[Fedora-directory-users] Import POSIX Users
by Dan Hawker
Hi All,
Have my test FDS 1.0.2 server up and running and touch wood, it seems to
be working well.
Am slightly confused about something that is pretty simple, just need some
clarification.
I am planning on migrating my users from having a username stored on every
server (around 10 or so) to having a central directory. Hence my install
of FDS. I have been testing the PADL migration tools to migrate my users.
One thing I have noticed is that when you import a user (or group) via
this mechanism there are a few attributes that are either not used or are
added. For instance if you look at groups...
A standard FDS *group* is a groupofuniquenames, whereas an imported group
is a posixgroup. Logical enough. The only real difference in simple terms
(that I can see) is that the posix one has a couple of extra attributes
such as groupid and memberUid, and the groupofuniquenames has an
additional description attribute.
What I am noticing however is that when adding users to groups that is a
*groupofuniquenames* you get to use the simple, easy-to-use dialogue,
whereas with the *posixgroup* you get the advanced dialogue. This is fine,
they are both easy to use. However when adding a new user (via the
console) you add a regular user. This can have posix attributes added (as
per the posix user tab) which is great. However I have noticed that
posixusers are not recognised as *users* when searching from the console
(say to add ppl to a group), hence you cannot use the usual add member to
a group if the user is a posixuser.
Also I wondered what happens when you add the aforementioned regular user to a
non-posix group. How does FDS (or indeed the posix based machine that is
asking for the info) understand if the user is a member of that group and
hence allow access to the resource???
So...
Am I missing something simple???
is this the nature of LDAP (or the way the interface works)???
should I *filter* my LDIF a bit more and edit it to suit *standard user &
groups* (will this work OK)???
should I just use posix users & groups (within FDS)???
is there a way of adding attributes to existing objectClasses to add the
additional attributes???
TIA
Dan
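An added example, not from Dan's post or the FDS project, of how an RFC 2307 client (nss_ldap style `id` / initgroups lookup) decides group membership: it matches the user's gidNumber and memberUid on posixGroup entries only, so a uniqueMember in a groupOfUniqueNames is invisible to it, while an LDAP-aware application sees exactly the reverse. The LDIF, DNs and names are all constructed for the example.

```python
import re
# Constructed LDIF: two posixAccounts, one posixGroup, one groupOfUniqueNames.
SAMPLE_LDIF = """\
dn: uid=dan,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: dan
gidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
gidNumber: 2000

dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: devs
gidNumber: 2000
memberUid: dan

dn: cn=Staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Staff
uniqueMember: uid=dan,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser: one dict of lower-cased attribute -> [values] per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def has_class(entry, oc):
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))

def posix_groups_for(uid, entries):
    """Groups `id <uid>` lists on an RFC 2307 client: the primary group (gidNumber)
    plus every posixGroup naming the uid in memberUid; groupOfUniqueNames is ignored."""
    user = next(e for e in entries if has_class(e, "posixAccount") and uid in e["uid"])
    return [g["cn"][0] for g in entries if has_class(g, "posixGroup")
            and (g["gidnumber"] == user["gidnumber"] or uid in g.get("memberuid", []))]

def dn_groups_for(dn, entries):
    """Groups an LDAP-aware application sees for a DN through uniqueMember."""
    return [g["cn"][0] for g in entries if has_class(g, "groupOfUniqueNames")
            and dn in g.get("uniquemember", [])]
```

Here dan reaches devs through memberUid and bob through his primary gidNumber, while Staff membership never shows up in `id` output; a Linux client will only honour groups that carry posixGroup attributes.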
[Fedora-directory-users] AD sync issues
by Vsevolod (Simon) Ilyushchenko
Hi,
I've half gotten the AD sync to work, but I have a couple of issues:
1. The updates are not propagated on their own. If I choose
'Send/Receive updates' from the sync agreement, they are immediately
transferred, but it never happens on its own.
2. I tried to follow the steps here:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/sync.html
under 'Setting Up SSL for the Password Sync Service' to transfer the FDS
SSL certificate to the AD machine, and when I run the command in step 2
in the alias directory, I get:
../shared/bin/pk12util -d . -P slapd-fa22 -o servercert.pfx -n Server-Cert
pk12util-bin: find user certs from nickname failed: security library:
bad database.
Can you tell me what I should be looking for? SSL access works on the
FDS machine, so the database should not be corrupt.
Thanks,
Simon
--
Simon (Vsevolod ILyushchenko) simonf(a)cshl.edu
http://www.simonf.com
"Think like a man of action, act like a man of thought."
Henri Bergson
[Fedora-directory-users] SSL Problem
by Jim Summers
Hello All,
While monitoring the access log on my FDS I am seeing the following message
popping up:
===============
[26/Apr/2006:14:59:30 -0500] conn=1 op=-1 fd=65 closed - Peer does not
recognize and trust the CA that issued your certificate.
===============
Is the "Peer" the client attempting to connect?
I have the following set in the /etc/ldap.conf on the machine that is trying
to connect:
tls_checkpeer no
tls_reqcert never
Which I thought would instruct the client to not really care and just encrypt
the packets.
Actually this seems to only happen with an ldapsearch command.
A sample search command I am testing with is:
ldapsearch -v -x -LLL -D "uid=tulsa2,ou=people,dc=ou,dc=edu" -W -H
ldaps://ldapserver.ou.edu -b ou=people,dc=ou,dc=edu '(uid=tulsa2)'
I can issue id commands and ssh into the client without problem and it is over
the ssl enabled 636 port. Which I just double checked with tcpdump and the logs.
I am not sure what I have messed up.
Ideas / Suggestions greatly appreciated.
TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
[Fedora-directory-users] Proxy Access to Directory
by Jim Summers
Hello List,
I just discovered that I can anonymously access my directory. I have scoured
over some of the docs and haven't seen a definitive howto on disabling that
access.
Is this an ACI mis-configuration on my part?
I have looked and do see an "Enable anonymous access" ACI at both the
NetscapeRoot and my domain levels. I am hesitant to remove them without
knowing whether that is safe. I would then in turn need to define ACIs for
the proxyDN?
Ideas / Suggestions?
TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
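An added example, not from Jim's post or the FDS project, that scans an LDIF export of the aci attribute for rules that allow anything to userdn = "ldap:///anyone" (unauthenticated binds). The constructed sample carries the stock "Enable anonymous access" ACI on one suffix and, on a second hypothetical suffix, the same read rights restricted to authenticated binds ("ldap:///all") plus a separate proxy grant for one service DN, which is the shape the proxyDN question points at.

```python
import re

# Constructed LDIF. Suffix one carries the stock "Enable anonymous access" ACI;
# suffix two shows the same read rights limited to authenticated binds plus an
# explicit proxy grant for one (hypothetical) service DN.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, compare, search) userdn = "ldap:///anyone";)

dn: dc=hardened,dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "Authenticated read"; allow (read, compare, search) userdn = "ldap:///all";)
aci: (targetattr = "*")(version 3.0; acl "Proxy agent"; allow (proxy) userdn = "ldap:///uid=proxyagent,ou=People,dc=hardened,dc=com";)
"""

# First permission clause of an ACI: acl "name"; allow|deny (rights) bind-rule;
ACI_RE = re.compile(
    r'acl\s*"(?P<name>[^"]*)"\s*;\s*(?P<verb>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);', re.I)
ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.I)

def parse_aci(aci):
    """Pull ACL name, verb, rights list and bind rule out of one ACI value."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError(f"unrecognised ACI: {aci!r}")
    return {"name": m["name"], "verb": m["verb"].lower(),
            "rights": [r.strip().lower() for r in m["rights"].split(",")],
            "bind": m["bind"].strip()}

def anonymous_grants(ldif_text):
    """(suffix, acl name, rights) for every ACI that allows something to
    ldap:///anyone, i.e. to unauthenticated binds."""
    found, dn = [], ""
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith("aci:"):
            aci = parse_aci(line[4:])
            if aci["verb"] == "allow" and ANYONE_RE.search(aci["bind"]):
                found.append((dn, aci["name"], aci["rights"]))
    return found
```

Run against a real export (db2ldif output, or an ldapsearch for the aci attribute over every suffix including o=NetscapeRoot) it lists exactly which rules still admit anonymous readers, so they can be replaced one by one rather than deleted blind.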
[Fedora-directory-users] problem with console on 1.0.2
by basile
hi
I installed FDS on Fedora Core 3 and get this error when I try
to launch the console:
httpd.worker: Syntax error on line 151 of
/opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load
/opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server:
/opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol:
apr_filename_of_pathname
I found 2 threads on that problem; in the first, the solution was to correct the
start-admin script (but it is still correct), and in the second to build the
module by hand :(
Is there any other solution?
thanks
basile
PS
Does the Red Hat team give binaries of fds-1.0.2 for Solaris 9?
[Fedora-directory-users] Best way to populate DS with account and group!
by Alex aka Magobin
Hi, now that I have a Fedora DS installed and replicated correctly with
SSL encryption, I would like to know what is the best way to populate DS with
accounts to authenticate Linux clients; the goal is to automate account
creation for client authentication and mail (postfix) authentication.
So, for example, I want that when I make an account on DS for "test" it
must authenticate the Linux client and must authenticate the postfix user (and
obviously the user must be added to the postfix group).
What is the best way?
thanks in advance
Alex
[Fedora-directory-users] directory server gateway access configuration
by Mikael Kermorgant
Hello,
I'd like to use the directory server gateway but I get a 401 error:
---
Authorization Required
This server could not verify that you are authorized to access the
document requested. Either you supplied the wrong credentials (e.g.,
bad password), or your browser doesn't understand how to supply the
credentials required.
---
I've not found the right way to configure access to the gateway. Could
someone point me in the right direction?
Thanks in advance,
--
Mikael Kermorgant
[Fedora-directory-users] MS Services for Unix integration?
by Vsevolod (Simon) Ilyushchenko
Hi,
Is anyone working on adding support for transferring the Posix
attributes from AD if SFU (Services for Unix) is enabled there? That
would be, ahem, incredibly useful.
By the way, someone implied that it might be possible to get
Unix-crypted passwords. Has anyone tried that?
Thanks,
Simon
--
Simon (Vsevolod ILyushchenko) simonf(a)cshl.edu
http://www.simonf.com
"Think like a man of action, act like a man of thought."
Henri Bergson
[Fedora-directory-users] replication errorlog
by Stein
Hi,
I'm running FDS 1.0.2 on an FC4 box, replicating users from an AD
server.
It seems to be working fine, but the error log fills up with:
NSMMReplicationPlugin - agmt="cn=adsynctest" (10:389): Replica has no
update vector. It has never been initialized.
But the incremental update still works fine.
If I add more logging on replication:
[25/Apr/2006:19:46:48 +0200] NSMMReplicationPlugin - changelog program -
libdb: txn_checkpoint: failed to flush the buffer cache No such file or
directory
[25/Apr/2006:19:46:48 +0200] NSMMReplicationPlugin - changelog program -
libdb: f6dd6a82-1dd111b2-80cd8aae-532f0000_444d0d010000ffff0000.db4:
unable to flush: No such file or directory
[25/Apr/2006:19:46:48 +0200] NSMMReplicationPlugin - changelog program -
libdb: txn_checkpoint: failed to flush the buffer cache No such file or
directory
[25/Apr/2006:19:46:49 +0200] NSMMReplicationPlugin - changelog program -
libdb: f6dd6a82-1dd111b2-80cd8aae-532f0000_444d0d010000ffff0000.db4:
unable to flush: No such file or directory
[25/Apr/2006:19:46:49 +0200] NSMMReplicationPlugin - changelog program -
libdb: txn_checkpoint: failed to flush the buffer cache No such file or
directory
So, ladies and gents, any idea what's going on?
Recap: everything works, just a lot of entries in the error log.
Stein