[Fedora-directory-users] FDS, Radius and Beyond
by Satish Chetty
Hello,
This is not a direct FDS question, but I thought I would ask anyway. I
want to issue digital certificates (stored and verified on FDS) to every
laptop and desktop. When the laptop/desktop gets on the network and
requests a DHCP IP address, I want the DHCP server to verify the
certificate before access to the network resources is allowed. Something
similar to the hotspots in coffee shops and hotels, but using
certificates instead of a login/password from the user.
Has anyone worked on something like this, or can anyone point me to such white papers?
Cheers,
-Satish.
[Fedora-directory-users] Re: problem with cert for ssl on RHAS5
by Howard Chu
> Date: Wed, 5 Dec 2007 15:37:53 +1300
> From: "Steven Jones" <Steven.Jones(a)vuw.ac.nz>
> Is there a way to search the list archives for topics?
>
> Such as say,
>
> "ldap_start_tls: Connect error (-11)
> additional info: TLS: hostname does not match CN in peer
> certificate"
Since the above message comes from the OpenLDAP tools/library, you'd have
better luck searching the OpenLDAP archives. www.openldap.org.
>> So what did I do wrong?
> ----
> probably should only use uri and not host in /etc/openldap/ldap.conf
>
> yep, I can take that out....
>
> And it's clear that
>
> ldap.vuw.ac.nz != cn=vuwunicvfdsm001.vuw.ac.nz (certificate)
>
> Sorry I fail to see it as that clear (until now you explain it anyway!)
>
> ....Working through the FDS/RDS documentation I seem to have failed to
> notice that it clearly (if at all???) explains what cn= should equal or
> indeed the setting in the ldap.conf needs to be the same....in terms of
> DNS they do equal as ldap is a CNAME of vuwunicvfdsm001....
This is explained in the OpenLDAP Admin Guide.
http://www.openldap.org/doc/admin24/tls.html#TLS%20Certificates
>
> The advantage of using a CNAME is I can upgrade the system and to a
> simple CNAME change to replace the servers....
RFC2830 explicitly forbids clients from talking to a DNS server to verify the
server name. Therefore most clients would be unable to dereference a CNAME.
RFC4513 relaxes this constraint, and permits a client to use secure hostname
services (e.g. DNSSEC), but in practice there are no standard APIs to select or
control these services, so the RFC2830 constraint is still in force - the
hostname provided by the client must be used directly, without any other
mapping, in comparisons to the names in the server certificate. But as already
mentioned, you can include arbitrarily many subjectAltName extensions in the
certificate to provide aliases and domain wildcards.
> Date: Tue, 04 Dec 2007 20:42:25 -0700
> From: Craig White <craigwhite(a)azapple.com>
> Lastly, you probably can add to both /etc/ldap.conf
> and /etc/openldap/ldap.conf
>
> ssl start_tls
>
> and it should automatically use tls...
No. That's only legal for PADL's pam_ldap and nss_ldap. There is no equivalent
option for OpenLDAP's libldap because that is not a library-level issue, it's
application level. /etc/openldap/ldap.conf is only for library default
settings. There is no configuration file for client tool defaults.
> Date: Tue, 04 Dec 2007 20:05:25 -0800
> From: Satish Chetty <satish(a)suburbia.org.au>
>> I am trying to do a ldapsearch with ssl enabled....and I get this error,
>
> You can also try ldapsearch that comes with FDS (without -x option)
>
> Also, if you want only encryption and not host identification, use
> 'tls_checkpeer no' in your ldap.conf
That is also only valid for pam_ldap and nss_ldap. In OpenLDAP that's what the
"TLS_REQCERT never" option is for, but in the versions of OpenLDAP that RedHat
ships, that are typically 3-5 years obsolete, that option doesn't quite work
as expected. I.e., the hostname check is performed regardless of the setting
of TLS_REQCERT.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
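The matching rule Howard describes, shown as an added example (this is not code from the thread, from OpenLDAP or from Fedora DS): the host named in the client's URI is compared directly against the certificate's names, nothing is resolved through DNS, so a CNAME such as ldap.vuw.ac.nz only works if that exact name is present in the certificate, normally as a subjectAltName dNSName. The ServerCert structure is constructed for the example (a real client would pull the CN and SANs out of the parsed X.509 certificate); the wildcard rules follow RFC 6125 (leftmost label only, no match across dots, no match of a bare registry suffix), and when any dNSName SAN is present the CN is ignored.

```python
"""Hostname check an LDAP client must perform for StartTLS/LDAPS (added example).

The configured hostname is used as-is: no A/AAAA lookup, no CNAME chasing,
so a DNS alias must itself appear in the certificate to be accepted.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Only the name-bearing parts of a certificate matter here (constructed)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)  # dNSName subjectAltName values


def _label_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against the reference hostname.

    A wildcard is accepted only as the entire leftmost label, never matches a
    dot, and must leave at least two fixed labels: '*.vuw.ac.nz' matches
    'ldap.vuw.ac.nz' but not 'a.b.vuw.ac.nz' and not the bare 'vuw.ac.nz'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[2:]:
        return False  # reject partial-label ('f*.x') and multi-level wildcards
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert: ServerCert, configured_host: str) -> bool:
    """True if the host from the client's ldap:// URI is acceptable for cert.

    If any dNSName SAN is present only the SANs are consulted (RFC 6125 6.4.4);
    the subject CN is a fallback for certificates that carry no SANs. Note
    that configured_host is never resolved: a CNAME pointing at a name that
    is in the certificate does not help.
    """
    if cert.san_dns:
        return any(_label_match(n, configured_host) for n in cert.san_dns)
    return _label_match(cert.subject_cn, configured_host)


if __name__ == "__main__":
    # Names from the thread: the certificate names the real host only.
    cn_only = ServerCert("vuwunicvfdsm001.vuw.ac.nz")
    print(hostname_matches(cn_only, "vuwunicvfdsm001.vuw.ac.nz"))  # True
    print(hostname_matches(cn_only, "ldap.vuw.ac.nz"))             # False
    # Adding the alias as a SAN is what makes the CNAME usable.
    with_alias = ServerCert("vuwunicvfdsm001.vuw.ac.nz",
                            ["vuwunicvfdsm001.vuw.ac.nz", "ldap.vuw.ac.nz"])
    print(hostname_matches(with_alias, "ldap.vuw.ac.nz"))          # True
```

The practical consequence for the CNAME-for-upgrades plan in the thread is that the certificate has to be issued with the service alias in it from the start; reissuing the certificate later is cheaper than loosening TLS_REQCERT, which disables the check entirely rather than relaxing it.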
[Fedora-directory-users] Migrating RHEL users to Directory Server
by Joel Heenan
Fedora Directory Users,
I have a bunch of users currently using local RHEL 4 Unix user
accounts for their usernames and passwords, and I would like to migrate
them to Directory Server. My question concerns the MD5 password hash.
I tried adding a user joeltest with password joeltest and I got hash:
JqBiQXU4$gnJeKmNzXy.kaXUaBIygs0
from RHEL but I got hash:
WGvQgGYUH2UOX2ZA1IQeyQ==
from Directory Server when I set the same password.
I'm guessing this is to do with further encodings placed on the password
hash. Hoping someone has done this before and can point me in the right
direction?
Thanks
Joel
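The two strings in the question are produced by different algorithms, not by different encodings of one hash: a RHEL /etc/shadow field of the form $1$salt$hash is MD5-crypt (salted and iterated), while Directory Server's {MD5} scheme stores the base64 of a plain, unsalted MD5 digest of the password. One cannot be converted into the other without the plaintext. What does work is importing the shadow string verbatim under Directory Server's {CRYPT} storage scheme, which hands verification to the system crypt(3). The example below is added here and is not code from the thread or from the Directory Server project; the shadow lines and hash values in it are constructed, the uid=...,ou=People DN layout is assumed, and whether $1$ hashes verify on a given server depends on that host's libcrypt, which is something to confirm before migrating.

```python
"""Added example: migrate crypt(3) hashes into Directory Server, and check
the server's unsalted {MD5}/{SHA} values (not code from the thread)."""
import base64
import hashlib
import hmac


def parse_shadow_line(line: str):
    """Return (username, hash_field) from one /etc/shadow line, or None when
    the account is locked or has no password ('*', '!', '!!', empty)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, h = fields[0], fields[1]
    if not h or h.startswith(("*", "!")):
        return None
    return user, h


def shadow_to_ldif(shadow_text: str, people_base: str) -> str:
    """Build an LDIF modify setting userPassword: {CRYPT}<shadow hash>.

    The {CRYPT} prefix tells Directory Server to verify binds with crypt(3)
    using the salt embedded in the stored value, so the users keep their
    existing passwords and no plaintext is ever needed. The uid-based DN
    under people_base is an assumption about the target tree.
    """
    chunks = []
    for line in shadow_text.splitlines():
        parsed = parse_shadow_line(line)
        if parsed is None:
            continue  # skip locked/system accounts rather than import '!!'
        user, h = parsed
        chunks.append(
            f"dn: uid={user},{people_base}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {{CRYPT}}{h}\n"
        )
    return "\n".join(chunks)


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against a {MD5} or {SHA} userPassword value.

    Both schemes are base64(digest(password)) with no salt, so equal passwords
    give equal stored values and the hashes crack offline in bulk; prefer a
    salted scheme (the server offers {SSHA}) for newly set passwords.
    """
    if stored.startswith("{MD5}"):
        digest = hashlib.md5(candidate.encode()).digest()
        expected = stored[len("{MD5}"):]
    elif stored.startswith("{SHA}"):
        digest = hashlib.sha1(candidate.encode()).digest()
        expected = stored[len("{SHA}"):]
    else:
        raise ValueError("unsupported scheme in " + stored.split("}")[0] + "}")
    # constant-time compare of the base64 text
    return hmac.compare_digest(base64.b64encode(digest).decode(), expected)


if __name__ == "__main__":
    # Constructed shadow data; the hash value is illustrative, not a real crypt output.
    SHADOW = ("alice:$1$saltsalt$Hypothetical.Hash.Value0123:13500:0:99999:7:::\n"
              "bob:!!:13500:0:99999:7:::\n")
    print(shadow_to_ldif(SHADOW, "ou=People,dc=example,dc=com"))
```

Load the generated LDIF with ldapmodify as Directory Manager; ordinary users cannot write a pre-hashed userPassword. After migration, set passwordStorageScheme to a salted scheme so that passwords re-hash into it the next time each user changes theirs.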
[Fedora-directory-users] Can't access DSGW
by Ian Blackwell
Hi,
I've just built an FC8 server and am now trying to
install/configure/use Fedora-DS 1.1. I've managed to get it working
to some degree, but I can't get access to the directory server
gateway. Several things appear to be wrong/missing at present, but
after many hours trying to find out what, I'm stumped - hence this email.
Firstly when I browse to http://myserver:9830 the graphic images
aren't appearing.
Next, when I click on the Directory Server Gateway
<http://myserver:9830/clients/dsgw/bin/lang?context=dsgw> link I get
this error:-
"The requested URL /clients/dsgw/bin/lang was not found on this server."
This is from the admin-server error log:-
[Fri Dec 28 15:59:37 2007] [error] [client 192.168.2.254] File does
not exist: /usr/share/dirsrv/html/clients, referer:
http://myserver:9830/bin/admin/admin/bin/download
I can connect to Fedora Administration Express
<http://myserver:9830/admin-serv/tasks/configuration/HTMLAdmin?op=index>
without any trouble, but it doesn't appear to offer anything
useful... Is there a RPM that I'm missing perhaps? Here's a list of
the relevant RPMs installed:-
fedora-ds-console-1.1.0-4
fedora-ds-base-1.1.0-2.0.fc8
fedora-ds-1.1.0-2.0.fc8
fedora-ds-admin-1.1.0-1.15.fc8
fedora-admin-console-1.1.0-3.fc6
idm-console-framework-1.1.0-1
fedora-idm-console-1.1.0-4
Finally, I've tried to use the Fedora IDM Console from Windows, but
can't get that working either. When I connect to it, it seems to fail
to connect to the ldap service and wants to restart it.
Thanks to anyone that can point me in the right direction with this...
Regards,
Ian Blackwell
Re: [Fedora-directory-users] problem with unique search on gidNumber
by Jason Beavers
All,
Any thoughts about this? I know I'm missing something, but so far I'm still stumped.
----- Original Message ----
From: Jason Beavers <beavrz1(a)yahoo.com>
To: General discussion list for the Fedora Directory server project. <fedora-directory-users(a)redhat.com>
Sent: Wednesday, December 19, 2007 5:22:10 PM
Subject: Re: [Fedora-directory-users] problem with unique search on gidNumber
That search returns ALL results with ANY gidNumber value set, not just those with "205".
----- Original Message ----
From: Rich Megginson <rmeggins(a)redhat.com>
To: General discussion list for the Fedora Directory server project. <fedora-directory-users(a)redhat.com>
Sent: Friday, December 14, 2007 10:57:40 AM
Subject: Re: [Fedora-directory-users] problem with unique search on gidNumber
Jason Beavers wrote:
> Yep, "gidnumber.db4" is there.
So what does a search for "(gidNumber=205)" return?
>
> ----- Original Message ----
> From: Rich Megginson <rmeggins(a)redhat.com>
> To: General discussion list for the Fedora Directory server project.
> <fedora-directory-users(a)redhat.com>
> Sent: Friday, December 14, 2007 10:19:54 AM
> Subject: Re: [Fedora-directory-users] problem with unique search on
> gidNumber
>
> Jason Beavers wrote:
> > Well, I cheated (lazy :-) ) and edited the index configuration using
> > the Fedora console, which regenerated the indexes.
> You can check - look in /opt/fedora-ds/slapd-instancename/db/userRoot
> and see if you have a gidNumber.db4 file.
> > Or so I was led to believe it would, based on the documentation.
> > Should I be forcing it by running the perl scripts instead?
> >
> > ----- Original Message ----
> > From: Rich Megginson <rmeggins(a)redhat.com>
> > To: General discussion list for the Fedora Directory server project.
> > <fedora-directory-users(a)redhat.com>
> > Sent: Friday, December 14, 2007 8:08:24 AM
> > Subject: Re: [Fedora-directory-users] problem with unique search on
> > gidNumber
> >
> > Jason Beavers wrote:
> > > I'm trying to get unique searches working for "gidNumber." When
> > > trying a search as below:
> > >
> > > ./ldapsearch -b "dc=mydomain,dc=int"
> > > "(&(objectClass=groupOfNames)(gidNumber=205)(ou:dn:=Groups))" cn
> > gidNumber
> > >
> > >
> > > I'm getting results back with ALL entries with a gidNumber attribute
> > > set, instead of just the one entry that matches "gidNumber=205."
> > > I've tried adding the gidNumber attribute to the indexes,
> > What steps did you take? You created the index configuration? Then ran
> > db2index to generate the index files?
> > > however i cannot seem to get it to respond with a unique result.
> > Have you tried just "(gidNumber=205)" - does that work?
> > >
> > > What am I missing?
> > >
> > > Thanks in advance.
> > >
> > > -j
> > >
[Fedora-directory-users] Fedora Directory Server not configuring admin server!
by Dane Shea
Hi, I am on the verge of creating a fedora directory server but I have one
more obstacle in my way. This is what happens when I try to set up the
Fedora Directory Server 1.0.4 in Fedora 8
Please select the install mode:
1 - Express - minimal questions
2 - Typical - some customization (default)
3 - Custom - lots of customization
Please select 1, 2, or 3 (default: 2) 2
Hostname to use (default: localhost.localdomain) daneshea.com
Server user ID to use (default: nobody) SheaServer
Server group ID to use (default: nobody) SheaServer
[slapd-daneshea]: starting up server ...
[slapd-daneshea]: Fedora-Directory/1.0.4 B2006.312.1539
[slapd-daneshea]: daneshea.com:389 (/opt/fedora-ds/slapd-daneshea)
[slapd-daneshea]:
[slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - Fedora-Directory/1.0.4
B2006.312.1539 starting up
[slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - slapd started. Listening on
All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
ERROR: Administration Server configuration failed.
You can now use the console. Here is the command to use to start the
console:
cd /opt/fedora-ds
./startconsole -u admin -a http://daneshea.com:40814/
INFO Finished with setup, logfile is setup/setup.log
[root@daneshea ~]#
If you're curious, this is what the log file says:
Continue? (yes/no) yes
Please select 1, 2, or 3 (default: 2) 2
getFQDN: hostname = daneshea.com
getFQDN: host daneshea.com = daneshea.com
daneshea.com
daneshea.com
getFQDN: host daneshea.com has length 13
getFQDN: new max host daneshea.com has length 13
getFQDN: host daneshea.com has length 13
getFQDN: host daneshea.com has length 13
getFQDN: host daneshea.com has length 13
getFQDN: host daneshea.com has length 13
getFQDN: host daneshea has length 9
getFQDN: host localhost.localdomain has length 22
getFQDN: new max host localhost.localdomain has length 22
getFQDN: host localhost has length 10
getFQDN: host daneshea has length 9
Hostname to use (default: localhost.localdomain) daneshea.com
Server user ID to use (default: nobody) SheaServer
Server group ID to use (default: nobody) SheaServer
[slapd-daneshea]: starting up server ...
[slapd-daneshea]: Fedora-Directory/1.0.4 B2006.312.1539
[slapd-daneshea]: daneshea.com:389 (/opt/fedora-ds/slapd-daneshea)
[slapd-daneshea]:
[slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - Fedora-Directory/1.0.4
B2006.312.1539 starting up
[slapd-daneshea]: [26/Dec/2007:11:17:31 -0600] - slapd started. Listening on
All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
ERROR: Administration Server configuration failed.
You can now use the console. Here is the command to use to start the
console:
cd /opt/fedora-ds
./startconsole -u admin -a http://daneshea.com:40814/
INFO Finished with setup, logfile is setup/setup.log
Thanks in advance guys!
[Fedora-directory-users] Setting up 1.0.4-1 x86_64 on RHES5 64-bit
by Ken Marsh
Hello again,
Thanks for the previous help. As advised, I removed the FC5 binary and
went with FC6 on Red Hat Enterprise Server 5 x86_64. I've now caught up
with where I was before. The Directory Server is running OK but I can't
get the admin server to start. The setup/setup script failed with a
message:
Setting up Administration Server Instance...
ERROR: Administration Server configuration failed.
The console starts as advised, but there is no Admin server for it to
connect to.
I can't find specific directions for where I'm at now, I guess because
this stuff is supposed to "just work". Striking out on my own, I've
copied over the templates for start-admin and httpd.conf and edited
them. I am using /usr/sbin/http.worker for my web server. After setting
sroot and httpd, it seems to start up OK until it looks for modules.
Here is the error:
[root@ansb16 fedora-ds]# ./start-admin
httpd.worker: Syntax error on line 128 of
/opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load
/opt/fedora-ds/admin-serv/%%%module_dir%%%/modules/mod_access.so into
server:
/opt/fedora-ds/admin-serv/%%%module_dir%%%/modules/mod_access.so: cannot
open shared object file: No such file or directory
I've looked around. I don't see the config file location to set
%%%module_dir%%%, and what is more, the
/opt/fedora-ds/admin-serv/modules directory is empty. I did some finds
on the system and cannot find mod_access.so anywhere. So, even if I did
set it, where do I point it to?
Is there a preferred place to download these modules, or do I need them
at all? Or did I skip some part of the setup process?
Thanks and Happy Holidays,
Ken.
[Fedora-directory-users] Problem with nsview hierarchy
by Fabrice Durand
Hi,
I've got a problem with my nsview organizationalUnit hierarchy, and I don't
understand what's wrong.
I use my nsview hierarchy to organize my flat user OU
(ou=People,dc=test,dc=com). All users have a departmentNumber that I use to
filter with nsviewfilter.
The problem is that when a script searches for all OUs in the hierarchy, the
server doesn't return all the OUs (Perl script, PHP script).
I have attached an LDIF file of my directory (ou=annuaire,dc=test,dc=com) and the
script I use, to help understand what happens.
An example: when I search with the filter "objectClass=organizationalUnit" in
ou=annuaire,dc=test,dc=com, Fedora Directory Server returns only 17 entries.
When I modify the entry ou=annuaire,dc=test,dc=com (delete the value of
nsviewfilter and delete objectclass=nsview), the server returns all the
entries (45), but all the users disappear.
I really don't understand what's wrong; sometimes when I change an OU name,
the number of returned entries changes.
If you have an explanation, thank you in advance.
Fabrice Durand