September 2006 - 389-users - Fedora Mailing-Lists

[Fedora-directory-users] Confusion over admserv_host_ip_check message

by Dave Della Costa

Hi folks, I'm having a lot of problems getting into the console admin to the server remotely. I'm getting this in the admin-serv/logs/error log (I've changed the IPs below, obviously...they are all the same one FYI): [Mon Sep 25 08:51:57 2006] [notice] [client xxx.xx.xx.xxx] admserv_host_ip_check: ap_get_remote_host could not resolve xxx.xx.xx.xxx [Mon Sep 25 08:51:57 2006] [warn] [client xxx.xx.xx.xxx] admserv_host_ip_check: failed to get host by ip addr [xxx.xx.xx.xxx] - check your host and DNS configuration [Mon Sep 25 08:51:57 2006] [notice] [client xxx.xx.xx.xxx] admserv_host_ip_check: Unauthorized host ip=xxx.xx.xx.xxx, connection rejected I tried to use ldapmodify to open up the restriction, per the instructions here: http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt ..like so: dn: dn of your admin server config entry changetype: modify replace: nsAdminAccessAddresses nsAdminAccessHosts nsAdminAccessAddresses: nsAdminAccessHosts: (I left them blank per this mailing list post: http://www.redhat.com/archives/fedora-directory-users/2005-December/msg00...) I've checked this doc, but it seems to be about what you can do AFTER you get the console running: http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt I feel like it's going to be really simple to fix this, but I just am pretty unfamiliar with directory server and LDAP in general. Thanks for any help or instructions-- Best, Dave

17 years, 6 months

3
6
0 / 0

[Fedora-directory-users] GSSAPI / kerberos

by Gordon Messmer

Is anyone using GSSAPI / kerberos in production? I've come across what looks like a bug, and I'd like any available info from other users: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208058

17 years, 6 months

1
0
0 / 0

[Fedora-directory-users] GSSAPI / kerberos

by Gordon Messmer

Is anyone using GSSAPI / kerberos in production? I've come across what looks like a bug, and I'd like any available info from other users: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208058

17 years, 6 months

1
0
0 / 0

Re: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes

by kevin james

Francois, Thanks for your quick and helpful reply, I tried what you explained, So I create a new file called 70kevin.ldif and put this into it dn: cn=schema objectClass: top objectClass: inetorgPerson objectClass: subschema attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Num bers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.15 X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.12274.1.1.2.1 NAME 'externalUser' DESC '' SUP inet orgPerson AUXILLARY MAY ( policyNos ) X-ORIGIN 'user defined' ) I restarted slapd and I got this warning "Entry "cn=schema" missing attribute "sn" required by object class "inetOrgPerson"" I can see 'externalUser' but when I try to create a new user, it asks me for the policyNos attribute but not the other attributes of inetOrgPerson, when I try to create the object I get an object violation error. I didnt quite understand this part you mentioned , what else could I be missing. <quote>.....and have your users implement both inetOrgPerson and your auxiliary class. </quote> Any ideas ? Thanks, Kevin ----- Original Message ---- From: kevin james <kevinjj33(a)yahoo.com> To: François Beretti <francois.beretti(a)gmail.com> Sent: Monday, September 25, 2006 4:37:04 PM Subject: Re: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes Francois, Thanks for your quick and helpful reply, I tried what you explained, So I create a new file called 70kevin.ldif and put this into it dn: cn=schema objectClass: top objectClass: inetorgPerson objectClass: subschema attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Num bers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121. 1.15 X-ORIGIN 'user defined' ) objectClasses: ( 1.3.6.1.4.1.12274.1.1.2.1 NAME 'externalUser' DESC '' SUP inet orgPerson AUXILLARY MAY ( policyNos ) X-ORIGIN 'user defined' ) I restarted slapd and I got this warning "Entry "cn=schema" missing attribute "sn" required by object class "inetOrgPerson"" I can see 'externalUser' but when I try to create a new user, it asks me for the policyNos attribute but not the other attributes of inetOrgPerson, when I try to create the object I get an object violation error. I didnt quite understand this part you mentioned , what else could I be missing. <quote>.....and have your users implement both inetOrgPerson and your auxiliary class. </quote> Any ideas ? Thanks, Kevin ----- Original Message ---- From: François Beretti <francois.beretti(a)gmail.com> To: kevin james <kevinjj33(a)yahoo.com>; General discussion list for the Fedora Directory server project. <fedora-directory-users(a)redhat.com> Sent: Monday, September 25, 2006 3:59:11 PM Subject: Re: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes Hi, a few thoughts from someone who is not a fedoraDS expert : - you created a new attribute type, but did not add it to the inetorgperson class definition. So the class itself is not modified. The way the LDIF files are named does not imply you modify a given class. Only the number has a meaning, and this represents the order of the files analysing at the server startup - I am not sure, but I believe that 99users.ldif should not be modified, because it represents a view of the directory schema, and is not a configuration file. Again, I am really not sure, I don't have a fedora instance at home and can't check this - standard classes should not be modified. You should create an auxiliary objectClass containing you custom attribute types, and have your users implement both inetOrgPerson and your auxiliary class. This can also be a way to determine if a given user is configured for our application or not (if it implements your aux class or not) To achieve this, you should create a file named, for example, 70kevin.ldif and put all your custom schema in it. Then start your server. Regards, François 2006/9/25, kevin james < kevinjj33(a)yahoo.com>: Oops I pressed the enter key and the mail got sent, Yahoo Beta Mail is too Ajaxified :) These were the lines I added to the bottom of the 99users.ldif My custom attribute being called "policyNos" attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) I was able to restart slapd with no problems, but it still doesnt show up in my list of attrbutes for inetOrgPerson. Again any suggestions would be greatly appreciated. Thanks, Kevin ----- Original Message ---- From: kevin james < kevinjj33(a)yahoo.com> To: fedora-directory-users(a)redhat.com Sent: Monday, September 25, 2006 3:43:07 PM Subject: Extending inetOrgPerson's schema to support custom attributes Hello All, I'm trying to extend the inetOrgPerson's schema in order to better support our companie's user profile. I 've been doing some googling and I understand that modifications need to be done to the 99users.ldif file, I've tried a couple of settings but I'm unable to see my custom attributes show up in the list of schema attributes for the inetOrgPerson class. Here's what I've done so far. Any help would be greatly appreciated. These are the lines I added to the bottom of the 99users.ldif file. -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

17 years, 7 months

2
2
0 / 0

[Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes

by kevin james

Oops I pressed the enter key and the mail got sent, Yahoo Beta Mail is too Ajaxified :) These were the lines I added to the bottom of the 99users.ldif My custom attribute being called "policyNos" attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' ) I was able to restart slapd with no problems, but it still doesnt show up in my list of attrbutes for inetOrgPerson. Again any suggestions would be greatly appreciated. Thanks, Kevin ----- Original Message ---- From: kevin james <kevinjj33(a)yahoo.com> To: fedora-directory-users(a)redhat.com Sent: Monday, September 25, 2006 3:43:07 PM Subject: Extending inetOrgPerson's schema to support custom attributes Hello All, I'm trying to extend the inetOrgPerson's schema in order to better support our companie's user profile. I 've been doing some googling and I understand that modifications need to be done to the 99users.ldif file, I've tried a couple of settings but I'm unable to see my custom attributes show up in the list of schema attributes for the inetOrgPerson class. Here's what I've done so far. Any help would be greatly appreciated. These are the lines I added to the bottom of the 99users.ldif file.

17 years, 7 months

2
1
0 / 0

[Fedora-directory-users] Extending inetOrgPerson's schema to support custom attributes

by kevin james

Hello All, I'm trying to extend the inetOrgPerson's schema in order to better support our companie's user profile. I 've been doing some googling and I understand that modifications need to be done to the 99users.ldif file, I've tried a couple of settings but I'm unable to see my custom attributes show up in the list of schema attributes for the inetOrgPerson class. Here's what I've done so far. Any help would be greatly appreciated. These are the lines I added to the bottom of the 99users.ldif file.

17 years, 7 months

1
0
0 / 0

[Fedora-directory-users] Does userattr="parent[1].attribute#LDAPURL" work ?

by François Beretti

Hi all, in the directory server access control documentation, it is said that the following aci syntax can be used : (version 3.0; acl "test" allow (all) userattr = "parent[1].attribute#LDAPURL";) I need exactly this feature for the LDAP support of my software. But in my tests, while userattr="url.#LDAPURL" does work, the use of the "parent" keyword does not work. I use the class enatelUserReferer which allow the url attribute type. The object under which I want to create another one is : cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests it is named by the nsuniqueid of the object : uid=francois,dc=evidian,dc=fr I want to give add access to this user, even if the user is renamed. So I want to use the nsuniqueid to find him. In the url attribute I store : ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000) Here are the ACI set on my o=tests root suffix : dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer read access"; allow (read,search,compare) userdn="ldap:///all";) dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer add access"; allow (add) userdn="ldap:///all";) dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer personal acce ss"; allow (all) userattr="url#LDAPURL";) dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version 3.0; acl "enatelUserManagedAuth acces s"; allow (all) userattr="parent[1].url#LDAPURL";) Then I bind as uid=francois,dc=evidian,dc=fr and try to create an enatelUserManagedAuth of DN : cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests I got access denied error. Here is the access control log of slapd : [22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=francois,dc=evidian,dc=fr [22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14 binddn="uid=francois,dc=evidian,dc=fr" [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests: container:-1 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tes ts: container:-1 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:o=tests: container:26 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO STARTS ********* [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Client DN: uid=francois,dc=evidian,dc=fr [22/Sep/2006:17:35:28 +0200] NSACLPlugin - resource type:256(add target_DN ) [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN: cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ATTR: NULL [22/Sep/2006:17:35:28 +0200] NSACLPlugin - rights:add [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO ENDS ********* [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for evaluation [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "enatelUserManagedAuth access"]*** [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692 ACL_ELEVEL:3 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read write delete add self target_attr target_fil ter acltxt allow_rule ) [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr ) [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL INFO***************************** [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests [22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) " "enatelUserManagedAuth access"" [22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval: AttrName:parent[1].url, attrVal:LDAPURL [22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add on entry(cn=auth,cn=5b74e802-1dd211b2-80e 4f010-e49d0000,o=tests).attr(NULL): no aci matched the subject by aci(692): aciname= "enatelUserManagedAuth access", acidn="o=tests" Where is the problem ? Thank you very much François

17 years, 7 months

1
2
0 / 0

[Fedora-directory-users] Command line replication setup

by Patricio A. Bruna

Hi, Anyone knows how i can setup replication from the command line instead of using the console? thanks ---------------------------- Patricio Bruna V. Red Hat Certified Engineer IT Linux Ltda. http://www.it-linux.cl Fono : (+56-2) 333 0051 Cel : (+56-09) 8288 5195

17 years, 7 months

4
6
0 / 0

[Fedora-directory-users] cryptocard and FDS

by Del

Hi all, I'm looking for a way forwards to get cryptocard (http://www.cryptocard.com/) authentication working for a client who uses FDS. There are a number of possibilities that I'm thinking of, but here are the basics: * Cryptocard has its own authentication server, but provides a PAM module for Linux. Therefore it should be possible to use the PAM passthru FDS module mentioned here a while back: http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_... * Cryptocard apparently supports a RADIUS style authentication. Perhaps use SASL in some way that back ends on to RADIUS? Has anyone any other ideas or can suggest a best way of doing this? -- Del Babel Com Australia http://www.babel.com.au/ ph: 02 9368 0728 fax: 02 9368 0758

17 years, 7 months

3
2
0 / 0

[Fedora-directory-users] How to make anonymous SASL work?

by devel - Fashion Content

I seem quite stuck on getting the first step of setting up mail authentication. I have a running directory and Cyrus-SASL installed, but I can't get the two to communicate properly. For now I think anonymous access is fine as they are on the same server. I tried ldapsearch, but it seems to fail quite basicly: [root@langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b "fashioncontent.com" cn=hvendelbo SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: [root@langham ~]# ldapsearch -X -Y SASL/EXTERNAL authentication started ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: As I understand the message I need to configure some protocol on the server, but I have no idea where or how?? Henrik

17 years, 7 months

3
9
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users September 2006