Re: [Fedora-directory-users] New filesystem layout for directory server and admin server files
by Mike Jackson
Richard Megginson <rmeggins(a)redhat.com> wrote:
> --
> In order to be more linux friendly, we are currently considering changing the layout from having everything under
> /opt/fedora-ds to putting files in their FHS specific paths
FHS has its place. However, as a very large user of this software, I am strongly against this idea.
One of the biggest strengths of this software is that it is completely self-contained, which allows much simpler troubleshooting, research and development of administration tools, and testing multiple versions. It is easier to see if a file is missing or has the wrong permissions, and fix it. It is easier to backup and restore. I could go on and on. When an entire network depends on the LDAP infrastructure, these type of things really matter.
I think this is a bad idea, and a waste of time. Time which could be much better spent on bringing proper autoconf support.
BR,
Mike
16 years, 11 months
Re: [Fedora-directory-users] Referrals break everything ...
by Philip Kime
> PADL (usually in /etc/ldap.conf):
> referrals yes
Many thanks for both replies ...
This looked good but I tried it and I still get the same error in
syslog. Hmm. The binds are all anonymous and work fine so there doesn't
seem to be a bind DN issue.
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/dit.html#1005889
Ah - this is more what I wanted but it appears that you can't do Virtual
DITs from roots - has to be from an OU, for example, which is annoying
since that means I have to create a new database for the old dc=x,dc=y
and create an OU so I can create a virtual DIT view. What a game! I just
want to redirect all queries for one thing somewhere else ...
16 years, 11 months
Re: [Fedora-directory-users] New filesystem layout for directory server and admin server files
by Mike Jackson
Michael Chang <miranda(a)syndetic.org> wrote:
>
>
> You could always make a separate, FHS-specific package available and see
> what people think. If the votes are high enough in support of the new
> layout then you could make a permanent switch.
The problem here is assuming that FDS updates will eventually be pushed into RHDS.
Judging by a good portion of the traffic on this list, a good majority of the FDS users are still learning how to use an LDAP server, so they likely don't understand or care enough to have an opinion about file layout or why it matters in a package as large and complex as this one.
OTOH, the RHDS package is used for critical infrastructure in banks, military, telecoms, etc. By the time those users notice the change and its ramifications, it will be too late for them to have their vote (other than with their feet).
--
mike
16 years, 11 months
[Fedora-directory-users] Accessing the management console - error
by Greg Rich
I have Fedora Directory Server v1.0.2 installed on one of my servers; I am
trying to connect to it using my laptop. I am able to access the
management console from the FDS server and have successfully got the
console running on my laptop, but when I try to log in I get the following
error:
Cannot logon because of an incorrect User ID,
Incorrect password or Directory problem.
HttpException:
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://<full server name>:54294/admin-serv/authenticate
I have read and tried
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt to no
avail.
Thanks,
Gregory Rich
IT Manager
Harmonix Music Systems
16 years, 11 months
Re: [Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
by Kevin McCarthy
Richard, thank you for your response!
...hopefully whatever configuration mistake I made to cause a NULL bind DN
will soon come to light.
> Dear List Members,
>
> Release: *fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm*
>
> A typical replication error log entry now follows (seen repeatedly at
> both fedora DS servers):
>
> [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from
> server 2" (ukstatlap:636): Unable to acquire replica: permission
> denied. The *bind dn ""* does not have permission to supply
> replication updates to the replica. Will retry later.
>
> Believe me, I have been investigating this one for 2 or 3 days now
> (having just switched from OpenLDAP, since multiple master replication
> is required) before sending this submission, just in case I missed a
> configuration item or work-around, but unfortunately no luck (so far).
>
> The only reference I can find for SSL Client Authentication based
> Multiple Master replication (2 Linux RHEL 3 servers being used) that
> supplies empty DNs, is the Windows specific entry (whose work-around I
> tried anyway, but without success):
>
> Unable to acquire replica: permission denied. The bind dn "" does not
> have permission to supply replication updates to the replica. Will
> retry later.
> To workaround the problem, after you modify and save the replication
> schedule of an agreement, refresh the console, reconfigure the
> connection settings (to SSL client authentication) for the agreement,
> and save your changes.
>
> http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
>
> The mutual _Current Supplier DNs_ are indeed set (cn=Replication
> Manager,cn=replication,cn=config) and the corresponding directory
> entries do exist.
>
> The respective server certificates and CA certificates are installed,
> with Subject DN entries loaded.
>
What are the SubjectDNs in the server certificates?
CN=<SERVERNAME>,OU=EDS,O=teligent,DC=co,C=uk
...where "<SERVERNAME>" is the respective server name of the replicating
servers e.g. "nema2" rather than a full domain name.
The following will hopefully also be relevant:
1) The tree being replicated is "OU=EDS,O=Teligent,DC=co,C=uk" i.e. the
Subject DN is within the replicated tree.
2) certutil was used to generate the server and CA certificates.
Surprisingly (to me at least) the CA certificate was then listed in the
"Server Certs" panel on the Directory Server "Manage Certificates" panel.
3) I loaded the ascii version of the "other" server's CA Certificate
directly into the "CA Certs" panel.
4) All CA certificates have both the accept and make connection trusts
ticked.
> I do _not_ have Legacy Consumer enabled.
>
You don't need it.
>
> CertMapping is also defined (though with a NULL DN being supplied, I
> guess that will not be kicking in just yet, though there are entries
> for the exact subject DN anyway.)
>
You might want to post your certmap.conf and see here -
http://directory.fedora.redhat.com/wiki/Howto:CertMapping
...I must admit that since the Bind DN was NULL I had not realized that
certmap'ping would actually take effect.
I ensured that the exact subject DN of the server certificates corresponded
to an actual directory entry (with the respective server's user certificate
loaded), which I had thought would be matched without the need for a certmap
configuration via the original "default" option, but I tried one anyway.
certmap nema ou=EDS,o=teligent,dc=co,c=uk
nema:FilterComps cn
nema:verifycert off
certmap default default
...indeed one server still runs with the default certmap configuration to see
if it made any difference, but both servers receive a NULL bind DN "".
> When using simple authentication, with or without SSL, all is well
> (although replication did require both servers to Initialize the
> Consumer, I thought that only one was required e.g. ID 1 initializing
> ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way
> replication was achieved).
>
That's odd. You should only need to initialize once one way.
...indeed, but I guess that it can not do any harm, as the secondary server
will not actually need to supply any further updates back to the primary
server and it does at least make the mutual replication work for me - until
the certificates took their toll.
Regards and thanks again,
Kevin
16 years, 11 months
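As an added example (not code from the thread or from the Howto), the snippet below simulates the certmap.conf matching that the Howto describes: the certificate's issuer DN selects a mapping, DNComps and FilterComps derive a search base and filter from the subject DN, and the mapped bind can only succeed if exactly one entry is found. It uses the two mappings Kevin posted; the in-memory directory and the subtree-scope assumption are constructed for illustration.

```python
"""Simulate how certmap.conf rules turn a client certificate's subject DN into an
LDAP search, and whether that search lands on exactly one entry.
Added example, not from the thread; the directory below is constructed."""

def parse_dn(dn):
    """Split a DN string into [(attr, value), ...] with lower-cased attribute names."""
    return [(a.strip().lower(), v.strip())
            for a, v in (rdn.split("=", 1) for rdn in dn.split(","))]

def norm(dn):
    """Canonical, case-folded DN string used for comparisons."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

# Constructed in-memory directory: normalised DN -> attributes.
DIRECTORY = {
    norm("cn=nema2,ou=EDS,o=Teligent,dc=co,c=uk"): {"cn": ["nema2"]},
    norm("cn=Replication Manager,cn=replication,cn=config"): {"cn": ["Replication Manager"]},
}

# The two mappings from the posted certmap.conf, keyed by name: (issuer DN, options).
CERTMAPS = {
    "nema": ("ou=EDS,o=teligent,dc=co,c=uk", {"FilterComps": ["cn"], "verifycert": "off"}),
    "default": ("default", {}),
}

def pick_mapping(issuer_dn, certmaps=CERTMAPS):
    """The mapping whose issuer DN equals the certificate's issuer wins; else 'default'."""
    for name, (issuer, opts) in certmaps.items():
        if issuer != "default" and norm(issuer) == norm(issuer_dn):
            return name, opts
    return "default", certmaps["default"][1]

def map_cert(subject_dn, issuer_dn, certmaps=CERTMAPS):
    """Return (mapping name, search base, list of matching DNs).
    No DNComps -> the whole subject DN is the base (an entry must exist at exactly
    that DN); empty DNComps -> search everything; no FilterComps -> (objectclass=*).
    Assumption: subtree scope in every case."""
    name, opts = pick_mapping(issuer_dn, certmaps)
    subj = parse_dn(subject_dn)
    dncomps = opts.get("DNComps")
    if dncomps is None:
        base = norm(subject_dn)
    else:
        comps = [f"{a}={v}" for a, v in subj if a in dncomps]
        base = norm(",".join(comps)) if comps else ""
    wanted = {a: v.lower() for a, v in subj if a in (opts.get("FilterComps") or [])}
    matches = [dn for dn, attrs in DIRECTORY.items()
               if (base == "" or dn == base or dn.endswith("," + base))
               and all(v in [x.lower() for x in attrs.get(a, [])] for a, v in wanted.items())]
    return name, base, matches
```

With no DNComps in either mapping, both the "nema" rule and the default rule require an entry at exactly the certificate's subject DN; a certificate for a server with no such entry maps to nothing.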
[Fedora-directory-users] Authenticating / Binding user via LDAP to Fedora Directory Server
by Greg Rich
Running Fedora Directory Server v 1.0.2 on Fedora Core 4
I can access the directory server just fine anonymously but I can not
bind as a user with a password. I am an AD guy slowly moving to Linux so
it could very well be me.
The FDS is a fresh install; I was able to sync users from my Windows
2000 AD. I know that the passwords do not sync up so I created a simple
web page using php and ldap_mod_replace to set / change users passwords.
This page works; I bind to a user w/o a password. I can even set the
password using the page. But I can not bind as a user using a password,
but for some odd reason even if a user has a password I can bind
anonymously to them and set the password (I assume it's an ACL setting
that is causing this). My main problem is binding as a user with a
password. I have also tried an LDAP query with Mozilla Thunderbird and
get similar results: binding as anonymous I have no problems, but if I try
as a user I get nothing.
Thanks in advance for your help.
Gregory Rich
IT Manager
Harmonix Music Systems
16 years, 11 months
[Fedora-directory-users] Referrals break everything ...
by Philip Kime
I am running the latest Fedora-DS and trying to use nss_ldap. I have to
migrate an older LDAP server onto the Fedora-DS but keep temporarily the
old tree structure for all current LDAP clients. So I was going to leave
the old search base in /etc/ldap.conf on the client and just re-direct
queries to the new location (on the same server). A job for referrals, I
thought. I'll just put a stub root dc on the new server and make it
point to the new location, like this:
dc=a,dc=y
a referral to the new
dc=a,dc=b
I set this up, ldapsearch shows that it's getting the right referral
(though I can't seem to get ldapsearch to follow the referral?)
However, if I try to do anything involving nss_ldap (which otherwise
works fine), I get this, for example, in syslog:
getent: nss_ldap: could not search LDAP server - Referral
Does nss_ldap not follow referrals? That would make it rather useless
.... Is this a Fedora-DS problem?
--
Philip Kime
16 years, 11 months
[Fedora-directory-users] Install Error
by Brian Smith
Has anyone run into this problem? I looked through the archives but
don't see anything. Here's my setup. I have a configuration server
setup on config.domain.com. I made the admin domain config.domain.com
and setup a new domain called dev.domain.com. I setup dev1.domain.com to
use config.domain.com as the config storage server and everything
installed fine. The server is listed in the dev.domain.com domain and is
using dc=dev,dc=domain,dc=com as its base DN. I am now installing
dev2.domain.com using config.domain.com and used the same values on the
install except for the server id and name. It fails when it tries to add
the sample accounts. Here's the part of the setup.log, any help would
be appreciated:
Hostname to use (default: dev2.domain.com)
Server user ID to use (default: nobody)
Server group ID to use (default: nobody)
[slapd-dev2]: starting up server ...
[slapd-dev2]: Fedora-Directory/1.0.2 B2006.060.1928
[slapd-dev2]: dev2.domain.com:389 (/opt/fedora-ds/slapd-dev2)
[slapd-dev2]:
[slapd-dev2]: [29/Jun/2006:11:11:51 -0400] - Fedora-Directory/1.0.2
B2006.060.1928 starting up
[slapd-dev2]: [29/Jun/2006:11:11:53 -0400] - slapd started. Listening
on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Warning Slapd Could not open the new directory server
[ldap://dev2.domain.com:389/dc=dev,dc=domain,dc=com:cn=Directory
Manager] to add an aci [151].
Success Slapd Added Directory Server information to Configuration
Server.
Warning Slapd Could not add sample entries, ldap error code 151
Warning Slapd Could not populate with ldif file Yes error code 151
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory Server...
Configuring Global Parameters in Directory Server...
You can now use the console. Here is the command to use to start the
console:
cd /opt/fedora-ds
./startconsole -u admin -a http://dev2.domain.com:36352/
Thanks,
Brian Smith
16 years, 11 months