[Fedora-directory-users] How to disable anonymous bind to LDAP?
by Ankur Agarwal
Hi,
I would like to know how to disable anonymous bind. Is there any configuration-level change to be done?
regards,
Ankur
17 years, 1 month
[Fedora-directory-users] configuring SSL without using the "check peer no" option
by Yoram Kahana
Hi
1. After several FDS 1.0.4.1 installations I have the impression that there
is a problem with the admin server database certificate initialisation. It
causes a situation where I can't start the manage certificate option in tasks.
2. I am getting an error telling me my peer can't trust the server certificate.
When using the option check peer no it solves the problem. Are these problems
related?
My goal is to use SSL to authenticate and encrypt the traffic between
the client (my own code with the OpenLDAP API, and PAM/NSS) and the server.
I have tried two certificate types
1. from the Linux openssl
2. from Verisign test trial certificate
What am I missing?
How can I fix the "verify the server certificate" problem?
Thanks in advance
Yoram
[Fedora-directory-users] Error : Critical extension unavailable
by Victor Rodriguez
Good Afternoon:
I have installed Fedora Directory Server on a test environment because I
need to link 2 different LDAP servers (OpenLDAP and eDirectory) in my
company through only one (Fedora Directory Server). I have created a
database link to my first LDAP server (OpenLDAP) and when I try to
connect through my Fedora Directory Server I get this error: Critical
extension unavailable
Do I need to set up anything else?
Regards,
Victor Rodriguez
[Fedora-directory-users] Recovering from database corruption?
by Josh Kelley
I'm afraid that I may have messed up our FDS installation and would
greatly appreciate advice on how to fix things.
We have two Fedora Directory Servers, urim and thummim, set up to
replicate changes to each other. Following a combination of hardware
failure and administrator error (i.e., I thought that the server was
hung and killed it, possibly while it was in the middle of recovery),
the database got corrupted on urim, and it refused to start, giving
the following errors in its log file:
[27/Mar/2007:17:10:18 -0400] - libdb: Ignoring log file:
/opt/fedora-ds/slapd-urim/db/log.0000000164: magic number 0, not 40988
[27/Mar/2007:17:10:20 -0400] - libdb: Invalid log file:
log.0000000164: Invalid argument
[27/Mar/2007:17:10:20 -0400] - libdb: PANIC: Invalid argument
[27/Mar/2007:17:10:20 -0400] - libdb: PANIC: DB_RUNRECOVERY: Fatal
error, run database recovery
[27/Mar/2007:17:10:20 -0400] - Opening database environment
(/opt/fedora-ds/slapd-urim/db) failed. err=-30978: DB_RUNRECOVERY:
Fatal error, run database recovery
[27/Mar/2007:17:10:20 -0400] - start: Failed to init database,
err=-30978 DB_RUNRECOVERY: Fatal error, run database recovery
So then I moved the invalid log file out of the way and successfully
started FDS. Since urim was now out of date and had some database
inconsistencies, I opened the administrative console on thummim,
selected the replication agreement to urim, and told it to
(re)initialize the consumer.
Everything appears to be correct now; however, in the error logs on
urim, I got the following warning/error:
[27/Mar/2007:17:23:43 -0400] NSMMReplicationPlugin -
replica_reload_ruv: Warning: new data for replica dc=local does not
match the data in the changelog.
Recreating the changelog file. This could affect replication with
replica's consumers in which case the consumers should be
reinitialized.
Does this mean that I now need to reinitialize thummim as well? Or is
this warning the result of urim's changelog forcibly being sync'ed
with thummim, and everything's okay now?
Thank you.
Josh Kelley
[Fedora-directory-users] Creating a dynamic group to mirror a netgroup?
by Philip Kime
Always the way - the LDAP enabled app/hardware falls one inch short of
doing what you need ...
In this case a Juniper VPN box which I need to check LDAP netgroup
membership for access control but it doesn't quite understand
netgroups. The
nisnetgrouptriple=(,username,)
format is the stumbling block as I need just the username. I was looking
at creating a dynamic group on the LDAP server itself to contain the
same usernames as in the netgroup but in a simple format the VPN box
could query. Anybody have an idea how to do this with dynamic groups?
Essentially, I need a query to turn this:
cn=netgroup1
nisnetgrouptriple=(,user1,)
nisnetgrouptriple=(,user2,)
into something like this:
cn=dynamic-group1
uniquemember=user1
uniquemember=user2
PK
--
Philip Kime
NOPS Systems Architect
310 401 0407
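One way to get the flat member list the poster wants, as an added example that is not part of the original post and not a feature of Fedora Directory Server: a small Python script that parses RFC 2307 nisNetgroupTriple values, keeps only the user field, and renders a groupOfUniqueNames entry that a client which cannot parse triples can query. It generates a static group to be regenerated on a schedule rather than a true dynamic group, and it assumes (my assumptions, not the poster's) that members are written as full uniqueMember DNs under a hypothetical ou=People container and that the host and domain fields of a triple are ignored.

```python
"""Added example (not from the mailing-list thread): derive a flat member
list from RFC 2307 netgroup triples so an LDAP client that cannot parse
nisNetgroupTriple can query a plain group instead.

Assumptions (mine, not the poster's): the netgroup is read from an LDIF
dump, members are written as uniqueMember DNs under a hypothetical
ou=People container, and the host/domain fields of a triple are ignored
because only the user field is needed.
"""
import re

# A triple looks like (host,user,domain); any field may be empty.
TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def users_from_triples(triples):
    """Return the distinct user fields of netgroup triples, in first-seen
    order. Malformed values and triples with an empty user field are
    skipped, so a host-only triple such as (host1,,) never yields a member."""
    seen = []
    for raw in triples:
        m = TRIPLE_RE.match(raw.strip())
        if not m:
            continue
        user = m.group(2).strip()
        if user and user not in seen:
            seen.append(user)
    return seen


def parse_netgroup_ldif(ldif_text):
    """Minimal LDIF reader: returns {cn: [triple, ...]} for the entries in
    the dump. Attribute names are compared case-insensitively, as LDAP does."""
    groups = {}
    cn, triples = None, []
    for line in ldif_text.splitlines() + [""]:  # trailing "" flushes last entry
        if not line.strip():
            if cn is not None:
                groups[cn] = triples
            cn, triples = None, []
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "cn":
            cn = value
        elif attr == "nisnetgrouptriple":
            triples.append(value)
    return groups


def group_ldif(netgroup_cn, users, people_base="ou=People,dc=example,dc=com",
               groups_base="ou=Groups,dc=example,dc=com"):
    """Render a groupOfUniqueNames entry whose uniqueMember values are the
    DNs of the netgroup's users (hypothetical base DNs). Returns LDIF text."""
    lines = [f"dn: cn=dynamic-{netgroup_cn},{groups_base}",
             "objectClass: top", "objectClass: groupOfUniqueNames",
             f"cn: dynamic-{netgroup_cn}"]
    lines += [f"uniqueMember: uid={u},{people_base}" for u in users]
    return "\n".join(lines) + "\n"


# Constructed sample netgroup dump, modelled on the poster's example.
SAMPLE_LDIF = """dn: cn=netgroup1,ou=Netgroup,dc=example,dc=com
objectClass: nisNetgroup
cn: netgroup1
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
nisNetgroupTriple: (host1,,)
nisNetgroupTriple: (host2,user1,example.com)
nisNetgroupTriple: not-a-triple
"""

if __name__ == "__main__":
    for name, triples in parse_netgroup_ldif(SAMPLE_LDIF).items():
        print(group_ldif(name, users_from_triples(triples)))
```

Because the generated group is static, whatever runs this script needs to re-run it whenever the netgroup changes, and the account it uses to write the group should be allowed to modify only the target group entry.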
[Fedora-directory-users] Question about the type of binds that are done after authentication
by Anderson, Cary
I have been asked a question relating to when authenticated and
anonymous binds are made to an LDAP directory, and I was hoping someone
might be able to provide some assistance...
After a user authenticates to a Linux server via LDAP and issues a UNIX
command, say ls, will subsequent queries to LDAP be made in order to
determine the uid of the user issuing the command for purposes of
determining if the user can execute the command and read the
directory/file target of the ls command, or is that cached in the
initial authentication? If subsequent LDAP queries are made for this
type of information, are they authenticated or anonymous binds?
Thanks in advance.
Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424
[Fedora-directory-users] Unindexed Search question
by Renato Ribeiro da Silva
I'm trying to understand why the search below is not indexed.
[27/Mar/2007:06:54:21 -0300] conn=341590 op=2 SRCH base="dc=domain,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[27/Mar/2007:06:54:26 -0300] conn=341590 op=2 RESULT err=0 tag=101 nentries=8975 etime=5 notes=U
I looked at the configuration of the indexes in the database, and the objectClass attribute has a system (read-only) Equality index.
Any idea?
Thanks in advance,
Renato.
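As an added example that is not part of the original post, here is a small Python scanner for the access-log format shown above: it pairs each SRCH line with its RESULT line by conn and op and reports every search whose RESULT carries notes=U (unindexed), together with its base, filter, entry count and elapsed time. It assumes the default Fedora Directory Server access-log layout as it appears in the poster's two lines; the sample log lines are constructed around that layout.

```python
"""Added example (not from the thread): find unindexed searches (notes=U)
in a Fedora Directory Server access log and report their cost, so slow
searches can be traced back to a missing or unusable index.

Assumption: the default access-log layout shown in the poster's message,
where conn=/op= pairs link a SRCH line to its RESULT line.
"""
import re

SRCH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH '
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT '
    r'err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) etime=(?P<etime>\d+)'
    r'(?P<rest>.*)$')


def result_notes(rest):
    """Return the notes flags of a RESULT line as a list, e.g. ['U'].
    The notes value is parsed as a token so 'U' is not matched inside
    some other word."""
    m = re.search(r'notes=([A-Z,]+)', rest)
    return m.group(1).split(",") if m else []


def find_unindexed_searches(lines):
    """Pair SRCH and RESULT lines by (conn, op) and return one dict per
    search whose RESULT carries notes=U. A RESULT whose SRCH line is not in
    the input (e.g. it was in a rotated-away log) is still reported, with
    base, scope and filter set to None, so no unindexed search is missed."""
    pending = {}
    hits = []
    for line in lines:
        m = SRCH_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m.groupdict()
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue
        srch = pending.pop((m["conn"], m["op"]), None)
        if "U" not in result_notes(m["rest"]):
            continue
        hits.append({
            "conn": int(m["conn"]), "op": int(m["op"]),
            "base": srch["base"] if srch else None,
            "scope": int(srch["scope"]) if srch else None,
            "filter": srch["filter"] if srch else None,
            "nentries": int(m["nentries"]), "etime": int(m["etime"]),
        })
    return hits


# Constructed sample log: the poster's two lines, an indexed search that
# must not be reported, a second unindexed search, and an orphan RESULT.
SAMPLE_LOG = """\
[27/Mar/2007:06:54:21 -0300] conn=341590 op=2 SRCH base="dc=domain,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[27/Mar/2007:06:54:21 -0300] conn=341591 op=1 SRCH base="dc=domain,dc=com" scope=2 filter="(uid=jdoe)" attrs="uid"
[27/Mar/2007:06:54:21 -0300] conn=341591 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[27/Mar/2007:06:54:26 -0300] conn=341590 op=2 RESULT err=0 tag=101 nentries=8975 etime=5 notes=U
[27/Mar/2007:06:55:02 -0300] conn=341592 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=1 filter="(cn=*smith*)" attrs="cn"
[27/Mar/2007:06:55:05 -0300] conn=341592 op=1 RESULT err=0 tag=101 nentries=12 etime=3 notes=U
[27/Mar/2007:06:55:09 -0300] conn=99 op=3 RESULT err=0 tag=101 nentries=4 etime=2 notes=U
"""

if __name__ == "__main__":
    for hit in find_unindexed_searches(SAMPLE_LOG.splitlines()):
        print(f"conn={hit['conn']} op={hit['op']} base={hit['base']} "
              f"filter={hit['filter']} nentries={hit['nentries']} etime={hit['etime']}")
```

Run over a real log, the report shows which filters are unindexed and how many entries they return; a filter that matches thousands of entries, as (objectClass=posixAccount) does here, is the kind of search an equality index alone does not make cheap, and it is worth checking the server's documented index and all-IDs threshold settings for that case.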
[Fedora-directory-users] Error message: Failed to initialize cipher AES in attrcrypt_init
by Guyon Julien
Hi,
Since I configured SSL (based on information found at http://directory.fedora.redhat.com/wiki/Howto:SSL), the following messages appear in the errors log. The directory is starting and working well, and my AD passwords are also correctly synchronised using WindowsSync over SSL.
At start time,
[22/Mar/2007:09:44:05 +0100] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[22/Mar/2007:09:44:05 +0100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Mar/2007:09:44:05 +0100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[22/Mar/2007:09:44:05 +0100] - Failed to initialize cipher AES in attrcrypt_init
[22/Mar/2007:09:44:05 +0100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Mar/2007:09:44:05 +0100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[22/Mar/2007:09:44:05 +0100] - Failed to initialize cipher AES in attrcrypt_init
[22/Mar/2007:09:44:05 +0100] - slapd started. Listening on All Interfaces port 1389 for LDAP requests
[22/Mar/2007:09:44:05 +0100] - Listening on All Interfaces port 1636 for LDAPS requests
Such a question has already been posted one year ago, but the answer was not sufficient to correct the problem.
Any ideas?
Regards
Julien Guyon
Systems, Networks & Telecoms Engineer
Conseil Régional de Lorraine
Tel: (+33) 3 87 33 63 14
Email: julien.guyon(a)cr-lorraine.fr