From muzzol at muzzol.com Mon Jan 4 08:53:47 2010
From: muzzol at muzzol.com (muzzol)
Date: Mon, 4 Jan 2010 09:53:47 +0100
Subject: [389-users] certificate with subjectAltName
Message-ID: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com>

hi,

i've created a cert request with "-8" parameter (subjectAltName), signed with my own openssl CA and installed on a 389 node.

when i perform an ldapsearch with TLS (-ZZ) i get

TLS: hostname (ldap.example.com) does not match common name in certificate (node1.example.com).

i've double checked all steps but no success.

any advice?

regards.

--
========================
   ^ ^
   O O
  (_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers. They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and Catalans; let's see when it decides to talk to normal people" Jiménez Losantos
========================
bomb terrorism bush aznar teletubbies

From kenneho.ndu at gmail.com Mon Jan 4 09:07:48 2010
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Mon, 4 Jan 2010 10:07:48 +0100
Subject: [389-users] ADS <==> FedoraDS <==> Linux/Unix Clients?
In-Reply-To: <6239e2930912290841t389170a1u5212a952fdfc63a7@mail.gmail.com>
References: <6239e2930912290841t389170a1u5212a952fdfc63a7@mail.gmail.com>
Message-ID:

Hi.

We're currently working on a similar setup.

Regarding your first question: Using the Windows Sync plugin on the FDS you sync specific users from AD over to FDS. Just move your sysadmin users to an LDAP organization unit (OU), and sync that over to FDS. Next, you'll need to add posix attributes (user ID, group ID, home directory, etc) to these users on the FDS side. You can create simple scripts for doing this.
In our setup, we're going to use groups defined on the AD side as basis for NIS netgroups on linux, so that we can control access to and sudo privileges on linux servers based on these groups. This adds to the complexity, but lets us manage users and access from the AD side.

When you delete a user on the AD side, it will get deleted on the FDS side too.

Regards,
Kenneth Holter

On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina wrote:
>
> I have a certain query regarding the following structure:
> Code:
>
> Active Directory Server
>           ||
>           ||
> Fedora Directory Server <=> Client(Linux | Fedora | Ubuntu | Solaris | HP)
>
> Let me explain what I want:
>
> 1. There is a company Active Directory Server under domain intinfra.com. As of now there are limited Windows Desktop Machines under that domain. I have a few Linux / Unix Machines which I want to authenticate through ADS (which are presently not under ADS). Why? Because every time I need to delete the users whenever they leave the project. That's cumbersome.
>
> So what I want is to set up Fedora DS (wonder if we can do that without Fedora DS). Now I can ads join to Fedora DS (I have administrative privileges for ADS). What I really want to know is:
>
> If I join Fedora DS to ADS then all employees can login to the Linux Machines through their login credentials. I don't want that to happen. We have 3000 employees in the intinfra Domain but we are only 30 Admins. I only want those 30-40 admins to be able to login. Is it possible to restrict this at the FedoraDS level?
>
> 2. Say I joined ADS and Fedora DS, and say after 30 days one of the System Admins left the company, so his name will be removed from ADS. Is it possible that ADS and Fedora DS are synchronized in such a way that a user whose name gets deleted in ADS gets deleted too from Fedora? Does Fedora DS have the capability to synchronize to ADS every time?
>
> Please suggest.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From ajeetraina at gmail.com Mon Jan 4 11:40:59 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Mon, 4 Jan 2010 17:10:59 +0530
Subject: [389-users] ADS <==> FedoraDS <==> Linux/Unix Clients?
In-Reply-To:
References: <6239e2930912290841t389170a1u5212a952fdfc63a7@mail.gmail.com>
Message-ID: <6239e2931001040340j7b01bejc4f04ef41969a046@mail.gmail.com>

Hello Kenneho,

Thanks for the quick response. I appreciate your helpful words on these queries.
I would be thankful if you can provide me with the tutorials or documents or links which you followed for the same setup.

May I know what should be the approach for syncing ADS to Fedora DS?
Any step by step approach for the sa

On Mon, Jan 4, 2010 at 2:37 PM, Kenneth Holter wrote:
> Hi.
>
> We're currently working on a similar setup.
>
> Regarding your first question: Using the Windows Sync plugin on the FDS you sync specific users from AD over to FDS. Just move your sysadmin users to an LDAP organization unit (OU), and sync that over to FDS. Next, you'll need to add posix attributes (user ID, group ID, home directory, etc) to these users on the FDS side. You can create simple scripts for doing this. In our setup, we're going to use groups defined on the AD side as basis for NIS netgroups on linux, so that we can control access to and sudo privileges on linux servers based on these groups. This adds to the complexity, but lets us manage users and access from the AD side.
>
> When you delete a user on the AD side, it will get deleted on the FDS side too.
>
> Regards,
> Kenneth Holter
>
> On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina wrote:
>>
>> I have a certain query regarding the following structure:
>> Code:
>>
>> Active Directory Server
>>           ||
>>           ||
>> Fedora Directory Server <=> Client(Linux | Fedora | Ubuntu | Solaris | HP)
>>
>> Let me explain what I want:
>>
>> 1. There is a company Active Directory Server under domain intinfra.com. As of now there are limited Windows Desktop Machines under that domain. I have a few Linux / Unix Machines which I want to authenticate through ADS (which are presently not under ADS). Why? Because every time I need to delete the users whenever they leave the project. That's cumbersome.
>>
>> So what I want is to set up Fedora DS (wonder if we can do that without Fedora DS). Now I can ads join to Fedora DS (I have administrative privileges for ADS). What I really want to know is:
>>
>> If I join Fedora DS to ADS then all employees can login to the Linux Machines through their login credentials. I don't want that to happen. We have 3000 employees in the intinfra Domain but we are only 30 Admins. I only want those 30-40 admins to be able to login. Is it possible to restrict this at the FedoraDS level?
>>
>> 2. Say I joined ADS and Fedora DS, and say after 30 days one of the System Admins left the company, so his name will be removed from ADS. Is it possible that ADS and Fedora DS are synchronized in such a way that a user whose name gets deleted in ADS gets deleted too from Fedora? Does Fedora DS have the capability to synchronize to ADS every time?
>>
>> Please suggest.
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
"It is not possible to rescue everyone who is caught in the Windows quicksand
--Make sure you are on solid Linux ground before trying."
From kenneho.ndu at gmail.com Mon Jan 4 12:55:26 2010
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Mon, 4 Jan 2010 13:55:26 +0100
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server
In-Reply-To: <20091230213811.GV17169@bakgwai.americas.hpqcorp.net>
References: <20091230213811.GV17169@bakgwai.americas.hpqcorp.net>
Message-ID:

Thanks for all the replies.

We're running Puppet to manage files on our linux servers, so assuming that Puppet consistently distributes /etc/sudoers (we'll maintain only one copy of this file) to our linux servers, we in a way will have a centralized setup of sudoers, much like using an LDAP. So to me, the main difference between the two approaches, as far as I can tell, is simply whether we store sudo information in /etc/sudoers format or in LDAP/LDIF format. And I must admit that /etc/sudoers seems like the best choice.

From the responses I've got so far I can't see any major issues with the /etc/sudoers approach, as long as we can ensure that Puppet will do its job.

Regards,
Kenneth

On Wed, Dec 30, 2009 at 10:38 PM, wrote:
> On Tue, 29 Dec 2009, Kenneth Holter wrote:
>
>> We're working on setting up Red Hat Directory Server (RHDS), and need to make a decision about whether sudo information should be defined as sudo-objects in the directory server, or if we should stick to /etc/sudoers. I've played around with sudo-objects in the directory server, and got it working. But the way I see it, maintaining sudo information in /etc/sudoers is much easier than to maintain it in a directory server. In the latter case, I'd either have to use the GUI, or write scripts/ldif files to make necessary changes to the sudo setup, and they both seem less intuitive than to simply edit the /etc/sudoers file.
>>
>> I'd very much like to hear from others on their thoughts on whether to maintain sudo information in /etc/sudoers or in the directory server, so please feel free to post a reply.
>
> I know I'm stating the obvious here, and feel the need to mention that there's absolutely nothing directly RHDS or 389-related about your question, but you did ask...
>
> As with anything LDAP-related, you need to decide whether you want centralization or the status quo. It seems you already know the benefits to using LDAP (make changes in one place, replicate it everywhere) and the drawbacks (it's not a simple matter of editing a sudoers file), as well as the benefits of not using LDAP (flat, easy-to-read text files and no learning curve or additional tools involved).
>
> Personally, given more than one machine to administer, I'd go LDAP every time, but I've been bitten too many times by inconsistencies, and I'm familiar enough with doing it the LDAP way that it's no big deal to me. I like being able to make one change in one place and know that it's instantly taking effect on every box I want it to, without question, every time. To me, consistency is a *huge* part of good security, and that's easier to accomplish when you're changing one thing in one place, rather than (in my case) changing one thing in a few thousand places.
>
> That's just my situation, though, and I'm sure yours is different. Given that you already seem to know the pros and cons, it's really just a matter of deciding what's important to you, and then making the appropriate decision.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
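The thread above weighs /etc/sudoers against sudo-objects in the directory. As an added example (not code from the 389 project or from anyone on the list), the Python below shows what the same information looks like in each format: it maps sudoers user specifications, including netgroup ("+name") rules, onto sudoRole LDIF entries as documented in sudoers.ldap(5), refuses per-command tag changes that a single sudoRole cannot express, and flags passwordless ALL rules before they are loaded; the base DN ou=SUDOers,dc=example,dc=com, the sample rules and the ruleNN entry names are assumptions.

```python
"""Map /etc/sudoers user specifications onto sudoRole LDIF entries (added
example, not 389 project code; attribute names follow sudoers.ldap(5); the
base DN, the sample rules and the "ruleNN" names are assumptions)."""
import re
from dataclasses import dataclass, field

# Constructed sample sudoers: "+name" is a netgroup, "%name" a UNIX group.
SAMPLE_SUDOERS = """
Defaults    requiretty
# the netgroup gets full, passwordless sudo on every host
+netgroup-linux-admins  ALL=(ALL) NOPASSWD: ALL
%webops     web01,web02=(root) /usr/sbin/service httpd restart, /bin/cat /var/log/httpd/*
alice       ALL=(ALL:ALL) ALL
"""

# users  hosts = (runas_users[:runas_groups])  [TAG:] cmd[, [TAG:] cmd ...]
SPEC_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
# command tags that have a sudoOption equivalent
TAG_TO_OPTION = {"NOPASSWD": "!authenticate", "PASSWD": "authenticate", "NOEXEC": "noexec",
                 "EXEC": "!noexec", "SETENV": "setenv", "NOSETENV": "!setenv"}

@dataclass
class SudoRule:
    cn: str
    users: list
    hosts: list
    runas_users: list = field(default_factory=list)
    runas_groups: list = field(default_factory=list)
    commands: list = field(default_factory=list)
    options: list = field(default_factory=list)

def parse_user_spec(line, cn):
    """Parse one sudoers user specification (aliases already expanded)."""
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    rule = SudoRule(cn, m["users"].split(","), m["hosts"].split(","))
    if m["runas"] is not None:  # no Runas_Spec means "root" in both formats
        ru, _, rg = m["runas"].partition(":")
        rule.runas_users = [u for u in ru.split(",") if u]
        rule.runas_groups = [g for g in rg.split(",") if g]
    tags = []  # a sudoers tag stays in force for the commands that follow it
    for cmd in (c.strip() for c in m["rest"].split(",")):
        words = cmd.split()
        while words and words[0].endswith(":") and words[0][:-1] in TAG_TO_OPTION:
            tags = tags + [TAG_TO_OPTION[words.pop(0)[:-1]]]
        if not words:
            raise ValueError(f"{cn}: tag without a command in {line!r}")
        # sudoOption applies to the whole role; a tag that changes between
        # commands cannot be expressed in a single sudoRole entry
        if rule.commands and tags != rule.options:
            raise ValueError(f"{cn}: tags differ between commands; split the rule")
        rule.options = list(tags)
        rule.commands.append(" ".join(words))
    return rule

def convert_sudoers(text):
    """Turn every user specification in a sudoers text into SudoRule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        if line.split()[0] in ("User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias"):
            # sudoRole has no alias concept; aliases must be expanded first
            raise NotImplementedError(f"alias lines are not converted: {line!r}")
        rules.append(parse_user_spec(line, f"rule{len(rules) + 1:02d}"))
    return rules

def to_ldif(rule, base_dn="ou=SUDOers,dc=example,dc=com"):
    """Render one SudoRule as an LDIF entry suitable for ldapadd."""
    lines = [f"dn: cn={rule.cn},{base_dn}", "objectClass: top",
             "objectClass: sudoRole", f"cn: {rule.cn}"]
    for attr, values in (("sudoUser", rule.users), ("sudoHost", rule.hosts),
                         ("sudoRunAsUser", rule.runas_users),
                         ("sudoRunAsGroup", rule.runas_groups),
                         ("sudoCommand", rule.commands),
                         ("sudoOption", rule.options)):
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"

def lint(rule):
    """Warnings worth reading before the entry is loaded into the directory."""
    warnings = []
    for cmd in rule.commands:
        path = cmd.lstrip("!").split()[0]
        if path != "ALL" and not path.startswith("/"):
            warnings.append(f"{rule.cn}: command {cmd!r} is not an absolute path")
    if "!authenticate" in rule.options and "ALL" in rule.commands:
        warnings.append(f"{rule.cn}: passwordless ALL for {','.join(rule.users)}")
    return warnings

if __name__ == "__main__":
    for rule in convert_sudoers(SAMPLE_SUDOERS):
        print(to_ldif(rule))
        for warning in lint(rule):
            print("# WARNING:", warning)
```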
From kenneho.ndu at gmail.com Mon Jan 4 13:40:30 2010
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Mon, 4 Jan 2010 14:40:30 +0100
Subject: [389-users] ADS <==> FedoraDS <==> Linux/Unix Clients?
In-Reply-To: <6239e2931001040340j7b01bejc4f04ef41969a046@mail.gmail.com>
References: <6239e2930912290841t389170a1u5212a952fdfc63a7@mail.gmail.com>
	<6239e2931001040340j7b01bejc4f04ef41969a046@mail.gmail.com>
Message-ID:

Well, I don't have any documentation on the posix/netgroup type of scripts. But I can try to outline our approach:

In the AD LDAP tree, we have created an organizational unit (OU) named "linux" (or something like that). Under this OU we have two OUs, named "users" and "groups". Under these OUs we've moved all users and groups that are to be synced over to our Red Hat Directory Server (RHDS, which is basically the same as FDS).

On the RHDS, we've done this: Using the Windows Sync (http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html) plugin, we've defined that all entries under the "linux" OU on AD should be synced over to RHDS. Windows Sync basically copies those entries from AD.

In addition, we have a few scripts running on the RHDS server. One script adds posix attributes to users that have been synced over from AD to RHDS. Another script populates NIS netgroups based on AD groups. Let me explain: Say we have an AD group called "linux-admins", and that it's placed under the "groups" OU (as explained above) and is thus synced over to the RHDS. On the RHDS side, we have a similar NIS netgroup called for example "netgroup-linux-admins". Our script reads the "linux-admins" membership info, and makes sure that the "netgroup-linux-admins" is updated with the same membership info. This way we can rely on the AD admins to manage group memberships on the RHDS side.
The NIS netgroup information can then be used for defining which groups of users can access which groups of servers (note that we're going to put server names into netgroups too), by configuring PAM to allow access based on netgroup membership. For example, we can define that users that are members of "netgroup-linux-admins" will have access to all servers. Furthermore, we can use the same netgroups to define sudo privileges for groups of users. For the "netgroup-linux-admins", they will typically be given full sudo access on all servers.

I hope this made some sense. Let me know if you want me to elaborate on some of the points.

Btw, the most relevant info I've found on setting this thing up is the RHDS manuals (http://www.redhat.com/docs/manuals/dir-server/), and the 389 web site.

- Kenneth

On Mon, Jan 4, 2010 at 12:40 PM, Ajeet S Raina wrote:
> Hello Kenneho,
>
> Thanks for the quick response. I appreciate your helpful words on these queries.
> I would be thankful if you can provide me with the tutorials or documents or links which you followed for the same setup.
>
> May I know what should be the approach for syncing ADS to Fedora DS?
> Any step by step approach for the sa
>
> On Mon, Jan 4, 2010 at 2:37 PM, Kenneth Holter wrote:
>> Hi.
>>
>> We're currently working on a similar setup.
>>
>> Regarding your first question: Using the Windows Sync plugin on the FDS you sync specific users from AD over to FDS. Just move your sysadmin users to an LDAP organization unit (OU), and sync that over to FDS. Next, you'll need to add posix attributes (user ID, group ID, home directory, etc) to these users on the FDS side. You can create simple scripts for doing this. In our setup, we're going to use groups defined on the AD side as basis for NIS netgroups on linux, so that we can control access to and sudo privileges on linux servers based on these groups. This adds to the complexity, but lets us manage users and access from the AD side.
>>
>> When you delete a user on the AD side, it will get deleted on the FDS side too.
>>
>> Regards,
>> Kenneth Holter
>>
>> On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina wrote:
>>>
>>> I have a certain query regarding the following structure:
>>> Code:
>>>
>>> Active Directory Server
>>>           ||
>>>           ||
>>> Fedora Directory Server <=> Client(Linux | Fedora | Ubuntu | Solaris | HP)
>>>
>>> Let me explain what I want:
>>>
>>> 1. There is a company Active Directory Server under domain intinfra.com. As of now there are limited Windows Desktop Machines under that domain. I have a few Linux / Unix Machines which I want to authenticate through ADS (which are presently not under ADS). Why? Because every time I need to delete the users whenever they leave the project. That's cumbersome.
>>>
>>> So what I want is to set up Fedora DS (wonder if we can do that without Fedora DS). Now I can ads join to Fedora DS (I have administrative privileges for ADS). What I really want to know is:
>>>
>>> If I join Fedora DS to ADS then all employees can login to the Linux Machines through their login credentials. I don't want that to happen. We have 3000 employees in the intinfra Domain but we are only 30 Admins. I only want those 30-40 admins to be able to login. Is it possible to restrict this at the FedoraDS level?
>>>
>>> 2. Say I joined ADS and Fedora DS, and say after 30 days one of the System Admins left the company, so his name will be removed from ADS. Is it possible that ADS and Fedora DS are synchronized in such a way that a user whose name gets deleted in ADS gets deleted too from Fedora? Does Fedora DS have the capability to synchronize to ADS every time?
>>>
>>> Please suggest.
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> "It is not possible to rescue everyone who is caught in the Windows quicksand
> --Make sure you are on solid Linux ground before trying."
>

From rmeggins at redhat.com Mon Jan 4 15:58:50 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 08:58:50 -0700
Subject: [389-users] Looking for some advise
In-Reply-To:
References:
Message-ID: <4B42103A.2010902@redhat.com>

Scott Kaminski wrote:
> From what I've seen FreeIPA has a major drawback at present, it doesn't work on EL without hacking.
Check with the IPA guys about this.
> Also from what I've seen it requires Fedora 10, which as I understand is moving into unsupported status already.
No, it should not require Fedora 10
>
> -Scott
>
>
> On Mon, Dec 21, 2009 at 7:04 PM, Doug Chapman wrote:
>
>     checkout http://freeipa.org/page/Main_Page
>
>     On Mon, Dec 21, 2009 at 5:46 PM, Scott Kaminski wrote:
>
>         Hello,
>
>         I'm trying to set up a simple Kerberos/LDAP solution instead of going down the NIS route and I haven't had much luck. I have a mix of around 30 CentOS 5 and 4 machines. I want to use 389 as my directory server. Is anyone aware of a complete howto on how to set this up using 389?
>
>         Also I was wondering if someone could clarify the relationship between kerberos and ldap? I've got a functional kerberos and ldap server running on two vm's and I've set up one server as the primary kdc and admin server and configured it to replicate the kerberos data. I've set up both machines to authenticate using kerberos and to obtain user info using ldap.
>         How do I know that I'm actually using ldap + kerberos properly?
>
>         --
>         389 users mailing list
>         389-users at redhat.com
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>     --
>     389 users mailing list
>     389-users at redhat.com
>     https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Mon Jan 4 16:01:03 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 09:01:03 -0700
Subject: [389-users] Modifying Default Install Location
In-Reply-To: <20e4c38c0912211405p68312afdg75ca70706f43f9d@mail.gmail.com>
References: <20e4c38c0912211405p68312afdg75ca70706f43f9d@mail.gmail.com>
Message-ID: <4B4210BF.5090703@redhat.com>

Chun Tat David Chu wrote:
> Hi All,
>
> I really like the original layout of the Fedora Directory Server where all files are installed in /opt/fedora-ds
>
> Is there a way to change/configure 389 Directory so all files are installed in /opt/389-ds or something equivalent?
We only provide pre-built packages that use FHS layout which is the preferred layout. If you build it from source, you can specify the --prefix layout which will put everything under /opt/389-ds or whatever prefix you prefer. It's just too difficult to support two different binary packages with two different layouts.
>
> Thanks!
>
> David
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Mon Jan 4 16:01:34 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 09:01:34 -0700
Subject: [389-users] SubjectAltName MMR question
In-Reply-To:
References:
Message-ID: <4B4210DE.705@redhat.com>

Prashanth Sundaram wrote:
> Hi All,
>
> Which one of the cases below is suitable for a Multi-Master replication? I have a load balancer with ldap.domain.com, which is what clients will use to authenticate.
>
> Question:
> Which one is a better implementation? What are the trade-offs? Please input your feedback as it might be useful for someone coming this way later. This can serve as a knowledge bank.
>
> Case-I
> ldap01: server-cert with cn=ldap01.domain.com, subjAltName=ldap.domain.com
> ldap02: server-cert with cn=ldap02.domain.com, subjAltName=ldap.domain.com
> -MMR with tls throws error when "Check hostname against name in certificate for outbound SSL connections" option is enabled. But RH recommends it to be turned ON.
What is the FQDN you specified in the replication agreement?
>
> Case-II
> ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com, ldap02.domain.com
> ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com,ldap02.domain.com
> -Does not comply with the requirement that "server-cert" should have hostname as cn. I found this method working perfectly fine.
>
> Knowledge Sharing:
> Here's a useful link which I use all the time and look at before posting to the list. This is the archive for the mailing list and has a search feature which is very useful.
>
> http://www.mail-archive.com/fedora-directory-users at redhat.com/info.html
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Mon Jan 4 16:02:15 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 09:02:15 -0700
Subject: [389-users] 389-adminutil error
In-Reply-To:
References:
Message-ID: <4B421107.9050401@redhat.com>

Prashanth Sundaram wrote:
> Hi Rich,
>
> I am getting this error when I install 389-adminutil. Any idea which package gives these dependencies?
What is your platform? RHEL 5? CentOS 5? Something else? What version? 32-bit or 64-bit?
>
> [root at ldap02 psundaram]# yum install 389-adminutil
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
> Setting up Install Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package 389-adminutil.i386 0:1.1.8-4.el5 set to be updated
> --> Processing Dependency: libssl3.so for package: 389-adminutil
> --> Processing Dependency: libplc4.so for package: 389-adminutil
> --> Processing Dependency: libldap60.so for package: 389-adminutil
> --> Processing Dependency: libnss3.so for package: 389-adminutil
> --> Processing Dependency: libnss3.so(NSS_3.5) for package: 389-adminutil
> --> Processing Dependency: libldif60.so for package: 389-adminutil
> --> Processing Dependency: libssl3.so(NSS_3.2) for package: 389-adminutil
> --> Processing Dependency: libnspr4.so for package: 389-adminutil
> --> Processing Dependency: libnss3.so(NSS_3.2) for package: 389-adminutil
> --> Processing Dependency: libprldap60.so for package: 389-adminutil
> --> Processing Dependency: libssldap60.so for package: 389-adminutil
> ---> Package 389-adminutil.x86_64 0:1.1.8-4.el5 set to be updated
> --> Running transaction check
> ---> Package 389-adminutil.i386 0:1.1.8-4.el5 set to be updated
> --> Processing Dependency: libldap60.so for package: 389-adminutil
> --> Processing Dependency: libldif60.so for package: 389-adminutil
> --> Processing Dependency: libprldap60.so for package: 389-adminutil
> --> Processing Dependency: libssldap60.so for package: 389-adminutil
> ---> Package nspr.i386 0:4.7.6-1.el5_4 set to be updated
> ---> Package nss.i386 0:3.12.3.99.3-1.el5.centos.2 set to be updated
> --> Finished Dependency Resolution
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libssldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libldif60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libprldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libprldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libssldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libldif60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
>  You could try using --skip-broken to work around the problem
>  You could try running: package-cleanup --problems
>                         package-cleanup --dupes
>                         rpm -Va --nofiles --nodigest
>
> -Prashanth
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Mon Jan 4 16:02:59 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 09:02:59 -0700
Subject: [389-users] certificate with subjectAltName
In-Reply-To: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com>
References: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com>
Message-ID: <4B421133.7040107@redhat.com>

muzzol wrote:
> hi,
>
> i've created a cert request with "-8" parameter (subjectAltName), signed with my own openssl CA and installed on a 389 node.
>
> when i perform an ldapsearch with TLS (-ZZ) i get
>
Did you specify the FQDN with the -h argument? What hostname did you give? The real hostname or the subjectAltName?
> TLS: hostname (ldap.example.com) does not match common name in certificate (node1.example.com).
>
> i've double checked all steps but no success.
>
> any advice?
>
> regards.
>

From psundaram at wgen.net Mon Jan 4 16:12:37 2010
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 04 Jan 2010 11:12:37 -0500
Subject: [389-users] nscd: nss_ldap: could not search LDAP server - Server is unavailable
In-Reply-To: <20091230230022.GW17169@bakgwai.americas.hpqcorp.net>
Message-ID:

Patrick,

I am still unable to figure out what is the cause for the clients to time out on the LDAP connection. Is there any performance tuning that I am unaware of? What is the appropriate timelimit for search/bind/idle? To give some idea, we roughly have ~300 users and 600 servers.

Is there a timeout setting in 389-ds?

Thanks,
Prashanth

On 12/30/09 6:00 PM, "patrick.morris at hp.com" wrote:
> Prashanth Sundaram wrote:
>
>> I have two 389-ds servers with MMR via TLS and client hosts authenticating via TLS. I see this error message in all client machines in /var/log/messages. It seems nscd is failing at random intervals. Has anyone seen this before?
>>
>> Dec 29 10:35:35 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>> Dec 29 11:00:21 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>> Dec 29 11:12:15 dmc189 nscd: nss_ldap: could not search LDAP server - Server is unavailable
>
> Sure. It can be caused by several things: intermittent connectivity issues, server malfunctions (the server log's a good place to look for those), and several other possibilities.
>
> It could also be caused by problems with nss_ldap itself, especially given the ldap.conf you've provided. What version are you running, and on which platform?

From psundaram at wgen.net Mon Jan 4 17:02:37 2010
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 04 Jan 2010 12:02:37 -0500
Subject: [389-users] SubjectAltName MMR question
Message-ID:

Rich,

I specify the individual host's FQDN in the replication agreement. I use haproxy for LB, so the hosts are in ACTIVE-PASSIVE state.

Prashanth Sundaram wrote:
> Hi All,
>
> Which one of the cases below is suitable for a Multi-Master replication? I have a load balancer with ldap.domain.com, which is what clients will use to authenticate.
>
> Question:
> Which one is a better implementation? What are the trade-offs? Please input your feedback as it might be useful for someone coming this way later. This can serve as a knowledge bank.
>
> Case-I
> ldap01: server-cert with cn=ldap01.domain.com, subjAltName=ldap.domain.com
> ldap02: server-cert with cn=ldap02.domain.com, subjAltName=ldap.domain.com
> -MMR with tls throws error when "Check hostname against name in certificate for outbound SSL connections" option is enabled. But RH recommends it to be turned ON.
What is the FQDN you specified in the replication agreement?
>
> Case-II
> ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com, ldap02.domain.com
> ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com,ldap02.domain.com
> -Does not comply with the requirement that "server-cert" should have hostname as cn. I found this method working perfectly fine.
>
> Knowledge Sharing:
> Here's a useful link which I use all the time and look at before posting to the list. This is the archive for the mailing list and has a search feature which is very useful.
>
> http://www.mail-archive.com/fedora-directory-users redhat com/info.html
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users redhat com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From ajeetraina at gmail.com Mon Jan 4 17:17:26 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Mon, 4 Jan 2010 22:47:26 +0530
Subject: [389-users] ADS <==> FedoraDS <==> Linux/Unix Clients?
In-Reply-To:
References: <6239e2930912290841t389170a1u5212a952fdfc63a7@mail.gmail.com>
	<6239e2931001040340j7b01bejc4f04ef41969a046@mail.gmail.com>
Message-ID: <6239e2931001040917u4e54ed95md756db8e033f2b51@mail.gmail.com>

Hello Kenneho,

Thanks for the wonderful explanation. It did help me to come up with something more informative.

I was going through Windows Sync and want to know about these points:

1. What all changes have to be done on the Active Directory Server? Just to check the risk and feasibility factor.
2. Say I follow the Red Hat Directory Server Guide. Does our 389 contain every little thing which RHDS has? Please clarify. What differences do these servers have?
3. Can I follow the complete RHDS Docs to set up my Fedora DS to work with ADS? What section may be missing?
4. What are the overall steps (just in points) to set up Fedora DS sync with ADS, with a few ADS users synched to have permission to access the Linux Machines?

I did get 2 links:

1. Restrictively allowing only ISST Sysadmins on Fedora DS (synchronized with ADS) to access certain resources (Linux Machines): http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf
and,
2. Check ADS <=> Fedora DS Synchronization for User Creation/Deletion: http://www.redhat.com/docs/manuals/d...dows_Sync.html

Do you think they are enough for me to set up as per my requirements? Please comment. Do help me with detailed docs if you have any so that I can help myself with the setup.

With Regards,
Ajeet

On Mon, Jan 4, 2010 at 7:10 PM, Kenneth Holter wrote:
> Well, I don't have any documentation on the posix/netgroup type of scripts. But I can try to outline our approach:
>
> In the AD LDAP tree, we have created an organizational unit (OU) named "linux" (or something like that). Under this OU we have two OUs, named "users" and "groups". Under these OUs we've moved all users and groups that are to be synced over to our Red Hat Directory Server (RHDS, which is basically the same as FDS).
>
> On the RHDS, we've done this: Using the Windows Sync (http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html) plugin, we've defined that all entries under the "linux" OU on AD should be synced over to RHDS. Windows Sync basically copies those entries from AD.
> In addition, we have a few scripts running on the RHDS server. One script adds posix attributes to users that have been synced over from AD to RHDS. Another script populates NIS netgroups based on AD groups. Let me explain: Say we have an AD group called "linux-admins", and that it's placed under the "groups" OU (as explained above) and is thus synced over to the RHDS. On the RHDS side, we have a similar NIS netgroup called for example "netgroup-linux-admins".
> Our script reads the "linux-admins" membership info, and makes sure that the "netgroup-linux-admins" is updated with the same membership info. This way we can rely on the AD admins to manage group memberships on the RHDS side.
> The NIS netgroup information can then be used for defining which groups of users can access which groups of servers (note that we're going to put server names into netgroups too), by configuring PAM to allow access based on netgroup membership. For example, we can define that users that are members of "netgroup-linux-admins" will have access to all servers. Furthermore, we can use the same netgroups to define sudo privileges for groups of users. For the "netgroup-linux-admins", they will typically be given full sudo access on all servers.
>
> I hope this made some sense. Let me know if you want me to elaborate on some of the points.
>
> Btw, the most relevant info I've found on setting this thing up is the RHDS manuals (http://www.redhat.com/docs/manuals/dir-server/), and the 389 web site.
>
> - Kenneth
>
> On Mon, Jan 4, 2010 at 12:40 PM, Ajeet S Raina wrote:
>> Hello Kenneho,
>>
>> Thanks for the quick response. I appreciate your helpful words on these queries.
>> I would be thankful if you can provide me with the tutorials or documents or links which you followed for the same setup.
>>
>> May I know what should be the approach for syncing ADS to Fedora DS?
>> Any step by step approach for the sa
>>
>> On Mon, Jan 4, 2010 at 2:37 PM, Kenneth Holter wrote:
>>> Hi.
>>>
>>> We're currently working on a similar setup.
>>>
>>> Regarding your first question: Using the Windows Sync plugin on the FDS you sync specific users from AD over to FDS. Just move your sysadmin users to an LDAP organization unit (OU), and sync that over to FDS. Next, you'll need to add posix attributes (user ID, group ID, home directory, etc) to these users on the FDS side. You can create simple scripts for doing this.
>>> In our setup, we're going to use groups defined on the AD side as the basis for NIS netgroups on linux, so that we can control access to and sudo privileges on linux servers based on these groups. This adds to the complexity, but lets us manage users and access from the AD side.
>>>
>>> When you delete a user on the AD side, it will get deleted on the FDS side too.
>>>
>>> Regards,
>>> Kenneth Holter
>>>
>>> On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina wrote:
>>>> I have a certain query regarding the following structure:
>>>> Code:
>>>>
>>>> Active Directory Server
>>>> ||
>>>> ||
>>>> Fedora Directory Server <=> Client(Linux | Fedora | Ubuntu | Solaris | HP)
>>>>
>>>> Let me explain to you what I want:
>>>>
>>>> 1. There is a company Active Directory Server under domain intinfra.com. As of now there are limited Windows Desktop Machines under that domain. I have a few Linux / Unix Machines which I want to authenticate through ADS (which are presently not under ADS). Why? Because every time I need to delete the users whenever they leave the project. That's cumbersome.
>>>>
>>>> So what I want is to set up Fedora DS (wonder if we can do that without Fedora DS). Now I can ads join to Fedora DS (I have administrative privileges for ADS). What I really want to know is:
>>>>
>>>> If I join Fedora DS to ADS then all employees can login to the Linux Machine through their login credentials. I don't want that to happen. We have 3000 employees in the intinfra Domain but we are only 30 Admins. I only want those 30-40 admins to login restrictively. Is it possible to restrict at FedoraDS level?
>>>>
>>>> 2. Say I joined ADS and Fedora DS and say after 30 days one of the System Admins left the company. So his name will be removed from ADS. Is it possible that ADS and Fedora DS are synchronized in such a way that a user whose name gets deleted in ADS gets deleted too from Fedora? Does Fedora DS have the capability to synchronize to ADS every time?
>>>>
>>>> Pls Suggest.
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>> --
>> "It is not possible to rescue everyone who is caught in the Windows quicksand
>> --Make sure you are on solid Linux ground before trying."
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
"It is not possible to rescue everyone who is caught in the Windows quicksand
--Make sure you are on solid Linux ground before trying."

From psundaram at wgen.net Mon Jan 4 17:23:39 2010
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 04 Jan 2010 12:23:39 -0500
Subject: [389-users] 389-adminutil error
Message-ID:

Rich,

Centos 5.4(Final) 64-bit 2.6.18-164.9.1.el5

Repos
Rpmforge, EPEL, EPEL-Testing, pgdg-84 CentOS-Base CentOS-Media

Hi Rich,
>
> I am getting this error when I install 389-adminutil. Any idea which package gives these dependencies?

What is your platform? RHEL 5? CentOS 5? Something else? What version? 32-bit or 64-bit?
>
> [root ldap02 psundaram]# yum install 389-adminutil
> Loaded plugins: fastestmirror
> Loading mirror speeds from cached hostfile
> Setting up Install Process
> Resolving Dependencies
> --> Running transaction check
> ---> Package 389-adminutil.i386 0:1.1.8-4.el5 set to be updated
> --> Processing Dependency: libssl3.so for package: 389-adminutil
> --> Processing Dependency: libplc4.so for package: 389-adminutil
> --> Processing Dependency: libldap60.so for package: 389-adminutil
> --> Processing Dependency: libnss3.so for package: 389-adminutil
> --> Processing Dependency: libnss3.so(NSS_3.5) for package: 389-adminutil
> --> Processing Dependency: libldif60.so for package: 389-adminutil
> --> Processing Dependency: libssl3.so(NSS_3.2) for package: 389-adminutil
> --> Processing Dependency: libnspr4.so for package: 389-adminutil
> --> Processing Dependency: libnss3.so(NSS_3.2) for package: 389-adminutil
> --> Processing Dependency: libprldap60.so for package: 389-adminutil
> --> Processing Dependency: libssldap60.so for package: 389-adminutil
> ---> Package 389-adminutil.x86_64 0:1.1.8-4.el5 set to be updated
> --> Running transaction check
> ---> Package 389-adminutil.i386 0:1.1.8-4.el5 set to be updated
> --> Processing Dependency: libldap60.so for package: 389-adminutil
> --> Processing Dependency: libldif60.so for package: 389-adminutil
> --> Processing Dependency: libprldap60.so for package: 389-adminutil
> --> Processing Dependency: libssldap60.so for package: 389-adminutil
> ---> Package nspr.i386 0:4.7.6-1.el5_4 set to be updated
> ---> Package nss.i386 0:3.12.3.99.3-1.el5.centos.2 set to be updated
> --> Finished Dependency Resolution
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libssldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libldif60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> --> Missing Dependency: libprldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libprldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libssldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> Error: Missing Dependency: libldif60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> You could try using --skip-broken to work around the problem
> You could try running: package-cleanup --problems
> package-cleanup --dupes
> rpm -Va --nofiles --nodigest

From rmeggins at redhat.com Mon Jan 4 17:24:08 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 10:24:08 -0700
Subject: [389-users] SubjectAltName MMR question
In-Reply-To:
References:
Message-ID: <4B422438.4000302@redhat.com>

Prashanth Sundaram wrote:
> Rich,
>
> I specify the individual host's FQDN in the replication agreement. So, ldap01.domain.com

Maybe openldap/openssl has a problem with subjectAltName? Try mozldap ldapsearch instead like this:

/usr/lib/mozldap/ldapsearch -h FQDN -ZZZ -P /etc/dirsrv/slapd-instance -s base -b "" "objectclass=*"

> I use haproxy for LB, so the hosts are in ACTIVE-PASSIVE state.
>
> Prashanth Sundaram wrote:
> > Hi All,
> >
> > Which one of the cases below is suitable for a Multi-Master replication? I have a load balancer with ldap.domain.com, which is what clients will use to authenticate.
> >
> > Question: Which one is a better implementation? What are the trade-offs?
> > Please input your feedback as it might be useful for someone coming this way later. This can serve as a knowledge bank.
> >
> > Case-I
> > ldap01: server-cert with cn=ldap01.domain.com, subjAltName=ldap.domain.com
> > ldap02: server-cert with cn=ldap02.domain.com, subjAltName=ldap.domain.com
> > -MMR with tls throws an error when the "Check hostname against name in certificate for outbound SSL connections" option is enabled. But RH recommends it to be turned ON.
>
> What is the FQDN you specified in the replication agreement?
>
> > Case-II
> > ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com, ldap02.domain.com
> > ldap01: server-cert with cn=ldap.domain.com, subjAltName=ldap01.domain.com,ldap02.domain.com
> > -Does not comply with the requirement that "server-cert" should have hostname as cn. I found this method working perfectly fine.
> >
> > Knowledge Sharing:
> > Here's a useful link which I use all the time and look at before posting to the list. This is the archive for the mailing list and has a search feature which is very useful.
> >
> > http://www.mail-archive.com/fedora-directory-users redhat com/info.html
> >
> > --
> > 389 users mailing list
> > 389-users redhat com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Mon Jan 4 17:35:13 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 10:35:13 -0700
Subject: [389-users] ADS <==> FedoraDS <==> Linux/Unix Clients?
In-Reply-To: <6239e2931001040917u4e54ed95md756db8e033f2b51@mail.gmail.com>
References: <6239e2930912290841t389170a1u5212a952fdfc63a7@mail.gmail.com> <6239e2931001040340j7b01bejc4f04ef41969a046@mail.gmail.com> <6239e2931001040917u4e54ed95md756db8e033f2b51@mail.gmail.com>
Message-ID: <4B4226D1.4050403@redhat.com>

Ajeet S Raina wrote:
> Hello Kenneho,
>
> Thanks for the wonderful explanation. It did help me to come up with something more informative.
> I was going through Windows Sync and want to know about these points:
>
> 1. What all changes have to be done on the Active Directory Server? Just to check the risk and feasibility factor.

You have to install and configure the 389-PassSync .msi for your platform according to the documentation

> 2. Say I follow the Red Hat Directory Server Guide. Does our 389 contain every little thing which RHDS has? Please clarify.
> What differences do these servers have?

Nothing substantial in this area

> 3. Can I follow the complete RHDS Docs to set my Fedora DS to work with ADS?

Yes.

> What section may be missing?

Just be sure to use "389" instead of "Red Hat" where program folders etc. are mentioned

> 4. What are the overall steps (just in points) to set up Fedora DS sync with ADS, with a few ADS users synced to have permission to access the Linux Machine?
>
> I have got 2 links:
> 1. Restrictively allowing only ISST Sysadmins on Fedora DS (synchronized with ADS) to access certain resources (Linux Machine): http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf
>
> and,
>
> 2. Check ADS <=> Fedora DS Synchronization for User Creation/Deletion: http://www.redhat.com/docs/manuals/d...dows_Sync.html
>
> Do you think they are enough for me to set up as per my requirements?
>
> Please comment.
> Do help me with detailed docs if you have any so that I can help myself with the setup.
>
> With Regards,
> Ajeet
>
> On Mon, Jan 4, 2010 at 7:10 PM, Kenneth Holter wrote:
>
> > Well, I don't have any documentation on the posix/netgroup type of scripts. But I can try to outline our approach:
> >
> > In the AD LDAP tree, we have created an organizational unit (OU) named "linux" (or something like that). Under this OU we have two OUs, named "users" and "groups". Under these OU's we've moved all users and groups that are to be synced over to our Red Hat Directory Server (RHDS, which is basically the same as FDS).
> >
> > On the RHDS, we've done this: Using the Windows Sync (http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html) plugin, we've defined that all entries under the "linux" OU on AD should be synced over to RHDS. Windows Sync basically copies those entries from AD.
> > In addition, we have a few scripts running on the RHDS server. One script adds posix attributes to users that have been synced over from AD to RHDS. Another script populates NIS netgroups based on AD groups. Let me explain: Say we have an AD group called "linux-admins", and that it's placed under the "groups" OU (as explained above) and is thus synced over to the RHDS. On the RHDS side, we have a similar NIS netgroup called for example "netgroup-linux-admins". Our script reads the "linux-admins" membership info, and makes sure that the "netgroup-linux-admins" is updated with the same membership info. This way we can rely on the AD admins to manage group memberships on the RHDS side.
> > The NIS netgroup information can then be used for defining which groups of users can access which groups of servers (note that we're going to put server names into netgroups too), by configuring PAM to allow access based on netgroup membership. For example, we can define that users that are members of "netgroup-linux-admins" will have access to all servers. Furthermore, we can use the same netgroups to define sudo privileges for groups of users. For the "netgroup-linux-admins", they will typically be given full sudo access on all servers.
> >
> > I hope this made some sense. Let me know if you want me to elaborate on some of the points.
> >
> > Btw, the most relevant info I've found on setting this thing up is the RHDS manuals (http://www.redhat.com/docs/manuals/dir-server/), and the 389 web site.
> >
> > - Kenneth
> >
> > On Mon, Jan 4, 2010 at 12:40 PM, Ajeet S Raina wrote:
> >
> > > Hello Kenneho,
> > >
> > > Thanks for the quick response. I appreciate your helpful words on these queries.
> > > I would be thankful if you can provide me with the tutorials or documents or links which you followed for the same setup.
> > >
> > > May I know what should be the approach for syncing ADS to Fedora DS?
> > > Any step by step approach for the sa
> > >
> > > On Mon, Jan 4, 2010 at 2:37 PM, Kenneth Holter wrote:
> > >
> > > > Hi.
> > > >
> > > > We're currently working on a similar setup.
> > > >
> > > > Regarding your first question: Using the Windows Sync plugin on the FDS you sync specific users from AD over to FDS. Just move your sysadmin users to an LDAP organization unit (OU), and sync that over to FDS. Next, you'll need to add posix attributes (user ID, group ID, home directory, etc) to these users on the FDS side. You can create simple scripts for doing this. In our setup, we're going to use groups defined on the AD side as the basis for NIS netgroups on linux, so that we can control access to and sudo privileges on linux servers based on these groups. This adds to the complexity, but lets us manage users and access from the AD side.
> > > >
> > > > When you delete a user on the AD side, it will get deleted on the FDS side too.
> > > >
> > > > Regards,
> > > > Kenneth Holter
> > > >
> > > > On Tue, Dec 29, 2009 at 5:41 PM, Ajeet S Raina wrote:
> > > >
> > > > > I have a certain query regarding the following structure:
> > > > > Code:
> > > > >
> > > > > Active Directory Server
> > > > > ||
> > > > > ||
> > > > > Fedora Directory Server <=> Client(Linux | Fedora | Ubuntu | Solaris | HP)
> > > > >
> > > > > Let me explain to you what I want:
> > > > >
> > > > > 1. There is a company Active Directory Server under domain intinfra.com. As of now there are limited Windows Desktop Machines under that domain. I have a few Linux / Unix Machines which I want to authenticate through ADS (which are presently not under ADS). Why? Because every time I need to delete the users whenever they leave the project. That's cumbersome.
> > > > >
> > > > > So what I want is to set up Fedora DS (wonder if we can do that without Fedora DS). Now I can ads join to Fedora DS (I have administrative privileges for ADS). What I really want to know is:
> > > > >
> > > > > If I join Fedora DS to ADS then all employees can login to the Linux Machine through their login credentials. I don't want that to happen. We have 3000 employees in the intinfra Domain but we are only 30 Admins. I only want those 30-40 admins to login restrictively. Is it possible to restrict at FedoraDS level?
> > > > >
> > > > > 2. Say I joined ADS and Fedora DS and say after 30 days one of the System Admins left the company. So his name will be removed from ADS. Is it possible that ADS and Fedora DS are synchronized in such a way that a user whose name gets deleted in ADS gets deleted too from Fedora? Does Fedora DS have the capability to synchronize to ADS every time?
> > > > >
> > > > > Pls Suggest.
> > > > >
> > > > > --
> > > > > 389 users mailing list
> > > > > 389-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > >
> > > > --
> > > > 389 users mailing list
> > > > 389-users at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > > --
> > > "It is not possible to rescue everyone who is caught in the Windows quicksand
> > > --Make sure you are on solid Linux ground before trying."
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> --
> "It is not possible to rescue everyone who is caught in the Windows quicksand
> --Make sure you are on solid Linux ground before trying."
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Mon Jan 4 17:35:54 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 10:35:54 -0700
Subject: [389-users] 389-adminutil error
In-Reply-To:
References:
Message-ID: <4B4226FA.6010806@redhat.com>

Prashanth Sundaram wrote:
> Rich,
>
> Centos 5.4(Final) 64-bit 2.6.18-164.9.1.el5
>
> Repos
> Rpmforge, EPEL, EPEL-Testing, pgdg-84 CentOS-Base CentOS-Media

Hmm - is the mozldap package available from CentOS?

>
> Hi Rich,
> >
> > I am getting this error when I install 389-adminutil. Any idea which package gives these dependencies?
>
> What is your platform? RHEL 5? CentOS 5? Something else? What version? 32-bit or 64-bit?
> >
> > [root ldap02 psundaram]# yum install 389-adminutil
> > Loaded plugins: fastestmirror
> > Loading mirror speeds from cached hostfile
> > Setting up Install Process
> > Resolving Dependencies
> > --> Running transaction check
> > ---> Package 389-adminutil.i386 0:1.1.8-4.el5 set to be updated
> > --> Processing Dependency: libssl3.so for package: 389-adminutil
> > --> Processing Dependency: libplc4.so for package: 389-adminutil
> > --> Processing Dependency: libldap60.so for package: 389-adminutil
> > --> Processing Dependency: libnss3.so for package: 389-adminutil
> > --> Processing Dependency: libnss3.so(NSS_3.5) for package: 389-adminutil
> > --> Processing Dependency: libldif60.so for package: 389-adminutil
> > --> Processing Dependency: libssl3.so(NSS_3.2) for package: 389-adminutil
> > --> Processing Dependency: libnspr4.so for package: 389-adminutil
> > --> Processing Dependency: libnss3.so(NSS_3.2) for package: 389-adminutil
> > --> Processing Dependency: libprldap60.so for package: 389-adminutil
> > --> Processing Dependency: libssldap60.so for package: 389-adminutil
> > ---> Package 389-adminutil.x86_64 0:1.1.8-4.el5 set to be updated
> > --> Running transaction check
> > ---> Package 389-adminutil.i386 0:1.1.8-4.el5 set to be updated
> > --> Processing Dependency: libldap60.so for package: 389-adminutil
> > --> Processing Dependency: libldif60.so for package: 389-adminutil
> > --> Processing Dependency: libprldap60.so for package: 389-adminutil
> > --> Processing Dependency: libssldap60.so for package: 389-adminutil
> > ---> Package nspr.i386 0:4.7.6-1.el5_4 set to be updated
> > ---> Package nss.i386 0:3.12.3.99.3-1.el5.centos.2 set to be updated
> > --> Finished Dependency Resolution
> > 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> > --> Missing Dependency: libldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> > --> Missing Dependency: libssldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> > --> Missing Dependency: libldif60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > 389-adminutil-1.1.8-4.el5.i386 from epel has depsolving problems
> > --> Missing Dependency: libprldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > Error: Missing Dependency: libprldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > Error: Missing Dependency: libssldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > Error: Missing Dependency: libldap60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > Error: Missing Dependency: libldif60.so is needed by package 389-adminutil-1.1.8-4.el5.i386 (epel)
> > You could try using --skip-broken to work around the problem
> > You could try running: package-cleanup --problems
> > package-cleanup --dupes
> > rpm -Va --nofiles --nodigest
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From psundaram at wgen.net Mon Jan 4 18:35:32 2010
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 04 Jan 2010 13:35:32 -0500
Subject: [389-users] 389-adminutil error
Message-ID:

Mozldap pkgs are available and installed.

mozldap-tools-6.0.5-1.el5
mozldap-6.0.5-1.el5

Prashanth Sundaram wrote:
> Rich,
>
> Centos 5.4(Final) 64-bit 2.6.18-164.9.1.el5
>
> Repos
> Rpmforge, EPEL, EPEL-Testing, pgdg-84 CentOS-Base CentOS-Media

Hmm - is the mozldap package available from CentOS?

>
> Hi Rich,
> >
> > I am getting this error when I install 389-adminutil. Any idea which package gives these dependencies?

From rmeggins at redhat.com Mon Jan 4 18:49:43 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 11:49:43 -0700
Subject: [389-users] 389-adminutil error
In-Reply-To:
References:
Message-ID: <4B423847.9090208@redhat.com>

Prashanth Sundaram wrote:
>
> Mozldap pkgs are available and installed.
>
> mozldap-tools-6.0.5-1.el5
> mozldap-6.0.5-1.el5

rpm -ql mozldap

>
> Prashanth Sundaram wrote:
> > Rich,
> >
> > Centos 5.4(Final) 64-bit 2.6.18-164.9.1.el5
> >
> > Repos
> > Rpmforge, EPEL, EPEL-Testing, pgdg-84 CentOS-Base CentOS-Media
>
> Hmm - is the mozldap package available from CentOS?
>
> >
> > Hi Rich,
> > >
> > > I am getting this error when I install 389-adminutil. Any idea which package gives these dependencies?
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From patrick.morris at hp.com Mon Jan 4 19:03:48 2010
From: patrick.morris at hp.com (patrick.morris at hp.com)
Date: Mon, 4 Jan 2010 11:03:48 -0800
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server
In-Reply-To: <25961970.1521262277108330.JavaMail.across@dops-acros>
References: <25961970.1521262277108330.JavaMail.across@dops-acros>
Message-ID: <20100104190348.GB17169@bakgwai.americas.hpqcorp.net>

Hi Anne!

On Thu, 31 Dec 2009, Anne Cross wrote:
> As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.
>
> -- juniper

You understood incorrectly. You can use LDAP groups.
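As an added illustration of Patrick's point (this is not from his message or from the 389 project), here are two sudoRole entries in the sudoers-LDAP schema: one granting sudo by LDAP group, one by NIS netgroup of the kind described in the AD-to-RHDS thread above. The ou=SUDOers container, the group, netgroup and host names, and the base DN are assumed placeholders; sudo resolves "%group" and "+netgroup" through NSS, so when NSS is backed by the directory (nss_ldap/sssd) the membership comes from LDAP rather than /etc/group.

```ldif
# Constructed example, not from the list or the 389 project.
# Assumes the clients are configured with sudoers_base: ou=SUDOers,dc=example,dc=org
# and that the group and netgroup below exist in the directory.

# Role 1: members of the LDAP group "linux-admins" get full sudo on all hosts.
dn: cn=linux-admins-all,ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: sudoRole
cn: linux-admins-all
# %group is looked up via NSS group lookups, so the group may be an
# LDAP posixGroup instead of an /etc/group entry.
sudoUser: %linux-admins
sudoHost: ALL
sudoCommand: ALL
# Keep the audit trail: record the session output for this broad role.
sudoOption: log_output

# Role 2 (least privilege): members of the NIS netgroup "netgroup-dba" may
# only restart PostgreSQL, and only on hosts in the "netgroup-db-servers"
# host netgroup.
dn: cn=dba-restart-postgres,ou=SUDOers,dc=example,dc=org
objectClass: top
objectClass: sudoRole
cn: dba-restart-postgres
# +netgroup matches netgroup membership resolved through NSS (netgroup map
# in the directory), the same mechanism the PAM access rules above rely on.
sudoUser: +netgroup-dba
sudoHost: +netgroup-db-servers
sudoCommand: /sbin/service postgresql restart
```

Add the entries with ldapmodify -a against the directory, then verify on a client with "sudo -l" as a member of each group; a user in neither group should see no rules at all.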
From across at itasoftware.com Mon Jan 4 20:10:26 2010
From: across at itasoftware.com (Anne Cross)
Date: Mon, 4 Jan 2010 15:10:26 -0500 (EST)
Subject: [389-users] /etc/sudoers VS sudo-objects in directory server
In-Reply-To: <20100104190348.GB17169@bakgwai.americas.hpqcorp.net>
Message-ID: <12686161.1661262635824478.JavaMail.across@dops-acros>

> Hi Anne!
>
> On Thu, 31 Dec 2009, Anne Cross wrote:
>
>> As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance.
>
> You understood incorrectly. You can use LDAP groups.

Oh wow. You just made my day. Could I ask for an example of how you're defining it inside of a sudoers object? I'd *really* appreciate it. The last time I went digging through the documentation, I couldn't find any examples, and now "assume" is making an idiot out of me.

-- juniper

From psundaram at wgen.net Mon Jan 4 22:16:29 2010
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 04 Jan 2010 17:16:29 -0500
Subject: [389-users] 389-adminutil error
Message-ID:

Here it is

/usr/lib64/libldap60.so
/usr/lib64/libldif60.so
/usr/lib64/libprldap60.so
/usr/lib64/libssldap60.so
/usr/share/doc/mozldap-6.0.5
/usr/share/doc/mozldap-6.0.5/README.rpm

Prashanth Sundaram wrote:
>
> Mozldap pkgs are available and installed.
>
> mozldap-tools-6.0.5-1.el5
> mozldap-6.0.5-1.el5

rpm -ql mozldap

>
> Prashanth Sundaram wrote:

From rmeggins at redhat.com Mon Jan 4 22:36:11 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 04 Jan 2010 15:36:11 -0700
Subject: [389-users] 389-adminutil error
In-Reply-To:
References:
Message-ID: <4B426D5B.1010606@redhat.com>

Prashanth Sundaram wrote:
> Here it is
> /usr/lib64/libldap60.so
> /usr/lib64/libldif60.so
> /usr/lib64/libprldap60.so
> /usr/lib64/libssldap60.so
> /usr/share/doc/mozldap-6.0.5
> /usr/share/doc/mozldap-6.0.5/README.rpm

Then why can't 389-adminutil find these? Is this some sort of 32-bit vs. 64-bit problem?

>
> Prashanth Sundaram wrote:
> >
> > Mozldap pkgs are available and installed.
> >
> > mozldap-tools-6.0.5-1.el5
> > mozldap-6.0.5-1.el5
>
> rpm -ql mozldap
>
> >
> > Prashanth Sundaram wrote:
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From muzzol at gmail.com Mon Jan 4 23:23:43 2010
From: muzzol at gmail.com (muzzol)
Date: Tue, 5 Jan 2010 00:23:43 +0100
Subject: [389-users] certificate with subjectAltName
In-Reply-To: <4B421133.7040107@redhat.com>
References: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com> <4B421133.7040107@redhat.com>
Message-ID: <4a3f02761001041523y519804dcn398648fbc67f37d6@mail.gmail.com>

2010/1/4 Rich Megginson :
> muzzol wrote:
> Did you specify the FQDN with the -h argument? What hostname did you give? The real hostname or the subjectAltName?

I've used the FQDN for CN and an additional DNS entry for subjectAltName.

Anyway, I've found that I get a different cert when signing it with OpenSSL (openssl -req) and certutil (-C).

I've created a sample CA with certutil and repeated the whole process. Now I don't get that error anymore.

Is this a known behaviour? Are there any limitations with subjectAltName and OpenSSL signing?

Anyone using OpenSSL to sign their DS certs?
--
========================
 ^ ^
 O O
(_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers. They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and Catalans; let's see when it decides to talk to normal people" Jiménez Losantos
========================
bomb terrorism bush aznar teletubbies

From jsullivan at opensourcedevel.com Tue Jan 5 00:04:12 2010
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Mon, 04 Jan 2010 19:04:12 -0500
Subject: [389-users] certificate with subjectAltName
In-Reply-To: <4a3f02761001041523y519804dcn398648fbc67f37d6@mail.gmail.com>
References: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com> <4B421133.7040107@redhat.com> <4a3f02761001041523y519804dcn398648fbc67f37d6@mail.gmail.com>
Message-ID: <1262649852.4358.0.camel@jaspav.ssiservices.biz>

On Tue, 2010-01-05 at 00:23 +0100, muzzol wrote:
> 2010/1/4 Rich Megginson :
> > muzzol wrote:
> > Did you specify the FQDN with the -h argument? What hostname did you give?
> > The real hostname or the subjectAltName?
>
> I've used the FQDN for CN and an additional DNS entry for subjectAltName.
>
> Anyway, I've found that I get a different cert when signing it with OpenSSL (openssl -req) and certutil (-C).
>
> I've created a sample CA with certutil and repeated the whole process. Now I don't get that error anymore.
>
> Is this a known behaviour? Are there any limitations with subjectAltName and OpenSSL signing?
>
> Anyone using OpenSSL to sign their DS certs?

We are (via OpenCA) but we are also doing server side key generation - John

From ajeetraina at gmail.com Tue Jan 5 06:57:12 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Tue, 5 Jan 2010 12:27:12 +0530
Subject: [389-users] Setting up a 389 Server on my Organization?
Message-ID: <6239e2931001042257xac3fc86i8041bcac36e9f0a4@mail.gmail.com>

Hello Guys,

I am going to set up a 389 Server for my organization. I have nothing to do with the Active Directory Server as I don't want to be in the Windows Sysadmin's shoes. We are an Infrastructure Team of around 30 Linux and Unix Sysadmins. All I want to know is what organization structure I need to follow. I have been assigned with preparing a mid-level plan for the setting up of 389 Directory Server (without ADS stuff). Do you have any slides/links discussing a quick look at the 389 Server structure and architecture from the start? Please help me with the same.

From muzzol at muzzol.com Tue Jan 5 09:31:55 2010
From: muzzol at muzzol.com (muzzol)
Date: Tue, 5 Jan 2010 10:31:55 +0100
Subject: [389-users] testing Enforcing password policy
Message-ID: <4a3f02761001050131i21a1b4afy3fa07e9be599bc67@mail.gmail.com>

Hi,

Which attributes are used to hold password policy information? I want to test it, and I tried to change passwordexpirationtime to force expiration/warning, but with no success.

Regards,
muzzol

--
========================
 ^ ^
 O O
(_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers. They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and Catalans; let's see when it decides to talk to normal people" Jiménez Losantos
========================
bomb terrorism bush aznar teletubbies

From kenneho.ndu at gmail.com Tue Jan 5 12:19:06 2010
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Tue, 5 Jan 2010 13:19:06 +0100
Subject: [389-users] Making changes to the DN attribute of an LDAP object
Message-ID:

Hi.

Is it possible to change the value of an LDAP object's DN attribute?
I'd like to be able to change from uppercase to lowercase, but I'm not sure if it's supposed to work being the DN attribute and all.. My initial attempts have failed, so just thought I'd ask you guys if it's supposed to work in the first place.

Regards,
Kenneth Holter

From andrey.ivanov at polytechnique.fr Tue Jan 5 12:59:55 2010
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 5 Jan 2010 13:59:55 +0100
Subject: [389-users] Making changes to the DN attribute of an LDAP object
In-Reply-To:
References:
Message-ID: <1601b8651001050459y1a3d0f99x16d1fbe0f7989e62@mail.gmail.com>

It's not an actual attribute, it's a "path" to the LDAP entry. So in order to change it you just need to rename the LDAP entry. Can you give an example of the DN that you want to "change"?

2010/1/5 Kenneth Holter :
> Hi.
>
> Is it possible to change the value of an LDAP object's DN attribute? I'd
> like to be able to change from uppercase to lowercase, but I'm not sure if
> it's supposed to work being the DN attribute and all.. My initial attempts
> have failed, so just thought I'd ask you guys if it's supposed to work in
> the first place.
>
> Regards,
> Kenneth Holter
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From ajeetraina at gmail.com Tue Jan 5 13:33:12 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Tue, 5 Jan 2010 19:03:12 +0530
Subject: [389-users] Doubt regarding the 389 Client Root access?
Message-ID: <6239e2931001050533p2e4680d2w7d5775ca577e165e@mail.gmail.com>

Hello Guys,

I have a doubt regarding the 389 Server Client Architecture. Say, I have 389 Server working and I have few Linux Clients. Now you say that if 389 client is configured it will login through credentials which is configured in Server. So what about the local Users on that Client. How will normal users in the Client login?
From ajeetraina at gmail.com Tue Jan 5 16:05:22 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Tue, 5 Jan 2010 21:35:22 +0530
Subject: [389-users] Can Fedora DS be used as Inventory Management System?
Message-ID: <6239e2931001050805u9d0a959h9d3243d9b14217f8@mail.gmail.com>

Can 389 Server be used as Inventory Management System like Hardware, Software, Machines Details, RAM details etc.
What purpose can we use 389 Server for?

From kenneho.ndu at gmail.com Tue Jan 5 16:32:16 2010
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Tue, 5 Jan 2010 17:32:16 +0100
Subject: [389-users] Making changes to the DN attribute of an LDAP object
In-Reply-To: <1601b8651001050459y1a3d0f99x16d1fbe0f7989e62@mail.gmail.com>
References: <1601b8651001050459y1a3d0f99x16d1fbe0f7989e62@mail.gmail.com>
Message-ID:

Thanks for your reply. It's actually as simple as changing DN "uid=someuser,ou=users,dc=example,dc=org" to "uid=SOMEUSER,ou=users,dc=example,dc=org" kind of thing. But I think I got it wrong in the first place, because what I was trying to do was to make the username uppercase, and by converting the value of the "uid" attribute to uppercase I get just that.

Thanks anyway.

- Kenneth

On Tue, Jan 5, 2010 at 1:59 PM, Andrey Ivanov <andrey.ivanov at polytechnique.fr> wrote:
> It's not an actual attribute, it's a "path" to the LDAP entry. So in
> order to change it you just need to rename the LDAP entry. Can you
> give an example of the DN that you want to "change" ?
>
> 2010/1/5 Kenneth Holter :
> > Hi.
> >
> > Is it possible to change the value of an LDAP object's DN attribute? I'd
> > like to be able to change from uppercase to lowercase, but I'm not sure if
> > it's supposed to work being the DN attribute and all..
> > My initial attempts
> > have failed, so just thought I'd ask you guys if it's supposed to work in
> > the first place.
> >
> > Regards,
> > Kenneth Holter

From prjctgeek at gmail.com Tue Jan 5 17:45:53 2010
From: prjctgeek at gmail.com (Doug Chapman)
Date: Tue, 5 Jan 2010 09:45:53 -0800
Subject: [389-users] Can Fedora DS be used as Inventory Management System?
In-Reply-To: <6239e2931001050805u9d0a959h9d3243d9b14217f8@mail.gmail.com>
References: <6239e2931001050805u9d0a959h9d3243d9b14217f8@mail.gmail.com>
Message-ID:

Sounds like a solution looking for a problem?

There are a couple of interesting schemas that could be used to track hosts (take a look):

objectClass: ieee802device
objectClass: iphost

However- I think with the way most organizations treat 'inventory management', I'd avoid storing this info in a Directory; it seems better suited for a relational database.

On Tue, Jan 5, 2010 at 8:05 AM, Ajeet S Raina wrote:
>
> Can 389 Server be used as Inventory Management System like Hardware,
> Software, Machines Details, RAM details etc.
> What purpose can we use 389 Server for?

From jsullivan at opensourcedevel.com Tue Jan 5 18:06:20 2010
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 05 Jan 2010 13:06:20 -0500
Subject: [389-users] Setting up a 389 Server on my Organization?
In-Reply-To: <6239e2931001042257xac3fc86i8041bcac36e9f0a4@mail.gmail.com>
References: <6239e2931001042257xac3fc86i8041bcac36e9f0a4@mail.gmail.com>
Message-ID: <1262714780.4420.9.camel@jaspav.ssiservices.biz>

On Tue, 2010-01-05 at 12:27 +0530, Ajeet S Raina wrote:
> Hello Guys,
>
> I am going to setup a 389 Server for my organization. I have nothing
> to do with Active Directory Server as I don't want to be under the Windows
> Sysadmin shoes.
> We are Infrastructure Team of around 30 Linux and Unix Sysadmins. All I
> want to know is what organization structure I need to follow. I have
> been assigned with preparing mid-level plan for the setting up of 389
> Directory Server (without ADS stuff).
> Do you have any slides/links discussing quick look at the 389 Server
> structure and architecture from Start.

It has been my experience that setting up 389 was the easy part. The hard part was doing what you have asked. In other words, before setting up the directory, we needed to understand how the directory would be used and what needed to be stored. Those are fundamentally business process questions and not technology questions and would be answered by looking into your business process. Once that has been answered in business process terms, then one can translate that into a tree layout and object types.

Of course, I may have misunderstood what you are asking :-)

Good luck - John

From jsullivan at opensourcedevel.com Tue Jan 5 18:15:55 2010
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Tue, 05 Jan 2010 13:15:55 -0500
Subject: [389-users] testing Enforcing password policy
In-Reply-To: <4a3f02761001050131i21a1b4afy3fa07e9be599bc67@mail.gmail.com>
References: <4a3f02761001050131i21a1b4afy3fa07e9be599bc67@mail.gmail.com>
Message-ID: <1262715355.4420.11.camel@jaspav.ssiservices.biz>

On Tue, 2010-01-05 at 10:31 +0100, muzzol wrote:
> hi,
>
> which attributes are used to hold password policy information?
>
> i want to test it and i tried to change passwordexpirationtime to
> force expiration/warning but no success.
>
> regards,
>
> muzzol
>
Hmm . . . off the top of my head (and exposing myself to extreme humiliation for being completely wrong!), I think password policies are stored as separate objects. I don't recall which off-hand - John

From across at itasoftware.com Tue Jan 5 20:06:19 2010
From: across at itasoftware.com (Anne Cross)
Date: Tue, 5 Jan 2010 15:06:19 -0500 (EST)
Subject: [389-users] AD user moves vs. 389 user moves.
In-Reply-To: <17817201.1831262721803870.JavaMail.across@dops-acros>
Message-ID: <10248314.1851262721976924.JavaMail.across@dops-acros>

Our AD admins want to move users from our ou=Users tree to a new tree called ou=Departed, after we've locked the accounts, so that we know when a user has left the company and we've completed the cleanup process. We've discovered through trial and error that when they do this on the AD server, it doesn't actually move the user out of the ou=Users tree on the 389 server. The accounts stay synced - passwords transmit and so forth - but the state of affairs is somewhat confusing.

If I delete the user and then recreate them in the correct tree on my side, the AD server blows the user away and we lose all history - old passwords, AD preferences, etc, which is annoying when the person in question is an intern who might come back.

Anyone have any suggestions on a workaround for this state of affairs? It doesn't look like a *bug* to me so much as a complete difference of opinion on how a user "move" should be accomplished between 389 and AD 2008.

-- juniper

From rmeggins at redhat.com Tue Jan 5 20:42:37 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 Jan 2010 13:42:37 -0700
Subject: [389-users] AD user moves vs. 389 user moves.
In-Reply-To: <10248314.1851262721976924.JavaMail.across@dops-acros>
References: <10248314.1851262721976924.JavaMail.across@dops-acros>
Message-ID: <4B43A43D.3060103@redhat.com>

Anne Cross wrote:
> Our AD admins want to move users from our ou=Users tree to a new tree called ou=Departed, after we've locked the accounts, so that we know when a user has left the company and we've completed the cleanup process. We've discovered through trial and error that when they do this on the AD server, it doesn't actually move the user out of the ou=Users tree on the 389 server. The accounts stay synced - passwords transmit and so forth - but the state of affairs is somewhat confusing.
>
> If I delete the user and then recreate them in the correct tree on my side, the AD server blows the user away and we lose all history - old passwords, AD preferences, etc, which is annoying when the person in question is an intern who might come back.
>
> Anyone have any suggestions on a workaround for this state of affairs? It doesn't look like a *bug* to me so much as a complete difference of opinion on how a user "move" should be accomplished between 389 and AD 2008.
>
389 does not (yet) support the atomic move operation. AD does. That's the problem.
> -- juniper

From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jan 5 21:00:29 2010
From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noel Chardron)
Date: Tue, 05 Jan 2010 22:00:29 +0100
Subject: [389-users] Can Fedora DS be used as Inventory Management System?
In-Reply-To: <6239e2931001050805u9d0a959h9d3243d9b14217f8@mail.gmail.com>
References: <6239e2931001050805u9d0a959h9d3243d9b14217f8@mail.gmail.com>
Message-ID: <4B43A86D.8020609@dr15.cnrs.fr>

Ajeet S Raina wrote:
>
> Can 389 Server be used as Inventory Management System like Hardware,
> Software, Machines Details, RAM details etc.
> What purpose can we use 389 Server for?
There are software packages to do inventory that work very well, better than a solution on a ldap server. Here at work we use OCSinventory http://www.ocsinventory-ng.org/ coupled with a tracker/helpdesk system: GLPI http://www.glpi-project.org/spip.php?lang=en.
In fact the user accounts are in the 389 server and a user can connect to OCSng or GLPI with the account in the 389 server.

From Jean-Noel.Chardron at dr15.cnrs.fr Tue Jan 5 21:12:26 2010
From: Jean-Noel.Chardron at dr15.cnrs.fr (Jean-Noel Chardron)
Date: Tue, 05 Jan 2010 22:12:26 +0100
Subject: [389-users] Doubt regarding the 389 Client Root access?
In-Reply-To: <6239e2931001050533p2e4680d2w7d5775ca577e165e@mail.gmail.com>
References: <6239e2931001050533p2e4680d2w7d5775ca577e165e@mail.gmail.com>
Message-ID: <4B43AB3A.4010603@dr15.cnrs.fr>

Ajeet S Raina wrote:
> Hello Guys,
>
> I have a doubt regarding the 389 Server Client Architecture. Say, I
> have 389 Server working and I have few Linux Clients. Now you say that
> if 389 client is configured it will login through credentials which is
> configured in Server. So what about the local Users on that Client.
> How will normal users in the Client login?

If you have a few linux clients you have probably heard about the pam module (generally in /etc/pam.d/) that accredits the account. With pam you can login against the ldap server and against whatever else you want (say /etc/passwd, or winbind, or mySQL). Have a look at the documentation of your linux distribution to configure pam with a gui software that can do that easily.
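The fallback Jean-Noel describes, local accounts and directory accounts handled by one PAM stack, as an added example that is not part of the original thread and not code from 389 DS or from any PAM module. The stack text is a constructed authconfig-style system-auth fragment of the era and the module results are simulated, so the script only models the Linux-PAM control keywords (required, requisite, sufficient, optional); it shows why a user present in /etc/shadow still logs in when the LDAP server is unreachable, while a directory-only user is denied.

```python
"""Model of a Linux-PAM auth stack that falls back from local files to LDAP.

Constructed example: the stack text is an authconfig-style fragment and the
module results are simulated, so nothing here talks to a real PAM or LDAP.
"""

# Constructed /etc/pam.d/system-auth fragment (auth group only).
SAMPLE_STACK = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""


def parse_stack(text, group="auth"):
    """Return [(control, module)] for one management group, skipping comments."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, outcomes):
    """Walk the stack with the simple control keywords of Linux-PAM.

    outcomes maps module file name -> True (PAM_SUCCESS) or False.
    Modules absent from the map are treated as failing.
    """
    required_failed = False
    succeeded = False
    for control, module in stack:
        ok = outcomes.get(module, False)
        if control == "required":
            # failure is remembered but the stack keeps running
            if ok:
                succeeded = True
            else:
                required_failed = True
        elif control == "requisite":
            # failure ends the stack immediately
            if not ok:
                return "denied"
            succeeded = True
        elif control == "sufficient":
            # success ends the stack, unless a required module already failed
            if ok and not required_failed:
                return "success"
        elif control == "optional":
            pass  # result ignored when other modules are present
    return "success" if succeeded and not required_failed else "denied"


def login(user_kind, ldap_reachable=True):
    """Simulated outcome for a 'local', 'ldap' or 'unknown' user giving a correct password."""
    outcomes = {
        "pam_env.so": True,
        "pam_unix.so": user_kind == "local",          # password found in /etc/shadow
        "pam_succeed_if.so": user_kind != "unknown",  # uid resolvable and >= 500
        "pam_ldap.so": ldap_reachable and user_kind == "ldap",
        "pam_deny.so": False,
    }
    return evaluate(parse_stack(SAMPLE_STACK), outcomes)


if __name__ == "__main__":
    for kind, reachable in (("local", False), ("ldap", True), ("ldap", False), ("unknown", True)):
        print(f"{kind:8} ldap_reachable={reachable!s:5} -> {login(kind, reachable)}")
```

Because pam_unix is `sufficient` and comes first, a local account never reaches pam_ldap, which is what keeps root and other local users working when the directory is down; the same ordering in nsswitch.conf (`files` before `ldap`) matters for the uid lookup that pam_succeed_if performs.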
From orion at cora.nwra.com Tue Jan 5 21:23:33 2010
From: orion at cora.nwra.com (Orion Poplawski)
Date: Tue, 05 Jan 2010 14:23:33 -0700
Subject: [389-users] Trouble with upgrade
Message-ID: <4B43ADD5.5030801@cora.nwra.com>

I'm trying to upgrade from fedora-ds-base-1.1.2 and admin-1.1.6 to 389-ds-base-1.2.4 and admin-1.1.9. Running setup-ds-admin.pl -u I get:

Are you ready to set up your servers? [yes]:
dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
cn: SMD5
nsslapd-pluginpath: libpwdstorage-plugin
nsslapd-plugininitfunc: smd5_pwd_storage_scheme_init
nsslapd-plugintype: pwdstoragescheme
nsslapd-pluginenabled: on

Error adding entry 'cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config'. Error: Object class violation
Could not reconfigure the admin server.
Exiting . . .

I'm guessing I need to copy the new /etc/dirsrv/schema files into /etc/dirsrv/slapd-/schema? Don't see that mentioned here: http://directory.fedoraproject.org/wiki/Install_Guide#Upgrading

Should I file a bug?

Thanks!

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    orion at cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com

From orion at cora.nwra.com Tue Jan 5 21:26:04 2010
From: orion at cora.nwra.com (Orion Poplawski)
Date: Tue, 05 Jan 2010 14:26:04 -0700
Subject: [389-users] List address
Message-ID: <4B43AE6C.3010703@cora.nwra.com>

----- The following addresses had permanent fatal errors -----
<389-users at redhat.com>
    (reason: 550 5.2.1 <389-users at redhat.com>... Mailbox disabled for this recipient)

But this is the address shown in the footer
From orion at cora.nwra.com Tue Jan 5 21:41:41 2010
From: orion at cora.nwra.com (Orion Poplawski)
Date: Tue, 05 Jan 2010 14:41:41 -0700
Subject: [389-users] Trouble with upgrade
In-Reply-To: <4B43ADD5.5030801@cora.nwra.com>
References: <4B43ADD5.5030801@cora.nwra.com>
Message-ID: <4B43B215.6090006@cora.nwra.com>

On 01/05/2010 02:23 PM, Orion Poplawski wrote:
> Error adding entry 'cn=SMD5,cn=Password Storage
> Schemes,cn=plugins,cn=config'. Error: Object class violation

Cause appears to be:

[05/Jan/2010:14:11:10 -0700] - Entry "cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginDescription" required by object class "nsslapdPlugin"

same schema requirements for this in both versions.

I installed 1.2.5-0.4.rc3 and the problem went away even though the /usr/share/dirsrv/updates/50smd5pwdstorageplugin.ldif file appears to be the same. Perhaps no longer applied?

From rmeggins at redhat.com Tue Jan 5 21:46:13 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 Jan 2010 14:46:13 -0700
Subject: [389-users] Trouble with upgrade
In-Reply-To: <4B43ADD5.5030801@cora.nwra.com>
References: <4B43ADD5.5030801@cora.nwra.com>
Message-ID: <4B43B325.9060704@redhat.com>

Orion Poplawski wrote:
> I'm trying to upgrade from fedora-ds-base-1.1.2 and admin-1.1.6 to
> 389-ds-base-1.2.4 and admin-1.1.9. Running setup-ds-admin.pl -u I get:
>
> Are you ready to set up your servers?
> [yes]:
> dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
> objectclass: top
> objectclass: nsSlapdPlugin
> cn: SMD5
> nsslapd-pluginpath: libpwdstorage-plugin
> nsslapd-plugininitfunc: smd5_pwd_storage_scheme_init
> nsslapd-plugintype: pwdstoragescheme
> nsslapd-pluginenabled: on
>
> Error adding entry 'cn=SMD5,cn=Password Storage
> Schemes,cn=plugins,cn=config'. Error: Object class violation
> Could not reconfigure the admin server.
> Exiting . . .
>
> I'm guessing I need to copy the new /etc/dirsrv/schema files into
> /etc/dirsrv/slapd-/schema?
No. With 389-ds-base 1.2.3 and later, this should be done automatically. Is there any additional information in the access or error log, like which attribute is causing the object class violation?
> Don't see that mentioned here:
> http://directory.fedoraproject.org/wiki/Install_Guide#Upgrading
>
> Should I file a bug?
>
> Thanks!
>

From rmeggins at redhat.com Tue Jan 5 22:05:16 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 Jan 2010 15:05:16 -0700
Subject: [389-users] Trouble with upgrade
In-Reply-To: <4B43B215.6090006@cora.nwra.com>
References: <4B43ADD5.5030801@cora.nwra.com> <4B43B215.6090006@cora.nwra.com>
Message-ID: <4B43B79C.2070200@redhat.com>

Orion Poplawski wrote:
> On 01/05/2010 02:23 PM, Orion Poplawski wrote:
>> Error adding entry 'cn=SMD5,cn=Password Storage
>> Schemes,cn=plugins,cn=config'. Error: Object class violation
>
> Cause appears to be:
>
> [05/Jan/2010:14:11:10 -0700] - Entry "cn=SMD5,cn=Password Storage
> Schemes,cn=plugins,cn=config" missing attribute
> "nsslapd-pluginDescription" required by object class "nsslapdPlugin"
Does the entry cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config exist in your /etc/dirsrv/slapd-instance/dse.ldif?
>
> same schema requirements for this in both versions.
>
> I installed 1.2.5-0.4.rc3 and the problem went away even though the
> /usr/share/dirsrv/updates/50smd5pwdstorageplugin.ldif file appears to
> be the same.
> Perhaps no longer applied?
If the entry is already in dse.ldif, when it is loaded, the plugin code will add nsslapd-pluginDescription - this doesn't happen when adding over LDAP.

From orion at cora.nwra.com Tue Jan 5 22:34:50 2010
From: orion at cora.nwra.com (Orion Poplawski)
Date: Tue, 05 Jan 2010 15:34:50 -0700
Subject: [389-users] Trouble with upgrade
In-Reply-To: <4B43B79C.2070200@redhat.com>
References: <4B43ADD5.5030801@cora.nwra.com> <4B43B215.6090006@cora.nwra.com> <4B43B79C.2070200@redhat.com>
Message-ID: <4B43BE8A.9090701@cora.nwra.com>

On 01/05/2010 03:05 PM, Rich Megginson wrote:
> Does the entry cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
> exist in your /etc/dirsrv/slapd-instance/dse.ldif?

It does now.

>> I installed 1.2.5-0.4.rc3 and the problem went away even though the
>> /usr/share/dirsrv/updates/50smd5pwdstorageplugin.ldif file appears to
>> be the same. Perhaps no longer applied?
> If the entry is already in dse.ldif, when it is loaded, the plugin code
> will add nsslapd-pluginDescription - this doesn't happen when adding
> over LDAP.

So perhaps 1.2.5 adds it to dse.ldif, but 1.2.4 did not?

From rmeggins at redhat.com Tue Jan 5 22:58:40 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 Jan 2010 15:58:40 -0700
Subject: [389-users] Trouble with upgrade
In-Reply-To: <4B43BE8A.9090701@cora.nwra.com>
References: <4B43ADD5.5030801@cora.nwra.com> <4B43B215.6090006@cora.nwra.com> <4B43B79C.2070200@redhat.com> <4B43BE8A.9090701@cora.nwra.com>
Message-ID: <4B43C420.5040307@redhat.com>

Orion Poplawski wrote:
> On 01/05/2010 03:05 PM, Rich Megginson wrote:
>> Does the entry cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
>> exist in your /etc/dirsrv/slapd-instance/dse.ldif?
>
> It does now.
>
>>> I installed 1.2.5-0.4.rc3 and the problem went away even though the
>>> /usr/share/dirsrv/updates/50smd5pwdstorageplugin.ldif file appears to
>>> be the same. Perhaps no longer applied?
>> If the entry is already in dse.ldif, when it is loaded, the plugin code
>> will add nsslapd-pluginDescription - this doesn't happen when adding
>> over LDAP.
>
> So perhaps 1.2.5 adds it to dse.ldif, but 1.2.4 did not?
I think that even though you got the error with 1.2.4, it was added anyway.

From rmeggins at redhat.com Tue Jan 5 23:26:42 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 Jan 2010 16:26:42 -0700
Subject: [389-users] Announcing 389 Directory Server 1.2.5 Release Candidate 4
Message-ID: <4B43CAB2.2090201@redhat.com>

The 389 team is pleased to announce the availability of Release Candidate 4 of version 1.2.5.

NOTE: Packages for Enterprise Linux are available from EPEL. We will no longer have a separate yum repo for these packages.

We need your help! Please help us test this software. It is a Release Candidate, so it is fairly stable at this point. We have worked hard to make sure upgrades from previous releases are as smooth as possible, and we would really appreciate feedback about upgrades. The Fedora system strongly encourages packages to be in Testing until verified and pushed to Stable. If we don't get any feedback while the packages are in Testing, the packages will remain in limbo, or get pushed to Stable.

The more testing we get, the faster we can release these packages to Stable.

The packages that need testing are:
* 389-ds-base-1.2.5.rc4

* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download

=== New features ===
None - this release is primarily to fix the bug about Active Directory password sync

=== Bugs Fixed ===
This release contains a couple of bug fixes. The complete list of bugs fixed is found at the link below.
Note that bugs marked as MODIFIED have been fixed but are still in testing.

* Tracking bug for 1.2.5 release - https://bugzilla.redhat.com/showdependencytree.cgi?id=533025&hide_resolved=0
* https://bugzilla.redhat.com/show_bug.cgi?id=537956 Password replication from 389DS to AD2008(64bit) fails, all other replication continues

From ajeetraina at gmail.com Wed Jan 6 11:03:59 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Wed, 6 Jan 2010 16:33:59 +0530
Subject: [389-users] Script to add
Message-ID: <6239e2931001060303p62668827s150fc5669cc91e9d@mail.gmail.com>

Can anyone help me with an automated script for 389 Clients to get automatically created? All I need is to run that script during boot time whenever any 389 Client gets added. That will probably save my time.

From erlingre at gmail.com Wed Jan 6 12:58:15 2010
From: erlingre at gmail.com (Erling Ringen Elvsrud)
Date: Wed, 6 Jan 2010 13:58:15 +0100
Subject: [389-users] Unable to make changes on a server from the management console
Message-ID: <664c5a071001060458h599aedacoc55cfd6dae042dd1@mail.gmail.com>

Hello,

I have this setup:
- One master directory server which also contains the configuration directory
- Two replicas, both use the configuration directory of the master.

I open the management console on the master like this:
/usr/bin/redhat-idm-console -a https://:9830

When authenticated I get the "Console" window with two tabs, "Servers and Application" and "Users and Groups". In the "Servers and Applications" tab I have the tree of directory server instances with my suffix at the top. I click "+" on one of the replica instances, and the "+" of the server group. I then open the directory server instance by clicking "open". The console window of that directory server instance then opens, with tabs "Tasks", "Configuration", "Directory" and "Status".
I want to, among other tasks, enable encryption for that instance, so I click the "Configuration" tab, and "Encryption". I check the "Enable SSL for this server" box. The problem is that both "Save" and "Reset" are grey, so I cannot commit my changes. Other actions like stop and start under "Tasks" abort with messages like "Directory server xyz could not be stopped".

Where should I look to correct this issue?

Thanks,
Erling Ringen Elvsrud

From kenneho.ndu at gmail.com Wed Jan 6 14:52:15 2010
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Wed, 6 Jan 2010 15:52:15 +0100
Subject: [389-users] Web interface to the user directory console?
In-Reply-To: <1601b8650912120838m4b05c4f6m2ec8787551504497@mail.gmail.com>
References: <1601b8650912120838m4b05c4f6m2ec8787551504497@mail.gmail.com>
Message-ID:

Cool, I'll give it a try.

- Kenneth

On Sat, Dec 12, 2009 at 5:38 PM, Andrey Ivanov <andrey.ivanov at polytechnique.fr> wrote:
> You can also install the console on your client machine (without
> directory server and admin server, just the java console) and start it
> locally. It will communicate with the port 9830 on the ldap server...
>
> 2009/12/11 Kenneth Holter :
> > Hi.
> >
> > We're setting up Red Hat Directory Server v8.1.0, and are able to access the
> > Directory Server console by issuing the redhat-idm-console script. I can
> > access the administration module by pointing my web browser to port 9830 on
> > the LDAP server. But is there a way to get access to the directory server
> > (i.e. user management and stuff) from a web interface? It would be great to
> > access the user directory via a web interface, instead of SSH'ing into
> > the ldap server and using X forwarding to get the console up and running.
> >
> > Best regards,
> > Kenneth Holter

From across at itasoftware.com Wed Jan 6 16:16:22 2010
From: across at itasoftware.com (Anne Cross)
Date: Wed, 6 Jan 2010 11:16:22 -0500 (EST)
Subject: [389-users] Announcing 389 Directory Server 1.2.5 Release Candidate 4
In-Reply-To: <32784637.1891262794110158.JavaMail.across@dops-acros>
Message-ID: <19890092.1911262794581842.JavaMail.across@dops-acros>

It looks like the Install_Guide (http://directory.fedoraproject.org/wiki/Install_Guide) needs to be updated for the testing entries.

I needed to run the following:
yum upgrade --enablerepo=epel-testing 389-ds-base

instead of:
yum upgrade --enablerepo=updates-testing

Still testing the rest of it...

-- juniper
From rmeggins at redhat.com Wed Jan 6 16:38:07 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 06 Jan 2010 09:38:07 -0700
Subject: [389-users] Announcing 389 Directory Server 1.2.5 Release Candidate 4
In-Reply-To: <19890092.1911262794581842.JavaMail.across@dops-acros>
References: <19890092.1911262794581842.JavaMail.across@dops-acros>
Message-ID: <4B44BC6F.5070409@redhat.com>

Anne Cross wrote:
> It looks like the Install_Guide (http://directory.fedoraproject.org/wiki/Install_Guide) needs to be updated for the testing entries.
>
> I needed to run the following:
> yum upgrade --enablerepo=epel-testing 389-ds-base
>
> instead of:
> yum upgrade --enablerepo=updates-testing
>
> Still testing the rest of it...
>
Thanks. I've corrected the Install_Guide and Download pages.
> -- juniper
From ajeetraina at gmail.com Thu Jan 7 07:12:48 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Thu, 7 Jan 2010 12:42:48 +0530
Subject: [389-users] Backup Script for complete 389 Server?
Message-ID: <6239e2931001062312s49ec7fa4w77cefb5dffe9fcec@mail.gmail.com>

Guys,

Has anyone ever written a script which will do a complete backup of the 389 Server?
Does 389 Server have such an inbuilt tool?
Pls Suggest.

From ajeetraina at gmail.com Thu Jan 7 07:18:11 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Thu, 7 Jan 2010 12:48:11 +0530
Subject: [389-users] How to install 389 Server through Script?
Message-ID: <6239e2931001062318v83eb376ge7677e5d389c5f08@mail.gmail.com>

Has anyone written a script to setup 389 Server configured with SSL?

From andrey.ivanov at polytechnique.fr Thu Jan 7 10:18:23 2010
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Thu, 7 Jan 2010 11:18:23 +0100
Subject: [389-users] Backup Script for complete 389 Server?
In-Reply-To: <6239e2931001062312s49ec7fa4w77cefb5dffe9fcec@mail.gmail.com>
References: <6239e2931001062312s49ec7fa4w77cefb5dffe9fcec@mail.gmail.com>
Message-ID: <1601b8651001070218k2ac40e4y6f1e0e10d66947fe@mail.gmail.com>

Hi,

there are several built-in tools for it:

# bak2db (Restore database from backup)
# db2bak (Create backup of database)
# db2ldif (Export database contents to LDIF)
# ldif2db (Import)
# ldif2ldap (Perform import operation over LDAP)

they can be used offline. There are also their counterparts with .pl extension. They can be used online.

You can read more about it over here :
http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Command_Line_Scripts.html

@+

2010/1/7 Ajeet S Raina :
>
> Guys,
>
> Has anyone ever written a script which will do a complete backup of the
> 389 Server?
> Does 389 Server have such an inbuilt tool?
> Pls Suggest.
>

From andrey.ivanov at polytechnique.fr Thu Jan 7 10:21:00 2010
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Thu, 7 Jan 2010 11:21:00 +0100
Subject: [389-users] How to install 389 Server through Script?
In-Reply-To: <6239e2931001062318v83eb376ge7677e5d389c5f08@mail.gmail.com>
References: <6239e2931001062318v83eb376ge7677e5d389c5f08@mail.gmail.com>
Message-ID: <1601b8651001070221l1879fb8eu4ea79285d36b9736@mail.gmail.com>

Hi,

look at this :
http://directory.fedoraproject.org/wiki/Howto:SSL#Starting_the_Server_with_SSL_enabled

2010/1/7 Ajeet S Raina :
>
> Has anyone written a script to set up 389 Server configured with SSL?
>

From alin.ilie at yellowgnu.net Wed Jan 6 20:28:38 2010
From: alin.ilie at yellowgnu.net (Alin Ilie)
Date: Wed, 06 Jan 2010 22:28:38 +0200
Subject: [389-users] FDS + SVN on Apache fails with error 500
Message-ID: <4B44F276.4080901@yellowgnu.net>

Hi,

I have installed 389-DS on Fedora 12 x86_64. I can authenticate other services against the DS. Unfortunately I cannot authenticate SVN over DS. It returns error 500.

My config file is:

DocumentRoot /var/www/svn
ServerName svn.matrixrom.ro

# Work around authz and SVNListParentPath issue
#RedirectMatch ^(/svn)$ $1/

# Enable Subversion logging
CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION

LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

#
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn". Each repository
# must be both:
#
# a) readable and writable by the 'apache' user, and
#
# b) labelled with the 'http_sys_content_rw_t' context if using
# SELinux
#
#
# To create a new repository "http://localhost/repos/stuff" using
# this configuration, run as root:
#
# # cd /var/www/svn
# # svnadmin create stuff
# # chown -R apache.apache stuff
# # chcon -R -t -t http_sys_content_rw_t stuff
#

DAV svn
SVNParentPath /var/www/svn

# List repositories collection
#SVNListParentPath On

# Enable WebDAV automatic versioning
SVNAutoversioning On

# Repository Display Name
SVNReposName "Subversion Repository"

# Limit write permission to list of valid users.
# Require SSL connection for password protection.
SSLRequire false
AuthType Basic
AuthName "Subversion Repository"
# AuthUserFile /path/to/passwdfile
# AuthUserFile /etc/httpd/passwdfile

#Alin
# Make LDAP the authentication mechanism
AuthBasicProvider ldap
AuthzLDAPMethod ldap
# AuthzLDAPAuthoritative on
# AuthLDAPBindDN "cn=Directory manager,dc=matrixrom,dc=ro"
# This is the password for the AuthLDAPBindDN user in Active Directory
# AuthLDAPBindPassword cascade123
AuthzLDAPServer localhost
AuthzLDAPUserBase ou=People,dc=matrixrom,dc=ro
AuthzLDAPUserKey uid
AuthzLDAPUserScope base
# AuthLDAPURL "ldap://localhost:389/ou=People,dc=matrixrom,dc=ro?uid?base?(ObjectClass=person)"
#Alin

Require valid-user

Options +Indexes FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all

The output in the httpd error log is:

[Wed Jan 06 23:06:41 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Wed Jan 06 23:06:41 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Wed Jan 06 23:06:41 2010] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 31358 for worker proxy:reverse
[Wed Jan 06 23:06:41 2010] [debug] proxy_util.c(1825): proxy: worker proxy:reverse already initialized
[Wed Jan 06 23:06:41 2010] [debug] proxy_util.c(1922): proxy: initialized single connection worker 0 in child 31358 for (*)
[Wed Jan 06 23:06:41 2010] [debug] proxy_util.c(1806): proxy: grabbed scoreboard slot 0 in child 31359 for worker proxy:reverse
[Wed Jan 06 23:06:41 2010] [debug] proxy_util.c(1825): proxy: worker proxy:reverse already initialized
[Wed Jan 06 23:06:41 2010] [debug] proxy_util.c(1922): proxy: initialized single connection worker 0 in child 31359 for (*)

Thank you very much,
Alin Ilie

--
This message has been scanned for viruses and dangerous content by MailScanner on Yellow! GNU server, and is believed to be clean.
From david.donnan at thalesgroup.com Tue Jan 5 12:17:18 2010
From: david.donnan at thalesgroup.com (David (Dave) Donnan)
Date: Tue, 05 Jan 2010 13:17:18 +0100
Subject: [389-users] certificate with subjectAltName
In-Reply-To: <1262649852.4358.0.camel@jaspav.ssiservices.biz>
References: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com> <4B421133.7040107@redhat.com> <4a3f02761001041523y519804dcn398648fbc67f37d6@mail.gmail.com> <1262649852.4358.0.camel@jaspav.ssiservices.biz>
Message-ID: <4B432DCE.5020508@thalesgroup.com>

Hello. My two centimes worth.

Although I use OpenSSL in test, I've never used altnames - sorry.

In prod we use a commercial CA. I find that if I want to use one or more altname(s) I must also specify the FQDN in the list of altnames.

Common Name:
wiki.a.b
Alternate Name (DNS):
wiki.a.b
wikisso.a.b

Cdlt, Dave
---
John A. Sullivan III wrote:
> On Tue, 2010-01-05 at 00:23 +0100, muzzol wrote:
>
>> 2010/1/4 Rich Megginson :
>>
>>> muzzol wrote:
>>> Did you specify the FQDN with the -h argument? What hostname did you give?
>>> The real hostname or the subjectAltName?
>>>
>> i've used FQDN for CN and additional DNS entry for subjectAltName.
>>
>> anyway, i've found that i get a different cert when signing it with
>> OpenSSL (openssl -req) and certutil (-C).
>>
>> i've created a sample CA with certutil and repeated all process. now i
>> dont get that error anymore.
>>
>> is this a known behaviour? is there any limitations with
>> subjectAltName and OpenSSL signing?
>>
>> anyone using OpenSSL to sign their DS certs?
>>
> We are (via OpenCA) but we are also doing server side key generation -
> John
>
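The CN-versus-subjectAltName rule this thread keeps running into, as an added example that is not code from any poster: a hostname checker over certificate dicts in the shape Python's ssl.SSLSocket.getpeercert() returns, so a live server cert can be fed in unchanged. It follows RFC 6125 / RFC 2818, which is why Dave's advice to repeat the FQDN in the altname list matters: once a dNSName SAN is present, clients compare only the SAN entries and the CN is ignored. The three sample certificates are constructed for the example, using the thread's host names.

```python
"""Hostname checking against a server certificate, as a TLS client does it.

Added example, not from the mailing list. Certificate dicts use the shape
ssl.SSLSocket.getpeercert() returns, so a live peer cert can be passed in
unchanged. Rules (RFC 6125 / RFC 2818): when the certificate carries any
dNSName subjectAltName, only those names are compared and the CN is ignored;
the CN is consulted only when no dNSName SAN is present. A wildcard must be
the whole leftmost label, matches exactly one label, and never matches the
bare parent domain.
"""
import socket
import ssl


def dns_name_matches(pattern, hostname):
    """Case-insensitive match of one dNSName/CN pattern against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.a.b" style: whole leftmost label, at least two labels after it,
    # no other wildcards ("wiki*.a.b" and "*.com" are rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False  # "*" covers exactly one label, never zero or several
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert):
    """dNSName entries of a getpeercert()-style dict (empty list if none)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """All commonName values from the subject RDN sequence."""
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def verify_hostname(cert, hostname):
    """Return (ok, reason). SAN dNSNames are authoritative when present."""
    sans = san_dns_names(cert)
    if sans:
        for name in sans:
            if dns_name_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, (f"{hostname!r} not among subjectAltName {sans}; "
                       "commonName is ignored because a dNSName SAN is present")
    for cn in common_names(cert):
        if dns_name_matches(cn, hostname):
            return True, f"matched commonName {cn!r} (no dNSName SAN present)"
    return False, f"{hostname!r} does not match common name {common_names(cert)}"


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch a live server cert (LDAPS port) in getpeercert() form.

    Built-in hostname checking is turned off only so the cert can be
    inspected with verify_hostname(); chain validation against cafile (or
    the system store) still applies."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real ones) mirroring the thread:
# the server is node1.example.com but clients connect to ldap.example.com.
CERT_CN_ONLY = {  # no SAN at all: produces the thread's "does not match common name"
    "subject": ((("commonName", "node1.example.com"),),),
}
CERT_SAN_WITHOUT_FQDN = {  # SAN present, but the real hostname only in the CN
    "subject": ((("commonName", "node1.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),),
}
CERT_SAN_WITH_FQDN = {  # Dave's recommendation: the FQDN repeated in the SAN
    "subject": ((("commonName", "node1.example.com"),),),
    "subjectAltName": (("DNS", "node1.example.com"), ("DNS", "ldap.example.com")),
}

if __name__ == "__main__":
    for label, cert in [("CN only", CERT_CN_ONLY),
                        ("SAN without FQDN", CERT_SAN_WITHOUT_FQDN),
                        ("SAN with FQDN", CERT_SAN_WITH_FQDN)]:
        for host in ("ldap.example.com", "node1.example.com"):
            ok, why = verify_hostname(cert, host)
            print(f"{label:17} {host:18} {'OK ' if ok else 'FAIL'} {why}")
```

Run against a real instance with `verify_hostname(fetch_peer_cert("ldap.example.com", cafile="/path/to/ca.pem"), "ldap.example.com")` to see which name the client would have accepted before installing a new certificate.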
From david.donnan at thalesgroup.com Tue Jan 5 12:28:21 2010
From: david.donnan at thalesgroup.com (David (Dave) Donnan)
Date: Tue, 05 Jan 2010 13:28:21 +0100
Subject: [389-users] certificate with subjectAltName or wildcards
In-Reply-To: <4B432DCE.5020508@thalesgroup.com>
References: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com> <4B421133.7040107@redhat.com> <4a3f02761001041523y519804dcn398648fbc67f37d6@mail.gmail.com> <1262649852.4358.0.camel@jaspav.ssiservices.biz> <4B432DCE.5020508@thalesgroup.com>
Message-ID: <4B433065.60400@thalesgroup.com>

Oups, as it's your own CA, you may want to investigate wildcard certificates, also (FQDN: *.domain.com):
http://web.archive.org/web/20071124072414/http://wp.netscape.com/eng/security/ssl_2.0_certificate.html
and search for the word encoding (ie. section Subject Common Name).

Cdlt, Dave
------
David (Dave) Donnan wrote:
> Hello. My two centimes worth.
>
> Although I use OpenSSL in test, I've never used altnames - sorry.
>
> In prod we use a commercial CA. I find that if I want to use one or
> more altname(s) I must also specify the FQDN in the list of altnames.
>
> Common Name:
> wiki.a.b
> Alternate Name (DNS):
> wiki.a.b
> wikisso.a.b
>
> Cdlt, Dave
> ---
> John A. Sullivan III wrote:
>> On Tue, 2010-01-05 at 00:23 +0100, muzzol wrote:
>>
>>> 2010/1/4 Rich Megginson :
>>>
>>>> muzzol wrote:
>>>> Did you specify the FQDN with the -h argument? What hostname did you give?
>>>> The real hostname or the subjectAltName?
>>>>
>>> i've used FQDN for CN and additional DNS entry for subjectAltName.
>>>
>>> anyway, i've found that i get a different cert when signing it with
>>> OpenSSL (openssl -req) and certutil (-C).
>>>
>>> i've created a sample CA with certutil and repeated all process. now i
>>> dont get that error anymore.
>>>
>>> is this a known behaviour? is there any limitations with
>>> subjectAltName and OpenSSL signing?
>>>
>>> anyone using OpenSSL to sign their DS certs?
>>>
>> We are (via OpenCA) but we are also doing server side key generation -
>> John
>>
>

From sblume at ims.uni-hannover.de Wed Jan 6 10:41:49 2010
From: sblume at ims.uni-hannover.de (Steffen Blume)
Date: Wed, 06 Jan 2010 11:41:49 +0100
Subject: [389-users] admin server under solaris not running
Message-ID: <4B4468ED.2020406@ims.uni-hannover.de>

Hello,

my admin server (apache/httpd.worker) is not starting under OpenSolaris (SunOS 5.11).
I added the error log below. Log level is debug. The only error msg is the last line from nss. I compiled 389 DS by myself.
Versions:
nss-3.12.4-with-nspr-4.8
389-ds-base-1.2.4
mod_nss-1.0.8
adminutil-1.1.8
389-admin-1.1.9

--------------------------
[Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2419): Entering mod_admserv_post_config - pid is [6597] init count is [0]
[Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2248): Entering do_admserv_post_config - pid is [6597]
[Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2256): Entering do_admserv_post_config - init count is [1]
[Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2280): [6597] Cache expiration set to 600 seconds
[Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2383): Added StartConfigDs task entry [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-ldap,cn=389 administration server,cn=server group,cn=ldap.mydomain.de,ou=mydomain.de,o=netscaperoot:start_config_ds:] for user [LocalSuper]
[Wed Jan 06 11:13:55 2010] [notice] Access Host filter is: *.mst.uni-hannover.de
[Wed Jan 06 11:13:55 2010] [notice] Access Address filter is: *
[Wed Jan 06 11:13:55 2010] [info] mod_unique_id: using ip addr xxx.xxx.xxx.xxx
Assertion failure: SECSuccess == rv, at sslnonce.c:156
--------------------------

Any advice?

Regards,
Steffen

--
Dipl.-Ing.
Steffen Blume
Institute of Microelectronic Systems
Leibniz Universität Hannover
Appelstr. 4, 30167 Hannover, Germany
phone : +49-511-762-19605
fax : +49-511-762-19601
mail : sblume at ims.uni-hannover.de

From muzzol at gmail.com Fri Jan 8 07:39:04 2010
From: muzzol at gmail.com (muzzol)
Date: Fri, 8 Jan 2010 08:39:04 +0100
Subject: [389-users] certificate with subjectAltName
In-Reply-To: <4B432DCE.5020508@thalesgroup.com>
References: <4a3f02761001040053t1a6a24c2j3b2385c5226f8fa1@mail.gmail.com> <4B421133.7040107@redhat.com> <4a3f02761001041523y519804dcn398648fbc67f37d6@mail.gmail.com> <1262649852.4358.0.camel@jaspav.ssiservices.biz> <4B432DCE.5020508@thalesgroup.com>
Message-ID: <4a3f02761001072339j4bfdfd20jd825ced543e3eb7e@mail.gmail.com>

2010/1/5 David (Dave) Donnan :
> Hello. My two centimes worth.
>
> Although I use OpenSSL in test, I've never used altnames - sorry.
>
> In prod we use a commercial CA. I find that if I want to use one or more
> altname(s) I must also specify the FQDN in the list of altnames.
>
> Common Name:
> wiki.a.b
> Alternate Name (DNS):
> wiki.a.b
> wikisso.a.b
>

didn't try that. i'll give it a shot.

thanks,
muzzol

From kenneho.ndu at gmail.com Fri Jan 8 12:48:58 2010
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Fri, 8 Jan 2010 13:48:58 +0100
Subject: [389-users] Is changes to the UID attribute on the directory server synced back to AD when using Windows sync?
Message-ID:

Hi.
We're using Windows sync on our (RedHat) directory server to fetch users from AD, and have a quick question about the UID attribute: It looks to me like the UID attribute that linux ldap clients use for authentication is an attribute created when one adds the posixaccount object class to the user object. In other words, when user "kenneth" is synced over from AD and I add the posixaccount object class, then the uid attribute is automatically created and populated with uid value "kenneth" from some (which one? "name"? "cn"?) AD attribute. Is this correct?

If so, can I assume that making changes to the uid attribute will not be reflected on the AD side?

Best regards,
Kenneth Holter

From ajeetraina at gmail.com Fri Jan 8 14:53:06 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Fri, 8 Jan 2010 20:23:06 +0530
Subject: [389-users] Constructing the Organization Structure
Message-ID: <6239e2931001080653m3b510225g3dfeef24193a8eff@mail.gmail.com>

Guys,

I have set up 389 server with the dc=im,dc=logic,dc=com domain component. I have been assigned work for setting up the structure in the following way:

There are two Locations: Noida and Hyderabad (we need to make them OUs. Is it possible?)
Under Noida there are 5 projects (P1-5) and 7 under Hyderabad (P1-7), whereas IM is included in both. There is an additional Project called OU=Groups.

The Overall Structure seems to be the following:

dc=im,dc=logic,dc=com
|
+-- Noida (Location)
|   +-- P-1
|   +-- P-2
|   +-- P-3
|   +-- IM
|   +-- OU=Group
|
+-- Hyderabad (Location)
    +-- P-1
    +-- P-2
    +-- P-3
    +-- IM

How can I design the following organization structure under 389 Server?
From ajeetraina at gmail.com Fri Jan 8 15:09:50 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Fri, 8 Jan 2010 20:39:50 +0530
Subject: [389-users] How to write a Low Level Plan for 389 Server Setup?
Message-ID: <6239e2931001080709l602bdd65kb12eb29bed0fa998@mail.gmail.com>

Hello All,

I attempted writing a Low Level Design for my 389 Server setup:

1 389 Design and architecture
2 Installing CentOS Machine
3 Installing 389 Directory Server
4 Setting up 389 SSL Configuration
5 User Group creation and Restriction on Domains
6 Password Ageing and Account Lockout policy
7 Access Control Usage
8 Creating and Maintaining the Database
9 Setting up 389 Clients (Linux, Solaris etc)
10 Documentation and Backup
11 Replication

I have a few suggestions needed for the following points:

1. Setting up 389 SSL Configuration - Is there any script?
2. Setting up 389 Clients (Linux, Solaris etc) - Is there any automatic script which could be put at boot time on all the clients?
3. Any script which creates organizational structure?

From rmeggins at redhat.com Fri Jan 8 15:19:32 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 08 Jan 2010 08:19:32 -0700
Subject: [389-users] Is changes to the UID attribute on the directory server synced back to AD when using Windows sync?
In-Reply-To:
References:
Message-ID: <4B474D04.9060808@redhat.com>

Kenneth Holter wrote:
> Hi.
>
> We're using Windows sync on our (RedHat) directory server to fetch
> users from AD, and have a quick question about the UID attribute: It
> looks to me like the UID attribute that linux ldap clients use for
> authentication is an attribute created when one adds the posixaccount
> object class to the user object. In other words, when user "kenneth"
> is synced over from AD and I add the posixaccount object class, then
> the uid attribute is automatically created and populated with uid
> value "kenneth" from some (which one?
> "name"? "cn"?) AD attribute. Is this correct?
Yes. The AD attribute samAccountName is used to populate the uid attribute on 389.
> If so, can I assume that making changes to the uid attribute will not
> be reflected on the AD side?
I'm not sure. uid and samAccountName are "special" attributes - not sure if they are synced - you could try it I suppose.
>
> Best regards,
> Kenneth Holter
>

From rmeggins at redhat.com Fri Jan 8 15:20:32 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 08 Jan 2010 08:20:32 -0700
Subject: [389-users] Constructing the Organization Structure
In-Reply-To: <6239e2931001080653m3b510225g3dfeef24193a8eff@mail.gmail.com>
References: <6239e2931001080653m3b510225g3dfeef24193a8eff@mail.gmail.com>
Message-ID: <4B474D40.7050605@redhat.com>

Ajeet S Raina wrote:
> Guys,
>
> I have set up 389 server with the dc=im,dc=logic,dc=com domain
> component. I have been assigned work for setting up the structure in the
> following way:
> There are two Locations: Noida and Hyderabad (we need to make them
> OUs. Is it possible?)
Why do you need to make it OUs? In general, it is best to keep the tree flat.
> Under Noida there are 5 projects (P1-5) and 7 under Hyderabad (P1-7),
> whereas IM is included in both. There is an additional Project called
> OU=Groups.
> The Overall Structure seems to be the following:
>
> dc=im,dc=logic,dc=com
> |
> +-- Noida (Location)
> |   +-- P-1
> |   +-- P-2
> |   +-- P-3
> |   +-- IM
> |   +-- OU=Group
> |
> +-- Hyderabad (Location)
>     +-- P-1
>     +-- P-2
>     +-- P-3
>     +-- IM
>
> How can I design the following organization structure under 389 Server?
>

From rmeggins at redhat.com Fri Jan 8 15:24:17 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 08 Jan 2010 08:24:17 -0700
Subject: [389-users] How to write a Low Level Plan for 389 Server Setup?
In-Reply-To: <6239e2931001080709l602bdd65kb12eb29bed0fa998@mail.gmail.com>
References: <6239e2931001080709l602bdd65kb12eb29bed0fa998@mail.gmail.com>
Message-ID: <4B474E21.9060900@redhat.com>

Ajeet S Raina wrote:
> Hello All,
> I attempted writing a Low Level Design for my 389 Server setup:
>
> 1 389 Design and architecture
> 2 Installing CentOS Machine
> 3 Installing 389 Directory Server
> 4 Setting up 389 SSL Configuration
> 5 User Group creation and Restriction on Domains
> 6 Password Ageing and Account Lockout policy
> 7 Access Control Usage
> 8 Creating and Maintaining the Database
> 9 Setting up 389 Clients (Linux, Solaris etc)
> 10 Documentation and Backup
> 11 Replication
>
> I have a few suggestions needed for the following points:
>
> 1. Setting up 389 SSL Configuration - Is there any script?
Have you seen http://directory.fedoraproject.org/wiki/Howto:SSL#Script
> 2. Setting up 389 Clients (Linux, Solaris etc) - Is there any automatic
> script which could be put at boot time on all the clients?
> 3. Any script which creates organizational structure?
setup-ds-admin.pl does this for you.
>

From rmeggins at redhat.com Fri Jan 8 15:33:16 2010
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 08 Jan 2010 08:33:16 -0700
Subject: [389-users] admin server under solaris not running
In-Reply-To: <4B4468ED.2020406@ims.uni-hannover.de>
References: <4B4468ED.2020406@ims.uni-hannover.de>
Message-ID: <4B47503C.8010504@redhat.com>

Steffen Blume wrote:
> Hello,
>
> my admin server (apache/httpd.worker) is not starting under
> OpenSolaris (SunOS 5.11).
> I added the error log below. Log level is debug. The only error msg is
> the last line from nss. I compiled 389 DS by myself.
> Versions:
> nss-3.12.4-with-nspr-4.8
> 389-ds-base-1.2.4
> mod_nss-1.0.8
> adminutil-1.1.8
> 389-admin-1.1.9
>
> --------------------------
> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2419): Entering mod_admserv_post_config - pid is [6597] init count is [0]
> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2248): Entering do_admserv_post_config - pid is [6597]
> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2256): Entering do_admserv_post_config - init count is [1]
> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2280): [6597] Cache expiration set to 600 seconds
> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2383): Added StartConfigDs task entry [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-ldap,cn=389 administration server,cn=server group,cn=ldap.mydomain.de,ou=mydomain.de,o=netscaperoot:start_config_ds:] for user [LocalSuper]
> [Wed Jan 06 11:13:55 2010] [notice] Access Host filter is: *.mst.uni-hannover.de
> [Wed Jan 06 11:13:55 2010] [notice] Access Address filter is: *
> [Wed Jan 06 11:13:55 2010] [info] mod_unique_id: using ip addr xxx.xxx.xxx.xxx
> Assertion failure: SECSuccess == rv, at sslnonce.c:156
>
Do you have a core
file for admin server? If not, can you run the admin server using a debugger?
> --------------------------
>
> Any advice?
>
> Regards,
> Steffen
>

From psundaram at wgen.net Fri Jan 8 15:36:20 2010
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Fri, 08 Jan 2010 10:36:20 -0500
Subject: [389-users] Constructing the Organization Structure
Message-ID:

Read this before you design/deploy.
http://www.redhat.com/docs/manuals/dir-server/8.1/deploy/index.html

You can take a look at the views as that might be of your interest and specified OU structure.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/using-views.html

PS: The default flat OU's are easier to maintain and manage.

-Prashanth

From james.roman at ssaihq.com Fri Jan 8 16:03:27 2010
From: james.roman at ssaihq.com (James Roman)
Date: Fri, 08 Jan 2010 11:03:27 -0500
Subject: [389-users] Is changes to the UID attribute on the directory server synced back to AD when using Windows sync?
In-Reply-To: <4B474D04.9060808@redhat.com>
References: <4B474D04.9060808@redhat.com>
Message-ID: <4B47574F.2020204@ssaihq.com>

Rich Megginson wrote:
> Kenneth Holter wrote:
>> Hi.
>>
>> We're using Windows sync on our (RedHat) directory server to fetch
>> users from AD, and have a quick question about the UID attribute: It
>> looks to me like the UID attribute that linux ldap clients use for
>> authentication is an attribute created when one adds the posixaccount
>> object class to the user object. In other words, when user "kenneth"
>> is synced over from AD and I add the posixaccount object class, then
>> the uid attribute is automatically created and populated with uid
>> value "kenneth" from some (which one? "name"? "cn"?) AD attribute. Is
>> this correct?
> Yes. The AD attribute samAccountName is used to populate the uid
> attribute on 389.
>> If so, can I assume that making changes to the uid attribute will not
>> be reflected on the AD side?
> I'm not sure. uid and samAccountName are "special" attributes - not
> sure if they are synced - you could try it I suppose.
We normally see the following:

1. AD Account created
2. FreeIPA winsync sees the new account and creates a new user based on the samAccountName (so the uid value is = to samaccountname AND ntuserdomainid=samaccountname)
3. winsync runs again and the uid attribute is written to the AD record.
4. if you change the uid in freeipa, winsync will change the uid value for the AD record, but not the samaccountname.
5. if you change the ntuserdomainid in freeipa, then the account will no longer sync. (So make sure you change the samaccountname in AD next.)

>>
>> Best regards,
>> Kenneth Holter
>>

From beyonddc.storage at gmail.com Fri Jan 8 16:08:29 2010
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 8 Jan 2010 11:08:29 -0500
Subject: [389-users] What is addRSA.ldif?
In-Reply-To: <20091231014127.GA17169@bakgwai.americas.hpqcorp.net>
References: <20e4c38c0912301504vfb3b1c6te46ece9891a2f640@mail.gmail.com> <20091231014127.GA17169@bakgwai.americas.hpqcorp.net>
Message-ID: <20e4c38c1001080808i58a21dfcsd95d890cfda0504d@mail.gmail.com>

oops, I missed your e-mail. Thank you for your answer, Patrick.

- David

On Wed, Dec 30, 2009 at 8:41 PM, wrote:
> On Wed, 30 Dec 2009, Chun Tat David Chu wrote:
>
>> Hi All,
>>
>> I am following the instruction on how to enable SSL via
>> http://www.directory.fedora.redhat.com/wiki/Howto:SSL
>>
>> One of the steps mentioned to create "addRSA.ldif".
>> What exactly does this file do? and why is it necessary?
>
> The file itself does nothing except give you a temporary place to store
> the config entry that will enable RSA encryption on your server. Once
> you've completed the ldapmodify step you can delete it.
>

From beyonddc.storage at gmail.com Fri Jan 8 16:19:14 2010
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 8 Jan 2010 11:19:14 -0500
Subject: [389-users] Unable to configure Replication via command line
Message-ID: <20e4c38c1001080819o72a37185r951974fc61b48feb@mail.gmail.com>

Hi All,

I am working on LDIF that will configure replication via command line. I'm following the direction documented in the Red Hat DS Administration Guide section 8.7. Particularly I am stuck in step 2 of 8.7.1 when configuring my suppliers.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Configuring-Replication-cmd.html#Configuring-Replication-Suppliers-cmd

Below is the output from my ldapmodify command.

adding new entry "cn=Replication Manager,cn=config"
adding new entry "cn=changelog5,cn=config"
adding new entry "cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config"
ldap_add: No such object (32)

As you can see, I was able to create my replication manager, and enabled the change log, however, I wasn't able to create the 'dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' entry. I can see from the directory console that 'cn="dc=example,dc=com",cn=mapping tree,cn=config' does exist in my directory console.

Is there anything that I did wrong in my LDIF? Can someone take a look? Thanks!!!
###############################################################################
###############################################################################
# Step 1 - Create Supplier Bind DN Entry
dn: cn=Replication Manager,cn=config
changetype: add
objectclass: top
objectclass: person
userPassword: password
sn: Replication Manager
description: The Replication Manager Account
###############################################################################
###############################################################################

###############################################################################
###############################################################################
# Step 2 - Configuring Suppliers from the Command Line
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-localhost/changelogdb
nsslapd-changelogmaxage: 10d

dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=example,dc=com
nsds5replicaid: 1
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=Replication Manager,cn=config
###############################################################################
###############################################################################

Thanks a lot!

- David
From beyonddc.storage at gmail.com Fri Jan 8 16:47:04 2010
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 8 Jan 2010 11:47:04 -0500
Subject: [389-users] Unable to configure Replication via command line
In-Reply-To: <20e4c38c1001080819o72a37185r951974fc61b48feb@mail.gmail.com>
References: <20e4c38c1001080819o72a37185r951974fc61b48feb@mail.gmail.com>
Message-ID: <20e4c38c1001080847p6479d97an690075bd7d97d154@mail.gmail.com>

uh.... okay, I got it working now.

In my LDIF, the dn to create the "cn=replica" should be 'dn: cn=replica,cn="dc=example, dc=com",cn=mapping tree,cn=config'

A space is needed between "dc=example," and "dc=com". I am not sure why though, but that made it work.

- David

On Fri, Jan 8, 2010 at 11:19 AM, Chun Tat David Chu <beyonddc.storage at gmail.com> wrote:
> Hi All,
>
> I am working on LDIF that will configure replication via command line. I'm
> following the direction documented in the Red Hat DS Administration Guide
> section 8.7. Particularly I am stuck in step 2 of 8.7.1 when configuring my
> suppliers.
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Replication-Configuring-Replication-cmd.html#Configuring-Replication-Suppliers-cmd
>
> Below is the output from my ldapmodify command.
> adding new entry "cn=Replication Manager,cn=config"
> adding new entry "cn=changelog5,cn=config"
> adding new entry "cn=replica,cn="dc=example,dc=com",cn=mapping
> tree,cn=config"
> ldap_add: No such object (32)
>
> As you can see, I was able to create my replication manager, and enabled
> the change log, however, I wasn't able to create the 'dn:
> cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' entry. I can
> see from the directory console that 'cn="dc=example,dc=com",cn=mapping
> tree,cn=config' does exist in my directory console.
>
> Is there anything that I did wrong in my LDIF? Can someone take a look?
> Thanks!!!
>
> ###############################################################################
> ###############################################################################
> # Step 1 - Create Supplier Bind DN Entry
> dn: cn=Replication Manager,cn=config
> changetype: add
> objectclass: top
> objectclass: person
> userPassword: password
> sn: Replication Manager
> description: The Replication Manager Account
> ###############################################################################
> ###############################################################################
>
> ###############################################################################
> ###############################################################################
> # Step 2 - Configuring Suppliers from the Command Line
> dn: cn=changelog5,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> cn: changelog5
> nsslapd-changelogdir: /var/lib/dirsrv/slapd-localhost/changelogdb
> nsslapd-changelogmaxage: 10d
>
> dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
> changetype: add
> objectclass: top
> objectclass: nsds5replica
> objectclass: extensibleObject
> cn: replica
> nsds5replicaroot: dc=example,dc=com
> nsds5replicaid: 1
> nsds5replicatype: 3
> nsds5flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsds5ReplicaBindDN: cn=Replication Manager,cn=config
> ###############################################################################
> ###############################################################################
>
> Thanks a lot!
>
> - David
>
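The failure David hit and then worked around by hand, as an added example that is not from the thread: the replica entry must be added under the existing cn="<suffix>",cn=mapping tree,cn=config entry, and his follow-up shows that the quoted RDN value has to be given exactly as the server stores it (his had a space after the comma). Rather than retyping it, this helper reads the mapping tree subtree (a constructed sample below, in the form ldapsearch prints) and builds the add-LDIF from the stored DN; `normalize_suffix` is a deliberately loose comparison used only for lookup, not the server's own DN normalization.

```python
"""Generate the cn=replica add-LDIF from the mapping tree entry's stored DN.

Added example, not from the thread. The replica entry is created under the
existing cn="<suffix>",cn=mapping tree,cn=config entry, whose quoted RDN
value must be reproduced exactly as stored (David's had a space after the
comma). So: look the entry up loosely, then copy its DN verbatim.

In practice feed this the output of (assumed invocation):
  ldapsearch -x -D "cn=Directory Manager" -W -b "cn=mapping tree,cn=config" \
      "(objectClass=nsMappingTree)" cn nsslapd-backend
"""
import re

# Constructed sample of the mapping tree subtree (not real server output);
# note the space inside the quoted RDN value, as in David's instance.
SAMPLE_MAPPING_TREE_LDIF = """\
dn: cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
cn: mapping tree

dn: cn="dc=example, dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: "dc=example, dc=com"
nsslapd-state: backend
nsslapd-backend: userRoot

dn: cn="o=netscaperoot",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: "o=netscaperoot"
nsslapd-state: backend
nsslapd-backend: NetscapeRoot
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lower: [values]}).
    Joins continuation lines (leading space), skips comments; no base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(key.lower(), []).append(value)
    return entries


def normalize_suffix(dn):
    """Loose form for comparison only: lowercase, no surrounding quotes,
    no whitespace around ',' and '='. Never use this for what is written."""
    s = dn.strip().strip('"').lower()
    s = re.sub(r"\s*,\s*", ",", s)
    return re.sub(r"\s*=\s*", "=", s)


def find_mapping_tree_dn(ldif_text, suffix):
    """Stored DN of the nsMappingTree entry for suffix, exactly as printed
    (quotes, spacing and case preserved)."""
    want = normalize_suffix(suffix)
    for dn, attrs in parse_ldif(ldif_text):
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "nsmappingtree" not in classes:
            continue
        if any(normalize_suffix(cn) == want for cn in attrs.get("cn", [])):
            return dn
    raise LookupError(f"no mapping tree entry for suffix {suffix!r}")


def replica_ldif(parent_dn, suffix, replica_id, bind_dn):
    """Supplier replica add-LDIF under the stored parent DN (same attribute
    set David used)."""
    return (
        f"dn: cn=replica,{parent_dn}\n"
        "changetype: add\n"
        "objectclass: top\n"
        "objectclass: nsds5replica\n"
        "objectclass: extensibleObject\n"
        "cn: replica\n"
        f"nsds5replicaroot: {suffix}\n"
        f"nsds5replicaid: {replica_id}\n"
        "nsds5replicatype: 3\n"
        "nsds5flags: 1\n"
        "nsds5ReplicaPurgeDelay: 604800\n"
        f"nsds5ReplicaBindDN: {bind_dn}\n"
    )


if __name__ == "__main__":
    parent = find_mapping_tree_dn(SAMPLE_MAPPING_TREE_LDIF, "dc=example,dc=com")
    print(replica_ldif(parent, "dc=example,dc=com", 1,
                       "cn=Replication Manager,cn=config"))
```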
URL:

From ajeetraina at gmail.com Fri Jan 8 16:56:32 2010 From: ajeetraina at gmail.com (Ajeet S Raina) Date: Fri, 8 Jan 2010 22:26:32 +0530 Subject: [389-users] Constructing the Organization Structure In-Reply-To: <4B474D40.7050605@redhat.com> References: <6239e2931001080653m3b510225g3dfeef24193a8eff@mail.gmail.com> <4B474D40.7050605@redhat.com> Message-ID: <6239e2931001080856q15e5201dy588496aa677c3848@mail.gmail.com> Let me explain the requirement. 1. We have different projects in Noida and Hyderabad. Those projects are running on Linux machines. We are setting up the 389 server so that these project machine clients can authenticate through 389 server credentials (just like ADS clients). Now we need to set up for the same. As of now there are 15 sysadmins in Noida and 30 sysadmins in Hyderabad. We need to set up for them. 2. Can we provide self service for these users to fill in the data themselves? I don't know how it's going to work, but can it be done? 3. Users should be able to change password after 90 days. 4. We need to set up a master-slave replication structure too. Please suggest. -------------- next part -------------- An HTML attachment was scrubbed... URL:

From patrick.morris at hp.com Fri Jan 8 17:04:03 2010 From: patrick.morris at hp.com (Morris, Patrick) Date: Fri, 08 Jan 2010 09:04:03 -0800 Subject: [389-users] /etc/sudoers VS sudo-objects in directory server In-Reply-To: <12686161.1661262635824478.JavaMail.across@dops-acros> References: <12686161.1661262635824478.JavaMail.across@dops-acros> Message-ID: <4B476583.7050004@hp.com> Anne Cross wrote: >> Hi Anne! >> >> On Thu, 31 Dec 2009, Anne Cross wrote: >> >> >>> As I understood it, you could only use entries in /etc/group as opposed to using LDAP groups (which is what we're after.) Our goal was to not need to manage locally stored files - we might as well manage /etc/sudoers as /etc/group in that instance. >>> >>> >> You understood incorrectly. You can use LDAP groups. >> > > Oh wow. You just made my day.
> Could I ask for an example of how you're defining it inside of a sudoers object? I'd *really* appreciate it. The last time I went digging through the documentation, I couldn't find any examples, and now "assume" is making an idiot out of me.
>
You don't need to do anything special. Assuming your system is configured to look in LDAP for groups, you just specify them by preceding them with an @, just like local groups.

From ajeetraina at gmail.com Fri Jan 8 18:04:05 2010 From: ajeetraina at gmail.com (Ajeet S Raina) Date: Fri, 8 Jan 2010 23:34:05 +0530 Subject: [389-users] How to start 389 Server? Message-ID: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> I have installed the 389 package through: #yum install 389-ds But no idea how to proceed further. How can I start the directory server? -------------- next part -------------- An HTML attachment was scrubbed... URL:

From rmeggins at redhat.com Fri Jan 8 18:05:37 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 08 Jan 2010 11:05:37 -0700 Subject: [389-users] Constructing the Organization Structure In-Reply-To: <6239e2931001080856q15e5201dy588496aa677c3848@mail.gmail.com> References: <6239e2931001080653m3b510225g3dfeef24193a8eff@mail.gmail.com> <4B474D40.7050605@redhat.com> <6239e2931001080856q15e5201dy588496aa677c3848@mail.gmail.com> Message-ID: <4B4773F1.3030307@redhat.com> Ajeet S Raina wrote: > Let me explain the requirement. > 1. We have different projects in Noida and Hyderabad. > Those projects are running on Linux machines. We are setting up the 389 > server so that these project machine clients can authenticate through > 389 server credentials (just like ADS clients). Now we need to set up > for the same. As of now there are 15 sysadmins in Noida and 30 sysadmins > in Hyderabad. We need to set up for them. Ah - so you are using windows sync, so you must maintain the same tree structure between AD and 389?
> > 2.Can we provide Self Service for these users to fill up the data > themselves?I dont know how gonna it work but can it be done. Yes. Use the 389-dsgw package - this provides a web app that can be used for self service, including allowing the user to change his/her password. > 3.Users should be able to change password after 90 days. You can control this with password policy > 4.We need to setup Master -Slave Replication structure too. None of this would require using a hierarchical tree with multiple OU containers, except if you are using windows sync. > > Pls Suggest. > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From andrey.ivanov at polytechnique.fr Fri Jan 8 18:41:25 2010 From: andrey.ivanov at polytechnique.fr (Andrey Ivanov) Date: Fri, 8 Jan 2010 19:41:25 +0100 Subject: [389-users] How to start 389 Server? In-Reply-To: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> References: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> Message-ID: <1601b8651001081041j5fa6f17bma49f1e1bdf863d23@mail.gmail.com> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Directory_Server_on_Linux-download.html 2010/1/8 Ajeet S Raina : > > > I have installed 389 Package through: > #yum install 389-ds > > But no idea how to proceed further. > How can I start the directory server? > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From rmeggins at redhat.com Fri Jan 8 18:53:32 2010 From: rmeggins at redhat.com (Rich Megginson) Date: Fri, 08 Jan 2010 11:53:32 -0700 Subject: [389-users] How to start 389 Server? 
In-Reply-To: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> References: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> Message-ID: <4B477F2C.1050200@redhat.com> Ajeet S Raina wrote: > > > I have installed 389 Package through: > #yum install 389-ds > > But no idea how to proceed further. > How can I start the directory server? http://directory.fedoraproject.org/wiki/Install_Guide > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From patrick.morris at hp.com Fri Jan 8 23:27:53 2010 From: patrick.morris at hp.com (patrick.morris at hp.com) Date: Fri, 8 Jan 2010 15:27:53 -0800 Subject: [389-users] testing Enforcing password policy In-Reply-To: <4a3f02761001050131i21a1b4afy3fa07e9be599bc67@mail.gmail.com> References: <4a3f02761001050131i21a1b4afy3fa07e9be599bc67@mail.gmail.com> Message-ID: <20100108232753.GI17169@bakgwai.americas.hpqcorp.net> Hi muzzol! On Tue, 05 Jan 2010, muzzol wrote: > hi, > > which attributes are used to hold password policy information? > > i want to test it and i tried to change passwordexpirationtime to > force expiration/warning but no success. It depends, but that particular attribute is stored directly in the account record. After changing it, how did you test? Several things could have caused your issue: 1. A typo. 2. You don't have password expiration enabled for that user, or that user's part of your LDAP tree, or globally. 3. You didn't test with something that pays attention to the password expiration attributes. Just tweaking that attribute will do nothing in itself, but without knowing what else you did or how you tested it'd be very difficult to try to explain why it didn't work. 
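An added example for the sudoers-in-LDAP exchange above (Patrick Morris's reply to Anne Cross): a sudoRole rule granting a group that exists only in the directory, not in /etc/group, the right to run two commands as root. It is not the list's or sudo's own code; the ou names, the group, its members and the commands are assumptions, and the prefixes are the ones sudoers.ldap(5) documents, where a Unix group is written with a leading % and a netgroup with a leading +.

```ldif
# Added example (not from the thread): an LDAP-defined POSIX group used
# directly in a sudoRole. Assumed names: ou=Groups, ou=SUDOers,
# cn=sysadmins, members alice and bob, and the two commands.
# Prerequisites on the server: the sudo LDAP schema loaded into 389 DS
# (sudo ships one for iPlanet/389-style servers). On each client:
#   sudoers_base ou=SUDOers,dc=example,dc=com   in the LDAP client config
#   sudoers: files ldap                        in /etc/nsswitch.conf

# The group. Resolved through NSS (nss_ldap or sssd), so the same object
# decides both "id alice" on the box and the sudo match below.
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: posixGroup
cn: sysadmins
gidNumber: 5000
memberUid: alice
memberUid: bob

# Defaults entry, the LDAP equivalent of a "Defaults" line in /etc/sudoers.
# Deliberately without !authenticate: members still type their own password.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
changetype: add
objectClass: top
objectClass: sudoRole
cn: defaults
description: default sudoOptions
sudoOption: env_reset

# The rule. sudoUser: %sysadmins matches any member of that group as seen
# through the client's NSS, so the group must resolve on the client, not
# merely exist in the directory. sudoRunAsUser is the current attribute
# name; sudo releases before 1.7 used sudoRunAs.
dn: cn=sysadmins_service,ou=SUDOers,dc=example,dc=com
changetype: add
objectClass: top
objectClass: sudoRole
cn: sysadmins_service
description: sysadmins may restart services and run yum
sudoUser: %sysadmins
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /sbin/service
sudoCommand: /usr/bin/yum
```

The access-control consequence is worth stating: whoever can write memberUid on cn=sysadmins, or add entries under ou=SUDOers, can grant root on every host that reads this subtree, so the ACIs on both containers should allow writes to a small admin group only, and clients should read the rules over TLS so the rule set cannot be altered in transit. Test a rule with "sudo -l" as a member of the group; it lists the LDAP rules it matched, and "sudo -U alice -l" as root shows what a given user would get.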
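An added example tying together three messages above: Ajeet's requirement that users change their password after 90 days, Rich Megginson's answer that password policy controls this, and Patrick Morris's point that setting passwordExpirationTime on an account does nothing unless expiration is enabled for it. The first change turns on the global policy in cn=config; the second forces one account's password to expire so that the policy can be tested. This is not the list's own code; the user DN and the numeric values are assumptions.

```ldif
# Added example (not from the thread): global password policy on
# cn=config with a 90-day lifetime, then a forced expiry for testing.
# Assumed values: the 90-day age, a 7-day warning, 6 passwords of
# history, and the account uid=alice,ou=People,dc=example,dc=com.
dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7776000
-
replace: passwordWarning
passwordWarning: 604800
-
replace: passwordMustChange
passwordMustChange: on
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 6
-
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on

# passwordExpirationTime is an operational attribute on the account,
# in GeneralizedTime (UTC). It is only consulted when passwordExp is on
# for the policy that applies to the entry; with passwordExp off this
# modify succeeds and changes nothing observable, which is the failure
# mode discussed above.
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
replace: passwordExpirationTime
passwordExpirationTime: 20100101000000Z
```

passwordMaxAge and passwordWarning are in seconds (7776000 is 90 days, 604800 is 7 days). passwordIsGlobalPolicy makes the server replicate the per-account state (passwordExpirationTime, retry counters) to the other masters and consumers, which matters once the master-slave setup from the same thread exists; without it each server keeps its own copy. To see the effect, bind as the test user with a client that reports 389's password-expired and password-expiring response controls (the PAM modules and the console do): an expired password is refused with result 49, and a bind inside the warning window succeeds but carries the expiring control. A plain anonymous ldapsearch of the entry shows nothing different, so it is not a valid test.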
From manoj.chauhan at ymail.com Sat Jan 9 04:08:07 2010 From: manoj.chauhan at ymail.com (Manoj S Chauhan) Date: Sat, 9 Jan 2010 09:38:07 +0530 (IST) Subject: [389-users] How to start 389 Server? In-Reply-To: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> Message-ID: <519196.20474.qm@web95008.mail.in2.yahoo.com> Dear All, I installed 389-dirsrv. I just want to know how to authenticate Windows XP against 389-dirsrv. Thanks, Manoj Chauhan --- On Fri, 8/1/10, Ajeet S Raina wrote: From: Ajeet S Raina Subject: [389-users] How to start 389 Server? To: "General discussion list for the 389 Directory server project." Date: Friday, 8 January, 2010, 11:34 PM I have installed 389 Package through: #yum install 389-ds But no idea how to proceed further. How can I start the directory server? -----Inline Attachment Follows----- -- 389 users mailing list 389-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users The INTERNET now has a personality. YOURS! See your Yahoo! Homepage. http://in.yahoo.com/ -------------- next part -------------- An HTML attachment was scrubbed... URL:

From ajeetraina at gmail.com Sat Jan 9 06:23:59 2010 From: ajeetraina at gmail.com (Ajeet S Raina) Date: Sat, 9 Jan 2010 11:53:59 +0530 Subject: [389-users] How to start 389 Server? In-Reply-To: <1601b8651001081041j5fa6f17bma49f1e1bdf863d23@mail.gmail.com> References: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> <1601b8651001081041j5fa6f17bma49f1e1bdf863d23@mail.gmail.com> Message-ID: <6239e2931001082223p673b9c45oec26c9214035fe3@mail.gmail.com> Guys, I just ran: /usr/sbin/setup-ds.pl And it went through: It is recommended that you have "root" privilege to set up the software. Tips for using this program: - Press "Enter" to choose the default and go to the next screen - Type "Control-B" or the word "back" then "Enter" to go back to the previous screen - Type "Control-C" to cancel the setup program Would you like to continue with set up?
[yes]: yes ============================================================================== BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE. Do you agree to the license terms? [no]: yes ============================================================================== Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment. 389 Directory Server system tuning analysis version 10-AUGUST-2007. NOTICE : System is i686-unknown-linux2.6.18-164.el5 (1 processor). ERROR : Only 249MB of physical memory is available on the system. 256MB is the recommended minimum. 1024MB is recommended for best performance on large production system. NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections. WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections. WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections. ERROR : The above errors MUST be corrected before proceeding. Would you like to continue? [no]: yes ============================================================================== Choose a setup type: 1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. 
Choose a setup type [2]: 2 ============================================================================== Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: eros.example.com. To accept the default shown in brackets, press the Enter key. Computer name [389-ds.sap.com]: ============================================================================== The server must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the server, create this user and group using your native operating system utilities. System User [nobody]: fds System Group [nobody]: fds ============================================================================== The standard directory server network port number is 389. However, if you are not logged as the superuser, or port 389 is in use, the default value will be a random unused port number greater than 1024. If you want to use port 389, make sure that you are logged in as the superuser, that port 389 is not in use. Directory server network port [389]: ============================================================================== Each instance of a directory server requires a unique identifier. This identifier is used to name the various instance specific files and directories in the file system, as well as for other uses as a server instance identifier. Directory server identifier [389-ds]: ============================================================================== The suffix is the root of your directory tree. The suffix must be a valid DN. It is recommended that you use the dc=domaincomponent suffix convention. For example, if your domain is example.com, you should use dc=example,dc=com for your suffix. 
Setup will create this initial suffix for you, but you may have more than one suffix. Use the directory server utilities to create additional suffixes. Suffix [dc=sap, dc=com]: dc=ist,dc=sap,dc=com ============================================================================== Certain directory server operations require an administrative user. This user is referred to as the Directory Manager and typically has a bind Distinguished Name (DN) of cn=Directory Manager. You will also be prompted for the password for this user. The password must be at least 8 characters long, and contain no spaces. Press Control-B or type the word "back", then Enter to back up and start over. Directory Manager DN [cn=Directory Manager]: Password: Password (confirm): Your new DS instance '389-ds' was successfully created. Exiting . . . Log file is '/tmp/setupB947eW.log' I wonder if that is the overall step. Am I missing something? Do I need to run other scripts like setup-ds-admin.pl and setup-ds-dsgw? On Sat, Jan 9, 2010 at 12:11 AM, Andrey Ivanov < andrey.ivanov at polytechnique.fr> wrote: > > http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Directory_Server_on_Linux-download.html > > 2010/1/8 Ajeet S Raina : > > > > > > I have installed 389 Package through: > > #yum install 389-ds > > > > But no idea how to proceed further. > > How can I start the directory server? > > > > > > > > -- > > 389 users mailing list > > 389-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- "It is not possible to rescue everyone who is caught in the Windows quicksand --Make sure you are on solid Linux ground before trying." -------------- next part -------------- An HTML attachment was scrubbed...
URL:

From ajeetraina at gmail.com Sat Jan 9 06:33:25 2010 From: ajeetraina at gmail.com (Ajeet S Raina) Date: Sat, 9 Jan 2010 12:03:25 +0530 Subject: [389-users] How to start 389 Server? In-Reply-To: <6239e2931001082223p673b9c45oec26c9214035fe3@mail.gmail.com> References: <6239e2931001081004w3b3a6458h608e69444346ba03@mail.gmail.com> <1601b8651001081041j5fa6f17bma49f1e1bdf863d23@mail.gmail.com> <6239e2931001082223p673b9c45oec26c9214035fe3@mail.gmail.com> Message-ID: <6239e2931001082233p20077f4fxf063aa2083af367f@mail.gmail.com> I tried running setup-ds-admin.pl but got stuck!!! [root at localhost sbin]# /usr/sbin/setup-ds-admin.pl ============================================================================== This program will set up the 389 Directory and Administration Servers. It is recommended that you have "root" privilege to set up the software. Tips for using this program: - Press "Enter" to choose the default and go to the next screen - Type "Control-B" then "Enter" to go back to the previous screen - Type "Control-C" to cancel the setup program Would you like to continue with set up? [yes]: yes ============================================================================== BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE. Do you agree to the license terms? [no]: yes ============================================================================== Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment. 389 Directory Server system tuning analysis version 10-AUGUST-2007. NOTICE : System is i686-unknown-linux2.6.18-164.el5 (1 processor). ERROR : Only 249MB of physical memory is available on the system.
256MB is the recommended minimum. 1024MB is recommended for best performance on large production system. NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections. WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections. WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections. ERROR : The above errors MUST be corrected before proceeding. Would you like to continue? [no]: yes ============================================================================== Choose a setup type: 1. Express Allows you to quickly set up the servers using the most common options and pre-defined defaults. Useful for quick evaluation of the products. 2. Typical Allows you to specify common defaults and options. 3. Custom Allows you to specify more advanced options. This is recommended for experienced server administrators only. To accept the default shown in brackets, press the Enter key. Choose a setup type [2]: 2 ============================================================================== Enter the fully qualified domain name of the computer on which you're setting up server software. Using the form . Example: eros.example.com. To accept the default shown in brackets, press the Enter key. Computer name [389-ds.sap.com]: ============================================================================== The servers must run as a specific user in a specific group. It is strongly recommended that this user should have no privileges on the computer (i.e. a non-root user). The setup procedure will give this user/group some permissions in specific paths/files to perform server-specific operations. If you have not yet created a user and group for the servers, create this user and group using your native operating system utilities. 
System User [nobody]: fds System Group [nobody]: fds ============================================================================== Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers. If you have already set up a configuration directory server, you should register any servers you set up or create with the configuration server. To do so, the following information about the configuration server is required: the fully qualified host name of the form .(e.g. hostname.example.com), the port number (default 389), the suffix, the DN and password of a user having permission to write the configuration information, usually the configuration directory administrator, and if you are using security (TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port number (default 636) instead of the regular LDAP port number, and provide the CA certificate (in PEM/ASCII format). If you do not yet have a configuration directory server, enter 'No' to be prompted to set up one. Do you want to register this software with an existing configuration directory server? [no]: yes ============================================================================== Please specify the information about your configuration directory server. The following information is required: - host (fully qualified), port (non-secure or secure), suffix, protocol (ldap or ldaps) - this information should be provided in the form of an LDAP url e.g. 
for non-secure ldap://host.example.com:389/o=NetscapeRoot or for secure ldaps://host.example.com:636/o=NetscapeRoot - admin ID and password - admin domain - a CA certificate file may be required if you choose to use ldaps and security has not yet been configured - the file must be in PEM/ASCII format - specify the absolute path and filename Configuration directory server URL [ldap:// 389-ds.sap.com:45474/o=NetscapeRoot]: Configuration directory server admin ID [admin]: Configuration directory server admin password: Configuration directory server admin domain [sapient.com]:password123 The server 'ldap://389-ds.sap.com:45474/o=NetscapeRoot' is not reachable. Error: unknown error Please try again, in case you mis-typed something. Configuration directory server URL [ldap:// 389-ds.sap.com:45474/o=NetscapeRoot]: Configuration directory server admin ID [admin]: Configuration directory server admin password: Configuration directory server admin domain [!nfra1sst]: The server 'ldap://389-ds.sap.com:45474/o=NetscapeRoot' is not reachable. Error: unknown error Please try again, in case you mis-typed something. Configuration directory server URL [ldap:// 389-ds.sap.com:45474/o=NetscapeRoot]: Any idea what I may be missing? On Sat, Jan 9, 2010 at 11:53 AM, Ajeet S Raina wrote: > Guys, > > I just ran : > /usr/sbin/setup-ds.pl > > And it went through: > It is recommended that you have "root" privilege to set up the software. > Tips for using this program: > - Press "Enter" to choose the default and go to the next screen > - Type "Control-B" or the word "back" then "Enter" to go back to the > previous screen > - Type "Control-C" to cancel the setup program > Would you like to continue with set up? [yes]: yes > > ============================================================================== > BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY > AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE > LICENSE.TXT FILE. 
IF YOU DO NOT AGREE TO ALL OF THE TERMS > OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE. > Do you agree to the license terms? [no]: yes > > ============================================================================== > Your system has been scanned for potential problems, missing patches, > etc. The following output is a report of the items found that need to > be addressed before running this software in a production > environment. > 389 Directory Server system tuning analysis version 10-AUGUST-2007. > NOTICE : System is i686-unknown-linux2.6.18-164.el5 (1 processor). > ERROR : Only 249MB of physical memory is available on the system. 256MB is > the > recommended minimum. 1024MB is recommended for best performance on large > production system. > NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds > (120 minutes). This may cause temporary server congestion from lost > client connections. > WARNING: There are only 1024 file descriptors (hard limit) available, which > limit the number of simultaneous connections. > WARNING: There are only 1024 file descriptors (soft limit) available, which > limit the number of simultaneous connections. > ERROR : The above errors MUST be corrected before proceeding. > Would you like to continue? [no]: yes > > ============================================================================== > Choose a setup type: > 1. Express > Allows you to quickly set up the servers using the most > common options and pre-defined defaults. Useful for quick > evaluation of the products. > 2. Typical > Allows you to specify common defaults and options. > 3. Custom > Allows you to specify more advanced options. This is > recommended for experienced server administrators only. > To accept the default shown in brackets, press the Enter key. 
> Choose a setup type [2]: 2 > > ============================================================================== > Enter the fully qualified domain name of the computer > on which you're setting up server software. Using the form > . > Example: eros.example.com. > To accept the default shown in brackets, press the Enter key. > Computer name [389-ds.sap.com]: > > ============================================================================== > The server must run as a specific user in a specific group. > It is strongly recommended that this user should have no privileges > on the computer (i.e. a non-root user). The setup procedure > will give this user/group some permissions in specific paths/files > to perform server-specific operations. > If you have not yet created a user and group for the server, > create this user and group using your native operating > system utilities. > System User [nobody]: fds > System Group [nobody]: fds > > ============================================================================== > The standard directory server network port number is 389. However, if > you are not logged as the superuser, or port 389 is in use, the > default value will be a random unused port number greater than 1024. > If you want to use port 389, make sure that you are logged in as the > superuser, that port 389 is not in use. > Directory server network port [389]: > > ============================================================================== > Each instance of a directory server requires a unique identifier. > This identifier is used to name the various > instance specific files and directories in the file system, > as well as for other uses as a server instance identifier. > Directory server identifier [389-ds]: > > ============================================================================== > The suffix is the root of your directory tree. The suffix must be a valid > DN. > It is recommended that you use the dc=domaincomponent suffix convention. 
> For example, if your domain is example.com, > you should use dc=example,dc=com for your suffix. > Setup will create this initial suffix for you, > but you may have more than one suffix. > Use the directory server utilities to create additional suffixes. > Suffix [dc=sap, dc=com]: dc=ist,dc=sap,dc=com > > ============================================================================== > Certain directory server operations require an administrative user. > This user is referred to as the Directory Manager and typically has a > bind Distinguished Name (DN) of cn=Directory Manager. > You will also be prompted for the password for this user. The password > must > be at least 8 characters long, and contain no spaces. > Press Control-B or type the word "back", then Enter to back up and start > over. > Directory Manager DN [cn=Directory Manager]: > Password: > Password (confirm): > Your new DS instance '389-ds' was successfully created. > Exiting . . . > Log file is '/tmp/setupB947eW.log' > > I wonder if that is the overall step.Am I missing something. > Do I need to run other scripts like setup-ds-admin.pl and setup-ds-dsgw. > On Sat, Jan 9, 2010 at 12:11 AM, Andrey Ivanov < > andrey.ivanov at polytechnique.fr> wrote: > >> >> http://www.redhat.com/docs/manuals/dir-server/install/8.0/Installation_Guide-Directory_Server_on_Linux-download.html >> >> 2010/1/8 Ajeet S Raina : >> > >> > >> > I have installed 389 Package through: >> > #yum install 389-ds >> > >> > But no idea how to proceed further. >> > How can I start the directory server? >> > >> > >> > >> > -- >> > 389 users mailing list >> > 389-users at redhat.com >> > https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > >> > >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > > -- > > > ?It is not possible to rescue everyone who is caught in the Windows > quicksand > --Make sure you are on solid Linux ground before trying.? 
> > > -- "It is not possible to rescue everyone who is caught in the Windows quicksand --Make sure you are on solid Linux ground before trying." -------------- next part -------------- An HTML attachment was scrubbed... URL:

From ajeetraina at gmail.com Sat Jan 9 07:26:15 2010 From: ajeetraina at gmail.com (Ajeet S Raina) Date: Sat, 9 Jan 2010 12:56:15 +0530 Subject: [389-users] Setting up 389 Server !!! Message-ID: <6239e2931001082326qd08361al3649b5491ed52a90@mail.gmail.com> Guys, I have been confused with the overall new 389 DS server setup. All I did up to now is: yum install 389-ds and it did all the installation correctly. Then, I ran: /usr/sbin/setup-ds.pl It too went fine. All I need is to set up the 389 server with SSL. I did go through http://directory.fedoraproject.org/wiki/Howto:SSL but have no idea how to proceed. I am confused with the following points: 1. Do I also need to run *setup-ds-admin.pl* and *setup-ds-dsgw* too? I tried running setup-ds-admin.pl and it got stuck at: The server 'ldap://389-ds.sap.com:45474/o=NetscapeRoot' is not reachable. Error: unknown error. 2. When should I run the setupssl2.sh script? After running the above setup-* scripts? What changes do I need to make to the script? -------------- next part -------------- An HTML attachment was scrubbed... URL:

From ajeetraina at gmail.com Sat Jan 9 08:38:46 2010 From: ajeetraina at gmail.com (Ajeet S Raina) Date: Sat, 9 Jan 2010 14:08:46 +0530 Subject: [389-users] Setting up 389 Server !!! In-Reply-To: <6239e2931001082326qd08361al3649b5491ed52a90@mail.gmail.com> References: <6239e2931001082326qd08361al3649b5491ed52a90@mail.gmail.com> Message-ID: <6239e2931001090038k21cfb187t38088ddf0429ac2c@mail.gmail.com> Someone on LinuxQuestions recommended that I just start 389-ds-admin.pl, which will take care of the Directory Server and Admin Server too. Is it correct? So, I ran the following commands Code: [root at 389-ds init.d]# service dirsrv stop Shutting down dirsrv: 389-ds...
[ OK ] [root at 389-ds ~]# /usr/sbin/setup-ds-admin.pl ============================================================================== This program will set up the 389 Directory and Administration Servers. It is recommended that you have "root" privilege to set up the software. Tips for using this program: - Press "Enter" to choose the default and go to the next screen - Type "Control-B" then "Enter" to go back to the previous screen - Type "Control-C" to cancel the setup program Would you like to continue with set up? [yes]: yes ============================================================================== BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE. Do you agree to the license terms? [no]: yes ============================================================================== Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed before running this software in a production environment. 389 Directory Server system tuning analysis version 10-AUGUST-2007. NOTICE : System is i686-unknown-linux2.6.18-164.el5 (1 processor). ERROR : Only 249MB of physical memory is available on the system. 256MB is the recommended minimum. 1024MB is recommended for best performance on large production system. NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds (120 minutes). This may cause temporary server congestion from lost client connections. WARNING: There are only 1024 file descriptors (hard limit) available, which limit the number of simultaneous connections. WARNING: There are only 1024 file descriptors (soft limit) available, which limit the number of simultaneous connections. ERROR : The above errors MUST be corrected before proceeding. Would you like to continue? 
    [no]: yes
    ==============================================================================
    Choose a setup type:

       1. Express
           Allows you to quickly set up the servers using the most
           common options and pre-defined defaults. Useful for quick
           evaluation of the products.

       2. Typical
           Allows you to specify common defaults and options.

       3. Custom
           Allows you to specify more advanced options. This is
           recommended for experienced server administrators only.

    To accept the default shown in brackets, press the Enter key.

    Choose a setup type [2]: 2
    ==============================================================================
    Enter the fully qualified domain name of the computer
    on which you're setting up server software. Using the form
    .
    Example: eros.example.com.

    To accept the default shown in brackets, press the Enter key.

    Computer name [389-ds.sap.com]:
    ==============================================================================
    The servers must run as a specific user in a specific group.
    It is strongly recommended that this user should have no privileges
    on the computer (i.e. a non-root user). The setup procedure
    will give this user/group some permissions in specific paths/files
    to perform server-specific operations.

    If you have not yet created a user and group for the servers,
    create this user and group using your native operating
    system utilities.

    System User [nobody]: fds
    System Group [nobody]: fds
    ==============================================================================
    Server information is stored in the configuration directory server.
    This information is used by the console and administration server to
    configure and manage your servers. If you have already set up a
    configuration directory server, you should register any servers you
    set up or create with the configuration server. To do so, the
    following information about the configuration server is required: the
    fully qualified host name of the form .(e.g.
    hostname.example.com), the port number (default 389), the suffix, the
    DN and password of a user having permission to write the configuration
    information, usually the configuration directory administrator, and
    if you are using security (TLS/SSL). If you are using TLS/SSL, specify
    the TLS/SSL (LDAPS) port number (default 636) instead of the regular
    LDAP port number, and provide the CA certificate (in PEM/ASCII format).

    If you do not yet have a configuration directory server, enter 'No' to
    be prompted to set up one.

    Do you want to register this software with an existing configuration
    directory server? [no]: yes
    ==============================================================================
    Please specify the information about your configuration directory server.
    The following information is required:
    - host (fully qualified), port (non-secure or secure), suffix, protocol
      (ldap or ldaps) - this information should be provided in the form of
      an LDAP url e.g. for non-secure
      ldap://host.example.com:389/o=NetscapeRoot
      or for secure
      ldaps://host.example.com:636/o=NetscapeRoot
    - admin ID and password
    - admin domain
    - a CA certificate file may be required if you choose to use ldaps and
      security has not yet been configured - the file must be in PEM/ASCII
      format - specify the absolute path and filename

    Configuration directory server URL [ldap://389-ds.sap.com:389/o=NetscapeRoot ]:
    Configuration directory server admin ID [admin]:
    Configuration directory server admin password:
    Configuration directory server admin domain [sapient.com]:
    The server 'ldap://389-ds.sap.com:389/o=NetscapeRoot' is not reachable. Error: unknown error
    Please try again, in case you mis-typed something.
    Configuration directory server URL [ldap://389-ds.sap.com:389/o=NetscapeRoot ]:
    [root at 389-ds ~]#

Am I missing anything?

On Sat, Jan 9, 2010 at 12:56 PM, Ajeet S Raina wrote:
>
> Guys,
>
> I have been confused with the overall new 389 DS Server setup.
> All I did up to now is:
>
> yum install 389-ds
>
> and it did all the installation correctly.
> Then I ran:
> /usr/sbin/setup-ds.pl
>
> It too went fine.
>
> All I need is to set up the 389 server with SSL. I did go through
> http://directory.fedoraproject.org/wiki/Howto:SSL but have no idea how to
> proceed.
>
> I am confused with the following points:
>
> 1. Do I also need to run *setup-ds-admin.pl* and *setup-ds-dsgw* too?
>
> I tried running setup-ds-admin.pl and it got stuck at:
>
> The server 'ldap://389-ds.sap.com:45474/o=NetscapeRoot' is not reachable.
> Error: unknown error.
>
> 2. When should I run the setupssl2.sh script? After running the above
> setup-* scripts?
> What changes do I need to make to the script?
> --
> "It is not possible to rescue everyone who is caught in the Windows quicksand
> -- Make sure you are on solid Linux ground before trying."

From ajeetraina at gmail.com Sat Jan 9 09:41:14 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Sat, 9 Jan 2010 15:11:14 +0530
Subject: [389-users] Setting up 389 Server !!!
In-Reply-To: <6239e2931001082326qd08361al3649b5491ed52a90@mail.gmail.com>
References: <6239e2931001082326qd08361al3649b5491ed52a90@mail.gmail.com>
Message-ID: <6239e2931001090141s18c231e9v76b9d7d0228853f7@mail.gmail.com>

Hey, it's done. I started with running setup-ds-admin.pl and this time I selected:

    If you do not yet have a configuration directory server, enter 'No' to
    be prompted to set up one.

    Do you want to register this software with an existing configuration
    directory server? [no]: no

That created the Directory Server for me too. Now I wonder how I can set up SSL. Do I need to select 636 for the port while selecting the port:

    Directory server network port [389]:

How to set up SSL now?

On Sat, Jan 9, 2010 at 12:56 PM, Ajeet S Raina wrote:
>
> Guys,
>
> I have been confused with the overall new 389 DS Server setup.
> All I did up to now is:
>
> yum install 389-ds
>
> and it did all the installation correctly.
> Then I ran:
> /usr/sbin/setup-ds.pl
>
> It too went fine.
>
> All I need is to set up the 389 server with SSL. I did go through
> http://directory.fedoraproject.org/wiki/Howto:SSL but have no idea how to
> proceed.
>
> I am confused with the following points:
>
> 1. Do I also need to run *setup-ds-admin.pl* and *setup-ds-dsgw* too?
>
> I tried running setup-ds-admin.pl and it got stuck at:
>
> The server 'ldap://389-ds.sap.com:45474/o=NetscapeRoot' is not reachable.
> Error: unknown error.
>
> 2. When should I run the setupssl2.sh script? After running the above
> setup-* scripts?
> What changes do I need to make to the script?
> --
> "It is not possible to rescue everyone who is caught in the Windows quicksand
> -- Make sure you are on solid Linux ground before trying."

From ajeetraina at gmail.com Sat Jan 9 09:53:47 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Sat, 9 Jan 2010 15:23:47 +0530
Subject: [389-users] Administer the 389 Server through Windows?
Message-ID: <6239e2931001090153h63863365j10702c9b84b641f8@mail.gmail.com>

Hello Guys,

I have set up the 389 server by running setup-ds-admin.pl, which installed both the admin and directory server. I have kept the Linux installation minimal, due to which I don't have X Windows running. All I want is to access and administer it through Windows. Is there any interface tool for Windows through which I can administer the 389 server running on CentOS Linux?

From ajeetraina at gmail.com Sat Jan 9 14:29:17 2010
From: ajeetraina at gmail.com (Ajeet S Raina)
Date: Sat, 9 Jan 2010 19:59:17 +0530
Subject: [389-users] Unable to access 389-DS Server through remote LDAP Admin tool?
Message-ID: <6239e2931001090629m54f06dg4e60b69c02e91bf@mail.gmail.com>

I have 389-DS SSL running on my Linux machine.
I can see the output:

    [root at 389-ds ~]# nmap -vv localhost

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-01-10 01:26 IST
    Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1) [1680 ports] at 01:26
    Discovered open port 22/tcp on 127.0.0.1
    Discovered open port 636/tcp on 127.0.0.1
    The SYN Stealth Scan took 0.21s to scan 1680 total ports.
    Host localhost.localdomain (127.0.0.1) appears to be up ... good.
    Interesting ports on localhost.localdomain (127.0.0.1):
    Not shown: 1678 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    636/tcp open  ldapssl

    Nmap finished: 1 IP address (1 host up) scanned in 0.344 seconds
                   Raw packets sent: 1680 (73.920KB) | Rcvd: 3362 (141.208KB)
    [root at 389-ds ~]#

This shows that port 636 is open. But when I am attempting to reach this Linux server from one of the Windows desktops it says "LDAP is Down". I selected LDAPv3 and LDAPv3, hostname and SSL/TLS, and tried fetching the base DN, but it didn't work.

Pls suggest.

From sblume at ims.uni-hannover.de Fri Jan 8 16:09:33 2010
From: sblume at ims.uni-hannover.de (Steffen Blume)
Date: Fri, 08 Jan 2010 17:09:33 +0100
Subject: [389-users] admin server under solaris not running
In-Reply-To: <4B47503C.8010504@redhat.com>
References: <4B4468ED.2020406@ims.uni-hannover.de> <4B47503C.8010504@redhat.com>
Message-ID: <4B4758BD.9030509@ims.uni-hannover.de>

Rich Megginson wrote:
> Steffen Blume wrote:
>> Hello,
>>
>> my admin server (apache/httpd.worker) is not starting under
>> /OpenSolaris/ (/SunOS 5.11/).
>> I added the error log below. Log level is debug. The only error msg is
>> the last line from nss. I compiled 389 DS by myself.
>> Versions:
>> nss-3.12.4-with-nspr-4.8
>> 389-ds-base-1.2.4
>> mod_nss-1.0.8
>> adminutil-1.1.8
>> 389-admin-1.1.9
>>
>> --------------------------
>> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2419): Entering
>> mod_admserv_post_config - pid is [6597] init count is [0]
>> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2248): Entering
>> do_admserv_post_config - pid is [6597]
>> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2256): Entering
>> do_admserv_post_config - init count is [1]
>> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2280): [6597] Cache
>> expiration set to 600 seconds
>> [Wed Jan 06 11:13:55 2010] [debug] mod_admserv.c(2383): Added
>> StartConfigDs task entry
>> [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-ldap,cn=389
>> administration server,cn=server
>> group,cn=ldap.mydomain.de,ou=mydomain.de,o=netscaperoot:start_config_ds:]
>> for user [LocalSuper]
>> [Wed Jan 06 11:13:55 2010] [notice] Access Host filter is:
>> *.mst.uni-hannover.de
>> [Wed Jan 06 11:13:55 2010] [notice] Access Address filter is: *
>> [Wed Jan 06 11:13:55 2010] [info] mod_unique_id: using ip addr
>> xxx.xxx.xxx.xxx
>> Assertion failure: SECSuccess == rv, at sslnonce.c:156
>>
> Do you have a core file for admin server?

No. It terminates without crashing.

> If not, can you run the admin server using a debugger?

Just tried it with gdb. But gdb prints an internal error (and crashes):

    elfread.c:366: internal-error: sect_index_data not initialized
    A problem internal to GDB has been detected,
    further debugging may prove unreliable.
    Quit this debugging session? (y or n) n
    elfread.c:366: internal-error: sect_index_data not initialized
    A problem internal to GDB has been detected,
    further debugging may prove unreliable.

I looked at the nss source code, where the error occurs. Somehow the function NSS_RegisterShutdown is called before NSS is initialized and returns an error. I think this happens indirectly in mod_nss!?
>> --------------------------
>>
>> Any advice?
>>
>> Regards,
>> Steffen
>>
>>
>

--
Dipl.-Ing. Steffen Blume
Institute of Microelectronic Systems     phone : +49-511-762-19605
Leibniz Universität Hannover             fax   : +49-511-762-19601
Appelstr. 4, 30167 Hannover, Germany     mail  : sblume at ims.uni-hannover.de
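Returning to the "LDAP is Down" report earlier in this digest, where nmap on localhost showed 636/tcp open but a remote Windows client could not connect: a scan of 127.0.0.1 only proves a listener is bound, while a remote client also has to get through any firewall and then accept the server certificate (trusted CA, hostname matching the CN or subjectAltName). The probe below is an added example, not code from the 389 project or from anyone in this thread; it walks those client-side steps in order and reports which one failed. The host name, port and CA file path are placeholders, and the certificate structure in the test is constructed.

```python
# Added example: probe an LDAPS listener the way a remote client does.
import socket
import ssl


def classify_failure(exc):
    """Map a probe exception to the layer that failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # TCP and TLS got far enough to receive the server certificate, but
        # the client rejected it: CA not trusted, or hostname not in CN/SAN.
        return "tls-cert-rejected: " + getattr(exc, "verify_message", str(exc))
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake-failed: " + str(exc)
    if isinstance(exc, ConnectionRefusedError):
        return "tcp-refused: no listener bound on that address and port"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "tcp-timeout: packets dropped, usually a firewall in the path"
    if isinstance(exc, socket.gaierror):
        return "dns-failure: hostname does not resolve from this client"
    return "unknown: " + repr(exc)


def summarize_cert(cert):
    """Pull out the fields a client checks before trusting the server.

    cert is the dict shape returned by SSLSocket.getpeercert().
    """
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"cn": subject.get("commonName"), "san": sans,
            "not_after": cert.get("notAfter")}


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Connect, complete a verified TLS handshake, and describe the outcome.

    cafile is the PEM file of the CA that signed the server certificate;
    None falls back to the client's system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(),
                        "cert": summarize_cert(tls.getpeercert())}
    except (OSError, ValueError) as exc:
        return {"ok": False, "reason": classify_failure(exc)}


if __name__ == "__main__":
    # Placeholder target and CA path; replace with the real server's values.
    print(probe_ldaps("ldap.example.com", 636, cafile="/path/to/ca.pem"))
```

Run it from the client machine that reports the failure, not from the server itself, since the point is to see what that client sees.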