January 2007 - 389-users - Fedora Mailing-Lists

[Fedora-directory-users] FDS and phpLDAPadmin

by Heath Henderson

I am new to LDAP and more specifically FDS. I had an OpenLDAP server setup a year or so ago which I used an older version of phpldapadmin with. It seemed to work without too much trouble, but I can't seem to get either FDS or OpenLDAP working with phpldapamdin. I found some information in the list archives as well as other places, but my problem seems to be still existing. The error I get from phpLDAPadmin Could not determine the root of your LDAP tree. It appears that the LDAP server has been configured to not reveal its root. Please specify it in config.php I would really like to use FDS and have it running what I consider very well. I am not able to get this plugged into it and I really don't know enough yet on where to look to configure either FDS to reveal its root or phpldapadmin to know what the rootDSE is set to? Any help would be great. I have read the docs, but just need a little push in the right direction. -- Heath Henderson System Support Engineer heath(a)gaggle.net 1800 288 7750 --

16 years, 3 months

5
6
0 / 0

[Fedora-directory-users] Admin console's default view is empty

by Oscar A. Valdez

I'm running fedora-ds-1.0.4 on FC5. The server starts normally with /opt/fedora-ds/slapd-pendragon/start-slapd, and serves ldap queries normally. However, when I start-admin or restart-admin, and then startconsole (with the J2RE properly in my $PATH), I can log into the console, but it's "Servers and Applications" tab is empty. The admin-serv logs don't record anything out of the ordinary. I'll appreciate help in getting my console back to work. -- Oscar A. Valdez Industrias Duraflex, S.A. de C.V.

16 years, 4 months

2
16
0 / 0

Re:[Fedora-directory-users] set dite end time to fedora-ds

by Renato Ribeiro da Silva

This is happening because you enabled the option "User must change password after reset". In the Directory Server Console go to Configuration Tab, select Data, go to "Passwords" Tab and then uncheck this option. > Hi to all, i have a problem with passwordExpirationTime. > the problem is: > my fedora-ds is set to " password expires after 180 days. > and every user have "passwordExpirationTime: 20070807102527Z" > but when i try to import this messagge appear "The error sent by the > server was 'Object class violation. single-valued attribute > "passwordExpirationTime" has multiple values". > so if i delete the attribute "passwordExpirationTime" from the user, > import work fine, but the date for the expiration password is set > automatically by fedora-ds to "19001023000000Z ( or simil )". > How i shoud set the ntp or the right date from fedora-ds 1.0.4 ??? > thanks to all > > -- > Fedora-directory-users mailing list > Fedora-directory-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >

16 years, 4 months

2
1
0 / 0

Re: [Fedora-directory-users] FDS / PAM Integration Questions

by Jonathan Schreiter

Hi Richard, I should have probably provided more detail. I followed the HOWTO:kerberos and entered the config - sasl - mapping as it explained, namely: dn: cn=mapname,cn=mapping,cn=sasl,cn=config objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: $.*$(a)$.*$ nsSaslMapBaseDNTemplate: uid=\1,dc=myexample,dc=com nsSaslMapFilterTemplate: (objectclass=inetOrgPerson) And that poduces the same SASL GSSAPI errors as in the last post. The link on that HOWTO that points to the SASL configurations shows the other configuraton paramaters (the ones that I also tried and posted in my last message). The install isa standard user(a)mydomain.com so you're probably correct and I've canged that entry to the above settings. The SASL documenation: Configuring SASL Identity Mapping from the Console In the Console, open the Directory Server. Open the "Configuration" tab. Select the "SASL Mapping" tab. To add new SASL identities, select the "Add" button, and fill in the required values. The Kerberos HOWTO doesn't discuss adding any mappings on the console, so it wasn't clear if this was required or not. Can you confirm? If it is required, what would the fields be filled with - do we need to link to the dn: cn=mapname,cn=mapping,cn=sasl,cn=config above? Also, because the service principal that FDS is going to use is ldap/fqdnoffds.myexample.com, do I need to add a second dn in order for this to work...such as: dn: cn=mapname2,cn=mapping,cn=sasl,cn=config objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: [^/]+/$.+$ nsSaslMapBaseDNTemplate: uid=\1,ou=hosts,dc=myexample,dc=com nsSaslMapFilterTemplate: .* > Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap. > What settings? The SASL settings that openldap used (they aren't mentioned in the howto: kerberos or SASL on the FDS sites), but they are: SASL_MECH GSSAPI SASL_REALM MYEXAMPLE.COM use_sasl_on sasl_auhid nssldap/myclient.myexample.com I've tried with and without these settings and I still get the the error: invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (Permission denied). When I set these, I beleve it is used for default settings (such as you don't have to type ldapwhoami -Y GSSAPI, just ldapwhoami). Any thoughts would be appreciated! Many thanks again, Jonathan

16 years, 4 months

2
1
0 / 0

Re: [Fedora-directory-users] CPU utilization

by Renato Ribeiro da Silva

Thank you. The problem was really related to indexes. I indexed the attribute gidnumber and the CPU utilization decreased a lot. Best Regards, Renato. > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > We were seeing similar CPU utilization recently. The problem turned out to > be a lack of indexes. The web app for looking up people had changed > recently and was doing substring matches on two attributes that were not > indexed at all, much less for substrings. Once I created the indexes, CPU > utilization dropped from 99% to under 2%. You might check your access logs > to see what sorts of searches are being done and confirm that you have > indexes in place to speed things up. > > -paul > > - --On Friday, January 26, 2007 10:18:25 AM -0200 Renato Ribeiro da Silva > <capareci(a)uol.com.br> wrote: > > > I'm having questions about CPU utilization of Directory Server. The > > process ns-slapd take 99.9% of CPU almost all the time. Is there any way > > to know why this is happening? Any performance counter ( DS Console ) can > > show me the answer ? Is is possible to know the apps that are using the > > Directory in this moment ? > > > > Best Regards, > > Renato > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users(a)redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > - -- > Paul D. Engle | Rice University > Sr. Systems Administrator | Information Technology - MS119 > (713) 348-4702 | P.O. Box 1892 > pengle(a)rice.edu | Houston, TX 77251-1892 > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.6 (GNU/Linux) > > iD8DBQFFuglNCpkISWtyHNsRAir0AKDzxxAfdzWuP8cENHFo08pWoHwfpgCg/YcK > Nw7zT5Msb6b3eakxPaAOEys= > =mcCv > -----END PGP SIGNATURE----- > > -- > Fedora-directory-users mailing list > Fedora-directory-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >

16 years, 4 months

3
4
0 / 0

[Fedora-directory-users] replication with sun JES

by Stéphane Konstantaropoulos

Hello, Is it possible to replicate (multi-master preferably) a FDS 1.0.4 with a Sun JES directory? If so, anybody can point me to some documentation about it? Thanks -- Stéphane Konstantaropoulos <skonstant(a)sgul.ac.uk> -- Web Developer - Computing Services --- St George's University of London

16 years, 4 months

1
0
0 / 0

Re: [Fedora-directory-users] FDS / PAM Integration Questions

by Jonathan Schreiter

>I think your best option is to just keep Kerberos for authentication, >especially if you are already using it successfully for other apps. >What problems did you have with SASL mapping? Hi Richad, Thanks for your reply. I've followed the documentation on the FDS website, basically to keep it as compatible as possible, I've added (under confg - sasl - mapping): objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: .* nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com nsSaslMapFilterTemplate: (cn=&) On the server I've added export KRB5_KTNAME=/etc/ldap.keytab to /opt/fedora-ds/start-slapd. (I've done a ktdump to this file from kadmin). On the client that previously connected to OpenLDAP, I've changed the /etc/ldap.conf (and /etc/openldap/ldap.conf) to: host: myfds.example.com base dc=example, dc=com SASL_MECH GSSAPI SASL_REALM MYEXAMPLE.COM use_sasl on sasl_auth_id nssldap/myclient.myexample.com When trying to do an ldapwoami I recieve: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneus failure (Permission Denied). I have already done a kinit username to my KRB5 REALM and that user exists in the base ou=People, dc=example, dc=com on the FDS. One thing that was not clear to me was if I needed to add a SASL Mapping entry under the configuration tab when I already have the added entry above - and if so what it should look like). Also, I'm not sure if I need all the settings (such as a sasl_auth_id) but they are left over from configuration of openldap. Any help would be appreciated. Regards, Jonathan

16 years, 4 months

2
1
0 / 0

[Fedora-directory-users] How can I force All users to reset their passwords on next login?

by Dave Augustus

Does FDS provide this feature?

16 years, 4 months

4
6
0 / 0

[Fedora-directory-users] FDS / PAM Integration Questions

by Jonathan Schreiter

Hi All, I am interested in switching from MIT Kerberos5 (GSSAPI/SASL), OpenLDAP to FDS. Primarily, I'm looking for authentication and authorization for fedora / centos console logins (via PAM). Currently I have a cron job that keeps a kerberos service principal alive to allow slapd to bind to openldap (as I've also disabled anonymous binds). I also have startTLS running w/o client authentication (just server certificates and the local client has the CA pub cert). I then have nsswitch/pam configured to use these for console (console,ssh,etc) logins. I'm currently using the pam_sasl_mech GSSAPI and pam_groupdn features of the /etc/ldap.conf (/etc/openldap/ldap.conf) to manage authorization to the local system (by pointint to a posix group dn). I was able to setup FDS to for console sessions with cleartext and nsswitch. I'm not sure which route to take in terms of locking down FDS with a pure linux environment. The straight SSL certificate approach seems to want the user to enter a password before a bind, so I'm not sure that's compatible with PAM. Is TLS a better option for this? The last option seems to be to keep Kerberos / GSSAPI, but I've read some posts where you can't easily do this. I've tried to make the SASL mapping as the docs show, but was unsuccessful. Can anyone point me in the right direction for the best way to accomplish secure PAM / FDS integraion? Any help would be greatly appreciated. Many thanks! Jonathan

16 years, 4 months

2
1
0 / 0

[Fedora-directory-users] CPU utilization

by Renato Ribeiro da Silva

I'm having questions about CPU utilization of Directory Server. The process ns-slapd take 99.9% of CPU almost all the time. Is there any way to know why this is happening? Any performance counter ( DS Console ) can show me the answer ? Is is possible to know the apps that are using the Directory in this moment ? Best Regards, Renato

16 years, 4 months

7
6
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users January 2007