LDAP to samba password synchronization
by John A. Sullivan III
Hello, all. Several hours of googling and testing have not solved my
problem. We are using Directory Server as our authentication mechanism
for as much as possible in our environment. So far, we have integrated
all our Linux servers, synchronized with AD, and are using it for
Zimbra.
We have just implemented a standalone SAMBA server and are having
trouble synchronizing passwords. I see plenty of examples of how to
have changes made using smbpasswd passed to the posix password in LDAP.
But that's not what we want. We want users (some of whom use SAMBA and
some of whom do not) to have a single place to change their password.
The users are all KDE. Changing their passwords in the KDE control
module for security changes everything brilliantly EXCEPT SAMBA.
How do we make password changes executed by the users or by the LDAP
admin in idm-console propagate to the SAMBA password attributes? Thanks
- John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
14 years, 11 months
Schema Question
by Hartmann, Tim
Does anyone have any recommendations for which schema might be
appropriate to use for Terminations/End of contract/Expiration dates
for user accounts? I did some looking, but didn't see anything that
jumped out at me....
Thanks
Tim
14 years, 11 months
CentOS5 Desktops authenticating to 389 Directory Server
by Clint Dilks
Hi Everyone.
I am doing some LDAP testing. I have set up a 389 Directory Server on
CentOS 5 and, using the default schema, I have populated it with a couple
of users. I then did the configuration on the client that I thought was
needed to make it authenticate.
To test this I expected to be able to use id <uidNumber> of a user I had
defined.
But I get
id: 1001: No such user
id: 5001: No such user
I then thought perhaps it was an LDAP permissions problem, so I tried
binding to the LDAP server using a user I know has full rights, using
these entries in /etc/openldap/ldap.conf; there was no change.
BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
BINDPW LDAPt3st
I can query these users from a desktop that I want to use the LDAP
server as an authentication source.
Using
ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=LDilks
# extended LDIF
#
# LDAPv3
# base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
# filter: uid=LDilks
# requesting: ALL
#
# LDilks, People, scms.waikato.ac.nz
dn: uid=LDilks,ou=People, dc=scms, dc=waikato, dc=ac, dc=nz
givenName: LDAP-Clint
sn: Dilks
telephoneNumber: 4546
loginShell: /bin/bash
gidNumber: 1001
uidNumber: 1001
mail: clintd(a)scms.waikato.ac.nz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: LDilks
gecos: A Test LDAP account
cn: LDAP-Clint Dilks
homeDirectory: /home/LDAP-clint
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@distilled2 ~]# ldapsearch -x -H ldap://distilled.scms.waikato.ac.nz -b dc=scms,dc=waikato,dc=ac,dc=nz uid=BBuilder
# extended LDIF
#
# LDAPv3
# base <dc=scms,dc=waikato,dc=ac,dc=nz> with scope subtree
# filter: uid=BBuilder
# requesting: ALL
#
# BBuilder, scms.waikato.ac.nz
dn: uid=BBuilder,dc=scms, dc=waikato, dc=ac, dc=nz
givenName: Bob
sn: Builder
loginShell: /bin/bash
uidNumber: 5001
gidNumber: 5001
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: BBuilder
gecos: Got to love Cartoons
cn: Bob Builder
homeDirectory: /home/bob
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
The three config files I am aware of are
cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://distilled.scms.waikato.ac.nz
BASE dc=scms.dc=waikato,dc=ac,dc=nz
#BINDDN cn=admin,dc=scms,dc=waikato,dc=ac,dc=nz
#BINDPW LDAPt3st
TLS_CACERTDIR /etc/openldap/cacerts
cat /etc/nsswitch.conf | grep -v '^#' | grep -v '^$'
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Can anyone give me any pointers as to where I am going wrong? And can
anyone confirm or deny that by default I should be able to bind
anonymously and get the required authentication information?
Thank you for any help you can offer.
14 years, 11 months
Console unavailable after failed login
by John A. Sullivan III
Hello, all. We normally access idm-console via ssh to our ldap servers.
I find that, if I mistype the password, I am not offered an opportunity
to re-type it. The application seems to hang. If I kill it and launch
again, I get no screen. If I then try to restart dirsrv-admin, it shuts
down right away but then takes forever to start.
Has anyone else noticed this behavior? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
14 years, 11 months
Errors installing PKI Clone / chicken or egg question
by Michael Mercier
Hello,
Note: I have cross posted this because it seems to be related to both
applications.
The steps I have taken:
1. Install fedora 10 on 2 servers (service-1, service-2)
2. run yum update on both systems
3. on service-1 and service-2
a) yum install fedora-ds
b) setup replication agreement for
i) o=NetscapeRoot
ii) userRoot
Everything at this point seems to be fine.
4. on service-1 yum install pki-ca
a) run through setup screens
i) Create new security domain
ii) Configure this Instance as a New CA Subsystem
iii) Make this a Self-Signed Root CA within this new PKI hierarchy
iv) use 'localhost' for internal database
v) use defaults for rest of screen (exporting pkcs12)
b) pki-ca looks like it is running fine
5. on service-2 yum install pki-ca
a) run through setup screens
i) Join an Existing Security Domain (pointing to service-1:9444)
ii) type username / password
iii) chose to clone a system (only one option in drop down for service-1)
iv) import keys
v) use 'localhost' for internal database
At this point, the installation seems to hang... (see
/var/log/pki-ca/debug for what it is waiting for)
Should I not be using 'localhost' for the internal database?
An additional question:
When running through the setup for dogtag, you have the option of
using ssl for communication. What if you want to use your dogtag CA
(which you are setting up) to sign the ldap certificate?
I have the following in my logs:
Service-1:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:30 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389):
Replication bind with SIMPLE auth failed: LDAP error 32 (No such
object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:31 -0400] NSMMReplicationPlugin -
agmt="cn=masterAgreement1-service-2-pki-ca" (localhost:389):
Replication bind with SIMPLE auth failed: LDAP error 32 (No such
object) ()
[21/May/2009:12:13:31 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:35 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:41 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:13:53 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
[21/May/2009:12:14:17 -0400] slapi_ldap_bind - Error: could not read
bind results for id [cn=Replication Manager
cloneAgreement1-service-2-pki-ca,cn=config] mech [SIMPLE]: error 32
(No such object)
Service-2:
/var/log/dirsrv/slapd-TEST/errors
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allInvalidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allInValidCertsNotBefore-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allNonRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedOrRevokedExpiredCaCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allRevokedOrRevokedExpiredCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: allValidCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allValidCertsNotAfter-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
allValidOrRevokedCerts-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caAll-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caCanceled-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCanceledRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caComplete-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteEnrollment-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteRenewal-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV:
caCompleteRevocation-pki-caIndex
[21/May/2009:12:13:29 -0400] - pki-ca: Indexing VLV: caEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caPending-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caPendingRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRejected-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedEnrollment-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV:
caRejectedRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRenewal-pki-caIndex
[21/May/2009:12:13:30 -0400] - pki-ca: Indexing VLV: caRevocation-pki-caIndex
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=certificaterepository,ou=ca,dc=pki-ca'; entry
ou=certificaterepository,ou=ca,dc=pki-ca may not be added to the
database yet.
[21/May/2009:12:13:30 -0400] - info: entrydn not indexed on
'ou=ca,ou=requests,dc=pki-ca'; entry ou=ca,ou=requests,dc=pki-ca may
not be added to the database yet.
[21/May/2009:12:13:30 -0400] - pki-ca: Finished indexing.
[21/May/2009:12:13:30 -0400] NSMMReplicationPlugin -
agmt="cn=cloneAgreement1-service-2-pki-ca" (service-1:389): Replica
has a different generation ID than the local data.
/var/log/pki-ca/debug - this is what shows up continuously
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel
comparetAndWaitEntries checking ou=people,dc=pki-ca
[21/May/2009:12:21:02][http-9444-Processor25]: DatabasePanel
comparetAndWaitEntries ou=people,dc=pki-ca not found, let's wait!
Thanks,
Mike
14 years, 11 months
[fedora-directory-users] NSMMReplicationPlugin messages in errors log
by Michael Mercier
Hello,
I am getting the following error on both ends of a replication
agreement. The replication agreement is for the fedora dogtag CA
application.
Note: I had to manually do a few things to get it to work; the
automated cloning was failing to set up the replication agreement.
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set
referrals for replica dc=<dogtag dc>: 1
Note: Dogtag and fedora-ds are running on the same systems:
Server-1 - fedora-ds and dogtag
Server-2 - fedora-ds and dogtag clone
Replication agreements between the systems for:
o=NetscapeRoot
userRoot
dogtag dc
The error *only* appears for the dogtag dc.
In my dse.ldif, I do notice that there is only one nsslapd-referral
for the dogtag dc (for server-1 to server-2)
Server-1
dn: cn="dc=<dogtag dc>",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=<dogtag dc>
cn: "dc=<dogtag dc>"
nsslapd-backend: pki
nsslapd-state: Backend
creatorsName: cn=directory manager
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20090520160944Z
modifyTimestamp: 20090520162351Z
nsslapd-referral: ldap://server-2.internaldomain:389/dc%3D<dogtag dc>
numSubordinates: 1
Server-2
dn: cn="dc=<dogtag dc>",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=<dogtag dc>
cn: "dc=<dogtag dc>"
nsslapd-backend: pki
nsslapd-state: Backend
creatorsName: cn=directory manager
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20090520165422Z
modifyTimestamp: 20090520180434Z
numSubordinates: 1
Searching google doesn't really point to an explanation (or solution)
to the error messages.
Is it safe to do an ldapmodify to add the entry on Server-2?
Thanks,
Mike
14 years, 11 months
DNA not working?
by Dmitry Amirov
Hello.
I have a problem with the DNA plugin.
I have installed it in accordance with the documentation and have done:
1)
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
2)
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=People, dc=aqua
dnanextvalue: 1
dnaMaxValue: 1300
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=aqua
dnathreshold: 100
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
After that the server was restarted and I tried to add a new posixAccount
entry.
dn: uid=jsmith, ou=people,dc=aqua
objectClass: top
objectClass: person
objectClass: posixAccount
uid: jsmith
cn: John Smith
sn: Smith
homeDirectory: /home/smith
gidNumber: 123
So, DNA is not working, with this error:
adding new entry uid=jsmith, ou=people,dc=aqua
ldap_add: Object class violation
ldap_add: additional info: missing attribute "uidNumber" required by
object class "posixAccount"
Please help with DNA. It's very important for me. Now I am using clean
openldap+smbldap-tools, but I want to migrate to FDS.
Thanks a lot.
14 years, 11 months
How to unlock a busy replica
by DANIEL CRISTIAN CRUZ
Hi all,
Sometimes our consumer server gets the status "Busy Replica", with only one
master.
How can I unlock the Suffix/Database on the consumer server?
I read many pages in the reference and admin manuals, and didn't find anything.
Regards,
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Telephone: 48-3239-1422 (extension 1422)
14 years, 11 months
what are components of FDS?
by Kỳ Anh, Huỳnh
Hi all,
I am going to install FDS on a FreeBSD jail. This means that FDS will use the FC8 compatibility mode which is provided by FreeBSD 7.2. I downloaded the binary version of FDS 1.04 (fedora-ds-1.0.4-1.FC6.i386.opt.rpm) and my initial installation worked perfectly. This is only a *test* and now I'd like to install the latest version of FDS. I searched at
http://directory.fedoraproject.org/yum/dirsrv/fedora/
but there were so many packages that I got confused. I'd like to know:
(1) what are the components of FDS 1.2.0 and what files should I download to get FDS working in FC8? (If FDS binaries work on FC8 they should work on a FreeBSD jail ;)
(2) is it necessary to start the web interface of FDS? I would just like to set up an LDAP database and then run everything from the command line without touching a web browser (yes I hate GUI). If this is the case I will run only the FDS service and have nothing to do with the Apache/Java requirements of FDS. In fact I don't want to install any web servers on my FDS server.
Your help is highly appreciated. And if you have ever experienced FDS on FreeBSD please give me some advice!
Regards,
--
Ky Anh, Huynh
Homepage: http://viettug.org/
14 years, 11 months