Richard,

I'm trying to use netgroups to control access to groups of hosts for groups of users, just as with NIS. I've searched the web for a decent example of creating the netgroup container within FDS, but haven't discovered any.

=-Clem

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of fedora-directory-users-request at redhat.com
Sent: Thursday, October 04, 2007 9:00 AM
To: fedora-directory-users at redhat.com
Subject: Fedora-directory-users Digest, Vol 29, Issue 5

Today's Topics:

   1. Re: nss_ldap cannot authenticate vs FDS (Peter Santiago)
   2. Re: problem with SSL and load balance (Enrico M. V. Fasanelli)
   3. linux authentication though ds (lance raymond)
   4. RE: problem with SSL and load balance (Richard Hesse)
   5. Re: problem with SSL and load balance (Jazcek Braden)
   6. Re: linux authentication though ds (Marc Sauton)
   7. Re: problem with SSL and load balance (Marc Sauton)
   8. Re: problem with SSL and load balance (Marc Sauton)
   9. Fedora-DS/netgroup configuration (Clementous Clement)
  10. Re: Fedora-DS/netgroup configuration (Steve Rigler)
  11. Re: RedHat 4/Fedora-DS - SSL Cert DB not readable? (Glenn)


----------------------------------------------------------------------

Message: 1
Date: Thu, 04 Oct 2007 00:08:05 +0800
From: Peter Santiago <peters at psinergybbs.com>
Subject: Re: nss_ldap cannot authenticate vs FDS
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>, Steve Rigler <srigler at marathonoil.com>
Message-ID: <20071004000805.w0m9bmxk6cws4sk0 at webmail.psinergybbs.com>
Content-Type: text/plain; charset="iso-8859-1"

Skipped content of type multipart/alternative

------------------------------

Message: 2
Date: Wed, 03 Oct 2007 19:49:56 +0200
From: "Enrico M. V. Fasanelli" <Enrico.M.V.Fasanelli at le.infn.it>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <4703D644.9020608 at le.infn.it>
Content-Type: text/plain; charset="iso-8859-1"

Hi Victor,

have you tried with a certificate that contains the alternate name of the server?

Something like
X509v3 Subject Alternative Name: DNS:fds.mydomain.com, DNS:fds1.mydomain.com

Ciao,
Enrico

Victor Hugo dos Santos wrote:
> Hello List,
>
> I have the same problem that Alex Aka had in Apr 2006
> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html
>
> I have two FDS (fds1 and fds2) in MMR
>
> in the DNS I created these machines
>
> fds1 IN A 10.0.0.11
> fds2 IN A 10.0.0.12
> fds  IN A 10.0.0.11
> fds  IN A 10.0.0.12
>
> in the clients, I configure ldap.conf with these parameters:
>
> BASE dc=mydomain,dc=com
> URI ldap://fds.mydomain.com
>
> this configuration works very, very well !!!! replication between the
> servers exists and fault tolerance in the clients.. but I enabled SSL in the
> server and in the clients (ldap.conf)
>
> BASE dc=mydomain,dc=com
> URI ldaps://fds.mydomain.com
> TLS_CACERT /etc/ssl/certs/cacert.org.pem
> TLS_REQCERT allow
>
> and it "doesn't" work !!! :-( I receive this error:
>
> ldap_bind: Can't contact LDAP server (-1)
>
> additional info: TLS: hostname does not match CN in peer certificate
>
> this problem derives from my having configured the servers with one
> certificate and a distinct CN for each independent server (fds1 and fds2)...
>
> if I configure the same certificate with the same CN (fds) for both nodes
> (fds1 and fds2).. it works fine in the clients, but the replication doesn't
> work !!! :-(
>
> obs.: my certificates are signed by http://cacert.org
>
> any idea or suggestion ???
>
> thanks
>

-- 
Few people know what Einstein really discovered: when we eat spaghetti, we are actually chewing a concentrate of Space-Time. (Antonino Zichichi)

------------------------------

Message: 3
Date: Wed, 3 Oct 2007 14:31:58 -0400
From: "lance raymond" <lance.raymond at gmail.com>
Subject: linux authentication though ds
To: fedora-directory-users at redhat.com
Message-ID: <5d1656000710031131y6cc0c663jb6a930299f76bfbb at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Afternoon, I have been reading a lot on this and wish to see if I am on the right track. I wish to have all employees' login information stored in DS, and authenticate through it. I subscribed to the list a few days ago and the questions are pretty high level, so it does seem that people are using fedora's version, so I guess for starters, is this possible.

I already have fedora ds running, added a few people, but I didn't see too much on authenticating through DS.

Thanks ...
lr

------------------------------

Message: 4
Date: Wed, 3 Oct 2007 12:17:50 -0700
From: Richard Hesse <richard at powerset.com>
Subject: RE: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4894671AAA at EXVMBX015-1.exch015.msoutlookonline.net>
Content-Type: text/plain; charset="us-ascii"

Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off.

-richard

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Victor Hugo dos Santos
Sent: Wednesday, October 03, 2007 8:20 AM
To: General discussion list for the Fedora Directory server project.
Subject: problem with SSL and load balance

Hello List,

I have the same problem that Alex Aka had in Apr 2006
http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html

I have two FDS (fds1 and fds2) in MMR

in the DNS I created these machines

fds1 IN A 10.0.0.11
fds2 IN A 10.0.0.12
fds  IN A 10.0.0.11
fds  IN A 10.0.0.12

in the clients, I configure ldap.conf with these parameters:

BASE dc=mydomain,dc=com
URI ldap://fds.mydomain.com

this configuration works very, very well !!!! replication between the
servers exists and fault tolerance in the clients.. but I enabled SSL in the
server and in the clients (ldap.conf)

BASE dc=mydomain,dc=com
URI ldaps://fds.mydomain.com
TLS_CACERT /etc/ssl/certs/cacert.org.pem
TLS_REQCERT allow

and it "doesn't" work !!! :-( I receive this error:

ldap_bind: Can't contact LDAP server (-1)

additional info: TLS: hostname does not match CN in peer certificate

this problem derives from my having configured the servers with one
certificate and a distinct CN for each independent server (fds1 and fds2)...

if I configure the same certificate with the same CN (fds) for both nodes
(fds1 and fds2).. it works fine in the clients, but the replication doesn't
work !!! :-(

obs.: my certificates are signed by http://cacert.org

any idea or suggestion ???

thanks

-- 
-- 
Victor Hugo dos Santos
Linux Counter #224399

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

------------------------------

Message: 5
Date: Wed, 03 Oct 2007 15:31:20 -0400
From: Jazcek Braden <jazcek at scs.fsu.edu>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <4703EE08.4020003 at scs.fsu.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Wildcard certs definitely work, that is the way that I have my load balanced installation set up. However, if you are trying to use self-signed certificates I think you have to make sure to set up the trust chain, but I am not sure.

-- 
Jazcek Braden

Richard Hesse wrote:
> Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off.
>
> -richard
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Victor Hugo dos Santos
> Sent: Wednesday, October 03, 2007 8:20 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: problem with SSL and load balance
>
> Hello List,
>
> I have the same problem that Alex Aka had in Apr 2006
> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html
>
> I have two FDS (fds1 and fds2) in MMR
>
> in the DNS I created these machines
>
> fds1 IN A 10.0.0.11
> fds2 IN A 10.0.0.12
> fds  IN A 10.0.0.11
> fds  IN A 10.0.0.12
>
> in the clients, I configure ldap.conf with these parameters:
>
> BASE dc=mydomain,dc=com
> URI ldap://fds.mydomain.com
>
> this configuration works very, very well !!!! replication between the
> servers exists and fault tolerance in the clients.. but I enabled SSL in the
> server and in the clients (ldap.conf)
>
> BASE dc=mydomain,dc=com
> URI ldaps://fds.mydomain.com
> TLS_CACERT /etc/ssl/certs/cacert.org.pem
> TLS_REQCERT allow
>
> and it "doesn't" work !!! :-( I receive this error:
>
> ldap_bind: Can't contact LDAP server (-1)
>
> additional info: TLS: hostname does not match CN in peer certificate
>
> this problem derives from my having configured the servers with one
> certificate and a distinct CN for each independent server (fds1 and fds2)...
>
> if I configure the same certificate with the same CN (fds) for both nodes
> (fds1 and fds2).. it works fine in the clients, but the replication doesn't
> work !!! :-(
>
> obs.: my certificates are signed by http://cacert.org
>
> any idea or suggestion ???
>
> thanks
>
> -- 
> -- 
> Victor Hugo dos Santos
> Linux Counter #224399
>
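The hostname check behind the "hostname does not match CN" error, as an added worked example (not code from the thread, from OpenLDAP or from Fedora DS): it applies the RFC 6125 matching rules to the three certificate shapes discussed here, the per-node CN, Enrico's SAN with both names and Richard's wildcard, and reports which of a node's names each would be rejected for. It assumes the replication partner connects to the node by its own name, fds1.mydomain.com, and models certificates as constructed CN/SAN dicts rather than parsing real X.509.

```python
"""Hostname matching against a certificate's CN / Subject Alternative Name (RFC 6125 rules).
Models the thread's failure ("TLS: hostname does not match CN in peer certificate") and
the fix of listing every name a node answers to in its SAN. Pure stdlib; the certificate
identities below are constructed dicts, not parsed X.509 certificates."""

SAN_PREFIX = "X509v3 Subject Alternative Name:"


def parse_san_line(line: str) -> list:
    """Pull the dNSName entries out of an openssl-text style SAN line."""
    _, _, values = line.partition(SAN_PREFIX)
    return [v.strip()[4:].lower() for v in values.split(",") if v.strip().lower().startswith("dns:")]


def identifier_matches(pattern: str, hostname: str) -> bool:
    """One presented identifier against one hostname, case-insensitively."""
    pattern, hostname = pattern.lower(), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard must be the whole leftmost label, needs at least two labels after it,
    # and matches exactly one label (so *.mydomain.com never covers a.b.mydomain.com).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """cert = {"cn": str, "san": [dNSName, ...]}. When any dNSName SAN is present
    the CN is not consulted, which is why the SAN must repeat the node's own name."""
    identifiers = cert["san"] or [cert["cn"]]
    return any(identifier_matches(ident, hostname) for ident in identifiers)


def rejected_names(cert: dict, names: list) -> list:
    """Names a verifying client (or replication peer) would refuse this certificate for."""
    return [n for n in names if not hostname_matches(cert, n)]


# Constructed identities mirroring the thread: per-node CN, SAN with both names, wildcard.
CERT_NODE_ONLY = {"cn": "fds1.mydomain.com", "san": []}
CERT_WITH_SAN = {"cn": "fds1.mydomain.com",
                 "san": parse_san_line(SAN_PREFIX + " DNS:fds.mydomain.com, DNS:fds1.mydomain.com")}
CERT_WILDCARD = {"cn": "*.mydomain.com", "san": []}
# The alias the clients use plus the node name a replication partner is assumed to connect to.
NAMES_FOR_FDS1 = ["fds.mydomain.com", "fds1.mydomain.com"]

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_NODE_ONLY), ("SAN", CERT_WITH_SAN), ("wildcard", CERT_WILDCARD)):
        print(f"{label:8s} rejected for: {rejected_names(cert, NAMES_FOR_FDS1)}")
```

Turning peer checking off, as the thread also mentions, makes every shape pass only by skipping this check entirely; a SAN that lists every name keeps the check on.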
------------------------------

Message: 6
Date: Wed, 03 Oct 2007 13:31:35 -0700
From: Marc Sauton <msauton at redhat.com>
Subject: Re: linux authentication though ds
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <4703FC27.6030900 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

It depends on what you want to do; there is some info in the howto section at:
http://directory.fedoraproject.org/wiki/Documentation#Howtos
Under "A series of articles about how to get the Directory Server working with other tools", you will find some links to articles, for example about pam, mta's, file system, apache.
M.

lance raymond wrote:
> Afternoon, I have been reading a lot on this and wish to see if I am
> on the right track. I wish to have all employees' login information
> stored in DS, and authenticate through it. I subscribed to the
> list a few days ago and the questions are pretty high level, so it
> does seem that people are using fedora's version, so I guess for
> starters, is this possible.
>
> I already have fedora ds running, added a few people, but I didn't see
> too much on authenticating through DS.
>
> Thanks ...
> lr
>

------------------------------

Message: 7
Date: Wed, 03 Oct 2007 13:36:26 -0700
From: Marc Sauton <msauton at redhat.com>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <4703FD4A.70907 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Just for info, there was a good contribution in
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name
M.

Enrico M. V. Fasanelli wrote:
> Hi Victor,
>
> have you tried with a certificate that contains the alternate name of
> the server?
>
> Something like
> X509v3 Subject Alternative Name: DNS:fds.mydomain.com,
> DNS:fds1.mydomain.com
>
> Ciao,
> Enrico
>
> Victor Hugo dos Santos wrote:
>> Hello List,
>>
>> I have the same problem that Alex Aka had in Apr 2006
>> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html
>>
>> I have two FDS (fds1 and fds2) in MMR
>>
>> in the DNS I created these machines
>>
>> fds1 IN A 10.0.0.11
>> fds2 IN A 10.0.0.12
>> fds  IN A 10.0.0.11
>> fds  IN A 10.0.0.12
>>
>> in the clients, I configure ldap.conf with these parameters:
>>
>> BASE dc=mydomain,dc=com
>> URI ldap://fds.mydomain.com
>>
>> this configuration works very, very well !!!! replication between the
>> servers exists and fault tolerance in the clients.. but I enabled SSL in the
>> server and in the clients (ldap.conf)
>>
>> BASE dc=mydomain,dc=com
>> URI ldaps://fds.mydomain.com
>> TLS_CACERT /etc/ssl/certs/cacert.org.pem
>> TLS_REQCERT allow
>>
>> and it "doesn't" work !!! :-( I receive this error:
>>
>> ldap_bind: Can't contact LDAP server (-1)
>>
>> additional info: TLS: hostname does not match CN in peer certificate
>>
>> this problem derives from my having configured the servers with one
>> certificate and a distinct CN for each independent server (fds1 and fds2)...
>>
>> if I configure the same certificate with the same CN (fds) for both nodes
>> (fds1 and fds2).. it works fine in the clients, but the replication doesn't
>> work !!! :-(
>>
>> obs.: my certificates are signed by http://cacert.org
>>
>> any idea or suggestion ???
>>
>> thanks
>>
>

------------------------------

Message: 8
Date: Wed, 03 Oct 2007 13:37:34 -0700
From: Marc Sauton <msauton at redhat.com>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <4703FD8E.4080108 at redhat.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

See
http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_Fedora_DS
M.

Jazcek Braden wrote:
> Wildcard certs definitely work, that is the way that I have my load
> balanced installation set up. However, if you are trying to use
> self-signed certificates I think you have to make sure to set up the
> trust chain, but I am not sure.
>

------------------------------

Message: 9
Date: Wed, 3 Oct 2007 09:26:58 -0700
From: "Clementous Clement" <Clementous.Clement at fox.com>
Subject: Fedora-DS/netgroup configuration
To: <fedora-directory-users at redhat.com>
Message-ID: <12C2BCDB3FA74D4E8E482325998611190277EF48 at fegplmsexmb05.ffe.foxeg.com>
Content-Type: text/plain; charset="us-ascii"

Hello Everyone,

I'm a newbie to configuring/deploying Fedora-DS. I've been lucky enough to complete the installation for Fedora-DS. I need a little guidance on setting up and configuring netgroups. I've located the link below and researched it, but still can't get the feature to work. Any advice?

http://directory.fedoraproject.org/wiki/Howto:Netgroups

Thanks In Advance,

Clementous Clement
System Administrator
cclementous at gmail.com

------------------------------

Message: 10
Date: Thu, 04 Oct 2007 08:22:10 -0500
From: Steve Rigler <srigler at MarathonOil.com>
Subject: Re: Fedora-DS/netgroup configuration
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <1191504130.4298.8.camel at houuc8>
Content-Type: text/plain

On Wed, 2007-10-03 at 09:26 -0700, Clementous Clement wrote:
> Hello Everyone,
>
> I'm a newbie to configuring/deploying Fedora-DS. I've been lucky
> enough to complete the installation for Fedora-DS. I need a little
> guidance on setting up and configuring netgroups. I've located the
> link below and researched it, but still can't get the
> feature to work. Any advice?
>
> http://directory.fedoraproject.org/wiki/Howto:Netgroups
>
> Thanks In Advance,
>
> Clementous Clement
> System Administrator
> cclementous at gmail.com
>

What are you trying to accomplish with netgroups that isn't working?

-Steve

------------------------------

Message: 11
Date: Thu, 4 Oct 2007 09:25:33 -0500
From: "Glenn" <glenn at mail.txwes.edu>
Subject: Re: RedHat 4/Fedora-DS - SSL Cert DB not readable?
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Message-ID: <20071004141907.M49775 at mail.txwes.edu>
Content-Type: text/plain; charset=iso-8859-1

Richard -

It has been months since I did this, and I don't remember each detail of the installation. I did not use the default server user ID; I changed it when given the opportunity during installation. Maybe this caused a permissions problem?

-Glenn.

---------- Original Message -----------
From: Richard Megginson <rmeggins at redhat.com>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users at redhat.com>
Sent: Wed, 03 Oct 2007 08:02:15 -0600
Subject: Re: RedHat 4/Fedora-DS - SSL Cert DB not readable?

> Glenn wrote:
> > Travis - I had this problem with new installations and clean
> > re-installations. The installation of Fedora Directory did not create the
> > certificate database. I solved it by creating the appropriately-named
> > certificate database in the correct location using certutil. -Glenn.
> >
> Is there any sort of pattern to when it does or does not create the
> key/cert databases? When the server starts up, it is supposed to
> create them if they are not there. This means that
> /opt/fedora-ds/alias must be writable by the server user id (default nobody).
>

------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

End of Fedora-directory-users Digest, Vol 29, Issue 5
*****************************************************
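Since the netgroup container question is asked twice above (Clem's reply at the top and message 9), one added example serves both; it is not taken from the Howto:Netgroups page or from Fedora DS. It shows constructed LDIF for an ou=Netgroups container holding RFC 2307 nisNetgroup entries, a small reader for that LDIF, and innetgr()-style resolution of nisNetgroupTriple values including nested memberNisNetgroup. The container name, hosts, users and domain are assumed values, and login_allowed models a pam_access rule of the form '+ : @webadmins : @webhosts'.

```python
"""Netgroups in LDAP (RFC 2307 nisNetgroup): container LDIF plus innetgr() semantics.
A nisNetgroupTriple is "(host,user,domain)"; an empty field matches anything,
and memberNisNetgroup nests another netgroup by its cn."""
from typing import Optional

# Constructed LDIF: the container and three netgroups under an assumed dc=example,dc=com.
NETGROUP_LDIF = """\
dn: ou=Netgroups,dc=example,dc=com
objectClass: organizationalUnit
ou: Netgroups

dn: cn=webhosts,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: webhosts
nisNetgroupTriple: (web1.example.com,,example.com)
nisNetgroupTriple: (web2.example.com,,example.com)

dn: cn=webadmins,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: webadmins
nisNetgroupTriple: (,alice,example.com)

dn: cn=weblogin,ou=Netgroups,dc=example,dc=com
objectClass: nisNetgroup
cn: weblogin
memberNisNetgroup: webhosts
memberNisNetgroup: webadmins
"""

def parse_netgroups(ldif: str) -> dict:
    """Map each nisNetgroup cn to (triples, nested member netgroups)."""
    groups = {}
    for block in ldif.strip().split("\n\n"):
        attrs: dict = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        if "nisNetgroup" not in attrs.get("objectClass", []):
            continue  # the organizationalUnit container carries no members
        triples = [tuple(t.strip("()").split(",")) for t in attrs.get("nisNetgroupTriple", [])]
        groups[attrs["cn"][0]] = (triples, attrs.get("memberNisNetgroup", []))
    return groups

def innetgr(groups: dict, name: str, host: Optional[str] = None, user: Optional[str] = None,
            domain: Optional[str] = None, _seen: Optional[set] = None) -> bool:
    """innetgr(3) rules: a None argument is 'don't care'; an empty triple field is a wildcard."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return False  # unknown netgroup, or a memberNisNetgroup cycle
    _seen.add(name)
    triples, members = groups[name]
    for triple in triples:
        if all(want is None or have == "" or have == want
               for have, want in zip(triple, (host, user, domain))):
            return True
    return any(innetgr(groups, m, host, user, domain, _seen) for m in members)

def login_allowed(groups: dict, user: str, host: str) -> bool:
    """User and host checked in separate netgroups, as '+ : @webadmins : @webhosts' does."""
    return innetgr(groups, "webadmins", user=user) and innetgr(groups, "webhosts", host=host)
```

Note the weblogin entry: because host-only triples leave the user field empty, a netgroup that nests both host and user netgroups answers yes for any user on those hosts, so keep hosts and users in separate netgroups when a rule needs both.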