[Fedora-directory-users] auto dn lookups
by Ben Steeves
Hi Folks,
I'm wondering if anyone has tackled something like this and might have
a suggestion for me:
We have a few fields on people records which are essentially
"pointers" to other records, for example:
dn: uid=example,ou=people,dc=example,dc=com
uid: example
comExampleOrgUnitDN: ou=EXAM,ou=departments,dc=example,dc=com
...which basically says that the person "example" is in the "EXAM"
department. But of course when someone looks up Mr. Example, he
probably would like to know that he works in "Department of Examples",
rather than the DN of the department...
dn: ou=EXAM,ou=departments,dc=example,dc=com
cn: Department of Examples
So my question is: is there any trick to create a sort of dynamic
lookup on the person's record that would "drill down" into the
department record and pull up the cn? My first thought is that this
would be a sort of computed/translated field... I haven't run across
anything describing this in the FDS documentation.
Any ideas? Basically, I want to avoid putting "Department of
Examples" on Mr. Example's record because if the Department decided to
change its name to the "Example Department", I'd have to manually
adjust everyone in the department.
--
Ben Steeves  bcs(a)metacon.ca / ben.steeves(a)gmail.com
The ASCII ribbon campaign against HTML e-mail
http://www.metacon.ca/bcs  GPG ID: 0xB3EBF1D9  Yahoo Messenger: ben_steeves
18 years, 9 months
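The "drill down" the post asks for, done on the client side as an added example (this is not code from the post and not an FDS feature): the entries are parsed from LDIF, DNs are normalised so that case and spacing differences do not break the lookup, and the DN-valued attribute is followed to the department entry to fetch its cn. The attribute names are the ones from the post; the normalisation is a simplified version of the RFC 4514 rules, and the sample LDIF is constructed.

```python
import re

# Constructed sample LDIF, using the two entries from the post above.
SAMPLE_LDIF = """\
dn: uid=example,ou=people,dc=example,dc=com
uid: example
comExampleOrgUnitDN: ou=EXAM,ou=departments,dc=example,dc=com

dn: ou=EXAM,ou=departments,dc=example,dc=com
cn: Department of Examples
"""


def normalize_dn(dn):
    """Normalise a DN for dictionary lookup: strip whitespace around RDN
    separators and lower-case everything.  Attribute types and the
    case-ignore syntaxes used here compare case-insensitively; this is a
    simplification of the full RFC 4514 matching rules (assumption)."""
    parts = [p.strip() for p in re.split(r'(?<!\\),', dn)]
    return ','.join(parts).lower()


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line continuations)
    into {normalised dn: {attribute: [values]}}."""
    entries = {}
    for block in re.split(r'\n\s*\n', text.strip()):
        attrs, dn = {}, None
        for line in block.splitlines():
            if not line or line.startswith('#'):
                continue
            name, _, value = line.partition(':')
            name, value = name.strip(), value.strip()
            if name.lower() == 'dn':
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[normalize_dn(dn)] = attrs
    return entries


def resolve_pointer(entries, person_dn, pointer_attr, target_attr):
    """Follow a DN-valued attribute on one entry to the entry it names and
    return that entry's target_attr values.  Returns [] when the pointer
    is absent or dangling, so a stale reference is visible to the caller."""
    person = entries.get(normalize_dn(person_dn), {})
    results = []
    for dn_value in person.get(pointer_attr, []):
        target = entries.get(normalize_dn(dn_value))
        if target is None:
            continue  # dangling pointer: the department entry is gone
        results.extend(target.get(target_attr, []))
    return results


def with_computed_attr(entries, person_dn, pointer_attr, target_attr, computed_attr):
    """Return a copy of the person entry with an extra, computed attribute
    holding the resolved values: the 'translated field' the post describes,
    produced at read time instead of being stored."""
    entry = dict(entries.get(normalize_dn(person_dn), {}))
    values = resolve_pointer(entries, person_dn, pointer_attr, target_attr)
    if values:
        entry[computed_attr] = values
    return entry
```

Because the name is resolved at read time, renaming the department means changing one cn on the department entry; nothing on the people records has to be touched.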
Re: [Fedora-directory-users] PAM authentication
by Thomas Mathiesen
Rich Megginson (rmeggins(a)redhat.com) wrote:
> >>>1. How do I add posixAccounts in the admin web interface (eg.
> >>>http://ldap.mydomain.com:15613/clients/dsgw/bin/lang?context=dsgw)?
> >>>
> >>>
> >>>
> >>You can't in the _web_ interface, but you can in the console. This
> >>won't work from the Users&Groups tab in the main console window. Open
> >>the Directory Server into which you want to add the users. Go to the
> >>Directory tab. With the Properties editor, you can "posix" enable an
> >>existing user or create a new user with the posix attributes.
> >>
> >>
> >
> >But the console seems to need you to run some kind of Java app, and I believe
> >this needs X?
> >My server has no X installed.
> >
> >Isn't there a setting somewhere? In a clear text file (for defaults)
> >
> >
> The file that controls this UI is
> serverroot/clients/dsgw/config/display-orgperson.html. This is a
> "template" that is parsed by the CGIs and rendered as HTML. If you look
> at line 188 in this file you will see where it sets the objectclasses
> for the new user. It would be easy to add the shadowAccount to this
> list - the only required attribute is "uid" which is already supplied by
> the UI. Unfortunately, it would be more difficult to add posixAccount
> to this list because that objectclass requires cn, uidNumber, gidNumber,
> and homeDirectory, which are not part of the UI. So those fields would
> have to be added. I think this would be a good enhancement, to either
> add shadow and posix account support to display-orgperson.html, or
> create a new template for posix/shadow accounts.
Is anyone working on such a template?
I will not be able to do it, so I am thinking of using phpldapadmin instead.
/T
18 years, 9 months
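Without X or the console, the usual clear-text route is an LDIF modify record fed to ldapmodify. The following is an added example, not from the thread or from FDS: it checks that an entry carries the attributes the reply above lists as required for posixAccount and shadowAccount (the list here is the RFC 2307 MUST set, which also includes uid) and only then emits the modify record, so the server does not reject it with an objectClassViolation. The entry values and DN are constructed.

```python
# MUST attributes of the two object classes (RFC 2307).  The reply above
# names cn, uidNumber, gidNumber and homeDirectory for posixAccount and
# uid for shadowAccount; uid is also MUST for posixAccount.
MUST_ATTRS = {
    "posixAccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
    "shadowAccount": ("uid",),
}


def missing_attributes(entry, object_classes):
    """Return the attribute names `entry` lacks for the given object classes.
    `entry` maps attribute names to values; empty values count as missing."""
    present = {k.lower() for k, v in entry.items() if v not in (None, "")}
    missing = []
    for oc in object_classes:
        for attr in MUST_ATTRS[oc]:
            if attr.lower() not in present and attr not in missing:
                missing.append(attr)
    return missing


def posix_enable_ldif(dn, entry, login_shell="/bin/bash"):
    """Build an LDIF 'changetype: modify' record that adds posixAccount and
    shadowAccount to an existing person entry.  cn and uid are expected to
    be on the entry already; the posix attributes are added here."""
    classes = ("posixAccount", "shadowAccount")
    missing = missing_attributes(entry, classes)
    if missing:
        raise ValueError("cannot posix-enable %s, missing: %s" % (dn, ", ".join(missing)))
    lines = ["dn: %s" % dn, "changetype: modify", "add: objectClass"]
    lines += ["objectClass: %s" % oc for oc in classes]
    lines.append("-")
    for attr in ("uidNumber", "gidNumber", "homeDirectory"):
        lines += ["add: %s" % attr, "%s: %s" % (attr, entry[attr]), "-"]
    lines += ["add: loginShell", "loginShell: %s" % login_shell, "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed entry; the person already exists with cn and uid.
    person = {"cn": "Thomas Mathiesen", "uid": "thomas", "uidNumber": 1001,
              "gidNumber": 100, "homeDirectory": "/home/thomas"}
    print(posix_enable_ldif("uid=thomas,ou=People,dc=mydomain,dc=com", person))
```

The printed record is what you would pass to ldapmodify with -f, binding as an identity allowed to modify the entry (for example the Directory Manager with -D and -W).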
[Fedora-directory-users] x64 Compiled Version
by Evan Montgomery-Recht
Are there any plans to provide an x64 compiled version with admin
server and console? Similar to the Solaris and binary version?
At this point it probably doesn't matter that much unless the code
allows for x64 memory usage. But it'd be nice.
thanks,
evan
18 years, 9 months
Re: [Fedora-directory-users] PAM authentication
by Thomas Mathiesen
> >1. How do I add posixAccounts in the admin web interface (eg.
> >http://ldap.mydomain.com:15613/clients/dsgw/bin/lang?context=dsgw)?
> >
> You can't in the _web_ interface, but you can in the console. This
> won't work from the Users&Groups tab in the main console window. Open
> the Directory Server into which you want to add the users. Go to the
> Directory tab. With the Properties editor, you can "posix" enable an
> existing user or create a new user with the posix attributes.
But the console seems to need you to run some kind of Java app, and I believe
this needs X?
My server has no X installed.
Isn't there a setting somewhere? In a clear text file (for defaults)
/T
18 years, 9 months
Re: [Fedora-directory-users] PAM authentication
by Thomas Mathiesen
Two more issues (one off-topic):
1. How do I add posixAccounts in the admin web interface (eg.
http://ldap.mydomain.com:15613/clients/dsgw/bin/lang?context=dsgw)?
Preferably a GUI method for this. If not, I'll have to think of using
phpldapadmin or something similar.
2. Does anyone know how I can cache posixAccounts on the client? At the
moment, users can log in if connected to the network where the FDS server is,
but if we have a network outage, or a person is using a laptop off-site, (s)he
won't be able to log in using their LDAP account. OK, maybe this is off-topic,
but if anyone knows, please tell me.
I am writing some scripts, and am going to build a GUI, to make it easy for newbie
admins to set this up.
Cheers
/Thomas
18 years, 9 months
[Fedora-directory-users] userPassword is base64 encoded
by Sævaldur Gunnarsson
I posted the following on the samba-users mailing list:
--
I'm switching from OpenLDAP to the newly released Fedora Directory
Server (formerly known as the Netscape Directory Server) as an LDAP
backend for my Samba domain.
I'm now faced with a problem regarding how Fedora DS handles the
userPassword field.
Unlike OpenLDAP, it encodes it in base64, so instead of reading
userPassword: {SSHA}8FZY4LdYi1f1oA5YgDw/+h/Rmy0mEeyO
it reads:
userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8=
Samba apparently does not like this because when I try to change the
password using the "ctrl+alt+del -> Change Password" method I get the
following error in samba.log (with log level = passdb:5)
-- cut here --
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1704)
ldapsam_update_sam_account: user gg to be modified has dn:
uid=gg,ou=People,dc=kung,dc=foo
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_ldap_from_sam(893)
init_ldap_from_sam: Setting entry for user: gg
[2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1587)
ldapsam_modify_entry: LDAP Password could not be changed for user gg:
Unknown error
Current passwd must be supplied by the user.
[2005/06/07 19:27:45, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1731)
ldapsam_update_sam_account: failed to modify user with uid = gg,
error: Current passwd must be supplied by the user.
(Success)
[2005/06/07 19:27:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
init_sam_from_ldap: Entry found for user: gg
[2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
decode_pw_buffer: incorrect password length (-988553355).
[2005/06/07 19:27:45, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
decode_pw_buffer: check that 'encrypt passwords = yes'
-- cut here --
And a dialog from Windows that says:
"The User name or old password is incorrect. Letters in passwords must
be typed using the correct case."
The SambaNTPassword and SambaLMPassword entries change, but the
userPassword entry does not.
I'm using the ldap passwd sync = Yes option in my smb.conf since the
LDAP server is used for Linux authentication as well as Samba
authentication.
However, if I use the smbldap-passwd utility everything works like a charm.
Both the SambaLMPassword/SambaNTPassword and userPassword entries are
changed.
If the ldap passwd sync option is set to No in the smb.conf then Windows
does not complain when I use ctrl+alt+del method, but then of course the
userPassword entry is not modified.
The samba server is a RHEL4 machine with samba-3.0.10-1.4E and
fedora-ds-7.1-2.RHEL4.
Output from ldapsearch of the user gg:
--cut here --
kung.foo.is /opt/fedora-ds/slapd-palladium/config/schema# ldapsearch -x
-ZZ -D "uid=gg,ou=People,dc=kung,dc=foo" -W uid=gg userPassword
SambaLMPassword SambaNTPassword
Enter LDAP Password:
# gg, People, kung.foo
dn: uid=gg,ou=People,dc=kung,dc=foo
userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8=
SambaLMPassword: 7B9FBD79429286DBAAD3B435B51404EE
SambaNTPassword: 2352D5C13878770724EA84A32EFCD485
--cut here--
Advice on how to correct this is greatly appreciated.
--
The reply I got back was that it was not a Samba problem but an FDS problem.
I guess I'm looking for a way to store the userPassword entry as a
regular entry and not a base64 encoded one.
So, any advice?
--
Sævaldur Gunnarsson, RHCE
18 years, 9 months
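An added example (not from the post, Samba or FDS) showing what the double colon in the ldapsearch output means: per RFC 2849 a "::" line carries a base64-encoded copy of the value in the LDIF text, and decoding the line quoted above yields exactly the {SSHA}8FZY4LdYi1f1oA5YgDw/+h/Rmy0mEeyO string the poster expected. The rest of the block shows what an {SSHA} value is (a SHA-1 digest of password plus salt, followed by the salt, base64-encoded) and how a server or PAM module verifies a password against it. The test password and salt are constructed; the verification never reveals the real user's password.

```python
import base64
import hashlib
import hmac
import os

# The userPassword line exactly as it appears in the ldapsearch output above.
LDIF_LINE = "userPassword:: e1NTSEF9OEZaWTRMZFlpMWYxb0E1WWdEdy8raC9SbXkwbUVleU8="


def ldif_value(line):
    """Split one LDIF line into (attribute, value).  A double colon
    (RFC 2849) means the value is base64-encoded in the LDIF text only;
    the directory stores and compares the decoded value."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip()).decode("utf-8")
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip()


def ssha_parts(stored):
    """Return (sha1_digest, salt) from an {SSHA} value, or None for any
    other scheme.  The payload is base64(sha1(password + salt) + salt),
    so everything after the first 20 bytes is the salt."""
    if not stored.startswith("{SSHA}"):
        return None
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_hash(password, salt=None):
    """Produce an {SSHA} value for a password (4-byte random salt by default)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password the way the server does on a simple bind:
    re-hash with the stored salt and compare in constant time.  Any scheme
    other than {SSHA} is rejected rather than guessed at."""
    parts = ssha_parts(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    attr, value = ldif_value(LDIF_LINE)
    print(attr, value)                 # the {SSHA} string from the post
    digest, salt = ssha_parts(value)
    print(len(digest), "byte digest,", len(salt), "byte salt")
    h = ssha_hash("constructed-example", salt=b"\x01\x02\x03\x04")
    print(h, ssha_verify("constructed-example", h))
```

The practical point is that the "::" is an artefact of how ldapsearch writes the value out, not of how FDS stores it; a client that reads userPassword through the LDAP protocol gets the decoded {SSHA} value.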
Re: [Fedora-directory-users] Support for Windows login?
by Ian Bishop
Has anyone tested pgina against FDS?
I've tried creating an entry: cn=ibishop,ou=People,dc=localdomain in my
directory and then test authenticating against the directory from a PC
running pgina on WinXP.
The pgina ldap config is:
LDAP method: map mode
LDAP server: 192.168.2.200
prepend: cn=
append: ou=People,dc=localdomain
When I try to bind to this with pgina I get the following in the slapd log:
fd=75 slot=75 connection from 192.168.2.183 to 192.168.2.200
[08/Jun/2005:12:30:47 +1000] conn=42 op=0 BIND
dn="cn=ibishop,ou=people,dc=localdomain" method=128 version=3
[08/Jun/2005:12:30:47 +1000] conn=42 op=0 RESULT err=32 tag=97
nentries=0 etime=0
[08/Jun/2005:12:30:47 +1000] conn=42 op=1 UNBIND
[08/Jun/2005:12:30:47 +1000] conn=42 op=1 fd=75 closed - U1
My directory has all the default bind permissions (which should allow
this right?)...can anyone see what I'm doing wrong?
Thanks,
Ian
Max Kipness wrote:
Can this directory service take the place of MS Active Directory and be
used to login Windows XP workstations without an AD Domain Controllers
present?
Sure, but it does not provide all of the active directory policies, or
allow you to apply permissions to files on your machine based on domain
groups, etc.
To get windows authenticating from standard LDAP, you need to use pGina:
http://pgina.xpasystems.com/
BR,
--
Mike
LDAP Directory Consulting: http://www.netauth.com
18 years, 9 months
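When triaging a bind failure like the one above it helps to pair each BIND with its RESULT and translate the error code: err=32 is LDAP noSuchObject, meaning the server found no entry at the bind DN, which is a different failure from err=49 (invalidCredentials, wrong password). The following is an added example, not code from the post or from FDS: a small parser for the access-log format shown above that correlates BIND and RESULT by conn and op and counts failed binds per client address. The sample log is constructed from the lines in the post (joined back onto single lines and given the conn=42 prefix they would carry) plus a second, invented connection.

```python
import re

# Constructed sample access log.  conn=42 is the exchange from the post above;
# conn=43 is invented to show a wrong-password failure and a non-bind RESULT.
SAMPLE_LOG = """\
[08/Jun/2005:12:30:47 +1000] conn=42 fd=75 slot=75 connection from 192.168.2.183 to 192.168.2.200
[08/Jun/2005:12:30:47 +1000] conn=42 op=0 BIND dn="cn=ibishop,ou=people,dc=localdomain" method=128 version=3
[08/Jun/2005:12:30:47 +1000] conn=42 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[08/Jun/2005:12:30:47 +1000] conn=42 op=1 UNBIND
[08/Jun/2005:12:30:47 +1000] conn=42 op=1 fd=75 closed - U1
[08/Jun/2005:12:31:02 +1000] conn=43 fd=76 slot=76 connection from 192.168.2.50 to 192.168.2.200
[08/Jun/2005:12:31:02 +1000] conn=43 op=0 BIND dn="uid=someone,ou=People,dc=localdomain" method=128 version=3
[08/Jun/2005:12:31:02 +1000] conn=43 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[08/Jun/2005:12:31:02 +1000] conn=43 op=1 SRCH base="dc=localdomain" scope=2 filter="(uid=someone)" attrs=ALL
[08/Jun/2005:12:31:02 +1000] conn=43 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[08/Jun/2005:12:31:02 +1000] conn=43 op=2 UNBIND
"""

# LDAP result codes relevant to bind triage.
LDAP_RESULT = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to (\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\w+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def bind_outcomes(log_text):
    """Pair every BIND with the RESULT carrying the same conn and op, and
    return one dict per bind with the client address, DN, error code and
    its name.  RESULT lines for other operations are ignored."""
    clients, pending, outcomes = {}, {}, []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = {
                "conn": int(conn),
                "client": clients.get(conn, "?"),
                "dn": dn or "<anonymous>",
                "method": "simple" if method == "128" else method,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            bind = pending.pop((m.group(1), m.group(2)), None)
            if bind is None:
                continue  # RESULT of a search/modify, not of a bind
            err = int(m.group(3))
            bind.update(err=err, meaning=LDAP_RESULT.get(err, "other"), ok=(err == 0))
            outcomes.append(bind)
    return outcomes


def failed_bind_counts(outcomes):
    """Count failed binds per client address, the figure a detection rule
    would threshold on."""
    counts = {}
    for o in outcomes:
        if not o["ok"]:
            counts[o["client"]] = counts.get(o["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for o in bind_outcomes(SAMPLE_LOG):
        print(o["client"], o["dn"], o["err"], o["meaning"])
    print(failed_bind_counts(bind_outcomes(SAMPLE_LOG)))
```

For the post above the parser reports noSuchObject for cn=ibishop,ou=people,dc=localdomain: the DN pgina built from its prepend/append settings is not an entry the server could find, so the password was never checked.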
[Fedora-directory-users] More on x86_64
by D Canfield
Just to follow up on my previous post, it looks like the following 32-bit
libraries are required to start FDS on RHEL4 x86_64:
libgcc
libstdc++
libtermcap
ncurses
e2fsprogs
krb5-libs
That seems to allow the server to start, though I'm still not able to
run the console. Unfortunately, I'm not familiar enough with Java to
know if this is due to a Java/path issue, a missing 32-bit library
issue, or just not getting the X forwarding right. :-(
Here's the error in case something jumps out at somebody (I'm using the
ibm-java from RHEL4 extras, as I understood from another thread that
it's the correct JRE for this...).
[canfield]$ ssh -X elwe.test /opt/fedora-ds/startconsole
Exception in thread "main" java.lang.ExceptionInInitializerError
        at com.sun.java.swing.plaf.windows.WindowsLookAndFeel.initialize(WindowsLookAndFeel.java:154)
        at com.netscape.management.nmclf.SuiLookAndFeel.initialize(Unknown Source)
        at javax.swing.UIManager.setLookAndFeel(UIManager.java:424)
        at com.netscape.management.client.console.Console.common_init(Unknown Source)
        at com.netscape.management.client.console.Console.<init>(Unknown Source)
        at com.netscape.management.client.console.Console.main(Unknown Source)
Caused by: java.lang.NullPointerException
        at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:2159)
        at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1994)
        at java.lang.Runtime.loadLibrary0(Runtime.java:824)
        at java.lang.System.loadLibrary(System.java:908)
        at sun.security.action.LoadLibraryAction.run(LoadLibraryAction.java:76)
        at java.security.AccessController.doPrivileged1(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:287)
        at java.awt.Toolkit.loadLibraries(Toolkit.java:1488)
        at java.awt.Toolkit.<clinit>(Toolkit.java:1511)
        ... 6 more
Thanks
DC
18 years, 9 months
Re: [Fedora-directory-users] PAM authentication
by Thomas Mathiesen
WORKS!!! I am actually not using the libnssldap.conf file, but the
pam_ldap.conf file in /etc/ on Ubuntu.
There are two "ldap" conf files, and it seems to use only one.
Thanks a lot for the guidance :)
/T
Nalin Dahyabhai (nalin(a)redhat.com) wrote:
>
> On Tue, Jun 07, 2005 at 12:00:34PM +0000, Thomas Mathiesen wrote:
> > So, here's what I continued doing:
> > Added a user (using the webinterface).
> > Added objectclass posixAccount to this user (using GQ)
> >
> > Turning to my desktop, running Ubuntu Hoary and Openldap, I set it up using
> > this ldap config:
> > host ldap.mydomain.com
> > base dc=mydomain,dc=com
> > ldap_version 3
> > timelimit 30
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > ssl no
> > #ssl start_tls
> > #tls_checkpeer no
> > pam_password ssha
> >
> > I've tried to use ssl (and tls_checkpeer no), and no ssl.... nothing works.
> >
> > In my log on the fedora directory server, I see the connection, and it first
> > tries to find the posixAccount, and returns no error. Then it looks for
> > shadowAccount, and returns no error (after I added that objectclass as well).
> >
> > The client worked fine, authenticating with my previous OpenLDAP server... and
> > I can't see why it doesn't authenticate with my new Fedora server.
>
> Can you give us some more details to go on? Are you using pam_ldap to
> check passwords, or are you just using nss_ldap in combination with
> pam_unix? What do your system logs indicate when the user's attempt to
> authenticate fails?
>
> If it's nss_ldap+pam_unix, can you read the userPassword attribute of
> the user's posixAccount object when you bind to the directory
> anonymously? For example, does this command give you any userPassword
> values?
> ldapsearch -x -h ldap.mydomain.com -b dc=mydomain,dc=com
> uid=username userPassword
>
> My guess here is that you have an ACI on dc=mydomain,dc=com which allows
> read access to any attribute except "userPassword" for anonymous users,
> and because nss_ldap is binding to the directory anonymously on
> pam_unix's behalf to read the attribute, pam_unix can't check passwords.
>
> HTH,
>
> Nalin
>
>
--
LinProfs
Phone: +31703521193 & +31652572454
Web: www.linprofs.com & www.linprofs.nl
Email: thomas(a)linprofs.com
-
"Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking"
18 years, 9 months
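The config quoted in the exchange above has "ssl no" in effect and "tls_checkpeer no" commented out, which is worth catching before such a client goes into production: with plain LDAP the bind password (or, in the nss_ldap plus pam_unix arrangement Nalin describes, the userPassword hashes themselves) crosses the network unencrypted, and with peer checking off TLS does not stop an impostor server. The following is an added example, not from the thread or from pam_ldap: a parser for the "key value" format of pam_ldap.conf / libnss-ldap.conf and an audit of those transport settings, run over the posted config and over a hardened variant. The checks are my own choice; the CA file path in the hardened variant is a placeholder.

```python
# Constructed sample: the pam_ldap.conf quoted in the message above, verbatim.
CONFIG_AS_POSTED = """\
host ldap.mydomain.com
base dc=mydomain,dc=com
ldap_version 3
timelimit 30
pam_filter objectclass=posixAccount
pam_login_attribute uid
ssl no
#ssl start_tls
#tls_checkpeer no
pam_password ssha
"""

# Constructed hardened variant: STARTTLS, peer verification on, and a CA
# to verify against (placeholder path).
CONFIG_HARDENED = CONFIG_AS_POSTED.replace(
    "ssl no\n#ssl start_tls\n#tls_checkpeer no\n",
    "ssl start_tls\ntls_checkpeer yes\ntls_cacertfile /etc/ssl/certs/EXAMPLE-ldap-ca.pem\n",
)


def parse_ldap_conf(text):
    """Parse the 'key value' format of pam_ldap.conf / libnss-ldap.conf.
    Comments and blank lines are skipped; a repeated key overrides the
    earlier one; keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(conf):
    """Return (setting, finding) pairs for transport settings that expose
    the bind password or password hashes on the wire.  Only an explicit
    'tls_checkpeer no' is flagged; an absent key is left to the defaults."""
    findings = []
    ssl = conf.get("ssl", "no").lower()
    encrypted = ssl in ("yes", "on", "start_tls")
    if not encrypted:
        findings.append(("ssl", "binds and searches use plaintext LDAP; "
                                "set 'ssl start_tls' (or 'ssl yes' for ldaps)"))
    if conf.get("tls_checkpeer", "").lower() in ("no", "off", "false"):
        findings.append(("tls_checkpeer", "server certificate is not verified; "
                                          "set 'tls_checkpeer yes'"))
    if encrypted and not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append(("tls_cacertfile", "no CA configured, so peer verification "
                                           "has nothing to check against"))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", CONFIG_AS_POSTED), ("hardened", CONFIG_HARDENED)):
        print(label, audit_ldap_conf(parse_ldap_conf(text)))
```

Whether the client checks passwords itself (pam_ldap binding as the user) or reads userPassword anonymously for pam_unix, the transport settings decide what an observer on the network sees, so the audit applies to both arrangements discussed in the reply.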
Reply: [Fedora-directory-users] userPassword is base64 encoded [Virus checked]
by Frerk.Meyer@Edeka.de
I don't have FDS yet, but speaking from my Sun LDAP experience there
are four methods to store the userPassword:
plain, crypt, SHA and SSHA
It is set in the global password policy, but you may create more
policies with other settings and apply them individually to users.
So I guess you have to change the global policy and everybody
has to set their password again.
Frerk Meyer
EDEKA Aktiengesellschaft
GB Datenverarbeitung
Frerk Meyer
CC Web Technologien
New-York-Ring 6
22297 Hamburg
Tel: 040/6377 - 3272
Fax: 040/6377 - 41268
mailto:frerk.meyer@edeka.de
18 years, 9 months