[Fedora-directory-users] FDS to AD sync weirdness ... CN changes, unique constraints.
by Elías Halldór Ágústsson
We are experimenting with Fedora Directory Server and trying to sync it
to AD.
Setting up SSL for both and initiating sync was successful.
However, it seems that DN in AD is constructed from the CN, which is the
full name. However, that's nigh impossible, since DN has a unique
constraint, but full names are seldom unique, and particularly not here
in Iceland. For example, my organization has at least 10 people called
"Kristín Jónsdóttir".
I regard AD as broken by design in this regard. My question is, can this
be fixed? What would be the right way to approach this problem?
--
Elías Halldór Ágústsson | Elias Halldor Agustsson
Unix Kerfisstjóri | Unix Systems Administrator
Reiknistofnun Háskóla Íslands | University of Iceland Computing Services
http://elias.rhi.hi.is/ | +354 525 4903
17 years, 7 months
[Fedora-directory-users] Administrating Fedora directory Server through commands
by Hariharan R
Hi,
I am using Fedora Directory Server 7.1 on CentOS 4.3 (SMP kernel).
Now I want to administer FDS from the command line, so I am using the
ldapadd, ldapmodify, ldapdelete ... commands.
I have no problem in adding an organizational unit or user to the
directory.
I am getting a problem while trying to add a new root suffix to the FDS from
the command line.
This is the process I am following to add a new root suffix:
1) The ldif file (root.ldif) contains the following attributes
corresponding to the root entry
dn: cn="dc=newroot,dc=com",cn=mapping tree,cn=config
objectclass: dcobject
objectclass: top
objectClass: domain
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: newdb
cn: dc=newroot,dc=com
dc: newroot
2) Then I am using the ldapadd command to add the root suffix which is
defined in the ldif file (root.ldif):
ldapadd -x -D "cn=Directory Manager" -w testingdir -f root.ldif
This command executes perfectly. Then I opened the FDS console.
There also seems to be no error in the log file.
3) Click Directory server > configuration
I have the entry for "newroot", and "newdb" is the database assigned to
it.
4) Then if I open the Directory server > directory window, I do not have
a directory entry for the newly created root suffix.
I don't have any problem if i create the root suffix from the GUI mode.
What could be the problem?
Can anyone please help me to get rid of the problem?
Is there any documentation available for administering the Fedora
Directory Server from the command line, with troubleshooting
methods? (Currently I am using the Fedora DS administration guide.)
Thanks in advance.
---
Regards,
Hariharan.R
17 years, 7 months
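Added example, not part of the post above: what the console does in one step is three separate LDAP entries, added in a fixed order. The posted root.ldif folds two of them (the mapping-tree configuration entry under cn=config and the suffix's own root entry, which lives in the new backend) into a single cn=config entry, so the suffix gets configured but the tree under it is never created, which is exactly what the Directory tab then shows. The suffix dc=newroot,dc=com and the backend name newdb come from the post; the host name and the use of OpenLDAP client tools over ldaps are assumptions.

```sh
#!/bin/sh
# Added example: create a root suffix over LDAP as three entries.
# Names (newdb, dc=newroot,dc=com, host) are illustrative.

# Print the value of the leftmost RDN of a DN: "dc=newroot,dc=com" -> "newroot".
rdn_value() {
  printf '%s\n' "$1" | sed 's/^[^=]*=//; s/,.*//'
}

# Emit LDIF for suffix $1 served by backend $2, in the order the server needs:
#   1. the database instance under cn=ldbm database,cn=plugins,cn=config
#   2. the mapping-tree entry that routes the suffix to that database
#   3. the suffix's root entry itself, stored in the new database
# Entry 2 is configuration only: it must not carry domain/dcObject object
# classes, and it does not create entry 3. Entry 3 assumes a dc= suffix.
build_suffix_ldif() {
  suffix=$1; backend=$2
  cat <<EOF
dn: cn=$backend,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: $backend
nsslapd-suffix: $suffix

dn: cn="$suffix",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: $suffix
nsslapd-state: backend
nsslapd-backend: $backend

dn: $suffix
objectClass: top
objectClass: domain
dc: $(rdn_value "$suffix")
EOF
}

# Count entries in an LDIF stream on stdin ("dn:" lines).
ldif_entry_count() {
  grep -c '^dn: ' || true
}

# Apply to a server: add_suffix SUFFIX BACKEND [HOST]
# -W prompts for the Directory Manager password rather than taking it on the
# command line (-w), where every local user can read it from ps output and it
# ends up in shell history.
add_suffix() {
  build_suffix_ldif "$1" "$2" |
    ldapadd -H "ldaps://${3:-localhost}" -x -D "cn=Directory Manager" -W
}
```

Usage: `add_suffix 'dc=newroot,dc=com' newdb fds.example.com`; after it, the Directory tab shows the new suffix with its root entry, and `build_suffix_ldif` alone can be piped to a file if you prefer to review the LDIF before sending it.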
[Fedora-directory-users] replicating configuration directory (NetscapeRoot)
by Linux Admin
Folks,
Is it possible to set up multi-master replication of the NetscapeRoot
configuration directory?
I have tried and I can successfully initialize subscribers from the current
configuration directory server.
However, initialization of replication in the opposite direction fails.
Server 1 (current conf dir) -> Server 2: replication successful, o=NetscapeRoot is
populated
Server 1 (current conf dir) <- Server 2: replication fails with error:
Permission denied. Error code 3
On Server 2 I had to manually create the NetscapeRoot database.
What am I missing? Is it an "idiot proof" feature?
Thanks in advance for any help
SysLin
17 years, 7 months
[Fedora-directory-users] referential integrity checks for disactivated users
by Mikael Kermorgant
Hello,
I'm interested in the Referential Integrity plugin for updating groups
when a user is deactivated.
My problem is that deactivated users are not deleted but moved from
"ou=People" to "ou=disabled".
Would you have an idea of how to use Referential Integrity with this
way of handling users ?
Thanks,
--
Mikael Kermorgant
17 years, 7 months
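Added example, not from the post above: the Referential Integrity plugin acts on delete and on rename (MODRDN) operations, so a user moved from ou=People to ou=disabled with a single modrdn carrying newsuperior keeps its group references, rewritten to the new DN; a delete followed by a re-add under ou=disabled loses them instead. The first function builds that modrdn LDIF. The second audits group member attributes against the set of DNs that actually exist, which catches references the plugin was not configured to track (attributes outside its list, or moves done before it was enabled). The DNs, user IDs and group names are constructed for the example; the live audit assumes OpenLDAP 2.4 client tools.

```sh
#!/bin/sh
# Added example: move a user with MODRDN (what referential integrity tracks)
# and audit groups for member DNs that no longer resolve. All DNs constructed.

# LDIF that moves uid=$1 from container $2 to container $3, RDN unchanged.
move_user_ldif() {
  cat <<EOF
dn: uid=$1,$2
changetype: modrdn
newrdn: uid=$1
deleteoldrdn: 1
newsuperior: $3
EOF
}

# Print member/uniqueMember values in groups LDIF $1 that are not in $2
# (one current entry DN per line). Comparison is exact string, so both sides
# must come from the same source with the same case and spacing.
dangling_members() {
  sed -n -e 's/^member: //p' -e 's/^uniqueMember: //p' "$1" |
    sort -u | grep -F -x -v -f "$2" || true
}

# Live audit of everything under base $1 on server $2 (ldaps://host URI).
# -o ldif-wrap=no keeps long DNs on one line; DNs with non-ASCII characters
# come back base64-encoded as "dn::" and are skipped here, so give users
# ASCII uid= RDNs rather than cn= RDNs built from full names.
audit_live() {
  base=$1; uri=$2; t=$(mktemp -d) || return 1
  ldapsearch -H "$uri" -x -D "cn=Directory Manager" -W -o ldif-wrap=no \
    -b "$base" '(objectclass=*)' dn | sed -n 's/^dn: //p' > "$t/dns"
  ldapsearch -H "$uri" -x -D "cn=Directory Manager" -W -o ldif-wrap=no \
    -b "$base" '(|(member=*)(uniqueMember=*))' member uniqueMember > "$t/groups"
  dangling_members "$t/groups" "$t/dns"
  rm -rf "$t"
}

# Constructed sample: sysadmins still points at kjons' old DN after the move,
# wiki was fixed (the state you get with and without referential integrity).
sample_groups_ldif() {
  cat <<'EOF'
dn: cn=sysadmins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: sysadmins
uniqueMember: uid=kjons,ou=People,dc=example,dc=com
uniqueMember: uid=elias,ou=People,dc=example,dc=com

dn: cn=wiki,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: wiki
member: uid=kjons,ou=disabled,dc=example,dc=com
member: uid=elias,ou=People,dc=example,dc=com
EOF
}

# Constructed sample: the DNs that exist after kjons was moved.
sample_current_dns() {
  cat <<'EOF'
uid=elias,ou=People,dc=example,dc=com
uid=kjons,ou=disabled,dc=example,dc=com
EOF
}
```

Usage: `move_user_ldif kjons 'ou=People,dc=example,dc=com' 'ou=disabled,dc=example,dc=com' | ldapmodify -H ldaps://fds.example.com -x -D 'cn=Directory Manager' -W` performs the move; `audit_live 'dc=example,dc=com' ldaps://fds.example.com` afterwards should print nothing. Any DN it does print is a reference the plugin did not rewrite, and the attribute it sits in is the one to add to the plugin's configuration.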
[Fedora-directory-users] [OT] A call for input from directory server experts ...
by Bryan Smith
I'm helping head up development of a broad set of real-world objectives
that covers Linux-based directory services. To date, the early
focus had only looked at OpenLDAP, prior to the FDS project's
existence. Being a longer-term Netscape Directory Server
administrator myself (and thank God that Red Hat bought it), I would
like to change that by ensuring the objectives reflect "real-world"
directory service capabilities in FDS as well as OpenLDAP.
So I'm looking for peer experts who have deployed NsDS/RHDS/FDS in
the past, ideally with OpenLDAP (or other, general LDAP capabilities
of another directory service) experience as well, to help build a set
of objectives. FDS developers are welcome as well --
although if you are a Red Hat employee, I understand there might be a
"conflict of interest" since Red Hat offers certification/training in
its RHCA program. These objectives would cover, in real-world tasks,
what an enterprise Linux administrator should know about in deploying
and maintaining LDAP (FDS, OpenLDAP, etc...) in an enterprise
environment.
If anything, it's a good opportunity to expose FDS to many people
that assume OpenLDAP is the only option out there. And ensure it in
a broad, vendor-neutral, peer-professional organization. If you are
interested, please contact me _off-list_.
-- Bryan J. Smith, LPIC-2, RHCE
--
Bryan J. Smith Professional, Technical Annoyance
b.j.smith(a)ieee.org http://thebs413.blogspot.com
-----------------------------------------------------------
Americans don't get upset because citizens in some foreign
nations can burn the American flag -- Americans get upset
because citizens in those same nations can't burn their own
17 years, 7 months
[Fedora-directory-users] mailAlternateAddress
by Craig White
I wanted to import the 'misc' schema from openldap so I could use
mailLocalAddress and fedora-ds didn't like that since there was a
collision at "2.16.840.1.113730.3.1.13" - where:
# grep "2.16.840.1.113730.3.1.13" /opt/fedora-ds/slapd-srv1/config/schema/*
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.130 NAME 'nsCalRefreshPrefs' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.131 NAME 'nsCalResourceCapacity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.132 NAME 'nsCalResourceNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.133 NAME 'nsCalServerVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.134 NAME 'nsCalSysopCanWritePassword' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.135 NAME 'nsCalTimezone' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-calendar.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.136 NAME 'nsCalXItemId' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.137 NAME 'pipuid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.138 NAME 'pipcompassservers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-compass.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.139 NAME 'pipuniqueid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Compass Server' )
/opt/fedora-ds/slapd-srv1/config/schema/50ns-mail.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.13 NAME ( 'mailAlternateAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )
But as I look through available attributes in the console, I cannot use
mailAlternateAddress and so I am stumped.
How can I use such a beast?
Craig
17 years, 7 months
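Added example, not from the post above: a collision check to run against a schema file before loading it. It extracts "OID name" pairs from both the FDS LDIF form (attributeTypes: ( OID NAME 'x' ...) and the OpenLDAP .schema form (attributetype ( OID, with NAME on a continuation line) and reports every OID the new file reuses. Matching is on the whole OID token, so 2.16.840.1.113730.3.1.13 no longer also hits ...3.1.130 through ...3.1.139, which is why the grep in the post returned ten calendar and compass attributes before the real match. The sample installed schema line is the mailAlternateAddress definition quoted in the post plus one calendar attribute; the misc.schema excerpt is constructed (OpenLDAP's misc.schema does define mailLocalAddress at that OID), and 1.3.6.1.4.1.99999.1.1 is a made-up OID for a non-colliding entry.

```sh
#!/bin/sh
# Added example: find OIDs a new schema file shares with installed schema.

# schema_oids FILE... -> lines of "OID name" for every attribute type and
# object class. Continuation lines (leading space or tab) are joined to the
# definition they belong to; FDS ships its 50*.ldif files unfolded, so a
# fold in the middle of an OID token is not handled.
schema_oids() {
  [ $# -gt 0 ] || return 0
  awk '
    BEGIN { q = "\047"; re = "\\( *[0-9][0-9.]* +NAME +\\(? *" q "[^" q "]*" q }
    /^[ \t]/ { buf = buf " " substr($0, 2); next }
    { if (buf != "") emit(buf); buf = $0 }
    END { if (buf != "") emit(buf) }
    function emit(line,   m, f) {
      if (match(line, re)) {
        m = substr(line, RSTART, RLENGTH)
        gsub("[()" q "]", " ", m)   # drop parens and quotes around the name
        sub(/NAME/, " ", m)         # the keyword precedes the name
        split(m, f, " ")
        print f[1], f[2]
      }
    }' "$@"
}

# oid_collisions NEW_SCHEMA INSTALLED_FILE...
# One line per OID in NEW_SCHEMA that an installed file already defines.
oid_collisions() {
  new=$1; shift
  {
    schema_oids "$@" | sed 's/^/I /'
    schema_oids "$new" | sed 's/^/N /'
  } | awk '
    $1 == "I" { inst[$2] = $3; next }
    $1 == "N" && ($2 in inst) { print $2, $3, "collides with installed", inst[$2] }'
}

# Constructed sample of installed FDS schema (LDIF form).
sample_installed_ldif() {
  cat <<'EOF'
dn: cn=schema
attributeTypes: ( 2.16.840.1.113730.3.1.13 NAME ( 'mailAlternateAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' )
attributeTypes: ( 2.16.840.1.113730.3.1.130 NAME 'nsCalRefreshPrefs' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Calendar Server' )
EOF
}

# Constructed excerpt in OpenLDAP .schema form; the second OID is made up.
sample_misc_schema() {
  cat <<'EOF'
attributetype ( 2.16.840.1.113730.3.1.13
    NAME 'mailLocalAddress'
    DESC 'RFC822 email address of this recipient'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME 'exampleLocalOnly'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
EOF
}
```

Usage against a real instance: `oid_collisions misc.schema /opt/fedora-ds/slapd-srv1/config/schema/*.ldif`. For a one-off check of a single OID by hand, anchor the grep on the delimiters, `grep -F '( 2.16.840.1.113730.3.1.13 ' ...` with the trailing space, so the prefix cannot match longer OIDs.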
[Fedora-directory-users] Re: Need help syncing between Active Directory and FDS
by Daniel Shackelford
> Message: 8
> Date: Thu, 27 Apr 2006 13:36:56 +0200
> From: "Espen A. Stefansen" <espen.stefansen(a)imr.no>
> Subject: [Fedora-directory-users] Need help syncing between Active
> Directory and FDS
> To: fedora-directory-users(a)redhat.com
> Message-ID: <1146137816.5150.62.camel@itse6848>
> Content-Type: text/plain
>
> Hi
> I'm a new user to FDS, so I've got some problems getting it to work. I'm
> trying to sync our Active Directory over to FDS. Unfortunately it
> doesn't work, so hopefully someone can give me some pointers.
>
> I've been looking through the wiki and the manuals, but I haven't found
> anything that helped.
>
> This is how I installed FDS:
>
> 1. Installed FDS on CentOS 4; fds.example.com.
>
> 2. Ran setup with default values (including directory manager)
>
> 3. Ran setupssl.sh.
>
> 4. Installed PassSync on a Windows Domain Controller (Windows 2003);
> win.example.com.
> - Values:
> --- Hostname: fds.example.com
> --- Port: 686
> --- Username: cn=directory manager,cn=config
> --- Cert Token: ?? (Should this be the password for the certificate?)
> --- Search: dc=example,dc=com
>
> And then imported the certificates from fds.example.com
>
> 5. Started the console, and enabled "changelog" and "replica" as
> "single master".
>
> 6. I then generated a "windows sync agreement".
> - Values:
> --- domain: example.com
> --- DCH: win.example.com
> --- Enabled SSL
> --- Bind as: cn=directory manager,cn=config
>
>
It looks like you are using the FDS Directory Manager account, rather
than a valid AD account. You will need to use an AD account that has
the ability to create/update entries.
> When I try to do a full sync, it says it can't find the LDAP-server,
> error 81. Does that mean the FDS-server?
>
> Does anyone have any idea on what might be wrong? And have I installed
> it correctly?
>
> Regards
> Espen Stefansen
>
>
--
Daniel Shackelford
Systems Administrator
Technology Services
Spring Arbor University
517 750-6648
17 years, 7 months
[Fedora-directory-users] Need help syncing between Active Directory and FDS
by Espen A. Stefansen
Hi
I'm a new user to FDS, so I've got some problems getting it to work. I'm
trying to sync our Active Directory over to FDS. Unfortunately it
doesn't work, so hopefully someone can give me some pointers.
I've been looking through the wiki and the manuals, but I haven't found
anything that helped.
This is how I installed FDS:
1. Installed FDS on CentOS 4; fds.example.com.
2. Ran setup with default values (including directory manager)
3. Ran setupssl.sh.
4. Installed PassSync on a Windows Domain Controller (Windows 2003);
win.example.com.
- Values:
--- Hostname: fds.example.com
--- Port: 686
--- Username: cn=directory manager,cn=config
--- Cert Token: ?? (Should this be the password for the certificate?)
--- Search: dc=example,dc=com
And then imported the certificates from fds.example.com
5. Started the console, and enabled "changelog" and "replica" as
"single master".
6. I then generated a "windows sync agreement".
- Values:
--- domain: example.com
--- DCH: win.example.com
--- Enabled SSL
--- Bind as: cn=directory manager,cn=config
When I try to do a full sync, it says it can't find the LDAP-server,
error 81. Does that mean the FDS-server?
Does anyone have any idea on what might be wrong? And have I installed
it correctly?
Regards
Espen Stefansen
17 years, 7 months
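Added example, not from either post above: a pre-flight check for the FDS to AD sync agreement, covering the two points the thread raises. LDAP result code 81 is LDAP_SERVER_DOWN ("can't contact LDAP server"); it is reported by the FDS side when its outbound connection to the domain controller does not complete, which is what an untrusted DC certificate or a port mismatch produces (a wrong bind identity gives 49, invalid credentials, instead). The first check encodes the reply's point that the agreement must bind as an AD account under the AD suffix, not as FDS's own Directory Manager; the second verifies the DC's certificate chain against the CA file you imported; the third does the bind the agreement will do. The IANA LDAPS port is 636, so check the port in the PassSync and agreement settings against what each side actually listens on (nsslapd-securePort on FDS). The host, the CA file name and the account cn=Administrator,cn=Users,dc=example,dc=com in the usage note are illustrative; the script assumes openssl and OpenLDAP client tools.

```sh
#!/bin/sh
# Added example: pre-flight for an FDS -> AD sync agreement over LDAPS.
# Error 81 from FDS means its connection to the DC failed; this script
# checks the usual causes before the agreement is created.

# Succeed if BIND_DN ($1) lies under AD_SUFFIX ($2), i.e. is an AD account
# and not an FDS-local identity such as cn=Directory Manager.
bind_dn_is_in_ad() {
  bind_dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
  suffix=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
  case "$bind_dn" in
    *",$suffix") return 0 ;;
    *) return 1 ;;
  esac
}

# Read `openssl s_client` output on stdin and print the "Verify return code"
# number (0 = the DC chain validates against the CA file). Prints 99 when the
# line is absent, which is what a failed TCP connect or handshake leaves you.
tls_verify_code() {
  code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
  printf '%s\n' "${code:-99}"
}

# ad_sync_preflight DC_HOST PORT BIND_DN AD_SUFFIX CA_PEM
# CA_PEM is the CA that issued the DC certificate, the same CA that has to be
# imported into the FDS certificate database for the agreement to trust it.
ad_sync_preflight() {
  host=$1; port=$2; bind_dn=$3; suffix=$4; cafile=$5
  if ! bind_dn_is_in_ad "$bind_dn" "$suffix"; then
    echo "bind DN '$bind_dn' is not under $suffix: use an AD account" >&2
    return 1
  fi
  code=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>/dev/null |
    tls_verify_code)
  if [ "$code" -ne 0 ]; then
    echo "TLS verify code $code for $host:$port: DC chain not trusted by $cafile" >&2
    return 1
  fi
  # -W prompts for the password instead of exposing it in ps output (-w).
  ldapsearch -H "ldaps://$host:$port" -x -D "$bind_dn" -W -b "$suffix" -s base \
    '(objectclass=*)' dn
}
```

Usage: `ad_sync_preflight win.example.com 636 'cn=Administrator,cn=Users,dc=example,dc=com' 'dc=example,dc=com' ad-ca.pem`. If the bind succeeds here but the agreement still reports 81, the remaining difference is trust on the FDS side: the CA in ad-ca.pem has to be present in the FDS certificate database with the trust flags that allow it to verify server certificates.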