After much effort I was able to have a Samba PDC going with Fedora Directory Server. Now there are 100 users who are on the OpenLDAP PDC and I need to move them to Directory Server. Is there a tried-and-tested way or tools available for this? Please suggest.
When removing a server instance that has the o=NetscapeRoot with ds_removal,
I get the following error message in 1.2.0:
Error:The server 'ldap://ldap.test.org:389/o=NetscapeRoot' is not
reachable. Error: unknown error
The server directories and configuration seem to be properly removed, but
it looks as if an additional connection attempt is made after the server is
shut down and removed.
Don't remember seeing this before upgrading from 1.1.3. This is not much of
a problem though because the server seems to be removed just fine besides
the trailing error message.
There is no error message when deleting additional instances registered with
the first config directory. Only when removing the config directory itself.
Here's the inf-file used to create the config directory instance.
AdminDomain = test.org
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://ldap.test.org:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
ConfigDirectoryAdminPwd = pwd
SuiteSpotUserID = nobody
FullMachineName = ldap.test.org
InstallLdifFile = suggest
ServerIdentifier = test
ServerPort = 389
AddOrgEntries = No
RootDN = cn=Directory Manager
RootDNPwd = pwd
SlapdConfigForMC = yes
Suffix = dc=test,dc=org
UseExistingMC = 0
AddSampleEntries = No
ServerAdminID = admin
ServerAdminPwd = pwd
SysUser = nobody
Port = 9830
I tried to use http://tinyurl.com/culeft. But the database link doesn't work. I set up the database link to the Active Directory (and OpenLDAP). When I looked into the Wireshark log, FDS sends the search request with controls:
And the AD server responded: Unavailable Critical Extension.
I tried to remove these two controls from Database Link Settings (in the administration console) but it didn't help. The server didn't return the message above, but the administrative console shows an error dialog.
> Michal Rejda wrote:
> > Hi all,
> > I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and
> > Active Directory). I tried two ways, but none of these works:
> > 1) New database link to LDAP server.
> > - The remote LDAP server (OpenLDAP) returns: null. manageDSAit
> > value not found
> You might have to tweak the controls used by chaining - see
> > 2) Create multiple-master replication and setup other server as
> > - But this show error: 255 Replication error acquiring replica:
> > unknown error.
> Replication will only work to a SunDS, not to any other vendor.
> > My question is: Is there a way to set up a proxy to access another
> > server from Fedora DS? I know that is possible to use AD sync, but I
> > cannot install anything on the AD server. The second reason why I need
> > to setup proxy is to use data stored in LDAP server (OpenLDAP, Open
> > Directory Server and Active Directory) in one place. I need to update
> > them too. It is not necessary to synchronize passwords.
> See also
> > Thank you for reply.
> > Regards,
> > Michal
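Added example, not code from the original thread: it encodes and decodes an LDAP request control as it appears on the wire, so the criticality flag behind the "Unavailable Critical Extension" answer from Active Directory is visible, and result_for() models the server's decision. The ManageDsaIT OID is the standard one; the supported-control sets passed to result_for() are assumptions for illustration.

```python
# Added example, not code from the original mail: encode/decode an LDAP request
# control (RFC 4511 4.1.11: SEQUENCE of OID, optional criticality BOOLEAN
# defaulting to FALSE, optional value) to show the criticality flag behind AD's
# "Unavailable Critical Extension" answer: a server must refuse an operation
# carrying an unsupported critical control (resultCode 12) but may ignore an
# unknown non-critical one.
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"   # ManageDsaIT control OID (RFC 3296)
UNAVAILABLE_CRITICAL_EXTENSION = 12         # LDAP resultCode (RFC 4511)

def _ber_len(n):  # short form below 128, long form (0x80 | count, then octets) above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def encode_control(oid, critical=False, value=None):
    """DER-encode one Control; a FALSE criticality is omitted (DEFAULT FALSE)."""
    body = _tlv(0x04, oid.encode("ascii"))
    if critical:
        body += _tlv(0x01, b"\xff")
    if value is not None:
        body += _tlv(0x04, value)
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_control(buf):
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    ctrl = {"oid": oid.decode("ascii"), "critical": False, "value": None}
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        if tag == 0x01:
            ctrl["critical"] = field != b"\x00"
        elif tag == 0x04:
            ctrl["value"] = field
    return ctrl

def result_for(controls, supported_oids):
    # 12 if any critical control is unsupported (AD's answer above), else 0.
    for raw in controls:
        ctrl = decode_control(raw)
        if ctrl["critical"] and ctrl["oid"] not in supported_oids:
            return UNAVAILABLE_CRITICAL_EXTENSION
    return 0
```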
I am struggling with the concatenation of two CA certs. I have two fedora-ds (version 1.0.4, on two RHEL4 boxes) and I have generated two self-signed certificates.
Every time I try to concatenate them one server is not reachable with ldapsearch -Z -xxx 'username'. If I change the order in the cacert.asc file the search request works fine.
I have tried to "cat cacert1.asc >> cacert.asc" and "cat cacert2.asc >> cacert.asc" without any achievement.
Does any of you know how to do it?
Thank you in advance.
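Added example, not code from the original mail: a check that a concatenated bundle such as cacert.asc really contains every CA certificate intact, whichever order they are in, reporting the glued-markers defect that "cat a >> b" produces when the first file lacks a trailing newline. The sample blocks are constructed placeholders (a bare DER SEQUENCE), not real certificates.

```python
# Added example, not code from the original mail: sanity-check a concatenated
# CA bundle such as cacert.asc before pointing ldapsearch at it.  The classic
# defect of building it with "cat cacert1.asc >> cacert.asc" is a first file
# without a trailing newline, which glues "-----END CERTIFICATE-----" and the
# next "-----BEGIN CERTIFICATE-----" onto one line so the second CA is unreadable.
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed placeholder blocks (a bare DER SEQUENCE, not real certificates).
SAMPLE_OK = f"{BEGIN}\nMAMCAQE=\n{END}\n{BEGIN}\nMAMCAQI=\n{END}\n"
SAMPLE_GLUED = f"{BEGIN}\nMAMCAQE=\n{END}{BEGIN}\nMAMCAQI=\n{END}\n"

def _finish(body_lines, problems, lineno):
    """Decode one PEM block; return the DER bytes or None if it is unusable."""
    try:
        der = base64.b64decode("".join(body_lines), validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        problems.append(f"line {lineno}: block has corrupt base64")
        return None
    if not der or der[0] != 0x30:            # X.509 Certificate is a DER SEQUENCE
        problems.append(f"line {lineno}: block does not decode to a DER SEQUENCE")
        return None
    return der

def parse_bundle(text):
    """Return (list of DER certs, list of problem strings) for a PEM bundle."""
    certs, problems, body, inside = [], [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(END) and line.endswith(BEGIN):
            problems.append(f"line {lineno}: END and BEGIN markers are glued "
                            "together (previous file had no trailing newline)")
            certs.append(_finish(body, problems, lineno))  # recover both blocks
            body, inside = [], True
        elif line == BEGIN:
            if inside:
                problems.append(f"line {lineno}: BEGIN inside an unterminated block")
            body, inside = [], True
        elif line == END:
            if inside:
                certs.append(_finish(body, problems, lineno))
            else:
                problems.append(f"line {lineno}: END without a BEGIN")
            inside = False
        elif inside and line:
            body.append(line)
    if inside:
        problems.append("bundle ends inside an unterminated block")
    return [c for c in certs if c is not None], problems
```

A bundle is usable only when parse_bundle() reports no problems and returns as many certificates as you concatenated.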
I am looking to use the Directory Server Admin Console similar to how
the Active Directory Users and Computers tool is used.
More specifically I would like to create an administrative group with
permission to perform certain functions such as reset user passwords and
change certain other attributes. I would like to login to the console
with these users instead of Directory Manager or admin to limit the
access and damage that can be done.
I have created a group of users with full access to my suffix with
ability to add and remove objects. I can do pretty much any operation
with ldapmodify, ldapadd, ldapdelete from the command line.
However I cannot login to the Directory server console with these users
to admin the directory.
If I login as Directory Manager to the admin console and then select
"login as new user" I am able to login with the users, however the
Directory is not visible. I do not have the correct access somewhere.
How can I configure FDS to allow these users to admin the directory in a
limited role? I am assuming I need to set ACIs in certain places to
allow logging into the FDS admin server console.
I am assuming this is possible. I am able to access with a third party
tool but would like to use the FDS admin console.
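Added example, not code from the original mail or from the project: HELPDESK_ACI is an aci value in the server's real syntax for the "reset user passwords" part of the delegated role, and evaluate() is a deliberately reduced model of the server's decision (default deny, targetattr scoping, groupdn bind rule, deny overriding allow) used to show why the targetattr scope is what keeps the role limited. The DNs and group name are placeholders, and the console-visibility part of the question is not covered here.

```python
# Added example, not code from the original mail. HELPDESK_ACI is written in the
# server's real ACI syntax (an "aci" attribute value you would add to the suffix
# entry with ldapmodify); evaluate() is a deliberately reduced model of the
# server's decision, enough to show why scoping targetattr is what keeps the
# delegated role limited: nothing is allowed unless an ACI grants it, a rule only
# applies to attributes in its targetattr list, and only to binders who satisfy
# its groupdn bind rule.  DNs and the group name are placeholders, and the
# console-visibility part of the question is not covered here.
import re

HELPDESK_ACI = (
    '(targetattr = "userPassword")'
    '(version 3.0; acl "Helpdesk may reset passwords"; '
    'allow (write) groupdn = "ldap:///cn=Helpdesk,ou=Groups,dc=example,dc=com";)'
)
_ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"([^"]+)"\)\s*\(version 3\.0;\s*acl\s*"([^"]+)";\s*'
    r'(allow|deny)\s*\(([^)]+)\)\s*groupdn\s*=\s*"ldap:///([^"]+)";\s*\)')

def parse_aci(aci):
    """Split one targetattr/groupdn ACI into its parts (other forms rejected)."""
    m = _ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError("unsupported ACI form: " + aci)
    return {"targetattr": [a.strip().lower() for a in m.group(1).split("||")],
            "name": m.group(2), "effect": m.group(3),
            "rights": [r.strip().lower() for r in m.group(4).split(",")],
            "groupdn": m.group(5).lower()}

def evaluate(acis, bind_dn, groups, attr, right):
    """Would `bind_dn` get `right` on `attr`?  groups maps group DN -> member DNs
    (what the server resolves from the group entry).  Default deny; an explicit
    deny rule that applies overrides any allow."""
    members = {g.lower(): {m.lower() for m in ms} for g, ms in groups.items()}
    allowed = False
    for rule in map(parse_aci, acis):
        applies = (attr.lower() in rule["targetattr"]
                   and right.lower() in rule["rights"]
                   and bind_dn.lower() in members.get(rule["groupdn"], set()))
        if applies and rule["effect"] == "deny":
            return False
        allowed = allowed or applies
    return allowed
```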
Sorry for answering so late...
One major reason in choosing RHDS was the RFC compliance and
There are two features which should be very interesting
* AD/RHDS map attribute configuration (even simple)
* multiple script programming (API for PHP, Java, Perl) for plug-ins
Hoping it's not ridiculous...
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel: 02 38 49 95 88
Would like to see additional monitoring flexibility for SNMP: when configuring multiple DS instances with the same port on a single multihomed host, monitoring information is aggregated by port in the monitoring, not by instance and port.
Please provide more information on deprecation of certmap.conf. Need flexibility to not rely on dn in cert mapping to anything in directory and rely on successful tls mutual authentication and truststore configuration.
Script to provide index analysis based on data in the directory to provide the following info:
Search performance efficiency of index and index type based on return limits, and scanidslistlimit.
Compressed ldif(gzip) capability for export, import, and initialization usage.
From: Rich Megginson <rmeggins(a)redhat.com>
Sent: Thursday, April 09, 2009 7:23 PM
To: General discussion list for the Fedora Directory server project. <fedora-directory-users(a)redhat.com>
Subject: Re: [Fedora-directory-users] Proposed new features for 1.3
Andrey Ivanov wrote:
> I continue with my list
Thanks - I've added many of these to the list - questions below.
> * the server should be able to return the members of dynamic groups
> "on the fly" as if it were real members, the membership attribute
> should be configurable - uniqueMember, member or another
I put this on the Future list:
Dynamic group expansion
* Define a dynamic group, and have the member/uniqueMember attribute
of this group automatically be populated by the server
* clients can then just search for member like with a regular static
> * support of other virtual attributes generated "on the fly"
Can you explain this a little more?
> * pam passthrough plug-in should take into account at least the
> account activation/deactivation (bug *470684*
> <https://bugzilla.redhat.com/show_bug.cgi?id=470684> ). There is a
> comment about some additional useful features in the README file of
> this plug-in :
> We need to worry about account expiration or lockout e.g. the user's
> credentials are valid but the user has been locked out of his/her
> account, or the password has expired, or something like that. Some of
> this can be handled by LDAP e.g. returning password policy control
> values when the password has expired.
> * a way to synchronise the configuration of indexes (each time we add
> an index on one of the replicated servers we need to make it manually
> on all the others) and some other parameters in "cn=config" between
> the replicated servers (a little like the "configuration" partition
> in active directory), the schema changes are already replicated which
> is very good
I'm calling this feature "Configuration replication" - I think it could
be useful for other sorts of configuration.
> * enforced attribute syntax validation
Already on the list - Syntax validation checking
> * re-verify and validate conformance of the syntaxes, case sensitivity
> and their matching rules to RFC
Already on the list
> * unix socket autobind still does not seem to work (ldapi) -
> It could be very useful for various maintenance scripts running on the
We tested this with 1.2.0 and it seems to work. You tested a build from
source? Did you use --enable-autobind with configure? Did you restart
the server after configuring your autobind and sasl mapping?
> * verification of the server from the viewpoint of memory leaks. The
> size of the memory used by the server grows with time (normally we
> don't restart the server during several months, so i can follow the stats)
We regularly run the server test suite with valgrind enabled. I'm not
aware of any per connection or per operation leaks. What exactly are
> * logconv.pl - very useful script, add some more options/ adjustments
> (for example, a switch to hide unindexed searches in verbose mode). We
> use it as logwatch.
> * a perl script to show the replication statistics (there is one for
> the web page generation statistics, something more basic, text-only
> would be very welcome) in text mode - to receive the reports by mail
> once per day like logwatch for example
What sort of information are you looking for? ldapsearch can provide
most of the useful information.
> * regular expressions in ACIs (i know, it is very difficult to do, so
> maybe somewhere in the timescale of the version 10.0 ? :)) - for
> example, allow a user to add or modify a value just in case the new
> value matches the regex. Or the group or dn of the user matches the
You can do some of that currently with targetattrfilters - see
We added support in 1.2.0 to allow you to specify group membership with
LDAP search specifications, which does allow some wildcarding, so that
might help too.
> * simplify the creation of new syntaxes and their validation/
> enforcement (version 11.0? :))
Can you elaborate?
> * virtual views allowing to map not only the trees but also the
> attributes ('cn' instead of 'uid' in a subtree, for example)
Can you elaborate?
> * enable regex in certmap.conf for mapping the CNs of the certificates
> during the certificate authentication of users
This is on the list as
Get rid of certmap.conf - use SASL mapping (cert auth is really just
The sasl mapping code uses regular expressions
> Other than that i just want to emphasize the great job you are doing
> adding new features and especially the fantastic reactivity in fixing
> some critical server bugs (usually it takes only one or two days to
> have the necessary diff in bugzilla!)
> Thank you and please continue the development of this directory server!
And thank you for your suggestions.
> Thanks - I've added these notes to
> Anyone else? C'mon - surely you have an opinion about a new
> Thanks for all your hard work on this!
I'm trying to setup proxy on FDS to another LDAP server (OpenLDAP and Active Directory). I tried two ways, but none of these works:
1) New database link to LDAP server.
- The remote LDAP server (OpenLDAP) returns: null. manageDSAit control value not found
2) Create multiple-master replication and setup other server as consumer.
- But this shows error: 255 Replication error acquiring replica: unknown error.
My question is: Is there a way to set up a proxy to access another LDAP server from Fedora DS? I know that is possible to use AD sync, but I cannot install anything on the AD server. The second reason why I need to setup proxy is to use data stored in LDAP server (OpenLDAP, Open Directory Server and Active Directory) in one place. I need to update them too. It is not necessary to synchronize passwords.
Thank you for reply.