Re: [389-users] 389 hang while upgrading from 1.2.2 to 1.2.10
Hi Rich,

On Tuesday 19 March 2013 13:19:08 Rich Megginson wrote:
> Looks like you might need to do a manual db upgrade procedure, even though you should not be affected by the subtree rename conditions, as in
> http://port389.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer

Thank you very much for your support!

Maybe it's better to trash the old data and reinitialize the newly installed server using replication or a restore ;)

Peace,
R.

--
Roberto Polli
Community Manager
Babel S.r.l. - http://www.babel.it
T: +39.06.9826.9651 M: +39.340.652.2736 F: +39.06.9826.9680
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

CONFIDENTIAL: This message and its attachments are confidential and intended for the addressees. Unauthorized forwarding to recipients other than those indicated in the original message is prohibited. If received in error, use of the content is prohibited; please notify the sender and delete it immediately.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] 389 hang while upgrading from 1.2.2 to 1.2.10
On 03/20/2013 05:15 AM, Roberto Polli wrote:
> Hi Rich,
>
> On Tuesday 19 March 2013 13:19:08 Rich Megginson wrote:
>> Looks like you might need to do a manual db upgrade procedure, even though you should not be affected by the subtree rename conditions, as in
>> http://port389.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer
>
> Thank you very much for your support!
>
> Maybe it's better to trash the old data and reinitialize the newly installed server using replication or a restore ;)

Yes, replica init should work fine too.

> Peace,
> R.
Re: [389-users] dsadmin python library
On 03/14/2013 11:11 AM, Roberto Polli wrote:
> On Thursday 14 March 2013 11:04:46 Rich Megginson wrote:
>> What about the scripts such as dirsynccrtl.py, winsyncssl.py, etc. that use dsadmin.py? Should they be in the same repo as dsadmin.py?
>
> Your choice ;) I would just separate the reusable stuff from the perl and bug one. Will see.
>
> I really hope that dsadmin.py & co will be added to the 389 rpm as soon as we end a small facelift.

That's a much larger task - will then need documentation, QE, etc., etc.

> Peace,
> R.
Re: [389-users] dsadmin python library - about Entry behavior
On 03/18/2013 08:37 AM, Roberto Polli wrote:
> Hi Rich,
>
> A question about Entry behavior. Given the following entry:
>
>   t = 'o=foo', {'objectclass': ['organization', 'top']}
>   e = Entry(t)
>
> Using dict.update would be very nice, but if you try
>
>   e.data.update({'dc': 'bar', 'objectclass': ['organization', 'top', 'domain']})
>
> you'll end up with a strange result.
>
> Do you think we should raise an exception if dict values are strings?

Sure.

> Peace,
> R.
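The "strange result" Roberto describes, and the check he proposes, shown as an added example that is not dsadmin's code (the `Entry` class below is a stand-in built for illustration, not `dsadmin.Entry`): LDAP attribute values are lists, so a bare string dropped in by `dict.update()` is later iterated character by character when the entry is flattened into attribute/value pairs, whereas a checked `update()` refuses it up front.

```python
# Added example, not dsadmin's own code. The Entry class here is a stand-in
# for illustration: a DN plus a dict mapping attribute -> list of string values.

class Entry:
    """Minimal LDAP entry: a DN plus a dict of attribute -> list of values."""

    def __init__(self, entry):
        self.dn, self.data = entry

    def to_modlist(self):
        """Flatten attributes into (attr, value) pairs, as an LDAP add/modify would.
        A bare string value is iterated character by character here, which is
        the 'strange result' a plain dict.update() produces."""
        pairs = []
        for attr, values in self.data.items():
            for v in values:
                pairs.append((attr, v))
        return pairs

    def update(self, attrs):
        """dict.update() with a type check: every value must be a list of strings."""
        for attr, values in attrs.items():
            if isinstance(values, (str, bytes)) or not isinstance(values, list):
                raise TypeError(
                    "attribute %r: values must be a list of strings, got %r"
                    % (attr, type(values).__name__))
            if not all(isinstance(v, str) for v in values):
                raise TypeError("attribute %r: every value must be a string" % attr)
        self.data.update(attrs)


def unchecked_update_result():
    """Reproduce the thread's example with plain dict.update(): 'dc' ends up
    as three one-character values b, a, r."""
    e = Entry(('o=foo', {'objectclass': ['organization', 'top']}))
    e.data.update({'dc': 'bar', 'objectclass': ['organization', 'top', 'domain']})
    return e.to_modlist()


def checked_update_result():
    """Same update through Entry.update(): the string 'bar' is rejected and
    the TypeError message is returned."""
    e = Entry(('o=foo', {'objectclass': ['organization', 'top']}))
    try:
        e.update({'dc': 'bar', 'objectclass': ['organization', 'top', 'domain']})
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    print(unchecked_update_result())
    print(checked_update_result())
```

Rejecting strings at update time keeps the failure close to the caller's mistake instead of surfacing later as a puzzling multi-valued attribute on the server.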
Re: [389-users] How to Managed Entries Plugin for Linux Users?
Hi Nathan,

Thanks. Yes, it was a stupid typo.

Is there any way to modify/delete entries created by the Managed Entries plugin? When I try to delete those group entries it denies, saying it needs to be manually unlinked; not sure how to un-link them. Any idea on that?

--
http://about.me/chandank

On Tue, Mar 19, 2013 at 10:55 PM, Nathan Kinder <nkin...@redhat.com> wrote:
> On 03/19/2013 02:33 PM, Chandan Kumar wrote:
>> Hello,
>>
>> I am deploying the 389 server (on CentOS 6) to manage the Linux users/passwords. So as part of Linux user management, I was trying to get the Managed Entries to work for Posix user creation. I am following the standard Red Hat documentation.
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html-single/Deployment_Guide/index.html#managed-entries
>>
>> So I created the templates exactly the way explained in the doc, but when I create the users it is not creating the corresponding groups. I am using the following ldap commands to add entries. I could see this plugin created from the console: Server -> Data -> Plugins -> Managed Entries -> My plugin
>>
>> User creation statements
>>
>> dn: uid=pappu1,ou=People,dc=ma,dc=net
>> objectclass: person
>> objectclass: inetorgperson
>> objectclass: posixAccount
>> cn: Pappu
>> sn: Papa
>> givenName: pappu1
>> uid: pappu1
>> uidNumber: 9003
>> gidNumber: 9003
>> objectclass: mepOriginEntry
>> mepManagedEntry: cn=Pappu Group
>> homeDirectory: /home/pappu1
>>
>> The plugin
>>
>> dn: cn=Posix User-Group,cn=Managed Entries,cn=plugins,cn=config
>> objectclass: extensibleObject
>> cn: Posix User-Group
>> originScope: ou=people,dc=ma,dc=ma
>
> You have a typo in your originScope setting. It should be ou=people,dc=ma,dc=net.
>
> -NGK
>
>> originFilter: objectclass=posixAccount
>> managedBase: ou=groups,dc=ma,dc=net
>> managedTemplate: cn=Posix User-Group Template,ou=Templates,dc=ma,dc=net
>>
>> The template
>>
>> dn: cn=Posix User-Group Template,ou=Templates,dc=ma,dc=net
>> objectclass: mepTemplateEntry
>> cn: Posix User-Group Template
>> mepRDNAttr: cn
>> mepStaticAttr: objectclass: posixGroup
>> mepMappedAttr: cn: $cn Group Entry
>> mepMappedAttr: gidNumber: $gidNumber
>> mepMappedAttr: memberUid: $uid
>>
>> --
>> http://about.me/chandank
[389-users] Using JNDI and 389DS
Hey everyone,

I need help implementing a client-server SSL connection. I've been researching on the web and I have no idea how to get my Java application to talk to the 389DS securely. I have been looking into keytool and JSSE, but there is no clear-cut explanation on how it should be done. I have a self-signed CA certificate that I created using certutil, and then a server certificate generated from that self-signed CA. Is there anyone who knows a path to a solution?

Thanks,
Rohit
Re: [389-users] How to Managed Entries Plugin for Linux Users?
Thanks, that helped.

The main reason for my LDAP deployment is centralized Linux user management for all Linux servers. What would be the simplest way to do basic user/group management such as

1. Adding/removing users to/from groups.
2. Creating new groups and adding the users to them.
3. Moving users across the groups.

From the documentation it appears that the static group is what I should be looking at, not sure though.

Basically I already have many users whose accounts need to be migrated to the directory server (as of now manually managed by puppet). I was wondering if I could do that in some ldif commands. I am really poor with ldif statements. I was trying to do it with a managed group but I could not do it.

What would an ldif command look like if I want to add a user, say testuser, and also add it to 3 different user groups (testuser (created by the Managed Entries plugin), testsupport, testadmin, testsales)?

Thanks
Chandan

On Wednesday, March 20, 2013, Rich Megginson wrote:
> On 03/20/2013 10:07 AM, Chandan Kumar wrote:
>> Hi Nathan,
>>
>> Thanks. Yes, it was a stupid typo.
>>
>> Is there any way to modify/delete entries created by the Managed Entries plugin? When I try to delete those group entries it denies, saying it needs to be manually unlinked; not sure how to un-link them. Any idea on that?
>
> You have to remove
>
>   objectclass: mepManagedEntry
>
> and
>
>   mepManagedBy: uid=jsmith,ou=people,dc=example,dc=com
>
> from the group entry.
>
>> --
>> http://about.me/chandank
>>
>> On Tue, Mar 19, 2013 at 10:55 PM, Nathan Kinder <nkin...@redhat.com> wrote:
>>> On 03/19/2013 02:33 PM, Chandan Kumar wrote:
>>>> Hello,
>>>>
>>>> I am deploying the 389 server (on CentOS 6) to manage the Linux users/passwords. So as part of Linux user management, I was trying to get the Managed Entries to work for Posix user creation. I am following the standard Red Hat documentation.
>>>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html-single/Deployment_Guide/index.html#managed-entries
>>>>
>>>> So I created the templates exactly the way explained in the doc, but when I create the users it is not creating the corresponding groups. I am using the following ldap commands to add entries. I could see this plugin created from the console: Server -> Data -> Plugins -> Managed Entries -> My plugin
>>>>
>>>> User creation statements
>>>>
>>>> dn: uid=pappu1,ou=People,dc=ma,dc=net
>>>> objectclass: person
>>>> objectclass: inetorgperson
>>>> objectclass: posixAccount
>>>> cn: Pappu
>>>> sn: Papa
>>>> givenName: pappu1
>>>> uid: pappu1
>>>> uidNumber: 9003
>>>> gidNumber: 9003
>>>> objectclass: mepOriginEntry
>>>> mepManagedEntry: cn=Pappu Group
>>>> homeDirectory: /home/pappu1
>>>>
>>>> The plugin
>>>>
>>>> dn: cn=Posix User-Group,cn=Managed Entries,cn=plugins,cn=config
>>>> objectclass: extensibleObject
>>>> cn: Posix User-Group
>>>> originScope: ou=people,dc=ma,dc=ma
>>>
>>> You have a typo in your originScope setting. It should be ou=people,dc=ma,dc=net.
>>>
>>> -NGK
>>>
>>>> originFilter: objectclass=posixAccount
>>>> managedBase: ou=groups,dc=ma,dc=net
>>>> managedTemplate: cn=Posix User-Group Template,ou=Templates,dc=ma,dc=net
>>>>
>>>> The template
>>>>
>>>> dn: cn=Posix User-Group Template,ou=Templates,dc=ma,dc=net
>>>> objectclass: mepTemplateEntry
>>>> cn: Posix User-Group Template
>>>> mepRDNAttr: cn
>>>> mepStaticAttr: objectclass: posixGroup
>>>> mepMappedAttr: cn: $cn Group Entry
>>>> mepMappedAttr: gidNumber: $gidNumber
>>>> mepMappedAttr: memberUid: $uid
>>>>
>>>> --
>>>> http://about.me/chandank

--
http://about.me/chandank
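Two things from this thread that are worth scripting, shown as an added example that is neither Chandan's nor Rich's code nor part of 389 Directory Server: a sanity check that catches a Managed Entries plugin entry whose `originScope`, `managedBase` or `managedTemplate` falls outside the suffix (the `dc=ma,dc=ma` typo Nathan spotted), and a generator for the LDIF modify that removes `objectclass: mepManagedEntry` and `mepManagedBy` from a managed group so it can be edited or deleted, as Rich describes. The DN comparison is a deliberately simplified, case-insensitive RDN match (no escaping or full DN normalization), and `THREAD_PLUGIN` is constructed from the plugin entry posted in the thread, typo included.

```python
# Added example, not from the thread or the 389 project. Standard library only.

def _norm_dn(dn):
    """Simplified DN normalization: split on commas, trim, lower-case.
    Assumption: no escaped commas inside attribute values."""
    return [part.strip().lower() for part in dn.split(',')]


def dn_under(dn, suffix):
    """True if dn equals suffix or sits below it (simplified RDN comparison)."""
    d, s = _norm_dn(dn), _norm_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def config_scope_problems(plugin, suffix):
    """Return human-readable problems for a Managed Entries plugin config dict:
    each scoping attribute must be present and must lie under the suffix."""
    problems = []
    for attr in ('originScope', 'managedBase', 'managedTemplate'):
        value = plugin.get(attr)
        if not value:
            problems.append('%s is missing' % attr)
        elif not dn_under(value, suffix):
            problems.append('%s=%s is not under suffix %s' % (attr, value, suffix))
    return problems


def unlink_ldif(group_dn, origin_dn):
    """LDIF change record that removes the Managed Entries link from a managed
    entry: drop the mepManagedEntry objectclass value and the mepManagedBy
    pointer back to the origin entry. After this the entry is an ordinary
    group that can be modified or deleted directly."""
    lines = [
        'dn: %s' % group_dn,
        'changetype: modify',
        'delete: objectclass',
        'objectclass: mepManagedEntry',
        '-',
        'delete: mepManagedBy',
        'mepManagedBy: %s' % origin_dn,
        '-',
    ]
    return '\n'.join(lines) + '\n'


# Constructed from the plugin entry posted in the thread, typo included.
THREAD_PLUGIN = {
    'originScope': 'ou=people,dc=ma,dc=ma',
    'originFilter': 'objectclass=posixAccount',
    'managedBase': 'ou=groups,dc=ma,dc=net',
    'managedTemplate': 'cn=Posix User-Group Template,ou=Templates,dc=ma,dc=net',
}


if __name__ == '__main__':
    for problem in config_scope_problems(THREAD_PLUGIN, 'dc=ma,dc=net'):
        print('problem:', problem)
    # Group DN and origin DN below are constructed to match the thread's entries.
    print(unlink_ldif('cn=Pappu Group,ou=groups,dc=ma,dc=net',
                      'uid=pappu1,ou=People,dc=ma,dc=net'))
```

The scope check is useful because the plugin silently does nothing when `originScope` points at a subtree that does not exist; nothing in the access log says why no group appeared. The generated LDIF is fed to `ldapmodify` as usual.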
Re: [389-users] Using JNDI and 389DS
Hey dc,

I did create a keystore, but every time I try to get it to work, I get stuck. I will post my Java code tomorrow to show you what my code looks like, and then I will mention the exact 389 DS configuration.

Thanks,
Rohit

From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] On Behalf Of Chun Tat David Chu [beyonddc.stor...@gmail.com]
Sent: Wednesday, March 20, 2013 9:15 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Using JNDI and 389DS

I have written Java code that does what you described. I think you should break up your problem.

1) Install your server certificate on the 389 DS first. You should consult the following website:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_SSL.html

2) Write your Java application to use JNDI to talk with 389 DS via SSL. You should follow the tutorial from the website:
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ssl.html

An important thing to note is you need to create a Java keystore. The Java keystore needs to be accessible by your application. You can pass in a Java property that specifies the Java keystore. The JNDI tutorial above should give you some hint.

Good luck,
dc

On Wed, Mar 20, 2013 at 5:48 PM, Chandan Kumar <chandank.ku...@gmail.com> wrote:
> Hi Rohit,
>
> Months back Arpit responded to my similar query in this forum and it worked. I am just re-posting his steps here. The only difference is: just ignore the slave certificate generation and all should be good.
>
> How about creating one CA cert signing all RHDS servers from the same CA? Then all you have to do is import only one CA in clients.
>
> Create a CA Certificate
>
> # certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa
>
> Make sure you say yes to "Is this a CA certificate [y/N]?" and everything else will be default.
>
> Next we create your Server Cert. Important - make sure your cn is the FQDN of this server.
>
> Create cert for ldap1.example.com on ldap1.example.com
>
> # certutil -S -n directory-Server-Cert-1 -s "cn=ldap1.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa
>
> Create cert for ldap2.example.com on ldap1.example.com
>
> # certutil -S -n directory-Server-Cert-2 -s "cn=ldap2.example.com" -c "CA certificate" -t "u,u,u" -m 1002 -v 120 -d . -k rsa
>
> Then check to make sure it looks ok
>
> # certutil -L -n directory-Server-Cert-2 -d .
>
> Export keys & certs for ldap2.example.com
>
> # pk12util -d . -o server2.p12 -n directory-Server-Cert-2
> # certutil -L -d . -n "CA certificate" -a > cacert.asc
>
> Copy the 'server2.p12' and 'cacert.asc' created above to the 2nd Red Hat Directory Server.
>
> Create your public CA for your clients.
>
> # certutil -d . -L -n "CA certificate" -a > my-public-ca.asc
>
> While logged in to the 2nd RHDS, i.e. ldap2.example.com, run the following:
>
> # service dirsrv stop
> # cd /etc/dirsrv/slapd-INSTANCE2/
> # mv /path/to/server2.p12 /etc/dirsrv/slapd-INSTANCE2/
> # mv /path/to/cacert.asc /etc/dirsrv/slapd-INSTANCE2/
> # pk12util -d . -i server2.p12
> # certutil -A -d . -n "CA certificate" -t "CT,," -a -i cacert.asc
> # service dirsrv start
>
> Thanks
> Chandan
>
> On Wednesday, March 20, 2013, Chaudhari, Rohit K. wrote:
>> Hey everyone,
>>
>> I need help implementing a client-server SSL connection. I've been researching on the web and I have no idea how to get my Java application to talk to the 389DS securely. I have been looking into keytool and JSSE, but there is no clear-cut explanation on how it should be done. I have a self-signed CA certificate that I created using certutil, and then a server certificate generated from that self-signed CA. Is there anyone who knows a path to a solution?
>>
>> Thanks,
>> Rohit
>
> --
> http://about.me/chandank
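Between Chandan's `certutil -L ... -a > cacert.asc` export and dc's advice to load the CA into a Java keystore, the file that travels to the client is the trust anchor for every LDAPS connection, so it is worth checking before importing it. The following is an added example, not code from the thread or from 389 DS: it confirms that the exported file holds exactly one well-formed PEM certificate block whose DER body is an ASN.1 SEQUENCE, and computes its SHA-1 and SHA-256 fingerprints so they can be compared against what `certutil -L -n "CA certificate" -d .` prints on the server. Standard library only; `SAMPLE_PEM` is a constructed placeholder whose DER payload is a minimal SEQUENCE, not a real certificate, used only to exercise the parser.

```python
# Added example, not from the thread. Validates an exported PEM CA file before
# it is imported into a client truststore, and prints fingerprints to compare
# with the server-side copy. Standard library only.
import base64
import hashlib
import re

PEM_RE = re.compile(
    r'-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----', re.S)


def pem_certificates(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file.
    Raises ValueError on bad base64 or a body that is not a DER SEQUENCE."""
    blobs = []
    for b64 in PEM_RE.findall(text):
        der = base64.b64decode(''.join(b64.split()), validate=True)
        if not der or der[0] != 0x30:   # X.509 Certificate is a DER SEQUENCE (tag 0x30)
            raise ValueError('PEM block does not decode to a DER SEQUENCE')
        blobs.append(der)
    return blobs


def fingerprints(der):
    """Colon-separated upper-case hex SHA-1 and SHA-256 digests of the DER,
    the form certificate tools print for comparison by eye."""
    return {
        'sha1': ':'.join('%02X' % b for b in hashlib.sha1(der).digest()),
        'sha256': ':'.join('%02X' % b for b in hashlib.sha256(der).digest()),
    }


def check_ca_file(text):
    """Validate an exported CA file for use as a client trust anchor: exactly
    one certificate block. Returns its fingerprints or raises ValueError."""
    certs = pem_certificates(text)
    if len(certs) != 1:
        raise ValueError('expected exactly one certificate, found %d' % len(certs))
    return fingerprints(certs[0])


def ca_file_error(text):
    """Return the validation error message for a CA file, or None if acceptable."""
    try:
        check_ca_file(text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample standing in for cacert.asc: a minimal DER SEQUENCE
# (SEQUENCE { INTEGER 5 }), NOT a real certificate, wrapped in PEM armor.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ('-----BEGIN CERTIFICATE-----\n'
              + base64.b64encode(SAMPLE_DER).decode() + '\n'
              + '-----END CERTIFICATE-----\n')


if __name__ == '__main__':
    import sys
    # Usage: python check_ca.py cacert.asc   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    err = ca_file_error(text)
    if err:
        print('rejected:', err)
        sys.exit(1)
    for algo, fp in check_ca_file(text).items():
        print('%-6s %s' % (algo, fp))
```

Once the fingerprints match the server's copy, the same file is what goes into the Java truststore (for example `keytool -importcert -trustcacerts -alias 389-ca -file cacert.asc -keystore truststore.jks`), and the truststore path is the Java property dc refers to (`javax.net.ssl.trustStore`); the alias and file names here are placeholders. Because the server certificates were issued with the FQDN as `cn`, JSSE's hostname check then passes only when the client connects by that name.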