[Fedora-directory-users] Allow root to change user's passwords
by Orion Poplawski
I'm used to being able to change users' passwords as root using the
"passwd" command on my main server (this was with NIS and the master
shadow file kept on the server). Now with FDS, I get:
# passwd orion
Changing password for user orion.
Enter login(LDAP) password:
and I must enter the password for the user "orion". This gets tricky
when the user has forgotten their password.
Is there a way to avoid this first check and allow root to force a
change of the password?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
[Fedora-directory-users] Admin-server/config-server
by tamarin p
Hey,
I've installed Fedora DS 1.1.3 on RHEL5 and configured two server instances
using setup-ds-admin.pl. It seems to work fine, including single-master
replication. I can manage both servers through the fedora-idm-console.
I'm left with some questions I couldn't find answers to in the
documentation however, and was hoping someone could help me clear some of
them.
1) The Red Hat documentation makes references to both an admin server and a
configuration server. I can't seem to get a handle on what's what. Is it
simply two terms for the same thing or does one refer to the web-interface
while the other refers to the o=NetscapeRoot suffix on one of the ldap
instances?
2) Slightly connected with 1). Is it advisable to create a completely
separate ldap instance for the configuration server or does one generally
just use the first instance created? For example in my test setup I created
two instances. slapd-primary and slapd-secondary, where the configuration
server for secondary was set to ldap://ldap.test.org:389/o=NetscapeRoot. I'm
assuming pointers to all servers managed by this console etc. is stored
here. Would it instead be advisable to have a completely separate instance
for this, so that instead of slapd-primary and slapd-secondary, I'd have
slapd-admin, slapd-primary and slapd-secondary? In production (and further
along in my testing) they would all live on separate boxes obviously.
3) I'm assuming it's only possible to have one admin console/config server
per machine, i.e. not possible to have four server instances on the same box
but have the first two managed through one console and the remaining two
through another (on the same machine)?
[Fedora-directory-users] Certificate to LDAP mapping problem
by neuron ring
Hi lambam,
I am trying to do LDAP client certificate mapping. I have given an overview of
my configuration.
My certmap.conf file:
certmap example ou=employees,o=us.com   <-- this is the DN of the
CA issuer,
example:verifycert on
example:DNComps cn,email,roomNumber
example:FilterComps l,email,uid,telephoneNumber
example:CmapLdapAttr certSubjectDN
Generation of CA cert:
certutil -S -n "CertCA" -s "ou= employees,o= us.com" -x -t "CT,," -m 1000 -v
120 -d <path/to/instance cert db>
-z noise.txt -f pwdfile.txt
Is this correct?
I assume ou=employees,o=us.com is my CA cert issuer. So I am using it as
issuerDN value in certmap.conf.
creating client certificate.
certutil -S -n "certuser" -s "cn=certuser, ou=employees,o=us.com " -c "
CertCA " -t "u,u,u" -m 1003 -v 120 -d <path/to/instance cert db> -z
noise.txt -f pwdfile.txt
and adding userCertificate;binary attribute to that user entry, after
creating binary certificate.
certutil -L -d <instance-path> -n "certuser" -r >usercert.bin
When I try to ldapsearch:
ldapsearch -h myhost -p 636 -Z -P /etc/opt/dirsrv/slapd-<instance>/cert8.db
-N " certuser " -K /etc/opt/dirsrv/slapd-<instance>/key3.db -W "password" -b
"o=us.com" cn=certuser
ldap_sasl_bind: Invalid credentials
ldap_sasl_bind: additional info: client certificate mapping failed
But when I change the issuerDN in certmap.conf file to whatever DN (even if
it is non-existent and invalid) I get the search
result properly. But the criterion is that the issuerDN in certmap.conf should be
exactly the same DN as the one that issued the CA certificate.
The problem is whenever I use correct issuerDN in first line of certmap.conf
file I am getting error.
I am totally confused. Can somebody help me to get rid of this problem?
Thanks in advance,
Neuron Ring.
Hello Neuron Ring.
Certificate to LDAP Mapping:
http://www.redhat.com/docs/manuals/dir-server/pdf/console60.pdf
Page 198 ish.
API:
----
From page 201 of the above guide:
< You can use the Certificate Mapping API to create your own properties. For
< information on using the Certificate Mapping API, see “Certificate Mapping
SDKs”
< at the following URL - which is followed by a defunct link.
Try here, rather:
http://www.redhat.com/docs/manuals/cert-system/sdk/7.1/
I hope this helps, laters. I'll keep an eye out for further questions
along this line.
--------------------------------------------------------------------------------
Date: Tue, 24 Mar 2009 17:51:50 +0530
From: neuronring(a)gmail.com
To: fedora-directory-users(a)redhat.com
Subject: [Fedora-directory-users] Certificate to LDAP Mapping API
Hi all,
I need to use “Certificate to LDAP Mapping” functionality.
The README file in the source ldapserver/lib/ldaputil/examples path
suggests:
Refer "Certificate to LDAP Mapping API" documentation to find out about the
various API functions and how you can write your
plug-in.
And also to refer “Managing servers” manual. But I couldn’t get those
documents. How can I write my own plug-in for LDAP Mapping?
Or what can I do with Certmap.conf file to configure Certificate to LDAP
Mapping.
Can somebody provide link to that document or explain
what is Certificate to LDAP Mapping.
Thanks in advance,
Neuron Ring.
[Fedora-directory-users] Certificate to LDAP Mapping API
by neuron ring
Hi all,
I need to use “Certificate to LDAP Mapping” functionality.
The README file in the source ldapserver/lib/ldaputil/examples path
suggests:
Refer "Certificate to LDAP Mapping API" documentation to find out about the
various API functions and how you can write your
plug-in.
And also to refer “Managing servers” manual. But I couldn’t get those
documents. How can I write my own plug-in for LDAP Mapping?
Or what can I do with Certmap.conf file to configure Certificate to LDAP
Mapping.
Can somebody provide link to that document or explain
what is Certificate to LDAP Mapping.
Thanks in advance,
Neuron Ring.
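Both of the certmap threads above ask what certmap.conf actually does with a client certificate. The block below is an added example, not 389/Fedora DS code, that models the documented rule set as I read it: the server picks the `certmap` entry whose issuer DN equals the certificate's issuer (whitespace and case aside) and otherwise falls through to the `default` entry; `DNComps` names the subject components that form the search base (no `DNComps` line at all means the whole subject DN is the base); `FilterComps` names the subject components that are ANDed into the filter (none usable means `objectclass=*`); and `CmapLdapAttr` makes the server first look for an entry whose named attribute holds the full subject DN. The rules are copied from the earlier post; the `default` entry and its `verifycert` line are constructed for the example, and the exact shape of the shipped default is an assumption. Run against the posted subject, the `example` entry produces the base `cn=certuser` (the only `DNComps` attribute present in that subject), while the `default` entry searches from the full subject DN, which is exactly the entry that exists; that is consistent with the behaviour reported and is worth checking before looking further.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not 389/Fedora DS code. The first five lines reproduce the rules
# posted above; the "default" entry is constructed for this example (assumption).
CERTMAP_CONF = """\
certmap example ou=employees,o=us.com
example:verifycert on
example:DNComps cn,email,roomNumber
example:FilterComps l,email,uid,telephoneNumber
example:CmapLdapAttr certSubjectDN
certmap default default
default:verifycert on
"""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attr, value) pairs, tolerating spaces around '=' and ','.
    Simplified: no escaped commas and no multi-valued RDNs."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip():
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def normalize_dn(dn: str) -> str:
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))


def parse_certmap(text: str) -> Dict[str, dict]:
    """Parse certmap.conf into {name: {"issuer": DN, "props": {prop: value}}}."""
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("certmap "):
            _, name, issuer = line.split(None, 2)
            entries[name] = {"issuer": issuer, "props": {}}
            continue
        key, _, value = line.partition(" ")
        name, _, prop = key.partition(":")
        entries[name]["props"][prop.lower()] = value.strip()
    return entries


def select_entry(entries: Dict[str, dict], issuer_dn: str) -> Optional[str]:
    """The entry whose issuer DN equals the certificate's issuer, else "default"."""
    wanted = normalize_dn(issuer_dn)
    for name, entry in entries.items():
        if name != "default" and normalize_dn(entry["issuer"]) == wanted:
            return name
    return "default" if "default" in entries else None


def build_search(entry: dict, subject_dn: str) -> Tuple[str, str]:
    """Derive (base DN, filter) from the subject using DNComps and FilterComps."""
    subject = parse_dn(subject_dn)
    props = entry["props"]
    if "dncomps" not in props:
        base = ",".join(f"{a}={v}" for a, v in subject)  # whole subject DN
    else:
        keep = {c.strip().lower() for c in props["dncomps"].split(",") if c.strip()}
        base = ",".join(f"{a}={v}" for a, v in subject if a in keep)  # "" = root
    keep_f = {c.strip().lower() for c in props.get("filtercomps", "").split(",") if c.strip()}
    terms = [f"({a}={v})" for a, v in subject if a in keep_f]
    if not terms:
        filt = "(objectclass=*)"
    elif len(terms) == 1:
        filt = terms[0]
    else:
        filt = "(&" + "".join(terms) + ")"
    return base, filt


def plan(entries: Dict[str, dict], issuer_dn: str, subject_dn: str) -> dict:
    """What the server would search for a certificate with this issuer and subject."""
    name = select_entry(entries, issuer_dn)
    if name is None:
        return {"entry": None}
    entry = entries[name]
    base, filt = build_search(entry, subject_dn)
    result = {"entry": name, "base": base, "filter": filt,
              "verifycert": entry["props"].get("verifycert", "off") == "on"}
    if "cmapldapattr" in entry["props"]:
        # Tried first: an entry whose CmapLdapAttr attribute holds the full subject DN.
        result["first_try"] = f"({entry['props']['cmapldapattr']}={subject_dn.strip()})"
    return result


if __name__ == "__main__":
    entries = parse_certmap(CERTMAP_CONF)
    subject = "cn=certuser, ou=employees,o=us.com"
    print(plan(entries, "ou=employees,o=us.com", subject))       # matches "example"
    print(plan(entries, "cn=Some Other CA,o=nowhere", subject))  # falls to "default"
```

With `verifycert on`, whichever entry is found must also carry a `userCertificate` value identical to the presented certificate, so a stale or re-issued certificate fails even when the DN search succeeds; and because an unmatched issuer silently lands on `default`, keep that entry strict rather than permissive.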
[Fedora-directory-users] Windows data sync
by Emmanuel BILLOT
Hi,
We've installed FDS, AD and a replication agreement.
FDS data/passwords sync with AD.
AD passwords sync with FDS.
2 problems are still unsolved:
- AD modifications (name, surname, mail) are not sent to or caught by FDS
- Passwords are not recognized after a Full init.
FDS => AD full init = unable to log on AD (even if we manually
activate the account)
FDS -> AD passwd update = passwd ok in AD
Anyone has an idea ?
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================
Re: [Fedora-directory-users] Windows data sync
by Emmanuel BILLOT
Emmanuel BILLOT wrote:
> Rich Megginson wrote:
>> Emmanuel BILLOT wrote:
>>> Hi,
>>>
>>> We've installed FDS, AD and a replication agreement.
>>> FDS data/passwords sync with AD
>>> AD passwords sync with FDS.
>>>
>>> 2 problems are still unsolved:
>>> - AD modifications (name, surname, mail) are not sent to or caught by FDS
>> I suppose you could enable the replication log level and see why this
>> is not working. Note that changes may take up to 5 minutes to sync
>> over to Fedora DS due to the way the sync works using the DirSync
>> control.
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>> - Passwords are not recognized after a Full init.
>>> FDS => AD full init = unable to log on AD (even if we manually
>>> activate the account)
> Here is the log extract :
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): No changes to send
> [26/Mar/2009:09:55:43 +0100] - Calling dirsync search request plugin
> [26/Mar/2009:09:55:43 +0100] - Sending dirsync search request
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): Beginning linger on the connection
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): Linger timeout has expired on the connection
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): State: sending_updates -> wait_for_changes
> [26/Mar/2009:09:55:43 +0100] NSMMReplicationPlugin - agmt="cn=win"
> (porlsvrdc0003:636): Disconnected from the consumer
>
> I can't see any action.
>> Right. Passwords are not synced during full init. Full init only
>> uses passwords in the database which are hashed and do not sync.
>>> FDS -> AD passwd update = passwd ok in AD
>> Right. Passwd update uses clear text passwords.
>>>
>>> Anyone has an idea ?
>>>
>>
OK, I found the problem:
Replicating Directory Changes was not among the replication user's rights.
All seems to be ok now.
Thanks.
BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================
[Fedora-directory-users] /usr/lib64/dirsrv/modules/mod_admserv.so will not load
by Sean Carolan
I have successfully installed Fedora Directory server on an x86_64
machine running CentOS 5. Everything works except for the Admin
Server. When I attempt to start it the apache module fails to load:
/usr/lib64/dirsrv/modules/mod_admserv.so
[Mon Mar 23 16:06:44 2009] [error] This module only supports the threaded MPM
Can anyone shed some light on this error? I googled and looked
through the mailing list archives but did not find anything to
specifically address this problem
Thanks
Sean
[Fedora-directory-users] Windows Sync problem
by Emmanuel BILLOT
Hi,
A Win Sync between FDS and Active Directory failed on our servers due to
FDS reboot.
Error log says:
(delta:636) - Can't locate CSN 48f3e8cc000100020000 in the changelog (DB
rc=-30990). The consumer may need to be reinitialized.
Does it mean that a consumer reinitialization must be done? In this
case, does it erase any data in AD? What happens with AD-only attributes?
Is there any method to resync without deleting AD data?
BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================
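The CSN in that error is not opaque: a 389/Fedora DS CSN is 20 hex digits made of a 32-bit epoch timestamp, a 16-bit sequence number, a 16-bit replica ID and a 16-bit sub-sequence number, so decoding it tells you how old the change is that the supplier can no longer find. The block below is an added example, not 389 DS code; the log line is the one quoted in the post (embedded here as constructed sample input) and the "as of" date is taken from the thread's March 2009 timestamps. It does not settle what a reinitialization does to AD-only attributes, which the page leaves open.

```python
import datetime
import re
from typing import List, NamedTuple

# Added example, not 389/Fedora DS code. Sample input constructed from the post.
SAMPLE_ERRORS_LOG = (
    "(delta:636) - Can't locate CSN 48f3e8cc000100020000 in the changelog "
    "(DB rc=-30990). The consumer may need to be reinitialized."
)

CSN_RE = re.compile(r"Can't locate CSN ([0-9a-fA-F]{20})")


class CSN(NamedTuple):
    timestamp: int   # seconds since the epoch (first 8 hex digits)
    seqnum: int      # sequence number within that second (next 4)
    replica_id: int  # ID of the replica that originated the change (next 4)
    subseqnum: int   # sub-sequence number (last 4)

    def when(self) -> datetime.datetime:
        return datetime.datetime.fromtimestamp(self.timestamp, datetime.timezone.utc)


def parse_csn(text: str) -> CSN:
    """Decode a 20-hex-digit 389 DS CSN into its four fields."""
    text = text.strip().lower()
    if len(text) != 20 or set(text) - set("0123456789abcdef"):
        raise ValueError(f"not a 20-hex-digit CSN: {text!r}")
    return CSN(int(text[0:8], 16), int(text[8:12], 16),
               int(text[12:16], 16), int(text[16:20], 16))


def missing_csns(log_text: str) -> List[CSN]:
    """Pull every CSN named in a "Can't locate CSN" error out of an errors log."""
    return [parse_csn(m.group(1)) for m in CSN_RE.finditer(log_text)]


def age_days(csn: CSN, as_of: str) -> float:
    """Age of the change the CSN refers to, in days, as of an ISO date (YYYY-MM-DD, UTC)."""
    d = datetime.date.fromisoformat(as_of)
    now = datetime.datetime(d.year, d.month, d.day, tzinfo=datetime.timezone.utc)
    return (now - csn.when()).total_seconds() / 86400.0


if __name__ == "__main__":
    for csn in missing_csns(SAMPLE_ERRORS_LOG):
        print(csn, csn.when().isoformat(),
              f"replica {csn.replica_id}, {age_days(csn, '2009-03-24'):.0f} days old")
```

Here the CSN decodes to a change originated by replica ID 2 on 2008-10-14, about five months before the error was logged. The changelog is trimmed by `nsslapd-changelogmaxage` and `nsslapd-changelogmaxentries` on `cn=changelog5,cn=config`, so a consumer that was out of contact for longer than that window cannot be caught up incrementally, which is what the "may need to be reinitialized" message is saying; comparing the decoded age with those settings is the first check to make before deciding on a reinitialization.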
[Fedora-directory-users] quickie on basics - another instance of directory server
by lejeczek
dear all,
I'm (a newcomer) not sure I got the hang of setup-ds-admin.pl.
My understanding is:
every box/machine hosting an idm_console-manageable Directory Server
instance needs an Administration Server installed on this/the same box;
this Administration Server can manage many Directory Server instances
installed on this same box, right?
If I'm right about the above, what am I doing wrong when setup-ds-admin.pl
is run a second time to set up SERV_2, for which
SERV_1 (from the first setup-ds-admin run) would be the Configuration Directory Server?
Simple set-up, right: I let the installation know about ldap:// to SERV_1, etc.,
then it asks for the Administration Server port - standard 9830, right?
Next I run idm console and there is only the newly created SERV_2; SERV_1 is gone?
P.S. It's F10; do you have problems creating new instances directly from
the idm console too?
a little light someone can shed on it for me?
cheers
lejeczek
[Fedora-directory-users] idm console connect to admin serv but in...
by lejeczek
... in the console itself the admin server appears to be using a different port than
the one the console connects to??
And it shows up as 'stopped'; I checked it in local.conf and admin.conf and...
but if it were as it seems, the console should not be able to connect in the
first place, right?
So where to look, what to search for?
cheers