I've been using the Fedora Directory Server for very small scale testing at
work, but actually know rather little about LDAP unfortunately. Hopefully
you won't mind.
Anyway, is it possible to bind with an entry other than CN? I have the
following user (LDIF format):
dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com
When attempting to bind using the following (as taken from the access log):
BIND dn="ntUserDomainId=Richard Smith,ou=People,dc=fedora,dc=test,dc=com"
...I get "No such object". This user does exist though. Is binding using the
ntUserDomainId out of the question?
I notice from the following discussion that the same sort of thing is
possible in Active Directory, although I have not tried it myself:
Any pointers would be greatly appreciated.
I have created a self-signed certificate as noted in chapter 11 in the RHDS
Admin guide. After following the instructions for creating the cert
(including creating the pk12 version so the server can read it) I then go
into the console to enable SSL and the cert isn't noted in the encryption
tab as the doc says it should. I don't know how to proceed. Thanks in
Darrell J. Frazier
Unix System Administrator
US Army Combat Readiness Center
Fort Rucker, Alabama 36362
Richard Gibson wrote:
> Hello there.
> I've been using the Fedora Directory Server for very small scale
> testing at work, but actually know rather little about LDAP
> unfortunately. Hopefully you won't mind. Anyway, is it possible to
> bind with an entry other than CN? I have the following user (LDIF
> dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com
> mail: blablabla(a)test.com
> uid: RSmith
> givenName: Richard
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: ntuser
> objectClass: posixAccount
> sn: Smith
> cn: RSmith
> createTimestamp: 20050905103419Z
> modifyTimestamp: 20050916131603Z
> nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000
> ntUserDomainId: smithr
> uidNumber: 1
> gidNumber: 2
> homeDirectory: /home/smithr
> When attempting to bind using the following (as taken from the access
> BIND dn="ntUserDomainId=Richard Smith,ou=People,dc=fedora,dc=test,dc=com"
> ...I get "No such object". This user does exist though. Is binding
> using the ntUserDomainId out of the question?
Take a closer look. The ntUserDomainId is "smithr" for this user, not
Disclaimer: I'm an LDAP beginner myself. This is just a suggestion
based on the fact that your bind doesn't match the user information you
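The point in the reply above is that a simple bind takes a DN, not an arbitrary attribute: the server looks the DN up as an entry, and "ntUserDomainId=Richard Smith,ou=People,..." names no entry, so noSuchObject is the only possible answer. The usual way to log a user in by some other attribute is to search for that attribute first, then bind with the DN the search returns, escaping the searched value so it cannot rewrite the filter. The following is an added example written for this page, not code from the thread or from Fedora Directory Server; it runs against a constructed in-memory stand-in for ou=People that mirrors the posted LDIF, and the userPassword value and every helper name are assumptions.

```python
"""Search-then-bind against a constructed in-memory stand-in for the directory.

Added example, not code from the thread or from Fedora Directory Server.
DIRECTORY mirrors the posted LDIF entry; the userPassword value and all
helper names are assumptions made for illustration.
"""
import re

BASE = "ou=People,dc=fedora,dc=test,dc=com"

# Constructed stand-in for the ou=People subtree, keyed by each entry's
# real DN. Nothing is keyed by ntUserDomainId, which is why a bind with
# "ntUserDomainId=...,ou=People,..." can only yield noSuchObject.
DIRECTORY = {
    "uid=RSmith,ou=People,dc=fedora,dc=test,dc=com": {
        "uid": ["RSmith"],
        "cn": ["RSmith"],
        "ntUserDomainId": ["smithr"],
        "userPassword": ["correct horse"],  # assumed; not in the posted LDIF
    },
}


def normalize_dn(dn):
    """Strip whitespace around RDNs and fold case; enough for a toy DN compare."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def escape_filter_value(value):
    """RFC 4515 escaping: a user-supplied value can never change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>.*)\)$")


def search(base, filt):
    """Toy equality/substring search. An unescaped '*' is a wildcard, as on a real server."""
    m = _FILTER_RE.match(filt)
    if not m:
        raise ValueError("only (attr=value) filters are supported here")
    attr, raw = m.group("attr").lower(), m.group("val")
    pattern = re.compile(
        "^" + ".*".join(re.escape(_unescape(p)) for p in raw.split("*")) + "$",
        re.IGNORECASE,
    )
    hits = []
    for dn, entry in DIRECTORY.items():
        if not normalize_dn(dn).endswith(normalize_dn(base)):
            continue
        values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
        if any(pattern.match(v) for v in values):
            hits.append(dn)
    return hits


def bind(dn, password):
    """Simple bind: the DN must name an existing entry. Returns the LDAP result name."""
    for real_dn, entry in DIRECTORY.items():
        if normalize_dn(real_dn) == normalize_dn(dn):
            return "success" if password in entry.get("userPassword", []) else "invalidCredentials"
    return "noSuchObject"  # what the access log shows for the ntUserDomainId= DN


def login(attr, value, password):
    """Resolve the entry by any attribute first, then bind with the DN the search returned."""
    hits = search(BASE, "(%s=%s)" % (attr, escape_filter_value(value)))
    if len(hits) != 1:
        return "invalidCredentials"  # zero or ambiguous matches: refuse rather than guess
    return bind(hits[0], password)
```

Two things to notice when running it: login("ntUserDomainId", "smithr", ...) succeeds because the search turns the attribute into the real DN before binding, while a value of "*" is escaped to \2a and matches nothing, whereas the same unescaped filter "(ntUserDomainId=*)" would match every entry. The search itself needs an identity that may read ntUserDomainId; on a real deployment that is a dedicated, read-only service account, not an anonymous bind.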
Has anybody gotten the orgchart application running on Fedora Core 2? I get
perl: error while loading shared libraries: /opt/fedora-ds/bin/admin/lib/libldap50.so: undefined symbol:
I'm able to get it to run on FC3, but I don't have a pristine version of FC2
and I can't tell if it's because I fiddled with the Perl installation.
Trying to build Mozilla::LDAP gets me this from the build directory:
$ perl -Ilib -Iblib/lib -Iblib/arch t/entry.pl
perl: error while loading shared libraries: blib/arch/auto/Mozilla/LDAP/API/API.so: undefined symbol: ldap_set_option
Kevin M. Goess
> Date: Tue, 10 Jan 2006 22:32:53 +0200
> From: Mike Jackson <mj(a)sci.fi>
> Subject: Re: [Fedora-directory-users] posixGroup location best
> Susan wrote:
>> Hi. Quick question, where in the tree do I stick posixGroups?
>> For now, I'll be authenticating linux machines only, so every uid=gid. Should I create a OU
>> called Groups or something and put all the groups in there? Or have a uid under gid or what? How
>> do you guys do it?
> Sure, just create some OU entry and put the group entries under that.
> That's the usual way. The reason for grouping them together is in case
> you want to restrict your search base, for efficiency and performance -
> not that it matters much in small setups.
For people migrating from traditional passwd and group databases it does
make sense to keep them colocated in the directory as well. And because
users and groups represent two different namespaces in Unix, it is
essential to keep them separate in the directory (ou=users and
ou=groups). (Contrast this with Microsoft, where users and groups all
reside in the same namespace. Very annoying.)
> Date: Tue, 10 Jan 2006 21:58:07 +0100
> From: Jo De Troy <jo.de.troy(a)gmail.com>
> Subject: Re: [Fedora-directory-users] password history question
> I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
> ldap client to the CA cert we trust, otherwise we might not trust the
> server certificate being signed by the CA.
> Thanks again,
That's correct, you always need the CA cert on all of the servers and
clients. (Unless you're using anonymous cipher suites, in which case you
don't need any certs at all. But that's pretty reckless.)
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
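As a concrete companion to the answer above: whether an OpenLDAP client actually verifies the server is decided by a handful of directives in /etc/openldap/ldap.conf, and the common way to make a certificate error "go away" (TLS_REQCERT never) is exactly the reckless case Howard describes, since any server or man-in-the-middle presenting any certificate is then accepted. The checker below is an added example written for this page, not code from the thread or from OpenLDAP; it understands only the URI, TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT directives, and the two sample configurations are constructed.

```python
"""Lint an OpenLDAP client ldap.conf for the TLS trust settings discussed above.

Added example, not part of the thread or of OpenLDAP. Only URI,
TLS_CACERT, TLS_CACERTDIR and TLS_REQCERT are inspected; the sample
configurations are constructed for illustration.
"""
import os

WEAK_CONF = """\
# constructed sample: the "make the certificate error disappear" configuration
URI ldap://ldap.example.test/
BASE dc=example,dc=test
TLS_REQCERT never
"""

GOOD_CONF = """\
# constructed sample: CA trusted explicitly, server certificate verified
URI ldaps://ldap.example.test/
BASE dc=example,dc=test
TLS_CACERT /etc/openldap/cacerts/ca.crt
TLS_REQCERT demand
"""


def parse_ldap_conf(text):
    """Return {DIRECTIVE: value}. Directives are case-insensitive; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def tls_findings(text, path_exists=os.path.exists):
    """List the problems a reviewer would raise about this client configuration."""
    conf = parse_ldap_conf(text)
    findings = []

    # ldap.conf(5): TLS_REQCERT defaults to demand; never/allow accept a bad or
    # missing server certificate, try accepts only a missing one.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: the server certificate is not verified, so any "
                        "server or man-in-the-middle is accepted" % reqcert)
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a bad certificate is rejected but a missing one is accepted")

    # Without a CA to chain to, 'demand' has nothing to verify against.
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no CA to chain the server certificate to")
    elif "TLS_CACERT" in conf and not path_exists(conf["TLS_CACERT"]):
        findings.append("TLS_CACERT %s does not exist on this client" % conf["TLS_CACERT"])

    # ldap:// is clear text unless every client forces StartTLS (ldapsearch -ZZ etc.).
    if conf.get("URI", "").startswith("ldap://"):
        findings.append("URI uses ldap://: binds cross the wire in clear text unless StartTLS is forced")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        print(name, tls_findings(conf) or "ok")
```

With TLS_REQCERT demand and a CA file in place, libldap also checks that the host named in URI matches the server certificate (subjectAltName or, failing that, the CN), which is why the certificate's CN should be the hostname the clients actually connect to rather than an arbitrary label.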
I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
ldap client to the CA cert we trust, otherwise we might not trust the
server certificate being signed by the CA.
Yes, it is. Below you can see my /etc/openldap/ldap.conf
The openssl command Mark pointed to works fine. From that output I grabbed
the CAcert and stored it in the file I'm referencing in the
I'm wondering if the certificate I created is correct. Should the cn in the
certificate have the hostname as value? I guess it should or not?
I may have missed something but it seems to me that the RPMs for
Fedora-ds don't add necessary entries in the ldconfig config. This means
that you can't run any of the binaries in /opt/fedora-ds/shared/bin (for
example) until you manually add the following entries to a
/etc/ld.so.conf.d/fedorads-i386.conf file and run ldconfig.
Is this an oversight in the packaging or is there another way I was
supposed to do this?
I am using FDS 1.0.1, syncing with AD. User sync works just fine. I
have a separate sync agreement for groups, but membership does not seem
to be synced...
I do get errors that look like this:
[09/Jan/2006:15:43:58 -0500] NSMMReplicationPlugin -
agmt="cn=ADGroupSYnc" (bsod:636): windows_replay_update: failed to fetch
local entry for modify operation
And some like this:
[09/Jan/2006:15:40:45 -0500] - slapi_modify_internal_set_pb: NULL parameter
[09/Jan/2006:15:40:45 -0500] - allow_operation: component identity is NULL
And a couple of these:
[09/Jan/2006:15:40:41 -0500] - Entry "cn=testgroup,ou=portal,ou=uGroups,
dc=arbor,dc=edu" -- attribute "mail" not allowed
[09/Jan/2006:15:40:41 -0500] NSMMReplicationPlugin -
windows_update_local_entry: failed to modify entry
cn=testgroup,ou=portal,ou=uGroups, dc=arbor, dc=edu
Spring Arbor University
"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many"