Re: [389-users] OpenLDAP as a slave of Fedora Directory Server?

2009-07-30 Thread George Holbert
Currently, OpenLDAP and 389 have totally different replication 
mechanisms, so you can't really replicate between the two.
You can of course export / import filtered LDIF in either direction, 
which, depending on the need, is occasionally good enough.


Anne Cross wrote:
I've been through the FDS/389 website, and the best I've come up with is 
this: http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration


Unfortunately, that gives me the sync in the wrong direction.  We have 
pre-existing OpenLDAP servers that belong to a different group.  We're 
supposed to be their ultimate source of data - once we get set up - but 
they won't change their servers from OpenLDAP because, as they say, they 
know how they work and why should they do more work.


I don't need data synced back from OpenLDAP, but syncrepl doesn't appear 
to do the right thing when pointed at an FDS directory server, so what's 
the secret, undocumented method?  Even a hint would help.  Google just 
keeps turning up pages where people have named their box Fedora and 
it's all openldap to openldap.


  




--
389 users mailing list
389-us...@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] shadowLastChange error and Active Directory synchronization

2009-04-27 Thread George Holbert

John A. Sullivan III wrote:

Hello, all.  I'm seeing a strange problem in our set up to synchronize
passwords between Directory Server 8.0 and Active Directory.  If I
change a user's password from idm-console, the password synchronizes.
If I change it from Active Directory, the password synchronizes.

However, if the user changes their own password (they use Ubuntu 8.0.4
KDE desktops), the passwords do not synchronize.  We do see an entry in
the error log:

Entry uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com -- attribute 
shadowLastChange not allowed
  


Do your account objects have the shadowAccount objectClass?


That seemed straightforward so I checked the ACIs and we do allow users
to change this attribute:

(targetattr != "nsroledn||aci")
(version 3.0;
acl "Allow self entry modification except for nsroledn and aci attributes";
allow (read,compare,search,write)
(userdn = "ldap:///self");)

Any idea why we are receiving these errors? Would this cause password
synchronization to fail? Thanks - John
  




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] shadowLastChange error and Active Directory synchronization

2009-04-27 Thread George Holbert

John A. Sullivan III wrote:

On Mon, 2009-04-27 at 14:15 -0700, George Holbert wrote:
  

John A. Sullivan III wrote:


Hello, all.  I'm seeing a strange problem in our set up to synchronize
passwords between Directory Server 8.0 and Active Directory.  If I
change a user's password from idm-console, the password synchronizes.
If I change it from Active Directory, the password synchronizes.

However, if the user changes their own password (they use Ubuntu 8.0.4
KDE desktops), the passwords do not synchronize.  We do see an entry in
the error log:

Entry uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com -- attribute 
shadowLastChange not allowed
  
  

Do your account objects have the shadowAccount objectClass?


Argh!! Embarrassment, embarrassment.  I had checked several and they
did... except for the one I was testing with! Would that torpedo
Windows synchronization? Thanks - John
  


I think it would just torpedo these password changes being accepted by FDS.
If you don't need or use the shadow attributes, then you might look into 
seeing if your Ubuntu workstations can be configured to not try 
modifying them as part of password changes... and perhaps also ditching 
the shadowAccount objectClass altogether on your accounts.
My hunch is if you accept password changes from both Windows and Ubuntu, 
you're not really using shadow attributes (not intentionally, at least).




That seemed straightforward so I checked the ACIs and we do allow users
to change this attribute:

(targetattr != "nsroledn||aci")
(version 3.0;
acl "Allow self entry modification except for nsroledn and aci attributes";
allow (read,compare,search,write)
(userdn = "ldap:///self");)

Any idea why we are receiving these errors? Would this cause password
synchronization to fail? Thanks - John
  
  







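The error John quotes, "attribute shadowLastChange not allowed", is the server's schema (objectClass) check refusing the modify, and that check is independent of the ACI he verified: an ACI decides who may write an attribute, but an attribute that no objectClass on the entry permits is refused regardless of what the ACIs grant. The following added example (not code from this thread and not the 389/FDS implementation) models the two checks as separate functions, using a constructed subset of the RFC 2307 schema and a reduced form of the ACI John pasted; the function names, the sample entry, the result names and the order in which the checks run are this example's own assumptions.

```python
"""Model of the two independent checks a directory server applies to a
MODIFY such as a password change: the schema check (does some objectClass on
the entry allow the attribute at all?) and the ACI check (may the bound
identity write it?). Constructed illustration; simplified, not 389/FDS code."""


class LdapError(Exception):
    """Carries an LDAP result name so a caller can tell the failures apart."""

    def __init__(self, result, message):
        super().__init__(f"{result}: {message}")
        self.result = result


# Constructed subset of the RFC 2307 schema: objectClass -> attributes it
# permits (MUST and MAY merged). Real schemas are much larger.
SCHEMA = {
    "top": {"objectclass"},
    "person": {"cn", "sn", "userpassword", "description"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "userpassword", "loginshell", "gecos", "description"},
    "shadowaccount": {"uid", "userpassword", "shadowlastchange", "shadowmin",
                      "shadowmax", "shadowwarning", "shadowinactive",
                      "shadowexpire", "shadowflag", "description"},
}

# The ACI quoted in the thread, reduced to the parts this model evaluates.
SELF_WRITE_ACI = {
    "targetattr_not": "nsroledn||aci",      # (targetattr != "nsroledn||aci")
    "rights": {"read", "compare", "search", "write"},
    "userdn": "ldap:///self",
}


def schema_check(entry, mods):
    """Every modified attribute must be allowed by at least one objectClass."""
    allowed = set()
    for oc in entry["objectclass"]:
        allowed |= SCHEMA.get(oc.lower(), set())
    for attr in mods:
        if attr.lower() not in allowed:
            raise LdapError("objectClassViolation",
                            f"Entry {entry['dn']} -- attribute {attr} not allowed")


def aci_check(entry, mods, bind_dn, aci):
    """Self-write ACI: the bind DN must be the entry itself, write must be
    granted, and the attribute must not be on the targetattr exclusion list."""
    if aci["userdn"] == "ldap:///self" and bind_dn.lower() != entry["dn"].lower():
        raise LdapError("insufficientAccessRights", "ACI grants access only to self")
    if "write" not in aci["rights"]:
        raise LdapError("insufficientAccessRights", "ACI does not grant write")
    excluded = {a.strip().lower() for a in aci["targetattr_not"].split("||")}
    for attr in mods:
        if attr.lower() in excluded:
            raise LdapError("insufficientAccessRights",
                            f"no write access to {attr} for {bind_dn}")


def modify(entry, mods, bind_dn, aci):
    """Apply a MODIFY (replace semantics) once both checks pass."""
    aci_check(entry, mods, bind_dn, aci)
    schema_check(entry, mods)
    entry.update(mods)
    return "success"


def attempt(entry, mods, bind_dn, aci=SELF_WRITE_ACI):
    """Return the LDAP result name of a modify without touching the caller's entry."""
    try:
        return modify(dict(entry), mods, bind_dn, aci)
    except LdapError as err:
        return err.result


# Constructed sample entries; the DN mirrors the shape of the thread's log line.
WITHOUT_SHADOW = {
    "dn": "uid=mlap,ou=Desks,o=a0,o=Int,dc=mycompany,dc=com",
    "objectclass": ["top", "person", "posixAccount"],
    "uid": "mlap", "cn": "M Lap", "sn": "Lap",
}
WITH_SHADOW = dict(WITHOUT_SHADOW,
                   objectclass=WITHOUT_SHADOW["objectclass"] + ["shadowAccount"])

# What a pam_ldap password change from the desktop sends, bound as the user:
# the new password plus a shadowLastChange update (values constructed).
PASSWORD_CHANGE = {"userPassword": "{SSHA}constructed", "shadowLastChange": "14361"}

if __name__ == "__main__":
    me = WITHOUT_SHADOW["dn"]
    print("no shadowAccount:  ", attempt(WITHOUT_SHADOW, PASSWORD_CHANGE, me))
    print("with shadowAccount:", attempt(WITH_SHADOW, PASSWORD_CHANGE, me))
    print("nsroledn as self:  ", attempt(WITH_SHADOW, {"nsroledn": "cn=r"}, me))
```

The first run reproduces John's situation: the ACI passes, the schema check fails, and the result name is an objectClass violation rather than insufficient access. Adding shadowAccount makes the same modify succeed, while a write to nsroledn by the user is still refused by the ACI, which is the one case where checking ACIs would have been the right diagnosis.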


Re: [Fedora-directory-users] Update user passwords with passwd

2009-01-23 Thread George Holbert

Tim Hartmann wrote:

Hi!

So I ran into yet another pot-hole in the road to LDAP bliss...


We have a root suffix in our directory that stores the basic Posix
attributes including password. I've been able to configure my client to
use LDAP for directory services and authenticate against my replicas,
so far so good! Then I tried to change my user's password... and that's
where I started getting a bit hung up.

At first I thought that it was because my replicas weren't sending the
update request/ referrals back to the masters. (We have two masters that
sit behind four consumers)

Then I decided to change my ldap.conf files to point directly to my
masters, but I still received the same errors: "Can't contact LDAP
Server", which was strange since I can do LDAP searches against it all
day, and even bind to the servers to do searches! And "Insufficient write
privileges", which made me think that maybe it was an ACI... but I have
selfwrite enabled for the userPassword attribute...

Here's the output of my failed attempt to change my user's password
after logging in successfully to the server..

Changing password for user foo.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Insufficient 'write' privilege to the 'userPassword' attribute of entry
'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.

passwd: Permission denied

  
What do your LDAP server access and error logs show at the time of the 
attempted password change?




If anyone has any thought I'd be grateful! I'm pretty perplexed!


Best,

Tim




  






Re: [Fedora-directory-users] multi-master ports

2008-12-18 Thread George Holbert


Every time I try to change the port on the second server to 389, it
will not start, stating that the port is already in use.

Do you mean you're trying to set the secure (LDAPS) port to 389?
That won't work unless you first set your standard LDAP port to 
something other than 389, and restart the server.

But, I don't think you'd want to do that.
What are you trying to do?


Richard Larson wrote:


Guys, I'll proffer this question, knowing the answer is staring me
right in the face somewhere.


How do you get multi-masters to monitor the same port, i.e. 389, or 636
for SSL?


Every time I try to change the port on the second server to 389, it
will not start, stating that the port is already in use.


Thanks in advance

Rich Larson

Do not wait to strike till the iron is hot; but make it hot by 
striking. -- William B. Sprague








Re: [Fedora-directory-users] (no subject)

2008-12-05 Thread George Holbert

Chavez, James R. wrote:
Hello again, thanks for the reply.
My Solaris 10 and 8 clients are working against SSL now, thanks!

For my Linux clients I am trying to follow the FDS wiki page
Howto:SSL.

I am having a problem importing the root CA certificate on my Fedora
boxes.
The Howto:SSL page says to run this command to import the cacert.asc
file.

cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
cacert.asc`.0

However that responds with the below error. Anybody familiar with this
error?
Also I see Fedora has the certutil utility, can I use this to import the
ca root certificate like I did for the Solaris clients?
  


I believe the nss_ldap and pam_ldap libraries on Fedora use OpenSSL, not 
Mozilla's NSS (of which certutil is a component).

So certutil won't do you any good in this area.


'Error opening Certificate cacert.asc
2312:error:02001002:system library:fopen:No such file or
directory:bss_file.c:352:fopen('cacert.asc','r')
2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
  


Try giving an absolute path to cacert.asc... looks like it's just not 
finding that file.

e.g.

cp /path/to/cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in
/path/to/cacert.asc`.0



Many Thanks
James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of George
Holbert
Sent: Friday, December 05, 2008 12:03 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Create client SSL certificates
forSolaris boxes.

James Chavez wrote:
  

George,
Thank you much for the help with this. I read up on the links you sent



  
and they seem to have helped. I have been struggling with a Solaris 8 
box for the past few hours. It would not work at first, I was getting 
an end of file error in the access log. Then it just started working 
after I restarted the client services a few times and re-added the box 
using the same profile.


I have another question in regards to SSL for replication.
I had MMR going between two servers, this one and another prior to 
enabling SSL on this server. I removed all the replication agreements 
because as I understand it they need to be recreated with SSL. I would



  

appreciate the list's opinions on the following. The Admin guide states



  
that there are 2 ways of replicating over SSL, I pasted them below. I 
would like to know the pros and cons of each and if a DNS PTR record 
is an absolute necessity on each MMR member.
  



The end result with both SSL replication flavors is the same.
Both encrypt the replication traffic between your directory servers.
The client cert method, when properly implemented, will make life more
challenging for a prospective attacker who would like to impersonate
your replication manager identity.  In that sense, it is more secure
than simple auth with SSL.


CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by 
the addressee(s) named herein and may contain legally privileged and/or 
confidential information. If you are not the intended recipient of this e-mail 
message, you are hereby notified that any dissemination, distribution or 
copying of this e-mail message, and any attachments thereto, is strictly 
prohibited.  If you have received this e-mail message in error, please 
immediately notify the sender and permanently delete the original and any 
copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT 
INTENDED AS A SUBSTITUTE FOR A WRITING.  Notwithstanding the Uniform Electronic 
Transactions Act or the applicability of any other law of similar substance and 
effect, absent an express statement to the contrary hereinabove, this e-mail 
message its contents, and any attachments hereto are not intended to represent 
an offer or acceptance to enter into a contract and are not otherwise intended 
to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or 
any other person or entity.


  






Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.

2008-12-04 Thread George Holbert


But what about creating a client certificate for each of my
Linux and Solaris clients?


If all you want is TLS with simple auth, you don't need these.
Each client just needs to trust the CA which signed your directory 
server's certificate; sounds like you're already on top of this part.



James Chavez wrote:

Hello,

I am having a bit of difficulty creating SSL client certificates for my
Solaris boxes or client boxes in general.

What I am trying to accomplish is to use TLS with simple authentication,
I believe. I want to log into my Solaris boxes authenticating to FDS but
have it done over a secure TLS/SSL connection so the passwords cannot be
intercepted. I successfully created the root CA certificate and server
cert on the FDS box using the beautiful setupSSL script.

However I am new to SSL and I am having a difficult time understanding
what needs to be done on the client side machines to get SSL working
correctly. I know I need to import and trust the Root CA certificate on
each client. But what about creating a client certificate for each of my
Linux and Solaris clients? Can the client certificates be created and
exported on the server that I created the Root CA cert on? And from
there can I just import them into the clients? I have read the NSS tools
links regarding PKI and SSL but I am still having a bit of difficulty.

On the FDS wiki documentation site there are some good links but I am
not sure how to go about this to use TLS:simple authentication.

Thank you
James 




  






Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.

2008-12-04 Thread George Holbert


James Chavez wrote:
Thank you for the reply. 
OK so the Root CA is self signed on the Directory server box.

The setupSSL script already exported the cacert.asc file I believe.
So my next step is to import it on each client that I want to use
TLS:simple on if I am understanding.
  

Yes.


So I believe on each client I need to use certutil to create a cert
database with ...
certutil -N -d directory -f /passfile

Does it matter where I create this?
  

Yes.
The details are specific to the client OS and its bundled SSL and LDAP 
libraries.

For Solaris, you're on the right track with certutil.
This Sun forum thread may be helpful:
http://forums.sun.com/thread.jspa?threadID=5330016

For Linux, check your distribution's documentation.

If you're using a RedHat variant, tls_cacertfile in /etc/ldap.conf is probably 
what you'll be most interested in.



After this I just import the cacert.asc, is that accurate?

Thank you
James

On Thu, 2008-12-04 at 11:49 -0800, George Holbert wrote:
  

But what about creating a client certificate for each of my
Linux and Solaris clients?
  

If all you want is TLS with simple auth, you don't need these.
Each client just needs to trust the CA which signed your directory 
server's certificate; sounds like you're already on top of this part.



James Chavez wrote:


Hello,

I am having a bit of difficulty creating SSL client certificates for my
Solaris boxes or client boxes in general.

What I am trying to accomplish is to use TLS with simple authentication,
I believe. I want to log into my Solaris boxes authenticating to FDS but
have it done over a secure TLS/SSL connection so the passwords cannot be
intercepted. I successfully created the root CA certificate and server
cert on the FDS box using the beautiful setupSSL script.

However I am new to SSL and I am having a difficult time understanding
what needs to be done on the client side machines to get SSL working
correctly. I know I need to import and trust the Root CA certificate on
each client. But what about creating a client certificate for each of my
Linux and Solaris clients? Can the client certificates be created and
exported on the server that I created the Root CA cert on? And from
there can I just import them into the clients? I have read the NSS tools
links regarding PKI and SSL but I am still having a bit of difficulty.

On the FDS wiki documentation site there are some good links but I am
not sure how to go about this to use TLS:simple authentication.

Thank you
James 




  
  






Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.

2008-12-04 Thread George Holbert

James Chavez wrote:

George,
Thank you much for the help with this. I read up on the links you sent
and they seem to have helped. I have been struggling with a Solaris 8
box for the past few hours. It would not work at first, I was getting an
end of file error in the access log. Then it just started working after
I restarted the client services a few times and re-added the box using
the same profile.

I have another question in regards to SSL for replication.
I had MMR going between two servers, this one and another prior to
enabling SSL on this server. I removed all the replication agreements
because as I understand it they need to be recreated with SSL. I would
appreciate the list's opinions on the following. The Admin guide states
that there are 2 ways of replicating over SSL, I pasted them below. I
would like to know the pros and cons of each and if a DNS PTR record is
an absolute necessity on each MMR member.
  


The end result with both SSL replication flavors is the same.
Both encrypt the replication traffic between your directory servers.
The client cert method, when properly implemented, will make life more 
challenging for a prospective attacker who would like to impersonate 
your replication manager identity.  In that sense, it is more secure 
than simple auth with SSL.




There are two ways to use SSL for replication:
  * Select SSL Client Authentication. With SSL client authentication,
    the supplier and consumer servers use certificates to authenticate
    to each other.
  * Select Simple Authentication. With simple authentication, the
    supplier and consumer servers use a bind DN and password to
    authenticate to each other.


I have the ability to register these boxes in DNS using the net utility,
but that does not create the in-addr.arpa reverse lookup PTR record. Is
that absolutely necessary for SSL replication to work, or can I get
around it? This is my test environment, so I would like to do without if
possible for the time being.

Thank you
James


  

James Chavez wrote:


Thank you for the reply.
OK so the Root CA is self signed on the Directory server box.
The setupSSL script already exported the cacert.asc file I believe.
So my next step is to import it on each client that I want to use
TLS:simple on if I am understanding.

  

Yes.



So I believe on each client I need to use certutil to create a cert
database with ...
certutil -N -d directory -f /passfile

Does it matter where I create this?

  

Yes.
The details are specific to the client OS and its bundled SSL and LDAP
libraries.
For Solaris, you're on the right track with certutil.
This Sun forum thread may be helpful:
http://forums.sun.com/thread.jspa?threadID=5330016

For Linux, check your distribution's documentation.

If you're using a RedHat variant, tls_cacertfile in /etc/ldap.conf is probably 
what you'll be most interested in.




After this I just import the cacert.asc, is that accurate?

Thank you
James

On Thu, 2008-12-04 at 11:49 -0800, George Holbert wrote:

  

But what about creating a client certificate for each of my
Linux and Solaris clients?

  

If all you want is TLS with simple auth, you don't need these.
Each client just needs to trust the CA which signed your directory
server's certificate; sounds like you're already on top of this part.


James Chavez wrote:



Hello,

I am having a bit of difficulty creating SSL client certificates for my
Solaris boxes or client boxes in general.

What I am trying to accomplish is to use TLS with simple authentication,
I believe. I want to log into my Solaris boxes authenticating to FDS but
have it done over a secure TLS/SSL connection so the passwords cannot be
intercepted. I successfully created the root CA certificate and server
cert on the FDS box using the beautiful setupSSL script.

However I am new to SSL and I am having a difficult time understanding
what needs to be done on the client side machines to get SSL working
correctly. I know I need to import and trust the Root CA certificate on
each client. But what about creating a client certificate for each of my
Linux and Solaris clients? Can the client certificates be created and
exported on the server that I created the Root CA cert on? And from
there can I just import them into the clients? I have read the NSS tools
links regarding PKI and SSL but I am still having a bit of difficulty.

On the FDS wiki documentation site there are some good links but I am
not sure how to go about this to use TLS:simple authentication.

Thank you
James


Re: [Fedora-directory-users] posixgroup name lookups

2008-11-20 Thread George Holbert

Jonathan Barber wrote:

On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
  

On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:


John A. Sullivan III wrote:
  

John A. Sullivan III wrote:
  


[snip]

  

snip
Thanks for the very thoughtful answer.  I'm not only new to LDAP but
also to Linux based file servers.  I've been in a management role for
the last decade and before then was doing NDS and NetWare for
directory/file.

We were planning to use a umask of 007 for standard users and set the
sgid bit for shared folders.  That's where we thought it would be
helpful to have a group associated with each user.  In fact, it finally
made the default setup of creating a group for each user make sense as I
always wondered why that was done.  I suppose we'll also need to
activate file system acls for more complex setups as when multiple
groups need varying access to a shared file system directory.



This arrangement is known (at least by Redhat) as User Private Groups
(UPG):
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html

The primary reason for doing it is that group access to files is managed
via secondary group membership, not primary group membership

If each of your users has their own group, then adding a posixGroup
objectclass to each user makes perfect sense. You may also want to place
a uniqueness constraint on the gidNumber attribute as well:
http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in

WRT Linux, the only gotcha I can think of is that you'll have to set
the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
the common parent to both your users and groups - otherwise it'll never
find the UPGs.

  
Another way would be to omit the addition of the posixGroup on your 
account objects, and just modify the filter on nss_base_group to include 
posixAccounts.

e.g.:
nss_base_group  
dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))


posixAccount already includes the gidNumber and cn attributes, which is 
all you're really after here... unless you want to start adding 
memberUid attributes to your account objects (which doesn't make any 
obvious sense).


You will almost certainly have to modify your nss_base_group setting in 
either case, as Jonathan suggested.




If that's a silly approach, kindly let me know and point me to some good
documentation on the subject.  Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
[EMAIL PROTECTED]

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society




  






Re: [Fedora-directory-users] posixgroup name lookups

2008-11-20 Thread George Holbert

John A. Sullivan III wrote:

On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
  

Jonathan Barber wrote:


On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
  
  

On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:



John A. Sullivan III wrote:
  
  

John A. Sullivan III wrote:
  
  

[snip]

  
  

snip
Thanks for the very thoughtful answer.  I'm not only new to LDAP but
also to Linux based file servers.  I've been in a management role for
the last decade and before then was doing NDS and NetWare for
directory/file.

We were planning to use a umask of 007 for standard users and set the
sgid bit for shared folders.  That's where we thought it would be
helpful to have a group associated with each user.  In fact, it finally
made the default setup of creating a group for each user make sense as I
always wondered why that was done.  I suppose we'll also need to
activate file system acls for more complex setups as when multiple
groups need varying access to a shared file system directory.



This arrangement is known (at least by Redhat) as User Private Groups
(UPG):
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/s1-users-groups-private-groups.html

The primary reason for doing it is that group access to files is managed
via secondary group membership, not primary group membership

If each of your users has their own group, then adding a posixGroup
objectclass to each user makes perfect sense. You may also want to place
a uniqueness constraint on the gidNumber attribute as well:
http://www.centos.org/docs/5/html/CDS/ag/8.0/Administering_DSPPR-Server_Plug_in_Functionality_Reference.html#Server_Plug_in_Functionality_Reference-UID_Uniqueness_Plug_in

WRT Linux, the only gotcha I can think of is that you'll have to set
the nss_ldap nss_base_group option in /etc/ldap.conf to an entry that's
the common parent to both your users and groups - otherwise it'll never
find the UPGs.

  
  
Another way would be to omit the addition of the posixGroup on your 
account objects, and just modify the filter on nss_base_group to include 
posixAccounts.

e.g.:
nss_base_group  
dc=example,dc=com?sub?(|(objectClass=posixGroup)(objectClass=posixAccount))


posixAccount already includes the gidNumber and cn attributes, which is 
all you're really after here... unless you want to start adding 
memberUid attributes to your account objects (which doesn't make any 
obvious sense).


You will almost certainly have to modify your nss_base_group setting in 
either case, as Jonathan suggested.




snip
Alas, I'm not sure this is going to work as expected but it could be my
ignorance.  I've read the man page and whatever documentation I could
find.  It appears it does an & operation with the additional filter,
whereas I need an |.

I gather the default is:
&(objectClass=posixgroup)(cn=group_name)

I think I need it to be:
|((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))

If it does an &, I think I get:
&((&(objectClass=posixgroup)(cn=group_name))(&(objectClass=posixaccount)(uid=group_name)))

Nevertheless, I tried all of the following without success:

nss_base_group  
dc=X,dc=com,dc=ssiservices,dc=biz?sub?|(objectClass=posixAccount)

nss_base_group  
dc=X,dc=com,dc=ssiservices,dc=biz?sub?|((objectClass=posixAccount)(uid=group_name))
this broke the posixgroup filter, too!

nss_base_group  
dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
this broke the posixgroup filter, too!

nss_base_group  
dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)(uid=group_name)
this broke the posixgroup filter, too!

nss_base_group  
dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)
this broke the posixgroup filter, too!

nss_base_group  
dc=X,dc=com,dc=ssiservices,dc=biz?sub?(objectClass=posixAccount)

I did flush the nscd group database between each try.  What am I doing
wrong? Thanks - John
  

It's not immediately obvious to me where the problem is.
But, have you tried reviewing your LDAP server's access log?
That's often a huge help for troubleshooting this kind of thing.


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
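Added example (not code from the thread, from nss_ldap or from Fedora Directory Server): a small evaluator for the subset of LDAP search filters used in this exchange, run over constructed entries, to show why an nss_base_group filter that gets ANDed onto nss_ldap's own lookup filter can never select a posixAccount, while the same intent written as one OR filter can. That nss_ldap ANDs the extra filter onto its lookup filter is taken from John's observation above and is an assumption here; the entries, DNs and gidNumbers are constructed.

```python
# Added example, not code from the thread, from nss_ldap or from Fedora
# Directory Server.  Evaluates (&...), (|...), (!...) and (attr=value)
# filters over in-memory entries.  The AND composition in compose() is an
# assumption taken from John's observation; all entries are constructed.

def parse_filter(text):
    """Parse an RFC 4515 filter (subset) into nested tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] != ")":
                children.append(node())
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """entry: dict of lower-cased attribute name -> list of values."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    children = tree[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)          # "!"


# nss_ldap's own filter for the getgrgid(2000) lookup seen in John's access log.
DEFAULT_GROUP_FILTER = "(&(objectClass=posixGroup)(gidNumber=2000))"
# The nss_base_group filter suggested above.
EXTRA_FILTER = "(|(objectClass=posixGroup)(objectClass=posixAccount))"

# Constructed entries: an account whose primary gid has no posixGroup
# object, plus one unrelated group.
ENTRIES = {
    "uid=bsmith,ou=People,dc=example,dc=com": {
        "objectclass": ["top", "person", "posixAccount"],
        "uid": ["bsmith"], "cn": ["Brian Smith"],
        "uidnumber": ["2000"], "gidnumber": ["2000"],
    },
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "objectclass": ["top", "posixGroup"],
        "cn": ["staff"], "gidnumber": ["3000"],
    },
}


def compose(lookup, extra):
    """How the nss_base_* filter is joined onto the lookup filter (assumed AND)."""
    return "(&%s%s)" % (lookup, extra)


def search(filter_text, entries=ENTRIES):
    """DNs of the entries matching filter_text, sorted for stable output."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, e in entries.items() if matches(tree, e))


# The OR John says he actually needs, written as one legal filter.
WANTED_FILTER = ("(|(&(objectClass=posixGroup)(gidNumber=2000))"
                 "(&(objectClass=posixAccount)(gidNumber=2000)))")

if __name__ == "__main__":
    anded = compose(DEFAULT_GROUP_FILTER, EXTRA_FILTER)
    print("ANDed: ", anded, search(anded))          # nothing matches
    print("wanted:", WANTED_FILTER, search(WANTED_FILTER))
```

Run stand-alone it prints an empty match list for the ANDed form and bsmith's DN for the OR form: once `(objectClass=posixGroup)` is already required by the lookup filter, no extra clause joined with `&` can admit an account, which is why John's attempts all "broke" or did nothing.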


Re: [Fedora-directory-users] posixgroup name lookups

2008-11-19 Thread George Holbert


-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000

...

Instead, we added posixgroup as an objectclass to the users.  Is this a
reasonable way to go about this?


Not really...
id is asking your name service what is the group name for gid 2000.
You have no groups defined in your name service with that gid.
The most common way to address this is to add a posixGroup object in 
your LDAP directory with gid 2000, and whatever name (cn) you like.

I would suggest doing this for each account's primary gid.




John A. Sullivan III wrote:

Hello, all.  We're trying to move all our user access control to DS
including file system rights management and thus group management.
We've hit a few problems and would like to share how we've gotten around
them both for documentation and so someone with more experience can tell
us if we are going about this the wrong way.

The first problem we hit was the various hosts could not resolve the
gidnumber to a name:
-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000

We noticed in the access query that the hosts were looking for
posixgroups:
SRCH base=dc=ssiservices,dc=biz scope=2
filter=(&(objectClass=posixGroup)(gidNumber=2000)) attrs=cn
userPassword memberUid uniqueMember gidNumber

The problem comes with user's initial groups which are typically named
after the uid.  Since we had not created these explicitly as DS groups
but rather simply assigned the gidnumber in the posixaccount's gidnumber
attribute, there was no posixgroup to seek.

I suppose the ideal way to address this is to change the query to look
for a posixgroup or a posixaccount.  I do not see how one does this.
Instead, we added posixgroup as an objectclass to the users.  Is this a
reasonable way to go about this?

Then we hit our next problem.  The user's initial group is usually the
same as their uid, e.g., user bsmith belongs to group bsmith. However,
the query is looking for cn rather than uid.  I suppose this is because
a posixgroup, as opposed to a user, does not have a uid but does have a
cn.  This turned up as a problem where we wanted to control the umask in
bashrc which uses logic such as:
if [ $UID -gt 99 ] && [ `id -gn` = `id -un` ]; then
umask 002
fi
id -un would return bsmith but id -gn would return something like Brian
Smith.

Thus, we will need to make it a user creation procedure to override the
cn to be the same as the uid rather than FirstName LastName.  Is this
the correct approach? Thanks - John
  




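Added example (not code from the thread or from Fedora Directory Server) of the approach George suggests above: generate the LDIF for one posixGroup per account whose primary gidNumber has no group yet, with cn equal to uid so that `id -gn` and `id -un` agree for John's umask test, and refuse to emit a group where a gidNumber is shared by two accounts or the cn is already taken, which is the collision the gidNumber uniqueness plug-in would otherwise have to catch at add time. The suffix, ou names and account data are constructed.

```python
# Added example, not code from the thread or from Fedora Directory Server.
# Plans user-private posixGroup entries for accounts that lack one.
# SUFFIX, GROUP_BASE and all entries below are constructed assumptions.

SUFFIX = "dc=example,dc=com"          # assumption
GROUP_BASE = "ou=Groups," + SUFFIX     # assumption

# Constructed directory content, attribute -> list of values.
ACCOUNTS = [
    {"uid": ["bsmith"], "cn": ["Brian Smith"], "uidNumber": ["2000"], "gidNumber": ["2000"]},
    {"uid": ["jdoe"],   "cn": ["Jane Doe"],    "uidNumber": ["2001"], "gidNumber": ["2001"]},
    {"uid": ["tina"],   "cn": ["Tina Doe"],    "uidNumber": ["2005"], "gidNumber": ["2005"]},
    {"uid": ["tom"],    "cn": ["Tom Doe"],     "uidNumber": ["2006"], "gidNumber": ["2005"]},
    {"uid": ["svc"],    "cn": ["Service"],     "uidNumber": ["2002"], "gidNumber": ["3000"]},
    {"uid": ["staff"],  "cn": ["Staff Login"], "uidNumber": ["2007"], "gidNumber": ["4000"]},
]
GROUPS = [
    {"cn": ["staff"], "gidNumber": ["3000"]},
]

# No memberUid is written: primary membership comes from the account's own
# gidNumber; memberUid only expresses secondary membership.
RECORD = ("dn: cn=%(uid)s,%(base)s\n"
          "changetype: add\n"
          "objectClass: top\n"
          "objectClass: posixGroup\n"
          "cn: %(uid)s\n"
          "gidNumber: %(gid)s\n")


def plan_private_groups(accounts, groups, base=GROUP_BASE):
    """Return (ldif_text, conflicts).

    One group is planned per account whose gidNumber matches no existing
    posixGroup.  A gidNumber shared by two accounts, or a uid that already
    names a group, goes into conflicts and gets no record: emitting two
    groups with one gidNumber would make gid -> name resolution ambiguous,
    which is exactly what a gidNumber uniqueness constraint exists to stop.
    """
    existing_gids = {g["gidNumber"][0] for g in groups}
    existing_cns = {g["cn"][0].lower() for g in groups}
    by_gid = {}
    for acct in accounts:
        by_gid.setdefault(acct["gidNumber"][0], []).append(acct["uid"][0])

    records, conflicts = [], []
    for gid, uids in sorted(by_gid.items(), key=lambda kv: int(kv[0])):
        if gid in existing_gids:
            continue                           # getgrgid already resolves it
        if len(uids) > 1:
            conflicts.append("gidNumber %s shared by %s" % (gid, ", ".join(sorted(uids))))
            continue
        uid = uids[0]
        if uid.lower() in existing_cns:
            conflicts.append("cn %s already used by a group" % uid)
            continue
        records.append(RECORD % {"uid": uid, "base": base, "gid": gid})
    return "\n".join(records), conflicts


if __name__ == "__main__":
    ldif, problems = plan_private_groups(ACCOUNTS, GROUPS)
    print(ldif)                      # feed to ldapmodify -a
    for p in problems:
        print("SKIPPED:", p)
```

The planner is deliberately conservative: anything ambiguous is reported rather than guessed, so the same script can be re-run after each batch of user creations (or user renames, which John worried about) and will only ever add what is still missing.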


Re: [Fedora-directory-users] posixgroup name lookups

2008-11-19 Thread George Holbert

John A. Sullivan III wrote:

John A. Sullivan III wrote:


Hello, all.  We're trying to move all our user access control to DS
including file system rights management and thus group management.
We've hit a few problems and would like to share how we've gotten around
them both for documentation and so someone with more experience can tell
us if we are going about this the wrong way.

The first problem we hit was the various hosts could not resolve the
gidnumber to a name:
-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000

We noticed in the access query that the hosts were looking for
posixgroups:
SRCH base=dc=ssiservices,dc=biz scope=2
filter=(&(objectClass=posixGroup)(gidNumber=2000)) attrs=cn
userPassword memberUid uniqueMember gidNumber

The problem comes with user's initial groups which are typically named
after the uid.  Since we had not created these explicitly as DS groups
but rather simply assigned the gidnumber in the posixaccount's gidnumber
attribute, there was no posixgroup to seek.

I suppose the ideal way to address this is to change the query to look
for a posixgroup or a posixaccount.  I do not see how one does this.
Instead, we added posixgroup as an objectclass to the users.  Is this a
reasonable way to go about this?

Then we hit our next problem.  The user's initial group is usually the
same as their uid, e.g., user bsmith belongs to group bsmith. However,
the query is looking for cn rather than uid.  I suppose this is because
a posixgroup, as opposed to a user, does not have a uid but does have a
cn.  This turned up as a problem where we wanted to control the umask in
bashrc which uses logic such as:
if [ $UID -gt 99 ] && [ `id -gn` = `id -un` ]; then
umask 002
fi
id -un would return bsmith but id -gn would return something like Brian
Smith.

Thus, we will need to make it a user creation procedure to override the
cn to be the same as the uid rather than FirstName LastName.  Is this
the correct approach? Thanks - John
  
  

On Wed, 2008-11-19 at 11:17 -0800, George Holbert wrote:
  

-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000
  

...


Instead, we added posixgroup as an objectclass to the users.  Is this a
reasonable way to go about this?
  

Not really...
id is asking your name service what is the group name for gid 2000.
You have no groups defined in your name service with that gid.
The most common way to address this is to add a posixGroup object in 
your LDAP directory with gid 2000, and whatever name (cn) you like.

I would suggest doing this for each account's primary gid.


snip

Thanks for the reply. Perhaps this is a better approach but I have some
reservations (which may be more my ignorance than a real problem).  If I
do this, I have the separate step of maintaining posixgroups for each
user in a separate entity.  Not only must I create two instead of one
(times however many thousands of users I have) but I must keep them in
sync (user delete, user rename).

By adding a posixgroup objectclass to my users, I solve those problems
and still give my name service a way to resolve the group name.  It
seems much simpler to manage but I'm just not sure if this does
something bad.  Am I missing something? Thanks - John
  


Most (if not all) LDAP client software that accesses posix attributes 
will not expect this arrangement.
Most sysadmins or developers that might work with your directory 
probably would also not expect this.

Those are the biggest drawbacks that come immediately to mind.
But depending on your usage, might never be a serious problem.

This is a good time to ask yourself:
Do you really need a corresponding groupname / gid for every username / 
uid in your name service?


The answer might certainly be yes.
But since you're spending time to accommodate this, could be helpful to 
be sure you have reasons beyond rote tradition.





Re: [Fedora-directory-users] posixgroup name lookups

2008-11-19 Thread George Holbert

John A. Sullivan III wrote:

On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
  

John A. Sullivan III wrote:


John A. Sullivan III wrote:



Hello, all.  We're trying to move all our user access control to DS
including file system rights management and thus group management.
We've hit a few problems and would like to share how we've gotten around
them both for documentation and so someone with more experience can tell
us if we are going about this the wrong way.

The first problem we hit was the various hosts could not resolve the
gidnumber to a name:
-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000

We noticed in the access query that the hosts were looking for
posixgroups:
SRCH base=dc=ssiservices,dc=biz scope=2
filter=(&(objectClass=posixGroup)(gidNumber=2000)) attrs=cn
userPassword memberUid uniqueMember gidNumber

The problem comes with user's initial groups which are typically named
after the uid.  Since we had not created these explicitly as DS groups
but rather simply assigned the gidnumber in the posixaccount's gidnumber
attribute, there was no posixgroup to seek.

I suppose the ideal way to address this is to change the query to look
for a posixgroup or a posixaccount.  I do not see how one does this.
Instead, we added posixgroup as an objectclass to the users.  Is this a
reasonable way to go about this?

Then we hit our next problem.  The user's initial group is usually the
same as their uid, e.g., user bsmith belongs to group bsmith. However,
the query is looking for cn rather than uid.  I suppose this is because
a posixgroup, as opposed to a user, does not have a uid but does have a
cn.  This turned up as a problem where we wanted to control the umask in
bashrc which uses logic such as:
if [ $UID -gt 99 ] && [ `id -gn` = `id -un` ]; then
umask 002
fi
id -un would return bsmith but id -gn would return something like Brian
Smith.

Thus, we will need to make it a user creation procedure to override the
cn to be the same as the uid rather than FirstName LastName.  Is this
the correct approach? Thanks - John
  
  
  

On Wed, 2008-11-19 at 11:17 -0800, George Holbert wrote:
  
  

-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000
  
  

...



Instead, we added posixgroup as an objectclass to the users.  Is this a
reasonable way to go about this?
  
  

Not really...
id is asking your name service what is the group name for gid 2000.
You have no groups defined in your name service with that gid.
The most common way to address this is to add a posixGroup object in 
your LDAP directory with gid 2000, and whatever name (cn) you like.

I would suggest doing this for each account's primary gid.



snip

Thanks for the reply. Perhaps this is a better approach but I have some
reservations (which may be more my ignorance than a real problem).  If I
do this, I have the separate step of maintaining posixgroups for each
user in a separate entity.  Not only must I create two instead of one
(times however many thousands of users I have) but I must keep them in
sync (user delete, user rename).

By adding a posixgroup objectclass to my users, I solve those problems
and still give my name service a way to resolve the group name.  It
seems much simpler to manage but I'm just not sure if this does
something bad.  Am I missing something? Thanks - John
  
  
Most (if not all) LDAP client software that accesses posix attributes 
will not expect this arrangement.
Most sysadmins or developers that might work with your directory 
probably would also not expect this.

Those are the biggest drawbacks that come immediately to mind.
But depending on your usage, might never be a serious problem.

This is a good time to ask yourself:
Do you really need a corresponding groupname / gid for every username / 
uid in your name service?


The answer might certainly be yes.
But since you're spending time to accommodate this, could be helpful to 
be sure you have reasons beyond rote tradition.




snip
Thanks for the very thoughtful answer.  I'm not only new to LDAP but
also to Linux based file servers.  I've been in a management role for
the last decade and before then was doing NDS and NetWare for
directory/file.

We were planning to use a umask of 007 for standard users and set the
sgid bit for shared folders.  That's where we thought it would be
helpful to have a group associated with each user.  In fact, it finally
made the default setup of creating a group for each user make sense as I
always wondered why that was done.  I suppose we'll also need to
activate file system acls for more complex setups as when multiple
groups need varying access to a shared file system directory.

If that's a silly approach, kindly let me know and point me to some good
documentation on the subject.  Thanks - John
  


Sounds like you do have some good (non-silly) reasons.
Just be aware the hybrid posixGroup / posixAccount thing

Re: [Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box

2008-05-12 Thread George Holbert

On Solaris at least, the getent command doesn't support netgroup.
According to the man page, it supports any of:
passwd, group, hosts, ipnodes, services, protocols, ethers, project, 
networks, netmasks



Vipul Ramani wrote:

Hi all,

I am trying to configure FDS as the directory server, and the clients are Sun 
Solaris 10 boxes (all are Sun Solaris 10 x86).


bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 192.168.109.73
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy

bash-3.00# ldaplist
dn: cn=Directory Administrators, dc=example, dc=com
dn: ou=People, dc=example, dc=com
dn: ou=Special Users,dc=example, dc=com
dn: ou=profile,dc=example,dc=com
dn: ou=group, dc=example,dc=com
dn: ou=netgroup, dc=example,dc=com
dn: ou=Groups, dc=example, dc=com

===ou=netgroup,dc=,dc=com===
dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,vipul2,)


When I type this command I am getting this error. Do I need to 
enable the netgroup database, or do I need to apply any patch to enable 
this?


bash-3.00# getent netgroup QAUsers
Unknown database: netgroup
usage: getent database [ key ... ]







--
Regards

Vipul Ramani



  






Re: [Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box

2008-05-12 Thread George Holbert

So,
Netgroup does not work in solaris 10   :(


Solaris 10 doesn't have any specific netgroup problems that I'm aware 
of, and it has not dropped support for netgroup.
But, as in previous Solaris releases, the getent command doesn't talk to 
the netgroup database.


You can still use them, you just can't ask the system about them with 
getent.


Vipul Ramani wrote:

So,
Netgroup does not work in solaris 10   :(

I want to configure group-based access for the servers, so what 
should I use?


On Mon, May 12, 2008 at 2:49 PM, George Holbert [EMAIL PROTECTED] wrote:


On Solaris at least, the getent command doesn't support netgroup.
According to the man page, it supports any of:
passwd, group, hosts, ipnodes, services, protocols, ethers,
project, networks, netmasks


Vipul Ramani wrote:

Hi all,

I am trying to configure FDS as the directory server, and the clients
are Sun Solaris 10 boxes (all are Sun Solaris 10 x86).

bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 192.168.109.73

NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy

bash-3.00# ldaplist
dn: cn=Directory Administrators, dc=example, dc=com
dn: ou=People, dc=example, dc=com
dn: ou=Special Users,dc=example, dc=com
dn: ou=profile,dc=example,dc=com
dn: ou=group, dc=example,dc=com
dn: ou=netgroup, dc=example,dc=com
dn: ou=Groups, dc=example, dc=com

===ou=netgroup,dc=,dc=com===
dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,vipul2,)


When I type this command I am getting this error. Do I
need to enable the netgroup database, or do I need to apply any
patch to enable this?

bash-3.00# getent netgroup QAUsers
Unknown database: netgroup
usage: getent database [ key ... ]







-- 
Regards


Vipul Ramani



 









--
Regards

Vipul Ramani


  






Re: [Fedora-directory-users] Removing a Smart Referral

2008-04-15 Thread George Holbert
With a Fedora/Mozilla-based ldapsearch, you can get the DN of your 
referral objects like:


ldapsearch -h <host> -M -R -b "ou=Unit 2,o=My Org" objectclass=referral

Once you have the DN of the referral, you can remove it just like you would any 
other entry.
Example LDIF:

dn: <ref RDN>,ou=Unit 2,o=My Org
changeType: delete


-- George



Daniel Cristian Cruz wrote:

Hi All,

Is there any way to remove a smart referral?

We had some users which are in a replicated tree, and we need to use it
on our own tree. I can't find any way to remove the reference, without
removing the user in the replicated tree.

Example:

o=My Org
  ou=Unit 1
uid=Replicated Account (consumer suffix)
  ou=Unit 2
uid=My Account
uid=Replicated Account (Smart Referral to uid=Replicated Account,ou=Unit 1,o=My 
Org)

Any help?
  






Re: [Fedora-directory-users] Removing a Smart Referral

2008-04-15 Thread George Holbert


Is there any way to do that with PHP or Python?


There probably is.
I don't know off the top of my head though.
Good luck!
-- George

Daniel Cristian Cruz wrote:

Hu...

Is there any way to do that with PHP or Python?

Didn't find any -M option in these languages...

On Ter, 2008-04-15 at 17:34 -0700, George Holbert wrote:
  
With a Fedora/Mozilla-based ldapsearch, you can get the DN of your 
referral objects like:


ldapsearch -h <host> -M -R -b "ou=Unit 2,o=My Org" objectclass=referral

Once you have the DN of the referral, you can remove it just like you would any 
other entry.
Example LDIF:

dn: <ref RDN>,ou=Unit 2,o=My Org
changeType: delete


-- George



Daniel Cristian Cruz wrote:


Hi All,

Is there any way to remove a smart referral?

We had some users which are in a replicated tree, and we need to use it
on our own tree. I can't find any way to remove the reference, without
removing the user in the replicated tree.

Example:

o=My Org
  ou=Unit 1
uid=Replicated Account (consumer suffix)
  ou=Unit 2
uid=My Account
uid=Replicated Account (Smart Referral to uid=Replicated Account,ou=Unit 1,o=My 
Org)

Any help?
  
  









Re: [Fedora-directory-users] Preferred authentication mechanism - LDAPS or startTLS

2008-04-09 Thread George Holbert

Hi David,

You're correct that LDAPS is deprecated.  I think most people would 
encourage you to prefer StartTLS.
However, you may still want to use LDAPS in your environment depending 
on what LDAP client applications your service will need to support.  
Several LDAP client programs still only support LDAPS, or have no 
support at all for transport layer security.  Your particular usage 
scenario will be the most influential factor.  If your LDAP service will 
be used with a variety of clients, odds are there's at least a few that 
will only support LDAPS.


Besides startTLS, what are some other popular LDAP authentication 
mechanisms that are widely used in today's enterprise world?


As far as FDS, check out the following:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_SSL.html
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/SASL.html
http://directory.fedoraproject.org/wiki/Documentation



Chun Tat David Chu wrote:

Hi group,

I'm currently looking into LDAP authentication and would like to know 
about what is the preferred authentication mechanism.  If I want to 
use TLS for authentication, should I use LDAPS or startTLS?


From my understanding, LDAPS was introduced in LDAPv2 and startTLS is 
introduced in LDAPv3.


I surfed on the Internet, and it appears that startTLS should be 
deprecating LDAPS but a lot of people are still using LDAPS today.


Besides startTLS, what are some other popular LDAP authentication 
mechanisms that are widely used in today's enterprise world?


Thanks!

David


  




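Added example (not code from the thread or from Fedora Directory Server) of what separates the two mechanisms George compares: with LDAPS the client opens TLS first on port 636 and every LDAP PDU travels inside it, while with StartTLS the client sends a cleartext LDAP ExtendedRequest naming OID 1.3.6.1.4.1.1466.20037 on port 389 and only starts the TLS handshake after the server answers success. The code builds that request byte for byte, parses a constructed ExtendedResponse, and shows the one check a StartTLS client must make: refuse to continue in cleartext when the response is anything but resultCode 0, which is what OpenLDAP's ldapsearch -ZZ does and plain -Z does not. The start_tls helper's socket handling is illustrative and assumed.

```python
# Added example, not code from the thread or from Fedora Directory Server.
# BER-encodes the StartTLS ExtendedRequest (RFC 4511 section 4.14) and
# decodes the ExtendedResponse.  SAMPLE_RESPONSE / SAMPLE_REFUSAL are
# constructed by hand; start_tls() is an illustrative, assumed helper.
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    msgid = tlv(0x02, message_id.to_bytes(1, "big"))    # INTEGER (ids < 128 assumed)
    req_name = tlv(0x80, STARTTLS_OID.encode("ascii"))  # [0] IMPLICIT OCTET STRING
    ext_req = tlv(0x77, req_name)                       # [APPLICATION 23], constructed
    return tlv(0x30, msgid + ext_req)                   # SEQUENCE


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(buf):
    """Return (messageID, resultCode, errorMessage) from an LDAPMessage
    carrying an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, msgid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(body)             # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(body, pos)  # LDAPDN matchedDN
    _, err, pos = read_tlv(body, pos)         # LDAPString errorMessage
    return int.from_bytes(msgid, "big"), int.from_bytes(code, "big"), err.decode("utf-8")


# Constructed: success, messageID 1, resultCode 0, empty matchedDN and errorMessage.
SAMPLE_RESPONSE = bytes.fromhex("300c020101" "7807" "0a0100" "0400" "0400")
# Constructed: a server without StartTLS answers protocolError (2).
SAMPLE_REFUSAL = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x78,
    tlv(0x0a, b"\x02") + tlv(0x04, b"") + tlv(0x04, b"unsupported extended operation")))


def start_tls(sock, hostname, cafile):
    """Illustrative (assumed) helper: send StartTLS on a plaintext LDAP socket
    and upgrade it to TLS only if the server answered success.  Going on in
    cleartext after any other answer is the downgrade an on-path attacker
    would aim for; a real client also reads until the whole TLV has arrived."""
    sock.sendall(starttls_request(1))
    _, code, err = parse_extended_response(sock.recv(4096))
    if code != 0:
        raise ssl.SSLError("StartTLS refused: %d %s" % (code, err))
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    return ctx.wrap_socket(sock, server_hostname=hostname)


if __name__ == "__main__":
    print(starttls_request(1).hex())
    print(parse_extended_response(SAMPLE_RESPONSE))
    print(parse_extended_response(SAMPLE_REFUSAL))
```

The request is 31 bytes and starts `30 1d 02 01 01 77 18 80 16` followed by the OID in ASCII; seeing that prefix in a capture on port 389 is how to tell StartTLS apart from an LDAPS session, where the first bytes on port 636 are already the TLS ClientHello.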


[Fedora-directory-users] resource limits for replication manager

2008-01-28 Thread George Holbert

Just curious if anyone knows:
Would there ever be a need to extend search resource limits for 
cn=replication manager,cn=replication,cn=config ?


For example, set higher-than-default values for replication manager on 
any of:

nsSizeLimit
nsLookThroughLimit
nsTimeLimit
nsIdleTimeout

Or is the replication manager immune to resource limits, like 
cn=directory manager?


Thanks,
-- George




Re: [Fedora-directory-users] Custom Attribute Export

2007-11-29 Thread George Holbert

These should already be in your .../config/schema/99user.ldif file.

Jared B. Griffith wrote:
Is there a way to export the custom attributes and object classes I 
have created into an ldif file of some sort?








Re: [Fedora-directory-users] Custom Attribute Export

2007-11-29 Thread George Holbert

You'll have to filter out the ones you've added into a new file.
Might be useful to grep 99user.ldif for the OID used for your schema 
items, etc.
Schema elements added through the console (which I'm guessing is how 
yours were added) are appended to 99user.ldif, and FDS doesn't specially 
distinguish them from other entries in that file.



Jared B. Griffith wrote:
There appears to be a lot of extra stuff in there that I really don't 
need, I just want the specific ones that I have added.





- Original Message -
From: George Holbert gholbert broadcom.com
To: Jared B. Griffith jared.griffith farheap.com, General 
discussion list for the Fedora Directory server project. 
fedora-directory-users redhat.com
Sent: Thursday, November 29, 2007 11:38:45 AM (GMT-0800) 
America/Los_Angeles

Subject: Re: [Fedora-directory-users] Custom Attribute Export

These should already be in your .../config/schema/99user.ldif file.

Jared B. Griffith wrote:
 Is there a way to export the custom attributes and object classes I
 have created into an ldif file of some sort?







Re: [Fedora-directory-users] FDS Groups

2007-11-05 Thread George Holbert
Most likely, you've created a traditional LDAP static group 
(groupOfNames or groupOfUniqueNames) without the posixGroup objectClass.

Creating a group in the FDS console creates a groupOfUniqueNames object.
Do your group objects have objectClass: posixGroup and a gidNumber?


Jared B. Griffith wrote:
How would one go about configuring FDS to be able to do groups such as 
wheel and what not?
I have it set up, but the client is not getting the groups out of the 
Groups OU.


--
- Thank you,
- Jared B. Griffith






Re: [Fedora-directory-users] Re: backup/dump--restore/import

2007-10-24 Thread George Holbert
Backup/Restore:  Creates / restores from a copy of the server's binary 
database files.
Export/Import:  Creates / imports from ASCII text LDIF files 
representing the data in the directory server.


It's actually a good idea to do both (if possible), as this will give 
you the most flexibility when you're in the heat of a restore.


http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1055147

I get error 53 (failed to read the backup file set) 


Is the backup file set still there?


Linux Admin wrote:
If I want to do through GUI: which option do I use: Backup/Restore or 
Import/Export
When I used Backup, I tried to restore into vanilla LDAP specifying 
the top level directory which contains NetscapeRoot and userRoot 
subdirs; I get error 53 (failed to read the backup file set)



On 10/18/07, *Linux Admin* [EMAIL PROTECTED] wrote:


Please forgive the newbie question here.
What is the best way to backup/dump--restore/import a fedora ldap
server
(without downtime)
TIA








Re: [Fedora-directory-users] Re: backup/dump--restore/import

2007-10-24 Thread George Holbert
db2bak (binary backup) is pretty specific to the machine on which it was 
created.

At least a few dependencies:
- architecture of the machine (e.g., sparc to intel, or 32 to 64 bit).
- hostname is sprinkled throughout o=NetscapeRoot.
- index and other configuration in the server's cn=config.

Unless you're restoring on an identical machine with identical directory 
server configuration, I would expect quirks when attempting what you've 
described.
On the bright side, since it does work on the new server, it sounds like 
you've isolated the problem to something with the original server.
What happens when you create a fresh new directory server instance on 
the original, and try to backup and restore that instance?



Linux Admin wrote:

It gets really bad:
on new clean server:
Backup from CLI: db2bak
Restore CLI: works OK
then I bring the dir produced by db2bak from the server I am trying to 
restore to the new box and the same restore command fails



On 10/24/07, *Linux Admin* [EMAIL PROTECTED] wrote:


Using the reference from the redhat site, even the command line does work
error 43: Failed to read backup file set



On 10/24/07, *George Holbert* [EMAIL PROTECTED] wrote:

Backup/Restore:  Creates / restores from a copy of the
server's binary
database files.
Export/Import:  Creates / imports from ASCII text LDIF files
representing the data in the directory server.

It's actually a good idea to do both (if possible), as this
will give
you the most flexibility when you're in the heat of a restore.


http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1055147


 I get error 53 (failed to read the backup file set)

Is the backup file set still there?


Linux Admin wrote:
 If I want to do through GUI: which option do I use:
Backup/Restore or
 Import/Export
 When I used Backup, I tried to restore into vanilla LDAP specifying
 the top level directory which contains NetscapeRoot and userRoot
 subdirs; I get error 53 (failed to read the backup file set)


 On 10/18/07, *Linux Admin* [EMAIL PROTECTED] wrote:

 Please forgive the newbie question here.
 What is the best way to backup/dump--restore/import a
fedora ldap
 server
 (without downtime)
 TIA


 








Re: [Fedora-directory-users] acls problem

2007-09-20 Thread George Holbert

The RedHat documentation covers pretty much everything you've asked:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html

Be prepared for some trial and error to get your ACIs working as you'd like.


Di Giambelardini Gabriele wrote:

Hi to all, I have a problem with some ACLs needed by a mail client to
visit an address book.
I need to restrict, for the anonymous user, the fields (attributes) he can
see. Another solution may be to deny the anonymous user access to the LDAP
and create a specific user for the address book, or use the same mail user
also for the address book.

Can somebody help me:
to restrict access for the anonymous user?
to deny access to LDAP for the anonymous user?
to set the right permissions for the same user used for mail login?

Thanks, excuse me in advance for my English.

--





Re: [Fedora-directory-users] question about SSL configuration with IP takeover HA setup

2007-09-20 Thread George Holbert


eastldap0 
- eastldap0.test.com cert

- eastldap.test.com cert
...


Each running FDS server instance will have just one SSL certificate.
If you want your server to identify with multiple names, you can either:
- Do a cert with subjectAltName extensions.
- Do a cert with a wildcard in the subject's CN (e.g., cn=*.test.com).

LDAP / SSL client support for these varies, so you will probably want to 
test both ways and see what works better with your clients.
If it works for you, the subjectAltName method is probably preferable, 
because you can precisely list the valid names for your server.


Also, consider keeping it simple and just doing certs with single names 
(e.g.,  one cert each for 'westldap.test.com' and 'eastldap.test.com'), 
and installing that same cert on each server which should have that SSL 
identity.  This is actually a pretty common way to do it, though it will 
limit your ability to make SSL connections to individual nodenames, like 
eastldap0.test.com (as you noticed).



Ryan Braun wrote:
Hey guys,  installed FDS on a couple debian servers this week and am liking it 
so far.  I have a couple questions regarding SSL/TLS setup with servers setup 
for  IP takeover type HA setup.  Keep in mind I have some experience with the 
LDAP side of things,  it's the ssl and all the different certs and whatnot 
that keeps me up at night.


Essentially what I'm looking at is a 4 way multimaster setup,  ending up with 
2 HA pairs of servers.  call them eastldap and westldap.   I've implemented 
the east side in my test lab and have it replicating and can pull any user 
info I need off the directory no problem.


so 
eastldap0.test.com ip 192.168.0.11

eastldap1.test.com ip 192.168.0.12
and the virtual interface on whichever machine is master would be
eastldap.test.com ip 192.168.0.10

and then the exact same setup with the last 2

westldap0.test.com ip 192.168.1.11
westldap1.test.com ip 192.168.1.12
westldap.test.com ip 192.168.1.10

Once everything is setup and running clients would be primarily only  
connecting to either virtual interface west/eastldap using TLS over port 389 
and the 4 masters replicating with encryption (not sure but I imagine this 
takes place on ldaps port).


I followed the instructions on the howto:ssl page and created a cert located 
on eastldap0.  But instead of using the eastldap0.test.com as the cn,  I used 
eastldap.test.com.  Cert installed ok, made sure eastldap0 was the HA master 
and restarted fds.  

When I copied over the cacert to a linux client,  I can run searches using 
ldapsearch -ZZ -h eastldap.test.com.  Server logs and wire sniffs confirm 
everything is coming back encrypted.  It seems to be behaving as expected,  
when I try ldapsearch -ZZ -h eastldap0.test.com,  it pukes with error 11 
additional info: TLS: hostname does not match CN in peer certificate,  which 
is right as the name in the cert is eastldap.test.com.


So it would appear I'm on my way,  I just am not sure about what certs I need 
now, and how to add them properly.  I would think I need at the very least


eastldap0 
- eastldap0.test.com cert

- eastldap.test.com cert
eastldap1
- eastldap1.test.com cert
- eastldap.test.com cert
westldap0
- westldap0.test.com cert
- westldap.test.com cert
westldap1
- westldap1.test.com cert
- westldap.test.com cert

I'm just not sure if that is the proper way to go about it.  Also,  I would 
like to have the clients to be able to have all the cacerts to be able to 
communicate with all virtual and physical addresses if need be.  Later on,  I 
would be adding probably 5 or 6 consumer read only replicas in between the 
suppliers and the clients,  but one must walk before they run I guess :)


Long post I know,  just trying to make sure I get all the important stuff out 
there.  Be kind if I was using the incorrect terminology for the 
certs/cacerts :)


Ryan

PS.  anyone have a good SSL for dummies reference that lays out what the heck 
is going on with SSL (pems,keys,certs,cacerts etc) 


--




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
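The name check that produced Ryan's "hostname does not match CN in peer certificate" error, and what each of George's three certificate designs would let a client accept, as an added example (my code, not code from the thread, from 389/FDS or from ldapsearch). The host names are the ones from the thread; the three certificates are constructed stand-ins for "single name", "subjectAltName" and "wildcard CN":

```python
"""Why a cert for eastldap.test.com is rejected when the client connects
to eastldap0.test.com, and what each of George's three options accepts.

Added example: not code from the thread, from 389/FDS or from ldapsearch.
Host names come from the thread; the three certificate designs below are
constructed stand-ins for "single name", "subjectAltName" and "wildcard CN".
"""


def hostname_matches(hostname, presented):
    """Compare one presented identifier (a SAN dNSName or the subject CN)
    with the name the client asked for, RFC 6125 style: case-insensitive,
    label for label, and a wildcard is honoured only as the entire
    left-most label with at least two labels after it."""
    host = hostname.lower().rstrip(".").split(".")
    name = presented.lower().rstrip(".").split(".")
    if len(host) != len(name):
        return False
    if name[0] == "*":
        return len(name) >= 3 and host[1:] == name[1:]
    if "*" in presented:
        return False  # partial wildcards such as east*.test.com are not honoured
    return host == name


def cert_identifies(hostname, subject_cn, san_dns=()):
    """A certificate carrying SAN dNSNames is judged on those only; the CN
    is consulted solely for certificates that have no SAN at all."""
    candidates = list(san_dns) if san_dns else [subject_cn]
    return any(hostname_matches(hostname, n) for n in candidates)


# Constructed certificates, one per design discussed in the thread.
CERT_DESIGNS = {
    "single name": dict(subject_cn="eastldap.test.com"),
    "subjectAltName": dict(subject_cn="eastldap.test.com",
                           san_dns=("eastldap.test.com",
                                    "eastldap0.test.com",
                                    "eastldap1.test.com")),
    "wildcard CN": dict(subject_cn="*.test.com"),
}


def which_designs_accept(hostname):
    """Set of designs a client connecting to `hostname` would accept
    without a 'hostname does not match' error."""
    return {label for label, fields in CERT_DESIGNS.items()
            if cert_identifies(hostname, **fields)}


if __name__ == "__main__":
    for h in ("eastldap.test.com", "eastldap0.test.com",
              "westldap.test.com", "db.eastldap.test.com"):
        print(f"{h:22} accepted by: {sorted(which_designs_accept(h))}")
```

The single-name cert for eastldap.test.com is accepted only for that name, which is exactly the error Ryan saw against eastldap0. The SAN cert accepts precisely the names listed, which is why George prefers it; the wildcard accepts every direct child of test.com, including westldap.test.com, so a wildcard cert installed on the east pair also identifies as the west pair. Whether a given LDAP client library consults SAN or honours wildcards at all is the client-support caveat George mentions, so test with the actual clients.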


Re: [Fedora-directory-users] failover works but very slow.

2007-09-12 Thread George Holbert


I just want to add that our SUSE 10 clients do not have this problem at all.


Interesting!
Do you know what versions of pam_ldap and nss_ldap are used on those 
clients?




Hai Wu wrote:

I just want to add that our SUSE 10 clients do not have this problem at all.

On 9/11/07, George Holbert [EMAIL PROTECTED] wrote:

Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
has such problem on their OS.

Actually this is more related to the pam and nss_ldap libraries from
PADL, which RedHat (and pretty much everyone else) bundles with their Linux.
It's unlikely that recent improvements to PADL's software will show up
in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat.


Hai Wu wrote:


Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
has such problem on their OS.
I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the
delay to an acceptable (but still noticeable) level,  I think we will
do this if there is no side effect to have such a small
bind_timelimit. In the meantime, I will stick to my
taking-primary-IP workaround which reduces the delay to zero.

On 9/11/07, George Holbert [EMAIL PROTECTED] wrote:

This is just the way it is with pam/nss_ldap as bundled in RHEL3 and
RHEL4.  There is no easy fix.
If you like, you can reduce bind_timelimit to something very small.  But
this still isn't much of a solution, since clients will definitely
notice when the primary is down.
It's possible that newer versions of pam/nss_ldap handle failover more
elegantly (I've seen notes to this effect in their Changelog).  I
haven't tested this myself yet.
Another possibility is to put some kind of load balancer in front of
your LDAP servers, which hides from clients the failure of any
individual LDAP server.


Hai Wu wrote:



Hi,

We are using fedora 1.0.4, When the first ldap server dies and does not ping,
the clients can still bind to second server but it is very slow to do
anything on clients, opening a terminal or listing a dir takes a few
seconds.  I find when ldap service is down on the first server but
server it still up and pingable, there is no delay on clients at all,
so I have the workaround to set up a eth0:0 on second ldap server(or
any other machine)  to assume the IP of the first ldap server when
first ldap server does not ping.

Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have
only Rhel 3 and 4 clients. Any idea how to fix this?

Thanks
Mark

/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST 1.1.1.1 2.2.2.2
PORT 636

SIZELIMIT 0
TIMELIMIT 0


Re: [Fedora-directory-users] failover works but very slow.

2007-09-11 Thread George Holbert
This is just the way it is with pam/nss_ldap as bundled in RHEL3 and 
RHEL4.  There is no easy fix.
If you like, you can reduce bind_timelimit to something very small.  But 
this still isn't much of a solution, since clients will definitely 
notice when the primary is down.
It's possible that newer versions of pam/nss_ldap handle failover more 
elegantly (I've seen notes to this effect in their Changelog).  I 
haven't tested this myself yet.
Another possibility is to put some kind of load balancer in front of 
your LDAP servers, which hides from clients the failure of any 
individual LDAP server.



Hai Wu wrote:

Hi,

We are using fedora 1.0.4, When the first ldap server dies and does not ping,
the clients can still bind to second server but it is very slow to do
anything on clients, opening a terminal or listing a dir takes a few
seconds.  I find when ldap service is down on the first server but
server it still up and pingable, there is no delay on clients at all,
so I have the workaround to set up a eth0:0 on second ldap server(or
any other machine)  to assume the IP of the first ldap server when
first ldap server does not ping.

Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have
only Rhel 3 and 4 clients. Any idea how to fix this?

Thanks
Mark

/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST 1.1.1.1 2.2.2.2
PORT 636

SIZELIMIT 0
TIMELIMIT 0






Re: [Fedora-directory-users] failover works but very slow.

2007-09-11 Thread George Holbert


Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
has such problem on their OS.


Actually this is more related to the pam and nss_ldap libraries from 
PADL, which RedHat (and pretty much everyone else) bundles with their Linux.
It's unlikely that recent improvements to PADL's software will show up 
in RHEL3 or RHEL4, but sometimes certain bugfixes are backported by RedHat.



Hai Wu wrote:

Thanks for your quick reply, it is hard to believe Redhat's Fedora DS
has such problem on their OS.
I tried to reduce bind_timelimit from 3 to 1 and it almost reduced the
delay to an acceptable (but still noticeable) level,  I think we will
do this if there is no side effect to have such a small
bind_timelimit. In the meantime, I will stick to my
taking-primary-IP workaround which reduces the delay to zero.

On 9/11/07, George Holbert [EMAIL PROTECTED] wrote:

This is just the way it is with pam/nss_ldap as bundled in RHEL3 and
RHEL4.  There is no easy fix.
If you like, you can reduce bind_timelimit to something very small.  But
this still isn't much of a solution, since clients will definitely
notice when the primary is down.
It's possible that newer versions of pam/nss_ldap handle failover more
elegantly (I've seen notes to this effect in their Changelog).  I
haven't tested this myself yet.
Another possibility is to put some kind of load balancer in front of
your LDAP servers, which hides from clients the failure of any
individual LDAP server.


Hai Wu wrote:


Hi,

We are using fedora 1.0.4, When the first ldap server dies and does not ping,
the clients can still bind to second server but it is very slow to do
anything on clients, opening a terminal or listing a dir takes a few
seconds.  I find when ldap service is down on the first server but
server it still up and pingable, there is no delay on clients at all,
so I have the workaround to set up a eth0:0 on second ldap server(or
any other machine)  to assume the IP of the first ldap server when
first ldap server does not ping.

Please see our /etc/ldap.conf and /etc/openldap/ldap.conf , we have
only Rhel 3 and 4 clients. Any idea how to fix this?

Thanks
Mark

/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST 1.1.1.1 2.2.2.2
PORT 636

SIZELIMIT 0
TIMELIMIT 0


Re: [Fedora-directory-users] Problem with users' passwords

2007-07-05 Thread George Holbert

Some ldapsearch binaries base64-encode password strings in their output.
Not sure if this is what's happening for you, or if you actually have 
the password string stored as a base64 string in your directory database.

If you want to decode the base64 strings, this link might be useful for you:
http://www.openldap.org/faq/data/cache/1353.html


Nalin Dahyabhai wrote:

On Thu, Jul 05, 2007 at 11:20:52AM -0600, Richard Megginson wrote:

Saied W. Andalib wrote:


Some look like this:

userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
I'm not sure what this is.  Fedora DS expects the userPassword to either be 
the clear text value

userPassword: mypassword
or a hash with the hash type in the front
userPassword: {SSHA}POTNkUVliY215UDZXaDFIdURI==

I'm not sure what e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA= is.



The = on the end suggests that it's base64, and the example was
missing the extra : which would indicate that it is.  Decoding that
gives {SSHA}oIYyblX7O93dQYbcmyP6Wh1HuDHCkfB0.

Perhaps the value was accidentally converted so that it's actually being
stored that way in the directory, when it shouldn't be.

HTH,

Nalin



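A small audit of userPassword values in an LDIF export that tells apart the three cases in this thread (clear text, a proper {SCHEME} hash, and the double-encoded value Nalin decoded), plus the SSHA routines needed to confirm a decoded value really is a usable hash. This is an added example, not code from the thread or from Fedora DS; the LDIF below is constructed, except that its first value is the one Saied posted.

```python
"""Sort userPassword values in an LDIF export into clear text, a proper
{SCHEME} hash, and the double-encoded case Nalin diagnosed: the base64 of
a "{SSHA}..." string stored as if it were the hash itself.

Added example, not code from the thread or from Fedora DS. SAMPLE_LDIF is
constructed; its first value is the one Saied posted. The SSHA helpers
implement the standard scheme (SHA-1 over password+salt, salt appended).
"""
import base64
import binascii
import hashlib
import hmac
import os

SAMPLE_LDIF = """\
dn: uid=saied,ou=People,dc=example,dc=com
userPassword: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=

dn: uid=clear,ou=People,dc=example,dc=com
userPassword: mypassword

dn: uid=hashed,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9b0lZeWJsWDdPOTNkUVliY215UDZXaDFIdURIQ2tmQjA=
"""


def parse_ldif_entries(text):
    """Minimal LDIF reader returning [(dn, [(attr, bytes), ...])].
    'attr:: value' is base64 and is decoded here; 'attr: value' is literal.
    That second colon is what was missing from the value in the thread."""
    entries, dn, attrs = [], None, []
    for raw in text.splitlines():
        if not raw.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        if ":: " in raw:
            name, _, value = raw.partition(":: ")
            value = base64.b64decode(value)
        else:
            name, _, value = raw.partition(": ")
            value = value.encode()
        if name == "dn":
            dn = value.decode()
        else:
            attrs.append((name, value))
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def classify_password(value):
    """Classify the bytes actually stored in userPassword."""
    if value.startswith(b"{") and b"}" in value:
        scheme = value[1:value.index(b"}")].decode("ascii", "replace")
        return f"hashed ({scheme})"
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error:
        return "clear text"
    if decoded.startswith(b"{") and b"}" in decoded:
        return "double-encoded: base64 of " + decoded.decode("ascii", "replace")
    return "clear text"


def audit(ldif_text):
    """Map each DN to the classification of its userPassword value."""
    return {dn: classify_password(v)
            for dn, attrs in parse_ldif_entries(ldif_text)
            for a, v in attrs if a.lower() == "userpassword"}


def ssha_hash(password, salt=None):
    """{SSHA} = base64(sha1(password + salt) + salt), with 4 random salt bytes."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE_LDIF).items():
        print(f"{dn}: {verdict}")
```

The third entry shows the shape ldapsearch normally prints for a hashed value: the double colon marks LDIF base64, and the server stores the decoded "{SSHA}..." string. The first entry is the same string imported with a single colon, so the server stores the base64 text itself and the password scheme never sees a {SSHA} prefix, which is why those users cannot authenticate. Re-importing such values with `userPassword::` puts the real hash back.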


Re: [Fedora-directory-users] backup to ldif

2007-06-11 Thread George Holbert

Have you tried db2ldif ?  It is included with FDS.
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1011783


Jonathan Mills wrote:
Just thought I'd ask first, rather than go reinventing the 
wheel... but does anyone have a cute little script to backup the whole 
directory to a single ldif file?








Re: [Fedora-directory-users] looking for some insight into configuring FDS for an enterprise environment of 10k users

2007-05-23 Thread George Holbert

Running this script will generate can't contact the LDAP server errors.


Does this happen immediately, or does the script run for a while first?
When you start seeing this message, what shows up in the server's access 
and error logs?



Max file descriptors: 4096


If you're running on machines dedicated to the directory service, you 
can increase this quite a bit... in fact, this is probably the limit 
you're hitting.




Anderson, Cary wrote:
I have been doing some stress tests on the FDS in order to try and 
configure the server for an enterprise wide deployment.  My goal is to 
recommend the number of slave/master servers and the appropriate 
configuration for an environment with 10k users.
 
Starting with a default FDS installation I have modified the directory 
accordingly:

10k user ids
the max cache size: 63Mb
Lookthrough limit:  15000
Max file descriptors: 4096
memory avail. for cache: 100Mb
Created an index for uidnumber
 
I have created a php script to stress test the server.

The script has the following parameters:
 
processes 500  # number of simultaneous connections

binds 5 #number of times the script will loop
query 50   # number of queries to make
min sleep 1   # min time between queries
max sleep 5  # max time between queries
uid_number 5 # search for this uidnumber
server 10.27.1.104 #host ldap server
 
Running this script will generate can't contact the LDAP server 
errors.  My question is should I be looking at some other parameters 
to modify in order to have the server handle more simultaneous 
connections.  500 connections doesn't seem like an unreasonable number 
of connections for an enterprise directory server, yet the server is 
rolling over at what seems to be a pretty light load...
 
Any insights on how best to configure the server to handle a larger 
number of connections would be greatly appreciated.
 
Thanks







Re: [Fedora-directory-users] ldapsearch results.

2007-05-15 Thread George Holbert

One thought:
The subscriberID value on your test object is larger than the maximum 
value for a 32-bit unsigned integer (4294967296), and subscriberID has 
integerMatch EQUALITY.


It would be interesting to try with a small subscriberID (like '10'), 
and see if it works as you expect.


Balaji Ganesan wrote:

I have a simple test schema
 
--

dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.8918.1.1.1.1 NAME ( 'mailMSISDN' ) DESC 
'mailMSISDN' EQUALITY telephoneNumberMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.50 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.8918.1.1.1.2 NAME ( 'subscriberId' ) 
DESC 'subscriberId' EQUALITY integerMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectClasses:   ( 1.3.6.1.4.1.8918.1.1.1.0 NAME 'myUser' DESC 
'myUser' SUP top STRUCTURAL MUST ( mailMSISDN $ subscriberId ) 
X-ORIGIN 'Test Schema' )

--
 
ldapsearch on objectclass myUser returns
 
--


/usr/local/fds/shared/bin/ldapsearch -p 390 -x -D cn=testing -w 
testingpwd -b dc=test,dc=com objectclass=myUser
version: 1
dn: mailMSISDN=16502272370,dc=test,dc=com
objectClass: myUser
objectClass: top
mailMSISDN: 16502272370
subscriberId: 6502272370

dn: mailMSISDN=16502272371,dc=test,dc=com
objectClass: myUser
objectClass: top
mailMSISDN: 16502272371
subscriberId: 6502272371

dn: mailMSISDN=16502272372,dc=test,dc=com
objectClass: myUser
objectClass: top
mailMSISDN: 16502272372
subscriberId: 6502272372
--

ldapsearch on mailMSISDN returns expected results

--

/usr/local/fds/shared/bin/ldapsearch -p 390 -x -D cn=testing -w 
testingpwd -b dc=test,dc=com mailMSISDN=16502272370

version: 1
dn: mailMSISDN=16502272370,dc=test,dc=com
objectClass: myUser
objectClass: top
mailMSISDN: 16502272370
subscriberId: 6502272370
--

ldapsearch on subscriberId returns odd results.

--

/usr/local/fds/shared/bin/ldapsearch -p 390 -x -D cn=testing -w 
testingpwd -b dc=test,dc=com subscriberId=6502272370

version: 1
dn: mailMSISDN=16502272370,dc=test,dc=com
objectClass: myUser
objectClass: top
mailMSISDN: 16502272370
subscriberId: 6502272370

dn: mailMSISDN=16502272371,dc=test,dc=com
objectClass: myUser
objectClass: top
mailMSISDN: 16502272371
subscriberId: 6502272371

dn: mailMSISDN=16502272372,dc=test,dc=com
objectClass: myUser
objectClass: top
mailMSISDN: 16502272372
subscriberId: 6502272372
--

 

I was expecting to get back 1 entry with matching subscriberId. Why do 
I get back 3 entries? Any ideas what I am doing wrong?


 


thanks in advance.





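A model of one way an over-range integer attribute can make an equality search return every entry, as an added example (my code, not 389/FDS code, and not a statement of what the server actually does): if the normaliser that builds the index key clamps at the platform's largest integer, every out-of-range value collapses onto a single key. That is the hypothesis behind George's suggestion to retry with a small subscriberId, and the three entries are the ones from Balaji's output.

```python
"""One way an out-of-range integer can make an equality search match
every entry: if the index normaliser clamps at the platform's largest
integer, every over-range value collapses onto the same key.

Added example, not 389/FDS code and not a claim about what the server
does; it models the hypothesis behind George's suggestion to retry with
a small subscriberId. The three entries are the ones from Balaji's output.
"""

INT32_MAX = 2**31 - 1
INT32_MIN = -2**31

ENTRIES = [
    ("mailMSISDN=16502272370,dc=test,dc=com", {"subscriberId": "6502272370"}),
    ("mailMSISDN=16502272371,dc=test,dc=com", {"subscriberId": "6502272371"}),
    ("mailMSISDN=16502272372,dc=test,dc=com", {"subscriberId": "6502272372"}),
]


def clamped_int32_key(value):
    """Normaliser that saturates the way strtol() does on a 32-bit platform."""
    return max(INT32_MIN, min(INT32_MAX, int(value)))


def exact_int_key(value):
    """Normaliser that keeps the full value (what integerMatch should do)."""
    return int(value)


def build_equality_index(entries, attr, keyfunc):
    """Equality index: normalised key -> list of entry DNs."""
    index = {}
    for dn, attrs in entries:
        index.setdefault(keyfunc(attrs[attr]), []).append(dn)
    return index


def equality_search(entries, attr, value, keyfunc):
    """Emulate an indexed (attr=value) search: the assertion value is
    normalised with the same function the index used, then looked up."""
    index = build_equality_index(entries, attr, keyfunc)
    return index.get(keyfunc(value), [])


def match_counts(entries=ENTRIES, value="6502272370"):
    """How many entries (subscriberId=value) returns under each normaliser."""
    return {
        "clamped 32-bit": len(equality_search(entries, "subscriberId", value,
                                              clamped_int32_key)),
        "exact": len(equality_search(entries, "subscriberId", value,
                                     exact_int_key)),
    }


if __name__ == "__main__":
    print(match_counts())
    # George's test: with small values the two normalisers agree
    small = [(dn, {"subscriberId": str(10 + i)}) for i, (dn, _) in enumerate(ENTRIES)]
    print(match_counts(small, "10"))
```

All three subscriberId values exceed 2^31-1, so under the clamping normaliser they share the key 2147483647 and a search for any one of them returns all three, while small values match one entry under either normaliser. If the small-value test George proposes behaves correctly on the real server, the range of the attribute is the thing to look at.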


Re: [Fedora-directory-users] disable anonymous binding

2007-05-14 Thread George Holbert

You will want to set up ACIs to allow the minimum necessary access.
See:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html
Be prepared for some trial-and-error experimentation to learn how to 
implement your intended access policy.

Good luck!
-- George


Tony wrote:

Hi,

I'm very new to FDS, but I have succeeded in getting it up and
running on top of CentOS 4.4, and have populated it with a basic list
of users and their details. I've even got SSL working properly. Now
I'd like to open port 636 to the outside world to let my users see the
address list etc while they are outside the LAN. However I don't want
anyone to bind anonymously to then pull out all the staff details -
emails, phone numbers etc - so I'd like to prevent anonymous binds and
make sure that all users authenticate before being allowed to access
the data.

Could some kind person point me at the docs/info in order to do that?
I did find the Require Client Authentication check box but I believe
that is something else - or am I wrong?







Re: [Fedora-directory-users] Modify the Schema

2007-05-02 Thread George Holbert

Try:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/scmacfg.html

Patricio A. Bruna wrote:

Hi,
Does anyone know where I can read about building my own schema?


Thanks.









Re: [Fedora-directory-users] Modify the Schema

2007-05-02 Thread George Holbert

Hi Patricio,
Sorry, I should have posted this:
http://www.redhat.com/archives/fedora-directory-users/2006-December/msg00090.html

Patricio A. Bruna wrote:

Thanks George,
But I need something a bit more low level, like how the schema works, and how to make a 
schema with vi :)


- George Holbert [EMAIL PROTECTED] wrote:

Try:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/scmacfg.html

Patricio A. Bruna wrote:


Hi,
Does anyone know where I can read about building my own schema?


Thanks.

















Re: [Fedora-directory-users] Non-indexed searches on objectclass?

2007-04-10 Thread George Holbert

objectclass is indexed by default, so you shouldn't have to add it.

Maybe your searches are exceeding the All IDs threshold.
Take a look at:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/index1.html#1110655

Philip Kime wrote:
When I look at the logconv output for some of my FDS servers, I see 
that the common factor on all listed unindexed searches is using the 
objectclass attribute. Is it worth indexing this?
 
PK
 
--

Philip Kime
NOPS Systems Architect
310 401 0407
 






[Fedora-directory-users] ip in ACI bind rules

2007-03-30 Thread George Holbert
I've noticed that the 'ip' keyword in ACI bind rules seems to have no 
effect on its own. For example,


This does not deny access to IP 1.2.3.4:

aci: (version 3.0; acl "Deny 1.2.3.4"; deny(all) (ip = "1.2.3.4");)



But when combined with a userdn clause like this, it works:

aci: (version 3.0; acl "Deny 1.2.3.4"; deny(all) (userdn = "ldap:///anyone") and (ip = "1.2.3.4");)



Is this known/expected behavior?
Just want to make sure I'm interpreting this right.

Thanks a lot,
-- George


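The two ACI shapes from this thread and from Tony's "disable anonymous binding" question above, written out as one ldapmodify input. This is an added example, not from the thread or the Red Hat docs: the suffix dc=example,dc=com, the attribute list and the address 1.2.3.4 are placeholders.

```ldif
# Added example, not the thread's own ACIs. Suffix, attributes and the
# address are placeholders; apply with:
#   ldapmodify -x -D "cn=Directory Manager" -W -f acis.ldif
#
# First rule: "ldap:///all" means any authenticated (non-anonymous) bind.
# With no allow rule for "ldap:///anyone", anonymous clients can still
# bind but get nothing back, which is the effect Tony is after.
#
# Second rule: "ldap:///anyone" covers authenticated and anonymous alike;
# pairing it with the ip keyword is the combination George found takes
# effect, where (ip = ...) on its own did not.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="cn || mail || telephoneNumber || ou")(version 3.0; acl "Authenticated users may read the address list"; allow (read, search, compare) userdn="ldap:///all";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "Deny 1.2.3.4"; deny (all) userdn="ldap:///anyone" and ip="1.2.3.4";)
```

The first rule only closes the door if the "Enable anonymous access" ACI that the default install places on the suffix (an allow for userdn="ldap:///anyone") is removed first; otherwise anonymous clients keep reading through that rule. The "Require Client Authentication" box Tony found is a different control: it demands a TLS client certificate from every SSL connection rather than restricting anonymous LDAP binds.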


[Fedora-directory-users] virtual attributes in targetfilter

2007-03-30 Thread George Holbert
Under recent versions of FDS, is it OK to use virtual attributes (i.e., 
nsRole or CoS-generated) in ACI targetfilters?
In earlier versions of Netscape DS, this was not recommended, and this 
is still mentioned in the RHDS 7.1 docs:


http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1013769

However, in testing I haven't seen any problems so far doing this, and 
have noticed examples of it elsewhere, e.g.:


http://www.redhat.com/archives/fedora-directory-users/2005-June/msg00188.html

Are the docs just a little dated on this, or is it still not a good idea?

Thank you!
-- George




Re: [Fedora-directory-users] How to change password storage method?

2007-03-29 Thread George Holbert


However - it has not solved this problem. The password is still being
sent in the clear. I have /etc/ldap.conf including the line:

pam_password md5


pam_password controls how new passwords are hashed locally before 
updating an account's password attribute, i.e. when someone changes 
their password.


If you want the hash setting on the server to always be honored, use 
pam_password clear.


Comments from PADL's ldap.conf:

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear



Pete Rowley wrote:

Andy Schofield wrote:

My real problem is that clients are broadcasting passwords in the
clear (despite pam being told to use md5 with ldap). I am assuming
that is because the ldap server is using SSHA and pam is using md5 so
they negotiate to send passwords in the clear. Does that sound right?



However - it has not solved this problem. The password is still being
sent in the clear. I have /etc/ldap.conf including the line:
What you need is not a hashed password sent over the wire (which 
achieves very little) but an encrypted transport using SSL, or SASL 
and kerberos.








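George's point (pam_password only changes how a new password is hashed before it is written) and Pete's (protect the transport instead) together, as the weak PADL /etc/ldap.conf lines beside a hardened version. This is an added example, not Andy's file; host names are placeholders, and the CA path is the one from Colin's configuration elsewhere on this page.

```conf
# Added example, not the thread's own /etc/ldap.conf. Host names and the
# CA file are placeholders. Only the lines that matter here are shown.

# --- weak: plain LDAP on 389. "pam_password md5" changes only how a NEW
# --- password is hashed before it is written; every bind still sends the
# --- password in the clear, which is what the packet capture showed.
host ldap1.company.com ldap2.company.com
port 389
pam_password md5

# --- hardened: encrypt the session with STARTTLS and verify the server
# --- certificate; hand new passwords over as-is so the server applies its
# --- own configured scheme (SSHA) instead of a client-side MD5.
uri ldap://ldap1.company.com ldap://ldap2.company.com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ldap/cacert.pem
pam_password clear
```

With "pam_password clear" the server's password storage scheme is always honoured, which is George's recommendation; "ssl on" with port 636 (as in Colin's file) is the LDAPS alternative to start_tls. Either way the bind password crosses the wire only inside TLS, and tls_checkpeer keeps a client from silently accepting an impostor's certificate.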


Re: [Fedora-directory-users] Failover between masters

2007-03-28 Thread George Holbert



What we're finding is if ldap1 dies for some reason, the clients don't 
failover to ldap2. 


We don't know if the problem is client side or server side.



When ldap1 dies, do you see any activity in ldap2's access log?  If not, 
you know the clients aren't making the switch to ldap2.


On one of your Linux LDAP clients, try doing this while ldap1 is down:
# service nscd stop
# strace getent passwd
Among the tons of output should be some indication of what LDAP servers 
are being tried.



Coe, Colin C. (Unix Engineer) wrote:


Hi all

We are currently using Sun's Directory server and have had some 
problems with clients failing over to the other master if one fails.  
The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the 
Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.


/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
ssl on
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST ldap1.company.com ldap2.company.com
PORT 636
SASL_SECPROPS noanonymous,noplain
SIZELIMIT 0
TIMELIMIT 0
DEREF never
TLS_CACERT  /etc/ssl/ldap/cacert.pem
TLS_REQCERT demand

We're using the bog standard nscd daemons provided by the OS vendors.  
We also use IDSync to synchronise user passwords from AD to LDAP but 
not from LDAP to AD.


What we're finding is if ldap1 dies for some reason, the clients don't 
failover to ldap2. 

We don't know if the problem is client side or server side.  Would 
Fedora Directory Server, set up in a similar manner, also not failover 
properly?  While we're prepared to look at Fed DS, there is a feeling 
that it too will behave in the same manner, given they are both forks 
of the same project.


Comments?

Thanks

CC





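A model of how pam_ldap/nss_ldap walks its host list, covering both this thread and the "failover works but very slow" thread above: it shows where the delay Hai Wu measured comes from (a host that does not answer at all costs a full bind_timelimit on every lookup, while a host that refuses the connection costs nothing) and why George asks whether ldap2's access log shows anything when ldap1 is down. This is an added example, not code from either thread or from PADL's libraries; the ldap.conf lines are the ones posted in the thread, the per-host states are constructed scenarios, and no network I/O is performed.

```python
"""Model of pam_ldap/nss_ldap walking its 'host' list, to show where the
delay Hai Wu measured comes from and why George asks whether ldap2's
access log shows anything at all when ldap1 is down.

Added example, not code from the thread or from PADL's libraries. The
ldap.conf lines are the ones posted in the thread; the per-host states
("up", "refused", "dead") are constructed scenarios and no network I/O
is performed, the waiting time is only computed.
"""

SAMPLE_LDAP_CONF = """\
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
"""


def parse_ldap_conf(text):
    """Parse the 'keyword value' lines of a PADL-style ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def simulate_lookup(conf, host_state):
    """Try the hosts in the order listed, as the client library does.

    host_state maps a host to:
      "up"      - slapd answers, the connect succeeds at once;
      "refused" - the box is alive but slapd is stopped: the kernel answers
                  with RST and the client moves on immediately (the
                  'still pingable' case, no delay);
      "dead"    - the box is gone: nothing answers, so the client waits the
                  whole bind_timelimit before trying the next host.
    Returns (host that answered or None, modelled seconds spent waiting).
    """
    timelimit = float(conf.get("bind_timelimit", "30"))
    spent = 0.0
    for host in conf.get("host", "").split():
        state = host_state.get(host, "up")
        if state == "dead":
            spent += timelimit
        elif state == "up":
            return host, spent
        # "refused": no delay, fall through to the next host
    return None, spent


def delays_by_scenario(conf_text=SAMPLE_LDAP_CONF):
    """Host used and seconds waited for the situations described in the
    thread. Every process that does an NSS lookup pays this again unless
    nscd has the answer cached, which is why 'ls' and opening a terminal
    feel slow rather than one login being slow."""
    conf = parse_ldap_conf(conf_text)
    scenarios = {
        "primary powered off (does not ping)": {"1.1.1.1": "dead"},
        "primary up, slapd stopped": {"1.1.1.1": "refused"},
        "IP-takeover workaround (1.1.1.1 now answered by ldap2)": {},
        "both servers gone": {"1.1.1.1": "dead", "2.2.2.2": "dead"},
    }
    return {name: simulate_lookup(conf, state) for name, state in scenarios.items()}


if __name__ == "__main__":
    for name, (host, seconds) in delays_by_scenario().items():
        print(f"{name:55} -> {host}, waited {seconds:.0f}s")
```

Hai Wu's bind_timelimit 1 shrinks the "dead" case from 3 to 1 second per lookup, and his eth0:0 takeover makes it vanish because the first address in the list answers again; a load balancer in front of the servers, as George suggests, gets the same result without touching clients. For Colin's case, where clients never reach ldap2 at all, George's `strace getent passwd` with nscd stopped is the quickest way to see which addresses the library actually tries and how long it waits on each.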


Re: [Fedora-directory-users] Trying to set up a simple authentication and file server

2007-03-27 Thread George Holbert

Hi Andy,

Not to discourage you, but if you're going to switch from NIS to LDAP, 
be prepared to spend a lot of time.
For a single site with 20 users, the simplicity of NIS might make it a 
better choice, particularly since you and your co-workers  are already 
familiar with it.



(1) Is fedora-ds the right tool for the job? Perhaps it is using a
sledgehammer to crack a nut.


FDS is a great tool, but yeah, it is kind of a sledgehammer for your case.



(3) How do I add the automap? Various websites talk about
automountInformation: entry, but where does that come in? It does not
appear as an attribute I can add to a person.


You need to add some extra schema.
http://directory.fedora.redhat.com/wiki/Howto:Automount



(4) Does anyone know of a simple walk-through documentation to do this
as I am surely not the first person to try and do this with FDS?


Gary Tay has a lot of good notes on NIS-to-LDAP topics here:
http://web.singnet.com.sg/~garyttt

I don't know of any one-size-fits-all recipes.

Good luck!
-- George



Andy Schofield wrote:

Please excuse the obvious newbie posting: I am struggling to get my
head round fedora-ds and what I am trying to do must be so standard.

I am trying to set up a simple server for about 20 users that allows
clients running Redhat Enterprise 4 to authenticate over ldap and find
the automounter map which tells them how to automount a users home
space. 


We are moving from a solaris NIS server which from a clients
perspective is trivial to setup:
 you just run system-config-authentication
 + enable configure NIS
 + fill in the NIS domain and the NIS server and it just works.

Running system-config-authentication also has an option to enable
configure LDAP where you fill in the LDAP Search Base DN and the LDAP
Server. I would like to create the server that will respond
appropriately. 


So my questions:

(1) Is fedora-ds the right tool for the job? Perhaps it is using a
sledgehammer to crack a nut.

(2) I've more or less got the authentication bit working but the
console seems counter intuitive. The opening screen has a tab Users
and Group which allows you to search and add users but this, as far as
I can see, as nothing to do with the users that the server will
authenticate. They need to be added way down the tree, 
by opening the Directory Server,
choosing the suffix and rightclicking the People and adding new. 
Is this the correct method of adding users?

(I don't want to import them from the passwd file - there are so few of
them I want to do things by hand).

(3) How do I add the automap? Various websites talk about
automountInformation: entry, but where does that come in? It does not
appear as an attribute I can add to a person.

(4) Does anyone know of a simple walk-through documentation to do this
as I am surely not the first person to try and do this with FDS?

Thanks for your help
Andy





Re: [Fedora-directory-users] Adding custom attributes without the gui

2007-03-26 Thread George Holbert

http://www.redhat.com/docs/manuals/dir-server/schema/7.1/schemaTOC.html
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/schema.html



James S. White wrote:

How does one add custom attributes and objectclasses without using the
GUI in fedora-ds





Re: [Fedora-directory-users] lookthrough vs. sizelimit

2007-03-14 Thread George Holbert

The notion behind lookthrough limit is that the administrator
can determine an upper bound for the amount of WORK that
the server will perform for a given client's search.


That makes sense.
Does this mean if a sizelimit (not lookthrough) is hit, the server 
continues searching the database, even though it has already returned 
error code 4 to the client?


Thanks for the responses,
-- George


David Boreham wrote:


The notion behind lookthrough limit is that the administrator
can determine an upper bound for the amount of WORK that
the server will perform for a given client's search. This is
basically a simple form of denial of service control.
So clients that hit the limit are not expected to receive
useful results at all. The client should say something like
'the server didn't complete your search because you burned
too much gas'.

I believe it is fairly common to want to set a lookthrough limit
for 'ordinary' users, but have an infinite limit for special accounts
that are expected to perform expensive searches.

There are other ways to skin the cat, for example denying
certain users the ability to perform un-indexed searches at all.


Paul Engle wrote:

As I understand it, sizelimit determines the maximum number of 
results that are returned from the search, whereas lookthroughlimit 
determines the maximum number of things that will be searched in the 
first place.


Frankly, in our setup I have lookthroughlimit set to -1 (unlimited). 
Since the order of the searching is non-deterministic, I can't fathom 
any use for it. It has to be at least as large as your largest 
searchable tree, or else there will be entries that can never be 
returned in a search. If anyone out there is using this parameter, 
can you explain how/why?


 -paul

--On Wednesday, March 14, 2007 12:45:49 PM -0700 George Holbert 
[EMAIL PROTECTED] wrote:

Something I've been wondering about:
It seems like nsslapd-lookthroughlimit and nsslapd-sizelimit effectively
do the same thing, but just return a different error code.

If nsslapd-lookthroughlimit is lower, the error code is 11 and the error
message is:
ldap_search: Administrative limit exceeded

If nsslapd-sizelimit is lower, the error code is 4 and the error message
is:
ldap_search: Sizelimit exceeded

I've read the description of both of these variables many times in the
documentation, and I think I understand the theoretical difference.  But
in practical terms, it still seems like whichever has the higher value
will never have an effect, since the lower limit on the other is always
hit first.

Can anyone describe a practical situation where both the lookthrough and
size limits would come into play?
Is there any particular reason to prefer one or the other to enforce
maximum search result limits?


Thank you!
-- George


  




-- Paul D. Engle             | Rice University
Sr. Systems Administrator    | Information Technology - MS119
(713) 348-4702               | P.O. Box 1892
[EMAIL PROTECTED]            | Houston, TX 77251-1892



--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] lookthrough vs. sizelimit

2007-03-14 Thread George Holbert

No. That'd be quite silly, wouldn't it ?


Absolutely :), that's why I was curious.
So correct me if this is wrong, but it sounds like either of the two can be 
used to limit how much the server works on a search, but they each take 
effect at a different part of the search algorithm.
I still wonder why you'd choose one over the other to implement result 
limits?  Seems kind of like a door with two knobs.  Maybe there's some 
specific cases where one is preferable.


Thanks again for the replies,
-- George


David Boreham wrote:

George Holbert wrote:


The notion behind lookthrough limit is that the administrator
can determine an upper bound for the amount of WORK that
the server will perform for a given client's search.



That makes sense.
Does this mean if a sizelimit (not lookthrough) is hit, the server 
continues searching the database, even though it has already returned 
error code 4 to the client?


No. That'd be quite silly, wouldn't it ?

It _might_ do a bunch of work up front to service a search
only to discover when sending entries back to the client that the
size limit is exceeded.











Re: [Fedora-directory-users] lookthrough vs. sizelimit

2007-03-14 Thread George Holbert

That clarifies it perfectly.
Thanks for the example!

Richard Megginson wrote:

In general, lookthroughlimit is much stricter than sizelimit.

For example, let's say a user wants to do an unindexed search for 
(description=*something*).  Let's say that there are 5000 users and 
1000 users who have a description attribute that matches *something*.  
The server will have to search through every entry in sequential 
(indeterminate) order to find matches.


If you set lookthroughlimit to be 1000, and set sizelimit to be 
unlimited, the server will look at up to 1000 entries looking for 
description=*something*.  Some of them may match, some of them may 
not, and the server will return 1000 or fewer entries 
(indeterminate).  The server is limited in the amount of work it 
performs searching through the database.


If you set sizelimit to be 1000, and set lookthroughlimit to be 
unlimited, the server could look at all 5000 user entries, until it 
finds 1000 entries which match, at which point it will terminate the 
search and return the 1000 entries to the user.



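To make Richard's example above concrete, here is an added example (written for this page; it is not code from the thread or from the directory server) that models an unindexed scan over a constructed database with the thread's numbers: 5000 entries, 1000 of which match. The result codes 4 and 11 are the ones George quoted. The model checks the lookthrough limit before each entry is examined and the size limit when one more match than the limit turns up, which simplifies the real server's bookkeeping; the two "both limits set" cases show that which limit fires first depends on how densely the matches are spread through the database, not only on which number is smaller.

```python
"""Toy model of nsslapd-lookthroughlimit vs nsslapd-sizelimit on an
unindexed search. Added example, not code from the thread or from the
directory server; it simplifies the real server's bookkeeping."""
import random

# LDAP resultCode values quoted earlier in the thread
SUCCESS = 0
SIZELIMIT_EXCEEDED = 4        # "ldap_search: Sizelimit exceeded"
ADMINLIMIT_EXCEEDED = 11      # "ldap_search: Administrative limit exceeded"
UNLIMITED = -1                # the server's "no limit" setting


def build_entries(total=5000, matching=1000, seed=1):
    """Constructed sample database of (dn, description) pairs in shuffled
    order: an unindexed scan walks entries in database order, which the
    client cannot predict (the 'indeterminate' order in the thread)."""
    rng = random.Random(seed)
    descriptions = (["this has something in it"] * matching
                    + ["nothing here"] * (total - matching))
    rng.shuffle(descriptions)
    return [("uid=user%d,ou=People,dc=example,dc=com" % i, d)
            for i, d in enumerate(descriptions)]


def unindexed_search(entries, lookthroughlimit=UNLIMITED,
                     sizelimit=UNLIMITED, needle="something"):
    """Scan entries one by one and return (resultCode, dns, examined).

    lookthroughlimit bounds WORK: the scan stops once that many entries
    have been examined, whatever was found. sizelimit bounds the RESULT:
    the scan stops when one more match than the limit turns up, and only
    the first `sizelimit` matches are returned."""
    dns, examined = [], 0
    for dn, description in entries:
        if lookthroughlimit != UNLIMITED and examined >= lookthroughlimit:
            return ADMINLIMIT_EXCEEDED, dns, examined
        examined += 1
        if needle in description:
            if sizelimit != UNLIMITED and len(dns) >= sizelimit:
                return SIZELIMIT_EXCEEDED, dns, examined
            dns.append(dn)
    return SUCCESS, dns, examined


def work_bound_only(entries, limit=1000):
    """Richard's first case: lookthroughlimit set, sizelimit unlimited."""
    return unindexed_search(entries, lookthroughlimit=limit)


def result_bound_only(entries, limit=500):
    """Richard's second case: sizelimit set, lookthroughlimit unlimited
    (500 here rather than 1000 so the 1000 matches actually exceed it)."""
    return unindexed_search(entries, sizelimit=limit)


if __name__ == "__main__":
    db = build_entries()
    cases = [
        ("lookthrough=1000, size=unlimited", work_bound_only(db)),
        ("size=500, lookthrough=unlimited", result_bound_only(db)),
        ("lookthrough=1000, size=100 (size bites first)",
         unindexed_search(db, lookthroughlimit=1000, sizelimit=100)),
        ("lookthrough=200, size=150 (lookthrough bites first)",
         unindexed_search(db, lookthroughlimit=200, sizelimit=150)),
    ]
    for label, (rc, found, seen) in cases:
        print("%-52s rc=%-2d returned=%-4d examined=%d"
              % (label, rc, len(found), seen))
```

The `examined` column is the quantity a lookthrough limit protects: it is the work an unindexed search costs the server regardless of how few entries the client gets back, which is why the limit is a denial-of-service control rather than a result-size control.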


Re: [Fedora-directory-users] LDAP and RDBMS Integration

2007-03-13 Thread George Holbert
Sun recently released an LDAP proxy server product which is advertised as 
a solution to this kind of problem.
The idea is it acts as a frontend LDAP server to multiple types of 
backend data sources.
Here's the man page to the commandline config program (dpconf), which 
will give you an idea of what it's supposed to be able to do:

http://docs.sun.com/app/docs/doc/819-0986/6n3chglmc?a=view

I haven't used it personally, but it looks like it might be of interest for 
you.



Bill Bailey wrote:


Hi,

I noticed on the list of features an item indicating that data 
interoperability plug-ins are available to allow the use of an RDBMS 
as a data source, but I’m having trouble locating the specifics (e.g. 
which databases, what sort of integration, etc.) in the documentation. 
Anyone have any pointers on where I can find more information on this?


In particular, I’m struggling with whether to use a directory server 
for user management or a database. If I store users in my LDAP 
directory (e.g. username, password, name, address, phone, etc.), there 
is still user data that I need to store in a database (e.g. 
transaction data or other frequently modified data) … and I need to be 
able to correlate the two. For example, for reporting I may need to 
display both the basic user info and demographic information that is 
so well suited for a directory alongside data that comes from a 
database. This seems to me problematic since the data models and query 
languages are different. And even if I could make the LDAP data look 
like something I could query with SQL … and join with real RDBMS 
tables … it would seem likely that performance might be less than great.


My thinking is that if I could get the LDAP server to use e.g. MySQL 
under the covers for storage, but I could still get access (read-only) 
to the underlying tables, I might be able to have the best of both 
worlds (assuming the underlying table structure was amenable to being 
joined to my tables without to many contortions). I’m guessing my 
dilemma isn’t new … has anyone else struggled with this and, if so, 
how did you resolve it? And have been satisfied with the solution you 
selected?



Thanks for any input or comments.

Bill Bailey








Re: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?

2007-03-07 Thread George Holbert
If a machine is disconnected from the network, a login attempt as 
'root' user (with local passwd file entry and password) fails.

...
I think I need to configure something such that the nsswitch.conf 
entry tells it to stop if it finds the 'files' entry and not proceed 
to the 'ldap' entry.  I thought this would happen by default.


At least for authentication, this behavior depends also on your PAM config.

You need to make sure that the auth and account stacks will succeed for 
local accounts (e.g., root) without asking pam_ldap.

What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 clients?


MJD Shop Account wrote:
I'm having some odd ldap issues with connection or lack thereof to 
ldap server when nsswitch.conf and pam.d/system-auth are configured to 
use FDS ldap server.


I'm running both RHEL3 and RHEL4 clients.  My servers are RHEL4 update 
4 and FDS 1.0.4.  My /etc/ldap.conf is configured with two host 
names.  I've noticed these issues:


* If a machine is disconnected from the network, a login attempt
  as 'root' user (with local passwd file entry and password)
  fails.  The system appears to accept the password, but sits for
  maybe a minute, then dumps you back to the login prompt.  I've
  had to  boot off rescue CD and shell in to remove 'ldap' from
  the /etc/nsswitch.conf file to get around this in some instances.

  My relevant /etc/ldap.conf entries are:
  passwd: files ldap
  shadow: files
  group:  files ldap
  netgroup:   files ldap

* I noticed that any randomly chosen client has a few
  connections to the ldap server that persist.  The connections
  are tied to processes that also should have local entries only
  in the local /etc/passwd files.  Here's an example:
  # netstat -a | grep ldap
  tcp   38  0 clienthostname:32771 serverhostname:ldap
  CLOSE_WAIT 
  # fuser 32771/tcp

  here: 32771
  32771/tcp:3729
  # ps -ef | grep 3729 | grep -v grep
  ntp   3729 1  0 Feb23 ?00:00:00 ntpd -u ntp:ntp
  -p /var/run/ntpd.pid -g
  #

* I notice that doing a netstat -a on the server that most
  clients are using takes a long time.  It spits out a  bunch,
  then slows down when reporting the entries that are ESTABLISHED
  ldap connections:
  tcp0  0 ldapserver:ldap ldapclient:35908 ESTABLISHED
  I see that some clients have very many connections, I would
  expect just one or two.  Here's one client that had a whole
  bunch, most disappeared before I could capture this bash shell
  command output.  This output is for jobs associated with ports
  connecting to ldap server:
  # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d 
  -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef |
  grep $j | grep -v grep; done; done
  xfs   2726 1  0 Feb20 ?00:00:00 xfs -droppriv
  -daemon
  root  3138  3031  0 Feb20 ?00:00:00
  /usr/bin/gdm-binary bell-style none
  root  3418  3138  0 18:32 ?00:00:02 /usr/X11R6/bin/X
  :0 -auth /var/gdm/:0.Xauth vt7
  gdm   3430  3138  0 18:32 ?00:00:00 /usr/bin/gdmgreeter
  root  2477  2617  0 18:22 ?00:00:01 sshd: [EMAIL PROTECTED]/0
  root  2481  2477  0 18:22 pts/000:00:00 -tcsh

  I ran a similar command on a client computer where the user is
  running a lot of jobs, I got 53 lines of output.  Basically
  every job is maintaining an ldap connection, I guess.

* I think I need to configure something such that the
  nsswitch.conf entry tells it to stop if it finds the 'files'
  entry and not proceed to the 'ldap' entry.  I thought this would
  happen by default.

* I think the above problem is possibly leading to many more ldap
  connections than are necessary which in turn may be causing
  performance issues on the server, ALTHOUGH the cpu load and
  memory load does not appear inordinately heavy

* I tried running nscd (for caching the info) once, it seemed to
  cause too many problems so I turned it off.  I have tried
  something like implementing pam_ccache, I don't think it would
  help the too-many-connections, just the issue with no logins
  when off the net.

* Here's my /etc/ldap.conf minus the usual comment lines, I'm
  doing anonymous binds.  Maybe there's some  keepalive flag that
  should be set or unset?:
  host server1 server2
  base dc=example,dc=com
  ldap_version 3
  scope sub
  bind_timelimit 10
  pam_lookup_policy yes
  pam_password exop
  nss_base_passwd ou=People,dc=example,dc=com?one
  nss_base_group  ou=Group,dc=example,dc=com?one
  nss_base_services   ou=Services,dc=example,dc=com?one
  nss_base_aliasesou=Aliases,dc=example,dc=com?one
  

Re: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?

2007-03-07 Thread George Holbert

For RHEL3,
change:
account required  /lib/security/$ISA/pam_unix.so broken_shadow
to:
account sufficient  /lib/security/$ISA/pam_unix.so broken_shadow

Keep in mind that this will make the account stack succeed in most cases 
before it hits pam_ldap, which means pam_ldap won't be used for enforcing 
account policy.  See below for an alternate method, if this matters for you.


For RHEL4, disconnected root login _should_ already be working, because of 
the extra line:
account sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet


As you can probably tell, this line makes the stack succeed if the user's 
uid is less than 100, which is of course true for root.


The alternate RHEL3 fix would be to manually compile and deploy 
pam_succeed_if.so on your RHEL3 clients, and use the same system-auth you 
currently have on your RHEL4 clients.



- Original Message - 
From: MJD Shop Account [EMAIL PROTECTED]
To: George Holbert [EMAIL PROTECTED]; General discussion list for 
the Fedora Directory server project. fedora-directory-users@redhat.com

Sent: Wednesday, March 07, 2007 8:13 PM
Subject: Re: [Fedora-directory-users] ldap too many connections from 
clients? following ldap even for local accounts?




My RH3 system-auth is as follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so

#account    required      /lib/security/$ISA/pam_deny.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_krb5.so


My RH4 version   is the same, with this difference:
--- system-auth.RH3 2006-10-25 22:49:19.0 -0400
+++ system-auth.RH4 2006-10-25 22:42:05.0 -0400
@@ -8,6 +8,7 @@
authrequired  /lib/security/$ISA/pam_deny.so

account required  /lib/security/$ISA/pam_unix.so broken_shadow
+account sufficient/lib/security/$ISA/pam_succeed_if.so uid  100 
quiet
account [default=bad success=ok user_unknown=ignore] 
/lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] 
/lib/security/$ISA/pam_krb5.so

#account required  /lib/security/$ISA/pam_deny.so
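Review bot: the added `+account sufficient/lib/security/$ISA/pam_succeed_if.so uid  100 quiet` line has lost the comparison operator between `uid` and `100` as shown; the reply above reads it as uid less than 100, so the intended line is `uid < 100`, and as quoted it would not parse as intended. Placing it as `sufficient` ahead of the pam_ldap and pam_krb5 lines is what lets low-uid local accounts such as root finish the account stack without contacting the LDAP server, which is why the RHEL4 clients still allow disconnected root login while the RHEL3 stack, which lacks this line, does not; accounts with a uid at or above the threshold still fall through to pam_ldap as before.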


-Original Message-

From: George Holbert [EMAIL PROTECTED]
Sent: Mar 7, 2007 8:42 PM
To: MJD Shop Account [EMAIL PROTECTED], General discussion list for 
the Fedora Directory server project. fedora-directory-users@redhat.com
Subject: Re: [Fedora-directory-users] ldap too many connections from 
clients? following ldap even for local accounts?



If a machine is disconnected from the network, a login attempt as
'root' user (with local passwd file entry and password) fails.
...
I think I need to configure something such that the nsswitch.conf
entry tells it to stop if it finds the 'files' entry and not proceed
to the 'ldap' entry.  I thought this would happen by default.


At least for authentication, this behavior depends also on your PAM 
config.


You need to make sure that the auth and account stacks will succeed for
local accounts (e.g., root) without asking pam_ldap.
What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 
clients?



MJD Shop Account wrote:

 I'm having some odd ldap issues with connection or lack thereof to
ldap server when nsswitch.conf and pam.d/system-auth are configured to
use FDS ldap server.

I'm running both RHEL3 and RHEL4 clients.  My servers are RHEL4 update
4 and FDS 1.0.4.  My /etc/ldap.conf is configured with two host
names.  I've noticed these issues:

* If a machine is disconnected from the network, a login attempt
  as 'root' user (with local passwd file entry and password)
  fails.  The system appears to accept the password, but sits for
  maybe a minute, then dumps you back to the login prompt.  I've
  had to  boot off rescue CD and shell in to remove 'ldap' from
  the /etc/nsswitch.conf file to get around this in some
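As an added illustration of the PAM point in this thread (it is not code from the thread or from Linux-PAM), the following model evaluates the three account stacks discussed here under Linux-PAM's control semantics and reports which modules are actually consulted. It shows why the RHEL3 stack still asks pam_ldap for a local root login and therefore fails when the client is disconnected, why both of George's fixes (pam_unix marked `sufficient`, or the RHEL4 pam_succeed_if line) finish the stack before pam_ldap is reached, and the caveat he raises: with pam_unix `sufficient`, a directory user also bypasses pam_ldap's account policy, whereas the pam_succeed_if variant still consults it for ordinary uids. The module outcomes are assumptions (a local root login with the LDAP server unreachable, and a directory user with a constructed uid of 5000 with the server reachable), and the model covers only the ok/done/bad/die/ignore actions and the `uid < N` test of pam_succeed_if.

```python
"""Model of Linux-PAM 'account' stack evaluation for the three stacks in
this thread. Added example, not code from the thread or from Linux-PAM;
module outcomes are assumptions (see the two outcome functions)."""
import operator

RHEL3_STACK = """
account required   /lib/security/$ISA/pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
"""
# George's RHEL3 fix: pam_unix becomes 'sufficient'
RHEL3_FIXED_STACK = RHEL3_STACK.replace("account required", "account sufficient", 1)
# RHEL4 stack: pam_succeed_if sits before pam_ldap and is 'sufficient'
RHEL4_STACK = RHEL3_STACK.replace(
    "account [default=bad",
    "account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet\n"
    "account [default=bad", 1)

# Linux-PAM's expansion of the simple control keywords into action tables
CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq, "!=": operator.ne}

def parse_stack(text, facility="account"):
    """Turn pam.d lines into (action table, module name, args) triples."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != facility:
            continue                      # blank, comment or other facility
        if tokens[1].startswith("["):     # bracketed control [default=bad ...]
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            spec = " ".join(tokens[1:end + 1]).strip("[]")
            control = dict(kv.split("=", 1) for kv in spec.split())
            rest = tokens[end + 1:]
        else:
            control, rest = CONTROLS[tokens[1]], tokens[2:]
        entries.append((control, rest[0].rsplit("/", 1)[-1], rest[1:]))
    return entries

def run_stack(entries, outcome):
    """Walk the stack; outcome(module, args) gives each module's return value.
    Returns (final status, modules actually consulted)."""
    status, consulted = None, []
    for control, module, args in entries:
        ret = outcome(module, args)
        consulted.append(module)
        action = control.get(ret, control.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if status is None:
                status = ret              # 'ok' never overrides an earlier failure
            if action == "done":          # 'sufficient' success: stop here
                return status, consulted
        else:                             # 'bad' or 'die'
            if status in (None, "success"):
                status = ret              # the first failure is the one reported
            if action == "die":
                return status, consulted
    # assumption: an all-ignored stack is treated as a denial
    return (status if status is not None else "perm_denied"), consulted

def succeed_if_uid(args, uid):
    """Only the 'uid <op> N' test of pam_succeed_if is modelled."""
    i = args.index("uid")
    return OPS[args[i + 1]](uid, int(args[i + 2]))

def local_root_offline(module, args):
    """Assumed outcomes: root is in /etc/passwd and /etc/shadow; the LDAP
    server is unreachable (pam_ldap blocks, then fails); no Kerberos."""
    if module == "pam_unix.so":
        return "success"
    if module == "pam_succeed_if.so":
        return "success" if succeed_if_uid(args, 0) else "auth_err"
    if module == "pam_ldap.so":
        return "authinfo_unavail"
    return "user_unknown"

def ldap_user_online(module, args):
    """Assumed outcomes for a directory user (constructed uid 5000): nsswitch
    resolves it via LDAP and broken_shadow lets pam_unix pass; pam_ldap is
    reachable and would apply the directory's account policy."""
    if module == "pam_succeed_if.so":
        return "success" if succeed_if_uid(args, 5000) else "auth_err"
    return "user_unknown" if module == "pam_krb5.so" else "success"

if __name__ == "__main__":
    for name, stack in [("RHEL3", RHEL3_STACK), ("RHEL3 fixed", RHEL3_FIXED_STACK), ("RHEL4", RHEL4_STACK)]:
        for who, outcome in [("root offline", local_root_offline), ("ldap user online", ldap_user_online)]:
            status, consulted = run_stack(parse_stack(stack), outcome)
            print("%-12s %-17s -> %-17s %s" % (name, who, status, ", ".join(consulted)))
```

The `consulted` list is the thing to look at: in the unmodified RHEL3 stack pam_ldap is reached for root even though pam_unix already succeeded, because `required` never ends the stack early; in the other two stacks the `sufficient` entry ends it before pam_ldap, and only the pam_succeed_if version still hands directory users to pam_ldap.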

Re: [Fedora-directory-users] not enough file descriptors

2007-03-02 Thread George Holbert

What is the value of the nsslapd-maxdescriptors attribute on cn=config?

MJD Shop Account wrote:

I have a problem with running out of file descriptors.  I get this repeating message 
periodically in the /opt/fedora-ds/slapd-servername/logs/errors file:
[02/Mar/2007:13:25:45 -0500] - Not listening for new connections - too many fds 
open
[02/Mar/2007:13:25:46 -0500] - Listening for new connections again
[02/Mar/2007:13:25:47 -0500] - Not listening for new connections - too many fds 
open
[02/Mar/2007:13:25:47 -0500] - Listening for new connections again
...

When this happens, the users cannot log in for long periods and get angry.  
Imagine that.  I do have this in a multi-master configuration with a second 
master, which is different hardware and does not show this error.

I read the tuning page 
http://directory.fedora.redhat.com/wiki/Performance_Tuning#Linux, which 
recommends updating the filedescriptors limit like so:
echo 64000 > /proc/sys/fs/file-max

However mine is already well above that:
# cat /proc/sys/fs/file-max
128456

How much higher should I be setting it?  I am running RHEL 4 update 4, single 
Pentium III 1.4GHz processor, 1280MB of memory.

I don't have any settings in sysctl.conf or /etc/security/limits for soft/hard 
limits, how do I tell what the defaults on soft/hard limits are?


  






Re: [Fedora-directory-users] group mapping issue

2007-01-23 Thread George Holbert
This means the client can't find any group objects in your LDAP 
directory that have gidNumber=1676.

Have you loaded your group data into the directory?

Try this on one of your LDAP clients:
# getent group 1676

Then, see what search this generates on the LDAP server by looking at 
the access log.


You could also test with a manual ldapsearch, e.g.:
# ldapsearch -x -h ldap.example.com -D <binddn from clients' /etc/ldap.conf> -b dc=example,dc=com '(&(objectClass=posixGroup)(gidNumber=1676))'



Brandon Young wrote:

I have recently attempted to set up a Fedora Directory Server for
evaluation as a replacement for NIS.  Overall, the set up process was
pretty painless.  I spent some time reading the Installation Guide,
Administrator's Guide, and Deployment Guide beforehand.  Additionally,
I tracked down this wonderful guide
(http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html)
which seemed like exactly what I needed.

I am trying to (ultimately) set up a directory service which provides
user authentication for Linux and OS X clients.

The problem I have run in to is the following: when I issue the
command `ls`, I see the following:
~$ ls -l
total 1
drwxr-xr-x   2 bky 1676 336 Jan 23 09:12 Desktop
drwxr-xr-x   4 bky 1676 216 Jan 17 10:24 Documents
drwx--  19 bky 1676 544 Jan 22 12:19 Library
drwxr-xr-x   2 bky 1676  48 Jan 17 08:33 Movies
drwxr-xr-x   3 bky 1676  72 Jan 17 09:45 Music
drwxr-xr-x   2 bky 1676  48 Jan 17 08:30 Pictures
drwxrwxr-x   2 bky 1676  96 Dec 20 14:29 bin
drwxrwxr-x   3 bky 1676  72 Dec 20 15:53 svn
drwxr-xr-x   2 bky 1676  48 Jan 17 09:48 vmware
~$


if I issue the 'groups' command for the user, it tells me:

# groups bky
id: cannot find name for group ID 1676
#

So, it seems obvious to me that group mappings are not configured
correctly.  On the client side, I am using a CentOS 4.4 machine,
configured to use ldap using system-config-authentication, and further
tweaking /etc/ldap.conf values for nss_base_passwd, nss_base_shadow,
and nss_base_group.  Further, in digging through the mailing list
archives I found a suggestion to make sure pam_member_attribute was
set to uniqueMember -- which I tried, to no avail.  I also tried
starting nscd which does not fix it (but I didn't really feel like
that was the problem, anyway).

I will further mention here that the ldap-client package is installed
and I have not tried to configure SSL or TLS, yet.

So, with that in mind ... what very obvious thing am I missing?  Has
anyone seen and resolved this issue for themselves?  Any help would be
greatly appreciated.







Re: [Fedora-directory-users] big searches dont return anything

2007-01-11 Thread George Holbert

Is it possible for DB corruption to be replicated?
In other words, if a master replica's DB goes corrupt, how likely is that to 
corrupt the DB on the consumers (if at all)?

Thanks,
-- George

- Original Message - 
From: David Boreham [EMAIL PROTECTED]
To: General discussion list for the Fedora Directory server project. 
fedora-directory-users@redhat.com

Sent: Wednesday, January 10, 2007 8:07 AM
Subject: Re: [Fedora-directory-users] big searches dont return anything


Stéphane Konstantaropoulos wrote:


It'd be nice if it noticed by itself that the db is corrupted.

Unfortunately that's something of an AI problem :(
There is some code in the server that can compare the
results of an indexed vs an unindexed execution of the same
query (used in the past to debug query optimizations). Someone
could develop that into a kind of index inconsistency tool.
All out corruption (someone writes random c**p over the
database pages _will_ be detected). It sounds like you had
some inconsistency between the primary and secondary
indices. I'm not sure how that could have happened
(it shouldn't).






Re: [Fedora-directory-users] Extending inetOrgPerson Class

2006-12-13 Thread George Holbert

Hi Ankur,
Try these:
http://www.redhat.com/docs/manuals/dir-server/schema/7.1/schemaTOC.html
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/schema.html

All schema changes you make through the console or via LDAP 
modifications to cn=schema end up in 
serverRoot/slapd-serverID/config/schema/99user.ldif  (so named because 
it stores user-defined schema).


Alternatively, you can define schema in other LDIF files, and manually 
copy them to serverRoot/slapd-serverID/config/schema.

See the docs at the links above for more details.

-- George


Ankur Agarwal wrote:

Hi,
 
I want to add some attributes to my users hence want to extend 
inetOrgPerson class. Have a few questions related to that:
 
1) I am able to add attributes and create a new class extending 
inetOrgPerson using Red Hat directory console. But if i want to move 
these changes to other environment do i need to use console only to 
make changes manually? How can i export this new class and attributes 
and import on target environment?
 
2) If there is an optional attribute in inetOrgPerson that i want to 
make mandatory how can i do that?
 
3) How can i export my new ou and import it to target env?
 
I have looked at dsadm pdf documentation and could not find any ways 
to move changes using scripts/ldif files. Please help me here.
 
Thanks,






  






Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS

2006-12-01 Thread George Holbert
I've realised that the sync only takes the group and user objects from 
the OU or CN being specified.


Hi Darren,
As you noticed, the PassSync service isn't really intended to sync 
arbitrary data from AD to FDS.
Probably most people haven't yet tried to use it for this purpose, so no 
one has a good answer for you.
Browsing the source code might shed some light as to whether it can be 
made to do what you want.  PassSync is in the fedora-ds source, which 
can be downloaded from:

http://directory.fedora.redhat.com/wiki/Download

Good luck!


Paxton, Darren wrote:
Apologies for mailing yet again, however either my messages are not 
getting through (something I don't believe as I keep getting the post 
to the mailing list) - or for some reason, no one is willing to even 
acknowledge my issue.
 
In the spirit of the community - can someone at least acknowledge a 
message as I find it quite disheartening that I have had no replies at 
all even if just to point me somewhere for assistance.









Re: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?

2006-11-18 Thread George Holbert

Now, am I right in thinking that I can use clear as long as I'm using
SSL to the LDAP server?


Yes, sending un-hashed passwords over SSL is very safe.



What about setting local non-LDAP passwords with this set to clear
isn't that dangerous?


No worries about this, pam_ldap password settings don't affect passwords 
stored locally in /etc/passwd.  Your /etc/pam.d/system-auth password stack 
for Linux LDAP clients probably looks something like the below:


password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

When setting local passwords, the stack will never even invoke pam_ldap, 
since the pam_unix line is sufficient.




- Original Message - 
From: Philip Kime [EMAIL PROTECTED]

To: fedora-directory-users@redhat.com
Sent: Saturday, November 18, 2006 9:11 PM
Subject: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't 
seem to work?



I think I have an idea about this now ... the problem seems to be the
exop password modify request. Subtree and user policies are ignored from

ldappasswd (which uses exop)
PAM (when pam_password is set to exop in /etc/ldap.conf)

But are ok from

Ldapmodify
PAM (when pam_password is set to clear in /etc/ldap.conf)

So, the RFC 3062 password modification requests seem to bypass the
subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4.

Now, am I right in thinking that I can use clear as long as I'm using
SSL to the LDAP server? What about setting local non-LDAP passwords with
this set to clear isn't that dangerous? I can't use ssha for
pam_password as then password changes don't seem to work at all, which
is why I changed to exop.

PK






Re: [Fedora-directory-users] Trouble getting windows to talk to fds

2006-10-30 Thread George Holbert



"-P" takes the part of the filename leading up to 
"cert8.db" or "key3.db".
e.g.
Say you have:
slapd-example-cert8.db
slapd-example-key3.db

Then you would do this:
... -P slapd-example- ...



- Original Message - 
From: Bliss, Aaron
To: General discussion list for the Fedora Directory server project.
Sent: Monday, October 30, 2006 7:17 PM
Subject: [Fedora-directory-users] Trouble getting windows to talk to fds

Hi everyone, I'm having trouble with the directions in the wiki that deal 
with getting windows to sync with fds; I'm having trouble with this step; 
there are 2 files in my /opt/fedora-ds/alias file; 1 is the cert database, 
the other is the key database; are either of these the parameters that I'm 
supposed to be passing the -P option below? Thanks for your help.
Aaron

From your Fedora Directory Server, export the server certificate using pk12util.
cd "/opt/fedora-ds/alias/"
pk12util -d . -P slapd-instance -o servercert.p12 -n Server-Cert


Re: [Fedora-directory-users] modify userPassword via perl-ldap?

2006-10-25 Thread George Holbert
Are you prefixing the password with the hash you're using to encrypt the 
password?

e.g.,
{crypt}
or
{ssha}


Jo De Troy wrote:

Hello,

I'm trying to modify the userPassword value from within a perl script
using Perl::LDAP.
I generate an encrypted pwd in perl and then write it to FedoraDS via
ldap-modify
The update seems successful but when I query FedoraDS afterwards the
string in userPassword is not the same as the one I generated. What
exactly is happening in the background giving this result? I tried
writing the same value to another attribute (eg mail) and then it is
as expected.
What's the best way to update the userPassword from within perl?

Thanks again,
Jo






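An added example (not the poster's Perl script and not the server's own implementation) showing how a {SSHA} userPassword value is built and verified, and why a value written without a scheme prefix comes back changed: the server treats it as cleartext and hashes it itself, so the stored string no longer matches what the script generated. The 8-byte salt length and the sample password are assumptions.

```python
"""How a {SSHA} userPassword value is produced and checked, and why a value
written without a {scheme} prefix comes back different. Added example, not
the poster's Perl script or the server's implementation; the 8-byte salt
and the sample password are assumptions."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20           # sha1 digest length; the salt follows it in the blob


def is_prehashed(value):
    """True when the value carries a storage-scheme prefix such as {SSHA}
    or {crypt}; without one the server treats the value as cleartext."""
    return value.startswith("{") and "}" in value[1:]


def ssha_hash(password, salt=None):
    """Build '{SSHA}' + base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)   # assumption: 8 random bytes of salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the hash with the salt recovered from the stored value."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def value_to_store(value):
    """Model the server's decision on a userPassword write: a value with a
    scheme prefix is kept as sent, anything else is hashed before storage.
    This is the step that turned the script's string into something else."""
    return value if is_prehashed(value) else ssha_hash(value)


if __name__ == "__main__":
    written = "hunter2"                             # constructed sample
    stored = value_to_store(written)                # not equal to `written`
    print("stored:", stored, "verifies:", ssha_verify(written, stored))
    pre = ssha_hash(written)
    print("pre-hashed value kept as-is:", value_to_store(pre) == pre)
```

The salt is stored in the clear after the digest, so verification needs no secret beyond the candidate password; the constant-time comparison avoids leaking how many digest bytes matched. {SSHA} is salted SHA-1, the scheme the server of that era used by default; the salt only defeats precomputed tables, so where a stronger password storage scheme is available it is the better choice for new deployments.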


Re: [Fedora-directory-users] Issue with fine-grained password policy

2006-10-25 Thread George Holbert
Last time I looked at this, I vaguely recall finding that pam_ldap 
doesn't pay too much attention to FDS password metadata for expiration 
warnings or strength restrictions.  So what you're seeing may be the norm.

Hopefully someone else out there will have better news for you on this.


Ian Meyer wrote:

Hello all,

I set up FDS 1.0.2 on a server and got everything configured and
imported etc etc.. things
work great, I can authenticate against it, make updates.. but I can
not get our linux
clients to warn me about changing my password, expiration, length,
etc.. I followed the instructions on
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672 


to set up a global config, and a user config. Is there anything on the
client side for PAM that needs to be configured? I've been poring
over this for a couple of days now so I may just be blind to a small
detail I may have missed. Any help/insight would be appreciated.

Thanks in advance,
Ian








Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host

2006-10-23 Thread George Holbert

Sergey,
Do you want to have both interfaces talk to the same LDAP directory?
Or do you want an entirely separate LDAP directory for each?
-- George

Sergey Ivanov wrote:

Hi,
I have installed Fedora Directory Server or a machine, which belongs to
2 different networks. One is local network with 192.168. prefix, and
other is a real IP I've got from Internet Service provider.

I want to have Directory Server, listening to both interfaces, with SSL
certificates. How can I set up Directory Server to use different
certificates for different IP addresses (and different hostnames)? Is it
possible?

I have not found the answer in the documentation or on the internet. I tried
to set up another Directory Server instance on the same host, but that also
failed, because it refuses to share the same port number and to bind to
that port on only one of the IP addresses.

Please, help me.

With best regards,
Sergey Ivanov.
  





Re: [Fedora-directory-users] how to set up Fedora Ds on a multinetwork host

2006-10-23 Thread George Holbert

Sergey,
Mike's recipe would do the trick.  If you try that, also look into the 
nsslapd-listenhost and nsslapd-securelistenhost config variables (in 
directory server docs).  These will allow you to arrange for each 
directory server instance to only listen on a single interface.  I 
believe the default is to listen on all interfaces.

-- George

Mike Jackson wrote:

Sergey Ivanov wrote:

Hi George,
I want to have the same LDAP directory for both interfaces, but with
different SSL certificates.


Probably the fastest and easiest way to do it:

1. Setup directory server to only listen to interface1 (hostname1)
2. Install SSL cert for hostname1
3. Setup directory server to only listen to interface2 (hostname2)
4. Install SSL cert for hostname2
5. Setup multimaster replication between the two directory servers
6. Populate data



Mike







Re: [Fedora-directory-users] pam_ldap doesn't follow referrals

2006-10-20 Thread George Holbert

This is a shot in the dark,
but have you tried specifying:
pam_password exop
..in /etc/ldap.conf?

I suggest this because you mention ldappasswd seems to do the job, and 
ldappasswd uses the password change extended operation to do its work.



Philip Kime wrote:
Any pointers welcome. This is on RHEL4 and FDS 1.0.2. pam_ldap moans 
about referrals when the first LDAP server in ldap.conf is a 
consumer-only. No problem if it's talking to a read-write master.
 
# passwd test

Changing password for user test.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Referral
 
I tried nss_ldap-226 and nss-ldap-253 which comes with an updated 
pam_ldap. I have
 
referrals yes
 
in ldap.conf
 
I can do a manual ldappasswd update to the consumer and it works, 
presumably referring to a writable master ok (though I can't see 
anything about referrals in the ldappasswd debugging output, nor 
anything in the master logs).
 
PK


 
--

Philip Kime
NOPS Systems Architect
310 401 0407
 





Re: [Fedora-directory-users] userPassword versus Password

2006-10-19 Thread George Holbert


However, it will
only use the userPassword attribute, not the Password attribute.


You're in luck:  userPassword already is the standard password attribute 
in FDS.



Dave Augustus wrote:

I have an external applet that authenticates via LDAP. However, it will
only use the userPassword attribute, not the Password attribute.

How can I tell FDS to use the Password attribute for Passwords?

Thanks,
Dave
  





Re: [Fedora-directory-users] Fedora directory and solaris 10

2006-10-11 Thread George Holbert


I guess my question is can I use Sun directory server on
one box as master, then another box (doing the multi-master replication)
running fedora directory?


My understanding is that would not work.  You would want all servers 
running either SunDS or FDS.




James Greene wrote:

I can do that, but I guess my question is can I use Sun directory server on
one box as master, then another box (doing the multi-master replication)
running fedora directory? I know they both are based on the same code, but
not sure if that would work or  not.


On 10/11/06 4:07 PM, Scott Roberts [EMAIL PROTECTED] wrote:

  

Why? I know I will get kicked in the face for
mentioning this... but the major OS's have their own
directory servers, Red Hat has one now as we all know,
and Sun has one too. Just use the Sun directory server
on Solaris, it's free, the support is not.

--- James Greene [EMAIL PROTECTED] wrote:






Re: [Fedora-directory-users] Need Pointers For Migrating To FDS from NIS

2006-10-10 Thread George Holbert

Vadim,
This is a pretty big topic.
Gary Tay has put together some docs that are a great starting point:
http://web.singnet.com.sg/~garyttt/

Sun's docs regarding Solaris clients will also be useful for you:
http://docs.sun.com/app/docs/doc/816-4556

One other thing:

My goal is to migrate my Solaris and Linux machines onto the AD 
structure for user, group, hosts, networks and netgroups map use 
(perhaps other maps later). 


If you mean that you will be using AD as your directory server, you 
won't necessarily need to run a separate directory server like FDS.


Good luck!


Vadim Pushkin wrote:

Hello All;

My current environment is using NIS (not NIS+) on Sparc Solaris 8/10 
and x86 Linux, with a separate AD structure.  My goal is to migrate my 
Solaris and Linux machines onto the AD structure for user, group, 
hosts, networks and netgroups map use (perhaps other maps later).


My questions are:

1.  Am I correct in believing that Fedora Dir Server is able to allow 
me to auth to my AD DC's?  Or does FDS only perform as a conduit to 
the AD structure, either fine by me.


2.  What and where do I change to allow this in my pam.conf on my 
Solaris and Linux servers?


3.  Where do I get the PAM modules to allow this to work?

4. What additional software must I run on my RH/FC FDS server?  Should 
I, or can I, run two servers in case one fails?


5.  Finally, does anyone have any written docs or a site that can help 
me?



Thanks very much in advance,

.vadim




RE: [Fedora-directory-users] Referrals break everything ...

2006-06-30 Thread George Holbert
If your client is RHEL4 or newer,
try adding this line to /etc/ldap.conf:

debug 1

This will spit a lot of debugging output to your console whenever you do any
lookup through nss_ldap.  Maybe it will shed some light.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Philip Kime
Sent: Friday, June 30, 2006 2:42 PM
To: fedora-directory-users@redhat.com
Subject: Re: [Fedora-directory-users] Referrals break everything ...

 PADL (usually in /etc/ldap.conf):
 referrals yes

Many thanks for both replies ...

This looked good but I tried it and I still get the same error in syslog.
Hmm. The binds are all anonymous and work fine so there doesn't seem to be a
bind DN issue.

http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/dit.html#1005889

Ah - this is more what I wanted but it appears that you can't do Virtual
DITs from roots - has to be from an OU, for example, which is annoying since
that means I have to create a new database for the old dc=x,dc=y and create
an OU so I can create a virtual DIT view. What a game! I just want to
redirect all queries for one thing somewhere else ...



Re: [Fedora-directory-users] Referrals break everything ...

2006-06-29 Thread George Holbert

Two things to check:

1.  Make sure nss_ldap is configured to follow referrals.  Not sure if 
you're using Sun's or PADL's (Linux) nss_ldap, but each have an option 
for this.


Sun (in /var/ldap/ldap_client_file):
NS_LDAP_SEARCH_REF= TRUE

PADL (usually in /etc/ldap.conf):
referrals yes


2.  Make sure that the bind DN you're using to bind to the first 
directory server also exists on the second (referral target) directory 
server, and has the same password.



There may be something else going on, but check these two first.

Philip Kime wrote:
I am running the latest Fedora-DS and trying to use nss_ldap. I have 
to migrate an older LDAP server onto the Fedora-DS but keep 
temporarily the old tree structure for all current LDAP clients. So I 
was going to leave the old search base in /etc/ldap.conf on the client 
and just re-direct queries to the new location (on the same server). A 
job for referrals, I thought. I'll just put a stub root dc on the new 
server and make it point to the new location, like this:
 
dc=a,dc=y
 
a referral to the new
 
dc=a,dc=b
 
I set this up, ldapsearch shows that it's getting the right referral 
(though I can't seem to get ldapsearch to follow the referral?)
 
However, if I try to do anything involving nss_ldap (which otherwise 
works fine), I get this, for example, in syslog:
 
getent: nss_ldap: could not search LDAP server - Referral
 
Does nss_ldap not follow referrals? That would make it rather useless. 
Is this a Fedora-DS problem?
 
--

Philip Kime




[Fedora-directory-users] consumer replica without update referrals?

2006-05-22 Thread George Holbert
I'd like to set up a read-only consumer that never returns referrals to 
a writable master server.  Basically, any write requests that aren't 
replication updates would just be dropped.


It doesn't look like there is an analogous setting for this in the 
suffix-level nsslapd-state variable.  The closest thing is referral 
on update (default consumer behavior).
Then there is the nsslapd-readonly attribute, but I think this would 
also disable updates from the master replica.


One way would be to set a bogus suffix referral, so that client updates 
are referred to a non-existent server.  Does anyone have a more elegant 
solution?


Thank you!
-- George



Re: [Fedora-directory-users] Command Line Question - Regarding Admin Passwords

2006-05-21 Thread George Holbert

For directory manager:

# ldapmodify -h <DS hostname> -D "cn=Directory Manager" -w <password>
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: newpassword


For console admin:

# ldapmodify -h <DS hostname> -D "cn=Directory Manager" -w <password>
dn: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
changetype: modify
replace: userPassword
userPassword: newpassword


Joe Sheehan wrote:

Is there anyway to change the admin and directory manager password
via a command line script or utility instead of going through the 
Console?


Thanks

Joe




Re: [Fedora-directory-users] Shadow account vs. password policy

2006-05-19 Thread George Holbert
PAM should honor the Fedora DS password policy, so I don't think you 
need the shadow stuff anymore. 


I agree with Rich.
Also, in my testing I found that Solaris 8 native LDAP clients ignore 
the shadow attributes, which meant the shadow method  is useless for my 
particular situation.



Richard Megginson wrote:

Jason Russler wrote:

Hi all,
I imported our Unix/Linux password and shadow files into FDS recently 
(using LdapImport.pl) and I'm trying to figure out the difference or 
conflicts between the shadowaccount object class attributes 
(shadowmax, shadowwarning etc.) and the passwordexpirationtime and 
passwordexpiredwarned etc. attributes that I assume come from the 
Password policy settings features of the directory.


I'm having trouble getting inconsistent results when expiring 
accounts to test whether or not the PAM ldap client (on RedHat 
Enterprise 4 systems) weighs one set of attributes more over the 
other or even cares about them at all.  Does anyone have experience 
with the PAM clients and the directory's password policy settings vs. 
the shadowaccount attributes?  Should I quit using the password and 
password expiration features and just use the shadowaccount 
attributes or ditch the shadowaccount object class altogether?


If PAM will honor the password expiration policy then I may just 
write a little something to set the policy attributes from the shadow 
attributes of the imported files and then remove shadowaccount OC 
altogether.  Any thoughts?
PAM should honor the Fedora DS password policy, so I don't think you 
need the shadow stuff anymore.




Re: [Fedora-directory-users] adding users

2006-05-19 Thread George Holbert
 is there some way to create an ldif file programmatically and then use 
ldapadd?


Absolutely.  The simplest case might be just a shell script that prompts 
for each value that constitutes a new user, then prints that to stdout  
in LDIF format, which could be piped to ldapmodify.



Steve Strong wrote:

hmmm, this sounds a lot like copy all of the information over by hand ...

how about writing a shell script to add the user to the unix side and 
then copy the associated information (including the new group) into 
fedora directory?  is there some way to create an ldif file 
programmatically and then use ldapadd?  has anyone done this already?

steve

Pete Rowley wrote:

Steve Strong wrote:
OK, I'm a newbie, but it seems that now that I've migrated all of my 
users that I need to learn how to add users (ya think?)  There must 
be an underlying unix account, right?  how do you add one unix 
account to the fedora ldap directory?


In the console create a new user, once you have filled out the 
default tab, click on the posix tab.







Re: [Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints.

2006-04-28 Thread George Holbert

Elias,
I agree with you that AD is wrong on this.

I believe that CN is a multivalued attribute (at least in FDS).  So, if 
it's any help, you could have unique CNs that are used in the entries' 
DNs, and optionally have additional CNs that may not be unique.


e.g.,
dn: cn=Kristín Jónsdóttir_00,ou=people,dc=example,dc=edu
cn: Kristín Jónsdóttir_00
cn: Kristín Jónsdóttir
telephoneNumber: 123-456-7890
...

The _00 unique suffix is just an example, you could use whatever you 
like of course.


Elías Halldór Ágústsson wrote:
We are experimenting with Fedora Directory Server and trying to sync 
it to AD.


Setting up SSL for both and initiating sync was successful.

However, it seems that DN in AD is constructed from the CN, which is 
the full name. However, that's nigh impossible, since DN has a unique 
constraint, but full names are seldom unique, and particularly not 
here in Iceland. For example, my organization has at least 10 people 
called Kristín Jónsdóttir.


I regard AD as broken by design in this regard. My question is, can 
this be fixed? What would be the right way to approach this problem?






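The suffix scheme George sketches above, worked through as an added example (this is not code from the thread and not anything 389 DS ships): every entry gets a unique cn for its RDN and a second, plain cn holding the real full name, so searches on the human name still match. It assumes only the Python standard library, uses the base DN from George's example, and the three people are constructed. It goes a little beyond his sketch in two places a practitioner tends to trip over: values that are non-ASCII (as Icelandic names are) must be base64-encoded in LDIF per RFC 2849 and written after a double colon, and characters such as commas or plus signs inside an RDN value must be backslash-escaped per RFC 4514.

```python
"""Give colliding full names unique, DN-safe cn values for a 389 DS tree that
will be synced to AD. Added example, not from the thread; names are constructed."""
import base64
from collections import defaultdict

BASE_DN = "ou=people,dc=example,dc=edu"   # the base used in George's example

# RFC 4514: these need a backslash inside an RDN value; a leading '#' or space
# and a trailing space must be escaped as well.
RDN_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    chars = ["\\" + c if c in RDN_SPECIAL else c for c in value]
    if chars and chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: a value that is non-ASCII, has leading/trailing space, or starts
    with ':' or '<' must be base64-encoded and written after a double colon."""
    if (not value.isascii() or value != value.strip()
            or value.startswith((":", "<"))):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def assign_unique_cns(full_names, width: int = 2):
    """Return [(unique_cn, full_name), ...] in input order. The counter is per
    name, so the second 'Kristín Jónsdóttir' becomes '..._01'; a name that
    occurs once still gets '_00' so the rule is uniform."""
    counter = defaultdict(int)
    out = []
    for name in full_names:
        n = counter[name]
        counter[name] += 1
        out.append((f"{name}_{n:0{width}d}", name))
    return out


def entry_ldif(unique_cn: str, full_name: str, sn: str, attrs=()) -> str:
    """One inetOrgPerson add record: the unique cn is the RDN, the plain full
    name is a second cn value so (cn=Kristín Jónsdóttir) searches still hit."""
    lines = [
        ldif_line("dn", f"cn={escape_rdn_value(unique_cn)},{BASE_DN}"),
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        ldif_line("cn", unique_cn),
        ldif_line("cn", full_name),
        ldif_line("sn", sn),
    ]
    lines += [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def build_ldif(people) -> str:
    """people: iterable of (full_name, sn, [(attr, value), ...]). Records are
    separated by a blank line, ready for ldapmodify -f."""
    assigned = assign_unique_cns([p[0] for p in people])
    records = [entry_ldif(ucn, name, sn, attrs)
               for (ucn, name), (_, sn, attrs) in zip(assigned, people)]
    if len({r.split("\n", 1)[0] for r in records}) != len(records):
        raise ValueError("dn collision in generated LDIF")
    return "\n".join(records)


# Constructed sample: three people, two of whom share a full name.
SAMPLE = [
    ("Kristín Jónsdóttir", "Jónsdóttir", [("telephoneNumber", "123-456-7890")]),
    ("Kristín Jónsdóttir", "Jónsdóttir", [("telephoneNumber", "123-456-7891")]),
    ("John Doe", "Doe", []),
]

if __name__ == "__main__":
    print(build_ldif(SAMPLE))
```

Pipe the output to ldapmodify as in the other threads on this page. On a live directory the counter would also have to start past any suffixes already present under the base, and the 389 DS attribute uniqueness plug-in can be set on cn to make the server refuse a duplicate RDN value outright rather than leaving it to the script.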


Re: [Fedora-directory-users] upperlimit on uidNumber

2006-04-19 Thread George Holbert

http://kbase.redhat.com/faq/FAQ_80_6231.shtm

I think Solaris also supports 32-bit uids, not sure about other OSes.

[EMAIL PROTECTED] wrote:
I was wondering if there is an upper limit on the uid or the 
gidNumber in

fds.
Or is there a limit on OS level? Does anyone know what it is? Is this
different between the RedHat releases?
Is it different from other Unixes?


I have personally loaded 10 million user accounts into FDS as a 
performance test (on a measly 2.4Ghz P4 machine with 512MB of RAM), 
and it worked just fine; not sure how many it could theoretically hold.


The linux kernel has officially had support for 32-bit uidnumbers 
since kernel v2.4, so the maximum user id number is 4294967295, or 
approximately 4.3 billion. This is the same on any distribution using 
kernel 2.4 or newer. I am not sure about UNIX...


--
mike



Re: [Fedora-directory-users] upperlimit on uidNumber

2006-04-19 Thread George Holbert

For some reason, I just assumed that they would be unsigned integers.


That would make more sense to me too... since uid numbers can't be 
negative (as far as I know)?

oh well :)


[EMAIL PROTECTED] wrote:

http://kbase.redhat.com/faq/FAQ_80_6231.shtm


Aha, they are stored as signed integers, so the actual number is in 
the 2 billion range... For some reason, I just assumed that they would 
be unsigned integers.


Thanks for the pointer!

--
mike



Re: [Fedora-directory-users] How interhangeable are ldap server?

2006-04-14 Thread George Holbert

I doubt you'll need much custom code for the basics.
But you'll need to be aware of vendor-specific features and schema, and 
not rely on those in your app, if you want it to work the same on any 
server.


Mont Rothstein wrote:

We have a windows app that uses an LDAP server for authentication.

For our clients that don't already have an LDAP server we provide 
FDS.  However many of our clients already have an LDAP server (AD, 
Novell, IBM, Oracle).


How interchangeable are LDAP servers?  Are we likely to be able to 
just talk to any server, or will we need custom code for each?


In addition to authentication we plan to create and assign roles, and 
possibly use a small custom schema.


Any information or pointers to information on this would be 
appreciated.  I couldn't find anything via Google.


Thanks,
-Mont





Re: [Fedora-directory-users] Existing User Accounts

2006-04-07 Thread George Holbert
You would add a new objectclass to the objects that were created when 
you imported the passwd file.


For example, if your account objects were created with the following 
objectclasses:

objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount

...then they will have no mail attribute.

So, you could add:
objectClass: inetOrgPerson
for each, and then you can also populate mail for each.

You can make these changes with ldapmodify, or the console, or whatever 
you prefer.   You could also tweak the migrate_passwd.pl script and 
re-import everything, if you want.


There are other ways you could store email addresses in your directory, 
but the above example is probably what you're trying to do.



Esquivel, Vicente wrote:

Ok I am a total newbie to the Directory so bear with me.  Do you accomplish 
this by going to the configuration tab then selecting schema?

Vince 

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of George Holbert
Sent: Friday, April 07, 2006 3:22 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Existing User Accounts

The usual attribute for email addresses is mail.
You may need to add another objectclass (like inetOrgPerson) 
to your objects in order for the mail attribute to be available.


Esquivel, Vicente wrote:

Thanks for the reply.

I ran the scripts and was able to get all of the users imported into the 
Directory server.  The only question is how do I get their email address 
into the Directory of the passwd and shadow file information?

Thanks
Vince

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oscar A. Valdez
Sent: Thursday, April 06, 2006 10:38 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Existing User Accounts

On Thu, 06-04-2006 at 09:49 -0500, Esquivel, Vicente wrote:

I have the Directory server up and running.  My question is how to get 
the user accounts from one of my servers into the directory?  I do not 
have an existing ldap or nis server, we are using local systems 
account creation and authentication.  I did a search through the 
archives but wasn't able to come up with anything.  Any insight would 
be very helpful and appreciated.

Try the Migration Tools from PADL software (they are also the 
creators of the nss_ldap and pam_ldap modules):

http://www.padl.com/OSS/MigrationTools.html

You first have to edit migrate_base.pl for your organization's naming 
context. The scripts migrate_passwd.pl, migrate_group.pl, 
migrate_aliases.pl, etc., will do what their names suggest. They 
output in ldif format to standard output, so you can tweak the 
results before importing into your DS server.

After importing my existing users, I wrote my own script for new user 
creation that generates the ldif stuff.

--
Oscar A. Valdez

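George's shell-script idea from the "adding users" thread earlier on this page (prompt for the values, print LDIF, pipe to ldapmodify) and his advice in this thread (add inetOrgPerson so that mail becomes a legal attribute) written out as one added Python example. It is not code from the thread, not PADL's migration tools and not anything 389 DS ships. Assumed: a naming context of ou=People,dc=example,dc=com and the constructed users in the test run. It enforces the signed 32-bit ceiling on uidNumber and gidNumber noted in the "upperlimit on uidNumber" thread, and it sets sn in the same modify as the objectClass add, because inetOrgPerson (through person) makes sn mandatory and an entry migrated with only account/posixAccount/shadowAccount has none; an LDAP modify is one atomic operation, so the server checks schema after both changes.

```python
"""LDIF generator for 389/Fedora DS user entries: an add record for a new POSIX
user and a modify record that retrofits inetOrgPerson + mail onto an entry that
migrate_passwd.pl created from /etc/passwd. Added example; values constructed."""
import base64
from dataclasses import dataclass

# Red Hat KB reference in the uidNumber thread: uid/gid numbers are signed
# 32-bit integers, so 2147483647 is the ceiling worth enforcing.
UID_MAX = 2**31 - 1
PEOPLE_BASE = "ou=People,dc=example,dc=com"   # assumed naming context
RDN_SPECIAL = set(',+"\\<>;= ')                # refused in a uid used as RDN


def ldif_line(attr: str, value: str) -> str:
    """RFC 2849: a value that is non-ASCII, has leading/trailing space, or starts
    with ':' or '<' must be base64-encoded and written after a double colon."""
    if (not value.isascii() or value != value.strip()
            or value.startswith((":", "<"))):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


@dataclass
class PosixUser:
    uid: str
    cn: str
    sn: str
    uid_number: int
    gid_number: int
    home: str
    mail: str
    shell: str = "/bin/bash"


def check_user(u: PosixUser) -> None:
    """Reject values the server would refuse or a 32-bit client would misread."""
    for label, n in (("uidNumber", u.uid_number), ("gidNumber", u.gid_number)):
        if not 0 <= n <= UID_MAX:
            raise ValueError(f"{label} {n} outside 0..{UID_MAX} for uid {u.uid}")
    if not u.uid.isascii() or RDN_SPECIAL & set(u.uid):
        raise ValueError(f"uid {u.uid!r} would need RDN escaping; pick a plain uid")


def is_valid(u: PosixUser) -> bool:
    try:
        check_user(u)
        return True
    except ValueError:
        return False


def add_record(u: PosixUser) -> str:
    """Complete entry for a new user; inetOrgPerson is present from the start
    so that mail is a legal attribute."""
    check_user(u)
    lines = [
        f"dn: uid={u.uid},{PEOPLE_BASE}",
        "changetype: add",
        "objectClass: top",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_line("uid", u.uid),
        ldif_line("cn", u.cn),
        ldif_line("sn", u.sn),
        f"uidNumber: {u.uid_number}",
        f"gidNumber: {u.gid_number}",
        ldif_line("homeDirectory", u.home),
        ldif_line("loginShell", u.shell),
        ldif_line("mail", u.mail),
    ]
    return "\n".join(lines) + "\n"


def add_mail_record(uid: str, sn: str, mail: str) -> str:
    """Modify record for an entry imported with only account/posixAccount/
    shadowAccount. replace keeps sn and mail re-runnable; the objectClass add
    fails with 'type or value exists' if inetOrgPerson is already there."""
    lines = [
        f"dn: uid={uid},{PEOPLE_BASE}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: inetOrgPerson",
        "-",
        "replace: sn",
        ldif_line("sn", sn),
        "-",
        "replace: mail",
        ldif_line("mail", mail),
        "-",
    ]
    return "\n".join(lines) + "\n"


def ldif_document(records) -> str:
    """Records separated by one blank line, ready for
    ldapmodify -h <DS hostname> -D "cn=Directory Manager" -w <password> -f file.ldif"""
    return "\n".join(records)


if __name__ == "__main__":
    new = PosixUser("jdoe", "John Doe", "Doe", 10001, 10001,
                    "/home/jdoe", "jdoe@example.com")
    print(ldif_document([add_record(new),
                         add_mail_record("hmueller", "Müller", "hmueller@example.com")]))
```

The explicit changetype: add line lets the same file go through ldapmodify without an -a switch; ldif_line does the base64 encoding LDIF requires for non-ASCII names, which is why the sn for "Müller" comes out with a double colon.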


Re: [Fedora-directory-users] Hostname does not match CN....

2006-04-03 Thread George Holbert


[EMAIL PROTECTED] ldapsearch -x -ZZ '(uid=testuser)'
ldap_start_tls: Connect error (-11)
additional info: TLS:hostname does not match CN in peer
certificate


How can I solve ?


The server hostname you pass to ldapsearch must exactly match the CN in 
the certificate you signed for the server.


So, if you signed the certificate with a fully-qualified domainname 
(e.g. ldaphost.example.com),

use -h ldaphost.example.com instead of -h ldaphost.


Alex aka Magobin wrote:
Hi, 
After, with your help, successfully configuring replication between servers,

I take a look at configuring clients' authentication through the ldap
server... I have 2 questions:

1) Is it possible to add a user directly from fedora ds as a posix user using
groups from the server?.. I don't know if groups are integrated with the
system... is it possible to add server groups to Fedora DS groups?

2) Reading ssl howto I export CA certificate to client(fedora core5)
in /etc/openldap/cacerts(some of steps in ssl howto are
automatically generated from fedora core 5 as installing in cacerts
directory in x509 mode) but when I try to check if ssl is enable the
answer is:

[EMAIL PROTECTED] ldapsearch -x -ZZ '(uid=testuser)'
ldap_start_tls: Connect error (-11)
additional info: TLS:hostname does not match CN in peer
certificate


How can I solve ?

Alex




Re: [Fedora-directory-users] Hostname does not match CN....

2006-04-03 Thread George Holbert



TLS: hostname(ldap.domain.example.com) does not match common name in
certificate (nodo1.domain.example.com)

...now...how can I solve it??



For the setup you described, you'd probably want to use a single 
certificate, signed with a CN of 'ldap.domain.example.com'.


This will make it possible for your server cert CNs and hostnames to 
match consistently, regardless of which machine (nodo1 or nodo2) the 
clients end up talking to.


Alessandro Binarelli wrote:



2006/4/3, George Holbert [EMAIL PROTECTED]:

 [EMAIL PROTECTED] ldapsearch -x -ZZ '(uid=testuser)'
 ldap_start_tls: Connect error (-11)
 additional info: TLS:hostname does not match CN in peer
 certificate

 How can I solve ?

The server hostname you pass to ldapsearch must exactly match the CN in
the certificate you signed for the server.

So, if you signed the certificate with a fully-qualified domainname
(e.g. ldaphost.example.com), use -h ldaphost.example.com instead of -h ldaphost.

 
 


Sigh...I found the problem...so:

I set up Fedora DS in a cluster scenario with two nodes, nodo1 and 
nodo2, with their real ip addresses, and I made a multimaster 
replication; taking advantage of the ldap protocol I set up a floating ip 
address and an entry in dns that points ldap.domain.example.com 
to that ip... therefore if I make a query to ldap.domain.example.com, 
depending on whether the floating ip is up on nodo1 or nodo2, the DS server 
answers the query, taking advantage of multimaster replication... this scenario 
works very well in clear mode, but I saw that if I set up ssl 
encryption and try to verify it, the answer is:

[EMAIL PROTECTED] ldapsearch -h ldap.domain.example.com -x -ZZ '(ObjectClass=*:)' -d 1

-CUT-

TLS: hostname(ldap.domain.example.com) does not match common name in
certificate (nodo1.domain.example.com)

...now...how can I solve it??


 





Re: [Fedora-directory-users] comment about setupssl.sh

2006-03-29 Thread George Holbert


If you create your certs with FQDNs, doesn't that mean that all clients
must refer to ldap server by FQDN?  



In general, the answer is yes.  For example, Solaris' LDAP name 
service will not work unless the server name in the Solaris client 
config exactly matches the CN on the LDAP server certificate.


Some clients (like PADL's nss_ldap used in most Linuxes) can be 
configured to disable server cert verification.  Or others just have it 
always turned off (Outlook Express).  In these cases, you could get away 
with using a shortname or alias instead of the exact name listed in the CN.


So it depends on the LDAP client apps you need to support.  Depending on 
your environment and requirements, you could technically use shortnames 
or aliases.  But you're really better off using FQDNs in both the server 
cert and your client configs, if possible.


Of course, for non-SSL/TLS connections, no cert verification is 
involved, so you can use whatever name or alias you want for those.



Susan wrote:

--- Richard Megginson [EMAIL PROTECTED] wrote:
  
One solution would be to change setupssl.sh to accept a list of FQDNs 
for which to create DS and AS certs.  Then you could just create all of 
the key/cert databases at once, and just copy them to the 
/opt/fedora-ds/alias directory on each machine.



yeah, this is a good idea.  Because I don't know about other users but for me, 
creating certs is
just 1 of the steps towards SSL encrypted client-FDS comms & MMR.

Another thing is this.  If you create your certs with FQDNs, doesn't that mean 
that all clients
must refer to ldap server by FQDN?  Because that's how it works in the web 
world.  If I
create/sign a cert for webserver and somebody goes to 
https://webserver.company.com it'll prompt
the user, asking about this new cert, even though you're already trusting the 
CA that signed it.
 If that's the case, that would be pretty annoying because within a company, 
everybody always
refers to hostnames, not fqdns (provided DNS works properly, obv.)



__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


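The check behind the "hostname does not match CN" failures in the two threads above, and behind George's point here that a Solaris client needs the configured server name to equal the certificate CN, done as an added Python example (not code from the threads, not from any LDAP client). The certificates are constructed dicts in the shape Python's ssl.SSLSocket.getpeercert() returns, so nothing real is needed to run it. It goes beyond what the 2006-era clients on this page did by also honouring subjectAltName dNSName entries, in the RFC 6125 order (SAN names first, CN only when no SAN dNSName is present), and by handling a wildcard in the leftmost label; which of your clients actually look at SANs has to be checked per client, whereas the single service-name CN George recommends works with all of them.

```python
"""Hostname-vs-certificate check an LDAP client performs before trusting the
server. Added example; certificates below are constructed, not real."""


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard in the leftmost label only: '*.example.com'
    matches 'ldap.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    head, dot, rest = hostname.partition(".")
    return bool(dot) and head != "" and rest == pattern[2:]


def certificate_names(cert: dict) -> list:
    """Names the certificate claims. RFC 6125: when any subjectAltName dNSName
    is present only those count; otherwise fall back to the subject CN, which
    is all the clients in these threads looked at."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_ok(cert: dict, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in certificate_names(cert))


def verdict(cert: dict, hostname: str) -> str:
    """Same wording as the client message quoted in the thread, so a log reader
    recognises it."""
    names = ", ".join(certificate_names(cert))
    if hostname_ok(cert, hostname):
        return f"TLS: hostname({hostname}) matches certificate ({names})"
    return f"TLS: hostname({hostname}) does not match common name in certificate ({names})"


# Constructed certificates (not real): the per-node cert from the thread, the
# single service-name cert George recommends, and a SAN cert that also covers
# both node names so a client can verify whichever name it was configured with.
NODE1_CERT = {"subject": ((("commonName", "nodo1.domain.example.com"),),)}
SERVICE_CERT = {"subject": ((("commonName", "ldap.domain.example.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "nodo1.domain.example.com"),),),
    "subjectAltName": (("DNS", "ldap.domain.example.com"),
                       ("DNS", "nodo1.domain.example.com"),
                       ("DNS", "nodo2.domain.example.com")),
}
SHORTNAME_CERT = {"subject": ((("commonName", "ldaphost.example.com"),),)}

if __name__ == "__main__":
    for cert in (NODE1_CERT, SERVICE_CERT, SAN_CERT):
        print(verdict(cert, "ldap.domain.example.com"))
    # A shortname in the client config never matches an FQDN in the cert.
    print(verdict(SHORTNAME_CERT, "ldaphost"))
```

Running ldapsearch with -ZZ and -d 1, as Alessandro did, shows the client's side of exactly this comparison; the name given to -h (or in ldap.conf) is the hostname argument, and the CN it prints is what certificate_names returns when the cert has no SAN.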


Re: [Fedora-directory-users] FDS Red Hat Certificate System

2006-03-29 Thread George Holbert


...the management is a little concerned about MITM attacks against the FDS, so 
we need a way to
verify that the server saying that it's our FDS really is the FDS.  Right now 
no certs are
deployed on the clients, we're using them only for SSL traffic encryption.


If I'm interpreting your question right, I think you're already covered 
for this as long as:

- Your client apps do server cert verification.
- Your internal CA isn't compromised.
- Your cert/key DB files on your FDS servers haven't been compromised.

You shouldn't need to sign a new certificate for every client, you just 
need a copy of the CA certificate on each client.





Susan wrote:

Hi, everyone.  I think this subject has been briefly raised before but I've 
more questions.

Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?  
Has anybody done this?

RHCS doesn't seem to be opensourced.  Is there a reliable free alternative?

The problem I'm trying to solve is that my CA cert is self-signed.  I guess 
even if it weren't,
the management is a little concerned about MITM attacks against the FDS, so we 
need a way to
verify that the server saying that it's our FDS really is the FDS.  Right now 
no certs are
deployed on the clients, we're using them only for SSL traffic encryption. 


What's the best way to go about doing this?  I don't want to manually 
create/deploy dozens of
certs for various clients.  I also need a way to implement CRL somehow, in case 
a box is
compromised.

Thank you.



--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] FDS Red Hat Certificate System

2006-03-29 Thread George Holbert


...to automatically hand out CA certs to ldap clients upon request?


There is no standard mechanism for this.  You have to manually copy CA 
certs to the location and in the format that each of your secure LDAP 
client apps expects.




yea but what about ldap clients?  AFAIK no ldap client implicitly trusts 
verisign or anything like
that.  So, even if I do get a real CA cert, will a plain vanilla FC4 install 
trust it?  I'm
guessing no?


RedHat Linux in the past has come with a bundle of well-known CA certs 
in /usr/share/ssl/cert.pem.  I haven't used FC4, but I'm guessing it has 
this too?


You would still need to configure LDAP client apps to know about this file.
Using PADL's pam_ldap/nss_ldap as an example, you would need to add:
tls_cacertfile /usr/share/ssl/cert.pem
...to /etc/ldap.conf.




Susan wrote:

--- Richard Megginson [EMAIL PROTECTED] wrote:

  

Susan wrote:


Hi, everyone.  I think this subject has been briefly raised before but I've 
more questions.

Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
  
  
Yes.  You go to the RHCS web interface, click Get CA Cert Chain, and 
you can download or copy/paste the CA cert for use with client apps (or 
importing into your web browser or email program or etc.).  This assumes 
you are using RHCS as your CA.



well, I'm speaking strictly of ldap clients.  Browsers I don't care about.


  

Has anybody done this?
  
  

We used this extensively at Netscape.



to automatically hand out CA certs to ldap clients upon request?

  

Right now no certs are
deployed on the clients, we're using them only for SSL traffic encryption. 
  
  

Do you mean client cert auth?



well, no.  We don't care whether the clients misrepresent themselves.  We care 
if the FDS
misrepresents itself.

  
CA certs or client certs?  For the CA cert problem, AFAIK, there is no 
way around it - you have to configure your clients to trust your CA one 
way or another.  You can mitigate this somewhat by going through the 
process of getting a real CA cert from one of the trusted root CAs 
listed in your web browser or email client.



yea but what about ldap clients?  AFAIK no ldap client implicitly trusts 
verisign or anything like
that.  So, even if I do get a real CA cert, will a plain vanilla FC4 install 
trust it?  I'm
guessing no?




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
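
The tls_cacertfile line George gives only protects against a spoofed server if the client also keeps peer verification switched on. The following is an added example (editor's code, not from this thread, from PADL, or from 389/FDS): a POSIX shell audit of a PADL-style ldap.conf that checks that tls_cacertfile names an existing CA bundle (such as /usr/share/ssl/cert.pem) and that tls_checkpeer has not been set to no. The function names are hypothetical; tls_cacertfile and tls_checkpeer are the real PADL option names; the two sample configs the demo writes are constructed.

```shell
#!/bin/sh
# Added example, not code from the list or from PADL: audit the TLS
# settings in a pam_ldap/nss_ldap style ldap.conf.  Function names are
# hypothetical; the option names tls_cacertfile and tls_checkpeer are the
# real PADL ones.  Sample config contents below are constructed.

# audit_ldap_conf FILE
# Prints one finding per line.  Returns 0 only when the client will
# verify the FDS server certificate: tls_cacertfile must name an existing
# file and tls_checkpeer must not be switched off.
audit_ldap_conf() {
    conf="$1"
    rc=0
    # PADL reads the file top to bottom, so take the last uncommented value.
    cacert=$(awk 'tolower($1) == "tls_cacertfile" { v = $2 } END { print v }' "$conf")
    checkpeer=$(awk 'tolower($1) == "tls_checkpeer" { v = tolower($2) } END { print v }' "$conf")

    if [ -z "$cacert" ]; then
        echo "MISSING: tls_cacertfile not set; nothing to validate the server cert against"
        rc=1
    elif [ ! -f "$cacert" ]; then
        echo "BROKEN: tls_cacertfile $cacert does not exist on this client"
        rc=1
    fi
    if [ "$checkpeer" = "no" ]; then
        echo "WEAK: tls_checkpeer no turns server certificate verification off"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: server certificate will be checked against $cacert"
    fi
    return "$rc"
}

# demo_audit: write a sound and a weak config into a scratch directory and
# audit both.  Prints the two exit codes as "good=0 weak=1".
demo_audit() {
    dir=$(mktemp -d)
    : > "$dir/cert.pem"   # stand-in for the CA bundle, e.g. /usr/share/ssl/cert.pem
    cat > "$dir/good.conf" <<EOF
# constructed sample: server cert is verified against the internal CA
uri ldaps://fds.example.com/
base dc=example,dc=com
tls_cacertfile $dir/cert.pem
tls_checkpeer yes
EOF
    cat > "$dir/weak.conf" <<EOF
# constructed sample: encrypted, but any server cert is accepted
uri ldaps://fds.example.com/
base dc=example,dc=com
ssl on
tls_checkpeer no
EOF
    audit_ldap_conf "$dir/good.conf" && good=0 || good=1
    audit_ldap_conf "$dir/weak.conf" && weak=0 || weak=1
    rm -rf "$dir"
    echo "good=$good weak=$weak"
}

demo_audit
```

Run it against the real file with audit_ldap_conf /etc/ldap.conf; a non-zero exit means the box encrypts to the FDS but would accept any certificate, which is exactly the MITM gap management is asking about.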


Re: [Fedora-directory-users] Re: Problem adding user

2006-03-27 Thread George Holbert



* mailRoutingAddress
* mailHost
* inetLocalMailRecipient
* kerberosSecurityObject
* krbName

Is not having these in my schema common/normal?


I'm sure there's plenty of directories out there that don't maintain 
these attributes on account objects.
If all you want to do is import the UNIX /etc/passwd attributes, you 
definitely don't need these.





Mont Rothstein wrote:

Thank you for your reply.

I grabbed the migration scripts from http://www.padl.com/download/ 
because I wanted to avoid installing openldap when all I needed was 
the scripts.


Looking at the source the kerberosSecurityObject is inserted as long 
as there is a default realm, though the extended schema does cause a 
problem with mail related values (see below).


It sounds like what I was missing is the fact that editing the 
migration scripts is expected.  I was under the impression that if my 
migration didn't work it was a mistake I had made.


After commenting out the following items in the password_migration 
script my admin user finally added:


* mailRoutingAddress
* mailHost
* inetLocalMailRecipient
* kerberosSecurityObject
* krbName


Is not having these in my schema common/normal?

Thanks,
-Mont/
/
On 3/24/06, Craig White [EMAIL PROTECTED] wrote:


On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote:
 A suggestion was made that I should add the contents of my
 sambaAdmin.ldif file to this post.  They are below.

 The kerberosSecurityObject isn't in my schema, so thus the
error.  But
 why did migrate_password.pl put that in my ldif?  Is there a config
 option somewhere that should be switched to disable Kerberos or do I
 just need to manually edit the ldif and delete the offending line?

 Thanks,
 -Mont


 dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
 uid: Administrator
 cn: Samba Admin
 givenName: Samba
 sn: Admin
 mail: [EMAIL PROTECTED]
 mailRoutingAddress: [EMAIL PROTECTED]
 mailHost: mail.forayadams.foray.com
 objectClass: inetLocalMailRecipient
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: top
 objectClass: kerberosSecurityObject
 userPassword: {crypt}x
 krbName: [EMAIL PROTECTED]
 loginShell: /bin/bash
 uidNumber: 0
 gidNumber: 0
 homeDirectory: /root
 gecos: Samba Admin

the option of course is yours.

If you read through the source within the padl migration scripts (I'm
assuming that you used the ones installed by the openldap-server package
from the distribution), you will probably notice how and why it is put
there...presumably because you have chosen to use an extended schema.

I think the object is to test, tune, test, tune until you get what you
want from the migration scripts.

I suspect the reasons no one else answered this question was that the
source isn't part of FDS, the DSA setup will be as you design it to be
and the source is lightweight and should be simple enough to
comprehend
and adjust as needed.

Craig




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] Rename or Hide o=NetscapeRoot

2006-03-27 Thread George Holbert

I don't think renaming o=NetscapeRoot is a good idea.
What is it you want to do?
If you just want to prevent people from browsing it, you're on the right 
track with setting up some ACIs.  If it can be browsed anonymously, 
there's some ACI that's allowing this.  Look for allow (anyone) ACIs 
on o=NetscapeRoot.



Yann wrote:

Hi all,

I've, again, a curious question :-) ;

Is it possible to rename o=NetscapeRoot to something else, like o=MyRoot?

And/or, is it possible to hide the entry o=NetscapeRoot from unprivileged users?
I've an ACL on it to deny read inside, but o=NetscapeRoot stays visible
when an anonymous user browses with an LDAP browser, for example.

Thanks !

Yann




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] SSL problem on replication!

2006-03-24 Thread George Holbert


2) To make secure replication...I have to enable ssl on DS...in this
case...is still possible to query LDAP on port 389 ??

Absolutely, enabling SSL does not affect unencrypted connections on port 
389.




Alex aka Magobin wrote:

On gio, 2006-03-23 at 08:43 -0800, Susan wrote:
  

This is what I did to get ssl repl working:

1. generate a single CA certificate and use that to sign both the supplier and 
consumer
certificates. Each server doesn't need its own CA.

on the consumer:






Thank you Susan for your reply...two questions for you if possible:

1) This procedure..similar to (Chapter 8 in Administration Guide)...but
you have to create cert db before


2) To make secure replication...I have to enable ssl on DS...in this
case...is still possible to query LDAP on port 389 ??

Thanks in advance!!

Alex






--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] migrate_common.ph on RHEL ES4

2006-03-15 Thread George Holbert

If you prefer, you can also get this directly from PADL:
http://www.padl.com/download/MigrationTools.tar.gz

Craig White wrote:

On Wed, 2006-03-15 at 14:57 -0800, Mont Rothstein wrote:
  

I am running RHEL ES4 and the FDS/Samba integration HowTo:

http://directory.fedora.redhat.com/wiki/Howto:Samba

calls for the use of:

/usr/share/openldap/migration/migrate_common.ph

which does not exist.  In fact, /usr/share/openldap exists but is
empty.

Do I have to install openldap just to get this, or is there somewhere
I can download it from?



 rpm -q --whatprovides /usr/share/openldap/migration/migrate_common.ph
openldap-servers-2.2.13-4

up2date openldap-servers

Craig




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] migrate_common.ph on RHEL ES4

2006-03-15 Thread George Holbert
Take a look at the directory index (http://www.padl.com/download) and 
you'll see how often they're updated.


Mont Rothstein wrote:

Thanks for the download link.

Do you know if these tools are fairly stable?  I am creating 
instructions that we will use to build servers for some time and I'm 
wondering if I can just include a copy with our instructions, or if we 
will need to download the most recent every time.


Thanks,
-Mont





--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] allowing users to change their own passwords (solaris 10)

2006-02-23 Thread George Holbert

Ah yes,

Check permission on /var/ldap/cert7.db and /var/ldap/key3.db.

They should be mode 644.

Pete Rowley wrote:

Susan wrote:

Why would it fail to initialize TLS security?  root works fine...  Is 
there an env var I'm

missing?

 


Permissions for local files?  Try getting a TLS ldapsearch to work first.






--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] solaris 10 SSL connections

2006-02-16 Thread George Holbert
The ldapsearch command doesn't look in /var/ldap for the cert db.  It 
uses the current directory as the default cert db path.
You can run ldapsearch from /var/ldap, or give it a -P /var/ldap 
argument to use the cert db in /var/ldap.

Also, the -v arg might help you narrow down what's happening.

Note that the Solaris ldap_cachemgr (i.e., the ldap name service client) 
daemon DOES use /var/ldap as its default directory to find cert db files.


Also, Solaris 8 and 9 are very picky about which cert DB version they 
can use for ldap name service over SSL: it MUST be cert7.db as generated 
by earlier versions of the NSS tools.  Solaris 10 might be able to use 
cert8.db.



Susan wrote:

Hi, all.  I've ssl enabled in FDS:

# ldapsearch -D "cn=Directory Manager" -w adminpass -b "cn=encryption,cn=config" -h cnyitlin02 "cn=*"
version: 1
dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
nsSSL3Ciphers: +rsa_rc4_128_md5,+rsa_3des_sha,+fortezza_null,-rsa_null_md5,+fo

Currently, I have authenticationMethod: simple in my default profile.  I can 
ssh/telnet w/o
problems, authenticating from FDS (thank you, Gary Tay!)

I've been having a real hard time getting Solaris SSL to work, however.  I did 
the whole mozilla
cert import thing, got the cert8.db (it's not 7), and key3.db, put them in 
/var/ldap

However, even though this returns data:

-bash-3.00# ldapsearch -b "dc=composers,dc=company,dc=com" -h cnyitlin02 -L "objectclass=*" -p 636 -Z
version: 1
dn: dc=composers,dc=company,dc=com
dn: cn=Directory Administrators, dc=composers,dc=company,dc=com
dn: ou=Groups, dc=composers,dc=company,dc=com
dn: ou=People, dc=composers,dc=company,dc=com
dn: ou=profile,dc=composers,dc=company,dc=com
dn: cn=proxyAgent,ou=profile,dc=composers,dc=company,dc=com
dn: uid=test, ou=People, dc=composers,dc=company,dc=com

It's not encrypted.  I can see the traffic clear text in ethereal.

Any ideas what the problem is?  Has anybody gotten solaris ssl to work with FDS?

Thank you.




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] solaris 10 SSL connections

2006-02-16 Thread George Holbert


i've renamed cert8 to cert7, same thing.  Everything goes clear text for some 
reason?

yah, I wouldn't expect this to help.  The file contents have more 
significance than the file name, and cert8 files aren't identical to 
cert7.  However, I'm not sure this is the problem, since Solaris 10 
might be able to use (or even require) cert8 files.


All you need in the Solaris client cert db files is the CA certificate 
of the CA which signed your FDS server's certificate.


I'd suggest using the certutil command, rather than Mozilla, to generate 
the cert db files.


The following recipe has worked well for me:

# Create new cert and key DB files.
certutil -N -d /var/ldap
# Add your ascii CA certificate to the cert DB.
certutil -A -n "Susan's CA" -t C,, -a -i ./susans-cacert.pem -d /var/ldap
# List the contents of your cert DB.
certutil -L -d /var/ldap


Try this first using certutil as included with Solaris 10 
(/usr/sfw/bin/certutil).  I think this will create a cert8 file.  If 
cert8 doesn't seem to work, try generating a cert7 file with an older 
version of the certutil command.  I've found that 3.3.2 is the latest 
version that will work for the Solaris 8 and 9 ldap name service client:

http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html

Again, I'm not sure if the cert7/8 version problem is even an issue in 
Solaris 10, but it certainly is with 8 and 9.



-- George


Susan wrote:

--- George Holbert [EMAIL PROTECTED] wrote:

  
The ldapsearch command doesn't look in /var/ldap for the cert db.  It 
uses the current directory as the default cert db path.
You can run ldapsearch from /var/ldap, or give it a -P /var/ldap 
argument to use the cert db in /var/ldap.



yea, I tried that also, same result.  It just doesn't encrypt the connection.

  

Also, the -v arg might help you narrow down what's happening.



that doesn't add any more info.

  
by earlier versions of the NSS tools.  Solaris 10 might be able to use 
cert8.db.



i've renamed cert8 to cert7, same thing.  Everything goes clear text for some 
reason?

Now, if I take this exact same command, copy/paste into a linux box (I've to 
append -x for simple auth) then voila! it all gets scrambled and ethereal says 
invalid LDAP header, because it can't parse SSL on LDAP port.

So, it looks like FDS is OK but the solaris is no good here...  NO IDEA why..

George, do you have ssl-enabled solaris ldap auth working with FDS?




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] solaris 10 SSL connections

2006-02-16 Thread George Holbert


how did you verify that SSL is working?  Did you sniff it or what?

Yes, using snoop.

I should say I didn't debug it using ldapsearch, so I'm still not sure 
what's going on with that in your case.  But, since your end goal is 
ldap name service over SSL, have you tried that yet on the Solaris 10 
client?  If nothing else, it might spew some error messages (in 
/var/adm/messages) that give some new clues.


Susan wrote:

--- George Holbert [EMAIL PROTECTED] wrote:

  

# Add your ascii CA certificate to the cert DB.
certutil -A -n "Susan's CA" -t C,, -a -i ./susans-cacert.pem -d /var/ldap
# List the contents of your cert DB.
certutil -L -d /var/ldap



did all that, imported w/o problems:

-bash-3.00# /usr/sfw/bin/certutil -L -d /var/ldap
CA certificate   C,,  




However, this:

ldapsearch -b "ou=profile,dc=composers,dc=company,dc=com" -h cnyitlin02 -L "cn=*" -Z -p 636 -P /var/ldap/

still transmits clear text.

 
  
Try this first using certutil as included with Solaris 10 
(/usr/sfw/bin/certutil).  I think this will create a cert8 file.  




It does.  Doesn't seem to do any good, however.

how did you verify that SSL is working?  Did you sniff it or what?




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
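
Two client-side conditions keep coming up across these Solaris threads: the NSS database under /var/ldap has to hold the right file (cert7.db for Solaris 8/9, possibly cert8.db on Solaris 10, plus key3.db), and, as George notes in the "allowing users to change their own passwords" thread, those files must be mode 644 so that non-root users can initialise TLS at all. The following is an added example (editor's shell code, not from the thread, from Sun, or from the NSS project) that checks a client cert DB directory for both points before you start sniffing traffic. The function names are hypothetical and the empty stand-in DB files the demo creates are constructed; it checks presence and permissions only, not the contents of the databases.

```shell
#!/bin/sh
# Added example, not code from the list: sanity-check the NSS certificate
# database a Solaris ldap client reads from /var/ldap.  Function names are
# hypothetical.  The expectations come from the thread: the directory needs
# cert7.db (or cert8.db on Solaris 10) plus key3.db, readable by every user
# (mode 644) so that non-root logins can initialise TLS.

# check_client_certdb DIR
# Prints one line per finding; returns 0 when a cert DB and key3.db exist
# in DIR with mode 644, 1 otherwise.
check_client_certdb() {
    dir="$1"
    rc=0
    have_certdb=0
    for f in cert7.db cert8.db key3.db; do
        path="$dir/$f"
        [ -f "$path" ] || continue
        [ "$f" = key3.db ] || have_certdb=1
        # The first ten characters of ls -l are the mode string on both
        # Solaris and Linux, so this works without GNU stat.
        mode=$(ls -ld "$path" | cut -c1-10)
        case "$mode" in
            -rw-r--r--)
                echo "OK: $path is mode 644" ;;
            *)
                echo "FIX: $path is $mode; run: chmod 644 $path"
                rc=1 ;;
        esac
    done
    if [ "$have_certdb" -eq 0 ]; then
        echo "MISSING: no cert7.db or cert8.db in $dir; create one with certutil -N -d $dir"
        rc=1
    fi
    if [ ! -f "$dir/key3.db" ]; then
        echo "MISSING: $dir/key3.db"
        rc=1
    fi
    return "$rc"
}

# demo_check: reproduce the failure from the thread in a scratch directory
# (DB files created by root with mode 600) and show the fix.  Prints
# "before=1 after=0".
demo_check() {
    dir=$(mktemp -d)
    : > "$dir/cert8.db"; : > "$dir/key3.db"   # constructed stand-ins, contents irrelevant here
    chmod 600 "$dir/cert8.db" "$dir/key3.db"
    check_client_certdb "$dir" && before=0 || before=1
    chmod 644 "$dir/cert8.db" "$dir/key3.db"
    check_client_certdb "$dir" && after=0 || after=1
    rm -rf "$dir"
    echo "before=$before after=$after"
}

demo_check
```

On a real client run check_client_certdb /var/ldap; if it passes but ldapsearch still goes out in clear text, remember that the ldapsearch binary looks in the current directory unless given -P /var/ldap, while ldap_cachemgr uses /var/ldap by default.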


Re: [Fedora-directory-users] autofs FDS

2006-02-06 Thread George Holbert


Uhm.. What's a gal to do then???

AFAIK, there isn't yet a perfect answer, mostly because automount schema 
is not standard yet (though rfc2307bis is/was a proposed standard).


If you are only supporting Linux clients, you probably don't need 
additional autofs schema.  Linux autofs (at least in RedHat/Fedora) will 
look for objects with objectclass 'nisObject' when looking up automount 
info.  This method dates back to the original RFC2307 (non-bis version), 
and might make your life easier as long as you don't expect to add 
Solaris clients to your environment.


If you are supporting Solaris clients, you WILL need the 2307bis style 
automount schema, although Sun's version is NOT identical to the one at 
http://people.redhat.com/nalin/schema/autofs.schema.
You can find the Solaris automount schema embedded in their 'idsconfig' 
script:

http://cvs.opensolaris.org/source/xref/on/usr/src/cmd/ldap/ns_ldap/idsconfig.sh

Some more discussions about storing automount info in a directory can be 
found at http://www.ldapguru.org, e.g.:

http://www.ldapguru.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=2029&forum=6

Hopefully this will be a lot more straightforward in a few years, but 
for now the standard is a work-in-progress.


-- George

Susan wrote:

--- Pete Rowley [EMAIL PROTECTED] wrote:

  

Susan wrote:


However, I now get this:
[EMAIL PROTECTED] schema]# /opt/fedora-ds/slapd-cnyldap01/restart-slapd
[06/Feb/2006:13:34:09 -0500] dse - The entry cn=schema in file
/opt/fedora-ds/slapd-cnyldap01/config/schema/80autofs.ldif is invalid, error 
code 20 (Type or
value exists) - object class automount: The OID 1.3.6.1.1.1.1.9 is also used 
by the attribute
type shadowInactive

Have you seen this error before?

 

  
It is conflicting with the RFC2307 schema.  I don't know how this stuff 
perpetuates (and this nonsense is everywhere, I have seen at least two 
phony OIDs for this attribute alone) - but the automount attribute in 
the linked schema has an OID stolen from RFC2307 and assigned by IANA to 
shadowInactive.



Got it.  The problem is that the schema above is provided by what looks like a 
Redhat employee
which lends some credence to it.

 
  
RFC2307bis is the first document to mention automount, and it designates 
automount schema thus:



so, should I just use the RFC2307bis schema then?  I mean, looks like this RFC 
has expired and
there doesn't seem to be a replacement for the autofs attributes and object 
classes.

Uhm.. What's a gal to do then???




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
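
The "error code 20 ... OID 1.3.6.1.1.1.1.9 is also used by the attribute type shadowInactive" failure Susan hit is the server refusing a schema file because one OID is claimed twice, and as Pete says this kind of borrowed OID turns up in several published autofs schemas. The following is an added example (editor's shell code, not from the thread or from 389/FDS): a check that unfolds LDIF continuation lines and reports any OID assigned to more than one attributeType or objectClass across a set of schema files, so a clash is caught before restart-slapd. Function names are hypothetical; the two sample schema files the demo writes are constructed, with only the shadowInactive/automount clash itself taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the list or from 389/FDS: find OIDs that are
# assigned twice across a set of schema LDIF files, which is exactly the
# "OID 1.3.6.1.1.1.1.9 is also used by the attribute type shadowInactive"
# failure from the thread.  Function names are hypothetical; the sample
# schema lines below are constructed (only the shadowInactive/automount
# clash itself comes from the thread).

# find_duplicate_oids FILE...
# Unfolds LDIF continuation lines, then records the OID of every
# attributeTypes: and objectClasses: definition.  Prints one line per
# clash and returns 1 if any were found, 0 otherwise.
find_duplicate_oids() {
    for f in "$@"; do
        # Unfold: a line starting with a space continues the previous one.
        # Each logical line is emitted as "<file>TAB<line>" so the second
        # awk can say which file a definition came from.
        awk -v file="$f" '
            /^ / { buf = buf substr($0, 2); next }
            { if (buf != "") print file "\t" buf; buf = $0 }
            END { if (buf != "") print file "\t" buf }
        ' "$f"
    done | awk -F "$(printf '\t')" -v q="'" '
        $2 ~ /^(attributeTypes|objectClasses):/ {
            kind = ($2 ~ /^attributeTypes/) ? "attributeType" : "objectClass"
            # OID is the first dotted number after the opening parenthesis.
            if (!match($2, /\( *[0-9][0-9.]*/)) next
            oid = substr($2, RSTART + 1, RLENGTH - 1)
            gsub(/ /, "", oid)
            # Single-valued NAME only; NAME ( a b ) lists are reported as "?".
            name = "?"
            if (match($2, "NAME +" q "[^" q "]*" q)) {
                name = substr($2, RSTART, RLENGTH)
                sub(/^NAME +/, "", name)
                gsub(q, "", name)
            }
            label = kind " " name " (" $1 ")"
            if (oid in seen) {
                print "DUPLICATE OID " oid ": " seen[oid] " vs " label
                dups++
            } else {
                seen[oid] = label
            }
        }
        END { exit (dups > 0 ? 1 : 0) }
    '
}

# demo_find_duplicate_oids: write two constructed schema files, one with the
# RFC 2307 shadowInactive attribute and one with an automount objectClass
# that reuses its OID, and run the check.  Prints "clash=1 clean=0".
demo_find_duplicate_oids() {
    dir=$(mktemp -d)
    cat > "$dir/10rfc2307.ldif" <<'EOF'
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'RFC 2307' )
EOF
    cat > "$dir/80autofs.ldif" <<'EOF'
dn: cn=schema
objectClasses: ( 1.3.6.1.1.1.1.9 NAME 'automount' SUP top STRUCTURAL
  MUST ( cn $ automountInformation ) X-ORIGIN 'constructed sample' )
EOF
    find_duplicate_oids "$dir/10rfc2307.ldif" "$dir/80autofs.ldif" && clash=0 || clash=1
    find_duplicate_oids "$dir/10rfc2307.ldif" && clean=0 || clean=1
    rm -rf "$dir"
    echo "clash=$clash clean=$clean"
}

demo_find_duplicate_oids
```

Pointing it at the whole schema directory (find_duplicate_oids /opt/fedora-ds/slapd-*/config/schema/*.ldif) lists every clash with the file each side came from; a schema you are about to drop in should be checked together with the files already there, since the server sees them as one cn=schema entry.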


Re: [Fedora-directory-users] FDS console on Windows with SSL and self-signed certificates

2006-01-20 Thread George Holbert

Hi Brian,
When running the console on Unix, these files are created under $HOME/.mcc.

ls -l ~/.mcc
total 178
-rw-r--r--   1 root other226 Jan 12 14:27 
Console.4.0.Login.preferences

-rw---   1 root other  65536 Aug 16 18:32 cert8.db
-rw---   1 root other  32768 Aug 16 18:32 key3.db
-rw---   1 root other  32768 Aug 16 18:32 secmod.db

I'm not sure where this stuff would be created on Windows, but might be 
under C:\Documents and Settings\username\.mcc ?  Just a guess.


-- George


Brian Rudy wrote:

Hi Folks,

I have set up Fedora Management Console on one of my Windows boxes per 
the directions in the Howto:WindowsConsole Wiki, but have an issue 
connecting to the Directory Server using SSL. From the Windows box 
FMC, the Directory Server is listed in the Server Group, with Server 
status: Stopped. In the slapd logs I see the following:


[20/Jan/2006:11:09:36 -0800] conn=4768 fd=68 slot=68 SSL connection 
from 192.168.128.65 to 192.168.128.4
[20/Jan/2006:11:09:36 -0800] conn=4768 op=-1 fd=68 closed - SSL peer 
cannot verify your certificate.


Since I am using a self-signed certificate on the directory server, 
which would require installation on the client, this all appears to 
make sense. Now for the question: How does one install certificates on 
the client when using JSS/NSPR/NSS as shown in the Wiki? It looks like 
you would need to create your own cert7.db and key3.db with certutil, 
and import the Server-Cert, but I'm a bit confused as to where the .db 
files should be located, and what they should be named.


Has anyone done this who wouldn't mind sharing?


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] reducing memory footprint?

2005-12-22 Thread George Holbert

Hi Gerald,

HP has a tuning guide for their bundled Netscape DS, which may be 
somewhat useful to you for this:


http://docs.hp.com/en/7152/nds621_tuning_sizing_13.pdf

Of course, Fedora DS and HP's DS are not the same product, but they have 
common heritage.


Excerpt:
The Netscape Directory Server for HP-UX caches entry and indexing 
information in memory. HP-UX requires at
least 256 MB of memory for a small deployment. But for large directory 
servers, 512MB to 4GB RAM is needed for
best performance. To estimate how much RAM needed for Directory Server 
on a system, please use the following

formula:
Total_NDS_RAM = 1.2 * (base_RAM_need_for_slapd_process + caches)
Where
base_RAM_needed_for_slapd_process = 32MB + nsslapd-threadnumber * 1MB
caches = dbcache + SUM(all entry caches) + import_cache
Explanation:
· 1.2: 20% additional RAM needed for slapd process to handle incoming 
LDAP operations. 20% is an
estimated number, and it should be sufficient. However, testing is 
needed to ensure that it is enough before

going into production.
· 32MB: is the size of the slapd process.
· nsslapd-threadnumber *1MB: each thread needs about 1MB of memory.
· dbcache: specified as nsslapd-dbcachesize.
· All entry caches: specified as nsslapd-cachememsize.



Gerald Richter wrote:

Hi,

I just made a test installation of FDS and saw that a ns-slapd without any 
user data takes about 120MB of (virtual) memory on my system.


I would like to run it on a system with limited memory resources, so I am 
looking for a way to use less memory.


I don't have high load on that system and never more than one or two queries in 
parallel, so it would be quite ok to reduce the number of threads and things 
like this, but beside reducing the cache size of the backend DB I didn't find 
any hints what can be done in this direction.


Any ideas?

Thanks

Gerald

 

 





--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] reducing memory footprint?

2005-12-22 Thread George Holbert

Ulf, thanks for the clarification.

Gerald, I should have mentioned, the HP tuning guide is not explicitly a 
guide for reducing memory usage.  But, some of the text (such as the 
excerpt I pasted) may be of use to you.


Good luck,
-- George

Ulf Weltman wrote:
Hello George and Gerald.  I'm afraid the tuning guide won't help much 
with reducing memory footprint, it focuses on increasing performance 
which involves using more memory among other things! :)  There is a 
document for the NSDS 7.0 which is not far from the FDS 1.0 codebase 
if you're still interested, but the measurements and tuning 
suggestions are meant for DS running on HP-UX.


It does answer one of Gerald's questions:  worker threads can be 
reduced with nsslapd-threadnumber, the default is 30.  I don't know 
that this will save you significant memory on Linux.


Ulf








--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
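
To make the HP sizing formula George quoted concrete, and to show what Ulf's suggestion of lowering nsslapd-threadnumber from the default 30 actually buys on the memory side, here is an added example (editor's shell code, not from the HP guide, from HP, or from the list). It applies Total_NDS_RAM = 1.2 * (32MB + nsslapd-threadnumber * 1MB + dbcache + SUM(entry caches) + import_cache) to sample numbers. The function names are hypothetical; the constants and the default thread count are the ones stated in the thread; the cache sizes fed in are constructed.

```shell
#!/bin/sh
# Added example, not from the HP guide or the list: apply the sizing formula
# quoted above to concrete numbers.  Function names are hypothetical; the
# constants (32 MB base, 1 MB per thread, the 1.2 headroom factor) and the
# default of 30 worker threads are the ones given in the thread.  All sizes
# are whole MB.

# estimate_slapd_ram THREADS DBCACHE_MB IMPORT_CACHE_MB ENTRY_CACHE_MB...
# Total_NDS_RAM = 1.2 * ((32 + threads * 1) + (dbcache + SUM(entry caches) + import_cache))
# One entry cache argument per backend; prints the total with one decimal.
estimate_slapd_ram() {
    threads="$1"; dbcache="$2"; import_cache="$3"; shift 3
    entry_sum=0
    for c in "$@"; do
        entry_sum=$((entry_sum + c))
    done
    awk -v t="$threads" -v d="$dbcache" -v i="$import_cache" -v e="$entry_sum" 'BEGIN {
        base   = 32 + t * 1        # slapd process plus about 1 MB per worker thread
        caches = d + e + i         # nsslapd-dbcachesize + nsslapd-cachememsize sum + import cache
        printf "%.1f\n", 1.2 * (base + caches)
    }'
}

# compare_thread_settings DBCACHE_MB IMPORT_CACHE_MB ENTRY_CACHE_MB...
# Shows how much of the footprint is the thread pool: the same caches with
# the default 30 threads versus a 4-thread pool for a lightly loaded server.
compare_thread_settings() {
    dbcache="$1"; import_cache="$2"; shift 2
    default=$(estimate_slapd_ram 30 "$dbcache" "$import_cache" "$@")
    small=$(estimate_slapd_ram 4 "$dbcache" "$import_cache" "$@")
    echo "threads=30 total=${default}MB threads=4 total=${small}MB"
}

# Sample sizes are constructed: 10 MB dbcache, no import cache, two
# backends with 10 MB entry caches each.
compare_thread_settings 10 0 10 10
```

With those sample caches the thread pool accounts for roughly 31 MB of the estimate, which matches Ulf's caveat: the formula is an HP-UX sizing aid, and trimming threads on Linux helps only in proportion to the caches you keep.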


Re: [Fedora-directory-users] openlda client and fedora-ds

2005-10-28 Thread George Holbert

Enrico,
ldapsearch on Linux (built with OpenLDAP libs) defaults to SASL 
authentication.

Add the -x switch to use simple authentication:

ldapsearch -x -L -b dc=chiccomara,dc=org -W '(objectclass=*)'



Enrico Valsecchi wrote:


Dear All,

I installed my fedora-ds with your help.
Many thanks!

Well, the openldap client is installed on my linux box,
and I want to browse my ldap dir content.

O.K., I type:

ldapsearch -L -b dc=chiccomara,dc=org -W '(objectclass=*)'
LDAP server request a password.
I type LDAP password, and result is:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:

Where is a problem?

Many thanks,

Enrico Valsecchi






--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


[Fedora-directory-users] Using 'localhost' for configuration directory

2005-10-27 Thread George Holbert
If each directory server in an environment will be acting as its own 
configuration directory (i.e., for o=NetscapeRoot stuff), is it ok to 
just use 'localhost' as the value for the configuration directory 
server?  Or, is it better/required to use the FQDN of the public network 
interface (e.g., ldaphost.example.com)?


Thanks,
-- George


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] crypt password with AD ?

2005-10-25 Thread George Holbert
Unfortunately, the Microsoft AD password hash isn't a supported password 
hash in FDS (or any other directory server, except AD of course).  I 
think this is because Microsoft's hash is proprietary.  This means 
neither SSHA nor crypt can directly be synced with AD.
To sync passwords, you have to use something that can catch the password 
while it's in clear text (i.e., when the user changes it).  There is a 
Fedora Winsync package which I believe can help with this.


Jón Björn Njálsson wrote:


Hi.

Is there any way to sync FDS crypt passwords with Active Directory or do
they have to be encrypted with SSHA ?

Jon



 





--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


Re: [Fedora-directory-users] strange problem with group of more than 2000 users

2005-10-12 Thread George Holbert

Hi Basile,

I can have exactly 726 members in my group (5232 login characters, 5958 
with end-of-line)


So it doesn't break at exactly 4096, as I suggested earlier.  Hmm... 
perhaps the limit is larger than I thought?
I still would guess the problem is in the client OS rather than the 
directory server.  Note that the before/after logs you posted are 
nigh-identical.  This suggests the directory server isn't doing anything 
different when the group size increases.


It might be a good test to create the same large group in the local 
/etc/group file on a client, and see if it works that way.  This should 
help confirm if the problem is LDAP-related or group length-related.


Good luck,
-- George


basile au siris wrote:


hi
back with new info :)
I can have exactly 726 members in my group (5232 login characters, 5958 
with end-of-line)

what kind of Solaris limitation could it be?
I've 3146 people in the directory in 10 groups and just one with more 
than 726 users


here are the ldap logs for 726 users in the group when doing a getent group toto

[12/Oct/2005:12:37:39 +0200] conn=1 fd=64 slot=64 connection from xxx.xxx.xxx.4 to xxx.xxx.xxx.4
[12/Oct/2005:12:37:39 +0200] conn=1 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=fr" method=128 version=3
[12/Oct/2005:12:37:39 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=fr"
[12/Oct/2005:12:37:39 +0200] conn=1 op=1 SRCH base="ou=groups,dc=example,dc=fr" scope=1 filter="(&(objectClass=posixGroup)(cn=toto))" attrs="cn gidNumber userPassword memberUid"
[12/Oct/2005:12:37:39 +0200] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0

[12/Oct/2005:12:37:39 +0200] conn=1 op=2 UNBIND
[12/Oct/2005:12:37:39 +0200] conn=1 op=2 fd=64 closed - U1


and here with 727 users when it doesn't work

[12/Oct/2005:12:46:24 +0200] conn=1 fd=64 slot=64 connection from xxx.xxx.xxx.4 to xxx.xxx.xxx.4
[12/Oct/2005:12:46:24 +0200] conn=1 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=fr" method=128 version=3
[12/Oct/2005:12:46:24 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=fr"
[12/Oct/2005:12:46:24 +0200] conn=1 op=1 SRCH base="ou=groups,dc=example,dc=fr" scope=1 filter="(&(objectClass=posixGroup)(cn=toto))" attrs="cn gidNumber userPassword memberUid"
[12/Oct/2005:12:46:24 +0200] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0

[12/Oct/2005:12:46:24 +0200] conn=1 op=2 UNBIND
[12/Oct/2005:12:46:24 +0200] conn=1 op=2 fd=64 closed - U1

thanks
basile


Jeff Clowser wrote:

If it is hitting any type of administrative limit, it should show 
some type of error in the logs.
Look at the searches it is doing, and make sure you have appropriate 
indexes on attributes it is searching against - if the appropriate 
stuff is indexed, searches should be fast enough to not run into a 
timeout issue in most cases.  Look in the access log for Notes=U - 
that should be there on an unindexed search.


If you don't see any of this in the logs, I'd say it's more a limit 
on the Solaris side (as someone else mentioned) than the LDAP side.


How big is your directory (how many entries, approximately)?

- Jeff

basile au siris wrote:


I did a test
with 643 users it works
with 800 users it doesn't work
could it be a timer problem (time_search_limit or time_bind_limit 
for proxyagent which is used

to query the directory)
basile

basile au siris wrote:


thanks
I set the sizelimit to -1 but it doesn't work any better
I set nssizelimit to -1 on the proxyagent which is used to bind to 
the directory but same result
I looked at the logs and when I use id or getent there is a directory 
query

it seems crazy that I can't have more than 2000 users in a group
I'm searching for the limit of users I can have
basile

Jeff Clowser wrote:


It could be a limit on the sizes of groups, etc in Solaris.

To check to see if it's LDAP related, look at the ldap access logs 
for queries related to that group or coming from that machine.  
Anyway, 2000 I believe is the default sizelimit for searches, so 
look for entries with 2000 results, if it's consistently failing 
at 2000 users.  If it's just reading the group with 2000+ static 
members (1 entry), then maybe reading each user individually (1 
entry/search), it shouldn't hit a resource limit.  But...  if it 
reads the group, then searches for all users with that group id, 
or something similar, it may hit the administrative limits.


For a simple test, you could up the sizelimit (say to 1 or -1) 
on the directory server and see if the problem goes away.


If you find something like this, there are a couple ways to fix it:
1.  Up your server administrative sizelimit (to a higher number, 
or -1 for unlimited).  This should be a last resort, since it 
allows anyone (even anonymous) to make unlimited size searches 
against your directory.  If your directory is large, that could 
cause problems.
2.  If the solaris box is binding as a particular DN to search, 
you can add the nsSizeLimit to that 
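Jeff's advice above (look in the access log for an unindexed-search note and for results that hit the administrative sizelimit) can be turned into a small checker. The following is an added example, not code from the thread or from the directory server: it pairs each SRCH line with its RESULT line by conn/op, then flags results whose notes value marks the search as unindexed or whose err code is the standard LDAP sizeLimitExceeded (4) or timeLimitExceeded (3). The log lines are constructed for this example in the format basile's logs show; the values on conn=2 and conn=3 are invented to exercise both conditions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the FDS/389 access-log format seen in the thread.
# conn=1 is the healthy group lookup; conn=2 is an unindexed search (notes=U);
# conn=3 is a search that hit the sizelimit (err=4).  All values are made up.
SAMPLE_LOG = """\
[12/Oct/2005:12:37:39 +0200] conn=1 op=0 BIND dn="cn=proxyagent,ou=profile,dc=example,dc=fr" method=128 version=3
[12/Oct/2005:12:37:39 +0200] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=example,dc=fr"
[12/Oct/2005:12:37:39 +0200] conn=1 op=1 SRCH base="ou=groups,dc=example,dc=fr" scope=1 filter="(&(objectClass=posixGroup)(cn=toto))" attrs="cn gidNumber userPassword memberUid"
[12/Oct/2005:12:37:39 +0200] conn=1 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Oct/2005:12:37:39 +0200] conn=1 op=2 UNBIND
[12/Oct/2005:12:46:24 +0200] conn=2 op=1 SRCH base="ou=people,dc=example,dc=fr" scope=2 filter="(description=*staff*)" attrs="uid"
[12/Oct/2005:12:46:24 +0200] conn=2 op=1 RESULT err=0 tag=101 nentries=40 etime=3 notes=U
[12/Oct/2005:12:46:25 +0200] conn=3 op=1 SRCH base="ou=people,dc=example,dc=fr" scope=2 filter="(gidNumber=1000)" attrs="uid"
[12/Oct/2005:12:46:25 +0200] conn=3 op=1 RESULT err=4 tag=101 nentries=2000 etime=1
"""

# "[timestamp] conn=N op=M KIND rest..."; lines without op= (e.g. "fd=64 slot=64 connection from")
# do not match and are skipped.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>\w+) ?(?P<rest>.*)$')
# key=value pairs where the value may be a quoted string containing spaces and '='.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

LDAP_TIMELIMIT_EXCEEDED = 3   # standard LDAP result codes
LDAP_SIZELIMIT_EXCEEDED = 4


def parse_fields(rest: str) -> Dict[str, str]:
    """Split the tail of an access-log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def find_limit_hits(log_text: str) -> List[Tuple[int, int, str, str]]:
    """Return (conn, op, reason, filter) for searches that were unindexed or hit a limit."""
    searches: Dict[Tuple[int, int], Dict[str, str]] = {}
    findings: List[Tuple[int, int, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        fields = parse_fields(m['rest'])
        if m['kind'] == 'SRCH':
            searches[key] = fields            # remember the filter until its RESULT arrives
        elif m['kind'] == 'RESULT' and key in searches:
            filt = searches[key].get('filter', '')
            notes = fields.get('notes', '')
            err = int(fields.get('err', '0'))
            # notes=U marks an unindexed search; newer 389-ds also uses A for fully unindexed.
            if 'U' in notes or 'A' in notes:
                findings.append((key[0], key[1], 'unindexed', filt))
            if err == LDAP_SIZELIMIT_EXCEEDED:
                findings.append((key[0], key[1], 'sizelimit', filt))
            elif err == LDAP_TIMELIMIT_EXCEEDED:
                findings.append((key[0], key[1], 'timelimit', filt))
    return findings


if __name__ == "__main__":
    for conn, op, reason, filt in find_limit_hits(SAMPLE_LOG):
        print(f"conn={conn} op={op} {reason}: {filt}")
```

Run against a real access log (read the file instead of `SAMPLE_LOG`), an empty result for the client's connections is a strong hint that, as Jeff and George suggest, the limit is on the client side rather than in the directory.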

[Fedora-directory-users] Tuning nsslapd-dbcachesize on Solaris

2005-09-09 Thread George Holbert
When tuning FDS on a Solaris machine, I've heard two different 
suggestions about nsslapd-dbcachesize:
1. Decrease nsslapd-dbcachesize, and instead rely on Solaris' built-in 
filesystem cache which performs better.
2. Tune nsslapd-dbcachesize up to a value that is at least as large as 
the size of your backend LDBM database.


To know for sure which works best in my case, I'll need to test both of 
course.  But, does anyone have any thoughts or prior experience on which 
of the above options performs better?


Thanks a lot,
-- George


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


[Fedora-directory-users] user-defined vs. standard schema files

2005-09-01 Thread George Holbert
I've copied some custom schema files to the config/schema directory.  In 
the Java console, some of the attributes and objectclasses defined in 
the custom schema files show up under Standard, while others show up 
in User Defined.


Does anyone know how FDS determines that an attribute or objectclass is 
standard vs. user-defined?  I would think everything that is defined 
in a custom schema file would show up in user-defined.


Not sure that this really matters much, but just curious.

Thanks,
-- George


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

