[Fedora-directory-users] no response on port 636
by basile
Hi,
I can ldapsearch -ZZZ without problem (with the FDS or OpenLDAP command),
but when I try ldapsearch -D "cn=Manager" -p 636, I have no response
from the server.
I have to Ctrl-C to stop the command.
Here are the logs:
conn=21 fd=67 slot=67 SSL connection from 127.0.0.1 to 127.0.0.1
and nothing else happens.
thanks
basile
18 years, 4 months
[Fedora-directory-users] Server crash (and how-to reproduce)
by Thierry Lanfranchi
Hello,
I've just managed to crash my slapd process and can reproduce the problem every time I try, this way:
I was playing with the languages tab on a user's properties window, I defined 'french' as the preference language and added afrikaans common name, first name and last name, and saved.
I then reopened the properties window and proceeded to remove these 3 afrikaans attributes by emptying the 3 fields and clicking Save when a popup warned me about a problem communicating with the server.
Actually the communication problem was just a slapd process crash.
I can reproduce the crash at will, and for information, my configuration is the following:
FDS 1.0.1
Centos 4.2
using the console from a winXP computer (local java, not deported X11 window)
Last lines of the error log before the crash, with all logging options activated, are:
[02/Feb/2006:11:14:14 +0100] - Calling plugin 'Multimaster replication bepreoperation plugin' #0 type 451
[02/Feb/2006:11:14:14 +0100] - => entry_apply_mods_wsi
[02/Feb/2006:11:14:14 +0100] - delete: givenname;lang-af
[02/Feb/2006:11:14:14 +0100] - removing entire attribute givenname;lang-af
[02/Feb/2006:11:14:14 +0100] - -
[02/Feb/2006:11:14:14 +0100] - delete: sn;lang-af
[02/Feb/2006:11:14:14 +0100] - removing entire attribute sn;lang-af
[02/Feb/2006:11:14:14 +0100] - -
[02/Feb/2006:11:14:14 +0100] - delete: cn;lang-af
[02/Feb/2006:11:14:14 +0100] - removing entire attribute cn;lang-af
[02/Feb/2006:11:14:14 +0100] - -
[02/Feb/2006:11:14:14 +0100] - modifiersname: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
[02/Feb/2006:11:14:14 +0100] - replace: modifiersname
[02/Feb/2006:11:14:14 +0100] - -
[02/Feb/2006:11:14:14 +0100] - modifytimestamp: 20060202101411Z
[02/Feb/2006:11:14:14 +0100] - replace: modifytimestamp
[02/Feb/2006:11:14:14 +0100] - -
[02/Feb/2006:11:14:14 +0100] - <= entry_apply_mods_wsi 0
[02/Feb/2006:11:14:14 +0100] - => plugin_call_syntax_filter_ava uid=45123487
[02/Feb/2006:11:14:14 +0100] - <= plugin_call_syntax_filter_ava 0
[02/Feb/2006:11:14:14 +0100] - => id2entry_add( 14, "uid=45123487,ou=utilisateurs,ou=infrastructure,dc=oie,dc=local" )
[02/Feb/2006:11:14:14 +0100] - -> attrcrypt_encrypt_entry
[02/Feb/2006:11:14:14 +0100] - <- attrcrypt_encrypt_entry
[02/Feb/2006:11:14:14 +0100] - <= id2entry_add 0
Don't hesitate to ask for more information if needed, or for more tests to run in order to get rid of that nasty bug :)
Thanks in advance,
Thierry
18 years, 4 months
Re: [Fedora-directory-users] crash after successful pwdchange via ldappasswd
by Jo De Troy
Hi Rich,
thanks for the quick reply.
Do you need more info from me wrt behaviour I described?
Has the password strength enforcement been submitted yet? Any idea if and
when this will be included in a next release? And when could we expect such
a release?
I've read something about a plugin that would also change samba passwords in
FDS, do you happen to know what the status of that is?
Best Regards,
Jo
18 years, 4 months
[Fedora-directory-users] crash after successful pwdchange via ldappasswd
by Jo De Troy
Hello,
I'm trying out different ways of changing passwords and looking at how these
handle the policies (e.g. pwd history).
I can successfully change a password from the command line (passwd) on a
Linux LDAP client.
When I try changing the password using ldappasswd, the slapd process
disappears after a successful change (ldappasswd -x -h ldapserver -D
'uid=user2change,base' -A -S -W -ZZ 'uid=user2change,base').
It ends with:
ldappasswd: ldap_result: Can't contact LDAP server (-1)
Which means slapd died. When I start up slapd on the server I can do an
ldapsearch with the new password.
Has anyone seen the same behaviour?
Someone told me about a web gateway included in FDS to change password, at
which URL can I find this? Should I specifically enable this webinterface?
TIA,
Jo
18 years, 4 months
[Fedora-directory-users] management console , xp , and tls
by basile
Hi,
I use the HOWTO for starting the console from XP.
I try to use TLS, but I have a problem with certificates.
I generated a CA cert with openssl, did two certificate requests in the FDS console,
signed them with the CA cert, and then installed all of them in FDS.
All works fine, but I don't know exactly what I have to do for Windows.
I have a .mcc directory like in the HOWTO, with key3, cert8 and secmod files.
I tried to copy the db files from my FDS server (/opt/fedora/servers/alias) into .mcc
and tried to rename them as key3 and cert8, but I always have
[01/Feb/2006:22:46:50] failure (10229): Error receiving connection
(SSL_ERROR_BAD_CERT_ALERT - SSL client cannot verify your certificate.) from
yyy.yyy.yyy.yyy:1078 on xxx.xxx.xxx.xxx:port
What I don't do from the HOWTO is
pk12util -i servercert.pfx -d C:\Documents and Settings\<username>\.mcc
but I think it's for creating cert8 and key3.
Thanks for the help,
basile
18 years, 4 months
[Fedora-directory-users] Re: Hosed sync with AD
by Daniel Shackelford
> I don't have any insight off the top of my head beyond what you've
> already tried.
> You could take a packet trace with ethereal or the like and see if
> there's anything
> interesting in the SSL handshake.
>> Is FDS dependent on specific versions of libssl3.so or ?... The thing
>> that confuses me the most is that it all seems to be working fine in
>> every other case. I am still not sure there isn't a problem with my
>> Win2003 domain controller...
>
>
> FDS should be used with the version of NSS that it was built against.
> There will be some minor functionality differences between NSS releases
> and bug fixes, but I wouldn't expect much sensitivity to NSS version
> as far as basic functionality like this goes.
>
> Bottom line is that if you can use the 'ldapsearch' command (the Mozilla
> version that ships with FDS), pointed at the same cert database that the
> server is using, to connect to your AD, then FDS's Winsync code should
> be able to connect too : the code paths are essentially identical.
Well, I think I found the problem...
Here is the output of ssltap that captured a request to the DC:
--> [
alloclen = 54 bytes
(54 bytes of 54)
[Wed Feb 1 12:39:36 2006] [ssl2] ClientHelloV2 {
version = {0x03, 0x01}
cipher-specs-length = 27 (0x1b)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00feff) SSL3/RSA-FIPS/3DESEDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00fefe) SSL3/RSA-FIPS/DES-CBC/SHA
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x000064) TLS/RSA-EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA-EXPORT1024/DES56-CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0xc930 0x4121 0xe11d 0x443a 0x77b4 0xaef1
0x13b0 0xc017 }
}
]
<-- [
(2896 bytes, making 2896 of 4836)
]
<-- [
(1945 bytes, making 4836 of 4836)
SSLRecord { [Wed Feb 1 12:39:36 2006]
type = 22 (handshake)
version = { 3,1 }
length = 4836 (0x12e4)
handshake {
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 1}
random = {...}
session ID = {
length = 32
contents = {..}
}
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
}
type = 11 (certificate)
length = 1423 (0x00058f)
CertificateChain {
chainlength = 1420 (0x058c)
Certificate {
size = 1417 (0x0589)
data = { saved in file 'cert.001' }
}
}
type = 13 (certificate_request)
length = 3327 (0x000cff)
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Feb 1 12:39:36 2006]
type = 21 (alert)
version = { 3,1 }
length = 2 (0x2)
fatal: unknown CA
}
]
Looking through this, it looks like it is the FDS server that is saying that
the CA is unknown, but is it referring to the response from the DC, or
its own certificate store? Looking at the dump of extended data from
ssltap, the response from the DC indicates it is using a cert not signed
by itself (a CA), but by another server that is not a DC, and in fact a
non-critical server. The validity of that CA and all its certificates
expired at the time that FDS stopped synchronizing. Why our Windows Admin
is using CAs around the network willy-nilly is a mystery to me. I will
get rid of that cert, and make sure that it is offering up a cert that
is signed by a third party CA (like CACert.org).
Thank you Dave. It looks like you were right about this being a stumper
as long as we are looking for the problem on FDS.
--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648
"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many"
Mark 10:45
18 years, 4 months
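Reading an ssltap dump like the one in the post by hand is error-prone, so here is an added example (my own code, not from the thread and not part of the FDS or NSS tooling) that summarises a capture: which side sent each record, the suites offered and chosen, whether the DC asked for a client certificate, and any alert together with its sender. The embedded trace is a constructed, trimmed copy of the line shapes in the post; the diagnosis follows the post's reading that an alert on the `-->` side is the connecting side (FDS) rejecting the DC's chain.

```python
import re

# Constructed excerpt shaped like the ssltap dump quoted in the post; not a real capture.
SAMPLE_TRACE = """\
--> [
ClientHelloV2 {
(0x000004) SSL3/RSA/RC4-128/MD5
(0x000003) SSL3/RSA/RC4-40/MD5
}
]
<-- [
type = 2 (server_hello)
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
type = 13 (certificate_request)
]
--> [
type = 21 (alert)
fatal: unknown CA
]
"""

def parse_ssltap(text):
    """Summarise a capture: suites offered/chosen, whether client auth was requested, alerts."""
    s = {"offered": [], "chosen": None, "cert_request": False, "alerts": []}
    side = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("-->"):                      # ssltap: client -> server
            side = "client"
        elif line.startswith("<--"):                    # ssltap: server -> client
            side = "server"
        elif side == "client" and re.match(r"\(0x[0-9a-f]+\) \S+$", line):
            s["offered"].append(line.split(" ", 1)[1])  # ClientHello cipher list
        elif line.startswith("cipher_suite = "):
            s["chosen"] = line.rsplit(" ", 1)[1]        # what the server picked
        elif "(certificate_request)" in line:
            s["cert_request"] = True                    # server asked for a client cert
        elif re.match(r"(fatal|warning): ", line):
            level, desc = line.split(": ", 1)
            s["alerts"].append((side, level, desc))     # alert and who sent it
    return s

def diagnose(s):
    """Read the summary the way the post does: which side aborted, and why."""
    for side, level, desc in s["alerts"]:
        if desc == "unknown CA":
            who = "connecting side (FDS)" if side == "client" else "accepting side"
            return f"{level}: {who} does not trust the CA that issued the peer certificate"
    return "handshake not aborted by an alert; chosen suite " + str(s["chosen"])
```

Running `diagnose(parse_ssltap(SAMPLE_TRACE))` on the constructed trace points at the connecting side's trust database, which is where the post ends up looking.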
[Fedora-directory-users] automount (revisited)
by Roger Spencer
I dug the below out of the archive. Is there anything new on the subject?
I seem to have slammed head first into the subject. Got SUSE and
RHEL 3 using nisObjects happily (apparently they'll support either
model). Just configured a Solaris 10 box as a client and it wants
automountMap. Even worse, Solaris 9 and 10 do automountMap, Solaris 8
does nisObjects. Fortunately, I have all three versions running. (Info
on Solaris' automount:
http://www.informit.com/articles/article.asp?p=31550&seqNum=4&rl=1 )
I tried loading the 10rfc2307bis.ldif (by replacing the 10rfc2307.ldif
file) and slapd wouldn't restart.
Any idea how to a) get the automountMap objects in the schema? b) possibly
support both models?
From: Rich Megginson <rmeggins redhat com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users redhat com>
Subject: Re: [Fedora-directory-users] Re: automount
Date: Tue, 16 Aug 2005 09:01:40 -0600
There has been a lot of confusion around this issue (mostly on my part).
I think one of the problems is that rfc2307 support from OS vendors is
now deprecated in favor of rfc2307bis
http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt,
which is still in Internet Draft phase (and is due to expire very
quickly). A new draft is being worked on with the goal of generating a
new RFC. The bis draft has one problem with it, in that it requires the
use of the authPassword attribute (defined in RFC 3112
http://www.ietf.org/rfc/rfc3112.txt). FDS does not support this (and
neither does OpenLDAP AFAICT). I have attached a file called
10rfc2307bis.ldif. This is the schema from the 2307bis I-D in FDS schema
format.
The preferred way to map the automount information is to use the
automount attributes and objectclasses in the RFC 2307bis draft schema.
The problem is that I don't know all of the vendor support. So far I've
been unable to find out what RHEL3 and RHEL4 support. I've been told
that Solaris has support for the bis schema.
If you like, you can replace the 10rfc2307.ldif schema supplied with FDS
with the attached file, and see what happens.
18 years, 4 months
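As an added example (mine, not from the thread and not FDS code), the move to the bis schema that Rich recommends can be scripted: rewrite RFC 2307 nisMap/nisObject automount entries into the automountMap/automount classes of the rfc2307bis draft. The attribute names are the draft's; the sample LDIF, the ou=automount container and the file server path are constructed. Loading the result still requires the bis schema to be present on the server, which is the step that failed for Roger.

```python
# Constructed sample in the RFC 2307 nisMap/nisObject model (not from the post).
NIS_LDIF = """\
dn: nisMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: nisMap
nisMapName: auto.home

dn: cn=*,nisMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: top
objectClass: nisObject
cn: *
nisMapName: auto.home
nisMapEntry: -rw,intr fileserver:/export/home/&
"""

def parse_ldif(text):
    """Minimal LDIF reader: records split on blank lines, plain 'attr: value' lines only."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, value = line.split(": ", 1)
        cur.setdefault(attr, []).append(value)
    return entries

def to_rfc2307bis(entry):
    """Map one nisMap/nisObject entry onto the automountMap/automount classes of the bis draft."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    rdn, parent = entry["dn"][0].split(",", 1)
    if "nismap" in classes:
        name = entry["nisMapName"][0]
        return {"dn": [f"automountMapName={name},{parent}"],
                "objectClass": ["top", "automountMap"], "automountMapName": [name]}
    if "nisobject" in classes:
        key, name = entry["cn"][0], entry["nisMapName"][0]
        # the map is now named by the parent's RDN; nisMapName itself has no bis equivalent
        parent = parent.replace(f"nisMapName={name}", f"automountMapName={name}", 1)
        return {"dn": [f"automountKey={key},{parent}"], "objectClass": ["top", "automount"],
                "automountKey": [key], "automountInformation": entry["nisMapEntry"]}
    return entry                                   # other entries pass through unchanged

def convert(text):
    """Return the bis-schema LDIF for an RFC 2307 automount LDIF dump."""
    out = [to_rfc2307bis(e) for e in parse_ldif(text)]
    return "\n\n".join("\n".join(f"{a}: {v}" for a, vs in e.items() for v in vs) for e in out) + "\n"
```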
[Fedora-directory-users] Adding users after replacing NIS
by Oscar A. Valdez
I've followed the instructions in Gerald Carter's "LDAP System
Administration", specifically those in Chapter 6: Replacing NIS.
I've used PADL's scripts to migrate the info
from /etc/passwd, /etc/shadow, and /etc/group into the DS server. My
question now is, how do I add new users to the DS, with the necessary
shadowAccount attributes? How do I generate the crypted userPassword,
shadowLastChange, etc. values?
--
Oscar A. Valdez
18 years, 4 months
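As an added example (mine, not from the book or PADL's migration scripts), the attributes asked about can be generated directly: a {SSHA} userPassword value (salted SHA-1, used here instead of {CRYPT}; FDS can also hash a cleartext value itself under its password storage scheme), shadowLastChange as days since 1970-01-01, and a complete posixAccount/shadowAccount entry in LDIF. The uid numbers, base DN and ou=People container are constructed.

```python
import base64
import hashlib
import os
from datetime import date

def ssha_hash(password, salt=None):
    """Return a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_check(stored, password):
    """Verify a password against a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def shadow_days(iso_day=None):
    """shadowLastChange counts days since 1970-01-01, like the third field of /etc/shadow."""
    day = date.fromisoformat(iso_day) if iso_day else date.today()
    return (day - date(1970, 1, 1)).days

def posix_user_ldif(uid, uid_number, gid_number, full_name, password, base_dn,
                    changed_on=None, max_days=90, warn_days=7):
    """Build the LDIF for one posixAccount + shadowAccount user (constructed ou=People container)."""
    lines = [
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: top",
        "objectClass: account",          # structural class that carries uid
        "objectClass: posixAccount",     # RFC 2307: uidNumber, gidNumber, homeDirectory
        "objectClass: shadowAccount",    # RFC 2307: shadow* ageing attributes
        f"uid: {uid}",
        f"cn: {full_name}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"userPassword: {ssha_hash(password)}",
        f"shadowLastChange: {shadow_days(changed_on)}",
        f"shadowMax: {max_days}",
        f"shadowWarning: {warn_days}",
    ]
    return "\n".join(lines) + "\n"
```

The output of `posix_user_ldif` can be fed to ldapadd; uidNumber/gidNumber allocation is left to the caller.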
RE: [Fedora-directory-users] problem with startconsole
by Chris Conner
Have you tried the -nologo option?
Chris
Chris Conner, M.A.
Manager of Systems Support
MCP, MCP+I, MCDBA, MCSE
Salem Health Solutions
cconner(a)salem-health.com
336-747-7572
866-747-7560 x7572
/(bb|[^b]{2})/ that is the Question
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of basile
au siris
Sent: Wednesday, February 01, 2006 10:49 AM
To: fedora-directory-users(a)redhat.com
Subject: [Fedora-directory-users] problem with startconsole
Hi,
I installed fds-7.0 on Solaris 9.
All works fine, but I have a strange problem with the console: I can start
the console on the server, I can start the console from a Windows box, but I
can't start it from a Linux box (but I can start the console from this Linux
box to another FDS installation on Solaris). I ssh -X, startconsole -D,
and I have the prompt "Fedora Management Console" but never the login
window. If someone has an idea (port 6000 is open, ssh forwards X11,
and all machines are on the same VLAN), thanks. basile
18 years, 4 months