[Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 29, Issue 5

Clementous Clement Clementous.Clement at fox.com
Sat Oct 6 16:00:04 UTC 2007


Richard,

I'm trying to use Netgroups to control access to groups of hosts for
groups of users, just as with NIS. I've searched the web for a decent
example of creating the netgroup container within FDS, but haven't
discovered any. 

=-Clem 
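Since the question is how a netgroup container actually drives host-to-user access, here is an added example (mine, not code from the list thread or from the Fedora DS netgroup howto) that parses constructed nisNetgroup entries in LDIF form and evaluates them the way a client's innetgr(3) lookup does. The object class nisNetgroup and the attributes nisNetgroupTriple and memberNisNetgroup are the RFC 2307 ones; the ou=Netgroups container, the dc=example,dc=com suffix, and all group, user and host names are made-up sample data.

```python
"""Netgroup resolution over RFC 2307 nisNetgroup entries.

Added example, not code from the thread or from the Fedora DS howto. The
LDIF below is constructed sample data; the container ou=Netgroups and the
suffix dc=example,dc=com are assumptions. It shows how an innetgr(3)-style
lookup evaluates nisNetgroupTriple values of the form (host,user,domain)
and follows memberNisNetgroup nesting, which is what a host-to-user access
policy built on netgroups ultimately relies on.
"""
from __future__ import annotations

SAMPLE_LDIF = """\
dn: cn=webservers,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: webservers
nisNetgroupTriple: (web1.example.com,-,)
nisNetgroupTriple: (web2.example.com,-,)

dn: cn=webadmins,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: webadmins
nisNetgroupTriple: (-,alice,)
nisNetgroupTriple: (-,bob,)

dn: cn=allstaff,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: allstaff
memberNisNetgroup: webadmins
nisNetgroupTriple: (-,carol,)
"""


def parse_netgroups(ldif: str) -> dict[str, dict[str, list]]:
    """Map each netgroup cn to its triples and nested member netgroups.

    Minimal LDIF reader for this sample: entries separated by blank lines,
    one 'attr: value' per line, no continuation lines or base64 values.
    """
    groups: dict[str, dict[str, list]] = {}
    for block in ldif.strip().split("\n\n"):
        cn = None
        triples: list[tuple[str, str, str]] = []
        members: list[str] = []
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "cn":
                cn = value
            elif attr == "nisNetgroupTriple":
                # "(host,user,domain)" -> three fields, parentheses stripped
                host, user, domain = value.strip()[1:-1].split(",")
                triples.append((host, user, domain))
            elif attr == "memberNisNetgroup":
                members.append(value)
        if cn is not None:
            groups[cn] = {"triples": triples, "members": members}
    return groups


def _field_matches(field: str, wanted: str | None) -> bool:
    """Triple field semantics: '' is a wildcard, '-' never matches, and a
    None query value means the caller does not care about this field."""
    if wanted is None or field == "":
        return True
    if field == "-":
        return False
    return field == wanted


def innetgr(groups, netgroup: str, host=None, user=None, domain=None,
            _seen: set[str] | None = None) -> bool:
    """Mirror of innetgr(3): True if a triple in the netgroup, or in any
    nested member netgroup, matches all given fields. Cycles are tolerated."""
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in groups:
        return False
    _seen.add(netgroup)
    for h, u, d in groups[netgroup]["triples"]:
        if (_field_matches(h, host) and _field_matches(u, user)
                and _field_matches(d, domain)):
            return True
    return any(innetgr(groups, m, host, user, domain, _seen)
               for m in groups[netgroup]["members"])


def login_allowed(groups, user: str, host: str,
                  user_group: str = "webadmins",
                  host_group: str = "webservers") -> bool:
    """Policy in the style of the NIS setup described above: a user may log
    in to a host only if the user is in user_group and the host is in
    host_group (both evaluated through innetgr)."""
    return (innetgr(groups, user_group, user=user)
            and innetgr(groups, host_group, host=host))


if __name__ == "__main__":
    g = parse_netgroups(SAMPLE_LDIF)
    for who, where in (("alice", "web1.example.com"),
                       ("dave", "web1.example.com"),
                       ("alice", "db1.example.com")):
        print(who, where, login_allowed(g, who, where))
```

Note the two conventions that trip people up when moving from NIS: an empty field in a triple is a wildcard, so (-,alice,) matches alice on any host, while a "-" field matches nothing, which is why a host-only netgroup uses "-" in the user position. A lookup that passes no value for a field ignores that field entirely, so the same entry can serve both the "is this host in the group" and "is this user in the group" questions.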

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
fedora-directory-users-request at redhat.com
Sent: Thursday, October 04, 2007 9:00 AM
To: fedora-directory-users at redhat.com
Subject: Fedora-directory-users Digest, Vol 29, Issue 5

Send Fedora-directory-users mailing list submissions to
	fedora-directory-users at redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.redhat.com/mailman/listinfo/fedora-directory-users
or, via email, send a message with subject or body 'help' to
	fedora-directory-users-request at redhat.com

You can reach the person managing the list at
	fedora-directory-users-owner at redhat.com

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Fedora-directory-users digest..."


Today's Topics:

   1. Re: nss_ldap cannot authenticate vs FDS (Peter Santiago)
   2. Re: problem with SSL and load balance (Enrico M. V. Fasanelli)
   3. linux authentication through ds (lance raymond)
   4. RE: problem with SSL and load balance (Richard Hesse)
   5. Re: problem with SSL and load balance (Jazcek Braden)
   6. Re: linux authentication through ds (Marc Sauton)
   7. Re: problem with SSL and load balance (Marc Sauton)
   8. Re: problem with SSL and load balance (Marc Sauton)
   9. Fedora-DS/netgroup configuration (Clementous Clement)
  10. Re: Fedora-DS/netgroup configuration (Steve Rigler)
  11. Re: RedHat 4/Fedora-DS - SSL Cert DB not readable? (Glenn)


----------------------------------------------------------------------

Message: 1
Date: Thu, 04 Oct 2007 00:08:05 +0800
From: Peter Santiago <peters at psinergybbs.com>
Subject: Re: [Fedora-directory-users] nss_ldap cannot authenticate vs
	FDS
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>, Steve Rigler
	<srigler at marathonoil.com>
Message-ID: <20071004000805.w0m9bmxk6cws4sk0 at webmail.psinergybbs.com>
Content-Type: text/plain; charset="iso-8859-1"


------------------------------

Message: 2
Date: Wed, 03 Oct 2007 19:49:56 +0200
From: "Enrico M. V. Fasanelli" <Enrico.M.V.Fasanelli at le.infn.it>
Subject: Re: [Fedora-directory-users] problem with SSL and load
	balance
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID: <4703D644.9020608 at le.infn.it>
Content-Type: text/plain; charset="iso-8859-1"

Hi Victor,

have you tried with a certificate that contains the alternate name of
the server?

Something like
X509v3 Subject Alternative Name: DNS:fds.mydomain.com,
DNS:fds1.mydomain.com


Ciao,
	Enrico

Victor Hugo dos Santos wrote:
> Hello List,
> 
> I have the same problem that Alex Aka had in Apr 2006
> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html
> 
> I have two FDS (fds1 and fds2) in MMR
> 
> in the DNS I created these machines
> 
> fds1     IN     A     10.0.0.11
> fds2     IN     A     10.0.0.12
> fds      IN     A     10.0.0.11
> fds      IN     A     10.0.0.12
> 
> in the clients, I configured ldap.conf with these parameters:
> 
> BASE            dc=mydomain,dc=com
> URI             ldap://fds.mydomain.com
> 
> this configuration works very, very fine !!!! there is replication between
> the servers and fault tolerance in the clients.. but when I enable SSL in
> the server and in the clients (ldap.conf)
> 
> 
> BASE            dc=mydomain,dc=com
> URI             ldaps://fds.mydomain.com
> TLS_CACERT      /etc/ssl/certs/cacert.org.pem
> TLS_REQCERT     allow
> 
> it does "not" work !!! :-( I receive this error:
> 
> ldap_bind: Can't contact LDAP server (-1)
> 
> additional info: TLS: hostname does not match CN in peer certificate
> 
> this problem comes from my having configured the servers with one
> certificate and a distinct CN per independent server (fds1 and fds2)...
> 
> if I configure one same certificate with the same CN (fds) for both nodes
> (fds1 and fds2).. it works fine in the clients, but the replication doesn't
> work !!! :-(
> 
> obs.: my certificates are signed by http://cacert.org
> 
> any idea or suggestion ???
> 
> thanks
> 
> 

-- 
Few know what Einstein really discovered:
when we eat spaghetti, we are in fact chewing
a concentrate of Space-Time.
                                    (Antonino Zichichi)

------------------------------

Message: 3
Date: Wed, 3 Oct 2007 14:31:58 -0400
From: "lance raymond" <lance.raymond at gmail.com>
Subject: [Fedora-directory-users] linux authentication through ds
To: fedora-directory-users at redhat.com
Message-ID:
	<5d1656000710031131y6cc0c663jb6a930299f76bfbb at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Afternoon, I have been reading a lot on this and wish to see if I am on
the right track.  I wish to have all employees' login information be stored
in DS, and authenticate through it.  I have subscribed to the list a few
days ago and the questions are pretty high level, so it does seem that
people are using Fedora's version, so I guess for starters, is this possible?

I already have Fedora DS running, added a few people, but I didn't see
too much on authenticating through DS.

Thanks ...
lr

------------------------------

Message: 4
Date: Wed, 3 Oct 2007 12:17:50 -0700
From: Richard Hesse <richard at powerset.com>
Subject: RE: [Fedora-directory-users] problem with SSL and load
	balance
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID:
	<84E2AE771361E9419DD0EFBD31F09C4D4894671AAA at EXVMBX015-1.exch015.msoutlookonline.net>
Content-Type: text/plain; charset="us-ascii"

Do wildcard certs work with Fedora Directory Server? If they do, that
will easily solve your problem. That or setting checkpeer to off.

-richard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Victor
Hugo dos Santos
Sent: Wednesday, October 03, 2007 8:20 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] problem with SSL and load balance

Hello List,

I have the same problem that Alex Aka had in Apr 2006
http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html

I have two FDS (fds1 and fds2) in MMR

in the DNS I created these machines

fds1     IN     A     10.0.0.11
fds2     IN     A     10.0.0.12
fds      IN     A     10.0.0.11
fds      IN     A     10.0.0.12

in the clients, I configured ldap.conf with these parameters:

BASE            dc=mydomain,dc=com
URI             ldap://fds.mydomain.com

this configuration works very, very fine !!!! there is replication between
the servers and fault tolerance in the clients.. but when I enable SSL in
the server and in the clients (ldap.conf)


BASE            dc=mydomain,dc=com
URI             ldaps://fds.mydomain.com
TLS_CACERT      /etc/ssl/certs/cacert.org.pem
TLS_REQCERT     allow

it does "not" work !!! :-( I receive this error:

ldap_bind: Can't contact LDAP server (-1)

additional info: TLS: hostname does not match CN in peer certificate

this problem comes from my having configured the servers with one
certificate and a distinct CN per independent server (fds1 and fds2)...

if I configure one same certificate with the same CN (fds) for both nodes
(fds1 and fds2).. it works fine in the clients, but the replication doesn't
work !!! :-(

obs.: my certificates are signed by http://cacert.org

any idea or suggestion ???

thanks


--
--
Victor Hugo dos Santos
Linux Counter #224399

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users



------------------------------

Message: 5
Date: Wed, 03 Oct 2007 15:31:20 -0400
From: Jazcek Braden <jazcek at scs.fsu.edu>
Subject: Re: [Fedora-directory-users] problem with SSL and load
	balance
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID: <4703EE08.4020003 at scs.fsu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Wildcard certs definitely work; that is the way that I have my load 
balanced installation set up.  However, if you are trying to use 
self-signed certificates I think you have to make sure to set up the 
trust chain, but I am not sure.

-- 
Jazcek Braden


Richard Hesse wrote:
> Do wildcard certs work with Fedora Directory Server? If they do, that
> will easily solve your problem. That or setting checkpeer to off.
>
> -richard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Victor
> Hugo dos Santos
> Sent: Wednesday, October 03, 2007 8:20 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: [Fedora-directory-users] problem with SSL and load balance
>
> Hello List,
>
> I have the same problem that Alex Aka had in Apr 2006
> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html
>
> I have two FDS (fds1 and fds2) in MMR
>
> in the DNS I created these machines
>
> fds1     IN     A     10.0.0.11
> fds2     IN     A     10.0.0.12
> fds      IN     A     10.0.0.11
> fds      IN     A     10.0.0.12
>
> in the clients, I configured ldap.conf with these parameters:
>
> BASE            dc=mydomain,dc=com
> URI             ldap://fds.mydomain.com
>
> this configuration works very, very fine !!!! there is replication between
> the servers and fault tolerance in the clients.. but when I enable SSL in
> the server and in the clients (ldap.conf)
>
>
> BASE            dc=mydomain,dc=com
> URI             ldaps://fds.mydomain.com
> TLS_CACERT      /etc/ssl/certs/cacert.org.pem
> TLS_REQCERT     allow
>
> it does "not" work !!! :-( I receive this error:
>
> ldap_bind: Can't contact LDAP server (-1)
>
> additional info: TLS: hostname does not match CN in peer certificate
>
> this problem comes from my having configured the servers with one
> certificate and a distinct CN per independent server (fds1 and fds2)...
>
> if I configure one same certificate with the same CN (fds) for both nodes
> (fds1 and fds2).. it works fine in the clients, but the replication doesn't
> work !!! :-(
>
> obs.: my certificates are signed by http://cacert.org
>
> any idea or suggestion ???
>
> thanks
>
>
> --
> --
> Victor Hugo dos Santos
> Linux Counter #224399
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>




-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
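Enrico's Subject Alternative Name suggestion and the wildcard suggestion from Richard and Jazcek both work on the same client-side check that produced Victor's "hostname does not match CN in peer certificate" error. The script below is an added example written for this digest, not code from the thread, from OpenLDAP or from Fedora DS: it models the three certificate layouts as constructed Python data (no real certificates are parsed) and applies the hostname-matching rules a TLS client follows, so you can see which layout satisfies both the client alias fds.mydomain.com and each node's own name. The host names, the CertIdentity structure and the report format are all assumptions made for the example.

```python
"""Hostname verification as an LDAP-over-TLS client applies it.

Added example, not code from the thread or from Fedora DS. Certificate
identities are constructed Python data so the script runs offline. It
applies the RFC 6125 rules a TLS client follows: SAN dNSName entries are
checked first, the CN is consulted only when no dNSName SAN exists, and a
wildcard is honoured only as the entire leftmost label.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Name fields of a server certificate (constructed, not a real cert)."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and appear nowhere else;
    # it matches exactly one label, so *.mydomain.com matches
    # fds.mydomain.com but neither mydomain.com nor a.b.mydomain.com.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:          # refuse patterns such as *.com
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_hostname(cert: CertIdentity, hostname: str) -> tuple[bool, str]:
    """Return (ok, reason) for one certificate against one expected name."""
    if cert.san_dns:
        for name in cert.san_dns:
            if name_matches(name, hostname):
                return True, f"matched SAN dNSName {name}"
        return False, "hostname does not match any SAN dNSName"
    if name_matches(cert.common_name, hostname):
        return True, f"matched CN {cert.common_name} (no dNSName SAN present)"
    return False, "hostname does not match CN in peer certificate"


# Constructed scenarios mirroring the thread: clients use the alias
# fds.mydomain.com, which resolves to either node; replication agreements
# address each node by its own name.
PER_NODE_CN = {        # one cert per node, CN = node name (the failing setup)
    "fds1": CertIdentity("fds1.mydomain.com"),
    "fds2": CertIdentity("fds2.mydomain.com"),
}
PER_NODE_SAN = {       # Enrico's suggestion: SAN carries node name and alias
    "fds1": CertIdentity("fds1.mydomain.com",
                         ["fds1.mydomain.com", "fds.mydomain.com"]),
    "fds2": CertIdentity("fds2.mydomain.com",
                         ["fds2.mydomain.com", "fds.mydomain.com"]),
}
WILDCARD = {           # Richard's/Jazcek's alternative: one wildcard cert
    "fds1": CertIdentity("*.mydomain.com", ["*.mydomain.com"]),
    "fds2": CertIdentity("*.mydomain.com", ["*.mydomain.com"]),
}


def deployment_report(certs: dict[str, CertIdentity],
                      alias: str = "fds.mydomain.com",
                      domain: str = "mydomain.com") -> dict[str, dict[str, bool]]:
    """For each node, check its cert against the client alias and against
    the node's own name (the name a replication agreement connects to)."""
    report: dict[str, dict[str, bool]] = {}
    for node, cert in certs.items():
        own_name = f"{node}.{domain}"
        report[node] = {
            alias: verify_hostname(cert, alias)[0],
            own_name: verify_hostname(cert, own_name)[0],
        }
    return report


if __name__ == "__main__":
    for label, certs in (("per-node CN only", PER_NODE_CN),
                         ("per-node cert with SAN", PER_NODE_SAN),
                         ("wildcard cert", WILDCARD)):
        print(label, deployment_report(certs))
```

The report shows the per-node CN layout failing for the alias while both the SAN and the wildcard layouts pass for the alias and for each node's own name. Two details worth keeping in mind when issuing the replacement certificates: once a certificate carries any dNSName SAN the CN is ignored, so a certificate whose CN is the alias but whose SAN lists only the node name still fails; and a wildcard matches exactly one label, so *.mydomain.com covers fds.mydomain.com but not a deeper name.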



------------------------------

Message: 6
Date: Wed, 03 Oct 2007 13:31:35 -0700
From: Marc Sauton <msauton at redhat.com>
Subject: Re: [Fedora-directory-users] linux authentication through ds
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID: <4703FC27.6030900 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

It depends on what you want to do; there is some info in the howto section
at:
http://directory.fedoraproject.org/wiki/Documentation#Howtos
Under "A series of articles about how to get the Directory Server 
working with other tools", you will find some links to articles, for 
example about PAM, MTAs, file systems, Apache.
M.

lance raymond wrote:
> Afternoon, I have been reading a lot on this and wish to see if I am 
> on the right track.  I wish to have all employees' login information be
> stored in DS, and authenticate through it.  I have subscribed to the 
> list a few days ago and the questions are pretty high level, so it 
> does seem that people are using Fedora's version, so I guess for 
> starters, is this possible?
>
> I already have Fedora DS running, added a few people, but I didn't see
> too much on authenticating through DS.
>
> Thanks ...
> lr
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users



------------------------------

Message: 7
Date: Wed, 03 Oct 2007 13:36:26 -0700
From: Marc Sauton <msauton at redhat.com>
Subject: Re: [Fedora-directory-users] problem with SSL and load
	balance
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID: <4703FD4A.70907 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Just for info, there was a good contribution in 
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
M.

Enrico M. V. Fasanelli wrote:
> Hi Victor,
>
> have you tried with a certificate that contains the alternate name of 
> the server?
>
> Something like
> X509v3 Subject Alternative Name: DNS:fds.mydomain.com, 
> DNS:fds1.mydomain.com
>
>
> Ciao,
>     Enrico
>
> Victor Hugo dos Santos wrote:
>> Hello List,
>>
>> I have the same problem that Alex Aka had in Apr 2006
>> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html
>>
>> I have two FDS (fds1 and fds2) in MMR
>>
>> in the DNS I created these machines
>>
>> fds1     IN     A     10.0.0.11
>> fds2     IN     A     10.0.0.12
>> fds      IN     A     10.0.0.11
>> fds      IN     A     10.0.0.12
>>
>> in the clients, I configured ldap.conf with these parameters:
>>
>> BASE            dc=mydomain,dc=com
>> URI             ldap://fds.mydomain.com
>>
>> this configuration works very, very fine !!!! there is replication between
>> the servers and fault tolerance in the clients.. but when I enable SSL in
>> the server and in the clients (ldap.conf)
>>
>>
>> BASE            dc=mydomain,dc=com
>> URI             ldaps://fds.mydomain.com
>> TLS_CACERT      /etc/ssl/certs/cacert.org.pem
>> TLS_REQCERT     allow
>>
>> it does "not" work !!! :-( I receive this error:
>>
>> ldap_bind: Can't contact LDAP server (-1)
>>
>> additional info: TLS: hostname does not match CN in peer certificate
>>
>> this problem comes from my having configured the servers with one
>> certificate and a distinct CN per independent server (fds1 and fds2)...
>>
>> if I configure one same certificate with the same CN (fds) for both nodes
>> (fds1 and fds2).. it works fine in the clients, but the replication doesn't
>> work !!! :-(
>>
>> obs.: my certificates are signed by http://cacert.org
>>
>> any idea or suggestion ???
>>
>> thanks
>>
>>
>
>
------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   



------------------------------

Message: 8
Date: Wed, 03 Oct 2007 13:37:34 -0700
From: Marc Sauton <msauton at redhat.com>
Subject: Re: [Fedora-directory-users] problem with SSL and load
	balance
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID: <4703FD8E.4080108 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

See 
http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_Fedora_DS
M.

Jazcek Braden wrote:
> Wildcard certs definitely work, that is the way that I have my load 
> balanced installation setup.  However if you are trying to use 
> self-signed certificates I think you have to make sure to setup the 
> trust chain, but I am not sure.
>



------------------------------

Message: 9
Date: Wed, 3 Oct 2007 09:26:58 -0700
From: "Clementous Clement" <Clementous.Clement at fox.com>
Subject: [Fedora-directory-users] Fedora-DS/netgroup configuration
To: <fedora-directory-users at redhat.com>
Message-ID:
	<12C2BCDB3FA74D4E8E482325998611190277EF48 at fegplmsexmb05.ffe.foxeg.com>
Content-Type: text/plain; charset="us-ascii"

Hello Everyone,

I'm a newbie to configuring/deploying Fedora-DS. I've been lucky enough
to complete the installation for Fedora-DS. I need a little guidance on
setting up and configuring netgroups. I've located and researched the
link below, but still can't get the feature to work.
Any advice?

http://directory.fedoraproject.org/wiki/Howto:Netgroups


Thanks In Advance,

Clementous Clement
System Administrator
cclementous at gmail.com


------------------------------

Message: 10
Date: Thu, 04 Oct 2007 08:22:10 -0500
From: Steve Rigler <srigler at MarathonOil.com>
Subject: Re: [Fedora-directory-users] Fedora-DS/netgroup configuration
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID: <1191504130.4298.8.camel at houuc8>
Content-Type: text/plain

On Wed, 2007-10-03 at 09:26 -0700, Clementous Clement wrote:
> Hello Everyone,
> 
> I'm a newbie to configuring/deploying Fedora-DS. I've been lucky
> enough to complete the installation for Fedora-DS. I need a little
> guidance on setting up and configuring netgroups. I've located and
> researched the link below, but still can't get the feature to work.
> Any advice?
> 
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
> 
> 
> Thanks In Advance,
> 
> Clementous Clement 
> System Administrator 
> cclementous at gmail.com
> 

What are you trying to accomplish with netgroups that isn't working?

-Steve



------------------------------

Message: 11
Date: Thu, 4 Oct 2007 09:25:33 -0500
From: "Glenn" <glenn at mail.txwes.edu>
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB
	not readable?
To: "General discussion list for the Fedora Directory server project."
	<fedora-directory-users at redhat.com>
Message-ID: <20071004141907.M49775 at mail.txwes.edu>
Content-Type: text/plain;	charset=iso-8859-1

Richard - It has been months since I did this, and I don't remember each
detail of the installation.  I did not use the default server user ID; I
changed it when given the opportunity during installation.  Maybe this
caused a permissions problem?   -Glenn.

---------- Original Message -----------
From: Richard Megginson <rmeggins at redhat.com>
To: "General discussion list for the Fedora Directory server project." 
<fedora-directory-users at redhat.com>
Sent: Wed, 03 Oct 2007 08:02:15 -0600
Subject: Re: [Fedora-directory-users] RedHat 4/Fedora-DS - SSL Cert DB not 
readable?

> Glenn wrote:
> > Travis - I had this problem with new installations and clean
> > re-installations.  The installation of Fedora Directory did not create
> > the certificate database.  I solved it by creating the
> > appropriately-named certificate database in the correct location using
> > certutil.  -Glenn. 
> >   
> Is there any sort of pattern to when it does or does not create the 
> key/cert databases?  When the server starts up, it is supposed to 
> create them if they are not there.  This means that /opt/fedora-ds/alias
> must be writable by the server user id (default nobody).
> 



------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users


End of Fedora-directory-users Digest, Vol 29, Issue 5
*****************************************************