RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
by Tay, Gary
To achieve the same result of this:
===
import:
------------------------------
dn: cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: CRYPT
------------------------------
===
You could simply go into FDS7.1 admin server, open directory server,
click "config (XXX acis)", right click again to edit its properties,
I think ldaplist will work only after successful "ldapclient"
initialization; ldapsearch will work as long as the ldap server allows
the data to be returned.
One irritating fact on Solaris8 is the lack of LDAP VERSION 2 client
command tools; I have to resort to performing a "dummy" SUN ONE DS5.2
install (with both server and client component) and just use the client
component while keeping the server component shut down. Only the VERSION
2 "ldapsearch" command in $IDS5_PATH/shared/bin has the "-Z" and "-P"
options for testing the TLS/SSL connection (after getting simple bind to
work, I am sure one would like to get tls:simple bind to work, as it is
more secure).
# cat test_native_client_tls.sh
LDAP_ROOT=/usr/iplanet/ds5
# Make the Sun ONE client libraries resolvable before running its ldapsearch
LD_LIBRARY_PATH=$LDAP_ROOT/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
echo "Testing LDAP Master..."
# -Z: connect over SSL/TLS; -P: certificate database used to verify the server
$LDAP_ROOT/shared/bin/ldapsearch -h ldap1.example.com -p 636 -b "" -s base \
    -Z -P /var/ldap/cert7.db "(objectclass=*)"
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Thursday, August 25, 2005 1:02 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
--- Justin Albstmeijer <justin(a)VLAMea.nl> wrote:
>
> My 2 cents
>
> - test with: ldapsearch -h ldapserver.domain.nl -s
> base -b ""
> "objectclass=*" , to see if you can query the
> server.
Yea -- I can't. (there's no ldapsearch on this
machine, so I used ldaplist)
bash-2.03# ldaplist
ldaplist: Object not found (Session error no available
conn.
)
Same error message. This is a pretty fundamental
problem, no? I mean, like you said -- the FDS needs
to be switched from ssha to crypt, etc but regardless, shouldn't
ldaplist work?
I also have iDS installed; I suppose I can scp
ldapsearch from there...
--
Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
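Gary's LDIF changes the scheme the server applies to passwords set from now on, but entries written earlier keep whatever scheme they were stored under, so an audit of an LDIF export shows which accounts a client that needs crypt(3)-style hashes can actually authenticate. Added Python example, not from the post or the FDS project; the LDIF is constructed, and the scheme rules are as commented in the code.

```python
import base64
import re

# Constructed sample LDIF export (not from the original post): the SSHA default,
# a base64-encoded traditional crypt(3) value, and one cleartext password.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword: {SSHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword:: e0NSWVBUfWFiSm5nZ3hoQi95V0k=

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword: plaintext-secret
"""
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char DES hash


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; unfolds wrapped lines and decodes '::' base64."""
    entries, dn, attrs = [], None, {}
    unfolded = re.sub(r"\n ", "", text)          # LDIF folds long lines with newline + space
    for line in unfolded.splitlines() + [""]:    # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def classify_password(value):
    """Storage scheme of one userPassword value; CLEARTEXT when there is no {SCHEME} prefix."""
    m = SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT"
    scheme, digest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT" and not DES_CRYPT_RE.match(digest):
        return "CRYPT-NONDES"  # $1$/$6$ style forms that a DES-only crypt(3) cannot verify
    return scheme


def audit_schemes(text):
    """Map scheme -> sorted DNs, showing which accounts a CRYPT-only client could authenticate."""
    report = {}
    for dn, attrs in parse_ldif(text):
        for pw in attrs.get("userpassword", []):
            report.setdefault(classify_password(pw), []).append(dn)
    return {scheme: sorted(dns) for scheme, dns in report.items()}
```

Traditional crypt(3) truncates passwords to 8 characters and the client-side comparison needs userPassword readable by the client, so CRYPT is a compatibility concession for old clients rather than a scheme to keep once they are gone.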
RE: [Fedora-directory-users] getting solaris 8 to talk to FDS
by Tay, Gary
I have seen those messages; they are gone after applying the LDAP patch. Did
you apply the OS and LDAP patches?
The starting point to configure Solaris8 or Solaris9 Native LDAP
Clients, against any type of LDAP Servers, be it FDS, OpenLDAP or SUN
ONE, is the SAME:
"To apply latest OS kernel patch and LDAP patch"
For Solaris9: LDAP Patch 112960-30 or later is recommended (at this
moment)
For Solaris8: LDAP Patch 108993-48 or later is recommended (at this
moment)
It is quite tough for Solaris8, as before you can apply 108993-48 you
have to apply so many patches to bring the OS kernel patch level up, plus
the patches that 108993-48 depends on; it is very time consuming. These
patches (see the Requires line below) essentially make the Solaris8 LDAP
libraries the same VERSION 2 as Solaris9's.
# showrev -p | grep "^Patch: 108993-48"
Patch: 108993-48 Obsoletes: 108827-40, 108991-18, 109322-09, 109461-03,
111641-01, 109680-01, 110589-02, 111217-02, 111177-06, 111921-02,
112022-02, 110194-01, 110390-02, 111090-03, 111431-01, 110700-01,
111081-01, 111464-01, 111780-01, 111085-02, 111299-04, 111393-02,
111659-07, 112218-01, 112605-04, 108997-03, 109005-05, 110511-05
Requires: 108528-24, 108989-01, 110386-01, 111023-03, 111317-05,
113648-03, 115827-01, 116602-01, , Incompatibles: 109079-01
Packages: SUNWcsu, SUNWcsl, SUNWcsr, SUNWcslx, SUNWcarx, SUNWatfsr,
SUNWatfsu, SUNWcsxu, SUNWnisr, SUNWnisu, SUNWapppr, SUNWapppu, SUNWarc,
SUNWarcx, SUNWcstl, SUNWdpl, SUNWdplx, SUNWlldap, SUNWmdbx, SUNWmdb,
SUNWhea, SUNWcstlx, SUNWpppd, SUNWpppdr, SUNWpppdu, SUNWpppdx
For Solaris9, fewer patches are required.
There is some related info I posted at the SUN forums; it is for SUN ONE
DS5.2, but I think it is relevant in the case of FDS. Please help yourself
to it.
Solaris 8 LDAP Client
http://swforum.sun.com/jive/thread.jspa?threadID=55534&messageID=211589#211589
Getting a Solaris 9 client to talk to OpenLDAP
http://forum.sun.com/thread.jspa?threadID=25436&tstart=30
LDAP TLS/SSL
http://forum.sun.com/thread.jspa?threadID=12811&tstart=30
Gary
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Wednesday, August 24, 2005 10:08 PM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] getting solaris 8 to talk to FDS
Hi, all. I've been battling this for days now, with
no luck. I've got fds up & running and linux clients authenticating w/o
problems. Solaris has so far been a royal pain.
This is what I've done so far:
- imported the 2 schemas that a kind soul sent me (dua
& nis)
- added the nisDomain object
- added a few users to test
- copied the ldap_file & ldap_cred files from Gary
Tay's site
- added a default simple profile
- ran ldap-genprofile to get the NS1 password, put it
in the cred file.
- added ldap to the nsswitch.conf
Yet the solaris box doesn't see the ldap server. In
the dmesg, I see this:
Aug 24 09:16:34 unknown getent[1506]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Aug 24 09:18:07 unknown nscd[1498]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Aug 24 09:18:07 unknown nscd[1498]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Can anybody point me in the right direction? I'm
about to start kicking the solaris server...
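A check of the prerequisite rule Gary describes, as an added Python example (not from the post): it parses showrev -p output, treats a patch's Obsoletes list as also provided, and reports which Requires entries of 108993-48 are absent or below the needed revision. The showrev text is a constructed three-patch excerpt in the post's format, not the output of any real machine.

```python
import re

# Constructed showrev -p excerpt in the same format as the one in the post,
# trimmed to three patches; not the real output of any machine.
SHOWREV_P = """\
Patch: 108528-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108993-48 Obsoletes: 108827-40, 108991-18 Requires: 108528-24, 108989-01, 110386-01, , Incompatibles: 109079-01 Packages: SUNWcsu, SUNWcsl, SUNWlldap
Patch: 110386-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
"""

LINE_RE = re.compile(
    r"^Patch:\s*(\S+)\s*Obsoletes:(.*?)Requires:(.*?)Incompatibles:(.*?)Packages:(.*)$")


def split_ids(field):
    """'108528-24, 108989-01, ,' -> ['108528-24', '108989-01']; tolerates the stray ', ,'."""
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_patch_id(pid):
    """'108993-48' -> ('108993', 48)."""
    base, rev = pid.split("-")
    return base, int(rev)


def parse_showrev(text):
    """Return (installed, requires): base id -> highest revision present, patch id -> Requires list."""
    installed, requires = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, obsoletes, reqs = m.group(1), split_ids(m.group(2)), split_ids(m.group(3))
        for provided in [pid] + obsoletes:   # a patch also carries the fixes of what it obsoletes
            base, rev = parse_patch_id(provided)
            installed[base] = max(rev, installed.get(base, 0))
        requires[pid] = reqs
    return installed, requires


def satisfies(installed, wanted):
    """True when `wanted` (e.g. '108993-48') or a later revision of it is installed."""
    base, rev = parse_patch_id(wanted)
    return installed.get(base, 0) >= rev


def missing_prereqs(text, patch):
    """Entries in the Requires field of `patch` that are absent or below the needed revision."""
    installed, requires = parse_showrev(text)
    return [r for r in requires.get(patch, []) if not satisfies(installed, r)]
```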
[Fedora-directory-users] Database recreation, automount and performance
by Vsevolod (Simon) Ilyushchenko
Hi,
I'm extremely glad FDS is now freely available and almost open-source. I
have run into some issues when I started playing with it.
1. I've tried to port my OpenLDAP database to it and found that there
is no automount objectclass specified by default. The automount and
automountInformation classes are defined in Fedora schema extensions
that come with the openldap RPM, so not having them in FDS is a little
weird. I had to define them myself.
2. After a failed import I deleted the database and tried to recreate
it. I went first to Configuration/Data/New Root Suffix and specified the
base DN and the database name. Then I went to Data/<Server name:389>/
New Root Object and tried to create the root entry, but got this error:
"Only the Directory Manager has the right to create the Root Entry. Log
in as Directory Manager to be able to perform this operation. "
I've checked that the manager DN is specified correctly in
Configuration/Manager.
I tried restarting the directory server, but that did not help. How do I
reinitialize it?
3. Finally, the Java administration console is extremely slow. I'm
running over an SSH connection, but my server is a 2.8 GHz machine with
512 MB of RAM. I wonder what console performance other people experience.
Thanks - I'm looking forward to deploying FDS with Windows sync!
Simon
--
Simon (Vsevolod Ilyushchenko) simonf(a)cshl.edu
http://www.simonf.com
Terrorism is a tactic and so to declare war on terrorism
is equivalent to Roosevelt's declaring war on blitzkrieg.
Zbigniew Brzezinski, U.S. national security advisor, 1977-81
[Fedora-directory-users] unable to login to the interface...... HELP....
by gokul nath
I have downloaded fedora-ds-7.1-2.i386.opt.rpm. After installing it, I gave
/opt/fedora-ds/setup/setup
and chose a typical installation. After configuring all the details,
it gave me an error. I have pasted the error below:
Server user ID to use (default: nobody)
Server group ID to use (default: nobody)
[slapd-in]: starting up server ...
[slapd-in]: Fedora-Directory/7.1 B2005.146.2010
[slapd-in]: in.sundarambizserv.com:389 (/opt/fedora-ds/slapd-in)
[slapd-in]:
[slapd-in]: [22/Aug/2005:09:59:45 +051800] - Fedora-Directory/7.1 B2005.146.2010 starting up
[slapd-in]: [22/Aug/2005:09:59:46 +051800] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory Server...
Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileQJv7Um 2>&1] (error: No such file or directory)INFO Finished with setup, logfile is setup/setup.log
Because of this I am not able to run the admin server;
/opt/fedora-ds/startconsole is not allowing me to login.
Kindly help me out. I'm stuck with this problem for
days...
Regards
gokul
[Fedora-directory-users] Account lockout replication
by Bryan Wann
Hello,
I am trying to set up a global account lockout policy. In the
Deployment Guide, it says "Account lockout is enforced on the replicas"
and "The password policy information ... such as password age, the
account lockout counter ... are all replicated." When I trigger the
lockout on an account, I see the accountUnlockTime attribute get added
to the account's directory entry.
From what I make of the text in the Deployment Guide, accountUnlockTime
should be replicated to my other master and corresponding consumers,
thus locking out the account everywhere. This isn't what I'm seeing; I
am only locked out of the master on which it was originally triggered, I
can still bind using the account on the other master and consumers.
I have applied the same password and lockout policy to all of my
servers, so the configuration should be consistent. Do I have the wrong
expectations on how this should work? Does "enforced on the replicas"
simply mean the replicas as an independent server will perform lockouts?
Anyone been able to solve this one?
--bryan
[Fedora-directory-users] missing passwordStorageScheme
by Justin Albstmeijer
Hi fedora directory users,
I seem to be missing "cn=passwordStorageScheme, cn=config" in a default
fedora-ds-7.1-2.RHEL4 installation.
I want to add and then change it to CRYPT.
Found lots of "modify" posts, but I need first to get it into the tree.
Any suggestions?
Justin
[Fedora-directory-users] Re: Problem with Samba-Fedora-ds Intergration (HOWTO:SAMBA)
by Tom.Tran@noaa.gov
Thank you for your reply.
Here is my /etc/samba/smb.conf
------------------------------
# Global parameters
[global]
workgroup = SEFSC
netbios name = MIAPOGO
server string = Samba %u on (%L)
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
cups options = raw
security = user
passdb backend = ldapsam:ldap://miapogo.sefsc.noaa.gov
ldap suffix = dc=sefsc,dc=noaa,dc=gov
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
os level = 33
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins support = yes
logon home = \\%L\%u\profiles
logon path = \\%L\profiles\%u
logon drive = H:
template shell = /bin/false
winbind use default domain = yes
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
browseable = no
[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
--------------------------
------- original message -------
Date: Fri, 19 Aug 2005 13:03:02 -0400
From: Adam Stokes <astokes(a)redhat.com>
Subject: Re: [Fedora-directory-users] Problem with Samba - Fedora-ds
Integration (HOWTO:SAMBA)
To: "General discussion list for the Fedora Directory server project."
<fedora-directory-users(a)redhat.com>
Message-ID: <20050819130302.7494f11d(a)froman.rdu.redhat.com>
Content-Type: text/plain; charset=US-ASCII
Please post your smb.conf
On Fri, 19 Aug 2005 11:29:03 -0400
<Tom.Tran(a)noaa.gov> wrote:
> I followed the document until I get the following error:
>
> #/opt/fedora-ds/slapd-miapogo/ldif2ldap "cn=Directory Manager"
> fds80000 /tmp/sambaGroups.ldif
>
> This command returns:
> adding new entry cn=Domain Admins,ou=Groups,dc=sefsc,dc=noaa,dc=gov
> adding new entry cn=Domain Users,ou=Groups,dc=sefsc,dc=noaa,dc=gov
> adding new entry cn=Domain Guests,ou=Groups,dc=sefsc,dc=noaa,dc=gov
> adding new entry cn=Domain Computers,ou=Groups,dc=sefsc,dc=noaa,dc=gov
>
> I then run the following command:
>
> # net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'
>
> This command returns:
> [2005/08/19 09:48:37, 0] passdb/pdb_ldap.c:ldapsam_add_group_mapping_entry(2330)
>   ldapsam_add_group_mapping_entry: failed to add group 2512 error: Insufficient 'write' privilege to teh 'sambaSID' attribute of entry 'cn=domain admins,ou=groups,dc=sefsc,dc=noaa,dc=gov'. (Insufficient access)
> adding entry for group Domain Admins failed!
>
> I am a novice on this subject and have no idea how to fix it. Please
> help!
>
> Tom Tran