Am I getting this correct?
Thanks,
Daniel
From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Grzegorz Dwornicki
Sent: Wednesday, September 18, 2013 11:09 AM
To: General discussion list for the 389
Has a new option for the console Windows Sync Agreement. I configured it and
managed to replicate my LDAP to AD. What I am having trouble with is
reprocessing the changelog information. Is this possible?
Denise
--
From: Grzegorz Dwornicki gd1...@gmail.com
To
SELinux is about type labeling when the location changes. Make sure that
the security context changes as well.
G.
17 Sep 2013 13:28, Parasit Hendersson para...@go2.pl wrote:
On 2013-09-16 17:00, Gordon Messmer wrote:
On 09/16/2013 07:49 AM, Parasit Hendersson wrote:
WARNING---no write
Are you doing this on the load balancer? You can use iptables with the LOG
target, but if this is not sufficient, then some kind of sniffer like
tcpdump might be helpful.
12 Jul 2013 23:27, Rich Megginson rmegg...@redhat.com wrote:
On 07/12/2013 03:25 PM, Justin Kinney wrote:
Hello,
I'm
OK, thanks for the clarification. I thought you might do this in a simpler way.
12 Jul 2013 23:57, Justin Kinney jakinne+389-us...@gmail.com wrote:
On Fri, Jul 12, 2013 at 2:50 PM, Grzegorz Dwornicki gd1...@gmail.com wrote:
That is true, but the load balancer's iptables sees the incoming requests
, Grzegorz Dwornicki gd1...@gmail.com wrote:
Are you doing this on the load balancer? You can use iptables with the LOG
target, but if this is not sufficient, then some kind of sniffer like
tcpdump might be helpful.
The load balancer will add the client IP address to the TCP options field
of the client request.
Please read this chapter of the admin guide:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Extending_the_Directory_Schema.html
This should have solution for your problem.
8 May 2013 20:53, Steve Ovens steve_ov...@linux.com wrote:
Hi,
Are you using an LDAPS URI with the -ZZ argument?
7 May 2013 10:18, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey,
I'm having problems with TLS/SSL on my client side. When I do ldapsearch
-ZZ it works just fine and says that SSL started, but when I try to
authenticate a user I keep getting this
=net
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
2013/5/7 Grzegorz Dwornicki gd1...@gmail.com
Are you using an LDAPS URI with the -ZZ argument?
7 May 2013 10:18, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey,
I'm having problems with TLS/SSL on my client side. When I do ldapsearch
Grzegorz Dwornicki gd1...@gmail.com
What was the old URI? Did you change the port as well?
The error looks like the result of trying to use StartTLS on an already
encrypted connection. StartTLS works on port 389. You need to leave ldap and
port 389 in the URL and then try to use StartTLS. This should work.
7 May 2013 10
Look closer: you have starttls in your config next to the ssl directive. This
tells the ldap commands to use StartTLS by default.
7 May 2013 11:29, Aziza Lichir aziza.lic...@gmail.com wrote:
Now I've changed the URI in both files, /etc/ldap.conf and
/etc/openldap/ldap.conf:
uri
The document I gave you a link to in the other thread was describing
negation in filters.
25 Apr 2013 11:08, Aziza Lichir aziza.lic...@gmail.com wrote:
Hello,
Is it possible to make a filter to synchronize specific values? For
example, I don't want to replicate/synchronize this value
Yes, but it will not be as simple as one LDIF file import from AD.
Here are the details:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync.html
22 Apr 2013 11:04, Aziza Lichir aziza.lic...@gmail.com wrote:
Hey
I did
I'm facing now is that when I created a sync agreement
(One-way sync from Windows) it shows that everything is fine, but I don't have
any replicated users, my base is still empty, I have no error and I don't
understand why.
So I really would appreciate some help.
Thanks
2013/4/17 Grzegorz
It will be painful, but you can use the ldap* commands and write all actions in
LDIF syntax. Look in the Directory Server admin guide for more detailed
information about objectclasses and attributes.
17 Apr 2013 11:24, Aziza Lichir aziza.lic...@gmail.com wrote:
hello,
I'm new to this project and i
WinSync requires LDAPS for password sync. This domain user needs some
privileges in AD: modify, read and write on the synced subtree.
From the DS point of view you configure a normal user account for the needs of
sync with AD. This user doesn't need to be in your organization tree. You can
place him in
I think inetOrgPerson has a field for email.
When you create entries you define objectclasses. You can always change
them later. If you use scripts, create a template with objectclasses.
Applications usually do so automatically.
12 Apr 2013 11:23, Vesa Alho lis...@alho.fi wrote:
Hi,
I have
You can use whatever objectclass you wish. But inetOrgPerson, in my opinion, is
the best to check first. A lot of applications use it out of the box. Good
examples would be mail clients. The downside is that they do not always use the
same fields. But still, it is easier.
12 Apr 2013 11:35, Vesa Alho lis...@alho.fi
Maybe they need reinitialization. This error suggests this. I don't know why
this is, but have you tried this?
10 Apr 2013 12:52, Vesa Alho lis...@alho.fi wrote:
Hi,
I'm having a problem with creating a sync agreement between two identical
389 DS installations (1.2.11.5). I'm a bit puzzled
Hello,
Thanks, Grzegorz Dwornicki.
I found the solution, but can someone explain to me why this option gave me
an error?
I unchecked the box "Check hostname against name certificate for outbound SSL
connections" in the Encryption tab (on both servers).
Just as an example, I have one server name
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Configuring_Logs.html
Please look in this doc and increase the log verbosity. This might help.
10 Apr 2013 13:15, alexandre axel0fe...@gmail.com wrote:
Hi,
I'm having problem with my
Are you using sssd or nslcd?
10 Apr 2013 19:51, harry.dev...@faa.gov wrote:
I am trying to implement a Forgot Password web page for our organization
and I am at the point where I want to update the user's account with the
temporary password. Since I don't want to have any issues on the
Again, in your case you need to export the CA cert from the Windows AD CA and
import it into DS.
Greg.
28 Mar 2013 11:05, alexandre axel0fe...@gmail.com wrote:
Hello,
I want to configure the Password Sync Service and run this command (in
/etc/dirsrv/slapd-instance):
certutil -d . -L -n CA
of this list !!!
Sorry, my understanding is not perfect because I'm French, so: I don't have
any CA in my DS, I have one CA (installed on my domain controller).
Do I need to install a CA in my DS? (When I write CA, for me it means a
Certificate Authority.)
Alex
2013/3/27 Grzegorz Dwornicki gd1...@gmail.com
Megginson: It's not the 389 DS server certificate, but the CA
certificate for the CA that issued the 389 DS server certificate, that you
need for PassSync.
@Grzegorz Dwornicki: But you must generate a cert for DS on the AD CA. Then
you need to import this cert with the AD CA cert on DS.
Sorry I don't
I am not sure, but in my opinion this applet reads only local files. You can
use other tools to modify LDAP users. Maybe if you tell us what
modifications you wish to do someone might help you :). I don't wish to
make you chase ghosts, so I am not giving any LDAP client name without
knowing what
I do not know what you mean by DIACAP... ACL, I assume that you mean local
permissions on the system: I used LDAP accounts with local permissions and I did
not experience any problems AFAICT.
Greg.
14 Jan 2013 16:48, Chaudhari, Rohit K. rohit.chaudh...@jhuapl.edu
wrote:
Is this something that
Isn't userPassword single-valued? If I understand correctly, you wish to add a
second userPassword attribute?
Greg.
14 Jan 2013 22:00, Picture Book pictureboo...@hotmail.com wrote:
Got the following error when trying to ADD a userPassword attribute to an
entry, but the same user has no problem
For the record, dirsrv creates a file in its directory with the last good
configuration. I believe it was called dse.ldif.startOK.
Greg.
11 Jan 2013 18:06, Chandan Kumar chandank.ku...@gmail.com wrote:
You may not need to re-install it. If you could just replace the file that
you changed, I
It appears that you need to reinitialize the consumers again. In your case,
three masters from the fourth. I think this can do some harm. Let's assume that
389 uses some version numbers to tell consumers when they need to replicate
data from the master server (this will be the changelog).
Now let's say that one
...@lists.fedoraproject.org] On Behalf Of Grzegorz Dwornicki
Sent: Friday, January 11, 2013 3:10 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] NSMMReplicationPlugin - replica_check_for_data_reload: Warning:
It appears that you need
way I can look in the changelog to see the maxcsn? All the consumers'
maxcsn must be there because replication is working.
From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Grzegorz Dwornicki
Sent: Friday
to see this reply, thanks so much. Unfortunately, I copied
that to the dse.ldif and the results are the same. It won't start, and with
the same error.
Sincerely,
Doug Tucker
On 01/11/2013 11:14 AM, Grzegorz Dwornicki wrote:
For the record, dirsrv creates a file in its directory with the last
What about the NSS configuration? Maybe there is configuration making SSL
mandatory?
Greg
13 Nov 2012 12:51, Ali Jawad ali.ja...@splendor.net wrote:
Hi All
I am trying to change the password using passwd, please see below:
[xyz@server ~]$ passwd
Changing password for user xyz.
Enter
Could you also provide us with the error logs from LDAP? Do this just after
passwd fails. This will tell us more about errors on the LDAP side (like
possible ACI problems).
The password hash algorithm for pam_ldap you can configure in /etc/nss_ldap.conf.
Search for 'password crypt' and uncomment it. You
I did not get your problem. Can you repeat your mail?
Greg.
1 Oct 2012 11:52, Bernd Sindlinger bernd.sindlin...@unibas.ch
wrote:
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
with the -ZZ options. So for some reason, it isn't liking my CA cert, and
I'm not sure why.
On Thu, Sep 27, 2012 at 9:46 PM, Grzegorz Dwornicki gd1...@gmail.com wrote:
Did you install the CA cert on the system and set up /etc/openldap/ldap.conf?
Greg.
28 Sep 2012 05:11, Kyle Flavin kyle.fla
, Sep 27, 2012 at 11:56 PM, Grzegorz Dwornicki gd1...@gmail.com wrote:
Maybe tls_reqcert never forces non-SSL, or it forces no SSL checks. As you
know, for example, the hostname must be present and a valid DNS domain in the CN
field of the certificate or the session will fail.
Have you tried using tls_cacert instead
, Sep 28, 2012 at 10:01 AM, Grzegorz Dwornicki gd1...@gmail.com wrote:
There is definitely something wrong with your CA. The error is fatal and named
unknown CA. I agree with you now: please try to put the FQDN in the CN field. This
still may not be the issue, but when you create the CA cert again then maybe the
error
: Connect error (-11)
additional info: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
On Fri, Sep 28, 2012 at 8:46 AM, Grzegorz Dwornicki gd1...@gmail.com wrote:
I was thinking about the server cert, but I usually put the FQDN in every
certificate I make.
wrote:
Maybe I am binding with the DN cn=directory manager and because of that it
doesn't know about the test or test4 user and because of that it ignores the ACL
On Tue, Sep 25, 2012 at 7:31 PM, Grzegorz Dwornicki gd1...@gmail.com wrote:
I have to admit I thought that the access log for the webapp would show
Did you install the CA cert on the system and set up /etc/openldap/ldap.conf?
Greg.
28 Sep 2012 05:11, Kyle Flavin kyle.fla...@gmail.com wrote:
Hi, I've been struggling to set up 389 Directory Server with StartTLS.
I have multi-master replication working with four servers. From an
external
Can you provide logs from FDS when you are trying to log in via the application?
Greg.
25 Sep 2012 19:27, Satish Patel satish@gmail.com wrote:
Hello ALL,
I have a web-based application and users authenticate to the web application using
Directory Service (FDS). I want to restrict some users to not
/2012:14:04:36 -0400] conn=498 op=1 UNBIND
On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki gd1...@gmail.com wrote:
Can you provide logs from FDS when you are trying to log in via the
application?
Greg.
25 Sep 2012 19:27, Satish Patel satish@gmail.com wrote:
Hello ALL,
I have
You can create an ACI on ou=Groups,dc=domain,dc=com. This ACI can deny search,
compare and read of ou=Sales. All LDAP clients included in the target of this ACI
will not see your Sales OU. This can be targeted at some users and at
anonymous binds. Please look in the Red Hat docs: Red Hat Directory Server admin
guide.
I guess you used the script on the Fedora site to create the certs? I am not sure about
the CA cert. This may require changing too, because it may have your old FQDN in the
CN field. Based on this, it seems that the easiest way may be using the script
again.
Greg.
18 Sep 2012 11:09, Ray r...@renegade.zapto.org wrote:
In the Red Hat docs you may find some scenarios.
Your approach seems OK. The only question, in my opinion, is how much
redundancy you need. Let's say that master1 fails. Is this situation
problematic for your datacenter? If yes, then you should consider adding
two more LDAP servers. They can act as
Let me get your idea right. You want to use a static and a dynamic group at the
same time as one group?
Greg.
17 Sep 2012 21:03, Nick Cappelletti n...@switchtower.com wrote:
Hello Everyone,
I've been banging my head against this one for a few hours and was hoping
for some input. I have a
As I recall from my days as a Samba admin, Samba had its own attributes and
you should use the smb* commands to set the expiration of the password.
Greg.
06-09-2012 17:26, David Hoskinson david.hoskin...@datatrak.net
wrote:
We have discovered that if a 389 ldap account expires due to age, that
the user
Look in the Red Hat docs. There you can find a lot of advice on schema
writing. But writing a schema is one thing and getting an app to use it is another
issue.
Greg.
Sent from HTC Desire Z
17-08-2012 08:27, Ray r...@renegade.zapto.org wrote:
On 16.08.2012 20:16, Stephen Ingram wrote:
On Thu, Aug
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Perl_Scripts.html#Perl_Scripts-db2bak.pl_Create_backup_of_database
This describes this script in human-readable format. The best source of DS
knowledge, in my opinion, is Red Hat
=backup_2012_8_3_10_48_13, cn=backup, cn=tasks,
cn=config
So if I go to /root/bac
there is not any file in there.
So where is the backup??
On Fri, Aug 17, 2012 at 11:49 AM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
https://access.redhat.com/knowledge/docs/en-US
It should look similar to this:
dn: uid=jsmith,ou=users,l=uk,dc=fosiul,dc=lan
changetype: modrdn
newrdn: uid=new_uid_value
deleteoldrdn: 1

dn: uid=new_uid_value,ou=users,l=uk,dc=fosiul,dc=lan
changetype: modify
replace: loginShell
loginShell: /bin/nologin
-
replace: userPassword
userPassword: asfasfasfasfasfasfasfdPQ=
If you see :: in
Hi
He meant the BASE directive in /etc/openldap/ldap.conf.
Greg.
Sent from HTC Desire Z
13-08-2012 12:52, Fosiul Alam fos...@gmail.com wrote:
Hi thanks
But
ldapsearch -xZZ -D "cn=Directory Manager" -w 'testtest' -b l=uk
uniqueMember=uid=falam,ou=users,l=uk,dc=fosiul,dc=lan
it does not
What configuration do you have?
Is this a replication schema? Or maybe a linked LDAP tree built from many
servers? This message looks to me like you are trying to modify a slave
replication server's LDAP tree. I can be wrong.
Greg.
Sent from HTC Desire Z
13-08-2012 16:29, Fosiul Alam fos...@gmail.com
Hi
I'm not sure about your second server, does it need to have the same base tree?
I think yes, it needs to. Because the admin console and the shell 389 backup tools make
a copy of the database files, not in LDIF format. If your second server has a
different tree you can use sed + ldapsearch to extract the data.
Consider
14:25, Fosiul Alam fos...@gmail.com wrote:
Hi
Is there any way to make an LDIF from the production server
and then run it on this test server??
Fosiul
On Wed, Aug 8, 2012 at 1:03 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
Hi
I'm not sure about your second server, does it need
to
do an export, which uses db2ldif under the covers. db2ldif has various
capabilities to include and exclude portions of the tree. ldif2db is to
import. Also well documented. I do this all the time. It's really
easy.
/mrg
On Aug 8, 2012, at 9:01, Grzegorz Dwornicki wrote
this user belongs to??
I will really appreciate your help.
Fosiul.
On Wed, Aug 8, 2012 at 2:36 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
ldapsearch -x '(memberUid=jsmith)'
This will not return the user's primary group.
Greg.
Sent from HTC Desire Z
08-08-2012 15:27, Fosiul Alam fos
Hi
I must say these LDAP replication connections look quite unusual. Can you
provide more information about:
- the type of replication servers? Some servers, I guess, are masters and some
are maybe slaves?
- Do the errors occur when you try to initiate replication manually?
Some errors suggest that
The best way, in my opinion, is to generate a template using the migration tools.
Then when you want to add a new user, use sed to modify it and pipe the result to
ldapmodify, or target it with the -a option in the ldapadd command. New passwords
you can generate using slappasswd or ldappasswd (after the user is added to
It looks like you are using the wrong Directory Manager DN. Maybe you have an
administrator named just cn=Directory Manager?
Greg.
Sent from HTC Desire Z
04-08-2012 15:52, Fosiul Alam fos...@gmail.com wrote:
Hi, for the below search I get this:
ldapsearch -xZZ -D cn=Directory Manager -w
. Which means the authentication is fine.
But I don't know how to create the LDIF file for that user.
Thanks
On Sat, Aug 4, 2012 at 5:00 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
It looks like you are using the wrong Directory Manager DN. Maybe you have an
administrator named just cn=Directory
I am still confused.
Thanks
On Sat, Aug 4, 2012 at 6:31 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
Sorry for empty message.
You are close. When you use cn=Directory Manager for ldapsearch, then you
use the same cn=Directory Manager as the -D parameter for ldapadd as well, not
cn
: No such object (32)
matched DN: l=uk,dc=fosiul,dc=lan
On Sat, Aug 4, 2012 at 7:05 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
Look at what account you typed in ldapsearch and ldapadd. Both should be
cn=Directory Manager. But in ldapadd you use another, perhaps non-existing,
account.
Greg
: posixgroup
uniqueMember: uid=falam,ou=users,l=UK,dc=fosiul,dc=lan
cn: ops-uk
So what would be the LDIF if I want to add user alam into this group?
Thanks for your great help.
On Sat, Aug 4, 2012 at 8:33 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
In LDIF format you must use
: yalam
So the current entry is
uniqueMember: uid=falam,ou=users,l=UK,dc=fosiul,dc=lan
but when I am adding it's adding as memberUid.
Can I not add as uniqueMember???
On Sat, Aug 4, 2012 at 8:53 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
It will look like this:
dn: cn=ops-uk
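Added example, not code from this thread or from the 389 DS project: a small Python LDIF emitter that ties together the advice scattered above, namely generating a user entry from a template with a pre-hashed userPassword (the slappasswd step, done in code), adding the member to a group with uniqueMember or memberUid depending on which attribute the group's objectClass defines, the "::" base64 form a value needs when it is not safe ASCII, and the ACI that hides one subtree such as ou=Sales under ou=Groups. The suffix dc=example,dc=com, the ou=users and ou=groups containers, the account and group names and the ACI name are all assumptions made for the example; the output is meant to be piped to ldapmodify (the add record via ldapmodify -a or ldapadd) bound as cn=Directory Manager.

```python
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"  # assumed suffix; ou=users / ou=groups below are assumed too


def needs_base64(value):
    """RFC 2849: a value must be written as 'attr:: <base64>' unless it is ASCII
    without NUL/CR/LF and does not start with ' ', ':' or '<'."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)


def fold(line, width=76):
    """Wrap long lines; an LDIF continuation line starts with one space."""
    out, rest = line[:width], line[width:]
    while rest:
        out += "\n " + rest[:width - 1]
        rest = rest[width - 1:]
    return out


def ldif_line(attr, value):
    """One attribute line, base64 (::) when the value is bytes or unsafe text."""
    if isinstance(value, str) and not needs_base64(value):
        return fold(attr + ": " + value)
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    return fold(attr + ":: " + base64.b64encode(raw).decode("ascii"))


def parse_ldif(text):
    """Inverse of the emitter: unfold, decode '::' values, return (attr, value)
    pairs in order with '-' separators and blank lines dropped."""
    pairs = []
    for line in text.replace("\n ", "").splitlines():
        if line and line != "-":
            attr, rest = line.split(":", 1)
            if rest.startswith(":"):
                pairs.append((attr, base64.b64decode(rest[1:].strip()).decode("utf-8")))
            else:
                pairs.append((attr, rest.lstrip(" ")))
    return pairs


def ssha(password, salt=None):
    """{SSHA} as 389 DS stores it: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute with the salt that follows the 20-byte digest; constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    calc = hashlib.sha1(password.encode("utf-8") + blob[20:]).digest()
    return hmac.compare_digest(calc, blob[:20])


USER_OBJECTCLASSES = ("top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount")


def user_add_ldif(uid, cn, sn, uid_number, gid_number, password, mail=None, salt=None):
    """'changetype: add' record: inetOrgPerson carries mail, posixAccount what
    nss_ldap/sssd need. The pre-hashed userPassword is accepted when the LDIF is
    applied as cn=Directory Manager."""
    attrs = [("dn", "uid=%s,ou=users,%s" % (uid, BASE_DN)), ("changetype", "add")]
    attrs += [("objectClass", oc) for oc in USER_OBJECTCLASSES]
    attrs += [("uid", uid), ("cn", cn), ("sn", sn),
              ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
              ("homeDirectory", "/home/" + uid), ("loginShell", "/bin/bash"),
              ("userPassword", ssha(password, salt))]
    if mail:
        attrs.append(("mail", mail))
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


def group_add_member_ldif(group_cn, uid, posix):
    """posixGroup names members by login in memberUid; groupOfUniqueNames by full
    DN in uniqueMember. Use the one the group's objectClass defines."""
    if posix:
        attr, value = "memberUid", uid
    else:
        attr, value = "uniqueMember", "uid=%s,ou=users,%s" % (uid, BASE_DN)
    lines = [ldif_line("dn", "cn=%s,ou=groups,%s" % (group_cn, BASE_DN)),
             "changetype: modify", "add: " + attr, ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


def hide_subtree_aci_ldif(container_rdn, hidden_rdn, name="hide subtree"):
    """ACI on the container denying read/search/compare on one child subtree to
    every bind, anonymous included; the long aci value exercises fold()."""
    container = container_rdn + "," + BASE_DN
    hidden = hidden_rdn + "," + container
    aci = ('(target="ldap:///%s")(targetattr="*")(version 3.0; acl "%s"; '
           'deny (read,search,compare) userdn="ldap:///anyone";)' % (hidden, name))
    lines = [ldif_line("dn", container), "changetype: modify", "add: aci",
             ldif_line("aci", aci), "-"]
    return "\n".join(lines) + "\n"
```

Three checks worth keeping in mind when using output like this: 389 DS takes a pre-hashed userPassword from cn=Directory Manager, while ordinary binds are refused unless the server is configured to allow hashed passwords, so either apply the add as Directory Manager or send the clear value and let passwordStorageScheme hash it; cn=Directory Manager is exempt from ACIs, so test the deny rule by binding as an ordinary user (the thread's "it ignores the ACL" symptom is exactly that); and a deny on read/search/compare only hides entries from searches, so a client that already knows a DN under the hidden subtree can still bind as it.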
Hi again
All the information you provided looks OK. At times like this, when the error was
hard to find, I looked in the /var/log/dirsrv/slapd-instance_name/access log for
debug info. Run tail -f on the access log and try to use the id command again. The
logs will provide some tracing info combined with the information you
I am not sure about case sensitivity in names, so just to be sure: your CA is
named "CA certificate" and you used the name "CA Certtificate"
28-07-2012 12:15, fosiul alam expertal...@gmail.com wrote:
Hi
Thanks for the reply.
But there is a problem..
Here is the example:
certutil -d . -L
To make the system aware of users in 389 you need to configure other files:
/etc/ldap.conf (el5 systems) or /etc/nss_ldap.conf (el6 systems) +
/etc/nsswitch.conf + PAM modules (/etc/pam.d/system-auth + install the pam_ldap
module). On RHEL/Fedora/CentOS/SL you can do this the easy way using
authconfig,
On Gmail I have a Reply option next to every email. If you are using an email
client, look in the docs for your client.
Your error means that the CN (common name) field of the certificate is wrong. It
should be the FQDN of the 389 server. You need to make a new server cert.
Good luck!
2012/7/28 fosiul alam expertal...@gmail.com
Does this user have uid=falam in its DN?
TLS works, if that is what you are asking.
28-07-2012 14:13, fosiul alam expertal...@gmail.com wrote:
Hi, thanks
No, I think it's fine..
I was trying with ldap-2 only
but when I use the FQDN it works
like below:
ldapsearch
In the other mail I've told you: use authconfig or authconfig-tui or
system-config-authentication to set up the system for LDAP authentication. For
example, authconfig-tui has a simple text-based interface, authconfig is CLI
based and requires arguments. Finally, system-config-authentication has a GUI.
28-07-2012
,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
uri ldap://ldap-2.fosiul.lan/
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ds-ca.crt
pam_password clear
On Sat, Jul 28, 2012 at 5:23 PM, Grzegorz Dwornicki gd1...@gmail.com
wrote:
I assume you are using TLS. You need
Well, back on CentOS/Red Hat/Fedora Directory Server this could be done like
this:
First you should check what certificate names you have in the certutil
database. In the slapd directory type:
certutil -d . -L
This should show you all certificates in the database (server certificates
as well). Usually the CA