almost off-topic: when is it advisable to get a 3rd party signed (vs. a self-signed) cert to use with 389-ds?
by Jon Detert
I managed to get 389-ds working with encryption. Whew. The project should really update http://directory.fedoraproject.org/wiki/Howto:SSL to make it simpler to figure out. I'm willing to, but the wiki says "We are not ready to accept contributions at this time."
Anyway, I'm wondering what advantage(s) I'd have in using a 3rd-party signed cert instead of a self-signed one? I admit - this question stems from my ignorance of how clients certify servers.
I think I understand that when you use a self-signed cert, you typically have to 'inform' a client about that cert, telling the client that it is trusted.
How would it be different if I used a 3rd-party (like GeoTrust) signed cert?
Do clients typically know about common CAs? Do they typically rely on the o.s. to define/supply the list of known CAs?
Here are some of the clients I need to talk ldaps to my ldap servers:
Zimbra
Liferay
Apache
openldap ldapsearch
Home-grown java code
Actuate
Thanks,
--
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759
10 years, 2 months
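The difference the post asks about is where the client's trust anchor comes from. The following script is an added example, not code from the thread or from the 389-ds project: it builds a throwaway CA and two server certificates with openssl, then validates each one the way a TLS client with a given trust store would. The host name ldap.example.com, the CA name and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the 389-users thread: builds a throwaway CA and two
# server certificates with openssl, then checks each one the way a TLS client
# with a given trust store would. Host name, CA name and file names are
# constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  # A private CA, standing in for the "3rd party" CA that clients already trust
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  # A server certificate for the directory, issued by that CA
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=ldap.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
  # A self-signed certificate for the same host, issued by nobody the client knows
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=ldap.example.com" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# Chain validation as a client does it: $1 is the client's trust store
# (its list of "known CAs"), $2 is the certificate the server presented.
verify_with_store() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# CA-signed cert and the CA is in the trust store: accepted, no per-client setup
ca_signed_accepted() { verify_with_store "$WORK/ca.pem" "$WORK/server.pem"; }
# Self-signed cert and the trust store only holds the CA: rejected (unknown issuer)
self_signed_rejected() { ! verify_with_store "$WORK/ca.pem" "$WORK/self.pem"; }
# Self-signed cert that the client was explicitly told to trust: accepted
self_signed_pinned_accepted() { verify_with_store "$WORK/self.pem" "$WORK/self.pem"; }

make_certs || { echo "openssl could not create the demo certificates" >&2; exit 1; }
ca_signed_accepted          && echo "CA-signed cert, CA in trust store:      accepted"
self_signed_rejected        && echo "self-signed cert, CA-only trust store:  rejected"
self_signed_pinned_accepted && echo "self-signed cert added to trust store:  accepted"
```

The third case is the "inform the client" step from the post: with a self-signed certificate, every client (the OpenSSL-based ones through the OS bundle or OpenLDAP's TLS_CACERT setting, the Java ones through the JVM's cacerts keystore, NSS-based ones through their cert database) needs that certificate imported, and a renewed certificate means repeating the import everywhere. With a certificate chained to a CA the clients already ship with, the first case applies and no per-client change is needed; a private CA gives the same property inside an organisation as long as that one CA certificate is distributed to each client.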
documentation on creating/using roles
by Elizabeth Jones
Can anyone point me towards any documentation or examples on creating and
using roles? I am hoping to set up a role for our service desk users so
they can add/delete users, but I need to have them login as themselves so
we can track them. I have an aci that I created that would allow them to
do this but I don't want to put the aci directly on specific user accounts
if I can avoid it.
thanks -
Elizabeth J
10 years, 2 months
Single Master replication : after master o.s. + dirsrv upgrade, replication fails with nsds5replicaLastInitStatus=3
by Jon Detert
I have a single master replicating to 2 slaves.
The master is Fedora Directory Server v1.0.4
The slaves are 389-DirectoryServer v1.2.10.
This has been working fine.
I tried to replace the single master with the same ds software as the slaves (389-DirectoryServer v1.2.10), but I could not get replication to work.
I'm hoping someone can help me see what I did wrong.
What I did:
-----------
1) deleted the replication agreements from the Fedora ds master.
(Not sure this was necessary. Thought it might leave the slave replicas in a state that would more cleanly accept new replication agreements).
2) replaced the fedora ds master with new o.s. running 389-ds v1.2.10. Created new slapd instance, and loaded it with the same schema and data as was used in the fedora ds DIT.
3) created replication agreements (on the new master) with the 2 slaves.
What I see:
-----------
a) Immediately, the replication status was:
"nsds5replicaLastInitStatus: 3 Replication error acquiring replica: permission denied"
b) On the master, /var/log/dirsrv/slapd-madds1/errors says this:
"NSMMReplicationPlugin - agmt="cn=o-ihccom-to-madds2" (madds2:389): Unable to acquire replica: permission denied. The bind dn "uid=replica-manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later."
c) On the slaves, /var/log/dirsrv/slapd-madds2/errors says this:
"NSMMReplicationPlugin - conn=34 op=3 replica="dc=example,dc=com": Unable to acquire replica: error: permission denied"
d) The following query on a slave shows that the bind-dn used by the master is correct:
ldapsearch -x -LLL -D 'cn=directory manager' -W -b cn=config -s sub objectclass=nsds5replica
yields output like this:
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 2
nsDS5ReplicaBindDN: uid=replica-manager,cn=config
nsDS5Flags: 0
nsDS5ReplicaId: 65535
nsState:: //8AAAAAAADDxzdRAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
nsDS5ReplicaName: edb50b02-86af11e2-9dc2a557-8005a77d
nsds5ReplicaChangeCount: 0
nsds5replicareapactive: 0
Thanks for any insight you offer.
--
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759
10 years, 3 months
nsDS5ReplicaCredentials confusion
by Jon Detert
When setting up replication, I understand that you:
a) create a dn on the consumer to be used as the 'bind-dn' for the replica on the consumer;
b) create a replication agreement on the supplier, in which you reference the bind dn from a).
I have a couple questions about this:
1) How do you generate the hash used in the nsDS5ReplicaCredentials attribute of the supplier's replication agreement? I understand that the 389-ds-console will generate it for you, but I don't want to use the console.
2) Why is the hash recorded in the nsDS5ReplicaCredentials attribute of the supplier's replication agreement {DES} differently than the hash recorded in the person objectClass {SSHA} on the consumer for the dn?
3) How does the supplier authenticate to the consumer when replicating? Does it pass the binddn credentials? If so, in what format? How are they validated?
Thanks,
Jon
10 years, 3 months
How can I grant read access to the attributes of a nsDS5ReplicationAgreement object?
by Jon Detert
I want to check the status of replication agreements, but I don't want to use the directory manager's credentials to do so. I want to use bind credentials for a dn that only has read access.
Is an ACI what I need? If so, how? I've tried several, but they don't work as I intended.
One thing I'm uncertain of, is which dn to associate the aci attribute with. I've tried these:
cn=config
cn=mapping tree,cn=config
dc=example,dc=com
and the actual dn of the replication agreement object.
I'm also not certain of the target to use in the aci. I've tried these:
(targetfilter = "(objectClass=nsds5ReplicationAgreement)")
and
(target="ldap:///cn=*,cn=replica,cn=*,cn=mapping tree,cn=config")
Any ideas what I'm doing wrong? Thanks
--
Jon Detert
Sr. Systems Administrator
Infinity Healthcare
Milwaukee, Wisconsin
414-290-6759
10 years, 3 months
How to get password expire time for user
by Fosiul Alam
Hi Experts,
I am trying to find out a way to get the password expire time for users so
that I can send them an email.
I was looking on Google, but I am not clear yet.
Can anyone please advise what's the best way to get the password expire time?
Thanks
Fosiul.
10 years, 3 months
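When password expiration is enabled in the 389-ds password policy, the server keeps each user's expiry in the operational attribute passwordExpirationTime, stored as a GeneralizedTime string (YYYYMMDDHHMMSSZ). The script below is an added example, not code from the thread or from the 389-ds project: it converts that value to seconds with plain awk arithmetic (so it does not depend on GNU date), computes the number of days until expiry against a reference time given in the same format, and filters ldapsearch LDIF output for accounts that expire within a warning window. The LDIF entries and the reference time are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the 389-users thread. 389-ds records the expiry in the
# operational attribute passwordExpirationTime as GeneralizedTime (YYYYMMDDHHMMSSZ).
# This script converts that value to seconds with pure awk arithmetic (no GNU
# date needed), computes days until expiry against a reference time passed in
# the same format, and filters ldapsearch LDIF output for accounts expiring
# within N days. The LDIF below is constructed sample data.

# GeneralizedTime -> seconds (Julian day number * 86400 + time of day)
gtime_to_seconds() {
  printf '%s\n' "$1" | awk '{
    y  = substr($0, 1, 4) + 0; mo = substr($0, 5, 2) + 0;  d = substr($0, 7, 2) + 0
    h  = substr($0, 9, 2) + 0; mi = substr($0, 11, 2) + 0; s = substr($0, 13, 2) + 0
    # Gregorian date -> Julian day number (integer arithmetic)
    a = int((14 - mo) / 12); yy = y + 4800 - a; mm = mo + 12 * a - 3
    jdn = d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    printf "%.0f\n", jdn * 86400 + h * 3600 + mi * 60 + s
  }'
}

# days_until_expiry EXPIRY NOW -> whole days (negative if already expired)
days_until_expiry() {
  e=$(gtime_to_seconds "$1"); n=$(gtime_to_seconds "$2")
  printf '%s\n' "$(( (e - n) / 86400 ))"
}

# expiring_within DAYS NOW: reads LDIF (uid + passwordExpirationTime) on stdin,
# prints "uid days" for every entry whose password expires within DAYS days.
expiring_within() {
  limit=$1; now=$2; uid=; exp=
  while IFS= read -r line; do
    case $line in
      "uid: "*) uid=${line#uid: } ;;
      "passwordExpirationTime: "*) exp=${line#passwordExpirationTime: } ;;
      "")
        # blank line ends an LDIF entry: evaluate what was collected
        if [ -n "$uid" ] && [ -n "$exp" ]; then
          d=$(days_until_expiry "$exp" "$now")
          if [ "$d" -le "$limit" ]; then printf '%s %s\n' "$uid" "$d"; fi
        fi
        uid=; exp= ;;
    esac
  done
}

# Constructed sample, shaped like the output of:
#   ldapsearch -x -LLL -b ou=People,dc=example,dc=com uid passwordExpirationTime
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
passwordExpirationTime: 20230415120000Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
passwordExpirationTime: 20230601000000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
passwordExpirationTime: 20230330000000Z
'

# Reference time 2023-04-01T00:00:00Z, warning window 20 days:
# alice expires in 14 days, carol expired 2 days ago, bob (61 days) is not listed.
printf '%s\n' "$SAMPLE_LDIF" | expiring_within 20 20230401000000Z
```

To run this against a live directory, replace the sample with real ldapsearch output (binding as an identity that has read access to passwordExpirationTime, since it is an operational attribute and must be requested explicitly) and pass the current time as `$(date -u +%Y%m%d%H%M%SZ)`; the "uid days" lines are then the list to feed into whatever sends the reminder mail, with negative values marking accounts that have already expired.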
Apache 2.4.4
by Tom Browder
Is there any work underway to get mod_nss working with the latest Apache?
Thanks and best regards,
-Tom
10 years, 3 months
using PWM with 389 DS
by Elizabeth Jones
I was wondering if anyone here has integrated PWM into your 389 DS and
might be able to help me out.
We want to use PWM just for allowing users to change their passwords. I
followed the documentation that is here
https://docs.google.com/document/d/1I9u1xaVrIOTFj8Le7uzCM5zGqrODCi9Udo2gG...
to add the users and aci's that PWM needs, following the directions in the
doc (except that I had to change from replace to add to the aci section or
it wiped out our existing acis).
Following this doc, I added users pwmproxy and pwmtest to
People,mycompany,com
Using PWM, I can access the pwmproxy and pwmtest users at the People level
and change their passwords. I can also add additional test/generic users
at this level (People, mycompany, com) and access those using pwm. But if I
try to access any of our existing user IDs that are below People, i.e.
internal,people,company,com
external,people,company,com
PWM says it can't find those users.
Any thoughts on what else I might need to do to get to those users?
thanks
EJ
10 years, 3 months
Replication fails: id2entry.db4 too large?
by Luigi Santangelo
Hi,
I have configured two servers (called A and B) in replica multimaster mode.
Server B is in read only mode. In server A I have configured
successfully replication to B of my userRoot.
Today, the sync doesn't work: when A tries to send replication data to
B, B crashes with no error log.
When I start the service on B, it works fine until the sync starts. If
I disable the synchronization, B works fine.
Could the problem be the size of id2entry.db4? Now it is 10GB and
in the DB I have only 100,000 entries.
Can I reduce the size of the file? It seems too large for the
number of records inside.
Thanks in advance.
Best regards.
Luigi
10 years, 3 months