[Fedora-directory-users] How to get the hosts for host login restriction
by Rich Megginson
As it turns out, PADL's nss/pam ldap ships with a schema that does this
very thing. On my RHEL4 system, there is a file called
/usr/share/doc/nss_ldap-226/ldapns.schema which contains the following:
# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
DESC 'Auxiliary object class for adding authorizedService attribute'
SUP top
AUXILIARY
MAY authorizedService )
objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
DESC 'Auxiliary object class for adding host attribute'
SUP top
AUXILIARY
MAY host )
It's already a standard in the sense that it already has an official
IANA OID assigned to the hostObject objectclass. It's been included
with nss/pam ldap for years.
18 years, 8 months
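Added example (not code from Rich's post or from PADL's nss_ldap/pam_ldap): a small Python check that shows how the auxiliary hostObject class and its multi-valued `host` attribute are evaluated for host-based login restriction. It parses one LDIF entry and applies the rule pam_ldap uses when pam_check_host_attr is enabled: the account's `host` values must contain the local hostname or the literal `*`, and an entry with no `host` value is denied. The entry, host names and DNs below are constructed samples.

```python
"""Host-based login restriction using the hostObject/host attribute from ldapns.schema.

Added example, not part of the thread or of nss_ldap/pam_ldap. The LDIF entry is a
constructed sample; the host names are not real systems.
"""
import socket
from typing import Dict, List

SAMPLE_ENTRY = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: hostObject
uid: alice
host: bastion.example.com
host: build01.example.com
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute_name_lowercase: [values]}.

    Folded lines (continuations starting with one space) are joined; comments and
    blank lines are skipped. Base64 (`::`) values are not needed for this check."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def authorized_hosts(entry: Dict[str, List[str]]) -> List[str]:
    """Return the entry's host values, lowercased (host is matched case-insensitively)."""
    return sorted(v.lower() for v in entry.get("host", []))


def host_allowed(entry: Dict[str, List[str]], hostname: str) -> bool:
    """Decide whether the account may log in on `hostname`.

    Fails closed: an entry without any host value is denied, which is what pam_ldap
    does when pam_check_host_attr is set. The literal `*` grants every host."""
    hosts = authorized_hosts(entry)
    if not hosts:
        return False
    return "*" in hosts or hostname.lower() in hosts


def check_local_login(ldif_text: str) -> bool:
    """Convenience wrapper: evaluate the entry against this machine's own name."""
    return host_allowed(parse_ldif_entry(ldif_text), socket.getfqdn())


if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_ENTRY)
    for h in ("bastion.example.com", "db.example.com"):
        print(h, "allowed" if host_allowed(e, h) else "denied")
```

The same logic is what an auditor would run over an LDIF export to list which accounts can reach which hosts; the fail-closed default matters, because an account that lacks the hostObject class silently loses access on every host once pam_check_host_attr is turned on.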
Re: [Fedora-directory-users] MS Exchange/FDS
by Luke Howard
Exchange uses a proprietary RPC protocol to perform directory
lookups against Active Directory. So this just ain't going to
work...
-- Luke
>From: Igor <logastellus(a)yahoo.com>
>Subject: Re: [Fedora-directory-users] MS Exchange/FDS
>To: "General discussion list for the Fedora Directory server project." <fedora-directory-users(a)redhat.com>
>Date: Fri, 26 Aug 2005 06:43:10 -0700 (PDT)
>
>
>
>--- David Boreham <david_list(a)boreham.org> wrote:
>
>> Pascal Jakobi wrote:
>>
>> > Hi there,
>> >
>> > I am facing a strange enquiry : someone wants to interface directly
>> > his Microsoft Exchange box to an LDAP Directory (without using Active
>> > Directory any more).
>>
>> I don't think there's even a remote chance of this working.
>
>yea.. What I have working is linux T-bird/Evolution authenticating against MS Exchange +
>Address book thru the AD LDAP interface. AD is (supposedly) LDAP compliant although MS
>made certain "enhancements" that borked the protocol for lots of apps.
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam? Yahoo! Mail has the best spam protection around
>http://mail.yahoo.com
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
18 years, 8 months
Re: [Fedora-directory-users] Wishlist
by Steve Bonneville
Jeff Clowser wrote:
> Basically, part of the thread devolved to the idea of creating a single
> user entry that has objectclasses: inetorgperson, account,
> posixaccount, shadowaccount, etc. If I understand the response (see
> below), this violates ldap standards because you are mixing in
> structural objectclasses and that is not allowed(?)
>
> This is all I could find that came close - rfc2251 seems to say servers
> may disallow changing structural objectclasses on an entry (to prevent
> changing a user to a country, for example). RFC 2252 actually seems to
> specifically say you _can_ mix structural objectclasses in one entry.
Well, sort of. What X.501 says and the LDAP RFCs follow is that an entry
is characterized by exactly one *chain* of structural object classes that
has exactly one structural object class as the most subordinate object
class in the chain. You then can add zero or more auxiliary object
classes to add more attributes. So an entry structured as
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
is legal. The most subordinate structural object class is inetOrgPerson,
which the schema says is a subclass of organizationalPerson, which is a
subclass of person, which is a subclass of top. The posixAccount and
shadowAccount object classes are auxiliary, so no problem including those.
Now, we can't add account as an object class of this entry, because it is
a structural object class that is not part of the structural object class
chain connecting inetOrgPerson to top, so we'd end up with two structural
object class chains -- that's illegal.
By using inetOrgPerson, you also have to include all of its superclasses.
So you can't have inetOrgPerson without organizationalPerson, for example.
If you can extend the schema, you can always derive a new structural
class from an existing one. The parent structural class still appears
as an objectclass attribute of an entry since it is part of the superclass
chain of the structural object class of the entry. Look at evolutionPerson
(in /usr/share/evolution-data-server-1.0/evolutionperson.schema on RHEL4)
for an example. It's derived from inetOrgPerson and therefore gets all its
attributes and the attributes of inetOrgPerson's superclasses.
-- Steve Bonneville
18 years, 8 months
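Added example, not code from Steve's reply or from any directory server: a Python checker that encodes the X.501 rule he describes. An entry carries exactly one chain of structural classes (a single most-subordinate structural class together with all of its superclasses up to top) plus any number of auxiliary classes. The schema table is a constructed subset of the standard inetOrgPerson and RFC 2307 definitions, assumed here rather than read from a server; `account` is modelled as structural, which is why it cannot be combined with inetOrgPerson.

```python
"""Structural vs auxiliary object class check for an LDAP entry.

Added example, not the thread's or a directory server's own schema validation.
SCHEMA is a constructed subset: object class name -> (kind, superior class).
"""
from typing import Dict, Iterable, List, Optional, Tuple

SCHEMA: Dict[str, Tuple[str, Optional[str]]] = {
    "top": ("abstract", None),
    "person": ("structural", "top"),
    "organizationalperson": ("structural", "person"),
    "inetorgperson": ("structural", "organizationalperson"),
    "account": ("structural", "top"),
    "posixaccount": ("auxiliary", "top"),
    "shadowaccount": ("auxiliary", "top"),
    "hostobject": ("auxiliary", "top"),
}


def superclass_chain(name: str) -> List[str]:
    """Return [name, superior, ..., top] by following SUP links in SCHEMA."""
    chain: List[str] = []
    cur: Optional[str] = name.lower()
    while cur is not None:
        if cur not in SCHEMA:
            raise KeyError(f"unknown object class: {cur}")
        chain.append(cur)
        cur = SCHEMA[cur][1]
    return chain


def check_objectclasses(objectclasses: Iterable[str]) -> List[str]:
    """Return a list of problems; an empty list means the object class set is legal."""
    problems: List[str] = []
    present = {oc.lower() for oc in objectclasses} | {"top"}  # top is always implied
    unknown = sorted(oc for oc in present if oc not in SCHEMA)
    if unknown:
        return [f"unknown object class(es): {', '.join(unknown)}"]

    structural = sorted(oc for oc in present if SCHEMA[oc][0] == "structural")
    if not structural:
        problems.append("no structural object class")
    # A structural class is the leaf of a chain when no other present structural
    # class inherits from it. More than one leaf means two chains, which is illegal.
    leaves = [s for s in structural
              if not any(s in superclass_chain(t)[1:] for t in structural if t != s)]
    if len(leaves) > 1:
        problems.append(f"multiple structural chains (leaves: {', '.join(leaves)})")
    # Every class brings its whole superclass chain with it.
    for oc in sorted(present):
        for sup in superclass_chain(oc)[1:]:
            if sup not in present:
                problems.append(f"{oc} requires missing superclass {sup}")
    return problems


if __name__ == "__main__":
    legal = ["top", "person", "organizationalPerson", "inetOrgPerson",
             "posixAccount", "shadowAccount"]
    print("legal entry:", check_objectclasses(legal) or "ok")
    print("with account:", check_objectclasses(legal + ["account"]))
    print("missing organizationalPerson:",
          check_objectclasses(["top", "inetOrgPerson", "posixAccount"]))
```

Running the checker on the three cases from the reply reproduces its verdicts: the inetOrgPerson plus posixAccount and shadowAccount entry passes, adding account is reported as a second structural chain, and dropping organizationalPerson is reported as a missing superclass.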
[Fedora-directory-users] DNS backended in LDAP
by Jeff Clowser
I'm looking at options for back-ending DNS data in LDAP/FDS. Looking
for free/open source options, and what I've found so far are:
ldapdns
dns server integrated against ldap
http://www.nimh.org/code/ldapdns/ (version 2)
http://ldapdns.sourceforge.net/ (version 3)
Sounds good, but I'm not sure if it's under active development.
bind-sdb
bind plugin to use ldap for backend data
http://www.venaas.no/ldap/bind-sdb/
Cons are that you still have to edit a text file to add new zones -
not ideal for a provider that may be adding zones a lot.
bind-dlz
another plugin for bind
http://bind-dlz.sourceforge.net
Seems pretty flexible, looks like it will pick up new zones created in LDAP, etc.
Doesn't seem to be tied to any one schema, but their docs suggest a
custom schema/tree structure for storing DNS info.
So far, I'm thinking bind-dlz is the leading choice.
Was wondering if anyone has played much with these or other solutions,
if they have any opinions or experience to share, other solutions
they've found, etc.
- Jeff
18 years, 8 months
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS - HOWTO written
by Tay, Gary
Rich, this is the link from my home page, this way I could continue to
update it.
http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP
%20Client%20for%20Fedora%20Directory%20Server.htm
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich
Megginson
Sent: Friday, August 26, 2005 10:27 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting solaris 8 to talk to FDS -
HOWTO written
Thanks Gary! Which is the correct version, the zip file or the html
file? Also, do you already have this document on a web site somewhere
that we can link to, or should I copy this document to the wiki?
Tay, Gary wrote:
>Pls find attached a HOW-TO.
>
>Gary
>
>
>
18 years, 8 months
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS - HOWTO written
by Tay, Gary
Pls find attached a HOW-TO.
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Friday, August 26, 2005 5:46 AM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
--- "Tay, Gary" <Gary_Tay(a)platts.com> wrote:
> Please re-install with your choice of baseDN, be it
> dc=composers,dc=foo,dc=com or dc=foo,dc=com.
I reinstalled it -- it works a lot better now!
bash-2.03# ldaplist -l
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
bash-2.03# id testdba
uid=10001(testdba) gid=7000
bash-2.03# ldaplist -l passwd testdba
dn: uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName: oracle
sn: user
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 7000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: testdba
cn: oracle user
homeDirectory: /home/testdba
bash-2.03# getent passwd testdba
testdba::10001:7000::/home/testdba:/bin/bash
I don't know why ldaplist doesn't work. Could it be because I didn't
setup pam.conf yet? Is it important to have ldaplist working? I did add
the aci, didn't do anything.
18 years, 8 months
[Fedora-directory-users] MS Exchange/FDS
by Pascal Jakobi
Hi there,
I am facing a strange enquiry: someone wants to interface directly his
Microsoft Exchange box to an LDAP Directory (without using Active
Directory any more).
To be workable, this would imply that MS Exchange just uses the LDAP
standard PDUs/calls to access AD ...
Is this the case? Did anyone on this list do something like that?
Taking any advice....
Thanks in adv.
Pascal
PS. I am conscious of the winsync capabilities, but this is not what I
need here : no sync, replacement....
18 years, 8 months
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
by Tay, Gary
"ldapclient" result indicates that your "domainname" does not tally with the "nisDomain" object in the rootDN entry, it is kind of messy, here and there.
Please re-install with your choice of baseDN, be it dc=composers,dc=foo,dc=com or dc=foo,dc=com.
If you change /etc/defaultdomain, to take immediate effect you may run
# domainname `cat /etc/defaultdomain`
otherwise "ldapclient ..." will do it for you as part of the result.
Use the ACLs I mentioned in my previous posting and amend them to suit your need, those ACLs are taken from the SUN ONE DS default install (I think they are there after running the "idsconfig" command tool, I wish FDS developers would develop an equivalent "fdsconfig" meant for Solaris Native LDAP Client)
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com on behalf of Igor
Sent: Thu 8/25/2005 11:34 PM
To: General discussion list for the Fedora Directory server project.
Cc:
Subject: RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
This is gonna be loooong... I just want to thank you guys again for wading thru this
crap...
--- "Tay, Gary" <Gary_Tay(a)platts.com> wrote:
> ===
> Do you still think I need to change my defaultSearchDN? Also, must those ACLs be added
> still? Because it looks like you're doing a manual config, right?
> ===
> Yes I think you should set baseDN (defaultSearchBase) to dc=composers,dc=foo,dc=com,
> NOT dc=foo,dc=com, it should correspond LDAP domain (nisdomain) name, i.e.
> composers.foo.com, which you set in the rootDN entry nisDomainObject.
well, instead, I got rid of composers altogether.
> Yes set the ACLs to allow proxyAgent to read LDAP DIT.
I have this:
(targetattr = "*") (version 3.0;acl "Allow proxyAgent read access";allow
(read,compare)(userdn = "ldap:///uid=proxyAgent,ou=profile,dc=foo,dc=com");)
> Please re-install FDS7.1 using baseDN=dc=composers,dc=foo,dc=com, and create ldif file
well, I got rid of composers for now. If you say I've to reinstall I will but that'll
probably be my last resort, though.
> Step by step
> # ldapclient -l
bash-2.03# ldapclient -l
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyAgent,ou=profile,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 149.85.70.17
NS_LDAP_SEARCH_BASEDN= dc=foo,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=foo,dc=com?one
> # /usr/lib/ldap/ldap_cachemgr -g
> Does it say LDAP cache manager is UP and running?
bash-2.03# /usr/lib/ldap/ldap_cachemgr -g
cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 15
cachemgr cache data statistics:
Configuration refresh information:
Configured to NO REFRESH.
Server information:
Previous refresh time: 2005/08/25 11:11:57
Next refresh time: 2005/08/25 11:21:57
server: 149.85.70.17, status: UP
Cache data information:
Maximum cache entries: 256
Number of cache entries: 0
> # cat /var/ldap/cachemgr.log
> Any critical error?
bash-2.03# cat /var/ldap/cachemgr.log
Thu Aug 25 11:11:56.9844 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Thu Aug 25 11:11:57.0843 sig_ok_to_exit(): parent exiting...
bash-2.03# ps -ef | grep ldap
root 2553 1 0 11:11:56 ? 0:00 /usr/lib/ldap/ldap_cachemgr
So, doesn't look like any errors...
______________________
Also: On the FDS server:
[root@cnyitlin02 slapd-cnyitlin02]# ldapsearch -x | grep compose
defaultServerList: cnyitlin02.composers.foo.com
[root@cnyitlin02 slapd-cnyitlin02]#
That's it, nothing else. However, when I rerun ldapclient -i, I get this:
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "composers.foo.com"
^^^^^^^^^^^^^
file_backup: stat(/var/yp/binding/composers.foo.com)=-1
file_backup: No /var/yp/binding/composers.foo.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=0
file_backup: (/var/ldap/ldap_client_file -> /var/ldap/restore/ldap_client_file)
file_backup: (/var/ldap/ldap_client_cred -> /var/ldap/restore/ldap_client_cred)
Starting network services
start: /usr/bin/domainname foo.com... success
start: /usr/lib/ldap/ldap_cachemgr... success
start: /etc/init.d/autofs start... success
start: /etc/init.d/nscd start... success
start: /etc/init.d/sendmail start... success
System successfully configured
Where does it get composers from???
It also resets /etc/defaultdomain to composers even though i manually change it to
foo.com
> # ldaplist -l passwd testdba", it should display something like:
Nope.
bash-2.03# ldaplist -l passwd testdba
ldaplist: Object not found
bash-2.03# ldaplist -l passwd
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
bash-2.03#
18 years, 8 months
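Added example, not part of the thread and not a Solaris tool: a Python consistency check that applies Gary's diagnosis to an `ldapclient -l` profile. The client's NIS domain (what `domainname` reports and what nisDomain on the root entry holds) should correspond to the search base in DN form, and every service search descriptor should sit under that base. The profile text is a constructed sample modelled on Igor's output, with the bind password replaced by a placeholder and a documentation-range server address; run against the domain composers.foo.com it flags the same mismatch Gary points out.

```python
"""Consistency check for a Solaris Native LDAP client profile (`ldapclient -l` output).

Added example, not part of the thread or of Solaris. SAMPLE_PROFILE is a constructed
sample; the bind password and server address are placeholders.
"""
from typing import Dict, List

SAMPLE_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyAgent,ou=profile,dc=foo,dc=com
NS_LDAP_BINDPASSWD= {NS1}PLACEHOLDER
NS_LDAP_SERVERS= 192.0.2.10
NS_LDAP_SEARCH_BASEDN= dc=foo,dc=com
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=foo,dc=com?one
"""


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Parse `KEY= value` lines; repeated keys (service search descriptors) accumulate."""
    prof: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        prof.setdefault(key.strip(), []).append(value.strip())
    return prof


def domain_to_dn(domain: str) -> str:
    """composers.foo.com -> dc=composers,dc=foo,dc=com"""
    labels = domain.strip().strip(".").split(".")
    return ",".join("dc=" + label for label in labels)


def norm_dn(dn: str) -> str:
    """Lowercase and drop whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, base: str) -> bool:
    """True when dn equals base or is subordinate to it."""
    d, b = norm_dn(dn), norm_dn(base)
    return d == b or d.endswith("," + b)


def check_profile(text: str, nis_domain: str) -> List[str]:
    """Return problems found when comparing the profile with the client's NIS domain."""
    prof = parse_profile(text)
    problems: List[str] = []
    expected = domain_to_dn(nis_domain)
    bases = prof.get("NS_LDAP_SEARCH_BASEDN", [])
    if not bases:
        problems.append("no NS_LDAP_SEARCH_BASEDN in profile")
    for base in bases:
        if norm_dn(base) != norm_dn(expected):
            problems.append(f"search base {base} does not match nisDomain {nis_domain} "
                            f"(expected {expected})")
        for desc in prof.get("NS_LDAP_SERVICE_SEARCH_DESC", []):
            service, _, spec = desc.partition(":")
            dn = spec.strip().split("?")[0]  # strip the ?scope suffix
            if not dn_under(dn, base):
                problems.append(f"{service.strip()} search descriptor {dn} is outside "
                                f"search base {base}")
    level = prof.get("NS_LDAP_CREDENTIAL_LEVEL", [""])[0]
    if level == "proxy" and not prof.get("NS_LDAP_BINDDN"):
        problems.append("credential level is proxy but NS_LDAP_BINDDN is missing")
    return problems


if __name__ == "__main__":
    for domain in ("composers.foo.com", "foo.com"):
        print(domain, "->", check_profile(SAMPLE_PROFILE, domain) or "consistent")
```

The check only covers the relationship between domain, search base and search descriptors; the separate "Insufficient access" error in the same thread is an ACI question on the server and is not something a client-side profile check can answer.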
[Fedora-directory-users] Samba + FDS
by James van Zeeland
Scratching my head on samba integration.
I can login Posix users OK, i.e. go to directory console create a user,
enable posix attributes, set UID and GID, create a home directory and
the user can login.
Have followed the howto linked to from docs page.
Attempting to login with samba from an XP workstation. It is not a
domain member.
On accessing \\ldapserver, I am prompted for a login.
I provide the same user as works for linux, and password
I can then browse the available shares, but attempting to enter one
produces another login prompt.
No user/pass combination provides access, and once one cancels the
login, further attempts to enter a share return "you may not have
permission to use this network resource"
Probably a newbie question, or something I've done wrong....what should
I look for?
J
18 years, 8 months