generate certificate request with certutil
by muzzol
hi,
i want to generate a certificate request from command line to send to
an external CA. this is what i use:
certutil -S -n "test-server" -s "CN=testserver.example.com" -c "CA auth" -t "u,u,u" -m 1023 -v 120 -d .
and i get this error:
certutil: unable to retrieve key CA auth: The private key for this certificate cannot be found in key database
i've imported the root cert for CA auth through the GUI but certutil
seems not to find it.
if i create the request via GUI everything is fine, but i need to use
certutil because i need to pass additional parameters not supported by
the GUI.
any hints?
--
========================
^ ^
O O
(_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers.
They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and
Catalans; let's see when it decides to talk to normal people"
Jiménez Losantos
========================
<echelon spamming>
bomb terrorism bush aznar teletubbies
</echelon spamming>
14 years, 4 months
Multimaster replication out of sync
by Mitja Mihelič
Hi!
We have two instances of the DS in a multimaster replication setup.
We had to restore the database of one of the servers from backup.
While the second master was down, the first was receiving updates.
After we fired up the restored master, it started receiving updates as
soon as a change occurred on the first master (i.e. after 15 minutes).
After the sync finished, we noticed they weren't identical.
Clicking "Send updates now" from the replication agreement does not help.
Is there a way to get them synced up again? Other than reinitializing
the second/restored master?
Regards,
Mitja
14 years, 4 months
import private key
by Mikael Kermorgant
Hello,
I've asked for a bunch of certificates lately, issuing the certificate
requests with openssl for all of them.
Unfortunately, I forgot that the procedure for installing a
certificate in 389ds was to issue the certificate request with its own
tools.
Is there an easy way to import my private key into 389ds in order to use
my new certificate?
Regards,
--
Mikael Kermorgant
14 years, 4 months
Re: Fedora-directory-users Digest, Vol 55, Issue 24
by Dimon
----------------------
>
> Message: 8
> Date: Tue, 15 Dec 2009 09:45:11 -0700
> From: Rich Megginson <rmeggins(a)redhat.com>
> Subject: Re: [389-users] I need some help!
> To: "General discussion list for the 389 Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <4B27BD17.5080504(a)redhat.com>
> Content-Type: text/plain; charset=windows-1251; format=flowed
>
> Dimon wrote:
> > Hi everyone! I'm a beginner with the Fedora Directory (389 project) server, so I hope that you will give me some advice to solve my problem.
> >
> > I want to synchronize my directory server with Active Directory's users (centos-ds-8.1.0). I read the Red Hat 8.1 manual and had success. But my AD users have Posix attributes (home directory, gidnumber, uidnumber, NIS domain) and they did not synchronize.
> Right. Windows Sync does not work with posix attributes.
> > I've read about the DNA plugin in DS. It's written that I have to check the plugin in my cn=plugins,cn=config and initialize it. I did so. I didn't have success. The problem is: my centos-ds doesn't match the example described in the Red Hat manual.
> >
> How so? What example? Can you provide a link?
I found some installation guide about directory-server in PDF format... and found there examples of how to configure DNA using the dnagidnumber, dnauidnumber, dnaNextvalue parameters. As I said, the LDAP schema doesn't have any of them. If necessary I will send you the installation guide!
> > It's written that I must have parameters such as dnagidnumber, dnauidnumber, dnaNextvalue and others (it is shown in the pictures). I don't have any parameters connected with dna... My LDAP schema doesn't have any dna*, nevertheless the DNA plugin (libdna.so) is present even in my ds-tree.
> These attributes and objectclasses are defined internally and not exported.
> > When I filled in the check box in order to configure DNA nothing happened!
YES, these parameters are internal - I wanted to see them in Directory -> config -> plugins -> DNS -> Properties -> advanced. I saw classes and other parameters, but I didn't see dna* in the way it is shown in the manual! I didn't see them. I tried to add them from the LDAP schema - but it doesn't contain any of them! I tried to reconfigure it from a file - which contains something like dn: cn= Distributed Advanced Plugin,cn=plugin,cn=config
Objectclass ... dnauidnumber, dnaguidnumber, dnaNextvalue and others... But when I tried to add it via the command line - I had an error - invalid dna (or unknown parameters - I'm not sure now!). I followed the manual. Configure DNA via command line!
> What check box?
On or off, Configuration -> DNA plugin cn=plugins,cn=config
> > During synchronization I still have no Posix account activated and the parameters which I need
> Do you think DNA is going to fill in home directory and NIS domain?
Actually I thought that I would have an opportunity to fill in guid and uid automatically using DNA or replicate them from my AD with it, because AD accounts contain them all.
> > I use centos-idm-console-1.0.1 in order to manage the server. When I try to turn off the DNA plugin - the server says that "Server in unwilling to perform the operation. Cause the DNA plugin doesn't configure properly" - or something like that.
> check the directory server access and errors logs for more information.
> > I found a manual about configuring centos-ds with pictures - and as I said (it's written that I have to turn on the DNA plugin - just fill in the check box).
> >
> Enabling and disabling plugin requires a server restart.
It doesn't work! Because when I'm trying to turn off the DNA plugin and push the save button - I get the error. Otherwise my settings don't save! Of course I tried to reboot my server! And the plugin is still on. So I found it in my .lde config and turned it off manually. I have no additional information about it in my log files!
> > I have no idea how to solve it. Maybe you will have some time to give me a clue about it. I need it very much. And I have another problem with it. I want to change the password using ldappasswd. It requires using LDAPS port 636. When I'm trying to use ldappasswd - or ldapsearch on port 636, the session waits for something and it seems nothing happens, the session just waits. I tried to debug it using ldapsearch with -d. I didn't see any mistakes. I have a feeling that it is connected with ldap.conf (client) but I don't know how to solve it yet. Using ldapsearch on port 389 - everything is fine.
> >
> Can you paste the output of ldappasswd -d 1 to fpaste.org and paste the
> link here?
I solved this problem. I tried to use ldappasswd -x -h localhost -p 636 -D "" -W -b "" and it didn't work. ldappasswd needs a secure connection - so I read some articles and used -Z and -p 389 instead of 636 and everything works fine. Now I can change passwords in my DS using only one command line.
> > Thank you in advance!
14 years, 4 months
LDAP password information update failed: Insufficient access
by Allan Hougham
Hi,
I have a write problem when I change my password.
This is the error:
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testsi.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Insufficient 'write' privilege to the 'userPassword' attribute of entry 'cn=testsi,ou=infraestructura,ou=sistemas,ou=tronador,ou=argentina,dc=ml,dc=com'.
What do I have to do to give myself write permission?
Thanks a lot!
Allan
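The error above is the server's ACI (access control instruction) evaluation refusing a self-write to userPassword. The following is an added illustration, not part of the original post or of 389 DS itself: a deliberately simplified evaluator for the subset of the 389 ACI syntax that matters here (targetattr, allow/deny, userdn of self/anyone/all or an explicit DN, with deny taking precedence), run against the entry DN from the error message and some constructed sample ACIs. The "Allow self password change" ACI is the conventional self-write form; the other two ACIs, the bind DNs and the helper names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Entry DN taken from the error message in the post; everything else below is constructed.
ENTRY_DN = ("cn=testsi,ou=infraestructura,ou=sistemas,ou=tronador,"
            "ou=argentina,dc=ml,dc=com")
OTHER_DN = "cn=someone-else,ou=infraestructura,ou=sistemas,dc=ml,dc=com"  # constructed

# Subset of the 389 DS ACI grammar handled here:
#   (targetattr="a || b")(version 3.0; acl "name"; allow|deny (rights) userdn="ldap:///...";)
# Real ACIs can also carry target, targetfilter, groupdn, ip/dns/timeofday bind rules;
# those are intentionally out of scope for this simplified evaluator.
ACI_RE = re.compile(
    r'^\(targetattr\s*=\s*"(?P<attrs>[^"]+)"\)'
    r'\s*\(version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]+)"\s*;\s*\)$'
)

# Constructed sample ACIs.
SELF_WRITE_PASSWORD = ('(targetattr="userPassword")(version 3.0; acl "Allow self password change"; '
                       'allow (write) userdn="ldap:///self";)')
SELF_READ_ONLY = ('(targetattr="*")(version 3.0; acl "Self read only"; '
                  'allow (read, search, compare) userdn="ldap:///self";)')
DENY_PASSWORD_WRITES = ('(targetattr="userPassword")(version 3.0; acl "No password writes"; '
                        'deny (write) userdn="ldap:///anyone";)')


@dataclass
class Aci:
    name: str
    attrs: List[str]     # ["*"] means every attribute
    effect: str          # "allow" or "deny"
    rights: List[str]    # e.g. ["read", "write"]; "all" covers every right
    userdn: str          # "ldap:///self", "ldap:///anyone", "ldap:///all" or "ldap:///<dn>"


def parse_aci(text: str) -> Aci:
    """Parse one ACI string of the supported form; raise on anything else."""
    m = ACI_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {text!r}")
    return Aci(
        name=m["name"],
        attrs=[a.strip() for a in m["attrs"].split("||")],
        effect=m["effect"],
        rights=[r.strip().lower() for r in m["rights"].split(",")],
        userdn=m["userdn"].strip(),
    )


def _norm(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _subject_matches(aci: Aci, bind_dn: str, target_dn: str) -> bool:
    """Does the ACI's userdn bind rule apply to this bind DN acting on target_dn?"""
    if aci.userdn == "ldap:///anyone":                    # includes anonymous binds
        return True
    if aci.userdn == "ldap:///all":                       # any authenticated bind
        return bind_dn != ""
    if aci.userdn == "ldap:///self":                      # the entry is the bind DN's own
        return bind_dn != "" and _norm(bind_dn) == _norm(target_dn)
    explicit = aci.userdn[len("ldap:///"):] if aci.userdn.startswith("ldap:///") else aci.userdn
    return bind_dn != "" and _norm(explicit) == _norm(bind_dn)


def _attr_matches(aci: Aci, attr: str) -> bool:
    return "*" in aci.attrs or attr.lower() in (a.lower() for a in aci.attrs)


def has_right(acis: List[Aci], bind_dn: str, target_dn: str, attr: str, right: str) -> bool:
    """Default deny; an explicit allow is required and any matching deny wins."""
    allowed = False
    for aci in acis:
        if right not in aci.rights and "all" not in aci.rights:
            continue
        if not _attr_matches(aci, attr) or not _subject_matches(aci, bind_dn, target_dn):
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed


def can_change_own_password(aci_texts: List[str], bind_dn: str) -> bool:
    """Would a self-bound user be allowed to write userPassword on its own entry?"""
    acis = [parse_aci(t) for t in aci_texts]
    return has_right(acis, bind_dn, bind_dn, "userPassword", "write")


if __name__ == "__main__":
    for label, acis in [("no ACI", []),
                        ("read-only ACI", [SELF_READ_ONLY]),
                        ("self-write ACI", [SELF_WRITE_PASSWORD]),
                        ("self-write + deny", [SELF_WRITE_PASSWORD, DENY_PASSWORD_WRITES])]:
        print(f"{label:18s}: {can_change_own_password(acis, ENTRY_DN)}")
```

With no ACI, or with an ACI that only grants read, the evaluator reproduces the refusal from the post; the self-write ACI is what turns it into an allow, and a broader deny on userPassword still overrides it, which is worth checking whenever a default-deny installation is tightened.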
14 years, 4 months
Linked attributes plugin
by Juan Asensio Sánchez
Hi
I am trying to configure the linked attributes plugin, to make it work like
the memberOf plugin, but with the uniquemember attribute instead of the
member attribute. I have found that this plugin is not included in FDS
v1.1.3, but it is in 1.2.2. Which version started to include this plugin? We
have servers with mixed versions.
How will this plugin behave with read-only databases? Will the attribute
memberOf be included in users whose database is configured as "referral on
update", or only in those configured as "backend"?
Regards.
14 years, 4 months
I need some help!
by Dimon
Hi everyone! I'm a beginner with the Fedora Directory (389 project) server, so I hope that you will give me some advice to solve my problem.
I want to synchronize my directory server with Active Directory's users (centos-ds-8.1.0). I read the Red Hat 8.1 manual and had success. But my AD users have Posix attributes (home directory, gidnumber, uidnumber, NIS domain) and they did not synchronize. I've read about the DNA plugin in DS. It's written that I have to check the plugin in my cn=plugins,cn=config and initialize it. I did so. I didn't have success. The problem is: my centos-ds doesn't match the example described in the Red Hat manual.
It's written that I must have parameters such as dnagidnumber, dnauidnumber, dnaNextvalue and others (it is shown in the pictures). I don't have any parameters connected with dna... My LDAP schema doesn't have any dna*, nevertheless the DNA plugin (libdna.so) is present even in my ds-tree. When I filled in the check box in order to configure DNA nothing happened! During synchronization I still have no Posix account activated and the parameters which I need. I use centos-idm-console-1.0.1 in order to manage the server. When I try to turn off the DNA plugin - the server says that "Server in unwilling to perform the operation. Cause the DNA plugin doesn't configure properly" - or something like that. I found a manual about configuring centos-ds with pictures - and as I said (it's written that I have to turn on the DNA plugin - just fill in the check box).
I have no idea how to solve it. Maybe you will have some time to give me a clue about it. I need it very much. And I have another problem with it. I want to change the password using ldappasswd. It requires using LDAPS port 636. When I'm trying to use ldappasswd - or ldapsearch on port 636, the session waits for something and it seems nothing happens, the session just waits. I tried to debug it using ldapsearch with -d. I didn't see any mistakes. I have a feeling that it is connected with ldap.conf (client) but I don't know how to solve it yet. Using ldapsearch on port 389 - everything is fine.
Thank you in advance!
14 years, 4 months
Securing LDAP information on the network
by Kenneth Holter
Hi all.
We'd like to make sure that the LDAP data on our network is encrypted, at
least the data that contains sensitive information. We've set up TLS on
these communication links:
- LDAP client <-> LDAP server (using StartTLS)
- LDAP master <-> LDAP slave
- Web browser <-> Admin server web console (i.e. https)
We have a pretty default installation of the directory server (which btw is
Red Hat Directory Server v8.1.0). To my best knowledge, the links above
should cover all relevant traffic on the network, since the directory
server, admin server and the console are all located on the same physical
server. Does anyone agree or disagree?
Btw, if anyone knows of any nice diagrams that show the different data
links (i.e. information flow) between the directory server components (such
as admin server, console, main console, directory server, and so forth),
please do post a link to them.
Best regards,
Kenneth Holter
14 years, 4 months
LDAPCon 2009
by Ivanov Andrey (M.)
Is there a reason why 389 was absent at the LDAPCon 2009 conference?
14 years, 4 months
Clarkconnect integration?
by Alan McKay
Hey folks, has anyone integrated with Clarkconnect?
Looks like our firewall is running its own LDAP server - I'd much
rather point it at Centos-DS
Google does not seem to bring up much
thanks,
-Alan
--
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"
14 years, 4 months