[Fedora-directory-users] Settings remembered?
by Vsevolod (Simon) Ilyushchenko
Hi,
I've noticed that if you remove and reinstall FDS, the admin console
tries to connect by default to the port that the admin server was
running during the previous installation. So the settings are stored
somewhere, I guess.
I've run into a problem when I've moved a server behind a firewall. Even
though I've reinstalled the RPM, the LDAP server still tries to connect
to a replication slave which is no longer accessible, I suppose due to
some settings being stored somewhere. So the startup is hanging.
I've looked for hidden files in root's home dir, but there are none. I'm
removing the /opt/fedora-ds directory each time after removing the RPM,
so that's not it either. Where else could the settings be stored?
Thanks,
Simon
--
Simon (Vsevolod ILyushchenko) simonf(a)cshl.edu
http://www.simonf.com
Terrorism is a tactic and so to declare war on terrorism
is equivalent to Roosevelt's declaring war on blitzkrieg.
Zbigniew Brzezinski, U.S. national security advisor, 1977-81
18 years, 6 months
[Fedora-directory-users] Install FC4 in Fujitsu Siemens Amilo M1437G
by mario rossi
I have a notebook: Fujitsu Siemens Amilo M1437G. I'd like to install Fedora
Core 4, but I'm not sure it's possible.
Fedora DVD doesn't detect the Samsung 80GB SCSI hard disk and, I think, VIA
VT6421 RAID controller (name from Windows Control Panel). The installation
fails after the boot, where it checks the root partition. Are there any boot
parameters for this notebook?
Thank you, and excuse me for my English.
Mario Rossi
18 years, 6 months
[Fedora-directory-users] VLV search filter granularity
by George Holbert
If I set up a VLV index with a simple filter like this:
vlvFilter: (objectClass=posixAccount)
...then will the VLV mechanism benefit searches that use a superset of
this filter?
e.g., if a ldapsearch is run with a filter like:
(&(objectClass=posixAccount)(location=California))
...will the vlv index help, even though the search also has a location
specified in the filter?
OR, must I create separate vlv indexes with every possible search filter
combination?
Thanks,
-- George
18 years, 6 months
[Fedora-directory-users] windows sync problem
by Jón Björn Njálsson
Hi all.
I have managed to set up FDS with SSL and I am able to sync users from FDS
to windows 2003 AD, but I have a problem syncing groups. I have created a
group called staff but I am unable to sync that group. The error message I
get in the error log is :
NSMMReplicationPlugin - agmt="cn=Active dir" (badabing:636): windows_replay_update: failed to fetch local entry for add operation dn="cn=rhi_staff,dc=rhi,dc=hi,dc=is"
Can anyone tell me what this error means and how to fix it ?
regards
Jon
18 years, 6 months
[Fedora-directory-users] Consumer directory server crashes during configuring Single-Master replication in Console ("Unable to contact LDAP Server")
by JURGEN KOBIERCZYNSKI
Hi,
Are there issues known with configuring replication?
I try to configure the read-only replica for a Single-Master
replication. Therefore I've deleted the original root-suffix on the
consumer (because I will replicate this from the supplier), recreated a
new suffix, created a replication entry, and then enabled the replica
checkbox on the suffix' database in the replication folder under the
configuration tab. Then I check dedicated consumer, fill in the bind DN,
and the supplier url. When I try to save this configuration the
directory server console loses all connection to the ldap server
(message "can not connect to LDAP server"), and the ldap process
terminates.
I tried this in 2 configurations: a Single-Master replication between 2
servers, and a Single-Master replication between 2 directory instances
on the same server, and in both scenarios the ldap server terminates.
What did I do wrong? Should I leave the original root-suffix intact on the
consumer and do I need to define 2 different root-suffixes on the
servers? I've used the same root suffix on both servers.
Thanks in advance.
Jurgen Kobierczynski
Assistant Network & Security Engineer
Nationale Loterij
Departement Operations & ICT
Tel. : +32 (0)2 238.47.42
Fax : +32 (0)2 238.47.18
GSM : +32 (0) 477 43.68.31
E-mail : jurgen.kobierczynski(a)nationale-loterij.be
18 years, 6 months
[Fedora-directory-users] Winsync issues
by Jón Björn Njálsson
Hi all.
After setting up FDS and windows 2003 AD server, I have a problem with
winsync. I am trying to synchronize users from FDS to AD. Users are
replicated to the Domain Controller but all user accounts are disabled
and have the "User must change password on logon" set. Is there a
reason for this ?
regards
Jon Bjorn
18 years, 6 months
Re: [Fedora-directory-users] Issues with SSL/Admin console
by Brian Kosick
Thanks Everyone,
I got it working.
ldapmodify was the right one, along with making a few modifications to
the enable_ssl and addrsa files. For instance, the values for the cert
db's were already in there, as I had already had it enabled, and
getting the "Server-Cert" name right.
As for the windows issue, it was an issue with the jss3.jar/dll, I was
using jre 1.5.0_04. I followed the instructions in the Windows Console
HOWTO, including DL'ing the additional files required for SSL, and no
luck, it kept dying trying to make the SSL connection. Right now, I
don't have enough time to try setting up Admin Console on Windows again.
I'll get back with the list when I have time to try again.
Thanks,
Brian
On Thu, 2005-10-06 at 18:06 -0700, uffe(a)loop.to wrote:
> The instructions were probably tested with the tools that accompany FDS,
> can you try with ldapmodify instead of ldapadd?
> cd /opt/fedora/shared/bin
> ./ldapmodify -f /tmp/ssl_enable.ldif -v -D "cn=Directory Manager" -h
> qapxe.corp.mxlogic.com -w <snip>
>
> For the Windows Console SSL problem, do you recall what class the
> exception mentioned wasn't found? I'm guessing it was a jss class, the
> jar might have had the wrong filename, like jss33.jar instead of jss3.jar...
>
> Brian Kosick wrote:
>
> >Here it is.
> >
> >Thanks
> >Brian
> >
> >On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
> >
> >
> >>I'm not sure. Are you sure you have no extraneous or trailing white
> >>spaces anywhere? It might help if you could post the raw file.
> >>
> >>Brian Kosick wrote:
> >>
> >>
> >>
> >>>Hi All,
> >>>
> >>>I have a quick question. I had SSL all setup and running on both the
> >>>admin server, and the directory server. My manager wanted it setup on
> >>>his windows box, so I followed the WindowsConsole HOWTO, and kept
> >>>getting stuck in the Mozilla libs not being able to make the SSL socket
> >>>connection, returning with class not found. I disabled SSL on the
> >>>admin server and was able to connect to that, and then disabled SSL on
> >>>the directory server, but couldn't get it to work. Now on my linux
> >>>admin console, which worked beautifully before, It keeps trying to
> >>>connect to port 636, rather than 389.
> >>>
> >>>I have tried re-enabling SSL in the directory server by following the
> >>>SSL Howto, but I keep getting
> >>>
> >>>ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
> >>>qapxe.corp.mxlogic.com -w <snip>
> >>>ldap_initialize( ldap://qapxe.corp.mxlogic.com )
> >>>ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
> >>>
> >>>Based on a list thread that I found, I removed all the newlines in
> >>>cipher list and still have the same issue.
> >>>
> >>>Here's my enable_ssl.ldif
> >>>dn: cn=encryption,cn=config
> >>>changetype: modify
> >>>replace: nsSSL3
> >>>nsSSL3: on
> >>>-
> >>>replace: nsSSLClientAuth
> >>>nsSSLClientAuth: allowed
> >>>-
> >>>add: nsSSL3Ciphers
> >>>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
> >>>+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
> >>>+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
> >>>+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >>>-
> >>>add: nsKeyfile
> >>>nsKeyfile: alias/slapd-qapxe-key3.db
> >>>-
> >>>add: nsCertfile
> >>>nsCertfile: alias/slapd-qapxe-cert8.db
> >>>
> >>>dn: cn=config
> >>>changetype: modify
> >>>add: nsslapd-security
> >>>nsslapd-security: on
> >>>-
> >>>replace: nsslapd-ssl-check-hostname
> >>>nsslapd-ssl-check-hostname: off
> >>>
> >>>My question is how do I either get the admin console to try to connect
> >>>via 389, rather than 636, or get SSL re-enabled on the directory server.
> >>>
> >>>Thanks in advance
> >>>Brian
> >>>
> >>>
> >>>------------------------------------------------------------------------
> >>>
> >>>--
> >>>Fedora-directory-users mailing list
> >>>Fedora-directory-users(a)redhat.com
> >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>------------------------------------------------------------------------
> >>
> >>dn: cn=encryption,cn=config
> >>changetype: modify
> >>replace: nsSSL3
> >>nsSSL3: on
> >>-
> >>replace: nsSSLClientAuth
> >>nsSSLClientAuth: allowed
> >>-
> >>add: nsSSL3Ciphers
> >>nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >>-
> >>add: nsKeyfile
> >>nsKeyfile: alias/slapd-qapxe-key3.db
> >>-
> >>add: nsCertfile
> >>nsCertfile: alias/slapd-qapxe-cert8.db
> >>
> >>dn: cn=config
> >>changetype: modify
> >>add: nsslapd-security
> >>nsslapd-security: on
> >>-
> >>replace: nsslapd-ssl-check-hostname
> >>nsslapd-ssl-check-hostname: off
18 years, 6 months
Re: [Fedora-directory-users] Issues with SSL/Admin console
by Brian Kosick
Here it is.
Thanks
Brian
On Thu, 2005-10-06 at 13:22 -0600, Rich Megginson wrote:
> I'm not sure. Are you sure you have no extraneous or trailing white
> spaces anywhere? It might help if you could post the raw file.
>
> Brian Kosick wrote:
>
> >Hi All,
> >
> >I have a quick question. I had SSL all setup and running on both the
> >admin server, and the directory server. My manager wanted it setup on
> >his windows box, so I followed the WindowsConsole HOWTO, and kept
> >getting stuck in the Mozilla libs not being able to make the SSL socket
> >connection, returning with class not found. I disabled SSL on the
> >admin server and was able to connect to that, and then disabled SSL on
> >the directory server, but couldn't get it to work. Now on my linux
> >admin console, which worked beautifully before, It keeps trying to
> >connect to port 636, rather than 389.
> >
> >I have tried re-enabling SSL in the directory server by following the
> >SSL Howto, but I keep getting
> >
> >ldapadd -f /tmp/ssl_enable.ldif -xv -D "cn=Directory Manager" -h
> >qapxe.corp.mxlogic.com -w <snip>
> >ldap_initialize( ldap://qapxe.corp.mxlogic.com )
> >ldapadd: invalid format (line 8) entry: "cn=encryption,cn=config"
> >
> >Based on a list thread that I found, I removed all the newlines in
> >cipher list and still have the same issue.
> >
> >Here's my enable_ssl.ldif
> >dn: cn=encryption,cn=config
> >changetype: modify
> >replace: nsSSL3
> >nsSSL3: on
> >-
> >replace: nsSSLClientAuth
> >nsSSLClientAuth: allowed
> >-
> >add: nsSSL3Ciphers
> >nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,
> >+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
> >+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,
> >+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> >-
> >add: nsKeyfile
> >nsKeyfile: alias/slapd-qapxe-key3.db
> >-
> >add: nsCertfile
> >nsCertfile: alias/slapd-qapxe-cert8.db
> >
> >dn: cn=config
> >changetype: modify
> >add: nsslapd-security
> >nsslapd-security: on
> >-
> >replace: nsslapd-ssl-check-hostname
> >nsslapd-ssl-check-hostname: off
> >
> >My question is how do I either get the admin console to try to connect
> >via 389, rather than 636, or get SSL re-enabled on the directory server.
> >
> >Thanks in advance
> >Brian
18 years, 6 months
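Rich's question in this thread about extraneous or trailing white space can be checked mechanically before the file is handed to ldapadd or ldapmodify. The following is an added example, not code from the thread or from the FDS project: a small lint that reports trailing whitespace, whitespace-only lines, and wrapped values that lack the single leading space RFC 2849 requires on a continuation line. The sample LDIF is constructed for the example and is not the poster's file.

```python
import re

ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")   # "attr:", "attr::" or "attr:<"

def lint_ldif(text):
    """Return (line_number, message) findings for LDIF given as one string."""
    findings = []
    in_record = False                      # has the current record started?
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw == "":                      # a truly empty line ends the record
            in_record = False
            continue
        if raw.strip() == "":
            findings.append((no, "whitespace-only line is not a record separator"))
            continue
        if raw != raw.rstrip():
            findings.append((no, "trailing whitespace"))
        line = raw.rstrip()
        if line.startswith("#") or line == "-":
            continue                       # comment, or separator between mods
        if line.startswith(" "):           # RFC 2849 folded continuation
            if not in_record:
                findings.append((no, "continuation line with nothing to continue"))
            continue
        if ATTR.match(line):
            in_record = True
            continue
        findings.append((no, "not 'attr: value'; wrapped values need a leading space"))
    return findings

# Constructed sample, reusing attribute names that appear in the thread.
SAMPLE = (
    "dn: cn=encryption,cn=config\n"
    "changetype: modify\n"
    "replace: nsSSL3\n"
    "nsSSL3: on \n"                               # line 4: trailing space
    "-\n"
    "add: nsSSL3Ciphers\n"
    "nsSSL3Ciphers: -rsa_null_md5,+rsa_3des_sha,\n"
    "+rsa_fips_3des_sha\n"                        # line 8: wrapped, no leading space
    " \n"                                         # line 9: looks blank, is not
    "dn: cn=config\n"
    "changetype: modify\n"
    "replace: nsslapd-security\n"
    "nsslapd-security: on\n"
)

if __name__ == "__main__":
    for no, msg in lint_ldif(SAMPLE):
        print(f"line {no}: {msg}")
```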
[Fedora-directory-users] Password Sync Search Scope
by Brian Peters
Hi,
I have a user directory structure in AD that mimics a typical org chart
such that my ou=People directory contains additional ou's as subtrees
that represent different departments. I have a windows sync agreement
in FDS set up, and after manually adding the various ou's on the FDS
side, all the users sync over properly in all the subtrees.
My problem is with the password sync service for windows. Upon changing
a user's password that has already been replicated to FDS from AD, I see
in the access logs a search along these lines:
SRCH base="ou=People,dc=my,dc=domain" scope=1
filter="(ntUserDomainId=myUser)" attrs=ALL
with the result indicating no entries found:
RESULT err=0 tag=101 nentries=0 etime=0
The myUser account is at ou=MyDept,ou=People,dc=my,dc=domain, but the
password sync service issues a search request to only search the
ou=People directory non-recursively (i.e. scope=1). I don't see any
options in either the PassSync.msi setup or in the registry keys to
force the service to do a scope=2 recursive search. I tried to use the
syntax "ou=People,dc=my,dc=domain?sub", but it doesn't seem to recognize
that either. Is there any workaround for this besides synchronizing
all of my users to a single directory on FDS?
Thanks,
Brian
18 years, 6 months
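Why the search in this post returns `nentries=0` follows from LDAP scope semantics, shown here as an added example (not part of the original post and not PassSync or FDS code). It reads the base and scope from a SRCH access-log line and tests whether a given entry DN is reachable under that scope. The log line is joined from the excerpt in the post; the `uid=myUser` RDN is an assumption, since the post gives only the container of the account.

```python
import re

SRCH = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>[012])')

def split_dn(dn):
    """Split a DN into lower-cased RDNs (simplified: honours only '\\,' escapes)."""
    return [r.strip().lower() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def in_scope(entry_dn, base_dn, scope):
    """LDAP search scope: 0 = base object, 1 = one level, 2 = whole subtree."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    depth = len(entry) - len(base)          # RDNs between the entry and the base
    if depth < 0 or entry[depth:] != base:
        return False                        # entry is not under the base at all
    if scope == 0:
        return depth == 0
    if scope == 1:
        return depth == 1                   # immediate children only
    return True

def explain(log_line, entry_dn):
    """Report whether entry_dn is visible to the search recorded in log_line."""
    m = SRCH.search(log_line)
    if m is None:
        return None
    base, scope = m["base"], int(m["scope"])
    return {
        "base": base,
        "scope": scope,
        "reachable": in_scope(entry_dn, base, scope),
        "reachable_with_subtree": in_scope(entry_dn, base, 2),
    }

# Log line as quoted in the post; the user RDN below is assumed.
LOG_LINE = ('SRCH base="ou=People,dc=my,dc=domain" scope=1 '
            'filter="(ntUserDomainId=myUser)" attrs=ALL')
ENTRY_DN = "uid=myUser,ou=MyDept,ou=People,dc=my,dc=domain"

if __name__ == "__main__":
    print(explain(LOG_LINE, ENTRY_DN))
```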