[389-users] Managing groups
Hello, I would like to know how I can use the memberOf or member attributes to assign an appropriate gidNumber to my users, so as to avoid this error: id: cannot find the name of the group identifier 38468. Thank you.
-- Aziza Lichir
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] Managing groups
Hello again, I'll explain exactly what I want. Let's say I have some users and some groups in my DS base, for example:

    # user
    uid=user1
    gid=38401
    memberOf= cn=group1
    memberOf= cn=group2
    memberOf= cn=group3

    # groups
    cn=group1
    gid=38430
    uniqueMember= uid=user1
    uniqueMember= uid=user2
    uniqueMember= uid=user3

    cn=group2
    gid=38432
    uniqueMember= uid=user1
    uniqueMember= uid=user2
    uniqueMember= uid=user4

What I want is for the gid of user1 to be the same as the gid of the main group that he belongs to (group1 or group2 in the example). I don't know if main groups exist in 389 DS as they do in Active Directory; I was looking for a solution but I couldn't find anything.
Thanking you in advance for your help.
-- Aziza Lichir
[389-users] Users and groups
Hello, it's been a while. I've started with 389 DS and it never occurred to me to check whether the users I add in the console are added automatically to the server in some kind of LDIF file :p. I know now that I didn't really get it. So now I would like to know how I can add an object class to all the users I have with one command, if that is possible. I already tried this one, but it didn't work for the new users I added: http://directory.fedoraproject.org/wiki/Howto:Default_Console_Object_Objectclass
Another question: how can I fix this error, "id: cannot find the name of the group identifier", knowing that when I enable Posix User to sync users from AD I assign the GID randomly?
Thanking you in advance for your precious answers.
-- Aziza Lichir
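The "cannot find the name of the group identifier" error in the "Managing groups" and "Users and groups" messages above has one cause: the account's gidNumber matches the gidNumber of no posixGroup, so the client resolves a number it cannot turn into a name. The script below is an added example, not code from the list thread or from 389 DS. It reads an LDIF export of the user and group subtrees (for instance the output of `ldapsearch -LLL`), lists accounts with an orphaned gidNumber, and for each one proposes the gidNumber of the first posixGroup that lists the account in uniqueMember or that the account's memberOf names, printing an LDIF for ldapmodify. The DNs, the ou=People/ou=Groups layout and the sample entries are constructed to mirror the example in the first message; the gidcheck.py file name and the assumption that groups carry both groupOfUniqueNames and posixGroup are mine.

```python
#!/usr/bin/env python3
"""Report posixAccount entries whose gidNumber names no posixGroup, and draft the fix.

Added example. Usage against an LDIF export of the user and group subtrees:
  ldapsearch -x -ZZ -LLL -b dc=meyclub,dc=net '(|(objectClass=posixAccount)(objectClass=posixGroup))' > export.ldif
  python3 gidcheck.py export.ldif > fixes.ldif
Review fixes.ldif, then apply it with: ldapmodify -x -ZZ -D 'cn=Directory Manager' -W -f fixes.ldif
"""
import base64
import sys

# Constructed sample export, not real directory data. As in the thread's example, user1
# carries a gidNumber (38401) that no group has and is a uniqueMember of group1 and group2;
# user3 carries the orphan gidNumber 38468 and belongs to no group at all.
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=meyclub,dc=net
objectClass: posixAccount
uid: user1
uidNumber: 38401
gidNumber: 38401
memberOf: cn=group1,ou=Groups,dc=meyclub,dc=net
memberOf: cn=group2,ou=Groups,dc=meyclub,dc=net

dn: uid=user2,ou=People,dc=meyclub,dc=net
objectClass: posixAccount
uid: user2
uidNumber: 38402
gidNumber: 38430

dn: uid=user3,ou=People,dc=meyclub,dc=net
objectClass: posixAccount
uid: user3
uidNumber: 38403
gidNumber: 38468

dn: cn=group1,ou=Groups,dc=meyclub,dc=net
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: group1
gidNumber: 38430
uniqueMember: uid=user1,ou=People,dc=meyclub,dc=net
uniqueMember: uid=user2,ou=People,dc=meyclub,dc=net

dn: cn=group2,ou=Groups,dc=meyclub,dc=net
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: group2
gidNumber: 38432
uniqueMember: uid=user1,ou=People,dc=meyclub,dc=net
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts; attribute names are lower-cased."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:            # the trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):                # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _has_class(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))


def find_orphan_gids(entries):
    """Return {uid: gidNumber} for accounts whose gidNumber no posixGroup carries.
    These are exactly the accounts for which `id` complains about an unknown group ID."""
    group_gids = {g["gidnumber"][0] for g in entries if _has_class(g, "posixGroup")}
    return {a["uid"][0]: a["gidnumber"][0] for a in entries
            if _has_class(a, "posixAccount") and a["gidnumber"][0] not in group_gids}


def propose_gid_fixes(entries):
    """Map each orphan uid to the gidNumber of the first posixGroup (in export order) that
    lists the account in uniqueMember or that the account's memberOf names; None means no
    group claims the account. DN matching is a case-folded string compare, a simplification
    of real DN equality (RFC 4517), which is fine for DNs written consistently as here."""
    groups = [g for g in entries if _has_class(g, "posixGroup")]
    accounts = {a["uid"][0]: a for a in entries if _has_class(a, "posixAccount")}
    fixes = {}
    for uid in find_orphan_gids(entries):
        dn = accounts[uid]["dn"][0].lower()
        member_of = {m.lower() for m in accounts[uid].get("memberof", [])}
        fixes[uid] = None
        for g in groups:
            members = {m.lower() for m in g.get("uniquemember", [])}
            if dn in members or g["dn"][0].lower() in member_of:
                fixes[uid] = g["gidnumber"][0]
                break
    return fixes


def render_modify_ldif(entries):
    """Emit ldapmodify input; accounts no group claims get a comment instead of a change."""
    accounts = {a["uid"][0]: a for a in entries if _has_class(a, "posixAccount")}
    chunks = []
    for uid, gid in propose_gid_fixes(entries).items():
        if gid is None:
            chunks.append(f"# {uid}: no posixGroup claims this account; fix its membership first\n")
        else:
            chunks.append(f"dn: {accounts[uid]['dn'][0]}\nchangetype: modify\n"
                          f"replace: gidNumber\ngidNumber: {gid}\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(render_modify_ldif(parse_ldif(text)))
```

Run without arguments it processes the constructed sample and prints one `replace: gidNumber` change for user1 (to 38430, from group1) and a comment for user3, who is in no group and therefore still needs a group created or assigned before `id user3` can succeed.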
[389-users] ACl
Hello again, I would like to know if it's possible to limit access to my server to certain users, for example via SSH?
Thanking you in advance for your answer.
-- Aziza Lichir
Re: [389-users] TLS failure
Yes, this is my file, /etc/ldap.conf:

    uri ldaps://srv-ds-38.meyclub.net:636
    ssl start_tls
    tls_cacertdir /etc/openldap/cacerts
    pam_password crypt

and /etc/openldap/ldap.conf:

    URI ldaps://srv-ds-38.meyclub.net:636   (I've tried with ldap and it was the same)
    BASE dc=meyclub,dc=net
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow

2013/5/7 Grzegorz Dwornicki gd1...@gmail.com:
Are you using an LDAPS URI with the -ZZ argument?

7 May 2013 10:18, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey, I'm having problems with TLS/SSL on my client side. When I do ldapsearch -ZZ it works just fine and says that SSL started, but when I try to authenticate a user I keep getting this strange error:

    [07/May/2013:10:04:06 +0200] conn=95 fd=228 slot=228 SSL connection
    [07/May/2013:10:04:06 +0200] conn=95 SSL 256-bit AES
    [07/May/2013:10:04:06 +0200] conn=95 op=0 EXT oid=1.3.6.1.4.1.1466.20037 name=startTLS
    [07/May/2013:10:04:06 +0200] conn=95 op=0 RESULT err=1 tag=120 nentries=0 etime=0
    [07/May/2013:10:04:06 +0200] conn=95 op=1 UNBIND
    [07/May/2013:10:04:06 +0200] conn=95 op=1 fd=228 closed - U1

The platform is: server: CentOS 6.3 i386; client: CentOS 5.3.

    [root@srv-ds-38 ~]# rpm -qi 389-ds-base
    Name        : 389-ds-base                  Relocations: (not relocatable)
    Version     : 1.2.11.15                    Vendor: CentOS
    Release     : 14.el6_4                     Build Date: Tue 16 Apr 2013 12:57:55 AM CEST
    Install Date: Fri 26 Apr 2013 04:05:26 PM CEST   Build Host: c6b7.bsys.dev.centos.org
    Group       : System Environment/Daemons   Source RPM: 389-ds-base-1.2.11.15-14.el6_4.src.rpm
    Size        : 4940881                      License: GPLv2 with exceptions
    Signature   : RSA/SHA1, Tue 16 Apr 2013 11:32:27 AM CEST, Key ID 0946fca2c105b9de
    Packager    : CentOS BuildSystem <http://bugs.centos.org>
    URL         : http://port389.org/
    Summary     : 389 Directory Server (base)
    Description : 389 Directory Server is an LDAPv3 compliant server. The base package
                  includes the LDAP server and command line utilities for server administration.

I would appreciate some help.
-- Aziza Lichir
Re: [389-users] TLS failure
I agree; when I used the ldap URI with port 389 it was working, but I want to connect to the server on port 636, and that's why I changed my file.

2013/5/7 Grzegorz Dwornicki gd1...@gmail.com:
What was the old URI? Did you change the port as well? The error looks like the result of trying to use StartTLS on an encrypted connection. StartTLS works on port 389. You need to leave ldap and port 389 in the URL and then try to use StartTLS. This should work.

7 May 2013 10:52, Aziza Lichir aziza.lic...@gmail.com wrote:
Yes, this is my file, /etc/ldap.conf:

    uri ldaps://srv-ds-38.meyclub.net:636
    ssl start_tls
    tls_cacertdir /etc/openldap/cacerts
    pam_password crypt

and /etc/openldap/ldap.conf:

    URI ldaps://srv-ds-38.meyclub.net:636   (I've tried with ldap and it was the same)
    BASE dc=meyclub,dc=net
    TLS_CACERTDIR /etc/openldap/cacerts
    TLS_REQCERT allow

2013/5/7 Grzegorz Dwornicki gd1...@gmail.com:
Are you using an LDAPS URI with the -ZZ argument?

7 May 2013 10:18, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey, I'm having problems with TLS/SSL on my client side.
Re: [389-users] TLS failure
Now I've changed the URI in both files, /etc/ldap.conf and /etc/openldap/ldap.conf, to:

    uri ldap://srv-ds-38.meyclub.net

and it's working just like before. Here are the logs:

    [07/May/2013:11:20:58 +0200] conn=200 fd=69 slot=69 connection from 192.168.1.103 to 192.168.1.112
    [07/May/2013:11:20:58 +0200] conn=200 op=0 EXT oid=1.3.6.1.4.1.1466.20037 name=startTLS
    [07/May/2013:11:20:58 +0200] conn=200 op=0 RESULT err=0 tag=120 nentries=0 etime=0
    [07/May/2013:11:20:58 +0200] conn=200 SSL 256-bit AES
    [07/May/2013:11:20:58 +0200] conn=200 op=1 BIND dn="" method=128 version=3
    [07/May/2013:11:20:58 +0200] conn=200 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
    [07/May/2013:11:20:58 +0200] conn=200 op=2 SRCH base="dc=meyclub,dc=net" scope=2 filter="(&(objectClass=posixAccount)(uid=user1))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
    [07/May/2013:11:20:58 +0200] conn=200 op=2 RESULT err=0 tag=101 nentries=1 etime=0

And on the server side, when I do netstat -ntap, all I see is this:

    tcp  0  0  :::192.168.1.112:389  :::192.168.1.103:46296  ESTABLISHED  19414/ns-slapd
    tcp  0  0  :::192.168.1.112:389  :::192.168.1.103:46301  ESTABLISHED  19414/ns-slapd
    tcp  0  0  :::192.168.1.112:389  :::192.168.1.103:46294  ESTABLISHED  19414/ns-slapd
    tcp  0  0  :::192.168.1.112:389  :::192.168.1.76:4824    ESTABLISHED  19414/ns-slapd
    tcp  0  0  :::192.168.1.112:389  :::192.168.1.103:46298  ESTABLISHED  19414/ns-slapd
    tcp  0  0  :::192.168.1.112:389  :::192.168.1.103:46295  ESTABLISHED  19414/ns-slapd
    tcp  0  0  :::192.168.1.112:636  :::192.168.1.76:4715    ESTABLISHED  19414/ns-slapd

So I don't get it. Maybe I didn't understand the use of TLS/SSL very well, or I'm missing something.
Thanks for your help.
-- Aziza Lichir
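The thread above contains one broken client configuration and two working ones, and the server log tells the two apart: in the failing case the connection is already marked "SSL connection" when op=0 asks for the startTLS extended operation and gets RESULT err=1, which is the mismatch Grzegorz described (an ldaps://…:636 URI combined with `ssl start_tls`). The posted /etc/openldap/ldap.conf also carries `TLS_REQCERT allow`, which lets ldapsearch proceed when the server presents a bad certificate or none at all, so any host answering on that port can collect the bind credentials. The checker below is an added example, not code from the thread, from 389 DS or from nss_ldap: it parses text in the /etc/ldap.conf (nss_ldap/pam_ldap) and /etc/openldap/ldap.conf (OpenLDAP) formats and reports the StartTLS-over-LDAPS mix-up, the settings that disable certificate verification, and plain ldap:// without StartTLS. The "hardened" variants are my suggested settings and not something the thread agreed on; `ssl on` with an ldaps:// URI and `tls_checkpeer yes` are nss_ldap/pam_ldap options, `TLS_REQCERT demand` the OpenLDAP equivalent, and the ldapconf_lint.py file name is mine.

```python
#!/usr/bin/env python3
"""Lint nss_ldap/pam_ldap (/etc/ldap.conf) and OpenLDAP (/etc/openldap/ldap.conf) client settings.

Added example. Usage: python3 ldapconf_lint.py /etc/ldap.conf /etc/openldap/ldap.conf
With no arguments it lints the two files as they were posted in the thread.
"""
import re
import sys
from urllib.parse import urlsplit

# The two files as posted in the thread (the ssl/uri mismatch and TLS_REQCERT allow are theirs).
POSTED_LDAP_CONF = """\
uri ldaps://srv-ds-38.meyclub.net:636
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
pam_password crypt
"""
POSTED_OPENLDAP_CONF = """\
URI ldaps://srv-ds-38.meyclub.net:636
BASE dc=meyclub,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
"""
# Suggested replacements (assumptions, not from the thread): LDAPS on 636, with the server
# certificate verified against the CA directory instead of being accepted unconditionally.
HARDENED_LDAP_CONF = """\
uri ldaps://srv-ds-38.meyclub.net:636
ssl on
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
pam_password crypt
"""
HARDENED_OPENLDAP_CONF = """\
URI ldaps://srv-ds-38.meyclub.net:636
BASE dc=meyclub,dc=net
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT demand
"""


def parse_conf(text):
    """Parse 'KEY value' lines into {lower-cased key: [values]}; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def lint_ldap_conf(text):
    """Return a list of (code, message) findings; an empty list means nothing to report.
    The last occurrence of a key wins, as the libraries read these files top to bottom."""
    conf = parse_conf(text)
    findings = []
    uris = [u for v in conf.get("uri", []) for u in v.split()]   # 'uri a b' lists several servers
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()              # nss_ldap: off | on | start_tls

    if "ldaps" in schemes and ssl_mode == "start_tls":
        findings.append(("STARTTLS_ON_LDAPS",
                         "ssl start_tls with an ldaps:// URI: the socket is already TLS, so the server "
                         "refuses the StartTLS extended operation (the op=0 RESULT err=1 in the log)"))
    if "ldap" in schemes and ssl_mode == "on":
        findings.append(("SSL_ON_WITH_LDAP",
                         "ssl on with an ldap:// URI: 'ssl on' expects ldaps:// (normally port 636)"))
    if "ldap" in schemes and ssl_mode not in ("on", "start_tls"):
        findings.append(("CLEARTEXT_BIND",
                         "ldap:// URI without ssl start_tls: binds and passwords cross the wire in clear"))
    reqcert = conf.get("tls_reqcert", [])
    if reqcert and reqcert[-1].lower() in ("never", "allow"):
        findings.append(("NO_CERT_VERIFY",
                         f"TLS_REQCERT {reqcert[-1]}: a bad or missing server certificate is accepted, "
                         "so whoever answers on the port can collect the bind credentials"))
    checkpeer = conf.get("tls_checkpeer", [])
    if checkpeer and checkpeer[-1].lower() == "no":
        findings.append(("NO_CERT_VERIFY",
                         "tls_checkpeer no: nss_ldap/pam_ldap will not verify the server certificate"))
    return findings


def finding_codes(text):
    """Just the finding codes, handy for scripting and for tests."""
    return [code for code, _ in lint_ldap_conf(text)]


if __name__ == "__main__":
    targets = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {
        "posted /etc/ldap.conf": POSTED_LDAP_CONF,
        "posted /etc/openldap/ldap.conf": POSTED_OPENLDAP_CONF,
    }
    for name, text in targets.items():
        for code, msg in lint_ldap_conf(text) or [("OK", "no findings")]:
            print(f"{name}: {code}: {msg}")
```

The working configuration the thread ended with, `uri ldap://srv-ds-38.meyclub.net` plus `ssl start_tls`, produces no findings: StartTLS on 389 and LDAPS on 636 both protect the bind, and which one you run is a matter of policy, not security. What does matter is that the certificate check stays on, because with `TLS_REQCERT allow` the encryption protects you against a passive listener but not against a host that impersonates the server.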
[389-users] MemberOf attribute
Hello, I would like to understand how I can synchronize the memberOf attribute from AD to DS, or whether there is another solution, by creating an attribute that can find each user's memberships. I've checked this, http://directory.fedoraproject.org/wiki/MemberOf_Multiple_Grouping_Enhancements, but all I understood is that it's very complicated for a beginner like me. So I would appreciate any help I can get on this matter.
Thanking you in advance.
-- Aziza Lichir
Re: [389-users] Fwd: X11 forwarding refused
Thanks for your answer. I actually succeeded with the synchronisation between AD and DS over a simple connection. Now my question is whether it's possible to integrate some kind of filter to choose the OUs that I want to synchronise or not. For example, I have one OU=computers in AD that I want neither to copy nor to synchronise to my 389 DS. Is there a simple way to do that?
Thanks again for your help.

2013/4/22 Grzegorz Dwornicki gd1...@gmail.com:
Yes, but it will not be as simple as one LDIF file import from AD. Here are the details: https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync.html

22 Apr 2013 11:04, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey, I did install DS on Linux; I just control it from Windows because it's easy to use the graphical interface, and since I just want to see how it works, I just want to do a first sync over a simple connection, no SSL/TLS for the moment. Is it possible to populate 389 DS with users from AD over a simple connection?
Thanks for your help
-- Aziza Lichir
Re: [389-users] X11 forwarding refused
Hey, I didn't explain exactly what I was doing. I actually have a Windows XP computer with one virtual machine running CentOS 6, which is the 389 server, and since I have no graphical interface on it, I was obliged to install it on Windows. On the other side of the network there is the AD that I want to replicate to my virtual machine. The problem I'm facing now is that when I created a sync agreement (one-way sync from Windows) it shows that everything is fine, but I don't have any replicated users: my base is still empty, I have no error, and I don't understand why. So I would really appreciate some help.
Thanks

2013/4/17 Grzegorz Dwornicki gd1...@gmail.com:
WinSync requires LDAPS for password sync. This domain user needs some privileges in AD: modify, read and write on the synced subtree. From the DS point of view you configure a normal user account for the needs of the sync with AD. This user doesn't need to be in your organization tree; you can place him in cn=config. I usually create an account like cn=adsyncuser,cn=config without objectclasses providing normal system account attributes. Hope this helps you.

17 Apr 2013 16:40, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey, thanks for your quick answer. For the moment I have installed the 389 console on a Windows XP machine, and I want to know if I can replicate users from AD, knowing that I only use a normal user account and without activating LDAPS?
Thanks for your help
-- Aziza Lichir
Re: [389-users] X11 forwarding refused
OK, maybe I didn't quite understand your question, and I think I don't get at all how this works, because I only have one simple user account in AD with the right to replicate, and I have never made any changes on the AD side. Could this be the reason why nothing works?

2013/4/19 Aziza Lichir aziza.lic...@gmail.com:
I did install DS on Linux; I just control it from Windows because it's easy to use the graphical interface, and since I just want to see how it works, I just want to do a first sync over a simple connection, no SSL/TLS for the moment.

2013/4/19 Grzegorz Dwornicki gd1...@gmail.com:
Let me get this right. You have configured the sync service on Windows? What about the configuration on the DS part? Did you install certificates? What instructions did you follow?

19 Apr 2013 14:09, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey, I didn't explain exactly what I was doing. I actually have a Windows XP computer with one virtual machine running CentOS 6, which is the 389 server, and since I have no graphical interface on it, I was obliged to install it on Windows. On the other side of the network there is the AD that I want to replicate to my virtual machine. The problem I'm facing now is that when I created a sync agreement (one-way sync from Windows) it shows that everything is fine, but I don't have any replicated users: my base is still empty, I have no error, and I don't understand why. So I would really appreciate some help.
Thanks
-- Aziza Lichir
[389-users] X11 forwarding refused
Hello, I'm new to this project and I would like to know how to use 389 DS without the graphical interface on CentOS 6.
Thank you
-- Aziza Lichir
Re: [389-users] X11 forwarding refused
Hey, thanks for your quick answer. For the moment I have installed the 389 console on a Windows XP machine, and I want to know if I can replicate users from AD, knowing that I only use a normal user account and without activating LDAPS?
Thanks for your help
-- Aziza