[Fedora-directory-users] Mac OS X Client authenticating against Fedora Directory Server
by Jim Summers
Hello List,
I am following up on a thread that was initiated by David Schibeci a few weeks
back. He was trying to configure os/x machines to authenticate against fds.
I too will have to authenticate some os/x machines when I migrate over to fds.
So I thought I should test it out.
Unfortunately I was not able to get it to work. All I am seeing in the
system.log file are entries such as:
DSOpenNode(): dsOpenDirNode("/LDAPv3/ipaddress") == -14002
DSGetCurrentConfigInfo(): dsGetRecordEntry() == -14061
Not too informative.
Any ideas or suggestions will be greatly appreciated.
Thanks
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
[Fedora-directory-users] People vs. Domain Users
by Mont Rothstein
I've been working with the Samba Howto (
http://directory.fedora.redhat.com/wiki/Howto:Samba).
In it the ldap user suffix is set to "ou=People".
Later, it walks through the creation of Samba Domain Groups, including
Domain Users.
I am confused by these two. When do user accounts go in ou=People and when
do they go in cn=Domain Users?
If someone could explain the difference between these two I would greatly
appreciate it.
Thanks,
-Mont
Re: [Fedora-directory-users] FDS AD Sync
by Daniel Shackelford
When you are replicating to AD, user accounts are fully synced upon creation. If you create a new user in FDS, the account and password will be immediately synced to AD. The issue is with accounts that already exist in AD (I am not sure about those that are in FDS) before a replication agreement is set up. If you are just now setting up FDS and want accounts created in FDS to also be created in AD at the same time, then you should not have any trouble if you have set up replication correctly.
We use FDS for provisioning new accounts via a portal. The account is created in FDS and it is replicated to AD. The user can immediately log onto our network. The PassSync part on AD makes sure that if their password is changed via the windows tools (Ctrl-Alt-Del -> change password, Computers and Users MMC -> reset password), it will also set the new password in FDS. Our system goes both ways. Accounts can be created in either directory, and they will be replicated (with passwords) to the other one.
Again, the issue is not with account creation, but with handling accounts that already exist before replication is set up. AD will not allow passwords to be read, only to be compared, and that is the main problem. I am not sure about FDS, and it may be possible to get the passwords out in order to reset them. Importing an ldif file to change the passwords will work, providing the passwords are in plain text. So if you can find a way to export the passwords in plain text (with the uid or dn), you may be able to reset them all in both directories in one fell swoop.
Good luck (and be careful)
> From your mail, I understood that you are trying to sync passwords from AD
> to FDS. I am trying to sync accounts the other way round from FDS to AD.
>
> If PassSync doesn't fully sync accounts between FDS and AD, which I regard as
> a replica of FDS, when I create a new user I have to create him on the AD and
> ask the user whose password is already saved on FDS to log in and change his
> password which he just created!
>
> This wasn't what I hoped for :(
>
> regards,
> Abdelrahman
--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648
"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many"
Mark 10:45
[Fedora-directory-users] API to detect password expiration
by François Beretti
Hi,
I am trying to implement password expiration in my LDAP software. I am
not using the fedora/mozilla/sun API, but the Novell API. So I can't
use specific functions if they exist.
There are three concepts I would like to integrate :
- Password must be changed after a reset
- Password expiration warning
- Password expired
How can I detect these three events ?
Moreover, what can I do within the maximum login attempts ? Only bind
then change the password ?
Thank you very much, and congratulations for this beautiful software
Regards,
François Beretti
RE: [Fedora-directory-users] Consumer initiated replication
by Bliss, Aaron
I would setup your servers so that both are masters (multi-master)
instead of supplier-consumer in which either server can commit changes
and initiate replication to the other.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
HARIHARAN R
Sent: Thursday, March 30, 2006 11:03 PM
To: fedora-directory-users(a)redhat.com
Subject: [Fedora-directory-users] Consumer initiated replication
Hi,
Does the Fedora Directory Server support consumer initiated replication?
If not, is there any work around for this ?
Please advise.
---
Hariharan.R
[Fedora-directory-users] mmr.pl, replication and changelog
by Alex aka Magobin
Hi,
I reinitialized the consumer (from supplier...initialize
consumer)...replication didn't work 5 times...on the 6th it worked and now
server1 replicates to server2 (but I don't know why). Plus I had to remove
replication with mmr.pl and re-run the script...
But consulting log I still see errors below:
NSMMReplicationPlugin: - replica_reload_ruv: Warning: new data for
replica dc=domain,dc=example,dc=com does not match the data in the
changelog,
Recreating the changelog file. This could affect replication with
replica's consumers in which case the consumers should be reinitialized.
How can I clear this problem??
Thanks
Alex
Re: [Fedora-directory-users] FDS AD Sync
by Daniel Shackelford
I had some trouble myself with passwords from AD making it into FDS.
Unfortunately no passwords are synced until they are changed on AD,
which means that if you have a 7000 user base like we do, there are very
few options for getting the passwords populated in FDS. PassSync uses a
DLL to capture passwords in plain text during the set password process,
and send them to FDS. This means that all those users that are synced
magically when you set up replication, will not have passwords until
they change their password on AD somehow. We started collecting
credentials from our proxy auth, and storing them for a massive import
after a few months. The import went well (I can tell you the process if
you like), but we still have 5000 accounts without passwords in FDS for
off-site users, and those who should be pruned. Now we are looking at a
web interface for handling these special cases (is it special when it
affects the majority of your users?).
The PassSync that was distributed with FDS 7.1 did not give much info on
what it was doing, and this led to an incorrect setup without knowing it
was incorrect. If you use the most recent version, you can enable
verbose logging, and see what is going on (it is a registry key under
HKEY_Local_Machine->Software->PasswordSync->Log Level). It turned out
that PassSync and FDS were not speaking to one another yet. I went
through the key import process (pk12util + certutil), restarted the
service, and away we went.
If you think you might be able to get the unix crypted passwords via
msSFU (Microsoft Services for Unix), and populate FDS, you would be
right, unless you are also wanting to synchronize those passwords. I
tried it and blew out the password for every user on our domain, and had
to recover from tape. The crypt is one-way, so once it is in FDS, you
can successfully authenticate, but it looks like junk to the password
sync code, and it ends up syncing junk to AD, which in turn, syncs junk
back to FDS. Bad bad bad.
So it sounds like you may not have the PassSync service set up quite
right, or you are expecting the passwords to be synced with the
accounts, but they won't because that is not really what PassSync does.
Either way you will have to address the issues of missing passwords in
FDS. Do you have any secure way of collecting the credentials of
users? A proxy/sniffer in front of your POP3 server? Just a suggestion.
--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648
"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many"
Mark 10:45
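Both of Daniel's posts turn on the same point: a bulk LDIF reset only works when the userPassword values are plaintext, and an already-hashed value (the msSFU crypt case) gets synced as junk in both directions. The following is an added example, not code from the list or from the project: a pre-import check that flags hashed userPassword values in an LDIF file. The LDIF sample, its DNs and its values are constructed for the example.

```python
import base64
import re

# Constructed sample LDIF (not from the list post): alice is a plaintext reset,
# bob is base64-encoded plaintext, carol carries a crypt hash as msSFU would hold.
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: CorrectHorse42

dn: uid=bob,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: QmF0dGVyeVN0YXBsZTI=

dn: uid=carol,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {CRYPT}$1$Zx9kQ2pL$n7aB3cD4eF5gH6iJ7kL8m/
"""

# Heuristics for "already hashed": an RFC 2307 scheme prefix such as {CRYPT} or
# {SSHA}, or a modular-crypt string such as $1$... / $6$... without a prefix.
HASH_PATTERNS = [
    re.compile(r"^\{[A-Za-z0-9-]+\}"),
    re.compile(r"^\$[0-9a-z]+\$"),
]

def parse_ldif_passwords(text):
    """Return [(dn, userPassword)]; decodes '::' base64 values and unfolds
    LDIF continuation lines (a leading space joins to the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    out, dn = [], None
    for line in lines:
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith("userPassword::"):
            out.append((dn, base64.b64decode(line[14:].strip()).decode()))
        elif line.startswith("userPassword:"):
            out.append((dn, line[13:].strip()))
    return out

def audit_ldif(text):
    """Map dn -> 'plaintext' or 'hashed'. Drop the 'hashed' entries before the
    import: once stored, the sync code would push that string around as junk."""
    return {dn: ("hashed" if any(p.match(pw) for p in HASH_PATTERNS) else "plaintext")
            for dn, pw in parse_ldif_passwords(text)}
```

Run audit_ldif over the real export and refuse the import if any entry comes back "hashed"; those accounts need a genuine reset rather than a copied hash.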
[Fedora-directory-users] Getting Started, POSIX accounts
by Michael Christian
Hi guys. I've installed FDS and the setup is killing me. Essentially all I
want to use it for is Posix accounts and groups and I'm having trouble with
groups.
Getting user accounts is no problem, the attributes are already there, but
posix groups are from scratch?
If someone could point me in the right direction, or send me a link I would
appreciate it. I've combed through the RHDS documentation and not been able
to find what I was looking for.
--
Michael
[Fedora-directory-users] fds and oracle authentication
by Bliss, Aaron
We're running fds in our environment; it's running great, however I was
wondering if it's possible to use the directory servers to authenticate
Oracle database users against? I know that Oracle has an application
called Oracle Internet Directory server, however I would rather not put
up yet another directory server. Any thoughts? Thanks very much.
Aaron