I'm new to FDS and have a (stupid ?) question about ACI.
First : where do I set them ? I looked at the dse.ldif file, but I don't
believe it's in there.
Second : how would a rule allowing members of "Directory Administrators"
to essentially do everything look like ?
Thanks for the help.
What I used to do in openldap was use an objectclass
inetLocalMailRecipient which was defined in the 'misc.schema' and my
primary usage was to use an attribute inetLocalMailAddress to stuff
additional addresses as aliases because I struggled with multiple values
in the mail attribute.
Obviously I can import the openldap schema that I was using into FDS but
now I am thinking that it is probably a better idea to re-examine my
To reduce my questions to basic...
- is the mail attribute multi-valued?
- How do I determine which attributes are multi-valued?
- Is there an attribute better used for mail aliases?
On initial console connection attempts, the admin server logs the
XX.XX.XX.XX - - [12/Dec/2005:09:46:59 -0500] "\x80F\x01\x03\x01" 302 291
I did a packet capture and can see the same data coming from the
console to the remote server.
Is this an expected request?
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
Is it possible with Redhat Directory Server to use public key
authentication for all our Linux based servers? Currently we have it
setup individually for each system. However we would like to go to a
centrally managed solution to keep it easy and allow us to scale much more
Any advice would be great.
I was following the instructions at  and I found an error regarding
how Samba tries to add its domain to the directory.
[12/Dec/2005:11:18:36 -0200] - Entry
"sambaDomainName=MYDOMAIN,dc=example,dc=com" -- attribute "objectClass"
It seems like a schema verification problem. Anyway, my fix was to add
it manually with the following LDIF:
The SID is the one I got from a previous install using OpenLDAP. After
forcing the add of MYDOMAIN the command 'net getlocalsid' works and
reports another SID which I've updated in the directory.
Just in case anyone has got the same problem.. I'll repeat the process
another time and try to write a small tutorial on it.
Giovanni P. Tirloni
... seems harder than I thought. I can't get Ldapimport to do anything
and it doesn't display any errors and the old fedora 4
/usr/share/openldap/migration scripts all die with a message saying
there is no "require" command.
thanks in advance for the help,
Math and Computer Science
Washington High School
2205 Forest Dr. SE
Cedar Rapids, IA 52403
I suppose being the newbie - I have to ask the obligatory ACI
I have personal address books...each user would have one - i.e.
and my thinking is that each person can read/write/delete/etc. their own
address book, authenticated users can read and anonymous is denied.
Thus I created 3 rules and they aren't working because an
unauthenticated/anonymous bind still can view them...
These are the 3 rules (which are applied to ou=People with the
expectation that each address book would inherit)...
(targetattr = "*") (target =
3.0;acl "Personal Address Books Owner";allow (all)(userdn =
(targetattr = "*") (target =
3.0;acl "Personal Address Books Non Owner";allow
(read,compare,search)(userdn = "ldap:///all");)
(targetattr = "") (target = "ldap:///ou=AddressBook,uid=*,ou=People,
dc=azapple,dc=com") (version 3.0;acl "Personal Address Books";deny
(all)(userdn = "ldap:///anyone");)
are these supposed to be separate rules or combined into 1 rule?
and lastly...despite the documentation, I can't get ldapsearch to return
the list of ACI's...
./ldapsearch -h localhost -D 'cn=Directory Manager' -w - '(aci=*)'
whether I use the ldapsearch client from fedora-ds or the one from
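The following is an added illustration, not part of the post above, of how FDS-style ACIs combine. It models only a subset of the server's semantics: deny takes precedence over allow, ldap:///anyone covers anonymous and authenticated binds, ldap:///all covers authenticated binds only, ldap:///self matches the entry itself, and a wildcard in a target DN matches one RDN value. Everything else is an assumption of the model: the truncated owner bind rule is taken to be ldap:///self, an ACI without a target clause is treated as sitting on the suffix, an empty targetattr is treated as matching no attribute, and the "Enable anonymous access" ACI is written from memory of what a default install places on the suffix. The sample DNs under dc=azapple,dc=com are constructed.

```python
import re

# Simplified model of FDS/389-style ACI evaluation (added example, not list content).
# Modelled: deny-over-allow precedence, wildcard targets, targetattr = / !=,
# and the userdn bind rules ldap:///anyone, ldap:///all, ldap:///self and DN patterns.

ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite", "proxy"}

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'(?:\(target\s*=\s*"ldap:///(?P<target>[^"]*)"\)\s*)?'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(?userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"\)?\s*;\s*\)',
    re.S,
)

def parse_aci(text):
    """Parse one ACI string of the shape used in the post into a dict."""
    m = ACI_RE.fullmatch(" ".join(text.split()))
    if not m:
        raise ValueError("unparsed ACI: " + text)
    d = m.groupdict()
    rights = {r.strip() for r in d["rights"].split(",")}
    d["rights"] = ALL_RIGHTS if "all" in rights else rights
    d["attrs"] = {a.strip().lower() for a in d["attrs"].split(",") if a.strip()}
    return d

def dn_matches(pattern, dn):
    """Does dn equal or lie under pattern? '*' matches one RDN value."""
    if pattern is None:
        return True  # assumption: an ACI with no target clause sits on the suffix
    rx = re.escape(pattern.lower()).replace(r"\*", r"[^,]*")
    return re.fullmatch(r"(?:.*,)?" + rx, dn.lower()) is not None

def attr_matches(aci, attr):
    # Assumption of the model: targetattr = "" lists no attribute, so it matches none.
    listed = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
    return listed if aci["op"] == "=" else not listed

def userdn_matches(rule, bind_dn, entry_dn):
    if rule == "anyone":
        return True                       # anonymous and authenticated binds
    if rule == "all":
        return bind_dn is not None        # authenticated binds only
    if rule == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    return bind_dn is not None and dn_matches(rule, bind_dn)

def permitted(acis, bind_dn, entry_dn, attr, right):
    """Deny wins over allow; with no matching allow the request is denied."""
    verdict = False
    for aci in acis:
        if right not in aci["rights"] or not dn_matches(aci["target"], entry_dn):
            continue
        if not attr_matches(aci, attr) or not userdn_matches(aci["userdn"], bind_dn, entry_dn):
            continue
        if aci["effect"] == "deny":
            return False
        verdict = True
    return verdict

SUFFIX = "dc=azapple,dc=com"
BOOK = "ou=AddressBook,uid=*,ou=People," + SUFFIX

# Constructed sample ACIs. The first mirrors the anonymous-read ACI a default FDS
# install places on the suffix (wording assumed); the rest follow the post's three
# rules, with the truncated owner bind rule assumed to be ldap:///self.
DEFAULT_ANON = ('(targetattr != "userPassword")(version 3.0; acl "Enable anonymous access"; '
                'allow (read, search, compare) userdn="ldap:///anyone";)')
OWNER = ('(targetattr = "*") (target = "ldap:///%s") (version 3.0;acl "Personal Address Books Owner";'
         'allow (all)(userdn = "ldap:///self");)' % BOOK)
NON_OWNER = ('(targetattr = "*") (target = "ldap:///%s") (version 3.0;acl "Personal Address Books Non Owner";'
             'allow (read,compare,search)(userdn = "ldap:///all");)' % BOOK)

def deny_rule(targetattr):
    return ('(targetattr = "%s") (target = "ldap:///%s") (version 3.0;acl "Personal Address Books";'
            'deny (all)(userdn = "ldap:///anyone");)' % (targetattr, BOOK))

ENTRY = "cn=Friend,ou=AddressBook,uid=alice,ou=People," + SUFFIX   # constructed
ALICE = "uid=alice,ou=People," + SUFFIX
BOB = "uid=bob,ou=People," + SUFFIX

def outcome(deny_targetattr):
    """Who may read 'cn' in Alice's address book under the default ACI plus the three rules."""
    acis = [parse_aci(a) for a in (DEFAULT_ANON, OWNER, NON_OWNER, deny_rule(deny_targetattr))]
    return {who: permitted(acis, dn, ENTRY, "cn", "read")
            for who, dn in (("anonymous", None), ("alice", ALICE), ("bob", BOB))}

if __name__ == "__main__":
    print('deny with targetattr = "" :', outcome(""))
    print('deny with targetattr = "*":', outcome("*"))
```

Two things fall out of the model. With the deny rule's targetattr left empty, nothing in the model blocks the suffix-level anonymous-read ACI, so every bind can read the entry; with targetattr = "*" the deny matches, and because ldap:///anyone includes authenticated binds and deny takes precedence, it also shuts out the owner and the authenticated non-owner the first two rules were meant to allow. Separately, the ldapsearch line in the post gives no search base with -b and does not name the aci attribute, which FDS returns only when it is requested explicitly (for example `... -b 'dc=azapple,dc=com' '(aci=*)' aci`).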
> Date: Fri, 09 Dec 2005 12:31:01 -0700
> From: David Boreham <david_list(a)boreham.org>
>> My thinking is that this somehow has something to do with the TLS_CACERT
>> in /etc/openldap/ldap.conf (the certificate for the client).
> In general most folk don't need client certs, but AFAIK the openldap
> ldapsearch _requires_ that you present a client cert.
Wrong. Client certs are only needed if you want to do certificate-based
client authentication, and the default settings do not require them. Of
course, the TLS_CACERT directive, as the name suggests, is for setting
the path to the CA cert, and by default it *is* required. I think your
terminology is imprecise here, so that may be confusing the issue.
>> Would this be the issue?
> Probably yes. Shouldn't you be using a user-specific ldap.conf for your
> client-side config ?
>> Is there a better method for creating the client certificate from either
>> the CA certificate (generated by openssl) or from the FDS Server
>> Certificate (also generated by openssl)?
> Provided the client cert was signed by the same CA as the server cert,
> you should be ok. The client cert has no relationship per se with the
> server cert.
Again, the poster was referring to the CA cert on the client, not a
"client cert," so dragging that into the discussion is only muddying things.
Note that the original poster used TLS_CACERT and TLS_CACERTDIR and the
OpenLDAP docs specifically state to use only one or the other, and in
general, not to use TLS_CACERTDIR at all. This is the real error;
TLS_CACERT must be a fully qualified path to a certificate file.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
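As an added example (not from this thread or from OpenLDAP), here is a small check that applies the two points made in the reply above to a client-side ldap.conf: TLS_CACERT and TLS_CACERTDIR should not both be set, and TLS_CACERT must be a fully qualified path. It also flags a TLS_REQCERT value of never or allow, which makes the client proceed even when the server certificate cannot be verified against that CA. Both sample configurations and the server name ds.example.com are constructed; the weak one sits beside its corrected form.

```python
import os

# Constructed sample client-side ldap.conf contents (not from the thread).
WEAK_CONF = """\
BASE dc=example,dc=com
URI ldap://ds.example.com
TLS_CACERT cacert.pem
TLS_CACERTDIR /etc/openldap/cacerts
TLS_REQCERT allow
"""

FIXED_CONF = """\
BASE dc=example,dc=com
URI ldap://ds.example.com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Return {KEY: value} for the key/value lines of an OpenLDAP ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def check_tls_settings(text):
    """List the TLS problems described in the reply, plus a weakened TLS_REQCERT."""
    conf = parse_ldap_conf(text)
    problems = []
    if "TLS_CACERT" in conf and "TLS_CACERTDIR" in conf:
        problems.append("TLS_CACERT and TLS_CACERTDIR are both set; use only one, "
                        "preferably TLS_CACERT")
    cacert = conf.get("TLS_CACERT")
    if cacert is not None and not os.path.isabs(cacert):
        problems.append("TLS_CACERT must be a fully qualified path to the CA certificate file")
    # demand is OpenLDAP's default: the server certificate must verify or the session fails
    if conf.get("TLS_REQCERT", "demand").lower() in ("never", "allow"):
        problems.append("TLS_REQCERT %s lets the session proceed without a verified "
                        "server certificate" % conf["TLS_REQCERT"])
    return problems

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, check_tls_settings(conf) or "no problems found")
```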