From: fedora-directory-users-request@redhat.com Reply-To: fedora-directory-users@redhat.com To: fedora-directory-users@redhat.com Subject: Fedora-directory-users Digest, Vol 19, Issue 3 Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
Send Fedora-directory-users mailing list submissions to fedora-directory-users@redhat.com
To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/fedora-directory-users or, via email, send a message with subject or body 'help' to fedora-directory-users-request@redhat.com
You can reach the person managing the list at fedora-directory-users-owner@redhat.com
When replying, please edit your Subject line so it is more specific than "Re: Contents of Fedora-directory-users digest..."
Today's Topics:
- Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1 (Richard Megginson)
- Re: AD + FDS sync stops working? (To Ngan)
- Re: Memory usage (koniczynek)
Message: 1 Date: Fri, 01 Dec 2006 12:55:24 -0700 From: Richard Megginson rmeggins@redhat.com Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1 To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 457088AC.1030004@redhat.com Content-Type: text/plain; charset="iso-8859-1"
t b wrote:
My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
All of this means the client was able to successfully perform the startTLS extended operation and start using SSL.
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
The UNBIND means the client had a problem and closed the connection. Does the client print any errors? Are there any messages in the server error log?
On the client server it shows:
sshd[24149]: Failed password for invalid user xxxxx from xxx.xxx.xxx.xxx port xxx ssh2
If I disable TLS everything works fine; the client server can query the FDS and auth the client properly.
I am not sure if the problem has to do with the pam_ldap config not being properly formatted or the cert file not being in the proper format.
Does anyone have an example of what the pam_ldap config should look like, or suggestions on checking whether the cert file is in the proper format?
I'm not sure. PAM needs the CA cert of the CA that issued the directory server's server cert. See http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
That was the info I used to do the SSL setup, but I only see a part of the log output they indicated.
Their logs:
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
My logs:
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
For some reason my setup dies just before querying the FDS to determine user details.
Do you know of any tests that I can run just on the client server to determine proper configuration?
Also, what's the UNBIND shown in the logs?
Thanks
For some reason my setup dies just before querying the FDS to determine user details.
Do you know of any tests that I can run just on the client server to determine proper configuration?
Firstly, try /usr/bin/ldapsearch to see if you can use startTLS and bind as your user.
Also, what's the UNBIND shown in the logs?
Thanks
From: fedora-directory-users-request@redhat.com Reply-To: fedora-directory-users@redhat.com To: fedora-directory-users@redhat.com Subject: Fedora-directory-users Digest, Vol 19, Issue 1 Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
Today's Topics:
- pam_ldap with SSL/TLS (t b)
- RE: pam_ldap with SSL/TLS (Morris, Patrick)
- Re: pam_ldap with SSL/TLS (Richard Megginson)
- Problem with SSL console in X in specific circumstances (Philip Kime)
- FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Paxton, Darren)
- alias in fedora directory server (patrick ndjientcheu ngandjui)
- Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Nicholas Byrne)
- Re: Memory usage (koniczynek)
- Re: Memory usage (David Boreham)
- Re: Memory usage (koniczynek)
Message: 1 Date: Thu, 30 Nov 2006 12:31:50 -0500 From: "t b" mxheadroom@hotmail.com Subject: [Fedora-directory-users] pam_ldap with SSL/TLS To: fedora-directory-users@redhat.com Message-ID: BAY116-F322745E96D702ED748B1D0CDDB0@phx.gbl Content-Type: text/plain; format=flowed
I am trying to set up pam_ldap to use TLS to communicate with the FDS, but I'm having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps (port 636).
I used the instructions at http://directory.fedora.redhat.com/wiki/Howto:PAM
Has anyone gotten PAM to work with TLS?
Thanks
Message: 2 Date: Thu, 30 Nov 2006 13:00:56 -0500 From: "Morris, Patrick" patrick.morris@hp.com Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: CD18C81835E18A40A64C4A0D16A237BE05FE850D@ATAEXC01.americas.cpqcorp.net Content-Type: text/plain; charset="US-ASCII"
I am trying to set up pam_ldap to use TLS to communicate with the FDS, but I'm having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps (port 636).
Someone should jump in here and correct me if I'm wrong, but I believe it's normal for TLS connections to happen on the standard LDAP port. You should be able to tell from your logs whether the connection is encrypted or not.
Message: 3 Date: Thu, 30 Nov 2006 11:08:08 -0700 From: Richard Megginson rmeggins@redhat.com Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 456F1E08.40601@redhat.com Content-Type: text/plain; charset="iso-8859-1"
Morris, Patrick wrote:
I am trying to set up pam_ldap to use TLS to communicate with the FDS, but I'm having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps (port 636).
Someone should jump in here and correct me if I'm wrong, but I believe it's normal for TLS connections to happen on the standard LDAP port. You should be able to tell from your logs whether the connection is encrypted or not.
Yes. The LDAP "preferred" way is to use the startTLS extended operation, which starts a TLS session on the non-secure port. This will be logged in the access log.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Message: 4 Date: Thu, 30 Nov 2006 18:02:55 -0800 From: "Philip Kime" pkime@Shopzilla.com Subject: [Fedora-directory-users] Problem with SSL console in X in specific circumstances To: fedora-directory-users@redhat.com Message-ID: 9C0091F428E697439E7A773FFD083427435BE3@szexchange.Shopzilla.inc Content-Type: text/plain; charset="us-ascii"
Here's the problem:
Running startconsole (SSL) to a remote display on a PC X-server (xwin32) works fine and requires that my Windows home dir on the PC X-server machine has .fedora-console/ containing cert8.db and key3.db, as you'd expect. If I rename this dir, the console hangs at the splash screen. So far, so good, all makes sense.
If I try the same thing to cygwin's X server on the same machine or to an X server on a Mac running OSX, startconsole always hangs as if it can't find ~/.fedora-console on the local machine. I've tried copying this dir to what cygwin/OSX thinks is the user's home dir but no luck. Where should I put the cert db files under "real" UNIX X to get the SSL console to work? Also tried ~/.mmc as per the docs but I could never get this to work.
PK
-- Philip Kime NOPS Systems Architect 310 401 0407
Message: 5 Date: Fri, 1 Dec 2006 08:04:30 -0000 From: "Paxton, Darren" Darren.Paxton@mercer.com Subject: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS To: Fedora-directory-users@redhat.com Message-ID: 52F7C07B119CF4439B7EFBFE0FB3256B027CBD02@eidwpexms06.mercer.com Content-Type: text/plain; charset="us-ascii"
Message: 6 Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT) From: patrick ndjientcheu ngandjui tchen_pat@yahoo.fr Subject: [Fedora-directory-users] alias in fedora directory server To: Fedora-directory-users@redhat.com Message-ID: 20061201081042.78578.qmail@web25801.mail.ukl.yahoo.com Content-Type: text/plain; charset="iso-8859-1"
Hi, I would like to know how to use alias in fedora directory server. It seems that it is used to point to another entry in the directory, but I don't know how to use this feature. May someone help me on this issue? I would really appreciate an example.
Thanks
Message: 7 Date: Fri, 01 Dec 2006 11:50:13 +0000 From: Nicholas Byrne nicholas.byrne@quadriga.com Subject: Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 457016F5.5030202@quadriga.com Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Your messages got through - you can confirm by checking the archives - https://www.redhat.com/archives/fedora-directory-users/
I'm a new user as well so I'm afraid I can't answer your question, but if you keep asking I'm sure someone will know!
Nick
Paxton, Darren wrote:
Apologies for mailing yet again, however either my messages are not getting through (something I don't believe as I keep getting the post to the mailing list) - or for some reason, no one is willing to even acknowledge my issue.
In the spirit of the community - can someone at least acknowledge a message as I find it quite disheartening that I have had no replies at all even if just to point me somewhere for assistance.
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Paxton, Darren
Sent: 30 November 2006 08:46
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS
Hi
Has anyone had any thoughts on my query or can point me in the right direction?
As is the nature of AD, I would have thought it is possible to extract this information using a scope setting or something similar.
Thanks
Darren
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Paxton, Darren
Sent: 24 November 2006 14:56
To: fedora-directory-users@redhat.com
Subject: [Fedora-directory-users] Extracting details from Active Directoryto FDS
Hi all,
I've been tinkering with integrating our Linux devices into our AD domain for some time and I've hit a few brick walls, however I've recently discovered FDS and the synchronisation features with AD.
I've managed to set up a few replication jobs, however due to the extensive nature of our AD, I've realised that the sync only takes the group and user objects from the OU or CN being specified.
Is there any way I can specify that it should traverse all subtrees of an OU and extract all that information back into FDS?
Thanks
Darren
-- Darren Paxton EMEA Tier2 Red Hat Certified Engineer VMware Certified Professional MGTI Centralised ops
Message: 8 Date: Fri, 01 Dec 2006 16:45:28 +0100 From: koniczynek koniczynek@uaznia.net Subject: Re: [Fedora-directory-users] Memory usage To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 45704E18.3070705@uaznia.net Content-Type: text/plain; charset=ISO-8859-2; format=flowed
Richard Megginson wrote:
This is an excellent cache/memory tuning document from a Sun employee, primarily targeted to Sun DS users, but almost all of the information is relevant to Fedora DS (since they share a common lineage).
Let's say I haven't got much time lately, so without thinking I've changed nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've started to receive errors like: "3 Time limit exceeded". Does someone know what to do? ;)
-- xmpp/email: koniczynek@uaznia.net xmpp/email: koniczynek@gmail.com
Message: 9 Date: Fri, 01 Dec 2006 09:15:14 -0700 From: David Boreham david_list@boreham.org Subject: Re: [Fedora-directory-users] Memory usage To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 45705512.4070808@boreham.org Content-Type: text/plain; charset=ISO-8859-2; format=flowed
koniczynek wrote:
Richard Megginson wrote:
This is an excellent cache/memory tuning document from a Sun employee, primarily targeted to Sun DS users, but almost all of the information is relevant to Fedora DS (since they share a common lineage).
Let's say I haven't got much time lately, so without thinking I've changed nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've started to receive errors like: "3 Time limit exceeded". Does someone know what to do? ;)
Change it back?
Message: 10 Date: Fri, 01 Dec 2006 17:53:22 +0100 From: koniczynek koniczynek@uaznia.net Subject: Re: [Fedora-directory-users] Memory usage To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 45705E02.7020709@uaznia.net Content-Type: text/plain; charset=ISO-8859-2
David Boreham wrote on 2006-12-01 17:15:
Let's say I haven't got much time lately, so without thinking I've changed nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after restarting I've started to receive errors like: "3 Time limit exceeded". Does someone know what to do? ;)
Change it back?
Man, please, show some respect ;) I did change it back, but to no avail. Also I can say (to stop further questions): yes, I've stopped the server before the change.
-- email/xmpp: koniczynek@uaznia.net
End of Fedora-directory-users Digest, Vol 19, Issue 1
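The access-log reading Richard gives above (startTLS EXT plus RESULT err=0 plus the "SSL 256-bit AES" line means the handshake succeeded; an UNBIND with no BIND means the client gave up, whereas the howto's working connection goes on to BIND and SRCH) can be turned into a small triage script. This is an added example, not code from the thread or from Fedora Directory Server; the log excerpt is constructed from the lines quoted above with TEST-NET placeholder addresses, the conn=900 search that hits the time limit (err=3, the error koniczynek reports) is constructed as well, and the script also flags the case where the startTLS operation itself fails on the server side.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the access-log lines quoted in the thread:
# conn=650 is the failing client (startTLS succeeds, then UNBIND, no BIND),
# conn=4 is the working sequence from the SSL howto (BIND and SRCH after TLS),
# conn=900 is a constructed search that hits the server time limit (err=3).
# Addresses are TEST-NET placeholders, not the poster's real hosts.
SAMPLE_ACCESS_LOG = """\
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from 192.0.2.10 to 192.0.2.1
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[02/Dec/2006:09:10:00 +0100] conn=900 op=0 BIND dn="" method=128 version=3
[02/Dec/2006:09:10:00 +0100] conn=900 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[02/Dec/2006:09:10:00 +0100] conn=900 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[02/Dec/2006:09:10:03 +0100] conn=900 op=1 RESULT err=3 tag=101 nentries=2000 etime=3
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
LDAP_TIME_LIMIT_EXCEEDED = 3              # LDAP resultCode timeLimitExceeded

# One access-log record: timestamp, connection id, optional op number, the rest.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')


def parse_access_log(text):
    """Group access-log records by connection id, keeping file order."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns[int(m.group("conn"))].append((m.group("op"), m.group("rest")))
    return conns


def summarize_connection(events):
    """Reduce one connection's records to the facts the thread reasons about."""
    s = {"starttls": False, "tls": False, "bind": False,
         "search": False, "unbind": False, "errors": []}
    for op, rest in events:
        if rest.startswith("EXT ") and STARTTLS_OID in rest:
            s["starttls"] = True          # client requested startTLS
        elif rest.startswith("SSL "):
            s["tls"] = True               # "SSL 256-bit AES": handshake completed
        elif rest.startswith("BIND "):
            s["bind"] = True
        elif rest.startswith("SRCH "):
            s["search"] = True
        elif rest.startswith("UNBIND"):
            s["unbind"] = True
        elif rest.startswith("RESULT "):
            err = re.search(r"\berr=(\d+)", rest)
            if err and int(err.group(1)) != 0:
                s["errors"].append((op, int(err.group(1))))
    return s


def diagnose(summary):
    """Map a connection summary to the explanation given in the thread."""
    if summary["starttls"] and not summary["tls"]:
        # No cipher line ever appeared: the extended operation itself failed,
        # so look at the server's certificate/NSS database, not the client.
        return "STARTTLS_FAILED"
    if summary["tls"] and summary["unbind"] and not summary["bind"]:
        # TLS came up, then the client closed without binding: the server side
        # is fine; check the client (e.g. the CA cert that issued the
        # directory server's cert is missing from its pam_ldap configuration).
        return "CLIENT_ABORT_AFTER_TLS"
    if any(err == LDAP_TIME_LIMIT_EXCEEDED for _, err in summary["errors"]):
        return "TIME_LIMIT_EXCEEDED"
    if summary["errors"]:
        return "LDAP_ERROR"
    return "OK"


def triage(text):
    """Diagnosis per connection id for a whole access-log excerpt."""
    return {conn: diagnose(summarize_connection(events))
            for conn, events in parse_access_log(text).items()}


if __name__ == "__main__":
    for conn, verdict in sorted(triage(SAMPLE_ACCESS_LOG).items()):
        print(f"conn={conn}: {verdict}")
```

Run it against a real access log by reading the file into `triage()`; any connection reported as CLIENT_ABORT_AFTER_TLS is the pattern t b posted, and the fix belongs on the client.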
Message: 2 Date: Fri, 01 Dec 2006 15:23:28 -0800 From: To Ngan tngan@redhat.com Subject: Re: [Fedora-directory-users] AD + FDS sync stops working? To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 4570B970.3070901@redhat.com Content-Type: text/plain; charset="windows-1252"
Dan Oglesby wrote:
I tried the following:
In the Windows registry -> HKLM -> Software -> PasswordSync, try adding the string value "Log Level" and set it to "1". Restart the passsync service. This should log all transactions and errors. Turn this back to "0" and restart passsync after troubleshooting.
All I see in the log is this:
11/30/06 09:12:58: begin log
11/30/06 09:12:59: 0 new entries loaded from file
11/30/06 09:14:20: 0 new entries loaded from file
11/30/06 09:14:20: 0 entries saved to file
11/30/06 09:14:20: end log
11/30/06 09:14:22: begin log
11/30/06 09:14:22: 0 new entries loaded from file
That's after restarting the passsync service twice, and changing a user's password in AD four times.
Hmm... 2 Windows sync stopped working together after 6 months. Any cert on AD or DS side expired?
-- toto
Message: 3 Date: Sat, 02 Dec 2006 09:28:17 +0100 From: koniczynek koniczynek@uaznia.net Subject: Re: [Fedora-directory-users] Memory usage To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 45713921.1080009@uaznia.net Content-Type: text/plain; charset=ISO-8859-2
Richard Megginson wrote on 2006-12-01 18:00:
Man, please, show some respect ;) I did change it back, but to no avail. Also I can say (to stop further questions): yes, I've stopped the server before the change.
What types of searches are returning time limit exceeded? Can you post relevant excerpts from the access and error logs?
I'm "benchmarking" my FDS with "ldapsearch -x"; earlier it worked and now it does not. In the error logs there were "err=3" but I don't remember much more, and I'll have access to the logs on Monday, so until then I can only provide this information (because I do not remember anything more ;) ).
-- email/xmpp: koniczynek@uaznia.net
End of Fedora-directory-users Digest, Vol 19, Issue 3
OMG please remove necessary information from the post, because now it's hard to find what you wrote! And this happens in all of your posts ;) so please, for the clarity and for the future use (mailing list archive) ;)
Richard Megginson wrote on 2006-12-05 16:19:
t b wrote:
From: fedora-directory-users-request@redhat.com Reply-To: fedora-directory-users@redhat.com To: fedora-directory-users@redhat.com Subject: Fedora-directory-users Digest, Vol 19, Issue 3 Date: Sat, 2 Dec 2006 12:00:05 -0500 (EST)
Send Fedora-directory-users mailing list submissions to fedora-directory-users@redhat.com
To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/fedora-directory-users or, via email, send a message with subject or body 'help' to fedora-directory-users-request@redhat.com
You can reach the person managing the list at fedora-directory-users-owner@redhat.com
When replying, please edit your Subject line so it is more specific than "Re: Contents of Fedora-directory-users digest..."
Today's Topics:
- Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1
(Richard Megginson) 2. Re: AD + FDS sync stops working? (To Ngan) 3. Re: Memory usage (koniczynek)
Message: 1 Date: Fri, 01 Dec 2006 12:55:24 -0700 From: Richard Megginson rmeggins@redhat.com Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1 To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 457088AC.1030004@redhat.com Content-Type: text/plain; charset="iso-8859-1"
t b wrote:
My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
All of this means the client was able to successfully perform the startTLS extended operation and start using SSL.
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
The UNBIND means the client had a problem and closed the connection. Does the client print any errors? Are there any messages in the server error log?
On the client server it shows:
sshd[24149]: Failed password for invalid user xxxxx from xxx.xxx.xxx.xxx port xxx ssh2
If I disable TLS, everything works fine: the client server can query the FDS and authenticate the client properly.
I am not sure if the problem has to do with pam_ldap not being properly formatted or the cert file not being in the proper format.
Does anyone have an example of what the pam_ldap config should look like? Or suggestions on checking whether the cert file is in the proper format?
I'm not sure. PAM needs the CA cert of the CA that issued the directory server's server cert. See http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
That was the info I used to do the SSL setup, but I only see part of the log output they indicated.
Their logs:
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
My logs:
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
For some reason my setup dies just before querying the FDS to determine user details.
Do you know of any tests that I can run just on the client server to determine proper configuration?
Firstly, try /usr/bin/ldapsearch to see if you can use startTLS and bind as your user.
Also what's the UNBIND shown in the logs?
Thanks
From: fedora-directory-users-request@redhat.com Reply-To: fedora-directory-users@redhat.com To: fedora-directory-users@redhat.com Subject: Fedora-directory-users Digest, Vol 19, Issue 1 Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
Today's Topics:
- pam_ldap with SSL/TLS (t b)
- RE: pam_ldap with SSL/TLS (Morris, Patrick)
- Re: pam_ldap with SSL/TLS (Richard Megginson)
- Problem with SSL console in X in specific circumstances (Philip Kime)
- FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Paxton, Darren)
- alias in fedora directory server (patrick ndjientcheu ngandjui)
- Re: FW: [Fedora-directory-users] Extracting details from ActiveDirectoryto FDS (Nicholas Byrne)
- Re: Memory usage (koniczynek)
- Re: Memory usage (David Boreham)
- Re: Memory usage (koniczynek)
Message: 1 Date: Thu, 30 Nov 2006 12:31:50 -0500 From: "t b" mxheadroom@hotmail.com Subject: [Fedora-directory-users] pam_ldap with SSL/TLS To: fedora-directory-users@redhat.com Message-ID: BAY116-F322745E96D702ED748B1D0CDDB0@phx.gbl Content-Type: text/plain; format=flowed
I am trying to set up pam_ldap to use TLS to communicate with the FDS, but I am having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps (port 636).
I used the instructions at http://directory.fedora.redhat.com/wiki/Howto:PAM
Has anyone gotten PAM to work with TLS?
Thanks
Message: 2 Date: Thu, 30 Nov 2006 13:00:56 -0500 From: "Morris, Patrick" patrick.morris@hp.com Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: CD18C81835E18A40A64C4A0D16A237BE05FE850D@ATAEXC01.americas.cpqcorp.net Content-Type: text/plain; charset="US-ASCII"
I am trying to set up pam_ldap to use TLS to communicate with the FDS, but I am having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps (port 636).
Someone should jump in here and correct me if I'm wrong, but I believe it's normal for TLS connections to happen on the standard LDAP port. You should be able to tell from your logs whether the connection is encrypted or not.
Message: 3 Date: Thu, 30 Nov 2006 11:08:08 -0700 From: Richard Megginson rmeggins@redhat.com Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS To: "General discussion list for the Fedora Directory server project." fedora-directory-users@redhat.com Message-ID: 456F1E08.40601@redhat.com Content-Type: text/plain; charset="iso-8859-1"
Morris, Patrick wrote:
> I am trying to set up pam_ldap to use TLS to communicate with the FDS, but I am having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps (port 636).
Someone should jump in here and correct me if I'm wrong, but I believe it's normal for TLS connections to happen on the standard LDAP port. You should be able to tell from your logs whether the connection is encrypted or not.
Yes. The LDAP "preferred" way is to use the startTLS extended operation, which starts a TLS session on the non-secure port. This will be logged in the access log.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
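As an added example (not from the thread, the wiki, or the Fedora Directory Server project): a small triage script that reads FDS access-log lines and labels each connection the way Richard reads them above, so that "startTLS RESULT err=0, SSL 256-bit AES, then UNBIND" is flagged as a client-side abort after a successful handshake rather than a server-side TLS failure. The sample log embeds the two excerpts quoted in the thread (the wiki's conn=4 and t b's conn=757) plus one constructed plaintext connection (conn=758); the label names and hint texts are my own, and the assumption that an ldaps:// connection logs the same "SSL <cipher>" line without a preceding EXT startTLS is noted in the code.

```python
import re
from collections import defaultdict

# OID of the LDAP startTLS extended operation (RFC 4511), as it appears in the log.
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed sample: the two excerpts quoted in the thread (conn=4 from the wiki,
# conn=757 from t b's server) plus a plaintext conn=758 added here so that all
# three outcomes show up in one run.
SAMPLE_LOG = """\
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
[04/Dec/2006:14:36:10 -0500] conn=758 op=0 BIND dn="" method=128 version=3
[04/Dec/2006:14:36:10 -0500] conn=758 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[04/Dec/2006:14:36:10 -0500] conn=758 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)\s+(?P<rest>.*)$')
EXT_RE = re.compile(r'op=(\d+) EXT oid="([^"]+)"')
RESULT_RE = re.compile(r'op=(\d+) RESULT err=(\d+)')
OP_RE = re.compile(r'op=\d+ (BIND|SRCH|UNBIND|MOD|ADD|DEL|CMP|ABANDON)\b')

# What each label means for the pam_ldap/nss_ldap client being debugged (my wording).
HINTS = {
    "plaintext": "no TLS negotiated: the client never sent startTLS, so credentials "
                 "crossed in the clear (check 'ssl start_tls' / 'uri' in ldap.conf).",
    "starttls-refused": "server answered startTLS with an error: check the server's "
                        "certificate setup and its error log.",
    "starttls-no-session": "server accepted startTLS but never logged an SSL session: "
                           "the handshake itself failed; check the server error log.",
    "tls-ok-client-aborted": "startTLS succeeded and the session was up, but the client "
                             "unbound before binding: it rejected the session on its side, "
                             "usually because it cannot verify the server cert "
                             "(tls_cacertfile / tls_checkpeer). Reproduce with ldapsearch -ZZ.",
    "tls-ok": "TLS up and the client went on to bind/search: the transport is fine.",
    "tls-ok-idle": "TLS up but no operation followed; look at how the connection closed.",
}


def parse_access_log(text):
    """Group the part of each access-log line after 'conn=N' by connection, in file order."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns[int(m.group("conn"))].append(m.group("rest"))
    return dict(conns)


def classify_connection(events):
    """Label one connection's events with a key from HINTS."""
    starttls_op = None      # op number of the startTLS EXT request, if any
    starttls_ok = False     # server returned err=0 for that op
    tls_active = False      # server logged 'SSL <cipher>' for this connection
    ops_after_tls = []      # operations issued once TLS was active
    for ev in events:
        m = EXT_RE.match(ev)
        if m and m.group(2) == STARTTLS_OID:
            starttls_op = int(m.group(1))
            continue
        m = RESULT_RE.match(ev)
        if m and starttls_op is not None and int(m.group(1)) == starttls_op and not tls_active:
            starttls_ok = int(m.group(2)) == 0
            continue
        if ev.startswith("SSL "):
            # Assumption: logged for startTLS and for ldaps:// (port 636) connections alike,
            # so an ldaps client shows up here with no preceding EXT line.
            tls_active = True
            continue
        m = OP_RE.match(ev)
        if m and tls_active:
            ops_after_tls.append(m.group(1))
    if starttls_op is None and not tls_active:
        return "plaintext"
    if starttls_op is not None and not starttls_ok:
        return "starttls-refused"
    if starttls_op is not None and not tls_active:
        return "starttls-no-session"
    if not ops_after_tls:
        return "tls-ok-idle"
    if ops_after_tls[0] == "UNBIND":
        return "tls-ok-client-aborted"
    return "tls-ok"


def triage(text):
    """Map every connection in an access-log excerpt to its label."""
    return {conn: classify_connection(evs) for conn, evs in parse_access_log(text).items()}


if __name__ == "__main__":
    for conn, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"conn={conn}: {label} - {HINTS[label]}")
```

Run it against a copy of the server's access log instead of SAMPLE_LOG to see whether every pam_ldap connection lands in "tls-ok-client-aborted" like conn=757. On the client, the matching check is the one Richard suggests: with OpenLDAP's ldapsearch, `ldapsearch -x -ZZ -d 1 -H ldap://<server> -b "dc=example,dc=com" "(uid=testuser)"` (base DN and filter taken from the wiki excerpt; `-ZZ` makes the client fail unless startTLS succeeds, and `-d 1` prints the TLS verification error that otherwise only shows as an UNBIND on the server).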