Re: RE: Fedora-directory-users Digest, Vol 19, Issue 1

t b wrote:
> My logs seem to indicate that the connection is being encrypted; I can ssh to a client server and get the password prompt, but when I enter the password it just returns me to the password prompt again.
>
> [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
> [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
All of this means the client was able to successfully perform the startTLS extended operation and start using SSL.
> [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
> [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
The UNBIND means the client had a problem and closed the connection. Does the client print any errors? Are there any messages in the server error log?
>
> If I disable TLS everything works fine; the client server can query the FDS and auth the client properly.
>
> I am not sure whether the problem is with the pam_ldap config not being properly formatted or with the cert file not being in the proper format.
>
> Does anyone have an example of what the pam_ldap config should look like, or suggestions on checking whether the cert file is in the proper format?
I'm not sure. PAM needs the CA cert of the CA that issued the directory server's server cert. See http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
>
> Also, what's the UNBIND shown in the logs?
>
> Thanks
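The reading of the access log given above (startTLS EXT, RESULT err=0 and the SSL cipher line mean TLS came up; an UNBIND with no BIND in between means the client gave up) can be turned into a small checker. The script below is an example added here, not code from the thread or from the directory server project. The first six sample lines are the ones quoted in the thread with placeholder addresses filled in; the other lines are constructed for the example, and the "SSL connection from" wording for a connection accepted on the LDAPS port is an assumption about the log format.

```python
"""Read Fedora DS access-log lines and say how far each connection got.

Example added to the thread, not code from the list or from the directory
server project. Sample log: first six lines are the ones quoted in the thread
(addresses filled in); the rest are constructed, and the "SSL connection from"
wording for a connection accepted on the LDAPS port is an assumption.
"""
import re
from collections import defaultdict

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

SAMPLE_LOG = """\
[01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from 10.0.0.5 to 10.0.0.1
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
[01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
[01/Dec/2006:19:48:01 -0500] conn=651 fd=70 slot=70 SSL connection from 10.0.0.5 to 10.0.0.1
[01/Dec/2006:19:48:01 -0500] conn=651 SSL 256-bit AES
[01/Dec/2006:19:48:01 -0500] conn=651 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:48:01 -0500] conn=651 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Dec/2006:19:48:01 -0500] conn=651 op=1 UNBIND
[01/Dec/2006:19:48:01 -0500] conn=651 op=1 fd=70 closed - U1
[01/Dec/2006:19:49:10 -0500] conn=652 fd=71 slot=71 connection from 10.0.0.5 to 10.0.0.1
[01/Dec/2006:19:49:10 -0500] conn=652 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=com" method=128 version=3
[01/Dec/2006:19:49:10 -0500] conn=652 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[01/Dec/2006:19:49:10 -0500] conn=652 op=1 UNBIND
[01/Dec/2006:19:49:10 -0500] conn=652 op=1 fd=71 closed - U1
"""

LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=\d+ (?P<body>.*)$")
ERR_RE = re.compile(r"\berr=(\d+)")
DN_RE = re.compile(r'dn="([^"]*)"')


def parse_connections(text):
    """Group the per-connection part of each line by conn id, in log order."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns[int(m.group("conn"))].append(m.group("rest"))
    return conns


def classify(events):
    """Walk one connection's events and record what it did."""
    info = {"ldaps": False, "starttls_ok": False, "cipher": None,
            "bind_dn": None, "bind_err": None, "unbind_before_bind": False}
    waiting = None  # which request ("starttls" or "bind") the next RESULT answers
    for ev in events:
        if "SSL connection from" in ev:   # accepted on the LDAPS port (assumed wording)
            info["ldaps"] = True
            continue
        if ev.startswith("SSL "):         # handshake finished, cipher negotiated
            info["cipher"] = ev[len("SSL "):]
            continue
        m = OP_RE.match(ev)
        if not m:
            continue
        body = m.group("body")
        if body.startswith("EXT") and STARTTLS_OID in body:
            waiting = "starttls"
        elif body.startswith("BIND"):
            dn = DN_RE.search(body)
            info["bind_dn"] = dn.group(1) if dn else ""
            waiting = "bind"
        elif body.startswith("RESULT"):
            err = int(ERR_RE.search(body).group(1))
            if waiting == "starttls":
                info["starttls_ok"] = err == 0
            elif waiting == "bind":
                info["bind_err"] = err
            waiting = None
        elif body.startswith("UNBIND") and info["bind_dn"] is None:
            info["unbind_before_bind"] = True
    return info


def encrypted(info):
    """True when the server logged TLS: LDAPS, or StartTLS that reached a cipher."""
    return info["ldaps"] or (info["starttls_ok"] and info["cipher"] is not None)


def diagnose(info):
    """One-line verdict in the terms the thread uses."""
    transport = "TLS" if encrypted(info) else "cleartext"
    if info["unbind_before_bind"]:
        if encrypted(info):
            return ("TLS negotiated, then the client unbound without a BIND: check the "
                    "client's own errors (does it trust the CA that issued the server "
                    "cert?) and the server error log")
        return "cleartext: client unbound without a BIND"
    if info["bind_err"] is not None:
        outcome = "succeeded" if info["bind_err"] == 0 else f"failed, err={info['bind_err']}"
        return f"{transport}: BIND as {info['bind_dn']} {outcome}"
    return f"{transport}: no BIND seen"


def report(text):
    """Map conn id to diagnosis for every connection in the log text."""
    return {cid: diagnose(classify(evs)) for cid, evs in parse_connections(text).items()}
```

Running `report(SAMPLE_LOG)` gives conn=650 the "unbound without a BIND" verdict from the thread, conn=651 a successful bind over LDAPS, and conn=652 a cleartext bind that failed with err=49 (invalid credentials), which is the case the pam_ldap client would hit if its CA cert were fine but the password were wrong. The point of separating `encrypted` from the bind outcome is that the thread's symptom (password prompt loops) looks identical from the ssh side whether the client rejected the server cert or the directory rejected the password; only the access log tells them apart.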

From: fedora-directory-users-request@xxxxxxxxxx
Reply-To: fedora-directory-users@xxxxxxxxxx
To: fedora-directory-users@xxxxxxxxxx
Subject: Fedora-directory-users Digest, Vol 19, Issue 1
Date: Fri,  1 Dec 2006 12:00:06 -0500 (EST)



Today's Topics:

   1. pam_ldap with SSL/TLS (t b)
   2. RE: pam_ldap with SSL/TLS (Morris, Patrick)
   3. Re: pam_ldap with SSL/TLS (Richard Megginson)
   4. Problem with SSL console in X in specific circumstances (Philip Kime)
   5. FW: Extracting details from Active Directory to FDS (Paxton, Darren)
   6. alias in fedora directory server (patrick ndjientcheu ngandjui)
   7. Re: FW: Extracting details from Active Directory to FDS (Nicholas Byrne)
   8. Re: Memory usage (koniczynek)
   9. Re: Memory usage (David Boreham)
  10. Re: Memory usage (koniczynek)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Nov 2006 12:31:50 -0500
From: "t b" <mxheadroom@xxxxxxxxxxx>
Subject:  pam_ldap with SSL/TLS
To: fedora-directory-users@xxxxxxxxxx
Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0@xxxxxxx>
Content-Type: text/plain; format=flowed

I am trying to set up pam_ldap to use TLS to communicate with the FDS, but I am having lots of problems doing so; it works if I use the unencrypted way but not if I use ldaps (port 636).

I used the instructions at
http://directory.fedora.redhat.com/wiki/Howto:PAM

Has anyone gotten PAM to work with TLS?


Thanks




------------------------------

Message: 2
Date: Thu, 30 Nov 2006 13:00:56 -0500
From: "Morris, Patrick" <patrick.morris@xxxxxx>
Subject: RE:  pam_ldap with SSL/TLS
To: "General discussion list for the Fedora Directory server project."
    <fedora-directory-users@xxxxxxxxxx>
Message-ID:
<CD18C81835E18A40A64C4A0D16A237BE05FE850D@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Content-Type: text/plain; charset="US-ASCII"

> I am trying to setup pam_ldap to use TLS to communicate with
> the FDS, but having lots of problems doing so; it works if I
> use the unencrypted way but not if I use ldaps ( port 636 )

Someone should jump in here and correct me if I'm wrong, but I believe
it's normal for TLS connections to happen on the standard LDAP port.
You should be able to tell from your logs whether the connection is
encrypted or not.



------------------------------

Message: 3
Date: Thu, 30 Nov 2006 11:08:08 -0700
From: Richard Megginson <rmeggins@xxxxxxxxxx>
Subject: Re:  pam_ldap with SSL/TLS
To: "General discussion list for the Fedora Directory server project."
    <fedora-directory-users@xxxxxxxxxx>
Message-ID: <456F1E08.40601@xxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Morris, Patrick wrote:
>> I am trying to setup pam_ldap to use TLS to communicate with
>> the FDS, but having lots of problems doing so; it works if I
>> use the unencrypted way but not if I use ldaps ( port 636 )
>>
>
> Someone should jump in here and correct me if I'm wrong, but I believe
> it's normal for TLS connections to happen on the standard LDAP port.
> You should be able to tell from your logs whether the connection is
> encrypted or not.
>
Yes.  The LDAP "preferred" way is to use the startTLS extended operation
which starts a TLS session on the non-secure port.  This will be logged
in the access log.
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
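The original poster asked what a working pam_ldap configuration looks like. The /etc/ldap.conf fragment below (the file read by PADL pam_ldap and nss_ldap) is an example added here, not from the thread, the wiki page or the project. It shows StartTLS on the standard port, which the reply above calls the preferred way, with the LDAPS alternative commented out, and the weak peer-check setting beside the corrected one. The host name, base DN and CA file path are assumptions.

```conf
# /etc/ldap.conf for PADL pam_ldap / nss_ldap (example added to the thread;
# host name, base DN and file paths are assumptions)
base dc=example,dc=com
ldap_version 3

# Preferred: StartTLS on the standard port (389), as the reply above recommends.
uri ldap://ldap.example.com/
ssl start_tls

# Alternative: LDAPS on 636. Use one form or the other, not both.
# uri ldaps://ldap.example.com:636/
# ssl on

# Weak: "tls_checkpeer no" encrypts the session but accepts any server
# certificate, so the client cannot tell the real directory from an impostor
# and will happily send the user's password to whatever answers on the port.
# tls_checkpeer no

# Corrected: verify the server certificate against the CA that issued it.
# This is the "PAM needs the CA cert" requirement from the reply above; the
# file must be PEM, and the host name in "uri" must match the server cert.
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/fds-ca.pem
```

If the CA certificate only exists in the directory server's NSS database, it can be exported to PEM with `certutil -L -d <server cert db dir> -n "<CA nickname>" -a > fds-ca.pem` (directory and nickname depend on the installation), and `openssl x509 -in fds-ca.pem -noout -subject -issuer -dates` is a quick check that the resulting file is a well-formed certificate with a validity period that covers today. On systems where pam_ldap is linked against OpenLDAP's libldap, the equivalent client-side trust setting is `TLS_CACERT` in /etc/openldap/ldap.conf; a connection that comes up in the access log (startTLS RESULT err=0, then the SSL cipher line) and is immediately followed by UNBIND is what a client that cannot verify the server cert looks like from the server side.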

------------------------------

Message: 4
Date: Thu, 30 Nov 2006 18:02:55 -0800
From: "Philip Kime" <pkime@xxxxxxxxxxxxx>
Subject: Problem with SSL console in X in specific circumstances
To: <fedora-directory-users@xxxxxxxxxx>
Message-ID:
    <9C0091F428E697439E7A773FFD083427435BE3@xxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Here's the problem:

Running startconsole (SSL) to a remote display on a PC X-server (xwin32)
works fine and requires that my windows home dir on the PC X-server
machine has .fedora-console/ containing cert8.db and key3.db, as you'd
expect. If I rename this dir, the console hangs at the splash screen. So
far, so good, all makes sense.

If I try the same thing to cygwin's X server on same machine or to an X
server on a Mac running OSX, startconsole always hangs as if it can't
find ~/.fedora-console on the local machine. I've tried copying this dir
to what cygwin/OSX thinks is the user's home dir but no luck. Where
should I put the Cert db files under "real" UNIX X to get the SSL
console to work? Also tried ~/.mmc as per the docs but I could never get
this to work.

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407


------------------------------

Message: 5
Date: Fri, 1 Dec 2006 08:04:30 -0000
From: "Paxton, Darren" <Darren.Paxton@xxxxxxxxxx>
Subject: FW: Extracting details from Active Directory to FDS
To: <Fedora-directory-users@xxxxxxxxxx>
Message-ID:
    <52F7C07B119CF4439B7EFBFE0FB3256B027CBD02@xxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Skipped content of type multipart/alternative

------------------------------

Message: 6
Date: Fri, 1 Dec 2006 08:10:42 +0000 (GMT)
From: patrick ndjientcheu ngandjui <tchen_pat@xxxxxxxx>
Subject:  alias in fedora directory server
To: Fedora-directory-users@xxxxxxxxxx
Message-ID: <20061201081042.78578.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
I would like to know how to use aliases in Fedora Directory Server. It seems that they are used to point to another entry in the directory, but I don't know how to use this feature. Can someone help me with this issue? I would really appreciate an example.

Thanks

------------------------------

Message: 7
Date: Fri, 01 Dec 2006 11:50:13 +0000
From: Nicholas Byrne <nicholas.byrne@xxxxxxxxxxxx>
Subject: Re: FW: Extracting details from Active Directory to FDS
To: "General discussion list for the Fedora Directory server project."
    <fedora-directory-users@xxxxxxxxxx>
Message-ID: <457016F5.5030202@xxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Your messages got through; you can confirm by checking the archives:
https://www.redhat.com/archives/fedora-directory-users/

I'm a new user as well, so I'm afraid I can't answer your question, but
if you keep asking I'm sure someone will know!
Nick

Paxton, Darren wrote:
> Apologies for mailing yet again, however either my messages are not
> getting through (something I don't believe as I keep getting the post
> to the mailing list) - or for some reason, no one is willing to even
> acknowledge my issue.
>
> In the spirit of the community - can someone at least acknowledge a
> message as I find it quite disheartening that I have had no replies at
> all even if just to point me somewhere for assistance.
>
> ------------------------------------------------------------------------
> *From:* fedora-directory-users-bounces@xxxxxxxxxx
> [mailto:fedora-directory-users-bounces@xxxxxxxxxx] *On Behalf Of
> *Paxton, Darren
> *Sent:* 30 November 2006 08:46
> *To:* General discussion list for the Fedora Directory server project.
> *Subject:* RE:  Extracting details from
> ActiveDirectoryto FDS
>
> Hi
>
> Has anyone had any thoughts on my query or can point me in the right
> direction?
>
> As is the nature of AD, I would have thought it is possible to extract
> this information using a scope setting or something similar.
>
> Thanks
>
> Darren
>
> ------------------------------------------------------------------------
>     *From:* fedora-directory-users-bounces@xxxxxxxxxx
>     [mailto:fedora-directory-users-bounces@xxxxxxxxxx] *On Behalf Of
>     *Paxton, Darren
>     *Sent:* 24 November 2006 14:56
>     *To:* fedora-directory-users@xxxxxxxxxx
>     *Subject:* Extracting details from Active Directory to FDS
>
>     Hi all,
>
>     I've been tinkering with integrating our Linux devices into our AD
>     domain for some time and I've hit a few brick walls, however I've
>     recently discovered FDS and the synchronisation features with AD.
>
>     I've managed to set up a few replication jobs, however due to the
>     extensive nature of our AD, I've realised that the sync only takes
>     the group and user objects from the OU or CN being specified.
>
>     Is there any way I can specify that it should traverse all
>     subtrees of an OU and extract all that information back into FDS?
>
>     Thanks
>
>     Darren
>
>     --
>     Darren Paxton
>     EMEA Tier2
>     Red Hat Certified Engineer
>     VMware Certified Professional
>     MGTI Centralised ops

------------------------------

Message: 8
Date: Fri, 01 Dec 2006 16:45:28 +0100
From: koniczynek <koniczynek@xxxxxxxxxx>
Subject: Re:  Memory usage
To: "General discussion list for the Fedora Directory server project."
    <fedora-directory-users@xxxxxxxxxx>
Message-ID: <45704E18.3070705@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-2; format=flowed

Richard Megginson wrote:
> This is an excellent cache/memory tuning document from a Sun employee,
> primarily targeted to Sun DS users, but almost all of the information is
> relevant to Fedora DS (since they share a common lineage).
>
> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
Let's say I haven't got much time lately, so without thinking I changed
nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
restarting I've started to receive errors like "3 Time limit exceeded".
Does someone know what to do? ;)

--
xmpp/email: koniczynek@xxxxxxxxxx
xmpp/email: koniczynek@xxxxxxxxx



------------------------------

Message: 9
Date: Fri, 01 Dec 2006 09:15:14 -0700
From: David Boreham <david_list@xxxxxxxxxxx>
Subject: Re:  Memory usage
To: "General discussion list for the Fedora Directory server project."
    <fedora-directory-users@xxxxxxxxxx>
Message-ID: <45705512.4070808@xxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-2; format=flowed

koniczynek wrote:

> Richard Megginson wrote:
>
>> This is an excellent cache/memory tuning document from a Sun
>> employee, primarily targeted to Sun DS users, but almost all of the
>> information is relevant to Fedora DS (since they share a common
>> lineage).
>>
>> http://www.directorymanager.org/blogs/ds_cache_sizing.pdf
>
> Let's say I haven't got much time lately, so without thinking I changed
> nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
> restarting I've started to receive errors like "3 Time limit exceeded".
> Does someone know what to do? ;)
>
Change it back ?





------------------------------

Message: 10
Date: Fri, 01 Dec 2006 17:53:22 +0100
From: koniczynek <koniczynek@xxxxxxxxxx>
Subject: Re:  Memory usage
To: "General discussion list for the Fedora Directory server project."
    <fedora-directory-users@xxxxxxxxxx>
Message-ID: <45705E02.7020709@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-2

David Boreham, on 2006-12-01 17:15, wrote:
>> Let's say I haven't got much time lately, so without thinking I changed
>> nsslapd-import-cache-autosize in dse.ldif from -1 to 1, and after
>> restarting I've started to receive errors like "3 Time limit exceeded".
>> Does someone know what to do? ;)
> Change it back ?
man, please, show some respect ;) I did change it back, but to no avail.
Also I can say (to stop further questions): yes, I've stopped the server
before change.

--
email/xmpp: koniczynek@xxxxxxxxxx



------------------------------



End of Fedora-directory-users Digest, Vol 19, Issue 1
*****************************************************
