[Fedora-directory-users] FDS 1.1 is not starting on Fedora 10
by Morenisco
Hi,
I tried with Fedora 10 and FDS 1.1, but it appears that I'm experiencing
the same problem described in my last email.
The installation looks good, but in the last part, when trying to start
the server, it fails:
The interactive phase is complete. The script will now set up your
servers. Enter No or go Back if you want to change something.
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Server failed to start !!! Please check errors log for problems
And the error log doesn't contain any error:
[...]
[28/Dec/2008:16:43:21 -0300] - import userRoot: Import complete.
Processed 9 entries in 1 seconds. (9.00 entries/sec)
[28/Dec/2008:16:43:21 -0300] - Fedora-Directory/1.1.3 B2008.289.115
starting up
Does anyone know what could be failing, please?
Regards.
--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://santiago.flisol.cl
Blog: http://morenisco.belvil.eu
14 years, 11 months
[Fedora-directory-users] FDS 1.1 is not starting on CentOS 5
by Morenisco
Hi,
I was able to install and configure FDS 1.1 on CentOS 5, but in the
last step of the configuration the service doesn't start.
1) I saw the following messages in the last part of the installation:
Are you ready to set up your servers? [yes]:
Creating directory server . . .
Server failed to start !!! Please check errors log for problems
Could not start the directory server using command
'/usr/lib/dirsrv/slapd-dirserver1/start-slapd'. The last line from the
error log was '[28/Dec/2008:11:18:14 -0300] - Fedora-Directory/1.1.3
B2008.269.157 starting up
'. Error: Unknown error 256
Error: Could not create directory server instance 'dirserver1'.
Exiting . . .
Log file is '/tmp/setupRikE7Y.log'
2) The error log just says the following:
[28/Dec/2008:12:41:07 -0300] - Fedora-Directory/1.1.3 B2008.269.157
starting up
3) The log file /tmp/setupRikE7Y.log says the following:
[08/12/28:11:13:10] - [Setup] Info Are you ready to set up your servers?
[08/12/28:11:13:16] - [Setup] Info yes
[08/12/28:11:13:16] - [Setup] Info Creating directory server . . .
[08/12/28:11:23:18] - [Setup] Info Could not start the directory server
using command '/usr/lib/dirsrv/slapd-dirserver1/start-slapd'. The last
line from the error log was '[28/Dec/2008:11:18:14 -0300] -
Fedora-Directory/1.1.3 B2008.269.157 starting up
'. Error: Unknown error 256
[08/12/28:11:23:18] - [Setup] Fatal Error: Could not create directory
server instance 'dirserver1'.
[08/12/28:11:23:18] - [Setup] Fatal Exiting . . .
Well, I'm using the user 'nobody' and group 'nobody'.
4) When I try to run the command by hand as root, I get the same:
[root@dirserver1 slapd-dirserver1]# pwd
/usr/lib/dirsrv/slapd-dirserver1
[root@dirserver1 slapd-dirserver1]# ./start-slapd
Server failed to start !!! Please check errors log for problems
5) Running the script with sh -x, I found the command that is not
starting:
+ cd /usr/sbin
+ ./ns-slapd -D /etc/dirsrv/slapd-dirserver1 -i
/var/run/dirsrv/slapd-dirserver1.pid -w
/var/run/dirsrv/slapd-dirserver1.startpid
6) Running the last command by hand:
[root@dirserver1 sbin]# ./ns-slapd -D /etc/dirsrv/slapd-dirserver1 -i
/var/run/dirsrv/slapd-dirserver1.pid -w
/var/run/dirsrv/slapd-dirserver1.startpid
[root@dirserver1 sbin]#
[root@dirserver1 sbin]# ps -fea | grep slapd
root 6893 6729 0 12:55 pts/3 00:00:00 grep slapd
==> this is not starting.
7) Trying the same, but with trace level:
./ns-slapd -d 1 -D /etc/dirsrv/slapd-dirserver1 -i
/var/run/dirsrv/slapd-dirserver1.pid -w
/var/run/dirsrv/slapd-dirserver1.startpid
[28/Dec/2008:12:58:18 -0300] - <= send_ldap_result
[28/Dec/2008:12:58:18 -0300] - Fedora-Directory/1.1.3 B2008.269.157
starting up
Failed to open stats file (/var/run/dirsrv/slapd-dirserver1.stats)
(error 1).
So the ns-slapd binary is not creating the file
/var/run/dirsrv/slapd-dirserver1.stats (I think).
8) Some details of the binary and my kernel version:
[root@dirserver1 sbin]# file ns-slapd
ns-slapd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux
2.6.9, stripped
[root@dirserver1 sbin]#
[root@dirserver1 sbin]# uname -a
Linux dirserver1.cdsl.cl 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT
2008 i686 i686 i386 GNU/Linux
Could it be related to the difference in kernel version?
Thanks!
--
Morenisco.
Centro de Difusión del Software Libre.
http://www.cdsl.cl
http://santiago.flisol.cl
Blog: http://morenisco.belvil.eu
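An added diagnostic helper, not code from the thread, for the step 7 output above. It parses the stats-file failure line and resolves the number as a Unix errno (an assumption: the post does not say what "error 1" is; if it is an errno, 1 is EPERM), then applies the classic owner/group/other permission check to the parent directory for the uid/gid the instance is configured to run as (the post says user and group "nobody"). The sample output and paths are copied from the post; everything else is assumed. Note also that the setup script's "Unknown error 256" is Perl's $? for an exit status of 1, i.e. start-slapd exited 1, and carries no further information.

```python
import errno
import os
import re
import stat

# Constructed sample of the "ns-slapd -d 1" output quoted in step 7 of the post.
SAMPLE_OUTPUT = """\
[28/Dec/2008:12:58:18 -0300] - Fedora-Directory/1.1.3 B2008.269.157 starting up
Failed to open stats file (/var/run/dirsrv/slapd-dirserver1.stats) (error 1).
"""

STATS_FAILURE = re.compile(
    r"Failed to open stats file \((?P<path>[^)]+)\) \(error (?P<code>\d+)\)"
)


def parse_stats_failure(output):
    """Extract (path, code, name) from the stats-file failure line.

    Assumption (not confirmed by the post): the number is a Unix errno,
    so code 1 maps to EPERM. Returns None when the line is absent."""
    m = STATS_FAILURE.search(output)
    if m is None:
        return None
    code = int(m.group("code"))
    return m.group("path"), code, errno.errorcode.get(code, "UNKNOWN")


def dir_writable_by(path, uid, gid, groups=()):
    """Classic Unix owner/group/other check: can a process running as
    uid/gid create files in directory `path`? That needs write and search
    (x) permission on the directory. Ignores POSIX ACLs and SELinux, so a
    True result is necessary, not sufficient."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid or st.st_gid in groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def diagnose(output, uid, gid, groups=()):
    """Combine both checks: which file failed, what the code means, and
    whether the parent directory is writable by the service user."""
    parsed = parse_stats_failure(output)
    if parsed is None:
        return None
    path, code, name = parsed
    parent = os.path.dirname(path)
    writable = os.path.isdir(parent) and dir_writable_by(parent, uid, gid, groups)
    return {"path": path, "errno": code, "name": name,
            "parent": parent, "parent_writable": writable}


if __name__ == "__main__":
    # The post says the instance runs as user/group 'nobody'; fall back to
    # the conventional 65534 if the account is missing on this host.
    import pwd, grp
    try:
        uid = pwd.getpwnam("nobody").pw_uid
        gid = grp.getgrnam("nobody").gr_gid
    except KeyError:
        uid, gid = 65534, 65534
    print(diagnose(SAMPLE_OUTPUT, uid, gid))
```

Run it on the box as root after a failed start; if the parent directory is not writable by the service user, that is the first thing to fix before reading anything else into the trace, but a writable directory does not exclude an ACL or SELinux denial.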
[Fedora-directory-users] WindowSync and Netgroups: Where to add netgroup attributes?
by Kenneth Holter
Hi.
We're planning on using netgroups to control user access to the different
servers within our organization, and the netgroups will be populated based
on group memberships on the AD-side (we'll use WindowsSync to sync groups
from AD to DS). The basic idea is this:
- Sync AD-group entry "group1" over to DS-group entry "group1". This is
done automatically with WindowsSync.
- Populate netgroup entry "netgroup1" based on DS-group entry "group1".
Alternatively, add the "nisNetgroup" object class to the DS-group entry.
- Configure clients to use netgroup based authentication.
A script will be created to manage netgroup membership dynamically, but
creation of netgroups will probably be done manually.
Anyway, we need to decide on whether to have a separate netgroup entry and
populate netgroup attributes here, or if we should simply add
netgroup attributes to the DS-group itself. I believe that both options will
work just fine, but would like to hear from others who may have implemented
a similar scheme. Maybe there are some pitfalls that we should be aware of.
Regards,
Kenneth Holter
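An added example, not part of the post: a generator for the "script that manages netgroup membership" the post mentions, in Python, covering both layouts under discussion (a separate nisNetgroup entry, or netgroup attributes grafted onto the synced group). The group DN, member DNs and netgroup DN are constructed sample data. It uses the RFC 2307 nisNetgroup object class, whose nisNetgroupTriple values have the form (host,user,domain) with unused fields left empty.

```python
import re

# Constructed sample: a DS group as WindowsSync would have created it from
# AD "group1". DN, attribute names and members are assumptions.
GROUP_ENTRY = {
    "dn": "cn=group1,ou=Groups,dc=example,dc=com",
    "member": [
        "uid=alice,ou=People,dc=example,dc=com",
        "uid=bob,ou=People,dc=example,dc=com",
        "uid=alice,ou=People,dc=example,dc=com",       # duplicate on purpose
        "cn=svc-backup,ou=Services,dc=example,dc=com",  # no uid RDN: skipped
    ],
}

# Split a DN on commas that are not escaped with a backslash.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def uid_from_dn(dn):
    """Return the uid value from a DN whose first RDN is uid=..., else None."""
    first = _UNESCAPED_COMMA.split(dn, 1)[0].strip()
    attr, sep, value = first.partition("=")
    if not sep or attr.strip().lower() != "uid":
        return None
    return value.strip()


def netgroup_triples(member_dns):
    """Map group members to sorted, de-duplicated RFC 2307 triples
    (host,user,domain); host and domain are left empty (any)."""
    uids = {u for u in (uid_from_dn(dn) for dn in member_dns) if u}
    return ["(,%s,)" % u for u in sorted(uids)]


def netgroup_entry_ldif(netgroup_dn, cn, triples):
    """Option 1: a dedicated nisNetgroup entry (changetype: add)."""
    lines = ["dn: " + netgroup_dn, "changetype: add",
             "objectClass: top", "objectClass: nisNetgroup", "cn: " + cn]
    lines += ["nisNetgroupTriple: " + t for t in triples]
    return "\n".join(lines) + "\n"


def netgroup_on_group_ldif(group_dn, triples):
    """Option 2: graft netgroup attributes onto the synced group itself.
    'replace' keeps the triples in step with membership on every run; the
    'add: objectClass' part only succeeds the first time (the server
    reports "Type or value exists" afterwards), so run it once."""
    lines = ["dn: " + group_dn, "changetype: modify",
             "add: objectClass", "objectClass: nisNetgroup", "-",
             "replace: nisNetgroupTriple"]
    lines += ["nisNetgroupTriple: " + t for t in triples]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    triples = netgroup_triples(GROUP_ENTRY["member"])
    print(netgroup_entry_ldif("cn=netgroup1,ou=Netgroup,dc=example,dc=com",
                              "netgroup1", triples))
    print(netgroup_on_group_ldif(GROUP_ENTRY["dn"], triples))
```

Feed the output to ldapmodify. Two pitfalls worth noting for option 2: nisNetgroup is a structural class, so the entry ends up with two structural classes (Fedora DS tolerates this, a schema-strict server would not), and anything that rewrites the group entry wholesale will drop the netgroup attributes. A separate entry (option 1) keeps the synced data and the access-control data apart.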
[Fedora-directory-users] ACI help
by James Chavez
Hello,
I am using FDS as a replacement for NIS for user authentication and
group and host entries.
I am looking to allow anonymous searches of the directory but to
disallow the visibility of the userPassword attribute.
I would like to allow access to the userPassword attribute to only the
user that is authenticating to the directory for logins.
I have read the ACI chapter of the Directory Server Administrator's
Guide but I am still struggling a bit.
Thank you
James
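As an added example (not from the post), an LDIF modify that sets the two ACIs the question asks for on an assumed suffix dc=example,dc=com: anonymous read/search/compare on every attribute except userPassword, and write on userPassword for the entry's own bound identity. Password verification during bind is done by the server itself and does not need read permission on userPassword, so no read rule for that attribute is required.

```ldif
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Anonymous read, userPassword excluded"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="userPassword")(version 3.0; acl "Users may change their own password"; allow (write) userdn="ldap:///self";)
-
```

Apply it with `ldapmodify -x -D "cn=Directory Manager" -W -f aci.ldif`. Use `add: aci` rather than `replace: aci`, which would discard every other ACI on the suffix. Verify as anonymous: `ldapsearch -x -b dc=example,dc=com '(uid=*)' userPassword` must return the entries without the attribute, and an anonymous `ldapcompare` against userPassword must be refused; excluding compare matters, because compare on userPassword would otherwise allow password guessing without ever binding.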
[Fedora-directory-users] config of SSL on ADs and FDS
by Abdellah Alaoui Ismaili
Can someone provide me with detailed documents on sharing certificates
between MS Active Directory and Fedora Directory Server? The
connection over port 636 does not work.
I have this in the Windows Sync error log file:
12/25/08 11:48:28: Backoff time expired. Attempting sync
12/25/08 11:48:28: Password list has 6 entries
12/25/08 11:48:28: Ldap bind error in Connect
81: Can't contact LDAP server
12/25/08 11:48:28: Can not connect to ldap server in SyncPasswords
12/25/08 11:48:28: Backing off for 16000ms
Over port 389 this information does synchronize, but the passwords
do not.
Can you help me please?
Re: [Fedora-directory-users] Exporting MD5 Hash from FD-DS into /etc/shadow
by Franta Hanzlík
Howard Chu wrote:
>> fedora-directory-users-request redhat com wrote:
>> dennis demarco com wrote:
>>> I would like to export the MD5 hash from the Fedora directory user's password
>>> attribute into /etc/shadow of a Linux machine not in LDAP (Redhat).
>>> It appears this isn't working, is there a way for me to do this?
>>> Not all machines are using ldap but I would like to export from ldap.
>>>
>> Hi,
>> I haven't tried this, but here's an idea just off the top of my head which _might_ work:
>>
>> 1. take away the {MD5} from the string
>> 2. base64 decode the rest of the string
>> 3. convert the string to hex
>> 4. put the $1$ at the front of the hex string
>> 5. put the whole string into the password field in /etc/shadow and test
>>
>> If that works, you could write a perl script to automate the procedure. And report back to the list as well :-)
>>
> No, the password field is not in hex, it uses the same 6-bit encoding
> that DES crypt() uses, which is different from base64.
> base64 uses the characters [A-Z][a-z][0-9]+/ while crypt uses
> the characters ./[0-9][A-Z][a-z] (in those exact orders).
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/
--
Hello,
I found this two-year-old thread. I have the same task, converting LDAP
values to passwd/shadow, and have to solve the password conversion. But
I'm still out of luck.
My idea is to use something like MD5 crypt() with an empty salt. This
probably works, since when I create a password this way:
openssl passwd -1 -salt "" "heslo"
$1$$1dziKo9JPNdLlVrGfqIBG.
the result works: with it in shadow I can authenticate and everything
works OK. The salt is empty: after the "$1$" signature the salt/hash
delimiter "$" follows immediately, and then the usual 22-character hash.
But the result of an MD5 password created e.g. with the command:
slappasswd -h {MD5} -s "heslo"
{MD5}lV2wuB7xmJtKTf6ugGGppg==
(I have values encoded in this manner in the LDAP DB. It isn't a
problem to convert among the different formats, e.g.:
echo -n "heslo"|md5sum
955db0b81ef1989b4a4dfeae8061a9a6
echo -n "heslo"|openssl dgst -md5 -hex
955db0b81ef1989b4a4dfeae8061a9a6
echo '<? $A=base64_encode(pack("H*",md5("heslo"))); echo $A;?>' | php
lV2wuB7xmJtKTf6ugGGppg==
And it is simple to obtain the full 128-bit hex MD5 hash by reverting the LDAP values:
echo '<? $A=unpack("H*",base64_decode("lV2wuB7xmJtKTf6ugGGppg==")); echo $A[1];?>'|php
955db0b81ef1989b4a4dfeae8061a9a6
)
In general, I have to convert the 22-character base-64 value to the
22-character value generated by MD5 crypt():
lV2wuB7xmJtKTf6ugGGppg # LDAP base-64 value
1dziKo9JPNdLlVrGfqIBG. # MD5 crypt() value
Both use a 6-bit encoding, the first with the charset "[A-Z][a-z][0-9]+/",
the second with the characters "./[0-9][A-Z][a-z]". But a simple
conversion like this:
CRYPT_HASH=`echo "$BASE64_HASH"|tr 'A-Za-z0-9+/' './0-9A-Za-z'`
does not work.
Is this problem solvable at all?
Did anyone in this thread succeed in solving it?
Is the empty-salt idea sound, and is the problem only in the conversion
between the 6-bit DES crypt() encoding and base-64 encoding?
Does anyone have any knowledge about this?
Thanks in advance,
Franta Hanzlik
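As an added example (not code from the thread), the following Python implements both schemes side by side: the {MD5} value slappasswd stores (one unsalted MD5, base64-encoded) and the $1$ md5crypt construction that glibc crypt() uses, plus a decoder that turns the 22 crypt characters back into their 16 bytes. It reproduces the two values quoted above for "heslo" and shows why the tr conversion cannot work: md5crypt is a salted, 1000-round function whose output bytes are also interleaved in the encoding, so even with an empty salt its digest is not md5(password). Only the password "heslo" and the two hashes are taken from the thread; function names are the example's own.

```python
import base64
import hashlib

# crypt()'s 6-bit alphabet, in the order the thread quotes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# The three byte positions packed into each 4-character group of a $1$ hash.
_GROUPS = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))


def ldap_md5_hash(password):
    """The {MD5} scheme slappasswd emits: one unsalted MD5, base64-encoded."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def ldap_md5_to_hex(value):
    """Decode a {MD5} value back to the 32 hex digits (what the PHP one-liner does)."""
    assert value.startswith("{MD5}")
    return base64.b64decode(value[5:]).hex()


def _to64(v, n):
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out


def encode_digest(final):
    """md5crypt's encoding of 16 digest bytes into 22 characters, with the
    byte interleaving of the reference implementation."""
    out = ""
    for a, b, c in _GROUPS:
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    return out + _to64(final[11], 2)


def decode_digest(enc):
    """Inverse of encode_digest: 22 crypt characters back to 16 bytes."""
    assert len(enc) == 22

    def val(chunk):
        v = 0
        for k, ch in enumerate(chunk):
            v |= ITOA64.index(ch) << (6 * k)
        return v

    out = bytearray(16)
    for n, (a, b, c) in enumerate(_GROUPS):
        v = val(enc[4 * n:4 * n + 4])
        out[a], out[b], out[c] = (v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF
    out[11] = val(enc[20:22]) & 0xFF
    return bytes(out)


def md5crypt(password, salt=""):
    """The $1$ algorithm used by glibc crypt() and `openssl passwd -1`
    (Poul-Henning Kamp's md5crypt): salted, 1000 rounds, not a single MD5."""
    pw = password.encode()
    salt = salt[:8].encode()
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in |pw| bytes of the alternate sum
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of |pw|: NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # the deliberately slow part
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    return magic.decode() + salt.decode() + "$" + encode_digest(final)


def tr_reencode(b64_22):
    """The tr-based conversion from the thread: swap alphabets only."""
    return b64_22.translate(str.maketrans(B64, ITOA64))


def empty_salt_equals_plain_md5(password):
    """Is the digest inside $1$$... the same 16 bytes as md5(password)?
    Compared on raw bytes, so the answer does not depend on any alphabet."""
    crypt_bytes = decode_digest(md5crypt(password, "").rsplit("$", 1)[1])
    return crypt_bytes == hashlib.md5(password.encode()).digest()


if __name__ == "__main__":
    print(ldap_md5_hash("heslo"))                  # {MD5}lV2wuB7xmJtKTf6ugGGppg==
    print(md5crypt("heslo", ""))                   # $1$$1dziKo9JPNdLlVrGfqIBG.
    print(tr_reencode("lV2wuB7xmJtKTf6ugGGppg"))   # not a valid $1$ hash
    print(empty_salt_equals_plain_md5("heslo"))    # False
```

The practical consequence: a stored {MD5} value cannot be turned into a glibc-compatible $1$ hash at all, because md5crypt needs the cleartext password as its input, and the cleartext is not recoverable from the digest. The same property that frustrates the export also cuts the other way: {MD5} is a single unsalted hash, so a leaked LDAP database is far cheaper to crack than shadow entries of the $1$ form.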