[Fedora-directory-users] Migrating Netscape DS to FDS
by Dave
Hi, I have an old Netscape Directory Server version 4.1 (circa 2001)
that I need to migrate to Fedora Directory Server, but I am confused as
to the proper migration path.
I've been reading the Red Hat DS install guides at
http://www.redhat.com/docs/manuals/dir-server/ (as there doesn't
appear to be as comprehensive a guide for Fedora DS).
The Red Hat DS 8.0 guide says that migrating Netscape DS 4.x is not
supported (only version 6 and above), so I read the Red Hat DS 6.0
install guide and it says that Netscape DS 4.x is indeed supported.
So am I right to presume that a step-upgrade will be required, from my
current version 4.x to 6.x and then to the current version 8.0?
Also, what version of the Fedora-DS is equivalent to Red Hat DS 6.0?
Thanks -Dave
p.s. If somebody can tell me how to search this list's archives that
would be much appreciated!
15 years, 5 months
[Fedora-directory-users] Windows Sync Certificate Trouble?
by Glenn
All of a sudden, Windows Sync is broken and I'm getting this error message in
the Fedora Directory 1.0.4 log:
[02/Oct/2008:06:08:10 -0500] NSMMReplicationPlugin - agmt="cn=AD-LawFacultyStaff" (boccherini:636): Simple bind failed, LDAP sdk error 81 (Can't contact LDAP server), Netscape Portable Runtime error -8181 (Peer's Certificate has expired.)
The problem is that no certificate has expired. I checked them all, and they
are still valid. Anyone got a clue? Thanks. -G.
15 years, 6 months
[Fedora-directory-users] Letting users see a tree in the console.
by Ray Van Dolson
Not a big LDAP guy, just trying to get a task done fairly quickly. :)
I want to give a user access to cn=OracleContext,dc=example,dc=com in
my Fedora DS setup (v1.0.4). I've created the user:
uid=ouser,ou=People,dc=example,dc=com
And set an ACI on cn=OracleContext,dc=example,dc=com:
(targetattr = "*")
(target = "ldap:///cn=OracleContext,dc=example,dc=com")
(version 3.0;
acl "OracleACI";
allow (all)
(userdn = "ldap:///uid=ouser,ou=People, dc=example,dc=com")
;)
Just for giggles, I also set one on dc=example,dc=com as well:
(targetattr = "*") (target = "ldap:///dc=example, dc=com")
(version 3.0;acl "OracleACI";allow (all)
(userdn = "ldap:///uid=ouser,ou=People, dc=example,dc=com");)
Via ldapsearch, this user can see everything I'd expect (at least under
the OracleContext container), but when I log in as the user to the Java
console, the only objects I see available in the tree are schema,
monitor and config.
Why can't this user see the dc=example,dc=com tree? I don't see any
way to set ACIs at a higher level...
Thanks,
Ray
15 years, 6 months
[Fedora-directory-users] Windows Sync service - unsupported attribute when syncing
by Jonas Courteau
Hello:
I've got the Windows Sync service set up to sync with an AD server. For
some unknown reason, several of the groups on the AD server have an
email address and the mail:, the mailNickname: and several
exchange-related attributes set.
How would I go about modifying the schema that the Windows Sync service
is using to create the groups on the DS side of things? I believe
adding the mailrecipient object class should do the trick, but I can't
find any documentation on doing this.
Alternately, if there's a way of just dropping incompatible attributes
when syncing, that would work too. The error I currently get when
syncing:
Entry "cn=Support,ou=Groups, dc=example, dc=com" -- attribute "mail" not allowed
NSMMReplicationPlugin - add operation of entry cn=Support,ou=Groups, dc=example, dc=com returned: 65
Any suggestions would be helpful!
- Jonas
15 years, 6 months
[Fedora-directory-users] GOsa install
by Alan Orlič Belšak
Hello,
Maybe someone will be able to help me. During the installation of GOsa I get
the following error message:
LDAP error: Object class violation (unknown object class "gosaAccount"
How do I add a new object class with that name, and are there any extra things
to do?
Bye, Alan
15 years, 6 months
[Fedora-directory-users] Replicating o=NetscapeRoot for admin server failover
by John Dickinson
Hi,
Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.
I am trying to replicate o=NetscapeRoot for admin server failover and
having a few problems.
(I have read http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication...)
The detailed notes I have written on the steps for doing this can be
found here http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/
In short I
1. have server 1 already running
2. Add replication info to server 1
3. Install server 2
4. on server 2 run setup-ds.pl -f /tmp/config.inf
5. On server 1 initialize the consumer
So now server 2 has the replicated o=netscaperoot
6. on server 2 run register-ds-admin.pl
When I do this I can connect with the console to server 1 and see both
servers listed. I can browse the ds and admin console for server 1 OK.
However, if I double click to open the directory console for server 2
and click on the configuration tab I get a message saying that
uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
doesn't have permission to perform this operation. If I connect as
cn=Directory Manager it works fine.
The difference seems to be that server 2 lacks the following entries
in the slapd-server2/dse.ldif
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=server1.example.com, ou=example.com, o=NetscapeRoot";)
Adding them to dse.ldif on server 2 seems to fix things but I don't
understand why they don't exist on server 2 and am concerned that this
is a sign of something that I have failed to do correctly.
Also what is the correct way to specify password in
nsDS5ReplicaCredentials and userPassword when a) using ldapmodify or
b) editing dse.ldif? The documentation seems to say that you should
use the hash of the password but that seems to give odd results. Plain
text passwords seem to work...
Thanks
John
15 years, 6 months
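The comparison John describes between the two servers' dse.ldif files can be scripted; the following is an added example, not part of the original post or of Fedora DS. It unfolds LDIF continuation lines and reports, per entry, the acl names present on a reference server but absent on the other. Assumptions: the sample fragments are constructed, the ACIs are placed on cn=config for illustration, and base64-encoded (`aci::`) values are not decoded.

```python
import re

ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"')

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def aci_names(ldif_text):
    """Return {entry DN: set of acl names} for every entry that carries aci values."""
    found, dn = {}, None
    for line in unfold(ldif_text):
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:
            dn = None  # a blank line ends the current entry
        elif attr == "dn":
            dn = re.sub(r"\s*,\s*", ",", value.lower())
        elif attr == "aci" and dn:
            m = ACL_NAME.search(value)
            found.setdefault(dn, set()).add(m.group(1) if m else value)
    return found

def missing_acis(reference_ldif, candidate_ldif):
    """Per entry, list acl names present in the reference but absent in the candidate."""
    ref, cand = aci_names(reference_ldif), aci_names(candidate_ldif)
    return {dn: sorted(names - cand.get(dn, set()))
            for dn, names in ref.items() if names - cand.get(dn, set())}

# Constructed sample fragments; placing the ACIs on cn=config is an assumption.
SERVER1 = """dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=T
 opologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=N
 etscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=ser
 ver1.example.com, ou=example.com, o=NetscapeRoot";)
"""
SERVER2 = "dn: cn=config\nobjectClass: top\n"
print(missing_acis(SERVER1, SERVER2))
```

Comparing by acl name rather than by full value avoids false differences from per-server strings such as the slapd instance name in the "SIE Group" groupdn.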