[Fedora-directory-users] DSGW user authorization problem
by Lev Dudko
Dear Directory server experts,
could you help me, please, to solve the problem with DSGW
authorization.
I have successfully set up FDS on Fedora 9 with
setup-ds-admin.pl,
set up SSL with the help of the script from this page:
http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
and ran setup-ds-dsgw.
Now, the directory server works, administration server works and
I can configure everything in DS and Admin server with console
fedora-idm-console -a https://localhost:9830
I can point my browser to https://localhost:9830 and use DSGW to
search successfully,
but I cannot authorize: when I try to authorize as some user
(a normal user, Directory Manager or admin) I get the error:
Authentication Failed
Authentication failed because the password you supplied is incorrect.
Please click the Retry button and try again. If you have forgotten the
password for this entry, a directory administrator must reset the
password for you.
Of course, I am sure that the password is correct. There is not much
useful information in the log files. The
executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.
I have read the available documentation rather carefully, but did not find the
answer. It looks like one of the solutions is to use the binddnfile directive
with a special text file, but it seems strange to me that it is
impossible to use normal LDAP authorization with DSGW.
Did I miss something during the configuration or forget to add some
special ACL?
Lev
15 years, 5 months
[Fedora-directory-users] Restored dirsrv on another system but now it does not return any entries for queries
by Richard Sharpe
Hi,
I was trying to move our dirsrv to another machine, so I installed
Fedora-DS on the new server, backed up the original machine, restored
it on the new server, which seemed to go OK.
If I do "ldapsearch -x '*'" on the new server, I seem to get the
correct results, however, if I do 'getent passwd' I do not get any
entries from dirsrv.
I grabbed packet captures from doing 'getent passwd' where LDAP points
at the original dirsrv server and the new one (boy, I knew that all
that work I did on Ethereal would come in handy one day) and the
difference is that against the original dirsrv server I get back all
the posixAccount (or something) entries, but against the new dirsrv
server, I get back zero entries. However, the queries are the same.
The log file on the new dirsrv server also says zero entries returned.
What have I forgotten? I haven't yet switched on lots of debugging to
find out what is wrong on the new server, but I guess that is the next
step if no one can think of something obvious I have done wrong.
--
Regards,
Richard Sharpe
15 years, 5 months
[Fedora-directory-users] Unable to access server group
by Matt Adams
Folks:
We recently changed the name of our LDAP server. We had a domain name
change, so ldaphost.subdomain.example.org effectively became
ldaphost.new.subdomain.example.org.
I changed every instance of subdomain.example.org throughout the Fedora
DS configuration files and LDAP tree under o=NetscapeRoot. Everything
appears to run okay: the directory server and admin server start up,
answer queries and none of the integrated applications have had any
trouble with this change.
The only problem seems to be that I cannot access either the admin
server or directory server through the Fedora management console. The
"Server Group" entry under our administrative domain & host is empty
(e.g., Administrative Server & Directory Server refuse to show up like
they used to).
Does anyone have any idea what might be happening here? I cannot find
any errors that stand out in the logs.
FWIW, we are running 1.0.4.
Thanks in advance,
Matt
--
Matt Adams
Development & Network Services
Cypress Interactive
http://cypressinteractive.com, http://edsuite.com
15 years, 5 months
[Fedora-directory-users] Personal Address book In FDS
by stupid stupid
Hello,
I am new to FDS and LDAP world. I have installed FDS on a server and would
like to use it for Address book lookup.
The address book lookup is working from different mail clients,
but I wanted to know how to allow users to add their own Personal Address
book entries to the Fedora DS.
Please help.
Thanks
15 years, 5 months
[Fedora-directory-users] surgery on existing directory
by Graham Seaman
Hi,
I have an existing populated directory supporting a live application.
The next development version will have some fairly large scale changes -
changes to schema, objectClasses, attribute names and attribute values -
but I can't lose the actual data we already have.
The approach I've been trying is:
1. Use db2ldif to dump the groups and users (the only bit of the data
which is 'mine') from the live directory on the live system:
/usr/lib/dirsrv/slapd-flame/db2ldif -U -n userRoot -a /opt/backups/original.ldif -s "dc=lse,dc=ac,dc=uk" -s "ou=My Groups" -s "ou=My Users"
2. Edit the ldif file with the changes I need
3. Load the ldif file into a new fedora directory on my development
system with ldif2db.pl:
/usr/lib/dirsrv/slapd-dam/ldif2db.pl -D "cn=directory manager" -w MYPASS -n userRoot -s "dc=lse,dc=ac,dc=uk" -s "ou=New Groups" -s "ou=New Users" -i /opt/backups/new.ldif
ldif2db.pl terminates almost immediately, clearly without having read
most of the file. The fedora log shows:
[14/Nov/2008:11:35:54 +0000] conn=2 op=1 ADD dn="cn=import_2008_11_14_11_35_55, cn=import, cn=tasks, cn=config"
[14/Nov/2008:11:35:54 +0000] conn=2 op=1 RESULT err=0 tag=105 nentries=0 etime=0
If I repeat the operation I get 'operation error'; and if I try to
access the directory, it appears to be completely empty.
So, two questions:
- is this a reasonable way to go about this task, or are there other
tools I should use?
- any suggestions for debugging?
Thanks
Graham
15 years, 5 months
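For step 2 of the procedure above (editing the dump between db2ldif and ldif2db.pl), an added example that is not code from the thread or from Fedora DS: it unfolds LDIF continuation lines, decodes base64 (`::`) values, applies attribute and container renames, and also rewrites DN-valued attributes such as uniqueMember so group membership still resolves after ou=My Groups and ou=My Users become ou=New Groups and ou=New Users. The attribute rename and the sample entry are constructed for illustration; only the two ou renames come from the post.

```python
import base64
# Constructed mappings; only the two ou renames come from the post above.
ATTR_RENAME = {"oldattr": "newAttr"}             # hypothetical attribute rename (keys lower-case)
CONTAINER_RENAME = {"ou=My Groups": "ou=New Groups", "ou=My Users": "ou=New Users"}

def parse_ldif(text):
    """Entries as lists of (attr, value); unfolds ' ' continuation lines, decodes '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                 # folded continuation of the previous line
        else:
            lines.append(raw)
    entries, cur = [], []
    for line in lines + [""]:                    # the extra "" flushes the last entry
        if line == "":
            if cur: entries.append(cur)
            cur = []
        elif line[:1] != "#" and not line.startswith("version:"):
            name, _, value = line.partition(":")
            value = base64.b64decode(value[1:].strip()).decode() if value[:1] == ":" else value.lstrip(" ")
            cur.append((name, value))
    return entries

def transform(entries):
    """Apply the renames; DN-valued attributes move too, so group membership does not dangle."""
    out = []
    for entry in entries:
        new = []
        for name, value in entry:
            if name.lower() in ("dn", "uniquemember", "member", "owner"):
                for old, repl in CONTAINER_RENAME.items():
                    value = value.replace(old, repl)
            new.append((ATTR_RENAME.get(name.lower(), name), value))
        out.append(new)
    return out

def to_ldif(entries):
    """Serialize; values LDIF cannot carry plainly (non-ASCII, leading ' ', ':' or '<') go base64."""
    def fmt(name, value):
        plain = value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<")
        return f"{name}: {value}" if plain else f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return "version: 1\n\n" + "\n\n".join("\n".join(fmt(n, v) for n, v in e) for e in entries) + "\n"

# Constructed sample in the shape of a db2ldif dump: one group with a folded and a base64 value.
SAMPLE = """dn: cn=editors,ou=My Groups,dc=lse,dc=ac,dc=uk
uniqueMember: uid=gseaman,ou=My Users,dc=lse,dc=ac,dc=uk
oldAttr: a value that db2ldif
  folded onto a second line
description:: R3JhaGFtJ3MgZ3JvdXA=
"""
```

Running `to_ldif(transform(parse_ldif(SAMPLE)))` yields the rewritten dump ready for the `-i` argument of ldif2db.pl.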
[Fedora-directory-users] I can not write dse.ldif file
by Hugo Etievant
hello,
When I do some updates in the content of the dse.ldif file for an
instance (/etc/dirsrv/slapd-instance/), my file is rewritten and restored
back to the previous version automatically by FDS without my permission!
How can I ensure the durability of my updates to this config file?
regards
--
* Hugo Étiévant
*
15 years, 5 months
[Fedora-directory-users] Frequency of sync windows
by Hugo Etievant
hello,
The admin manual says: "Synchronization occurs every five minutes.
However, an incremental update can be done manually if there are changes
that need synchronized immediately." (
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/
Windows_Sync-Using_Windows_Sync.html )
But my tests show that the sync of user accounts, passwords and
entry attributes happens in real time between FDS and Active
Directory without forcing the "receive and send update" action in Fedora IDM
Console!
What are the real rules and frequencies of synchronization?
How can we change those parameters?
regards
--
* Hugo Étiévant
***
15 years, 5 months
[Fedora-directory-users] Errors when a full re-sync is initiated in Windows Sync. Could temp. changes in binding-user rights be the cause?
by Erling Ringen Elvsrud
When right clicking on the win-sync agreement and selecting initiate
full re-synchronization I get these errors in
/var/log/dirsrv/slapd-xyz/errors:
"[10/Nov/2008:08:05:52 +0100] NSMMReplicationPlugin - changelog
program - libdb: txn_checkpoint: failed to flush the buffer cache No
such file or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program
- libdb: 26fdcb82-912411dd-8d71b7a1-43daa7e9_48e5d6030000ffff0000.db4:
unable to flush: No such file or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program
- libdb: txn_checkpoint: failed to flush the buffer cache No such file
or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program
- libdb: 26fdcb82-912411dd-8d71b7a1-43daa7e9_48e5d6030000ffff0000.db4:
unable to flush: No such file or directory
[10/Nov/2008:08:05:53 +0100] NSMMReplicationPlugin - changelog program
- libdb: txn_checkpoint: failed to flush the buffer cache No such file
or directory"
A dialog box also appears with the following text:
"An error occured during the consumer initialization
The error received by the replica is '12 Total update aborted:
Replication agreement for agmnt=xyz can not be updated while the
replica is disabled
(if the suffix is disabled you must enable it then restart the server
for replication to take place).'.
To check the initialization status, go to the 'status' tab and click
on 'Replication status' in the left pane. The status of the
initialization appears in the right pane."
Before the problems occurred we temporarily disabled "domain admins"
rights for the user Windows Sync uses to bind to AD. While the
binding user only had read access for the suffix we wanted to sync with,
we started a full re-sync (with the errors above). The dirsrv was also
restarted.
We have re-enabled "domain admins" rights for the binding user but the
errors still appear. The directory server is searchable and seems to
work except for syncing.
Could it be that the temporary changes in rights for the binding-user
could have caused this?
Also, is it absolutely needed to have domain admin rights for the
binding-user RHDS uses to connect to AD? We do not want to write any
changes back to AD and those attributes synced with Windows sync will
not be changed anyway.
Thanks,
Erling
15 years, 5 months
[Fedora-directory-users] Unable to create certificate request if O=Example, Inc.
by mallapadi niranjan
Hi all,
I have Fedora Directory Server installed on an F9 box
(fedora-ds-base-1.1.3-2.fc9.x86_64). Due to some bug, I guess, I am unable to
create the certificate request through the Console, that is
Directory Server -> Manage Certificates -> Request -> Request Certificate
Manually.
In the form fields:
Server Name: dhcp7-92.example.com
Organization: Example, Inc.
City/Locality: Raleigh
State/Province: North Carolina
Country/Region: US United States
I click on Show DN and remove all the double quotes, and my DN looks as
below:
CN="dhcp7-92.example.com, O=Example, Inc., L=Raleigh, ST=North Carolina,
C=US
When I click on Next it says "Unable to convert DN to certificate name".
So I tried with the certutil command.
$ cd /etc/dirsrv/slapd-dhcp7-92/
$ certutil -R -s "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.example.com" -o mycert.req -d .
I got the below output:
certutil -s: improperly formatted name: "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.pnq.redhat.com"
Now if I modify it as
certutil -R -s "C=US, ST=North Carolina, L=Raleigh, O=Example, CN=dhcp7-92.pnq.redhat.com" -o mycert.req -d .
it works.
The same with the console, i.e. if the Organization title is modified from
"Example, Inc. " to "Example" it works.
So the space and period symbols in (Example, Inc.) are an issue?
But this doesn't happen when I create certificate requests with openssl
commands.
Regards
Niranjan
15 years, 5 months
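Why "Example, Inc." trips the DN parser: in the RFC 4514 string form an unescaped comma separates RDNs, so "O=Example, Inc." reads as an RDN "O=Example" followed by a bare "Inc." with no attribute type. The following added example (not code from the thread, from certutil or from NSS) splits a DN the way such a parser does, reports the malformed RDN, and rebuilds the subject with the value escaped; whether certutil accepts the backslash form, the quoted form that Show DN emits, or both is not settled by the post.

```python
def split_dn(dn):
    """Split a string DN into RDNs: ',' separates RDNs unless it is backslash-escaped
    or inside double quotes (the quoted form is what the console's Show DN emits)."""
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):          # escaped character: keep both chars
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:              # unescaped, unquoted comma ends the RDN
            rdns.append("".join(buf).lstrip(" "))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    rdns.append("".join(buf).lstrip(" "))
    return rdns

def dn_problems(dn):
    """Describe every RDN that is not an attributeType=value pair; [] means well formed."""
    problems = []
    for rdn in split_dn(dn):
        attr_type, sep, _ = rdn.partition("=")
        if not sep or not attr_type.strip().replace("-", "").replace(".", "").isalnum():
            problems.append(f"not an attributeType=value pair: {rdn!r}")
    return problems

def escape_value(value):
    """Escape one attribute value per RFC 4514 section 2.4 for use in a string DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def build_dn(pairs):
    """Join (attributeType, raw value) pairs into a string DN with each value escaped."""
    return ", ".join(f"{t}={escape_value(v)}" for t, v in pairs)

# The subject from the post, with the organisation typed unescaped, and the escaped rebuild.
UNESCAPED = "C=US, ST=North Carolina, L=Raleigh, O=Example, Inc., CN=dhcp7-92.example.com"
FIXED = build_dn([("C", "US"), ("ST", "North Carolina"), ("L", "Raleigh"),
                  ("O", "Example, Inc."), ("CN", "dhcp7-92.example.com")])
```

`dn_problems(UNESCAPED)` names the stray "Inc." RDN while `dn_problems(FIXED)` is empty, which is the same distinction certutil draws between the two subjects in the post.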
[Fedora-directory-users] PassSync : Windows Active Directory remember my last 2 passwords
by Hugo Etievant
hello,
I discovered a strange behavior with the Active Directory LDAP protocol!
My config:
- an Active Directory on MS Windows Server 2003 SP2 + PassSync service
- a Fedora Directory Server 1.1.3 + Replication Agreement for Windows
synchronization
Bidirectional synchronization of accounts is running, it is OKAY.
When an administrator resets a user password with the Administration Server
Console,
this user can connect to Windows LDAP with the new password chosen
by the administrator (the sync of the password is OK),
But this user can also use the previous password (big surprise)!
=> both are accepted by Windows LDAP: the last and the previous
password!!!
How can that be possible?!
And how to stop this strange behavior?
User connections are made with the ldapsearch command:
/usr/lib/mozldap/ldapsearch -h adfds -P /etc/dirsrv/slapd-fds3/ -m /etc/dirsrv/slapd-fds3/ -D "cn=Gontran Bonheur,cn=Users,dc=example,dc=fr" -b "cn=Users,dc=example,dc=fr" -w - "(cn=Gontran Bonheur)" dn
This request accepts the new and the previous passwords !!!!!!
If I force "Send and Receive Updates Now" in the Console, the behavior
does not change.
If my user uses the Windows login banner, this behavior doesn't appear.
Regards.
--
* Hugo Étiévant
***
15 years, 5 months