From rmeggins at redhat.com Fri May 1 00:24:42 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 30 Apr 2009 18:24:42 -0600
Subject: [Fedora-directory-users] Unknown attribute nsslapd-ldapiautonsuffix will be ignored
In-Reply-To:
References:
Message-ID: <49FA414A.8080609@redhat.com>

James Chavez wrote:
> Hello list,
> I upgraded my FDS install (yum upgrade fedora-ds, yum upgrade
> fedora-ds-base etc..) on one of my boxes and the directory restarts
> fine. However I receive the following messages in the error log. I am
> hoping that someone has seen this message before and can decipher it
> for me.
> The entry exists in the dse file so I figure it is some new
> configuration parameter as it is new since upgrade. I tried Google
> before the list and nothing turned up.

That attribute has been deprecated in favor of SASL/EXTERNAL with sasl
mapping. You can just remove that attribute from cn=config

> config - Unknown attribute nsslapd-ldapiautonsuffix will be ignored
>
> Here is what I have installed.
>
> fedora-ds-base-1.2.0-3.fc9.i386
> fedora-ds-admin-1.1.7-3.fc9.i386
> fedora-ds-1.1.3-1.fc9.noarch
> fedora-ds-dsgw-1.1.2-1.fc9.i386
> fedora-ds-admin-console-1.1.3-1.fc9.noarch
> fedora-ds-console-1.2.0-1.fc9.noarch
>
> Thanks
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
From rmeggins at redhat.com Fri May 1 16:38:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 01 May 2009 10:38:21 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <200904271145.09126.rpolli@babel.it>
References: <49D2D1A0.3070307@redhat.com> <200904271145.09126.rpolli@babel.it>
Message-ID: <49FB257D.4030906@redhat.com>

Roberto Polli wrote:
> If I'm late it's good for 1.4 ;)
>
> * the ability to set attribute values using a set of internal functions (eg.
> timestamp, incremental log value)
>
> * search in subtrees of view: when I create a view (eg. a view of domains) I
> can't search in its subentries (eg. in ou=people, dc=domain)
>
> Peace, R.

I'm not sure I understand these - can you explain them more?

From agiggins at wcg.net.au Mon May 4 06:41:54 2009
From: agiggins at wcg.net.au (Anthony Giggins)
Date: Mon, 4 May 2009 16:41:54 +1000
Subject: [Fedora-directory-users] fds fails to start in centos 5.3 openvz instance
Message-ID:

Hi Guys,

After installing fds on Centos 5.3 in an OpenVZ virtual instance from
the Enterprise Linux 5 instructions provided
http://directory.fedoraproject.org/wiki/Download
I'm getting the errors below in the logs when starting the service.

[04/May/2009:02:33:21 -0400] - Fedora-Directory/1.2.0 B2009.091.197 starting up
[04/May/2009:02:33:21 -0400] - Failed to create semaphore for stats file (/var/run/dirsrv/slapd-sso.stats).
Error 38.(Function not implemented)

I'm pretty sure this is going to be an OpenVZ issue but I thought I'd post
here first to get an idea what is actually failing so I can investigate the
OpenVZ side of things, any information that can help me troubleshoot this
issue would be great.

Thank You

Anthony

From rpolli at babel.it Mon May 4 09:11:26 2009
From: rpolli at babel.it (Roberto Polli)
Date: Mon, 4 May 2009 11:11:26 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49FB257D.4030906@redhat.com>
References: <49D2D1A0.3070307@redhat.com> <200904271145.09126.rpolli@babel.it> <49FB257D.4030906@redhat.com>
Message-ID: <200905041111.26688.rpolli@babel.it>

On Friday 01 May 2009 18:38:21 Rich Megginson wrote:
> > * the ability to set attribute values using a set of internal functions
> > (eg. timestamp, incremental log value)

sql supports functions. eg.
INSERT INTO mytable VALUES (NOW());
UPDATE mytable SET revision = revision + 1;

this enables the ability to use custom attributes for storing timestamps, as
modifyTimestamp is unmodifiable.

> > * search in subtrees of view: when I create a view (eg. a view of
> > domains) I can't search in its subentries (eg. in ou=people, dc=domain)

base tree:
dc=example.com, o=example ltd, dc=top
dc=example.net, o=example ltd, dc=top
dc=company.com, o=company ltd, dc=top

using views I can create a tree of all domains, no matter which organization:
ou=domainView, dc=top
nsViewFilter: (dc=*)

so under ou=domainView I got all domains
dc=example.com,ou=domainView
dc=company.com,ou=domainView
...

imagine I'd like to search a user under domain example.com
dn: uid=jondoe,dc=example.com,o=example ltd,dc=top

I could search straight in
dc=example.com,ou=domainView,dc=top

or pick directly
uid=jondoe,dc=example.com,ou=domainView,dc=top

but it's not possible.

hoping to have been clear...
Thx+Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel.
cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"This message contains confidential information. Should you have received it
in error, please kindly notify us by e-mail. We also ask you to destroy the
message received in error. The above is requested of you in order to comply
with the law on the protection of personal data."

From rmeggins at redhat.com Mon May 4 13:10:48 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 May 2009 07:10:48 -0600
Subject: [Fedora-directory-users] fds fails to start in centos 5.3 openvz instance
In-Reply-To:
References:
Message-ID: <49FEE958.5070607@redhat.com>

Anthony Giggins wrote:
> Hi Guys,
>
> After installing fds on Centos 5.3 in an OpenVZ virtual instance from
> the Enterprise Linux 5 instructions provided
> http://directory.fedoraproject.org/wiki/Download
> I'm getting the errors below in the logs when starting the service.
>
> [04/May/2009:02:33:21 -0400] - Fedora-Directory/1.2.0 B2009.091.197
> starting up
> [04/May/2009:02:33:21 -0400] - Failed to create semaphore for stats file
> (/var/run/dirsrv/slapd-sso.stats). Error 38.(Function not implemented)
>
> I'm pretty sure this is going to be an OpenVZ issue but I thought I'd
> post here first to get an idea what is actually failing so I can
> investigate the OpenVZ side of things, any information that can help me
> troubleshoot this issue would be great.

Does /var/run/dirsrv exist? Is it writable by your directory server user?

> Thank You
>
> Anthony
From jsullivan at opensourcedevel.com Mon May 4 14:17:39 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 04 May 2009 10:17:39 -0400
Subject: [Fedora-directory-users] HELP! Lost single Master
Message-ID: <1241446660.6370.13.camel@jaspav.missionsit.net.missionsit.net>

Hello, everyone. I did something really stupid. I accidentally destroyed
our Single Master replica server (that's what I get for resynching a failed
RAID1 drive without realizing the drive device names had changed because of
the failed drive!). Thankfully we were not yet in production (although very
close and thus using lots of data). However, because we were not yet in
production, it was not backed up.

I'd like to recover the data from the read only replica. I'm guessing I can
disable replication on the RO server and it will retain the data but now
with write privileges. I can then rebuild the master, create a reverse
replication agreement to transfer the data back. Then I can break that
replication agreement, create a new one in the correct direction, and
reinitialize the supplier.

However, when I created the replica server, we told it to join an existing
directory server domain. Is this simply based upon name? In other words,
once I rebuild the main server and configure it using the same name and
address as the original, will the secondary recognize it as the domain to
which it registered or do I really need to destroy all servers and recreate
the entire domain from scratch? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Mon May 4 14:28:57 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 May 2009 08:28:57 -0600
Subject: [Fedora-directory-users] HELP!
Lost single Master
In-Reply-To: <1241446660.6370.13.camel@jaspav.missionsit.net.missionsit.net>
References: <1241446660.6370.13.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49FEFBA9.6070603@redhat.com>

John A. Sullivan III wrote:
> Hello, everyone. I did something really stupid. I accidentally
> destroyed our Single Master replica server (that's what I get for
> resynching a failed RAID1 drive without realizing the drive device names
> had changed because of the failed drive!). Thankfully we were not yet
> in production (although very close and thus using lots of data).
> However, because we were not yet in production, it was not backed up.
>
> I'd like to recover the data from the read only replica. I'm guessing I
> can disable replication on the RO server and it will retain the data but
> now with write privileges. I can then rebuild the master, create a
> reverse replication agreement to transfer the data back. Then I can
> break that replication agreement, create a new one in the correct
> direction, and reinitialize the supplier.

No, it's not that complicated. The simplest way would be to just use
db2ldif to dump your replica database, then use ldif2db to import it into
the master. Then reinit your replica from the master.

> However, when I created the replica server, we told it to join an
> existing directory server domain. Is this simply based upon name? In
> other words, once I rebuild the main server and configure it using the
> same name and address as the original, will the secondary recognize it
> as the domain to which it registered or do I really need to destroy all
> servers and recreate the entire domain from scratch? Thanks - John

I'm not sure what you mean.
From jsullivan at opensourcedevel.com Mon May 4 15:19:33 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 04 May 2009 11:19:33 -0400
Subject: [Fedora-directory-users] HELP! Lost single Master
In-Reply-To: <49FEFBA9.6070603@redhat.com>
References: <1241446660.6370.13.camel@jaspav.missionsit.net.missionsit.net> <49FEFBA9.6070603@redhat.com>
Message-ID: <1241450373.6370.19.camel@jaspav.missionsit.net.missionsit.net>

On Mon, 2009-05-04 at 08:28 -0600, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > Hello, everyone. I did something really stupid. I accidentally
> > destroyed our Single Master replica server (that's what I get for
> > resynching a failed RAID1 drive without realizing the drive device names
> > had changed because of the failed drive!). Thankfully we were not yet
> > in production (although very close and thus using lots of data).
> > However, because we were not yet in production, it was not backed up.
> >
> > I'd like to recover the data from the read only replica. I'm guessing I
> > can disable replication on the RO server and it will retain the data but
> > now with write privileges. I can then rebuild the master, create a
> > reverse replication agreement to transfer the data back. Then I can
> > break that replication agreement, create a new one in the correct
> > direction, and reinitialize the supplier.
> >
> No, it's not that complicated. The simplest way would be to just use
> db2ldif to dump your replica database, then use ldif2db to import it
> into the master. Then reinit your replica from the master.

Phew!

> > However, when I created the replica server, we told it to join an
> > existing directory server domain. Is this simply based upon name?
> > In other words, once I rebuild the main server and configure it using the
> > same name and address as the original, will the secondary recognize it
> > as the domain to which it registered or do I really need to destroy all
> > servers and recreate the entire domain from scratch? Thanks - John
> >
> I'm not sure what you mean.

When we installed the first server, we told it there was no existing
directory server instance with which to register. When we created the RO
replica server, we told it to register with the existing instance.

How do we handle that now that the original instance has been destroyed?
What did registering it do? Thanks - John
--
John A. Sullivan III

From rmeggins at redhat.com Mon May 4 15:23:38 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 May 2009 09:23:38 -0600
Subject: [Fedora-directory-users] HELP! Lost single Master
In-Reply-To: <1241450373.6370.19.camel@jaspav.missionsit.net.missionsit.net>
References: <1241446660.6370.13.camel@jaspav.missionsit.net.missionsit.net> <49FEFBA9.6070603@redhat.com> <1241450373.6370.19.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <49FF087A.6080201@redhat.com>

John A. Sullivan III wrote:
> On Mon, 2009-05-04 at 08:28 -0600, Rich Megginson wrote:
>
>> John A. Sullivan III wrote:
>>
>>> Hello, everyone. I did something really stupid. I accidentally
>>> destroyed our Single Master replica server (that's what I get for
>>> resynching a failed RAID1 drive without realizing the drive device names
>>> had changed because of the failed drive!). Thankfully we were not yet
>>> in production (although very close and thus using lots of data).
>>> However, because we were not yet in production, it was not backed up.
>>>
>>> I'd like to recover the data from the read only replica.
>>> I'm guessing I
>>> can disable replication on the RO server and it will retain the data but
>>> now with write privileges. I can then rebuild the master, create a
>>> reverse replication agreement to transfer the data back. Then I can
>>> break that replication agreement, create a new one in the correct
>>> direction, and reinitialize the supplier.
>>>
>> No, it's not that complicated. The simplest way would be to just use
>> db2ldif to dump your replica database, then use ldif2db to import it
>> into the master. Then reinit your replica from the master.
>>
> Phew!
>
>>> However, when I created the replica server, we told it to join an
>>> existing directory server domain. Is this simply based upon name? In
>>> other words, once I rebuild the main server and configure it using the
>>> same name and address as the original, will the secondary recognize it
>>> as the domain to which it registered or do I really need to destroy all
>>> servers and recreate the entire domain from scratch? Thanks - John
>>>
>> I'm not sure what you mean.
>>
> When we installed the first server, we told it there was no existing
> directory server instance with which to register. When we created the
> RO replica server, we told it to register with the existing instance.
>
> How do we handle that now that the original instance has been destroyed?
> What did registering it do? Thanks - John

Ah, ok. I think you need to run the register-ds-admin.pl command after you
restore the data on the master, and tell it you want the master to be the
configuration directory server. Then you'll have to run setup-ds-admin.pl -u
(or possibly register-ds-admin.pl) on the replica to register it with the
configuration directory server.
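The recovery path in this thread is "db2ldif on the surviving replica, ldif2db on the rebuilt master, then reinit the replica". Before running the import it is worth sanity-checking the dump, because ldif2db will happily load a file with duplicate or out-of-suffix entries. The script below is an added example, not code from the thread or from the Fedora Directory Server project: it parses LDIF in the form db2ldif writes (RFC 2849 syntax: folded continuation lines, `::` base64 values, `#` comments, blank-line entry separators) and reports duplicate DNs, entries outside the expected suffix, entries with no objectClass, and whether the suffix entry itself is present. The suffix `dc=example,dc=com` and the sample LDIF at the bottom are constructed for the demo.

```python
"""Sanity-check an LDIF dump before importing it into a rebuilt master.

Added example (not the project's code). Usage:
    python check_dump.py /path/to/replica-dump.ldif dc=example,dc=com
"""
import base64
import sys
from collections import Counter


def _decode(line):
    """Split 'attr: value', 'attr:: base64' or 'attr:< url' into (lowercased name, value)."""
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("malformed LDIF line: %r" % line)
    if rest.startswith(":"):                       # base64-encoded value
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    elif rest.startswith("<"):                     # URL reference: keep the URL itself
        value = rest[1:].strip()
    else:
        value = rest.strip()
    return name.strip().lower(), value


def _build_entry(lines):
    """Turn one block of logical lines into (dn, {attr: [values]}); dn is None if the block has no dn."""
    dn, attrs = None, {}
    for line in lines:
        name, value = _decode(line)
        if name == "version":                      # the 'version: 1' header is not an attribute
            continue
        if name == "dn":
            dn = value
            continue
        attrs.setdefault(name, []).append(value)
    return dn, attrs


def parse_ldif(text):
    """Return a list of (dn, attrs) tuples from LDIF text."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # folded line: continues the previous logical line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], []
    for line in logical + [""]:                    # trailing sentinel flushes the last entry
        if line == "":
            if current:
                entry = _build_entry(current)
                if entry[0] is not None:
                    entries.append(entry)
                current = []
            continue
        if line.startswith("#"):
            continue
        current.append(line)
    return entries


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form for comparison (enough for db2ldif output;
    a full RFC 4514 parser would also handle escaped separators)."""
    rdns = []
    for part in dn.split(","):
        attr_type, _, value = part.partition("=")
        rdns.append("%s=%s" % (attr_type.strip().lower(), " ".join(value.split()).lower()))
    return ",".join(rdns)


def check_dump(text, suffix):
    """Report the problems a practitioner wants to know about before ldif2db."""
    entries = parse_ldif(text)
    nsuffix = normalize_dn(suffix)
    ndns = [normalize_dn(dn) for dn, _ in entries]
    counts = Counter(ndns)
    report = {
        "entries": len(entries),
        "duplicate_dns": sorted(dn for dn, n in counts.items() if n > 1),
        "outside_suffix": sorted(dn for dn in ndns
                                 if dn != nsuffix and not dn.endswith("," + nsuffix)),
        "missing_objectclass": sorted(normalize_dn(dn) for dn, attrs in entries
                                      if "objectclass" not in attrs),
        "has_suffix_entry": nsuffix in counts,
    }
    report["ok"] = (report["has_suffix_entry"] and not report["duplicate_dns"]
                    and not report["outside_suffix"] and not report["missing_objectclass"])
    return report


# Constructed sample in the shape db2ldif writes; NOT a real dump. It deliberately contains
# a duplicate DN (differing only in case) and one entry under the wrong suffix.
SAMPLE_LDIF = """\
version: 1
# constructed sample
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=jondoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: jondoe
cn: Jon Doe
sn: Doe
description:: Sm9uIERvZSwgdGVzdCBhY2NvdW50
mail: jondoe@example.com

dn: uid=jondoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
uid: jondoe
cn: Jon Doe duplicate
sn: Doe

dn: uid=stray,ou=People,dc=other,dc=net
objectClass: top
objectClass: person
uid: stray
cn: Stray
sn: Entry
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        result = check_dump(text, sys.argv[2])
    else:
        result = check_dump(SAMPLE_LDIF, "dc=example,dc=com")
    for key, value in result.items():
        print("%-20s %s" % (key, value))
```

A dump that fails `ok` should be fixed (or the replica's database repaired) before ldif2db is run; the checker is read-only and never modifies the LDIF.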
From rmeggins at redhat.com Mon May 4 16:01:18 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 May 2009 10:01:18 -0600
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <200905041111.26688.rpolli@babel.it>
References: <49D2D1A0.3070307@redhat.com> <200904271145.09126.rpolli@babel.it> <49FB257D.4030906@redhat.com> <200905041111.26688.rpolli@babel.it>
Message-ID: <49FF114E.3040903@redhat.com>

Roberto Polli wrote:
> On Friday 01 May 2009 18:38:21 Rich Megginson wrote:
>
>>> * the ability to set attribute values using a set of internal functions
>>> (eg. timestamp, incremental log value)
>>>
> sql supports functions. eg.
> INSERT INTO mytable VALUES (NOW());
> UPDATE mytable SET revision = revision + 1;
>
> this enables the ability to use custom attributes for storing timestamps, as
> modifyTimestamp is unmodifiable.

We could do something like this for a very specific and limited set of
attribute values. The problem with general purpose use is that we have no
"procedural" or "functional" programming language with which to define
functions or operations (e.g. revision=revision+1) in the directory server
(except for C - but I don't think that's what you mean). I think the Apache
Directory Server project has done some research into something like stored
procs and triggers.

>>> * search in subtrees of view: when I create a view (eg. a view of
>>> domains) I can't search in its subentries (eg. in ou=people, dc=domain)
>>>
> base tree:
> dc=example.com, o=example ltd, dc=top
> dc=example.net, o=example ltd, dc=top
> dc=company.com, o=company ltd, dc=top
>
> using views I can create a tree of all domains, no matter which organization:
> ou=domainView, dc=top
> nsViewFilter: (dc=*)
>
> so under ou=domainView I got all domains
> dc=example.com,ou=domainView
> dc=company.com,ou=domainView
> ...
>
> imagine I'd like to search a user under domain example.com
> dn: uid=jondoe,dc=example.com,o=example ltd,dc=top
>
> I could search straight in
> dc=example.com,ou=domainView,dc=top
>
> or pick directly
> uid=jondoe,dc=example.com,ou=domainView,dc=top
>
> but it's not possible.

It's not possible to do a search like
ldapsearch -s sub -b "dc=top" "(uid=jondoe)"
?

> hoping to have been clear...
> Thx+Peace,
> R.

From agiggins at wcg.net.au Mon May 4 23:37:55 2009
From: agiggins at wcg.net.au (Anthony Giggins)
Date: Tue, 5 May 2009 09:37:55 +1000
Subject: [Fedora-directory-users] fds fails to start in centos 5.3 openvzinstance
In-Reply-To: <49FEE958.5070607@redhat.com>
References: <49FEE958.5070607@redhat.com>
Message-ID:

> Does /var/run/dirsrv exist? Is it writable by your directory server user?

Yep that folder exists, permissions look fine

drwxrwxrwx 3 root nobody 4096 May 4 02:33 dirsrv

From rmeggins at redhat.com Tue May 5 00:59:53 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 May 2009 18:59:53 -0600
Subject: [Fedora-directory-users] fds fails to start in centos 5.3 openvzinstance
In-Reply-To:
References: <49FEE958.5070607@redhat.com>
Message-ID: <49FF8F89.4070606@redhat.com>

Anthony Giggins wrote:
>> Does /var/run/dirsrv exist? Is it writable by your directory server
>> user?
>
> Yep that folder exists, permissions look fine
>
> drwxrwxrwx 3 root nobody 4096 May 4 02:33 dirsrv

Do you have the nsslapd-rundir attribute in cn=config in
/etc/dirsrv/slapd-yourinstance/dse.ldif?
From agiggins at wcg.net.au Tue May 5 02:41:54 2009
From: agiggins at wcg.net.au (Anthony Giggins)
Date: Tue, 5 May 2009 12:41:54 +1000
Subject: [Fedora-directory-users] fds fails to start in centos5.3 openvzinstance
In-Reply-To: <49FF8F89.4070606@redhat.com>
References: <49FEE958.5070607@redhat.com> <49FF8F89.4070606@redhat.com>
Message-ID:

> Do you have the nsslapd-rundir attribute in cn=config in
> /etc/dirsrv/slapd-yourinstance/dse.ldif?

Yep, that looks good

nsslapd-rundir: /var/run/dirsrv

From rpolli at babel.it Tue May 5 09:14:59 2009
From: rpolli at babel.it (Roberto Polli)
Date: Tue, 5 May 2009 11:14:59 +0200
Subject: [Fedora-directory-users] Proposed new features for 1.3
In-Reply-To: <49FF114E.3040903@redhat.com>
References: <49D2D1A0.3070307@redhat.com> <200905041111.26688.rpolli@babel.it> <49FF114E.3040903@redhat.com>
Message-ID: <200905051115.00427.rpolli@babel.it>

On Monday 04 May 2009 18:01:18 Rich Megginson wrote:
> >>> * search in subtrees of view: when I create a view (eg. a view of
> >>> domains) I can't search in its subentries (eg. in ou=people, dc=domain)
> >
> > base tree:
> > dc=example.com, o=example ltd, dc=top
> > dc=example.net, o=example ltd, dc=top
> > dc=company.com, o=company ltd, dc=top
> >
> > using views I can create a tree of all domains, no matter which
> > organization: ou=domainView, dc=top
> > nsViewFilter: (dc=*)
> >
> > so under ou=domainView I got all domains
> > dc=example.com,ou=domainView
> > dc=company.com,ou=domainView
> > ...
> >
> > imagine I'd like to search a user under domain example.com
> > dn: uid=jondoe,dc=example.com,o=example ltd,dc=top
> >
> > I could search straight in
> > dc=example.com,ou=domainView,dc=top
> >
> > or pick directly
> > uid=jondoe,dc=example.com,ou=domainView,dc=top
> >
> > but it's not possible.
imho the behavior I suggest is more intuitive, as you can find in the view
not only the given entries but their subtrees - and that's usually what
software expects from an entry. In that way I have no different behavior
between the original entry and the view one.

> It's not possible to do a search like
> ldapsearch -s sub -b "dc=top" "(uid=jondoe)"
> ?

yes, but does a smaller basedn slow the search in case of thousands of
entries?

there's one more case where that behavior can be useful: in the above
example, if I got
o=example ltd is a dblink to server1
and
o=company ltd is a dblink on server2

searching on dc=top would result in a search on two servers, while searching
in the right tree will search only on the "right" one - except for a fast
search for domain - and in a mail environment we always know the domain.

Hope it helps+Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

From rmeggins at redhat.com Tue May 5 13:29:16 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 May 2009 07:29:16 -0600
Subject: [Fedora-directory-users] fds fails to start in centos5.3 openvzinstance
In-Reply-To:
References: <49FEE958.5070607@redhat.com> <49FF8F89.4070606@redhat.com>
Message-ID: <4A003F2C.8050400@redhat.com>

Anthony Giggins wrote:
>> Do you have the nsslapd-rundir attribute in cn=config in
>> /etc/dirsrv/slapd-yourinstance/dse.ldif?
>>
>
> Yep, that looks good
>
> nsslapd-rundir: /var/run/dirsrv

Try starting the server in debug mode
/usr/lib/dirsrv/slapd-instance/start-slapd -d 1

From agiggins at wcg.net.au Wed May 6 00:09:07 2009
From: agiggins at wcg.net.au (Anthony Giggins)
Date: Wed, 6 May 2009 10:09:07 +1000
Subject: [Fedora-directory-users] fds fails to startin centos5.3 openvzinstance
In-Reply-To: <4A003F2C.8050400@redhat.com>
References: <49FEE958.5070607@redhat.com> <49FF8F89.4070606@redhat.com> <4A003F2C.8050400@redhat.com>
Message-ID:

> Try starting the server in debug mode
> /usr/lib/dirsrv/slapd-instance/start-slapd -d 1

Nope, that doesn't work, but as it's a 64bit virtual instance the command
below seems to work

/usr/lib64/dirsrv/slapd-sso/start-slapd -d 1

Appears to work up until

[05/May/2009:20:04:33 -0400] - add_created_attrs
[05/May/2009:20:04:33 -0400] - => send_ldap_result 0::
[05/May/2009:20:04:33 -0400] - <= send_ldap_result
[05/May/2009:20:04:33 -0400] - Fedora-Directory/1.2.0 B2009.091.197 starting up
[05/May/2009:20:04:33 -0400] - Failed to create semaphore for stats file (/var/run/dirsrv/slapd-sso.stats).
Error 38.(Function not implemented)

From rmeggins at redhat.com Wed May 6 00:21:51 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 May 2009 18:21:51 -0600
Subject: [Fedora-directory-users] fds fails to startin centos5.3 openvzinstance
In-Reply-To:
References: <49FEE958.5070607@redhat.com> <49FF8F89.4070606@redhat.com> <4A003F2C.8050400@redhat.com>
Message-ID: <4A00D81F.6080809@redhat.com>

Anthony Giggins wrote:
>> Try starting the server in debug mode
>> /usr/lib/dirsrv/slapd-instance/start-slapd -d 1
>>
>
> Nope, that doesn't work, but as it's a 64bit virtual instance the command
> below seems to work
>
> /usr/lib64/dirsrv/slapd-sso/start-slapd -d 1
>
> Appears to work up until
>
> [05/May/2009:20:04:33 -0400] - add_created_attrs
> [05/May/2009:20:04:33 -0400] - => send_ldap_result 0::
> [05/May/2009:20:04:33 -0400] - <= send_ldap_result
> [05/May/2009:20:04:33 -0400] - Fedora-Directory/1.2.0 B2009.091.197
> starting up
> [05/May/2009:20:04:33 -0400] - Failed to create semaphore for stats file
> (/var/run/dirsrv/slapd-sso.stats). Error 38.(Function not implemented)

Are you attempting to run in a VM or in some sort of chroot environment?
I've seen this before when running the directory server in a chroot. This
is what I had to do:
echo tmpfs /dev/shm tmpfs defaults 0 0 >> /etc/fstab
mount /dev/shm
run the server

If you are using a chroot (e.g. mock) you must do the mount /dev/shm in the
same chroot "session" - it does not persist.
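The failure above is a named-semaphore problem rather than a permissions one, which is why the writable /var/run/dirsrv and the correct nsslapd-rundir did not help: on Linux, glibc's sem_open() keeps POSIX named semaphores as files on a tmpfs mounted at /dev/shm, and when it finds no such mount it fails with ENOSYS, errno 38, the exact text in the log. The script below is an added example, not code from the thread or from the Fedora Directory Server project. It gives a pre-flight check for a container or chroot: it parses a mount table for a tmpfs on /dev/shm, adds the fstab line from the reply only if it is not already present (a plain `echo ... >> /etc/fstab` appends a duplicate every time it is re-run), and probes named-semaphore creation live through multiprocessing.Semaphore, which CPython implements with sem_open(). File paths are parameters so the checks can be run against constructed mount tables and fstab files; the default paths /proc/mounts and /etc/fstab are assumptions about a Linux host.

```python
"""Pre-flight check for 'Failed to create semaphore ... Error 38 (Function not implemented)'.

Added example (not the project's code). Run as root for the real files:
    python shm_preflight.py          # report only
    python shm_preflight.py --fix    # also add the fstab line if missing (mount /dev/shm afterwards)
"""
import errno
import multiprocessing
import sys
import tempfile

# The line from the thread's fix; written to fstab only when no /dev/shm entry exists yet.
FSTAB_LINE = "tmpfs /dev/shm tmpfs defaults 0 0"


def shm_is_mounted(mounts_path="/proc/mounts"):
    """True if the mount table lists a tmpfs mounted on /dev/shm (fields: device, mountpoint, fstype, ...)."""
    with open(mounts_path) as fh:
        for line in fh:
            fields = line.split()
            if len(fields) >= 3 and fields[1] == "/dev/shm" and fields[2] == "tmpfs":
                return True
    return False


def fstab_has_shm(fstab_path="/etc/fstab"):
    """True if fstab already carries a non-comment entry whose mount point is /dev/shm."""
    with open(fstab_path) as fh:
        for line in fh:
            fields = line.split()
            if len(fields) >= 2 and not fields[0].startswith("#") and fields[1] == "/dev/shm":
                return True
    return False


def ensure_fstab_shm(fstab_path="/etc/fstab"):
    """Idempotently add FSTAB_LINE; returns True if the file was changed, False if it was already there."""
    if fstab_has_shm(fstab_path):
        return False
    with open(fstab_path, "a") as fh:
        fh.write(FSTAB_LINE + "\n")
    return True


def probe_named_semaphore():
    """Return 0 if a POSIX named semaphore can be created in this environment, else the errno
    (errno.ENOSYS == 38 is the case from the thread: no usable /dev/shm)."""
    try:
        sem = multiprocessing.Semaphore(1)   # CPython creates this with sem_open()
    except OSError as exc:
        return exc.errno if exc.errno is not None else -1
    del sem
    return 0


def preflight(mounts_path="/proc/mounts", fstab_path="/etc/fstab"):
    """Gather the facts without changing anything."""
    return {
        "shm_mounted": shm_is_mounted(mounts_path),
        "fstab_has_shm": fstab_has_shm(fstab_path),
        "sem_errno": probe_named_semaphore(),
    }


def write_temp(text):
    """Write constructed text to a temporary file and return its path (used for demos and tests)."""
    fh = tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt")
    fh.write(text)
    fh.close()
    return fh.name


if __name__ == "__main__":
    facts = preflight()
    for key, value in facts.items():
        print("%-14s %s" % (key, value))
    if facts["sem_errno"] == errno.ENOSYS:
        print("sem_open() fails with ENOSYS: no tmpfs on /dev/shm, the server cannot create its stats semaphore")
    if "--fix" in sys.argv[1:] and ensure_fstab_shm():
        print("added '%s' to /etc/fstab; now run: mount /dev/shm" % FSTAB_LINE)
```

Note that `probe_named_semaphore()` tests the environment the script itself runs in, so inside a chroot it must be run inside that same chroot session, matching the caveat in the reply about the mount not persisting across sessions.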
From agiggins at wcg.net.au Wed May 6 03:03:11 2009
From: agiggins at wcg.net.au (Anthony Giggins)
Date: Wed, 6 May 2009 13:03:11 +1000
Subject: [Fedora-directory-users] fds failsto startin centos5.3 openvzinstance
In-Reply-To: <4A00D81F.6080809@redhat.com>
References: <49FEE958.5070607@redhat.com> <49FF8F89.4070606@redhat.com> <4A003F2C.8050400@redhat.com> <4A00D81F.6080809@redhat.com>
Message-ID:

> Are you attempting to run in a VM or in some sort of chroot
> environment? I've seen this before when running the directory server in
> a chroot. This is what I had to do:
> echo tmpfs /dev/shm tmpfs defaults 0 0 >> /etc/fstab
> mount /dev/shm
> run the server

Thanks Rich

This fixed the issue.

From MEpstein at symark.com Wed May 6 03:42:10 2009
From: MEpstein at symark.com (Michael A. Epstein)
Date: Tue, 5 May 2009 20:42:10 -0700
Subject: [Fedora-directory-users] objectRenamed with JNDI persistent search
Message-ID: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E04@dragonfly.symark.com>

Hi All,

I am trying to implement persistent search in a Java application. I have
set up Fedora Directory to test this and it all seems to really work well
except the objectRenamed event. When I remove, add or change an object I
get the correct event; but renaming does not seem to work the way I expect
it to. When I rename an object I do not get the event. However, if I then
name it back to its original name, I get the objectRenamed event.

I need to know if this is the intended behavior and my expectations are
wrong, or if I am possibly doing something wrong?

Thank you for your time; any help would be greatly appreciated.

Thanks,
Mike
From rmeggins at redhat.com Wed May 6 12:50:01 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 06 May 2009 06:50:01 -0600
Subject: [Fedora-directory-users] objectRenamed with JNDI persistent search
In-Reply-To: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E04@dragonfly.symark.com>
References: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E04@dragonfly.symark.com>
Message-ID: <4A018779.2010705@redhat.com>

Michael A. Epstein wrote:
> Hi All,
>
> I am trying to implement persistent search in a Java application. I
> have set up Fedora Directory to test this and it all seems to really
> work well except the objectRenamed event. When I remove, add or change
> an object I get the correct event; but renaming does not seem to work
> the way I expect it to. When I rename an object I do not get the
> event. However, if I then name it back to its original name, I get the
> objectRenamed event.
>
> I need to know if this is the intended behavior and my expectations
> are wrong, or if I am possibly doing something wrong?
>
> Thank you for your time; any help would be greatly appreciated.

Does renaming the entry make it out of scope/filter of your original search?
Does renaming it back put it back in the scope/filter of your search result
set?

> Thanks,
>
> Mike

From MEpstein at symark.com Wed May 6 16:36:02 2009
From: MEpstein at symark.com (Michael A. Epstein)
Date: Wed, 6 May 2009 09:36:02 -0700
Subject: [Fedora-directory-users] objectRenamed with JNDI persistent search
In-Reply-To: <4A018779.2010705@redhat.com>
References: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E04@dragonfly.symark.com> <4A018779.2010705@redhat.com>
Message-ID: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E05@dragonfly.symark.com>

Hi Rich,

Thank you for the response; to answer your questions:

> Does renaming the entry make it out of scope/filter of your original search?

Yes

> Does renaming it back put it back in the scope/filter of your search result set?

Yes.

Once it is renamed I lose it and renaming it back it's fine again.

-Mike

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson
Sent: Wednesday, May 06, 2009 5:50 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] objectRenamed with JNDI persistent search

Michael A. Epstein wrote:
> Hi All,
>
> I am trying to implement persistent search in a Java application. I
> have set up Fedora Directory to test this and it all seems to really
> work well except the objectRenamed event. When I remove, add or change
> an object I get the correct event; but renaming does not seem to work
> the way I expect it to. When I rename an object I do not get the
> event. However, if I then name it back to its original name, I get the
> objectRenamed event.
>
> I need to know if this is the intended behavior and my expectations
> are wrong, or if I am possibly doing something wrong?
>
> Thank you for your time; any help would be greatly appreciated.

Does renaming the entry make it out of scope/filter of your original search?
Does renaming it back put it back in the scope/filter of your search result
set?
> > > > Thanks, > > Mike > > ---------------------------------------------------------------------- > -- > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Wed May 6 17:20:50 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 06 May 2009 11:20:50 -0600 Subject: [Fedora-directory-users] objectRenamed with JNDI persistent search In-Reply-To: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E05@dragonfly.symark.com> References: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E04@dragonfly.symark.com> <4A018779.2010705@redhat.com> <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E05@dragonfly.symark.com> Message-ID: <4A01C6F2.5090608@redhat.com> Michael A. Epstein wrote: > Hi Rich, > > Thank you for the response to answer your questions: > > >> Does renaming the entry make it out of scope/filter of your original search? >> > > Yes > > >> Does renaming it back put it back in the scope/filter of your search result set? >> > > Yes. > > Once it is renamed I lose it and renaming it back its fine again. > Then I think you'll have to come up with some sort of persistent search scope and filter that includes both the before and after. What search base, scope, and filter are you using? > -Mike > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson > Sent: Wednesday, May 06, 2009 5:50 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] objectRenamed with JNDI persistent search > > Michael A. Epstein wrote: > >> Hi All, >> >> >> >> I am trying to implement persistent search in a Java application. I >> have setup Fedora Directory to test this and it all seems to really >> work well except the objectRenamed event. 
When I remove, add or change >> an object I get the correct event; but renaming does not seem to work >> the way I expect it to. When I rename an object I do not get the >> event. However if I then I name it back to its original name get the >> objectRenamed event. >> >> >> >> I need to know if is this the intended behavior and my expectations >> are wrong or if I am possibly doing something wrong? >> >> >> >> Thank you for your time any help would be greatly appreciated. >> >> > Does renaming the entry make it out of scope/filter of your original search? Does renaming it back put it back in the scope/filter of your search result set? > >> >> >> Thanks, >> >> Mike >> >> ---------------------------------------------------------------------- >> -- >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From MEpstein at symark.com Wed May 6 17:33:41 2009 From: MEpstein at symark.com (Michael A. Epstein) Date: Wed, 6 May 2009 10:33:41 -0700 Subject: [Fedora-directory-users] objectRenamed with JNDI persistent search In-Reply-To: <4A01C6F2.5090608@redhat.com> References: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E04@dragonfly.symark.com> <4A018779.2010705@redhat.com> <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E05@dragonfly.symark.com> <4A01C6F2.5090608@redhat.com> Message-ID: <72A6FAA9EDF9EF4C94514367E7C9F9646D922B4E07@dragonfly.symark.com> Hi Rich, I am using the listener that takes a dn and a scope. For example: Dn: uid=bob,ou=people Scope: SUB_TREE scope I am going to be monitoring lots different users and groups in the directory. 
I was hoping to have specific monitors for each one. But you are right if this is intended behavior I will have to have a more generic search and inspect the results to see if it is an object I am interested in. Thanks for your time, Mike -----Original Message----- From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich Megginson Sent: Wednesday, May 06, 2009 10:21 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] objectRenamed with JNDI persistent search Michael A. Epstein wrote: > Hi Rich, > > Thank you for the response to answer your questions: > > >> Does renaming the entry make it out of scope/filter of your original search? >> > > Yes > > >> Does renaming it back put it back in the scope/filter of your search result set? >> > > Yes. > > Once it is renamed I lose it and renaming it back its fine again. > Then I think you'll have to come up with some sort of persistent search scope and filter that includes both the before and after. What search base, scope, and filter are you using? > -Mike > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com > [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rich > Megginson > Sent: Wednesday, May 06, 2009 5:50 AM > To: General discussion list for the Fedora Directory server project. > Subject: Re: [Fedora-directory-users] objectRenamed with JNDI > persistent search > > Michael A. Epstein wrote: > >> Hi All, >> >> >> >> I am trying to implement persistent search in a Java application. I >> have setup Fedora Directory to test this and it all seems to really >> work well except the objectRenamed event. When I remove, add or >> change an object I get the correct event; but renaming does not seem >> to work the way I expect it to. When I rename an object I do not get >> the event. 
However if I then I name it back to its original name get >> the objectRenamed event. >> >> >> >> I need to know if is this the intended behavior and my expectations >> are wrong or if I am possibly doing something wrong? >> >> >> >> Thank you for your time any help would be greatly appreciated. >> >> > Does renaming the entry make it out of scope/filter of your original search? Does renaming it back put it back in the scope/filter of your search result set? > >> >> >> Thanks, >> >> Mike >> >> --------------------------------------------------------------------- >> - >> -- >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From konetzed at quixoticagony.com Wed May 6 17:02:43 2009 From: konetzed at quixoticagony.com (Edward Konetzko) Date: Wed, 06 May 2009 12:02:43 -0500 Subject: [Fedora-directory-users] dna multimaster Message-ID: <4A01C2B3.3050902@quixoticagony.com> I have read the following pages and cannot exactly figure out how to do what I want. http://directory.fedoraproject.org/wiki/DNA_Plugin http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html I have 2 companies I want to set ranges for company 1gets range uidNumber and gidNumber 1Million - (2Million -1) and Company 2 gets Range uidNumber and gidNumber 2 Million - (3Million -1). DIT layout is {ou=people,ou=groups,ou=ranges}, ou= Company{1,2}, dc=example, dc=com. I Setup company 1 on master1 with the following ldifs. 
dn: ou=Ranges,ou=Company1 dc=example, dc=com
objectclass: top
objectclass: extensibleObject
objectclass: organizationalUnit
ou: Ranges

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Company1 Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Company1 Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=Company1 , dc=example,dc=com
dnanextvalue: 1000000
dnaMaxValue: 1000500
dnasharedcfgdn: cn=Company1 Account UIDs,ou=Ranges,dc=example,dc=com
dnathreshold: 100
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
dnaNextRange: 1000501 - 1999999

I then repeat this on master2, but then when I add users to both servers
Master1 hands out uidNumber = 1 and Master2 hands out uidNumber = 1 for
their first adds, and they keep adding numbers incrementing by one, thus
overlapping numbers. For gidNumber I basically use the same ldifs except
I substitute Group UID for Account UID and gidNumber for uidNumber.

User add ldif looks like the following:

dn: uid=test,ou=people,ou=Region1, dc=stabletransit,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: test
gecos: test
gidNumber: magic
givenName: test
homeDirectory: /home/test
loginShell: /bin/bash
mail: test at example.com
o: test
shadowLastChange: 14098
shadowMax: 99999
shadowWarning: 7
sn: test
uid: test
uidNumber: magic
userPassword::

Question is, what am I doing wrong?
Server is Redhat DS 8.1 on rhel 5 64bit.

Thanks
Edward

From konetzed at quixoticagony.com Wed May 6 19:28:37 2009
From: konetzed at quixoticagony.com (Edward Konetzko)
Date: Wed, 06 May 2009 14:28:37 -0500
Subject: [Fedora-directory-users] DNA MultiMaster
Message-ID: <4A01E4E5.4080000@quixoticagony.com>

Sorry if this was already posted, I seem to be having trouble with email
today.

I have read the following pages and cannot exactly figure out how to do
what I want.

http://directory.fedoraproject.org/wiki/DNA_Plugin
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html

I have 2 companies I want to set ranges for. Company 1 gets range
uidNumber and gidNumber 1 Million - (2 Million - 1) and Company 2 gets
range uidNumber and gidNumber 2 Million - (3 Million - 1). DIT layout is
{ou=people,ou=groups,ou=ranges}, ou=Company{1,2}, dc=example, dc=com.

I set up company 1 on master1 with the following ldifs.

dn: ou=Ranges,ou=Company1 dc=example, dc=com
objectclass: top
objectclass: extensibleObject
objectclass: organizationalUnit
ou: Ranges

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Company1 Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Company1 Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=Company1 , dc=example,dc=com
dnanextvalue: 1000000
dnaMaxValue: 1000500
dnasharedcfgdn: cn=Company1 Account UIDs,ou=Ranges,dc=example,dc=com
dnathreshold: 100
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
dnaNextRange: 1000501 - 1999999

I then repeat this on master2, but then when I add users to both servers
Master1 hands out uidNumber = 1 and Master2 hands out uidNumber = 1 for
their first adds, and they keep adding numbers incrementing by one, thus
overlapping numbers. For gidNumber I basically use the same ldifs except
I substitute Group UID for Account UID and gidNumber for uidNumber.

User add ldif looks like the following:

dn: uid=test,ou=people,ou=Region1, dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: test
gecos: test
gidNumber: magic
givenName: test
homeDirectory: /home/test
loginShell: /bin/bash
mail: test at example.com
o: test
shadowLastChange: 14098
shadowMax: 99999
shadowWarning: 7
sn: test
uid: test
uidNumber: magic
userPassword::

Question is, what am I doing wrong?
Server is Redhat DS 8.1 on rhel 5 64bit.

Thanks
Edward

From nkinder at redhat.com Wed May 6 20:14:05 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 06 May 2009 13:14:05 -0700
Subject: [Fedora-directory-users] DNA MultiMaster
In-Reply-To: <4A01E4E5.4080000@quixoticagony.com>
References: <4A01E4E5.4080000@quixoticagony.com>
Message-ID: <4A01EF8D.7080907@redhat.com>

Edward Konetzko wrote:
> I set up company 1 on master1 with the following ldifs.
[...]
> dnanextvalue: 1000000
> dnaMaxValue: 1000500
> dnasharedcfgdn: cn=Company1 Account UIDs,ou=Ranges,dc=example,dc=com
> dnathreshold: 100
> dnaRangeRequestTimeout: 60
> dnaMagicRegen: magic
> dnaNextRange: 1000501 - 1999999
>
> I then repeat this on master2, but then when I add users to both
> servers Master1 hands out uidNumber = 1 and Master2 hands out
> uidNumber = 1 for their first adds, and they keep adding numbers
> incrementing by one, thus overlapping numbers. For gidNumber I
> basically use the same ldifs except I substitute Group UID for Account
> UID and gidNumber for uidNumber.
[...]
> Question is, what am I doing wrong?
> Server is Redhat DS 8.1 on rhel 5 64bit.
If you configure both masters to use the same range, then they will both
assign the same values. You need to split the range for company1 in half
and assign half to each of your two masters (1,000,000-1,499,999 for
master1 and 1,500,000-1,999,999 for master2). You need to use
dnaNextValue and dnaMaxValue to set these upper and lower boundaries.
You should not be setting dnaNextRange at all for what you are trying
to do.
>
> Thanks
> Edward

From debajit_kataki at rediffmail.com Thu May 7 04:52:47 2009
From: debajit_kataki at rediffmail.com (debu)
Date: 7 May 2009 04:52:47 -0000
Subject: [Fedora-directory-users] Regarding data deletion in FDS
Message-ID: <20090507045247.18960.qmail@f4mail-235-144.rediffmail.com>

Hi All,

We had implemented FDS on one of our servers. Now, with lots of testing
going on for quite a few applications, I ended up with a lot of junk
data in my FDS server.

I am all set to delete these 1 lac+ data (out of which only some 3K+ is
valid for me as of now :-/ )

But before this I wanted to know / get some advice: will these deletions
1/ cause any issue on my server?
2/ Would it auto refresh its index and all?
3/ Any other aspect I should consider before/after this activity?

I have
fedora-ds-1.1.2-1
RHEL 5 - 32 bit.

Thanks,

Debajit kataki
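Nathan Kinder's point in the DNA thread above (each master needs its own disjoint dnaNextValue..dnaMaxValue window, not a copy of the same entry) can be checked mechanically before the plugin is enabled. The following is an added example written for this page, not code from the thread or from the 389/RHDS project: it parses the DNA configuration entry of each master and reports windows that intersect for the same dnatype and scope. The LDIF text is constructed from the values in the post, and the "fixed" variants apply the split suggested in the reply.

```python
"""Detect overlapping DNA ranges across several masters (added example)."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: the DNA config entry as posted for master1. Copying it
# unchanged to master2 (as the poster did) gives both masters the same window.
MASTER1_LDIF = """\
dn: cn=Company1 Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Company1 Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=Company1 , dc=example,dc=com
dnanextvalue: 1000000
dnaMaxValue: 1000500
dnathreshold: 100
"""
MASTER2_LDIF = MASTER1_LDIF  # identical range on both masters: the reported bug

# The split suggested in the reply: disjoint halves of 1,000,000-1,999,999.
MASTER1_FIXED = MASTER1_LDIF.replace("dnaMaxValue: 1000500", "dnaMaxValue: 1499999")
MASTER2_FIXED = (MASTER1_LDIF
                 .replace("dnanextvalue: 1000000", "dnanextvalue: 1500000")
                 .replace("dnaMaxValue: 1000500", "dnaMaxValue: 1999999"))


def parse_ldif_entries(text):
    """Minimal LDIF reader: unfolds continuation lines and returns one dict per
    entry, mapping lower-cased attribute names to lists of values."""
    entries, current = [], None
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[name.strip().lower()].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def dna_ranges(ldif_text, master):
    """Pull (master, type, scope, next, max) out of each DNA config entry."""
    ranges = []
    for e in parse_ldif_entries(ldif_text):
        if not all(k in e for k in ("dnatype", "dnanextvalue", "dnamaxvalue")):
            continue
        ranges.append({
            "master": master,
            "type": e["dnatype"][0].lower(),
            # DNs compare case-insensitively and ignore blanks around commas
            "scope": re.sub(r"\s*,\s*", ",", e.get("dnascope", [""])[0]).lower(),
            "next": int(e["dnanextvalue"][0]),
            "max": int(e["dnamaxvalue"][0]),
        })
    return ranges


def find_overlaps(ranges):
    """Return pairs of ranges (same dnatype, same scope) whose [next, max]
    windows intersect. An empty list means the masters hand out disjoint ids."""
    groups = defaultdict(list)
    for r in ranges:
        groups[(r["type"], r["scope"])].append(r)
    overlaps = []
    for rs in groups.values():
        rs.sort(key=lambda r: r["next"])  # stable: keeps master order on ties
        for a, b in combinations(rs, 2):
            if b["next"] <= a["max"] and a["next"] <= b["max"]:
                overlaps.append((a, b))
    return overlaps


def check_masters(configs):
    """configs maps master name -> its DNA config LDIF; returns findings."""
    ranges = [r for name, text in configs.items() for r in dna_ranges(text, name)]
    return ["%s: %s %d-%d overlaps %s %d-%d" % (
                a["type"], a["master"], a["next"], a["max"],
                b["master"], b["next"], b["max"])
            for a, b in find_overlaps(ranges)]


if __name__ == "__main__":
    print(check_masters({"master1": MASTER1_LDIF, "master2": MASTER2_LDIF}))
    print(check_masters({"master1": MASTER1_FIXED, "master2": MASTER2_FIXED}))
```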
From tamarinp at gmail.com Thu May 7 10:18:26 2009
From: tamarinp at gmail.com (tamarin p)
Date: Thu, 7 May 2009 12:18:26 +0200
Subject: [Fedora-directory-users] aliasedObjectName problem
In-Reply-To: <49EF2A59.1000706@redhat.com>
References: <4dd1b3eb0904210712u69967e80u3649ff8239162990@mail.gmail.com> <49EDE4E1.2060903@redhat.com> <4dd1b3eb0904220728g1ff6709ao172ee22420453e84@mail.gmail.com> <49EF2A59.1000706@redhat.com>
Message-ID: <4dd1b3eb0905070318x463a71a1qf35b96a3c725ea5d@mail.gmail.com>

2009/4/22 Rich Megginson

> tamarin p wrote:
>
>> 2009/4/21 Rich Megginson
>>
>> tamarin p wrote:
>>
>> I'm running into some problems when trying to add some alias
>> entries and importing with ldapmodify or ldif2db. I'm using
>> the directory server version 1.2.0.
>>
>> Example of LDIF
>> dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
>> changetype: add
>> aliasedObjectName: ou=foo,dc=test,dc=com
>> objectClass: top
>> objectClass: alias
>>
>> When I run this I get:
>> ldapmodify: Object class violation (65)
>> additional info: single-valued attribute "aliasedObjectName" has multiple values
>>
>> Same when I use ldif2db.. What am I doing wrong?
>>
>> The application running on top of the ldap uses aliases as pointers and
>> the objectclass exists in the schemata for FDS, so there isn't a requirement
>> that the aliases get dereferenced by the ldap. In any case it currently uses
>> an older fedorads version.
>>
>> I discovered that if I changed
>> dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
>> in the LDIF to
>> dn: aliasedobjectname=ou=foo\,dc=test\,dc=com,ou=bar,ou=test,dc=com
>> (escape the commas instead of surrounding "" for the alias part in the dn),
>> then I could add the entry and it seems to look ok in an ldap browser and
>> satisfy whatever it is the application uses it for. Should the two be
>> considered equivalent?
>>
> Yes. The double quoted style is deprecated - the \ escapes should be used
> instead.
>
>> Then, when I dump the database to ldif with db2ldif, the entry is
>> represented the same way: escaped comma for the alias part. One strange
>> thing is I could have sworn I added the same ldif with ""-aliases in FDS
>> 1.1.3 and not only that: the ldif itself is actually dumped from a FDS 7.x
>> server (which has schema checking off, if that could explain how the
>> entries were added in the first place).
>>
> I don't believe it has anything to do with schema checking.
>
>> Were there any changes between 1.1.3 and 1.2.0 that could explain this?
>>
> Not that I am aware of. I think we did fix some bugs in DN parsing and
> normalization - it's possible we broke the double quote behavior.
>
>> Also it does not appear to have broken replication of those aliases
>> (tested with a quick replica initialize that I didn't run long enough to
>> finish more than 20% of the db, I'll run the whole init tonight) between the
>> 7.x and 1.2.0 server so maybe it's just a tools issue.. but if so it happened
>> with both ldif2db and ldapmodify from openldap-clients.
>>

Resurrecting another old thread here, but I ran into something I should've
thought of much sooner.

Basically we were hoping to use replication to migrate the data from an old
ldap. The reason is that the directory is big and a regular ldif import would
require the site to be offline (or read-only) for several hours. But with
replication we could just let it "run in the background" until we're ready to
swap the servers and downtime would be minimal.

Trouble is we have thousands of entries like the one here:

dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com

These can't be added with ldap (ldapadd, ldif2db etc) anymore, but for some
reason they replicate/initialize over without a problem. So for a while it
seemed possible to take this migration path with FDS 1.2.0 as desired.

But then I ran into a problem when testing backup scripts: it seems an entry
maintains the syntax it was "added with" instead of being dumped later with
"canonical" syntax. Using replication to copy the data, then, we get a fully
consistent directory that works perfectly, but alias entries keep their
deprecated syntax when ldif exported, which means: running db2ldif on the NEW
server will print ldif aliasedobjectname entries that cannot be re-added with
ldif2db later because they're in the "broken" syntax. This makes it impossible
to restore from that ldif backup later without first converting these to the
\, escaped commas syntax. Running ldif2db on it unmodified just gives errors
like this:

Entry "aliasedobjectname=\22ou=foo,dc=test,dc=com\22,ou=bar,ou=test,dc=com" single-valued attribute "aliasedObjectName" has multiple values
import userRoot: WARNING: skipping entry "aliasedobjectname=\22ou=foo,dc=test,dc=com\22,ou=bar,ou=test,dc=com" which violates schema, ending line 123 of file /tmp/myldif.ldif.

I did some testing with ldapmodify with the following entry.

dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
aliasedObjectName: ou=foo,dc=test,dc=com
objectClass: top
objectClass: alias

If I add that entry after disabling schema checking, the entry can be added
and the result in the directory is this. Note two aliasedObjectName attrs,
one is wrong:

dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
aliasedObjectName: ou=foo,dc=test,dc=com
aliasedObjectName: "ou=foo,dc=test,dc=com"
objectClass: top
objectClass: alias

I then tried adding this entry again with no aliasedObjectName attribute.
This will work also with schema checking on:

dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
objectClass: top
objectClass: alias

And the result is this, which works even with schema checking on but yields
the wrong aliasedObjectName attr (the "" shouldn't be there):

dn: aliasedobjectname="ou=foo,dc=test,dc=com",ou=bar,ou=test,dc=com
aliasedObjectName: "ou=foo,dc=test,dc=com"
objectClass: top
objectClass: alias

For some reason, it's perfectly fine from the directory point of view when
you replicate instead of ldif import (until you try to import/export to
ldif), so I assume there's some difference in how entries are parsed and
added for the two methods there.

Don't know if any of this tells you anything, just thought I should mention
my findings. I'm now searching for a workaround that would allow me to still
use replication for the migration step. Is there f.ex. a way to make the
server normalize either on input or output when doing ldif import/export?
Can you see a better option than to fall back on ldif
processing/converting? So far the only alternative to ldif processing I see
is a script to walk the whole directory and modify the aliasedObjectName
after replica initialization is complete at some point and the replication
agreement is removed.

From michal.nosek at enlogit.cz Thu May 7 10:47:43 2009
From: michal.nosek at enlogit.cz (Michal Nosek)
Date: Thu, 07 May 2009 12:47:43 +0200
Subject: [Fedora-directory-users] Per-hos access
Message-ID: <1241693263.7862.0.camel@mnosek-ubuntu.enlogit.local>

Hello

I am looking for an ACL rule which will allow a client access for
searching only those entries which have the same "host" attribute value
as the IP address of the client.

Or is it possible to get RHDS to return different results depending on
the hostname/IP of the client accessing the server?

I would like to keep the client configuration identical and as simple as
possible.
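The ldif-processing fallback tamarin mentions at the end of the aliasedObjectName thread above (converting the deprecated quoted-RDN DNs, including the \22 form db2ldif prints, into the backslash-escaped syntax so the export can be re-imported with ldif2db) can be done on the exported file itself. The following is an added example written for this page, not code from the thread or from the 389 project; the sample export is constructed from the entry shown in the thread, and the function names are this example's own.

```python
"""Rewrite deprecated double-quoted RDN values into RFC 4514 backslash form
(added example for the aliasedObjectName thread)."""
import re

# Constructed sample: what a db2ldif export of the replicated alias entry looks
# like in the thread (\22 stands for the quote character) together with the
# stray quoted aliasedObjectName value the deprecated syntax leaves behind.
SAMPLE_EXPORT = """\
dn: aliasedobjectname=\\22ou=foo,dc=test,dc=com\\22,ou=bar,ou=test,dc=com
aliasedObjectName: ou=foo,dc=test,dc=com
aliasedObjectName: "ou=foo,dc=test,dc=com"
objectClass: top
objectClass: alias
"""

QUOTE_OPENERS = ('"', '\\22')  # literal quote, or the \22 hex escape from db2ldif


def rfc4514_escape(value):
    """Escape one RDN attribute value with backslashes (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def normalize_quoted_dn(dn):
    """Rewrite RDN values in the deprecated form attr="a,b" (or attr=\\22a,b\\22)
    into attr=a\\,b. Values already in backslash form are copied unchanged."""
    out, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.find('=', i)
        if eq == -1:                      # no further RDN; keep any tail verbatim
            out.append(dn[i:])
            break
        out.append(dn[i:eq + 1])          # attribute type and '='
        i = eq + 1
        opener = next((q for q in QUOTE_OPENERS if dn.startswith(q, i)), None)
        if opener:
            close = dn.find(opener, i + len(opener))
            if close == -1:
                raise ValueError("unterminated quoted RDN value in %r" % dn)
            out.append(rfc4514_escape(dn[i + len(opener):close]))
            i = close + len(opener)
        else:                             # backslash style: copy up to the separator
            j = i
            while j < n and dn[j] not in ',+':
                j += 2 if dn[j] == '\\' else 1   # skip escaped characters
            out.append(dn[i:j])
            i = j
        if i < n:                         # the ',' or '+' between RDNs
            out.append(dn[i])
            i += 1
    return ''.join(out)


def fix_alias_ldif(ldif_text):
    """Normalize every dn: line of an LDIF export and collapse the
    aliasedObjectName values so each alias entry keeps exactly one, unquoted."""
    out, seen = [], set()
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():  # unfold lines
        if not line.strip():              # blank line separates entries
            seen = set()
            out.append(line)
            continue
        name, sep, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        if sep and key == "dn" and not value.startswith(":"):  # leave dn:: alone
            out.append("dn: " + normalize_quoted_dn(value))
        elif sep and key == "aliasedobjectname":
            value = value.strip('"')      # drop the stray surrounding quotes
            if value in seen:
                continue                  # same target already kept: drop duplicate
            seen.add(value)
            out.append("aliasedObjectName: " + value)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(fix_alias_ldif(SAMPLE_EXPORT), end="")
```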
Thank you for any tips -- Michal From rmeggins at redhat.com Thu May 7 14:12:53 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 07 May 2009 08:12:53 -0600 Subject: [Fedora-directory-users] Per-hos access In-Reply-To: <1241693263.7862.0.camel@mnosek-ubuntu.enlogit.local> References: <1241693263.7862.0.camel@mnosek-ubuntu.enlogit.local> Message-ID: <4A02EC65.4040705@redhat.com> Michal Nosek wrote: > Hello > > I am looking for an ACL rule, which will allow client the access for > searching only those entries, which got the same "host" attribute value > as IP address of the client. > > Or is it possible to get RHDS to return different results depending on > the hostname/IP of the client accesing the server? > I'm not sure. You can set access control based on the client machine: http://tinyurl.com/ddtouz > I would like keep the client configuration identical and as simple as > possible. > > Thank you for any tips > -- > Michal > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu May 7 14:14:42 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 07 May 2009 08:14:42 -0600 Subject: [Fedora-directory-users] Regarding data deletion in FDS In-Reply-To: <20090507045247.18960.qmail@f4mail-235-144.rediffmail.com> References: <20090507045247.18960.qmail@f4mail-235-144.rediffmail.com> Message-ID: <4A02ECD2.7090107@redhat.com> debu wrote: > > Hi All, > > We had implemented FDS in one of our server. > Now with lots of testing going around for quite a few application, i > ended up with lot of junk data in my FDS server. 
> > I am all set to delete these 1 lac + data( out of which only some 3K+ > is valid for me as of now :-/ ) > > But before this i wanted to know/ get some advice, that will these > deletion > 1 / will cause any issue on my server? probably not > 2/ Would it auto refresh its index and all? yes > 3/ any otehr aspect should i consider before/after this activity. You might consider doing an LDIF export (db2ldif) then an LDIF import (ldif2db). The import will completely wipe out the previous contents. However, if you are using replication, you will have to reinit everything. > > > I have- > fedora-ds-1.1.2-1 > RHEL 5 - 32 bit. > > Thanks, > > Debajit kataki > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Thu May 7 14:19:58 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 07 May 2009 08:19:58 -0600 Subject: [Fedora-directory-users] The Fedora Directory Server Project is now "389" Message-ID: <4A02EE0E.6040309@redhat.com> The Fedora Directory Server Project is now called "389". The details are here: http://directory.fedoraproject.org/wiki/389_Change_FAQ The new project website is http://port389.org (which is currently just an alias for directory.fedoraproject.org) The new IRC channel is #389 We have created aliases for the mailing lists - so 389-users, 389-announce, etc. We're still in the process of rebranding, re-skinning the web site, etc. In the coming weeks you will see new packages with the 389 branding. Everything else is the same - the team, our mission, only the name has changed. 
We apologize if this change is disconcerting to some of you, we thank your for your support, and we hope to continue to make the 389 project a success. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From edlinuxguru at gmail.com Thu May 7 15:08:56 2009 From: edlinuxguru at gmail.com (Edward Capriolo) Date: Thu, 7 May 2009 11:08:56 -0400 Subject: [Fedora-directory-users] The Fedora Directory Server Project is now "389" In-Reply-To: <4A02EE0E.6040309@redhat.com> References: <4A02EE0E.6040309@redhat.com> Message-ID: On Thu, May 7, 2009 at 10:19 AM, Rich Megginson wrote: > The Fedora Directory Server Project is now called "389". ?The details are > here: > > http://directory.fedoraproject.org/wiki/389_Change_FAQ > > The new project website is http://port389.org (which is currently just an > alias for directory.fedoraproject.org) > > The new IRC channel is #389 > > We have created aliases for the mailing lists - so 389-users, 389-announce, > etc. > > We're still in the process of rebranding, re-skinning the web site, etc. ?In > the coming weeks you will see new packages with the 389 branding. > > Everything else is the same - the team, our mission, only the name has > changed. ?We apologize if this change is disconcerting to some of you, we > thank your for your support, and we hope to continue to make the 389 project > a success. > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > This original netscape code base has a legacy of re branding! Most times your here about a product called' X' and someone starts a new code base called Open 'X', yet this code base seems to endure. It is a story to tell your grand children netscape->aol->iplanet->sun directory server->RedHat->Fedora with forks and branches and documentation. 
It seems that just as the documentation and the variable names are catching up the name changes. :) 389 FTW! From priscilla.lanne at gmail.com Thu May 7 18:41:49 2009 From: priscilla.lanne at gmail.com (Priscilla Leao) Date: Thu, 7 May 2009 15:41:49 -0300 Subject: [Fedora-directory-users] FDS 1.2 - error when reinitialized dirsrv after the replication Message-ID: <5472c4a20905071141i6a4cackdc3442cc75d1770a@mail.gmail.com> Hi, everyone! When our FDS 1.2 server (consumer replica) receives the replica database and after the dirsrv service is reinitialized the following error message happens: "memory allocator - cannot calloc 0 elements;trying to allocate 0 or a negative number of elements is not portable and gives different results on different platforms." This server is a debian lenny and the FDS deb packages were generated using the default options based on the " http://directory.fedoraproject.org/wiki/Howto:BuildonEtch" document, but using the more recent packages on the http://directory.fedoraproject.org/sources/. Any idea about this problem? Regards, Priscilla Lanne -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri May 8 20:52:14 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 08 May 2009 14:52:14 -0600 Subject: [Fedora-directory-users] FDS 1.2 - error when reinitialized dirsrv after the replication In-Reply-To: <5472c4a20905071141i6a4cackdc3442cc75d1770a@mail.gmail.com> References: <5472c4a20905071141i6a4cackdc3442cc75d1770a@mail.gmail.com> Message-ID: <4A049B7E.2000100@redhat.com> Priscilla Leao wrote: > Hi, everyone! > > When our FDS 1.2 server (consumer replica) receives the replica > database and after the dirsrv service is reinitialized the following > error message happens: > > "memory allocator - cannot calloc 0 elements;trying to allocate 0 or a > negative number of elements is not portable and gives different > results on different platforms." 
> > This server is a debian lenny and the FDS deb packages were generated > using the default options based on the > "http://directory.fedoraproject.org/wiki/Howto:BuildonEtch" document, > but using the more recent packages on the > http://directory.fedoraproject.org/sources/. > > Any idea about this problem? Has anyone seen this problem on Fedora/EL? > > Regards, > Priscilla Lanne > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From michal.nosek at enlogit.cz Mon May 11 06:25:53 2009 From: michal.nosek at enlogit.cz (Michal Nosek) Date: Mon, 11 May 2009 08:25:53 +0200 Subject: [Fedora-directory-users] Per-hos access In-Reply-To: <4A02EC65.4040705@redhat.com> References: <1241693263.7862.0.camel@mnosek-ubuntu.enlogit.local> <4A02EC65.4040705@redhat.com> Message-ID: <1242023153.8093.5.camel@mnosek-ubuntu.enlogit.local> > > I'm not sure. You can set access control based on the client machine: > http://tinyurl.com/ddtouz I can, but I must set one rule for each server. This is not simple, because we have 200 servers :-( -- Michal From jsullivan at opensourcedevel.com Mon May 11 12:02:27 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Mon, 11 May 2009 08:02:27 -0400 Subject: [Fedora-directory-users] Wildcards in groupdn in ACIs Message-ID: <1242043347.6377.11.camel@jaspav.missionsit.net.missionsit.net> Hello, all. We are still refining how we want to deploy 389 in a multi-tenant environment. 
To grant access to the admins for each tenant to manage their own external contact lists, we created an ACI as follows: (targetattr = "*") (target = "ldap:///($dn),o=external,dc=ssiservices, dc=biz") (version 3.0;acl "Client Administrators External";allow (all)(groupdn = "ldap:///cn=*ldapadmins,ou=groups,[$dn],o=internal,dc=ssiservices,dc=biz");) Each tenant has a client number which is prefixed to the ldapadmins group cn so that we don't have thousands of groups with the same cn so, for example, c001ldapadmins, c002ldapadmins. Hence the * in the cn. However, it does not seem to work. Client admins are told they do not have rights to add new objects. If we replace the * with the prefix, e.g., "ldap:///cn=c001ldapadmins,ou=groups,[$dn],o=internal,dc=ssiservices,dc=biz"), it works fine. Is there a way to use wildcards in a groupdn? The literature explicitly says so for userdn but not groupdn. Thanks - John PS - I first tried sending this to 389-users but that mail bounced - John -- John A. Sullivan III Open Source Development Corporation Street Preacher: Are you SAVED?????!!!!!! Educated Skeptic: Saved from WHAT?????!!!!!! Educated Believer: From our selfishness that hurts the ones we love and condemns us to an eternity of hurting each other. http://www.spiritualoutreach.com Christianity that makes sense From rmeggins at redhat.com Mon May 11 13:58:33 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 11 May 2009 07:58:33 -0600 Subject: [Fedora-directory-users] Per-hos access In-Reply-To: <1242023153.8093.5.camel@mnosek-ubuntu.enlogit.local> References: <1241693263.7862.0.camel@mnosek-ubuntu.enlogit.local> <4A02EC65.4040705@redhat.com> <1242023153.8093.5.camel@mnosek-ubuntu.enlogit.local> Message-ID: <4A082F09.7040000@redhat.com> Michal Nosek wrote: >> >> I'm not sure. You can set access control based on the client machine: >> http://tinyurl.com/ddtouz >> > I can, but I must set one rule for each server. 
This is not simple, > because we have 200 servers :-( > Can you explain your problem a little more? > -- > Michal > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rwood at TrustedCS.com Mon May 11 14:45:11 2009 From: rwood at TrustedCS.com (Randall Wood) Date: Mon, 11 May 2009 10:45:11 -0400 Subject: [Fedora-directory-users] FDS chaining Message-ID: <1242053111.4665.68.camel@localhost.localdomain> I am attempting to chain two directory servers together, and am successful only if I disable proxied authorization. I cannot find any resources that discuss how to make proxied authorization work other than iPlanet/Netscape/Sun/Fedora/Redhat Directory servers manuals, but I cannot get it working. Does anyone know of a how-to guide for this? -- Randall Wood Secure Systems Engineer Trusted Computer Solutions 2350 Corporate Park Drive, Suite 500 Herndon, Virginia 20170 Tel (703) 537-4382 | Fax (703) 318-5041 rwood at trustedcs.com http://www.trustedcs.com From jsullivan at opensourcedevel.com Mon May 11 22:33:26 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Mon, 11 May 2009 18:33:26 -0400 Subject: [Fedora-directory-users] LDAP browsers Message-ID: <1242081206.6377.33.camel@jaspav.missionsit.net.missionsit.net> Hello, all. As we are planning to use 389 to hold external contact information for our users, we would like to give them the ability to browse their particular portions of the tree. May I ask what the various members of the list have used for a multi-distribution ldap administration tool? Luma seems a bit light.
I've not yet played with getting idm-console to run on Ubuntu (the majority of the clients) but I think it would be overwhelming for a business manager who just needs to create contacts and organize them into OUs. DSGW has potential but, unless I missed it, I did not see a way to browse using it. Just search. What are folks using? Thanks - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From rmeggins at redhat.com Mon May 11 22:38:56 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Mon, 11 May 2009 16:38:56 -0600 Subject: [Fedora-directory-users] test Message-ID: <4A08A900.3030003@redhat.com> test -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From james.chavez at sanmina-sci.com Tue May 12 00:51:00 2009 From: james.chavez at sanmina-sci.com (James Chavez) Date: Mon, 11 May 2009 17:51:00 -0700 Subject: [389-users] Case sensitivity and FC9 389 DS packages. Message-ID: Hello Rich, List, I have two inquiries. The first is regarding case sensitivity. I have the sudoers file centralized in LDAP (389) in one of the plants that I support. I have users listed by their uid as sudoUsers under the sudo roles. Now If the uid is listed as Joe_Montana..and I login as Joe_Montana then the entry is recognized correctly by the sudo functions. If I login as joe_montana the sudo functions fail. Is there a way to force 389 to be case insensitive so that username or UIDs are recognized regardless of case? I found these entries in dse. Can these be edited to force case insensitivity? 
nsslapd-return-exact-case: on
dn: cn=Case Exact String Syntax,cn=plugins,cn=config
cn: Case Exact String Syntax
dn: cn=Case Ignore String Syntax,cn=plugins,cn=config
cn: Case Ignore String Syntax

Secondly it seems the Fedora 9 newkey updates repo is broken. I upgraded all of our installations to the newest packages 2 to 3 weeks ago and I am wondering if these are still the latest packages.

fedora-ds-dsgw-1.1.1-1.fc9.i386
fedora-ds-console-1.2.0-1.fc9.noarch
fedora-ds-base-1.2.0-4.fc9.i386
fedora-ds-1.1.3-1.fc9.noarch
fedora-ds-admin-1.1.7-3.fc9.i386
fedora-ds-admin-console-1.1.3-1.fc9.noarch

Thank you James -------------- next part -------------- An HTML attachment was scrubbed... URL: From stpierre at NebrWesleyan.edu Tue May 12 02:09:09 2009 From: stpierre at NebrWesleyan.edu (Chris St. Pierre) Date: Mon, 11 May 2009 21:09:09 -0500 (CDT) Subject: [389-users] Case sensitivity and FC9 389 DS packages. In-Reply-To: References: Message-ID: On Mon, 11 May 2009, James Chavez wrote: > Now if the uid is listed as Joe_Montana..and I login as Joe_Montana then the > entry is recognized correctly by the sudo functions. > If I login as joe_montana the sudo functions fail. > Is there a way to force 389 to be case insensitive so that username or UIDs > are recognized regardless of case? In the sudoers schema file (/etc/dirsrv/slapd-/schema/60sudo.ldif), you'll note that the sudoUser attribute has:

EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch

So do the sudoHost, sudoCommand, etc., attributes. If you want case-insensitive matching, you should change that to:

EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch

And then restart the DS. > Secondly it seems the Fedora 9 newkey updates repo is broken. I upgraded all > of our installations to the newest packages 2 to 3 weeks ago and I am > wondering if these are still the latest packages.
> > fedora-ds-dsgw-1.1.1-1.fc9.i386 > fedora-ds-console-1.2.0-1.fc9.noarch > fedora-ds-base-1.2.0-4.fc9.i386 > fedora-ds-1.1.3-1.fc9.noarch > fedora-ds-admin-1.1.7-3.fc9.i386 > fedora-ds-admin-console-1.1.3-1.fc9.noarch Yes, those are the latest packages. Note that the fedora-ds-base package -- which has the important stuff -- and the fedora-ds-console package -- which has the shiny GUI stuff -- are both at 1.2.0, the latest version. FDS -- err, 389DS -- doesn't rev all of the package versions to track the release version, so the fedora-ds package is still at 1.1.3 while its requirements are at various other versions. Some nuts and bolts: fedora-ds is itself just a "meta-package" that contains nothing; it just requires other packages. So the fedora-ds package version really only needs to be incremented if the requirements change. Since they didn't, it's easier for the dev team to leave what they can alone and only release new versions of packages that actually have some changed code. Make sense? Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University From james.chavez at sanmina-sci.com Tue May 12 02:40:40 2009 From: james.chavez at sanmina-sci.com (James Chavez) Date: Mon, 11 May 2009 19:40:40 -0700 Subject: [389-users] Case sensitivity and FC9 389 DS packages. In-Reply-To: References: Message-ID: On Mon, May 11, 2009 at 7:09 PM, Chris St. Pierre wrote: > On Mon, 11 May 2009, James Chavez wrote: > > Now if the uid is listed as Joe_Montana..and I login as Joe_Montana then >> the >> entry is recognized correctly by the sudo functions. >> If I login as joe_montana the sudo functions fail. >> Is there a way to force 389 to be case insensitive so that username or >> UIDs >> are recognized regardless of case? >> > > In the sudoers schema file > (/etc/dirsrv/slapd-/schema/60sudo.ldif), you'll note that > the sudoUser attribute has: > > EQUALITY caseExactIA5Match > SUBSTR caseExactIA5SubstringsMatch > > So do the sudoHost, sudoCommand, etc., attributes.
If you want > case-insensitive matching, you should change that to: > > EQUALITY caseIgnoreIA5Match > SUBSTR caseIgnoreIA5SubstringsMatch > > And then restart the DS. > ++ Chris thanks for the reply. That helps...seems obvious now that you > pointed it to me. I appreciate it. > > Secondly it seems the Fedora 9 newkey updates repo is broken. I upgraded >> all >> of our installations to the newest packages 2 to 3 weeks ago and I am >> wondering if these are still the latest packages. >> >> fedora-ds-dsgw-1.1.1-1.fc9.i386 >> fedora-ds-console-1.2.0-1.fc9.noarch >> fedora-ds-base-1.2.0-4.fc9.i386 >> fedora-ds-1.1.3-1.fc9.noarch >> fedora-ds-admin-1.1.7-3.fc9.i386 >> fedora-ds-admin-console-1.1.3-1.fc9.noarch >> > > Yes, those are the latest packages. Note that the fedora-ds-base > package -- which has the important stuff -- and the fedora-ds-console > package -- which has the shiny GUI stuff -- are both at 1.2.0, the > latest version. FDS -- err, 389DS -- doesn't rev all of the package > versions to track the release version, so the fedora-ds package is > still at 1.1.3 while its requirements are at various other versions. > > Some nuts and bolts: fedora-ds is itself just a "meta-package" that > contains nothing; it just requires other packages. So the fedora-ds > package version really only needs to be incremented if the requirements > change. Since they didn't, it's easier for the dev team to leave what > they can alone and only release new versions of packages that actually > have some changed code. > > Make sense? ++ Makes perfect sense, thanks a bunch, so I should be most concerned with the fedora-ds-base and fedora-ds-console packages for revision or version changes. I will definitely keep that in mind. Thanks again for the clarity. James > > > -------------- next part -------------- An HTML attachment was scrubbed...
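A worked illustration of the point in Chris St. Pierre's answer above, and of the later question on this page about memberUid (SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 versus 1.3.6.1.4.1.1466.115.121.1.15). This is an added example, not code from 389 Directory Server or from anyone on the list. In LDAP schema the syntax OID only fixes the value's character repertoire (1.26 is IA5 String, ASCII only; 1.15 is Directory String); whether 'Joe_Montana' and 'joe_montana' compare equal is decided by the attribute's EQUALITY (and SUBSTR) matching rule, which is why the fix is caseExactIA5Match to caseIgnoreIA5Match and the syntax can stay as it is. The schema text and group entries in the block are constructed test data modelled on the sudo and RFC 2307 definitions, not the shipped 60sudo.ldif or 10rfc2307.ldif. Two caveats a practitioner should keep in mind: an equality index built under the old matching rule is no longer consistent with the new one, so reindex the attribute (db2index in 389) after the change; and a schema file shipped by the package may be replaced on upgrade, so record the change somewhere it will be reapplied.

```python
"""Case sensitivity in LDAP schema is a property of the matching rule, not
of the syntax OID.  Added example, not code from 389 Directory Server or
from the list posts.  SAMPLE_SCHEMA and SAMPLE_GROUPS are constructed test
data modelled on the sudo / RFC 2307 schema, not the shipped LDIF files."""
import re

# RFC 4517 syntax OIDs quoted in the thread.  A syntax constrains the
# character repertoire (IA5 = ASCII); it says nothing about case folding.
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"

# Constructed schema fragment.  Continuation lines carry two leading spaces
# so that LDIF unfolding (strip one space, concatenate) keeps a separator.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser'
  DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
  EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""

# Constructed posixGroup data reproducing the celtics/cavs situation.
SAMPLE_GROUPS = {
    "cn=celtics,ou=groups,dc=example,dc=com": ["Joe_Doe", "bob"],
    "cn=cavs,ou=groups,dc=example,dc=com": ["joe_doe"],
}

NAME_RE = re.compile(r"NAME\s+'([^']+)'")


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues
    the previous line, with that one space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_types(text):
    """Map attribute NAME -> {'equality', 'substr', 'syntax'} from schema LDIF."""
    result = {}
    for line in unfold_ldif(text):
        if not line.lower().startswith("attributetypes:"):
            continue
        name = NAME_RE.search(line).group(1)
        fields = {}
        for key in ("EQUALITY", "SUBSTR", "SYNTAX"):
            m = re.search(r"\b%s\s+(\S+)" % key, line)
            fields[key.lower()] = m.group(1) if m else None
        result[name] = fields
    return result


def values_match(rule, stored, query):
    """Equality under one of the four matching rules discussed in the thread.
    Outer spaces are dropped and inner runs collapsed (RFC 4518 insignificant
    space handling); the *Ignore* rules also fold case.  The IA5 rules reject
    non-ASCII values, which the IA5 String syntax forbids anyway."""
    if rule not in ("caseExactIA5Match", "caseIgnoreIA5Match",
                    "caseExactMatch", "caseIgnoreMatch"):
        raise ValueError("unsupported matching rule: %s" % rule)
    if rule.endswith("IA5Match"):
        for v in (stored, query):
            if not v.isascii():
                raise ValueError("non-IA5 value: %r" % v)
    norm = [" ".join(v.split()) for v in (stored, query)]
    if "Ignore" in rule:
        norm = [v.lower() for v in norm]
    return norm[0] == norm[1]


def groups_for(uid, schema, groups=SAMPLE_GROUPS):
    """Group DNs whose memberUid matches uid under the schema's EQUALITY rule;
    this is what a caseExact rule does to the 'groups' command in the thread."""
    rule = schema["memberUid"]["equality"]
    return sorted(dn for dn, members in groups.items()
                  if any(values_match(rule, m, uid) for m in members))


def rewrite_matching_rules(text, attrs, equality, substr):
    """Return the schema text with EQUALITY/SUBSTR replaced for the named
    attributes.  Output lines are unfolded, which LDIF accepts."""
    out = []
    for line in unfold_ldif(text):
        m = NAME_RE.search(line) if line.lower().startswith("attributetypes:") else None
        if m and m.group(1) in attrs:
            line = re.sub(r"\bEQUALITY\s+\S+", "EQUALITY " + equality, line)
            line = re.sub(r"\bSUBSTR\s+\S+", "SUBSTR " + substr, line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = parse_attribute_types(SAMPLE_SCHEMA)
    print("caseExact :", groups_for("joe_doe", before))
    fixed = rewrite_matching_rules(SAMPLE_SCHEMA, {"sudoUser", "memberUid"},
                                   "caseIgnoreIA5Match", "caseIgnoreIA5SubstringsMatch")
    after = parse_attribute_types(fixed)
    print("caseIgnore:", groups_for("joe_doe", after))
    print("syntax still IA5:", after["memberUid"]["syntax"] == IA5_STRING)
```

Run as a script it prints the group list for joe_doe once under the exact rule (cavs only) and once after the rewrite (both groups), with the syntax OID untouched. The same rewrite_matching_rules call, fed the real schema file, produces the edit Chris describes for sudoUser, sudoHost and sudoCommand in one pass; apply it to a copy, diff, then install and restart.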
URL: From lambam80 at hotmail.com Tue May 12 11:56:52 2009 From: lambam80 at hotmail.com (lambam80 at hotmail.com) Date: Tue, 12 May 2009 07:56:52 -0400 Subject: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate Message-ID: Hello everybody and, firstly, thanks for your continued support. I hope I've used the correct expression/jargon, ie:PAM-LDAP ? PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password hardcoded in /etc/ldap.conf - great stuff. This was configured using the GUI '/usr/sbin/system-config-authentication' - also great stuff ! Symbolic Link pointing to the CA certificate: Q1. I've searched the web but cannot find what purpose the symbolic link serves. ---------------------------------------- # ls -toalr /etc/openldap/cacerts -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem Client Certificate etc. -------------------------- I'm now experimenting with client certificates and have found the following link: http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html and see the following example lines for the file /etc/ldap.conf: tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case) tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me) Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following command ? Will I have trouble if I specify '-passout' ? I assume it protects the file $FN.key. How will PAM-LDAP open the keystore if I have used a password ? openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout pass: 0<< EOF >/dev/null 2>&1 Q3. ldap.pem: Is this file simply the $FN.pem file created by the following command ? 
openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile $DIR/demoCA/private/cakey.pem \ -cert $DIR/demoCA/cacert.pem \ -passin pass: << EOF2 >/dev/null 2>&1 Thanks again, cdlt, ----------- _________________________________________________________________ Create a cool, new character for your Windows Live? Messenger. http://go.microsoft.com/?linkid=9656621 -------------- next part -------------- An HTML attachment was scrubbed... URL: From lambam80 at hotmail.com Tue May 12 14:20:45 2009 From: lambam80 at hotmail.com (lambam80 at hotmail.com) Date: Tue, 12 May 2009 10:20:45 -0400 Subject: [389-users] Part 2: PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate In-Reply-To: References: Message-ID: Further information for Q2: It looks like '-passout pass:' is mandatory, regardless: + openssl req -newkey rsa:1024 -keyout /root/tools/ssl/misc/output/X9999990.key -out /root/tools/ssl/misc/output/X9999990.csr -days 7300 Enter PEM pass phrase: Verifying - Enter PEM pass phrase: Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ... Like I say, any help would be greatly appreciated ! Cdlt, --------- From: lambam80 at hotmail.com To: fedora-directory-users at redhat.com; lambam80 at hotmail.com Subject: PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate Date: Tue, 12 May 2009 07:56:52 -0400 Hello everybody and, firstly, thanks for your continued support. I hope I've used the correct expression/jargon, ie:PAM-LDAP ? PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password hardcoded in /etc/ldap.conf - great stuff. This was configured using the GUI '/usr/sbin/system-config-authentication' - also great stuff ! Symbolic Link pointing to the CA certificate: Q1. I've searched the web but cannot find what purpose the symbolic link serves. 
---------------------------------------- # ls -toalr /etc/openldap/cacerts -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem Client Certificate etc. -------------------------- I'm now experimenting with client certificates and have found the following link: http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html and see the following example lines for the file /etc/ldap.conf: tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case) tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me) Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following command ? Will I have trouble if I specify '-passout' ? I assume it protects the file $FN.key. How will PAM-LDAP open the keystore if I have used a password ? openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout pass: 0<< EOF >/dev/null 2>&1 Q3. ldap.pem: Is this file simply the $FN.pem file created by the following command ? openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile $DIR/demoCA/private/cakey.pem \ -cert $DIR/demoCA/cacert.pem \ -passin pass: << EOF2 >/dev/null 2>&1 Thanks again, cdlt, ----------- Create a cool, new character for your Windows Live? Messenger. Check it out _________________________________________________________________ Windows Live helps you keep up with all your friends, in one place. http://go.microsoft.com/?linkid=9660826 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue May 12 15:29:19 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 12 May 2009 09:29:19 -0600 Subject: [389-users] Case sensitivity and FC9 389 DS packages. In-Reply-To: References: Message-ID: <4A0995CF.4050508@redhat.com> James Chavez wrote: > Hello Rich, List, > > I have two inquiries. > The first is regarding case sensitivity. 
> I have the sudoers file centralized in LDAP (389) in one of the plants > that I support. I have users listed by their uid as sudoUsers under > the sudo roles. > > Now If the uid is listed as Joe_Montana..and I login as Joe_Montana > then the entry is recognized correctly by the sudo functions. > If I login as joe_montana the sudo functions fail. > Is there a way to force 389 to be case insensitive so that username or > UIDs are recognized regardless of case? > > I found these entries in dse. Can these be edited to force case > insensitivity? > nsslapd-return-exact-case: on > dn: cn=Case Exact String Syntax,cn=plugins,cn=config > cn: Case Exact String Syntax > dn: cn=Case Ignore String Syntax,cn=plugins,cn=config > cn: Case Ignore String Syntax > > > Secondly it seems the Fedora 9 newkey updates repo is broken. I > upgraded all of our installations to the newest packages 2 to 3 weeks > ago and i am wondering if these are still the latest packages. > > fedora-ds-dsgw-1.1.1-1.fc9. > i386 > fedora-ds-console-1.2.0-1.fc9.noarch > fedora-ds-base-1.2.0-4.fc9.i386 > fedora-ds-1.1.3-1.fc9.noarch > fedora-ds-admin-1.1.7-3.fc9.i386 > fedora-ds-admin-console-1.1.3-1.fc9.noarch yes, these are the latest > > Thank you > James > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue May 12 15:31:16 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 12 May 2009 09:31:16 -0600 Subject: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate In-Reply-To: References: Message-ID: <4A099644.5050407@redhat.com> lambam80 at hotmail.com wrote: > Hello everybody and, firstly, thanks for your continued support. > > I hope I've used the correct expression/jargon, ie:PAM-LDAP ? > > PAM-LDAP works with LDAPS and binding with cn=Directory > Manager/password hardcoded in /etc/ldap.conf - great stuff. Except for the fact that you have the directory manager clear text password hardcoded in ldap.conf :-( > This was configured using the GUI > '/usr/sbin/system-config-authentication' - also great stuff ! > > Symbolic Link pointing to the CA certificate: Q1. I've searched the > web but cannot find what purpose the symbolic link serves. > ---------------------------------------- > > # ls -toalr /etc/openldap/cacerts > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> > authconfig_downloaded.pem > > > Client Certificate etc. > -------------------------- > I'm now experimenting with client certificates and have found the > following link: > > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html > > and see the following example lines for the file /etc/ldap.conf: > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case) > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me) > > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the > following command ? > Will I have trouble if I specify '-passout' ? I assume it protects the > file $FN.key. > How will PAM-LDAP open the keystore if I have used a password ? 
It probably won't, unless you either hardcode the clear text password, or simply have no key password. > > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout > pass: 0<< EOF >/dev/null 2>&1 > > > Q3. ldap.pem: Is this file simply the $FN.pem file created by the > following command ? > > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile > $DIR/demoCA/private/cakey.pem \ > -cert $DIR/demoCA/cacert.pem \ > -passin pass: << EOF2 >/dev/null 2>&1 > > > Thanks again, cdlt, > ----------- > > > > > > ------------------------------------------------------------------------ > Create a cool, new character for your Windows Live? Messenger. Check > it out > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From jfgamsby at lbl.gov Tue May 12 18:04:40 2009 From: jfgamsby at lbl.gov (Jeff Gamsby) Date: Tue, 12 May 2009 11:04:40 -0700 Subject: [389-users] windows replication directory subtree problems Message-ID: <4A09BA38.1010503@lbl.gov> I am having issues replicating with a 'sub' dc and an AD host. example: base dn of FDS server: dc=example,dc=com I want to use a windows sync agreement for a 'sub' dc (dc=sales,dc=example,dc=com) on the FDS server to dc=sales,dc=example,dc=com on the AD side The FDS logs show that it gets confused when trying to sync It appears as if the 'replicated subtree' (dc=example,dc=com) which cannot be changed should in fact be dc=sales,dc=example,dc=com Does that make sense? Is this possible? Thanks -- Jeff Gamsby From jsullivan at opensourcedevel.com Tue May 12 20:55:39 2009 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III) Date: Tue, 12 May 2009 16:55:39 -0400 Subject: [389-users] windows replication directory subtree problems In-Reply-To: <4A09BA38.1010503@lbl.gov> References: <4A09BA38.1010503@lbl.gov> Message-ID: <1242161739.6388.0.camel@jaspav.missionsit.net.missionsit.net> On Tue, 2009-05-12 at 11:04 -0700, Jeff Gamsby wrote: > I am having issues replicating with a 'sub' dc and an AD host. > > example: > > base dn of FDS server: dc=example,dc=com > > I want to use a windows sync agreement for a 'sub' dc > (dc=sales,dc=example,dc=com) on the FDS server to > dc=sales,dc=example,dc=com on the AD side > > The FDS logs show that it gets confused when trying to sync > > It appears as if the 'replicated subtree' (dc=example,dc=com) which > cannot be changed should in fact be dc=sales,dc=example,dc=com > > Does that make sense? > > Is this possible? > > > Thanks > What values did you give the fields in your sync agreement? - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From jfgamsby at lbl.gov Tue May 12 21:03:27 2009 From: jfgamsby at lbl.gov (Jeff Gamsby) Date: Tue, 12 May 2009 14:03:27 -0700 Subject: [389-users] windows replication directory subtree problems In-Reply-To: <1242161739.6388.0.camel@jaspav.missionsit.net.missionsit.net> References: <4A09BA38.1010503@lbl.gov> <1242161739.6388.0.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <8152DDA1-7B11-4AF7-A038-399F4E13266D@lbl.gov> I used DC=sales... The replication subtree cannot be edited Thanks On May 12, 2009, at 1:55 PM, "John A. Sullivan III" wrote: > On Tue, 2009-05-12 at 11:04 -0700, Jeff Gamsby wrote: >> I am having issues replicating with a 'sub' dc and an AD host. 
>> >> example: >> >> base dn of FDS server: dc=example,dc=com >> >> I want to use a windows sync agreement for a 'sub' dc >> (dc=sales,dc=example,dc=com) on the FDS server to >> dc=sales,dc=example,dc=com on the AD side >> >> The FDS logs show that it gets confused when trying to sync >> >> It appears as if the 'replicated subtree' (dc=example,dc=com) which >> cannot be changed should in fact be dc=sales,dc=example,dc=com >> >> Does that make sense? >> >> Is this possible? >> >> >> Thanks >> > What values did you give the fields in your sync agreement? - John > -- > John A. Sullivan III > Open Source Development Corporation > +1 207-985-7880 > jsullivan at opensourcedevel.com > > http://www.spiritualoutreach.com > Making Christianity intelligible to secular society > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From techchavez at gmail.com Tue May 12 23:03:46 2009 From: techchavez at gmail.com (J.C.) Date: Tue, 12 May 2009 16:03:46 -0700 Subject: [389-users] Schema SYNTAX question for 389. Message-ID: Hello, The uid attribute referenced in 01common.ldif shows as having syntax of 1.3.6.1.4.1.1466.115.121.1.15 or case insensitive which is what I want. However memberUid referenced in 10rfc2307.ldif shows as having syntax of 1.3.6.1.4.1.1466.115.121.1.26 or case sensitive which is cramping my style a bit and leading to inconsistencies in the returns of the groups command amongst other things. For example I may have a user uid=joe_doe and he is listed in the posixGroup cn=celtics as memberUid: Joe_Doe and listed in the posixGroup cn=cavs as memberUid: joe_doe. He will only be returned as being a member of cavs and not celtics when I use the groups command. My belief is that this is due to the SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 setting for memberUid. Sound about right? I am curious to know if this is configurable?
Can I modify the syntax for memberUid to be case insensitive as uid is by switching the SYNTAX from 1.3.6.1.4.1.1466.115.121.1.26 (case sensitive) to 1.3.6.1.4.1.1466.115.121.1.15 (case INsensitive)? What are the repercussions on the various groups/users I have already existing in the directory? Will I have to delete and recreate my indexes if I do this? thx From lambam80 at hotmail.com Wed May 13 09:39:45 2009 From: lambam80 at hotmail.com (lambam80 at hotmail.com) Date: Wed, 13 May 2009 05:39:45 -0400 Subject: [389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ? In-Reply-To: <4A099644.5050407@redhat.com> References: <4A099644.5050407@redhat.com> Message-ID: Rich, hello and, as ever, thanks for the helpful reply. One very quick question and a quick technote 'for the record'. < You write, '... It probably won't, unless you either hardcode the clear text password ...' Q1: Hardcode where ? Is there an attribute in /etc/ldap.conf specifically for the keyfile password ? < You write, '... or simply have no key password ...' For the record, I reckon I need the '-noDES' option if I don't want a key file password: openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days 7300 -nodes < Date: Tue, 12 May 2009 09:31:16 -0600 > From: rmeggins at redhat.com > To: fedora-directory-users at redhat.com > CC: lambam80 at hotmail.com > Subject: Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate > > lambam80 at hotmail.com wrote: > > Hello everybody and, firstly, thanks for your continued support. > > > > I hope I've used the correct expression/jargon, ie:PAM-LDAP ? > > > > PAM-LDAP works with LDAPS and binding with cn=Directory > > Manager/password hardcoded in /etc/ldap.conf - great stuff.
> Except for the fact that you have the directory manager clear text > password hardcoded in ldap.conf :-( > > This was configured using the GUI > > '/usr/sbin/system-config-authentication' - also great stuff ! > > > > Symbolic Link pointing to the CA certificate: Q1. I've searched the > > web but cannot find what purpose the symbolic link serves. > > ---------------------------------------- > > > > # ls -toalr /etc/openldap/cacerts > > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem > > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> > > authconfig_downloaded.pem > > > > > > Client Certificate etc. > > -------------------------- > > I'm now experimenting with client certificates and have found the > > following link: > > > > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html > > > > and see the following example lines for the file /etc/ldap.conf: > > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case) > > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me) > > > > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the > > following command ? > > Will I have trouble if I specify '-passout' ? I assume it protects the > > file $FN.key. > > How will PAM-LDAP open the keystore if I have used a password ? > It probably won't, unless you either hardcode the clear text password, > or simply have no key password. > > > > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout > > pass: 0<< EOF >/dev/null 2>&1 > > > > > > Q3. ldap.pem: Is this file simply the $FN.pem file created by the > > following command ? > > > > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile > > $DIR/demoCA/private/cakey.pem \ > > -cert $DIR/demoCA/cacert.pem \ > > -passin pass: << EOF2 >/dev/null 2>&1 > > > > > > Thanks again, cdlt, > > ----------- > > > > > > > > > > > > ------------------------------------------------------------------------ > > Create a cool, new character for your Windows Live? 
Messenger. Check > > it out > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > _________________________________________________________________ Internet explorer 8 lets you browse the web faster. http://go.microsoft.com/?linkid=9655582 -------------- next part -------------- An HTML attachment was scrubbed... URL: From emmanuel.billot at ird.fr Wed May 13 09:57:18 2009 From: emmanuel.billot at ird.fr (Emmanuel BILLOT) Date: Wed, 13 May 2009 11:57:18 +0200 Subject: [389-users] cert and key database failure Message-ID: <4A0A997E.4050302@ird.fr> Hi, The cert.db and key.db files seem to be corrupted. In the GUI, we can see 3 certificates, one is cloned, one is valid. The "detail" option does not work on the cloned one, with a failure message. We tried to manipulate the db with certutil :

certutil -L -d ......

Certificate Name                    Trust Attributes
server-cert                         u,,
IRDNEW                              u,pu,u
IRDNEW                              u,pu,u
IRD - IRD                           CT,,

p    Valid peer
P    Trusted peer (implies p)
c    Valid CA
T    Trusted CA to issue client certs (implies c)
C    Trusted CA to certs(only server certs for ssl) (implies c)
u    User cert
w    Send warning

We tried to delete the cloned one but, here is a new error message :

certutil: could not find certificate named "IRDNEW": security library: bad database.

What is the problem? BR, -- ========================================== Emmanuel BILLOT IRD - Orléans Délégation aux Systèmes d'Information (DSI) tél : 02 38 49 95 88 ========================================== From emmanuel.billot at ird.fr Wed May 13 14:51:01 2009 From: emmanuel.billot at ird.fr (Emmanuel BILLOT) Date: Wed, 13 May 2009 16:51:01 +0200 Subject: [389-users] Replication failure Message-ID: <4A0ADE55.2020808@ird.fr> Hi, There is a strange behaviour on our FDS servers... We want to replicate a 12000-entry database between 2 FDS.
At the replication agreement end, we've got an "Unwilling to perform" with "

[13/May/2009:00:19:56 +0200] NS7bitAttr - ADD begin
[13/May/2009:00:19:56 +0200] NS7bitAttr - ADD target=cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config
[13/May/2009:00:19:56 +0200] NSMMReplicationPlugin - agmtlist_add_callback: Can't start agreement "cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config"

" in the log... When the database is empty, the replication agreement creation works !!! How is it possible ? -- ========================================== Emmanuel BILLOT IRD - Orléans Délégation aux Systèmes d'Information (DSI) tél : 02 38 49 95 88 ========================================== From emmanuel.billot at ird.fr Wed May 13 15:05:06 2009 From: emmanuel.billot at ird.fr (Emmanuel BILLOT) Date: Wed, 13 May 2009 17:05:06 +0200 Subject: [389-users] Replication failure In-Reply-To: <8304_1242226289_4A0ADE70_8304_2283_1_4A0ADE55.2020808@ird.fr> References: <8304_1242226289_4A0ADE70_8304_2283_1_4A0ADE55.2020808@ird.fr> Message-ID: <4A0AE1A2.9030102@ird.fr> Emmanuel BILLOT wrote: > Hi, > > There is a strange behaviour on our FDS servers... > We want to replicate a 12000-entry database between 2 FDS. At the > replication agreement end, we've got an "Unwilling to perform" with " > [13/May/2009:00:19:56 +0200] NS7bitAttr - ADD begin > [13/May/2009:00:19:56 +0200] NS7bitAttr - ADD > target=cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config > [13/May/2009:00:19:56 +0200] NSMMReplicationPlugin - > agmtlist_add_callback: Can't start agreement > "cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config" > " > in the log... > > When the database is empty, the replication agreement creation works !!! > > How is it possible ? > Correction, even if the db is empty it fails. How can I get more detailed logs? Level is "replication" now.
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From rmeggins at redhat.com Wed May 13 15:31:54 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 May 2009 09:31:54 -0600
Subject: [389-users] PAM-LDAP LDAPS Where (in /etc/ldap.conf) to hardcode the keyfile-password (which name=value pair) ?
In-Reply-To:
References: <4A099644.5050407@redhat.com>
Message-ID: <4A0AE7EA.7010705@redhat.com>

lambam80 at hotmail.com wrote:
> Rich, hello and, as ever, thanks for the helpful reply. One very quick
> question and a quick technote 'for the record'.
>
> < You write, '... It probably won't, unless you either hardcode the
> clear text password ...'
>
> Q1: Hardcode where ? Is there an attribute in /etc/ldap.conf
> specifically for the keyfile password ?
I have no idea - all I know is that if you need a password to unlock the private key, you need to store it somewhere.
>
> < You write, '... or simply have no key password ...'
>
> For the record, I reckon I need the '-noDES' option if I don't want a
> key file password:
>
> openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -days
> 7300 -nodes < ... > EOF
>
> For reference: http://www.openssl.org/docs/apps/req.html#
>
> I'll let you all know if my PAM-LDAP Linux login works when using
> client-certificates for binding to LDAP.
Ok.
>
> Thanks again,
> -----
>
> > Date: Tue, 12 May 2009 09:31:16 -0600
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > CC: lambam80 at hotmail.com
> > Subject: Re: [389-users] PAM-LDAP LDAPS (Linux Login) with PAM-LDAP
> > using a client certificate
> >
> > lambam80 at hotmail.com wrote:
> > > Hello everybody and, firstly, thanks for your continued support.
> > >
> > > I hope I've used the correct expression/jargon, i.e. PAM-LDAP ?
> > > > > > PAM-LDAP works with LDAPS and binding with cn=Directory > > > Manager/password hardcoded in /etc/ldap.conf - great stuff. > > Except for the fact that you have the directory manager clear text > > password hardcoded in ldap.conf :-( > > > This was configured using the GUI > > > '/usr/sbin/system-config-authentication' - also great stuff ! > > > > > > Symbolic Link pointing to the CA certificate: Q1. I've searched the > > > web but cannot find what purpose the symbolic link serves. > > > ---------------------------------------- > > > > > > # ls -toalr /etc/openldap/cacerts > > > -rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem > > > lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> > > > authconfig_downloaded.pem > > > > > > > > > Client Certificate etc. > > > -------------------------- > > > I'm now experimenting with client certificates and have found the > > > following link: > > > > > > http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html > > > > > > and see the following example lines for the file /etc/ldap.conf: > > > tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case) > > > tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me) > > > > > > Q2. ldap.key.pem: Is this file simply the $FN.key file created by the > > > following command ? > > > Will I have trouble if I specify '-passout' ? I assume it protects > the > > > file $FN.key. > > > How will PAM-LDAP open the keystore if I have used a password ? > > It probably won't, unless you either hardcode the clear text password, > > or simply have no key password. > > > > > > openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr > -passout > > > pass: 0<< EOF >/dev/null 2>&1 > > > > > > > > > Q3. ldap.pem: Is this file simply the $FN.pem file created by the > > > following command ? 
> > >
> > > openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile
> > > $DIR/demoCA/private/cakey.pem \
> > > -cert $DIR/demoCA/cacert.pem \
> > > -passin pass: << EOF2 >/dev/null 2>&1
> > >
> > >
> > > Thanks again, cdlt,
> > > -----------
> > >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Wed May 13 15:51:35 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 May 2009 09:51:35 -0600
Subject: [389-users] Replication failure
In-Reply-To: <4A0AE1A2.9030102@ird.fr>
References: <8304_1242226289_4A0ADE70_8304_2283_1_4A0ADE55.2020808@ird.fr> <4A0AE1A2.9030102@ird.fr>
Message-ID: <4A0AEC87.2050408@redhat.com>

Emmanuel BILLOT wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> There is a strange behaviour on our FDS servers...
>> We want to replicate a 12000 entries database between 2 FDS.
At the >> replication agrement end, we 've got an "Unwilling to perform" with " >> [13/May/2009:00:19:56 +0200] NS7bitAttr - ADD begin >> [13/May/2009:00:19:56 +0200] NS7bitAttr - ADD >> target=cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config >> [13/May/2009:00:19:56 +0200] NSMMReplicationPlugin - >> agmtlist_add_callback: Can't start agreement >> "cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config" >> " >> in the log... >> >> When the datablase is empty, the replication agrement creation works !!! >> >> How is it possible ? >> > Correction, even if the db is empty it fails. > How can i have other detailled logs ? Level is "replication" now. Looks like you also have plugin level logging on too - NS7bitAttr messages Can you post the exact command you are using to add the agreement, and the relevant excerpts from the access log showing the add attempt and result? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed May 13 15:51:58 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 13 May 2009 09:51:58 -0600 Subject: [389-users] cert and key database failure In-Reply-To: <4A0A997E.4050302@ird.fr> References: <4A0A997E.4050302@ird.fr> Message-ID: <4A0AEC9E.6010201@redhat.com> Emmanuel BILLOT wrote: > Hi, > > The cert.db and key.db file seems to be corrupted. > In GUI, we can see 3 certificates, one is cloned, one is valid. The > "detail" option does not work on the cloned one, whith a failure message. > > We tried to manipulate db with certutil : > > certutil -L -d ...... 
> Certificate Name                  Trust Attributes
>
> server-cert                       u,,
> IRDNEW                            u,pu,u
> IRDNEW                            u,pu,u
> IRD - IRD                         CT,,
>
> p    Valid peer
> P    Trusted peer (implies p)
> c    Valid CA
> T    Trusted CA to issue client certs (implies c)
> C    Trusted CA to certs(only server certs for ssl) (implies c)
> u    User cert
> w    Send warning
>
>
> We tried to delete the cloned one, but here is a new error message:
>
> certutil: could not find certificate named "IRDNEW": security library:
> bad database.
>
> What is the pb ?
Can you post the exact certutil command line you're using?
>
> BR,
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jsullivan at opensourcedevel.com Wed May 13 19:06:47 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 13 May 2009 15:06:47 -0400
Subject: [389-users] LDAP to samba password synchronization
Message-ID: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. Several hours of googling and testing have not solved my problem. We are using Directory Server as our authentication mechanism for as much as possible in our environment. So far, we have integrated all our Linux servers, synchronized with AD, and are using it for Zimbra.

We have just implemented a standalone SAMBA server and are having trouble synchronizing passwords. I see plenty of examples of how to have changes made using smbpasswd passed to the posix password in LDAP. But that's not what we want. We want users (some of whom use SAMBA and some of whom do not) to have a single place to change their password. The users are all KDE. Changing their passwords in the KDE control module for security changes everything brilliantly EXCEPT SAMBA.

How do we make password changes executed by the users or by the LDAP admin in idm-console propagate to the SAMBA password attributes? Thanks - John
--
John A.
Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From jsullivan at opensourcedevel.com Wed May 13 19:13:19 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Wed, 13 May 2009 15:13:19 -0400 Subject: [389-users] LDAP to samba password synchronization In-Reply-To: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net> References: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote: > Hello, all. Several hours of googling and testing have not solved my > problem. We are using Directory Server as our authentication mechanism > for as much as possible in our environment. So far, we have integrated > all our Linux servers, synchronized with AD, and are using it for > Zimbra. > > We have just implemented a standalone SAMBA server and are having > trouble synchronizing passwords. I see plenty of examples of how to > have changes made using smbpasswd passed to the posix password in LDAP. > But that's not what we want. We want users (some of whom use SAMBA and > some of whom do not) to have a single place to change their password. > The users are all KDE. Changing their passwords in the KDE control > module for security changes everything brilliantly EXCEPT SAMBA. > > How do we make password changes executed by the users or by the LDAP > admin in idm-console propagate to the SAMBA password attributes? 
Thanks > - John I forgot to mention, we did change pam as follows: password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_smbpass.so use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so However, I would think this would affect password changes made only on the SAMBA server itself and not changes made by users at their desktops and reflected through to Linux. We really need changes made in LDAP from wherever they are made to affect the SAMBA password attributes in Linux. Is that possible? If so, how? Thanks - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From rmeggins at redhat.com Wed May 13 19:37:33 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 13 May 2009 13:37:33 -0600 Subject: [389-users] LDAP to samba password synchronization In-Reply-To: <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> References: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net> <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4A0B217D.5050904@redhat.com> John A. Sullivan III wrote: > On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote: > >> Hello, all. Several hours of googling and testing have not solved my >> problem. We are using Directory Server as our authentication mechanism >> for as much as possible in our environment. So far, we have integrated >> all our Linux servers, synchronized with AD, and are using it for >> Zimbra. >> >> We have just implemented a standalone SAMBA server and are having >> trouble synchronizing passwords. I see plenty of examples of how to >> have changes made using smbpasswd passed to the posix password in LDAP. >> But that's not what we want. 
We want users (some of whom use SAMBA and >> some of whom do not) to have a single place to change their password. >> The users are all KDE. Changing their passwords in the KDE control >> module for security changes everything brilliantly EXCEPT SAMBA. >> >> How do we make password changes executed by the users or by the LDAP >> admin in idm-console propagate to the SAMBA password attributes? Thanks >> - John >> > I forgot to mention, we did change pam as follows: > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_smbpass.so use_authtok > password sufficient pam_ldap.so use_authtok > password required pam_deny.so > > However, I would think this would affect password changes made only on > the SAMBA server itself and not changes made by users at their desktops > and reflected through to Linux. We really need changes made in LDAP > from wherever they are made to affect the SAMBA password attributes in > Linux. Is that possible? If so, how? Thanks - John > freeIPA has a password plugin for 389 that syncs userPassword with the samba password hashes and vice versa (and kerberos too). -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From jsullivan at opensourcedevel.com Wed May 13 19:47:13 2009 From: jsullivan at opensourcedevel.com (John A. Sullivan III) Date: Wed, 13 May 2009 15:47:13 -0400 Subject: [389-users] LDAP to samba password synchronization In-Reply-To: <4A0B217D.5050904@redhat.com> References: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net> <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> <4A0B217D.5050904@redhat.com> Message-ID: <1242244033.6380.13.camel@jaspav.missionsit.net.missionsit.net> On Wed, 2009-05-13 at 13:37 -0600, Rich Megginson wrote: > John A. 
Sullivan III wrote: > > On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote: > > > >> Hello, all. Several hours of googling and testing have not solved my > >> problem. We are using Directory Server as our authentication mechanism > >> for as much as possible in our environment. So far, we have integrated > >> all our Linux servers, synchronized with AD, and are using it for > >> Zimbra. > >> > >> We have just implemented a standalone SAMBA server and are having > >> trouble synchronizing passwords. I see plenty of examples of how to > >> have changes made using smbpasswd passed to the posix password in LDAP. > >> But that's not what we want. We want users (some of whom use SAMBA and > >> some of whom do not) to have a single place to change their password. > >> The users are all KDE. Changing their passwords in the KDE control > >> module for security changes everything brilliantly EXCEPT SAMBA. > >> > >> How do we make password changes executed by the users or by the LDAP > >> admin in idm-console propagate to the SAMBA password attributes? Thanks > >> - John > >> > > I forgot to mention, we did change pam as follows: > > > > password requisite pam_cracklib.so try_first_pass retry=3 > > password sufficient pam_unix.so md5 shadow nullok try_first_pass > > use_authtok > > password sufficient pam_smbpass.so use_authtok > > password sufficient pam_ldap.so use_authtok > > password required pam_deny.so > > > > However, I would think this would affect password changes made only on > > the SAMBA server itself and not changes made by users at their desktops > > and reflected through to Linux. We really need changes made in LDAP > > from wherever they are made to affect the SAMBA password attributes in > > Linux. Is that possible? If so, how? Thanks - John > > > freeIPA has a password plugin for 389 that syncs userPassword with the > samba password hashes and vice versa (and kerberos too). 
I'm very interested in implementing freeIPA as it matures and as we have some breathing room after our initial product rollout. Is there any way to do this without researching and deploying a new product? Anything either built into 389 or PAM? Thanks - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society From rmeggins at redhat.com Wed May 13 19:50:56 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 13 May 2009 13:50:56 -0600 Subject: [389-users] LDAP to samba password synchronization In-Reply-To: <1242244033.6380.13.camel@jaspav.missionsit.net.missionsit.net> References: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net> <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> <4A0B217D.5050904@redhat.com> <1242244033.6380.13.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <4A0B24A0.1050401@redhat.com> John A. Sullivan III wrote: > On Wed, 2009-05-13 at 13:37 -0600, Rich Megginson wrote: > >> John A. Sullivan III wrote: >> >>> On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote: >>> >>> >>>> Hello, all. Several hours of googling and testing have not solved my >>>> problem. We are using Directory Server as our authentication mechanism >>>> for as much as possible in our environment. So far, we have integrated >>>> all our Linux servers, synchronized with AD, and are using it for >>>> Zimbra. >>>> >>>> We have just implemented a standalone SAMBA server and are having >>>> trouble synchronizing passwords. I see plenty of examples of how to >>>> have changes made using smbpasswd passed to the posix password in LDAP. >>>> But that's not what we want. We want users (some of whom use SAMBA and >>>> some of whom do not) to have a single place to change their password. >>>> The users are all KDE. 
>>>> Changing their passwords in the KDE control
>>>> module for security changes everything brilliantly EXCEPT SAMBA.
>>>>
>>>> How do we make password changes executed by the users or by the LDAP
>>>> admin in idm-console propagate to the SAMBA password attributes? Thanks
>>>> - John
>>>>
>>>>
>>> I forgot to mention, we did change pam as follows:
>>>
>>> password requisite pam_cracklib.so try_first_pass retry=3
>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass
>>> use_authtok
>>> password sufficient pam_smbpass.so use_authtok
>>> password sufficient pam_ldap.so use_authtok
>>> password required pam_deny.so
>>>
>>> However, I would think this would affect password changes made only on
>>> the SAMBA server itself and not changes made by users at their desktops
>>> and reflected through to Linux. We really need changes made in LDAP
>>> from wherever they are made to affect the SAMBA password attributes in
>>> Linux. Is that possible? If so, how? Thanks - John
>>>
>>>
>> freeIPA has a password plugin for 389 that syncs userPassword with the
>> samba password hashes and vice versa (and kerberos too).
>>
> I'm very interested in implementing freeIPA as it matures and as we have
> some breathing room after our initial product rollout. Is there any way
> to do this without researching and deploying a new product? Anything
> either built into 389 or PAM?
No, not afaik.
> Thanks - John
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From xkyanh at gmail.com Thu May 14 09:11:03 2009
From: xkyanh at gmail.com (Kỳ Anh, Huỳnh)
Date: Thu, 14 May 2009 16:11:03 +0700
Subject: [389-users] what are components of FDS?
Message-ID: <20090514161103.24dff04e@icy>

Hi all,

I am going to install FDS on a FreeBSD jail.
This means that FDS will use FC8 compatibility mode which provided by FreeBSD 7.2. I downloaded the binary version of FDS 1.04 (fedora-ds-1.0.4-1.FC6.i386.opt.rpm) and my initial installation worked perfectly. This is only a *test* and now I'd like to install the latest version of FDS. I searched at http://directory.fedoraproject.org/yum/dirsrv/fedora/ but there were so many packages that made me confused. I'd like to know: (1) what are components of FDS 1.2.0 and what files should I download to get FDS worked in FC8? (If FDS binaries work on FC8 they should work on a FreeBSD jail ;) (2) is it necessary to start the web interface of FDS? I just like to setup a LDAP database and then run all from command lines without touching the web browsers (yes I hate GUI). If this is the case I will run only FDS service and have nothing to do with Apache/Java requirements of FDS. In fact I don't want to install any web servers on my FDS server. Your helps are highly appreciated. And if you have ever experienced FDS on FreeBSD please give me some advices! Regards, -- Ky Anh, Huynh Homepage: http://viettug.org/ From yersinia.spiros at gmail.com Thu May 14 12:13:17 2009 From: yersinia.spiros at gmail.com (yersinia) Date: Thu, 14 May 2009 14:13:17 +0200 Subject: [389-users] LDAP to samba password synchronization In-Reply-To: <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> References: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net> <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> Message-ID: On Wed, May 13, 2009 at 9:13 PM, John A. Sullivan III < jsullivan at opensourcedevel.com> wrote: > On Wed, 2009-05-13 at 15:06 -0400, John A. Sullivan III wrote: > > Hello, all. Several hours of googling and testing have not solved my > > problem. We are using Directory Server as our authentication mechanism > > for as much as possible in our environment. 
> > So far, we have integrated
> > all our Linux servers, synchronized with AD, and are using it for
> > Zimbra.
> >
> > We have just implemented a standalone SAMBA server and are having
> > trouble synchronizing passwords. I see plenty of examples of how to
> > have changes made using smbpasswd passed to the posix password in LDAP.
> > But that's not what we want. We want users (some of whom use SAMBA and
> > some of whom do not) to have a single place to change their password.
> > The users are all KDE. Changing their passwords in the KDE control
> > module for security changes everything brilliantly EXCEPT SAMBA.
> >
> > How do we make password changes executed by the users or by the LDAP
> > admin in idm-console propagate to the SAMBA password attributes? Thanks
> > - John
>
See if the attached program smbpasswd-sync.pl can help. I use it for a similar purpose against a Tivoli Directory Server. Do perldoc smbpasswd-sync.pl for the intended usage.

hth
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbpasswd-sync.pl
Type: application/octet-stream
Size: 9160 bytes
Desc: not available
URL:

From vu at sivell.com Thu May 14 15:17:49 2009
From: vu at sivell.com (vu pham)
Date: Thu, 14 May 2009 10:17:49 -0500
Subject: [389-users] domain vs organizationalUnit+dcObject
Message-ID: <4A0C361D.9010905@sivell.com>

Trying to practise with LDAP, I changed the top ldif entry (top container) from "domain" to organizationalUnit+dcObject as follows:

1. Using objectclass domain:

dn: dc=xen2vm1,dc=example,dc=com
objectClass: top
objectClass: domain
dc: xen2vm1
[... other entries ... for users ]

2. Using objectclass organizationalUnit:

dn: dc=xen2vm1,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
objectclass: dcObject
ou: xen2vm1.example.com
dc: xen2vm1
[... other entries ...
for users ]

In both cases, the other entries below dc=xen2vm1,dc=example,dc=com are the same.

In the first case, the command "ldapsearch -x -b dc=xen2vm1,dc=example,dc=com -h xen2vm1.example.com" returns all the other entries.
In the second case the above command returns no errors and nothing at all.

I am new to LDAP and cannot figure out what's wrong with the 2nd case. Any advice is greatly appreciated.

Vu

From gene.poole at macys.com Thu May 14 16:31:47 2009
From: gene.poole at macys.com (Gene Poole)
Date: Thu, 14 May 2009 12:31:47 -0400
Subject: [389-users] HOWTO For A Newbie
Message-ID:

Does anyone know of a howto for FDS where it's a new installation and you're not migrating from any existing platform? In other words, a how to from the very beginning?

Thanks,
Gene Poole
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jfenal at gmail.com Thu May 14 18:41:23 2009
From: jfenal at gmail.com (Jérôme Fenal)
Date: Thu, 14 May 2009 20:41:23 +0200
Subject: [389-users] HOWTO For A Newbie
In-Reply-To:
References:
Message-ID: <40a14bc10905141141g72ef0944j726cdac2b4cd4e9b@mail.gmail.com>

2009/5/14 Gene Poole :
> Does anyone know of a howto for FDS where it's a new installation and you're
> not migrating from any existing platform? In other words, a how to from the
> very beginning?

Hi,

What do you want to achieve ?

Regards,

J.
--
Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
Paris.pm - http://paris.mongueurs.net/

From kwan.lowe at gmail.com Thu May 14 21:27:10 2009
From: kwan.lowe at gmail.com (Kwan Lowe)
Date: Thu, 14 May 2009 17:27:10 -0400
Subject: [389-users] HOWTO For A Newbie
In-Reply-To:
References:
Message-ID:

On Thu, May 14, 2009 at 12:31 PM, Gene Poole wrote:
> Does anyone know of a howto for FDS where it's a new installation and you're
> not migrating from any existing platform? In other words, a how to from the
> very beginning?
>
There's one on HOWTOFORGE.
However, the directory setup for a generic Linux authentication server is quite trivial. In a nutshell: yum -y install centos-ds Create an unprivileged LDAP user: useradd -g 1500 -c "Directory Server" dirsrv Run the setup script: setup-ds-admin.pl Choose the "Typical" setup. Accept just about all defaults. When prompted for the user to run as, enter dirsrv above (you can use nobody but I prefer to create an account first). Make note of the admin and server manager accounts. Once complete, run the "centos-idm-console" to launch the GUI. Login as "cn=Directory Manager" and use the password you provided in the setup. Use localhost:9830 for the port. Once logged in you can create a user. Make sure to enable the corresponding Posix entries. Client configuration on RedHat based distros is done with authconfig-tui. I'm actually prepping a short talk for my local Linux LUG on this topic for tonight. I'll send you the notes when I'm done if you'd like. From david.donnan at thalesgroup.com Fri May 15 11:06:32 2009 From: david.donnan at thalesgroup.com (David (Dave) Donnan) Date: Fri, 15 May 2009 13:06:32 +0200 Subject: [389-users] Changed hostname of machine. FDS Admin Server FAILS to start: Could not reliably determine the server's fully qualified domain name Message-ID: <4A0D4CB8.4060002@thalesgroup.com> Hello everybody and thanks for the continued support. It's incredible. 
I thought I'd be clever and installed my FDS on a machine with a hostname of localhost.localdomain

When I rename it to its proper hostname, a.b.c, the admin server FAILS when I start it:

./dirsrv-admin start
Starting dirsrv-admin:
httpd.worker: apr_sockaddr_info_get() failed for a.b.c
httpd.worker: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [FAILED]

Honestly, I've tried everything I can think of, for example:

- hacking /etc/init.d/dirsrv-admin
- hacking /etc/dirsrv/admin-serv/httpd.conf specifically the variable: ServerName a.b.c:390
- hacking /usr/sbin/start-ds-admin
...

Q1. Can anyone recommend a solution ?

Thanks, Dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From per at norhex.com Fri May 15 11:25:23 2009
From: per at norhex.com (Per Qvindesland)
Date: Fri, 15 May 2009 13:25:23 +0200
Subject: [389-users] Changed hostname of machine. FDS Admin Server FAILS to start: Could not reliably determine the server's fully qualified domain name
Message-ID: <20090515112523.9040.1876760894.swift@webmail.norhex.com>

Check your /etc/hosts file and make sure that it says the correct ip address and hostname

Per

--- Original message follows ---
SUBJECT: [389-users] Changed hostname of machine. FDS Admin Server FAILS to start: Could not reliably determine the server's fully qualified domain name
FROM: "David (Dave) Donnan"
TO: "Fedora-directory-users at redhat.com"
DATE: 15-05-2009 13:06

Hello everybody and thanks for the continued support. It's incredible.
I thought I'd be clever and installed my FDS on a machine with a hostname of localhost.localdomain

When I rename it to its proper hostname, a.b.c, the admin server FAILS when I start it:

./dirsrv-admin start
Starting dirsrv-admin:
httpd.worker: apr_sockaddr_info_get() failed for a.b.c
httpd.worker: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [FAILED]

Honestly, I've tried everything I can think of, for example:

- hacking /etc/init.d/dirsrv-admin
- hacking /etc/dirsrv/admin-serv/httpd.conf specifically the variable: ServerName a.b.c:390
- hacking /usr/sbin/start-ds-admin
...

Q1. Can anyone recommend a solution ?

Thanks, Dave
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From david.donnan at thalesgroup.com Fri May 15 12:32:24 2009
From: david.donnan at thalesgroup.com (David (Dave) Donnan)
Date: Fri, 15 May 2009 14:32:24 +0200
Subject: [389-users] Changed hostname of machine. FDS Admin Server FAILS to start: I forgot to edit /etc/hosts as well
In-Reply-To: <20090515112523.9040.1876760894.swift@webmail.norhex.com>
References: <20090515112523.9040.1876760894.swift@webmail.norhex.com>
Message-ID: <4A0D60D8.5030207@thalesgroup.com>

Per you are sooo right.

Silly me, I was changing /etc/sysconfig/network, rebooting, and not even thinking about the /etc/hosts file.

Egg on my face!

Have a nice weekend, Dave
-------

Per Qvindesland wrote:
> Check your /etc/hosts file and make sure that it says the correct ip
> address and hostname
>
> Per
>
> --- Original message follows ---
> *Subject: *[389-users] Changed hostname of machine.
FDS Admin > Server FAILS to start: Could not reliably determine the server's > fully qualified domain name > *From: *"David (Dave) Donnan" > *To: *"Fedora-directory-users at redhat.com" > > *Date: *15-05-2009 13:06 > > > Hello everybody and thanks for the continued support. It's incredible. > > I thought I'd be clever and installed my FDS on a machine with a > hostname of localhost.localdomain > > When I rename it to it's proper hostname, a.b.c, the admin server > FAILS when I start it: > > ./dirsrv-admin start > Starting dirsrv-admin: > httpd.worker: apr_sockaddr_info_get() failed for a.b.c > httpd.worker: Could not reliably determine the server's > fully qualified domain name, using 127.0.0.1 for ServerName > > [FAILED] > > Honestly, I've tried everything I can think of, for example: > > - hacking /etc/init.d/dirsrv-admin > - hacking /etc/dirsrv/admin-serv/httpd.conf specifically the > variable: ServerName a.b.c:390 > - hacking /usr/sbin/start-ds-admin > ... > > Q1. Can anyone recommend a solution ? > > Thanks, Dave > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Fri May 15 17:00:15 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 15 May 2009 11:00:15 -0600 Subject: [389-users] what are components of FDS? In-Reply-To: <20090514161103.24dff04e@icy> References: <20090514161103.24dff04e@icy> Message-ID: <4A0D9F9F.2000605@redhat.com> Ky` Anh, Huy`nh wrote: > Hi all, > > I am going to install FDS on a FreeBSD jail. This means that FDS will use FC8 compatibility mode which provided by FreeBSD 7.2. I downloaded the binary version of FDS 1.04 (fedora-ds-1.0.4-1.FC6.i386.opt.rpm) and my initial installation worked perfectly. This is only a *test* and now I'd like to install the latest version of FDS. 
> I searched at
>
> http://directory.fedoraproject.org/yum/dirsrv/fedora/
>
> but there were so many packages that made me confused. I'd like to know:
>
> (1) what are the components of FDS 1.2.0 and what files should I download to get FDS working in FC8? (If FDS binaries work on FC8 they should work on a FreeBSD jail ;)
>
> (2) is it necessary to start the web interface of FDS? I just like to set up an LDAP database and then run all from command lines without touching the web browsers (yes I hate GUI). If this is the case I will run only the FDS service and have nothing to do with the Apache/Java requirements of FDS. In fact I don't want to install any web servers on my FDS server.
>
> Your help is highly appreciated. And if you have ever experienced FDS on FreeBSD please give me some advice!
>
> Regards,
>

fedora-ds-base - core directory server, no UI, no admin server - if you don't care about admin server or console, you can just install this
adminutil - utility libraries used by admin server, dsgw
fedora-ds-admin - admin server, limited web UI
idm-console-framework - core console code
fedora-idm-console - the "fedora-idm-console" shell script, and the fedora console "skin"
fedora-ds-console - the directory server specific console jars
fedora-ds-admin-console - the admin server specific console jars
fedora-ds-dsgw - simple web based phonebook, user/group editor, org chart apps

From emmanuel.billot at ird.fr Sun May 17 19:25:36 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Sun, 17 May 2009 21:25:36 +0200
Subject: [389-users] FDS cert check
Message-ID: <4A1064B0.9010202@ird.fr>

Hi,

I posted a question a few weeks ago about cert recognition when replication begins. Indeed it seems that FDS works on SSL when replicating with "fake certs".
Ex: ldap1 replicates with ldap2 on 636 with SSL. Actually the cert used by ldap2 to encrypt data must contain the ldap2 DNS name. However, replication works even if the DNS name contained in the cert does not correspond with the host. This particular feature is also present on S1DS. So I thought there is a mistake in our configuration...

Is there any option that enforces the DNS check on replication?

BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Sun May 17 19:30:03 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Sun, 17 May 2009 21:30:03 +0200
Subject: [389-users] Replication failure
In-Reply-To: <4A0AEC87.2050408@redhat.com>
References: <8304_1242226289_4A0ADE70_8304_2283_1_4A0ADE55.2020808@ird.fr> <4A0AE1A2.9030102@ird.fr> <4A0AEC87.2050408@redhat.com>
Message-ID: <4A1065BB.6030100@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> There is a strange behaviour on our FDS servers...
>>> We want to replicate a 12000 entries database between 2 FDS. At the
>>> replication agreement end, we've got an "Unwilling to perform" with "
>>> [13/May/2009:00:19:56 +0200] NS7bitAttr - ADD begin
>>> [13/May/2009:00:19:56 +0200] NS7bitAttr - ADD target=cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config
>>> [13/May/2009:00:19:56 +0200] NSMMReplicationPlugin - agmtlist_add_callback: Can't start agreement "cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config"
>>> "
>>> in the log...
>>>
>>> When the database is empty, the replication agreement creation works !!!
>>>
>>> How is it possible ?
>>>
>> Correction, even if the db is empty it fails.
>> How can I have other detailed logs ? Level is "replication" now.
> Looks like you also have plugin level logging on too - NS7bitAttr
> messages
>
> Can you post the exact command you are using to add the agreement, and
> the relevant excerpts from the access log showing the add attempt and
> result?

The replication agreement was built with the GUI as we usually do.

I resolved this pb with:
- delete/recreate master suffix
- delete/recreate replica suffix

However it does not give me any answer. Never mind.

BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Sun May 17 19:34:02 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Sun, 17 May 2009 21:34:02 +0200
Subject: [389-users] cert and key database failure
In-Reply-To: <4A0AEC9E.6010201@redhat.com>
References: <4A0A997E.4050302@ird.fr> <4A0AEC9E.6010201@redhat.com>
Message-ID: <4A1066AA.6070700@ird.fr>

Rich Megginson wrote:
> Emmanuel BILLOT wrote:
>> Hi,
>>
>> The cert.db and key.db files seem to be corrupted.
>> In the GUI, we can see 3 certificates, one is cloned, one is valid. The
>> "detail" option does not work on the cloned one, with a failure
>> message.
>>
>> We tried to manipulate the db with certutil :
>>
>> certutil -L -d ......
>> Certificate Name                         Trust Attributes
>>
>> server-cert                              u,,
>> IRDNEW                                   u,pu,u
>> IRDNEW                                   u,pu,u
>> IRD - IRD                                CT,,
>>
>> p    Valid peer
>> P    Trusted peer (implies p)
>> c    Valid CA
>> T    Trusted CA to issue client certs (implies c)
>> C    Trusted CA to certs(only server certs for ssl) (implies c)
>> u    User cert
>> w    Send warning
>>
>>
>> We tried to delete the cloned one but here is a new error message :
>>
>> certutil: could not find certificate named "IRDNEW": security
>> library: bad database.
>>
>> What is the pb ?
> Can you post the exact certutil command line you're using?
>>

certutil -L -d /etc/dirsrv/slapd-xxx -P slapd-xxx-
for certs database listing (gives a "good" result)

certutil -D -d /etc/dirsrv/slapd-xxx -P slapd-xxx- -n "IRDNEW"
for deleting a cert instance

certs are p12 files generated with openssl.

The only way we found was deleting/recreating the database with the cert sources.

BR,

>> BR,
>>
>

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
==========================================

From priscilla.lanne at gmail.com Mon May 18 13:04:35 2009
From: priscilla.lanne at gmail.com (Priscilla Leao)
Date: Mon, 18 May 2009 10:04:35 -0300
Subject: [389-users] Re: [Fedora-directory-users] FDS 1.2 - error when reinitialized dirsrv after the replication
In-Reply-To: <4A049B7E.2000100@redhat.com>
References: <5472c4a20905071141i6a4cackdc3442cc75d1770a@mail.gmail.com> <4A049B7E.2000100@redhat.com>
Message-ID: <5472c4a20905180604o47fc4bf9jaf6c5cddab52196d@mail.gmail.com>

Rich,

After some tests, we discovered that the problem occurs when there is a view object (objectclass = nsview) on the directory.
If we create a base that contains only groups and users, the error message doesn't exist, but if we create a view object, the message appears. The same error message occurs when we replicate a database that has views. It's important to observe that the view is working correctly. This situation started with the FDS 1.2 version. If we use the FDS 1.1.3 version, that's all ok.

Thanks,
Priscilla Lanne

2009/5/8 Rich Megginson
> Priscilla Leao wrote:
>
>> Hi, everyone!
>>
>> When our FDS 1.2 server (consumer replica) receives the replica database
>> and after the dirsrv service is reinitialized the following error message
>> happens:
>>
>> "memory allocator - cannot calloc 0 elements;trying to allocate 0 or a
>> negative number of elements is not portable and gives different results on
>> different platforms."
>>
>> This server is a debian lenny and the FDS deb packages were generated
>> using the default options based on the "
>> http://directory.fedoraproject.org/wiki/Howto:BuildonEtch" document, but
>> using the more recent packages on the
>> http://directory.fedoraproject.org/sources/.
>>
>> Any idea about this problem?
>>
> Has anyone seen this problem on Fedora/EL?
>
>>
>> Regards,
>> Priscilla Lanne
>>

From ninjazjb at gmail.com Mon May 18 15:05:24 2009
From: ninjazjb at gmail.com (Jason Brown)
Date: Mon, 18 May 2009 11:05:24 -0400
Subject: [389-users] FDS Groups
Message-ID:

I am having an issue with the groups that I set up on FDS.
On a few servers the groups show up just fine, however on other servers they do not show up at all. For instance, user1 logs in and types 'groups' or 'id' and their primary group along with the supplementary groups show up. However, if user1 logs into a different server only their primary group shows up. Both servers have the exact same ldap.conf and there is only one FDS which they use.

From rmeggins at redhat.com Mon May 18 15:55:54 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 18 May 2009 09:55:54 -0600
Subject: [389-users] Re: [Fedora-directory-users] FDS 1.2 - error when reinitialized dirsrv after the replication
In-Reply-To: <5472c4a20905180604o47fc4bf9jaf6c5cddab52196d@mail.gmail.com>
References: <5472c4a20905071141i6a4cackdc3442cc75d1770a@mail.gmail.com> <4A049B7E.2000100@redhat.com> <5472c4a20905180604o47fc4bf9jaf6c5cddab52196d@mail.gmail.com>
Message-ID: <4A11850A.2050902@redhat.com>

Priscilla Leao wrote:
> Rich,
>
> After some tests, we discovered that the problem occurs when there is
> a view object (objectclass = nsview) on the directory. If we create a
> base that contains only groups and users, the error message doesn't
> exist, but if we create a view object, the message appears. The same
> error message occurs when we replicate a database that has views. It's
> important to observe that the view is working correctly. This
> situation started with the FDS 1.2 version. If we use the FDS 1.1.3
> version, that's all ok.

Thanks. Please file a bug at https://bugzilla.redhat.com/enter_bug.cgi?product=389 with the information about your platform and steps to reproduce.

>
> Thanks,
> Priscilla Lanne
>
>
> 2009/5/8 Rich Megginson
>
>     Priscilla Leao wrote:
>
>         Hi, everyone!
>
>         When our FDS 1.2 server (consumer replica) receives the
>         replica database and after the dirsrv service is reinitialized
>         the following error message happens:
>
>         "memory allocator - cannot calloc 0 elements;trying to
>         allocate 0 or a negative number of elements is not portable
>         and gives different results on different platforms."
>
>         This server is a debian lenny and the FDS deb packages were
>         generated using the default options based on the
>         "http://directory.fedoraproject.org/wiki/Howto:BuildonEtch"
>         document, but using the more recent packages on the
>         http://directory.fedoraproject.org/sources/.
>
>         Any idea about this problem?
>
>     Has anyone seen this problem on Fedora/EL?
>
>
>         Regards,
>         Priscilla Lanne
>

From amirov at infinet.ru Tue May 19 04:31:14 2009
From: amirov at infinet.ru (Dmitry Amirov)
Date: Tue, 19 May 2009 10:31:14 +0600
Subject: [389-users] DNA not working?
Message-ID: <4A123612.9030500@infinet.ru>

Hello.

I have a problem with the DNA plugin.
I have installed it in accordance with the documentation and have done:

1)
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

2)
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=People, dc=aqua
dnanextvalue: 1
dnaMaxValue: 1300
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=aqua
dnathreshold: 100
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic

After that the server was restarted and I tried to add a new posixAccount entry.

dn: uid=jsmith, ou=people,dc=aqua
objectClass: top
objectClass: person
objectClass: posixAccount
uid: jsmith
cn: John Smith
sn: Smith
homeDirectory: /home/smith
gidNumber: 123

So, DNA is not working, with this error:

adding new entry uid=jsmith, ou=people,dc=aqua
ldap_add: Object class violation
ldap_add: additional info: missing attribute "uidNumber" required by object class "posixAccount"

Please help with DNA. It's very important for me. Now I am using clean openldap+smbldap-tools, but I want to migrate to FDS.

Thanks a lot.

From rcritten at redhat.com Tue May 19 13:24:08 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 09:24:08 -0400
Subject: [389-users] DNA not working?
In-Reply-To: <4A123612.9030500@infinet.ru>
References: <4A123612.9030500@infinet.ru>
Message-ID: <4A12B2F8.3030203@redhat.com>

Dmitry Amirov wrote:
> Hello.
>
> I have a problem with the DNA plugin.
> I have installed it in accordance with the documentation and have done:
> 1)
> dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
>
> 2)
> dn: cn=Account UIDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: Account UIDs
> dnatype: uidNumber
> dnafilter: (objectclass=posixAccount)
> dnascope: ou=People, dc=aqua
> dnanextvalue: 1
> dnaMaxValue: 1300
> dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=aqua
> dnathreshold: 100
> dnaRangeRequestTimeout: 60
> dnaMagicRegen: magic
>
> After that the server was restarted and I tried to add a new posixAccount
> entry.
> dn: uid=jsmith, ou=people,dc=aqua
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> uid: jsmith
> cn: John Smith
> sn: Smith
> homeDirectory: /home/smith
> gidNumber: 123
>
> So, DNA is not working, with this error:
> adding new entry uid=jsmith, ou=people,dc=aqua
> ldap_add: Object class violation
> ldap_add: additional info: missing attribute "uidNumber" required by
> object class "posixAccount"
>
> Please help with DNA. It's very important for me. Now I am using clean
> openldap+smbldap-tools, but I want to migrate to FDS.
>
> Thanks a lot.

What version of 389/FDS is this?

My working config looks like:

dn: cn=Posix Accounts,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
cn: Posix Accounts
dnaType: uidNumber
dnaNextValue: 1100
dnaInterval: 1
dnaMaxValue: 10000
dnaMagicRegen: 999
dnaFilter: (objectclass=posixAccount)
dnaScope: dc=example,dc=com

rob
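The two DNA configurations in this thread differ in their attribute sets, and the entry that failed carries no uidNumber at all. The script below is an added example, not code from 389/FDS or from anyone in the thread: it parses the LDIF fragments quoted above, normalises attribute names (LDAP attribute names are case-insensitive), and reports what the plug-in would see for the candidate entry: whether it is under dnaScope, whether it matches dnaFilter, whether the numeric range is sane, whether the managed attribute is present, and which attributes appear in only one of the two configurations. It understands only a single (attr=value) dnaFilter, which is an assumption made here, and it does not claim to know why the add in the thread was rejected.

```python
# Added example, not code from 389/FDS or from this thread: an offline check of a
# DNA plug-in entry against the entry it is expected to number.  It parses the
# LDIF fragments quoted in the thread, normalises attribute names (LDAP attribute
# names are case-insensitive) and reports what the plug-in would see.  Only a
# single (attr=value) dnaFilter is understood; that is an assumption of this example.
import re

def parse_ldif_entry(text):
    """One LDIF entry -> {attribute_lowercase: [values]}; the dn line is kept as an attribute."""
    entry = {}
    for line in text.strip().splitlines():
        if line.strip():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def dn_in_scope(dn, scope):
    """True if dn is the scope entry itself or below it (case and RDN spacing ignored)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    return norm(dn) == norm(scope) or norm(dn).endswith("," + norm(scope))

def filter_matches(filt, entry):
    """Evaluate a simple (attr=value) filter against the entry, case-insensitively."""
    m = re.fullmatch(r"\(\s*([\w;-]+)\s*=\s*([^)]+?)\s*\)", filt)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported: %r" % filt)
    return m.group(2).lower() in [v.lower() for v in entry.get(m.group(1).lower(), [])]

def check_dna(config_ldif, entry_ldif):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cfg, ent = parse_ldif_entry(config_ldif), parse_ldif_entry(entry_ldif)
    required = ["dnatype", "dnafilter", "dnascope", "dnanextvalue", "dnamaxvalue", "dnamagicregen"]
    findings = ["config lacks %s" % a for a in required if a not in cfg]
    if findings:
        return findings
    nxt, mx = int(cfg["dnanextvalue"][0]), int(cfg["dnamaxvalue"][0])
    if nxt > mx:
        findings.append("dnaNextValue %d exceeds dnaMaxValue %d" % (nxt, mx))
    threshold = int(cfg.get("dnathreshold", ["0"])[0])
    if threshold and threshold >= mx - nxt:
        findings.append("dnaThreshold %d is not below the remaining range of %d" % (threshold, mx - nxt))
    if not dn_in_scope(ent["dn"][0], cfg["dnascope"][0]):
        findings.append("entry is outside dnaScope %s" % cfg["dnascope"][0])
    if not filter_matches(cfg["dnafilter"][0], ent):
        findings.append("entry does not match dnaFilter %s" % cfg["dnafilter"][0])
    managed, magic = cfg["dnatype"][0].lower(), cfg["dnamagicregen"][0]
    values = ent.get(managed, [])
    if not values:
        findings.append("entry carries no %s at all; check whether this version assigns on a missing "
                        "attribute or only when it equals dnaMagicRegen %r" % (managed, magic))
    elif magic not in values:
        findings.append("entry sets %s=%s rather than the magic value %r; DNA leaves an explicit value alone"
                        % (managed, values[0], magic))
    return findings

def compare_configs(a_ldif, b_ldif):
    """Attribute names present in only one of two config entries (dn, cn, objectclass ignored)."""
    skip = {"dn", "cn", "objectclass"}
    a, b = set(parse_ldif_entry(a_ldif)) - skip, set(parse_ldif_entry(b_ldif)) - skip
    return sorted(a - b), sorted(b - a)

# The two configuration entries and the new entry exactly as posted in the thread.
POSTED_CONFIG = """\
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=People, dc=aqua
dnanextvalue: 1
dnaMaxValue: 1300
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=aqua
dnathreshold: 100
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
"""
WORKING_CONFIG = """\
dn: cn=Posix Accounts,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
cn: Posix Accounts
dnaType: uidNumber
dnaNextValue: 1100
dnaInterval: 1
dnaMaxValue: 10000
dnaMagicRegen: 999
dnaFilter: (objectclass=posixAccount)
dnaScope: dc=example,dc=com
"""
NEW_ENTRY = """\
dn: uid=jsmith, ou=people,dc=aqua
objectClass: top
objectClass: person
objectClass: posixAccount
uid: jsmith
cn: John Smith
sn: Smith
homeDirectory: /home/smith
gidNumber: 123
"""
```

Running `check_dna(POSTED_CONFIG, NEW_ENTRY)` yields a single finding: the entry is in scope and matches the filter, but carries no uidNumber; appending `uidNumber: magic` to the entry makes the finding list empty. `compare_configs(POSTED_CONFIG, WORKING_CONFIG)` lists dnaRangeRequestTimeout, dnaSharedCfgDN and dnaThreshold as present only in the posted configuration and dnaInterval as present only in Rob's.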
From vu at sivell.com Tue May 19 18:54:34 2009
From: vu at sivell.com (vu pham)
Date: Tue, 19 May 2009 13:54:34 -0500
Subject: [389-users] cmd line for changing password encryption
Message-ID: <4A13006A.5010404@sivell.com>

Using the GUI tool Directory Console, I can change the password encryption from SSHA to other methods such as CRYPT.

How can I do it with the command line ?

Thanks,
Vu

From rmeggins at redhat.com Tue May 19 18:59:28 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 12:59:28 -0600
Subject: [389-users] cmd line for changing password encryption
In-Reply-To: <4A13006A.5010404@sivell.com>
References: <4A13006A.5010404@sivell.com>
Message-ID: <4A130190.8020300@redhat.com>

vu pham wrote:
> Using the GUI tool Directory Console, I can change the password
> encryption from SSHA to other methods such as CRYPT.
>
> How can I do it with the command line ?

See http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy

>
> Thanks,
> Vu

From morenisco at noc-root.net Tue May 19 19:00:12 2009
From: morenisco at noc-root.net (Morenisco)
Date: Tue, 19 May 2009 13:00:12 -0600 (MDT)
Subject: [389-users] I'm going to compile the sources to generate .debs
Message-ID: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com>

Hi,

I want to try compiling the sources to generate .debs for Debian/GNU Linux, just a try...
I would like to avoid using alien, since it could be better to generate .debs from the sources.
Well, I see that the URL to get the sources is the following:

http://directory.fedoraproject.org/sources/

But I'm not sure about what files I need.
I think that I need these files:

389-admin-1.1.7.tar.bz2
389-admin-console-1.1.3.tar.bz2
389-adminutil-1.1.8.tar.bz2
389-console-1.1.3.tar.bz2
389-ds-base-1.2.1.tar.bz2
389-ds-console-1.2.0.tar.bz2
389-dsgw-1.1.2.tar.bz2

Can someone confirm please?

Thanks.

--
Morenisco.
Centro de Difusión de Software Libre.
http://www.cdsl.cl
http://santiago.flisol.cl
http://trabajosfloss.noc-root.net
Blog: http://morenisco.noc-root.net

From rcritten at redhat.com Tue May 19 19:03:14 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 19 May 2009 15:03:14 -0400
Subject: [389-users] I'm going to compile the sources to generate .debs
In-Reply-To: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com>
References: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com>
Message-ID: <4A130272.2020005@redhat.com>

Morenisco wrote:
> Hi,
>
> I want to try compiling the sources to generate .debs for Debian/GNU
> Linux, just a try...
> I would like to avoid using alien, since it could be better to generate .debs
> from the sources.
>
> Well, I see that the URL to get the sources is the following:
>
> http://directory.fedoraproject.org/sources/
>
> But I'm not sure about what files I need.
> I think that I need these files:
>
> 389-admin-1.1.7.tar.bz2
> 389-admin-console-1.1.3.tar.bz2
> 389-adminutil-1.1.8.tar.bz2
> 389-console-1.1.3.tar.bz2
> 389-ds-base-1.2.1.tar.bz2
> 389-ds-console-1.2.0.tar.bz2
> 389-dsgw-1.1.2.tar.bz2
>
> Can someone confirm please?
>

The really tricky part is probably going to be in the dependencies: cyrus-sasl, db4, nss, nspr, netsnmp, mozldap, sasl2 and perhaps a few others. You might want to start with the current spec file to get an idea of what it requires.

rob
From vu at sivell.com Tue May 19 19:09:32 2009
From: vu at sivell.com (vu pham)
Date: Tue, 19 May 2009 14:09:32 -0500
Subject: [389-users] cmd line for changing password encryption
In-Reply-To: <4A130190.8020300@redhat.com>
References: <4A13006A.5010404@sivell.com> <4A130190.8020300@redhat.com>
Message-ID: <4A1303EC.3010008@sivell.com>

Rich Megginson wrote:
> vu pham wrote:
>> Using the GUI tool Directory Console, I can change the password
>> encryption from SSHA to other methods such as CRYPT.
>>
>> How can I do it with the command line ?
> See
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html#User_Account_Management-Managing_the_Password_Policy
>
>>

Thanks a lot, Rich. That's what I looked for.

Vu

From rmeggins at redhat.com Tue May 19 19:21:41 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 13:21:41 -0600
Subject: [389-users] I'm going to compile the sources to generate .debs
In-Reply-To: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com>
References: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com>
Message-ID: <4A1306C5.9040502@redhat.com>

Morenisco wrote:
> Hi,
>
> I want to try compiling the sources to generate .debs for Debian/GNU
> Linux, just a try...
> I would like to avoid using alien, since it could be better to generate .debs
> from the sources.
>
> Well, I see that the URL to get the sources is the following:
>
> http://directory.fedoraproject.org/sources/
>
> But I'm not sure about what files I need.
> I think that I need these files:
>
> 389-admin-1.1.7.tar.bz2
> 389-admin-console-1.1.3.tar.bz2
> 389-adminutil-1.1.8.tar.bz2
> 389-console-1.1.3.tar.bz2
> 389-ds-base-1.2.1.tar.bz2
> 389-ds-console-1.2.0.tar.bz2
> 389-dsgw-1.1.2.tar.bz2
>
> Can someone confirm please?
>
Start with 389-ds-base - here are the BuildRequires from the spec file:

BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: svrcore-devel
BuildRequires: mozldap-devel
BuildRequires: db4-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: icu
BuildRequires: libicu-devel
# The following are needed to build the snmp ldap-agent
BuildRequires: net-snmp-devel
%ifnarch sparc sparc64 ppc ppc64
BuildRequires: lm_sensors-devel
%endif
BuildRequires: bzip2-devel
BuildRequires: zlib-devel
BuildRequires: openssl-devel
BuildRequires: tcp_wrappers
BuildRequires: libselinux-devel
# the following is for the pam passthru auth plug-in
BuildRequires: pam-devel

Most of these are already in debian, although some of them will be named differently. The two notable exceptions are mozldap and svrcore.

perl-Mozilla-LDAP is not a build dependency but you will need this to run setup et al.

> Thanks.
>
>

From blue_moon_ro at yahoo.com Tue May 19 22:53:55 2009
From: blue_moon_ro at yahoo.com (Sebastian Tabarce)
Date: Tue, 19 May 2009 15:53:55 -0700 (PDT)
Subject: [389-users] IP change for FDS
Message-ID: <222147.27594.qm@web36503.mail.mud.yahoo.com>

We will have to change the IP address of our FD server since we will reorganize our network. Is there any trouble to be expected because of the IP change? We will not change the domain name, only the IP address.

Thanks,
Sebastian
From rmeggins at redhat.com Tue May 19 22:57:39 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 16:57:39 -0600
Subject: [389-users] IP change for FDS
In-Reply-To: <222147.27594.qm@web36503.mail.mud.yahoo.com>
References: <222147.27594.qm@web36503.mail.mud.yahoo.com>
Message-ID: <4A133963.4020702@redhat.com>

Sebastian Tabarce wrote:
> We will have to change the IP address of our FD server since we will
> reorganize our network. Is there any trouble to be expected because of
> the IP change? We will not change the domain name, only the IP address.
>
> Thanks,
> Sebastian
>
>
If you don't change your FQDN, and you didn't use your IP address instead of a hostname somewhere, you should be ok.

From per at norhex.com Tue May 19 23:03:14 2009
From: per at norhex.com (Per Qvindesland)
Date: Wed, 20 May 2009 01:03:14 +0200
Subject: [389-users] IP change for FDS
Message-ID: <20090519230314.14265.1879913710.swift@webmail.norhex.com>

Hmm I would go through /etc/hosts and make sure that the new ip matches the name of the machine, but as far as I can think of right now that should be it.

Regards
Per Qvindesland
E-mail: per at norhex.com
http://www.linkedin.com/in/perqvindesland

--- Original message follows ---
SUBJECT: [389-users] IP change for FDS
FROM: Sebastian Tabarce
TO: "fedora-directory-users at redhat.com"
DATE: 20-05-2009 0:53

We will have to change the IP address of our FD server since we will reorganize our network. Is there any trouble to be expected because of the IP change?
We will not change the domain name, only the IP address.

Thanks,
Sebastian

From xkyanh at gmail.com Wed May 20 08:05:43 2009
From: xkyanh at gmail.com (Kỳ Anh, Huỳnh)
Date: Wed, 20 May 2009 15:05:43 +0700
Subject: [389-users] what are components of FDS?
In-Reply-To: <4A0D9F9F.2000605@redhat.com>
References: <20090514161103.24dff04e@icy> <4A0D9F9F.2000605@redhat.com>
Message-ID: <20090520150543.744fdb19@icy>

On Fri, 15 May 2009 11:00:15 -0600
Rich Megginson wrote:

> Kỳ Anh, Huỳnh wrote:
> > Hi all,
> >
> > I am going to install FDS on a FreeBSD jail. This means that FDS
> > will use FC8 compatibility mode which is provided by FreeBSD 7.2. I
> > downloaded the binary version of FDS 1.04
> > (fedora-ds-1.0.4-1.FC6.i386.opt.rpm) and my initial installation
> > worked perfectly. This is only a *test* and now I'd like to
> > install the latest version of FDS. I searched at
> >
> > http://directory.fedoraproject.org/yum/dirsrv/fedora/
> >
> > but there were so many packages that made me confused. I'd like
> > to know:
> >
> > (1) what are the components of FDS 1.2.0 and what files should I
> > download to get FDS working in FC8? (If FDS binaries work on FC8
> > they should work on a FreeBSD jail ;)
> >
> > (2) is it necessary to start the web interface of FDS? I just
> > like to set up an LDAP database and then run all from command lines
> > without touching the web browsers (yes I hate GUI). If this is
> > the case I will run only the FDS service and have nothing to do with
> > the Apache/Java requirements of FDS. In fact I don't want to install
> > any web servers on my FDS server.
> >
> > Your help is highly appreciated.
> > And if you have ever
> > experienced FDS on FreeBSD please give me some advice!
> >
> fedora-ds-base - core directory server, no UI, no admin server - if
> you don't care about admin server or console, you can just install
> this

Thank you, Rich. I've built `fedora-ds-base` successfully on FC8. Then I moved all built files to my FreeBSD machine to test. You can read some details at http://forums.freebsd.org/showthread.php?p=24826#post24826.

After chroot-ing to Linux inside FreeBSD I ran `setup-ds.pl` to create the first instance of FDS. The script worked very well but it could not start the service, as below.

/==============================================================================
$ uname -s
FreeBSD
$ chroot /home/fc8/ /bin/bash
#
# now i'm in Linux mode
# /opt/fedora-ds/sbin/ns-slapd \
    -d 9 \
    -D /opt/fedora-ds/etc/dirsrv/slapd-fds2 \
    -i /opt/fedora-ds/var/run/dirsrv/slapd-fds2.pid \
    -w /opt/fedora-ds/var/run/dirsrv/slapd-fds2.startpid
....
[20/May/2009:13:35:18 +0700] - Fedora-Directory/1.2.0 B2009.139.99 starting up
[20/May/2009:13:35:18 +0700] - Failed to create semaphore for stats file (/opt/fedora-ds/var/run/dirsrv/slapd-fds2.stats). Error 38.(Function not implemented)
\==============================================================================

FDS tried to create the stats file but failed to do that. So it stopped working. Is there anyone who has experienced this problem?

Regards,

--
Ky Anh, Huynh
Homepage: http://viettug.org/

From david.donnan at thalesgroup.com Wed May 20 08:21:02 2009
From: david.donnan at thalesgroup.com (David (Dave) Donnan)
Date: Wed, 20 May 2009 10:21:02 +0200
Subject: [389-users] IP change for FDS install as localhost.localdomain for a generic installation ?
In-Reply-To: <20090519230314.14265.1879913710.swift@webmail.norhex.com>
References: <20090519230314.14265.1879913710.swift@webmail.norhex.com>
Message-ID: <4A13BD6E.8040300@thalesgroup.com>

Something relevant from the pki-users-bounces at redhat.com mailing list.
You may want to consider it for the future:

< I happened to have created one on a fc8 myself for the purpose of traveling.
<
< I have in my /etc/hosts file: 127.0.0.1 localhost.localdomain localhost localhost
< and in /etc/nsswitch.conf: hosts: files dns
< I do the following before each installation (rpm install or pkicreate)
< root: domainname localdomain
< root: hostname localhost

=> You can then change the hostname, after the fact, and the console can still find instances, etc where the hostname may be hardcoded in the LDAP tree.

General comments ? Do you all approve ?

Regards,

-----------

Per Qvindesland wrote:
> Hmm I would go through /etc/hosts and make sure that the new ip
> matches the name of the machine, but as far as I can think of right now
> that should be it.
>
> Regards
> Per Qvindesland
> E-mail: per at norhex.com
> http://www.linkedin.com/in/perqvindesland
>
> --- Original message follows ---
> *Subject: *[389-users] IP change for FDS
> *From: *Sebastian Tabarce
> *To: *"fedora-directory-users at redhat.com"
> *Date: *20-05-2009 0:53
>
> We will have to change the IP address of our FD server since we
> will reorganize our network. Is there any trouble to be expected
> because of the IP change? We will not change the domain name, only
> the IP address.
>
> Thanks,
> Sebastian
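Both the "Changed hostname of machine" thread above and this IP-change thread come down to the same check: the name in the admin server's ServerName must resolve, through /etc/hosts (with `hosts: files dns`) or DNS, to the address the machine actually has. The script below is an added example, not code from 389/FDS or from anyone in these threads. It parses an /etc/hosts file and an admin-serv httpd.conf fragment and reports the situations the threads describe: a ServerName with no hosts entry (the `apr_sockaddr_info_get() failed for a.b.c` case), a name still pointing at an old address after an IP change, a name that only resolves to loopback, and the generic localhost.localdomain install name. The file contents are constructed for the example; a.b.c and `ServerName a.b.c:390` are the values used in the thread, and 192.0.2.x addresses are from the documentation range.

```python
# Added example, not code from 389/FDS or from anyone in these threads: a
# pre-flight check of the admin server's ServerName against /etc/hosts, the
# pair of settings behind "apr_sockaddr_info_get() failed for a.b.c".  File
# contents below are constructed for the example; a.b.c and ServerName a.b.c:390
# are the names used in the thread.
import re

def parse_hosts(text):
    """Map every hostname or alias in hosts(5) format to its address; first entry wins, as the resolver does."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments, then split on whitespace
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def server_name(httpd_conf):
    """Return (host, port) from the ServerName directive (port None if absent), or None if no directive."""
    m = re.search(r"^\s*ServerName\s+([^\s:]+)(?::(\d+))?\s*$", httpd_conf, re.M)
    if not m:
        return None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def check_server_name(hosts_text, httpd_conf, expected_ip=None):
    """Return a list of findings; an empty list means ServerName resolves to the expected address."""
    parsed = server_name(httpd_conf)
    if parsed is None:
        return ["no ServerName directive found in httpd.conf"]
    host = parsed[0]
    findings = []
    if host == "localhost" or host.endswith(".localdomain"):
        findings.append("ServerName %s is the generic install name; instances created under it "
                        "may carry that name in their configuration" % host)
    addr = parse_hosts(hosts_text).get(host.lower())
    if addr is None:
        findings.append("%s has no /etc/hosts entry; with 'hosts: files dns' only DNS is left to resolve it" % host)
    elif addr.startswith("127."):
        findings.append("%s maps to loopback %s; remote consoles cannot reach it by that name" % (host, addr))
    elif expected_ip and addr != expected_ip:
        findings.append("%s maps to %s but the machine's address is %s (stale entry after an IP change?)"
                        % (host, addr, expected_ip))
    return findings

# Constructed sample files.  HOSTS_BEFORE is the state described in the first
# thread: the host was renamed to a.b.c but /etc/hosts was never updated.
HOSTS_BEFORE = "127.0.0.1   localhost.localdomain localhost\n"
HOSTS_AFTER = HOSTS_BEFORE + "192.0.2.10  a.b.c a\n"          # 192.0.2.0/24 is a documentation range
HTTPD_CONF = "# admin-serv httpd.conf fragment (constructed)\nServerName a.b.c:390\n"

if __name__ == "__main__":
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        print(label, check_server_name(hosts, HTTPD_CONF, expected_ip="192.0.2.10") or ["ok"])
```

With HOSTS_BEFORE the only finding is that a.b.c has no hosts entry, which is the state Dave fixed by editing /etc/h
osts; with HOSTS_AFTER and the matching expected address the list is empty, and passing a different expected address reproduces the stale-entry case Per warns about after an IP change.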
From daniel.cruz at sc.senai.br Wed May 20 12:22:19 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Wed, 20 May 2009 09:22:19 -0300
Subject: [389-users] How to unlock a busy replica
Message-ID: <3bc97f78b05125ba97cd1b37583175e5@intranet.sc.senai.br>

Hi all,

Sometimes our consumer server gets the status "Busy Replica", with only one master.

How can I unlock the Suffix/Database on the consumer server?

I read many pages in the reference and admin manuals, and didn't find anything.

Regards,

--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (extension 1422)

From hartmann at fas.harvard.edu Wed May 20 13:12:01 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Wed, 20 May 2009 09:12:01 -0400
Subject: [389-users] How to unlock a busy replica
In-Reply-To: <3bc97f78b05125ba97cd1b37583175e5@intranet.sc.senai.br>
References: <3bc97f78b05125ba97cd1b37583175e5@intranet.sc.senai.br>
Message-ID: <4A1401A1.80504@fas.harvard.edu>

DANIEL CRISTIAN CRUZ wrote:
>
> Hi all,
>
> Sometimes our consumer server gets the status "Busy Replica", with only
> one master.
>
> How can I unlock the Suffix/Database on the consumer server?
>
> I read many pages in the reference and admin manuals, and didn't find
> anything.
>
> Regards,
>
> Daniel Cristian Cruz
> Database Administrator
> Regional Directorate - Information Technology Center
> SENAI - SC
> Telephone: 48-3239-1422 (ext. 1422)
>

I've also run into this a bit, we monitor our replication with Nagios, and I've gotten a couple of alerts like this:

Replication error: 1 Cant acquire busy replica

Which is cleared by having the affected master send another update, so far I've always done it through the console, but I DID find this script to do it through the CLI:

http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Forcing_Replication_Updates.html

I'd be interested in hearing if anyone else has come across this, and if there are any configuration tweaks that people might suggest to keep us from seeing this error, or maybe even clearing it automatically?

Thanks!

Tim

From daniel.cruz at sc.senai.br Wed May 20 13:21:42 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Wed, 20 May 2009 10:21:42 -0300
Subject: [389-users] How to unlock a busy replica
In-Reply-To: <4A1401A1.80504@fas.harvard.edu>
Message-ID: <00d609f7a34c729aa686e1e2fa11ec29@intranet.sc.senai.br>

When in multi-master, I guess it's normal when one master is updating and another is trying to do the same.

In my case, even when requested from the console in a single master configuration, it doesn't work. It stays with status "Busy Replica".
Regards,

"Tim Hartmann" wrote:
>
> I've also run into this a bit, we monitor our replication with Nagios,
> and I've gotten a couple of alerts like this:
>
> Replication error: 1 Cant acquire busy replica
>
> Which is cleared by having the affected master send another update,
> so far I've always done it through the console, but I DID find this
> script to do it through the CLI:
>
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Forcing_Replication_Updates.html
>
> I'd be interested in hearing if anyone else has come across this, and if
> there are any configuration tweaks that people might suggest to keep us
> from seeing this error, or maybe even clearing it automatically?

--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Telephone: 48-3239-1422 (ext. 1422)

From rmeggins at redhat.com Wed May 20 14:05:31 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 20 May 2009 08:05:31 -0600
Subject: [389-users] How to unlock a busy replica
In-Reply-To: <00d609f7a34c729aa686e1e2fa11ec29@intranet.sc.senai.br>
References: <00d609f7a34c729aa686e1e2fa11ec29@intranet.sc.senai.br>
Message-ID: <4A140E2B.7020409@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> When in multi-master, I guess it's normal when one master is updating and
> another is trying to do the same.
>
Yes.
> In my case, even when requested from the console in a single master
> configuration, it doesn't work. It stays with status "Busy Replica".
>
What platform? What version of DS?
> Regards,
>
> "Tim Hartmann" wrote:
>
>> I've also run into this a bit, we monitor our replication with Nagios,
>> and I've gotten a couple of alerts like this:
>>
>> Replication error: 1 Cant acquire busy replica
>>
>> Which is cleared by having the affected master send another update,
>> so far I've always done it through the console, but I DID find this
>> script to do it through the CLI:
>>
>> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Forcing_Replication_Updates.html
>>
>> I'd be interested in hearing if anyone else has come across this, and if
>> there are any configuration tweaks that people might suggest to keep us
>> from seeing this error, or maybe even clearing it automatically?
>>
>
> --
> Daniel Cristian Cruz
> Database Administrator
> Regional Directorate - Information Technology Center
> SENAI - SC
> Telephone: 48-3239-1422 (ext. 1422)
>

From rmeggins at redhat.com Wed May 20 14:09:48 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 20 May 2009 08:09:48 -0600
Subject: [389-users] what are components of FDS?
In-Reply-To: <20090520150543.744fdb19@icy>
References: <20090514161103.24dff04e@icy> <4A0D9F9F.2000605@redhat.com> <20090520150543.744fdb19@icy>
Message-ID: <4A140F2C.4090608@redhat.com>

Ky` Anh, Huy`nh wrote:
> On Fri, 15 May 2009 11:00:15 -0600
> Rich Megginson wrote:
>
>> Ky` Anh, Huy`nh wrote:
>>
>>> Hi all,
>>>
>>> I am going to install FDS on a FreeBSD jail. This means that FDS
>>> will use the FC8 compatibility mode which is provided by FreeBSD 7.2. I
>>> downloaded the binary version of FDS 1.04
>>> (fedora-ds-1.0.4-1.FC6.i386.opt.rpm) and my initial installation
>>> worked perfectly. This is only a *test* and now I'd like to
>>> install the latest version of FDS. I searched at
>>>
>>> http://directory.fedoraproject.org/yum/dirsrv/fedora/
>>>
>>> but there were so many packages that made me confused. I'd like
>>> to know:
>>>
>>> (1) what are the components of FDS 1.2.0 and what files should I
>>> download to get FDS working on FC8? (If FDS binaries work on FC8
>>> they should work on a FreeBSD jail ;)
>>>
>>> (2) is it necessary to start the web interface of FDS? I just
>>> like to set up an LDAP database and then run all from the command line
>>> without touching the web browsers (yes I hate GUI). If this is
>>> the case I will run only the FDS service and have nothing to do with
>>> the Apache/Java requirements of FDS. In fact I don't want to install
>>> any web servers on my FDS server.
>>>
>>> Your help is highly appreciated. And if you have ever
>>> experienced FDS on FreeBSD please give me some advice!
>>>
>
>> fedora-ds-base - core directory server, no UI, no admin server - if
>> you don't care about admin server or console, you can just install
>> this
>>
>
> Thank you, Rich.
>
> I've built `fedora-ds-base` successfully on FC8. Then I moved all built files to my FreeBSD machine to test. You can read some details at http://forums.freebsd.org/showthread.php?p=24826#post24826.
>
> After chroot-ing to Linux inside FreeBSD I ran `setup-ds.pl` to create the first instance of FDS. The script worked very well but it could not start the service as below.
>
> /==============================================================================
>
> $ uname -s
> FreeBSD
>
> $ chroot /home/fc8/ /bin/bash
>
> # # now i'm in Linux mode
>
> # /opt/fedora-ds/sbin/ns-slapd \
>     -d 9 \
>     -D /opt/fedora-ds/etc/dirsrv/slapd-fds2 \
>     -i /opt/fedora-ds/var/run/dirsrv/slapd-fds2.pid \
>     -w /opt/fedora-ds/var/run/dirsrv/slapd-fds2.startpid
>
> ....
>
> [20/May/2009:13:35:18 +0700] - Fedora-Directory/1.2.0 B2009.139.99 starting up
> [20/May/2009:13:35:18 +0700] - Failed to create semaphore for stats file (/opt/fedora-ds/var/run/dirsrv/slapd-fds2.stats). Error 38.(Function not implemented)
>
> \==============================================================================
>
> FDS tried to create the stats file but it failed to do that. So it stopped working.
>
> Is there anyone who experiences this problem?
>
Yes. I don't know why chroot environments trigger this problem

# in chroot environments, sem_open doesn't work
# gets errno 38 (function not implemented)
# I found some information that says this:
# As sem_open() creates named semaphores, it always tries to share them between processes.
# Additionally, to support sharing named semaphores with sem_open()
# add a line to /etc/fstab to mount /dev/shm as a tmpfs
# tmpfs /dev/shm tmpfs defaults 0 0
# run mount /dev/shm or reboot

NOTE: you have to mount /dev/shm in the same chroot session as the one you run the server in - you cannot do something like chroot "mount /dev/shm" then in another session chroot "start-slapd". The mount does not persist between chroot sessions.

> Regards,
>
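As an added example that is not part of the thread: a small pre-flight check for exactly the failure above. ns-slapd creates its stats semaphore with sem_open(), which needs a tmpfs on /dev/shm, and the mount has to exist in the chroot session that starts the server. The check reads the mounts table (a path you can pass in, defaulting to /proc/mounts) and refuses to proceed when /dev/shm is not a tmpfs, printing the fstab line from the reply. The ns-slapd paths and the instance name slapd-fds2 in the usage comment are the ones quoted in the thread; the mounts-table contents used for testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: run inside the chroot immediately
# before starting ns-slapd. sem_open() needs a tmpfs on /dev/shm, and a mount
# made in one chroot session is not visible in another, so the check and the
# server start belong in the same session.

# shm_is_mounted [MOUNTS_FILE]
# Returns 0 when MOUNTS_FILE (default /proc/mounts, which requires /proc to be
# mounted inside the chroot) lists a tmpfs mounted on /dev/shm, else 1.
# /proc/mounts fields: device mountpoint fstype options dump pass
shm_is_mounted() {
    mounts_file="${1:-/proc/mounts}"
    [ -r "$mounts_file" ] || return 1
    awk '$2 == "/dev/shm" && $3 == "tmpfs" { found = 1 }
         END { exit found ? 0 : 1 }' "$mounts_file"
}

# shm_preflight [MOUNTS_FILE]
# Explains the errno 38 (ENOSYS) failure from the thread before it happens and
# returns 1 so a wrapper script can stop instead of starting the server.
shm_preflight() {
    if shm_is_mounted "$1"; then
        echo "ok: /dev/shm is a tmpfs mount, sem_open() can create the stats semaphore"
        return 0
    fi
    echo "error: /dev/shm is not mounted as tmpfs in this (chroot) session." >&2
    echo "       ns-slapd would fail with 'Failed to create semaphore for stats file ... Error 38'." >&2
    echo "       Fix: add 'tmpfs /dev/shm tmpfs defaults 0 0' to /etc/fstab, then run" >&2
    echo "       'mount /dev/shm' in the same chroot session that starts the server." >&2
    return 1
}

# Typical use inside the chroot (ns-slapd arguments as shown in the thread):
#   shm_preflight && /opt/fedora-ds/sbin/ns-slapd \
#       -D /opt/fedora-ds/etc/dirsrv/slapd-fds2 \
#       -i /opt/fedora-ds/var/run/dirsrv/slapd-fds2.pid \
#       -w /opt/fedora-ds/var/run/dirsrv/slapd-fds2.startpid
case "${1:-}" in
    --check) shm_preflight "${2:-}" ;;
esac
```

Invoked as `sh shm-preflight.sh --check` (script name assumed) it reads /proc/mounts; pass a second argument to check a saved mounts table instead. Because it runs in the same shell session as the server start, a passing check means the mount is the one ns-slapd will actually see.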
From daniel.cruz at sc.senai.br Wed May 20 14:18:53 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Wed, 20 May 2009 11:18:53 -0300
Subject: [389-users] How to unlock a busy replica
In-Reply-To: <4A140E2B.7020409@redhat.com>
Message-ID: <6c57faaff0ec001454741da6fcc77832@intranet.sc.senai.br>

Rich,

Fedora DS 1.1.1 on Red Hat ES 5.

Regards,

"Rich Megginson" wrote:
>> In my case, even when requested from the console in a single master
>> configuration, it doesn't work. It stays with status "Busy Replica".
>>
> What platform? What version of DS?
>> Regards,
>>
>> "Tim Hartmann" wrote:
>>
>>> I've also run into this a bit, we monitor our replication with Nagios,
>>> and I've gotten a couple of alerts like this:
>>>
>>> Replication error: 1 Cant acquire busy replica
>>>
>>> Which is cleared by having the affected master send another update,
>>> so far I've always done it through the console, but I DID find this
>>> script to do it through the CLI:
>>>
>>> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Forcing_Replication_Updates.html
>>>
>>> I'd be interested in hearing if anyone else has come across this, and if
>>> there are any configuration tweaks that people might suggest to keep us
>>> from seeing this error, or maybe even clearing it automatically?
>>>
>>
>> --
>> Daniel Cristian Cruz
>> Database Administrator
>> Regional Directorate - Information Technology Center
>> SENAI - SC
>> Telephone: 48-3239-1422 (ext. 1422)
>>
>
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Telephone: 48-3239-1422 (ext. 1422)

From rmeggins at redhat.com Wed May 20 14:24:55 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 20 May 2009 08:24:55 -0600
Subject: [389-users] How to unlock a busy replica
In-Reply-To: <6c57faaff0ec001454741da6fcc77832@intranet.sc.senai.br>
References: <6c57faaff0ec001454741da6fcc77832@intranet.sc.senai.br>
Message-ID: <4A1412B7.3010307@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> Rich,
>
> Fedora DS 1.1.1 on Red Hat ES 5.
>
I suggest upgrading to the latest: fedora-ds-base 1.2.0, fedora-ds-admin 1.1.7, fedora-ds 1.1.3, etc. I don't know if that will fix the problem, but we did fix a few replication related bugs between 1.1.1 and 1.2.0.
> Regards,
>
> "Rich Megginson" wrote:
>
>>> In my case, even when requested from the console in a single master
>>> configuration, it doesn't work. It stays with status "Busy Replica".
>>>
>>>
>> What platform? What version of DS?
>>
>>> Regards,
>>>
>>> "Tim Hartmann" wrote:
>>>
>>>> I've also run into this a bit, we monitor our replication with Nagios,
>>>> and I've gotten a couple of alerts like this:
>>>>
>>>> Replication error: 1 Cant acquire busy replica
>>>>
>>>> Which is cleared by having the affected master send another update,
>>>> so far I've always done it through the console, but I DID find this
>>>> script to do it through the CLI:
>>>>
>>>> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Forcing_Replication_Updates.html
>>>>
>>>> I'd be interested in hearing if anyone else has come across this, and if
>>>> there are any configuration tweaks that people might suggest to keep us
>>>> from seeing this error, or maybe even clearing it automatically?
>>>>
>>> --
>>> Daniel Cristian Cruz
>>> Database Administrator
>>> Regional Directorate - Information Technology Center
>>> SENAI - SC
>>> Telephone: 48-3239-1422 (ext. 1422)
>>>
>>
>
> --
> Daniel Cristian Cruz
> Database Administrator
> Regional Directorate - Information Technology Center
> SENAI - SC
> Telephone: 48-3239-1422 (ext. 1422)
>
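Tim asked above whether the "Cant acquire busy replica" alert could be detected and handled more gracefully. As an added example that is not part of the thread, here is a Nagios-style check in the spirit of the monitoring he describes: it reads each replication agreement's nsds5replicaLastUpdateStatus attribute (the per-agreement status attribute under cn=config) and distinguishes a busy replica, which normally clears on the supplier's next update, from other replication errors. The sample LDIF is constructed; its status strings follow the "<code> <message>" form seen in the alert quoted above, and the alternative "Error (<code>)" prefix the parser also accepts is assumed for newer releases. The ldapsearch command in the comment uses placeholder bind settings.

```shell
#!/bin/sh
# Added example, not code from the thread: classify replication agreements by
# nsds5replicaLastUpdateStatus. Feed it the LDIF output of, for instance
# (bind DN is a placeholder):
#   ldapsearch -x -D "cn=Directory Manager" -W -b cn=config \
#       "(objectClass=nsds5replicationagreement)" nsds5replicaLastUpdateStatus
# LDIF-folded continuation lines are handled, so the output can be used as-is.

# Constructed sample output: two agreements, one healthy, one busy. The first
# entry contains folded lines on purpose.
sample_ldif() {
    cat <<'EOF'
dn: cn=to-consumer1,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=conf
 ig
cn: to-consumer1
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded

dn: cn=to-consumer2,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
cn: to-consumer2
nsds5replicaLastUpdateStatus: 1 Can't acquire busy replica
EOF
}

# repl_classify LDIF_FILE
# Prints one "<agreement cn>\t<code>\t<STATE>" line per agreement: OK for
# code 0, BUSY for code 1, ERROR otherwise (an unparsable status is code -1).
repl_classify() {
    awk '
        function handle(l,    s, code, state) {
            if (tolower(l) ~ /^dn: /) {
                name = substr(l, 5); sub(/,.*/, "", name); sub(/^cn=/, "", name)
            } else if (tolower(l) ~ /^nsds5replicalastupdatestatus: /) {
                s = substr(l, length("nsds5replicaLastUpdateStatus: ") + 1)
                code = -1
                if (match(s, /^[0-9]+/))
                    code = substr(s, RSTART, RLENGTH) + 0
                else if (match(s, /^Error \([0-9]+\)/))
                    code = substr(s, RSTART + 7, RLENGTH - 8) + 0
                state = (code == 0) ? "OK" : (code == 1) ? "BUSY" : "ERROR"
                printf "%s\t%d\t%s\n", name, code, state
            }
        }
        # LDIF folds long values: a line starting with a space continues the previous one
        /^ / { line = line substr($0, 2); next }
             { if (line != "") handle(line); line = $0 }
        END  { if (line != "") handle(line) }
    ' "$1"
}

# repl_check LDIF_FILE
# Nagios exit convention: 0 OK, 1 WARNING (busy replica only), 2 CRITICAL
# (any other non-zero status code).
repl_check() {
    out=$(repl_classify "$1")
    tab=$(printf '\t')
    total=$(printf '%s\n' "$out" | grep -c "${tab}" || true)
    busy=$(printf '%s\n' "$out" | grep -c "${tab}BUSY\$" || true)
    err=$(printf '%s\n' "$out" | grep -c "${tab}ERROR\$" || true)
    if [ "$err" -gt 0 ]; then
        echo "CRITICAL: $err of $total agreements report a replication error"
        return 2
    elif [ "$busy" -gt 0 ]; then
        echo "WARNING: $busy of $total agreements could not acquire a busy replica"
        return 1
    fi
    echo "OK: all $total agreements updated successfully"
    return 0
}
```

Treating the busy state as a warning rather than a critical alert matches Tim's observation that the condition clears once the affected master sends another update; a code other than 0 or 1 is what deserves a page.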
From mmercier at gmail.com Wed May 20 19:35:15 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Wed, 20 May 2009 15:35:15 -0400
Subject: [389-users] [fedora-directory-users] NSMMReplicationPlugin messages in errors log
Message-ID: <4959d1510905201235r7138cbafqd08c6f435e5c1c37@mail.gmail.com>

Hello,

I am getting the following error on both ends of a replication agreement. The replication agreement is for the fedora dogtag CA application.
Note: I had to manually do a few things to get it to work, the automated cloning was failing to setup the replication agreement.

NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=: 1

Note: Dogtag and fedora-ds are running on the same systems:

Server-1 - fedora-ds and dogtag
Server-2 - fedora-ds and dogtag clone

Replication agreements between the systems for:
o=NetscapeRoot
userRoot
dogtag dc

The error *only* appears for the dogtag dc.

In my dse.ldif, I do notice that there is only one nsslapd-referral for the dogtag dc (for server-1 to server-2)

Server-1

dn: cn="dc=",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=
cn: "dc="
nsslapd-backend: pki
nsslapd-state: Backend
creatorsName: cn=directory manager
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20090520160944Z
modifyTimestamp: 20090520162351Z
nsslapd-referral: ldap://server-2.internaldomain:389/dc%3D
numSubordinates: 1

Server-2

dn: cn="dc=",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=
cn: "dc="
nsslapd-backend: pki
nsslapd-state: Backend
creatorsName: cn=directory manager
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20090520165422Z
modifyTimestamp: 20090520180434Z
numSubordinates: 1

Searching google doesn't really point to an explanation (or solution) to the error messages.
Is it safe to do an ldapmodify to add the entry on Server-2?

Thanks,
Mike

From rmeggins at redhat.com Wed May 20 20:25:22 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 20 May 2009 14:25:22 -0600
Subject: [389-users] [fedora-directory-users] NSMMReplicationPlugin messages in errors log
In-Reply-To: <4959d1510905201235r7138cbafqd08c6f435e5c1c37@mail.gmail.com>
References: <4959d1510905201235r7138cbafqd08c6f435e5c1c37@mail.gmail.com>
Message-ID: <4A146732.5060206@redhat.com>

Mike Mercier wrote:
> Hello,
>
> I am getting the following error on both ends of a replication
> agreement. The replication agreement is for the fedora dogtag CA
> application.
> Note: I had to manually do a few things to get it to work, the
> automated cloning was failing to setup the replication agreement.
>
> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
> referrals for replica dc=: 1
>
Looks like some sort of timing thing - like the server has not been fully started yet or fully set up yet before it receives the replication request from the other master
> Note: Dogtag and fedora-ds are running on the same systems:
>
> Server-1 - fedora-ds and dogtag
> Server-2 - fedora-ds and dogtag clone
>
> Replication agreements between the systems for:
> o=NetscapeRoot
> userRoot
> dogtag dc
>
> The error *only* appears for the dogtag dc.
>
> In my dse.ldif, I do notice that there is only one nsslapd-referral
> for the dogtag dc (for server-1 to server-2)
>
> Server-1
>
> dn: cn="dc=",cn=mapping tree, cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsMappingTree
> cn: dc=
> cn: "dc="
> nsslapd-backend: pki
> nsslapd-state: Backend
> creatorsName: cn=directory manager
> modifiersName: cn=server,cn=plugins,cn=config
> createTimestamp: 20090520160944Z
> modifyTimestamp: 20090520162351Z
> nsslapd-referral: ldap://server-2.internaldomain:389/dc%3D
> numSubordinates: 1
>
> Server-2
> dn: cn="dc=",cn=mapping tree, cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsMappingTree
> cn: dc=
> cn: "dc="
> nsslapd-backend: pki
> nsslapd-state: Backend
> creatorsName: cn=directory manager
> modifiersName: cn=server,cn=plugins,cn=config
> createTimestamp: 20090520165422Z
> modifyTimestamp: 20090520180434Z
> numSubordinates: 1
>
>
> Searching google doesn't really point to an explanation (or solution)
> to the error messages.
> Is it safe to do an ldapmodify to add the entry on Server-2?
>
Yes, although the replication code is supposed to set that automatically, and may overwrite it.
> Thanks,
> Mike
>

From jsullivan at opensourcedevel.com Thu May 21 02:45:40 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Wed, 20 May 2009 22:45:40 -0400
Subject: [389-users] memberOf task problem
Message-ID: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've hit a few glitches along the way but most has gone well.
However, we wanted to implement the new memberOf functionality. We successfully added the plugin by editing dse.ldif and enabled it from the console. However, we've been unsuccessful in having existing group membership assigned to the memberOf attribute.

We first tried to run fixup-memberOf.pl but the script does not exist. There is a template.fixup-memberOf.pl but this does not seem to have been built into a final script.

We then thought we would use the new task feature of the console. We went to cn=memberof task,cn=tasks,cn=config and tried to create the task object. There was no nsDirectoryServerTask objectclass. We added an nstask but then found there was no basedn attribute we could add. We then created an extensibleobject instead but still no basedn attribute.

Finally, we resorted to ldapmodify (we hesitated just because we are not very familiar with the command line tools). First, we did:

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

The Internal Organization has several organizations under it (for various clients) and then user organizational units under those organizations. Although it generated no errors, it did not seem to work. Perhaps I just don't know how to test it. However, the following did not return any memberOf data:

/usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf

Doing

/usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid

showed me plenty of attributes but nothing for memberOf

I also tried creating the task with a basedn of ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not change objects lower in the tree. Still no success.
Finally I tried:

dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz

adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class "nsDirectoryServerTask"

And received the expected unknown object class error.

What are we doing wrong? Are these documentation bugs? Are there application bugs or do we simply not know what we are doing with tasks and memberOf? How do we get the memberOf information into our existing user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From amirov at infinet.ru Thu May 21 10:35:25 2009
From: amirov at infinet.ru (Dmitry Amirov)
Date: Thu, 21 May 2009 16:35:25 +0600
Subject: [389-users] DNA not working?
In-Reply-To: <4A12B2F8.3030203@redhat.com>
References: <4A123612.9030500@infinet.ru> <4A12B2F8.3030203@redhat.com>
Message-ID: <4A152E6D.80901@infinet.ru>

Hi Rob.

Yes, you are right. Thank you. I have found it in the sources of FDS. And I am wondering about this. Is there a mistake in the documentation?

Rob Crittenden wrote:
> Dmitry Amirov wrote:
>> Hello.
>>
>> I have a problem with the DNA plugin.
>> I have installed it according to the documentation and have done:
>> 1)
>> dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> changetype: modify
>> replace: nsslapd-pluginEnabled
>> nsslapd-pluginEnabled: on
>>
>> 2)
>> dn: cn=Account UIDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: Account UIDs
>> dnatype: uidNumber
>> dnafilter: (objectclass=posixAccount)
>> dnascope: ou=People, dc=aqua
>> dnanextvalue: 1
>> dnaMaxValue: 1300
>> dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=aqua
>> dnathreshold: 100
>> dnaRangeRequestTimeout: 60
>> dnaMagicRegen: magic
>>
>> After that the server has been restarted and I tried to add a new posixAccount
>> entry.
>> dn: uid=jsmith, ou=people,dc=aqua
>> objectClass: top
>> objectClass: person
>> objectClass: posixAccount
>> uid: jsmith
>> cn: John Smith
>> sn: Smith
>> homeDirectory: /home/smith
>> gidNumber: 123
>>
>> So, DNA is not working, with this error:
>> adding new entry uid=jsmith, ou=people,dc=aqua
>> ldap_add: Object class violation
>> ldap_add: additional info: missing attribute "uidNumber" required by
>> object class "posixAccount"
>>
>> Please help with DNA. It's very important for me. Now I am using clean
>> openldap+smbldap-tools, but I want to migrate to FDS.
>>
>> Thanks a lot.
>
> What version of 389/FDS is this?
>
> My working config looks like:
>
> dn: cn=Posix Accounts,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> cn: Posix Accounts
> dnaType: uidNumber
> dnaNextValue: 1100
> dnaInterval: 1
> dnaMaxValue: 10000
> dnaMagicRegen: 999
> dnaFilter: (objectclass=posixAccount)
> dnaScope: dc=example,dc=com
>
> rob
>

From andrey.ivanov at polytechnique.fr Thu May 21 10:59:54 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Thu, 21 May 2009 12:59:54 +0200
Subject: [389-users] memberOf task problem
In-Reply-To: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com>

Hi,

there are two things to be verified and/or taken into account:
* the pair of the attributes that is maintained (the arguments "memberofgroupattr" and "memberofattr" of the plug-in)
* presence of these two attributes in the classes of your users and groups

To find fixup-memberof.pl try "locate fixup-memberof.pl".

To launch it manually you need to add something like that to the server (with ldapmodify):

dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: memberOf_fixup_2009_5_21_12_39_21
basedn: dc=example,dc=com
filter: (objectClass=inetOrgPerson)

As for your account, you may remove/add yourself from a group to see if it changes the memberof attribute. Verify the objectClass of your entry and make sure the attribute memberOf is an optional attribute of at least one of these objectClasses...

2009/5/21 John A. Sullivan III
> Hello, all.
We are in the process of upgrading from 8.0 to 8.1. We've > hit a few glitches along the way but most has gone well. However, we > wanted to implement the new memberOf functionality. We successfully > added the plugin by editing dse.ldif and enabled it from the console. > However, we've been unsuccessful in having existing group membership > assigned to the memberOf attribute. > > We first tried to run fixup-memberOf.pl but the script does not exist. > There is a template.fixup-memberOf.pl but this does not seem to have > been built into a final script. > > We then thought we would use the new task feature of the console. We > went to cn=memberof task,cn=tasks,cn=config and tried to create the task > object. There was no nsDirectoryServerTask objectclass. We added an > nstask but then found there was no basedn attribute we could add. We > then created an extensibleobject instead but still not basedn attribute. > > Finally, we resorted to ldapmodify (we hesitated just because we are not > very familiar with the command line tools). First, we did: > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config > changetype: add > objectclass: top > objectclass: extensibleObject > cn: fixMemberOf > basedn: o=Internal,dc=ssiservices,dc=biz > > The Internal Organization has several organizations under it (for > various clients) and then user organizational units under those > organizations. Although it generated no errors, it did not seem to > work. Perhaps I just don't know how to test it. 
> However, the following
> did not return any memberOf data:
>
> /usr/lib64/mozldap/ldapsearch -b
> "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> Manager" -w - -h ldap uid=myid memberOf
>
> Doing /usr/lib64/mozldap/ldapsearch -b
> "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> Manager" -w - -h ldap uid=myid
> showed me plenty of attributes but nothing for memberOf
>
> I also tried creating the task with a basedn of
> ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
> change objects lower in the tree. Still no success.
>
> Finally I tried:
>
> dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: nsDirectoryServerTask
> cn: fixMemberOf
> basedn: o=Internal,dc=ssiservices,dc=biz
>
> adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> ldap_add: Object class violation
> ldap_add: additional info: unknown object class "nsDirectoryServerTask"
>
> And received the expected unknown object class error.
>
> What are we doing wrong? Are these documentation bugs? Are there
> application bugs or do we simply not know what we are doing with tasks
> and memberOf? How do we get the memberOf information into our existing
> user objects? Thanks - John
>
>
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>

From jsullivan at opensourcedevel.com Thu May 21 11:33:18 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 21 May 2009 07:33:18 -0400
Subject: [389-users] memberOf task problem
In-Reply-To: <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com>
Message-ID: <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net>

Thank you, Andrey. I did do an updatedb and then locate - no fixup-memberOf.pl - just template.fixup-memberOf.pl :-(

Unless I'm missing something, your ldapmodify looks just like mine except for the cn (I believe the documentation says it can be called anything) and I did not use a filter (again, I believe the documentation says it is optional and our dit is still rather small).

I did create a new group and add myself to it as you suggested (thank you). Surprisingly, it did not appear to work. I did not see a memberOf attribute populated for me. I then thought I would see if I need to manually add that attribute to each user (I hope not!) and I did not see memberOf as an attribute I could add to my user object.

I have verified that the plugin is defined in dse.ldif and it is enabled. I also see memberOf defined in 20subscriber.ldif and did not see anything in the documentation about needing to extend the schema.

So, at this point, I am still at a loss for what I did wrong. What do I check next? Thanks - John

On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> Hi,
>
> there are two things to be verified and/or taken into account:
> * the pair of the attributes that is maintained (the arguments
> "memberofgroupattr" and "memberofattr" of the plug-in)
> * presence of these two attributes in the classes of your users and
> groups
>
> To find fixup-memberof.pl try "locate fixup-memberof.pl".
> > To launch it manually you need to add something like that to the > server (with ldapmodify) : > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, > cn=config > changetype: add > objectclass: top > objectclass: extensibleObject > cn: memberOf_fixup_2009_5_21_12_39_21 > basedn: dc=example,dc=com > filter: (objectClass=inetOrgPerson) > > > As for your account, you may remove/add yourself from a group to see > if it changes the memberof attribute. Verify the objectClass of your > entry and make sure the attribute memberOf is an optional attribute of > at least one of these objectClasses... > > > > 2009/5/21 John A. Sullivan III > Hello, all. We are in the process of upgrading from 8.0 to > 8.1. We've > hit a few glitches along the way but most has gone well. > However, we > wanted to implement the new memberOf functionality. We > successfully > added the plugin by editing dse.ldif and enabled it from the > console. > However, we've been unsuccessful in having existing group > membership > assigned to the memberOf attribute. > > We first tried to run fixup-memberOf.pl but the script does > not exist. > There is a template.fixup-memberOf.pl but this does not seem > to have > been built into a final script. > > We then thought we would use the new task feature of the > console. We > went to cn=memberof task,cn=tasks,cn=config and tried to > create the task > object. There was no nsDirectoryServerTask objectclass. We > added an > nstask but then found there was no basedn attribute we could > add. We > then created an extensibleobject instead but still not basedn > attribute. > > Finally, we resorted to ldapmodify (we hesitated just because > we are not > very familiar with the command line tools). 
> First, we did:
>
> dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> cn: fixMemberOf
> basedn: o=Internal,dc=ssiservices,dc=biz
>
> The Internal Organization has several organizations under it (for
> various clients) and then user organizational units under those
> organizations. Although it generated no errors, it did not seem to
> work. Perhaps I just don't know how to test it. However, the following
> did not return any memberOf data:
>
> /usr/lib64/mozldap/ldapsearch -b
> "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
> "cn=Directory Manager" -w - -h ldap uid=myid memberOf
>
> Doing /usr/lib64/mozldap/ldapsearch -b
> "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D
> "cn=Directory Manager" -w - -h ldap uid=myid
> showed me plenty of attributes but nothing for memberOf
>
> I also tried creating the task with a basedn of
> ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it
> did not change objects lower in the tree. Still no success.
>
> Finally I tried:
>
> dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: nsDirectoryServerTask
> cn: fixMemberOf
> basedn: o=Internal,dc=ssiservices,dc=biz
>
> adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> ldap_add: Object class violation
> ldap_add: additional info: unknown object class "nsDirectoryServerTask"
>
> And received the expected unknown object class error.
>
> What are we doing wrong? Are these documentation bugs? Are there
> application bugs or do we simply not know what we are doing with tasks
> and memberOf? How do we get the memberOf information into our existing
> user objects? Thanks - John
>
>
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From amirov at infinet.ru Thu May 21 12:07:07 2009
From: amirov at infinet.ru (Dmitry Amirov)
Date: Thu, 21 May 2009 18:07:07 +0600
Subject: [389-users] posixGroup
Message-ID: <4A1543EB.4080401@infinet.ru>

Hello.

My question is simple. I need to create a unix group. If I try to do this via New->Group, then I can't see posixGroup. So I can add a posixGroup only manually by adding the needed attributes. But I want to add it via the console, just as I can add a new user.

Thanks

From mmercier at gmail.com Thu May 21 12:13:47 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 08:13:47 -0400
Subject: [389-users] [fedora-directory-users] NSMMReplicationPlugin messages in errors log
In-Reply-To: <4A146732.5060206@redhat.com>
References: <4959d1510905201235r7138cbafqd08c6f435e5c1c37@mail.gmail.com> <4A146732.5060206@redhat.com>
Message-ID: <4959d1510905210513k4d74efcs72c9ae21f80c5c63@mail.gmail.com>

Hi,

Is there some way to resolve the timing issue/verify it is fully setup?

I restarted dirsrv, and removed, re-added, and reinitialized (from server-1) the replication agreement on server-2 and here is what I see in the logs:

Server-1:
[21/May/2009:07:52:49 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=PKI-Replication-Agreement" (server-2:389)".
[21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=PKI-Replication-Agreement" (server-2:389)". Sent 53 entries.
[21/May/2009:07:57:03 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1

Server-2:
[21/May/2009:07:52:49 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1
[21/May/2009:07:52:52 -0400] - import pki: Workers finished; cleaning up...
[21/May/2009:07:52:52 -0400] - import pki: Workers cleaned up.
[21/May/2009:07:52:52 -0400] - import pki: Indexing complete. Post-processing...
[21/May/2009:07:52:52 -0400] - import pki: Flushing caches...
[21/May/2009:07:52:52 -0400] - import pki: Closing files...
[21/May/2009:07:52:52 -0400] - import pki: Import complete. Processed 53 entries in 3 seconds. (17.67 entries/sec)
[21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=pki is coming online; enabling replication
[21/May/2009:07:57:03 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1

Can the repl_set_mtn_referrals message be ignored?

Thanks,
Mike

On Wed, May 20, 2009 at 4:25 PM, Rich Megginson wrote:
> Mike Mercier wrote:
>>
>> Hello,
>>
>> I am getting the following error on both ends of a replication
>> agreement. The replication agreement is for the fedora dogtag CA
>> application.
>> Note: I had to manually do a few things to get it to work, the
>> automated cloning was failing to set up the replication agreement.
>>
>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
>> referrals for replica dc=: 1
>>
>
> Looks like some sort of timing thing - like the server has not been fully
> started yet or fully set up yet before it receives the replication request
> from the other master
>>
>> Note: Dogtag and fedora-ds are running on the same systems:
>>
>> Server-1 - fedora-ds and dogtag
>> Server-2 - fedora-ds and dogtag clone
>>
>> Replication agreements between the systems for:
>> o=NetscapeRoot
>> userRoot
>> dogtag dc
>>
>> The error *only* appears for the dogtag dc.
>>
>> In my dse.ldif, I do notice that there is only one nsslapd-referral
>> for the dogtag dc (for server-1 to server-2)
>>
>> Server-1
>>
>> dn: cn="dc=",cn=mapping tree, cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: nsMappingTree
>> cn: dc=
>> cn: "dc="
>> nsslapd-backend: pki
>> nsslapd-state: Backend
>> creatorsName: cn=directory manager
>> modifiersName: cn=server,cn=plugins,cn=config
>> createTimestamp: 20090520160944Z
>> modifyTimestamp: 20090520162351Z
>> nsslapd-referral: ldap://server-2.internaldomain:389/dc%3D
>> numSubordinates: 1
>>
>> Server-2
>> dn: cn="dc=",cn=mapping tree, cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: nsMappingTree
>> cn: dc=
>> cn: "dc="
>> nsslapd-backend: pki
>> nsslapd-state: Backend
>> creatorsName: cn=directory manager
>> modifiersName: cn=server,cn=plugins,cn=config
>> createTimestamp: 20090520165422Z
>> modifyTimestamp: 20090520180434Z
>> numSubordinates: 1
>>
>>
>> Searching google doesn't really point to an explanation (or solution)
>> to the error messages.
>> Is it safe to do an ldapmodify to add the entry on Server-2?
>>
>
> Yes, although the replication code is supposed to set that automatically,
> and may overwrite it.
>>
>> Thanks,
>> Mike

From jsullivan at opensourcedevel.com Thu May 21 12:57:56 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 21 May 2009 08:57:56 -0400
Subject: [389-users] posixGroup
In-Reply-To: <4A1543EB.4080401@infinet.ru>
References: <4A1543EB.4080401@infinet.ru>
Message-ID: <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net>

On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
> Hello.
>
> My question is simple. I need to create a unix group. If I try to do this
> via New->Group, then I can't see posixGroup. So I can add posixGroup
> only manually by adding the needed attributes. But I want to add it via
> the console, as I can add a new user.

If I correctly understand what you want, what I typically do is create
the group, click on Advanced and add the posixgroup attribute. I then
simply add users who have previously had the posixAccount attribute
added to their definition. I also find in RedHat style systems that I
need to add the posixgroup attribute to the users. Hope this helps -
John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From amirov at infinet.ru Thu May 21 13:12:50 2009
From: amirov at infinet.ru (Dmitry Amirov)
Date: Thu, 21 May 2009 19:12:50 +0600
Subject: [389-users] posixGroup
In-Reply-To: <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net>
References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4A155352.7010609@infinet.ru>

Hi John.
Yes, it's a solution.
But I want to add groups the same way as users. When I create a user
account, I can click on posixAccount and fill in the needed parameters.
If I want to create a posixGroup I need to add a group and then click
Advanced and add posixGroup manually.

John A. Sullivan III wrote:
> On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
>
>> Hello.
>>
>> My question is simple. I need to create a unix group. If I try to do this
>> via New->Group, then I can't see posixGroup. So I can add posixGroup
>> only manually by adding the needed attributes. But I want to add it via
>> the console, as I can add a new user.
>>
>
> If I correctly understand what you want, what I typically do is create
> the group, click on Advanced and add the posixgroup attribute. I then
> simply add users who have previously had the posixAccount attribute
> added to their definition. I also find in RedHat style systems that I
> need to add the posixgroup attribute to the users. Hope this helps -
> John
>

From michael at stroeder.com Thu May 21 13:28:49 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 21 May 2009 15:28:49 +0200
Subject: [389-users] posixGroup
In-Reply-To: <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net>
References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4A155711.2040602@stroeder.com>

John A. Sullivan III wrote:
> On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
>> Hello.
>>
>> My question is simple. I need to create a unix group. If I try to do this
>> via New->Group, then I can't see posixGroup. So I can add posixGroup
>> only manually by adding the needed attributes. But I want to add it via
>> the console, as I can add a new user.
>
> If I correctly understand what you want, what I typically do is create
> the group, click on Advanced and add the posixgroup attribute. I then
> simply add users who have previously had the posixAccount attribute
> added to their definition.

I think instead of "add attribute" you meant to say "add auxiliary
object class".

But please note that the object classes groupOfNames/groupOfUniqueNames
and posixGroup are all defined as STRUCTURAL. Strictly speaking in the
spirit of LDAPv3 compliance an entry can only have exactly one
STRUCTURAL object class (including the inherited STRUCTURAL object
classes). Although the 389 DS does not prevent you from creating an
entry like this

objectClass: groupOfUniqueNames
objectClass: posixGroup

you shouldn't do that since it might lead to interop problems.

> I also find in RedHat style systems that I
> need to add the posixgroup attribute to the users.

???

'posixGroup' is an auxiliary object class containing the members' 'uid'
value in its multi-valued attribute 'memberUid'. Despite the issues with
STRUCTURAL I don't see any reason to add this object class to a person
or account entry anyway.

Ciao, Michael.

From michael at stroeder.com Thu May 21 13:30:22 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 21 May 2009 15:30:22 +0200
Subject: [389-users] posixGroup
In-Reply-To: <4A155352.7010609@infinet.ru>
References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net> <4A155352.7010609@infinet.ru>
Message-ID: <4A15576E.1050709@stroeder.com>

Dmitry Amirov wrote:
> But I want to add groups the same way as users. When I create a user
> account, I can click on posixAccount and fill in the needed parameters.
> If I want to create a posixGroup I need to add a group and then click
> Advanced and add posixGroup manually.

How about just using another LDAP client dedicated to the maintenance of
this data?

Ciao, Michael.
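Both schema points raised on the list, Michael's rule that an entry should carry only one STRUCTURAL object class chain and the memberOf thread's point that the memberOf attribute can only be written to entries whose object classes allow it (the AUXILIARY class inetUser in the stock schema), can be checked on LDIF before it is loaded. The checker below is an added example, not code from the list or from 389 DS; its schema table is a constructed subset (RFC 2256/2307/2798 plus the inetUser definition quoted in the thread) and the sample entries are constructed.

```python
# Added example (not from the list or 389 DS): check LDIF entries for the two
# schema problems discussed above, using a constructed subset of the schema.
from collections import namedtuple

ObjectClass = namedtuple("ObjectClass", "name kind sup must may")

def _oc(name, kind, sup=(), must=(), may=()):
    return ObjectClass(name, kind, tuple(sup), frozenset(must), frozenset(may))

# Constructed schema subset (RFC 2256/2307/2798 plus the inetUser definition
# quoted in the memberOf thread); keys and attribute names are lower-cased.
SCHEMA = {
    "top": _oc("top", "ABSTRACT"),
    "person": _oc("person", "STRUCTURAL", ["top"], ["sn", "cn"], ["userpassword"]),
    "organizationalperson": _oc("organizationalPerson", "STRUCTURAL", ["person"], may=["ou"]),
    "inetorgperson": _oc("inetOrgPerson", "STRUCTURAL", ["organizationalperson"], may=["uid", "mail"]),
    "posixaccount": _oc("posixAccount", "AUXILIARY", ["top"], ["cn", "uid", "uidnumber", "gidnumber", "homedirectory"]),
    "groupofuniquenames": _oc("groupOfUniqueNames", "STRUCTURAL", ["top"], ["cn"], ["uniquemember"]),
    "posixgroup": _oc("posixGroup", "STRUCTURAL", ["top"], ["cn", "gidnumber"], ["memberuid"]),
    "inetuser": _oc("inetUser", "AUXILIARY", ["top"], may=["uid", "inetuserstatus", "inetuserhttpurl", "userpassword", "memberof"]),
}

def parse_ldif(text):
    """Minimal LDIF reader -> list of (dn, attrs), attribute names lower-cased;
    a line starting with a space continues the previous line (LDIF folding)."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line.strip():
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if attrs:
            entries.append((attrs.get("dn", [""])[0], attrs))
    return entries

def _lineage(name):
    """The class itself plus every superior reachable via SUP (unknown classes skipped)."""
    seen, stack = [], [name.lower()]
    while stack:
        n = stack.pop()
        if n in SCHEMA and n not in seen:
            seen.append(n)
            stack.extend(SCHEMA[n].sup)
    return seen

def structural_leaves(attrs):
    """STRUCTURAL classes on the entry that are not a superior of another STRUCTURAL
    class on it. LDAPv3 allows one chain: inetOrgPerson -> organizationalPerson ->
    person counts once, groupOfUniqueNames + posixGroup counts twice."""
    present = set()
    for oc in attrs.get("objectclass", []):
        present.update(_lineage(oc))
    structural = [n for n in present if SCHEMA[n].kind == "STRUCTURAL"]
    leaves = [n for n in structural if not any(n in _lineage(m) for m in structural if m != n)]
    return sorted(SCHEMA[n].name for n in leaves)

def allowed_attributes(attrs):
    """Union of MUST and MAY over every object class on the entry and its superiors."""
    allowed = set()
    for oc in attrs.get("objectclass", []):
        for n in _lineage(oc):
            allowed |= SCHEMA[n].must | SCHEMA[n].may
    return allowed

def check_entry(attrs):
    leaves = structural_leaves(attrs)
    return {"structural": leaves,
            "multiple_structural": len(leaves) > 1,
            # the memberOf plugin can only write memberOf where the schema allows it
            "memberof_allowed": "memberof" in allowed_attributes(attrs)}

def check_ldif(text):
    return {dn: check_entry(attrs) for dn, attrs in parse_ldif(text)}

# Constructed sample entries modelled on the ones discussed in the threads.
SAMPLE_LDIF = """\
dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: admins
gidNumber: 1000

dn: uid=jdoe,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
sn: Doe

dn: uid=asmith,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: inetUser
uid: asmith
cn: Ann Smith
sn: Smith
"""
```

Running `check_ldif(SAMPLE_LDIF)` flags the group entry for two STRUCTURAL classes and reports that only the entry carrying inetUser can receive memberOf.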
From amirov at infinet.ru Thu May 21 13:45:14 2009
From: amirov at infinet.ru (Dmitry Amirov)
Date: Thu, 21 May 2009 19:45:14 +0600
Subject: [389-users] posixGroup
In-Reply-To: <4A15576E.1050709@stroeder.com>
References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net> <4A155352.7010609@infinet.ru> <4A15576E.1050709@stroeder.com>
Message-ID: <4A155AEA.6050404@infinet.ru>

Hello Michael.
Yes, I know. I have been using openldap for 4 years already. And I want a
centralized system. I thought that 389 DS was this system, with a full
featured GUI.

I wish to comfortably add groups and users, and to operate mail records
(qmailUser). Or do I need to use other clients with 389 DS, such as gq?

Thanks

I just want to

Michael Ströder wrote:
> Dmitry Amirov wrote:
>
>> But I want to add groups the same way as users. When I create a user
>> account, I can click on posixAccount and fill in the needed parameters.
>> If I want to create a posixGroup I need to add a group and then click
>> Advanced and add posixGroup manually.
>>
>
> How about just using another LDAP client dedicated to the maintenance of
> this data?
>
> Ciao, Michael.
>

From jsullivan at opensourcedevel.com Thu May 21 13:46:13 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 21 May 2009 09:46:13 -0400
Subject: [389-users] posixGroup
In-Reply-To: <4A155711.2040602@stroeder.com>
References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net> <4A155711.2040602@stroeder.com>
Message-ID: <1242913573.6381.14.camel@jaspav.missionsit.net.missionsit.net>

On Thu, 2009-05-21 at 15:28 +0200, Michael Ströder wrote:
> John A. Sullivan III wrote:
> > On Thu, 2009-05-21 at 18:07 +0600, Dmitry Amirov wrote:
> >> Hello.
> >>
> >> My question is simple. I need to create a unix group. If I try to do this
> >> via New->Group, then I can't see posixGroup. So I can add posixGroup
> >> only manually by adding the needed attributes. But I want to add it via
> >> the console, as I can add a new user.
> >
> > If I correctly understand what you want, what I typically do is create
> > the group, click on Advanced and add the posixgroup attribute. I then
> > simply add users who have previously had the posixAccount attribute
> > added to their definition.
>
> I think instead of "add attribute" you meant to say "add auxiliary
> object class".
>
> But please note that the object classes groupOfNames/groupOfUniqueNames
> and posixGroup are all defined as STRUCTURAL. Strictly speaking in the
> spirit of LDAPv3 compliance an entry can only have exactly one
> STRUCTURAL object class (including the inherited STRUCTURAL object
> classes). Although the 389 DS does not prevent you from creating an
> entry like this
>
> objectClass: groupOfUniqueNames
> objectClass: posixGroup
>
> you shouldn't do that since it might lead to interop problems.
>
> > I also find in RedHat style systems that I
> > need to add the posixgroup attribute to the users.
>
> ???
>
> 'posixGroup' is an auxiliary object class containing the members' 'uid'
> value in its multi-valued attribute 'memberUid'. Despite the issues with
> STRUCTURAL I don't see any reason to add this object class to a person
> or account entry anyway.
>
> Ciao, Michael.

Thanks very much for the clarification as I am (obviously) LDAP ignorant.
Yes, I did mean add an objectclass. Unfortunately, I think we're a bit
stuck because of RedHat's (useful) use of user groups. Since most of the
user directory files are owned by a group with the same name as the user,
I have major issues if I do not do this. I suppose the correct solution
would be to create a group of the same name but then we hit potential
problems with non-unique cn if we match uid and cn and preserve
uniqueness. What do others do? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From andrey.ivanov at polytechnique.fr Thu May 21 13:59:58 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Thu, 21 May 2009 15:59:58 +0200
Subject: [389-users] memberOf task problem
In-Reply-To: <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com>

2009/5/21 John A. Sullivan III
> Thank you, Andrey. I did do an updatedb and then locate - no
> fixup-member0f.pl - just template.fixup-memberOf.pl :-(

It is very strange. Normally during the server installation the template
should be converted to the "normal" perl script.
Have you verified the configuration of the memberOf plugin, especially
the arguments/attributes "memberofgroupattr" and "memberofattr"?

> Unless I'm missing something, your ldapmodify looks just like mine
> except for the cn (I believe the documentation says it can be called
> anything) and I did not use a filter (again, I believe the documentation
> says it is optional and our dit is still rather small).

If you do not put the filter into the ldif then the default filter is
used: "(objectClass=inetuser)". Do all your user entries include this
objectClass (inetuser)? If not, you should add this objectClass to all
the entries where you want the memberOf attribute to appear.

> I did create a new group and add myself to it as you suggested (thank
> you). Surprisingly, it did not appear to work. I did not see a
> memberOf attribute populated for me. I then thought I would see if I
> need to manually add that attribute to each user (I hope not!) and I did
> not see memberOf as an attribute I could add to my user object.

No. You should not add it manually, the memberOf attribute is maintained
automatically based on the group membership.

Do you see any message in the error log? There should be something about
the impossibility to write the memberof attribute, I think.
If you cannot add this attribute manually to your entry it means that your
entry does not contain "objectClass: inetuser". Add this objectClass to
all the entries that should be "managed" by the plug-in to allow the
attribute memberOf to be written to those entries.

> I have verified that the plugin is defined in dse.ldif and it is
> enabled. I also see memberOf defined in 20subscriber.ldif and did not
> see anything in the documentation about needing to extend the schema.

No, you don't need to extend the schema but you need to make sure that
your entries include the objectClass "inetuser":

objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class which must be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )

> So, at this point, I am still at a loss for what I did wrong. What do I
> check next? Thanks - John

Try to add the "objectClass: inetuser" to the entries concerned and take
a closer look at the "errors" log file.

@+

> On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> > Hi,
> >
> > there are two things to be verified and/or taken into account:
> > * the pair of the attributes that is maintained (the arguments
> > "memberofgroupattr" and "memberofattr" of the plug-in)
> > * presence of these two attributes in the classes of your users and
> > groups
> >
> > To find fixup-memberof.pl try "locate fixup-memberof.pl".
> >
> > To launch it manually you need to add something like that to the
> > server (with ldapmodify):
> > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks,
> >  cn=config
> > changetype: add
> > objectclass: top
> > objectclass: extensibleObject
> > cn: memberOf_fixup_2009_5_21_12_39_21
> > basedn: dc=example,dc=com
> > filter: (objectClass=inetOrgPerson)
> >
> > As for your account, you may remove/add yourself from a group to see
> > if it changes the memberof attribute. Verify the objectClass of your
> > entry and make sure the attribute memberOf is an optional attribute of
> > at least one of these objectClasses...
> >
> > 2009/5/21 John A. Sullivan III
> >
> > Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
> > hit a few glitches along the way but most has gone well. However, we
> > wanted to implement the new memberOf functionality. We successfully
> > added the plugin by editing dse.ldif and enabled it from the console.
> > However, we've been unsuccessful in having existing group membership
> > assigned to the memberOf attribute.
> >
> > We first tried to run fixup-memberOf.pl but the script does not exist.
> > There is a template.fixup-memberOf.pl but this does not seem to have
> > been built into a final script.
> >
> > We then thought we would use the new task feature of the console. We
> > went to cn=memberof task,cn=tasks,cn=config and tried to create the task
> > object. There was no nsDirectoryServerTask objectclass. We added an
> > nstask but then found there was no basedn attribute we could add. We
> > then created an extensibleobject instead but still no basedn attribute.
> >
> > Finally, we resorted to ldapmodify (we hesitated just because we are not
> > very familiar with the command line tools). First, we did:
> >
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > changetype: add
> > objectclass: top
> > objectclass: extensibleObject
> > cn: fixMemberOf
> > basedn: o=Internal,dc=ssiservices,dc=biz
> >
> > The Internal Organization has several organizations under it (for
> > various clients) and then user organizational units under those
> > organizations. Although it generated no errors, it did not seem to
> > work. Perhaps I just don't know how to test it. However, the following
> > did not return any memberOf data:
> >
> > /usr/lib64/mozldap/ldapsearch -b
> > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> > Manager" -w - -h ldap uid=myid memberOf
> >
> > Doing /usr/lib64/mozldap/ldapsearch -b
> > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> > Manager" -w - -h ldap uid=myid
> > showed me plenty of attributes but nothing for memberOf
> >
> > I also tried creating the task with a basedn of
> > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
> > change objects lower in the tree. Still no success.
> >
> > Finally I tried:
> >
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > changetype: add
> > objectclass: top
> > objectclass: nsDirectoryServerTask
> > cn: fixMemberOf
> > basedn: o=Internal,dc=ssiservices,dc=biz
> >
> > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > ldap_add: Object class violation
> > ldap_add: additional info: unknown object class "nsDirectoryServerTask"
> >
> > And received the expected unknown object class error.
> >
> > What are we doing wrong? Are these documentation bugs? Are there
> > application bugs or do we simply not know what we are doing with tasks
> > and memberOf? How do we get the memberOf information into our existing
> > user objects? Thanks - John
> >
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>

From rmeggins at redhat.com Thu May 21 14:27:44 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 21 May 2009 08:27:44 -0600
Subject: [389-users] memberOf task problem
In-Reply-To: <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com>
Message-ID: <4A1564E0.5020905@redhat.com>

Andrey Ivanov wrote:
>
> 2009/5/21 John A. Sullivan III
>
> Thank you, Andrey. I did do an updatedb and then locate - no
> fixup-member0f.pl - just template.fixup-memberOf.pl :-(
>
> It is very strange. Normally during the server installation the
> template should be converted to the "normal" perl script.

I think that is the problem here. The script is not created if you
already have an installation and just do an upgrade.
If you want to use the script with existing instances, just copy the
template file somewhere, and replace these tokens:

{{DS-ROOT}} - replace with the empty string - for FHS systems, this is just ""
{{SERVER-NAME}} - your server FQDN
{{SERVER-PORT}} - your server port number (e.g. 389)

The script is really pretty simple - all it does is create an LDIF task
entry and add it using ldapmodify.

>
> Have you verified the configuration of the memberOf plugin, especially
> the arguments/attributes "memberofgroupattr" and "memberofattr"?
>
> Unless I'm missing something, your ldapmodify looks just like mine
> except for the cn (I believe the documentation says it can be called
> anything) and I did not use a filter (again, I believe the
> documentation says it is optional and our dit is still rather small).
>
> If you do not put the filter into the ldif then the default filter is
> used: "(objectClass=inetuser)". Do all your user entries include this
> objectClass (inetuser)? If not, you should add this objectClass to all
> the entries where you want the memberOf attribute to appear.
>
> I did create a new group and add myself to it as you suggested (thank
> you). Surprisingly, it did not appear to work. I did not see a
> memberOf attribute populated for me. I then thought I would see if I
> need to manually add that attribute to each user (I hope not!) and
> I did not see memberOf as an attribute I could add to my user object.
>
> No. You should not add it manually, the memberOf attribute is
> maintained automatically based on the group membership.
>
> Do you see any message in the error log? There should be something about
> the impossibility to write the memberof attribute, I think.
> If you cannot add this attribute manually to your entry it means that
> your entry does not contain "objectClass: inetuser". Add this
> objectClass to all the entries that should be "managed" by the plug-in
> to allow the attribute memberOf to be written to those entries.
>
> I have verified that the plugin is defined in dse.ldif and it is
> enabled. I also see memberOf defined in 20subscriber.ldif and did not
> see anything in the documentation about needing to extend the schema.
>
> No, you don't need to extend the schema but you need to make sure that
> your entries include the objectClass "inetuser":
>
> objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
> 'Auxiliary class which must be present in an entry for delivery of
> subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
> inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
> subscriber interoperability' )
>
> So, at this point, I am still at a loss for what I did wrong.
> What do I check next? Thanks - John
>
> Try to add the "objectClass: inetuser" to the entries concerned and
> take a closer look at the "errors" log file.
>
> @+
>
> On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> > Hi,
> >
> > there are two things to be verified and/or taken into account:
> > * the pair of the attributes that is maintained (the arguments
> > "memberofgroupattr" and "memberofattr" of the plug-in)
> > * presence of these two attributes in the classes of your users and
> > groups
> >
> > To find fixup-memberof.pl try "locate fixup-memberof.pl".
> >
> > To launch it manually you need to add something like that to the
> > server (with ldapmodify):
> > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks,
> >  cn=config
> > changetype: add
> > objectclass: top
> > objectclass: extensibleObject
> > cn: memberOf_fixup_2009_5_21_12_39_21
> > basedn: dc=example,dc=com
> > filter: (objectClass=inetOrgPerson)
> >
> > As for your account, you may remove/add yourself from a group to see
> > if it changes the memberof attribute. Verify the objectClass of your
> > entry and make sure the attribute memberOf is an optional attribute of
> > at least one of these objectClasses...
> >
> > 2009/5/21 John A. Sullivan III
> >
> > Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
> > hit a few glitches along the way but most has gone well. However, we
> > wanted to implement the new memberOf functionality. We successfully
> > added the plugin by editing dse.ldif and enabled it from the console.
> > However, we've been unsuccessful in having existing group membership
> > assigned to the memberOf attribute.
> >
> > We first tried to run fixup-memberOf.pl but the script does not exist.
> > There is a template.fixup-memberOf.pl but this does not seem to have
> > been built into a final script.
> >
> > We then thought we would use the new task feature of the console. We
> > went to cn=memberof task,cn=tasks,cn=config and tried to create the task
> > object. There was no nsDirectoryServerTask objectclass. We added an
> > nstask but then found there was no basedn attribute we could add. We
> > then created an extensibleobject instead but still no basedn attribute.
> >
> > Finally, we resorted to ldapmodify (we hesitated just because we are not
> > very familiar with the command line tools). First, we did:
> >
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > changetype: add
> > objectclass: top
> > objectclass: extensibleObject
> > cn: fixMemberOf
> > basedn: o=Internal,dc=ssiservices,dc=biz
> >
> > The Internal Organization has several organizations under it (for
> > various clients) and then user organizational units under those
> > organizations. Although it generated no errors, it did not seem to
> > work. Perhaps I just don't know how to test it. However, the following
> > did not return any memberOf data:
> >
> > /usr/lib64/mozldap/ldapsearch -b
> > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> > Manager" -w - -h ldap uid=myid memberOf
> >
> > Doing /usr/lib64/mozldap/ldapsearch -b
> > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> > Manager" -w - -h ldap uid=myid
> > showed me plenty of attributes but nothing for memberOf
> >
> > I also tried creating the task with a basedn of
> > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
> > change objects lower in the tree. Still no success.
> >
> > Finally I tried:
> >
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > changetype: add
> > objectclass: top
> > objectclass: nsDirectoryServerTask
> > cn: fixMemberOf
> > basedn: o=Internal,dc=ssiservices,dc=biz
> >
> > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > ldap_add: Object class violation
> > ldap_add: additional info: unknown object class "nsDirectoryServerTask"
> >
> > And received the expected unknown object class error.
> >
> > What are we doing wrong? Are these documentation bugs? Are there
> > application bugs or do we simply not know what we are doing with tasks
> > and memberOf? How do we get the memberOf information into our existing
> > user objects? Thanks - John
> >
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>

From rmeggins at redhat.com Thu May 21 14:30:48 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 21 May 2009 08:30:48 -0600
Subject: [389-users] posixGroup
In-Reply-To: <4A155AEA.6050404@infinet.ru>
References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net> <4A155352.7010609@infinet.ru> <4A15576E.1050709@stroeder.com> <4A155AEA.6050404@infinet.ru>
Message-ID: <4A156598.1050407@redhat.com>

Dmitry Amirov wrote:
> Hello Michael.
> Yes, I know. I have been using openldap for 4 years already. And I want a
> centralized system. I thought that 389 DS was this system, with a full
> featured GUI.
>
> I wish to comfortably add groups and users, and to operate mail records
> (qmailUser). Or do I need to use other clients with 389 DS, such as gq?
>
The problem is that the 389 console User&Group editor is not easily
extensible - that is, it will not automatically discover object classes
for entries and display some sort of automatic UI for them, nor will it
easily allow you to add custom screens/tabs based on objectclass.
If you are a Java hacker, you could probably do this pretty easily (I would help someone get set up with Eclipse), and receive the adoration of millions (well, hundreds maybe) for adding this often requested functionality.
> Thanks
>
> I just want to
>
> Michael Ströder wrote:
>> Dmitry Amirov wrote:
>>> But i want to add groups such as users. When i creating user account, i can click on posixAccount and fill needed parameters.
>>> If i want to create posixGroup i need to add group and then click Advanced and add posixGroup Manually.
>>>
>> How about just using another LDAP client dedicated to the maintenance of this data?
>>
>> Ciao, Michael.

From rmeggins at redhat.com Thu May 21 14:32:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 21 May 2009 08:32:21 -0600
Subject: [389-users] DNA not working?
In-Reply-To: <4A152E6D.80901@infinet.ru>
References: <4A123612.9030500@infinet.ru> <4A12B2F8.3030203@redhat.com> <4A152E6D.80901@infinet.ru>
Message-ID: <4A1565F5.6010602@redhat.com>

Dmitry Amirov wrote:
> Hi Rob.
> Yes, you are right. Thank you.
>
> I have found it in sources of FDS. And i wonder about this. Is there a mistake in the documentation?
>
What is your platform and FDS version? "I have found it in sources of FDS." - ? What documentation are you looking at?
>
> Rob Crittenden wrote:
>> Dmitry Amirov wrote:
>>> Hello.
>>>
>>> I have a problem with DNA plugin.
>>> I have installed it according to the documentation and have done:
>>> 1)
>>> dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> changetype: modify
>>> replace: nsslapd-pluginEnabled
>>> nsslapd-pluginEnabled: on
>>>
>>> 2)
>>> dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: Account UIDs
>>> dnatype: uidNumber
>>> dnafilter: (objectclass=posixAccount)
>>> dnascope: ou=People, dc=aqua
>>> dnanextvalue: 1
>>> dnaMaxValue: 1300
>>> dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=aqua
>>> dnathreshold: 100
>>> dnaRangeRequestTimeout: 60
>>> dnaMagicRegen: magic
>>>
>>> After that the server has been restarted and i tried to add a new posixAccount entry.
>>> dn: uid=jsmith, ou=people,dc=aqua
>>> objectClass: top
>>> objectClass: person
>>> objectClass: posixAccount
>>> uid: jsmith
>>> cn: John Smith
>>> sn: Smith
>>> homeDirectory: /home/smith
>>> gidNumber: 123
>>>
>>> So, DNA is not working, with error:
>>> adding new entry uid=jsmith, ou=people,dc=aqua
>>> ldap_add: Object class violation
>>> ldap_add: additional info: missing attribute "uidNumber" required by object class "posixAccount"
>>>
>>> Please help with DNA. It's very important for me. Now i am using clean openldap+smbldap-tools, but i want to migrate to FDS.
>>>
>>> Thanks a lot.
>>>
>> What version of 389/FDS is this?
>>
>> My working config looks like:
>>
>> dn: cn=Posix Accounts,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> cn: Posix Accounts
>> dnaType: uidNumber
>> dnaNextValue: 1100
>> dnaInterval: 1
>> dnaMaxValue: 10000
>> dnaMagicRegen: 999
>> dnaFilter: (objectclass=posixAccount)
>> dnaScope: dc=example,dc=com
>>
>> rob

From mmercier at gmail.com Thu May 21 14:56:09 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 10:56:09 -0400
Subject: [389-users] [fedora-directory-users] NSMMReplicationPlugin messages in errors log
In-Reply-To: <4959d1510905210513k4d74efcs72c9ae21f80c5c63@mail.gmail.com>
References: <4959d1510905201235r7138cbafqd08c6f435e5c1c37@mail.gmail.com> <4A146732.5060206@redhat.com> <4959d1510905210513k4d74efcs72c9ae21f80c5c63@mail.gmail.com>
Message-ID: <4959d1510905210756w780dadq64f46c1d2e54cbce@mail.gmail.com>

Hi,

I seem to have resolved the problem by adding a URL on the replica setting to the "Enter a new URL" field pointing to the other server.

On Server-1:
ldap://server-2.internaldomain:389/dn=pki

On Server-2:
ldap://server-1.internaldomain:389/dn=pki

I am no longer seeing the error messages in /var/log/dirsrv/slapd-TEST/errors on either end of the replication agreement.

Does anyone know if this will cause any other side effects?
Thanks,
Mike

On Thu, May 21, 2009 at 8:13 AM, Mike Mercier wrote:
> Hi,
>
> Is there some way to resolve the timing issue/verify it is fully setup?
>
> I restarted dirsrv, and removed, re-added, and reinitialized (from server-1) the replication agreement on server-2 and here is what I see in the logs:
>
> Server-1:
> [21/May/2009:07:52:49 -0400] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn=PKI-Replication-Agreement" (server-2:389)".
> [21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - Finished total update of replica "agmt="cn=PKI-Replication-Agreement" (server-2:389)". Sent 53 entries.
> [21/May/2009:07:57:03 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1
>
> Server-2:
> [21/May/2009:07:52:49 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1
> [21/May/2009:07:52:52 -0400] - import pki: Workers finished; cleaning up...
> [21/May/2009:07:52:52 -0400] - import pki: Workers cleaned up.
> [21/May/2009:07:52:52 -0400] - import pki: Indexing complete. Post-processing...
> [21/May/2009:07:52:52 -0400] - import pki: Flushing caches...
> [21/May/2009:07:52:52 -0400] - import pki: Closing files...
> [21/May/2009:07:52:52 -0400] - import pki: Import complete. Processed 53 entries in 3 seconds. (17.67 entries/sec)
> [21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=pki is coming online; enabling replication
> [21/May/2009:07:57:03 -0400] NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1
>
> Can the repl_set_mtn_referrals message be ignored?
>
> Thanks,
> Mike
>
>
> On Wed, May 20, 2009 at 4:25 PM, Rich Megginson wrote:
>> Mike Mercier wrote:
>>>
>>> Hello,
>>>
>>> I am getting the following error on both ends of a replication agreement. The replication agreement is for the fedora dogtag CA application.
>>> Note: I had to manually do a few things to get it to work, the automated cloning was failing to setup the replication agreement.
>>>
>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=: 1
>>>
>>
>> Looks like some sort of timing thing - like the server has not been fully started yet or fully set up yet before it receives the replication request from the other master
>>>
>>> Note: Dogtag and fedora-ds are running on the same systems:
>>>
>>> Server-1 - fedora-ds and dogtag
>>> Server-2 - fedora-ds and dogtag clone
>>>
>>> Replication agreements between the systems for:
>>> o=NetscapeRoot
>>> userRoot
>>> dogtag dc
>>>
>>> The error *only* appears for the dogtag dc.
>>>
>>> In my dse.ldif, I do notice that there is only one nsslapd-referral for the dogtag dc (for server-1 to server-2)
>>>
>>> Server-1
>>>
>>> dn: cn="dc=",cn=mapping tree, cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: nsMappingTree
>>> cn: dc=
>>> cn: "dc="
>>> nsslapd-backend: pki
>>> nsslapd-state: Backend
>>> creatorsName: cn=directory manager
>>> modifiersName: cn=server,cn=plugins,cn=config
>>> createTimestamp: 20090520160944Z
>>> modifyTimestamp: 20090520162351Z
>>> nsslapd-referral: ldap://server-2.internaldomain:389/dc%3D
>>> numSubordinates: 1
>>>
>>> Server-2
>>> dn: cn="dc=",cn=mapping tree, cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: nsMappingTree
>>> cn: dc=
>>> cn: "dc="
>>> nsslapd-backend: pki
>>> nsslapd-state: Backend
>>> creatorsName: cn=directory manager
>>> modifiersName: cn=server,cn=plugins,cn=config
>>> createTimestamp: 20090520165422Z
>>> modifyTimestamp: 20090520180434Z
>>> numSubordinates: 1
>>>
>>>
>>> Searching google doesn't really point to an explanation (or solution) to the error messages.
>>> Is it safe to do an ldapmodify to add the entry on Server-2?
>>>
>>
>> Yes, although the replication code is supposed to set that automatically, and may overwrite it.
>>> >>> Thanks, >>> Mike >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> > From rmeggins at redhat.com Thu May 21 15:06:24 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Thu, 21 May 2009 09:06:24 -0600 Subject: [389-users] [fedora-directory-users] NSMMReplicationPlugin messages in errors log In-Reply-To: <4959d1510905210756w780dadq64f46c1d2e54cbce@mail.gmail.com> References: <4959d1510905201235r7138cbafqd08c6f435e5c1c37@mail.gmail.com> <4A146732.5060206@redhat.com> <4959d1510905210513k4d74efcs72c9ae21f80c5c63@mail.gmail.com> <4959d1510905210756w780dadq64f46c1d2e54cbce@mail.gmail.com> Message-ID: <4A156DF0.30909@redhat.com> Mike Mercier wrote: > Hi, > > I seem to have resolved the problem by adding a URL on the replica > setting to "Enter a new URL" field pointing to the other server. > > On Server-1: > ldap://server-2.internaldomain:389/dn=pki > > On Server-2 > ldap://server-1.internaldomain:389/dn=pki > > I am no longer seeing the error messages in > /var/log/dirsrv/slapd-TEST/errors on either end of the replication > agreement. > > Does anyone know if this will this cause any other side effects? > Should not cause any side effects. But if you add/delete/move masters, you will have to update those URL fields manually. > Thanks, > Mike > > On Thu, May 21, 2009 at 8:13 AM, Mike Mercier wrote: > >> Hi, >> >> Is there some way to resolve the timing issue/verify it is fully setup? 
>> >> I restarted dirsrv, and removed, re-added, and reinitialized (from >> server-1) the replication agreement on server-2 and here is what I see >> in the logs: >> >> Server-1: >> [21/May/2009:07:52:49 -0400] NSMMReplicationPlugin - Beginning total >> update of replica "agmt="cn=PKI-Replication-Agreement" >> (server-2:389)". >> [21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - Finished total >> update of replica "agmt="cn=PKI-Replication-Agreement" >> (server-2:389)". Sent 53 entries. >> [21/May/2009:07:57:03 -0400] NSMMReplicationPlugin - >> repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1 >> >> Server-2: >> [21/May/2009:07:52:49 -0400] - WARNING: Import is running with >> nsslapd-db-private-import-mem on; No other process is allowed to >> access the database >> [21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - >> repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1 >> [21/May/2009:07:52:52 -0400] - import pki: Workers finished; cleaning up... >> [21/May/2009:07:52:52 -0400] - import pki: Workers cleaned up. >> [21/May/2009:07:52:52 -0400] - import pki: Indexing complete. >> Post-processing... >> [21/May/2009:07:52:52 -0400] - import pki: Flushing caches... >> [21/May/2009:07:52:52 -0400] - import pki: Closing files... >> [21/May/2009:07:52:52 -0400] - import pki: Import complete. Processed >> 53 entries in 3 seconds. (17.67 entries/sec) >> [21/May/2009:07:52:52 -0400] NSMMReplicationPlugin - >> multimaster_be_state_change: replica dc=pki is coming online; enabling >> replication >> [21/May/2009:07:57:03 -0400] NSMMReplicationPlugin - >> repl_set_mtn_referrals: could not set referrals for replica dc=pki: 1 >> >> Can the repl_set_mtn_referrals message be ignored? >> >> Thanks, >> Mike >> >> >> On Wed, May 20, 2009 at 4:25 PM, Rich Megginson wrote: >> >>> Mike Mercier wrote: >>> >>>> Hello, >>>> >>>> I am getting the following error on both ends of a replication >>>> agreement. 
The replication agreement is for the fedora dogtag CA >>>> application. >>>> Note: I had to manually do a few things to get it to work, the >>>> automated cloning was failing to setup the replication agreement. >>>> >>>> NSMMReplicationPlugin - repl_set_mtn_referrals: could not set >>>> referrals for replica dc=: 1 >>>> >>>> >>> Looks like some sort of timing thing - like the server has not been fully >>> started yet or fully set up yet before it receives the replication request >>> from the other master >>> >>>> Note: Dogtag and fedora-ds are running on the same systems: >>>> >>>> Server-1 - fedora-ds and dogtag >>>> Server-2 - fedora-ds and dogtag clone >>>> >>>> Replication agreements between the systems for: >>>> o=NetscapeRoot >>>> userRoot >>>> dogtag dc >>>> >>>> The error *only* appears for the dogtag dc. >>>> >>>> In my dse.ldif, I do notice that there is only one nsslapd-referral >>>> for the dogtag dc (for server-1 to server-2) >>>> >>>> Server-1 >>>> >>>> dn: cn="dc=",cn=mapping tree, cn=config >>>> objectClass: top >>>> objectClass: extensibleObject >>>> objectClass: nsMappingTree >>>> cn: dc= >>>> cn: "dc=" >>>> nsslapd-backend: pki >>>> nsslapd-state: Backend >>>> creatorsName: cn=directory manager >>>> modifiersName: cn=server,cn=plugins,cn=config >>>> createTimestamp: 20090520160944Z >>>> modifyTimestamp: 20090520162351Z >>>> nsslapd-referral: ldap://server-2.internaldomain:389/dc%3D >>>> numSubordinates: 1 >>>> >>>> Server-2 >>>> dn: cn="dc=",cn=mapping tree, cn=config >>>> objectClass: top >>>> objectClass: extensibleObject >>>> objectClass: nsMappingTree >>>> cn: dc= >>>> cn: "dc=" >>>> nsslapd-backend: pki >>>> nsslapd-state: Backend >>>> creatorsName: cn=directory manager >>>> modifiersName: cn=server,cn=plugins,cn=config >>>> createTimestamp: 20090520165422Z >>>> modifyTimestamp: 20090520180434Z >>>> numSubordinates: 1 >>>> >>>> >>>> Searching google doesn't really point to an explanation (or solution) >>>> to the error messages. 
>>>> Is it safe to do an ldapmodify to add the entry on Server-2? >>>> >>>> >>> Yes, although the replication code is supposed to set that automatically, >>> and may overwrite it. >>> >>>> Thanks, >>>> Mike >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From michael at stroeder.com Thu May 21 15:20:18 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu, 21 May 2009 17:20:18 +0200 Subject: [389-users] posixGroup In-Reply-To: <4A155AEA.6050404@infinet.ru> References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net> <4A155352.7010609@infinet.ru> <4A15576E.1050709@stroeder.com> <4A155AEA.6050404@infinet.ru> Message-ID: <4A157132.6070208@stroeder.com> Dmitry Amirov wrote: > I wish to comfortably add groups, users, to operate mail records > (qmailUser). Or i need to use other clients with 389 DS such as gq? gq is not maintained anymore and is buggy. It is also just a very generic LDAP client without any knowledge about the semantics of e.g. POSIX-related directory entries. There are various clients which claim to have good support for POSIX account data. I have some doubts including maintaining the POSIX account data with my own web2ldap if you don't have enough knowledge. A decent LDAP client should support some auto-magic (e.g. 
based on a UID pool entry) for concurrently assigning uidNumber to posixAccount entries and gidNumber for posixGroup entries. You could do that manually with almost all clients and let the LDAP server enforce uniqueness after adding/modifying the entry though. Additionally you might want to have some side-effects like generating home directories etc. IIRC GOSA can do this. Your mileage may vary.

Ciao, Michael.

From michael at stroeder.com Thu May 21 15:38:21 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 21 May 2009 17:38:21 +0200
Subject: [389-users] posixGroup
In-Reply-To: <4A157132.6070208@stroeder.com>
References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net> <4A155352.7010609@infinet.ru> <4A15576E.1050709@stroeder.com> <4A155AEA.6050404@infinet.ru> <4A157132.6070208@stroeder.com>
Message-ID: <4A15756D.1020205@stroeder.com>

Michael Ströder wrote:
> There are various clients which claim to have good support for POSIX account data. I have some doubts including maintaining the POSIX account data with my own web2ldap if you don't have enough knowledge.

For those of you who want to just try web2ldap on a posixAccount entry hit this URL and play around with it:

http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/uid%3Dvenaas%2Ccn%3Dusers%2Ccn%3Dposix%2Cdc%3Duninett%2Cdc%3Dno??base

Obviously there's no write access there but you can look at how web2ldap handles different LDIF templates and HTML snippet templates for object classes when displaying the entry or when generating input forms. And you can try the group administration UI. It also lets you select group entries in a select list for the primary group (attribute gidNumber) of a posixAccount entry. The latter is done with the help of a web2ldap plugin class.

More notes on customizing the UI: http://web2ldap.de/usability.html

Ciao, Michael.
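The DNA thread above (Dmitry's config with dnaMagicRegen: magic and an entry that carries no uidNumber at all, against Rob's working config with dnaMagicRegen: 999) and Michael's remark about a UID pool that hands out uidNumber values and leaves uniqueness to the server both come down to the same range-assignment logic. The following is an added Python model of that logic, not code from 389 DS or from any poster. It assumes, as the thread implies for the 1.2-era plugin, that DNA only replaces a value equal to dnaMagicRegen and leaves an absent attribute alone, so the missing uidNumber is caught by the schema check rather than filled in; the in_use set stands in for the separate attribute uniqueness plugin, and the entry names are constructed from the thread.

```python
"""Toy model of 389 DS Distributed Numeric Assignment (DNA) range handling.

Constructed illustration, not the plugin's own code. Rob's dna* values from the
thread are the defaults. Assumption for this model: the plugin only acts on an
attribute whose value equals dnaMagicRegen; an entry that omits the attribute is
passed through unchanged and then fails the posixAccount schema check.
"""
from dataclasses import dataclass, field

# MUST attributes of posixAccount per RFC 2307; the schema check is limited to this class.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


class RangeExhausted(Exception):
    """dnaNextValue has passed dnaMaxValue: the add must fail, never reuse a number."""


@dataclass
class DnaConfig:
    """One DNA configuration entry, attribute for attribute."""
    dna_type: str = "uidNumber"                   # dnaType
    dna_next_value: int = 1100                    # dnaNextValue
    dna_interval: int = 1                         # dnaInterval
    dna_max_value: int = 10000                    # dnaMaxValue
    dna_threshold: int = 100                      # dnaThreshold
    dna_magic_regen: str = "999"                  # dnaMagicRegen
    dna_filter_objectclass: str = "posixAccount"  # stands in for dnaFilter (objectclass=posixAccount)
    in_use: set = field(default_factory=set)      # values already present in scope (uniqueness model)

    def remaining(self) -> int:
        """Values still available before dnaMaxValue is reached."""
        if self.dna_next_value > self.dna_max_value:
            return 0
        return (self.dna_max_value - self.dna_next_value) // self.dna_interval + 1

    def below_threshold(self) -> bool:
        """True once fewer than dnaThreshold values remain, i.e. time to extend the range."""
        return self.remaining() < self.dna_threshold

    def assign(self, entry: dict) -> dict:
        """Return a copy of entry with the DNA value filled in where the plugin would act."""
        out = {k: list(v) for k, v in entry.items()}
        classes = {c.lower() for c in out.get("objectClass", [])}
        if self.dna_filter_objectclass.lower() not in classes:
            return out                 # dnaFilter does not match: entry untouched
        values = out.get(self.dna_type)
        if values is None:
            return out                 # attribute absent: nothing to regenerate (model assumption)
        if values != [self.dna_magic_regen]:
            # Client supplied a real value: DNA keeps it. Uniqueness is enforced
            # separately in 389 DS (attribute uniqueness plugin); in_use models that.
            if values[0] in self.in_use:
                raise ValueError(f"{self.dna_type} {values[0]} is already in use")
            self.in_use.add(values[0])
            return out
        if self.dna_next_value > self.dna_max_value:
            raise RangeExhausted(f"{self.dna_type} range exhausted at {self.dna_max_value}")
        new_value = str(self.dna_next_value)
        self.dna_next_value += self.dna_interval
        self.in_use.add(new_value)
        out[self.dna_type] = [new_value]
        return out


def schema_violations(entry: dict) -> list:
    """MUST attributes a posixAccount entry lacks; an empty list means the add passes schema."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "posixaccount" not in classes:
        return []
    return [attr for attr in POSIX_ACCOUNT_MUST if not entry.get(attr)]


# Constructed entry modelled on the one in the thread: no uidNumber at all.
JSMITH_NO_UID = {
    "objectClass": ["top", "person", "posixAccount"],
    "uid": ["jsmith"], "cn": ["John Smith"], "sn": ["Smith"],
    "homeDirectory": ["/home/smith"], "gidNumber": ["123"],
}
# The same entry carrying the magic value, which is what makes DNA act.
JSMITH_MAGIC = dict(JSMITH_NO_UID, uidNumber=["999"])


def demo() -> dict:
    """Run both entries through a fresh config and report what each attempt produced."""
    cfg = DnaConfig()
    untouched = cfg.assign(JSMITH_NO_UID)
    assigned = cfg.assign(JSMITH_MAGIC)
    return {
        "missing_without_magic": schema_violations(untouched),
        "assigned_with_magic": assigned["uidNumber"],
        "next_value_after": cfg.dna_next_value,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The threshold check is the piece worth watching operationally: a range that silently runs out turns every new account add into an object class violation, so alerting on below_threshold() (or on the plugin's own range-request messages) is cheaper than finding out from a failed provisioning run.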
From ryan.braun at ec.gc.ca Thu May 21 16:13:21 2009
From: ryan.braun at ec.gc.ca (Ryan Braun [ADS])
Date: Thu, 21 May 2009 16:13:21 +0000
Subject: [389-users] I'm going to compile the sources to generate .debs --scripts attached
In-Reply-To: <4A1306C5.9040502@redhat.com>
References: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com> <4A1306C5.9040502@redhat.com>
Message-ID: <200905211613.21503.ryan.braun@ec.gc.ca>

On May 19, 2009 07:21:41 pm Rich Megginson wrote:
> Morenisco wrote:
> > Hi,
> >
> > I want to try compiling the sources to generate .debs for Debian/GNU Linux, just a try...
> > I would like to avoid using alien, since it could be better to generate .debs from the sources.
> >
> > Well, I see that the URL to get the sources is the following:
> >
> > http://directory.fedoraproject.org/sources/
> >
> > But I'm not sure about which files I need.
> > I think that I need these files:
> >
> > 389-admin-1.1.7.tar.bz2
> > 389-admin-console-1.1.3.tar.bz2
> > 389-adminutil-1.1.8.tar.bz2
> > 389-console-1.1.3.tar.bz2
> > 389-ds-base-1.2.1.tar.bz2
> > 389-ds-console-1.2.0.tar.bz2
> > 389-dsgw-1.1.2.tar.bz2
> >
> > Can someone confirm please?
>
> Start with 389-ds-base - here are the BuildRequires from the spec file:
> BuildRequires: nspr-devel
> BuildRequires: nss-devel
> BuildRequires: svrcore-devel
> BuildRequires: mozldap-devel
> BuildRequires: db4-devel
> BuildRequires: cyrus-sasl-devel
> BuildRequires: icu
> BuildRequires: libicu-devel
> # The following are needed to build the snmp ldap-agent
> BuildRequires: net-snmp-devel
> %ifnarch sparc sparc64 ppc ppc64
> BuildRequires: lm_sensors-devel
> %endif
> BuildRequires: bzip2-devel
> BuildRequires: zlib-devel
> BuildRequires: openssl-devel
> BuildRequires: tcp_wrappers
> BuildRequires: libselinux-devel
> # the following is for the pam passthru auth plug-in
> BuildRequires: pam-devel
>
> Most of these are already in debian, although some of them will be named differently.
>
> The two notable exceptions are mozldap and svrcore
>
> perl-Mozilla-LDAP is not a build dependency but you will need this to run setup et. al.
>
> > Thanks.

I've attached some scripts I had created a while back. I've been running the etch 1.1 build for a while. But they do build lenny 1.2 packages. I just haven't tested them that much yet.

Just edit the config file, and build them in the following order.

svrcore
mozldap
perldap
fedora-ds-base
adminutil
mod_nss
fedora-ds-admin
console

Also, the debian package control section needs some work, but the package depends should all work if you throw the packages in your own apt repo.

Also, the console jars didn't build all that well in lenny, apt kept pulling in some gcj packages that kept breaking the build, so YMMV.

Ryan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fdsbuildscripts.tar.bz2
Type: application/x-tbz
Size: 13575 bytes
Desc: not available
URL:

From mmercier at gmail.com Thu May 21 16:29:42 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 12:29:42 -0400
Subject: [389-users] Errors installing PKI Clone / chicken or egg question
Message-ID: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com>

Hello,

Note: I have cross posted this because it seems to be related to both applications.

The steps I have taken:

1. Install fedora 10 on 2 servers (service-1, service-2)
2. run yum update on both systems
3. on service-1 and service-2
   a) yum install fedora-ds
   b) setup replication agreement for
      i) o=NetscapeRoot
      ii) userRoot

Everything at this point seems to be fine.

4. on service-1 yum install pki-ca
   a) run through setup screens
      i) Create new security domain
      ii) Configure this Instance as a New CA Subsystem
      iii) Make this a Self-Signed Root CA within this new PKI hierarchy
      iv) use 'localhost' for internal database
      v) use defaults for rest of screen (exporting pkcs12)
   b) pki-ca looks like it is running fine

5. on service-2 yum install pki-ca
   a) run through setup screens
      i) Join an Existing Security Domain (pointing to service-1:9444)
      ii) type username / password
      iii) chose to clone a system (only one option in drop down for service-1)
      iv) import keys
      v) use 'localhost' for internal database

At this point, the installation seems to hang... (see /var/log/pki-ca/debug for what it is waiting for)

Should I not be using 'localhost' for the internal database?

An additional question: When running through the setup for dogtag, you have the option of using ssl for communication. What if you want to use your dogtag CA (which you are setting up) to sign the ldap certificate?

I have the following in my logs:

Service-1: /var/log/dirsrv/slapd-TEST/errors

[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:31 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
[21/May/2009:12:13:41 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object) [21/May/2009:12:13:53 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object) [21/May/2009:12:14:17 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object) Service-2: /var/log/dirsrv/slapd-TEST/errors [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allExpiredCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInvalidCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInValidCertsNotBefore-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allNonRevokedCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCaCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCertsNotAfter-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedExpiredCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedOrRevokedExpiredCaCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedOrRevokedExpiredCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCertsNotAfter-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidOrRevokedCerts-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caAll-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceled-pki-caIndex [21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: 
caCanceledEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceledRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caComplete-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCompleteRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPending-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPendingRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejected-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejectedRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=certificaterepository,ou=ca,dc=pki-ca'; entry ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
[21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing.
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica has a different generation ID than the local data.

/var/log/pki-ca/debug - this is what shows up continuously
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=pki-ca
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!
Thanks,
Mike

From msauton at redhat.com Thu May 21 17:06:44 2009
From: msauton at redhat.com (Marc Sauton)
Date: Thu, 21 May 2009 10:06:44 -0700
Subject: [389-users] Errors installing PKI Clone / chicken or egg question
In-Reply-To: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com>
References: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com>
Message-ID: <4A158A24.1060707@redhat.com>

Mike Mercier wrote:
> Hello,
>
> Note: I have cross posted this because it seems to be related to both
> applications.
>
> The steps I have taken:
>
> 1. Install fedora 10 on 2 servers (service-1, service-2)
> 2. run yum update on both systems
> 3. on service-1 and service-2
>    a) yum install fedora-ds
>    b) setup replication agreement for
>       i) o=NetscapeRoot
>       ii) userRoot
> Everything at this point seems to be fine.
>
> 4. on service-1 yum install pki-ca
>    a) run through setup screens
>       i) Create new security domain
>       ii) Configure this Instance as a New CA Subsystem
>       iii) Make this a Self-Signed Root CA within this new PKI hierarchy
>       iv) use 'localhost' for internal database
>       v) use defaults for rest of screen (exporting pkcs12)
>    b) pki-ca looks like it is running fine
>
> 5. on service-2 yum install pki-ca
>    a) run through setup screens
>       i) Join an Existing Security Domain (pointing to service-1:9444)
>       ii) type username / password
>       iii) chose to clone a system (only one option in drop down for service-1)
>       iv) import keys
>       v) use 'localhost' for internal database
>
> At this point, the installation seems to hang... (see
> /var/log/pki-ca/debug for what it is waiting for)
>
> Should I not be using 'localhost' for the internal database?
>
I would not, that was likely the first issue you encountered when replication could not be initialized by the Dogtag web configuration wizard.
> An additional question:
>
> When running through the setup for dogtag, you have the option of
> using ssl for communication. What if you want to use your dogtag CA
> (which you are setting up) to sign the ldap certificate?
>
The web configuration wizard creates all the necessary certificates and keys, as well as all the replication agreements.
Assuming the nsDS5ReplicaHost is not localhost, you may have hit a regression with Bugzilla 454032, with modified status, for RHCS 8.0, which should also be in Dogtag, what exact version are you using? (may want to check if you have this fix)
In that case, a possible work around would be to not select SSL in the Dogtag web configuration wizard, and then later configure SSL replication either manually or using the Directory Server console.
>
> I have the following in my logs:
>
> Service-1:
> /var/log/dirsrv/slapd-TEST/errors
> [21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
> [21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:31 -0400] NSMMReplicationPlugin - agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389): Replication bind with SIMPLE auth failed: LDAP error 32 (No such object) ()
> [21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read bind results for id [cn=Replication Manager cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32 (No such object)
> [21/May/2009:12:13:30 -0400] - info: entrydn not indexed on 'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may not be added to the database yet.
> [21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing.
> [21/May/2009:12:13:30 -0400] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica has a different generation ID than the local data.
>
> /var/log/pki-ca/debug - this is what shows up continuously
> [21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries checking ou=people,dc=pki-ca
> [21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!
>
> Thanks,
> Mike

From rmeggins at redhat.com Thu May 21 17:16:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 21 May 2009 11:16:21 -0600
Subject: [389-users] I'm going to compile the sources to generate .debs --scripts attached
In-Reply-To: <200905211613.21503.ryan.braun@ec.gc.ca>
References: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com> <4A1306C5.9040502@redhat.com> <200905211613.21503.ryan.braun@ec.gc.ca>
Message-ID: <4A158C65.2040902@redhat.com>

Ryan Braun [ADS] wrote:
> On May 19, 2009 07:21:41 pm Rich Megginson wrote:
>
>> Morenisco wrote:
>>
>>> Hi,
>>>
>>> I want to try compiling the sources to generate .debs for Debian/GNU
>>> Linux, just a try...
>>> I would like to avoid using alien, as it could be better to generate .debs
>>> from the sources.
>>>
>>> Well, I see that the URL to get the sources is the following:
>>>
>>> http://directory.fedoraproject.org/sources/
>>>
>>> But I'm not sure about what files I need.
>>> I think that I need those files:
>>>
>>> 389-admin-1.1.7.tar.bz2
>>> 389-admin-console-1.1.3.tar.bz2
>>> 389-adminutil-1.1.8.tar.bz2
>>> 389-console-1.1.3.tar.bz2
>>> 389-ds-base-1.2.1.tar.bz2
>>> 389-ds-console-1.2.0.tar.bz2
>>> 389-dsgw-1.1.2.tar.bz2
>>>
>>> Can someone confirm please?
>>>
>> Start with 389-ds-base - here are the BuildRequires from the spec file:
>> BuildRequires: nspr-devel
>> BuildRequires: nss-devel
>> BuildRequires: svrcore-devel
>> BuildRequires: mozldap-devel
>> BuildRequires: db4-devel
>> BuildRequires: cyrus-sasl-devel
>> BuildRequires: icu
>> BuildRequires: libicu-devel
>> # The following are needed to build the snmp ldap-agent
>> BuildRequires: net-snmp-devel
>> %ifnarch sparc sparc64 ppc ppc64
>> BuildRequires: lm_sensors-devel
>> %endif
>> BuildRequires: bzip2-devel
>> BuildRequires: zlib-devel
>> BuildRequires: openssl-devel
>> BuildRequires: tcp_wrappers
>> BuildRequires: libselinux-devel
>> # the following is for the pam passthru auth plug-in
>> BuildRequires: pam-devel
>>
>> Most of these are already in debian, although some of them will be named
>> differently.
>>
>> The two notable exceptions are mozldap and svrcore
>>
>> perl-Mozilla-LDAP is not a build dependency but you will need this to
>> run setup et. al.
>>
>>> Thanks.
>>>
>
> I've attached some scripts I had created a while back. I've been running the
> etch 1.1 build for a while. But they do build lenny 1.2 packages. I just
> haven't tested them that much yet. Just edit the config file, and build
> them in the following order.
>
> svrcore
> mozldap
> perldap
> fedora-ds-base
> adminutil
> mod_nss
> fefora-ds-admin
> console
>
> Also, the debian package control section needs some work, but the package
> depends should all work if you throw the packages in your own apt repo.
> Also, the console jars didn't build all that well in lenny, apt kept
> pulling in some gcj packages that kept breaking the build, so YMMV.
>
Does debian now include openjdk?
If so, you should be able to use that instead of gcj.
> Ryan
>

From mmercier at gmail.com Thu May 21 17:21:28 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 13:21:28 -0400
Subject: [389-users] Errors installing PKI Clone / chicken or egg question
In-Reply-To: <4A158A24.1060707@redhat.com>
References: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com> <4A158A24.1060707@redhat.com>
Message-ID: <4959d1510905211021m28a44113s469d6bef8593d4d3@mail.gmail.com>

Hello,

I am running:

[root at service-1 ~]# rpm -qa|grep pki
pki-selinux-1.1.0-1.fc10.noarch
pki-java-tools-1.1.0-1.fc10.noarch
pki-native-tools-1.1.0-1.fc10.x86_64
dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
pki-setup-1.1.0-1.fc10.noarch
dogtag-pki-common-ui-1.1.0-1.fc10.noarch
pki-common-1.1.0-1.fc10.noarch
pki-util-1.1.0-1.fc10.noarch
pki-ca-1.1.0-1.fc10.noarch

Looking at the dse.ldif file, it shows that the replication server is *not* localhost;
service-1 shows service-2 and service-2 shows service-1.

I am going to retry the install using the fqdn of the local machine as the internal database on each system.

Thanks,
Mike

On Thu, May 21, 2009 at 1:06 PM, Marc Sauton wrote:
> I would not, that was likely the first issue you encountered when
> replication could not be initialized by the Dogtag web configuration wizard.
>>
>> An additional question:
>>
>> When running through the setup for dogtag, you have the option of
>> using ssl for communication. What if you want to use your dogtag CA
>> (which you are setting up) to sign the ldap certificate?
>>
>
> The web configuration wizard creates all the necessary certificates and
> keys, as well as all the replication agreements.
> Assuming the nsDS5ReplicaHost is not localhost, you may have hit a
> regression with Bugzilla 454032, with modified status, for RHCS 8.0, which
> should also be in Dogtag, what exact version are you using? (may want to
> check if you have this fix)
> In that case, a possible work around would be to not select SSL in the
> Dogtag web configuration wizard, and then later configure SSL replication
> either manually or using the Directory Server console.

From hartmann at fas.harvard.edu Thu May 21 17:29:35 2009
From: hartmann at fas.harvard.edu (Tim Hartmann)
Date: Thu, 21 May 2009 13:29:35 -0400
Subject: [389-users] Schema Question
Message-ID: <4A158F7F.6080601@fas.harvard.edu>

Does anyone have any recommendations for which schema might be appropriate to use for Terminations/End of contract/Expiration dates for user accounts? I did some looking, but didn't see anything that jumped out at me....

Thanks
Tim

From mmercier at gmail.com Thu May 21 17:31:37 2009
From: mmercier at gmail.com (Mike Mercier)
Date: Thu, 21 May 2009 13:31:37 -0400
Subject: [389-users] Errors installing PKI Clone / chicken or egg question
In-Reply-To: <4959d1510905211021m28a44113s469d6bef8593d4d3@mail.gmail.com>
References: <4959d1510905210929gf5c80b4m3a32eb8c05e65503@mail.gmail.com> <4A158A24.1060707@redhat.com> <4959d1510905211021m28a44113s469d6bef8593d4d3@mail.gmail.com>
Message-ID: <4959d1510905211031o89df0f4y84d4150caf015783@mail.gmail.com>

Hello,

Re-installing the application using the fqdn of the system instead of 'localhost' has resolved the problem I was seeing.
Thanks for the help,
Mike

On Thu, May 21, 2009 at 1:21 PM, Mike Mercier wrote:
> Hello,
>
> I am running:
>
> [root at service-1 ~]# rpm -qa|grep pki
> pki-selinux-1.1.0-1.fc10.noarch
> pki-java-tools-1.1.0-1.fc10.noarch
> pki-native-tools-1.1.0-1.fc10.x86_64
> dogtag-pki-ca-ui-1.1.0-1.fc10.noarch
> pki-setup-1.1.0-1.fc10.noarch
> dogtag-pki-common-ui-1.1.0-1.fc10.noarch
> pki-common-1.1.0-1.fc10.noarch
> pki-util-1.1.0-1.fc10.noarch
> pki-ca-1.1.0-1.fc10.noarch
>
> Looking at the dse.ldif file, it shows that the replication server is
> *not* localhost;
> service-1 shows service-2 and service-2 shows service-1
>
> I am going to retry the install using the fqdn of the local machine as
> the internal database on each system.
>
> Thanks,
> Mike
>
> On Thu, May 21, 2009 at 1:06 PM, Marc Sauton wrote:
>
>> I would not, that was likely the first issue you encountered when
>> replication could not be initialized by the Dogtag web configuration wizard.
>>>
>>> An additional question:
>>>
>>> When running through the setup for dogtag, you have the option of
>>> using ssl for communication. What if you want to use your dogtag CA
>>> (which you are setting up) to sign the ldap certificate?
>>>
>>
>> The web configuration wizard creates all the necessary certificates and
>> keys, as well as all the replication agreements.
>> Assuming the nsDS5ReplicaHost is not localhost, you may have hit a
>> regression with Bugzilla 454032, with modified status, for RHCS 8.0, which
>> should also be in Dogtag, what exact version are you using? (may want to
>> check if you have this fix)
>> In that case, a possible work around would be to not select SSL in the
>> Dogtag web configuration wizard, and then later configure SSL replication
>> either manually or using the Directory Server console.
>

From jsullivan at opensourcedevel.com Thu May 21 22:42:15 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 21 May 2009 18:42:15 -0400
Subject: [389-users] Console unavailable after failed login
Message-ID: <1242945735.6381.76.camel@jaspav.missionsit.net.missionsit.net>

Hello, all. We normally access idm-console via ssh to our ldap servers. I find that, if I mistype the password, I am not offered an opportunity to re-type it. The application seems to hang. If I kill it and launch again, I get no screen. If I then try to restart dirsrv-admin, it shuts down right away but then takes forever to start. Has anyone else noticed this behavior? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From jsullivan at opensourcedevel.com Thu May 21 23:17:20 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 21 May 2009 19:17:20 -0400
Subject: [389-users] memberOf task problem
In-Reply-To: <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com>
Message-ID: <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net>

I'm starting to feel really stupid here - still not working. I thought the filter must be the problem for sure. I assumed from the documentation that no filter meant the task would add the attribute for everything that could take a memberOf attribute. I did not realize it defaulted to inetuser. So I recreated the task with a filter of (objectClass=inetOrgPerson) but it still did not seem to work. I thought perhaps I was doing ldapmodify wrong (enter the parameters, double enter, then CTL D) so I edited the fixup-memberof.pl script according to Rich's instructions.
It ran without error (by the way, it reflects the admin password when using -w - !!!). But still no success. Perhaps I am checking incorrectly. I did not expect to see memberOf listed as an attribute in the advanced console screen for the user since it is a managed attribute. But I did try to view it with an ldapsearch:

/usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii memberOf

Is this how I would check for success? There is nothing suspicious in the error log. I do have the audit log enabled. I see the creation and automatic deletion of the task but I do not see any changes to objects to add and populate the memberOf attribute. I'll paste in some excerpts below. What next? Thanks - John

time: 20090520221132
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxx
createTimestamp: 20090521021132Z
modifyTimestamp: 20090521021132Z

time: 20090520221333
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090520222242
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: fixMemberOf
basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521022242Z
modifyTimestamp: 20090521022242Z

time: 20090520222442
dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

. . .
time: 20090521183523
dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: memberOf_fixup_2009_5_21_18_35_23
basedn: o=Internal,dc=ssiservices,dc=biz
filter: (objectClass=inetOrgPerson)
creatorsName: cn=xxxx
modifiersName: cn=xxxx
createTimestamp: 20090521223523Z
modifyTimestamp: 20090521223523Z

time: 20090521183724
dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
changetype: delete
modifiersname: cn=server,cn=plugins,cn=config

time: 20090521185804
dn: cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
changetype: modify
replace: nsPreference
nsPreference:: IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
 dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
-
replace: modifiersname
modifiersname: cn=xxxxx
-
replace: modifytimestamp
modifytimestamp: 20090521225804Z
-

On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote:
>
> 2009/5/21 John A. Sullivan III
>     Thank you, Andrey. I did do an updatedb and then locate - no
>     fixup-memberOf.pl - just template.fixup-memberOf.pl :-(
>
> It is very strange. Normally during the server installation the
> template should be converted to the "normal" perl script.
>
> Have you verified the configuration of the memberOf plugin, especially
> the arguments/attributes "memberofgroupattr" and "memberofattr" ?
>
>     Unless I'm missing something, your ldapmodify looks just like mine
>     except for the cn (I believe the documentation says it can be called
>     anything) and I did not use a filter (again, I believe the documentation
>     says it is optional and our dit is still rather small).
>
> If you do not put the filter into the ldif then the default filter is
> used : "(objectClass=inetuser)". Do all your user entries include this
> objectClass (inetuser)?
If not, you should add this objectClass to all > the entries where you want the memberOf attribute to appear. > > > > > I did create a new group and add myself to it as you suggested > (thank > you). Surprisingly, it did not appear to work. I did not see > a > memberOf attribute populated for me. I then thought I would > see if I > need to manually add that attribute to each user (I hope not!) > and I did > not see memberOf as an attribute I could add to my user > object. > > No. You should not add it manually, the memberOf attribute is > maintained automatically based on the group membership. > > Do you see any message in error log? There should be something about > the impossibility to write the memberof attribute i think. > If you cannot add this attribute manually to your entry it means that > your entry does not containe "objectClass: inetuser". Add this > objectClass to all the entries that should be "managed" by the plug-in > to allow the attribute memberOf to be written to that entries. > > > > > I have verified that the plugin is defined in dse.ldif and it > is > enabled. I also see memberOf defined in 20subscriber.ldif and > did not > see anything in the documentation about needing to extend the > schema. > No, you don't need to extend the schema but you need to make sure that > your entries include the objectClass "inetuser": > > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC > 'Auxiliary class which must be present in an entry for delivery of > subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ > inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape > subscriber interoperability' ) > > > > > > So, at this point, I am still at a loss for what I did wrong. > What do I > check next? Thanks - John > Try to add the "objectClass: inetuser" to the entries concerned and > take a closer look to the "errors" log file. 
> > @+ > > > > > > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote: > > Hi, > > > > there are two things to be verified and/or taken into > account: > > * the pair of the attributes that is maintained (the > arguments > > "memberofgroupattr" and "memberofattr" of the plug-in) > > * presence of these two attributes in the classes of your > users and > > groups > > > > To find fixup-memberof.pl try "locate fixup-memberof.pl". > > > > To launch it manually you need to add something like that > to the > > server (with ldapmodify) : > > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, > cn=tasks, > > cn=config > > changetype: add > > objectclass: top > > objectclass: extensibleObject > > cn: memberOf_fixup_2009_5_21_12_39_21 > > basedn: dc=example,dc=com > > filter: (objectClass=inetOrgPerson) > > > > > > As for your account, you may remove/add yourself from a > group to see > > if it changes the memberof attribute. Verify the objectClass > of your > > entry and make sure the attribute memberOf is an optional > attribute of > > at least one of these objectClasses... > > > > > > > > 2009/5/21 John A. Sullivan III > > > Hello, all. We are in the process of upgrading from > 8.0 to > > 8.1. We've > > hit a few glitches along the way but most has gone > well. > > However, we > > wanted to implement the new memberOf functionality. > We > > successfully > > added the plugin by editing dse.ldif and enabled it > from the > > console. > > However, we've been unsuccessful in having existing > group > > membership > > assigned to the memberOf attribute. > > > > We first tried to run fixup-memberOf.pl but the > script does > > not exist. > > There is a template.fixup-memberOf.pl but this does > not seem > > to have > > been built into a final script. > > > > We then thought we would use the new task feature of > the > > console. We > > went to cn=memberof task,cn=tasks,cn=config and > tried to > > create the task > > object. 
There was no nsDirectoryServerTask > objectclass. We > > added an > > nstask but then found there was no basedn attribute > we could > > add. We > > then created an extensibleobject instead but still > not basedn > > attribute. > > > > Finally, we resorted to ldapmodify (we hesitated > just because > > we are not > > very familiar with the command line tools). First, > we did: > > > > dn: cn=fixMemberOf,cn=memberof > task,cn=tasks,cn=config > > changetype: add > > objectclass: top > > objectclass: extensibleObject > > cn: fixMemberOf > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > The Internal Organization has several organizations > under it > > (for > > various clients) and then user organizational units > under > > those > > organizations. Although it generated no errors, it > did not > > seem to > > work. Perhaps I just don't know how to test it. > However, the > > following > > did not return an memberOf data: > > > > /usr/lib64/mozldap/ldapsearch -b > > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D > > "cn=Directory > > Manager" -w - -h ldap uid=myid memberOf > > > > Doing /usr/lib64/mozldap/ldapsearch -b > > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D > > "cn=Directory > > Manager" -w - -h ldap uid=myid > > showed me plenty of attributes but nothing for > memberOf > > > > I also tried creating the task with a basedn of > > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz > in case it > > did not > > change objects lower in the tree. Still no success. 
> > > > Finally I tried: > > > > dn: cn=fixMemberOf,cn=memberof > task,cn=tasks,cn=config > > changetype: add > > objectclass: top > > objectclass: nsDirectoryServerTask > > cn: fixMemberOf > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > adding new entry cn=fixMemberOf,cn=memberof > > task,cn=tasks,cn=config > > ldap_add: Object class violation > > ldap_add: additional info: unknown object class > > "nsDirectoryServerTask" > > > > And received the expected unknown object class > error. > > > > What are we doing wrong? Are these documentation > bugs? Are > > there > > application bugs or do we simply not know what we > are doing > > with tasks > > and memberOf? How do we get the memberOf information > into our > > existing > > user objects? Thanks - John > > > > > > -- > > John A. Sullivan III > > Open Source Development Corporation > > +1 207-985-7880 > > jsullivan at opensourcedevel.com > > > > http://www.spiritualoutreach.com > > Making Christianity intelligible to secular society > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > > John A. Sullivan III > Open Source Development Corporation > +1 207-985-7880 > jsullivan at opensourcedevel.com > > http://www.spiritualoutreach.com > Making Christianity intelligible to secular society > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- John A. 
Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From clintd at scms.waikato.ac.nz Fri May 22 00:00:36 2009
From: clintd at scms.waikato.ac.nz (Clint Dilks)
Date: Fri, 22 May 2009 12:00:36 +1200
Subject: [389-users] CentOS5 Desktops authenticating to 389 Directory Server
Message-ID: <4A15EB24.2010900@scms.waikato.ac.nz>

Hi Everyone.

I am doing some LDAP testing. I have set up a 389 Directory Server on CentOS 5 and using the default schema I have populated it with a couple of users. I then did the configuration on the client that I thought was needed to make it authenticate.

To test this I expected to be able to use id of a user I had defined. But I get

id: 1001: No such user
id: 5001: No such user

I then thought perhaps it was an LDAP permissions problem so I tried binding to the LDAP server using a user I know has full rights using these entries in /etc/openldap/ldap.conf; there was no change.

BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
BINDPW LDAPt3st

I can query these users from a desktop that I want to use the LDAP server as an authentication source. Using

ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=LDilks
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=LDilks
# requesting: ALL
#

# LDilks, People, scms.waikato.ac.nz
dn: uid=LDilks,ou=People, dc=scms, dc=waikato, dc=ac, dc=nz
givenName: LDAP-Clint
sn: Dilks
telephoneNumber: 4546
loginShell: /bin/bash
gidNumber: 1001
uidNumber: 1001
mail: clintd at scms.waikato.ac.nz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: LDilks
gecos: A Test LDAP account
cn: LDAP-Clint Dilks
homeDirectory: /home/LDAP-clint

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root at distilled2 ~]# ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=BBuilder
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=BBuilder
# requesting: ALL
#

# BBuilder, scms.waikato.ac.nz
dn: uid=BBuilder,dc=scms, dc=waikato, dc=ac, dc=nz
givenName: Bob
sn: Builder
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: BBuilder
gecos: Got to love Cartoons
cn: Bob Builder
homeDirectory: /home/bob

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The three config files I am aware of are

cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example, dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
URI ldap://distilled.scms.waikato.ac.nz
BASE dc=scms.dc=waikato,dc=ac,dc=nz
#BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
#BINDPW LDAPt3st
TLS_CACERTDIR /etc/openldap/cacerts

cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$'
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Can anyone give me any pointers as to where I am going wrong? And can anyone confirm or deny that by default I should be able to bind anonymously and get the required authentication information?

Thank you for any help you can offer.

From jsullivan at opensourcedevel.com Fri May 22 01:38:51 2009
From: jsullivan at opensourcedevel.com (John A.
Sullivan III) Date: Thu, 21 May 2009 21:38:51 -0400 Subject: [389-users] CentOS5 Desktops authenticating to 389 Directory Server In-Reply-To: <4A15EB24.2010900@scms.waikato.ac.nz> References: <4A15EB24.2010900@scms.waikato.ac.nz> Message-ID: <1242956331.6381.100.camel@jaspav.missionsit.net.missionsit.net> On Fri, 2009-05-22 at 12:00 +1200, Clint Dilks wrote: > Hi Everyone. > > I am doing some LDAP testing. I have setup a 389 Directory Server on > CentOS 5 and using the default schema I have populated it with a couple > of users. I then did the configuration on the client that I thought was > needed to make it authenticate. > > To test this I expected to be able to use id of a user I had > defined. > But I get id: 1001: No such user id: 5001: No such user > > I then thought perhaps it was an LDAP permissions problem so I tried > binding to the LDAP server using a user I know has full rights using > these entries in /etc/openldap/ldap.conf there was no change. > > BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz > BINDPW LDAPt3st > > I can query these users from a desktop that I want to use the LDAP > server as an authentication source. 
> > Using > > * ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b > dc=scms,dc=waikato,dc=ac,dc=nz uid=LDilks* > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: uid=LDilks > # requesting: ALL > # > > # LDilks, People, scms.waikato.ac.nz > dn: uid=LDilks,ou=People, dc=scms, dc=waikato, dc=ac, dc=nz > givenName: LDAP-Clint > sn: Dilks > telephoneNumber: 4546 > loginShell: /bin/bash > gidNumber: 1001 > uidNumber: 1001 > mail: clintd at scms.waikato.ac.nz > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > objectClass: posixAccount > uid: LDilks > gecos: A Test LDAP account > cn: LDAP-Clint Dilks > homeDirectory: /home/LDAP-clint > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > *[root at distilled2 ~]# ldapsearch -x -H > ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz > uid=BBuilder* > # extended LDIF > # > # LDAPv3 > # base with scope subtree > # filter: uid=BBuilder > # requesting: ALL > # > > # BBuilder, scms.waikato.ac.nz > dn: uid=BBuilder,dc=scms, dc=waikato, dc=ac, dc=nz > givenName: Bob > sn: Builder > loginShell: /bin/bash > uidNumber: 5001 > gidNumber: 5001 > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > objectClass: posixAccount > uid: BBuilder > gecos: Got to love Cartoons > cn: Bob Builder > homeDirectory: /home/bob > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > The three files config files I am aware of are > > cat /etc/openldap/ldap.conf > # > # LDAP Defaults > # > > # See ldap.conf(5) for details > # This file should be world readable but not world writable. 
> > #BASE dc=example, dc=com > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 > > #SIZELIMIT 12 > #TIMELIMIT 15 > #DEREF never > URI ldap://distilled.scms.waikato.ac.nz > BASE dc=scms.dc=waikato,dc=ac,dc=nz > #BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz > #BINDPW LDAPt3st > TLS_CACERTDIR /etc/openldap/cacerts > > cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$' > passwd: files ldap > shadow: files ldap > group: files ldap > hosts: files dns > bootparams: nisplus [NOTFOUND=return] files > ethers: files > netmasks: files > networks: files > protocols: files > rpc: files > services: files > netgroup: files ldap > publickey: nisplus > automount: files ldap > aliases: files nisplus > > cat /etc/pam.d/system-auth > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth sufficient pam_ldap.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so broken_shadow > account sufficient pam_succeed_if.so uid < 500 quiet > account [default=bad success=ok user_unknown=ignore] pam_ldap.so > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so md5 shadow nullok try_first_pass > use_authtok > password sufficient pam_ldap.so use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session optional pam_ldap.so > > Can anyone give me any pointers as to where I am going wrong ?? And can > anyone confirm or deny that by default I should be able to bind > anonymously and get the required authentication information ? > > Thank you for any help you can offer. Interesting! 
I know my setup is working yet, if I do id , it comes back with no such user. If I do id , it returns the appropriate information from LDAP. I have not taken the time to figure out why there is a difference. What happens if you do id ? - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From clintd at scms.waikato.ac.nz Fri May 22 01:56:38 2009
From: clintd at scms.waikato.ac.nz (Clint Dilks)
Date: Fri, 22 May 2009 13:56:38 +1200
Subject: [389-users] CentOS5 Desktops authenticating to 389 Directory Server
In-Reply-To: <1242956331.6381.100.camel@jaspav.missionsit.net.missionsit.net>
References: <4A15EB24.2010900@scms.waikato.ac.nz> <1242956331.6381.100.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4A160656.9010202@scms.waikato.ac.nz>

> Interesting! I know my setup is working yet, if I do id , it
> comes back with no such user. If I do id , it returns the
> appropriate information from LDAP. I have not taken the time to figure
> out why there is a difference. What happens if you do id ? - John
>
Hi John

Thanks for the response. You are right, the test should have been id LDilks or id BBuilder. But this also wasn't working.

We were specifying

uri ldap://distilled.scms.waikato.ac.nz

when it should be

uri ldap://distilled.scms.waikato.ac.nz/

Thanks for the feedback

From andrey.ivanov at polytechnique.fr Fri May 22 06:31:19 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Fri, 22 May 2009 08:31:19 +0200
Subject: [389-users] memberOf task problem
In-Reply-To: <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com> <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com>

Can you show me the result of

/usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass

It will list all the objectClasses of your entry. If "objectClass: inetUser" is not present in the result of this search you should, as I said in the previous message, add this objectClass to all the entries you're going to manage with the memberOf plug-in, smth like:

dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: add
objectclass: inetUser

Hope it helps.

2009/5/22 John A. Sullivan III
> I'm starting to feel really stupid here - still not working.
>
> I thought the filter must be the problem for sure. I assumed from the
> documentation that no filter meant the task would add the attribute for
> everything that could take a memberOf attribute. I did not realize it
> defaulted to inetuser. So I recreated the task with a filter of
> (objectClass=inetOrgPerson) but it still did not seem to work.
>
> I thought perhaps I was doing ldapmodify wrong (enter the parameters,
> double enter, then CTL D) so I edited the fixup-memberof.pl script
> according to Rich's instructions. It ran without error (by the way, it
> reflects the admin password when using -w - !!!). But still no success.
>
> Perhaps I am checking incorrectly. I did not expect to see memberOf
> listed as an attribute in the advanced console screen for the user since
> it is a managed attribute. But I did try to view it with an ldapsearch:

It should be visible as an attribute you can add (provided your entry has "objectClass: inetUser")

> /usr/lib64/mozldap/ldapsearch -b
> "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> Manager" -w - -h ldap uid=jasiii memberOf
>
> Is this how I would check for success?
>
> There is nothing suspicious in the error log. I do have the audit log
> enabled. I see the creation and automatic deletion of the task but I do
> not see any changes to objects to add and populate the memberOf
> attribute. I'll paste in some excerpts below.
>
> What next?
Thanks - John > > time: 20090520221132 > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config > changetype: add > objectClass: top > objectClass: extensibleObject > cn: fixMemberOf > basedn: o=Internal,dc=ssiservices,dc=biz > creatorsName: cn=xxxx > modifiersName: cn=xxx > createTimestamp: 20090521021132Z > modifyTimestamp: 20090521021132Z > > time: 20090520221333 > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config > changetype: delete > modifiersname: cn=server,cn=plugins,cn=config > > time: 20090520222242 > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config > changetype: add > objectClass: top > objectClass: extensibleObject > cn: fixMemberOf > basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > creatorsName: cn=xxxx > modifiersName: cn=xxxx > createTimestamp: 20090521022242Z > modifyTimestamp: 20090521022242Z > > time: 20090520222442 > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config > changetype: delete > modifiersname: cn=server,cn=plugins,cn=config > > . > . > . 
> time: 20090521183523 > dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, > cn=config > changetype: add > objectClass: top > objectClass: extensibleObject > cn: memberOf_fixup_2009_5_21_18_35_23 > basedn: o=Internal,dc=ssiservices,dc=biz > filter: (objectClass=inetOrgPerson) > creatorsName: cn=xxxx > modifiersName: cn=xxxx > createTimestamp: 20090521223523Z > modifyTimestamp: 20090521223523Z > > time: 20090521183724 > dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof > task,cn=tasks,cn=config > changetype: delete > modifiersname: cn=server,cn=plugins,cn=config > > time: 20090521185804 > dn: > cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou= > ssiservices.biz,o=netscaperoot > changetype: modify > replace: nsPreference > nsPreference:: > IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3 > > dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg== > - > replace: modifiersname > modifiersname: cn=xxxxx > - > replace: modifytimestamp > modifytimestamp: 20090521225804Z > - > > On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote: > > > > > > 2009/5/21 John A. Sullivan III > > Thank you, Andrey. I did do an updatedb and then locate - no > > fixup-member0f.pl - just template.fixup-memberOf.pl :-( > > It is very strange. Normally during the server installation the > > template should be converted to the "normal" perl script. > > > > Have you verified the configuration of the memberOf plugin, especially > > the arguments/attributes "memberofgroupattr" and "memberofattr" ? > > > > > > > > > > > > > > Unless I'm missing something, you're ldapmodify looks just > > like mine > > except for the cn (I believe the documentation says it can be > > called > > anything) and I did not use a filter (again, I believe the > > documentation > > says it is optional and our dit is still rather small). > > If you do not put the filter into the ldif then the default filter is > > used : "(objectClass=inetuser)". 
Do all your user entries include this > > objectClass (inetuser)? If not, you should add this objectClass to all > > the entries where you want the memberOf attribute to appear. > > > > > > > > > > I did create a new group and add myself to it as you suggested > > (thank > > you). Surprisingly, it did not appear to work. I did not see > > a > > memberOf attribute populated for me. I then thought I would > > see if I > > need to manually add that attribute to each user (I hope not!) > > and I did > > not see memberOf as an attribute I could add to my user > > object. > > > > No. You should not add it manually, the memberOf attribute is > > maintained automatically based on the group membership. > > > > Do you see any message in error log? There should be something about > > the impossibility to write the memberof attribute i think. > > If you cannot add this attribute manually to your entry it means that > > your entry does not containe "objectClass: inetuser". Add this > > objectClass to all the entries that should be "managed" by the plug-in > > to allow the attribute memberOf to be written to that entries. > > > > > > > > > > I have verified that the plugin is defined in dse.ldif and it > > is > > enabled. I also see memberOf defined in 20subscriber.ldif and > > did not > > see anything in the documentation about needing to extend the > > schema. > > No, you don't need to extend the schema but you need to make sure that > > your entries include the objectClass "inetuser": > > > > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC > > 'Auxiliary class which must be present in an entry for delivery of > > subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ > > inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape > > subscriber interoperability' ) > > > > > > > > > > > > So, at this point, I am still at a loss for what I did wrong. > > What do I > > check next? 
Thanks - John > > Try to add the "objectClass: inetuser" to the entries concerned and > > take a closer look to the "errors" log file. > > > > @+ > > > > > > > > > > > > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote: > > > Hi, > > > > > > there are two things to be verified and/or taken into > > account: > > > * the pair of the attributes that is maintained (the > > arguments > > > "memberofgroupattr" and "memberofattr" of the plug-in) > > > * presence of these two attributes in the classes of your > > users and > > > groups > > > > > > To find fixup-memberof.pl try "locate fixup-memberof.pl". > > > > > > To launch it manually you need to add something like that > > to the > > > server (with ldapmodify) : > > > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, > > cn=tasks, > > > cn=config > > > changetype: add > > > objectclass: top > > > objectclass: extensibleObject > > > cn: memberOf_fixup_2009_5_21_12_39_21 > > > basedn: dc=example,dc=com > > > filter: (objectClass=inetOrgPerson) > > > > > > > > > As for your account, you may remove/add yourself from a > > group to see > > > if it changes the memberof attribute. Verify the objectClass > > of your > > > entry and make sure the attribute memberOf is an optional > > attribute of > > > at least one of these objectClasses... > > > > > > > > > > > > 2009/5/21 John A. Sullivan III > > > > > Hello, all. We are in the process of upgrading from > > 8.0 to > > > 8.1. We've > > > hit a few glitches along the way but most has gone > > well. > > > However, we > > > wanted to implement the new memberOf functionality. > > We > > > successfully > > > added the plugin by editing dse.ldif and enabled it > > from the > > > console. > > > However, we've been unsuccessful in having existing > > group > > > membership > > > assigned to the memberOf attribute. > > > > > > We first tried to run fixup-memberOf.pl but the > > script does > > > not exist. 
> > > There is a template.fixup-memberOf.pl but this does > > not seem > > > to have > > > been built into a final script. > > > > > > We then thought we would use the new task feature of > > the > > > console. We > > > went to cn=memberof task,cn=tasks,cn=config and > > tried to > > > create the task > > > object. There was no nsDirectoryServerTask > > objectclass. We > > > added an > > > nstask but then found there was no basedn attribute > > we could > > > add. We > > > then created an extensibleobject instead but still > > not basedn > > > attribute. > > > > > > Finally, we resorted to ldapmodify (we hesitated > > just because > > > we are not > > > very familiar with the command line tools). First, > > we did: > > > > > > dn: cn=fixMemberOf,cn=memberof > > task,cn=tasks,cn=config > > > changetype: add > > > objectclass: top > > > objectclass: extensibleObject > > > cn: fixMemberOf > > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > > > The Internal Organization has several organizations > > under it > > > (for > > > various clients) and then user organizational units > > under > > > those > > > organizations. Although it generated no errors, it > > did not > > > seem to > > > work. Perhaps I just don't know how to test it. > > However, the > > > following > > > did not return an memberOf data: > > > > > > /usr/lib64/mozldap/ldapsearch -b > > > > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D > > > "cn=Directory > > > Manager" -w - -h ldap uid=myid memberOf > > > > > > Doing /usr/lib64/mozldap/ldapsearch -b > > > > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D > > > "cn=Directory > > > Manager" -w - -h ldap uid=myid > > > showed me plenty of attributes but nothing for > > memberOf > > > > > > I also tried creating the task with a basedn of > > > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz > > in case it > > > did not > > > change objects lower in the tree. Still no success. 
> > > > > > Finally I tried: > > > > > > dn: cn=fixMemberOf,cn=memberof > > task,cn=tasks,cn=config > > > changetype: add > > > objectclass: top > > > objectclass: nsDirectoryServerTask > > > cn: fixMemberOf > > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > > > adding new entry cn=fixMemberOf,cn=memberof > > > task,cn=tasks,cn=config > > > ldap_add: Object class violation > > > ldap_add: additional info: unknown object class > > > "nsDirectoryServerTask" > > > > > > And received the expected unknown object class > > error. > > > > > > What are we doing wrong? Are these documentation > > bugs? Are > > > there > > > application bugs or do we simply not know what we > > are doing > > > with tasks > > > and memberOf? How do we get the memberOf information > > into our > > > existing > > > user objects? Thanks - John > > > > > > > > > -- > > > John A. Sullivan III > > > Open Source Development Corporation > > > +1 207-985-7880 > > > jsullivan at opensourcedevel.com > > > > > > http://www.spiritualoutreach.com > > > Making Christianity intelligible to secular society > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > > > > John A. Sullivan III > > Open Source Development Corporation > > +1 207-985-7880 > > jsullivan at opensourcedevel.com > > > > http://www.spiritualoutreach.com > > Making Christianity intelligible to secular society > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- > John A. 
Sullivan III > Open Source Development Corporation > +1 207-985-7880 > jsullivan at opensourcedevel.com > > http://www.spiritualoutreach.com > Making Christianity intelligible to secular society > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rpolli at babel.it Fri May 22 08:17:03 2009 From: rpolli at babel.it (Roberto Polli) Date: Fri, 22 May 2009 10:17:03 +0200 Subject: [389-users] Schema Question In-Reply-To: <4A158F7F.6080601@fas.harvard.edu> References: <4A158F7F.6080601@fas.harvard.edu> Message-ID: <200905221017.04776.rpolli@babel.it> On gioved? 21 maggio 2009 19:29:35 Tim Hartmann wrote: > approriate to use for a Terminations/End of contract/Expiration dates > for user accounts? if you mean expiration password, you can configure something with fedora-idm- console. The objectClass (passwordObject) should be automagically enabled for all inetOrgPerson entries, there should be a field with the expiration date of the account, so that you can search for (passwordExpirationDate=>TODAY) Peace, R. -- Roberto Polli Babel S.r.l. - http://www.babel.it Tel. +39.06.91801075 - fax +39.06.91612446 Tel. cel +39.340.6522736 P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma) "Il seguente messaggio contiene informazioni riservate. Qualora questo messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene notizia a mezzo e-mail. Vi sollecitiamo altres? a distruggere il messaggio erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto della legge in materia di protezione dei dati personali." From jsullivan at opensourcedevel.com Fri May 22 12:02:19 2009 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III)
Date: Fri, 22 May 2009 08:02:19 -0400
Subject: [389-users] memberOf task problem
In-Reply-To: <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com> <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com>
Message-ID: <1242993739.6380.14.camel@jaspav.missionsit.net.missionsit.net>

Ah, I did not do that, as I thought the filter would make the change to users with objectClass inetOrgPerson. I am virtually certain the users do not explicitly have inetUser as an object class. Are they supposed to? Is this done by default, or is the need to add this object class to all users in order to use memberOf missing from the documentation (or overlooked by me!)?

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount

Thanks - John

On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov wrote:
> Can you show me the result of
> /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass
>
> It will list all the objectClasses of your entry. If "objectClass: inetUser" is not present in the result of this search you should, as I said in the previous message, add this objectClass to all the entries you're going to manage with the memberOf plug-in, smth like:
>
> dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> changetype: modify
> add: objectClass
> objectClass: inetUser
>
> Hope it helps.
>
> 2009/5/22 John A. Sullivan III
> > I'm starting to feel really stupid here - still not working.
> > I thought the filter must be the problem for sure. I assumed from the documentation that no filter meant the task would add the attribute for everything that could take a memberOf attribute. I did not realize it defaulted to inetuser. So I recreated the task with a filter of (objectClass=inetOrgPerson) but it still did not seem to work.
> >
> > I thought perhaps I was doing ldapmodify wrong (enter the parameters, double enter, then CTL D) so I edited the fixup-memberof.pl script according to Rich's instructions. It ran without error (by the way, it reflects the admin password when using -w - !!!). But still no success.
> >
> > Perhaps I am checking incorrectly. I did not expect to see memberOf listed as an attribute in the advanced console screen for the user since it is a managed attribute. But I did try to view it with an ldapsearch:
>
> It should be visible as an attribute you can add (provided your entry has "objectClass: inetUser")
>
> > /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii memberOf
> >
> > Is this how I would check for success?
> >
> > There is nothing suspicious in the error log. I do have the audit log enabled. I see the creation and automatic deletion of the task but I do not see any changes to objects to add and populate the memberOf attribute. I'll paste in some excerpts below.
> >
> > What next?
> > Thanks - John
> >
> > time: 20090520221132
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > changetype: add
> > objectClass: top
> > objectClass: extensibleObject
> > cn: fixMemberOf
> > basedn: o=Internal,dc=ssiservices,dc=biz
> > creatorsName: cn=xxxx
> > modifiersName: cn=xxx
> > createTimestamp: 20090521021132Z
> > modifyTimestamp: 20090521021132Z
> >
> > time: 20090520221333
> > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> > changetype: delete
> > modifiersname: cn=server,cn=plugins,cn=config
> >
> > time: 20090520222242
> > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > changetype: add
> > objectClass: top
> > objectClass: extensibleObject
> > cn: fixMemberOf
> > basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> > creatorsName: cn=xxxx
> > modifiersName: cn=xxxx
> > createTimestamp: 20090521022242Z
> > modifyTimestamp: 20090521022242Z
> >
> > time: 20090520222442
> > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> > changetype: delete
> > modifiersname: cn=server,cn=plugins,cn=config
> >
> > .
> > .
> > .
> > time: 20090521183523
> > dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
> > changetype: add
> > objectClass: top
> > objectClass: extensibleObject
> > cn: memberOf_fixup_2009_5_21_18_35_23
> > basedn: o=Internal,dc=ssiservices,dc=biz
> > filter: (objectClass=inetOrgPerson)
> > creatorsName: cn=xxxx
> > modifiersName: cn=xxxx
> > createTimestamp: 20090521223523Z
> > modifyTimestamp: 20090521223523Z
> >
> > time: 20090521183724
> > dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
> > changetype: delete
> > modifiersname: cn=server,cn=plugins,cn=config
> >
> > time: 20090521185804
> > dn: cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
> > changetype: modify
> > replace: nsPreference
> > nsPreference:: IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
> > -
> > replace: modifiersname
> > modifiersname: cn=xxxxx
> > -
> > replace: modifytimestamp
> > modifytimestamp: 20090521225804Z
> > -
> >
> > On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote:
> > > 2009/5/21 John A. Sullivan III
> > > > Thank you, Andrey. I did do an updatedb and then locate - no fixup-memberOf.pl - just template.fixup-memberOf.pl :-(
> > >
> > > It is very strange. Normally during the server installation the template should be converted to the "normal" perl script.
> > >
> > > Have you verified the configuration of the memberOf plugin, especially the arguments/attributes "memberofgroupattr" and "memberofattr"?
> > >
> > > > Unless I'm missing something, your ldapmodify looks just like mine except for the cn (I believe the documentation says it can be called anything) and I did not use a filter (again, I believe the documentation says it is optional and our dit is still rather small).
> > > If you do not put the filter into the ldif then the default filter is used: "(objectClass=inetuser)". Do all your user entries include this objectClass (inetuser)? If not, you should add this objectClass to all the entries where you want the memberOf attribute to appear.
> > >
> > > > I did create a new group and add myself to it as you suggested (thank you). Surprisingly, it did not appear to work. I did not see a memberOf attribute populated for me. I then thought I would see if I need to manually add that attribute to each user (I hope not!) and I did not see memberOf as an attribute I could add to my user object.
> > >
> > > No. You should not add it manually; the memberOf attribute is maintained automatically based on the group membership.
> > >
> > > Do you see any message in the error log? There should be something about the impossibility to write the memberof attribute, I think. If you cannot add this attribute manually to your entry it means that your entry does not contain "objectClass: inetuser". Add this objectClass to all the entries that should be "managed" by the plug-in to allow the attribute memberOf to be written to those entries.
> > >
> > > > I have verified that the plugin is defined in dse.ldif and it is enabled. I also see memberOf defined in 20subscriber.ldif and did not see anything in the documentation about needing to extend the schema.
> > > No, you don't need to extend the schema but you need to make sure that your entries include the objectClass "inetuser":
> > >
> > > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class which must be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )
> > >
> > > > So, at this point, I am still at a loss for what I did wrong. What do I check next? Thanks - John
> > >
> > > Try to add the "objectClass: inetuser" to the entries concerned and take a closer look at the "errors" log file.
> > >
> > > @+
> > >
> > > > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> > > > > Hi,
> > > > >
> > > > > there are two things to be verified and/or taken into account:
> > > > > * the pair of the attributes that is maintained (the arguments "memberofgroupattr" and "memberofattr" of the plug-in)
> > > > > * presence of these two attributes in the classes of your users and groups
> > > > >
> > > > > To find fixup-memberof.pl try "locate fixup-memberof.pl".
> > > > >
> > > > > To launch it manually you need to add something like that to the server (with ldapmodify):
> > > > > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
> > > > > changetype: add
> > > > > objectclass: top
> > > > > objectclass: extensibleObject
> > > > > cn: memberOf_fixup_2009_5_21_12_39_21
> > > > > basedn: dc=example,dc=com
> > > > > filter: (objectClass=inetOrgPerson)
> > > > >
> > > > > As for your account, you may remove/add yourself from a group to see if it changes the memberof attribute. Verify the objectClass of your entry and make sure the attribute memberOf is an optional attribute of at least one of these objectClasses...
> > > > >
> > > > > 2009/5/21 John A. Sullivan III
> > > > > > Hello, all.
> > > > > > We are in the process of upgrading from 8.0 to 8.1. We've hit a few glitches along the way but most has gone well. However, we wanted to implement the new memberOf functionality. We successfully added the plugin by editing dse.ldif and enabled it from the console. However, we've been unsuccessful in having existing group membership assigned to the memberOf attribute.
> > > > > >
> > > > > > We first tried to run fixup-memberOf.pl but the script does not exist. There is a template.fixup-memberOf.pl but this does not seem to have been built into a final script.
> > > > > >
> > > > > > We then thought we would use the new task feature of the console. We went to cn=memberof task,cn=tasks,cn=config and tried to create the task object. There was no nsDirectoryServerTask objectclass. We added an nstask but then found there was no basedn attribute we could add. We then created an extensibleobject instead but still no basedn attribute.
> > > > > >
> > > > > > Finally, we resorted to ldapmodify (we hesitated just because we are not very familiar with the command line tools). First, we did:
> > > > > >
> > > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > > changetype: add
> > > > > > objectclass: top
> > > > > > objectclass: extensibleObject
> > > > > > cn: fixMemberOf
> > > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > > >
> > > > > > The Internal Organization has several organizations under it (for various clients) and then user organizational units under those organizations. Although it generated no errors, it did not seem to work. Perhaps I just don't know how to test it.
> > > > > > However, the following did not return any memberOf data:
> > > > > >
> > > > > > /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf
> > > > > >
> > > > > > Doing /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid
> > > > > > showed me plenty of attributes but nothing for memberOf
> > > > > >
> > > > > > I also tried creating the task with a basedn of ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not change objects lower in the tree. Still no success.
> > > > > >
> > > > > > Finally I tried:
> > > > > >
> > > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > > changetype: add
> > > > > > objectclass: top
> > > > > > objectclass: nsDirectoryServerTask
> > > > > > cn: fixMemberOf
> > > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > > >
> > > > > > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > > ldap_add: Object class violation
> > > > > > ldap_add: additional info: unknown object class "nsDirectoryServerTask"
> > > > > >
> > > > > > And received the expected unknown object class error.
> > > > > >
> > > > > > What are we doing wrong? Are these documentation bugs? Are there application bugs or do we simply not know what we are doing with tasks and memberOf? How do we get the memberOf information into our existing user objects? Thanks - John
> > > > > >
> > > > > > --
> > > > > > John A.
Sullivan III > > > Open Source Development Corporation > > > +1 207-985-7880 > > > jsullivan at opensourcedevel.com > > > > > > http://www.spiritualoutreach.com > > > Making Christianity intelligible to > secular society > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > > > Fedora-directory-users mailing list > > > Fedora-directory-users at redhat.com > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > > > > John A. Sullivan III > > Open Source Development Corporation > > +1 207-985-7880 > > jsullivan at opensourcedevel.com > > > > http://www.spiritualoutreach.com > > Making Christianity intelligible to secular society > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- > John A. Sullivan III > Open Source Development Corporation > +1 207-985-7880 > jsullivan at opensourcedevel.com > > http://www.spiritualoutreach.com > Making Christianity intelligible to secular society > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -- John A. 
Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From capareci at uol.com.br Fri May 22 16:57:25 2009
From: capareci at uol.com.br (Renato Ribeiro da Silva)
Date: Fri, 22 May 2009 13:57:25 -0300
Subject: [389-users] I'm going to compile the sources to generate .debs --scripts attached
In-Reply-To: <4A158C65.2040902@redhat.com>
References: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com> <4A1306C5.9040502@redhat.com> <200905211613.21503.ryan.braun@ec.gc.ca> <4A158C65.2040902@redhat.com>
Message-ID: <4a16d9757a1da_1b371555555879b466a@weasel11.tmail>

An HTML attachment was scrubbed...
URL:

From morenisco at noc-root.net Fri May 22 17:18:10 2009
From: morenisco at noc-root.net (Morenisco)
Date: Fri, 22 May 2009 11:18:10 -0600 (MDT)
Subject: [389-users] I'm going to compile the sources to generate .debs --scripts attached
In-Reply-To: <4a16d9757a1da_1b371555555879b466a@weasel11.tmail>
References: <10051.148.87.1.172.1242759612.squirrel@box427.bluehost.com> <4A1306C5.9040502@redhat.com> <200905211613.21503.ryan.braun@ec.gc.ca> <4A158C65.2040902@redhat.com> <4a16d9757a1da_1b371555555879b466a@weasel11.tmail>
Message-ID: <6922.148.87.1.172.1243012690.squirrel@box427.bluehost.com>

On Fri, May 22, 2009 10:57 am, Renato Ribeiro da Silva wrote:
> Morenisco,
> I've compiled the sources and generated .debs following the
> http://wiki.debian.org/Teams/DebianFDSPackaging instructions. It
> works.
> Renato.
> On 21/05/2009 14:16, Rich Megginson;

Wow Renato, I'll try to contribute with the people that are generating the packages there. Thanks a lot and regards.

--
Morenisco.
Centro de Difusión de Software Libre.
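Returning to the memberOf thread above: the fix Andrey and John converge on is two ldapmodify operations. First every user entry gets the inetUser auxiliary class (memberOf is only a MAY attribute of that class, so an entry without it cannot hold the value and the plugin leaves it alone), then a task entry is added under cn=memberOf task,cn=tasks,cn=config with a basedn and a filter. The script below is an added example, not code from the thread or from Fedora/389 Directory Server: it reads an LDIF export of the user subtree, lists the entries that still lack inetUser, and emits both LDIF change sets. The sample export, the DN layout and the helper names are constructed for illustration; the task attribute names follow what the thread's audit log shows. Note that adding an objectClass to an existing entry is an LDIF modify (`add: objectClass`), whereas `changetype: add` creates a new entry and is refused for a DN that already exists.

```python
"""Build the two ldapmodify inputs the memberOf thread above needs, offline,
from an LDIF export. Example code added to this page, not from the thread or
from Fedora/389 Directory Server; standard library only. The sample export,
DN layout and helper names are constructed; the task attributes (cn=memberOf
task, basedn, filter, extensibleObject) follow the entries in the thread."""
import base64
import datetime

# Constructed export (as ldapsearch -LLL / db2ldif would print it): one user
# lacking inetUser, one that has it, and a group. Not real data.
SAMPLE_LDIF = """\
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jasiii

dn: uid=alice,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: inetOrgPerson
objectClass: inetUser
uid: alice

dn: cn=admins,ou=Groups,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
"""

def _split_attr(line):
    """'attr: value' or base64 'attr:: value' -> (attr, value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.strip(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr.strip(), rest.strip()

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr_lower: [values]})]; unfolds
    continuation lines (leading space) and skips '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            attr, value = _split_attr(line)
            if attr.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(attr.lower(), []).append(value)
    return entries

def users_missing_objectclass(entries, user_class="inetOrgPerson", wanted="inetUser"):
    """DNs that are users (have user_class) but lack `wanted`. memberOf is a
    MAY attribute of inetUser, so such entries cannot hold it and both the
    plugin and the fixup task leave them untouched."""
    found = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if user_class.lower() in classes and wanted.lower() not in classes:
            found.append(dn)
    return found

def add_objectclass_ldif(dns, objectclass="inetUser"):
    """ldapmodify input adding an auxiliary class to EXISTING entries: this is
    'changetype: modify' + 'add: objectClass'. A 'changetype: add' would try to
    create the entry again and be refused as already existing."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {objectclass}\n"
        for dn in dns)

def memberof_fixup_task_ldif(basedn, filt="(objectClass=inetUser)", stamp=None):
    """Task entry asking the memberOf plugin to rebuild memberOf under basedn.
    The server deletes it when done (the thread's audit log shows the delete by
    cn=server,cn=plugins,cn=config). The default filter is the one the thread
    says applies when none is given; pass `stamp` to get a fixed cn."""
    if stamp is None:
        stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y_%m_%d_%H_%M_%S")
    cn = f"memberOf_fixup_{stamp}"
    return (f"dn: cn={cn},cn=memberOf task,cn=tasks,cn=config\n"
            "changetype: add\nobjectClass: top\nobjectClass: extensibleObject\n"
            f"cn: {cn}\nbasedn: {basedn}\nfilter: {filt}\n")

if __name__ == "__main__":
    missing = users_missing_objectclass(parse_ldif(SAMPLE_LDIF))
    print(add_objectclass_ldif(missing))        # step 1: feed to ldapmodify
    print(memberof_fixup_task_ldif("o=Internal,dc=ssiservices,dc=biz"))  # step 2
```

Apply step 1 before step 2, both as a DN allowed to modify the user entries (the thread uses cn=Directory Manager). John's remark that the fixup script reflects the password given with `-w -` is a reminder to read the bind password from a file rather than the command line (`-j file` with the mozldap tools, `-y file` with OpenLDAP's) and to keep shell history in mind. After the task entry is added, watch the errors log for its completion; the server removes the task entry itself, and any user still lacking inetUser simply ends up without memberOf rather than producing an error for that entry.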
http://www.cdsl.cl
http://santiago.flisol.cl
http://trabajosfloss.noc-root.net
Blog: http://morenisco.noc-root.net

From ngolnik at gmail.com Fri May 22 18:33:01 2009
From: ngolnik at gmail.com (Nate Golnik)
Date: Fri, 22 May 2009 14:33:01 -0400
Subject: [389-users] LDAP to samba password synchronization
In-Reply-To: <1242244033.6380.13.camel@jaspav.missionsit.net.missionsit.net>
References: <1242241607.6380.6.camel@jaspav.missionsit.net.missionsit.net> <1242241999.6380.10.camel@jaspav.missionsit.net.missionsit.net> <4A0B217D.5050904@redhat.com> <1242244033.6380.13.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4358ce6b0905221133q3f0e2dcct42c5748a01df3362@mail.gmail.com>

> I'm very interested in implementing freeIPA as it matures and as we have
> some breathing room after our initial product rollout. Is there any way
> to do this without researching and deploying a new product? Anything
> either built into 389 or PAM? Thanks - John

FreeIPA uses a plugin to sync the passwords; you could in theory pull the plugin out of freeIPA and add it to 389. I started working on doing this a few months ago and ran out of time. When I looked at it, a conversion didn't look like it would be that hard.

-Nate

From dumboq at yahoo.com Fri May 22 19:38:05 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Fri, 22 May 2009 12:38:05 -0700 (PDT)
Subject: [389-users] Best practice for user / group authentication
Message-ID: <423116.78117.qm@web111915.mail.gq1.yahoo.com>

I want to use centos-ds 8 for centralized authentication. I believe this is derived from fedora-ds 1.1.

I want to know what is the best practice for storing posixgroups. In the event that no DS is available, I want all of my system accounts to function as normal. If I use LDAP to store posixgroups, then all accounts will hang during login if my DS is down. I understand the reason is that even a local user must look at ldap to see what other groups this user belongs to.
Is this something I should be concerned with? Or will services that are already running before losing access to DS function as normal? I have several processes which use ssh to run commands on other machines. I imagine that this will fail, or be extremely delayed waiting for ldap to timeout.

Two things that I could think of which could ease this problem a little.
1. Can I set nsswitch to give up on ldap after x seconds? Thus allowing local users to login without a major delay.
2. Can nscd 'not' expire records if it cannot contact ldap?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dumboq at yahoo.com Fri May 22 19:43:32 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Fri, 22 May 2009 12:43:32 -0700 (PDT)
Subject: [389-users] Customizing IDM Console
Message-ID: <297446.64929.qm@web111913.mail.gq1.yahoo.com>

Is there any way to customize the idm console? I basically just need a tool for add/mod/remove users and groups for authentication. centos-ds worked out of the box for authentication, but I had to manually pick a uid and gid. Is there a way to have idm-console pick the next available id?

If not, has anyone tried Gosa with fedora directory?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Fri May 22 19:45:09 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 22 May 2009 15:45:09 -0400
Subject: [389-users] Best practice for user / group authentication
In-Reply-To: <423116.78117.qm@web111915.mail.gq1.yahoo.com>
References: <423116.78117.qm@web111915.mail.gq1.yahoo.com>
Message-ID: <4A1700C5.8060603@redhat.com>

Dumbo Q wrote:
> I want to use centos-ds 8 for centralized authentication. I believe
> this is derived from fedora-ds 1.1.
>
> I want to know what is the best practice for storing posixgroups. In
> the event that no DS is available, I want all of my system accounts to
> function as normal.
> If I use LDAP to store posixgroups, then all accounts will hang during login if my DS is down. I understand the reason is that even a local user must look at ldap to see what other groups this user belongs to.
>
> Is this something I should be concerned with? Or will services that are already running before losing access to DS function as normal? I have several processes which use ssh to run commands on other machines. I imagine that this will fail, or be extremely delayed waiting for ldap to timeout.
>
> Two things that I could think of which could ease this problem a little.
> 1. Can I set nsswitch to give up on ldap after x seconds? Thus allowing local users to login without a major delay.

To ensure you can get into the box when things are in a bad state, add this to /etc/ldap.conf:

nss_initgroups_ignoreusers root

For time limits, see the nss_ldap man page and look for bind_timelimit and timelimit. The default for these is 30 seconds and 0 (forever). In freeIPA we use 5 and 15.

> 2. Can nscd 'not' expire records if it cannot contact ldap?

I'm not sure if nscd is necessarily aware that the data comes from LDAP, so I don't think you can really tune it this way.

rob
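Rob's settings, turned into a check a practitioner can run before trusting a host to stay reachable while the directory is down. This is an added example, not code from the thread or from nss_ldap: it parses an nss_ldap style /etc/ldap.conf, reports a missing root entry in nss_initgroups_ignoreusers, and flags a bind_timelimit or timelimit that is absent, 0 or above a ceiling. The two sample files, the ceilings (10 s for bind_timelimit, 30 s for timelimit) and the defaults assumed for absent keywords (30 and 0, as the reply states) are assumptions made for the example.

```python
"""Audit an nss_ldap /etc/ldap.conf for the availability settings in Rob's
reply, so that logins do not hang while the directory server is down.

Example code added to this page, not from the thread or from nss_ldap. The
two sample files are constructed; the ceilings and the defaults assumed for
absent keywords (30 for bind_timelimit, 0 for timelimit) are assumptions."""

WEAK_CONF = """\
# constructed: a stock-looking ldap.conf with no availability tuning
base dc=example,dc=com
uri ldap://ds1.example.com/
ssl start_tls
"""

HARDENED_CONF = """\
# constructed: the settings from the reply applied
base dc=example,dc=com
uri ldap://ds1.example.com/ ldap://ds2.example.com/
ssl start_tls
nss_initgroups_ignoreusers root
bind_timelimit 5
timelimit 15
"""

def parse_ldap_conf(text):
    """nss_ldap syntax: 'keyword value...' per line, '#' lines are comments,
    keywords are case-insensitive, a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings

def availability_findings(text, max_bind_timelimit=10, max_timelimit=30):
    """Return a list of problems; an empty list means the file passes."""
    settings = parse_ldap_conf(text)
    findings = []

    # Root must never block on an LDAP initgroups lookup, or nobody can log in
    # on the console to repair the box while the directory is unreachable.
    ignored = {u.strip() for u in settings.get("nss_initgroups_ignoreusers", "").split(",")}
    if "root" not in ignored:
        findings.append("nss_initgroups_ignoreusers does not list root; "
                        "root login will wait on LDAP group lookups")

    # Bounded connect/bind and search times keep a dead server from stalling
    # every getpwnam/getgrnam call for the full TCP timeout, or forever.
    for key, default, maximum in (("bind_timelimit", 30, max_bind_timelimit),
                                  ("timelimit", 0, max_timelimit)):
        raw = settings.get(key)
        try:
            value = default if raw is None else int(raw)
        except ValueError:
            findings.append(f"{key} is not an integer: {raw!r}")
            continue
        origin = " by default" if raw is None else ""
        if value == 0:
            findings.append(f"{key} is 0 (no limit){origin}")
        elif value > maximum:
            findings.append(f"{key} is {value}{origin}, above the {maximum} s ceiling")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, availability_findings(conf) or ["ok"])
```

The check looks only at what the reply covers; it says nothing about whether nsswitch.conf lists `files` before `ldap`, which is the other half of keeping local accounts usable, and nothing about nscd, which Rob notes cannot be tuned for this.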
From andrey.ivanov at polytechnique.fr Fri May 22 20:59:13 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Fri, 22 May 2009 22:59:13 +0200
Subject: [389-users] memberOf task problem
In-Reply-To: <1242993739.6380.14.camel@jaspav.missionsit.net.missionsit.net>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com> <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com> <1242993739.6380.14.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <1601b8650905221359g57624751k7b449341c4ff579d@mail.gmail.com>

2009/5/22 John A. Sullivan III
> Ah, I did not do that as I thought the filter would make the change to users with objectClass inetOrgPerson.

No. The filter just searches what you have in your directory.

> I am virtually certain the users do not explicitly have inetUser as an object class. Are they supposed to?

Yes. The set of attributes that your entry can hold is defined by the classes listed in "objectClass", and the attribute memberOf is part of the "inetUser" objectClass.

> Is this done by default or is the need to add this object class to all users in order to use memberOf missing from the documentation (or overlooked by me!).

No. It is not done by default; you need to add "objectClass: inetUser" (or any other objectClass containing the memberOf attribute) to each user entry.
You can make a small perl script that does for all your users something like:
-------------
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
changetype: modify
add: objectClass
objectClass: inetUser
-------------
You can test it with the GUI of the console for one or two user entries just to be sure the attribute memberOf works as you wish...

> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: account
> objectClass: posixgroup
> objectClass: shadowaccount

The origin of your problem is the absence of "objectClass: inetUser", necessary to add the memberOf attribute to the entry...

> Thanks - John
>
> On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov wrote:
> > Can you show me the result of
> > /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass
> >
> > It will list all the objectClasses of your entry. If "objectClass: inetUser" is not present in the result of this search you should, as I said in the previous message, add this objectClass to all the entries you're going to manage with the memberOf plug-in, smth like:
> >
> > dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> > changetype: modify
> > add: objectClass
> > objectClass: inetUser
> >
> > Hope it helps.
> >
> > 2009/5/22 John A. Sullivan III
> > > I'm starting to feel really stupid here - still not working.
> > >
> > > I thought the filter must be the problem for sure. I assumed from the documentation that no filter meant the task would add the attribute for everything that could take a memberOf attribute. I did not realize it defaulted to inetuser. So I recreated the task with a filter of (objectClass=inetOrgPerson) but it still did not seem to work.
> > > > I thought perhaps I was doing ldapmodify wrong (enter the > > parameters, > > double enter, then CTL D) so I edited the fixup-memberof.pl > > script > > according to Rich's instructions. It ran without error (by > > the way, it > > reflects the admin password when using -w - !!!). But still > > no success. > > > > Perhaps I am checking incorrectly. I did not expect to see > > memberOf > > listed as an attribute in the advanced console screen for the > > user since > > it is a managed attribute. But I did try to view it with an > > ldapsearch: > > It should be visible as an attribute you can add (provided your entry > > has "objectClass: inetUser") > > > > > > > > > > /usr/lib64/mozldap/ldapsearch -b > > > > "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D > > "cn=Directory > > Manager" -w - -h ldap uid=jasiii memberOf > > > > Is this how I would check for success? > > > > There is nothing suspicious in the error log. I do have the > > audit log > > enabled. I see the creation and automatic deletion of the > > task but I do > > not see any changes to objects to add and populate the > > memberOf > > attribute. I'll paste in some excerpts below. > > > > What next? 
Thanks - John > > > > time: 20090520221132 > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config > > changetype: add > > > > objectClass: top > > objectClass: extensibleObject > > cn: fixMemberOf > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > creatorsName: cn=xxxx > > modifiersName: cn=xxx > > createTimestamp: 20090521021132Z > > modifyTimestamp: 20090521021132Z > > > > time: 20090520221333 > > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config > > changetype: delete > > modifiersname: cn=server,cn=plugins,cn=config > > > > time: 20090520222242 > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config > > changetype: add > > > > objectClass: top > > objectClass: extensibleObject > > cn: fixMemberOf > > basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > > creatorsName: cn=xxxx > > modifiersName: cn=xxxx > > createTimestamp: 20090521022242Z > > modifyTimestamp: 20090521022242Z > > > > time: 20090520222442 > > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config > > changetype: delete > > modifiersname: cn=server,cn=plugins,cn=config > > > > . > > . > > . 
> > time: 20090521183523 > > dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, > > cn=tasks, > > cn=config > > changetype: add > > objectClass: top > > objectClass: extensibleObject > > cn: memberOf_fixup_2009_5_21_18_35_23 > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > filter: (objectClass=inetOrgPerson) > > creatorsName: cn=xxxx > > modifiersName: cn=xxxx > > createTimestamp: 20090521223523Z > > modifyTimestamp: 20090521223523Z > > > > time: 20090521183724 > > dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof > > task,cn=tasks,cn=config > > > > changetype: delete > > modifiersname: cn=server,cn=plugins,cn=config > > > > time: 20090521185804 > > dn: > > cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou= > ssiservices.biz,o=netscaperoot > > changetype: modify > > replace: nsPreference > > nsPreference:: > > IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3 > > > > > dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg== > > - > > replace: modifiersname > > modifiersname: cn=xxxxx > > - > > replace: modifytimestamp > > modifytimestamp: 20090521225804Z > > - > > > > > > On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote: > > > > > > > > > 2009/5/21 John A. Sullivan III > > > > > Thank you, Andrey. I did do an updatedb and then > > locate - no > > > fixup-member0f.pl - just > > template.fixup-memberOf.pl :-( > > > It is very strange. Normally during the server installation > > the > > > template should be converted to the "normal" perl script. > > > > > > Have you verified the configuration of the memberOf plugin, > > especially > > > the arguments/attributes "memberofgroupattr" and > > "memberofattr" ? 
> > > Unless I'm missing something, your ldapmodify looks just like mine except for the cn (I believe the documentation says it can be called anything) and I did not use a filter (again, I believe the documentation says it is optional and our dit is still rather small).
> > If you do not put the filter into the ldif then the default filter is used: "(objectClass=inetuser)". Do all your user entries include this objectClass (inetuser)? If not, you should add this objectClass to all the entries where you want the memberOf attribute to appear.
> >
> > > I did create a new group and add myself to it as you suggested (thank you). Surprisingly, it did not appear to work. I did not see a memberOf attribute populated for me. I then thought I would see if I need to manually add that attribute to each user (I hope not!) and I did not see memberOf as an attribute I could add to my user object.
> > No. You should not add it manually, the memberOf attribute is maintained automatically based on the group membership.
> >
> > Do you see any message in error log? There should be something about the impossibility to write the memberof attribute I think. If you cannot add this attribute manually to your entry it means that your entry does not contain "objectClass: inetuser". Add this objectClass to all the entries that should be "managed" by the plug-in to allow the attribute memberOf to be written to those entries.
> >
> > > I have verified that the plugin is defined in dse.ldif and it is enabled. I also see memberOf defined in 20subscriber.ldif and did not see anything in the documentation about needing to extend the schema.
> > No, you don't need to extend the schema but you need to make sure that your entries include the objectClass "inetuser":
> >
> > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC 'Auxiliary class which must be present in an entry for delivery of subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $ inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape subscriber interoperability' )
> >
> > > So, at this point, I am still at a loss for what I did wrong. What do I check next? Thanks - John
> > Try to add the "objectClass: inetuser" to the entries concerned and take a closer look at the "errors" log file.
> >
> > @+
> >
> > > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> > > > Hi,
> > > >
> > > > there are two things to be verified and/or taken into account:
> > > > * the pair of the attributes that is maintained (the arguments "memberofgroupattr" and "memberofattr" of the plug-in)
> > > > * presence of these two attributes in the classes of your users and groups
> > > >
> > > > To find fixup-memberof.pl try "locate fixup-memberof.pl".
> > > >
> > > > To launch it manually you need to add something like that to the server (with ldapmodify):
> > > > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
> > > > changetype: add
> > > > objectclass: top
> > > > objectclass: extensibleObject
> > > > cn: memberOf_fixup_2009_5_21_12_39_21
> > > > basedn: dc=example,dc=com
> > > > filter: (objectClass=inetOrgPerson)
> > > >
> > > > As for your account, you may remove/add yourself from a group to see if it changes the memberof attribute. Verify the objectClass of your entry and make sure the attribute memberOf is an optional attribute of at least one of these objectClasses...
> > > >
> > > > 2009/5/21 John A. Sullivan III
> > > > > Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've hit a few glitches along the way but most has gone well. However, we wanted to implement the new memberOf functionality. We successfully added the plugin by editing dse.ldif and enabled it from the console. However, we've been unsuccessful in having existing group membership assigned to the memberOf attribute.
> > > > >
> > > > > We first tried to run fixup-memberOf.pl but the script does not exist. There is a template.fixup-memberOf.pl but this does not seem to have been built into a final script.
> > > > >
> > > > > We then thought we would use the new task feature of the console. We went to cn=memberof task,cn=tasks,cn=config and tried to create the task object. There was no nsDirectoryServerTask objectclass. We added an nstask but then found there was no basedn attribute we could add. We then created an extensibleobject instead but still no basedn attribute.
> > > > >
> > > > > Finally, we resorted to ldapmodify (we hesitated just because we are not very familiar with the command line tools). First, we did:
> > > > >
> > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: add
> > > > > objectclass: top
> > > > > objectclass: extensibleObject
> > > > > cn: fixMemberOf
> > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > >
> > > > > The Internal Organization has several organizations under it (for various clients) and then user organizational units under those organizations. Although it generated no errors, it did not seem to work. Perhaps I just don't know how to test it. However, the following did not return any memberOf data:
> > > > >
> > > > > /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf
> > > > >
> > > > > Doing /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid
> > > > > showed me plenty of attributes but nothing for memberOf
> > > > >
> > > > > I also tried creating the task with a basedn of ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not change objects lower in the tree. Still no success.
> > > > >
> > > > > Finally I tried:
> > > > >
> > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: add
> > > > > objectclass: top
> > > > > objectclass: nsDirectoryServerTask
> > > > > cn: fixMemberOf
> > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > >
> > > > > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > ldap_add: Object class violation
> > > > > ldap_add: additional info: unknown object class "nsDirectoryServerTask"
> > > > >
> > > > > And received the expected unknown object class error.
> > > > >
> > > > > What are we doing wrong? Are these documentation bugs? Are there application bugs or do we simply not know what we are doing with tasks and memberOf? How do we get the memberOf information into our existing user objects? Thanks - John
> > > > >
> > > > > --
> > > > > John A. Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan at opensourcedevel.com
> > > > >
> > > > > http://www.spiritualoutreach.com
> > > > > Making Christianity intelligible to secular society
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > --
> > John A.
> > Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dumboq at yahoo.com Fri May 22 21:16:16 2009
From: dumboq at yahoo.com (Dumbo Q)
Date: Fri, 22 May 2009 14:16:16 -0700 (PDT)
Subject: [389-users] Best practice for user / group authentication
Message-ID: <839336.41388.qm@web111908.mail.gq1.yahoo.com>

Thank you for the quick reply. I also have a question about the posix groups. To create a user in ds, the idm-console has a form which is quite easy. I can also use this to create "Groups", but they are not unix groups. I assume these are simply to keep organized all the users. To add a unix group I have to create->new->other, and choose posix group. Then I manually pick the gidnumber. It does not seem to matter where I place this posix group. My first thought is that it is going to get very messy trying to keep track of each user's posixgroup.

Secondly, does this seem like a good plan for the authentication structure below?

UnixGroups
    \- all posix groups here.
People
    \- Vendors
        \- CompanyA
        \- CompanyB
    \- Staff
        \- Accounting
        \- SysAd
        \- Development
        \- YadaYada.

But then how would I say users in companyb can only login to some hosts?

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Fri May 22 22:21:34 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 22 May 2009 16:21:34 -0600
Subject: [389-users] Customizing IDM Console
In-Reply-To: <297446.64929.qm@web111913.mail.gq1.yahoo.com>
References: <297446.64929.qm@web111913.mail.gq1.yahoo.com>
Message-ID: <4A17256E.9040507@redhat.com>

Dumbo Q wrote:
> Is there any way to customize the idm console? I basically just need a tool for add/mod/remove users and groups for authentication. centos-ds worked out of the box for authentication, but I had to manually pick a uid and gid. Is there a way to have idm-console pick the next available id?
>
> If not, has anyone tried Gosa with fedora directory?
>
You can customize the IDM console if you can code Java - I can help get you set up with Eclipse if you really want to go this route, but I don't recommend it if you have no prior Java experience.

There is also the dsgw (fedora-ds-dsgw) that should work with centos-ds - just grab the fedora-ds-dsgw package for EL5 - see http://directory.fedoraproject.org/wiki/Download and http://directory.fedoraproject.org/wiki/WebApps_Install

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From steen at ing-steen.se Sat May 23 22:45:33 2009
From: steen at ing-steen.se (Peter Steen)
Date: Sun, 24 May 2009 00:45:33 +0200
Subject: [389-users] Fedora-DS Multi Master "no such replica"
Message-ID: <200905232245.n4NMjX120607@lina.ing-steen.se>

Hello Folks!

I am setting up two fedora-ds servers, let's call them server one and server two, at two different locations. Both need to be in sync at all times; they keep config for sendmail, dbmail and horde-imp. Both fedora-ds setups are identical except for hostnames. I have added several schemas in server one, in order to handle sendmail, dbmail and horde + imp. All is working 100%.

Setting up replication with inspiration from http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL and http://www.linuxjournal.com/article/9517 ends up with an error at the next-to-last stage of the Linux Journal guide. Server one is source and server two is "consumer" in the first attempt to initialize server two from server one. The result is:

The consumer initialization has unsuccessfully completed. The error received by the replica is: 6 replication error aquiring replica replica: no such replica.

In logfiles I can see on server one that it tries, logfiles at server two say something, but I can not see server one actually login. When doing the telnet test between server one and server two I can access the LDAP servers at port 389. Also I can do ldapsearch between the two servers without any problem at all.

I am stuck here. Are schemas not replicated, or what can it be?

Thank you in advance!
Regards
//
// Peter Steen

From vitty at altlinux.ru Sun May 24 21:49:31 2009
From: vitty at altlinux.ru (Vitaly Kuznetsov)
Date: Mon, 25 May 2009 01:49:31 +0400
Subject: [389-users] Customizing IDM Console
In-Reply-To: <297446.64929.qm@web111913.mail.gq1.yahoo.com> (Dumbo Q.'s message of "Fri, 22 May 2009 12:43:32 -0700 (PDT)")
References: <297446.64929.qm@web111913.mail.gq1.yahoo.com>
Message-ID:

Dumbo Q writes:
> If not, has anyone tried Gosa with fedora directory?

I have a working installation of FDS+GOsa. Works fine.

From amirov at infinet.ru Mon May 25 03:20:50 2009
From: amirov at infinet.ru (Dmitry Amirov)
Date: Mon, 25 May 2009 09:20:50 +0600
Subject: [389-users] Customizing IDM Console
In-Reply-To:
References: <297446.64929.qm@web111913.mail.gq1.yahoo.com>
Message-ID: <4A1A0E92.1060003@infinet.ru>

Have too. Works fine.

Vitaly Kuznetsov wrote:
> Dumbo Q writes:
> > If not, has anyone tried Gosa with fedora directory?
> I have a working installation of FDS+GOsa. Works fine.

From emmanuel.billot at ird.fr Mon May 25 08:37:23 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Mon, 25 May 2009 10:37:23 +0200
Subject: [389-users] Deleting suffixe with command line
Message-ID: <4A1A58C3.80407@ird.fr>

Hi,

Is there any simple method to completely delete a root suffix on the command line? When using the UI, FDS seems to execute many different operations and we need a script to do the same thing.
BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From emmanuel.billot at ird.fr Mon May 25 08:41:07 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Mon, 25 May 2009 10:41:07 +0200
Subject: [389-users] Creating suffixe with command line
Message-ID: <4A1A59A3.8050301@ird.fr>

Hi,

Creating a suffix from the command line is explained at http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_Databases.html#Creating_Suffixes-Creating_Root_and_Sub_Suffixes_from_the_Command_Line

However, a last operation is missing for having an operational directory: creating a new "root object" in the UI. Is there any method to do it from the command line?

BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From jsullivan at opensourcedevel.com Mon May 25 20:02:29 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 25 May 2009 16:02:29 -0400
Subject: [389-users] memberOf task problem
In-Reply-To: <1601b8650905221359g57624751k7b449341c4ff579d@mail.gmail.com>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com> <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com> <1242993739.6380.14.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905221359g57624751k7b449341c4ff579d@mail.gmail.com>
Message-ID: <1243281750.6377.10.camel@jaspav.missionsit.net.missionsit.net>

Hmm . . . this made perfect sense and I thought it would be the end of my problems for sure.
However, I added inetUser, ran fixup_memberof.pl and still see no memberOf populated attribute even if I ask for it explicitly:

[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap01 uid=jasiii
Enter bind password:
version: 1
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: account
objectClass: posixgroup
objectClass: shadowaccount
objectClass: inetuser
physicalDeliveryOfficeName: Kennebunk
telephoneNumber: +1 (207) xxx-xxxx
mail: jsullivan at example.com
sn: Sullivan III
givenName: John A.
loginShell: /bin/bash
homeDirectory: /home/jasiii
gidNumber: 100001
uidNumber: 100001
cn: jasiii
uid: jasiii
userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg==
shadowLastChange: 14366
l: Kennebunk
postalCode: 04043-XXXX
postOfficeBox: PO Box XXX
st: ME
[root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap01 uid=jasiii memberOf
Enter bind password:
version: 1
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz

I then explicitly added the memberOf attribute to a user, created a bogus group and added the user to the group. Still no memberOf. What am I doing wrong? Thanks - John

On Fri, 2009-05-22 at 22:59 +0200, Andrey Ivanov wrote:
> 2009/5/22 John A. Sullivan III
> > Ah, I did not do that as I thought the filter would make the change to users with objectClass inetOrgPerson.
> No. The filter just searches what you have in your directory
>
> > I am virtually certain the users do not explicitly have inetUser as an object class. Are they supposed to?
> Yes. The set of the attributes that your entry can hold is defined by the classes listed in "objectClass". And the attribute memberOf is part of the "inetUser" objectClass.
> > Is this done by default or is the need to add this object class to all users in order to use memberOf missing from the documentation (or overlooked by me!).
> No. It is not done by default, you need to add the "objectClass: inetUser" (or any other objectClass containing the memberOf attribute) to each user entry. You can make a small perl script that does for all your users something like
>
> -------------
> dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> changetype: modify
> add: objectclass
> objectclass: inetUser
> -------------
>
> You can test it with the GUI of the console for one or two user entries just to be sure the attribute memberOf works as you wish...
>
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: account
> > objectClass: posixgroup
> > objectClass: shadowaccount
> The origin of your problem is the absence of "objectClass: inetUser" necessary to add the memberOf attribute to the entry...
>
> > Thanks - John
> >
> > On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov wrote:
> > > Can you show me the result of
> > > /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass
> > >
> > > It will list all the objectClasses of your entry. If "objectClass: inetUser" is not present in the result of this search you should, as I said in the previous message, add this objectClass to all the entries you're going to manage with the memberOf plug-in, smth like:
> > >
> > > dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> > > changetype: modify
> > > add: objectclass
> > > objectclass: inetUser
> > >
> > > Hope it helps.
> > >
> > > 2009/5/22 John A. Sullivan III
> > > > I'm starting to feel really stupid here - still not working.
> > > >
> > > > I thought the filter must be the problem for sure.
> > > > I assumed from the documentation that no filter meant the task would add the attribute for everything that could take a memberOf attribute. I did not realize it defaulted to inetuser. So I recreated the task with a filter of (objectClass=inetOrgPerson) but it still did not seem to work.
> > > >
> > > > I thought perhaps I was doing ldapmodify wrong (enter the parameters, double enter, then CTL D) so I edited the fixup-memberof.pl script according to Rich's instructions. It ran without error (by the way, it reflects the admin password when using -w - !!!). But still no success.
> > > >
> > > > Perhaps I am checking incorrectly. I did not expect to see memberOf listed as an attribute in the advanced console screen for the user since it is a managed attribute. But I did try to view it with an ldapsearch:
> > > It should be visible as an attribute you can add (provided your entry has "objectClass: inetUser")
> > > >
> > > > /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii memberOf
> > > >
> > > > Is this how I would check for success?
> > > >
> > > > There is nothing suspicious in the error log. I do have the audit log enabled. I see the creation and automatic deletion of the task but I do not see any changes to objects to add and populate the memberOf attribute. I'll paste in some excerpts below.
> > > >
> > > > What next?
> > > > Thanks - John
> > > >
> > > > time: 20090520221132
> > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > changetype: add
> > > > objectClass: top
> > > > objectClass: extensibleObject
> > > > cn: fixMemberOf
> > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > creatorsName: cn=xxxx
> > > > modifiersName: cn=xxx
> > > > createTimestamp: 20090521021132Z
> > > > modifyTimestamp: 20090521021132Z
> > > >
> > > > time: 20090520221333
> > > > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> > > > changetype: delete
> > > > modifiersname: cn=server,cn=plugins,cn=config
> > > >
> > > > time: 20090520222242
> > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > changetype: add
> > > > objectClass: top
> > > > objectClass: extensibleObject
> > > > cn: fixMemberOf
> > > > basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> > > > creatorsName: cn=xxxx
> > > > modifiersName: cn=xxxx
> > > > createTimestamp: 20090521022242Z
> > > > modifyTimestamp: 20090521022242Z
> > > >
> > > > time: 20090520222442
> > > > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> > > > changetype: delete
> > > > modifiersname: cn=server,cn=plugins,cn=config
> > > >
> > > > .
> > > > .
> > > > .
> > > > time: 20090521183523
> > > > dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
> > > > changetype: add
> > > > objectClass: top
> > > > objectClass: extensibleObject
> > > > cn: memberOf_fixup_2009_5_21_18_35_23
> > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > filter: (objectClass=inetOrgPerson)
> > > > creatorsName: cn=xxxx
> > > > modifiersName: cn=xxxx
> > > > createTimestamp: 20090521223523Z
> > > > modifyTimestamp: 20090521223523Z
> > > >
> > > > time: 20090521183724
> > > > dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
> > > > changetype: delete
> > > > modifiersname: cn=server,cn=plugins,cn=config
> > > >
> > > > time: 20090521185804
> > > > dn: cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
> > > > changetype: modify
> > > > replace: nsPreference
> > > > nsPreference:: IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
> > > >  dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
> > > > -
> > > > replace: modifiersname
> > > > modifiersname: cn=xxxxx
> > > > -
> > > > replace: modifytimestamp
> > > > modifytimestamp: 20090521225804Z
> > > > -
> > > >
> > > > On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote:
> > > > > 2009/5/21 John A. Sullivan III
> > > > > > Thank you, Andrey. I did do an updatedb and then locate - no fixup-member0f.pl - just template.fixup-memberOf.pl :-(
> > > > > It is very strange. Normally during the server installation the template should be converted to the "normal" perl script.
> > > > >
> > > > > Have you verified the configuration of the memberOf plugin, especially the arguments/attributes "memberofgroupattr" and "memberofattr"?
--
John A.
From andrey.ivanov at polytechnique.fr Tue May 26 07:38:03 2009 From: andrey.ivanov at polytechnique.fr (Andrey Ivanov) Date: Tue, 26 May 2009 09:38:03 +0200 Subject: [389-users] memberOf task problem In-Reply-To: <1243281750.6377.10.camel@jaspav.missionsit.net.missionsit.net> References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com> <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com> <1242993739.6380.14.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905221359g57624751k7b449341c4ff579d@mail.gmail.com> <1243281750.6377.10.camel@jaspav.missionsit.net.missionsit.net> Message-ID: <1601b8650905260038s3748b68bn7709a33e9f85e5b9@mail.gmail.com>
If it still doesn't work, it's a matter of the plug-in configuration and presence. Verify your dse.ldif. You should have something like

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.0
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: memberof plugin

The important parameters are:
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf

Other than that you may have the plug-in binaries missing...

2009/5/25 John A. Sullivan III
> Hmm . . .
this made perfect sense and I thought it would be the end of > my problems for sure. However, I added inetUser, ran fixup_memberof.pl > and still see no memberOf populated attribute even if I ask for it > explicitly: > > [root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b > "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" > -w - -h ldap01 uid=jasiii > Enter bind password: > version: 1 > dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > objectClass: posixAccount > objectClass: account > objectClass: posixgroup > objectClass: shadowaccount > objectClass: inetuser > physicalDeliveryOfficeName: Kennebunk > telephoneNumber: +1 (207) xxx-xxxx > mail: jsullivan at example.com > sn: Sullivan III > givenName: John A. > loginShell: /bin/bash > homeDirectory: /home/jasiii > gidNumber: 100001 > uidNumber: 100001 > cn: jasiii > uid: jasiii > userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg== > shadowLastChange: 14366 > l: Kennebunk > postalCode: 04043-XXXX > postOfficeBox: PO Box XXX > st: ME > [root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b > "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" > -w - -h ldap01 uid=jasiii memberOf > Enter bind password: > version: 1 > dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > > I then explicitly added the memberOf attribute to a user, created a > bogus group and added the user to the group. Still no memberOf. What > am I doing wrong? Thanks - John > > > On Fri, 2009-05-22 at 22:59 +0200, Andrey Ivanov wrote: > > > > > > 2009/5/22 John A. Sullivan III > > Ah, I did not do that as I thought the filter would make the > > change to > > users with objectClass inetOrgPerson. > > No. The filter just searches what you have in your directory > > > > > > I am virtually certain the users > > do not explicitly have inetUser as an object class. 
> > Are they supposed to?
> >
> > Yes. The set of the attributes that your entry can hold is defined by
> > the classes listed in "objectClass". And the attribute memberOf is
> > part of the "inetUser" objectClass.
> >
> > Is this done by default or is the need to add this object class to
> > all users in order to use memberOf missing from the documentation (or
> > overlooked by me!).
> >
> > No. It is not done by default, you need to add the "objectClass:
> > inetUser" (or any other objectClass containing the memberOf attribute)
> > to each user entry. You can make a small perl script that does for all
> > your users something like
> >
> > -------------
> > dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> > changetype: modify
> > add: objectClass
> > objectClass: inetUser
> > -------------
> >
> > You can test it with the GUI of the console for one or two user
> > entries just to be sure the attribute memberOf works as you wish...
> >
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > objectClass: account
> > objectClass: posixgroup
> > objectClass: shadowaccount
> >
> > The origin of your problem is the absence of "objectClass: inetUser"
> > necessary to add memberOf attribute to the entry...
> >
> > Thanks - John
> >
> > On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov wrote:
> > > Can you show me the result of
> > > /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii objectClass
> > >
> > > It will list all the objectClasses of your entry.
> > > If "objectClass: inetUser" is not present in the result of this search you
> > > should, as I said in the previous message, add this objectClass to all
> > > the entries you're going to manage with memberOf plug-in, smth like:
> > >
> > > dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> > > changetype: modify
> > > add: objectClass
> > > objectClass: inetUser
> > >
> > > Hope it helps.
> > >
> > > 2009/5/22 John A. Sullivan III
> > > > I'm starting to feel really stupid here - still not working.
> > > >
> > > > I thought the filter must be the problem for sure. I assumed from the
> > > > documentation that no filter meant the task would add the attribute for
> > > > everything that could take a memberOf attribute. I did not realize it
> > > > defaulted to inetuser. So I recreated the task with a filter of
> > > > (objectClass=inetOrgPerson) but it still did not seem to work.
> > > >
> > > > I thought perhaps I was doing ldapmodify wrong (enter the parameters,
> > > > double enter, then CTL D) so I edited the fixup-memberof.pl script
> > > > according to Rich's instructions. It ran without error (by the way, it
> > > > reflects the admin password when using -w - !!!). But still no success.
> > > >
> > > > Perhaps I am checking incorrectly. I did not expect to see memberOf
> > > > listed as an attribute in the advanced console screen for the user since
> > > > it is a managed attribute. But I did try to view it with an ldapsearch:
> > >
> > > It should be visible as an attribute you can add (provided your entry
> > > has "objectClass: inetUser")
> > >
> > > > /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=jasiii memberOf
> > > >
> > > > Is this how I would check for success?
> > > >
> > > > There is nothing suspicious in the error log.
I do > > have the > > > audit log > > > enabled. I see the creation and automatic deletion > > of the > > > task but I do > > > not see any changes to objects to add and populate > > the > > > memberOf > > > attribute. I'll paste in some excerpts below. > > > > > > What next? Thanks - John > > > > > > time: 20090520221132 > > > dn: cn=fixMemberOf,cn=memberof > > task,cn=tasks,cn=config > > > changetype: add > > > > > > objectClass: top > > > objectClass: extensibleObject > > > cn: fixMemberOf > > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > > > creatorsName: cn=xxxx > > > modifiersName: cn=xxx > > > createTimestamp: 20090521021132Z > > > modifyTimestamp: 20090521021132Z > > > > > > time: 20090520221333 > > > dn: cn=fixmemberof,cn=memberof > > task,cn=tasks,cn=config > > > changetype: delete > > > modifiersname: cn=server,cn=plugins,cn=config > > > > > > time: 20090520222242 > > > dn: cn=fixMemberOf,cn=memberof > > task,cn=tasks,cn=config > > > changetype: add > > > > > > objectClass: top > > > objectClass: extensibleObject > > > cn: fixMemberOf > > > basedn: > > ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > > > creatorsName: cn=xxxx > > > modifiersName: cn=xxxx > > > createTimestamp: 20090521022242Z > > > modifyTimestamp: 20090521022242Z > > > > > > time: 20090520222442 > > > dn: cn=fixmemberof,cn=memberof > > task,cn=tasks,cn=config > > > changetype: delete > > > modifiersname: cn=server,cn=plugins,cn=config > > > > > > . > > > . > > > . 
> > > time: 20090521183523 > > > dn: cn=memberOf_fixup_2009_5_21_18_35_23, > > cn=memberOf task, > > > cn=tasks, > > > cn=config > > > changetype: add > > > objectClass: top > > > objectClass: extensibleObject > > > cn: memberOf_fixup_2009_5_21_18_35_23 > > > basedn: o=Internal,dc=ssiservices,dc=biz > > > > > > filter: (objectClass=inetOrgPerson) > > > creatorsName: cn=xxxx > > > modifiersName: cn=xxxx > > > createTimestamp: 20090521223523Z > > > modifyTimestamp: 20090521223523Z > > > > > > time: 20090521183724 > > > dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof > > > task,cn=tasks,cn=config > > > > > > changetype: delete > > > modifiersname: cn=server,cn=plugins,cn=config > > > > > > time: 20090521185804 > > > dn: > > > > > cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou= > ssiservices.biz,o=netscaperoot > > > changetype: modify > > > replace: nsPreference > > > nsPreference:: > > > > > IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3 > > > > > > > > > dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg== > > > - > > > replace: modifiersname > > > modifiersname: cn=xxxxx > > > - > > > replace: modifytimestamp > > > modifytimestamp: 20090521225804Z > > > - > > > > > > > > > On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov > > wrote: > > > > > > > > > > > > 2009/5/21 John A. Sullivan III > > > > > > > Thank you, Andrey. I did do an updatedb > > and then > > > locate - no > > > > fixup-member0f.pl - just > > > template.fixup-memberOf.pl :-( > > > > It is very strange. Normally during the server > > installation > > > the > > > > template should be converted to the "normal" perl > > script. > > > > > > > > Have you verified the configuration of the > > memberOf plugin, > > > especially > > > > the arguments/attributes "memberofgroupattr" and > > > "memberofattr" ? 
> > > >
> > > > Unless I'm missing something, your ldapmodify looks just like mine
> > > > except for the cn (I believe the documentation says it can be called
> > > > anything) and I did not use a filter (again, I believe the documentation
> > > > says it is optional and our dit is still rather small).
> > > >
> > > > If you do not put the filter into the ldif then the default filter is
> > > > used: "(objectClass=inetuser)". Do all your user entries include this
> > > > objectClass (inetuser)? If not, you should add this objectClass to all
> > > > the entries where you want the memberOf attribute to appear.
> > > >
> > > > I did create a new group and add myself to it as you suggested (thank
> > > > you). Surprisingly, it did not appear to work. I did not see a
> > > > memberOf attribute populated for me. I then thought I would see if I
> > > > need to manually add that attribute to each user (I hope not!) and I did
> > > > not see memberOf as an attribute I could add to my user object.
> > > >
> > > > No. You should not add it manually, the memberOf attribute is
> > > > maintained automatically based on the group membership.
> > > >
> > > > Do you see any message in error log? There should be something about
> > > > the impossibility to write the memberof attribute I think.
> > > > If you cannot add this attribute manually to your entry it means that
> > > > your entry does not contain "objectClass: inetuser". Add this
> > > > objectClass to all the entries that should be "managed" by the plug-in
> > > > to allow the attribute memberOf to be written to those entries.
> > > >
> > > > I have verified that the plugin is defined in dse.ldif and it is
> > > > enabled. I also see memberOf defined in 20subscriber.ldif and did not
> > > > see anything in the documentation about needing to extend the schema.
> > > >
> > > > No, you don't need to extend the schema but you need to make sure that
> > > > your entries include the objectClass "inetuser":
> > > >
> > > > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
> > > > 'Auxiliary class which must be present in an entry for delivery of
> > > > subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
> > > > inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
> > > > subscriber interoperability' )
> > > >
> > > > So, at this point, I am still at a loss for what I did wrong. What do I
> > > > check next? Thanks - John
> > > >
> > > > Try to add the "objectClass: inetuser" to the entries concerned and
> > > > take a closer look at the "errors" log file.
> > > >
> > > > @+
> > > >
> > > > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> > > > > Hi,
> > > > >
> > > > > there are two things to be verified and/or taken into account:
> > > > > * the pair of the attributes that is maintained (the arguments
> > > > > "memberofgroupattr" and "memberofattr" of the plug-in)
> > > > > * presence of these two attributes in the classes of your users and
> > > > > groups
> > > > >
> > > > > To find fixup-memberof.pl try "locate fixup-memberof.pl".
> > > > > > > > > > To launch it manually you need to add > > something > > > like that > > > > to the > > > > > server (with ldapmodify) : > > > > > dn: > > cn=memberOf_fixup_2009_5_21_12_39_21, > > > cn=memberOf task, > > > > cn=tasks, > > > > > cn=config > > > > > changetype: add > > > > > objectclass: top > > > > > objectclass: extensibleObject > > > > > cn: memberOf_fixup_2009_5_21_12_39_21 > > > > > basedn: dc=example,dc=com > > > > > filter: (objectClass=inetOrgPerson) > > > > > > > > > > > > > > > As for your account, you may remove/add > > yourself > > > from a > > > > group to see > > > > > if it changes the memberof attribute. > > Verify the > > > objectClass > > > > of your > > > > > entry and make sure the attribute > > memberOf is an > > > optional > > > > attribute of > > > > > at least one of these objectClasses... > > > > > > > > > > > > > > > > > > > > 2009/5/21 John A. Sullivan III > > > > > > > > > Hello, all. We are in the > > process of > > > upgrading from > > > > 8.0 to > > > > > 8.1. We've > > > > > hit a few glitches along the way > > but most > > > has gone > > > > well. > > > > > However, we > > > > > wanted to implement the new > > memberOf > > > functionality. > > > > We > > > > > successfully > > > > > added the plugin by editing > > dse.ldif and > > > enabled it > > > > from the > > > > > console. > > > > > However, we've been unsuccessful > > in having > > > existing > > > > group > > > > > membership > > > > > assigned to the memberOf > > attribute. > > > > > > > > > > We first tried to run > > fixup-memberOf.pl > > > but the > > > > script does > > > > > not exist. > > > > > There is a > > template.fixup-memberOf.pl but > > > this does > > > > not seem > > > > > to have > > > > > been built into a final script. > > > > > > > > > > We then thought we would use the > > new task > > > feature of > > > > the > > > > > console. 
> > > > > We went to cn=memberof task,cn=tasks,cn=config and tried to
> > > > > create the task object. There was no nsDirectoryServerTask
> > > > > objectclass. We added an nstask but then found there was no basedn
> > > > > attribute we could add. We then created an extensibleobject instead
> > > > > but still no basedn attribute.
> > > > >
> > > > > Finally, we resorted to ldapmodify (we hesitated just because we are not
> > > > > very familiar with the command line tools). First, we did:
> > > > >
> > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: add
> > > > > objectclass: top
> > > > > objectclass: extensibleObject
> > > > > cn: fixMemberOf
> > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > >
> > > > > The Internal Organization has several organizations under it (for
> > > > > various clients) and then user organizational units under those
> > > > > organizations. Although it generated no errors, it did not seem to
> > > > > work. Perhaps I just don't know how to test it.
> > > > > However, the following did not return any memberOf data:
> > > > >
> > > > > /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf
> > > > >
> > > > > Doing /usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid
> > > > > showed me plenty of attributes but nothing for memberOf
> > > > >
> > > > > I also tried creating the task with a basedn of
> > > > > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
> > > > > change objects lower in the tree. Still no success.
> > > > >
> > > > > Finally I tried:
> > > > >
> > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: add
> > > > > objectclass: top
> > > > > objectclass: nsDirectoryServerTask
> > > > > cn: fixMemberOf
> > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > >
> > > > > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > ldap_add: Object class violation
> > > > > ldap_add: additional info: unknown object class "nsDirectoryServerTask"
> > > > >
> > > > > And received the expected unknown object class error.
> > > > >
> > > > > What are we doing wrong? Are these documentation bugs? Are there
> > > > > application bugs or do we simply not know what we are doing with tasks
> > > > > and memberOf? How do we get the memberOf information into our existing
> > > > > user objects? Thanks - John
> > > > >
> > > > > --
> > > > > John A.
> > > > > Sullivan III
> > > > > Open Source Development Corporation
> > > > > +1 207-985-7880
> > > > > jsullivan at opensourcedevel.com
> > > > > http://www.spiritualoutreach.com
> > > > > Making Christianity intelligible to secular society
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > --
> > John A.
> > Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part -------------- An HTML attachment was scrubbed... URL:
From david.donnan at thalesgroup.com Tue May 26 09:27:42 2009 From: david.donnan at thalesgroup.com (David (Dave) Donnan) Date: Tue, 26 May 2009 11:27:42 +0200 Subject: [389-users] posixGroup In-Reply-To: <4A15756D.1020205@stroeder.com> References: <4A1543EB.4080401@infinet.ru> <1242910676.6381.10.camel@jaspav.missionsit.net.missionsit.net> <4A155352.7010609@infinet.ru> <4A15576E.1050709@stroeder.com> <4A155AEA.6050404@infinet.ru> <4A157132.6070208@stroeder.com> <4A15756D.1020205@stroeder.com> Message-ID: <4A1BB60E.6070705@thalesgroup.com>
Michel, hello and thanks for your participation in this newsgroup.

The first URL doesn't work for me. Mozilla's logo keeps spinning and I suspect it will eventually timeout.

Thanks again, Dave

Michael Ströder wrote:
> Michael Ströder wrote:
>
>> There are various clients which claim to have good support for POSIX
>> account data. I have some doubts including maintaining the POSIX account
>> data with my own web2ldap if you don't have enough knowledge.
>> > > For those of you who want to just try web2ldap on a posixAccount entry > hit this URL and play around with it: > > http://demo.web2ldap.de:1760/web2ldap?ldap://ldap.uninett.no/uid%3Dvenaas%2Ccn%3Dusers%2Ccn%3Dposix%2Cdc%3Duninett%2Cdc%3Dno??base > > Obviously there's no write access there but you can look at how web2ldap > handles different LDIF templates and HTML snippet templates for object > classes when displaying the entry or when generating input forms. > > And you can try the group administration UI. It also lets you select > group entries in a select list for the primary group (attribute > gidNumber) of a posixAccount entry. The latter is done with the help of > a web2ldap plugin class. > > More notes on customizing the UI: > http://web2ldap.de/usability.html > > Ciao, Michael. > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jsullivan at opensourcedevel.com Tue May 26 10:43:02 2009 From: jsullivan at opensourcedevel.com (John A. 
Sullivan III) Date: Tue, 26 May 2009 06:43:02 -0400 Subject: [389-users] memberOf task problem In-Reply-To: <1601b8650905260038s3748b68bn7709a33e9f85e5b9@mail.gmail.com> References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com> <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com> <1242993739.6380.14.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905221359g57624751k7b449341c4ff579d@mail.gmail.com> <1243281750.6377.10.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905260038s3748b68bn7709a33e9f85e5b9@mail.gmail.com> Message-ID: <1243334582.6379.6.camel@jaspav.missionsit.net.missionsit.net>
Very interesting. The shipping dse.ldif which the instructions say to use as a template to edit the 8.0 dse.ldif has memberofgroupattr: member

dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginpath: libmemberof-plugin
nsslapd-plugininitfunc: memberof_postop_init
nsslapd-plugintype: postoperation
nsslapd-pluginenabled: off
nsslapd-plugin-depends-on-type: database
memberOfGroupAttr: member
memberOfAttr: memberOf

When I changed it to uniqueMember, it worked!

So it looks like there are several issues/errors/bugs in the instructions and procedures for upgrading from 8.0 to 8.1:
1. The memberOf plugin is enabled by default and needs to be manually enabled (not really a bug but it is mentioned nowhere in the docs that I saw)
2. One must manually add the inetuser to each object with which one wishes to use the plugin. This does not appear to be a default objectClass for user creation - at least in 8.0
3. One must change the default memberofgroupattr from member to uniqueMember
4. The fixup-memberof.pl script is not generated from the template.

Thanks very much for your help - John

On Tue, 2009-05-26 at 09:38 +0200, Andrey Ivanov wrote:
> If it still doesn't work, it's a matter of the plug-in configuration
> and presence. Verify your dse.ldif. You should have something like
>
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginPath: libmemberof-plugin
> nsslapd-pluginInitfunc: memberof_postop_init
> nsslapd-pluginType: postoperation
> nsslapd-pluginEnabled: on
> nsslapd-plugin-depends-on-type: database
> memberofgroupattr: uniqueMember
> memberofattr: memberOf
> nsslapd-pluginId: memberof
> nsslapd-pluginVersion: 1.2.0
> nsslapd-pluginVendor: Fedora Project
> nsslapd-pluginDescription: memberof plugin
>
> The important parameters are:
> nsslapd-pluginEnabled: on
> memberofgroupattr: uniqueMember
> memberofattr: memberOf
>
> Other than that you may have the plug-in binaries missing...
>
> 2009/5/25 John A. Sullivan III
> Hmm . . . this made perfect sense and I thought it would be the end of
> my problems for sure. However, I added inetUser, ran fixup_memberof.pl
> and still see no memberOf populated attribute even if I ask for it
> explicitly:
>
> [root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap01 uid=jasiii
> Enter bind password:
> version: 1
> dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: account
> objectClass: posixgroup
> objectClass: shadowaccount
> objectClass: inetuser
> physicalDeliveryOfficeName: Kennebunk
> telephoneNumber: +1 (207) xxx-xxxx
> mail: jsullivan at example.com
> sn: Sullivan III
> givenName: John A.
> loginShell: /bin/bash > homeDirectory: /home/jasiii > gidNumber: 100001 > uidNumber: 100001 > cn: jasiii > uid: jasiii > userPassword: {SSHA}p5K8zhxQYqkjCXmu617H2DtnDKDgnom3qTgQAg== > shadowLastChange: 14366 > l: Kennebunk > postalCode: 04043-XXXX > postOfficeBox: PO Box XXX > st: ME > [root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b > "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D > "cn=Directory Manager" -w - -h ldap01 uid=jasiii memberOf > Enter bind password: > version: 1 > dn: > uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > > > I then explicitly added the memberOf attribute to a user, > created a > bogus group and added the user to the group. Still no > memberOf. What > am I doing wrong? Thanks - John > > > > On Fri, 2009-05-22 at 22:59 +0200, Andrey Ivanov wrote: > > > > > > 2009/5/22 John A. Sullivan III > > > Ah, I did not do that as I thought the filter would > make the > > change to > > users with objectClass inetOrgPerson. > > No. The filter just searches what you have in your directory > > > > > > I am virtually certain the users > > do not explicitly have inetUser as an object class. > Are they > > supposed > > to? > > Yes. The set of the attributes that your entry can hold is > defined by > > the classes listed in "objectClass". And the attribute > memberOf is > > part of the "inetUser" objectClass. > > > > Is this done by default or is the need to add this > object > > class to > > all users in order to use memberOf missing from the > > documentation (or > > overlooked by me!). > > No. It is not done by default, you need to add the > "objectClass: > > inetUser" (or any other objectClass containing the memberOf > attribute) > > to each user entry. 
You can make a small perl script that > does for all > > your users something like > > > > ------------- > > dn: > uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > > changetype: add > > objectclass: inetUser > > ------------- > > > > > > You can test it with the GUI of the console for one or two > user > > entries just to be sure the attribute memberOf works as you > wish... > > > > > > > > > > objectClass: top > > objectClass: person > > objectClass: organizationalPerson > > objectClass: inetOrgPerson > > objectClass: posixAccount > > objectClass: account > > objectClass: posixgroup > > objectClass: shadowaccount > > The origin of your problem is the absence of "objectClass: > inetUser" > > necessary to add memberOf attribute to the entry... > > > > > > > > Thanks - John > > > > > > On Fri, 2009-05-22 at 08:31 +0200, Andrey Ivanov > wrote: > > > Can you show me the result of > > > /usr/lib64/mozldap/ldapsearch -b > > > "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" > -D > > "cn=Directory > > > Manager" -w - -h ldap uid=jasiii objectClass > > > > > > It will list all the objectClasses of your entry. > If > > "objectClass: > > > inetUser" is not present in the result of this > search you > > should, as i > > > said in the previous message, add this objectClass > to all > > the entries > > > you're going to manage with memberOf plug-in, smth > like: > > > > > > dn: > > > uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz > > > changetype: add > > > objectclass: inetUser > > > > > > > > > Hope it helps . > > > > > > > > > > > > 2009/5/22 John A. Sullivan III > > > > > I'm starting to feel really stupid here - > still not > > working. > > > > > > I thought the filter must be the problem > for sure. > > I assumed > > > from the > > > documentation that no filter meant the > task would > > add the > > > attribute for > > > everything that could take a memberOf > attribute. I > > did not > > > realize it > > > defaulted to inetuser. 
> > > > > So I recreated the task with a filter of
> > > > > (objectClass=inetOrgPerson) but it still did not seem to work.
> > > > >
> > > > > I thought perhaps I was doing ldapmodify wrong (enter the parameters,
> > > > > double enter, then CTL D) so I edited the fixup-memberof.pl script
> > > > > according to Rich's instructions. It ran without error (by the way, it
> > > > > reflects the admin password when using -w - !!!). But still no success.
> > > > >
> > > > > Perhaps I am checking incorrectly. I did not expect to see memberOf
> > > > > listed as an attribute in the advanced console screen for the user since
> > > > > it is a managed attribute. But I did try to view it with an ldapsearch:
> > > > It should be visible as an attribute you can add (provided your entry
> > > > has "objectClass: inetUser")
> > > >
> > > > > /usr/lib64/mozldap/ldapsearch -b
> > > > > "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> > > > > Manager" -w - -h ldap uid=jasiii memberOf
> > > > >
> > > > > Is this how I would check for success?
> > > > >
> > > > > There is nothing suspicious in the error log. I do have the audit log
> > > > > enabled. I see the creation and automatic deletion of the task but I do
> > > > > not see any changes to objects to add and populate the memberOf
> > > > > attribute. I'll paste in some excerpts below.
> > > > >
> > > > > What next?
> > > > > Thanks - John
> > > > >
> > > > > time: 20090520221132
> > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: add
> > > > > objectClass: top
> > > > > objectClass: extensibleObject
> > > > > cn: fixMemberOf
> > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > > creatorsName: cn=xxxx
> > > > > modifiersName: cn=xxx
> > > > > createTimestamp: 20090521021132Z
> > > > > modifyTimestamp: 20090521021132Z
> > > > >
> > > > > time: 20090520221333
> > > > > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: delete
> > > > > modifiersname: cn=server,cn=plugins,cn=config
> > > > >
> > > > > time: 20090520222242
> > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: add
> > > > > objectClass: top
> > > > > objectClass: extensibleObject
> > > > > cn: fixMemberOf
> > > > > basedn: ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
> > > > > creatorsName: cn=xxxx
> > > > > modifiersName: cn=xxxx
> > > > > createTimestamp: 20090521022242Z
> > > > > modifyTimestamp: 20090521022242Z
> > > > >
> > > > > time: 20090520222442
> > > > > dn: cn=fixmemberof,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: delete
> > > > > modifiersname: cn=server,cn=plugins,cn=config
> > > > >
> > > > > .
> > > > > .
> > > > > .
> > > > > time: 20090521183523
> > > > > dn: cn=memberOf_fixup_2009_5_21_18_35_23, cn=memberOf task, cn=tasks, cn=config
> > > > > changetype: add
> > > > > objectClass: top
> > > > > objectClass: extensibleObject
> > > > > cn: memberOf_fixup_2009_5_21_18_35_23
> > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > > filter: (objectClass=inetOrgPerson)
> > > > > creatorsName: cn=xxxx
> > > > > modifiersName: cn=xxxx
> > > > > createTimestamp: 20090521223523Z
> > > > > modifyTimestamp: 20090521223523Z
> > > > >
> > > > > time: 20090521183724
> > > > > dn: cn=memberof_fixup_2009_5_21_18_35_23,cn=memberof task,cn=tasks,cn=config
> > > > > changetype: delete
> > > > > modifiersname: cn=server,cn=plugins,cn=config
> > > > >
> > > > > time: 20090521185804
> > > > > dn: cn=general,ou=1.1,ou=console,ou=cn=xxxxx,ou=userpreferences,ou=ssiservices.biz,o=netscaperoot
> > > > > changetype: modify
> > > > > replace: nsPreference
> > > > > nsPreference:: IwojVGh1IE1heSAyMSAxODo1ODowNSBFRFQgMjAwOQpXaWR0aD0xMjgwClNob3
> > > > >  dTdGF0dXNCYXI9dHJ1ZQpTaG93QmFubmVyQmFyPXRydWUKWT0wCkhlaWdodD03NjkKWD0wCg==
> > > > > -
> > > > > replace: modifiersname
> > > > > modifiersname: cn=xxxxx
> > > > > -
> > > > > replace: modifytimestamp
> > > > > modifytimestamp: 20090521225804Z
> > > > > -
> > > > >
> > > > > On Thu, 2009-05-21 at 15:59 +0200, Andrey Ivanov wrote:
> > > > > > 2009/5/21 John A. Sullivan III
> > > > > > > Thank you, Andrey. I did do an updatedb and then locate - no
> > > > > > > fixup-member0f.pl - just template.fixup-memberOf.pl :-(
> > > > > > It is very strange. Normally during the server installation the
> > > > > > template should be converted to the "normal" perl script.
> > > > > >
> > > > > > Have you verified the configuration of the memberOf plugin, especially
> > > > > > the arguments/attributes "memberofgroupattr" and "memberofattr" ?
> > > > > > > Unless I'm missing something, your ldapmodify looks just like mine
> > > > > > > except for the cn (I believe the documentation says it can be called
> > > > > > > anything) and I did not use a filter (again, I believe the documentation
> > > > > > > says it is optional and our dit is still rather small).
> > > > > > If you do not put the filter into the ldif then the default filter is
> > > > > > used : "(objectClass=inetuser)". Do all your user entries include this
> > > > > > objectClass (inetuser)? If not, you should add this objectClass to all
> > > > > > the entries where you want the memberOf attribute to appear.
> > > > > >
> > > > > > > I did create a new group and add myself to it as you suggested (thank
> > > > > > > you). Surprisingly, it did not appear to work. I did not see a
> > > > > > > memberOf attribute populated for me. I then thought I would see if I
> > > > > > > need to manually add that attribute to each user (I hope not!) and I did
> > > > > > > not see memberOf as an attribute I could add to my user object.
> > > > > > No. You should not add it manually, the memberOf attribute is
> > > > > > maintained automatically based on the group membership.
> > > > > >
> > > > > > Do you see any message in error log? There should be something about
> > > > > > the impossibility to write the memberof attribute I think.
> > > > > > If you cannot add this attribute manually to your entry it means that
> > > > > > your entry does not contain "objectClass: inetuser". Add this
> > > > > > objectClass to all the entries that should be "managed" by the plug-in
> > > > > > to allow the attribute memberOf to be written to those entries.
> > > > > > > I have verified that the plugin is defined in dse.ldif and it is
> > > > > > > enabled. I also see memberOf defined in 20subscriber.ldif and did not
> > > > > > > see anything in the documentation about needing to extend the schema.
> > > > > > No, you don't need to extend the schema but you need to make sure that
> > > > > > your entries include the objectClass "inetuser":
> > > > > >
> > > > > > objectClasses: ( 2.16.840.1.113730.3.2.130 NAME 'inetUser' DESC
> > > > > > 'Auxiliary class which must be present in an entry for delivery of
> > > > > > subscriber services' SUP top AUXILIARY MAY ( uid $ inetUserStatus $
> > > > > > inetUserHTTPURL $ userPassword $ memberOf ) X-ORIGIN 'Netscape
> > > > > > subscriber interoperability' )
> > > > > >
> > > > > > > So, at this point, I am still at a loss for what I did wrong. What do I
> > > > > > > check next? Thanks - John
> > > > > > Try to add the "objectClass: inetuser" to the entries concerned and
> > > > > > take a closer look to the "errors" log file.
> > > > > >
> > > > > > @+
> > > > > >
> > > > > > > On Thu, 2009-05-21 at 12:59 +0200, Andrey Ivanov wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > there are two things to be verified and/or taken into account:
> > > > > > > > * the pair of the attributes that is maintained (the arguments
> > > > > > > >   "memberofgroupattr" and "memberofattr" of the plug-in)
> > > > > > > > * presence of these two attributes in the classes of your users and
> > > > > > > >   groups
> > > > > > > >
> > > > > > > > To find fixup-memberof.pl try "locate fixup-memberof.pl".
> > > > > > > > To launch it manually you need to add something like that to the
> > > > > > > > server (with ldapmodify) :
> > > > > > > > dn: cn=memberOf_fixup_2009_5_21_12_39_21, cn=memberOf task, cn=tasks, cn=config
> > > > > > > > changetype: add
> > > > > > > > objectclass: top
> > > > > > > > objectclass: extensibleObject
> > > > > > > > cn: memberOf_fixup_2009_5_21_12_39_21
> > > > > > > > basedn: dc=example,dc=com
> > > > > > > > filter: (objectClass=inetOrgPerson)
> > > > > > > >
> > > > > > > > As for your account, you may remove/add yourself from a group to see
> > > > > > > > if it changes the memberof attribute. Verify the objectClass of your
> > > > > > > > entry and make sure the attribute memberOf is an optional attribute of
> > > > > > > > at least one of these objectClasses...
> > > > > > > >
> > > > > > > > 2009/5/21 John A. Sullivan III
> > > > > > > > > Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
> > > > > > > > > hit a few glitches along the way but most has gone well. However, we
> > > > > > > > > wanted to implement the new memberOf functionality. We successfully
> > > > > > > > > added the plugin by editing dse.ldif and enabled it from the console.
> > > > > > > > > However, we've been unsuccessful in having existing group membership
> > > > > > > > > assigned to the memberOf attribute.
> > > > > > > > >
> > > > > > > > > We first tried to run fixup-memberOf.pl but the script does not exist.
> > > > > > > > > There is a template.fixup-memberOf.pl but this does not seem to have
> > > > > > > > > been built into a final script.
> > > > > > > > >
> > > > > > > > > We then thought we would use the new task feature of the console.
> > > > > > > > > We went to cn=memberof task,cn=tasks,cn=config and tried to create the
> > > > > > > > > task object. There was no nsDirectoryServerTask objectclass. We added
> > > > > > > > > an nstask but then found there was no basedn attribute we could add.
> > > > > > > > > We then created an extensibleobject instead but still no basedn
> > > > > > > > > attribute.
> > > > > > > > >
> > > > > > > > > Finally, we resorted to ldapmodify (we hesitated just because we are
> > > > > > > > > not very familiar with the command line tools). First, we did:
> > > > > > > > >
> > > > > > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > > > > > changetype: add
> > > > > > > > > objectclass: top
> > > > > > > > > objectclass: extensibleObject
> > > > > > > > > cn: fixMemberOf
> > > > > > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > > > > > >
> > > > > > > > > The Internal Organization has several organizations under it (for
> > > > > > > > > various clients) and then user organizational units under those
> > > > > > > > > organizations. Although it generated no errors, it did not seem to
> > > > > > > > > work. Perhaps I just don't know how to test it.
> > > > > > > > > However, the following did not return any memberOf data:
> > > > > > > > >
> > > > > > > > > /usr/lib64/mozldap/ldapsearch -b
> > > > > > > > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> > > > > > > > > Manager" -w - -h ldap uid=myid memberOf
> > > > > > > > >
> > > > > > > > > Doing /usr/lib64/mozldap/ldapsearch -b
> > > > > > > > > "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory
> > > > > > > > > Manager" -w - -h ldap uid=myid
> > > > > > > > > showed me plenty of attributes but nothing for memberOf
> > > > > > > > >
> > > > > > > > > I also tried creating the task with a basedn of
> > > > > > > > > ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
> > > > > > > > > change objects lower in the tree. Still no success.
> > > > > > > > >
> > > > > > > > > Finally I tried:
> > > > > > > > >
> > > > > > > > > dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > > > > > changetype: add
> > > > > > > > > objectclass: top
> > > > > > > > > objectclass: nsDirectoryServerTask
> > > > > > > > > cn: fixMemberOf
> > > > > > > > > basedn: o=Internal,dc=ssiservices,dc=biz
> > > > > > > > >
> > > > > > > > > adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
> > > > > > > > > ldap_add: Object class violation
> > > > > > > > > ldap_add: additional info: unknown object class "nsDirectoryServerTask"
> > > > > > > > >
> > > > > > > > > And received the expected unknown object class error.
> > > > > > > > >
> > > > > > > > > What are we doing wrong? Are these documentation bugs? Are there
> > > > > > > > > application bugs or do we simply not know what we are doing with tasks
> > > > > > > > > and memberOf? How do we get the memberOf information into our existing
> > > > > > > > > user objects? Thanks - John
>

-- John A.
Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From daniel.cruz at sc.senai.br Tue May 26 13:32:49 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Tue, 26 May 2009 10:32:49 -0300
Subject: [389-users] Where are the 1.2.0 rpms?
Message-ID: <77278e18c6202108e4dd22b07583d4d3@intranet.sc.senai.br>

Sorry, I didn't find any rpm for 1.2.0... Where are they?

Regards,
--
Daniel Cristian Cruz
Database Administrator
Direção Regional - Núcleo de Tecnologia da Informação
SENAI - SC
Telephone: 48-3239-1422 (ext. 1422)

From rmeggins at redhat.com Tue May 26 14:21:48 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 26 May 2009 08:21:48 -0600
Subject: [389-users] Where are the 1.2.0 rpms?
In-Reply-To: <77278e18c6202108e4dd22b07583d4d3@intranet.sc.senai.br>
References: <77278e18c6202108e4dd22b07583d4d3@intranet.sc.senai.br>
Message-ID: <4A1BFAFC.60704@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> Sorry,
>
> I didn't find any rpm for 1.2.0...
>
> Where are they?
What platform?
> Regards,
>
> Daniel Cristian Cruz
> Database Administrator
> Direção Regional - Núcleo de Tecnologia da Informação
> SENAI - SC
> Telephone: 48-3239-1422 (ext. 1422)
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
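For the memberOf thread above (John A. Sullivan III and Andrey Ivanov), an added example that is not code from the posters or from the 389/Fedora Directory Server project: it parses ldapsearch-style LDIF, reports which entries a fixup task would actually populate for a given basedn and filter (defaulting to the "(objectClass=inetuser)" filter Andrey cites), and emits the ldapmodify input that adds inetUser plus the task entry in the thread's form. SAMPLE_LDIF and the uid=example1 entry are constructed; only a single (attr=value) equality filter is evaluated.

```python
"""Pre-flight check for the memberOf fixup task discussed in the thread.
Added example, not code from any poster or from the 389 Directory Server
project; SAMPLE_LDIF is constructed for it and only a simple (attr=value)
filter is evaluated, which is the form the thread uses."""
import re

# Classes whose schema allows memberOf; inetUser is the one quoted from
# 20subscriber.ldif in the thread.  A site may add its own class here.
MEMBEROF_CLASSES = {"inetuser"}

# Constructed: an entry shaped like jasiii (no inetUser) and one with it.
SAMPLE_LDIF = """\
dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jasiii

dn: uid=example1,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: inetUser
uid: example1
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] from ldapsearch-style LDIF; folded
    lines (leading space) are joined, 'version:' and '#' lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        value = value.lstrip(": ")  # also drops the second ':' of base64 values
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def allows_memberof(attrs):
    """True when some objectClass of the entry permits memberOf."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    return bool(classes & MEMBEROF_CLASSES)

def matches_filter(attrs, filt):
    """Case-insensitive evaluation of one '(attr=value)' equality filter."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt.strip())
    if not m:
        raise ValueError("only a simple (attr=value) filter is supported")
    name, value = m.group(1).lower(), m.group(2).lower()
    return value in {v.lower() for v in attrs.get(name, [])}

def in_scope(dn, basedn):
    """True when dn is basedn itself or lies below it."""
    dn, basedn = dn.lower(), basedn.lower()
    return dn == basedn or dn.endswith("," + basedn)

def fixup_report(entries, basedn, filt="(objectClass=inetuser)"):
    """Classify entries as the task sees them: 'writable' (selected and able to
    hold memberOf), 'unwritable' (selected, but no class allows memberOf, so
    the server cannot write it) or 'unselected' (outside basedn or filter)."""
    report = {"writable": [], "unwritable": [], "unselected": []}
    for dn, attrs in entries:
        if not (in_scope(dn, basedn) and matches_filter(attrs, filt)):
            report["unselected"].append(dn)
        elif allows_memberof(attrs):
            report["writable"].append(dn)
        else:
            report["unwritable"].append(dn)
    return report

def add_inetuser_ldif(dns):
    """ldapmodify input adding objectClass inetUser to entries that already
    exist, hence 'changetype: modify' with an 'add:' change."""
    return "\n".join(
        "dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: inetUser\n"
        % dn for dn in dns)

def fixup_task_ldif(basedn, filt, stamp):
    """One-shot task entry under cn=tasks,cn=config in the thread's form;
    stamp is (year, month, day, hour, minute, second) for the task cn."""
    cn = "memberOf_fixup_" + "_".join(str(x) for x in stamp)
    return ("dn: cn=%s,cn=memberOf task,cn=tasks,cn=config\nchangetype: add\n"
            "objectclass: top\nobjectclass: extensibleObject\ncn: %s\n"
            "basedn: %s\nfilter: %s\n" % (cn, cn, basedn, filt))
```

Running fixup_report on the sample with the default filter lists jasiii as unselected, and with "(objectClass=inetOrgPerson)" as unwritable, which is the pair of silent failure modes the thread walks through.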
From rmeggins at redhat.com Tue May 26 14:23:01 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 26 May 2009 08:23:01 -0600
Subject: [389-users] Fedora-DS Multi Master "no such replica"
In-Reply-To: <200905232245.n4NMjX120607@lina.ing-steen.se>
References: <200905232245.n4NMjX120607@lina.ing-steen.se>
Message-ID: <4A1BFB45.2060407@redhat.com>

Peter Steen wrote:
> Hello Folks!
>
> I am setting up two fedora-ds servers, let's call them server one and server two at two different locations, both need to be in sync at all times, they keep config for sendmail, dbmail and horde-imp.
>
> Both fedora-ds setups are identical except hostnames.
>
> I have added several schemas in server one, in order to handle sendmail, dbmail and horde + imp. All is working 100%.
>
> Setting up replication with inspiration from http://directory.fedoraproject.org/wiki/Howto:WalkthroughMultimasterSSL and http://www.linuxjournal.com/article/9517 ends up with an error at the next to last stage of the Linux Journal guide.
>
> Server one is source and server two is "consumer" in the first attempt to initialize server two from server one.
>
> The result is:
> The consumer initialization has unsuccessfully completed.
> The error recieved by the replica is: 6 replication error aquiring replica replica: no such replica.
>
> In logfiles I can see on server one that it tries, logfiles at server two say something, but I can not see server one actually login.
> When doing the telnet test between server one and server two I can access the LDAP servers at port 389
> Also I can do ldapsearch between the two servers without any problem at all.
>
> I am stuck here.
>
> Is schema:s not replicated or what can it be ?
Can you post some relevant excerpts from the error and access logs?
> Thank you in advance!
> Regards //
> // Peter Steen

From daniel.cruz at sc.senai.br Tue May 26 14:26:20 2009
From: daniel.cruz at sc.senai.br (DANIEL CRISTIAN CRUZ)
Date: Tue, 26 May 2009 11:26:20 -0300
Subject: [389-users] Where are the 1.2.0 rpms?
In-Reply-To: <4A1BFAFC.60704@redhat.com>
Message-ID: <602ae1737c1bfa7c7ed2a2429f99e810@intranet.sc.senai.br>

"Rich Megginson" wrote:
> What platform?

RedHat ES 5.2 and Fedora 8,9,10.

--
Daniel Cristian Cruz
Database Administrator
Direção Regional - Núcleo de Tecnologia da Informação
SENAI - SC
Telephone: 48-3239-1422 (ext. 1422)

From rmeggins at redhat.com Tue May 26 14:42:29 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 26 May 2009 08:42:29 -0600
Subject: [389-users] Where are the 1.2.0 rpms?
In-Reply-To: <602ae1737c1bfa7c7ed2a2429f99e810@intranet.sc.senai.br>
References: <602ae1737c1bfa7c7ed2a2429f99e810@intranet.sc.senai.br>
Message-ID: <4A1BFFD5.7000908@redhat.com>

DANIEL CRISTIAN CRUZ wrote:
> "Rich Megginson" wrote:
>
>> What platform?
>>
>
> RedHat ES 5.2 and Fedora 8,9,10.
>
http://directory.fedoraproject.org/wiki/Download

Fedora 8 is no longer supported
5.2 is no longer supported - you must upgrade to 5.3
If you have not done a Fedora upgrade since the re-keying was done, you
will have to do an upgrade to get the new rpm keys and yum repo config
> --
> Daniel Cristian Cruz
> Database Administrator
> Direção Regional - Núcleo de Tecnologia da Informação
> SENAI - SC
> Telephone: 48-3239-1422 (ext. 1422)
>
From nkinder at redhat.com Tue May 26 17:15:56 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 26 May 2009 10:15:56 -0700
Subject: [389-users] memberOf task problem
In-Reply-To: <1243334582.6379.6.camel@jaspav.missionsit.net.missionsit.net>
References: <1242873940.6379.91.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210359v2396b049q226e6b26682e0b78@mail.gmail.com> <1242905598.6381.6.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905210659l29c1ef67u3d2f8e208248afe8@mail.gmail.com> <1242947840.6381.89.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905212331s340ca567wdf2e42cc57f3036a@mail.gmail.com> <1242993739.6380.14.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905221359g57624751k7b449341c4ff579d@mail.gmail.com> <1243281750.6377.10.camel@jaspav.missionsit.net.missionsit.net> <1601b8650905260038s3748b68bn7709a33e9f85e5b9@mail.gmail.com> <1243334582.6379.6.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4A1C23CC.206@redhat.com>

John A. Sullivan III wrote:
> Very interesting. The shipping dse.ldif which the instructions say to
> use as a template to edit the 8.0 dse.ldif has memberofgroupattr: member
>
> dn: cn=MemberOf Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> cn: MemberOf Plugin
> nsslapd-pluginpath: libmemberof-plugin
> nsslapd-plugininitfunc: memberof_postop_init
> nsslapd-plugintype: postoperation
> nsslapd-pluginenabled: off
> nsslapd-plugin-depends-on-type: database
> memberOfGroupAttr: member
> memberOfAttr: memberOf
>
> When I changed it to uniqueMember, it worked!
>
> So it looks like there are several issues/errors/bugs in the
> instructions and procedures for upgrading from 8.0 to 8.1
>
> 1. The memberOf plugin is enabled by default and needs to be
>    manually enabled (not really a bug but it is mentioned nowhere
>    in the docs that I saw)
> 2. One must manually add the inetuser to each object with which one
>    wishes to use the plugin. This does not appear to be a default
>    objectClass for user creation - at least in 8.0
It all depends on how you provision your users, and what attributes you
are using (they don't have to be "member" and "memberOf"). It is up to
the administrator to use the proper objectclass that allows the attribute
defined as the "memberOfAttr" config value in the member entries.
> 3. One must change the default memberofgroupattr from member to
>    uniqueMember
This is going to depend on the attribute you use to define grouping.
Some use the "groupOfNames" objectclass for a group entry, which uses
the "member" attribute to define members. It appears that you are using
"groupOfUniqueNames", which uses "uniqueMember". The memberOf plug-in
allows you to use whatever attributes you want for both the grouping
attribute as well as the membership attribute. In fact, the plug-in
could be used for things completely unrelated to membership.
> 4. The fixup-memberof.pl script is not generated from the template.
Yes, this appears to be a bug related to in-place upgrades. Please file
a bug on this.
> Thanks very much for your help - John
>
> On Tue, 2009-05-26 at 09:38 +0200, Andrey Ivanov wrote:
>> If it still doesn't work, it's a matter of the plug-in configuration
>> and presence. Verify your dse.ldif.
>> You should have something like
>>
>> dn: cn=MemberOf Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: nsSlapdPlugin
>> objectClass: extensibleObject
>> cn: MemberOf Plugin
>> nsslapd-pluginPath: libmemberof-plugin
>> nsslapd-pluginInitfunc: memberof_postop_init
>> nsslapd-pluginType: postoperation
>> nsslapd-pluginEnabled: on
>> nsslapd-plugin-depends-on-type: database
>> memberofgroupattr: uniqueMember
>> memberofattr: memberOf
>> nsslapd-pluginId: memberof
>> nsslapd-pluginVersion: 1.2.0
>> nsslapd-pluginVendor: Fedora Project
>> nsslapd-pluginDescription: memberof plugin
>>
>> The important parameters are :
>> nsslapd-pluginEnabled: on
>> memberofgroupattr: uniqueMember
>> memberofattr: memberOf
>>
>> Other than that you may have the plug-in binaries missing...
>>
>> 2009/5/25 John A. Sullivan III
>>> Hmm . . . this made perfect sense and I thought it would be the end of
>>> my problems for sure. However, I added inetUser, ran fixup_memberof.pl
>>> and still see no memberOf populated attribute even if I ask for it
>>> explicitly:
>>>
>>> [root at ldap01 ~]# /usr/lib64/mozldap/ldapsearch -b
>>> "ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz" -D
>>> "cn=Directory Manager" -w - -h ldap01 uid=jasiii
>>> Enter bind password:
>>> version: 1
>>> dn: uid=jasiii,ou=Desks,o=a100,o=Internal,dc=ssiservices,dc=biz
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: account
>>> objectClass: posixgroup
>>> objectClass: shadowaccount
>>> objectClass: inetuser
>>> physicalDeliveryOfficeName: Kennebunk
>>> telephoneNumber: +1 (207) xxx-xxxx
>>> mail: jsullivan at example.com
>>> sn: Sullivan III
>>> givenName: John A.
>> > > > >> > > > @+ >> > > > >> > > > >> > > > >> > > > >> > > > >> > > > On Thu, 2009-05-21 at 12:59 >> +0200, Andrey >> > Ivanov >> > > wrote: >> > > > > Hi, >> > > > > >> > > > > there are two things to be >> verified >> > and/or taken >> > > into >> > > > account: >> > > > > * the pair of the attributes >> that is >> > maintained >> > > (the >> > > > arguments >> > > > > "memberofgroupattr" and >> "memberofattr" >> > of the >> > > plug-in) >> > > > > * presence of these two >> attributes in >> > the classes >> > > of your >> > > > users and >> > > > > groups >> > > > > >> > > > > To find fixup-memberof.pl try >> "locate >> > > fixup-memberof.pl". >> > > > > >> > > > > To launch it manually you >> need to add >> > something >> > > like that >> > > > to the >> > > > > server (with ldapmodify) : >> > > > > dn: >> > cn=memberOf_fixup_2009_5_21_12_39_21, >> > > cn=memberOf task, >> > > > cn=tasks, >> > > > > cn=config >> > > > > changetype: add >> > > > > objectclass: top >> > > > > objectclass: extensibleObject >> > > > > cn: >> memberOf_fixup_2009_5_21_12_39_21 >> > > > > basedn: dc=example,dc=com >> > > > > filter: >> (objectClass=inetOrgPerson) >> > > > > >> > > > > >> > > > > As for your account, you may >> remove/add >> > yourself >> > > from a >> > > > group to see >> > > > > if it changes the memberof >> attribute. >> > Verify the >> > > objectClass >> > > > of your >> > > > > entry and make sure the >> attribute >> > memberOf is an >> > > optional >> > > > attribute of >> > > > > at least one of these >> objectClasses... >> > > > > >> > > > > >> > > > > >> > > > > 2009/5/21 John A. Sullivan III >> > > > >> > > > > Hello, all. We are in >> the >> > process of >> > > upgrading from >> > > > 8.0 to >> > > > > 8.1. We've >> > > > > hit a few glitches >> along the way >> > but most >> > > has gone >> > > > well. >> > > > > However, we >> > > > > wanted to implement >> the new >> > memberOf >> > > functionality. 
>> > > > We >> > > > > successfully >> > > > > added the plugin by >> editing >> > dse.ldif and >> > > enabled it >> > > > from the >> > > > > console. >> > > > > However, we've been >> unsuccessful >> > in having >> > > existing >> > > > group >> > > > > membership >> > > > > assigned to the >> memberOf >> > attribute. >> > > > > >> > > > > We first tried to run >> > fixup-memberOf.pl >> > > but the >> > > > script does >> > > > > not exist. >> > > > > There is a >> > template.fixup-memberOf.pl but >> > > this does >> > > > not seem >> > > > > to have >> > > > > been built into a >> final script. >> > > > > >> > > > > We then thought we >> would use the >> > new task >> > > feature of >> > > > the >> > > > > console. We >> > > > > went to cn=memberof >> > > task,cn=tasks,cn=config and >> > > > tried to >> > > > > create the task >> > > > > object. There was no >> > > nsDirectoryServerTask >> > > > objectclass. We >> > > > > added an >> > > > > nstask but then found >> there was >> > no basedn >> > > attribute >> > > > we could >> > > > > add. We >> > > > > then created an >> extensibleobject >> > instead >> > > but still >> > > > not basedn >> > > > > attribute. >> > > > > >> > > > > Finally, we resorted >> to >> > ldapmodify (we >> > > hesitated >> > > > just because >> > > > > we are not >> > > > > very familiar with the >> command >> > line >> > > tools). First, >> > > > we did: >> > > > > >> > > > > dn: >> cn=fixMemberOf,cn=memberof >> > > > task,cn=tasks,cn=config >> > > > > changetype: add >> > > > > objectclass: top >> > > > > objectclass: >> extensibleObject >> > > > > cn: fixMemberOf >> > > > > basedn: >> > o=Internal,dc=ssiservices,dc=biz >> > > > > >> > > > > The Internal >> Organization has >> > several >> > > organizations >> > > > under it >> > > > > (for >> > > > > various clients) and >> then user >> > > organizational units >> > > > under >> > > > > those >> > > > > organizations. 
>> Although it >> > generated no >> > > errors, it >> > > > did not >> > > > > seem to >> > > > > work. Perhaps I just >> don't know >> > how to >> > > test it. >> > > > However, the >> > > > > following >> > > > > did not return an >> memberOf data: >> > > > > >> > > > > >> /usr/lib64/mozldap/ldapsearch -b >> > > > > >> > > > >> > > >> > >> "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D >> > > > > "cn=Directory >> > > > > Manager" -w - -h ldap >> uid=myid >> > memberOf >> > > > > >> > > > > >> > Doing /usr/lib64/mozldap/ldapsearch -b >> > > > > >> > > > >> > > >> > >> "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D >> > > > > "cn=Directory >> > > > > Manager" -w - -h ldap >> uid=myid >> > > > > showed me plenty of >> attributes >> > but nothing >> > > for >> > > > memberOf >> > > > > >> > > > > I also tried creating >> the task >> > with a >> > > basedn of >> > > > > >> > > >> ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz >> > > > in case it >> > > > > did not >> > > > > change objects lower >> in the >> > tree. Still >> > > no success. >> > > > > >> > > > > Finally I tried: >> > > > > >> > > > > dn: >> cn=fixMemberOf,cn=memberof >> > > > task,cn=tasks,cn=config >> > > > > changetype: add >> > > > > objectclass: top >> > > > > objectclass: >> > nsDirectoryServerTask >> > > > > cn: fixMemberOf >> > > > > basedn: >> > o=Internal,dc=ssiservices,dc=biz >> > > > > >> > > > > adding new entry >> > > cn=fixMemberOf,cn=memberof >> > > > > >> task,cn=tasks,cn=config >> > > > > ldap_add: Object class >> violation >> > > > > ldap_add: additional >> info: >> > unknown object >> > > class >> > > > > >> "nsDirectoryServerTask" >> > > > > >> > > > > And received the >> expected >> > unknown object >> > > class >> > > > error. >> > > > > >> > > > > What are we doing >> wrong? Are >> > these >> > > documentation >> > > > bugs? 
Are >> > > > > there >> > > > > application bugs or do >> we simply >> > not know >> > > what we >> > > > are doing >> > > > > with tasks >> > > > > and memberOf? How do >> we get the >> > memberOf >> > > information >> > > > into our >> > > > > existing >> > > > > user objects? Thanks - >> John >> > > > > >> > > > > >> > > From edlinuxguru at gmail.com Tue May 26 21:55:37 2009 From: edlinuxguru at gmail.com (Edward Capriolo) Date: Tue, 26 May 2009 17:55:37 -0400 Subject: [389-users] Best practice for user / group authentication In-Reply-To: <839336.41388.qm@web111908.mail.gq1.yahoo.com> References: <839336.41388.qm@web111908.mail.gq1.yahoo.com> Message-ID: On Fri, May 22, 2009 at 5:16 PM, Dumbo Q wrote: > Thank you for the quick reply. > I also have a question about the posix groups. > To create a user in ds, the idm-console has a form which is quite easy.? I > can also use this to create "Groups", but they are not unix groups. I assume > these are simply to keep organized all the users. > > To add a unix group i have to create->new->other, and choose posix group. > Then i manually pick the gidnumber.? It does not seem to matter where i > place this posix group.? My first thought is that it is going to get very > messy trying to keep track of each users posixgroup. > secondly, does this seem like a good plan for authentication structure > below. > > UnixGroups > ??? \- all posix groups here. > People > ??? \- Vendors > ??????? \- CompanyA > ??????? \- CompanyB > ??? \- Staff > ??????? \- Accounting > ??????? \- SysAd > ??????? \- Development > ??????? \- YadaYada. > > But then how would i say? users in companyb can only login to some hosts? > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > I use 'pam groupdn' /etc/ldap.conf pam_groupdn cn=hadoop,ou=hosts,dc=yourdomain,dc=com This allows you to create an object with a list of users dn's that can log in. 
You can also use netgroups but this way is clean and has very little
configuration. You can also set a login group in sshd_config. But then each
of your machines will have a different sshd_config.

-Regards
Edward

From d.alexander at lse.ac.uk Wed May 27 15:08:55 2009
From: d.alexander at lse.ac.uk (Derek Alexander)
Date: Wed, 27 May 2009 16:08:55 +0100
Subject: [389-users] notifications?
Message-ID: <4A1D5787.6070107@lse.ac.uk>

Hi,

Does FDS support notifications of any kind?

Specifically I'm looking for a way to receive notifications when a new user entry
is added to the directory.

Cheers,
Derek

Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.lse.ac.uk/collections/secretariat/legal/disclaimer.htm

From beyonddc.storage at gmail.com Wed May 27 15:12:57 2009
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Wed, 27 May 2009 11:12:57 -0400
Subject: [389-users] notifications?
In-Reply-To: <4A1D5787.6070107@lse.ac.uk>
References: <4A1D5787.6070107@lse.ac.uk>
Message-ID: <20e4c38c0905270812o7516e50fw86b2a97ca0379d39@mail.gmail.com>

Hi Derek,

FDS supports persistent search. For more information, you can check out
http://directory.fedoraproject.org/wiki/Howto:Persistent_search

- David

On Wed, May 27, 2009 at 11:08 AM, Derek Alexander wrote:
> Hi,
>
> Does FDS support notifications of any kind?
>
> Specifically I'm looking for a way to receive notifications when a new user
> entry is added to the directory.
>
> Cheers,
> Derek
From d.alexander at lse.ac.uk Wed May 27 16:00:24 2009
From: d.alexander at lse.ac.uk (Derek Alexander)
Date: Wed, 27 May 2009 17:00:24 +0100
Subject: [389-users] notifications?
In-Reply-To: <20e4c38c0905270812o7516e50fw86b2a97ca0379d39@mail.gmail.com>
References: <4A1D5787.6070107@lse.ac.uk> <20e4c38c0905270812o7516e50fw86b2a97ca0379d39@mail.gmail.com>
Message-ID: <4A1D6398.8010906@lse.ac.uk>

Thanks David.

Seems like it may be possible to use that feature from a Java JNDI based client but I
haven't come across any straightforward example from a quick Google search.

Will investigate further but in the meantime, if anyone has an example of using this
Persistent Search feature via the Java JNDI API that they can share, it would be
appreciated.

Regards,
Derek

Chun Tat David Chu wrote:
> Hi Derek,
>
> FDS supports persistent search. For more information, you can check out
> http://directory.fedoraproject.org/wiki/Howto:Persistent_search
>
> - David

From beyonddc.storage at gmail.com Thu May 28 16:54:22 2009
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 28 May 2009 12:54:22 -0400
Subject: [389-users] notifications?
In-Reply-To: <4A1D6398.8010906@lse.ac.uk>
References: <4A1D5787.6070107@lse.ac.uk> <20e4c38c0905270812o7516e50fw86b2a97ca0379d39@mail.gmail.com> <4A1D6398.8010906@lse.ac.uk>
Message-ID: <20e4c38c0905280954m7c972498p1873b08e2297fe23@mail.gmail.com>

Hi Derek,

There shouldn't be a problem using JNDI event notification capability to
receive events from Fedora Directory. I have used it before.
There's a tutorial on Sun's website.
http://java.sun.com/products/jndi/tutorial/beyond/event/index.html

David

On Wed, May 27, 2009 at 12:00 PM, Derek Alexander wrote:
> Thanks David.
>
> Seems like it may be possible to use that feature from a Java JNDI based
> client but I haven't come across any straightforward example from a quick
> Google search.
>
> Will investigate further but in the meantime, if anyone has an example of
> using this Persistent Search feature via the Java JNDI API that they can
> share, it would be appreciated.
>
> Regards,
> Derek

From d.alexander at lse.ac.uk Fri May 29 08:21:32 2009
From: d.alexander at lse.ac.uk (Derek Alexander)
Date: Fri, 29 May 2009 09:21:32 +0100
Subject: [389-users] notifications?
In-Reply-To: <20e4c38c0905280954m7c972498p1873b08e2297fe23@mail.gmail.com>
References: <4A1D5787.6070107@lse.ac.uk> <20e4c38c0905270812o7516e50fw86b2a97ca0379d39@mail.gmail.com> <4A1D6398.8010906@lse.ac.uk> <20e4c38c0905280954m7c972498p1873b08e2297fe23@mail.gmail.com>
Message-ID: <4A1F9B0C.3080502@lse.ac.uk>

Thanks, I'd missed that.

Derek

Chun Tat David Chu wrote:
> Hi Derek,
>
> There shouldn't be a problem using JNDI event notification capability to
> receive events from Fedora Directory. I have used it before.
> There's a tutorial on Sun's website.
> http://java.sun.com/products/jndi/tutorial/beyond/event/index.html
>
> David
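The kind of JNDI client Derek was asking for, as an added example that is not part of the thread and not code from the 389/Fedora Directory project: a NamespaceChangeListener registered on the people subtree, which the JDK's LDAP provider implements with the persistent search control David mentioned, so the server pushes each added, deleted or renamed user entry over one long-lived connection instead of the client polling. The server URL, bind DN, base DN, filter and the WATCHER_PASSWORD environment variable are placeholders to replace with your own; the bind account only needs read access to the subtree, since the listener never writes.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.event.EventDirContext;
import javax.naming.event.NamespaceChangeListener;
import javax.naming.event.NamingEvent;
import javax.naming.event.NamingExceptionEvent;

/**
 * Reports user entries added, removed or renamed under a people subtree.
 * addNamingListener() on the LDAP provider issues a persistent search
 * (control 2.16.840.1.113730.3.3), so events arrive as the server makes
 * the change; the connection stays open for the life of the listener.
 */
public class NewUserWatcher implements NamespaceChangeListener {

    // Placeholder values: substitute your own server, bind DN and subtree.
    static final String PROVIDER_URL = "ldaps://ldap.example.com:636/";
    static final String BIND_DN = "cn=entry-watcher,ou=services,dc=example,dc=com";
    static final String PEOPLE_BASE = "ou=People,dc=example,dc=com";
    // Only user entries are of interest; other additions under the subtree are ignored.
    static final String USER_FILTER = "(objectClass=inetOrgPerson)";

    /** One event per entry the server reports as added under PEOPLE_BASE. */
    @Override
    public void objectAdded(NamingEvent evt) {
        // The binding name is relative to the context the listener was registered on.
        System.out.println("ADD    " + evt.getNewBinding().getName() + "," + PEOPLE_BASE);
    }

    /** Deletions are worth recording too: a removed account is also an audit event. */
    @Override
    public void objectRemoved(NamingEvent evt) {
        System.out.println("DELETE " + evt.getOldBinding().getName() + "," + PEOPLE_BASE);
    }

    @Override
    public void objectRenamed(NamingEvent evt) {
        System.out.println("MODDN  " + evt.getOldBinding().getName()
                + " -> " + evt.getNewBinding().getName());
    }

    /**
     * Fired when the persistent search dies (connection lost, server restarted,
     * control rejected). The listener is then gone and must be registered again.
     */
    @Override
    public void namingExceptionThrown(NamingExceptionEvent evt) {
        System.err.println("persistent search ended: " + evt.getException());
    }

    public static void main(String[] args) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        // The password is read from the environment, not embedded in source or argv.
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("WATCHER_PASSWORD"));

        // InitialDirContext itself is not an EventDirContext; lookup() hands back
        // the provider's own context object, which is.
        DirContext root = new InitialDirContext(env);
        EventDirContext people = (EventDirContext) root.lookup(PEOPLE_BASE);

        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        NewUserWatcher watcher = new NewUserWatcher();
        // "" names the context itself; the filter limits events to matching entries.
        people.addNamingListener("", USER_FILTER, ctls, watcher);
        System.out.println("watching " + PEOPLE_BASE + " for user entry changes");

        // Events are delivered on a provider-managed thread; deregister cleanly on exit.
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            try {
                people.removeNamingListener(watcher);
                people.close();
                root.close();
            } catch (NamingException e) {
                // shutting down anyway
            }
        }));
        Thread.currentThread().join();   // keep the main thread alive until interrupted
    }
}
```

Run it with `WATCHER_PASSWORD=... java NewUserWatcher`; adding an inetOrgPerson entry under the watched base with ldapmodify produces an ADD line within the same second. Two practical points: the filter is evaluated server-side, so the watcher only ever sees entries it is allowed to read, and because the search lives on a single connection, anything that breaks that connection ends the notifications silently apart from the namingExceptionThrown callback, which a production watcher should treat as a signal to reconnect and re-register.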