[Fedora-directory-users] Attribute Subtypes in FDS
by Andrey Ivanov
Actually, I have found the answer. These limitations are imposed by
the Java console interface. With ldapadd & ldapmodify I can add any
subtype one can imagine....
> Is there a simple way to add more attribute subtypes than the default ones
> (lang-xx, Binary and Pronunciation)? I have searched through the schema
> but I haven't found any place where these subtypes are defined. Are
> they defined in sources?
>
> I want to use it to have different shell/uid/gid depending on the
> workstation the user is logging in (for example, uidNumber;192.158.0.1=512,
> uidNumber;192.168.0.2=512 etc). Maybe someone knows a more elegant/simple way to
> do this?
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
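An added illustration of the per-workstation idea from the question (my own sketch, not code from the thread): a client-side resolver that picks the value tagged with the workstation's attribute option and falls back to the untagged default. The option syntax is checked against RFC 4512 (letters, digits and hyphens only), which rejects the dotted-IP tags as written in the question, so the constructed sample entry uses a hypothetical hyphenated tag instead.

```python
import re

# RFC 4512: option = 1*keychar, keychar = ALPHA / DIGIT / HYPHEN. A dotted IP such as
# "uidNumber;192.168.0.2" is therefore not a valid option even if a server stores it.
_OPTION_RE = re.compile(r"^[A-Za-z0-9-]+$")

# Constructed sample entry (not from the thread): workstation-specific values are tagged
# with a hypothetical option "ws-192-168-0-2"; untagged values are the defaults.
SAMPLE_ENTRY = """
dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
uidNumber: 1001
gidNumber: 100
loginShell: /bin/bash
uidNumber;ws-192-168-0-2: 512
loginShell;ws-192-168-0-2: /bin/tcsh
"""

def parse_attribute_description(desc):
    """Split 'type;opt1;opt2' into (lower-cased type, frozenset of lower-cased options)."""
    base, *options = desc.split(";")
    for opt in options:
        if not _OPTION_RE.match(opt):
            raise ValueError("invalid attribute option %r in %r" % (opt, desc))
    return base.lower(), frozenset(o.lower() for o in options)

def parse_ldif_entry(text):
    """Parse one LDIF entry (plain 'attr: value' lines only) into {(type, options): [values]}."""
    attrs = {}
    for line in text.strip().splitlines():
        if line.startswith("dn:") or not line.strip():
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(parse_attribute_description(name.strip()), []).append(value.strip())
    return attrs

def resolve(attrs, attr_type, workstation):
    """Value tagged for this workstation, else the untagged default, else None."""
    tagged = attrs.get((attr_type.lower(), frozenset([workstation.lower()])))
    if tagged:
        return tagged[0]
    default = attrs.get((attr_type.lower(), frozenset()))
    return default[0] if default else None
```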
[Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...
by Kevin McCarthy
Dear List Members,
Release: fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm
A typical replication error log entry now follows (seen repeatedly at both
fedora DS servers):
[28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
Believe me, I have been investigating this one for 2 or 3 days now (having
just switched from OpenLDAP, since multiple master replication is required)
before sending this submission, just in case I missed a configuration item
or work-around, but unfortunately no luck (so far).
The only reference I can find for SSL Client Authentication based Multiple
Master replication (2 Linux RHEL 3 servers being used) that supplies empty
DNs, is the Windows specific entry (whose work-around I tried anyway, but
without success).
Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
To workaround the problem, after you modify and save the replication
schedule of an agreement, refresh the console, reconfigure the connection
settings (to SSL client authentication) for the agreement, and save your
changes.
http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.html
The mutual "Current Supplier DNs" are indeed set (cn=Replication
Manager,cn=replication,cn=config) and the corresponding directory entries do
exist.
The respective server certificates and CA certificates are installed, with
Subject DN entries loaded.
I do not have Legacy Consumer enabled.
CertMapping is also defined (though with a NULL DN being supplied, I guess
that will not be kicking in just yet, though there are entries for the exact
subject DN anyway.)
When using simple authentication, with or without SSL, all is well (although
replication did require both servers to Initialize the Consumer, I thought
that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed
to initialize ID 1 before successful 2-way replication was achieved).
Any suggestions will be most gratefully received!
Regards,
Kevin
[Fedora-directory-users] apache win32
by Mickael Besse
I'm now trying to configure an Apache 2.2.0 install with XAMPP under Windows
2000.
With LDAP it's OK, but I've got a problem with SSL (again). In the log of
Apache, I have:
LDAP : an attemp to set LDAP_OPT_SSL on failed. Parameter Error.
Did someone already configure Apache (win32) with LDAPS???
[Fedora-directory-users] FDS crashed, how to find out the reason?
by Kimmo Koivisto
Hello
I have an MMR environment, 2x FDS, version 1.0.2, Red Hat Enterprise 4 ES 32-bit
x86. My servers are server1.ton.fi and server2.ton.fi.
Server2 died a couple of days ago (Friday, I think) and I restarted it today.
Everything seems to be okay, but I need to provide some reasons why this
happened.
My /opt/fedora-ds/slapd-server2/logs/error shows the following:
<error log>
Fedora-Directory/1.0.2 B2006.060.1928
server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
[17/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[18/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
Fedora-Directory/1.0.2 B2006.060.1928
server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
[18/Jun/2006:04:23:11 +0300] - Backing up file 1 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/sn.db4)
[18/Jun/2006:04:23:11 +0300] - Backing up file 2 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/entrydn.db4)
[18/Jun/2006:04:23:11 +0300] - Backing up file 3 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/parentid.db4)
[18/Jun/2006:04:23:11 +0300] - Backing up file 4 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/objectclass.db4)
[18/Jun/2006:04:23:11 +0300] - Backing up file 5 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/aci.db4)
[18/Jun/2006:04:23:11 +0300] - Backing up file 6 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/cn.db4)
[18/Jun/2006:04:23:11 +0300] - Backing up file 7 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/givenName.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 8 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsUniqueId.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 9 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/numsubordinates.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 10 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/DBVERSION)
[18/Jun/2006:04:23:12 +0300] - Backing up file 11 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/ancestorid.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 12 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/uid.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 13 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nscpEntryDN.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 14 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/id2entry.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 15 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsds5ReplConflict.db4)
[18/Jun/2006:04:23:12 +0300] - Backing up file 16 (/tmp/tmp.dJIDpX3348/fdsbackup/log.0000002860)
[18/Jun/2006:04:23:12 +0300] - Backing up file 17 (/tmp/tmp.dJIDpX3348/fdsbackup/DBVERSION)
[19/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[20/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[21/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[22/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
Fedora-Directory/1.0.2 B2006.060.1928
server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
[22/Jun/2006:17:01:10 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
Fedora-Directory/1.0.2 B2006.060.1928
server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi)
[25/Jun/2006:20:25:48 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[25/Jun/2006:20:25:48 +0300] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[25/Jun/2006:20:26:06 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[25/Jun/2006:20:27:05 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[25/Jun/2006:20:27:09 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Simple bind resumed
</error log>
Any ideas?
Best Regards
Kimmo Koivisto
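The quoted error log records nothing at the moment of the crash, only the "Detected Disorderly Shutdown" line on the next start, so what it can give is the window in which the server died (the last sign of life before the unclean restart). An added example, not from the thread, that parses lines in the same layout as the log above, here a constructed sample, and reports that window for each unclean restart:

```python
import re
from datetime import datetime

# Constructed sample in the layout of the quoted error log (not the original lines).
SAMPLE_LOG = """\
Fedora-Directory/1.0.2 B2006.060.1928
server2.example.com:389 (/opt/fedora-ds/slapd-server2.example.com)
[22/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn=Replication to server1" (server1:389): Incremental protocol: event update_window_opened should not occur in state wait_for_changes
[22/Jun/2006:17:01:10 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[25/Jun/2006:20:25:48 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[25/Jun/2006:20:25:48 +0300] - Detected Disorderly Shutdown last time Directory Server was running, recovering database.
[25/Jun/2006:20:26:06 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests
"""

_LINE_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] (.*)$")

def parse_log(text):
    """Return [(timestamp, message)]; banner lines without a timestamp are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            records.append((datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z"), m.group(2)))
    return records

def crash_windows(records):
    """One (last_seen, restarted_at) pair per unclean restart.

    'Detected Disorderly Shutdown' is logged right after the 'starting up' line of the
    restart, so the record before that 'starting up' line is the last sign of life and
    the crash happened somewhere between the two timestamps.
    """
    windows = []
    for i, (_, msg) in enumerate(records):
        if "Detected Disorderly Shutdown" not in msg:
            continue
        start = i - 1 if i > 0 and "starting up" in records[i - 1][1] else i
        last_seen = records[start - 1][0] if start > 0 else None
        windows.append((last_seen, records[start][0]))
    return windows

def window_seconds(window):
    """Length of a crash window in seconds, or None when nothing precedes the restart."""
    last_seen, restarted_at = window
    return None if last_seen is None else int((restarted_at - last_seen).total_seconds())
```

On the sample the window spans from the 22 June start-up to the 25 June restart, three days with no log line in between, which is the first fact to line up against system logs and any core file from that period.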
Re: [Fedora-directory-users] Setting up multi-master via the command-line
by Mike Jackson
Joe Sheehan <triswimjoe(a)hotmail.com> wrote:
> Not at all - I can download it and I was just going to test it out today for
> my systems.
> I was just trying to automate the install of everything off the default
> install so I was just curious if there were other ways.
You can write LDIF files to configure the replication, and use the included ldapmodify tool. In my automated installations, I generate these LDIFs from parsed configuration files. It's quite a lot of work.
The mmr.pl tool is seen as a blessing by nearly everybody who has ever tried to set up MMR by hand. I wrote it because I got tired of taking 10 minutes to set up a replication testbed, over and over again.
BR,
--
mike
http://www.netauth.com
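An added illustration of the LDIF-plus-ldapmodify approach Mike describes (my own sketch, not mmr.pl or anything from the thread): a generator for the three entries each master needs (changelog, replica, one agreement), with the consistency checks the console would otherwise enforce, such as a replica ID in the master range and SSLCLIENTAUTH requiring an SSL transport (the pairing at issue in the SSL client-authentication thread above). The changelog directory, suffix and replication-manager DN are constructed values to be adapted.

```python
# Constructed values for a replication testbed; adapt suffix, paths and DNs to the deployment.
MASTER_RANGE = range(1, 65535)          # replica IDs valid for read-write replicas

def mmr_ldif(suffix, replica_id, changelog_dir, peer_host, peer_port, bind_dn,
             credentials=None, bind_method="SIMPLE", transport="LDAP",
             agreement_name=None):
    """LDIF (changetype: add) for the changelog, the replica and one agreement on a master.

    Apply it with ldapmodify on each master with its own replica_id, pointing peer_host
    at the other master; bind_dn must already exist on the peer. Then initialize once.
    """
    if replica_id not in MASTER_RANGE:
        raise ValueError("replica id %r outside master range 1-65534" % replica_id)
    if bind_method == "SSLCLIENTAUTH" and transport != "SSL":
        raise ValueError("SSLCLIENTAUTH needs an SSL transport, got %r" % transport)
    if bind_method == "SIMPLE" and not credentials:
        raise ValueError("SIMPLE bind needs credentials")
    replica_dn = 'cn=replica,cn="%s",cn=mapping tree,cn=config' % suffix
    agreement_name = agreement_name or "Replication to %s" % peer_host
    entries = [
        ["dn: cn=changelog5,cn=config", "objectclass: top", "objectclass: extensibleObject",
         "cn: changelog5", "nsslapd-changelogdir: %s" % changelog_dir],
        ["dn: %s" % replica_dn, "objectclass: top", "objectclass: nsds5replica",
         "objectclass: extensibleObject", "cn: replica", "nsds5replicaroot: %s" % suffix,
         "nsds5replicaid: %d" % replica_id, "nsds5replicatype: 3", "nsds5flags: 1",
         "nsds5replicabinddn: %s" % bind_dn],
        ["dn: cn=%s,%s" % (agreement_name, replica_dn), "objectclass: top",
         "objectclass: nsds5replicationagreement", "cn: %s" % agreement_name,
         "nsds5replicahost: %s" % peer_host, "nsds5replicaport: %d" % peer_port,
         "nsds5replicatransportinfo: %s" % transport,
         "nsds5replicabindmethod: %s" % bind_method, "nsds5replicabinddn: %s" % bind_dn,
         "nsds5replicaroot: %s" % suffix, "nsds5replicaupdateschedule: 0000-2359 0123456"],
    ]
    if credentials:
        entries[2].append("nsds5replicacredentials: %s" % credentials)
    # insert "changetype: add" after each dn line so plain ldapmodify accepts the file
    return "\n".join("\n".join([e[0], "changetype: add"] + e[1:]) + "\n" for e in entries)
```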
[Fedora-directory-users] data design for inactive users?
by Philip Lembo
We archive inactive entries by removing them from the "active" part of
the DIT and then recreating them in an "inactive" branch, where
permissioning prevents all but a few administrative apps from seeing
them. This allows us to prevent further use of the account while at the
same time preserving information that might be helpful in an audit. If a
user becomes active again (e.g. where an employee is rehired), we simply
restore their entry to the active part of the tree.
The two problems with this approach are accidental creation of duplicate
entries (like when an employee returns after having a name change) and
the fact that no off-the-shelf tool will do the archive/unarchive
operation for you. I handle the former by yelling at HR a lot and the
latter by deploying some in-house created CGI scripts.
The problem with using an "inactive" flag is that every COTS vendor who
interfaces with LDAP has a different standard, and few are very
customizable. Entrenched homegrown apps pose the same issue.
Theoretically, the number of entries in a particular directory or
directory container shouldn't be an issue. Unfortunately, many
developers insist on treating LDAP like an RDBMS, doing massive "data
mining" queries and invoking Server Side Sort to boot. As a result,
anything you can do to reduce the number of entries they can search
through helps.
[Fedora-directory-users] apache ldap over SSL.
by Mickael Besse
I have a problem using Apache LDAP over SSL.
os: fedora core 3 (updated with yum)
tools :fedora directory server 1.0.2, HTTPd 2.0.53, mod_ssl 1:2.0.53,
mod_auth_ldap, mod_ldap,
errors :
In /var/log/http/error_log: auth_ldap authenticate: user test
authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't
contact LDAP server]
In /opt/fedora-ds/slapd-id/logs/access : SSL connection from 127.0.0.1 to
127.0.0.1
closed - Encountered end of file
I have no problem without SSL.
In httpd.conf:
LDAPTrustedCA /etc/httpd/conf/ssl.crt/certificat.pem
LDAPTrustedCAType BASE64_FILE
<Directory "/var/www/html">
AuthLDAPEnabled on
AuthLDAPURL ldaps://name_of_LDAPserver:636/dc=***,dc=***?uid
require group dn_groupe
</Directory>
In fedora directory server, I use certutil -L -d . -P slapd-serverID- -n
"CA certificate" -a > cacert.asc to export CA cert. Then, I copy the
contents of cacert.asc in /etc/httpd/conf/ssl.crt/certificat.pem.
So /etc/httpd/conf/ssl.crt/certificat.pem look like:
-----BEGIN CERTIFICATE-----
kjbfilqbvlsdbvlisdf........
-----END CERTIFICATE-----
Note this message in the access log when the httpd server starts:
LDAP: Built with OpenLDAP LDAP SDK
LDAP: SSL support unavailable
Is there a solution for this problem?
Can I use apache / ssl / auth_mod_ldap / ldap(s) together?
Maybe I missed something?
Do I have to rebuild my auth_ldap module?
I want to rebuild the SRPM from Fedora Core 3 updates, and include
--with-ldap-sdk=netscape for the auth_ldap module.
But I have no idea where to specify this. The httpd.spec file defines core
options, but not module options.
Where can I specify configure options for the auth_ldap module? Hints
would be very much appreciated...
The time you spend on me is very much appreciated.
Regards
[Fedora-directory-users] slow mass deletion
by Dirk Kastens
Hi,
I'm using fedora-ds-1.0.2-1.RHEL4.
When I try to delete a whole branch in my ldap tree that contains
several thousand entries, the deletion is extremely slow. The server
needs about 10 seconds to delete a single entry. I can watch the
progress in the server's logfiles. Deleting the branch will take nearly
a day in my case. It doesn't matter if I use ldapdelete, ldapmodify with
an ldif file as input, or the server console.
My IBM directory server only needs a few seconds to delete a whole
branch. How can I speed up the deletion?
Regards,
Dirk