Re: [389-users] About Kerberos and dirsrv

2011-06-16 Thread Gioachino Bartolotta
Hi Juan!

Is it possible to write a bash script to import existing users into Kerberos?
In my LDAP I already have 2000 users...

Thanks


2011/6/15 Juan Carlos Camargo Carrillo juan...@eprinsa.es:
 To your former question, yes. Basically, and assuming you have experience
 with openldap:

 0.- Backup your current installation or create a new 389ds instance.
 1.- Configure the kdc to use ldap as a database backend.
 2.- Get the 60kerberos.ldif from freeIPA (it works out of the box with
 389ds) and copy it to the instance's schema folder. Add krb5principalname
 to your suffix database indexes. Restart dirsrv.

 3.- Create the realm with kdb5_ldap_util.
 4.- Create kerberos principals for your users
     4.1 for new users: addprinc <principal>
     4.2 for existing ldap users: addprinc -x dn=<full DN of the user> <principal>
 This will add kerberos attributes to an existing ldap user.

 Regards!

 On Wed, 15-06-2011 at 13:10 +0200, Gioachino Bartolotta wrote:

 Hi !!

 Yes, I want to use 389ds as a backend for kerberos.

 So, will everything work if I just import the schemas into 389ds?

 Another question. I actually have two 389ds servers configured with multimaster
 replication, and on each server there is a kdc (1 master and 1 slave).

 Do I have to copy the same keytab to both servers?

 Do I also have to change the file /etc/sysconfig/saslauthd with these
 parameters?

 MECH_OPTIONS=
 THREADS=5
 START=yes
 MECHANISMS=ldap
 OPTIONS=-m /var/run/saslauthd

 Then... am I missing something else?

 Thank you.

 2011/6/15 Juan Carlos Camargo Carrillo juan...@eprinsa.es:
 Hi,

 It depends.  If you want to use 389ds as a Kerberos database backend  then
 you should import the schema into the directory and yes, you'll need to
 create principals or modify the existing ldap entries to accept kerberos
 attributes, as you've said you did with openldap.  I've done it with my
 389ds lab and it works.

 On Wed, 15-06-2011 at 12:08 +0200, Gioachino Bartolotta wrote:

 Hi all,

 I have a problem setting up Kerberos with 389; I tried to do it using
 the documents available on the 389 site and at Red Hat.

 I followed everything, but I am unable to get the initial ticket from
 Kerberos. Do I have to add these records as I have always done with
 OpenLDAP?

 dn: ou=KerberosPrincipals,ou=Users,dc=domain
 ou: KerberosPrincipals
 objectClass: top
 objectClass: organizationalUnit

 dn: krb5PrincipalName=ldapmaster/admin@DOMAIN,ou=KerberosPrincipals,ou=Users,dc=domain
 objectClass: top
 objectClass: person
 objectClass: krb5Principal
 objectClass: krb5KDCEntry
 krb5PrincipalName: ldapmaster/admin@DOMAIN
 krb5KeyVersionNumber: 1
 krb5MaxLife: 86400
 krb5MaxRenew: 604800
 krb5KDCFlags: 126
 cn: ldapmaster/admin@domain
 sn: ldapmaster/admin@domain
 userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ==

 Thanks



 --
 389 users mailing list
 389-users@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/389-users

-- 
---
Gioachino Bartolotta
ICQ #: 9103167
MSN Messenger: astrar...@email.it
Yahoo and Skype: gioachino_bartolotta


Re: [389-users] About Kerberos and dirsrv

2011-06-16 Thread Juan Carlos Camargo
This link may help:
http://blogs.oracle.com/wfiveash/entry/the_rough_guide_to_configuring


On Thu, 16-06-2011 at 18:23 +0900, 夜神 岩男 wrote:

 On Thu, 2011-06-16 at 10:52 +0200, Gioachino Bartolotta wrote:
  Hi Juan!
  
  It's possible to do a bash script to import existing users into kerberos??
  In my ldap I have already 2000 users ...
  
  Thanks
 
 It is almost always possible to do a bash script to perform these sorts
 of tasks. This is one of the best reasons to learn how if you aren't
 already good at it. If your sed/awk skills are well developed, this is
 an excellent, repeatable, adaptable solution. I will be facing a similar
 problem in the mid-term and if you have written a basic script by then
 I'd love to get a copy. If not, I will be writing one myself in a few
 months.
 
 This problem is probably frequent enough that someone may have already
 tackled it with a smart script... ? Anyone?
 
 -Iwao
 


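The procedure Juan lists in the first message (schema, realm, then `addprinc -x dn=<existing entry>` for each existing user) and the follow-up question of scripting it for 2000 existing users, as an added example. This is not code from the thread, from 389ds or from MIT krb5; the realm EXAMPLE.COM, the base DN, the posixAccount filter and SAMPLE_LDIF are constructed for the example. It reads the LDIF that ldapsearch prints, skips entries that already carry MIT's krbPrincipalName (so it can be re-run after a partial migration), and by default only prints the kadmin queries it would run.

```bash
#!/usr/bin/env bash
# Added example, not code from this thread, 389ds or MIT krb5: bulk-enrol
# existing 389ds users as Kerberos principals stored in the same directory,
# using the "addprinc -x dn=<existing entry>" form from Juan's step 4.2.
# Hypothetical: the realm, base DN, the posixAccount filter and SAMPLE_LDIF.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"

# Reduce ldapsearch LDIF on stdin to one "dn<TAB>uid" record per line.
# - unfolds LDIF continuation lines (a leading space joins the previous line),
#   which ldapsearch produces for any DN longer than 76 characters;
# - skips entries without a uid and entries whose DN is base64 (dn::), which
#   need a human look (non-ASCII DN);
# - skips entries that already carry krbPrincipalName (the attribute from MIT's
#   kerberos.ldif schema), so re-running after a partial migration is harmless.
ldif_to_records() {
  awk '
    function flush() {
      if (dn != "" && uid != "" && !has_krb) print dn "\t" uid
      dn = ""; uid = ""; has_krb = 0
    }
    function handle(line) {
      if (line == "")                   { flush(); return }
      if (line ~ /^dn:: /)              { dn = ""; return }
      if (line ~ /^dn: /)               { dn = substr(line, 5); return }
      if (line ~ /^uid: /)              { uid = substr(line, 6); return }
      if (line ~ /^krbPrincipalName: /) { has_krb = 1; return }
    }
    /^ /  { buf = buf substr($0, 2); next }
          { handle(buf); buf = $0 }
    END   { handle(buf); flush() }
  '
}

# One kadmin query per record. "-x dn=" attaches the Kerberos attributes to the
# existing entry instead of creating a new one under the KDC container.
# -randkey: a userPassword hash cannot be converted into a Kerberos key, so each
# user's password must still be set afterwards (kadmin cpw, or a reset flow).
plan_principals() {
  tab=$(printf '\t')
  while IFS="$tab" read -r dn uid; do
    printf 'addprinc -x dn=%s -randkey %s@%s\n' "$dn" "$uid" "$REALM"
  done
}

# Live run on the KDC host (needs ldapsearch and kadmin.local). Prints the
# queries unless DRY_RUN=0, so the plan can be reviewed before the directory
# is touched. Use ldaps:// or ldapi:// if the directory is not on this host:
# a simple bind over plain ldap:// sends the bind password in the clear.
migrate_users() {
  ldapsearch -LLL -x -H "${LDAP_URI:-ldap://localhost}" \
      -D "${BIND_DN:-cn=Directory Manager}" -W -b "$BASE_DN" \
      '(&(objectClass=posixAccount)(uid=*))' uid krbPrincipalName \
    | ldif_to_records | plan_principals \
    | while IFS= read -r query; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
          printf 'kadmin.local -q "%s"\n' "$query"
        else
          kadmin.local -q "$query"
        fi
      done
}

# Constructed sample of what ldapsearch -LLL would print: carol's DN is folded,
# bob already has a principal, and the robot entry has no uid.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
krbPrincipalName: bob@EXAMPLE.COM

dn: cn=Build Robot,ou=People,dc=example,dc=com
cn: Build Robot

dn: uid=carol,ou=People,dc=exam
 ple,dc=com
uid: carol
'

# Offline demonstration: the plan for SAMPLE_LDIF (alice and carol only).
demo() {
  printf '%s' "$SAMPLE_LDIF" | ldif_to_records | plan_principals
}
```

Run `demo` to see the two queries it would hand to kadmin.local; run `DRY_RUN=0 migrate_users` on the KDC once the realm exists. kadmin's query parser splits on whitespace, so a DN containing spaces (cn=Build Robot,...) has to be wrapped in double quotes inside the query before this is used on such a tree; the example keeps DNs space-free to stay out of that quoting.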

Re: [389-users] Multimaster replication query

2011-06-16 Thread s.varadha rajan
Hi,

I ran the command below on the supplier side, and the output is:

# extended LDIF
#
# LDAPv3
# base cn=config with scope subtree
# filter: (objectclass=nsds5replicationagreement)
# requesting: ALL
#

# Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389, replica, o\3Dnetscaperoot, mapping tree, config
dn: cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389,cn=replica,cn=o=netscaperoot,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389
nsDS5ReplicaHost: sam.xxx.xxx.com
nsDS5ReplicaRoot: o=netscaperoot
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=repman,cn=config
nsDS5ReplicaBindMethod: simple
nsds5replicaTimeout: 120
nsDS5ReplicaCredentials: {DES}VdEnvxoUkmw1TpV1QyVPtg==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20110616123147Z
nsds5replicaLastUpdateEnd: 20110616123147Z
nsds5replicaChangesSentSinceStartup:: MToxNC8wIA==
nsds5replicaLastUpdateStatus: 0 Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20110616104148Z
nsds5replicaLastInitEnd: 20110616104153Z
nsds5replicaLastInitStatus: 0 Total update succeeded

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Regards,
Varad



On Thu, Jun 16, 2011 at 8:47 PM, Rich Megginson rmegg...@redhat.com wrote:

 On 06/16/2011 07:33 AM, s.varadha rajan wrote:

 Hi,

 For me there are no issues receiving the logs. Anyway, I have performed the
 following steps again:

 1. Stopped the dirsrv on both sides.
 2. Enabled nsslapd-errorlog-level: 8192 on both servers in the dse.ldif
 file.
 3. Started the dirsrv on both servers.
 4. Exported the data to .ldif and imported it on the sam system.
 5. From varad.xxx.xxx.com, removed the agreement again (./mmr.pl --host1
 varad.xxx.xxx.com --host2 sam.xxx.xxx.com --host1_id 1 --host2_id 2
 --bindpw password --repmanpw password --remove)
 6. From varad.xxx.xxx.com, created the agreement again (./mmr.pl --host1
 varad.xxx.xxx.com --host2 sam.xxx.xxx.com --host1_id 1 --host2_id 2
 --bindpw password --repmanpw password --create)
 7. Then created one user under ou=people, as uid=TT, on the supplier side
 (varad.xxx.xxx.com)
 8. But it is not replicated on the other system...

 Supplier system (/var/log/dirsrv/slapd-varad/errors) (varad.xxx.xxx.com):

 [16/Jun/2011:18:36:48 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): Disconnected from the consumer
 [16/Jun/2011:18:36:48 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): State: start -> ready_to_acquire_replica
 [16/Jun/2011:18:36:48 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): State: ready_to_acquire_replica -> wait_for_changes
 [16/Jun/2011:18:41:49 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): State: wait_for_changes -> wait_for_changes
 [16/Jun/2011:18:41:49 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): State: wait_for_changes -> start
 [16/Jun/2011:18:41:49 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): No linger to cancel on the connection
 [16/Jun/2011:18:41:49 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): Disconnected from the consumer
 [16/Jun/2011:18:41:49 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): State: start -> ready_to_acquire_replica
 [16/Jun/2011:18:41:49 +051800] NSMMReplicationPlugin - agmt=cn=Replication from varad.xxx.xxx.com port 389 to sam.xxx.xxx.com port 389 (sam:389): State: ready_to_acquire_replica -> wait_for_changes

 Consumer system (sam.xxx.xxx.com):

 [16/Jun/2011:18:46:15 +051800] NSMMReplicationPlugin - agmt=cn=Replication from sam.xxx.xxx.com port 389 to varad.xxx.xxx.com port 389 (varad:389): Disconnected from the consumer
 [16/Jun/2011:18:46:15 +051800] NSMMReplicationPlugin - agmt=cn=Replication from sam.xxx.xxx.com port 389 to varad.xxx.xxx.com port 389 (varad:389): State: start -> ready_to_acquire_replica
 [16/Jun/2011:18:46:15 +051800] NSMMReplicationPlugin - agmt=cn=Replication from sam.xxx.xxx.com port 389 to varad.xxx.xxx.com port 389 (varad:389): State: ready_to_acquire_replica -> wait_for_changes
 [16/Jun/2011:18:51:15 +051800] NSMMReplicationPlugin - agmt=cn=Replication from sam.xxx.xxx.com port 389 to varad.xxx.xxx.com port 389 (varad:389): State: wait_for_changes -> wait_for_changes
 [16/Jun/2011:18:51:15 +051800] NSMMReplicationPlugin - agmt=cn=Replication from sam.xxx.xxx.com port 389 to varad.xxx.xxx.com port