389-dsgw and Linux Virtual Server
by Luke Schierer
Has anyone put the dsgw behind linux virtual server successfully? I am
trying to set it up using lvs-dr, and while I can connect to each real
server directly, I cannot connect if I go through the lvs vip. If someone
has a working lvs.cf that they could share, or tips on making this work,
that would be awesome.
Luke
14 years, 3 months
Change password of entries to clear-text
by Eric
Hi,
I'm new to ldap and have installed ldap-389. The passwords of entries in the
database are saved in SSHA. How do I configure it to be clear-text? And how do I
change entries that are saved until now?
thanks
14 years, 3 months
mmr.pl script with --with-ssl not working !!!
by Ajeet S Raina
Guys,
I tried the mmr.pl command with --with-ssl and it doesn't display anything
but gets stuck with no output.
But if I run the same without ssl it does show that replication is working
!!
What could be the issue?
14 years, 3 months
Multi-Master Replication Errorlogs..
by Ajeet S Raina
I have 389-ds.sap as the supplier and 389-ds2.sap as the consumer system.
I downloaded the mmr.pl script and ran it on 389-ds.sap system:
[root@389-ds opt]# ./mmr.pl --host1 389-ds.sap.com --host2 389-ds2.sap.com --host1_id 1 --host2_id 2 --bindpw '!password' --repmanpw '!password' --create --create
adding to 389-ds.sap.com -> cn=changelog5,cn=config
-> already exists
adding to 389-ds.sap.com -> cn=repman,cn=config
-> already exists
adding to 389-ds.sap.com -> cn=replica,cn="o=netscaperoot",cn=mapping
tree,cn=config
-> already exists
adding to 389-ds2.sap.com -> cn=changelog5,cn=config
-> already exists
adding to 389-ds2.sap.com -> cn=repman,cn=config
-> already exists
adding to 389-ds2.sap.com -> cn=replica,cn="o=netscaperoot",cn=mapping
tree,cn=config
-> already exists
adding to 389-ds.sap.com -> plaintext replication 389-ds.sap.com ->
389-ds2.sap.com
adding to 389-ds2.sap.com -> plaintext replication 389-ds2.sap.com ->
389-ds.sap.com
initializing replication 389-ds.sap.com -> 389-ds2.sap.com (port 389)
The logs at the supplier show:
SMMReplicationPlugin - Beginning total update of replica "agmt="cn="Replication to 389-ds2.sap.com"" (389-ds2:389)".
[17/Jan/2010:23:21:25 +051800] NSMMReplicationPlugin - Finished total update of replica "agmt="cn="Replication to 389-ds2.sap.com"" (389-ds2:389)". Sent 109 entries.
-----------------------
The logs at the consumer side are:
ReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica o=netscaperoot: LDAP error - 1
[17/Jan/2010:23:24:14 +051800] NSMMReplicationPlugin - multimaster_be_state_change: replica o=netscaperoot is going offline; disabling replication
[17/Jan/2010:23:24:14 +051800] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[17/Jan/2010:23:24:18 +051800] - import NetscapeRoot: Workers finished; cleaning up...
[17/Jan/2010:23:24:18 +051800] - import NetscapeRoot: Workers cleaned up.
[17/Jan/2010:23:24:18 +051800] - import NetscapeRoot: Indexing complete. Post-processing...
[17/Jan/2010:23:24:18 +051800] - import NetscapeRoot: Flushing caches...
[17/Jan/2010:23:24:18 +051800] - import NetscapeRoot: Closing files...
[17/Jan/2010:23:24:18 +051800] - import NetscapeRoot: Import complete. Processed 109 entries in 4 seconds. (27.25 entries/sec)
[17/Jan/2010:23:24:18 +051800] NSMMReplicationPlugin - multimaster_be_state_change: replica o=netscaperoot is coming online; enabling replication
[17/Jan/2010:23:24:18 +051800] NSMMReplicationPlugin - agmt="cn="Replication to 389-ds.sap.com"" (389-ds:389): Succesfully bound cn=repman,cn=config to consumer, but password has expired on consumer.
[17/Jan/2010:23:24:18 +051800] NSMMReplicationPlugin - agmt="cn="Replication to 389-ds.sap.com"" (389-ds:389): Succesfully bound cn=repman,cn=config to consumer, but password is expiring on consumer in 0 seconds.
Let me inform you that I have SSL configured on both the systems and when I
use ./mmr.pl with the --with-ssl option, it doesn't show anything.
The above output gets shown when I run it without --with-ssl.
Pls suggest?
14 years, 3 months
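As an added example (not code from the post or from the 389-ds project), here is a small Python triage of 389-ds errors-log lines like the consumer log quoted above. It parses the `[timestamp] <plugin> - message` layout, classifies each line with a few rules (RUV update failure, replica offline/online, the expired-password warnings for the cn=repman bind account), and reports lines it cannot parse. The sample log is constructed from the post's consumer-side lines; the first full `replica_replace_ruv_tombstone` line is a reconstruction with an assumed timestamp, because the mail lost the beginning of that line, and the truncated original is kept to show how unparsable text is handled.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 389-ds errors-log line: "[dd/Mon/yyyy:HH:MM:SS +zone] <plugin> - <message>" for
# plug-in output, or "[timestamp] - <message>" for the core server.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?:(?P<src>\S+)\s+)?-\s+(?P<msg>.*)$")


@dataclass
class LogEvent:
    timestamp: str   # text between the brackets, kept exactly as the server wrote it
    source: str      # plug-in name, or "-" for the core server
    message: str
    severity: str    # "error", "warning" or "info"
    note: str        # why the rule fired; empty when no rule matched


# Ordered rules, first match wins. The patterns are message fragments from the
# consumer log quoted in the post above.
RULES = [
    (re.compile(r"failed to update replication update vector"), "error",
     "RUV update failed on the consumer; check the replica state and the import result"),
    (re.compile(r"but password (has expired|is expiring)"), "warning",
     "replication bind account (cn=repman) is subject to password policy on the consumer"),
    (re.compile(r"going offline; disabling replication"), "warning",
     "replica taken offline (expected while a total update is being imported)"),
    (re.compile(r"^WARNING:"), "warning", "warning emitted by the server"),
    (re.compile(r"coming online; enabling replication"), "info", "replica back online"),
    (re.compile(r"(Beginning|Finished) total update|Import complete"), "info",
     "total (re)initialisation of the consumer"),
]


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one line; None for text that is not a log line (for instance the lines
    whose beginning was cut off in the post above)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    severity, note = "info", ""
    for pattern, sev, why in RULES:
        if pattern.search(m["msg"]):
            severity, note = sev, why
            break
    return LogEvent(m["ts"], m["src"] or "-", m["msg"], severity, note)


def triage(text: str) -> Tuple[List[LogEvent], List[str]]:
    """Return (parsed events, lines that could not be parsed) for a block of log text."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected.append(line)
        else:
            events.append(event)
    return events, rejected


def summarize(events: List[LogEvent]) -> Dict[str, int]:
    return dict(Counter(e.severity for e in events))


# Constructed sample: consumer-side lines from the post, unwrapped. The first line is
# the truncated original (reported as unparsable); the second is a reconstruction of
# it with an assumed timestamp.
SAMPLE_LOG = '''
ReplicationPlugin - replica_replace_ruv_tombstone: failed to update
[17/Jan/2010:23:24:14 +051800] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica o=netscaperoot: LDAP error - 1
[17/Jan/2010:23:24:14 +051800] NSMMReplicationPlugin - multimaster_be_state_change: replica o=netscaperoot is going offline; disabling replication
[17/Jan/2010:23:24:14 +051800] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[17/Jan/2010:23:24:18 +051800] - import NetscapeRoot: Import complete. Processed 109 entries in 4 seconds. (27.25 entries/sec)
[17/Jan/2010:23:24:18 +051800] NSMMReplicationPlugin - multimaster_be_state_change: replica o=netscaperoot is coming online; enabling replication
[17/Jan/2010:23:24:18 +051800] NSMMReplicationPlugin - agmt="cn="Replication to 389-ds.sap.com"" (389-ds:389): Succesfully bound cn=repman,cn=config to consumer, but password has expired on consumer.
[17/Jan/2010:23:24:18 +051800] NSMMReplicationPlugin - agmt="cn="Replication to 389-ds.sap.com"" (389-ds:389): Succesfully bound cn=repman,cn=config to consumer, but password is expiring on consumer in 0 seconds.
'''

if __name__ == "__main__":
    found, bad = triage(SAMPLE_LOG)
    for e in found:
        print(f"{e.severity:7} {e.source:22} {e.note or e.message}")
    print("unparsable lines:", len(bad), "summary:", summarize(found))
```

The rule table is deliberately tiny; the point is that the two "Succesfully bound ... but password has expired" lines surface as warnings about the replication bind account rather than being lost among import progress messages.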
Object class violation !!
by Ajeet S Raina
Hello,
I was going through this link:
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html to
configure the DNA_plugin.
All I followed is:
ldapmodify -a -D "cn=directory manager" -w secret -p 636 -h 389-ds
dn: ou=Ranges, dc=im,dc=sap, dc=com
objectclass: top
objectclass: extensibleObject
objectclass: organizationalUnit
ou: Ranges

dn: cn=Account UIDs, ou=Ranges, dc=im,dc=sap, dc=com
objectclass: top
objectclass: extensibleObject
cn: Account UIDs
Next,
Enabled the DNA Plugin through Console
Next,
Create the new DNA Plug-in instance beneath the container entry
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=People, dc=im,dc=sap,dc=com
dnanextvalue: 1
dnaMaxValue: 1300
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=im,dc=sap,dc=com
dnathreshold: 100
dnaRangeRequestTimeout: 60
dnaMagicRegen: magic
Restarted the dirsrv service.
Now if I try to add a user through script:
ldapmodify -x -h 389-ds.sap.com -D "cn=Directory Manager" -w secret -f
Users.ldif
adding new entry "uid=dav,ou=People,dc=im,dc=sap,dc=com"
ldapmodify: Object class violation (65)
additional info: missing attribute "gidNumber" required by object
class "posixAccount"
[root@389-ds opt]#
Any idea what I have missed?
14 years, 3 months
Extending the 60autofs.ldif schema.
by Anne (juniper) Cross
The 60autofs.ldif schema that ships with Fedora Directory Server is plenty for Linux, and is working flawlessly for us there. (http://directory.fedoraproject.org/wiki/Howto:Automount seems to have a lot of superfluous work, but the auto.home and auto.master stuff helped a lot. Thank you.)
However, for serving up home directories to the Macs in our office, we're drawing a blank. We need two additional entries in the autofs schema:
attributeTypes: (
1.3.6.1.1.1.1.31
NAME 'automountMapName'
DESC 'automount Map Name'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.32
NAME 'automountKey'
DESC 'Automount Key value'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
All very tidy, and dropping them into the autofs schema file produces no screaming from a restart of the directory server...but they're still inaccessible. Thinking I needed to tweak automountMap and automount to make them usable (based on some documentation on various Mac sites) I tried this:
objectClasses: (
1.3.6.1.1.1.2.17
NAME 'automount'
DESC 'An entry in an automounter map'
SUP top
STRUCTURAL
MUST ( cn $ automountInformation )
MAY ( description $ automountKey )
X-ORIGIN 'draft-howard-rfc2307bis'
)
objectClasses: (
1.3.6.1.1.1.2.16
NAME 'automountMap'
DESC 'An group of related automount objects'
SUP top
STRUCTURAL
MUST ( ou )
MAY ( automountMapName )
X-ORIGIN 'draft-howard-rfc2307bis'
)
The "MAY ( ... $ automountKey )" and "MAY ( automountMapName )" both were my additions - "MAY (description)" was already there. Again, the servers restarted cleanly, but the new attributeTypes are not available.
What am I missing?
-- juniper
14 years, 3 months
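As an added example, not code from the post or from the 389 project, the following Python script reads schema definitions in the `attributeTypes: ( ... )` / `objectClasses: ( ... )` form used above and reports attribute types that no object class lists under MUST or MAY. That is the check a schema author wants before restarting: the server accepts such attribute types without complaint, but no entry can carry them until an object class references them. The "before" object classes are a constructed reconstruction of the state the post describes (only `MAY ( description )` on automount, no MAY on automountMap); the "after" ones are the post's own modified definitions. The parser handles only what these files use (one NAME or a NAME list, MUST/MAY as a single descriptor or a `$`-separated list).

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Start of a definition as written in a 389-ds schema LDIF file:
# "attributeTypes: (" or "objectClasses: (" at the beginning of a line.
DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*\(", re.MULTILINE)


def _balanced(text: str, start: int) -> Tuple[str, int]:
    """Return (inner text, index after the closing ')') for the parenthesised group
    whose '(' is at text[start]. Quoted strings are skipped, so a DESC that contains
    parentheses does not upset the depth count."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "'":
            i = text.index("'", i + 1)
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
        i += 1
    raise ValueError("unbalanced parentheses in schema definition")


def _names(body: str) -> List[str]:
    """NAME 'x' or NAME ( 'x' 'y' )."""
    m = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", body)
    if not m:
        return []
    return [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))


def _oidlist(body: str, keyword: str) -> List[str]:
    """Value of MUST or MAY: a single descriptor or ( a $ b $ c )."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in raw.split("$") if t.strip()]


def parse_schema(text: str) -> Tuple[List[Dict], List[Dict]]:
    """Return (attribute types, object classes), each entry as {oid, names, must, may}."""
    attrs, classes = [], []
    for m in DEF_RE.finditer(text):
        body, _ = _balanced(text, m.end() - 1)
        entry = {"oid": body.split()[0], "names": _names(body),
                 "must": _oidlist(body, "MUST"), "may": _oidlist(body, "MAY")}
        (attrs if m.group(1) == "attributeTypes" else classes).append(entry)
    return attrs, classes


def unreferenced_attributes(text: str) -> Set[str]:
    """Attribute types defined in `text` that no object class in `text` lists under
    MUST or MAY. The server loads them, but no entry can carry them."""
    attrs, classes = parse_schema(text)
    used = {a.lower() for c in classes for a in c["must"] + c["may"]}
    return {n for a in attrs for n in a["names"] if n.lower() not in used}


def duplicate_oids(text: str) -> Set[str]:
    """OIDs that appear in more than one definition."""
    attrs, classes = parse_schema(text)
    return {oid for oid, n in Counter(e["oid"] for e in attrs + classes).items() if n > 1}


# The two attribute types from the post, as folded LDIF (leading space = continuation).
ATTRS = """
attributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name'
 EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automount Key value'
 EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

# Constructed "before" state: the object classes as the post describes them prior to
# the additions (only MAY ( description ) on automount, no MAY on automountMap).
BEFORE = ATTRS + """
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'An entry in an automounter map'
 SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY ( description )
 X-ORIGIN 'draft-howard-rfc2307bis' )
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' DESC 'An group of related automount objects'
 SUP top STRUCTURAL MUST ( ou ) X-ORIGIN 'draft-howard-rfc2307bis' )
"""

# "After" state: the object classes exactly as modified in the post.
AFTER = ATTRS + """
objectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'An entry in an automounter map'
 SUP top STRUCTURAL MUST ( cn $ automountInformation ) MAY ( description $ automountKey )
 X-ORIGIN 'draft-howard-rfc2307bis' )
objectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' DESC 'An group of related automount objects'
 SUP top STRUCTURAL MUST ( ou ) MAY ( automountMapName ) X-ORIGIN 'draft-howard-rfc2307bis' )
"""

if __name__ == "__main__":
    print("before:", unreferenced_attributes(BEFORE) or "all attributes referenced")
    print("after: ", unreferenced_attributes(AFTER) or "all attributes referenced")
```

Run against a whole schema directory (concatenate the files first, since object classes in one file routinely reference attributes from another) the same function also catches the opposite mistake, a MAY entry that misspells an attribute name, because that name will never appear among the defined attribute types.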
Help with setting up Password Policy and SSL/TLS
by Fulda, Paul R (IS)
Hi,
I am trying to configure the Password Policy for my users and read that
you would not be able to use the Policy unless you set up SSL/TLS.
I am using 389 Server version 1.2.2. Also I am running the Server on
Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
I followed the instructions in setting up SSL here at
http://directory.fedoraproject.org/wiki/Howto:SSL
I ran the setupssl2.sh script and it completed with no errors. In the
389 Admin Console I could see the certificates for both the Admin Server
and DS Server in the
Manage Certificates screens.
Also, I do not want to use SSL for the Admin Server or the Admin
Console. I just want to be able to use it for user authentication so
the Password Policy works.
Bottom line is that I cannot get both features (Password Policies and
SSL) working. Any help would be greatly appreciated.
Up to this point here are my questions:
1) In the Directory Server GUI from the 389 Admin Console what
certificate do I use to populate the Certificate field in the Encryption
Tab?
There are 3 choices it provides after running the
sslsetup2.sh script which are CA Certificate, server-cert, and
server-Cert.
2) In the Client Authentication Block in the same Encryption Tab
as #1 above, I have selected "Require client authentication". Is this
correct?
Is this how you force the Directory Server to use only
port 636 for secure communications? If not, how do you do that?
3) What are the differences between /etc/openldap/ldap.conf and
/etc/ldap.conf? What are the client configurations needed to make this
work?
The only ldap.conf file that
http://directory.fedoraproject.org/wiki/Howto:SSL talks about
configuring is the /etc/openldap/ldap.conf file.
My /etc/openldap/ldap.conf file looks like this:
URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT allow
4) How do you get the certificate on the client machines? What I
did was copy from the server the cacert.asc file that is located in
/etc/dirsrv/slapd-hadmina
to the client machine in /etc/openldap/cacerts
directory. Is this correct?
Thanks and I hope there is someone out there that can help me get this
working!
Paul
14 years, 3 months
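Added example, not code from the post or from the 389 project: a small linter for the client-side `/etc/openldap/ldap.conf` settings discussed above. It parses the `DIRECTIVE value` syntax of ldap.conf(5) and flags the settings that weaken certificate verification: `TLS_REQCERT never`/`allow` (the session proceeds even if the server presents no certificate or an unverifiable one), `TLS_REQCERT try` (a missing certificate is tolerated), a missing trust anchor, and `TLS_CACERT` pointing at a directory (that directive takes a PEM file; a hashed directory is configured with `TLS_CACERTDIR`). The weak sample is the post's own file; the hardened one is constructed, and the path of the CA file in it is an assumption (the post only says cacert.asc was copied into /etc/openldap/cacerts). The directory check is injectable so the sample runs without touching the filesystem.

```python
import os
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str, str]   # (severity, directive, explanation)


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """ldap.conf(5) syntax: one 'DIRECTIVE value' per line, '#' comments.
    Directive names are case-insensitive, so they are upper-cased here."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_ldap_conf(text: str, isdir: Callable[[str], bool] = os.path.isdir) -> List[Finding]:
    """Report TLS settings that leave the client unable (or unwilling) to verify
    the directory server's certificate."""
    conf = parse_ldap_conf(text)
    findings: List[Finding] = []

    reqcert = conf.get("TLS_REQCERT", "demand").lower()   # OpenLDAP's default is demand
    if reqcert in ("never", "allow"):
        findings.append(("error", "TLS_REQCERT",
                         f"'{reqcert}' proceeds even with a missing or unverifiable "
                         "server certificate; use 'demand'"))
    elif reqcert == "try":
        findings.append(("warning", "TLS_REQCERT",
                         "'try' tolerates a server that presents no certificate; use 'demand'"))

    cacert, cadir = conf.get("TLS_CACERT"), conf.get("TLS_CACERTDIR")
    if not cacert and not cadir:
        findings.append(("error", "TLS_CACERT",
                         "no CA trust anchor configured; the server certificate cannot be verified"))
    elif cacert and isdir(cacert):
        findings.append(("error", "TLS_CACERT",
                         f"'{cacert}' is a directory; TLS_CACERT takes a PEM file "
                         "(use TLS_CACERTDIR for a hashed certificate directory)"))

    if conf.get("URI", "").startswith("ldap://"):
        findings.append(("info", "URI",
                         "plain ldap:// URI: each client must request StartTLS itself "
                         "(e.g. ldapsearch -ZZ), otherwise the bind travels in cleartext"))
    return findings


# The client configuration quoted in the post above.
WEAK_CONF = """
URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT allow
"""

# Constructed hardened form: ldaps:// on 636, the CA file named explicitly (path is an
# assumption), and full verification demanded.
HARDENED_CONF = """
URI ldaps://hadmina.eidev.ngc.com/
BASE dc=eidev,dc=ngc,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS_REQCERT demand
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for severity, directive, why in lint_ldap_conf(conf) or [("ok", "-", "no findings")]:
            print(f"  {severity:7} {directive:12} {why}")
```

With `TLS_REQCERT allow`, a failed certificate check is silently ignored, which is why a client that "works" with that setting tells you nothing about whether the CA file was installed correctly; switch to `demand` first and then fix whatever breaks.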
Solaris 10 native LDAP client with FDS
by Charles Gilbert
Hi All,
I have read all information included on the site for documentation but have
one road block left. I have my Solaris 10 client configured for account
management. Everything regarding password changes etc work fine. If I lock
an account, the user is locked out. The only issue I am struggling with is
allowing users to use SSH keys. This is something that is required for our
system, and I am getting the error "Server does not provide account
information without a password." I know that recently, there was an update
to SunOne DS that allows for passwordless logins.
I am not sure where to go. Is this a patch that needs to be applied to my Solaris
10 client, or a config in FDS that needs to be set as far as ACI?
I would greatly appreciate any help with this.
Thank you for your time,
Chuck
14 years, 3 months
How to add Account UID for DNA_Plugin ??
by Ajeet S Raina
I have been pointed to
http://www.directory.fedora.redhat.com/wiki/DNA_Plugin for understanding the
DNA_plugin for auto IncrementalUID and GUID.
I can see the ldif format as:
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnainterval: 1
dnamaxvalue: 1000
dnamagicregen: 0
dnathreshold: 100
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnasharedcfgdn: cn=Account UIDs,ou=Ranges,dc=example,dc=com
dnanextvalue: 1

dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account GIDs
dnatype: gidNumber
dnainterval: 1
dnamaxvalue: 1000
dnamagicregen: 0
dnathreshold: 100
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnasharedcfgdn: cn=Account GIDs,ou=Ranges,dc=example,dc=com
dnanextvalue: 1
May I know how to add this to the Directory Server?
All I can see through the console is: cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
Pls suggest.
14 years, 3 months
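Added example, serving both this post and the "Object class violation" post above; it is not code from either post or from the 389 project. The script is a pre-flight check to run over a Users.ldif before handing it to ldapmodify: it parses the LDIF, reports MUST attributes that are absent for the object classes an entry claims (for posixAccount these are cn, uid, uidNumber, gidNumber and homeDirectory per RFC 2307, which is exactly the "missing attribute gidNumber required by object class posixAccount" rejection shown above), and separately lists attributes that carry the DNA magic value for a DNA instance whose scope and filter the entry matches, so the administrator can tell an intentional "let DNA assign this" from an omission. The DNA configuration is the post's, abridged to the attributes the check reads; the user entries are constructed. Only the simple `(attr=value)` filter form used in the post is evaluated.

```python
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]   # lower-cased attribute name -> values ("dn" holds the DN)

# MUST attributes per RFC 4519 (person) and RFC 2307 (posixAccount); the other classes
# used in the posts add no MUST of their own.
REQUIRED = {"person": ("sn", "cn"),
            "posixaccount": ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated records, one-space continuation
    lines, '#' comments and 'attr:: <base64>' values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def load_dna_configs(text: str) -> List[Dict[str, str]]:
    """Pick the DNA plug-in instances out of a config LDIF."""
    configs = []
    for e in parse_ldif(text):
        if "dnatype" not in e:
            continue
        fattr, _, fval = e["dnafilter"][0].strip("()").partition("=")
        configs.append({"type": e["dnatype"][0].lower(), "magic": e["dnamagicregen"][0],
                        "scope": _norm_dn(e["dnascope"][0]),
                        "fattr": fattr.lower(), "fval": fval.lower()})
    return configs


def check_entry(entry: Entry, configs: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Report MUST attributes the entry lacks, and attributes holding the DNA magic
    value for a config whose scope and filter the entry matches."""
    dn = _norm_dn(entry["dn"][0])
    classes = [c.lower() for c in entry.get("objectclass", [])]
    missing: List[str] = []
    for cls in classes:
        for attr in REQUIRED.get(cls, ()):
            if attr not in entry and attr not in missing:
                missing.append(attr)
    assigned = []
    for cfg in configs:
        in_scope = dn == cfg["scope"] or dn.endswith("," + cfg["scope"])
        matches = cfg["fval"] in (v.lower() for v in entry.get(cfg["fattr"], []))
        if in_scope and matches and entry.get(cfg["type"]) == [cfg["magic"]]:
            assigned.append(cfg["type"])
    return {"dn": entry["dn"][0], "missing": missing, "dna_assigned": assigned}


def check_ldif(users: str, config: str) -> List[Dict[str, List[str]]]:
    configs = load_dna_configs(config)
    return [check_entry(e, configs) for e in parse_ldif(users)]


# The two DNA instances quoted above, abridged to the attributes this check reads.
DNA_CONFIG = """
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnatype: uidNumber
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com

dn: cn=Account GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnatype: gidNumber
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
"""

# Constructed users: alice carries the magic value for both numbers; bob has no
# gidNumber at all, the shape that the server rejects with error 65.
USERS = """
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 0
gidNumber: 0
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 0
homeDirectory: /home/bob
"""

if __name__ == "__main__":
    for r in check_ldif(USERS, DNA_CONFIG):
        print(r["dn"], "missing:", r["missing"], "DNA will assign:", r["dna_assigned"])
```

A value that equals dnaMagicRegen is only counted as DNA-assigned when the entry is inside dnaScope and matches dnaFilter; an entry outside the scope keeps its literal value, which is why the scope lines in the two configs matter as much as dnaType.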
Adding Users through script?
by Ajeet S Raina
Guys,
I downloaded a script called USERADD from this link:
http://www.redhat.com/f/pdf/rhas/NetgroupWhitepaper.pdf Page 9 and followed
it as follows:
It did create a new Users.ldif file as follows:
dn: uid=dave, cn=EnvOD,ou=IM,ou=Bangalore,dc=im,dc=sap,dc=com
changetype: add
uid: dave
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
cn: Dave Meyer
sn: Meyer
givenName: Dave Meyer
gidNumber: 1000
uidNumber: 1003
userPassword: {clear}redhat
loginShell: /bin/bash
homeDirectory: /home/dave
But if I import it into Directory Server as:
ldapmodify -h 389-ds.sap.com -D "cn=Directory Manager" -w <password> -f Users.ldif
[1] 9443
-bash: -f: command not found
[root@389-ds opt]# SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional ldapmodify -h 389-ds.sapient.com -D "cn=Directory Manager" -w Oracle123456& -f Users.ldif
No idea why it's behaving so.
Am I missing anything in the command?
I did provide the -ZZ option for TLS but it didn't work.
Note: I have configured SSL for the 389-DS.
14 years, 3 months