[Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2? (Richard Megginson)
by Philip Kime
> I know some people have reported success - perhaps they will chime in.
I tried an upgrade to 1.0.4 but it didn't change anything - still can't
have subtree/user policies enforced when I use ldappasswd. Now, this
shouldn't be an ACI issue on the policy objects, correct? Since the
policy is enforced internally, it should make no difference what
permissions the bind DN has for the policy objects? I am assuming that
this is right since it makes no difference even if I bind with DM. I'm
clutching at straws now - a library issue somewhere? I just can't see
why a global policy would work but nothing more local - the obvious
reason would be that the nspasswdlocalpolicy attribute is not set in
cn=config, but it is ...
> Because I don't have a FC4 x86_64 machine to build FDS on.
Sorry, I was being stupid, I meant RHEL4, which is certainly there.
PK
17 years, 5 months
[Fedora-directory-users] Nodes separated by Firewalls
by Nathaniel Hall
List,
We currently have two master nodes and one read-only node. They are protected from the Internet by
two firewalls. I would like to see about placing another read-only node in another location that is
protected by a third firewall. Shown below:
Master 1 --\    |          |            |          |            |          |
Master 2 -------|Firewall 1|------------|Firewall 2|--Internet--|Firewall 3|------Slave 2
Slave 1 ---/    |          |            |          |            |          |
Master 1, Master 2, and Slave 1 have private IPs that are NATed before going to the Internet.
Slave 2 has a public IP address. I need to know if this is possible without giving either master or
Slave 1 a public IP address. Of course this will be over SSL, so that will help. Would Fedora
Directory Server connect to Slave 2 or does Slave 2 have to connect to one of the Masters?
--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
17 years, 5 months
[Fedora-directory-users] PassSync on multi domain controller
by Jean-Baptiste CHARPENTIER
Hi,
I have installed PassSync on one domain controller, and the password is synced only
when I change the password with Active Directory Browser, but not when users
change their password. Any idea? (In the PassSync log it looks like it does see the
event of the user password change.)
I installed PassSync.msi (1777Ko) in June and I see a new version,
PassSync-1.msi (1844Ko), on the Fedora Directory website.
What has changed in this new version? Does it solve my problem?
Thanks for your help.
Jean-Baptiste CHARPENTIER
17 years, 5 months
[Fedora-directory-users] Subtree/user pw policy on 1.0.2?
by Philip Kime
I'm thinking of upgrading to 1.0.4 to see if that fixes the problem I'm
seeing with not being able to get subtree/user password policies working
(I notice there was a PWP ACI related bug fixed in 1.0.3). But first,
does anyone have subtree/user password policies working in 1.0.2?
Also, is there a reason why there are no RPMs on the website for
Fedora Core 4 x86_64?
PK
17 years, 5 months
[Fedora-directory-users] Replica has no update vector.
by Glenn
I'm still trying to get Windows Sync to work in my Red Hat DS 7.1SP3
evaluation. I have configured multi-master replication, because I want any
changes made on either system to be replicated to the other system. As soon
as I create the new Windows Sync Agreement, the DS error log begins to
record this error message every few seconds:
NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (AD-servername:636): Replica has no update vector. It has never been initialized.
So I figure, fine, I'll just initialize it, and I right-click the sync
agreement in the DS console and click "Initiate Full Re-syncronization",
because that's the only thing on the menu that resembles what the manual
says should be there.
Then the log reports:
NSMMReplicationPlugin - Beginning total update of replica "agmt=cn=ldap-ad-5" (AD-servername:636)".
After this, the log continues to fill with the "no update vector" messages.
There is no further mention of the initialization in the log, but the
Replication Status window reports a "Last consumer init. update" message:
Total update aborted LDAP error: Operations error. Error Code: 1
The status window also says the last consumer initialization ended 16
seconds after it began.
I have tried redoing the sync agreement several times, and restarted the
admin and ds servers and rebooted the machine. What else can I do?
Thanks. -Glenn.
17 years, 5 months
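The two messages Glenn quotes are the ones worth watching for in the DS error log: "Replica has no update vector" means the consumer side of the agreement has no replica update vector (RUV), which it only acquires once a supplier completes a total update, and "Beginning total update of replica" marks the start of such an initialization. The Python below is an added example, not part of the post and not RHDS/389 code: it parses NSMMReplicationPlugin lines into agreement name, host, port and event kind, then flags an agreement that keeps reporting no RUV after a total update was started (exactly the situation described above). The bracketed timestamp prefix and the second agreement "cn=ds-peer" are assumptions used to build the constructed sample log; the message texts are the ones quoted in the post.

```python
import re
from collections import OrderedDict

# Constructed sample log. Timestamps and the second agreement are made up;
# the message texts are the ones quoted in the post.
SAMPLE_LOG = """\
[21/Jul/2006:09:00:01 -0500] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (AD-servername:636): Replica has no update vector. It has never been initialized.
[21/Jul/2006:09:00:04 -0500] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (AD-servername:636): Replica has no update vector. It has never been initialized.
[21/Jul/2006:09:00:30 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt=cn=ldap-ad-5" (AD-servername:636)".
[21/Jul/2006:09:00:49 -0500] NSMMReplicationPlugin - agmt="cn=ldap-ad-5" (AD-servername:636): Replica has no update vector. It has never been initialized.
[21/Jul/2006:09:01:00 -0500] NSMMReplicationPlugin - agmt="cn=ds-peer" (ds2.example.test:636): Replica has no update vector. It has never been initialized.
"""

# [timestamp] PluginName - message   (timestamp layout is an assumption)
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<plugin>\S+)\s+-\s+(?P<msg>.*)$')
# agmt="cn=..." (host:port)  or  "agmt=cn=..." (host:port), both shapes seen in the post
AGMT_RE = re.compile(r'agmt="?(?P<agmt>cn=[^"\s]+)"?\s*\((?P<host>[^:)\s]+):(?P<port>\d+)\)')

EVENTS = (
    ("uninitialized", "Replica has no update vector"),
    ("init_started", "Beginning total update of replica"),
)


def classify(msg):
    """Map a message to one of the event kinds above, or 'other'."""
    for kind, needle in EVENTS:
        if needle in msg:
            return kind
    return "other"


def parse_line(line):
    """Return a dict for a replication-plugin line that names an agreement, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("plugin") != "NSMMReplicationPlugin":
        return None
    a = AGMT_RE.search(m.group("msg"))
    if not a:
        return None
    return {"ts": m.group("ts"), "agmt": a.group("agmt"), "host": a.group("host"),
            "port": int(a.group("port")), "event": classify(m.group("msg")),
            "msg": m.group("msg")}


def summarize(text):
    """Per-agreement counters; 'uninitialized_after_init' resets each time a total update starts."""
    summary = OrderedDict()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = summary.setdefault(ev["agmt"], {
            "host": ev["host"], "port": ev["port"], "uninitialized": 0,
            "init_started": 0, "uninitialized_after_init": 0, "last_event": None})
        if ev["event"] == "init_started":
            s["init_started"] += 1
            s["uninitialized_after_init"] = 0
        elif ev["event"] == "uninitialized":
            s["uninitialized"] += 1
            if s["init_started"]:
                s["uninitialized_after_init"] += 1
        s["last_event"] = ev["event"]
    return summary


def diagnose(summary):
    """One verdict per agreement, suitable for a monitoring check to alert on."""
    verdicts = {}
    for agmt, s in summary.items():
        if s["uninitialized_after_init"]:
            verdicts[agmt] = "total update did not take effect; consumer still reports no RUV"
        elif s["uninitialized"]:
            verdicts[agmt] = "consumer never initialized; no total update attempted"
        else:
            verdicts[agmt] = "ok"
    return verdicts


if __name__ == "__main__":
    for agmt, verdict in diagnose(summarize(SAMPLE_LOG)).items():
        print(f"{agmt}: {verdict}")
```

Run against a real errors log the same way (`summarize(open(path).read())`); lines from other plugins and replication messages that do not name an agreement are skipped rather than misattributed.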
[Fedora-directory-users] Windows Sync - Unable to contact Active Directory
by Glenn
I'm still trying to get Windows Sync working on my Red Hat Directory Server
7.1 SP3 evaluation. I have followed all the instructions, including SSL and
certificate setup. When I try to create a synchronization agreement, I fill
out Windows Sync Server Info form and click Next, and a Warning window pops
up with the message, "Unable to contact Active Directory server, continue?"
There are two buttons, Yes and No. So far, I haven't clicked the Yes
button, because I don't think synchronization will work if the Directory
Server can't contact the Active Directory server.
I can ping the Active Directory server by its host name and by its fully
qualified domain name. What else should I be looking at? Thanks. -Glenn.
17 years, 5 months
[Fedora-directory-users] ACI Allow users create own sub entry
by nattapon viroonsri
I tried using the following ACI to allow a user to create their own subentry,
but the result shows insufficient access.
I tried both types but it still does not work; can anyone please recommend a correct ACI to do
this?
(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com")(targetattr=*)
(version 3.0; acl "Create Entry"; allow (add)
userattr = "parent[0,1].owner#USERDN";)
(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com")
(targattrfilters="add=objectClass:(objectClass=*)")
(version 3.0; acl "Create Entry"; allow (add)
(userdn= "ldap:///self") ;)
Nattapon,
Regards
17 years, 5 months
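When an ACI is rejected with insufficient access, the first thing to check is what the ACI actually says once the line breaks are removed: which target clauses it carries, which rights it grants, and to whom. The Python below is an added example, not from the post and not 389/Fedora Directory Server code: a small parser for the ACI shape used above (target clauses followed by a `(version 3.0; acl "name"; ...)` block containing one or more `allow`/`deny` rules, each with a single `keyword = "value"` bind rule). It does not cover the full ACI grammar (compound `and`/`or` bind rules, for instance); the two sample strings are the ACIs from the post, joined into one line each.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed samples: the two ACIs from the post above, each joined into one string.
ACI_OWNER = (
    '(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com")(targetattr=*)'
    '(version 3.0; acl "Create Entry"; allow (add) '
    'userattr = "parent[0,1].owner#USERDN";)'
)
ACI_SELF = (
    '(target="ldap:///uid=xfs,ou=people,dc=icesolution,dc=com")'
    '(targattrfilters="add=objectClass:(objectClass=*)")'
    '(version 3.0; acl "Create Entry"; allow (add) (userdn= "ldap:///self") ;)'
)


@dataclass
class BindRule:
    keyword: str    # userdn, groupdn, userattr, ...
    operator: str   # "=" or "!="
    value: str


@dataclass
class Rule:
    effect: str          # "allow" or "deny"
    rights: List[str]    # read, write, add, delete, ...
    bind: BindRule


@dataclass
class Aci:
    name: str
    targets: Dict[str, Tuple[str, str]]   # clause keyword -> (operator, value)
    rules: List[Rule]


# One target clause: (target="..."), (targetattr=*), (targattrfilters="..."), ...
TARGET_RE = re.compile(r'\((targ\w*)\s*(!?=)\s*("[^"]*"|[^)]*)\)')
# The permission block: (version 3.0; acl "name"; <rules>)
VERSION_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
# One rule inside the block: allow|deny (rights) bind-rule ;
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)
# A simple bind rule, optionally wrapped in parentheses: keyword = "value"
BIND_RE = re.compile(r'\(?\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)?')


def parse_aci(text: str) -> Aci:
    """Split an ACI into its target clauses, name and allow/deny rules."""
    text = " ".join(text.split())   # collapse the line breaks of a pasted ACI
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError('no (version 3.0; acl "..."; ...) block found')
    name, rule_text = m.group(1), m.group(2)
    targets: Dict[str, Tuple[str, str]] = {}
    for kw, op, val in TARGET_RE.findall(text[:m.start()]):
        targets[kw] = (op, val.strip().strip('"'))
    rules: List[Rule] = []
    for effect, rights, bind_text in RULE_RE.findall(rule_text):
        b = BIND_RE.fullmatch(bind_text.strip())
        if not b:
            raise ValueError(f"unsupported bind rule: {bind_text!r}")
        rules.append(Rule(effect, [r.strip() for r in rights.split(",")],
                          BindRule(*b.groups())))
    return Aci(name, targets, rules)


def describe(aci: Aci) -> List[str]:
    """One human-readable line per rule, for reviewing what an ACI grants before loading it."""
    scope = "; ".join(f'{kw} {op} "{val}"' for kw, (op, val) in aci.targets.items())
    return [f'{r.effect} {",".join(r.rights)} to {r.bind.keyword} {r.bind.operator} '
            f'"{r.bind.value}" on [{scope}]' for r in aci.rules]


if __name__ == "__main__":
    for sample in (ACI_OWNER, ACI_SELF):
        for line in describe(parse_aci(sample)):
            print(line)
```

Feeding a candidate ACI through `describe()` before writing it to the directory makes the granted rights and the bind rule explicit, which is where a mismatch between what was intended and what was written usually shows up.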
[Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
by Philip Kime
> Yes, I'm referring to the "Configuration->Data->Passwords" tab. On
> this panel, you should have both the "Enable fine-grained password policy"
> and "Check password syntax" options checked.
Yes, they are both checked. And when I check the same boxes on a user or
OU and make the settings more restrictive than the global settings, the
more restrictive settings are ignored and only the global settings are
enforced. For example, if I set the minimum digits required to 2
globally and 3 locally on an OU or user, I can enter passwords with 2
digits without problems, but not with 1 digit.
PK
17 years, 5 months
[Fedora-directory-users] pk12util error
by Glenn
I'm trying to get Windows Sync working on an evaluation copy of Red Hat
Directory Server 7.1 SP3. I am stuck at the step where you export the
directory server's certificate to a file. I use this command:
./pk12util -d . -P slapd-myserver- -o servercert.pfx -n Server-Cert
The response is:
Enter Password or Pin for "NSS Certificate DB"
After I enter the password, I get this error message:
pk12util-bin: find user certs from nickname failed: security library: bad database.
I have followed all the instructions for setting up SSL in the directory
server and the admin server several times. The server and CA certificates
have been requested and installed. Everything looks correct in the console
screens. The slapd-myserver-cert8.db and slapd-myserver-key3.db files
exist. I got tired of retyping the path to the pk12util file, so I copied
it to the alias directory containing the certificates and databases.
What are some things I can try to get pk12util working? Or is there another
way to export the certificate and key so that I can import them into the
Windows certificate store? Could this be an NSS problem? Should I look for
an NSS update?
I will try just about anything, but the boss is real keen on using Red Hat,
as he believes the longer development cycle will make it easier to maintain
in the long run. However, if Fedora Directory Server is the only option
that works, I may be able to present it that way. I apologize for the
off-topic question, but there doesn't seem to be any support for the evaluation
of RHDS. Thanks. -Glenn.
17 years, 5 months