[Fedora-directory-users] New install, not authenticating
by Hendry, Chris
Upgraded Fedora-ds-1.1 from 1.0.
Version 1.0 worked great, no problems, I upgraded, ran
the setup-ds-admin.pl in the most default way.
Clients cannot log in when pointing to this new DS.
Focus line in /var/log/dirsrv/slapd-servername/access
[07/Feb/2008:14:24:01 -0500] conn=172 op=1 RESULT
err=49 tag=97 nentries=0 etime=0
tag=97 for a result from a client bind operation
err=49 = invalid credentials
Entire log:
[07/Feb/2008:14:24:01 -0500] conn=169 fd=71 slot=71
connection from 10.188.49.187 to 10.188.135.186
[07/Feb/2008:14:24:01 -0500] conn=169 op=-1 fd=71 closed
- B1
[07/Feb/2008:14:24:01 -0500] conn=170 fd=71 slot=71
connection from 10.188.49.187 to 10.188.135.186
[07/Feb/2008:14:24:01 -0500] conn=170 op=0 BIND dn=""
method=128 version=3
[07/Feb/2008:14:24:01 -0500] conn=170 op=0 RESULT err=0
tag=97 nentries=0 etime=0 dn=""
[07/Feb/2008:14:24:01 -0500] conn=170 op=1 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(object
Class=shadowAccount))(|(|(uid=dme))(|(cn=dme))))" attrs="homeDirectory
userPassword gidNumber cn uid cn uidNumber loginShell"
[07/Feb/2008:14:24:01 -0500] conn=170 op=1 RESULT err=0
tag=101 nentries=1 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=2 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(object
Class=shadowAccount))(|(uidNumber=8000)))" attrs="uidNumber uid cn
gidNumber"
[07/Feb/2008:14:24:01 -0500] conn=170 op=2 RESULT err=0
tag=101 nentries=1 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=3 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixGroup))(|(gidNumber=8000)))" attrs="cn
gidNumber"
[07/Feb/2008:14:24:01 -0500] conn=170 op=3 RESULT err=0
tag=101 nentries=0 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=4 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixGroup))(|(memberUid=dme)))" attrs="cn
gidNumber"
[07/Feb/2008:14:24:01 -0500] conn=170 op=4 RESULT err=0
tag=101 nentries=0 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=5 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixGroup))(|(cn=FFFFEEEE-DDDD-CCCC-BBBB-AAAA0
0001F40)))" attrs="cn gidNumber"
[07/Feb/2008:14:24:01 -0500] conn=170 op=5 RESULT err=0
tag=101 nentries=0 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=6 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(object
Class=shadowAccount))(|(|(uid=dme))(|(cn=dme))))" attrs="uid cn
userPassword cn homeDirectory loginShell uidNumber gidNumber
shadowLastChange shadowExpire"
[07/Feb/2008:14:24:01 -0500] conn=170 op=6 RESULT err=0
tag=101 nentries=1 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=7 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(object
Class=shadowAccount))(|(|(uid=dme))(|(cn=dme))))" attrs="uid cn"
[07/Feb/2008:14:24:01 -0500] conn=170 op=7 RESULT err=0
tag=101 nentries=1 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=8 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(object
Class=shadowAccount))(|(uid=dme)(cn=dme)))" attrs="userPassword"
[07/Feb/2008:14:24:01 -0500] conn=170 op=8 RESULT err=0
tag=101 nentries=1 etime=0
[07/Feb/2008:14:24:01 -0500] conn=170 op=9 SRCH
base="dc=post,dc=cnn" scope=2
filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(object
Class=shadowAccount))(|(uid=dme)(cn=dme)))" attrs=ALL
[07/Feb/2008:14:24:01 -0500] conn=170 op=9 RESULT err=0
tag=101 nentries=1 etime=0
[07/Feb/2008:14:24:01 -0500] conn=171 fd=72 slot=72
connection from 10.188.49.187 to 10.188.135.186
[07/Feb/2008:14:24:01 -0500] conn=171 op=-1 fd=72 closed
- B1
[07/Feb/2008:14:24:01 -0500] conn=172 fd=72 slot=72
connection from 10.188.49.187 to 10.188.135.186
[07/Feb/2008:14:24:01 -0500] conn=172 op=0 BIND dn=""
method=sasl version=3 mech=CRAM-MD5
[07/Feb/2008:14:24:01 -0500] conn=172 op=0 RESULT err=14
tag=97 nentries=0 etime=0, SASL bind in progress
[07/Feb/2008:14:24:01 -0500] conn=172 op=1 BIND dn=""
method=sasl version=3 mech=CRAM-MD5
[07/Feb/2008:14:24:01 -0500] conn=172 op=1 RESULT err=49
tag=97 nentries=0 etime=0
[07/Feb/2008:14:24:01 -0500] conn=172 op=2 UNBIND
[07/Feb/2008:14:24:01 -0500] conn=172 op=2 fd=72 closed
- U1
16 years, 3 months
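Added example (not part of the original post): the reading of tag=97 and err=49 given above, turned into a small Python triage script that pairs each BIND with its RESULT by conn and op and reports which bind mechanism failed. The sample lines are constructed in the same access-log format, with each entry on one line and documentation IP addresses; the function names are this example's own.

```python
import re

# Constructed sample in the access-log format quoted in the post
# (one entry per line; addresses and base DN are placeholders).
SAMPLE = """\
[07/Feb/2008:14:24:01 -0500] conn=170 fd=71 slot=71 connection from 192.0.2.10 to 192.0.2.1
[07/Feb/2008:14:24:01 -0500] conn=170 op=0 BIND dn="" method=128 version=3
[07/Feb/2008:14:24:01 -0500] conn=170 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Feb/2008:14:24:01 -0500] conn=170 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=dme)" attrs="uid cn"
[07/Feb/2008:14:24:01 -0500] conn=170 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Feb/2008:14:24:01 -0500] conn=172 fd=72 slot=72 connection from 192.0.2.10 to 192.0.2.1
[07/Feb/2008:14:24:01 -0500] conn=172 op=0 BIND dn="" method=sasl version=3 mech=CRAM-MD5
[07/Feb/2008:14:24:01 -0500] conn=172 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[07/Feb/2008:14:24:01 -0500] conn=172 op=1 BIND dn="" method=sasl version=3 mech=CRAM-MD5
[07/Feb/2008:14:24:01 -0500] conn=172 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[07/Feb/2008:14:24:01 -0500] conn=172 op=2 UNBIND
"""

LINE = re.compile(r'^\[[^\]]+\] conn=(\d+) (?:op=(-?\d+) )?(.*)$')
CONNECT = re.compile(r'connection from (\S+) to \S+')
BIND = re.compile(r'^BIND dn="([^"]*)" method=(\S+) version=\d+(?: mech=(\S+))?')
RESULT = re.compile(r'^RESULT err=(\d+) tag=(\d+)')

def bind_outcomes(text):
    """Pair each BIND with its RESULT (same conn and op); tag=97 marks a bind response."""
    clients, pending, out = {}, {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), m.group(2), m.group(3)
        if op is None:                      # connection-open line carries no op=
            c = CONNECT.search(rest)
            if c:
                clients[conn] = c.group(1)
            continue
        key = (conn, int(op))
        b, r = BIND.match(rest), RESULT.match(rest)
        if b:
            dn, method, mech = b.groups()   # method=128 is an LDAP simple bind
            pending[key] = (dn, mech or ("simple" if method == "128" else method))
        elif r and r.group(2) == "97" and key in pending:
            dn, mech = pending.pop(key)
            out.append({"conn": conn, "op": key[1], "client": clients.get(conn),
                        "dn": dn, "mech": mech, "err": int(r.group(1))})
    return out

def failed_binds(text):
    """err=49 is invalid credentials; err=14 is only an intermediate SASL step."""
    return [b for b in bind_outcomes(text) if b["err"] == 49]

if __name__ == "__main__":
    for bind in failed_binds(SAMPLE):
        print(bind)
```

On the sample, the anonymous simple bind on conn=170 succeeds and the only err=49 belongs to the second CRAM-MD5 step on conn=172, which is the split visible in the log above.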
[Fedora-directory-users] Windows Management Console
by Chris Brandt
Hi there, I'm having some issues with the Windows Console.
The console runs, connects to my server and I can do a simple search
returning results. So it basically works.
But there are some problems:
1. Servers and Applications tab is always empty. Not sure if I'm
doing something wrong or just haven't done something. But the web based
console (Administration Express) does show my servers and groups. Do I
need to add a group to the java console?
2. I get exceptions showing up in the java text console when I try
different operations in the graphical console window. For example I can
do a search and get results, but if I double click a name the cursor
changes to an hour glass and the following exception shows up in the
java console : Exception in thread "AWT-EventQueue-0"
java.lang.NullPointerException and nothing happens in the graphical
console.
I am running JRE 1.6.0_03, I see that the website recommends 1.4.2. I'm
not a Java guy, is it possible to easily do a side by side installation?
Or does anyone know that JRE 1.6.0 works?
Any ideas on what I can do to get this thing working properly?
Thanks
Christopher Brandt
Systems Architect
Suite 225 - 4259 Canada Way
Burnaby, BC V5G 1H1
e. chris.brandt(a)ernex.com
p. 604.415.1554
c. 604.318-5724
f. 604.415.1591
A Division of Moneris Solutions Corporation
16 years, 3 months
[Fedora-directory-users] Weird failed install
by Hendry, Chris
This is my second upgrade to fedora-ds 1.1 on fedora-core 6.
The config O/S install is the same.
The first went great, no problem, but then after running
setup-ds-admin.pl on the second server got:
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'p4ds03' was successfully created.
Creating the configuration directory server . . .
Error: failed to open an LDAP connection to host 'p4ds03.mydomain.com'
port '389' as user 'cn=Directory Manager'. Error
: unknown.
Failed to create the configuration directory server
Exiting . . .
Log file is '/tmp/setupHxsAmb.log'
In log file: /var/log/dirsrv/admin-serv/error :
Configuration Failed
[Wed Feb 06 10:00:01 2008] [warn] Unable to bind as LocalAdmin to
populate LocalAdmin tasks into cache.
[Wed Feb 06 10:00:01 2008] [notice] Access Host filter is:
*.mydomain.com
[Wed Feb 06 10:00:01 2008] [notice] Access Address filter is: *
Tried to manually connect but got:
[root@p4ds03 dirsrv]# ldapsearch -x -h p4ds03.mydomain.com -p 389 -D
"cn=directory manager" -w "mypassword" -s base -b ""
ldap_bind: Can't contact LDAP server (-1)
/var/log/dirsrv/slapd-p4ds03/errors:
[06/Feb/2008:10:01:32 -0500] - slapd shutting down - signaling operation
threads
[06/Feb/2008:10:01:32 -0500] - slapd shutting down - waiting for 25
threads to terminate
[06/Feb/2008:10:01:32 -0500] - slapd shutting down - closing down
internal subsystems and plugins
[06/Feb/2008:10:01:32 -0500] - Waiting for 4 database threads to stop
[06/Feb/2008:10:01:32 -0500] - All database threads now stopped
[06/Feb/2008:10:01:32 -0500] - slapd stopped.
[06/Feb/2008:10:02:43 -0500] - dblayer_instance_start: pagesize: 4096,
pages: 518667, procpages: 6666
[06/Feb/2008:10:02:43 -0500] - cache autosizing: import cache: 204800k
[06/Feb/2008:10:02:43 -0500] - li_import_cache_autosize: 50,
import_pages: 51200, pagesize: 4096
[06/Feb/2008:10:02:43 -0500] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to access
the database
[06/Feb/2008:10:02:43 -0500] - dblayer_instance_start: pagesize: 4096,
pages: 518667, procpages: 6666
[06/Feb/2008:10:02:43 -0500] - cache autosizing: import cache: 204800k
[06/Feb/2008:10:02:43 -0500] - li_import_cache_autosize: 50,
import_pages: 51200, pagesize: 4096
[06/Feb/2008:10:02:43 -0500] - import userRoot: Beginning import job...
[06/Feb/2008:10:02:43 -0500] - import userRoot: Index buffering enabled
with bucket size 100
[06/Feb/2008:10:02:43 -0500] - import userRoot: Processing file
"/tmp/ldifXRKznG.ldif"
[06/Feb/2008:10:02:43 -0500] - import userRoot: Finished scanning file
"/tmp/ldifXRKznG.ldif" (9 entries)
[06/Feb/2008:10:02:44 -0500] - import userRoot: Workers finished;
cleaning up...
[06/Feb/2008:10:02:44 -0500] - import userRoot: Workers cleaned up.
[06/Feb/2008:10:02:44 -0500] - import userRoot: Cleaning up producer
thread...
[06/Feb/2008:10:02:44 -0500] - import userRoot: Indexing complete.
Post-processing...
[06/Feb/2008:10:02:44 -0500] - import userRoot: Flushing caches...
[06/Feb/2008:10:02:44 -0500] - import userRoot: Closing files...
[06/Feb/2008:10:02:44 -0500] - All database threads now stopped
[06/Feb/2008:10:02:44 -0500] - import userRoot: Import complete.
Processed 9 entries in 1 seconds. (9.00 entries/sec)
[06/Feb/2008:10:02:44 -0500] - Fedora-Directory/1.1.0 B2007.354.1236
starting up
[06/Feb/2008:10:02:44 -0500] - I'm resizing my cache now...cache was
209715200 and is now 8000000
[06/Feb/2008:10:02:44 -0500] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
/var/log/dirsrv/slapd-p4ds03/access:
[06/Feb/2008:10:00:40 -0500] conn=0 op=-1 fd=64 closed - B1
[06/Feb/2008:10:01:02 -0500] conn=1 fd=64 slot=64 connection from
10.188.49.54 to 10.188.135.186
[06/Feb/2008:10:01:02 -0500] conn=1 op=0 BIND dn="(null)" method=128
version=3
[06/Feb/2008:10:01:02 -0500] conn=1 op=0 RESULT err=32 tag=97 nentries=0
etime=0
[06/Feb/2008:10:01:08 -0500] conn=1 op=-1 fd=64 closed - B1
Any ideas before I give up and just upgrade to Fedora 8?
Chris
16 years, 3 months
Re: [Fedora-directory-users] where is password sync for rhds
by Aaron Oas
> I think you can just use
> http://directory.fedoraproject.org/wiki/Download the latest PassSync.msi
> here. If you're already using it, you shouldn't have to do anything.
> This is dated 20060330 which was well after the 7.1 release. I suppose
> this is one of those times where the Red Hat docs can trip you up if you
> are a Fedora DS user.
# rpm -q --whatprovides /opt/redhat-ds/winsync/PassSync.msi
redhat-ds-7.1SP3-5.RHEL4
# md5sum /opt/redhat-ds/winsync/PassSync.msi
54c33a6e665bb2526f1f286e505cc0ff /opt/redhat-ds/winsync/PassSync.msi
The one we installed when setting up RHDS 7.1SP3 has the same md5sum as
the latest one on the FDS download site. I assume PassSync.msi in RHDS
7.1 was updated to current as part of one of the service packs to RHDS
7.1.
That seems to be in alignment with the verbiage "if 7.1 is upgraded to a
*service pack* [emphasis added] or 8.0" that I found in the 8.0
documentation -- i.e. if you had a non-service-pack 7.1 and upgraded to
a 7.1SP version, you also needed to upgrade the PassSync.msi on the AD
server.
Well, it continues to seem odd that Red Hat is not supplying the
PassSync.msi anywhere in the RHDS 8.0 packages. Where would a new
customer implementing RHDS 8.0 expect to find PassSync.msi?
On the other hand, it looks like I'm current. If I hear back from my
Red Hat support ticket to the contrary, I'll reply to this in case
anyone else was dying to know the answer.
Thanks, Rich!
- Aaron Oas
16 years, 3 months
[Fedora-directory-users] sync new attribute
by Luigi Santangelo
Hi all
I configured Fedora DS so that now I can sync it with Windows AD.
Then, I modified the Fedora LDAP schema adding a new attribute called
memberOf. Windows AD has already an attribute with the same name.
When I start the sync, all the attributes are synchronized except the
new attribute. How can I sync the new attribute in the same way?
thanks
Luigi
16 years, 3 months
[Fedora-directory-users] where is password sync for rhds 8.0
by Aaron Oas
Apologies in advance for invoking rhds instead of fds, and for what will
surely prove to be a glaringly obvious answer, but I am tearing my hair
out trying to find where passsync.msi or passsync.exe went with the
release of redhat directory server 8.0.
I have googled and have done the brute-force approaches like:
rpm -ql redhat-ds*rpm |grep -I passsync
find / -iname "passsync*"
to no avail.
In 19.2.4 of the Red Hat Directory Server 8.0 Administration Guide, it
says:
"NOTE
If the Directory Server is upgraded from 7.1 to a service pack or to
version 8.0, then the Password Sync service must be reinstalled with the
newer version. "
So I assume there is a new version of the password sync service in 8.0,
but I cannot find any mention of what directory or RPM to get the
passsync.msi from. In rhds 7.1, the file was in
/opt/redhat-ds/winsync/PassSync.msi, but in rhds 8.0, the packages and
filesystem layout is different.
Does anyone know where the PassSync.msi file is in redhat directory
server 8.0?
- Aaron Oas
16 years, 3 months
[Fedora-directory-users] pam ldap nss_ldap
by gregory LAROCHE
I have a problem with ldap authentication and pam,
that generates an error message like:
pam_unix(vsftpd:auth): authentication failure
pam_unix(sshd:auth): authentication failure
Do I need attributes for my users or something else?
/etc/pam.d/vsftpd
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
/etc/pam.d/system-auth
auth required pam_env.so
### if the next line is commented, I could not authenticate "myuser" by ftp or ssh, to the machine through ldap directory server
#auth sufficient pam_unix.so nullok try_first_pass
### if the line before is not commented, I could auth, to the machine through ldap but with the error message, shown below
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
# error messages in /var/log/secure
pam_unix(vsftpd:auth): authentication failure
pam_unix(sshd:auth): authentication failure
# ldap entries
dn: uid=myuser,ou=people,dc=mydomain,dc=com
givenName: myuser
sn: myuser
mail: myuser.myuser(a)mydomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: shadowaccount
objectClass: posixAccount
objectClass: account
objectClass: authorizedserviceobject
uid: myuser
cn: myuser myuser
uidNumber: 521
gidNumber: 521
homeDirectory: /tmp
loginShell: /bin/bash
host: myhost.mydomain.com
authorizedService: vsftpd
authorizedService: sshd
shadowLastChange: 13313
shadowMax: 99999
shadowWarning: 7
userPassword: {SSHA}yOhxgKxfjdkjfkdmjfkmdsjf298*x$==
nsuniqueid: 8fd56b01-1dd211b2-8724ac3a-e0940000
parentid: 4
entryid: 82
entrydn: uid=myuser,ou=people,dc=mydomain,dc=com
hassubordinates: FALSE
numsubordinates: 0
subschemasubentry: cn=schema
dn: cn=myuser+gidnumber=521,ou=Groups,dc=mydomain,dc=com
cn: myuser
gidNumber: 521
objectClass: top
objectClass: posixgroup
nsuniqueid: d75bf701-1dd111b2-8725ac3a-e0940000
parentid: 3
entryid: 83
entrydn: cn=myuser+gidnumber=521,ou=groups,dc=mydomain,dc=com
hassubordinates: FALSE
numsubordinates: 0
subschemasubentry: cn=schema
# config PAM : fedora core 5
# FDS 1.1 : fedora core 7
## -- Thank you
16 years, 3 months
[Fedora-directory-users] Generating UID and GID with 1.1 and admin console
by Todd Nine
Hi all,
I'm trying to create new users that have POSIX user attributes so I can
set up PAM on our servers to authenticate against the fedora directory
server, as well as subversion. I have directory server version 1.1 and I've
enabled the libdna-plugin, and restarted both the directory server and the
admin server. However when I enable POSIX on a new user through the admin
console, I'm still required to enter a UID and GID. Am I missing the point
of the libdna plugin, but isn't it going to generate this for me? Is it
possible for me to make those fields not required in the admin interface?
Thanks,
Todd
16 years, 3 months
[Fedora-directory-users] Generating and installing certificates for Fedora-ds 1.1.0 using Openssl base CA
by Howard Wilkinson
We have a CA using our corporate certificate which we want to sign our
certificates for the fedora-ds and clients.
I am trying to work out how to do this. The setupssl2 script works fine
in generating and installing a self-signed certificate on the server(s)
but we now want to generate and sign using our CA.
Does anybody have a set of instructions that would cover this case?
In particular I would like to understand when the use of certutil is
mandatory and when it can be replaced with one or more openssl commands.
Eventually I would like to be able to configure the server using the
setup-ds-admin script with a certificate already pre-generated by
openssl quoted as the CACertificate parameter.
One complication to all of this is that we need to assign a number of
SubjectAltNames to the certificates so that a server may have multiple
identities!
Regards, Howard
16 years, 3 months
[Fedora-directory-users] Exception trying to use the 1.1 console
by Richard Hesse
If I connect to a 1.04 DS that houses our configuration data, the initial console screen doesn't show the existing configuration data. If I hit refresh, I get this exception:
Exception in thread "AWT-EventQueue-0" java.lang.ArrayIndexOutOfBoundsException:
node has no children
at javax.swing.tree.DefaultMutableTreeNode.getChildAt(Unknown Source)
at com.netscape.management.client.topology.ServerLocNode.getChildAt(Unkn
own Source)
at com.netscape.management.client.ResourceModel.getChild(Unknown Source)
at com.netscape.management.client.topology.TopologyModel.expandFirstNode
(Unknown Source)
at com.netscape.management.client.topology.TopologyModel.refreshTree(Unk
nown Source)
at com.netscape.management.client.topology.TopologyModel.actionMenuSelec
ted(Unknown Source)
Any ideas? 1.04 console works fine, but I'd like to get 1.1 working so that I can manage some 1.1 test instances. Thanks.
-richard
16 years, 3 months