[Fedora-directory-users] Host Access Based on Group Membership
by Jason Hane
I've been searching everywhere for the past week and haven't found a
solution. I would like to be able to assign access to servers based
upon membership in a group or role. For example, if I create a
group/role called "Web Servers", everyone in that group can access all
the web servers. Everyone in the group/role "Database Servers" would be
allowed to log into the database servers. Users can be part of multiple
groups.
There has to be a way to do this already. All the clients are running
OpenLDAP and can already authenticate to the Directory Server. To
implement this solution, would I have to change ldap.conf or
system-auth?
Thanks,
Jason
18 years, 4 months
[Fedora-directory-users] Integration with Apple's OpenDirectory
by Billy Allan
Hi,
I'm looking to use FD as our main LDAP server - with Active Directory
for windows clients and OpenDirectory for Apple clients. I was
wondering if anyone had tried integration with Apple's software as I
couldn't see anything in the docs or on the list?
If anyone has - any tips/pointers/pitfalls?
Billy.
18 years, 4 months
[Fedora-directory-users] Correction: [SECURITY] Fedora Directory Server 1.0 Update: Admin Server
by Rich Megginson
Correction to the below notice. The link is broken. It should be
http://directory.fedora.redhat.com/sources/adminserver10to101.patch
And the md5sum is not correct. It should be
1a18195b3bf057139e04852f6f3c0be9 adminserver10to101.patch
I apologize for any inconvenience or confusion.
---------------------------------------------------------------------
Fedora Directory Server Update Notification
2005-12-07
---------------------------------------------------------------------
Product : Fedora Directory Server
Name : Admin Server
Version : 1.0
Release : 1
Summary : The Admin Server httpd administrative engine.
Description :
The Admin Server component of Fedora Directory Server is an httpd
server which uses Apache 2 to serve up web pages and execute
CGIs used to administer the Fedora Directory Server. This package
is included with Fedora Directory Server.
---------------------------------------------------------------------
Update Information:
Fixed bug #174837 (CVE-2005-3630)
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174837
Frank Reppin discovered a flaw in the default Apache configuration for
Fedora DS. By default clients are allowed to read everything under the
document root, which can reveal sensitive information to a remote user.
This update modifies this behavior, only allowing read access to
specific files and directories under the document root.
---------------------------------------------------------------------
This update is a patch file available for download from:
http://directory.fedora.redhat.com/download/adminserver10to101.patch
2d7553a300551ef2a19b1b89a017e5ff adminserver20051205.patch
To install the patch:
cd /opt/fedora-ds
patch -p0 < adminserver10to101.patch
./restart-admin
18 years, 4 months
[Fedora-directory-users] [SECURITY] Fedora Directory Server 1.0 Update: Admin Server
by Rich Megginson
---------------------------------------------------------------------
Fedora Directory Server Update Notification
2005-12-07
---------------------------------------------------------------------
Product : Fedora Directory Server
Name : Admin Server
Version : 1.0
Release : 1
Summary : The Admin Server httpd administrative engine.
Description :
The Admin Server component of Fedora Directory Server is an httpd
server which uses Apache 2 to serve up web pages and execute
CGIs used to administer the Fedora Directory Server. This package
is included with Fedora Directory Server.
---------------------------------------------------------------------
Update Information:
Fixed bug #174837 (CVE-2005-3630)
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=174837
Frank Reppin discovered a flaw in the default Apache configuration for
Fedora DS. By default clients are allowed to read everything under the
document root, which can reveal sensitive information to a remote user.
This update modifies this behavior, only allowing read access to
specific files and directories under the document root.
---------------------------------------------------------------------
This update is a patch file available for download from:
http://directory.fedora.redhat.com/download/adminserver10to101.patch
2d7553a300551ef2a19b1b89a017e5ff adminserver20051205.patch
To install the patch:
cd /opt/fedora-ds
patch -p0 < adminserver10to101.patch
./restart-admin
18 years, 4 months
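The class of misconfiguration the notice above describes, as an added example (not the Admin Server's actual httpd.conf and not the patch): a DocumentRoot that is readable in full, beside a default-deny configuration that re-opens only the paths the application serves. The paths, the /admin-cgi/ alias and the file-extension list are placeholders; the directives are Apache 2.0 mod_access syntax, which is what the notice says the Admin Server was built on.

```apache
# Constructed example. Paths and aliases are placeholders.

# --- Permissive pattern (the behaviour the advisory fixes): every file under
# --- DocumentRoot is readable by any client that can reach the port, and
# --- "Indexes" hands out directory listings to help it find them.
#
# DocumentRoot "/opt/adminserver/html"
# <Directory "/opt/adminserver/html">
#     Options Indexes FollowSymLinks
#     AllowOverride None
#     Order allow,deny
#     Allow from all
# </Directory>

# --- Hardened pattern: deny the whole tree, then re-open only what is needed.
DocumentRoot "/opt/adminserver/html"
<Directory "/opt/adminserver/html">
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Static UI assets the console actually loads.
<Directory "/opt/adminserver/html/ui">
    Order allow,deny
    Allow from all
</Directory>

# CGIs live outside DocumentRoot and are reachable only through the alias,
# so they are executed, never read as files.
ScriptAlias /admin-cgi/ "/opt/adminserver/cgi-bin/"
<Directory "/opt/adminserver/cgi-bin">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Files sections are merged after Directory sections, so this wins even if a
# configuration or credential file ends up inside an allowed directory.
<FilesMatch "\.(conf|secret|pw|db)$">
    Order deny,allow
    Deny from all
</FilesMatch>
```

After restarting the admin server (the notice uses ./restart-admin), request one path that must be served and one that must not, and confirm the first returns 200 and the second 403; a 200 on a file outside the allowed subtree means a later `<Directory>` or `<Location>` block has re-opened it.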
[Fedora-directory-users] FDS 1.0 console problem
by Taymour A. El Erian
Hi,
I have just downloaded FDS 1.0 to my FC2 box for testing (thinking
of moving from OpenLDAP). I started the setup (tried the 3 modes) and
finished the installation but unfortunately I am unable to login to the
console and I have the following errors in the log
[Mon Dec 05 11:20:02 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :148841712
[Mon Dec 05 11:20:02 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:10 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :145712368
[Mon Dec 05 11:20:10 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:11 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :156321008
[Mon Dec 05 11:20:11 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:12 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :141018352
[Mon Dec 05 11:20:12 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:13 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :144086256
[Mon Dec 05 11:20:13 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:14 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :163882224
[Mon Dec 05 11:20:14 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:16 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :161109232
[Mon Dec 05 11:20:16 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:45 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :144094448
[Mon Dec 05 11:20:45 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:47 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :152855792
[Mon Dec 05 11:20:47 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:20:49 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :163517680
[Mon Dec 05 11:20:49 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:21:37 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :145147120
[Mon Dec 05 11:21:37 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:21:55 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :152823024
[Mon Dec 05 11:21:55 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:21:56 2005] [crit] openLDAPConnection(): ldap_set_option
failed to disable cache for :152845528
[Mon Dec 05 11:21:56 2005] [warn] Unable to open initial LDAPConnection
to populate LocalAdmin tasks into cache.
[Mon Dec 05 11:21:56 2005] [notice] Apache/2.0 configured -- resuming
normal operations
[Mon Dec 05 11:22:39 2005] [notice] [client 212.103.165.84]
admserv_host_ip_check: Unauthorized host ip=xxx.xxx.xxx.xxx connection
rejected
xxx.xxx.xxx.xxx is my ip address (both the server and console run on it)
Any help?
--
Taymour A El Erian
System Division Manager
RHCE, LPIC, CCNA, MCSE, CNA
TE Data
E-mail: taymour.elerian(a)tedata.net
Web: www.tedata.net
Tel: +(202)-4166600
Fax: +(202)-4166700
Ext: 1101
18 years, 4 months
[Fedora-directory-users] Schema fun :-)
by David Barker
Hi all,
I've just been having some fun converting some schemas from our
existing openldap schema to FDS :-) A couple of things have been thrown
up, that I have listed below (for google and others in the audience ;-)
- Those still on the samba 2.x ldap schema will find it clashes with
00core.ldif. Samba 2 defines pwdMustChange , as does 00core.ldif.
Removing the pwdMustChange from the samba schema lets ns-slapd start,
and samba works fine too.
- openldap will let you use the syntax OID
"1.3.6.1.4.1.1466.115.121.1.36" ( numericString -
http://www.alvestrand.no/objectid/1.3.6.1.4.1.1466.115.121.1.36.html )
but ns-slapd won't. Not really a problem - in our case, we were able to
use 1.3.6.1.4.1.1466.115.121.1.27 ( integer -
http://www.alvestrand.no/objectid/1.3.6.1.4.1.1466.115.121.1.27.html )
instead but others are available too :)
As an aside, are user updates going to be allowed to the wiki soon? :-)
18 years, 4 months
[Fedora-directory-users] MD5 passwords for FDS
by Ryan Ordway
Any ideas when the MD5 password handling code will be in the
distributed binaries? I'm considering migrating from OpenLDAP to
FDS, but I've got some users with MD5 passwords that I would need
to be able to handle.
Thanks,
Ryan
--
Ryan Ordway E-mail: ryan.ordway(a)oregonstate.edu
Unix Systems Administrator rordway(a)library.oregonstate.edu
Oregon State University Libraries
121 The Valley Library Office: The Valley Library #4657
Corvallis, OR 97331
18 years, 4 months
[Fedora-directory-users] moron at the helm - can't coordinate users-groups & padl stuff
by Craig White
This is basic stuff and I could do it easily with openldap and I can see
I am close. I can get what I need from command line ldapsearch and it
works fine.
RHEL 4 - have run authconfig and my pam.d/system-auth looks like wiki
page for FDS with PAM
I can tell that the padl stuff (nsswitch.conf and /etc/ldap.conf) is
working because the logs show me that 'cn=Directory Manager' is
attempting to bind but it always returns error=32 (obviously no such
object...which by the way is a lousy error report because obviously this
is about invalid credentials and should return error=49)
Anyway, I do have the password for cn=Directory Manager
in /etc/ldap.secret (have tried both with and without a line feed) and
even tried to put rootbinddn & rootpw in /root/.ldaprc to no avail.
Regardless, 'getent passwd' doesn't return anything but contents
of /etc/passwd (likewise for group)
Is there a clue stick for being able to derive accounts from FDS?
I could post the contents of /etc/ldap.conf and /etc/nsswitch if
necessary...perhaps it's one of the commented values in ldap.conf that I
routinely pass over with openldap.
Craig
18 years, 4 months
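A worked /etc/ldap.conf for the PADL nss_ldap and pam_ldap clients that both Jason Hane's per-host group question (earlier on this page) and Craig White's getent/bind problem above are configuring. This is an added example, from neither poster nor the FDS documentation; the directory layout (dc=example,dc=com, the ou=People and ou=Groups containers, the cn=nss-proxy service account and the "Web Servers" group DN) is assumed.

```text
# /etc/ldap.conf for PADL nss_ldap + pam_ldap (constructed example)

uri ldap://ds.example.com/
base dc=example,dc=com
ldap_version 3
# Keep simple binds off the wire in the clear.
ssl start_tls

# Lookups bind as a read-only service account, never as Directory Manager.
binddn cn=nss-proxy,ou=Services,dc=example,dc=com
bindpw REPLACE-WITH-PROXY-PASSWORD

# Used only by root (uid 0), so root can change a user's password without
# knowing the old one. The password is read from /etc/ldap.secret
# (mode 0600, one line). This DN must match the server's nsslapd-rootdn.
rootbinddn cn=Directory Manager

# Where getent passwd / getent group search; "one" = one level below.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one

# Authorization for this host: pam_ldap's account check passes only for
# members of this one group. On a database server point it at the
# "Database Servers" group instead.
pam_groupdn cn=Web Servers,ou=Groups,dc=example,dc=com
pam_member_attribute uniqueMember
pam_login_attribute uid
```

Three checks and caveats that go with this file. First, the group restriction is enforced by pam_ldap.so in the account section of /etc/pam.d/system-auth (authconfig puts it there), so the answer to "ldap.conf or system-auth" is both; pam_ldap tests membership by comparing the user's DN against the member attribute, so the group must hold DNs (groupOfUniqueNames with uniqueMember), not posixGroup memberUid values. Second, pam_groupdn takes a single group, so a host that should admit two roles needs a host-specific group listing both sets of members. Third, a bind that the access log records as err=32 (noSuchObject) rather than err=49 (invalidCredentials) is worth checking against the root DN the server was actually set up with (nsslapd-rootdn under cn=config), since 49 is what a wrong password produces; `ldapsearch -x -H ldap://ds.example.com -D 'cn=Directory Manager' -W -b dc=example,dc=com -s base` run from the client settles both the DN and the password in one step. Putting the Directory Manager password in /etc/ldap.secret on every client hands full directory control to anyone who gets root on any of them, which is why the lookups above use the low-privilege binddn.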
[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 7, Issue 15
by Kevin M. Goess
On Tuesday 06 December 2005 01:33 pm,
fedora-directory-users-request(a)redhat.com wrote:
> This is a permissions problem. Did you use the same user for the
> directory server as for the admin server?
Nope, I used ldap for the directory server, which seems to work fine, and was
trying to use 'ldapas' for the admin server.
> What's in the file /tmp/file2dDMoZ?
$ ls -lF /tmp/file2dDMoZ
-rw-r--r-- 1 root root 0 Dec 6 13:12 /tmp/file2dDMoZ
An empty file, owned by root.
> What is the output of
> ls -l admin-serv/config
> ?
$ ls -al admin-serv/config/
total 60
drwxr-xr-x 2 ldapas ldapas 4096 2005-12-06 16:59 .
drwxr-xr-x 6 ldapas ldapas 4096 2005-12-06 16:59 ..
-rw------- 1 ldapas root 347 2005-12-06 16:59 adm.conf
-rw------- 1 ldapas ldapas 39 2005-12-06 16:59 admpw
-rw------- 1 ldapas root 3537 2005-12-06 16:59 admserv.conf
-rw------- 1 ldapas root 3722 2005-12-06 16:59 console.conf
-rw------- 1 ldapas root 26608 2005-12-06 16:59 httpd.conf
-rw------- 1 ldapas root 4573 2005-12-06 16:59 nss.conf
> >On a side note, is there any reason not to use the standard redhat
> >"ldap" user
> >instead of "nobody" for the default suggested slapd user?
>
> You should be able to use "ldap".
>
> >My impression was
> >that "nobody" should not own any files on the filesystem.
Then would this be the place to suggest making the suggested default "ldap"
instead of "nobody"? I know at least one sysadmin who would be saved the
trouble of pulling out his hair in handfuls when he saw important system
files owned by the "nobody" user.
--
Kevin M. Goess
(415) 277-2079
Ensenda, Inc.
18 years, 4 months
[Fedora-directory-users] Re: a little bit of samba confusion
by Steve Bonneville
Craig White <craigwhite(a)azapple.com> wrote:
> First, imported nearly my entire openldap structure...but couldn't
> import this record
>
> dn: sambaDomainName=AZAPPLE,dc=azapple,dc=com
> objectClass: sambaDomain
> sambaDomainName: AZAPPLE
> sambaSID: S-1-5-21-1423820788-2381578139-3444021595
> sambaAlgorithmicRidBase: 1000
>
> Easy enough to recreate in console but didn't understand the error...
> [03/Dec/2005:11:24:28 -0700] - Entry
> "sambaDomainName=AZAPPLE,dc=azapple,dc=com" -- attribute "objectClass"
> not allowed
The samba.schema file was converted with a tool that doesn't avoid
the "overly picky schema parsing" bug (#170791). You can try the
new schema conversion script on the website to see if it handles
this, or for samba.schema the workaround
./ol-schema-migrate.pl samba.schema | grep -v DESC > 61samba.ldif
to remove all DESC lines from the schema will work, since the DESC
line is an optional line that is out of order in the original file.
See the bug for details about how this affects objectclass
sambaDomain; the short story is that Directory Server doesn't know
that sambaDomain is derived from objectclass top, from which
sambaDomain inherits the "objectClass" attribute.
-- Steve Bonneville
18 years, 4 months
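The two schema-conversion problems in this thread, David Barker's "Schema fun" (the pwdMustChange clash with 00core.ldif and the rejected numericString syntax) and the out-of-order DESC line that Steve Bonneville's `grep -v DESC` workaround removes, handled in one small converter. This is an added example, not ol-schema-migrate.pl and not part of the original posts. It assumes the OpenLDAP `attributetype ( ... )` / `objectclass ( ... )` syntax and emits one definition per LDIF line, which is why an out-of-order DESC or SUP can no longer be mis-parsed; the sample schema is constructed with placeholder OIDs under a made-up arc, the set of core attribute names is limited to the one clash the thread reports, and `NAME ( 'a' 'b' )` alias lists are not handled.

```python
import re
from dataclasses import dataclass, field

# Syntax OIDs named in the thread: ns-slapd rejected numericString, integer worked.
NUMERIC_STRING = "1.3.6.1.4.1.1466.115.121.1.36"
INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"

# Attribute names already defined by the server's own 00core.ldif.
# Assumption: only the clash reported in the thread is listed; a real run
# would fill this set by parsing 00core.ldif.
CORE_ATTRIBUTES = {"pwdMustChange"}

KIND_MAP = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}


@dataclass
class Conversion:
    ldif: str = ""
    skipped: list = field(default_factory=list)    # definitions dropped as core clashes
    warnings: list = field(default_factory=list)   # syntax substitutions made


def _definitions(text):
    """Yield (kind, '( ... )') for each attributetype/objectclass block.
    Parenthesis depth is tracked so nested MUST ( a $ b ) lists stay whole."""
    for m in re.finditer(r"^[ \t]*(attributetype|objectclass)\s*\(", text, re.I | re.M):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "(":
                depth += 1
            elif text[i] == ")":
                depth -= 1
            i += 1
        yield m.group(1).lower(), text[m.end() - 1:i]


def convert_schema(text, drop_desc=True):
    """Convert OpenLDAP schema text to a Fedora/389 DS cn=schema LDIF fragment."""
    result = Conversion()
    lines = ["dn: cn=schema"]
    for kind, body in _definitions(text):
        # One definition per LDIF line, so the server's parser never sees a
        # DESC or SUP that sits on a later line as something out of order.
        body = " ".join(body.split())
        name_m = re.search(r"NAME\s+'([^']+)'", body)
        name = name_m.group(1) if name_m else "<unnamed>"
        if kind == "attributetype" and name in CORE_ATTRIBUTES:
            result.skipped.append(name)   # duplicate of a core attribute: ns-slapd would not start
            continue
        if drop_desc:
            # DESC is optional; dropping it is the thread's grep -v DESC workaround.
            body = re.sub(r"\s*DESC\s+'[^']*'", "", body)
        if NUMERIC_STRING in body:
            body = body.replace(NUMERIC_STRING, INTEGER)
            result.warnings.append(f"{name}: numericString syntax replaced with integer")
        lines.append(f"{KIND_MAP[kind]}: {body}")
    result.ldif = "\n".join(lines) + "\n"
    return result


# Constructed sample in OpenLDAP schema syntax. The OIDs are placeholders under
# a made-up arc, not Samba's real ones; it reproduces the thread's problems:
# a core clash, a numericString syntax, and a DESC line out of order.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'sambaSID'
    DESC 'Security ID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'sambaAlgorithmicRidBase'
    DESC 'Base at which the samba RID generation algorithm starts'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'pwdMustChange'
    DESC 'Timestamp of when the password must change (clashes with 00core.ldif)'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'sambaDomain' SUP top STRUCTURAL
    MUST ( sambaDomainName $ sambaSID )
    DESC 'Samba Domain Information'
    MAY ( sambaAlgorithmicRidBase ) )
"""

if __name__ == "__main__":
    conv = convert_schema(SAMPLE_SCHEMA)
    print(conv.ldif)
    print("skipped:", conv.skipped)
    print("warnings:", conv.warnings)
```

Run stand-alone it prints the cn=schema fragment (ready to drop into the server's schema directory as, say, 61samba.ldif) plus the names it skipped and the syntaxes it rewrote; the skipped list is the one to read before loading, since an attribute dropped here must already exist in 00core.ldif with a compatible definition, or Samba will be writing to an attribute the server defines differently.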