[Fedora-directory-users] use of certificate
by Elisa Pellegrini
Hi!
I have a problem with a certificate: I created a certificate and installed my
CA in FDS.
When I show the certificate's details I see the following field:
"this certificate has been verified for the following uses: "
and nothing else is specified: I didn't specify the uses of the certificate.
Is this a problem for the use of the certificate?
16 years, 4 months
[Fedora-directory-users] Restricting Users Login Question
by Jared B. Griffith
I am setting up a Fedora Directory Server for use in our company. Our problem now is that any user that has a posix account (which it is necessary for every user to have due to web applications and our heavy use of Linux machines) can log into machines we do not want them having access to (i.e. production web servers, gateways, firewalls, etc.).
Yes, we could lock it down via sshd_config on the servers with the AllowUsers statement, but that would not prevent them from being able to log in on the local machine.
I have changed my ldap.conf on my linux / bsd machines to allow only the following:
pam_groupdn cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld
# Group member attribute
pam_member_attribute uniqueMember
This does and does not work. When logging into the server with a user that is not a member of that group, I get the following warning:
You must be a uniqueMember of cn=syadmins,ou=IT,ou=Groups,dc=company,dc=tld to login
But it logs me right in.
I have posted the full ldap.conf here:
http://pastebin.com/m11b0b227
Here is the shorter version (minus all the commented-out stuff):
http://pastebin.com/m26f9048d
Any help or pointers would be appreciated.
--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith(a)farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542
16 years, 4 months
Re: [Fedora-directory-users] libnss_ldap-2.5.0.so update breaks admin server.
by Brian Roy
Platform is FC6.
LDAP auth worked with libnss_ldap-2.4.90 AND libnss_ldap-2.5; HOWEVER,
after the 2.5 update (via Software Updater) Admin Server child
processes crashed when loading libnss_ldap.so.2.
The second un-updated system (the one I pulled libnss_ldap-2.4.90.so
from) is also FC6.
Log Snips:
Admin Server Error Log (showing the period around the reboot after the
Software Updater update):
[Fri Aug 24 11:55:07 2007] [notice] [client ::1]
admserv_host_ip_check: host [localhost.localdomain] did not match
pattern [*.santan.brianandkelly.ws] -will scan aliases
[Fri Aug 24 11:55:07 2007] [notice] [client ::1]
admserv_host_ip_check: host alias [localhost] did not match pattern
[*.santan.brianandkelly.ws]
[Fri Aug 24 11:55:07 2007] [notice] [client ::1]
admserv_check_authz(): passing [/admin-serv/authenticate] to the
userauth handler
[Wed Oct 24 09:53:30 2007] [notice] caught SIGTERM, shutting down
[Wed Oct 24 09:58:51 2007] [notice] Access Host filter is:
*.santan.brianandkelly.ws
[Wed Oct 24 09:58:51 2007] [notice] Access Address filter is: *
[Wed Oct 24 09:58:52 2007] [notice] Access Host filter is:
*.santan.brianandkelly.ws
[Wed Oct 24 09:58:52 2007] [notice] Access Address filter is: *
[Wed Oct 24 09:58:52 2007] [notice] Apache/2.2.6 (Unix) mod_nss/2.2.3
NSS/3.11.3 configured -- resuming normal operations
[Wed Oct 24 09:58:53 2007] [notice] child pid 3327 exit signal
Segmentation fault (11)
[Wed Oct 24 09:58:55 2007] [notice] child pid 3328 exit signal
Segmentation fault (11)
[Wed Oct 24 09:58:57 2007] [notice] child pid 3348 exit signal
Segmentation fault (11)
[Wed Oct 24 09:58:59 2007] [notice] child pid 3350 exit signal
Segmentation fault (11)
Content of strace on Segmentation Faulting admin server child process:
<clip - standard stuff... looking for libnss_ldap.so.2>
open("/usr/lib/libnss_ldap.so.2", O_RDONLY) = 32
read(32, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`&
\0\0004\0\0\0"..., 512) = 512
fstat64(32, {st_mode=S_IFREG|0755, st_size=84552, ...}) = 0
mmap2(NULL, 129408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
32, 0) = 0x6f2d0000
mmap2(0x6f2e4000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRITE, 32, 0x14) = 0x6f2e4000
mmap2(0x6f2e5000, 43392, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_ANONYMOUS, -1, 0) = 0x6f2e5000
close(32) = 0
munmap(0xb729d000, 57248) = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
geteuid32() = 0
futex(0x6f2e4544, FUTEX_WAKE, 2147483647) = 0
open("/etc/ldap.conf", O_RDONLY) = 32
fstat64(32, {st_mode=S_IFREG|0644, st_size=6182, ...}) = 0
fstat64(32, {st_mode=S_IFREG|0644, st_size=6182, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7f5f000
read(32, "#\n# This is the configuration fi"..., 4096) = 4096
read(32, "7objectclass\tmapped_objectclass\n"..., 4096) = 2086
read(32, "", 4096) = 0
close(32) = 0
munmap(0xb7f5f000, 4096) = 0
uname({sys="Linux", node="royhomegp02.santan.brianandkelly.ws", ...})
= 0
open("/etc/hosts", O_RDONLY) = 32
fcntl64(32, F_GETFD) = 0
fcntl64(32, F_SETFD, FD_CLOEXEC) = 0
fstat64(32, {st_mode=S_IFREG|0644, st_size=194, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7f5f000
read(32, "# Do not remove the following li"..., 4096) = 194
read(32, "", 4096) = 0
close(32) = 0
munmap(0xb7f5f000, 4096) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 32
connect(32, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("192.168.0.5")}, 28) = 0
fcntl64(32, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(32, F_SETFL, O_RDWR|O_NONBLOCK) = 0
gettimeofday({1194384239, 115881}, NULL) = 0
poll([{fd=32, events=POLLOUT, revents=POLLOUT}], 1, 0) = 1
send(32, "\23\0\1\0\0\1\0\0\0\0\0\0\vroyhomegp02\6santan\r"..., 53,
MSG_NOSIGNAL) = 53
poll([{fd=32, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(32, FIONREAD, [111]) = 0
recvfrom(32, "\23\0\205\200\0\1\0\1\0\1\0\1\vroyhomegp02\6santan
\r"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("192.168.0.5")}, [16]) = 111
close(32) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
chdir("/opt/fedora-ds/admin-serv") = 0
rt_sigaction(SIGSEGV, {SIG_DFL}, {SIG_DFL}, 8) = 0
kill(7265, SIGSEGV) = 0
sigreturn() = ? (mask now [])
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
Brian T. Roy
b.t.roy(a)brianandkelly.ws
Visit my blog @: http://briantroy.com/blog
The greatest mistake you can make in life is to be continually fearing
you will make one.
— Elbert Hubbard (1856-1915), The Note Book
On Nov 9, 2007, at 10:00 AM, fedora-directory-users-request(a)redhat.com
wrote:
> Re: [Fedora-directory-users] libnss_ldap-2.5.0.so update breaks
> admin server.
16 years, 4 months
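The way the poster pinned the crash on libnss_ldap.so.2 (reading the strace output backwards from the SIGSEGV marker) can be scripted. The following is an added example, not code from the post or the Fedora DS project: it scans an strace log for the last shared object successfully opened before the fatal signal and lists the files the process opened after loading it, which are the first suspects when a name-service module crashes. The trace text is a constructed sample modelled on the one quoted above.

```python
"""Locate the last shared object loaded before a fatal signal in strace output."""
import re

# Constructed sample trace, trimmed and modelled on the post's strace snippet.
SAMPLE_TRACE = r"""
open("/lib/libcrypt.so.1", O_RDONLY) = 32
close(32) = 0
open("/usr/lib/libnss_ldap.so.2", O_RDONLY) = 32
read(32, "\177ELF\1\1\1\0\0\0"..., 512) = 512
mmap2(NULL, 129408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 32, 0) = 0x6f2d0000
close(32) = 0
open("/etc/ldap.conf", O_RDONLY) = 32
read(32, "#\n# This is the configuration fi"..., 4096) = 4096
close(32) = 0
open("/etc/hosts", O_RDONLY) = 32
read(32, "# Do not remove the following li"..., 4096) = 194
close(32) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 32
connect(32, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.0.5")}, 28) = 0
close(32) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
"""

# open("<path>", <flags...>) = <fd or -1 ERRNO ...>
OPEN_RE = re.compile(r'^open\("([^"]+)", [^)]*\) = (-?\d+)')
# strace prints delivered signals as "--- SIGNAME (description) ..."
SIGNAL_RE = re.compile(r'^--- (SIG[A-Z0-9]+) ')
# shared objects: libfoo.so, libfoo.so.2, libfoo.so.1.0 ...
SO_RE = re.compile(r'\.so(\.\d+)*$')


def analyze_trace(text):
    """Return the fatal signal, the last shared object opened before it, and the
    files opened after that object was loaded (its config/data reads)."""
    opened = []  # paths of successful open() calls, in order
    for line in text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            if int(m.group(2)) >= 0:  # skip failed opens (negative return value)
                opened.append(m.group(1))
            continue
        s = SIGNAL_RE.match(line)
        if s:
            so_idx = [i for i, p in enumerate(opened) if SO_RE.search(p)]
            last = so_idx[-1] if so_idx else None
            return {
                "signal": s.group(1),
                "last_so": opened[last] if last is not None else None,
                "opened_after": opened[last + 1:] if last is not None else opened,
            }
    return {"signal": None, "last_so": None, "opened_after": []}


if __name__ == "__main__":
    print(analyze_trace(SAMPLE_TRACE))
```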
[Fedora-directory-users] libnss_ldap-2.5.0.so update breaks admin server.
by Brian Roy
Admin server began having child process seg faults after my box
updated to libnss_ldap-2.5.so
I know this is the culprit as I've tracked down (using strace) the seg
fault to the use of libnss_ldap.so.2
I grabbed libnss_ldap-2.4.90.so from another system which had not
updated and re-symlinked libnss_ldap.so.2 back to
libnss_ldap-2.4.90.so and now Admin Server runs fine... however...
All LDAP auth on the server is now broken. Anyone found a real fix for
this... as of now I've created a script to swap the symlinks allowing
me to run the Admin Server and the Directory Console - and another
script which allows me to swap the symlink back to libnss_ldap-2.5.so
to re-enable ldap auth. Needless to say this is a significant pain in
the...
Any suggestions?
Brian T. Roy
b.t.roy(a)brianandkelly.ws
Visit my blog @: http://briantroy.com/blog
The greatest mistake you can make in life is to be continually fearing
you will make one.
— Elbert Hubbard (1856-1915), The Note Book
16 years, 4 months
[Fedora-directory-users] ns-slapd out of memory
by Tamas Bagyal
hello,
first, sorry for my bad english :)
I installed two fedora-ds 1.0.4 on debian etch (compiled in place by the dsbuild
script) with multi-master replication. These servers are used by powerdns with an ldap
backend and cups 1.2.7 (both from the official debian archive)
configured for ldap browsing.
The problem is: when cups uses ldap browsing, memory usage begins
growing until ns-slapd runs out of memory. The machine has 2gb of memory;
this is enough for about 6-7 days. cups generates 50-60 read/mod requests every 3
minutes, powerdns makes 2-3 read requests per second.
I'm new to fedora-ds; is this normal operation? Almost every setting is
default, however which logs/conf settings do you need for problem determination?
thanks,
KeeF
16 years, 4 months
[Fedora-directory-users] FDS Groups
by Jared B. Griffith
How would one go about configuring FDS to be able to do groups such as wheel and what not?
I have it set up, but the client is not getting the groups out of the Groups OU.
--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith(a)farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542
16 years, 4 months
[Fedora-directory-users] samba + PDC + FDS
by Satish Patel
dear all
Is it possible to implement samba as PDC + FDS, and will it give full functionality like a Win 2003 DC?
Regards
$ cat ~/satish/url.txt
http://www.linuxbug.org
16 years, 4 months
[Fedora-directory-users] Password Encryption
by Jared B. Griffith
What is the default password encryption routine for FDS?
Also, is it possible to change it?
--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith(a)farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542
16 years, 4 months