windows 7/xp log in directory server
by Jon Colás Gómez
Do Windows clients need any special software to log in to the directory server?
Someone told me that they don't need any special software.
how does it make?
sorry for my english
greetings and thanks
12 years, 10 months
logconv.pl does not accept start End dates
by Prashanth Sundaram
All,
When I run this I don't get any usable output (empty template shows up). But
when I don't specify dates, it just works.
$ logconv.pl -S "[04/Apr/2010:15:00:00 -0400]" -E "[04/May/2010:15:00:00 -0400]" -V /var/log/dirsrv/slapd-poe111/access*
Access Log Analyzer 6.0
Command : logconv.pl -S [04/Apr/2010:15:00:00 -0400] -E
[04/May/2010:15:00:00 -0400] -V /var/log/dirsrv/slapd-poe111/access
/var/log/dirsrv/slapd-poe111/access.20100414-154711
The help menu has this syntax. Not sure what I am doing wrong.
./logconv.pl -S "[28/Mar/2002:13:14:22 -0800]" -E "[28/Mar/2002:13:50:05 -0800]" -e access
Any help is very much appreciated.
Thanks,
Prashanth
12 years, 10 months
Bad Ber tag encountered and IO block timeout logconv.pl
by Prashanth Sundaram
Hello all,
We have been experiencing some ldap timeout errors in a multi-master setup.
My setup looks close to this one but there is _NO_ M32 and M41, i.e. consumers
don't replicate to masters
http://www.redhat.com/docs/manuals/dir-server/8.1/deploy/Deployment_Guide-Designing_the_Replication_Process-Common_Replication_Scenarios.html#Deployment_Guide-Multi_Master_Replication-Multi_Master_Replication_Configuration_A_Four_Suppliers
* 2 Supplier servers with multi-master setup between the two.
* 2 consumer servers with multi-master setup between the two.
* Each supplier server has replication setup to each of the two consumer
servers.(for redundancy)
* M1 & M2 authenticate users via PAM-PTA plugin to Active Directory.
* M3 & M4 use PTA plugin via SSL to authenticate via M1 & M2 in a redundant
fashion.
BIGGEST ISSUE: Clients connecting to M3 and M4 are having "pam_ldap:
ldap_result Timed out" error. Any ideas, how we can improve/fix this?
Configuration:
nsslapd-sizelimit: 16384
nsslapd-idletimeout: 7200
nsslapd-maxbersize: 0
Q1. Should I increase my nsslapd-maxbersize?
Q2. How do I restrict the ldap clients to bind only using LDAP v3? (I
remember reading it somewhere)
LDAP v2 Binds: 1006
LDAP v3 Binds: 9324
Q3. I use "uniquemember" as group membership attribute, but logs show
filters like this. As far as I know, we don't have any hard coded filters on
any hosts. How to remove filter like this.
(|(member=uid=kcapell,ou=people,dc=domain,dc=com)(uniquemember=uid=kcapell,ou=people,dc=domain,dc=com)(memberuid=kcapell))
I ran logconv.pl on M2 and here is what I found
============================================================================
B1 75045 Bad Ber Tag Encountered
U1 13456 Cleanly Closed Connections
T2 160 IO Block Timeout Exceeded or NTSSL Timeout
T1 22 Idle Timeout Exceeded
69409 10.1.1.2 [ M1 ]
37611 - B1 Bad Ber Tag Encountered
3968 - U1 Cleanly Closed Connections
160 - T2 IO Block Timeout Exceeded or NTSSL Timeout
55326 10.1.1.3 [ M2 ]
27886 - B1 Bad Ber Tag Encountered
7 - U1 Cleanly Closed Connections
18096 10.1.0.7 [old ldap server which was using pen-ldap to pass
connection during migration ]
9531 - B1 Bad Ber Tag Encountered
8564 - U1 Cleanly Closed Connections
26 10.101.1.16 [ M3 ]
20 - T1 Idle Timeout Exceeded
1 - B1 Bad Ber Tag Encountered
* Unknown Host
16 - B1 Bad Ber Tag Encountered
13 - U1 Cleanly Closed Connections
2 - T1 Idle Timeout Exceeded
1. You have unindexed searches, this can be caused from a search on an
unindexed attribute, or your returned results exceeded the allidsthreshold.
Unindexed searches are not recommended. To refuse unindexed searches, switch
'nsslapd-require-index' to 'on' under your database entry (e.g.
cn=UserRoot,cn=ldbm database,cn=plugins,cn=config).
2. You have some connections that are are being closed by the idletimeout
setting. You may want to increase the idletimeout if it is set low.
3. You have some coonections that are being closed by the ioblocktimeout
setting. You may want to increase the ioblocktimeout.
4. You have a significant difference between binds and unbinds. You may
want to investigate this difference.
5. You have more abnormal connection codes than cleanly closed
connections. You may want to investigate this difference.
===============================================================
12 years, 10 months
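Added example (not part of the post above, and not logconv.pl's own code): a per-client tally of connection close codes and LDAP bind versions from 389 DS access-log lines, which is the breakdown needed to see which hosts produce the B1/T2 closes and the LDAP v2 binds asked about in Q2. The sample lines and addresses are constructed, and the assumed line layout is the usual access-log form (`connection from IP to IP`, `BIND ... version=N`, `closed - CODE`).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the 389 DS access-log layout (not taken from the post).
SAMPLE = """\
[04/May/2010:15:00:01 -0400] conn=11 fd=64 slot=64 connection from 10.1.1.2 to 10.1.1.3
[04/May/2010:15:00:01 -0400] conn=11 op=0 BIND dn="uid=a,ou=people,dc=domain,dc=com" method=128 version=3
[04/May/2010:15:00:01 -0400] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[04/May/2010:15:00:02 -0400] conn=12 fd=65 slot=65 connection from 10.1.0.7 to 10.1.1.3
[04/May/2010:15:00:02 -0400] conn=12 op=0 BIND dn="" method=128 version=2
[04/May/2010:15:00:03 -0400] conn=11 op=-1 fd=64 closed - B1
[04/May/2010:15:00:04 -0400] conn=12 op=1 UNBIND
[04/May/2010:15:00:04 -0400] conn=12 op=1 fd=65 closed - U1
[04/May/2010:15:00:05 -0400] conn=13 fd=66 slot=66 connection from 10.1.1.2 to 10.1.1.3
[04/May/2010:15:09:05 -0400] conn=13 op=-1 fd=66 closed - T2
[04/May/2010:15:09:06 -0400] conn=9 op=-1 fd=60 closed - B1
"""

CONN_RE = re.compile(r"conn=(\d+) .*connection from (\S+) to ")
BIND_RE = re.compile(r"conn=(\d+) op=\d+ BIND .*\bversion=(\d+)")
CLOSE_RE = re.compile(r"conn=(\d+) op=-?\d+ fd=\d+ closed - (\w+)")
UNKNOWN = "Unknown Host"  # connection opened before this log file started

def summarize(lines):
    """Return (close codes per client IP, bind versions per client IP)."""
    conn_ip = {}                      # conn number -> client IP
    closes = defaultdict(Counter)
    binds = defaultdict(Counter)
    for line in lines:
        if m := CONN_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            binds[conn_ip.get(m.group(1), UNKNOWN)]["v" + m.group(2)] += 1
        elif m := CLOSE_RE.search(line):
            # pop: conn numbers restart after a server restart, so forget closed ones
            closes[conn_ip.pop(m.group(1), UNKNOWN)][m.group(2)] += 1
    return closes, binds

def v2_clients(binds):
    """Client IPs that performed at least one LDAP v2 bind."""
    return sorted(ip for ip, c in binds.items() if c["v2"])

if __name__ == "__main__":
    closes, binds = summarize(SAMPLE.splitlines())
    for ip, codes in closes.items():
        print(ip, dict(codes))
    print("LDAPv2 bind sources:", v2_clients(binds))
```
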
getent group doesn't show any ldap groups
by Rick Dicaire
Hi folks...I've created a group, named it guitar. I execute getent
group guitar, and nothing returns.
I added a user, and added the user to this group. I execute getent
passwd username, and the uid and gid I set shows, not the group name I
added the user to.
graz:*:1200:1200:graz:/home/graz:/bin/bash
id user shows
uid=1200(graz) gid=1200 groups=1200
Why doesn't the group I'd added the user to show?
--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
12 years, 10 months
sync Active Directory Computer Accounts to 389?
by Gregory A Fuller
I have Windows Active Directory to 389 Directory Server synchronization working. I can create an account in AD and it gets synced to the 389 LDAP server and the password is synced also. This only works for "User" accounts in Active Directory though.
Is there a way that I can sync my Active Directory "machine trust" accounts from AD to the 389 directory server? A machine trust account is just a user account that is a computer from what I can tell. I'm looking to get the computer username and password that is set in Active Directory into the 389 server so I can do machine based RADIUS authentication directly against the 389 LDAP server rather than directly through Active Directory.
Is it possible to sync the computer accounts from AD->389? Any ideas?
--greg
Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
12 years, 10 months
setup-ds-admin.pl fails to create the configuration directory server
by Rick Dicaire
Hi folks new to the list.
Fedora 12 i386
DS info:
Name : 389-ds
Arch : noarch
Version : 1.1.3
Release : 5.fc12
Upon running setup-ds-admin.pl -ddd, it errors out at the end:
Your new DS instance 'ws' was successfully created.
Creating the configuration directory server . . .
Error: failed to open an LDAP connection to host 'ws.int.kritek.net'
port '389' as user 'cn=Directory Manager'. Error: unknown.
Failed to create the configuration directory server
Exiting . . .
Log file is '/tmp/setupSjpStD.log'
The log file shows no indication of why this fails.
lsof -i:389
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ns-slapd 30155 nobody 6u IPv6 5218169 0t0 TCP *:ldap (LISTEN)
telnet ws 389
Trying 192.168.1.2...
telnet: connect to address 192.168.1.2: Connection refused
I don't understand why this instance of DS, started by
setup-ds-admin.pl, is listening ONLY on an ipv6 socket either.
In any case, how can I get setup-ds-admin.pl to complete its configuration?
Thanks
--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
12 years, 10 months
web account manager
by Maurizio Marini
I have many fds+samba as pdc installations.
All my customers ask me how to manage domain accounts using an easy tool,
instead of sshing into fds and using smbldap tools.
What are u using?
Is LAM able to add and modify ldap+samba accounts without pains?
tia
Maurizio
12 years, 10 months
Re: [389-users] 389-users Digest, Vol 60, Issue 2
by Robert Ludvik
On 03. 05. 2010 14:00, 389-users-request(a)lists.fedoraproject.org wrote:
> Date: Mon, 3 May 2010 11:00:16 +0200
> From:maumar@cost.it
> Subject: [389-users] web account manager
> To: "General discussion list for the 389 Directory server project."
> <389-users(a)lists.fedoraproject.org>
> Message-ID:<201005031100.17067.maumar(a)cost.it>
> Content-Type: text/plain; charset="us-ascii"
>
> I have many fds+samba as pdc installations.
> All my customers ask me how to manage domain accounts using an easy tool,
> instead of sshing into fds and using smbldap tools.
>
> What are u using?
> Is LAM able to add and modify ldap+samba accounts without pains?
>
> tia
>
> Maurizio
>
We use LDAPAdmin (runs on Windows) for this.
http://ldapadmin.sourceforge.net/, look for some templates which can
ease your management.
Regards
Robert Ludvik
12 years, 10 months