dse.ldif errors with a reboot
by Ryan Palamara
I am having problems where I need to restore the dse.ldif every time I reboot the server. Has anyone seen issues like this before, and do you have any recommendations for where to start troubleshooting it?
Thank you,
Ryan Palamara
ZAIS Group, LLC
2 Bridge Avenue, Suite 322
Red Bank, New Jersey 07701
Phone: (732) 450-7444
Ryan.palamara(a)zaisgroup.com
11 years, 9 months
Import Apple Open Directory Schema
by Bradly Swart
Hi List,
I've just been put on a project requiring the migration of a client's Apple
Open Directory setup to a virtualized Linux RedHat environment running 389
Directory Server. I have no prior LDAP experience, so this has been quite
an adventure so far!
In order to get this going I have copied the Apple schema files, converted
them to LDIF and put them into /etc/dirsrv/slapd-ldap/schema.
All good!
Now when I try and start the directory server up I get the following errors:
[23/Jul/2012:14:35:32 +1000] - Entry "cn={6}apple" has unknown object class "olcSchemaConfig"
[23/Jul/2012:14:35:32 +1000] - Entry "cn={5}apple_auxillary" has unknown object class "olcSchemaConfig"
[23/Jul/2012:14:35:32 +1000] - Entry "cn={0}core" has unknown object class "olcSchemaConfig"
[23/Jul/2012:14:35:32 +1000] - Entry "cn={1}cosine" has unknown object class "olcSchemaConfig"
[23/Jul/2012:14:35:32 +1000] - Entry "cn={2}inetorgperson" has unknown object class "olcSchemaConfig"
[23/Jul/2012:14:35:32 +1000] - Entry "cn={3}nis" has unknown object class "olcSchemaConfig"
[23/Jul/2012:14:35:32 +1000] - Entry "cn={4}samba" has unknown object class "olcSchemaConfig"
[23/Jul/2012:14:35:32 +1000] createprlistensockets - PR_Bind() on All Interfaces port 389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
Obviously it cannot find the object class definition / description,
although I'm not sure why, and have no idea where that should be. The
blog posts and tutorials I have found say to just copy the schema files
in the relevant format and restart the server; none of them have come
across this error.
Something along the lines of this blog post:
http://www.backupcentral.com/mr-backup-blog-mainmenu-47/13-mr-backup-blog...
Hope someone can point me in the right direction with this one!
389-NOOB
--
Bradly Swart
Mobile: +61 44 706 8963
Skype: bradly.swart
Twitter: @brad8711
11 years, 9 months
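The "unknown object class olcSchemaConfig" errors in Bradly's post above come from schema entries in OpenLDAP's cn=config layout (objectClass olcSchemaConfig, olcAttributeTypes/olcObjectClasses values carrying {n} ordering prefixes), while 389 DS schema files hold a single cn=schema entry with plain attributeTypes and objectClasses values. The converter below is an added example, not code from the post or from the 389 project; the sample entry, its OIDs and its attribute names are constructed.

```python
import re

# Constructed sample in OpenLDAP cn=config form, the layout that produced the
# "unknown object class olcSchemaConfig" errors; the OIDs and names are made up.
OPENLDAP_CONFIG_LDIF = """\
dn: cn={6}apple,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {6}apple
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'exampleHomeShare'
  DESC 'constructed attribute' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.99999.2.1 NAME 'exampleUser' SUP top
  AUXILIARY MAY ( exampleHomeShare ) )
"""

ORDER_PREFIX = re.compile(r"^\{\d+\}")  # OpenLDAP's {n} value-ordering marker

def unfold_ldif(text):
    """Join LDIF continuation lines (which start with one space) onto their logical line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def convert_schema(openldap_ldif):
    """Rewrite cn=config schema entries as one 389 DS cn=schema entry.

    olcAttributeTypes -> attributeTypes and olcObjectClasses -> objectClasses,
    with the {n} prefixes removed; the dn/objectClass/cn lines of the cn=config
    entry carry no schema and are dropped. Attribute types are emitted first
    because object classes refer to them.
    """
    attrs, classes = [], []
    for line in unfold_ldif(openldap_ldif):
        key, _, value = line.partition(":")
        value = ORDER_PREFIX.sub("", value.strip())
        if key == "olcAttributeTypes":
            attrs.append(value)
        elif key == "olcObjectClasses":
            classes.append(value)
    header = ["dn: cn=schema", "objectClass: top", "objectClass: ldapSubentry",
              "objectClass: subschema", "cn: schema"]
    body = ["attributeTypes: " + a for a in attrs] + ["objectClasses: " + c for c in classes]
    return "\n".join(header + body) + "\n"

if __name__ == "__main__":
    print(convert_schema(OPENLDAP_CONFIG_LDIF), end="")
```

Save the output as its own file in the schema directory the post names (389 DS loads schema files in filename order, so a name sorting after the bundled core files, such as 60apple.ldif, keeps the dependencies satisfied) and restart the instance.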
ldclt derefAliases: derefAlways
by Alexey.I.Larin@gmail.com
Hello,
How can I set option derefAlways for aliases using ldclt utility?
I saw "deref=[deref:attr]" but I did not understand how to use it.
Alexey Larin
11 years, 9 months
Re: [389-users] Stumped - SSL works for auth, sudo, etc, but fails for ldap user cronjobs
by Carsten Grzemba
Hi,
what kind of certificate do you use, self-signed? Are the certificates signed by the same CA?
On 18.07.12, David Nguyen <d_k_nguyen(a)yahoo.com> wrote:
> Hi all,
>
> I have a strange one. My current setup is working perfectly. client1
> is able to connect to ldap-server1 via SSL and everything is working
> correctly. I then had a need to add another ldap server (ldap-server2)
> as a multi-master replica and everything is working (user auth, sudo
> via ldap users, ldapsearch, openssl, etc) except cronjobs for users
> served out of ldap fail to run.
>
> I can see this in the error log on ldap-server2:
>
> [18/Jul/2012:11:18:00 -0700] - PR_Recv for connection 467 returns -12195 (Peer does not recognize and trust the CA that issued your certificate.)
>
> If I set /etc/ldap.conf to not use SSL (URI ldap://fqdn vs URI
> ldaps://fqdn:636), the cronjobs fire just fine.
>
> So it appears as though there is an SSL cert issue, but I'm stumped
> because all of the other services that use ldap on client1 work except
> cron jobs (root cron fires fine as expected since nsswitch is set to
> files then ldap).
>
> If I replace the URI string in /etc/ldap.conf to point at
> ldap-server1, cron starts working.
>
> Both ldap-server1 and ldap-server2 are running the same OS and
> kernel version (RHEL5) as well as the same version of 389 DS
> (389-ds-1.2.1-1.el5).
>
> Any ideas as to what could be causing this problem? Here is the
> /etc/ldap.conf on client1 if it matters:
>
> ====== begin /etc/ldap.conf =======
> URI ldaps://ops-ldap006.svale.netledger.com:636
> base dc=netsuite,dc=com
>
> timelimit 10
> bind_policy soft
> nss_reconnect_tries 3
> bind_timelimit 6
> idle_timelimit 30
> sudoers_base ou=SUDOers,dc=netsuite,dc=com
> sudoers_debug 0
>
> ##ssl start_tls
> TLS_CACERT /etc/openldap/cacerts/ca.crt
> TLS_CACERTFILE /etc/openldap/cacerts/ca.crt
> TLS_REQCERT demand
> pam_lookup_policy yes
> pam_password exop
>
> nss_initgroups_ignoreusers root,named,avahi,haldaemon,dbus,gdm,postfix,puppet
>
> ====== end /etc/ldap.conf =======
>
> Thanks in advance,
> David
--
Carsten Grzemba
11 years, 9 months
Keep the schema or change it?
by Gary Algier
Hi,
I am in the process of migrating from Sun's DS 5.2 to DS 389 and I have
compared the schemata. I see some differences and I wonder as to the best way
to handle them. In general is it better to change the 389 schema and then
always have to "fix" it with each new release or change my Sun clients somehow
(this seems to border on the philosophical)?
As an example, there is the Automount schema. On Sun's systems, they expect
a schema something like this:
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' MUST ( automountKey $
automountInformation ) MAY description ...)
with the 389 schema looking like this:
objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' MUST ( cn $
automountInformation ) MAY description ...)
In other words, the lookup key matched against the user's login for home
directories would be "automountKey" for Sun, and "cn" for 389.
I notice that my Linux clients work fine with a Sun DS so they seem to be
using "automountKey". (Or are they looking for either?).
I also see differences in the objectClass automountMap. Linux does not seem
to work with a Sun-style automountMap.
If I just dump my Sun DS and load it into the 389 DS do I want to overwrite
the schema? Should I only load the non-conflicting entries? If the 389
schema is the "right" schema, will Linux stop working some day when they
conform? Is there a way to have both?
I have about 500 mixed Sun and Linux clients and I want to minimize the
reconfiguration on the day that I switch DS.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
11 years, 9 months
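The comparison Gary describes above, done mechanically: this added example (not code from the post or from either directory server) indexes objectclass definitions by OID and reports the MUST/MAY attributes that differ, which is the check to run over the complete Sun and 389 schema files before deciding which side to change. The two sample definitions are constructed from the ones quoted in the post; the SUP top STRUCTURAL parts are assumed, and definitions whose OID appears on only one side are reported separately.

```python
import re

# Constructed schema excerpts modelled on the two automount definitions
# quoted in the post; SUP/STRUCTURAL are assumed to make the lines complete.
SUN_SCHEMA = """\
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
  MUST ( automountKey $ automountInformation ) MAY description )
"""
DS389_SCHEMA = """\
objectclasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
  MUST ( cn $ automountInformation ) MAY description )
"""

# Matches one unfolded objectclass definition; the attribute name is case-insensitive.
DEF_RE = re.compile(
    r"^objectclasses:\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'(?P<rest>.*)\)\s*$",
    re.I)

def attr_list(keyword, body):
    """Attribute names after MUST or MAY, for both 'MUST x' and 'MUST ( x $ y )'."""
    m = re.search(rf"\b{keyword}\s+(\([^)]*\)|\S+)", body)
    if not m:
        return set()
    return {a.strip() for a in m.group(1).strip("() ").split("$")}

def parse_objectclasses(text):
    """Index objectclass definitions by OID: {oid: (name, must_set, may_set)}."""
    unfolded = re.sub(r"\n ", "", text)  # join LDIF continuation lines
    classes = {}
    for line in unfolded.splitlines():
        m = DEF_RE.match(line)
        if m:
            rest = m.group("rest")
            classes[m.group("oid")] = (m.group("name"), attr_list("MUST", rest),
                                       attr_list("MAY", rest))
    return classes

def schema_diff(old_text, new_text):
    """Per shared OID, report MUST/MAY attributes present on only one side,
    plus the OIDs defined on only one side."""
    old, new = parse_objectclasses(old_text), parse_objectclasses(new_text)
    report = {"only_old": set(old) - set(new), "only_new": set(new) - set(old)}
    for oid in old.keys() & new.keys():
        name, omust, omay = old[oid]
        _, nmust, nmay = new[oid]
        if omust != nmust or omay != nmay:
            report[name] = {"must_only_old": omust - nmust, "must_only_new": nmust - omust,
                            "may_only_old": omay - nmay, "may_only_new": nmay - omay}
    return report
```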
Stumped - SSL works for auth, sudo, etc, but fails for ldap user cronjobs
by David Nguyen
Hi all,
I have a strange one. My current setup is working perfectly. client1
is able to connect to ldap-server1 via SSL and everything is working
correctly. I then had a need to add another ldap server (ldap-server2)
as a multi-master replica and everything is working (user auth, sudo
via ldap users, ldapsearch, openssl, etc) except cronjobs for users
served out of ldap fail to run.
I can see this in the error log on ldap-server2:
[18/Jul/2012:11:18:00 -0700] - PR_Recv for connection 467 returns -12195 (Peer does not recognize and trust the CA that issued your certificate.)
If I set /etc/ldap.conf to not use SSL (URI ldap://fqdn vs URI
ldaps://fqdn:636), the cronjobs fire just fine.
So it appears as though there is an SSL cert issue, but I'm stumped
because all of the other services that use ldap on client1 work except
cron jobs (root cron fires fine as expected since nsswitch is set to
files then ldap).
If I replace the URI string in /etc/ldap.conf to point at
ldap-server1, cron starts working.
Both ldap-server1 and ldap-server2 are running the same OS and
kernel version (RHEL5) as well as the same version of 389 DS
(389-ds-1.2.1-1.el5).
Any ideas as to what could be causing this problem? Here is the
/etc/ldap.conf on client1 if it matters:
====== begin /etc/ldap.conf =======
URI ldaps://ops-ldap006.svale.netledger.com:636
base dc=netsuite,dc=com
timelimit 10
bind_policy soft
nss_reconnect_tries 3
bind_timelimit 6
idle_timelimit 30
sudoers_base ou=SUDOers,dc=netsuite,dc=com
sudoers_debug 0
##ssl start_tls
TLS_CACERT /etc/openldap/cacerts/ca.crt
TLS_CACERTFILE /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
pam_lookup_policy yes
pam_password exop
nss_initgroups_ignoreusers root,named,avahi,haldaemon,dbus,gdm,postfix,puppet
====== end /etc/ldap.conf =======
Thanks in advance,
David
11 years, 9 months
Ldap authentication to multiple samba servers
by David Hoskinson
We are using 389 Directory Server authentication for our single Samba server. We would like to add additional Samba servers to the mix while still using the single LDAP server. Is this possible? I know I had to make an administrative connection between the Samba server and the LDAP server when I originally set it up, and it created a "domain" or Samba object; I am not sure what the proper term is. I am guessing that under the directory tab, under my domain, I will see an object for each machine. Is this correct?
Thanks for the help.
David Hoskinson | DATATRAK
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.319.471.3689 (m)
david.hoskinson(a)datatrak.net | www.datatrak.net
11 years, 9 months
Deactivating accounts
by harry.devine@faa.gov
We have several users who no longer need access, but may in the future, so
we have set them to be Inactive in their profile. However, we noticed
that these accounts have re-activated themselves and those users could log
back in if they wanted to. How do we make accounts that we specifically
make inactive by pressing the Inactivate button stay that way?
We are using the following 389 versions on CentOS 5.7 64-bit:
389-ds-base-1.2.9.9-1.el5
389-admin-1.1.29-1.el5
389-ds-console-1.2.6-1.el5
389-adminutil-1.1.15-1.el5
389-admin-console-1.1.8-1.el5
389-ds-console-doc-1.2.6-1.el5
389-ds-base-libs-1.2.9.9-1.el5
389-dsgw-1.1.9-1.el5
389-console-1.1.7-3.el5
389-admin-console-doc-1.1.8-1.el5
389-ds-1.2.1-1.el5
Thanks for any help!
Harry
11 years, 9 months