[Fedora-directory-users] Confusion over admserv_host_ip_check message
by Dave Della Costa
Hi folks,
I'm having a lot of problems getting into the console admin to the
server remotely.
I'm getting this in the admin-serv/logs/error log (I've changed the IPs
below, obviously...they are all the same one FYI):
[Mon Sep 25 08:51:57 2006] [notice] [client xxx.xx.xx.xxx]
admserv_host_ip_check: ap_get_remote_host could not resolve xxx.xx.xx.xxx
[Mon Sep 25 08:51:57 2006] [warn] [client xxx.xx.xx.xxx]
admserv_host_ip_check: failed to get host by ip addr [xxx.xx.xx.xxx] -
check your host and DNS configuration
[Mon Sep 25 08:51:57 2006] [notice] [client xxx.xx.xx.xxx]
admserv_host_ip_check: Unauthorized host ip=xxx.xx.xx.xxx, connection
rejected
I tried to use ldapmodify to open up the restriction, per the
instructions here:
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
...like so:
# one "replace:" per attribute; a line holding "-" separates the two changes
dn: dn of your admin server config entry
changetype: modify
replace: nsAdminAccessAddresses
nsAdminAccessAddresses:
-
replace: nsAdminAccessHosts
nsAdminAccessHosts:
(I left them blank per this mailing list post:
http://www.redhat.com/archives/fedora-directory-users/2005-December/msg00...)
I've checked this doc, but it seems to be about what you can do AFTER
you get the console running:
http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
I feel like it's going to be really simple to fix this, but I just am
pretty unfamiliar with directory server and LDAP in general. Thanks for
any help or instructions--
Best,
Dave
17 years, 7 months
Re: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes
by kevin james
Francois,
Thanks for your quick and helpful reply. I tried what you explained, so I created a new file called 70kevin.ldif and put this into it:
dn: cn=schema
objectClass: top
objectClass: inetorgPerson
objectClass: subschema
attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.12274.1.1.2.1 NAME 'externalUser' DESC '' SUP inetorgPerson AUXILLARY MAY ( policyNos ) X-ORIGIN 'user defined' )
I restarted slapd and I got this warning:
"Entry "cn=schema" missing attribute "sn" required by object class "inetOrgPerson""
I can see 'externalUser', but when I try to create a new user, it asks me for the policyNos attribute and not the other attributes of inetOrgPerson; when I try to create the object I get an object violation error.
I didn't quite understand this part you mentioned; what else could I be missing?
<quote>.....and have your users implement both inetOrgPerson and your auxiliary class. </quote>
Any ideas?
Thanks,
Kevin
----- Original Message ----
From: François Beretti <francois.beretti(a)gmail.com>
To: kevin james <kevinjj33(a)yahoo.com>; General discussion list for the Fedora Directory server project. <fedora-directory-users(a)redhat.com>
Sent: Monday, September 25, 2006 3:59:11 PM
Subject: Re: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes
Hi,
a few thoughts from someone who is not a fedoraDS expert:
- you created a new attribute type, but did not add it to the inetorgperson class definition, so the class itself is not modified. The way the LDIF files are named does not imply that you modify a given class. Only the number has a meaning, and it represents the order in which the files are analysed at server startup
- I am not sure, but I believe that 99users.ldif should not be modified, because it represents a view of the directory schema and is not a configuration file. Again, I am really not sure; I don't have a fedora instance at home and can't check this
- standard classes should not be modified. You should create an auxiliary objectClass containing your custom attribute types, and have your users implement both inetOrgPerson and your auxiliary class. This can also be a way to determine whether a given user is configured for your application or not (if it implements your aux class or not). To achieve this, you should create a file named, for example, 70kevin.ldif and put all your custom schema in it. Then start your server.
Regards,
François
2006/9/25, kevin james < kevinjj33(a)yahoo.com>:
Oops, I pressed the enter key and the mail got sent; Yahoo Beta Mail is too Ajaxified :)
These were the lines I added to the bottom of the 99users.ldif.
My custom attribute is called "policyNos":
attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
I was able to restart slapd with no problems, but it still doesn't show up in my list of attributes for inetOrgPerson.
Again any suggestions would be greatly appreciated.
Thanks,
Kevin
----- Original Message ----
From: kevin james < kevinjj33(a)yahoo.com>
To: fedora-directory-users(a)redhat.com
Sent: Monday, September 25, 2006 3:43:07 PM
Subject: Extending inetOrgPerson's schema to support custom attributes
Hello All,
I'm trying to extend the inetOrgPerson's schema in order to better support our company's user profile. I've been doing some googling and I understand that modifications need to be done to the 99users.ldif file. I've tried a couple of settings, but I'm unable to see my custom attributes show up in the list of schema attributes for the inetOrgPerson class.
Here's what I've done so far. Any help would be greatly appreciated.
These are the lines I added to the bottom of the 99users.ldif file.
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
17 years, 7 months
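The two schema rules behind the warning and the object violation in this thread, as an added illustration that is not Fedora DS code: a small checker walks each objectClass and its SUP chain, requires every MUST attribute, and allows only attributes that are MUST or MAY somewhere in those chains. The standard classes are constructed, abbreviated definitions; the externalUser class is the thread's own, with the AUXILLARY typo corrected to AUXILIARY; the function names are mine.

```python
import re

# Constructed, abbreviated schema: standard classes keep only the MUST/MAY needed
# here (person MUST sn/cn is the rule behind the warning in the thread);
# externalUser is the thread's own definition with AUXILLARY corrected to AUXILIARY.
SCHEMA_TEXT = """
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ description ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( uid $ mail ) )
objectClasses: ( 1.3.6.1.4.1.12274.1.1.2.1 NAME 'externalUser' DESC '' SUP inetOrgPerson AUXILIARY MAY ( policyNos ) X-ORIGIN 'user defined' )
"""

def _names(spec):
    return {n.strip().lower() for n in spec.strip("() ").split("$")}

def parse_schema(text):
    """Parse objectClasses: lines into {name: {sup, must, may}}, names lowercased."""
    classes = {}
    for line in text.splitlines():
        if line.startswith("objectClasses:"):
            body = line.split(":", 1)[1]
            name = re.search(r"NAME '([^']+)'", body).group(1).lower()
            sup = re.search(r"\bSUP (\w+)", body)
            must = re.search(r"\bMUST (\([^)]*\)|\w+)", body)
            may = re.search(r"\bMAY (\([^)]*\)|\w+)", body)
            classes[name] = {"sup": sup.group(1).lower() if sup else None,
                             "must": _names(must.group(1)) if must else set(),
                             "may": _names(may.group(1)) if may else set()}
    return classes

def check_entry(entry, classes):
    """Schema violations for an entry given as {attr_lowercase: set_of_values}."""
    problems, allowed = [], set()
    for oc in sorted(entry.get("objectclass", ())):
        name = oc.lower()
        if name not in classes:
            problems.append(f"unknown objectClass {oc}")
        while name in classes:                      # walk oc and its SUP chain up to top
            allowed |= classes[name]["must"] | classes[name]["may"]
            for attr in sorted(classes[name]["must"] - set(entry)):
                msg = f"missing attribute {attr} required by object class {oc}"
                if msg not in problems:
                    problems.append(msg)
            name = classes[name]["sup"]
    for attr in sorted(set(entry) - allowed):
        problems.append(f"attribute {attr} not allowed by the entry's object classes")
    return problems

SCHEMA = parse_schema(SCHEMA_TEXT)
```

Running it over the cn=schema entry from the thread reports the missing sn; a user with only inetOrgPerson cannot carry policyNos, while one with both inetOrgPerson and externalUser passes.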
[Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes
by kevin james
Oops, I pressed the enter key and the mail got sent; Yahoo Beta Mail is too Ajaxified :)
These were the lines I added to the bottom of the 99users.ldif.
My custom attribute is called "policyNos":
attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
I was able to restart slapd with no problems, but it still doesn't show up in my list of attributes for inetOrgPerson.
Again any suggestions would be greatly appreciated.
Thanks,
Kevin
----- Original Message ----
From: kevin james <kevinjj33(a)yahoo.com>
To: fedora-directory-users(a)redhat.com
Sent: Monday, September 25, 2006 3:43:07 PM
Subject: Extending inetOrgPerson's schema to support custom attributes
Hello All,
I'm trying to extend the inetOrgPerson's schema in order to better support our company's user profile. I've been doing some googling and I understand that modifications need to be done to the 99users.ldif file. I've tried a couple of settings, but I'm unable to see my custom attributes show up in the list of schema attributes for the inetOrgPerson class.
Here's what I've done so far. Any help would be greatly appreciated.
These are the lines I added to the bottom of the 99users.ldif file.
17 years, 7 months
[Fedora-directory-users] Extending inetOrgPerson's schema to support custom attributes
by kevin james
Hello All,
I'm trying to extend the inetOrgPerson's schema in order to better support our company's user profile. I've been doing some googling and I understand that modifications need to be done to the 99users.ldif file. I've tried a couple of settings, but I'm unable to see my custom attributes show up in the list of schema attributes for the inetOrgPerson class.
Here's what I've done so far. Any help would be greatly appreciated.
These are the lines I added to the bottom of the 99users.ldif file.
17 years, 7 months
[Fedora-directory-users] Does userattr="parent[1].attribute#LDAPURL" work ?
by François Beretti
Hi all,
in the directory server access control documentation, it is said that the following aci syntax can be used:
(version 3.0; acl "test" allow (all) userattr =
"parent[1].attribute#LDAPURL";)
I need exactly this feature for the LDAP support of my software.
But in my tests, while userattr="url.#LDAPURL" does work, the use of the
"parent" keyword does not work.
I use the class enatelUserReferer, which allows the url attribute type. The object under which I want to create another one is:
cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
it is named by the nsuniqueid of the object :
uid=francois,dc=evidian,dc=fr
I want to give add access to this user, even if the user is renamed. So I
want to use the nsuniqueid to find him. In the url attribute I store :
ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)
Here are the ACIs set on my o=tests root suffix:
dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer read access"; allow (read,search,compare) userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer add access"; allow (add) userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer personal access"; allow (all) userattr="url#LDAPURL";)

dn: o=tests
changetype: modify
add: aci
aci: (targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version 3.0; acl "enatelUserManagedAuth access"; allow (all) userattr="parent[1].url#LDAPURL";)
Then I bind as uid=francois,dc=evidian,dc=fr and try to create an enatelUserManagedAuth of DN:
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
I get an access denied error.
Here is the access control log of slapd:
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14 binddn="uid=francois,dc=evidian,dc=fr"
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:o=tests: container:26
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO STARTS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Client DN: uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - resource type:256(add target_DN )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN: cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ATTR: NULL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - rights:add
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO ENDS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "enatelUserManagedAuth access"]***
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692 ACL_ELEVEL:3
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read write delete add self target_attr target_filter acltxt allow_rule )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL INFO*****************************
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) " "enatelUserManagedAuth access""
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval: AttrName:parent[1].url, attrVal:LDAPURL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add on entry(cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests).attr(NULL): no aci matched the subject by aci(692): aciname= "enatelUserManagedAuth access", acidn="o=tests"
Where is the problem?
Thank you very much
François
17 years, 7 months
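The documented meaning of userattr="parent[n].attr#LDAPURL", modelled as an added example that is not the NSACLPlugin code: the entry n levels above the target must hold, in attr, an LDAP URL whose base, scope and filter select the bound entry. The entries are constructed to mirror the thread (the user and the referer object named by its nsuniqueid), only the single equality filter used there is supported, and the function names are mine; the model shows the intended evaluation, not why the server above denied the add.

```python
import re

# Constructed entries mirroring the thread: a referer object named by the user's
# nsuniqueid, whose url attribute points back at that user. Keys are lowercase DNs.
ENTRIES = {
    "uid=francois,dc=evidian,dc=fr": {"nsuniqueid": {"5b74e802-1dd211b2-80e4f010-e49d0000"}},
    "cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests": {
        "objectclass": {"enatelUserReferer"},
        "url": {"ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)"}},
}

def parent_dn(dn, level):
    """DN 'level' RDNs above dn (0 is dn itself); None if the DN is too short. No escaped commas."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(parts[level:]) if level < len(parts) else None

def parse_ldap_url(url):
    """ldap:///base?attrs?scope?filter -> (base, scope, filter), or None if not an LDAP URL."""
    m = re.match(r"ldap:///([^?]*)\??([^?]*)\??([^?]*)\??(.*)", url)
    return (m.group(1).lower(), (m.group(3) or "base").lower(), m.group(4)) if m else None

def dn_in_scope(dn, base, scope):
    dn = dn.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)      # sub

def matches_filter(entry, flt):
    """Only the (attr=value) equality filter the thread uses is modelled."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    return bool(m) and m.group(2).lower() in {v.lower() for v in entry.get(m.group(1).lower(), ())}

def userattr_ldapurl_allows(entries, target_dn, bind_dn, attr, level):
    """Does the entry 'level' parents above target_dn hold, in attr, an LDAP URL selecting
    the bound entry? This is the documented userattr="parent[level].attr#LDAPURL" test."""
    holder = parent_dn(target_dn, level)
    bound = entries.get(bind_dn.lower())
    if holder is None or bound is None:
        return False
    for url in entries.get(holder.lower(), {}).get(attr.lower(), ()):
        parsed = parse_ldap_url(url)
        if parsed and dn_in_scope(bind_dn, parsed[0], parsed[1]) and matches_filter(bound, parsed[2]):
            return True
    return False
```

With level 1 the add of cn=auth under the referer is granted to uid=francois because the URL on the parent selects him by nsuniqueid; with level 0 (the url#LDAPURL form) it is only granted on the referer entry itself.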
[Fedora-directory-users] How to make anonymous SASL work?
by devel - Fashion Content
I seem quite stuck on getting the first step of setting up mail authentication.
I have a running directory and Cyrus-SASL installed, but I can't get the two to communicate properly.
For now I think anonymous access is fine as they are on the same server.
I tried ldapsearch, but it seems to fail quite basically:
[root@langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b "fashioncontent.com" cn=hvendelbo
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
[root@langham ~]# ldapsearch -X -Y
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
As I understand the message, I need to configure some protocol on the server, but I have no idea where or how?
Henrik
17 years, 7 months