09-14-2010, 09:39 AM, Lars Gunther
389 as authentication server on Fedora 13 #389 @Skolan #ldap

2010-09-13 17:57, Rich Megginson wrote:
> Not sure what you mean by "Fedora 13 does not allow unencrypted
> passwords" - do you mean "unencrypted BIND operations"?

When setting up authentication using the graphic tools
(system-config-authentication) I must either specify ldaps or TLS (or
use Kerberos which I think is overkill for my setup). ldaps seems to be
the easiest option.

>> 2. I can not import old posixGroups, nor can I create new ones. Trying
>> to import using LDIF, I get errors. Trying to create manually, I do not
>> see the option appear in the admin tool.
>>
> It would be helpful if you provided the errors, and more information
> about "the option appear in the admin tool".

This LDIF could not be imported. It was generated as an export from
OpenLDAP.

dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
objectClass: posixGroup
objectClass: top
cn: gunther
userPassword:: e2NyeXB0fXg=
gidNumber: 600

Error Message:

cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se:
Error adding object 'dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se'.
The error sent by the server was 'No such object'.
The object is: LDAPEntry:
cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se; LDAPAttributeSet:
LDAPAttribute {type='gidnumber', values='600'}
LDAPAttribute {type='userpassword', values='{crypt}x'}
LDAPAttribute {type='objectclass', values='posixGroup,top'
LDAPAttribute {type='cn', values='gunther'}.

This LDIF import succeeded:

dn: uid=test,ou=People,dc=labbnet,dc=ne,dc=keryx,dc=se
userPassword:: xxx
loginShell: /bin/bash
gidNumber: 600
uidNumber: 600
shadowMax: 99999
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: gunther
gecos: Testare
shadowLastChange: 13313

>> BTW, please CC my Evernote account when you reply to this thread.
This works great. Please continue to do that :-)


--
Lars Gunther
http://keryx.se/
http://twitter.com/itpastorn/
http://itpastorn.blogspot.com/
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
09-14-2010, 12:18 PM, Lars Gunther

2010-09-14 11:39, Lars Gunther wrote:
> This LDIF could not be imported. It was generated as an export from
> OpenLDAP.
>
> dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
> objectClass: posixGroup
> objectClass: top
> cn: gunther
> userPassword:: e2NyeXB0fXg=
> gidNumber: 600
>

OK, I've found the problem
> dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
Should be
dn: cn=test,ou=Groups,dc=labbnet,dc=ne,dc=keryx,dc=se

Group/s/

Duh!

However, I still can not add posixGroups using the admin tool!

And I still can't log in as the user I've added.

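The two LDIF problems in the posts above (a record whose parent container does not exist, which 389 reports as 'No such object', and a record whose RDN value is not one of the attribute's own values, cn=test with cn: gunther) can both be caught before the import. The following is an added example, not code from the thread or from the 389 project: a pre-flight checker that parses an LDIF export, decodes the base64 "attr::" values (the quoted userPassword:: e2NyeXB0fXg= is {crypt}x), and reports both kinds of problem. The list of containers assumed to exist on the server and the second, corrected group record are constructed for the demonstration.

```python
"""Pre-flight checks for an LDIF before importing it into 389 Directory Server.

Added example, not code from the thread. It catches, without talking to the server:
  * a record whose parent container is neither earlier in the LDIF nor already on
    the server (389 answers "No such object" for cn=test,ou=Group,... when only
    ou=Groups exists)
  * a record whose RDN value (cn=test) is not among the attribute's own values (cn: gunther)
It also decodes "attr:: base64" values so exported entries can be inspected.
"""
import base64
import re

# "attr: value" or "attr:: base64value"; the "attr:< url" form is not handled here
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) records from LDIF text."""
    entries = []
    unfolded = re.sub(r"\r?\n ", "", text)  # a line starting with one space continues the previous line
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#") or line.startswith("version:"):
                continue
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("record without a dn: %r" % block[:60])
        entries.append((dn, attrs))
    return entries


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def normalize_dn(dn):
    """Lower-cased, whitespace-stripped form for comparing DNs (fine for cn/ou/dc/uid)."""
    return ",".join(part.lower() for part in split_dn(dn))


def check_ldif(text, existing_containers):
    """Return a list of problems; an empty list means the import should not hit these errors.

    existing_containers: DNs already present on the server (the suffix and its ou= entries).
    Records are processed in file order, because the import adds them in that order.
    """
    known = {normalize_dn(d) for d in existing_containers}
    problems = []
    for dn, attrs in parse_ldif(text):
        parent = parent_dn(dn)
        if normalize_dn(parent) not in known:
            problems.append("%s: parent %r does not exist, the server will answer 'No such object'"
                            % (dn, parent))
        rdn_attr, _, rdn_value = split_dn(dn)[0].partition("=")
        values = attrs.get(rdn_attr.lower(), [])
        if rdn_value not in values:
            problems.append("%s: RDN value %r is not among the %s values %r; lookups by %s will not match this name"
                            % (dn, rdn_value, rdn_attr, values, rdn_attr))
        known.add(normalize_dn(dn))  # a later record may be a child of this one
    return problems


# Constructed sample: the group record quoted in the thread (wrong parent ou=Group),
# followed by the same group under the container that actually exists.
SAMPLE_LDIF = """\
dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
objectClass: posixGroup
objectClass: top
cn: gunther
userPassword:: e2NyeXB0fXg=
gidNumber: 600

dn: cn=test,ou=Groups,dc=labbnet,dc=ne,dc=keryx,dc=se
objectClass: posixGroup
objectClass: top
cn: test
gidNumber: 600
"""

# Assumed to exist on the server already (the thread uses ou=People and ou=Groups).
EXISTING_CONTAINERS = [
    "dc=labbnet,dc=ne,dc=keryx,dc=se",
    "ou=People,dc=labbnet,dc=ne,dc=keryx,dc=se",
    "ou=Groups,dc=labbnet,dc=ne,dc=keryx,dc=se",
]

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, attrs.get("userpassword"))  # shows the decoded {crypt}x value
    for problem in check_ldif(SAMPLE_LDIF, EXISTING_CONTAINERS):
        print("PROBLEM:", problem)
```

Run it against the real export and the real container list before importing; the first record above produces two findings and the corrected one none. The RDN check is only a warning: nss_ldap looks accounts and groups up by filter on uid and cn, so a record named uid=test that carries uid: gunther is found as "gunther", not "test".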
 
09-14-2010, 03:26 PM, Rich Megginson

Lars Gunther wrote:
> 2010-09-14 11:39, Lars Gunther wrote:
>
>> This LDIF could not be imported. It was generated as an export from
>> OpenLDAP.
>>
>> dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
>> objectClass: posixGroup
>> objectClass: top
>> cn: gunther
>> userPassword:: e2NyeXB0fXg=
>> gidNumber: 600
>>
>>
>
> OK, I've found the problem
> > dn: cn=test,ou=Group,dc=labbnet,dc=ne,dc=keryx,dc=se
> Should be
> dn: cn=test,ou=Groups,dc=labbnet,dc=ne,dc=keryx,dc=se
>
> Group/s/
>
> Duh!
>
> However, I still can not add posixGroups using the admin tool!
>
I still don't know what you mean by "add posixGroups using the admin
tool". If by "admin tool" you mean the 389 GUI console, then right,
there is no explicit posix group tab in the Group editor window, but you
can use the Advanced... editor to add the posixGroup objectclass to the
list of objectclasses.
> And I still can't log in as the user I've added.
>
What error do you get? It's always helpful when you have a problem to
specify
* the platform and 389-ds-base version
* the exact command you used - if by "log in" you mean system login,
also please specify your /etc/ldap.conf settings
* the error message and error code you get from the command, if any
* check the directory server access log from around the time of your log
in attempt to see what the directory server logged
 
09-14-2010, 09:54 PM, Lars Gunther

2010-09-14 17:26, Rich Megginson wrote:

> I still don't know what you mean by "add posixGroups using the admin
> tool". If by "admin tool" you mean the 389 GUI console, then right,
> there is no explicit posix group tab in the Group editor window, but you
> can use the Advanced... editor to add the posixGroup objectclass to the
> list of objectclasses.

Yep. That's what I meant. (389-console)

When I click Advanced I see posixGroup stuff not when I click "Show All
Allowed Attributes", nor do I see it as an option when I click the "Add
Attribute" button.

What do you mean when you say "Advanced editor"?

Having searched for a while, I've found a way to add posixGroups:
Right click -> New -> Other -> posixGroup

They will however be identified in the tree by the gidNumber, not by
their cn...

>> And I still can't log in as the user I've added.
>>
> What error do you get? It's always helpful when you have a problem to
> specify
> * the platform and 389-ds-base version

Fedora 13
389 1.2.0

Error message "User does not exist"

> * the exact command you used - if by "log in" you mean system login,

I've tried "su" both locally and from a client machine.

> also please specify your /etc/ldap.conf settings

[root@lb ~]# cat /etc/ldap.conf|grep -v "#"|sed '/^$/d'
base dc=labbnet,dc=ne,dc=keryx,dc=se
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
uri ldaps://127.0.0.1:1636/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

I've changed the port to 1636 since *nix requires the server to run as
root for ldaps on a port below 1024...

> * the error message and error code you get from the command, if any
> * check the directory server access log from around the time of your log
> in attempt to see what the directory server logged

/var/log/dirsrv/slapd-lb/errors is silent

/var/log/dirsrv/slapd-lb/access (I've removed the timestamp)

conn=29 op=47 UNBIND
conn=29 op=47 fd=85 closed - U1
conn=26 op=77 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=77 RESULT err=0 tag=103 nentries=0 etime=1
conn=26 op=78 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=78 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=79 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=79 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=80 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=80 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=82 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=82 RESULT err=0 tag=103 nentries=0 etime=0
conn=26 op=83 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=83 RESULT err=0 tag=103 nentries=0 etime=0
conn=28 op=-1 fd=84 closed - B1
conn=26 op=-1 fd=82 closed - B1
conn=27 op=-1 fd=83 closed - B1


 
09-14-2010, 11:11 PM, Rich Megginson

Lars Gunther wrote:
> 2010-09-14 17:26, Rich Megginson wrote:
>
>> I still don't know what you mean by "add posixGroups using the admin
>> tool". If by "admin tool" you mean the 389 GUI console, then right,
>> there is no explicit posix group tab in the Group editor window, but you
>> can use the Advanced... editor to add the posixGroup objectclass to the
>> list of objectclasses.
>
> Yep. That's what I meant. (389-console)
>
> When I click Advanced I see posixGroup stuff not when I click "Show
> All Allowed Attributes", nor do I see it as an option when I click the
> "Add Attribute" button.
>
> What do you mean when you say "Advanced editor"?
I mean the window you are using that has the "Show All Allowed
Attributes" etc.

You should be able to left-click on the objectClass attribute to select
it, then Add Value to select the posixGroup objectclass to add to the
entry. Once you do that, you should be able to Add Attribute to add the
posixGroup attributes.
>
> Having searched for a while, I've found a way to add posixGroups:
> Right click -> New -> Other -> posixGroup
>
> They will however be identified in the tree by the gidNumber, not by
> their cn...
Right. If you want the group to be recognized both by the console and
by the OS, you need to create it as a regular group first, then add
posixGroup.
>
>>> And I still can't log in as the user I've added.
>>>
>> What error do you get? It's always helpful when you have a problem to
>> specify
>> * the platform and 389-ds-base version
>
> Fedora 13
> 389 1.2.0
>
> Error message "User does not exist"
>
>> * the exact command you used - if by "log in" you mean system login,
>
> I've tried "su" both locally and from a client machine.
>
>> also please specify your /etc/ldap.conf settings
>
> [root@lb ~]# cat /etc/ldap.conf|grep -v "#"|sed '/^$/d'
> base dc=labbnet,dc=ne,dc=keryx,dc=se
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,rtkit,pulse
>
> uri ldaps://127.0.0.1:1636/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
> I've changed the port to 1636 since *nix requires the server to run as
> root for ldaps on a port below 1024...
>
>> * the error message and error code you get from the command, if any
>> * check the directory server access log from around the time of your log
>> in attempt to see what the directory server logged
>
> /var/log/dirsrv/slapd-lb/errors is silent
>
> /var/log/dirsrv/slapd-lb/access (I've removed the timestamp)
>
> conn=29 op=47 UNBIND
> conn=29 op=47 fd=85 closed - U1
> conn=26 op=77 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
> conn=26 op=77 RESULT err=0 tag=103 nentries=0 etime=1
> conn=26 op=78 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
> conn=26 op=78 RESULT err=0 tag=103 nentries=0 etime=0
> conn=26 op=79 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
> conn=26 op=79 RESULT err=0 tag=103 nentries=0 etime=0
> conn=26 op=80 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
> conn=26 op=80 RESULT err=0 tag=103 nentries=0 etime=0
> conn=26 op=82 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
> conn=26 op=82 RESULT err=0 tag=103 nentries=0 etime=0
> conn=26 op=83 MOD dn="cn=General,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
> conn=26 op=83 RESULT err=0 tag=103 nentries=0 etime=0
> conn=28 op=-1 fd=84 closed - B1
> conn=26 op=-1 fd=82 closed - B1
> conn=27 op=-1 fd=83 closed - B1
This doesn't show any SRCH or BIND operations that would have been done
by su.

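Rich's check above (does the access log show the BIND and SRCH operations that su would produce, and what did they return) can be done mechanically. The following is an added example, not code from the thread or from the 389 project: it pairs each request line with the RESULT line for the same conn=/op= and reports the BIND and SRCH operations with their err= and nentries= values. The first sample is the extract Lars posted with the forum line-wrapping undone, which contains no BIND or SRCH at all; the second is constructed to show what a lookup that reaches the server but matches nothing looks like (the line layout, tag numbers and attrs list follow the 389 access log format, the specific connection numbers, timestamp and filter are assumed).

```python
"""Correlate request and RESULT lines in a 389 DS access log for one login attempt.

Added example, not code from the thread. Every operation is logged twice: the request
(BIND, SRCH, MOD, UNBIND, ...) and a RESULT line for the same conn=/op= pair carrying
err= and nentries=. Pairing them shows whether the NSS/PAM client bound to this server
at all, what it searched for, and whether the search returned an entry.
"""
import re

# "[timestamp] conn=N op=M <rest>"; the timestamp is optional because the posted extract stripped it
LINE_RE = re.compile(r"^(?:\[[^\]]*\]\s+)?conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+(?P<rest>.*)$")
# key=value pairs, either quoted (dn="...", filter="...") or bare (err=0, nentries=0)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_access_log(lines):
    """Return {(conn, op): {"type": request type, "fields": {...}, "result": {...} or None}}."""
    ops = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection-open lines (conn=N fd=.. slot=..) carry no op=
        kind = m.group("rest").split(None, 1)[0]
        if "=" in kind:
            continue  # "fd=85 closed - U1" style status lines are not operations
        key = (int(m.group("conn")), int(m.group("op")))
        fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group("rest"))}
        entry = ops.setdefault(key, {"type": None, "fields": {}, "result": None})
        if kind == "RESULT":
            entry["result"] = fields
        else:
            entry["type"] = kind
            entry["fields"] = fields
    return ops


def summarize_auth(ops):
    """One line per BIND/SRCH with its outcome, or a verdict line if the client never showed up."""
    report = []
    for (conn, op), e in sorted(ops.items()):
        r = e["result"] or {}
        if e["type"] == "BIND":
            report.append("conn=%d op=%d BIND dn=%r -> err=%s"
                          % (conn, op, e["fields"].get("dn", ""), r.get("err", "?")))
        elif e["type"] == "SRCH":
            report.append("conn=%d op=%d SRCH base=%r filter=%r -> err=%s nentries=%s"
                          % (conn, op, e["fields"].get("base"), e["fields"].get("filter"),
                             r.get("err", "?"), r.get("nentries", "?")))
    if not report:
        report.append("no BIND or SRCH in this window: the client never talked to this server, "
                      "so check uri/port/TLS on the client before looking at the directory data")
    return report


# Lines quoted from the thread (forum line-wrapping undone); no BIND or SRCH among them.
THREAD_LOG = """\
conn=29 op=47 UNBIND
conn=29 op=47 fd=85 closed - U1
conn=26 op=77 MOD dn="cn=ResourcePage,ou=1.1,ou=Console,ou=cn5c=directory manager,ou=UserPreferences, ou=labbnet.ne.keryx.se, o=NetscapeRoot"
conn=26 op=77 RESULT err=0 tag=103 nentries=0 etime=1
conn=28 op=-1 fd=84 closed - B1
"""

# Constructed lines, not from the thread: an anonymous nss_ldap lookup that reaches the
# server but finds no matching posixAccount (nentries=0), which is what "User does not
# exist" on the client would look like from the server side.
LOOKUP_LOG = """\
[14/Sep/2010:21:50:12 +0200] conn=30 fd=86 slot=86 SSL connection from 127.0.0.1 to 127.0.0.1
[14/Sep/2010:21:50:12 +0200] conn=30 op=0 BIND dn="" method=128 version=3
[14/Sep/2010:21:50:12 +0200] conn=30 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[14/Sep/2010:21:50:12 +0200] conn=30 op=1 SRCH base="dc=labbnet,dc=ne,dc=keryx,dc=se" scope=2 filter="(&(objectClass=posixAccount)(uid=test))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos"
[14/Sep/2010:21:50:12 +0200] conn=30 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[14/Sep/2010:21:50:12 +0200] conn=30 op=2 UNBIND
[14/Sep/2010:21:50:12 +0200] conn=30 op=2 fd=86 closed - U1
"""

if __name__ == "__main__":
    for name, text in (("thread extract", THREAD_LOG), ("constructed lookup", LOOKUP_LOG)):
        print("==", name)
        for line in summarize_auth(parse_access_log(text.splitlines())):
            print(line)
```

Feed it the lines from /var/log/dirsrv/slapd-lb/access around the time of the su attempt. A report with no BIND or SRCH means the problem is between the client and the server (the uri, port and certificate trust in /etc/ldap.conf) and the directory content is not yet in play; a SRCH with nentries=0 means the client reached the server and the filter it used matched nothing, so the filter and the entry's attributes are what to compare next.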
 
09-15-2010, 12:24 AM, Ulf Weltman

On 9/14/2010 4:11 PM, Rich Megginson wrote:
> Lars Gunther wrote:
>> 2010-09-14 17:26, Rich Megginson wrote:
>> Having searched for a while, I've found a way to add posixGroups:
>> Right click -> New -> Other -> posixGroup
>>
>> They will however be identified in the tree by the gidNumber, not by
>> their cn...
> Right. If you want the group to be recognized both by the console and
> by the OS, you need to create it as a regular group first, then add
> posixGroup.
Also, the advanced editor has a Naming Attribute button in the lower
right corner which launches a Change Name Attribute dialog. There you
can uncheck gidnumber and check cn to make the latter the naming attribute.


 