the Certificate Mapping API, see "Certificate
> Mapping SDKs"
> < at the following URL - which is followed by a defunct link.
>
> Try here, rather:
>
> http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/
>
> I hope this helps, laters. I'll keep an eye out for further questions
> along this line.
>
>
> --------------------------------------------------------------------------------
> Date: Tue, 24 Mar 2009 17:51:50 +0530
> From: neuronring at gmail.com
> To: fedora-directory-users at redhat.com
>
> Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
>
> Hi all,
>
> I need to use "Certificate to LDAP Mapping" functionality.
>
> The README file in the source ldapserver/lib/ldaputil/examples path
> suggests:
> Refer "Certificate to LDAP Mapping API" documentation to find out
> about the various API functions and how you can write your
> plug-in.
>
> And also to refer "Managing servers" manual. But I couldn't get those
> documents. How can I write my own plug-in for LDAP Mapping?
>
> Or what can I do with Certmap.conf file to configure Certificate to
> LDAP Mapping.
>
> Can somebody provide link to that document or explain
> what is Certificate to LDAP Mapping.
>
> Thanks in advance,
> Neuron Ring.
>
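Added example, not code from the thread or from Directory Server: a small Python model of the certmap.conf lookup the two posts above argue about. It selects a mapping by comparing the certificate's issuer DN with each issuerDN line (after normalizing case and the stray spaces seen in the certutil -s arguments), then derives the search base and filter from DNComps and FilterComps, so it shows both why a deliberately wrong issuerDN made the bind succeed (the broken "example" mapping was never selected) and what the poster's mapping versus the suggested one would search for. The fallbacks for a missing DNComps or FilterComps are assumptions of this simplified model, not documented server behaviour.

```python
# Added example (not Directory Server code, not from the thread): a small
# model of how a certmap.conf mapping turns a client certificate's issuer
# and subject DN into an LDAP search.  Simplifications are marked.


def parse_dn(dn):
    """'cn=certuser, ou=employees,o=us.com' -> [(attr, value), ...];
    attrs lower-cased, stray spaces trimmed.  Assumption: no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form used when comparing issuer DNs."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def parse_certmap(text):
    """'certmap <name> <issuerDN>' opens a mapping; '<name>:<prop> <value>'
    lines attach properties to it.  '#' starts a comment."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            mappings[name] = {"issuer": issuer, "props": {}}
        else:
            key, _, value = line.partition(" ")
            name, _, prop = key.partition(":")
            mappings[name]["props"][prop] = value.strip()
    return mappings


def select_mapping(mappings, cert_issuer_dn):
    """The mapping whose issuerDN equals the cert's issuer (after
    normalization) wins, else 'default'.  This is why a wrong issuerDN made
    the poster's bind succeed: the broken 'example' mapping was skipped."""
    wanted = normalize_dn(cert_issuer_dn)
    for name, m in mappings.items():
        if name != "default" and normalize_dn(m["issuer"]) == wanted:
            return name
    return "default"


def build_search(mapping, cert_subject_dn):
    """(base DN, filter).  DNComps lists the subject components that form
    the base, FilterComps those ANDed into the filter; components absent
    from the subject are skipped.  Assumption (simplified model): no
    DNComps -> whole subject DN; no usable FilterComps -> (objectclass=*)."""
    subject, props = parse_dn(cert_subject_dn), mapping["props"]

    def pick(prop):
        wanted = [a.strip().lower() for a in props.get(prop, "").split(",")]
        return [(a, v) for a, v in subject if a in wanted]

    if "DNComps" in props:
        base = ",".join(f"{a}={v}" for a, v in pick("DNComps"))
    else:
        base = cert_subject_dn.strip()
    terms = [f"({a}={v})" for a, v in pick("FilterComps")]
    flt = terms[0] if len(terms) == 1 else "(&%s)" % "".join(terms) if terms else "(objectclass=*)"
    return base, flt


def search_for(certmap_text, issuer, subject):
    """(mapping name, base DN, filter) the server would use for this cert."""
    mappings = parse_certmap(certmap_text)
    name = select_mapping(mappings, issuer)
    return (name,) + build_search(mappings[name], subject)


# Constructed inputs mirroring the thread: the poster's file, then the reply's
# suggestion; the CA subject keeps the spaces typed in the certutil -s argument.
POSTER_CERTMAP = """\
certmap example ou=employees,o=us.com
example:verifycert on
example:DNComps cn,email,roomNumber
example:FilterComps l,email,uid,telephoneNumber
example:CmapLdapAttr certSubjectDN
certmap default default
"""
SUGGESTED_CERTMAP = """\
certmap example ou=employees,o=us.com
example:verifycert on
example:DNComps ou,o
example:FilterComps cn
"""
CA_SUBJECT = "ou= employees,o= us.com"
USER_SUBJECT = "cn=certuser, ou=employees,o=us.com"
```

With the poster's file the "example" mapping yields base "cn=certuser" and filter (objectclass=*), a base that exists nowhere under o=us.com, while the suggested mapping yields base "ou=employees,o=us.com" with filter (cn=certuser).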