Re: [Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 1

My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES

[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1

If I disable TLS everything works fine, the client server can query the FDS and auth the client properly I am not sure if the problem has to do with the pam_ldap not properly formatted or the cert file not in proper format Does anyone have an example of what the pam_ldap config should look like? or suggestions on checking whether the cert file is in proper format

Also what's the UNBIND shown in the logs? Thanks > From: fedora-directory-users-request(a)redhat.com > Reply-To: fedora-directory-users(a)redhat.com > To: fedora-directory-users(a)redhat.com > Subject: Fedora-directory-users Digest, Vol 19, Issue 1 > Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST) > > Send Fedora-directory-users mailing list submissions to > fedora-directory-users(a)redhat.com > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.redhat.com/mailman/listinfo/fedora-directory-users > or, via email, send a message with subject or body 'help' to > fedora-directory-users-request(a)redhat.com > > You can reach the person managing the list at > fedora-directory-users-owner(a)redhat.com > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Fedora-directory-users digest..." > > > Today's Topics: > > 1. pam_ldap with SSL/TLS (t b) > 2. RE: pam_ldap with SSL/TLS (Morris, Patrick) > 3. Re: pam_ldap with SSL/TLS (Richard Megginson) > 4. Problem with SSL console in X in specific circumstances > (Philip Kime) > 5. FW: [Fedora-directory-users] Extracting details from > ActiveDirectoryto FDS (Paxton, Darren) > 6. alias in fedora directory server (patrick ndjientcheu ngandjui) > 7. Re: FW: [Fedora-directory-users] Extracting details from > ActiveDirectoryto FDS (Nicholas Byrne) > 8. Re: Memory usage (koniczynek) > 9. Re: Memory usage (David Boreham) > 10. Re: Memory usage (koniczynek) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 30 Nov 2006 12:31:50 -0500 > From: "t b" <mxheadroom(a)hotmail.com&gt; > Subject: [Fedora-directory-users] pam_ldap with SSL/TLS > To: fedora-directory-users(a)redhat.com > Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0(a)phx.gbl&gt; > Content-Type: text/plain; format=flowed > > I am trying to setup pam_ldap to use TLS to communicate with the FDS, > but > having lots of problems doing so; it works if I use the unencrypted > way but > not if I use ldaps ( port 636 ) > > I used the instructions at, > http://directory.fedora.redhat.com/wiki/Howto:PAM > > Has anyone gotten PAM to work TLS > > > Thanks > > _________________________________________________________________ > Buy, Load, Play. The new Sympatico / MSN Music Store works seamlessly > with > Windows Media Player. Just Click PLAY. > http://musicstore.sympatico.msn.ca/content/viewer.aspx?cid=SMS_Sept192006 > > > > > ------------------------------ > > Message: 2 > Date: Thu, 30 Nov 2006 13:00:56 -0500 > From: "Morris, Patrick" <patrick.morris(a)hp.com&gt; > Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS > To: "General discussion list for the Fedora Directory server project." > <fedora-directory-users(a)redhat.com&gt; > Message-ID: > <CD18C81835E18A40A64C4A0D16A237BE05FE850D(a)ATAEXC01.americas.cpqcorp.net&gt; > > > Content-Type: text/plain; charset="US-ASCII" > > > I am trying to setup pam_ldap to use TLS to communicate with > > the FDS, but having lots of problems doing so; it works if I > > use the unencrypted way but not if I use ldaps ( port 636 ) > > Someone should jump in here and correct me if I'm wrong, but I believe > it's normal for TLS connections to happen on the standard LDAP port. > You should be able to tell from your logs whether the connection is > encrypted or not. > > > > ------------------------------ > > Message: 3 > Date: Thu, 30 Nov 2006 11:08:08 -0700 > From: Richard Megginson <rmeggins(a)redhat.com&gt; > Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS > To: "General discussion list for the Fedora Directory server project." > <fedora-directory-users(a)redhat.com&gt; > Message-ID: <456F1E08.40601(a)redhat.com&gt; > Content-Type: text/plain; charset="iso-8859-1" > > Morris, Patrick wrote: > >> I am trying to setup pam_ldap to use TLS to communicate with > >> the FDS, but having lots of problems doing so; it works if I > >> use the unencrypted way but not if I use ldaps ( port 636 ) > >> > > > > Someone should jump in here and correct me if I'm wrong, but I believe > > it's normal for TLS connections to happen on the standard LDAP port. > > You should be able to tell from your logs whether the connection is > > encrypted or not. > > > Yes. The LDAP "preferred" way is to use the startTLS extended operation > which starts a TLS session on the non-secure port. This will be logged > in the access log. > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users(a)redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3178 bytes > Desc: S/MIME Cryptographic Signature > Url : > https://www.redhat.com/archives/fedora-directory-users/attachments/200611... > > > ------------------------------ > > Message: 4 > Date: Thu, 30 Nov 2006 18:02:55 -0800 > From: "Philip Kime" <pkime(a)Shopzilla.com&gt; > Subject: [Fedora-directory-users] Problem with SSL console in X in > specific circumstances > To: <fedora-directory-users(a)redhat.com&gt; > Message-ID: > <9C0091F428E697439E7A773FFD083427435BE3(a)szexchange.Shopzilla.inc&gt; > Content-Type: text/plain; charset="us-ascii" > > Here's the problem: > > Running startconsole (SSL) to a remote display on a PC X-server (xwin32) > works fine and requires that my windows home dir on the PC X-server > machine has .fedora-console/ containing cert8.db and key3.db, as you'd > expect. If I rename this dir, the console hangs at the splash screen. So > far, so good, all makes sense. > > If I try the same thing to cygwin's X server on same machine or to an X > server on a Mac running OSX, startconsole always hangs as if it can't > find ~/.fedora-console on the local machine. I've tried copying this dir > to what cygwin/OSX thinks is the user's home dir but no luck. Where > should I put the Cert db files under "real" UNIX X to get the SSL > console to work? Also tried ~/.mmc as per the docs but I could never get > this to work. > > PK > > -- > Philip Kime > NOPS Systems Architect > 310 401 0407 > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > https://www.redhat.com/archives/fedora-directory-users/attachments/200611... > > > ------------------------------ > > Message: 5 > Date: Fri, 1 Dec 2006 08:04:30 -0000 > From: "Paxton, Darren" <Darren.Paxton(a)mercer.com&gt; > Subject: FW: [Fedora-directory-users] Extracting details from > ActiveDirectoryto FDS > To: <Fedora-directory-users(a)redhat.com&gt; > Message-ID: > <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02(a)eidwpexms06.mercer.com&gt; > Content-Type: text/plain; charset="us-ascii" > > Skipped content of type multipart/alternative-------------- next part > -------------- > -- > Fedora-directory-users mailing list > Fedora-directory-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------------------------------ > > Message: 6 > Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT) > From: patrick ndjientcheu ngandjui <tchen_pat(a)yahoo.fr&gt; > Subject: [Fedora-directory-users] alias in fedora directory server > To: Fedora-directory-users(a)redhat.com > Message-ID: <20061201081042.78578.qmail(a)web25801.mail.ukl.yahoo.com&gt; > Content-Type: text/plain; charset="iso-8859-1" > > Hi, > I would like to know how to use alias in fedora directory server.It > seems that it is used for point to another entry in the directory,but > i don't know how to use this feature.May someone helps me on this > issue? I would really appreciate an example. > > Thanks > > > > > > > > > ___________________________________________________________________________ > > Découvrez une nouvelle façon d'obtenir des réponses à toutes vos > questions ! > Profitez des connaissances, des opinions et des expériences des > internautes sur Yahoo! Questions/Réponses > http://fr.answers.yahoo.com > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > https://www.redhat.com/archives/fedora-directory-users/attachments/200612... > > > ------------------------------ > > Message: 7 > Date: Fri, 01 Dec 2006 11:50:13 +0000 > From: Nicholas Byrne <nicholas.byrne(a)quadriga.com&gt; > Subject: Re: FW: [Fedora-directory-users] Extracting details from > ActiveDirectoryto FDS > To: "General discussion list for the Fedora Directory server project." > <fedora-directory-users(a)redhat.com&gt; > Message-ID: <457016F5.5030202(a)quadriga.com&gt; > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Your messages got through - you can confirm by checking the archives - > https://www.redhat.com/archives/fedora-directory-users/ > > I'm a new user as well so i'm afraid i can't answer your question, but > if you keep asking i'm sure someone will know! > Nick > > Paxton, Darren wrote: > > Apologies for mailing yet again, however either my messages are not > > getting through (something I don't believe as I keep getting the post > > to the mailing list) - or for some reason, no one is willing to even > > acknowledge my issue. > > > > In the spirit of the community - can someone at least acknowledge a > > message as I find it quite disheartening that I have had no replies at > > all even if just to point me somewhere for assistance. > > > > > ------------------------------------------------------------------------ > > *From:* fedora-directory-users-bounces(a)redhat.com > > [mailto:fedora-directory-users-bounces@redhat.com] *On Behalf Of > > *Paxton, Darren > > *Sent:* 30 November 2006 08:46 > > *To:* General discussion list for the Fedora Directory server project. > > *Subject:* RE: [Fedora-directory-users] Extracting details from > > ActiveDirectoryto FDS > > > > Hi > > > > Has anyone had any thoughts on my query or can point me in the right > > direction? > > > > As is the nature of AD, I would have thought it is possible to extract > > this information using a scope setting or something similar. > > > > Thanks > > > > Darren > > > > > ------------------------------------------------------------------------ > > *From:* fedora-directory-users-bounces(a)redhat.com > > [mailto:fedora-directory-users-bounces@redhat.com] *On Behalf Of > > *Paxton, Darren > > *Sent:* 24 November 2006 14:56 > > *To:* fedora-directory-users(a)redhat.com > > *Subject:* [Fedora-directory-users] Extracting details from Active > > Directoryto FDS > > > > Hi all, > > > > I've been tinkering with integrating our Linux devices into our AD > > domain for some time and I've hit a few brick walls, however I've > > recently discovered FDS and the synchronisation features with AD. > > > > I've managed to set up a few replication jobs, however due to the > > extensive nature of our AD, I've realised that the sync only takes > > the group and user objects from the OU or CN being specified. > > > > Is there any way I can specify that it should traverse all > > subtrees of an OU and extract all that information back into FDS? > > > > Thanks > > > > Darren > > > > -- > > Darren Paxton > > EMEA Tier2 > > Red Hat Certified Engineer > > VMware Certified Professional > > MGTI Centralised ops > > > > > > This e-mail and any attachments may be confidential or legally > > privileged.If you received this message in error or are not the > > intended recipient, you should destroy the email message and any > > attachments or copies, and you are prohibited from retaining, > > distributing, disclosing or using any information contained herein. > > Please inform us of the erroneous delivery by return e-mail. Thank you > > for your co-operation. > > > > Mercer Human Resource Consulting Limited is authorised and regulated > > by the Financial Services Authority. Registered in England No. 984275. > > Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users(a)redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users(a)redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > > > This e-mail is the property of Quadriga Worldwide Ltd, intended for > the addressee only and confidential. Any dissemination, copying or > distribution of this message or any attachments is strictly prohibited. > > If you have received this message in error, please notify us > immediately by replying to the message and deleting it from your > computer. > > Messages sent to and from Quadriga may be monitored. > > Quadriga cannot guarantee any message delivery method is secure or > error-free. Information could be intercepted, corrupted, lost, > destroyed, arrive late or incomplete, or contain viruses. > > We do not accept responsibility for any errors or omissions in this > message and/or attachment that arise as a result of transmission. > > You should carry out your own virus checks before opening any > attachment. > > Any views or opinions presented are solely those of the author and do > not necessarily represent those of Quadriga. > > > > ------------------------------ > > Message: 8 > Date: Fri, 01 Dec 2006 16:45:28 +0100 > From: koniczynek <koniczynek(a)uaznia.net&gt; > Subject: Re: [Fedora-directory-users] Memory usage > To: "General discussion list for the Fedora Directory server project." > <fedora-directory-users(a)redhat.com&gt; > Message-ID: <45704E18.3070705(a)uaznia.net&gt; > Content-Type: text/plain; charset=ISO-8859-2; format=flowed > > Richard Megginson napisa³(a): > > This is an excellent cache/memory tuning document from a Sun employee, > > primarily targeted to Sun DS users, but almost all of the > information is > > relevant to Fedora DS (since they share a common lineage). > > > > http://www.directorymanager.org/blogs/ds_cache_sizing.pdf > Lets say I heven't got much time lately so without thinking I've changed > in dse.ldif > nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > started to receive errors like: "3 Time limit exceeded" Someone do know > what to do? ;) > > -- > xmpp/email: koniczynek(a)uaznia.net > xmpp/email: koniczynek(a)gmail.com > > > > ------------------------------ > > Message: 9 > Date: Fri, 01 Dec 2006 09:15:14 -0700 > From: David Boreham <david_list(a)boreham.org&gt; > Subject: Re: [Fedora-directory-users] Memory usage > To: "General discussion list for the Fedora Directory server project." > <fedora-directory-users(a)redhat.com&gt; > Message-ID: <45705512.4070808(a)boreham.org&gt; > Content-Type: text/plain; charset=ISO-8859-2; format=flowed > > koniczynek wrote: > > > Richard Megginson napisa³(a): > > > >> This is an excellent cache/memory tuning document from a Sun > >> employee, primarily targeted to Sun DS users, but almost all of the > >> information is relevant to Fedora DS (since they share a common > >> lineage). > >> > >> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf > > > > Lets say I heven't got much time lately so without thinking I've > > changed in dse.ldif > > nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > > started to receive errors like: "3 Time limit exceeded" Someone do > > know what to do? ;) > > > Change it back ? > > > > > > ------------------------------ > > Message: 10 > Date: Fri, 01 Dec 2006 17:53:22 +0100 > From: koniczynek <koniczynek(a)uaznia.net&gt; > Subject: Re: [Fedora-directory-users] Memory usage > To: "General discussion list for the Fedora Directory server project." > <fedora-directory-users(a)redhat.com&gt; > Message-ID: <45705E02.7020709(a)uaznia.net&gt; > Content-Type: text/plain; charset=ISO-8859-2 > > David Boreham, dnia 2006-12-01 17:15 napisal: > >> Lets say I heven't got much time lately so without thinking I've > >> changed in dse.ldif > >> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've > >> started to receive errors like: "3 Time limit exceeded" Someone do > >> know what to do? ;) > > Change it back ? > man, please, show some respect ;) I did change it back, but to no avail. > Also I can say (to stop further questions): yes, I've stopped the server > before change. > > -- > email/xmpp: koniczynek(a)uaznia.net > > > > ------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users(a)redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > End of Fedora-directory-users Digest, Vol 19, Issue 1 > ***************************************************** _________________________________________________________________ Off to school, going on a trip, or moving? Windows Live (MSN) Messenger lets you stay in touch with friends and family wherever you go. Click here to find out how to sign up! http://www.telusmobility.com/msnxbox/ -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users