Re: [389-users] Re: [389-announce] Announcing 389 Directory Server 1.2.5 Release Candidate 2
On 12/08/2009 09:09 AM, Rich Megginson wrote:

Andrey Ivanov wrote:

Hi,

2009/12/8 Rich Megginson rmegg...@redhat.com:

The 389 team is pleased to announce the availability of Release Candidate 2 of version 1.2.5.

Well, this time the installation (compiled from sources) was ok. I've also imported my ldif export from the 1.1 server.

Excellent - good to know.

The only catch was the syntax check (nsslapd-syntaxcheck: on) - had to disable it because of some expiration dates of Generalized Time syntax that were rather approximative (something like X-expirationDate: 201012). The telephoneNumber, on the other hand, is not validated, as far as I understand...

You have attribute values that use telephoneNumber syntax, that are not correct syntax, that the server accepts?

I think Andrey is just referring to the fact that the Telephone Number syntax is loose. It is simply defined as a PrintableString in RFC 4517. We do validate that it meets this criteria, however it's unlikely that one would have something in there that violates the syntax. The Generalized Time syntax is highly structured on the other hand.

--
389 users mailing list
389-us...@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
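The contrast the reply draws between the two syntaxes can be made concrete with a small checker. The following is an added example, not code from the thread or from 389 Directory Server: it implements the RFC 4517 grammars for GeneralizedTime and PrintableString (which Telephone Number reuses) as regular expressions and runs them over a constructed entry. The assumption that the custom X-expirationDate attribute is declared with GeneralizedTime syntax, and the attribute-to-syntax table itself, are this example's own; a real server reads the syntax from its schema.

```python
import re

# RFC 4517 section 3.3.13 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fff](Z|+hh[mm]|-hh[mm])
GENERALIZED_TIME_RE = re.compile(
    r"^\d{4}"                       # century + year
    r"(?:0[1-9]|1[0-2])"            # month
    r"(?:0[1-9]|[12]\d|3[01])"      # day
    r"(?:[01]\d|2[0-3])"            # hour (mandatory)
    r"(?:[0-5]\d(?:[0-5]\d|60)?)?"  # optional minute, optional second / leap-second
    r"(?:[.,]\d+)?"                 # optional fraction
    r"(?:Z|[+-](?:[01]\d|2[0-3])(?:[0-5]\d)?)$"  # time zone is mandatory
)

# RFC 4517 section 3.3.29 PrintableString, which Telephone Number (3.3.31) reuses:
# letters, digits, ' ( ) + , - . = / : ? and space. Anything else (e.g. Unicode) fails.
PRINTABLE_STRING_RE = re.compile(r"^[A-Za-z0-9'()+,\-.=/:? ]+$")


def is_generalized_time(value):
    return bool(GENERALIZED_TIME_RE.match(value))


def is_printable_string(value):
    return bool(PRINTABLE_STRING_RE.match(value))


# Attribute -> syntax check. Assumed for this example: a real server takes the
# syntax OID from the attribute type definition in its schema.
SYNTAX_BY_ATTRIBUTE = {
    "x-expirationdate": is_generalized_time,   # the thread's custom attribute
    "passwordexpirationtime": is_generalized_time,
    "telephonenumber": is_printable_string,
}


def syntax_violations(entry):
    """Return (attribute, value) pairs that fail their declared syntax.
    `entry` maps attribute names to lists of values."""
    bad = []
    for attr, values in entry.items():
        check = SYNTAX_BY_ATTRIBUTE.get(attr.lower())
        if check is None:
            continue  # no syntax known for this attribute; nothing to enforce
        for value in values:
            if not check(value):
                bad.append((attr, value))
    return bad


# Constructed sample entry mirroring the thread: "201012" is year+month only,
# with no day, hour or time zone, so it is not a valid GeneralizedTime.
SAMPLE_ENTRY = {
    "cn": ["Andrey Example"],
    "X-expirationDate": ["201012", "20101231235959Z"],
    "passwordExpirationTime": ["20380119031407Z"],
    "telephoneNumber": ["+33 1 23 45 67 89", "ext. 12 \u260e"],
}

if __name__ == "__main__":
    for attr, value in syntax_violations(SAMPLE_ENTRY):
        print(f"{attr}: {value!r} violates its syntax")
```

Running it reports the approximate expiration date and the telephone number containing a non-printable character; the well-formed values pass. Values like "201012" have to be rewritten as full timestamps (for example "20101201000000Z") before nsslapd-syntaxcheck can be turned back on.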
Re: [389-users] SNMP trouble
On 12/07/2009 03:41 AM, Mitja Mihelic wrote:

Has anyone managed to get SNMP working?

Yes, it does work. The problem areas for most during setup seem to be communication between the master agent and the subagent (the subagent logs should indicate if this is a problem when you start it), and access control configuration of the master agent. Perhaps your community does not have rights to see everything?

Mitja Mihelic wrote:

Nathan Kinder wrote:

On 12/01/2009 07:21 AM, Mitja Mihelic wrote:

Hi! I have set up SNMP on our server.

What platform are you on and what version of 389 are you using?

It's not the 389 server exactly. It's centos-ds-8.1.0-1.el5.centos.2 run on the current CentOS 5.4.

What does your configuration file look like for the ldap-agent subagent? Did you configure it to communicate with snmpd via agentx? Do the ldap-agent logs show anything?

The first two lines in /etc/snmp/snmpd.conf:

master agentx
mibdirs +/usr/share/dirsrv/mibs

Contents of the etc/dirsrv/snmp-agent/ldap-agent.conf:

agentx-master /var/agentx/master
agent-logdir /var/log/dirsrv/snmp-agent/
server slapd-SERVER-users

The ldap-agent log shows the following, repeated every 15s or so:

2009-12-02 10:10:09 Reloading stats.
2009-12-02 10:10:09 Opening stats file (/var/run/dirsrv/slapd-SERVER-users.stats) for server: 389

The ldap-agent was run like so (in debug mode just in case):

ldap-agent -D /etc/dirsrv/snmp-agent/ldap-agent.conf

While it responds to my queries it reports only data from the OID .1.3.6.1.4.1.2312.6.5.1 (dsEntityEntry). All other variables seem to be empty. For instance, a query for .1.3.6.1.4.1.2312.6.3.1.9 (dsURL):

[host] snmpwalk -Cp -On -v 1 -c comunity localhost .1.3.6.1.4.1.2312.6.3.1.9
Variables found: 0

The same happens if I do it a bit further up the tree:

[host] snmpwalk -Cp -On -v 1 -c comunity localhost .1.3.6.1.4.1.2312.6 (rhds)

Only the values from dsEntityEntry are returned. I am lost here...

Regards,
Mitja
Re: [389-users] setting up multi master replication
On 12/03/2009 01:41 PM, Alan McKay wrote:

Hey folks,

The HOWTO refers to a script that is at the end of a dead link:
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

And the Red Hat docs tell me to do something that causes an error:
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Creating_the_Supplier_Bind_DN_Entry.html

The final entry should resemble Example 8.1, “Example Supplier Bind DN Entry”.

dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: password
passwordExpirationTime: 20380119031407Z

[r...@sandbox2 ~]# /etc/init.d/dirsrv start
Starting dirsrv:
sandbox2...[03/Dec/2009:16:31:30 -0500] - Entry cn=replication manager,cn=config has unknown object class inetorgperson (remove the trailing space)
[03/Dec/2009:16:31:30 -0500] - Entry cn=replication manager,cn=config has unknown object class person (remove the trailing space)
[03/Dec/2009:16:31:30 -0500] - Entry cn=replication manager,cn=config has unknown object class top (remove the trailing space)
[ OK ]

And clearly I do not know enough about LDAP at this point to know what the heck I'm doing here :-) Both of my servers are set up with custom install but mostly defaults. Help me Obi-Wan, you are my only hope :-)

As the error message states, you have trailing spaces at the end of the top, person, and inetorgperson objectclass lines. Remove the trailing spaces.

BTW, I did order the O'Reilly LDAP book that everyone recommends - it shipped today.
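A trailing space in an LDIF value is invisible in most editors but is part of the value, which is why the server reports the object class as unknown. The following is an added example, not code from the thread or from 389: a minimal LDIF reader that deliberately keeps trailing whitespace, a lint that reports it together with object classes outside a known set, and the fix the reply asks for. The LDIF is constructed to reproduce the symptom; the KNOWN_OBJECT_CLASSES set is an assumption standing in for the server schema, and base64 (`::`) values are not handled.

```python
# Constructed LDIF reproducing the thread's defect: each objectClass value ends in a space.
SAMPLE_LDIF = (
    "dn: cn=replication manager,cn=config\n"
    "objectClass: inetorgperson \n"
    "objectClass: person \n"
    "objectClass: top \n"
    "cn: replication manager\n"
    "sn: RM\n"
    "userPassword: password\n"
    "passwordExpirationTime: 20380119031407Z\n"
)

# Object classes this entry is expected to use (assumed; a real check reads the server schema).
KNOWN_OBJECT_CLASSES = {"top", "person", "inetorgperson"}


def parse_ldif_entry(text):
    """Minimal LDIF reader for a single entry: returns (dn, [(attr, value), ...]).
    Folded continuation lines (leading space, RFC 2849) are joined. Trailing
    whitespace in values is kept on purpose so the lint can see it."""
    lines = []
    for raw in text.split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    dn, pairs = None, []
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(" "):
            value = value[1:]  # exactly one separator space belongs to the syntax
        if attr.lower() == "dn":
            dn = value
        else:
            pairs.append((attr, value))
    return dn, pairs


def lint_ldif_entry(text):
    """Report trailing whitespace in any value and object classes not in the known set."""
    dn, pairs = parse_ldif_entry(text)
    problems = []
    for attr, value in pairs:
        if value != value.rstrip():
            problems.append(f"{dn}: trailing whitespace in {attr} value {value!r}")
        if attr.lower() == "objectclass" and value.lower() not in KNOWN_OBJECT_CLASSES:
            problems.append(f"{dn}: unknown object class {value!r}")
    return problems


def strip_trailing_whitespace(text):
    """The fix: remove trailing whitespace from every line of the LDIF."""
    return "\n".join(line.rstrip() for line in text.split("\n"))


if __name__ == "__main__":
    for problem in lint_ldif_entry(SAMPLE_LDIF):
        print(problem)
    print("after fix:", lint_ldif_entry(strip_trailing_whitespace(SAMPLE_LDIF)))
```

Each bad objectClass line produces two findings (the whitespace itself and the resulting unknown class name, `'inetorgperson '`), which matches the three "unknown object class" errors the server logged; after stripping, the lint is clean.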
Re: [389-users] Re: setting up multi master replication
On 12/03/2009 02:41 PM, Alan McKay wrote:

Well, I blew something.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/images/replagmt1.png

When I got to this point I did not see at the bottom the subtree dc=example,dc=com. I saw NetscapeRoot. Which means when I asked the other question about whether to choose NetscapeRoot or userRoot, the answer must have been neither. But those were the only two choices I had.

You need to choose userRoot. The default database name is userRoot, which maps to whatever suffix you defined at install time. The NetscapeRoot backend is used by the Administration Server for things like letting the Console application know what servers it has to manage and what it can do.

My replication failed with error 6. No such replica. I'll go back and retrace my steps tomorrow - getting too late for this right now.
Re: [389-users] Is there Linked Attributes configuration and usage documentation available?
On 12/02/2009 05:47 AM, Sean Brady wrote:

OK, I see some helpful errors in the logs here:

linkedattrs-plugin - linked_attrs_parse_config_entry: The linkType config setting is required for linked attribute pair cn=manager link,cn=linked attributes,cn=plugins,cn=config.
[02/Dec/2009:06:19:24 -0700] linkedattrs-plugin - linked_attrs_parse_config_entry: Invalid config entry [cn=manager link,cn=linked attributes,cn=plugins,cn=config] skipped

So... I am assuming that there is a configuration entry that I need called linkType, which isn't listed in the link per se, although there is a reference to it in passing. Can someone help me with the expected type of value, i.e. is this an attribute type, etc? What do I need here?

The feature design page you referenced had the configuration attributes named incorrectly (the attribute names changed between the design and implementation of the feature). I have updated the configuration section of that page to be correct. Please look here for details:

http://directory.fedoraproject.org/wiki/Linked_Attributes_Design#Configuration

In short, you need to use linkType and managedType instead of linkAttribute and managedAttribute in the config entry that you have referenced below.

-NGK

The following was added to my dse.ldif:

dn: cn=Manager Link, cn=Linked Attributes,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
cn: Manager Link
linkattribute: directReport
managedattribute: linkmanager

Both the linkattribute directReport and managedattribute linkmanager are custom attributes added as MAY to a custom employee objectclass, which 3 test users have as an attribute value. I didn't want to conflict with any existing attributes, and I noticed that the directreport attribute did not exist. Any help is appreciated.

Thanks,
SB

From: fedora-directory-users-boun...@redhat.com [mailto:fedora-directory-users-boun...@redhat.com] On Behalf Of Sean Brady
Sent: Tuesday, December 01, 2009 8:05 PM
To: fedora-directory-users@redhat.com
Subject: [389-users] Is there Linked Attributes configuration and usage documentation available?

Hello All,

I have 389 up and running, and had some questions on Linked Attributes. I found this http://directory.fedoraproject.org/wiki/Linked_Attributes_Design but that is the extent of the documentation that I have found. Does anyone know of any additional documentation that you can point me to? I am unclear on exactly how to configure Linked Attributes properly, and how to use them. Specifically, which ldif file would I need to modify to create a linked attribute? Would that be dse.ldif, or one of the ldifs in the schema sub-folder (/etc/dirsrv/slapd-instance_name/schema)? What else would I need to know to configure a linked attribute? What do I need to know about its usage? Once I have the details I can post some documentation back to the community - there is nothing in the RedHat Directory Server docs on this plugin as of yet that I have seen. I don't think that this can be done through the GUI at this time...

Thanks in advance for the community's help.

SB
Re: [389-users] SNMP trouble
On 12/01/2009 07:21 AM, Mitja Mihelic wrote:

Hi! I have set up SNMP on our server.

What platform are you on and what version of 389 are you using? What does your configuration file look like for the ldap-agent subagent? Did you configure it to communicate with snmpd via agentx? Do the ldap-agent logs show anything?

While it responds to my queries it reports only data from the OID .1.3.6.1.4.1.2312.6.5.1 (dsEntityEntry). All other variables seem to be empty. For instance, a query for .1.3.6.1.4.1.2312.6.3.1.9 (dsURL):

[host] snmpwalk -Cp -On -v 1 -c comunity localhost .1.3.6.1.4.1.2312.6.3.1.9
Variables found: 0

The same happens if I do it a bit further up the tree:

[host] snmpwalk -Cp -On -v 1 -c comunity localhost .1.3.6.1.4.1.2312.6 (rhds)

Only the values from dsEntityEntry are returned. I am lost here...

Regards,
Mitja
Re: [389-users] Unindexed ?
On 11/18/2009 06:31 AM, Emmanuel BILLOT wrote:

Hi,

I used the logconv.pl utility to check our config, and it found a lot of unindexed searches. In the access log file I found lines:

[18/Nov/2009:15:27:28 +0100] conn=1565 op=10246 RESULT err=0 tag=101 nentries=132 etime=1 notes=U
[18/Nov/2009:15:27:28 +0100] conn=1565 op=10247 SRCH base=dc=ouaga,dc=ird,dc=fr scope=2 filter=((objectClass=*)) attrs=* aci

Does notes=U mean it is an unindexed search? I must index an attribute, but which one?

Yes, notes=U means the search was unindexed. You need to provide the SRCH line from your access log for conn=1565 op=10246 so we can see what attributes need to be indexed.

BR,
Re: [389-users] memberof entries not appearing in replica with memberof plugin
On 11/10/2009 08:35 PM, John A. Sullivan III wrote:

Hello, all. I'm running CentOS Directory Server 8.1 on CentOS 5.4. For some reason, the memberof plugin does not seem to be working on the replica. My first suspicion is we have done something wrong, but I wonder if there is an error in the documentation. Here are the details.

We are a single master setup with a single replica. We noticed some of our LDAP queries were not correctly detecting group membership. We double checked the memberof plugin configuration and, for some reason, it seems to have reverted to looking at member instead of uniquemember. We changed this on the master and our problem went away.

However, in the process of double-checking our steps, we read that the memberof attribute should NOT be replicated. We had not excluded it. So, we destroyed the replication agreement, created a new fractional replication enabled one, and reinitialized the replica. All of the memberof information was missing from all users on the replica. We then tried to rebuild it by running the fixup-memberof.pl script. That didn't work. We then simply tried deleting users from groups and adding them to see if that would work. It worked fine on the master but not on the replica.

Is the documentation in error, and replication of memberof should be excluded only in multimaster but should be propagated to consumers, or have we done something wrong? I compared the memberof plugin definitions in dse.ldif on both and they look identical, including being enabled. Nothing is jumping out in the error or audit logs.

The only reason for using fractional replication to exclude the memberOf attribute is to avoid any sort of dangling membership issue when using multi-master replication. In your single-master replication setup, you only need to configure the memberOf plug-in on your master, not the replica.

You can then safely replicate the memberOf attribute since a single-master replication scenario has no chance for conflicting changes from separate masters. Please open a documentation bug on this so we can get things cleared up in the manuals.

We eventually added memberof to the replication agreement and resynchronized just to get the data across. We've pulled it back out and, as expected, any changes are not replicating. What are we doing wrong? Where do we look next to troubleshoot it?

Thanks - John
Re: [389-users] Problems with password syntax checking: invalid password syntax
On 09/18/2009 08:10 AM, Kenneth Holter wrote:

Hi all.

I'm running Red Hat Directory Server 8.1.0, and am having some problems with password syntax checking. When I don't enable the syntax checking, everything works fine. But when I enable it, it seems to discard even pretty strong passwords. In the example below I've configured password syntax checking like this:

* Password minimum length: 8
* Minimum required character categories: 1
* Minimum token length: 3 (btw, don't know why I need to set this)

This is the token length to use for a trivial words check. This prevents someone from using portions of their cn, uid, etc. values in their password. The values are broken into tokens of this length and the password is then checked to see if any of the tokens exist.

The new password I try to change to has two digits, four lower case letters, one uppercase letter, and one special character. So it should be far more complicated than the above settings call for. This is the output:

# Output start
[r...@server ~]# ssh kenn...@localhost
kenn...@localhost's password:
You are required to change your LDAP password immediately.
Last login: Fri Sep 18 16:37:26 2009 from localhost.localdomain
Welcome to the server!
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user kenneth.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
invalid password syntax - passwords with storage scheme are not allowed
passwd: Permission denied
Connection to localhost closed.
# Output end

So basically what I'm wondering about is exactly which constraint I'm violating. In other words, what does "passwords with storage scheme are not allowed" tell me?

Your password is being hashed by your client system before it is sent to the Directory Server. This is not allowed since the server would have no way to enforce its password policy against a pre-hashed password.

You need to configure /etc/ldap.conf to send the clear text password to the LDAP server. You should use SSL/TLS to protect the password in transit.

Best regards,
Kenneth Holter
Re: [389-users] RHDS 8.1 and SNMP
On 08/13/2009 05:12 PM, Edward Koko Konetzko wrote:

I am wondering if SNMP monitoring works in RHDS 8.1; if so, I need some help getting it working. The docs I have been using are linked below:

http://directory.fedoraproject.org/wiki/Howto:SNMPMonitoring
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Monitoring_DS_Using_SNMP.html

The /etc/snmp/snmp.conf file:

com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
access notConfigGroup any noauth exact systemview none none
com2sec local localhost ldap
group MyROGroup any local
view all included .1
access MyROGroup any noauth 0 all none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root r...@localhost (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
master agentx

The /etc/dirsrv/config/ldap-agent.conf:

# Config file for AgentX access so FDS can pass snmp variables to net-snmp
# This is the agent config file.
#
# Start the agent with /opt/fedora-ds/bin/slapd/server/ldap-agent /opt/fedora-ds/ldap-agent.conf
#
#
## AgentX Master ##
#
# Where the agent communicates with the AgentX Master (net-snmp).
# If not specified uses the net-snmp default of a UNIX socket
# at /var/agentx/master. RTFM if you decide to use a differing location...
#
agentx-master /var/agentx/master

## AgentX Logdir ##
#
# Where the agent logs its logfile...
#
agent-logdir /var/log/dirsrv/agent/
#
## Server ##
#
# Which FDS instance you wish to monitor.
# This should be the absolute path to the log dir of the FDS instance.
#
server slapd-ldap-master-n01

When I run

snmpwalk -v 1 -c ldap localhost .1.3.6.1.4.1.2312.6.1.1.3.389

I get nothing back, but when I run

snmpwalk -v 1 -c ldap localhost .1.3.6.1.4.1.2312

the following is returned:

SNMPv2-SMI::enterprises.2312.6.5.1.1.389 = STRING: ldap master server
SNMPv2-SMI::enterprises.2312.6.5.1.2.389 = STRING: Red Hat-Directory/8.1.0
SNMPv2-SMI::enterprises.2312.6.5.1.3.389 = STRING: Rackspace Cloud
SNMPv2-SMI::enterprises.2312.6.5.1.4.389 = STRING: Lab
SNMPv2-SMI::enterprises.2312.6.5.1.5.389 = STRING: not made yet
SNMPv2-SMI::enterprises.2312.6.5.1.6.389 = STRING: ldap-master-n01

All of that is correct with what is set in the Directory server. If I run

strings /var/run/dirsrv/slapd-ldap-master-n01.stats

I get the following back, and I am wondering if there is supposed to be something where it says Not Available?

Red Hat-Directory/8.1.0
ldap-master-n01
ldap master server
Rackspace Cloud
not made yet
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available

The Not Available strings are from the unimplemented interactions table. This table is supposed to list the last 10 clients that the server has interacted with IIRC, but it's not implemented, so we just report Not Available. The bulk of the stats are not strings, so what you see is everything I would expect.

/usr/bin/ldap-agent-bin -D /etc/dirsrv/config/ldap-agent.conf

just outputs the following over and over again in its log file:

2009-08-13 18:51:57 Reloading stats.
2009-08-13 18:51:57 Opening stats file (/var/run/dirsrv/slapd-ldap-master-n01.stats) for server: 389

Thanks in advance.

Edward
Re: [389-users] no modifiable attributes specified
On 08/05/2009 02:34 AM, Dharmin Mandalia wrote:

Hello

On my dir server, I am seeing lots of messages similar to the below. How can this be resolved so I don't see the error msg below? Appreciate your help.

On dvfnds01, the supplier:

# tail -f /var/log/dirsrv/slap-*/access
[05/Aug/2009:09:07:19 +] NSMMReplicationPlugin - agmt=cn=dvfnds02 (dvfnds02:636): Consumer failed to replay change (uniqueid 059b5581-0d2511dd-ae03d7e3-3dfce5fc, CSN 4a794bc80001): DSA is unwilling to perform. Will retry later.

On dvfnds02, the consumer:

# tail -f /var/log/dirsrv/slap-*/access
[05/Aug/2009:09:07:19 +] conn=3561655 SSL 256-bit AES
[05/Aug/2009:09:07:19 +] conn=3561655 op=0 BIND dn=cn=Replication Manager,cn=config method=128 version=3
[05/Aug/2009:09:07:19 +] conn=3561655 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=cn=replication manager,cn=config
[05/Aug/2009:09:07:19 +] conn=3561655 op=1 SRCH base= scope=0 filter=(objectClass=*) attrs=supportedControl supportedExtension
[05/Aug/2009:09:07:19 +] conn=3561655 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Aug/2009:09:07:19 +] conn=3561655 op=2 SRCH base= scope=0 filter=(objectClass=*) attrs=supportedControl supportedExtension
[05/Aug/2009:09:07:19 +] conn=3561655 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[05/Aug/2009:09:07:19 +] conn=3561655 op=3 EXT oid=2.16.840.1.113730.3.5.3 name=Netscape Replication Start Session
[05/Aug/2009:09:07:19 +] conn=3561655 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[05/Aug/2009:09:07:19 +] conn=3561655 op=4 SRCH base=cn=replica,cn=\22dc=TB,dc=be\22,cn=mapping tree,cn=config scope=0 filter=(objectClass=*) attrs=nsDS5ReplicaId
[05/Aug/2009:09:07:19 +] conn=3561655 op=4 RESULT err=32 tag=101 nentries=0 etime=0
[05/Aug/2009:09:07:19 +] conn=3561655 op=5 MOD dn=uid=john.elle,ou=people,ou=EB,dc=TB,dc=be, no modifiable attributes specified
[05/Aug/2009:09:07:19 +] conn=3561655 op=5 RESULT err=53 tag=103 nentries=0 etime=0
[05/Aug/2009:09:07:19 +] conn=3561656 fd=186 slot=186 SSL connection from 192.168.3.12 to 192.168.3.134
[05/Aug/2009:09:07:19 +] conn=3561656 op=-1 fd=186 closed - Encountered end of file.

Does anyone have a list of what error code 53 is or error code 32 is?

http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Access_Log_and_Connection_Code_Reference-LDAP_Result_Codes.html

Thanks...

Regards
Dharmin
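Both this thread and the earlier "Unindexed ?" thread come down to the same reading exercise: pair each RESULT line in the access log with the request line for the same conn and op, then decode what it says. The following is an added example, not code from the threads or from 389 (logconv.pl does a far fuller job): it groups access-log lines by (conn, op), reports notes=U searches together with their filter when the SRCH line is present, and decodes non-zero err values with a small table of RFC 4511 result codes. The sample lines are constructed, adapted from the two threads, and real 389 logs quote the base, filter and attrs values, so the regular expressions accept both quoted and unquoted forms.

```python
import re
from collections import defaultdict

# Subset of LDAP result codes (RFC 4511); the linked 389 reference has the full table.
LDAP_RESULT_CODES = {
    0: "success",
    19: "constraintViolation",
    32: "noSuchObject",
    53: "unwillingToPerform",
    65: "objectClassViolation",
}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$")
SRCH_RE = re.compile(r'base="?(?P<base>.*?)"? scope=(?P<scope>\d) filter="?(?P<filter>\S+?)"?(?: attrs|$)')


def parse_access_log(lines):
    """Group lines by (conn, op): the first non-RESULT line is the request, RESULT is parsed."""
    ops = defaultdict(lambda: {"request": None, "result": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("op") is None:
            continue  # connection-level lines (cipher, fd open/close) carry no op number
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        if rest.startswith("RESULT"):
            fields = dict(re.findall(r"(\w+)=(\S+)", rest))
            ops[key]["result"] = {"err": int(fields.get("err", -1)), "notes": fields.get("notes", "")}
        elif ops[key]["request"] is None:
            ops[key]["request"] = rest
    return ops


def find_unindexed(lines):
    """notes=U results, paired with base and filter when the SRCH line for that op is present;
    filter is None when it is not, which is exactly the line the reply asks the poster for."""
    found = []
    for (conn, op), rec in sorted(parse_access_log(lines).items()):
        res = rec["result"]
        if res is None or "U" not in res["notes"].split(","):
            continue
        srch = SRCH_RE.search(rec["request"]) if rec["request"] else None
        found.append({"conn": conn, "op": op,
                      "base": srch.group("base") if srch else None,
                      "filter": srch.group("filter") if srch else None})
    return found


def failed_operations(lines):
    """(conn, op, optype, err, name) for every RESULT whose err is not 0."""
    failures = []
    for (conn, op), rec in sorted(parse_access_log(lines).items()):
        res = rec["result"]
        if res is None or res["err"] == 0:
            continue
        optype = rec["request"].split(" ", 1)[0] if rec["request"] else "?"
        failures.append((conn, op, optype, res["err"], LDAP_RESULT_CODES.get(res["err"], "unknown")))
    return failures


# Constructed sample, adapted from the two threads. op=10246 has its RESULT but not its SRCH line;
# op=10248 is a constructed complete pair; conn=3561655 mirrors the consumer-side replication session.
SAMPLE_ACCESS_LOG = [
    '[18/Nov/2009:15:27:28 +0100] conn=1565 op=10246 RESULT err=0 tag=101 nentries=132 etime=1 notes=U',
    '[18/Nov/2009:15:27:28 +0100] conn=1565 op=10247 SRCH base="dc=ouaga,dc=ird,dc=fr" scope=2 filter="(objectClass=*)" attrs="* aci"',
    '[18/Nov/2009:15:27:29 +0100] conn=1565 op=10248 SRCH base="dc=ouaga,dc=ird,dc=fr" scope=2 filter="(mail=*@example.org)" attrs="uid"',
    '[18/Nov/2009:15:27:29 +0100] conn=1565 op=10248 RESULT err=0 tag=101 nentries=7 etime=2 notes=U',
    '[18/Nov/2009:15:27:30 +0100] conn=1566 op=1 SRCH base="dc=ouaga,dc=ird,dc=fr" scope=2 filter="(uid=jdoe)" attrs="uid"',
    '[18/Nov/2009:15:27:30 +0100] conn=1566 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 SSL 256-bit AES',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=4 SRCH base="cn=replica,cn=\\22dc=TB,dc=be\\22,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsDS5ReplicaId"',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=4 RESULT err=32 tag=101 nentries=0 etime=0',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=5 MOD dn="uid=john.elle,ou=people,ou=EB,dc=TB,dc=be", no modifiable attributes specified',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=5 RESULT err=53 tag=103 nentries=0 etime=0',
]

if __name__ == "__main__":
    for hit in find_unindexed(SAMPLE_ACCESS_LOG):
        print("unindexed:", hit)
    for failure in failed_operations(SAMPLE_ACCESS_LOG):
        print("failed:", failure)
```

On the consumer lines from this thread the decoded pair reads naturally: the supplier's search for the replica entry under cn=mapping tree returned 32 (noSuchObject), and the MOD that followed returned 53 (unwillingToPerform), which is the "DSA is unwilling to perform" the supplier logs. For the unindexed case, a notes=U result whose filter comes back as None means the SRCH line for that op still has to be pulled from the log before anyone can say which attribute to index.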
Re: [389-users] Password policy: Dictionary of unauthorized tokens
On 07/27/2009 01:55 PM, Randall Wood wrote:

The RedHat/FDS documentation suggests that FDS can use a dictionary of unauthorized tokens in a password policy, although it does not seem configurable. Is there a dictionary that FDS uses, and is it possible to add words to it if so desired?

That description is not really correct. There is a check that ensures that values used in common attributes of the user entry can not be present in the password. This prevents things like using your uid or cn in your password. The values are broken into tokens of a configurable length and then compared to the userPassword value.
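The trivial-words check described here, and the "minimum token length" and "passwords with storage scheme are not allowed" points from the earlier password syntax thread, can be put side by side in one small policy checker. The following is an added example, not code from the threads or from 389's own pw.c: it reads the reply's description as a sliding window of `min_token_length` characters over the entry's attribute values, which is an assumption about the exact tokenisation; the set of attributes examined (TRIVIAL_WORD_ATTRS) and the category rules are likewise assumed, and the sample entry and hash value are constructed.

```python
import re

# A value already carrying a storage scheme prefix ({SSHA}, {CRYPT}, {MD5}, ...).
STORAGE_SCHEME_RE = re.compile(r"^\{[A-Za-z0-9_-]+\}")

# "cn, uid, etc." in the reply; the exact list is an assumption of this example.
TRIVIAL_WORD_ATTRS = ("uid", "cn", "sn", "givenName", "mail")


def has_storage_scheme(password):
    return bool(STORAGE_SCHEME_RE.match(password))


def tokens(value, length):
    """All case-folded substrings of exactly `length` characters (sliding window, assumed reading)."""
    v = value.lower()
    return {v[i:i + length] for i in range(len(v) - length + 1)}


def character_categories(password):
    """Count of lower, upper, digit and other categories present."""
    return (any(c.islower() for c in password)
            + any(c.isupper() for c in password)
            + any(c.isdigit() for c in password)
            + any(not c.isalnum() for c in password))


def check_password(password, entry, min_length=8, min_categories=1, min_token_length=3):
    """Return the list of policy violations; an empty list means the password is acceptable.
    `entry` maps attribute names to lists of values, e.g. {"uid": ["kenneth"]}."""
    if has_storage_scheme(password):
        # A pre-hashed value cannot be checked at all, so the server rejects it outright.
        return ["passwords with storage scheme are not allowed"]
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_categories(password) < min_categories:
        problems.append(f"fewer than {min_categories} character categories")
    folded = password.lower()
    for attr in TRIVIAL_WORD_ATTRS:
        for value in entry.get(attr, []):
            for tok in sorted(tokens(value, min_token_length)):
                if tok in folded:
                    problems.append(f"contains token {tok!r} from {attr}")
    return problems


# Constructed sample entry for the checks below.
SAMPLE_USER = {"uid": ["kenneth"], "cn": ["Kenneth Holter"], "sn": ["Holter"], "givenName": ["Kenneth"]}

if __name__ == "__main__":
    for candidate in ("{SSHA}examplehashvalue=", "Kenn3th!9", "aB3$", "xT9#qLp2"):
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_USER) or 'ok'}")
```

The second candidate is why the "trivial words" wording matters: it satisfies length and category rules comfortably, but "ken" and "enn" are three-character windows of the uid, so it is refused. The first candidate shows the ordering the earlier thread ran into: a client that hashes before sending never reaches the syntax rules at all, which is why the fix there was to send the clear-text password over TLS and let the server hash it.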
Re: [389-users] Password lookup to AD
On 07/13/2009 10:13 AM, Prashanth Sundaram wrote:

Hi,

Is it possible to have Fedora DS and have the password lookup redirected to Active Directory? Some kind of proxy lookup. Take the case of Mac OS X server and clients: they have Open Directory and the password manager can authenticate against the Active Directory. Is it possible to have FDS without the password?

See the PAM Pass-through plug-in: http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through

So I would like to know, is it possible to achieve the same for FDS using Samba, Winbind or NSS? Is it possible that the FDS has all the user permissions and special groups but the authentication is turned over to AD? I know the passwords are hashed by Kerberos and hope we can achieve this with some effort.

A useful post by Microsoft: http://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx?pr=blog

Thanks,
Prashanth
Re: [389-users] Migration from OpenLDAP and Sync with AD
On 07/09/2009 07:19 AM, Prashanth Sundaram wrote:

Dear fellow Fedora DS users and experts,

I am working on this new project where there is a two step process. We are currently using a poorly managed OpenLDAP server for over 3 years and planning to migrate to Fedora DS.

Scenario: OpenLDAP === Migrate all users and passwords === Fedora DS --- PassSync --- Windows AD

Question 1: Is it possible to migrate current users (around 300 users) from OpenLDAP to Fedora DS along with the UIDs, Security id and passwords, so that everything looks the same from the users' perspective?

It depends on the schema that is used, but this should be a case of exporting from OpenLDAP and importing to 389.

Question 2: Is it possible to create a password sync between FDS and AD for all the above users? Yes, the username is the same in both directories.

Yes, you can sync passwords. A number of other common attributes are synchronized as well. These attributes are listed in the Red Hat Directory Server Administrator's Guide.

Question 2.1: The users are stored with different Security IDs in the Windows environment than in OpenLDAP or FDS. Will that pose a problem?

I'm not sure what LDAP attribute you are referring to as the Security ID, so I can't say if this will be a problem.

Question 2.2: We have several domain controllers and Active Directory servers which run in sync. Since the PassSync can only run on one server, will it be a problem that some passwords do not get synced because the user changed it on XP, which redirected to another server (without PassSync)?

You need to run the PassSync service on all domain controllers. It's the synchronization agreement that you set up on the 389 side that can only point to one domain controller.

If any of you has gone thru these issues and anything more, please respond to this thread or give me links. Thanks for your help and patience.

Prashanth
Re: [389-users] Migration from OpenLDAP and PassSync with AD
On 07/09/2009 09:35 AM, Prashanth Sundaram wrote:

Elaborating the Qs:

Question 1: Since we have an existing LDAP server (OpenLDAP) and users were logging in to other dev, prod and testing servers using the passwords managed by this OpenLDAP server. I believe the way the member servers remember the user credentials is by assigning each user a unique security ID (please correct me if I am wrong). If that gets lost in migration, then my users' permissions will have to be re-assigned from scratch (pain for sysadmins). So my question was, will the users be able to login to member servers after migrating to FDS and still have the same permissions and home directory folder, with everything looking the same, without panicking about any missing permissions or files?

I believe you are referring to the uidNumber and gidNumber attributes. File permissions use these numbers. These will remain the same when you export from OpenLDAP and import to 389.

Question 2.1: What will happen to the passwords that are different on the FDS and AD before the Sync? I do not want the passwords to be reset on FDS or AD after the 1st sync, but only future password changes to be synced to FDS and AD and vice versa.

A clear-text password is required to sync since different hashing schemes are used on each side. Passwords will only be synchronized when they are changed, which is what you want.

Question 2.1: I was working with Windows before and noticed that Windows saves users with a unique id. If that is lost or recreated, the previous permissions will no longer hold true for the user, even though the username is the same. Is it the same in a Unix environment? Say I delete a user account from FDS and a day later I re-create the ID; will the permissions stay intact?

The uidNumber and gidNumber are used in *nix, not the actual uid. If you re-create a user using the same uidNumber and gidNumber, the permissions will still have the same net effect as they did with the old user entry.
Thanks,
Prashanth

https://www.redhat.com/archives/fedora-directory-users/2009-July/msg00013.html
Re: [389-users] using uid rather then cn in the binddn
Dumbo Q wrote:

Erg. I thought I had it, but something is blocking me from doing this update. Can anyone help me find where my constraint is?

snip

[r...@rhds ~]# ldapmodify -x -W -D cn=DirectoryManager
dn: cn=testy,ou=users,ou=people,dc=mydomain,dc=com
changetype: modify
newRDN: uid=testy
deleteOldRDN: 1

modifying entry cn=testy,ou=users,ou=people,dc=mydomain,dc=com
ldapmodify: Object class violation (65)
additional info: attribute newRdn not allowed

You need to perform a modrdn operation instead of a regular modify. Try the above, but change your changetype to modrdn. You may also find that you don't want to delete the old RDN from the entry, particularly if that is the only cn value present in your entry. Doing so would cause an objectclass violation since cn is likely required for the objectclass you are using.
Re: [389-users] using uid rather than cn in the binddn
Dumbo Q wrote:
Thanks. I tried that, but now it tells me

ldapmodify: Object class violation (65)
additional info: missing attribute cn required by object class inetOrgPerson

Being that the entry has a 'cn', I guess this means that somewhere I have it set up where the dn requires the cn to be in it??? Any thoughts?

Are you still specifying deleteOldRDN: 1? As I mentioned, you shouldn't be doing that as it will delete the old RDN value from the entry, which is your cn. Since cn is required by the inetOrgPerson objectclass, this is an objectclass violation. Try specifying deleteOldRDN: 0.

From: Nathan Kinder nkin...@redhat.com
To: General discussion list for the 389 Directory server project. fedora-directory-users@redhat.com
Sent: Monday, June 22, 2009 4:30:53 PM
Subject: Re: [389-users] using uid rather than cn in the binddn
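The two replies above describe what a modrdn does to the entry and why deleteOldRDN: 1 produces a result code 65. The following is an added example, not code from the thread or from 389: it models the rename in memory against a constructed entry whose only cn value is the RDN, runs a constructed objectclass MUST table over the result (the standard person objectclass, which inetOrgPerson inherits, requires cn and sn), and prints the LDIF change record with the correct changetype.

```python
"""Model of what an LDAP modrdn does to an entry, and why deleteOldRDN: 1
fails for an inetOrgPerson whose only cn value is the one in the RDN.

Added example, not code from the thread or from 389. The entry and the
MUST table below are constructed; the table reflects that the standard
'person' objectclass requires cn and sn, which inetOrgPerson inherits.
"""
from typing import Dict, List, Optional, Tuple

# Constructed MUST table (lowercased objectclass -> required attributes).
REQUIRED_ATTRS = {
    "top": set(),
    "person": {"cn", "sn"},
    "organizationalperson": set(),
    "inetorgperson": set(),
}


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Split 'attr=value' into (lowercased attr, value)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


def apply_modrdn(entry: Dict[str, List[str]], old_dn: str, new_rdn: str,
                 delete_old_rdn: bool) -> Tuple[str, Dict[str, List[str]]]:
    """Rename an entry in memory the way the server would, then run the
    objectclass MUST check. Raises ValueError with an LDAP-style message
    (result code 65) if a required attribute disappeared."""
    old_rdn, _, parent = old_dn.partition(",")
    old_attr, old_val = parse_rdn(old_rdn)
    new_attr, new_val = parse_rdn(new_rdn)
    new_entry = {k.lower(): list(v) for k, v in entry.items()}

    # The new RDN value is added to the entry if it is not already present.
    values = new_entry.setdefault(new_attr, [])
    if new_val.lower() not in (v.lower() for v in values):
        values.append(new_val)

    # deleteOldRDN removes the old RDN value; if that was the only value,
    # the whole attribute is gone (case-insensitive match, as for cn).
    if delete_old_rdn:
        kept = [v for v in new_entry.get(old_attr, []) if v.lower() != old_val.lower()]
        if kept:
            new_entry[old_attr] = kept
        else:
            new_entry.pop(old_attr, None)

    required = set()
    for oc in new_entry.get("objectclass", []):
        required |= REQUIRED_ATTRS.get(oc.lower(), set())
    missing = sorted(required - set(new_entry))
    if missing:
        raise ValueError(
            f"Object class violation (65): missing attribute {missing[0]} "
            "required by object class")
    return f"{new_rdn},{parent}", new_entry


def modrdn_error(entry, old_dn, new_rdn, delete_old_rdn) -> Optional[str]:
    """Return the violation message the rename would produce, or None."""
    try:
        apply_modrdn(entry, old_dn, new_rdn, delete_old_rdn)
    except ValueError as exc:
        return str(exc)
    return None


def modrdn_ldif(dn: str, new_rdn: str, delete_old_rdn: bool) -> str:
    """The LDIF change record for ldapmodify (changetype modrdn, not modify)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modrdn",
        f"newrdn: {new_rdn}",
        f"deleteoldrdn: {1 if delete_old_rdn else 0}",
    ])


# Constructed entry matching the thread's DN: its only cn is the RDN value.
ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "cn": ["testy"],
    "sn": ["testy"],
    "uid": ["testy"],
}
DN = "cn=testy,ou=users,ou=people,dc=mydomain,dc=com"

if __name__ == "__main__":
    print(modrdn_ldif(DN, "uid=testy", False))
    print("deleteOldRDN 1 ->", modrdn_error(ENTRY, DN, "uid=testy", True))
    print("deleteOldRDN 0 ->", apply_modrdn(ENTRY, DN, "uid=testy", False)[0])
```

With deleteOldRDN set, the model strips the single cn value and the MUST check fails exactly as the server did; with it cleared, the entry keeps cn: testy alongside uid: testy and the new DN is uid=testy,ou=users,ou=people,dc=mydomain,dc=com.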
Re: [389-users] which user must have access to /var/run/dirsrv ?
dima vasiletc wrote:
Hello. When I try to start dirsrv I have this error:

Failed to delete old semaphore for stats file (/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission denied).

Note that this is referring to a semaphore that coordinates access to the stats file, not the stats file itself. Did you previously install and remove a DS instance with the same name on this system? Did you recently change the user that this DS instance runs as?

But access for the dirsrv user is permitted. Also
Re: [389-users] which user must have access to /var/run/dirsrv ?
dima vasiletc wrote:
On 06/15/2009 08:08 PM, Nathan Kinder wrote:
Did you previously install and remove a DS instance with the same name on this system? Did you recently change the user that this DS instance runs as?

Thanks. After reboot resolved.

POSIX named semaphores are removed during a reboot, which is why the reboot fixed your problem. A reboot is not necessary to clean up a leftover semaphore. You can see the current named semaphores and their ownership by doing a 'ls -l /dev/shm'. For DS, we create a semaphore named something similar to sem.slapd-localhost.stats. I believe simply removing this would have fixed your problem as well.
Re: [Fedora-directory-users] DNA MultiMaster
Edward Konetzko wrote:
Sorry if this already posted, I seem to be having trouble with email today. I have read the following pages and cannot exactly figure out how to do what I want.
http://directory.fedoraproject.org/wiki/DNA_Plugin
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html

I have 2 companies I want to set ranges for. Company 1 gets range uidNumber and gidNumber 1 million - (2 million - 1) and Company 2 gets range uidNumber and gidNumber 2 million - (3 million - 1). DIT layout is {ou=people,ou=groups,ou=ranges}, ou=Company{1,2}, dc=example, dc=com.

I set up company 1 on master1 with the following ldifs.

dn: ou=Ranges,ou=Company1 dc=example, dc=com
objectclass: top
objectclass: extensibleObject
objectclass: organizationalUnit
ou: Ranges

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Company1 Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Company1 Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=Company1 , dc=example,dc=com
dnanextvalue: 100
dnaMaxValue: 1000500
dnasharedcfgdn: cn=Company1 Account UIDs,ou=Ranges,dc=example,dc=com
dnathreshold: 100
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
dnaNextRange: 1000501 - 199

I then repeat this on master2, but then when I add users to both servers Master1 hands out uidNumber = 1 and Master2 hands out uidNumber = 1 for their first adds, and they keep adding numbers incrementing by one, thus overlapping numbers. For gidNumber I basically use the same ldifs except I substitute Group UID for Account UID and gidNumber for uidNumber.
User add ldif looks as the following:

dn: uid=test,ou=people,ou=Region1, dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: test
gecos: test
gidNumber: magic
givenName: test
homeDirectory: /home/test
loginShell: /bin/bash
mail: t...@example.com
o: test
shadowLastChange: 14098
shadowMax: 9
shadowWarning: 7
sn: test
uid: test
uidNumber: magic
userPassword:: password

Question is, what am I doing wrong? Server is Red Hat DS 8.1 on RHEL 5 64-bit.

If you configure both masters to use the same range, then they will both assign the same values. You need to split the range for company1 in half and assign half to each of your two masters (1,000,000-1,499,999 for master1 and 1,500,000-1,999,999 for master2). You need to use dnaNextValue and dnaMaxValue to set these upper and lower boundaries. You should not be setting dnaNextRange at all for what you are trying to do.

Thanks
Edward

-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
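The reply above says to give each master a disjoint slice of the company's range via dnaNextValue and dnaMaxValue, and to leave dnaNextRange alone. The following is an added example, not configuration from the thread or code from the DNA plug-in: it splits an inclusive range into per-master slices, detects the overlap that produced the duplicate uidNumbers, and emits one DNA config entry per master. The company name, master names, suffix and shared-config DN are constructed placeholders.

```python
"""Plan non-overlapping DNA ranges for several masters and emit the
per-master plug-in config entries using dnaNextValue/dnaMaxValue only.

Added example, not configuration from the thread. Company name, master
names, scope and shared-config DNs are constructed for illustration.
"""
from typing import Dict, List, Tuple


def split_range(low: int, high: int, n_masters: int) -> List[Tuple[int, int]]:
    """Divide the inclusive range low..high into n contiguous, disjoint
    (next_value, max_value) slices; the first slices absorb any remainder."""
    if n_masters < 1 or high < low:
        raise ValueError("invalid range or master count")
    size, rem = divmod(high - low + 1, n_masters)
    slices, cur = [], low
    for i in range(n_masters):
        extent = size + (1 if i < rem else 0)
        slices.append((cur, cur + extent - 1))
        cur += extent
    return slices


def find_overlaps(assignments: List[Tuple[str, int, int]]) -> List[Tuple[str, str]]:
    """assignments: (master, dnaNextValue, dnaMaxValue). Returns the pairs
    of masters whose ranges intersect, i.e. that can hand out the same
    number (the symptom in the thread)."""
    clashes = []
    for i, (ma, lo_a, hi_a) in enumerate(assignments):
        for mb, lo_b, hi_b in assignments[i + 1:]:
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((ma, mb))
    return clashes


def dna_config_entry(cn: str, attr_type: str, ldap_filter: str, scope: str,
                     next_value: int, max_value: int, shared_cfg_dn: str,
                     threshold: int = 100) -> str:
    """LDIF for one DNA config entry. Deliberately no dnaNextRange: the
    master's whole allocation is expressed as dnaNextValue..dnaMaxValue."""
    return "\n".join([
        f"dn: cn={cn},cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config",
        "objectClass: top",
        "objectClass: extensibleObject",
        f"cn: {cn}",
        f"dnaType: {attr_type}",
        f"dnaFilter: {ldap_filter}",
        f"dnaScope: {scope}",
        f"dnaNextValue: {next_value}",
        f"dnaMaxValue: {max_value}",
        f"dnaSharedCfgDn: {shared_cfg_dn}",
        f"dnaThreshold: {threshold}",
        "dnaMagicRegen: magic",
    ])


def plan_company(company: str, low: int, high: int, masters: List[str],
                 attr_type: str = "uidNumber",
                 ldap_filter: str = "(objectclass=posixAccount)") -> Dict[str, str]:
    """One config entry per master, each with a disjoint slice of the
    company's range. Returns {master: ldif}."""
    base = "dc=example,dc=com"  # constructed suffix
    cn = f"{company} Account UIDs"
    plan = {}
    for master, (lo, hi) in zip(masters, split_range(low, high, len(masters))):
        plan[master] = dna_config_entry(
            cn, attr_type, ldap_filter, f"ou={company},{base}", lo, hi,
            f"cn={cn},ou=Ranges,ou={company},{base}")
    return plan


if __name__ == "__main__":
    for master, ldif in plan_company("Company1", 1_000_000, 1_999_999,
                                     ["master1", "master2"]).items():
        print(f"# {master}\n{ldif}\n")
```

For the gidNumber entries the same planner applies with attr_type="gidNumber" and a group filter; the point is that each master's dnaNextValue..dnaMaxValue window must be disjoint from every other master's, which find_overlaps verifies before the LDIF is loaded.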
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
Kashif Ali wrote:
Hello All, after spending a long weekend configuring Fedora-DS to have central authentication + central home dirs, I now have two issues which I would like to know if anyone can help me with.

1) Currently when adding a new user, I have to manually go to advanced options and add a value called posixgroup to the object class; this is so that the group ID has a name and you don't see the error "GroupID name not found" when logging onto a box. Is there any way to update the default user template so that, when you enable posixaccount, the posixgroup objectclass is automatically added, thus removing the manual process?

2) Is there any way to get the directory server to generate UNIQUE UID/GID based on the last uid created? Ideally I would like the range to start from 5000 and finish at 8000. The automatic procedure would just use the next available uid/gid in the list, again removing the need for the user to check and make sure the id is unique.

There is a first version of a Distributed Numeric Assignment plug-in in the current Fedora Directory Server code that deals with this problem. It is designed to manage a range of unique numeric values across multiple master FDS instances. You can read more about the current implementation at http://directory.fedoraproject.org/wiki/DNA_Plugin_Implementation

I am currently doing some re-design and improvement to this plug-in to address some shortcomings of the current implementation. These areas are pointed out at the bottom of the above page.
-NGK

Any help with either of these issues would be much appreciated.
Regards
Kashif
Re: [Fedora-directory-users] newbie question - roles AND groups?
Edward Capriolo wrote:
If you take a look at OpenLDAP it has dynamic 'overlays': http://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists. The main gist of it is that an LDAP query can be saved in an object. This is similar in my mind to an SQL view. So nss_ldap would reference a dynamic_overlay-like object and that would re-search for the actual content to be returned to the user. Having the object work in this read-only sense would make it less complicated than http://directory.fedoraproject.org/wiki/MemberOf_Plugin and still fit the need nicely.

The overlay approach is less complicated, but it doesn't appear to deal with nested groups. The complexity of the memberOf plug-in is due to this support for nested groups. The approach of having to do multiple searches to resolve a user's nested memberships every time you just want to find out what groups you belong to would have a negative performance impact for reads over generating the memberOf attribute values when an actual membership modification is made. The assumption is that membership checks occur more often than membership changes, so performing all of the work up front when the modify takes place is best.

It would be more generic than memberOf and I can see a lot of uses for it. Maybe another such plug-in exists that I am not aware of.

The plans for the memberOf plug-in are to make it more generic. The current code in CVS allows the attributes it acts on to be configurable. Other changes would need to be made to the plug-in to allow it to truly be a general purpose linked attribute plug-in. In particular, the ability to turn off the nesting capability, configure multiple linked attributes, and define which suffix(es) to operate on would be very useful.

2008/6/19 Richard Megginson [EMAIL PROTECTED]:
Grzegorz Marszałek wrote:
Hello! I'm a newbie to Fedora Directory, but it has two significant features - acl and nested roles. But I could find a way to use roles as groups.
That is - I'd like to define a role, and then use this to define a posix group, which I can use via nss_ldap on my servers. At first glance it seems that dynamic groups will do what I want - I just defined a filter to include all users with a particular role in the group. But unfortunately dynamic groups aren't resolved by the server, you need the client application to do that :( So the question is: is there any way to do this without writing my own slapi plugin?

No, not currently. But several other users have expressed an interest in a feature like this. There is another new feature related to this concept that is currently in Fedora DS and being improved for the next version - http://directory.fedoraproject.org/wiki/MemberOf_Plugin Would you be able to create a wiki page to explain your requirements for such a feature? That would be a very good place to start designing this feature. Thanks!

---
Grzegorz Marszałek [EMAIL PROTECTED]
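The reply about the memberOf plug-in contrasts computing nested membership once at modify time with resolving it by repeated searches at read time. The following is an added example, not code from 389 or the memberOf plug-in: it builds the transitive memberOf table for a constructed three-level group tree (tolerating cycles), and beside it resolves one user's groups the read-time way while counting the searches that costs. All DNs are constructed.

```python
"""Nested-group membership two ways: memberOf values computed up front
(what the memberOf plug-in maintains on each membership modify) versus
resolving the chain with repeated searches at read time, the cost the
reply above describes.

Added example, not code from 389 or the memberOf plug-in. Group and user
DNs are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed DIT: alice is in admins, admins is nested in staff, staff in all.
GROUPS: Dict[str, List[str]] = {
    "cn=all,ou=groups,dc=example,dc=com": [
        "cn=staff,ou=groups,dc=example,dc=com",
        "uid=carol,ou=people,dc=example,dc=com",
    ],
    "cn=staff,ou=groups,dc=example,dc=com": [
        "cn=admins,ou=groups,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
    "cn=admins,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
    ],
}


def compute_member_of(groups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {member_dn: sorted group DNs} including groups reached through
    nesting. Cycles (a group that indirectly contains itself) are tolerated."""
    direct_parents: Dict[str, Set[str]] = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            direct_parents.setdefault(member_dn, set()).add(group_dn)
    member_of: Dict[str, List[str]] = {}
    for member_dn, parents in direct_parents.items():
        seen: Set[str] = set()
        stack = list(parents)
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            stack.extend(direct_parents.get(g, ()))
        member_of[member_dn] = sorted(seen)
    return member_of


def groups_by_search(groups: Dict[str, List[str]], member_dn: str) -> Tuple[List[str], int]:
    """Read-time resolution: one (member=<dn>) search per DN discovered.
    Returns (sorted group DNs, number of searches issued)."""
    found: Set[str] = set()
    frontier = [member_dn]
    searches = 0
    while frontier:
        dn = frontier.pop()
        searches += 1  # the client asks the server "which groups list dn?"
        for group_dn, members in groups.items():
            if dn in members and group_dn not in found:
                found.add(group_dn)
                frontier.append(group_dn)
    return sorted(found), searches


if __name__ == "__main__":
    table = compute_member_of(GROUPS)
    for dn, gs in sorted(table.items()):
        print(dn, "->", gs)
    print(groups_by_search(GROUPS, "uid=alice,ou=people,dc=example,dc=com"))
```

For alice the read-time path needs four searches (her own DN plus one per group discovered) to learn what a single memberOf read would return; that per-lookup cost is what the reply weighs against doing the work once when a membership changes.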
Re: [Fedora-directory-users] LDAP Load Tools
Michael Brown wrote:
Hello All, can anyone point me to load generation tools specific to LDAP? Do they even exist? I'm working with an RHDS customer (currently RHDS 7.1sp3, hopefully moving to sp6 soon, or RHDS 8) with large attribute requirements (some attributes 25-30 Mbytes) who wants to do some modeling of performance in the lab so that memory sizing and configuration is less of an issue in production. Ideally the tool(s) would incorporate multiple threads, and configurable simultaneous writes and reads/searches of multiple nodes. However, I will settle for anything less than ideal at this point.

There's the ldclt tool that's included with the fedora-ds-base package. It uses multiple threads and is fairly flexible in the operations that you can perform with it. Another popular tool is SLAMD, which is more advanced than ldclt.
-NGK

Thanks
Re: [Fedora-directory-users] Remote console fails for access to Fedora-DS 1.1
Wolf Siedler wrote:
So let me describe the setup: I have a server (RHEL 5.1) running Fedora Directory Server and Fedora Admin Server. It used to be Fedora-DS 1.0.4 (installed from rpm). A few days ago, I upgraded Fedora-DS to 1.1. For the upgrade procedure, I followed the instructions on the website regarding prerequisites and repo configuration. Afterwards, I ran the migration script migrate-ds-admin.pl. It stated that migration was done successfully (as per the logfile in /tmp/), and only failed to start the admin server, which I then did manually. The directory server was started automatically.

Now I would like to use my workstation (running Fedora 7) for configuration. Java is JDK 1.5.0_14 from Sun. In the past, it worked after installing the Fedora-DS 1.0.4 rpm and starting the console by ./startconsole. After the upgrade, I tried to duplicate the earlier approach and upgraded everything Fedora-DS-related on my workstation to version 1.1... Then I tried to start the console via fedora-idm-console. It didn't work 100%: I was able to open the configuration window for Fedora Administration Server from the main console window. However, I was unable to open the Fedora Directory Server configuration window from the main console. There were always error messages about a missing/incomplete fedora-ds-1.0.jar and clicking the Download button in the main console didn't change anything.

In order to see whether it might be a Java-related problem, I used a virtual machine with Windows 2000, Fedora IDM console (.msi) and Sun-JRE 1.5.0_15 for crosschecking. Same failure in the main console window when trying to access the Fedora Directory Server (the one on the RHEL server) configuration window. Then I changed the JRE to Sun-JRE 1.6.0_06. Still the same error when trying to access the Fedora Directory Server configuration window. So I removed everything Fedora-DS-related on my workstation, including ~/.fedora-idm-console.
Next step was to install only the package fedora-idm-console through yum. Afterwards, I started the console on my workstation by fedora-idm-console -D 9 -f fds_console.log. From studying fds_console.log, I learned that the console apparently could not find fedora-ds-1.0.jar and fedora-ds-1.0_en.jar on the server (error 404). Fedora-ds-1.1(...).jar were found. So I went over the file structure at the server and found the fedora-ds-1.1(...).jar files in directory /usr/share/dirsrv/html/java/. However, copying fedora-ds-1.0.jar and fedora-ds-1.0_en.jar to /usr/share/dirsrv/html/java/ brought no change; fds_console.log still showed the error 404. Only after manually creating (sub)directory /usr/share/dirsrv/html/java/jars/ and copying fedora-ds-1.0.jar + fedora-ds-1.0_en.jar in there (only those two) did the error 404 disappear from fds_console.log.

The current status is: On my (Fedora 7) workstation, I can open Fedora IDM console. Problems begin once I expand (in the main console window) the subtree below Server Group. I still can access Fedora Administration Server and open its configuration window. The (workstation/console) logfile fds_console.log shows that fedora-admin-1.1.jar gets downloaded from server to workstation. When attempting to open entry Fedora Directory Server, the console downloads fedora-ds-1.0.jar and fedora-ds-1.0_en.jar. But I can't open the corresponding configuration window from the console. fds_console.log shows plenty of "class not found" messages and ends up in a Java exception error (attached below).

At least as far as I am aware, there should be no more Fedora-DS components at level 1.0.4, neither on the server nor on the workstation/console side. However, while writing this down, I just double checked with JXplorer and found in cn=Fedora Directory Server, ... , o=NetscapeRoot the attribute nsProductVersion as 1.0.4. Is this maybe the reason for all my troubles?
Is there a way to find out whether my directory server is really still left at version 1.0.4? As mentioned above, based on the feedback of the migration script, I was honestly convinced it was successfully migrated. If it is just a matter of an inaccurate version string, I could easily correct that through JXplorer. But to what value?

I believe the migration did upgrade you to Fedora Directory Server 1.1, which you can verify in the ns-slapd errors log. The problem is that not all of the entries used by the Administration Server were properly updated. You should be able to look through the o=NetscapeRoot portion of your tree to see where 1.0.4 is still referenced and change them. The incorrect jar file name should be listed in an attribute there as well.
-NGK

I regret causing that much trouble. Nevertheless, I appreciate your ongoing and fast advice.
Regards, Wolf

== snip
Re: [Fedora-directory-users] Password Syntax Checking
Eric Brown wrote:
I have been trying to get the Password Syntax Checking working with FDS 1.0.4 and am having some trouble with the passwords that it is allowing and the ones that are returning invalid syntax. I started by setting the password policy the way I thought I wanted to use for my environment, but then no passwords would work, so I changed everything down to the minimums that I could find, but I am still getting several passwords rejected due to a syntax error. I am not using the console and I need to be able to set this through an LDIF file. Currently I have these settings for the password policy configuration:

passwordInHistory: 2
passwordUnlock: on
passwordGraceLimit: 0
passwordMustChange: off
passwordWarning: 86400
passwordLockout: on
passwordMinLength: 4
passwordMinDigits: 0
passwordMinAlphas: 0
passwordMinUppers: 0
passwordMinLowers: 0
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 1
passwordMinTokenLength: 1

You should use a larger value for passwordMinTokenLength, such as 3. This setting checks if portions of the attribute values in the user's entry are in their password, such as a password with your name in it. A setting of 1 is going to be very strict, meaning that any character that is in your name can not be present in your password. See this page for more detail: http://directory.fedoraproject.org/wiki/Password_Syntax
-NGK

passwordMaxFailure: 3
passwordMaxAge: 3888000
passwordResetFailureCount: 120
passwordisglobalpolicy: off
passwordChange: on
passwordExp: on
passwordLockoutDuration: 300
passwordCheckSyntax: on
passwordMinAge: 0
passwordStorageScheme: SSHA256

I am getting syntax errors on passwords like the following: spfihykr spfihykr10 qpwoeiru 10293847 cmdjeu37 alskdj37 xnshwy26 doggie doggie12, but things like testpass work just fine. I figure that I have something not configured properly, but I don't know what needs to be changed.
And some of the values that I am using were in the User Account Management section of the Administrator's Guide two weeks ago, but they are missing now.
Thanks in advance,
Eric Brown
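The reply explains passwordMinTokenLength as a check that no portion of the user's own attribute values, of at least that length, appears in the password, and why a value of 1 rejects almost everything. The following is an added example, not 389's implementation: it models that check against a constructed user entry so the effect of 1 versus 3 can be seen on sample passwords. The attribute list it scans is an assumption, and because the outcome depends on the entry, the results are for this constructed user rather than the ones reported in the thread.

```python
"""Model of the passwordMinTokenLength check described in the reply: the
password is rejected if it contains any substring ("token") of at least
that length taken from the user's own attribute values.

Added example, not 389's implementation. The attribute list and the user
entry are constructed; results depend on the entry, so they are not the
ones reported in the thread.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed list of attributes whose values feed the check.
TOKEN_ATTRS = ("uid", "cn", "sn", "givenname", "mail", "ou")


def trivial_tokens(entry: Dict[str, List[str]], min_token_length: int) -> Set[str]:
    """Every lowercased substring of exactly min_token_length characters of
    the considered attribute values. Checking exactly that length is
    equivalent to checking every longer substring as well, since any longer
    match contains a match of this length."""
    tokens: Set[str] = set()
    n = max(1, min_token_length)
    for attr, values in entry.items():
        if attr.lower() not in TOKEN_ATTRS:
            continue
        for value in values:
            v = value.lower()
            for i in range(len(v) - n + 1):
                tokens.add(v[i:i + n])
    return tokens


def check_token_rule(password: str, entry: Dict[str, List[str]],
                     min_token_length: int) -> Tuple[bool, Optional[str]]:
    """Return (accepted, offending_token); the comparison is case-insensitive."""
    pw = password.lower()
    for token in sorted(trivial_tokens(entry, min_token_length)):
        if token in pw:
            return False, token
    return True, None


# Constructed user entry.
ENTRY = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "givenName": ["John"],
}

if __name__ == "__main__":
    for pw in ("spfihykr", "doggie", "johnny123", "xk9qz"):
        for n in (1, 3):
            print(f"{pw!r} minTokenLength={n}:", check_token_rule(pw, ENTRY, n))
```

With minTokenLength 1 the token set for this user is just the letters of "jdoe", "John Doe" and "John" (plus the space), so "spfihykr" falls on the "h" and "doggie" on the "d"; at 3 both pass, while "johnny123" is still caught by the token "joh" from the name, which is the behaviour the setting is meant to provide.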
Re: [Fedora-directory-users] windows sync and password clear
Luigi Santangelo wrote:
Hi everybody, this is my problem: I configured my Fedora DS and now I can sync the LDAP users with Windows 2003 Active Directory. Then I created a new user with this ldif:

dn: uid=red,ou=Other,ou=Students,ou=People,dc=x,dc=xx
givenName: red
sn: red
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: red
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: red
ntUserDomainId: red
userPassword: redpwd
creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note that I wrote the user's password in clear. Now I can log on to the Windows AD with the username red and the password redpwd. Then I added another user (yellow) with this ldif:

dn: uid=yellow,ou=Other,ou=Students,ou=People,dc=x,dc=xx
givenName: yellow
sn: yellow
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
uid: yellow
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
cn: yellow
ntUserDomainId: yellow
userPassword: {MD5}8cb32079718c657b02176b97d030
creatorsName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot
modifiersName: uid=root,ou=administrators,ou=topologymanagement, o=netscaperoot
createTimestamp: 20080318153555Z
modifyTimestamp: 20080318153555Z
nsUniqueId: f8f6c801-f50011dc-80ebbfe2-cc3ccdae

Note that MD5(yellowpwd) = 8cb32079718c657b02176b97d030. Then if I try to log on to the Windows AD (from Windows) with the username yellow and the password yellowred, I cannot log in. Instead, if I try to log on to the Windows AD with the username yellow and the password {MD5}8cb32079718c657b02176b97d030, I can log in. Do you think that this is a problem strictly related to Windows? How can I get over it?
You can't pre-hash the password on the client side if you want it to be properly synced to AD. The client needs to provide its password to FDS in the clear, preferably over LDAPS or using a SASL mechanism that provides confidentiality. FDS will then hash it according to the default password hash storage scheme config setting. The clear password will be provided to AD over LDAPS so AD can hash it using the hashing scheme it needs.
-NGK

Thank you in advance.
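The reply's point is that the server can only forward a password to AD if it received the clear text, and that a value arriving already prefixed with a {SCHEME} is stored as-is. The following is an added example, not 389 or PassSync code: it implements SSHA storage and verification (one of the schemes 389 supports) and models the receiving side's decision, so the difference between a clear value and a pre-hashed one is explicit. Sample passwords and the pre-hashed value are constructed.

```python
"""Why a pre-hashed userPassword cannot be synchronized: model of how a
server treats an incoming userPassword value, with SSHA as the storage
scheme (one of the schemes 389 supports).

Added example, not 389 or PassSync code. Sample passwords are constructed.
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# A value that already names a scheme, e.g. "{MD5}..." or "{SSHA}...".
SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")
SHA1_LEN = 20


def hash_ssha(clear: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA}base64(digest || salt) layout."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(clear.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, clear: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(clear.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def receive_userpassword(value: str) -> Dict[str, Optional[str]]:
    """What the directory can do with a userPassword value as received.
    A value already carrying a {SCHEME} prefix is stored verbatim: the
    server never sees the clear text, so there is nothing to forward to AD
    (AD then receives the literal string, if anything). A clear value is
    hashed for storage, and the clear text is available at that moment for
    the sync to send over LDAPS."""
    if SCHEME_PREFIX.match(value):
        return {"stored": value, "clear_for_sync": None}
    return {"stored": hash_ssha(value), "clear_for_sync": value}


if __name__ == "__main__":
    for incoming in ("redpwd", "{MD5}CY3N0rVu8Zw7s+Ob3CHyxQ=="):  # constructed
        print(incoming, "->", receive_userpassword(incoming))
```

The second case is the one in the thread: the server stores the {MD5} string unchanged and has no clear text to pass along, which matches the observation that the literal "{MD5}..." string, not the original password, is what ends up working against AD.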
Re: [Fedora-directory-users] Glue Entry Thread
James wrote:
Hi All, I have a set of directory servers with multi-master replication. On one of the two master servers, I see this log:

[25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec17c: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d398, error 68
[25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec17c: Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com uniqueid =96a7eb81-1dd111b2-8016d669-d398, error 68

The log is repeated once per second (there are two in this copy/paste). I have a high-level understanding of what a glue entry is, and why one would be created, but why can't this server create one in this instance? And is there anything I can do to fix this repeated log?

It can't create it because it already exists (error 68). Please file a bug on this issue (https://bugzilla.redhat.com/enter_bug.cgi). You can try to delete the existing glue entry to allow the replication plug-in to re-create it and proceed.
-NGK

Thanks,
~James
Re: [Fedora-directory-users] Glue Entry Thread
James wrote:
Thanks for the suggestion. I have tried searching for the glue entry in the database, and I can't find it:

[EMAIL PROTECTED] ~]$ ldapsearch -MMxw x -D cn=Directory Manager -b ou=soleotester,ou=people,dc=soleocommunications,dc=com -s one -h 10.1.5.211
# extended LDIF
#
# LDAPv3
# base ou=soleotester,ou=people,dc=soleocommunications,dc=com with scope one
# filter: (objectclass=*)
# requesting: ALL
# with manageDSAit critical control
#

# search result
search: 2
result: 32 No such object
matchedDN: ou=people,dc=soleocommunications,dc=com

# numResponses: 1

When I first noticed these logs, I did find the original entry present on this server (and on the other master), so I deleted this entry from both servers (and restarted ns-slapd), but that didn't get rid of the log. Also, I've noticed that after a while of having this error printed out, the server stops allowing me to bind in. Am I doing something wrong in my search? Or is there something else I can try?

Your search is searching for ou=soleotester,ou=people,dc=soleocommunications,dc=com, but the glue entry the server is trying to create is uid=soleotester,ou=people,dc=soleocommunications,dc=com. Try doing this search instead:

ldapsearch -b ou=people,dc=soleocommunications,dc=com -s one uid=soleotester
-NGK

Thanks
~James

On Tuesday 25 March 2008 14:46:56 Nathan Kinder wrote:
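Both messages in this thread hinge on reading the trailing "error 68" as entryAlreadyExists and on the exact DN the plug-in is complaining about (uid=..., not ou=...). The following is an added example, not 389 code: a parser for the NSMMReplicationPlugin lines quoted above that pulls out the CSN, the glue entry DN and uniqueid, and names the LDAP result code, plus a per-DN counter so a once-per-second retry loop stands out. The two sample lines are the ones quoted in the thread; the result-code table is a constructed subset covering the codes that appear on this page.

```python
"""Parse the NSMMReplicationPlugin lines from the thread and map the
trailing LDAP result code to its name, so the repeating "error 68" reads as
entryAlreadyExists at a glance.

Added example, not 389 code. The two sample lines are the ones quoted in the
thread; the result-code table covers only the codes that appear on this page.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<plugin>\S+) - conn=(?P<conn>\d+) op=(?P<op>\d+) "
    r"csn=(?P<csn>[0-9a-f]+): (?P<msg>.*?)(?:, error (?P<err>\d+))?$"
)
# The message names the DN it failed on and its uniqueid (note the stray
# space before '=' in the real log line).
GLUE_RE = re.compile(r"glue entry (?P<dn>\S+) uniqueid\s*=\s*(?P<uid>\S+)")

SAMPLE_LOG = [
    "[25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec17c: "
    "Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com "
    "uniqueid =96a7eb81-1dd111b2-8016d669-d398, error 68",
    "[25/Mar/2008:14:26:42 -0400] NSMMReplicationPlugin - conn=5 op=6 csn=47cec17c: "
    "Can't created glue entry uid=soleotester,ou=people,dc=soleocommunications,dc=com "
    "uniqueid =96a7eb81-1dd111b2-8016d669-d398, error 68",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for a replication-plugin errors-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    err = int(m["err"]) if m["err"] is not None else None
    rec: Dict[str, object] = {
        "timestamp": m["ts"],
        "plugin": m["plugin"],
        "conn": int(m["conn"]),
        "op": int(m["op"]),
        "csn": m["csn"],
        "message": m["msg"],
        "error": err,
        "error_name": LDAP_RESULT_NAMES.get(err, "unknown") if err is not None else None,
        "dn": None,
        "uniqueid": None,
    }
    g = GLUE_RE.search(m["msg"])
    if g:
        rec["dn"], rec["uniqueid"] = g["dn"], g["uid"]
    return rec


def summarize(lines: List[str]) -> Dict[Tuple[Optional[str], Optional[str]], int]:
    """Count lines per (dn, error_name): a climbing count for one DN is the
    plug-in retrying the same failed operation, as in the thread."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["error"] is not None:
            counts[(rec["dn"], rec["error_name"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    print(summarize(SAMPLE_LOG))
```

The parsed DN is what the follow-up search should use as its target (scope one under ou=people with a uid=soleotester filter, as the reply suggests), and the result 32 from the first search is the same table's noSuchObject.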
Re: [Fedora-directory-users] Previous password still works?
Chris Halstead wrote:
userPassword has no value at all.

Are you searching as cn=Directory Manager when you check for userPassword?

-chris

Richard Megginson wrote:
Do you have two values for the userPassword attribute in your entry?
Re: [Fedora-directory-users] Previous password still works?
Chris Halstead wrote:
OK, it took me a while to get there (had to figure out what our equivalent of 'cn=Directory Manager' was), but there are indeed two entries for userPassword after I change the password logged in as myself to the console.

How are you changing the password through the console? A second value for userPassword is getting added instead of doing a replace of the existing password for some reason.
-NGK

When I reset the password using PAM-enabled passwd there is only one.

-chris
Re: [Fedora-directory-users] PassSync and SSL
Dennis Crissman wrote:
I am experimenting with Fedora Directory Server and trying to hook up PassSync to synchronize with Active Directory. I have found a walkthrough on how to set this up (http://directory.fedoraproject.org/wiki/Howto:WindowsSync#Configuring_PassSync), but it seems to require using SSL. Is there a way to set this up without SSL for quick testing?

Nope. It absolutely requires SSL. AD will not accept a password modification over LDAP without SSL. The PassSync service will also not send a password over an unencrypted channel.
-NGK

Thanks,
Dennis
Re: [Fedora-directory-users] Connect Active Directory to my LDAP
Alexandre Augusto da Rocha wrote:
This is not true. You don't need SSL if AD will be a true slave. SSL is only required if you want to allow users to change their passwords on AD and have that propagated to FDS.

Not exactly. You need SSL to allow passwords to be synchronized in either direction. AD will not accept an update to the password over LDAP without SSL.
-NGK

-Auggy

Paulo Estrela - Suporte LabInfo UNIFACS wrote:
Hi, did you enable SSL on FDS and AD? It must be enabled for sync to work. Information is available on the FDS documentation page.
Paulo Estrela

- Original Message -
From: Michiel van Heukelom - Van Boxtel Software BV mailto:[EMAIL PROTECTED]
To: fedora-directory-users@redhat.com mailto:fedora-directory-users@redhat.com
Sent: Friday, March 30, 2007 5:17 AM
Subject: [Fedora-directory-users] Connect Active Directory to my LDAP

I've got the Fedora LDAP service running; connecting from other Linux servers is no problem. The next step is to synchronize the database to Active Directory. Is there a way to keep my Fedora LDAP as a master database and the AD server (W2003) as a member,
So that i should only configure my users on my LDAP server and not on my AD server Met vriendelijke groet, Michiel van Heukelom *Van Boxtel Software B.V.* Telefoon: +31 (0) 492 - 327 357 Fax: +31 (0) 492 - 324 326 E-mail: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Website: www.van-boxtel-software.nl http://www.van-boxtel-software.nl -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users smime.p7s Description: S/MIME Cryptographic Signature -- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Re: [Fedora-directory-users] Suddenly, all our LDAP servers segfaulted today?
Philip Kime wrote:
> FDS 1.0.2, and suddenly today three out of four servers segfaulted (at different times) with this identical dump message:
>
> Feb 14 19:40:17 hqldap01 kernel: ns-slapd[2432]: segfault at 0008 rip 00411b6f rsp 404520c8 error 4
>
> syslog also had a lot of this:
>
> Feb 13 03:15:26 hqldap02 ns-slapd: sql_select option missing
> Feb 13 03:15:26 hqldap02 ns-slapd: auxpropfunc error no mechanism available
> Feb 14 02:00:01 hqldap02 ns-slapd: sql_select option missing
> Feb 14 02:00:01 hqldap02 ns-slapd: auxpropfunc error no mechanism available
> Feb 14 02:00:04 hqldap02 ns-slapd: sql_select option missing
> Feb 14 02:00:04 hqldap02 ns-slapd: auxpropfunc error no mechanism available
> Feb 14 03:15:25 hqldap02 ns-slapd: sql_select option missing
> Feb 14 03:15:25 hqldap02 ns-slapd: auxpropfunc error no mechanism available
>
> This is really strange - any ideas?

Those messages are from cyrus-sasl. Did you make any changes around saslauthd recently? Perhaps you started running that daemon on your servers?

> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
Re: [Fedora-directory-users] Forgive the misunderstandings of a newb
Scott Ackerman wrote:
> Thanks Nathan, but where did I miss that in the how-to?

It appears to be missing from the how-to (some of the how-tos do make reference to nss_ldap being required though).

> Nathan Kinder wrote:
>> [EMAIL PROTECTED] wrote:
>>> I thought I was smart until I dove into LDAP. I am the sole part-time IT Manager for a charter school (240 students, 20 staff, 60 computers) and am migrating away from a Windows server environment to Linux. The only services that are being provided by a Windows server now are AD, file and print sharing services. Since we are turning about 15 of our student computers into Linux stations, I decided on a simpler method of managing authentication, login etc. and chose Fedora Directory Server (after having beaten my head against the wall with strictly OpenLDAP for a month). I have successfully set up FDS and entered all students and staff. I have decided not to sync against our AD server because we are changing the student login method; the old format was locker number for user name and then a password. I have decided to use first.last name for user name and then a password. I am trying to set up POSIX authentication and Samba and am having difficulties with both, technical on the former and understanding on the latter.
>>>
>>> First POSIX. I have followed the how-to on the FDS Wiki, but there seem to be some steps missing. I have gotten an authenticated student logon, but only after having created an account on the local machine with the same UID. I made sure that the password was different in FDS than when I created the user on the local machine, and I am able to log in using either password, which would indicate to me that I am successfully authenticating to FDS. However, I don't particularly care to have to add 240 students on all 15 computers to make this work, not to mention all of the home directories that will be mounted from the NFS server. So the question is, what steps am I missing here?
>>
>> It sounds like you need to configure nss_ldap. Assuming you have nss_ldap installed on your client systems, you should be able to add ldap as a service for looking up users and groups in your /etc/nsswitch.conf file.
>>
>> -NGK
>>
>>> Samba. As I understand it, Windows will only authenticate against an NT or NT-like (aka Samba) server, which means as far as I can tell that either I have Samba sync against FDS, or I use pGina on the Windows side to authenticate directly against LDAP, or I scrap LDAP altogether and just use an NIS server (I don't think this is a good idea, but it is a possibility). Of course, trying to assess the pros and cons of either has been somewhat difficult at best. Also, the FDS Samba how-to doesn't cover computer management, which Samba is going to have to deal with as well.
>>>
>>> Before someone replies with a RTFM, I have read the Install Guide as well as the Red Hat Directory Server documentation, and I am currently half-way through the book Understanding and Deploying LDAP Directory Services, so I have a reasonable understanding of how to get into trouble. Of course none of these provide in-depth (nor should they) information as to how to integrate with other services. I have spent a month reading, tinkering etc., and I am not asking anyone else to do my work for me, but I seem to have hit a wall and need a couple of breadcrumbs to get me back on the trail.
>>>
>>> Thank you for your patience and understanding.
Re: [Fedora-directory-users] error when restarting FDS
Mikael Kermorgant wrote:
> Hello,
>
> Last night, FDS (1.0.2) refused to start after backup. I found this in the logs:
>
> [06/Feb/2007:22:04:39 +0100] - slapd stopped.
> Fedora-Directory/1.0.2 B2006.060.1951 host:389 (/opt/fedora-ds/slapd-supann)
> [06/Feb/2007:22:04:51 +0100] dse - The entry cn=config in file /opt/fedora-ds/slapd-supann/config/dse.ldif is invalid, error code 53 (DSA is unwilling to perform) - nsslapd-maxdescriptors: invalid value 65536, maximum file descriptors must range from 1 to 1024 (the current process limit)
> [06/Feb/2007:22:04:51 +0100] dse - Could not load config file [dse.ldif]
> [06/Feb/2007:22:04:51 +0100] dse - Please edit the file to correct the reported problems and then restart the server.
> Fedora-Directory/1.0.2 B2006.060.1951 host:636 (/opt/fedora-ds/slapd-supann)
> [07/Feb/2007:08:50:20 +0100] - Fedora-Directory/1.0.2 B2006.060.1951 starting up
>
> Indeed, I checked my system and found:
>
> [EMAIL PROTECTED] logs]# cat /proc/sys/fs/file-max
> 65536

Try checking the limit by running ulimit -n.

-NGK

> Which seems correct if I follow this page: http://directory.fedora.redhat.com/wiki/Performance_Tuning#Linux
>
> However, FDS started without any problem some time later.
>
> Any idea what I should do about this problem?
>
> Thanks in advance,
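The startup check quoted in the log above compares nsslapd-maxdescriptors against the process's own descriptor limit (what ulimit -n prints), not against /proc/sys/fs/file-max. The following is an added example, not code from the thread or from Fedora Directory Server, that reads the attribute from a constructed dse.ldif fragment and reproduces that check so the mismatch can be spotted before a restart fails.

```python
import re

# Constructed fragment of a dse.ldif cn=config entry, modelled on the value
# the thread's error message complains about; it is not a real server's file.
SAMPLE_DSE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-maxdescriptors: 65536
nsslapd-port: 389
"""

ATTR = "nsslapd-maxdescriptors"
# One "name: value" LDIF line (base64 "::" values and continuation lines are
# not needed for this integer attribute and are not handled here).
_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*):\s*(.*)$")


def configured_maxdescriptors(dse_text):
    """Return the integer nsslapd-maxdescriptors value from a dse.ldif text,
    or None when the attribute is absent (the server default then applies).
    Attribute names are compared case-insensitively, as LDAP requires."""
    for line in dse_text.splitlines():
        m = _ATTR_LINE.match(line)
        if m and m.group(1).lower() == ATTR:
            raw = m.group(2).strip()
            if not raw.isdigit():
                raise ValueError("%s: non-numeric value %r" % (ATTR, raw))
            return int(raw)
    return None


def check_maxdescriptors(dse_text, process_limit):
    """Mirror the startup check from the thread: the configured value must lie
    between 1 and the process's own fd limit. Returns (value, ok, message);
    the failure message uses the server's own wording."""
    value = configured_maxdescriptors(dse_text)
    if value is None:
        return None, True, "%s not set; the server default applies" % ATTR
    if 1 <= value <= process_limit:
        return value, True, "%s: %d is within the process limit of %d" % (
            ATTR, value, process_limit)
    return value, False, (
        "%s: invalid value %d, maximum file descriptors must range from "
        "1 to %d (the current process limit)" % (ATTR, value, process_limit))


def current_process_limit():
    """Soft RLIMIT_NOFILE of this process, i.e. what `ulimit -n` prints.
    This is per process and inherited from whatever starts the server (an
    interactive shell and a backup job may differ), unlike the system-wide
    ceiling in /proc/sys/fs/file-max that the original poster looked at."""
    import resource  # POSIX only
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return soft


if __name__ == "__main__":
    # The poster's situation: 65536 configured against the usual 1024 soft limit.
    print(check_maxdescriptors(SAMPLE_DSE, 1024)[2])
    # The same file checked against this process's actual limit.
    print(check_maxdescriptors(SAMPLE_DSE, current_process_limit())[2])
```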
Re: [Fedora-directory-users] Password Policy Question
Stephen C. Rigler wrote:
> Is it possible to specify different types of password encryption on a subtree level from that which is specified in the global policy? Using 1.0.4, it seems that if I specify crypt on the global level, specifying sha on a subtree level has no effect on the hashing algorithm used on that subtree.

There is a bug open on this issue. We plan to address it in the next release.

> Thanks,
> Steve
Re: [Fedora-directory-users] Console SSL Problem
Richard Megginson wrote:
> Nicholas Byrne wrote:
>> Firstly, thanks for your help. Responding inline below -
>>
>> Richard Megginson wrote:
>>> Nicholas Byrne wrote:
>>>> Hi,
>>>> With FDS 1.0.2, I've followed the configuration how-to guidelines to set up the Directory Server to use SSL (as per my post a few days ago); however, after configuring the Administration Server and Console to use SSL as well, I've run into trouble. The directory server alone works fine with SSL. The reason I'm trying to get Admin and console working in SSL is so I can set up a secure Windows sync agreement; without this all I can do is set up an insecure sync agreement.
>>>
>>> But you don't have to get Admin and console working with SSL in order to set up a Windows sync agreement with SSL. Do the docs say you have to do this? If so, where?
>>
>> No, the docs don't say that explicitly, but when setting up a Windows sync agreement it doesn't give you the option of changing the supplier - it is set to ds01.tech:389.
>
> That's just the label it uses for that particular server in the console. It really uses ldaps if you configure it to, even though it shows the non-secure port for the label in the console. This is merely used to identify the server. This is a well-known source of confusion.
>
>> The Windows side of the connection is fine as I can specify the connection details. I was following the guide at http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html#2859728 and the image under step 6 indicates the supplier should be configured as port 636. I am new to this, so I may have got confused, but I thought passwords won't be synchronised unless the FDS supplier and the Windows AD Server are set to use SSL/636. I also realise password changes won't be synced unless PassSync is installed and configured on the AD side, but right now that's not necessary as I just want to get the basics working.
>
> You can use passsync without SSL for testing purposes, but do not do this in production.

This is incorrect. PassSync requires SSL to work. If SSL is not configured, PassSync will report errors in its log file stating that SSL is required.

-NGK

>>>> The console will not display anything (absolutely no screen or anything) after entering the password and clicking OK in the authentication dialog. There are no messages in the console I started it on.
>>>
>>> startconsole -D will give you debug information, and startconsole -D 9 will give you everything.
>>>
>>>> Before I configured SSL on the admin server and console it was working correctly and displayed the normal Admin server/Directory Server screens. The console which I'm running using (I also tried the admin user):
>>>>
>>>> startconsole -u cn=Directory Manager -a https://ds01.tech:59910 -x nologo
>>>>
>>>> I turned loglevel to debug in the admin server and this is what I see:
>>>>
>>>> [Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established (server ds01.tech:443, client 10.170.99.22)
>>>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22
>>>> [Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request received for child 30 (server ds01.tech:443)
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client 10.170.99.22] checking user cache for: cn=Directory Manager
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client 10.170.99.22] not in cache, trying DS
>>>> [Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client 10.170.99.22] admserv_check_authz: request for uri [/admin-serv/authenticate]
>>>> [Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
>>>> [Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed (server ds01.tech:443, client 10.170.99.22)
>>>
>>> This looks ok, except the log shows port 443 and you are using port 59910.
>>
>> Is there a way to fix this? If I'm using https that implies 443, but I'm specifying the port 59910; which has precedence - I assume the port. If I use http and port 59910, the console with debug shows the server fails to respond:
>
> Right. https tells it to use HTTP over SSL, and the port specifies which port the server is listening on. When you configure the Admin Server to use SSL, you can no longer use HTTP - you must use HTTPS. The admin server doesn't listen on both a non-secure port and a secure port, as the directory server does.
>
>> CommManager New CommRecord (http://ds01.tech:59910/admin-serv/authenticate)
>> http://ds01.tech:59910/[0:0] open
>> Ready
>> http://ds01.tech:59910/[0:0] accept http://ds01.tech:59910/admin-serv/authenticate
>> http://ds01.tech:59910/[0:0] send GET \
>> http://ds01.tech:59910/[0:0] send /admin-serv/authenticate \
>> http://ds01.tech:59910/[0:0] send HTTP/1.0
>> http://ds01.tech:59910/[0:0] send Host: ds01.tech:59910
>> http://ds01.tech:59910/[0:0] send Connection: Keep-Alive
>> http://ds01.tech:59910/[0:0] send User-Agent: Fedora-Management-Console/1.0
>> http://ds01.tech:59910/[0:0] send
Re: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Philip Kime wrote:
>> On the same panel where the global option is, there is a checkbox for enabling fine-grained policies. The server will not enforce fine-grained policies unless this box is checked.
>
> Yes, this is turned on. We are talking about the same place, I hope - the Config tab and the properties of the Data node?

Yes, I'm referring to the Configuration-Data-Passwords tab. On this panel, you should have both the "Enable fine-grained password policy" and "Check password syntax" options checked.

-NGK

> PK
Re: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Philip Kime wrote:
>> Yes. The global setting must be enabled to use any sort of password syntax checking. You can then override it at the subtree or user level.
>
> Hmm, doesn't seem to make any difference - I enabled password syntax checking at the global level and it works; if I try to override it with different checking at the subtree/user level, it's ignored, although the global settings are enforced.

On the same panel where the global option is, there is a checkbox for enabling fine-grained policies. The server will not enforce fine-grained policies unless this box is checked.

-NGK

> PK
Re: [Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?
Philip Kime wrote:
> Hmm - if I enable password syntax checking globally, it works - ldappasswd applies the policy and so does PAM via pam_ldap. If it's a local policy on a subtree or user, it doesn't? I have checked, and the cn=config nsslapd-pwpolicy-local is set to on, so it should be applying local password policies. Do I have to enable the password syntax checking at a global level (possibly with no actual restrictions) and then override it at the local level?

Yes. The global setting must be enabled to use any sort of password syntax checking. You can then override it at the subtree or user level.

-NGK

> PK
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> I'm a little confused here; what is the purpose of the passsync service (I've successfully created a replication agreement over ssl via fds and ad)? Thanks again.

The PassSync service is only responsible for sending password changes initiated on the AD side to FDS. Any password that is changed on the FDS side will be sent to AD over the synchronization agreement along with other user and group changes. The synchronization agreement will also pull changes that happened on the AD side over to FDS.

The problem is that AD hashes the password differently than FDS does, so FDS needs access to the clear-text password. The only way for this to happen when a password change is initiated on the AD side is to have a password plug-in installed on the domain controller to get a copy of the clear-text password. This is exactly what the PassSync service does. It installs a plugin (passhook.dll) that receives the clear-text password, which passsync.exe sends across to FDS over LDAPS.

Hopefully that clears things up.

-NGK

> Aaron
Re: [Fedora-directory-users] Trouble getting windows to talk to fds
Bliss, Aaron wrote:
> That makes perfect sense, as I noticed that the replication agreement I created was a supplier/consumer agreement between fds and ad; now I have another question: if a new user is created in ad, since the fds box is the supplier, how will that uid be replicated to fds?

When FDS connects to AD, it will send the dirsync control. This control contains a cookie of sorts. This basically tells AD to give us all modifications since the last time we sent the dirsync control (which it knows from the cookie we are sending). AD then gives us the modifications along with a new cookie to use next time. You can think of this as pull-style replication in the AD-FDS direction. FDS pushes its changes to AD while pulling changes from AD to itself.

-NGK

> Aaron
Re: [Fedora-directory-users] Question on enabling ssl passync between windows and fds
Bliss, Aaron wrote:
> Hi everyone,
> I'm attempting to get password synchronization to work between fds and active directory; per the following document http://directory.fedora.redhat.com/wiki/Howto:WindowsSync#Test_to_make_sure_you_can_talk_SSL_from_Fedora_Directory_to_AD, I now have my AD box listening on port 636 as outlined in the section "With TinyCA2"; I have also installed a certificate for the fds box as prescribed here http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091 including the section marked "Trust the Certificate Authority"; my question is, since both the AD box and FDS box trust my certificate authority set up with TinyCA, I believe then each box would inherently trust each other's certificates? If so, have I already achieved the steps listed below the section marked "Enabling SSL for PassSync" in the first document above, or do I still need to proceed with that section even though the AD box and FDS box have certificates signed from the same root CA? Thanks very much for your help with this.

You still need to enable SSL for the PassSync service. PassSync uses its own certificate database, which is not the one that AD uses. This is why you need to set up SSL for PassSync separately from setting SSL up for AD.

-NGK

> Aaron
Re: [Fedora-directory-users] Issue with fine-grained password policy
Howard Chu wrote:
>> Date: Wed, 25 Oct 2006 14:40:45 -0700
>> From: George Holbert [EMAIL PROTECTED]
>>
>> Last time I looked at this, I vaguely recall finding that pam_ldap doesn't pay too much attention to FDS password metadata for expiration warnings or strength restrictions. So what you're seeing may be the norm. Hopefully someone else out there will have better news for you on this.
>
> Actually PADL's pam_ldap has had support for Netscape password policy for many years - you just have to enable it and tell it the DN of the policy object. Recently support has also been added for the IETF draft LDAP password policy specification too, and it works well with the OpenLDAP implementation of this spec. The OpenLDAP implementation has also been tested successfully with CA eTrust, so there are at least a couple of implementations out there supporting the IETF spec.

Are you referring to the request and response controls defined in draft-behera-ldap-password-policy-09? Fedora Directory Server also supports the above mentioned controls.

-NGK

>> Ian Meyer wrote:
>>> Hello all,
>>> I set up FDS 1.0.2 on a server and got everything configured and imported etc. etc. Things work great: I can authenticate against it and make updates, but I cannot get our Linux clients to warn me about changing my password, expiration, length, etc. I followed the instructions on http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672 to set up a global config and a user config. Is there anything on the client side for PAM that needs to be configured? I've been poring over this for a couple of days now, so I may just be blind to a small detail I may have missed. Any help/insight would be appreciated.
>>>
>>> Thanks in advance,
>>> Ian
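The client-side half of the draft-behera password policy exchange mentioned above is the response control the server attaches to a bind: a PAM module has to decode its BER value to produce the expiry warning Ian is missing. The following is an added example, not code from the thread, pam_ldap or Fedora Directory Server, that decodes that value as the draft's ASN.1 defines it; the sample byte strings are hand-encoded for the example, not captured from a server.

```python
# Control OID from draft-behera-ldap-password-policy.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# The draft's error ENUMERATED values.
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, contents, next).
    Single-byte tags and definite short/long lengths cover this control."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _ber_int(contents):
    # INTEGER and ENUMERATED contents are big-endian two's complement.
    if not contents:
        raise ValueError("empty INTEGER")
    return int.from_bytes(contents, "big", signed=True)


def decode_ppolicy_response(value):
    """Decode a PasswordPolicyResponseValue into a dict with any of the keys
    'timeBeforeExpiration', 'graceAuthNsRemaining' and 'error'.

      PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                             graceAuthNsRemaining [1] INTEGER } OPTIONAL,
        error   [1] ENUMERATED { ... } OPTIONAL }

    With the LDAP modules' implicit tagging, a tag on a CHOICE is still
    explicit, so 'warning' is the constructed context tag 0xA0 wrapping a
    primitive 0x80 or 0x81, while 'error' is the primitive tag 0x81 directly."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag == 0xA0:
            inner_tag, inner, inner_end = _read_tlv(contents, 0)
            if inner_end != len(contents):
                raise ValueError("trailing bytes inside warning")
            if inner_tag == 0x80:
                result["timeBeforeExpiration"] = _ber_int(inner)
            elif inner_tag == 0x81:
                result["graceAuthNsRemaining"] = _ber_int(inner)
            else:
                raise ValueError("unknown warning tag 0x%02x" % inner_tag)
        elif tag == 0x81:
            code = _ber_int(contents)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def describe_ppolicy(decoded):
    """Turn a decoded value into the kind of message a PAM module shows."""
    parts = []
    if "timeBeforeExpiration" in decoded:
        parts.append("password expires in %d seconds" % decoded["timeBeforeExpiration"])
    if "graceAuthNsRemaining" in decoded:
        parts.append("%d grace logins remaining" % decoded["graceAuthNsRemaining"])
    if "error" in decoded:
        parts.append("policy error: %s" % decoded["error"])
    return "; ".join(parts) or "no password policy warning or error"


# Constructed control values, hand-encoded for this example (not captured):
SAMPLE_EXPIRY_WARNING = bytes.fromhex("3006a00480020e10")        # expires in 3600 s
SAMPLE_EXPIRED = bytes.fromhex("3003810100")                    # error passwordExpired
SAMPLE_GRACE_AND_RESET = bytes.fromhex("3008a003810102810102")  # 2 grace logins + changeAfterReset

if __name__ == "__main__":
    for raw in (SAMPLE_EXPIRY_WARNING, SAMPLE_EXPIRED, SAMPLE_GRACE_AND_RESET):
        print(raw.hex(), "->", describe_ppolicy(decode_ppolicy_response(raw)))
```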
Re: [Fedora-directory-users] WindowsSync password not synced when changed via ldapmodify
Jeff Gamsby wrote:
> Jeff Gamsby wrote:
>> I came across this problem today. When changing passwords from the Fedora console, it works and syncs across to AD. When changing passwords using 'passwd', it does not sync until pam_password is changed to ssha in ldap.conf. Then it syncs fine. When changing passwords via ldapmodify in SSHA form, passwords do not sync.
>
> FDS needs the clear-text password in order to sync it to AD. The solution is to let FDS hash the password instead of doing it on the client side.
>
> -NGK
>
> OK, thanks, it works now. I wasn't meeting the password complexity requirements.

If you turn on password syntax checking on the FDS side, the default settings match AD's password complexity requirements.

-NGK

> Thanks
> Jeff
>
>> Has anyone experienced this behavior? Does anyone have a solution? I'd like to change passwords via a PHP web interface.
>>
>> Thanks,
>> Jeff
Re: [Fedora-directory-users] Trying to run FDS on Core 5
Dick Steflik wrote:
> All,
> I'm trying to run FDS for a class I teach. I have previously used the Netscape Directory Server on NT, but the hard drive on that machine went belly up this last summer. I decided that Linux would be the way to go for a replacement machine. Anyway, I downloaded the fedora-ds-1.0.2-1FC5.i386.opt.rpm and proceeded with the install. Install seemed to go OK; I started slapd and tried a test query and it worked. I want to load a doctored-up version of the old Airius.ldif file, so I started looking for the admin-server. Anyway, it seems like there are supposed to be start/stop scripts in /opt/fedora-ds but there aren't. Any ideas what might have happened to them, or where I get them from?

As Rich said, it sounds like the install did not complete successfully. Most times this is due to incorrect DNS / hostname resolution configuration.

> Also, I'm running a 512Mb machine, which should be OK, but when I try to start up the Java-based console I get an out of memory message. I would like to think that since only about 30 people are ever going to be doing LDAP queries against it, 512Mb of RAM should be OK (it was for the old Netscape Directory Server). I could live without the Java-based console if I could get the admin server running, as that is the way I always administered the old machine.

The memory errors you are seeing are likely caused by the JVM you are using. It sounds like you are using gcj, which is not supported. You need to download either the IBM or the Sun JRE.

-NGK

> Dick Steflik
> Binghamton University
> Binghamton, New York
Re: [Fedora-directory-users] CoS + SASL problems?
Hai Zaar wrote:
> Dear list!
> I'm using FDS-1.0.2 together with Heimdal Kerberos as an NIS replacement. I'm having a rather strange problem with SASL. I have two posixGroups. The first is cn=peopleGroup,ou=people,dc=example,dc=com and the other is cn=testGroup,ou=Groups,dc=example,dc=com. testGroup is affected by a Pointer CoS - this is important!
>
> On the client I run:
>
> # kinit foo
> # ldapsearch -h directory.example.com -b dc=example,dc=com -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=peopleGroup))'
>
> The search returns sane results. However, running the search for testGroup returns the following:
>
> ---
> # ldapsearch -h directory.example.com -b dc=example,dc=com -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=testGroup))'
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name:
> SASL username: [EMAIL PROTECTED]
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope subtree
> # filter: (&(objectClass=posixGroup)(cn=testGroup))
> # requesting: ALL
> #
> ldap_result: Can't contact LDAP server (-1)
> ---
>
> If I remove the CoS from ou=Groups,dc=example,dc=com, then it all works OK (but of course I do not get any of the 'uniquemember' attributes that come from the CoS). The strangest thing, however, is that if I set SASL_SECPROPS maxssf=0 in /etc/openldap/ldap.conf, then everything works just fine (but with no security).
>
> To the end, here is what the FDS access log says:
>
> [10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
> [10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
> [10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
> [10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4
>
> It looks like the server just drops the connection. The error logs indicate nothing. Any ideas, anyone?

I'm unable to reproduce the issue. Could you supply us with your CoS template, CoS definition, and testGroup entries?

-NGK
Re: [Fedora-directory-users] how to bind fedora-ds to one of IPs?
Sergey Ivanov wrote:
> Hi,
> I'd like to restrict ns-slapd to listen on the LAN only. It is installed on a computer having 2 interfaces, pointing to WAN and LAN. Is there some way to bind ns-slapd to listen on one of these 2 IPs, not on 0.0.0.0?

You can use the nsslapd-listenhost configuration parameter to set a specific address that you want the server to listen on. Details about this configuration parameter are located in the docs at http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf.

-NGK
Re: [Fedora-directory-users] Replication of o=NetscapeRoot
Brian Moyles wrote:
> I've got 2 machines in multimaster replication across a WAN link. I'm replicating our root suffix (userRoot) successfully. I'm storing o=NetscapeRoot on box01 right now, and want to replicate that to 02 (using 2-way multimaster) and have 02 use its local copy so I have console failover as described in the howto in the wiki. What I'm unclear on, though, is where I should be creating the user for replication. Right now, I have cn=Replication Manager, cn=config, meaning that the user is in o=NetscapeRoot. The docs specify that the replication user cannot exist in the database you're replicating... so where should it go?

The cn=config suffix is not in o=NetscapeRoot. It is its own suffix that really uses the dse.ldif file as its back-end database. You can use the same user that you already have for replicating o=NetscapeRoot.

-NGK

> Thanks in advance!
> Brian Moyles
> Playboy Enterprises, Inc.
Re: [Fedora-directory-users] SNMP monitoring
Philip Kime wrote:
> My knowledge of SNMP is only fair, bear with me ... I've set up the subagent for SNMP monitoring and can snmpwalk the rhds stuff, with the output below. I have a few questions though:
> 1. What is the .389 suffix on the variables? Looks like the port number of the server?

Yes, this is the port number. It is used as an index to identify which server instance you are looking at.

> 2. If I query the DS, none of the counters change?

The dsInOps counter should be increasing, as should dsSearchOps. I believe that the refresh interval for the counters is 5 seconds.

> 3. The dsIntTable part of the MIB has no entries (I tried with snmptable) - how does this get populated?

This table is not implemented at this time.

> 4. Do I need to do anything to enable SNMP on the servers? The checkbox mentioned in the docs doesn't exist but dse.ldif does have nsSNMPEnabled: on

No, nothing is required to enable SNMP on the server. That checkbox was unnecessary, and was removed from the UI. The documentation needs to be updated accordingly.

-NGK

> RHDS-MIB::dsAnonymousBinds.389 = Counter32: 0
> RHDS-MIB::dsUnAuthBinds.389 = Counter32: 0
> RHDS-MIB::dsSimpleAuthBinds.389 = Counter32: 21
> RHDS-MIB::dsStrongAuthBinds.389 = Counter32: 0
> RHDS-MIB::dsBindSecurityErrors.389 = Counter32: 0
> RHDS-MIB::dsInOps.389 = Counter32: 306
> RHDS-MIB::dsReadOps.389 = Counter32: 0
> RHDS-MIB::dsCompareOps.389 = Counter32: 0
> RHDS-MIB::dsAddEntryOps.389 = Counter32: 0
> RHDS-MIB::dsRemoveEntryOps.389 = Counter32: 0
> RHDS-MIB::dsModifyEntryOps.389 = Counter32: 53
> RHDS-MIB::dsModifyRDNOps.389 = Counter32: 0
> RHDS-MIB::dsListOps.389 = Counter32: 0
> RHDS-MIB::dsSearchOps.389 = Counter32: 81
> RHDS-MIB::dsOneLevelSearchOps.389 = Counter32: 6
> RHDS-MIB::dsWholeSubtreeSearchOps.389 = Counter32: 7
> RHDS-MIB::dsReferrals.389 = Counter32: 0
> RHDS-MIB::dsChainings.389 = Counter32: 0
> RHDS-MIB::dsSecurityErrors.389 = Counter32: 0
> RHDS-MIB::dsErrors.389 = Counter32: 72
> RHDS-MIB::dsMasterEntries.389 = Gauge32: 0
> RHDS-MIB::dsCopyEntries.389 = Gauge32: 0
> RHDS-MIB::dsCacheEntries.389 = Gauge32: 0
> RHDS-MIB::dsCacheHits.389 = Counter32: 0
> RHDS-MIB::dsSlaveHits.389 = Counter32: 0
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
Re: [Fedora-directory-users] SNMP monitoring issues
Philip Kime wrote:
> The AgentX subagent config file is supposed to take a config line agentx-logdir

The correct configuration parameter is agent-logdir. There is a typo in the documentation where it incorrectly refers to it as agentx-logdir. I will get this updated in the documentation.

-NGK

> I have set this but the agent still logs to the same dir as the config file is in (which is the default location) - any ideas?
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
Re: [Fedora-directory-users] admin-serv error log
Jeff Gamsby wrote:
> Jeff Gamsby
> Center for X-Ray Optics
> Lawrence Berkeley National Laboratory
> (510) 486-7783
>
> Richard Megginson wrote:
> Jeff Gamsby wrote:
> Richard Megginson wrote:
> Jeff Gamsby wrote:
> Richard Megginson wrote:
> Jeff Gamsby wrote:
> I am having a hard time getting the admin console to work in ssl mode. I get this notice error in the admin serv logs, is it a cause for concern? As far as I know, everything is setup correctly.
> [notice] [client xxx.xxx.xxx.xxx] admserv_host_ip_check: ap_get_remote_host could not resolve xxx.xxx.xxx.xxx
>
> This usually means reverse DNS is not working.
>
> I have created the certificates,
>
> Following the SSL howto at http://directory.fedora.redhat.com/wiki/Howto:SSL ?
>
> Yes, but instead of creating an admin-serv-serverID- I copied the slapd-serverID- cert db's over. Is it true that I can use these same certs?
>
> I think so, but I've never tried it that way.
>
> I tried creating the admin cert db's separately and importing the CA cert, but that didn't work either. I had this working a few weeks ago, I'm not sure what has changed.
>
> What, if anything, has changed?
>
> I blew away the server and started over. When I had password sync problems with AD, I reinstalled the server several times. Each time I reinstall, I delete the /opt/fedora-ds directory. I don't really care about the admin console in SSL mode, I can use the Linux console or X, but I need the Sync agreements to run SSL in both directions, and so far, the only way I've been able to establish that is when the admin console is in SSL mode. Unless there is another way.
>
> Well, one thing is that if you recreate the CA cert you'll need to copy that CA cert to all clients who use it.
>
> I do. Right now it's just the localhost.
>
> You can use ldapsearch to verify the LDAPS connections to the SSL enabled directory servers (FDS and AD).
>
> Works (FDS). Right now, AD is not even in the picture. I'm pretty sure that I can get that to work. The problem is on the FDS side. When you create the Sync agreements, you cannot change the supplier's port, unless you have a secure connection to the admin console, AFAIK.

I think that you are getting hung up on a display issue. The supplier is just listed as a string to identify the instance. The synchronization is always[*] initiated from the FDS side, so as long as you are trying to connect to AD via SSL, everything will be encrypted.

[*] The one exception to this is the PassSync service installed on the windows side. You need to configure this to connect to FDS over the SSL port.

-NGK

> Someone recently published steps to make windows sync work both ways with SSL to the fds users email list. Check the archives. I think someone was going to update the wiki with this information.
>
> I think that was me. I did not include instructions on how to get the admin console in SSL mode though.
>
> then copied the slapd-server-* files to admin-serv-*, then tried to enable SSL in the admin console. I have followed the directions from Managing SSL and SASL but I get the error Invalid LDAP Host/IP, could not connect to server in secure mode when I change to secure mode in the User DS tab.
>
> This error is from the console? Try using startconsole -D
>
> Using this method I get this error:
> validateLDAPParams netscape.ldap.LDAPException: JSSSocketFactory.makeSocket fds.server.example.com:636, SSL_ForceHandshake failed: (-8054) Unknown error (91); Cannot connect to the LDAP server
> Any suggestions?
>
> Thanks,
> Jeff
Re: [Fedora-directory-users] admin-serv error log
Jeff Gamsby wrote:
> > I think that you are getting hung up on a display issue. The supplier is just listed as a string to identify the instance. The synchronization is always[*] initiated from the FDS side, so as long as you are trying to connect to AD via SSL, everything will be encrypted.
> > [*] The one exception to this is the PassSync service installed on the windows side. You need to configure this to connect to FDS over the SSL port.
> > -NGK
>
> OK, but when I set it up this way and I check the replication logs, I see the supplier's port, and it's listed as 389. When configuring PassSync, I do put it in secure mode with the secure port. So it doesn't matter, since the PassSync config is set to SSL, and the FDS to AD has to be SSL, then that 389 is just an identifier?

Yes, that's just an identifier used in the synchronization agreement. To check if the PassSync connection is truly using SSL, check the access log on the FDS side. I'm not sure what connection logging AD provides, but there may be something similar. If not, you can use ethereal to verify that the traffic is being encrypted.

-NGK

> Jeff
Re: [Fedora-directory-users] Windows Sync agreement supplier port
Jeff Gamsby wrote:
> Thanks for everyone's help to get my FDS server running in SSL mode. I have another problem: I'm trying to setup PassSync, and I have got to the point where I can run ldapsearch over SSL to talk to AD. I'm trying to setup the sync agreement but cannot change the supplier's port from 389 to 636. Does the admin console need to run in SSL mode in order to do this? If I run the admin console in SSL mode, then will the supplier's port change to 636? The supplier's field cannot be edited.

Do not be concerned with the supplier's port number. It is just using that to identify the supplier instance. All communication for the agreement is going in one direction (from FDS -> AD), so the supplier isn't using the port it listens on anyway. When you install PassSync.msi on your AD box, you will need to point it at port 636 of your supplier.

-NGK

> Thanks,
> Jeff
Re: [Fedora-directory-users] Need help syncing between Active Directory and FDS
Espen A. Stefansen wrote:
> Hi
> I'm a new user to FDS, so I've got some problems getting it to work. I'm trying to sync our Active Directory over to FDS. Unfortunately it doesn't work, so hopefully someone can give me some pointers. I've been looking through the wiki and the manuals, but I haven't found anything that helped. This is how I installed FDS:
> 1. Installed FDS on CentOS 4; fds.example.com.
> 2. Ran setup with default values (including directory manager)
> 3. Ran setupssl.sh.
> 4. Install PassSync on a Windows Domain Controller (Windows 2003); win.example.com.
> - Values:
> --- Hostname: fds.example.com
> --- Port: 686
> --- Username: cn=directory manager,cn=config
> --- Cert Token: ?? (Should this be the password for the certificate?)

You don't need to fill the cert token in.

> --- Search: dc=example,dc=com
> And then imported the certificates from fds.example.com
> 5. Started the console, and enabled changelog and replica as single master.
> 6. I then generated a windows sync agreement.
> - Values:
> --- domain: example.com
> --- DCH: win.example.com
> --- Enabled SSL
> --- Bind as: cn=directory manager,cn=config
> When I try to do a full sync, it says it can't find the LDAP-server, error 81. Does that mean the FDS-server?

It's saying it can't connect to Active Directory. This is probably because Active Directory is not running on the secure port (636). You need to setup Active Directory for LDAPS. Take a look at this page on our wiki for details on how to do this: http://directory.fedora.redhat.com/wiki/Howto:WindowsSync
You should also make sure you can connect to Active Directory over LDAPS with ldapsearch before you create your sync agreement.

-NGK

> Does anyone have any idea on what might be wrong? And have I installed it correctly?
> Regards
> Espen Stefansen
[Fedora-directory-users] Fedora Directory Server 1.0.2 - Now available for FC5 (x86 and x86_64)
Fedora Directory Server 1.0.2 is now available for Fedora Core 5 x86 and x86_64!

You can download the Fedora Directory Server 1.0.2 RPMs from the download page: http://directory.fedora.redhat.com/wiki/Download

For general information on Fedora Directory Server 1.0.2, please see the release notes page on our wiki: http://directory.fedora.redhat.com/wiki/Release_Notes
Re: [Fedora-directory-users] Search optimization?
Vsevolod (Simon) Ilyushchenko wrote:
> Hi,
> I've noticed that FDS is significantly slower in answering queries than openldap. If I run 'ls -l /home' on the list of 64 home directories whose owners are all different, I get the list back in 1 second if I use openldap. Version 7 of FDS took 16 seconds, and FDS 1.0.2 takes 12 seconds. The docs mention increasing cache sizes to improve performance, but my cache is set to 10 M, which seems to be large enough, and the timing does not improve if I run 'ls -l' repeatedly. Is there anything else I can tune?

It sounds like the search is against an unindexed attribute. I'd take a look at the search in your access log and check if it says NOTES=U. If so, that means that it is an unindexed search. You would need to create the proper indexes for the search to improve the performance.

-NGK

> Thanks,
> Simon
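Added illustration for the two access-log questions on this page (the GSSAPI/CoS connection that closes right after the SRCH in the earlier thread, and the NOTES=U check Nathan suggests here); it is not code from the list or from FDS. It parses the access-log line format quoted above and flags searches whose RESULT carries notes=U, plus searches whose connection closed before any RESULT was logged; the log lines are constructed and the double-quoting of fields is an assumption.

```python
import re

# Constructed sample in the FDS access-log format quoted on this page (not from any real server).
# conn=111 mirrors the CoS/GSSAPI thread: a SRCH, then the connection closes with no RESULT.
# conn=112 runs one unindexed search (notes=U) and one indexed search.
SAMPLE_LOG = """\
[10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 fd=67 closed - B4
[10/Sep/2006:17:03:10 +0300] conn=112 op=0 BIND dn="" method=128 version=3
[10/Sep/2006:17:03:10 +0300] conn=112 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[10/Sep/2006:17:03:10 +0300] conn=112 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uidNumber=1001)" attrs="uid"
[10/Sep/2006:17:03:12 +0300] conn=112 op=1 RESULT err=0 tag=101 nentries=1 etime=2 notes=U
[10/Sep/2006:17:03:12 +0300] conn=112 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="uid"
[10/Sep/2006:17:03:12 +0300] conn=112 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[10/Sep/2006:17:03:12 +0300] conn=112 op=3 UNBIND
[10/Sep/2006:17:03:12 +0300] conn=112 op=3 fd=68 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")
CLOSE_RE = re.compile(r"\bclosed - (\S+)")


def _field(rest, name):
    """Extract name=value from the remainder of a log line; values may be double-quoted."""
    m = re.search(rf'\b{re.escape(name)}=(?:"([^"]*)"|([^\s,]+))', rest)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_access_log(text):
    """Turn access-log lines into event dicts keyed by conn/op; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        ev = {"ts": m.group("ts"), "conn": int(m.group("conn")),
              "op": int(m.group("op")) if m.group("op") is not None else None}
        if rest.startswith("SRCH "):
            ev.update(kind="SRCH", base=_field(rest, "base"), filter=_field(rest, "filter"))
        elif rest.startswith("RESULT "):
            ev.update(kind="RESULT", err=int(_field(rest, "err") or -1),
                      nentries=int(_field(rest, "nentries") or 0), etime=_field(rest, "etime"),
                      notes=(_field(rest, "notes") or "").upper().split(","))
        elif CLOSE_RE.search(rest):
            ev.update(kind="CLOSE", reason=CLOSE_RE.search(rest).group(1))
        else:
            ev.update(kind=rest.split(" ", 1)[0])  # BIND, UNBIND, "connection from", ...
        events.append(ev)
    return events


def find_unindexed_searches(events):
    """Searches whose RESULT line carries notes=U, i.e. the NOTES=U Nathan says to look for."""
    searches = {(e["conn"], e["op"]): e for e in events if e["kind"] == "SRCH"}
    hits = []
    for e in events:
        if e["kind"] == "RESULT" and "U" in e["notes"]:
            s = searches.get((e["conn"], e["op"]), {})
            hits.append({"conn": e["conn"], "op": e["op"], "filter": s.get("filter"),
                         "nentries": e["nentries"], "etime": e["etime"]})
    return hits


def find_aborted_searches(events):
    """Searches whose connection closed before a RESULT was logged for them (the
    'SRCH ... / closed - B4' pattern in the CoS thread): the client never got an answer."""
    pending, aborted = {}, []
    for e in events:
        key = (e["conn"], e["op"])
        if e["kind"] == "SRCH":
            pending[key] = e
        elif e["kind"] == "RESULT":
            pending.pop(key, None)
        elif e["kind"] == "CLOSE":
            for (conn, op), s in sorted(pending.items()):
                if conn == e["conn"]:
                    aborted.append({"conn": conn, "op": op, "filter": s["filter"], "reason": e["reason"]})
                    del pending[(conn, op)]
    return aborted


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    for h in find_unindexed_searches(evs):
        print(f"unindexed search conn={h['conn']} op={h['op']} filter={h['filter']} etime={h['etime']}")
    for a in find_aborted_searches(evs):
        print(f"no RESULT for conn={a['conn']} op={a['op']} filter={a['filter']}; closed - {a['reason']}")
```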
Re: [Fedora-directory-users] Odd admin console problem
Brian Moyles wrote:
> We're in the process of evaluating FDS, but have run into a small problem. I'm forwarding X from the server back to my OS X box running Apple's X11. When I run startconsole, I get a half-drawn login window. I've tried a few different jvms from different vendors, no luck.

Which JVMs have you tried? I would recommend the 1.4 IBM or Sun JVM. 1.5 should work as well. I would also make sure that you are really using the Java you think you are. In FDS 1.0.2, startconsole doesn't use your $JAVA_HOME setting. It simply uses the first java binary it finds in $PATH.

> http://mirrors.playboy.com/~bmoyles/fds-console.png
> I'm sure I'm missing something simple here... Any thoughts? I've been able to redirect to my OS X box before, but that was with an earlier Directory Server version.

I don't have my OS X laptop with me right now, but I'll give this a try with FDS 1.0.2 later and let you know if it works.

-NGK

> Thanks for your time,
> Brian Moyles
> Sr. Systems Administrator
> Playboy Enterprises, Inc.
Re: [Fedora-directory-users] SSL problem on replication!
Susan wrote:
> --- Alex aka Magobin [EMAIL PROTECTED] wrote:
> > On gio, 2006-03-23 at 08:43 -0800, Susan wrote:
> > > This is what I did to get ssl repl working:
> > > 1. generate a single CA certificate and use that to sign both the supplier and consumer certificates. Each server doesn't need its own CA.
> > > on the consumer:
> > Thank you Susan for your reply... two questions 4 you if possible:
> > 1) This procedure.. similar to (Chapter 8 in Administration Guide)... but you have to create cert db before
> yes, cert db must exist, for a cert to be exported out of it :)
> > 2) To make secure replication... I have to enable ssl on DS... in this case... is it still possible to query LDAP on port 389 ??
> yes. One way to disable it is to set the ldap port to 0, FDS will then say on startup that non secure access has been disabled, proceeding. That will break the console access, however. I haven't been able to turn off non-ssl access AND still be able to use the console.

You can configure Console to talk LDAPS. I was just able to disable the standard LDAP port on my FDS 1.0.2 install and still use Console. You need to check the Use SSL in Fedora Console checkbox in the Configuration tab of the Directory Server Console.

-NGK
Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
Bliss, Aaron wrote:
> I have 1 more question; looking at the new password policy options, what is the difference between required special characters and required alpha characters? Are alpha characters integers and special characters keys such as #$%
> Thanks again.

Alphas are letters only. Digits are your numeric characters. Special characters are any other 7-bit characters such as [EMAIL PROTECTED]

-NGK

> Aaron
>
> -Original Message-
> From: Bliss, Aaron
> Sent: Monday, March 13, 2006 2:08 PM
> To: 'General discussion list for the Fedora Directory server project.'
> Subject: RE: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>
> Ah, thanks again.
> Aaron
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Megginson
> Sent: Monday, March 13, 2006 2:08 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
>
> Bliss, Aaron wrote:
> > Thanks; just so I understand, I have to run the setup script even though my databases have already been configured? I did not have to do this on my test box in order to upgrade. Thanks.
> Setup will copy in the new schema files required to use the new password syntax checking, so if you skip that, you'll have to copy them in manually. Setup will also make sure the console reports the correct version of directory server.
> > Aaron
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Megginson
> > Sent: Monday, March 13, 2006 1:59 PM
> > To: General discussion list for the Fedora Directory server project.
> > Subject: Re: [Fedora-directory-users] Getting ready to upgrade from fds 1.0.1 to 1.0.2
> >
> > Bliss, Aaron wrote:
> > > I'm planning on upgrading both my supplier and consumer fds servers tonight; do I need to worry about their server certificates? I'll just be running rpm -Uvh fedora
> > > Thanks very much.
> > Upgrade shouldn't touch any ssl information. After doing the rpm -U, do cd /opt/fedora-ds ; ./setup/setup and follow the prompts.
> > > Aaron
> > >
> > > www.preferredcare.org
> > > An Outstanding Member Experience, Preferred Care HMO Plans -- J. D. Power and Associates
> > > Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
Re: [Fedora-directory-users] LdapSearch Field Length
Jim Summers wrote:
> Hello All,
> I was modifying the value of an attribute, automountInformation in this instance. The modify works as expected, but when I use ldapsearch to dump the entry containing the new value it seems to truncate it at 78 characters, that is (attribute name + attribute value). The remainder of the value is on the next line, which has caused some scripts to not work as expected. The manpage for ldapsearch did not reveal any clues or switches to get around this length limit. Could it be a server limit? Interesting also is that db2ldif produces the same behavior.

This is part of the LDIF standard. You can refer to RFC 2849 for details on the LDIF syntax.

> Ideas on what I could do to get the value returned back on one line?

The -U option to db2ldif will tell it to not fold lines. The -T option to ldapsearch will do the same.

-NGK

> STRANGE EXAMPLE OUTPUT:
> ===
> automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768 fs001:/raid/facst
>  aff/faharris
> ===
> EXPECTED OUTPUT:
> ===
> automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768 fs001:/raid/facstaff/faharris
> ===
> The above examples may not be clear due to email wrapping, but in the first one ldapsearch truncates at the t and in the second there is no truncating.
> TIA
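As an added example (not from the thread or from FDS), the RFC 2849 line folding Nathan refers to, in Python: a reader that unfolds continuation lines from ldapsearch or db2ldif output, so scripts keep working whether or not -T / -U were used, and a writer that folds. The sample LDIF is constructed and folds the poster's automountInformation value at the same column 78 as their output.

```python
import base64

# Constructed LDIF in the folded form ldapsearch/db2ldif emit (not an export from the poster's server):
# the automountInformation value is folded at column 78 exactly as in the thread, and the
# description value uses the "::" base64 form, to which folding applies as well.
SAMPLE_LDIF = """\
dn: cn=faharris,ou=auto.home,dc=example,dc=com
objectClass: automount
cn: faharris
automountInformation: -rw,actimeo=30,rsize=32768,wsize=32768 fs001:/raid/facst
 aff/faharris
description:: aGVsbG8sIHdvcmxk

dn: cn=bob,ou=auto.home,dc=example,dc=com
cn: bob
"""


def unfold(text):
    """Join RFC 2849 continuation lines: a line beginning with one SPACE continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content records into a list of {attribute: [values]} dicts.
    Handles folded lines, 'attr:: base64' values and '#' comments; 'attr:< url' keeps the URL text."""
    entries, current = [], {}
    for line in unfold(text):
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            value = value[1:].strip()
        else:
            value = value.lstrip(" ")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def fold_line(logical_line, width=76):
    """Fold one logical 'attr: value' line the way LDIF writers do: the first physical line holds
    `width` characters, each continuation is a SPACE plus the next `width - 1` characters."""
    if len(logical_line) <= width:
        return [logical_line]
    chunks, rest = [logical_line[:width]], logical_line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return chunks


def _needs_base64(value):
    """RFC 2849 SAFE-STRING rule: no leading SPACE/colon/'<', and only 7-bit, NUL/CR/LF-free text."""
    return bool(value) and (value[0] in " :<" or any(ord(c) in (0, 10, 13) or ord(c) > 127 for c in value))


def to_ldif(entry, width=76):
    """Serialise one entry with folding; width=None writes unfolded lines, like ldapsearch -T."""
    out = []
    for name, values in entry.items():
        for value in values:
            if _needs_base64(value):
                logical = f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
            else:
                logical = f"{name}: {value}"
            out.extend(fold_line(logical, width) if width else [logical])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(to_ldif(entry, width=None))
```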
Re: R: R: R: [Fedora-directory-users] HELP: Error while startstartconsole
Alex wrote:
> > # ls /usr/lib/jvm/java-1.4.2-ibm-1.4.2.2
> > bin include jre lib
> > So I set JAVA_HOME:
> > JAVA_HOME=/usr/lib/jvm/java-1.4.2-ibm-1.4.2.2 ; export JAVA_HOME
> > Then I can run startconsole
>
> Ok, for test...
> - I've uninstalled jre-1.4.2 and downloaded and installed jre1_5_0_06-linux-i586.rpm from Sun
> - after installation I checked where the system put the files, so rpm -ql jre returns that jre is installed in /usr/java/java1.5.0_06/
> If I do ls /usr/java/java1.5.0_06/ the output is:
> Bin COPYRIGHT lib man README Welcome.html CHANGES javaws LICENSE plugin THIRDPARTYLICENSEREADME.txt
> ..but exporting JAVA_HOME with that path doesn't work for me :-(
> You have IBM and Include... I've downloaded only jre
> Any suggestion?

Try running java --showversion and let us know what the output is.

> Alex
Re: [Fedora-directory-users] Searchable archive
Fabio Gomes wrote:
> Hi list,
> Is there a searchable archive for this mailing list?

There are archives available for online browsing as well as downloading at: https://www.redhat.com/archives/fedora-directory-users
There is not an online search capability.

-NGK

> I don't want to bother you all with redundant questions.
> Thx
Re: [Fedora-directory-users] enforce strong passwords
Jo,

I'm expecting to check in code for this in the next few days, so don't worry about it. Thanks for offering to help with it though! Are there any specific password complexity requirements that you could share with us? I'd like to make sure I'm writing something useful to as many different deployments as possible.

-NGK

Jo De Troy wrote:
> Hello,
> I was wondering if anyone was looking into enforcement of strong passwords. I'm not a hardcore C programmer but I'm willing to help. But first I'll have to try getting the current version compiled. I'm certainly willing to do some testing.
> Greetings,
> Jo
Re: [Fedora-directory-users] enforce strong passwords
Jo De Troy wrote:
> Hi Nathan, Richard,
> I was thinking along the lines of pam_passwdqc, well part of it. The password should contain at least 3 different character categories. The categories being: lowercase, uppercase, special characters and numbers

Yes, I'm working on implementing this. The minimum number of categories would be configurable by the administrator.

> Not specifically a minimum number of uppercase/lowercase/...

I'm making this configurable too. It'll be there, but you don't need to use it.

> Of course there should be no user data in the password, it should not even contain the username as a substring. But I think that code is already in CVS. It's checking for cn, givenname, surname, ... attributes

We currently check if the password is equal to uid, cn, sn, givenname, or ou. We do not check if it's a substring. I'm changing this behavior to check if it's a substring.

> A dictionary check would be nice but I would maybe make this optional. I guess that if we make the rules too stringent the enduser may complain

Default rules would be a minimum password length of 8 with a minimum of 3 character categories. It would also check the attribute values I mentioned above if those values are 3 or more characters in length (this length would be configurable). It sounds like this would meet your requirements.

-NGK

> Greetings,
> Jo
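Added example, not Nathan's implementation or FDS code: a Python sketch of the policy described here and in the upgrade thread above (minimum length 8, at least 3 of the 4 character categories, and rejection of uid/cn/sn/givenname/ou values of 3 or more characters found as substrings). Also checking the individual words of a multi-word value such as cn is this example's extension; the entry, the policy names and their defaults are constructed.

```python
import string

# Defaults as Nathan describes them (constructed names; FDS's real configuration attributes differ)
DEFAULT_POLICY = {
    "min_length": 8,          # minimum password length
    "min_categories": 3,      # of the four categories: lower, upper, digit, special
    "min_token_length": 3,    # attribute values shorter than this are not checked as substrings
    "user_attrs": ("uid", "cn", "sn", "givenname", "ou"),
}

# Constructed example entry: attribute name -> list of values, as an LDAP entry is returned
SAMPLE_ENTRY = {
    "uid": ["jdetroy"],
    "cn": ["Jo De Troy"],
    "sn": ["De Troy"],
    "givenName": ["Jo"],
    "ou": ["People"],
}


def categorize(password):
    """Set of character categories present: lower, upper, digit, special.
    Alphas are letters, digits are 0-9 and 'special' is any other printable 7-bit character,
    as defined in the upgrade thread above; non-ASCII characters count toward length only."""
    cats = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.digits:
            cats.add("digit")
        elif 0x20 <= ord(ch) < 0x7F:
            cats.add("special")
    return cats


def _tokens(value, min_len):
    """The whole attribute value plus its whitespace-separated words, minus anything too short.
    Checking the individual words is this example's extension of the substring check."""
    return {t for t in {value, *value.split()} if len(t) >= min_len}


def check_password(password, entry, policy=DEFAULT_POLICY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    cats = categorize(password)
    if len(cats) < policy["min_categories"]:
        problems.append(f"only {len(cats)} of {policy['min_categories']} required character categories")
    lowered = password.lower()
    attrs = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
    for attr in policy["user_attrs"]:
        for value in attrs.get(attr, []):
            for token in sorted(_tokens(value, policy["min_token_length"])):
                if token.lower() in lowered:   # substring check, case-insensitive
                    problems.append(f"contains {attr} value {token!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("correcthorse", "Troy2006!", "Xk9#pQ2mLw"):
        verdict = check_password(candidate, SAMPLE_ENTRY)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```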
Re: [Fedora-directory-users] admserv_host_ip_check
Michael Montgomery wrote:
> On Fri, 2005-12-16 at 11:22 -0700, Craig White wrote:
>> On Fri, 2005-12-16 at 12:02 -0600, Michael Montgomery wrote:
>>> Ok, this is just great. I've locked myself out of the admin server now, and no IPs can connect. So... I'll try the admconfig tool mentioned in the console.pdf file... oh great, that doesn't work either:
>>>
>>> [EMAIL PROTECTED] admin]# ./admconfig --h
>>> ./admconfig: line 55: /opt/fedora-ds/bin/base/jre/bin/java: No such file or directory
>>> ./admconfig: line 55: exec: /opt/fedora-ds/bin/base/jre/bin/java: cannot execute: No such file or directory
>>> [EMAIL PROTECTED] admin]# ls -l /opt/fedora-ds/bin/
>>> admin/ slapd/ user/
>>>
>>> Can I manually edit some config files somewhere to allow this to work?
>>>
>>> Also, I come in today to find the replication server's admin console doing this:
>>>
>>> [Fri Dec 16 11:30:22 2005] [notice] [client 10.5.1.202] unable to bind to server [ldap02.inside.*.com:389] as [cn=admin-serv-ldap02, cn=Fedora Administration Server, cn=Server Group, cn=ldap02.inside.**.com, ou=inside.***.com, o=NetscapeRoot]
>>> [Fri Dec 16 11:30:22 2005] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-ldap02, cn=Fedora Administration Server, cn=Server Group, cn=ldap02.inside.*.com, ou=inside.***.com, o=NetscapeRoot] for LDAPConnection [ldap02.inside.*.com:389]
>>> [Fri Dec 16 11:30:22 2005] [crit] [client 10.5.1.202] admserv_check_authz(): Task [cn=statusping, cn=operation, cn=tasks, cn=admin-serv-ldap02, cn=fedora administration server, cn=server group, cn=ldap02.inside.*.com, ou=inside.*.com, o=netscaperoot] not found for user [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot] - either the task was not registered or the user was not authorized
>>>
>>> And the admin console server won't start with this error:
>>>
>>> [Fri Dec 16 11:39:31 2005] [crit] mod_admserv_post_config(): unable to build user/group LDAP server info: unable to set User/Group baseDN
>>>
>>> Anybody got any clues what is going on? I seem to be having some pretty bad luck here.
>>>
>>> Thanks again.
>>
>> On Fri, 2005-12-16 at 11:29 -0600, Michael Montgomery wrote:
>>
>> You need to set hostnames to allow to NULL or empty - if there is anything there, it will assume you want to do access based on host/domain name, which must have the correct DNS /etc/nsswitch.conf or /etc/hosts configuration.
>
> Thank you, Thank you. When it mentions that you can use wildcards, it simply causes confusion.
>
>> ls -l /opt/fedora-ds/admin-serv/config
>>
>> Craig
>
> Thank you
>
> Strangely, any changes made in the local.conf file, specifically the below field, seem to get overwritten when the admin server starts again, so this also will not allow me to connect.
>
> local.conf:configuration.nsAdminAccessAddresses: *

That file is simply a bootstrap config file. The real configuration lives in the Directory Server. The admin server config entry is cn=configuration, cn=admin-serv-hostname, cn=Fedora Administration Server, cn=Server Group, cn=hostname, ou=domainname, o=NetscapeRoot. You can modify the config with ldapmodify.

-NGK

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
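One way to turn that last reply into an ldapmodify change, added here as an example (not code from the thread or from the project): it builds the config entry DN the reply gives, sets nsAdminAccessAddresses (the attribute seen in local.conf above) and clears the host list so the server does not fall back to host/domain matching. The attribute name nsAdminAccessHosts, and the host, domain and addresses used, are assumptions.

```python
import ipaddress

ADDR_ATTR = "nsAdminAccessAddresses"   # named in the thread's local.conf line
HOST_ATTR = "nsAdminAccessHosts"       # assumed name of the host/domain list


def admin_config_dn(short_host, domain):
    """DN of the Admin Server config entry, following the reply above."""
    fqdn = f"{short_host}.{domain}"
    return (f"cn=configuration, cn=admin-serv-{short_host}, "
            f"cn=Fedora Administration Server, cn=Server Group, "
            f"cn={fqdn}, ou={domain}, o=NetscapeRoot")


def is_valid_address(value):
    """Accept '*', a literal IPv4 address, or a dotted pattern whose
    octets are numbers or '*'. Hostnames are rejected on purpose: they
    belong in the host list, which this change deliberately empties."""
    if value == "*":
        return True
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass
    parts = value.split(".")
    return len(parts) == 4 and all(
        p == "*" or (p.isdigit() and int(p) <= 255) for p in parts)


def build_access_ldif(short_host, domain, addresses):
    """LDIF 'modify' record: replace the address list and clear the host
    list (a 'replace' with no values removes the whole attribute)."""
    bad = [a for a in addresses if not is_valid_address(a)]
    if bad:
        raise ValueError(f"not an address or wildcard pattern: {bad}")
    lines = [f"dn: {admin_config_dn(short_host, domain)}",
             "changetype: modify",
             f"replace: {ADDR_ATTR}"]
    lines += [f"{ADDR_ATTR}: {a}" for a in addresses]
    lines += ["-", f"replace: {HOST_ATTR}", "-", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed host, domain and addresses; save the output as access.ldif
    # and feed it to ldapmodify bound as the directory manager.
    print(build_access_ldif("ldap02", "inside.example.com",
                            ["10.5.1.*", "192.0.2.7"]))
```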
Re: [Fedora-directory-users] Windows NT4 Password Sync Problem
[EMAIL PROTECTED] wrote:
> Hello everyone,
>
> so now the Winsync from NT4 PDC -> FDS works fine (thanks to all)
> And now the next step gives me a problem.
>
> I do the Password sync without SSL connection (only one problem at a time).

The PassSync service requires SSL. If you take a look at the passsync.log file, it should have an error about your SSL config.

-NGK

> The setup should be correct:
>
> Windows Reg entry:
> (Default) (value not set)
> Cert Token
> Hostname 192.168.1.55
> Install Path C:\Program Files\Red.
> Password guessmypw
> Password Field userpassword
> Port Number 389
> Search Base ou=People,dc=daheim,dc=weil
> User Name uid=useradmin,ou=Special Users,dc=daheim,dc=weil
> User Name Field ntuserdomainid
>
> the bind user has the ACIs to change all values in the user tree
>
> But I receive the following error at the PDC:
> The description for event (105) in source (Password Synchronization Service) could not be found. It contains the following insertion string(s): .
>
> So in fact nothing happens :(
> At the FDS logs I don't see anything, so there seems no communication between ADS and FDS.
> The same as a question from RE: [Fedora-directory-users] AD sync from Darjo Gregoric at Thu, 3 Nov 2005
>
> Is there anything missing in the setup? Or is something wrong in the Password Sync Program.
> And how should the log at the FDS look like (error log set to Replication)?
>
> CU
> Hartmut
Re: [Fedora-directory-users] Windows NT4 Password Sync Problem
Hartmut Wöhrle wrote:
> On Wednesday, 7 December 2005 15:17, Nathan Kinder wrote:
>> [EMAIL PROTECTED] wrote:
>>> Hello everyone,
>>> so now the Winsync from NT4 PDC -> FDS works fine (thanks to all)
>>> And now the next step gives me a problem.
>>> I do the Password sync without SSL connection (only one problem at a time).
>>
>> The PassSync service requires SSL. If you take a look at the passsync.log file, it should have an error about your SSL config.
>>
>> -NGK
>
> Is there a difference between AD and NT PDC, because in the discussion of Winsync password from Dean Jones you write:
>
> -- citation from Thu, 17 Nov 2005 --
> Nope. Accounts can sync fine without SSL. SSL is only required for passwords to sync from AD -> FDS. You should take a look at the errors log on the FDS side. You may want to enable replication level logging through the Console application to get some useful info.
> -NGK
> -- end citation from Thu, 17 Nov 2005 --
>
> And the followup from David Boreham says:
>
> -- citation from Thu, 17 Nov 2005 --
> Other way around. Password sync AD -> FDS works without SSL. Password sync FDS -> AD requires SSL. AD will refuse to modify a password unless you connect via SSL.
> -- end citation from Thu, 17 Nov 2005 --

The PassSync service operates exactly the same on AD, or a NT4 PDC. In my experience, it will not send a password across in the clear. Set the Log Level registry key to 1 for Password Sync, then restart the service. You will see that it complains about SSL needing to be setup from the passsync.log. You can also take a look at the access log on the FDS side, and you won't see any connections from PassSync unless SSL is setup.

David noted that passwords will not sync the other way without SSL either. I haven't verified this myself, but I'll take his word on it.

-NGK

> Cu
> Hartmut
Re: [Fedora-directory-users] another issue starting the console
Craig White wrote:
> I can start the console and I get a window asking me to log in but the login window is never presented.
>
> # cat /etc/profile.d/java.sh
> JREHOME=/usr/java/jre1.5.0_06/lib/i386
> JAVA_HOME=/usr/java/jre1.5.0_06
> JAVAWSHOME=/usr/java/jre1.5.0_06/javaws
> LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$JREHOME:$JAVAWSHOME
> PATH=$PATH:/usr/java/jre1.5.0_06/bin
> export JAVA_HOME
>
> # echo $LD_LIBRARY_PATH
> :/usr/java/jre1.5.0_06/lib/i386:/usr/java/jre1.5.0_06/javaws
> # echo $PATH
> /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/java/jre1.5.0_06/bin:/root/bin
>
> # export LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib
> # ./startconsole -u admin -a http://srv1.clsurvey.com:26996/
>
> nothing in /opt/fedora-ds/slapd-srv1/logs/ that suggests where the problem might be
>
> Is this a jre1.5.0_06 issue because on my own server, I am running j2re-1.4.2-11.1.fc3.rf

Run startconsole with the -xnologo option. The login window is being hidden behind the splash window that you are seeing. Yes, this is an issue that has been reported with users using jre 1.5.

-NGK

> Craig
Re: [Fedora-directory-users] FDS 1.0 and Friends
Aly Dharshi wrote:
> Hello All,
>
> I hope that you are well. Please forgive me if this is an out there question, with some of the changes that I read below in Richard's announcement, how well will FDS 1.0 play with Sun's DS 5.x ? Anybody with any thoughts on this ? I am referring to replication to and from for instance.

The replication code has not had any significant changes in FDS 1.0, so replication to Sun's DS 5.x should still work. The main architectural changes to FDS 1.0 are in the Administration Server, which does not affect replication.

-NGK

> Cheers,
>
> Aly.
>
> Richard Megginson wrote:
>> We are proud to announce the release of Fedora Directory Server 1.0. This release marks a significant milestone for the open source community, who now have access to the code for the console and administration engine as well as the previously open sourced LDAP engine. This release uses the Apache httpd engine as its administration server, and includes mod_nss - a rewrite of mod_ssl which uses the Mozilla NSS crypto engine.
>>
>> The 1.0 release, in addition to its many other features such as LDAPv3, Multi-Master Replication, and Windows Synchronization, includes support for MD5, SHA-256, SHA-384, and SHA-512 password hashing, as well as many bug fixes.
>>
>> Fedora Directory Server 1.0 furthers the evolution and democratization of open source software in making this powerful, enterprise proven technology available to all. It is a boon for developers who are now able to port the full package - LDAP engine, console, and admin engine - to many different platforms.
>>
>> If you have used the previous version of Fedora Directory Server, we invite you to try our new version. If you are using another LDAP server, we invite you to try ours and let us know how it compares - we're always looking for ways to improve.
>>
>> Our community is already active and growing, and you are welcome and encouraged to join. There are many ways: joining the mailing lists, reporting bugs, editing documentation, writing scripts/patches/plug-ins, and many more.
>>
>> Try it out! - http://directory.fedora.redhat.com/wiki/Download
>> Our home page - http://directory.fedora.redhat.com/
>> Join our community! - http://directory.fedora.redhat.com/wiki/Ways_to_contribute
>> mod_nss - http://directory.fedora.redhat.com/wiki/Mod_nss
>> Drop us a line! - fedora-directory-users@redhat.com and http://directory.fedora.redhat.com/wiki/Mailing_Lists
>>
>> --
>> Fedora-directory-announce mailing list
>> [EMAIL PROTECTED]
>> https://www.redhat.com/mailman/listinfo/fedora-directory-announce
Re: [Fedora-directory-users] Winsync Problem with NT4
Hartmut Wöhrle wrote:
> Hello Elliot,
>
> On Tuesday, 29 November 2005 21:27, Elliot Schlegelmilch wrote:
>>> I'm a bit confused now. Which password, or which actual?
>>
>> You can ldapsearch using the uid=admin,ou=system account and correct password.
>
> correct password - that's exactly my problem. I think when setting up the system I did something wrong, because the answer is Invalid Credentials (49) which means wrong password. Therefore I can not connect, not search, and not modify anything so what to do? Uninstall and start from scratch?
> ldapsearch works, but (as you can see below) my bind password is wrong (or I can't remember :) )
>
>> I would suggest opening up your c:\program files\fedora directory synchronization\conf\usersync.conf in your favorite editor, and see what password is in it. Try binding as that user. While looking inside that file look for the 'server.db.partition.suffix.usersync' field.
>
> While trying to install I changed this password and now it doesn't fit - or maybe I am too stupid because I can not remember.
>
>> Then, with this password and base, try another search.
>>
>> ldapsearch -v -h 192.168.1.218 -D uid=admin,ou=system -w pw -b dc=home,dc=org (objectclass=*)
>>
>> I'm just guessing the base, but I assume it's something very similar. You should see something similar to this:
>>
>> # Guest, users, example.com
>> dn: sAMAccountName=Guest,cn=users,dc=example,dc=com
>> memberOf: sAMAccountName=Domain Guests,cn=users,dc=example,dc=com
>> lastLogon: 0
>> objectGUID: 0105000515003D725165EB1AB15BC9504D49F501
>> countryCode: 0
>
> Ok, so now I know what should come out - good.
>
>> Once you can access your PDC from LDAP, there's a lot better chance that your Fedora Directory Server will be able to for replication.
>
> Exactly, that's why I switched to the ldapsearch, because it tells me much more at the output than the logfile from Replication Log.
>
> Btw... It would be nice to find a schema (written or drawn) which tells me (or everyone) how winsync and passwordsync work.
> The pictures in the manuals tell me which way the servers exchange information, but within the PDC (or AD) I don't know anything - it is a black box. And I didn't find the sources to check by myself - is it closed source?
>
>> It's not closed source.
>> http://directory.fedora.redhat.com/wiki/Building#Pulling_the_Directory_Server_Source
>
> The Directory Server yes. But I don't see (maybe I'm blind) the sources for the ApacheDS at the PDC (Java based) and the sources for winsync software, which comes as a .msi (Microsoft Installer) file. So is this open source? And where to find it?

The ApacheDS source is available at http://directory.apache.org/

The source for the winsync software is in the same source tree as the Directory Server. The PassSync.msi source is in the ldapserver/ldap/synctools directory. The ntds.msi source is in the ldapserver/ldap/servers/ntds directory.

> And I think the manual is a little bit too small for the NT Winsync. With AD it is OK, because you use the LDAP function of the AD and synchronise like a replica - more or less. But what exactly happens at the NT PDC??? I learned from this forum that winsync installs an ApacheDS as LDAP Server to connect with. OK what next. How does the ApacheDS connect to the PDC. Which user is used for the login - if any?
>
> Does it work like this:
> FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)
> or
> FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=admin)

My understanding is that the ApacheDS just serves up an LDAP representation of NT's SAM database. It can access this since it is running as Administrator.

> And you need the replication manager (with the ACLs to add, modify and delete a user) at the FDS side for the synchronization?
> So this works like this (push)
> NT PDC (user=?) --> ApacheDS (uid=admin,ou=system) --> FDS (uid=replmanager,out=users)
> And how does he know which user at the FDS to use
> Or like this (pull)
> FDS --> ApacheDS (uid=admin,ou=system) --> NT PDC (user=?)

FDS pulls the data from ApacheDS.

> And how does it work, when I use the Password sync? Is there a layer in between the Windows admin tool and PDC that reads the input and sends it to the FDS before handing it to the PDC Directory - but for this it needs an account with administrative rights, which one?

The Windows LSA (local security authority) hands password changes off to PassSync. The PassSync service then attempts to push this password change to FDS. You need to setup a user on the FDS side that has permission to update the userPassword attribute for your user entries. It doesn't matter which user as long as they have the proper rights.

-NGK

> You see there are many questions with this challenging tool.
>
> See U
> Hartmut
Re: [Fedora-directory-users] JAVA_HOME problems after upgrade
FDS 7.1 included the IBM JVM. FDS 1.0 does not include a JVM. To use Console you need either the 1.4.2 Sun or IBM JVM on your system with JAVA_HOME set appropriately.

-NGK

Brian Zuromski wrote:
> After upgrading I keep getting this when starting the console...
>
> ./startconsole -u admin -a http://hostname.domain:10204/
> ./startconsole: Unable to find libjava and libjvm in JAVA_HOME. Please ensure that JAVA_HOME is set correctly.
>
> It worked in the previous version (7.1) just fine. Are there any dependencies I should be installing?
Re: [Fedora-directory-users] LDAP subagent questions
Kevin M. Myer wrote:
> Nathan,
>
> I'm not sure if it matters what directory the agent is invoked from but the results are the same, if invoked with a full path, or if already in the bin/slapd/server directory:
>
> # cat /opt/fedora-ds/slapd-instance/config/ldap-agent.conf
> server /opt/fedora-ds/slapd-instance/logs
> # ./ldap-agent /opt/fedora-ds/slapd-instance/config/ldap-agent.conf
> ldap-agent: Error opening server config file: /opt/fedora-ds/slapd-instance/logs/config/dse.ldif

Doh! I didn't notice this before, but the docs are incorrect. The server parameter should point to the instance directory, not the logs directory. In your case, it should be set to /opt/fedora-ds/slapd-instance.

> # cat /opt/fedora-ds/slapd-instance/config/ldap-agent.conf
> server /opt/fedora-ds/slapd-instance
> # ./ldap-agent /opt/fedora-ds/slapd-instance/config/ldap-agent.conf
> ldap-agent: Started as pid 25012
>
> And a minor nit, the documentation talks about ldapagent and the binary is actually ldap-agent.

I'll get documentation bugs filed for these issues.

-NGK

> Kevin
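To catch the documentation mistake above before the agent is started, an added checker (not part of Fedora DS or its ldap-agent): it reads the "server" lines of ldap-agent.conf and verifies that each one names an instance directory holding config/dse.ldif, the file the agent opens; a value ending in /logs is reported together with the corrected path. The instance tree in demo() is constructed in a temporary directory.

```python
import os
import tempfile


def parse_agent_conf(text):
    """Return the 'server' values from ldap-agent.conf text, in order.
    Blank lines and '#' comments are skipped; other keys are ignored."""
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "server":
            servers.append(parts[1].rstrip("/"))
    return servers


def check_server_path(path):
    """Return (ok, message) for one 'server' value: ok only when the
    directory contains config/dse.ldif, as the agent expects."""
    dse = os.path.join(path, "config", "dse.ldif")
    if os.path.isfile(dse):
        return True, f"{path}: ok ({dse} found)"
    parent = os.path.dirname(path)
    if os.path.basename(path) == "logs" and os.path.isfile(
            os.path.join(parent, "config", "dse.ldif")):
        # The mistake from the thread: docs said to use the logs directory.
        return False, (f"{path}: points at the logs directory; "
                       f"set 'server {parent}' instead")
    return False, f"{path}: no config/dse.ldif under this directory"


def check_agent_conf(text):
    """Check every 'server' line; returns a list of (ok, message)."""
    return [check_server_path(p) for p in parse_agent_conf(text)]


def demo():
    """Constructed slapd-instance tree mirroring the thread's layout;
    returns (ok for the /logs config, ok for the fixed config, message)."""
    with tempfile.TemporaryDirectory() as root:
        inst = os.path.join(root, "slapd-instance")
        os.makedirs(os.path.join(inst, "config"))
        os.makedirs(os.path.join(inst, "logs"))
        open(os.path.join(inst, "config", "dse.ldif"), "w").close()
        wrong = check_agent_conf(f"server {inst}/logs\n")
        fixed = check_agent_conf(f"# agent config\nserver {inst}\n")
        return wrong[0][0], fixed[0][0], wrong[0][1]


if __name__ == "__main__":
    for item in demo():
        print(item)
```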
Re: [Fedora-directory-users] Winsync - passwords?
Dean Jones wrote:
> Hey everyone,
>
> I have setup winsync between FDS and AD and just want to clarify a few points that i can't find in the docs or older posts..
>
> 1. Passwords. They do not appear to be syncing either direction but i don't have SSL enabled. my guess is that this is normal?

No. They should be syncing from FDS -> AD without SSL, but not the other way. This is related to your issue 2 below.

> 2. Accounts. They are only syncing from AD -> FDS but i'm assuming this is also due to lack of SSL?

Nope. Accounts can sync fine without SSL. SSL is only required for passwords to sync from AD -> FDS. You should take a look at the errors log on the FDS side. You may want to enable replication level logging through the Console application to get some useful info.

-NGK

> 3. Existing users. If i have identical users setup on both my FDS and AD servers and then do a sync, what will happen? just a password sync? Has anyone done this before?
>
> thanks!
Re: [Fedora-directory-users] howto Step by Step install Directory Server, help me!
This sounds like a known issue with the JVM that Admin Server uses crashing with JIT enabled. Re-run your installation, but set the environment variable JAVA_COMPILER=none first. That will disable JIT and should get you through the install. When the install is complete, edit the <FDS install path>/admin-serv/config/jvm12.conf file, and add -Djava.compiler=none to the jvm.options config parameter. This will allow the Admin Server to startup without needing an environment variable set.

-NGK

adirek sanyakhuan wrote:
> I configured by the guide but it does not work. Error message:
>
> Server group ID to use (default: nobody)
> [slapd-ldap]: starting up server ...
> [slapd-ldap]: Fedora-Directory/7.1 B2005.146.2010
> [slapd-ldap]: ldap.pccp.ac.th:389 (/opt/fedora-ds/slapd-ldap)
> [slapd-ldap]:
> [slapd-ldap]: [10/Nov/2005:08:52:00 +0700] - Fedora-Directory/7.1 B2005.146.2010 starting up
> [slapd-ldap]: [10/Nov/2005:08:52:01 +0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> Your new directory server has been started.
> Created new Directory Server
> Start Slapd Starting Slapd server configuration.
> Success Slapd Added Directory Server information to Configuration Server.
> Configuring Administration Server...
> Setting up Administration Server Instance...
> Configuring Administration Tasks in Directory Server...
> Configuring Global Parameters in Directory Server...
> Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileErA2P6 2>&1] (error: No such file or directory)
> INFO Finished with setup, logfile is setup/setup.log
>
> 2005/11/10, Mike Jackson [EMAIL PROTECTED]:
>> adirek sanyakhuan wrote:
>>> I am a new user of Fedora and I am interested in OpenLDAP or Directory Server. I tried to install but it does not work!
>>> Can anybody suggest a step-by-step install of Directory Server?
>>
>> Hi, I just wrote that type of guide on the wiki a few days ago:
>> http://directory.fedora.redhat.com/wiki/Setup
>>
>> -- mike
Re: [Fedora-directory-users] FC3 - DS Source Build Prb
You need to install the krb5-devel package.

Jason Kullo Sam wrote:
> Ok, got through all that, now onto building the DS source (again...but RIGHT this time). I get the feeling I input this
>
> cd ldapserver/ ; gmake USE_PERL_FROM_PATH=1 BUILD_DEBUG=optimize
>
> the make dies with this...
>
> -L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -lplc4 -lplds4 -lnspr4 -L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -ldbm -lavl -lldif -llitekey -ldl -L../../../../mozilla/dist/Linux2.6_x86_glibc_PTH_OPT.OBJ/lib -lsvrcore -L../../../../cyrus-sasl-2.1.20/lib -lsasl2 -L/usr/kerberos/lib -lgssapi_krb5 -lcrypt -lpthread -L../../../../db-4.2.52.NC/built/.libs -ldb-4.2
> /usr/bin/ld: cannot find -lgssapi_krb5
> collect2: ld returned 1 exit status
> gmake[3]: *** [../../../built/release/slapd/Linux-domestic-optimize-normal-slapd/bin/slapd/server/ns-slapd] Error 1
> gmake[3]: Leaving directory `/root/Desktop/dsbuild-static/ds/ldapserver/ldap/servers/slapd'
> gmake[2]: *** [_slapd] Error 2
> gmake[2]: Leaving directory `/root/Desktop/dsbuild-static/ds/ldapserver/ldap/servers'
> gmake[1]: *** [ldapprogs] Error 2
> gmake[1]: Leaving directory `/root/Desktop/dsbuild-static/ds/ldapserver/ldap'
> gmake: *** [buildDirectory] Error 2
> [EMAIL PROTECTED] ldapserver]#
>
> ## Searched for lgssapi_krb5...is this wrong? ##
> [EMAIL PROTECTED] ~]# updatedb
> [EMAIL PROTECTED] ~]# locate libgssapi_krb5.a
> [EMAIL PROTECTED] ~]# locate libgssapi_krb5
> /usr/lib/libgssapi_krb5.so.2
> /usr/lib/libgssapi_krb5.so.2.2
> =
>
> Any ideas?
Re: [Fedora-directory-users] integrating samba and FDS/RHDS (draft 1)
Darren Fulton wrote:
> On Wed, 2005-07-13 at 10:07 +0300, Vesko wrote:
>> Adam Stokes wrote:
>>> There is no need for the /etc/group file to have those entries in it because Samba will map the entries from the ldap server. So remove the entries in /etc/group, import the ldif from /tmp/sambaGroups and map the appropriate entries (instead of ntgroup='Admins' use ntgroup='Domain Admins' unixgroup='Domain Admins'). Remember you are mapping from an ldap server so the entries have to exist somewhere.
>>
>> The same errors:
>>
>> [root dt ~]# net groupmap add rid=512 ntgroup=’Domain Admins’ unixgroup=’Domain Admins’
>> Bad option: Admins’
>> [root dt ~]# net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'
>> Can't lookup UNIX group Domain Admins
>>
>> Is this a samba bug or ...? it is just not working as expected :( I did everything right up till this moment.
>>
>> I use samba-3.0.10-1.4E on CentOS release 4.1 (Final) and fedora-ds-7.1-2.RHEL4 (rpm install)
>>
>> regards
>
> Hello,
>
> In this how-to, down in the code block with the net groupmap add commands, there are some invalid characters. I see these things ’ instead of regular single quotes like this '. If you paste those into a terminal it results in lots of errors. I tried to sign up for Wiki access so that I could fix it, but it wouldn't let me sign up.

I fixed this in the wiki. Thanks for tracking it down!

-NGK

> I think this may be what is causing the errors described above.
>
> Thanks,
> Darren
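A small scanner for the problem Darren describes, added here as an example (not part of the wiki or the project): it reports typographic quotes and other look-alike characters in a pasted command block and normalizes them to the ASCII characters the shell expects. The sample commands are constructed from the net groupmap lines in the thread.

```python
import unicodedata

# Characters that render like quotes or spaces but are not what the shell
# parses; the first one is exactly what produced "Bad option: Admins’".
LOOKALIKES = {
    "\u2018": "'", "\u2019": "'",   # left/right single quotation mark
    "\u201c": '"', "\u201d": '"',   # left/right double quotation mark
    "\u00a0": " ",                  # no-break space, another paste hazard
}

# Constructed sample: the wiki's broken line followed by a correct one.
SAMPLE = (
    "net groupmap add rid=512 ntgroup=\u2019Domain Admins\u2019 "
    "unixgroup=\u2019Domain Admins\u2019\n"
    "net groupmap add rid=513 ntgroup='Domain Users' "
    "unixgroup='Domain Users'\n"
)


def find_lookalikes(text):
    """Return (line_no, column, unicode_name) for each offending character,
    both 1-based, so a reviewer can point at the exact spot in a how-to."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in LOOKALIKES:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def normalize(text):
    """Replace every look-alike with its ASCII equivalent; other text,
    including any legitimate non-ASCII, is left untouched."""
    return text.translate({ord(k): v for k, v in LOOKALIKES.items()})


if __name__ == "__main__":
    for lineno, col, name in find_lookalikes(SAMPLE):
        print(f"line {lineno} col {col}: {name}")
    print(normalize(SAMPLE), end="")
```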