forgive my ignorance of ldap; i'm just beginning. we want to set up a
directory server which contains all the attributes except one. the other
attribute we want to retrive from an ActiveDirectory Server. in other
words, the query should return the combined list of attributes from this
directory server and the AD server. can this be done with chaining?
I have two seperate installations of FDS 1.0.1 that were successfully
configured to sync with two seperate AD controllers. They both worked fine
for about six months, and both have stopped synchronizing information that
should pass from the AD to FDS. Basically, if a user changes his or her
password through AD, nothing changes on FDS. If the password is changed
through FDS, it does get pushed up to the AD controller.
Has anyone else seen this happen? There have been no changes made to either
the FDS or AD configurations since the initial installation was completed.
The AD servers are Windows 2000 and Windows 2003 on seperate domains.
I've tried to uninstall and reinstall the PassSync software. Every time
that service is restarted, I see a connect via SSL in the logs in FDS, but
nothing after that.
We are in the process of moving from NIS to LDAP and one issue I've seen
is that some clients will go through an infinite loop of hostname
lookups if they are configured to use ldap for hosts resolution in their
nsswitch.conf. This can be worked around quite easily on the client
side, but one thing that concerns me is the potential for DoS
(especially when there are people running around that like to play
Does Fedora-DS have any way of limiting the number of connections
serviced from a given IP address?
With FDS 1.0.2, I've followed the configuration howto guide lines to
setup the Directory Server to use SSL (as per my post a few days ago)
however after configuring the Administration Server and Console to use
SSL as well i've run into trouble. The directory server alone works fine
The reason i'm trying to get Admin and console working in SSL is so i
can setup a secure windows sync agreement, without this all i can do is
setup a insecure sync agreement.
The console will not display anything (absolutely no screen or anything)
after entering password and clicking OK in the authentication dialog.
There are no messages in the console i started it on.
Before i configured the SSL on the admin server and console it was
working correctly and displayed the normal Admin server/Directory Server
The console which i'm running using (i also tried admin user):
startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x nologo
I turned loglevel to debug in the admin server and this is what i see:
[Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established
(server ds01.tech:443, client 10.170.99.22)
[Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22]
admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22
[Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request received
for child 30 (server ds01.tech:443)
[Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client
10.170.99.22] checking user cache for: cn=Directory Manager
[Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client
10.170.99.22] not in cache, trying DS
[Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client
10.170.99.22] admserv_check_authz: request for uri
[Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22]
admserv_check_authz(): passing [/admin-serv/authenticate] to the
[Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed (server
ds01.tech:443, client 10.170.99.22)
In the slapd log i see:
[28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from
10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager"
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from
10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered
end of file.
Anyone know how i can fix this? Thanks very much
This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential. Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.
If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
Messages sent to and from Quadriga may be monitored.
Quadriga cannot guarantee any message delivery method is secure or error-free. Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.
You should carry out your own virus checks before opening any attachment.
Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.
I am new to Fedora Directory Server, I have manage to set it up all right but I have one simple question as such.. :-)
Before I will put a lot of effort into setting it up for my production env I would like to know atleast one thing.... When I manage to connect client to the directory server will I be able to control the users access to client thought the directory on file level?
That is if for some reason I would not allow the user to access or read certain files or folders on the client could that be controlled in the Directory ?
I'm in an account of a bigger company, which uses Microsoft Active
Directory for User Management and Authentication.
Now we need to save some additional information for a subset of all
employees, but the AD-Administrators do not want to include the required
attributes in the company ad. Our plan is now to install "Fedora
Directory Server" to hold these additional information. The users, which
uses a special application, should now connect to this server to
retrieve the necessary information, but the authentication should stay
in the AD.
Is it possible, and if yes how, to configure "Fedora Directory Server"
to pass the authentication information to the AD and only let the
specific user bind to the directory server if the AD-Authentication is OK?
Thanks in advance
In the java console.
[mailto:email@example.com] On Behalf Of Richard
Sent: Monday, November 27, 2006 10:23 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] migrate from NIS to Fedora DS
Gada, Subhash wrote:
> Hi All,
> Can any one point me to a script which migrates nis password, group
> and host files to ldif files compatible with fedora DS.
> How can we create a template like the one existing for creating a
You mean, in the console, or in the ds gateway web app?
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be
> copied, disclosed to, retained or used by, any other party. If you are
> not an intended recipient then please promptly delete this e-mail and
> any attachment and all copies and inform the sender. Thank you.
> Fedora-directory-users mailing list
I've set up FDS as the ldap back end for a Samba PDC. It is working
well, but I'm having a problem with Windows users changing their
password from Windows. When I use "ldap passwd sync = yes" (in the
samba config) Windows users receive an error message when they attempt
to change their password. What actually happens is their Samba/NT
passwords are changed, but the posix password is not. If I use "ldap
passwd sync = no" (default) then the users can successfully change their
passwords but, as per the smb.conf man page, only the Samba/NT passwords
are changed, not the posix password. I have FDS, User Admin tool
(Webmin - LDAP users and Groups), and /etc/ldap.conf set to use MD5 for
If, on the server I run "smbpasswd test_user" and attempt to change a
user's password that way; it gives me the error:
ldapsam_modify_entry: LDAP Password could not be changed for user
test_user: Confidentiality required
Operation requires a secure connection.
Failed to modify entry for user test_user.
Failed to modify password entry for user test_user
It looks like FDS requires SSL in order for a user's posix password to
be changed from Samba/Windows. I need to have the Samba and posix
passwords syncronized. Do I need to set up SSL for that to work, or is
there something else I am missing? I found a post where someone used
"unix password sync = yes" with smbldap-passwd for the password program
as a workaround for this same problem, but I would prefer the tidier and
simpler "ldap passwd sync = yes". Has anyone run into this and figured
out how to make it work?
I've been all day trying to get simple single master
to one consumer going on a pair of 1.0.4 FDS systems and I
can't get past the authentication credentials. I've gone over
this 20 times today from scratch, and it won't go. I've even
redone my procedures on my test boxes and they work fine.
Both the replication wizard and the consumer initialization
fail (if I force the wizard to accept and go on). There is
no firewall issue and tcpdump and ldapsearch gets to the
consumer machine. Consumer is RHEL 4. Here's my LDIF's I
used. Can I use ldapsearch to test binding to this netry
to try an debug what's up? On an aside, the Redhat/Fedora
documents for adding this entry are very vague and don't
have any information about most of these attributes. It
didn't appear one could even get this working *without*
using LDIF files. Anyway, any help would be great. Thanks.
dn: cn=replica, cn="dc=acme,dc=com", cn=mapping tree, cn=config
nsDS5ReplicaBindDN: cn=Replication Manager, cn=config
dn: cn=Replication Manager, cn=config
cn: Replication Manager
Can any one point me to a script which migrates nis password, group and
host files to ldif files compatible with fedora DS.
How can we create a template like the one existing for creating a
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.