[Fedora-directory-users] Replication Problem!
by Alex aka Magobin
hi,
testing replication, I've configured a user in the consumer and it correctly
replicates to the nodo2 supplier... after that, I've set up a second user in
the supplier... but nothing is replicated to the consumer... so I tried to re-run
mmr.pl... and in the supplier logs:
NSMMReplicationPlugin: - replica_reload_ruv: Warning: new data for
replica dc=domain,dc=example,dc=com does not match the data in the
changelog,
Recreating the changelog file. This could affect replication with
replica's consumers in which case the consumers should be reinitialized.
How do I proceed in this case?
How and where do I recreate the changelog?
Thanks
Alex
P.S: Where is documentation about configuring Fedora DS to authenticate
users for both user login and mail accounts with postfix?
RE: [Fedora-directory-users] Getting Started, POSIX accounts
by Tay, Gary
It depends on whether you intend to use one of these options in
/etc/ldap.conf:
1) pam_member_attribute uniquemember
or
2) pam_member_attribute memberuid
Pls note that the default FDS install would create ou=Groups and some
sample group entries if you choose to create samples, whereas the sample
PADL or RH client's /etc/ldap.conf would usually use ou=group (or
ou=Group) instead of ou=Groups.
nss_base_group ou=Group,dc=padl,dc=com?one
If your choice is 1), you could point the group lookup at ou=Groups and
use objectclass groupofuniquenames.
If your choice is 2), you could point the group lookup at ou=Group and
use objectclass posixgroup.
I usually won't use ou=Groups and will manually create an additional OU
(New OU in Admin GUI) called ou=group after the default install, and
when populating the DIT with group entries I will add objectclass:
posixgroup in ldif file, and with user entries I will add objectclass:
posixaccount and objectclass: shadowaccount.
If I use the Admin GUI to create a user entry, I have to manually
"Enable Posix User Attributes", so that I can enter uidNumber and
gidNumber and so on; I also add the additional objectclass: shadowaccount by
clicking Advanced Properties and inserting the new objectclass; if not, LDAP
auth won't work.
You may find a HOW-TO I wrote for Solaris Native LDAP Client useful.
http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Michael Christian
Sent: Thursday, March 30, 2006 7:49 AM
To: Fedora-directory-users(a)redhat.com
Subject: [Fedora-directory-users] Getting Started, POSIX accounts
Hi guys. I've installed FDS and the setup is killing me.
Essentially all I want to use it for is Posix accounts and groups and
I'm having trouble with groups.
Getting user accounts is no problem, the attributes are already
there, but posix groups are from scratch?
If someone could point me in the right direction, or send me a
link I would appreciate it. I've combed through the RHDS documentation
and not been able to find what I was looking for.
--
Michael
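Gary's answer pairs a group OU, an objectclass and a pam_member_attribute choice, and notes that a user created without the POSIX attributes or shadowaccount will not authenticate. As an added example (not code from the thread, from FDS or from nss_ldap), the Python below parses a small constructed LDIF in that layout, checks each entry for the MUST attributes of the objectclasses he names, and models the client-side group lookup both ways (uniqueMember under ou=Groups, memberUid under ou=group). The lookup model is an assumption: a simplification of what nss_ldap does with an `nss_base_group <base>?one` setting, not its real code, and the entries and names (alice, bob, admins, staff, dc=example,dc=com) are invented for the example.

```python
# Added example: check POSIX entries and model the two group-lookup
# configurations from the thread.  Constructed data, not from FDS.

# MUST attributes from RFC 2307 (posixAccount, shadowAccount, posixGroup)
# and RFC 2256 (groupOfUniqueNames); names lower-cased for comparison.
MUST = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
    "posixgroup": {"cn", "gidnumber"},
    "groupofuniquenames": {"cn", "uniquemember"},
}

# Constructed LDIF mirroring Gary's layout: FDS's default ou=Groups holds a
# groupOfUniqueNames, the hand-made ou=group holds a posixGroup.  bob was
# added without "Enable Posix User Attributes" and without shadowAccount.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
cn: Bob Example
gidNumber: 20001

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=alice,ou=People,dc=example,dc=com

dn: cn=staff,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 20001
memberUid: alice
memberUid: bob
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, folded continuations starting with a space.  Attribute names
    are lower-cased because LDAP compares them case-insensitively."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:            # folded line
            entry[last][-1] += line[1:]
        elif not line.strip():                       # end of entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entries


def missing_must(entry):
    """List 'objectclass.attribute' for each absent MUST attribute, plus
    'shadowaccount' for a posixAccount lacking the class Gary adds so
    that PAM authentication works."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    problems = [f"{oc}.{attr}"
                for oc in sorted(classes & set(MUST))
                for attr in sorted(MUST[oc] - set(entry))]
    if "posixaccount" in classes and "shadowaccount" not in classes:
        problems.append("shadowaccount")
    return problems


def resolve_groups(entries, base, objectclass, member_attr, user):
    """Model the client lookup: entries directly under `base` (the '?one'
    scope), of the configured objectclass, whose member attribute lists
    `user`.  For uniqueMember `user` is the full DN, for memberUid the
    bare uid, which is why a mismatched pairing finds nothing.
    Returns {cn: gidNumber or None}."""
    found = {}
    for e in entries:
        parent = e["dn"][0].split(",", 1)[1]         # fine for these DNs
        classes = {c.lower() for c in e.get("objectclass", [])}
        members = {m.lower() for m in e.get(member_attr.lower(), [])}
        if (parent.lower() == base.lower() and objectclass.lower() in classes
                and user.lower() in members):
            found[e["cn"][0]] = e.get("gidnumber", [None])[0]
    return found


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        print(e["dn"][0], "->", missing_must(e) or "ok")
    base = "dc=example,dc=com"
    # Choice 1 (uniquemember, ou=Groups), choice 2 (memberuid, ou=group),
    # and the mismatch: posixGroup lookup aimed at FDS's default ou=Groups.
    print(resolve_groups(entries, "ou=Groups," + base, "groupOfUniqueNames",
                         "uniqueMember", "uid=alice,ou=People," + base))
    print(resolve_groups(entries, "ou=group," + base, "posixGroup",
                         "memberUid", "alice"))
    print(resolve_groups(entries, "ou=Groups," + base, "posixGroup",
                         "memberUid", "alice"))
```

Run against a real export (`ldapsearch -x -b dc=example,dc=com > dump.ldif`), `missing_must` flags the GUI-created users that still lack uidNumber/homeDirectory or shadowAccount, and the last lookup shows the empty result you get when the client's `nss_base_group` and objectclass point at the wrong OU.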
[Fedora-directory-users] FDS & Red Hat Certificate System
by Susan
Hi, everyone. I think this subject has been briefly raised before but I've more questions.
Can RHCS be used to hand out CA certs to Unix clients (linux/solaris)?
Has anybody done this?
RHCS doesn't seem to be open-sourced. Is there a reliable free alternative?
The problem I'm trying to solve is that my CA cert is self-signed. I guess even if it weren't,
the management is a little concerned about MITM attacks against the FDS, so we need a way to
verify that the server saying that it's our FDS really is the FDS. Right now no certs are
deployed on the clients, we're using them only for SSL traffic encryption.
What's the best way to go about doing this? I don't want to manually create/deploy dozens of
certs for various clients. I also need a way to implement a CRL somehow, in case a box is
compromised.
Thank you.
[Fedora-directory-users] comment about setupssl.sh
by Susan
I was looking through the script from the wiki and I saw this line:
../shared/bin/certutil -S -n "Server-Cert" -s "cn=$myhost,ou=Fedora Directory Server" .....
Wouldn't it be better to change that to -n "`hostname`" or something like that because when you
create certs for multiple servers, they all end up being called Server-Cert which causes
confusion.
What do you guys think?
[Fedora-directory-users] FDS AD Sync
by Abdelrahman
Hi all,
I have been playing with FDS for a couple of months now.
My company has many Windows machines and the users are stored in LDAP,
and they want to control access from the Windows machines to the
Internet through 802.1x authentication, without having to purchase a
third-party client for them. To my knowledge, Windows doesn't support PAP
authentication and there isn't a way for LDAP to support MSCHAPv2
authentication.
While reading the documentation, I found out about Pass Sync. After
struggling for a while, I was able to start SSL on the FDS and my AD, I
installed Pass Sync on the Windows machine and started a sync agreement
policy on the FDS.
Everything is working perfectly but I have the following problem:
When I start the sync between the FDS and AD, the synced accounts are
disabled by default in AD; also, even when I enable them, their
passwords aren't copied the first time.
I tried to enable a synced account and log in on a machine in the domain; a
message said that I am required to change the password for the first time,
so I concluded that passwords weren't copied with the account!
I thought that it was a policy on the Windows domain controller, so I
disabled all the policies on it, especially the password ones.
I tried checking the logs but I don't know where to search or what for.
I don't know what to do.
Regards
Abdelrahman
[Fedora-directory-users] SSL problem on replication!
by Alex aka Magobin
hi,
I used the Replication HOWTO to make a replica with 2 servers; after that I
saw that replication was without encryption, so I made my own CA
and made two certificates, one for each server... I made the requests
from the Fedora Console and then installed them from the same console.
Testing on the second server, I tried to restart slapd; the server
correctly asks for the PIN for the Internal Software Token, but then it says:
[22/Mar/2006:11:20:39 +0100] - SSL alert: CERT_VerifyCertificateNow:
verify certificate failed for cert nodo2-cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 -
Peer's Certificate issuer is not recognized.)
[22/Mar/2006:11:20:39 +0100] - SSL failure: None of the cipher are valid
...what does it mean? ...maybe I have made some mistake with SSL?
...how can I resolve this problem?
...is it possible to go back?
thanks in advance
Alex
[Fedora-directory-users] fedora-ds FC5 rpm
by Matteo Centonza
Hi,
is there any chance of having an FC5 RPM for fedora-ds 1.0.2?
I know that I can build it myself but unfortunately
in this particular test environment (FC5 under VMware Server)
there's a problem with dsbuild (gcc/VMware related).
Thanks in advance,
-m
[Fedora-directory-users] nsAdminAccessHosts
by Matteo Centonza
Hi,
after adding a single IP address to the list of allowed hosts/domains
for the admin-server I can't log in anymore.
The change was made through the console:
from e.g.:
configuration.nsAdminAccessHosts: *.example.com
to:
configuration.nsAdminAccessHosts: (*.example.com|185.118.64.237)
Trying to connect from both addresses, I receive an error, corresponding
in the admin-serv access log file to a pattern mismatch.
My question is: how can I reset this value?
Thanks in advance,
-m
[Fedora-directory-users] Re: Bind FDS to one specific ip-address
by Michael Smedeus
Hi Richard,
That solved it, thank you very much for the quick response.
My best
M.Smedéus
From: Richard Megginson <rmeggins redhat com>
To: "General discussion list for the Fedora Directory server
project." <fedora-directory-users redhat com>
Subject: Re: [Fedora-directory-users] Bind FDS to one specific
ip-address
Date: Tue, 28 Mar 2006 08:05:29 -0700
If the two interfaces have different IP addresses, you can use the
attribute nsslapd-listenhost in cn=config e.g. in dse.ldif:
dn: cn=config
....
nsslapd-listenhost: 192.168.1.1
There is also an nsslapd-securelistenhost if you want to do the same for
your SSL port.
Michael Smedeus wrote:
Hi,
I'm trying to bind FDS 1.0.2 on Fedora Core 4 to listen on only one
specific IP address on the regular port 389. The machine has one physical
interface, eth0, with two virtual interfaces, eth0 and eth0:1, with different
IPs and subnets. The IP on interface eth0 is already used for an OpenLDAP proxy
that must not be interfered with.
I can't find any solution in the documentation or FAQs, and tests on a
test server with a similar setup haven't helped much.
Is it possible to configure FDS to listen only on eth0:1 port 389 without
interfering with eth0 port 389?
My best
M.Smedéus