[Fedora-directory-users] How to ldapsearch password expiration data?
by Vsevolod (Simon) Ilyushchenko
Hi,
I finally found where the password expiration data are located. If I do
a database export from the GUI, I can see the entry:
***
dn: cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu
modifyTimestamp: 20051109200121Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
passwordMaxAge: 864000000
passwordWarning: 0
passwordMinAge: 0
passwordExp: on
passwordGraceLimit: 0
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20051109200121Z
nsUniqueId: 97b5d182-1dd111b2-80f8db9c-cc6f0000
***
However, if I ldapsearch -b 'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu' I'm not getting any subentries:
***
# extended LDIF
#
# LDAPv3
# base <cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 3
result: 0 Success
***
I've tried connecting both as "cn=Manager" and "uid=admin".
Is there a way to access these data programmatically using ldapsearch?
Thanks,
Simon
--
Simon (Vsevolod Ilyushchenko) simonf(a)cshl.edu
http://www.simonf.com
"Think like a man of action, act like a man of thought."
Henri Bergson
17 years, 9 months
[Fedora-directory-users] problem importing sendmail.schema in fds
by basile
Hi,
I try to import sendmail.schema in FDS and I have this error when I
restart the server:
dse - The entry cn=schema in file
/opt/fedora-ds/slapd-nagios1/config/schema/63sendmail.ldif is invalid,
error code 21 (Invalid syntax) - object class sendmailMTAAlias: Unknown
allowed attribute type " sendmailMTACluster"
Here is the file 63sendmail.schema. The attribute sendmailMTACluster seems
to be defined correctly, and if I delete this attribute I have the same
error with others.
#
#********************************************************************
#
dn: cn=schema
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.10
NAME 'sendmailMTACluster'
DESC 'cluster name associated with a set of MTAs'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.11
NAME 'sendmailMTAHost'
DESC 'host name associated with a MTA cluster'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.13
NAME 'sendmailMTAKey'
DESC 'key (left hand side) of an aliases or map entry'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.14
NAME 'sendmailMTAMapName'
DESC 'identifier for the particular map'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
SINGLE-VALUE
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.16
NAME 'sendmailMTAMapValue'
DESC 'value (right hand side) of a map entry'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.18
NAME 'sendmailMTAAliasGrouping'
DESC 'name that identifies a particular aliases grouping'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.20
NAME 'sendmailMTAAliasValue'
DESC 'value (right hand side) of an alias'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.22
NAME 'sendmailMTAClassName'
DESC 'identifier for the class'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128}
SINGLE-VALUE
)
#
#********************************************************************
#
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.23
NAME 'sendmailMTAClassValue'
DESC 'member of a class'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
)
#
#********************************************************************
#
objectClasses: (
1.3.6.1.4.1.6152.10.3.2.10
NAME 'sendmailMTA'
SUP top
STRUCTURAL
DESC 'Sendmail MTA definition'
MAY ( sendmailMTACluster $ sendmailMTAHost $ Description )
)
#
#********************************************************************
#
objectClasses: (
1.3.6.1.4.1.6152.10.3.2.11
NAME 'sendmailMTAMap'
SUP sendmailMTA
STRUCTURAL
DESC 'Sendmail MTA map definition'
MUST sendmailMTAMapName
MAY ( sendmailMTACluster $ sendmailMTAHost $ Description )
)
#
#********************************************************************
#
objectClasses: (
1.3.6.1.4.1.6152.10.3.2.12
NAME 'sendmailMTAMapObject'
SUP sendmailMTAMap
STRUCTURAL
DESC 'Sendmail MTA map object'
MUST ( sendmailMTAMapName $ sendmailMTAKey $ sendmailMTAMapValue )
MAY ( sendmailMTACluster $ sendmailMTAHost $ Description )
)
#
#********************************************************************
#
objectClasses: (
1.3.6.1.4.1.6152.10.3.2.13
NAME 'sendmailMTAAlias'
SUP sendmailMTA
STRUCTURAL
DESC 'Sendmail MTA alias definition'
MAY ( sendmailMTAAliasGrouping $ sendmailMTACluster $
sendmailMTAHost $ Description )
)
#
#********************************************************************
#
objectClasses: (
1.3.6.1.4.1.6152.10.3.2.14
NAME 'sendmailMTAAliasObject'
SUP sendmailMTAAlias
STRUCTURAL
DESC 'Sendmail MTA alias object'
MUST ( sendmailMTAKey $ sendmailMTAAliasValue )
MAY ( sendmailMTAAliasGrouping $ sendmailMTACluster $
sendmailMTAHost $ Description )
)
#
#********************************************************************
#
Thanks for help,
basile
17 years, 9 months
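The error quotes the attribute name with a leading space, so it is worth checking how the multi-line definitions tokenize before the next restart. As an added example (not from the post or from Fedora DS), a Python linter that collapses each definition in the posted layout onto a single LDIF line and cross-checks every MUST/MAY reference against the attributeTypes defined in the file plus a set of attributes assumed to already exist on the server; the excerpt is constructed from the posted file.

```python
import re
# Attribute types assumed to exist on the server already (subset); the posted
# schema references 'Description', which resolves to 'description' here.
SERVER_ATTRIBUTES = {"cn", "description"}

# Excerpt constructed from the posted 63sendmail file in its posted layout (no
# LDIF continuation spaces); sendmailMTAAliasGrouping and sendmailMTAHost are left out.
POSTED = """dn: cn=schema
attributeTypes: (
1.3.6.1.4.1.6152.10.3.1.10
NAME 'sendmailMTACluster'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
)
objectClasses: (
1.3.6.1.4.1.6152.10.3.2.13
NAME 'sendmailMTAAlias'
SUP top STRUCTURAL
MAY ( sendmailMTAAliasGrouping $ sendmailMTACluster $
sendmailMTAHost $ Description )
)
"""
NAME_RE = re.compile(r"\bNAME\s+'([^']+)'")

def collapse(text):
    """Join each 'attr: (' ... ')' definition onto one line (the layout any
    LDIF reader accepts) and return (attribute, value) pairs."""
    records, buf = [], None
    for line in text.splitlines():
        if buf is not None:
            buf.append(line.strip())
            if line.strip() == ")":
                records.append((buf[0], " ".join(buf[1:])))
                buf = None
        elif line.rstrip().endswith(": ("):
            buf = [line.split(":")[0].strip().lower(), "("]
        elif ":" in line:
            attr, _, value = line.partition(":")
            records.append((attr.strip().lower(), value.strip()))
    return records

def check_schema(records, known=SERVER_ATTRIBUTES):
    """Report MUST/MAY names that no attributeTypes definition satisfies; names are
    compared case-insensitively and stripped, so ' sendmailMTACluster' resolves."""
    defined = {NAME_RE.search(v).group(1).lower() for a, v in records
               if a == "attributetypes"} | {k.lower() for k in known}
    problems = []
    for value in (v for a, v in records if a == "objectclasses"):
        cls = NAME_RE.search(value).group(1)
        for kw in ("MUST", "MAY"):
            m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % kw, value)
            for ref in (m.group(1) or m.group(2)).split("$") if m else []:
                if ref.strip().lower() not in defined:
                    problems.append("%s: unknown %s attribute '%s'" % (cls, kw, ref.strip()))
    return problems
```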
[Fedora-directory-users] Winsync Problem with NT4
by Hartmut Wöhrle
Hello Everyone,
It seems as if everyone is syncing with AD but not with an NT PDC... except
me.
I have a problem while setting up a connection:
I set up winsync at the PDC (not passwordsync up till now) and I try to
initiate a first init-replication. Then nothing happens and the FDS says
"Loop detected".
But at the PDC side I see an entry in the usersync.log which tells me which
"uid=..." I'm using to connect.
Maybe it is because I used the wrong password at the first try (PDC side)? I
read in the manual that
"After the service is installed and started the first time the password can
only be changed via an LDAP modify operation, not the configuration file."
Ldapmodify - where?? PDC or FDS side?
But I'm not able to find the place where this PDC information would be stored
in the FDS - so I guess ldapmodify at the PDC?
Or is uninstall and re-install the only chance to fix it?
See U
Hartmut
--
===========================================
Hartmut Woehrle
EMail: hartmut.woehrle(a)mail.pcom.de
17 years, 10 months
[Fedora-directory-users] LDAP subagent questions
by Kevin M. Myer
Hello,
I'm working through some of the documentation for the ldap-agent at
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/snmp.html
(although with Fedora Directory Server). I have a simple
ldap-agent.conf file in /opt/fedora-ds/slapd-instance/config. The
documentation states that a config item of "server" should be specified
that points to the log directory of the Directory Server instance to be
monitored. I found that it balked if I did that:
ldap-agent: Error opening server config file:
/opt/fedora-ds/slapd-instance/logs/config/dse.ldif
so I changed the server value to be just /opt/fedora-ds/slapd-instance.
Error message goes away but now when I try to start ldap-agent, I get:
ldap-agent: Not started! Check log file for details.
And if I check the log file for details, I see:
2005-11-30 16:58:21 Starting ldap-agent...
The -D option generates no additional information.
On the server, net-snmp is running, with agentx support, listening to a
socket in /var/agentx/master. The documentation states that version
5.2.1 is required, but I'm only running 5.1.2.
Now I found that if I disabled iptables on this server, the agent came
up, one time. Thought that was it but then I found if I killed it and
restarted it, it didn't come up. And then with iptables enabled again,
it did come up. And then it didn't. You get the picture - it's very
inconsistent :)
So, anyone have this running reliably?
Kevin
--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
17 years, 10 months
[Fedora-directory-users] NIS migration
by Brian Zuromski
Hi,
I'm migrating a network from NIS to FDS. All the users of the old
network were members of a particular group which is required to access
certain directories/files etc.... I'm having problems in the FDS
assigning them to groups with the same GID. I fixed it temporarily by
adding the group in the local /etc/group file on each host and it works.
How do I create the group on the FDS server and assign people to it so that
it'll carry over to each box? Thanks!!!
17 years, 10 months
[Fedora-directory-users] Search by "uid" attribute returns duplicate results
by Kevin M. Myer
Hello,
I migrated a Netscape Directory Server 4.16 installation to Fedora
Directory Server over the weekend. It went very smoothly, but I now
have a puzzling problem. I have two servers set up in multimaster
replication mode. On the one server, for one subtree only, if I search
via the 'uid' attribute, each search returns two identical entries. On
the other server, if I search via the 'uid' attribute, I get one entry.
If I search on anything but the 'uid' attribute (say, for instance
'mail'), I get one result from both servers.
The server that returns duplicate results for the 'uid' searches was
running in a test mode prior to my migration. However, I wiped the
database/subtree that had our organization accounts located in it prior
to migrating. My initial suspicion is that I have a messed up index
somewhere but I don't see how I would ever have been able to import
duplicate sets of entries anyway, since we are using 'uid' as our RDN
value. Further, if I export the data for that subtree, there is only
one set of entries for each account.
Thoughts on what might be occurring?
Kevin
--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
17 years, 10 months
[Fedora-directory-users] pam.conf on Solaris 2.6?
by Vsevolod (Simon) Ilyushchenko
Hi,
Has anyone been able to make OpenLDAP work via pam.conf in Solaris 2.6?
(Don't ask. :) The 'id' and 'su' commands don't even use LDAP, and when
I enable UsePam in openssh, the LDAP calls are made, but the user is not
recognized. When I look at the traffic, I see this:
0.003082 client -> server LDAP MsgId=2 Search Request, Base DN=dc=cshl,dc=edu
... The correct uid is requested.
0.003882 server -> client LDAP MsgId=2 Search Entry, 1 result
... Correct user entry is returned, but the next client request is very
puzzling:
0.005893 client -> server LDAP MsgId=3 Bind Request, DN=uid=ilyush,ou=People,dc=cshl,dc=edu
0000 00 11 25 29 98 74 00 30 7b 94 f2 94 08 00 45 00 ..%).t.0{.....E.
0010 00 85 e1 2c 40 00 fe 06 4a 84 8f 30 07 df 8f 30 ...,@...J..0...0
0020 2a 82 fa 6a 01 85 6c c4 0b 8c eb 0c 9d d6 50 18 *..j..l.......P.
0030 22 38 d4 76 00 00 30 5b 02 01 03 60 37 02 01 03 "8.v..0[...`7...
0040 04 23 75 69 64 3d 69 6c 79 75 73 68 2c 6f 75 3d .#uid=ilyush,ou=
0050 50 65 6f 70 6c 65 2c 64 63 3d 63 73 68 6c 2c 64 People,dc=cshl,d
0060 63 3d 65 64 75 80 0d 08 0a 0d 7f 49 4e 43 4f 52 c=edu......INCOR
0070 52 45 43 54 a0 1d 30 1b 04 19 31 2e 33 2e 36 2e RECT..0...1.3.6.
0080 31 2e 34 2e 31 2e 34 32 2e 32 2e 32 37 2e 38 2e 1.4.1.42.2.27.8.
0090 35 2e 31 5.1
Obviously, this attempt to login does not work:
0.006885 server -> client LDAP MsgId=3 Bind Result, Invalid credentials
0000 00 00 0c 07 ac 2a 00 11 25 29 98 74 08 00 45 00 .....*..%).t..E.
0010 00 36 21 22 40 00 40 06 c8 de 8f 30 2a 82 8f 30 .6!"@.@....0*..0
0020 07 df 01 85 fa 6a eb 0c 9d d6 6c c4 0b e9 50 18 .....j....l...P.
0030 16 d0 50 ea 00 00 30 0c 02 01 03 61 07 0a 01 31 ..P...0....a...1
0040 04 00 04 00 ....
I've taken the pam.conf file that works fine for me on Solaris 8 and
removed all the non-existent libraries. Here it is:
***
login auth sufficient pam_unix.so.1
login auth required pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth required pam_unix.so.1
dtlogin auth required pam_unix.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix.so.1
other auth sufficient pam_unix.so.1
other auth sufficient pam_ldap.so
login account sufficient pam_unix.so.1
login account required pam_ldap.so
other account sufficient pam_unix.so.1
other account required pam_ldap.so
other session required pam_unix.so.1
dtsession auth required pam_unix.so.1
passwd auth required pam_passwd_auth.so.1
ppp auth required pam_unix.so.1
ppp auth required pam_dial_auth.so.1
cron account required pam_unix.so.1
***
Thanks,
Simon
--
Simon (Vsevolod Ilyushchenko) simonf(a)cshl.edu
http://www.simonf.com
"Think like a man of action, act like a man of thought."
Henri Bergson
17 years, 10 months
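As an added example (not from the post), a minimal BER decoder in Python that walks the two frames above, skipping the Ethernet, IPv4 and TCP headers, and pulls out the bind DN, the authentication choice and its bytes, the control OID and the result code. The frames are reconstructed byte for byte from the hex dump in the post.

```python
# The two frames from the post (Ethernet + IPv4 + TCP + LDAP), as raw bytes.
BIND_REQUEST = bytes.fromhex(
    "00112529987400307b94f29408004500 0085e12c4000fe064a848f3007df8f30"
    "2a82fa6a01856cc40b8ceb0c9dd65018 2238d4760000305b0201036037020103"
    "04237569643d696c797573682c6f753d 50656f706c652c64633d6373686c2c64"
    "633d656475800d080a0d7f494e434f52 52454354a01d301b0419312e332e362e"
    "312e342e312e34322e322e32372e382e 352e31")
BIND_RESULT = bytes.fromhex(
    "00000c07ac2a00112529987408004500 0036212240004006c8de8f302a828f30"
    "07df0185fa6aeb0c9dd66cc40be95018 16d050ea0000300c02010361070a0131"
    "04000400")

def ldap_payload(frame):
    """Skip Ethernet (14 bytes), IPv4 (IHL words) and TCP (data-offset words)."""
    tcp = 14 + (frame[14] & 0x0F) * 4
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]

def ber_tlv(buf, pos=0):
    """Read one BER tag/length/value at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_children(value):
    """Split a constructed value (SEQUENCE, APPLICATION, context tag) into children."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = ber_tlv(value, pos)
        items.append((tag, val))
    return items

def decode_bind_request(frame):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0], controls [0] OPTIONAL }."""
    (_, msgid), (op_tag, op), *rest = ber_children(ber_tlv(ldap_payload(frame))[1])
    if op_tag != 0x60:
        raise ValueError("not a BindRequest (tag 0x%02x)" % op_tag)
    (_, version), (_, name), (auth_tag, creds) = ber_children(op)
    # [0] Controls is SEQUENCE OF Control; each Control starts with its OID
    oids = [ber_children(c)[0][1].decode() for t, seq in rest if t == 0xA0
            for _, c in ber_children(seq)]
    return {"messageID": int.from_bytes(msgid, "big"), "version": version[0],
            "name": name.decode(), "simple_auth": auth_tag == 0x80,
            "credentials": creds, "controls": oids}

def decode_bind_result(frame):
    """BindResponse [APPLICATION 1] carries an LDAPResult; 49 = invalidCredentials."""
    (_, msgid), (op_tag, op) = ber_children(ber_tlv(ldap_payload(frame))[1])[:2]
    if op_tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    return {"messageID": int.from_bytes(msgid, "big"),
            "resultCode": ber_children(op)[0][1][0]}
```

Decoding the request shows that the simple-bind credential field carries the bytes `\b\n\r\x7fINCORRECT` rather than a typed password, and that the client attaches the control 1.3.6.1.4.1.42.2.27.8.5.1 visible in the dump.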
[Fedora-directory-users] 'No Such Object' when importing LDIF from OpenLDAP
by Tim Edwards
I'm trying to import the data from our OpenLDAP server into FedoraDS.
I've exported the data from OpenLDAP into an LDIF file and am now trying
to import that into my Fedora DS instance, unfortunately it gets errors
on the first entry. I tried just separating out the first entry into its
own LDIF file:
dn: cn=Domain Users,ou=groups,dc=registriesltd,dc=com,dc=au
gidNumber: 513
sambaSID: S-1-5-21-1837449576-3234076748-520123900-513
cn: Domain Users
sambaGroupType: 2
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
description: Domain Users
displayName: Domain Users
creatorsName: cn=samba,ou=special,dc=registriesltd,dc=com,dc=au
createTimestamp: 20041013050147Z
modifiersName: cn=samba,ou=special,dc=registriesltd,dc=com,dc=au
modifyTimestamp: 20041013050147Z
But I still get the same error when importing it:
Error adding object 'dn: cn=Domain
Users,ou=groups,dc=registriesltd,dc=com,dc=au'. The error sent by the
server was 'No such object'. The object is: LDAPEntry: cn=Domain
Users,ou=groups,dc=registriesltd,dc=com,dc=au; LDAPAttributeSet:
LDAPAttribute {type='gidnumber', values='513'} LDAPAttribute
{type='displayname', values='Domain Users'} LDAPAttribute
{type='objectclass', values='top,posixgroup,sambaGroupMapping'}
LDAPAttribute {type='sambasid',
values='S-1-5-21-1837449576-3234076748-520123900-513'} LDAPAttribute
{type='modifytimestamp', values='20041013050147Z'} LDAPAttribute
{type='modifiersname',
values='cn=samba,ou=special,dc=registriesltd,dc=com,dc=au'}
LDAPAttribute {type='sambagrouptype', values='2'} LDAPAttribute
{type='createtimestamp', values='20041013050147Z'} LDAPAttribute
{type='cn', values='Domain Users'} LDAPAttribute {type='creatorsname',
values='cn=samba,ou=special,dc=registriesltd,dc=com,dc=au'}
LDAPAttribute {type='description', values='Domain Users'}.
I'm a bit of a newbie when it comes to LDIF files and schemas so I'm not
sure exactly where to go from here. Is there a more detailed error log
than that rejects file? What kind of problems cause this 'No Such
Object' error?
Thanks
--
Tim Edwards
17 years, 10 months
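An add is refused with 'No such object' when the entry's parent does not exist on the target server; for the posted entry that parent is ou=groups,dc=registriesltd,dc=com,dc=au. As an added example (not from the post), a pre-flight check in Python that orders an exported LDIF parents-first, reports entries whose parent is neither on the server nor earlier in the file, and strips the operational attributes the export carries; the sample LDIF is constructed from the post and the suffixes assumed to exist on the server are an assumption.

```python
# Sample LDIF constructed from the post: the exported group entry, followed by
# its parent container placed after it (exports are not always parents-first).
SAMPLE_LDIF = """dn: cn=Domain Users,ou=groups,dc=registriesltd,dc=com,dc=au
gidNumber: 513
cn: Domain Users
objectClass: top
objectClass: posixgroup
objectClass: sambaGroupMapping
creatorsName: cn=samba,ou=special,dc=registriesltd,dc=com,dc=au
createTimestamp: 20041013050147Z

dn: ou=groups,dc=registriesltd,dc=com,dc=au
objectClass: organizationalUnit
ou: groups
"""
# Operational attributes (NO-USER-MODIFICATION): the server sets them itself and
# commonly refuses them in an add, so they are stripped before import.
OPERATIONAL = {"creatorsname", "createtimestamp", "modifiersname", "modifytimestamp"}

def ldif_entries(text):
    """Yield (dn, [(attr, value), ...]) per entry, joining RFC 2849 folded lines."""
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = [(a.strip(), v.strip()) for a, _, v in (l.partition(":") for l in lines)]
        yield attrs[0][1], attrs[1:]

def parent_dn(dn):
    """Everything after the first unescaped comma (RFC 4514); '' for a suffix."""
    escaped = False
    for i, ch in enumerate(dn):
        if ch == "\\" and not escaped:
            escaped = True
        elif ch == "," and not escaped:
            return dn[i + 1:].strip()
        else:
            escaped = False
    return ""

depth = lambda dn: 0 if not dn else 1 + depth(parent_dn(dn))  # number of RDNs

def preflight(text, existing_suffixes):
    """Return entries ready to add (parents first) and the ones that would fail."""
    present = {s.lower() for s in existing_suffixes}
    ready, problems = [], []
    for dn, attrs in sorted(ldif_entries(text), key=lambda e: depth(e[0])):
        if parent_dn(dn).lower() not in present:
            problems.append("%s: parent '%s' does not exist" % (dn, parent_dn(dn)))
            continue
        present.add(dn.lower())
        ready.append((dn, [(a, v) for a, v in attrs if a.lower() not in OPERATIONAL]))
    return ready, problems
```

Run against an empty suffix set it reports both entries, which is the situation the posted rejects file describes; with the base suffix present the container is added first and the group follows.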
[Fedora-directory-users] Re: Re: ssl client authentication
by Michael Montgomery
Does anyone possibly have an answer to these questions? I'm quite
stumped at the moment, and would love to try and get this fully working.
Thanks again.
> Date: Thu, 17 Nov 2005 10:09:45 -0600
> From: Michael Montgomery <mmontgomery(a)theplanet.com>
> Subject: Re: Re: [Fedora-directory-users] ssl client authentication
> To: fedora-directory-users(a)redhat.com
> Message-ID: <1132243785.24437.11.camel@work>
> Content-Type: text/plain
>
> Thank you very much for your response. I just have a couple more
> questions so I can be sure I know what I'm talking about.
>
> > the directory server (your SSL server) replies with the certificate chain which includes
> > the CA certificate, and the self-signed SSL certificate."
>
> I'm assuming the 'self-signed SSL certificate' is the client's ssl
> certificate I imported into the SSL server's store, and NOT the server's
> own client certificate?
>
> > you should have the SSL certificate imported into your SSL client's security database,
> > and it should be marked as trusted (i.e -t "CT,CT,CT").
>
> Is there any documentation on how to do this with a RHEL4 server? The
> only things that come to mind are the openssl dirs '/usr/share/ssl/*',
> and possibly installing the certutil package on this machine...(but how
> would the ldap.conf file reference this, and even know about it... I'm
> curious about integration)
>
> >Another way to do this is to sign your SSL server certificate with your self-signed CA
> > certificate, and import your CA certificate into your SSL client's security database.
>
> I'm assuming you're talking about this option to Sign/Validate a
> self-signed cert:
>
> -V Validate a certificate
> -n cert-name The nickname of the cert to Validate
> -b time validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
> -e Check certificate signature
> -u certusage Specify certificate usage:
> C SSL Client
> V SSL Server
> S Email signer
> R Email Recipient
> -d certdir Cert database directory (default is ~/.netscape)
> -P dbprefix Cert & Key database prefix
> -X force the database to open R/W
>
> But then there's still the above question of how to import it into
> clients...
>
> Once again, thank you very much for your answers up to this point, as
> they were quite helpful.
>
> Michael.
17 years, 10 months