[Fedora-directory-users] How interchangeable are LDAP servers?
by Mont Rothstein
We have a windows app that uses an LDAP server for authentication.
For our clients that don't already have an LDAP server we provide FDS.
However many of our clients already have an LDAP server (AD, Novell, IBM,
Oracle).
How interchangeable are LDAP servers? Are we likely to be able to just talk
to any server, or will we need custom code for each?
In addition to authentication we plan to create and assign roles, and
possibly use a small custom schema.
Any information or pointers to information on this would be appreciated. I
couldn't find anything via Google.
Thanks,
-Mont
18 years
[Fedora-directory-users] Another one-button script - rebuild_fds.sh
by Tay, Gary
FDS Folks,
Another automated script from me.
Gary
> #! /bin/sh
> #
> # rebuild_fds.sh - ReBuild Fedora Directory Server
> #
> # Gary Tay
> #
> # NOTE: This script will rebuild a FDS Server compatible with BOTH
> # RedHat and Solaris LDAP Clients
> #
> # 1) Make sure 'root' is used to run this script
> # 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
> #
> #set -vx
> IS_ROOT_UID=`id | grep "uid=0(root)"`
> if [ ! -n "$IS_ROOT_UID" ]; then
> echo "Please run this script as root"
> exit 1
> fi
> if [ ! -f /home/ldap/dirmgr.pwd ]; then
> echo "Please setup /home/ldap/dirmgr.pwd."
> exit 1
> else
> chmod 600 /home/ldap/dirmgr.pwd
> fi
> # Please customize the following
> FDS1_PATH=/opt/fedora-ds
> HOST=ldap1
> DOMAIN="example.com"
> BASEDN="dc=example,dc=com"
> SLAPD_OWNER=nobody
> SLAPD_GROUP=nobody
> LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
> export LD_LIBRARY_PATH
> PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
> echo "ASSUMPTION: This script assumes that you have performed"
> echo "'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server"
> echo "and you have re-run the setup program"
> echo "ns-slapd should be running"
> echo "Press [Ctrl-C] to abort, enter [Yes] to continue..."
> read a_key
> [ "$a_key" != "Yes" ] && exit 1
> # Load schemas
> cat <<EOF >/tmp/61DUAConfigProfile.ldif
> dn: cn=schema
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList' DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in seconds a DUA should allow for a search to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in seconds a DUA should allow for the bind operation to complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it should follow referrals returned by a DSA search result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring which identifies the type of authentication method used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time to live, in seconds, before a client DUA should re-read this configuration profile' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA should use when binding to the LDAP server for a specific service' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC 'Authentication method used by a service of the DUA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
> objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase $ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod $ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL ) )
> EOF
> cat <<EOF >/tmp/62nisDomain.ldif
> dn: cn=schema
> attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
> objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top STRUCTURAL MUST nisDomain X-ORIGIN 'user defined' )
> EOF
> /bin/cp -f /tmp/61DUAConfigProfile.ldif $FDS1_PATH/slapd-$HOST/config/schema
> /bin/cp -f /tmp/62nisDomain.ldif $FDS1_PATH/slapd-$HOST/config/schema
> chown $SLAPD_OWNER:$SLAPD_GROUP $FDS1_PATH/slapd-$HOST/config/schema/61DUAConfigProfile.ldif
> chown $SLAPD_OWNER:$SLAPD_GROUP $FDS1_PATH/slapd-$HOST/config/schema/62nisDomain.ldif
> $FDS1_PATH/slapd-$HOST/stop-slapd
> $FDS1_PATH/slapd-$HOST/start-slapd
> # Add nisDomainObject
> cat <<EOF >/tmp/add_nisDomainObject.ldif
> dn: $BASEDN
> changetype: modify
> add: objectclass
> objectclass: nisdomainobject
> -
> replace: nisdomain
> nisdomain: $DOMAIN
>
> EOF
> ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_nisDomainObject.ldif
> # Add two ACIs
> cat <<EOF >/tmp/add_two_ACIs.ldif
> dn: $BASEDN
> changetype: modify
> add: aci
> aci: (targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
> -
> add: aci
> aci: (target="ldap:///$BASEDN")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,$BASEDN";)
>
> EOF
> ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/add_two_ACIs.ldif
> # Modify default password storage scheme
> cat <<EOF >/tmp/mod_passwordStorageScheme.ldif
> dn: cn=config
> changetype: modify
> replace: passwordStorageScheme
> passwordStorageScheme: CRYPT
> EOF
> ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/mod_passwordStorageScheme.ldif
> # Create ou=group, proxyAgent and ldapclient profiles
> cat <<EOF >/tmp/People.ldif
> dn: uid=gtay, ou=People, $BASEDN
> givenName: Gary
> sn: Tay
> loginShell: /bin/bash
> uidNumber: 6167
> gidNumber: 102
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: gtay
> cn: Gary Tay
> homeDirectory: /home/gtay
> userPassword: {CRYPT}U8bo2twhJ9Kkg
>
> dn: uid=tuser, ou=People, $BASEDN
> givenName: Test
> sn: User
> loginShell: /bin/bash
> uidNumber: 9999
> gidNumber: 102
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: tuser
> cn: Test User
> homeDirectory: /home/tuser
> userPassword: {SHA}MWxHz/4F3kXGXlfK4EvIJUo2C2U=
>
> EOF
> $FDS1_PATH/shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/People.ldif
> cat <<EOF >/tmp/group_and_other_OUs.ldif
> dn: ou=group,$BASEDN
> objectClass: organizationalUnit
> objectClass: top
> ou: group
>
> dn: cn=Users,ou=group,$BASEDN
> cn: Users
> gidNumber: 102
> objectClass: top
> objectClass: posixGroup
> memberUid: gtay
> memberUid: tuser
>
> dn: ou=netgroup,$BASEDN
> objectClass: organizationalUnit
> objectClass: top
> ou: netgroup
>
> dn: ou=sudoers,$BASEDN
> objectClass: organizationalUnit
> objectClass: top
> ou: sudoers
>
> EOF
> $FDS1_PATH/shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/group_and_other_OUs.ldif
> cat <<EOF >/tmp/proxyAgent_and_profiles.ldif
> dn: ou=profile,$BASEDN
> objectClass: top
> objectClass: organizationalUnit
> ou: profile
>
> dn: cn=proxyAgent,ou=profile,$BASEDN
> objectClass: top
> objectClass: person
> cn: proxyAgent
> sn: proxyAgent
> userPassword: {CRYPT}l14aeXtphVSUg
>
> dn: cn=default,ou=profile,$BASEDN
> objectClass: top
> objectClass: DUAConfigProfile
> defaultServerList: $HOST.$DOMAIN
> defaultSearchBase: $BASEDN
> authenticationMethod: simple
> followReferrals: TRUE
> defaultSearchScope: one
> searchTimeLimit: 30
> profileTTL: 43200
> cn: default
> credentialLevel: proxy
> bindTimeLimit: 2
> serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
> serviceSearchDescriptor: group: ou=group,$BASEDN?one
> serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
> serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
> serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one
>
> dn: cn=tls_profile,ou=profile,$BASEDN
> ObjectClass: top
> ObjectClass: DUAConfigProfile
> defaultServerList: $HOST.$DOMAIN
> defaultSearchBase: $BASEDN
> authenticationMethod: tls:simple
> followReferrals: FALSE
> defaultSearchScope: one
> searchTimeLimit: 30
> profileTTL: 43200
> bindTimeLimit: 10
> cn: tls_profile
> credentialLevel: proxy
> serviceSearchDescriptor: passwd: ou=People,$BASEDN?one
> serviceSearchDescriptor: group: ou=group,$BASEDN?one
> serviceSearchDescriptor: shadow: ou=People,$BASEDN?one
> serviceSearchDescriptor: netgroup: ou=netgroup,$BASEDN?one
> serviceSearchDescriptor: sudoers: ou=sudoers,$BASEDN?one
>
> EOF
> $FDS1_PATH/shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/proxyAgent_and_profiles.ldif
> echo "Rebuild done."
>
> ===Sample Run===
>
> # ./rebuild_fds.sh
> ASSUMPTION: This script assumes that you have performed
> 'rpm -e' and then 'rpm -ivh' to reinstall Fedora Directory Server
> and you have re-run the setup program
> ns-slapd should be running
> Press [Ctrl-C] to abort, enter [Yes] to continue...
> Yes
> modifying entry dc=example,dc=com
>
> modifying entry dc=example,dc=com
> ldap_modify: Type or value exists
>
> modifying entry cn=config
>
> adding new entry uid=gtay, ou=People, dc=example,dc=com
>
> adding new entry uid=tuser, ou=People, dc=example,dc=com
>
> adding new entry ou=group,dc=example,dc=com
>
> adding new entry cn=Users,ou=group,dc=example,dc=com
>
> adding new entry ou=netgroup,dc=example,dc=com
>
> adding new entry ou=sudoers,dc=example,dc=com
>
> adding new entry ou=profile,dc=example,dc=com
>
> adding new entry cn=proxyAgent,ou=profile,dc=example,dc=com
>
> adding new entry cn=default,ou=profile,dc=example,dc=com
>
> adding new entry cn=tls_profile,ou=profile,dc=example,dc=com
>
> Rebuild done.
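The script above sets passwordStorageScheme to CRYPT and loads one {CRYPT} and one unsalted {SHA} hash into ou=People. As an added example (not part of Gary's script), the Python below builds and verifies the {SHA} and {SSHA} userPassword formats that Fedora/389 Directory Server understands, and shows the property a defender cares about: unsalted {SHA} values are byte-identical for identical passwords, so anyone who can read userPassword (the proxyagent ACI above grants compare and search on it) can spot accounts sharing a password without cracking anything, while {SSHA} appends a random salt. Traditional crypt(3), which CRYPT selects, additionally truncates passwords to eight characters. The DNs and passwords in the sample are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the thread: {SHA} and {SSHA} userPassword values as
# stored by Fedora/389 Directory Server (SSHA = base64(SHA-1(pw||salt) || salt)).


def sha_hash(password):
    """Unsalted {SHA}: the same password always yields the same value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password, salt=None):
    """Salted {SSHA}: an 8-byte random salt makes equal passwords look different."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored, candidate):
    """Check a candidate password against a stored {SHA} or {SSHA} value."""
    if not stored.startswith("{"):
        raise ValueError("no scheme prefix")
    scheme, _, encoded = stored[1:].partition("}")
    raw = base64.b64decode(encoded)
    pw = candidate.encode("utf-8")
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported scheme: " + scheme)


def shared_password_groups(entries):
    """Group DNs whose stored userPassword values are identical.

    For unsalted {SHA} this exposes accounts that share a password with no
    cracking at all; for {SSHA} the per-entry salt makes the groups empty.
    `entries` is a list of (dn, stored_value) pairs.
    """
    groups = {}
    for dn, stored in entries:
        groups.setdefault(stored, []).append(dn)
    return [dns for dns in groups.values() if len(dns) > 1]


if __name__ == "__main__":
    # Constructed sample: two accounts with the same unsalted hash stand out.
    sample = [("uid=a,ou=People,dc=example,dc=com", sha_hash("password")),
              ("uid=b,ou=People,dc=example,dc=com", sha_hash("password")),
              ("uid=c,ou=People,dc=example,dc=com", ssha_hash("password")),
              ("uid=d,ou=People,dc=example,dc=com", ssha_hash("password"))]
    print(shared_password_groups(sample))
```

Separately, every ldapmodify call in the script passes the Directory Manager password as -w `cat /home/ldap/dirmgr.pwd`, which places it on the command line where any local user can read it from the process list for the duration of the call; the 0600 mode on the file does not protect it once it is expanded into an argument.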
18 years
[Fedora-directory-users] Startconsole issues on Windows
by Ken Morehouse
Hello all. I just recently installed Fedora Directory Server v1.0.2-1. I'm
able to get the startconsole script to start up without an issue on the
RedHat server, but have been having considerable issues trying to get the
code to run on my workstation.
I get lost with Java pretty easily, and this is most likely user error, but
I can't seem to get a resolution. Any help will be greatly appreciated.
If I could get the Java to load, I can work through any connectivity to the
admin server.
Here are some of the details of my attempts.
1) Tried to run ./startconsole -D on the server, but only get
"Fedora-Management-Console/1.0 B2006.060.198" on stdout.
2) Used the HOWTO at
http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole to build the
fedora folder and script on my XP workstation.
3) No SSL setup on the server until the basics are working.
4) When running the batch file on my machine, I get the following error.
"Exception in thread "main" java.lang.NoClassDefFoundError:
/com/netscape/management/client/console/Console"
- Output from java -version on my workstation:
java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)
- Contents of my batch file
@echo off
set PATH=c:\fedora\lib\jss;c:\fedora\java;c:\fedora\lib;c:\program files\Java\jre1.5.0_06\bin;%PATH%
"C:\Program files\Java\jre1.5.0_06\bin\java" -ms8m -mx64m -cp .;.\java\fedora-nmclf-1.0.jar;.\java\fedora-base.jar;.\java\ldapjdk.jar;.\java\fedora-mcc-1.0.jar;.\java\fedora-nmclf-1.0_en.jar;.\java\fedora-mcc-1.0_en.jar;.\java\jss3.jar; -Djava.library.path=c:\fedora\lib -Djava.util.prefs.systemRoot=.\.java -Djava.util.prefs.userRoot=
.com.netscape.management.client.console.Console -D -a http://adminsserver:port
- Contents of my c:\fedora\java directory
04/12/2006 10:24 AM 37,364 fedora-base-1.0.jar
04/12/2006 10:24 AM 1,004,998 fedora-mcc-1.0.jar
04/12/2006 10:24 AM 109,407 fedora-mcc-1.0_en.jar
04/12/2006 10:24 AM 26,242 fedora-nmclf-1.0.jar
04/12/2006 10:24 AM 10,306 fedora-nmclf-1.0_en.jar
04/12/2006 09:26 AM <DIR> html
04/12/2006 09:26 AM <DIR> jars
04/12/2006 10:24 AM 611,431 jss3.jar
04/12/2006 10:24 AM 264,659 ldapjdk.jar
- Contents of my c:\fedora\lib directory
04/12/2006 10:24 AM 123,480 acl-plugin.so
04/12/2006 10:24 AM 17,824 attr-unique-plugin.so
04/12/2006 10:24 AM 74,160 chainingdb-plugin.so
04/12/2006 10:24 AM 33,612 cos-plugin.so
04/12/2006 10:24 AM 9,488 des-plugin.so
04/12/2006 10:24 AM 23,808 http-client-plugin.so
04/11/2006 04:20 PM <DIR> jss
04/12/2006 10:24 AM 379,800 libback-ldbm.so
04/12/2006 10:24 AM 174,613 libjss3.so
04/12/2006 10:24 AM 22,536 liblcoll.so
04/12/2006 10:24 AM 13,036 passthru-plugin.so
04/12/2006 09:26 AM <DIR> perl
04/12/2006 10:24 AM 18,980 pwdstorage-plugin.so
04/12/2006 10:24 AM 16,956 referint-plugin.so
04/12/2006 10:24 AM 387,172 replication-plugin.so
04/12/2006 10:24 AM 32,384 retrocl-plugin.so
04/12/2006 10:24 AM 24,512 roles-plugin.so
04/12/2006 10:24 AM 7,432 statechange-plugin.so
04/12/2006 10:24 AM 24,736 syntax-plugin.so
04/12/2006 10:24 AM 15,736 views-plugin.so
18 years
[Fedora-directory-users] mass delete : size limit problem
by Mikael Kermorgant
Hello,
I'd like to run a script that deletes everything from ou=People (~ 5000
users).
The problem is that I first run a search and the result size is limited by
the server.
Increasing this limit would surely work but I don't find it very elegant.
Do you see another solution?
Thanks in advance,
--
Mikael Kermorgant
PS: My script does the following:
import ldap

# l (a bound LDAPObject), baseDN and searchScope are set up earlier in the script
retrieveAttributes = ["entrydn"]
searchFilter = "(uid=*)"
ldap_result_id = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
while 1:
    # all=0: fetch one result at a time instead of waiting for the whole set
    result_type, result_data = l.result(ldap_result_id, 0)
    if result_data == []:
        break
    elif result_type == ldap.RES_SEARCH_ENTRY:
        print(result_data[0][1]['entrydn'][0] + ' deleted')
        l.delete_s(result_data[0][1]['entrydn'][0])
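One way to empty the subtree without raising the server's size limit is to ask for a bounded batch, delete what came back, and search again until nothing is left. The Python below is an added example, not Mikael's script: the Directory class is a constructed in-memory stand-in for a bound connection, where search() returns at most `sizelimit` entries plus a flag saying more exist (with python-ldap you get the same information by collecting entries from conn.result() until it raises ldap.SIZELIMIT_EXCEEDED) and delete() refuses non-leaf entries the way a real server does (ldap.NOT_ALLOWED_ON_NONLEAF). The loop handles the two failure modes a practitioner hits in practice: a parent returned in a batch whose children were not, and a server limit so small that no leaf is ever reachable, which is reported instead of looping forever. python-ldap's SimplePagedResultsControl is the other standard answer when the server supports paged results.

```python
# Added example, not from the thread. Directory is a constructed stand-in for a
# python-ldap connection so the batching logic can run and be tested offline.


class NotAllowedOnNonLeaf(Exception):
    """Stand-in for ldap.NOT_ALLOWED_ON_NONLEAF (constructed for this example)."""


class Directory:
    def __init__(self, dns, server_limit):
        self.entries = set(dns)
        self.server_limit = server_limit  # the server's own size limit

    def search(self, base, sizelimit=0):
        """Entries at or below base, capped by the smaller of client and server limit.

        Returns (entries, truncated); truncated is True when more exist.
        """
        matches = sorted(dn for dn in self.entries if dn == base or dn.endswith("," + base))
        limit = self.server_limit if sizelimit <= 0 else min(sizelimit, self.server_limit)
        return matches[:limit], len(matches) > limit

    def delete(self, dn):
        if any(other.endswith("," + dn) for other in self.entries):
            raise NotAllowedOnNonLeaf(dn)
        self.entries.remove(dn)


def delete_subtree(conn, base, batch=500):
    """Delete everything below base (base itself is kept) in bounded batches.

    Returns the number of entries deleted. Each round asks for batch+1 entries
    (one slot may be taken by base), deletes the deepest DNs first, and widens
    the window only when a round made no progress because parents came back
    without their children.
    """
    total = 0
    last_seen = -1
    while True:
        found, truncated = conn.search(base, sizelimit=batch + 1)
        victims = sorted((dn for dn in found if dn != base),
                         key=lambda dn: dn.count(","), reverse=True)
        if not victims:
            if truncated:
                raise RuntimeError("size limit too low to see any child of %s" % base)
            return total
        progress = 0
        for dn in victims:
            try:
                conn.delete(dn)
                progress += 1
            except NotAllowedOnNonLeaf:
                pass  # its children were not in this batch; a later round gets them
        if progress == 0:
            if truncated and len(found) > last_seen:
                last_seen = len(found)
                batch *= 2
                continue
            raise RuntimeError("no progress under %s (size limit too low or ACI denies delete)" % base)
        total += progress


if __name__ == "__main__":
    # Constructed sample: 25 users plus one nested entry, server limit 10, batch 7.
    base = "ou=People,dc=example,dc=com"
    users = ["uid=u%d,%s" % (i, base) for i in range(25)] + ["cn=sub,uid=u3," + base]
    d = Directory([base] + users, server_limit=10)
    print("deleted", delete_subtree(d, base, batch=7), "entries; left:", d.entries)
```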
18 years
[Fedora-directory-users] OS Migration
by Jim Summers
Hello List,
I am closing in on my target date to switch over to FDS. On my test machines
I have been running with FC4. I need to re-install the operating system and
when I do I will have to use RHEL4.
My plan was to shutdown the DS.
Then make a tarball of /opt/fedora-ds and several other directories.
Next re-install with RHEL4
Drop in my iptables
Install fedora-ds and verify the OS / performance settings.
Then extract my fedora-ds tarball
and then hold my breath and start the DS service(s) and presto all is well???
Does this sound like a feasible approach?
I am a little unsure if it will break any of my configured ssl stuff. Which
is a basic self-signed scenario using the /opt/fedora-ds/shared/bin/certutil
for the key generation.
TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
18 years
[Fedora-directory-users] Are these messages in errors log critical?
by Tay, Gary
I have managed to set up the SSL config and started slapd. The following
appear in the errors log; may I know if they are critical errors?
Gary
[12/Apr/2006:05:58:12 -0400] - Fedora-Directory/1.0.2 B2006.060.1925 starting up
[12/Apr/2006:05:58:12 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[12/Apr/2006:05:58:12 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[12/Apr/2006:05:58:12 -0400] - Failed to initialize cipher AES in attrcrypt_init
[12/Apr/2006:05:58:12 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[12/Apr/2006:05:58:12 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[12/Apr/2006:05:58:12 -0400] - Failed to initialize cipher AES in attrcrypt_init
[12/Apr/2006:05:58:12 -0400] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[12/Apr/2006:05:58:12 -0400] - Listening on All Interfaces port 636 for LDAPS requests
18 years
[Fedora-directory-users] Automated script for complementing SSL HowTo
by Tay, Gary
FDS Folks,
I wrote this script for the benefits of all.
Gary
> Content of cr_ssl_certs_fds1ldap.sh
>
> #! /bin/sh
> #
> # cr_ssl_certs_fds1ldap.sh
> #
> # 1) Make sure 'root' is used to run this script
> # 2) Make sure /home/ldap/dirmgr.pwd contains password of cn=Directory Manager
> #
> #set -vx
> IS_ROOT_UID=`id | grep "uid=0(root)"`
> if [ ! -n "$IS_ROOT_UID" ]; then
> echo "Please run this script as root"
> exit 1
> fi
> if [ ! -f /home/ldap/dirmgr.pwd ]; then
> echo "Please setup /home/ldap/dirmgr.pwd."
> exit 1
> else
> chmod 600 /home/ldap/dirmgr.pwd
> fi
> # Please customize the following
> HOST="ldap1"
> DOMAIN="example.com"
> BASEDN="dc=example,dc=com"
> FQDN="$HOST.$DOMAIN"
> ORG="Example Companies"
> LOCALITY="NewYork City"
> STATE="NewYork"
> COUNTRY="US"
> SLAPD_OWNER="nobody"
> SLAPD_GROUP="nobody"
> FDS1_PATH=/opt/fedora-ds
> LD_LIBRARY_PATH=$FDS1_PATH/shared/lib:$FDS1_PATH/lib
> export LD_LIBRARY_PATH
> PATH=$FDS1_PATH/shared/bin:$PATH; export PATH
> cd $FDS1_PATH/alias
> DOW=`date | cut -d' ' -f1`
> echo "Backing up existing *.db (if any) to backup_$DOW."
> mkdir -p backup_$DOW >/dev/null 2>/dev/null
> cp -p *.db backup_$DOW >/dev/null 2>/dev/null
> /bin/rm -f *.db >/dev/null 2>/dev/null
> echo "secretpwd" >pwdfile.txt
> chmod 600 pwdfile.txt
> echo "dsadasdasdasdadasdasdasdasdsadfwerwerjfdksdjfksdlfhjsdk" >noise.txt
> echo "Creating new security key3.db/cert8.db pair."
> ../shared/bin/certutil -N -d . -f pwdfile.txt
> echo "Generating encryption key."
> ../shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
> echo "Generating self-signed CA certificate."
> ../shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x \
> -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo "Generating self-signed Server certificate."
> ../shared/bin/certutil -S -n "Server-Cert" -s \
> "cn=$FQDN,O=$ORG,L=$LOCALITY,ST=$STATE,C=$COUNTRY" -c "CA certificate" \
> -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
> echo "Renaming and linking modified security DBs."
> mv -f key3.db slapd-$HOST-key3.db
> mv -f cert8.db slapd-$HOST-cert8.db
> ln -s slapd-$HOST-key3.db key3.db
> ln -s slapd-$HOST-cert8.db cert8.db
> echo "Setting the correct ownership of security DBs"
> chown $SLAPD_OWNER:$SLAPD_GROUP *.db
> echo "Self-signed CA and SSL Server certs generated."
> echo ""
> echo "The following commands are OPTIONAL."
> echo "They are for backing up CA and Server Certs in PK12 format,"
> echo "exporting the CA Cert in ASCII format or DER format, and"
> echo "importing the CA Cert into the Admin Server"
> echo ""
> echo "---Start of OPTIONAL commands---"
> cat <<EOF >optional_cmds.txt
> ../shared/bin/pk12util -d . -P slapd-$HOST- -o cacert.pfx -n "CA certificate"
> ../shared/bin/pk12util -d . -P slapd-$HOST- -o servercert.pfx -n "Server-Cert"
> ../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
> -a > cacert.asc
> ../shared/bin/certutil -L -d . -P slapd-$HOST- -n "CA certificate" \
> -r > cacert.der
> ../shared/bin/certutil -A -d . -P admin-serv-$HOST- -n "CA certificate" \
> -t "CT,," -a -i cacert.asc
> EOF
> cat optional_cmds.txt
> echo "---End of OPTIONAL commands---"
> echo ""
> echo "Modifying server SSL configurations."
> echo "NOTE: changes will be saved to config/dse.ldif when slapd is shutdown"
> cat <<EOF >/tmp/ssl_enable.ldif
> dn: cn=encryption,cn=config
> changetype: modify
> replace: nsSSL3
> nsSSL3: on
> -
> replace: nsSSLClientAuth
> nsSSLClientAuth: allowed
> -
> add: nsSSL3Ciphers
> nsSSL3Ciphers: -rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha
> -
> add: nsKeyfile
> nsKeyfile: alias/slapd-$HOST-key3.db
> -
> add: nsCertfile
> nsCertfile: alias/slapd-$HOST-cert8.db
>
> dn: cn=config
> changetype: modify
> add: nsslapd-security
> nsslapd-security: on
> -
> replace: nsslapd-ssl-check-hostname
> nsslapd-ssl-check-hostname: off
>
> EOF
> ../shared/bin/ldapmodify -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/ssl_enable.ldif
> cat <<EOF >/tmp/delRSA.ldif
> cn=RSA,cn=encryption,cn=config
>
> EOF
> ../shared/bin/ldapdelete -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/delRSA.ldif
> [ $? -eq 0 ] && echo "deleting cn=RSA,cn=encryption,cn=config"
> cat <<EOF >/tmp/addRSA.ldif
> dn: cn=RSA,cn=encryption,cn=config
> objectclass: top
> objectclass: nsEncryptionModule
> cn: RSA
> nsSSLPersonalitySSL: Server-Cert
> nsSSLToken: internal (software)
> nsSSLActivation: on
>
> EOF
> ../shared/bin/ldapmodify -a -c -D "cn=Directory Manager" -w `cat /home/ldap/dirmgr.pwd` -f /tmp/addRSA.ldif
> echo "Creating a pin.txt for auto-starting of slapd."
> echo "Internal (Software) Token:`cat pwdfile.txt`" >slapd-$HOST-pin.txt
> chown $SLAPD_OWNER:$SLAPD_GROUP slapd-$HOST-pin.txt
> chmod 400 slapd-$HOST-pin.txt
> echo ""
> echo "IMPORTANT NOTES:"
> echo ""
> echo "1. How to check if SSL Configurations are done properly?"
> echo "You may view config/dse.ldif after shutting down slapd"
> echo "to verify all the required SSL configurations are there."
> echo ""
> echo "2. How to fix slapd startup issue due to mis-configuration of SSL?"
> echo "If for any reason slapd fails to start due to SSL issue,"
> echo "you may edit config/dse.ldif after shutting down slapd"
> echo "and revert back to non-SSL configs."
> echo "i.e. set nsSSL3: off, nsslapd-security: off"
> echo "and then try to restart slapd."
> echo ""
>
> =======Sample run.
>
> # ./cr_ssl_certs_fds1ldap.sh
> Backing up existing *.db (if any) to backup_Wed.
> Creating new security key3.db/cert8.db pair.
> Generating encryption key.
>
>
> Generating key. This may take a few moments...
>
> Generating self-signed CA certificate.
>
>
> Generating key. This may take a few moments...
>
> Generating self-signed Server certificate.
>
>
> Generating key. This may take a few moments...
>
> Renaming and linking modified security DBs.
> Setting the correct ownership of security DBs
> Self-signed CA and SSL Server certs generated.
>
> The following commands are OPTIONAL.
> They are for backing up CA and Server Certs in PK12 format,
> exporting the CA Cert in ASCII format or DER format, and
> importing the CA Cert into the Admin Server
>
> ---Start of OPTIONAL commands---
> ../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o cacert.pfx -n "CA certificate"
> ../shared/bin/pk12util -d . -P slapd-nj1net200plmon- -o servercert.pfx -n "Server-Cert"
> ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -a > cacert.asc
> ../shared/bin/certutil -L -d . -P slapd-nj1net200plmon- -n "CA certificate" -r > cacert.der
> ../shared/bin/certutil -A -d . -P admin-serv-nj1net200plmon- -n "CA certificate" -t "CT,," -a -i cacert.asc
> ---End of OPTIONAL commands---
>
> Modifying server SSL configurations.
> NOTE: changes will be saved to config/dse.ldif when slapd is shutdown
> modifying entry cn=encryption,cn=config
> ldap_modify: Type or value exists
>
> deleting cn=RSA,cn=encryption,cn=config
> adding new entry cn=RSA,cn=encryption,cn=config
>
> Creating a pin.txt for auto-starting of slapd.
>
> IMPORTANT NOTES:
>
> 1. How to check if SSL Configurations are done properly?
> You may view config/dse.ldif after shutting down slapd
> to verify all the required SSL configurations are there.
>
> 2. How to fix slapd startup issue due to mis-configuration of SSL?
> If for any reason slapd fails to start due to SSL issue,
> you may edit config/dse.ldif after shutting down slapd
> and revert back to non-SSL configs.
> i.e. set nsSSL3: off, nsslapd-security: off
> and then try to restart slapd.
>
>
18 years
Re: [Fedora-directory-users] Re: SubjectAltName how does it work?
by Alex aka Magobin
Hi,
today I'm trying to solve an SSL issue to communicate from Fedora DS to both a
client and another DS server for replication. After many tests, with your
help, I reached this point:
I'm always in alias directory.
Create my CA database:
# ../shared/bin/certutil -N -d .
Make my self-signed CA:
# ../shared/bin/certutil -S -d . -n 'CA Certificate' -s 'cn=CAcert' -x -t CTu,CTu,CTu -g 1024 -m 1 -v 120 -2 -1 -5
Create server key and certificate for server1:
# ../shared/bin/certutil -R -d . -s "cn=nodo1,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 3 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n nodo1.domain.example.com -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq
Create server key and certificate for server2:
# ../shared/bin/certutil -R -d . -s "cn=nodo2,dc=domain,dc=example,dc=com" -o tmpcertreq -g 1024
# ../shared/bin/certutil -C -d . -c "CA Certificate" -i tmpcertreq -o tmpcert.der -m 4 -v 12 -1 -5 -8 domain.example.com
# ../shared/bin/certutil -A -d . -n Alt-Cert -t u,u,u -i tmpcert.der
# rm -f tmpcert.der tmpcertreq
After that I copy the database to server 2 and rename it to match the
correct server. Finally I enable SSL encryption on both servers and try to
establish Multi-Master Replication via the mmr.pl script:
./mmr.pl --host1 nodo1.domain.example.com --host2 nodo2.domain.example.com --host1_id 1 --host2_id 2 --bindpw secret --repmanpw secret --create --with-ssl
Unfortunately, consulting the logs I find:
NSMMReplicationPlugin - agmt="cn="Replication to nodo2.domain.example.com"" (nodo2:636): Simple bind failed, LDAP sdk error 91 (Can't connect to the LDAP server), Netscape Portable Runtime error -5961 (TCP connection reset by peer.)
It's incredible that when I find a solution for something, at the same time I
find a problem in another point :-)
Thanks in advance for support
Alex
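Both Gary's cr_ssl_certs_fds1ldap.sh earlier in this archive and Alex's certutil sequence above build a private CA, then a server certificate signed by it, with certutil's -8 flag supplying the subjectAltName. The shell below is an added example, not from either post: it performs the same two steps with OpenSSL instead of certutil so that the result can be checked on any machine before the certificate is imported into the server's cert8.db, and then verifies what a TLS peer (a replication partner, an ldapclient) actually checks: that the chain validates against the CA and that the host name it connected to appears in the SAN. The CA name CAcert and the host nodo1.domain.example.com are taken from the thread; the file names and the use of OpenSSL are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): private CA + SAN server cert with
# OpenSSL, then the two checks a TLS client performs before it trusts the cert.
set -eu

make_ca_and_server_cert() {
    # $1 = working directory, $2 = server FQDN to place in the subjectAltName
    workdir=$1; fqdn=$2
    mkdir -p "$workdir"
    # 1. self-signed CA (what certutil -S ... -x -t CT,, produces)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=CAcert" -keyout "$workdir/ca.key" -out "$workdir/ca.crt" >/dev/null 2>&1
    # 2. server key and request (what certutil -R produces)
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$fqdn" -keyout "$workdir/server.key" -out "$workdir/server.csr" >/dev/null 2>&1
    # 3. extensions: the SAN is the name clients compare against the host they dialed
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$workdir/server.ext"
    # 4. sign with the CA (what certutil -C ... -8 host produces)
    openssl x509 -req -in "$workdir/server.csr" -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$workdir/server.ext" \
        -out "$workdir/server.crt" >/dev/null 2>&1
}

check_server_cert() {
    # $1 = working directory, $2 = FQDN the client will connect to.
    # Returns 0 only if the chain verifies (1 otherwise) and the SAN lists
    # the FQDN (2 otherwise); a mismatch on either is a handshake failure.
    workdir=$1; fqdn=$2
    openssl verify -CAfile "$workdir/ca.crt" "$workdir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$workdir/server.crt" -noout -text | grep -q "DNS:$fqdn" || return 2
    return 0
}
```

Usage: `make_ca_and_server_cert /tmp/pki nodo1.domain.example.com && check_server_cert /tmp/pki nodo1.domain.example.com`. Run the check with the name of the other replica (nodo2.domain.example.com) and it returns 2, which is the condition to rule out before looking elsewhere for a replication bind failure.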
18 years
[Fedora-directory-users] storing RSA public keys in FDS
by Susan
Hi, all. This may be slightly off topic but here goes anyway.
I've a small client/server app in perl that publishes msgs in multicast, cleartext. There's now a
concern about replay attacks, so we need to encrypt every msg and maybe sign it. (Crypt::RSA, I'm
thinking)
Since there's only 1 server but a large number of clients, I'm thinking of storing clients' public
keys in FDS, where the server can retrieve them. Has anybody successfully implemented this? I
know I can install OpenPGP Key Server and use that but I don't want to have another directory when
FDS is working fine already.
Thank you.
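The concern in the post is replay, and encrypting each message does not address it: a recorded ciphertext decrypts just as well the second time. What stops replay is a freshness field inside the signed data and a receiver that remembers what it has already accepted. The Python below is an added example, not from Susan's post or her application: the receiver verifies the signature, rejects timestamps outside a skew window, and rejects a (sender, nonce) pair it has seen within that window. HMAC-SHA256 stands in for the signature so the example runs on the standard library alone; with RSA signatures the `keys_by_sender` lookup would become the public-key fetch from the directory and the guard would not change. Sender names, keys and payloads are constructed.

```python
import hashlib
import hmac
import os

# Added example, not from the thread: receiver-side replay guard for signed
# messages. Wire format (constructed): sender|timestamp|nonce|payload|tag.


def sign(key, sender, payload, now, nonce=None):
    """Frame and tag a message; `now` is the sender's clock in seconds."""
    nonce = nonce if nonce is not None else os.urandom(16).hex()
    body = "|".join([sender, str(int(now)), nonce, payload])
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return body + "|" + tag


class Receiver:
    """Verify the tag, then enforce freshness and per-sender nonce uniqueness."""

    def __init__(self, keys_by_sender, window=30):
        self.keys = keys_by_sender  # stands in for the public-key lookup in FDS
        self.window = window        # seconds of clock skew tolerated
        self.seen = {}              # (sender, nonce) -> timestamp, pruned as they age out

    def accept(self, wire, now):
        """Return (payload, 'ok') or (None, reason)."""
        try:
            sender, ts, nonce, rest = wire.split("|", 3)
            payload, _, tag = rest.rpartition("|")
            ts = int(ts)
        except ValueError:
            return None, "malformed"
        key = self.keys.get(sender)
        if key is None:
            return None, "unknown sender"
        body = "|".join([sender, str(ts), nonce, payload])
        expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad signature"
        # Anything outside the window is rejected even if never seen, so the
        # nonce memory only has to cover the window and cannot grow unbounded.
        if abs(now - ts) > self.window:
            return None, "stale"
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        if (sender, nonce) in self.seen:
            return None, "replay"
        self.seen[(sender, nonce)] = ts
        return payload, "ok"


if __name__ == "__main__":
    key = os.urandom(32)
    rx = Receiver({"client-a": key})
    msg = sign(key, "client-a", "reading=21.5", now=1000)
    print(rx.accept(msg, now=1005))   # ('reading=21.5', 'ok')
    print(rx.accept(msg, now=1010))   # (None, 'replay')
```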
18 years