[Fedora-directory-users] Cases
by Fabio Gomes
Hi again,
I'm about to migrate our Sun One DS to Fedora DS. The tests executed in my
lab was pretty satisfactory.
But I would like to hear your experiences with that software in prodution
systems:
- How long are you running FDS?
- How many entries?
- Did anyone migrate from Sun DS to FDS?
I would really appretiate your comments.
Thx.
18 years, 2 months
[Fedora-directory-users] Problem with WindowsSync
by Sören Malchow
Hi,
i have a problem with synching my AD Users.
Everything seems to be fine, login ist ok, DS can reach AD, in a tcpdump i
see a search request from the DS, but afterwards there is an answer from
the AD server that says
"Can't parse message ID: Wrong type for that item"
the full initialization is reported as "sucessful" but no AD users show up
in the DS
anybdoy has an idea what i did wrong ?
Regards
soeren
Soeren Malchow
Head of Central Technical Services
Interone Worldwide GmbH
Schulterblatt 58
20357 Hamburg
T +49.40.43 29 69 - 547
F +49.40.43 29 69 - 90
mailto:soeren.malchow@interone.de
http://www.interone.de
NOTE: Information contained in this message is confidential and may be
legally privileged. If you are not the adressee indicated in this message
(or responsible for the delivery of the message to such person), you may
not copy, disclose or deliver this message or any part of it to anyone, in
any form. In such case, you should delete this message and kindly notify
the sender by reply Email. Opinions, conclusions and other information in
this message that does not relate to the official business of BBDO Germany
shall be understood as neither given nor endorsed by it.
18 years, 2 months
[Fedora-directory-users] POSTFIX and Prefilled data
by Scott Boggs
Hello,
I am looking into a method of automating POSTFIX attributes being added to a
user who is populated into the FDS from Active Directory with the
windows/password sync capability provided by FDS. Is there any sort of plug-in
that already exists which could do this? Or is there a method to pre-fill most
of the POSIX fields which do not change often (home dir, user shell ect.)?
I am hoping that I do not have to use a third party application or self made
scripts to accomplish this. It would nice if I can continue to use the servers
administrative GUI.
On the subject of having to use a alternate method to control POSIX information,
if it turns out that I won’t be able to use a automated method within the FDS’s
console, I am thinking of pulling the server away from the console. If the
choice is to pull the console functionality out of my FDS installation, how will
that affect my ability to perform the replication functions needed for account
and password synchronization?
Thanks for you Time
18 years, 2 months
[Fedora-directory-users] Error start-admin
by Douglas Hussey
I have made a fresh install of the latest DS version. I get the
following error when I attempt to start the admin server, what is
strange is the previous version runs fine on this machine 7.1-2. We
are running Redhat V4 AMD_64. JDK 1.5.0_05
ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libssl3.so' from
LD_PRELOAD cannot be preloaded: ignored.
ERROR: ld.so: object '/opt/fedora-ds/bin/admin/lib/libldap50.so' from
LD_PRELOAD cannot be preloaded: ignored.
Syntax error on line 150 of /opt/fedora-ds/admin-serv/config/httpd.conf:
Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into
server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: cannot open
shared object file: No such file or directory
Thanks
Doug
18 years, 2 months
[Fedora-directory-users] Kerberos database in FDS?
by Andrey Ivanov
Hi,
I was wondering if anyone tried a configuration with Kerberos using
LDAP as database. After some searching it seems that MIT kerberos is
not capable to do that. However, Heimdal has a special option for
that. The only problem is that this option is applicable only to
openldap and only to unix socket connections. At least that's what is
told in the doc and in numerous howtos. There is also a special schema
extension for storing these data in openLDAP. I haven't found these
objects (krb* or kerberos*) in FDS schema....
Can anyone tell anything about a possibility of using Kerberos with
the key/principals database stored in Fedora Directory Server, please?
Thank you
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
18 years, 2 months
[Fedora-directory-users] Re: Hosed sync with AD
by Daniel Shackelford
Thank you David.
Anyone able to address the other questions about ssl? I was able to use
the system version of ldapsearch to connect securely to my domain
controller from the FDS box. I can also connect the same way to FDS. I
have read that the -81 error means that there is a problem with my
server cert, or the ca cert that was used to create it. I have 2 server
certs signed by different CAs (nothing self-signed), and I have tried
them both. The CA certs are installed, and seem to be fine. I even
exported on to use on the local openldap in order to test connections to
the domain controller without a problem.
Is FDS dependent on specific versions of libssl3.so or ?... The thing
that confuses me the most is that it all seems to be working fine in
every other case. I am still not sure there isn't a problem with my
Win2003 domain controller...
Ack!
>Date: Tue, 31 Jan 2006 15:17:18 -0500
>From: Daniel Shackelford <dshackel(a)arbor.edu>
>Subject: [Fedora-directory-users] Hosed sync with AD
>To: FedoraUsers <fedora-directory-users(a)redhat.com>
>Message-ID: <43DFC5CE.1050909(a)arbor.edu>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Hello...
>
>Earlier this month we had an issue with one of our domain controllers
>(Win2003) and took it down. It was the one the directory server was
>pointing to for synchronization. Ever since then, no sync has occurred
>and I am back to getting the
>
>-81 (Peer's Certificate issuer is not recognized.)
>
>I have checked the DC, and all looks well. We were merely moving the
>logs to another volume, so it should not have an effect on ldap
>connections. I did some fiddling and at one point I removed the native
>java since I had installed the IBM version. Jessie depended on it, so
>that was removed as well. I have since gotten new certs and CA certs,
>and installed them, but still no luck on the connection. Certutil no
>longer worked, so I installed mozilla-nss, and now it does not work
>for other reasons:
>
>NSS_Initialize failed: An I/O error occurred during security authorization.
>
>All certificate management via the console seems to work fine...
>
>So, my questions are:
>
>Is there a way to get my ssl libraries so they line up with what FDS wants?
>Was jessie even involved in this issue?
>I already have all our data in this directory, so is there a way for me
>to get this thing syncing again without a wipe and reinstall?
>If I delete the sync agreement, and create a new one, what happens on
>the first sync? Will it just pick up where it left off, or will it
>choke on all the objects that were a part of the previous sync
>agreement? Will I have problems with my data since it has been over 10
>days since the last sync?
>
>
>
18 years, 2 months
[Fedora-directory-users] One Way Sync
by Scott Boggs
Hello,
I am interested in knowing if anyone is using the PassSync functionality in
only one direction, making the Fedora-DS a consumer only to the Active
Directory server. I am only interested in populating the Fedora-DS with the
user account information and passwords; there is no need for me to go in the
other direction. With that in mind, would I still create a 'Single Master'
replication configuration or is there an alternate method since the
Fedora-DS is really only the consumer and not a supplier? My guess is that
a 'Single Master' configuration will still have to be created since the
winsync code builds off the replication plug-in. If it turns out that the
Fedora-DS must be a supplier, is there any method to stop the Fedora-DS from
expecting the Active Directory system to have correctly sync'd databases?
Other than the functionality of pushing passwords and accounts from my
Fedora-DS system not being needed (in fact the AD server group will only
allow my Fedora-DS to pull and not update) I am hoping that this could fix
the "db vector errors" from occurring.
Any suggestions from the Fedora-DS veterans' out there? Thanks
18 years, 2 months
