Vsevolod (Simon) Ilyushchenko
2005-Jul-13 16:21 UTC
[Fedora-directory-users] Database recreation, automount and performance
Hi,

I'm extremely glad FDS is now freely available and almost open-source. I have run into some issues when I started playing with it.

1. I've tried to port my OpenLDAP database to it and found that there is no automount objectclass specified by default. The automount and automountInformation classes are defined in Fedora schema extensions that come with the openldap RPM, so not having them in FDS is a little weird. I had to define them myself.

2. After a failed import I deleted the database and tried to recreate it. I went first to Configuration/Data/New Root Suffix and specified the base DN and the database name. Then I went to Data/<Server name:389>/New Root Object and tried to create the root entry, but got this error:

"Only the Directory Manager has the right to create the Root Entry. Log in as Directory Manager to be able to perform this operation."

I've checked that the manager DN is specified correctly in Configuration/Manager. I tried restarting the directory server, but that did not help. How do I reinitialize it?

3) Finally, the Java administration console is extremely slow. I'm running over an SSH connection, but my server is a 2.8 GHz machine with 512 MB of RAM. I wonder what console performance other people experience.

Thanks - I'm looking forward to deploying FDS with Windows sync!

Simon

--
Simon (Vsevolod Ilyushchenko) simonf@cshl.edu http://www.simonf.com
Terrorism is a tactic and so to declare war on terrorism is equivalent to Roosevelt's declaring war on blitzkrieg. Zbigniew Brzezinski, U.S. national security advisor, 1977-81
Rich Megginson
2005-Jul-13 16:47 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
Vsevolod (Simon) Ilyushchenko wrote:
> Hi,
>
> I'm extremely glad FDS is now freely available and almost open-source.
> I have run into some issues when I started playing with it.
>
> 1. I've tried to port my OpenLDAP database to it and found that there
> is no automount objectclass specified by default. The automount
> and automountInformation classes are defined in Fedora schema extensions
> that come with the openldap RPM, so not having them in FDS is a little
> weird. I had to define them myself.

The IETF LDAP community has decided to deprecate them in favor of the new netgroups stuff.

> 2. After a failed import I deleted the database and tried to recreate
> it. I went first to Configuration/Data/New Root Suffix and specified
> the base DN and the database name. Then I went to Data/<Server
> name:389>/New Root Object and tried to create the root entry, but got
> this error:
>
> "Only the Directory Manager has the right to create the Root Entry.
> Log in as Directory Manager to be able to perform this operation."
>
> I've checked that the manager DN is specified correctly in
> Configuration/Manager.

We don't yet have a way to set an ACI to allow users other than the Directory Manager (i.e. cn=Directory Manager, not the admin console user) to create the entry for a root suffix. In the console, you can Log In As New User, and specify cn=directory manager (or whatever you used for your directory manager user when you performed the initial installation).

> I tried restarting the directory server, but that did not help. How do
> I reinitialize it?
>
> 3) Finally, the Java administration console is extremely slow. I'm
> running over an SSH connection, but my server is a 2.8 GHz machine
> with 512 MB of RAM. I wonder what console performance other people
> experience.

It's not great. It is a huge Java/Swing application.

> Thanks - I'm looking forward to deploying FDS with Windows sync!
> Simon
George Holbert
2005-Jul-13 17:44 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
> The IETF LDAP community has decided to deprecate them in favor of the
> new netgroups stuff.

I thought automount, automountInformation, etc. were the most current way to store automount mappings in a directory. They still appear in the RFC2307bis draft:
http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt

However, it does make sense that they might not be included with FDS since RFC2307bis is still a work in progress.

What is the "new netgroups stuff"?

Thanks,
-- George

Rich Megginson wrote:
> Vsevolod (Simon) Ilyushchenko wrote:
>
>> Hi,
>>
>> I'm extremely glad FDS is now freely available and almost
>> open-source. I have run into some issues when I started playing with it.
>>
>> 1. I've tried to port my OpenLDAP database to it and found that there
>> is no automount objectclass specified by default. The automount
>> and automountInformation classes are defined in Fedora schema extensions
>> that come with the openldap RPM, so not having them in FDS is a little
>> weird. I had to define them myself.
>
> The IETF LDAP community has decided to deprecate them in favor of the
> new netgroups stuff.
>
>> 2. After a failed import I deleted the database and tried to recreate
>> it. I went first to Configuration/Data/New Root Suffix and specified
>> the base DN and the database name. Then I went to Data/<Server
>> name:389>/New Root Object and tried to create the root entry, but
>> got this error:
>>
>> "Only the Directory Manager has the right to create the Root Entry.
>> Log in as Directory Manager to be able to perform this operation."
>>
>> I've checked that the manager DN is specified correctly in
>> Configuration/Manager.
>
> We don't yet have a way to set an ACI to allow users other than the
> Directory Manager (i.e. cn=Directory Manager, not the admin console
> user) to create the entry for a root suffix. In the console, you can
> Log In As New User, and specify cn=directory manager (or whatever you
> used for your directory manager user when you performed the initial
> installation).
>
>> I tried restarting the directory server, but that did not help. How
>> do I reinitialize it?
>>
>> 3) Finally, the Java administration console is extremely slow. I'm
>> running over an SSH connection, but my server is a 2.8 GHz machine
>> with 512 MB of RAM. I wonder what console performance other people
>> experience.
>
> It's not great. It is a huge Java/Swing application.
>
>> Thanks - I'm looking forward to deploying FDS with Windows sync!
>> Simon
David Boreham
2005-Jul-13 18:21 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
> 3) Finally, the Java administration console is extremely slow. I'm
> running over an SSH connection, but my server is a 2.8 GHz machine
> with 512 MB of RAM. I wonder what console performance other people
> experience.

Console performance is great for me. There should be no performance problems per se on that hardware. What operations in particular seem slow?
Vsevolod (Simon) Ilyushchenko
2005-Jul-13 19:31 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
Rich,

Thanks for the quick answer! Perhaps this information should go into the FAQ - what do you think?

Rich Megginson wrote on 07/13/2005 12:47 PM:
> The IETF LDAP community has decided to deprecate them in favor of the
> new netgroups stuff.

OK, I'll reconfigure my entries. Does Fedora automounter understand the netgroups structure?

> We don't yet have a way to set an ACI to allow users other than the
> Directory Manager (i.e. cn=Directory Manager, not the admin console
> user) to create the entry for a root suffix. In the console, you can
> Log In As New User, and specify cn=directory manager (or whatever you
> used for your directory manager user when you performed the initial
> installation).

This is very non-trivial. :) Creating the root suffix now works, but I tried creating top-level entries one by one, as well as creating a new server in the administration console, and it all failed. I had to delete the RPM and reinstall it.

By the way, I found out that if I install the RPM a second time, the admin console tries to connect to port 15918, but the admin server is running on port 25394. I don't remember what port was used the first time. :(

This time I successfully created an SSL-enabled directory and was able to authenticate to it. I followed the steps here:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
to create a self-signed certificate.

For archives - the docs don't tell you that after running pk12util in step 9 you first have to enter the password 'secretpwd' that you've saved in the file pwdfile.txt, and then you have to create a different startup password. Later, when you start the server on the command line, this second password is required.

Simon
Vsevolod (Simon) Ilyushchenko
2005-Jul-13 19:36 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
David Boreham wrote on 07/13/2005 02:21 PM:
> Console performance is great for me. There should be
> no performance problems per se on that hardware.
> What operations in particular seem slow?

Switching tabs and in particular browsing the data. We only have a few hundred users, and it takes the GUI about 5 seconds to show the first batch of users (about 15), and the performance does not improve even after the whole list is loaded - clicking and scrolling take up to 10 seconds to respond. I'll probably stick with other tools for data administration if I don't find ways to improve the console speed.

Simon
David Boreham
2005-Jul-13 19:44 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
Vsevolod (Simon) Ilyushchenko wrote:
> Switching tabs and in particular browsing the data. We only have a few
> hundred users, and it takes the GUI about 5 seconds to show the first
> batch of users (about 15), and the performance does not improve even
> after the whole list is loaded - clicking and scrolling take up to 10
> seconds to respond. I'll probably stick with other tools for data
> administration if I don't find ways to improve the console speed.

This is atypical. Something's broken somewhere.
Rich Megginson
2005-Jul-13 19:51 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
Vsevolod (Simon) Ilyushchenko wrote:
> Rich,
>
> Thanks for the quick answer! Perhaps this information should go into
> the FAQ - what do you think?
>
> Rich Megginson wrote on 07/13/2005 12:47 PM:
>> The IETF LDAP community has decided to deprecate them in favor of
>> the new netgroups stuff.
>
> OK, I'll reconfigure my entries. Does Fedora automounter understand
> the netgroups structure?

I'm trying to find out some information about this.

>> We don't yet have a way to set an ACI to allow users other than the
>> Directory Manager (i.e. cn=Directory Manager, not the admin console
>> user) to create the entry for a root suffix. In the console, you can
>> Log In As New User, and specify cn=directory manager (or whatever you
>> used for your directory manager user when you performed the initial
>> installation).
>
> This is very non-trivial. :) Creating the root suffix now works, but I
> tried creating top-level entries one by one, as well as creating a new
> server in the administration console, and it all failed. I had to
> delete the RPM and reinstall it.

What problems did you have? I'm not sure what you did, or what you could have done to necessitate a reinstall.

> By the way, I found out that if I install the RPM a second time, the
> admin console tries to connect to port 15918, but the admin server is
> running on port 25394. I don't remember what port was used the first
> time. :(

After uninstall, remove your ~/.mcc directory, or edit the file in there after installation. The URL box in the login screen should have had a drop down list to let you select another one.

> This time I successfully created an SSL-enabled directory and was able
> to authenticate to it. I followed the steps here:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158
> to create a self-signed certificate.
>
> For archives - the docs don't tell you that after running pk12util in
> step 9 you first have to enter the password 'secretpwd' that you've
> saved in the file pwdfile.txt, and then you have to create a different
> startup password.

You can't use the same password?

> Later, when you start the server on the command line, this second
> password is required.
>
> Simon
Ben Steeves
2005-Jul-13 20:13 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
On 7/13/05, Vsevolod (Simon) Ilyushchenko <simonf@cshl.edu> wrote:
> 3) Finally, the Java administration console is extremely slow. I'm
> running over an SSH connection, but my server is a 2.8 GHz machine with
> 512 MB of RAM. I wonder what console performance other people experience.

Try using "-c blowfish" when you connect to the server. That ought to help a bit.

--
Ben Steeves                    _      bcs@metacon.ca
The ASCII ribbon campaign     ( )     ben.steeves@gmail.com
against HTML e-mail            X      GPG ID: 0xB3EBF1D9
http://www.metacon.ca/bcs     / \     Yahoo Messenger: ben_steeves
Vsevolod (Simon) Ilyushchenko
2005-Jul-13 20:20 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
Rich,

> What problems did you have? I'm not sure what you did, or what you
> could have done to necessitate a reinstall.

The second LDAP server I created would not start before the reinstall, but I can't replicate this problem any more. I was also able to add a top-level organizational unit now.

The earlier problems began after I deleted the top-level entry on the Configuration tab. That was probably not a smart thing to do, but I don't know how to delete all the data from the directory. Command-line ldapdelete won't work either, because recursive deletion is not supported by the server.

> After uninstall, remove your ~/.mcc directory, or edit the file in there
> after installation. The URL box in the login screen should have had a
> drop down list to let you select another one.

Okay - thanks!

>> For archives - the docs don't tell you that after running pk12util in
>> step 9 you first have to enter the password 'secretpwd' that you've
>> saved in the file pwdfile.txt, and then you have to create a different
>> startup password.
>
> You can't use the same password?

You can, of course, I just wanted to emphasize that they serve two different purposes.

Simon
Vsevolod (Simon) Ilyushchenko
2005-Jul-13 20:28 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
Ben Steeves wrote on 07/13/2005 04:13 PM:
> On 7/13/05, Vsevolod (Simon) Ilyushchenko <simonf@cshl.edu> wrote:
>> 3) Finally, the Java administration console is extremely slow. I'm
>> running over an SSH connection, but my server is a 2.8 GHz machine with
>> 512 MB of RAM. I wonder what console performance other people experience.
>
> Try using "-c blowfish" when you connect to the server. That ought to
> help a bit.

Thanks, Ben - I see approximately a twofold improvement in speed (though setting DISPLAY to my desktop manually speeds the program up even more, of course).

Simon
Rich Megginson
2005-Jul-13 20:29 UTC
Re: [Fedora-directory-users] Database recreation, automount and performance
Vsevolod (Simon) Ilyushchenko wrote:
> Rich,
>
>> What problems did you have? I'm not sure what you did, or what you
>> could have done to necessitate a reinstall.
>
> The second LDAP server I created would not start before the
> reinstall, but I can't replicate this problem any more. I was also
> able to add a top-level organizational unit now.
>
> The earlier problems began after I deleted the top-level entry on
> the Configuration tab. That was probably not a smart thing to do, but
> I don't know how to delete all the data from the directory.
> Command-line ldapdelete won't work either, because recursive deletion
> is not supported by the server.

Recursive deletion is supported by the console, in the directory browser.

>> After uninstall, remove your ~/.mcc directory, or edit the file in
>> there after installation. The URL box in the login screen should
>> have had a drop down list to let you select another one.
>
> Okay - thanks!
>
>>> For archives - the docs don't tell you that after running pk12util
>>> in step 9 you first have to enter the password 'secretpwd' that
>>> you've saved in the file pwdfile.txt, and then you have to create a
>>> different startup password.
>>
>> You can't use the same password?
>
> You can, of course, I just wanted to emphasize that they serve two
> different purposes.

Oh, right.

> Simon
Vsevolod (Simon) Ilyushchenko
2005-Aug-16 00:28 UTC
[Fedora-directory-users] Re: automount
Hi,

I've just run into the issue described here:
http://www.ldapguru.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=1478&forum=24

The problem is that both Fedora and Solaris would like to use an object class named "automount" for automount entries, but they define it differently. The solution suggested above is to modify the relevant object classes so that they contain the superset of the attributes for both platforms.

You (Rich) and others say that there should be a transition to nisObject/nisMap structure, but I still don't know where Fedora stands in this regard.

Thanks,
Simon

Rich Megginson wrote on 07/13/2005 03:51 PM:
>> OK, I'll reconfigure my entries. Does Fedora automounter understand
>> the netgroups structure?
>
> I'm trying to find out some information about this.
There has been a lot of confusion around this issue (mostly on my part). I think one of the problems is that rfc2307 support from OS vendors is now deprecated in favor of rfc2307bis
http://www.ietf.org/internet-drafts/draft-howard-rfc2307bis-01.txt,
which is still in Internet Draft phase (and is due to expire very quickly). A new draft is being worked on with the goal of generating a new RFC. The bis draft has one problem with it, in that it requires the use of the authPassword attribute (defined in RFC 3112 http://www.ietf.org/rfc/rfc3112.txt). FDS does not support this (and neither does OpenLDAP AFAICT).

I have attached a file called 10rfc2307bis.ldif. This is the schema from the 2307bis I-D in FDS schema format. The preferred way to map the automount information is to use the automount attributes and objectclasses in the RFC 2307bis draft schema. The problem is that I don't know all of the vendor support. So far I've been unable to find out what RHEL3 and RHEL4 support. I've been told that Solaris has support for the bis schema.

If you like, you can replace the 10rfc2307.ldif schema supplied with FDS with the attached file, and see what happens.

Vsevolod (Simon) Ilyushchenko wrote:
> Hi,
>
> I've just run into the issue described here:
> http://www.ldapguru.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=1478&forum=24
>
> The problem is that both Fedora and Solaris would like to use an object
> class named "automount" for automount entries, but they define it
> differently. The solution suggested above is to modify the relevant
> object classes so that they contain the superset of the attributes for
> both platforms.
>
> You (Rich) and others say that there should be a transition to
> nisObject/nisMap structure, but I still don't know where Fedora stands
> in this regard.
>
> Thanks,
> Simon
>
> Rich Megginson wrote on 07/13/2005 03:51 PM:
>>> OK, I'll reconfigure my entries. Does Fedora automounter understand
>>> the netgroups structure?
>>
>> I'm trying to find out some information about this.
Vsevolod (Simon) Ilyushchenko
2005-Aug-16 20:36 UTC
Re: [Fedora-directory-users] Re: automount
Rich Megginson wrote on 08/16/2005 11:01 AM:
> If you like, you can replace the 10rfc2307.ldif schema supplied with FDS
> with the attached file, and see what happens.

Aha - this looks similar to the Solaris scheme. Thanks!

Simon
The file "local.conf" contains many parameters to control the behavior of the administration server (for the FDS console). It looks to me like this file is auto-generated from attributes stored in o=NetscapeRoot when you start the admin server. However, I'm not yet 100% sure on this.

Does anyone happen to know if local.conf is auto-generated entirely based on attributes under o=NetscapeRoot? I'm wondering if a
George Holbert wrote:
> The file "local.conf" contains many parameters to control the behavior
> of the administration server (for the FDS console).
> It looks to me like this file is auto-generated from attributes stored
> in o=NetscapeRoot when you start the admin server. However, I'm not
> yet 100% sure on this.
>
> Does anyone happen to know if local.conf is auto-generated entirely
> based on attributes under o=NetscapeRoot? I'm wondering if a

Yes, it's generated.
Hi, all. I've been battling this for days now, with no luck. I've got fds up & running and linux clients authenticating w/o problems. Solaris has so far been a royal pain.

This is what I've done so far:
- imported the 2 schemas that a kind soul sent me (dua & nis)
- added the nisDomain object
- added a few users to test
- copied the ldap_file & ldap_cred files from Gary Tay's site
- added a default simple profile
- ran ldap-genprofile to get the NS1 password, put it in the cred file.
- added ldap to the nsswitch.conf

Yet the solaris box doesn't see the ldap server. In the dmesg, I see this:

Aug 24 09:16:34 unknown getent[1506]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Aug 24 09:18:07 unknown nscd[1498]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
Aug 24 09:18:07 unknown nscd[1498]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.

Can anybody point me in the right direction? I'm about to start kicking the solaris server...
Justin Albstmeijer
2005-Aug-24 14:24 UTC
Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
My 2 cents

- test with: ldapsearch -h ldapserver.domain.nl -s base -b "" "objectclass=*" , to see if you can query the server.
- make sure the posix account has the "shadowAccount" attribute
- SSHA is default used by FDS for password encryption.. this should be CRYPT.
import:
------------------------------
dn: cn=config
changetype: modify
replace: passwordstoragescheme
passwordstoragescheme: CRYPT
------------------------------
- make sure to use "simple" instead of "tls:simple" for your initial tests
- use : ldapclient -v -P default -D "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d domain.nl -w proxy_password {ipnumber_ldap_server} , to create the ldap_file & ldap_cred files
- make sure you run the latest recommended patch cluster.

I'm working on documentation.. maybe I'll have time to publish it sometime soon.

Justin
> Hi, all. I've been battling this for days now, with
> no luck. I've got fds up & running and linux clients
> authenticating w/o problems. Solaris has so far been
> a royal pain.
>
> This is what I've done so far:
> - imported the 2 schemas that a kind soul sent me (dua
> & nis)
> - added the nisDomain object
> - added a few users to test
> - copied the ldap_file & ldap_cred files from Gary
> Tay's site
> - added a default simple profile
> - ran ldap-genprofile to get the NS1 password, put it
> in the cred file.
> - added ldap to the nsswitch.conf
>
> Yet the solaris box doesn't see the ldap server. In
> the dmesg, I see this:
>
> Aug 24 09:16:34 unknown getent[1506]: [ID 293258
> user.error] libsldap: Status: 7 Mesg: Session error
> no available conn.
> Aug 24 09:18:07 unknown nscd[1498]: [ID 293258
> user.error] libsldap: Status: 7 Mesg: Session error
> no available conn.
> Aug 24 09:18:07 unknown nscd[1498]: [ID 293258
> user.error] libsldap: Status: 7 Mesg: Session error
> no available conn.
>
> Can anybody point me in the right direction? I'm
> about to start kicking the solaris server...
Justin Albstmeijer
2005-Aug-24 16:44 UTC
Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
> I went ahead and got the ldapsearch. It worked.
> ldaplist is just busted, I guess.

No, ldaplist just depends on a successful creation of the /var/ldap/* files.

>> - make sure the posix account has the
>> "shadowAccount" attribute
>
> Added it. I went to user, properties, posixAccount,
> advanced, add value -> shadowAccount. Not sure if
> that's the right way of doing it or not...

That's ok

>> - use : ldapclient -v -P default -D
>> "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d
>> domain.nl -w proxy_password
>> {ipnumber_ldap_server} , to create the ldap_file &
>> ldap_cred files
>
> Yea -- that's where I hit another problem:

Nope this is the main problem.

> Handling init option
> About to configure machine by downloading a profile
> findBaseDN: begins
> findBaseDN: Stopping ldap
> findBaseDN: calling __ns_ldap_default_config()
> found 2 namingcontexts
> findBaseDN: __ns_ldap_list(NULL,
> "(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
> rootDN[0] dc=foo,dc=com
> found baseDN nisdomain=composers.foo.com,dc=foo,dc=com
> for domain composers.foo.com
> The download of the profile failed.
> Could not read the profile 'default'.
> Perhaps it does not exist or you don't have sufficient
> rights to read it.
>
> However, from the FDS server itself, ldapsearch -x
> shows this: (snipped)
>
> # default, profile, foo.com
> dn: cn=default,ou=profile,dc=foo,dc=com
> defaultSearchBase: dc=foo,dc=com
> authenticationMethod: simple
> followReferrals: TRUE
> bindTimeLimit: 2
> profileTTL: 43200
> searchTimeLimit: 30
> objectClass: top
> objectClass: DUAConfigProfile
> defaultServerList: cnyitlin02.composers.foo.com
> credentialLevel: proxy
> cn: default
> defaultSearchScope: one

Could you do a "ldapclient -u", stop ldapcachemgr/nscd, remove everything from /var/ldap. Then try the first ldapsearch test query but this time authenticating as proxyagent.

What value has "nisdomain" in the FDS tree?

Try the ldapclient -v -P... line again.
--- Justin Albstmeijer <justin@VLAMea.nl> wrote:
> My 2 cents
>
> - test with: ldapsearch -h ldapserver.domain.nl -s
> base -b ""
> "objectclass=*" , to see if you can query the
> server.

Yea -- I can't. (there's no ldapsearch on this machine, so I used ldaplist)

bash-2.03# ldaplist
ldaplist: Object not found (Session error no available conn.
)

Same error message. This is a pretty fundamental problem, no? I mean, like you said -- the FDS needs to be switched from ssha to crypt, etc but regardless, shouldn't ldaplist work?

I also have iDS installed I suppose I can scp ldapsearch from there...
--- Justin Albstmeijer <justin@VLAMea.nl> wrote:
> My 2 cents
>
> - test with: ldapsearch -h ldapserver.domain.nl -s
> base -b ""
> "objectclass=*" , to see if you can query the
> server.

I went ahead and got the ldapsearch. It worked. ldaplist is just busted, I guess.

> - make sure the posix account has the
> "shadowAccount" attribute

Added it. I went to user, properties, posixAccount, advanced, add value -> shadowAccount. Not sure if that's the right way of doing it or not...

> - SSHA is default used by FDS for password
> encryption.. this should be CRYPT.

Done -- thank you!

> - make sure to use "simple" instead of "tls:simple"
> for your initial tests
> - use : ldapclient -v -P default -D
> "cn=proxyagent,ou=profile,dc=domain,dc=nl" -d
> domain.nl -w proxy_password
> {ipnumber_ldap_server} , to create the ldap_file &
> ldap_cred files

Yea -- that's where I hit another problem:

Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 2 namingcontexts
findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=composers.foo.com))"
rootDN[0] dc=foo,dc=com
found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient rights to read it.

However, from the FDS server itself, ldapsearch -x shows this: (snipped)

# default, profile, foo.com
dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: default
defaultSearchScope: one

So, the profile is there but what's this about the rights???

> - make sure you run the latest recommended patch
> cluster.

Did that already.
Justin Albstmeijer
2005-Aug-24 17:37 UTC
Re: [Fedora-directory-users] getting solaris 8 to talk to FDS
Just checking,

> ldapsearch -D "uid=proxyagent,ou=profile,dc=foo,dc=com"...

> # proxyagent, profile, foo.com
> dn: cn=proxyagent,ou=profile,dc=foo,dc=com
> objectClass: top
> objectClass: person
> sn: proxyagent
> cn: proxyagent

uid=proxyagent, does not match cn=proxyagent.
no password field?

> dn: nisdomain=composers.foo.com,dc=foo,dc=com
> nisDomain: composers.foo.com
> objectClass: top
> objectClass: nisdomainobject

I would expect:

dn: dc=foo,dc=com
nisDomain: composers.foo.com
objectClass: top
objectClass: nisDomainObject

> defaultServerList: cnyitlin02.composers.foo.com

replace the hostname with the ipnumber of the server.
> Could you do a "ldapclient -u", stop ldapcachemgr/nscd, remove everything
> from /var/ldap.
> Then try the first ldapsearch test query but this time authenticating as
> proxyagent.

Worked! I get a bunch of stuff:

bash-2.03# ldapsearch -D "uid=proxyagent,ou=profile,dc=foo,dc=com" -w password -h cnyitlin02 -s base -b "" "objectclass=*"
objectClass=top
namingContexts=dc=foo,dc=com
namingContexts=o=NetscapeRoot
supportedExtension=2.16.840.1.113730.3.5.7
supportedExtension=2.16.840.1.113730.3.5.8
supportedExtension=2.16.840.1.113730.3.5.3
supportedExtension=2.16.840.1.113730.3.5.5
supportedExtension=2.16.840.1.113730.3.5.6
[blah blah]

> What value has "nisdomain" in the FDS tree?

# composers.foo.com, foo.com
dn: nisdomain=composers.foo.com,dc=foo,dc=com
nisDomain: composers.foo.com
objectClass: top
objectClass: nisdomainobject

> Try the ldapclient -v -P... line again.

same result:

found baseDN nisdomain=composers.foo.com,dc=foo,dc=com for domain composers.foo.com
The download of the profile failed.
Could not read the profile 'default'.
Perhaps it does not exist or you don't have sufficient rights to read it.
bash-2.03#

one small note: I removed the old proxy agent:

# proxyagent, profile, foo.com
dn: cn=proxyagent,ou=profile,dc=foo,dc=com
objectClass: top
objectClass: person
sn: proxyagent
cn: proxyagent

and added this (hoping that'll fix it):

# proxyAgent, profile, foo.com
dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
uid: proxyAgent
givenName: Proxy
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Agent
cn: Proxy Agent

needless to say, it did nothing.
--- Justin Albstmeijer <justin@VLAMea.nl> wrote:

> uid=proxyagent, does not match cn=proxyagent.

yeah, that's from before. Now I have uid everywhere.

dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
uid: proxyAgent

> no password field?

well, in the UI, I put a password in. When I do ldapsearch -x it doesn't show. ACI?

> > dn: nisdomain=composers.foo.com,dc=foo,dc=com
> > nisDomain: composers.foo.com
> > objectClass: top
> > objectClass: nisdomainobject
>
> I would expect:
>
> dn: dc=foo,dc=com
> nisDomain: composers.foo.com
> objectClass: top
> objectClass: nisDomainObject

well.. It got in there from this:

objectClass: nisDomainObject
nisDomain: composers.foo.com

which I got from Gary's site. If you think I should change it, I'll change it.

> > defaultServerList: cnyitlin02.composers.foo.com
>
> replace the hostname with the ipnumber of the server.

Did. Didn't help.

Also, I have two profiles total:

dn: cn=default,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
credentialLevel: proxy
cn: default
defaultSearchScope: one

dn: cn=tls_profile,ou=profile,dc=foo,dc=com
defaultSearchBase: dc=foo,dc=com
authenticationMethod: tls:simple
followReferrals: FALSE
bindTimeLimit: 10
profileTTL: 43200
searchTimeLimit: 30
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
credentialLevel: proxy
cn: tls_profile
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com
serviceSearchDescriptor: group: ou=group,dc=foo,dc=com
serviceSearchDescriptor: shadow: ou=People,dc=foo,dc=com
defaultSearchScope: one

(the tls_profile still has the fqdn.)

However, my primary default profile does not have the searchDescriptors. Is that a problem?
Here's what I get when I run ldapsearch:

bash-2.03# ldapsearch -h cnyitlin02 -b "dc=foo,dc=com" -L "objectclass=*" -D "uid=proxyagent,ou=profile,dc=foo,dc=com" -w password
dn: dc=foo,dc=com
dn: cn=Directory Administrators, dc=foo,dc=com
dn: gidnumber=5000,cn=Directory Administrators,dc=foo,dc=com
dn: gidnumber=6000,dc=foo,dc=com
dn: uid=testdba,gidnumber=6000,dc=foo,dc=com
dn: ou=profile,dc=foo,dc=com
dn: cn=default,ou=profile,dc=foo,dc=com
dn: cn=tls_profile,ou=profile,dc=foo,dc=com
dn: nisdomain=composers.foo.com,dc=foo,dc=com
dn: uid=proxyAgent,ou=profile,dc=foo,dc=com

how do I get rid of the nisdomain in there? moreover, do I need to?
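As an added example, not code from the thread, from Fedora Directory Server or from Solaris: a small Python checker that encodes the points Justin raised above (the bind DN's RDN attribute must exist on the proxy entry, the entry needs a userPassword, nisDomainObject belongs on the search base rather than on its own nisdomain= entry, defaultServerList should hold an IP) together with the two open questions in Simon's last messages, the missing serviceSearchDescriptor in the default profile and the stray nisdomain entry. The sample LDIF is constructed from the entries posted in the thread; cnyitlin02, 149.85.70.17 and the dc=foo,dc=com tree are the thread's own values, and the userPassword in the corrected LDIF is a placeholder.

```python
"""Added example, not from the thread: check the LDIF an ldapclient profile
download depends on, encoding the points raised in the thread above.
Sample data below is constructed from the entries posted in the thread."""
import ipaddress

# Constructed: the entries as posted, condensed to the attributes that matter.
THREAD_LDIF = """\
dn: cn=default,ou=profile,dc=foo,dc=com
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17

dn: cn=tls_profile,ou=profile,dc=foo,dc=com
objectClass: DUAConfigProfile
defaultServerList: cnyitlin02.composers.foo.com
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com

dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
objectClass: inetorgperson
uid: proxyAgent

dn: nisdomain=composers.foo.com,dc=foo,dc=com
objectClass: nisdomainobject
nisDomain: composers.foo.com
"""

# Constructed: the same data with each finding addressed (password is a placeholder).
FIXED_LDIF = """\
dn: dc=foo,dc=com
objectClass: nisDomainObject
nisDomain: composers.foo.com

dn: cn=default,ou=profile,dc=foo,dc=com
objectClass: DUAConfigProfile
defaultServerList: 149.85.70.17
serviceSearchDescriptor: passwd: ou=People,dc=foo,dc=com

dn: uid=proxyAgent,ou=profile,dc=foo,dc=com
objectClass: inetorgperson
uid: proxyAgent
userPassword: PLACEHOLDER-set-a-real-hash
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr_lower: [values]}}. Skips comment
    lines; subset only (no folded lines, no base64 '::', no change records)."""
    entries, dn, attrs = {}, None, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn, attrs = value.strip(), {}
            elif attrs is not None:
                attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def check_profile_setup(entries, bind_dn, search_base="dc=foo,dc=com"):
    """Return a list of findings; an empty list means every check passed."""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    classes = lambda a: [c.lower() for c in a.get("objectclass", [])]
    by_dn = {norm(dn): (dn, a) for dn, a in entries.items()}
    findings = []
    # 1. The proxy entry exists, its RDN attribute is really set on it (the
    #    uid= vs cn= mismatch above) and it carries a userPassword.
    rdn_attr, _, rdn_val = bind_dn.split(",", 1)[0].partition("=")
    proxy = by_dn.get(norm(bind_dn))
    if proxy is None:
        findings.append(f"bind DN {bind_dn} does not exist")
    else:
        have = [v.lower() for v in proxy[1].get(rdn_attr.strip().lower(), [])]
        if rdn_val.strip().lower() not in have:
            findings.append(f"{proxy[0]}: RDN attribute {rdn_attr} is not set on the entry")
        if "userpassword" not in proxy[1]:
            findings.append(f"{proxy[0]}: no userPassword, proxy bind cannot succeed")
    # 2. nisDomainObject belongs on the search base, not on a separate entry.
    base = by_dn.get(norm(search_base))
    if base is None or "nisdomainobject" not in classes(base[1]):
        findings.append(f"{search_base}: missing objectClass nisDomainObject / nisDomain")
    findings += [f"stray entry {dn}: move nisDomain onto {search_base}"
                 for dn in entries if norm(dn).startswith("nisdomain=")]
    # 3. Each DUAConfigProfile lists servers by IP and carries search descriptors.
    for dn, a in entries.items():
        if "duaconfigprofile" not in classes(a):
            continue
        for server in a.get("defaultserverlist", []):
            try:
                ipaddress.ip_address(server.split(":")[0])  # host[:port], IPv4 assumed
            except ValueError:
                findings.append(f"{dn}: defaultServerList '{server}' is a hostname, use the IP")
        if "servicesearchdescriptor" not in a:
            findings.append(f"{dn}: no serviceSearchDescriptor, every map uses defaultSearchBase")
    return findings
```

Run `check_profile_setup(parse_ldif(THREAD_LDIF), "uid=proxyAgent,ou=profile,dc=foo,dc=com")` to get one finding per point in the thread; the same call on FIXED_LDIF returns nothing. One caveat on the password check: a userPassword that is absent from ldapsearch output may simply be hidden from the bound user by an ACI, which is the question Simon raises above, so confirm that one as Directory Manager before touching the entry.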
