Re: [389-users] winsync: differences between 1.2.11.15 and 1.3

2013-07-18 Thread Juan Carlos Camargo
Rich,

Thanks for replying. The entry CN= is the same in both cases and inside the
scope (inside the windows subtree). The agreements are the same in both
servers:

v1.2.11.15

dn: cn=ad5,cn=replica,cn=dc\3Dmetaeprinsa\2Cdc\3Dorg,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
description: ad5
cn: ad5
nsds7WindowsReplicaSubtree: dc=epr
nsds7DirectoryReplicaSubtree: ou=usuarios,dc=metaeprinsa,dc=org
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: off
nsds7WindowsDomain: epr
nsDS5ReplicaRoot: dc=metaeprinsa,dc=org
nsDS5ReplicaHost: ad5.epr
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=metasync,ou=usuarios de servicio,ou=grupos,dc=epr
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials:
oneWaySync: fromWindows

v1.3

dn: cn=ad5,cn=replica,cn=dc\3Dmetaeprinsa\2Cdc\3Dorg,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
description: ad5
cn: ad5
nsds7WindowsReplicaSubtree: dc=epr
nsds7DirectoryReplicaSubtree: ou=usuarios,dc=metaeprinsa,dc=org
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: off
nsds7WindowsDomain: epr
nsDS5ReplicaRoot: dc=metaeprinsa,dc=org
nsDS5ReplicaHost: ad5.epr
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=metasync,ou=usuarios de servicio,ou=grupos,dc=epr
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials:
oneWaySync: fromWindows

From: "Rich Megginson"
To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
CC: "Juan Carlos Camargo"
Sent: Thursday, 18 July 2013 16:01:52
Subject: Re: [389-users] winsync: differences between 1.2.11.15 and 1.3

> On 07/18/2013 06:17 AM, Juan Carlos Camargo wrote:
>> Hi 389ers,
>>
>> I have a lab scenario with one server running version 1.3 on Fedora 19.
>> My production servers still use 1.2.11.15 and run on CentOS. I've created
>> one-way sync agreements FROM Windows 2003, in both cases with the same
>> params: windows sync user, windows host, ds subtree and windows subtree.
>> But I've noticed that in version 1.3 sync does not work, all users are
>> reported to be "out of scope" even when the same sAMAccountName/uid is
>> found.
>>
>> Ex:
>>
>> v1.3
>> "[18/Jul/2013:12:59:15 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
>> (ad5:389): windows_process_dirsync_entry: windows inbound entry CN= has
>> the same name as local entry uid= but the windows entry is out of the
>> scope of the sync subtree [dc=DOMAIN] - if you want these entries to be
>> in sync, add the ntUser/ntGroup objectclass and required attributes to
>> the local entry, and move the windows entry into scope"
>>
>> v1.2.11.15
>> [18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
>> (ad5:389): map_entry_dn_inbound: looking for local entry matching AD
>> entry [CN=]
>> [18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
>> (ad5:389): map_entry_dn_inbound: looking for local entry by guid
>> [155e86afca9f2141af71624d7f55a44c]
>> [18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
>> (ad5:389): map_entry_dn_inbound: found local entry [uid=]
>>
>> Sorry about the different timestamps, but the user under  was the same in
>> both cases. So, the same agreement in version 1.2.11.15 syncs the users
>> (from Windows always) perfectly. I've deleted and recreated the
>> agreements on both sides, just in case I misspelled something, but still
>> the same results. What has changed, or better, where did I go wrong?
>
> Can you post your winsync config?
> The AD entry CN= - is it in the windows subtree or outside of it?  If it
> is outside of it, why?
>
>> Regards!
>> --
>> Juan Carlos Camargo Carrillo.
>> @jcarloscamargo
>> 957-211157 , 650932877

--
Juan Carlos Camargo Carrillo.
@jcarloscamargo
957-211157 , 650932877
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
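What the 1.3 log line calls "out of the scope of the sync subtree" comes down to one question: does the AD entry's DN sit at or beneath the agreement's nsds7WindowsReplicaSubtree? The following is an added example, not code from the 389 project or from anyone on this thread. It is a small POSIX sh check that normalises two DNs (case, blanks, escaped commas) and compares them by suffix, run over constructed sample DNs; Juan's real CN is not on the page, so the names are made up. The normalisation is deliberately minimal and is not 389 DS's own DN handling. The ldapsearch line in the comment is the authoritative check; it uses the host, bind DN and subtree from the agreement above with a hypothetical sAMAccountName.

```sh
#!/bin/sh
# Added example (not 389 DS code, not from the list posters): decide whether an
# AD entry DN is inside the agreement's nsds7WindowsReplicaSubtree. Sample DNs
# are constructed; the real CN from the thread is not on the page.

# norm_dn DN: lower-case, strip blanks around ',' and '=', and rewrite an
# escaped comma '\,' as '\2c' so it can never be mistaken for an RDN boundary.
# This is a deliberately small normalisation, not 389 DS's own DN code.
norm_dn() {
    printf '%s' "$1" \
        | tr '[:upper:]' '[:lower:]' \
        | sed -e 's/ *, */,/g' -e 's/ *= */=/g' -e 's/\\,/\\2c/g'
}

# dn_in_subtree DN SUBTREE: exit 0 if DN is SUBTREE itself or lies beneath it.
# The leading comma in the second pattern is what stops dc=epr from matching
# dc=myepr, and a DN that merely contains the subtree (cn=x,dc=epr,dc=local)
# is rejected because the suffix does not line up.
dn_in_subtree() {
    dn=$(norm_dn "$1")
    sub=$(norm_dn "$2")
    case "$dn" in
        "$sub"|*",$sub") return 0 ;;
        *)               return 1 ;;
    esac
}

# Constructed sample data, using the agreement's subtree from the thread
# (dc=epr); the CNs are made up.
SUBTREE='dc=epr'
in_scope='CN=Juan Perez,OU=Usuarios,DC=epr'
wrong_domain='CN=Juan Perez,OU=Usuarios,DC=myepr'
deeper_suffix='CN=Juan Perez,OU=Usuarios,DC=epr,DC=local'
escaped_comma='CN=Perez\, Juan,OU=Usuarios,DC=epr'

# scope_report: one line per sample DN, "in-scope <dn>" or "out-of-scope <dn>".
scope_report() {
    for entry in "$in_scope" "$wrong_domain" "$deeper_suffix" "$escaped_comma"; do
        if dn_in_subtree "$entry" "$SUBTREE"; then
            printf 'in-scope      %s\n' "$entry"
        else
            printf 'out-of-scope  %s\n' "$entry"
        fi
    done
}

# The authoritative check is against AD itself, from the agreement's base and
# bind DN: if the entry is not returned here, winsync cannot consider it in
# scope either (the sAMAccountName value is hypothetical):
#   ldapsearch -x -H ldap://ad5.epr:389 \
#       -D 'cn=metasync,ou=usuarios de servicio,ou=grupos,dc=epr' -W \
#       -b 'dc=epr' -s sub '(sAMAccountName=jperez)' dn
scope_report
```

If the ldapsearch from base dc=epr returns the entry, AD considers it in scope, and the next thing worth doing is dumping both agreement entries with ldapsearch and diffing them rather than comparing them by eye, since the two configs above are only the same if every attribute value is byte-for-byte identical.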

Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Dan,

 

Please read this :

we need to run a multi-domain LDAP where each domain will have an admin group
who can do everything and the users can change only their passwords. We need
to know how to write the ACL for such a scenario. Each domain will be
represented by O=domain and then we will have ou=people and we will have the
admin group under the groups. Each domain will have this structure.

 

Best regards,

Husam

 

 

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Thursday, July 18, 2013 3:31 AM
To: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Manual & help step by step

 

There are plenty of step-by-step instructions to do what you are trying to
do. You can refer to the Red Hat documentation or the 389 documentation.

http://directory.fedoraproject.org/wiki/Howto:SSL

 

Also, it is normal for the CA certificate to show up in the server tab if you
generated the CA certificate on the LDAP server: any certificate with the
private key in the database will appear as a server certificate. For example,
when you export the CA and move it to a second server, it will not show up in
the server tab.

 

In addition, when generating a CSR using the GUI (idm console) you must
stick with it, because the CSR will create the key in the db. If you are
pursuing the command line using certutil, you must convert the x509
certificates (three files usually: private, public and CA) into pkcs12
format.

 

Here is a link to understand and configure ACIs. 

http://directory.fedoraproject.org/wiki/Howto:AccessControl

 

I hope this helps.

 

Dan

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of تدريبك - دورات
-شبكات - حاسبات
Sent: Wednesday, July 17, 2013 7:38 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Manual & help step by step

 

Dear friends,

 

Anyone can help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way with openssl: in this case I can't upload the certificate on
the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

Like I want to have many admins, each one can control his group with no
access to the other groups.

Many thanks in advance.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
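Dan's point about the server tab is really about where the private key lives in the NSS database. As an added example, not the 389 project's code and not from anyone on this thread, here is the command-line route he mentions (openssl to build a PKCS#12 bundle, pk12util to import it, certutil to add the CA) wrapped in a shell function with a dry-run switch. The file names, the instance directory /etc/dirsrv/slapd-INSTANCE and the nickname Server-Cert are assumptions; Server-Cert is the default nickname the server looks for in nsSSLPersonalitySSL.

```sh
#!/bin/sh
# Added example (not 389 DS code, not from the list posters): the command-line
# import Dan describes, with a dry-run switch. Paths, the instance directory
# and the nickname are assumptions; "Server-Cert" is the default value of
# nsSSLPersonalitySSL, the nickname the server looks up at startup.

# run CMD...: execute, or only print the command line when DRYRUN is set, so
# the sequence can be reviewed before it touches the live certificate database.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# import_server_cert NSSDB KEY CRT CA [NICKNAME]
# Three steps; returns non-zero as soon as one of them fails.
import_server_cert() {
    db=$1 key=$2 crt=$3 ca=$4 nick=${5:-Server-Cert}
    # 1. Bundle the private key and the server certificate into PKCS#12. The
    #    -name becomes the NSS nickname, so it must match nsSSLPersonalitySSL.
    #    The CA is added in step 3 instead of via -certfile so that its trust
    #    flags are set explicitly rather than left to the import.
    run openssl pkcs12 -export -in "$crt" -inkey "$key" \
        -name "$nick" -out "$nick.p12" || return 1
    # 2. Import the bundle: the key goes into the key database, which is
    #    exactly why this entry is listed as a server certificate.
    run pk12util -i "$nick.p12" -d "$db" || return 1
    # 3. Add the CA separately, with trust flags only (C: may issue server
    #    certs, T: may issue client certs) and no key, so it stays a CA entry.
    run certutil -A -d "$db" -n "CA certificate" -t "CT,," -i "$ca"
}

# Afterwards `certutil -L -d NSSDB` shows the split Dan is talking about:
#   Server-Cert      u,u,u    <- 'u' = has a private key: server certificate
#   CA certificate   CT,,     <- trust flags only: CA certificate

# Review first, then run for real (openssl, pk12util and certutil prompt for
# the PKCS#12 and database passwords):
#   DRYRUN=1 import_server_cert /etc/dirsrv/slapd-INSTANCE server.key server.crt ca.crt
#   import_server_cert /etc/dirsrv/slapd-INSTANCE server.key server.crt ca.crt
```

Two things to check after the import: the files under /etc/dirsrv/slapd-INSTANCE must stay owned by the dirsrv user, and an unattended restart needs the database password in that directory's pin.txt, otherwise the server waits for it at startup.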

Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Alberto,

Please read this :
we need to run a multi-domain LDAP where each domain will have an admin group who 
can do everything and the users can change only their passwords. We need to know 
how to write the ACL for such a scenario. Each domain will be represented by 
O=domain and then we will have ou=people and we will have the admin group under 
the groups. Each domain will have this structure.

Best regards,
Husam

-Original Message-
From: 389-users-boun...@lists.fedoraproject.org 
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Alberto Suárez
Sent: Thursday, July 18, 2013 6:17 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

Hello, please find attached my notes. Please, bear in mind that these are the 
steps I followed to install 389 on CentOS 6.3. I have tried to document a 
procedure that works, but I cannot guarantee the instructions provided will 
work in your particular setup.

Please, do not hesitate to get back to me if you get lost with my document. I 
will try to help as much as I can.

Good luck.

تدريبك - دورات -شبكات - حاسبات wrote:
> Dear friends,
>
> Anyone can help me?
>
> I have installed the directory on CentOS.
>
> I want to make certs and install them on the server.
>
> I have tried many ways but none are working. One way with p12: when 
> uploading the certificates, they both appear in the server tab, even the CA.
>
> The other way with openssl: in this case I can't upload the certificate 
> on the server tab; it only appears on the CA tab.
>
> Also I want some help setting ACLs.
>
> Like I want to have many admins, each one can control his group with no 
> access to the other groups.
>
> Many thanks in advance.
>
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
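Husam's scenario (one o=<domain> per tenant, ou=people, an admin group under ou=groups, admins do everything, users change only their own password) maps onto two ACIs placed on each suffix entry. The following is an added example, not the 389 project's code and not from anyone on this thread: a POSIX sh script that prints those ACIs and the skeleton entries as LDIF for ldapmodify/ldapadd. The group name cn=admins, the container ou=groups, the suffix o=example and the member uid=alice are my assumptions; the ACI syntax is 389 Directory Server's.

```sh
#!/bin/sh
# Added example (not 389 DS code, not from the list posters): LDIF for the
# per-domain layout in the question. Assumed names: suffix o=example, the
# container ou=groups and the group cn=admins; the ACI syntax itself is 389
# Directory Server's.

# domain_acis SUFFIX: ldapmodify input that puts two ACIs on the suffix entry.
# ACIs apply to the entry that carries them and everything below, so one pair
# per o=<domain> covers ou=people and ou=groups underneath, and nothing here
# reaches into another domain's suffix.
domain_acis() {
    dom=$1
    admins="cn=admins,ou=groups,$dom"
    cat <<EOF
dn: $dom
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "$dom admins: full control"; allow (all) groupdn="ldap:///$admins";)
aci: (targetattr="userPassword")(version 3.0; acl "$dom users: change own password only"; allow (write) userdn="ldap:///self";)
EOF
}

# domain_skeleton SUFFIX FIRST_ADMIN_DN: ldapadd input for the containers and
# the admin group the first ACI points at (groupdn matches nobody until the
# group exists). FIRST_ADMIN_DN is assumed to be an entry under ou=people.
domain_skeleton() {
    dom=$1
    first_admin=$2
    cat <<EOF
dn: ou=people,$dom
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,$dom
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=admins,ou=groups,$dom
objectClass: top
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: $first_admin
EOF
}

# Apply as Directory Manager, once per domain (the suffix entry itself is
# created when the backend is set up):
#   domain_skeleton o=example uid=alice,ou=people,o=example | ldapadd -x -D 'cn=Directory Manager' -W
#   domain_acis o=example | ldapmodify -x -D 'cn=Directory Manager' -W
```

Two caveats before relying on this: the users get no read access from these two ACIs, so add a read ACI if applications bind as the users themselves; and check what each suffix already carries (ldapsearch as Directory Manager with -b o=example -s base aci), because an instance set up with anonymous access enabled has an "Enable anonymous access" ACI that lets anyone read every domain, which defeats the per-domain isolation the admin ACI is meant to give.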

Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Alberto,

Many thanks,

I will get back to you after I redo the work and give you my feedback.

Best regards,
Husam.


-Original Message-
From: 389-users-boun...@lists.fedoraproject.org 
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Alberto Suárez
Sent: Thursday, July 18, 2013 6:17 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

Hello, please find attached my notes. Please, bear in mind that these are the 
steps I followed to install 389 on CentOS 6.3. I have tried to document a 
procedure that works, but I cannot guarantee the instructions provided will 
work in your particular setup.

Please, do not hesitate to get back to me if you get lost with my document. I 
will try to help as much as I can.

Good luck.

تدريبك - دورات -شبكات - حاسبات wrote:
> Dear friends,
>
> Anyone can help me?
>
> I have installed the directory on CentOS.
>
> I want to make certs and install them on the server.
>
> I have tried many ways but none are working. One way with p12: when 
> uploading the certificates, they both appear in the server tab, even the CA.
>
> The other way with openssl: in this case I can't upload the certificate 
> on the server tab; it only appears on the CA tab.
>
> Also I want some help setting ACLs.
>
> Like I want to have many admins, each one can control his group with no 
> access to the other groups.
>
> Many thanks in advance.
>
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Dan,

Many thanks,

I will get back to you after I redo the work and give you my feedback.

Best regards,

Husam.

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Thursday, July 18, 2013 3:31 AM
To: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Manual & help step by step

 

There are plenty of step-by-step instructions to do what you are trying to
do. You can refer to the Red Hat documentation or the 389 documentation.

http://directory.fedoraproject.org/wiki/Howto:SSL

Also, it is normal for the CA certificate to show up in the server tab if you
generated the CA certificate on the LDAP server: any certificate with the
private key in the database will appear as a server certificate. For example,
when you export the CA and move it to a second server, it will not show up in
the server tab.

In addition, when generating a CSR using the GUI (idm console) you must
stick with it, because the CSR will create the key in the db. If you are
pursuing the command line using certutil, you must convert the x509
certificates (three files usually: private, public and CA) into pkcs12
format.

 

Here is a link to understand and configure ACIs. 

http://directory.fedoraproject.org/wiki/Howto:AccessControl

 

I hope this helps.

 

Dan

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of تدريبك - دورات
-شبكات - حاسبات
Sent: Wednesday, July 17, 2013 7:38 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Manual & help step by step

 

Dear friends,

 

Anyone can help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way with openssl: in this case I can't upload the certificate on
the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

Like I want to have many admins, each one can control his group with no
access to the other groups.

Many thanks in advance.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Manual & help step by step

2013-07-18 Thread Dan Lavu
Alberto,

I mistook you for the person asking for help, sorry for the confusion. 

Dan

On Jul 18, 2013, at 8:20 AM, Alberto Suárez wrote:

> Hi Dan,
> 
> I'm afraid there is a little misunderstanding here. I just offered my notes 
> to the person asking for assistance in setting up 389. It is not me who is 
> asking for help. I'm sorry if I caused any confusion with my answer to that 
> request.
> 
> Thank you anyway...
> 
> Alberto.
> 
> Dan Lavu wrote:
>> Alberto,
>> 
>> I do not have the time to walk you through something like this, it'd be
>> best if you stated what the error message is and which step you do not
>> understand.
>> 
>> You are not going to learn anything if I walk you through it, and it
>> will not benefit you if you do not learn the software, assuming you are
>> the administrator.
>> 
>> Dan
>> 
>> 
>> On Thu, Jul 18, 2013 at 4:39 AM, Alberto Suárez
>> <asua...@gobiernodecanarias.org> wrote:
>> 
>>Hello:
>> 
>>I have a document with the steps I followed but it is in Spanish. If
>>you can wait a few hours I will post it translated into English, ok?
>> 
>>Kind regards,
>> 
>>Alberto Suárez.
>> 
>> 
>>تدريبك - دورات -شبكات - حاسبات wrote:
>> 
>>Dear friends,
>> 
>>Anyone can help me?
>> 
>>I have installed the directory on CentOS.
>> 
>>I want to make certs and install them on the server.
>> 
>>I have tried many ways but none are working. One way with p12: when
>>uploading the certificates, they both appear in the server tab,
>>even the CA.
>> 
>>The other way with openssl: in this case I can't upload the
>>certificate on the server tab; it only appears on the CA tab.
>> 
>>Also I want some help setting ACLs.
>> 
>>Like I want to have many admins, each one can control his group
>>with no access to the other groups.
>> 
>>Many thanks in advance.
>> 
>> 
>> 

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] winsync: differences between 1.2.11.15 and 1.3

2013-07-18 Thread Rich Megginson

  
  
On 07/18/2013 06:17 AM, Juan Carlos Camargo wrote:
> Hi 389ers,
>
> I have a lab scenario with one server running version 1.3 on Fedora 19. My
> production servers still use 1.2.11.15 and run on CentOS. I've created
> one-way sync agreements FROM Windows 2003, in both cases with the same
> params: windows sync user, windows host, ds subtree and windows subtree.
> But I've noticed that in version 1.3 sync does not work, all users are
> reported to be "out of scope" even when the same sAMAccountName/uid is
> found.
>
> Ex:
>
> v1.3
> "[18/Jul/2013:12:59:15 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
> (ad5:389): windows_process_dirsync_entry: windows inbound entry CN= has the
> same name as local entry uid= but the windows entry is out of the scope of
> the sync subtree [dc=DOMAIN] - if you want these entries to be in sync, add
> the ntUser/ntGroup objectclass and required attributes to the local entry,
> and move the windows entry into scope"
>
> v1.2.11.15
> [18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
> (ad5:389): map_entry_dn_inbound: looking for local entry matching AD entry
> [CN=]
> [18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
> (ad5:389): map_entry_dn_inbound: looking for local entry by guid
> [155e86afca9f2141af71624d7f55a44c]
> [18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5"
> (ad5:389): map_entry_dn_inbound: found local entry [uid=]
>
> Sorry about the different timestamps, but the user under  was the same in
> both cases. So, the same agreement in version 1.2.11.15 syncs the users
> (from Windows always) perfectly. I've deleted and recreated the agreements
> on both sides, just in case I misspelled something, but still the same
> results. What has changed, or better, where did I go wrong?

Can you post your winsync config?
The AD entry CN= - is it in the windows subtree or outside of it?  If it is
outside of it, why?

> Regards!
> --
> Juan Carlos Camargo Carrillo.
> @jcarloscamargo
> 957-211157 , 650932877

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

[389-users] winsync: differences between 1.2.11.15 and 1.3

2013-07-18 Thread Juan Carlos Camargo
Hi 389ers,

I have a lab scenario with one server running version 1.3 on Fedora 19. My
production servers still use 1.2.11.15 and run on CentOS. I've created
one-way sync agreements FROM Windows 2003, in both cases with the same
params: windows sync user, windows host, ds subtree and windows subtree. But
I've noticed that in version 1.3 sync does not work, all users are reported
to be "out of scope" even when the same sAMAccountName/uid is found.

Ex:

v1.3
"[18/Jul/2013:12:59:15 +0200] NSMMReplicationPlugin - agmt="cn=ad5" (ad5:389): windows_process_dirsync_entry: windows inbound entry CN= has the same name as local entry uid= but the windows entry is out of the scope of the sync subtree [dc=DOMAIN] - if you want these entries to be in sync, add the ntUser/ntGroup objectclass and required attributes to the local entry, and move the windows entry into scope"

v1.2.11.15
[18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5" (ad5:389): map_entry_dn_inbound: looking for local entry matching AD entry [CN=]
[18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5" (ad5:389): map_entry_dn_inbound: looking for local entry by guid [155e86afca9f2141af71624d7f55a44c]
[18/Jul/2013:13:31:00 +0200] NSMMReplicationPlugin - agmt="cn=ad5" (ad5:389): map_entry_dn_inbound: found local entry [uid=]

Sorry about the different timestamps, but the user under  was the same in
both cases. So, the same agreement in version 1.2.11.15 syncs the users
(from Windows always) perfectly. I've deleted and recreated the agreements
on both sides, just in case I misspelled something, but still the same
results. What has changed, or better, where did I go wrong?

Regards!
--
Juan Carlos Camargo Carrillo.
@jcarloscamargo
957-211157 , 650932877
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Manual & help step by step

2013-07-18 Thread Dan Lavu
Alberto,

I do not have the time to walk you through something like this, it'd be
best if you stated what the error message is and which step you do not
understand.

You are not going to learn anything if I walk you through it, and it will
not benefit you if you do not learn the software, assuming you are the
administrator.

Dan


On Thu, Jul 18, 2013 at 4:39 AM, Alberto Suárez <
asua...@gobiernodecanarias.org> wrote:

> Hello:
>
> I have a document with the steps I followed but it is in Spanish. If you
> can wait a few hours I will post it translated into English, ok?
>
> Kind regards,
>
> Alberto Suárez.
>
>
> تدريبك - دورات -شبكات - حاسبات wrote:
>
>> Dear friends,
>>
>> Anyone can help me?
>>
>> I have installed the directory on CentOS.
>>
>> I want to make certs and install them on the server.
>>
>> I have tried many ways but none are working. One way with p12: when
>> uploading the certificates, they both appear in the server tab, even the
>> CA.
>>
>> The other way with openssl: in this case I can't upload the certificate
>> on the server tab; it only appears on the CA tab.
>>
>> Also I want some help setting ACLs.
>>
>> Like I want to have many admins, each one can control his group with no
>> access to the other groups.
>>
>> Many thanks in advance.
>>
>>
>>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Manual & help step by step

2013-07-18 Thread Alberto Suárez

Hello:

I have a document with the steps I followed but it is in Spanish. If you 
can wait a few hours I will post it translated into English, ok?


Kind regards,

Alberto Suárez.

تدريبك - دورات -شبكات - حاسبات wrote:

Dear friends,

Anyone can help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way with openssl: in this case I can't upload the certificate
on the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

Like I want to have many admins, each one can control his group with no
access to the other groups.

Many thanks in advance.




--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users