June 2006 - 389-users - Fedora Mailing-Lists

[Fedora-directory-users] Attribute Subtypes in FDS

by Andrey Ivanov

Actually, I have found the answer. These limitations are imposed by the java console interface. With ldapadd & ldapmodify i can add any subtype one can imagine.... > Is there a simple way to add more attribute subtypes than the default ones > (lang-xx, Binary and Pronunciation)? I have searched through the schema > but i haven't found any place where these subtypes are defined. Are > they defined in sources? > > I want to use it to have different shell/uid/gid depending on the > workstation the user is logging in (for example, uidNumber;192.158.0.1=512, > uidNumber;192.168.0.2=512 etc). Maybe someone knows a more elegant/simple way to > do this? Andrey Ivanov tel +33-(0)1-69-33-99-24 fax +33-(0)1-69-33-99-55 Direction des Systemes d'Information Ecole Polytechnique 91128 Palaiseau CEDEX France

17 years, 10 months

1
0
0 / 0

[Fedora-directory-users] Fedora DS 1.0.2 Multiple Master SSL replication: empty bind DN...

by Kevin McCarthy

Dear List Members, Release: fedora-ds-1.0.2-1.RHEL3.i386.opt.rpm A typical replication error log entry now follows (seen repeatedly at both fedora DS servers): [28/Jun/2006:18:29:21 +0100] NSMMReplicationPlugin - agmt="cn=EDS from server 2" (ukstatlap:636): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later. Believe me, I have been investigating this one for 2 or 3 days now (having just switched from OpenLDAP, since multiple master replication is required) before sending this submission, just in case I missed a configuration item or work-around, but unfortunately no luck (so far). The only reference I can find for SSL Client Authentication based Multiple Master replication (2 Linux RHEL 3 servers being used) that supplies empty DNs, is the Windows specific entry (whose work-around I tried anyway, but without success). Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later. To workaround the problem, after you modify and save the replication schedule of an agreement, refresh the console, reconfigure the connection settings (to SSL client authentication) for the agreement, and save your changes. http://www.redhat.com/docs/manuals/dir-server/release-notes/ds611relnotes.ht ml The mutual "Current Supplier DNs" are indeed set (cn=Replication Manager,cn=replication,cn=config) and the corresponding directory entries do exist. The respective server certificates and CA certificates are installed, with Subject DN entries loaded. I do not have Legacy Consumer enabled. CertMapping is also defined (though with a NULL DN being supplied, I guess that will not be kicking in just yet, though there are entries for the exact subject DN anyway.) When using simple authentication, with or without SSL, all is well (although replication did require both servers to Initialize the Consumer, I thought that only one was required e.g. ID 1 initializing ID 2, but ID 2 then needed to initialize ID 1 before successful 2-way replication was achieved). Any suggestions will be most gratefully received! Regards, Kevin

17 years, 10 months

2
1
0 / 0

[Fedora-directory-users] apache win32

by Mickael Besse

I'm now trying to configure apache 2.2.0 install with xampp under windows 2000. With ldap it's ok but I ve got some probleme with SSL (again). In the log of apache, I have: LDAP : an attemp to set LDAP_OPT_SSL on failed. Parameter Error. did someone alreday configure apache (win32) with LDAPS??? _________________________________________________________________ Retrouvez tout en un clin d'oeil avec la barre d'outil MSN Search ! http://desktop.msn.fr/

17 years, 10 months

3
3
0 / 0

[Fedora-directory-users] FDS crashed, how to find out the reason?

by Kimmo Koivisto

Hello I have MMR environment, 2x FDS, version 1.0.2, Red Hat Enterprise 4 ES 32bit x86. My servers are server1.ton.fi and server2.ton.fi. Server2 died couple of days ago (friday I think) and I restarted it today. Everything seems to be okay, but I need to provide some reasons why this happened. My /opt/fedora-ds/slapd-server2/logs/error shows the following: <error log> Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [17/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [18/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [18/Jun/2006:04:23:11 +0300] - Backing up file 1 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/sn.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 2 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/entrydn.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 3 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/parentid.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 4 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/objectclass.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 5 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/aci.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 6 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/cn.db4) [18/Jun/2006:04:23:11 +0300] - Backing up file 7 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/givenName.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 8 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsUniqueId.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 9 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/numsubordinates.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 10 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/DBVERSION) [18/Jun/2006:04:23:12 +0300] - Backing up file 11 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/ancestorid.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 12 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/uid.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 13 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nscpEntryDN.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 14 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/id2entry.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 15 (/tmp/tmp.dJIDpX3348/fdsbackup/userRoot/nsds5ReplConflict.db4) [18/Jun/2006:04:23:12 +0300] - Backing up file 16 (/tmp/tmp.dJIDpX3348/fdsbackup/log.0000002860) [18/Jun/2006:04:23:12 +0300] - Backing up file 17 (/tmp/tmp.dJIDpX3348/fdsbackup/DBVERSION) [19/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [20/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [21/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes [22/Jun/2006:00:00:00 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Incremental protocol: event update_window_opened should no t occur in state wait_for_changes Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [22/Jun/2006:17:01:10 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up Fedora-Directory/1.0.2 B2006.060.1928 server2.ton.fi:389 (/opt/fedora-ds/slapd-server2.ton.fi) [25/Jun/2006:20:25:48 +0300] - Fedora-Directory/1.0.2 B2006.060.1928 starting up [25/Jun/2006:20:25:48 +0300] - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [25/Jun/2006:20:26:06 +0300] - slapd started. Listening on All Interfaces port 389 for LDAP requests [25/Jun/2006:20:27:05 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Unable to receive the response for a startReplication exte nded operation to consumer (Can't contact LDAP server). Will retry later. [25/Jun/2006:20:27:09 +0300] NSMMReplicationPlugin - agmt="cn="Replication to server1.ton.fi"" (server1:389): Simple bind resumed </error log> Any ideas? Best Regards Kimmo Koivisto

17 years, 10 months

3
4
0 / 0

[Fedora-directory-users] Need information about phpldapadmin and Fedora DS

by Rich Megginson

We have the Howto here - http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin But it seems apparent from some recent IRC conversations that users can't even get this far - they can't even get phpldapadmin to display anything, even though it works fine with openldap. So if you have any information about setting up phpldapadmin with fedora ds, please let me know. Thanks.

17 years, 10 months

3
6
0 / 0

Re: [Fedora-directory-users] Setting up multi-master via thecommand-line

by Mike Jackson

Joe Sheehan <triswimjoe(a)hotmail.com> kirjoitti: > Not at all - I can download it and I was just going to test it out today for > my systems. > I was just trying to automate the install of everything off the default > install so I was just curious if there were other ways. You can write LDIF files to configure the replication, and use the included ldapmodify tool. In my automated installations, I generate these LDIFs from parsed configuration files. It's quite a lot of work. The mmr.pl tool is seen as a blessing by nearly everybody who has ever tried to setup MMR by hand. I wrote it because I got tired of taking 10 minutes to setup a replication testbed, over and over again. BR, -- mike http://www.netauth.com

17 years, 10 months

1
0
0 / 0

Re: [Fedora-directory-users] Setting up multi-master via the command-line

by Mike Jackson

Joe Sheehan <triswimjoe(a)hotmail.com> kirjoitti: > Is there any utilities or instructions for setting up multi-master > via the command-line. The only ones I can find are > http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication > but the mmr.pl doesn't come by default. > Hi, Do you mean that you can't access the netauth.com website? It's my website, and it should be working. I'm sitting next to my server right now, and from here, it works. -- mike

17 years, 10 months

2
1
0 / 0

[Fedora-directory-users] data design for inactive users?

by Philip Lembo

We archive inactive entries by removing them from the "active" part of the DIT and then recreating them in an "inactive" branch, where permissioning prevents all but a few administrative apps from seeing them. This allows us to prevent further use of the account while at the same time preserving information that might be helpful in an audit. If a user becomes active again (e.g. where an employee is rehired), we simply restore their entry to the active part of the tree. The two problems with this approach are accidental creation of duplicate entries (like when an employee returns after having a name change) and the fact that no off-the-shelf tool will do the archive/unarchive operation for you. I handle the former by yelling at HR alot and the latter by deploying some in-house created cgi scripts. The problem with using an "inactive" flag is that every COTS vendor who interfaces with LDAP has a different standard, and few are very customizable. Entrenched homegrown apps pose the same issue. Theoretically, the number of entries in a particular directory or directory container shouldn't be an issue. Unfortunately, many developers insist on treating LDAP like an RDMS, doing massive "data mining" queries and invoking Server Side Sort to boot. As a result, anything you can do to reduce the number of entries they can search through helps.

17 years, 10 months

2
1
0 / 0

[Fedora-directory-users] apache ldap over SSL.

by Mickael Besse

I have a problem to use apache ldap over SSL. os: fedora core 3 (updated with yum) tools :fedora directory server 1.0.2, HTTPd 2.0.53, mod_ssl 1:2.0.53, mod_auth_ldap, mod_ldap, errors : In /var/log/http/error_log: auth_ldap authenticate: user test authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server] In /opt/fedora-ds/slapd-id/logs/access : SSL connection from 127.0.0.1 to 127.0.0.1 closed - Encountered end of file I have no probleme without ssl. In http.conf: LDAPTrustedCA /etc/httpd/conf/ssl.crt/certificat.pem LDAPTrustedCAType BASE64_FILE <Directory "/var/www/html"> AuthLDAPEnabled on AuthLDAPURL ldaps://name_of_LDAPserver:636/dc=***,dc=***?uid require group dn_groupe </Directory> In fedora directory server, I use certutil -L -d . -P slapd-serverID- -n "CA certificate" -a > cacert.asc to export CA cert. Then, I copy the contents of cacert.asc in /etc/httpd/conf/ssl.crt/certificat.pem. So /etc/httpd/conf/ssl.crt/certificat.pem look like: -----BEGIN CERTIFICATE----- kjbfilqbvlsdbvlisdf........ -----END CERTIFICATE----- Note this message in access log when the httpd server start LDAP: Built with OpenLDAP LDAP SDK LDAP: SSL support unavailable Did a solution for this problem ? Can I use apache / ssl / auth_mod_ldap / ldap(s) togheter ? Maybe a miss somethings ? Did I have to rebuild my module auth_ldap module ? I want to rebuild the srpm from fedora core 3 updates, and include --with-ldap-sdk=netscape for the auth_ldap module. But I have no idea where to specifie this. httpd.spec file defines core options, but not modules options. Where can I specied configure options for auth_ldap modules ? This hints would be very appreciated... The time you spend to me is very appreciated regards _________________________________________________________________ Windows Live Mail : découvrez et testez la version bêta ! http://www.ideas.live.com/programpage.aspx?versionId=5d21c51a-b161-4314-9...

17 years, 10 months

6
28
0 / 0

[Fedora-directory-users] slow mass deletion

by Dirk Kastens

Hi, I'm using fedora-ds-1.0.2-1.RHEL4. When I try to delete a whole branch in my ldap tree that contains several thousand entries, the deletion is extremely slow. The server needs about 10 seconds to delete a single entry. I can watch the progress in the server's logfiles. Deleting the branch will take nearly a day in my case. It doesn't matter if I use ldapdelete, ldapmodify with an ldif file as input, or the server console. My IBM directory server only needs a few seconds to delete a whole branch. How can I speed up the deletion? Regards, Dirk

17 years, 10 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users June 2006