[Fedora-directory-users] FDS <-> AD Sync with Windows 2003 R2 using RFC2307 extensions
by Howard Wilkinson
We have an environment where we hold the RFC2307 attributes within our
AD, this is based on a Windows 2003 R2 AD.
We have established a sync agreement with our first FDS installation and
would like to get the additional attributes synchronised into the FDS
from AD. How and where do we add such facilities?
--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Fax:
Mobile: +44(7980)639379
Email: howard(a)cohtech.com
16 years, 7 months
[Fedora-directory-users] block the sending of attachments for some users
by thierry vandenbroucke
Folks, does anyone have an idea how I can block the sending of attachments
through postfix for some users?
E.g.: the directors can, but the employees cannot.
I asked on the postfix br lists but have not had an answer yet, and it is
kind of urgent..
thank you
--
Thierry Vanden Broucke
Find a path or open one just for yourself.
16 years, 7 months
[Fedora-directory-users] AD sync errors when renaming an account?
by Josh Kelley
We're regularly (every few seconds) getting the following errors in
our error log:
[22/Aug/2007:17:57:45 -0400] NSMMReplicationPlugin - agmt="cn=ad2 <->
fds2" (ad2:636): Consumer failed to replay change (uniqueid
1dc8382d-1dd211b2-805a97b7-83570000, CSN 46cca925000100010000):
Referral received. Will retry later.
This is with a Windows Sync agreement between Active Directory and FDS
1.0.2. These errors seem to occur when we rename an account on the
FDS side (using a Perl script that updates several name-related
attributes then invokes a modDN operation), but I'm not certain that's
the cause. Initiating full resynchronization appears to clear the
error, but it also apparently causes FDS to lose whatever changes it
was trying to make. (For example, we have several new FDS accounts
created with ntUserCreateNewAccount=true that never appeared in AD.)
In particular, the Perl script updates the ntUserDomainID attribute.
Is that what's causing this problem? How should accounts be renamed
in a Windows Sync environment?
If the problem is not changing the value of ntUserDomainID, any
suggestions for tracking down the problem?
Thank you.
Josh Kelley
16 years, 7 months
RE: [Fedora-directory-users] Configuration Directory Question
by James Deuchar
Thanks for your patience - and apologies for that rookie typo error.

Fixed that and retried a few times but still to no avail - new instance is created and running ok but doesn't show up in the admin console. Where does the admin server get this list of servers etc from (and will that info help me!?).

If I install an instance on server2 and point it towards the config instance on server1 as part of the setup script then it does appear in the console and all is well in my DS world...

Seems only to cause problems when I'm trying to create a new data instance (using ds_newinst.pl) on the server1 when the config instance (created during install/setup) is already there. If there were an option to create a new instance via the console and specify a separate configuration directory it'd be easy...presumably!

Is this the normal way to do this?

Kind regards,
James

> Date: Thu, 26 Jul 2007 10:03:28 -0600
> From: rmeggins(a)redhat.com
> To: fedora-directory-users(a)redhat.com
> Subject: Re: [Fedora-directory-users] Configuration Directory Question
>
> James Deuchar wrote:
> > Thanks for the swift response - size depends on the success of the project - am tempted to go with external config directory assuming I can get it working...
> >
> > I tried the procedure I listed below i.e. installed the RPM, ran setup to create a 'dsconfig' instance on port 5555.
> >
> > Then I created a master.inf file for inputting into the ds_newinst.pl script:
> >
> > [General]
> > FullMachineName= server1.jamesd.com
> > SuiteSpotUserID= ldap
> > ServerRoot= /opt/fedora-ds
> > ConfigDirectoryAdminID= admin
> > ConfigDirectoryAdminPwd= blah
> > ConfigDirectoryLdapURL= ldap://server1.jamesd.com:5555/o=NetscapeRoot
> > AdminDomain= jamesd.com
> >
> > [slapd]
> > ServerPort= 389
> > ServerIdentifier= master01
> > Suffix= dc=jamesd,dc=com
> > RootDN= cn=Directory Manager
> > RootDNPwd= blah
> > UserExistingMC=1
> This should be "UseExistingMC" not "User"
> >
> > When I ran that it seemed to work - instance called master01 was created and is running.
> >
> > When running the console though, it's not listed - only the Administration Server and 'dsconfig' Directory Server instance.
> >
> > How can I make the master01 instance appear in the admin console and also verify that master01 is using dsconfig to store its configuration data?
> >
> > Thanks again
> >
> > > Date: Thu, 26 Jul 2007 09:33:37 -0600
> > > From: rmeggins(a)redhat.com
> > > To: fedora-directory-users(a)redhat.com
> > > Subject: Re: [Fedora-directory-users] Configuration Directory Question
> > >
> > > James Deuchar wrote:
> > > > Hi,
> > > >
> > > > I've got what I thought was a relatively simple DS setup with two master DS servers doing master-master replication. In the future slaves may be added into the equation.
> > > >
> > > > Initially I installed both servers the same - as standalone DS' each with its own admin server and 'in-house' o=NetscapeRoot configuration directory.
> > > >
> > > > Reading some of the Redhat docs on 'Configuration decisions' it talks about having the configuration directory in a separate directory instance - based on what I've seen from the DS setup script this implies supplying those details during the install of the real DS instances that will contain the data.
> > > >
> > > > Is my understanding correct? Does this mean I should be installing an independent configuration directory on both masters and setup replication between them to provide a redundant configuration directory alongside the redundant data directories?
> > > For small deployments, you can have your config DS and data DS be the same.
> > > >
> > > > If so is the install procedure reasonable?:
> > > >
> > > > - install fedora RPM on server 1
> > > > - Run setup script to create server 1 config directory
> > > > - Run ds_newinst.pl to create data directory on the same server pointing it to the local config directory during setup
> > > > - Repeat on server 2
> > > > - Setup replication on data masters and on config directories
> > > Sure.
> > > >
> > > > Many thanks!
16 years, 7 months
[Fedora-directory-users] synchronization agreement
by Gonzalo Guzman
I am using FDS 1.0.4-1 on FC6, I am trying to setup a synchronization
agreement between it and Win2K3. I have installed and configured PassSync
on the windows server, but I cannot find a way to create the synchronization
agreement on the FDS server. I have reviewed many documents on the RedHat
site as well as posting to this list. Any assistance would be greatly
appreciated.
Thanks,
Gonz
16 years, 7 months
[Fedora-directory-users] initial installation/configuration question
by Jeremiah Coleman
Hi,
I'm setting up fds with one config server and two masters. During the
initial install, when running setup, the system asks about config and
data servers, but since I seem to end up with a catch-22. If I set up
the config server first, it can't contact the data server, and
vice-versa. I've gone through the docs, pdfs, and wiki and haven't seen
a proper method to do this.
Any advice?
Thanks,
Jay Coleman
16 years, 7 months
[Fedora-directory-users] FDS SSL performance tuning query
by Jonathan Barber
Hello all, currently we have a FDS instance running on RHEL4 with a
small number of entries (6,000), we also have a linux compute cluster of
100 nodes which uses LDAP for user account data (via libnss_ldap).
nss_ldap on the cluster is configured to use SSL, and everything is fine
most of the time. However, occasionally, when a large job is started on
the cluster, the number of connections increases from 100/minute to
1600/minute (26/sec).
This causes the server to become generally unresponsive, and FDS
especially so (as judged by the time required to retrieve the DSE via
TLS). Which is a right pain as it causes our samba PDC to timeout and
everything goes wrong very quickly.
I can reproducibly impact on FDS performance by running:
$ getent passwd | cut -d: -f 1 | while read i; do id $i; done
across the cluster. When SSL is off, the command runs fine and doesn't
impact on other searches.
As a short term measure, we've disabled LDAPS on the cluster nodes,
which is fine as users don't log into them, but we had planned to expand
the use of LDAP to cover more hosts (Macs and Linux) that require a
confidential channel for authentication. So this experience is giving us
some trepidation about moving forward with that plan.
Our system is configured following the guidance of the wiki [0], with a
maximum of 16834 available file descriptors and 50M of cache (more than
enough to hold the DB) - and the ratio of cache hits/misses look good
with little paging out. Running logconv.pl on the access logs doesn't
show any unindexed searches, so that isn't an issue.
Our server CPU is a 3GHz Xeon with 1G of RAM, and looking at the
performance of NSS 3.2 [1], I would expect the machine to be able to
setup and tear down many more connections than we are currently seeing.
Indeed, running the test described in [1] with the nss-3.11.4 binaries,
I get over 1200 connections per second [2], so it certainly doesn't seem
to be a problem with NSS.
This suggests to me that the problem lies in FDS somewhere. So, does
anyone have any suggestions as to how to improve the SSL/TLS performance
of FDS, or point me at tuning docs for the SSL side of FDS?
Cheers.
[0] http://directory.fedoraproject.org/wiki/Performance_Tuning
[1] http://www.mozilla.org/projects/security/pki/nss/nss-3.2-performance-results
[2] server$ ./selfserv -n "Server-Cert" -p 6000
client$ time ./strsclnt -p 6000 server -c 1000
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
strsclnt: 999 cache hits; 1 cache misses, 0 cache not reusable
real 0m0.605s
user 0m0.795s
sys 0m0.226s
--
Jonathan Barber
High Performance Computing Analyst
Tel. +44 (0) 1382 386389
16 years, 7 months
[Fedora-directory-users] Groups
by Ted Toth
Maybe this isn't the right place to ask this but ... I've set up
fedora-ds in order to do network logins via ldap. I've configured ssh to
use pam_mkhomedir and pam_ldap. I used a copy of Example.ldif, changed
the root dn, configured my users and imported it. I used the console
to make my users posix users adding their uid and gid. When I ssh into
the box as a user not configured on the box the user home dir and
contents specified in /etc/skel are created but the gid is a numeric
value as the group doesn't exist on the box. Do I need to create the
groups of network logins on all the client boxes? I don't see a way to
associate a gid with a group in fedora-ds. What's the right way to
handle this?
16 years, 7 months