[Fedora-directory-users] FDS and phpLDAPadmin
by Heath Henderson
I am new to LDAP and more specifically FDS. I had an OpenLDAP server set up
a year or so ago, which I used an older version of phpLDAPadmin with. It
seemed to work without too much trouble, but I can't seem to get either FDS
or OpenLDAP working with phpLDAPadmin.
I found some information in the list archives as well as other places, but
my problem still exists.
The error I get from phpLDAPadmin:
Could not determine the root of your LDAP tree.
It appears that the LDAP server has been configured to not reveal its root.
Please specify it in config.php
I would really like to use FDS and have it running, what I consider, very
well. I am not able to get this plugged into it and I really don't know
enough yet about where to look to configure either FDS to reveal its root or
phpLDAPadmin to know what the rootDSE is set to.
Any help would be great. I have read the docs, but just need a little push
in the right direction.
--
Heath Henderson
System Support Engineer
heath(a)gaggle.net
1800 288 7750
--
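The "root of your LDAP tree" phpLDAPadmin is asking for is published by the server in its root DSE as namingContexts. The following is an added example, not from the original post: it reads that attribute from a saved LDIF reply (the live query is shown in the comment) and picks out the suffix to put into config.php; SAMPLE_ROOTDSE is constructed, not captured from a real FDS instance.

```shell
# Added example, not from the original post: read the server's root DSE to
# find the base DN phpLDAPadmin could not discover. Against a live server:
#   ldapsearch -x -H ldap://ldap.example.com -s base -b "" namingContexts
# The parsing below works on a saved LDIF reply so it can run offline;
# SAMPLE_ROOTDSE is constructed, not captured from a real FDS instance.
SAMPLE_ROOTDSE='dn:
objectClass: top
namingContexts: o=netscaperoot
namingContexts:: ZGM9ZXhhbXBsZSxkYz1jb20=
'

# Print each naming context in the LDIF file given as $1, one per line.
# Handles both the "attr: value" form and the base64 "attr:: value" form
# that servers use for DNs containing non-ASCII characters.
naming_contexts() {
    while IFS= read -r line; do
        case "$line" in
            "namingContexts:: "*)
                printf '%s' "${line#namingContexts:: }" | base64 -d
                printf '\n' ;;
            "namingContexts: "*)
                printf '%s\n' "${line#namingContexts: }" ;;
        esac
    done < "$1"
}

# FDS publishes its own o=netscaperoot configuration suffix alongside the
# user data; the first remaining suffix is the value for phpLDAPadmin's
# config.php base DN.
user_base_dn() {
    naming_contexts "$1" | grep -iv '^o=netscaperoot$' | head -n 1
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_ROOTDSE" > "$tmp"
echo "base DN for config.php: $(user_base_dn "$tmp")"
rm -f "$tmp"
```

If the live query returns no namingContexts at all, the server really is hiding its root DSE from anonymous binds and the base DN has to be entered by hand.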
[Fedora-directory-users] rhel/fedora clock drift?
by Scott Roberts
In RHEL 4 and FC5 and FC6 the clock interrupt in the
kernel is 1000mhz. AFAIK this is too high and causes
the clock to drift and lose sync. This is even more of
a problem for virtual servers like VMware or Xen.
Anyone experience this issue and have any workarounds
other than recompiling the kernel? Seems like a
drastic measure just to get an OS to keep accurate
time. I have looked around for solutions and
thought maybe my fellow LDAP admins might know something.
[Fedora-directory-users] ACL
by Michał Droździewicz
Hi,
I want to convert my LDAP database from OpenLDAP to FDS and this is done
without problem. The problem is with ACL transfer - is there an easy way
to convert OpenLDAP ACLs to the ones that FDS supports? I can't find it,
so please guide me ;) Thanks!
--
xmpp/email: koniczynek(a)uaznia.net
xmpp/email: koniczynek(a)gmail.com
[Fedora-directory-users] Can't start admin server after update from 1.0.2 to 1.0.4
by Dave Augustus
host_ip_init(): PSET failure: Could not retrieve access hosts attribute
(pset error = )
shows up in the /opt/fedora-ds/admin-serv/logs/error file.
Turning up debugging gives me:
[Fri Feb 09 15:37:57 2007] [debug] mod_admserv.c(2221): [5957] Cache
expiration set to 600 seconds
[Fri Feb 09 15:37:57 2007] [debug] mod_admserv.c(2334): Added
StartConfigDs task entry
[cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-ldap,cn=fedora
administration server,cn=server
group,cn=ldap.hq.org,ou=hq.org,o=netscaperoot:start_config_ds:] for user
[LocalSuper]
[Fri Feb 09 15:37:57 2007] [crit] host_ip_init(): PSET failure: Could
not retrieve access hosts attribute (pset error = )
Configuration Failed
Any suggestions?
The DS runs fine.
Dave
[Fedora-directory-users] sasl encryption not supported over ssl error
by Yu Joe
Dear all
I tried to make my FDS work with SASL (DIGEST-MD5) + SSL. I can get correct
results with "ldapsearch -Y digest-md5 -U sasl1 ..." or "ldapsearch -x -D
'cn=Directory Manager' -W -H ldaps://rhds.example.com...".
But I got the error message "sasl encryption not supported over
ssl" when I execute a command like "ldapsearch -Y digest-md5 -U sasl1 -H
ldaps://rhds.example.com ...". Some of my friends tell me this works on
OpenLDAP. So I suggest it must also be working on FDS. Is that right? If so,
what's the probable reason that causes this error? Or is it just really not
supported? Please help, thanks a lot.
--
Joe Yu
A humble RHCE
comes from Taiwan
[Fedora-directory-users] error when restarting FDS
by Mikael Kermorgant
Hello,
Last night, FDS (1.0.2) refused to start after backup. I found this in
the logs:
[06/Feb/2007:22:04:39 +0100] - slapd stopped.
Fedora-Directory/1.0.2 B2006.060.1951
host:389 (/opt/fedora-ds/slapd-supann)
[06/Feb/2007:22:04:51 +0100] dse - The entry cn=config in file
/opt/fedora-ds/slapd-supann/config/dse.ldif is invalid, error code 53
(DSA is unwilling to perform) - nsslapd-maxdescriptors: invalid value
"65536", maximum file descriptors must range from 1 to 1024 (the
current process limit)
[06/Feb/2007:22:04:51 +0100] dse - Could not load config file [dse.ldif]
[06/Feb/2007:22:04:51 +0100] dse - Please edit the file to correct the
reported problems and then restart the server.
Fedora-Directory/1.0.2 B2006.060.1951
host:636 (/opt/fedora-ds/slapd-supann)
[07/Feb/2007:08:50:20 +0100] - Fedora-Directory/1.0.2 B2006.060.1951 starting up
Indeed, I checked my system and found:
[root@host logs]# cat /proc/sys/fs/file-max
65536
Which seems correct if I follow this page:
http://directory.fedora.redhat.com/wiki/Performance_Tuning#Linux
However, FDS started without any problem some time later.
Any idea about what I should do about this problem?
Thanks in advance,
--
Mikael Kermorgant
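The error text quotes "the current process limit", which is the per-process open-file limit (ulimit -n) the server inherited from whatever started it, not the system-wide /proc/sys/fs/file-max shown above. The following added example (not from the original post or the FDS project) checks the nsslapd-maxdescriptors value in a dse.ldif against a given process limit; SAMPLE_DSE is a constructed fragment, not a real dse.ldif.

```shell
# Added example, not from the original post: compare the nsslapd-maxdescriptors
# value in dse.ldif with the per-process open-file limit slapd will start
# under. /proc/sys/fs/file-max is the system-wide ceiling; the log above
# quotes the per-process limit (ulimit -n, 1024 by default on these systems),
# and that is the one the server checks. SAMPLE_DSE is constructed.
SAMPLE_DSE='dn: cn=config
objectClass: top
nsslapd-maxdescriptors: 65536
nsslapd-port: 389
'

# Print the configured value from the dse.ldif given as $1 (empty if unset).
configured_maxdescriptors() {
    sed -n 's/^nsslapd-maxdescriptors: *//p' "$1" | head -n 1
}

# Return 0 if the configured value fits the per-process limit given as $2
# (defaults to this shell's own ulimit -n), 1 if slapd would refuse to load
# its config exactly as in the log above.
check_maxdescriptors() {
    dse="$1"
    limit="${2:-$(ulimit -n)}"
    want=$(configured_maxdescriptors "$dse")
    if [ -z "$want" ]; then
        echo "nsslapd-maxdescriptors not set; server default applies"
        return 0
    fi
    if [ "$limit" = unlimited ] || [ "$want" -le "$limit" ]; then
        echo "ok: nsslapd-maxdescriptors=$want within process limit $limit"
        return 0
    fi
    echo "MISMATCH: nsslapd-maxdescriptors=$want exceeds process limit $limit" >&2
    echo "raise ulimit -n for the account or script that starts slapd, or lower the value" >&2
    return 1
}

tmp=$(mktemp)
printf '%s' "$SAMPLE_DSE" > "$tmp"
check_maxdescriptors "$tmp" 1024 || true   # reproduces the failure in the log
check_maxdescriptors "$tmp" 65536          # what the server needs to see
rm -f "$tmp"
```

Run it with no second argument from the same shell or cron environment that launches the backup and restart, and the result shows which limit that environment actually gives the server.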
[Fedora-directory-users] Re: Announce: Net-LDAPapi version 2.00 released
by Chris Garrigues
> From: Quanah Gibson-Mount <quanah(a)stanford.edu>
> Date: Fri, 09 Feb 2007 01:24:52 -0800
>
> A new release of Net::LDAPapi module is now available for Perl via CPAN.
> This release includes compilation against OpenLDAP libraries from version
> 2.1 forward. It now supports LDAPv3, including SASL binds.
I hate to sound critical, but...
Who's responsible for the "object oriented" interface? It bugs me when a
package claims to have an OO interface, yet there's no use of OO concepts in
the interface. It took me a while to convince myself that the values returned
by first_entry and next_entry aren't actually objects on which I would then use
the get_values method.
I'd rather just use the non-OO interface since it wouldn't mislead me into
expecting OO behavior. I assume that still works even though it's no longer
documented. Do I just stick "ldap_" on the front of all the method names?
Chris
--
Chris Garrigues Trinsic Solutions
President 710-B West 14th Street
Austin, TX 78701-1755
512-322-0180 http://www.trinsics.com
Would you rather proactively pay for
uptime or reactively pay for downtime?
Trinsic Solutions
Your Proactive IT Management Partner
[Fedora-directory-users] Password Expiration Loop
by Jim Summers
Hello List,
I am still troubled with the issue of a user's password expiring: they get the
message to change it and successfully change the password. Then the next time
they log in, the password loop begins again.
I searched the archives and didn't really find a solution, but could have
sworn that I had seen it solved some time back. The setup I am working with
is RHEL4 servers and FDS fedora-ds-1.0.2-1.RHEL4. The clients are a mix of
Fedora versions and RHEL4 machines. Everything works great (authentication,
netgroups, autofs, etc...) other than this one issue.
Here are the relevant entries (I think!) from ldap.conf on a client (rhel4):
ssl start_tls
ssl on
tls_checkpeer no
tls_reqcert never
tls_cacertfile /usr/share/ssl/certs/ca-bundle.crt
tls_cacertdir /usr/share/ssl/certs
pam_password crypt
pam_lookup_policy yes
The pam.d/system-auth is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
and the log entry when logging in with ssh shows:
sshd(pam_unix)[4227]: session opened for user
but if I fumble the password it shows:
passwd[4222]: pam_ldap: error trying to bind as user ....
So, like I was several months ago, I am still stumped on what I have overlooked.
Any ideas or suggestions on what I have overlooked?
Can I find some log entries on the LDAP server that may point to what I have
mis-configured or not configured?
Many Thanks
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
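One thing worth noticing in the ldap.conf quoted above, independent of the expiration loop: "tls_checkpeer no" and "tls_reqcert never" tell nss_ldap/pam_ldap to accept any server certificate, so the TLS session protects the password against passive capture but not against a host impersonating the directory server. The following added example (not from the original post) audits an ldap.conf for those settings and shows the hardened counterpart; SAMPLE_CONF is constructed from the values in the post, not a file from the poster's systems.

```shell
# Added example, not from the original post: flag TLS settings in an
# nss_ldap/pam_ldap ldap.conf that switch off server certificate
# verification. SAMPLE_CONF is constructed from the values quoted above.
SAMPLE_CONF='ssl start_tls
ssl on
tls_checkpeer no
tls_reqcert never
tls_cacertfile /usr/share/ssl/certs/ca-bundle.crt
pam_password crypt
'

# Print the value of key $2 in the config file $1 (first match wins, key
# matched case-insensitively, comment lines never match).
conf_value() {
    awk -v key="$2" 'tolower($1) == key { print $2; exit }' "$1"
}

# Print one line per weak setting and return their count, so 0 means the
# client will actually verify the server it sends credentials to.
audit_ldap_conf() {
    conf="$1"; weak=0
    checkpeer=$(conf_value "$conf" tls_checkpeer)
    reqcert=$(conf_value "$conf" tls_reqcert)
    cafile=$(conf_value "$conf" tls_cacertfile)
    cadir=$(conf_value "$conf" tls_cacertdir)
    if [ "$checkpeer" = no ]; then
        echo "weak: tls_checkpeer no (server certificate not checked)"
        weak=$((weak + 1))
    fi
    case "$reqcert" in
        never|allow)
            echo "weak: tls_reqcert $reqcert (use demand)"
            weak=$((weak + 1)) ;;
    esac
    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        echo "weak: no tls_cacertfile or tls_cacertdir, nothing to verify against"
        weak=$((weak + 1))
    fi
    return "$weak"
}

# Hardened counterpart: same CA bundle, verification required.
HARDENED_CONF='ssl start_tls
tls_checkpeer yes
tls_reqcert demand
tls_cacertfile /usr/share/ssl/certs/ca-bundle.crt
pam_password crypt
'

tmp=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$tmp"
audit_ldap_conf "$tmp" || echo "$? weak setting(s) in the quoted ldap.conf"
rm -f "$tmp"
```

Switching to tls_reqcert demand only works if the CA that issued the FDS server certificate is actually in the configured bundle or directory, so check that before rolling the change out to the clients.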
RE: [Fedora-directory-users] Forgive the misunderstandings of a "newb"
by Keir Whitlock
system-config-authentication should have picked this up on newer
versions of Red Hat and Fedora.
_________________________________________
Keir Whitlock
Unix Systems Administrator
Unix Operations Team
T: +44 (0)870 7748500
F: +44 (0)870 7748501
E: keir.whitlock(a)jobsite.co.uk
W: www.jobsite.co.uk
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Nathan
Kinder
Sent: 09 February 2007 16:26
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Forgive the misunderstandings of a
"newb"
Scott Ackerman wrote:
> Thanks Nathan, but where did I miss that in the how-to?
>
It appears to be missing from the how-to (some of the how-to's do make
reference to nss_ldap being required though).
> Nathan Kinder wrote:
>
>> lists(a)scott-ackerman.com wrote:
>>
>>> I thought I was smart until I dove into LDAP. I am the sole part-time IT
>>> Manager for a charter school (240 students, 20 staff, 60 computers) and
>>> am migrating away from a Windows server environment to Linux. The only
>>> services that are being provided by a Windows server now are AD, file
>>> and print sharing services. Since we are turning about 15 of our student
>>> computers into Linux stations, I decided on a "simpler" method of
>>> managing authentication, login etc. and chose Fedora Directory Server
>>> (after having beat my head against the wall with strictly OpenLDAP for a
>>> month). I have successfully set up FDS and entered all students and
>>> staff. I have decided not to sync against our AD server because we are
>>> changing the student login method, the old format was locker number for
>>> user name and then a password. I have decided to use the first.last name
>>> for user name and then a password.
>>>
>>> I am trying to set up posix authentication and Samba and am having
>>> difficulties with both, technical on the former and understanding on the
>>> latter. First posix, I have followed the how-to on the FDS Wiki, but
>>> there seem to be some steps missing. I have gotten an authenticated
>>> student logon, but only after having created an account on the local
>>> machine with the same UID. I made sure that the password was different
>>> in FDS than when I created the user on the local machine and I am able
>>> to log in using either password, which would indicate to me that I am
>>> successfully authenticating to FDS. However I don't particularly care to
>>> have to add 240 students on all 15 computers to make this work, not to
>>> mention all of the "home" directories that will be mounted from the NFS
>>> server. So the question is, what steps am I missing here?
>>>
>>>
>> It sounds like you need to configure nss_ldap. Assuming you have
>> nss_ldap installed on your client systems, you should be able to add
>> "ldap" as a service for looking up users and groups in your
>> /etc/nsswitch.conf file.
>>
>> -NGK
>>
>>> Samba. As I understand it, Windows will only authenticate against an NT
>>> or "NT like (aka. Samba)" server, which means as far as I can tell that
>>> either I have Samba sync against FDS or I use pGina on the Windows side
>>> to authenticate directly against LDAP or scrap LDAP all together and
>>> just use an NIS server (don't think this is a good idea, but it is a
>>> possibility). Of course trying to assess the pros and cons of either has
>>> been somewhat difficult at best. Also the FDS Samba how-to doesn't cover
>>> computer management which Samba is going to have to deal with as well.
>>>
>>> Before someone replies with a "RTFM", I have read the Install Guide as
>>> well as the Red Hat Directory Server documentation and I am currently
>>> half-way through the book "Understanding and Deploying LDAP Directory
>>> Services", so I have a reasonable understanding of how to get into
>>> trouble. Of course none of these provide in-depth (nor should they)
>>> information as to how to integrate with other services. I have spent a
>>> month reading, tinkering etc., and I am not asking anyone else to do my
>>> work for me, but I seem to have hit a wall and need a couple of
>>> "breadcrumbs" to get me back on the trail. Thank you for your patience
>>> and understanding.
>>>
>>>
>>>
>>
------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>
>
[Fedora-directory-users] Forgive the misunderstandings of a "newb"
by Scott Ackerman
I thought I was smart until I dove into LDAP. I am the sole part-time IT
Manager for a charter school (240 students, 20 staff, 60 computers) and
am migrating away from a Windows server environment to Linux. The only
services that are being provided by a Windows server now are AD, file
and print sharing services. Since we are turning about 15 of our student
computers into Linux stations, I decided on a "simpler" method of
managing authentication, login etc. and chose Fedora Directory Server
(after having beat my head against the wall with strictly OpenLDAP for a
month). I have successfully set up FDS and entered all students and
staff. I have decided not to sync against our AD server because we are
changing the student login method, the old format was locker number for
user name and then a password. I have decided to use the first.last name
for user name and then a password.
I am trying to set up posix authentication and Samba and am having
difficulties with both, technical on the former and understanding on the
latter. First posix, I have followed the how-to on the FDS Wiki, but
there seem to be some steps missing. I have gotten an authenticated
student logon, but only after having created an account on the local
machine with the same UID. I made sure that the password was different
in FDS than when I created the user on the local machine and I am able
to log in using either password, which would indicate to me that I am
successfully authenticating to FDS. However I don't particularly care to
have to add 240 students on all 15 computers to make this work, not to
mention all of the "home" directories that will be mounted from the NFS
server. So the question is, what steps am I missing here?
Samba. As I understand it, Windows will only authenticate against an NT
or "NT like (aka. Samba)" server, which means as far as I can tell that
either I have Samba sync against FDS or I use pGina on the Windows side
to authenticate directly against LDAP or scrap LDAP all together and
just use an NIS server (don't think this is a good idea, but it is a
possibility). Of course trying to assess the pros and cons of either has
been somewhat difficult at best. Also the FDS Samba how-to doesn't cover
computer management which Samba is going to have to deal with as well.
Before someone replies with a "RTFM", I have read the Install Guide as
well as the Red Hat Directory Server documentation and I am currently
half-way through the book "Understanding and Deploying LDAP Directory
Services", so I have a reasonable understanding of how to get into
trouble. Of course none of these provide in-depth (nor should they)
information as to how to integrate with other services. I have spent a
month reading, tinkering etc., and I am not asking anyone else to do my
work for me, but I seem to have hit a wall and need a couple of
"breadcrumbs" to get me back on the trail. Thank you for your patience
and understanding.
--
Scott Ackerman
1212 Baker Street
Fort Collins, Colorado 80524
970-231-9035
www.scott-ackerman.com
"Every improvement in the standard of work men do is followed swiftly and inevitably by an improvement in the men who do it" - William Morris