January 2010 - 389-users - Fedora Mailing-Lists

Re: [389-users] Adding Users through script?

by Patrick Morris

Ajeet S Raina wrote: > > > Guys, > > I downloaded a script called USERADD from link: http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf Page 9 and follow as follow: > > It did create a new Users.ldif file as follow: > > dn: uid=dave, cn=EnvOD,ou=IM,ou=Bangalore,dc=im,dc=sap,dc=com > changetype: add > uid: dave > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > objectClass: posixAccount > cn: Dave Meyer > sn: Meyer > givenName: Dave Meyer > gidNumber: 1000 > uidNumber: 1003 > userPassword: {clear}redhat > loginShell: /bin/bash > homeDirectory: /home/dave > > > But if I import it into Directory Server as: > > ldapmodify -h 389-ds.sap.com -D "cn=Directory Manager" -w <password> -f Users.ldif > [1] 9443 > -bash: -f: command not found > [root@389-ds opt]# SASL/EXTERNAL authentication started > ldap_sasl_interactive_bind_s: Unknown authentication method (-6) > additional ldapmodify -h 389-ds.sapient.com -D "cn=Directory Manager" -w Oracle123456& -f Users.ldif > > No Idea why its behaving so? > Am I missing anything in the command. > I did provided -ZZ options for TLS but it dint work. The fact that it's treating "-f" as a new command indicates there's a character in the password that's being interpreted by the shell to mean the end of a command (maybe a semicolon, or an ampersand, or something similar), and the password displayed in the error confirms it. Bad idea pasting that in a public mailing list, by the way. Try quoting the password, or use -W so you get prompted for it. It also looks like you're using the OpenLDAP version of ldapmodify, which will assume a SASL (not SSL) bind if you don't add -x to your parameters (or use the version of ldapmodify provided with 389). If you want to use LDAP over SSL with that client, you should probably use "-H ldaps://389-ds.sap.com" instead of "-h 389-ds.sap.com."

14 years, 3 months

1
0
0 / 0

Using Active Directory's SUA/SFU extensions in a Directory Server <==> AD setup

by Kenneth Holter

Hi. We wish to sync our Red Hat Directory Server (RHDS) with Active Directory (AD), and would like our linux boxes to make use the groups defined on AD. Our current plan have been to recreate the AD groups as netgroups on the RHDS side, but recently I've been told that it is possible use the AD groups directly - only modifications necessary would be to set some attribute mappings in the nss_ldap module, and enable/configure the Subsystem for UNIX-based Applications (SUA) on the AD side. Has anyone here implemented this setup? Is is so that SUA is simply a schema extension to hold unix attributes, so essentially what happens when enabling SUA is that one on the AD side is able to define posix attributes, which in turn is synced over to RHDS by the Windows Sync plugin? Best regards, Kenneth Holter

14 years, 3 months

2
3
0 / 0

the View Error !!!

by Ajeet S Raina

I can see the following logs error: [15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter [Octopus] in entry [ou=oct,ou=bangalore,dc=im,dc=sap,dc=com] is not valid [15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter [(l=novell] in entry [ou=nov,ou=gurgaon,dc=im,dc=sap,dc=com] is not valid [15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter [(l=novell] in entry [ou=nov,ou=gurgaon,dc=im,dc=sap,dc=com] is not valid [15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter [Octopus] in entry [ou=octo,ou=bangalore,dc=im,dc=sap,dc=com] is not valid I tried creating nsview and nsfilter stuff for my organization but wonder why the logs showing like that.

14 years, 3 months

1
0
0 / 0

[389-devel] Fatal Error: Could not create directory server instance

by Chun Tat David Chu

Hi All, I'm having an issue with installing the LDAP. I am currently testing our LDAP deployment and I was able to uninstall and reinstall the LDAP many times successfully. All of the sudden since yesterday, I no longer able to reinstall the LDAP, and I hit the following error when installing the LDAP. [10/01/14:15:39:13] - [Setup] Info Creating directory server . . . [10/01/14:15:39:15] - [Setup] Info Could not import LDIF file '/tmp/ldifns7zQW.ldif'. Error: 256. Output: importing data ... [14/Jan/2010:15:39:14 -0500] - Netscape Portable Runtime error -5977: /usr/lib64/dirsrv/libns-dshttpd.so.0: undefined symbol: XP_AccLangList [14/Jan/2010:15:39:14 -0500] - Could not open library "/usr/lib64/dirsrv/plugins/libacl-plugin.so" for plugin ACL Plugin [14/Jan/2010:15:39:14 -0500] - Unable to load plugin "cn=ACL Plugin,cn=plugins,cn=config" [10/01/14:15:39:15] - [Setup] Fatal Error: Could not create directory server instance 'host1'. [10/01/14:15:39:15] - [Setup] Fatal Exiting . . . Log file is '/tmp/setupzDqik5.log Please let me know if you know what kind of error I'm hitting. Thank you, - David

14 years, 3 months

3
5
0 / 0

Modifying Default Install Location

by Chun Tat David Chu

Hi All, I really like the original layout of the Fedora Directory Server where all files are installed in /opt/fedora-ds Is there a way to change/configure 389 Directory so all files are installed in /opt/389-ds or something equivalent? Thanks! David

14 years, 3 months

2
2
0 / 0

Distributed Numeric Assignment (DNA) Plugin Fails At 13003

by Fazli

Hi, I'm currently making use of the DNA plugin to assign unique values for the 'uidNumber' attribute for new POSIX users, which (from what I understand) is the 'ideal' configuration in a large, corporate environment. I decided to run a stress test by adding about twenty thousand users via the ldapadd command. After about the 3995th user, the server returned the following error for the 3996th: adding new entry "uid=test3996,ou=People,dc=example,dc=com ldapadd: Operation error (1) additional info: Allocation of a new value for uidNumber failed! Unable to proceed. I attempted to add the 3996th user myself through the 389 DS Management Console, and it returned the following error: Cannot save to directory server: netscape.ldap.LDAPException: error result (1); Allocation of a new value for uidNumber failed! Unable to proceed.; Operations error These are my current DNA settings: dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config cn: Account UIDs dnafilter: (objectClass=posixAccount) dnamagicregen: 0 dnamaxvalue: -1 dnanextvalue: 13003 dnarangerequesttimeout: 60 dnascope: dc=nsn,dc=com,dc=sg dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=nsn,dc=com,dc=sg dnathreshold: 1 dnatype: uidNumber objectClass: top objectClass: extensibleObject I find that if I delete the 3995th user, and set the 'dnanextvalue' attribute of the DNA configuration entry to '13002', the plugin doesn't throw the above exception. It just doesn't seem to be able to assign the 13003th uidNumber. I've also tried restarting the server, as well as updating the libraries from the repositories, with the same results. I'm running 389 DS on CentOS, kernel version 2.6.18-164.6.1.el5, if it helps. Regards, Fazli

14 years, 3 months

2
1
0 / 0

How to add this entry?

by Ajeet S Raina

Guys, I was following the link: http://www.directory.fedora.redhat.com/wiki/DNA_Plugin to make autoincrement of UID and GUID. I can see the entry: dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: Account UIDs dnatype: uidNumber dnainterval: 1 dnamaxvalue: 1000 dnamagicregen: 0 dnathreshold: 100 dnafilter: (objectclass=posixAccount) dnascope: dc=example,dc=com dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com dnanextvalue: 1 dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: Account GIDs dnatype: gidNumber dnainterval: 1 dnamaxvalue: 1000 dnamagicregen: 0 dnathreshold: 100 dnafilter: (objectclass=posixAccount) dnascope: dc=example,dc=com dnasharedcfgdn: cn=Account GIDs,ou=Ranges,dc=example,dc=com dnanextvalue: 1 [edit<https://mail.google.com/wiki?title=DNA_Plugin&action=edit&section=10> ] But no idea how to add and where to add.Pls help.

14 years, 3 months

1
0
0 / 0

Announcing 389 Directory Server 1.2.5

by Rich Megginson

The 389 team is pleased to announce the availability of version 1.2.5. This release is essentially the same as 1.2.5 RC4. NOTE: Packages for Enterprise Linux are available from Fedora EPEL. We will no longer have a separate yum repo at port389.org for these packagse. * Release Notes - http://port389.org/wiki/Release_Notes * Install_Guide - http://port389.org/wiki/Install_Guide * Download - http://port389.org/wiki/Download === New features === * Named Pipe Log Script - this script allows you to replace the access/errors/audit log file with a named pipe attached to a script - this allows you to do things like ** enable full debug error log level in production environments without suffering too much performance degradation ** log only certain events e.g. failed bind attempts only, or only messages that contain a specified pattern ** send data to a remote server, send email, anything that can be scripted ** http://directory.fedoraproject.org/wiki/Named_Pipe_Log_Script === Bugs Fixed === This release contains several bug fixes. The complete list of bugs fixed is found at the link below. Note that bugs marked as MODIFIED have been fixed but are still in testing. * Tracking bug for 1.2.5 release - https://bugzilla.redhat.com/showdependencytree.cgi?id=533025&hide_resolved=0 * https://bugzilla.redhat.com/show_bug.cgi?id=537956 537956 Password replication from 389DS to AD2008(64bit) fails, all other replication continues * https://bugzilla.redhat.com/show_bug.cgi?id=548537 548537 Fix memory leaks in DNA plugin * https://bugzilla.redhat.com/show_bug.cgi?id=518084 518084 Fix out of order retro changelog entries * https://bugzilla.redhat.com/show_bug.cgi?id=497556 497556 LDAPI connections cause TCP performance degradation * https://bugzilla.redhat.com/show_bug.cgi?id=195302 195302 local pwp can't set storage scheme * https://bugzilla.redhat.com/show_bug.cgi?id=387681 387681 "windows_process_dirsync_entry: failed to map tombstone dn." with , in DisplayName * https://bugzilla.redhat.com/show_bug.cgi?id=486171 486171 [RFE] Access log - Failed binds * https://bugzilla.redhat.com/show_bug.cgi?id=497199 497199 'failed to send dirsync search request 2' error * https://bugzilla.redhat.com/show_bug.cgi?id=504817 504817 Double quoted distinguished names not working in fedora-ds 1.2.0 * https://bugzilla.redhat.com/show_bug.cgi?id=515329 515329 Multiple mods in one operation can result in an inconsistent replica * https://bugzilla.redhat.com/show_bug.cgi?id=540559 540559 selinux policy needs to allow log pipe

14 years, 3 months

2
2
0 / 0

Restricting Users for particular Machine?

by Ajeet S Raina

We are in process to customize 389-DS Server to allow users restrict to the particular machine. Say, I have the following organization: ou=>Pune ou=>Hyderabad Under Pune ou=> Project-1 ou=> Project-2 Under Project -1 Group=>Administrators Under Administrator User=> snal Now I can easily Right Click on Username >> SetAccess and Permission >> Users | Rights | Targets | Host| Themes whereas Host are entries which that user can only access( correct me if I am wrong) Say I have a 389 Client Machine 10.209.33.77 Now if I add this hostname So that user can only access this Host and not the other Right? Pls clarify.How can I stop a particular user to access only that machine?

14 years, 3 months

3
6
0 / 0

Stucked with Client Setup?

by Ajeet S Raina

have been stucked with the following points: 1. Authenticating Linux Client with ldaps:// 2. Auto create home directory ( I will look into what you sent) 3. Auto-Increment UserID Lets start with the first one. I have 389-DS configured with SSL. If I try to configure the Client with authconfig-tui command and deselecting TLS and ldaps:// it works fine. Lets talk about CLient binding to ldaps://. On Server Side, I found a crt file through find command as below: [root@389-ds schema]# find / -name *.crt /etc/pki/tls/certs/ca-bundle. crt Is that the certificate we need to send to /etc/openldap/cacerts/ As I can see links sent by fedora DS Mailing list experts is old one which talks about Fedora DS. But the new 389-DS seems to have different location for the certificates. Now I just copied this ca-bundle.crt to the client machine Tried running: authconfig-tui TLS[*] ldaps://<ip>/ dc=im,dc=sap,dc=com I did created a user through Management Console. [root@389-ds schema]# ldapsearch -x -b "dc=im,dc=sap,dc=com" -L '(objectclass=*)' # rajeshwar, Env, im, Bangalore, isst.sapient.com dn: uid=rajeshwar,cn=Env,ou=im,ou=Bangalore,dc=im,dc=sap,dc=com uid: rajeshwar givenName: Rajeshwar objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson objectClass: posixAccount objectClass: posixgroup sn: k cn: Rajeshwar k uidNumber: 670 gidNumber: 670 homeDirectory: /home/rajeshwar loginShell: /bin/bash # search result # numResponses: 28 # numEntries: 27 Now if I try to login through the username it doesnt display anything: Jan 14 14:53:34 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)... Jan 14 14:53:38 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)... Jan 14 14:53:46 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)... any idea what may be going wrong? -- ”It is not possible to rescue everyone who is caught in the Windows quicksand --Make sure you are on solid Linux ground before trying.”

14 years, 3 months

3
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users January 2010