Migrating a Directory Server from 389-ds to FreeIPA
by Michael Kang
Dear Fedora Directory community,
I'm helping my PL migrate a Fedora Directory Server (storing employee info and
Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed it up from
the command line using the *db2bak* command-line script. I got two LDIF
files and two folders (userRoot and NetscapeRoot) which contain many db4
files.
After reading the FreeIPA Administrator Guide, I realized there are no
*db2bak* or *bak2db* commands for FreeIPA users. So I copied those LDIF files
and folders to /var/lib/dirsrv/<ds instance> directly. Then I ran *service
dirsrv restart*, and the dirsrv instance cannot start anymore. The instance
names of 389-ds and FreeIPA are different.
So I want to learn more about the 389-ds server. I ran *yum install 389-ds* on
Fedora 9 i386. I got the message: No package 389-ds available. My system is
already updated. What's the new name of the 389-ds package?
How can I finish this hard job? Has anybody ever migrated successfully? I
need your help.
Best Regards,
Michael
--
Michael Kang(康上明学)
There is a giant asleep within every man. When the giant awakens, miracles
happen.
Personal blog: http://ufusion.org - United Fusion
14 years, 7 months
Posix attributes plugin
by Prashanth Sundaram
Thanks Rich and everyone who helped me with this project. Thanks for being
patient and answering my questions :)
I have finally got my 389-ds working and meeting most of the requirements, but
there is this one last piece which would be great to have: a posix attributes
generator/sync.
So I was able to sync the users from AD and all the fields are populated
except the posix attributes. Is there a generator plugin that automatically
assigns the next uidNumber, default shell, default homedir etc. to newly
synced users?
Or is there a tool/configuration to sync posix attributes from AD? (I don't
yet maintain the posix attributes in AD, but if I have to then I will
export them for existing users.)
14 years, 7 months
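The question above asks for something that hands out the next uidNumber plus a default shell and home directory to users the AD sync created without POSIX attributes. As an added illustration (not code from the thread or from 389-ds), here is the core of such a generator over a constructed LDIF; the uid range, gid, shell and home prefix are assumed settings, and the one property it enforces is that a new number is never one an existing account already holds.

```python
"""Assign POSIX attributes to AD-synced users that still lack them. Added
example, not from the mailing list or 389-ds; LDIF, uid range, gid, shell and
home prefix are all constructed/assumed values."""
# Constructed sample: bob already has a uidNumber; alice and carol came from
# the AD sync with only inetOrgPerson attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10005

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
"""
def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries
def assign_posix(entries, uid_start=10000, gid=10000, shell="/bin/bash", home="/home"):
    """Fill posixAccount attributes for entries without a uidNumber. Numbers go
    strictly above the highest one already in use, so a synced user can never
    collide with an existing account; pre-existing duplicates are refused."""
    with_uid = [e for e in entries if "uidNumber" in e]
    used = {int(e["uidNumber"][0]) for e in with_uid}
    if len(used) != len(with_uid):
        raise ValueError("duplicate uidNumber values already present")
    next_uid = max(max(used, default=0), uid_start - 1) + 1
    for e in entries:
        if "uidNumber" in e:
            continue
        e["uidNumber"] = [str(next_uid)]
        e["gidNumber"] = [str(gid)]
        e["homeDirectory"] = [home + "/" + e["uid"][0]]
        e["loginShell"] = [shell]
        if "posixAccount" not in e["objectClass"]:
            e["objectClass"].append("posixAccount")
        next_uid += 1
    return entries
```

In a real deployment the allocation should live server-side (389-ds ships a DNA plugin for exactly this) so two concurrent syncs cannot pick the same number; the check for pre-existing duplicates is still worth running before trusting any allocator.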
389 upgrade
by Juan Asensio Sánchez
Hi
I am trying to upgrade some of our FDS servers. The test versions we
are using for the upgrade are (the same as on the production servers):
[root@fdsold ~]# rpm -qa | grep -i fedora
fedora-ds-dsgw-1.1.1-1.fc6
fedora-ds-1.1.2-1.fc6
fedora-ds-admin-1.1.2-2.fc6
fedora-ds-console-1.1.2-1.fc6
fedora-idm-console-1.1.0-5.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-admin-console-1.1.2-1.fc6
We have two test servers, with replication agreements between them,
and SSL configured for directory and console; 389 port is disabled.
Then we upgrade FDS/389 with this command (we do not want to upgrade
the full server):
yum upgrade 389-admin 389-admin-console 389-console 389-ds 389-ds-base 389-ds-console 389-dsgw
The upgrade is done correctly, then we run "setup-ds-admin.pl -u":
[root@fdsnew ~]# setup-ds-admin.pl -u
==============================================================================
The update option will allow you to re-register your servers with the
configuration directory server and update the information about your
servers that the console and admin server uses. You will need your
configuration directory server admin ID and password to continue.
Continue? [yes]:
==============================================================================
Please specify the information about your configuration directory
server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
protocol (ldap or ldaps) - this information should be provided in the
form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
security has not yet been configured - the file must be in PEM/ASCII
format - specify the absolute path and filename
Configuration directory server URL
[ldaps://fdsnew.sacyl.es:636/o=NetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [center2.sacyl.es]:
CA certificate filename: /etc/openldap/cacerts/cert-CA-cacert.pem
==============================================================================
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Registering the directory server instances with the configuration
directory server . . .
Beginning Admin Server reconfiguration . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Exiting . . .
Log file is '/tmp/setupwDn6B0.log'
And reboot... After that, when connecting with the console, we have
two entries for the directory server and two for the administration
server. One of each does not show the icon it should, and when I click
on it, it tries to download new jars, but it cannot. If I use the old
item for the administration console (the one that shows the icon), in the
encryption tab SSL is disabled, but before the upgrade it was
enabled; yet if I try to access the server with the browser, I must
use https (¿?). Why is SSL disabled? And if it is disabled, why must I
access it using https? Is there any step I haven't done?
Regards and thanks in advance.
14 years, 7 months
template scripts
by lejeczek
Dear all, a quickie:
Is it possible to manually (not via the GUI) make use of the template files
from script-templates, like
db2bak, db2ldif, and the perl scripts?
Basically what I'm trying to do is to take a backup, but the GUI console is broken
and no tasks have ever been set.
cheers
Pawel
14 years, 7 months
jar jar jar.. 389-console
by lejeczek
jar :) Dear all,
I've always had problems with missing/messy jars, particularly after
upgrades.
Does anybody know why, when I fire up 389-console clean and want to connect
to the dir or admin server, the console complains about not being able to find
fedora-ds and fedora-admin respectively?
There are no such files on the server; it's all 389*jar now, right?
Which one is it that says what jar should be used, the console or the admin server?
Where do I go to fix it? It's always felt to me like this part of fedora-ds
was wobbly.
cheers
Pawel
14 years, 7 months
Re: [389-users] PAM PTA partially working
by Prashanth Sundaram
Andrey,
Thanks for the info. It worked for me. :) Just another question: I want to
make the communication with AD secure. I read that AD is not SSL
compatible and supports startTLS. What security mechanism have you used in
your systems with AD?
http://www.directory.fedora.redhat.com/wiki?title=Server_To_Server_Conn&redirect=no
Hi,
You should not verify the users locally (there is a "no_user_check" to
add). The authoritative source of validation should be AD/Kerberos.
Here is the config that works for us:
auth sufficient /lib/security/pam_krb5.so no_user_check
account required /lib/security/pam_krb5.so no_user_check
14 years, 7 months
Re: [389-users] PAM PTA partially working
by Prashanth Sundaram
Rich,
Andrey's suggestion worked. Yes, I have enabled SSL in the Admin server and
Directory Server. But it still would fall back on the 389-ds password when
"pamsecure=TRUE". If I set pamsecure=FALSE, the authentication passed
through to the AD as intended.
How do I secure the communication between 389-ds and the LDAP server? I used
wireshark to capture packets, and it's all clear.
>
> To revisit, here's the observation: pamsecure when set to TRUE authenticates
> users only to the password in 389-ds, but when set to FALSE will
> authenticate to the AD password only if the uid exists in /etc/passwd.
>
That's really bizarre - the only place where pamSecure is used is here:
    if (cfg->pamptconfig_secure) { /* is a secure connection required? */
        int is_ssl = 0;
        slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
        if (!is_ssl) {
            slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                "<= connection not secure (secure connection required; check config)");
            return retcode;
        }
    }
That is, if pamSecure is true, requests will be rejected unless using
TLS/SSL. Do you have your directory server configured to use TLS/SSL when
using pamSecure: TRUE?
14 years, 7 months
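Rich's point above is that with pamSecure: TRUE the plugin only honours binds that arrived over TLS/SSL; a client that binds on the plain port is never passed through to AD. The following is an added example, not from the thread or from 389-ds, that picks such binds out of the access log so you can see which clients need to move to ldaps or STARTTLS. The log lines are constructed in the style of the 389-ds access log with made-up connection numbers, DNs and addresses, and the "conn=N SSL <cipher>" marker line is an assumption about what this version writes once a connection is encrypted.

```python
"""Find binds that reached 389-ds before the connection was TLS-protected.
Added example, not from the thread or from 389-ds. The log lines below are
constructed in the 389-ds access-log style; conn numbers, DNs and addresses
are made up, and the "conn=N SSL <cipher>" marker is assumed to be what this
version logs once a connection (LDAPS or STARTTLS) has been encrypted."""
import re

SAMPLE_ACCESS_LOG = """\
[21/Sep/2009:10:01:02 +0200] conn=12 fd=64 slot=64 connection from 10.1.1.5 to 10.1.1.9
[21/Sep/2009:10:01:02 +0200] conn=12 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[21/Sep/2009:10:01:02 +0200] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Sep/2009:10:01:05 +0200] conn=13 fd=65 slot=65 SSL connection from 10.1.1.6 to 10.1.1.9
[21/Sep/2009:10:01:05 +0200] conn=13 SSL 256-bit AES
[21/Sep/2009:10:01:05 +0200] conn=13 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[21/Sep/2009:10:01:05 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Sep/2009:10:01:09 +0200] conn=14 fd=66 slot=66 connection from 10.1.1.7 to 10.1.1.9
[21/Sep/2009:10:01:09 +0200] conn=14 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[21/Sep/2009:10:01:09 +0200] conn=14 SSL 256-bit AES
[21/Sep/2009:10:01:09 +0200] conn=14 op=1 BIND dn="uid=asmith,ou=People,dc=example,dc=com" method=128 version=3
[21/Sep/2009:10:01:12 +0200] conn=15 fd=67 slot=67 connection from 10.1.1.8 to 10.1.1.9
[21/Sep/2009:10:01:12 +0200] conn=15 op=0 BIND dn="" method=128 version=3
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
TLS_RE = re.compile(r'conn=(\d+) (?:SSL|TLS\S*) \d+-bit')

def insecure_binds(log_text):
    """Return (conn, dn) for each non-anonymous BIND that arrived before its
    connection had negotiated TLS. With pamSecure: TRUE these are exactly the
    binds the PAM pass-through plugin refuses to forward, so the client is
    checked against the local 389-ds password (or rejected) instead of AD."""
    secure = set()   # connection ids that have completed a TLS handshake
    found = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:        # handshake done: later binds on this conn are protected
            secure.add(m.group(1))
            continue
        m = BIND_RE.search(line)
        if m and m.group(2) and m.group(1) not in secure:
            found.append((m.group(1), m.group(2)))
    return found
```

Anonymous binds (empty DN) are skipped because they never reach the pass-through plugin; a STARTTLS connection is only counted as protected from the marker line onward, so a bind sent before the extended operation completes is still reported.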
Problems starting dirsrv-admin
by Juan Asensio Sánchez
Hi
For some time I have been having trouble starting dirsrv-admin. It worked
fine, but now it doesn't start. When I run /etc/init.d/dirsrv-admin
start, the process hangs, and after 10 minutes I get this error:
[root@XXXXXX ~]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:
*** Error: dirsrv-admin failed to start [FALLÓ]
If I run this command manually, using strace for debugging, the last lines
before a segmentation fault are these (full output attached):
[root@XXXXXX ~]# strace /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf -e debug -X
[...]
open("/etc/hosts", O_RDONLY) = 6
fcntl64(6, F_GETFD) = 0
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f99000
read(6, "# Do not remove the following li"..., 4096) = 505
read(6, "", 4096) = 0
close(6) = 0
munmap(0xb7f99000, 4096) = 0
open("/etc/hosts", O_RDONLY) = 6
fcntl64(6, F_GETFD) = 0
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f99000
read(6, "# Do not remove the following li"..., 4096) = 505
close(6) = 0
munmap(0xb7f99000, 4096) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6
fcntl64(6, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("XX.XX.XX.XX")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=6, events=POLLPRI|POLLOUT}], 1, 5000) = 1 ([{fd=6, revents=POLLOUT}])
getsockopt(6, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
getpeername(6, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("XX.XX.XX.XX")}, [16]) = 0
time(NULL) = 1253515556
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
XX.XX.XX.XX is the IP address of the server.
[root@XXXXXX ~]# rpm -qa | grep fedora
fedora-ds-admin-1.1.1-1.fc6
fedora-ds-1.1.0-3.fc6
fedora-ds-base-1.1.0-3.fc6
fedora-admin-console-1.1.0-4.fc6
fedora-idm-console-1.1.0-5.fc6
fedora-ds-console-1.1.0-5.fc6
[root@XXXXXX ~]# uname -a
Linux XXXXXXXXXXXXXXXXXXX 2.6.18-128.1.10.el5.centos.plusPAE #1 SMP
Mon May 11 07:51:33 EDT 2009 i686 i686 i386 GNU/Linux
Any idea why this is happening? The LDAP server itself is working fine.
Regards.
14 years, 7 months
Re: [389-users] Configuring Multimaster Replication
by Morris, Patrick
On Mon, 21 Sep 2009, Allan Gaston Hougham wrote:
> Hi,
>
> I am trying to create a Multimaster Replication (two masters only, active-active)
> and I tried this solution, but it is not working
>
> http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
>
> Is it possible to have two master servers? Does anyone have this implementation in production?
A couple things:
1. When starting a new thread, don't reply to someone else's message and
change the subject. Those of us with threaded mail readers probably
won't see it, since your message will be included in a thread on a
totally different subject.
2. Yes, multi-master replication works. Give us some details about
what's not working for you and what's in your logs and someone can
probably help you out.
14 years, 7 months