[Fedora-directory-users] Cos? or plug-in issue?
by Scott
I have been working with updating the attributeType 'uid' to conform the a
"caseExactMatch" setting. I understand that this does agree with RFC
standards, but this Directory Server will not be interacting with any ldap
applications. The primary purpose is user authentication.
I must be missing something on how the Directory Server (fedora-ds) defines
the attributes. I was under the impression I could just update the
00core.ldif entry and the new matching rule would then be applied. This has
proven not to be the case, I think it might have to do with the server
interacts with the plugins or the CoS which needs to be addressed.
Anyone who could educate me on a method to enforce case sensitivity for the
attribute uid, it would help me out greatly. I have read everything I can
find on the subject and it just does not seem to be documented (not in a
direct manner anyway).
This is how the attribute appears in the 00core.ldif after I attempted to
change the attribute definition but it does not seem to have any effect.
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) DESC
'Standard LDAP attribute type' EQUALITY caseExactMatch SUBSTR
caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC
1274' )
Thanks in advance to anyone who can point me in the correct direction, I
must be making this more difficult then it needs to be.
17 years, 3 months
[Fedora-directory-users] TLS authentication without a user mapped
by François Beretti
Hi,
is it possible to do a SASL/EXTERNAL bind with a TLS certificate,
while no user in the directory is mapped to the certificate DN ?
If yes, is it possible then to give rights to certificate DN (so, to a
DN that is not in the directory) ?
I would like this if I don't want to store users in a directory
(because they already are in another one.
Thank you
François
17 years, 3 months
RE: [Fedora-directory-users] Disabling vlv support
by Reinhard Nappert
Unfortunately there is a bug (iPlanet/SUN Directory Server used to have
the same bug, but it was fixed recently). In case you perform vlv
searches and modifications occur at the same time the server hangs. Have
a look at the release notes
(http://docs.sun.com/source/819-1814-10/relnotes_ds51sp4.html) bug-id
4973380. Therefore, I do not want to accept any vlv requests.
Cheers
-Reinhard
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Mike
Jackson
Sent: Monday, February 27, 2006 10:10 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Disabling vlv support
Richard Megginson wrote:
> Views and VLV (Virtual List Views) are different. Views allows you to
> impose a hierarchical DIT upon a flat tree (virtually). VLV is paged
> search results.
>
Right.
So, do you Rich have any tips how to disable VLV?
Although I still don't see the reason why somebody would want to do
this. Are there misbehaving clients on your network, or what?
--
mike
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
17 years, 3 months
[Fedora-directory-users] Disabling vlv support
by Reinhard Nappert
Hi,
I want to disable the virtual list view support. I would think that you
would just delete the appropriate OID (supportedControl attribute) from
the rootDSE object. However, the directory does not allow me to do that,
due to access control restrictions. I try to perform this modification
with the "super-administrator" account (cn=Directory Manager).
Can anybody point me to a way how the vlv feature can be disabled?
Thanks
-Reinhard
17 years, 3 months
RE: [Fedora-directory-users] Some password policy enforcement information questions
by Bliss, Aaron
Well, it turns out that the passwordExpWarned attribute doesn't get
changed either if a user authenticates to a server with a key via ssh;
so I had to redesign how the script works; I figured that it's probably
best to give the users the actual number of days they have before their
password will expire. I've actually turned it into 2 scripts, the bash
script is used to query the ldap server for password expiration info,
and it passes this value to the perl script; Calling this from
/etc/profile should work just fine. I thought this might be helpful to
other users (perl script was tough for me, as I've never really scripted
in perl but couldn't figure out a way to do in bash), so here you go:
#!/bin/bash
#use this script in order to figure out when the users
#password is going to expire and give them a heads up about it
#figure out who the user is
mynam=`whoami`
#create some exceptions to this rule so that they don't get a phony
messsage
if [ $mynam = root ] ; then
exit
fi
#pswarn1=`ldapsearch -x -ZZ "(uid=$mynam)" passwordExpWarned | grep
passwordExpWarned | grep -v '#' | awk '{print $2}'`
#figure out exactly when their password is going to expire
pswar=`ldapsearch -x -ZZ "(uid=$mynam)" passwordexpirationtime | grep
passwordexpirationtime | grep -v '#' | awk '{print $2}' | cut -c 1-8`
#setup some variables
pwmonth=`echo $pswar | cut -c 5-6`
pwday=`echo $pswar | cut -c 7-8`
pwyear=`echo $pswar | cut -c 1-4`
#perl script expects input year month day
/usr/local/sbin/ck_pass1.pl $pwyear $pwmonth $pwday
exit 0
#! /usr/bin/perl
use strict;
use warnings;
use Time::Local;
#epoch secs for 2 weeks equal 1209600
#setup vars that were passed in year, month, day in that order
my $varpass0 = $ARGV[0];
my $varpass1 = $ARGV[1];
my $varpass2 = $ARGV[2];
#timelocal doesn't work for dates past the year 2038
if ($varpass0 >= 2038) {
print "year passed is too much for this script\n";
exit 0;
}
#get todays date and format it properly
#beaware localtime is going to format year-1900 and month-1
my ($mday,$mmonth,$myear) = (localtime(time)) [3,4,5];
my $epdate = timelocal (0,0,0,$mday,$mmonth,$myear);
#get epoch date for when password will expire
#we have to format what was passed to us to make it usable by timelocal
my $varpass00 = $varpass0 - 1900;
my $varpass11 = $varpass1 - 1;
my $passexp = timelocal (0,0,0,$varpass2,$varpass11,$varpass00);
#subtract password expiration from today and see what we get
my $passans = $passexp - $epdate;
my $finans2 = $passans / 86400;
#lets see where we stand
#and send a warning to the end users if necessary
if ($passans <= 1209600) {
printf "Warning, Your Ldap password will expire in %.0f", $finans2;
print " days\n";
}
-----Original Message-----
From: Bliss, Aaron
Sent: Monday, February 20, 2006 10:35 AM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: [Fedora-directory-users] Some password policy enforcement
information questions
Yep, this issue occurs over ssh.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
Megginson
Sent: Monday, February 20, 2006 10:08 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement
information questions
Bliss, Aaron wrote:
>Some more trouble with password expiration warnings; I have passwords
>warnings being displayed to users when they use passwords, however
>users configured to use key authentication
>
Do you mean ssh?
>do not receive this warnings; has
>anyone seen this before? This is of course going to be a very big
>problem for me. Any ideas? Thanks again.
>
>
>Aaron
>
>-----Original Message-----
>From: Bliss, Aaron
>Sent: Wednesday, January 25, 2006 7:48 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: [Fedora-directory-users] Some password policy enforcement
>information questions
>
>Turns out the issue I was having was with my clients; I'm not sure why,
>but the administrator before me had "UseLogin Yes" set in
>/etc/ssh/sshd_config; commenting this out immediately started
>generating password warnings to users (as configured by the directory
>server); does anyone know what the UseLogin option is used for?
Thanks.
>
>Aaron
>
>-----Original Message-----
>From: Bliss, Aaron
>Sent: Thursday, January 19, 2006 3:15 PM
>To: 'General discussion list for the Fedora Directory server project.'
>Subject: RE: [Fedora-directory-users] Some password policy enforcement
>information questions
>
>Thanks very much for the explanation; makes much sense to me now; I did
>some playing around, and got the directory server to spit out to me
>that your password is going to expire in x amount of days. Thanks
again.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
>Megginson
>Sent: Thursday, January 19, 2006 2:35 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Some password policy enforcement
>information questions
>
>It looks like the way it works is this:
>When you have enabled password warning, an operational attribute called
>"passwordExpWarned" is created in the user's entry. The value will be
>0 until the user does a successful BIND operation and the time between
>now and the configured password expiration time is less than or equal
>to the configured password warning time. When this happens, the
>warning will be sent, the value of passwordExpWarned will be changed to
>1, and the operational attribute passwordExpirationTime in the user's
>entry will be set to the time at which the password will expire. When
>the user changes the password, passwordExpWarned will be reset to 0 and
>passwordExpirationTime will be set to the new expiration time.
>
>Bliss, Aaron wrote:
>
>
>
>>If I've configured a correct password policy and the warning attribute
>>is not getting updated, should this be considered a bug?
>>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces(a)redhat.com
>>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
>>Richard
>>
>>
>
>
>
>>Megginson
>>Sent: Thursday, January 19, 2006 1:48 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Some password policy enforcement
>>information questions
>>
>>Bliss, Aaron wrote:
>>
>>
>>
>>
>>
>>>Please forgive me if I'm asking silly newbie questions, however I'm
>>>trying to understand exactly what I'm seeing thru fds; first the
>>>policy
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>>I've configured on the directory using the fds console:
>>>I've enabled fine-grain password policy for the data unit, including
>>>password history enforcement, password expiration after 90 days,
>>>password warning 14 days before password expires, check password
>>>syntax, account lockout policy enabled after 3 login failures for 120
>>>minutes and reset failure count after 15 minutes.
>>>
>>>Everything seems to be working except for send password warning; in
>>>
>>>
>the
>
>
>>>client's ldap.conf file, I've enabled pam_lookup_policy yes.
>>>
>>>Looking at account information attributes for a user,
>>>passwordexpwarnd
>>>
>>>
>
>
>
>>>value is 0; I've reset users password to try to initialize the
>>>password
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>>policy, however this value never seems to change. According to this
>>>documentation
>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#10
>>>7
>>>7
>>>0
>>>81 I believe that this attribute is stored in seconds. Is this true?
>>>
>>>
>>>
>>>
>>>
>>>
>>Yes.
>>
>>
>>
>>
>>
>>>If so, what can I do to ensure this attribute is getting updated
>>>(assuming that this is the attribute responsible for triggering
>>>password expiration warning).
>>>
>>>
>>>
>>>
>>>
>>>
>>I'm not really sure.
>>
>>
>>
>>
>>
>>>Second issue/question:
>>>I've looked at this wiki
>>>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very
>>>bottom it mentions adding the following
>>>
>>>dn: cn=config
>>>changetype: modify
>>>add: passwordExp
>>>passwordExp: on
>>>-
>>>add: passwordMaxAge
>>>passwordMaxAge: 8640000 (this I believe would give a password max age
>>>of 100 days)
>>>
>>>Do I need to add these attributes even though I've configured the
>>>password policy using fds console has done this for me. Is this the
>>>case, I see don't these attributes in the gui, however I do see
>>>passwordexpirationtime as an attribute and is set to 90 days from now
>>>(I'm want to ensure that accounts are indeed locked after passwords
>>>have expired).
>>>
>>>
>>>
>>>
>>>
>>>
>>Those attributes are only for global (default) password policy - what
>>you have set for fine grained password policy will override those.
>>
>>
>>
>>
>>
>>>Also, Jim Summers posted to this group that he saw an issue with
>>>shadowpasswd / shadowexpire fields not being updated
>>>https://www.redhat.com/archives/fedora-directory-users/2005-December/
>>>m
>>>s
>>>g
>>>00367.html
>>>
>>>Can anyone tell me what these fields are used for, as I don't see any
>>>mention of them in this documentation
>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#10
>>>7
>>>7
>>>0
>>>81
>>>
>>>
>>>
>>>
>>>
>>>
>>Right. They are a PAM/posix thing - FDS treats them as any other data
>>- it doesn't update them from it's own password policy.
>>
>>
>>
>>
>>
>>>Thanks again very much.
>>>
>>>Aaron
>>>
>>>
>>>
>>>
>>>www.preferredcare.org
>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>>Power and Associates
>>>
>>>Confidentiality Notice:
>>>The information contained in this electronic message is intended for
>>>
>>>
>>>
>>>
>>the exclusive use of the individual or entity named above and may
>>contain privileged or confidential information. If the reader of this
>>message is not the intended recipient or the employee or agent
>>responsible to deliver it to the intended recipient, you are hereby
>>notified that dissemination, distribution or copying of this
>>information is prohibited. If you have received this communication in
>>error, please notify the sender immediately by telephone and destroy
>>the copies you received.
>>
>>
>>
>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users(a)redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>>
>>>
>>>
>>>
>>www.preferredcare.org
>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>Power and Associates
>>
>>Confidentiality Notice:
>>The information contained in this electronic message is intended for
>>
>>
>the exclusive use of the individual or entity named above and may
>contain privileged or confidential information. If the reader of this
>message is not the intended recipient or the employee or agent
>responsible to deliver it to the intended recipient, you are hereby
>notified that dissemination, distribution or copying of this
>information is prohibited. If you have received this communication in
>error, please notify the sender immediately by telephone and destroy
>the copies you received.
>
>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>>
>
>
>www.preferredcare.org
>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>Power and Associates
>
>Confidentiality Notice:
>The information contained in this electronic message is intended for
the exclusive use of the individual or entity named above and may
contain privileged or confidential information. If the reader of this
message is not the intended recipient or the employee or agent
responsible to deliver it to the intended recipient, you are hereby
notified that dissemination, distribution or copying of this information
is prohibited. If you have received this communication in error, please
notify the sender immediately by telephone and destroy the copies you
received.
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
17 years, 3 months
[Fedora-directory-users] dumping the data base
by Scott Boggs
Hello,
I am attempting to pull the schema of my FDS, I am use to using a command such
as 'ldapsearch -x -s base -b "" subschemasubentry' or 'ldapsearch -b
"cn=subschema" attributetypes'
Can anyone shine any light on how my syntax is wrong with these commands. I am
trying to pull the subschema to show the various attribute definitions.
I am sure I have just missed how to do it in the docs.
Thanks in advance
17 years, 3 months
[Fedora-directory-users] Admin console and problem with allowed ip/host, can't log in anymore :=)
by Kimmo Koivisto
Hello
I have FDS 1.0.1 installed to RHEL4ES and I managed to deny admin console
connections from anywhere :)
I have domain ton.fi and by default admin server seems to allow connections
only from *.ton.fi. I need to connect admin server from anywhere and I
thought that I could add * to the allowed host list... I did it with admin
console.
After I applied changes, I no longer could log in to the admin console, even
from localhost, error log says:
<error log>
[Fri Feb 24 08:41:21 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:21 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Access Host filter is: (*.ton.fi|*)
[Fri Feb 24 08:41:22 2006] [notice] Access Address filter is: *
[Fri Feb 24 08:41:22 2006] [notice] Apache/2.0 configured -- resuming
normal operations
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host [ldap2.ton.fi] did not match pattern
[(*.ton.fi|*)] -will scan aliases
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [ldap2] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [localhost.localdomain] did not match
pattern [(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [localhost] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [ldapsrv] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: host alias [*] did not match pattern
[(*.ton.fi|*)]
[Fri Feb 24 08:46:51 2006] [notice] [client 127.0.0.1]
admserv_host_ip_check: Unauthorized host ip=127.0.0.1, connection
</error log>
I tried to modify local.conf but it is always overwritten when I restart admin
server.
How to remove that * from the settings and what is the proper way to allow
connections to admin server from anywhere. Admin connections are restricted
with IPsec, FDS can allow it from anywhere, no problems with security.
I was able to migrate from IBM LDAP to FDS and I'm really happy. I did not
like IBM's multimaster replication, too many problems and did not know where
to get support. FDS and mmr just works.
Thanks for the great product :)
Best Regards
Kimmo Koivisto
17 years, 3 months
[Fedora-directory-users] sendmail alias in fds
by basile
hi
i try to use sendmail with sendamail alias in fds and have problems
here are definition of alias
dn: sendmailMTAKey=Basile.Mathieu,dc=siris,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: Basile.Mathieu
sendmailMTAAliasValue: bmathieu
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
dn: sendmailMTAKey=bmathieu,dc=siris,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: bmathieu
sendmailMTAAliasValue: bmathieu
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
dn: sendmailMTAKey=Alain.Lierre,dc=paris4,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: Alain.Lierre
sendmailMTAAliasValue: alierre
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
dn: sendmailMTAKey=alierre,dc=paris4,dc=sorbonne,dc=fr
sendmailMTAAliasGrouping: aliases
sendmailMTAAliasGrouping: revaliases
sendmailMTAHost: sorbon2.sorbonne.fr
sendmailMTAKey: alierre
sendmailMTAAliasValue: alierre
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
here i test email with sendmail
#/usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf
Alain.Lierre(a)sorbon2.sorbonne.fr
Alain.Lierre@sorbon2.sorbonne.fr... User unknown sorbon2
# /usr/lib/sendmail -bv -C /etc/mail/sendmail-tx.cf
Basile.mathieu(a)sorbon2.sorbonne.fr
bmathieu... deliverable: mailer local, user bmathieu
why the first alias is not recognize
user bmathieu and alierre are defined
search base is dc=sorbonne,dc=fr
and here are logs of fds
[24/Feb/2006:11:57:50 +0100] conn=2307 fd=64 slot=64 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:50 +0100] conn=2307 op=0 BIND
dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:57:50 +0100] conn=2307 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:57:50 +0100] conn=2307 op=1 SRCH base="
ou=People,dc=sorbonne,dc=fr" scope=1
filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid
uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:57:50 +0100] conn=2307 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[24/Feb/2006:11:57:50 +0100] conn=2307 op=2 UNBIND
[24/Feb/2006:11:57:50 +0100] conn=2307 op=2 fd=64 closed - U1
[24/Feb/2006:11:57:50 +0100] conn=2308 fd=65 slot=65 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:50 +0100] conn=2308 op=0 BIND
dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:57:50 +0100] conn=2308 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:57:50 +0100] conn=2308 op=1 SRCH base="
ou=People,dc=sorbonne,dc=fr" scope=1
filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid
uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:57:50 +0100] conn=2308 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[24/Feb/2006:11:57:50 +0100] conn=2308 op=2 UNBIND
[24/Feb/2006:11:57:50 +0100] conn=2308 op=2 fd=65 closed - U1
[24/Feb/2006:11:57:50 +0100] conn=2309 fd=64 slot=64 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:50 +0100] conn=2309 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:57:50 +0100] conn=2309 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[24/Feb/2006:11:57:50 +0100] conn=2309 op=1 SRCH
base="dc=sorbonne,dc=fr" scope=2
filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))"
attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:51 +0100] conn=2310 fd=65 slot=65 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:51 +0100] conn=2310 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:57:51 +0100] conn=2310 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[24/Feb/2006:11:57:51 +0100] conn=2310 op=1 SRCH base="dc=sorbonne,
dc=fr" scope=2
filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=alain.lierre))"
attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:57:52 +0100] conn=2309 op=1 RESULT err=4 tag=101
nentries=28 etime=2 notes=U
[24/Feb/2006:11:57:53 +0100] conn=2311 fd=66 slot=66 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:57:53 +0100] conn=2311 op=0 BIND
dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:57:53 +0100] conn=2311 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 SRCH base="
ou=People,dc=sorbonne,dc=fr" scope=1
filter="(&(objectClass=posixAccount)(uid=alain.lierre))" attrs="cn uid
uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:57:53 +0100] conn=2311 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[24/Feb/2006:11:57:53 +0100] conn=2310 op=2 UNBIND
[24/Feb/2006:11:57:53 +0100] conn=2310 op=2 fd=65 closed - U1
[24/Feb/2006:11:57:53 +0100] conn=2309 op=2 UNBIND
[24/Feb/2006:11:57:53 +0100] conn=2309 op=2 fd=64 closed - U1
[24/Feb/2006:11:57:53 +0100] conn=2311 op=2 UNBIND
[24/Feb/2006:11:57:53 +0100] conn=2311 op=2 fd=66 closed - U1
[24/Feb/2006:11:57:53 +0100] conn=2310 op=1 RESULT err=4 tag=101
nentries=0 etime=2 notes=U
[24/Feb/2006:11:58:01 +0100] conn=2312 fd=64 slot=64 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:01 +0100] conn=2312 op=0 BIND
dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:58:01 +0100] conn=2312 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:58:01 +0100] conn=2312 op=1 SRCH base="
ou=People,dc=sorbonne,dc=fr" scope=1
filter="(&(objectClass=posixAccount)(uid=mailnull))" attrs="cn uid
uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:58:01 +0100] conn=2312 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[24/Feb/2006:11:58:01 +0100] conn=2313 fd=65 slot=65 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:01 +0100] conn=2312 op=2 UNBIND
[24/Feb/2006:11:58:01 +0100] conn=2312 op=2 fd=64 closed - U1
[24/Feb/2006:11:58:01 +0100] conn=2313 op=0 BIND
dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:58:01 +0100] conn=2313 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:58:01 +0100] conn=2313 op=1 SRCH base="
ou=People,dc=sorbonne,dc=fr" scope=1
filter="(&(objectClass=posixAccount)(uid=sendmail))" attrs="cn uid
uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:58:01 +0100] conn=2313 op=1 RESULT err=0 tag=101
nentries=0 etime=0
[24/Feb/2006:11:58:01 +0100] conn=2313 op=2 UNBIND
[24/Feb/2006:11:58:01 +0100] conn=2313 op=2 fd=65 closed - U1
[24/Feb/2006:11:58:01 +0100] conn=2314 fd=64 slot=64 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:01 +0100] conn=2314 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:58:01 +0100] conn=2314 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[24/Feb/2006:11:58:01 +0100] conn=2314 op=1 SRCH
base="dc=sorbonne,dc=fr" scope=2
filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=revaliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=root))"
attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:02 +0100] conn=2315 fd=65 slot=65 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:02 +0100] conn=2315 op=0 BIND dn="" method=128 version=2
[24/Feb/2006:11:58:02 +0100] conn=2315 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[24/Feb/2006:11:58:02 +0100] conn=2315 op=1 SRCH base="dc=sorbonne,
dc=fr" scope=2
filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=basile.mathieu))"
attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:03 +0100] conn=2314 op=1 RESULT err=4 tag=101
nentries=28 etime=2 notes=U
[24/Feb/2006:11:58:04 +0100] conn=2315 op=2 SRCH base="dc=sorbonne,
dc=fr" scope=2
filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=bmathieu))"
attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:04 +0100] conn=2315 op=1 RESULT err=4 tag=101
nentries=1 etime=2 notes=U
[24/Feb/2006:11:58:05 +0100] conn=2316 fd=66 slot=66 connection from
195.220.107.251 to 195.220.107.251
[24/Feb/2006:11:58:05 +0100] conn=2316 op=0 BIND
dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr" method=128 version=3
[24/Feb/2006:11:58:05 +0100] conn=2316 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=proxyagent,ou=profile,dc=sorbonne,dc=fr"
[24/Feb/2006:11:58:05 +0100] conn=2316 op=1 SRCH base="
ou=People,dc=sorbonne,dc=fr" scope=1
filter="(&(objectClass=posixAccount)(uid=bmathieu))" attrs="cn uid
uidNumber gidNumber gecos description homeDirectory loginShell"
[24/Feb/2006:11:58:05 +0100] conn=2316 op=1 RESULT err=0 tag=101
nentries=1 etime=0
[24/Feb/2006:11:58:05 +0100] conn=2316 op=2 UNBIND
[24/Feb/2006:11:58:05 +0100] conn=2316 op=2 fd=66 closed - U1
[24/Feb/2006:11:58:05 +0100] conn=2315 op=3 SRCH base="dc=sorbonne,
dc=fr" scope=2
filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-bmathieu))"
attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:06 +0100] conn=2315 op=2 RESULT err=4 tag=101
nentries=1 etime=2 notes=U
[24/Feb/2006:11:58:07 +0100] conn=2315 op=4 SRCH base="dc=sorbonne,
dc=fr" scope=2
filter="(&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=)(sendmailMTAHost=sorbon2.sorbonne.fr))(sendmailMTAKey=owner-basile.mathieu))"
attrs="sendmailMTAAliasValue"
[24/Feb/2006:11:58:07 +0100] conn=2315 op=3 RESULT err=4 tag=101
nentries=0 etime=2 notes=U
[24/Feb/2006:11:58:08 +0100] conn=2315 op=5 UNBIND
[24/Feb/2006:11:58:08 +0100] conn=2315 op=5 fd=65 closed - U1
[24/Feb/2006:11:58:08 +0100] conn=2314 op=2 UNBIND
[24/Feb/2006:11:58:08 +0100] conn=2314 op=2 fd=64 closed - U1
[24/Feb/2006:11:58:08 +0100] conn=2315 op=4 RESULT err=4 tag=101
nentries=0 etime=1 notes=U
thanks for help
basile
17 years, 3 months
[Fedora-directory-users] sendmail alias in fds
by basile
i explain our strange problem a little more
we have a top level domain sorbonne.fr , and domain under this one like
siris.sorbonne.fr or etab.sorbonne.fr
alias works for domain siris and not for the others ( and not for top
level sorbonne )
i delete domain siris , and the alias works for other domains , but not
for all
what happens is that sendmail search the sendmailMTAKey , and get the
sendmailMATAliasValue ,
and then search this value as key , and then search this value as uid
when it don t works , it doesn t search the value as key , and just
search the alias as uid , which doesn t exist
example
key=basile.mathieu
search key=basile.mathieu , attrs=value
obtain bmathieu
search key=bmathieu , attrs=value
obtain bmathieu
search uid=bmathieu
works
key=toto.exemple
search key=toto.exemple ,attrs=value
search uid=toto.exemple
does not find
dont works
it s very strange
17 years, 3 months
[Fedora-directory-users] allowing users to change their own passwords (solaris 10)
by Susan
Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)
As root, I can change any user's password and that works. As a regular user, however, no luck:
-bash-3.00$ passwd
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$ passwd -r ldap
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$
I've this aci:
(targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone
||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage
||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate
||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write)
userdn="ldap:///self";)
Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root
users can change their passwords just fine!
I've also two of these ACIs which I got from Gary Tay's site:
(target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl
LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn =
"ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
(targetattr =
"cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version
3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
They seem to doing nothing either, i.e. removing them neither fixes nor breaks anything.
Nothing in server/client logs either...
Any ideas?
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
17 years, 3 months
