[Fedora-directory-users] Recover directory database files when disk fills up!
by Howard Wilkinson
We had the disk with the directory database files fill up overnight, a
rogue process :-[
Now the directory server will not start; I get the following reported in
the system logs.
Jul 29 09:44:50 bastion ns-slapd: auxpropfunc error invalid parameter supplied
Jul 29 09:44:50 bastion ns-slapd: sql_select option missing
Jul 29 09:44:50 bastion ns-slapd: auxpropfunc error no mechanism available
What can I do to recover the database so that I can start the server?
14 years, 6 months
[Fedora-directory-users] GOsa install
by Alan Orlič Belšak
Hello,
maybe someone will be able to help me. In the installation of GOsa I get
the following error message:
LDAP error: Object class violation (unknown object class "gosaAccount"
How do I add a new object class with that name, and are there any extra things
to do?
Bye, Alan
14 years, 8 months
RE: [Fedora-directory-users] How do I setup FDS so that Solaris clients will work with it?
by Jerome Yanga
Thanks, Satish, but I used the same DUAConfigProfile specified in the
link below.
http://directory.fedoraproject.org/wiki/Howto:SolarisClient
Here are the exact contents of DUAConfigProfile I used from Gary Tay's
article which was referenced by the link above
(http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm).
"dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC
'Default LDAP server host address used by a DUA' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.1 NAME 'defaultSearchBase' DESC
'Default LDAP base DN used by a DUA' EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList'
DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC
'Maximum time in seconds a DUA should allow for a search to complete'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC
'Maximum time in seconds a DUA should allow for the bind operation to
complete' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC
'Tells DUA if it should follow referrals returned by a DSA search
result' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod'
DESC 'A keystring which identifies the type of authentication method
used to contact the DSA' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time
to live, in seconds, before a client DUA should re-read this
configuration profile' EQUALITY integerMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.14 NAME
'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by a
DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC
'Attribute mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.10 NAME 'credentialLevel' DESC
'Identifies type of credentials a DUA should use when binding to the
LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.11 NAME 'objectclassMap' DESC
'Objectclass mappings used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope'
DESC 'Default search scope used by a DUA' EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.13 NAME
'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA
should use when binding to the LDAP server for a specific service'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.11.1.3.1.1.15 NAME
'serviceAuthenticationMethod' DESC 'Authentication method used by a
service of the DUA' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.3.6.1.4.1.11.1.3.1.2.4 NAME 'DUAConfigProfile' SUP
top STRUCTURAL DESC 'Abstraction of a base configuration for a DUA' MUST
( cn ) MAY ( defaultServerList $ preferredServerList $ defaultSearchBase
$ defaultSearchScope $ searchTimeLimit $ bindTimeLimit $ credentialLevel
$ authenticationMethod $ followReferrals $ serviceSearchDescriptor $
serviceCredentialLevel $ serviceAuthenticationMethod $ objectclassMap $
attributeMap $ profileTTL ) )"
When I import it, I get the error below.
"cn=schema: Error adding object 'dn: cn=schema'. The error sent by the
server was 'null. missing required attribute "objectclass"
'. The object is: LDAPEntry: cn=schema; LDAPAttributeSet: LDAPAttribute
{type='objectclasses', values='( 1.3.6.1.4.1.11.1.3.1.2.4 NAME
'DUAConfigProfile' SUP top STRUCTURAL DESC 'Abstraction of a base
configuration for a DUA' MUST ( cn ) MAY ( defaultServerList $
preferredServerList $ defaultSearchBase $ defaultSearchScope $
searchTimeLimit $ bindTimeLimit $ credentialLevel $ authenticationMethod
$ followReferrals $ serviceSearchDescriptor $ serviceCredentialLevel $
serviceAuthenticationMethod $ objectclassMap $ attributeMap $ profileTTL
) )'} LDAPAttribute {type='attributetypes', values='(
1.3.6.1.4.1.11.1.3.1.1.0 NAME 'defaultServerList' DESC 'Default LDAP
server host address used by a DUA' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.1
NAME 'defaultSearchBase' DESC 'Default LDAP base DN used by a DUA'
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.2 NAME 'preferredServerList'
DESC 'Preferred LDAP server host addresses to be used by a DUA' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ),(
1.3.6.1.4.1.11.1.3.1.1.3 NAME 'searchTimeLimit' DESC 'Maximum time in
seconds a DUA should allow for a search to complete' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ),(
1.3.6.1.4.1.11.1.3.1.1.4 NAME 'bindTimeLimit' DESC 'Maximum time in
seconds a DUA should allow for the bind operation to complete' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ),(
1.3.6.1.4.1.11.1.3.1.1.5 NAME 'followReferrals' DESC 'Tells DUA if it
should follow referrals returned by a DSA search result' EQUALITY
caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ),(
1.3.6.1.4.1.11.1.3.1.1.6 NAME 'authenticationMethod' DESC 'A keystring
which identifies the type of authentication method used to contact the
DSA' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.7 NAME 'profileTTL' DESC 'Time
to live, in seconds, before a client DUA should re-read this
configuration profile' EQUALITY integerMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.14
NAME 'serviceSearchDescriptor' DESC 'LDAP search descriptor list used by
a DUA' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ),(
1.3.6.1.4.1.11.1.3.1.1.9 NAME 'attributeMap' DESC 'Attribute mappings
used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 ),( 1.3.6.1.4.1.11.1.3.1.1.10 NAME
'credentialLevel' DESC 'Identifies type of credentials a DUA should use
when binding to the LDAP server' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.11
NAME 'objectclassMap' DESC 'Objectclass mappings used by a DUA' EQUALITY
caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ),(
1.3.6.1.4.1.11.1.3.1.1.12 NAME 'defaultSearchScope' DESC 'Default search
scope used by a DUA' EQUALITY caseIgnoreIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ),( 1.3.6.1.4.1.11.1.3.1.1.13
NAME 'serviceCredentialLevel' DESC 'Identifies type of credentials a DUA
should use when binding to the LDAP server for a specific service'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ),(
1.3.6.1.4.1.11.1.3.1.1.15 NAME 'serviceAuthenticationMethod' DESC
'Authentication method used by a service of the DUA' EQUALITY
caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )'}."
What does the error mean? I apologize for the noob question.
Help.
Regards,
Jerome
________________________________________
From: Jerome Yanga
Sent: Thursday, September 25, 2008 9:50 AM
To: 'fedora-directory-users(a)redhat.com'
Subject: How do I setup FDS so that Solaris clients will work with it?
Help.
Can someone point me to a set of instructions that will help me setup
FDS 1.1.2 so that Solaris 10 clients will work with it?
I cannot setup the FDS properly using the instructions below as it seems
to be missing some information.
http://directory.fedoraproject.org/wiki/Howto:SolarisClient
Please advise.
Regards,
Jerome
14 years, 8 months
[Fedora-directory-users] Directory Server Authentication Pass through with Kerberos or saslauthd
by Hartmann, Tim
Hi all, I've run into some configuration trouble with our Red Hat Directory server V 8.0 and was hoping someone on this list might be able to shed a little light on my darkened, troubled and confused brow!
We've got the directory running pretty and have enabled gssapi to allow us to bind with our Kerberos Tickets, so if I do an LDAP query and bind with gssapi with a valid TGT all is well! (hurray) However that's really only PART of what we hope to do with Kerberos and Red Hat Directory Server... we'd also like to be able to use Kerberos as the password database for LDAP... so that a non kerberos aware application which just wants to bind to ldap will be able to bind to the directory, unaware that Kerberos is actually being used as the password store and means of auth.
I found a pretty good HOWTO for how to do this with open ldap:
http://www.ba.infn.it/~domenico/docs/AAIFiles/openLDAP.html
Way down at the bottom where it says "Kerberos as back-end database for LDAP password" is exactly what I'd like to accomplish! Is there a means to do the same thing in FDS? I also found this documentation:
http://directory.fedoraproject.org/wiki/Howto:PAM_Pass_Through
Which seems like it could work, but seems kind of like a hack for what I'm trying to do and it seemed like I couldn't be the only one who wanted to do it! I suspect there's something I'm just missing!
Thanks for the time, and any help would be much appreciated!
Tim
14 years, 8 months
[Fedora-directory-users] Need to escape space when adding referrals from scripts?
by Ryan Braun [ADS]
I have a perl script I've been working on to setup replication. The replication works great for replication from master to master. But I've been running into problems with dedicated consumers and their referrals.
If I disable the add_replica_referral sub in my script, and let fds handle the referrals on the fly it works (go figure :) ). But it doesn't set it up how I want so I need to customize it. It seems like when I set the referrals manually via perl, the space in the url of the referral is causing the whole dn of the update to get truncated as soon as it detects a space. Here is what I mean.
The following snippets are from myself updating an object on the consumer and it failing. All referrals have been created from my script. Not sure what the nsdisablerole is doing...
On the dedicated consumer
[24/Sep/2008:19:58:50 +0000] conn=14 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:19:58:51 +0000] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=directory manager"
[24/Sep/2008:19:58:51 +0000] conn=14 op=1 SRCH base="uid=goodgut,ou=People, dc=xxx,dc=ec,dc=gc,dc=ca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nscpEntryDN nsICQStatusText nsAIMStatusText copiedFrom passwordExpirationTime passwordAllowChangeTime nsICQStatusGraphic hasSubordinates nsRole nsRoleDN aci modifyTimestamp passwordExpWarned nsAccountLock nsAIMStatusGraphic nsds5ReplConflict nsIdleTimeout pwdpolicysubentry nsLookThroughLimit nsSizeLimit entryid nsUniqueId passwordRetryCount dncomp creatorsName nsSchemaCSN passwordGraceUserTime nsYIMStatusGraphic nsTimeLimit entrydn copyingFrom subschemaSubentry accountUnlockTime createTimestamp numSubordinates passwordHistory retryCountResetTime parentid ldapSchemas ldapSyntaxes modifiersName nsYIMStatusText nsBackendSuffix * aci"
[24/Sep/2008:19:58:51 +0000] conn=14 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:19:58:51 +0000] conn=14 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[24/Sep/2008:19:58:51 +0000] conn=14 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:19:58:51 +0000] conn=14 op=3 SRCH base="cn=nsdisabledrole,dc=xxx,dc=ec,dc=gc,dc=ca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="cn userPassword nsRole nsRoleDN objectClass nsAccountLock"
[24/Sep/2008:19:58:51 +0000] conn=14 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[24/Sep/2008:19:58:56 +0000] conn=14 op=4 MOD dn="uid=goodgut,ou=People,dc=xxx,dc=ec,dc=gc,dc=ca"
[24/Sep/2008:19:58:56 +0000] conn=14 op=4 RESULT err=10 tag=103 nentries=0 etime=0
On the MMR server
[24/Sep/2008:19:58:57 +0000] conn=59 fd=70 slot=70 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:19:58:57 +0000] conn=59 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:19:58:57 +0000] conn=59 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Sep/2008:19:58:57 +0000] conn=59 op=1 MOD dn="uid=goodgut,ou=people,dc=xxx,"
[24/Sep/2008:19:58:57 +0000] conn=59 op=1 RESULT err=32 tag=103 nentries=0 etime=0
[24/Sep/2008:19:58:57 +0000] conn=59 op=2 UNBIND
[24/Sep/2008:19:58:57 +0000] conn=59 op=2 fd=70 closed - U1
You can see in the mod request, it's not getting the whole DN, it seems to truncate it at the first space it detects.
Here are the referral entries from the consumer
xxxsrvr4:/etc/dirsrv/slapd-xxxsrvr4# ldapsearch -x -h xxxsrvr4 -D "cn=directory manager" -b "cn=config" -W "objectclass=*"|grep dmns
Enter LDAP Password:
nsslapd-referral: ldap://xxxdmns0:389/dc=xxx, dc=ec, dc=gc, dc=ca
nsDS5ReplicaReferral: ldap://xxxdmns0:389/dc=xxx, dc=ec, dc=gc, dc=ca
If I blow away the rep agreement, and create it from the console, the referrals work fine and look like so.
[24/Sep/2008:20:17:29 +0000] conn=60 fd=70 slot=70 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:20:17:29 +0000] conn=60 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:20:17:29 +0000] conn=60 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Sep/2008:20:17:29 +0000] conn=60 op=1 MOD dn="uid=goodgut,ou=People,dc=xxx,dc=ec,dc=gc,dc=ca"
[24/Sep/2008:20:17:29 +0000] conn=60 op=1 RESULT err=0 tag=103 nentries=0 etime=0 csn=48daa05a000000010000
[24/Sep/2008:20:17:29 +0000] conn=61 fd=71 slot=71 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:20:17:29 +0000] conn=61 op=0 BIND dn="uid=RManager,cn=config" method=128 version=3
[24/Sep/2008:20:17:29 +0000] conn=61 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=rmanager,cn=config"
[24/Sep/2008:20:17:29 +0000] conn=61 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[24/Sep/2008:20:17:29 +0000] conn=61 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[24/Sep/2008:20:17:29 +0000] conn=61 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[24/Sep/2008:20:17:29 +0000] conn=61 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=4 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[24/Sep/2008:20:17:29 +0000] conn=61 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[24/Sep/2008:20:17:29 +0000] conn=60 op=2 UNBIND
But the referrals look like they've been added with ascii codes in the console.
xxxsrvr4:/etc/dirsrv/slapd-xxxsrvr4# ldapsearch -x -h xxxsrvr4 -D "cn=directory manager" -b "cn=config" -W "objectclass=*"|grep dmns
Enter LDAP Password:
nsslapd-referral: ldap://xxxdmns0.xxx.ec.gc.ca:389/dc%3Dxxx%2C%20dc%3Dec%2C%20
nsslapd-referral: ldap://xxxdmns1.xxx.ec.gc.ca:389/dc%3Dxxx%2C%20dc%3Dec%2C%20
xxxrvr4:/etc/dirsrv/slapd-xxxsrvr4#
So my question is: do I need to convert the spaces in my referral entries to ascii codes before creating the referral entries?
Here is the sub I use for reference.
use Net::LDAP::Constant qw(LDAP_ALREADY_EXISTS);

# conn_bind(), disconnect() and %config are defined elsewhere in the script.
sub add_replica_referral
{
    # adds referral to the multivalued attribute nsDS5ReplicaReferral in
    # dn: cn=replica,cn="$config{BASE_DN}",cn=mapping tree,cn=config
    # should only need to add this to a read only consumer!!
    # the first entry will be created automatically by the add_rep_object, this will add more referrals
    # TODO add check to make sure the replica object exists, otherwise it will fail silently and throw an err=32 no such object
    # in the servers log.
    my ($server, $server_port, $referral, $referral_port, $bind_pw) = @_;
    my ($ldap, $msg);

    # bind with the password passed to this sub
    if ( ($ldap = conn_bind($server,$server_port,$bind_pw)) eq 0 ) {
        print "\t*********** bind/connect failed to $server on port $server_port ***************\n";
        return 0;
    }
    print "Adding referral on $server back to $referral\n";

    # dn: cn=replica,cn="$config{BASE_DN}",cn=mapping tree,cn=config
    # nsDS5ReplicaReferral: ldap://xxxx:389/dc=xxx,dc=ec,dc=gc,dc=ca
    # the base DN is placed in the URL exactly as configured, spaces included
    $msg = $ldap->modify("cn=replica,cn=\"$config{BASE_DN}\",cn=mapping tree,cn=config",
        add => { 'nsDS5ReplicaReferral' => "ldap://$referral:$referral_port/$config{BASE_DN}" });
    if ($msg->code == LDAP_ALREADY_EXISTS)
    {
        print "\t -> already exists\n\n";
    }
    disconnect($ldap);
}
Ryan
14 years, 8 months
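Added example, not part of the original post or of Fedora Directory Server: a literal space is not legal inside an LDAP URL, and the console-created referrals shown above store the base DN percent-encoded. The Perl below builds the referral value in that form from the host and base DN quoted in the post; the sub names are hypothetical, and the whitespace split is only an illustration of why the raw form ends at "dc=xxx,".

```perl
#!/usr/bin/perl
# Added example: percent-encode the DN part of an LDAP referral URL before it
# is written to nsDS5ReplicaReferral. Sub names are hypothetical.
use strict;
use warnings;
use Encode qw(encode_utf8 decode_utf8);

# Percent-encode every byte outside the RFC 3986 "unreserved" set. RFC 4516
# lets '=' and ',' stay literal in the DN part; encoding them too is valid and
# gives the same form the console wrote (dc%3Dxxx%2C%20dc%3Dec...).
sub ldap_url_escape {
    my ($text) = @_;
    my $bytes = encode_utf8($text);
    $bytes =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $bytes;
}

# Inverse operation, to check what a URL-aware client recovers.
sub ldap_url_unescape {
    my ($text) = @_;
    $text =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return decode_utf8($text);
}

# Builds the referral value from host, port and base DN.
sub build_referral_url {
    my ($host, $port, $base_dn) = @_;
    die "port must be numeric\n" unless $port =~ /^\d+$/;
    return "ldap://$host:$port/" . ldap_url_escape($base_dn);
}

# Host and base DN as they appear in the post.
my $base_dn = 'dc=xxx, dc=ec, dc=gc, dc=ca';
my $raw     = "ldap://xxxdmns0:389/$base_dn";
my $encoded = build_referral_url('xxxdmns0', 389, $base_dn);

# Illustration only: anything that treats whitespace as the end of the URL
# keeps just the first token of the raw form.
my ($first_token) = split ' ', $raw;

print "raw:         $raw\n";
print "first token: $first_token\n";
print "encoded:     $encoded\n";

# Round trip: the DN recovered from the encoded URL equals the original.
my ($dn_part) = $encoded =~ m{^ldap://[^/]+/(.*)$};
my $decoded   = ldap_url_unescape($dn_part);
print "decoded DN:  $decoded\n";
print "round trip:  ", ($decoded eq $base_dn ? "ok" : "MISMATCH"), "\n";
```

The string returned by build_referral_url is what would be passed as the nsDS5ReplicaReferral value in the Net::LDAP modify call.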
[Fedora-directory-users] classes of service? question
by Marcelo N. Halpern
Hello list, here's the situation:
I have a large number of {centos,rhel}{4,5} hosts on which I will be configuring ldap authentication
via nss_ldap. Hosts are segregated onto different groups according to their function. This is based
on their ip address and FQDN. For instance:
Group "A": red team: 10.10.0.0/16, dbhost_01.nyc.red, wwhost_01.nyc.red, aphost_03.nyc.red,
Group "B": blueteam: 10.20.0.0/16, dbhost_01.nyc.blue, wwhost_03.nyc.blue, aphost_01.nyc.blue,
Group "C": greenteam 10.30.0.0/16, dbhost_01.nyc.green, wwhost_03.nyc.green, aphost_01.nyc.green,
etc.
My intention is to control host access entirely from ldap, using a single ldap.conf for all servers.
Nss_ldap provides a "pam_check_host_attr" hook where the host in question will check its FQDN
against the entry's "host" attribute. The entry
dn: uid=mhalpern,ou=people,dc=foo.com
host: dbhost_01.nyc.red
host: dbhost_02.nyc.red
would then be able to log in to either one of these two hosts. At first I thought it should be really
simple: I should be able to define a container which specifies the different host groups, and use
classes of service to pull in the rest of the information. This solution would be ideal for me, as
users are also segregated into groups.
To this effect I configured classes of service (and roles...) in a variety of combinations, with
limited amount of success. Although I was able to make these "profile expansions" work as
advertised, I could not get them to append values to the existing attribute set. For instance, a
lookup on uid=mhalpern,ou=people,dc=foo.com with the following entries:
dn: uid=mhalpern,ou=people,dc=foo.com
ou=blue
host: dbhost_01.nyc.red
...
cn=cosTemplate,ou=people,dc=foo.com
cosAttribute: host
cosSpecifier: ou
...
dn: blue,cn=cosTemplate,ou=people,dc=foo.com
host: dbhost_01.nyc.blue
host: dbhost_02.nyc.blue
host: dbhost_03.nyc.blue
would render
dn: uid=mhalpern,ou=people,dc=foo.com
ou=blue
host: dbhost_01.nyc.red
and I would expect:
dn: uid=mhalpern,ou=people,dc=foo.com
ou=blue
host: dbhost_01.nyc.red
host: dbhost_01.nyc.blue
host: dbhost_02.nyc.blue
host: dbhost_03.nyc.blue
because classes of service are designed to replace, or be the default value of a particular
attribute. I am open to any solutions to this problem... how have other people approached this issue?
Thanks for any suggestions.
--
Marcelo Nicolás Halpern
Systems Administrator
14 years, 8 months