How to set up 389 client
by Chaudhari, Rohit K.
Hello everyone,
How do I set up a 389 LDAP client to authenticate users against a 389 LDAP server? I don't have a trusted certificate authority (CA) but will create a self-signed CA that signs server certificates, and then put that self-signed CA as the trusted CA on the client side. Is there anything more specific or a guide on how to set this up out there? Thanks in advance.
Rohit
6 years, 11 months
Swap Master Hardware.
by Shardul Kerkar
Hi Folks,
I have recently been tasked with moving a single LDAP Master from a dying machine to a spanking new blade. After doing some research it appears to me that the optimum way to do this will be installing a fresh instance of the application on the new server, importing the database and then recreating and reinitializing all the hubs and replicas. The problem I face is that this workplace has a humongous LDAP database with 3 mil+ entries. Re-initialization is taking up to 3 hours in some cases. With 5 hubs and 20 replicas to reinitialize, the downtime is unacceptable to the client.
If I stop writes to the Master, then export the database to the new box and recreate the New-Master-Hub replication after removing the old Master, will I still need to re-initialize the hubs? Is there any way to do this swap without reinitializing, or fooling the hubs and reps into thinking that they are still talking to the same Master albeit on a new machine (same IP address/DNS)?
The client is still using ver. 1.1.2 on Centos 5.4
Thanks,
Shar Ker
6 years, 11 months
Bind localhost to 389, external IP to 636, fails with Local Network address is in use
by Graham Leggett
Hi all,
After updating the directory as follows in order to make 389ds listen to localhost:389 and external.ip.address:636 (with SSL), the server refuses to start complaining as follows:
[22/Dec/2012:09:32:26 +0000] createprlistensockets - PR_Bind() on 172.20.10.6 port 636 failed: Netscape Portable Runtime error -5982 (Local Network address is in use.)
I have checked, nothing is listening to port 636 before the server restart, so the most likely explanation is that 389ds is trying to bind to port 636 twice, and failing on the second go.
# set the IP address for unencrypted access
dn: cn=config
changetype: modify
replace: nsslapd-listenhost
nsslapd-listenhost: 127.0.0.1
# set the IP address for encrypted access
dn: cn=config
changetype: modify
replace: nsslapd-securelistenhost
nsslapd-securelistenhost: 172.20.10.6
Can anyone point out what I am doing wrong above?
Regards,
Graham
--
6 years, 11 months
Importing certificates during setup-ds.pl - is this possible?
by Graham Leggett
Hi all,
I am currently trying to script the setup of a directory using the ConfigFile entry within an INF file, and so far I've hit a snag.
In order to enable SSL on the directory, first I must use certutil to import the certificate to be used, otherwise the attempt to add the cn=RSA,cn=encryption,cn=config entry fails saying "No such object". If I set up the directory, then manually add the certificates, then manually enable SSL by adding the cn=RSA,cn=encryption,cn=config entry (and various other SSL related configs), it seems to work fine.
Is there some way of getting setup-ds.pl to import a given certificate (p12 file, whatever) when the server is set up, in addition to creating the initial certificate database within /etc/dirsrv/slapd-INSTANCE/?
Regards,
Graham
--
6 years, 11 months
Nested groups ldap to PAM
by Deas, Jim
I am about to upgrade our systems to the current version. One of my difficulties in the old version was the lack of nested groups.
Is there a way with the current software to create nested groups in openldap that will be seen properly by the Linux PAM module and Mac OS X?
Regards,
JD
6 years, 11 months
console X11 issue
by Doug Tucker
I got it installed with the epel. Thanks to Rich for that! Doing an ldapsearch on the base works, yea! I cannot launch the console though. When I try I get this:
/usr/bin/389-console -a http://localhost:9830
Exception in thread "main" java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:173)
at java.awt.Window.<init>(Window.java:477)
at java.awt.Frame.<init>(Frame.java:419)
at java.awt.Frame.<init>(Frame.java:384)
at javax.swing.JFrame.<init>(JFrame.java:174)
at com.netscape.management.client.console.Console.<init>(Unknown Source)
at com.netscape.management.client.console.Console.main(Unknown Source)
Googling reveals people not passing X through their ssh session. I am by ssh -X hostname. I have tried from 2 different X clients and get the same results. Any ideas?
--
Sincerely,
Doug Tucker
6 years, 11 months