ACl
by Aziza Lichir
Hello again,
I would like to know if it's possible to limit the access to my server to
some users, for example via ssh ?!!!
Thanking you in advance for your answer...
--
*
___________________________________________________________*
*Aziza Lichir*
*
*
9 years, 10 months
SSL alert: Security Initialization: Unable to authenticate
by Fosiul Alam
Hi
I am in the process of installing 10 ldap server, while installing some
times, i get bellow error ,
auth4... server already stopped [FAILED]
*** Error: 1 instance(s) unsuccessfully stopped [FAILED]
Starting dirsrv:
auth4...[13/May/2013:20:13:33 +0200] - SSL alert: Security
Initialization: Unable to authenticate (Netscape Portable Runtime error
-8192 - An I/O error occurred during security authorization.)
[13/May/2013:20:13:34 +0200] - ERROR: SSL Initialization Failed.
[FAILED]
*** Error: 1 instance(s) failed to start
I followed the same steps on all servers but in 3 servers i am seeing above
error
Why some times i see those error ??
When i see those error, I remove all rpm and install again , create
certificate .. then its get ok
I am trying to do google. but could not find too much information,any help
will be really appreciate ..
Thanks
9 years, 10 months
create pin.txt file
by Fosiul Alam
HI
I have already installed dirsrv and its running in production with ssl
certificate on.
when i restart dirsrv , its ask to provide the pin for the token.
how can i create the pin.txt with password so that dir server starts
automatically without providing the pin ??
i tried to create here , but seems did not work,
/etc/dirsrv/slapd-ldap/pin.txt
do i have to add anything special to create the file ??
any help will be really appreciated.
Thanks
9 years, 10 months
Re: [389-users] Backup Directory Server by db2bak.pl script
by Vincent Gerris
hi,
I noticed this entry when trying to use the db2bak.pl script.
I found out that the -a option only works when for example
the /var/lib/dirsrv/slapd-server/bak or a subdir is used (effectively)
the same dir as without the -a option.
I was using a root dir, which I also modded with nobody:nobody as
owner en chmod 777, but still no result.
Is this a bug, or does the server somehow checks the dir?
The backup script for an old iPlanet server does it too and is able to
use /local/bla without a problem.
Seems like a bug to me?
Greatings
Vincent
9 years, 10 months
Re: [389-users] FreeIPA
by Carsten Grzemba
Am 09.05.13 schrieb Rich Megginson <rmeggins(a)redhat.com>:
>
>
>
>
>
> On 05/09/2013 08:28 AM, Steve Ovens wrote:
>
>
> > Thanks for the responses.
> >
> >
> > I dont know why I didnt find that manual when I was googling. Perhaps because it is for the RH DS and I was searching 389 (I realize they are quite similar)
> >
> >
> > As to the FreeIPA, I may investigate this in the future but the issue I have here is that I have a DS in service already so its not really a fair solution to switch products.
> >
> >
> > Does FreeIPA provide Active Directory Sync.
> >
> >
> >
>
> Yes, although freeipa is slightly different:
> 1) it does not do group sync
> 2) it only syncs adds from AD -> DS - it does not sync adds from DS -> AD
> 3) it will sync account disable/enable
>
>
>
>
posix-winsync should sync account disable/enable too, if not it is a bug ;-)
>
>
>
>
>
>
> >
> >
> > Thanks again for the replies
> >
> >
> >
> > On Thu, May 9, 2013 at 6:03 AM, Petr Spacek <pspacek(a)redhat.com> wrote:
> >
> > > Hello,
> > >
> > > On 8.5.2013 20:53, Steve Ovens wrote:
> > >
> > > > Hi,
> > > >
> > > > I have been quite happily using 389 for around a year, and while I am not
> > > > at all advanced I have been able to add Samba and sudoers to 389. I am now
> > > > attempting to add openssh keys to the user entries I am using the
> > > > openssh-lpk_openldap.schema:
> > > >
> > >
> > > IMHO the FreeIPA project could help you a lot. It contains pre-baked solutions for common problems like central management of sudoers and ssh authorized_keys, including management utilities (with CLI, WebUI, XML RPC, JSON RPC).
> > >
> > > Homepage: http://freeipa.org/
> > > Users list: http://www.redhat.com/mailman/listinfo/freeipa-users
> > >
> > > The home page is undergoing a major redesign at the moment, because it is a bit confusing to newcomers. I would recommend you to ask freeipa-users list if you can't find what you are looking for.
> > >
> > > And BTW - FreeIPA is based on 389 DS.
> > >
> > > I'm sorry for the advertisement.
> > >
> > > Petr^2 Spacek
> > >
> > >
> > > > #
> > > > # LDAP Public Key Patch schema for use with openssh-ldappubkey
> > > > # Author: Eric AUGE <eau(a)phear.org>
> > > > #
> > > > # Based on the proposal of : Mark Ruijter
> > > > #
> > > >
> > > >
> > > > # octetString SYNTAX
> > > > attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
> > > > DESC 'MANDATORY: OpenSSH Public key'
> > > > EQUALITY octetStringMatch
> > > > SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
> > > >
> > > > # printableString SYNTAX yes|no
> > > > objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top
> > > > AUXILIARY
> > > > DESC 'MANDATORY: OpenSSH LPK objectclass'
> > > > MAY ( sshPublicKey $ uid )
> > > > )
> > > >
> > > >
> > > > I have run this through the ol-schema-migrate.pl(http://ol-schema-migrate.pl) and placed the output in
> > > > /etc/dirsrv/slapd-ds/schema/62sshkeys.ldif.
> > > >
> > > > I have restarted the server and there were no errors produced so I am
> > > > assuming that it took the ldif fine.
> > > >
> > > > How do I go about using the new schema. I have googled around quite a bit,
> > > > but I must be missing something. I would appreciate any pointers and I
> > > > fully intend on publishing a how-to on this (as I do for most things over
> > > > at overclockers.com(http://overclockers.com)<http://www.overclockers.com/forums/showthread.php?t=730515>
> > > > )
> > > >
> > > > Any guidance would be greatly appreciated!
> > > >
> > >
> >
> >
> >
> >
> > --
> > Red Hat Certified Engineer
> > Ubuntu Certified Professional
> > Novell Datacenter Specialist
> > Novell Certified Linux Administrator
> > LPIC-1 Certified
> > Linux+ Certified
> >
> >
> >
> >
> > --
> > 389 users mailing list
> > 389-users(a)lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
> >
>
>
>
>
>
9 years, 10 months
adding ssh public keys to 389
by Steve Ovens
Hi,
I have been quite happily using 389 for around a year, and while I am not
at all advanced I have been able to add Samba and sudoers to 389. I am now
attempting to add openssh keys to the user entries I am using the
openssh-lpk_openldap.schema:
#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <eau(a)phear.org>
#
# Based on the proposal of : Mark Ruijter
#
# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
DESC 'MANDATORY: OpenSSH Public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top
AUXILIARY
DESC 'MANDATORY: OpenSSH LPK objectclass'
MAY ( sshPublicKey $ uid )
)
I have run this through the ol-schema-migrate.pl and placed the output in
/etc/dirsrv/slapd-ds/schema/62sshkeys.ldif.
I have restarted the server and there were no errors produced so I am
assuming that it took the ldif fine.
How do I go about using the new schema. I have googled around quite a bit,
but I must be missing something. I would appreciate any pointers and I
fully intend on publishing a how-to on this (as I do for most things over
at overclockers.com<http://www.overclockers.com/forums/showthread.php?t=730515>
)
Any guidance would be greatly appreciated!
Thanks
--
Red Hat Certified Engineer
Ubuntu Certified Professional
Novell Datacenter Specialist
Novell Certified Linux Administrator
LPIC-1 Certified
Linux+ Certified
9 years, 10 months
Fwd: default values creating user/groups
by Victor Hugo dos Santos
Hello,
I was trying to find information how I can put a object/value by
default when I create a user/group.
for example, I like to make this values for default to all new user
that I create way DS java console:
===========
shadowMin: 1
shadowMax: 45
shadowWarning: 14
===========
but I dont found information.
Can I make one or more atributtes by default ??
thanks and attentive.
--
--
Victor Hugo dos Santos
http://www.vhsantos.net
Linux Counter #224399
9 years, 10 months
TLS failure
by Aziza Lichir
Hey,
I'm having problems with TLS/SSL on my client side. When I do ldapsearch
-ZZ it works just fine and says that SSL started but when i try to
authenticate a user I keep getting this strange error:
[07/May/2013:10:04:06 +0200] conn=95 fd=228 slot=228 SSL connection
[07/May/2013:10:04:06 +0200] conn=95 SSL 256-bit AES
[07/May/2013:10:04:06 +0200] conn=95 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
[07/May/2013:10:04:06 +0200] conn=95 op=0 RESULT err=1 tag=120 nentries=0
etime=0
[07/May/2013:10:04:06 +0200] conn=95 op=1 UNBIND
[07/May/2013:10:04:06 +0200] conn=95 op=1 fd=228 closed - U1
the plate form is :
server : CentOS-6.3-i386
client: CentOS 5.3
[root@srv-ds-38 ~]# rpm -qi 389-ds-base
Name : 389-ds-base Relocations: (not relocatable)
Version : 1.2.11.15 Vendor: CentOS
Release : 14.el6_4 Build Date: Tue 16 Apr 2013
12:57:55 AM CEST
Install Date: Fri 26 Apr 2013 04:05:26 PM CEST Build Host:
c6b7.bsys.dev.centos.org
Group : System Environment/Daemons Source RPM:
389-ds-base-1.2.11.15-14.el6_4.src.rpm
Size : 4940881 License: GPLv2 with
exceptions
Signature : RSA/SHA1, Tue 16 Apr 2013 11:32:27 AM CEST, Key ID
0946fca2c105b9de
Packager : CentOS BuildSystem <http://bugs.centos.org>
URL : http://port389.org/
Summary : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package
includes
the LDAP server and command line utilities for server administration.
I would appreciate some help.
--
*
___________________________________________________________*
*Aziza Lichir*
*
*
9 years, 10 months
Update probem
by alexandre
Hello,
I try to update my 1.2.10 389-ds-base to 1.2.11 389-ds-base.
With this command:
yum --enablerepo=epel-testing-389-ds-base --enablerepo=epel-testing update
389-ds-base
The installation begin, but I get an error:
Error: Package: 389-ds-base-1.2.11.21-1.el6_4.x86_64
(epel-testing-389-ds-base)
Requires: perl-Socket
Any ideas ?
My system is a Redhat 6.2.
Best regards,
Alex
9 years, 10 months
problems with console when access to ds instance
by Maximiliano de Mattos
Hi,
I'm starting with 389ds, and I have installed in a remote server a intance
of 389ds.
Well... I can connect remotely from 389ds console to this server, but when
I want to go in console to items "Administrarion Server" or "Directory
Server" I receive the followin error messages:
"Failed to install a local copy of 389-admin-1.1.jar or one of its
supporting files......"
"Failed to install a local copy of 389-ds-1.2.6.jar or one if its
supporting files...."
But looking for this jar files, I can found them
(/usr/share/dirsrv/html/java/) in the local computer with 389ds console..
but I cannot find a log of 389ds console to see whats happend.. :(
some ideas? :(
thanks in advance! ;)
****
9 years, 10 months
