I am new to LDAP and more specifically FDS. I had an OpenLDAP server setup
a year or so ago which I used an older version of phpldapadmin with. It
seemed to work without too much trouble, but I can't seem to get either FDS
or OpenLDAP working with phpldapadmin.
I found some information in the list archives as well as other places, but
my problem seems to be still existing.
The error I get from phpLDAPadmin:
Could not determine the root of your LDAP tree.
It appears that the LDAP server has been configured to not reveal its root.
Please specify it in config.php
I would really like to use FDS, and I have it running what I consider very
well. I am not able to get this plugged into it, and I really don't know
enough yet about where to look to configure either FDS to reveal its root or
phpldapadmin to know what the rootDSE is set to.
Any help would be great. I have read the docs, but just need a little push
in the right direction.
System Support Engineer
1800 288 7750
I'm running fedora-ds-1.0.4 on FC5. The server starts normally
with /opt/fedora-ds/slapd-pendragon/start-slapd, and serves LDAP queries.
However, when I start-admin or restart-admin, and then startconsole
(with the J2RE properly in my $PATH), I can log into the console, but
its "Servers and Applications" tab is empty. The admin-serv logs don't
record anything out of the ordinary.
I'll appreciate help in getting my console back to work.
Oscar A. Valdez
Industrias Duraflex, S.A. de C.V.
This is happening because you enabled the option "User must change password after reset". In the Directory Server Console, go to the Configuration tab, select Data, go to the "Passwords" tab and then uncheck this option.
> Hi to all, I have a problem with passwordExpirationTime.
> The problem is:
> my fedora-ds is set to "password expires after 180 days",
> and every user has "passwordExpirationTime: 20070807102527Z",
> but when I try to import, this message appears: "The error sent by the
> server was 'Object class violation. single-valued attribute
> "passwordExpirationTime" has multiple values'".
> So if I delete the attribute "passwordExpirationTime" from the user, the
> import works fine, but the date for the expiration password is set
> automatically by fedora-ds to "19001023000000Z (or similar)".
> How should I set the NTP or the right date from fedora-ds 1.0.4???
> Thanks to all
> Fedora-directory-users mailing list
I should have probably provided more detail. I followed the HOWTO:kerberos and entered the config - sasl - mapping as it explained, namely:
And that produces the same SASL GSSAPI errors as in the last post. The link on that HOWTO that points to the SASL configuration shows the other configuration parameters (the ones that I also tried and posted in my last message). The install is a standard user(a)mydomain.com, so you're probably correct, and I've changed that entry to the above settings.
The SASL documentation:
Configuring SASL Identity Mapping from the Console
In the Console, open the Directory Server.
Open the "Configuration" tab.
Select the "SASL Mapping" tab.
To add new SASL identities, select the "Add" button, and fill in the required values.
The Kerberos HOWTO doesn't discuss adding any mappings in the console, so it wasn't clear if this was required or not. Can you confirm? If it is required, what would the fields be filled with? Do we need to link to the dn: cn=mapname,cn=mapping,cn=sasl,cn=config above?
Also, because the service principal that FDS is going to use is ldap/fqdnoffds.myexample.com, do I need to add a second dn in order for this to work...such as:
> Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap.
The SASL settings that openldap used (they aren't mentioned in the HOWTO:kerberos or the SASL pages on the FDS site) are:
I've tried with and without these settings and I still get the error: invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied). When I set these, I believe they are used for default settings (so that you don't have to type ldapwhoami -Y GSSAPI, just ldapwhoami).
Any thoughts would be appreciated!
Many thanks again,
The problem was really related to indexes.
I indexed the attribute gidnumber and the CPU utilization decreased a lot.
> We were seeing similar CPU utilization recently. The problem turned out to
> be a lack of indexes. The web app for looking up people had changed
> recently and was doing substring matches on two attributes that were not
> indexed at all, much less for substrings. Once I created the indexes, CPU
> utilization dropped from 99% to under 2%. You might check your access logs
> to see what sorts of searches are being done and confirm that you have
> indexes in place to speed things up.
> --On Friday, January 26, 2007 10:18:25 AM -0200 Renato Ribeiro da Silva
> <capareci(a)uol.com.br> wrote:
> > I'm having questions about CPU utilization of Directory Server. The
> > process ns-slapd takes 99.9% of CPU almost all the time. Is there any way
> > to know why this is happening? Can any performance counter (DS Console)
> > show me the answer? Is it possible to know the apps that are using the
> > Directory at this moment?
> > Best Regards,
> > Renato
> > --
> --
> Paul D. Engle | Rice University
> Sr. Systems Administrator | Information Technology - MS119
> (713) 348-4702 | P.O. Box 1892
> pengle(a)rice.edu | Houston, TX 77251-1892
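The advice above is to check the access log for searches the server answers without an index. Fedora/389 Directory Server flags such a search by appending notes=U to the matching RESULT line, and the following added example (not code from the list thread) pairs SRCH and RESULT lines by conn/op, counts the unindexed filters, and lists the attributes that need an equality or substring index. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed access log sample in the Fedora DS format (not taken from the list post).
# The server adds "notes=U" to a RESULT line when the search ran without an index.
ACCESS_LOG = """\
[26/Jan/2007:10:18:25 -0200] conn=12 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(gidNumber=1000)" attrs="uid"
[26/Jan/2007:10:18:26 -0200] conn=12 op=1 RESULT err=0 tag=101 nentries=40 etime=3 notes=U
[26/Jan/2007:10:18:27 -0200] conn=13 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=renato)" attrs=ALL
[26/Jan/2007:10:18:27 -0200] conn=13 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[26/Jan/2007:10:18:30 -0200] conn=14 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(cn=*silva*)" attrs=ALL
[26/Jan/2007:10:18:31 -0200] conn=14 op=2 RESULT err=0 tag=101 nentries=2 etime=4 notes=U
[26/Jan/2007:10:18:40 -0200] conn=15 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(gidNumber=1000)" attrs="uid"
[26/Jan/2007:10:18:41 -0200] conn=15 op=1 RESULT err=0 tag=101 nentries=40 etime=2 notes=U
"""

SRCH_RE = re.compile(r'\bconn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
RESULT_RE = re.compile(r'\bconn=(\d+) op=(\d+) RESULT .*?notes=([\w,]+)')
# one (attribute=value) assertion inside a filter
ASSERTION_RE = re.compile(r'\(([A-Za-z][\w;-]*)=([^)]*)\)')


def unindexed_searches(log_text):
    """Count filters whose RESULT line carries notes=U, matched to their SRCH by conn/op."""
    pending = {}          # (conn, op) -> filter of a search still awaiting its RESULT
    hits = Counter()
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and "U" in m.group(3).split(","):
            flt = pending.pop((m.group(1), m.group(2)), None)
            if flt is not None:
                hits[flt] += 1
    return hits


def attributes_to_index(hits):
    """For each attribute used in an unindexed filter, the index type(s) that would serve it:
    'sub' when the value contains a wildcard, 'eq' otherwise."""
    needed = {}
    for flt in hits:
        for attr, value in ASSERTION_RE.findall(flt):
            needed.setdefault(attr.lower(), set()).add("sub" if "*" in value else "eq")
    return needed
```

Run it against the real access log and the output names the attributes to index; in the thread above, gidnumber with an equality index was the fix.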
Is it possible to replicate (multi-master preferably) a FDS 1.0.4 with a Sun
If so, can anybody point me to some documentation about it?
Stéphane Konstantaropoulos <skonstant(a)sgul.ac.uk>
-- Web Developer - Computing Services
--- St George's University of London
>I think your best option is to just keep Kerberos for authentication,
>especially if you are already using it successfully for other apps.
>What problems did you have with SASL mapping?
Thanks for your reply. I've followed the documentation on the FDS website; basically, to keep it as compatible as possible, I've added (under config - sasl - mapping):
On the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd. (I've done a ktdump to this file from kadmin).
On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to:
base dc=example, dc=com
When trying to do an ldapwhoami I receive:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission Denied).
I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS.
One thing that was not clear to me was whether I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above, and if so, what it should look like. Also, I'm not sure if I need all the settings (such as a sasl_auth_id), but they are left over from the configuration of openldap.
Any help would be appreciated.
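Both SASL messages above ask how a Kerberos principal is turned into a directory entry by the entries under cn=mapping,cn=sasl,cn=config. The following added example (not the list's or the project's code) emulates that mapping step in Python: each mapping has a regex over the principal, a base DN template and a filter template, and \1 in the templates is replaced by the regex group. The mapping values and the MYDOMAIN.COM realm are constructed; the server itself evaluates nsSaslMapRegexString as a POSIX regex, whereas this example uses Python re syntax.

```python
import re

# Constructed mappings in the shape of Fedora DS nsSaslMapping entries
# (cn=<mapname>,cn=mapping,cn=sasl,cn=config). Attribute names are the server's;
# the regex, base and filter values are made up for this example.
MAPPINGS = [
    {   # user principal alice@MYDOMAIN.COM -> search for uid=alice under ou=People
        "cn": "kerberos-users",
        "nsSaslMapRegexString": r"^([^/@]+)@MYDOMAIN\.COM$",
        "nsSaslMapBaseDNTemplate": "ou=People,dc=example,dc=com",
        "nsSaslMapFilterTemplate": r"(uid=\1)",
    },
    {   # service principal ldap/host.example.com@MYDOMAIN.COM -> a host entry
        "cn": "kerberos-services",
        "nsSaslMapRegexString": r"^ldap/([^@]+)@MYDOMAIN\.COM$",
        "nsSaslMapBaseDNTemplate": "ou=Hosts,dc=example,dc=com",
        "nsSaslMapFilterTemplate": r"(cn=\1)",
    },
]


def resolve_sasl_identity(principal, mappings=MAPPINGS):
    """Return (mapping cn, search base, search filter) from the first mapping whose
    regex matches the authenticated principal, or None when no mapping applies.
    The server then binds as the single entry that search returns; if the search
    yields no entry, or more than one, the bind is rejected even though the
    Kerberos ticket itself was valid."""
    for m in mappings:
        match = re.match(m["nsSaslMapRegexString"], principal)
        if not match:
            continue

        def fill(template):
            # \1, \2 ... in a template stand for the regex groups, as in the server's templates
            return re.sub(r"\\(\d)", lambda g: match.group(int(g.group(1))), template)

        return m["cn"], fill(m["nsSaslMapBaseDNTemplate"]), fill(m["nsSaslMapFilterTemplate"])
    return None
```

A principal that no mapping matches, such as one from a different realm, resolves to None, which is the first thing to check when a GSSAPI bind that has a valid ticket still fails.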
I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS. Primarily, I'm looking for authentication and authorization for fedora / centos console logins (via PAM).
Currently I have a cron job that keeps a kerberos service principal alive to allow slapd to bind to openldap (as I've also disabled anonymous binds). I also have startTLS running w/o client authentication (just server certificates and the local client has the CA pub cert).
I then have nsswitch/pam configured to use these for console (console,ssh,etc) logins.
I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of /etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by pointing to a posix group dn).
I was able to set up FDS for console sessions with cleartext and nsswitch. I'm not sure which route to take in terms of locking down FDS in a pure linux environment. The straight SSL certificate approach seems to want the user to enter a password before a bind, so I'm not sure that's compatible with PAM. Is TLS a better option for this? The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts where you can't easily do this. I've tried to make the SASL mapping as the docs show, but was unsuccessful.
Can anyone point me in the right direction for the best way to accomplish secure PAM / FDS integration? Any help would be greatly appreciated.
I'm having questions about CPU utilization of Directory Server. The process ns-slapd takes 99.9% of CPU almost all the time. Is there any way to know why this is happening? Can any performance counter (DS Console) show me the answer? Is it possible to know the apps that are using the Directory at this moment?