[Fedora-directory-users] Expanding directory schema using LDIF
by Chun Tat David Chu
Hi, I'm having a problem when attempting to expand my directory schema
using LDIF.
What I'm doing is to place my custom schema into the
INSTALLDIR/slapd-INSTANCE/config/schema directory.
I stopped the Fedora DS before doing so because, based on what I read,
the schema should get automatically loaded during the start.
I received the following messages when I attempt to start Fedora DS.
Starting Fedora Directory Server: [20/Nov/2007:14:47:51 -0500] dse -
The entry cn=schema in file
/opt/fedora-ds/slapd-<hostname>/config/schema/98_test.ldif is invalid,
error code 21 (Invalid syntax) - attribute type testAttribute_1:
Missing attribute syntax OID
[20/Nov/2007:14:47:52 -0500] dse - Please edit the file to correct the
reported problems and then restart the server.
[FAILED]
Below is my schema
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
attributeTypes: ( testAttribute_1 NAME 'testAttribute_1'
DESC 'This is testAttribute_1'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE
X-ORIGIN 'user defined'
)
attributeTypes: ( testAttribute_1 NAME 'testAttribute_2'
DESC 'This is testAttribute_2'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
MULTI-VALUE
X-ORIGIN 'user defined'
)
Is the OID that I defined invalid? If so, what's the best way to
generate an OID? Or is there something wrong in my LDIF?
Regards,
- David
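A small checker, added here as an example (not code from the post or from Fedora DS), that parses attributeTypes values against the RFC 4512 AttributeTypeDescription grammar and reports the kind of defects the server rejected above: the first token must be a numeric OID, a syntax OID must follow SYNTAX, OIDs must be unique across definitions, and only the keywords the RFC defines (plus X- extensions) are allowed, so MULTI-VALUE is flagged because an attribute is multi-valued simply by omitting SINGLE-VALUE. The 1.3.6.1.4.1.99999 arc used in the clean case is a constructed placeholder, not a registered OID.

```python
import re

# Constructed sample: the two attributeTypes values from the post, with their
# LDIF continuation lines folded back onto one line each, as an LDIF reader does.
POSTED_SCHEMA = [
    "( testAttribute_1 NAME 'testAttribute_1' DESC 'This is testAttribute_1' "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 "
    "SINGLE-VALUE X-ORIGIN 'user defined' )",
    "( testAttribute_1 NAME 'testAttribute_2' DESC 'This is testAttribute_2' "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 "
    "MULTI-VALUE X-ORIGIN 'user defined' )",
]

NUMERICOID = re.compile(r"^\d+(\.\d+)+$")            # e.g. 1.3.6.1.4.1.1466.115.121.1.40
SYNTAX_OID = re.compile(r"^\d+(\.\d+)+(\{\d+\})?$")  # syntax OID, optional {len}
KEYWORD = re.compile(r"^[A-Z][A-Z-]*$")               # tokens shaped like keywords
# Keywords RFC 4512 section 4.1.2 defines for an AttributeTypeDescription.
KNOWN = {"NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
         "SYNTAX", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE"}

def check_attribute_type(definition):
    """Return the problems found in one attributeTypes value ([] if it is clean)."""
    body = definition.strip()
    if not (body.startswith("(") and body.endswith(")")):
        return ["definition must be enclosed in parentheses"]
    tokens = body[1:-1].split()
    if not tokens:
        return ["empty definition"]
    problems = []
    if not NUMERICOID.match(tokens[0]):
        problems.append(f"OID {tokens[0]!r} is not a numeric OID")
    for tok in tokens[1:]:
        # X- extensions such as X-ORIGIN are allowed; any other keyword-shaped
        # token must be one the RFC defines (MULTI-VALUE is not one of them).
        if KEYWORD.match(tok) and tok not in KNOWN and not tok.startswith("X-"):
            problems.append(f"unknown keyword {tok!r}")
    if "SYNTAX" in tokens:
        after = tokens[tokens.index("SYNTAX") + 1:]
        if not after or not SYNTAX_OID.match(after[0]):
            problems.append("SYNTAX must be followed by a numeric syntax OID")
    elif "SUP" not in tokens:
        problems.append("neither SYNTAX nor SUP given")
    return problems

def check_schema(definitions):
    """Check each definition plus OID uniqueness across them; {index: problems}."""
    report, seen = {}, {}
    for i, definition in enumerate(definitions):
        problems = check_attribute_type(definition)
        oid = definition.strip()[1:].split()[0]
        if oid in seen:
            problems.append(f"OID {oid!r} already used by definition {seen[oid]}")
        seen.setdefault(oid, i)
        if problems:
            report[i] = problems
    return report
```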
[Fedora-directory-users] Openldap Slave Servers
by Jared B. Griffith
Is it possible to set up openldap to be slave servers of Fedora Directory Servers?
We currently have BSD gateways, and building FDS for BSD is pretty much a no go (tried for about 3 weeks with no success), and on each gateway we would like to have a read-only slave server of our FDS servers. That way if for some ungodly reason our network goes down, logins would still work correctly. I read that it is possible to set up slurpd for replication, but was wondering if anyone here has tried this and had success with it.
--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith(a)farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542
[Fedora-directory-users] authenticating windows against directory server
by Jimmy Stewpot
Hi,
I am currently evaluating a Directory Server product. One of the
requirements we have is to authenticate windows servers to it. I have
had a look through the documentation on the web page and can see how we
can synchronise AD with FDS. I am wondering if it's possible to
authenticate windows servers (2003 R2) directly to FDS.
Any additional information would be greatly appreciated.
Regards,
Jimmy
[Fedora-directory-users] Restoring Replicating Masters
by James Deuchar
Hi,
We have two DS' with master-master replicating databases - for backup we're taking a nightly database backup on each server (DB not LDIF).
I've had trouble with changelogs in the past during development phases
when we occasionally separated the pair of masters, which has made me
nervous about how trouble-free a restore might be...
Before we jump in & test the process - is there a documented procedure for restoring replicated databases & do I have to worry about the changelog when restoring?
Many thanks for any/all advice!
James
[Fedora-directory-users] PassSync Error
by Anthony Giggins
This is a New Proof of concept installation setup by following
http://directory.fedoraproject.org/wiki/Howto:WindowsSync
I am syncing users from Active Directory using LDAP without SSL, but SSL
is setup for both LDAP and Passsync but I'm getting the following errors
in the passsync.log
11/20/07 14:34:25: PassSync service started
11/20/07 14:34:25: Failed to load entries from file
11/20/07 14:34:25: Ldap bind error in Connect
48: Inappropriate authentication
11/20/07 14:34:25: Can not connect to ldap server in SyncPasswords
11/20/07 14:34:25: Password list is empty. Waiting for passhook event
And also the errors below in the FDS access log
[20/Nov/2007:14:32:34 +1100] conn=19 fd=65 slot=65 SSL connection from
10.50.10.231 to 10.50.1.24
[20/Nov/2007:14:32:34 +1100] conn=19 SSL 128-bit RC4
[20/Nov/2007:14:32:34 +1100] conn=19 op=0 BIND dn="cn=sync
manager,cn=config" method=128 version=2
[20/Nov/2007:14:32:34 +1100] conn=19 op=0 RESULT err=48 tag=97
nentries=0 etime=0
[20/Nov/2007:14:32:34 +1100] conn=19 op=1 UNBIND
[20/Nov/2007:14:32:34 +1100] conn=19 op=1 fd=65 closed - U1
Regards,
Anthony
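An access-log correlator, added here as an example (not from the post or from Fedora DS), that pairs each BIND with the RESULT for the same conn/op so that a failure like the err=48 above is reported together with the bind DN, the peer address from the connection line, the bind method and the LDAP protocol version. The log text is a constructed sample built from the lines in the post (the wrapped BIND line joined back together) plus one later successful bind for contrast.

```python
import re

# Constructed sample modelled on the Fedora DS access log lines in the post,
# plus one later successful bind from the same host.
ACCESS_LOG = """\
[20/Nov/2007:14:32:34 +1100] conn=19 fd=65 slot=65 SSL connection from 10.50.10.231 to 10.50.1.24
[20/Nov/2007:14:32:34 +1100] conn=19 SSL 128-bit RC4
[20/Nov/2007:14:32:34 +1100] conn=19 op=0 BIND dn="cn=sync manager,cn=config" method=128 version=2
[20/Nov/2007:14:32:34 +1100] conn=19 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[20/Nov/2007:14:32:34 +1100] conn=19 op=1 UNBIND
[20/Nov/2007:14:32:34 +1100] conn=19 op=1 fd=65 closed - U1
[20/Nov/2007:14:40:01 +1100] conn=20 fd=66 slot=66 SSL connection from 10.50.10.231 to 10.50.1.24
[20/Nov/2007:14:40:01 +1100] conn=20 op=0 BIND dn="cn=sync manager,cn=config" method=128 version=3
[20/Nov/2007:14:40:01 +1100] conn=20 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CONNECT = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to \S+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+) version=(\d+)')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

# LDAP result codes (RFC 4511) a bind can fail with; 48 is the one in the post.
BIND_ERRORS = {48: "inappropriateAuthentication", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}

def failed_binds(log_text):
    """Pair each BIND with the RESULT on the same conn/op; return the failures.
    The peer address comes from that connection's 'connection from' line."""
    peers, pending, failures = {}, {}, []
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            peers[m.group(1)] = m.group(2)
        elif m := BIND.search(line):
            conn, op, dn, method, version = m.groups()
            # method=128 is a simple (password) bind in the LDAP C API encoding.
            pending[(conn, op)] = (dn, int(method), int(version))
        elif (m := RESULT.search(line)) and (m.group(1), m.group(2)) in pending:
            dn, method, version = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            if err != 0:
                failures.append({"time": line[1:line.index("]")],
                                 "conn": m.group(1),
                                 "peer": peers.get(m.group(1), "?"),
                                 "dn": dn, "method": method, "version": version,
                                 "err": err, "reason": BIND_ERRORS.get(err, "other")})
    return failures
```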
[Fedora-directory-users] Windows Authentication
by Jared B. Griffith
Has anyone gotten windows computers to successfully authenticate against Fedora Directory Server?
If so is there a walk through online somewhere?
Or is it just ridiculously easy to do?
Or is it like having a windows computer join an active directory domain?
--
- Thank you,
- Jared B. Griffith
- Farheap Solutions, Inc.
- Lead Systems Administrator
- California IT Department
- Email - jared.griffith(a)farheap.com
- Phone - 949.417.1500 ext. 266
- Cell Phone - 949.910.6542
Re: [Fedora-directory-users] Can't locate CSN in Multi-Master replica
by Dael Maselli
> Do you have a changelog configured on B? Is B configured as a multiple master? Is the replica ID for B different than A?
Yes to all.
I hope it's an error of mine, we are planning a big reorganization of
our Authentication and Authorization Infrastructure, FDS seems to be
great for our needs.
I think it is a misconfiguration and maybe it works if I reinstall FDS,
but I need to understand what's happening.
Thank you.
--
___________________________________________________________________
Dael Maselli --- INFN-LNF Computing Service -- +39.06.9403.2214
___________________________________________________________________
Democracy is two wolves and a lamb voting on what to have for lunch
___________________________________________________________________
Re: [Fedora-directory-users] tcp keepalive
by Howard Chu
> Date: Thu, 15 Nov 2007 15:10:59 -0700
> From: David Boreham <david_list(a)boreham.org>
> I doubt you need to use SO_KEEPALIVE. A couple of observations:
>
> 1. If you have ESTABLISHED state connections on one end that are not
> in the same state on the peer, that would indicate something broken in the
> network or the stack, rather than in the DS.
There's a lot of firewalls out there that silently drop idle connections,
rather than informing either side of the action (e.g., at least they should
send TCP RST packets but they do nothing). I think SO_KEEPALIVE is a
reasonable defensive measure to use, faced with such unfriendly behavior in
the network.
> 2. The DS already has connection timeout features that you can enable:
> http://osdir.com/ml/redhat.fedora.directory.user/2006-04/msg00131.html
> Gordon Messmer wrote:
>> > This morning I noticed that one of my directory servers has hundreds
>> > of "ESTABLISHED" connections from a coworker's Linux host. The
>> > directory server is running RHEL4, kernel 2.6.9-55.ELsmp, and
>> > tcp_keepalive_time is set to 600. The client no longer shows an
>> > ESTABLISHED connection on the port that is reported by netstat on the
>> > directory server. It reports less than ten open connections.
>> >
>> > I'm not sure whether or not an intermediary firewall is doing
>> > something bad, but I expected that the directory server would use
>> > setsockopt() to set SO_KEEPALIVE on its connections so that it could
>> > detect connections that die off. After 600 seconds of inactivity, the
>> > server should start sending probes, and then notify ns-slapd that the
>> > connection is closed.
>> >
>> > I'm not sure how I might filter keepalive packets with tcpdump, so I'm
>> > not sure if I can verify that they're being used with that tool. Can
>> > anyone identify the code that *should* be setting SO_KEEPALIVE on the
>> > sockets, or otherwise speculate on why they might not be working?
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
[Fedora-directory-users] tcp keepalive
by Gordon Messmer
This morning I noticed that one of my directory servers has hundreds of
"ESTABLISHED" connections from a coworker's Linux host. The directory
server is running RHEL4, kernel 2.6.9-55.ELsmp, and tcp_keepalive_time
is set to 600. The client no longer shows an ESTABLISHED connection on
the port that is reported by netstat on the directory server. It
reports less than ten open connections.
I'm not sure whether or not an intermediary firewall is doing something
bad, but I expected that the directory server would use setsockopt() to
set SO_KEEPALIVE on its connections so that it could detect connections
that die off. After 600 seconds of inactivity, the server should start
sending probes, and then notify ns-slapd that the connection is closed.
I'm not sure how I might filter keepalive packets with tcpdump, so I'm
not sure if I can verify that they're being used with that tool. Can
anyone identify the code that *should* be setting SO_KEEPALIVE on the
sockets, or otherwise speculate on why they might not be working?
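The mechanism Gordon describes, as an added example (not code from Fedora DS or from the thread): a server enables SO_KEEPALIVE on each accepted socket, on Linux overrides the kernel-wide tcp_keepalive_time/intvl/probes defaults per socket, and reads the settings back, which is the way to verify a daemon really set them rather than assuming it did. The loopback demo, the port and the timing values are constructed for illustration.

```python
import socket

def enable_keepalive(sock, idle=600, interval=60, count=5):
    """Turn on SO_KEEPALIVE and, where the platform exposes them (Linux), set
    per-socket probe timing instead of relying on the sysctl defaults.
    idle: seconds of silence before the first probe (the kernel default is
          net.ipv4.tcp_keepalive_time, 600 on the server in the post);
    interval: seconds between unanswered probes;
    count: unanswered probes before the kernel drops the connection and the
           next read or write on it fails, which is what wakes the daemon up."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)

def keepalive_settings(sock):
    """Read back the effective keepalive settings for a socket."""
    settings = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    if hasattr(socket, "TCP_KEEPIDLE"):
        settings["idle"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
        settings["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
        settings["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return settings

def max_detection_seconds(settings):
    """Worst case from the last traffic to the kernel declaring the peer dead."""
    return settings["idle"] + settings["interval"] * settings["count"]

def accept_with_keepalive(idle=600, interval=60, count=5):
    """Loopback demo (constructed): accept one connection the way a daemon would,
    apply keepalive to the accepted socket and return what was read back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        with socket.create_connection(listener.getsockname()):
            conn, _peer = listener.accept()
            with conn:
                enable_keepalive(conn, idle, interval, count)
                return keepalive_settings(conn)
```

Keepalive probes carry no payload, so in a packet capture they appear as empty ACK segments from the server once idle seconds have passed without traffic.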
[Fedora-directory-users] private key
by Elisa Pellegrini
Hi!
When I create a new certificate request and my CA signs it, it is impossible
for me to extract the private key. How can I extract the private key from
the certificate? Where does FDS put the private key?