[Fedora-directory-users] PassSync service stopped working
by Dan Oglesby
PassSync has been working fine for me in production on a couple
different systems, but has stopped working on one for some reason.
I've tried reinstalling the PassSync software, removed the passhook.log
and passhook.dat between installations, verified passwords and user info
is correct for the service, still nothing.
When I restart the service, I get the following in my access log file on
the LDAP server (IPs and user info removed):
[12/Jun/2006:14:42:48 -0500] conn=896 fd=178 slot=178 SSL connection from 192.168.X.X to 192.168.X.X
[12/Jun/2006:14:42:48 -0500] conn=896 SSL 128-bit RC4
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 BIND dn="userinfo" method=128 version=2
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="userinfo"
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 UNBIND
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 fd=178 closed - U1
After the service has started, I get nothing else in either the access
or errors log files.
The passhook.log never shows any info, and the log file in the PassSync
directory only contains info regarding the service stopping and
starting.
Any hints as to where else I need to be looking to fix this issue?
--Dan
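Added example, not part of Dan's mail or of the PassSync software: a small Python triage script for the access-log pattern quoted above. It groups lines by conn= id and flags sessions that bind successfully and then unbind without a single search or modify in between, which is exactly what the excerpt shows; it also reports failed binds (err!=0) and sessions that did not arrive over SSL, since PassSync is expected to use it. The log text is constructed here, modelled on the excerpt with placeholder DNs and 192.0.2.x addresses, and the "passsync" substring used to pick out the service's bind identity is an assumption.

```python
import re

# Constructed sample, modelled on the excerpt in the post. Addresses are
# documentation ranges and the bind DN is a placeholder, not a real identity.
SAMPLE_LOG = """\
[12/Jun/2006:14:42:48 -0500] conn=896 fd=178 slot=178 SSL connection from 192.0.2.10 to 192.0.2.20
[12/Jun/2006:14:42:48 -0500] conn=896 SSL 128-bit RC4
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 BIND dn="uid=passsync,ou=People,dc=example,dc=com" method=128 version=2
[12/Jun/2006:14:42:48 -0500] conn=896 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,ou=people,dc=example,dc=com"
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 UNBIND
[12/Jun/2006:14:42:48 -0500] conn=896 op=1 fd=178 closed - U1
[12/Jun/2006:14:43:05 -0500] conn=897 fd=179 slot=179 SSL connection from 192.0.2.10 to 192.0.2.20
[12/Jun/2006:14:43:05 -0500] conn=897 SSL 128-bit RC4
[12/Jun/2006:14:43:05 -0500] conn=897 op=0 BIND dn="uid=passsync,ou=People,dc=example,dc=com" method=128 version=3
[12/Jun/2006:14:43:05 -0500] conn=897 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[12/Jun/2006:14:43:05 -0500] conn=897 op=1 MOD dn="uid=tbird,ou=People,dc=example,dc=com"
[12/Jun/2006:14:43:05 -0500] conn=897 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[12/Jun/2006:14:43:06 -0500] conn=897 op=2 UNBIND
[12/Jun/2006:14:43:06 -0500] conn=897 op=2 fd=179 closed - U1
[12/Jun/2006:14:44:10 -0500] conn=898 fd=180 slot=180 connection from 192.0.2.30 to 192.0.2.20
[12/Jun/2006:14:44:10 -0500] conn=898 op=0 BIND dn="uid=passsync,ou=People,dc=example,dc=com" method=128 version=3
[12/Jun/2006:14:44:10 -0500] conn=898 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[12/Jun/2006:14:44:10 -0500] conn=898 op=1 UNBIND
[12/Jun/2006:14:44:10 -0500] conn=898 op=1 fd=180 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=\d+)? (?P<rest>.*)$')
OP_RE = re.compile(r'^(BIND|UNBIND|SRCH|MOD|ADD|DEL|MODRDN|CMP|EXT|ABANDON)\b')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def parse_sessions(log_text):
    """Group access-log lines by conn= id and record what each session did."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip it
        rest = m.group('rest')
        s = sessions.setdefault(m.group('conn'), {
            'first_seen': m.group('ts'), 'ssl': False, 'bind_dn': None,
            'bind_err': None, 'ops': [], 'closed': False,
        })
        op = OP_RE.match(rest)
        if op:
            s['ops'].append(op.group(1))
            bind = BIND_RE.match(rest)
            if bind:
                s['bind_dn'] = bind.group('dn')
            continue
        if re.search(r'\bSSL\b', rest):      # "SSL connection from" / "SSL 128-bit RC4"
            s['ssl'] = True
        result = RESULT_RE.match(rest)
        if result and s['ops'] and s['ops'][-1] == 'BIND' and s['bind_err'] is None:
            s['bind_err'] = int(result.group('err'))   # result of the first BIND
        if ' closed' in rest:
            s['closed'] = True
    return sessions


def triage(sessions, bind_dn_contains=None):
    """Flag the symptom from the post: a successful BIND followed straight by
    UNBIND with no real work in between. Also report failed binds and
    sessions that came in without SSL."""
    report = {'bind_only': [], 'bind_failed': [], 'cleartext': []}
    for conn, s in sessions.items():
        if bind_dn_contains and bind_dn_contains not in (s['bind_dn'] or '').lower():
            continue
        if not s['ssl']:
            report['cleartext'].append(conn)
        if s['bind_err'] not in (None, 0):
            report['bind_failed'].append(conn)
            continue
        work = [o for o in s['ops'] if o not in ('BIND', 'UNBIND')]
        if s['bind_err'] == 0 and not work:
            report['bind_only'].append(conn)
    return report


if __name__ == '__main__':
    for kind, conns in triage(parse_sessions(SAMPLE_LOG), 'passsync').items():
        print(f'{kind}: {conns}')
```

Run it against a real access log by reading the file into parse_sessions(); a growing list under bind_only for the sync account means the service is reaching the server and authenticating but never sending its modify, which points at the Windows side (passhook.dat, the PassSync configuration) rather than at credentials.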
[Fedora-directory-users] updating/renewing CA and server cert
by Brian Jones
Hi all,
The SSL Howto on the wiki doesn't really cover a procedure for what to do
when your root CA has to be renewed, along with your server certs.
I have 3 servers whose server certs are all signed with our own root CA, but
that root CA is expiring, and needs to be replaced. Presumably this means I
also need to replace the server certs, since they were signed with this
expiring root CA.
What I was able to do was just blow away /opt/fedora-ds/alias/*.db, and then
run:
###### CREATE NEW *.db FILES ########
/opt/fedora-ds/shared/bin/certutil -N -d /opt/fedora-ds/alias -P slapd-ldap-
###### INSTALL NEW ROOT CA ########
/opt/fedora-ds/shared/bin/certutil -A -n "My Dept. Root CA" -P slapd-ldap- -d /opt/fedora-ds/alias -t "CT,," -a -i ./cacert.pem
###### CREATE NEW SERVER CERT REQUEST #######
/opt/fedora-ds/shared/bin/certutil -R -d /opt/fedora-ds/alias -a -P slapd-ldap- -s "cn=ldap.my-domain.com" -o /tmp/csr.der.txt -g 1024
###### SIGN THE NEW SERVER CERT REQUEST ########
openssl ca -config openssl.cnf -policy policy_anything -out certs/ldapcert.pem -infiles csr.der.txt
###### INSTALL NEW SERVER CERT #########
/opt/fedora-ds/shared/bin/certutil -A -d /opt/fedora-ds/alias -n "ldap-server-cert" -P slapd-ldap- -t u,u,u -a -i /opt/fedora-ds/alias/ldapcert.pem
At this point, my server starts up just fine and all appears to be well, but
it doesn't seem like it should be absolutely necessary to start over from
scratch on each server when our root CA expires. Can someone detail a
shorter method to replace expired root CAs *and* server certificates?
thanks.
brian.
[Fedora-directory-users] account expiration time
by Mikael Kermorgant
Hello,
I'd like to know if there's a common way to manage account expiration
by specifying an expiration date?
In my case, I have some accounts which have to be renewed each year.
They should by default be deactivated automatically.
I've considered adding a dedicated attribute and running a script via
cron but I'd welcome any suggestion.
Best regards,
--
Mikael Kermorgant
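Added example, not from Mikael's mail: a Python sketch of the cron-driven approach he mentions. Instead of a new dedicated attribute it uses the standard shadowExpire attribute (shadowAccount objectClass; a day count since 1970-01-01) as the expiry date, and it emits an LDIF for ldapmodify that sets nsAccountLock: true, the attribute Fedora DS's account inactivation uses, on every account whose expiry has passed and that is not already locked. The LDAP search itself is left to ldapsearch or whatever client the cron job uses; the entries below are constructed, and both attribute choices are my assumptions.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed sample: the shape of results an LDAP search for
# "(objectClass=shadowAccount)" might return (attribute values as lists).
SAMPLE_ACCOUNTS = [
    {'dn': 'uid=alice,ou=People,dc=example,dc=com', 'shadowExpire': ['13300']},
    {'dn': 'uid=bob,ou=People,dc=example,dc=com', 'shadowExpire': ['13400']},
    {'dn': 'uid=carol,ou=People,dc=example,dc=com', 'shadowExpire': ['13200'],
     'nsAccountLock': ['true']},                     # already inactivated
    {'dn': 'uid=dave,ou=People,dc=example,dc=com'},  # no expiry set: never auto-locked
]


def days_since_epoch(d):
    """shadowExpire stores the expiry as a day count since 1970-01-01."""
    return (d - EPOCH).days


def shadow_expire_one_year_from(d):
    """Value to store when an account is renewed for one more year."""
    try:
        nxt = d.replace(year=d.year + 1)
    except ValueError:          # 29 February in a non-leap target year
        nxt = d.replace(year=d.year + 1, day=28)
    return days_since_epoch(nxt)


def is_expired(account, today):
    values = account.get('shadowExpire', [])
    return bool(values) and int(values[0]) <= days_since_epoch(today)


def is_locked(account):
    return [v.lower() for v in account.get('nsAccountLock', [])] == ['true']


def accounts_to_lock(accounts, today):
    """DNs whose expiry has passed and that are not yet inactivated."""
    return [a['dn'] for a in accounts if is_expired(a, today) and not is_locked(a)]


def lock_ldif(accounts, today):
    """LDIF for ldapmodify that sets nsAccountLock: true on each expired account."""
    changes = []
    for dn in accounts_to_lock(accounts, today):
        changes.append(f'dn: {dn}\nchangetype: modify\n'
                       f'replace: nsAccountLock\nnsAccountLock: true\n')
    return '\n'.join(changes)


if __name__ == '__main__':
    # In a cron job, feed the output to: ldapmodify -x -D "cn=directory manager" -W
    print(lock_ldif(SAMPLE_ACCOUNTS, date.today()), end='')
```

Locking rather than deleting keeps the entry (and its uidNumber) intact for the yearly renewal, which then only needs a new shadowExpire value and nsAccountLock removed.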
[Fedora-directory-users] ns-slapd process growing
by Frits Hoogland
I am running the fedora directory server version 1.0.2
on debian gnu linux version 3.1 (debian sarge)
The LDAP server itself (ns-slapd) worked alright, but with increased usage
the ns-slapd process's memory usage keeps growing.
ps shows a size (SZ column) of 220669;
top shows virt 863m, res 407m, shr 47m.
Is this normal behavior? Any way to restrict memory usage in any form?
frits
[Fedora-directory-users] Replica has no update vector. It has never been initialized
by Jeff Gamsby
I have set up passSync and replication, but I get this error:
Replica has no update vector. It has never been initialized.
I have run the "Initiate full re-initialization" and restarted the
PassSync service on AD.
I'm not sure what to do.
I had it working before, but had to re-install. I had this problem before,
but it seemed to solve itself.
Please help.
Thanks
[Fedora-directory-users] Attribute uniqueness of multiple attributes
by Arjan Franzen
Hi all,
I'm using FDS as a component in a software development project.
up until now I've had no problems but what puzzles me is the status of
attribute uniqueness. FDS is based on Netscape iPlanet and or Sun ONE
directory from what I read.
if I look at the documentation of FDS (iPlanet 7.0 based) I see clearly no
support for multiple unique attributes (page 594 of the admin manual):
If I on the other hand look at the Sun documentation:
http://docs.sun.com/source/816-6400-10/attruniq.html#wp19660
see section: "Configuring the Plug-In From the Command-Line"
I see that there is a way! only I can't get it to work which suggests what
I read in the FDS documentation.
My question: Can FDS now or in the future support multiple unique
attributes? I'm using it to keep integrity intact of some objects stored
both in FDS and in a RDBMS.
regards,
Arjan
[Fedora-directory-users] Question regarding FDS and Samba Integration re: group security
by timmmyyy@mts.net
Greetings,
I have been a Linux user for some time, but have only recently started working with LDAP after hearing about the Fedora Directory Server. I have been using it primarily with integration into Samba as a replacement for Active Directory, and it has been working well thus far. I have deployed a server into a production environment, and it's working great.
I followed the howto for Samba found on the main page, and the server is setup in this way.
My question though relates to group security. Since I wish to delegate access to files on the samba fileserver via group membership, how can I accomplish this using FDS and Samba? Am I able to create a group using the Admin Console, add the user accounts to be members of the group, and then set security on shares based on group? Or is there a specific procedure to follow? I'm becoming fairly versed at samba, but LDAP is still quite new to me. Obviously the more I can do using the Admin console, the happier I, and my customers are.
I have tried creating a share in samba, allowing only access to the group that I created in the directory, then adding a user to that group, but the user is unable to access the share, as samba doesn't seem to be aware of the group created in the directory.
A bit of searching has told me that samba wants the group to be a posix group, or to exist in the /etc/group file on the system. Several LDAP/Samba howtos have also suggested needing to run a net groupmap command to map the ldap group to a posix id. This makes sense, as in the Fedora howto this is necessary to create the well-known groups which users are added to later on, but then how is group membership managed? The well-known groups that are created during the initial howto appear differently in the administration console, and double clicking them only opens the advanced properties, and not the ability to add additional members to the group.
I apologize for any parts that don't make sense, but hopefully someone will catch what I'm actually meaning and be able to offer some help. If any more information is required, please ask, and I will gladly provide.
Tim Friesen
[Fedora-directory-users] FDS over SSL with PassSync -- How I did it
by Jeff Gamsby
Thanks to everyone who helped me.
Since it was a struggle for me, I thought that I would post how I did it
in case others have the same problems that I had. Maybe it will help
someone else.
My Setup:
Fedora Core 4
Fedora Directory Server 1.0.2
Windows 2000 Server
Install FDS ( or reinstall: rpm -qa | grep fedora-ds | xargs rpm -e; rm -rf /opt/fedora-ds ; rpm -i fedora-ds-1.0.2 )
create certificates, etc..
I used this simple script that I wrote: (cd to /opt/fedora-ds/alias)
-----------------------------------------------------------------------
#!/bin/sh
# serverroot is used for the certutil paths below; the script works in /opt/fedora-ds/alias
serverroot=/opt/fedora-ds
cd $serverroot/alias || exit 1
echo -n "Creating password and noise file..."
echo "8904859034905834-580943502385430958430958049385" > /opt/fedora-ds/alias/pwdfile.txt
echo "8374893jkhsdfjkhdjksfah89dskjfkdghkjdfhguiert9348khkfhgkjfd79" > /opt/fedora-ds/alias/noise.txt
echo -n "Creating Databases..."
$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
echo -n "Generating encryption key..."
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo -n "Generating self-signed certificate..."
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
echo -n "Generating server certificate.."
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=msas.msd.lbl.gov" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
# rename the databases to the instance prefix and keep the generic names as symlinks
mv key3.db slapd-msas-key3.db
mv cert8.db slapd-msas-cert8.db
ln -s slapd-msas-key3.db key3.db
ln -s slapd-msas-cert8.db cert8.db
echo -n "Setting permissions.."
chown nobody.nobody /opt/fedora-ds/alias/slapd-msas*
echo -n "Exporting certificate.."
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der
echo "Converting certificate.."
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
echo "Copying cacert.pem to /etc/openldap/cacerts.."
cp cacert.pem /etc/openldap/cacerts/
echo -n "Enabling SSL in FDS"
echo ""
echo -n "Please enter Manager password..(twice)"
ldapmodify -x -D cn=Manager -W -f /tmp/ssl_enable.ldif
ldapmodify -x -D cn=Manager -W -a -f /tmp/addRSA.ldif
---------------------------------------------------------
restart FDS
Test SSL connections and ldapsearch
netstat -an | grep 636
Install Active Directory on Windows Server
Install Certificate Services --> Enterprise root CA
reboot
Enable SSL on AD
1. Install Certificate Services on Windows 2000 Server and an Enterprise Certificate Authority in the Active Directory Domain. Make sure you install an Enterprise Certificate Authority.
2. Create a Security (Group) Policy to direct Domain Controllers to get an SSL certificate from the Certificate Authority (CA).
   1. Open the Active Directory Users and Computers Administrative tool.
   2. Under the domain, right-click on Domain Controllers.
   3. Select Properties.
   4. In the Group Policy tab, click to edit the Default Domain Controllers Policy.
   5. Go to Computer Configuration->Windows Settings->Security Settings->Public Key Policies.
   6. Right click Automatic Certificate Request Settings.
   7. Select New.
   8. Select Automatic Certificate Request.
   9. Run the wizard. Select the Certificate Template for a Domain Controller.
   10. Select your Enterprise Certificate Authority as the CA. Selecting a third-party CA works as well.
   11. Complete the wizard.
   12. All Domain Controllers now automatically request a certificate from the CA, and support LDAP using SSL on port 636.
3. Retrieve the Certificate Authority Certificate
   1. Open a Web browser on the AD machine
   2. Go to http://localhost/certsrv/
   3. Select the task Retrieve the CA certificate or certificate revocation list.
   4. Click Next.
   5. The next page automatically highlights the CA certificate. Click Download CA certificate.
   6. A new download window opens. Save the file to the hard drive. Save in DER mode
Copy file to FDS server, convert to PEM format
openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem
Import AD CA cert into FDS
certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem
check certs ( from /opt/fedora-ds/alias)
certutil -L -d . -P slapd-instance-
Check ldapsearch from FDS to AD
ldapsearch -Z -P <RHDS-cert8.db> -h <AD/NT Hostname> -p <AD SSL port> -D "<sync manager user>" -w "<sync manager password>" -s <scope> -b "<AD base>" "<filter>"
Install PassSync on Windows machine.
Follow directions from Howto:WindowsSync (certificate creation)
restart AD server
Enable Replication in Directory Server Console:
Go to configuration tab --> Replication --> enable changelog --> default
Expand Replication, click UserRoot
Check "Enable Replica" Single-master
Right Click UserRoot --> Create new windows sync agreement
Up log level in FDS:
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
ldapmodify -x -D "cn=directory manager" -a -f repl_log.ldif
restart FDS
right click win sync agreement --> Initiate Full Sync
check error logs (/opt/fedora/slapd-instance/logs/errors)
In order for users to be created on the Windows side, users must have
certain attributes.
e.g.
dn: uid=TBird,ou=People, dc=server,dc=com
givenName: Tweetie
ntUserCreateNewAccount: true
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
facsimileTelephoneNumber: 510-555-5555
uid: TBird
mail: tbird@server.com
uidNumber: 71209
cn: Tweetie Bird
ntUserComment: Tweetie Bird User Account
telephoneNumber: 510-555-5555
loginShell: /bin/bash
ntUserDomainId: tbird
gidNumber: 5000
ntUserDeleteAccount: true
gecos: Tweetie Bird
homeDirectory: /home/tbird
sn: Bird
userPassword::
I hope that I have this right.
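Added example, not from Jeff's write-up: a Python checker for the requirement in his last paragraph, that a user entry must carry the ntuser objectClass and the ntUser* attributes before the Windows sync agreement will create the account on the AD side. It reads LDIF (handling folded lines and base64 "::" values such as the userPassword line in the entry above) and lists what each entry is missing. The sample LDIF is constructed after the post's entry; the second entry is deliberately incomplete, and the password value is a placeholder.

```python
import base64

# Constructed sample LDIF modelled on the entry in the post. The second entry
# is deliberately missing the ntuser pieces; the password hash is a placeholder.
SAMPLE_LDIF = """\
dn: uid=TBird,ou=People,dc=server,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
uid: TBird
cn: Tweetie Bird
sn: Bird
givenName: Tweetie
ntUserDomainId: tbird
ntUserCreateNewAccount: true
ntUserDeleteAccount: true
uidNumber: 71209
gidNumber: 5000
homeDirectory: /home/tbird
loginShell: /bin/bash
ntUserComment: Tweetie Bird User Account, with a comment long enough
  to be folded onto a continuation line
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: uid=DDuck,ou=People,dc=server,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: DDuck
cn: Daffy Duck
sn: Duck
uidNumber: 71210
gidNumber: 5000
homeDirectory: /home/dduck
"""


def parse_ldif(text):
    """Minimal LDIF reader: folded lines (leading space) are joined,
    'attr:: value' is base64-decoded, entries are separated by blank lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(' ') and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + ['']:          # trailing sentinel closes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.strip()
        if current is None:
            current = {'dn': None, 'attrs': {}}
        if name.lower() == 'dn':
            current['dn'] = value
        else:
            current['attrs'].setdefault(name, []).append(value)
    return entries


def check_winsync_entry(entry):
    """Reasons this entry would not be created on the AD side of a Windows
    sync agreement, per the attributes the post says are required."""
    attrs = {k.lower(): v for k, v in entry['attrs'].items()}
    problems = []
    if 'ntuser' not in [c.lower() for c in attrs.get('objectclass', [])]:
        problems.append('missing objectClass ntuser')
    if not attrs.get('ntuserdomainid'):
        problems.append('missing ntUserDomainId (the Windows account name)')
    if [v.lower() for v in attrs.get('ntusercreatenewaccount', [])] != ['true']:
        problems.append('ntUserCreateNewAccount is not true')
    for required in ('cn', 'sn'):          # person objectClass requirements
        if not attrs.get(required):
            problems.append(f'missing {required}')
    return problems


def check_ldif(text):
    """Map each entry's DN to its list of problems (empty list = ready to sync)."""
    return {e['dn']: check_winsync_entry(e) for e in parse_ldif(text)}


if __name__ == '__main__':
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, '->', problems or 'ok')
```

Run it over the output of an ldapsearch of the synced subtree before "Initiate Full Sync"; entries that come back with problems are the ones that will silently never appear in AD, and that is easier to see here than in the 8192-level error log.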