[Fedora-directory-users] nsaccountlock compare error
by DANIEL CRISTIAN CRUZ
Hi All,
Trying to figure out whether an account is locked or not, I tried:
(Python shell)
>>> server.compare_s("uid=zaza.zozo.zozo,ou=UnitA,o=MyOrg", 'nsAccountLock', 'true')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 255, in compare_s
    return self.compare_ext_s(dn,attr,value,None,None)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 244, in compare_ext_s
    self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 428, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 432, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 438, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.5/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_ATTRIBUTE: {'desc': 'No such attribute'}
I got the same code using PHP. There must be something in the server configuration, or is it a "bad feature"?
I have many servers here, all with the same problem.
Kind regards,
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Unit
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)
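An added example, not code from the post above or from the Directory Server project, showing why the compare fails and how to check the lock state robustly. An LDAP compare against an attribute the entry does not carry is answered with result code 16 (noSuchAttribute), which python-ldap surfaces as ldap.NO_SUCH_ATTRIBUTE; on 389/Fedora DS nsAccountLock is an operational attribute that is simply absent on an account that was never locked, so the exception is the normal "not locked" answer rather than a server misconfiguration. The FakeConnection class and the two entries are constructed stand-ins so the code runs without a directory server; replace them with ldap.initialize(...) for real use.

```python
"""Checking nsAccountLock without tripping over noSuchAttribute (added example)."""
try:
    import ldap
    NoSuchAttribute = ldap.NO_SUCH_ATTRIBUTE
    SCOPE_BASE = ldap.SCOPE_BASE
except ImportError:                      # python-ldap absent: minimal stand-ins
    class NoSuchAttribute(Exception):
        pass
    SCOPE_BASE = 0


def is_account_locked(conn, dn):
    """Compare-based check: True only if nsAccountLock is present and 'true'.

    python-ldap 3 on Python 3 expects the assertion value as bytes.
    """
    try:
        return bool(conn.compare_s(dn, 'nsAccountLock', b'true'))
    except NoSuchAttribute:
        # Result code 16: the entry carries no nsAccountLock at all -> not locked.
        return False


def account_lock_state(conn, dn):
    """Search-based check returning 'locked', 'unlocked' or 'unknown'.

    Operational attributes are only returned when requested by name, hence
    the explicit attrlist instead of the default '*'.
    """
    result = conn.search_s(dn, SCOPE_BASE, '(objectClass=*)', ['nsAccountLock'])
    if not result:
        return 'unknown'                 # entry not found
    _dn, attrs = result[0]
    values = [v.decode().lower() for v in attrs.get('nsAccountLock', [])]
    return 'locked' if 'true' in values else 'unlocked'


class FakeConnection:
    """Constructed in-memory stand-in implementing LDAP compare/search semantics."""

    def __init__(self, entries):
        self.entries = entries           # {dn: {attr: [bytes, ...]}}

    def compare_s(self, dn, attr, value):
        entry = self.entries[dn]
        key = next((k for k in entry if k.lower() == attr.lower()), None)
        if key is None:
            raise NoSuchAttribute({'desc': 'No such attribute'})
        return any(v.lower() == value.lower() for v in entry[key])

    def search_s(self, base, scope, filterstr, attrlist=None):
        entry = self.entries.get(base)
        if entry is None:
            return []
        wanted = {a.lower() for a in attrlist or []}
        return [(base, {k: v for k, v in entry.items() if k.lower() in wanted})]


# Constructed sample directory: one locked account, one that was never locked.
SAMPLE = FakeConnection({
    'uid=locked,ou=UnitA,o=MyOrg': {'uid': [b'locked'], 'nsAccountLock': [b'true']},
    'uid=open,ou=UnitA,o=MyOrg': {'uid': [b'open']},
})

if __name__ == '__main__':
    for dn in SAMPLE.entries:
        print(dn, is_account_locked(SAMPLE, dn), account_lock_state(SAMPLE, dn))
```

The search-based form is the one to prefer in scripts: it distinguishes "entry missing" from "entry present but unlocked", and it never raises for the common case.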
[Fedora-directory-users] AD Password Sync Question
by Christopher Barry
Greetings,
After reading chapter 19 of the RH docs about AD integration, I have a question regarding the 'lifetime' and locality of the plaintext password, and how this actually gets captured and sync'd.
In a multi-site AD enterprise with a lot of DCs, would the password sync service need to run on every DC, with a partnership to the one master Directory Server? I'm wondering how, if a user in Texas changes their password, it gets placed into the Directory Server master in Pennsylvania.
Thanks,
-C
[Fedora-directory-users] Syncing sambaLMPassword and sambaNTPassword with userPassword
by Jeff Williams
Hello all,
I am trying to set up a samba share that will use a ldap read-only consumer in such a fashion:
[windows active directory] -> [fedora-ds-MMR] -> [fedora-ds-RO] -> [samba share]
Note the single direction: I am trying not to send updates back upstream. I use PassSync to provide an updated password to the MMR, but I am at a loss as to how to update sambaNTPassword and sambaLMPassword without using smbpasswd. Is there an alternative? I've seen talk in the archives of people intending to write plugins for this task; were they ever written? Am I missing something simple?
Thanks,
Jeff Williams
[Fedora-directory-users] MMR: Get identical Replica ID.
by Reinhard Nappert
Hi,
I ran across a strange issue. I have a working MMR setup. One master uses Replica ID 1 and the other 2.
At some point (I don't know when or why this happened), both directories started complaining about the same ID:
[11/Dec/2008:16:01:38 -0500] NSMMReplicationPlugin - agmt="cn=m1tom2" (m2:389): Incremental update failed and requires administrator action
[11/Dec/2008:16:02:38 -0500] NSMMReplicationPlugin - agmt="cn=m1tom2" (m2:389): Unable to acquire replica: the replica has the same Replica ID as this one. Replication is aborting.
I did check the configuration and the IDs were not identical (otherwise it would not have worked in the first place).
Recovering is not that easy any more. I disabled replication and set it up from scratch. Still, I run into the same error message.
Did anyone experience a similar thing?
Thanks,
-Reinhard
[Fedora-directory-users] Error starting SSL enabled Admin-Server Segmentation fault (11)
by James Chavez
Hello,
I have 2 servers running FDS.
I have set up my directory servers to use SSL for both the directory server and the admin server. For my problem server I generated both the directory server cert and the admin server cert on the directory server acting as the CA. I exported Server-Cert2 and server-cert2 in .p12 format and imported them, as well as the CA cert, into both the admin server and the directory server. I am able to establish SSL client sessions to the directory server, but I cannot log in to the admin server through the GUI.
I was able to log in fine before enabling SSL. Unlike this server, on the server acting as the root CA everything works fine.
I get the following error at the GUI login screen.
authenticating User ID "cn=Directory Manager"
java.io.InterruptedIOException: HTTP response timeout
In the error log I have this. On the directory server that I can log into I get the same messages, but not the segmentation fault.
[notice] caught SIGTERM, shutting down
[notice] Access Host filter is: *.fedora
[notice] Access Address filter is: *
[notice] Access Host filter is: *.fedora
[notice] Access Address filter is: *
[error] SSL_InheritMPServerSIDCache failed
[error] SSL Library Error: -8191 Library Failure
[notice] Apache/2.2.8 (Unix) configured -- resuming normal operations
[notice] child pid 3284 exit signal Segmentation fault (11)
Here are my cert databases:

[root@scooby ~]# certutil -L -d /etc/dirsrv/admin-serv/

Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CA certificate                                    CT,,
server-cert2                                      u,u,u

[root@scooby ~]# certutil -L -d /etc/dirsrv/slapd-scooby/

Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CA certificate                                    CT,,
Server-Cert2                                      u,u,u
Any ideas?
Thanks
James
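An added example, not code from the post above or from the Directory Server project: a small audit of `certutil -L` listings of the kind pasted above. It parses the listing format and checks what an SSL-enabled admin server or directory server needs from its NSS database: a CA certificate trusted to issue SSL server certificates (the SSL trust column contains `C`) and a server certificate with its private key present (`u` in the SSL column) under the exact nickname the server configuration refers to. The example assumes NSS nickname lookup is case-sensitive, so it also flags a nickname that exists only with different letter case (as with `server-cert2` versus `Server-Cert2` in the two listings). The two listings embedded here are constructed to mirror the ones in the post.

```python
"""Audit NSS certificate databases from `certutil -L` output (added example)."""
import re

# A certificate row: nickname, two or more spaces, then the three trust columns.
ROW = re.compile(r'^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$')


def parse_certutil_listing(text):
    """Return {nickname: (ssl_flags, smime_flags, jar_flags)} from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:                                  # header, prompt and blank lines do not match
            certs[m.group('nick')] = tuple(m.group('trust').split(','))
    return certs


def check_database(certs, ca_nick, server_nick):
    """Return a list of findings; an empty list means the database looks usable for SSL."""
    findings = []
    ca = certs.get(ca_nick)
    if ca is None:
        findings.append('CA %r not in database' % ca_nick)
    elif 'C' not in ca[0]:
        findings.append('CA %r is not trusted to issue SSL server certs (flags %s)'
                        % (ca_nick, ','.join(ca)))
    srv = certs.get(server_nick)
    if srv is None:
        # Assumed here: NSS matches nicknames case-sensitively, so report near misses.
        alt = [n for n in certs if n.lower() == server_nick.lower()]
        if alt:
            findings.append('server cert %r not found; %r differs only in case'
                            % (server_nick, alt[0]))
        else:
            findings.append('server cert %r not in database' % server_nick)
    elif 'u' not in srv[0]:
        findings.append('server cert %r has no private key in this database (flags %s)'
                        % (server_nick, ','.join(srv)))
    return findings


# Constructed listings modelled on the two in the post.
ADMIN_DB = """\
[root@scooby ~]# certutil -L -d /etc/dirsrv/admin-serv/

Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CA certificate                                    CT,,
server-cert2                                      u,u,u
"""

SLAPD_DB = """\
[root@scooby ~]# certutil -L -d /etc/dirsrv/slapd-scooby/

Certificate Nickname                              Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

CA certificate                                    CT,,
Server-Cert2                                      u,u,u
"""

if __name__ == '__main__':
    for name, text, nick in (('admin-serv', ADMIN_DB, 'server-cert2'),
                             ('slapd-scooby', SLAPD_DB, 'Server-Cert2')):
        print(name, check_database(parse_certutil_listing(text), 'CA certificate', nick) or 'ok')
```

Run it against the real output of `certutil -L -d <dir>` with the nickname taken from the server's own SSL configuration; a clean result says only that the database contents are plausible, it does not explain a crash in the SSL library itself.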
[Fedora-directory-users] AD Sync Port Requirements
by James Roman
Does anyone have a list of ports that would need to be opened between the FDS and an Active Directory server? I am primarily concerned with traffic in the direction FDS->ADS. I know that default AD->AD communication can require everything above 1024 unless limited in the registry. Does the AD->FDS sync have the same requirements?
--
James D. Roman
IT Network Administration
Terranet Inc. On contract to:
Science Systems and Applications, Inc.
[Fedora-directory-users] An index for the server-side sort functionality
by Andrey Ivanov
Hi,
There is a special type of index for VLV sort searches, but I have not found what sort of index I should create to make server-side sorting on a certain attribute optimized.
Thank you
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
[Fedora-directory-users] 'Account Disabled' Windows Sync Directory Server red cross
by lambam80@hotmail.com
Firstly, please accept my apologies for a white lie. I'm, in fact, using CentOS, but a colleague of mine recommended that I use this forum/mailing list. Let me know if this white lie is a problem.

cat /etc/redhat-release
CentOS release 5.2 (Final)

/usr/sbin/ns-slapd -v
CentOS-Directory/8.0.4 B2008.288.1513

Windows 2003 Server Standard Edition R2

I've 'successfully' configured Windows Sync and it works in both directions. However, accounts that are synched from CentOS Directory Server to Active Directory are created with the 'Account Disabled' checkbox selected. In the Windows account administration interface they also have the red cross next to them.

Q1. Have other people seen this behavior with Windows Sync?
Q2. How can I change this behavior and have the Windows accounts enabled from the start?

Thanks for your time, cheers
lambam80
[Fedora-directory-users] (no subject)
by James Chavez
Hello again, Thanks for the reply.
My Solaris 10 and 8 clients are working against SSL now, thanks!
For my Linux clients I am trying to follow the FDS wiki Howto:SSL.
I am having a problem importing the root CA certificate on my Fedora boxes.
The Howto:SSL page says to run this command to import the cacert.asc file:
"cp cacert.asc /etc/openldap/cacerts/`openssl x509 -noout -hash -in cacert.asc`.0"
However, that responds with the error below. Is anybody familiar with this error?
Also, I see Fedora has the certutil utility; can I use this to import the CA root certificate like I did for the Solaris clients?
'Error opening Certificate cacert.asc
2312:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('cacert.asc','r')
2312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
Many Thanks
James
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of George Holbert
Sent: Friday, December 05, 2008 12:03 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Create client SSL certificates for Solaris boxes.
James Chavez wrote:
> George,
> Thank you much for the help with this. I read up on the links you sent
> and they seem to have helped. I have been struggling with a Solaris 8
> box for the past few hours. It would not work at first; I was getting
> an end-of-file error in the access log. Then it just started working
> after I restarted the client services a few times and re-added the box
> using the same profile.
>
> I have another question in regards to SSL for replication.
> I had MMR going between two servers, this one and another, prior to
> enabling SSL on this server. I removed all the replication agreements
> because, as I understand it, they need to be recreated with SSL. I would
> appreciate the list's opinions on the following. The Admin Guide states
> that there are 2 ways of replicating over SSL; I pasted them below. I
> would like to know the pros and cons of each and whether a DNS PTR record
> is an absolute necessity on each MMR member.
>
The end result with both SSL replication flavors is the same.
Both encrypt the replication traffic between your directory servers.
The client cert method, when properly implemented, will make life more
challenging for a prospective attacker who would like to impersonate
your replication manager identity. In that sense, it is more secure
than simple auth with SSL.