Hi,
I'm extremely glad FDS is now freely available and almost open-source. I have run into some issues when I started playing with it.
1. I've tried to port my OpenLDAP database to it and found that there is no automount objectclass specified by default. The automount and automountInformation classes are defined in Fedora schema extensions that come with the openldap RPM, so not having them in FDS is a little weird. I had to define them myself.
2. After a failed import I deleted the database and tried to recreate it. I went first to Configuration/Data/New Root Suffix and specified the base DN and the database name. Then I went to Data/<Server name:389>/New Root Object and tried to create the root entry, but got this error:
"Only the Directory Manager has the right to create the Root Entry. Log in as Directory Manager to be able to perform this operation."
I've checked that the manager DN is specified correctly in Configuration/Manager.
I tried restarting the directory server, but that did not help. How do I reinitialize it?
3. Finally, the Java administration console is extremely slow. I'm running over an SSH connection, but my server is a 2.8 Ghz machine with 512 Mb of RAM. I wonder what console performance other people experience.
Thanks - I'm looking forward to deploying FDS with Windows sync! Simon
Vsevolod (Simon) Ilyushchenko wrote:
> Hi,
> I'm extremely glad FDS is now freely available and almost open-source. I have run into some issues when I started playing with it.
> - I've tried to port my OpenLDAP database to it and found that there is no automount objectclass specified by default. The automount and automountInformation classes are defined in Fedora schema extensions that come with the openldap RPM, so not having them in FDS is a little weird. I had to define them myself.

The IETF LDAP community has decided to deprecate them in favor of the new netgroups stuff.

> - After a failed import I deleted the database and tried to recreate it. I went first to Configuration/Data/New Root Suffix and specified the base DN and the database name. Then I went to Data/<Server name:389>/New Root Object and tried to create the root entry, but got this error:
> "Only the Directory Manager has the right to create the Root Entry. Log in as Directory Manager to be able to perform this operation."
> I've checked that the manager DN is specified correctly in Configuration/Manager.

We don't yet have a way to set an ACI to allow users other than the Directory Manager (i.e. cn=Directory Manager, not the admin console user) to create the entry for a root suffix. In the console, you can Log In As New User, and specify cn=directory manager (or whatever you used for your directory manager user when you performed the initial installation).

> I tried restarting the directory server, but that did not help. How do I reinitialize it?
> - Finally, the Java administration console is extremely slow. I'm running over an SSH connection, but my server is a 2.8 Ghz machine with 512 Mb of RAM. I wonder what console performance other people experience.

It's not great. It is a huge Java/Swing application.

> Thanks - I'm looking forward to deploying FDS with Windows sync! Simon
Rich Megginson wrote:
> The IETF LDAP community has decided to deprecate them in favor of the new netgroups stuff.

I thought automount, automountInformation, etc. were the most current way to store automount mappings in a directory. They still appear in the RFC2307bis draft: http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt
However, it does make sense that they might not be included with FDS since RFC2307bis is still a work in progress.
What is the "new netgroups stuff"?
Thanks, -- George
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Rich,
Thanks for the quick answer! Perhaps this information should go into the FAQ - what do you think?
Rich Megginson wrote on 07/13/2005 12:47 PM:
> The IETF LDAP community has decided to deprecate them in favor of the new netgroups stuff.

OK, I'll reconfigure my entries. Does Fedora automounter understand the netgroups structure?

> We don't yet have a way to set an ACI to allow users other than the Directory Manager (i.e. cn=Directory Manager, not the admin console user) to create the entry for a root suffix. In the console, you can Log In As New User, and specify cn=directory manager (or whatever you used for your directory manager user when you performed the initial installation).

This is very non-trivial. :) Creating the root suffix now works, but I tried creating top-level entries one by one, as well as creating a new server in the administration console, and it all failed. I had to delete the RPM and reinstall it.
By the way, I found out that if I install the RPM a second time, the admin console tries to connect to port 15918, but the admin server is running on port 25394. I don't remember what port was used the first time. :(
This time I successfully created an SSL-enabled directory and was able to authenticate to it. I followed the steps here: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158 to create a self-signed certificate.
For archives - the docs don't tell you that after running pk12util in step 9 you first have to enter the password 'secretpwd' that you've saved in the file pwdfile.txt, and then you have to create a different startup password. Later, when you start the server on the command line, this second password is required.
Simon
Vsevolod (Simon) Ilyushchenko wrote:
> Rich,
> Thanks for the quick answer! Perhaps this information should go into the FAQ - what do you think?
> Rich Megginson wrote on 07/13/2005 12:47 PM:
>> The IETF LDAP community has decided to deprecate them in favor of the new netgroups stuff.
> OK, I'll reconfigure my entries. Does Fedora automounter understand the netgroups structure?

I'm trying to find out some information about this.

>> We don't yet have a way to set an ACI to allow users other than the Directory Manager (i.e. cn=Directory Manager, not the admin console user) to create the entry for a root suffix. In the console, you can Log In As New User, and specify cn=directory manager (or whatever you used for your directory manager user when you performed the initial installation).
> This is very non-trivial. :) Creating the root suffix now works, but I tried creating top-level entries one by one, as well as creating a new server in the administration console, and it all failed. I had to delete the RPM and reinstall it.

What problems did you have? I'm not sure what you did, or what you could have done to necessitate a reinstall.

> By the way, I found out that if I install the RPM a second time, the admin console tries to connect to port 15918, but the admin server is running on port 25394. I don't remember what port was used the first time. :(

After uninstall, remove your ~/.mcc directory, or edit the file in there after installation. The URL box in the login screen should have had a drop down list to let you select another one.

> This time I successfully created an SSL-enabled directory and was able to authenticate to it. I followed the steps here: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158 to create a self-signed certificate.
> For archives - the docs don't tell you that after running pk12util in step 9 you first have to enter the password 'secretpwd' that you've saved in the file pwdfile.txt, and then you have to create a different startup password.

You can't use the same password?

> Later, when you start the server on the command line, this second password is required.
> Simon
Rich,

> What problems did you have? I'm not sure what you did, or what you could have done to necessitate a reinstall.

The second LDAP server I've created would not start before the reinstall, but I can't replicate this problem any more. I was also able to add a top-level organizational unit now.
The earlier problems began after I've deleted the top-level entry on the Configuration tab. That was probably not a smart thing to do, but I don't know how to delete all the data from the directory. Command-line ldapdelete won't work either, because recursive deletion is not supported by the server.

> After uninstall, remove your ~/.mcc directory, or edit the file in there after installation. The URL box in the login screen should have had a drop down list to let you select another one.

Okay - thanks!

>> For archives - the docs don't tell you that after running pk12util in step 9 you first have to enter the password 'secretpwd' that you've saved in the file pwdfile.txt, and then you have to create a different startup password.
> You can't use the same password?

You can, of course, I just wanted to emphasize that they serve two different purposes.
Simon
Vsevolod (Simon) Ilyushchenko wrote:
> Rich,
>> What problems did you have? I'm not sure what you did, or what you could have done to necessitate a reinstall.
> The second LDAP server I've created would not start before the reinstall, but I can't replicate this problem any more. I was also able to add a top-level organizational unit now.
> The earlier problems began after I've deleted the top-level entry on the Configuration tab. That was probably not a smart thing to do, but I don't know how to delete all the data from the directory. Command-line ldapdelete won't work either, because recursive deletion is not supported by the server.

Recursive deletion is supported by the console, in the directory browser.

>> After uninstall, remove your ~/.mcc directory, or edit the file in there after installation. The URL box in the login screen should have had a drop down list to let you select another one.
> Okay - thanks!
>>> For archives - the docs don't tell you that after running pk12util in step 9 you first have to enter the password 'secretpwd' that you've saved in the file pwdfile.txt, and then you have to create a different startup password.
>> You can't use the same password?
> You can, of course, I just wanted to emphasize that they serve two different purposes.

Oh, right.

> Simon
The file "local.conf" contains many parameters to control the behavior of the administration server (for the FDS console). It looks to me like this file is auto-generated from attributes stored in o=NetscapeRoot when you start the admin server. However, I'm not yet 100% sure on this.
Does anyone happen to know if local.conf is auto-generated entirely based on attributes under o=NetscapeRoot? I'm wondering if a
George Holbert wrote:
> The file "local.conf" contains many parameters to control the behavior of the administration server (for the FDS console). It looks to me like this file is auto-generated from attributes stored in o=NetscapeRoot when you start the admin server. However, I'm not yet 100% sure on this.
> Does anyone happen to know if local.conf is auto-generated entirely based on attributes under o=NetscapeRoot? I'm wondering if a

Yes, it's generated.
Hi, all. I've been battling this for days now, with no luck. I've got fds up & running and linux clients authenticating w/o problems. Solaris has so far been a royal pain.
This is what I've done so far:
- imported the 2 schemas that a kind soul sent me (dua & nis)
- added the nisDomain object
- added a few users to test
- copied the ldap_file & ldap_cred files from Gary Tay's site
- added a default simple profile
- ran ldap-genprofile to get the NS1 password, put it in the cred file.
- added ldap to the nsswitch.conf
Yet the solaris box doesn't see the ldap server. In the dmesg, I see this:
Aug 24 09:16:34 unknown getent[1506]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Aug 24 09:18:07 unknown nscd[1498]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Aug 24 09:18:07 unknown nscd[1498]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Can anybody point me in the right direction? I'm about to start kicking the solaris server...
My 2 cents
- test with: ldapsearch -h ldapserver.domain.nl -s base -b "" "objectclass=*" , to see if you can query the server.
- make sure the posix account has the "shadowAccount" attribute
- SSHA is default used by FDS for password encryption.. this should be CRYPT.
import:
------------------------------
dn: cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: CRYPT
------------------------------
- make sure to use "simple" instead of "tls:simple" for your initial tests
- use : ldapclient -v -P default -D "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w proxy_password {ipnumber_ldap_server} , to create the ldap_file & ldap_cred files
- make sure you run the latest recommended patch cluster.
I'm working on documentation.. maybe I'll have time to publish it sometime soon.
Justin
--- Justin Albstmeijer justin@VLAMea.nl wrote:
> My 2 cents
> - test with: ldapsearch -h ldapserver.domain.nl -s base -b "" "objectclass=*" , to see if you can query the server.

Yea -- I can't. (there's no ldapsearch on this machine, so I used ldaplist)

bash-2.03# ldaplist
ldaplist: Object not found (Session error no available conn. )

Same error message. This is a pretty fundamental problem, no? I mean, like you said -- the FDS needs to be switched from ssha to crypt, etc but regardless, shouldn't ldaplist work?
I also have iDS installed I suppose I can scp ldapsearch from there...
--- Justin Albstmeijer justin@VLAMea.nl wrote:
> My 2 cents
> - test with: ldapsearch -h ldapserver.domain.nl -s base -b "" "objectclass=*" , to see if you can query the server.

I went ahead and got the ldapsearch. It worked. ldaplist is just busted, I guess.

> - make sure the posix account has the "shadowAccount" attribute

Added it. I went to user, properties, posixAccount, advanced, add value -> shadowAccount. Not sure if that's the right way of doing it or not...

> - SSHA is default used by FDS for password encryption.. this should be CRYPT.

Done -- thank you!

> - make sure to use "simple" instead of "tls:simple" for your initial tests
> - use : ldapclient -v -P default -D "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w proxy_password {ipnumber_ldap_server} , to create the ldap_file & ldap_cred files

Yea -- that's where I hit another problem:

Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
rootDN[0] dc=foo,dc=com
found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient rights to read it.

However, from the FDS server itself, ldapsearch -x shows this: (snipped)

# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default
defaultSearchScope: one

So, the profile is there but what's this about the rights???

> - make sure you run the latest recommended patch cluster.

Did that already.
> I went ahead and got the ldapsearch. It worked. ldaplist is just busted, I guess.

No, ldaplist just depends on a successful creation of the /var/ldap/* files.

>> - make sure the posix account has the "shadowAccount" attribute
> Added it. I went to user, properties, posixAccount, advanced, add value -> shadowAccount. Not sure if that's the right way of doing it or not...

That's ok.

>> - use : ldapclient -v -P default -D "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w proxy_password {ipnumber_ldap_server} , to create the ldap_file & ldap_cred files
> Yea -- that's where I hit another problem:

Nope, this is the main problem.

> Handling init option
> About to configure machine by downloading a profile
> findBaseDN: begins
> findBaseDN: Stopping ldap
> findBaseDN: calling __ns_ldap_default_config()
> found 2 namingcontexts
> findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
> rootDN[0] dc=foo,dc=com
> found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
> The download of the profile failed.
> Could not read the profile 'default'.
> Perhaps it does not exist or you don't have sufficient rights to read it.
>
> However, from the FDS server itself, ldapsearch -x shows this: (snipped)
>
> # default, profile, foo.com
> dn: cn=default,ou=profile,dc=foo,dc=com
> defaultSearchBase: dc=foo,dc=com
> authenticationMethod: simple
> followReferrals: TRUE
> bindTimeLimit: 2
> profileTTL: 43200
> searchTimeLimit: 30
> objectClass: top
> objectClass: DUAConfigProfile
> defaultServerList: cnyitlin02.composers.foo.com
> credentialLevel: proxy
> cn: default
> defaultSearchScope: one

Could you do a "ldapclient -u", stop ldapcachemgr/nscd, remove everything from /var/ldap. Then try the first ldapsearch test query but this time authenticating as proxyagent.
What value has "nisdomain" in the FDS tree?
Try the ldapclient -v -P... line again.
> Could you do a "ldapclient -u", stop ldapcachemgr/nscd, remove everything from /var/ldap. Then try the first ldapsearch test query but this time authenticating as proxyagent.

Worked! I get a bunch of stuff:

bash-2.03# ldapsearch -D "uid=proxyagent,ou=profile,dc=foo,dc=com" -w password -h cnyitlin02 -s base -b "" "objectclass=*"
objectClass=top
namingContexts=dc=foo,dc=com
namingContexts=o=NetscapeRoot
supportedExtension=2.16.840.1.113730.3.5.7
supportedExtension=2.16.840.1.113730.3.5.8
supportedExtension=2.16.840.1.113730.3.5.3
supportedExtension=2.16.840.1.113730.3.5.5
supportedExtension=2.16.840.1.113730.3.5.6
[blah blah]

> What value has "nisdomain" in the FDS tree?

# composers.foo.com, foo.com
dn: nisdomain=composers.foo.com,dc=foo,dc=com
nisDomain: composers.foo.com
objectClass: top
objectClass: nisdomainobject

> Try the ldapclient -v -P... line again.

same result:

found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient rights to read it.
bash-2.03#

one small note:
I removed the old proxy agent:

# proxyagent, profile, foo.com
dn: cn=proxyagent,ou=profile,dc=foo,dc=com
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent

and added this (hoping that'll fix it):

# proxyAgent, profile, foo.com
dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
uid: proxyAgent
givenName: Proxy
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Agent
cn: Proxy Agent

needless to say, it did nothing.
Just checking,

> ldapsearch -D "uid=proxyagent,ou=profile,dc=foo,dc=com"...

> # proxyagent, profile, foo.com
> dn: cn=proxyagent,ou=profile,dc=foo,dc=com
> objectClass: top
> objectClass: person
> sn: proxyagent
> cn: proxyagent

uid=proxyagent does not match cn=proxyagent.
no password field?

> dn: nisdomain=composers.foo.com,dc=foo,dc=com
> nisDomain: composers.foo.com
> objectClass: top
> objectClass: nisdomainobject

I would expect:

dn: dc=foo,dc=com
nisDomain: composers.foo.com
objectClass: top
objectClass: nisDomainObject

> defaultServerList: cnyitlin02.composers.foo.com

replace the hostname with the ipnumber of the server.
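The checks Justin lists above (a bind DN that exists exactly as written, a password on the proxy agent, nisDomainObject on the base entry, an IP literal in defaultServerList) together with his earlier shadowAccount and CRYPT points, as an added lint script that is not part of this thread, of FDS or of Solaris. It runs over a constructed LDIF dump modelled on the entries quoted in the thread (the cn=config entry and all values are constructed, not real hosts or credentials).

```python
import ipaddress

# Constructed LDIF modelled on the entries quoted in this thread; cn=config is
# included so the password scheme can be checked. No real hosts or credentials.
SAMPLE_LDIF = """\
dn: cn=config
passwordStorageScheme: SSHA

dn: nisdomain=composers.foo.com,dc=foo,dc=com
nisDomain: composers.foo.com
objectClass: top
objectClass: nisdomainobject

dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default

dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
uid: proxyAgent
objectClass: top
objectClass: inetorgperson
cn: Proxy Agent

dn: uid=testdba,gidnumber=6000,dc=foo,dc=com
uid: testdba
objectClass: top
objectClass: posixAccount
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64, no folding): lower-cased attr -> [values] per entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # sentinel blank flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        else:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Comparison key for a DN: lower case, no blanks around the commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def is_ip_literal(server):
    """True if a defaultServerList member is an IP address (optional :port)."""
    host = server.rsplit(":", 1)[0] if server.count(":") == 1 else server
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_solaris_client(ldif_text, bind_dn):
    """(code, detail) findings for the checks raised in this thread."""
    by_dn = {norm_dn(e["dn"][0]): e for e in parse_ldif(ldif_text) if "dn" in e}
    classes = lambda e: {v.lower() for v in e.get("objectclass", [])}
    findings = []
    # ldapclient -D must name an entry that exists exactly as written:
    # uid=proxyagent and cn=proxyagent are different DNs.
    agent = by_dn.get(norm_dn(bind_dn))
    if agent is None:
        near = [dn for dn in by_dn if "proxyagent" in dn]
        findings.append(("proxy-dn-missing", "%s; similar: %s" % (bind_dn, near)))
    elif "userpassword" not in agent:
        findings.append(("proxy-no-password", bind_dn))
    for dn, prof in by_dn.items():
        if "duaconfigprofile" not in classes(prof):
            continue
        # nisDomainObject is auxiliary: the client expects it on the search-base
        # entry itself, not on a separate nisdomain=... child.
        base = norm_dn(prof.get("defaultsearchbase", [""])[0])
        holders = [d for d, e in by_dn.items() if "nisdomainobject" in classes(e)]
        if base not in holders:
            findings.append(("nisdomain-not-on-base", "%s: on %s" % (dn, holders)))
        for server in " ".join(prof.get("defaultserverlist", [])).split():
            if not is_ip_literal(server):  # hostname instead of an IP in the list
                findings.append(("serverlist-hostname", "%s: %s" % (dn, server)))
    for dn, e in by_dn.items():  # Solaris wants shadowAccount on each posixAccount
        if "posixaccount" in classes(e) and "shadowaccount" not in classes(e):
            findings.append(("posix-without-shadow", dn))
    # FDS hashes with SSHA by default; the Solaris client needs CRYPT.
    scheme = by_dn.get("cn=config", {}).get("passwordstoragescheme", ["CRYPT"])[0]
    if scheme.upper() != "CRYPT":
        findings.append(("scheme-not-crypt", scheme))
    return findings

if __name__ == "__main__":
    for bind in ("cn=proxyagent,ou=profile,dc=foo,dc=com",
                 "uid=proxyAgent,ou=profile,dc=foo,dc=com"):
        print(bind, lint_solaris_client(SAMPLE_LDIF, bind))
```

Run against a real `ldapsearch -L` dump (plus the cn=config entry), the same function reports which of the thread's conditions still apply.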
--- Justin Albstmeijer justin@VLAMea.nl wrote:
> uid=proxyagent does not match cn=proxyagent.

yeah, that's from before. Now I have uid everywhere.

dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
uid: proxyAgent

> no password field?

well, in the UI, I put a password in. When I do ldapsearch -x it doesn't show. ACI?

>> dn: nisdomain=composers.foo.com,dc=foo,dc=com
>> nisDomain: composers.foo.com
>> objectClass: top
>> objectClass: nisdomainobject
> I would expect:
> dn: dc=foo,dc=com
> nisDomain: composers.foo.com
> objectClass: top
> objectClass: nisDomainObject

well.. It got in there from this:

objectClass: nisDomainObject
nisDomain: composers.foo.com

which I got from Gary's site. If you think I should change it, I'll change it.

>> defaultServerList: cnyitlin02.composers.foo.com
> replace the hostname with the ipnumber of the server.

Did. Didn't help.

Also, I have two profiles total:

dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

dn: cn=tls_profile,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
defaultSearchScope: one

(the tls_profile still has the fqdn.)
However, my primary default profile does not have the searchDescriptors. Is that a problem?
Here's what I get when I run ldapsearch:
bash-2.03# ldapsearch -h cnyitlin02 -b "dc=foo,dc=com" -L "objectclass=*" -D "uid=proxyagent,ou=profile,dc=foo,dc=com" -w password
dn: dc=foo,dc=com
dn: cn=Directory Administrators, dc=foo,dc=com
dn: gidnumber=5000,cn=Directory Administrators,dc=foo,dc=com
dn: gidnumber=6000,dc=foo,dc=com
dn: uid=testdba,gidnumber=6000,dc=foo,dc=com
dn: ou=profile,dc=foo,dc=com
dn: cn=default,ou=profile,dc=foo,dc=com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
dn: nisdomain=composers.foo.com,dc=foo,dc=com
dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
how do I get rid of the nisdomain in there? moreover, do I need to?
Hi,
I've just run into the issue described here: http://www.ldapguru.org/modules/newbb/viewtopic.php?viewmode=flat&topic_...
The problem is that both Fedora and Solaris would like to use object class named "automount" for automount entries, but they define it differently. The solution suggested above is to modify the relevant object classes so that they contain the superset of the attributes for both platforms.
You (Rich) and others say that there should be a transition to nisObject/nisMap structure, but I still don't know where Fedora stands in this regard.
Thanks, Simon
Rich Megginson wrote on 07/13/2005 03:51 PM:
>> OK, I'll reconfigure my entries. Does Fedora automounter understand the netgroups structure?
> I'm trying to find out some information about this.
There has been a lot of confusion around this issue (mostly on my part). I think one of the problems is that rfc2307 support from OS vendors is now deprecated in favor of rfc2307bis http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt, which is still in Internet Draft phase (and is due to expire very quickly). A new draft is being worked on with the goal of generating a new RFC. The bis draft has one problem with it, in that it requires the use of the authPassword attribute (defined in RFC 3112 http://www.ietf.org/rfc/rfc3112.txt). FDS does not support this (and neither does OpenLDAP AFAICT). I have attached a file called 10rfc2307bis.ldif. This is the schema from the 2307bis I-D in FDS schema format.
The preferred way to map the automount information is to use the automount attributes and objectclasses in the RFC 2307bis draft schema. The problem is that I don't know all of the vendor support. So far I've been unable to find out what RHEL3 and RHEL4 support. I've been told that Solaris has support for the bis schema.
If you like, you can replace the 10rfc2307.ldif schema supplied with FDS with the attached file, and see what happens.
dn: cn=schema attributetypes: ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'An integer uniquely identifying a user in an administrative domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'An integer uniquely identifying a group in an administrative domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to the login shell' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' DESC 'Service port number' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 
attributetypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' DESC 'Service protocol name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributetypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' DESC 'IP protocol number' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' DESC 'ONC RPC number' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IPv4 addresses as a dotted decimal omitting leading zeros or IPv6 addresses as defined in RFC2373' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'IP network omitting leading zeros, eg. 192.168' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'IP netmask omitting leading zeros, eg. 255.255.255.0' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC address in maximal, colon separated hex notation, eg. 
00:00:92:90:ee:e2' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' DESC 'rpc.bootparamd parameter' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Boot image name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC 'Name of a generic NIS map' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
attributetypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' DESC 'A generic NIS entry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS public key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secret key' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY DESC 'Abstraction of an account with POSIX attributes' MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
objectclasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY DESC 'Additional attributes for shadow passwords' MUST uid MAY ( userPassword $ description $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag ) )
objectclasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY DESC 'Abstraction of a group of accounts' MUST gidNumber MAY ( userPassword $ memberUid $ description ) )
objectclasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL DESC 'Abstraction an Internet Protocol service. Maps an IP port and protocol (such as tcp or udp) to one or more names; the distinguished value of the cn attribute denotes the service's canonical name' MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description )
objectclasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL DESC 'Abstraction of an IP protocol. Maps a protocol number to one or more names. The distinguished value of the cn attribute denotes the protocol canonical name' MUST ( cn $ ipProtocolNumber ) MAY description )
objectclasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL DESC 'Abstraction of an Open Network Computing (ONC) [RFC1057] Remote Procedure Call (RPC) binding. This class maps an ONC RPC number to a name. The distinguished value of the cn attribute denotes the RPC service canonical name' MUST ( cn $ oncRpcNumber ) MAY description )
objectclasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY DESC 'Abstraction of a host, an IP device. The distinguished value of the cn attribute denotes the host's canonical name. Device SHOULD be used as a structural class' MUST ( cn $ ipHostNumber ) MAY ( userPassword $ l $ description $ manager ) )
objectclasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL DESC 'Abstraction of a network. The distinguished value of the cn attribute denotes the network canonical name' MUST ipNetworkNumber MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
objectclasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL DESC 'Abstraction of a netgroup. May refer to other netgroups' MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
objectclasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL DESC 'A generic abstraction of a NIS map' MUST nisMapName MAY description )
objectclasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL DESC 'An entry in a NIS map' MUST ( cn $ nisMapEntry $ nisMapName ) MAY description )
objectclasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY DESC 'A device with a MAC address; device SHOULD be used as a structural class' MAY macAddress )
objectclasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY DESC 'A device with boot parameters; device SHOULD be used as a structural class' MAY ( bootFile $ bootParameter ) )
objectclasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY DESC 'An object with a public and secret key' MUST ( cn $ nisPublicKey $ nisSecretKey ) MAY ( uidNumber $ description ) )
objectclasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY DESC 'Associates a NIS domain with a naming context' MUST nisDomain )
objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST ( automountMapName ) MAY description )
objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL DESC 'Automount information' MUST ( automountKey $ automountInformation ) MAY description )
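As an added example (not code from this post, nor from Fedora Directory Server), here is a small Python linter for a schema file like the 10rfc2307.ldif replacement above. It unfolds the LDIF, pulls out every attributetypes and objectclasses definition, and reports each attribute that an objectclass lists under MUST or MAY without a matching attributetypes definition, plus any OID used twice. The CORE_ATTRIBUTES set (attributes that FDS defines in its core schema rather than in this file) and the constructed SAMPLE_SCHEMA are assumptions of the example. Run against the full file before dropping it into FDS, it shows whether classes such as automount and automountMap resolve cleanly; an attribute whose definition is missing or damaged (as the quoted macAddress line above is) surfaces as an unresolved reference from the class that uses it.

```python
"""
Schema linter for an FDS-style schema LDIF such as a 10rfc2307.ldif replacement.
Added example; not part of the mailing-list post or of Fedora Directory Server.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumption for this example: attributes that live in FDS's core schema
# (00core.ldif) rather than in 10rfc2307.ldif. A fuller check would parse
# 00core.ldif as well instead of hard-coding this set.
CORE_ATTRIBUTES: Set[str] = {"cn", "uid", "description", "userPassword", "l", "manager"}

# One definition per (unfolded) line: "attributetypes: ( ... )" or "objectclasses: ( ... )".
_DEF_RE = re.compile(r"^(attributetypes|objectclasses):\s*\((.*)\)\s*$", re.I | re.M)
_OID_RE = re.compile(r"^\s*([0-9.]+)")
# NAME 'single' or NAME ( 'alias1' 'alias2' ).
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")
# MUST/MAY are matched case-sensitively on purpose: a DESC such as
# 'May refer to other netgroups' must not be read as a MAY clause.
_CLAUSE_RE = re.compile(r"\b(MUST|MAY)\s+(?:\(([^)]*)\)|([A-Za-z][\w-]*))")


def unfold_ldif(text: str) -> str:
    """Join LDIF continuation lines (lines starting with one space) onto the previous line."""
    return re.sub(r"\n ", "", text)


def _names(body: str) -> List[str]:
    m = _NAME_RE.search(body)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))


def _attr_list(clause: str) -> List[str]:
    return [a.strip() for a in clause.split("$") if a.strip()]


def parse_schema(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, List[str]]], List[str]]:
    """Return (attribute name -> OID, objectclass name -> {'MUST': [...], 'MAY': [...]}, duplicate OIDs)."""
    attributes: Dict[str, str] = {}
    objectclasses: Dict[str, Dict[str, List[str]]] = {}
    seen_oids: Set[str] = set()
    duplicates: List[str] = []
    for kind, body in _DEF_RE.findall(unfold_ldif(text)):
        oid_m = _OID_RE.match(body)
        oid = oid_m.group(1) if oid_m else ""
        if oid in seen_oids:
            duplicates.append(oid)
        seen_oids.add(oid)
        names = _names(body)
        if kind.lower() == "attributetypes":
            for n in names:
                attributes[n] = oid
        else:
            clauses: Dict[str, List[str]] = {"MUST": [], "MAY": []}
            for kw, paren, single in _CLAUSE_RE.findall(body):
                clauses[kw].extend(_attr_list(paren) if paren else [single])
            for n in names:
                objectclasses[n] = clauses
    return attributes, objectclasses, duplicates


def unresolved_references(text: str) -> List[Tuple[str, str]]:
    """(objectclass, attribute) pairs whose attribute is defined neither here nor in CORE_ATTRIBUTES."""
    attributes, objectclasses, _ = parse_schema(text)
    known = {a.lower() for a in attributes} | {a.lower() for a in CORE_ATTRIBUTES}
    return [(oc, attr) for oc, clauses in objectclasses.items()
            for kw in ("MUST", "MAY") for attr in clauses[kw]
            if attr.lower() not in known]


# Constructed sample: a handful of the posted definitions, one of them folded
# across two LDIF lines the way a real schema file may be.
SAMPLE_SCHEMA = """dn: cn=schema
attributetypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Netgroup triple' SYNTAX 1.3.6.1.1.1.0.0 )
attributetypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC 'Automount information'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectclasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL DESC 'Abstraction of a netgroup. May refer to other netgroups' MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
objectclasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL MUST ( automountMapName ) MAY description )
objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL DESC 'Automount information' MUST ( automountKey $ automountInformation ) MAY description )
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    for oc, attr in unresolved_references(text):
        print(f"objectclass {oc}: attribute {attr} is not defined")
    for oid in parse_schema(text)[2]:
        print(f"duplicate OID {oid}")
```

Pass the path of the schema file as the first argument to check a real file; with no argument it checks the embedded sample. The keyword match is deliberately case-sensitive because RFC 4512 writes MUST and MAY in upper case while DESC strings in this very file contain "May"; the parser does not try to interpret quoted strings at all, so apostrophes inside a DESC (the posted ipHost and ipService have them) do not break it.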
Rich Megginson wrote on 08/16/2005 11:01 AM:
If you like, you can replace the 10rfc2307.ldif schema supplied with FDS with the attached file, and see what happens.
Aha - this looks similar to the Solaris scheme. Thanks!
Simon
- Finally, the Java administration console is extremely slow. I'm
running over an SSH connection, but my server is a 2.8 GHz machine with 512 MB of RAM. I wonder what console performance other people experience.
Console performance is great for me. There should be no performance problems per se on that hardware. What operations in particular seem slow?
David Boreham wrote on 07/13/2005 02:21 PM:
Console performance is great for me. There should be no performance problems per se on that hardware. What operations in particular seem slow?
Switching tabs and in particular browsing the data. We only have a few hundred users, and it takes the GUI about 5 seconds to show the first batch of users (about 15), and the performance does not improve even after the whole list is loaded - clicking and scrolling take up to 10 seconds to respond. I'll probably stick with other tools for data administration if I don't find ways to improve the console speed.
Simon
Vsevolod (Simon) Ilyushchenko wrote:
Switching tabs and in particular browsing the data. We only have a few hundred users, and it takes the GUI about 5 seconds to show the first batch of users (about 15), and the performance does not improve even after the whole list is loaded - clicking and scrolling take up to 10 seconds to respond. I'll probably stick with other tools for data administration if I don't find ways to improve the console speed.
This is atypical. Something's broken somewhere.
On 7/13/05, Vsevolod (Simon) Ilyushchenko simonf@cshl.edu wrote:
- Finally, the Java administration console is extremely slow. I'm
running over an SSH connection, but my server is a 2.8 GHz machine with 512 MB of RAM. I wonder what console performance other people experience.
Try using "-c blowfish" when you connect to the server. That ought to help a bit.
Ben Steeves wrote on 07/13/2005 04:13 PM:
On 7/13/05, Vsevolod (Simon) Ilyushchenko simonf@cshl.edu wrote:
- Finally, the Java administration console is extremely slow. I'm
running over an SSH connection, but my server is a 2.8 GHz machine with 512 MB of RAM. I wonder what console performance other people experience.
Try using "-c blowfish" when you connect to the server. That ought to help a bit.
Thanks, Ben - I see approximately a twofold improvement in speed (though setting DISPLAY to my desktop manually speeds the program up even more, of course).
Simon
389-users@lists.fedoraproject.org