Samba Support
by David Christensen
Implemented samba on FDS using the howto, but when I try to add a
Windows XP machine to the new domain, I get a login failure when I use
the Administrator login and password I defined. The logs show a lookup,
but it keeps failing, indicating unknown username or bad password.
Any ideas of what I need to look at with my configuration?
Thanks.
14 years, 10 months
problem with mmr.pl script
by Del
Hi all,
There is a problem I'm getting (and I've seen it reported elsewhere on
the mailing list) with mmr.pl as described on this page:
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
When running the script I get the error:
failed to add changelog entry: failed to start changelog; error - 8 at
./mmr.pl line 253, <DATA> line 342.
The solution is to create the changelog entries manually as per the
instructions on this page:
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication...
(Section 8.5.1 just the first part).
... then to re-run the mmr.pl script. It will issue a minor complaint
about the changelogs already existing but otherwise it will work.
I am not sure but I think "8" in the mmr.pl error message seems to
relate to standard LDAP error code 8 which is "Strong authentication
required". So for some reason despite me not having SSL enabled on my
directory server (this is an entirely internal deployment) it seems to
want me to have SSL authentication or other strong authentication to
create the changelog entries.
I have done an LDIF export of cn=config before and after manually
creating the changelog entries in the directory using the console and
diffed these, and the entries created seem to be exactly the same as
those that should be created in the mmr.pl script, so I'm not otherwise
sure why the mmr.pl script should be failing to create these entries.
This is with Fedora Directory Server 1.2.0 on RHEL 5.3.
--
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9966 9476
fax: 02 9906 2864
14 years, 10 months
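Del's check, diffing two LDIF exports of cn=config to confirm that the manually created changelog entry is the same one mmr.pl should have created, can be automated so that cosmetic differences (attribute-name case, folded lines, base64-encoded values, operational timestamps) are not mistaken for real ones. The Python below is an added example, not part of the thread or of the 389 project; the two exports and the expected changelog entry are constructed sample data, the instance name `slapd-example` is a placeholder, and the attribute set of the changelog entry is assumed from the replication how-to rather than taken from this page.

```python
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Operational attributes that legitimately differ between two exports of the
# same tree; they are ignored when comparing entries.
VOLATILE = {"modifytimestamp", "createtimestamp", "modifiersname",
            "creatorsname", "entryid", "entryusn", "nsuniqueid"}


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse LDIF into {dn: {attribute: sorted values}}.

    DNs and attribute names are lower-cased for comparison; folded lines
    (leading space) are joined, "attr:: <base64>" values are decoded, and
    comment and version lines are skipped. Values stay case-sensitive.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF folding: drop the one space
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    current: Entry = {}
    dn = None

    def flush() -> None:
        nonlocal current, dn
        if dn is not None:
            entries[dn] = {a: sorted(v) for a, v in current.items()}
        current, dn = {}, None

    for line in unfolded:
        if not line.strip():
            flush()
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            flush()
            dn = value.lower()
        else:
            current.setdefault(name, []).append(value)
    flush()
    return entries


def diff_ldif(before: str, after: str) -> Dict[str, object]:
    """Report entries added, removed and attributes changed between two exports."""
    a, b = parse_ldif(before), parse_ldif(after)
    changed: Dict[str, Dict[str, Tuple]] = {}
    for dn in a.keys() & b.keys():
        ea = {k: v for k, v in a[dn].items() if k not in VOLATILE}
        eb = {k: v for k, v in b[dn].items() if k not in VOLATILE}
        deltas = {k: (ea.get(k), eb.get(k)) for k in ea.keys() | eb.keys()
                  if ea.get(k) != eb.get(k)}
        if deltas:
            changed[dn] = deltas
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "changed": changed}


def compare_entry(export: str, expected: str) -> List[str]:
    """List the ways an export deviates from the entries it is expected to contain."""
    have = parse_ldif(export)
    problems: List[str] = []
    for dn, attrs in parse_ldif(expected).items():
        if dn not in have:
            problems.append(f"missing entry: {dn}")
            continue
        for name, values in attrs.items():
            if have[dn].get(name) != values:
                problems.append(f"{dn}: {name} is {have[dn].get(name)}, expected {values}")
    return problems


# Constructed sample exports of cn=config (trimmed). "after" adds the changelog
# entry, with one folded line and one base64 value to exercise the parser.
BEFORE = """version: 1
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-port: 389
modifyTimestamp: 20090620120000Z

dn: cn=plugins,cn=config
objectClass: top
objectClass: nsContainer
cn: plugins
"""

AFTER = """version: 1
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-port: 389
modifyTimestamp: 20090625120000Z

dn: cn=plugins,cn=config
objectClass: top
objectClass: nsContainer
cn: plugins

dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleObject
cn:: Y2hhbmdlbG9nNQ==
nsslapd-changelogdir: /var/lib/dirsrv/slapd-example/
 changelogdb
"""

# The entry the script is expected to create (attribute set assumed from the
# replication how-to; "slapd-example" is a placeholder instance name).
EXPECTED_CHANGELOG = """dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-example/changelogdb
"""

if __name__ == "__main__":
    print(diff_ldif(BEFORE, AFTER))
    print(compare_entry(AFTER, EXPECTED_CHANGELOG) or "changelog entry matches")
```

Run against real exports, `diff_ldif` shows only the changelog entry as added and nothing else changed, because the timestamps on cn=config are filtered out; `compare_entry` then confirms attribute by attribute that the hand-made entry matches the one the script would write.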
Single master, multiple slave with no configuration server
by Vince Tingey
Hi everyone,
Just wondering if there are any problems I should be aware of if I want
to set up a single master multiple slave scenario WITHOUT using the
master as a configuration server. I'm OK having to connect to the slave
admin servers individually instead of them all showing up in the console
when I connect to the master admin server. Are there any other drawbacks?
What are the benefits of using a configuration server in this scenario?
Thank you,
--
Vince | Michael Smith Laboratories
IT Systems Coordinator | University of British Columbia
14 years, 10 months
389 Directory Server on Redhat
by DANIEL CRISTIAN CRUZ
Cláudio,
Look at this crap:
[root@ptolomeu ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Instructions on the 389DS site:
* Enterprise Linux 5
There are currently (April 2, 2009) no binary packages for EL5 (e.g. RHEL5,
CentOS5 and derivatives). However, with a little hoop jumping, you can use
packages from Fedora Core 6.
* Step 1 - Upgrade to 5.3 or later - 5.3 includes some necessary
packages for the core server as well as the OpenJDK Java 1.6 - The
directory server will not work correctly if you do not upgrade
I regret more and more having done this with FDS rather than OpenLDAP...
Regards,
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)
14 years, 10 months
Trouble using self signed certificates.
by Dumbo Q
I've managed to get past the strangely obscure method of installing an SSL certificate, and from the server side everything appears to be OK. Actually it's a "CACert" certificate, rather than self-signed. Using Jxplorer, I can connect to the DS using SSL, accept the certificate, and I'm all set.
However, I am having a ton of trouble figuring out how to use an untrusted CA for my Linux user authentication. I changed /etc/ldap.conf to use ldaps://, and it attempts to connect as expected. I think this would work, if I could figure out how to tell it to accept the certificate. I get the following error message in DS after running getent passwd.
[24/Jun/2009:12:24:02 -0400] conn=3 op=-1 fd=66 closed - Peer does not recognize and trust the CA that issued your certificate.
[24/Jun/2009:12:24:02 -0400] conn=4 op=-1 fd=67 closed - Peer does not recognize and trust the CA that issued your certificate.
Any thoughts?
14 years, 10 months
Password Sync Plugin
by DANIEL CRISTIAN CRUZ
Hi all,
Does anyone know if it could be possible to build a plugin to sync
userPassword, Samba passwords and other passwords, enforcing that
userPassword always gets saved in plain text over an SSL connection?
I'm thinking of a quick and dirty solution, since there is no solution.
Regards,
--
Daniel Cristian Cruz
Database Administrator
Regional Directorate - Information Technology Center
SENAI - SC
Phone: 48-3239-1422 (ext. 1422)
14 years, 10 months
Programmatically / dynamically deriving an attribute?
by Aaron Mahler
Hello!
I'm still getting into the swing of LDAP, but I'm starting to get
things functioning fairly well.
I've run into one issue and I'm not sure how to tackle it from a
conceptual standpoint.
Our Fedora/389 (whichever I should call it now) LDAP server is
intended to be the main, core LDAP server for campus. Our mail server
(an older version of CommuniGate Pro), however, is remaining the
primary source of user info for the time being. It provides names,
UIDs, passwords, etc., and now successfully talks to the LDAP server
via CommuniGate's "Directory Integration" feature.
By this, I mean any email account creations, modifications, etc.,
on the mail server are being provided to the LDAP server pretty
seamlessly. Applications can now point to the Fedora server for use in
authentication, various other directory queries, etc.
One problem, though, is that CommuniGate does not provide a mail
attribute - just UID, real name, some custom fields of ours (mapped to
proper fields in the LDAP scheme), etc. So queries to the Fedora
server don't return a mail field which, in our case, should just be
uid with @sbc.edu appended. It's causing some trouble in various areas.
Is there a way I can configure Fedora to dynamically either fill
the mail field itself by combining uid with @sbc.edu on creates/
updates or, when answering requests for the mail attribute,
dynamically creating that response?
Is there a plug-in or some other trigger mechanism for doing this
kind of thing?
Thanks!
- Aaron
--
halfpress: http://www.halfpress.com
TWiP: http://twiplog.com
Documenting Democracy: http://www.docdem.org
Aaron's MAME Boxes - http://www.mameblog.com
Twitter: halfpress
14 years, 10 months
Re: [389-users] Trouble using self signed certificates.
by Dumbo Q
To answer a few questions,
Searching for anything about ldap.conf in Google gave me a lot of OpenLDAP-specific stuff. Sorry to have to post to this mailing list, but I figure that if I'm having this much trouble getting this to work, then there is a good chance others are too.
I've tried a few combinations of these and none have worked for me.
TLS_CACERT is pointing to CACert's root certificate.
Here is the current tail of my ldap.conf file.
TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
TLS_CACERT_DIR /etc/pki/tls/certs
TLS_REQCERT allow
uri ldaps://rhds.example.com:636/
ssl no
#tls_cacertdir /etc/pki/tls/certs
pam_password ssha
Interestingly enough, it worked after doing the following.
cat /etc/pki/tls/certs/cacert.org-root.txt >> /etc/pki/tls/cert.pem
This is the symlink to ca-bundle.crt
My fear with this is that I'll run a yum -y update on all my servers, and then nobody will be able to log in anywhere.
________________________________
From: Jean-Noel Chardron <Jean-Noel.Chardron(a)dr15.cnrs.fr>
To: General discussion list for the 389 Directory server project. <fedora-directory-users(a)redhat.com>
Sent: Wednesday, June 24, 2009 1:19:36 PM
Subject: Re: [389-users] Trouble using self signed certificates.
David Christensen wrote:
>
> I was having a similar issue yesterday, everything worked until I
> appended more then one CA to the file in /etc/openldap/cacerts, then it
> kept failing until I limited it to one CA. Are you
> using a single CA?
>
The client authenticates to a server with a single authority, so why try to install two or more? Otherwise you must use one file per CA in the directory,
unless you mean a CA chain.
--
389 users mailing list
389-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
14 years, 10 months
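The ldap.conf tail posted above mixes two keyword families: TLS_CACERT and TLS_REQCERT are read by the OpenLDAP client library from /etc/openldap/ldap.conf, while nss_ldap and pam_ldap read tls_cacertfile, tls_cacertdir and tls_checkpeer from /etc/ldap.conf. The Python below is an added example, not from the thread or from either project: it parses a file in that format and reports the settings that let a client talk to a server whose certificate was never verified (such as `TLS_REQCERT allow`, which accepts a bad certificate rather than failing) and keywords that do nothing because they are not ones either library knows. POSTED_CONF is a constructed copy of the posted tail, and HARDENED_CONF a constructed counterpart that pins the CACert root through a dedicated CA file that a package update will not overwrite, instead of appending it to the system bundle; the host name and file paths are those from the post.

```python
from typing import Dict, List

# TLS keywords understood by the OpenLDAP client library (ldap.conf(5)) and by
# nss_ldap/pam_ldap, lower-cased. Anything else starting with "tls" is a typo.
KNOWN_TLS_KEYS = {
    "tls_cacert", "tls_cacertdir", "tls_cert", "tls_key", "tls_cipher_suite",
    "tls_reqcert", "tls_crlcheck", "tls_randfile",          # libldap
    "tls_checkpeer", "tls_cacertfile", "tls_ciphers",       # nss_ldap
}
TRUST_ANCHORS = {"tls_cacert", "tls_cacertfile", "tls_cacertdir"}
WEAK_REQCERT = {
    "never": "the server certificate is not even requested",
    "allow": "a bad or missing server certificate is ignored",
    "try": "a missing server certificate is accepted",
}


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Keyword/value pairs, keywords lower-cased; comments skipped; last value wins."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_tls(text: str) -> List[str]:
    """Return findings that would let a client accept an unverified directory server."""
    conf = parse_ldap_conf(text)
    findings: List[str] = []
    for key in conf:
        if key.startswith("tls") and key not in KNOWN_TLS_KEYS:
            findings.append(f"{key}: not a TLS keyword of libldap or nss_ldap")
    uses_tls = (conf.get("uri", "").lower().startswith("ldaps://")
                or conf.get("ssl", "").lower() in ("on", "start_tls"))
    if not uses_tls:
        findings.append("no ldaps:// URI or ssl start_tls in effect: a simple bind "
                        "would send the password in the clear")
        return findings
    reqcert = conf.get("tls_reqcert", "").lower()
    if reqcert in WEAK_REQCERT:
        findings.append(f"tls_reqcert {reqcert}: {WEAK_REQCERT[reqcert]}; use demand")
    if conf.get("tls_checkpeer", "").lower() in ("no", "off"):
        findings.append("tls_checkpeer no: nss_ldap skips server certificate verification")
    if not TRUST_ANCHORS & set(conf):
        findings.append("no tls_cacert/tls_cacertfile/tls_cacertdir: no CA is pinned, "
                        "so verification cannot succeed against a private CA")
    return findings


# Constructed copy of the tail posted in the thread.
POSTED_CONF = """TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
TLS_CACERT_DIR /etc/pki/tls/certs
TLS_REQCERT allow
uri ldaps://rhds.example.com:636/
ssl no
#tls_cacertdir /etc/pki/tls/certs
pam_password ssha
"""

# Constructed hardened counterpart; each family of keywords belongs in its
# own file, the comments say which.
HARDENED_CONF = """# /etc/ldap.conf (nss_ldap / pam_ldap)
uri ldaps://rhds.example.com:636/
tls_checkpeer yes
tls_cacertfile /etc/pki/tls/certs/cacert.org-root.txt
pam_password ssha
# /etc/openldap/ldap.conf (libldap, used by the ldap* command-line tools)
TLS_CACERT /etc/pki/tls/certs/cacert.org-root.txt
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_tls(conf) or ["no findings"])
```

On the posted configuration the audit reports the misspelt directory keyword and `TLS_REQCERT allow`; the hardened form produces no findings because the CA file is named explicitly and verification is demanded rather than merely attempted.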
Referrals
by David Christensen
Can referrals be used to reference a user or group in another branch of
the DIT? I am using FDS for authentication, some basic authorization
and as a directory. I have my DIT set up with three organizational
branches under a single root suffix. Hosts are then set up with a base
DN based on the organization they belong to, so very few hosts do a
search starting at the root suffix. At the moment users are added to
the DIT based on their organization and OU within that organization.
If I wanted to have a user who is in org A and only org A to be able to
gain access to hosts in org B my initial thought was adding them in org
B, but this would create maintenance logistical nightmares so my thought
was using referrals so that a search by an org B host for a user who is
actually in org A would be referred to the user record in org A, but
would symbolically be in org B. Would this work, or would it break
something, and is this the proper way to use a referral? Is there
any way of doing this on a group basis instead of by single user?
Thanks.
14 years, 10 months