[Fedora-directory-users] Schema Conversion
by D Canfield
I don't suppose anyone has found an easy way to convert OpenLDAP schema
into fedora-ds compatible ldif files? We've got about 100 attributes
defined, and I'm really not looking forward to entering them all by hand...
Thanks
DC
17 years, 11 months
[Fedora-directory-users] Wishlist
by Jeff Clowser
I was looking at the wishlist (http://directory.fedora.redhat.com/wiki/Wishlist).
Some of these things can already be done, and should be just a matter of configuration, based on its Netscape DS heritage. Wanted to give back by suggesting some ideas on how to accomplish these wishes where no code changes are needed.
Under Core Server Features:
1. Disable anonymous binds.
By default, the server creates an anonymous aci in the suffix entry (i.e. top of the tree). If you edit that entry and remove that aci, you remove anonymous access. Note that some services "require" anonymous access, so may break (some clients/apps may need to do anon access to look up a uid to get a dn to bind as for auth, etc, so it may either be necessary to change the config of these clients to bind as something that can still do these lookups, or you may have to just tweak anonymous access to limit what it can see, rather than removing it altogether).
2. Option to control resource limits specifically for anonymous.
Anonymous uses the default server settings for these resource limits. I believe Fedora-ds supports the following attributes on entries: nslookthroughlimit, nsizelimit, nstimelimit, and nsidletimeout (these are in the schema, and the Sun and Netscape servers FDS is based on support them). If you put these attributes in an entry, when that entry binds to the server, these resource limits are used instead of the server defaults. So, a way to implement control of resource limits for anonymous is to set the server default settings to whatever you want anonymous to have, and then to set these attributes on all users that you want to be different (i.e. have more lenient limits) than anonymous. For things like mail servers, etc, I always create an entry for the mail/whatever server, and set these attributes to appropriate values.
FYI: setting any of these to -1 means unlimited.
Under Console Features:
2. Add host based access control to posixAccount/shadowAccount to determine who can log into what hosts.
While this is not specifically in Console, it's relatively straightforward to add this, if you're a little creative :) :
- First, create a new ldap attribute in the schema - let's call it something like "allowedHosts". Make sure it is multivalued.
- Second, you need to add it to an objectclass. You could add it to the PosixAccount objectclass (simpler, but not recommended because you are modifying a standard objectclass), or create a new objectclass (let's call it unixUser, make it derive from posixAccount, and add allowedHosts as a required attribute).
- When you create users, set their objectclass to posixAccount and unixUser (and shadowAccount). Add a list of hostnames you want the user to log into in the allowedHosts field.
- When you configure the Unix/Linux/etc box that the user will log into:
  . If you can define a filter for finding users, set it to "(&(objectclass=posixAccount)(allowedHosts=<hostname>))", replacing <hostname> with the hostname of the machine they are logging into.
  . If you cannot define a filter, you can set an IP based aci in the directory for each of these hosts that allows them to see only users that can log into "this" box. You may have to tweak other aci's, such as anonymous, so that they don't allow the box to see the users you don't want seen.
One note to make: purists would say DON'T create attributes and
objectclasses on the fly like this. Personally, I don't have a problem
creating attributes/objectclasses for my own internal use. But... if
someone wanted to formalize this with "real" registered oids for the
attributes and objectclasses, and/or defining and going through all the
paperwork/review process to do this or expand posixAccount officially, I
would have no objections :). NDS/FDS/SDS are nice in that they allow
you to create these local definitions without all the complexities of
registering those definitions to the rest of the world.
- Jeff
18 years, 1 month
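The two schema questions above (converting OpenLDAP schema into FDS-loadable LDIF, and defining the allowedHosts attribute and unixUser objectclass that Jeff describes) can be handled with the same few lines. This is an added example, not code from either poster or from Fedora DS: it converts a constructed OpenLDAP-style schema snippet into a modify of the cn=schema entry, and builds the per-host filter with the hostname escaped per RFC 4515. The OIDs under 1.3.6.1.4.1.99999 are unregistered placeholders, and the X-ORIGIN 'user defined' tag is how FDS marks locally added schema.

```python
import re

# Constructed OpenLDAP-style schema snippet (not from the post): the "allowedHosts"
# attribute and "unixUser" objectclass described above. The OIDs under 1.3.6.1.4.1.99999
# are unregistered placeholders, exactly the kind of local definition the post discusses.
OPENLDAP_SCHEMA = """\
# host based access control for posixAccount entries
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'allowedHosts'
    DESC 'Hosts this account may log into'
    EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'unixUser'
    DESC 'posixAccount with host based access control'
    SUP posixAccount AUXILIARY
    MUST allowedHosts )
"""

# OpenLDAP keyword -> attribute of the cn=schema entry that FDS stores it under
FDS_ATTR = {"attributetype": "attributeTypes", "objectclass": "objectClasses"}
DEF_START = re.compile(r"^(attributetype|objectclass)\b", re.I | re.M)

def parse_openldap_schema(text):
    """Return [(kind, definition)] with each parenthesised definition on one line.
    Comment lines are dropped; parentheses are matched by depth so 'MUST ( a $ b )'
    style groups survive (a DESC containing an unbalanced paren would not)."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    defs = []
    for m in DEF_START.finditer(body):
        start = body.index("(", m.end())
        depth = 0
        for end in range(start, len(body)):
            depth += {"(": 1, ")": -1}.get(body[end], 0)
            if depth == 0:
                break
        defs.append((m.group(1).lower(), " ".join(body[start:end + 1].split())))
    return defs

def to_fds_ldif(defs):
    """One LDIF modify of cn=schema adding every definition, tagged X-ORIGIN
    'user defined' as FDS does for locally added schema."""
    lines = ["dn: cn=schema", "changetype: modify"]
    for kind, definition in defs:
        if "X-ORIGIN" not in definition:
            definition = definition[:-1].rstrip() + " X-ORIGIN 'user defined' )"
        lines += ["add: " + FDS_ATTR[kind], f"{FDS_ATTR[kind]}: {definition}", "-"]
    return "\n".join(lines) + "\n"

def escape_filter_value(value):
    """RFC 4515 escaping: a hostname pasted into a filter must not be able to
    add wildcards or close the filter early."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def host_filter(hostname):
    """The per-host user filter from the post, with the hostname escaped."""
    return f"(&(objectclass=posixAccount)(allowedHosts={escape_filter_value(hostname)}))"

if __name__ == "__main__":
    print(to_fds_ldif(parse_openldap_schema(OPENLDAP_SCHEMA)))
    print(host_filter("shell01.example.com"))
```

The resulting LDIF is applied with ldapmodify bound as the Directory Manager; the same parser handles a whole OpenLDAP .schema file as input.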
[Fedora-directory-users] Database recreation, automount and performance
by Vsevolod (Simon) Ilyushchenko
Hi,
I'm extremely glad FDS is now freely available and almost open-source. I
have run into some issues when I started playing with it.
1. I've tried to port my OpenLDAP database to it and found that there is no automount objectclass specified by default. The automount and automountInformation classes are defined in Fedora schema extensions that come with the openldap RPM, so not having them in FDS is a little weird. I had to define them myself.
2. After a failed import I deleted the database and tried to recreate
it. I went first to Configuration/Data/New Root Suffix and specified the
base DN and the database name. Then I went to Data/<Server name:389>/
New Root Object and tried to create the root entry, but got this error:
"Only the Directory Manager has the right to create the Root Entry. Log
in as Directory Manager to be able to perform this operation. "
I've checked that the manager DN is specified correctly in
Configuration/Manager.
I tried restarting the directory server, but that did not help. How do I reinitialize it?
3. Finally, the Java administration console is extremely slow. I'm running over an SSH connection, but my server is a 2.8 GHz machine with 512 MB of RAM. I wonder what console performance other people experience.
Thanks - I'm looking forward to deploying FDS with Windows sync!
Simon
--
Simon (Vsevolod Ilyushchenko) simonf(a)cshl.edu
http://www.simonf.com
Terrorism is a tactic and so to declare war on terrorism
is equivalent to Roosevelt's declaring war on blitzkrieg.
Zbigniew Brzezinski, U.S. national security advisor, 1977-81
18 years, 1 month
[Fedora-directory-users] too many fds open
by Craig Ayliffe
Hi,
Has anyone come across problem with directory server having too many
fds open, which then causes it to not receive any new connections?
Version: Fedora-Directory/7.1 B2005.146.2010
OS: Linux ds01 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686
i686 i386 GNU/Linux
From the logs/error:
[28/Jul/2005:19:22:42 +1000] - Listening for new connections again
[28/Jul/2005:19:22:42 +1000] - Not listening for new connections - too many fds open
[28/Jul/2005:19:22:42 +1000] - Listening for new connections again
[28/Jul/2005:19:22:42 +1000] - Not listening for new connections - too many fds open
[28/Jul/2005:21:00:22 +1000] - Listening for new connections again
One thing I have noticed is a lot of tcp connections owned by the
ns-slapd process, that are suspended in the CLOSE_WAIT state.
# netstat -nap
...
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54566 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54502 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54758 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54569 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54312 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54440 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54379 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54315 CLOSE_WAIT 17118/ns-slapd
Regards,
--
Craig Ayliffe
18 years, 1 month
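A small check for the symptom reported above, added here as an example and not part of Craig's post: it pulls the "too many fds open" events out of the FDS error log and counts CLOSE_WAIT sockets held by ns-slapd per remote host in `netstat -nap` output, so the client whose connections are being left half-closed can be identified before the descriptor limit is hit again. The log and netstat lines are constructed from the ones quoted in the post.

```python
import re
from collections import Counter

# Constructed samples modelled on the lines in the post (not the poster's full output).
ERROR_LOG = """\
[28/Jul/2005:19:22:42 +1000] - Listening for new connections again
[28/Jul/2005:19:22:42 +1000] - Not listening for new connections - too many fds open
[28/Jul/2005:19:22:42 +1000] - Listening for new connections again
[28/Jul/2005:19:22:42 +1000] - Not listening for new connections - too many fds open
[28/Jul/2005:21:00:22 +1000] - Listening for new connections again
"""

NETSTAT = """\
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54566 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54502 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.77:41002 ESTABLISHED 17118/ns-slapd
tcp 0 0 ::ffff:10.10.246.31:389 ::ffff:10.10.245.12:54758 CLOSE_WAIT 17118/ns-slapd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
"""

FD_EXHAUSTED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - Not listening for new connections - too many fds open$")

def fd_exhaustion_events(error_log):
    """Timestamps at which ns-slapd stopped accepting connections."""
    events = []
    for line in error_log.splitlines():
        m = FD_EXHAUSTED.match(line)
        if m:
            events.append(m.group("ts"))
    return events

def close_wait_by_peer(netstat_output, process="ns-slapd"):
    """Count CLOSE_WAIT sockets owned by `process`, keyed by remote host.
    CLOSE_WAIT means the peer has closed but the local process has not yet
    called close(), so every such socket still holds one file descriptor."""
    peers = Counter()
    for line in netstat_output.splitlines():
        f = line.split()
        # netstat -nap columns: proto recv-q send-q local foreign state pid/program
        if len(f) < 7 or f[0] not in ("tcp", "tcp6") or f[5] != "CLOSE_WAIT":
            continue
        if f[6].rsplit("/", 1)[-1] != process:
            continue
        peers[f[4].rsplit(":", 1)[0]] += 1
    return peers

def leaking_peers(netstat_output, threshold=3, process="ns-slapd"):
    """Remote hosts holding at least `threshold` CLOSE_WAIT sockets: the clients
    to look at first when the server runs out of descriptors."""
    counts = close_wait_by_peer(netstat_output, process)
    return sorted(p for p, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("fd exhaustion at:", fd_exhaustion_events(ERROR_LOG))
    print("CLOSE_WAIT per peer:", dict(close_wait_by_peer(NETSTAT)))
    print("peers over threshold:", leaking_peers(NETSTAT))
```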
[Fedora-directory-users] Specifying an all-inclusive User directory subtree?
by Kevin M. Myer
On initial configuration and later in the management console, you specify or use
a "User directory subtree". For a single organization, this may be easy to set up, but for ourselves, we manage directory entries for a variety of .k12.pa.us, .org, and .net domains. So what's the best way of creating a view
that encompasses all of those? Is it possible to use a blank subtree, so that
when I search for a user from within the management application, I can find
them all, regardless of the domain components used? Or are there better ways
to handle this?
Thanks,
Kevin
--
Kevin M. Myer
Senior Systems Administrator
Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
18 years, 2 months
[Fedora-directory-users] ACI to restrict access to sensitive attributes.
by Alastair Neil
I am struggling with setting ACIs to restrict access to certain attributes. I would like the employeenumber attribute to be visible only to the user and only if they are authenticated via sasl gssapi. I have tried several variants of the following:
(target = "ldap:///ou=People, dc=ite,dc=gmu,dc=edu")
(targetattr ="employeeNumber")
(version 3.0;acl "EmployeeNumber";
deny (all) userdn="ldap:///anyone" |
allow (read) userdn="ldap:///self" and authmethod="sasl gssapi";
)
This one seems to deny access regardless of the authmethod or bind DN used.
Anyone got any pointers?
18 years, 2 months
[Fedora-directory-users] Samba and FDS 7.1 on Fedora Core 4 Error
by Leonardo Pugliesi
Hi Everyone
I have installed FDS and the console seems to be working fine: I can log in, add entries, etc.
Following the Samba-Howto (http://people.redhat.com/astokes/samba_rhds.pdf)
I encountered problems with net groupmap command:
____________________________________________________________________________
[root@fedorac4 setup]# net groupmap add rid=512 ntgroup="Domain Admins" unixgroup="Domain Admins" --debuglevel=10
[2005/07/19 12:09:44, 5] lib/debug.c:debug_dump_status(366)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
[2005/07/19 12:09:44, 3] param/loadparm.c:lp_load(3916)
lp_load: refreshing parameters
[2005/07/19 12:09:44, 3] param/loadparm.c:init_globals(1321)
Initialising global parameters
[2005/07/19 12:09:44, 3] param/params.c:pm_process(573)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2005/07/19 12:09:44, 3] param/loadparm.c:do_section(3418)
Processing section "[global]"
doing parameter workgroup = FEDORAC4
doing parameter username map = /etc/samba/smbusers
doing parameter enable privileges = yes
doing parameter server string = Samba Server %v
doing parameter security = user
doing parameter encrypt passwords = Yes
doing parameter min passwd length = 3
[2005/07/19 12:09:44, 1] param/loadparm.c:lp_do_parameter(3159)
WARNING: The "min passwd length" option is deprecated
doing parameter obey pam restrictions = No
doing parameter ldap passwd sync = Yes
doing parameter passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
doing parameter ldap passwd sync = Yes
doing parameter log level = 0
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 100000
doing parameter time server = Yes
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter mangling method = hash2
doing parameter Dos charset = 850
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset UCS-2LE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset UCS-2LE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset UTF-16LE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset UTF-16LE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset UCS-2BE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset UCS-2BE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset UTF-16BE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset UTF-16BE
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset UTF8
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset UTF8
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset UTF-8
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset UTF-8
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset ASCII
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset ASCII
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset 646
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset 646
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset ISO-8859-1
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset ISO-8859-1
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(103)
Attempting to register new charset UCS2-HEX
[2005/07/19 12:09:44, 5] lib/iconv.c:smb_register_charset(111)
Registered charset UCS2-HEX
[2005/07/19 12:09:44, 5] lib/charcnv.c:charset_name(81)
Substituting charset 'UTF-8' for LOCALE
doing parameter Unix charset = ISO8859-1
[2005/07/19 12:09:44, 5] lib/charcnv.c:charset_name(81)
Substituting charset 'UTF-8' for LOCALE
doing parameter logon script = logon.bat
doing parameter logon drive = H:
doing parameter logon home =
doing parameter logon path =
doing parameter domain logons = Yes
doing parameter os level = 65
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter wins support = Yes
doing parameter passdb backend = ldapsam:ldap://fedorac4.localdomain
doing parameter ldap admin dn = cn=Directory Manager
doing parameter ldap suffix = dc=localdomain
doing parameter ldap group suffix = ou=Groups
doing parameter ldap user suffix = ou=People
doing parameter ldap machine suffix = ou=Computers
doing parameter ldap idmap suffix = ou=Users
doing parameter add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
doing parameter ldap delete dn = Yes
doing parameter add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
doing parameter add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
doing parameter add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
doing parameter printer admin = @"Print Operators"
doing parameter load printers = Yes
doing parameter create mask = 0640
doing parameter directory mask = 0750
doing parameter nt acl support = No
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter deadtime = 10
doing parameter guest account = nobody
doing parameter map to guest = Bad User
doing parameter dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
doing parameter show add printer wizard = yes
doing parameter preserve case = yes
doing parameter short preserve case = yes
doing parameter case sensitive = no
[2005/07/19 12:09:44, 4] param/loadparm.c:lp_load(3947)
pm_process() returned Yes
[2005/07/19 12:09:44, 7] param/loadparm.c:lp_servicenumber(4057)
lp_servicenumber: couldn't find homes
[2005/07/19 12:09:44, 10] param/loadparm.c:set_server_role(3865)
set_server_role: role = ROLE_DOMAIN_PDC
[2005/07/19 12:09:44, 5] lib/charcnv.c:charset_name(81)
Substituting charset 'UTF-8' for LOCALE
[2005/07/19 12:09:44, 5] lib/util.c:init_names(278)
Netbios name list:-
my_netbios_names[0]="FEDORAC4"
[2005/07/19 12:09:44, 2] lib/interface.c:add_interface(81)
added interface ip=10.0.0.162 bcast=10.255.255.255 nmask=255.0.0.0
[2005/07/19 12:09:44, 10] intl/lang_tdb.c:lang_tdb_init(135)
lang_tdb_init: /usr/lib/samba/it_IT.UTF-8.msg: No such file or directory
Can't lookup UNIX group Domain Admins
[2005/07/19 12:09:44, 2] utils/net.c:main(897)
return code = -1
_________________________________________________________________________________
This is the global section of smb.conf I use:
[global]
workgroup = FEDORAC4
username map = /etc/samba/smbusers
enable privileges = yes
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://fedorac4.localdomain
ldap admin dn = cn=Directory Manager
ldap suffix = dc=localdomain
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
printer admin = @"Print Operators"
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
preserve case = yes
short preserve case = yes
case sensitive = no
___________________________________________________________________________________
The problem seems to be Samba...
Any idea?
Regards
Leon
18 years, 2 months