How do I set up Fedora DS so the directory can be accessed from another subnet? My subnet is 172.18.x.x and my branch subnet is 192.168.x.x; we're connected using VSAT. We can ping each other and remote into each other, and port 389 is already open, but why is it still not working?
Robby Gunawan S
I am planning to use the Fedora Directory Server
in Redhat Linux ES4.0 to do 'Server Side Sorting'.
The system processed around 4000 entries successfully.
However, when the system tried processing more than 5000 entries,
it returned an error such as 'LDAP_UNWILLING_TO_PERFORM'.
Does anyone know how to fix this problem?
Just in case, I show you the error logs below...
[01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3
[01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*)
[01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
[01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND
Below is what I have done:
1. Installed Fedora Directory Server.
2. Changed the look-through limit in Database Settings to 2147483647 from the Server Console.
3. Created presence and substring indexes on 'uid' from the Server Console.
4. I start entry ....
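The access log excerpt in the post, decoded. This is an added example, not code from the post or from Fedora DS: it parses the SRCH, SORT and RESULT lines of the standard Fedora DS access-log format and maps err= to its RFC 4511 result-code name. Two things worth reading off the posted lines: err=4 is sizeLimitExceeded (LDAP_UNWILLING_TO_PERFORM would be err=53), nentries=1000 is the number of entries sent before the size limit cut the result, and notes=U marks the search as unindexed, so the (uid=*) presence search being sorted was not served from an index. The result-code table is deliberately partial and SAMPLE_LOG is the post's own lines.

```python
"""Decode Fedora DS / 389 DS access-log lines for a server-side-sort search.

Added example, not code from the post or from Fedora DS. Assumes the standard
Fedora DS access-log line format; LDAP_RESULT_CODES is a partial RFC 4511 table;
SAMPLE_LOG reproduces the lines quoted in the post."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 4511 result codes a search-limit diagnosis usually turns up (partial table).
LDAP_RESULT_CODES = {
    0: "success",
    3: "timeLimitExceeded",
    4: "sizeLimitExceeded",
    11: "adminLimitExceeded",        # look-through limit reached
    12: "unavailableCriticalExtension",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",        # the code the post expected to see
}

# notes= flags on RESULT lines; U is the one that matters for sort performance.
NOTE_FLAGS = {"U": "unindexed search: the filter was not served from an index"}

SRCH_RE = re.compile(
    r'^\[[^\]]+\] conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
SORT_RE = re.compile(r"^\[[^\]]+\] conn=(\d+) op=(\d+) SORT (\S+)")
RESULT_RE = re.compile(
    r"^\[[^\]]+\] conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+) etime=(\S+)(.*)$")
NOTES_RE = re.compile(r"notes=([A-Z]+)")


@dataclass
class Operation:
    conn: str
    op: str
    base: str = ""
    scope: str = ""
    filter: str = ""
    sort_key: str = ""
    err: Optional[int] = None
    nentries: int = 0
    notes: List[str] = field(default_factory=list)

    @property
    def err_name(self) -> str:
        if self.err is None:
            return "no RESULT line"
        return LDAP_RESULT_CODES.get(self.err, f"code {self.err}")


def parse_access_log(text: str) -> Dict[Tuple[str, str], Operation]:
    """Group SRCH/SORT/RESULT lines by (conn, op); other line types are ignored."""
    ops: Dict[Tuple[str, str], Operation] = {}
    for line in text.splitlines():
        line = line.strip()
        m = SRCH_RE.match(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            o = ops.setdefault((conn, op), Operation(conn, op))
            o.base, o.scope, o.filter = base, scope, filt
            continue
        m = SORT_RE.match(line)
        if m:
            conn, op, key = m.groups()
            ops.setdefault((conn, op), Operation(conn, op)).sort_key = key
            continue
        m = RESULT_RE.match(line)
        if m:
            conn, op, err, _tag, nentries, _etime, rest = m.groups()
            o = ops.setdefault((conn, op), Operation(conn, op))
            o.err, o.nentries = int(err), int(nentries)
            nm = NOTES_RE.search(rest)
            o.notes = list(nm.group(1)) if nm else []
    return ops


def explain(o: Operation) -> str:
    """One-line human reading of an operation's outcome."""
    parts = [f"conn={o.conn} op={o.op}: {o.err_name} (err={o.err}), {o.nentries} entries returned"]
    if o.filter:
        parts.append(f"search {o.filter} under {o.base} scope={o.scope}")
    if o.sort_key:
        parts.append(f"server-side sort on '{o.sort_key}'")
    parts.extend(NOTE_FLAGS.get(n, f"unknown note flag {n}") for n in o.notes)
    return "; ".join(parts)


def sort_failures(text: str) -> List[Operation]:
    """Sorted searches that did not end with err=0."""
    return [o for o in parse_access_log(text).values() if o.sort_key and o.err not in (None, 0)]


# The lines quoted in the post.
SAMPLE_LOG = """
[01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3
[01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*)
[01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
[01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND
"""

if __name__ == "__main__":
    for failed in sort_failures(SAMPLE_LOG):
        print(explain(failed))
```

Run it against a real access log by reading the file into parse_access_log; anything listed by sort_failures with notes=U is a sort that was evaluated over an unindexed candidate list.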
So when I run the setup script for 1.0.4 on RHEL 4.4 I get the following:
[13/Mar/2007:11:56:47 -0400] - SSL alert: Security Initialization: NSS
initialization failed (Netscape Portable Runtime error -8174 - security
library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix:
slapd-util3-, keydb prefix: slapd-util3-.
[slapd-util3]: [13/Mar/2007:11:56:47 -0400] - ERROR: NSS Initialization
error:[13/Mar/2007:11:56:47 -0400] - ERROR: NSS Initialization\nFailed.
I'm not exactly clear on what it's trying to do; since it creates those files
I'm not sure what it's failing at. Is it looking for a library
that's not installed? I have tried pointing ld to the right stuff, and I
have all of the ldd deps solved for the slapd binary. However, I think there
is something I'm missing.
Symptom: Group members are randomly being dropped from group objects.
Frequency: Usually after a user is added to the group.
I've checked the normal FDS audit log and nothing unusual appears. Just the
expected modify operations to the group object, adding new values for
uniqueMember. Since we've established a Windows sync agreement, I'm guessing
that something is screwing up over there. Is there an audit log I can check
out to see if my hunch is correct? The only log I've found relates to
changing users' passwords and doesn't take any group modifications into
Here at Brooklyn Law School, we use Fedora DS together with a samba
schema quite successfully. All students and most faculty log in to lab
computers and desktops that are members of a Samba domain. We avoid
using NT servers as much as possible for open source reasons, but our
faculty is hoping we can move them to an exchange server running on NT
2003. In a test environment, we were able to get password sync
happening between an NT server and a replica of our DS, but are
wondering how to keep our samba passwords updated. Currently, we have a
web front end pointed at a perl script loosely based on the smb-ldap
scripts from IDEALX. These keep our sambantpassword, sambalmpassword,
and unix passwords synced.
If we continue to use this script to update passwords on Fedora DS,
will fedora pick up the password and send it down to the windows
server? I assume there is not much I could do to get it to work in the
other direction, which would be ok -- we would require users to continue
to change their passwords through our web front end.
Any thoughts or suggestions would be greatly appreciated.
Does anyone know of a good guide to setting up read-only SSL-enabled
replicas? I see many guides to setting up multiple masters, but nothing
directly about multiple read-only SSL replicas.
Since the second semester of 2006, I've been trying to configure Samba (PDC and BDC) + Fedora Directory Server.
OS: CentOS 4.3 x86_64
Fedora-DS (LDAP) with simple bind
Samba 3.0.10 (I'll upgrade it in the next CentOS version)
Password hash: crypt (Linux, Fedora-DS and Samba)
1 - [root@netuno1 ~]# passwd samuel
Changing password for user samuel.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for samuel
passwd: all authentication tokens updated successfully.
Why this line "Enter login(LDAP) password:", if it is root that is changing samuel's password? It does not happen when the user is from /etc/passwd!
2 - Depending on the pam_password parameter (the howto/wiki suggests exop), smbpasswd fails:
[root@netuno1 ~]# smbpasswd samuel
ldapsam_modify_entry: LDAP Password could not be changed for user samuel:
Operation requires a secure connection.
ldapsam_update_sam_account: failed to modify user with uid = samuel, error:
Operation requires a secure connection.
Failed to modify entry for user samuel.
Failed to modify password entry for user samuel
3 - When the user tries to change his password using CTRL + ALT + DEL from Windows, after typing the passwords:
If ldap passwd sync = yes is set in /etc/samba/smb.conf, it returns the message "current password or user's name is incorrect"; on the other hand, if unix password sync = yes (passwd chat ...) is set, it returns the message "you do not have permission to modify the password",
and only the Samba password is changed (in both cases). I need userPassword for single sign-on because I use other services.
Why does smbldap-passwd always run OK from the prompt and not from the passwd program parameter?!
I could see on the web that many people using OpenLDAP also have (had) the same problem.
I am in despair, because I have spent a lot of time without finding the solution to this problem.
Please, help me!
What to do?
Grateful for your attention,
I've managed to get a few features that I'd been struggling with working
on FDS, however I'd appreciate any guidance with the following:
Our service desk is outsourced and I'm looking to replace an existing
NIS implementation with LDAP (probably Redhat, but until we prove it to
be reliable I'm sticking with FDS for now).
I'm trying to avoid using the Administrator accounts set up in
O=NetscapeRoot and create user accounts within the main
dc=example,dc=com schema and give them access to the relevant subtrees
to be able to create user accounts, reset passwords etc - effectively
delegating restricted admin access whilst still ensuring the security
I thought I had achieved this by setting an Access Role on the target OU
and specifying that a group I had already created would have full access
to all attributes (I can refine this later to restrict down to the bare
Below is the syntax obtained from the GUI console when setting up the
(targetattr = "*")
(target = "ldap:///ou=Laser,dc=example,dc=com")
(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")
however, when I attempt to add a user via the newuser.pl script I
obtained from netauth, I get the following:
failed to add entry: Insufficient 'write' privilege to the
'userPassword' attribute at ./newuser.pl line 232, <DATA> line 228.
Has anyone implemented a security model like this and if so, would they
be able to share any experiences.
Darren Paxton, European Midrange Systems Senior Engineer
Centralised Operations | MMC Global Technology Infrastructure (MGTI)
Mercer Human Resource Consulting | Mercury Court, Tithebarn Street,
Liverpool, L2 2QH, Merseyside, UK
+44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 |
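A check for the ACI posted above, as an added example that is not part of the post or of Fedora DS. An ACI only grants anything once it carries the (version 3.0; acl "name"; allow (rights) bindrule;) clause; the three parenthesised clauses quoted in the message have no such clause and put the groupdn bind rule on its own, outside it, so as posted the ACI grants no rights at all (the console output may simply have been truncated in the mail). The code parses a single ACI string, reports structural problems, and answers whether it can grant write on a named attribute. Assumptions: an ACI with no targetattr clause is treated as covering no attributes (the conservative reading), and SAMPLE_COMPLETE and SAMPLE_NO_PASSWORD are constructed completions of the posted fragment.

```python
"""Sanity-check a Fedora DS / 389 DS ACI before loading it.

Added example, not code from the post or from Fedora DS. Parses the
(target ...)(targetattr ...) clauses and the (version 3.0; acl "..."; allow|deny
(rights) bindrule;) clause of one ACI string. Assumption: an omitted targetattr
is treated as covering no attributes. SAMPLE_FRAGMENT is the post's text;
SAMPLE_COMPLETE and SAMPLE_NO_PASSWORD are constructed."""
import re
from typing import Dict, List, Tuple

RIGHTS = {"read", "write", "add", "delete", "search", "compare",
          "selfwrite", "proxy", "all"}
WRITE_RIGHTS = {"write", "all"}
BIND_KEYWORDS = ("userdn", "groupdn", "roledn", "userattr", "ip", "dns",
                 "timeofday", "dayofweek", "authmethod")

TARGET_RE = re.compile(r'\(\s*(targetattr|targetfilter|target)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
VERSION_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)', re.I | re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I | re.S)


def parse_aci(aci: str) -> Dict[str, object]:
    """Return targets, acl name, allow/deny rules and a list of structural problems."""
    info: Dict[str, object] = {"targets": [], "acl": None, "rules": [], "problems": []}
    targets: List[Tuple[str, str, str]] = info["targets"]  # type: ignore[assignment]
    problems: List[str] = info["problems"]  # type: ignore[assignment]
    rules: List[dict] = info["rules"]  # type: ignore[assignment]
    for kw, op, val in TARGET_RE.findall(aci):
        targets.append((kw.lower(), op, val))
    m = VERSION_RE.search(aci)
    if not m:
        problems.append('missing (version 3.0; acl "..."; allow|deny (...) bindrule;) clause: '
                        'without it the ACI grants nothing')
        for kw in BIND_KEYWORDS:  # a bind rule outside the version clause is inert
            if re.search(r'\(\s*%s\s*!?=' % kw, aci, re.I):
                problems.append(f"bind rule '{kw}' appears outside the version clause and is ignored")
        return info
    info["acl"] = m.group(1)
    for kind, rights, bind in RULE_RE.findall(m.group(2)):
        rset = {r.strip().lower() for r in rights.split(",") if r.strip()}
        unknown = rset - RIGHTS
        if unknown:
            problems.append(f"unknown right(s) {sorted(unknown)}")
        if not any(bind.strip().lower().startswith(k) for k in BIND_KEYWORDS):
            problems.append(f"{kind} rule has no recognised bind rule: {bind.strip()!r}")
        rules.append({"kind": kind.lower(), "rights": rset, "bind": bind.strip()})
    if not any(r["kind"] == "allow" for r in rules):
        problems.append("no allow rule")
    return info


def attr_covered(info: Dict[str, object], attr: str) -> bool:
    """Does the targetattr clause include attr? No clause is read as 'no attributes'."""
    attr = attr.lower()
    covered = False
    for kw, op, val in info["targets"]:  # type: ignore[union-attr]
        if kw != "targetattr":
            continue
        names = {v.strip().lower() for v in val.split("||")}
        # targetattr = "a || b" lists attributes; targetattr != "a" means all but a.
        covered = ("*" in names or attr in names) if op == "=" else attr not in names
    return covered


def grants_write(aci: str, attr: str) -> bool:
    """True if a well-formed ACI allows write on attr and no deny rule revokes it."""
    info = parse_aci(aci)
    if info["acl"] is None or not attr_covered(info, attr):
        return False
    rules = info["rules"]  # type: ignore[assignment]
    if any(r["kind"] == "deny" and r["rights"] & WRITE_RIGHTS for r in rules):
        return False  # deny takes precedence over allow in 389 DS
    return any(r["kind"] == "allow" and r["rights"] & WRITE_RIGHTS for r in rules)


# Exactly the three clauses quoted in the post.
SAMPLE_FRAGMENT = ('(targetattr = "*")'
                   '(target = "ldap:///ou=Laser,dc=example,dc=com")'
                   '(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")')
# Constructed completion: the same targets plus the clause that actually grants rights.
SAMPLE_COMPLETE = ('(targetattr = "*")(target = "ldap:///ou=Laser,dc=example,dc=com")'
                   '(version 3.0; acl "service desk delegation"; '
                   'allow (read, search, compare, write, add, delete) '
                   'groupdn = "ldap:///cn=gpServiceDesk,ou=Groups,dc=example,dc=com";)')
# Constructed variant that hands out everything except the password attribute.
SAMPLE_NO_PASSWORD = ('(targetattr != "userPassword")(target = "ldap:///ou=Laser,dc=example,dc=com")'
                      '(version 3.0; acl "everything but passwords"; allow (all) '
                      'groupdn = "ldap:///cn=gpServiceDesk,ou=Groups,dc=example,dc=com";)')

if __name__ == "__main__":
    for name, aci in (("fragment", SAMPLE_FRAGMENT), ("complete", SAMPLE_COMPLETE),
                      ("no-password", SAMPLE_NO_PASSWORD)):
        info = parse_aci(aci)
        print(name, "problems:", info["problems"],
              "| write userPassword:", grants_write(aci, "userPassword"))
```

Feed it the aci attribute value as it is stored on the entry (ldapsearch on the OU with attribute aci) rather than what the console displays, since the stored value is what the server evaluates.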
I cannot seem to find the newuser.pl script from http://www.netauth.com.
Does anyone know where to get the script now?
Also, has anyone tried the Fedora DS posix/unix automatic uid
generation posted on February 8th? If so, how do you get it and set it up?
> I'm having some significant issues getting my multi-master servers
> synchronized after a network outage this past weekend. First I was
> error--> NSMMReplicationPlugin - agmt="cn=srv1-to-srv2" (srv2:389):
> Replica has a different generation ID than the local data.
> Then after numerous attempts to clear out the change log and
> reinitialize the consumer from srv1 to srv2, and failing each time
> hitting a "ratio 0%" error (we increased server memory and
> corresponding database/cache settings to no avail):
> error--> import userRoot: Processed 48136 entries -- average rate
> 2292.2/sec, recent rate 2292.1/sec, hit ratio 0%
> Finally tried a local file restore db2ldif (with -r) and ldif2db and
> one from db2bak. Upon restore on both servers, now on the "good"
> server (srv1) I see:
> error--> NSMMReplicationPlugin - replica_check_for_data_reload:
> Warning: data for replica dc=<mydomain>,dc=com was reloaded and it no
> longer matches the data in the changelog (replica data > changelog).
> Recreating the changelog file. This could affect replication with
> replica's consumers in which case the consumers should be
> error--> NSMMReplicationPlugin - csnplCommit: can't find csn
> error--> NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn
> error--> NSMMReplicationPlugin - replica_update_ruv: unable to update
> RUV for replica dc=<mydomain>,dc=com, csn = 45ee0228000000010000
> These are both after clearing the changelogdb (multiple times) and of
> course no synchronization.
> At this point I am stuck and would appreciate any help in getting this
> resolved. First I need to resolve the "NSMMReplicationPlugin -
> csnplCommit: can't find csn" problems so I can try the command line
> Thanks much!
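A small decoder for the identifiers in the replication errors quoted above, as an added example that is not part of the message or of Fedora DS. A CSN such as 45ee0228000000010000 is 20 hex digits: 32-bit time in seconds, 16-bit sequence number, 16-bit replica ID, 16-bit sub-sequence, so the one in the message was issued by replica ID 1 in early March 2007. The replica update vector that the "different generation ID" error is about is stored in the nsds50ruv attribute of the RUV tombstone entry and can be read from each master; a consumer whose generation ID differs from its supplier's was not initialised from the same data set and has to be re-initialised before replication resumes. Assumptions: the ldapsearch in the docstring uses the OpenLDAP client and example hostnames and bind DN; SAMPLE_LOCAL and SAMPLE_REMOTE are constructed RUVs that reuse the posted CSN.

```python
"""Decode 389/Fedora DS CSNs and compare two replicas' RUVs.

Added example, not code from the post or from Fedora DS. Assumed CSN layout:
8 hex digits time (seconds), 4 sequence, 4 replica ID, 4 sub-sequence.
nsds50ruv values have the forms
    {replicageneration} <generation id>
    {replica <rid> <url>} [<min csn> [<max csn>]]
and can be fetched from each master with (hostname and bind DN are assumptions):
    ldapsearch -x -h srv1 -D "cn=Directory Manager" -W -b dc=example,dc=com \\
      "(&(objectclass=nstombstone)(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff))" nsds50ruv
SAMPLE_LOCAL / SAMPLE_REMOTE are constructed values."""
import datetime
import re
from typing import Dict, List, Tuple

RUV_GEN_RE = re.compile(r"^\{replicageneration\}\s+(\S+)$")
RUV_ELEM_RE = re.compile(r"^\{replica\s+(\d+)\s+(\S+)\}(?:\s+(\S+))?(?:\s+(\S+))?\s*$")


def decode_csn(csn: str) -> Dict[str, object]:
    """Split a 20-hex-digit CSN into time, sequence, replica ID and sub-sequence."""
    csn = csn.strip().lower()
    if len(csn) != 20 or any(c not in "0123456789abcdef" for c in csn):
        raise ValueError(f"not a CSN: {csn!r}")
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "utc": datetime.datetime.fromtimestamp(ts, datetime.timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_ruv(values: List[str]) -> Dict[str, object]:
    """Turn the nsds50ruv attribute values of one replica into a dict."""
    ruv: Dict[str, object] = {"generation": None, "replicas": {}}
    replicas: Dict[int, dict] = ruv["replicas"]  # type: ignore[assignment]
    for v in values:
        v = v.strip()
        m = RUV_GEN_RE.match(v)
        if m:
            ruv["generation"] = m.group(1)
            continue
        m = RUV_ELEM_RE.match(v)
        if not m:
            raise ValueError(f"unrecognised RUV element: {v!r}")
        rid, url, mincsn, maxcsn = m.groups()
        replicas[int(rid)] = {"url": url, "min": mincsn, "max": maxcsn}
    return ruv


def compare_ruvs(local: Dict[str, object], remote: Dict[str, object]) -> List[Tuple[str, str]]:
    """List (code, message) findings explaining why two masters may not be in sync."""
    findings: List[Tuple[str, str]] = []
    if local["generation"] != remote["generation"]:
        findings.append(("generation-mismatch",
                         f"local {local['generation']} vs remote {remote['generation']}: "
                         "not the same data lineage; one side must be re-initialised from the other"))
    lrep: Dict[int, dict] = local["replicas"]  # type: ignore[assignment]
    rrep: Dict[int, dict] = remote["replicas"]  # type: ignore[assignment]
    for rid in sorted(set(lrep) | set(rrep)):
        l, r = lrep.get(rid), rrep.get(rid)
        if l is None or r is None:
            side = "remote" if r is None else "local"
            findings.append(("missing-replica", f"replica {rid} is unknown to the {side} RUV"))
            continue
        if l["max"] and r["max"] and l["max"] != r["max"]:
            lt = decode_csn(l["max"])["timestamp"]
            rt = decode_csn(r["max"])["timestamp"]
            behind = "local" if lt < rt else "remote"
            findings.append(("behind", f"replica {rid}: {behind} side is {abs(lt - rt)} s behind "
                                       f"({l['max']} vs {r['max']})"))
    return findings


# Constructed: srv1 as it might look, with the CSN from the message as replica 1's max CSN.
SAMPLE_LOCAL = [
    "{replicageneration} 45dd2c0a000000010000",
    "{replica 1 ldap://srv1.example.com:389} 45dd2c10000000010000 45ee0228000000010000",
    "{replica 2 ldap://srv2.example.com:389} 45dd2c90000000020000 45ec8f00000000020000",
]
# Constructed: srv2 after a fresh import that produced a new generation ID.
SAMPLE_REMOTE = [
    "{replicageneration} 45ee1100000000020000",
    "{replica 2 ldap://srv2.example.com:389} 45ee1200000000020000 45ee1350000000020000",
]

if __name__ == "__main__":
    d = decode_csn("45ee0228000000010000")
    print(f"CSN issued {d['utc'].isoformat()} by replica {d['replica_id']}")
    for code, msg in compare_ruvs(parse_ruv(SAMPLE_LOCAL), parse_ruv(SAMPLE_REMOTE)):
        print(f"{code}: {msg}")
```

Run parse_ruv on the nsds50ruv values from each master and compare_ruvs on the pair; a generation-mismatch finding is the same condition the "Replica has a different generation ID than the local data" message reports, while a behind finding with matching generations points at a stalled agreement rather than divergent data.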