I'm trying to list all my users in Fedora Console (Users and Groups tab)
just hitting the search button, but only the first 1000 users are shown and a
message saying "Search returned the maximum number of results allowed
(1000). Try narrowing the search" appears. Is there an option to show all
users, not only the first 1000? I tried to set search limits for the admin user
(in account properties) to -1, but it only works for the Directory tab, not for
the Users and Groups tab. I'm using FDS 1.0.4 (rpm package) on CentOS 4.4.
I was wondering if it's possible to use the certificates of Fedora DS for an
Apache webserver running on the LDAP server.
Is it possible to export the certificates in the cert7 and key3 databases
and use the exported certificates for setting up an SSL enabled Apache?
If it's possible, how should I go about it?
Thanks in advance,
I have fds 1.04 on fedora 6, and it had been running well for 3 months. Today I
shut down the server to move it into a new building. After startup the
server is running well, but when I run startconsole I get this:
Exception in thread "main" java.lang.NoClassDefFoundError:
Is there any hint how to fix this?
For anyone curious, the slides from my presentation at the SambaXP
conference last week are now up on my web site.
Much of the material on malloc benchmarking was already presented at
SCALE5x earlier this year. New material in these slides includes
benchmark results for OpenLDAP 2.3.34 vs FedoraDS 1.0.4, OpenDS 0.1-34,
and ApacheDS 1.0.1 on Linux 2.6. The machine used for these tests is the
same SunFire X4100 used in these tests last year
Some earlier discussion of these results is also on the Connexitor blog:
We didn't test Microsoft ActiveDirectory because we don't have a 64 bit
build of it available, nor do we have a 64 bit Windows system available.
I suppose we can run those tests and publish those results sometime down
the road. If anybody is interested in helping to run more tests along
these lines, feel free to contact me. (Judging from the information
I don't think there'd be any different news on that front anyway.)
This round of benchmarking was quite educational. We discovered a memory
leak in FedoraDS (and reported that to their maintainers, of course).
Analyzing the results also shows that while FDS' entry cache is
reasonably effective, they have a performance bottleneck in their
frontend, most likely in connection management. I didn't profile it to
get a closer look, though I'm sure a profiler would make the culprit
Also FDS is too memory hungry, which causes their server to run out of
memory much sooner than OpenLDAP (running on the identical machine, with
identical cache memory settings, indices, workload, etc...) so their
performance drops off quite sharply as database sizes increase and
memory becomes constrained. (This is something different from the malloc
degradation I was observing in OpenLDAP before, although FDS appears to
be affected by that as well.)
We also observed that Sun/Fedora's documentation and advice on
performance tuning for their servers is wrong, and we can obtain better
performance by ignoring their recommendations. Even though Sun, Fedora,
and OpenLDAP all use BerkeleyDB, it's obvious that they don't use it as
effectively as we do.
Given the extremely young age of the OpenDS code base I'd say they've
done a really good job thus far, even managing to beat FDS in one test.
But I'd also say they've gotten as good as they can possibly get with a
pure Java solution; indeed their future plans for entry caching require
support outside the JVM (e.g. using a tmpfs cache). Since they're still
at best 3x slower than OpenLDAP, it's unlikely they will ever achieve
their stated goal of delivering high performance with a Java code base.
Another thing to keep in mind - unlike FedoraDS (and Sun DSEE), OpenLDAP
is fully RFC compliant, does full schema checking, and fully implements
the X.500 data model. It does all that and is still over 3 times faster.
It's not just about speed; correctness still comes first. With good
engineering you don't have to sacrifice correctness to get performance.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
I'm working on the migration of a complex application from OpenLDAP
to FDS. Currently I'm trying to rebuild the access permissions in
- First of all, I think I'm not the first one with the problem, so:
are there any tools, which can convert slapd.conf access directives
to FDS ACIs (in ldif format for example)?
- What is the FDS ACI right equivalent to "auth" (=x) in OpenLDAP?
- I'm having various groups in my ldap tree, which are all of the
class groupOfNames (RFC 2256) but the graphical console doesn't show
them as groups. Can I use the groupdn keyword in ACIs to test for
membership in these groups anyway or do I have to change them to
groupOfUniqueNames (in which case I would have to change the data as
well as the membership attribute would be uniqueMember instead of
Any useful hints are highly appreciated,
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
----- Forwarded message -----
From: "Сафонов Алексей" <alex-saf(a)npc.vrn.ru>
To: "Aaron Bliss" <ABliss(a)preferredcare.org>
Sent: 3 May 2007 16:54:01 (GMT+0300) Europe/Moscow
Subject: Re: [Fedora-directory-users] Map FDS group to Posix group
Many thanks for your answer.
All has worked.
----- Original message -----
From: "Aaron Bliss" <ABliss(a)preferredcare.org>
To: "??????? ???????" <alex-saf(a)npc.vrn.ru>, fedora-directory-users(a)redhat.com
Sent: 2 May 2007 17:05:46 (GMT+0300) Europe/Moscow
Subject: RE: [Fedora-directory-users] Map FDS group to Posix group
I think you're asking if you can assign a gid to a group, and the answer
is yes. In our organization, in order to continue with redhat's use of
private groups, when a new user is created in fds, I do the following:
-create the user object, defining posix attributes of uid, gid, default
-I also create a group of the same name (in a separate OU for
organizational purposes), add the new user to that group, then add the
posixgroup object class to the group, and then define the gid value
(same gid value as defined for the user object).
While I'm doing the same work twice, I like maintaining redhat's private
group structure. I'm sure there is an easier way to do this, however,
the above works great for us.
[mailto:email@example.com] On Behalf Of ???????
Sent: Wednesday, May 02, 2007 5:13 AM
Subject: [Fedora-directory-users] Map FDS group to Posix group
There is deployed server FDS. In the catalogue there are users and
groups. At users properties of the Posix-user are included and
accordingly established uid and gid. But specified gid have no attitude
to groups to which the user in FDS belongs. It is the extremely
inconvenient. Whether it is possible to map with groups FDS to groups
There is deployed server FDS. In the catalogue there are users and groups. At users properties of the Posix-user are included and accordingly established uid and gid. But specified gid have no attitude to groups to which the user in FDS belongs. It is the extremely inconvenient. Whether it is possible to map with groups FDS to groups UNIX/POSIX somehow?
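The private-group scheme described in the reply above (a posixGroup named after each user, carrying the same gid value and listing the user as a member) can be checked against an LDIF export. This is an added example, not part of the original thread; the suffix, OU names, sample entries and the membership attributes checked (uniqueMember or memberUid) are assumptions.

```python
from collections import defaultdict

# Constructed sample LDIF, trimmed to the attributes checked; suffix, OUs and
# names are assumptions. jdoe is consistent, asmith has no private group.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
gidNumber: 5001

dn: cn=jdoe,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: jdoe
gidNumber: 5001
uniqueMember: uid=jdoe,ou=People,dc=example,dc=com

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: asmith
gidNumber: 5002
"""

def parse_ldif(text):
    """Parse plain 'attr: value' records (no base64 or folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def audit_private_groups(entries):
    """Return (uid, problem) pairs; DNs are compared as exact strings."""
    is_a = lambda e, oc: oc in (v.lower() for v in e["objectclass"])
    groups = {e["cn"][0]: e for e in entries if is_a(e, "posixgroup")}
    findings = []
    for user in (e for e in entries if is_a(e, "posixaccount")):
        uid, dn = user["uid"][0], user["dn"][0]
        group = groups.get(uid)
        if group is None:
            findings.append((uid, "no posixGroup named after the user"))
        elif group["gidnumber"] != user["gidnumber"]:
            findings.append((uid, "gidNumber differs between user and group"))
        elif dn not in group["uniquemember"] and uid not in group["memberuid"]:
            findings.append((uid, "user is not a member of the group"))
    return findings
```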
Does Fedora Directory Server support IPv6? The only mention of it that
I've found was in the Roadmap, for v 1.0.3:
Upgrade to NSPR 4.6.3, NSS 3.11.3, LDAPCSDK 6.0.0 (with sasl/ipv6
It wasn't clear to me whether this means the entire product supports
IPv6, or if it's just the underlying lib upgrade that happened to
support it. Also, I'm assuming if IPv6 support really is present, then
it would include IPSEC as well...
Any info would be appreciated. Thanks!
I have built and installed fedora-ds 1.0.4 twice now using the dsbuild
script. Once with a jdk of 184.108.40.206 (64bit) and once with a jdk of
The ds builds fine, I run the setup and go through the wizard,
everything is installed, started up and running. When I try to connect
using the console I get:
"Cannot connect to the directory server: netscape.ldap.LDAPException:
error result (32); No such object"
I then look in the access log of the ldap server and see:
[27/Apr/2007:10:42:13 -0400] conn=7 fd=65 slot=65 connection from
192.168.1.162 to 192.168.1.222
[27/Apr/2007:10:42:13 -0400] conn=7 op=0 BIND dn="(null)" method=128
[27/Apr/2007:10:42:13 -0400] conn=7 op=0 RESULT err=32 tag=97 nentries=0
I know that what is *supposed* to be in the BIND dn field is more along
the lines of:
[27/Apr/2007:10:34:29 -0400] conn=135705 fd=76 slot=76 connection from
192.168.1.162 to 192.168.1.121
[27/Apr/2007:10:34:29 -0400] conn=135705 op=0 BIND dn="uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
[27/Apr/2007:10:34:29 -0400] conn=135705 op=0 RESULT err=0 tag=97
It seems like the java console is not properly passing the uid that I
type into the console login to the directory server. I have attempted
to login both locally on the server (again with system vm JDK 1.5 and
with the whole thing rebuilt using 1.4.2) and get the same error. I
also am using a remote console on a windowsxp machine (that works fine
going to my other FDS server, running fedora os, 1.0.2 @ 192.168.1.121)
and get the error.
I am using the system versions of net-snmp and cyrus-sasl which are:
All the other deps are:
dev-lang/perl-5.8.8-r2 (URI 1.35)
Back when Fedora DS 1.0.2 was the current version I successfully built
and installed it on a 64-bit gentoo system at home and everything is
working great. I imagine 1.0.4 doesn't like a newer version of one of
the system utils/libraries?
I know the ldap server is functioning properly:
# cd /opt/fedora-ds/shared/bin
# ./ldapsearch -b o=netscaperoot -D "cn=directory manager" -w password
dn: cn=configuration, cn=admin-serv-mbn, cn=Fedora Administration
erver Group, cn=mbn.pki, ou=pki, o=NetscapeRoot
Any help would be much appreciated.
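The BIND and RESULT lines quoted in the post above can be paired by their conn and op numbers to list failed binds together with the client address and the DN that was logged. This is an added example, not part of the original post; the sample is constructed from the lines quoted there, and the function names are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample: the access-log lines quoted in the post, joined back
# onto single lines. The last RESULT line is left as short as the post has it.
SAMPLE_LOG = """\
[27/Apr/2007:10:42:13 -0400] conn=7 fd=65 slot=65 connection from 192.168.1.162 to 192.168.1.222
[27/Apr/2007:10:42:13 -0400] conn=7 op=0 BIND dn="(null)" method=128
[27/Apr/2007:10:42:13 -0400] conn=7 op=0 RESULT err=32 tag=97 nentries=0
[27/Apr/2007:10:34:29 -0400] conn=135705 fd=76 slot=76 connection from 192.168.1.162 to 192.168.1.121
[27/Apr/2007:10:34:29 -0400] conn=135705 op=0 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
[27/Apr/2007:10:34:29 -0400] conn=135705 op=0 RESULT err=0 tag=97
"""

BindEvent = namedtuple("BindEvent", "time conn client dn err")

PREFIX = r"\[(?P<time>[^\]]+)\] conn=(?P<conn>\d+) "
CONNECT = re.compile(PREFIX + r"fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to \S+")
BIND = re.compile(PREFIX + r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=\S+')
# tag=97 is the bind response, as in both RESULT lines quoted in the post.
RESULT = re.compile(PREFIX + r"op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=97\b")

def parse_binds(log_text):
    """Pair each BIND with its RESULT (tag=97) using the conn and op numbers."""
    clients, pending, events = {}, {}, []
    for line in log_text.splitlines():
        if m := CONNECT.match(line):
            clients[m["conn"]] = m["src"]
        elif m := BIND.match(line):
            pending[m["conn"], m["op"]] = m["dn"]
        elif m := RESULT.match(line):
            dn = pending.pop((m["conn"], m["op"]), None)
            if dn is not None:
                events.append(BindEvent(m["time"], int(m["conn"]),
                                        clients.get(m["conn"]), dn, int(m["err"])))
    return events

def failed_binds(events):
    """Binds the server rejected (err != 0), such as err=32 for dn="(null)"."""
    return [e for e in events if e.err != 0]
```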