Re: [Fedora-directory-users] can't become a pdc
by Strong Steve
Actually, I fixed this problem and I've got Samba and Fedora Directory working well with each other. BUT....
How do you add computers to the windoze domain? I saw a reference to some scripts from IDEALX, but it seems like now that the users, groups and authentication are working for people logging in from Linux clients, I'd rather not start all over.
By the way, the documentation's "how-to" had some errors. Can someone tell me how to get them fixed? Can users add to the wiki somehow?
Thanks again,
Steve
-------- Original Message --------
> Subject: Re: [Fedora-directory-users] can't become a pdc
> Date: Thu, 13 Jul 2006 23:22:03 +0300
> From: Mike Jackson <mj(a)sci.fi>
> Reply-To: General discussion list for the Fedora Directory server project. <fedora-directory-users(a)redhat.com>
> To: General discussion list for the Fedora Directory server project. <fedora-directory-users(a)redhat.com>
> References: <BD272BC8210D8A4A86612DD0087CDEB8A6D0FA(a)mail.crcsd.abc>
>
> Strong Steve wrote:
> > I'm using fedora directory on rhel 4.0 and I'm trying to
> > set the server up so that it can be a windows (ick) pdc. The
> > documentation "how-to" is very clear and things went well
> > until I tried to get the local SID. After issuing the
> > command: net getlocalsid, I got two sets of error messages,
> > both suggesting that it couldn't find the ldap server. I can
> > authenticate on the server using ldap, but samba doesn't seem
> > to be able to find it.
> >
> > any help resolving this issue would be greatly appreciated, thanks,
> > steve
>
> Steve,
> What value do you have in smb.conf for "passdb backend"?
>
> BR,
> --
> Mike
>
--
Steve Strong
Math and Computer Science
Washington High School
2205 Forest Dr. SE
Cedar Rapids, IA 52403
http://crwash.org
mailto:strong.s@crwash.org
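As an added example (not from the thread, and not the DS how-to or Samba's own documentation), here are the smb.conf settings behind Mike's question: the lines that make Samba look for its passdb in the directory at all, plus the hook that creates a machine account when a workstation joins. The host name, suffixes, workgroup and the dedicated bind DN are assumptions; the bind password does not live in smb.conf (see the note below).

```ini
[global]
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    domain master = yes
    ; Every LDAP-backed operation (net getlocalsid, smbpasswd, joins) goes
    ; through passdb backend; with the default tdbsam Samba never talks to
    ; the directory at all.
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ; A dedicated entry with an ACI over the suffixes above, not
    ; cn=Directory Manager: whatever DN is named here has its password
    ; stored on the Samba box, and Directory Manager bypasses every ACI.
    ldap admin dn = cn=samba,ou=Special Users,dc=example,dc=com
    ; STARTTLS to the directory; TLS_CACERT in /etc/openldap/ldap.conf
    ; must point at the CA that signed the DS certificate.
    ldap ssl = start tls
    ; Run by Samba when a workstation joins; the IDEALX smbldap-tools
    ; command assumed here creates the machine account (uid ending in $)
    ; under ldap machine suffix.
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
```

The password for ldap admin dn is stored once in secrets.tdb with `smbpasswd -w 'password'`; until that is done every LDAP-backed command fails to bind. The smbldap-tools keep their own bind credentials in /etc/smbldap-tools/smbldap_bind.conf, so a join needs both configured. Samba only contacts the URL in passdb backend, so an LDAP server that works for PAM/nss but not for Samba usually means this line or the stored password is wrong.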
[Fedora-directory-users] Host-based access restrictions
by Philip Kime
I'm wondering: can I use something like netgroups in the LDAP
host-based ("host" attribute) access restriction? I have over 1000
servers and there is no way I can list every combination of user/host
explicitly.
I have looked at pam_access with LDAP netgroups, which is great but
there is one crucial problem - if a user needs temporary access for
example to a certain machine and this falls outside of my netgroup
definitions then there seems to be no way to allow specific access using
pam_access and /etc/security/access.conf, without having to push out
over 1000 new copies of this file. I need to be able to grant special
access like this on the LDAP server. The only thing I can think of is
this in access.conf:
+ @special@@special : ALL
where the "special" netgroup contains nisnetgroup triples like
(user,machine,)
Normally, you don't use both fields in a netgroup triple but this works
fine in access.conf because PAM uses the user part when the netgroup is
used in the user position of the user@host field and
uses the machine part when the netgroup is in the "host" position. I
thought this was really nice until I realised that this means that if
the "special" netgroup contains several entries like:
(user1,machine1)
(user2,machine2)
Then user2 also gets access to machine1 and user1 gets access to
machine2 because PAM doesn't understand that these netgroup entries are
supposed to be kept together; it just parses the user and machine parts
completely separately.
I just need to have one entry in access.conf that will cover
special-case creation on the LDAP server but it doesn't seem to be
possible, hence I am now looking at the LDAP-based host access thing.
--
Philip Kime
NOPS Systems Architect
310 401 0407
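The mismatch described above, as an added model in Python (not code from the thread, from pam_access or from glibc): it imitates how pam_access splits a `user@host` token in the users field and then asks innetgr(3) about the user half and the host half in two separate calls, against a netgroup whose triples pair a user with a host. The netgroup contents, user and host names are constructed; nisNetgroupTriple stores (host,user,domain), so the triples are written in that order here.

```python
# Constructed netgroup as it would come back from LDAP. nisNetgroupTriple
# values are (host,user,domain), the order innetgr(3) expects.
NETGROUPS = {
    "special": [
        ("machine1", "user1", ""),
        ("machine2", "user2", ""),
    ],
}


def innetgr(netgroup, host=None, user=None, domain=None):
    """Imitates innetgr(3): None means 'do not compare this position', and
    an empty field inside a triple matches anything."""
    for h, u, d in NETGROUPS.get(netgroup, ()):
        if host is not None and h and h != host:
            continue
        if user is not None and u and u != user:
            continue
        if domain is not None and d and d != domain:
            continue
        return True
    return False


def split_user_host(tok):
    """pam_access splits a users-field token at the first '@' that follows
    the leading '@' netgroup markers: '@special@@special' -> ('@special', '@special')."""
    i = 0
    while i < len(tok) and tok[i] == "@":
        i += 1
    at = tok.find("@", i)
    return (tok, None) if at < 0 else (tok[:at], tok[at + 1:])


def token_matches(tok, value, position):
    """One half of the split: a '@name' token is a netgroup, and innetgr is
    asked to compare only the position (user or host) this half stands for."""
    if tok == "ALL":
        return True
    if tok.startswith("@"):
        return innetgr(tok[1:], **{position: value})
    return tok == value


def pam_access_allows(users_field, user, host):
    """Models '+ <users_field> : ALL' for `user` logging in on `host`.
    The two halves are evaluated independently, so which host a user was
    paired with inside a triple is never consulted."""
    utok, htok = split_user_host(users_field)
    if htok is None:
        return token_matches(utok, user, "user")
    return token_matches(utok, user, "user") and token_matches(htok, host, "host")


def paired_allows(netgroup, user, host):
    """The rule Philip wants: user and host must come from the same triple.
    innetgr(3) checks exactly that when both arguments are given in one call."""
    return innetgr(netgroup, host=host, user=user)


def leaked_pairs(netgroup, users, hosts):
    """(user, host) combinations the access.conf line lets through although
    no single triple pairs them."""
    field = "@%s@@%s" % (netgroup, netgroup)
    return sorted((u, h) for u in users for h in hosts
                  if pam_access_allows(field, u, h) and not paired_allows(netgroup, u, h))


if __name__ == "__main__":
    # -> [('user1', 'machine2'), ('user2', 'machine1')]
    print(leaked_pairs("special", ["user1", "user2", "user3"],
                       ["machine1", "machine2"]))
```

The leak is exactly the cross product: every user named anywhere in the netgroup reaches every host named anywhere in it. `paired_allows` shows that the C library can express the intended check in a single innetgr call; whether the pam_access on a given system offers a users-field form that does so is something to confirm in its pam_access(5) before relying on the one-line access.conf approach.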
[Fedora-directory-users] can't become a pdc
by Strong Steve
I'm using fedora directory on rhel 4.0 and I'm trying to set the server up so that it can be a windows (ick) pdc. The documentation "how-to" is very clear and things went well until I tried to get the local SID. After issuing the command: net getlocalsid, I got two sets of error messages, both suggesting that it couldn't find the ldap server. I can authenticate on the server using ldap, but samba doesn't seem to be able to find it.
Any help resolving this issue would be greatly appreciated. Thanks,
Steve
Steve Strong
Computer Science Teacher
Washington High School
2205 Forest Dr. SE
Cedar Rapids, Iowa 52403
http://crwash.org
mailto:sstrong@crwash.org
[Fedora-directory-users] Question on Schema Object Class Inheritance
by Chun Tat David Chu
Hi,
I think I got the answer, but I would like to confirm whether I'm correct.
At any given time, a single object class can only inherit from one and only
one object class (no multiple inheritance).
For example, if I have 3 object classes
1. objectclassA with attribute1
2. objectclassB with attribute2
3. objectclassC with attribute3
Then objectclassC can only either inherit from objectclassA or objectclassB.
If I want multiple inheritance, then I'll need the following setup
1. objectclassB inherits from objectclassA
2. objectclassC inherits from objectclassB
If I am correct about object class inheritance, does this rule only
apply to Fedora Directory Server, or does it apply to all other
LDAP-enabled directory servers?
Thanks!
David Chu
[Fedora-directory-users] Re: Converting a 4-way replication setup to SSL
by Philip Kime
Many thanks to all replies about this - in the end, I drew up a plan
using bits and pieces pulled from the setupssl.sh and the RH manual for
DS. It worked nicely. I made a CA cert as per the setupssl.sh script and
then generated server cert requests from the GUI, generated the certs on
the command-line from the CA and installed the server certs in the GUI.
Then I imported the CA cert via the GUI. Everything works. It allowed me
to name the certs nicely instead of all of them being "server-cert" or
whatever. Replication is now working over SSL, and client TLS access to
any server is working when clients have a copy of the CA cert.
[Fedora-directory-users] Re: admin-server SSL and replication
by Jo De Troy
Hi Rich,
> startconsole must be configured to use SSL.
I guess it's sufficient to use https://<ldapserver>:<adminport> on
Linux or not?
I've tried to get the console on Windows to connect to
https://<ldapserver>:<adminport> without any luck yet. I did follow
the wiki page (downloading and install nss and nspr) but I get:
Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/crypto/AlreadyInitializedException
at com.netscape.management.client.console.Console.<init>(Unknown Source)
at com.netscape.management.client.console.Console.main(Unknown Source)
Another question I have about multi-master replication. If you create
the same replication manager entry with the same password on the
replication nodes, why is it necessary to have the same directory
manager entry and the same password?
>??? you mean cn=directory manager?
I thought the same replication
mgr entry would be sufficient
>It should be . . . what are you seeing that makes you think otherwise?
That's what's written in the requirements on the wiki page
http://directory.fedora.redhat.com/wiki/Howto:MultiMasterReplication
So I guess this is a prerequisite for the mmr.pl script, or is this just an error?
Any idea when the next release will be available?
Thanks again,
Jo
[Fedora-directory-users] Re: admin-server SSL and replication
by Jo De Troy
Hi Rich,
I can access the admin-server again with startconsole after having changed
admin-serv/config/adm.conf and shared/config/dbswitch.conf.
What exactly does "Secure Connection" in the admin-server console
ConfigurationDS tab
do? And why would this break the startup of startconsole?
And what exactly does the "Use SSL in Fedora Console" setting in the
Encryption tab of the Directory server console do?
Another question I have about multi-master replication. If you create
the same replication manager entry with the same password on the
replication nodes, why is it necessary to have the same directory
manager entry and the same password? I thought the same replication
mgr entry would be sufficient
Thanks again,
Jo
[Fedora-directory-users] Converting a 4-way replication setup to SSL
by Philip Kime
What a nightmare.
I tried to use the script on the Wiki but this isn't really set up to do
this. I would like one CA and then to generate all of the DS and AS
certificates from this. I can't work out if I need to copy the CA db or
just the .asc file to the other servers to generate the certs - it seems
to need the key for the CA cert and also the noise and pwd files? I
finally got two servers on SSL but they won't replicate as they don't
like each other's certificates even though I had the CA certs on both
servers.
I have spent eight hours getting nowhere and will have to start again
from scratch. If there are any clues on how to:
Have one CA for all server certs
How to install this CA cert on all servers
What is needed for replication over SSL to work
Please let me know ...
PK
--
Philip Kime
NOPS Systems Architect
310 401 0407
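For the three questions in this message (one CA for all server certs, getting that CA cert onto every server, what replication over SSL needs) and the procedure Philip later reports as working (CA per setupssl.sh, per-server requests, certs signed from the CA, CA cert imported everywhere), here is an added Python wrapper around the NSS certutil commands that setupssl.sh itself uses. It is not a script from the wiki or the DS project. The CA nickname and subject, the Server-Cert nickname, the host names, the database password and the serial numbers are assumptions; certutil (nss-tools) must be on PATH for it to do anything.

```python
import os
import shutil
import subprocess
import tempfile

CA_NICK = "CA certificate"   # nickname setupssl.sh gives the CA (assumed)
SERVER_NICK = "Server-Cert"  # nickname the directory server looks up (assumed)

# Answers to the prompts certutil -2 asks: is this a CA? yes; path length:
# default; critical extension? yes. The same sequence setupssl.sh pipes in.
CA_PROMPT_ANSWERS = "y\n\ny\n"


def run(cmd, stdin=None):
    return subprocess.run(cmd, input=stdin, text=True, check=True,
                          capture_output=True)


def init_db_cmd(dbdir, pwdfile):
    return ["certutil", "-N", "-d", dbdir, "-f", pwdfile]


def ca_cert_cmd(cadir, pwdfile, noise):
    # Self-signed (-x), trusted to issue server certs (CT,,), 120 months.
    return ["certutil", "-S", "-d", cadir, "-n", CA_NICK, "-s", "cn=CAcert",
            "-x", "-t", "CT,,", "-m", "1000", "-v", "120",
            "-z", noise, "-f", pwdfile, "-2"]


def export_ca_cmd(cadir):
    return ["certutil", "-L", "-d", cadir, "-n", CA_NICK, "-a"]


def request_cmd(dbdir, host, csr, pwdfile, noise):
    # The CN must be the host name replication agreements will use.
    return ["certutil", "-R", "-d", dbdir,
            "-s", "cn=%s,ou=Fedora Directory Server" % host,
            "-o", csr, "-z", noise, "-f", pwdfile, "-a"]


def sign_cmd(cadir, csr, crt, serial, pwdfile):
    return ["certutil", "-C", "-d", cadir, "-c", CA_NICK, "-i", csr,
            "-o", crt, "-m", str(serial), "-v", "12", "-f", pwdfile, "-a"]


def import_cmd(dbdir, nick, trust, crt):
    return ["certutil", "-A", "-d", dbdir, "-n", nick, "-t", trust,
            "-i", crt, "-a"]


def build_site(base, hosts, password="changeit"):
    """One CA under base/ca and one NSS db per host; each host db ends up
    with the CA cert (trusted) and its own CA-signed Server-Cert.
    Returns {host: dbdir}."""
    pwdfile = os.path.join(base, "pwdfile.txt")
    noise = os.path.join(base, "noise.txt")
    with open(pwdfile, "w") as f:
        f.write(password + "\n")          # constructed; keep a real one off disk
    with open(noise, "wb") as f:
        f.write(os.urandom(2048))
    cadir = os.path.join(base, "ca")
    os.makedirs(cadir)
    run(init_db_cmd(cadir, pwdfile))
    run(ca_cert_cmd(cadir, pwdfile, noise), stdin=CA_PROMPT_ANSWERS)
    ca_pem = os.path.join(base, "cacert.asc")
    with open(ca_pem, "w") as f:
        f.write(run(export_ca_cmd(cadir)).stdout)   # the only file every server needs
    dbs = {}
    for serial, host in enumerate(hosts, start=1001):   # unique serial per cert
        dbdir = os.path.join(base, host)
        os.makedirs(dbdir)
        csr = os.path.join(base, host + ".csr")
        crt = os.path.join(base, host + ".crt")
        run(init_db_cmd(dbdir, pwdfile))
        run(request_cmd(dbdir, host, csr, pwdfile, noise))   # private key stays in dbdir
        run(sign_cmd(cadir, csr, crt, serial, pwdfile))      # only the CA db signs
        run(import_cmd(dbdir, CA_NICK, "CT,,", ca_pem))      # trust the shared CA
        run(import_cmd(dbdir, SERVER_NICK, ",,", crt))       # pairs with the key above
        dbs[host] = dbdir
    return dbs


def nicknames(dbdir):
    """Parse 'certutil -L' into {nickname: trust flags}."""
    found = {}
    for line in run(["certutil", "-L", "-d", dbdir]).stdout.splitlines():
        if not line.strip() or "Trust Attributes" in line or "SSL,S/MIME" in line:
            continue
        name, trust = line.rsplit(None, 1)
        found[name.strip()] = trust
    return found


def demo_site(hosts):
    """Build a throwaway site in a temp dir and report each db's contents;
    returns None when certutil is not installed."""
    if shutil.which("certutil") is None:
        return None
    base = tempfile.mkdtemp(prefix="ds-ssl-")
    try:
        return {h: nicknames(d) for h, d in build_site(base, hosts).items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo_site(["ldap1.example.com", "ldap2.example.com"]))
```

Only the CA database ever signs, so it is the only place the CA private key (and the noise and password files used to make it) needs to exist; the other servers receive cacert.asc and their own signed certificate, nothing else. For replication over SSL each end must trust the CA (the CT,, import), present a certificate whose CN is the host name the agreement names (a mismatch is rejected by the connecting side even when both CA certs are installed), and the agreement must use the secure port with nsDS5ReplicaTransportInfo set to SSL.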
Re: [Fedora-directory-users] phpQLAdmin schema
by Carlos Cesario
Hi,
Seems that my schema conversion tool doesn't support attribute
inheritance. That's not something which is used very often, however
Turbo used it in the phpqladmin schema.
Replace all those lines where you see "SUP owner" in an attribute
definition, example:
Current:
attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
DESC 'Administrator for branch'
SUP owner)
Fixed:
attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
DESC 'Administrator for branch'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE)
I will keep this in mind for a feature enhancement.
BR,
Mike
--
http://www.netauth.com - LDAP Directory Consulting
Hi Mike,
Thank you for your help!
This work!
But there are other fields that have the same problem
-= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -=
[09/Jul/2006:04:04:16 -0300] dse - The entry cn=schema in file /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif is invalid, error code 21 (Invalid syntax) - attribute type controlBaseDn: Missing parent attribute syntax OID
[09/Jul/2006:04:04:16 -0300] dse - Please edit the file to correct the reported problems and then restart the server
-= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -= -=
Can I apply the same procedure as with attribute 'administrator'?
current
attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn'
DESC 'Search base DN for QmailLDAP/Controls objects'
SUP owner)
fixed
attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn'
DESC 'Search base DN for QmailLDAP/Controls objects'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE)
All attributes with SUP owner are...
attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn'
DESC 'Search base DN for QmailLDAP/Controls objects'
SUP owner)
attributetype ( 1.3.6.1.4.1.8767.3.2.4.10 NAME 'ezmlmAdministrator'
DESC 'Mailinglist Administrator for branch'
SUP owner)
attributetype ( 1.3.6.1.4.1.8767.3.2.4.12 NAME 'controlsAdministrator'
DESC 'QmailLDAP/Controls information administrator(s)?'
SUP owner)
Can I apply the same procedure?!
Many, many thanks!
Carlos Cesario
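An added example, not code from the thread, serving both the object class inheritance question earlier on this page and the SUP owner problem here: a small Python rewriter that follows an attribute type's SUP chain and emits the EQUALITY and SYNTAX it inherits explicitly, the edit Mike made by hand. The two core-schema parents are reproduced as constructed input (in the OpenLDAP core schema `owner` itself only says SUP distinguishedName, so the syntax lives two levels up, which is what makes a single-level fix-up insufficient). The chain says nothing about whether an attribute should be SINGLE-VALUE, so the rewriter does not add it; that part of Mike's fix is a policy choice for the admin.

```python
import re

# Constructed input: the parents the phpQLAdmin attributes depend on, as the
# OpenLDAP core schema defines them.
CORE_SCHEMA = """
attributetype ( 2.5.4.49 NAME 'distinguishedName'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.5.4.32 NAME 'owner'
        DESC 'RFC2256: owner (of the object)'
        SUP distinguishedName )
"""

# The three definitions slapd rejected, as posted in the thread.
PHPQLADMIN_SCHEMA = """
attributetype ( 1.3.6.1.4.1.8767.3.2.4.5 NAME 'controlBaseDn'
        DESC 'Search base DN for QmailLDAP/Controls objects'
        SUP owner)
attributetype ( 1.3.6.1.4.1.8767.3.2.4.10 NAME 'ezmlmAdministrator'
        DESC 'Mailinglist Administrator for branch'
        SUP owner)
attributetype ( 1.3.6.1.4.1.8767.3.2.4.12 NAME 'controlsAdministrator'
        DESC 'QmailLDAP/Controls information administrator(s)?'
        SUP owner)
"""

INHERITABLE = ("EQUALITY", "ORDERING", "SUBSTR", "SYNTAX")
KEYWORD = re.compile(r"(?<![\w-])(SUP|EQUALITY|ORDERING|SUBSTR|SYNTAX)\s+(\S+)")


def split_definitions(text):
    """Return the body of every 'attributetype ( ... )' block. Parentheses
    inside quotes (the 'administrator(s)?' DESC) do not end a block, and a
    nested NAME ( 'a' 'b' ) list is balanced."""
    bodies, pos = [], 0
    while True:
        start = text.find("attributetype", pos)
        if start < 0:
            return bodies
        i = text.index("(", start) + 1
        depth, quoted, body = 1, False, []
        while depth:
            c = text[i]
            if c == "'":
                quoted = not quoted
            elif not quoted and c == "(":
                depth += 1
            elif not quoted and c == ")":
                depth -= 1
            if depth:
                body.append(c)
            i += 1
        bodies.append("".join(body))
        pos = i


def parse(body):
    """Pick out OID, NAME, DESC, SUP, matching rules, SYNTAX and SINGLE-VALUE."""
    d = {"oid": body.split()[0]}
    for key in ("NAME", "DESC"):
        m = re.search(r"(?<![\w-])%s\s+\(?\s*'([^']*)'" % key, body)
        if m:
            d[key] = m.group(1)
    scrubbed = re.sub(r"'[^']*'", "''", body)   # keywords inside DESC must not count
    d.update(KEYWORD.findall(scrubbed))
    d["SINGLE-VALUE"] = re.search(r"(?<![\w-])SINGLE-VALUE(?![\w-])", scrubbed) is not None
    return d


def resolve(name, defs):
    """Follow the SUP chain of `name` and return its definition with the
    inherited rules filled in; the child's own rules win over a parent's."""
    merged, chain, cur = dict(defs[name]), [name], defs[name]
    while "SUP" in cur:
        parent = cur["SUP"]
        if parent not in defs or parent in chain:
            raise ValueError("attribute type %s: Missing parent attribute syntax OID "
                             "(SUP %s)" % (name, parent))
        chain.append(parent)
        cur = defs[parent]
        for key in INHERITABLE:
            if key in cur and key not in merged:
                merged[key] = cur[key]
    if "SYNTAX" not in merged:
        raise ValueError("attribute type %s: no SYNTAX anywhere in %s" % (name, chain))
    merged.pop("SUP", None)
    return merged


def render(d):
    lines = ["attributetype ( %s NAME '%s'" % (d["oid"], d["NAME"])]
    if "DESC" in d:
        lines.append("        DESC '%s'" % d["DESC"])
    lines += ["        %s %s" % (key, d[key]) for key in INHERITABLE if key in d]
    if d["SINGLE-VALUE"]:
        lines.append("        SINGLE-VALUE")
    return "\n".join(lines) + " )"


def inline_sup(schema_text, parents_text=CORE_SCHEMA):
    """Rewrite every SUP-based definition in schema_text with explicit rules."""
    defs = {}
    for body in split_definitions(parents_text) + split_definitions(schema_text):
        d = parse(body)
        defs[d["NAME"]] = d
    out = []
    for body in split_definitions(schema_text):
        d = parse(body)
        out.append(render(resolve(d["NAME"], defs) if "SUP" in d else d))
    return "\n\n".join(out)


if __name__ == "__main__":
    print(inline_sup(PHPQLADMIN_SCHEMA))
```

Run against the three definitions above it prints each of them with `EQUALITY distinguishedNameMatch` and `SYNTAX 1.3.6.1.4.1.1466.115.121.1.12` in place of `SUP owner`; a definition whose parent is nowhere in the supplied schema raises the same "Missing parent attribute syntax OID" condition the slapd log reports, rather than silently emitting something the server will reject at startup.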
Re: [Fedora-directory-users] admin-server SSL
by Jo De Troy
Hello again,
I got SSL working on the admin server and can connect to it with
startconsole https://
However, once that was working I enabled the flag "Secure Connection" in the
admin-server console, ConfigurationDS tab, and now I cannot connect any more.
The startconsole initializes forever. Any idea what might be causing this?
How can I reset this flag? Which entry in the directory stores this setting?
And which entry stores the "Use SSL in Fedora Console" setting in the
Encryption tab of the Directory server console?
Or are both stored in a config file?
Thanks again,
Jo