[Fedora-directory-users] blocking "unauthenticated bind"
by David Lewis
We have just migrated from openldap to fedora, and have realized with
horror that some authentication clients (for example CAS) are giving the
OK to users who submit an empty password string.
We have been going slowly mad trying to find how to block this in the
configuration.
We previously allowed anonymous binds, but since discovering the problem
we have disallowed them, but this does NOT solve the problem.
In a nutshell, this is what happens:
% ldapbind -h fedora_ds_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w ""
bind successful
% ldapbind -h openldap_server.utc.fr -p 389 -D "uid=someuser,ou=people,dc=utc,dc=fr" -w ""
ldap_bind: DSA is unwilling to perform
ldap_bind: additional info: unauthenticated bind (DN with no password) disallowed
Could anyone tell us how to get fedora to behave like openldap in this
respect? There's a lot of stuff on the web about blocking
"unauthenticated binds" in openldap, but hardly anything regarding other
directory servers.
Any useful tips would be gratefully received.
David
David Lewis
system administrator
University of Compiegne
France
18 years, 3 months
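The behaviour David describes is what RFC 4513 (section 5.1.2) calls an unauthenticated bind: a non-empty DN sent with an empty password. A server is allowed to accept it and treat the session as anonymous, which is why a client that only checks whether the bind succeeded will wave the user through. The following is an added example, not code from the thread or from Fedora DS: it classifies bind requests the RFC way, guards a bind call so an authenticating client never sends an empty password to the server at all, and models the two server behaviours seen in the thread with constructed stand-ins (the user table and password are invented). Later 389 Directory Server releases also expose a cn=config attribute, nsslapd-allow-unauthenticated-binds, for refusing such binds on the server side; the client-side check below is the defence that does not depend on the server.

```python
"""Classify LDAP simple binds and refuse unauthenticated binds on the client side.

RFC 4513 section 5.1 distinguishes three simple-bind forms:
  - anonymous:        empty DN and empty password
  - unauthenticated:  non-empty DN and empty password
  - name/password:    non-empty DN and non-empty password
A server may accept an unauthenticated bind and treat the session as
anonymous, so "bind successful" does not mean the user proved anything.
"""

ANONYMOUS = "anonymous"
UNAUTHENTICATED = "unauthenticated"
SIMPLE = "simple"

# LDAP result codes (RFC 4511, appendix A)
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


def classify_bind(dn: str, password: str) -> str:
    """Return which RFC 4513 simple-bind form a (dn, password) pair is."""
    if not dn and not password:
        return ANONYMOUS
    if dn and not password:
        return UNAUTHENTICATED
    return SIMPLE


def safe_simple_bind(dn, password, bind_fn):
    """Client-side guard: only a name/password bind is forwarded to the server.

    bind_fn(dn, password) -> LDAP result code. It is never called for an
    anonymous or unauthenticated bind, so a server that maps those to an
    anonymous session cannot make the caller believe the user authenticated.
    """
    if classify_bind(dn, password) != SIMPLE:
        return UNWILLING_TO_PERFORM  # refused locally, nothing sent
    return bind_fn(dn, password)


def is_authenticated(dn, password, bind_fn):
    """What a CAS-like client should compute: True only for an accepted
    name/password bind."""
    return safe_simple_bind(dn, password, bind_fn) == SUCCESS


# --- constructed stand-ins for the two servers in the thread ---------------
# Hypothetical user table; not from the original page.
_USERS = {"uid=someuser,ou=people,dc=utc,dc=fr": "correct horse"}


def permissive_server_bind(dn, password):
    """Server that treats an unauthenticated bind as anonymous: it answers
    SUCCESS to an empty password (the "bind successful" case above)."""
    kind = classify_bind(dn, password)
    if kind in (ANONYMOUS, UNAUTHENTICATED):
        return SUCCESS
    return SUCCESS if _USERS.get(dn) == password else INVALID_CREDENTIALS


def strict_server_bind(dn, password):
    """Server that rejects unauthenticated binds with unwillingToPerform (53),
    matching the openldap output in the thread."""
    kind = classify_bind(dn, password)
    if kind == UNAUTHENTICATED:
        return UNWILLING_TO_PERFORM
    if kind == ANONYMOUS:
        return SUCCESS
    return SUCCESS if _USERS.get(dn) == password else INVALID_CREDENTIALS


if __name__ == "__main__":
    dn = "uid=someuser,ou=people,dc=utc,dc=fr"
    for name, srv in (("permissive", permissive_server_bind),
                      ("strict", strict_server_bind)):
        print(name, "raw empty-password bind ->", srv(dn, ""))
        print(name, "guarded empty-password bind ->", is_authenticated(dn, "", srv))
```

The point of `safe_simple_bind` is that the empty-password case is decided before any network traffic: against the permissive server the raw bind returns 0 but `is_authenticated` still returns False, and against the strict server the two agree.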
RE: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
by Jason Hane
Red Hat doesn't support SPARC. My co-worker just installed Aurora today
on his SPARC box. It is similar, but I do see some differences.
Hopefully it'll work for you.
Jason Hane
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Dennis
Gilmore
Sent: Thursday, March 02, 2006 6:01 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Fedora DS v1.0.2 src RPMs?
On Thursday 02 March 2006 16:42, Richard Megginson wrote:
> Dennis Gilmore wrote:
> >On Thursday 02 March 2006 16:24, Richard Megginson wrote:
> >>If you want to build it yourself the information is here -
> >>http://directory.fedora.redhat.com/wiki/Building#One-Step_Build
> >>
> >>In a nutshell:
> >>wget
> >>http://directory.fedora.redhat.com/sources/dsbuild-fds102.tar.gz
> >>tar xfz dsbuild-fds102.tar.gz
> >>cd dsbuild-fds102/meta/ds
> >>make 2>&1 | tee build.log
> >>
> >>Use make BUILD_RPM=1 to make an RPM (default is an installable
> >>setuputil package), use DEBUG=full to produce a debug build (default
> >>is optimize).
> >
> >How well do you think a build would go on sparc linux?
>
> What OS? I've never tried it, but RHEL or Fedora Core should work.
Aurora SPARC Linux, it's a port of Fedora to SPARC.
I guess I'll give it a go and see what happens.
--
Regards
Dennis Gilmore, RHCE
Proud Australian
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
18 years, 3 months
[Fedora-directory-users] Fedora DS v1.0.2 new setup - admin server fails (153:Unknown error.)
by Graham Leggett
Hi all,
Just tried to set up an FDS v1.0.2 from RHEL4 i386 RPM from scratch. The
setup program tries to crank up the new server, but this fails as below.
Anybody know what happened to the admin server?
[slapd-ldap.domain.com]: starting up server ...
[slapd-ldap.domain.com]: Fedora-Directory/1.0.2 B2006.060.1928
[slapd-ldap.domain.com]: ldap.domain.com:389
(/opt/fedora-ds/slapd-ldap.domain.com)
[slapd-ldap.domain.com]:
[slapd-ldap.domain.com]: [02/Mar/2006:15:16:21 -0600] -
Fedora-Directory/1.0.2 B2006.060.1928 starting up
[slapd-ldap.domain.com]: [02/Mar/2006:15:16:21 -0600] - slapd started.
Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd ERROR: Ldap authentication failed for url ldap://ldap.domain.com:389/o=NetscapeRoot user id admin (153:Unknown error.)
Fatal Slapd Did not add Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
ERROR: Administration Server configuration failed.
You can now use the console. Here is the command to use to start the console:
cd /opt/fedora-ds
./startconsole -u admin -a http://ldap.domain.com:1390/
INFO Finished with setup, logfile is setup/setup.log
Regards,
Graham
--
18 years, 3 months
RE: [Fedora-directory-users] Can't login to console
by Bliss, Aaron
If you can resolve the machine name via dns or local files, try this
section of this wiki
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
I had the exact same problems and this took care of it
________________________________
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Mont
Rothstein
Sent: Thursday, March 02, 2006 3:26 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Can't login to console
I am running Apache 2.0.52
As far as verifying that my directory server is up and running:
ns-slapd is running under the dsuser account
httpd.worker is running under the dsuser account
I fear I need help with ldapsearch.
If I try the following as root:
ldapsearch -LLL "(cn=Directory Manager)"
I get:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
If I try the following:
ldapsearch -LLL "(cn=Directory Manager)" -x -W
it prompts me for a password. I enter the administrator (dsadmin)
password and get:
ldap_bind: Can't contact LDAP server (-1)
This may indicate something is wrong, or simply that I am trying to use
ldapsearch incorrectly.
Your assistance is greatly appreciated.
-Mont
On 3/2/06, Nathan Kinder <nkinder(a)redhat.com> wrote:
Mont Rothstein wrote:
> I am trying to setup Fedora Directory Server 1.0.1 on an x86 box
> running RedHat ES4 in a VMWare session.
What version of Apache are you running on the system?
>
> I've run setup. I've created a user and group dsuser which is set as
> the server user. I set the admin to be dsadmin. I set the admin
> server to be run as root.
>
> setup completes and appears to start correctly.
>
> I use the following line to launch the console:
>
> ./startconsole -x nologo -u dsadmin -a
> http://rheles4rs1.forayadams.foray.com:45303
>
> In the login window I enter the dsadmin password. I then get a panel
> with the following message:
>
> Cannot logon because of incorrect User ID,
> incorrect password or Directory problem.
>
> HttpException:
> Response: HTTP/1.1 401 Authorization Required
> Status: 401
> URL: http://rheles4rs1.forayadams.foray.com:45303/admin-serv/authenticate
>
> I'm sure I've done something stupid and basic somewhere, but I have no
> idea what and I can't find anything about this via search.
>
> Does anyone have any ideas as to what I've done wrong?
Make sure that your directory server is up and running. You should try
doing an ldapsearch as the same user you are attempting to log into the
Console as. If all else fails, tail your DS access log when you attempt
to log in via Console to see if the Directory is even getting hit.
-NGK
>
> Thanks,
> -Mont
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
18 years, 3 months
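Nathan's last suggestion, tailing the directory's access log to see whether the Console's bind reaches the directory at all, is easy to automate. The script below is an added example (mine, not from the thread or the project): it pairs each BIND line with the RESULT line carrying the same conn and op numbers, reports the LDAP result code, and flags binds whose connection closed before any RESULT was logged. The line format is the 389/Fedora DS access-log format as I know it, and the sample lines (including the dsadmin entry under o=NetscapeRoot and the addresses) are constructed. The same check applies to Graham's setup failure earlier on this page, where it is the admin bind to o=NetscapeRoot that fails.

```python
import re

# Pieces of a 389/Fedora DS access-log line: timestamp, conn id, optional
# op id (closed lines use op=-1), and the remainder. Format as I know it
# from 389 DS; the sample lines further down are constructed.
_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>-?\d+))? (?P<rest>.*)$'
)
_BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) version=(?P<ver>\d+)')
_RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')
_CONN = re.compile(r'^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)')

# LDAP result codes seen on bind RESULT lines (RFC 4511, appendix A)
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}


def bind_outcomes(lines):
    """Pair every BIND with the RESULT of the same conn/op.

    Returns a list of dicts with conn, op, dn, method, src, err, outcome.
    Binds that never receive a RESULT are reported with err=None.
    """
    src_by_conn = {}   # conn id -> client address from the "connection from" line
    pending = {}       # (conn, op) -> bind info waiting for its RESULT
    outcomes = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        c = _CONN.match(rest)
        if c:
            src_by_conn[conn] = c.group("src")
            continue
        b = _BIND.match(rest)
        if b:
            pending[(conn, op)] = {"conn": conn, "op": op, "dn": b.group("dn"),
                                   "method": b.group("method"),
                                   "src": src_by_conn.get(conn)}
            continue
        r = _RESULT.match(rest)
        if r and (conn, op) in pending:
            info = pending.pop((conn, op))
            err = int(r.group("err"))
            info["err"] = err
            info["outcome"] = LDAP_ERR.get(err, f"err={err}")
            outcomes.append(info)
    for info in pending.values():  # connection dropped before the server answered
        info["err"] = None
        info["outcome"] = "no RESULT logged"
        outcomes.append(info)
    return outcomes


def binds_for(lines, dn_substring):
    """Outcomes whose bind DN contains dn_substring (case-insensitive)."""
    return [o for o in bind_outcomes(lines) if dn_substring.lower() in o["dn"].lower()]


# Constructed sample: a rejected Console login (err=49), a successful
# Directory Manager bind, and a bind whose connection closed before RESULT.
SAMPLE_LOG = """\
[02/Mar/2006:15:26:01 -0600] conn=5 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[02/Mar/2006:15:26:01 -0600] conn=5 op=0 BIND dn="uid=dsadmin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[02/Mar/2006:15:26:01 -0600] conn=5 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[02/Mar/2006:15:26:01 -0600] conn=5 op=1 UNBIND
[02/Mar/2006:15:26:01 -0600] conn=5 op=1 fd=64 closed - U1
[02/Mar/2006:15:27:10 -0600] conn=6 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[02/Mar/2006:15:27:10 -0600] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[02/Mar/2006:15:27:10 -0600] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[02/Mar/2006:15:28:00 -0600] conn=7 fd=66 slot=66 connection from 10.0.0.9 to 127.0.0.1
[02/Mar/2006:15:28:00 -0600] conn=7 op=0 BIND dn="uid=dsadmin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[02/Mar/2006:15:28:00 -0600] conn=7 op=-1 fd=66 closed - B1
""".splitlines()

if __name__ == "__main__":
    for o in bind_outcomes(SAMPLE_LOG):
        print(f'conn={o["conn"]} op={o["op"]} from {o["src"]} dn="{o["dn"]}" -> {o["outcome"]}')
```

Feeding the real file to `bind_outcomes` (for example `bind_outcomes(open("/opt/fedora-ds/slapd-<instance>/logs/access"))`, path assumed) answers Nathan's question directly: no BIND line for the Console user means the request never reached the directory, a RESULT with err=49 means it did and the credentials were rejected, and a BIND with no RESULT means the connection died mid-operation.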
RE: [Fedora-directory-users] Announcing Fedora Directory Server 1.0.2
by Bliss, Aaron
In my environment, I have 2 directory servers, a supplier and consumer
both running fds 1.0.1; is it necessary to upgrade them both at the same
time or can I run in a mixed environment for a while? Also, it looks
like this bug fix
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=180515 is
addressing this thread
https://www.redhat.com/archives/fedora-directory-users/2006-February/msg00087.html
If so, are there any special configuration changes that I
need to make on the directory servers to make it work? Thanks very much
for a great product and it's awesome to see all of the improvements that
have been made.
Aaron
18 years, 3 months
[Fedora-directory-users] TLS authentication without a user mapped
by François Beretti
Hi,
Is it possible to do a SASL/EXTERNAL bind with a TLS certificate,
while no user in the directory is mapped to the certificate DN?
If yes, is it possible then to give rights to the certificate DN (so, to a
DN that is not in the directory)?
I would like this if I don't want to store users in a directory
(because they already are in another one).
Thank you
François
18 years, 3 months