[Fedora-directory-users] fds 1.1+ not setting nsslapd-instancedir on install?
by Ryan Braun [ADS]
Hey guys. I have some perl replication scripts (fdstool) that I developed on
fds 1.0.4. On my first attempt to use them on a 1.1+ (in this particular
case 1.1.2), the changelog object creation bails because the
nsslapd-instancedir attribute in cn=config isn't set.
##############################
# find the instance-dir
##############################
$msg = $ldap->search (
    base   => "cn=config",
    scope  => "base",
    filter => "(objectClass=*)",
);
my $instance_dir = $msg->entry(0)->get_value("nsslapd-instancedir");
ends up as null as there isn't anything at said attribute.
Also,
shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory Manager" -W -b "cn=config" "objectclass=*"|grep instancedir
Enter LDAP Password:
nsslapd-instancedir:
shodan:/home/ryan/fdstools# ldapsearch -x -h yzxXXXX0 -D "cn=Directory Manager" -W -b "cn=config" "objectclass=*"|grep nsslapd-ldifdir
Enter LDAP Password:
nsslapd-ldifdir: /var/lib/dirsrv/slapd-yzxdmns0/ldif
For now I'm using nsslapd-ldifdir and just ~ s/\/ldif// to cut off the ldif
directory, but am just confirming this behavior is intended. FWIW I built
the packages myself, so it could very well be my own fault :P
Ryan
14 years, 6 months
[Fedora-directory-users] Encryption works, but odd entries in the error log on startup.
by Ryan Braun [ADS]
I had set up encryption on one of my test fds servers (1.1.2), generated a
CAcert and a Server-Cert and turned on encryption. It all worked fine. I
shut down fds, removed the Server-Cert and created a new Server-Cert with a
few Subject Alt Name entries. I didn't import a p12 cert, I just used
certutil to create a new cert in the database.
I restarted the server and tested with ldapsearch -ZZ and it all still worked.
When I had a look in the log recently, I noticed these entries every time I
restart the service.
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[11/Sep/2008:15:11:19 +0000] - Listening on All Interfaces port 636 for LDAPS requests
Looking back to when I first turned on encryption, I see
[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher AES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher 3DES in backend NetscapeRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - Key for cipher 3DES successfully generated and stored
[10/Sep/2008:19:41:20 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Sep/2008:19:41:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests
So I'm wondering if I need to somehow reinit some of the encryption keys? Or
maybe I missed a step for replacing a Server-Cert? But from the docs it
looks like a straightforward turn off fds, remove old cert, create/import
new cert (with same name), restart fds.
Ryan
14 years, 6 months
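A triage sketch for the startup messages quoted in the post above, added here as an example (it is not code from the poster or from the Fedora DS project). It splits an errors log into startups and reports ciphers whose attribute-encryption key was created at one startup and fails to unwrap at a later one; the function names are hypothetical and the sample log is abridged from the post.

```python
import re
from collections import Counter

# Abridged from the log lines quoted in the post above (wrapped lines rejoined).
SAMPLE_LOG = """\
[10/Sep/2008:19:41:20 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend userRoot, attempting to create one...
[10/Sep/2008:19:41:20 +0000] - No symmetric key found for cipher AES in backend NetscapeRoot, attempting to create one...
[11/Sep/2008:15:11:18 +0000] - Fedora-Directory/1.1.2 B2008.253.1749 starting up
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
[11/Sep/2008:15:11:19 +0000] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[11/Sep/2008:15:11:19 +0000] - Failed to initialize cipher AES in attrcrypt_init
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<msg>.*)$")
CREATED = re.compile(r"No symmetric key found for cipher (\S+) in backend (\S+?),")
UNWRAP = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (\S+)")
INIT = re.compile(r"Failed to initialize cipher (\S+) in attrcrypt_init")

def startups(log_text):
    """Split an errors log into one record per server startup."""
    runs = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if msg.endswith("starting up"):
            runs.append({"started": ts, "created": [],
                         "unwrap_failed": Counter(), "init_failed": set()})
        elif runs and (c := CREATED.search(msg)):
            runs[-1]["created"].append((c[1], c[2]))   # (cipher, backend)
        elif runs and (u := UNWRAP.search(msg)):
            runs[-1]["unwrap_failed"][u[1]] += 1
        elif runs and (i := INIT.search(msg)):
            runs[-1]["init_failed"].add(i[1])
    return runs

def lost_keys(runs):
    """Ciphers whose key was created at one startup and fails to unwrap at a later one."""
    created, findings = set(), []
    for run in runs:
        for cipher, count in run["unwrap_failed"].items():
            if cipher in created:
                findings.append((run["started"], cipher, count))
        created.update(cipher for cipher, _backend in run["created"])
    return findings
```

Calling `lost_keys(startups(text))` on a full errors log returns one `(startup time, cipher, failure count)` tuple per affected cipher and startup.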
[Fedora-directory-users] Sudo and Ldap
by Kashif Ali
Hello all,
I have successfully set up FDS on CentOS 5.2, and managed to get users signing
on without any issues. However, if I edit the sudoers file to allow a group
on LDAP to use sudo, the sudo command does not see the members of the group or,
I think, the group itself?
I have no idea why this is:
if I run the command 'id' as the given user you can clearly see the group
memberships; however, if I do: getent group linuxops I see:
linuxops:*:6000:
with no members??? However, SSHD AllowGroups works? I have configured sshd to
only allow members of the linuxops group to login and this works fine? So my
question is why is sudo behaving differently?
14 years, 6 months
[Fedora-directory-users] mod_cgi or mod_cgid for adminserver?
by PGNet
Per docs @ http://directory.fedoraproject.org/wiki/AdminServer,
"Admin Server is ... formerly based on the Netscape Enterprise Server
but has been ported to use the Apache 2.x webserver using the Worker
model (multi-threaded mode, not multi process)."
I've installed as prereq,
httpd2 -V | grep MPM
Server MPM: Worker
-D APACHE_MPM_DIR="server/mpm/worker"
Per, "Apache Module mod_cgid"
(http://httpd.apache.org/docs/2.2/mod/mod_cgid.html),
"This module (mod_cgid) is used by default instead of mod_cgi
whenever a multi-threaded MPM is selected during the compilation
process. At the user level, this module is identical in configuration
and operation to mod_cgi. The only exception is the additional
directive ScriptSock which gives the name of the socket to use for
communication with the cgi daemon."
In FedoraDS' install of adminserver, mod_cgi is loaded (and fails
@exec, as it's not installed by default),
@ #144 /etc/dirsrv/admin-serv/httpd.conf
LoadModule cgi_module /usr/lib64/apache2-worker/mod_cgi.so
and, also references mod_cgid.c,
@ #392 /etc/dirsrv/admin-serv/httpd.conf
<IfModule mod_cgid.c>
...
</IfModule>
which will never hit as mod_cgid is not @ LoadModule.
Should mod_cgi, then, be loaded for FedoraDS use, or mod_cgid?
Thanks.
14 years, 6 months
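One way to find the mismatch described in the post above, added here as an example (it is not part of the original post or of the FedoraDS sources): walk an httpd.conf in order and list `<IfModule>` blocks whose test can never pass given the `LoadModule` lines seen so far. It assumes a module's source name is its `.so` basename with `.c`, does not follow `Include` files, and takes modules compiled into httpd (as listed by `httpd -l`) through the hypothetical `static_modules` parameter; the `ScriptSock` path in the sample is constructed.

```python
import posixpath
import re

# Constructed httpd.conf fragment built around the two directives quoted in the post.
SAMPLE_CONF = """\
LoadModule cgi_module /usr/lib64/apache2-worker/mod_cgi.so
<IfModule mod_cgid.c>
    ScriptSock /var/run/cgid_sock
</IfModule>
<IfModule mod_cgi.c>
    # reached: mod_cgi.so is loaded above
</IfModule>
"""

LOAD = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)
IFMOD = re.compile(r"^\s*<IfModule\s+(!?)\s*([^>\s]+)\s*>", re.I)


def dead_ifmodule_blocks(conf_text, static_modules=()):
    """Return (line number, module) for IfModule tests that cannot match.

    Modules are tracked in file order, because an IfModule test only sees
    modules that were loaded before it.
    """
    loaded = set(static_modules)
    dead = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        if (m := LOAD.match(line)):
            so_name = posixpath.basename(m[2])
            # Record both spellings IfModule accepts: the module identifier
            # and the source file name (assumed to be <so basename>.c).
            loaded.update({m[1], posixpath.splitext(so_name)[0] + ".c"})
        elif (m := IFMOD.match(line)):
            negated, name = m[1] == "!", m[2]
            # Plain test is dead when the module is absent;
            # a negated test (!mod_x.c) is dead when it is present.
            if (name in loaded) == negated:
                dead.append((number, name))
    return dead
```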
[Fedora-directory-users] missing "console.conf" in headless FedoraDS install
by PGNet
I'm building & installing FedoraDS on a headless server.
For the moment, remote management via shell login is fine; no
graphical consoles required.
I've built/installed from cvs source
FedoraDirSvr_1_1_2 ldapserver
adminutil_1_1_7 adminutil
mod_nss108 mod_nss
FedoraDirSrvAdmin_1_1_6 adminserver
FedoraDirSrvAdmin_1_1_6 mod_admserv
FedoraDirSrvAdmin_1_1_6 mod_restartd
@ Setup exec of,
setup-ds-admin.pl
I get,
Creating directory server . . .
Your new DS instance 'FedoraDS' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Error opening /etc/dirsrv/admin-serv/console.conf: No such file or
directoryCould not update the httpd engine configuration.
Failed to create and configure the admin server
Exiting . . .
Log file is '/tmp/setup4lZetX.log'
And, checking,
ls -1 /etc/dirsrv/admin-serv/
adm.conf
admpw
cert8.db
key3.db
local.conf
secmod.db
Is 'console.conf', in fact, required for console-less operation?
If so, where's it originate? Have I missed a required install,
perhaps "FedoraConsoleFramework_1_1_2"?
If not, where can I fix the dependency?
Remove @ #174:
} else {
# set up directory server instance to be managed by the console/adminserver
$setup->msg('create_subds');
if (!createSubDSNoConn($setup->{inf}, \@errs)) {
$setup->msg($FATAL, @errs);
$setup->msg($FATAL, 'error_create_configds');
$setup->doExit(1);
from "setup-ds-admin.pl"? A preference setting somewhere?
Thanks.
14 years, 6 months
[Fedora-directory-users] email clients
by Malcolm Amir Hussain-Gambles
Just wondering what email clients people use for address books.
I've tried evolution, but it seems completely unstable for ldap, I've
had no choice but to revert to people using thunderbird. (this is the
fc9 version)
Thunderbird is stable but lacks features.
Claws is probably the best, but doesn't have that corporate feel like
evolution.
Are most people using outlook?
Cheers,
Malcolm
14 years, 6 months
[Fedora-directory-users] LDAP Error with sync agreement using ssl
by steve nguyen
Hi everybody,
I have created two sync agreements in FDS. I've got an error message with the one using SSL: "LDAP error: Can't contact LDAP server. Error Code 81."
The second sync agreement, without SSL, works.
I think this error should come from a certificate that I've created.
To create my certificate on Fedora I've used the second script from the fds wiki.
I want to know another thing: I selected single master in the replica role column. If I choose multiple master, will the sync happen from both sides: AD and FDS?
PS: excuse me for my bad English.
14 years, 6 months
[Fedora-directory-users] Can't connect to Redhat AS5 by 'telnet' !!!
by 김정곤
Hi everyone.
I have a problem. I am using FDS-1.0.4, and have Linux machines, Redhat AS4
and Redhat AS5.
But I can't connect to the Redhat AS5 machine by telnet, although I can connect to
the machine using 'su'.
The Redhat AS4 machine has no problem.
Have you had this experience?
Would you please help me?
Thanks
14 years, 6 months