0) As mentioned in previous email, use "ldapclient -i", not "ldapclient
-P".
Make sure you have the following TWO ACLs assigned to the baseDN,
dc=composers,dc=foo,dc=com; actually the FIRST ONE is needed, the SECOND ONE is
to secure the naming service.
Note that these two ACLs are NOT my creation, they exist in any normal
installation of SUN ONE DS5.2; for the FIRST ONE, it was "allow
(compare,read,search)", I removed "read" so that userPasswords WILL BE
MASKED OFF while running "ldaplist" or "ldapaddent -D" commands.
1)
(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")
(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search)
userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)
2)
(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")
(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write)
userdn = "ldap:///self";)
3) Also I noticed you have:
===
dn: cn=default,ou=profile,dc=foo,dc=com
...
defaultSearchBase: dc=foo,dc=com
...
===
IIRC it should be set to:
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
...
defaultSearchBase: dc=composers,dc=foo,dc=com
...
4) Don't forget to add IP address for cnyitlin02.composers.foo.com in
/etc/hosts, on top of DNS, or replace it with IP address in the default
profile.
HTH.
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Thursday, August 25, 2005 1:18 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
--- Justin Albstmeijer <justin(a)VLAMea.nl> wrote:
>
> My 2 cents
>
> - test with: ldapsearch -h ldapserver.domain.nl -s
> base -b ""
> "objectclass=*" , to see if you can query the
> server.
I went ahead and got the ldapsearch. It worked.
ldaplist is just busted, I guess.
> - make sure the posix account has the
> "shadowAccount" attribute
Added it. I went to user, properties, posixAccount,
advanced, add value -> shadowAccount. Not sure if
that's the right way of doing it or not...
> - SSHA is default used by FDS for password
> encryption.. this should be CRYPT.
Done -- thank you!
> - make sure to use "simple" instead of "tls:simple"
> for your initial tests
> - use : ldapclient -v -P default -D
> "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w
> proxy_password {ipnumber_ldap_server} , to create the ldap_file &
> ldap_cred files
Yea -- that's where I hit another problem:
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL,
"(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
rootDN[0] dc=foo,dc=com
found baseDN nisdomain=composers.foo.com,dc=foo,dc=com
for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient
rights to read it.
However, from the FDS server itself, ldapsearch -x
shows this: (snipped)
# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default
defaultSearchScope: one
So, the profile is there but what's this about the
rights???
> - make sure you run the latest recommended patch
> cluster.
Did that already.
--
Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
I was looking at the wishlist
(http://directory.fedora.redhat.com/wiki/Wishlist)
Some of these things can already be done, and should be just a matter of
configuration, based on it's Netscape DS heritage. Wanted to give back
by suggesting some ideas on how to accomplish these wishes where no code
changes are needed.
Under Core Server Features:
1. Disable anonymous binds.
By default, the server creates an annonymous aci in the suffix entry
(i.e. top of the tree).
If you edit that entry and remove that aci, you remove anonymous
access. Note that some
services "require" anonymous access, so may break (some clients/apps
may need to do anon
access to look up a uid to get a dn to bind as for auth, etc, so it
may either be necessary to
change the config of these clients to bind as something that can
still do these lookups, or
you may have to just tweak anonymous access to limit what it can
see, rather than removing
it altogether).
2. Option to control resource limits specifically for anonymous.
Anonymous uses the default server settings for these resource
limits. I believe Fedora-ds
supports the following attributes on entries: nslookthroughlimit,
nsizelimit, nstimelimit,
and nsidletimeout (these are in the schema, and the Sun and Netscape
servers fds is based
on supports them). If you put these attributes in an entry, when
that entry binds to the server,
these resource limits are used instead of the server defaults. So,
a way to implement control
of resource limits for anonymous is to set the server default
settings to whatever you want
anonymous to have, and then to set these attributes on all users
that you want to be different
(i.e. have more lenient limits) than anonymous. For things like
mail servers, etc, I always
create an entry for the mail/whatever server, and set these
attributes to appropriate values.
FYI: setting any of these to -1 means unlimited.
Under Console Features:
2. Add host based access control to posixAccount/shadowAccount to
determine who can
log into what hosts.
While this is not specifically in Console, it's relatively
straightforward to add this, if
you're a little creative :) :
- First, create a new ldap attribute in the schema - lets call it
something like "allowedHosts".
Make sure it is multivalued.
- Second, you need to add it to an objectclass. You could add it to
the PosixAccount
objectclass (simpler, but not recommended because you are
modifying a standard
objectclass), or create a new objectclass (lets call if unixUser,
make it derive from
posixAccount, and add allowedHosts as a required attribute).
- When you create users, set their objectclass to posixAccount and
unixUser (and
shadowAccount). Add a list of hostnames you want the user to log
into in the
allowedHosts field.
- When you configure the Unix/Linux/etc box that the user will log
into:
. if you can define a filter for finding users, set it to
"(&(objectclass=posixAccount)(allowedHosts=<hostname>))"
replacing <hostname> with the hostname of the machine they are
logging into.
. If you cannot define a filter, you can set an IP based aci in
the directory for each
of these hosts that allows them to see only users that can log
into "this" box.
You may have to tweak other aci's, such as anonymous, so that
they don't
allow the box to see the users you don't want seen.
One note to make: purists would say DON'T create attributes and
objectclasses on the fly like this. Personally, I don't have a problem
creating attributes/objectclasses for my own internal use. But... if
someone wanted to formalize this with "real" registered oids for the
attributes and objectclasses, and/or defining and going through all the
paperwork/review process to do this or expand posixAccount officially, I
would have no objections :). NDS/FDS/SDS are nice in that they allow
you to create these local definitions without all the complexities of
registering those definitions to the rest of the world.
- Jeff
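The host-based login control Jeff sketches, as an added example (not code from Jeff's post, nor anything shipped with Fedora/Netscape DS): it builds the per-host filter, escapes the hostname per RFC 4515 so a crafted hostname cannot widen the filter, emits the LDIF for a user carrying the proposed `allowedHosts` attribute and `unixUser` objectclass, and evaluates the filter against constructed entries to show which accounts each client host would see. The attribute and objectclass names are Jeff's proposal; the sample users and hostnames are constructed.

```python
"""Host-based login control with a site-local allowedHosts attribute."""


def ldap_filter_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value.

    Without this, a hostname such as "*" would turn the per-host filter into
    one that matches every user with any allowedHosts value.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")"):
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def host_login_filter(hostname: str) -> str:
    """The NSS/PAM user filter for one client host, as suggested in the post."""
    return "(&(objectclass=posixAccount)(allowedHosts=%s))" % ldap_filter_escape(hostname)


def unix_user_ldif(uid: str, uid_number: int, gid_number: int, hosts, base_dn: str) -> str:
    """LDIF for a user with the (hypothetical) unixUser objectclass and one
    allowedHosts value per host the user may log into."""
    lines = [
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "objectClass: unixUser",
        f"uid: {uid}",
        f"cn: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/sh",
    ]
    lines += [f"allowedHosts: {h}" for h in hosts]
    return "\n".join(lines) + "\n"


def visible_users(entries, hostname: str):
    """Evaluate the semantics of host_login_filter(hostname) over in-memory
    entries: attribute names and values compare case-insensitively, as the
    directory server would for these (caseIgnore) attributes.  Only entries
    with objectclass posixAccount AND an allowedHosts value equal to the
    client's hostname are returned, so a host only ever sees its own users."""
    wanted = hostname.lower()
    result = []
    for entry in entries:
        attrs = {k.lower(): [str(v).lower() for v in vals] for k, vals in entry.items()}
        if "posixaccount" not in attrs.get("objectclass", []):
            continue
        if wanted in attrs.get("allowedhosts", []):
            result.append(attrs["uid"][0])
    return sorted(result)


# Constructed sample directory: two POSIX users with different host lists and
# one non-POSIX entry that must never show up as a login account.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "objectClass": ["top", "posixAccount", "unixUser"],
     "allowedHosts": ["web01.example.com", "db01.example.com"]},
    {"uid": ["bob"], "objectClass": ["top", "posixAccount", "unixUser"],
     "allowedHosts": ["web01.example.com"]},
    {"uid": ["svc-mail"], "objectClass": ["top", "person"],
     "allowedHosts": ["db01.example.com"]},
]

if __name__ == "__main__":
    for host in ("web01.example.com", "db01.example.com", "mail01.example.com"):
        print(host, host_login_filter(host), visible_users(SAMPLE_ENTRIES, host))
    print(unix_user_ldif("alice", 1001, 100, ["web01.example.com"], "dc=example,dc=com"))
```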
It is kind of messy here, pls don't continue to do any other thing; I strongly suggest you start FRESH and reinstall FDS7.1 again.
OK, assuming you prefer to use foo.com as the LDAP domain (nisdomain), the baseDN (where the topmost rootDN is) will be dc=foo,dc=com. If you choose "populate with sample data", I think ou=People and ou=Groups will be created; note that ou=group will not be created.
I am not sure and couldn't recall if the FDS7.1 installation will create the nisDomain object in the rootDN; if it does not, you could create it by accessing this rootDN in admin server/open directory, click rootDN, add an objectClass "nisDomainObject" and attribute "nisDomain", with value "foo.com" in it (without the quotes).
If you query everything, the rootDN is listed first; it will be something like:
# /usr/bin/ldapsearch -h ldap1.foo.com -b "dc=foo,dc=com" -L "objectclass=*" | more
dn: dc=foo,dc=com
dc: foo
objectClass: top
objectClass: domain
objectClass: nisDomainObject
nisDomain: foo.com
...
Since most DS products standardize on using ou=group as the group data OU, instead of ou=Groups, do add "ou=group" using the admin console.
Again, whatever you do, don't jump; don't do "ldaplist" without first making sure "ldapclient" ran OK, ldap_cachemgr started OK and shows no error in its log, and so on.
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com on behalf of Igor
Sent: Thu 8/25/2005 11:17 PM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
--- "Tay, Gary" <Gary_Tay(a)platts.com> wrote:
> I think you should put "objectclass=*" (search filter) at the end, see
> "man ldapsearch"
>
> If you need to do anything and are not familiar with LDAP command tools,
> use the admin server to do it.
>
> IIRC all your LDAP data should have baseDN dc=composers,dc=foo,dc=com,
> if your nisdomain (LDAP domain) is set as composers.foo.com.
I changed it:
# foo.com, foo.com
dn: nisdomain=foo.com,dc=foo,dc=com
objectClass: top
objectClass: nisdomainobject
nisDomain: foo.com
bash-2.03# ldaplist -l
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
Gary, sorry for being dense but where's the baseDN? I need to check what it is...
===
Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added
still? Because it looks like you're doing a manual config, right?
===
Yes, I think you should set baseDN (defaultSearchBase) to dc=composers,dc=foo,dc=com, NOT dc=foo,dc=com; it should correspond to the LDAP domain (nisdomain) name, i.e. composers.foo.com, which you set in the rootDN entry nisDomainObject.
Yes, set the ACLs to allow proxyAgent to read the LDAP DIT. Yes, "ldapclient -i" is manual config; I use it as "ldapclient -P" failed me when I tried to use TLS. If "ldapclient -P" works for you with or without TLS, by all means use that syntax.
Your passwd SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your shadow SSD should then be ou=People,dc=composers,dc=foo,dc=com?one
Your group SSD should then be ou=group,dc=composers,dc=foo,dc=com?one
(SSD = serviceSearchDescriptor)
Please re-install FDS7.1 using baseDN=dc=composers,dc=foo,dc=com, and create an ldif file to re-populate your LDAP data using this baseDN, including the needed DUAConfigProfile, proxyAgent and sample People/group entries; the proxyAgent DN in your ldif file should be cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com.
# default, profile, composers.foo.com
dn: cn=default,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com
# tls_profile, profile, composers.foo.com
dn: cn=tls_profile,ou=profile,dc=composers,dc=foo,dc=com
defaultSearchBase: dc=composers,dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
defaultSearchScope: one
serviceSearchDescriptor: passwd: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=composers,dc=foo,dc=com
serviceSearchDescriptor: netgroup: ou=netgroup,dc=composers,dc=foo,dc=com
Read the Solaris8 "man ldapclient" page: there is no such valid value "default" for the "-a" option, please use "-a simple" and rerun "ldapclient -v -i ...". If you omit "-a", it defaults to "none", so proxyDN/PW are not really needed; that is why you got this message in the "ldapclient" result: No proxyDN/proxyPassword required.
/usr/sbin/ldapclient -v -i -a simple -b dc=composers,dc=foo,dc=com -c proxy \
-D cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com -w password \
-S "passwd: ou=People,dc=composers,dc=foo,dc=com?one" \
-S "shadow: ou=People,dc=composers,dc=foo,dc=com?one" \
-S "group: ou=group,dc=composers,dc=foo,dc=com?one" \
-S "netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one" \
149.85.70.17
You seem to jump very fast; before checking "id testdba" or "getent passwd testdba", first check these step-by-step:
# ldapclient -l
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}...
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=foo,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one
# /usr/lib/ldap/ldap_cachemgr -g
Does it say LDAP cache manager is UP and running?
# cat /var/ldap/cachemgr.log
Any critical error?
# ldaplist -l passwd testdba
It should display something like:
dn: uid=testdba,ou=People,dc=composers,dc=foo,dc=com
givenName: Test
sn: DBA
loginShell: /bin/sh
uidNumber: 1111
gidNumber: 111
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testdba
cn: Test DBA
homeDirectory: /home/testdba
If "ldaplist -l passwd testdba" fails, don't expect "id testdba" and "getent passwd testdba" to work.
Gary
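The consistency checks Gary walks through above, as an added example (not code from the thread, nor a Sun or Fedora DS tool): it parses the text that "ldapclient -l" prints and flags the mistakes this thread turned on, namely a search base that is not the dc= form of the NIS domain (composers.foo.com must give dc=composers,dc=foo,dc=com), a proxy credential level combined with NS_LDAP_AUTH=none (the "No proxyDN/proxyPassword required" symptom), and a bind DN or serviceSearchDescriptor base that lies outside the search base. The two sample configurations are constructed, with placeholder password hashes.

```python
"""Sanity-check a Solaris native LDAP client configuration (ldapclient -l output)."""
import re


def nisdomain_to_basedn(domain: str) -> str:
    """Map a NIS/LDAP domain to its dc= form: composers.foo.com -> dc=composers,dc=foo,dc=com."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={label}" for label in labels)


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, base: str) -> bool:
    """True if dn equals base or is a descendant of it."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def parse_ldapclient_list(text: str) -> dict:
    """Parse 'KEY= value' lines; repeatable keys (the SSDs) become lists."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(NS_LDAP_[A-Z_]+)=\s*(.*?)\s*$", line)
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2))
    return cfg


def check_client_config(text: str, nisdomain: str) -> list:
    """Return a list of findings; an empty list means the configuration is consistent."""
    cfg = parse_ldapclient_list(text)
    findings = []
    expected_base = nisdomain_to_basedn(nisdomain)
    base = cfg.get("NS_LDAP_SEARCH_BASEDN", [""])[0]
    if normalize_dn(base) != normalize_dn(expected_base):
        findings.append(f"search base {base!r} does not match NIS domain {nisdomain} ({expected_base})")
    # An omitted -a leaves the auth method at none, so the proxy credential is never sent.
    cred = cfg.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    auth = cfg.get("NS_LDAP_AUTH", ["none"])[0]
    if cred == "proxy" and auth == "none":
        findings.append("credential level is proxy but NS_LDAP_AUTH is none; use -a simple (or tls:simple)")
    binddn = cfg.get("NS_LDAP_BINDDN", [""])[0]
    if cred == "proxy" and not binddn:
        findings.append("credential level is proxy but no NS_LDAP_BINDDN is set")
    if binddn and base and not dn_under(binddn, base):
        findings.append(f"bind DN {binddn!r} is outside search base {base!r}")
    # Each SSD is "service: base?scope"; the base must live under the search base.
    for ssd in cfg.get("NS_LDAP_SERVICE_SEARCH_DESC", []):
        m = re.match(r"^(\w+):\s*([^?]+)(?:\?(\w+))?$", ssd)
        if not m:
            findings.append(f"unparseable serviceSearchDescriptor {ssd!r}")
            continue
        service, ssd_base, scope = m.group(1), m.group(2).strip(), m.group(3)
        if base and not dn_under(ssd_base, base):
            findings.append(f"{service} SSD base {ssd_base!r} is outside search base {base!r}")
        if scope not in (None, "base", "one", "sub"):
            findings.append(f"{service} SSD has invalid scope {scope!r}")
    return findings


# Constructed sample: the client was initialised with dc=foo,dc=com although the
# NIS domain is composers.foo.com, and -a was omitted so auth fell back to none.
BAD_CONFIG = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyAgent,ou=profile,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}placeholder
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=foo,dc=com
NS_LDAP_AUTH= none
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=foo,dc=com?one
"""

# Constructed sample matching the corrected command line given above.
GOOD_CONFIG = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyAgent,ou=profile,dc=composers,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}placeholder
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=composers,dc=foo,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=composers,dc=foo,dc=com?one
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_client_config(cfg, "composers.foo.com") or "OK")
```

On a real client, feed it the live output with `ldapclient -l | python3 check.py` style piping, or paste the text into the function.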
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com on behalf of Igor
Sent: Thu 8/25/2005 9:39 PM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
Gary, thank you for the replies. (I do have the patch you mentioned:)
bash-2.03# showrev -p | grep "^Patch: 108993-48"
Patch: 108993-48 Obsoletes: 108827-40, 108991-18, 109322-09, 109461-03, 111641-0
[...]
--- "Tay, Gary" <Gary_Tay(a)platts.com> wrote:
> 0) As mentioned in previous email, use "ldapclient -i", not "ldapclient
> -P".
>
I did. It kept failing until I got rid of "-a default"
Handling manual option
Unable to set value: invalid authenticationMethod (default)
Getting rid of -a default:
bash-2.03# /usr/sbin/ldapclient -v -i -b dc=foo,dc=com -c proxy -D uid=proxyA
gent,ou=profile,dc=foo,dc=com -w password -S "passwd: ou=People,dc=foo,dc=
com?one" -S "shadow: ou=People,dc=foo,dc=com?one" -S "group: ou=group,dc=caxt
on,dc=com?one" -S "netgroup: ou=netgroup,dc=foo,dc=com?one" 149.85.70.17
Arguments parsed:
defaultSearchBase: dc=foo,dc=com
credentialLevel: proxy
proxyDN: uid=proxyAgent,ou=profile,dc=foo,dc=com
serviceSearchDescriptor:
arg[0]: passwd: ou=People,dc=foo,dc=com?one
arg[1]: shadow: ou=People,dc=foo,dc=com?one
arg[2]: group: ou=group,dc=foo,dc=com?one
arg[3]: netgroup: ou=netgroup,dc=foo,dc=com?one
proxyPassword: password
defaultServerList: 149.85.70.17
Handling manual option
Proxy DN: uid=proxyAgent,ou=profile,dc=foo,dc=com
Proxy password: {NS1}ecfa88f3a945c411
Credential level: 1
Authentication method: 0
Authentication method: 0
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
Stopping nscd
Stopping autofs
Stopping ldap
nisd not running
nis_cache not running
nispasswd not running
nis(yp) not running
Removing existing restore directory
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "composers.foo.com"
file_backup: stat(/var/yp/binding/composers.foo.com)=-1
file_backup: No /var/yp/binding/composers.foo.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname composers.foo.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
System successfully configured
bash-2.03# id testdba
id: invalid user name: "testdba"
bash-2.03#
So, looks like it worked but I can't authenticate any users. id testdba produces traffic
on the FDS server, so it's definitely trying to query it but can't resolve anything.
Also, I have two profiles:
# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one
# tls_profile, profile, foo.com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
defaultSearchScope: one
My default profile doesn't have those 3 searchDescriptors. Or we are not using profiles
anymore? Just curious...
Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added
still? Because it looks like you're doing a manual config, right?
Thank you for your help, Gary.
I think you should put "objectclass=*" (search filter) at the end, see
"man ldapsearch"
If you need to do anything and are not familiar with LDAP command tools,
use the admin server to do it.
IIRC all your LDAP data should have baseDN dc=composers,dc=foo,dc=com,
if your nisdomain (LDAP domain) is set as composers.foo.com.
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Thursday, August 25, 2005 3:20 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
Here's what I get when I run ldapsearch:
bash-2.03# ldapsearch -h cnyitlin02 -b "dc=foo,dc=com" -L
"objectclass=*" -D "uid=proxyagent,ou=profile,dc=foo,dc=com" -w password
dn: dc=foo,dc=com
dn: cn=Directory Administrators, dc=foo,dc=com
dn: gidnumber=5000,cn=Directory Administrators,dc=foo,dc=com
dn: gidnumber=6000,dc=foo,dc=com
dn: uid=testdba,gidnumber=6000,dc=foo,dc=com
dn: ou=profile,dc=foo,dc=com
dn: cn=default,ou=profile,dc=foo,dc=com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
dn: nisdomain=composers.foo.com,dc=foo,dc=com
dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
how do I get rid of the nisdomain in there? moreover, do I need to?
Thanks for the info, I did say "USED TO WORK VERY WELL".
I remembered it worked for me "once" or "twice" for a default profile
using "simple" bind, after that when I tried to enhance it to TLS
profile using "tls:simple" bind, it started to sing song. Again I wish
you could prove me wrong the next moment.
Anyway it is very time consuming and tiring patching the Solaris8
client, I have never been interested to do it again at a second Solaris8
client.
If one were to use the "Solaris" Native LDAP Client, use "Solaris9" and avoid
"Solaris8", unless you are trying to create more work.
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Justin
Albstmeijer
Sent: Thursday, August 25, 2005 2:32 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
> 1) The "ldapclient -P ..." command line which downloads LDAP profile
> from LDAP Server, USED TO WORK VERY WELL is not working anymore.
Strange Gary, "ldapclient -P ..." still works fine for me on Solaris 8
(108993-48), with FDS 7.1.
I have successfully configured the Solaris8 Native LDAP Client to work
against FDS7.1. Below is what I have experienced and observed.
It appears to me that 108993-48 LDAP patch breaks the "ldapclient -P"
command.
1) The "ldapclient -P ..." command line which downloads LDAP profile
from LDAP Server, USED TO WORK VERY WELL is not working anymore.
The following script failed, it will hang at:
...
Starting network services
start: /usr/bin/domainname example.com... Success
<Halt Here>
===
# cat ./ldapclient_download_defaultprofile_sol8.sh
/usr/sbin/ldapclient -v \
-P default \
-d example.com \
-D "cn=proxyagent,ou=profile,dc=example,dc=com" \
-w "password" \
192.168.1.168
# As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
# which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
# Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
===
2) "ldapclient -i ..." works
===
[root@sins001u5 /var/ldap]# cat ldapclient_init_defaultprofile_sol8.sh
/usr/sbin/ldapclient -v -i -a simple -b dc=example,dc=com -c proxy \
-D cn=proxyAgent,ou=profile,dc=example,dc=com -w password \
-S "passwd: ou=People,dc=example,dc=com?one" \
-S "shadow: ou=People,dc=example,dc=com?one" \
-S "group: ou=group,dc=example,dc=com?one" \
-S "netgroup: ou=netgroup,dc=example,dc=com?one" \
192.168.1.168
echo ...
echo As ldapclient overwrites /etc/nsswitch.conf with /etc/nsswitch.ldap
echo which contains a bug in "hosts:" entry, we need to repair it
sed -e '/^hosts:/s/ldap.*files$/files dns/' \
-e '/^passwd:/a\
shadow: files ldap' \
/etc/nsswitch.ldap >/etc/nsswitch.work
cp /etc/nsswitch.work /etc/nsswitch.conf
echo ...
echo Refresh Name Service Cache Daemon after repairing /etc/nsswitch.conf
/etc/init.d/nscd stop
/etc/init.d/nscd start
===
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Justin
Albstmeijer
Sent: Wednesday, August 24, 2005 10:25 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
My 2 cents
- test with: ldapsearch -h ldapserver.domain.nl -s base -b ""
"objectclass=*" , to see if you can query the server.
- make sure the posix account has the "shadowAccount" attribute
- SSHA is default used by FDS for password encryption.. this should be
CRYPT.
import:
------------------------------
dn: cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: CRYPT
------------------------------
- make sure to use "simple" instead of "tls:simple" for your initial
tests
- use : ldapclient -v -P default -D
"cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w
proxy_password {ipnumber_ldap_server} , to create the ldap_file &
ldap_cred files
- make sure you run the latest recommended patch cluster.
I'm working on documentation.. maybe I'll have time to publish it
sometime soon.
Justin
> Hi, all. I've been battling this for days now, with
> no luck. I've got fds up & running and linux clients authenticating
> w/o problems. Solaris has so far been a royal pain.
>
> This is what I've done so far:
> - imported the 2 schemas that a kind soul sent me (dua
> & nis)
> - added the nisDomain object
> - added a few users to test
> - copied the ldap_file & ldap_cred files from Gary
> Tay's site
> - added a default simple profile
> - ran ldap-genprofile to get the NS1 password, put it
> in the cred file.
> - added ldap to the nsswitch.conf
>
> Yet the solaris box doesn't see the ldap server. In
> the dmesg, I see this:
>
> Aug 24 09:16:34 unknown getent[1506]: [ID 293258
> user.error] libsldap: Status: 7 Mesg: Session error
> no available conn.
> Aug 24 09:18:07 unknown nscd[1498]: [ID 293258
> user.error] libsldap: Status: 7 Mesg: Session error
> no available conn.
> Aug 24 09:18:07 unknown nscd[1498]: [ID 293258
> user.error] libsldap: Status: 7 Mesg: Session error
> no available conn.
>
> Can anybody point me in the right direction? I'm
> about to start kicking the solaris server...
You wrote:
===
after configuring all the details.
===
Pls provide all the details.
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Tay,
Gary
Sent: Thursday, August 25, 2005 1:19 PM
To: General discussion list for the Fedora Directory server project.
Subject: **Caution-External**: RE: [Fedora-directory-users] Unable to
login to interface..........HELP!!!!!
Tell us what is in setup/setup.log.
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of gokul
nath
Sent: Thursday, August 25, 2005 1:17 PM
To: fedora-directory-users(a)redhat.com
Subject: [Fedora-directory-users] Unable to login to
interface..........HELP!!!!!
I have downloaded fedora-ds-7.1-2.i386.opt.rpm
after installing it...
i gave...
/opt/fedora-ds/setup/setup
i gave typical installation
after configuring all the details.
it gave me an error. i have just pasted the error here
below
Server user ID to use (default: nobody)
Server group ID to use (default: nobody)
[slapd-in]: starting up server ...
[slapd-in]: Fedora-Directory/7.1 B2005.146.2010
[slapd-in]: in.sundarambizserv.com:389
(/opt/fedora-ds/slapd-in)
[slapd-in]:
[slapd-in]: [22/Aug/2005:09:59:45 +051800] - Fedora-Directory/7.1
B2005.146.2010 starting up
[slapd-in]: [22/Aug/2005:09:59:46 +051800] - slapd
started. Listening on All Interfaces port 389 for LDAP
requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration
Server.
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory
Server...
Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileQJv7Um
2>&1] (error: No such file or directory)INFO Finished with setup,
logfile is setup/setup.log
Because of this i am not able to run the admin server
/opt/fedora-ds/startconsole is not allowing me to login.
Kindly help me out. I'm stuck with this problem for
days...
Regards
gokul