Re: [389-users] Need help to setup a slave server

2013-02-19 Thread Arpit Tolani
Hello

On Tue, Feb 19, 2013 at 5:16 PM, Fosiul Alam  wrote:
> Hi Expert,
> i just want some guidance about how to setup slave and start the replication.

Refer to:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Configuring_Single_Master_Replication.html

> we have a master server which is already running.

Is SSL configured on the master? Configure that first using
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SecureConnections.html

> now i want to setup a slave
> what will be the best way to do this ?? (example copying cert files   )
> just copy from master to slave will work ?? or do i need do this via
> command line ??
> any web link about setup slave from master ..
>

I often use this to create the CA & certs for both master & slave. Check
if you find it helpful:
http://lists.fedoraproject.org/pipermail/389-users/2013-January/015400.html

> Thanks for any advise towards this
> Fosiul.
> --
> 389 users mailing list
> 389-us...@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users


Regards
Arpit Tolani

Re: [389-users] passwordExpirationtime

2013-02-18 Thread Arpit Tolani
Hello

On Mon, Feb 18, 2013 at 4:52 PM, Vesa Alho  wrote:
> Hi,
>
> I'm setting up new 389 ds servers and importing data from old 389 server.
> One thing is unclear to me. I would like to enforce password expiration
> which was not used in old server. Could you explain the following example
> value to me:
>
> passwordExpirationTime: 2011 09 16 07 10 26 Z
> => does that mean -MM-DD-HH-MM-SS (I read max. value is Jan 18 2038)?
> => value does not seem to update automatically, no I need to update it
> "manually"?
>

Yes, password expiration is saved in Zulu format, which is
MMDDHHMMSSZ. If passwordexpirationtime is greater than the current
date, the user can successfully log in. If it is less, the user is asked to
change his password.


> And how does directory wide setting "Password expires in __ days" relate to
> this?
>

Whenever a user logs in, the current date/time is matched with
passwordexpirationtime. If that is higher than 
it is ignored, else the user is prompted with a warning message "Password
will be expired in X days".

> -Vesa


Regards
Arpit Tolani
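
Added example, not part of the original messages: a small audit over an LDIF export that classifies each entry by its passwordExpirationTime, following the comparison described in the reply above. It assumes the attribute is an LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ); the sample entries, the 14-day warning window and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export (not from the thread). uid=carol has no expiry
# attribute, as can happen for entries imported from a server without expiry.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
passwordExpirationTime: 2011 09 16 07 10 26 Z

dn: uid=bob,ou=People,dc=example,dc=com
passwordExpirationTime: 20130225120000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol

dn: uid=dave,ou=People,dc=example,dc=com
passwordExpirationTime: 20130601000000Z
"""

def parse_expiration(value):
    """Parse YYYYMMDDHHMMSSZ (UTC), tolerating spaces between the fields."""
    compact = "".join(value.split())
    return datetime.strptime(compact, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit(ldif_text, now, warn_days=14):
    """Return {dn: status}; status is expired, warning, ok or no-expiry."""
    report = {}
    # Simplified LDIF reader: blank-line separated entries, no folded lines.
    for block in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            attrs[key.strip().lower()] = val.strip()
        dn = attrs["dn"]
        raw = attrs.get("passwordexpirationtime")
        if raw is None:
            report[dn] = "no-expiry"   # expiry would not be enforced here
        elif parse_expiration(raw) <= now:
            report[dn] = "expired"     # user is asked to change the password
        elif parse_expiration(raw) - now <= timedelta(days=warn_days):
            report[dn] = "warning"     # inside the assumed warning window
        else:
            report[dn] = "ok"
    return report

if __name__ == "__main__":
    now = datetime(2013, 2, 18, 12, 0, 0, tzinfo=timezone.utc)
    for dn, status in audit(SAMPLE_LDIF, now).items():
        print(f"{status:10} {dn}")
```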

Re: [389-users] LDAPS configuration/installation

2012-03-05 Thread Arpit Tolani
Hie

2012/3/5 Gilbert Martin 

> Hi All,
>
> I've been trying to get SSL working with my LDAP server, but haven't had
> success. I'm currently implementing a new test environment.  Does anyone
> have some quick and dirty instruction on setting up a CA and SSL certs for
> my directory server and clients?
>
>
From my cheat sheet

The first thing we need to do is create a new key store.

# cd /etc/dirsrv/slapd-directory/
# mv cert8.db key3.db secmod.db /root/
# certutil -N -d .

Then we create your CA.

# certutil -S -n "CA certificate" -s "cn=CA cert,dc=directory,dc=example,dc=com" -2 -x -t "CT,," -m 1000 -v 720 -d . -k rsa

Make sure you say yes to "Is this a CA certificate [y/N]?" and everything
else will be default.

Next we create your server cert. Make sure your cn is your FQDN of this
server.

# certutil -S -n "directory-Server-Cert" -s "cn=directory.example.com" -c "CA certificate" -t "u,u,u" -m 1001 -v 720 -d . -k rsa

Then check to make sure it looks ok

# certutil -L -d /etc/dirsrv/slapd-directory/

Create your public ca for your clients.

# certutil -d . -L -n "CA certificate" -a  > my-public-ca.asc

In your /etc/dirsrv/slapd-directory/dse.ldif make your nsSSLPersonalitySSL
look like the following.

nsSSLPersonalitySSL: directory-Server-Cert

That should be it. You have to restart the directory server after above
steps.

After this configure Directory Server to use SSL.

Set the secure port for the server to use for TLS/SSL communications. In
the Configuration area, select the Settings tab, and enter the value in the
Encrypted Port field.

- The encrypted port number must not be the same port number used for
normal LDAP communications. By default, the standard port number is 389,
and the secure port is 636.

- Select the Configuration tab, and then select the top entry in the
navigation tree in the left pane. Select the Encryption tab in the right
pane.

- Select the Enable SSL for this Server checkbox.

- Check the Use this Cipher Family checkbox.

- Select the certificate to use from the drop-down menu.






-- 
Regards
Arpit Tolani
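
Added example, not part of the original message: a consistency check between the `certutil -L` listing and the nsSSLPersonalitySSL value in dse.ldif, using the nicknames and trust flags from the cheat sheet above. The listing and dse.ldif fragment are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample of `certutil -L -d .` output after the steps above.
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
directory-Server-Cert                                        u,u,u
"""

# Constructed dse.ldif fragment (only the attribute the message mentions).
DSE_FRAGMENT = """\
dn: cn=RSA,cn=encryption,cn=config
nsSSLPersonalitySSL: directory-Server-Cert
"""

def parse_listing(text):
    """Map nickname -> SSL trust flags (first of the three comma fields)."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$", line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs

def check_tls_config(listing, dse_text, ca_nickname="CA certificate"):
    """Return a list of problems; an empty list means the pieces agree."""
    certs = parse_listing(listing)
    problems = []
    m = re.search(r"^nsSSLPersonalitySSL:\s*(.+?)\s*$", dse_text, re.M | re.I)
    if not m:
        return ["dse.ldif has no nsSSLPersonalitySSL attribute"]
    nickname = m.group(1)
    flags = certs.get(nickname)
    if flags is None:
        problems.append(f"nickname {nickname!r} is not in the certificate database")
    elif "u" not in flags:
        problems.append(f"{nickname!r} has no private key here (no 'u' flag)")
    ca_flags = certs.get(ca_nickname)
    if ca_flags is None:
        problems.append(f"CA {ca_nickname!r} is not in the certificate database")
    elif "C" not in ca_flags or "T" not in ca_flags:
        problems.append(f"CA {ca_nickname!r} lacks the CT trust set above ({ca_flags!r})")
    return problems

if __name__ == "__main__":
    print(check_tls_config(CERTUTIL_LISTING, DSE_FRAGMENT) or "configuration is consistent")
```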

Re: [389-users] How do I configure Solaris 10 as a LDAP client.

2011-12-13 Thread Arpit Tolani
Hie

2011/12/13 Carsten Grzemba 

> For SSHA passwords, Solaris needs a proper PAM configuration; for SSH,
> especially the section:
>
> other   auth requisite  pam_authtok_get.so.1
> other   auth required   pam_dhkeys.so.1
> other   auth required   pam_unix_cred.so.1
> other   auth binding    pam_unix_auth.so.1 server_policy
> other   auth required   pam_ldap.so.1
>
> Because there are some variations in the config between the Solaris
> versions, the best source for the right stack is
> # man pam_ldap
>
> Carsten
>
>
Thanks, I tried the above but it didn't work. I am not very familiar with
Solaris. Any other help will be appreciated.

Thanks & Regards
Arpit Tolani

Re: [389-users] change IP of admin server

2011-12-06 Thread Arpit Tolani
2011/12/6 Ellsworth, Josh 

> What do I need to do to change the IP of the admin server? I brought up an
> instance from an image of a working 389 install and now I can’t connect to
> the admin server. I think that I missed something changing the IP. Is there
> a special process that should be run?
>
> Josh
>
>
You need to change the things below.
in admin-serv/local.conf
serverhostname:

in admin-serv/adm.conf
ldapurl:

in slapd-instance/dse.ldif
nsslapd-localhost




-- 
Thanks & Regards
Arpit Tolani