which user must have access to /var/run/dirsrv ?
by dima vasiletc
Hello
When I try to start dirsrv I get an error:
Failed to delete old semaphore for stats file
(/var/run/dirsrv/slapd-MY-DOMAIN-COM.stats). Error 13 (Permission denied).
but access for the dirsrv user is permitted.
also
--
Best regards, Дмитрий
14 years, 10 months
Re: [389-users] which user must have access to /var/run/dirsrv ?
by Rich Megginson
----- "dima vasiletc" <pronix.service(a)gmail.com> wrote:
> On 06/15/2009 07:53 PM, Richard Megginson wrote:
> > ls -al /var/run/dirsrv
> >
>
> drwxrwxrwx 2 dirsrv nobody 4096 2009-06-15 10:21 .
> drwxr-xr-x 31 root root 4096 2009-06-15 10:21 ..
> -rw-r--r-- 1 dirsrv dirsrv 6 2009-06-15 10:21 slapd-MYDOMAIN-COM.startpid
> -rw-r--r-- 1 dirsrv dirsrv 2072 2009-06-15 10:07 slapd-MYDOMAIN-COM.stats
I'm not sure what's going on - what's the output of /usr/lib/dirsrv/slapd-MYDOMAIN-COM/start-slapd -d 1 ?
>
> --
> Best regards, Дмитрий
>
> --
> 389 users mailing list
> 389-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
14 years, 10 months
Developing a CentOS-DS setup
by Doug Coats
I am new to using CentOS-DS and LDAP and I am having difficulty
finding solid information on setting up using CentOS-DS as the
information and authentication center of my network.
I have googled a number of different combinations looking for the
information I need but have not found any good resources to setup what
I am after. I have downloaded and am going over the Red Hat
documentation and where it is very informative it certainly is not a
Howto.
My biggest need for resources is in setting up the authentication of
different services and LDAP.
I am using CentOS 5.3 and CentOS-DS 8.1. These I have installed and
running on a test server.
I would like to accomplish the following things in this order.
Linux authentication
Samba authentication
Dovecot authentication
So my questions to begin with are: How do I get Linux to use LDAP to
authenticate instead of the passwd and shadow files?
Once I get that to work: How do I get Linux to do the normal things
it does with adduser (like create a home directory, create a group,
and things I can't think of)?
If anyone could push me in the right direction I would really appreciate it.
14 years, 10 months
New to FDS, need some assistance with DIT configuration
by David Christensen
I am a little more familiar with OpenLDAP than I am with FDS, so some of
the FDS configuration is familiar, however I am stuck with how to
implement access controls for all the servers I manage etc. As of right
now if you are authenticated by FDS you have access to every resource
that uses FDS for authentication.
Research indicates that I need to have all the objects I want to manage
in FDS and I need to use PAM with a modified ldap.conf file for each server.
What is the best way to implement privileges using FDS, listing allowed
hosts for each user or allowed users for each host, and how do I create
the entries in FDS for both conditions?
Thanks in advance for the help.
14 years, 10 months
loss of group members in AD after initialization of sync
by jean-Noël Chardron
hello,
When I initiate a first full synchronization of DS and AD I lost members
in groups
error log shows :
[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching
AD entry [CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
[c0e73a492ffbc04c9e85781a68f45023]
[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:00:07 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [SFC]
[...]
[10/Jun/2009:15:00:11 +0200] - Windows sync entry: Adding new local
entry dn: cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: groupofuniquenames
objectClass: ntGroup
ntGroupDeleteGroup: true
cn: SFC
description: Service Financier et Comptable
uniqueMember: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15,
dc=cnrs, dc=
fr
uniqueMember:[...]
follow 10 members
[...]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - received entry from
dirsync: CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching
AD entry [CN=MX,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
[0cdf6e627d64684cb10c70b3b8753fda]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid [MX]
[10/Jun/2009:15:00:24 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:15:00:24 +0200] - Windows sync entry: Adding new local
entry dn: uid=MX,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: MX
sn: MX
givenName: Guillaume
cn: MX
ntUserCodePage: 0
ntUserAcctExpires: 0
ntUserDomainId: MX
mail: Guillaume.MX(a)dr15.cnrs.fr
ntUniqueId: 0cdf6e627d64684cb10c70b3b8753fda
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): windows_process_total_entry: Looking
dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" (ours)
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS
dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr"
guid="c0e73a492ffbc04c9e85781a68f45023"
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS
dn="cn=SFC,OU=groupes,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr" username="SFC"
[10/Jun/2009:15:01:34 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2
messages, 1 entries, 0 references
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_outbound: found AD entry
dn="CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
[10/Jun/2009:15:01:34 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:34 +0200] - windows_search_entry: recieved 2
messages, 1 entries, 0 references
[10/Jun/2009:15:01:34 +0200] NSMMReplicationPlugin -
windows_generate_update_mods:
CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, description :
values are equal
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for uid=
[follow 10 entries,]
[10/Jun/2009:15:01:35 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2
messages, 1 entries, 0 references
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching
AD entry [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
[72a7171ffaa0d84a9ca4ec2d90a4ab2b]
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
[essaibug]
[10/Jun/2009:15:01:35 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:15:01:35 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:01:35 +0200] - windows_search_entry: recieved 2
messages, 1 entries, 0 references
[10/Jun/2009:15:01:38 +0200] NSMMReplicationPlugin -
windows_generate_update_mods:
CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr, sAMAccountName :
values are equal
[10/Jun/2009:15:01:38 +0200] - smod - windows sync
[10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 0 - value: member:
CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:38 +0200] - smod 1 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 1 - value: member:
[follow the 10 entries]
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin -
windows_update_remote_entry: modifying entry
CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): Received result code 0 () for modify operation
[10/Jun/2009:15:01:55 +0200] - map_dn_values: no local entry found for
uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - received entry from
dirsync: CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching
AD entry [CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
[72a7171ffaa0d84a9ca4ec2d90a4ab2b]
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
[essaibug]
[10/Jun/2009:15:05:51 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:15:05:52 +0200] - Windows sync entry: Adding new local
entry dn: uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: essaibug
sn: essaibug
cn: essaibug
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: essaibug
ntUniqueId: 72a7171ffaa0d84a9ca4ec2d90a4ab2b
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS
dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr"
guid="72a7171ffaa0d84a9ca4ec2d90a4ab2b"
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_outbound: looking for AD entry for DS
dn="uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr"
username="essaibug"
[10/Jun/2009:15:07:13 +0200] - Calling windows entry search request plugin
[10/Jun/2009:15:07:13 +0200] - windows_search_entry: recieved 2
messages, 1 entries, 0 references
[10/Jun/2009:15:07:13 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_outbound: found AD entry
dn="CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr"
(following the translation of google)
I suppose that during the initialization of the replication, groups have
lost members (group sfc) with the logs in order explicit removal of the
member in the group, sent by the DS to AD. The most likely explanation
and that the process is sequential but with a dispatch from AD to
DS-anarchic, with a group can be created before members in DS users.
these are leading to a later stage in a request for suppression AD DS
to members of the group that did not exist before the creation of the
group. This is "normal" since DS checks the consistency of information
and therefore the group members. The solution to this problem is to
create manually in the AD to add the lost members in the group or may be
to initialize sync twice in a closed time.
The administrator of the Windows server and the AD insulted me as a
result of this blunder.
I asked him if he had a backup of the AD. He had not.
--
Jean-Noel Chardron
14 years, 10 months
recovery manager password
by Kỳ Anh, Huỳnh
Hello all,
I manage a server which has had FDS installed since 2005. No one here can remember the rootdn or password to manage the server.
How to recover the rootdn and root password of FDS?
Thank you for your replies.
--
Ky Anh, Huynh
Homepage: http://viettug.org/
14 years, 10 months
Fail to sync with active directory
by jean-Noël Chardron
hello,
I tried to sync the FDS with Active Directory; I followed the
instructions read in http://www.linuxmail.info/ad-fds-sync-howto/
except that I created a branch dc=ad and ou=DR15 (organizational unit)
(and 2 databases under the root suffix dc=dr15,dc=cnrs,dc=fr)
the FDS is version 1.2.0 and I upgraded this morning from Fedora 10 to
Fedora 11
I try to synchronise with these parameters:
DS host : aragon.dr15.cnrs.fr , port 389
Windows host : zebigbos.ad.dr15.cnrs.fr , port 636
DS subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
Windows Subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
Replicated Subtree : ou=DR15,dc=ad,dc=dr15,dc=cnrs,dc=fr
I activated the error log (replication level) and I get many lines.
I extract a few below:
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - received entry from
dirsync: CN=Chardron,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry matching
AD entry [CN=Chardron,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr]
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by guid
[c107390bd3669f4ca8b074de2af86397]
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for guid: -1
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: looking for local entry by uid
[chardron]
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): map_entry_dn_inbound: problem looking for username: -1
[10/Jun/2009:12:45:26 +0200] - Windows sync entry: Adding new local
entry dn: uid=chardron,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetOrgPerson
objectClass: ntUser
ntUserDeleteAccount: true
uid: chardron
sn: Chardron
postalCode: 33402
physicalDeliveryOfficeName:: bsKwIDIxMg==
telephoneNumber: 05.57.35.58.41
givenName: Jean-Noel
initials: jnc
cn: Chardron
ntUserCodePage: 0
ntUserAcctExpires: 9223372036854775807
ntUserDomainId: chardron
mail: Jean-Noel.Chardron(a)dr15.cnrs.fr
ntUniqueId: c107390bd3669f4ca8b074de2af86397
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - add operation of
entry uid=chardron,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
returned: 32
So it fails, but why, and what is the error code "32"?
Previously yesterday evening when I tried with Fedora 10 I got the
return code "10" however I forgot the parameters used.
--
Jean-Noel Chardron
14 years, 10 months
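Added example (not from either post above and not 389 DS project code): a small audit of a replication-level error log that rejoins the mail-wrapped records, lists `member` deletions that Windows Sync pushed to AD (the "loss of group members" post), and decodes the result code of failed local adds (the "Fail to sync" post). The function names `records` and `audit` are hypothetical, the sample log is constructed from lines quoted in those two posts, and the result-code names are the RFC 4511 ones.

```python
import re

# Constructed sample, assembled from wrapped log lines quoted in the two posts.
SAMPLE_LOG = """\
[10/Jun/2009:15:01:35 +0200] - map_dn_values: no local entry found for
uid=essaibug,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
[10/Jun/2009:15:01:38 +0200] - smod - windows sync
[10/Jun/2009:15:01:38 +0200] - smod 0 - delete: member
[10/Jun/2009:15:01:38 +0200] - smod 0 - value: member:
CN=essaibug,OU=utilisateurs,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin -
windows_update_remote_entry: modifying entry
CN=SFC,OU=groupes,OU=DR15,DC=ad,DC=dr15,DC=cnrs,DC=fr
[10/Jun/2009:15:01:39 +0200] NSMMReplicationPlugin - agmt="cn=zebigbos"
(zebigbos:636): Received result code 0 () for modify operation
[10/Jun/2009:12:45:26 +0200] NSMMReplicationPlugin - add operation of
entry uid=chardron,OU=utilisateurs,ou=DR15,dc=ad,dc=dr15, dc=cnrs, dc=fr
returned: 32
"""

# A record starts at a timestamp; a bare '[' may just be a wrapped GUID or uid.
STAMP = re.compile(r"^\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ")
# Subset of LDAP result codes (RFC 4511).
RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject",
                53: "unwillingToPerform", 68: "entryAlreadyExists"}

def records(text):
    """Rejoin mail-wrapped lines into one string per log record."""
    recs = []
    for line in text.splitlines():
        if STAMP.match(line):
            recs.append(line.strip())
        elif recs and line.strip():
            recs[-1] += " " + line.strip()
    return recs

def audit(text):
    """Return (member deletions pushed to AD, failed local adds)."""
    deletions, failed_adds, pending, op = [], [], [], None
    for rec in records(text):
        ts = rec[1:21]  # dd/Mon/yyyy:HH:MM:SS
        if m := re.search(r"smod \d+ - value: \w+: *(.+)", rec):
            if op == ("delete", "member"):
                pending.append(m.group(1))
        elif m := re.search(r"smod \d+ - (\w+): (\w+)", rec):
            op = m.groups()
        elif m := re.search(r"windows_update_remote_entry: modifying entry (.+)", rec):
            deletions += [{"time": ts, "group": m.group(1), "member": v} for v in pending]
            pending, op = [], None
        elif m := re.search(r"add operation of entry (.+) returned: (\d+)", rec):
            code = int(m.group(2))
            failed_adds.append({"time": ts, "dn": m.group(1), "code": code,
                                "name": RESULT_CODES.get(code, "unknown")})
    return deletions, failed_adds

if __name__ == "__main__":
    for kind, rows in zip(("member deleted in AD", "local add failed"), audit(SAMPLE_LOG)):
        for row in rows:
            print(kind, row)
```

Running it against the error log of a test agreement before initializing sync on a production AD shows which group memberships the sync would remove.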
error: failed to install local copy of fedora-ds-1.1.jar
by lejeczek
hi everybody,
error is from idm console, rpms are as follows:
fedora-ds-base-1.2.0-4.fc9.x86_64
fedora-ds-dsgw-1.1.2-1.fc9.x86_64
fedora-ds-base-devel-1.2.0-4.fc9.x86_64
fedora-ds-console-1.2.0-1.fc9.noarch
fedora-ds-admin-1.1.7-3.fc9.x86_64
fedora-ds-admin-console-1.1.3-1.fc9.noarch
and yet, even if I delete ~/.fedora-idm-console and start console, I can
connect to admin servers but not do ds
and when above folder gets created anew after manual deletion files
actually copied from, I guess, /usr/share/dirsrv/html/java/
and not linked as they used to be, linking would be better - not?
and this numbering versions nomenclature is a bit messy, there in
~/.fedo... should be fedora-{ds,admin} linked to
correct versions in /usr/share/dirsrv/html/java/
so my call for help is - what is missing, I rpm'ed above packages but it
did not help
I can copy files by hand but I expect it to work out of box - no?
cheers everybody
14 years, 10 months
DSA unwilling to process update / Viewing contents of replication updates
by Chris Phillips
Hi,
I've a cluster of boxes with replication from two multimasters to 6 read
only replicas. There appears to be a problem in the replication in that the
error logs state that the DSA is unwilling to process updates for a specific
user account, so the replication status in the idm just stays at saying it
started rather than completed. I could just delete the account and recreate
it, but as it's unfortunately *my* account (and is in this state *possibly*
because I was messing with the resetpasswordretrytime field (or something
very similarly named) which I get the impression is treated differently to
other fields) I'd like to avoid deleting the account.
To this end I'm hoping a suitable solution is to remove whatever the change
is that is trying to be pushed across, but I can't see any way with SSL
replication to see what the actual attributes it doesn't like are. Any way
to pull this straight out with ldapsearch or something? Any tips for
elegantly troubleshooting this in a heavily locked down environment would be
appreciated.
Thanks
Chris
14 years, 10 months
Problem to create a root entry
by jean-Noël Chardron
hello,
On a fresh install of a 389 directory server on fedora 10, I tried to
create a root entry as described in the book Administration of Redhat
Directory Server
I tried some possibilities with the directory console or command line; the
behavior is hazardous:
on the command line I tried this below, but the branch dc=ad,... doesn't
appear in the directory console
[root@aragon db]# ldapmodify -a -x -D "cn=directory manager" -w secret
dn: cn=adData,cn=ldbm database,cn=plugins,cn=config
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: dc=ad,dc=dr15,dc=cnrs,dc=fr
adding new entry "cn=adData,cn=ldbm database,cn=plugins,cn=config"
dn: cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr"
nsslapd-backend: adData
cn: dc=ad,dc=dr15,dc=cnrs,dc=fr
adding new entry "cn="dc=ad,dc=dr15,dc=cnrs,dc=fr",cn=mapping
tree,cn=config"
but the branch dc=ad,dr=15,dc=cnrs,dc=fr doesn't appear in the directory
console
If I omit the parent (nsslapd-parent-suffix: "dc=dr15,dc=cnrs,dc=fr")
and I create an independent branch, the new root suffix
(dc=ad,dc=dr15,dc=cnrs,dc=fr) appears in the directory console but in the
tab "directory" I cannot
create the new root Object
In fact my original problem is that I am never able to create a new root
object in the Directory under the root suffix dc=dr15,dc=cnrs,dc=fr even
after creating the database. In the directory console the link 'New Root
Object' is not active, so I cannot create the root object
"dc=ad,dc=dr15,dc=cnrs,dc=fr"
Can somebody tell me what is wrong or misconfigured?
Thanks
jnc
14 years, 10 months