> Date: Mon, 02 Oct 2006 10:01:55 -0600
> From: Richard Megginson <rmeggins@redhat.com>
>
> Sergio Diaz wrote:
>> Hi Richard;
>>
>> Openldap:
>>
>> The *meta* backend to *slapd(8)
>> <http://docsrv.caldera.com:8457/cgi-bin/man?mansearchword=slapd&mansection=8>*
>> performs basic LDAP proxying with respect
>> to a set of remote LDAP servers, called "targets". The information
>> contained in these servers can be presented as belonging to a single
>> Directory Information Tree (DIT).
>>
>> Is it possible with FDS?
>>
> FDS has a chaining backend which allows you to use another LDAP server
> to store the data.

It sounds like the FDS chaining backend is similar to OpenLDAP back-ldap and/or the chaining overlay. In OpenLDAP back-ldap forwards a request to one other server (at a time; multiple servers can be configured but the others will only be used if the first server cannot be contacted). The back-meta backend is a superset of back-ldap, it can fan out single requests to multiple servers in parallel and aggregate the results. (There's also attribute mapping and DN rewriting, but those capabilities are no longer unique to back-meta, having been moved into the rewrite overlay.) With these modules you can stitch together a variety of heterogeneous directories into a coherent virtual directory.

>> Regards!!
>> Sergio
>>
>> On Mon, 2006-10-02 at 07:25 -0600, Richard Megginson wrote:
>>> Sergio Diaz wrote:
>>>> Hi People,
>>>>
>>>> Is it possible to sync only one way?
>>>>
>>>> Users Windows AD -> FDS.
>>> No, not really.
>>>> Or the other scenario is like OpenLDAP having a Meta Backend (2 LDAPs,
>>>> 1 AD); is it possible with FDS?
>>> It's possible. What does the meta backend do?
>>>>
>>>> Regards,
>>>> Sergio

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
Hello all,

I've been working on getting chaining working with an active directory back end for a week now. Has anyone successfully done this or have directions on setting this up?

Brian Smith
FDS, OpenLDAP and AD

One Directory FDS... I want these directions too...
Chaining Backend...

Regards,
Sergio

On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote:
> Hello all, I've been working on getting chaining working with an active
> directory back end for a week now. Has anyone successfully done this or
> have directions on setting this up?
>
> Brian Smith
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
It may be that AD doesn't support proxied auth, in which case you should tell chaining to disable it. See http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180 for more information - the pertinent attribute is nsProxiedAuthorization

Brian Smith wrote:
> All,
> Here's what I've now done to enable the AD back end DB for a sub tree:
> 1. Click configuration and select the "dc=domain,dc=com" tree.
> 2. Right click "dc=domain,dc=com" tree and select new sub suffix
> 3. In New Suffix box, typed "ou=subsuffix1" and unchecked create
>    associated database automatically and click OK.
> 4. Open "dc=domain,dc=com" and right click
>    "ou=subsuffix1,dc=domain,dc=com", and select "new database link".
> 5. Here, I put Database link name "subsuffix1", put the bind dn and
>    password of a domain user account in my AD, and put the domain
>    controller ip in the remote server box and clicked save. (I can
>    connect to my AD with the DN I provided here)
> 6. Check enable this suffix under ou=subsuffix1,dc=worldpub,dc=corp
>
> Now subsuffix1 database appears under ou=subsuffix1,dc=domain,dc=com.
> If I now go to the directory tab, and select the directory entry, I
> get critical extension unavailable and if I use an ldap browser I get
> list failed on the main tree. Did I miss a step? If I disable the
> ou=subsuffix1,dc=domain,dc=com suffix I can browse the tree no
> problem. Thanks!
> Brian Smith
Hi all,

I successfully connected the AD Back End DB to FDS like Brian Smith. I disabled the nsProxiedAuthorization (comment by Richard Megginson) in Plugins->Chaining Database->AD (the name of my Sub Suffix), but I can't Browse the Directory: "Critical Extension unavailable".

- In the Console I can search Users and Groups of my AD and FDS =) Happy!!

Two Questions:

Is it possible to Map the Attributes like:

map attribute uid sAMAccountName
map attribute cn name
map attribute mail userprincipalname
map attribute account user

Is it possible to Link the Database of the AD only for Read?

I would like to write a Howto for these settings.

Regards,
Sergio
Sergio Diaz wrote:
> Hi all,
>
> I successfully connected the AD Back End DB to FDS like Brian Smith. I
> disabled the nsProxiedAuthorization (comment by Richard Megginson) in
> Plugins->Chaining Database->AD (the name of my Sub Suffix), but I
> can't Browse the Directory: "Critical Extension unavailable".

I don't understand. You can't "Browse" the directory, but you can search Users and Groups?

> - In the Console I can search Users and Groups of my AD and FDS =) Happy!!
>
> Two Questions:
> Is it possible to Map the Attributes like:
>
> map attribute uid sAMAccountName
> map attribute cn name
> map attribute mail userprincipalname
> map attribute account user

No.

> Is it possible to Link the Database of the AD only for Read?

You might be able to set the Chaining Database to be readonly in its settings.

> I would like to write a Howto for these settings.
>
> Regards,
> Sergio
On 10/13/06, Richard Megginson <rmeggins@redhat.com> wrote:
> Sergio Diaz wrote:
> > Hi all,
> >
> > I successfully connected the AD Back End DB to FDS like Brian Smith. I
> > disabled the nsProxiedAuthorization (comment by Richard Megginson) in
> > Plugins->Chaining Database->AD (the name of my Sub Suffix), but I
> > can't Browse the Directory: "Critical Extension unavailable".
> I don't understand. You can't "Browse" the directory, but you can
> search Users and Groups?

Yes. Look at the screenshots -> SearchAD.png and BrowseCritical.png
In the Console I can Search Users from AD or FDS.
In the Directory Server, in the Directory tab, I can't Browse the Settings of my Domain (Critical Extension Unavailable)

Map Attributes No.
OK

> > Is it possible to Link the Database of the AD only for Read?
> You might be able to set the Chaining Database to be readonly in its
> settings.

In which part can I do this?

Regards,
Sergio
Sergio Diaz wrote:> On 10/13/06, *Richard Megginson* <rmeggins@redhat.com > <mailto:rmeggins@redhat.com>> wrote: > > Sergio Diaz wrote: > > Hi all, > > > > I successfully connect the AD Back End DB to FDS like Brian > Smith, i > > disable the nsProxiedAuthorization (comment by Richard Meggison) in > > Plugins->Chaining Database->AD (is the name of my Sub Suffix), > but i > > cant Browse the Directory "Critical Extension unavailable". > I don''t understand. You can''t "Browse" the directory, but you can > search Users and Groups? > > > Yes. Look the ScreenShots -> SearchAD.png and BrowseCritical.png > In the Console i can Search Users from AD or FDS. > In the Directory Sever in TAB Directory i cant Browse the Settings of > my Domain (Critical Extension Unavailable)I see. The browser uses lots of tricks to make the display look correct - manage dsait, sorting, vlv. I''m not sure which of these AD is complaining about. You might try to first disable manage dsait. Go to the View menu and make sure Sort and Follow Referrals are unchecked. Then again, it may be that there is so much Fedora DS specific stuff in the console directory browser that you may not be able to use it with AD.> > Map Attributes No. > OK > > > > > > Its possible to Link the Database of the AD only for Read ? > You might be able to set the Chaining Database to be readonly in its > settings. > > > In wich part i can do this ? > > > Regards, > Sergio > > > I like to write a Howto for this settings. > > > > Regards, > > Sergio > > > > > > > > > > > > > > On 10/2/06, *Richard Megginson* <rmeggins@redhat.com > <mailto:rmeggins@redhat.com> > > <mailto:rmeggins@redhat.com <mailto:rmeggins@redhat.com>>> wrote: > > > > It may be that AD doesn''t support proxied auth, in which > case you > > should > > tell chaining to disable it. 
See > > > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180 > > < > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#21180> > > for more information - the pertinent attribute is > > nsProxiedAuthorization > > > > Brian Smith wrote: > > > All, > > > Here''s what I''ve now done to enable the AD Back end DB for > a sub > > tree: > > > 1. Click configuration and select the "dc=domain,dc=com" > tree. > > > 2. Right click "dc=domain,dc=com" tree and select new > sub suffix > > > 3. In New Suffix box, typed "ou=subsuffix1" and > unchecked create > > > associated database automatically and click OK. > > > 4. Open "dc=domain,dc=com" and right click > > > "ou=subsuffix1,dc=domain,dc=com, and select "new database > link. > > > 5. Here, I put Database link name "subsuffix1", put the bind > > dn and > > > password of a domain user account in my AD, and put the > domain > > > controller ip in the remote server box and clicked save. > (I can > > > connect to my AD with the DN I provided here) > > > 6. Check enable this suffix under > > ou=subsuffix1,dc=worldpub,dc=corp > > > > > > now subsuffix1 database appears under > > ou=subsuffix1,dc=domain,dc=com. > > > If I now go to the directory tab, and select the directory > entry, i > > > get critical extension unavailable and if i use an ldap > browser > > i get > > > list failed on the main tree. Did i miss a step? If I > disable the > > > ou=subsuffix1,dc=domain,dc=com suffix i can browse the tree no > > > problem. Thanks! > > > Brian Smith > > > > > > > > > > > > Sergio Diaz wrote: > > >> > > >> FDS, OpenLDAP and AD > > >> > > >> One Directory FDS.....i want this directions to... > > >> Chaining Backend... > > >> > > >> Regards, > > >> Sergio > > >> > > >> On Mon, 2006-10-02 at 14:12 -0400, Brian Smith wrote: > > >>> Hello all, I''ve been working on getting chaining working > with > > an active > > >>> directory back end for a week now. 
>     >     >>> Has anyone successfully done this or
>     >     >>> have directions on setting this up?
>     >     >>>
>     >     >>> Brian Smith

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
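One way to narrow down which control the remote server is rejecting, as suggested in the reply above: compare the controls a request carries against the `supportedControl` values in the remote server's root DSE. This is an added example, not code from the thread or from Fedora DS; the root DSE excerpt is constructed, and the criticality flags in the sample request are assumptions.

```python
# Control OIDs for the features named in the thread.
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"    # RFC 3296
SERVER_SIDE_SORT = "1.2.840.113556.1.4.473"  # RFC 2891
VLV_REQUEST = "2.16.840.1.113730.3.4.9"      # virtual list view
PROXIED_AUTHZ = "2.16.840.1.113730.3.4.18"   # RFC 4370, always critical

# Constructed root DSE excerpt (not captured from a real server); one value
# is folded onto a continuation line to exercise LDIF unfolding.
SAMPLE_ROOT_DSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.
 3.4.9
supportedLDAPVersion: 3
"""

def supported_controls(ldif_text):
    """Return the set of supportedControl OIDs found in root DSE LDIF."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folding: join continuation
        else:
            unfolded.append(line)
    oids = set()
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedcontrol":
            oids.add(value.strip())
    return oids

def classify(request_controls, supported):
    """Apply RFC 4511 section 4.1.11 to (oid, critical) pairs.

    Returns (rejected, ignored): an unsupported critical control fails the
    operation with unavailableCriticalExtension (12); an unsupported
    non-critical control is ignored by the server.
    """
    rejected = [o for o, crit in request_controls if crit and o not in supported]
    ignored = [o for o, crit in request_controls if not crit and o not in supported]
    return rejected, ignored

if __name__ == "__main__":
    # Hypothetical browse request; criticality values are assumed.
    browse = [(MANAGE_DSA_IT, True), (SERVER_SIDE_SORT, False),
              (VLV_REQUEST, True), (PROXIED_AUTHZ, True)]
    print(classify(browse, supported_controls(SAMPLE_ROOT_DSE)))
```

To use it against a real deployment, replace `SAMPLE_ROOT_DSE` with the LDIF output of a base-scope search on the remote server's root DSE requesting `supportedControl`.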