Client setup
by Maurice James
Hi all,
I'm running FC14 and I'm having a hell of a time trying to get my client
authenticating to my 389-ds server.
Here are the specs
389-ds server: FC13
Client machines are a mix of FC 13 and FC14
I have SSL set up and listening on port 636. I used
system-config-authentication to set up the client. When I run getent passwd
<username> there is no output on the client, but I see a query on the
server. Am I missing a step?
13 years, 4 months
Announcing 389 Directory Server 1.2.7.5
by Rich Megginson
The 389 Project team is pleased to announce the release of
389-ds-base-1.2.7.5. This release has some key fixes for bugs in
1.2.7.2, .3, and .4.
Installation
yum install 389-ds
# or for EPEL
yum install 389-ds
setup-ds-admin.pl
Upgrade
yum upgrade 389-ds-base
# or for EPEL
yum upgrade 389-ds-base
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system. Each
update is broken down by package and platform. For example, if you are
using Fedora 13, and you have successfully installed or upgraded all of
the packages, and the console etc. work, then go to the links below
for Fedora 13 and provide feedback.
* 389-ds-base-1.2.7.5
** EL-5 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.7.5-1.el5
** Fedora 13 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.7.5-1.fc13
** Fedora 14 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.7.5-1.fc14
* scroll down to the bottom of the page, and click on the Add a comment >> link
* select one of the Works for me or Does not work radio buttons, add
text, and click on the Add Comment button
If you are using a build on another platform, just send us an email to
389-users(a)lists.fedoraproject.org
Reporting Bugs
If you find a bug, or would like to see a new feature, you can enter it
here - https://bugzilla.redhat.com/enter_bug.cgi?product=389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
13 years, 4 months
problem with SSL
by remy d1
Hi list,
I have followed the instructions of the SSL Howto, but I am still stuck at
the SSL activation.
From a clean installation, I try to launch the setupssl.sh script, but at
the end, I have
ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
There is no specific configuration except that I use the port 9831 for my
DS instead of 389 (I already use the standard LDAP port for OpenLDAP and I
do not want to migrate (it is for testing)). I have modified the setupssl
script to execute on this port.
If I just try the end of the script, you can see the error :
ldapmodify -x -h localhost -p 9831 -D "cn=Directory Manager" -W <<EOF
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_qsha
dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
-
replace: nsslapd-secureport
nsslapd-secureport: 636
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
Enter LDAP Password:
ldapmodify: invalid format (line 11) entry: "cn=encryption,cn=config"
I have checked every part of these ldif data. The error is here :
nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,
+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,
+tls_rsa_export1024_with_des_cbc_qsha
But if I do the modifications except this piece of code, ldaps can be
started on the port 636, but the cert files could not be loaded from dirsrv,
so I can not do any request in SSL... I also tried to:
- edit the dse.ldif file in the dirsrv DS configuration directory and delete
the line corresponding to the cert files as the Red Hat documentation tells
(after stopping the dirsrv service). We can see that dirsrv reloads the cert files
in the dse.ldif file, but it changed nothing.
- delete every *.db and *.txt file and cacert.csa. Then, if I reexecute
setupssl.sh, it generates the cert files, but (again), there are no
changes...
Obviously, if I open 389-console, I could see this string in the properties
of "cn=encryption,cn=config".
I have checked my real hostname and other things specified in the
documentation... I know that I do not use the standard LDAP port but I do
not see why this section could not work... Other LDAP requests on this port
work.
Sorry for my bad English...
Any help would be appreciated!
Regards;
Rémy
13 years, 4 months
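Added example (not part of the original post, and not 389 project code): a Python check over the ldapmodify input as it appears in the message above. It flags lines that are neither "attr: value", a separator, nor an RFC 2849 continuation line (leading space), and lists enabled ciphers whose names match a weak-fragment list. The sample input is constructed from the post with the cipher list shortened, and the weak-fragment list is an assumption of this example.

```python
import re

# Constructed sample: first entry of the ldapmodify input as it appears in the
# post (cipher list shortened), with the wrapped lines not indented.
AS_POSTED = """\
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers:
-rsa_null_md5,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,
+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha
"""
# Same content folded per RFC 2849: each continuation line starts with a space.
FOLDED = (AS_POSTED.replace("nsSSL3Ciphers:\n-rsa", "nsSSL3Ciphers: -rsa")
                   .replace("\n+rsa_des", "\n +rsa_des"))

ATTR_LINE = re.compile(r"[A-Za-z][A-Za-z0-9;.-]*:")
# Assumption of this example: name fragments treated as weak (NULL, export
# grade, 40-bit keys, RC4, single DES). 3DES is deliberately not matched.
WEAK = re.compile(r"null|export|_40_|rc4|(?<!3)des")

def lint_ldif(text):
    """Return (line_number, line) for every line that is not valid LDIF."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        if line in ("", "-") or line[0] in " #":
            continue  # separator, folded continuation, or comment
        if not ATTR_LINE.match(line):
            bad.append((n, line))
    return bad

def weak_enabled_ciphers(text):
    """Unfold the LDIF and list enabled (+) ciphers whose name looks weak."""
    unfolded = text.replace("\n ", "")
    m = re.search(r"^nsSSL3Ciphers: *(.*)$", unfolded, re.M)
    names = m.group(1).split(",") if m else []
    return [c[1:] for c in names if c.startswith("+") and WEAK.search(c)]

if __name__ == "__main__":
    print(lint_ldif(AS_POSTED))         # unindented wrapped lines are reported
    print(lint_ldif(FOLDED))            # correctly folded input passes
    print(weak_enabled_ciphers(FOLDED))
```

On the input as posted, the first line it reports is line 11, the same line number as in the quoted ldapmodify error.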
incorrect version displayed in console
by Aaron Hagopian
After updating to the latest 389-ds packages I can connect to my admin
console again but I happened to notice that the version displayed when I
click on Directory Server shows 1.2.6 but yum says differently:
Name : 389-ds-base
Arch : x86_64
Version : 1.2.7.2
Release : 1.fc14
Size : 5.5 M
Repo : installed
From repo : updates
Summary : 389 Directory Server (base)
URL : http://port389.org/
License : GPLv2 with exceptions
Description : 389 Directory Server is an LDAPv3 compliant server. The base
: package includes the LDAP server and command line utilities for
: server administration.
Obviously not a big deal but may confuse people. This is on a completely
up-to-date fedora 14 x86_64 machine.
Thanks,
Aaron
13 years, 4 months
Help with multiple office setup
by Orion Poplawski
I'm hoping to get some help/suggestions for setting up a directory server for
a company with multiple offices.
Our goal is to provide unified logins/passwords company-wide. We also have
local Windows domains. In my office, the domain is run by a Samba 3 server
with 389 providing the back end.
Any general suggestions? Currently I have all of our users in the top
dc=nwra,dc=com domain since I wanted to provide a unified space, but now not
so sure how this will interact with the windows domains.
Thanks!
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
13 years, 4 months
Re: [389-users] upgrading packages
by Angel Bosch Mora
> > I'm not sure about CentOS, but in Debian land it is very typical to
> > find messages like that after installing/upgrading:
> >
> > "Remember to restart XXX package!"
> >
> > can yum do that?
> rpm can do that, if you run it from the command line. If you use a
> graphical tool to install/update packages, this information is not
> printed.
>
> But when you update 389-ds-base, rpm will upgrade and restart the
> servers for you (if they were running when you did the upgrade).
so, if rpm can detect you have an instance, why not just run setup-ds-admin.pl -u?
> > do you think it is a good idea?
> >
> > should I file a bug/feature request?
> I'd like to find out what is the problem with the way it is done now,
> and the motivation (i.e. what is the problem that you are attempting
> to solve).
I thought it was clear with my previous questions.
upgrading your system from packages can be dangerous if you don't perform specific steps (setup-ds-admin.pl -u).
there are few packages that need to perform a manual operation after upgrading, so a system may be misconfigured without your knowledge.
anyway, if you don't find this useful just forget it. maybe it is my problem because I tend to update my systems very often.
regards,
abosch
13 years, 4 months
admin http server segfaulting
by brandon
Okay, I have 389-admin-console-1.1.5-1 installed on RHEL5 with
httpd-2.2.3-43.el5_5.3 and SELinux enforcing.
We have installed on two hosts. It runs Okay on one host, but fails to
finish setup-ds-admin.pl on the other. All I can find is a repeated
segfault in dirsrv/admin-server/error (admin server httpd error log).
I'm presuming the console does not work because the HTTP server cannot
stay up because of the Segfault. The directory server appears to be
working fine (ldapsearch verifies), but I want to get into the console.
I have reviewed the configurations between the two hosts (the one that
works and the one that does not) and I am a bit stumped as they appear
to be identical.
I did restart (from the command line) the console on the one that did
work, and now it has started segfaulting. I noted that the SEL context
changed for httpd.worker from system_u to user_u (presumably it picked
up system_u from the boot/init). I rebooted the second host and it came
up with system_u, but still segfaults.
I'm kind of at the end of the road here on troubleshooting. Any suggestions?
-Brandon
13 years, 4 months
Re: [389-users] upgrading packages
by Angel Bosch Mora
----- Original message -----
> Gerrard Geldenhuis wrote:
> >> -----Original Message-----
> >> From: 389-users-bounces(a)lists.fedoraproject.org [mailto:389-users-
> >> bounces(a)lists.fedoraproject.org] On Behalf Of Rich Megginson
> >> Sent: 10 November 2010 14:26
> >> To: General discussion list for the 389 Directory server project.
> >> Subject: Re: [389-users] upgrading packages
> >>
> >> Angel Bosch Mora wrote:
> >>
> >>> hi,
> >>>
> >> In general, it can't. The reason is that you may be using a
> >> centralized configuration directory server to manage several hosts
> >> with one 389-
> >> console. If you do that, the data that needs to be updated is on
> >> the remote
> >> server which hosts the configuration directory server (the one with
> >> the o=NetscapeRoot suffix). We need to get at least the console
> >> admin password to update that information remotely.
I'm refloating this thread to make a little suggestion.
when 389 packages are upgraded it could be useful to show a warning if one or more instances are found.
I'm not sure about CentOS, but in Debian land it is very typical to find messages like that after installing/upgrading:
"Remember to restart XXX package!"
can yum do that?
do you think it is a good idea?
should I file a bug/feature request?
regards,
abosch
13 years, 4 months
Windows Sync Agreement troubles
by Andrey Voronin
Hi!
I have some trouble setting up AD -> DS replication.
CentOS 5.5
386ds version 1.2.6.1 build 2010.272.2313 installed from EPEL repo
I have created sync agreement based on this article:
http://www.linuxmail.info/ad-fds-sync-howto/
But sync doesn't work. I have many of the same events in the error log:
"NSMMReplicationPlugin - agmt="cn=WinSyncAgreement" (ldap:389): Replica has
no update vector. It has never been initialized."
Also, when I try to delete this agreement, the dirsrv service dies.
# service dirsrv status
dirsrv 389ds dead but pid file exists
In error log only - "NSMMReplicationPlugin - agmt_delete: begin"
13 years, 4 months
Building 1.2.7
by Roberto Polli
Hi all,
I tried to build 1.2.7 with openldap only, but it seems I still require
mozldap for the ldif.h (as specified in the documentation).
Do you suggest to continue building 1.2.7 with mozldap only?
Peace,
R.
--
Roberto Polli
Project Manager
Babel S.r.l. - http://www.babel.it
T: +39.06.91801075 M: +39.340.6522736 F: +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
CONFIDENTIAL: This message and its attachments are confidential and
intended for the addressees only.
Unauthorized forwarding to recipients other than those indicated
in the original message is prohibited.
If received in error, use of the contents is prohibited; please
notify the sender and delete it immediately.
13 years, 4 months