Richard,

I'm trying to use netgroups to control access to groups of hosts for groups of users, just as with NIS. I've searched the web for a decent example of creating the netgroup container within FDS, but haven't discovered any.

-Clem

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of fedora-directory-users-request@xxxxxxxxxx
Sent: Thursday, October 04, 2007 9:00 AM
To: fedora-directory-users@xxxxxxxxxx
Subject: Fedora-directory-users Digest, Vol 29, Issue 5

Send Fedora-directory-users mailing list submissions to
    fedora-directory-users@xxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
    https://www.redhat.com/mailman/listinfo/fedora-directory-users
or, via email, send a message with subject or body 'help' to
    fedora-directory-users-request@xxxxxxxxxx

You can reach the person managing the list at
    fedora-directory-users-owner@xxxxxxxxxx

When replying, please edit your Subject line so it is more specific than "Re: Contents of Fedora-directory-users digest..."

Today's Topics:

   1. Re: nss_ldap cannot authenticate vs FDS (Peter Santiago)
   2. Re: problem with SSL and load balance (Enrico M. V. Fasanelli)
   3. linux authentication though ds (lance raymond)
   4. RE: problem with SSL and load balance (Richard Hesse)
   5. Re: problem with SSL and load balance (Jazcek Braden)
   6. Re: linux authentication though ds (Marc Sauton)
   7. Re: problem with SSL and load balance (Marc Sauton)
   8. Re: problem with SSL and load balance (Marc Sauton)
   9. Fedora-DS/netgroup configuration (Clementous Clement)
  10. Re: Fedora-DS/netgroup configuration (Steve Rigler)
  11. Re: RedHat 4/Fedora-DS - SSL Cert DB not readable? (Glenn)

----------------------------------------------------------------------

Message: 1
Date: Thu, 04 Oct 2007 00:08:05 +0800
From: Peter Santiago <peters@xxxxxxxxxxxxxxx>
Subject: Re: nss_ldap cannot authenticate vs FDS
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>, Steve Rigler <srigler@xxxxxxxxxxxxxxx>
Message-ID: <20071004000805.w0m9bmxk6cws4sk0@xxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Skipped content of type multipart/alternative

------------------------------

Message: 2
Date: Wed, 03 Oct 2007 19:49:56 +0200
From: "Enrico M. V. Fasanelli" <Enrico.M.V.Fasanelli@xxxxxxxxxx>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <4703D644.9020608@xxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hi Victor,

have you tried with a certificate that contains the alternate name of the server?

Something like
X509v3 Subject Alternative Name: DNS:fds.mydomain.com, DNS:fds1.mydomain.com

Ciao,
Enrico

Victor Hugo dos Santos wrote:
> Hello List,
>
> I have the same problem that Alex Aka in Apr 2006
> http://www.redhat.com/archives/fedora-directory-users/2006-April/msg00022.html
>
> I have two FDS (fds1 and fds2) in MMR
>
> in the DNS I create this machines
>
> fds1 IN A 10.0.0.11
> fds2 IN A 10.0.0.12
> fds  IN A 10.0.0.11
> fds  IN A 10.0.0.12
>
> in the clients, I configure the ldap.conf with this parameters:
>
> BASE dc=mydomain,dc=com
> URI ldap://fds.mydomain.com
>
> this configuration work very, very fine !!!! exist replication between
> servers and fault tolerance in the clients.. but I enable SSL in
> server and in the clients (ldap.conf)
>
> BASE dc=mydomain,dc=com
> URI ldaps://fds.mydomain.com
> TLS_CACERT /etc/ssl/certs/cacert.org.pem
> TLS_REQCERT allow
>
> and "no" work !!! :-( I receive this error:
>
> ldap_bind: Can't contact LDAP server (-1)
>
> additional info: TLS: hostname does not match CN in peer certificate
>
> this problem, is derivate that I configured the servers with one
> certificate and distinct CN for independent servers (fds1 and fds2)...
>
> if I config one same certificate with same CN (fds) for both nodes
> (fds1 and fds2).. work fine in the clients, but the replication don't
> work !!! :-(
>
> obs.: my certificates is sign in http://cacert.org
>
> any idea or suggestion ???
>
> thanks

--
Few people know what Einstein really discovered: when we eat spaghetti,
we are actually chewing a concentrate of space-time. (Antonino Zichichi)

------------------------------

Message: 3
Date: Wed, 3 Oct 2007 14:31:58 -0400
From: "lance raymond" <lance.raymond@xxxxxxxxx>
Subject: linux authentication though ds
To: fedora-directory-users@xxxxxxxxxx
Message-ID: <5d1656000710031131y6cc0c663jb6a930299f76bfbb@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Afternoon, I have been reading a lot on this and wish to see if I am on the right track. I wish to have all employees' login information be stored in DS, and authenticate through it. I have subscribed to the list a few days ago and the questions are pretty high level, so it does seem that people are using Fedora's version, so I guess for starters, is this possible?

I already have Fedora DS running, added a few people, but I didn't see too much on authenticating through DS.

Thanks ...
lr

------------------------------

Message: 4
Date: Wed, 3 Oct 2007 12:17:50 -0700
From: Richard Hesse <richard@xxxxxxxxxxxx>
Subject: RE: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4894671AAA@xxxxxxxxxxxxxxxxxxxxxxxxxxxxkonline.net>
Content-Type: text/plain; charset="us-ascii"

Do wildcard certs work with Fedora Directory Server? If they do, that will easily solve your problem. That or setting checkpeer to off.

-richard

-----Original Message-----
From: fedora-directory-users-bounces@xxxxxxxxxx [mailto:fedora-directory-users-bounces@xxxxxxxxxx] On Behalf Of Victor Hugo dos Santos
Sent: Wednesday, October 03, 2007 8:20 AM
To: General discussion list for the Fedora Directory server project.
Subject: problem with SSL and load balance

[Victor Hugo dos Santos's message, quoted in full in Message 2 above, snipped]

--
--
Victor Hugo dos Santos
Linux Counter #224399

------------------------------

Message: 5
Date: Wed, 03 Oct 2007 15:31:20 -0400
From: Jazcek Braden <jazcek@xxxxxxxxxxx>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <4703EE08.4020003@xxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Wildcard certs definitely work, that is the way that I have my load balanced installation set up. However, if you are trying to use self-signed certificates I think you have to make sure to set up the trust chain, but I am not sure.

--
Jazcek Braden

Richard Hesse wrote:
> [Richard Hesse's reply, Message 4 above, and the quoted message from Victor Hugo dos Santos snipped]
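The "hostname does not match CN in peer certificate" error in Messages 2, 4 and 5 comes down to how a TLS client compares the name it dialled (here fds.mydomain.com, the round-robin name) against the names the server certificate carries. The following Python is an added example, not code from the list or from Fedora Directory Server: the certificates are constructed in the code, and PeerCert, hostname_matches, _match_one and thread_scenarios are names chosen for this example. It applies the strict rule most current TLS clients use (subjectAltName dNSName entries decide when present; the CN is consulted only for a certificate that has no dNSName at all) together with the usual wildcard limits, so it shows why a per-node CN never satisfies clients using the shared name, why a shared CN satisfies clients but not a peer dialling fds1 (consistent with Victor's report that replication stopped working), why a certificate listing both fds and fds1 in the SAN, as Enrico suggests, satisfies both, and what a wildcard does and does not cover.

```python
"""Hostname checks against an X.509 server certificate, as a TLS client
(libldap among them) performs them. Added example with constructed
certificate data; nothing here is taken from Fedora DS or the thread."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Identity fields of a server certificate that matter for the check.
    `common_name` is the subject CN; `san_dns` holds the dNSName values of
    the subjectAltName extension (constructed here, not parsed from DER)."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def _match_one(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname the client dialled.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is honoured only as the whole left-most label and matches exactly one
    label, so "*.mydomain.com" covers "fds.mydomain.com" but neither
    "mydomain.com" nor "a.b.mydomain.com"; "*.com" and "f*.mydomain.com"
    are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: PeerCert, hostname: str) -> tuple[bool, str]:
    """Return (ok, reason). Strict rule of modern TLS clients: when the
    certificate carries dNSName entries only they are consulted; the CN
    is a fallback for certificates that have no dNSName at all."""
    if cert.san_dns:
        for name in cert.san_dns:
            if _match_one(name, hostname):
                return True, f"matched subjectAltName DNS:{name}"
        return False, "hostname does not match any subjectAltName dNSName"
    if _match_one(cert.common_name, hostname):
        return True, f"matched CN={cert.common_name}"
    return False, "hostname does not match CN in peer certificate"


def thread_scenarios() -> dict[str, bool]:
    """Replay the setups discussed on the list with constructed certificates.
    Clients connect to ldaps://fds.mydomain.com; replication peers connect
    to each node by its own name (fds1 / fds2)."""
    client_target = "fds.mydomain.com"
    per_node_cn = PeerCert(common_name="fds1.mydomain.com")
    shared_cn = PeerCert(common_name="fds.mydomain.com")
    with_san = PeerCert(common_name="fds1.mydomain.com",
                        san_dns=["fds.mydomain.com", "fds1.mydomain.com"])
    wildcard = PeerCert(common_name="*.mydomain.com", san_dns=["*.mydomain.com"])
    return {
        # distinct CN per node: the round-robin name never matches
        "per_node_cn_for_clients": hostname_matches(per_node_cn, client_target)[0],
        # same CN on both nodes: clients are fine, a peer dialling fds1 is not
        "shared_cn_for_clients": hostname_matches(shared_cn, client_target)[0],
        "shared_cn_for_replica_peer": hostname_matches(shared_cn, "fds1.mydomain.com")[0],
        # SAN listing both names satisfies clients and the replication peer
        "san_for_clients": hostname_matches(with_san, client_target)[0],
        "san_for_replica_peer": hostname_matches(with_san, "fds1.mydomain.com")[0],
        # wildcard covers every single-label host directly under mydomain.com
        "wildcard_for_clients": hostname_matches(wildcard, client_target)[0],
        "wildcard_for_replica_peer": hostname_matches(wildcard, "fds1.mydomain.com")[0],
    }


if __name__ == "__main__":
    for case, ok in thread_scenarios().items():
        print(f"{case:28s} {'OK' if ok else 'MISMATCH'}")
```

Note that the `TLS_REQCERT allow` line in Victor's ldap.conf is a downgrade rather than a fix: per ldap.conf(5), with `allow` a bad server certificate is ignored instead of rejected, and his error shows that the hostname check still fails under it. The remedy is a certificate whose names match every name clients and peers use, which is what the SAN (or a wildcard, with the single-label limit shown above) provides.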
------------------------------

Message: 6
Date: Wed, 03 Oct 2007 13:31:35 -0700
From: Marc Sauton <msauton@xxxxxxxxxx>
Subject: Re: linux authentication though ds
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <4703FC27.6030900@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

It depends what you want to do; there is some info in the howto section at:
http://directory.fedoraproject.org/wiki/Documentation#Howtos

Under "A series of articles about how to get the Directory Server working with other tools", you will find some links to articles, for example about pam, MTAs, file system, apache.

M.

lance raymond wrote:
> [lance raymond's question, Message 3 above, snipped]

------------------------------

Message: 7
Date: Wed, 03 Oct 2007 13:36:26 -0700
From: Marc Sauton <msauton@xxxxxxxxxx>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <4703FD4A.70907@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Just for info, there was a good contribution in
http://directory.fedoraproject.org/wiki/Howto:SSL#Using_Subject_Alt_Name

M.

Enrico M. V. Fasanelli wrote:
> [Enrico's reply, Message 2 above, and the quoted message from Victor Hugo dos Santos snipped]

------------------------------

Message: 8
Date: Wed, 03 Oct 2007 13:37:34 -0700
From: Marc Sauton <msauton@xxxxxxxxxx>
Subject: Re: problem with SSL and load balance
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <4703FD8E.4080108@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

See
http://directory.fedoraproject.org/wiki/Howto:SSL#Import_the_CA_cert_into_another_Fedora_DS

M.

Jazcek Braden wrote:
> [Jazcek Braden's reply, Message 5 above, snipped]

------------------------------

Message: 9
Date: Wed, 3 Oct 2007 09:26:58 -0700
From: "Clementous Clement" <Clementous.Clement@xxxxxxx>
Subject: Fedora-DS/netgroup configuration
To: <fedora-directory-users@xxxxxxxxxx>
Message-ID: <12C2BCDB3FA74D4E8E482325998611190277EF48@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hello Everyone,

I'm a newbie to configuring/deploying Fedora-DS. I've been lucky enough to complete the installation for Fedora-DS. I need a little guidance on setting up and configuring netgroups. I've located and researched the link below, but still can't get the feature to work. Any advice?

http://directory.fedoraproject.org/wiki/Howto:Netgroups

Thanks In Advance,

Clementous Clement
System Administrator
cclementous@xxxxxxxxx

------------------------------

Message: 10
Date: Thu, 04 Oct 2007 08:22:10 -0500
From: Steve Rigler <srigler@xxxxxxxxxxxxxxx>
Subject: Re: Fedora-DS/netgroup configuration
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <1191504130.4298.8.camel@houuc8>
Content-Type: text/plain

On Wed, 2007-10-03 at 09:26 -0700, Clementous Clement wrote:
> [Clementous Clement's question, Message 9 above, snipped]

What are you trying to accomplish with netgroups that isn't working?

-Steve

------------------------------

Message: 11
Date: Thu, 4 Oct 2007 09:25:33 -0500
From: "Glenn" <glenn@xxxxxxxxxxxxxx>
Subject: Re: RedHat 4/Fedora-DS - SSL Cert DB not readable?
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Message-ID: <20071004141907.M49775@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=iso-8859-1

Richard -

It has been months since I did this, and I don't remember each detail of the installation. I did not use the default server user ID; I changed it when given the opportunity during installation. Maybe this caused a permissions problem?

-Glenn.

---------- Original Message -----------
From: Richard Megginson <rmeggins@xxxxxxxxxx>
To: "General discussion list for the Fedora Directory server project." <fedora-directory-users@xxxxxxxxxx>
Sent: Wed, 03 Oct 2007 08:02:15 -0600
Subject: Re: RedHat 4/Fedora-DS - SSL Cert DB not readable?

> Glenn wrote:
> > Travis - I had this problem with new installations and clean
> > re-installations. The installation of Fedora Directory did not create
> > the certificate database. I solved it by creating the
> > appropriately-named certificate database in the correct location
> > using certutil. -Glenn.
>
> Is there any sort of pattern to when it does or does not create the
> key/cert databases? When the server starts up, it is supposed to
> create them if they are not there. This means that /opt/fedora-ds/alias
> must be writable by the server user id (default nobody).

------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

End of Fedora-directory-users Digest, Vol 29, Issue 5
*****************************************************
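Clem's question at the top of this thread, and Messages 9 and 10, concern the netgroup container in FDS and using netgroups, as with NIS, to let groups of users onto groups of hosts. The following Python is an added example, not code from the list, from Fedora Directory Server or from the Howto:Netgroups page: the LDIF (an ou=Netgroup container under dc=example,dc=com holding cn=webhosts, cn=webadmins and cn=webaccess) is constructed here, and parse_ldif, parse_triple, load_netgroups, innetgr and demo are names chosen for this example. It reads nisNetgroup entries and evaluates (host,user,domain) membership with the innetgr(3) semantics that nss_ldap and pam_access rely on: an empty field is a wildcard, "-" matches nothing, and memberNisNetgroup nests (the sample includes a deliberate cycle to show the lookup still terminates).

```python
"""LDAP netgroup (nisNetgroup) evaluation with innetgr(3) semantics.
Added example; the LDIF and all names below are constructed, not from the list."""
from __future__ import annotations

# Constructed sample: the ou=Netgroup container plus three netgroups; the
# webadmins -> webaccess -> webadmins references form a deliberate cycle.
SAMPLE_LDIF = """\
dn: ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Netgroup

dn: cn=webhosts,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: webhosts
nisNetgroupTriple: (web1.example.com,-,)
nisNetgroupTriple: (web2.example.com,-,)

dn: cn=webadmins,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: webadmins
nisNetgroupTriple: (,alice,)
nisNetgroupTriple: (,bob,)
memberNisNetgroup: webaccess

dn: cn=webaccess,ou=Netgroup,dc=example,dc=com
objectClass: top
objectClass: nisNetgroup
cn: webaccess
nisNetgroupTriple: (web1.example.com,carol,)
memberNisNetgroup: webadmins
"""

def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated 'attr: value' records (no folding, no base64)."""
    entries: dict[str, dict[str, list[str]]] = {}
    pending: list[str] = []
    for raw in text.splitlines() + [""]:            # trailing "" flushes the last entry
        if raw.strip() and not raw.startswith("#"):
            pending.append(raw)
        elif not raw.strip() and pending:
            entry: dict[str, list[str]] = {}
            for line in pending:
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
            entries[entry["dn"][0]] = entry
            pending = []
    return entries

def parse_triple(text: str) -> tuple[str, str, str]:
    """'(host,user,domain)' -> 3-tuple; empty field = wildcard, '-' = matches nothing."""
    body = text.strip()
    parts = [p.strip() for p in body[1:-1].split(",")] if body[:1] == "(" and body[-1:] == ")" else []
    if len(parts) != 3:
        raise ValueError(f"malformed nisNetgroupTriple: {text!r}")
    return parts[0], parts[1], parts[2]

def load_netgroups(entries: dict[str, dict[str, list[str]]]) -> dict[str, dict]:
    """Index nisNetgroup entries by cn as {"triples": [...], "members": [...]}."""
    groups: dict[str, dict] = {}
    for entry in entries.values():
        if "nisnetgroup" in (c.lower() for c in entry.get("objectclass", [])):
            groups[entry["cn"][0]] = {
                "triples": [parse_triple(t) for t in entry.get("nisnetgrouptriple", [])],
                "members": entry.get("membernisnetgroup", []),
            }
    return groups

def _field_ok(pattern: str, value: str | None) -> bool:
    """None from the caller leaves the field unconstrained; '' is a wildcard; '-' never matches."""
    return value is None or pattern == "" or (pattern != "-" and pattern.lower() == value.lower())

def innetgr(groups: dict[str, dict], name: str, host: str | None = None,
            user: str | None = None, domain: str | None = None,
            _seen: set[str] | None = None) -> bool:
    """True if (host, user, domain) matches a triple of `name` or of any netgroup
    reachable via memberNisNetgroup; unknown groups are empty, cycles are tolerated."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:
        return False
    seen.add(name)
    if any(_field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain)
           for h, u, d in groups[name]["triples"]):
        return True
    return any(innetgr(groups, m, host, user, domain, seen) for m in groups[name]["members"])

def demo() -> dict[str, bool]:
    """The decisions a pam_access rule such as '+ : @webaccess : ALL' would obtain."""
    groups = load_netgroups(parse_ldif(SAMPLE_LDIF))
    return {
        "alice_on_web1_via_nested_group": innetgr(groups, "webaccess", host="web1.example.com", user="alice"),
        "carol_on_web2": innetgr(groups, "webaccess", host="web2.example.com", user="carol"),
        "dave_anywhere": innetgr(groups, "webaccess", user="dave"),
        "web2_is_a_webhost": innetgr(groups, "webhosts", host="web2.example.com"),
        "dash_user_field_never_matches": innetgr(groups, "webhosts", host="web2.example.com", user="alice"),
        "cycle_terminates": innetgr(groups, "webadmins", user="dave"),
    }
```

On a real client the same data reaches the resolver through nss_ldap (its ldap.conf `nss_base_netgroup` pointed at the container) and a `netgroup: ldap` line in /etc/nsswitch.conf, after which `getent netgroup webaccess` shows the flattened triples and /etc/security/access.conf rules of the form `+ : @webaccess : ALL` (or `- : ALL : ALL` as the closing deny) make the host-by-host decision. The `-` user field on the webhosts triples is what keeps a host-only netgroup from accidentally granting every user access when it is referenced in a user rule.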