Re: [389-users] Adding Users through script?
by Patrick Morris
Ajeet S Raina wrote:
>
>
> Guys,
>
> I downloaded a script called USERADD from the link http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf (page 9) and followed it as follows:
>
> It did create a new Users.ldif file as follows:
>
> dn: uid=dave, cn=EnvOD,ou=IM,ou=Bangalore,dc=im,dc=sap,dc=com
> changetype: add
> uid: dave
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> cn: Dave Meyer
> sn: Meyer
> givenName: Dave Meyer
> gidNumber: 1000
> uidNumber: 1003
> userPassword: {clear}redhat
> loginShell: /bin/bash
> homeDirectory: /home/dave
>
>
> But if I import it into Directory Server as:
>
> ldapmodify -h 389-ds.sap.com -D "cn=Directory Manager" -w <password> -f Users.ldif
> [1] 9443
> -bash: -f: command not found
> [root@389-ds opt]# SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional ldapmodify -h 389-ds.sapient.com -D "cn=Directory Manager" -w Oracle123456& -f Users.ldif
>
> No idea why it's behaving so.
> Am I missing anything in the command?
> I did provide the -ZZ option for TLS but it didn't work.
The fact that it's treating "-f" as a new command indicates there's a
character in the password that's being interpreted by the shell to
mean the end of a command (maybe a semicolon, or an ampersand, or
something similar), and the password displayed in the error confirms
it. Bad idea pasting that in a public mailing list, by the way. Try
quoting the password, or use -W so you get prompted for it.
It also looks like you're using the OpenLDAP version of ldapmodify,
which will assume a SASL (not SSL) bind if you don't add -x to your
parameters (or use the version of ldapmodify provided with 389). If
you want to use LDAP over SSL with that client, you should probably
use "-H ldaps://389-ds.sap.com" instead of "-h 389-ds.sap.com."
14 years, 3 months
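The two points in the reply above, worked through in code as an added example (this is not code from the thread or from 389 DS): first, tokenize the quoted command line the way a POSIX shell lexer does, which shows the trailing `&` of the password becoming a control operator so that `-f Users.ldif` turns into a second command; second, build the ldapmodify invocation as an argv list with `-x` (simple bind instead of SASL), an `ldaps://` URI via `-H`, and the password prompted (`-W`) or read from a file (`-y`) rather than placed on the command line. The host name, bind DN, file names and the replacement password are assumptions chosen for the example.

```python
import base64
import shlex
import subprocess

# The quoted command line, with the password replaced by a constructed one that
# ends in the same kind of shell metacharacter (assumption for the example).
POSTED_CMDLINE = ('ldapmodify -h 389-ds.example.com -D "cn=Directory Manager" '
                  '-w Secret123& -f Users.ldif')

# Tokens a POSIX shell treats as control operators, i.e. command boundaries.
CONTROL_OPS = {"&", "&&", ";", ";;", "|", "||", "(", ")", "<", ">", ">>", "<<"}


def shell_tokens(cmdline):
    """Tokenize cmdline the way a POSIX shell lexer would: quotes group words,
    and the characters ();<>|& come back as separate operator tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lexer)


def split_commands(tokens):
    """Cut the token stream into simple commands at control operators."""
    commands, current = [], []
    for tok in tokens:
        if tok in CONTROL_OPS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def ldif_line(attr, value):
    """One LDIF attribute line; base64-encode values LDIF cannot carry as-is
    (leading space/colon/'<', trailing space, non-ASCII, control characters)."""
    plain = (value.isascii() and value.isprintable()
             and value == value.strip() and value[:1] not in (":", "<"))
    if plain:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def user_ldif(uid, given_name, sn, uid_number, gid_number, parent_dn, password=None):
    """Add-record for a posixAccount user (the attribute set of the quoted
    Users.ldif, with givenName holding only the given name)."""
    pairs = [
        ("changetype", "add"),
        ("objectClass", "top"), ("objectClass", "person"),
        ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("uid", uid), ("cn", "%s %s" % (given_name, sn)), ("sn", sn),
        ("givenName", given_name),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", "/home/" + uid), ("loginShell", "/bin/bash"),
    ]
    if password is not None:
        pairs.append(("userPassword", password))
    lines = [ldif_line("dn", "uid=%s,%s" % (uid, parent_dn))]
    lines += [ldif_line(a, v) for a, v in pairs]
    return "\n".join(lines) + "\n"


def ldapmodify_argv(host, bind_dn, ldif_path, password_file=None):
    """argv for OpenLDAP's ldapmodify: -x forces a simple bind (otherwise it
    attempts SASL), -H gives an LDAPS URI, and the password is either prompted
    for (-W) or read from a file (-y) so it never sits on the command line."""
    argv = ["ldapmodify", "-x", "-H", "ldaps://" + host, "-D", bind_dn]
    argv += ["-y", password_file] if password_file else ["-W"]
    return argv + ["-f", ldif_path]


def run_ldapmodify(argv):
    """Execute without a shell: each argv element reaches ldapmodify intact."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    for n, cmd in enumerate(split_commands(shell_tokens(POSTED_CMDLINE)), 1):
        print("shell command %d: %s" % (n, cmd))
    print(user_ldif("dave", "Dave", "Meyer", 1003, 1000, "ou=People,dc=example,dc=com"))
    argv = ldapmodify_argv("389-ds.example.com", "cn=Directory Manager", "Users.ldif")
    print(" ".join(shlex.quote(a) for a in argv))
```

Running it prints two "shell commands": the first ends at the password with the `&` stripped off (that is the backgrounded job, hence the `[1] 9443` line in the post), the second is just `-f Users.ldif`, which bash duly reports as "command not found". A password file handed to `-y` should be mode 0600; the `-w` form also shows up in `ps` output for the lifetime of the process, which is a second reason to avoid it.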
Using Active Directory's SUA/SFU extensions in a Directory Server <==> AD setup
by Kenneth Holter
Hi.
We wish to sync our Red Hat Directory Server (RHDS) with Active Directory
(AD), and would like our Linux boxes to make use of the groups defined in AD.
Our current plan has been to recreate the AD groups as netgroups on the
RHDS side, but recently I've been told that it is possible to use the AD groups
directly; the only modifications necessary would be to set some attribute
mappings in the nss_ldap module and enable/configure the Subsystem for
UNIX-based Applications (SUA) on the AD side.
Has anyone here implemented this setup?
Is it so that SUA is simply a schema extension to hold Unix attributes, so
essentially what happens when enabling SUA is that one is able to define POSIX
attributes on the AD side, which in turn are synced over to RHDS by the
Windows Sync plugin?
Best regards,
Kenneth Holter
14 years, 3 months
the View Error !!!
by Ajeet S Raina
I can see the following errors in the logs:
[15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter
[Octopus] in entry [ou=oct,ou=bangalore,dc=im,dc=sap,dc=com] is not valid
[15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter
[(l=novell] in entry [ou=nov,ou=gurgaon,dc=im,dc=sap,dc=com] is not valid
[15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter
[(l=novell] in entry [ou=nov,ou=gurgaon,dc=im,dc=sap,dc=com] is not valid
[15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter
[Octopus] in entry [ou=octo,ou=bangalore,dc=im,dc=sap,dc=com] is not valid
I tried creating the nsview and nsfilter stuff for my organization but wonder
why the logs are showing this.
14 years, 3 months
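The views plugin is complaining that the values it found are not LDAP search filters. As an added example (not code from the post or from 389 DS), the following parses the quoted log lines, runs each rejected filter through a small RFC 4515 filter checker, and reports why it fails: `Octopus` is a bare word with no attribute and no parentheses, and `(l=novell` is missing its closing parenthesis. The log lines are copied from the post; the checker, the suggestion logic and the test filters are this example's own.

```python
import re

# Log lines copied from the post above (DNs as posted).
LOG_LINES = [
    "[15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter "
    "[Octopus] in entry [ou=oct,ou=bangalore,dc=im,dc=sap,dc=com] is not valid",
    "[15/Jan/2010:21:33:56 +051800] views-plugin - Error: the view filter "
    "[(l=novell] in entry [ou=nov,ou=gurgaon,dc=im,dc=sap,dc=com] is not valid",
]
LOG_RE = re.compile(
    r"views-plugin - Error: the view filter \[(.*)\] in entry \[(.*?)\] is not valid")

# attributeDescription: a descriptor or a numeric OID, with optional ;options
ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$")
ITEM_RE = re.compile(r"([^()=~<>]+)(~=|>=|<=|=)")
HEX2_RE = re.compile(r"[0-9A-Fa-f]{2}")


class FilterError(ValueError):
    pass


def parse_filter(text):
    """Parse an RFC 4515 filter string into nested tuples, or raise FilterError.
    Extensible matching (':=') is left out; views use simple filters."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing data after filter at %d: %r" % (pos, text[pos:]))
    return node


def _parse(s, pos):
    if pos >= len(s) or s[pos] != "(":
        raise FilterError("expected '(' at %d" % pos)
    pos += 1
    if pos >= len(s):
        raise FilterError("unterminated filter")
    c = s[pos]
    if c in "&|":                      # and / or: zero or more sub-filters
        pos += 1
        kids = []
        while pos < len(s) and s[pos] == "(":
            kid, pos = _parse(s, pos)
            kids.append(kid)
        node = (c, kids)
    elif c == "!":                     # not: exactly one sub-filter
        kid, pos = _parse(s, pos + 1)
        node = ("!", kid)
    else:                              # attribute, operator, value
        m = ITEM_RE.match(s, pos)
        if not m or not ATTR_RE.match(m.group(1)):
            raise FilterError("expected 'attribute=value' at %d" % pos)
        attr, op = m.group(1), m.group(2)
        value, pos = _value(s, m.end())
        if "*" in value and op != "=":
            raise FilterError("'*' is only valid in equality/substring filters")
        node = (op, attr, value)
    if pos >= len(s) or s[pos] != ")":
        raise FilterError("expected ')' at %d (unbalanced parenthesis)" % pos)
    return node, pos + 1


def _value(s, pos):
    """Consume an assertion value: anything up to ')' except a bare '(' or a
    backslash not followed by two hex digits (RFC 4515 \\XX escapes)."""
    start = pos
    while pos < len(s) and s[pos] != ")":
        if s[pos] == "(":
            raise FilterError("unescaped '(' inside value at %d" % pos)
        if s[pos] == "\\":
            if not HEX2_RE.match(s, pos + 1):
                raise FilterError("bad escape at %d; use \\XX hex" % pos)
            pos += 3
        else:
            pos += 1
    return s[start:pos], pos


def check_filter(text):
    """(True, 'ok') or (False, reason)."""
    try:
        parse_filter(text)
        return True, "ok"
    except FilterError as exc:
        return False, str(exc)


def failed_view_filters(lines):
    """(filter, entry DN) pairs from views-plugin 'is not valid' log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def suggest(filt):
    """Repair the two mistakes seen in the post: close unbalanced parentheses,
    and mark a bare word as needing an attribute and parentheses."""
    missing = filt.count("(") - filt.count(")")
    if filt.startswith("(") and missing > 0:
        return filt + ")" * missing
    if not filt.startswith("("):
        return "(<attribute>=%s)" % filt
    return None


if __name__ == "__main__":
    for filt, dn in failed_view_filters(LOG_LINES):
        ok, why = check_filter(filt)
        print("%s  nsViewFilter=%r: %s" % (dn, filt, why))
        if suggest(filt):
            print("    try:", suggest(filt))
```

Anything stored in `nsViewFilter` must pass the same rules as a filter given to `ldapsearch`; a quick way to test a candidate before writing it into the view entry is to run it through `ldapsearch -x -b <suffix> '<filter>' dn` and see whether the server accepts it.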
[389-devel] Fatal Error: Could not create directory server instance
by Chun Tat David Chu
Hi All,
I'm having an issue with installing the LDAP server. I am currently testing our
LDAP deployment and was able to uninstall and reinstall it many
times successfully. All of a sudden, since yesterday, I am no longer able to
reinstall it, and I hit the following error when installing:
[10/01/14:15:39:13] - [Setup] Info Creating directory server . . .
[10/01/14:15:39:15] - [Setup] Info Could not import LDIF file
'/tmp/ldifns7zQW.ldif'. Error: 256. Output: importing data ...
[14/Jan/2010:15:39:14 -0500] - Netscape Portable Runtime error -5977:
/usr/lib64/dirsrv/libns-dshttpd.so.0: undefined symbol: XP_AccLangList
[14/Jan/2010:15:39:14 -0500] - Could not open library
"/usr/lib64/dirsrv/plugins/libacl-plugin.so" for plugin ACL Plugin
[14/Jan/2010:15:39:14 -0500] - Unable to load plugin "cn=ACL
Plugin,cn=plugins,cn=config"
[10/01/14:15:39:15] - [Setup] Fatal Error: Could not create directory server
instance 'host1'.
[10/01/14:15:39:15] - [Setup] Fatal Exiting . . .
Log file is '/tmp/setupzDqik5.log'
Please let me know if you know what kind of error I'm hitting.
Thank you,
- David
14 years, 3 months
Modifying Default Install Location
by Chun Tat David Chu
Hi All,
I really like the original layout of the Fedora Directory Server where all
files are installed in /opt/fedora-ds
Is there a way to change/configure 389 Directory so all files are installed
in /opt/389-ds or something equivalent?
Thanks!
David
14 years, 3 months
Distributed Numeric Assignment (DNA) Plugin Fails At 13003
by Fazli
Hi,
I'm currently making use of the DNA plugin to assign unique values for the
'uidNumber' attribute for new POSIX users, which (from what I understand) is
the 'ideal' configuration in a large, corporate environment.
I decided to run a stress test by adding about twenty thousand users via the
ldapadd command. After about the 3995th user, the server returned the
following error for the 3996th:
adding new entry "uid=test3996,ou=People,dc=example,dc=com
ldapadd: Operation error (1)
additional info: Allocation of a new value for uidNumber failed! Unable to
proceed.
I attempted to add the 3996th user myself through the 389 DS Management
Console, and it returned the following error:
Cannot save to directory server:
netscape.ldap.LDAPException: error result (1); Allocation of a new value for
uidNumber failed! Unable to proceed.; Operations error
These are my current DNA settings:
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Account UIDs
dnafilter: (objectClass=posixAccount)
dnamagicregen: 0
dnamaxvalue: -1
dnanextvalue: 13003
dnarangerequesttimeout: 60
dnascope: dc=nsn,dc=com,dc=sg
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=nsn,dc=com,dc=sg
dnathreshold: 1
dnatype: uidNumber
objectClass: top
objectClass: extensibleObject
I find that if I delete the 3995th user, and set the 'dnanextvalue'
attribute of the DNA configuration entry to '13002', the plugin doesn't
throw the above exception. It just doesn't seem to be able to assign the
13003rd uidNumber.
I've also tried restarting the server, as well as updating the libraries
from the repositories, with the same results.
I'm running 389 DS on CentOS, kernel version 2.6.18-164.6.1.el5, if it
helps.
Regards,
Fazli
14 years, 3 months
How to add this entry?
by Ajeet S Raina
Guys,
I was following the link:
http://www.directory.fedora.redhat.com/wiki/DNA_Plugin to make autoincrement
of UID and GUID.
I can see the entry:
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnainterval: 1
dnamaxvalue: 1000
dnamagicregen: 0
dnathreshold: 100
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com
dnanextvalue: 1

dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account GIDs
dnatype: gidNumber
dnainterval: 1
dnamaxvalue: 1000
dnamagicregen: 0
dnathreshold: 100
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnasharedcfgdn: cn=Account GIDs,ou=Ranges,dc=example,dc=com
dnanextvalue: 1
But I have no idea how or where to add them. Please help.
14 years, 3 months
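The two DNA posts above ask, respectively, why a range stopped handing out values and how the two configuration entries are added at all. As an added example that serves both (it is not code from the wiki page, from either post or from 389 DS), the following generates one LDIF file that does everything the wiki entries presuppose: it enables the DNA plugin (`nsslapd-pluginEnabled: on` on the plugin entry, which ships disabled), creates the `ou=Ranges` container the `dnasharedcfgdn` values point into, and adds both range entries exactly as quoted. It also includes a sanity check over a DNA entry's numeric attributes, applied to the configuration from the failing post; that configuration comes out clean, which matches the poster's puzzlement. The suffix `dc=example,dc=com` and the range values are taken from the quoted entries; the `ou=Ranges` object class and the plugin-enable attribute are the standard 389 ones.

```python
DNA_PLUGIN_DN = "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"


def enable_plugin_ldif():
    """Switch the DNA plugin on (it ships disabled)."""
    return ("dn: %s\nchangetype: modify\n"
            "replace: nsslapd-pluginEnabled\nnsslapd-pluginEnabled: on\n" % DNA_PLUGIN_DN)


def ranges_container_ldif(suffix):
    """Container the dnasharedcfgdn entries live under; it has to exist before
    the plugin tries to write its shared-range entries there."""
    return ("dn: ou=Ranges,%s\nchangetype: add\nobjectClass: top\n"
            "objectClass: organizationalUnit\nou: Ranges\n" % suffix)


def dna_entry(name, attr, suffix, next_value=1, max_value=1000, threshold=100,
              interval=1, magic=0):
    """One DNA range definition, same attribute set as the quoted wiki entries."""
    return {
        "dn": "cn=%s,%s" % (name, DNA_PLUGIN_DN),
        "objectClass": ["top", "extensibleObject"],
        "cn": name,
        "dnatype": attr,
        "dnainterval": str(interval),
        "dnamaxvalue": str(max_value),
        "dnamagicregen": str(magic),
        "dnathreshold": str(threshold),
        "dnafilter": "(objectclass=posixAccount)",
        "dnascope": suffix,
        "dnasharedcfgdn": "cn=%s,ou=Ranges,%s" % (name, suffix),
        "dnanextvalue": str(next_value),
    }


def entry_to_ldif(entry, changetype="add"):
    """Serialize a dict entry (multi-valued attributes as lists) to LDIF."""
    lines = ["dn: " + entry["dn"], "changetype: " + changetype]
    for attr, values in entry.items():
        if attr == "dn":
            continue
        for value in (values if isinstance(values, list) else [values]):
            lines.append("%s: %s" % (attr, value))
    return "\n".join(lines) + "\n"


def dna_setup_ldif(suffix):
    """One file: enable the plugin, create ou=Ranges, add both range entries."""
    records = [
        enable_plugin_ldif(),
        ranges_container_ldif(suffix),
        entry_to_ldif(dna_entry("Account UIDs", "uidNumber", suffix)),
        entry_to_ldif(dna_entry("Account GIDs", "gidNumber", suffix)),
    ]
    return "\n".join(records)


def check_dna_entry(entry):
    """Sanity-check a DNA entry's numeric settings; returns a list of problems
    (empty means the numbers are consistent). dnamaxvalue -1 means unbounded,
    as in the configuration quoted in the failure post."""
    problems = []
    nxt = int(entry["dnanextvalue"])
    mx = int(entry.get("dnamaxvalue", "-1"))
    thr = int(entry.get("dnathreshold", "1"))
    step = int(entry.get("dnainterval", "1"))
    magic = int(entry.get("dnamagicregen", "0"))
    if step < 1:
        problems.append("dnainterval must be >= 1")
    if thr < 1:
        problems.append("dnathreshold must be >= 1")
    if mx != -1:
        if nxt > mx:
            problems.append("dnanextvalue %d exceeds dnamaxvalue %d: range exhausted" % (nxt, mx))
        else:
            remaining = (mx - nxt) // step + 1
            if remaining <= thr:
                problems.append("only %d values left, at or below dnathreshold %d" % (remaining, thr))
        if nxt <= magic <= mx:
            problems.append("dnamagicregen %d lies inside the range and could be handed out" % magic)
    if not entry.get("dnafilter", "").startswith("("):
        problems.append("dnafilter is not an LDAP filter")
    return problems


if __name__ == "__main__":
    print(dna_setup_ldif("dc=example,dc=com"))
    # The configuration quoted in the DNA failure post above.
    posted = dna_entry("Account UIDs", "uidNumber", "dc=nsn,dc=com,dc=sg",
                       next_value=13003, max_value=-1, threshold=1)
    print("problems in posted config:", check_dna_entry(posted) or "none")
```

Write the output to a file and load it as Directory Manager, for example `ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f dna.ldif`, then restart the instance: plugin configuration under `cn=plugins,cn=config` is read at startup. Two things the check above makes visible for the wiki's own values: `dnamaxvalue: 1000` means the range is exhausted after the thousandth account (a stress test of twenty thousand adds would hit that long before the 3996th user of the failure post), and `dnathreshold` governs how many values must remain before the plugin looks for a new range, so a threshold near the range size is a mis-setting, not a safety margin.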
Restricting Users for particular Machine?
by Ajeet S Raina
We are in the process of customizing the 389-DS server to restrict users to
a particular machine.
Say, I have the following organization:
ou=>Pune
ou=>Hyderabad
Under Pune
ou=> Project-1
ou=> Project-2
Under Project -1
Group=>Administrators
Under Administrator
User=> snal
Now I can easily right-click on the username >> Set Access and Permission >>
Users | Rights | Targets | Host | Themes,
where Host are the entries which that user can only access (correct me if I am
wrong).
Say I have a 389 client machine, 10.209.33.77.
Now if I add this hostname,
that user can only access this host and not the others, right?
Please clarify. How can I restrict a particular user to access only that machine?
14 years, 3 months
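The Host tab in the console's ACI editor sets `ip=`/`dns=` bind rules: it controls from which client addresses operations by the bound identity are allowed on directory data. It is not a login restriction, because the client's PAM stack only needs to bind as the user, and binds are not subject to ACIs. The usual way to pin a user to particular machines is the `host` attribute on the user entry, checked on the client by pam_ldap when `/etc/ldap.conf` has `pam_check_host_attr yes`. The following is an added example (not code from the post, from 389 DS or from pam_ldap) modelling that check and producing the LDIF that sets the attribute. The user names, hostnames and DNs are constructed; the matching is a simplified model of pam_ldap's (exact hostname, the short name, or `*` for any host; a user without a `host` attribute is denied), and it assumes the entry's object classes permit `host` (the RFC 4524 `account` class does; the server's schema check rejects the modify otherwise).

```python
import socket

# Constructed sample directory data: uid -> values of the host attribute.
SAMPLE_USERS = {
    "snal": ["client77.example.com"],   # allowed on one machine only
    "ops": ["*"],                        # allowed everywhere
    "dave": [],                          # no host attribute: denied everywhere
}

LDAP_CONF_SNIPPET = """# client-side /etc/ldap.conf (nss_ldap / pam_ldap)
pam_check_host_attr yes
"""


def normalize(name):
    """Case-fold and strip a trailing dot so FQDN comparisons are stable."""
    return name.strip().lower().rstrip(".")


def host_allowed(host_values, hostname):
    """Model of pam_check_host_attr: True if any host value is '*', the
    client's FQDN or its short name; False when the attribute is absent."""
    fqdn = normalize(hostname)
    short = fqdn.split(".")[0]
    for value in host_values:
        value = normalize(value)
        if value == "*" or value == fqdn or value == short:
            return True
    return False


def login_decision(uid, users, hostname=None):
    """Decide a login for uid on this machine (default: the local FQDN)."""
    if hostname is None:
        hostname = socket.getfqdn()
    return host_allowed(users.get(uid, []), hostname)


def host_modify_ldif(user_dn, hosts):
    """LDIF that sets the host attribute on a user entry. 'replace' makes the
    change idempotent and removes any machines no longer listed."""
    lines = ["dn: " + user_dn, "changetype: modify", "replace: host"]
    lines += ["host: " + h for h in hosts]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for uid in SAMPLE_USERS:
        for machine in ("client77.example.com", "client78.example.com"):
            verdict = "allow" if login_decision(uid, SAMPLE_USERS, machine) else "deny"
            print("%-5s on %-22s %s" % (uid, machine, verdict))
    print(host_modify_ldif("uid=snal,ou=People,dc=example,dc=com",
                           ["client77.example.com"]))
    print(LDAP_CONF_SNIPPET)
```

Note the two layers: the directory stores the policy (`host` values), the client enforces it, so a machine whose `/etc/ldap.conf` lacks `pam_check_host_attr yes` lets every directory user in regardless. Because the attribute is compared with the client's own hostname, the value must be the name the client resolves for itself, not an IP address as in the post.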
Stucked with Client Setup?
by Ajeet S Raina
I have been stuck on the following points:
1. Authenticating Linux Client with ldaps://
2. Auto create home directory ( I will look into what you sent)
3. Auto-Increment UserID
Let's start with the first one.
I have 389-DS configured with SSL.
If I try to configure the client with the authconfig-tui command, deselecting
TLS and ldaps://, it works fine.
Let's talk about the client binding to ldaps://.
On Server Side, I found a crt file through find command as below:
[root@389-ds schema]# find / -name *.crt
/etc/pki/tls/certs/ca-bundle.crt
Is that the certificate we need to send to /etc/openldap/cacerts/?
As I can see, the links sent by the Fedora DS mailing list experts are old ones
which talk about Fedora DS.
But the new 389-DS seems to have a different location for the certificates.
Now I just copied this ca-bundle.crt to the client machine and tried running:
authconfig-tui
TLS[*]
ldaps://<ip>/
dc=im,dc=sap,dc=com
I did create a user through the Management Console.
[root@389-ds schema]# ldapsearch -x -b "dc=im,dc=sap,dc=com" -L
'(objectclass=*)'
# rajeshwar, Env, im, Bangalore, isst.sapient.com
dn: uid=rajeshwar,cn=Env,ou=im,ou=Bangalore,dc=im,dc=sap,dc=com
uid: rajeshwar
givenName: Rajeshwar
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: posixgroup
sn: k
cn: Rajeshwar k
uidNumber: 670
gidNumber: 670
homeDirectory: /home/rajeshwar
loginShell: /bin/bash
# search result
# numResponses: 28
# numEntries: 27
Now if I try to log in with the username it doesn't display anything:
Jan 14 14:53:34 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server
(sleeping 4 seconds)...
Jan 14 14:53:38 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server
(sleeping 8 seconds)...
Jan 14 14:53:46 localhost sshd[3757]: nss_ldap: reconnecting to LDAP server
(sleeping 16 seconds)...
Any idea what may be going wrong?
--
”It is not possible to rescue everyone who is caught in the Windows
quicksand
--Make sure you are on solid Linux ground before trying.”
14 years, 3 months
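`/etc/pki/tls/certs/ca-bundle.crt` is the operating system's bundle of public CAs; it has nothing to do with the certificate a 389 DS instance presents. An instance set up with its own CA keeps that CA in the NSS database under `/etc/dirsrv/slapd-<instance>/`, from which `certutil` exports it in PEM form. The reconnect loop in the log is what nss_ldap does when the TLS handshake keeps failing. As an added example (not code from the post or from 389 DS), the following checks the one thing worth knowing before pointing a client at a CA file: whether that file actually validates the server certificate on port 636. The host name, the instance name and the CA nickname `CA certificate` are placeholders to be replaced; the PEM text and the `getpeercert()` structure used in the tests are constructed.

```python
import socket
import ssl
import subprocess

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def export_389_ca(instance, nickname="CA certificate"):
    """Export the CA certificate from the instance's NSS database as PEM by
    running certutil (argv list, no shell). Nickname is an assumption: list
    the database with `certutil -L -d /etc/dirsrv/slapd-<instance>` to find it."""
    argv = ["certutil", "-L", "-d", "/etc/dirsrv/slapd-%s" % instance,
            "-n", nickname, "-a"]
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def pem_blocks(text):
    """Return the PEM certificate blocks in text. The OS bundle holds many;
    an exported 389 DS CA holds exactly one."""
    blocks, pos = [], 0
    while True:
        start = text.find(PEM_BEGIN, pos)
        if start < 0:
            return blocks
        end = text.find(PEM_END, start)
        if end < 0:
            return blocks
        end += len(PEM_END)
        blocks.append(text[start:end])
        pos = end


def dn_string(rdns):
    """Render getpeercert()'s nested-tuple DN as 'C=..,O=..,CN=..'."""
    short = {"commonName": "CN", "organizationName": "O",
             "organizationalUnitName": "OU", "countryName": "C",
             "stateOrProvinceName": "ST", "localityName": "L"}
    parts = []
    for rdn in rdns:
        for key, value in rdn:
            parts.append("%s=%s" % (short.get(key, key), value))
    return ",".join(parts)


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Complete a verified TLS handshake with the LDAPS port using cafile as
    the trust anchor. Returns verified (bool), error text, and the peer's
    subject and issuer when verification succeeded."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    result = {"verified": False, "error": None, "subject": None, "issuer": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(verified=True,
                              subject=dn_string(cert["subject"]),
                              issuer=dn_string(cert["issuer"]))
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "389-ds.example.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else "/etc/pki/tls/certs/ca-bundle.crt"
    with open(cafile) as fh:
        print("%s holds %d certificate(s)" % (cafile, len(pem_blocks(fh.read()))))
    print(probe_ldaps(host, cafile=cafile))
```

A `certificate verify failed` error against the OS bundle, followed by `verified: True` against the file written from `export_389_ca`, confirms the diagnosis. Install the exported CA on the client rather than the bundle: either name it with `tls_cacertfile` in `/etc/ldap.conf`, or drop it into `/etc/openldap/cacerts/` and run the `cacertdir_rehash` helper that authconfig ships, since `tls_cacertdir` lookups go by hashed file names. Connect by the name in the server certificate's subject, not by IP as in the post's `ldaps://<ip>/`, because the client verifies the hostname as well as the chain.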