I was wondering what the best way to set up multi-master replication was when
multiple suffixes exist on each supplier.
Should we first set up each supplier with the same root suffix in the
userRoot DB, then set up replication, then create the 2nd suffix in a
separate database and set up replication for this suffix ...
I'm currently trying to use the mmr script to set up replication without success.
I have 2 Fedora DS servers running each with a different suffix in
their userRoot and would like to set up replication to each other.
Thanks in advance,
I'm trying to get started testing out Fedora Directory Server with the
goal of replacing our OpenLDAP infrastructure. Most of our servers are
RHEL3/4 so there are no big issues there since there are already
prepackaged binary RPMS for those platforms.
But we do have two RHEL2.1 servers which we will definitely need packages
for in order to do any migration to FDS. Upgrading these servers to
RHEL3/4 is not an option. Looking at the spec file of the SRPM from
RHEL3 it seems like dependencies won't be a problem, but the spec file
itself is a mess and doesn't come close to building everything (which I
understand is a work in progress).
So my questions are: has anyone got FDS running well on RHEL2.1 (either
by compiling directly from source, shoehorning the RPM from RHEL3 or
building the RPM from the SRPM)? Has anyone written their own spec file
from scratch to build FDS in its entirety from sources? I also wanted to
change the installation prefix from /opt so getting a working and
complete spec file would be very desirable.
Hi people, I made two scripts (slapd-application and admin server) for
SuSE 9.x and 10.x systems.
I based them on the scripts for RH (in the wiki).
If somebody finds any error please make the fix or report it to the list :)
Excuse my English :)
Instructions to set up (for the default install path):
chmod 755 fedora-ds
cp fedora-ds /etc/init.d/
ln -s /etc/init.d/fedora-ds /usr/sbin/rcfedora-ds
Edit /etc/init.d/fedora-ds and change the APP_NAME variable value to the name of you
and enable the service in YaST or in the console:
chkconfig fedora-ds on
chmod 755 fedora-ds-admin
cp fedora-ds-admin /etc/init.d/
ln -s /etc/init.d/fedora-ds-admin /usr/sbin/rcfedora-ds-admin
and enable the service in YaST or in the console:
chkconfig fedora-ds-admin on
I find that it is this
I am asking for help solving a problem with the ldapsearch utility.
There is a problem carrying out synchronization between FDS and AD. I have done the following:
1) Installed FDS
2) Configured SSL-enabled FDS. For this purpose I started the script
setupssl.sh (http://directory.fedora.redhat.com/download/setupssl.sh) from
the HOWTO "Howto:SSL" (http://directory.fedora.redhat.com/wiki/Howto:SSL)
3) Restarted FDS.
netstat -atupn | grep ns-
tcp 0 0 :::389 :::* LISTEN 6039/ns-slapd
tcp 0 0 :::636 :::* LISTEN 6039/ns-slapd
4) Enabled SSL on AD.
Installed Certificate Services
Checked with the ldp.exe utility:
Connection parameters: Server - srv-vm1.mup-example.vrn.ru
Port - 636
ld = ldap_sslinit("srv-vm1.mup-example.vrn.ru", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to srv-vm1.mup-example.vrn.ru.
Retrieving base DSA information...
5) Imported the AD CA certificate in DER format.
6) Copied, converted (to PEM) and installed the AD CA certificate in FDS. Check:
[root@asterisk1 alias]# /opt/fedora-ds/shared/bin/certutil -L -d . -P
CA certificate CTu,u,u
ad-cert CT,C,C <- install this
7) [root@asterisk1 alias]# ldapsearch -Z -P
rv-vm1.mup-example.vrn.ru -p 636 -D
"cn=Administrator,cn=users,dc=mup-examle,dc=vrn,dc=ru" -w secret01 -s
base -b "dc=mup-example,dc=vrn,dc=ru" "objectclass=*"
ldapsearch: unabel to parse protocol version
Fedora Core 5 (i386)
Fedora Directory Server 1.0.2
Windows 2003 Server (DC - srv-vm1.mup-example.vrn.ru)
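Before relying on the imported AD CA for the final ldapsearch, it is worth confirming that the NSS database actually trusts it for SSL; the certutil listing in step 6 shows that through the trust flags. The following is an added example, not code from the post: it parses the listing format of NSS "certutil -L" (nickname, then a trust string with SSL, S/MIME and JAR/XPI slots, where C marks a trusted CA and u a certificate with a private key) and reports which nicknames would validate a server certificate. The sample listing is constructed from the post's output plus a server cert and the two header lines a real listing carries; the function names are my own.

```python
"""Verify that the AD CA imported into the Fedora DS NSS database is trusted for
SSL before using it for an LDAPS search.

Added example, not code from the list post. It parses the listing format of
NSS 'certutil -L -d <certdir>' (nickname, then a trust string with three
comma-separated slots: SSL, S/MIME, JAR/XPI). In the SSL slot 'C' marks a
trusted CA, 'T' a CA trusted for client certificates and 'u' a cert with a
private key. The listing below is constructed to match the post's output.
"""
import re

# Constructed sample: what 'certutil -L -d .' printed in the post, plus a
# server cert and the two header lines a real listing carries.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA certificate                                               CTu,u,u
ad-cert                                                      CT,C,C
Server-Cert                                                  u,u,u
"""

# A listing row: nickname (may contain single spaces), at least two spaces,
# then three flag groups separated by commas; any group may be empty.
LINE_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$"
)


def parse_certutil_listing(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags)."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                       # header and blank lines never match
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def trusted_ca_for_ssl(certs, nickname):
    """True only if the nickname is present and its SSL slot carries 'C'.

    'T' alone is not enough: it trusts the CA to issue client certificates,
    not to vouch for the server certificate an LDAPS peer presents.
    """
    flags = certs.get(nickname)
    return flags is not None and "C" in flags[0]


def ssl_trusted_cas(certs):
    """All nicknames that would validate a server certificate."""
    return sorted(n for n in certs if trusted_ca_for_ssl(certs, n))


if __name__ == "__main__":
    listing = parse_certutil_listing(SAMPLE_LISTING)
    for nick in listing:
        print(f"{nick:20} ssl-CA={trusted_ca_for_ssl(listing, nick)}")
```

Run against the real database with the output of certutil -L -d on the alias directory; a CA that shows up with only u or T in the first slot will not validate the AD server certificate, whatever the ldapsearch options are.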
I recently set up fedora-ds and managed to configure several FC5
machines to authenticate and get user information from the LDAP server.
Unfortunately, the laptop isn't always connected to the network so when
it boots up, the process hangs when it tries to start the "message bus".
I figure the process blocks when it tries to change UID to that of the
dbus user. When the machine isn't connected to the network (i.e. no cable
and wireless isn't available), the process just hangs.
Any suggestions on fixing this?
Richi Plana <richip(a)richip.dhs.org>
I've set up my Fedora box to authenticate SSH sessions off Fedora
Directory, however I'm having some trouble getting X sessions to
I searched on Google and found someone with exactly the same problem,
unfortunately no one seemed to have an answer for them at the time:
Is anyone successfully authenticating X sessions with GDM & LDAP?
Trying to do a "one-step" build. It's failing during the compile of
nss_expr_eval.c: In function `nss_expr_eval_comp':
nss_expr_eval.c:116: error: `ap_regex_t' undeclared (first use in this
nss_expr_eval.c:116: error: (Each undeclared identifier is reported only
nss_expr_eval.c:116: error: for each function it appears in.)
nss_expr_eval.c:116: error: `regex' undeclared (first use in this function)
nss_expr_eval.c:121: error: syntax error before ')' token
nss_expr_eval.c:133: error: syntax error before ')' token
make: *** [nss_expr_eval.lo] Error 1
make: Leaving directory
make: *** [build-work/mod_nss-1.0.2/Makefile] Error 2
make: Leaving directory `/usr/local/src/dsbuild-fds102/ds/mod_nss'
make: *** [dep-../../ds/mod_nss] Error 2
Any clues would be appreciated.
In an application I'm currently developing I'm using the internal
attribute nsaccountlock to lock out accounts. While trying to set the
attribute I ran into trouble since it is multi-valued: the result was
that an account at one point had the nsaccountlock attribute set to
"null, true" (multi-value).
I solved the problem by altering 00-core.ldif (sorry) and making
nsaccountlock single-valued because I can't think of a scenario
where you would want to have the account status set to multiple values.
Since then I've not run into trouble and I'm testing it now in a MM
environment (starting to test it).
Does anyone have any experience with this approach or can someone point
out the risks I'm taking with this?
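The "null, true" state arises because an LDAP add modification appends a value to a multi-valued attribute instead of overwriting it. An alternative to changing the schema is to only ever write the attribute with a replace modification, and to audit for entries that already have more than one value. The following is an added example, not code from the post: it assumes the Fedora DS convention that an account is locked when nsaccountlock is "true" (case-insensitive) and active when the attribute is absent, the entries are constructed, and the function names are my own.

```python
"""Lock and unlock accounts with nsaccountlock without letting the attribute
become multi-valued.

Added example, not code from the list post. It assumes the Fedora DS
convention that an account is locked when nsaccountlock is 'true'
(case-insensitive) and active when the attribute is absent; the entries
below are constructed. The change records use 'replace', so a second
value such as 'null' can never accumulate next to 'true', which is how
the attribute ends up as 'null, true' when values are added instead.
"""
LOCK_ATTR = "nsaccountlock"


def lock_state(values):
    """Classify the lock attribute's values: 'locked', 'unlocked' or 'ambiguous'.

    Exactly one meaningful value is required; 'true' beside anything else
    (the post's 'null, true') is reported as ambiguous instead of being
    silently read as locked or unlocked.
    """
    norm = {v.strip().lower() for v in values if v is not None}
    if not norm:
        return "unlocked"          # attribute absent: account is active
    if norm == {"true"}:
        return "locked"
    if norm == {"false"}:
        return "unlocked"
    return "ambiguous"


def lock_modify_ldif(dn, lock):
    """LDIF modify record that sets or clears the lock atomically.

    Locking replaces the whole attribute with the single value 'true'.
    Unlocking replaces it with no values, which removes the attribute and,
    unlike 'delete', succeeds even when it was already absent.
    """
    lines = [f"dn: {dn}", "changetype: modify", f"replace: {LOCK_ATTR}"]
    if lock:
        lines.append(f"{LOCK_ATTR}: true")
    lines.append("-")
    return "\n".join(lines) + "\n"


def audit_entries(entries):
    """DNs whose lock attribute is not in a single, unambiguous state."""
    return [dn for dn, attrs in entries.items()
            if lock_state(attrs.get(LOCK_ATTR, [])) == "ambiguous"]


# Constructed sample directory content: one locked, one active, one in the
# inconsistent multi-valued state described in the post.
SAMPLE_ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": {LOCK_ATTR: ["true"]},
    "uid=bob,ou=People,dc=example,dc=com": {},
    "uid=carol,ou=People,dc=example,dc=com": {LOCK_ATTR: ["null", "true"]},
}

if __name__ == "__main__":
    print(audit_entries(SAMPLE_ENTRIES))
    print(lock_modify_ldif("uid=carol,ou=People,dc=example,dc=com", True))
```

Feeding the record from lock_modify_ldif to ldapmodify repairs an ambiguous entry in one operation, because replace discards every existing value first; the audit function is the check to run after replication has converged on each master.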
Can Fedora Directory Server be used:
1) to provide enterprise-wide identity for employees?
2) can this be integrated into access cards (flash / swipe)?
3) can this be integrated into an EPABX?
4) can we replace the Windows Active Directory PDC which is authenticating my Windows and *NIX workstations with a Samba PDC using Fedora Directory Server?
5) Can my Cisco PIX, Squid proxy, IPSec / SSL-VPN or any other application (Apache, Zimbra, Subversion, Jive Wildfire IM, etc. which can talk to Active Directory and OpenLDAP for authentication) be configured to get user authentication from Fedora Directory Server?
6) SSO? Can I integrate Fedora Directory Server into my Windows and *NIX workstation logons? Will it result in the email clients (MS Outlook 200x, Mozilla Thunderbird 1.x, Kontact 1.2.x) and my browsers (IE 5.x & above, Mozilla Firefox 1.x) getting authenticated automagically and serving what they are intended to, i.e. send / receive emails, browse the internet, etc., without asking the user to key in his/her email id, email password, etc.?
Please clarify my doubts.
Thanks & Regards
I was wondering if you could do replication between 2 LDAP servers that
each have a different root suffix (e.g. eu.example.com and
na.example.com) and replicate both parts to each other. Both
servers have a different suffix in their userRoot database.
Another question is
When looking in the replication agreement the supplier has port 389
and the consumer has port 636. How can I get the supplier port to be
636 also? Or is this not needed for security?
Is there somewhere a list explaining the different status error codes?
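On the port question: in a replication agreement the port is where the supplier connects to the consumer, and changing it to 636 on its own does not make the session use LDAPS; the agreement's transport setting decides that, and each direction of a multi-master pair is a separate agreement with its own settings. The following is an added example, not code from the post: a small audit that flags agreements whose port, transport and bind method disagree. It assumes the Fedora/389 DS agreement attributes nsDS5ReplicaHost, nsDS5ReplicaPort, nsDS5ReplicaTransportInfo (LDAP or SSL) and nsDS5ReplicaBindMethod (SIMPLE or SSLCLIENTAUTH); the agreement entries are constructed and the function names are my own.

```python
"""Audit replication agreements for port/transport mismatches.

Added example, not code from the list post. It assumes the Fedora/389 DS
agreement attributes nsDS5ReplicaHost, nsDS5ReplicaPort,
nsDS5ReplicaTransportInfo ('LDAP' for cleartext, 'SSL' for LDAPS) and
nsDS5ReplicaBindMethod ('SIMPLE' or 'SSLCLIENTAUTH'); the agreements below
are constructed. Setting the port to 636 by itself does not encrypt
anything: the transport attribute decides, and each direction of a
multi-master pair is its own agreement with its own settings.
"""


def _attr(entry, name):
    """First value of an attribute, matched case-insensitively like LDAP does."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values[0] if isinstance(values, list) else values
    return None


def audit_agreement(entry):
    """Findings for one agreement; an empty list means the settings agree."""
    host = _attr(entry, "nsDS5ReplicaHost") or "?"
    port = int(_attr(entry, "nsDS5ReplicaPort") or 0)
    transport = (_attr(entry, "nsDS5ReplicaTransportInfo") or "LDAP").upper()
    bind = (_attr(entry, "nsDS5ReplicaBindMethod") or "SIMPLE").upper()

    findings = []
    if transport == "SSL" and port == 389:
        findings.append(f"{host}: transport SSL on the cleartext port 389")
    if transport == "LDAP" and port == 636:
        findings.append(f"{host}: port 636 but transport LDAP, so LDAPS is not used")
    if transport == "LDAP" and bind == "SIMPLE":
        findings.append(f"{host}: simple bind credentials cross the wire in cleartext")
    return findings


def audit_all(agreements):
    """cn -> findings, for a list of agreement entries."""
    return {_attr(a, "cn"): audit_agreement(a) for a in agreements}


# Constructed sample: the two directions of a multi-master pair, one
# correctly on LDAPS and one that only changed the port number.
SAMPLE_AGREEMENTS = [
    {"cn": ["eu-to-na"], "nsDS5ReplicaHost": ["na.example.com"],
     "nsDS5ReplicaPort": ["636"], "nsDS5ReplicaTransportInfo": ["SSL"],
     "nsDS5ReplicaBindMethod": ["SIMPLE"]},
    {"cn": ["na-to-eu"], "nsDS5ReplicaHost": ["eu.example.com"],
     "nsDS5ReplicaPort": ["636"], "nsDS5ReplicaTransportInfo": ["LDAP"],
     "nsDS5ReplicaBindMethod": ["SIMPLE"]},
]

if __name__ == "__main__":
    for cn, findings in audit_all(SAMPLE_AGREEMENTS).items():
        print(cn, findings or "ok")
```

Run it over the agreement entries exported from cn=config on each master; a pair is only protected in both directions when both agreements come back clean.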