[Fedora-directory-users] Allow root to change user's passwords
by Orion Poplawski
I'm used to being able to change users' passwords as root using the
"passwd" command on my main server (this was with NIS and the master
shadow file kept on the server). Now with FDS, I get:
# passwd orion
Changing password for user orion.
Enter login(LDAP) password:
and I must enter the password for the user "orion". This gets tricky
when the user has forgotten their password.
Is there a way to avoid this first check and allow root to force a
change of the password?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
14 years, 5 months
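An added example, not from the original post and not FDS's own documentation. The prompt above is pam_ldap asking for the user's current password because it binds to the directory as that user. When the calling process runs as uid 0 and rootbinddn is set in /etc/ldap.conf, pam_ldap binds as that DN instead, with the password read from /etc/ldap.secret (root-only, mode 0600), and no old password is needed. Putting cn=Directory Manager's password on every client is a poor trade, so the LDIF below creates a dedicated reset account and gives it write access to userPassword and nothing else. The suffix dc=example,dc=com, the container ou=Special Users and the name cn=pwreset are assumptions.

```ldif
# Added example (assumed suffix dc=example,dc=com). Apply with:
#   ldapmodify -x -H ldap://ldap.example.com -D "cn=Directory Manager" -W -f pwreset.ldif

# 1. A dedicated account used only for password resets.
dn: cn=pwreset,ou=Special Users,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
cn: pwreset
sn: pwreset
description: Bound by pam_ldap (rootbinddn) on clients to reset user passwords
userPassword: REPLACE-WITH-A-STRONG-PASSWORD

# 2. An ACI on the users' container that lets that account write
#    userPassword only; every other attribute stays read-only for it.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
  (version 3.0; acl "pwreset may reset user passwords";
  allow (write) userdn = "ldap:///cn=pwreset,ou=Special Users,dc=example,dc=com";)
```

On each client, set `rootbinddn cn=pwreset,ou=Special Users,dc=example,dc=com` in /etc/ldap.conf and put that account's password in /etc/ldap.secret with mode 0600; `passwd orion` run by root then binds as cn=pwreset and skips the old-password prompt. For a one-off reset from the server, the OpenLDAP client does the same over the Password Modify extended operation: `ldappasswd -x -H ldap://ldap.example.com -D "cn=Directory Manager" -W -S "uid=orion,ou=People,dc=example,dc=com"`. Bear in mind that anyone who is root on a client holding ldap.secret can reset any user's password, which is why the bound DN should be this restricted account rather than Directory Manager; if the global password policy has passwordMustChange set to on, users are forced to choose a new password at their next login after such a reset.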
[Fedora-directory-users] Referential Integrity
by Hartmann, Tim
So after my trials and tribulations with "Referrals for Update
Operations" (thanks again, you guys rock!), henceforth known as "Tim's
continuing LDAP Saga and Viking Cha-Cha",
I came across "Referential Integrity" in the docs, and boy howdy does it
look useful!
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Creating_Directory_E...
I had a couple of concerns before I enable it that I was hoping people
could chime in on!
1) I'd like to have Referential Integrity monitor the memberUid field as
well, but it was unclear to me from the documentation whether, when
scanning the directory, it scans ALL the directories hosted by a given
server or just the directory where the user was deleted.
For example, I have two root suffixes, both of which contain users and
groups, and more often than we'd like user "foo" exists in both...
dc=example,dc=edu
dc=dept,dc=example,dc=edu
if I delete user uid=foo,ou=People,dc=dept,dc=example,dc=edu
would the Referential Integrity plug-in know to leave any instance of
"uid=foo" and "memberUid=foo" in the dc=example,dc=edu branch alone?
2) I have 2 masters (set up as multi-master) and 4 replicas. There
are a number of warnings about setting this up on only 1 of the masters
(which shouldn't be a problem). In the case that M1 is configured with
the Referential Integrity plug-in, and it goes down for some amount of
time, and a user is deleted, will the plug-in "catch up" once M1 has been
brought back online?
Thanks for the input!
Tim
14 years, 7 months
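An added example, not from Tim's post or the linked docs: the Referential Integrity plug-in's configuration entry as it is laid out in DS 8.0-era servers, with memberUid appended to the attribute list. The arguments are positional: nsslapd-pluginArg0 is the update interval in seconds (0 means clean up synchronously within the delete), nsslapd-pluginArg1 the plug-in's log file used when the interval is non-zero, and nsslapd-pluginArg3 onwards the attributes whose values get cleaned up, so a new attribute goes in the next free slot. The instance name slapd-example in the log path is an assumption. Enable it on one master only, as the docs warn.

```ldif
# Added example (instance name slapd-example is an assumption).
# Apply on ONE master only, then restart that instance:
#   ldapmodify -x -D "cn=Directory Manager" -W -f referint.ldif
dn: cn=referential integrity postoperation,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
add: nsslapd-pluginArg7
nsslapd-pluginArg7: memberUid

# Resulting entry, as seen with
#   ldapsearch -x -D "cn=Directory Manager" -W \
#     -b "cn=referential integrity postoperation,cn=plugins,cn=config"
# nsslapd-pluginEnabled: on
# nsslapd-pluginArg0: 0                                   update interval; 0 = synchronous
# nsslapd-pluginArg1: /var/log/dirsrv/slapd-example/referint   log used when interval > 0
# nsslapd-pluginArg2: 0                                   keep the shipped default
# nsslapd-pluginArg3: member
# nsslapd-pluginArg4: uniquemember
# nsslapd-pluginArg5: owner
# nsslapd-pluginArg6: seeAlso
# nsslapd-pluginArg7: memberUid
```

One caveat worth checking with a test delete before relying on it: the plug-in looks for attribute values equal to the deleted entry's DN, and memberUid holds a bare uid rather than a DN, so listing it may not clean up posixGroup memberships the way member and uniquemember are cleaned up. Run a delete against a throwaway user on the master where the plug-in is enabled and inspect both the group entries and the plug-in log before enabling it in production.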
[Fedora-directory-users] Do you use WinSync for group sync?
by Rich Megginson
We're currently investigating the group sync feature of Windows Sync,
and we wanted to know how it is deployed. Do you sync groups? What
types of groups? Security or Distribution? Global or Local? Do the
groups have "meaning" in both AD and Fedora DS, or only in one side?
14 years, 7 months
[Fedora-directory-users] [OT?] tls_checkpeer yes problems
by John A. Sullivan III
Hello, all. This may be a bit off-topic as it is primarily an ldap
client issue but I am having a bear of a time getting my test centos
clients to access fds. The problem is tls_checkpeer. I do want it set
to yes but this breaks access. It is as if the directory server's cert
cannot be validated against the CA cert. Here are the pertinent
settings from my centos client ldap.conf (as you can see, I've tried
many combinations):
uri ldap://ldap.mycompany.com/
#host ldap.mycompany.com
#ssl on
ssl start_tls
#tls_cacertdir /etc/pki/tls/certs
tls_cacertfile /etc/pki/tls/certs/SSICA.pem
pam_password md5
tls_checkpeer yes
tls_ciphers TLSv1
An strace shows that the SSICA.pem file is opened. Apparently, this is
a problem in Ubuntu because of a change to gnutls. However, I can
confirm the combination of uri ldap://, ssl start_tls, and tls_certfile
rather than tls_certdir work on Ubuntu. My problem is redhat style
systems.
Our test bed is CentOS 5.2. Does anyone have this working on newer
redhat based systems? If so, with what configuration? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
14 years, 7 months
[Fedora-directory-users] Authentication problems
by Per Qvindesland
Hi List
After having installed Directory Server with no problems and created a test
user account, I then went ahead and configured a client to test
authentication to my new directory server. Sadly, after a reboot I can't
log in with the new user account that I created. I have spent a few days
reading up on what the problem may be, but until now I have had very
little joy.
If I try ldapsearch -v then I get the error message:
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
If I use ldapsearch -x then I get the output of an LDIF file with all groups,
users and domains available, so there is apparently nothing wrong with the
communication. I truly believe that this is a security problem that sits
somewhere, but I have no idea.
Could anyone give me some pointers to how I could fix this problem?
Regards
Per Qvindesland
14 years, 8 months
[Fedora-directory-users] posix root user in ds
by John A. Sullivan III
Hello, all. I'm intentionally doing some things the hard way to
understand how they work. I'd like to place the root user into my
directory. The client with which I am testing can query ldap and allows
login for users defined in ldap.
I then tried to add the root user without using an import script. I
created a user with both uidnumber and gidnumber set to 0 and uid and cn
set to root. I then set a password in ldap different from the one on
the local system and attempted to login to my test system as root. It
failed with the LDAP password but succeeded with the local password.
/etc/nsswitch.conf has "file ldap" for both passwd and shadow. I tried
changing the password both from the local station and from ldap and they
did not synchronize.
I then added an objectclass of shadowaccount and added attributes for
shadowmin, shadowmax, shadowwarning, shadowlastchange as in
the /etc/shadow file. Still no luck.
What must one do to synchronize an existing local account with an ldap
account? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
14 years, 8 months
[Fedora-directory-users] Proper way to generate a server certificate.
by James Chavez
Hello List,
I am trying to set up SSL between an AD or eDir box and my FDS box.
I want to generate a server cert for the AD or eDir box, import it
into eDir/AD, and import the CA cert into AD/eDir as well.
What commands do I use to accomplish this?
Also, what format does the cert need to be in to import successfully into AD
or eDir?
I have generated a self-signed CA cert named "FDS CA" and
exported it with
certutil -L -d . -n "FDS CA" -a > ca.asc
certutil -L -d . -n "FDS CA" -r > ca.der
I have generated a server cert for the AD/eDir box with
certutil -S -n "server-Cert" -s "cn=host.example.com" -c "FDS CA" -t "u,u,u" -m 3002 -v 120 -d . -z ./noise.txt -f ./pwdfile.txt
and exported it with
pk12util -d . -o /tmp/server-cert.p12 -n "server-Cert"
I then sent the CA cert in ASCII and .der format along with the
server-cert.p12 to the admin, but he gets the errors below trying to import
into eDir.
Need help on this one please.
-1240 FFFFFB28 PKI E PARSE CERTIFICATE
Source
Novell(r) Certificate Server
Explanation
Novell Certificate Server was unable to parse a certificate that has
been stored or is being stored.
Possible Cause
The user attempted to store a certificate or a certificate chain with an
invalid encoding into a Server Certificate object. The certificate or
certificate chain obtained from the Certificate Authority is invalid.
Action
Perform the following operations:
* Contact the Certificate Authority that issued the server
certificate to obtain the Certificate Authority's certificate.
* Using ConsoleOne(r), view the Server Certificate object. Click
Import.
* Import the Certificate Authority's certificate as the trusted
root.
* Import the server's certificate as the object certificate.
If the problem persists, contact the Certificate Authority.
Anybody out there who can help out, please?
Thanks
James
14 years, 8 months
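An added worked example that serves both John's tls_checkpeer question and James's certificate question; it is not from either post and it is not FDS's own tooling. It redoes the CA / server-certificate procedure with OpenSSL in place of certutil and pk12util, so each artefact can be produced in the formats the other side asks for (the CA certificate alone as PEM and DER to import as the trusted root, the server certificate alone as PEM and DER to import as the object certificate, and a PKCS#12 bundle for transport), and then runs by hand the two checks that tls_checkpeer yes implies: the server certificate must chain to the file named in tls_cacertfile, and its subject must match the host in the uri. A negative control checks the same certificate against a CA that did not issue it, which is the failure mode a wrong tls_cacertfile produces. The names FDS CA and host.example.com, the export password and the scratch directory are assumptions; only the openssl command is needed.

```sh
#!/bin/sh
# Added example (not FDS code): CA + server certificate with OpenSSL,
# PKCS#12 export and re-extraction, then the checks an LDAP client with
# tls_checkpeer yes performs.  Every name below is an assumption.
set -e

WORK="${WORK:-$(mktemp -d)}"       # scratch directory, left in place for inspection
CA_NAME="FDS CA"
HOST="host.example.com"
P12_PASS="changeit"                # export password; use a real one outside a test

# 1. Self-signed CA: PEM (what ldap.conf tls_cacertfile expects) and DER.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$CA_NAME" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
}

# 2. Server key + CSR signed by the CA.  The subject CN is the name
#    clients put in "uri ldap://..." so the hostname check can succeed.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/server.pem" 2>/dev/null
}

# 3. Bundle certificate, key and CA for transport (the pk12util role),
#    then pull the server certificate back out on its own as PEM and DER:
#    importers that take the CA as "trusted root" and the server cert as
#    "object certificate" want the leaf by itself, not the whole chain.
export_and_extract() {
    openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
        -certfile "$WORK/ca.pem" -name "server-Cert" -passout "pass:$P12_PASS" \
        -out "$WORK/server-cert.p12"
    openssl pkcs12 -in "$WORK/server-cert.p12" -passin "pass:$P12_PASS" \
        -clcerts -nokeys -out "$WORK/server-only.pem" 2>/dev/null
    openssl x509 -in "$WORK/server-only.pem" -outform DER -out "$WORK/server-only.der"
}

# 4. A second CA that did NOT issue the server certificate: the negative
#    control for a client pointed at the wrong tls_cacertfile.
make_other_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# 5. The checks.  chain_ok_against CAFILE: does the leaf chain to that CA?
#    host_ok NAME: does the leaf also match NAME (subject CN here, since the
#    certificate carries no subjectAltName)?  Both return 0 on success.
chain_ok_against() {
    openssl verify -CAfile "$1" "$WORK/server-only.pem" >/dev/null 2>&1
}
host_ok() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/server-only.pem" >/dev/null 2>&1
}

make_ca
make_server_cert
export_and_extract
make_other_ca
chain_ok_against "$WORK/ca.pem"    && echo "chain to '$CA_NAME': ok"
host_ok "$HOST"                     && echo "hostname $HOST: ok"
chain_ok_against "$WORK/other.pem" || echo "chain to 'Other CA': rejected (expected)"
host_ok "other.example.com"         || echo "hostname other.example.com: rejected (expected)"
echo "artefacts in $WORK:"; ls "$WORK"
```

On the client side, the same two checks against the real server are `openssl verify -CAfile /etc/pki/tls/certs/SSICA.pem -verify_hostname ldap.mycompany.com server.pem`, with server.pem taken from the directory server's certificate database (`certutil -L -d /etc/dirsrv/slapd-INSTANCE -n Server-Cert -a`); if that fails, tls_checkpeer yes will fail for the same reason. Two practical notes: the CA file must contain the issuing CA's certificate, not the server certificate, and with OpenSSL 3 add `-legacy` to `openssl pkcs12 -export` when the receiving product is old enough to reject AES-based PKCS#12 files.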
[Fedora-directory-users] chainings and views (aka views don't follow chains)
by Roberto Polli
hi all,
I'm implementing an LDAP proxy with chaining, but it seems that views don't
follow the chains.
on real servers I got the following structure:
dc=top
o=sample
dc=sample.com
and
dc=nsroot
ou=view
nsviewfilter: (dc=*)
so that I can access domains directly under dc=nsroot.
When I made such a structure on the proxy
I put in a chain
dc=top
o=sample ---> realserver
After creating the ou=view, I found nothing under it.
Hope someone can help..
Peace, R.
--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
14 years, 8 months
[Fedora-directory-users] nested groups
by Jan-Frode Myklebust
Is there any way of nesting groups in Fedora Directory Server?
I tried creating a group "testgroup" with another group as
uniqueMember, but "getent group testgroup" didn't pull in any
users from the uniqueMember group.
-jf
14 years, 8 months