HOWTO For A Newbie
by Gene Poole
Does anyone know of a howto for FDS where it's a new installation and
you're not migrating from any existing platform? In other words, a how-to
from the very beginning?
Thanks,
Gene Poole
14 years, 11 months
domain vs organizationalUnit+dcObject
by vu pham
Trying to practise LDAP myself, I changed the top LDIF entry (top
container) from "domain" to organizationalUnit+dcObject as follows:
1. Using objectclass domain:
dn: dc=xen2vm1,dc=example,dc=com
objectClass: top
objectClass: domain
dc: xen2vm1
[... other entries ... for users ]
2. Using objectclass organizationalUnit
dn: dc=xen2vm1,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
objectclass: dcObject
ou: xen2vm1.example.com
dc: xen2vm1
[... other entries ... for users ]
In both cases, other entries below dc=xen2vm1,dc=example,dc=com are the
same.
In the first case, the command "ldapsearch -x -b
dc=xen2vm1,dc=example,dc=com -h xen2vm1.example.com" returns all other
entries.
In the second case the above command returns no errors and nothing at all.
I am new to LDAP and cannot figure out what's wrong with the 2nd case.
Any advice is greatly appreciated.
Vu
14 years, 11 months
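Before importing a suffix entry like the two above, it is worth checking it mechanically: exactly one structural object class, every MUST attribute of each listed class present, and the RDN value (dc=xen2vm1) actually present as an attribute of the entry. The checker below is an added example, not code from the post; its SCHEMA table is a hand-built subset covering only the classes the post uses, and its LDIF parser handles plain "attr: value" lines (no base64 or folded lines). Both posted entries pass, which rules out the shape of the entry and points the investigation at whether the second import actually succeeded.

```python
"""Sanity-check the suffix (top container) entry of an LDIF before importing it.

Added example, not code from the original post. SCHEMA is a hand-built subset
(assumption) covering only the object classes used in the two posted entries;
the parser handles plain 'attr: value' LDIF without base64 values or folding.
"""

# Constructed subset of the standard schema: objectClass -> (kind, MUST attributes).
SCHEMA = {
    "top": ("ABSTRACT", set()),
    "domain": ("STRUCTURAL", {"dc"}),
    "organizationalunit": ("STRUCTURAL", {"ou"}),
    "dcobject": ("AUXILIARY", {"dc"}),
}


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) for each entry in text."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # a blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_entry(dn, attrs):
    """Return the list of schema problems found in one entry ([] means consistent)."""
    problems = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        problems.append("unknown objectClass(es): " + ", ".join(unknown))
    structural = [c for c in classes if c in SCHEMA and SCHEMA[c][0] == "STRUCTURAL"]
    if len(structural) != 1:
        problems.append("expected exactly one structural objectClass, found %d" % len(structural))
    # every MUST attribute of every listed class has to be present
    for c in classes:
        for must in SCHEMA.get(c, ("", set()))[1]:
            if must not in attrs:
                problems.append("objectClass %s requires attribute %s" % (c, must))
    # the RDN's attribute=value pair must appear in the entry itself
    # (simple split: no escaped commas in the DN, as in the posted entries)
    rdn = dn.split(",", 1)[0]
    rdn_attr, _, rdn_value = rdn.partition("=")
    present = [v.lower() for v in attrs.get(rdn_attr.strip().lower(), [])]
    if rdn_value.strip().lower() not in present:
        problems.append("RDN %s is not present as an attribute value" % rdn)
    return problems


def check_ldif(text):
    """Map each DN in the LDIF to its list of problems."""
    return {dn: check_entry(dn, attrs) for dn, attrs in parse_ldif(text)}


# The two suffix entries from the post, reproduced as constructed input.
CASE_1 = """\
dn: dc=xen2vm1,dc=example,dc=com
objectClass: top
objectClass: domain
dc: xen2vm1
"""

CASE_2 = """\
dn: dc=xen2vm1,dc=example,dc=com
objectclass: top
objectclass: organizationalunit
objectclass: dcObject
ou: xen2vm1.example.com
dc: xen2vm1
"""

# A constructed broken variant: dcObject listed but the dc attribute left out.
BROKEN = """\
dn: dc=xen2vm1,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: dcObject
ou: xen2vm1.example.com
"""

if __name__ == "__main__":
    for label, ldif in (("domain", CASE_1), ("ou+dcObject", CASE_2), ("broken", BROKEN)):
        for dn, problems in check_ldif(ldif).items():
            print(label, dn, problems or "OK")
```

Running it reports OK for both posted entries and two problems for the broken variant (the missing dc required by dcObject, and the RDN value dc=xen2vm1 absent from the entry), which is exactly the kind of mismatch a server rejects at import time rather than at search time.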
PAM-LDAP LDAPS (Linux Login) with PAM-LDAP using a client certificate
by lambam80@hotmail.com
Hello everybody and, firstly, thanks for your continued support.
I hope I've used the correct expression/jargon, i.e. PAM-LDAP?
PAM-LDAP works with LDAPS and binding with cn=Directory Manager/password hardcoded in /etc/ldap.conf - great stuff.
This was configured using the GUI '/usr/sbin/system-config-authentication' - also great stuff !
Symbolic Link pointing to the CA certificate: Q1. I've searched the web but cannot find what purpose the symbolic link serves.
----------------------------------------
# ls -toalr /etc/openldap/cacerts
-rw-r--r-- 1 root 1464 2009-03-10 12:21 authconfig_downloaded.pem
lrwxrwxrwx 1 root 25 2009-03-10 12:21 123a856c.0 -> authconfig_downloaded.pem
Client Certificate etc.
--------------------------
I'm now experimenting with client certificates and have found the following link:
http://lists.fini.net/pipermail/ldap-interop/2005-April/000421.html
and see the following example lines for the file /etc/ldap.conf:
tls_cert /usr/share/ssl/certs/ldap.pem ($FN.pem in my case)
tls_key /usr/share/ssl/certs/ldap.key.pem ($FN.key for me)
Q2. ldap.key.pem: Is this file simply the $FN.key file created by the following command ?
Will I have trouble if I specify '-passout' ? I assume it protects the file $FN.key.
How will PAM-LDAP open the keystore if I have used a password ?
openssl req -newkey rsa:1024 -keyout ${FN}.key -out ${FN}.csr -passout pass:<password> 0<< EOF >/dev/null 2>&1
<SNIP>
Q3. ldap.pem: Is this file simply the $FN.pem file created by the following command ?
openssl ca -in ${FN}.csr -out ${FN}.pem -days 7300 -keyfile $DIR/demoCA/private/cakey.pem \
-cert $DIR/demoCA/cacert.pem \
-passin pass:<CA PASSWORD> << EOF2 >/dev/null 2>&1
<SNIP>
Thanks again, cdlt,
-----------
14 years, 11 months
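Two facts bear on the questions above. The 123a856c.0 symlink is OpenSSL's hash-directory lookup format: a CA directory (tls_cacertdir) is searched by a hash of the certificate's subject name plus a numeric suffix, so the link lets the library find authconfig_downloaded.pem without reading every file. And "-passout" encrypts the private key under a passphrase; a PAM or NSS client has nobody to type that passphrase at bind time, so the key handed to tls_key has to be unencrypted and protected by file permissions instead (openssl rsa -in protected.key -out plain.key writes the unencrypted form). The audit below is an added example, not code from the post or from nss_ldap/pam_ldap: it reads an ldap.conf and the PEM files it points to (passed in as strings, with constructed placeholder paths, host and key bodies) and reports a passphrase-protected tls_key, a missing or mistyped file, and a Directory Manager password sitting in the client config. It tolerates the human-readable text that "openssl ca -out" writes before the BEGIN line.

```python
"""Audit the client-certificate settings in an nss_ldap/pam_ldap style
/etc/ldap.conf and the PEM files they point to.

Added example, not code from the original post. File contents are passed in as
strings so it runs offline; the config lines, paths and PEM bodies below are
constructed placeholders, not real hosts or keys.
"""
import re

# One PEM block: the label and everything between the BEGIN/END armour lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_ldap_conf(text):
    """Return {option_lowercase: value} for 'option value' lines, skipping comments."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts


def pem_blocks(text):
    """Return [(label, {header: value})] for each PEM block; RFC 1421 headers
    such as Proc-Type/DEK-Info precede the base64 body and contain a colon."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        headers = {}
        for line in match.group(2).strip().splitlines():
            if ":" not in line:          # first base64 line: headers are over
                break
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        blocks.append((match.group(1), headers))
    return blocks


def key_is_passphrase_protected(pem_text):
    """True for a PKCS#8 'ENCRYPTED PRIVATE KEY' or a traditional OpenSSL key
    written with -des3/-passout (Proc-Type: 4,ENCRYPTED header)."""
    for label, headers in pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and headers.get("Proc-Type") == "4,ENCRYPTED":
            return True
    return False


def audit_client_tls(conf_text, files):
    """files maps path -> contents. Returns a list of findings ([] means nothing to fix)."""
    opts = parse_ldap_conf(conf_text)
    findings = []
    if opts.get("bindpw") and "directory manager" in opts.get("binddn", "").lower():
        findings.append("bindpw is set for cn=Directory Manager: the client config carries the "
                        "directory superuser's password; bind with a low-privilege account")
    cert_path, key_path = opts.get("tls_cert"), opts.get("tls_key")
    if not (cert_path and key_path):
        findings.append("tls_cert and tls_key must both be set for client-certificate authentication")
        return findings
    cert, key = files.get(cert_path), files.get(key_path)
    if cert is None:
        findings.append("tls_cert file missing: " + cert_path)
    elif not any(label == "CERTIFICATE" for label, _ in pem_blocks(cert)):
        findings.append("tls_cert holds no PEM CERTIFICATE block: " + cert_path)
    if key is None:
        findings.append("tls_key file missing: " + key_path)
    elif not any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(key)):
        findings.append("tls_key holds no PEM private key: " + key_path)
    elif key_is_passphrase_protected(key):
        findings.append("tls_key is passphrase-protected: an unattended PAM/NSS client cannot "
                        "answer a passphrase prompt, so store it unencrypted and protect it "
                        "with file permissions instead")
    return findings


# Constructed sample inputs (placeholder paths, host and PEM bodies).
CONF = """\
# constructed /etc/ldap.conf sample
uri ldaps://ldap.example.test/
base dc=example,dc=test
binddn cn=Directory Manager
bindpw PLACEHOLDER-not-a-real-password
ssl on
tls_cacertdir /etc/openldap/cacerts
tls_cert /etc/openldap/client.pem
tls_key /etc/openldap/client.key
"""
CERT = "Certificate:\n  (text dump as written by openssl ca)\n-----BEGIN CERTIFICATE-----\nPLACEHOLDERbase64==\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERbase64==\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nPLACEHOLDERbase64==\n"
                 "-----END RSA PRIVATE KEY-----\n")
PKCS8_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDERbase64==\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    files = {"/etc/openldap/client.pem": CERT, "/etc/openldap/client.key": ENCRYPTED_KEY}
    for finding in audit_client_tls(CONF, files) or ["no findings"]:
        print("-", finding)
```

With the passphrase-protected key the audit returns two findings (the Directory Manager password and the encrypted key); with the plain key only the password finding remains.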
Replication failure
by Emmanuel BILLOT
Hi,
There is a strange behaviour on our FDS servers...
We want to replicate a 12000-entry database between 2 FDS. At the
replication agreement end, we've got an "Unwilling to perform" with "
[13/May/2009:00:19:56 +0200] NS7bitAttr - ADD begin
[13/May/2009:00:19:56 +0200] NS7bitAttr - ADD
target=cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config
[13/May/2009:00:19:56 +0200] NSMMReplicationPlugin -
agmtlist_add_callback: Can't start agreement
"cn=t,cn=replica,cn=dc=ird\,dc=fr,cn=mapping tree,cn=config"
"
in the log...
When the database is empty, the replication agreement creation works!!!
How is it possible ?
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================
14 years, 11 months
Schema SYNTAX question for 389.
by Techie
Hello,
The uid attribute referenced in 01common.ldif shows as having a syntax of
1.3.6.1.4.1.1466.115.121.1.15, or case insensitive, which is what I want.
However memberUid referenced in 10rfc2307.ldif shows as having a syntax of
1.3.6.1.4.1.1466.115.121.1.26, or case sensitive, which is cramping my
style a bit and leading to inconsistencies in the returns of the
groups command amongst other things.
For example I may have a user uid=joe_doe and he is listed in the posixGroup
cn=celtics as memberUid: Joe_Doe
and listed in the posixgroup
cn=cavs as memberUid: joe_doe.
He will only be returned as being a member of cavs and not celtics
when I use the groups command.
My belief is that this is due to the
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 setting for memberUid.
Sound about right?
I am curious to know if this is configurable. Can I modify the syntax
for memberUid to be case insensitive as uid is by switching the SYNTAX
from
1.3.6.1.4.1.1466.115.121.1.26 (case sensitive) to
1.3.6.1.4.1.1466.115.121.1.15 (case INsensitive)?
What are the repercussions on the various groups/users I have already
existing in the directory?
Will I have to delete and recreate my indexes if I do this?
thx
14 years, 11 months
windows replication directory subtree problems
by Jeff Gamsby
I am having issues replicating with a 'sub' dc and an AD host.
example:
base dn of FDS server: dc=example,dc=com
I want to use a windows sync agreement for a 'sub' dc
(dc=sales,dc=example,dc=com) on the FDS server to
dc=sales,dc=example,dc=com on the AD side
The FDS logs show that it gets confused when trying to sync
It appears as if the 'replicated subtree' (dc=example,dc=com), which
cannot be changed, should in fact be dc=sales,dc=example,dc=com.
Does that make sense?
Is this possible?
Thanks
--
Jeff Gamsby
14 years, 11 months
Case sensitivity and FC9 389 DS packages.
by James Chavez
Hello Rich, List,
I have two inquiries.
The first is regarding case sensitivity.
I have the sudoers file centralized in LDAP (389) in one of the plants that
I support. I have users listed by their uid as sudoUsers under the sudo
roles.
Now if the uid is listed as Joe_Montana and I log in as Joe_Montana then the
entry is recognized correctly by the sudo functions.
If I log in as joe_montana the sudo functions fail.
Is there a way to force 389 to be case insensitive so that username or UIDs
are recognized regardless of case?
I found these entries in dse. Can these be edited to force case
insensitivity?
nsslapd-return-exact-case: on
dn: cn=Case Exact String Syntax,cn=plugins,cn=config
cn: Case Exact String Syntax
dn: cn=Case Ignore String Syntax,cn=plugins,cn=config
cn: Case Ignore String Syntax
Secondly, it seems the Fedora 9 newkey updates repo is broken. I upgraded all
of our installations to the newest packages 2 to 3 weeks ago and I am
wondering if these are still the latest packages.
fedora-ds-dsgw-1.1.1-1.fc9.i386
fedora-ds-console-1.2.0-1.fc9.noarch
fedora-ds-base-1.2.0-4.fc9.i386
fedora-ds-1.1.3-1.fc9.noarch
fedora-ds-admin-1.1.7-3.fc9.i386
fedora-ds-admin-console-1.1.3-1.fc9.noarch
Thank you
James
14 years, 11 months
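The two posts above (the memberUid/groups question and the sudoUser/login-case question) are the same mechanism. In RFC 2307, memberUid is defined with EQUALITY caseExactIA5Match on the IA5 String syntax (1.3.6.1.4.1.1466.115.121.1.26), while uid uses caseIgnoreMatch on Directory String (1.3.6.1.4.1.1466.115.121.1.15); it is the equality matching rule, not the syntax by itself, that decides whether "Joe_Doe" answers a search for joe_doe, and an equality index stores keys normalised under that rule, so changing the rule means reindexing the attribute afterwards. The same applies to sudoUser if the sudo schema you loaded declares it with a case-exact rule. The script below is an added example, not code from either post or from 389 DS: it models the two matching rules on constructed entries built from the names in the posts, reproduces the lopsided "groups" result, and audits the group data for member values that match a uid only when case is ignored, which is the cheap fix (correct the data) that needs no schema change.

```python
"""Model LDAP case-exact vs case-ignore equality matching on group membership
and audit a directory dump for members that match a uid only by case folding.

Added example, not code from the posts. USERS and GROUPS are constructed from
the names mentioned in the posts; case_ignore() is a reduced model of the LDAP
caseIgnoreMatch preparation (RFC 4518): fold case and collapse whitespace.
"""
import re

USERS = ["joe_doe", "Joe_Montana"]            # uid values of the user entries
GROUPS = {                                    # posixGroup cn -> memberUid values
    "celtics": ["Joe_Doe", "bill_russell"],   # Joe_Doe differs from the uid only by case
    "cavs": ["joe_doe"],
    "wheel": ["Joe_Montana"],
}


def case_exact(value):
    """caseExactIA5Match: compare the value as stored."""
    return value


def case_ignore(value):
    """caseIgnoreMatch, reduced to the parts that matter here."""
    return re.sub(r"\s+", " ", value.strip()).lower()


def groups_for(uid, groups, normalise):
    """Groups whose memberUid matches uid under the given matching rule, in
    dictionary order (this is what the server answers to (memberUid=<uid>))."""
    key = normalise(uid)
    return [cn for cn, members in groups.items()
            if key in {normalise(m) for m in members}]


def audit_membership(users, groups):
    """Split non-matching members into (dangling, case_only):
    dangling  - memberUid values that match no uid at all
    case_only - values that match a uid only when case is ignored; these silently
                vanish from group lookups while memberUid is case-exact."""
    exact = set(users)
    folded = {case_ignore(u) for u in users}
    dangling, case_only = [], []
    for cn, members in groups.items():
        for member in members:
            if member in exact:
                continue
            if case_ignore(member) in folded:
                case_only.append((cn, member))
            else:
                dangling.append((cn, member))
    return dangling, case_only


def fix_case(groups, users):
    """Return a copy of groups with case-only mismatches rewritten to the real uid."""
    canonical = {case_ignore(u): u for u in users}
    return {cn: [canonical.get(case_ignore(m), m) for m in members]
            for cn, members in groups.items()}


if __name__ == "__main__":
    print("exact :", groups_for("joe_doe", GROUPS, case_exact))    # ['cavs']
    print("ignore:", groups_for("joe_doe", GROUPS, case_ignore))   # ['celtics', 'cavs']
    print("audit :", audit_membership(USERS, GROUPS))
    print("fixed :", groups_for("joe_doe", fix_case(GROUPS, USERS), case_exact))
```

The audit output lists ("celtics", "Joe_Doe") as a case-only mismatch and ("celtics", "bill_russell") as dangling; after fix_case() the exact-match lookup returns both groups, the same result the case-insensitive rule gives.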
[Fedora-directory-users] LDAP browsers
by John A. Sullivan III
Hello, all. As we are planning to use 389 to hold external contact
information for our users, we would like to give them the ability to
browse their particular portions of the tree. May I ask what the
various members of the list have used for a multi-distribution ldap
administration tool?
Luma seems a bit light. I've not yet played with getting idm-console to
run on Ubuntu (the majority of the clients) but I think it would be
overwhelming for a business manager who just needs to create contacts
and organize them into OUs. DSGW has potential but, unless I missed it,
I did not see a way to browse using it. Just search. What are folks
using? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
14 years, 11 months
[Fedora-directory-users] FDS chaining
by Randall Wood
I am attempting to chain two directory servers together, and am
successful only if I disable proxied authorization. I cannot find any
resources that discuss how to make proxied authorization work other than
the iPlanet/Netscape/Sun/Fedora/Redhat Directory Server manuals, but I
cannot get it working. Does anyone know of a how-to guide for this?
--
Randall Wood
Secure Systems Engineer
Trusted Computer Solutions
2350 Corporate Park Drive, Suite 500
Herndon, Virginia 20170
Tel (703) 537-4382 | Fax (703) 318-5041
rwood(a)trustedcs.com
http://www.trustedcs.com
14 years, 11 months