[Fedora-directory-users] Question on FDS Usage
by Alex Ackerman
Ok, this may seem like old hat to some of you, but I'm feeling like I'm
playing stump the dummy with my computer. I am trying to modify my
directory's schema to add support for Open-XChange. I have a schema file
that I have converted to FDS format from the shipped OpenLDAP format
(thanks to tools on the Fedora Directory Server site), but I can't seem
to add this to the server. I first tried:
Code:
[root@bastet ~]# ldapmodify -h localhost -x -f openxchange.ldif2
modifying entry "cn=schema"
ldap_modify: Insufficient access (50)
additional info: Insufficient 'write' privilege to the 'attributeTypes' attribute of entry 'cn=schema'.
I then tried:
Code:
[root@bastet ~]# ldapadd -x -D "cn=Directory Manager,dc=domain,dc=net" -h localhost -W -f openxchange.ldif2
Enter LDAP Password:
ldap_bind: No such object (32)
matched DN: dc=domain,dc=net
As you can see, I'm getting really stumped. What is the right command
that I'm missing? I'm new to the directory server realm and this has
been my attempt at trying to learn. Thanks for any assistance you can
provide.
Alex
An excerpt of the schema follows:
#
################################################################################
#
dn: cn=schema
#
################################################################################
#
attributeTypes: (
1.1.2.1.1.1
NAME ( 'mailEnabled' )
DESC 'Is the user enabled or not, for pam_ldap,postfix etc.
filtering...'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
SINGLE-VALUE
)
#
################################################################################
#
attributeTypes: (
1.1.2.1.1.2
NAME ( 'alias' )
DESC 'email alias'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
)
#
################################################################################
#
attributeTypes: (
1.1.2.1.1.3
NAME ( 'imapServer' )
DESC 'Users Imap Server'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768}
SINGLE-VALUE
)
...
[Fedora-directory-users] [SECURITY] Fedora Directory Server 1.0.1 Update
by Rich Megginson
---------------------------------------------------------------------
Fedora Directory Server Update Notification
2006-03-01
---------------------------------------------------------------------
Product : Fedora Directory Server
Name : Directory Server
Version : 1.0.1
Release : 1
Summary : The core LDAP server engine
Description :
The core directory server component of Fedora Directory Server is the
LDAP server engine/daemon.
---------------------------------------------------------------------
Update Information:
Evgeny Legerov of GLEG, Ltd. (http://www.gleg.net/) discovered several
flaws affecting Fedora Directory Server using the GLEG ProtoVer LDAP
test suite. A remote attacker who is able to connect to the directory
server could send malicious requests which would cause the server to
crash leading to a denial of service.
The Common Vulnerabilities and Exposures project assigned the names
CVE-2006-0451, CVE-2006-0452, and CVE-2006-0453 to these issues.
---------------------------------------------------------------------
This update is available by upgrading to Fedora Directory Server 1.0.2
available here:
http://directory.fedora.redhat.com/wiki/Download
The above link has instructions for downloading the new version and
upgrading older versions.
[Fedora-directory-users] Rename or Hide o=NetscapeRoot
by Yann
Hi all,
I have, again, a curious question :-)
Is it possible to rename o=NetscapeRoot to something else, like o=MyRoot?
And/or, is it possible to hide the entry o=NetscapeRoot from unprivileged users?
I have an ACL on it to deny reads inside, but "o=NetscapeRoot" stays visible
when an anonymous user browses with an LDAP browser, for example.
Thanks !
Yann
[Fedora-directory-users] Problem adding user
by Mont Rothstein
I am trying to create a Samba Admin account in FDS as per the final steps of
http://directory.fedora.redhat.com/wiki/Howto:Samba
I've created a sambaAdmin file with contents:
Administrator:x:0:0:Samba Admin:/root:/bin/bash
I then ran:
/usr/share/openldap/migration/migrate_passwd.pl /tmp/sambaAdmin >
/tmp/sambaAdmin.ldif
but when I get to converting the ldif to ldap via:
/opt/fedora-ds/slapd-<server>/ldif2ldap "cn=Directory manager"
password /tmp/sambaAdmin.ldif
I get the following error:
adding new entry uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
ldap_add: Object class violation
ldap_add: additional info: unknown object class "kerberosSecurityObject"
As far as I know I haven't enabled kerberos anywhere. Does anyone know what
I need to do to resolve this?
Thanks,
-Mont
[Fedora-directory-users] Replication, migration from slave to master, error with agreement
by Olivier SILBER
Dear all,
I have set up 4 servers: 2 masters (server1 & server2) and 2 slaves
(server3 & server4). Server1 and server2 have an agreement to replicate to
each other, and also agreements for replication to server3 and
server4. Everything works perfectly now with this solution.
After a while, I think that I do not need such a big setup and would
like to remove DS from server1 and server2 and use only server3 and
server4 as masters with replication between them. Why? Because server1
and server2 are also my end-user servers and DS uses too many resources,
so they have started to be very slow.... and my end users complain!!!!
So my first try was to define server3 and server4 as multi-master as
well as server1 and server2, and afterwards add an agreement to these 2
servers. But I cannot add any agreement to server3 and server4; I
always get this error in my logs:
NSMMReplicationPlugin - agmtlist_add_callback: Can't start agreement
"cn=replication to server4,cn=replica,cn=o=xxxx\,c=xx,cn=mapping
tree,cn=config"
I have used both the admin console and the script to generate a
multimaster replication (perl); both give me this error. I have
set the debug level to the maximum (8156) with the same error (no more
detail !!!!).
What I did on server3:
1) uncheck consumer -> restart
2) check replica with multi-master -> restart (of course with a
unique ID)
3) create the agreement -> error
I think that an old slave could become a master as easily as this, and probably
I will need to refresh the database from scratch on server3 and server4
(backup, init and restore). But because these 2 servers are in operation,
I do not want to do this if there is another, more accurate solution.
Thanks
Olivier
--
----------------------------------------------------------------
Olivier SILBER - Terra Proxyma China Ltd.
Email: osi(a)terra.com.cn
Website: http://www.terra.com.cn/
Address: 10th Floor, GuangHua Building, Tower B, No.8 Guang Hua Road,
Chaoyang district, Beijing, 100026, P.R. CHINA
Telephone: (8610) 6581 1030 - Fax: (8610) 6581 2814
[Fedora-directory-users] Mac OS X Client authenticating against Fedora Directory Server
by David Schibeci
I am in the process of migrating our directory from OpenLDAP to
Fedora Directory Server.
The only client I can't get to authenticate against FDS is Mac OS X.
I've searched the net to no avail. Has anyone been able to do this
successfully?
Cheers,
David
------------------------------------------------------------------------
David Schibeci
Systems Administrator/Software Developer
Centre for Bioinformatics and Biological Computing
Murdoch University
South Street
Murdoch WA 6150
Phone: 61 8 9360 2961
Fax: 61 8 9360 7238
E-Mail: schibeci(a)cbbc.murdoch.edu.au
[Fedora-directory-users] How to add a computer (feeling foolish)
by Mont Rothstein
I can't figure out how to add a computer to the domain.
I've searched but can't find anything on this, which I assume means it is so
easy that no one has even bothered to write about it.
I created a user in the Domain Admins group. I made that user an NT User,
set the NT User ID to be the same as the FDS User ID, and checked Create New
NT Account.
On a Windows XP box I went to System Properties->Computer Name->Computer
Name Changes and entered the domain name.
I am prompted to enter the name and password of an account with permission
to join the domain. I have tried entering the user name both as
domainname\username and just username. No matter what I entered I get:
"unknown user name or bad password"
I also tried adding a similar user (different User ID) to the Directory
Administrators group. Using that user produced the same result.
If someone could please explain what needs to be done, or point me to a doc
on this very basic process, I would appreciate it.
Thanks,
-Mont
[Fedora-directory-users] Adding Samba Groups to FDS
by Mont Rothstein
I am (still) following the How To for integrating Samba with FDS and I am
working on adding Samba groups to FDS.
Everything went well until I got to the "net groupmap" section.
For each net groupmap command I got a "Can't lookup UNIX group Domain
Admins" message.
Were the group names specified in the previous steps merely examples? I
have a bare install and haven't created any groups in unix (other than those
created with new users) nor have I created any in Samba.
If they were not simply examples are these messages expected or is something
else wrong?
Thanks,
-Mont