[Fedora-directory-users] Help with NIS->FDS & AD migration
by Devon
Hello FDS users -
I am learning as I go here so please excuse my ignorance. I have scoured
the Fedora and Red Hat docs for Directory Server and read many threads
from this list archive concerning Active Directory sync. I'm having trouble
putting all the pieces together and would greatly appreciate some guidance
from people who have already gone through this process :)
I am in the process of migrating from NIS to LDAP. In our environment we
run both Windows and Linux systems. For quite a while we have been
maintaining both NIS and Active Directory. Our goal is to move away from
NIS and achieve single sign-on for our users. I have installed and
configured FDS, and converted and imported our NIS maps as LDIF. This worked
beautifully.
Can I create a sync agreement that only sends passwords from AD->FDS,
nothing else and no updates from FDS->AD?
I would like to configure our Linux clients to authenticate to AD with
Kerberos and use FDS as the LDAP server. I understand we need to install
the password sync utility on one of our DCs and that when a user changes
their password in AD the utility will capture it in plaintext and send it to
FDS. I also see that FDS and the pass sync have to be configured to share
certificates for the SSL connection between them.
Can the sync utility be restricted to one OU within AD? What access within
AD is required for the utility to run? Domain Admin rights or can specific
rights be delegated?
I would really appreciate some steps for configuring SSL on the AD and FDS
sides, and for creating and testing the sync agreement.
Thank you so much for the help!!
Slat3dx
15 years
[Fedora-directory-users] trouble installing samba
by Maurizio Marini
I'm installing samba-pdc using
http://directory.fedoraproject.org/wiki/Howto:Samba
I stumbled at the final point of adding Administrator:
pdbedit -U S-1-5-21-1017320176-1068811812-2284442376-500 -u Administrator -r
Username not found!
pdbedit -U S-1-5-21-1017320176-1068811812-2284442376-500 -u Administrator -a
Cannot locate Unix account for Administrator
In the discussion I read:
http://directory.fedoraproject.org/wiki/Talk:Howto:Samba
"I found that the step to use pdbedit to modify the administrator account was
failing. after much searching i realized it is expecting the Administrator
account that was added with ldif2ldap of the sambaAdministrator.ldap to
*already* have a sambasamaccount object class associated with it."
I dunno how to do it :(
Other comments make me wonder if, using this howto, I will ever be able to
install samba-pdc :(
If someone was able to do it, please share your experience with us :)
m.
15 years
[Fedora-directory-users] Help with NIS->FDS & AD migration
by Devon
Hello FDS users -
I am learning as I go here so please excuse my ignorance. I have
scoured the Fedora and Red Hat docs for Directory Server and read
many threads from this list archive concerning Active Directory sync.
I'm having trouble putting all the pieces together and would greatly
appreciate some guidance from people who have already gone through this
process :)
I am in the process of migrating from NIS to LDAP. In our environment
we run both Windows and Linux systems. For quite a while we have been
maintaining both NIS and Active Directory. Our goal is to move away
from NIS and achieve single sign-on for our users. I have installed and
configured FDS, and converted and imported our NIS maps as LDIF. This
worked beautifully.
Can I create a sync agreement that only sends passwords from AD->FDS,
nothing else and no updates from FDS->AD?
I would like to configure our Linux clients to authenticate to AD with
Kerberos and use FDS as the LDAP server. I understand we need to
install the password sync utility on one of our DCs and that when a
user changes their password in AD the utility will capture it in
plaintext and send it to FDS. I also see that FDS and the pass sync have
to be configured to share certificates for the SSL connection between them.
Can the sync utility be restricted to one OU within AD? What access
within AD is required for the utility to run? Domain Admin rights or
can specific rights be delegated?
I would really appreciate some steps for configuring SSL on the AD and
FDS sides, and for creating and testing the sync agreement.
Thank you so much for the help!!
Devon
15 years
[Fedora-directory-users] notes on building fds in etch and a failed build question
by Ryan Braun
I've been working a little bit towards setting up a build environment for fds
in debian. I've never actually built anything this complex, and in general
my compiling experience is somewhat lacking. I'm trying to follow the write-up
at http://directory.fedoraproject.org/wiki/Building, which states you
have to build the mozilla components first. Here's where it gets
interesting.
nspr and nss are already installed on the systems by default.
ii libnspr4-0d 1.8.0.15~pre080131b-0etch1 NetScape Portable Runtime Library
ii libnspr4-dev 1.8.0.15~pre080131b-0etch1 Development files for the NetScape Portable
ii libnss3-0d 1.8.0.15~pre080131b-0etch1 Network Security Service libraries
ii libnss3-0d-dbg 1.8.0.15~pre080131b-0etch1 Development files for the Network Security S
ii libnss3-dev 1.8.0.15~pre080131b-0etch1 Development files for the Network Security S
ii libnss3-tools 1.8.0.15~pre080131b-0etch1 Network Security Service tools
But they have a goofy version number dictated by the xulrunner package.
http://packages.debian.org/source/etch/xulrunner
ywgbuild:/usr/src/dsbuild/meta/ds# pkg-config --modversion xulrunner-nss
1.8.0.13pre
ywgbuild:/usr/src/dsbuild/meta/ds# pkg-config --modversion xulrunner-nspr
4.6.7
Now, I'm not sure why nspr is reporting its true version number, while nss
is reporting the 1.8.0 version when it should be something like 3.10 or 3.11.
And, I've been digging on the debian packages listings trying to figure out
just which version nss is. Any idea how to pull the version number right out
of the shared lib? Anyhow I moved on to try and build the next component,
svrcore.
I had to do some fudging with pkg-config (ln -s xulrunner-nspr.pc nspr.pc and
ln -s xulrunner-nss.pc nss.pc) in order for svrcore's configure to work
(prolly a RH vs debian package naming issue).
So I ./configure --prefix=/opt/svrcore and it makes and make install's ok.
I add /opt/svrcore/lib to ld.so.conf, and run ldconfig.
ywgbuild:/opt/svrcore# strings /etc/ld.so.cache |grep svrcore
libsvrcore.so.0
/opt/svrcore/lib/libsvrcore.so.0
libsvrcore.so
/opt/svrcore/lib/libsvrcore.so
ywgbuild:/opt/svrcore# pkg-config --modversion svrcore
4.0.4
Next on the list is the mozldap library
ywgbuild:/usr/src/mozldap-6.0.5/mozilla/directory/c-sdk# ./configure --enable-clu --with-sasl --with-svrcore --enable-optimize --disable-debug --prefix=/opt/mozldap
works ok.
But then make throws this
gcc -o ntuserpin.o -c -pipe -ansi -Wall -pthread -O2 -fPIC -UDEBUG -DNDEBUG=1 -DXP_UNIX=1 -D_POSIX_SOURCE=1 -D_BSD_SOURCE=1 -D_SVID_SOURCE=1 -D_LARGEFILE64_SOURCE=1 -DHAVE_FCNTL_FILE_LOCKING=1 -DLINUX=1 -Dlinux=1 -Di386=1 -DHAVE_LCHOWN=1 -DHAVE_STRERROR=1 -DHAVE_GETADDRINFO=1 -DHAVE_GETNAMEINFO=1 -DHAVE_SASL=1 -DHAVE_SASL_OPTIONS=1 -DLDAP_SASLIO_HOOKS=1 -D_REENTRANT=1 -DNET_SSL -DNO_LIBLCACHE -DLDAP_REFERRALS -DNS_DOMESTIC -DLINUX2_0 -DLINUX1_2 -DLINUX2_1 -DLDAP_TOOL_ARGPIN -DLDAP_TOOL_PKCS11 -DFORCE_PR_LOG -D_PR_PTHREADS -UHAVE_CVAR_BUILT_ON_SEM -I/usr/include/nss -I/usr/include/nspr -I/usr/include/nspr -I/usr/include/sasl -I../../../../../dist/public/ldap -I../../../ldap/include -I/opt/svrcore/include -I/usr/include/nspr -I/usr/include/nss ntuserpin.c
c++ -o bin/ldapdelete ldapdelete.o common.o convutf8.o fileurl.o ldaptool-sasl.o argpin.o ntuserpin.o -L../../../../../dist/./lib -lssldap60 -lprldap60 -lldap60 -lldif60 -L../../../../../dist/lib -lsvrcore -lssl3 -lnss3 -lsoftokn3 -L/usr/lib -lplds4 -lplc4 -lnspr4 -lpthread -ldl -lplc4 -lplds4 -lnspr4 -lsasl2 -ldl -lresolv -lpthread
/usr/bin/ld: cannot find -lsvrcore
collect2: ld returned 1 exit status
make[2]: *** [bin/ldapdelete] Error 1
ywgbuild:/tmp# strace -o out ld -l svrcore
ld: cannot find -lsvrcore
ywgbuild:/tmp# grep open out
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libbfd-2.17.so", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
open("a.out", O_RDWR|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 3
open("/usr/bin/../lib/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/bin/../lib/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/i486-linux-gnu/lib32/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/i486-linux-gnu/lib32/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/local/lib32/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/local/lib32/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/lib32/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/lib32/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib32/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib32/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/i486-linux-gnu/lib/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/i486-linux-gnu/lib/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/lib/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/lib/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib/libsvrcore.so", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/lib/libsvrcore.a", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = 4
open("/usr/share/locale/en_CA/LC_MESSAGES/ld.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/ld.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
So I'm not sure why ld doesn't want to look in /opt/svrcore/lib for the
libsvrcore shared libs. It just looks in the default spots according to
strace. Did I mess up somewhere?
As a quick fix I just symlinked /opt/svrcore/lib/libsvrcore.(a|so) to /usr/lib
and it built.
mozldap doesn't make install apparently, but creates a dist directory
symlinking all the built apps and libs. So I just
copied /usr/src/mozldap-6.0.5/mozilla/dist to /opt/mozldap, copying the files
rather than preserving the symlinks.
add /opt/mozldap/lib to ld.so.conf && ldconfig
ywgbuild:/opt/mozldap/bin# strings /etc/ld.so.cache |grep mozldap
/opt/mozldap/lib/libssldap60.so
/opt/mozldap/lib/libprldap60.so
/opt/mozldap/lib/libldif60.so
/opt/mozldap/lib/libldap60.so
So those libs look to be installed ok.
I then hacked up a fedora mozldap.pc (the make process didn't generate one,
but the mozldap.pc.in file is there..)
ywgbuild:/tmp/usr/lib/pkgconfig# cat mozldap.pc
prefix=/opt/mozldap
exec_prefix=${prefix}
libdir=${prefix}/lib
includedir=${prefix}/include
bindir=${prefix}/bin
major=6
minor=0
submin=5
libsuffix=60
Name: mozldap
Description: Mozilla LDAP C SDK
Version: 6.0.5
Requires: nspr >= 4.6 , nss >= 1.8.0.13pre
Libs: -lssldap60 -lprldap60 -lldap60
Cflags: -I${includedir}
But again I end up in a spot where ld can't find the libs I just installed.
So I symlinked everything in /opt/mozldap/lib to /usr/lib/.
Then ld -lssldap60 -lprldap60 -lldap60 wouldn't complain about not being able
to find the libs anymore.
Now for perl-ldap
export LDAPSDKINCDIR="/opt/mozldap/include"
export LDAPSDKDIR="/opt/mozldap"
export LDAPSDKLIBDIR="/opt/mozldap/lib"
export NSPRINCDIR="/usr/include/nspr"
export NSPRLIBDIR="/usr/lib"
export NSSLIBDIR="/usr/lib"
make would puke complaining about missing ldap-standard.h
ln -s /opt/mozldap/public/ldap/ldap-standard.h /opt/mozldap/include/ldap-standard.h
ywgbuild:/usr/src/perl-mozldap-1.5.2# make
cc -c -I/opt/mozldap/include -D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -DVERSION=\"1.5\" -DXS_VERSION=\"1.5\" -fPIC "-I/usr/lib/perl/5.8/CORE" -DUSE_SSL
API.c
Running Mkbootstrap for Mozilla::LDAP::API ()
chmod 644 API.bs
rm -f blib/arch/auto/Mozilla/LDAP/API/API.so
LD_RUN_PATH="/opt/mozldap/lib" LD_RUN_PATH=/opt/mozldap/lib
cc -shared -L/usr/local/lib API.o -o blib/arch/auto/Mozilla/LDAP/API/API.so \
-L/opt/mozldap/lib -lssldap60 -lprldap60 -lldap60 -L/usr/lib -lssl3 -lnss3 -L/usr/lib -lplc4 -lnspr4 \
chmod 755 blib/arch/auto/Mozilla/LDAP/API/API.so
cp API.bs blib/arch/auto/Mozilla/LDAP/API/API.bs
chmod 644 blib/arch/auto/Mozilla/LDAP/API/API.bs
Manifying blib/man3/Mozilla::LDAP::Conn.3pm
Manifying blib/man3/Mozilla::LDAP::Utils.3pm
Manifying blib/man3/Mozilla::LDAP::Entry.3pm
Manifying blib/man3/Mozilla::LDAP::LDIF.3pm
Manifying blib/man3/Mozilla::LDAP::API.3pm
So where I'm at now: using system nspr and nss, I've built mozldap and installed
it to /opt/mozldap, built svrcore and installed it to /opt/svrcore, and built
perl-ldap, not installing it anywhere.
So I figured I would give the newer dsbuild a shot at building the directory
server. And it cranks away for a while then comes back with a message
complaining about ldap agent and snmp. I initiated dsbuild with just a make
command with no options.
Here are the snmp packages installed
ywgbuild:/usr/src/dsbuild/meta/ds# dpkg -l|grep snmp
ii libsnmp-base 5.2.3-7etch2 NET SNMP (Simple Network Management Protocol
ii libsnmp-perl 5.2.3-7etch2 NET SNMP (Simple Network Management Protocol
ii libsnmp9 5.2.3-7etch2 NET SNMP (Simple Network Management Protocol
ii libsnmp9-dev 5.2.3-7etch2 NET SNMP (Simple Network Management Protocol
I've sent the last portion of the build process to pastebin if you want to
have a look at
http://www.pastebin.org/20301
but the guts of the issue is this
make[3]: Entering directory `/usr/src/dsbuild/ds/ldapserver/work/fedora-ds-base-1.1.0'
/bin/sh ./libtool --tag=CC --mode=link gcc -g -o ldap-agent-bin ldap/servers/snmp/ldap_agent_bin-main.o ldap/servers/snmp/ldap_agent_bin-ldap-agent.o ldap/servers/slapd/ldap_agent_bin-agtmmap.o -lssldap60 -lprldap60 -lldap60 -lldif60 -lsasl2 -lssl3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4 -L/usr/lib -lnetsnmpmibs -lnetsnmpagent -lnetsnmphelpers -lnetsnmp -lm -ldl -lsensors -lwrap -lwrap
gcc -g -o ldap-agent-bin ldap/servers/snmp/ldap_agent_bin-main.o ldap/servers/snmp/ldap_agent_bin-ldap-agent.o ldap/servers/slapd/ldap_agent_bin-agtmmap.o -lssldap60 -lprldap60 -lldap60 -lldif60 /usr/lib/libsasl2.so -lresolv -lssl3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4 -L/usr/lib /usr/lib/libnetsnmpmibs.so /usr/lib/libnetsnmpagent.so /usr/lib/libnetsnmphelpers.so /usr/lib/libnetsnmp.so -lcrypto -lm -ldl -lsensors -lwrap
ldap/servers/snmp/ldap_agent_bin-ldap-agent.o: In function `init_ldap_agent':
ldap/servers/snmp/ldap-agent.c:98: undefined reference to `CONTAINER_INSERT'
collect2: ld returned 1 exit status
make[3]: *** [ldap-agent-bin] Error 1
make[3]: Leaving directory `/usr/src/dsbuild/ds/ldapserver/work/fedora-ds-base-1.1.0'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/usr/src/dsbuild/ds/ldapserver/work/fedora-ds-base-1.1.0'
make[1]: *** [build-work/fedora-ds-base-1.1.0/Makefile] Error 2
make[1]: Leaving directory `/usr/src/dsbuild/ds/ldapserver'
make: *** [dep-../../ds/ldapserver] Error 2
make[
Any ideas?
Ryan Braun
Informatics Operations
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: (204) 833-2500x2824 CSN: 257-2824 FAX: (204) 833-2524
E-Mail: Ryan.Braun(a)ec.gc.ca
15 years
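The "ld can't find the libs I just installed" symptom in the post above comes down to two different search paths: /etc/ld.so.conf plus ldconfig feed only the run-time loader, while the link editor searches its built-in directories and whatever -L flags it is given. A pkg-config file whose Libs: line carries only -l flags and no -L${libdir} therefore gives ld no path for a prefix like /opt/mozldap, and the symlinks into /usr/lib only paper over that. The script below is an added example, not code from the post or from the Fedora DS project: it parses a constructed .pc file modelled on the one in the post, a constructed ld.so.conf, and reports which of the two search paths is actually satisfied. The function names (pc_expand, pc_links_libdir, in_runtime_path, pc_add_libdir, diagnose) are my own.

```shell
#!/bin/sh
# Added example: tell link-time search (ld, -L flags) apart from run-time
# search (ld.so.conf / ldconfig) for a library under a non-default prefix.

# Constructed sample .pc file, modelled on the mozldap.pc from the post.
PC_FILE="$(mktemp)"
cat > "$PC_FILE" <<'EOF'
prefix=/opt/mozldap
exec_prefix=${prefix}
libdir=${prefix}/lib
includedir=${prefix}/include
libsuffix=60
Name: mozldap
Description: Mozilla LDAP C SDK
Version: 6.0.5
Libs: -lssldap60 -lprldap60 -lldap60
Cflags: -I${includedir}
EOF

# Constructed sample ld.so.conf: the prefixes the post added before running
# ldconfig. This satisfies the run-time loader only.
LDSO_CONF="$(mktemp)"
printf '%s\n' /usr/local/lib /opt/svrcore/lib /opt/mozldap/lib > "$LDSO_CONF"

# pc_expand FILE FIELD: print a .pc variable (e.g. libdir) or keyword line
# (e.g. Libs) with its ${var} references resolved, the way pkg-config does.
pc_expand() {
    awk -v want="$2" '
        /^[A-Za-z_][A-Za-z0-9_]*=/ {            # variable assignment line
            name = $0; sub(/=.*/, "", name)
            val = substr($0, length(name) + 2)
            for (k in vars) gsub("[$][{]" k "[}]", vars[k], val)
            vars[name] = val
            if (name == want) print val
            next
        }
        index($0, want ":") == 1 {              # keyword line such as "Libs:"
            val = substr($0, length(want) + 2); sub(/^[ \t]+/, "", val)
            for (k in vars) gsub("[$][{]" k "[}]", vars[k], val)
            print val
        }' "$1"
}

# pc_links_libdir FILE: succeed only if Libs: hands ld an -L<libdir> flag.
pc_links_libdir() {
    libdir="$(pc_expand "$1" libdir)"
    libs="$(pc_expand "$1" Libs)"
    case " $libs " in
        *" -L$libdir "*) return 0 ;;
    esac
    return 1
}

# in_runtime_path CONF DIR: succeed if DIR is listed for the run-time loader.
in_runtime_path() {
    grep -qx "$2" "$1"
}

# pc_add_libdir FILE: the fix, prepend -L${libdir} to the Libs: line.
pc_add_libdir() {
    tmp="$(mktemp)"
    sed 's/^Libs:[[:space:]]*/Libs: -L${libdir} /' "$1" > "$tmp" && mv "$tmp" "$1"
}

# diagnose PCFILE LDSOCONF: one-line verdict covering both search paths.
diagnose() {
    libdir="$(pc_expand "$1" libdir)"
    if pc_links_libdir "$1"; then link="link-time: ok"
    else link="link-time: Libs: lacks -L$libdir (ld will not find the libs)"; fi
    if in_runtime_path "$2" "$libdir"; then run="run-time: ok"
    else run="run-time: $libdir not in ld.so.conf"; fi
    echo "$link; $run"
}

diagnose "$PC_FILE" "$LDSO_CONF"
pc_add_libdir "$PC_FILE"
diagnose "$PC_FILE" "$LDSO_CONF"
```

Run as-is, the first verdict is "link-time: Libs: lacks -L/opt/mozldap/lib ...; run-time: ok", which matches the post: ldconfig is happy, ld is not. After pc_add_libdir the Libs: line expands to -L/opt/mozldap/lib -lssldap60 -lprldap60 -lldap60 and both checks pass, with no symlinks into /usr/lib needed.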
[Fedora-directory-users] YUM and 64 bit upgrade to 1.1 questions
by Ken Marsh
Hi,
I have some questions upgrading 3 Red Hat systems (ES3, 4 x86 &
ES5x86_64, one each) from FDS 1.01-4 to 1.1.
1. On RHES5.1 x86_64, is it safe to do yum to update the
installation? There are a lot of warnings out there about yum vs Beta of
1.1. Should I remove all of 1.01-4 first?
2. Should I be using redhat-ds instead of fedora-ds for supported
RH systems?
3. Searching for packages in rhn.redhat.com, there is no redhat-ds
available. Shouldn't it be there? I have entitlements for 3, 4 and 5.
4. Must I use YUM for Enterprise 4 systems? Why can't I just
download an FDS 1.1 RPM and install it? It would be much easier than
converting E4 systems to YUM.
5. If I must use YUM, are there some EASY, STRAIGHTFORWARD
instructions for installing YUM on ES4? Everything out there seems to
assume I am setting up some grand upgrade redistribution engine when all
I want is a few packages.
Ken Marsh
ANS System Administration Lead
(410) 876-9200
15 years
[Fedora-directory-users] Password Warnings
by Brian Roy
I have a PHP script that will query FDS for users with about-to-expire and
expired passwords.
It sends out email to both the user and a sysadmin. Let me know if you
are interested.
Regards,
Name: Brian Roy
Status: enjoying the weekend
Brian Roy
Visit my blog at www.briantroy.com/blog
contact | b.t.roy(a)brianandkelly.ws - 602.445.9849 | GoogleTalk - briantroy(a)chat.brianandkelly.ws
15 years
[Fedora-directory-users] Request For Comment: fedora-ds-utils project
by Ken Marsh
Chris,
As someone currently looking for some of these scripts, I think this is
a great idea. I'll throw in a few comments.
>2. The program must include 'ds' as the first element in the name; for
> instance:
>
> - ds-mmrtool
> - ds-schema-migrate
> - ds-setup-ssl
While I like the consistency, this sort of introduces a massive
documentation bug. People will read the Red Hat DS or 7.1 DS or latest
DS documentation, look for (say) setup-ds-admin.pl, and it will be
missing (renamed), and come right back to the mailing list asking for it
again.
>4. The program must ONLY produce output a) on errors; or b) with the -v
> flag. In the event of successful operation, no output should be
> produced at all.
I suspect the purpose of some scripts is to produce output. Also, some
scripts call other perl or shell scripts, and tying up all those outputs
neatly would probably involve rewriting them all.
>5. The program must be capable of running completely unattended.
Yes!
>7. All dependencies of the program must be available as RPMs in the
> current release of Fedora Linux
OK, but hey! Don't forget us Red Hat (paying) customers. I've had many a
cool new package refuse to run on Enterprise 4 because supporting
packages were "too old" or packages weren't available. I can understand
giving up on Enterprise 3, but right now E4 is still the massive user
base.
Ken Marsh
15 years
[Fedora-directory-users] Problem while authenticating against FDS
by angad
Hi Friends,
I have installed Fedora Directory Server on RHEL 4. When I configure RHEL 4 clients for authentication, authentication works fine. But when I configure an RHEL 3 client to authenticate against the RHEL 4 FDS server, it does not authenticate. Is there any compatibility issue, or are there any settings that need to be done? Please help me out with this issue.
Thanks in advance
Regards,
Angad
15 years