[Fedora-directory-users] Re: TLS for dummies
by Howard Chu
fedora-directory-users-request(a)redhat.com wrote:
> Date: Fri, 09 Dec 2005 12:05:18 -0700
> From: Craig White <craigwhite(a)azapple.com>
>
> Just basic stuff...I promise I have been through the wiki and the
> Administrator's guide (managing SSL and SASL) several times.
>
> Using openssl generated CA certificate and used that to sign CSR's from
> console application and loaded them all into console application. Have
> restarted FDS and it seems to be happy - but just to confirm...
>
>
>
> MY PROBLEM
> # ldapsearch -ZZ '(uid=jim)'
> ldap_start_tls: Connect error (-11)
> additional info: Start TLS request accepted.Server willing to
> negotiate SSL.
>
> # tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
> [09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
> [09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
> 127.0.0.1 to 127.0.0.1
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
> oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
> nentries=0 etime=0
> [09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
> end of file.
>
> # tail -n 7 /etc/openldap/ldap.conf
> URI ldap://srv1.clsurvey.com
> HOST srv1.clsurvey.com
> BASE dc=clsurvey,dc=com
> TLS_CACERTDIR /etc/ssl
> TLS_CACERT server.crt
> pam_password md5
> TLS_REQCERT allow
>
> My thinking is that this somehow has something to do with the TLS_CACERT
> in /etc/openldap/ldap.conf (the certificate for the client).
>
Please re-read http://www.openldap.org/doc/admin23/tls.html; it's quite
clear about how to configure the CA cert.
Note that "pam_password" is not an OpenLDAP config keyword.
> Would this be the issue?
>
> Is there a better method for creating the client certificate from either
> the CA certificate (generated by openssl) or from the FDS Server
> Certificate (also generated by openssl)?
>
Only CA certs may be used to generate other certs. The server cert is
just that, nothing more.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
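The two configuration points Howard raises, checked mechanically: an added example, not code from the thread or from OpenLDAP, that parses the ldap.conf fragment Craig posted and flags a TLS_CACERT that is not an absolute path to a CA certificate file, a TLS_REQCERT level below demand, and keywords OpenLDAP does not know (pam_password belongs to pam_ldap's own configuration). The keyword list and the strength ordering follow ldap.conf(5).

```python
"""Lint an OpenLDAP ldap.conf fragment for the TLS problems raised in the thread."""

# Keywords accepted by OpenLDAP's ldap.conf(5); anything else is reported.
OPENLDAP_KEYWORDS = {
    "URI", "HOST", "PORT", "BASE", "BINDDN", "DEREF", "SIZELIMIT", "TIMELIMIT",
    "NETWORK_TIMEOUT", "REFERRALS", "SASL_MECH", "SASL_REALM", "SASL_AUTHCID",
    "SASL_AUTHZID", "SASL_SECPROPS", "TLS_CACERT", "TLS_CACERTDIR", "TLS_CERT",
    "TLS_KEY", "TLS_CIPHER_SUITE", "TLS_RANDFILE", "TLS_REQCERT", "TLS_CRLCHECK",
}
# TLS_REQCERT levels ordered from weakest to strongest server-certificate checking.
REQCERT_STRENGTH = ["never", "allow", "try", "demand", "hard"]


def parse_ldap_conf(text):
    """Return [(keyword, value)] in file order; keywords are case-insensitive."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_ldap_conf(text):
    """Return a list of human-readable findings for the fragment."""
    findings = []
    for key, value in parse_ldap_conf(text):
        if key not in OPENLDAP_KEYWORDS:
            findings.append(f"{key}: not an OpenLDAP ldap.conf keyword")
        elif key == "TLS_CACERT" and not value.startswith("/"):
            # OpenLDAP expects the path of the CA certificate file, not the server cert.
            findings.append(f"TLS_CACERT: '{value}' is not an absolute path to the CA certificate file")
        elif key == "TLS_REQCERT":
            level = value.lower()
            if level not in REQCERT_STRENGTH or REQCERT_STRENGTH.index(level) < REQCERT_STRENGTH.index("demand"):
                findings.append(f"TLS_REQCERT: '{value}' tolerates a missing or failed server certificate check; use demand")
    return findings


# Constructed copy of the fragment posted in the thread.
POSTED_CONF = """\
URI ldap://srv1.clsurvey.com
HOST srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
"""

if __name__ == "__main__":
    for finding in lint_ldap_conf(POSTED_CONF):
        print(finding)
```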
[Fedora-directory-users] TLS for dummies
by Craig White
Just basic stuff...I promise I have been through the wiki and the
Administrator's guide (managing SSL and SASL) several times.
Using openssl generated CA certificate and used that to sign CSR's from
console application and loaded them all into console application. Have
restarted FDS and it seems to be happy - but just to confirm...
lifted from /opt/fedora-ds/slapd-srv1/logs/errors
[09/Dec/2005:08:33:47 -0700] - Fedora-Directory/1.0.1 B2005.342.165
starting up
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher 3DES in
backend userRoot, attempting to create one...
[09/Dec/2005:08:33:47 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:47 -0700] - No symmetric key found for cipher AES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher AES successfully generated
and stored
[09/Dec/2005:08:33:48 -0700] - No symmetric key found for cipher 3DES in
backend NetscapeRoot, attempting to create one...
[09/Dec/2005:08:33:48 -0700] - Key for cipher 3DES successfully
generated and stored
[09/Dec/2005:08:33:48 -0700] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[09/Dec/2005:08:33:48 -0700] - Listening on All Interfaces port 636 for
LDAPS requests
MY PROBLEM
# ldapsearch -ZZ '(uid=jim)'
ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to
negotiate SSL.
# tail -n4 /opt/fedora-ds/slapd-srv1/logs/access
[09/Dec/2005:11:55:26 -0700] conn=83 op=5 fd=68 closed - U1
[09/Dec/2005:12:00:58 -0700] conn=84 fd=68 slot=68 connection from
127.0.0.1 to 127.0.0.1
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Dec/2005:12:00:58 -0700] conn=84 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/Dec/2005:12:00:58 -0700] conn=84 op=-1 fd=68 closed - Encountered
end of file.
# tail -n 7 /etc/openldap/ldap.conf
URI ldap://srv1.clsurvey.com
HOST srv1.clsurvey.com
BASE dc=clsurvey,dc=com
TLS_CACERTDIR /etc/ssl
TLS_CACERT server.crt
pam_password md5
TLS_REQCERT allow
My thinking is that this somehow has something to do with the TLS_CACERT
in /etc/openldap/ldap.conf (the certificate for the client).
Would this be the issue?
Is there a better method for creating the client certificate from either
the CA certificate (generated by openssl) or from the FDS Server
Certificate (also generated by openssl)?
Craig
[Fedora-directory-users] WinSync reports "Insufficient Access"
by Bryan Fransman
I'm seeking a little guidance in regard to the Windows Sync configuration. I
have the Windows Sync service speaking to the Fedora Directory Server (SSL
enabled), but passwords are not updated on the FDS side.
Environment is Windows 2000 server, Fedora Core 3 w/ FDS 1.0 w/ the latest
PassSync.msi
I have configured WinSync to use cn=replication manager,cn=config as the
bind user. This user exists in FDS.
I enabled logging for the password sync service, and found the following
entry in the passsync.log log:
12/09/05 11:17:06: Attempting to sync password for username
12/09/05 11:17:06: Searching for (ntuserdomainid=username)
12/09/05 11:17:06: Ldap error in ModifyPassword
50: Insufficient access
12/09/05 11:17:06: Modify password failed for remote entry:
uid=username,ou=People, dc=domain, dc=com
12/09/05 11:17:06: Deferring password change for username
12/09/05 11:17:06: Backing off for 32000ms
So, there it is... the third line of the log entry: "Insufficient access".
I assume that it's an ACI problem with the cn=replication manager,cn=config
user. I attempted to create an ACI to resolve the issue, but no luck.
(targetattr = "*") (target = "ldap:///uid=*,ou=People,dc=domain,dc=com")
(version 3.0;acl "WinSync";allow (all,proxy)(userdn = "ldap:///cn=replication manager,cn=config");)
Some help would be greatly appreciated.
Thanks,
Bryan
[Fedora-directory-users] syntax errors reported when using LdapImport with Fedora Directory
by Steve Strong
I'm having trouble importing the flat files on our server into ldap after
installing 1.0.1 of Fedora Directory. I downloaded and extracted LdapImport.
I also downloaded Delta.pm and placed it in the same directory as LdapImport.
Here is what I got back after I executed LdapImport (I've also included a copy
of the "offending lines" below the console output).
thanks for the help!
steve
sh LdapImport.pl
LdapImport.pl: line 32: use: command not found
LdapImport.pl: line 33: use: command not found
LdapImport.pl: line 34: use: command not found
LdapImport.pl: line 35: use: command not found
LdapImport.pl: line 36: use: command not found
LdapImport.pl: line 37: use: command not found
LdapImport.pl: line 38: use: command not found
LdapImport.pl: line 39: use: command not found
LdapImport.pl: line 40: use: command not found
LdapImport.pl: line 41: use: command not found
LdapImport.pl: line 42: use: command not found
LdapImport.pl: line 43: use: command not found
LdapImport.pl: line 45: syntax error near unexpected token `('
LdapImport.pl: line 45: `use vars qw($VERSION);'
lines 32 to 45 from LdapImport.pl:
use strict;
use warnings;
use LdapConnectionManager;
use LdapSchemaTools;
use LdapEntryTools;
use LdapMigration;
use Net::LDAP;
use Net::LDAP::LDIF;
use Net::LDAP::Search;
use Net::LDAP::Entry;
use Data::Dumper;
use debug;
use vars qw($VERSION);
$VERSION=sprintf("%d.%02d", q$Revision: 1.21 $ =~ /(\d+)\.(\d+)/);
RE: [Fedora-directory-users] Host Access Based on Group Membership
by Jason Hane
Thank you very much!! I briefly looked over the websites and it looks
like what I need. I knew there was a solution, but I didn't know what
it was called. I'll try it out and let you know how it goes.
________________________________
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Tay,
Gary
Sent: Thursday, December 08, 2005 5:37 AM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Host Access Based on Group
Membership
FDS is very similar to SUN ONE DS5.2. I think netgroup LDAP maps
(+@netgroupXXX in /etc/passwd and /etc/shadow and the "compat" keyword in
/etc/nsswitch.conf) could be set up to achieve what you want; it has been
used by many DS5.2 administrators.
See:
http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20OpenLDAP%20for%20RedHat%20Enterprise%20Linux3.htm
Step 5Y: Configure "netgroup" to work with RedHat or Solaris Native LDAP
Clients
(i.e. controlling user access to host using netgroup LDAP maps)
Also see:
http://swforum.sun.com/jive/thread.jspa?threadID=52764&messageID=223846#223846
Configuring LDAP netgroups
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Jason
Hane
Sent: Thursday, December 08, 2005 3:51 AM
To: fedora-directory-users(a)redhat.com
Subject: [Fedora-directory-users] Host Access Based on Group
Membership
I've been searching everywhere for the past week and haven't
found a solution. I would like to be able to assign access to servers
based upon membership to a group or role. For example, if I create a
group/role called "Web Servers", everyone in that group can access all
the web servers. Everyone in the group/role "Database Servers" would be
allowed to log into the database servers. Users can be part of multiple
groups.
There has to be a way to do this already. All the clients are
running OpenLDAP and can already authenticate to the Directory Server.
To implement this solution, would I have to change ldap.conf or
system-auth?
Thanks,
Jason
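A netgroup entry of the kind Gary describes, as an added example that is not from the thread or the linked pages; the suffix, the ou=Netgroup container, the group name and the user names are assumptions. It uses the nisNetgroup object class from the RFC 2307 schema that FDS ships, one netgroup per server class so that membership decides which hosts a user may log in to.

```ldif
# Constructed example: the "Web Servers" class from the question, expressed as
# a netgroup.  Triples are (host,user,domain); "-" leaves a field unrestricted.
# The compat NSS lookup on a host matches the user field, so per-host control
# comes from which netgroup each host references in /etc/passwd.
dn: cn=webservers,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: webservers
description: Users allowed to log in to the web servers
nisNetgroupTriple: (-,alice,-)
nisNetgroupTriple: (-,bob,-)

# A second class for the database hosts; a user may appear in both.
dn: cn=dbservers,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: dbservers
description: Users allowed to log in to the database servers
nisNetgroupTriple: (-,alice,-)
nisNetgroupTriple: (-,carol,-)
```

On each web server, `+@webservers::::::` in /etc/passwd (and `+@webservers::::::::` in /etc/shadow) together with `passwd: compat` and `passwd_compat: ldap` in /etc/nsswitch.conf admits only that netgroup's members; the database hosts reference `+@dbservers` instead.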
Re: [Fedora-directory-users] Sync not updating
by Dimitri Yioulos
On Thursday December 08 2005 2:12 pm, you wrote:
> Dean Jones wrote ..
>
> > Dimitri Yioulos wrote:
> > > On Thursday December 08 2005 11:26 am, David Boreham wrote:
> > >>>>>New AD users are added via full sync, but not via update.
> > >>>>>NSmmReplicationPlugin error continues to show in error log.
> > >>
> > >>Try a second full sync.
> > >
> > > No change - same message.
> >
> > I had this happen as well with FDS 1..
> >
> > had to erase the sync agreement and reset it up.
> > upon creation of the sync agreement, immediately do a Full sync.
> > when that finishes do another full sync.
> > restart the directory server (slapd) then do another full sync.
> >
> > it should stop complaining after this point.
> > you can do a 'Send and receive updates' to check for the error.
> >
> > --
Thank you for the suggestion, but that didn't work either. So, to recap, full
sync works fine, update doesn't. Arrrgh!
[Fedora-directory-users] Console - Administration Panel
by Craig White
OK - while mucking around with console and certificates, I manually
clipped out the stuff from admin-serv/config/adm.conf & console.conf and
local.conf and seem to have everything back in order.
I restart the admin-serv and the encryption stuff comes right back into
local.conf and I can't figure out where it is coming from.
So the console tells me that the Administration console is stopped when
it isn't stopped but it can't access it.
Any clues? (I am getting into a lot of trouble with the console
application) ;-)
thanks
Craig
[Fedora-directory-users] still working instructions through...
by Craig White
FDS is running as nobody UID - I checked off in console to run with SSL
enabled, ignored the warning that only root can run on ports < 1024, restarted the
server - you know what happened next ;-)
OK so I have it turned off and server back up and running.
1. Following instructions on wiki...
http://directory.fedora.redhat.com/wiki/Howto:SSL
# ./ldapsearch -b "dc=clsurvey,dc=com" -x -ZZ '(uid=jim)'
SSL initialization failed: error -8192 (An I/O error occurred
during security authorization.)
2. My guess is that is because SSL isn't on. How do I deal with running
as UID nobody and SSL?
Craig