Richard Megginson
2007-Jul-16 16:08 UTC
Re: [Fedora-directory-users] questions about FDS and distro/email groups
Adam Valenzuela wrote:
> Hello all,
>
> I have a question about FDS and the ability to make a distro/email group. Here is some background. Currently running openldap as my GAL and we want to switch to FDS because the people we sync with all use exchange. I have FDS 1.0.3 stood up and running. I exported my ldif file from my openldap server which has both email accounts and distro groups. When I imported them into FDS all the email addresses were stripped. At first I thought it was the syntax of the openldap ldif file, and at first it was and I wasn't able to import anything. Now I can import without any errors but no email addresses come up, just user account info.
>
> What did I do wrong?

Did you migrate the access control information from openldap to Fedora DS?
Adam Valenzuela
2007-Jul-16 16:13 UTC
[Fedora-directory-users] questions about FDS and distro/email groups
Hello all,

I have a question about FDS and the ability to make a distro/email group. Here is some background. Currently running openldap as my GAL and we want to switch to FDS because the people we sync with all use exchange. I have FDS 1.0.3 stood up and running. I exported my ldif file from my openldap server which has both email accounts and distro groups. When I imported them into FDS all the email addresses were stripped. At first I thought it was the syntax of the openldap ldif file, and at first it was and I wasn't able to import anything. Now I can import without any errors but no email addresses come up, just user account info.

What did I do wrong?

Thank you in advance,

--
Thank you,
Adam A. Valenzuela
I'm trying to create a new group "cn=testgroup" under the "ou=Groups" which is already provided by default. The testgroup has an "entryid" attribute. However, when I try to add the "gidNumber" attribute through the "Add Attribute" Tab, it doesn't seem to be listed.

SWA
Richard Megginson
2007-Jul-16 22:57 UTC
Re: [Fedora-directory-users] questions about FDS and distro/email groups
Adam Valenzuela wrote:
> we had no aci's on the openldap side.
>
> On 7/16/07, Richard Megginson <rmeggins@redhat.com> wrote:
> > Adam Valenzuela wrote:
> > > Hello all,
> > >
> > > I have a question about FDS and the ability to make a distro/email group. Here is some background. Currently running openldap as my GAL and we want to switch to FDS because the people we sync with all use exchange. I have FDS 1.0.3 stood up and running. I exported my ldif file from my openldap server which has both email accounts and distro groups. When I imported them into FDS all the email addresses were stripped. At first I thought it was the syntax of the openldap ldif file, and at first it was and I wasn't able to import anything. Now I can import without any errors but no email addresses come up, just user account info.

Can you post a relevant excerpt of the LDIF file you exported from OpenLDAP?

> > > What did I do wrong?
> > Did you migrate the access control information from openldap to Fedora DS?
Adam Valenzuela
2007-Jul-16 23:01 UTC
Re: [Fedora-directory-users] questions about FDS and distro/email groups
we had no aci's on the openldap side.

On 7/16/07, Richard Megginson <rmeggins@redhat.com> wrote:
> Did you migrate the access control information from openldap to Fedora DS?

--
Thank you,
Adam A. Valenzuela
Adam Valenzuela
2007-Jul-17 00:52 UTC
Re: [Fedora-directory-users] questions about FDS and distro/email groups
There is company sensitive information inside the ldif so I am unable to send you a copy, but if you tell me what you're looking for I can troll for it.

On 7/16/07, Richard Megginson <rmeggins@redhat.com> wrote:
> Can you post a relevant excerpt of the LDIF file you exported from OpenLDAP?

--
Thank you,
Adam A. Valenzuela
Richard Megginson
2007-Jul-17 02:15 UTC
Re: [Fedora-directory-users] questions about FDS and distro/email groups
Adam Valenzuela wrote:
> There is company sensitive information inside the ldif so I am unable to send you a copy, but if you tell me what you're looking for I can troll for it.

Well I'm not exactly sure, but I get the impression that something is wrong.

What people usually do is obscure company sensitive information before posting e.g.
dn: uid=XXXXX,ou=people,dc=example,dc=com
uid: XXXXX
userPassword: XXXXXXX
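Added example, not part of the original thread or of Fedora DS: a Python sketch of the masking Richard describes, which keeps attribute names (so a reader can still see whether `mail` is present in the export) while hiding every value. The suffix `dc=corp,dc=internal`, the sample entries and all function names are constructed for illustration.

```python
import base64
import re

KEEP_VALUES = {"objectclass", "changetype", "version"}  # schema/structure, not company data
KEEP_RDN_TYPES = {"ou"}  # keeps the tree layout readable
MASK = "XXXXX"
LINE = re.compile(r"^([A-Za-z0-9;.-]+)(::|:<|:)\s*(.*)$")

def unfold(ldif_text):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif_text).splitlines()

def redact_dn(dn, real_suffix, fake_suffix="dc=example,dc=com"):
    """Mask RDN values and swap the real suffix for a placeholder."""
    tail = []
    if dn.lower().endswith(real_suffix.lower()):
        dn = dn[: len(dn) - len(real_suffix)].rstrip(",")
        tail = [fake_suffix]
    parts = []
    for rdn in filter(None, re.split(r"(?<!\\),", dn)):  # unescaped commas only
        rtype = rdn.partition("=")[0].strip()
        keep = rtype.lower() in KEEP_RDN_TYPES
        parts.append(rdn.strip() if keep else f"{rtype}={MASK}")
    return ",".join(parts + tail)

def redact_ldif(ldif_text, real_suffix):
    """Return the LDIF with values masked; attribute names survive."""
    out = []
    for line in unfold(ldif_text):
        m = LINE.match(line)
        attr, sep, value = m.groups() if m else ("", "", "")
        base = attr.split(";")[0].lower()
        if line.startswith("#"):        # comments can leak hostnames: drop them
            continue
        if line in ("", "-"):           # entry / modification separators
            out.append(line)
        elif not m:                     # unparseable line: fail closed
            out.append(MASK)
        elif base == "dn":
            if sep == "::":             # base64-encoded DN
                value = base64.b64decode(value).decode("utf-8")
            out.append("dn: " + redact_dn(value, real_suffix))
        elif base in KEEP_VALUES:
            out.append(f"{attr}{sep} {value}")
        else:
            out.append(f"{attr}: {MASK}")
    return "\n".join(out) + "\n"

# Constructed sample: a comment, a base64 value, a folded value, a base64 DN.
B64_DN = base64.b64encode(b"cn=Sales List,ou=Groups,dc=corp,dc=internal").decode()
SAMPLE = f"""# exported from old server
dn: uid=jdoe,ou=People,dc=corp,dc=internal
objectClass: inetOrgPerson
mail: jane.doe@corp.internal
userPassword:: Q09OU1RSVUNURUQ=
description: first line of a long val
 ue that continues

dn:: {B64_DN}
mail: sales@corp.internal
"""

if __name__ == "__main__":
    print(redact_ldif(SAMPLE, "dc=corp,dc=internal"))
```

A line-by-line substitution that skips the unfolding step would leave the second half of a folded value in the posted text, and one that ignores `dn::` would post the base64 DN, which decodes to the real name.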
You have to add the objectClass first before you can add certain attributes because it belongs to that objectclass. ie ObjectClass in your case would be posixGroup then you can add gidNumber.

Or better yet if doing lots of object manipulation I strongly recommend you learn how to edit objects via the command line, it's more powerful and adapt if you are modifying/adding/deleting several objects in the LDAP directory. Ie in your case, Unix groups and membership which I've documented for reference on my website http://www.csse.uwa.edu.au/~ashley, look at "LDAP HOWTO Fedora Directory Server via Command line"

Cheers then,
Ashley

> I'm trying to create a new group "cn=testgroup" under the "ou=Groups" which is already provided by default. The testgroup has an "entryid" attribute. However, when I try to add the "gidNumber" attribute through the "Add Attribute" Tab, it doesn't seem to be listed.
>
> SWA

--
Ashley Chew - Systems Administrator
School of Computer Science and Software Engineering
University of Western Australia
Tel: (+61 8) 6488 7082 - Fax: (+61 8) 6488 1089
Ashley[@]csse.uwa.edu.au - http://www.csse.uwa.edu.au/~ashley
"There is no such thing as Fate, Fate is what you make of it!"
Adam Valenzuela
2007-Jul-17 15:52 UTC
Re: [Fedora-directory-users] questions about FDS and distro/email groups
ok, let me mod my file and I'll shoot it off to you.

On 7/16/07, Richard Megginson <rmeggins@redhat.com> wrote:
> Well I'm not exactly sure, but I get the impression that something is wrong.
>
> What people usually do is obscure company sensitive information before posting e.g.
> dn: uid=XXXXX,ou=people,dc=example,dc=com
> uid: XXXXX
> userPassword: XXXXXXX

--
Thank you,
Adam A. Valenzuela
I have a Solaris 9 client and have configured it as a client of fds-1.0.4 which runs on RHEL5. Without TLS, the Solaris client authenticates against the fds fine. But, if TLS is enabled on the Sun client, the ldapsearch commands runs ok, but, authentication fails. The nscd logs the following error message:

Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.

I think the problem is related to the certificates on the Sun client but I'm not sure...

Thanks,
SWA
On Mon, 2007-07-30 at 13:44 -0500, Saied W. Andalib wrote:
> I have a Solaris 9 client and have configured it as a client of fds-1.0.4 which runs on RHEL5. Without TLS, the Solaris client authenticates against the fds fine. But, if TLS is enabled on the Sun client, the ldapsearch commands runs ok, but, authentication fails. The nscd logs the following error message:
>
> Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (security library: bad database.)
> Jul 30 13:31:01 thread nscd[1172]: [ID 293258 user.error] libsldap: Status: 7 Mesg: Session error no available conn.
>
> I think the problem is related to the certificates on the Sun client but I'm not sure...
>
> Thanks,
> SWA

Do you have the certs copied to your Solaris client?

There's an example here:
http://blogs.sun.com/baban/entry/steps_to_setup_ssl_using

and here:
http://directory.fedoraproject.org/wiki/Howto:SolarisClient

I've also seen references that say to point netscape at https://yourserver:636, keep the certificate forever and copy .netscape/{cert7.db,key3.db} to /var/ldap on your Solaris client.

-Steve
The Solaris docs will also be somewhat helpful for this:
http://docs.sun.com/app/docs/doc/816-4556/6maort2st?a=view#clientsetup-57

Steve Rigler wrote:
> Do you have the certs copied to you Solaris client?
>
> There's an example here:
> http://blogs.sun.com/baban/entry/steps_to_setup_ssl_using
>
> and here:
> http://directory.fedoraproject.org/wiki/Howto:SolarisClient
>
> I've also seen references that say to point netscape at https://yourserver:636, keep the certificate forever and copy .netscape/{cert7.db,key3.db} to /var/ldap on your Solaris client.
>
> -Steve
Thanks for replying. It works now! My mistake was that I was trying to get the certificates via Netscape with URL "http://fds-server:636", which always refused. The correct URL is "https://fds-server:636". SWA