Re: [389-users] Manual & help step by step

2013-07-22 Thread husam.shabeeb
Dear Dan,

Thanks for this help.

I already tried this.

What I want to do is create 2 groups

and make an admin for each group who can make changes to his own group only.

So what I did:

1 - I created a group and named it husam, gid 1000

2 - I created a user under this group: 1212, uid 1212, gid 1000

I added this user to the group husam

Right-clicked on the group and set access permission - New

On the Users tab, removed everyone

Searched for the group and chose the group name that I made

On the Target tab, I chose this entry

Opened a new console from the terminal,

logged in with the user name and password that I created,

but I can't find husam under the main group,

so when trying to delete I can't delete any user,

and I also can't create any user.

My target directory entry:

uid=1212,ou=groups,dc=thiqar,dc=egov,dc=iq
From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Monday, July 22, 2013 7:46 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

 

Please review this document

http://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Access_Control-Creating_ACIs_from_the_Console.html

Then ask any questions that you may have afterwards.

On Jul 20, 2013, at 3:50 AM, تدريبك - دورات -شبكات - حاسبات wrote:

we need your help in creating the ACLs not the structure we know how to
create the structure.

Can you send me photos for this process , or step by step commands .

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Friday, July 19, 2013 10:54 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

 

Just create the structure and follow the instructions in the following url,

http://directory.fedoraproject.org/wiki/Howto:AccessControl

and please read the admin guide for instructions on how to use the idm
console to setup your tree.

https://access.redhat.com/site/documentation/Red_Hat_Directory_Server/

On Jul 19, 2013, at 1:34 PM, تدريبك - دورات -شبكات - حاسبات <hus.shab...@gmail.com> wrote:

Dear Dan,

Many thanks for your help.

We want to use option number one as it is the most flexible and least headache.

Let's focus on it.

Can you give more information on that?

Best regards,

Husam

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Friday, July 19, 2013 11:18 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

 

I can think of two ways to do this but I will propose the way that I think
is best…. so it will not be one ACI, it will be several.

Please keep in mind that ACIs do get inherited and do not travel up the
directory structure, they only affect their child objects. So one ACI at the
top level of your root suffix o=X that permits users to change their own
attributes. For each OU you create, you will need to create an ACI for the
group of users who can administer the "domain".

So

O=X (ACI that permits any user to write to their own attributes)
|dc=domain (ACI that permits administrators to manage their users)
|---ou=people
|---ou=group
|---dc=domain1 (ACI that permits the administrators to manage their users)
etc etc

So the nice thing about this is you have one database, one replication
agreement, but without writing proper ACIs there is a chance that domain1 can
have visibility into domain.

You can do

O=domain (All ACIs can go here)
|ou=people
O=domain1
|ou=people

The only thing I don't like about this method is, for each domain you add
you will have to create a replication agreement, but you can have separate
memory allocations, pagesize per domain, so it depends on your implementation
and how it's going to be used.

I hope this helps.

Dan

This will be the easiest way to manage it and administer it, if you require
that each domain be an entirely separate directory with no visibility into
other domains, you will want to read up on multiple databases, but this will
make it an administrative hassle. For each database

On Jul 18, 2013, at 6:22 PM, تدريبك - دورات -شبكات - حاسبات <hus.shab...@gmail.com> wrote:

Dear Dan,

Please read this:

we need to run multi domain ldap where each domain will have an admin group
who can do everything and the user can change only passw

Re: [389-users] Manual & help step by step

2013-07-22 Thread Dan Lavu
Please review this document 

http://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Access_Control-Creating_ACIs_from_the_Console.html

Then ask any questions that you may have afterwards.

On Jul 20, 2013, at 3:50 AM, تدريبك - دورات -شبكات - حاسبات wrote:

> we need your help in creating the ACLs not the structure we know how to 
> create the structure.
> Can you send me photos for this process , or step by step commands .
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
> Sent: Friday, July 19, 2013 10:54 PM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Manual & help step by step
>  
> Just create the structure and follow the instructions in the following url, 
>  
> http://directory.fedoraproject.org/wiki/Howto:AccessControl
>  
> and please read the admin guide for instructions on how to use the idm 
> console to setup your tree.
> https://access.redhat.com/site/documentation/Red_Hat_Directory_Server/
>  
> On Jul 19, 2013, at 1:34 PM, تدريبك - دورات -شبكات - حاسبات wrote:
> 
> Dear Dan,
>  
> Many thanks for your help.
>  
> We want to use option number one as it is the most flexible and least headache.
> Let's focus on it.
> Can you give more information on that?
>  
> Best regards ,
> Husam
> 
> 
> 
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
> Sent: Friday, July 19, 2013 11:18 AM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Manual & help step by step
>  
> I can think of two ways to do this but I will propose the way that I think is 
> best…. so it will not be one ACI, it will be several. 
>  
> Please keep in mind that ACIs do get inherited and do not travel up the 
> directory structure, they only affect their child objects. So one ACI at the 
> top level of your root suffix o=X that permits users to change their own 
> attributes. For each OU you create, you will need to create an ACI for the 
> group of users who can administer the "domain". 
>  
> So
> O=X (ACI that permits any user to write to their own attributes)
> |dc=domain (ACI that permits administrators to manage their users)
> |---ou=people
> |---ou=group
> |---dc=domain1 (ACI that permits the administrators to manage their users)
> etc etc
>  
> So the nice thing about this is you have one database, one replication 
> agreement, but without writing proper ACIs there is a chance that domain1 can 
> have visibility into domain.
>  
> You can do 
> O=domain (All ACIs can go here)
> |ou=people
> O=domain1
> |ou=people
>  
> The only thing I don't like about this method is, for each domain you add you 
> will have to create a replication agreement, but you can have separate memory 
> allocations, pagesize per domain, so it depends on your implementation and how 
> it's going to be used. 
>  
> I hope this helps. 
>  
> Dan
>  
>  
> This will be the easiest way to manage it and administer it, if you require 
> that each domain be an entirely separate directory with no visibility into 
> other domains, you will want to read up on multiple databases, but this will 
> make it an administrative hassle. For each database
>  
> On Jul 18, 2013, at 6:22 PM, تدريبك - دورات -شبكات - حاسبات 
>  wrote:
> 
> 
> 
> Dear Dan ,
>  
> Please read this :
> we need to run multi domain ldap where each domain will have an admin group 
> who can do everything and the user can change only passwords. We need to know 
> how to write the ACL for such scenario. Each domain will be represented by 
> O=domain and then we will have ou=people and we will have admin group under 
> the groups. Each domain will have this structure.
>  
> Best regards ,
> Husam
>  
>  
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
> Sent: Thursday, July 18, 2013 3:31 AM
> To: 'General discussion list for the 389 Directory server project.'
> Subject: Re: [389-users] Manual & help step by step
>  
> There are plenty of step by step instructions to do what you are trying to do. 
> You can refer to the Red Hat documentation or the 389 documentation.
> http://directory.fedoraproject.org/wiki/Howto:SSL
>  
> Also it is normal for the CA certificate to show up in the server tab if you 
> generated the CA certificate on the LDAP server, any certific

Re: [389-users] Manual & help step by step

2013-07-20 Thread تدريبك - دورات -شبكات - حاسبات
we need your help in creating the ACLs not the structure we know how to
create the structure.

Can you send me photos for this process , or step by step commands .

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Friday, July 19, 2013 10:54 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

 

Just create the structure and follow the instructions in the following url,

http://directory.fedoraproject.org/wiki/Howto:AccessControl

and please read the admin guide for instructions on how to use the idm
console to setup your tree.

https://access.redhat.com/site/documentation/Red_Hat_Directory_Server/

On Jul 19, 2013, at 1:34 PM, تدريبك - دورات -شبكات - حاسبات wrote:

Dear Dan,

Many thanks for your help.

We want to use option number one as it is the most flexible and least headache.

Let's focus on it.

Can you give more information on that?

Best regards,

Husam


From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Friday, July 19, 2013 11:18 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

 

I can think of two ways to do this but I will propose the way that I think
is best…. so it will not be one ACI, it will be several.

Please keep in mind that ACIs do get inherited and do not travel up the
directory structure, they only affect their child objects. So one ACI at the
top level of your root suffix o=X that permits users to change their own
attributes. For each OU you create, you will need to create an ACI for the
group of users who can administer the "domain".

So

O=X (ACI that permits any user to write to their own attributes)
|dc=domain (ACI that permits administrators to manage their users)
|---ou=people
|---ou=group
|---dc=domain1 (ACI that permits the administrators to manage their users)
etc etc

So the nice thing about this is you have one database, one replication
agreement, but without writing proper ACIs there is a chance that domain1 can
have visibility into domain.

You can do

O=domain (All ACIs can go here)
|ou=people
O=domain1
|ou=people

The only thing I don't like about this method is, for each domain you add
you will have to create a replication agreement, but you can have separate
memory allocations, pagesize per domain, so it depends on your implementation
and how it's going to be used.

I hope this helps.

Dan

This will be the easiest way to manage it and administer it, if you require
that each domain be an entirely separate directory with no visibility into
other domains, you will want to read up on multiple databases, but this will
make it an administrative hassle. For each database

On Jul 18, 2013, at 6:22 PM, تدريبك - دورات -شبكات - حاسبات <hus.shab...@gmail.com> wrote:

Dear Dan,

Please read this:

we need to run multi domain ldap where each domain will have an admin group
who can do everything and the user can change only passwords. We need to
know how to write the ACL for such scenario. Each domain will be represented
by O=domain and then we will have ou=people and we will have admin group
under the groups. Each domain will have this structure.

 

Best regards ,

Husam

 

 

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Thursday, July 18, 2013 3:31 AM
To: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Manual & help step by step

There are plenty of step by step instructions to do what you are trying to
do. You can refer to the Red Hat documentation or the 389 documentation.

http://directory.fedoraproject.org/wiki/Howto:SSL


Also it is normal for the CA certificate to show up in the server tab if you
generated the CA certificate on the LDAP server, any certificate with the
private key in the database will appear as a server certificate. For example
when you export the CA and move it to a second server it will not show up in
the server tab then.

 

In addition, when generating a CSR using the GUI (idm console) you must
stick with it, because the CSR will create the key in the db. If you are
pursuing the command line using certutil, you must convert the x509
certificates (three files usually, private, public and ca into pk

Re: [389-users] Manual & help step by step

2013-07-19 Thread Dan Lavu
Just create the structure and follow the instructions in the following url, 

> http://directory.fedoraproject.org/wiki/Howto:AccessControl

and please read the admin guide for instructions on how to use the idm console 
to setup your tree.
https://access.redhat.com/site/documentation/Red_Hat_Directory_Server/

On Jul 19, 2013, at 1:34 PM, تدريبك - دورات -شبكات - حاسبات wrote:

> Dear Dan,
>  
> Many thanks for your help.
>  
> We want to use option number one as it is the most flexible and least headache.
> Let's focus on it.
> Can you give more information on that?
>  
> Best regards ,
> Husam
> 
> 
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
> Sent: Friday, July 19, 2013 11:18 AM
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Manual & help step by step
>  
> I can think of two ways to do this but I will propose the way that I think is 
> best…. so it will not be one ACI, it will be several. 
>  
> Please keep in mind that ACIs do get inherited and do not travel up the 
> directory structure, they only affect their child objects. So one ACI at the 
> top level of your root suffix o=X that permits users to change their own 
> attributes. For each OU you create, you will need to create an ACI for the 
> group of users who can administer the "domain". 
>  
> So
> O=X (ACI that permits any user to write to their own attributes)
> |dc=domain (ACI that permits administrators to manage their users)
> |---ou=people
> |---ou=group
> |---dc=domain1 (ACI that permits the administrators to manage their users)
> etc etc
>  
> So the nice thing about this is you have one database, one replication 
> agreement, but without writing proper ACIs there is a chance that domain1 can 
> have visibility into domain.
>  
> You can do 
> O=domain (All ACIs can go here)
> |ou=people
> O=domain1
> |ou=people
>  
> The only thing I don't like about this method is, for each domain you add you 
> will have to create a replication agreement, but you can have separate memory 
> allocations, pagesize per domain, so it depends on your implementation and how 
> it's going to be used. 
>  
> I hope this helps. 
>  
> Dan
>  
>  
> This will be the easiest way to manage it and administer it, if you require 
> that each domain be an entirely separate directory with no visibility into 
> other domains, you will want to read up on multiple databases, but this will 
> make it an administrative hassle. For each database
>  
> On Jul 18, 2013, at 6:22 PM, تدريبك - دورات -شبكات - حاسبات 
>  wrote:
> 
> 
> Dear Dan ,
>  
> Please read this :
> we need to run multi domain ldap where each domain will have an admin group 
> who can do everything and the user can change only passwords. We need to know 
> how to write the ACL for such scenario. Each domain will be represented by 
> O=domain and then we will have ou=people and we will have admin group under 
> the groups. Each domain will have this structure.
>  
> Best regards ,
> Husam
>  
>  
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
> Sent: Thursday, July 18, 2013 3:31 AM
> To: 'General discussion list for the 389 Directory server project.'
> Subject: Re: [389-users] Manual & help step by step
>  
> There are plenty of step by step instructions to do what you are trying to do. 
> You can refer to the Red Hat documentation or the 389 documentation.
> http://directory.fedoraproject.org/wiki/Howto:SSL
>  
> Also it is normal for the CA certificate to show up in the server tab if you 
> generated the CA certificate on the LDAP server, any certificate with the 
> private key in the database will appear as a server certificate. For example 
> when you export the CA and move it to a second server it will not show up in 
> the server tab then.
>  
> In addition, when generating a CSR using the GUI (idm console) you must stick 
> with it, because the CSR will create the key in the db. If you are pursuing 
> the command line using certutil, you must convert the x509 certificates 
> (three files usually, private, public and ca) into pkcs12 format.
>  
> Here is a link to understand and configure ACIs.
> http://directory.fedoraproject.org/wiki/Howto:AccessControl
>  
> I hope this helps.
>  
> Dan
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of ?

Re: [389-users] Manual & help step by step

2013-07-19 Thread Alberto Suárez

Hello Husam,

Unfortunately I have not played with ACLs in 389 enough to help you in 
that part.


Good luck.

Alberto

تدريبك - دورات -شبكات - حاسبات wrote:

Dear Alberto ,

Please read this :
we need to run multi domain ldap where each domain will have an admin group who 
can do everything and the user can change only passwords. We need to know how 
to write the ACL for such scenario. Each domain will be represented by O=domain 
and then we will have ou=people and we will have admin group under the groups. 
Each domain will have this structure.

Best regards ,
Husam

-Original Message-
From: 389-users-boun...@lists.fedoraproject.org 
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Alberto Suárez
Sent: Thursday, July 18, 2013 6:17 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

Hello, please find attached my notes. Please, bear in mind that these are the 
steps I followed to install 389 in Centos 6.3. I have tried to document a 
procedure that works, but I can not guarantee the instructions provided will 
work in your particular setup.

Please, do not hesitate to get back to me if you get lost with my document. I 
will try to help as much as I can.

Good luck.

تدريبك - دورات -شبكات - حاسبات wrote:

Dear friends,

Can anyone help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way was with p12: when
uploading the certificates, both appear in the server tab, even the CA.

The other way was with openssl: in this case I can't upload the certificate
on the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

For example, I want to have many admins, each one able to control his group,
with no access to the other groups.

Many thanks in advance.



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users



Re: [389-users] Manual & help step by step

2013-07-19 Thread Dan Lavu
I can think of two ways to do this but I will propose the way that I think is 
best…. so it will not be one ACI, it will be several. 

Please keep in mind that ACIs do get inherited and do not travel up the 
directory structure, they only affect their child objects. So one ACI at the 
top level of your root suffix o=X that permits users to change their own 
attributes. For each OU you create, you will need to create an ACI for the 
group of users who can administer the "domain". 

So
O=X (ACI that permits any user to write to their own attributes)
|dc=domain (ACI that permits administrators to manage their users)
|---ou=people
|---ou=group
|---dc=domain1 (ACI that permits the administrators to manage their users) 
etc etc

So the nice thing about this is you have one database, one replication 
agreement, but without writing proper ACIs there is a chance that domain1 can 
have visibility into domain.

You can do 
O=domain (All ACIs can go here)
|ou=people
O=domain1
|ou=people

The only thing I don't like about this method is, for each domain you add you 
will have to create a replication agreement, but you can have separate memory 
allocations, pagesize per domain, so it depends on your implementation and how 
it's going to be used. 

I hope this helps. 

Dan


This will be the easiest way to manage it and administer it, if you require 
that each domain be an entirely separate directory with no visibility into 
other domains, you will want to read up on multiple databases, but this will 
make it an administrative hassle. For each database

On Jul 18, 2013, at 6:22 PM, تدريبك - دورات -شبكات - حاسبات wrote:

> Dear Dan ,
>  
> Please read this :
> we need to run multi domain ldap where each domain will have an admin group 
> who can do everything and the user can change only passwords. We need to know 
> how to write the ACL for such scenario. Each domain will be represented by 
> O=domain and then we will have ou=people and we will have admin group under 
> the groups. Each domain will have this structure.
>  
> Best regards ,
> Husam
>  
>  
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
> Sent: Thursday, July 18, 2013 3:31 AM
> To: 'General discussion list for the 389 Directory server project.'
> Subject: Re: [389-users] Manual & help step by step
>  
> There are plenty of step by step instructions to do what you are trying to do. 
> You can refer to the Red Hat documentation or the 389 documentation.
> http://directory.fedoraproject.org/wiki/Howto:SSL
>  
> Also it is normal for the CA certificate to show up in the server tab if you 
> generated the CA certificate on the LDAP server, any certificate with the 
> private key in the database will appear as a server certificate. For example 
> when you export the CA and move it to a second server it will not show up in 
> the server tab then.
>  
> In addition, when generating a CSR using the GUI (idm console) you must stick 
> with it, because the CSR will create the key in the db. If you are pursuing 
> the command line using certutil, you must convert the x509 certificates 
> (three files usually, private, public and ca) into pkcs12 format.
>  
> Here is a link to understand and configure ACIs.
> http://directory.fedoraproject.org/wiki/Howto:AccessControl
>  
> I hope this helps.
>  
> Dan
>  
> From: 389-users-boun...@lists.fedoraproject.org 
> [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of تدريبك - دورات -شبكات - حاسبات
> Sent: Wednesday, July 17, 2013 7:38 PM
> To: 389-users@lists.fedoraproject.org
> Subject: [389-users] Manual & help step by step
>  
> Dear friends,
>  
> Can anyone help me?
> I have installed the directory on CentOS.
> I want to make certs and install them on the server.
> I have tried many ways but none are working. One way was with p12: when 
> uploading the certificates, both appear in the server tab, even the CA.
> The other way was with openssl: in this case I can't upload the certificate on 
> the server tab; it only appears on the CA tab.
>  
> Also I want some help setting ACLs.
> For example, I want to have many admins, each one able to control his group, 
> with no access to the other groups.
>  
> Many thanks in advance.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
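
The first layout described in the message above (one suffix, a self-service ACI at the top, one admin ACI per domain), written out as LDIF for `ldapmodify`. This is an added example, not from the thread or the 389 project; placing `dc=domain` and `dc=domain1` as siblings under `o=X`, the group DN `cn=admins,ou=group,...` and the ACI names are assumptions.

```ldif
# Added example. DNs and ACI names are assumptions based on the tree in the
# message above; adjust them to the real suffix before applying with
# ldapmodify while bound as a directory administrator.

# 1. Root suffix: any bound user may write only their own userPassword.
#    Held at o=X, this ACI is inherited by every entry below it, so it is
#    written once and covers the users of all domains.
dn: o=X
changetype: modify
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "Self password change"; allow (write) userdn = "ldap:///self";)

# 2. First domain: members of that domain's admin group get full rights.
#    With no explicit target, the ACI covers the entry that holds it
#    (dc=domain,o=X) and its subtree. ACIs do not travel up or sideways,
#    so this grants nothing in dc=domain1,o=X.
dn: dc=domain,o=X
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Admins manage dc=domain"; allow (all) groupdn = "ldap:///cn=admins,ou=group,dc=domain,o=X";)

# 3. Second domain: the same ACI, held by and naming only dc=domain1.
dn: dc=domain1,o=X
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Admins manage dc=domain1"; allow (all) groupdn = "ldap:///cn=admins,ou=group,dc=domain1,o=X";)

# Any broad read or search ACI held at o=X is inherited by both domains in
# the same way as ACI 1, which is how one domain can end up with visibility
# into the other; grant read access per domain if they must not see each other.
```

Because an ACI applies to the entry that holds it and everything beneath it, the admin ACI belongs on the domain container rather than on an individual user or group entry.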

Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Dan ,

 

Please read this :

we need to run multi domain ldap where each domain will have an admin group
who can do everything and the user can change only passwords. We need to
know how to write the ACL for such scenario. Each domain will be represented
by O=domain and then we will have ou=people and we will have admin group
under the groups. Each domain will have this structure.

 

Best regards ,

Husam 

 

 

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Thursday, July 18, 2013 3:31 AM
To: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Manual & help step by step

 

There are plenty of step by step instructions to do what you are trying to
do. You can refer to the Red Hat documentation or the 389 documentation.

http://directory.fedoraproject.org/wiki/Howto:SSL

Also it is normal for the CA certificate to show up in the server tab if you
generated the CA certificate on the LDAP server, any certificate with the
private key in the database will appear as a server certificate. For example
when you export the CA and move it to a second server it will not show up in
the server tab then.

In addition, when generating a CSR using the GUI (idm console) you must
stick with it, because the CSR will create the key in the db. If you are
pursuing the command line using certutil, you must convert the x509
certificates (three files usually, private, public and ca) into pkcs12
format.

 

Here is a link to understand and configure ACIs. 

http://directory.fedoraproject.org/wiki/Howto:AccessControl

 

I hope this helps.

 

Dan

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of تدريبك - دورات -شبكات - حاسبات
Sent: Wednesday, July 17, 2013 7:38 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Manual & help step by step

Dear friends,

Can anyone help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way was with p12: when
uploading the certificates, both appear in the server tab, even the CA.

The other way was with openssl: in this case I can't upload the certificate
on the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

For example, I want to have many admins, each one able to control his group,
with no access to the other groups.

Many thanks in advance.

Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Alberto ,

Please read this :
we need to run multi domain ldap where each domain will have an admin group who 
can do everything and the user can change only passwords. We need to know how 
to write the ACL for such scenario. Each domain will be represented by O=domain 
and then we will have ou=people and we will have admin group under the groups. 
Each domain will have this structure.

Best regards ,
Husam 

-Original Message-
From: 389-users-boun...@lists.fedoraproject.org 
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Alberto Suárez
Sent: Thursday, July 18, 2013 6:17 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

Hello, please find attached my notes. Please, bear in mind that these are the 
steps I followed to install 389 in Centos 6.3. I have tried to document a 
procedure that works, but I can not guarantee the instructions provided will 
work in your particular setup.

Please, do not hesitate to get back to me if you get lost with my document. I 
will try to help as much as I can.

Good luck.

تدريبك - دورات -شبكات - حاسبات wrote:
> Dear friends,
>
> Can anyone help me?
>
> I have installed the directory on CentOS.
>
> I want to make certs and install them on the server.
>
> I have tried many ways but none are working. One way was with p12: when 
> uploading the certificates, both appear in the server tab, even the CA.
>
> The other way was with openssl: in this case I can't upload the certificate 
> on the server tab; it only appears on the CA tab.
>
> Also I want some help setting ACLs.
>
> For example, I want to have many admins, each one able to control his group, 
> with no access to the other groups.
>
> Many thanks in advance.

Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Alberto ,

Many thanks ,

I will get back to you after I redo the work again and give you my feedback.

Best regards  ,
Husam .


-Original Message-
From: 389-users-boun...@lists.fedoraproject.org 
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Alberto Suárez
Sent: Thursday, July 18, 2013 6:17 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Manual & help step by step

Hello, please find attached my notes. Please, bear in mind that these are the 
steps I followed to install 389 in Centos 6.3. I have tried to document a 
procedure that works, but I can not guarantee the instructions provided will 
work in your particular setup.

Please, do not hesitate to get back to me if you get lost with my document. I 
will try to help as much as I can.

Good luck.

تدريبك - دورات -شبكات - حاسبات wrote:
> Dear friends,
>
> Can anyone help me?
>
> I have installed the directory on CentOS.
>
> I want to make certs and install them on the server.
>
> I have tried many ways but none are working. One way is with p12: when
> uploading the certificates, they both appear in the server tab, even the CA.
>
> The other way is with openssl: in this case I can't upload the certificate
> on the server tab; it only appears on the CA tab.
>
> Also I want some help setting ACLs.
>
> For example, I want to have many admins, where each one can control his own
> group with no access to the other groups.
>
> Many thanks in advance.


Re: [389-users] Manual & help step by step

2013-07-18 Thread تدريبك - دورات -شبكات - حاسبات
Dear Dan,

Many thanks,

I will get back to you after I redo the work and give you my feedback.

Best regards,

Husam.

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Dan Lavu
Sent: Thursday, July 18, 2013 3:31 AM
To: 'General discussion list for the 389 Directory server project.'
Subject: Re: [389-users] Manual & help step by step

 

There are plenty of step-by-step instructions to do what you are trying to
do. You can refer to the Red Hat documentation or the 389 documentation.

http://directory.fedoraproject.org/wiki/Howto:SSL

Also, it is normal for the CA certificate to show up in the server tab if you
generated the CA certificate on the LDAP server; any certificate with the
private key in the database will appear as a server certificate. For example,
when you export the CA and move it to a second server, it will not show up in
the server tab then.

In addition, when generating a CSR using the GUI (idm console) you must
stick with it, because the CSR will create the key in the db. If you are
pursuing the command line using certutil, you must convert the x509
certificates (three files usually: private, public and ca) into pkcs12
format.

Here is a link to understand and configure ACIs.

http://directory.fedoraproject.org/wiki/Howto:AccessControl

I hope this helps.

Dan

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of تدريبك - دورات -شبكات - حاسبات
Sent: Wednesday, July 17, 2013 7:38 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Manual & help step by step

Dear friends,

Can anyone help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way is with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way is with openssl: in this case I can't upload the certificate on
the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

For example, I want to have many admins, where each one can control his own
group with no access to the other groups.

Many thanks in advance.

Re: [389-users] Manual & help step by step

2013-07-18 Thread Dan Lavu
Alberto,

I did mistake you for the person asking for help, sorry for the confusion. 

Dan

On Jul 18, 2013, at 8:20 AM, Alberto Suárez wrote:

> Hi Dan,
> 
> I'm afraid there is a little misunderstanding here. I just offered my notes 
> to the person asking for assistance in setting up 389. It is not me who is 
> asking for help. I'm sorry if I caused any confusion with my answer to that 
> request.
> 
> Thank you anyway...
> 
> Alberto.
> 
> Dan Lavu wrote:
>> Alberto,
>> 
>> I do not have the time to walk you through something like this; it'd be
>> best if you stated the error message and the step you do not
>> understand.
>> 
>> You are not going to learn anything if I walk you through it, and it
>> will not benefit you if you do not learn the software assuming you are
>> the administrator.
>> 
>> Dan
>> 
>> 
>> On Thu, Jul 18, 2013 at 4:39 AM, Alberto Suárez
>> <asua...@gobiernodecanarias.org> wrote:
>> 
>> > Hello:
>> >
>> > I have a document with the steps I followed but it is in Spanish. If
>> > you can wait a few hours I will post it translated into English, ok?
>> >
>> > Kind regards,
>> >
>> > Alberto Suárez.
>> >
>> > تدريبك - دورات -شبكات - حاسبات wrote:
>> >
>> >> Dear friends,
>> >>
>> >> Can anyone help me?
>> >>
>> >> I have installed the directory on CentOS.
>> >>
>> >> I want to make certs and install them on the server.
>> >>
>> >> I have tried many ways but none are working. One way is with p12: when
>> >> uploading the certificates, they both appear in the server tab,
>> >> even the CA.
>> >>
>> >> The other way is with openssl: in this case I can't upload the
>> >> certificate on the server tab; it only appears on the CA tab.
>> >>
>> >> Also I want some help setting ACLs.
>> >>
>> >> For example, I want to have many admins, where each one can control
>> >> his own group with no access to the other groups.
>> >>
>> >> Many thanks in advance.

Re: [389-users] Manual & help step by step

2013-07-18 Thread Dan Lavu
Alberto,

I do not have the time to walk you through something like this; it'd be
best if you stated the error message and the step you do not
understand.

You are not going to learn anything if I walk you through it, and it will
not benefit you if you do not learn the software assuming you are the
administrator.

Dan


On Thu, Jul 18, 2013 at 4:39 AM, Alberto Suárez <
asua...@gobiernodecanarias.org> wrote:

> Hello:
>
> I have a document with the steps I followed but it is in Spanish. If you
> can wait a few hours I will post it translated into English, ok?
>
> Kind regards,
>
> Alberto Suárez.
>
>
> تدريبك - دورات -شبكات - حاسبات wrote:
>
>> Dear friends,
>>
>> Can anyone help me?
>>
>> I have installed the directory on CentOS.
>>
>> I want to make certs and install them on the server.
>>
>> I have tried many ways but none are working. One way is with p12: when
>> uploading the certificates, they both appear in the server tab, even the
>> CA.
>>
>> The other way is with openssl: in this case I can't upload the certificate
>> on the server tab; it only appears on the CA tab.
>>
>> Also I want some help setting ACLs.
>>
>> For example, I want to have many admins, where each one can control his
>> own group with no access to the other groups.
>>
>> Many thanks in advance.

Re: [389-users] Manual & help step by step

2013-07-18 Thread Alberto Suárez

Hello:

I have a document with the steps I followed but it is in Spanish. If you 
can wait a few hours I will post it translated into English, ok?


Kind regards,

Alberto Suárez.

تدريبك - دورات -شبكات - حاسبات wrote:

> Dear friends,
>
> Can anyone help me?
>
> I have installed the directory on CentOS.
>
> I want to make certs and install them on the server.
>
> I have tried many ways but none are working. One way is with p12: when
> uploading the certificates, they both appear in the server tab, even the CA.
>
> The other way is with openssl: in this case I can't upload the certificate
> on the server tab; it only appears on the CA tab.
>
> Also I want some help setting ACLs.
>
> For example, I want to have many admins, where each one can control his own
> group with no access to the other groups.
>
> Many thanks in advance.

Re: [389-users] Manual & help step by step

2013-07-17 Thread Dan Lavu
There are plenty of step-by-step instructions to do what you are trying to
do. You can refer to the Red Hat documentation or the 389 documentation.

http://directory.fedoraproject.org/wiki/Howto:SSL

Also, it is normal for the CA certificate to show up in the server tab if you
generated the CA certificate on the LDAP server; any certificate with the
private key in the database will appear as a server certificate. For example,
when you export the CA and move it to a second server, it will not show up in
the server tab then.

In addition, when generating a CSR using the GUI (idm console) you must
stick with it, because the CSR will create the key in the db. If you are
pursuing the command line using certutil, you must convert the x509
certificates (three files usually: private, public and ca) into pkcs12
format.

Here is a link to understand and configure ACIs.

http://directory.fedoraproject.org/wiki/Howto:AccessControl

I hope this helps.

Dan

 

From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of تدريبك - دورات -شبكات - حاسبات
Sent: Wednesday, July 17, 2013 7:38 PM
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Manual & help step by step

Dear friends,

Can anyone help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way is with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way is with openssl: in this case I can't upload the certificate on
the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

For example, I want to have many admins, where each one can control his own
group with no access to the other groups.

Many thanks in advance.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
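
The command-line route described in the message above (private key, certificate and CA converted to PKCS#12 for the NSS database), as an added example that is not part of the original thread. It builds a constructed test CA and server certificate with openssl, bundles them, and shows the pk12util import; all file names, the password and the database path are assumptions.

```shell
#!/bin/sh
# Added example. The PKI is constructed test data; file names, the password
# and the NSS database path are placeholders, not values from the thread.

# Throwaway CA plus a server certificate signed by it: the "three files".
make_sample_pki() {  # $1 = working directory
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt &&
      openssl req -newkey rsa:2048 -nodes \
          -subj "/CN=ldap.example.test" -keyout server.key -out server.csr &&
      openssl x509 -req -days 1 -in server.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -out server.crt ) >/dev/null 2>&1
}

# Bundle server key + server cert + CA cert into one PKCS#12 file.
# The CA's private key stays out of the bundle. The password goes via the
# environment so it does not show up in the process list.
make_p12() {  # $1 = directory, $2 = export password
    P12_PASS="$2" openssl pkcs12 -export -name "Server-Cert" \
        -inkey "$1/server.key" -in "$1/server.crt" -certfile "$1/ca.crt" \
        -passout env:P12_PASS -out "$1/server.p12"
}

# Inspect the bundle before importing it.
p12_cert_count() {  # $1 = directory, $2 = password
    P12_PASS="$2" openssl pkcs12 -in "$1/server.p12" -passin env:P12_PASS \
        -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
p12_key_count() {   # $1 = directory, $2 = password
    P12_PASS="$2" openssl pkcs12 -in "$1/server.p12" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY'
}

# Import into the instance's NSS database (requires nss-tools; prompts for
# the database and bundle passwords).
import_into_nss() {  # $1 = directory, $2 = NSS database directory
    pk12util -i "$1/server.p12" -d "$2" &&
    certutil -L -d "$2" &&   # every certificate, with its trust flags
    certutil -K -d "$2"      # only the entries that have a private key
}

work=$(mktemp -d)
make_sample_pki "$work" && make_p12 "$work" "constructed-pass" &&
    echo "certs=$(p12_cert_count "$work" constructed-pass)" \
         "keys=$(p12_key_count "$work" constructed-pass)"
# On the directory server (placeholder path):
#   import_into_nss "$work" /etc/dirsrv/slapd-INSTANCE
```

After the import, `certutil -K` should list a key only for Server-Cert, which is why only that entry counts as a server certificate. Trust flags for the CA entry can then be set with `certutil -M -t "CT,,"` using the nickname that `certutil -L` shows.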

[389-users] Manual & help step by step

2013-07-17 Thread تدريبك - دورات -شبكات - حاسبات
Dear friends,

Can anyone help me?

I have installed the directory on CentOS.

I want to make certs and install them on the server.

I have tried many ways but none are working. One way is with p12: when
uploading the certificates, they both appear in the server tab, even the CA.

The other way is with openssl: in this case I can't upload the certificate on
the server tab; it only appears on the CA tab.

Also I want some help setting ACLs.

For example, I want to have many admins, where each one can control his own
group with no access to the other groups.

Many thanks in advance.
