[Fedora-directory-users] Paths to executables and libraries
by Oscar A. Valdez
My installation of fedora-ds-1.0.1-1.RHEL4 puts executables
in /opt/fedora-ds/shared/bin/ and libraries
in /opt/fedora-ds/shared/lib/.
What would you all recomend as a "proper" way of modifying the $PATH
variable and of linking to the DS libraries?
--
Oscar A. Valdez
17 years, 7 months
[Fedora-directory-users] GSSAPI mapping
by Gordon Messmer
I'm migrating from OpenLDAP to FDS, soon, and I'm trying to establish an
entirely compatible Kerberos auth configuration on the new system. User
authentication wasn't really a problem, but we have one application
which uses a kerberos principal which doesn't map to a DN on the old system.
I'm using this ACI (among others, naturally) on the base DN:
dn: dc=ee,dc=washington,dc=edu
aci: (version 3.0; acl "Allow all writes by admin users and web form";
allow (all) userdn="ldap:///uid=*/admin,cn=GSSAPI,cn=auth ||
ldap:///uid=application/hostname.ee.washington.edu,cn=GSSAPI,cn=auth";)
My only SASL mapping rule is this:
dn: cn=Kerberos mapping,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos mapping
nsSaslMapRegexString: uid=([^/]*),cn=GSSAPI,cn=auth
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=ee,dc=washington,dc=edu
nsSaslMapFilterTemplate: objectClass=inetOrgPerson
For the application, the obvious simple "out" seems to be creating a new
entry for the application, under "people", but I don't know how the
"admin" tickets will work.
I'm guessing that I need a "default" mapping, but SASL and GSSAPI are
documented rather poorly for FDS, and it's not clear to me exactly what
I need to do here.
17 years, 7 months
[Fedora-directory-users] solaris client
by Daniel Sanders Zuckerman
Greetings listers,
i have a stumper:
i set up f-ds on CentOS 4.3, and got it working perfectly happy with
authenticating users on my linux boxen. Once that was working, I
started trying to get a solaris box to authenticate, following the
advice in the f-ds wiki. i have a test script that is able to read the
database from the solaris box (with ssl)- that works fine. but when i
start ldap.client (with and w/o ssl) on the solaris box, the f-ds server
goes away, and the logs don't seem to indicate anything. any ideas?
Daniel
17 years, 7 months
[Fedora-directory-users] Getting ready to setup synchronization between AD and FDS
by Bliss, Aaron
Hi everyone, we've been running fds now for about 8 months or so, things
are going great, we have supplier/consumer replication agreement setup
between 2 fds servers; I would like to start looking at the password
synchronization piece between active directory and fds; we have a 2003
domain setup running in native mode; the domain and ldap root dn are the
same. Are there any got yas that I need to be aware before setting up
the password synchronization service? Will the password synchronization
piece allow for encrypted replication between fds and AD (currently the
fds servers are using a self signed cert for encryption). Thanks very
much for your help.
Aaron
Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
17 years, 7 months
[Fedora-directory-users] configuration directory registration
by Gordon Messmer
Suppose that I have a slapd instance that failed to register itself with
the configuration directory due to a bad password, or that I have an
instance that I'd like to move to a different configuration directory.
Is it possible to re-register an instance with the configuration
directory? If not, should I attempt to create an LDIF with the required
info and register it manually? I'd prefer to avoid removing the
instance and setting it up again if it's possible and not onerous.
17 years, 7 months
[Fedora-directory-users] startconsole errors
by Gary Reed
Trying to start the console after successful installation of
fedora-ds-1.0.2-1.RHEL4 on RHEL4 ES update 4. The admin server is running
correctly also. Getting this error:
# /opt/fedora-ds/startconsole
The java class is not found:
com/netscape/management/client/console/Console
I've tried Sun's JRE v1.4.2-11 also and get similar error.
# java -version
java version "1.4.2"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2)
Classic VM (build 1.4.2, J2RE 1.4.2 IBM build cxia32142-20050929 (SR3) (JIT
enabled: jitc))
# echo $JAVA_HOME
/opt/IBMJava2-142/jre
Ideas?
Gary Reed
Integrated Technology Delivery, Server Operations
E-Mail: greed(a)us.ibm.com
17 years, 7 months
[Fedora-directory-users] Simple SASL configuration
by devel - Fashion Content
How do I configure the directory to work with SASL? Any descriptions somewhere, I noticed several comments
on the list hinting that I have missed some existing documentation besides the manuals and googling.
I don't really care what setup, I just want to be able to authenticate against the directory somehow.
Henrik
17 years, 7 months
Re: [Fedora-directory-users] How to make anonymous SASL work?
by Howard Chu
> I tried ldapsearch, but it seems to fail quite basicly:
>
> [root@langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b "fashioncontent.com" cn=hvendelbo
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> [root@langham ~]# ldapsearch -X -Y
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> Date: Sun, 17 Sep 2006 09:53:11 -0600
> From: Richard Megginson <rmeggins(a)redhat.com>
> devel - Fashion Content wrote:
>>>> As I understand the message I need to configure some protocol
>>>> on the server, but I have no idea where or how??
>>>
>>> It looks like you're using the OpenLDAP version of ldapsearch and don't
>>> have SAASL auth set up on the server.
>> Yes, but how do I set up SASL auth. What doc describes it in less than
>> 100 pages.
>> Also, why shouldnt the OpenLDAP client be able to talk to Fedora DS ?
> It is - see below
>>> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
>>> ot use the ldapsearch that comes with the directory server (probably in
>>> /opt/fedora-ds/shared/bin).
> /usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....
>
> ldapsearch by default will attempt a SASL bind, using the best mechanism
> available. To disable this behavior, and force the openldap command
> line tools to use SIMPLE binddn/password auth, you have to specify the
> -x argument.
By the way, I think it's a bug that your server advertised the
SASL/EXTERNAL mechanism here; that mech should only be offered when
there is actually an external security system in place (e.g. IPSEC or
TLS). It appears this was a plain, unprotected connection. A mech
shouldn't be listed in the supportedSASLmechanisms list if requesting it
will in fact fail with "no mechanism available"...
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
17 years, 7 months
[Fedora-directory-users] How to configure shared/bin & lib
by devel - Fashion Content
Apparently the standard installation doesn't include the shared/bin & lib directories in the path.
Can I put them in the path without breaking the OpenLDAP client, or is there some other way to make the tools work?
Henrik
17 years, 7 months
[Fedora-directory-users] run as root? newb question
by Scott Roberts
New to linux and was wondering what is the best
practice for choosing a user and group for running
applications? Is running an app as root the normal
thing to do? Is running apps as root a bad thing? Huge
security risk? Sorry for the stupid question but have
seen different docs saying what to run a directory as.
The RH docs say if you want to run directory on
default ports run as root. Thats what I plan to do.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
17 years, 7 months
