Problems with SSL
by Ski Kacoroski
Hi,
I am having problems with SSL setup. First I tried via the admin
console to use our company's star cert, but no matter what pin/password
I picked for the keystore, when I tried to restart the server it would
not accept my pin/password that I had just entered. I then gave up and
ran the setupssl2.sh script and this worked except that it threw an
error when trying to modify the directory to turn on ssl. So I went in
via the admin console and was able to turn on ssl for the admin console
and my directory. The problem now is that I cannot stop the server from
the admin console (I can start it ok). I just get a dialog with
"Directory Server nsd-org could not be stopped". Any ideas on why when
I can start the server ok? Also has anyone else made this work with a
star cert?
cheers,
ski
--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir
Chris "Ski" Kacoroski, ckacoroski(a)nsd.org, 206-501-9803
or ski98033 on most IM services
13 years, 9 months
Demoting Supplier to Dedicated Consumer
by Frank Fossa
I'm new to the 389/RedHat Directory Server world (have had many years
experience with other directory server products). I've looked through the
documentation and did not see any directions on demoting a supplier to a
dedicated consumer. I tried to demote through the console first by moving
the supplier to a hub and then to a dedicated consumer. I thought all was
well until I restarted the instance. Now I'm seeing the following messages
in the errors log:
consumer
[04/Mar/2010:11:47:13 -0500] NSMMReplicationPlugin - conn=6 op=3
replica="unknown": Unable to acquire replica: error: no such replica
supplier
[04/Mar/2010:11:47:14 -0500] NSMMReplicationPlugin - agmt="cn=agmt"
(xxxxxx): Unable to acquire replica: there is no replicated area "<suffix
root>" on the consumer server. Replication is aborting.
[04/Mar/2010:11:47:14 -0500] NSMMReplicationPlugin - agmt="cn=agmt"
(xxxxxx): Incremental update failed and requires administrator action
At this point, I fear I will need to re-create the demoted supplier (as a
consumer). I would like to avoid that since this is a 25M entry test
database and could take a while to rebuild and configure.
Any thoughts on how I can enable replication from the remaining suppliers to
this instance?
--
Frank Fossa
13 years, 9 months
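A small triage helper for the error-log lines quoted above, added here as an example (it is not the poster's code nor part of the 389 project): it parses the 389 error-log line format, pulls the agreement name and host out of NSMMReplicationPlugin messages, and groups the messages that leave replication stopped until an administrator acts. The sample log is constructed from the post (the "xxxxxx" host is the poster's own redaction) plus one healthy line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three lines from the post plus one healthy agreement.
SAMPLE_LOG = """\
[04/Mar/2010:11:47:13 -0500] NSMMReplicationPlugin - conn=6 op=3 replica="unknown": Unable to acquire replica: error: no such replica
[04/Mar/2010:11:47:14 -0500] NSMMReplicationPlugin - agmt="cn=agmt" (xxxxxx): Unable to acquire replica: there is no replicated area "<suffix root>" on the consumer server. Replication is aborting.
[04/Mar/2010:11:47:14 -0500] NSMMReplicationPlugin - agmt="cn=agmt" (xxxxxx): Incremental update failed and requires administrator action
[04/Mar/2010:11:50:02 -0500] NSMMReplicationPlugin - agmt="cn=agmt2" (host2): State: start -> ready_to_acquire_replica
"""

# "[timestamp] Plugin - message" is the shape of every line in the post.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<plugin>\S+) - (?P<msg>.*)$')
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^)]+)\)')

# Substrings that mean the agreement stays broken until someone intervenes.
FATAL_MARKERS = (
    "requires administrator action",
    "Replication is aborting",
    "no such replica",
)


def parse_line(line):
    """Return a dict for one error-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec = {"ts": ts, "plugin": m.group("plugin"), "msg": m.group("msg"),
           "agmt": None, "host": None}
    a = AGMT_RE.search(rec["msg"])
    if a:
        rec["agmt"], rec["host"] = a.group("agmt"), a.group("host")
    return rec


def broken_agreements(log_text):
    """Map agreement name -> fatal messages; consumer-side lines without an
    agreement (the first line in the post) are keyed as '(consumer side)'."""
    broken = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["plugin"] != "NSMMReplicationPlugin":
            continue
        if any(marker in rec["msg"] for marker in FATAL_MARKERS):
            broken[rec["agmt"] or "(consumer side)"].append(rec["msg"])
    return dict(broken)
```

Run over a real /var/log/dirsrv errors file, a non-empty result is the signal that the agreement will not recover on its own (the post's "requires administrator action" case) rather than a transient acquire failure.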
DNSDomain objectclass missing
by muzzol
hi,
i've upgraded some directories and i can't add dnsdomain attributes anymore.
i see that in previous installations those objects were defined in
28pilot.ldif and this file is now deprecated in favour of other
locations.
but i can't find the DNSDomain objectclass anywhere:
[/etc/dirsrv]# grep -ri dnsdomain *
[/etc/dirsrv]#
i've also searched here
http://git.fedorahosted.org/git/?p=389/ds.git;a=tree;f=ldap/schema;hb=0f6...
without success.
where can i find dnsdomain objectclass?
regards,
muzzol
--
========================
^ ^
O O
(_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers.
They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and
Catalans; let's see when it decides to talk to normal people"
Jiménez Losantos
========================
<echelon spamming>
bomb terrorism bush aznar teletubbies
</echelon spamming>
13 years, 9 months
Howto determine the last time an account was bound?
by Ryan Braun [ADS]
Is there an operational attribute or some other way to determine the last
time an account was used to bind to the server (or any server in an MMR
setup)? Basically looking to find out the last time an account performed a
bind operation to test for account inactivity.
Also, is there a list of the available operational attributes anywhere?
Ryan Braun
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
E-Mail: Ryan.Braun(a)ec.gc.ca
13 years, 9 months
Re: [389-users] Directory Server OID control for passwordless logins of Solaris Clients
by Charles Gilbert
This is from the Sun website about their pam_ldap module:
Configuring PAM to Use LDAP server_policy
To configure PAM to use LDAP server_policy, follow the sample in Example
pam_conf file for pam_ldap Configured for Account
Management <http://docs.sun.com/app/docs/doc/816-4556/schemas-250?a=view>.
Add the lines that contain pam_ldap.so.1 to the client's /etc/pam.conf file.
In addition, if any PAM module in the sample pam.conf file specifies the
binding flag and the server_policy option, use the same flag and option for
the corresponding module in the client's /etc/pam.conf file. Also, add the
server_policy option to the line that contains the service module
pam_authtok_store.so.1.
------------------------------
Note –
Previously, if you enabled pam_ldap account management, all users needed to
provide a login password for authentication any time they logged in to the
system. Therefore, nonpassword-based logins using tools such as rsh, rlogin,
or ssh would fail.
Now, however, pam_ldap(5) <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view>,
when used with Sun Java System Directory Servers DS5.2p4 and newer releases,
enables users to log in with rsh, rlogin, rcp and ssh without giving a
password.
pam_ldap(5) <http://docs.sun.com/app/docs/doc/816-5175/pam-ldap-5?a=view> is
now modified to perform account management and retrieve the account status
of users without authenticating to Directory Server as the user logging in.
The new control to this on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8,
which is enabled by default.
To modify this control for other than default, add Access Control
Instructions (ACI) on Directory Server:
dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable";
 allow (read, search, compare, proxy)
 (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
I wanted to know if there is a known working version of this for ssh
keys with account management for 389.
Specifically, is this OID control available for 389?
Thanks!
Chuck
13 years, 9 months
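The question at the end is whether 389 advertises this control at all; an LDAPv3 server lists the controls it supports in the root DSE's supportedControl attribute, which is what `ldapsearch -x -s base -b "" supportedControl` returns. The following offline check is an added example (not from the poster, Sun's documentation, or the 389 project): it unfolds LDIF continuation lines, collects the supportedControl values, and looks for the OID quoted above. The root DSE text is constructed; besides the page's OID it lists two well-known controls (paged results and ManageDsaIT) as filler.

```python
# Constructed root DSE excerpt, in the shape ldapsearch prints it. The folded
# second value exercises RFC 2849 continuation handling (leading single space).
SAMPLE_ROOT_DSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.42.2.27.9.5
 .8
supportedControl: 2.16.840.1.113730.3.4.2
"""

# The Sun "Password Policy Account Usable Request Control" OID from the post.
ACCOUNT_USABLE_OID = "1.3.6.1.4.1.42.2.27.9.5.8"


def ldif_values(ldif_text, attr):
    """Return every value of `attr` in one LDIF entry, after unfolding
    continuation lines; attribute names are matched case-insensitively."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of the previous line
        else:
            unfolded.append(raw)
    prefix = attr.lower() + ":"
    return [line[len(prefix):].strip()
            for line in unfolded if line.lower().startswith(prefix)]


def control_supported(ldif_text, oid=ACCOUNT_USABLE_OID):
    """True if the root DSE output lists `oid` among supportedControl."""
    return oid in ldif_values(ldif_text, "supportedControl")
```

Feed it the real output of the ldapsearch command above; an absent OID means the server does not implement the control, regardless of any ACI under cn=features,cn=config.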
Directory Server OID control for passwordless logins of Solaris Clients
by Charles Gilbert
Hi everyone,
I have been struggling with this one for a while.
In switching to 389, I am trying to figure out how to get my Solaris
clients working with account management and ssh keys. SunDS 5.? has
an oid control that allows for account management and ssh keys to
proceed with their server, and I was wondering if anyone has dealt with
something similar on 389. I would really prefer to use the
native ldap settings that come with Solaris.
Can you provide more information about this feature?
I hope I am not the only one that has ever had to deal with this. Please
help. This is a show stopper for deploying LDAP and is causing a lot of
problems for our project.
Thanks,
Chuck Gilbert
13 years, 9 months