My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again.

[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1

If I disable TLS everything works fine; the client server can query the FDS and auth the client properly.

I am not sure if the problem has to do with the pam_ldap config not being properly formatted or the cert file not being in the proper format. Does anyone have an example of what the pam_ldap config should look like, or suggestions on checking whether the cert file is in the proper format?

Also, what's the UNBIND shown in the logs?

Thanks

>From: fedora-directory-users-request at redhat.com
>Reply-To: fedora-directory-users at redhat.com
>To: fedora-directory-users at redhat.com
>Subject: Fedora-directory-users Digest, Vol 19, Issue 1
>Date: Fri, 1 Dec 2006 12:00:06 -0500 (EST)
>
>Send Fedora-directory-users mailing list submissions to
>    fedora-directory-users at redhat.com
>
>To subscribe or unsubscribe via the World Wide Web, visit
>    https://www.redhat.com/mailman/listinfo/fedora-directory-users
>or, via email, send a message with subject or body 'help' to
>    fedora-directory-users-request at redhat.com
>
>You can reach the person managing the list at
>    fedora-directory-users-owner at redhat.com
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Fedora-directory-users digest..."
>
>
>Today's Topics:
>
>   1. pam_ldap with SSL/TLS (t b)
>   2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
>   3. Re: pam_ldap with SSL/TLS (Richard Megginson)
>   4. Problem with SSL console in X in specific circumstances (Philip Kime)
>   5. FW: Extracting details from ActiveDirectoryto FDS (Paxton, Darren)
>   6. alias in fedora directory server (patrick ndjientcheu ngandjui)
>   7. Re: FW: Extracting details from ActiveDirectoryto FDS (Nicholas Byrne)
>   8. Re: Memory usage (koniczynek)
>   9. Re: Memory usage (David Boreham)
>  10. Re: Memory usage (koniczynek)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 30 Nov 2006 12:31:50 -0500
>From: "t b" <mxheadroom at hotmail.com>
>Subject: pam_ldap with SSL/TLS
>To: fedora-directory-users at redhat.com
>Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0 at phx.gbl>
>Content-Type: text/plain; format=flowed
>
>I am trying to set up pam_ldap to use TLS to communicate with the FDS, but
>having lots of problems doing so; it works if I use the unencrypted way but
>not if I use ldaps (port 636).
>
>I used the instructions at
>http://directory.fedora.redhat.com/wiki/Howto:PAM
>
>Has anyone gotten PAM to work with TLS?
>
>
>Thanks
>
>------------------------------
>
>Message: 2
>Date: Thu, 30 Nov 2006 13:00:56 -0500
>From: "Morris, Patrick" <patrick.morris at hp.com>
>Subject: RE: pam_ldap with SSL/TLS
>To: "General discussion list for the Fedora Directory server project."
>    <fedora-directory-users at redhat.com>
>Message-ID:
>    <CD18C81835E18A40A64C4A0D16A237BE05FE850D at ATAEXC01.americas.cpqcorp.net>
>Content-Type: text/plain; charset="US-ASCII"
>
>> I am trying to setup pam_ldap to use TLS to communicate with
>> the FDS, but having lots of problems doing so; it works if I
>> use the unencrypted way but not if I use ldaps ( port 636 )
>
>Someone should jump in here and correct me if I'm wrong, but I believe
>it's normal for TLS connections to happen on the standard LDAP port.
>You should be able to tell from your logs whether the connection is
>encrypted or not.
>
>
>
>------------------------------
>
>Message: 3
>Date: Thu, 30 Nov 2006 11:08:08 -0700
>From: Richard Megginson <rmeggins at redhat.com>
>Subject: Re: pam_ldap with SSL/TLS
>To: "General discussion list for the Fedora Directory server project."
>    <fedora-directory-users at redhat.com>
>Message-ID: <456F1E08.40601 at redhat.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Morris, Patrick wrote:
>> >> I am trying to setup pam_ldap to use TLS to communicate with
>> >> the FDS, but having lots of problems doing so; it works if I
>> >> use the unencrypted way but not if I use ldaps ( port 636 )
>> >>
>> >
>> > Someone should jump in here and correct me if I'm wrong, but I believe
>> > it's normal for TLS connections to happen on the standard LDAP port.
>> > You should be able to tell from your logs whether the connection is
>> > encrypted or not.
>>
>Yes.  The LDAP "preferred" way is to use the startTLS extended operation
>which starts a TLS session on the non-secure port.  This will be logged
>in the access log.
>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>------------------------------
>
>Message: 4
>Date: Thu, 30 Nov 2006 18:02:55 -0800
>From: "Philip Kime" <pkime at Shopzilla.com>
>Subject: Problem with SSL console in X in specific circumstances
>To: <fedora-directory-users at redhat.com>
>Message-ID:
>    <9C0091F428E697439E7A773FFD083427435BE3 at szexchange.Shopzilla.inc>
>Content-Type: text/plain; charset="us-ascii"
>
>Here's the problem:
>
>Running startconsole (SSL) to a remote display on a PC X-server (xwin32)
>works fine and requires that my windows home dir on the PC X-server
>machine has .fedora-console/ containing cert8.db and key3.db, as you'd
>expect. If I rename this dir, the console hangs at the splash screen. So
>far, so good, all makes sense.
>
>If I try the same thing to cygwin's X server on the same machine or to an X
>server on a Mac running OSX, startconsole always hangs as if it can't
>find ~/.fedora-console on the local machine. I've tried copying this dir
>to what cygwin/OSX thinks is the user's home dir but no luck. Where
>should I put the Cert db files under "real" UNIX X to get the SSL
>console to work? Also tried ~/.mmc as per the docs but I could never get
>this to work.
>
>PK
>
>--
>Philip Kime
>NOPS Systems Architect
>310 401 0407
>
>------------------------------
>
>Message: 5
>Date: Fri, 1 Dec 2006 08:04:30 -0000
>From: "Paxton, Darren" <Darren.Paxton at mercer.com>
>Subject: FW: Extracting details from ActiveDirectoryto FDS
>To: <Fedora-directory-users at redhat.com>
>Message-ID:
>    <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02 at eidwpexms06.mercer.com>
>Content-Type: text/plain; charset="us-ascii"
>
>Skipped content of type multipart/alternative
>
>------------------------------
>
>Message: 6
>Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT)
>From: patrick ndjientcheu ngandjui <tchen_pat at yahoo.fr>
>Subject: alias in fedora directory server
>To: Fedora-directory-users at redhat.com
>Message-ID: <20061201081042.78578.qmail at web25801.mail.ukl.yahoo.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi,
>I would like to know how to use alias in fedora directory server. It seems
>that it is used for pointing to another entry in the directory, but I don't
>know how to use this feature. May someone help me on this issue? I would
>really appreciate an example.
>
>Thanks
>
>------------------------------
>
>Message: 7
>Date: Fri, 01 Dec 2006 11:50:13 +0000
>From: Nicholas Byrne <nicholas.byrne at quadriga.com>
>Subject: Re: FW: Extracting details from ActiveDirectoryto FDS
>To: "General discussion list for the Fedora Directory server project."
>    <fedora-directory-users at redhat.com>
>Message-ID: <457016F5.5030202 at quadriga.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Your messages got through - you can confirm by checking the archives -
>https://www.redhat.com/archives/fedora-directory-users/
>
>I'm a new user as well so I'm afraid I can't answer your question, but
>if you keep asking I'm sure someone will know!
>Nick
>
>Paxton, Darren wrote:
>> Apologies for mailing yet again, however either my messages are not
>> getting through (something I don't believe as I keep getting the post
>> to the mailing list) - or for some reason, no one is willing to even
>> acknowledge my issue.
>>
>> In the spirit of the community - can someone at least acknowledge a
>> message as I find it quite disheartening that I have had no replies at
>> all even if just to point me somewhere for assistance.
>>
>> ------------------------------------------------------------------------
>> *From:* fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of
>> *Paxton, Darren
>> *Sent:* 30 November 2006 08:46
>> *To:* General discussion list for the Fedora Directory server project.
>> *Subject:* RE: Extracting details from ActiveDirectoryto FDS
>>
>> Hi
>>
>> Has anyone had any thoughts on my query or can point me in the right
>> direction?
>>
>> As is the nature of AD, I would have thought it is possible to extract
>> this information using a scope setting or something similar.
>>
>> Thanks
>>
>> Darren
>>
>> ------------------------------------------------------------------------
>> *From:* fedora-directory-users-bounces at redhat.com
>> [mailto:fedora-directory-users-bounces at redhat.com] *On Behalf Of
>> *Paxton, Darren
>> *Sent:* 24 November 2006 14:56
>> *To:* fedora-directory-users at redhat.com
>> *Subject:* Extracting details from Active Directoryto FDS
>>
>> Hi all,
>>
>> I've been tinkering with integrating our Linux devices into our AD
>> domain for some time and I've hit a few brick walls, however I've
>> recently discovered FDS and the synchronisation features with AD.
>>
>> I've managed to set up a few replication jobs, however due to the
>> extensive nature of our AD, I've realised that the sync only takes
>> the group and user objects from the OU or CN being specified.
>>
>> Is there any way I can specify that it should traverse all
>> subtrees of an OU and extract all that information back into FDS?
>>
>> Thanks
>>
>> Darren
>>
>> --
>> Darren Paxton
>> EMEA Tier2
>> Red Hat Certified Engineer
>> VMware Certified Professional
>> MGTI Centralised ops
>
>------------------------------
>
>Message: 8
>Date: Fri, 01 Dec 2006 16:45:28 +0100
>From: koniczynek <koniczynek at uaznia.net>
>Subject: Re: Memory usage
>To: "General discussion list for the Fedora Directory server project."
>    <fedora-directory-users at redhat.com>
>Message-ID: <45704E18.3070705 at uaznia.net>
>Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
>Richard Megginson wrote:
>> This is an excellent cache/memory tuning document from a Sun employee,
>> primarily targeted to Sun DS users, but almost all of the information is
>> relevant to Fedora DS (since they share a common lineage).
>>
>> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>Let's say I haven't got much time lately, so without thinking I've changed
>in dse.ldif
>nsslapd-import-cache-autosize from -1 to 1 and after restarting I've
>started to receive errors like: "3 Time limit exceeded". Does someone
>know what to do? ;)
>
>--
>xmpp/email: koniczynek at uaznia.net
>xmpp/email: koniczynek at gmail.com
>
>
>
>------------------------------
>
>Message: 9
>Date: Fri, 01 Dec 2006 09:15:14 -0700
>From: David Boreham <david_list at boreham.org>
>Subject: Re: Memory usage
>To: "General discussion list for the Fedora Directory server project."
>    <fedora-directory-users at redhat.com>
>Message-ID: <45705512.4070808 at boreham.org>
>Content-Type: text/plain; charset=ISO-8859-2; format=flowed
>
>koniczynek wrote:
>
>> Richard Megginson wrote:
>>
>>> This is an excellent cache/memory tuning document from a Sun
>>> employee, primarily targeted to Sun DS users, but almost all of the
>>> information is relevant to Fedora DS (since they share a common
>>> lineage).
>>>
>>> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>>
>> Let's say I haven't got much time lately, so without thinking I've
>> changed in dse.ldif
>> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've
>> started to receive errors like: "3 Time limit exceeded". Does someone
>> know what to do? ;)
>
>Change it back?
>
>
>
>------------------------------
>
>Message: 10
>Date: Fri, 01 Dec 2006 17:53:22 +0100
>From: koniczynek <koniczynek at uaznia.net>
>Subject: Re: Memory usage
>To: "General discussion list for the Fedora Directory server project."
>    <fedora-directory-users at redhat.com>
>Message-ID: <45705E02.7020709 at uaznia.net>
>Content-Type: text/plain; charset=ISO-8859-2
>
>David Boreham, on 2006-12-01 17:15 wrote:
>>> Let's say I haven't got much time lately, so without thinking I've
>>> changed in dse.ldif
>>> nsslapd-import-cache-autosize from -1 to 1 and after restarting I've
>>> started to receive errors like: "3 Time limit exceeded". Does someone
>>> know what to do? ;)
>> Change it back?
>Man, please, show some respect ;) I did change it back, but to no avail.
>Also I can say (to stop further questions): yes, I've stopped the server
>before the change.
>
>--
>email/xmpp: koniczynek at uaznia.net
>
>
>
>------------------------------
>
>End of Fedora-directory-users Digest, Vol 19, Issue 1
>*****************************************************
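The access-log excerpt at the top of this post shows the server side of StartTLS succeeding (the EXT with OID 1.3.6.1.4.1.1466.20037, a RESULT with err=0, then the "SSL 256-bit AES" line that the server writes once the handshake is up) and the client then sending UNBIND, which is just the client closing its LDAP session, without ever issuing a BIND or SRCH. The following is an added example, not code from this post or from Fedora Directory Server, that groups access-log lines by conn= and classifies each connection so that pattern stands out; the conn=651 lines are constructed for contrast, and the verdict strings returned by diagnose() are my own names.

```python
import re
from collections import defaultdict

# Constructed sample: the six conn=650 lines are the excerpt from the post above;
# conn=651 is a constructed healthy pam_ldap-style exchange in the same format.
SAMPLE_LOG = """\
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
[01/Dec/2006:19:50:01 -0500] conn=651 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:50:01 -0500] conn=651 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:50:01 -0500] conn=651 SSL 256-bit AES
[01/Dec/2006:19:50:01 -0500] conn=651 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[01/Dec/2006:19:50:01 -0500] conn=651 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Dec/2006:19:50:01 -0500] conn=651 op=2 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:50:01 -0500] conn=651 op=2 RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2006:19:50:01 -0500] conn=651 op=3 UNBIND
"""

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
EXT_RE = re.compile(r'op=\d+ EXT oid="([^"]+)"')
RESULT_RE = re.compile(r"op=(\d+) RESULT err=(\d+)")
OP_RE = re.compile(r"op=\d+ (BIND|SRCH|UNBIND|MOD|ADD|DEL)\b")


def parse_access_log(text):
    """Group FDS access-log lines by connection and record what each client did."""
    conns = defaultdict(lambda: {"ops": [], "cipher": None, "errors": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        c = conns[int(m.group("conn"))]
        rest = m.group("rest")
        if (ext := EXT_RE.match(rest)) and ext.group(1) == START_TLS_OID:
            c["ops"].append("startTLS")
        elif rest.startswith("SSL "):
            c["cipher"] = rest[4:]  # logged only once the TLS handshake has completed
        elif (res := RESULT_RE.match(rest)) and int(res.group(2)) != 0:
            c["errors"].append((int(res.group(1)), int(res.group(2))))
        elif op := OP_RE.match(rest):
            c["ops"].append(op.group(1))
    return dict(conns)


def diagnose(conn):
    # One-word verdict on a connection as seen from the server's access log.
    if conn["cipher"] is None:
        return "no-tls"          # client never completed StartTLS
    if conn["errors"]:
        return "ldap-error"      # server rejected an operation (err!=0 on a RESULT)
    if not {"BIND", "SRCH"} & set(conn["ops"]):
        return "tls-then-unbind"  # handshake done, client left without binding or searching
    return "tls-ok"
```

A "tls-then-unbind" verdict says the server finished its part of the handshake and the client walked away before trying to authenticate, so the next thing to inspect is the client's own pam_ldap/TLS error output rather than the server's password handling.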