[Fedora-directory-users] SSL/TLS vs SASL in Directory Server solution
by Kenneth Holter
Hi.
We're planning on deploying Red Hat Directory Server 8.0, and could use
some advice on security.
The DS supports both TLS and SASL. TLS can be used for both authentication
and encryption, and should therefore cover our security needs.
SASL is quite new to me, and as of now I don't see the benefit of using it.
Which security or functionality features does SASL provide that TLS doesn't?
I know that SASL enables integration with Kerberos, but we're most likely
not going for a Kerberos based solution.
Furthermore, what are the default security features of RHDS 8.0? Is it using
SASL by default (is it possible to deactivate it)?
Regards,
kenneho
16 years
[Fedora-directory-users] MMR: excessive clock skew
by Reinhard Nappert
Hi,
I experienced the following issue with an FDS 1.0.4 MMR setup: after
weeks of proper replication, the replication fails with the following
error-log entry:
[08/May/2008:15:36:05 +0800] NSMMReplicationPlugin - conn=889 op=3 replica="<suffix>": Unable to acquire replica: error: excessive clock skew
Both boxes are configured with the same NTP server and the clock is in
sync.
After replication was disabled (deletion of all changelogs) and
configuring the MMR from scratch, replication works fine for a while,
but eventually the above mentioned issue occurs again.
Did anyone experience the same? Is there a solution to fix this
issue?
Thanks,
-Reinhard
16 years
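The error-log entry quoted above has a regular shape (timestamp in brackets, plugin name, dash, message with conn/op/replica fields), which makes it easy to watch for. The following Python is an added example, not code from the post or from the directory server project: it parses lines in that format, filters out the replication plugin's "excessive clock skew" errors, and summarises them per replica so an operator can see whether the problem is confined to one agreement or recurs across all of them. The sample log lines are constructed; the suffix `dc=example,dc=com` and the non-error messages are made up for the example.

```python
"""Parse 389/Fedora DS error-log lines and pull out replication errors such as
'excessive clock skew'. Added example; not code from the post or from the
directory server project. Log format as shown in the post:
'[dd/Mon/yyyy:HH:MM:SS +zzzz] Source - message'."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<source>\S+)\s+-\s+(?P<msg>.*)$")
REPL_RE = re.compile(r'conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+replica="(?P<replica>[^"]*)"')
SKEW_TEXT = "excessive clock skew"


@dataclass
class LogEvent:
    ts: datetime
    source: str
    message: str
    conn: Optional[int] = None
    op: Optional[int] = None
    replica: Optional[str] = None


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The DS timestamp carries a numeric UTC offset, which %z understands.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    ev = LogEvent(ts=ts, source=m.group("source"), message=m.group("msg"))
    r = REPL_RE.search(ev.message)
    if r:
        ev.conn = int(r.group("conn"))
        ev.op = int(r.group("op"))
        ev.replica = r.group("replica")
    return ev


def clock_skew_events(lines: Iterable[str]) -> List[LogEvent]:
    """All replication-plugin events that report excessive clock skew."""
    out: List[LogEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.source == "NSMMReplicationPlugin" and SKEW_TEXT in ev.message:
            out.append(ev)
    return out


def summarize_by_replica(events: List[LogEvent]) -> Dict[str, Dict[str, object]]:
    """Count skew errors per replica with first/last occurrence, to see whether
    the failure is confined to one agreement or hits all of them."""
    summary: Dict[str, Dict[str, object]] = {}
    for ev in events:
        key = ev.replica or "<unknown>"
        s = summary.setdefault(key, {"count": 0, "first": ev.ts, "last": ev.ts})
        s["count"] += 1
        s["first"] = min(s["first"], ev.ts)
        s["last"] = max(s["last"], ev.ts)
    return summary


# Constructed sample log, modelled on the entry quoted in the post. The suffix
# and the two non-error lines are made up for this example.
SAMPLE_LOG = [
    '[08/May/2008:15:30:00 +0800] NSMMReplicationPlugin - conn=880 op=3 replica="dc=example,dc=com": replica acquired (constructed line)',
    '[08/May/2008:15:36:05 +0800] NSMMReplicationPlugin - conn=889 op=3 replica="dc=example,dc=com": Unable to acquire replica: error: excessive clock skew',
    '[08/May/2008:15:41:05 +0800] NSMMReplicationPlugin - conn=902 op=3 replica="dc=example,dc=com": Unable to acquire replica: error: excessive clock skew',
    'this line is not in the expected format and is skipped',
]

if __name__ == "__main__":
    events = clock_skew_events(SAMPLE_LOG)
    for replica, s in summarize_by_replica(events).items():
        print(f'{replica}: {s["count"]} skew errors between {s["first"]} and {s["last"]}')
```

Because the parser keeps the UTC offset, timestamps from two replicas in different time zones compare correctly; a skew error that recurs on a fixed cadence after a fresh re-initialisation is the pattern worth correlating with the NTP daemon's own log on both boxes.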
[Fedora-directory-users] Netgroup FDS with solaris 10 x86
by Vipul Ramani
hi all,
I'm new to netgroups and I am trying to configure netgroups on FDS with Sun
Solaris 10 as a client.
I have host: test1 & 2nd host: test2
I have FDS user: vipul2
I have domain: example.com
I have a netgroup called: testgroup
---------/etc/passwd and shadow file ----------
+@testgroup:x:::::
-:x:::::
--------------------------------------------------------------
Now
-----netgroup in FDS -------------
dn: cn=testgroup, ou=netgroup, dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (test1,vipul2,example.com)
cn: testgroup
-----------------------------------------------------------------
*now Case 1:*
If I set this value for
nisNetgroupTriple: (test1,vipul2,example)
I can log in to test1 and test2 both...
I want user vipul2 to be able to log in to test1 only, not the test2 server. Can anybody
tell me, am I missing something...???
1 more question....
DOES NETGROUP REQUIRE FQDNs AND DNS ENTRIES FOR ALL SUBDOMAINS & HOSTS
???
--
Regards
Vipul Ramani
16 years
[Fedora-directory-users] Directory server connection problems after enabling TLS
by Kenneth Holter
Hi.
I've just set up a Red Hat Directory Server, and it was working fine until
I enabled SSL/TLS. The LDAP server and my test LDAP client should be set up
correctly according to the manual, but I seem to have missed something.
Since enabling TLS I'm no longer allowed to log onto my LDAP client. The
error message says "Connection closed by 127.0.0.1".
However, when issuing the command "ldapsearch -x -H 'ldaps://<ldap-server>'"
the query is successful.
I've installed a CA signed server certificate on the LDAP server, and
installed the CA certificate on the LDAP client.
As I'm quite new to LDAP I could use some advice on how to debug this. Thanks
in advance.
Regards,
kenneho
16 years
[Fedora-directory-users] FDS - AD: sync deactivated status
by Sören Malchow
Dear all,
I have an FDS with synchronization to an AD up and running; everything
including password sync is fine. The only attribute that is needed and not
syncing is whether the user is deactivated or not.
I can deactivate users separately in FDS or AD but it does not sync. After
a lot of research I could not find a solution for that; can someone please
point me the way?
Regards
Soeren
16 years
[Fedora-directory-users] netgroup configuration FDS with Sun solaris 10 x86 box
by Vipul Ramani
Hi all,
I am trying to configure FDS as the directory server and the clients are Sun Solaris
10 boxes (all are Sun Solaris 10 x86).
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
NS_LDAP_SERVERS= 192.168.109.73
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
bash-3.00# ldaplist
dn: cn=Directory Administrators, dc=example, dc=com
dn: ou=People, dc=example, dc=com
dn: ou=Special Users,dc=example, dc=com
dn: ou=profile,dc=example,dc=com
dn: ou=group, dc=example,dc=com
dn: ou=netgroup, dc=example,dc=com
dn: ou=Groups, dc=example, dc=com
===ou=netgroup,dc=xxxx,dc=com===========
dn: cn=netgroup2,ou=netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: netgroup2
nisNetgroupTriple: (,vipul2,)
When I type this command I'm getting this error.... Do I need to enable
the netgroup database or do I need to apply a patch to enable this???
bash-3.00# getent netgroup QAUsers
Unknown database: netgroup
usage: getent database [ key ... ]
--
Regards
Vipul Ramani
16 years
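Both netgroup posts above (the `testgroup` entry with `(test1,vipul2,example.com)` and the `netgroup2` entry with `(,vipul2,)`) hinge on how a `nisNetgroupTriple` value is read. The following Python is an added example, not code from either post, from Solaris, or from Fedora Directory Server: it parses the triples out of an LDIF entry and evaluates them with the usual netgroup rules, where an empty field is a wildcard and a full `(host,user,domain)` lookup compares every non-empty field. It also shows the narrower lookup a `+@netgroup` line in `/etc/passwd` performs, which consults only the user field, so a host named in the triple does not by itself limit where that user can log in. The sample LDIF is constructed after the first post's entry.

```python
"""Parse nisNetgroupTriple values from an LDIF netgroup entry and evaluate
them with netgroup lookup rules. Added example for illustration; it is not
code from the posts above, from Solaris, or from Fedora Directory Server."""
import re
from typing import Dict, List, Optional, Tuple

# (host, user, domain); None marks an empty field, which acts as a wildcard.
Triple = Tuple[Optional[str], Optional[str], Optional[str]]

_TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(value: str) -> Triple:
    """Parse '(host,user,domain)'. Empty fields become None (match anything)."""
    m = _TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed nisNetgroupTriple: {value!r}")
    host, user, domain = (f.strip() or None for f in m.groups())
    return (host, user, domain)


def parse_netgroup_ldif(ldif: str) -> Dict[str, object]:
    """Pull cn and nisNetgroupTriple values out of one nisNetgroup LDIF entry."""
    cn: Optional[str] = None
    triples: List[Triple] = []
    for line in ldif.splitlines():
        attr, sep, val = line.partition(":")
        if not sep:
            continue
        attr = attr.strip().lower()
        if attr == "cn":
            cn = val.strip()
        elif attr == "nisnetgrouptriple":
            triples.append(parse_triple(val))
    return {"cn": cn, "triples": triples}


def triple_matches(triple: Triple, host: Optional[str], user: Optional[str],
                   domain: Optional[str]) -> bool:
    """A field is compared only when both the triple and the query give a
    value; an empty field on either side matches anything (innetgr semantics)."""
    for wanted, actual in zip(triple, (host, user, domain)):
        if wanted is not None and actual is not None and wanted != actual:
            return False
    return True


def netgroup_allows(triples: List[Triple], host: Optional[str], user: Optional[str],
                    domain: Optional[str] = None) -> bool:
    """Full (host,user,domain) membership check, as done by innetgr()-style lookups."""
    return any(triple_matches(t, host, user, domain) for t in triples)


def passwd_compat_allows(triples: List[Triple], user: str) -> bool:
    """Lookup performed for a '+@netgroup' line in /etc/passwd: only the user
    field of each triple is consulted, so the host field cannot restrict
    which machine a user may log in to through that mechanism."""
    return any(t[1] == user for t in triples)


# Constructed sample entry, modelled on the testgroup entry from the first post.
SAMPLE_LDIF = """\
dn: cn=testgroup,ou=netgroup,dc=example,dc=com
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (test1,vipul2,example.com)
cn: testgroup
"""

if __name__ == "__main__":
    ng = parse_netgroup_ldif(SAMPLE_LDIF)
    triples = ng["triples"]
    print(ng["cn"], triples)
    print("innetgr on test1:", netgroup_allows(triples, "test1", "vipul2", "example.com"))
    print("innetgr on test2:", netgroup_allows(triples, "test2", "vipul2", "example.com"))
    print("+@testgroup in passwd:", passwd_compat_allows(triples, "vipul2"))
```

Running it shows the asymmetry behind the first post's observation: the full lookup rejects `vipul2` on `test2`, while the passwd-style lookup accepts `vipul2` on any host because it never looks at the host field.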
[Fedora-directory-users] Installation problem DS 1.1 on F9
by Robert M. Albrecht
Hi,
I installed DS 1.1 on F9. The installation works without problems and the
server runs, but management does not work. I can't log on with
cn=Directory Manager.
Trying to start the daemon:
[root@nass init.d]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:
grep: /etc/dirsrv/admin-serv/adm.conf: Datei oder Verzeichnis nicht gefunden
/var/run/dirsrv is not writable for [FEHLGESCHLAGEN]
[root@nass init.d]#
[root@nass /]# start-ds-admin
ERROR: ld.so: object '/usr/lib/libssl3.so' from LD_PRELOAD cannot be
preloaded: ignored.
ERROR: ld.so: object '/usr/lib/libssl3.so' from LD_PRELOAD cannot be
preloaded: ignored.
(2)No such file or directory: httpd.worker: could not open error log
file /var/log/dirsrv/admin-serv/error.
Unable to open logs
[root@nass /]#
Used Versions:
[root@nass init.d]# rpm --query fedora-ds
fedora-ds-1.1.1-3.fc9.i386
[root@nass init.d]# cat /etc/fedora-release
Fedora release 9 (Sulphur)
Is this a known bug? Should it work, or did I do something wrong?
cu romal
16 years
[Fedora-directory-users] admin server dsgw 403 forbidden error
by Scott Lacy
Hi all,
I am making some changes to dsgw.conf to point htmldir, configdir, and gwnametrans to customized html and config directories on FDS's admin server. Everything else seems to work except for clicking on Directory Server Gateway, which gives me:
403 Forbidden error: You don't have permission to access /dsgw/bin/lang on this server.
The admin-serv error log shows:
[Thu May 08 13:10:41 2008] [error] [client a.b.c.d] client denied by server configuration: /opt/fedora-ds/dsgw, referer: http://foxtrot:5000/clients/dsgw/bin/lang?context=dsgw
[Thu May 08 13:10:41 2008] [error] [client a.b.c.d] client denied by server configuration: /opt/fedora-ds/dsgw, referer: http://foxtrot:5000/clients/dsgw/bin/lang?context=dsgw
Admserv.conf has:
<Directory "/opt/fedora-ds/clients/dsgw/bin/">
AllowOverride None
Options None
Order allow,deny
Allow from all
NESCompatEnv on
</Directory>
I've beaten my head against the wall until it hurts. Any pointers on where to look next?
Thanks,
Scott
----------------------
Scott Lacy
Unix Systems Manager, Systems and Networks
Mercer University
478 301 5509
16 years
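The error-log lines and the `<Directory>` stanza quoted above carry enough to check one thing mechanically: whether the path Apache reports as denied actually falls under any `<Directory>` block in the admin server configuration. The following Python is an added example, not code from the post or from the admin server: it parses `<Directory>` blocks out of an Apache 2.2-style config, pulls the denied path out of a "client denied by server configuration" line, and reports the most specific block that covers it, or that none does and the server-wide default applies. It deliberately checks path coverage only and does not evaluate `Order`/`Allow`/`Deny` semantics. The sample config and log line are constructed from the ones in the post.

```python
"""Check which <Directory> block of an Apache 2.2-style config covers the path
named in a 'client denied by server configuration' error. Added example; not
code from the post or from the admin server. Evaluates path coverage only."""
import posixpath
import re
from typing import Dict, List, Optional

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>\s*$', re.IGNORECASE)
DIR_CLOSE = re.compile(r'^\s*</Directory>\s*$', re.IGNORECASE)
DENIED_RE = re.compile(r'client denied by server configuration:\s+(?P<path>[^\s,]+)')


def parse_directory_blocks(conf: str) -> Dict[str, List[str]]:
    """Map each normalised <Directory> path to the directives inside it."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.strip()
        m = DIR_OPEN.match(line)
        if m:
            current = posixpath.normpath(m.group(1))
            blocks[current] = []
            continue
        if DIR_CLOSE.match(line):
            current = None
            continue
        if current is not None and line and not line.startswith("#"):
            blocks[current].append(line)
    return blocks


def denied_path(log_line: str) -> Optional[str]:
    """Extract the filesystem path from an Apache 'client denied' error line."""
    m = DENIED_RE.search(log_line)
    return m.group("path") if m else None


def covering_block(blocks: Dict[str, List[str]], path: str) -> Optional[str]:
    """Longest <Directory> path that is the path itself or one of its parents."""
    path = posixpath.normpath(path)
    best: Optional[str] = None
    for d in blocks:
        if path == d or path.startswith(d.rstrip("/") + "/"):
            if best is None or len(d) > len(best):
                best = d
    return best


def explain(conf: str, log_line: str) -> str:
    """One-line diagnosis for a log line against the given config text."""
    p = denied_path(log_line)
    if p is None:
        return "not a 'client denied' line"
    d = covering_block(parse_directory_blocks(conf), p)
    if d is None:
        return f"{p}: no <Directory> block covers it; server default applies"
    return f"{p}: covered by <Directory {d}>"


# Constructed from the stanza and log line quoted in the post.
SAMPLE_CONF = """\
<Directory "/opt/fedora-ds/clients/dsgw/bin/">
AllowOverride None
Options None
Order allow,deny
Allow from all
NESCompatEnv on
</Directory>
"""
SAMPLE_LOG = ('[Thu May 08 13:10:41 2008] [error] [client a.b.c.d] client denied by '
              'server configuration: /opt/fedora-ds/dsgw, referer: '
              'http://foxtrot:5000/clients/dsgw/bin/lang?context=dsgw')

if __name__ == "__main__":
    print(explain(SAMPLE_CONF, SAMPLE_LOG))
```

On the quoted input the denied path `/opt/fedora-ds/dsgw` is a sibling of, not a child of, the only configured directory, so the check reports that no block covers it; that is the kind of mismatch worth confirming before changing any access directives.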
[Fedora-directory-users] Synchronization with multiple AD domains
by John Dickinson
Hi,
I am designing an integrated Directory system and as part of it I need
to link two Active Directory domains. They both contain the same set
of users but exist in different domains for historical reasons. I want
to link them so that users created in one domain auto-magically get
created in the other.
Since you can create multiple Windows Sync Agreements in Fedora DS I
guess it could be used to make this work. I plan to test it soon but
in the meantime am wondering if anyone else has tried this and knows
of any problems or a better way?
Thanks
John
---
John Dickinson
16 years