[Fedora-directory-users] Schema Conversion
by D Canfield
I don't suppose anyone has found an easy way to convert OpenLDAP schema
into fedora-ds compatible ldif files? We've got about 100 attributes
defined, and I'm really not looking forward to entering them all by hand...
Thanks
DC
18 years, 1 month
[Fedora-directory-users] Wishlist
by Jeff Clowser
I was looking at the wishlist
(http://directory.fedora.redhat.com/wiki/Wishlist).
Some of these things can already be done, and should be just a matter of
configuration, based on its Netscape DS heritage. I wanted to give back
by suggesting some ideas on how to accomplish these wishes where no code
changes are needed.
Under Core Server Features:
1. Disable anonymous binds.
By default, the server creates an anonymous aci in the suffix entry (i.e. top of the tree). If you edit that entry and remove that aci, you remove anonymous access. Note that some services "require" anonymous access, so may break (some clients/apps may need to do anon access to look up a uid to get a dn to bind as for auth, etc, so it may either be necessary to change the config of these clients to bind as something that can still do these lookups, or you may have to just tweak anonymous access to limit what it can see, rather than removing it altogether).
2. Option to control resource limits specifically for anonymous.
Anonymous uses the default server settings for these resource limits. I believe Fedora-ds supports the following attributes on entries: nslookthroughlimit, nsizelimit, nstimelimit, and nsidletimeout (these are in the schema, and the Sun and Netscape servers fds is based on support them). If you put these attributes in an entry, when that entry binds to the server, these resource limits are used instead of the server defaults. So, a way to implement control of resource limits for anonymous is to set the server default settings to whatever you want anonymous to have, and then to set these attributes on all users that you want to be different (i.e. have more lenient limits) than anonymous. For things like mail servers, etc, I always create an entry for the mail/whatever server, and set these attributes to appropriate values.
FYI: setting any of these to -1 means unlimited.
Under Console Features:
2. Add host based access control to posixAccount/shadowAccount to determine who can log into what hosts.
While this is not specifically in Console, it's relatively straightforward to add this, if you're a little creative :) :
- First, create a new ldap attribute in the schema - let's call it something like "allowedHosts". Make sure it is multivalued.
- Second, you need to add it to an objectclass. You could add it to the PosixAccount objectclass (simpler, but not recommended because you are modifying a standard objectclass), or create a new objectclass (let's call it unixUser, make it derive from posixAccount, and add allowedHosts as a required attribute).
- When you create users, set their objectclass to posixAccount and unixUser (and shadowAccount). Add a list of hostnames you want the user to log into in the allowedHosts field.
- When you configure the Unix/Linux/etc box that the user will log into:
  . If you can define a filter for finding users, set it to "(&(objectclass=posixAccount)(allowedHosts=<hostname>))", replacing <hostname> with the hostname of the machine they are logging into.
  . If you cannot define a filter, you can set an IP based aci in the directory for each of these hosts that allows them to see only users that can log into "this" box. You may have to tweak other aci's, such as anonymous, so that they don't allow the box to see the users you don't want seen.
One note to make: purists would say DON'T create attributes and
objectclasses on the fly like this. Personally, I don't have a problem
creating attributes/objectclasses for my own internal use. But... if
someone wanted to formalize this with "real" registered oids for the
attributes and objectclasses, and/or defining and going through all the
paperwork/review process to do this or expand posixAccount officially, I
would have no objections :). NDS/FDS/SDS are nice in that they allow
you to create these local definitions without all the complexities of
registering those definitions to the rest of the world.
- Jeff
18 years, 3 months
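An added example for the allowedHosts scheme described above (my code, not Jeff's or Fedora DS's), in Python: it builds the per-host search filter from the post with RFC 4515 escaping so a hostname can never alter the filter's structure, emits the IP-scoped aci for the "no client-side filter" case, and audits an exported set of entries offline with the same rule. The aci syntax, the attribute names in the constructed entries and the 192.0.2.x address are assumptions; as the post says, the aci only limits what a host sees once the broader anonymous aci has been tightened.

```python
import ipaddress

def escape_filter_value(value):
    """RFC 4515 escaping, so a hostname taken from config or DNS can never
    add or close a filter component."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def host_login_filter(hostname):
    """The search filter from the post with <hostname> filled in."""
    return "(&(objectclass=posixAccount)(allowedHosts=%s))" % escape_filter_value(hostname)

def host_aci(hostname, ip):
    """Per-host aci for the 'no client-side filter' case: only a connection
    from the host's own IP may read accounts that list it in allowedHosts
    (assumed Fedora DS aci syntax)."""
    ipaddress.ip_address(ip)  # fail fast on a malformed address
    return ('aci: (targetattr="*")(targetfilter="%s")'
            '(version 3.0; acl "accounts for %s"; allow (read,search,compare) '
            '(userdn="ldap:///anyone") and (ip="%s");)'
            % (host_login_filter(hostname), hostname, ip))

def accounts_for_host(entries, hostname):
    """Offline audit of an export: apply the post's rule to entries given as
    dicts of lower-cased attribute name -> list of values. allowedHosts is
    matched case-insensitively, as caseIgnore matching on the server would."""
    wanted = hostname.lower()
    return sorted(
        e["uid"][0] for e in entries
        if "posixaccount" in [oc.lower() for oc in e.get("objectclass", [])]
        and wanted in [h.lower() for h in e.get("allowedhosts", [])])

# Constructed sample entries following the unixUser design in the post.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "objectclass": ["posixAccount", "unixUser", "shadowAccount"],
     "allowedhosts": ["mail.example.org", "shell.example.org"]},
    {"uid": ["bob"], "objectclass": ["posixAccount", "unixUser"],
     "allowedhosts": ["SHELL.example.org"]},
    {"uid": ["svc-mail"], "objectclass": ["account"],  # not a posixAccount
     "allowedhosts": ["mail.example.org"]},
]

if __name__ == "__main__":
    print(host_login_filter("shell.example.org"))
    print(host_aci("mail.example.org", "192.0.2.10"))
    print(accounts_for_host(SAMPLE_ENTRIES, "shell.example.org"))  # ['alice', 'bob']
```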
[Fedora-directory-users] schema extension via ldif at install time
by Brian K. Jones
Hi all,
I want to perform a custom installation of FDS, and when it asks for the ldif
file to be imported, I want to point it at a file that contains ldif to
extend the schema, and add the entries dumped from my old openldap directory.
Without extending the schema, the import will fail because every entry
violates the default schema. However, turning schema checking off leaves some
small chance that there is something in my directory that shouldn't be there
or isn't as it should be.
I have another installation of FDS on a test machine, and I used the GUI to
add my extra objects and attributes, and I tried copying the resulting ldif
to the server I'm now trying to install (minus operational stuff), but the
install ignored the cn=schema part of my LDIF file (the part holding the
schema extensions), and subsequently, all of the entries failed.
Has anyone done this? Any clues? Is there somewhere I can place a 99user.ldif
file *before* running setup that will cause the slapd instance to use it the
first time it starts up?
Thanks,
brian.
18 years, 4 months
[Fedora-directory-users] support for non-locally stored passwords?
by Aleksandar Milivojevic
Hi,
I don't have Fedora Directory Server installed (yet). However, there's one
feature from OpenLDAP that is must-have before even attempting to play with
FDS.
In OpenLDAP, if I use a string like "{SASL}username@REALM" as the value of the
userPassword attribute, and have "pwcheck_method: saslauthd" in
/usr/lib/sasl2/slapd.conf, then OpenLDAP will use saslauthd to authenticate the
user (passing it "username@REALM" and whatever password the user supplied). I've
read that FDS supports SASL, but does it support this feature too?
Thanks,
Aleksandar Milivojevic
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
18 years, 5 months
[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 1, Issue 38
by Douglas Willis
fedora-directory-users-request(a)redhat.com wrote:
>Message: 2
>Date: Mon, 27 Jun 2005 15:40:49 -0700
>From: "Pete Rowley" <pete(a)openrowley.com>
>Subject: RE: [Fedora-directory-users] SYNTAX oid's
>To: "'General discussion list for the Fedora Directory server
> project.'" <fedora-directory-users(a)redhat.com>
>Message-ID: <200506272237.j5RMbPFk030780(a)mx3.redhat.com>
>Content-Type: text/plain; charset="us-ascii"
>
>>-----Original Message-----
>>From: fedora-directory-users-bounces(a)redhat.com
>>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf
>>Of Douglas Willis
>>Sent: Monday, June 27, 2005 1:34 AM
>>To: fedora-directory-users(a)redhat.com
>>Subject: [Fedora-directory-users] SYNTAX oid's
>>
>> Numeric String => 1.3.6.1.4.1.1466.115.121.1.36 and
>>Printable String => 1.3.6.1.4.1.1466.115.121.1.44
>>
>
>Those are both RFC 2252 syntaxes, I would be surprised if they are not in
>the schema already
>
As far as I can tell these are the supported SYNTAX of the directory
server.
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'DirectoryString' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'DN' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'GeneralizedTime' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'INTEGER' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'OctetString' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'TelephoneNumber' )
ldapSyntaxes: ( 1.3.6.1.4.1.4401.1.1.1 DESC 'URI' )
ldapSyntaxes: ( 2.16.840.1.113730.3.7.1 DESC 'SpaceInsensitiveString' )
I ended up replacing the printable string with IA5String and Numeric
String with TelephoneNumber
--
Douglas Willis (ddw(a)bas.ac.uk)
British Antarctic Survey
High Cross, Madingley Road
Cambridge, CB3 0ET, United Kingdom
tel: +44 1223 221400, fax: +44 1223 362616
18 years, 5 months
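An added example serving three of the threads above (my code, not the list's or Fedora DS's): the OpenLDAP-to-FDS schema conversion D Canfield asked about, the cn=schema LDIF form Brian wants to ship as a 99user.ldif file, and Douglas's syntax substitutions. It parses slapd-style `attributetype`/`objectclass` stanzas, remaps the two syntax OIDs Douglas found unsupported exactly as he did (PrintableString to IA5String, NumericString to TelephoneNumber), and emits a cn=schema entry with attribute types before the object classes that depend on them. The sample schema is constructed and its OID arc is a placeholder.

```python
import re

# Syntaxes missing from the ldapSyntaxes list Douglas posted, remapped as he did:
# PrintableString (.44) -> IA5String (.26), NumericString (.36) -> TelephoneNumber (.50)
SYNTAX_MAP = {"1.3.6.1.4.1.1466.115.121.1.44": "1.3.6.1.4.1.1466.115.121.1.26",
              "1.3.6.1.4.1.1466.115.121.1.36": "1.3.6.1.4.1.1466.115.121.1.50"}
KEYWORDS = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}  # slapd keyword -> cn=schema attribute

def parse_openldap_schema(text):
    """(keyword, definition) pairs; definitions continue on indented lines."""
    items = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # blank or comment
            continue
        if line[0] in " \t" and items:
            items[-1][1] += " " + stripped              # continuation line
        else:
            keyword, _, rest = stripped.partition(" ")
            items.append([keyword.lower(), rest.strip()])
    return [(k, d) for k, d in items if k in KEYWORDS]

def convert_definition(definition):
    """Remap unsupported SYNTAX OIDs (a {len} suffix is kept) and tag X-ORIGIN 'user defined'."""
    definition = " ".join(definition.split())
    definition = re.sub(r"SYNTAX ([\d.]+)", lambda m: "SYNTAX " +
                        SYNTAX_MAP.get(m.group(1), m.group(1)), definition)
    if "X-ORIGIN" not in definition and definition.endswith(")"):
        definition = definition[:-1].rstrip() + " X-ORIGIN 'user defined' )"
    return definition

def to_99user_ldif(text):
    """cn=schema entry for a 99user.ldif-style file; attribute types come first."""
    lines = ["dn: cn=schema", "objectClass: top", "objectClass: ldapSubentry",
             "objectClass: subschema", "cn: schema"]
    items = parse_openldap_schema(text)
    for keyword, target in KEYWORDS.items():
        lines += ["%s: %s" % (target, convert_definition(d))
                  for k, d in items if k == keyword]
    return "\n".join(lines) + "\n"

# Constructed slapd-style input; 1.3.6.1.4.1.99999 is a placeholder OID arc.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'allowedHosts'
    DESC 'hosts this account may log into' EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'unixUser' SUP posixAccount
    AUXILIARY MUST allowedHosts )
"""
```

Against a running server the same attributeTypes/objectClasses lines go into an ldapmodify add against cn=schema instead of a file.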
[Fedora-directory-users] users not showing up in directory listing
by Brian K. Jones
Hi,
I wonder if anyone else has seen this who might have a clue why it happens:
I have users in my directory that will show up if I do a search on the
directory, either in the console or from a command line or whatever, but when
I open the console, double click my directory to open it, click on the
"directory" tab, and navigate to "People" on the left, there are some people
who don't show up on the right. I can't figure out why that would be, because
all of my entries are automatically generated from a script. They're all
identical.
clues?
thanks,
brian.
18 years, 5 months
[Fedora-directory-users] IBM JVM/HT Problem
by Gabriele Chervatin
I'm the author of the thread "Admin Server on Centos 4.1", in which I see
that my problems may be caused by the IBM JVM/HT Problem.
What does it mean? Are there known solutions? I work on a Dell 1850 with a
Xeon CPU and I use kernel 2.6.9-smp with Centos 4.1 and kernel
2.6.11-1.1369_FC4smp with Fedora Core 4.
Thanks
--
Gabriele Chervatin
18 years, 5 months