[Fedora-directory-users] FDS and Samba3
by Raj Seenivasan
I have 2 questions to ask. I searched the list and couldn't find
anything related...
1. Is there a way to setup samba and FDS on 2 different boxes and use
FDS as the backend for samba?
FDS wiki (http://directory.fedoraproject.org/wiki/Howto:Samba) has
instructions to setup both samba and fds on the same box.
What special steps need to be done if they are on 2 different boxes?
2. I had setup samba+fds on a single box and password syncing works
only one way.
FDS --> Samba sync is not working. Passwords changed using smbpasswd
get synced with FDS.
Am I missing something?
Thanks.
[Fedora-directory-users] FDS and Solaris Client Question
by Jeremiah Coleman
I'm trying to set up a Solaris 10 client with FDS (all my linux clients
are working beautifully), but authentication is acting very strange.
Monitoring the net traffic, I can see the Solaris system bind, search
for info about the username, get a normal response, but then it just
unbinds. It never asks to authenticate a password. My configuration is
below.
Any help would be much appreciated.
ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= fds1.wherever.com
NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
NS_LDAP_BIND_TIME= 2
/etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
all of that is configured on ldap as yet):
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
shadow: files ldap
# consult /etc "files" only if ldap is down.
hosts: dns files ldap
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap
/etc/pam.conf:
# login service (explicit because of pam_dial_auth)
#
login auth required pam_ldap.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_ldap.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth sufficient pam_ldap.so.1
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account sufficient pam_ldap.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session sufficient pam_ldap.so.1
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
--
Jeremiah Coleman
Systems Administrator
C & C Technologies
337-261-0660 x3421
jay.coleman(a)cctechnol.com
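The control flags in the pam.conf above decide which modules have to succeed before a login is granted, and they differ between the login and other stacks. As an added example (not part of this post, and not Solaris code), the following Python parses a pam.conf in the Solaris four-column format and walks each stack with the standard required/requisite/sufficient rules; PAM_CONF is constructed from the login and other auth stacks quoted above, and parse_pam_conf, evaluate_stack and modules_that_must_succeed are names chosen here.

```python
"""Reason about PAM stacks from a Solaris-style /etc/pam.conf.

Added example; PAM_CONF is constructed from the login and other auth
stacks quoted in the post above.
"""
from typing import Dict, List, Tuple

PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth required   pam_ldap.so.1
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
# default auth stack
other   auth sufficient pam_ldap.so.1
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth required   pam_unix_auth.so.1
"""

Stack = List[Tuple[str, str]]          # [(control_flag, module), ...]


def parse_pam_conf(text: str) -> Dict[Tuple[str, str], Stack]:
    """Group pam.conf lines into {(service, type): stack}, keeping file order.

    Solaris pam.conf columns: service  type  control  module [options...].
    Comments and blank lines are skipped; trailing module options are ignored.
    """
    stacks: Dict[Tuple[str, str], Stack] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 4:
            continue                      # blank, comment or malformed line
        service, mtype, control, module = parts[0], parts[1], parts[2].lower(), parts[3]
        stacks.setdefault((service, mtype), []).append((control, module))
    return stacks


def evaluate_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Apply the classic PAM control-flag rules to one stack.

    results maps module -> True (success) / False (failure); a module that is
    not listed is assumed to succeed (pam_authtok_get, for instance, only
    collects the password). Returns (authenticated, modules_consulted).

      required   failure marks the stack failed, later modules still run
      requisite  failure stops the stack at once with failure
      sufficient success stops the stack with success unless a required
                 module already failed; its own failure is ignored
      optional   does not influence the result in this model
    """
    failed_required = False
    consulted: List[str] = []
    for control, module in stack:
        ok = results.get(module, True)
        consulted.append(module)
        if control == "required" and not ok:
            failed_required = True
        elif control == "requisite" and not ok:
            return False, consulted
        elif control == "sufficient" and ok and not failed_required:
            return True, consulted
    return not failed_required, consulted


def modules_that_must_succeed(stack: Stack) -> List[str]:
    """Modules whose failure always denies access (required or requisite)."""
    return [module for control, module in stack if control in ("required", "requisite")]


if __name__ == "__main__":
    stacks = parse_pam_conf(PAM_CONF)
    for key in (("login", "auth"), ("other", "auth")):
        print(key, "must succeed:", modules_that_must_succeed(stacks[key]))
        print("  LDAP bind fails, local password ok ->",
              evaluate_stack(stacks[key], {"pam_ldap.so.1": False}))
        print("  LDAP bind ok                       ->",
              evaluate_stack(stacks[key], {"pam_ldap.so.1": True}))
```

Running it shows the asymmetry in the posted file: in the login stack pam_ldap is required, so an LDAP bind failure denies the login even when pam_unix_auth succeeds, whereas in the other stack it is sufficient, so a successful LDAP bind ends the stack before pam_unix_auth is consulted.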
[Fedora-directory-users] Re: getting sh on RHAS5 to work with FDS.
by Howard Chu
> Date: Tue, 18 Sep 2007 08:39:55 -0600
> From: Richard Megginson <rmeggins(a)redhat.com>
> Yes, very.
> http://directory.fedoraproject.org/wiki/Howto:SSL#Basic_Steps
> <quote>
>
> NOTE - *Do not use cn=server-cert for your server certificate*. In step
> 7 of the linked instructions, it says to use certutil .... -s
> cn=server-cert - this will cause clients to fail to validate the cert.
> Instead, you must use the fully qualified domain name of your server
> host as the value of the cn attribute in the subject DN. For example, if
> your directory server hostname is foo.example.com, use
Also look at the constraints in RFC4513, section 3.1.3. Use subjectAltName
extensions to get more flexibility here.
>
> ../shared/bin/certutil -S -n "Server-Cert" -s cn=foo.example.com -c "CA certificate" \
> -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
>
> to generate your server cert. This is the minimum. You may wish to
> provide your clients with more details about your server. For more
> information, see RFC 1485 <http://www.ietf.org/rfc/rfc1485.txt>. You
> could choose to specify the subject DN like this:
>
> ../shared/bin/certutil ... -s "cn=foo.example.com,ou=engineering,o=example corp,c=us" ...
>
> </quote>
>
> Note that this also means that if you use cn=foo.example.com, clients
> must be able to resolve the server's IP address to "foo.example.com". If
> you don't care/can't do this, then use TLS_REQCERT never in your
> /etc/openldap/ldap.conf to make ldapsearch stop complaining. I highly
> recommend you do not do this though.
Agreed, bad idea. By the way, the OpenLDAP libraries never do a DNS lookup on
the name you provide, so whether the name resolves or not doesn't matter. We
expect the name passed in to exactly match the CN, or to match the subjectAltName.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
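The thread's point is that the name a client was configured with is compared textually against the certificate, with no DNS lookup, and that subjectAltName gives more room than a single cn. As an added example (not from the thread, the wiki, or the OpenLDAP code), the following Python implements the RFC 4513 section 3.1.3 comparison over certificate fields that are passed in already parsed, so it runs without a TLS library; CertIdentity and server_identity_matches are names chosen here, and the certificates in the demonstration are constructed.

```python
"""Match an LDAP server's reference identity against its certificate the way
RFC 4513 section 3.1.3 describes.

Added example, not from the thread. Certificate fields are supplied already
parsed (subject CN, subjectAltName dNSName and iPAddress values); CertIdentity
and server_identity_matches are names chosen here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    """Identity-bearing fields of a server certificate (constructed input)."""
    subject_cn: str = ""
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _is_ip(reference: str) -> bool:
    try:
        ipaddress.ip_address(reference)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS comparison. A '*' is honoured only as the whole
    leftmost label and stands for exactly one label, so *.example.com
    matches foo.example.com but neither example.com nor a.b.example.com."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    if not p.startswith("*.") or "*" in p[2:]:
        return False                      # a wildcard anywhere else is rejected
    labels = h.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == p[2:]


def server_identity_matches(reference: str, cert: CertIdentity) -> bool:
    """True when the certificate asserts the identity the client was given.

    The reference identity is the hostname or IP the client was configured
    with, never a name obtained by resolving that address (as the thread
    notes, no DNS lookup takes part in the comparison). An IP reference must
    appear as an iPAddress subjectAltName; a DNS reference is compared with
    the dNSName subjectAltName values, and with the subject CN only when the
    certificate carries no dNSName values at all.
    """
    ref = reference.strip()
    if _is_ip(ref):
        return any(ipaddress.ip_address(ref) == ipaddress.ip_address(ip) for ip in cert.san_ip)
    if cert.san_dns:
        return any(_dns_match(name, ref) for name in cert.san_dns)
    return bool(cert.subject_cn) and _dns_match(cert.subject_cn, ref)


if __name__ == "__main__":
    # The certificate the wiki warns about: cn=server-cert cannot match any host.
    print(server_identity_matches("foo.example.com", CertIdentity(subject_cn="server-cert")))      # False
    print(server_identity_matches("foo.example.com", CertIdentity(subject_cn="foo.example.com")))  # True
    print(server_identity_matches("foo.example.com",
                                  CertIdentity(subject_cn="server-cert", san_dns=["*.example.com"])))  # True
```

The last case shows the flexibility mentioned above: a certificate whose cn is unusable still validates for every direct child of example.com through its dNSName subjectAltName, and an IP address in the client configuration validates only against an iPAddress subjectAltName, never against the cn.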
[Fedora-directory-users] question about certificate
by Elisa Pellegrini
Hi!
I don't know if this is the right email address to ask about my problem..
I'm using Fedora Directory Server to implement LDAP.
The problem is about a certificate: I created a certificate but it is impossible to use it because the issuer's certificate is not recognized. How can I solve this problem? With the console I set the CA cert name and edited the trust. Is it necessary to set the certmap mappingName issuerDN in the certmap.conf file? I tried to do this but nothing changed.
Sorry for my bad english!
Thanks!
[Fedora-directory-users] Password Expiration Warning notification
by Raj Seenivasan
Is there an option in FDS for password expiration warning message to go out
via email?
We have a few applications that use FDS but none of them report on password
expiration.
SSH displays the warning but there are users who don't use ssh.
Any help is highly appreciated.
Thanks much.
[Fedora-directory-users] help....unable to start fedora server
by bikas gurung
Hi all,
I'm certainly in deep s*&#t now. I just updated my file-server with new
updates and patches and tried to reboot it; but it hung: reason - Kernel
Panic. So I had to shutdown the system manually and had to run 'fsck'
manually afterwards. Everything seemed to run well afterwards. But today
evening I found that I was not able to connect my pc to file-server. When I
checked, it turns out that 'slapd' daemon wasn't started at all. I manually
tried to start the server using the scripts (in /rc.d/init.d ) but got an
error. Here's an error logged in log file:
Fedora-Directory/1.0.2 B2006.060.1928
isec-file:636 (/opt/fedora-ds/slapd-isec-file)
[17/Sep/2007:20:52:06 -0500] - Fedora-Directory/1.0.2 B2006.060.1928starting up
[17/Sep/2007:20:52:06 -0500] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[17/Sep/2007:20:52:06 -0500] - libdb: Ignoring log file:
/opt/fedora-ds/slapd-isec-file/db/log.0000000206: magic number 0, not 40988
[17/Sep/2007:20:52:06 -0500] - libdb: Invalid log file: log.0000000206:
Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: DB_RUNRECOVERY: Fatal error,
run database recovery
[17/Sep/2007:20:52:06 -0500] - Database Recovery Process FAILED. The
database is not recoverable. err=-30978: DB_RUNRECOVERY: Fatal error, run
database recovery
[17/Sep/2007:20:52:06 -0500] - Please make sure there is enough disk space
for dbcache (10485760 bytes) and db region files
[17/Sep/2007:20:52:06 -0500] - start: Failed to init database, err=-30978
DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm database
[17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance userRoot already
exists
[17/Sep/2007:20:52:06 -0500] - WARNING: ldbm instance NetscapeRoot already
exists
[17/Sep/2007:20:52:06 -0500] binder-based resource limits -
nsLookThroughLimit: parameter error (slapi_reslimit_register() already
registered)
[17/Sep/2007:20:52:06 -0500] - start: Resource limit registration failed
[17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm database
[17/Sep/2007:20:52:06 -0500] - Error: Failed to resolve plugin dependencies
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin 7-bit check is not
started
[17/Sep/2007:20:52:06 -0500] - Error: accesscontrol plugin ACL Plugin is not
started
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin ACL preoperation
is not started
[17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Class of Service
is not started
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin HTTP Client is not
started
[17/Sep/2007:20:52:06 -0500] - Error: database plugin ldbm database is not
started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Legacy Replication
Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Multimaster Replication
Plugin is not started
[17/Sep/2007:20:52:06 -0500] - Error: postoperation plugin Roles Plugin is
not started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Views is not started
As all the client machines depend upon this server for authentication and as
weekend is still far away, I'm in big trouble now. I'm quite clueless what
to do and would really appreciate any kind of help. And no, unfortunately I
don't have a backup to fall back to.
Thanking you in advance
bikas
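The errors log above carries everything needed to triage the failed start: the unclean-shutdown detection, the transaction log file libdb refused, the recovery verdict, and the list of plugins left unstarted. As an added example (not from the post or from Fedora Directory Server), the following Python parses that log format, rejoins the wrapped lines, and reduces the startup sequence to a short report; SAMPLE_LOG is constructed from the excerpt above (shortened to the lines that matter) and parse_error_log and triage_db_startup are names chosen here.

```python
"""Triage a Fedora Directory Server errors log for a failed database start.

Added example; SAMPLE_LOG is constructed from the errors-log excerpt in the
post above (shortened), and parse_error_log / triage_db_startup are names
chosen here.
"""
import re
from datetime import datetime
from typing import Dict, List

SAMPLE_LOG = """\
Fedora-Directory/1.0.2 B2006.060.1928
isec-file:636 (/opt/fedora-ds/slapd-isec-file)
[17/Sep/2007:20:52:06 -0500] - Fedora-Directory/1.0.2 B2006.060.1928starting up
[17/Sep/2007:20:52:06 -0500] - Detected Disorderly Shutdown last time
Directory Server was running, recovering database.
[17/Sep/2007:20:52:06 -0500] - libdb: Ignoring log file:
/opt/fedora-ds/slapd-isec-file/db/log.0000000206: magic number 0, not 40988
[17/Sep/2007:20:52:06 -0500] - libdb: Invalid log file: log.0000000206:
Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: Invalid argument
[17/Sep/2007:20:52:06 -0500] - libdb: PANIC: DB_RUNRECOVERY: Fatal error,
run database recovery
[17/Sep/2007:20:52:06 -0500] - Database Recovery Process FAILED. The
database is not recoverable. err=-30978: DB_RUNRECOVERY: Fatal error, run
database recovery
[17/Sep/2007:20:52:06 -0500] - start: Failed to init database, err=-30978
DB_RUNRECOVERY: Fatal error, run database recovery
[17/Sep/2007:20:52:06 -0500] - Failed to start database plugin ldbm database
[17/Sep/2007:20:52:06 -0500] - Error: Failed to resolve plugin dependencies
[17/Sep/2007:20:52:06 -0500] - Error: preoperation plugin 7-bit check is not
started
[17/Sep/2007:20:52:06 -0500] - Error: accesscontrol plugin ACL Plugin is not
started
[17/Sep/2007:20:52:06 -0500] - Error: object plugin Views is not started
"""

# "[dd/Mon/yyyy:HH:MM:SS +zzzz] - message"; the "- " is missing on some lines.
LINE_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\] (?:- )?(.*)$")
LOGFILE_RE = re.compile(r"Ignoring log file: (\S+?): magic number")
PLUGIN_RE = re.compile(r"Error: \w+ plugin (.+?) is not started")


def parse_error_log(text: str) -> List[Dict]:
    """Split the log into entries. A line without a timestamp is a wrapped
    continuation of the previous entry; lines before the first entry (the
    version banner) are ignored."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append({
                "time": datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"),
                "tz": m.group(2),
                "msg": m.group(3).strip(),
            })
        elif entries and raw.strip():
            entries[-1]["msg"] += " " + raw.strip()
    return entries


def triage_db_startup(entries: List[Dict]) -> Dict:
    """Pull out the facts an administrator needs after a failed start: whether
    an unclean shutdown was detected, which transaction log file libdb
    rejected, the recovery errors, and the plugins left unstarted."""
    report: Dict = {
        "disorderly_shutdown": False,
        "recovery_failed": False,
        "rejected_log_files": [],
        "db_errors": [],
        "plugins_not_started": [],
        "first_error_time": None,
    }
    for e in entries:
        msg = e["msg"]
        if "Detected Disorderly Shutdown" in msg:
            report["disorderly_shutdown"] = True
        m = LOGFILE_RE.search(msg)
        if m:
            report["rejected_log_files"].append(m.group(1))
        if "PANIC" in msg or "DB_RUNRECOVERY" in msg:
            report["db_errors"].append(msg)
            if report["first_error_time"] is None:
                report["first_error_time"] = e["time"]
        if "Database Recovery Process FAILED" in msg:
            report["recovery_failed"] = True
        m = PLUGIN_RE.search(msg)
        if m:
            report["plugins_not_started"].append(m.group(1))
    report["needs_intervention"] = report["recovery_failed"] or bool(report["db_errors"])
    return report


if __name__ == "__main__":
    for key, value in triage_db_startup(parse_error_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The report names the exact transaction log file whose header libdb could not read, which is the file to look at (and to preserve a copy of) before deciding between running the server's database recovery and restoring from elsewhere; the long tail of "plugin ... is not started" lines is a consequence of the ldbm plugin failing, not a separate problem.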
[Fedora-directory-users] ssh login fail
by Steven Jones
Hi,
I am trying to get a RHEL4 box to LDAP authenticate against FDS (also on
RHEL4) and failing.....
In the logs (messages) I have,
Sep 10 13:30:52 vuwunicvfwall02 sshd(pam_unix)[2284]: authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
Can't contact LDAP server
Sep 10 13:30:52 vuwunicvfwall02 sshd[2284]: pam_ldap: ldap_simple_bind
Can't contact LDAP server
Sep 10 13:31:05 vuwunicvfwall02 sshd(pam_unix)[2284]: 2 more
authentication failures; logname= uid=0 euid=0 tty=ssh ruser=
rhost=vuwunicvadmin02.res.vuw.ac.nz user=jonesst1
Any ideas why? And how to fix? Also is there a way to search the archive
for this list?
When I do a,
ldapsearch -x -h 130.195.87.249 -b dc=vuw,dc=ac,dc=nz "(ou=Users)"
The server replies so FDS appears to be running OK....
Also is there a way to search the archive for this list? I have tried
Googling with no luck...
regards
Steven Jones
Senior Linux/Unix/San/Vmware System Administrator
APG -Technology Integration Team
Victoria University of Wellington
Phone: +64 4 463 6272
[Fedora-directory-users] FDS and OpenLDAP integration
by Matteo Angelino
Hello,
in my organization I have a master LDAP server based on OpenLDAP. Now
I have installed a new LDAP server (slave) based on Fedora Directory
Server.
The OpenLDAP server has a replica directive in the configuration
file to replicate modifications to the FDS server. Modifying entries that exist
on the master server works fine.
The problem is in the insert of a new user into the master server. When
I try to insert a new user from the following ldif, I see an error in
the insert.
testuser.ldif:
dn: uid=testuser, dc=studenti, dc=unipmn,dc=it
givenName: TEST
postalCode: 1920
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e21kNX0rcmM3V2xoeE9QcnZLc0MvdlJtRlZnPT0=
mail: roberto.pinna(a)studenti.unipmn.it
uid: testuser
uidNumber: 6763578
cn: TEST USER
carLicense: PNNRRT73B26A182A
loginShell: /bin/bash
gidNumber: 100
homeDirectory: /home/test
sn: TEST
Error from FDS error log:
Entry "uid=testuser,dc=studenti,dc=unipmn,dc=it" -- attribute
"structuralobjectclass" not allowed
Error from slurpd (on master openLDAP server):
Error: ldap_add_s failed adding DN
"uid=testuser,dc=studenti,dc=unipmn,dc=it": attribute
"structuralobjectclass" not allowed
Information from the reject file of slurpd:
ERROR::
T2JqZWN0IGNsYXNzIHZpb2xhdGlvbjogYXR0cmlidXRlICJzdHJ1Y3R1cmFsb2JqZWN0Y2
xhc3MiIG5vdCBhbGxvd2VkCg==
replica: db.mfn.unipmn.it:389
time: 1189156318.0
dn: uid=testuser,dc=studenti,dc=unipmn,dc=it
changetype: add
givenName: TEST
postalCode: 1920
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e21kNX0rcmM3V2xoeE9QcnZLc0MvdlJtRlZnPT0=
uid: testuser
mail: roberto.pinna(a)studenti.unipmn.it
uidNumber: 6763578
cn: TEST USER
carLicense: PNNRRT73B26A182A
loginShell: /bin/bash
gidNumber: 100
homeDirectory: /home/test
sn: TEST
structuralObjectClass: inetOrgPerson
entryUUID: 21363b50-f16e-102b-96d1-e14b33466425
creatorsName: cn=manager,dc=unipmn,dc=it
createTimestamp: 20070907091157Z
entryCSN: 20070907091157Z#000000#00#000000
modifiersName: cn=manager,dc=unipmn,dc=it
modifyTimestamp: 20070907091157Z
I have seen that structuralobjectclass is not defined in the
attributes available in FDS.... how can I resolve the problem?
Thanks in advance
--------------------------------------------------------------
Matteo Angelino
Dipartimento di Informatica
Via Bellini 25\G
15100 Alessandria
ITALY
Tel: +39 0131 360375
Email: matteo.angelino(a)mfn.unipmn.it
--------------------------------------------------------------
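The reject-file record above is the rejected add in LDIF form, prefixed by slurpd's ERROR, replica and time lines, and the attributes at its tail (structuralObjectClass, entryUUID, entryCSN, creatorsName and the rest) are ones OpenLDAP generates and maintains itself. As an added example (not from the thread, OpenLDAP or Fedora Directory Server), the following Python parses such a record, decodes the base64 ERROR value, drops those operational attributes, and re-emits the add as LDIF that can be replayed against the consumer; REJECT_RECORD is constructed from the excerpt above (with the ERROR value folded as LDIF folds long lines), the attribute list is an assumption since the thread only shows structuralObjectClass being rejected, and the function names are chosen here.

```python
"""Replay a slurpd reject-file record against a server that does not know
OpenLDAP's operational attributes.

Added example, not from the thread. REJECT_RECORD is constructed from the
reject-file excerpt above; OPENLDAP_OPERATIONAL and the function names are
chosen here.
"""
import base64
from typing import Dict, List, Tuple

Record = List[Tuple[str, str, bool]]     # (attribute, value as written, is_base64)

# Attributes OpenLDAP generates and maintains itself; another server produces
# its own, so they are dropped before the add is replayed. Assumed list: the
# thread only shows structuralObjectClass being rejected.
OPENLDAP_OPERATIONAL = {
    "structuralobjectclass", "entryuuid", "entrycsn", "contextcsn", "entrydn",
    "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp",
}

REJECT_RECORD = """\
ERROR:: T2JqZWN0IGNsYXNzIHZpb2xhdGlvbjogYXR0cmlidXRlICJzdHJ1Y3R1cmFsb2JqZWN0Y2
 xhc3MiIG5vdCBhbGxvd2VkCg==
replica: db.mfn.unipmn.it:389
time: 1189156318.0
dn: uid=testuser,dc=studenti,dc=unipmn,dc=it
changetype: add
givenName: TEST
postalCode: 1920
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e21kNX0rcmM3V2xoeE9QcnZLc0MvdlJtRlZnPT0=
uid: testuser
mail: roberto.pinna(a)studenti.unipmn.it
uidNumber: 6763578
cn: TEST USER
carLicense: PNNRRT73B26A182A
loginShell: /bin/bash
gidNumber: 100
homeDirectory: /home/test
sn: TEST
structuralObjectClass: inetOrgPerson
entryUUID: 21363b50-f16e-102b-96d1-e14b33466425
creatorsName: cn=manager,dc=unipmn,dc=it
createTimestamp: 20070907091157Z
entryCSN: 20070907091157Z#000000#00#000000
modifiersName: cn=manager,dc=unipmn,dc=it
modifyTimestamp: 20070907091157Z
"""


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the line above."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def split_attr(line: str) -> Tuple[str, str, bool]:
    """'attr: value' -> (attr, value, False); 'attr:: b64' -> (attr, b64, True)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.strip(), rest[1:].strip(), True
    return attr.strip(), rest.strip(), False


def parse_reject(text: str) -> Tuple[Dict[str, str], Record]:
    """Separate slurpd's header lines (ERROR, replica, time) from the change
    record that starts at dn:. Base64 header values are decoded; record
    values are kept exactly as written."""
    header: Dict[str, str] = {}
    record: Record = []
    for line in unfold(text):
        attr, value, is_b64 = split_attr(line)
        if not record and attr.lower() != "dn":
            header[attr] = base64.b64decode(value).decode("utf-8") if is_b64 else value
        else:
            record.append((attr, value, is_b64))
    return header, record


def strip_operational(record: Record, drop=OPENLDAP_OPERATIONAL) -> Tuple[Record, List[str]]:
    """Return (record without operational attributes, names that were dropped)."""
    kept = [entry for entry in record if entry[0].lower() not in drop]
    dropped = [entry[0] for entry in record if entry[0].lower() in drop]
    return kept, dropped


def to_ldif(record: Record) -> str:
    """Render the record as LDIF ready for ldapmodify."""
    return "".join(f"{a}:: {v}\n" if b64 else f"{a}: {v}\n" for a, v, b64 in record)


if __name__ == "__main__":
    header, record = parse_reject(REJECT_RECORD)
    print("slurpd reported:", header["ERROR"].strip())
    kept, dropped = strip_operational(record)
    print("dropped:", ", ".join(dropped))
    print(to_ldif(kept))
```

Decoding the ERROR value gives the consumer's full message (an object class violation on structuralobjectclass), and the filtered output keeps the userPassword value in its original base64 form so the hash is replayed unchanged. This fixes up a one-off replay of the rejected record; the master will keep sending the same attributes on later adds until its replication configuration is changed, which the thread does not cover.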
[Fedora-directory-users] samba + Directory server + windows client
by Satish Patel
Dear all
I am going to implement an Intranet server in my organization. I'm very interested in FDS. Now the thing is that my users are on Windows clients and I am installing samba 4.0 as a PDC. So is it possible that I can create group policy or network control through FDS + samba PDC?
I mean I don't want to give network access to a specific user, or not give access to the telnet command, or something like that, which is possible on a Windows 2003 PDC.
Will it support all policies on an open source setup???
Regards
satish patel
$ cat ~/satish/url.txt
http://www.linuxbug.org