[Fedora-directory-users] Update user passwords with "passwd"
by Hartmann, Tim
Hi!
So I ran into yet another pothole in the road to LDAP bliss...
We have a root suffix in our directory that stores the basic Posix
attributes including password, I've been able to configure my client to
use ldap for directory services, and authenticate against my replicas,
so far so good! Then I tried to change my user's password .. and that's
where I started getting a bit hung up..
At first I thought that it was because my replicas weren't sending the
update request/ referrals back to the masters. (We have two masters that
sit behind four consumers)
Then I decided to change my ldap.conf files to point directly to my
masters.... but I still received the same errors "Can't contact LDAP
Server" , which was strange since I can do ldap searches against it all
day, and even bind to the servers to do searches! and Insufficient write
privileges, which made me think that maybe it was an ACI.. but I have
selfwrite enabled for the userPassword attribute...
Here's the output of my failed attempt to change my user's password
after logging in successfully to the server..
Changing password for user foo.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Insufficient 'write' privilege to the 'userPassword' attribute of entry
'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
passwd: Permission denied
If anyone has any thoughts I'd be grateful! I'm pretty perplexed!
Best,
Tim
15 years, 4 months
[Fedora-directory-users] New to Fedora Directory Server (Questions)
by Sas Jamal
Hi guys,
I am relatively new to Linux, and LDAP (I have some experience with Active
Directory).
I have recently inherited a message board installation (Vbulletin), and some
custom apps, each with their own user database. I noticed that VBulletin had
a LDAP Plugin which was used by several members of the community, and a
friend suggested I implement LDAP as a centralized system for managing user
accounts, since it is scalable and easy to back up
(All of the applications are on different networks on different servers).
It seemed like a good idea, but I am a bit lost :)
I have installed Fedora Directory Server, and I need to have the passwords
for all users stored as MD5 hashes, and I also want to modify the schema to
support fields which are common throughout all of our systems.
I also want to use E-Mail Addresses as a Unique Identifier.
I am a bit overwhelmed, and new to LDAP as well. Are there any resources
or tutorials or books you guys can point me to?
Thanks,
Sas
15 years, 4 months
[Fedora-directory-users] FDS sync to eDirectory
by Jeff Garner
Currently we have AD, eDir syncing using the Novell DirXML driver and a
'shim' installed on all AD DC's worldwide. To avoid having to replicate
this structure from Active Directory using FDS, we have decided to use
eDirectory sync to FDS.
Currently we can sync FROM eDir to FDS, including passwords. No issues
there. The problem is that we want to sync only password changes from
FDS back into eDir. I can understand some of the complexities on this,
however can anyone point me in a direction of information to do this
task?
basically I want one way from eDir to FDS for all attributes, and
bi-directional sync of password attribute from FDS to eDIR and eDir to
FDS.
I had imagined going in, that this would be as simple as some sort of an
ldapmodify driver from FDS to eDir, but it seems that might have been
too simplistic. So, anyone have an idea on how I could accomplish this
task, if it can even be done, or if I should not waste my time trying?
Regards,
J.Garner
15 years, 4 months
[Fedora-directory-users] High CPU load on FDS
by Emmanuel BILLOT
Hi,
Does anyone know how we can explain a 90% CPU utilization on FDS?
Many forums on the web speak about index problems or memory variables
misconfiguration (nsslapd-idlistscanlimit and co).

However, I have not found any good web sites which explain how to
- monitor indexes utilization
- build/rebuild indexes (if this is the problem)
- configure FDS properly for good performance

Our directory tree contains 15000 entries.

Does anyone know what we can do? Best practices?
How to know if there is a problem in our config?

Regards,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================
15 years, 4 months
[Fedora-directory-users] Windows Sync Not working with AD password = P@ssw0rd ?
by lambam80@hotmail.com
Hello everybody and thanks for the tremendous support to date.
Firstly, yes I'm a paranoid personality ...
It's too late for me to try recreating this problem using my existing machines.
Is it possible that accounts created on RHDS are not 'replicated' to Active-Directory if the AD Administrator password is 'P@ssw0rd'? Please note, shame on me, I'm performing my replication using the AD Administrator account.
If you've not yet died laughing, at my expense :-) , any help would be greatly appreciated.
15 years, 4 months
[Fedora-directory-users] DSGW on LDAP server
by John A. Sullivan III
If installing DSGW on the same server as Directory Server, should it be
compiled with --with-adminserver=no? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
Street Preacher: Are you SAVED?????!!!!!!
Educated Skeptic: Saved from WHAT?????!!!!!!
Educated Believer: From our selfishness that hurts the ones we love
and condemns us to an eternity of hurting each other.
http://www.spiritualoutreach.com
Christianity that makes sense
15 years, 4 months
[Fedora-directory-users] idm-console does not accept cert
by John A. Sullivan III
Hello, all. We are working on implementing SSL on our directory server.
Our test environment is using Centos using console framework 1.1.1 and
ds centos-ds-8.0.0-1.4.el5.centos.4. When we attempt to login to
centos-idm-console, we receive an error that the certificate this server
presents is either untrusted or unknown. When we view the cert, the
note under details says "Untrusted issuer". However, if we look in
Manage Certificates for the Administration Server (I assume the console
is logging into the Administration Server but the same is true for the
Directory Server), we see the CA cert as trusted and see the certificate
chain. Everything looks correct. Why is the console not trusting the
CA cert? Is it looking for it someplace else? If so, where?
More details:
I'm assuming the problem is the CA cert. The admin server cert details
are:
cn=ldap01admin.ssiservices.biz
There are DNS entries in subjAltName of:
ldap01.ssiservices.biz
ldap01
ldap01admin
and there is an IP address entry.
I get the same problem connecting to
https://ldap01admin.ssiservices.biz:9830 as
https://ldap01.ssiservices.biz:9830
15 years, 4 months
[Fedora-directory-users] migrating from fedora-ds-1.0.4 to fedora-ds-1.1- problem
by Eric
Hi,
I had fedora-ds-1.0.4 on centos 5.2. I migrated to fedora-ds-1.1.
fedora-idm-console runs and all data are there. Command line search works
too, but there are some problems. When I use: rpm -q fedora-ds, the version is
fedora-1.0.4. When I search passwords of users it shows: {cypt}mypasswd, but
when I used 1.0.4 it was showing the encrypted password. Why are there these
differences?
Is there any problem in installing or migrating?
15 years, 4 months
[Fedora-directory-users] Problems with replication and granular password policies
by John A. Sullivan III
Hello, all. I've had major grief tonight trying to set up replication
in our test environment. I'll submit this email to document our
workarounds in case others hit the same problems and to solicit
corrections in case the problem was not the product and documentation
but rather our approach.
First we have the issue of the Supplier Bind DN. We attempted to create
the user by stopping dirsrv on the RO replica and adding the following to
dse.ldif:
dn: cn=repliman,cn=config
uid: repliman
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: repliman
givenname: Replication
sn: Manager
userPassword: <medium security password>
passwordExpirationTime: 20380119031407Z
We've never gotten it to work. The replication agreement wizard cannot
find the dn. We've always had to create the user through the console in
the config branch and then we can find the user.
Once we did that, we hit a second problem. We had enabled fine grained
password policies and required users to change their password when
reset. This, of course, applied to the Supplier Bind DN user but we did
not realize that at first. Perhaps a note in the documentation would
have helped. Once we created the custom password policy for the user,
all finally worked fine.
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
15 years, 4 months
[Fedora-directory-users] Clarification of User DS tab
by John A. Sullivan III
I'm in the midst of setting up a DS replica using SSL and find myself a
bit confused on the purpose of the User DS and Configuration DS tabs in
the Administration Server Configuration. Could someone point me to some
documentation on them?
What do they represent? I am guessing the Configuration DS is how we
connect to the portion of the tree holding configuration
(o=NetscapeRoot?). When the LDAP server is part of another
administrative domain, should this point to the local LDAP server or to
the LDAP server which manages the administrative domain?
I am also guessing the User DS is that portion of the tree holding the
user directory, i.e., most of the directory. In the case of a read-only
replica, should this point to the read/write master? Thanks - John
15 years, 4 months