Can an admin server manage remote directory servers?
by Orion Poplawski
Can an admin server manage remote directory servers? The docs always seem to
refer to running an admin server alongside the directory server, but in the
case of running a slave directory server, it would be nice to be able to
manage that from the admin server on our main directory server machine. Is
that possible?
Also, should the instance name of the slave server be different than the
instance name of the primary server? It doesn't seem to be a requirement, and
I'm not sure what is more or less confusing.
Thanks!
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
10 years, 6 months
SSL - Multiple Server Certs
by Tom Tucker
I have two 389 servers and a RHEL 6 sssd configured client. LDAP and LDAPS
authentication is working against these identical DS. My question is
centered around client-side certificate handling.
Is it possible to reference multiple server certs from
/etc/openldap/cacerts? For example, if my primary server devldaps4901 is
unreachable connect to devldap4902 using its cert located in
/etc/openldap/cacerts (see below)?
I am able to fail over manually if I delete the ee8c0644.0 hash and
recreate it pointing to devldaps4902 along with an sssd restart. Am I
missing something obvious here or is my approach all wrong?
Thank you,
Rich,
Thanks for the setupssl2.sh script. It worked great!
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://devldaps4901.autotrader.com,ldaps://devldaps4902.autotrader.com
[root@rhel6-client cacerts]# ls -l
total 8
-rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4901.asc
-rw-r--r--. 1 root root 647 Sep 8 16:02 devldaps4902.asc
lrwxrwxrwx. 1 root root 16 Sep 8 19:13 ee8c0644.0 -> devldaps4901.asc
lrwxrwxrwx. 1 root root 16 Sep 8 19:13 ee8c0644.1 -> devldaps4902.asc
10 years, 6 months
Version equivalence between 389 Directory Server and Red Hat Directory Server
by Juan Asensio Sánchez
Hi
Is there any document where I could find the version equivalence
between 389 Directory Server and Red Hat Directory Server? Most of the
documentation is in Red Hat Docs, but I don't know which version
should I see... I use 389DS 1.2.5, so which documentation version
should I read, 8.1, 8.2, 9.0?
Regards.
10 years, 6 months
Announcing 389 Directory Server version 1.2.11.14 Testing
by Rich Megginson
The 389 Project team is pleased to announce the release of
389-ds-base-1.2.11.14 for Testing. This release fixes a bug with
CLEANALLRUV and winsync, and a race condition in the replication
consumer extop code.
The new packages and versions are:
389-ds-base 1.2.11.14
NOTE: 1.2.11 will not be available for Fedora 16 or earlier, nor for EL6
or earlier - 1.2.11 will only be available for Fedora 17 and later. We
are trying to stabilize current, stable releases - upgrades to 1.2.11
will disrupt stability.
Installation
yum install 389-ds --enablerepo=updates-testing
# or for EPEL
yum install 389-ds --enablerepo=epel-testing
setup-ds-admin.pl
Upgrade
yum upgrade 389-ds-base --enablerepo=updates-testing
# or for EPEL
yum upgrade 389-ds-base --enablerepo=epel-testing
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system.
1. Go to https://admin.fedoraproject.org/updates
2. In the Search box in the upper right hand corner, type in the name of the package
3. In the list, find the version and release you are using (if you're not sure, use rpm -qi <package name> on your system) and click on the release
4. On the page for the update, scroll down to "Add a comment" and provide your input
Or just send us an email to 389-users(a)lists.fedoraproject.org
Reporting Bugs
If you find a bug, or would like to see a new feature, use the 389 Trac
- https://fedorahosted.org/389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
10 years, 6 months
Expired password still allows samba login
by David Hoskinson
We have discovered that if a 389 LDAP account expires due to age, the user can still use 389 authentication to log in to our samba setup. I have set back in time the passwordexpirationtime and sambapwdlastset variables to see if this blocks access. It does deny LDAP login, but samba can still access for the same account. Is there something we are missing in our schema in 389 or smb.conf file that will force samba to use the expiration date?
Our system levels are Oracle Linux 5.5
389 Files
389-ds-base-1.2.8.3-1.el5
389-ds-console-doc-1.2.5-1.el5
389-ds-base-libs-1.2.8.3-1.el5
389-adminutil-1.1.13-1.el5
389-ds-console-1.2.5-1.el5
389-admin-console-1.1.7-1.el5
389-console-1.1.4-1.el5
389-ds-1.2.1-1.el5
389-admin-1.1.16-1.el5
389-admin-console-doc-1.1.7-1.el5
389-dsgw-1.1.6-1.el5
Samba Files on remote server
samba3-utils-3.6.3-44.el5
samba3-3.6.3-44.el5
samba3-client-3.6.3-44.el5
Thank you for your guidance...
David Hoskinson | DATATRAK
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.319.471.3689 (m)
david.hoskinson(a)datatrak.net | www.datatrak.net
10 years, 6 months
Announcing 389 Directory Server version 1.2.11.13 Testing
by Rich Megginson
The 389 Project team is pleased to announce the release of
389-ds-base-1.2.11.13 for Testing. This release fixes a bug found
during upgrade with the POSIX Windows Sync plugin.
The new packages and versions are:
389-ds-base 1.2.11.13
NOTE: 1.2.11 will not be available for Fedora 16 or earlier, nor for EL6
or earlier - 1.2.11 will only be available for Fedora 17 and later. We
are trying to stabilize current, stable releases - upgrades to 1.2.11
will disrupt stability.
Installation
yum install 389-ds --enablerepo=updates-testing
# or for EPEL
yum install 389-ds --enablerepo=epel-testing
setup-ds-admin.pl
Upgrade
yum upgrade 389-ds-base --enablerepo=updates-testing
# or for EPEL
yum upgrade 389-ds-base --enablerepo=epel-testing
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system.
1. Go to https://admin.fedoraproject.org/updates
2. In the Search box in the upper right hand corner, type in the name of the package
3. In the list, find the version and release you are using (if you're not sure, use rpm -qi <package name> on your system) and click on the release
4. On the page for the update, scroll down to "Add a comment" and provide your input
Or just send us an email to 389-users(a)lists.fedoraproject.org
Reporting Bugs
If you find a bug, or would like to see a new feature, use the 389 Trac
- https://fedorahosted.org/389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
10 years, 6 months
Re: [389-users] Announcing 389 Directory Server version 1.2.11.12 Testing
by Carsten Grzemba
Perhaps Redhat has removed too much? I have not found a better document, but in:
http://docs.oracle.com/cd/E19099-01/nscp.dirsvr416/816-6682-10/oc_dir40.htm
the required attributes are described, and like on http://github.com/cgrzemba it should work if you add this:
nsslapd-pluginDescription: Sync Posix Attributes for users and groups between AD and DS if available and user lock/unlock
nsslapd-pluginVendor: Redhat
nsslapd-pluginId: posix-winsync-plugin
nsslapd-pluginVersion: POSIX/1.0
On 04.09.12, Rich Megginson <rmeggins(a)redhat.com> wrote:
> On 09/02/2012 11:36 PM, Juan Carlos Camargo wrote:
> > Thanks for the info and the update! Congrats Carsten, wonderful job!
> >
> > I needed to turn off schema checking on the server (1.2.11.11) for the update to complete. Otherwise I had an "object class violation" error:
> >
> > (...)
> > Full DN of administrative user [cn=Directory Manager]:
> > Password for this user:
> > Could not open TLS connection to freeipa2.eprinsa.org:389 - trying regular connection
> > dn: cn=Posix Winsync API,cn=plugins,cn=config
> > objectclass: top
> > objectclass: nsSlapdPlugin
> > objectclass: extensibleObject
> > cn: Posix Winsync API
> > nsslapd-pluginpath: libposix-winsync-plugin
> > nsslapd-plugininitfunc: posix_winsync_plugin_init
> > nsslapd-plugintype: preoperation
> > nsslapd-pluginenabled: off
> > nsslapd-plugin-depends-on-type: database
> > posixwinsyncmssfuschema: false
> > posixwinsyncmapmemberuid: true
> > posixwinsynccreatememberoftask: false
> > posixwinsynclowercaseuid: false
> > nsslapd-pluginprecedence: 25
> >
> > Error adding entry 'cn=Posix Winsync API,cn=plugins,cn=config'. Error: Object class violation
> > Error: could not update the directory server.
>
> Is there any more information in the errors log?
>
> > (...)
> >
> > From: "Rich Megginson" <rmeggins(a)redhat.com>
> > To: 389-announce(a)lists.fedoraproject.org, 389-users(a)lists.fedoraproject.org, test-announce(a)lists.fedoraproject.org
> > Sent: Friday, 31 August 2012 22:50:56
> > Subject: [389-users] Announcing 389 Directory Server version 1.2.11.12 Testing
--
Carsten Grzemba
Tel.: +49 3677 64740
Mobil: +49 171 9749479
Fax: +49 3677 6474111
Email: carsten.grzemba(a)contac-dt.de
contac Datentechnik GmbH
10 years, 6 months
Announcing 389 Directory Server version 1.2.11.12 Testing
by Rich Megginson
The 389 Project team is pleased to announce the release of
389-ds-base-1.2.11.12 for Testing. This release includes support for
POSIX attributes in Windows Sync, several bug fixes, and cleanup of
various issues found by valgrind and Coverity. The 389 team would like
to thank Carsten Grzemba for contributing his POSIX Windows Sync plugin
to the project.
The new packages and versions are:
389-ds-base 1.2.11.12
NOTE: 1.2.11 will not be available for Fedora 16 or earlier, nor for EL6
or earlier - 1.2.11 will only be available for Fedora 17 and later. We
are trying to stabilize current, stable releases - upgrades to 1.2.11
will disrupt stability.
Installation
yum install 389-ds --enablerepo=updates-testing
# or for EPEL
yum install 389-ds --enablerepo=epel-testing
setup-ds-admin.pl
Upgrade
yum upgrade 389-ds-base --enablerepo=updates-testing
# or for EPEL
yum upgrade 389-ds-base --enablerepo=epel-testing
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system.
1. Go to https://admin.fedoraproject.org/updates
2. In the Search box in the upper right hand corner, type in the name of the package
3. In the list, find the version and release you are using (if you're not sure, use rpm -qi <package name> on your system) and click on the release
4. On the page for the update, scroll down to "Add a comment" and provide your input
Or just send us an email to 389-users(a)lists.fedoraproject.org
Reporting Bugs
If you find a bug, or would like to see a new feature, use the 389 Trac
- https://fedorahosted.org/389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
10 years, 6 months
Account Useability Request Control Usage
by Charles Gilbert
Hi everyone!
Does anyone have experience using this new feature in 389 or RHDS? After
updating my 389-ds-base I now see that the control is active in the
plugins and enabled. I then tested a Solaris 10 client with server_policy
enabled in the pam.conf file, ssh'd in with an ssh key that works on all my
linux boxes, and got the message "Server does not give information without
password". This control was supposed to have addressed the issue with
solaris clients and ssh enforcing account policy from the directory
server. Any help would be great! Thanks!
10 years, 6 months