Re: [389-users] Back up of database for desaster recovery

2014-08-20 Thread Alberto Suárez

Thank you Derek.

Alberto.

On 14/08/14 15:41, Derek Belcher wrote:
These commands will export your data into an LDIF file. Replace 
everything in the [brackets] with your info.


Change to directory with scripts
# cd /usr/lib64/dirsrv/slapd-[TAB]

Dump data to ldif
# ./db2ldif -n userRoot -a /var/tmp/`date +%Y.%m.%d`.ldif

This step might be optional. I think it should already have the 755 
permissions when you dump it, but if not, do this...

# chmod 755 /var/tmp/`date +%Y.%m.%d`.ldif

Restore command
# ./ldif2db.pl -v -D "cn=directory manager" -w PASSWORD -i /var/tmp/`date +%Y.%m.%d`.ldif -s dc=[YOUR],dc=[COM]



-Derek


On Thu, Aug 14, 2014 at 3:56 AM, Alberto Suárez <asua...@gobiernodecanarias.org> wrote:


Hello:

I would like to make a valid copy of the LDAP data so that I could
restore it in another 389 installation in case of a crash. What
is the best way? I have tried the 389 commands but came across
issues.

    Thank you.

Alberto Suárez
--
389 users mailing list
389-users@lists.fedoraproject.org
<mailto:389-users@lists.fedoraproject.org>
https://admin.fedoraproject.org/mailman/listinfo/389-users
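
Added example, not part of the thread and not 389 Directory Server code: shell functions that check an LDIF export such as the one written by the db2ldif command above before it is relied on as a disaster-recovery copy. They confirm that the file has entries, that the suffix entry is present, and that a file carrying userPassword values is not world-readable; the sample LDIF, dc=example,dc=com and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for an LDIF export before it is trusted as a backup.

# Join LDIF continuation lines (a line starting with one space continues
# the previous line), so that long DNs can be matched as a single line.
ldif_unfold() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR > 0) print buf }' "$1"
}

# Every entry starts with a "dn:" line ("dn::" when the DN is base64-encoded).
ldif_entry_count() {
    ldif_unfold "$1" | grep -c '^dn:' || true
}

# Succeeds if the suffix entry itself is in the export (plain-text DNs only).
ldif_has_suffix() {
    ldif_unfold "$1" | grep -q -i -x -F "dn: $2"
}

# Succeeds if the export carries userPassword values (password hashes).
ldif_has_secrets() {
    ldif_unfold "$1" | grep -q -i '^userPassword:'
}

# Succeeds if "others" have read permission on the file (8th char of ls -l mode).
ldif_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print one verdict for the export in $1, given the expected suffix in $2.
check_export() {
    file=$1
    suffix=$2
    [ -s "$file" ] || { echo "missing-or-empty"; return 1; }
    n=$(ldif_entry_count "$file")
    [ "$n" -gt 0 ] || { echo "no-entries"; return 1; }
    ldif_has_suffix "$file" "$suffix" || { echo "suffix-missing"; return 1; }
    if ldif_has_secrets "$file" && ldif_world_readable "$file"; then
        echo "hashes-world-readable"
        return 1
    fi
    echo "ok entries=$n"
}

# Constructed sample export: three entries, one folded DN, one password hash.
write_sample() {
    cat > "$1" <<'EOF'
version: 1

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=example,
 dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxl
EOF
}

# Demonstration on the constructed sample.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/backup.ldif"
chmod 755 "$demo_dir/backup.ldif"
check_export "$demo_dir/backup.ldif" "dc=example,dc=com" || true
chmod 600 "$demo_dir/backup.ldif"
check_export "$demo_dir/backup.ldif" "dc=example,dc=com" || true
rm -rf "$demo_dir"
```

The restore side still has to be able to read the file, so tighten access through ownership or a restricted directory that the restoring account can reach.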





Re: [389-users] Back up of database for desaster recovery

2014-08-20 Thread Alberto Suárez

Oops! You are right, there was an answer I overlooked. I apologize 
for that. I am going to explore the suggestion given.


Thank you.

Alberto.

On 19/08/14 13:19, Ludwig Krispenz wrote:
there was an answer the same day you asked, if it doesn't work let us 
know what issues you have.


On 08/19/2014 01:27 PM, Alberto Suárez wrote:

Any answer?

Regards,

Alberto Suárez

On 14/08/14 09:56, Alberto Suárez wrote:

Hello:

I would like to make a valid copy of the LDAP data so that I could 
restore it in another 389 installation in case of a crash. What is 
the best way? I have tried the 389 commands but came across 
issues.


Thank you.

Alberto Suárez

Re: [389-users] Back up of database for desaster recovery

2014-08-19 Thread Alberto Suárez

Any answer?

Regards,

Alberto Suárez

On 14/08/14 09:56, Alberto Suárez wrote:

Hello:

I would like to make a valid copy of the LDAP data so that I could 
restore it in another 389 installation in case of a crash. What is 
the best way? I have tried the 389 commands but came across issues.


Thank you.

Alberto Suárez

[389-users] Back up of database for desaster recovery

2014-08-14 Thread Alberto Suárez

Hello:

I would like to make a valid copy of the LDAP data so that I could 
restore it in another 389 installation in case of a crash. What is the 
best way? I have tried the 389 commands but came across issues.


Thank you.

Alberto Suárez

Re: [389-users] Manual & help step by step

2013-07-19 Thread Alberto Suárez

Hello Husam,

Unfortunately I have not played with ACLs in 389 enough to help you in 
that part.


Good luck.

Alberto

تدريبك - دورات -شبكات - حاسبات wrote:

Dear Alberto ,

Please read this :
we need to run multi domain ldap where each domain will have an admin group who 
can do everything and the user can change only passwords. We need to know how 
to write the ACL for such scenario. Each domain will be represented by O=domain 
and then we will have ou=people and we will have admin group under the groups. 
Each domain will have this structure.

Best regards ,
Husam

-Original Message-
From: 389-users-boun...@lists.fedoraproject.org 
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Alberto Suárez
Sent: Thursday, July 18, 2013 6:17 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

Hello, please find attached my notes. Please, bear in mind that these are the 
steps I followed to install 389 in Centos 6.3. I have tried to document a 
procedure that works, but I can not guarantee the instructions provided will 
work in your particular setup.

Please, do not hesitate to get back to me if you get lost with my document. I 
will try to help as much as I can.

Good luck.

تدريبك - دورات -شبكات - حاسبات wrote:

Dear friends,

Can anyone help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way with openssl: in this case I can't upload the certificate
on the server tab, it only appears on the CA tab.

Also I want some help setting ACLs.

Like I want to have many admins, each one can control his group, no
access for the other groups.

Many thanks in advance .




Re: [389-users] Manual & help step by step

2013-07-18 Thread Alberto Suárez

Hello:

I have a document with the steps I followed but it is in Spanish. If you 
can wait a few hours I will post it translated into English, ok?


Kind regards,

Alberto Suárez.

تدريبك - دورات -شبكات - حاسبات wrote:

Dear friends,

Can anyone help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way with openssl: in this case I can't upload the certificate
on the server tab, it only appears on the CA tab.

Also I want some help setting ACLs.

Like I want to have many admins, each one can control his group, no access
for the other groups.

Many thanks in advance .




Re: [389-users] samba+ldap

2012-11-09 Thread Alberto Suárez

Hi Upen,

If you contact me I might be able to give you a hand, as I set it up 
recently.


Regards,

Alberto

upen wrote:

Hello,

I am trying to setup Samba with existing 389-ds on the same server.
Following http://directory.fedoraproject.org/wiki/Howto:Samba didn't help.
Does anyone know if there is any other useful updated document for this
purpose?

Thanks.





Re: [389-users] Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

2012-10-05 Thread Alberto Suárez
Hi! Please, excuse me for confusing you. I'll try to give you the right 
instructions now.


For details about using certutil, please see 
http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html. 
For details about using pk12util, please see 
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html


These should be the right steps:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label" -s "cn=myhost.myorg.example.com" \
  -c "CA_cert_label" -t "u,u,u" -m 1001 -v 120 \
  -d /etc/dirsrv/slapd-myhost -k rsa \
  -f /etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d /etc/dirsrv/slapd-myhost \
  -o /etc/dirsrv/slapd-myhost/directoryserver.p12 \
  -n "DS_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label" \
  -s "cn=myhost.myorg.example.com,ou=389 Administration Server" \
  -c "CA_cert_label" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost \
  -k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

Note that the Admin Server's certificate is stored in the Directory 
Server's certs database (/etc/dirsrv/slapd-myhost/cert8.db)

4. Export it to p12 format:

pk12util -d /etc/dirsrv/slapd-myhost \
  -o /etc/dirsrv/admin-serv/adminserver.p12 -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d /etc/dirsrv/admin-serv \
  -i /etc/dirsrv/admin-serv/adminserver.p12 -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database:

pk12util -d /etc/dirsrv/admin-serv \
  -i /etc/dirsrv/slapd-myhost/directoryserver.p12 -n "DS_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

I did not need to distribute any cert (in my case I am using 389 as a 
backend to samba, both sitting on the same machine). I think that the 
protocol takes care of whatever is needed. If using start_tls, the 
connection is first established over a non secured channel and then 
negotiations start in order to change to a secured one.


Cheers,

Alberto






Ray wrote:

Hi Alberto & 389ers,

I've put this issue on the side for three weeks, now I have holidays and
want to get to it…

There are still some open questions:

1) The -d . option: Where is "."? I ran the commands below with
.=/etc/dirsrv/slapd-


"-d" stands for the path to the directory containing the certificate and 
key database files (cert8.db and key3.db). You should replace "." for 
whatever that path is in your environment. The substitution you have 
done seems correct.




When I do that, steps 5 and 6 fail, because
/etc/dirsrv/admin-serv/adminserver.p12 does not exist. So I simply left
the P12 files in /etc/dirsrv/slapd- and switched
directories with "cd ../admin-serv" and imported there like this:

pk12util -d . -i /etc/dirsrv/slapd-/Admin_Server.p12 -n
"Admin_Server_cert_label" -w
/etc/dirsrv/slapd-/pwdfile.txt -k
/etc/dirsrv/slapd-/pwdfile.txt (Admin server)

and

pk12util -d . -i /etc/dirsrv/slapd-/DS_Server.p12 -n
"DS_Server_cert_label" -w /etc/dirsrv/slapd-/pwdfile.txt
-k /etc/dirsrv/slapd-/pwdfile.txt

(Could it be that Step 6 below is wrong?: You're simply importing the
admin cert again instead of the DS cert)


Adminserver.p12 and


That appears to have worked. But: were my assumptions with switching "."
correct?

2) Where do I find the certificate that I need to distribute to all my
client machines? Or do I first need to generate it resp. extract it? If
so: how would I do that?

Sorry if I appear a bit picky here but dealing with certificates is
like open heart surgery for me. I'm far away from being as relaxed as
you certificate expert superheroes ;)

Cheers,
Ray

Am 19.09.2012 10:34, schrieb Alberto Suárez:

Hi Ray,

Yes, those are strings you choose to name the certificates. I should
have written "CA_cert_label" instead of "AC_cert_label", sorry about
that...

All those labels are chosen by you when generating each certificate.
If you followed the setupssl2.sh script, it should be "CA certificate"
for the CA (see line 114 in
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you
generated with certutil yourself, it should be the string used after
"-n". If you are generating new certs for DS and Admin server you
could use the string you wish (in the script "Server-Cert" is used for
DS, see line 131, and "server-cert" for Admin server, see line 137).

Alberto

Ray wrote:

Hi Alberto,

thanks for the instructions. I have two more questions:

1) The labels DS_Server_cert_label and Admin_Server_cert_label are
complete

Re: [389-users] Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

2012-09-19 Thread Alberto Suárez

Hi Ray,

Yes, those are strings you choose to name the certificates. I should have 
written "CA_cert_label" instead of "AC_cert_label", sorry about that...


All those labels are chosen by you when generating each certificate. If 
you followed the setupssl2.sh script, it should be "CA certificate" for 
the CA (see line 114 in 
https://github.com/richm/scripts/blob/master/setupssl2.sh). If you 
generated with certutil yourself, it should be the string used after 
"-n". If you are generating new certs for DS and Admin server you could 
use the string you wish (in the script "Server-Cert" is used for DS, see 
line 131, and "server-cert" for Admin server, see line 137).


Alberto

Ray wrote:

Hi Alberto,

thanks for the instructions. I have two more questions:

1) The labels DS_Server_cert_label and Admin_Server_cert_label are
completely my choice, right?

2) How about the AC_cert_label though? Where does that come from?

Cheers,
Ray

Am 18.09.2012 11:56, schrieb Alberto Suárez:

If you have trouble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label" \
  -s "cn=myhost.myorg.example.com" -c "AC_cert_label" \
  -t "u,u,u" -m 1001 -v 120 -d . -k rsa \
  -f /etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n "DS_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label" \
  -s "cn=myhost.myorg.example.com,ou=389 Administration Server" \
  -c "AC_cert_label" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost \
  -k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 \
  -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 \
  -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

7. In "Manage certificates" window, replace the old DS cert by the new
one.

Hope this helps,

Alberto

Ray wrote:

Hi,

I am running a 389 box with TLS enabled. Now I would like to change the
hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?

Cheers,
Ray



Re: [389-users] Want to change the hostname of my 389-box. Is there an easy way to fix the cert?

2012-09-18 Thread Alberto Suárez

If you have trouble with the script, try this:

1. Produce the new DS server certificate:

certutil -S -n "DS_Server_cert_label" \
  -s "cn=myhost.myorg.example.com" -c "AC_cert_label" \
  -t "u,u,u" -m 1001 -v 120 -d . -k rsa \
  -f /etc/dirsrv/slapd-myhost/pwdfile.txt

2. Export it to p12 format:

pk12util -d . -o directoryserver.p12 -n "DS_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

3. Produce the new Admin server certificate:

certutil -S -n "Admin_Server_cert_label" \
  -s "cn=myhost.myorg.example.com,ou=389 Administration Server" \
  -c "AC_cert_label" -t "u,u,u" -m 1002 -v 120 -d /etc/dirsrv/slapd-myhost \
  -k rsa -f /etc/dirsrv/slapd-myhost/pwdfile.txt

4. Export it to p12 format:

pk12util -d . -o adminserver.p12 -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

5. Import into Admin server database:

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 \
  -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt

6. Now import DS cert into Admin server's database

pk12util -d . -i /etc/dirsrv/admin-serv/adminserver.p12 \
  -n "Admin_Server_cert_label" \
  -w /etc/dirsrv/slapd-myhost/pwdfile.txt \
  -k /etc/dirsrv/slapd-myhost/pwdfile.txt


7. In "Manage certificates" window, replace the old DS cert by the new one.

Hope this helps,

Alberto

Ray wrote:

Hi,

I am running a 389 box with TLS enabled. Now I would like to change the
hostname, which would render the current certificate invalid. Is there
an easy way to create a new certificate with the new hostname?

Cheers,
Ray
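
Added example, not part of the thread: a shell check, using the openssl command-line tool rather than the NSS tools from the messages above, that tells whether a certificate is valid for a given host name and therefore whether a host rename requires reissuing it. The host name old-ldap.example.com, the throwaway self-signed certificate and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a certificate survives a host name change.
# A PEM copy of a certificate held in an NSS database can be written with
#   certutil -L -d /etc/dirsrv/slapd-myhost -n "DS_Server_cert_label" -a

# Succeeds if the PEM certificate in $1 is valid for host name $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeeds if the certificate in $1 is still within its validity $2 days from now.
cert_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print "keep" if the certificate in $1 covers host name $2, else "reissue".
rename_check() {
    if cert_matches_host "$1" "$2"; then
        echo "keep"
    else
        echo "reissue"
    fi
}

# Sample input only: a 30-day self-signed certificate for host name $1,
# written to $2/cert.pem (key in $2/key.pem).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$2/key.pem" -out "$2/cert.pem" >/dev/null 2>&1
}

# Demonstration: a certificate issued for the old name, checked against both names.
demo_dir=$(mktemp -d)
make_sample_cert old-ldap.example.com "$demo_dir" || true
echo "old name: $(rename_check "$demo_dir/cert.pem" old-ldap.example.com)"
echo "new name: $(rename_check "$demo_dir/cert.pem" myhost.myorg.example.com)"
rm -rf "$demo_dir"
```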



[389-users] Questions on 389 configuration

2012-07-12 Thread Alberto Suárez

Hi,

I have finished configuring 389 on Centos 6.2 and it seems to work ok 
now. Not a conceptually difficult exercise, but a very complex exercise 
in practice, due to the many details that have to be borne in mind which 
either are not well documented (IMHO) or scattered in several docs, plus 
the tricky changes introduced by Centos 6.2.


My intention is to prepare a doc in Spanish explaining how to set the 
thing up from the beginning and make it available to anyone who needs it.


However I still have some doubts after having gone through the 
installation and configuration of the product:


1. Autobind and LDAPI. From my understanding, Centos 6.2 wants you to 
use SSL, but on the other hand there is LDAPI which is meant to be 
faster and more secure. In my case, the client and LDAP will be sitting 
on the same machine, so I do not see the point in using SSL as opposed 
to ldapi. How do you configure 389 to use ldapi and not SSL? I enabled 
LDAPI and configured Autobind following the instructions given in RHDS 
9.0 documentation, but I do not see how it is (if it is) used.


2. Is there some doc that explains the various directives found in 
/etc/pam_ldap.conf and /etc/nslcd.conf files? I have configured some in 
order to get it to work, but I do not understand well its purpose. The 
man page does not cover every directive and it is not quite explanatory, 
anyway.


Thank you.

Alberto

Re: [389-users] 389-ds + CentOS 6.2 + TLS (self-signed, setupssl2.sh-script) + 389-console : complete FAIL. Would appreciate help.

2012-07-09 Thread Alberto Suárez

Hi Ray,

I am trying to achieve exactly the same as you and I ended in a dead 
street too. For some reason the configuration of ssl with the script 
does not work as expected on Centos 6.2. I am trying again, this time 
avoiding that script. Unfortunately, there is not much documentation on 
setting up 389 on Centos 6.2 (or at least I have not found it!) and it 
is the small details that mess everything up. If you want, get in touch 
with me so we could exchange experiences and suggestions.


Cheers,

Alberto

Ray wrote:

Hi there,

thanks for the suggestions for a cleaner removal of previous
installations. I tried this at once, but unfortunately, it did not help.

After running the setupssl2.sh script, the server behaves exactly the
same… :(

Is there anything else I should try?

Cheers,
Raimund



Am 07.07.2012 17:52, schrieb Rich Megginson:

On 07/07/2012 04:15 AM, Ray wrote:

Hi there,

here's what I would like to do:

Run the 389 directory server on CentOS 6.2 (x86_64). As you guys
know, TLS is a must in RHEL 6+ and I do not want to turn it off,
switching in sysconfig to RHEL 5 "legacy mode". Instead I would like
to use the setupssl2.sh script from the 389-site to set up TLS. This
fails completely:


I start out switching off & deleting everything:


--


root@ldap:~# service dirsrv stop
Shutting down dirsrv:
bb_auth... [ OK ]
root@ldap:~# service dirsrv-admin stop
Shutting down dirsrv-admin:
[ OK ]

remove-ds-admin.pl -y


root@ldap:~# yum remove 389-ds*


yum remove 389*

yum remove 389-ds* won't remove 389-console, 389-admin, etc.



root@ldap:~# rm -rf /etc/sysconfig/dirsrv* /etc/dirsrv
/var/lib/dirsrv /root/.389-console

--



Now everything 389-related should be wiped from the box. Please
correct me if I'm wrong.

Next, I switch off iptables and disable selinux:


--


root@ldap:~# service iptables stop
root@ldap:~# setenforce 0

--





Now I start from scratch:

/etc/hosts:

--


root@ldap:~# cat /etc/hosts
127.0.0.1 ldap.baar.intra.bbcomputing.org localhost
localhost.localdomain localhost4 localhost4.localdomain4
::1 ldap.baar.intra.bbcomputing.org localhost localhost.localdomain
localhost6 localhost6.localdomain6

192.168.10.37 ldap.baar.intra.bbcomputing.org

--





Installation:

--


root@ldap:~# yum install 389-ds
...
Running Transaction
Installing : 389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64 1/9
Installing : 389-ds-base-1.2.9.14-1.el6_2.2.x86_64 2/9
Installing : 389-admin-1.1.29-1.el6.x86_64 3/9
Installing : 389-admin-console-1.1.8-1.el6.noarch 4/9
Installing : 389-ds-console-1.2.6-1.el6.noarch 5/9
Installing : 389-ds-console-doc-1.2.6-1.el6.noarch 6/9
Installing : 389-admin-console-doc-1.1.8-1.el6.noarch 7/9
Installing : 389-dsgw-1.1.9-1.el6.x86_64 8/9
Installing : 389-ds-1.2.2-1.el6.noarch 9/9

Installed:
389-ds.noarch 0:1.2.2-1.el6
...

--



Looks ok to me. (Again: Please correct me if I'm wrong)


Setup:

--


root@ldap:~# setup-ds-admin.pl

My answers here:
Would you like to continue with set up? [yes]: y
Would you like to continue? [yes]: y
Choose a setup type [2]: 2
Computer name [ldap.baar.intra.bbcomputing.org]:
ldap.baar.intra.bbcomputing.org
System User [nobody]: nobody
System Group [nobody]: nobody
Do you want to register this software with an existing
configuration directory server? [no]: n
administrator ID [admin]: admin
Password: 
Password (confirm): 
Administration Domain [baar.intra.bbcomputing.org]:
intra.bbcomputing.org
Directory server network port [389]: 389
Directory server identifier [ldap]: bb_auth
Suffix [dc=baar, dc=intra, dc=bbcomputing, dc=org]:
dc=bbcomputing,dc=org
Directory Manager DN [cn=Directory Manager]: cn=Directory Manager
Password: 
Password (confirm): 
Administration port [9830]: 9830
Are you ready to set up your servers? [yes]: y

--



Here's the following output:


--


Creating directory server . . .
Your new DS instance 'bb_auth' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration direc

Re: [389-users] 389 and Samba integration on Centos 6

2012-05-04 Thread Alberto Suárez

Hello Paul,

Thank you for your answer. My intention is to use Samba 3 as, as far as 
I am aware, use of Samba 4 in production environments is discouraged at 
this point. Regarding FreeIpa, yes, I am inclined to add it to my setup, 
but further on, not in the short term. My objective now is to have a 
server with 389 and Samba 3 up and running the soonest. My problems come 
from the use of Centos 6, instead of Centos 5, as there are some 
differences that affect the set up procedure which are not well 
documented and I see there is not much experience yet on the Web. And, 
of course, my lack of previous experience with 389...


Kind regards,

Alberto Suarez.

Paul Robert Marino wrote:

For clarity are you planing to use samba 3 or 4?
There is a huge difference between the two, mainly that samba 4 has its own
kerberos 5 server (it's an embedded fork of Heimdal).
This muddies the water a bit when talking about samba 4 because while
on pure technical merits I think Heimdal Kerberos 5 is superior
implementation when compared to MIT Kerberos 5, RedHat and Most other
Distributions have standardized on MIT Kerberos 5. Note you can get
MIT Kerberos to work with Samba 4 but it breaks some of the
compatibility with samba and the windows Kerberos Client.

As a result the answer is very different depending on which one you
plan to use and if you plan to use FreeIPA or not.


2012/5/3 Alberto Suárez:

Hello:

I think I have succeeded in setting up 389ds on Centos 6.2. Now I would like
to integrate samba with 389. Is there any documentation available that
explains how to do it?

Thank you!

Alberto Suárez.

Re: [389-users] Documentation to set up 389DS on Centos 6.2

2012-04-25 Thread Alberto Suárez

Thanks, Andrey. I will take a look at it.

Regards,

Alberto.

Andrey Ivanov wrote:

Hi Alberto,

On 24 April 2012 at 16:15, Alberto Suárez <asua...@gobiernodecanarias.org> wrote:

 httpd.worker: Syntax error on line 735 of
 /etc/dirsrv/admin-serv/httpd.conf: Could not open configuartion file
 /etc/dirsrv/admin-serv/nss.conf: Permission denied

 I have played with that file's permissions, even setting them as 777, but
 nothing changes. It is currently owned by user "fedora-ds" group "fedora-ds"
 and permissions are set to 400.

It may be SELinux-related



Re: [389-users] Documentation to set up 389DS on Centos 6.2

2012-04-25 Thread Alberto Suárez

Hi Russell,

Thank you for your scripts.

I did not configure SSL for any particular bit of the software, I just 
followed the instructions given in the document "Configuring SSL Enabled 
Fedora Directory Server" found in fedora project's website. At a point 
it links to your script. I was wondering if the problem might come from 
likely differences between Centos 5 and Centos 5.


Thank you for your hint. I will look into it.

Alberto.

Russell Beall wrote:

Sure.  Unfortunately you've gone beyond my limited experience with issues with 
the admin-server.  I haven't configured SSL for the admin server, though I did 
get SSL working for the directory server.

I'll have to leave the rest of this to someone more experienced.

However, I have debugged issues like this, and one simple thing to make sure of 
is that the whole directory tree is accessible to the user that runs the 
process.  Is the process owner of the admin server fedora-ds and does that user 
have read access to the whole tree?  If you become that user can you see the 
files?

Regards,
Russ.

On Apr 24, 2012, at 10:15 AM, Alberto Suárez wrote:


Thank you for your prompt reply. I am running Centos 6.2 64 bits. To be honest, 
I am a bit lost with so many things to take into account...

Right now I am a bit stuck at configuring TLS. I executed the script "setupssl2.sh" 
kindly provided by Rich Megginson and now I can no longer start the administration server. 
When I execute "service server-admin" I get the following error message:

httpd.worker: Syntax error on line 735 of /etc/dirsrv/admin-serv/httpd.conf: 
Could not open configuartion file /etc/dirsrv/admin-serv/nss.conf: Permission 
denied

I have played with that file's permissions, even setting them as 777, but nothing changes. It is 
currently owned by user "fedora-ds" group "fedora-ds" and permissions are set 
to 400.

Thank you again.

Regards,
Alberto.

Russell Beall wrote:

I had very few OS-related issues setting up on CentOS 6.2.  I set a node up in 
this OS alongside a node in RedHat 6.2 and the settings for the directoryserver 
are identical.  I was pleased at the very large quantity of documentation at 
the redhat site which describes every aspect of the product in very complete 
detail.

The documentation at RedHat never seemed very OS-specific to me, and the only differences 
I generally saw were where the documentation had differing instructions based on the 
older "fedora" version of the directory server.

What system differences did you encounter?

Is your issue related to being on a 32-bit system instead of a 64-bit system?

Regards,
Russ.

On Apr 24, 2012, at 8:26 AM, Alberto Suárez wrote:


Hello:

I am struggling to set up 389DS on Centos 6.2. I can hardly find any 
information on how to do it, as everything is written for Centos 5. Due to the 
changes introduced in Centos 6 and the lack of information, I am finding it a 
nightmare, every step I make I run into new issues. Any help?

Re: [389-users] Documentation to set up 389DS on Centos 6.2

2012-04-24 Thread Alberto Suárez
Thank you for your prompt reply. I am running Centos 6.2 64 bits. To be 
honest, I am a bit lost with so many things to take into account...


Right now I am a bit stuck at configuring TLS. I executed the script 
"setupssl2.sh" kindly provided by Rich Megginson and now I can no longer 
start the administration server. When I execute "service server-admin" I 
get the following error message:


httpd.worker: Syntax error on line 735 of 
/etc/dirsrv/admin-serv/httpd.conf: Could not open configuartion file 
/etc/dirsrv/admin-serv/nss.conf: Permission denied


I have played with that file's permissions, even setting them as 777, 
but nothing changes. It is currently owned by user "fedora-ds" group 
"fedora-ds" and permissions are set to 400.


Thank you again.

Regards,
Alberto.

Russell Beall wrote:

I had very few OS-related issues setting up on CentOS 6.2.  I set a node up in 
this OS alongside a node in RedHat 6.2 and the settings for the directoryserver 
are identical.  I was pleased at the very large quantity of documentation at 
the redhat site which describes every aspect of the product in very complete 
detail.

The documentation at RedHat never seemed very OS-specific to me, and the only differences 
I generally saw were where the documentation had differing instructions based on the 
older "fedora" version of the directory server.

What system differences did you encounter?

Is your issue related to being on a 32-bit system instead of a 64-bit system?

Regards,
Russ.

On Apr 24, 2012, at 8:26 AM, Alberto Suárez wrote:


Hello:

I am struggling to set up 389DS on Centos 6.2. I can hardly find any 
information on how to do it, as everything is written for Centos 5. Due to the 
changes introduced in Centos 6 and the lack of information, I am finding it a 
nightmare, every step I make I run into new issues. Any help?

[389-users] Documentation to set up 389DS on Centos 6.2

2012-04-24 Thread Alberto Suárez

Hello:

I am struggling to set up 389DS on Centos 6.2. I can hardly find any 
information on how to do it, as everything is written for Centos 5. Due 
to the changes introduced in Centos 6 and the lack of information, I am 
finding it a nightmare, every step I make I run into new issues. Any help?
