Add attributes to user objects.
by Techie
Hello,
I want to associate servers to user objects in my directory using
attributes that contain the server names. I want to do this so I can query
the directory based on the attributes.
In the end I would like to map drives based upon an attribute that
contains a server name, or at least gather the needed server names by
searching the user.
So for example I have an existing user object:
dn: uid=test_user,dc=example,dc=com
title: test account
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: shadowaccount
homeDirectory: /export/home/test_user
gidNumber: 1000
uidNumber: 1000
loginShell: /bin/bash
sn: user
cn: test_user
st: Wyoming
mail: a(a)a.com
givenName: test
description: test user
uid: test_user
Now I have many users with drives on different servers based upon
their geographic location. I would like to add the server names to the
user object using an attribute. For example server1: mp3server,
server2: mp4server. With the object classes I have, I do not see an
attribute that I can use that jumps out at me.
What attribute can I use without having to extend the schema? Is there
an ext_attribute like Active Directory uses?
I am looking into the schema now but perhaps someone has already done this.
The account would look something like below with the server1 and
server2 attributes. I understand I would need to create an objectClass
if I cannot find existing attributes, but I hope to avoid that. There
have got to be some auxiliary attributes I can use, right?
dn: uid=test_user,dc=example,dc=com
title: test account
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: shadowaccount
homeDirectory: /export/home/test_user
gidNumber: 1000
uidNumber: 1000
loginShell: /bin/bash
sn: user
cn: test_user
st: Wyoming
mail: a(a)a.com
givenName: test
description: test user
uid: test_user
server1: mp3server
server2: mp4server
14 years, 9 months
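As an added example (not code from the original post), the following script parses the LDIF entries shown above and reports which attributes the entry's declared objectClasses do not permit. That is the check a schema-enforcing directory server performs on an add or modify, and it is why a server1/server2 attribute cannot simply be appended to the entry without a schema change. The attribute table is a hand-written subset of the standard MUST/MAY lists for these objectClasses and is an assumption of the example, not the server's actual schema.

```python
"""Added example, not code from the original post: parse the LDIF entries
from the thread and report which attributes the entry's objectClasses do
not permit (what a schema-checking server rejects as an objectClass
violation)."""

# Constructed SUBSET of the standard MUST+MAY attribute lists for the
# objectClasses in the thread (RFC 2256 person/organizationalPerson,
# RFC 2798 inetOrgPerson, RFC 2307 posixAccount/shadowAccount).
# This is an assumption of the example, not the server's real schema.
SCHEMA = {
    "top": {"objectclass"},
    "person": {"sn", "cn", "userpassword", "telephonenumber", "seealso",
               "description"},
    "organizationalperson": {"title", "st", "l", "ou", "street", "postalcode",
                             "postaladdress", "telephonenumber",
                             "facsimiletelephonenumber"},
    "inetorgperson": {"uid", "mail", "givenname", "displayname",
                      "employeenumber", "employeetype", "departmentnumber",
                      "mobile", "roomnumber", "manager", "labeleduri",
                      "preferredlanguage"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "userpassword", "loginshell", "gecos", "description"},
    "shadowaccount": {"uid", "userpassword", "shadowlastchange", "shadowmin",
                      "shadowmax", "shadowwarning", "shadowinactive",
                      "shadowexpire", "shadowflag", "description"},
}

# The entry as posted in the thread (mail value copied as shown there),
# before and after the wished-for server1/server2 attributes.
ENTRY_BEFORE = """\
dn: uid=test_user,dc=example,dc=com
title: test account
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: shadowaccount
homeDirectory: /export/home/test_user
gidNumber: 1000
uidNumber: 1000
loginShell: /bin/bash
sn: user
cn: test_user
st: Wyoming
mail: a(a)a.com
givenName: test
description: test user
uid: test_user
"""
ENTRY_AFTER = ENTRY_BEFORE + "server1: mp3server\nserver2: mp4server\n"


def parse_ldif(text):
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.
    Folded continuation lines (leading space) are joined onto the previous
    line; comments and blank lines are skipped. Base64 ("::") values are
    kept as-is, not decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def unknown_attributes(entry, schema=SCHEMA):
    """Attributes present in the entry that none of its objectClasses allow.
    'dn' names the entry and is not an attribute, so it is skipped."""
    allowed = set()
    for oc in entry.get("objectclass", []):
        allowed |= schema.get(oc.lower(), set())
    return sorted(a for a in entry if a != "dn" and a not in allowed)


if __name__ == "__main__":
    for label, text in (("before", ENTRY_BEFORE), ("after", ENTRY_AFTER)):
        bad = unknown_attributes(parse_ldif(text))
        print(label + ": " + ("schema OK" if not bad
                              else "not in schema: " + ", ".join(bad)))
```

The attributes the script flags for the second entry are exactly the ones that would need a schema extension (or an additional objectClass that carries them) before a server with schema checking enabled accepts the entry; the first entry passes because every attribute is covered by one of its six objectClasses.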
Conflicting documentation for RHEL/CentOS 5.x configuration
by Eric B.
Hi,
I'm not sure if I am posting this in the right place, so if this belongs
more on another list, please let me know.
I am trying to get Autofs configured to use LDAP on CentOS 5.3, but am
running into an inconsistency. On CentOS 5.3, the openldap server is
installed with an extra schema/redhat/autofs.schema file. From what I can
tell, that schema file seems to follow RFC2307bis. In the schema, it uses
cn and ou. However, in all docs I can find for RHEL5, everything indicates
that I should be using automountMapName and automountKey as the Map
attribute and the Entry Attribute.
I am very confused. Which is the "right" one to use? If I follow the RHEL
docs and tell autofs to use MAP_ATTRIBUTE as automountMapName, then I can't
use the schema that is distributed with CentOS5.3.
Should I be using the schema that is distributed with the RHEL/CentOS
openldap package, or is there another one that I should be using instead?
Right now, the openldap-servers package that is installed is
openldap-servers-2.3.43-3.el5.
Thanks,
Eric
14 years, 9 months
installation - LDAP connection error
by Arun Shrimali
Dear All,
I am planning to set up FDS (389) (FDS 1.1.3-1.FC11) on Fedora 11. I
have followed the installation process, which went fairly well, but during
setup I got the following error:
the interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'reso' was successfully created.
Creating the configuration directory server . . .
Error: failed to open an LDAP connection to host 'data.resobank.net'
port '52060' as user 'cn=Directory Manager'. Error: unknown.
Failed to create the configuration directory server
Exiting . . .
Log file is '/tmp/setupJVTstI.log'
Can anybody help me? Where is the problem, and how do I resolve it?
Arun
14 years, 9 months
Re-enable or move NetscapeRoot
by Andrew Kerr
We are running Fedora DS 1.0.4. We have two servers doing master-master
on NetscapeRoot and our user root. The machine that was the original
master needs to be shut down. In preparation for its decommission I
changed the user root to just a consumer, and I disabled NetscapeRoot.
I am now unable to run the console on the remaining master, since it
apparently is still trying to connect to the old machine's NetscapeRoot.
How can I either re-enable NetscapeRoot on that old machine, or better
yet have the console connect to the other master? When I start the
console I give it the administration URL of the new server, and I
thought that was enough - but it isn't.
Thanks in advance.
14 years, 9 months
Recover after installing a bad cert.
by Dumbo Q
I just installed a new SSL certificate using pk12util. I restarted my dirsrv, and picked the new cert in the dropdown menu under the encryption tab. I restarted dirsrv to make it take effect. When I did this, I found that the root certificate was not in Red Hat's/OpenSSL's ca-bundle. I tried importing the intermediate certificate, and I think I just made the problem worse.
Right now I'm getting the following.
SSL alert: CERT_VerifyCertificateNow: verify certificate failed for cert rhds.example.com - Comodo CA Limited of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8179 - Peer's Certificate issuer is not recognized.)
[08/Jul/2009:14:18:04 -0400] - SSL failure: None of the cipher are valid
Now my directory is down completely. How can I get it to start up without SSL so that I can fix the problem?
14 years, 9 months
Re: [389-users] Migration from OpenLDAP and PassSync with AD
by Prashanth Sundaram
Elaborating the questions:
Question 1: Since we have an existing LDAP server (OpenLDAP) and users were
logging in to other dev, prod and testing servers using the passwords
managed by this OpenLDAP server. I believe the way the member servers
remember the user credentials is by assigning each user a unique
security ID (please correct me if I am wrong). If that gets lost in
migration, then my users' permissions will have to be re-assigned from
scratch (pain for sysadmins).
So my question was, will the users be able to log in to member servers after
migrating to FDS and still have the same permissions and home directory folder,
with everything looking the same, without panicking about any missing
permissions or files?
Question 2.1: What will happen to the passwords that are different on the FDS
and AD before the sync? I do not want the passwords to be reset on FDS or AD
after the 1st sync, but only future password changes to be synced to FDS and AD
and vice versa.
Question 2.1: I was working with Windows before and noticed that Windows
saves users with a unique ID. If that is lost or recreated, the previous
permissions will no longer hold true for the user, even though the username
is the same. Is it the same in a Unix environment? Say I delete a user account
from FDS and a day later I re-create the ID; will the permissions stay
intact?
Thanks,
Prashanth
https://www.redhat.com/archives/fedora-directory-users/2009-July/msg00013.html
> On 07/09/2009 07:19 AM, Prashanth Sundaram wrote:
>> Dear fellow Fedora DS users and experts,
>>
>> I am working on this new project where there is a two step process. We are
>> currently using a poorly managed OpenLDAP server for over 3 years and
>> planning to migrate to Fedora DS.
>>
>> Scenario: OpenLDAP=====Migrate all users and passwords===> Fedora DS
>> <----------PassSync------->Windows AD
>>
>> Question1: Is it possible to migrate current users (around 300 users) from
>> OpenLDAP to Fedora DS along with the UIDs, security ID and passwords, so that
>> everything looks the same from the users' perspective?
>>
> It depends on the schema that is used, but this should be a case of
> exporting from OpenLDAP and importing to 389.
>> Question2: Is it possible to create a password sync between FDS and AD for
>> all the above users? Yes, the username is the same in both directories.
>>
> Yes, you can sync passwords. A number of other common attributes are
> synchronized as well. These attributes are listed in the Red Hat
> Directory Server Administrator's Guide.
>> Question2.1: The users are stored with different Security
>> IDs in windows environment than in OpenLDAP or FDS. Will that pose a
>> problem?
>>
> I'm not sure what LDAP attribute you are referring to as the "Security
> ID", so I can't say if this will be a problem.
>>
>> Question2.2: We have several domain controllers and Active
>> Directory servers which run in sync. Since PassSync can only run on one
>> server, will it be a problem that some passwords do not get synced because the
>> user changed it on XP which redirected to another server (without
>> PassSync)?
>>
> You need to run the PassSync service on all domain controllers. It's
> the synchronization agreement that you set up on the 389 side that can
> only point to one domain controller.
>> If any of you has gone through these issues and anything more, please respond
>> to this thread or give me links.
>>
>> Thanks for your help and patience.
>> Prashanth
14 years, 9 months
Migration from OpenLDAP and Sync with AD
by Prashanth Sundaram
Dear fellow Fedora DS users and experts,
I am working on this new project where there is a two step process. We are
currently using a poorly managed OpenLDAP server for over 3 years and
planning to migrate to Fedora DS.
Scenario: OpenLDAP=====Migrate all users and passwords===> Fedora DS
<----------PassSync------->Windows AD
Question 1: Is it possible to migrate current users (around 300 users) from
OpenLDAP to Fedora DS along with the UIDs, security ID and passwords, so that
everything looks the same from the users' perspective?
Question 2: Is it possible to create a password sync between FDS and AD for
all the above users? Yes, the username is the same in both directories.
Question 2.1: The users are stored with different security
IDs in the Windows environment than in OpenLDAP or FDS. Will that pose a
problem?
Question 2.2: We have several domain controllers and Active
Directory servers which run in sync. Since PassSync can only run on one
server, will it be a problem that some passwords do not get synced because the
user changed it on XP which redirected to another server (without
PassSync)?
If any of you has gone through these issues and anything more, please respond
to this thread or give me links.
Thanks for your help and patience.
Prashanth
14 years, 9 months
Password sync
by jean-Noël Chardron
Hello,
I have a network with two Windows 2000 servers; I suppose one is master
(or primary) and one is secondary - I don't know exactly the vocabulary
of Windows. The AD is "replicated" over the two Windows servers.
I installed synchronization between the FDS server and the AD on a host
(say the Windows-1 server), with a replication agreement,
then I installed the password sync on the Windows-1 host.
All is OK when the password is changed on the Windows-1 server: the
password is synchronized to the FDS.
Now when a user changes his password on a Windows XP station in the AD
(the operation is CTRL+ALT+DEL then change password), the password is
not necessarily synced to the FDS.
My hypothesis: it seems it depends on which Windows server the
password has been changed on. Sometimes the password is synced when, I
suppose, the Windows1 server answers the request to change the
password, but when the Windows2 server answers, then the password is not
synced.
Is my hypothesis correct?
Can I install the password sync program on the other Windows2 server
even if the replication agreement is between FDS and the Windows1 server?
What will the behavior be?
Thanks
--
Jean-Noel Chardron
14 years, 9 months
Re: [Attachement suspect] Re: [389-users] Directory server : search problem with wildcard
by Paul Lemoine
I have tested a bigger value for the idlistscanlimit (10*4000 = 40000)
and the search problem disappeared.
Thank you, everyone.
Now I wonder what its value should be for a directory which intends to
reach 3 000 000 inetOrgPerson entries?
Is there a rule between idlistscanlimit and the number of entries?
Thank you
Regards
Paul.
Rich Megginson wrote:
> Paul Lemoine wrote:
>> Hi,
>>
>> I have a search problem with Fedora DS 1.1.3.
>> My directory has an extended schema on the objectClass
>> "inetOrgPerson". It contains 350000 inetOrgPerson objects.
>> When I perform a search with that kind of filter, (cn=smith*) or
>> (uid=25698*), the response comes 1 minute later with an error code 11.
> How many entries match cn=smith*? uid=25698*? I think the problem is
> the idlistscanlimit as mentioned by another poster.
>> Indexes on cn and uid attribute are on equality, presence and
>> substring. I have recreated (plus reindexed) this attribute.
>> I put the look-through-limit to infinity, so I don't have the
>> error code 11 anymore, but I have to wait a very long time for the response.
>> In the log, I found "etime=77 notes=U" which means that the search
>> does not use the indexes.
>>
>> I have done the same requests with a "native" schema: it works
>> perfectly. So, it is my extended schema which causes the problem.
>> Can the Fedora DS (or 389 DS) deal with extended schema ?
>>
>> Has anybody met this problem? Is there a solution for forcing FDS
>> to use the indexes?
>>
>> Regards
>> Thank you
>> Paul.
14 years, 9 months
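The thread above turns on a detail of the 389 DS access log: a search whose RESULT line carries "notes=U" was executed without a usable index, which is what Paul saw as "etime=77 notes=U". As an added example that is not part of Paul's or Rich's messages, the script below pairs SRCH and RESULT lines by connection and operation number, reports every unindexed search with its filter, error code and elapsed time, and tallies them by the filter's leading attribute so the attributes whose index or idlistscanlimit need attention stand out. The sample log lines are constructed in the access-log style for this example and are not real server output.

```python
"""Added example, not code from the thread: find unindexed searches
(RESULT lines flagged notes=U) in 389 DS access-log text and report them
with the filter from the matching SRCH line."""
import re
from collections import namedtuple

# Constructed sample lines in the style of the 389 DS access log.
# They are made up for this example and are not real server output.
SAMPLE_LOG = """\
[09/Jul/2009:10:01:12 -0400] conn=12 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(cn=smith*)" attrs=ALL
[09/Jul/2009:10:02:29 -0400] conn=12 op=3 RESULT err=11 tag=101 nentries=0 etime=77 notes=U
[09/Jul/2009:10:02:30 -0400] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="mail"
[09/Jul/2009:10:02:30 -0400] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[09/Jul/2009:10:03:02 -0400] conn=14 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=25698*)" attrs=ALL
[09/Jul/2009:10:03:50 -0400] conn=14 op=2 RESULT err=0 tag=101 nentries=40 etime=48 notes=U
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?nentries=(\d+) etime=(\d+)'
    r'(?: notes=([\w,]+))?')

Finding = namedtuple("Finding", "conn op filter err nentries etime notes")


def find_unindexed_searches(log_text, min_etime=0):
    """Pair SRCH and RESULT lines by (conn, op) and return a Finding for
    every RESULT flagged notes=U whose etime (seconds) is >= min_etime."""
    pending = {}   # (conn, op) -> filter of a SRCH not yet answered
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        # notes may hold several comma-separated flags; U = unindexed
        notes = (m.group(6) or "").split(",")
        filt = pending.pop(key, "?")
        if "U" in notes and int(m.group(5)) >= min_etime:
            findings.append(Finding(key[0], key[1], filt, int(m.group(3)),
                                    int(m.group(4)), int(m.group(5)),
                                    m.group(6)))
    return findings


def unindexed_filters_by_attribute(findings):
    """Count unindexed searches per first attribute named in the filter,
    e.g. {'cn': 1, 'uid': 1}, to show which attributes need attention."""
    counts = {}
    for f in findings:
        m = re.search(r'\(([A-Za-z][\w;.-]*)=', f.filter)
        attr = m.group(1).lower() if m else "?"
        counts[attr] = counts.get(attr, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unindexed_searches(SAMPLE_LOG)
    for h in hits:
        print("conn=%s op=%s filter=%s err=%d nentries=%d etime=%ds"
              % (h.conn, h.op, h.filter, h.err, h.nentries, h.etime))
    print(unindexed_filters_by_attribute(hits))
```

Run against a real access log, the min_etime argument lets you ignore fast unindexed lookups on small sets and surface only the slow ones; the per-attribute tally is the quickest way to see whether the unindexed searches cluster on one attribute (as cn and uid did in the thread) or are spread across many.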