I have the Directory server up and running. My question is how to get
the user accounts from one of my servers into the directory? I do not
have an existing ldap or nis server, we are using local systems account
creation and authentication. I did a search through the archives but
wasn't able to come up with anything. Any insight would be very helpful
Thanks all for the help.
I went with the IBM version and all went well.
> -----Original Message-----
> From: fedora-directory-users-bounces(a)redhat.com
> [mailto:email@example.com] On Behalf
> Of Richard Megginson
> Sent: Thursday, April 06, 2006 8:50 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] GUI Console
> Alex aka Magobin wrote:
> >On gio, 2006-04-06 at 09:30 -0400, Richard Megginson wrote:
> >>Esquivel, Vicente wrote:
> >>>Hello all,
> >>>I am new to the list and new to RH Directory. I have installed
> >>>fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4
> >>>Update 2. I did an express install of the Directory and
> was able to
> >>>get the slapd and admin to start successfully but when I
> try to start
> >>>the console I get no gui console and get the following
> message below.
> >>>Can anyone tell me what I need to do to get the gui console up and
> >I don't know why in Redhat this link and this problem is not
> http://directory.fedora.redhat.com/wiki/Install_Guide which
> is linked from the Release Notes as well.
> >...this is step by step intruction to upgrade jre that solve your
> > Alex
> >Fedora-directory-users mailing list
I am new to the list and new to RH Directory. I have installed
fedora-ds-1.0.2.RHEL4.i386.opt.rpm and j2SDK-1_4_2_11 on a RHEL 4
Update 2. I did an express install of the Directory and was able to get
the slapd and admin to start successfully but when I try to start the
console I get no gui console and get the following message below. Can
anyone tell me what I need to do to get the gui console up and running?
[diradmin@linole fedora-ds]$ ./startconsole -u admin -a
Warning: -ms8m not understood. Ignoring.
Warning: -mx64m not understood. Ignoring.
Exception in thread "main" java.lang.NoSuchMethodError: method
com.netscape.management.client.util.RemoteImage.setImage was not found.
at _Jv_ResolvePoolEntry(java.lang.Class, int) (/usr/lib/libgcj.so.5.0.0)
ring) (Unknown Source)
.swing.UIDefaults) (Unknown Source)
at com.netscape.management.nmclf.SuiLookAndFeel.getDefaults() (Unknown
at javax.swing.UIManager.put(java.lang.Object, java.lang.Object)
) (Unknown Source)
ing) (Unknown Source)
java.lang.String, java.lang.String, java.lang.String, java.lang.String,
java.lang.String) (Unknown Source)
I have a problem with Fedora Directory Server 1.0.2 installed on FC5.
At the beginning of the installation, I get this message:
NOTICE : System is i686-unknown-linux2.6.15-1.2054_FC5xen0 (1 processor).
WARNING: 463MB of physical memory is available on the system. 1024MB is recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
install : OK
setup : OK
After setup I get this:
[slapd-dahmer]: [04/Apr/2006:18:09:50 +0200] - Fedora-Directory/1.0.2 B2006.060.1951 starting up
[slapd-dahmer]: [04/Apr/2006:18:09:51 +0200] - slapd started. Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory Server...
Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileH9SeEW 2>&1] (error: No such file or directory)
You can now use the console. Here is the command to use to start the console:
Why does it say "Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/fileH9SeEW 2>&1] (error: No such file or directory)"?
The ns-slapd is launched,
but I get the following error when I attempt to start the admin server:
"httpd.worker: Syntax error on line 151 of /opt/fedora-ds/admin-serv/config/httpd.conf: Cannot load /opt/fedora-ds/bin/admin/lib/libmodrestartd.so into server: /opt/fedora-ds/bin/admin/lib/libmodrestartd.so: undefined symbol: apr_filename_of_pathname"
I can start the console management, but I can't log in because the admin server is not started.
I also saw this post : https://www.redhat.com/archives/fedora-directory-users/2005-December/msg0...
It looks like your PassSync setup is working well. We should focus on
the FDS side of things. In your replication agreement, are you using
SSL and connecting to AD using port 636? Have you verified that you can
connect to AD via SSL using another LDAP client like JXplorer? You will
probably want to increase your logging level to include more replication
In the console, you should change the settings for your error log to
include replication info:
1. Log into console
2. Open your directory server
3. Click on the Config tab
4. Expand the Logs tree on the left
5. Select Error Log
6. Scroll down the form on the right until you see the Log Level list
7. Ctrl-click on the Replication entry
8. Click Save
Now you should be getting all replication data in your logs, in addition
The following command will set up a ssl proxy on port 8638 that forwards
connections to ADServer.domain.com. In the process it will decode the
ssl traffic, dump extra info, and continue listening after the first
connection, and dump everything into ~/ssltap.log
ssltap -sxl -p 8636 ADServer.domain.com:636 > ~/ssltap.log
In order to use this to debug replication you may have to set up a dummy
replication agreement, dummy OU and dummy users. Point to the local
host and port 8636 for the port, and then see what comes out. This is
totally and completely experimental on my part, and I have not done this
Spring Arbor University
"For even the Son of Man did not come to be served, but to serve, and to give His life a ransom for many"
Rob Crittenden <rcritten(a)redhat.com> wrote:
> Alex aka Magobin wrote:
> > today I tried to issue 2 server certs using the same CA...using the same
> > CN...I can make correctly the certs and in Manage Certificate I can see
> > both server certs with the same name...but when I try to establish ssl
> > encryption between servers:
> > NSMMReplicationPlugin -agmt="cn="Replication to
> > nodo1.domain.example.com""(nodo1:636): Simple bind failed, LDAP sdk
> > error 81 (Can't contact LDAP server), Netscape Portable Runtime error-
> > 12276 (Unable to communicate securely with peer: requested domain name
> > does not match the server's certificate.)
> > Is there someone that use two server Fedora DS to authenticate clients?
> > Even if I can browse in clear mode FDS both on nodo1 and nodo2...in
> > encrypt mode only one can certificate my clients?
> This isn't an SSL problem, it's a problem with the way you are trying to
> use it. You are trying to present the world with a single directory
> server and behind the scenes have 2 physical servers. Nothing wrong with
> this but you were told a while back that this could be a problem.
> You basically need your machine to answer to 2 separate things: its
> "real" hostname and the "cluster" hostname.
> As I see it, there are 2 ways to resolve this. I'm not a DS engineer so
> I can't say which one is more plausible/possible, and there may be other
> ways that I'm not seeing.
> 1. The easiest solution is to use a wildcard in the SSL server
> certificate hostname: CN=*.example.com. This is super ugly but should
> work. Note that you'll never get a CA like Verisign to issue you a
> wildcard server certificate. So if you are using your own self-signed CA
> during testing and plan to get server certs later from another CA beware.
> 2. I wonder if it is possible to set up multiple listeners and assign a
> separate SSL certificate to each one. Then you could have
> CN=host1.example.com on say port 638 for replication and
> CN=ldap.example.com on 636 for general use.
> I don't know if #2 is even possible right now. #1 definitely is but has
> issues. One of the reasons for SSL is to prevent man-in-the-middle
> attacks. This is precisely the problem you are having. SSL is detecting
> that things aren't lining up like they should and preventing you from
> continuing. While a wildcard certificate will get around this you must
> understand that you are also giving up a certain amount of security.
Does Directory Server support the subjectAltName extension on SSL certs?
If it does, then you could create a certificate with a subject of
cn=ldap.domain.example.com,... and a subjectAltName of something like
DNS:nodo1.domain.example.com. I think you can have multiple subjectAltName
extensions on one certificate.
See /usr/share/doc/openssl-0.9.7a/openssl.txt for some more details. I'm
not a DS engineer either, and while it's on my "to do" list, I haven't
tried this myself yet.
-- Steve Bonneville
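The hostname check behind the error Alex quoted (NSPR 12276, "requested domain name does not match the server's certificate") and the two fixes discussed above, Rob's wildcard CN and Steve's subjectAltName, worked through as an added example that is not from the thread. The hostnames are constructed from the ones in the thread, and the matching rules follow RFC 2818 / RFC 6125 as LDAP clients apply them.

```python
"""Hostname-vs-certificate checks as a TLS client (here, the replication
agreement's LDAP connection) applies them, following RFC 2818 / RFC 6125."""
from typing import Iterable, Optional

def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with the requested host. A single
    leading '*.' covers exactly one label; it never covers '.' or a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])

def cert_matches_host(cn: Optional[str], san_dns: Iterable[str], host: str) -> bool:
    """True if `host` is acceptable for a certificate with subject CN `cn` and
    subjectAltName dNSName values `san_dns`. Once any dNSName is present the CN
    is ignored, so the SAN list must repeat the 'public' name as well."""
    names = list(san_dns) or ([cn] if cn else [])
    return any(_name_matches(n, host) for n in names)

def thread_scenarios() -> dict:
    """The certificates discussed in the thread, checked against the host the
    replication agreement actually connects to (constructed names)."""
    cluster, node = "ldap.domain.example.com", "nodo1.domain.example.com"
    return {
        # Both servers present CN=<cluster name>, but the agreement dials nodo1:
        # this is the 'requested domain name does not match' failure.
        "cn_cluster_vs_node": cert_matches_host(cluster, [], node),
        # Rob's option 1: wildcard CN. Works, but now any host in the domain
        # passes, which is the loss of assurance he warns about.
        "wildcard_cn": cert_matches_host("*.domain.example.com", [], node),
        # A wildcard one level up does not reach a deeper label.
        "wildcard_too_high": cert_matches_host("*.example.com", [], node),
        # Steve's suggestion: CN stays the cluster name, SAN lists both names.
        "san_node": cert_matches_host(cluster, [cluster, node], node),
        "san_cluster": cert_matches_host(cluster, [cluster, node], cluster),
        # Pitfall: a SAN that omits the cluster name silently stops matching it.
        "san_without_cluster": cert_matches_host(cluster, [node], cluster),
    }
```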
I don't think it is an issue with settings in AD. Server 2003 will
automatically disable an account that is created with a blank password.
This seems to fit with what you are seeing, since the account is
immediately disabled in AD and the user is required to change their
password. Is your SSL setup working? You can use ssltap (in
/opt/fedora-ds/shared/bin if you used the installed defaults) to proxy
the connections and see what is going (or not going) back and forth.
Replication requires SSL in order to sync passwords, and unless it is
set up correctly on both FDS and the DC with PassSync, you will not get
any passwords, period. What do your logs in FDS say when you add a
user? Are there any errors? If the logs are not very informative, use
the console to increase the log level. Passwords are the trickiest part
of this setup, simply because they require SSL/certificates and an extra
app on the DC. The wiki has detailed instructions. If you need more
help, posting error messages and log info would be very helpful.
After I, with your help, successfully configured replication between servers,
I took a look at configuring client authentication through the LDAP
server...I have 2 questions:
1) Is it possible to add a user directly from Fedora DS as a posix user using
groups from the server?..I don't know if groups are integrated with the
system...is it possible to add server groups to Fedora DS groups?
2) Reading ssl howto I export CA certificate to client(fedora core5)
in /etc/openldap/cacerts....(some of steps in ssl howto are
automatically generated from fedora core 5 as installing in cacerts
directory in x509 mode) but when I try to check if ssl is enable the
[root@test]# ldapsearch -x -ZZ '(uid=testuser)'
ldap_start_tls: Connect error (-11)
additional info: TLS:hostname does not match CN in peer
How can I solve this?
Thanks for your reply.
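Both the opening question (getting existing local system accounts into the directory) and Alex's question 1 above (posix users and server groups in Fedora DS) come down to emitting posixAccount and posixGroup entries from /etc/passwd and /etc/group. The following is an added example, not code from the thread or from Fedora DS; the suffix dc=example,dc=com, the ou=People/ou=Groups containers and the UID/GID cutoffs are assumptions, and the passwd/group lines are constructed.

```python
"""Export /etc/passwd and /etc/group entries as LDIF posixAccount / posixGroup entries."""
import base64
BASE_DN = "dc=example,dc=com"   # assumed directory suffix; adjust to your tree
# Constructed sample input, not copied from any real system.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
vicente:x:500:100:Vicente Esquivel:/home/vicente:/bin/bash
alex:x:501:100:Alex Magobin,Room 12:/home/alex:/bin/bash
"""
GROUP = """users:x:100:vicente,alex
admins:x:502:alex
"""

def _attr(name: str, value: str) -> str:
    """One LDIF line; base64 (':: ') form when RFC 2849 forbids plain text."""
    plain = value.isascii() and value == value.strip() and value[:1] not in (":", "<")
    return f"{name}: {value}" if plain else f"{name}:: {base64.b64encode(value.encode()).decode()}"

def passwd_to_ldif(text: str = PASSWD, base_dn: str = BASE_DN, min_uid: int = 500) -> list[str]:
    """posixAccount entries for regular users; system accounts (uid < min_uid) stay local."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        if int(uid) < min_uid:
            continue
        cn = gecos.split(",")[0].strip() or name        # drop office/phone GECOS fields
        attrs = [f"dn: uid={name},ou=People,{base_dn}"]
        attrs += [f"objectClass: {oc}" for oc in ("top", "person", "organizationalPerson",
                                                  "inetOrgPerson", "posixAccount", "shadowAccount")]
        attrs += [_attr("uid", name), _attr("cn", cn), _attr("sn", cn.split()[-1]),
                  _attr("uidNumber", uid), _attr("gidNumber", gid),
                  _attr("homeDirectory", home), _attr("loginShell", shell)]
        entries.append("\n".join(attrs) + "\n")
    return entries

def group_to_ldif(text: str = GROUP, base_dn: str = BASE_DN, min_gid: int = 100) -> list[str]:
    """posixGroup entries carrying one memberUid per listed member."""
    entries = []
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        if int(gid) < min_gid:
            continue
        attrs = [f"dn: cn={name},ou=Groups,{base_dn}", "objectClass: top", "objectClass: posixGroup",
                 _attr("cn", name), _attr("gidNumber", gid)]
        attrs += [_attr("memberUid", m) for m in members.split(",") if m]
        entries.append("\n".join(attrs) + "\n")
    return entries
```

Password hashes are deliberately left out: the ":x:" field points at /etc/shadow, and crypt hashes imported as userPassword: {CRYPT}... only work if the directory's password storage scheme allows them, so set initial passwords through the directory instead.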
Let us take the scenario in which the consumer server is taken offline for
maintenance purposes. When the consumer server comes back online, how does it
initialize (update) its replica? Because in the meantime the supplier server may
have been updated.
If only supplier-initiated replication is supported by Fedora Directory Server,
how does the supplier know that the consumer has come back online?
> Does the Fedora Directory Server support consumer-initiated replication? If
> not, is there any workaround for this?
> No, Fedora DS does not support consumer-initiated replication. For what
> reasons do you require CIR?
> Please advise.