[Fedora-directory-users] ldap scheme/site survey troubles
by Bikerepairman
Hi,
I'm new at ldap/directory services, and I'd like to get some advice setting
up a directory server.
While reading the docs, some things are clear while other things are not that
clear. I'm at the stage of survey/scheme drawing now.
The directory server will be used for authenticating and assigning
rights/quota for about 70 users.
This is for a hobby network and we're migrating the servers from windows to
linux. I myself use linux for 1 ½ year now.
What I got so far is the following:
2 domains (one primary, one for experimenting)
3 servers (file, gateway/proxy and web; can be expanded to 9)
4 user groups (users, companies, power-users and administrators)
8 services (pop mail, imap mail, sendmail/postfix, website/homepages, ftp,
samba and nfs, dns)
The organisation (non-profit) is called dins. And we live in the
Netherlands. Our top-level name should be o=dins, c=nl. After this I begin
to run in circles. I think I fail to see something.
Who is willing to help me get the scheme right and/or discuss it over
the mail?
18 years, 3 months
RE: [Fedora-directory-users] Question on password changes
by Bliss, Aaron
Thanks for getting back to me so quickly; I've seen the error messages
that you referenced below; I can then assume my only alternative is
to set up a multimaster environment? Thanks.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 24, 2006 10:35 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Question on password changes
Bliss, Aaron wrote:
>I have a quick question on password changes; my current setup is the
>following: I have 2 directory servers, single master environment
>(supplier and consumer); I understand that all changes to the directory
>have to be made by the supplier and are then replicated to the
>consumer; when a client server binds to the consumer and a user
>attempts to change their password, they receive an unknown error
>response from the server, and changes are not made; simply configuring
>the client's ldap.conf file to bind first with the supplier resolved
>this issue, however I was wondering if it's possible to configure the
>consumer in such a way that he will refer the update to take place on
>the supplier instead of rejecting the change to the database?
>
Yes, that's what should be happening. When you send the modify password
request to the consumer, it should send back a referral to the supplier.
You can see this in the access log - a MOD request followed by a
response with err=10 (referral). If however the client is using the
password modify extended operation, I don't think that is referred to
the supplier. In this case, you will see EXT as the operation type in
the access log for the request.
>I would have thought that the
>consumer would simply refer changes automatically to the supplier, but
>that doesn't seem to be the case. Any thoughts?
>
Check the access logs, as above.
>I do know that I can
>configure both servers to be masters, but I was hoping to avoid this
>(I've read through some of the directory server documentation citing
>errors and so forth in a multi-master environment) Thanks.
>
>
http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
However, I don't think we chain the password change extended operation.
>Aaron
>
>www.preferredcare.org
>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>Power and Associates
>
>Confidentiality Notice:
>The information contained in this electronic message is intended for
>the exclusive use of the individual or entity named above and may
>contain privileged or confidential information. If the reader of this
>message is not the intended recipient or the employee or agent
>responsible to deliver it to the intended recipient, you are hereby
>notified that dissemination, distribution or copying of this information
>is prohibited. If you have received this communication in error, please
>notify the sender immediately by telephone and destroy the copies you
>received.
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
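Richard's advice is to check the access log for a MOD followed by err=10 (referral) versus an EXT password-modify request that is simply rejected. The following added example (my code, not from the list or the project) pairs each request with its RESULT line by conn/op and labels what the client actually experienced; the log lines are constructed in the Fedora DS access-log format, and the OID is the standard RFC 3062 password modify extended operation.

```python
import re

# Constructed sample lines in the Fedora DS access-log format (not from the post):
# conn=12 does a plain MOD on a consumer and gets a referral (err=10);
# conn=13 uses the password modify extended op and is rejected (err=1);
# conn=14 is a MOD that succeeded (err=0), e.g. sent to the supplier.
SAMPLE_LOG = """\
[24/Jan/2006:10:35:12 -0500] conn=12 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[24/Jan/2006:10:35:12 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Jan/2006:10:35:12 -0500] conn=12 op=1 MOD dn="uid=jsmith,ou=People,dc=example,dc=com"
[24/Jan/2006:10:35:12 -0500] conn=12 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:10:35:13 -0500] conn=13 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[24/Jan/2006:10:35:13 -0500] conn=13 op=1 RESULT err=1 tag=120 nentries=0 etime=0
[24/Jan/2006:10:35:14 -0500] conn=14 op=1 MOD dn="uid=bob,ou=People,dc=example,dc=com"
[24/Jan/2006:10:35:14 -0500] conn=14 op=1 RESULT err=0 tag=103 nentries=0 etime=0
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 password modify extended op

# Only MOD and EXT requests matter here; \b keeps MODRDN from matching as MOD.
REQ_RE = re.compile(r'conn=(\d+) op=(\d+) (MOD|EXT)\b(.*)')
RES_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def classify_password_ops(log_text):
    """Pair each MOD/EXT request with its RESULT by (conn, op) and say
    whether the consumer referred it, rejected it, or processed it."""
    pending = {}
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            conn, op, kind, rest = m.groups()
            pending[(conn, op)] = (kind, rest)
            continue
        m = RES_RE.search(line)
        if not m or (m.group(1), m.group(2)) not in pending:
            continue  # RESULT for a BIND/SRCH or an unknown request
        conn, op, err = m.group(1), m.group(2), int(m.group(3))
        kind, rest = pending.pop((conn, op))
        if kind == "MOD" and err == 10:
            verdict = "referred"  # consumer handed the client a referral to the supplier
        elif kind == "EXT" and PASSWD_MODIFY_OID in rest:
            verdict = "extop-ok" if err == 0 else "extop-rejected"  # extop is not referred
        else:
            verdict = "ok" if err == 0 else "error"
        findings.append((conn, op, kind, err, verdict))
    return findings


if __name__ == "__main__":
    for conn, op, kind, err, verdict in classify_password_ops(SAMPLE_LOG):
        print(f"conn={conn} op={op} {kind} err={err} -> {verdict}")
```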
18 years, 3 months
[Fedora-directory-users] Question on password changes
by Bliss, Aaron
I have a quick question on password changes; my current setup is the
following: I have 2 directory servers, single master environment
(supplier and consumer); I understand that all changes to the directory
have to be made by the supplier and are then replicated to the consumer;
when a client server binds to the consumer and a user attempts to change
their password, they receive an unknown error response from the server,
and changes are not made; simply configuring the client's ldap.conf file
to bind first with the supplier resolved this issue, however I was
wondering if it's possible to configure the consumer in such a way that
he will refer the update to take place on the supplier instead of
rejecting the change to the database? I would have thought that the
consumer would simply refer changes automatically to the supplier, but
that doesn't seem to be the case. Any thoughts? I do know that I can
configure both servers to be masters, but I was hoping to avoid this
(I've read through some of the directory server documentation citing errors
and so forth in a multi-master environment) Thanks.
Aaron
18 years, 3 months
[Fedora-directory-users] Installation error on RHEL 4 using a Dynamic DNS
by Julian Yap
Hi,
I'm trying to install FDS on a RHEL test machine. I have a dynamic
domain name for this machine (from dyndns.org).
I'm getting this error at the end of the installation:
[slapd-test]: [23/Jan/2006:16:21:46 -1000] - slapd started. Listening
on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd ERROR: Ldap authentication failed for url
ldap://test.homelinux.com:389/o=NetscapeRoot user id admin (151:Unknown
error.)
Fatal Slapd Did not add Directory Server information to Configuration
Server.
Configuring Administration Server...
----
Any clues here?
In this case, my dynamic domain name is test.homelinux.com. I think I
may have set up the hostname wrong? Or have I done something wrong in
the FDS setup?
Thanks,
Julian
18 years, 3 months
[Fedora-directory-users] Couple of questions on ldapsearch queries
by Bliss, Aaron
I'm sure that you guys will know how to run these queries against my
directory servers (pardon the newbie questions), but can you tell me how
to:
1. Check last time passwords were changed (similar functionality to
chage)
2. Check when passwords are due to expire (similar functionality to
chage)
3. Return list of users who have access to a specific server (I'm using
the host attribute in order to restrict access to servers) i.e. show
list of users who have access to serverA
Thanks very much for your help.
Aaron
18 years, 3 months
[Fedora-directory-users] Samba PDC using FDS backend
by Brian Rudy
Hi Folks,
I had a crack at setting up a Samba PDC using a fresh installation of
FDS 1.0.1 as the backend on one of our RHEL 3 servers per the Wiki
Howto:Samba but ran into a few issues.
In the section 'Populating FDS with PDC Entry', it instructs the user to
run 'net getlocalsid'. This results in the following:
[root@mybox logs]# net getlocalsid
[2006/01/03 14:32:58, 0] lib/smbldap.c:smbldap_search_domain_info(1392)
Adding domain info for CMOMA failed with NT_STATUS_UNSUCCESSFUL
SID for domain mybox is: S-1-5-21-4207250186-2406131440-3849861866
Thinking that I might just have a Samba configuration problem, I
continued by attempting to add the following ldif:
dn: sambaDomainName=CMOMA,dc=cmoma,dc=mycompany,dc=com
objectclass: sambaDomain
objectclass: sambaUnixIDPool
objectclass: top
sambaDomainName: CMOMA
sambaSID: S-1-5-21-4207250186-2406131440-3849861866
uidNumber: 550
gidNumber: 550
which resulted in the following error:
adding new entry sambaDomainName=CMOMA,dc=cmoma,dc=mycompany,dc=com
ldap_add: Object class violation
ldap_add: additional info: unknown object class "sambaUnixIDPool"
I double-checked
/opt/fedora-ds/slapd-<server>/config/schema/61samba.ldif created in the
initial setup steps and was unable to find a sambaUnixIDPool
objectclass, but did see a sambaUnixIdPool. However, after I edited
/tmp/sambaDomainName.ldif to reflect this objectclass name, ldif2ldap
still complains about an 'unknown object class'.
Any idea of what might be happening here?
18 years, 3 months
[Fedora-directory-users] Grabbing unix crypt of password
by Daniel Shackelford
Hello,
We have scripts that are currently looking at our Win2003 and grabbing
the user passwords via SFU. This is in a Unix crypt format, and it is
then stuffed into the local passwd file and httpauth file on our HPUX
server. We are attempting to move to FDS and it would be super nice if
we could just change a few lines of our current scripts to get the
password crypts from there instead.
Are my hopes too high?
--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648
"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many"
Mark 10:45
18 years, 3 months
[Fedora-directory-users] Re: enforce strong passwords
by Jo De Troy
Hi Nathan,
Yep, this would meet my requirements.
As an aside: would it be in scope of this project to have a web interface to
allow the users to change their passwords,
if the end users don't have a valid shell on a Unix box and they need to
change their password?
Would the ldap server give back meaningful errors as to why a password
change was rejected?
Maybe a stupid question: will changing the password via ldappasswd enforce
all the policies set? (e.g. password history, lockout, expiration)
If ldappasswd does this (and I guess it does), a web interface would
basically be a frontend to ldappasswd.
Greetings,
Jo
18 years, 3 months
Re: [Fedora-directory-users] Admin Server or Console problem
by Little Dragon
Hi Richard,
I reinstalled with custom install.
> can you telnet hostname 1500?
Yes I can. (Port changed to 51321)
The result:
[root@vpclinux fedora-ds]# telnet vpclinux 51321
Trying xxx.xxx.xxx.xxx...
Connected to vpclinux.emea.tcs.com (xxx.xxx.xxx.xxx).
Escape character is '^]'.
*************************************
> can you use your web browser to connect to http://hostname:1500/?
Yes I can. I can see the pages: check admin-server info and
log, ldap server info and log.
As you can see from the hostname, this linux (Fedora Core 4)
runs on a virtual PC (Microsoft Virtual PC 2004); I just
wanted to try the directory server.
Any other idea, things to check?
Are there any debug level options on the admin-server and/or
console side?
TIA,
Laszlo
Little Dragon wrote:
> Hi,
>
> I have installed fedora-ds-1.0.1-1.FC4.i386.opt.rpm
> and SUN java: j2re-1_4_2_10-linux-i586.rpm
> Then set the JAVA_HOME env. Variable.
>
> After the Typical install the ldapsearch works (I get
> results).
> (ldapsearch -x -h localhost -p 389 -b "o=NetscapeRoot")
>
> But I can not start the console.
> startconsole -u admin -a http://vpclinux:1500
>
> I always get the error: Cannot connect to the Admin Server
> "http://hostname:1500"
> The URL is not correct or the server is not running.
>
>
can you
telnet hostname 1500
?
can you use your web browser to connect to
http://hostname:1500/
?
> I can see the ns-slapd and httpd.worker processes running
> (one ns-slapd and 3 httpd.worker processes are running)
>
> I read all the docs on the web and the FAQ at redhat
> (Troubleshooting)
> Troubleshooting can not help: - there is no
> "admin-serv/config/jvm12.conf", (I created it but
> no effect)
> - there is no "<server-root>/bin/https/bin/start-jvm" file
> so I can not edit
>
> After 3 days I am out of ideas.
> Could anybody help?
>
> TIA,
> Laszlo
18 years, 3 months
[Fedora-directory-users] NT Password Hash Storage
by Roger Spencer
I'm working on getting wireless network clients to do authentication via
radius plugged into Fedora DS. Windows will do PEAP for authentication,
which encrypts the mschapv2 password check. FreeRadius supports this
and all works well, except...
For Radius to do mschapv2, using Fedora DS, the NT hash of the password
must be in the directory. It cannot use the regular user's password.
I used a perl script to hash a password and put it in a user's entry,
using ntusercomment (for lack of finding a better field), told
FreeRadius that ntusercomment is the NT-Password field it's looking for,
and I was able to successfully authenticate from a Windows box over the
wireless card using WAP. Obviously this is not a good long term solution.
1) Does anyone know of a better way to store NT password hashes in the
directory?
2) Is there a way to update the hash when the user changes their
password? Maybe have DS call a perl script when a password change occurs?
3) Is there a better way of doing this?
Thank you,
18 years, 3 months