I am using RHDS instead of FD, so if this issue has been addressed in FD please
To exemplify the issues I'll use the model:
AD <-> RHDS1 <-> RHDS2.
Only one master is setup to sync to AD, which is the standard setup. Since
password sync uses clear text to replicate to AD, password changes on RHDS2
will not propagate correctly to AD. RHDS2 sends the hash to RHDS1 which in turn
sends it to AD. AD assumes the hash to be the actual clear text pw and attempts
to use it to login to RHDS1. This creates a loop where one server keeps sending
what it believes to be the new password to the other.
I _think_ that if I add a replication agreement between RHDS2 and AD it will not
fix my problem as even if RHDS2 sends the password ok to AD, RHDS1 will still
try to send the update it received from RHDS2. Is this assumption correct?
What is the best course of action? How can I tell if a password update is done
on the server or pushed through replication?
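One way to answer the last question from the server's own records, as an added example that is not part of the original post or of the RHDS/Fedora DS code: a replicated change arrives on a connection that bound as the supplier's replication manager DN from the other master's address, while a change made "on the server" arrives on a connection bound as the user (or an admin account) from a client. The script below attributes every MOD in a 389-DS style access log to its bind DN and peer address. The log lines are constructed for the example, and the replication bind DN (`cn=replication manager,cn=config`) is assumed; take the real one from the agreement's nsDS5ReplicaBindDN.

```python
import re

# Constructed sample of RHDS/Fedora DS access log lines (not taken from the poster's servers).
SAMPLE_ACCESS_LOG = """\
[05/Mar/2007:10:01:02 -0500] conn=7 fd=64 slot=64 connection from 10.0.0.50 to 10.0.0.1
[05/Mar/2007:10:01:02 -0500] conn=7 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[05/Mar/2007:10:01:02 -0500] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=alice,ou=people,dc=example,dc=com"
[05/Mar/2007:10:01:03 -0500] conn=7 op=1 MOD dn="uid=alice,ou=People,dc=example,dc=com"
[05/Mar/2007:10:01:03 -0500] conn=7 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[05/Mar/2007:10:01:05 -0500] conn=9 fd=65 slot=65 connection from 10.0.0.2 to 10.0.0.1
[05/Mar/2007:10:01:05 -0500] conn=9 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[05/Mar/2007:10:01:05 -0500] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[05/Mar/2007:10:01:07 -0500] conn=9 op=2 MOD dn="uid=bob,ou=People,dc=example,dc=com"
[05/Mar/2007:10:01:07 -0500] conn=9 op=2 RESULT err=0 tag=103 nentries=0 etime=0
[05/Mar/2007:10:01:09 -0500] conn=7 op=2 UNBIND
[05/Mar/2007:10:01:09 -0500] conn=7 op=2 fd=64 closed - U1
"""

# Assumed: the DN(s) the replication agreements bind with on this replica.
REPLICATION_BIND_DNS = {"cn=replication manager,cn=config"}

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
MOD_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(\d+) MOD dn="([^"]+)"')


def attribute_mods(log_text, replication_bind_dns=REPLICATION_BIND_DNS):
    """Return one record per MOD: which connection, bound DN and peer address it
    came from, and whether that connection is a replication session."""
    peer = {}          # conn -> client address
    pending_bind = {}  # (conn, op) -> DN of a BIND awaiting its RESULT
    bound_as = {}      # conn -> DN of the last successful BIND (missing = anonymous)
    records = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            peer[m.group(1)] = m.group(2)
            bound_as.pop(m.group(1), None)  # conn ids are reused after close
            continue
        m = BIND_RE.search(line)
        if m:
            pending_bind[(m.group(1), m.group(2))] = m.group(3).lower()
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending_bind:
            dn = pending_bind.pop((m.group(1), m.group(2)))
            if m.group(3) == "0":
                bound_as[m.group(1)] = dn
            continue
        m = MOD_RE.match(line)
        if m:
            ts, conn, op, target = m.groups()
            binder = bound_as.get(conn, "")
            records.append({
                "time": ts, "conn": conn, "op": op, "target": target,
                "bound_as": binder, "peer": peer.get(conn, "?"),
                "source": "replication" if binder in replication_bind_dns else "client",
            })
    return records


if __name__ == "__main__":
    for rec in attribute_mods(SAMPLE_ACCESS_LOG):
        print("%(time)s conn=%(conn)s %(source)-11s %(target)s via %(bound_as)r from %(peer)s" % rec)
```

The access log names the target entry of a MOD but not the attributes it changed, so this tells you who delivered a change, not that it was userPassword; enable the audit log (nsslapd-auditlog-logging-enabled: on under cn=config) to get the LDIF of each modification, including password changes, alongside the same conn/op numbers.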
Hi again all,
Managed to get myself to a pretty good place with my configuration, but
would appreciate another pointer from yourselves.
Currently I have the system up and running with two servers (master1 and
master2) in a 2-way multi-master replication mode.
Master1 also has a Windows Synchronisation Agreement with adserver1,
which is also working, however it is working in a two-way mode,
propagating changes made on the Fedora Directory back to Active
Unfortunately, our current strategy is to have Active Directory as the
single Directory for user management so as to make our Service Desk more
efficient. We also have a policy of removing all single points of
failure from within our enterprise, therefore I was looking at having
two windows sync agreements from two Fedora Master servers to two
different members of the same Active Directory.
The two Fedora Servers would also obviously need to be in sync (hence
the multi-master setup) but probably with a number of read-only consumer
servers dotted around the globe.
The question, therefore, is what would be the best way in terms of
replication design, to achieve this objective?
Basically, I want to achieve the following:
AD2 -> FD2 <-> FD1 <- AD1
       /|       |\
      / |       | \
     V  V       V  V
    FD3 FD4    FD5 FD6
Thanks in advance for any assistance you can provide.
I'm using FedoraDS 1.0.3 to perform authentication functions to servers in a
DMZ. This morning a user was able to log in but then 1 minute later they
tried to use sudo as themselves and they were denied. They continued to be
denied for the next 10 minutes before they gave up. I pulled the following
errors from the system log of the system they were logged into:
Mar 5 14:24:37 low-tcw-103 sudo(pam_unix): check pass; user unknown
Mar 5 14:24:37 low-tcw-103 sudo(pam_unix): authentication failure;
logname=marnelc uid=0 euid=0 tty=pts/1 ruser= rhost=
Mar 5 14:24:37 low-tcw-103 sudo: pam_ldap: error trying to bind as
user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Invalid
Mar 5 14:24:43 low-tcw-103 sudo(pam_unix): check pass; user unknown
Mar 5 14:24:43 low-tcw-103 sudo: pam_ldap: error trying to bind as
user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint
It looks to me that the first time the user must have typed the wrong
password, but after that I don't know what happened.
I don't see any obvious errors in either the access or error log files on
the LDAP server. Has anyone seen this before?
Thanks for any info or advice.
Alright, I have a very odd problem. I created a new user and added them to
an existing group. When they try to ssh into an environment that the group
has permissions with it works on 1 (of 3) boxes and fails on the others. The
error is as follows:
sshd: pam_ldap: error trying to bind as user
"uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
Does anyone have any idea what could be causing this issue? It's very
frustrating because there is no way for me to know what they will or won't be
able to log into. ldapsearch, getent etc. return the correct data.
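Both of the last two posts hinge on the same pam_ldap syslog line, so here is one added example (not code from either poster, nor from the directory server) that parses those lines and answers the two questions a responder would ask: did a user go from "Invalid credentials" to "Constraint violation" (389/Fedora DS answers a bind against an account that has exceeded its password-retry limit with LDAP error 19, Constraint violation, so that sequence is the password-policy lockout signature), and on which hosts does a given DN fail to bind, to compare with the hosts where the same user gets in. The log excerpt is constructed to resemble the two posts; the host names box2/box3 are made up.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt modelled on the two posts (not the posters' real logs).
SAMPLE_SYSLOG = """\
Mar  5 14:24:37 low-tcw-103 sudo: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Invalid credentials)
Mar  5 14:24:43 low-tcw-103 sudo: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint violation)
Mar  5 14:25:10 low-tcw-103 sudo: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint violation)
Mar  5 15:02:01 box2 sshd[4411]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
Mar  5 15:02:30 box3 sshd[2190]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
Mar  5 15:03:12 box2 sshd[4420]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: '
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)$'
)


def parse_bind_failures(text):
    """Yield one dict per pam_ldap bind failure found in a syslog excerpt."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        uid = re.match(r'uid=([^,]+)', rec["dn"], re.I)
        rec["uid"] = uid.group(1) if uid else rec["dn"]
        yield rec


def summarize(text):
    """(host, uid) -> failure count and the distinct reasons in the order first seen."""
    summary = defaultdict(lambda: {"count": 0, "reasons": []})
    for rec in parse_bind_failures(text):
        s = summary[(rec["host"], rec["uid"])]
        s["count"] += 1
        if rec["reason"] not in s["reasons"]:
            s["reasons"].append(rec["reason"])
    return dict(summary)


def lockout_suspects(summary):
    """(host, uid) pairs where a wrong password was followed by 'Constraint violation',
    i.e. the directory's password-retry lockout (LDAP err=19) kicked in."""
    out = []
    for key, s in summary.items():
        r = s["reasons"]
        if ("Invalid credentials" in r and "Constraint violation" in r
                and r.index("Invalid credentials") < r.index("Constraint violation")):
            out.append(key)
    return out


def hosts_failing_per_user(summary):
    """uid -> sorted hosts on which that uid's LDAP bind failed. Compare with the
    hosts where the same user succeeds to isolate a per-client configuration difference."""
    out = defaultdict(set)
    for (host, uid), _ in summary.items():
        out[uid].add(host)
    return {uid: sorted(hosts) for uid, hosts in out.items()}


if __name__ == "__main__":
    s = summarize(SAMPLE_SYSLOG)
    print("lockout suspects:", lockout_suspects(s))
    print("failing hosts:", hosts_failing_per_user(s))
```

Two reading notes for these logs: the neighbouring `sudo(pam_unix): check pass; user unknown` lines only say that pam_unix found no entry in the local /etc/passwd, which is expected for an LDAP-only account; and a lockout does leave a trace on the directory side, as `err=19` on the BIND's RESULT line in the access log, which is worth grepping for before concluding the server logs show nothing.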
I noticed on the list of features an item indicating that data
interoperability plug-ins are available to allow the use of an RDBMS as
a data source, but I'm having trouble locating the specifics (e.g. which
databases, what sort of integration, etc.) in the documentation. Anyone
have any pointers on where I can find more information on this?
In particular, I'm struggling with whether to use a directory server for
user management or a database. If I store users in my LDAP directory
(e.g. username, password, name, address, phone, etc.), there is still
user data that I need to store in a database (e.g. transaction data or
other frequently modified data) ... and I need to be able to correlate
the two. For example, for reporting I may need to display both the basic
user info and demographic information that is so well suited for a
directory alongside data that comes from a database. This seems to me
problematic since the data models and query languages are different. And
even if I could make the LDAP data look like something I could query
with SQL ... and join with real RDBMS tables ... it would seem likely
that performance might be less than great.
My thinking is that if I could get the LDAP server to use e.g. MySQL
under the covers for storage, but I could still get access (read-only)
to the underlying tables, I might be able to have the best of both
worlds (assuming the underlying table structure was amenable to being
joined to my tables without too many contortions). I'm guessing my
dilemma isn't new ... has anyone else struggled with this and, if so,
how did you resolve it? And have been satisfied with the solution you
Thanks for any input or comments.
I just found out about the fantastic pam_mkhomedir.so pam module. I have it working somewhat, I just need to know if what I want to do is possible.
Here's my setup:
FC4 with Fedora Directory Server 1.04 and is also the NFS /home share.
On this server I have in the /etc/pam.d/system-auth file the following entry
session required pam_mkhomedir.so skel=/etc/skel umask=0077
Then I have client machines that use FDS and the /home NFS share to provide central login and /home dir capabilities.
The /home dir itself is NFS export RO and only the user dirs are RW within it.
Using ldap (hostobject, pam_check_host_attr) attributes, I do not let users login to the FDS /home share server, just the clients.
I want to know if it is possible that the first time a user logs into one of the clients it can somehow be passed to the /home dir server to create the user's home dir.
I have it working with test users currently, but ONLY when they are allowed to log in to the /home dir server, not any of the clients.
Any help, suggestions would be appreciated!
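Because the export is read-only to the clients, pam_mkhomedir running on a client cannot create the directory on the server. A workaround a practitioner would reach for is to do the creation on the NFS server itself, from a root cron job or a trigger, for every directory user whose home is missing. The script below is an added example (not part of the original post or of pam_mkhomedir): it reproduces the module's `skel=/etc/skel umask=0077` behaviour in Python, enumerates accounts through NSS so nss_ldap users are included (this assumes the server allows enumeration), and only chowns when run as root. The `demo()` function exercises it on a constructed skeleton and a constructed user under a temporary directory.

```python
import os
import shutil
import stat


def ensure_home(name, uid, gid, home, skel="/etc/skel", umask=0o077):
    """Create `home` from `skel` for one user if it does not exist yet, applying
    `umask` to every copied file and directory the way pam_mkhomedir does, and
    chowning to the user when running as root. Returns True if created."""
    if os.path.isdir(home):
        return False
    shutil.copytree(skel, home, symlinks=True)
    as_root = os.geteuid() == 0
    for dirpath, _dirnames, filenames in os.walk(home):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode) & ~umask
            os.chmod(path, mode)
            if as_root:
                os.chown(path, uid, gid)
    return True


def create_missing_homes(users, skel="/etc/skel", umask=0o077):
    """users: iterable of (name, uid, gid, home). Returns the list of homes created."""
    created = []
    for name, uid, gid, home in users:
        if ensure_home(name, uid, gid, home, skel, umask):
            created.append(home)
    return created


def ldap_users_under(prefix="/home/"):
    """Accounts visible through NSS (nss_ldap included) whose home lives on this export."""
    import pwd  # Unix only; imported here so the rest of the module stays portable
    return [(p.pw_name, p.pw_uid, p.pw_gid, p.pw_dir)
            for p in pwd.getpwall() if p.pw_dir.startswith(prefix)]


def demo():
    """Self-contained run on a constructed skeleton and a constructed user 'alice'."""
    import tempfile
    root = tempfile.mkdtemp()
    skel = os.path.join(root, "skel")
    os.makedirs(skel)
    with open(os.path.join(skel, ".bashrc"), "w") as f:
        f.write("# constructed skeleton file\n")
    os.makedirs(os.path.join(root, "home"))
    home = os.path.join(root, "home", "alice")
    users = [("alice", 10001, 10001, home)]  # constructed LDAP user, not a real account
    first = create_missing_homes(users, skel=skel)
    second = create_missing_homes(users, skel=skel)  # already exists: nothing created
    return {
        "home": home, "first": first, "second": second,
        "home_mode": stat.S_IMODE(os.stat(home).st_mode),
        "file_mode": stat.S_IMODE(os.stat(os.path.join(home, ".bashrc")).st_mode),
    }


if __name__ == "__main__":
    print(demo())
    # On the NFS server, as root, the real call would be:
    # create_missing_homes(ldap_users_under("/home/"))
```

Run from cron on the /home server this gives the same end result as letting users log in there once, without relaxing the hostobject/pam_check_host_attr restriction that keeps them off that box.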
I just installed FDS in my FC6 box and created OU, Groups and Users, but I
was not able to login using the name and password which I created in the FDS
into my machine, is anything wrong?
And also, I would be happy if someone could help me or redirect me to some
article explaining how to add Ubuntu/FC machines as clients to the domain.
Something I've been wondering about:
It seems like nsslapd-lookthroughlimit and nsslapd-sizelimit effectively
do the same thing, but just return a different error code.
If nsslapd-lookthroughlimit is lower, the error code is 11 and the error
ldap_search: Administrative limit exceeded
If nsslapd-sizelimit is lower, the error code is 4 and the error message is:
ldap_search: Sizelimit exceeded
I've read the description of both of these variables many times in the
documentation, and I think I understand the theoretical difference. But
in practical terms, it still seems like whichever has the higher value
will never have an effect, since the lower limit on the other is always
Can anyone describe a practical situation where both the lookthrough and
size limits would come into play?
Is there any particular reason to prefer one or the other to enforce
maximum search result limits?
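The two limits count different things: nsslapd-lookthroughlimit counts entries the server examines while evaluating a search (the candidate list), nsslapd-sizelimit counts entries it returns to the client. They diverge exactly when a filter matches far fewer entries than it makes the server look at, which is what an unindexed attribute does. The model below is an added example, not server code, using the documented defaults of 5000 and 2000; the directory of 6000 entries is constructed.

```python
LDAP_SIZELIMIT_EXCEEDED = 4     # "Sizelimit exceeded"
LDAP_ADMINLIMIT_EXCEEDED = 11   # "Administrative limit exceeded"


def simulate_search(entries, matches, candidates, lookthrough_limit=5000, size_limit=2000):
    """Simplified model of the server's search loop.

    entries:    the database (list of dicts).
    matches:    the filter, a predicate on an entry.
    candidates: index positions the indexes narrowed the search to, or None when the
                filter uses an unindexed attribute and the server must walk every entry.
    A limit of -1 means unlimited, as in dse.ldif.
    Returns (ldap_error_code, entries_returned, entries_looked_through)."""
    if candidates is None:
        candidates = range(len(entries))
    looked_through = 0
    returned = []
    for idx in candidates:
        looked_through += 1
        if 0 <= lookthrough_limit < looked_through:
            return LDAP_ADMINLIMIT_EXCEEDED, returned, looked_through  # err 11
        if matches(entries[idx]):
            if 0 <= size_limit <= len(returned):
                return LDAP_SIZELIMIT_EXCEEDED, returned, looked_through  # err 4
            returned.append(entries[idx])
    return 0, returned, looked_through


# Constructed directory: 6000 users, one in every 500 is a contractor.
ENTRIES = [{"uid": "user%d" % i, "employeeType": "contractor" if i % 500 == 0 else "staff"}
           for i in range(6000)]
CONTRACTOR_IDS = [i for i, e in enumerate(ENTRIES) if e["employeeType"] == "contractor"]


def unindexed_contractor_search():
    """(employeeType=contractor) with no index on employeeType: 12 matches, full scan.
    Only the lookthrough limit stops this one; sizelimit is never approached."""
    return simulate_search(ENTRIES, lambda e: e["employeeType"] == "contractor", None)


def indexed_contractor_search():
    """Same filter once employeeType is indexed: the index hands over 12 candidates."""
    return simulate_search(ENTRIES, lambda e: e["employeeType"] == "contractor", CONTRACTOR_IDS)


def everything_search():
    """(uid=*) against the uid index: every candidate matches, so sizelimit bites first."""
    return simulate_search(ENTRIES, lambda e: True, list(range(len(ENTRIES))))


if __name__ == "__main__":
    for fn in (unindexed_contractor_search, indexed_contractor_search, everything_search):
        err, got, seen = fn()
        print("%-28s err=%-2d returned=%-4d looked_through=%d" % (fn.__name__, err, len(got), seen))
```

So the two limits guard against different things. Sizelimit caps the size of an answer; lookthroughlimit caps the work a single search can impose on the server, and it is the one that fires on a filter with a small result set over an unindexed attribute. Adding the index (here on employeeType) is the fix for err 11, not raising the limit; the real server also has nsslapd-idlistscanlimit and the client's own requested size limit in play, which this model leaves out.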
I am running FDS 1.0.2 and 1.0.4 and I've got the same problem on both
boxes: the admin-server error log shows this:
[Wed Mar 14 14:06:19 2007] [notice] [client x.x.x.x]
admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x
[Wed Mar 14 14:06:19 2007] [error] [client x.x.x.x] client denied by
server configuration: /opt/fedora-ds/Operation
I can access the console interface and the directory server's interface.
I don't know how to fix that issue. Moreover, I think since this time, I
can't clone anymore directory server configuration....
Any idea what could be causing this error ?
I am using FDS with SSL/TLS enabled. I had to set the "tls_checkpeer no"
keyword in my ldap.conf config file.
It works fine and solved the problem.
I am looking for the corresponding solution when using the openldap (or
After the ldap_start_tls_s(ldap,NULL,NULL)
I am getting the problem that the server certificate failed in the verifying
Any idea how to configure (through the API) ignoring the server
certificate, similar to tls_checkpeer?
Thanks in advance
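For the record, the OpenLDAP-library counterpart of nss_ldap's `tls_checkpeer no` is `TLS_REQCERT never` in the library's ldap.conf, or `ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &reqcert)` with `reqcert = LDAP_OPT_X_TLS_NEVER` before the TLS handshake (set on `NULL` for the global default, or per handle followed by `LDAP_OPT_X_TLS_NEWCTX`). Either setting removes the only check that ties the bind to the real directory server, so the password then travels to whoever answers on the network; the fix a security engineer would want is to point `TLS_CACERT` (`tls_cacertfile` for nss_ldap) at the CA that issued the directory server's certificate so `ldap_start_tls_s` verifies it. The audit script below is an added example, not from the poster or either library: it flags ldap.conf files that disable verification and have no CA configured. The two configuration files are constructed.

```python
# Constructed ldap.conf contents (not the poster's files): an nss_ldap/pam_ldap style
# file with the setting from the post, and an OpenLDAP-library style file that verifies.
PAM_LDAP_CONF = """\
host ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_checkpeer no
"""

OPENLDAP_CONF = """\
URI ldaps://ldap.example.com
BASE dc=example,dc=com
# CA that issued the directory server's certificate
TLS_CACERT /etc/openldap/cacerts/dirsrv-ca.pem
TLS_REQCERT demand
"""

# Keyword -> values that disable server-certificate verification.
# nss_ldap/pam_ldap: tls_checkpeer yes|no.  OpenLDAP: TLS_REQCERT never|allow|try|demand|hard
# ('never' skips the certificate, 'allow' accepts a bad one).
UNSAFE = {
    "tls_checkpeer": {"no"},
    "tls_reqcert": {"never", "allow"},
}
CA_KEYS = {"tls_cacert", "tls_cacertfile", "tls_cacertdir"}


def audit_ldap_conf(text):
    """Return {'verification': 'off'|'on'|'default', 'ca_configured': bool, 'findings': [...]}.
    'default' means no verification keyword is set (OpenLDAP then behaves as
    TLS_REQCERT demand, i.e. verifies)."""
    verification = "default"
    ca_configured = False
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key in UNSAFE:
            if value in UNSAFE[key]:
                verification = "off"
                findings.append("%s %s disables server certificate verification; "
                                "the bind password can be captured by a man-in-the-middle" % (key, value))
            else:
                verification = "on"
        elif key in CA_KEYS:
            ca_configured = True
    if verification == "off" and not ca_configured:
        findings.append("no CA configured: install the directory server's CA via "
                        "tls_cacertfile / TLS_CACERT instead of disabling the check")
    return {"verification": verification, "ca_configured": ca_configured, "findings": findings}


if __name__ == "__main__":
    for name, conf in (("pam_ldap", PAM_LDAP_CONF), ("openldap", OPENLDAP_CONF)):
        print(name, audit_ldap_conf(conf))
```

Run over /etc/ldap.conf and /etc/openldap/ldap.conf on each client, this reports the hosts where the poster's workaround was left in place after the CA could have been installed.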