Please help me to build my ldif file.
by Fosiul Alam
Hi, for the below search I get this:
ldapsearch -xZZ -D "cn=Directory Manager" -w 'testtest' -b "ou=users,l=uk,dc=fosiul,dc=lan" uidNumber=1000
# extended LDIF
#
# LDAPv3
# base <ou=users,l=uk,dc=fosiul,dc=lan> with scope subtree
# filter: uidNumber=1000
# requesting: ALL
#
# falam, users, UK, fosiul.lan
dn: uid=falam,ou=users,l=UK,dc=fosiul,dc=lan
givenName: Fosiul
sn: Alam
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 6000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: falam
cn: Fosiul Alam
homeDirectory: /home/falam
userPassword:: e1NTSEF9MSG1kOVcxdjFVUFVHMVA3eXI0dFQvZ2c9PQ==
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
Now I am trying to create an ldif file so that I can add an entry manually.
-----------------------------------------------------------------------------------------
adding a new user:
dn: uid=yalam,ou=users,l=UK,dc=fosiul,dc=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
# shadowAccount is required for the shadow* attributes at the end of the record
objectClass: shadowAccount
cn: Yafali Alam
# the uid value must be the same as the RDN value in the dn line (the original read "salam")
uid: yalam
uidNumber: 1001
gidNumber: 6000
homeDirectory: /home/yalam
loginShell: /bin/bash
gecos: Yafali Alam,Karate Instructor,Room 37A,435-555-555,801-555-555
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
But when I do this:
=======================================
ldapadd -xZZ -D "cn=Directory Manager,l=UK,dc=fosiul,dc=lan" -w testtest -f add.ldif
I get the below error:
ldap_bind: No such object (32)
matched DN: l=uk,dc=fosiul,dc=lan
Can anyone please help me to build the ldif?
Thanks
11 years, 8 months
What is the best way to add a new user and put him into a few groups?
by Fosiul Alam
Hi
I am very new to LDAP (Fedora Directory Server).
I need to develop a script to add a new user and put it into a few
groups automatically.
So I am wondering what would be the best way.
Putting the commands into a script should not be an issue.
The problem is what would be the best way:
shall I create an ldif first and then insert that ldif into LDAP?
My structure is like this:
cn=Directory Manager" -w 'testtest' -b "ou=users,l=uk,dc=fosiul,dc=lan"
Suppose I want to create an ldif for user John Smith;
how would the ldif look?
Thanks for your help
11 years, 8 months
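The two posts above ask for the same two things: an LDIF that adds a posixAccount under ou=users,l=UK,dc=fosiul,dc=lan, and a scripted way to put that user into several groups. The script below is an added example written for this page; it is not code from either post or from the 389 project. It assumes OpenLDAP client tools (the -x/-ZZ flags used in the posts), a group container ou=groups,l=UK,dc=fosiul,dc=lan holding posixGroup entries (the thread never shows one), the hostname ldap.fosiul.lan, and a mode-600 file holding the Directory Manager password; the function names, the group names and the DM_PW_FILE variable are illustration only. Two details it makes explicit: the bind DN for Directory Manager is the bare cn=Directory Manager, exactly as the working ldapsearch in the first post uses it ("cn=Directory Manager,l=UK,..." is not an entry under the suffix, which is what "No such object (32)" with a matched DN of l=uk,dc=fosiul,dc=lan reports), and the uid value inside the record must equal the RDN value in the dn line, so the record is checked for that before anything is sent.

```shell
#!/bin/sh
# Added example (not from the original posts or from 389 DS): build the LDIF
# for a new posixAccount, sanity-check it, and add the user to posixGroup
# entries with ldapmodify. The group container, group names, hostname and
# password file path are assumptions for illustration.

BASE='l=UK,dc=fosiul,dc=lan'
USERS_OU="ou=users,$BASE"
GROUPS_OU="ou=groups,$BASE"               # assumed; the thread does not show it
LDAP_URI='ldap://ldap.fosiul.lan'         # assumed hostname
BIND_DN='cn=Directory Manager'            # the bare root DN, not one under the suffix
PW_FILE="${DM_PW_FILE:-/root/.dirmgr-pw}" # mode 600; keeps the password off the command line

# user_ldif UID UIDNUMBER GIDNUMBER GIVENNAME SURNAME
# Emits one LDIF add record. userPassword is left out on purpose: set it
# afterwards with ldappasswd so the server hashes it and it never sits in
# a script or in shell history.
user_ldif() {
    uid=$1 uidnum=$2 gidnum=$3 given=$4 sn=$5
    cat <<EOF
dn: uid=$uid,$USERS_OU
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $given $sn
givenName: $given
sn: $sn
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$uid
loginShell: /bin/bash
gecos: $given $sn
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7

EOF
}

# rdn_matches LDIF_TEXT: returns 0 when the value in "dn: uid=X,..." also
# appears as "uid: X" in the record. A mismatch (dn says yalam, uid says
# salam) is rejected by the server, so catch it before binding.
rdn_matches() {
    rdn=$(printf '%s\n' "$1" | sed -n 's/^dn: uid=\([^,]*\),.*/\1/p')
    [ -n "$rdn" ] && printf '%s\n' "$1" | grep -qxF -- "uid: $rdn"
}

# group_add_ldif UID GROUP...: one ldapmodify change record per group,
# adding the uid as memberUid of a posixGroup. For groupOfUniqueNames
# groups use "add: uniqueMember" with the user's full DN instead.
group_add_ldif() {
    uid=$1; shift
    for g in "$@"; do
        cat <<EOF
dn: cn=$g,$GROUPS_OU
changetype: modify
add: memberUid
memberUid: $uid

EOF
    done
}

# add_user UID UIDNUMBER GIDNUMBER GIVENNAME SURNAME GROUP...
add_user() {
    record=$(user_ldif "$1" "$2" "$3" "$4" "$5")
    rdn_matches "$record" || { echo "RDN/uid mismatch in record" >&2; return 1; }
    uid=$1; shift 5
    printf '%s\n' "$record" | ldapadd -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" || return 1
    # -c: keep going if the user is already a memberUid of one group (error 20)
    group_add_ldif "$uid" "$@" | ldapmodify -x -ZZ -c -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE"
}

# Only touches the server when run as:
#   ./adduser.sh --apply jsmith 1002 6000 John Smith developers staff
if [ "${1:-}" = "--apply" ]; then shift; add_user "$@"; fi
```

Without --apply the script only defines the functions, so `user_ldif jsmith 1002 6000 John Smith` can be used to print the record and review it first. After the add, `ldappasswd -x -ZZ -H ldap://ldap.fosiul.lan -D 'cn=Directory Manager' -y /root/.dirmgr-pw -S uid=jsmith,ou=users,l=UK,dc=fosiul,dc=lan` sets the password through the password-modify operation, which lets the server apply its own storage scheme instead of a hand-built {crypt} value.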
dirsrv-admin: Failed to install a local copy of 389-admin-1.1.jar or one of its supporting files
by Arnold Werschky
Finally got the 389 server running over SSL....but some things had to be
manually configured.
Now I'm able to connect over the 389-console, but when I click on the
Administration Server I get this error.
Same error on the Directory Server.
The rpms for console and admin are installed.
I ran setup-ds-admin.pl -u as suggested in an earlier thread, and that
didn't help.
Any ideas?
Thanks!
11 years, 8 months
Re: [389-users] dirsrv-admin startup issues with SSL/TLS configuration [solved]
by Arnold Werschky
This issue was solved with a total reinstall. I believe I had messed up
the configuration somehow with trying to install multiple times.
In addition, the script should not be corrected, as it worked just fine.
Thank you very much for your assistance, and patience.
On Wed, Aug 1, 2012 at 1:12 PM, Rich Megginson <rmeggins(a)redhat.com> wrote:
> On 08/01/2012 10:27 AM, Arnold Werschky wrote:
>
> As an aside, I can get rid of the errors on the setupssl2.sh script by
> making the following change...but I don't know if it's a change I should be
> making.
>
> Yes, that looks correct. Not sure when/how that was broken.
>
>
> [root@ldap ~]# diff setupssl2.sh setupssl2.sh.orig
> 185c185
> < pk12util -d $secdir -n server-cert -i $secdir/adminserver.p12 -w
> $secdir/pwdfile.txt -k $secdir/pwdfile.txt
> ---
> > pk12util -d $assecdir -n server-cert -i $secdir/adminserver.p12 -w
> $secdir/pwdfile.txt -k $secdir/pwdfile.txt
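Review bot: the edited line (`<`) changes only the target database, `-d $assecdir` to `-d $secdir`, while the `-w` and `-k` password file stays `$secdir/pwdfile.txt`, so the pk12util "security password entered is incorrect" error disappears only because the database and the password file now come from the same directory. This is the step the script prints as "Importing the admin server key and cert (created above)"; with the change, that import lands in the directory server's database and the admin server's own database (`$assecdir`, presumably the /etc/dirsrv/admin-serv that the admin server later reports for "NSS initialization failed" and "Password for slot internal is incorrect") never receives the certificate, which matches the admin server still failing to start. The underlying problem the diff hides is that the admin-serv cert8.db/key3.db password does not agree with `$secdir/pwdfile.txt`; suggest keeping `-d $assecdir` and bringing the admin server database password into line with the password file the script uses (the later note in this thread that the unmodified script "worked just fine" after a clean reinstall points the same way).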
>
> *********************************************************************
> results of commands requested:
> *********************************************************************
> [root@ldap ~]# ls -al /etc/dirsrv/slapd-*
> total 472
> drwxrwx--- 3 ldap ldap 4096 Jul 31 15:01 .
> drwxrwxr-x 7 root ldap 4096 Jul 31 14:03 ..
> -r-------- 1 ldap ldap 2114 Jul 31 14:36 adminserver.p12
> -rw-r--r-- 1 ldap root 647 Jul 31 14:36 cacert.asc
> -rw------- 1 ldap ldap 65536 Jul 31 16:23 cert8.db
> -r--r----- 1 ldap ldap 3595 Jul 31 13:19 certmap.conf
> -rw------- 1 ldap ldap 71692 Jul 31 15:01 dse.ldif
> -rw------- 1 ldap ldap 71174 Jul 31 15:01 dse.ldif.bak
> -rw------- 1 ldap ldap 71917 Jul 31 15:00 dse.ldif.startOK
> -r--r----- 1 ldap ldap 32836 Jul 31 13:19 dse_original.ldif
> -rw------- 1 ldap ldap 16384 Jul 31 16:23 key3.db
> -r-------- 1 ldap ldap 41 Jul 31 14:36 noise.txt
> -rw-rw---- 1 ldap ldap 65536 Jul 31 15:00 orig-cert8.db
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:00 orig-key3.db
> -r-------- 1 ldap ldap 67 Jul 31 14:36 pin.txt
> -r-------- 1 ldap ldap 41 Jul 31 14:36 pwdfile.txt
> drwxrwx--- 2 ldap ldap 4096 Jul 31 15:01 schema
> -rw-rw---- 1 ldap ldap 16384 Jul 31 15:01 secmod.db
> -r--r----- 1 ldap ldap 5366 Jul 31 13:19 slapd-collations.conf
> [root@ldap ~]# ls -al /etc/dirsrv/admin-serv
> total 196
> drwx------ 2 ldap root 4096 Jul 31 15:27 .
> drwxrwxr-x 7 root ldap 4096 Jul 31 14:03 ..
> -rw------- 1 ldap ldap 498 Jul 31 14:36 adm.conf
> -rw------- 1 ldap root 40 Jul 31 13:19 admpw
> -rw-r--r-- 1 root root 3936 Mar 27 08:33 admserv.conf
> -rw------- 1 ldap root 65536 Jul 31 16:05 cert8.db
> -rw------- 1 ldap ldap 4467 Jul 31 14:36 console.conf
> -rw------- 1 ldap root 4467 Jul 27 18:42 console.conf.rpmsave
> -rw-r--r-- 1 root root 26302 Mar 27 08:33 httpd.conf
> -rw------- 1 ldap root 16384 Jul 31 16:05 key3.db
> -rw------- 1 ldap root 13343 Jul 31 13:19 local.conf
> -r-------- 1 ldap ldap 4535 Jul 31 14:36 nss.conf
> -rw------- 1 ldap root 4535 Jul 27 16:20 nss.conf.rpmsave
> -rw------- 1 ldap root 50 Jul 31 15:27 password.conf
> -rw------- 1 ldap root 16384 Jul 27 14:21 secmod.db
>
> On Wed, Aug 1, 2012 at 10:17 AM, Rich Megginson <rmeggins(a)redhat.com>wrote:
>
>> On 08/01/2012 08:17 AM, Arnold Werschky wrote:
>>
>> Good morning,
>>
>> I'm trying to set up a new install LDAP server with self signed TLS/SSL
>> on CentOS 6.2
>>
>> My install using setup-ds-admin.pl was typical, and I was able to login
>> to the 389-Console after installation.
>>
>> At that point I downloaded the script from richm :
>> https://github.com/richm/scripts/blob/master/setupssl2.sh
>>
>> I received two errors during its run (full output is at the bottom).
>>
>> pk12util: Failed to authenticate to PKCS11 slot: The security password
>> entered is incorrect.
>> pk12util: Failed to authenticate to "NSS User Private Key and Certificate
>> Services": The user pressed cancel.
>>
>>
>> start-ds-admin now fails to start, with the following error messages in
>> /var/log/dirsrv/admin-serv/error
>>
>> [Tue Jul 31 16:34:09 2012] [error] Password for slot internal is
>> incorrect.
>> [Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate
>> database: /etc/dirsrv/admin-serv.
>> [Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security
>> password entered is incorrect:
>>
>>
>> I've searched for the SSL Library error to no avail. If anyone can
>> give me a starting point I'd appreciate it.
>>
>>
>>
>> ***************************************************************************
>> setupssl2.sh output
>> ***************************************************************************
>>
>> Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
>> No CA certificate found - will create new one
>> No Server Cert found - will create new one
>> No Admin Server Cert found - will create new one
>> Creating password file for security token
>> Creating noise file
>> Creating new key and cert db
>> Creating encryption key for CA
>>
>>
>> Generating key. This may take a few moments...
>>
>> Creating self-signed CA certificate
>>
>>
>> Generating key. This may take a few moments...
>>
>> Is this a CA certificate [y/N]?
>> Enter the path length constraint, enter to skip [<0 for unlimited path]:
>> > Is this a critical extension [y/N]?
>> Exporting the CA certificate to cacert.asc
>> Generating server certificate for 389 Directory Server on host
>> ldap.xxxxx.com
>> Using fully qualified hostname ldap.xxxxx.com for the server name in the
>> server cert subject DN
>> Note: If you do not want to use this hostname, edit this script to change
>> myhost to the
>> real hostname you want to use
>>
>>
>> Generating key. This may take a few moments...
>>
>> Creating the admin server certificate
>>
>>
>> Generating key. This may take a few moments...
>>
>> Exporting the admin server certificate pk12 file
>> pk12util: PKCS12 EXPORT SUCCESSFUL
>> Creating pin file for directory server
>> Importing the admin server key and cert (created above)
>> Incorrect password/PIN entered.
>> pk12util: Failed to authenticate to PKCS11 slot: The security password
>> entered is incorrect.
>> pk12util: Failed to authenticate to "NSS User Private Key and Certificate
>> Services": The user pressed cancel.
>>
>> Hmm - this is really strange.
>> ls -al /etc/dirsrv/slapd-*
>> ls -al /etc/dirsrv/admin-serv
>>
>> Importing the CA certificate from cacert.asc
>> Enabling the use of a password file in admin server
>> Turning on NSSEngine
>> Use ldaps for config ds connections
>> Enabling SSL in the directory server
>> when prompted, provide the directory manager password
>> Password:modifying entry "cn=encryption,cn=config"
>>
>> modifying entry "cn=config"
>>
>> adding new entry "cn=RSA,cn=encryption,cn=config"
>>
>> Enabling SSL in the admin server
>> modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server
>> Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
>>
>> modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389
>> Administration Server,cn=Server Group,cn=ldap.xxxxx.com
>> ,ou=xxxxx,o=NetscapeRoot"
>>
>> Done. You must restart the directory server and the admin server for
>> the changes to take effect.
>>
>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>>
>
>
11 years, 8 months
Sync additional Windows attributes
by Chris Visser
Hi guys,
Thanks for the help previously with syncing OUs recursively from Windows.
Right now however I've hit another snag. I would like to sync the Windows attribute called msExchMailboxGuid to my 389-DS.
After doing some research I found that it's a single-value octet string and created a user-defined attribute.
From my 99user.ldif file:
<SNIP>
attributeTypes: ( msExchMailboxGuid-oid NAME 'msExchMailboxGuid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'user defined' )
I hoped that the same logic as with the OUs would apply, if it exists it'll be populated. Unfortunately this isn't true.
The documentation I read on docs.redhat.com shows me how Windows attributes are mapped locally, but not how to sync additional attributes.
Anywhere else to look? Tips?
Chris Visser
Linux/Network Infrastructure
11 years, 8 months
problem with starting second instance
by Vlad
Hello,
I have (IMO) a very strange problem with starting a second instance of
directory server with SSL enabled (without SSL this instance starts
perfectly fine). The error is
createprlistensockets - PR_Bind() on All Interfaces port 1636 failed: Netscape Portable Runtime error -5966 (Access Denied.)
With strace I see the following (successful bind to port 1389, but permission denied for SSL port 1636):
[pid 6698] bind(6, {sa_family=AF_INET6, sin6_port=htons(1389), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
[pid 6698] socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 7
[pid 6698] fcntl(7, F_GETFL) = 0x2 (flags O_RDWR)
[pid 6698] fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0
[pid 6698] setsockopt(7, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
[pid 6698] bind(7, {sa_family=AF_INET6, sin6_port=htons(1636), inet_pton(AF_INET6, "::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EACCES (Permission denied)
I'm out of ideas and appreciate any thoughts.
Regards,
Vlad.
P.S. OS is CentOS 6.2.
11 years, 8 months
dirsrv-admin startup issues with SSL/TLS configuration
by Arnold Werschky
Good morning,
I'm trying to set up a new install LDAP server with self signed TLS/SSL on
CentOS 6.2
My install using setup-ds-admin.pl was typical, and I was able to login to
the 389-Console after installation.
At that point I downloaded the script from richm :
https://github.com/richm/scripts/blob/master/setupssl2.sh
I received two errors during its run (full output is at the bottom).
pk12util: Failed to authenticate to PKCS11 slot: The security password
entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate
Services": The user pressed cancel.
start-ds-admin now fails to start, with the following error messages in
/var/log/dirsrv/admin-serv/error
[Tue Jul 31 16:34:09 2012] [error] Password for slot internal is incorrect.
[Tue Jul 31 16:34:09 2012] [error] NSS initialization failed. Certificate
database: /etc/dirsrv/admin-serv.
[Tue Jul 31 16:34:09 2012] [error] SSL Library Error: -8177 The security
password entered is incorrect:
I've searched for the SSL Library error to no avail. If anyone can give me
a starting point I'd appreciate it.
***************************************************************************
setupssl2.sh output
***************************************************************************
Using /etc/dirsrv/slapd-ldap-xxxxx as sec directory
No CA certificate found - will create new one
No Server Cert found - will create new one
No Admin Server Cert found - will create new one
Creating password file for security token
Creating noise file
Creating new key and cert db
Creating encryption key for CA
Generating key. This may take a few moments...
Creating self-signed CA certificate
Generating key. This may take a few moments...
Is this a CA certificate [y/N]?
Enter the path length constraint, enter to skip [<0 for unlimited path]: >
Is this a critical extension [y/N]?
Exporting the CA certificate to cacert.asc
Generating server certificate for 389 Directory Server on host
ldap.xxxxx.com
Using fully qualified hostname ldap.xxxxx.com for the server name in the
server cert subject DN
Note: If you do not want to use this hostname, edit this script to change
myhost to the
real hostname you want to use
Generating key. This may take a few moments...
Creating the admin server certificate
Generating key. This may take a few moments...
Exporting the admin server certificate pk12 file
pk12util: PKCS12 EXPORT SUCCESSFUL
Creating pin file for directory server
Importing the admin server key and cert (created above)
Incorrect password/PIN entered.
pk12util: Failed to authenticate to PKCS11 slot: The security password
entered is incorrect.
pk12util: Failed to authenticate to "NSS User Private Key and Certificate
Services": The user pressed cancel.
Importing the CA certificate from cacert.asc
Enabling the use of a password file in admin server
Turning on NSSEngine
Use ldaps for config ds connections
Enabling SSL in the directory server
when prompted, provide the directory manager password
Password:modifying entry "cn=encryption,cn=config"
modifying entry "cn=config"
adding new entry "cn=RSA,cn=encryption,cn=config"
Enabling SSL in the admin server
modifying entry "cn=slapd-ldap-xxxxx,cn=389 Directory Server,cn=Server
Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
modifying entry "cn=configuration,cn=admin-serv-ldap,cn=389 Administration
Server,cn=Server Group,cn=ldap.xxxxx.com,ou=xxxxx,o=NetscapeRoot"
Done. You must restart the directory server and the admin server for the
changes to take effect.
11 years, 8 months
Directory server not restarting
by Craig T
Hi All,
Spec:
Redhat Enterprise Linux 6.3 x64
- ipa-server-2.2.0-16.el6.x86_64
- 389-ds-base-1.2.10.2-18.el6_3.x86_64
- 389-ds-base-libs-1.2.10.2-18.el6_3.x86_64
We had a simple (but quite dramatic) issue the other day. Our backup
script simply does a cold backup of the 389 Directory Server, however
this time it didn't start back up.
[31/Jul/2012:02:00:38 +1000] - slapd stopped.
[31/Jul/2012:02:00:43 +1000] createprlistensockets - PR_Bind() on All
Interfaces port 636 failed: Netscape Portable Runtime error -5982 (Local
Network address is in use.)
Is there any way to work out why this happened?
When I did a manual restart in the morning it was fine. The backups even
worked perfectly last night too. Sounds like a bug in the ipa shutdown
script?
cya
Craig
11 years, 8 months