389-users February 2006

389-users@lists.fedoraproject.org

50 participants
81 discussions

[Fedora-directory-users] Cos? or plug-in issue?
by Scott 07 Mar '06

07 Mar '06

I have been working with updating the attributeType 'uid' to conform the a "caseExactMatch" setting. I understand that this does agree with RFC standards, but this Directory Server will not be interacting with any ldap applications. The primary purpose is user authentication. I must be missing something on how the Directory Server (fedora-ds) defines the attributes. I was under the impression I could just update the 00core.ldif entry and the new matching rule would then be applied. This has proven not to be the case, I think it might have to do with the server interacts with the plugins or the CoS which needs to be addressed. Anyone who could educate me on a method to enforce case sensitivity for the attribute uid, it would help me out greatly. I have read everything I can find on the subject and it just does not seem to be documented (not in a direct manner anyway). This is how the attribute appears in the 00core.ldif after I attempted to change the attribute definition but it does not seem to have any effect. attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC 'Standard LDAP attribute type' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 1274' ) Thanks in advance to anyone who can point me in the correct direction, I must be making this more difficult then it needs to be.

6 14

[Fedora-directory-users] TLS authentication without a user mapped
by François Beretti 01 Mar '06

01 Mar '06

Hi, is it possible to do a SASL/EXTERNAL bind with a TLS certificate, while no user in the directory is mapped to the certificate DN ? If yes, is it possible then to give rights to certificate DN (so, to a DN that is not in the directory) ? I would like this if I don't want to store users in a directory (because they already are in another one. Thank you François

3 4

RE: [Fedora-directory-users] Disabling vlv support
by Reinhard Nappert 27 Feb '06

27 Feb '06

Unfortunately there is a bug (iPlanet/SUN Directory Server used to have the same bug, but it was fixed recently). In case you perform vlv searches and modifications occur at the same time the server hangs. Have a look at the release notes (http://docs.sun.com/source/819-1814-10/relnotes_ds51sp4.html) bug-id 4973380. Therefore, I do not want to accept any vlv requests. Cheers -Reinhard -----Original Message----- From: fedora-directory-users-bounces(a)redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Mike Jackson Sent: Monday, February 27, 2006 10:10 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Disabling vlv support Richard Megginson wrote: > Views and VLV (Virtual List Views) are different. Views allows you to > impose a hierarchical DIT upon a flat tree (virtually). VLV is paged > search results. > Right. So, do you Rich have any tips how to disable VLV? Although I still don't see the reason why somebody would want to do this. Are there misbehaving clients on your network, or what? -- mike -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

2 1

[Fedora-directory-users] Disabling vlv support
by Reinhard Nappert 27 Feb '06

27 Feb '06

Hi, I want to disable the virtual list view support. I would think that you would just delete the appropriate OID (supportedControl attribute) from the rootDSE object. However, the directory does not allow me to do that, due to access control restrictions. I try to perform this modification with the "super-administrator" account (cn=Directory Manager). Can anybody point me to a way how the vlv feature can be disabled? Thanks -Reinhard

5 6

RE: [Fedora-directory-users] Some password policy enforcement information questions
by Bliss, Aaron 25 Feb '06

25 Feb '06

Well, it turns out that the passwordExpWarned attribute doesn't get changed either if a user authenticates to a server with a key via ssh; so I had to redesign how the script works; I figured that it's probably best to give the users the actual number of days they have before their password will expire. I've actually turned it into 2 scripts, the bash script is used to query the ldap server for password expiration info, and it passes this value to the perl script; Calling this from /etc/profile should work just fine. I thought this might be helpful to other users (perl script was tough for me, as I've never really scripted in perl but couldn't figure out a way to do in bash), so here you go: #!/bin/bash #use this script in order to figure out when the users #password is going to expire and give them a heads up about it #figure out who the user is mynam=`whoami` #create some exceptions to this rule so that they don't get a phony messsage if [ $mynam = root ] ; then exit fi #pswarn1=`ldapsearch -x -ZZ "(uid=$mynam)" passwordExpWarned | grep passwordExpWarned | grep -v '#' | awk '{print $2}'` #figure out exactly when their password is going to expire pswar=`ldapsearch -x -ZZ "(uid=$mynam)" passwordexpirationtime | grep passwordexpirationtime | grep -v '#' | awk '{print $2}' | cut -c 1-8` #setup some variables pwmonth=`echo $pswar | cut -c 5-6` pwday=`echo $pswar | cut -c 7-8` pwyear=`echo $pswar | cut -c 1-4` #perl script expects input year month day /usr/local/sbin/ck_pass1.pl $pwyear $pwmonth $pwday exit 0 #! /usr/bin/perl use strict; use warnings; use Time::Local; #epoch secs for 2 weeks equal 1209600 #setup vars that were passed in year, month, day in that order my $varpass0 = $ARGV[0]; my $varpass1 = $ARGV[1]; my $varpass2 = $ARGV[2]; #timelocal doesn't work for dates past the year 2038 if ($varpass0 >= 2038) { print "year passed is too much for this script\n"; exit 0; } #get todays date and format it properly #beaware localtime is going to format year-1900 and month-1 my ($mday,$mmonth,$myear) = (localtime(time)) [3,4,5]; my $epdate = timelocal (0,0,0,$mday,$mmonth,$myear); #get epoch date for when password will expire #we have to format what was passed to us to make it usable by timelocal my $varpass00 = $varpass0 - 1900; my $varpass11 = $varpass1 - 1; my $passexp = timelocal (0,0,0,$varpass2,$varpass11,$varpass00); #subtract password expiration from today and see what we get my $passans = $passexp - $epdate; my $finans2 = $passans / 86400; #lets see where we stand #and send a warning to the end users if necessary if ($passans <= 1209600) { printf "Warning, Your Ldap password will expire in %.0f", $finans2; print " days\n"; } -----Original Message----- From: Bliss, Aaron Sent: Monday, February 20, 2006 10:35 AM To: 'General discussion list for the Fedora Directory server project.' Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions Yep, this issue occurs over ssh. Aaron -----Original Message----- From: fedora-directory-users-bounces(a)redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson Sent: Monday, February 20, 2006 10:08 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions Bliss, Aaron wrote: >Some more trouble with password expiration warnings; I have passwords >warnings being displayed to users when they use passwords, however >users configured to use key authentication > Do you mean ssh? >do not receive this warnings; has >anyone seen this before? This is of course going to be a very big >problem for me. Any ideas? Thanks again. > > >Aaron > >-----Original Message----- >From: Bliss, Aaron >Sent: Wednesday, January 25, 2006 7:48 PM >To: General discussion list for the Fedora Directory server project. >Subject: RE: [Fedora-directory-users] Some password policy enforcement >information questions > >Turns out the issue I was having was with my clients; I'm not sure why, >but the administrator before me had "UseLogin Yes" set in >/etc/ssh/sshd_config; commenting this out immediately started >generating password warnings to users (as configured by the directory >server); does anyone know what the UseLogin option is used for? Thanks. > >Aaron > >-----Original Message----- >From: Bliss, Aaron >Sent: Thursday, January 19, 2006 3:15 PM >To: 'General discussion list for the Fedora Directory server project.' >Subject: RE: [Fedora-directory-users] Some password policy enforcement >information questions > >Thanks very much for the explanation; makes much sense to me now; I did >some playing around, and got the directory server to spit out to me >that your password is going to expire in x amount of days. Thanks again. > >Aaron > >-----Original Message----- >From: fedora-directory-users-bounces(a)redhat.com >[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard >Megginson >Sent: Thursday, January 19, 2006 2:35 PM >To: General discussion list for the Fedora Directory server project. >Subject: Re: [Fedora-directory-users] Some password policy enforcement >information questions > >It looks like the way it works is this: >When you have enabled password warning, an operational attribute called >"passwordExpWarned" is created in the user's entry. The value will be >0 until the user does a successful BIND operation and the time between >now and the configured password expiration time is less than or equal >to the configured password warning time. When this happens, the >warning will be sent, the value of passwordExpWarned will be changed to >1, and the operational attribute passwordExpirationTime in the user's >entry will be set to the time at which the password will expire. When >the user changes the password, passwordExpWarned will be reset to 0 and >passwordExpirationTime will be set to the new expiration time. > >Bliss, Aaron wrote: > > > >>If I've configured a correct password policy and the warning attribute >>is not getting updated, should this be considered a bug? >> >>Aaron >> >>-----Original Message----- >>From: fedora-directory-users-bounces(a)redhat.com >>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of >>Richard >> >> > > > >>Megginson >>Sent: Thursday, January 19, 2006 1:48 PM >>To: General discussion list for the Fedora Directory server project. >>Subject: Re: [Fedora-directory-users] Some password policy enforcement >>information questions >> >>Bliss, Aaron wrote: >> >> >> >> >> >>>Please forgive me if I'm asking silly newbie questions, however I'm >>>trying to understand exactly what I'm seeing thru fds; first the >>>policy >>> >>> >>> >>> >> >> >> >> >>>I've configured on the directory using the fds console: >>>I've enabled fine-grain password policy for the data unit, including >>>password history enforcement, password expiration after 90 days, >>>password warning 14 days before password expires, check password >>>syntax, account lockout policy enabled after 3 login failures for 120 >>>minutes and reset failure count after 15 minutes. >>> >>>Everything seems to be working except for send password warning; in >>> >>> >the > > >>>client's ldap.conf file, I've enabled pam_lookup_policy yes. >>> >>>Looking at account information attributes for a user, >>>passwordexpwarnd >>> >>> > > > >>>value is 0; I've reset users password to try to initialize the >>>password >>> >>> >>> >>> >> >> >> >> >>>policy, however this value never seems to change. According to this >>>documentation >>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#10 >>>7 >>>7 >>>0 >>>81 I believe that this attribute is stored in seconds. Is this true? >>> >>> >>> >>> >>> >>> >>Yes. >> >> >> >> >> >>>If so, what can I do to ensure this attribute is getting updated >>>(assuming that this is the attribute responsible for triggering >>>password expiration warning). >>> >>> >>> >>> >>> >>> >>I'm not really sure. >> >> >> >> >> >>>Second issue/question: >>>I've looked at this wiki >>>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very >>>bottom it mentions adding the following >>> >>>dn: cn=config >>>changetype: modify >>>add: passwordExp >>>passwordExp: on >>>- >>>add: passwordMaxAge >>>passwordMaxAge: 8640000 (this I believe would give a password max age >>>of 100 days) >>> >>>Do I need to add these attributes even though I've configured the >>>password policy using fds console has done this for me. Is this the >>>case, I see don't these attributes in the gui, however I do see >>>passwordexpirationtime as an attribute and is set to 90 days from now >>>(I'm want to ensure that accounts are indeed locked after passwords >>>have expired). >>> >>> >>> >>> >>> >>> >>Those attributes are only for global (default) password policy - what >>you have set for fine grained password policy will override those. >> >> >> >> >> >>>Also, Jim Summers posted to this group that he saw an issue with >>>shadowpasswd / shadowexpire fields not being updated >>>https://www.redhat.com/archives/fedora-directory-users/2005-December/ >>>m >>>s >>>g >>>00367.html >>> >>>Can anyone tell me what these fields are used for, as I don't see any >>>mention of them in this documentation >>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#10 >>>7 >>>7 >>>0 >>>81 >>> >>> >>> >>> >>> >>> >>Right. They are a PAM/posix thing - FDS treats them as any other data >>- it doesn't update them from it's own password policy. >> >> >> >> >> >>>Thanks again very much. >>> >>>Aaron >>> >>> >>> >>> >>>www.preferredcare.org >>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >>>Power and Associates >>> >>>Confidentiality Notice: >>>The information contained in this electronic message is intended for >>> >>> >>> >>> >>the exclusive use of the individual or entity named above and may >>contain privileged or confidential information. If the reader of this >>message is not the intended recipient or the employee or agent >>responsible to deliver it to the intended recipient, you are hereby >>notified that dissemination, distribution or copying of this >>information is prohibited. If you have received this communication in >>error, please notify the sender immediately by telephone and destroy >>the copies you received. >> >> >> >> >>>-- >>>Fedora-directory-users mailing list >>>Fedora-directory-users(a)redhat.com >>>https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >>> >>> >>> >>www.preferredcare.org >>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >>Power and Associates >> >>Confidentiality Notice: >>The information contained in this electronic message is intended for >> >> >the exclusive use of the individual or entity named above and may >contain privileged or confidential information. If the reader of this >message is not the intended recipient or the employee or agent >responsible to deliver it to the intended recipient, you are hereby >notified that dissemination, distribution or copying of this >information is prohibited. If you have received this communication in >error, please notify the sender immediately by telephone and destroy >the copies you received. > > >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users(a)redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> >> > > >www.preferredcare.org >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. >Power and Associates > >Confidentiality Notice: >The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. > > >-- >Fedora-directory-users mailing list >Fedora-directory-users(a)redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > www.preferredcare.org "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

2 1

[Fedora-directory-users] dumping the data base
by Scott Boggs 24 Feb '06

24 Feb '06

Hello, I am attempting to pull the schema of my FDS, I am use to using a command such as 'ldapsearch -x -s base -b "" subschemasubentry' or 'ldapsearch -b "cn=subschema" attributetypes' Can anyone shine any light on how my syntax is wrong with these commands. I am trying to pull the subschema to show the various attribute definitions. I am sure I have just missed how to do it in the docs. Thanks in advance

4 11

[Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
by Kimmo Koivisto 24 Feb '06

24 Feb '06

Hello I have FDS 1.0.1 installed to RHEL4ES and I managed to deny admin console connections from anywhere :) I have domain ton.fi and by default admin server seems to allow connections only from *.ton.fi. I need to connect admin server from anywhere and I thought that I could add * to the allowed host list... I did it with admin console. After I applied changes, I no longer could log in to the admin console, even from localhost, error log says: <error log> [Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*) [Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: * [Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*) [Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: * [Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming normal operations [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1 [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern [(*.ton.fi|*)] -will scan aliases [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldap2] did not match pattern [(*.ton.fi|*)] [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost.localdomain] did not match pattern [(*.ton.fi|*)] [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [localhost] did not match pattern [(*.ton.fi|*)] [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [ldapsrv] did not match pattern [(*.ton.fi|*)] [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: host alias [*] did not match pattern [(*.ton.fi|*)] [Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1] admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection </error log> I tried to modify local.conf but it is always overwritten when I restart admin server. How to remove that * from the settings and what is the proper way to allow connections to admin server from anywhere. Admin connections are restricted with IPsec, FDS can allow it from anywhere, no problems with security. I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not like IBM's multimaster replication, too many problems and did not know where to get support. FDS and mmr just works. Thanks for the great product :) Best Regards Kimmo Koivisto

4 4

[Fedora-directory-users] sendmail alias in fds
by basile 24 Feb '06

24 Feb '06

hi i try to use sendmail with sendamail alias in fds and have problems here are definition of alias dn: sendmailMTAKey=Basile.Mathieu,dc=siris,dc=sorbonne,dc=fr sendmailMTAAliasGrouping: aliases sendmailMTAAliasGrouping: revaliases sendmailMTAHost: sorbon2.sorbonne.fr sendmailMTAKey: Basile.Mathieu sendmailMTAAliasValue: bmathieu objectClass: top objectClass: sendmailMTA objectClass: sendmailMTAAlias objectClass: sendmailMTAAliasObject dn: sendmailMTAKey=bmathieu,dc=siris,dc=sorbonne,dc=fr sendmailMTAAliasGrouping: aliases sendmailMTAAliasGrouping: revaliases sendmailMTAHost: sorbon2.sorbonne.fr sendmailMTAKey: bmathieu sendmailMTAAliasValue: bmathieu objectClass: top objectClass: sendmailMTA objectClass: sendmailMTAAlias objectClass: sendmailMTAAliasObject dn: sendmailMTAKey=Alain.Lierre,dc=paris4,dc=sorbonne,dc=fr sendmailMTAAliasGrouping: aliases sendmailMTAAliasGrouping: revaliases sendmailMTAHost: sorbon2.sorbonne.fr sendmailMTAKey: Alain.Lierre sendmailMTAAliasValue: alierre objectClass: top objectClass: sendmailMTA objectClass: sendmailMTAAlias objectClass: sendmailMTAAliasObject dn: sendmailMTAKey=alierre,dc=paris4,dc=sorbonne,dc=fr sendmailMTAAliasGrouping: aliases sendmailMTAAliasGrouping: revaliases sendmailMTAHost: sorbon2.sorbonne.fr sendmailMTAKey: alierre sendmailMTAAliasValue: alierre objectClass: top objectClass: sendmailMTA objectClass: sendmailMTAAlias objectClass: sendmailMTAAliasObject here i test email with sendmail #/usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf Alain.Lierre(a)sorbon2.sorbonne.fr Alain.Lierre(a)sorbon2.sorbonne.fr... User unknown sorbon2 # /usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf Basile.mathieu(a)sorbon2.sorbonne.fr bmathieu... deliverable: mailer local, user bmathieu why the first alias is not recognize user bmathieu and alierre are defined search base is dc=sorbonne,dc=fr and here are logs of fds [24/Feb/2006:11:57:50 +0100] conn=2307 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:57:50 +0100] conn=2307 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3 [24/Feb/2006:11:57:50 +0100] conn=2307 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" [24/Feb/2006:11:57:50 +0100] conn=2307 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell" [24/Feb/2006:11:57:50 +0100] conn=2307 op=1 RESULT err=0 tag=101 nentries=0 etime=0 [24/Feb/2006:11:57:50 +0100] conn=2307 op=2 UNBIND [24/Feb/2006:11:57:50 +0100] conn=2307 op=2 fd=64 closed - U1 [24/Feb/2006:11:57:50 +0100] conn=2308 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:57:50 +0100] conn=2308 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3 [24/Feb/2006:11:57:50 +0100] conn=2308 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" [24/Feb/2006:11:57:50 +0100] conn=2308 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell" [24/Feb/2006:11:57:50 +0100] conn=2308 op=1 RESULT err=0 tag=101 nentries=0 etime=0 [24/Feb/2006:11:57:50 +0100] conn=2308 op=2 UNBIND [24/Feb/2006:11:57:50 +0100] conn=2308 op=2 fd=65 closed - U1 [24/Feb/2006:11:57:50 +0100] conn=2309 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:57:50 +0100] conn=2309 op=0 BIND dn="" method=128 version=2 [24/Feb/2006:11:57:50 +0100] conn=2309 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [24/Feb/2006:11:57:50 +0100] conn=2309 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue" [24/Feb/2006:11:57:51 +0100] conn=2310 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:57:51 +0100] conn=2310 op=0 BIND dn="" method=128 version=2 [24/Feb/2006:11:57:51 +0100] conn=2310 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [24/Feb/2006:11:57:51 +0100] conn=2310 op=1 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=alain.lierre))" attrs="sendmailMTAAliasValue" [24/Feb/2006:11:57:52 +0100] conn=2309 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U [24/Feb/2006:11:57:53 +0100] conn=2311 fd=66 slot=66 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:57:53 +0100] conn=2311 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3 [24/Feb/2006:11:57:53 +0100] conn=2311 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" [24/Feb/2006:11:57:53 +0100] conn=2311 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=alain.lierre))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell" [24/Feb/2006:11:57:53 +0100] conn=2311 op=1 RESULT err=0 tag=101 nentries=0 etime=0 [24/Feb/2006:11:57:53 +0100] conn=2310 op=2 UNBIND [24/Feb/2006:11:57:53 +0100] conn=2310 op=2 fd=65 closed - U1 [24/Feb/2006:11:57:53 +0100] conn=2309 op=2 UNBIND [24/Feb/2006:11:57:53 +0100] conn=2309 op=2 fd=64 closed - U1 [24/Feb/2006:11:57:53 +0100] conn=2311 op=2 UNBIND [24/Feb/2006:11:57:53 +0100] conn=2311 op=2 fd=66 closed - U1 [24/Feb/2006:11:57:53 +0100] conn=2310 op=1 RESULT err=4 tag=101 nentries=0 etime=2 notes=U [24/Feb/2006:11:58:01 +0100] conn=2312 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:58:01 +0100] conn=2312 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3 [24/Feb/2006:11:58:01 +0100] conn=2312 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" [24/Feb/2006:11:58:01 +0100] conn=2312 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell" [24/Feb/2006:11:58:01 +0100] conn=2312 op=1 RESULT err=0 tag=101 nentries=0 etime=0 [24/Feb/2006:11:58:01 +0100] conn=2313 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:58:01 +0100] conn=2312 op=2 UNBIND [24/Feb/2006:11:58:01 +0100] conn=2312 op=2 fd=64 closed - U1 [24/Feb/2006:11:58:01 +0100] conn=2313 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3 [24/Feb/2006:11:58:01 +0100] conn=2313 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" [24/Feb/2006:11:58:01 +0100] conn=2313 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell" [24/Feb/2006:11:58:01 +0100] conn=2313 op=1 RESULT err=0 tag=101 nentries=0 etime=0 [24/Feb/2006:11:58:01 +0100] conn=2313 op=2 UNBIND [24/Feb/2006:11:58:01 +0100] conn=2313 op=2 fd=65 closed - U1 [24/Feb/2006:11:58:01 +0100] conn=2314 fd=64 slot=64 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:58:01 +0100] conn=2314 op=0 BIND dn="" method=128 version=2 [24/Feb/2006:11:58:01 +0100] conn=2314 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [24/Feb/2006:11:58:01 +0100] conn=2314 op=1 SRCH base="dc=sorbonne,dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))" attrs="sendmailMTAAliasValue" [24/Feb/2006:11:58:02 +0100] conn=2315 fd=65 slot=65 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:58:02 +0100] conn=2315 op=0 BIND dn="" method=128 version=2 [24/Feb/2006:11:58:02 +0100] conn=2315 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [24/Feb/2006:11:58:02 +0100] conn=2315 op=1 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=basile.mathieu))" attrs="sendmailMTAAliasValue" [24/Feb/2006:11:58:03 +0100] conn=2314 op=1 RESULT err=4 tag=101 nentries=28 etime=2 notes=U [24/Feb/2006:11:58:04 +0100] conn=2315 op=2 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=bmathieu))" attrs="sendmailMTAAliasValue" [24/Feb/2006:11:58:04 +0100] conn=2315 op=1 RESULT err=4 tag=101 nentries=1 etime=2 notes=U [24/Feb/2006:11:58:05 +0100] conn=2316 fd=66 slot=66 connection from 195.220.107.251 to 195.220.107.251 [24/Feb/2006:11:58:05 +0100] conn=2316 op=0 BIND dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3 [24/Feb/2006:11:58:05 +0100] conn=2316 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" [24/Feb/2006:11:58:05 +0100] conn=2316 op=1 SRCH base=" ou=People,dc=sorbonne,dc=fr" scope=1 filter="(&(objectClass=posixAccount)(uid=bmathieu))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory loginShell" [24/Feb/2006:11:58:05 +0100] conn=2316 op=1 RESULT err=0 tag=101 nentries=1 etime=0 [24/Feb/2006:11:58:05 +0100] conn=2316 op=2 UNBIND [24/Feb/2006:11:58:05 +0100] conn=2316 op=2 fd=66 closed - U1 [24/Feb/2006:11:58:05 +0100] conn=2315 op=3 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-bmathieu))" attrs="sendmailMTAAliasValue" [24/Feb/2006:11:58:06 +0100] conn=2315 op=2 RESULT err=4 tag=101 nentries=1 etime=2 notes=U [24/Feb/2006:11:58:07 +0100] conn=2315 op=4 SRCH base="dc=sorbonne, dc=fr" scope=2 filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-basile.mathieu))" attrs="sendmailMTAAliasValue" [24/Feb/2006:11:58:07 +0100] conn=2315 op=3 RESULT err=4 tag=101 nentries=0 etime=2 notes=U [24/Feb/2006:11:58:08 +0100] conn=2315 op=5 UNBIND [24/Feb/2006:11:58:08 +0100] conn=2315 op=5 fd=65 closed - U1 [24/Feb/2006:11:58:08 +0100] conn=2314 op=2 UNBIND [24/Feb/2006:11:58:08 +0100] conn=2314 op=2 fd=64 closed - U1 [24/Feb/2006:11:58:08 +0100] conn=2315 op=4 RESULT err=4 tag=101 nentries=0 etime=1 notes=U thanks for help basile

2 1

[Fedora-directory-users] sendmail alias in fds
by basile 24 Feb '06

24 Feb '06

i explain our strange problem a little more we have a top level domain sorbonne.fr , and domain under this one like siris.sorbonne.fr or etab.sorbonne.fr alias works for domain siris and not for the others ( and not for top level sorbonne ) i delete domain siris , and the alias works for other domains , but not for all what happens is that sendmail search the sendmailMTAKey , and get the sendmailMATAliasValue , and then search this value as key , and then search this value as uid when it don t works , it doesn t search the value as key , and just search the alias as uid , which doesn t exist example key=basile.mathieu search key=basile.mathieu , attrs=value obtain bmathieu search key=bmathieu , attrs=value obtain bmathieu search uid=bmathieu works key=toto.exemple search key=toto.exemple ,attrs=value search uid=toto.exemple does not find dont works it s very strange

1 0

[Fedora-directory-users] allowing users to change their own passwords (solaris 10)
by Susan 24 Feb '06

24 Feb '06

Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody) As root, I can change any user's password and that works. As a regular user, however, no luck: -bash-3.00$ passwd passwd: Changing password for test passwd: Sorry, wrong passwd Permission denied -bash-3.00$ passwd -r ldap passwd: Changing password for test passwd: Sorry, wrong passwd Permission denied -bash-3.00$ I've this aci: (targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";) Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root users can change their passwords just fine! I've also two of these ACIs which I got from Gary Tay's site: (target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";) (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";) They seem to doing nothing either, i.e. removing them neither fixes nor breaks anything. Nothing in server/client logs either... Any ideas? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

3 10

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users February 2006