[Fedora-directory-users] fedora directory server and ldap authentication for httpd 2.2.x
by Marco Strullato
Hi all,
I already have two fedora directory servers set up in multi master replica
and tls used for linux authentication.
Now I have to connect my fds authentication system to the apache web server
(httpd 2.2.x). Web traffic btw browser and httpd server will be encrypted
with mod_ssl.
I added to httpd.conf the following lines
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/cacert.pem
LDAPTrustedMode TLS
and I create a .htaccess file with this content:
AuthType Basic
AuthName "Restricted Access"
AuthLDAPURL ldap://server/c=it?uid?one TLS
AuthzLDAPAuthoritative On
AuthLDAPEnabled On
AuthLDAPBindDN "cn=Directory Manager"
AuthLDAPBindPassword "password"
Unluckily I cannot authenticate and I get
[Mon Mar 17 15:45:33 2008] [error] [client 10.0.1.13] access to /4.4 failed,
reason: verification of user id 'user' not configured
Suggestions?
Tnks
Marco Strullato
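The log line "verification of user id '...' not configured" is emitted by mod_authn_default, which only runs when no other authentication module claimed the request. In httpd 2.2 Basic authentication is split into providers, so mod_authnz_ldap is never consulted unless `AuthBasicProvider ldap` is set (the default provider is `file`) and mod_auth_basic, mod_ldap and mod_authnz_ldap are all loaded. The following is an added example of a complete 2.2 configuration for the setup described in the post; it is not the poster's file. The `LoadModule` paths, the `/var/www/html/restricted` directory and the low-privilege bind account `cn=httpd-bind,ou=Services,c=it` are assumptions.

```apache
# Added example for httpd 2.2 + mod_authnz_ldap (not from the original post).
# Assumed: modules built as DSOs under modules/, directory base c=it, and a
# read-only service account cn=httpd-bind,ou=Services,c=it created in FDS.
LoadModule auth_basic_module   modules/mod_auth_basic.so
LoadModule ldap_module         modules/mod_ldap.so
LoadModule authnz_ldap_module  modules/mod_authnz_ldap.so

# Server-level (httpd.conf only): trust the CA that signed the FDS certificate
LDAPTrustedGlobalCert CA_BASE64 /etc/openldap/cacerts/cacert.pem
LDAPTrustedMode TLS

<Directory "/var/www/html/restricted">
    AuthType Basic
    AuthName "Restricted Access"
    # 2.2 needs the provider named explicitly; without it 'file' is used
    # and the request falls through to mod_authn_default
    AuthBasicProvider ldap
    # trailing TLS keyword = STARTTLS on port 389 (ldaps:// also works)
    AuthLDAPURL "ldap://server/c=it?uid?one" TLS
    # bind with a dedicated read-only account, never cn=Directory Manager
    AuthLDAPBindDN "cn=httpd-bind,ou=Services,c=it"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"
    AuthzLDAPAuthoritative On
    # without a Require line no authentication check runs at all
    Require valid-user
</Directory>
```

The `<Directory>` body can live in an `.htaccess` file instead if `AllowOverride AuthConfig` is set, but keeping it in httpd.conf means the bind password is not stored under the document root, where a misconfigured alias or a source-disclosure bug would expose it; for the same reason the account used for `AuthLDAPBindDN` should only be able to read `uid` under `c=it`, not the whole directory as `cn=Directory Manager` can.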
[Fedora-directory-users] Fedora-DS replication issue
by Steve Burt
Hi Folks, appreciate your help here; at each stage there have been hurdles...
Fact 1 : I have added ldap2.hostname.com DS into the Configuration
Server on ldap1.hostname.com
Fact 2 : I have run the migration script to export all users and
groups into an ldif format and imported them into Fedora-DS
Fact 3 : I have Enabled Replica on ldap1 setup a Single Master Relation
Fact 4 : I have configured ldap2.hostname.com as a Dedicated Consumer
Fact 5 : I have set up a Replication Agreement on userRoot DB on ldap1
Fact 6 : I have set up a Base DN for the Replication Manager on ldap2
The errors I am now getting are... they sorta speak for themselves
Any Pointers...
[13/Mar/2008:16:55:13 +0000] NSMMReplicationPlugin - conn=59 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:00:13 +0000] NSMMReplicationPlugin - conn=60 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:05:13 +0000] NSMMReplicationPlugin - conn=61 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:10:13 +0000] NSMMReplicationPlugin - conn=62 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:15:13 +0000] NSMMReplicationPlugin - conn=63 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:20:13 +0000] NSMMReplicationPlugin - conn=64 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:25:13 +0000] NSMMReplicationPlugin - conn=65 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:30:13 +0000] NSMMReplicationPlugin - conn=66 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
[13/Mar/2008:17:35:13 +0000] NSMMReplicationPlugin - conn=67 op=3
replica="dc=hostname, dc=com": Unable to acquire replica: error:
permission denied
Kind Regards
Steve
[Fedora-directory-users] Password Warnings
by Legatus
I am new to the list, and I apologize if this question has been answered
before.
I haven't done much programming for LDAP, though I have been managing
directories for years. I am working with some developers, who a) aren't very
imaginative, b) aren't very clever, and c) are lazy. So I need to know how to get
at the password information that says a password has expired, is about to
expire, et al. I have tried to query for the attributes using ldapsearch
that seem to be what I want, like passwordexpirationtime, but I get nothing
back. They all figure I should know the magic incantation, since I know how
to make the directory work, and usually that would be the case. This time I
am stuck. Anyone solved this problem? I am running FDS 1.0.2, and 1.0.4. I
get the same result in both. Any help would be great.
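`passwordExpirationTime` (like `passwordExpWarned`, `passwordRetryCount` and `accountUnlockTime`) is an operational attribute in Fedora DS: a plain `ldapsearch` that lists no attributes returns only user attributes, so it has to be named explicitly, and the bind identity needs ACI read access to it. The block below is an added example, not code from the post, showing what application code has to do with the value once it has it: parse the GeneralizedTime, recognise the sentinel the server writes when expiration is disabled, and classify the account against a warning window. The `ldapsearch` command in the docstring and the sample values are constructed.

```python
"""Classify password-policy state from the operational attributes that
Fedora Directory Server keeps on each entry. Added example; sample values
are constructed and the ldapsearch line below is an assumed invocation.

passwordExpirationTime is only returned when requested by name:

    ldapsearch -x -ZZ -D "cn=Directory Manager" -W \
        -b "ou=People,dc=example,dc=com" "(uid=alice)" \
        passwordExpirationTime passwordExpWarned
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Value the server stores in passwordExpirationTime when expiration is off.
NEVER_EXPIRES = "20380119031407Z"

# Constructed sample: uid -> passwordExpirationTime. None models an absent
# attribute (no expiring policy applies, or the caller may not read it).
SAMPLE: Dict[str, Optional[str]] = {
    "alice": "20080320120000Z",
    "bob":   "20080301000000Z",
    "carol": NEVER_EXPIRES,
    "dave":  None,
}


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime as FDS writes it: YYYYMMDDHHMMSSZ, always UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def seconds_until_expiry(exp_value: Optional[str], now: datetime) -> Optional[int]:
    """Seconds left before expiry; negative if already expired; None if unknown
    or the password never expires."""
    if exp_value is None or exp_value == NEVER_EXPIRES:
        return None
    return int((parse_generalized_time(exp_value) - now).total_seconds())


def password_state(exp_value: Optional[str], now: datetime,
                   warning: timedelta = timedelta(days=7)) -> str:
    """One of: unknown, never-expires, expired, expiring-soon, ok."""
    if exp_value is None:
        return "unknown"
    if exp_value == NEVER_EXPIRES:
        return "never-expires"
    remaining = parse_generalized_time(exp_value) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= warning:
        return "expiring-soon"
    return "ok"


def report(values: Dict[str, Optional[str]], now: datetime,
           warning: timedelta = timedelta(days=7)) -> Dict[str, str]:
    """State per uid, the shape a login page or a nagging e-mail job wants."""
    return {uid: password_state(v, now, warning) for uid, v in values.items()}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for uid, state in report(SAMPLE, now).items():
        print(f"{uid:8s} {state:14s} {seconds_until_expiry(SAMPLE[uid], now)}")
```

The warning window is a client-side choice here; the server's own `passwordWarning` (seconds) decides when it starts returning the "about to expire" notice, and `passwordExpWarned` flips to 1 once that notice has been sent, so an application that wants to match the server's behaviour should read both and use the server's value rather than a hard-coded seven days.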
[Fedora-directory-users] Replication Agreements
by Jared B. Griffith
Is it possible to set up new replication agreements without using the console (using ldif file obviously)?
--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith(a)farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542
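Yes: an agreement is just an `nsDS5ReplicationAgreement` entry under the supplier's `cn=replica` entry in `cn=config`, and `ldapmodify -a` can add it. The added example below (not from either post) generates such an LDIF and then checks it against the dedicated consumer's own `cn=replica` entry, which is where the "Unable to acquire replica: error: permission denied" loop in the earlier thread comes from: the consumer only accepts updates from the DNs listed in its `nsDS5ReplicaBindDN`, so an agreement whose bind DN is not on that list is refused every five minutes at the scheduled retry. The agreement name `ldap1-to-ldap2`, the bind DN `cn=Replication Manager,cn=config` and the entry contents are constructed assumptions.

```python
"""Replication agreement as LDIF, plus a consistency check against the
consumer's replica entry. Added example, not from the posts: entry contents
are constructed; the agreement name and the bind DN are assumptions."""

REQUIRED_AGREEMENT_ATTRS = (
    "nsds5replicahost", "nsds5replicaport", "nsds5replicabinddn",
    "nsds5replicabindmethod", "nsds5replicatransportinfo",
    "nsds5replicaroot", "nsds5replicacredentials",
)

# Constructed: what a dedicated consumer (ldap2) holds under cn=config.
# Type 2 = read-only replica, 65535 is the fixed consumer replica id, and
# the bind DN list names the only identities allowed to push updates.
CONSUMER_REPLICA_LDIF = """\
dn: cn=replica,cn="dc=hostname,dc=com",cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: dc=hostname,dc=com
nsDS5ReplicaType: 2
nsDS5ReplicaId: 65535
nsDS5Flags: 0
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
"""


def parse_ldif_entry(text):
    """One LDIF entry -> {attribute_lowercase: [values]}, folding wrapped lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Crude DN normalisation (case, spaces after commas) for comparison only."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def make_agreement_ldif(name, host, port, bind_dn, root, credentials):
    """LDIF for 'ldapmodify -a' on the supplier; no console involved."""
    return (
        f'dn: cn={name},cn=replica,cn="{root}",cn=mapping tree,cn=config\n'
        "objectClass: top\n"
        "objectClass: nsDS5ReplicationAgreement\n"
        f"cn: {name}\n"
        f"nsDS5ReplicaHost: {host}\n"
        f"nsDS5ReplicaPort: {port}\n"
        f"nsDS5ReplicaBindDN: {bind_dn}\n"
        "nsDS5ReplicaBindMethod: SIMPLE\n"
        "nsDS5ReplicaTransportInfo: LDAP\n"
        f"nsDS5ReplicaRoot: {root}\n"
        f"nsDS5ReplicaCredentials: {credentials}\n"
    )


def check_agreement(agreement, consumer_replica):
    """Return a list of problems; an empty list means the consumer should
    accept this supplier."""
    problems = [f"agreement lacks {a}" for a in REQUIRED_AGREEMENT_ATTRS
                if a not in agreement]
    if problems:
        return problems
    bind_dn = normalize_dn(agreement["nsds5replicabinddn"][0])
    allowed = [normalize_dn(d) for d in consumer_replica.get("nsds5replicabinddn", [])]
    if bind_dn not in allowed:
        # the case the consumer logs as "Unable to acquire replica: permission denied"
        problems.append(f"bind DN {bind_dn} is not in the consumer's nsDS5ReplicaBindDN")
    if normalize_dn(agreement["nsds5replicaroot"][0]) != normalize_dn(
            consumer_replica.get("nsds5replicaroot", [""])[0]):
        problems.append("nsDS5ReplicaRoot differs between agreement and consumer")
    if consumer_replica.get("nsds5replicatype", [""])[0] != "2":
        problems.append("consumer replica is not nsDS5ReplicaType 2 (read-only)")
    return problems


if __name__ == "__main__":
    consumer = parse_ldif_entry(CONSUMER_REPLICA_LDIF)
    ldif = make_agreement_ldif("ldap1-to-ldap2", "ldap2.hostname.com", 389,
                               "cn=Replication Manager,cn=config",
                               "dc=hostname,dc=com",
                               "REPLACE_WITH_REPL_MANAGER_PASSWORD")
    print(ldif)
    print("problems:", check_agreement(parse_ldif_entry(ldif), consumer) or "none")
```

Load the generated file with `ldapmodify -a -x -D "cn=Directory Manager" -W -f agreement.ldif` against the supplier. The bind DN named in the agreement must also exist as an entry on the consumer with a `userPassword`, and the password in `nsDS5ReplicaCredentials` must match it; a wrong password shows up as a bind failure rather than the "permission denied" above. For a TLS-protected link, set `nsDS5ReplicaTransportInfo` to `TLS` or `SSL` and the port accordingly.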
[Fedora-directory-users] LDAP entry not showing up in search
by Scott Lacy
Hi All,
I have an entry this morning that I have added via ldif. ldapmodify
gave no errors on the import, and the entry shows up in the backup ldif
I made of the database afterward. However, this user does not show up
in any searches. It is not an admin user, and is in the same ou as the
rest of the users. I did a larger ldif earlier this morning of some
additions and deletions, and they all seem to appear fine both in the
ldif and in searches. This is in 1.0.4. Any obvious things that I'm
missing or suggestions as to the problem?
Thanks,
Scott Lacy
Server Manager
Mercer University
[Fedora-directory-users] groups
by solarflow99
I guess FDS doesn't really make use of the UPG scheme that local
authentication in redhat has always used?
If I could say a feature request, it would be a simple way to customise
templates for adding users/groups, etc. I don't see any way to add
objectclasses and values, or hashed samba SID and passwords, without doing
them manually after the object has already been created. Also, some
objectclasses should be changed, for example adding a group uses
groupofuniquenames instead of posixgroup.
[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 34, Issue 24
by Steve Burt
Hi Rich,
Ok so I think I have to create an ldif file
There is a workaround - if the fqdn is host.example.com, you just have to create
the following entries:
dn: cn=host.example.com, ou=example.com, o=NetscapeRoot
objectclass: top
objectclass: nsHost
objectclass: groupOfUniqueNames
cn: host.example.com
nsosversion: output of uname -a on the machine
nshardwareplatform: arch e.g. i386 or x86_64 or ...
serverHostName: host.example.com
dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot
objectclass: top
objectclass: nsAdminGroup
objectclass: nsDirectoryInfo
objectclass: groupOfUniqueNames
nsAdminGroupName: Server Group
nsDirectoryInfoRef: cn=User Directory, ou=Global Preferences, ou=example.com,
o=NetscapeRoot
Is that correct?
On 12/03/2008, fedora-directory-users-request(a)redhat.com
<fedora-directory-users-request(a)redhat.com> wrote:
> Send Fedora-directory-users mailing list submissions to
> fedora-directory-users(a)redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> or, via email, send a message with subject or body 'help' to
> fedora-directory-users-request(a)redhat.com
>
> You can reach the person managing the list at
> fedora-directory-users-owner(a)redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Fedora-directory-users digest..."
>
>
> Today's Topics:
>
> 1. SELinux policy for Fedora Directory Server 1.1.0 (Pär Aronsson)
> 2. Problems in adding a second server into a new (Steve Burt)
> 3. Re: Problems in adding a second server into a new (Rich Megginson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 11 Mar 2008 17:34:09 +0100
> From: Pär Aronsson <par.aronsson(a)telia.com>
> Subject: [Fedora-directory-users] SELinux policy for Fedora Directory
> Server 1.1.0
> To: selinux(a)tycho.nsa.gov, fedora-directory-users(a)redhat.com
> Message-ID: <200803111734.10289.par.aronsson(a)telia.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> Attached is a SELinux policy for the Fedora Directory Server 1.1.0.
> It is composed of three parts.
> * dirsrv - directory server and setup programs
> * dirsrv-admin - administration server and setup programs
> * fedora-idm-console - java based console for administration
>
> The policies were developed on a CentOS 5.1 with the following packages:
> fedora-ds-base-1.1.0-3.fc6
> fedora-ds-admin-1.1.1-1.fc6
> fedora-ds-console-1.1.0-5.fc6
> selinux-policy-2.4.6-106.el5_1.3
> kernel-2.6.18-53.1.4.el5
>
> I've successfully tested the policies in targeted and strict mode.
>
> The dirsrv-admin policy requires that the apache policy module is loaded.
> Also run:
> setsebool -P httpd_enable_cgi on
>
> Comment out the following in /usr/sbin/start-ds-admin (line 63-65):
> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
> SELINUX_CMD="runcon -t unconfined_t --"
> fi
>
> I had trouble with the replication plugin so I haven't been able to do any
> testing with replication.
>
> Any comments are welcome.
>
> // Pär Aronsson
>
[Fedora-directory-users] Problems in adding a second server into a new
by Steve Burt
Greetings Folks
I am very new to Fedora-DS and have, I think, successfully installed a
Directory Server and a server group with an admin server and 1
Directory Server.
My Aim is to Install a second directory server, I think this is
basically running the setup-ds-admin.pl on the second server...
Could anyone help..
Yours Humbly
Steve
[Fedora-directory-users] temporary resource unavailable problem with fedora directory server
by M Vallapan
Dear all,
I have installed fedora directory server version :
fedora-ds-1.0.4-1.RHEL4. This ldap server integrates with postfix and
our radius server. My problem is when I check the access log I see
this error
[18/Feb/2008:11:04:51 +0800] conn=72887 op=-1 fd=593 closed error 11
(Resource temporarily unavailable) - T1
[18/Feb/2008:11:04:54 +0800] conn=72898 op=-1 fd=666 closed error 11
(Resource temporarily unavailable) - T1
[18/Feb/2008:11:05:22 +0800] conn=72895 op=-1 fd=605 closed error 11
(Resource temporarily unavailable) - T1
occurring again and again very frequently. I have already tuned the
server according to the tuning guide on fedora directory server site.
This is my sysctl.conf :
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
net.ipv4.ip_local_port_range = 1024 65000
fs.file-max = 128000
net.ipv4.tcp_keepalive_time = 300
Am I missing something that I haven't done?