[Fedora-directory-users] Can't connect to admin server as Directory Manager
by Mike Mueller
I just did a fresh install of FDS 1.0.4 on a Gentoo Linux workstation
(built manually, not from RPM). After running the setup script to
install it, everything appears to be working, except I can't log in to
the admin console. I can connect to the server via the web browser on
my admin port (9419) and authenticate fine there.
However, when I start the console up, I do:
User ID: cn=Directory Manager
Password: <my password>
Administration URL: http://hostname.domain.com:9419/
The dialog that I get says:
"Cannot logon because of an incorrect User ID,
Incorrect password or Directory problem.
HttpException
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://hostname.domain.com:9419/admin-serv/authenticate"
I made sure that the admin server isn't configured to block any hosts
or IP addresses (set them both to '*' in the local.conf file).
Here's what the error log says:
[Sat Dec 23 05:09:46 2006] [notice] [client 192.168.2.1]
admserv_host_ip_check: ap_get_remote_host could not resolve
192.168.2.1
[Sat Dec 23 05:09:46 2006] [error] [client 192.168.2.1] user
cn=Directory Manager not found: /admin-serv/authenticate
How could the "cn=Directory Manager" user be not found? Doesn't it
always exist? Yes, I used the default name for this user when I ran
setup.
Any input would be appreciated!
Thanks,
Mike
17 years, 4 months
[Fedora-directory-users] Simple Paged Results Control Support in Future?
by Phil Lembo
>
> Date: Fri, 22 Dec 2006 09:30:59 -0700
> From: David Boreham
> Subject: Re: [Fedora-directory-users] Simple Paged Results Control
> Support in Future?
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
>
> Phil Lembo wrote:
>
> > Any chance we'll get to see support for Simple Paged Results Control
> > in a future version of Fedora Directory?
>
> It wouldn't be hard to implement because the existing VLV code could be
> mostly re-used.
>
> Are you looking to support an application that already uses simple paged
> results ?
> Or is there something you're looking for that VLV doesn't do ?
>
I'd just like to be able to use the same techniques for paging through different
directories. Today I've got to maintain 2 different methods in any scripts
that query both FDS and AD -- I know, I know, I should have modularized them
long ago... Anyway, OpenLDAP and a couple of other proprietary directories
also support SPRC, so the only one I've still got to shift over to VLV for
is FDS (and its proprietary cousins).
--
Phil Lembo
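The Simple Paged Results control that Phil is asking about (RFC 2696) is small enough to show end to end. The following is an added example, not code from the list or from Fedora Directory Server: it hand-encodes the control value (a BER SEQUENCE of a page size and an opaque cookie), decodes the server's reply, and runs the client loop against a constructed in-memory stand-in for a directory. The stand-in, its seven sample entries and its offset-based cookie are assumptions made for the example; a real server's cookie is an opaque token the client must hand back unchanged.

```python
"""Simple Paged Results control (RFC 2696), encoded by hand and exercised
against a tiny in-memory server. Added example; not code from the post."""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # control OID from RFC 2696


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_integer(n):
    """Tag 0x02 with a minimal two's-complement body (non-negative here)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)
    return b"\x02" + ber_length(len(body)) + body


def ber_octet_string(b):
    return b"\x04" + ber_length(len(b)) + b


def ber_sequence(content):
    return b"\x30" + ber_length(len(content)) + content


def encode_paged_control_value(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    return ber_sequence(ber_integer(size) + ber_octet_string(cookie))


def _read_length(data, i):
    first = data[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(data[i:i + n], "big"), i + n


def decode_paged_control_value(data):
    """Inverse of encode_paged_control_value; returns (size, cookie)."""
    if data[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _read_length(data, 1)
    if data[i] != 0x02:
        raise ValueError("expected INTEGER size")
    n, i = _read_length(data, i + 1)
    size = int.from_bytes(data[i:i + n], "big", signed=True)
    i += n
    if data[i] != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    n, i = _read_length(data, i + 1)
    return size, bytes(data[i:i + n])


class FakePagedServer:
    """Constructed stand-in for a directory. The cookie here is just the next
    offset; a real server uses an opaque token it can validate itself."""

    def __init__(self, entries):
        self.entries = list(entries)

    def search(self, control_value):
        size, cookie = decode_paged_control_value(control_value)
        offset = int.from_bytes(cookie, "big") if cookie else 0
        if size <= 0 or offset > len(self.entries):
            raise ValueError("unwilling to perform: bad page size or cookie")
        page = self.entries[offset:offset + size]
        nxt = offset + size
        new_cookie = nxt.to_bytes(4, "big") if nxt < len(self.entries) else b""
        # the reply carries a total estimate (or 0) in the size field
        return page, encode_paged_control_value(len(self.entries), new_cookie)


def paged_search(server, page_size):
    """Client loop: resend the control with the returned cookie until the
    server hands back an empty cookie. Returns (all entries, page count)."""
    results, cookie, pages = [], b"", 0
    while True:
        page, reply = server.search(encode_paged_control_value(page_size, cookie))
        results.extend(page)
        pages += 1
        _, cookie = decode_paged_control_value(reply)
        if not cookie:
            return results, pages


# constructed sample directory of seven entries
SAMPLE_ENTRIES = ["uid=user%02d,ou=People,dc=example,dc=com" % i for i in range(1, 8)]

if __name__ == "__main__":
    found, pages = paged_search(FakePagedServer(SAMPLE_ENTRIES), 3)
    print("%d entries in %d pages" % (len(found), pages))
```

The loop is the same whether the far end is AD, OpenLDAP or anything else that honours the control, which is the portability point of the post; VLV needs a server-side index and a different request shape, so a script that supports both has two code paths.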
[Fedora-directory-users] DNS?
by Derrick MacPherson
I'm installing on a server I've got at home, and at the end of the setup I
get a "gethostbyname failed" error when creating the server; I'm assuming this is
because the server is unable to get DNS because there is none. Is there a way
around this, because it seems like the setup doesn't finish properly?
As well, if I go to redo the setup, is it better to uninstall, rpm -e the
rpm, then reinstall and run the setup again? When I try to do the setup I get
an error after it asks for the admin username and password; it seems like it's
trying to connect and access information that didn't get into the LDAP?
Thanks, I hope that all makes sense to someone.
[Fedora-directory-users] Persistent MMR problems
by Chris St. Pierre
A few months ago, I had a machine die suddenly when the power cord was
tripped over. (Oops!) After that, I had some replication issues that
I solved with the help of this list. Before long, they came back, and
back, and back. Basically, I get a bunch of messages like this in the
error logs:
[22/Dec/2006:09:26:08 -0600] agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=pab)"" (zeppo:389) - Can't locate CSN 458acc0e000000020000 in the changelog (DBrc=-30990). The consumer may need to be reinitialized.
[22/Dec/2006:09:31:09 -0600] agmt="cn="Replication to chico.nebrwesleyan.edu (o=pab)"" (chico:389) - Can't locate CSN 458acc0e000000020000 in the changelog (DBrc=-30990). The consumer may need to be reinitialized.
I get similar messages on every host in the 4-way MMR group. Each
machine only complains about one CSN, but they're different CSNs on
each machine.
This morning, I took down all of the replication agreements, and
reinitialized every host from one, which I temporarily treated as the
authoritative master. Within minutes, these messages were appearing
again.
Does anyone have any ideas how to solve this once and for all? I've
rebuilt my replication agreements countless times, and nothing seems
to get them in sync. Any and all ideas are welcome. Thanks.
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
Never send mail to thobrux(a)nebrwesleyan.edu
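The CSN in those errors is not opaque: in Fedora/389 Directory Server it is 20 hex characters laid out as an 8-character Unix timestamp, a 4-character sequence number, a 4-character replica ID and a 4-character subsequence number. Decoding it tells you which replica ID originated the change the consumers cannot find and when, which narrows the problem to that supplier's changelog (trimmed, or re-created without history). The script below is an added example, not something from the list; it parses the two error lines from the post, re-joined onto single lines, and groups the complaints by originating replica ID.

```python
"""Decode the CSNs in "Can't locate CSN" replication errors. Added example,
not from the post. CSN layout assumed is the 389/Fedora DS one: 8 hex chars
Unix timestamp, 4 sequence number, 4 replica ID, 4 subsequence number."""
import re
from datetime import datetime, timezone

# the two error lines from the post, re-joined onto single lines
SAMPLE_LOG = [
    '[22/Dec/2006:09:26:08 -0600] agmt="cn="Replication to zeppo.nebrwesleyan.edu '
    '(o=pab)"" (zeppo:389) - Can\'t locate CSN 458acc0e000000020000 in the '
    'changelog (DBrc=-30990). The consumer may need to be reinitialized.',
    '[22/Dec/2006:09:31:09 -0600] agmt="cn="Replication to chico.nebrwesleyan.edu '
    '(o=pab)"" (chico:389) - Can\'t locate CSN 458acc0e000000020000 in the '
    'changelog (DBrc=-30990). The consumer may need to be reinitialized.',
]

LINE_RE = re.compile(
    r'^\[(?P<when>[^\]]+)\] agmt="cn=(?P<agmt>.*)" \((?P<host>[^:()]+):(?P<port>\d+)\) - '
    r"Can't locate CSN (?P<csn>[0-9a-fA-F]{20}) in the changelog"
)


def parse_csn(csn):
    """Split a 20-hex-char CSN into its four fields."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("CSN must be 20 hex characters: %r" % csn)
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def parse_missing_csn_line(line):
    """Return the decoded CSN plus agreement/consumer details, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    info = parse_csn(m.group("csn"))
    info.update(consumer=m.group("host"), port=int(m.group("port")),
                agreement=m.group("agmt").strip('"'), csn=m.group("csn"))
    return info


def summarize(lines):
    """Group complaints by originating replica ID. That replica's changelog
    is where the CSN should have been, so that supplier is the one to check."""
    by_replica = {}
    for line in lines:
        info = parse_missing_csn_line(line)
        if info:
            by_replica.setdefault(info["replica_id"], []).append(info)
    return by_replica


if __name__ == "__main__":
    for rid, hits in summarize(SAMPLE_LOG).items():
        for h in hits:
            print("replica %d wrote %s at %s; consumer %s:%d cannot find it"
                  % (rid, h["csn"], h["time_utc"].isoformat(), h["consumer"], h["port"]))
```

For the CSN in the post this gives replica ID 2 and a timestamp on the evening of 21 December 2006 (UTC), i.e. the change predates the reinitialization described in the message, so it is the supplier with replica ID 2 whose changelog no longer contains it.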
[Fedora-directory-users] Extracting details from ActiveDirectoryto FDS
by Phil Lembo
Darren:
I wrote a Perl script using the Net::LDAP module and Kartik Subbarao's
ldifdiff.pl (in the Net::LDAP contrib section on search.cpan.org) to go the
other way, updating AD from LDAP (in our case the FDS-related Sun
Directory). The basic process I followed was to dump the contents of each
directory to LDIF (after all, AD is "just another LDAP directory", ;-),
transform the DNs so that the source looks like the target (we get the DN by
doing a search against the target on an attribute value common to both, in
our case, AD CN = LDAP UID), then diffing the transformed files, and using
the resulting diff to make my changes to the target. The current version is
heavily customized for my company's environment so the code would probably
be pretty useless to you, but if a barely competent Perl programmer like me
could come up with something like this I'd guess that someone who *really*
knew what they were doing could come up with something much better.
There are also commercial products out there like Microsoft's or Sun's
metadirectory, and HP's LDAP Directory Synchronizer (LDSU) (see
http://h20219.www2.hp.com/services/cache/11215-0-0-0-121.html). All of these
are quite costly. The Sun product is freely downloadable but it is very
complex and I wouldn't recommend exploring it without professional
services assistance. You should also look at Sun's latest Directory Resource
Kit,
http://developers.sun.com/prodtech/dirserver/reference/techart/DSRK_52.html,
which provides a number of tools that can be used together to synchronize
disparate directories. The doc is a worthwhile read for getting you thinking
about how you'd go about it in your environment.
--
Phil Lembo
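The dump / transform-the-DNs / diff / apply flow Phil describes can be sketched in a few dozen lines. What follows is an added example in Python rather than his Perl script (his code is not on the list): the two LDIF dumps are constructed, the sync attribute list and the "AD CN = LDAP uid" matching rule follow the post, and the output is LDIF change records of the kind ldapmodify would consume against the target. Source entries with no match on the target are reported separately instead of being guessed at.

```python
"""Dump -> map DNs -> diff -> emit LDIF modifications. Added example, not
the author's script; sample LDIF below is constructed."""
import base64


def parse_ldif(text):
    """LDIF records -> {dn: {attr(lowercased): [values]}}. Handles base64
    (::) values and continuation lines; comment lines are ignored."""
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries[current["dn"]] = current["attrs"]
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.lower()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current["attrs"].setdefault(attr, []).append(value)
    return entries


def map_source_to_target(source, target, source_key, target_key):
    """Rewrite source DNs to target DNs by matching source_key against
    target_key values, case-insensitively. Returns (mapped, unmatched)."""
    index = {}
    for dn, attrs in target.items():
        for v in attrs.get(target_key, []):
            index[v.lower()] = dn
    mapped, unmatched = {}, []
    for dn, attrs in source.items():
        keys = [v.lower() for v in attrs.get(source_key, [])]
        hit = next((index[k] for k in keys if k in index), None)
        if hit is None:
            unmatched.append(dn)
        else:
            mapped[hit] = attrs
    return mapped, unmatched


def diff_entries(mapped, target, sync_attrs):
    """(dn, attr, wanted_values) for every synced attribute that differs;
    an empty wanted list means the attribute should be deleted on the target."""
    changes = []
    for dn, src in mapped.items():
        tgt = target[dn]
        for attr in sync_attrs:
            want, have = sorted(src.get(attr, [])), sorted(tgt.get(attr, []))
            if want != have:
                changes.append((dn, attr, want))
    return changes


def to_modify_ldif(changes):
    """Render as changetype: modify records (attribute names are
    case-insensitive in LDAP, so the lowercased names are fine)."""
    out = []
    for dn, attr, values in changes:
        out.append("dn: %s\nchangetype: modify" % dn)
        if values:
            out.append("replace: %s" % attr)
            out.extend("%s: %s" % (attr, v) for v in values)
        else:
            out.append("delete: %s" % attr)
        out.append("-\n")
    return "\n".join(out)


def sync_plan(source_ldif, target_ldif, sync_attrs=("mail", "telephonenumber")):
    source, target = parse_ldif(source_ldif), parse_ldif(target_ldif)
    mapped, unmatched = map_source_to_target(source, target, "uid", "cn")
    return diff_entries(mapped, target, sync_attrs), unmatched


# constructed dumps: FDS side keyed by uid, AD side keyed by cn
FDS_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
mail: jdoe@example.com
telephoneNumber: +1 555 0101

dn: uid=asmith,ou=People,dc=example,dc=com
uid: asmith
mail: asmith@example.com
telephoneNumber: +1 555 0102

dn: uid=newhire,ou=People,dc=example,dc=com
uid: newhire
mail: newhire@example.com
"""
AD_LDIF = """dn: CN=jdoe,OU=Users,DC=corp,DC=example
cn: jdoe
mail: jdoe@example.com
telephoneNumber: +1 555 0199

dn: CN=ASMITH,OU=Users,DC=corp,DC=example
cn: ASMITH
mail: asmith@example.com
telephoneNumber: +1 555 0102
"""

if __name__ == "__main__":
    changes, unmatched = sync_plan(FDS_LDIF, AD_LDIF)
    print(to_modify_ldif(changes))
    print("# unmatched on target:", unmatched)
```

Running it produces one modify record (jdoe's telephoneNumber on the AD side is stale) and flags uid=newhire as having no AD counterpart; deciding whether unmatched entries should be created, ignored or reported is exactly the site-specific part that makes such scripts hard to share.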
[Fedora-directory-users] Migration from i-planet 52
by Edward Capriolo
I recently did an ldif backup of our iPlanet 5.2 database. It's about an 88 MB
ldif file.
I took this to a new FDS server: Dell 850, 3 GHz dual core, 2 SATA hard disks.
I ran an ldapadd; the data imported perfectly.
Then I tried to cutover some systems and give the database some load.
The system went to 200% processor.
Eventually I realized I was missing indexes so I added them through the
graphical tool.
The log seemed to do something like this
generating index 1%
generating index 2%
....
generating index 49%
Done
Seemed weird that they would jump from 49% to Done
At this point the new system was running at 100% processor
But the queries are running faster on our old 440 MHz SPARC T1 server's 5.2
database.
I ran:
DB ERROR: db_verify: Page 30: out-of-order key at entry 498
DB ERROR: db_verify: DB->verify: db/o_com/channelcontentowner.db4:
DB_VERIFY_BAD: Database verification failed
then I tried db2_index. The program seemed to be in a tight loop complaining
about 1 missing entry.
I do not realize how the data can be so corrupted right after an import.
These are somewhat generic symptoms. Any ideas? Thanks
[Fedora-directory-users] adding an attribute, howto?
by MJD Shop Account
I would like to use the pam_passthru plugin to use kerberos
authentication via pam_krb5, but am running into a few issues. I
need to specify an attribute to use, as I have multiple realms -- my
uid is just a login name; for Kerberos to work I need
<uid>@<realm>. I wasn't sure what to use for the attribute, and was
thinking of hijacking the 'description' attribute for this purpose.
However another posting to this list gave me the idea of just
extending the schema with an additional attribute in 99user.ldif. I
would likely want to copy the definition for 'uid' from, say, class
posixAccount, but rename it to krb5uid or something. Can anyone
point me to detailed instructions? Is this trivial or difficult? I
looked at the current schema files and was not sure what I would need
to copy to make it work, and how to add the new attribute explicitly
to the class schema as an optional attribute.
What are the consequences of adding such an attribute when
replication is occurring? I assume I must extend the schema on each
server, what happens if I neglect to extend the schema on one server
and it receives replica info that has this new attribute populated
for some users?
I would also entertain the idea of having an attribute with just the
realm (or a proxy for the realm), and constructing the krbuid
equivalent via some operational attribute that constructs it via uid
+ "@" + realm on the fly, if this is possible. I might even be able
to do this using existing location attribute or another existing
attribute, I can easily determine the correct realm from
corresponding location-specific info associated with each user. But,
I don't know how to do this in practice.
Also, if anyone has an example pam ldapserver file they could share,
I would appreciate it.
-Marty
[Fedora-directory-users] migrating users from Tru64 to Fedora DS
by Israel Garcia
Hi, I have 4 Tru64 servers with a lot of users and I want to unify their
authentication using FDS.
My idea is to install FDS on a Fedora server with replicas if
possible. Has anybody done this before? Does FDS have scripts to migrate
users/home_directory/UID/GID from a passwd file? What do you recommend?
Can I use FDS as an LDAP server for Tru64 clients?
thanks in advance
regards,
Israel
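As for migrating users/home_directory/UID/GID from a passwd file, the conversion itself is straightforward, and the points that bite are the ones a one-liner skips: system accounts below a UID cutoff, malformed or duplicate lines, and the fact that the "x" in the password field is a placeholder rather than a hash. The script below is an added example, not an FDS-supplied migration tool: it turns passwd lines into LDIF posixAccount/inetOrgPerson entries suitable for ldapadd or ldif2db. The base DN, the UID cutoff and the sample passwd lines are constructed assumptions.

```python
"""/etc/passwd -> LDIF posixAccount entries. Added example, not an FDS
script; base DN, cutoff and sample lines are constructed assumptions."""
import base64

PEOPLE_BASE = "ou=People,dc=example,dc=com"   # assumed suffix

# constructed sample: system account, two users, a malformed line, a duplicate login
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
jdoe:x:1001:100:John Doe:/home/jdoe:/bin/ksh
asmith:x:1002:100:Alice Smith,Room 12:/home/asmith:/bin/csh
broken line without fields
jdoe:x:1003:100:Duplicate Doe:/home/jdoe2:/bin/sh
"""


def escape_rdn_value(value):
    """Escape the RDN special characters of RFC 4514 (backslash first)."""
    out = value
    for ch in "\\,+\"<>;=":
        out = out.replace(ch, "\\" + ch)
    return out


def ldif_line(attr, value):
    """Plain 'attr: value' when LDIF allows it, otherwise base64 'attr:: ...'."""
    safe = value.isascii() and not value.startswith((" ", ":", "<")) and not value.endswith(" ")
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def passwd_to_entries(text, people_base=PEOPLE_BASE, min_uid=1000):
    """Returns (entries, skipped); each entry is an ordered list of
    (attribute, value) pairs, skipped is a list of (line number, reason)."""
    entries, skipped, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            skipped.append((lineno, "expected 7 fields"))
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            skipped.append((lineno, "non-numeric uid/gid"))
            continue
        if int(uid) < min_uid:
            skipped.append((lineno, "system account %s" % name))
            continue
        if name in seen:
            skipped.append((lineno, "duplicate login %s" % name))
            continue
        seen.add(name)
        full_name = gecos.split(",")[0].strip() or name   # drop office/phone GECOS fields
        surname = full_name.split()[-1]
        entry = [
            ("dn", "uid=%s,%s" % (escape_rdn_value(name), people_base)),
            ("objectClass", "top"), ("objectClass", "person"),
            ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
            ("objectClass", "posixAccount"),
            ("uid", name), ("cn", full_name), ("sn", surname),
            ("uidNumber", uid), ("gidNumber", gid),
            ("homeDirectory", home), ("loginShell", shell or "/bin/sh"),
        ]
        if gecos:
            entry.append(("gecos", gecos))
        # No userPassword is emitted: the 'x' in field 2 is a placeholder, so the
        # hash must come from the real credential store or users must reset.
        entries.append(entry)
    return entries, skipped


def to_ldif(entries):
    """Serialize entries as LDIF records separated by blank lines."""
    blocks = ["\n".join(ldif_line(a, v) for a, v in entry) for entry in entries]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    entries, skipped = passwd_to_entries(SAMPLE_PASSWD)
    print(to_ldif(entries))
    for lineno, reason in skipped:
        print("# skipped line %d: %s" % (lineno, reason))
```

Groups need the same treatment from the group file (posixGroup with gidNumber and memberUid), and whatever Tru64's enhanced security database holds for passwords has to be handled separately from this file, which is why the script deliberately writes no userPassword.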