[Fedora-directory-users] dbus and ldap and boot problems
by Ted Toth
After adding ldap to the passwd, group and shadow lines of nsswitch.conf
my FC6 box wasn't too happy on reboot. It seems that dbus is trying to
connect to ldap which isn't running. How can I resolve this issue, start
ldap prior to dbus? Does ldap have a dependency on dbus?
16 years, 7 months
[Fedora-directory-users] Sync passwords from FDS to AD
by Ville Silventoinen
Hi,
our FDS contains a NIS-like structure of user accounts, Unix groups,
netgroups, mail aliases and sudoers entries. We manage everything in
Unix/Linux, using command-line tools and web pages that update the FDS and
NIS database files (generated from the LDAP server). We are not ready to
abandon NIS yet, hence this integration between LDAP and NIS.
We also use Active Directory, which has identical users and their
passwords in the AD format (I don't know what it is yet). Our problem is
that the users need to update the passwords twice, first in Linux/Unix and
then in Windows. This is a slight hassle for the users that we'd like to
remove. Also when a new account is created, it is first created in
Unix/Linux and then in Windows.
I read about the WindowsSync and PassSync, but I'm a bit hesitant to add all
the "nt*" attributes to our schema, because all we want is to synchronize
the user names and passwords from FDS to AD. The passwords are stored in
{crypt} format in FDS. Any ideas how this could be done? Should I add
another attribute for the AD password?
Thank you,
Ville
16 years, 7 months
[Fedora-directory-users] fedora directory server and sun directory server
by Aaron Bliss
We are currently running sun directory server, however I don't
particularly care for it too much....I'm thinking about possibly
migrating to fds (I've used fds extensively at my previous job)...Does
anyone know if it's possible to set up replication between a sun
directory server supplier and fds consumer? Thanks for your help.
Aaron
16 years, 7 months
[Fedora-directory-users] Peer does not recognize and trust the CA that issued your certificate.
by Randall Svancara
To all,
I am having problems configuring TLS on FDS. I have followed the
following tutorials for setting up keys. I have tried both openssl and
certutil without any luck. I have TLS working on openldap, and I have
to admit it seemed easier than FDS.
I have been using the following document:
http://directory.fedoraproject.org/wiki/Howto:SSL
When I connect my Solaris client, I see error log messages in FDS:
    PR_Recv for connection 71 returns -12195 (Peer does not recognize and trust the CA that issued your certificate.)
My fedora directory server is located on a server named utility.xyz.org
My client which is solaris 10 is located at test.xyz.org.
I have been creating the certificate using the following commands:
1. open directory
    cd serverRoot/alias
2. Create password file
    vi pwdfile.txt
3. Create noise file
    vi noise.txt
4. Create databases
    serverRoot/shared/bin/certutil -N -d . -f pwdfile.txt
5. Generate encryption key
    /serverRoot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
6. Generate self signed certificate
    /serverRoot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
7. Generate server certificate
    /serverRoot/shared/bin/certutil -S -n "Server-Cert" -s "cn=utility.xyz.org" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
8. Copy the key3.db and cert8.db you created to the default databases created at Directory Server installation:
    mv key3.db slapd-server-key3.db
    mv cert8.db slapd-server-cert8.db
    ln -s slapd-server-key3.db key3.db
9. Run pki tool to convert cert database to pkcs12 format
    /serverRoot/shared/bin/pk12util -d . -o cert.pk12 -n Server-Cert
So at this point, under the server tab in FDS Console, I can see ca-certificate. I can see the server-cert. They all appear to be normal. I have enabled SSL for this server.
I have selected the Server-Cert. I have allowed client authentication. I have turned off hostname checking against the certificate for outbound SSL connections.
On Solaris 10 I have successfully configured authentication to LDAP without TLS. I enable TLS and import the cacert.asc.
    certutil -N -d /var/ldap
    certutil -A -n CAcert -d /var/ldap -t "TCu,Cu,Tuw" \
        -i cacert.asc
    certutil -L -d /var/ldap
Some other things I have done is to use NGREP to see if there is communication on port 389 from the client to the server. I have also looked at the Solaris Logs. I hate how Solaris logs nothing.
The key shows up in the database. But the client cannot negotiate a tls:simple connection. Any ideas what I am doing wrong here?
Randall
16 years, 7 months
[Fedora-directory-users] FDS as an Address Book
by Adam Valenzuela
Hello All,
Does anyone out there use FDS as a Global Address Book? I have
a mixed environment of evolution and outlook 2003 mail clients and I was
wondering if anyone out there uses FDS for just a global address book.
Also if you do...do you also have email/distribution groups set up?
--
Thank you,
Adam A. Valenzuela
16 years, 7 months
[Fedora-directory-users] How limit access to server
by zdenek.kolar@veba.cz
I am new to FDS and I want to set up FDS for central authentication for Linux
servers.
I added the user "test" and I can log on to every server with this account,
but I want to limit access to only one server. How can I do it?
Zdenek
16 years, 7 months
[Fedora-directory-users] Zimbra Schema for FDS
by Wilmer Jaramillo M.
Actually I'm making it possible to use Zimbra with an FDS backend; the only
additional thing is an optional alias suffix for the 'givenName' attribute
(RFC4519), named the 'gn' attribute, in the 00core.ldif file; this attribute is
used for Zimbra in OpenLDAP as part of a person's name. Also, all the macros
were replaced, it was made RFC4517 compliant, some attribute declarations were
fixed, and it was later processed with the ol-schema-migrate.pl migration tool.
Please download 99zimbra.ldif from
http://wiki.fedora-ve.org/WilmerJaramillo/ZimbraSchema?action=AttachFile&...
and add the optional alias suffix 'gn' attribute in 00core.ldif:
100c100
< attributeTypes: ( 2.5.4.42 NAME 'givenName' DESC 'Standard LDAP
attribute type' SUP name X-ORIGIN 'RFC 2256' )
---
> attributeTypes: ( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'Standard LDAP attribute type' SUP name X-ORIGIN 'RFC 2256' )
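Review bot: the replacement for line 100 of 00core.ldif still carries X-ORIGIN 'RFC 2256' and nothing beside it records that the 'gn' alias was added locally or why, even though the change touches 00core.ldif rather than the 99zimbra.ldif being distributed; a "#" comment line above the definition naming Zimbra as the reason would make the edit easy to find and re-apply later. The old definition is shown wrapped over two lines here, so when making the edit by hand keep the attributeTypes value on a single line as in the ">" line, or begin any continuation line with one space, since LDIF does not treat an unindented line as a continuation.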
Enjoy.
--
Wilmer Jaramillo M.
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A
16 years, 7 months
RE: [Fedora-directory-users] Excessive clock skew error breaking replication
by Kyley Engle
Fedora 1.0.2 on RHEL 4 x64
-kyley
> Date: Fri, 3 Aug 2007 06:35:49 -0600
> From: rmeggins(a)redhat.com
> To: fedora-directory-users(a)redhat.com
> Subject: Re: [Fedora-directory-users] Excessive clock skew error breaking replication
>
> Kyley Engle wrote:
> >
> > i'm in a bind, and hopefully someone out there has seen this before...
> >
> > i have a 3-tier, multimaster implementation for FDS. i am seeing
> > replication failures between masters as well as from masters -> hubs
> > and hubs -> search servers. in the error log i am seeing the following
> > messages:
> >
> > [03/Aug/2007:03:15:33 +0000] NSMMReplicationPlugin -
> > agmt="cn=ldaphub2" (ldap-hub-2:389): Unable to acquire replica:
> > Excessive clock skew between the supplier and the consumer.
> > Replication is aborting.
> > [03/Aug/2007:03:15:33 +0000] NSMMReplicationPlugin -
> > agmt="cn=ldaphub2" (ldap-hub-2:389): Incremental update failed and
> > requires administrator action
> >
> > all of my servers have the same time settings (all are also using UTC
> > time)
> >
> > i have also seen a single reference to csngen_adjust_time being 84001
> > when the limit is 84000.
> >
> > trying to find anything at all on these errors, i found the following
> > thread, which suggested blowing away the changelogdb. followed the
> > instructions to no avail.
> >
> > anyone have any ideas?
> What is your OS and version? 32bit or 64bit?
> >
> > -kyley
16 years, 7 months
[Fedora-directory-users] Excessive clock skew error breaking replication
by Kyley Engle
i'm in a bind, and hopefully someone out there has seen this before...
i have a 3-tier, multimaster implementation for FDS. i am seeing replication failures between masters as well as from masters -> hubs and hubs -> search servers. in the error log i am seeing the following messages:
[03/Aug/2007:03:15:33 +0000] NSMMReplicationPlugin - agmt="cn=ldaphub2" (ldap-hub-2:389): Unable to acquire replica: Excessive clock skew between the supplier and the consumer. Replication is aborting.
[03/Aug/2007:03:15:33 +0000] NSMMReplicationPlugin - agmt="cn=ldaphub2" (ldap-hub-2:389): Incremental update failed and requires administrator action
all of my servers have the same time settings (all are also using UTC time)
i have also seen a single reference to csngen_adjust_time being 84001 when the limit is 84000.
trying to find anything at all on these errors, i found the following thread, which suggested blowing away the changelogdb. followed the instructions to no avail.
anyone have any ideas?
-kyley
16 years, 7 months