Currently, OpenLDAP and 389 have totally different replication
mechanisms, so you can't really replicate between the two.
You can of course export / import filtered LDIF in either direction,
which, depending on the need, is occasionally good enough.
Anne Cross wrote:
I've been through the
John A. Sullivan III wrote:
Hello, all. I'm seeing a strange problem in our set up to synchronize
passwords between Directory Server 8.0 and Active Directory. If I
change a user's password from idm-console, the password synchronizes.
If I change it from Active Directory, the password
John A. Sullivan III wrote:
On Mon, 2009-04-27 at 14:15 -0700, George Holbert wrote:
John A. Sullivan III wrote:
Hello, all. I'm seeing a strange problem in our set up to synchronize
passwords between Directory Server 8.0 and Active Directory. If I
change a user's password from idm
Tim Hartmann wrote:
Hi!
So I ran into yet another pot-hole on the road to LDAP bliss...
We have a root suffix in our directory that stores the basic Posix
attributes including password, I've been able to configure my client to
use ldap for directory services, and authenticate against my
Every time I try to change the port on the second server to 389 it
will not start stating that the port is already in use?
Do you mean you're trying to set the secure (LDAPS) port to 389?
That won't work unless you first set your standard LDAP port to
something other than 389, and restart
x509 -noout -hash -in
/path/to/cacert.asc`.0
Many Thanks
James
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of George
Holbert
Sent: Friday, December 05, 2008 12:03 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora
But what about creating a client certificate for each of my
Linux and Solaris clients?
If all you want is TLS with simple auth, you don't need these.
Each client just needs to trust the CA which signed your directory
server's certificate; sounds like you're already on top of this part.
the cacert.asc, is that accurate?
Thank you
James
On Thu, 2008-12-04 at 11:49 -0800, George Holbert wrote:
But what about creating a client certificate for each of my
Linux and Solaris clients?
If all you want is TLS with simple auth, you don't need these.
Each client just needs to trust the CA
the cacert.asc, is that accurate?
Thank you
James
On Thu, 2008-12-04 at 11:49 -0800, George Holbert wrote:
But what about creating a client certificate for each of my
Linux and Solaris clients?
If all you want is TLS with simple auth, you don't need these.
Each client just needs
Jonathan Barber wrote:
On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
John A. Sullivan III wrote:
John A. Sullivan III wrote:
[snip]
snip
Thanks for the very thoughtful answer
John A. Sullivan III wrote:
On Thu, 2008-11-20 at 09:01 -0800, George Holbert wrote:
Jonathan Barber wrote:
On Wed, Nov 19, 2008 at 03:32:28PM -0500, John A. Sullivan III wrote:
On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
John A. Sullivan III
-sh-3.2$ id -gn
id: cannot find name for group ID 2000
2000
...
Instead, we added posixgroup as an objectclass to the users. Is this a
reasonable way to go about this?
Not really...
id is asking your name service what is the group name for gid 2000.
You have no groups defined in your name
Brian
Smith.
Thus, we will need to make it a user creation procedure to override the
cn to be the same as the uid rather than FirstName LastName. Is this
the correct approach? Thanks - John
On Wed, 2008-11-19 at 11:17 -0800, George Holbert wrote:
-sh-3.2$ id -gn
id: cannot find name
John A. Sullivan III wrote:
On Wed, 2008-11-19 at 12:21 -0800, George Holbert wrote:
John A. Sullivan III wrote:
John A. Sullivan III wrote:
Hello, all. We're trying to move all our user access control to DS
including file system rights management and thus group
On Solaris at least, the getent command doesn't support netgroup.
According to the man page, it supports any of:
passwd, group, hosts, ipnodes, services, protocols, ethers, project,
networks, netmasks
Vipul Ramani wrote:
Hi all,
I am trying to configure FDS as directory server and clients
, you just can't ask the system about them with
getent.
Vipul Ramani wrote:
So,
Netgroup does not work in solaris 10 :(
I want to configured group based access for the servers.. so what
should i used ?
On Mon, May 12, 2008 at 2:49 PM, George Holbert [EMAIL PROTECTED]
mailto:[EMAIL
With a Fedora/Mozilla-based ldapsearch, you can get the DN of your
referral objects like:
ldapsearch -h host -M -R -b "ou=Unit 2,o=My Org" objectclass=referral
Once you have the DN of the referral, you can remove it just like you would any
other entry.
Example LDIF:
dn: ref RDN,ou=Unit 2,o=My
at 17:34 -0700, George Holbert wrote:
With a Fedora/Mozilla-based ldapsearch, you can get the DN of your
referral objects like:
ldapsearch -h host -M -R -b "ou=Unit 2,o=My Org" objectclass=referral
Once you have the DN of the referral, you can remove it just like you would any
other entry
Hi David,
You're correct that LDAPS is deprecated. I think most people would
encourage you to prefer StartTLS.
However, you may still want to use LDAPS in your environment depending
on what LDAP client applications your service will need to support.
Several LDAP client programs still only
Just curious if anyone knows:
Would there ever be a need to extend search resource limits for
cn=replication manager,cn=replication,cn=config ?
For example, set higher-than-default values for replication manager on
any of:
nsSizeLimit
nsLookThroughLimit
nsTimeLimit
nsIdleTimeout
Or is the
These should already be in your .../config/schema/99user.ldif file.
Jared B. Griffith wrote:
Is there a way to export the custom attributes and object classes I
have created into an ldif file of some sort?
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
distinguish them from other entries in that file.
Jared B. Griffith wrote:
There appears to be a lot of extra stuff in there that I really don't
need, I just want the specific ones that I have added.
- Original Message -
From: George Holbert gholbert broadcom.com
To: Jared B. Griffith
Most likely, you've created a traditional LDAP static group
(groupOfNames or groupOfUniqueNames) without the posixGroup objectClass.
Creating a group in the FDS console creates a groupOfUniqueNames object.
Do your group objects have objectClass: posixGroup and a gidNumber?
Jared B. Griffith
Backup/Restore: Creates / restores from a copy of the server's binary
database files.
Export/Import: Creates / imports from ASCII text LDIF files
representing the data in the directory server.
It's actually a good idea to do both (if possible), as this will give
you the most flexibility
trying to
restore to new box and the same restore command fails
On 10/24/07, *Linux Admin* [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] wrote:
Using the reference from the Red Hat site, even the command line does work
error 43: Failed to read backup file set
On 10/24/07, * George Holbert* [EMAIL
The RedHat documentation covers pretty much everything you've asked:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html
Be prepared for some trial and error to get your ACIs working as you'd like.
Di Giambelardini Gabriele wrote:
HI to all, I have a problem with some acls needed
eastldap0
- eastldap0.test.com cert
- eastldap.test.com cert
...
Each running FDS server instance will have just one SSL certificate.
If you want your server to identify with multiple names, you can either:
- Do a cert with subjectAltName extensions.
- Do a cert with a wildcard in the
I just want to add that our SUSE 10 clients do not have this problem at all.
Interesting!
Do you know what versions of pam_ldap and nss_ldap are used on those
clients?
Hai Wu wrote:
I just want to add that our SUSE 10 clients do not have this problem at all.
On 9/11/07, George Holbert
This is just the way it is with pam/nss_ldap as bundled in RHEL3 and
RHEL4. There is no easy fix.
If you like, you can reduce bind_timelimit to something very small. But
this still isn't much of a solution, since clients will definitely
notice when the primary is down.
It's possible that
to an acceptable(but still noticeable) level, I think we will
do this if there is no side effect to have such a small
bind_timelimit. In the meantime, I will stick to my
taking-primary-IP workaround which reduces the delay to zero.
On 9/11/07, George Holbert [EMAIL PROTECTED] wrote
Some ldapsearch binaries base64-encode password strings in their output.
Not sure if this is what's happening for you, or if you actually have
the password string stored as a base64 string in your directory database.
If you want to decode the base64 strings, this link might be useful for you:
Have you tried db2ldif ? It is included with FDS.
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/dbmanage.html#1011783
Jonathan Mills wrote:
Just thought I'd ask first, rather than go reinventing the
wheel, but does anyone have a cute little script to backup the whole
directory to a
Running this script will generate "can't contact the LDAP server" errors.
Does this happen immediately, or does the script run for a while first?
When you start seeing this message, what shows up in the server's access
and error logs?
Max file descriptors: 4096
If you're running on machines
One thought:
The subscriberID value on your test object is larger than the maximum
value for a 32-bit unsigned integer (4294967296), and subscriberID has
integerMatch EQUALITY.
It would be interesting to try with a small subscriberID (like '10'),
and see if it works as you expect.
Balaji
You will want to set up ACIs to allow the minimum necessary access.
See:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html
Be prepared for some trial-and-error experimentation to learn how to
implement your intended access policy.
Good luck!
-- George
Tony wrote:
Hi,
I'm very
Try:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/scmacfg.html
Patricio A. Bruna wrote:
Hi,
Does anyone know where I can read about building my own schema?
Thanks.
Hi Patricio,
Sorry, I should have posted this:
http://www.redhat.com/archives/fedora-directory-users/2006-December/msg00090.html
Patricio A. Bruna wrote:
Thanks George,
But I need something a bit more low level, like how the schema works, and how to make a
schema with vi :)
- George Holbert
objectclass is indexed by default, so you shouldn't have to add it.
Maybe your searches are exceeding the All IDs threshold.
Take a look at:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/index1.html#1110655
Philip Kime wrote:
When I look at the logconv output for some of my FDS servers,
I've noticed that the 'ip' keyword in ACI bind rules seems to have no
effect on its own. For example,
This does not deny access to IP 1.2.3.4:
aci: (version 3.0; acl Deny 1.2.3.4; deny(all) (ip = 1.2.3.4);)
But when combined with a userdn clause like this, it works:
aci: (version 3.0; acl
Under recent versions of FDS, is it OK to use virtual attributes (i.e.,
nsRole or CoS-generated) in ACI targetfilters?
In earlier versions of Netscape DS, this was not recommended, and this
is still mentioned in the RHDS 7.1 docs:
However - it has not solved this problem. The password is still being
sent in the clear. I have /etc/ldap.conf including the line:
pam_password md5
pam_password controls how new passwords are hashed locally before
updating an account's password attribute, i.e. when someone changes
their
What we're finding is if ldap1 dies for some reason, the clients don't
failover to ldap2.
We don't know if the problem is client side or server side.
When ldap1 dies, do you see any activity in ldap2's access log? If not,
you know the clients aren't making the switch to ldap2.
On one
Hi Andy,
Not to discourage you, but if you're going to switch from NIS to LDAP,
be prepared to spend a lot of time.
For a single site with 20 users, the simplicity of NIS might make it a
better choice, particularly since you and your co-workers are already
familiar with it.
(1) Is
http://www.redhat.com/docs/manuals/dir-server/schema/7.1/schemaTOC.html
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/schema.html
James S. White wrote:
How does one add custom attributes and objectclasses without using the
GUI in fedora-ds
, 2007 12:45:49 PM -0700 George Holbert
[EMAIL PROTECTED] wrote:
Something I've been wondering about:
It seems like nsslapd-lookthroughlimit and nsslapd-sizelimit
effectively
do the same thing, but just return a different error code.
If nsslapd-lookthroughlimit is lower, the error code is 11
why you'd choose one over the other to implement result
limits? Seems kind of like a door with two knobs. Maybe there's some
specific cases where one is preferable.
Thanks again for the replies,
-- George
David Boreham wrote:
George Holbert wrote:
The notion behind lookthrough limit
That clarifies it perfectly.
Thanks for the example!
Richard Megginson wrote:
In general, lookthroughlimit is much stricter than sizelimit.
For example, let's say a user wants to do an unindexed search for
(description=*something*). Let's say that there are 5000 users and
1000 users who
Sun recently released a LDAP proxy server product which is advertised as
a solution to this kind of problem.
The idea is it acts as a frontend LDAP server to multiple types of
backend data sources.
Here's the man page to the commandline config program (dpconf), which
will give you an idea of
If a machine is disconnected from the network, a login attempt as
'root' user (with local passwd file entry and password) fails.
...
I think I need to configure something such that the nsswitch.conf
entry tells it to stop if it finds the 'files' entry and not proceed
to the 'ldap' entry. I
Message -
From: MJD Shop Account [EMAIL PROTECTED]
To: George Holbert [EMAIL PROTECTED]; General discussion list for
the Fedora Directory server project. fedora-directory-users@redhat.com
Sent: Wednesday, March 07, 2007 8:13 PM
Subject: Re: [Fedora-directory-users] ldap too many connections
What is the value of the nsslapd-maxdescriptors attribute on cn=config?
MJD Shop Account wrote:
I have a problem with running out of file descriptors. I get this repeating message
periodically in the /opt/fedora-ds/slapd-servername/logs/errors file:
[02/Mar/2007:13:25:45 -0500] - Not
This means the client can't find any group objects in your LDAP
directory that have gidNumber=1676.
Have you loaded your group data into the directory?
Try this on one of your LDAP clients:
# getent group 1676
Then, see what search this generates on the LDAP server by looking at
the access
Is it possible for DB corruption to be replicated?
In other words, if a master replica's DB goes corrupt, how likely is that to
corrupt the DB on the consumers (if at all)?
Thanks,
-- George
- Original Message -
From: David Boreham [EMAIL PROTECTED]
To: General discussion list for the
Hi Ankur,
Try these:
http://www.redhat.com/docs/manuals/dir-server/schema/7.1/schemaTOC.html
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/schema.html
All schema changes you make through the console or via LDAP
modifications to cn=schema end up in
I've realised that the sync only takes the group and user objects from
the OU or CN being specified.
Hi Darren,
As you noticed, the PassSync service isn't really intended to sync
arbitrary data from AD to FDS.
Probably most people haven't yet tried to use it for this purpose, so no
one has a
Now, am I right in thinking that I can use clear as long as I'm using
SSL to the LDAP server?
Yes, sending un-hashed passwords over SSL is very safe.
What about setting local non-LDAP passwords with this set to clear
isn't that dangerous?
No worries about this, pam_ldap password settings
Title: Trouble getting windows to talk to fds
"-P" takes the part of the filename leading up to
"cert8.db" or "key3.db".
e.g.
Say you have:
slapd-example-cert8.db
slapd-example-key3.db
Then you would do this:
... -P slapd-example- ...
- Original Message -
From:
Bliss, Aaron
Are you prefixing the password with the hash you're using to encrypt the
password?
e.g.,
{crypt}
or
{ssha}
Jo De Troy wrote:
Hello,
I'm trying to modify the userPassword value from within a perl script
using Perl::LDAP.
I generate an encrypted pwd in perl and then write it to FedoraDS via
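To illustrate both points George makes in this thread and in the earlier one about ldapsearch output (some ldapsearch binaries print userPassword base64-encoded, and the stored value itself must carry a scheme prefix such as {SSHA}), here is an added example. It is not code from the list or from Fedora DS. It assumes the {SSHA} layout Fedora DS and OpenLDAP use, base64(SHA-1(password + salt) + salt) with an 8-byte salt, and works on a constructed ldapsearch output sample; the DN, the name "John Doe", the fixed salt and the password "s3cret" are made up for the demonstration.

```python
"""Decode base64 ("::") values from ldapsearch LDIF output and make/verify
Fedora DS-style {SSHA} userPassword values.  Added example; standard library only."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Return a {SSHA} userPassword value: base64(SHA-1(password + salt) + salt).

    Fedora DS uses an 8-byte random salt; pass an explicit salt only for tests.
    """
    if not salt:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value (any salt length)."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry as printed by ldapsearch into {attr: [values]}.

    Handles 'attr: value', 'attr:: base64' and RFC 2849 line folding (a
    continuation line starts with one space).  'attr:< url' is not handled.
    """
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif line and not line.startswith("#"):
            unfolded.append(line)
    entry: dict[str, list[str]] = {}
    for line in unfolded:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def sample_ldif(password: str = "s3cret") -> str:
    """Constructed sample of what a Mozilla-based ldapsearch prints: userPassword
    (and here cn) come out base64-encoded even though the stored strings are ASCII."""
    stored = make_ssha(password, b"saltsalt")     # fixed salt so the sample is stable
    pw_b64 = base64.b64encode(stored.encode("ascii")).decode("ascii")
    return "\n".join([
        "dn: uid=jdoe,ou=People,dc=example,dc=com",
        "objectClass: posixAccount",
        "cn:: Sm9obiBEb2U=",                       # base64 of "John Doe"
        "userPassword:: " + pw_b64,
        "",
    ])


if __name__ == "__main__":
    entry = parse_ldif_entry(sample_ldif())
    stored = entry["userPassword"][0]
    print("cn            :", entry["cn"][0])
    print("userPassword  :", stored)              # now readable: {SSHA}...
    print("'s3cret' ok   :", check_ssha("s3cret", stored))
    print("'wrong' ok    :", check_ssha("wrong", stored))
```

Running the script decodes the "::" lines so the {SSHA} prefix George asks about becomes visible, and shows that a value produced by make_ssha verifies with the right password and fails with a wrong one. If a script writes userPassword without such a prefix, the server stores the literal string and binds with the intended password fail.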
Last time I looked at this, I vaguely recall finding that pam_ldap
doesn't pay too much attention to FDS password metadata for expiration
warnings or strength restrictions. So what you're seeing may be the norm.
Hopefully someone else out there will have better news for you on this.
Ian
Sergey,
Do you want to have both interfaces talk to the same LDAP directory?
Or do you want an entirely separate LDAP directory for each?
-- George
Sergey Ivanov wrote:
Hi,
I have installed Fedora Directory Server on a machine, which belongs to
2 different networks. One is local network with
Sergey,
Mike's recipe would do the trick. If you try that, also look into the
nsslapd-listenhost and nsslapd-securelistenhost config variables (in
directory server docs). These will allow you to arrange for each
directory server instance to only listen on a single interface. I
believe the
This is a shot in the dark,
but have you tried specifying:
pam_password exop
..in /etc/ldap.conf?
I suggest this because you mention ldappasswd seems to do the job, and
ldappasswd uses the password change extended operation to do its work.
Philip Kime wrote:
Any pointers welcome. This is on
However, it will
only use the userPassword attribute, not the Password attribute.
You're in luck: userPassword already is the standard password attribute
in FDS.
Dave Augustus wrote:
I have an external applet that authenticates via LDAP. However, it will
only use the userPassword
I guess my question is can I use Sun directory server on
one box as master, then another box (doing the multi-master replication)
running fedora directory?
My understanding is that would not work. You would want all servers
running either SunDS or FDS.
James Greene wrote:
I can do that,
Vadim,
This is a pretty big topic.
Gary Tay has put together some docs that are a great starting point:
http://web.singnet.com.sg/~garyttt/
Sun's docs regarding Solaris clients will also be useful for you:
http://docs.sun.com/app/docs/doc/816-4556
One other thing:
My goal is to migrate my
If your client is RHEL4 or newer,
try adding this line to /etc/ldap.conf:
debug 1
This will spit a lot of debugging output to your console whenever you do any
lookup through nss_ldap. Maybe it will shed some light.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Two things to check:
1. Make sure nss_ldap is configured to follow referrals. Not sure if
you're using Sun's or PADL's (Linux) nss_ldap, but each have an option
for this.
Sun (in /var/ldap/ldap_client_file):
NS_LDAP_SEARCH_REF= TRUE
PADL (usually in /etc/ldap.conf):
referrals yes
2.
I'd like to set up a read-only consumer that never returns referrals to
a writable master server. Basically, any write requests that aren't
replication updates would just be dropped.
It doesn't look like there is an analogous setting for this in the
suffix-level nsslapd-state variable. The
For directory manager:
# ldapmodify -h <DS hostname> -D "cn=Directory Manager" -w <password>
dn: cn=config
changetype: modify
replace: nsslapd-rootpw
nsslapd-rootpw: newpassword
For console admin:
# ldapmodify -h <DS hostname> -D "cn=Directory Manager" -w <password>
dn:
PAM should honor the Fedora DS password policy, so I don't think you
need the shadow stuff anymore.
I agree with Rich.
Also, in my testing I found that Solaris 8 native LDAP clients ignore
the shadow attributes, which meant the shadow method is useless for my
particular situation.
is there some way to create an ldif file programatically and then use
ldapadd?
Absolutely. The simplest case might be just a shell script that prompts
for each value that constitutes a new user, then prints that to stdout
in LDIF format, which could be piped to ldapmodify.
Steve Strong
Elias,
I agree with you that AD is wrong on this.
I believe that CN is a multivalued attribute (at least in FDS). So, if
it's any help, you could have unique CNs that are used in the entries'
DNs, and optionally have additional CNs that may not be unique.
e.g.,
dn: cn=Kristín
http://kbase.redhat.com/faq/FAQ_80_6231.shtm
I think Solaris also supports 32-bit uids, not sure about other OSes.
[EMAIL PROTECTED] wrote:
I was wondering if there is an upper limit on the uid or the
gidNumber in
fds.
Or is there a limit on OS level? Does anyone know what it is? Is this
For some reason, I just assumed that they would be unsigned integers.
That would make more sense to me too... since uid numbers can't be
negative (as far as I know)?
oh well :)
[EMAIL PROTECTED] wrote:
http://kbase.redhat.com/faq/FAQ_80_6231.shtm
Aha, they are stored as signed integers,
I doubt you'll need much custom code for the basics.
But you'll need to be aware of vendor-specific features and schema, and
not rely on those in your app, if you want it to work the same on any
server.
Mont Rothstein wrote:
We have a windows app that uses an LDAP server for authentication.
schema?
Vince
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of George Holbert
Sent: Friday, April 07, 2006 3:22 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Existing User Accounts
[EMAIL PROTECTED] ldapsearch -x -ZZ '(uid=testuser)'
ldap_start_tls: Connect error (-11)
additional info: TLS:hostname does not match CN in peer
certificate
How can I solve ?
The server hostname you pass to ldapsearch must exactly match the CN in
the certificate you signed for the
with a CN of 'ldap.domain.example.com'.
This will make it possible for your server cert CNs and hostnames to
match consistently, regardless of which machine (nodo1 or nodo2) the
clients end up talking to.
Alessandro Binarelli wrote:
2006/4/3, George Holbert [EMAIL PROTECTED]
mailto:[EMAIL
If you create your certs with FQDNs, doesn't that mean that all clients
must refer to ldap server by FQDN?
In general, the answer is yes. For example, Solaris' LDAP name
service will not work unless the server name in the Solaris client
config exactly matches the CN on the LDAP server
...the management is a little concerned about MITM attacks against the FDS, so
we need a way to
verify that the server saying that it's our FDS really is the FDS. Right now
no certs are
deployed on the clients, we're using them only for SSL traffic encryption.
If I'm interpreting your
...to automatically hand out CA certs to ldap clients upon request?
There is no standard mechanism for this. You have to manually copy CA
certs to the location and in the format that each of your secure LDAP
client apps expects.
Yeah, but what about ldap clients? AFAIK no ldap client
* mailRoutingAddress
* mailHost
* inetLocalMailRecipient
* kerberosSecurityObject
* krbName
Is not having these in my schema common/normal?
I'm sure there's plenty of directories out there that don't maintain
these attributes on account objects.
If all you want to do is
I don't think renaming o=NetscapeRoot is a good idea.
What is it you want to do?
If you just want to prevent people from browsing it, you're on the right
track with setting up some ACIs. If it can be browsed anonymously,
there's some ACI that's allowing this. Look for allow (anyone) ACIs
on
2) To make secure replication...I have to enable ssl on DS...in this
case...is still possible to query LDAP on port 389 ??
Absolutely, enabling SSL does not affect unencrypted connections on port
389.
Alex aka Magobin wrote:
On Thu, 2006-03-23 at 08:43 -0800, Susan wrote:
This is what
If you prefer, you can also get this directly from PADL:
http://www.padl.com/download/MigrationTools.tar.gz
Craig White wrote:
On Wed, 2006-03-15 at 14:57 -0800, Mont Rothstein wrote:
I am running RHEL ES4 and the FDS/Samba integration HowTo:
wondering if I can just include a copy with our instructions, or if we
will need to download the most recent every time.
Thanks,
-Mont
On 3/15/06, *George Holbert* [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] wrote:
If you prefer, you can also get this directly from PADL:
http
Ah yes,
Check permission on /var/ldap/cert7.db and /var/ldap/key3.db.
They should be mode 644.
Pete Rowley wrote:
Susan wrote:
Why would it fail to initialize TLS security? root works fine... Is
there an env var I'm
missing?
Permissions for local files? Try getting a TLS ldapsearch
The ldapsearch command doesn't look in /var/ldap for the cert db. It
uses the current directory as the default cert db path.
You can run ldapsearch from /var/ldap, or give it a -P /var/ldap
argument to use the cert db in /var/ldap.
Also, the -v arg might help you narrow down what's happening.
for the Solaris 8 and 9 ldap name service client:
http://www.mozilla.org/projects/security/pki/nss/release_notes_332.html
Again, I'm not sure if the cert7/8 version problem is even an issue in
Solaris 10, but it certainly is with 8 and 9.
-- George
Susan wrote:
--- George Holbert [EMAIL PROTECTED] wrote
10
client? If nothing else, it might spew some error messages (in
/var/adm/messages) that give some new clues.
Susan wrote:
--- George Holbert [EMAIL PROTECTED] wrote:
# Add your ascii CA certificate to the cert DB.
certutil -A -n "Susan's CA" -t C,, -a -i ./susans-cacert.pem -d /var/ldap
Uhm.. What's a gal to do then???
AFAIK, there isn't yet a perfect answer, mostly because automount schema
is not standard yet (though rfc2307bis is/was a proposed standard).
If you are only supporting Linux clients, you probably don't need
additional autofs schema. Linux autofs (at least in
Hi Brian,
When running the console on Unix, these files are created under $HOME/.mcc.
ls -l ~/.mcc
total 178
-rw-r--r--   1 root     other        226 Jan 12 14:27 Console.4.0.Login.preferences
-rw-------   1 root     other      65536 Aug 16 18:32 cert8.db
-rw-------   1 root     other
Hi Gerald,
HP has a tuning guide for their bundled Netscape DS, which may be
somewhat useful to you for this:
http://docs.hp.com/en/7152/nds621_tuning_sizing_13.pdf
Of course, Fedora DS and HP's DS are not the same product, but they have
common heritage.
Excerpt:
The Netscape Directory
and tuning
suggestions are meant for DS running on HP-UX.
It does answer one of Gerald's questions: worker threads can be
reduced with nsslapd-threadnumber, the default is 30. I don't know
that this will save you significant memory on Linux.
Ulf
George Holbert wrote:
Hi Gerald,
HP has
Enrico,
ldapsearch on Linux (built with OpenLDAP libs) defaults to SASL
authentication.
Add the -x switch to use simple authentication:
ldapsearch -x -L -b dc=chiccomara,dc=org -W '(objectclass=*)'
Enrico Valsecchi wrote:
Dear All,
I installed my fedora-ds with your help.
Many thanks!
If each directory server in an environment will be acting as its own
configuration directory (i.e., for o=NetscapeRoot stuff), is it ok to
just use 'localhost' as the value for the configuration directory
server? Or, is it better/required to use the FQDN of the public network
interface (e.g.,
Unfortunately, the Microsoft AD password hash isn't a supported password
hash in FDS (or any other directory server, except AD of course). I
think this is because Microsoft's hash is proprietary. This means
neither SSHA or crypt can directly be synced with AD.
To sync passwords, you have to
Hi Basile,
I can have exactly 726 members in my group (5232 login characters, 5958
with end lines)
So it doesn't break at exactly 4096, as I suggested earlier. Hmm...
perhaps the limit is larger than I thought?
I still would guess the problem is in the client OS rather than the
directory
When tuning FDS on a Solaris machine, I've heard two different
suggestions about nsslapd-dbcachesize:
1. Decrease nsslapd-dbcachesize, and instead rely on Solaris' built-in
filesystem cache which performs better.
2. Tune nsslapd-dbcachesize up to a value that is at least as large as
the size of
I've copied some custom schema files to the config/schema directory. In
the Java console, some of the attributes and objectclasses defined in
the custom schema files show up under Standard, while others show up
in User Defined.
Does anyone know how FDS determines that an attribute or