From rmeggins at redhat.com Fri Sep 1 02:51:09 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 31 Aug 2006 20:51:09 -0600
Subject: [Fedora-directory-users] LD_LIBRARY_PATH question
In-Reply-To: <9C0091F428E697439E7A773FFD0834270260D3@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD0834270260D3@szexchange.Shopzilla.inc>
Message-ID: <44F7A01D.2000709@redhat.com>

Philip Kime wrote:
> I've just built an LDAP dev server, the same as my prod servers.
> However, I can't start the console via HTTPS under X (no problems
> under Windows). I have the same libraries etc. on my dev box (copied
> from PROD, where it works, in fact). I get the "libnss3.so not found".
> This library is certainly in /opt/fedora-ds/shared/lib, where
> LD_LIBRARY_PATH points to in startconsole. I found out why it works on
> PROD but not on DEV - this is because /usr/lib/libnss3.so exists on
> PROD but not on DEV. HOWEVER - why is it looking in /usr/lib when
> LD_LIBRARY_PATH is set to look in /opt/fedora-ds/shared/lib? Here is
> the output on PROD, where it works:
Wow.  This is really strange.  When I do the same thing on my FDS 1.0.2
installation on FC5, LD_LIBRARY_PATH works.  Are you sure you exported
LD_LIBRARY_PATH?
Try this:
LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib ldd /opt/fedora-ds/lib/libjss3.so
>
> [root at hqldap01 ~]# echo $LD_LIBRARY_PATH
> /opt/fedora-ds/shared/lib
> [root at hqldap01 ~]# ldd /opt/fedora-ds/lib/libjss3.so
>         linux-gate.so.1 =>  (0xffffe000)
>         libnss3.so => /usr/lib/libnss3.so (0xf7f48000)
>         libsmime3.so => /usr/lib/libsmime3.so (0xf7f28000)
>         libssl3.so => /usr/lib/libssl3.so (0xf7f08000)
>         libplc4.so => /usr/lib/libplc4.so (0xf7f04000)
>         libplds4.so => /usr/lib/libplds4.so (0xf7f01000)
>         libnspr4.so => /usr/lib/libnspr4.so (0xf7ed0000)
>         libjvm.so => not found
>         libjava.so => not found
>         libc.so.6 => /lib/tls/libc.so.6 (0xf7da5000)
>         libsoftokn3.so => /usr/lib/libsoftokn3.so (0xf7d3f000)
>         libpthread.so.0 => /lib/tls/libpthread.so.0 (0xf7d2d000)
>         libdl.so.2 => /lib/libdl.so.2 (0xf7d28000)
>         /lib/ld-linux.so.2 (0x56555000)
>
> This upsets me as I assumed that it was using the nice new libnss3
> etc. libs from the fedora tree. LD_LIBRARY_PATH seems to be doing
> nothing at all. I can't see any SUID/SGID things in there which would
> disable LD_LIBRARY_PATH? On DEV, it doesn't work because:
>
> [root at ldapdev001 ~]# echo $LD_LIBRARY_PATH
> /opt/fedora-ds/shared/lib
> [root at ldapdev001 ~]# ldd /opt/fedora-ds/lib/libjss3.so
>         linux-gate.so.1 =>  (0xffffe000)
>         libnss3.so => not found
>         libsmime3.so => not found
>         libssl3.so => not found
>         libplc4.so => not found
>         libplds4.so => not found
>         libnspr4.so => not found
>         libjvm.so => not found
>         libjava.so => not found
>         libc.so.6 => /lib/tls/libc.so.6 (0xf7e4a000)
>         /lib/ld-linux.so.2 (0x56555000)
>
> Now I'm worried that my PROD servers are using older libraries by
> finding them in /usr/lib ...
>
> PK
>
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From brian.smith at worldpub.net Fri Sep 1 13:00:52 2006
From: brian.smith at worldpub.net (Brian Smith)
Date: Fri, 01 Sep 2006 09:00:52 -0400
Subject: [Fedora-directory-users] UserRoot Database disappeared
In-Reply-To: <98E55D6E1B3CFD43BDA59EEB56DD7D7232D1@sbs01.xiss.private>
References: <98E55D6E1B3CFD43BDA59EEB56DD7D7232D1@sbs01.xiss.private>
Message-ID: <44F82F04.5010400@worldpub.net>

Hello everybody,

I am running 2 fedora-ds servers that were using multi-master sync for my
userRoot.  Now on 1 of my servers the userRoot database is gone; I tried to
do a database restore, but that failed.  userRoot is missing in the admin
console under "configuration - data - dc=my,dc=domain", where on the good
server userRoot exists under that tree.  If I go under the Directory tab,
all I see is the server name and nothing under it.

Has anyone run into this issue?  I'm going to reinstall that server and
re-sync the database, but I'm wondering if anyone has any ideas that might
be a little easier to restore.

Brian

From pkime at Shopzilla.com Fri Sep 1 16:57:29 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 1 Sep 2006 09:57:29 -0700
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
Message-ID: <9C0091F428E697439E7A773FFD0834270260DD@szexchange.Shopzilla.inc>

Seems broken ...

[root at hqldap01 scripts]# ls -l /opt/fedora-ds/shared/lib/libnss3.so
-rwxr-xr-x  1 root root 679918 Aug 25 13:36 /opt/fedora-ds/shared/lib/libns33.so

[root at hqldap01 scripts]# LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib ldd /opt/fedora-ds/lib/libjss3.so
        linux-gate.so.1 =>  (0xffffe000)
        libnss3.so => /usr/lib/libnss3.so (0xf7f48000)
        libsmime3.so => /usr/lib/libsmime3.so (0xf7f28000)
        libssl3.so => /usr/lib/libssl3.so (0xf7f08000)
        libplc4.so => /usr/lib/libplc4.so (0xf7f04000)
        libplds4.so => /usr/lib/libplds4.so (0xf7f01000)
        libnspr4.so => /usr/lib/libnspr4.so (0xf7ed0000)
        libjvm.so => not found
        libjava.so => not found
        libc.so.6 => /lib/tls/libc.so.6 (0xf7da5000)
        libsoftokn3.so => /usr/lib/libsoftokn3.so (0xf7d3f000)
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0xf7d2d000)
        libdl.so.2 => /lib/libdl.so.2 (0xf7d28000)
        /lib/ld-linux.so.2 (0x56555000)

Nothing to do with the NSS/NSPR library update to fix the memory leaking?
Perhaps jss3 was compiled with the "ignore LD_LIBRARY_PATH" flag?

Hmm. I checked ns-slapd with ldd and this seems to have been compiled with
relative paths to the libs so it's ok.

PK

From rmeggins at redhat.com Fri Sep 1 17:30:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Sep 2006 11:30:57 -0600
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
In-Reply-To: <9C0091F428E697439E7A773FFD0834270260DD@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD0834270260DD@szexchange.Shopzilla.inc>
Message-ID: <44F86E51.8000700@redhat.com>

Philip Kime wrote:
> Seems broken ...
>
> [root at hqldap01 scripts]# ls -l /opt/fedora-ds/shared/lib/libnss3.so
> -rwxr-xr-x  1 root root 679918 Aug 25 13:36
> /opt/fedora-ds/shared/lib/libns33.so
>
> [root at hqldap01 scripts]# LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib ldd
> /opt/fedora-ds/lib/libjss3.so
>         linux-gate.so.1 =>  (0xffffe000)
>         libnss3.so => /usr/lib/libnss3.so (0xf7f48000)
>         libsmime3.so => /usr/lib/libsmime3.so (0xf7f28000)
>         libssl3.so => /usr/lib/libssl3.so (0xf7f08000)
>         libplc4.so => /usr/lib/libplc4.so (0xf7f04000)
>         libplds4.so => /usr/lib/libplds4.so (0xf7f01000)
>         libnspr4.so => /usr/lib/libnspr4.so (0xf7ed0000)
>         libjvm.so => not found
>         libjava.so => not found
>         libc.so.6 => /lib/tls/libc.so.6 (0xf7da5000)
>         libsoftokn3.so => /usr/lib/libsoftokn3.so (0xf7d3f000)
>         libpthread.so.0 => /lib/tls/libpthread.so.0 (0xf7d2d000)
>         libdl.so.2 => /lib/libdl.so.2 (0xf7d28000)
>         /lib/ld-linux.so.2 (0x56555000)
>
> Nothing to do with the NSS/NSPR library update to fix the memory
> leaking? Perhaps jss3 was compiled with the "ignore LD_LIBRARY_PATH"
> flag?
Perhaps.  Do an
ls -l /opt/fedora-ds/lib/libjss3.so
then do
md5sum /opt/fedora-ds/lib/libjss3.so
> Hmm. I checked ns-slapd with ldd and this seems to have been
> compiled with relative paths to the libs so it's ok.
>
> PK

From jnewby at highergear.com Fri Sep 1 21:01:53 2006
From: jnewby at highergear.com (James B Newby)
Date: Fri, 01 Sep 2006 16:01:53 -0500
Subject: [Fedora-directory-users] Chain on Update Problem
Message-ID: <44F89FC1.8070104@highergear.com>

Hello all,

I'm having a problem with my consumer's chain on update.  I have a setup
with two masters and one consumer.
Multi-master replication is working properly.  Changes made on either
master propagate to the other master and to the consumer.

Before setting up chaining, changes made on the consumer from the
directory console would be denied.  After setting up chaining per the
wiki entry: http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
changes could be made on the consumer through the directory console, but
would not propagate to the master.

I saw an e-mail with a similar problem in the December 2005 archive, but
didn't see any info in the replies that would help me.  I've tried setting
this up from scratch a couple times, but without success.  The responses
to ILoveJython's email in December suggested that certain entries be
pasted in, so I've included them below.

The following acl is included in dc=hg,dc=com:
(targetattr = "*")(version 3.0; acl "Proxied authorization for database
links";allow (proxy) (userdn = "ldap:///cn=Replication Manager, cn=config");)
Since multi-master replication is set up, this entry is present on all
three servers.

Any help would be appreciated!  Thanks!
-James

dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
cn: "dc=hg,dc=com"
cn: dc=hg,dc=com
nsslapd-backend: userRoot
nsslapd-backend: chainbe1
nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update

dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=hg,dc=com
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
cn: replica
nsDS5ReplicaId: 65535
nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
nsds5ReplicaChangeCount: 0
nsds5replicareapactive: 0

dn: cn=config,cn=chaining database,cn=plugins,cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nstransmittedcontrols: 2.16.840.1.113730.3.4.2
nstransmittedcontrols: 2.16.840.1.113730.3.4.9
nstransmittedcontrols: 1.2.840.113556.1.4.473
nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config
nspossiblechainingcomponents: cn=certificate-based authentication,cn=component
 s,cn=config
nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugin
 s,cn=config
nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config

dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: dc=hg,dc=com
nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com
 :1389/
nsmultiplexorbinddn: cn=Replication Manager, cn=config
nsmultiplexorcredentials: {DES}
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15

From pkime at Shopzilla.com Fri Sep 1 21:29:00 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 1 Sep 2006 14:29:00 -0700
Subject: [Fedora-directory-users] How to monitor replication?
Message-ID: <9C0091F428E697439E7A773FFD0834270260E0@szexchange.Shopzilla.inc>

Is there a good way to monitor whether there are replication problems? The
SNMP tables for this don't seem to populate with anything and the last
time I had a replication problem

"Can't acquire busy replica. Code 1"

There wasn't anything in the error logs.

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407

From rmeggins at redhat.com Fri Sep 1 21:39:02 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Sep 2006 15:39:02 -0600
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44F89FC1.8070104@highergear.com>
References: <44F89FC1.8070104@highergear.com>
Message-ID: <44F8A876.2010905@redhat.com>

James B Newby wrote:
> Hello all,
>
> I'm having a problem with my consumer's chain on update.  I have a
> setup with two masters and one consumer.  Multi-master replication is
> working properly.  Changes made on either master propagate to the
> other master and to the consumer.
>
> Before setting up chaining, changes made on the consumer from the
> directory console would be denied.
> After setting up chaining per the
> wiki entry:
> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
> changes could be made on the consumer through the directory console,
> but would not propagate to the master.
How are you testing/verifying the change doesn't get through?  Note that
if you make the change in the console, the console will not automatically
refresh.  I would first check the access log on the consumer to find the
ADD or MOD request, then see if that request made it to a master, then see
if the master rejected it and why.
>
> I saw an e-mail with a similar problem in the December 2005 archive,
> but didn't see any info in the replies that would help me.  I've tried
> setting this up from scratch a couple times, but without success.  The
> responses to ILoveJython's email in December suggested that certain
> entries be pasted in, so I've included them below.
>
> The following acl is included in dc=hg,dc=com:
> (targetattr = "*")(version 3.0; acl "Proxied authorization for
> database links";allow (proxy) (userdn = "ldap:///cn=Replication
> Manager, cn=config");)
> Since multi-master replication is set up, this entry is present on all
> three servers.
>
> Any help would be appreciated!  Thanks!
>
> -James
>
> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsMappingTree
> nsslapd-state: backend
> cn: "dc=hg,dc=com"
> cn: dc=hg,dc=com
> nsslapd-backend: userRoot
> nsslapd-backend: chainbe1
> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
> nsslapd-distribution-funct: repl_chain_on_update
>
> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
> objectClass: nsDS5Replica
> objectClass: top
> nsDS5ReplicaRoot: dc=hg,dc=com
> nsDS5ReplicaType: 2
> nsDS5Flags: 0
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
> cn: replica
> nsDS5ReplicaId: 65535
> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
> nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
> nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
> nsds5ReplicaChangeCount: 0
> nsds5replicareapactive: 0
>
> dn: cn=config,cn=chaining database,cn=plugins,cn=config
> cn: config
> objectClass: top
> objectClass: extensibleObject
> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
> nstransmittedcontrols: 1.2.840.113556.1.4.473
> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
> nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config
> nspossiblechainingcomponents: cn=certificate-based authentication,cn=component
>  s,cn=config
> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
> nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugin
>  s,cn=config
> nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config
>
> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsBackendInstance
> cn: chainbe1
> nsslapd-suffix: dc=hg,dc=com
> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com
>  :1389/
> nsmultiplexorbinddn: cn=Replication Manager, cn=config
> nsmultiplexorcredentials: {DES}
> nsbindconnectionslimit: 3
> nsoperationconnectionslimit: 20
> nsabandonedsearchcheckinterval: 1
> nsconcurrentbindlimit: 10
> nsconcurrentoperationslimit: 2
> nsproxiedauthorization: on
> nsconnectionlife: 0
> nsbindtimeout: 15
> nsreferralonscopedsearch: off
> nschecklocalaci: on
> nsbindretrylimit: 3
> nsslapd-sizelimit: 2000
> nsslapd-timelimit: 3600
> nshoplimit: 10
> nsmaxresponsedelay: 60
> nsmaxtestresponsedelay: 15
>

From rmeggins at redhat.com Fri Sep 1 21:41:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Sep 2006 15:41:52 -0600
Subject: [Fedora-directory-users] How to monitor replication?
In-Reply-To: <9C0091F428E697439E7A773FFD0834270260E0@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD0834270260E0@szexchange.Shopzilla.inc>
Message-ID: <44F8A920.8030104@redhat.com>

Philip Kime wrote:
> Is there a good way to monitor whether there are replication problems? The
> SNMP tables for this don't seem to populate with anything and the last
> time I had a replication problem
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1106144
>
> "Can't acquire busy replica. Code 1"
This is normal.  This can happen when two masters attempt to update the
same consumer at the same time.  One of them gets through, the other has
to wait.
>
> There wasn't anything in the error logs.
>
> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407

From jnewby at highergear.com Fri Sep 1 22:54:36 2006
From: jnewby at highergear.com (James B Newby)
Date: Fri, 01 Sep 2006 17:54:36 -0500
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44F8A876.2010905@redhat.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com>
Message-ID: <44F8BA2C.6070705@highergear.com>

I found the MOD line in the consumer's access log.  I saw no entry in the
master's access log regarding that entry.  It seems as if the request
doesn't make it to the master.  I can telnet into the ldap port on the
master from the consumer.

I installed Fedora Directory Server from fedora-ds-1.0.2-1.FC4.i386.opt.rpm
on all machines.  All three machines are Intel/CentOS 4.3.
-James

In the consumer's access log:

[01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
[01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
[01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 nentries=2 etime=0
[01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
[01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
[01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 nentries=0 etime=0
[01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
[01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
[01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
[01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 nentries=0 etime=0
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 nentries=1 etime=0 notes=U

Richard Megginson wrote:
> James B Newby wrote:
>> Hello all,
>>
>> I'm having a problem with my consumer's chain on update.  I have a
>> setup with two masters and one consumer.  Multi-master replication is
>> working properly.  Changes made on either master propagate to the
>> other master and to the consumer.
>>
>> Before setting up chaining, changes made on the consumer from the
>> directory console would be denied.  After setting up chaining per the
>> wiki entry:
>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
>> changes could be made on the consumer through the directory console,
>> but would not propagate to the master.
> How are you testing/verifying the change doesn't get through?
> Note that if you make the change in the console, the console will not
> automatically refresh.  I would first check the access log on the
> consumer to find the ADD or MOD request, then see if that request made
> it to a master, then see if the master rejected it and why.
>>
>> I saw an e-mail with a similar problem in the December 2005 archive,
>> but didn't see any info in the replies that would help me.  I've
>> tried setting this up from scratch a couple times, but without
>> success.  The responses to ILoveJython's email in December suggested
>> that certain entries be pasted in, so I've included them below.
>>
>> The following acl is included in dc=hg,dc=com:
>> (targetattr = "*")(version 3.0; acl "Proxied authorization for
>> database links";allow (proxy) (userdn = "ldap:///cn=Replication
>> Manager, cn=config");)
>> Since multi-master replication is set up, this entry is present on
>> all three servers.
>>
>> Any help would be appreciated!  Thanks!
>>
>> -James
>>
>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: nsMappingTree
>> nsslapd-state: backend
>> cn: "dc=hg,dc=com"
>> cn: dc=hg,dc=com
>> nsslapd-backend: userRoot
>> nsslapd-backend: chainbe1
>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
>> nsslapd-distribution-funct: repl_chain_on_update
>>
>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>> objectClass: nsDS5Replica
>> objectClass: top
>> nsDS5ReplicaRoot: dc=hg,dc=com
>> nsDS5ReplicaType: 2
>> nsDS5Flags: 0
>> nsds5ReplicaPurgeDelay: 604800
>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>> cn: replica
>> nsDS5ReplicaId: 65535
>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>> nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>> nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>> nsds5ReplicaChangeCount: 0
>> nsds5replicareapactive: 0
>>
>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>> cn: config
>> objectClass: top
>> objectClass: extensibleObject
>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>> nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config
>> nspossiblechainingcomponents: cn=certificate-based authentication,cn=component
>>  s,cn=config
>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
>> nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugin
>>  s,cn=config
>> nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config
>>
>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> objectClass: nsBackendInstance
>> cn: chainbe1
>> nsslapd-suffix: dc=hg,dc=com
>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com
>>  :1389/
>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>> nsmultiplexorcredentials: {DES}
>> nsbindconnectionslimit: 3
>> nsoperationconnectionslimit: 20
>> nsabandonedsearchcheckinterval: 1
>> nsconcurrentbindlimit: 10
>> nsconcurrentoperationslimit: 2
>> nsproxiedauthorization: on
>> nsconnectionlife: 0
>> nsbindtimeout: 15
>> nsreferralonscopedsearch: off
>> nschecklocalaci: on
>> nsbindretrylimit: 3
>> nsslapd-sizelimit: 2000
>> nsslapd-timelimit: 3600
>> nshoplimit: 10
>> nsmaxresponsedelay: 60
>> nsmaxtestresponsedelay: 15
>>
>

From rmeggins at redhat.com Fri Sep 1 23:01:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Sep 2006 17:01:08 -0600
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44F8BA2C.6070705@highergear.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com>
Message-ID: <44F8BBB4.2010306@redhat.com>

James B Newby wrote:
> I found the MOD line in the consumer's access log.  I saw no entry in
> the master's access log regarding that entry.  It seems as if the
> request doesn't make it to the master.  I can telnet into the ldap
> port on the master from the consumer.
>
> I installed Fedora Directory Server from
> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines.  All three
> machines are Intel/CentOS 4.3.
>
> -James
>
> In the consumer's access log:
> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 nentries=2 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 nentries=0 etime=0
> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 nentries=0 etime=0
> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
Weird.  It looks as though you added the entry to the local server, and
were able to search for it right away.  e.g. you search for uid=jhines,
and the server replies with err=0 and nentries=1.  Can you try the same
search from the ldapsearch command line?
>
>
> Richard Megginson wrote:
>> James B Newby wrote:
>>> Hello all,
>>>
>>> I'm having a problem with my consumer's chain on update.  I have a
>>> setup with two masters and one consumer.  Multi-master replication
>>> is working properly.  Changes made on either master propagate to the
>>> other master and to the consumer.
>>>
>>> Before setting up chaining, changes made on the consumer from the directory console would be denied. After setting up chaining per the wiki entry http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate, changes could be made on the consumer through the directory console, but would not propagate to the master.
>> How are you testing/verifying the change doesn't get through? Note that if you make the change in the console, the console will not automatically refresh. I would first check the access log on the consumer to find the ADD or MOD request, then see if that request made it to a master, then see if the master rejected it and why.
>>>
>>> I saw an e-mail with a similar problem in the December 2005 archive, but didn't see any info in the replies that would help me. I've tried setting this up from scratch a couple times, but without success. The responses to ILoveJython's email in December suggested that certain entries be pasted in, so I've included them below.
>>>
>>> The following acl is included in dc=hg,dc=com:
>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for database links";allow (proxy) (userdn = "ldap:///cn=Replication Manager, cn=config");)
>>> Since multi-master replication is set up, this entry is present on all three servers.
>>>
>>> Any help would be appreciated! Thanks!
>>>
>>> -James
>>>
>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: nsMappingTree
>>> nsslapd-state: backend
>>> cn: "dc=hg,dc=com"
>>> cn: dc=hg,dc=com
>>> nsslapd-backend: userRoot
>>> nsslapd-backend: chainbe1
>>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
>>> nsslapd-distribution-funct: repl_chain_on_update
>>>
>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>> objectClass: nsDS5Replica
>>> objectClass: top
>>> nsDS5ReplicaRoot: dc=hg,dc=com
>>> nsDS5ReplicaType: 2
>>> nsDS5Flags: 0
>>> nsds5ReplicaPurgeDelay: 604800
>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>>> cn: replica
>>> nsDS5ReplicaId: 65535
>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>>> nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>> nsds5ReplicaChangeCount: 0
>>> nsds5replicareapactive: 0
>>>
>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>> cn: config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>>> nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config
>>> nspossiblechainingcomponents: cn=certificate-based authentication,cn=components,cn=config
>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
>>> nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugins,cn=config
>>> nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config
>>>
>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> objectClass: nsBackendInstance
>>> cn: chainbe1
>>> nsslapd-suffix: dc=hg,dc=com
>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com:1389/
>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>>> nsmultiplexorcredentials: {DES}
>>> nsbindconnectionslimit: 3
>>> nsoperationconnectionslimit: 20
>>> nsabandonedsearchcheckinterval: 1
>>> nsconcurrentbindlimit: 10
>>> nsconcurrentoperationslimit: 2
>>> nsproxiedauthorization: on
>>> nsconnectionlife: 0
>>> nsbindtimeout: 15
>>> nsreferralonscopedsearch: off
>>> nschecklocalaci: on
>>> nsbindretrylimit: 3
>>> nsslapd-sizelimit: 2000
>>> nsslapd-timelimit: 3600
>>> nshoplimit: 10
>>> nsmaxresponsedelay: 60
>>> nsmaxtestresponsedelay: 15
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From pkime at Shopzilla.com Fri Sep 1 23:08:40 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 1 Sep 2006 16:08:40 -0700
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
Message-ID: <9C0091F428E697439E7A773FFD0834274358CB@szexchange.Shopzilla.inc>

> Perhaps. Do an ls -l /opt/fedora-ds/lib/libjss3.so then do md5sum /opt/fedora-ds/lib/libjss3.so

[root at hqldap01 ~]# ls -l /opt/fedora-ds/lib/libjss3.so
-rwxr-xr-x 1 root root 182804 Jul 27 14:45 /opt/fedora-ds/lib/libjss3.so

[root at hqldap01 ~]# md5sum /opt/fedora-ds/lib/libjss3.so
4e59a1243c27732dca9c367a9049e86a /opt/fedora-ds/lib/libjss3.so

From pkime at Shopzilla.com Fri Sep 1 23:16:54 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 1 Sep 2006 16:16:54 -0700
Subject: [Fedora-directory-users] Re: How to monitor replication?
Message-ID: <9C0091F428E697439E7A773FFD0834274358CD@szexchange.Shopzilla.inc>

> This is normal. This can happen when two masters attempt to update the same consumer at the same time. One of them gets through, the other has to wait.

Problem is, it was like this for two days and there is only one master updating it ... I didn't notice because I can't work out how to monitor replication. I restarted the replication target ns-slapd and it was fine thereafter.

PK

From jnewby at highergear.com Fri Sep 1 23:24:24 2006
From: jnewby at highergear.com (James B Newby)
Date: Fri, 01 Sep 2006 18:24:24 -0500
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44F8BBB4.2010306@redhat.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com>
Message-ID: <44F8C128.9020201@highergear.com>

Well actually the entry was already there; I just made a small change to one of the attributes on the consumer through the directory console.
I added a new entry on the consumer from the command line:

[root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
Enter bind password:
dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
telephoneNumber: 800-555-5555
userPassword:
cn: No Body
sn: Body
objectClass: hgperson
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: No
uid: nbody
mail: nbody at highergear.com
adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com

[root at ldap1 bin]#

Then I searched for that user on the consumer's command line:
[root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w - -h localhost -p 1389 uid=nbody
Enter bind password:
version: 1
dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
telephoneNumber: 800-555-5555
cn: No Body
sn: Body
objectClass: hgperson
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: No
uid: nbody
mail: nbody at highergear.com
userPassword: {SSHA}
[root at ldap1 bin]#

Here is what resulted in the access log of the consumer:
[01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
[01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" method=128 version=3
[01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
[01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
[01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
[01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
[01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" method=128 version=3
[01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
[01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" scope=2 filter="(uid=nbody)" attrs=ALL
[01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND
[01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1

I then searched for that new entry in the Directory Console and the following log entries resulted:
[01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH base="ou=people,o=thgg,dc=hg,dc=com" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
[01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn (196)
[01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 nentries=196 etime=0 notes=U
[01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
[01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
[01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 nentries=2 etime=0
[01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
[01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
[01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 nentries=0 etime=0
[01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
[01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
[01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL

-James

Richard Megginson wrote:
> James B Newby wrote:
>> I found the MOD line in the consumer's access log. I saw no entry in the master's access log regarding that entry. It seems as if the request doesn't make it to the master. I can telnet into the ldap port on the master from the consumer.
>>
>> I installed Fedora Directory Server from fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three machines are Intel/CentOS 4.3.
>>
>> -James
>>
>> In the consumer's access log:
>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1 etime=0
>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1 etime=0
>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 nentries=2 etime=0
>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 nentries=1 etime=0
>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 nentries=0 etime=0
>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 nentries=1 etime=0
>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 nentries=1 etime=0
>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 nentries=1 etime=0
>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 nentries=0 etime=0
>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
> Weird. It looks as though you added the entry to the local server, and were able to search for it right away. e.g. you search for uid=jhines, and the server replies with err=0 and nentries=1. Can you try the same search from the ldapsearch command line?
>>
>>
>> Richard Megginson wrote:
>>> James B Newby wrote:
>>>> Hello all,
>>>>
>>>> I'm having a problem with my consumer's chain on update. I have a setup with two masters and one consumer. Multi-master replication is working properly. Changes made on either master propagate to the other master and to the consumer.
>>>>
>>>> Before setting up chaining, changes made on the consumer from the directory console would be denied. After setting up chaining per the wiki entry http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate, changes could be made on the consumer through the directory console, but would not propagate to the master.
>>> How are you testing/verifying the change doesn't get through? Note that if you make the change in the console, the console will not automatically refresh. I would first check the access log on the consumer to find the ADD or MOD request, then see if that request made it to a master, then see if the master rejected it and why.
>>>>
>>>> I saw an e-mail with a similar problem in the December 2005 archive, but didn't see any info in the replies that would help me. I've tried setting this up from scratch a couple times, but without success. The responses to ILoveJython's email in December suggested that certain entries be pasted in, so I've included them below.
>>>>
>>>> The following acl is included in dc=hg,dc=com:
>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for database links";allow (proxy) (userdn = "ldap:///cn=Replication Manager, cn=config");)
>>>> Since multi-master replication is set up, this entry is present on all three servers.
>>>>
>>>> Any help would be appreciated! Thanks!
>>>>
>>>> -James
>>>>
>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> objectClass: nsMappingTree
>>>> nsslapd-state: backend
>>>> cn: "dc=hg,dc=com"
>>>> cn: dc=hg,dc=com
>>>> nsslapd-backend: userRoot
>>>> nsslapd-backend: chainbe1
>>>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
>>>> nsslapd-distribution-funct: repl_chain_on_update
>>>>
>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>> objectClass: nsDS5Replica
>>>> objectClass: top
>>>> nsDS5ReplicaRoot: dc=hg,dc=com
>>>> nsDS5ReplicaType: 2
>>>> nsDS5Flags: 0
>>>> nsds5ReplicaPurgeDelay: 604800
>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>>>> cn: replica
>>>> nsDS5ReplicaId: 65535
>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>>>> nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>> nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>> nsds5ReplicaChangeCount: 0
>>>> nsds5replicareapactive: 0
>>>>
>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>> cn: config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>>>> nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config
>>>> nspossiblechainingcomponents: cn=certificate-based authentication,cn=components,cn=config
>>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
>>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
>>>> nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugins,cn=config
>>>> nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config
>>>>
>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> objectClass: nsBackendInstance
>>>> cn: chainbe1
>>>> nsslapd-suffix: dc=hg,dc=com
>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com:1389/
>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>>>> nsmultiplexorcredentials: {DES}
>>>> nsbindconnectionslimit: 3
>>>> nsoperationconnectionslimit: 20
>>>> nsabandonedsearchcheckinterval: 1
>>>> nsconcurrentbindlimit: 10
>>>> nsconcurrentoperationslimit: 2
>>>> nsproxiedauthorization: on
>>>> nsconnectionlife: 0
>>>> nsbindtimeout: 15
>>>> nsreferralonscopedsearch: off
>>>> nschecklocalaci: on
>>>> nsbindretrylimit: 3
>>>> nsslapd-sizelimit: 2000
>>>> nsslapd-timelimit: 3600
>>>> nshoplimit: 10
>>>> nsmaxresponsedelay: 60
>>>> nsmaxtestresponsedelay: 15
>>>>

From rmeggins at redhat.com Sat Sep 2 03:11:06 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Sep 2006 21:11:06 -0600
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
In-Reply-To: <9C0091F428E697439E7A773FFD0834274358CB@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD0834274358CB@szexchange.Shopzilla.inc>
Message-ID: <44F8F64A.30908@redhat.com>

Philip Kime wrote:
>> Perhaps. Do an ls -l /opt/fedora-ds/lib/libjss3.so then do md5sum /opt/fedora-ds/lib/libjss3.so
>
> [root at hqldap01 ~]# ls -l /opt/fedora-ds/lib/libjss3.so
> -rwxr-xr-x 1 root root 182804 Jul 27 14:45 /opt/fedora-ds/lib/libjss3.so
>
> [root at hqldap01 ~]# md5sum /opt/fedora-ds/lib/libjss3.so
> 4e59a1243c27732dca9c367a9049e86a /opt/fedora-ds/lib/libjss3.so
>
What version of fedora ds is this? Here are the md5sums for the libjss3.so (optimized) included with Fedora DS 1.0.2:
8263a134c02b380c730d97c141918c4d RHEL3_x86_gcc3_OPT.OBJ/lib/libjss3.so (Fedora Core 2)
2226b0c12f1dec5c88158ad860e40208 RHEL4_x86_gcc3_OPT.OBJ/lib/libjss3.so (Fedora Core 3/4/5, RHEL4 i386)
2098364ec91d9b354e9086806852ae5d RHEL4_x86_64_gcc3_OPT.OBJ/lib/libjss3.so (Fedora Core 3/4/5, RHEL4 x86_64)

From rmeggins at redhat.com Sat Sep 2 03:12:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Sep 2006 21:12:54 -0600
Subject: [Fedora-directory-users] Re: How to monitor replication?
In-Reply-To: <9C0091F428E697439E7A773FFD0834274358CD@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD0834274358CD@szexchange.Shopzilla.inc>
Message-ID: <44F8F6B6.70509@redhat.com>

Philip Kime wrote:
>> This is normal. This can happen when two masters attempt to update the same consumer at the same time. One of them gets through, the other has to wait.
>
> Problem is, it was like this for two days and there is only one master updating it ...
>
It's possible that can happen as well. When this happens, usually changes are propagated to the consumer through the master anyway, since that master is receiving updates from the other master(s).
> I didn't notice because I can't work out how to monitor replication. I restarted the replication target ns-slapd and it was fine thereafter.
>
Did the replication monitor documentation help at all?
> PK
>

From rmeggins at redhat.com Sat Sep 2 03:24:50 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 01 Sep 2006 21:24:50 -0600
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44F8C128.9020201@highergear.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com> <44F8C128.9020201@highergear.com>
Message-ID: <44F8F982.4000305@redhat.com>

James B Newby wrote:
> Well actually the entry was already there; I just made a small change to one of the attributes on the consumer through the directory console.
>
> I added a new entry on the consumer from the command line:
>
> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
> Enter bind password:
> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
> telephoneNumber: 800-555-5555
> userPassword:
> cn: No Body
> sn: Body
> objectClass: hgperson
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> givenName: No
> uid: nbody
> mail: nbody at highergear.com
> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>
> [root at ldap1 bin]#
>
> Then I searched for that user on the consumer's command line:
> [root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w - -h localhost -p 1389 uid=nbody
> Enter bind password:
> version: 1
> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
> telephoneNumber: 800-555-5555
> cn: No Body
> sn: Body
> objectClass: hgperson
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> givenName: No
> uid: nbody
> mail: nbody at highergear.com
> userPassword: {SSHA}
> [root at ldap1 bin]#
>
> Here is what resulted in the access log of the consumer:
> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" method=128 version=3
> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com"
> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0
> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" method=128 version=3
> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" scope=2 filter="(uid=nbody)" attrs=ALL
> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND
> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1
So it appears to be working?
>
> I then searched for that new entry in the Directory Console and the following log entries resulted:
> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH base="ou=people,o=thgg,dc=hg,dc=com" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn (196)
> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 nentries=196 etime=0 notes=U
> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 nentries=2 etime=0
> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 nentries=0 etime=0
> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 nentries=1 etime=0
> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
This appears to be working also?
>
> -James
>
> Richard Megginson wrote:
>> James B Newby wrote:
>>> I found the MOD line in the consumer's access log. I saw no entry in the master's access log regarding that entry. It seems as if the request doesn't make it to the master. I can telnet into the ldap port on the master from the consumer.
>>>
>>> I installed Fedora Directory Server from fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three machines are Intel/CentOS 4.3.
>>>
>>> -James
>>>
>>> In the consumer's access log:
>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1 etime=0
>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1 etime=0
>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 nentries=2 etime=0
>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 nentries=1 etime=0
>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 nentries=0 etime=0
>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 nentries=1 etime=0
>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 nentries=1 etime=0
>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 nentries=1 etime=0
>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 nentries=0 etime=0
>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
>> Weird. It looks as though you added the entry to the local server, and were able to search for it right away. e.g. you search for uid=jhines, and the server replies with err=0 and nentries=1. Can you try the same search from the ldapsearch command line?
>>>
>>>
>>> Richard Megginson wrote:
>>>> James B Newby wrote:
>>>>> Hello all,
>>>>>
>>>>> I'm having a problem with my consumer's chain on update. I have a setup with two masters and one consumer. Multi-master replication is working properly.
Changes made on either master propagate to >>>>> the other master and to the consumer. >>>>> >>>>> Before setting up chaining, changes made on the consumer from the >>>>> directory console would be denied. After setting up chaining per >>>>> the wiki entry: >>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate , >>>>> changes could be made on the consumer through the directory >>>>> console, but would not propagate to the master. >>>> How are you testing/verifying the change doesn't get through? Note >>>> that if you make the change in the console, the console will not >>>> automatically refresh. I would first check the access log on the >>>> consumer to find the ADD or MOD request, then see if that request >>>> made it to a master, then see if the master rejected it and why. >>>>> >>>>> I saw an e-mail with a similar problem in the December 2005 >>>>> archive, but didn't see any info in the replies that would help >>>>> me. I've tried setting this up from scratch a couple times, but >>>>> without success. The responses to ILoveJython's email in December >>>>> suggested that certain entries be pasted in, so I've included them >>>>> below. >>>>> >>>>> The following acl is included in dc=hg,dc=com: >>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for >>>>> database links";allow (proxy) (userdn = "ldap:///cn=Replication >>>>> Manager, cn=config");) >>>>> Since multi-master replication is set up, this entry is present on >>>>> all three servers. >>>>> >>>>> Any help would be appreciated! Thanks! 
>>>>> >>>>> -James >>>>> >>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>> objectClass: top >>>>> objectClass: extensibleObject >>>>> objectClass: nsMappingTree >>>>> nsslapd-state: backend >>>>> cn: "dc=hg,dc=com" >>>>> cn: dc=hg,dc=com >>>>> nsslapd-backend: userRoot >>>>> nsslapd-backend: chainbe1 >>>>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so >>>>> nsslapd-distribution-funct: repl_chain_on_update >>>>> >>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>> objectClass: nsDS5Replica >>>>> objectClass: top >>>>> nsDS5ReplicaRoot: dc=hg,dc=com >>>>> nsDS5ReplicaType: 2 >>>>> nsDS5Flags: 0 >>>>> nsds5ReplicaPurgeDelay: 604800 >>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config >>>>> cn: replica >>>>> nsDS5ReplicaId: 65535 >>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA= >>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000 >>>>> nsDS5ReplicaReferral: >>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>> nsDS5ReplicaReferral: >>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>> nsds5ReplicaChangeCount: 0 >>>>> nsds5replicareapactive: 0 >>>>> >>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config >>>>> cn: config >>>>> objectClass: top >>>>> objectClass: extensibleObject >>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2 >>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9 >>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473 >>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12 >>>>> nspossiblechainingcomponents: cn=resource >>>>> limits,cn=components,cn=config >>>>> nspossiblechainingcomponents: cn=certificate-based >>>>> authentication,cn=component >>>>> s,cn=config >>>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config >>>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config >>>>> 
nspossiblechainingcomponents: cn=referential integrity >>>>> postoperation,cn=plugin >>>>> s,cn=config >>>>> nspossiblechainingcomponents: cn=attribute >>>>> uniqueness,cn=plugins,cn=config >>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config >>>>> objectClass: top >>>>> objectClass: extensibleObject >>>>> objectClass: nsBackendInstance >>>>> cn: chainbe1 >>>>> nsslapd-suffix: dc=hg,dc=com >>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 >>>>> ldap2.mw1.highergear.com >>>>> :1389/ >>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config >>>>> nsmultiplexorcredentials: {DES} >>>>> nsbindconnectionslimit: 3 >>>>> nsoperationconnectionslimit: 20 >>>>> nsabandonedsearchcheckinterval: 1 >>>>> nsconcurrentbindlimit: 10 >>>>> nsconcurrentoperationslimit: 2 >>>>> nsproxiedauthorization: on >>>>> nsconnectionlife: 0 >>>>> nsbindtimeout: 15 >>>>> nsreferralonscopedsearch: off >>>>> nschecklocalaci: on >>>>> nsbindretrylimit: 3 >>>>> nsslapd-sizelimit: 2000 >>>>> nsslapd-timelimit: 3600 >>>>> nshoplimit: 10 >>>>> nsmaxresponsedelay: 60 >>>>> nsmaxtestresponsedelay: 15 >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com 
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From pkime at Shopzilla.com Sat Sep 2 06:34:37 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 1 Sep 2006 23:34:37 -0700
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
Message-ID: <9C0091F428E697439E7A773FFD0834274358D0@szexchange.Shopzilla.inc>

> What version of fedora ds is this?

fedora-ds-1.0.2-1.RHEL4 installed from fedora-ds-1.0.2-1.RHEL4.x86_64.opt.rpm
Downloaded from http://directory.fedora.redhat.com/wiki/Download

From pkime at Shopzilla.com Sat Sep 2 06:42:54 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Fri, 1 Sep 2006 23:42:54 -0700
Subject: [Fedora-directory-users] Re: How to monitor replication?
Message-ID: <9C0091F428E697439E7A773FFD0834274358D1@szexchange.Shopzilla.inc>

> It's possible that can happen as well. When this happens, usually changes are
> propagated to the consumer through the master anyway, since that master is receiving
> updates from the other master(s).

I wonder if it is because we had a network blip between sites and there was an update/lock at the time, so when the network came back up and the master tried to send updates, there was already a stale lock? It's actually multi-master replication - there are two masters and it's one of the masters which did this.

> Did the replication monitor documentation help at all?

The documentation on the repl-monitor script wasn't detailed enough perhaps? I tried getting this to work but couldn't. I tried every setting in the config file I could to no avail. It seems to be hard-coded to port 389 and I am running SSL (well, TLS). In any case, I really need something like SNMP alerts when there are replication problems. I suppose I can look for the string "NSMMReplicationPlugin" in the error log ...
PK

From jnewby at highergear.com Sun Sep 3 20:46:45 2006
From: jnewby at highergear.com (James B Newby)
Date: Sun, 03 Sep 2006 15:46:45 -0500
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44F8F982.4000305@redhat.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com> <44F8C128.9020201@highergear.com> <44F8F982.4000305@redhat.com>
Message-ID: <44FB3F35.7010709@highergear.com>

Yes. I can add or modify entries on the consumer with update chaining set up, but those changes do not propagate to the master. If I search on the master for the entry created on the consumer:

[root at ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=nbody
Enter bind password:
[root at ldap1-mw1 bin]$

It's not there. As I said in an earlier message, I've followed the instructions in the Chain on Update HOWTO, but I can't get it to work. I've reviewed the Administrator Guide as well as searching the Internet for an answer, but no luck.

Richard Megginson wrote:
> James B Newby wrote:
>> Well actually the entry was already there; I just made a small change
>> to one of the attributes on the consumer through the directory console.
>> >> I added a new entry on the consumer from the command line: >> >> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p >> 1389 >> Enter bind password: >> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com >> telephoneNumber: 800-555-5555 >> userPassword: >> cn: No Body >> sn: Body >> objectClass: hgperson >> objectClass: inetorgperson >> objectClass: organizationalPerson >> objectClass: person >> objectClass: top >> givenName: No >> uid: nbody >> mail: nbody at highergear.com >> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com >> >> [root at ldap1 bin]# >> >> Then I searched for that user on the consumer's command line: >> [root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w - >> -h localhost -p 1389 uid=nbody >> Enter bind password: >> version: 1 >> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com >> telephoneNumber: 800-555-5555 >> cn: No Body >> sn: Body >> objectClass: hgperson >> objectClass: inetorgperson >> objectClass: organizationalPerson >> objectClass: person >> objectClass: top >> givenName: No >> uid: nbody >> mail: nbody at highergear.com >> userPassword: {SSHA} >> [root at ldap1 bin]# >> >> Here is what resulted in the access log of the consumer: >> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from >> 127.0.0.1 to 127.0.0.1 >> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" >> method=128 version=3 >> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 >> nentries=0 etime=0 dn="cn=manager" >> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD >> dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" >> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 >> nentries=0 etime=0 >> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND >> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1 >> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from >> 127.0.0.1 to 127.0.0.1 >> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" >> method=128 version=3 >> 
[01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 >> nentries=0 etime=0 dn="cn=manager" >> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" >> scope=2 filter="(uid=nbody)" attrs=ALL >> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND >> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1 > So it appears to be working? >> >> I then searched for that new entry in the Directory Console and the >> following log entries resulted: >> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH >> base="ou=people,o=thgg,dc=hg,dc=com" scope=1 >> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >> attrs="objectClass numSubordinates ref aci" >> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn >> (196) >> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 >> nentries=196 etime=0 notes=U >> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH >> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole >> nsRoleDN objectClass nsAccountLock" >> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 >> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" >> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm >> database, cn=plugins, cn=config" scope=2 >> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix >> nsBackendSuffix" >> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 >> nentries=2 etime=0 >> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 >> filter="(objectClass=*)" attrs="nsBackendSuffix" >> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH 
base="cn=MCC uid=nbody >> ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, >> cn=plugins, cn=config" scope=0 >> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" >> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 >> nentries=0 etime=0 >> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH >> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >> attrs="numSubordinates nscpEntryDN subschemaSubentry >> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >> nsAIMStatusText passwordExpirationTime nsBackendSuffix >> hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned >> nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic >> dncomp nsTimeLimit passwordHistory retryCountResetTime >> passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom >> nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime >> passwordRetryCount nsUniqueId nsSchemaCSN creatorsName >> nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp >> nsLookThroughLimit *" >> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH >> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >> filter="(objectClass=*)" attrs="*" >> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 >> nentries=1 etime=0 >> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH >> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL > This appears to be working also? >> >> -James >> >> Richard Megginson wrote: >>> James B Newby wrote: >>>> I found the MOD line in the consumer's access log. I saw no entry >>>> in the master's access log regarding that entry. It seems as if >>>> the request doesn't make it to the master. I can telnet into the >>>> ldap port on the master from the consumer. 
>>>> >>>> I installed Fedora Directory Server from >>>> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three >>>> machines are Intel/CentOS 4.3. >>>> >>>> -James >>>> >>>> In the consumer's access log: >>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH >>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole >>>> nsRoleDN objectClass nsAccountLock" >>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" >>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm >>>> database, cn=plugins, cn=config" scope=2 >>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix >>>> nsBackendSuffix" >>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 >>>> nentries=2 etime=0 >>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="nsBackendSuffix" >>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC >>>> uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm >>>> database, cn=plugins, cn=config" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" >>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 >>>> nentries=0 etime=0 >>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH >>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>> attrs="numSubordinates nscpEntryDN subschemaSubentry >>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix >>>> hasSubordinates nsRole nsRoleDN 
accountUnlockTime passwordExpWarned >>>> nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas >>>> nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory >>>> retryCountResetTime passwordAllowChangeTime aci entryid >>>> nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict >>>> modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId >>>> nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry >>>> ldapSyntaxes createTimestamp nsLookThroughLimit *" >>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH >>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(objectClass=*)" attrs="*" >>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH >>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL >>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD >>>> dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" >>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 >>>> nentries=0 etime=0 >>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH >>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>> attrs="objectClass numSubordinates ref aci" >>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn >>>> (1) >>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 >>>> nentries=1 etime=0 notes=U >>> Weird. It looks as though you added the entry to the local server, >>> and were able to search for it right away. e.g. you search for >>> uid=jhines, and the server replies with err=0 and nentries=1. Can >>> you try the same search from the ldapsearch command line? 
>>>> >>>> >>>> Richard Megginson wrote: >>>>> James B Newby wrote: >>>>>> Hello all, >>>>>> >>>>>> I'm having a problem with my consumer's chain on update. I have >>>>>> a setup with two masters and one consumer. Multi-master >>>>>> replication is working properly. Changes made on either master >>>>>> propagate to the other master and to the consumer. >>>>>> >>>>>> Before setting up chaining, changes made on the consumer from the >>>>>> directory console would be denied. After setting up chaining per >>>>>> the wiki entry: >>>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate , >>>>>> changes could be made on the consumer through the directory >>>>>> console, but would not propagate to the master. >>>>> How are you testing/verifying the change doesn't get through? >>>>> Note that if you make the change in the console, the console will >>>>> not automatically refresh. I would first check the access log on >>>>> the consumer to find the ADD or MOD request, then see if that >>>>> request made it to a master, then see if the master rejected it >>>>> and why. >>>>>> >>>>>> I saw an e-mail with a similar problem in the December 2005 >>>>>> archive, but didn't see any info in the replies that would help >>>>>> me. I've tried setting this up from scratch a couple times, but >>>>>> without success. The responses to ILoveJython's email in >>>>>> December suggested that certain entries be pasted in, so I've >>>>>> included them below. >>>>>> >>>>>> The following acl is included in dc=hg,dc=com: >>>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for >>>>>> database links";allow (proxy) (userdn = "ldap:///cn=Replication >>>>>> Manager, cn=config");) >>>>>> Since multi-master replication is set up, this entry is present >>>>>> on all three servers. >>>>>> >>>>>> Any help would be appreciated! Thanks! 
>>>>>> >>>>>> -James >>>>>> >>>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>> objectClass: top >>>>>> objectClass: extensibleObject >>>>>> objectClass: nsMappingTree >>>>>> nsslapd-state: backend >>>>>> cn: "dc=hg,dc=com" >>>>>> cn: dc=hg,dc=com >>>>>> nsslapd-backend: userRoot >>>>>> nsslapd-backend: chainbe1 >>>>>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>> nsslapd-distribution-plugin: >>>>>> /opt/fedora-ds/lib/replication-plugin.so >>>>>> nsslapd-distribution-funct: repl_chain_on_update >>>>>> >>>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>> objectClass: nsDS5Replica >>>>>> objectClass: top >>>>>> nsDS5ReplicaRoot: dc=hg,dc=com >>>>>> nsDS5ReplicaType: 2 >>>>>> nsDS5Flags: 0 >>>>>> nsds5ReplicaPurgeDelay: 604800 >>>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config >>>>>> cn: replica >>>>>> nsDS5ReplicaId: 65535 >>>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA= >>>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000 >>>>>> nsDS5ReplicaReferral: >>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>> nsDS5ReplicaReferral: >>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>> nsds5ReplicaChangeCount: 0 >>>>>> nsds5replicareapactive: 0 >>>>>> >>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config >>>>>> cn: config >>>>>> objectClass: top >>>>>> objectClass: extensibleObject >>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2 >>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9 >>>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473 >>>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12 >>>>>> nspossiblechainingcomponents: cn=resource >>>>>> limits,cn=components,cn=config >>>>>> nspossiblechainingcomponents: cn=certificate-based >>>>>> authentication,cn=component >>>>>> s,cn=config >>>>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config >>>>>> nspossiblechainingcomponents: 
cn=old plugin,cn=plugins,cn=config >>>>>> nspossiblechainingcomponents: cn=referential integrity >>>>>> postoperation,cn=plugin >>>>>> s,cn=config >>>>>> nspossiblechainingcomponents: cn=attribute >>>>>> uniqueness,cn=plugins,cn=config >>>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config >>>>>> objectClass: top >>>>>> objectClass: extensibleObject >>>>>> objectClass: nsBackendInstance >>>>>> cn: chainbe1 >>>>>> nsslapd-suffix: dc=hg,dc=com >>>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 >>>>>> ldap2.mw1.highergear.com >>>>>> :1389/ >>>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config >>>>>> nsmultiplexorcredentials: {DES} >>>>>> nsbindconnectionslimit: 3 >>>>>> nsoperationconnectionslimit: 20 >>>>>> nsabandonedsearchcheckinterval: 1 >>>>>> nsconcurrentbindlimit: 10 >>>>>> nsconcurrentoperationslimit: 2 >>>>>> nsproxiedauthorization: on >>>>>> nsconnectionlife: 0 >>>>>> nsbindtimeout: 15 >>>>>> nsreferralonscopedsearch: off >>>>>> nschecklocalaci: on >>>>>> nsbindretrylimit: 3 >>>>>> nsslapd-sizelimit: 2000 >>>>>> nsslapd-timelimit: 3600 >>>>>> nshoplimit: 10 >>>>>> nsmaxresponsedelay: 60 >>>>>> nsmaxtestresponsedelay: 15 >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> ------------------------------------------------------------------------ >>> >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> 
https://www.redhat.com/mailman/listinfo/fedora-directory-users

From bmathieu at siris.sorbonne.fr Tue Sep 5 11:26:52 2006
From: bmathieu at siris.sorbonne.fr (basile)
Date: Tue, 05 Sep 2006 13:26:52 +0200
Subject: [Fedora-directory-users] scheduled backup
Message-ID: <44FD5EFC.4020005@siris.sorbonne.fr>

hi
is it possible to schedule backup through fedora console
thanks
basile

From rmeggins at redhat.com Tue Sep 5 14:49:51 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Sep 2006 08:49:51 -0600
Subject: [Fedora-directory-users] scheduled backup
In-Reply-To: <44FD5EFC.4020005@siris.sorbonne.fr>
References: <44FD5EFC.4020005@siris.sorbonne.fr>
Message-ID: <44FD8E8F.2040507@redhat.com>

basile wrote:
> hi
> is it possible to schedule backup through fedora console

No. I guess the usual way to do this is to set up a cron script.

> thanks
> basile
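The consumer-side check Richard describes earlier in the chain-on-update thread (find the ADD or MOD in the consumer's access log, then see whether it reached a master and whether the master rejected it), written out as an added example that is not code from the list or from Fedora Directory Server: it pairs each write with its RESULT by conn/op, looks for the same write on a master, and reports whether it was forwarded, rejected there, answered with a referral, or accepted locally without ever reaching the master. It assumes the access-log line format quoted in the thread and matches entries by lowercased DN only; every log line below is constructed.

```python
"""Correlate writes in a Fedora DS consumer access log with a master's access log (added example)."""
import re

# Constructed sample lines in the access-log format quoted in the thread. The suffix is
# the thread's, but connections, timestamps, codes and outcomes are made up.
CONSUMER_LOG = """\
[01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" method=128 version=3
[01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
[01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
[01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
[01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" scope=2 filter="(uid=nbody)" attrs=ALL
[01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2006:18:25:03 -0500] conn=6 op=2 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:18:25:03 -0500] conn=6 op=2 RESULT err=0 tag=103 nentries=0 etime=0
[01/Sep/2006:18:30:10 -0500] conn=7 op=1 MOD dn="uid=asmith,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:18:30:10 -0500] conn=7 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[01/Sep/2006:18:31:00 -0500] conn=8 op=1 DEL dn="uid=old,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:18:31:00 -0500] conn=8 op=1 RESULT err=0 tag=107 nentries=0 etime=0
"""

# Constructed master-side sample: a chained write arrives bound as the chaining backend's
# nsmultiplexorbinddn (the Replication Manager in the thread's configuration).
MASTER_LOG = """\
[01/Sep/2006:18:25:03 -0500] conn=12 op=0 BIND dn="cn=Replication Manager,cn=config" method=128 version=3
[01/Sep/2006:18:25:03 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[01/Sep/2006:18:25:03 -0500] conn=12 op=1 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:18:25:03 -0500] conn=12 op=1 RESULT err=0 tag=103 nentries=0 etime=0
[01/Sep/2006:18:31:00 -0500] conn=12 op=2 DEL dn="uid=old,ou=people,o=thgg,dc=hg,dc=com"
[01/Sep/2006:18:31:00 -0500] conn=12 op=2 RESULT err=50 tag=107 nentries=0 etime=0
"""

# One access-log operation line: timestamp, conn, op, operation keyword, remainder.
OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
ERR_RE = re.compile(r'\berr=(\d+)')
DN_RE = re.compile(r'\bdn="([^"]*)"')
WRITE_KINDS = {"ADD", "MOD", "DEL", "MODRDN"}
LDAP_REFERRAL = 10  # standard LDAP result code returned by a read-only replica without chaining


def parse_ops(log_text):
    """Pair each request line with its RESULT line by (conn, op); returns ops in log order."""
    ops, order = {}, []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue  # "connection from" / "fd=.. closed" lines carry no operation keyword
        key = (int(m["conn"]), int(m["op"]))
        if m["kind"] == "RESULT":
            if key in ops:  # a RESULT whose request predates the excerpt is ignored
                ops[key]["err"] = int(ERR_RE.search(m["rest"]).group(1))
            continue
        if key in ops:
            continue  # e.g. a SORT line that belongs to an already-recorded search
        dn_m = DN_RE.search(m["rest"])
        ops[key] = {"ts": m["ts"], "conn": key[0], "op": key[1], "kind": m["kind"],
                    "dn": dn_m.group(1).lower() if dn_m else None, "err": None}
        order.append(key)
    return [ops[k] for k in order]


def check_chained_writes(consumer_log, master_log):
    """Classify every write on the consumer.

    referral        consumer answered err=10: read-only replica, chaining not in effect
    forwarded       consumer err=0 and the same write appears on the master with err=0
    master_rejected the write reached the master but the master returned an error
    not_forwarded   consumer err=0 but nothing matching on the master (the thread's symptom)
    consumer_error  any other consumer error; no_result: request has no RESULT line yet
    """
    master_writes = [o for o in parse_ops(master_log) if o["kind"] in WRITE_KINDS]
    used, findings = set(), []
    for w in (o for o in parse_ops(consumer_log) if o["kind"] in WRITE_KINDS):
        f = {"conn": w["conn"], "op": w["op"], "kind": w["kind"], "dn": w["dn"],
             "consumer_err": w["err"], "master_err": None}
        if w["err"] is None:
            f["verdict"] = "no_result"
        elif w["err"] == LDAP_REFERRAL:
            f["verdict"] = "referral"
        elif w["err"] != 0:
            f["verdict"] = "consumer_error"
        else:
            match = next((i for i, m in enumerate(master_writes)
                          if i not in used and m["kind"] == w["kind"] and m["dn"] == w["dn"]), None)
            if match is None:
                f["verdict"] = "not_forwarded"
            else:
                used.add(match)
                f["master_err"] = master_writes[match]["err"]
                f["verdict"] = "forwarded" if f["master_err"] == 0 else "master_rejected"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in check_chained_writes(CONSUMER_LOG, MASTER_LOG):
        print(f"conn={f['conn']} op={f['op']} {f['kind']} {f['dn']}: {f['verdict']}"
              f" (consumer err={f['consumer_err']}, master err={f['master_err']})")
```

On the sample data the ADD of uid=nbody comes back as not_forwarded, which is exactly the situation James reports: err=0 on the consumer, nothing on the master.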
From rmeggins at redhat.com Tue Sep 5 14:53:36 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Sep 2006 08:53:36 -0600
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44FB3F35.7010709@highergear.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com> <44F8C128.9020201@highergear.com> <44F8F982.4000305@redhat.com> <44FB3F35.7010709@highergear.com>
Message-ID: <44FD8F70.5020809@redhat.com>

James B Newby wrote:
> Yes. I can add or modify entries on the consumer with update chaining
> set up, but those changes do not propagate to the master. If I search
> on the master for the entry created on the consumer:
>
> [root at ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=nbody
> Enter bind password:
> [root at ldap1-mw1 bin]$
>
> It's not there. As I said in an earlier message, I've followed the
> instructions in the Chain on Update HOWTO, but I can't get it to
> work. I've reviewed the Administrator Guide as well as searching the
> Internet for an answer but no luck.

So, is this a read-only consumer? If so, you should not be able to write to it. That's what is confusing me. If this is a read-only consumer, you should get an err=10 back from a write operation if chaining is not set up.

>
> Richard Megginson wrote:
>> James B Newby wrote:
>>> Well actually the entry was already there; I just made a small
>>> change to one of the attributes on the consumer through the
>>> directory console.
>>>
>>> I added a new entry on the consumer from the command line:
>>>
>>> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p
>>> 1389
>>> Enter bind password:
>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>> telephoneNumber: 800-555-5555
>>> userPassword:
>>> cn: No Body
>>> sn: Body
>>> objectClass: hgperson
>>> objectClass: inetorgperson
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: top
>>> givenName: No
>>> uid: nbody
>>> mail: nbody at highergear.com
>>> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>
>>> [root at ldap1 bin]#
>>>
>>> Then I searched for that user on the consumer's command line:
>>> [root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w -
>>> -h localhost -p 1389 uid=nbody
>>> Enter bind password:
>>> version: 1
>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>> telephoneNumber: 800-555-5555
>>> cn: No Body
>>> sn: Body
>>> objectClass: hgperson
>>> objectClass: inetorgperson
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: top
>>> givenName: No
>>> uid: nbody
>>> mail: nbody at highergear.com
>>> userPassword: {SSHA}
>>> [root at ldap1 bin]#
>>>
>>> Here is what resulted in the access log of the consumer:
>>> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from
>>> 127.0.0.1 to 127.0.0.1
>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager"
>>> method=128 version=3
>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0 dn="cn=manager"
>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD
>>> dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com"
>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105
>>> nentries=0 etime=0
>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
>>> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from
>>> 127.0.0.1 to 127.0.0.1
>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager"
>>> method=128 version=3
>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0 dn="cn=manager"
>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com"
>>> scope=2 filter="(uid=nbody)" attrs=ALL
>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND
>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1
>> So it appears to be working?
>>>
>>> I then searched for that new entry in the Directory Console and the
>>> following log entries resulted:
>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH
>>> base="ou=people,o=thgg,dc=hg,dc=com" scope=1
>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>>> attrs="objectClass numSubordinates ref aci"
>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn
>>> (196)
>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101
>>> nentries=196 etime=0 notes=U
>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH
>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole
>>> nsRoleDN objectClass nsAccountLock"
>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0
>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm
>>> database, cn=plugins, cn=config" scope=2
>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix
>>> nsBackendSuffix"
>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101
>>> nentries=2 etime=0
>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0
>>> filter="(objectClass=*)" attrs="nsBackendSuffix"
>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC
>>> uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm
>>> database, cn=plugins, cn=config" scope=0
>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101
>>> nentries=0 etime=0
>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH
>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>>> attrs="numSubordinates nscpEntryDN subschemaSubentry
>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic
>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix
>>> hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned
>>> nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas
>>> nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory
>>> retryCountResetTime passwordAllowChangeTime aci entryid
>>> nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict
>>> modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId
>>> nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry
>>> ldapSyntaxes createTimestamp nsLookThroughLimit *"
>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH
>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>> filter="(objectClass=*)" attrs="*"
>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH
>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>> This appears to be working also?
>>>
>>> -James
>>>
>>> Richard Megginson wrote:
>>>> James B Newby wrote:
>>>>> I found the MOD line in the consumer's access log. I saw no entry
>>>>> in the master's access log regarding that entry. It seems as if
>>>>> the request doesn't make it to the master. I can telnet into the
>>>>> ldap port on the master from the consumer.
>>>>>
>>>>> I installed Fedora Directory Server from
>>>>> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three
>>>>> machines are Intel/CentOS 4.3.
>>>>>
>>>>> -James
>>>>>
>>>>> In the consumer's access log:
>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH
>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>>>>> attrs="nsRole nsRoleDN objectClass nsAccountLock"
>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0
>>>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm
>>>>> database, cn=plugins, cn=config" scope=2
>>>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix
>>>>> nsBackendSuffix"
>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101
>>>>> nentries=2 etime=0
>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0
>>>>> filter="(objectClass=*)" attrs="nsBackendSuffix"
>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC
>>>>> uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm
>>>>> database, cn=plugins, cn=config" scope=0
>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101
>>>>> nentries=0 etime=0
>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH
>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>>>>> attrs="numSubordinates nscpEntryDN subschemaSubentry
>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic
>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix
>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime
>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit
>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory
>>>>> retryCountResetTime passwordAllowChangeTime aci entryid
>>>>> nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict
>>>>> modifyTimestamp passwordGraceUserTime passwordRetryCount
>>>>> nsUniqueId nsSchemaCSN creatorsName nsICQStatusText
>>>>> pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH
>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>>>> filter="(objectClass=*)" attrs="*"
>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH
>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD
>>>>> dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103
>>>>> nentries=0 etime=0
>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH
>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0
>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>>>>> attrs="objectClass numSubordinates ref aci"
>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou
>>>>> sn (1)
>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101
>>>>> nentries=1 etime=0 notes=U
>>>> Weird.
>>>> It looks as though you added the entry to the local server,
>>>> and were able to search for it right away. e.g. you search for
>>>> uid=jhines, and the server replies with err=0 and nentries=1. Can
>>>> you try the same search from the ldapsearch command line?
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> James B Newby wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I'm having a problem with my consumer's chain on update. I have
>>>>>>> a setup with two masters and one consumer. Multi-master
>>>>>>> replication is working properly. Changes made on either master
>>>>>>> propagate to the other master and to the consumer.
>>>>>>>
>>>>>>> Before setting up chaining, changes made on the consumer from
>>>>>>> the directory console would be denied. After setting up
>>>>>>> chaining per the wiki entry:
>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate ,
>>>>>>> changes could be made on the consumer through the directory
>>>>>>> console, but would not propagate to the master.
>>>>>> How are you testing/verifying the change doesn't get through?
>>>>>> Note that if you make the change in the console, the console will
>>>>>> not automatically refresh. I would first check the access log on
>>>>>> the consumer to find the ADD or MOD request, then see if that
>>>>>> request made it to a master, then see if the master rejected it
>>>>>> and why.
>>>>>>>
>>>>>>> I saw an e-mail with a similar problem in the December 2005
>>>>>>> archive, but didn't see any info in the replies that would help
>>>>>>> me. I've tried setting this up from scratch a couple times, but
>>>>>>> without success. The responses to ILoveJython's email in
>>>>>>> December suggested that certain entries be pasted in, so I've
>>>>>>> included them below.
>>>>>>>
>>>>>>> The following acl is included in dc=hg,dc=com:
>>>>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for
>>>>>>> database links";allow (proxy) (userdn = "ldap:///cn=Replication
>>>>>>> Manager, cn=config");)
>>>>>>> Since multi-master replication is set up, this entry is present
>>>>>>> on all three servers.
>>>>>>>
>>>>>>> Any help would be appreciated! Thanks!
>>>>>>>
>>>>>>> -James
>>>>>>>
>>>>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>>>>> objectClass: top
>>>>>>> objectClass: extensibleObject
>>>>>>> objectClass: nsMappingTree
>>>>>>> nsslapd-state: backend
>>>>>>> cn: "dc=hg,dc=com"
>>>>>>> cn: dc=hg,dc=com
>>>>>>> nsslapd-backend: userRoot
>>>>>>> nsslapd-backend: chainbe1
>>>>>>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>> nsslapd-distribution-plugin:
>>>>>>> /opt/fedora-ds/lib/replication-plugin.so
>>>>>>> nsslapd-distribution-funct: repl_chain_on_update
>>>>>>>
>>>>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>>>>> objectClass: nsDS5Replica
>>>>>>> objectClass: top
>>>>>>> nsDS5ReplicaRoot: dc=hg,dc=com
>>>>>>> nsDS5ReplicaType: 2
>>>>>>> nsDS5Flags: 0
>>>>>>> nsds5ReplicaPurgeDelay: 604800
>>>>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>>>>>>> cn: replica
>>>>>>> nsDS5ReplicaId: 65535
>>>>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>>>>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>>>>>>> nsDS5ReplicaReferral:
>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>> nsDS5ReplicaReferral:
>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>> nsds5ReplicaChangeCount: 0
>>>>>>> nsds5replicareapactive: 0
>>>>>>>
>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>> cn: config
>>>>>>> objectClass: top
>>>>>>> objectClass: extensibleObject
>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>>>>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>>>>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>>>>>>> nspossiblechainingcomponents: cn=resource
>>>>>>> limits,cn=components,cn=config
>>>>>>> nspossiblechainingcomponents: cn=certificate-based
>>>>>>> authentication,cn=component
>>>>>>> s,cn=config
>>>>>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
>>>>>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
>>>>>>> nspossiblechainingcomponents: cn=referential integrity
>>>>>>> postoperation,cn=plugin
>>>>>>> s,cn=config
>>>>>>> nspossiblechainingcomponents: cn=attribute
>>>>>>> uniqueness,cn=plugins,cn=config
>>>>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>>>>>>> objectClass: top
>>>>>>> objectClass: extensibleObject
>>>>>>> objectClass: nsBackendInstance
>>>>>>> cn: chainbe1
>>>>>>> nsslapd-suffix: dc=hg,dc=com
>>>>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389
>>>>>>> ldap2.mw1.highergear.com
>>>>>>> :1389/
>>>>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>>>>>>> nsmultiplexorcredentials: {DES}
>>>>>>> nsbindconnectionslimit: 3
>>>>>>> nsoperationconnectionslimit: 20
>>>>>>> nsabandonedsearchcheckinterval: 1
>>>>>>> nsconcurrentbindlimit: 10
>>>>>>> nsconcurrentoperationslimit: 2
>>>>>>> nsproxiedauthorization: on
>>>>>>> nsconnectionlife: 0
>>>>>>> nsbindtimeout: 15
>>>>>>> nsreferralonscopedsearch: off
>>>>>>> nschecklocalaci: on
>>>>>>> nsbindretrylimit: 3
>>>>>>> nsslapd-sizelimit: 2000
>>>>>>> nsslapd-timelimit: 3600
>>>>>>> nshoplimit: 10
>>>>>>> nsmaxresponsedelay: 60
>>>>>>> nsmaxtestresponsedelay: 15
>>>>>>>
>>>>>>> --
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From jnewby at highergear.com Tue Sep 5 15:41:21 2006
From: jnewby at highergear.com (James B Newby)
Date: Tue, 05 Sep 2006 10:41:21 -0500
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44FD8F70.5020809@redhat.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com> <44F8C128.9020201@highergear.com> <44F8F982.4000305@redhat.com> <44FB3F35.7010709@highergear.com> <44FD8F70.5020809@redhat.com>
Message-ID: <44FD9AA1.8070509@highergear.com>

Yes, it is a read-only consumer, set up as per instructions in the
administration guide.
My multi-master replication scheme works fine.
When chaining is not set up, write operations to the read-only consumer
fail. When chaining is set up, writes can be made to the read-only
consumer but they do not propagate to the master.

Are there any other queries I should make to the server in order to
give you more information?

Richard Megginson wrote:
> James B Newby wrote:
>> Yes. I can add or modify entries on the consumer with update
>> chaining set up, but those changes do not propagate to the master.
>> If I search on the master for the entry created on the consumer :
>>
>> [root at ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w -
>> -h localhost -p 1389 uid=nbody
>> Enter bind password:
>> [root at ldap1-mw1 bin]$
>>
>> It's not there. As I said in an earlier message, I've followed the
>> instructions in the Chain on Update HOWTO, but I can't get it to
>> work. I've reviewed the Administrator Guide as well as searching the
>> Internet for an answer but no luck.
> So, is this a read only consumer? If so, you should not be able to
> write to it. That's what is confusing me. If this is a read-only
> consumer, you should get an err=10 back from a write operation if
> chaining is not set up.
>>
>> Richard Megginson wrote:
>>> James B Newby wrote:
>>>> Well actually the entry was already there; I just made a small
>>>> change to one of the attributes on the consumer through the
>>>> directory console.
>>>> >>>> I added a new entry on the consumer from the command line: >>>> >>>> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost >>>> -p 1389 >>>> Enter bind password: >>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com >>>> telephoneNumber: 800-555-5555 >>>> userPassword: >>>> cn: No Body >>>> sn: Body >>>> objectClass: hgperson >>>> objectClass: inetorgperson >>>> objectClass: organizationalPerson >>>> objectClass: person >>>> objectClass: top >>>> givenName: No >>>> uid: nbody >>>> mail: nbody at highergear.com >>>> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com >>>> >>>> [root at ldap1 bin]# >>>> >>>> Then I searched for that user on the consumer's command line: >>>> [root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w - >>>> -h localhost -p 1389 uid=nbody >>>> Enter bind password: >>>> version: 1 >>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com >>>> telephoneNumber: 800-555-5555 >>>> cn: No Body >>>> sn: Body >>>> objectClass: hgperson >>>> objectClass: inetorgperson >>>> objectClass: organizationalPerson >>>> objectClass: person >>>> objectClass: top >>>> givenName: No >>>> uid: nbody >>>> mail: nbody at highergear.com >>>> userPassword: {SSHA} >>>> [root at ldap1 bin]# >>>> >>>> Here is what resulted in the access log of the consumer: >>>> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from >>>> 127.0.0.1 to 127.0.0.1 >>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" >>>> method=128 version=3 >>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 >>>> nentries=0 etime=0 dn="cn=manager" >>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD >>>> dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" >>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 >>>> nentries=0 etime=0 >>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND >>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1 >>>> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from >>>> 127.0.0.1 to 
127.0.0.1 >>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" >>>> method=128 version=3 >>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 >>>> nentries=0 etime=0 dn="cn=manager" >>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" >>>> scope=2 filter="(uid=nbody)" attrs=ALL >>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND >>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1 >>> So it appears to be working? >>>> >>>> I then searched for that new entry in the Directory Console and the >>>> following log entries resulted: >>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH >>>> base="ou=people,o=thgg,dc=hg,dc=com" scope=1 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>> attrs="objectClass numSubordinates ref aci" >>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn >>>> (196) >>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 >>>> nentries=196 etime=0 notes=U >>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH >>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole >>>> nsRoleDN objectClass nsAccountLock" >>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 >>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" >>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm >>>> database, cn=plugins, cn=config" scope=2 >>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix >>>> nsBackendSuffix" >>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 >>>> nentries=2 etime=0 >>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 >>>> 
filter="(objectClass=*)" attrs="nsBackendSuffix" >>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC >>>> uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm >>>> database, cn=plugins, cn=config" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" >>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 >>>> nentries=0 etime=0 >>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH >>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>> attrs="numSubordinates nscpEntryDN subschemaSubentry >>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix >>>> hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned >>>> nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas >>>> nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory >>>> retryCountResetTime passwordAllowChangeTime aci entryid >>>> nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict >>>> modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId >>>> nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry >>>> ldapSyntaxes createTimestamp nsLookThroughLimit *" >>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH >>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(objectClass=*)" attrs="*" >>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 >>>> nentries=1 etime=0 >>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH >>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL >>> This appears to be working also? 
>>>> >>>> -James >>>> >>>> Richard Megginson wrote: >>>>> James B Newby wrote: >>>>>> I found the MOD line in the consumer's access log. I saw no >>>>>> entry in the master's access log regarding that entry. It seems >>>>>> as if the request doesn't make it to the master. I can telnet >>>>>> into the ldap port on the master from the consumer. >>>>>> >>>>>> I installed Fedora Directory Server from >>>>>> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three >>>>>> machines are Intel/CentOS 4.3. >>>>>> >>>>>> -James >>>>>> >>>>>> In the consumer's access log: >>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH >>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>> attrs="nsRole nsRoleDN objectClass nsAccountLock" >>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" >>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm >>>>>> database, cn=plugins, cn=config" scope=2 >>>>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix >>>>>> nsBackendSuffix" >>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 >>>>>> nentries=2 etime=0 >>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="nsBackendSuffix" >>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC >>>>>> uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm >>>>>> database, cn=plugins, cn=config" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" >>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 >>>>>> 
nentries=0 etime=0 >>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH >>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>> attrs="numSubordinates nscpEntryDN subschemaSubentry >>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix >>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime >>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit >>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory >>>>>> retryCountResetTime passwordAllowChangeTime aci entryid >>>>>> nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict >>>>>> modifyTimestamp passwordGraceUserTime passwordRetryCount >>>>>> nsUniqueId nsSchemaCSN creatorsName nsICQStatusText >>>>>> pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *" >>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH >>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(objectClass=*)" attrs="*" >>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH >>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL >>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD >>>>>> dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" >>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 >>>>>> nentries=0 etime=0 >>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH >>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>> attrs="objectClass numSubordinates ref aci" >>>>>> 
[01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou >>>>>> sn (1) >>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 notes=U >>>>> Weird. It looks as though you added the entry to the local >>>>> server, and were able to search for it right away. e.g. you >>>>> search for uid=jhines, and the server replies with err=0 and >>>>> nentries=1. Can you try the same search from the ldapsearch >>>>> command line? >>>>>> >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> James B Newby wrote: >>>>>>>> Hello all, >>>>>>>> >>>>>>>> I'm having a problem with my consumer's chain on update. I >>>>>>>> have a setup with two masters and one consumer. Multi-master >>>>>>>> replication is working properly. Changes made on either master >>>>>>>> propagate to the other master and to the consumer. >>>>>>>> >>>>>>>> Before setting up chaining, changes made on the consumer from >>>>>>>> the directory console would be denied. After setting up >>>>>>>> chaining per the wiki entry: >>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate , >>>>>>>> changes could be made on the consumer through the directory >>>>>>>> console, but would not propagate to the master. >>>>>>> How are you testing/verifying the change doesn't get through? >>>>>>> Note that if you make the change in the console, the console >>>>>>> will not automatically refresh. I would first check the access >>>>>>> log on the consumer to find the ADD or MOD request, then see if >>>>>>> that request made it to a master, then see if the master >>>>>>> rejected it and why. >>>>>>>> >>>>>>>> I saw an e-mail with a similar problem in the December 2005 >>>>>>>> archive, but didn't see any info in the replies that would help >>>>>>>> me. I've tried setting this up from scratch a couple times, >>>>>>>> but without success. The responses to ILoveJython's email in >>>>>>>> December suggested that certain entries be pasted in, so I've >>>>>>>> included them below. 
>>>>>>>> >>>>>>>> The following acl is included in dc=hg,dc=com: >>>>>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for >>>>>>>> database links";allow (proxy) (userdn = "ldap:///cn=Replication >>>>>>>> Manager, cn=config");) >>>>>>>> Since multi-master replication is set up, this entry is present >>>>>>>> on all three servers. >>>>>>>> >>>>>>>> Any help would be appreciated! Thanks! >>>>>>>> >>>>>>>> -James >>>>>>>> >>>>>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>>>> objectClass: top >>>>>>>> objectClass: extensibleObject >>>>>>>> objectClass: nsMappingTree >>>>>>>> nsslapd-state: backend >>>>>>>> cn: "dc=hg,dc=com" >>>>>>>> cn: dc=hg,dc=com >>>>>>>> nsslapd-backend: userRoot >>>>>>>> nsslapd-backend: chainbe1 >>>>>>>> nsslapd-referral: >>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>> nsslapd-referral: >>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>> nsslapd-distribution-plugin: >>>>>>>> /opt/fedora-ds/lib/replication-plugin.so >>>>>>>> nsslapd-distribution-funct: repl_chain_on_update >>>>>>>> >>>>>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>>>> objectClass: nsDS5Replica >>>>>>>> objectClass: top >>>>>>>> nsDS5ReplicaRoot: dc=hg,dc=com >>>>>>>> nsDS5ReplicaType: 2 >>>>>>>> nsDS5Flags: 0 >>>>>>>> nsds5ReplicaPurgeDelay: 604800 >>>>>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config >>>>>>>> cn: replica >>>>>>>> nsDS5ReplicaId: 65535 >>>>>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA= >>>>>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000 >>>>>>>> nsDS5ReplicaReferral: >>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>> nsDS5ReplicaReferral: >>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>> nsds5ReplicaChangeCount: 0 >>>>>>>> nsds5replicareapactive: 0 >>>>>>>> >>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config >>>>>>>> cn: config >>>>>>>> objectClass: top >>>>>>>> objectClass: extensibleObject >>>>>>>> 
nstransmittedcontrols: 2.16.840.1.113730.3.4.2 >>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9 >>>>>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473 >>>>>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12 >>>>>>>> nspossiblechainingcomponents: cn=resource >>>>>>>> limits,cn=components,cn=config >>>>>>>> nspossiblechainingcomponents: cn=certificate-based >>>>>>>> authentication,cn=component >>>>>>>> s,cn=config >>>>>>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config >>>>>>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config >>>>>>>> nspossiblechainingcomponents: cn=referential integrity >>>>>>>> postoperation,cn=plugin >>>>>>>> s,cn=config >>>>>>>> nspossiblechainingcomponents: cn=attribute >>>>>>>> uniqueness,cn=plugins,cn=config >>>>>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config >>>>>>>> objectClass: top >>>>>>>> objectClass: extensibleObject >>>>>>>> objectClass: nsBackendInstance >>>>>>>> cn: chainbe1 >>>>>>>> nsslapd-suffix: dc=hg,dc=com >>>>>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 >>>>>>>> ldap2.mw1.highergear.com >>>>>>>> :1389/ >>>>>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config >>>>>>>> nsmultiplexorcredentials: {DES} >>>>>>>> nsbindconnectionslimit: 3 >>>>>>>> nsoperationconnectionslimit: 20 >>>>>>>> nsabandonedsearchcheckinterval: 1 >>>>>>>> nsconcurrentbindlimit: 10 >>>>>>>> nsconcurrentoperationslimit: 2 >>>>>>>> nsproxiedauthorization: on >>>>>>>> nsconnectionlife: 0 >>>>>>>> nsbindtimeout: 15 >>>>>>>> nsreferralonscopedsearch: off >>>>>>>> nschecklocalaci: on >>>>>>>> nsbindretrylimit: 3 >>>>>>>> nsslapd-sizelimit: 2000 >>>>>>>> nsslapd-timelimit: 3600 >>>>>>>> nshoplimit: 10 >>>>>>>> nsmaxresponsedelay: 60 >>>>>>>> nsmaxtestresponsedelay: 15 >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>> 

From rmeggins at redhat.com Tue Sep 5 16:21:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Sep 2006 10:21:52 -0600
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44FD9AA1.8070509@highergear.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com>
	<44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com>
	<44F8C128.9020201@highergear.com> <44F8F982.4000305@redhat.com>
	<44FB3F35.7010709@highergear.com> <44FD8F70.5020809@redhat.com>
	<44FD9AA1.8070509@highergear.com>
Message-ID: <44FDA420.8040304@redhat.com>

James B Newby wrote:
> Yes, it is a read-only consumer, set up as per instructions in the
> administration guide.
> My multi-master replication scheme works fine. When chaining is not
> set up, write operations to the read-only consumer fail. When
> chaining is set up, writes can be made to the read-only consumer but
> they do not propagate to the master.
But the entry is successfully added and can be successfully searched.
So it must exist on a master somewhere? Try this - do a search for the
entry after adding it - in addition to the usual attributes, request the
replication state information - ask for the attribute nscpEntryWsi, and
also the nsUniqueID attribute. With this information, we can determine
on which master (replica ID) the entry was added and at what time.
>
> Are there any other queries I should make to the server in order to
> give you more information?
>
> Richard Megginson wrote:
>> James B Newby wrote:
>>> Yes. I can add or modify entries on the consumer with update
>>> chaining set up, but those changes do not propagate to the master.
>>> If I search on the master for the entry created on the consumer :
>>>
>>> [root at ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w
>>> - -h localhost -p 1389 uid=nbody
>>> Enter bind password:
>>> [root at ldap1-mw1 bin]$
>>>
>>> It's not there. As I said in an earlier message, I've followed the
>>> instructions in the Chain on Update HOWTO, but I can't get it to
>>> work. I've reviewed the Administrator Guide as well as searching
>>> the Internet for an answer but no luck.
>> So, is this a read only consumer? If so, you should not be able
>> to write to it. That's what is confusing me. If this is a read-only
>> consumer, you should get an err=10 back from a write operation if
>> chaining is not set up.
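Richard's suggestion in this message, to search for the entry with nscpEntryWsi and nsUniqueID requested, works because each replicated attribute value is tagged with a change sequence number (CSN) option such as `;vucsn-44fe0619000000010000`, and the hex fields of the CSN record when the write happened and the replica ID of the server that performed it. The Python below is an added example, not code from this thread or from Fedora Directory Server: it pulls those options out of ldapsearch output and decodes them. It assumes the CSN layout used by Fedora DS / 389 DS (8 hex digits of Unix time, 4 hex digits sequence number, 4 hex digits replica ID, 4 hex digits sub-sequence number); the two sample search results are constructed for the example, modelled on the server's output format, and the CSN value in them is one that appears later in this thread.

```python
"""Decode Fedora/389 Directory Server replication state from nscpEntryWsi.

Added example, not code from the thread or from Fedora DS. Assumes the CSN
layout used by Fedora DS / 389 DS: 8 hex digits of Unix time, 4 hex digits
sequence number, 4 hex digits replica ID, 4 hex digits sub-sequence number.
"""
import re
from datetime import datetime, timezone

# Attribute options such as ";vucsn-<20 hex digits>" carry the change
# sequence number (CSN) stamped by the replica that performed the write.
CSN_OPTION = re.compile(r"^(?P<kind>[a-z]{2}csn)-(?P<csn>[0-9a-fA-F]{20})$")
WSI_PREFIX = "nscpEntryWsi: "


def decode_csn(csn):
    """Split a 20-hex-digit CSN into its four fields."""
    if not re.fullmatch(r"[0-9a-fA-F]{20}", csn):
        raise ValueError("not a CSN: %r" % (csn,))
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def parse_wsi(output):
    """Return (attribute, kind, csn) for every CSN option found in the
    nscpEntryWsi lines of an ldapsearch result."""
    found = []
    for line in output.splitlines():
        if not line.startswith(WSI_PREFIX):
            continue
        # "uid;vucsn-...;mdcsn-...: semployee" -> attribute description, value
        attrdesc, sep, _value = line[len(WSI_PREFIX):].partition(": ")
        if not sep:
            continue
        name, *options = attrdesc.split(";")
        for opt in options:
            m = CSN_OPTION.match(opt)
            if m:
                found.append((name, m.group("kind"), m.group("csn").lower()))
    return found


def origin_of_entry(output):
    """Report which replica wrote the entry's values (vucsn stamps) and when.

    Returns None for an entry with no CSNs at all: nothing stamped it, so it
    was written into this server's local backend rather than arriving from
    a master through replication.
    """
    updates = [decode_csn(csn) for _, kind, csn in parse_wsi(output)
               if kind == "vucsn"]
    if not updates:
        return None
    first = min(updates, key=lambda u: (u["time"], u["seqnum"], u["subseqnum"]))
    return {
        "replica_ids": sorted({u["replica_id"] for u in updates}),
        "first_update": first["time"].strftime("%Y%m%d%H%M%SZ"),
    }


# Constructed sample, modelled on the thread's ldapsearch output: an entry
# whose values were stamped by a master with replica ID 1.
MASTER_ENTRY = """\
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
"""

# Constructed sample: an entry in a server's local backend that carries no
# replication state at all (no ";vucsn-..." option on any attribute).
LOCAL_ENTRY = """\
dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: cn: Some Body
nscpEntryWsi: uid: sbody
nscpEntryWsi: nsUniqueId: 8e72a281-1dd211b2-8091a7e3-5afe0000
nsUniqueID: 8e72a281-1dd211b2-8091a7e3-5afe0000
"""

if __name__ == "__main__":
    for label, text in (("replicated", MASTER_ENTRY), ("local-only", LOCAL_ENTRY)):
        print(label, origin_of_entry(text))
```

Run as-is, the replicated sample decodes to replica ID 1 with its first update at 20060905231953Z, and the sample with no CSN options returns None. A read-only consumer is configured with replica ID 65535 (0xffff), as in the nsDS5ReplicaId of the consumer replica posted in this thread, so the ID inside a vucsn says directly which master stamped the value, and an entry with no stamps at all never passed through any replica. The decoded time can run a few seconds ahead of createTimestamp, because the CSN generator adjusts its clock against the CSNs it receives from other replicas.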
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Tue Sep 5 17:23:53 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Sep 2006 11:23:53 -0600
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
In-Reply-To: <9C0091F428E697439E7A773FFD0834274358D0@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD0834274358D0@szexchange.Shopzilla.inc>
Message-ID: <44FDB2A9.3010001@redhat.com>

Philip Kime wrote:
>> What version of fedora ds is this?
>>
>
> fedora-ds-1.0.2-1.RHEL4
>
> installed from
>
> fedora-ds-1.0.2-1.RHEL4.x86_64.opt.rpm
>
> Downloaded from
>
> http://directory.fedora.redhat.com/wiki/Download
>
Weird. I just installed that rpm on a rhel4 x86_64 system and I got
totally different numbers from what you reported in your earlier email,
quoted below:

# md5sum /opt/fedora-ds/lib/libjss3.so
2098364ec91d9b354e9086806852ae5d /opt/fedora-ds/lib/libjss3.so
# ls -l /opt/fedora-ds/lib/libjss3.so
-rw-r--r-- 1 root root 213324 Nov 15 2005 /opt/fedora-ds/lib/libjss3.so

So at this point I'm not sure what happened. I didn't run setup, but I
don't think setup changes this binary in any way.

> * /From/: "Philip Kime"
> * /To/:
> * /Subject/: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
> * /Date/: Fri, 1 Sep 2006 16:08:40 -0700
>
> ------------------------------------------------------------------------
>
> Perhaps. Do an ls -l /opt/fedora-ds/lib/libjss3.so then do md5sum
> /opt/fedora-ds/lib/libjss3.so
>
> [root hqldap01 ~]# ls -l /opt/fedora-ds/lib/libjss3.so
> -rwxr-xr-x 1 root root 182804 Jul 27 14:45
> /opt/fedora-ds/lib/libjss3.so
>
> [root hqldap01 ~]# md5sum /opt/fedora-ds/lib/libjss3.so
> 4e59a1243c27732dca9c367a9049e86a /opt/fedora-ds/lib/libjss3.so
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jnewby at highergear.com Tue Sep 5 23:34:20 2006
From: jnewby at highergear.com (James B Newby)
Date: Tue, 05 Sep 2006 18:34:20 -0500
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44FDA420.8040304@redhat.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com>
	<44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com>
	<44F8C128.9020201@highergear.com> <44F8F982.4000305@redhat.com>
	<44FB3F35.7010709@highergear.com> <44FD8F70.5020809@redhat.com>
	<44FD9AA1.8070509@highergear.com> <44FDA420.8040304@redhat.com>
Message-ID: <44FE097C.1010400@highergear.com>

Example 1:

Adding an entry to the consumer:

[root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
Enter bind password:
dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
objectClass: hgperson
telephonenumber: 555-555-5555
sn: Body
cn: Some Body
givenName: Some
mail: sbody at highergear.com
uid: sbody
adding new entry uid=sbody,ou=people,o=thgg,dc=hg,dc=com
[root at ldap1 bin]#

Searching for entry on consumer:

[root at ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
Enter bind password:
version: 1
dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: objectClass: hgperson
nscpEntryWsi: objectClass: inetOrgPerson
nscpEntryWsi: objectClass: organizationalPerson
nscpEntryWsi: objectClass: person
nscpEntryWsi: objectClass: top
nscpEntryWsi: telephoneNumber: 555-555-5555
nscpEntryWsi: sn: Body
nscpEntryWsi: cn: Some Body
nscpEntryWsi: givenName: Some
nscpEntryWsi: mail: sbody at highergear.com
nscpEntryWsi: uid: sbody
nscpEntryWsi: creatorsName: cn=manager
nscpEntryWsi: modifiersName: cn=manager
nscpEntryWsi: createTimestamp: 20060905232428Z
nscpEntryWsi: modifyTimestamp: 20060905232428Z
nscpEntryWsi: nsUniqueId: 8e72a281-1dd211b2-8091a7e3-5afe0000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19720
nscpEntryWsi: entrydn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: 8e72a281-1dd211b2-8091a7e3-5afe0000
[root at ldap1 bin]#

Search for entry on Master 1:

[root at ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
Enter bind password:
[root at ldap1-mw1 bin]#

Search for entry on Master 2:

[root at ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
Enter bind password:
[root at ldap2-mw1 bin]#

-------------------------------------------------------

Example 2:

Create an entry on Master 1:

[root at ldap1-mw1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
Enter bind password:
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
telephoneNumber: 800-555-5555
userPassword:
cn: Some Employee
sn: Employee
objectClass: hgperson
givenName: Some
uid: semployee
mail: semployee at highergear.com
adding new entry uid=semployee,ou=people,o=thgg,dc=hg,dc=com
[root at ldap1-mw1 bin]#

Search for entry on Master 1:

[root at ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
Enter bind password:
version: 1
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19718
nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
[root at ldap1-mw1 bin]#

Search for Entry on Master 2:

[root at ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
Enter bind password:
version: 1
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19718
nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
[root at ldap2-mw1 bin]#

Search for entry on consumer:

[root at ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
Enter bind password:
version: 1
dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
nscpEntryWsi: parentid: 11
nscpEntryWsi: entryid: 19719
nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
[root at ldap1 bin]#

Richard Megginson wrote:
> James B Newby wrote:
>> Yes, it is a read-only consumer, set up as per instructions in the
>> administration guide.
>> My multi-master replication scheme works fine. When chaining is not
>> set up, write operations to the read-only consumer fail. When
>> chaining is set up, writes can be made to the read-only consumer but
>> they do not propagate to the master.
> But the entry is successfully added and can be successfully searched.
> So it must exist on a master somewhere? Try this - do a search for
> the entry after adding it - in addition to the usual attributes,
> request the replication state information - ask for the attribute
> nscpEntryWsi, and also the nsUniqueID attribute. With this
> information, we can determine on which master (replica ID) the entry
> was added and at what time.
>>
>> Are there any other queries I should make to the server in order to
>> give you more information?
>>
>> Richard Megginson wrote:
>>> James B Newby wrote:
>>>> Yes. I can add or modify entries on the consumer with update
>>>> chaining set up, but those changes do not propagate to the master.
>>>> If I search on the master for the entry created on the consumer :
>>>>
>>>> [root at ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w
>>>> - -h localhost -p 1389 uid=nbody
>>>> Enter bind password:
>>>> [root at ldap1-mw1 bin]$
>>>>
>>>> It's not there. As I said in an earlier message, I've followed the
>>>> instructions in the Chain on Update HOWTO, but I can't get it to
>>>> work. I've reviewed the Administrator Guide as well as searching
>>>> the Internet for an answer but no luck.
>>> So, is this a read only consumer? If so, you should not be able
>>> to write to it. That's what is confusing me. If this is a
>>> read-only consumer, you should get an err=10 back from a write
>>> operation if chaining is not set up.
>>>> >>>> Richard Megginson wrote: >>>>> James B Newby wrote: >>>>>> Well actually the entry was already there; I just made a small >>>>>> change to one of the attributes on the consumer through the >>>>>> directory console. >>>>>> >>>>>> I added a new entry on the consumer from the command line: >>>>>> >>>>>> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost >>>>>> -p 1389 >>>>>> Enter bind password: >>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com >>>>>> telephoneNumber: 800-555-5555 >>>>>> userPassword: >>>>>> cn: No Body >>>>>> sn: Body >>>>>> objectClass: hgperson >>>>>> objectClass: inetorgperson >>>>>> objectClass: organizationalPerson >>>>>> objectClass: person >>>>>> objectClass: top >>>>>> givenName: No >>>>>> uid: nbody >>>>>> mail: nbody at highergear.com >>>>>> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com >>>>>> >>>>>> [root at ldap1 bin]# >>>>>> >>>>>> Then I searched for that user on the consumer's command line: >>>>>> [root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w >>>>>> - -h localhost -p 1389 uid=nbody >>>>>> Enter bind password: >>>>>> version: 1 >>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com >>>>>> telephoneNumber: 800-555-5555 >>>>>> cn: No Body >>>>>> sn: Body >>>>>> objectClass: hgperson >>>>>> objectClass: inetorgperson >>>>>> objectClass: organizationalPerson >>>>>> objectClass: person >>>>>> objectClass: top >>>>>> givenName: No >>>>>> uid: nbody >>>>>> mail: nbody at highergear.com >>>>>> userPassword: {SSHA} >>>>>> [root at ldap1 bin]# >>>>>> >>>>>> Here is what resulted in the access log of the consumer: >>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from >>>>>> 127.0.0.1 to 127.0.0.1 >>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" >>>>>> method=128 version=3 >>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 >>>>>> nentries=0 etime=0 dn="cn=manager" >>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD >>>>>> 
dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" >>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 >>>>>> nentries=0 etime=0 >>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND >>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1 >>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from >>>>>> 127.0.0.1 to 127.0.0.1 >>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" >>>>>> method=128 version=3 >>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 >>>>>> nentries=0 etime=0 dn="cn=manager" >>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" >>>>>> scope=2 filter="(uid=nbody)" attrs=ALL >>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND >>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1 >>>>> So it appears to be working? >>>>>> >>>>>> I then searched for that new entry in the Directory Console and >>>>>> the following log entries resulted: >>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH >>>>>> base="ou=people,o=thgg,dc=hg,dc=com" scope=1 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>> attrs="objectClass numSubordinates ref aci" >>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou >>>>>> sn (196) >>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 >>>>>> nentries=196 etime=0 notes=U >>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH >>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>> attrs="nsRole nsRoleDN objectClass nsAccountLock" >>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" >>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 
RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm >>>>>> database, cn=plugins, cn=config" scope=2 >>>>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix >>>>>> nsBackendSuffix" >>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 >>>>>> nentries=2 etime=0 >>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="nsBackendSuffix" >>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC >>>>>> uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm >>>>>> database, cn=plugins, cn=config" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" >>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 >>>>>> nentries=0 etime=0 >>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH >>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>> attrs="numSubordinates nscpEntryDN subschemaSubentry >>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix >>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime >>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit >>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory >>>>>> retryCountResetTime passwordAllowChangeTime aci entryid >>>>>> nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict >>>>>> modifyTimestamp passwordGraceUserTime passwordRetryCount >>>>>> nsUniqueId nsSchemaCSN creatorsName nsICQStatusText >>>>>> pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *" >>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH >>>>>> 
base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(objectClass=*)" attrs="*" >>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 >>>>>> nentries=1 etime=0 >>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH >>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL >>>>> This appears to be working also? >>>>>> >>>>>> -James >>>>>> >>>>>> Richard Megginson wrote: >>>>>>> James B Newby wrote: >>>>>>>> I found the MOD line in the consumer's access log. I saw no >>>>>>>> entry in the master's access log regarding that entry. It >>>>>>>> seems as if the request doesn't make it to the master. I can >>>>>>>> telnet into the ldap port on the master from the consumer. >>>>>>>> >>>>>>>> I installed Fedora Directory Server from >>>>>>>> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three >>>>>>>> machines are Intel/CentOS 4.3. >>>>>>>> >>>>>>>> -James >>>>>>>> >>>>>>>> In the consumer's access log: >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH >>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>>>> attrs="nsRole nsRoleDN objectClass nsAccountLock" >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 >>>>>>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm >>>>>>>> database, cn=plugins, cn=config" scope=2 >>>>>>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix >>>>>>>> nsBackendSuffix" >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 >>>>>>>> nentries=2 etime=0 >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 
>>>>>>>> filter="(objectClass=*)" attrs="nsBackendSuffix" >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC >>>>>>>> uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm >>>>>>>> database, cn=plugins, cn=config" scope=0 >>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" >>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 >>>>>>>> nentries=0 etime=0 >>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH >>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>>>> attrs="numSubordinates nscpEntryDN subschemaSubentry >>>>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >>>>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix >>>>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime >>>>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit >>>>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit >>>>>>>> passwordHistory retryCountResetTime passwordAllowChangeTime aci >>>>>>>> entryid nsIdleTimeout entrydn copyingFrom nsAccountLock >>>>>>>> nsds5ReplConflict modifyTimestamp passwordGraceUserTime >>>>>>>> passwordRetryCount nsUniqueId nsSchemaCSN creatorsName >>>>>>>> nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp >>>>>>>> nsLookThroughLimit *" >>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 >>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH >>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>> filter="(objectClass=*)" attrs="*" >>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 >>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH >>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>> 
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL >>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 >>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD >>>>>>>> dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" >>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 >>>>>>>> nentries=0 etime=0 >>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH >>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>>>> attrs="objectClass numSubordinates ref aci" >>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o >>>>>>>> ou sn (1) >>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 >>>>>>>> nentries=1 etime=0 notes=U >>>>>>> Weird. It looks as though you added the entry to the local >>>>>>> server, and were able to search for it right away. e.g. you >>>>>>> search for uid=jhines, and the server replies with err=0 and >>>>>>> nentries=1. Can you try the same search from the ldapsearch >>>>>>> command line? >>>>>>>> >>>>>>>> >>>>>>>> Richard Megginson wrote: >>>>>>>>> James B Newby wrote: >>>>>>>>>> Hello all, >>>>>>>>>> >>>>>>>>>> I'm having a problem with my consumer's chain on update. I >>>>>>>>>> have a setup with two masters and one consumer. Multi-master >>>>>>>>>> replication is working properly. Changes made on either >>>>>>>>>> master propagate to the other master and to the consumer. >>>>>>>>>> >>>>>>>>>> Before setting up chaining, changes made on the consumer from >>>>>>>>>> the directory console would be denied. After setting up >>>>>>>>>> chaining per the wiki entry: >>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate , >>>>>>>>>> changes could be made on the consumer through the directory >>>>>>>>>> console, but would not propagate to the master. >>>>>>>>> How are you testing/verifying the change doesn't get through? 
>>>>>>>>> Note that if you make the change in the console, the console >>>>>>>>> will not automatically refresh. I would first check the >>>>>>>>> access log on the consumer to find the ADD or MOD request, >>>>>>>>> then see if that request made it to a master, then see if the >>>>>>>>> master rejected it and why. >>>>>>>>>> >>>>>>>>>> I saw an e-mail with a similar problem in the December 2005 >>>>>>>>>> archive, but didn't see any info in the replies that would >>>>>>>>>> help me. I've tried setting this up from scratch a couple >>>>>>>>>> times, but without success. The responses to ILoveJython's >>>>>>>>>> email in December suggested that certain entries be pasted >>>>>>>>>> in, so I've included them below. >>>>>>>>>> >>>>>>>>>> The following acl is included in dc=hg,dc=com: >>>>>>>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization >>>>>>>>>> for database links";allow (proxy) (userdn = >>>>>>>>>> "ldap:///cn=Replication Manager, cn=config");) >>>>>>>>>> Since multi-master replication is set up, this entry is >>>>>>>>>> present on all three servers. >>>>>>>>>> >>>>>>>>>> Any help would be appreciated! Thanks! 
>>>>>>>>>> >>>>>>>>>> -James >>>>>>>>>> >>>>>>>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>>>>>> objectClass: top >>>>>>>>>> objectClass: extensibleObject >>>>>>>>>> objectClass: nsMappingTree >>>>>>>>>> nsslapd-state: backend >>>>>>>>>> cn: "dc=hg,dc=com" >>>>>>>>>> cn: dc=hg,dc=com >>>>>>>>>> nsslapd-backend: userRoot >>>>>>>>>> nsslapd-backend: chainbe1 >>>>>>>>>> nsslapd-referral: >>>>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>> nsslapd-referral: >>>>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>> nsslapd-distribution-plugin: >>>>>>>>>> /opt/fedora-ds/lib/replication-plugin.so >>>>>>>>>> nsslapd-distribution-funct: repl_chain_on_update >>>>>>>>>> >>>>>>>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>>>>>> objectClass: nsDS5Replica >>>>>>>>>> objectClass: top >>>>>>>>>> nsDS5ReplicaRoot: dc=hg,dc=com >>>>>>>>>> nsDS5ReplicaType: 2 >>>>>>>>>> nsDS5Flags: 0 >>>>>>>>>> nsds5ReplicaPurgeDelay: 604800 >>>>>>>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config >>>>>>>>>> cn: replica >>>>>>>>>> nsDS5ReplicaId: 65535 >>>>>>>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA= >>>>>>>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000 >>>>>>>>>> nsDS5ReplicaReferral: >>>>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>> nsDS5ReplicaReferral: >>>>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>> nsds5ReplicaChangeCount: 0 >>>>>>>>>> nsds5replicareapactive: 0 >>>>>>>>>> >>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config >>>>>>>>>> cn: config >>>>>>>>>> objectClass: top >>>>>>>>>> objectClass: extensibleObject >>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2 >>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9 >>>>>>>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473 >>>>>>>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12 >>>>>>>>>> nspossiblechainingcomponents: cn=resource >>>>>>>>>> limits,cn=components,cn=config >>>>>>>>>> 
nspossiblechainingcomponents: cn=certificate-based >>>>>>>>>> authentication,cn=component >>>>>>>>>> s,cn=config >>>>>>>>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config >>>>>>>>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config >>>>>>>>>> nspossiblechainingcomponents: cn=referential integrity >>>>>>>>>> postoperation,cn=plugin >>>>>>>>>> s,cn=config >>>>>>>>>> nspossiblechainingcomponents: cn=attribute >>>>>>>>>> uniqueness,cn=plugins,cn=config >>>>>>>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config >>>>>>>>>> objectClass: top >>>>>>>>>> objectClass: extensibleObject >>>>>>>>>> objectClass: nsBackendInstance >>>>>>>>>> cn: chainbe1 >>>>>>>>>> nsslapd-suffix: dc=hg,dc=com >>>>>>>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 >>>>>>>>>> ldap2.mw1.highergear.com >>>>>>>>>> :1389/ >>>>>>>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config >>>>>>>>>> nsmultiplexorcredentials: {DES} >>>>>>>>>> nsbindconnectionslimit: 3 >>>>>>>>>> nsoperationconnectionslimit: 20 >>>>>>>>>> nsabandonedsearchcheckinterval: 1 >>>>>>>>>> nsconcurrentbindlimit: 10 >>>>>>>>>> nsconcurrentoperationslimit: 2 >>>>>>>>>> nsproxiedauthorization: on >>>>>>>>>> nsconnectionlife: 0 >>>>>>>>>> nsbindtimeout: 15 >>>>>>>>>> nsreferralonscopedsearch: off >>>>>>>>>> nschecklocalaci: on >>>>>>>>>> nsbindretrylimit: 3 >>>>>>>>>> nsslapd-sizelimit: 2000 >>>>>>>>>> nsslapd-timelimit: 3600 >>>>>>>>>> nshoplimit: 10 >>>>>>>>>> nsmaxresponsedelay: 60 >>>>>>>>>> nsmaxtestresponsedelay: 15 >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> 
From nkinder at redhat.com Tue Sep 5 23:42:50 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 05 Sep 2006 16:42:50 -0700
Subject: [Fedora-directory-users] Chain on Update Problem
In-Reply-To: <44FE097C.1010400@highergear.com>
References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com> <44F8C128.9020201@highergear.com> <44F8F982.4000305@redhat.com> <44FB3F35.7010709@highergear.com> <44FD8F70.5020809@redhat.com> <44FD9AA1.8070509@highergear.com> <44FDA420.8040304@redhat.com> <44FE097C.1010400@highergear.com>
Message-ID: <44FE0B7A.60601@redhat.com>

Try using a different bind DN for chaining than your "cn=Replication Manager, cn=config" user. It could be that replication is getting confused when chaining updates are being performed by that user, since it will assume that updates by that user were sent via a replication agreement. I would create a chaining-specific user such as "cn=Chaining Manager, cn=config" and configure chaining to use that user.

-NGK

James B Newby wrote:
> Example 1:
>
> Adding an entry to the consumer:
>
> [root@ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
> Enter bind password:
> dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> objectClass: hgperson
> telephonenumber: 555-555-5555
> sn: Body
> cn: Some Body
> givenName: Some
> mail: sbody@highergear.com
> uid: sbody
> adding new entry uid=sbody,ou=people,o=thgg,dc=hg,dc=com
>
> [root@ldap1 bin]#
>
> Searching for entry on consumer:
>
> [root@ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: objectClass: hgperson
> nscpEntryWsi: objectClass: inetOrgPerson
> nscpEntryWsi: objectClass: organizationalPerson
> nscpEntryWsi: objectClass: person
> nscpEntryWsi: objectClass: top
> nscpEntryWsi: telephoneNumber: 555-555-5555
> nscpEntryWsi: sn: Body
> nscpEntryWsi: cn: Some Body
> nscpEntryWsi: givenName: Some
> nscpEntryWsi: mail: sbody@highergear.com
> nscpEntryWsi: uid: sbody
> nscpEntryWsi: creatorsName: cn=manager
> nscpEntryWsi: modifiersName: cn=manager
> nscpEntryWsi: createTimestamp: 20060905232428Z
> nscpEntryWsi: modifyTimestamp: 20060905232428Z
> nscpEntryWsi: nsUniqueId: 8e72a281-1dd211b2-8091a7e3-5afe0000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19720
> nscpEntryWsi: entrydn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: 8e72a281-1dd211b2-8091a7e3-5afe0000
> [root@ldap1 bin]#
>
> Search for entry on Master 1:
>
> [root@ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
> Enter bind password:
> [root@ldap1-mw1 bin]#
>
> Search for entry on Master 2:
>
> [root@ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
> Enter bind password:
> [root@ldap2-mw1 bin]#
>
> -------------------------------------------------------
>
> Example 2:
>
> Create an entry on Master 1:
>
> [root@ldap1-mw1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
> Enter bind password:
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> telephoneNumber: 800-555-5555
> userPassword:
> cn: Some Employee
> sn: Employee
> objectClass: hgperson
> givenName: Some
> uid: semployee
> mail: semployee@highergear.com
>
> adding new entry uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>
> [root@ldap1-mw1 bin]#
>
> Search for entry on Master 1:
> [root@ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
> nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee@highergear.com
> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19718
> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
> [root@ldap1-mw1 bin]#
>
> Search for Entry on Master 2:
> [root@ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
> nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee@highergear.com
> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19718
> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
> [root@ldap2-mw1 bin]#
>
> Search for entry on consumer:
> [root@ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
> Enter bind password:
> version: 1
> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
> nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee@highergear.com
> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
> nscpEntryWsi: parentid: 11
> nscpEntryWsi: entryid: 19719
> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
> [root@ldap1 bin]#
>
>
>
>
> Richard Megginson wrote:
>> James B Newby wrote:
>>> Yes, it is a read-only consumer, set up as per instructions in the
>>> administration guide.
>>> My multi-master replication scheme works fine. When chaining is not
>>> set up, write operations to the read-only consumer fail. When
>>> chaining is set up, writes can be made to the read-only consumer but
>>> they do not propagate to the master.
>> But the entry is successfully added and can be successfully
>> searched. So it must exist on a master somewhere? Try this - do a
>> search for the entry after adding it - in addition to the usual
>> attributes, request the replication state information - ask for the
>> attribute nscpEntryWsi, and also the nsUniqueID attribute. With this
>> information, we can determine on which master (replica ID) the entry
>> was added on and at what time.
>>>
>>> Are there any other queries I should make to the server in order to
>>> give you more information?
>>>
>>> Richard Megginson wrote:
>>>> James B Newby wrote:
>>>>> Yes. I can add or modify entries on the consumer with update
>>>>> chaining set up, but those changes do not propagate to the
>>>>> master. If I search on the master for the entry created on the
>>>>> consumer:
>>>>>
>>>>> [root@ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=nbody
>>>>> Enter bind password:
>>>>> [root@ldap1-mw1 bin]$
>>>>>
>>>>> It's not there. As I said in an earlier message, I've followed
>>>>> the instructions in the Chain on Update HOWTO, but I can't get it
>>>>> to work. I've reviewed the Administrator Guide as well as
>>>>> searching the Internet for an answer but no luck.
>>>> So, is this a read-only consumer? If so, you should not be able
>>>> to write to it. That's what is confusing me. If this is a
>>>> read-only consumer, you should get an err=10 back from a write
>>>> operation if chaining is not set up.
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> James B Newby wrote:
>>>>>>> Well actually the entry was already there; I just made a small
>>>>>>> change to one of the attributes on the consumer through the
>>>>>>> directory console.
>>>>>>>
>>>>>>> I added a new entry on the consumer from the command line:
>>>>>>>
>>>>>>> [root@ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
>>>>>>> Enter bind password:
>>>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>> telephoneNumber: 800-555-5555
>>>>>>> userPassword:
>>>>>>> cn: No Body
>>>>>>> sn: Body
>>>>>>> objectClass: hgperson
>>>>>>> objectClass: inetorgperson
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: person
>>>>>>> objectClass: top
>>>>>>> givenName: No
>>>>>>> uid: nbody
>>>>>>> mail: nbody@highergear.com
>>>>>>> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>>
>>>>>>> [root@ldap1 bin]#
>>>>>>>
>>>>>>> Then I searched for that user on the consumer's command line:
>>>>>>> [root@ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w - -h localhost -p 1389 uid=nbody
>>>>>>> Enter bind password:
>>>>>>> version: 1
>>>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>> telephoneNumber: 800-555-5555
>>>>>>> cn: No Body
>>>>>>> sn: Body
>>>>>>> objectClass: hgperson
>>>>>>> objectClass: inetorgperson
>>>>>>> objectClass: organizationalPerson
>>>>>>> objectClass: person
>>>>>>> objectClass: top
>>>>>>> givenName: No
>>>>>>> uid: nbody
>>>>>>> mail: nbody@highergear.com
>>>>>>> userPassword: {SSHA}
>>>>>>> [root@ldap1 bin]#
>>>>>>>
>>>>>>> Here is what resulted in the access log of the consumer:
>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" method=128 version=3
>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
>>>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com"
>>>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0
>>>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
>>>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" method=128 version=3
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" scope=2 filter="(uid=nbody)" attrs=ALL
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND
>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1
>>>>>> So it appears to be working?
>>>>>>>
>>>>>>> I then searched for that new entry in the Directory Console and
>>>>>>> the following log entries resulted:
>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH base="ou=people,o=thgg,dc=hg,dc=com" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn (196)
>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 nentries=196 etime=0 notes=U
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 nentries=2 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101
>>>>>>>
nentries=0 etime=0 >>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH >>>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>>> attrs="numSubordinates nscpEntryDN subschemaSubentry >>>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >>>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix >>>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime >>>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit >>>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit >>>>>>> passwordHistory retryCountResetTime passwordAllowChangeTime aci >>>>>>> entryid nsIdleTimeout entrydn copyingFrom nsAccountLock >>>>>>> nsds5ReplConflict modifyTimestamp passwordGraceUserTime >>>>>>> passwordRetryCount nsUniqueId nsSchemaCSN creatorsName >>>>>>> nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp >>>>>>> nsLookThroughLimit *" >>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 >>>>>>> nentries=1 etime=0 >>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH >>>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>> filter="(objectClass=*)" attrs="*" >>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 >>>>>>> nentries=1 etime=0 >>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH >>>>>>> base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL >>>>>> This appears to be working also? >>>>>>> >>>>>>> -James >>>>>>> >>>>>>> Richard Megginson wrote: >>>>>>>> James B Newby wrote: >>>>>>>>> I found the MOD line in the consumer's access log. I saw no >>>>>>>>> entry in the master's access log regarding that entry. It >>>>>>>>> seems as if the request doesn't make it to the master. I can >>>>>>>>> telnet into the ldap port on the master from the consumer. 
>>>>>>>>> >>>>>>>>> I installed Fedora Directory Server from >>>>>>>>> fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three >>>>>>>>> machines are Intel/CentOS 4.3. >>>>>>>>> >>>>>>>>> -James >>>>>>>>> >>>>>>>>> In the consumer's access log: >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH >>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>>>>> attrs="nsRole nsRoleDN objectClass nsAccountLock" >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 >>>>>>>>> filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix" >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm >>>>>>>>> database, cn=plugins, cn=config" scope=2 >>>>>>>>> filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix >>>>>>>>> nsBackendSuffix" >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 >>>>>>>>> nentries=2 etime=0 >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 >>>>>>>>> filter="(objectClass=*)" attrs="nsBackendSuffix" >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC >>>>>>>>> uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm >>>>>>>>> database, cn=plugins, cn=config" scope=0 >>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn" >>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 >>>>>>>>> tag=101 nentries=0 etime=0 >>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH >>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>>>>> attrs="numSubordinates 
nscpEntryDN subschemaSubentry >>>>>>>>> nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic >>>>>>>>> nsAIMStatusText passwordExpirationTime nsBackendSuffix >>>>>>>>> hasSubordinates nsRole nsRoleDN accountUnlockTime >>>>>>>>> passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit >>>>>>>>> ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit >>>>>>>>> passwordHistory retryCountResetTime passwordAllowChangeTime >>>>>>>>> aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock >>>>>>>>> nsds5ReplConflict modifyTimestamp passwordGraceUserTime >>>>>>>>> passwordRetryCount nsUniqueId nsSchemaCSN creatorsName >>>>>>>>> nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp >>>>>>>>> nsLookThroughLimit *" >>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH >>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>>> filter="(objectClass=*)" attrs="*" >>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH >>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL >>>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 >>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD >>>>>>>>> dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" >>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 >>>>>>>>> nentries=0 etime=0 >>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH >>>>>>>>> base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 >>>>>>>>> filter="(|(objectClass=*)(objectClass=ldapsubentry))" >>>>>>>>> attrs="objectClass numSubordinates ref aci" >>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o >>>>>>>>> ou sn (1) >>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 
RESULT err=0 tag=101 >>>>>>>>> nentries=1 etime=0 notes=U >>>>>>>> Weird. It looks as though you added the entry to the local >>>>>>>> server, and were able to search for it right away. e.g. you >>>>>>>> search for uid=jhines, and the server replies with err=0 and >>>>>>>> nentries=1. Can you try the same search from the ldapsearch >>>>>>>> command line? >>>>>>>>> >>>>>>>>> >>>>>>>>> Richard Megginson wrote: >>>>>>>>>> James B Newby wrote: >>>>>>>>>>> Hello all, >>>>>>>>>>> >>>>>>>>>>> I'm having a problem with my consumer's chain on update. I >>>>>>>>>>> have a setup with two masters and one consumer. >>>>>>>>>>> Multi-master replication is working properly. Changes made >>>>>>>>>>> on either master propagate to the other master and to the >>>>>>>>>>> consumer. >>>>>>>>>>> >>>>>>>>>>> Before setting up chaining, changes made on the consumer >>>>>>>>>>> from the directory console would be denied. After setting >>>>>>>>>>> up chaining per the wiki entry: >>>>>>>>>>> http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate , >>>>>>>>>>> changes could be made on the consumer through the directory >>>>>>>>>>> console, but would not propagate to the master. >>>>>>>>>> How are you testing/verifying the change doesn't get >>>>>>>>>> through? Note that if you make the change in the console, >>>>>>>>>> the console will not automatically refresh. I would first >>>>>>>>>> check the access log on the consumer to find the ADD or MOD >>>>>>>>>> request, then see if that request made it to a master, then >>>>>>>>>> see if the master rejected it and why. >>>>>>>>>>> >>>>>>>>>>> I saw an e-mail with a similar problem in the December 2005 >>>>>>>>>>> archive, but didn't see any info in the replies that would >>>>>>>>>>> help me. I've tried setting this up from scratch a couple >>>>>>>>>>> times, but without success. The responses to ILoveJython's >>>>>>>>>>> email in December suggested that certain entries be pasted >>>>>>>>>>> in, so I've included them below. 
>>>>>>>>>>> >>>>>>>>>>> The following acl is included in dc=hg,dc=com: >>>>>>>>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization >>>>>>>>>>> for database links";allow (proxy) (userdn = >>>>>>>>>>> "ldap:///cn=Replication Manager, cn=config");) >>>>>>>>>>> Since multi-master replication is set up, this entry is >>>>>>>>>>> present on all three servers. >>>>>>>>>>> >>>>>>>>>>> Any help would be appreciated! Thanks! >>>>>>>>>>> >>>>>>>>>>> -James >>>>>>>>>>> >>>>>>>>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>>>>>>> objectClass: top >>>>>>>>>>> objectClass: extensibleObject >>>>>>>>>>> objectClass: nsMappingTree >>>>>>>>>>> nsslapd-state: backend >>>>>>>>>>> cn: "dc=hg,dc=com" >>>>>>>>>>> cn: dc=hg,dc=com >>>>>>>>>>> nsslapd-backend: userRoot >>>>>>>>>>> nsslapd-backend: chainbe1 >>>>>>>>>>> nsslapd-referral: >>>>>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>>> nsslapd-referral: >>>>>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>>> nsslapd-distribution-plugin: >>>>>>>>>>> /opt/fedora-ds/lib/replication-plugin.so >>>>>>>>>>> nsslapd-distribution-funct: repl_chain_on_update >>>>>>>>>>> >>>>>>>>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config >>>>>>>>>>> objectClass: nsDS5Replica >>>>>>>>>>> objectClass: top >>>>>>>>>>> nsDS5ReplicaRoot: dc=hg,dc=com >>>>>>>>>>> nsDS5ReplicaType: 2 >>>>>>>>>>> nsDS5Flags: 0 >>>>>>>>>>> nsds5ReplicaPurgeDelay: 604800 >>>>>>>>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config >>>>>>>>>>> cn: replica >>>>>>>>>>> nsDS5ReplicaId: 65535 >>>>>>>>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA= >>>>>>>>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000 >>>>>>>>>>> nsDS5ReplicaReferral: >>>>>>>>>>> ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>>> nsDS5ReplicaReferral: >>>>>>>>>>> ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com >>>>>>>>>>> nsds5ReplicaChangeCount: 0 >>>>>>>>>>> nsds5replicareapactive: 0 >>>>>>>>>>> >>>>>>>>>>> dn: 
cn=config,cn=chaining database,cn=plugins,cn=config >>>>>>>>>>> cn: config >>>>>>>>>>> objectClass: top >>>>>>>>>>> objectClass: extensibleObject >>>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2 >>>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9 >>>>>>>>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473 >>>>>>>>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12 >>>>>>>>>>> nspossiblechainingcomponents: cn=resource >>>>>>>>>>> limits,cn=components,cn=config >>>>>>>>>>> nspossiblechainingcomponents: cn=certificate-based >>>>>>>>>>> authentication,cn=component >>>>>>>>>>> s,cn=config >>>>>>>>>>> nspossiblechainingcomponents: cn=ACL >>>>>>>>>>> Plugin,cn=plugins,cn=config >>>>>>>>>>> nspossiblechainingcomponents: cn=old >>>>>>>>>>> plugin,cn=plugins,cn=config >>>>>>>>>>> nspossiblechainingcomponents: cn=referential integrity >>>>>>>>>>> postoperation,cn=plugin >>>>>>>>>>> s,cn=config >>>>>>>>>>> nspossiblechainingcomponents: cn=attribute >>>>>>>>>>> uniqueness,cn=plugins,cn=config >>>>>>>>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config >>>>>>>>>>> objectClass: top >>>>>>>>>>> objectClass: extensibleObject >>>>>>>>>>> objectClass: nsBackendInstance >>>>>>>>>>> cn: chainbe1 >>>>>>>>>>> nsslapd-suffix: dc=hg,dc=com >>>>>>>>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 >>>>>>>>>>> ldap2.mw1.highergear.com >>>>>>>>>>> :1389/ >>>>>>>>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config >>>>>>>>>>> nsmultiplexorcredentials: {DES} >>>>>>>>>>> nsbindconnectionslimit: 3 >>>>>>>>>>> nsoperationconnectionslimit: 20 >>>>>>>>>>> nsabandonedsearchcheckinterval: 1 >>>>>>>>>>> nsconcurrentbindlimit: 10 >>>>>>>>>>> nsconcurrentoperationslimit: 2 >>>>>>>>>>> nsproxiedauthorization: on >>>>>>>>>>> nsconnectionlife: 0 >>>>>>>>>>> nsbindtimeout: 15 >>>>>>>>>>> nsreferralonscopedsearch: off >>>>>>>>>>> nschecklocalaci: on >>>>>>>>>>> nsbindretrylimit: 3 >>>>>>>>>>> nsslapd-sizelimit: 2000 >>>>>>>>>>> nsslapd-timelimit: 3600 >>>>>>>>>>> 
nshoplimit: 10 >>>>>>>>>>> nsmaxresponsedelay: 60 >>>>>>>>>>> nsmaxtestresponsedelay: 15 >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>> ------------------------------------------------------------------------ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Fedora-directory-users mailing list >>>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> Fedora-directory-users mailing list >>>>>>>>> Fedora-directory-users at redhat.com >>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>> ------------------------------------------------------------------------ >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> Fedora-directory-users mailing list >>>>>>>> Fedora-directory-users at redhat.com >>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> Fedora-directory-users mailing list >>>>>>> Fedora-directory-users at redhat.com >>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> ------------------------------------------------------------------------ >>>>>> >>>>>> >>>>>> -- >>>>>> Fedora-directory-users mailing list >>>>>> Fedora-directory-users at redhat.com >>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> ------------------------------------------------------------------------ >>>> >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> Fedora-directory-users mailing list >>> 
Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3241 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Sep 6 00:26:48 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 05 Sep 2006 18:26:48 -0600 Subject: [Fedora-directory-users] Chain on Update Problem In-Reply-To: <44FE0B7A.60601@redhat.com> References: <44F89FC1.8070104@highergear.com> <44F8A876.2010905@redhat.com> <44F8BA2C.6070705@highergear.com> <44F8BBB4.2010306@redhat.com> <44F8C128.9020201@highergear.com> <44F8F982.4000305@redhat.com> <44FB3F35.7010709@highergear.com> <44FD8F70.5020809@redhat.com> <44FD9AA1.8070509@highergear.com> <44FDA420.8040304@redhat.com> <44FE097C.1010400@highergear.com> <44FE0B7A.60601@redhat.com> Message-ID: <44FE15C8.5040700@redhat.com> Nathan Kinder wrote: > Try using a different bind DN for chaining than your "cn=Replication > Manger, cn=config" user. It could be that replication is getting > confused when chaining updates are being performed by that user since > it will assume that updates by that user were sent via a replication > agreement. I would create a chaining specific user such as > "cn=Chaining Manager, cn=config" and configure chaining to use that user. I don't think that's the problem. Chain on Update is supposed to work with the repl manager DN - in fact it's much easier that way since that user already exists on all of the replicas. 
>
> -NGK
>
> James B Newby wrote:
>> Example 1:
>>
>> Adding an entry to the consumer:
>>
>> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
>> Enter bind password:
>> dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
>> objectClass: hgperson
>> telephonenumber: 555-555-5555
>> sn: Body
>> cn: Some Body
>> givenName: Some
>> mail: sbody at highergear.com
>> uid: sbody
>> adding new entry uid=sbody,ou=people,o=thgg,dc=hg,dc=com
>>
>> [root at ldap1 bin]#
>>
>> Searching for entry on consumer:
>>
>> [root at ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
>> Enter bind password:
>> version: 1
>> dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: dn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: objectClass: hgperson
>> nscpEntryWsi: objectClass: inetOrgPerson
>> nscpEntryWsi: objectClass: organizationalPerson
>> nscpEntryWsi: objectClass: person
>> nscpEntryWsi: objectClass: top
>> nscpEntryWsi: telephoneNumber: 555-555-5555
>> nscpEntryWsi: sn: Body
>> nscpEntryWsi: cn: Some Body
>> nscpEntryWsi: givenName: Some
>> nscpEntryWsi: mail: sbody at highergear.com
>> nscpEntryWsi: uid: sbody
>> nscpEntryWsi: creatorsName: cn=manager
>> nscpEntryWsi: modifiersName: cn=manager
>> nscpEntryWsi: createTimestamp: 20060905232428Z
>> nscpEntryWsi: modifyTimestamp: 20060905232428Z
>> nscpEntryWsi: nsUniqueId: 8e72a281-1dd211b2-8091a7e3-5afe0000
>> nscpEntryWsi: parentid: 11
>> nscpEntryWsi: entryid: 19720
>> nscpEntryWsi: entrydn: uid=sbody,ou=people,o=thgg,dc=hg,dc=com
>> nsUniqueID: 8e72a281-1dd211b2-8091a7e3-5afe0000
So the entry is being added to the consumer. The consumer must not have been configured properly to be a replication consumer for this suffix. If it were, and if it had been initialized from a master, you would not be able to do this.
>> [root at ldap1 bin]#
>>
>> Search for entry on Master 1:
>>
>> [root at ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
>> Enter bind password:
>> [root at ldap1-mw1 bin]#
>>
>> Search for entry on Master 2:
>>
>> [root at ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=sbody nscpEntryWsi nsUniqueID
>> Enter bind password:
>> [root at ldap2-mw1 bin]#
>>
>> -------------------------------------------------------
>>
>> Example 2:
>>
>> Create an entry on Master 1:
>>
>> [root at ldap1-mw1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
>> Enter bind password:
>> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> telephoneNumber: 800-555-5555
>> userPassword:
>> cn: Some Employee
>> sn: Employee
>> objectClass: hgperson
>> givenName: Some
>> uid: semployee
>> mail: semployee at highergear.com
>>
>> adding new entry uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>>
>> [root at ldap1-mw1 bin]#
>>
>> Search for entry on Master 1:
>> [root at ldap1-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
>> Enter bind password:
>> version: 1
>> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
>> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
>> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
>> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
>> nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
>> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
>> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
>> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
>> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
>> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
>> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
>> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
>> nscpEntryWsi: parentid: 11
>> nscpEntryWsi: entryid: 19718
>> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
>> [root at ldap1-mw1 bin]#
>>
>> Search for Entry on Master 2:
>> [root at ldap2-mw1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
>> Enter bind password:
>> version: 1
>> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
>> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
>> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
>> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
>> nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
>> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
>> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
>> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
>> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
>> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
>> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
>> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
>> nscpEntryWsi: parentid: 11
>> nscpEntryWsi: entryid: 19718
>> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
>> [root at ldap2-mw1 bin]#
>>
>> Search for entry on consumer:
>> [root at ldap1 bin]# ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=semployee nscpEntryWsi nsUniqueID
>> Enter bind password:
>> version: 1
>> dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: dn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nscpEntryWsi: telephoneNumber;vucsn-44fe0619000000010000: 800-555-5555
>> nscpEntryWsi: cn;vucsn-44fe0619000000010000: Some Employee
>> nscpEntryWsi: sn;vucsn-44fe0619000000010000: Employee
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: hgperson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: inetOrgPerson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: organizationalPerson
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: person
>> nscpEntryWsi: objectClass;vucsn-44fe0619000000010000: top
>> nscpEntryWsi: givenName;vucsn-44fe0619000000010000: Some
>> nscpEntryWsi: uid;vucsn-44fe0619000000010000;mdcsn-44fe0619000000010000: semployee
>> nscpEntryWsi: mail;vucsn-44fe0619000000010000: semployee at highergear.com
>> nscpEntryWsi: userPassword;vucsn-44fe0619000000010000: {SSHA}
>> nscpEntryWsi: creatorsName;vucsn-44fe0619000000010000: cn=manager
>> nscpEntryWsi: modifiersName;vucsn-44fe0619000000010000: cn=manager
>> nscpEntryWsi: createTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
>> nscpEntryWsi: modifyTimestamp;vucsn-44fe0619000000010000: 20060905231943Z
>> nscpEntryWsi: nsUniqueId: fd033081-1dd111b2-80cef01a-e8560000
>> nscpEntryWsi: parentid: 11
>> nscpEntryWsi: entryid: 19719
>> nscpEntryWsi: entrydn: uid=semployee,ou=people,o=thgg,dc=hg,dc=com
>> nsUniqueID: fd033081-1dd111b2-80cef01a-e8560000
>> [root at ldap1 bin]#
>>
>>
>>
>>
>> Richard Megginson wrote:
>>> James B Newby wrote:
>>>> Yes, it is a read-only consumer, set up as per instructions in the administration guide.
>>>> My multi-master replication scheme works fine. When chaining is not set up, write operations to the read-only consumer fail. When chaining is set up, writes can be made to the read-only consumer but they do not propagate to the master.
>>> But the entry is successfully added and can be successfully searched. So it must exist on a master somewhere? Try this - do a search for the entry after adding it - in addition to the usual attributes, request the replication state information - ask for the attribute nscpEntryWsi, and also the nsUniqueID attribute. With this information, we can determine on which master (replica ID) the entry was added on and at what time.
>>>>
>>>> Are there any other queries I should make to the server in order to give you more information?
>>>>
>>>> Richard Megginson wrote:
>>>>> James B Newby wrote:
>>>>>> Yes. I can add or modify entries on the consumer with update chaining set up, but those changes do not propagate to the master. If I search on the master for the entry created on the consumer:
>>>>>>
>>>>>> [root at ldap1-mw1 bin]$ ./ldapsearch -b dc=hg,dc=com -D cn=Manager -w - -h localhost -p 1389 uid=nbody
>>>>>> Enter bind password:
>>>>>> [root at ldap1-mw1 bin]$
>>>>>>
>>>>>> It's not there. As I said in an earlier message, I've followed the instructions in the Chain on Update HOWTO, but I can't get it to work. I've reviewed the Administrator Guide as well as searching the Internet for an answer but no luck.
>>>>> So, is this a read-only consumer? If so, you should not be able to write to it. That's what is confusing me. If this is a read-only consumer, you should get an err=10 back from a write operation if chaining is not set up.
>>>>>>
>>>>>> Richard Megginson wrote:
>>>>>>> James B Newby wrote:
>>>>>>>> Well actually the entry was already there; I just made a small change to one of the attributes on the consumer through the directory console.
>>>>>>>>
>>>>>>>> I added a new entry on the consumer from the command line:
>>>>>>>>
>>>>>>>> [root at ldap1 bin]# ./ldapmodify -a -D cn=Manager -w - -h localhost -p 1389
>>>>>>>> Enter bind password:
>>>>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>>> telephoneNumber: 800-555-5555
>>>>>>>> userPassword:
>>>>>>>> cn: No Body
>>>>>>>> sn: Body
>>>>>>>> objectClass: hgperson
>>>>>>>> objectClass: inetorgperson
>>>>>>>> objectClass: organizationalPerson
>>>>>>>> objectClass: person
>>>>>>>> objectClass: top
>>>>>>>> givenName: No
>>>>>>>> uid: nbody
>>>>>>>> mail: nbody at highergear.com
>>>>>>>> adding new entry uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>>>
>>>>>>>> [root at ldap1 bin]#
>>>>>>>>
>>>>>>>> Then I searched for that user on the consumer's command line:
>>>>>>>> [root at ldap1 bin]# ./ldapsearch -b "dc=hg,dc=com" -D cn=Manager -w - -h localhost -p 1389 uid=nbody
>>>>>>>> Enter bind password:
>>>>>>>> version: 1
>>>>>>>> dn: uid=nbody,ou=people,o=thgg,dc=hg,dc=com
>>>>>>>> telephoneNumber: 800-555-5555
>>>>>>>> cn: No Body
>>>>>>>> sn: Body
>>>>>>>> objectClass: hgperson
>>>>>>>> objectClass: inetorgperson
>>>>>>>> objectClass: organizationalPerson
>>>>>>>> objectClass: person
>>>>>>>> objectClass: top
>>>>>>>> givenName: No
>>>>>>>> uid: nbody
>>>>>>>> mail: nbody at highergear.com
>>>>>>>> userPassword: {SSHA}
>>>>>>>> [root at ldap1 bin]#
>>>>>>>>
>>>>>>>> Here is what resulted in the access log of the consumer:
>>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 BIND dn="cn=Manager" method=128 version=3
>>>>>>>> [01/Sep/2006:18:18:12 -0500] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
>>>>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 ADD dn="uid=nbody,ou=people,o=thgg,dc=hg,dc=com"
>>>>>>>> [01/Sep/2006:18:18:18 -0500] conn=4 op=1 RESULT err=0 tag=105 nentries=0 etime=0
>>>>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 UNBIND
>>>>>>>> [01/Sep/2006:18:18:21 -0500] conn=4 op=3 fd=66 closed - U1
>>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 fd=66 slot=66 connection from 127.0.0.1 to 127.0.0.1
>>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 BIND dn="cn=Manager" method=128 version=3
>>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=manager"
>>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 SRCH base="dc=hg,dc=com" scope=2 filter="(uid=nbody)" attrs=ALL
>>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 UNBIND
>>>>>>>> [01/Sep/2006:18:18:47 -0500] conn=5 op=2 fd=66 closed - U1
>>>>>>> So it appears to be working?
>>>>>>>>
>>>>>>>> I then searched for that new entry in the Directory Console and the following log entries resulted:
>>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SRCH base="ou=people,o=thgg,dc=hg,dc=com" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
>>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 SORT cn givenName o ou sn (196)
>>>>>>>> [01/Sep/2006:18:19:58 -0500] conn=0 op=28 RESULT err=0 tag=101 nentries=196 etime=0 notes=U
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=23 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=30 RESULT err=0 tag=101 nentries=2 etime=0
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=31 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 SRCH base="cn=MCC uid=nbody ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>>>>>>> [01/Sep/2006:18:20:04 -0500] conn=0 op=32 RESULT err=32 tag=101 nentries=0 etime=0
>>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
>>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=26 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
>>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=27 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>> [01/Sep/2006:18:20:05 -0500] conn=1 op=28 SRCH base="uid=nbody,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>>>>>>> This appears to be working also?
>>>>>>>>
>>>>>>>> -James
>>>>>>>>
>>>>>>>> Richard Megginson wrote:
>>>>>>>>> James B Newby wrote:
>>>>>>>>>> I found the MOD line in the consumer's access log. I saw no entry in the master's access log regarding that entry. It seems as if the request doesn't make it to the master. I can telnet into the ldap port on the master from the consumer.
>>>>>>>>>>
>>>>>>>>>> I installed Fedora Directory Server from fedora-ds-1.0.2-1.FC4.i386.opt.rpm on all machines. All three machines are Intel/CentOS 4.3.
>>>>>>>>>>
>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>> In the consumer's access log:
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=8 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=1 op=9 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 SRCH base="cn=ldbm database, cn=plugins, cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=14 RESULT err=0 tag=101 nentries=2 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsBackendSuffix"
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=15 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 SRCH base="cn=MCC uid=jhines ou=people o=thgg dc=hg dc=com, cn=chainbe1, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
>>>>>>>>>> [01/Sep/2006:17:41:34 -0500] conn=0 op=16 RESULT err=32 tag=101 nentries=0 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="numSubordinates nscpEntryDN subschemaSubentry nsYIMStatusGraphic modifiersName parentid nsICQStatusGraphic nsAIMStatusText passwordExpirationTime nsBackendSuffix hasSubordinates nsRole nsRoleDN accountUnlockTime passwordExpWarned nsYIMStatusText copiedFrom nsSizeLimit ldapSchemas nsAIMStatusGraphic dncomp nsTimeLimit passwordHistory retryCountResetTime passwordAllowChangeTime aci entryid nsIdleTimeout entrydn copyingFrom nsAccountLock nsds5ReplConflict modifyTimestamp passwordGraceUserTime passwordRetryCount nsUniqueId nsSchemaCSN creatorsName nsICQStatusText pwdpolicysubentry ldapSyntaxes createTimestamp nsLookThroughLimit *"
>>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=10 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
>>>>>>>>>> [01/Sep/2006:17:41:35 -0500] conn=1 op=11 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs=ALL
>>>>>>>>>> [01/Sep/2006:17:41:36 -0500] conn=1 op=12 RESULT err=0 tag=101 nentries=1 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 MOD dn="uid=jhines,ou=people,o=thgg,dc=hg,dc=com"
>>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=1 op=14 RESULT err=0 tag=103 nentries=0 etime=0
>>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SRCH base="uid=jhines,ou=people,o=thgg,dc=hg,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
>>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 SORT cn givenName o ou sn (1)
>>>>>>>>>> [01/Sep/2006:17:41:41 -0500] conn=0 op=18 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
>>>>>>>>> Weird. It looks as though you added the entry to the local server, and were able to search for it right away. e.g. you search for uid=jhines, and the server replies with err=0 and nentries=1. Can you try the same search from the ldapsearch command line?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Richard Megginson wrote:
>>>>>>>>>>> James B Newby wrote:
>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>
>>>>>>>>>>>> I'm having a problem with my consumer's chain on update. I have a setup with two masters and one consumer. Multi-master replication is working properly. Changes made on either master propagate to the other master and to the consumer.
>>>>>>>>>>>>
>>>>>>>>>>>> Before setting up chaining, changes made on the consumer from the directory console would be denied. After setting up chaining per the wiki entry: http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate , changes could be made on the consumer through the directory console, but would not propagate to the master.
>>>>>>>>>>> How are you testing/verifying the change doesn't get through? Note that if you make the change in the console, the console will not automatically refresh. I would first check the access log on the consumer to find the ADD or MOD request, then see if that request made it to a master, then see if the master rejected it and why.
>>>>>>>>>>>>
>>>>>>>>>>>> I saw an e-mail with a similar problem in the December 2005 archive, but didn't see any info in the replies that would help me. I've tried setting this up from scratch a couple times, but without success. The responses to ILoveJython's email in December suggested that certain entries be pasted in, so I've included them below.
>>>>>>>>>>>>
>>>>>>>>>>>> The following acl is included in dc=hg,dc=com:
>>>>>>>>>>>> (targetattr = "*")(version 3.0; acl "Proxied authorization for database links";allow (proxy) (userdn = "ldap:///cn=Replication Manager, cn=config");)
>>>>>>>>>>>> Since multi-master replication is set up, this entry is present on all three servers.
>>>>>>>>>>>>
>>>>>>>>>>>> Any help would be appreciated! Thanks!
>>>>>>>>>>>>
>>>>>>>>>>>> -James
>>>>>>>>>>>>
>>>>>>>>>>>> dn: cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>> objectClass: extensibleObject
>>>>>>>>>>>> objectClass: nsMappingTree
>>>>>>>>>>>> nsslapd-state: backend
>>>>>>>>>>>> cn: "dc=hg,dc=com"
>>>>>>>>>>>> cn: dc=hg,dc=com
>>>>>>>>>>>> nsslapd-backend: userRoot
>>>>>>>>>>>> nsslapd-backend: chainbe1
>>>>>>>>>>>> nsslapd-referral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>>> nsslapd-referral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>>> nsslapd-distribution-plugin: /opt/fedora-ds/lib/replication-plugin.so
>>>>>>>>>>>> nsslapd-distribution-funct: repl_chain_on_update
>>>>>>>>>>>>
>>>>>>>>>>>> dn: cn=replica,cn="dc=hg,dc=com",cn=mapping tree, cn=config
>>>>>>>>>>>> objectClass: nsDS5Replica
>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>> nsDS5ReplicaRoot: dc=hg,dc=com
>>>>>>>>>>>> nsDS5ReplicaType: 2
>>>>>>>>>>>> nsDS5Flags: 0
>>>>>>>>>>>> nsds5ReplicaPurgeDelay: 604800
>>>>>>>>>>>> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>>>>>>>>>>>> cn: replica
>>>>>>>>>>>> nsDS5ReplicaId: 65535
>>>>>>>>>>>> nsState:: //8AAIcx9kQAAAAAAAAAAAEAAAA=
>>>>>>>>>>>> nsDS5ReplicaName: ddc65803-1dd111b2-80e6a7e3-5afe0000
>>>>>>>>>>>> nsDS5ReplicaReferral: ldap://ldap1.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>>> nsDS5ReplicaReferral: ldap://ldap2.mw1.highergear.com:1389/dc=hg,dc=com
>>>>>>>>>>>> nsds5ReplicaChangeCount: 0
>>>>>>>>>>>> nsds5replicareapactive: 0
>>>>>>>>>>>>
>>>>>>>>>>>> dn: cn=config,cn=chaining database,cn=plugins,cn=config
>>>>>>>>>>>> cn: config
>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>> objectClass: extensibleObject
>>>>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.2
>>>>>>>>>>>> nstransmittedcontrols: 2.16.840.1.113730.3.4.9
>>>>>>>>>>>> nstransmittedcontrols: 1.2.840.113556.1.4.473
>>>>>>>>>>>> nstransmittedcontrols: 1.3.6.1.4.1.1466.29539.12
>>>>>>>>>>>> nspossiblechainingcomponents: cn=resource limits,cn=components,cn=config
>>>>>>>>>>>> nspossiblechainingcomponents: cn=certificate-based authentication,cn=components,cn=config
>>>>>>>>>>>> nspossiblechainingcomponents: cn=ACL Plugin,cn=plugins,cn=config
>>>>>>>>>>>> nspossiblechainingcomponents: cn=old plugin,cn=plugins,cn=config
>>>>>>>>>>>> nspossiblechainingcomponents: cn=referential integrity postoperation,cn=plugins,cn=config
>>>>>>>>>>>> nspossiblechainingcomponents: cn=attribute uniqueness,cn=plugins,cn=config
>>>>>>>>>>>>
>>>>>>>>>>>> dn: cn=chainbe1, cn=chaining database, cn=plugins, cn=config
>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>> objectClass: extensibleObject
>>>>>>>>>>>> objectClass: nsBackendInstance
>>>>>>>>>>>> cn: chainbe1
>>>>>>>>>>>> nsslapd-suffix: dc=hg,dc=com
>>>>>>>>>>>> nsfarmserverurl: ldap://ldap1.mw1.highergear.com:1389 ldap2.mw1.highergear.com:1389/
>>>>>>>>>>>> nsmultiplexorbinddn: cn=Replication Manager, cn=config
>>>>>>>>>>>> nsmultiplexorcredentials: {DES}
>>>>>>>>>>>> nsbindconnectionslimit: 3
>>>>>>>>>>>> nsoperationconnectionslimit: 20
>>>>>>>>>>>> nsabandonedsearchcheckinterval: 1
>>>>>>>>>>>> nsconcurrentbindlimit: 10
>>>>>>>>>>>> nsconcurrentoperationslimit: 2
>>>>>>>>>>>> nsproxiedauthorization: on
>>>>>>>>>>>> nsconnectionlife: 0
>>>>>>>>>>>> nsbindtimeout: 15
>>>>>>>>>>>> nsreferralonscopedsearch: off
>>>>>>>>>>>> nschecklocalaci: on
>>>>>>>>>>>> nsbindretrylimit: 3
>>>>>>>>>>>> nsslapd-sizelimit: 2000
>>>>>>>>>>>> nsslapd-timelimit: 3600
>>>>>>>>>>>> nshoplimit: 10
>>>>>>>>>>>> nsmaxresponsedelay: 60
>>>>>>>>>>>> nsmaxtestresponsedelay: 15
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL:

From pkime at Shopzilla.com Wed Sep 6 01:05:51 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Tue, 5 Sep 2006 18:05:51 -0700
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
Message-ID: <9C0091F428E697439E7A773FFD0834274358E6@szexchange.Shopzilla.inc>

> Weird. I just installed that rpm on a rhel4 x86_64 system and I got
> totally different numbers from what you reported in your earlier email,
> quoted below:

Sorry, me being stupid. I had followed the instructions here:

http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole

For getting the console up with SSL but had looked on the ftp server for the relevant Linux libs. Turns out that the jss3.3 on there is older than the included one.
Once I grabbed the original again, the LD_LIBRARY_PATH worked. However, when I put the right libjss3.so in, I can't start the console in X any more:

./startconsole -a https://ldapserver:38900/
Exception in thread "main" java.lang.UnsatisfiedLinkError: /opt/fedora-ds/lib/libjss3.so: /opt/fedora-ds/lib/libjss3.so: cannot open shared object file: No such file or directory

It can't load itself? Ldd output looks fine now.

So now my question is - which version is the libjss3 that comes with 1.0.2? And if I need to get X consoles working over SSL again, what version of the jss jar do I need? I seem to have a choice between a broken libjss3 which makes X consoles work and the right one, which doesn't ...

From rmeggins at redhat.com Wed Sep 6 01:21:55 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 05 Sep 2006 19:21:55 -0600
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question
In-Reply-To: <9C0091F428E697439E7A773FFD0834274358E6@szexchange.Shopzilla.inc>
References: <9C0091F428E697439E7A773FFD0834274358E6@szexchange.Shopzilla.inc>
Message-ID: <44FE22B3.5030506@redhat.com>

Philip Kime wrote:
>> Weird. I just installed that rpm on a rhel4 x86_64 system and I got
>> totally different numbers from what you reported in your earlier email,
>> quoted below:
>
> Sorry, me being stupid. I had followed the instructions here:
>
> http://directory.fedora.redhat.com/wiki/Howto:WindowsConsole
>
> For getting the console up with SSL but had looked on the ftp server
> for the relevant Linux libs.
What do you need the linux libs for? Are you trying to install a standalone console on another linux box than the one you installed the server on?
> Turns out that the jss3.3 on there is older than the included one. Once
> I grabbed the original again, the LD_LIBRARY_PATH worked. However, when
> I put the right libjss3.so in, I can't start the console in X any more:
>
> ./startconsole -a https://ldapserver:38900/
> Exception in thread "main" java.lang.UnsatisfiedLinkError: /opt/fedora-ds/lib/libjss3.so: /opt/fedora-ds/lib/libjss3.so: cannot open shared object file: No such file or directory
>
> It can't load itself? Ldd output looks fine now.
>
That usually means one of the dependent libs cannot be opened, either nss, nspr, the java lib, or one of the os libs.
> So now my question is - which version is the libjss3 that comes with
> 1.0.2?
3.7, which requires NSPR 4.6 or later and NSS 3.11 or later.
> And if I need to get X consoles working over SSL again, what version of
> the jss jar do I need? I seem to have a choice between a broken libjss3
> which makes X consoles work and the right one, which doesn't ...
>
I don't understand - are you trying to get the console running on windows or on linux?

From pkime at Shopzilla.com Wed Sep 6 02:49:57 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Tue, 5 Sep 2006 19:49:57 -0700
Subject: [Fedora-directory-users] Re: LD_LIBRARY_PATH question - SOLVED
Message-ID: <9C0091F428E697439E7A773FFD0834274358E7@szexchange.Shopzilla.inc>

Groan. I have solved the problem. It was a combination of things. I didn't realise that FDS would do SSL console connections in X out of the box. There is no need to get any other bits of Java and libs. The version of JSS that comes with 1.0.2 is 3.7, which is fine. Once I'd fixed that and reverted to the out of the box JSS .jar and lib, the error was

./startconsole -a https://ldapserver:38900/
Exception in thread "main" java.lang.UnsatisfiedLinkError: /opt/fedora-ds/lib/libjss3.so: /opt/fedora-ds/lib/libjss3.so: cannot open shared object file: No such file or directory

This is typically because you are using a 32-bit Java and trying to load a 64-bit library. As RM has said on other threads, just run "file" on the lib and on the java binary and if the Java is 32-bit but the library is 64-bit, that's the problem. That was exactly my problem. I downloaded Java originally without scrolling a little bit further down to find the x64 JDK ... when I swapped Java to a 64-bit version, it all worked fine.

Many thanks for the help, even though I was just being stupid ...

PK

From Diana.Shepard at cusys.edu Wed Sep 6 20:35:29 2006
From: Diana.Shepard at cusys.edu (Diana Shepard)
Date: Wed, 6 Sep 2006 14:35:29 -0600
Subject: [Fedora-directory-users] install/uninstall admin-serv
In-Reply-To: <44F622C3.6050006@redhat.com>
Message-ID: <7315857F21D51B449CC55ADE3A5683180156F2F7@ex2k3.ad.cusys.edu>

This problem was resolved by an install of the 64-bit, jdk1.5.0_08 from java.sun.com. Thanks to all who offered advice and solutions.

Diana Shepard
University of Colorado, Boulder

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
> Sent: Wednesday, August 30, 2006 5:44 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] install/uninstall admin-serv
>
> Diana Shepard wrote:
> > Thank you for your response. The file does exist in the
> > /opt/fedora-ds/lib directory, and is readable, even though the error
> > says:
> >
> > "/opt/fedora-ds/lib/libjss3.so: cannot open shared object file: No such file or directory"
> >
> > Why can't it find it! I tried setting an LD_LIBRARY_PATH; no help.
> >
> I believe there are some java or ld.so flags and/or environment
> variables that can provide greater detail about dynamic library
> loading. Does anyone know off the top of her/his head? Also, try
> writing a small test program that just loads in a JSS class to see
> what that does.
> > Also, ldd shows:
> >
> > # ldd /opt/fedora-ds/lib/libjss3.so
> > libnss3.so => /opt/fedora-ds/bin/admin/lib/libnss3.so (0x0000002a95682000)
> > libsmime3.so => /opt/fedora-ds/bin/admin/lib/libsmime3.so (0x0000002a95808000)
> > libssl3.so => /opt/fedora-ds/bin/admin/lib/libssl3.so (0x0000002a95933000)
> > libplc4.so => /opt/fedora-ds/bin/admin/lib/libplc4.so (0x0000002a95a60000)
> > libplds4.so => /opt/fedora-ds/bin/admin/lib/libplds4.so (0x0000002a95b65000)
> > libnspr4.so => /opt/fedora-ds/bin/admin/lib/libnspr4.so (0x0000002a95c68000)
> > libc.so.6 => /lib64/tls/libc.so.6 (0x0000002a95dae000)
> > libsoftokn3.so => /opt/fedora-ds/bin/admin/lib/libsoftokn3.so (0x0000002a95fe2000)
> > libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x0000002a9613a000)
> > libdl.so.2 => /lib64/libdl.so.2 (0x0000002a96250000)
> > /lib64/ld-linux-x86-64.so.2 (0x000000552aaaa000)
> >
> > Diana Shepard
> >
> >> -----Original Message-----
> >> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Rob Crittenden
> >> Sent: Wednesday, August 30, 2006 2:48 PM
> >> To: General discussion list for the Fedora Directory server project.
> >> Subject: Re: [Fedora-directory-users] install/uninstall admin-serv
> >>
> >> Your problem seems to be with the console client, not with the admin
> >> server. For some reason libjss3.so can't be loaded.
> >> This could be an architecture problem which is why Rich asked what you
> >> are running.
> >>
> >> You might try things like:
> >>
> >> # find /opt/fedora-ds -name libjss3.so (should be /opt/fedora-ds/lib/libjss3.so)
> >> # file /path/to/libjss3.so
> >> # ldd /path/to/libjss3.so
> >>
> >> Now the ldd may return some "not found". Many libraries are included
> >> locally in /opt/fedora-ds.
> >>
> >> rob
> >>
> >> Diana Shepard wrote:
> >>
> >>> So back to my original question, is there a way to uninstall and
> >>> reinstall the admin-serv only?
> >>>
> >>> Diana Shepard
> >>>
> >>>> -----Original Message-----
> >>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
> >>>> Sent: Tuesday, August 29, 2006 5:28 PM
> >>>> To: General discussion list for the Fedora Directory server project.
> >>>> Subject: Re: [Fedora-directory-users] install/uninstall admin-serv
> >>>>
> >>>> Diana Shepard wrote:
> >>>>
> >>>>> Not sure how to tell if it is "a 64-bit java executable", but a clone
> >>>>> of the box (a multi-master replicated environment) has no problems
> >>>>> with the admin-server.
> >>>>>
> >>>> Weird. To find out if it is a 64-bit native executable, do ls -l
> >>>> `which java` and keep following the symlinks (if any) until you find
> >>>> one that is not a symlink, then do file /path/to/that/java - note
> >>>> that if it points to /etc/alternatives/java, do
> >>>> /usr/sbin/alternatives --display java to find out which java
> >>>> executable it's using. If file tells you its a bourne script, you'll
> >>>> have to look in the bourne script file to find out where the real
> >>>> java executable is. For example, on my FC5 32bit system, I have the
> >>>> IBM JDK installed:
> >>>> # file /usr/lib/jvm/java-1.4.2-ibm-1.4.2.2/jre/bin/java.bin
> >>>> /usr/lib/jvm/java-1.4.2-ibm-1.4.2.2/jre/bin/java.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, not stripped
> >>>>
> >>>>> Diana Shepard
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
> >>>>>> Sent: Monday, August 28, 2006 8:37 PM
> >>>>>> To: General discussion list for the Fedora Directory server project.
> >>>>>> Subject: Re: [Fedora-directory-users] install/uninstall admin-serv
> >>>>>>
> >>>>>> Diana Shepard wrote:
> >>>>>>
> >>>>>>> I'm running 64-bit RedHat Linux AS, version 4, 64-bit). java
> >>>>>>> 1.4.2_04.
> >>>>>>>
> >>>>>> Is it a 64-bit java executable? I think a 32-bit java might have
> >>>>>> problems loading 64-bit shared libs such as are included with the
> >>>>>> 64-bit Fedora DS.
> >>>>>>
> >>>>>>> Diana Shepard
> >>>>>>>
> >>>>>>>> -----Original Message-----
> >>>>>>>> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
> >>>>>>>> Sent: Monday, August 28, 2006 4:44 PM
> >>>>>>>> To: General discussion list for the Fedora Directory server project.
> >>>>>>>> Subject: Re: [Fedora-directory-users] install/uninstall admin-serv
> >>>>>>>>
> >>>>>>>> Diana Shepard wrote:
> >>>>>>>>
> >>>>>>>>> The problem is that whenever I try to start the Directory Server
> >>>>>>>>> Console via command line "startconsole", I get the following error
> >>>>>>>>> (libjss3.so is in /opt/fedora-ds/lib, and readable):
> >>>>>>>>>
> >>>>>>>> What OS and version are you running? 32bit or 64bit? Which java
> >>>>>>>> are you using?
> >>>>>>>>
> >>>>>>>>> Exception in thread "main" java.lang.UnsatisfiedLinkError: /opt/fedora-ds/lib/libjss3.so: /opt/fedora-ds/lib/libjss3.so: cannot open shared object file: No such file or directory
> >>>>>>>>> at java.lang.ClassLoader$NativeLibrary.load(Native Method)
> >>>>>>>>> at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1560)
> >>>>>>>>> at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1485)
> >>>>>>>>> at java.lang.Runtime.loadLibrary0(Runtime.java:788)
> >>>>>>>>> at java.lang.System.loadLibrary(System.java:834)
> >>>>>>>>> at org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1330)
> >>>>>>>>> at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:822)
> >>>>>>>>> at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:795)
> >>>>>>>>> at com.netscape.management.client.util.UtilConsoleGlobals.initJSS(Unknown Source)
> >>>>>>>>> at com.netscape.management.client.util.UtilConsoleGlobals.getLDAPSSLSocketFactory(Unknown Source)
> >>>>>>>>> at com.netscape.management.client.console.Console.LDAPinitialization(Unknown Source)
> >>>>>>>>> at com.netscape.management.client.console.Console.(Unknown Source)
> >>>>>>>>> at com.netscape.management.client.console.Console.main(Unknown Source)
> >>>>>>>>>
> >>>>>>>>> Diana Shepard
> >>>>>>>>>
> >>>>>>>>> Date: Mon, 28 Aug 2006 15:59:40 -0600
> >>>>>>>>> From: Richard Megginson
> >>>>>>>>> Subject: Re: [Fedora-directory-users] install/uninstall admin-serv only
> >>>>>>>>> To: "General discussion list for the Fedora Directory server project."
> >>>>>>>>> Message-ID: <44F3674C.1090202 at redhat.com>
> >>>>>>>>> Content-Type: text/plain; charset="iso-8859-1"
> >>>>>>>>>
> >>>>>>>>> Diana Shepard wrote:
> >>>>>>>>>
> >>>>>>>>>> Is there a way to uninstall and reinstall the admin-serv only?
> >>>>>>>>>>
> >>>>>>>>> Maybe, it depends.
> >>>>>>>>>
> >>>>>>>>>> Mine seems to have gotten corrupted somehow.
> >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>> What seems to be the problem? > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>>> Diana Shepard > >>>>>>>>>> University of Colorado > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >> > --------------------------------------------------------------------- > >> > >>>>>> - > >>>>>> > >>>>>> > >>>>>>>> > >>>>>>>> > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > From bmathieu at siris.sorbonne.fr Thu Sep 7 10:15:44 2006 From: bmathieu at siris.sorbonne.fr (basile) Date: Thu, 07 Sep 2006 12:15:44 +0200 Subject: [Fedora-directory-users] scheduled backup In-Reply-To: <44FD8E8F.2040507@redhat.com> References: <44FD5EFC.4020005@siris.sorbonne.fr> <44FD8E8F.2040507@redhat.com> Message-ID: <44FFF150.5090000@siris.sorbonne.fr> when i do a backup with redhat console does i use the script db2bak ( or which script ? ) thanks basile Richard Megginson wrote: > basile wrote: > >> hi >> is it possible to scheduled backup through fedora console > > No. I guess the usual way to do this is to set up a cron script. > >> thanks >> basile >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > From rmeggins at redhat.com Thu Sep 7 12:25:20 2006 From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 07 Sep 2006 06:25:20 -0600 Subject: [Fedora-directory-users] scheduled backup In-Reply-To: <44FFF150.5090000@siris.sorbonne.fr> References: <44FD5EFC.4020005@siris.sorbonne.fr> <44FD8E8F.2040507@redhat.com> <44FFF150.5090000@siris.sorbonne.fr> Message-ID: <45000FB0.1020006@redhat.com> basile wrote: > when i do a backup with redhat console does i use the script db2bak ( > or which script ? 
> )

Console probably uses the cn=tasks interface to initiate a backup via LDAP. See the db2bak.pl script for more details.

> thanks
> basile
>
> Richard Megginson wrote:
>> basile wrote:
>>> hi
>>> is it possible to schedule backups through the Fedora console
>>
>> No. I guess the usual way to do this is to set up a cron script.
>>
>>> thanks
>>> basile

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature

From Diana.Shepard at cusys.edu Thu Sep 7 18:15:25 2006
From: Diana.Shepard at cusys.edu (Diana Shepard)
Date: Thu, 7 Sep 2006 12:15:25 -0600
Subject: [Fedora-directory-users] ds_newinst.pl
Message-ID: <7315857F21D51B449CC55ADE3A5683180156F445@ex2k3.ad.cusys.edu>

I have Fedora Directory Server 1.0.2 installed on Redhat Linux. I am trying to come up with a Disaster Recovery kickstart install of the server, Directory Server (DS) and DS contents.

I tried ds_newinst.pl, as described in the Fedora DS Install Guide, to create a new DS instance from the command line, using the following ".inf" file:

[General]
FullMachineName= drtest.cusys.edu
SuiteSpotUserID= ldap
ServerRoot= /opt/fedora-ds
[slapd]
ServerPort= 40003
ServerIdentifier= sisauth
Suffix= dc=cusys,dc=edu
RootDN= cn=Directory Manager
RootDNPwd= xxxxxxxx

It executed successfully, created the expected directory structure, the DS is listening on the correct port, but when I go to the Console, the 2nd "sisauth" instance (the first being "config") isn't there. How can that be?
Diana Shepard
University of Colorado

From rmeggins at redhat.com Thu Sep 7 18:32:57 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 07 Sep 2006 12:32:57 -0600
Subject: [Fedora-directory-users] ds_newinst.pl
In-Reply-To: <7315857F21D51B449CC55ADE3A5683180156F445@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683180156F445@ex2k3.ad.cusys.edu>
Message-ID: <450065D9.5060308@redhat.com>

Diana Shepard wrote:
> I have Fedora Directory Server 1.0.2 installed on Redhat Linux. I am trying to come up with a Disaster Recovery kickstart install of the server, Directory Server (DS) and DS contents.
>
> I tried ds_newinst.pl, as described in the Fedora DS Install Guide, to create a new DS instance from the command line, using the following ".inf" file:
>
> [General]
> FullMachineName= drtest.cusys.edu
> SuiteSpotUserID= ldap
> ServerRoot= /opt/fedora-ds
> [slapd]
> ServerPort= 40003
> ServerIdentifier= sisauth
> Suffix= dc=cusys,dc=edu
> RootDN= cn=Directory Manager
> RootDNPwd= xxxxxxxx
>
> It executed successfully, created the expected directory structure, the DS is listening on the correct port, but when I go to the Console, the 2nd "sisauth" instance (the first being "config") isn't there. How can that be?

ds_newinst.pl does not register any information in the console - it merely creates/copies in the config files. ds_newinst.pl was created for the 7.1 release which used pre-open source setup, console, and admin server code. We needed a way to create an instance using completely open source code, which meant we could not use setup, console, admin server, etc. But this is a moot point since the 1.0 release of open source everything.

If you need to create a new instance from the command line, and have all of the admin server/console registration done, you should use bin/slapd/admin/bin/ds_create e.g.
cd bin/slapd/admin/bin
./ds_create -s -f /path/to/your/install.inf

> Diana Shepard
> University of Colorado

From joshkel at gmail.com Thu Sep 7 20:49:57 2006
From: joshkel at gmail.com (Josh Kelley)
Date: Thu, 7 Sep 2006 16:49:57 -0400
Subject: [Fedora-directory-users] SASL authentication
Message-ID: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com>

SASL authentication appears to be operating incorrectly on my install of FDS. We do not use SASL; our passwords are stored in FDS using CRYPT-MD5, SMD5, and SSHA256, depending on when and how the account's password was last changed. As I understand it, SASL authentication using DIGEST-MD5 and CRAM-MD5 only works if passwords are stored in cleartext in FDS. Is this correct?

The problem is that our OS X clients, when configured for LDAP authentication, try a SASL bind (CRAM-MD5) first then fall back to a simple bind if that fails. When OS X checks a login against an OpenLDAP server, the server returns resultCode 80 (other), error message "SASL(-13): user not found: no secret in database", and so the client falls back to a simple bind. However, when OS X tries a SASL bind against FDS, the server returns resultCode 49 (invalidCredentials), error message "SASL(-13): authentication failure: incorrect digest response", and so the client assumes that the login failed.

Is this a bug in FDS? Or did I misconfigure something? Is there an easy workaround? Our Macs are mostly unusable until I can get this fixed.

Thanks.
Josh Kelley

From rmeggins at redhat.com Thu Sep 7 20:57:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 07 Sep 2006 14:57:52 -0600
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com>
References: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com>
Message-ID: <450087D0.9000305@redhat.com>

Josh Kelley wrote:
> SASL authentication appears to be operating incorrectly on my install of FDS. We do not use SASL; our passwords are stored in FDS using CRYPT-MD5, SMD5, and SSHA256, depending on when and how the account's password was last changed. As I understand it, SASL authentication using DIGEST-MD5 and CRAM-MD5 only works if passwords are stored in cleartext in FDS. Is this correct?

Yes.

> The problem is that our OS X clients, when configured for LDAP authentication, try a SASL bind (CRAM-MD5) first then fall back to a simple bind if that fails. When OS X checks a login against an OpenLDAP server, the server returns resultCode 80 (other), error message "SASL(-13): user not found: no secret in database", and so the client falls back to a simple bind. However, when OS X tries a SASL bind against FDS, the server returns resultCode 49 (invalidCredentials), error message "SASL(-13): authentication failure: incorrect digest response", and so the client assumes that the login failed.
>
> Is this a bug in FDS? Or did I misconfigure something? Is there an easy workaround?

I'm not sure. Is it the LDAP resultCode that causes the OS X clients to fail, or is it the SASL return code?

> Our Macs are mostly unusable until I can get this fixed.
>
> Thanks.
>
> Josh Kelley
From joshkel at gmail.com Thu Sep 7 21:04:17 2006
From: joshkel at gmail.com (Josh Kelley)
Date: Thu, 7 Sep 2006 17:04:17 -0400
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <450087D0.9000305@redhat.com>
References: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com> <450087D0.9000305@redhat.com>
Message-ID: <97cbd1a90609071404o7e6bfbd5h80d7d338d85cdd8e@mail.gmail.com>

On 9/7/06, Richard Megginson wrote:
> Josh Kelley wrote:
>> Is this a bug in FDS? Or did I misconfigure something? Is there an easy workaround?
> I'm not sure. Is it the LDAP resultCode that causes the OS X clients to fail, or is it the SASL return code?

I assume it's the LDAP resultCode - the only SASL result that the client sees appears to be a text error message, and I doubt OS X bothers to parse that - but I don't know of an easy way to check.

Josh Kelley

From rmeggins at redhat.com Thu Sep 7 21:21:18 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 07 Sep 2006 15:21:18 -0600
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <97cbd1a90609071404o7e6bfbd5h80d7d338d85cdd8e@mail.gmail.com>
References: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com> <450087D0.9000305@redhat.com> <97cbd1a90609071404o7e6bfbd5h80d7d338d85cdd8e@mail.gmail.com>
Message-ID: <45008D4E.1010800@redhat.com>

Josh Kelley wrote:
> On 9/7/06, Richard Megginson wrote:
>> Josh Kelley wrote:
>>> Is this a bug in FDS? Or did I misconfigure something? Is there an easy workaround?
>> I'm not sure. Is it the LDAP resultCode that causes the OS X clients to fail, or is it the SASL return code?
>
> I assume it's the LDAP resultCode - the only SASL result that the client sees appears to be a text error message, and I doubt OS X bothers to parse that - but I don't know of an easy way to check.
I checked RFC 4513 - http://www.ietf.org/rfc/rfc4513.txt - it doesn't say anything about the correct result code to return in this case, other than it is an error if anything other than success or bindinprogress is returned. You might want to ask on ldap at umich.edu or on IRC.freenode.net #ldap if there is a standard that covers this case.

> Josh Kelley

From david_list at boreham.org Thu Sep 7 21:37:25 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 07 Sep 2006 15:37:25 -0600
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <45008D4E.1010800@redhat.com>
References: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com> <450087D0.9000305@redhat.com> <97cbd1a90609071404o7e6bfbd5h80d7d338d85cdd8e@mail.gmail.com> <45008D4E.1010800@redhat.com>
Message-ID: <45009115.7070302@boreham.org>

One thing to observe here is that _generally_ one does not want to reveal more information to a potential attacker than is necessary. In this case it may be useful for a bad guy to know that there is no plaintext password vs. only knowing that authentication failed. Put another way: attempts to authenticate generally result in a binary succeed/fail result (excepting perhaps cases like 'your password has expired', which is only returned when an old but valid password is presented).
From mikael.kermorgant at gmail.com Fri Sep 8 12:30:27 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Fri, 8 Sep 2006 14:30:27 +0200
Subject: [Fedora-directory-users] ds gateway behind apache proxy
Message-ID: <9711147e0609080530x15c23e2fpd00dedafd795a4e@mail.gmail.com>

Hello,

I have installed FDS and activated dsgw which listens on a particular port, let's say 29154.

I have managed to access it on port 80 by running apache2 on the same host and setting up mod_proxy in a particular way but it only works for some pages.

RewriteRule ^/clients(.*) /directory/clients$1 [R]

ProxyPass http://ds.myorg.com:29154/
ProxyPassReverse http://ds.myorg.com:29154/

My problem is that there are hard-coded references to this port in the html files. For an example, after authentication, I have :

Is there a way to configure this ?

Thanks in advance,

--
Mikael Kermorgant

From rcritten at redhat.com Fri Sep 8 13:21:08 2006
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 08 Sep 2006 09:21:08 -0400
Subject: [Fedora-directory-users] ds gateway behind apache proxy
In-Reply-To: <9711147e0609080530x15c23e2fpd00dedafd795a4e@mail.gmail.com>
References: <9711147e0609080530x15c23e2fpd00dedafd795a4e@mail.gmail.com>
Message-ID: <45016E44.5030306@redhat.com>

Mikael Kermorgant wrote:
> Hello,
>
> I have installed FDS and activated dsgw which listens on a particular port, let's say 29154.
>
> I have managed to access it on port 80 by running apache2 on the same host and setting up mod_proxy in a particular way but it only works for some pages.
>
> RewriteRule ^/clients(.*) /directory/clients$1 [R]
>
> ProxyPass http://ds.myorg.com:29154/
> ProxyPassReverse http://ds.myorg.com:29154/
>
> My problem is that there are hard-coded references to this port in the html files.
> For an example, after authentication, I have :
>
> onClick="top.location.href=\'http://ds.myorg.com:29154/clients/dsgw/bin/lang?context=dsgw&file=\'">
>
> Is there a way to configure this ?

I would use squid instead of Apache for a reverse proxy. It should automatically fix things up for you.

Or you can have Apache re-write the URLs for you. See here for an example: http://www.daveyp.com/blog/index.php/archives/76/

rob

From mikael.kermorgant at gmail.com Fri Sep 8 14:10:32 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Fri, 8 Sep 2006 16:10:32 +0200
Subject: [Fedora-directory-users] ds gateway behind apache proxy
In-Reply-To: <45016E44.5030306@redhat.com>
References: <9711147e0609080530x15c23e2fpd00dedafd795a4e@mail.gmail.com> <45016E44.5030306@redhat.com>
Message-ID: <9711147e0609080710j31ad054dvc64722f7e258a5b4@mail.gmail.com>

Thanks ! That's exactly what I needed.

--
Mikael Kermorgant

From joshkel at gmail.com Fri Sep 8 14:35:14 2006
From: joshkel at gmail.com (Josh Kelley)
Date: Fri, 8 Sep 2006 10:35:14 -0400
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <45008D4E.1010800@redhat.com>
References: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com> <450087D0.9000305@redhat.com> <97cbd1a90609071404o7e6bfbd5h80d7d338d85cdd8e@mail.gmail.com> <45008D4E.1010800@redhat.com>
Message-ID: <97cbd1a90609080735n5a3ba8b3pca4044c1be7a0ed6@mail.gmail.com>

On 9/7/06, Richard Megginson wrote:
> I checked RFC 4513 - http://www.ietf.org/rfc/rfc4513.txt - it doesn't say anything about the correct result code to return in this case, other than it is an error if anything other than success or bindinprogress is returned.
> You might want to ask on ldap at umich.edu or on IRC.freenode.net #ldap if there is a standard that covers this case.

Thanks for the suggestion. I'll ask.

I skimmed RFC 4513 (sans coffee) and didn't find the section you're referring to. I did see that RFC 4422 (last paragraph of section 3.6) seems to suggest that OS X's and OpenLDAP's behavior is legitimate and useful.

Even if the standards permit either behavior (and even if it's slightly more secure to not reveal additional information, as David Boreham pointed out), wouldn't it be worth having FDS compatible with OpenLDAP and OS X?

Josh Kelley

From rmeggins at redhat.com Fri Sep 8 15:01:41 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 08 Sep 2006 09:01:41 -0600
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <97cbd1a90609080735n5a3ba8b3pca4044c1be7a0ed6@mail.gmail.com>
References: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com> <450087D0.9000305@redhat.com> <97cbd1a90609071404o7e6bfbd5h80d7d338d85cdd8e@mail.gmail.com> <45008D4E.1010800@redhat.com> <97cbd1a90609080735n5a3ba8b3pca4044c1be7a0ed6@mail.gmail.com>
Message-ID: <450185D5.10608@redhat.com>

Josh Kelley wrote:
> On 9/7/06, Richard Megginson wrote:
>> I checked RFC 4513 - http://www.ietf.org/rfc/rfc4513.txt - it doesn't say anything about the correct result code to return in this case, other than it is an error if anything other than success or bindinprogress is returned. You might want to ask on ldap at umich.edu or on IRC.freenode.net #ldap if there is a standard that covers this case.
>
> Thanks for the suggestion. I'll ask.
>
> I skimmed RFC 4513 (sans coffee) and didn't find the section you're referring to. I did see that RFC 4422 (last paragraph of section 3.6) seems to suggest that OS X's and OpenLDAP's behavior is legitimate and useful.

Yes. But it seems to differ from the behavior of a simple bind (rfc4513 5.1.3).
In a simple bind, the server resultCode differentiates these cases:
1) Invalid bind DN results in a noSuchObject (well, not exactly specified, but this is the usual behavior)
2) Valid bind DN but invalid password results in invalidCredentials

However, the rfc (and also rfc 4511 Appendix A LDAP Result Codes) says that other codes may be substituted for the above "to prevent unauthorized disclosures (such as substitution of noSuchObject for insufficientAccessRights, or invalidCredentials for insufficientAccessRights)."

The SASL doc (rfc4422) says:

"It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user."

So it seems that SASL wants the server not to differentiate these cases, probably for security reasons. But this makes sasl binds have different semantics than simple binds.

> Even if the standards permit either behavior (and even if it's slightly more secure to not reveal additional information, as David Boreham pointed out), wouldn't it be worth having FDS compatible with OpenLDAP and OS X?

Yes. And please file a bug about this at http://bugzilla.redhat.com/

> Josh Kelley
From david_list at boreham.org Fri Sep 8 15:04:14 2006
From: david_list at boreham.org (David Boreham)
Date: Fri, 08 Sep 2006 09:04:14 -0600
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <97cbd1a90609080735n5a3ba8b3pca4044c1be7a0ed6@mail.gmail.com>
References: <97cbd1a90609071349v49f2fe89x8810b83dd9e3e284@mail.gmail.com> <450087D0.9000305@redhat.com> <97cbd1a90609071404o7e6bfbd5h80d7d338d85cdd8e@mail.gmail.com> <45008D4E.1010800@redhat.com> <97cbd1a90609080735n5a3ba8b3pca4044c1be7a0ed6@mail.gmail.com>
Message-ID: <4501866E.7070303@boreham.org>

> I skimmed RFC 4513 (sans coffee) and didn't find the section you're referring to. I did see that RFC 4422 (last paragraph of section 3.6) seems to suggest that OS X's and OpenLDAP's behavior is legitimate and useful.

I'm not sure I read that there. I see this :

It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user.

This is exactly what I was saying and would appear to be the opposite of what OpenLDAP have implemented.

Back a bit in that same paragraph it says :

The outcome is not successful if ... - the client's credentials could not be verified,

which again seems to be in line with the FDS implementation because it tells the client that the authentication attempt was unsuccessful.
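An added model of the two behaviours argued over in this thread (constructed example, not code from the thread, from FDS or from OpenLDAP): a CRAM-MD5-first client with the OS X-style fallback Josh describes, against a server that either returns resultCode 80 with "no secret in database" (the OpenLDAP 2.2 behaviour) or, as RFC 4422 recommends and Richard and David discuss, answers every failure with the same invalidCredentials and keeps the reason in its own log. Directory contents, passwords, salts and the in-memory "server" are all assumptions; the CRAM-MD5 exchange is simplified to the HMAC-MD5 step.

```python
"""Model of a SASL-first LDAP client against two server policies.

uniform=False : resultCode 80 + "no secret in database" when the entry has no
                cleartext password (the OpenLDAP 2.2 behaviour quoted above).
uniform=True  : every failure is invalidCredentials (49) with one message;
                the reason is only written to the server log.
"""
import base64
import hashlib
import hmac
import os

SUCCESS, INVALID_CREDENTIALS, OTHER = 0, 49, 80   # RFC 4511 Appendix A names


def ssha(password: str, salt: bytes) -> str:
    """Standard {SSHA} storage scheme: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]            # SHA-1 digest is 20 bytes
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


# Constructed directory. alice keeps a cleartext password (the only case in which
# CRAM-MD5 can be verified, as the thread notes); bob's is hashed with SSHA.
DIRECTORY = {
    "alice": "{CLEAR}alice-secret",
    "bob": ssha("bob-secret", b"saltsalt"),
}


def cram_md5_response(password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the password over the challenge."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def server_sasl_bind(user: str, response: str, challenge: bytes, uniform: bool):
    """Returns (resultCode, diagnostic message sent to the client, server log line)."""
    stored = DIRECTORY.get(user)
    if stored is None:
        reason = "no-such-user"
    elif not stored.startswith("{CLEAR}"):
        reason = "no-secret-in-database"         # hashed password: CRAM-MD5 cannot verify it
    elif hmac.compare_digest(cram_md5_response(stored[len("{CLEAR}"):], challenge), response):
        return SUCCESS, "", f"sasl bind ok user={user}"
    else:
        reason = "incorrect-digest"
    log = f"sasl bind failed user={user} reason={reason}"
    if uniform:
        # RFC 4422 style: unknown user, hashed password and wrong password all look alike.
        return INVALID_CREDENTIALS, "SASL(-13): authentication failure", log
    if reason == "incorrect-digest":
        return INVALID_CREDENTIALS, "SASL(-13): authentication failure: incorrect digest response", log
    return OTHER, "SASL(-13): user not found: no secret in database", log


def server_simple_bind(user: str, password: str) -> int:
    stored = DIRECTORY.get(user)
    if stored is None:
        return INVALID_CREDENTIALS
    if stored.startswith("{CLEAR}"):
        ok = hmac.compare_digest(stored[len("{CLEAR}"):], password)
    else:
        ok = check_ssha(stored, password)
    return SUCCESS if ok else INVALID_CREDENTIALS


def client_login(user: str, password: str, uniform: bool) -> dict:
    """OS X-style client: CRAM-MD5 first, simple bind only after resultCode 80."""
    challenge = os.urandom(16)
    code, _msg, _log = server_sasl_bind(user, cram_md5_response(password, challenge), challenge, uniform)
    if code == SUCCESS:
        return {"ok": True, "mechanism": "CRAM-MD5", "code": code}
    if code != OTHER:
        # 49 means "rejected" to this client, so the simple bind is never tried:
        # bob's correct but hashed password fails against a uniform server.
        return {"ok": False, "mechanism": "CRAM-MD5", "code": code}
    code = server_simple_bind(user, password)
    return {"ok": code == SUCCESS, "mechanism": "simple", "code": code}


if __name__ == "__main__":
    for uniform in (False, True):
        print(f"uniform={uniform}:", client_login("bob", "bob-secret", uniform))
```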
From hyc at symas.com Fri Sep 8 17:35:01 2006
From: hyc at symas.com (Howard Chu)
Date: Fri, 08 Sep 2006 10:35:01 -0700
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <20060908145837.3F30973251@hormel.redhat.com>
References: <20060908145837.3F30973251@hormel.redhat.com>
Message-ID: <4501A9C5.4050709@symas.com>

> Date: Fri, 08 Sep 2006 09:01:41 -0600
> From: Richard Megginson
> Josh Kelley wrote:
>> On 9/7/06, Richard Megginson wrote:
>>> I checked RFC 4513 - http://www.ietf.org/rfc/rfc4513.txt - it doesn't say anything about the correct result code to return in this case, other than it is an error if anything other than success or bindinprogress is returned. You might want to ask on ldap at umich.edu or on IRC.freenode.net #ldap if there is a standard that covers this case.
>>
>> Thanks for the suggestion. I'll ask.
>>
>> I skimmed RFC 4513 (sans coffee) and didn't find the section you're referring to. I did see that RFC 4422 (last paragraph of section 3.6) seems to suggest that OS X's and OpenLDAP's behavior is legitimate and useful.

Before you go any further with this, please tell us which version of OpenLDAP you're using. Current releases (since 2.3.6) return invalidCredentials for a SASL bind failure:

ldapsearch -H ldap://:9000 -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database

Probably we should also do something about not returning the SASL-specific error code in this case too, to adhere more to the intent of rfc4422. Logging it on the server side should be sufficient.

I just checked, and releases 2.1 and 2.2 returned error code 80 here. So it seems Apple is relying on a broken behavior.

> Yes. But it seems to differ from the behavior of a simple bind (rfc4513 5.1.3).
> In a simple bind, the server resultCode differentiates these cases:
> 1) Invalid bind DN results in a noSuchObject (well, not exactly specified, but this is the usual behavior)
> 2) Valid bind DN but invalid password results in invalidCredentials
>
> However, the rfc (and also rfc 4511 Appendix A LDAP Result Codes) says that other codes may be substituted for the above "to prevent unauthorized disclosures (such as substitution of noSuchObject for insufficientAccessRights, or invalidCredentials for insufficientAccessRights)."
>
> The SASL doc (rfc4422) says:
>
> "It is also important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user."
>
> So it seems that SASL wants the server not to differentiate these cases, probably for security reasons. But this makes sasl binds have different semantics than simple binds.
>
>> Even if the standards permit either behavior (and even if it's slightly more secure to not reveal additional information, as David Boreham pointed out), wouldn't it be worth having FDS compatible with OpenLDAP and OS X?
>
> Yes. And please file a bug about this at http://bugzilla.redhat.com/

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From joshkel at gmail.com Fri Sep 8 22:07:26 2006
From: joshkel at gmail.com (Josh Kelley)
Date: Fri, 8 Sep 2006 18:07:26 -0400
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <4501A9C5.4050709@symas.com>
References: <20060908145837.3F30973251@hormel.redhat.com> <4501A9C5.4050709@symas.com>
Message-ID: <97cbd1a90609081507v1fe4d84dy84c5e792e51d271e@mail.gmail.com>

On 9/8/06, Howard Chu wrote:
> Before you go any further with this, please tell us which version of OpenLDAP you're using.
> Current releases (since 2.3.6) return invalidCredentials for a SASL bind failure:

2.2.13, as provided by RHEL 4. I had not thought to try a current release; thanks for the info.

> Probably we should also do something about not returning the SASL-specific error code in this case too, to adhere more to the intent of rfc4422. Logging it on the server side should be sufficient.
>
> I just checked, and releases 2.1 and 2.2 returned error code 80 here. So it seems Apple is relying on a broken behavior.

I guess I really don't understand here. RFC 4422 says that "outcome message provided by the server can provide a way for the client to distinguish between errors" of various sorts, which I assumed could include errors resulting from attempting to use an unconfigured authentication mechanism. And although the RFC says that it is "important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user," it doesn't say that it's necessary that servers be so configured or that it's broken for servers to not be so configured.

Furthermore, it seems to me that what Apple's trying to do - attempt a secure authentication method first, then fall back to a nonsecure authentication method if a secure method is not configured, without needlessly sending cleartext passwords if the secure authentication method is configured and rejects the user - is a good idea. Is Apple's default approach simply not permitted by the RFCs? I understand that for the server to unnecessarily give away security-related info is potentially bad, but it seems like a minor concern compared to the gains of permitting "secure by default, fall back to unsecured" behavior like Apple's default. (I guess MITM attacks are a risk with that kind of approach; are they enough of a risk to negate that approach's value?)

I hope I'm not coming across as argumentative; I just would really like to understand the issues involved.
If it is a bad idea for the server to distinguish between "invalid credentials" and "no secret in database," then what is the best way to get OS X logins to work? For now I've simply disabled CRAM-MD5 by moving those libraries out of my /usr/lib/sasl2 directory, but that seems like a hack. I guess a better solution would be to permit the SASL mech_list to be configured from within FDS; should I submit an RFE on Bugzilla for that?

Thanks.

Josh Kelley

From rmeggins at redhat.com Fri Sep 8 22:42:17 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 08 Sep 2006 16:42:17 -0600
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <97cbd1a90609081507v1fe4d84dy84c5e792e51d271e@mail.gmail.com>
References: <20060908145837.3F30973251@hormel.redhat.com> <4501A9C5.4050709@symas.com> <97cbd1a90609081507v1fe4d84dy84c5e792e51d271e@mail.gmail.com>
Message-ID: <4501F1C9.8060608@redhat.com>

Josh Kelley wrote:
> On 9/8/06, Howard Chu wrote:
>> Before you go any further with this, please tell us which version of OpenLDAP you're using. Current releases (since 2.3.6) return invalidCredentials for a SASL bind failure:
>
> 2.2.13, as provided by RHEL 4. I had not thought to try a current release; thanks for the info.
>
>> Probably we should also do something about not returning the SASL-specific error code in this case too, to adhere more to the intent of rfc4422. Logging it on the server side should be sufficient.
>>
>> I just checked, and releases 2.1 and 2.2 returned error code 80 here. So it seems Apple is relying on a broken behavior.
>
> I guess I really don't understand here. RFC 4422 says that "outcome message provided by the server can provide a way for the client to distinguish between errors" of various sorts, which I assumed could include errors resulting from attempting to use an unconfigured authentication mechanism.
> And although the RFC says that it is "important that the server can be configured such that the outcome message will not distinguish between a valid user with invalid credentials and an invalid user," it doesn't say that it's necessary that servers be so configured or that it's broken for servers to not be so configured.
>
> Furthermore, it seems to me that what Apple's trying to do - attempt a secure authentication method first, then fall back to a nonsecure authentication method if a secure method is not configured, without needlessly sending cleartext passwords if the secure authentication method is configured and rejects the user - is a good idea. Is Apple's default approach simply not permitted by the RFCs? I understand that for the server to unnecessarily give away security-related info is potentially bad, but it seems like a minor concern compared to the gains of permitting "secure by default, fall back to unsecured" behavior like Apple's default. (I guess MITM attacks are a risk with that kind of approach; are they enough of a risk to negate that approach's value?)

SASL is supposed to attempt to negotiate the strongest auth available.

> I hope I'm not coming across as argumentative; I just would really like to understand the issues involved.
>
> If it is a bad idea for the server to distinguish between "invalid credentials" and "no secret in database," then what is the best way to get OS X logins to work? For now I've simply disabled CRAM-MD5 by moving those libraries out of my /usr/lib/sasl2 directory, but that seems like a hack. I guess a better solution would be to permit the SASL mech_list to be configured from within FDS; should I submit an RFE on Bugzilla for that?

Yes.

> Thanks.
> Josh Kelley

From pkime at Shopzilla.com Sat Sep 9 08:04:52 2006
From: pkime at Shopzilla.com (Philip Kime)
Date: Sat, 9 Sep 2006 01:04:52 -0700
Subject: [Fedora-directory-users] HOWTO: put a pair of SSL-enabled servers behind a VIP (or a few VIPS)
Message-ID: <9C0091F428E697439E7A773FFD08342743592C@szexchange.Shopzilla.inc>

I just did this and thought others might like to see the procedure if the non-VIPed setup is already running. The issue is the SSL certs - they won't like the names/IPs of the VIPs and will complain (or depending on your setup, fail completely) when starting SSL/TLS. I assume your VIPs exist - here's how to change the SSL certs to work with the VIPs.

You already have the two servers up and running on SSL with their certificates working. How do you change the certificates to include the VIP names so things like "ldapsearch -ZZZ" don't die? You have to add an X.509 v3 "SubjectAltName" certificate extension to the certificate. But you can't add it, so you have to create a new certificate. This is how I did it and it has minimal impact - just one quick FDS restart (and even that might not be strictly necessary - please correct me).

My situation was having two ldap servers and needing to put them behind two load-balanced VIPs.

ldap1.foo.com
ldap2.foo.com

For each server, I did this:

Generate a certificate request from the server. Either in the GUI and paste to a file or go into /opt/fedora-ds/alias and do

/opt/fedora-ds/shared/bin/certutil -R -d /opt/fedora-ds/alias -s -o cert.req -a

You may need the "-P" flag if your cert8.db and key3.db files for the DS are not the default names.
I tend to use "-a" for ascii output as I have had problems with binary requests and certs in the past.

Where "" is the DN for the Certificate. This is the nice part - make sure that this is *exactly* the same as your already-in-use SSL cert's Subject DN. To find out what this is, do

/opt/fedora-ds/shared/bin/certutil -L -n -d /opt/fedora-ds/alias

Again, you may need the "-P" flag if your cert db files are not the default names. Here "" is the name of your server SSL cert. You can list all the cert names with:

/opt/fedora-ds/shared/bin/certutil -L -d /opt/fedora-ds/alias

If you are generating the cert request in the GUI, you can either enter the DN information in the separate fields or choose the DN view and just paste it in. Generate the request, get it into a file called "cert.req" and do this

/opt/fedora-ds/shared/bin/certutil -C -d /opt/fedora-ds/alias -c -i cert.req -o cert.crt -a -m -v 120 -8

This is where you generate the cert with the extensions.

is the name of your CA cert that is issuing the certificate - make sure it's the same CAcert that issued your current SSL cert (that way your clients which have the existing public CAcert won't break). You can find out the name of it in the same way as described above for the server cert name.

is a unique, arbitrary serial number for the cert. The only restriction is that it should definitely not be the same serial number as your existing cert (and not the same as any other certs you use either, really).

- this is a comma-separated list of DNS names (can be IP addresses) of your VIPs. Basically, this option says "these names are valid matches for the hostname of the server too".

"-v" sets the expiration on the certificate in months. Set it to whatever you want.

You'll be prompted for the internal token to access the certificate database - I tend to use the "-f file" flag to get this from a file where it's stored.
In our example:

/opt/fedora-ds/shared/bin/certutil -C -d /opt/fedora-ds/alias -c -i cert.req -o cert.crt -a -m -v 120 -8 ldap1.foo.com,ldap2.foo.com

The resulting certificate is left in the "cert.crt" file. Then install the certificate in the GUI (copy-paste is easy) - it will tell you that the Subject DN is identical to the certificate already installed and so it will call it by the same name. This is good and by design. So, now you will see two certificates with the same name. Delete the older one without the extensions (easy to do this in the GUI). I restarted the DS at this point in case it had cached the old certificate, but this may not be necessary.

That's it. Your certificate now has the extensions to allow it to work with the VIP names and TLS/SSL won't complain. ldapsearch -ZZZ should still work fine. You can check the certificates with the "certutil -L" commands above and you should see this in the certificate:

Signed Extensions:
    Name: Certificate Subject Alt Name
    DNS name: "ldap1.foo.com"
    DNS name: "ldap2.foo.com"

The trick of keeping the Subject DN the same (but changing the serial number, which is mandatory) means that you don't have to go into the DS setup and change the certificate name being used ... it just carries on working with minimal impact.

--
Philip Kime
NOPS Systems Architect
310 401 0407

From radek at eadresa.cz Sat Sep 9 17:23:53 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Sat, 09 Sep 2006 19:23:53 +0200
Subject: [Fedora-directory-users] SSHA Password hash function
Message-ID: <4502F8A9.9040905@eadresa.cz>

Hi all,
I'm trying to get SSHA password generation working in JavaScript. I've found an interesting topic which I want to ask about. Is there any presumption about salt length? I've tried salt "saltedsalt" and password "abcd".
It produced the string {SSHA}/OwjNeakcceT6szrxGOMHUb53XJzYWx0ZWRzYWx0 which, when inserted into the userPassword attribute, crashed the slapd daemon when the user tried to log on. With a random salt of length 13 everything works fine. Maybe there is some mistake related to base64 padding, but even with one or two trailing = this hash crashed the slapd daemon.
FDS is 1.0.2

Radek

From mj at sci.fi Sat Sep 9 17:34:19 2006
From: mj at sci.fi (Mike Jackson)
Date: Sat, 09 Sep 2006 20:34:19 +0300
Subject: [Fedora-directory-users] SSHA Password hash function
In-Reply-To: <4502F8A9.9040905@eadresa.cz>
References: <4502F8A9.9040905@eadresa.cz>
Message-ID: <4502FB1B.9030901@sci.fi>

Radek Hladik wrote:
> Hi all,
> I'm trying to get working SSHA password generation in JavaScript. I've
> found interesting topic which I want to ask about.

You don't need to generate password hashes externally, the server will do it for you.

Enable SSHA password hashing in the server, and modify the userPassword attribute with a plaintext value via SSL for transport security. The server will hash the userPassword value for you. Or you could use the password modify extended operation...

--
mike

From radek at eadresa.cz Sun Sep 10 13:02:31 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Sun, 10 Sep 2006 15:02:31 +0200
Subject: [Fedora-directory-users] SSHA Password hash function
In-Reply-To: <4502FB1B.9030901@sci.fi>
References: <4502F8A9.9040905@eadresa.cz> <4502FB1B.9030901@sci.fi>
Message-ID: <45040CE7.40004@eadresa.cz>

Mike Jackson wrote:
> Radek Hladik wrote:
>> Hi all,
>> I'm trying to get working SSHA password generation in JavaScript. I've
>> found interesting topic which I want to ask about.
>
>
> You don't need to generate password hashes externally, the server will
> do it for you.
>
> Enable SSHA password hashing in the server, and modify the userPassword
> attribute with a plaintext value via SSL for transport security. The
> server will hash the userPassword value for you.
> Or you could use the
> password modify extended operation...

Thanks, I didn't know about this possibility. But I would also like to give the user the option to verify the hash. And the password not leaving the client computer is a good bonus too. However, the code is working now, only some salt lengths cause trouble. And it is also not good that slapd crashes on an incorrect hash (yes, I've filed that as bug 205907 :-) ).

Radek

From haizaar at gmail.com Sun Sep 10 14:15:05 2006
From: haizaar at gmail.com (Hai Zaar)
Date: Sun, 10 Sep 2006 17:15:05 +0300
Subject: [Fedora-directory-users] CoS + SASL problems?
Message-ID:

Dear list!
I'm using FDS-1.0.2 together with Heimdal Kerberos as a NIS replacement. I'm having a rather strange problem with SASL. I have two posixGroups. The first is
cn=peopleGroup,ou=people,dc=example,dc=com
and the other is
cn=testGroup,ou=Groups,dc=example,dc=com
testGroup is affected by a Pointer CoS - this is important!

On the client I run:
# kinit foo
# ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=peopleGroup))'

The search returns sane results. However, running the search for testGroup returns the following:
---------------------------
# ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=testGroup))'
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
SASL username: foo at EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base  with scope subtree
# filter: (&(objectClass=posixGroup)(cn=testGroup))
# requesting: ALL
#
ldap_result: Can't contact LDAP server (-1)
---------------------------
If I remove the CoS from ou=Groups,dc=example,dc=com, then it all works OK (but of course I do not get any of the 'uniquemember' attributes that come from the CoS).
The strangest thing, however, is that if I set SASL_SECPROPS maxssf=0 in /etc/openldap/ldap.conf, then everything works just fine (but with no security).

Finally, here is what the FDS access log says:
[10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
[10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4

It looks like the server just drops the connection. The error logs indicate nothing.
Any ideas, anyone?

--
Zaar

From haizaar at gmail.com Mon Sep 11 11:38:06 2006
From: haizaar at gmail.com (Hai Zaar)
Date: Mon, 11 Sep 2006 14:38:06 +0300
Subject: [Fedora-directory-users] Why does FDS issue gethostbyname('hostname') on startup
Message-ID:

I have a server "bigbox", which is also known as directory.example.com. I've installed FDS-1.0.2 to run on directory.example.com. The problem is that when I try to start it, it complains:
gethostbyname("bigbox") failed
which is true, because DNS does not know anything about bigbox. It knows only about directory.example.com.
My question is - why does slapd care about resolving `hostname`? During installation I explicitly specified to use directory.example.com.
--
Zaar

From JENNIFER.C.KANCIANIC at saic.com Sun Sep 10 17:41:21 2006
From: JENNIFER.C.KANCIANIC at saic.com (Kancianic, Jennifer C.)
Date: Sun, 10 Sep 2006 13:41:21 -0400
Subject: [Fedora-directory-users] Startconsole Directory Server access causes traceback and hangs startconsole
Message-ID:

I've been working on this for a few hours and am now stumped as to what to do next. Any pointers would be great:

I installed fedora-ds-1.0.2-1RHEL4.x86_64.opt.rpm on RedHat 2.6.9-34.Elsmp on my Linux server, configured it to run as a non-root user, pointed the ports appropriately and started it up as the non-root user. I can log in using JXplorer fine (it's using the ldap:// method of connecting). I then want to initialize the database with an LDIF from another server, so I did a startconsole and logged in as the Directory Manager using the http:// method of connection. I am able to see the Administration Server and Directory Server listed items, but when I click on the Directory Server to open it, I get this traceback, which hangs the startconsole:

Exception in thread "" java.lang.IndexOutOfBoundsException
        at java.io.BufferedInputStream.read(BufferedInputStream.java:306)
        at com.netscape.management.client.com.AsyncByteArrayInputStream.write(Unknown Source)
        at com.netscape.management.client.com.HttpChannel.invoke(Unknown Source)
        at com.netscape.management.client.com.HttpChannel.run(Unknown Source)
        at java.lang.thread.run(Thread.java:595)

Some other info:
-------------------------
1. When I open the server to see the Administration Server and Directory Server, the icons associated with them were not displayed (only white boxes).
2. In the error.log for the admin-serv, I see this text:
Admserv_host_ip_check: ap_get_remote_host could not resolve
3. I saw reports about bug #183925 and configured the admin server as nsAdminAccessAddresses=255.255.255.255 and nsAdminAccessHosts: *, but this didn't help.
When I do an nslookup, it shows the appropriate hostname for all IPs involved, so reverse DNS seems to work.
4. When I use a web browser to browse to the Directory Server Gateway, images are also not shown there.

Any thoughts about what may be causing the traceback or how to fix it?

Thanks,
Jenny

From radek at eadresa.cz Mon Sep 11 14:08:36 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Mon, 11 Sep 2006 16:08:36 +0200
Subject: [Fedora-directory-users] FDS on RedHat9
Message-ID: <45056DE4.4030905@eadresa.cz>

I have one old RH9 box which functions as a backup server. I'm periodically backing up the DB from the primary FDS to it, but it would also be nice to have a read-only replica for failover there. But I was not able to compile FDS on it as there were some very strange compile errors when compiling libraries for it. I have some ideas how to get it working and I would like to ask for your opinion:
1) Run complete FDS+FC5 in vmware, but I think running an extra kernel and daemons will result in unnecessary overhead. On the other hand this should work, and as replication can happen only a few times per day there should be no big overhead until a failover situation.
2) Run the FDS binary for FC5/FC4 and copy all required libraries from FC5/4 and force the FDS binary to use them. Or I can copy a complete installed FC5+FDS somewhere and chroot into it. This should eliminate the overhead in option 1, but the 2.4 kernel could be too old for FC5/4 libraries. I can use some RHEL3 binaries and a centos installation, but I'm afraid of the compatibility of the next FDS releases with those old OSes.

Do you have any other ideas, or is someone running FDS on RH9?

Radek

P.S. I'm stuck with RH9 as there is a more important service running on this box which requires RH9.
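Why the pre-VIP certificate makes "ldapsearch -ZZZ" complain for the VIP names, and what the re-issued certificate with the SubjectAltName extension fixes, as an added Python illustration for the HOWTO earlier in this archive (not code from the post or from FDS). Certificates are plain dicts of constructed data, ds1.foo.com is an assumed name for one server, and the matching rules follow RFC 6125: once a SAN carries DNS names the Subject CN is no longer consulted, so the server's own name must be on the -8 list as well as the VIPs.

```python
"""Hostname-to-certificate matching as a strict TLS client does it.
Added illustration for the SubjectAltName HOWTO; constructed sample data."""
import ipaddress


def _match_dns(pattern, hostname):
    """RFC 6125 style DNS-name comparison: case-insensitive, trailing dot
    ignored, and a wildcard is honoured only as the entire left-most label
    (so '*.foo.com' matches 'ldap1.foo.com' but never 'a.b.foo.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """Return True if `hostname` (the name the client connected to) is an
    acceptable identity for `cert`.

    cert is {"subject_cn": str, "san_dns": [str, ...], "san_ip": [str, ...]}.
    Strict checkers consult only the SubjectAltName once it carries any
    DNS or IP entries; the Subject CN is a legacy fallback used solely when
    the certificate has no SAN at all.  That is why the -8 list must also
    include any name clients already use to reach the server directly."""
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if san_dns or san_ip:
        if ip is not None:
            return any(ipaddress.ip_address(s) == ip for s in san_ip)
        return any(_match_dns(p, hostname) for p in san_dns)
    if ip is not None:
        return False            # no SAN and an IP literal: not matched here
    return _match_dns(cert.get("subject_cn", ""), hostname)


def check_names(cert, names):
    """Pre-flight check before swapping certificates: which of the names
    clients will use (VIPs plus the server's own name) does `cert` cover?"""
    return {name: cert_matches_host(cert, name) for name in names}


# Constructed sample data.  ds1.foo.com is an assumed name for one of the
# two servers; ldap1/ldap2.foo.com are the VIP names from the HOWTO.
VIP_NAMES = ["ldap1.foo.com", "ldap2.foo.com"]
OLD_CERT = {"subject_cn": "ds1.foo.com"}                  # CN only, no SAN
NEW_CERT = {"subject_cn": "ds1.foo.com",                  # re-issued cert
            "san_dns": ["ds1.foo.com"] + VIP_NAMES}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, check_names(cert, ["ds1.foo.com"] + VIP_NAMES))
```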
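An added example for the "SSHA Password hash function" thread earlier in this archive (not code from the thread or from FDS): generating and verifying {SSHA} values with any salt length, recovering the salt from the value Radek posted, and treating malformed values as a failed match rather than something a fixed-size comparison could trip over.

```python
"""{SSHA} userPassword values: generate, decode and verify with arbitrary
salt lengths.  Added example; the quoted value comes from the thread and is
used only to show how the salt is recovered from the stored string."""
import base64
import binascii
import hashlib
import hmac
import os
import re

SHA1_LEN = 20
PREFIX = "{SSHA}"


def _to_bytes(value):
    return value.encode("utf-8") if isinstance(value, str) else bytes(value)


def ssha_hash(password, salt=None):
    """{SSHA} + base64( SHA1(password || salt) || salt ).  The salt may be
    any length; 8 random bytes is this example's own default."""
    salt = os.urandom(8) if salt is None else _to_bytes(salt)
    digest = hashlib.sha1(_to_bytes(password) + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Decode a stored value into (digest, salt) or raise ValueError.

    The salt is simply everything after the 20-byte digest, so a 10-byte
    salt such as b'saltedsalt' is as valid as a 13-byte one.  Padding is
    recomputed from the length, so values with missing or extra trailing
    '=' decode too, while anything shorter than a digest is rejected
    instead of being handed to a comparison that assumes a fixed size."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    body = stored[len(PREFIX):].strip().rstrip("=")
    if not re.fullmatch(r"[A-Za-z0-9+/]*", body):
        raise ValueError("non-base64 characters in value")
    if len(body) % 4 == 1:
        raise ValueError("base64 length cannot be valid")
    body += "=" * (-len(body) % 4)
    try:
        raw = base64.b64decode(body.encode("ascii"))
    except binascii.Error as exc:
        raise ValueError("bad base64: %s" % exc)
    if len(raw) < SHA1_LEN:
        raise ValueError("decoded value is shorter than a SHA-1 digest")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password, stored):
    """Constant-time check of `password` against a stored {SSHA} value;
    malformed values simply fail instead of raising."""
    try:
        digest, salt = split_ssha(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(_to_bytes(password) + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Value quoted in the thread (salt "saltedsalt", password "abcd").
MAIL_VALUE = "{SSHA}/OwjNeakcceT6szrxGOMHUb53XJzYWx0ZWRzYWx0"

if __name__ == "__main__":
    digest, salt = split_ssha(MAIL_VALUE)
    print("salt recovered from the posted value:", salt)
    fresh = ssha_hash("abcd", "saltedsalt")
    print(fresh, ssha_verify("abcd", fresh), ssha_verify("abce", fresh))
```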
From david_list at boreham.org Mon Sep 11 14:15:03 2006
From: david_list at boreham.org (David Boreham)
Date: Mon, 11 Sep 2006 08:15:03 -0600
Subject: [Fedora-directory-users] FDS on RedHat9
In-Reply-To: <45056DE4.4030905@eadresa.cz>
References: <45056DE4.4030905@eadresa.cz>
Message-ID: <45056F67.9010907@boreham.org>

Your best option might be to build FDS on RH9. I'm not sure that the libraries are backward compatible (almost certain they are not). But a newly built binary should be ok.

Radek Hladik wrote:
> I have one old RH9 box which functions as a backup server. I'm
> periodically backing up DB from primary FDS to it but it would be also
> nice to have read-only replica for failover there. But I was not able
> to compile FDS on it as there were some very strange compile errors
> when compiling libraries for it. I have some ideas how to get it
> working and I would like to ask for your opinion:
> 1) Run complete FDS+FC5 in vmware, but I think running extra kernel
> and daemons will result in unnecessary overhead. On the other hand
> this should work and as replication can happen only few times per day
> there should be no big overhead till failover situation.
> 2) Run FDS binary for FC5/FC4 and copy all required libraries from
> FC5/4 and force FDS binary to use them. Or I can copy complete
> installed FC5+FDS somewhere and chroot into it. This should eliminate
> overhead in option 1 but the 2.4 kernel could be too old for FC5/4
> libraries. I can use some RHEL3 binaries and centos installation but
> I'm afraid of compatibility of next FDS releases with those old OSes.
>
> Do you have any other ideas or is someone running FS on RH9?
>
> Radek
>
>
> P.S. I'm stuck with RH9 as there is more important service running on
> this box which requires RH9.
From lesmikesell at gmail.com Mon Sep 11 15:38:36 2006
From: lesmikesell at gmail.com (Les Mikesell)
Date: Mon, 11 Sep 2006 10:38:36 -0500
Subject: [Fedora-directory-users] FDS on RedHat9
In-Reply-To: <45056DE4.4030905@eadresa.cz>
References: <45056DE4.4030905@eadresa.cz>
Message-ID: <1157989117.8112.6.camel@moola.futuresource.com>

On Mon, 2006-09-11 at 16:08 +0200, Radek Hladik wrote:
> I have one old RH9 box which functions as a backup server. I'm
> periodically backing up DB from primary FDS to it but it would be also
> nice to have read-only replica for failover there. But I was not able to
> compile FDS on it as there were some very strange compile errors when
> compiling libraries for it. I have some ideas how to get it working and
> I would like to ask for your opinion:
> 1) Run complete FDS+FC5 in vmware, but I think running extra kernel and
> daemons will result in unnecessary overhead. On the other hand this
> should work and as replication can happen only few times per day there
> should be no big overhead till failover situation.
> 2) Run FDS binary for FC5/FC4 and copy all required libraries from FC5/4
> and force FDS binary to use them. Or I can copy complete installed
> FC5+FDS somewhere and chroot into it. This should eliminate overhead in
> option 1 but the 2.4 kernel could be too old for FC5/4 libraries. I can
> use some RHEL3 binaries and centos installation but I'm afraid of
> compatibility of next FDS releases with those old OSes.
>
> Do you have any other ideas or is someone running FS on RH9?
>
> Radek
>
>
> P.S. I'm stuck with RH9 as there is more important service running on
> this box which requires RH9.
I'm running several small jobs on vmware guests and as long as the host has sufficient RAM to avoid swapping the overhead doesn't seem bad - and you can easily move it to any host machine that happens to have sufficient capacity just by copying the files over. There is a pre-built FDS appliance for vmware at http://www.vmware.com/vmtn/appliances/directory/. Is anyone using it in production or for a backup?

--
Les Mikesell
lesmikesell at gmail.com

From haizaar at gmail.com Mon Sep 11 15:43:38 2006
From: haizaar at gmail.com (Hai Zaar)
Date: Mon, 11 Sep 2006 18:43:38 +0300
Subject: [Fedora-directory-users] sasl-host in FedoraDS
Message-ID:

In OpenLDAP slapd.conf there were the options sasl-host and sasl-realm. Is there anything similar in FedoraDS?
My problem is that on the server side SASL deduces sasl-host improperly: the machine's hostname is bigbox and it runs FDS on directory.example.com. Instead of using sasl-host "directory.example.com" and realm "EXAMPLE.COM", SASL runs gethostname and deduces host and realm from it. In the end, SASL expects the ldap/bigbox.example.com at EXAMPLE.COM credential, instead of the correct ldap/directory.example.com at EXAMPLE.COM credential which is supplied by the client.

--
Zaar

From mikael.kermorgant at gmail.com Mon Sep 11 16:20:01 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Mon, 11 Sep 2006 18:20:01 +0200
Subject: [Fedora-directory-users] dsgw and group management (dsgw behind an apache proxy)
Message-ID: <9711147e0609110920l6e124970w328e49f6aca1a3bd@mail.gmail.com>

Hello,

I've just successfully set up fedora dsgw behind an apache proxy by using the technique presented here:
http://www.daveyp.com/blog/index.php/archives/76/

Now, I face a strange problem: while editing a group to add a member, when I click on "Search and add", Internet Explorer does nothing while Firefox behaves as expected. Without this trick with the perl module, it works well on both browsers.

Does anyone have an idea?
Thanks in advance,

--
Mikael Kermorgant

From mikael.kermorgant at gmail.com Mon Sep 11 16:29:06 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Mon, 11 Sep 2006 18:29:06 +0200
Subject: [Fedora-directory-users] Re: dsgw and group management (dsgw behind an apache proxy)
In-Reply-To: <9711147e0609110920l6e124970w328e49f6aca1a3bd@mail.gmail.com>
References: <9711147e0609110920l6e124970w328e49f6aca1a3bd@mail.gmail.com>
Message-ID: <9711147e0609110929r522445b9t64a8fcf70c4c806a@mail.gmail.com>

Reply to myself: problem solved.

When replacing the original url in the html code from the perl module, you have to begin the new url with "http://..." instead of just "/".

Regards,

--
Mikael Kermorgant

From joshkel at gmail.com Mon Sep 11 18:39:58 2006
From: joshkel at gmail.com (Josh Kelley)
Date: Mon, 11 Sep 2006 14:39:58 -0400
Subject: [Fedora-directory-users] SASL authentication
In-Reply-To: <4501F1C9.8060608@redhat.com>
References: <20060908145837.3F30973251@hormel.redhat.com> <4501A9C5.4050709@symas.com> <97cbd1a90609081507v1fe4d84dy84c5e792e51d271e@mail.gmail.com> <4501F1C9.8060608@redhat.com>
Message-ID: <97cbd1a90609111139y12f5ed23gb6fac41ddbcaf734@mail.gmail.com>

On 9/8/06, Richard Megginson wrote:
> Josh Kelley wrote:
> > If it is a bad idea for the server to distinguish between "invalid
> > credentials" and "no secret in database," then what is the best way to
> > get OS X logins to work? For now I've simply disabled CRAM-MD5 by
> > moving those libraries out of my /usr/lib/sasl2 directory, but that
> > seems like a hack. I guess a better solution would be to permit the
> > SASL mech_list to be configured from within FDS; should I submit an
> > RFE on Bugzilla for that?
> Yes.

Submitted at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=206053; thanks.
Josh Kelley

From radek at eadresa.cz Tue Sep 12 13:49:31 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Tue, 12 Sep 2006 15:49:31 +0200
Subject: [Fedora-directory-users] FDS on RedHat9 - Solved
In-Reply-To: <45056DE4.4030905@eadresa.cz>
References: <45056DE4.4030905@eadresa.cz>
Message-ID: <4506BAEB.4020800@eadresa.cz>

Radek Hladik wrote:
> I have one old RH9 box which functions as a backup server. I'm
> periodically backing up DB from primary FDS to it but it would be also
> nice to have read-only replica for failover there. But I was not able to
> compile FDS on it as there were some very strange compile errors when
> compiling libraries for it. I have some ideas how to get it working and
> I would like to ask for your opinion:

I've finally got it working (after 6 hours...). I've compiled FDS from source via the "one-step" compilation system, but this involved editing source code, modifying make files and a few nasty hacks :( I also had to build httpd 2.0.54 just for FDS. I do not feel like I can write up a complete howto (and I do not know which problems were caused by my configuration of that RH9 box), but I can try to help if someone gets stuck with a similar problem.

Radek

From mikael.kermorgant at gmail.com Tue Sep 12 16:10:10 2006
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Tue, 12 Sep 2006 18:10:10 +0200
Subject: [Fedora-directory-users] dsgw : group management
Message-ID: <9711147e0609120910k3159d549r2bb49a9d1a487d9@mail.gmail.com>

Hello,

I'm using fedora dsgw for group management. I have 2 concerns:

1 - When I view a group, I can only view the uniquemember attribute, which gives me the uid of each member. As my students get a uid which looks like a serial number, it's not easy to figure out who is a member of the group.

2 - When I add a new member, I have to fill in a form with the member's name and click on "search and add". There are many cases where the search operation returns more than one person. This, coupled with concern no. 1, makes it even more difficult to find out who has been added.

Is there something I can do about that?

Thanks in advance,

--
Mikael Kermorgant

From JENNIFER.C.KANCIANIC at saic.com Tue Sep 12 21:57:55 2006
From: JENNIFER.C.KANCIANIC at saic.com (Kancianic, Jennifer C.)
Date: Tue, 12 Sep 2006 17:57:55 -0400
Subject: [Fedora-directory-users] Startconsole Directory Server access causes traceback and hangs startconsole
Message-ID:

OK - I turned on debugging for the startconsole with this command:

./startconsole -D 9 > /tmp/console.log 2>&1

Around when the traceback happens, the logfile indicated "Unable to read /.fedora-console/jars" directory. This directory did not exist in the user's home/.fedora-console directory. I checked a working Fedora DS installation on another machine and saw that there were two jar files that should be in that directory:

ds10.jar and ds10_en.jar

I created the jars directory by hand and put the two jar files in from the installation directory, then everything worked. It looks like there's a possible installation problem.

Thanks,
Jenny

_____

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Kancianic, Jennifer C.
Sent: Sunday, September 10, 2006 1:41 PM
To: 'fedora-directory-users at redhat.com'
Subject: [Fedora-directory-users] Startconsole Directory Server access causes traceback and hangs startconsole

I've been working on this for a few hours and am now stumped as to what to do next. Any pointers would be great:

I installed fedora-ds-1.0.2-1RHEL4.x86_64.opt.rpm on RedHat 2.6.9-34.Elsmp on my Linux server, configured it to run as a non-root user, pointed the ports appropriately and started it up as the non-root user. I can log in using JXplorer fine (it's using the ldap:// method of connecting). I then want to initialize the database with an LDIF from another server, so I did a startconsole and logged in as the Directory Manager using the http:// method of connection.
I am able to see the Administration Server and Directory Server listed items, but when I click on the Directory Server to open it, I get this traceback, which hangs the startconsole:

Exception in thread "" java.lang.IndexOutOfBoundsException
        at java.io.BufferedInputStream.read(BufferedInputStream.java:306)
        at com.netscape.management.client.com.AsyncByteArrayInputStream.write(Unknown Source)
        at com.netscape.management.client.com.HttpChannel.invoke(Unknown Source)
        at com.netscape.management.client.com.HttpChannel.run(Unknown Source)
        at java.lang.thread.run(Thread.java:595)

Some other info:
-------------------------
1. When I open the server to see the Administration Server and Directory Server, the icons associated with them were not displayed (only white boxes).
2. In the error.log for the admin-serv, I see this text:
Admserv_host_ip_check: ap_get_remote_host could not resolve
3. I saw reports about bug #183925 and configured the admin server as nsAdminAccessAddresses=255.255.255.255 and nsAdminAccessHosts: *, but this didn't help. When I do an nslookup, it shows the appropriate hostname for all IPs involved, so reverse DNS seems to work.
4. When I use a web browser to browse to the Directory Server Gateway, images are also not shown there.

Any thoughts about what may be causing the traceback or how to fix it?

Thanks,
Jenny

From radek at eadresa.cz Wed Sep 13 16:36:21 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Wed, 13 Sep 2006 18:36:21 +0200
Subject: [Fedora-directory-users] Script after update operation
Message-ID: <45083385.6020305@eadresa.cz>

Hi all,
I would like to execute a script after every update operation on a specified subtree. I would like to know whether there is any best-practice solution. I've found out I can write a really simple post-operation plugin, but before I start to do that I would like to know whether there is not any better solution I might be overlooking.
I need to extract the configuration for an ldap non-aware application and recreate its config file.

Radek

From rmeggins at redhat.com Wed Sep 13 16:44:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 13 Sep 2006 10:44:08 -0600
Subject: [Fedora-directory-users] Script after update operation
In-Reply-To: <45083385.6020305@eadresa.cz>
References: <45083385.6020305@eadresa.cz>
Message-ID: <45083558.6030207@redhat.com>

Radek Hladik wrote:
> Hi all,
> I would like to execute script after every update operation on
> specified subtree. I would like to know whether is there any best
> practice solution. I've found out I can write really simple
> post-operation plugin but before I start to do that I would like to
> know whether there is not any better solution I might be overlooking.
> I need to extract the configuration for ldap non-aware application
> and recreate it's config file.

There are two other simpler ways that might work for you.
1) Use persistent search, possibly in combination with the Retro Changelog plugin.
2) Enable the audit log, and just tail -f audit | your script

>
>
> Radek

From radek at eadresa.cz Wed Sep 13 19:03:00 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Wed, 13 Sep 2006 21:03:00 +0200
Subject: [Fedora-directory-users] Script after update operation
In-Reply-To: <45083558.6030207@redhat.com>
References: <45083385.6020305@eadresa.cz> <45083558.6030207@redhat.com>
Message-ID: <450855E4.1070404@eadresa.cz>

Richard Megginson wrote:
> Radek Hladik wrote:
>> Hi all,
>> I would like to execute script after every update operation on
>> specified subtree.
>> I would like to know whether is there any best
>> practice solution. I've found out I can write really simple
>> post-operation plugin but before I start to do that I would like to
>> know whether there is not any better solution I might be overlooking.
>> I need to extract the configuration for ldap non-aware application
>> and recreate it's config file.
> There are two other simpler ways that might work for you.
> 1) Use persistent search, possibly in combination with the Retro
> Changelog plugin.
> 2) Enable the audit log, and just tail -f audit | your script
>>
>>
>> Radek

Would you be so kind as to point me to some more information about persistent searching? I cannot find anything about it in the FDS documentation or web pages, and google returns only results about the Novell eDirectory server. Is it an FDS or an LDAP extension?
The solution with tail looks good, but what about log rotation? Or would FDS be willing to log the audit into a named pipe?

Radek

From mj at sci.fi Wed Sep 13 19:16:09 2006
From: mj at sci.fi (Mike Jackson)
Date: Wed, 13 Sep 2006 22:16:09 +0300
Subject: [Fedora-directory-users] Script after update operation
In-Reply-To: <450855E4.1070404@eadresa.cz>
References: <45083385.6020305@eadresa.cz> <45083558.6030207@redhat.com> <450855E4.1070404@eadresa.cz>
Message-ID: <450858F9.70600@sci.fi>

Radek Hladik wrote:
>
> Would you be so kind and point me to some more information about
> persistent searching? I can not find anything about it in FDS
> documentation, webpages and google returns only results about Novell
> eDirectory server. Is it FDS or LDAP extension?
> The solution with tail looks good but what about log rotation? Or would
> be FDS willing to log audit into named pipe?
> Radek

Persistent search is an (expired) internet draft, which several LDAP server vendors implement, including FDS/RHDS. Persistent search is supported by the Net::LDAP API - http://ldap.perl.org.

--
http://www.netauth.com - LDAP Directory Consulting

From rmeggins at redhat.com Wed Sep 13 20:04:01 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 13 Sep 2006 14:04:01 -0600
Subject: [Fedora-directory-users] Script after update operation
In-Reply-To: <450855E4.1070404@eadresa.cz>
References: <45083385.6020305@eadresa.cz> <45083558.6030207@redhat.com> <450855E4.1070404@eadresa.cz>
Message-ID: <45086431.3010301@redhat.com>

Radek Hladik wrote:
> Richard Megginson wrote:
>> Radek Hladik wrote:
>>> Hi all,
>>> I would like to execute script after every update operation on
>>> specified subtree. I would like to know whether is there any best
>>> practice solution. I've found out I can write really simple
>>> post-operation plugin but before I start to do that I would like to
>>> know whether there is not any better solution I might be overlooking.
>>> I need to extract the configuration for ldap non-aware
>>> application and recreate it's config file.
>> There are two other simpler ways that might work for you.
>> 1) Use persistent search, possibly in combination with the Retro
>> Changelog plugin.
>> 2) Enable the audit log, and just tail -f audit | your script
>>>
>>>
>>> Radek
>
> Would you be so kind and point me to some more information about
> persistent searching? I can not find anything about it in FDS
> documentation, webpages and google returns only results about Novell
> eDirectory server. Is it FDS or LDAP extension?

cd /opt/fedora-ds/shared/bin ; ./ldapsearch -H

The -C option does a persistent search - use especially with the -r option to avoid stdout buffering.

> The solution with tail looks good but what about log rotation? Or
> would be FDS willing to log audit into named pipe?

Yes. You should first disable audit log rotation.

> Radek

From ulf.weltman at hp.com Wed Sep 13 20:07:01 2006
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Wed, 13 Sep 2006 13:07:01 -0700
Subject: [Fedora-directory-users] Script after update operation
In-Reply-To: <450855E4.1070404@eadresa.cz>
References: <45083385.6020305@eadresa.cz> <45083558.6030207@redhat.com> <450855E4.1070404@eadresa.cz>
Message-ID: <450864E5.2040002@hp.com>

Radek Hladik wrote:
> Richard Megginson wrote:
>
>> Radek Hladik wrote:
>>
>>> Hi all,
>>> I would like to execute script after every update operation on
>>> specified subtree.
>>> I would like to know whether there is any best
>>> practice solution. I've found out I can write a really simple
>>> post-operation plugin but before I start to do that I would like to
>>> know whether there is not any better solution I might be overlooking.
>>> I need to extract the configuration for an LDAP non-aware
>>> application and recreate its config file.
>>
>> There are two other simpler ways that might work for you.
>> 1) Use persistent search, possibly in combination with the Retro
>> Changelog plugin.
>> 2) Enable the audit log, and just tail -f audit | your script
>>
>>> Radek
>
> Would you be so kind and point me to some more information about
> persistent searching? I cannot find anything about it in FDS
> documentation, web pages and Google returns only results about Novell
> eDirectory server. Is it an FDS or LDAP extension?
> The solution with tail looks good but what about log rotation? Or
> would FDS be willing to log audit into a named pipe?
> Radek

Audit log can be written to a named pipe, just replace the real audit file with a fifo. You'll still need to disable log rotation.

Logging to a fifo has been a trick used in the past to capture the last few thousand lines of a high level of error logging with minimized performance impact, using a tool that provided a circular buffer in memory.
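The audit-log route described above (tail -f on the audit file, or a fifo put in its place, with rotation disabled) still needs a consumer that understands the log's LDIF change records and reacts only to the subtree of interest. The following is an added example, not code from this thread or from Fedora DS. It assumes the FDS/389 audit log layout (each record introduced by a "time:" line, terminated by a blank line, with a server banner at the top that the parser skips); the sample log, the DNs and the script name audit_watch.py are constructed for illustration.

```python
#!/usr/bin/env python3
"""Consume a Fedora DS audit log and react to changes under one subtree.

Added example, not code from the thread or from the FDS project.  Assumes the
FDS/389 audit log format: LDIF change records, each introduced by a
"time: YYYYmmddHHMMSS" line and ended by a blank line.  The sample log at the
bottom is constructed.
"""
import sys
from typing import Callable, Iterable, Iterator, Optional, Set


def unfold(lines: Iterable[str]) -> Iterator[str]:
    """LDIF unfolding: a line that starts with one space continues the previous line."""
    prev: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(" ") and prev is not None:
            prev += line[1:]
            continue
        if prev is not None:
            yield prev
        prev = line
    if prev is not None:
        yield prev


def parse_audit_records(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per change record.  Anything before the first 'time:' line
    (server banner, instance path) is skipped."""
    rec: Optional[dict] = None
    for line in unfold(lines):
        if not line.strip():                         # blank line ends a record
            if rec is not None:
                yield rec
                rec = None
            continue
        if rec is None:
            if line.startswith("time: "):
                rec = {"time": line[6:].strip(), "dn": None, "changetype": None, "body": []}
            continue
        if line.startswith("dn: ") and rec["dn"] is None:
            rec["dn"] = line[4:].strip()
        elif line.startswith("changetype: ") and rec["changetype"] is None:
            rec["changetype"] = line[12:].strip()
        else:
            rec["body"].append(line)
    if rec is not None:
        yield rec


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators so suffix matching works.
    Assumption: no escaped commas in the DNs (no full RFC 4514 parsing here)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is the base entry itself or lies below it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def changed_attributes(rec: dict) -> Set[str]:
    """Attribute names a record touches: add:/replace:/delete: targets of a
    modify, or every attribute present in an add record.  Lets the consumer
    ignore the server's own modifiersname/modifytimestamp bookkeeping."""
    names: Set[str] = set()
    if rec["changetype"] == "modify":
        for line in rec["body"]:
            for op in ("add: ", "replace: ", "delete: "):
                if line.startswith(op):
                    names.add(line[len(op):].strip().lower())
    else:
        for line in rec["body"]:
            if ":" in line and not line.startswith("-"):
                names.add(line.split(":", 1)[0].strip().lower())
    return names


def run(lines: Iterable[str], base: str, on_change: Callable[[dict], None],
        ignore: Set[str] = frozenset({"modifiersname", "modifytimestamp"})) -> int:
    """Hand every record under `base` to on_change; returns how many were passed on.
    Records whose only changed attributes are all in `ignore` are dropped."""
    n = 0
    for rec in parse_audit_records(lines):
        if not rec["dn"] or not in_subtree(rec["dn"], base):
            continue
        attrs = changed_attributes(rec)
        if attrs and attrs <= ignore:
            continue
        on_change(rec)
        n += 1
    return n


# Constructed sample log (not captured from a real server).
SAMPLE_AUDIT_LOG = """\
time: 20060913140401
dn: uid=rhladik,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: rhladik@example.com
-
replace: modifiersname
modifiersname: cn=Directory Manager
-

time: 20060913140402
dn: cn=Printers,ou=Services,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: Printers

time: 20060913140403
dn: uid=old,ou=People,dc=example,dc=com
changetype: delete

time: 20060913140404
dn: uid=rhladik,ou=People,dc=example,dc=com
changetype: modify
replace: modifytimestamp
modifytimestamp: 20060913140404Z
-
"""

if __name__ == "__main__":
    # Usage: tail -f <audit log path from nsslapd-auditlog> | python3 audit_watch.py "ou=People,dc=example,dc=com"
    base = sys.argv[1] if len(sys.argv) > 1 else "ou=People,dc=example,dc=com"
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG.splitlines()
    run(src, base, lambda r: print(f"{r['time']} {r['changetype']} {r['dn']} -> regenerate config"))
```

A record only carries the delta, so the on_change hook should re-read the subtree from the server and rewrite the application's config file from that, not from the records alone; the ignore set keeps the server's own modifiersname/modifytimestamp updates from triggering a rewrite.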
From radek at eadresa.cz Wed Sep 13 21:16:52 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Wed, 13 Sep 2006 23:16:52 +0200
Subject: [Fedora-directory-users] Script after update operation
In-Reply-To: <45086431.3010301@redhat.com>
References: <45083385.6020305@eadresa.cz> <45083558.6030207@redhat.com> <450855E4.1070404@eadresa.cz> <45086431.3010301@redhat.com>
Message-ID: <45087544.5010501@eadresa.cz>

Richard Megginson wrote:
> Radek Hladik wrote:
>> Richard Megginson wrote:
>>> Radek Hladik wrote:
>>>> Hi all,
>>>> I would like to execute a script after every update operation on a
>>>> specified subtree. I would like to know whether there is any best
>>>> practice solution. I've found out I can write a really simple
>>>> post-operation plugin but before I start to do that I would like to
>>>> know whether there is not any better solution I might be overlooking.
>>>> I need to extract the configuration for an LDAP non-aware
>>>> application and recreate its config file.
>>> There are two other simpler ways that might work for you.
>>> 1) Use persistent search, possibly in combination with the Retro
>>> Changelog plugin.
>>> 2) Enable the audit log, and just tail -f audit | your script
>>>>
>>>> Radek
>>
>> Would you be so kind and point me to some more information about
>> persistent searching? I cannot find anything about it in FDS
>> documentation, web pages and Google returns only results about Novell
>> eDirectory server. Is it an FDS or LDAP extension?
> cd /opt/fedora-ds/shared/bin ; ./ldapsearch -H
> The -C option does a persistent search - use especially with the -r
> option to avoid stdout buffering.
>> The solution with tail looks good but what about log rotation? Or
>> would FDS be willing to log audit into a named pipe?
> Yes. You should first disable audit log rotation.
>> Radek

Thanks for pointing to the ldapsearch utility as this is not mentioned in the documentation. I've searched "persistent" in all PDFs including ds71cli without success and I've even read through ldapsearch -H but didn't realize that PS means Persistent Search :)

I've put together a few pieces of information about persistent searching and put it into a Howto in the wiki.

Radek

From rinconsystems at yahoo.com Thu Sep 14 19:27:03 2006
From: rinconsystems at yahoo.com (Scott Roberts)
Date: Thu, 14 Sep 2006 12:27:03 -0700 (PDT)
Subject: [Fedora-directory-users] run as root? newb question
Message-ID: <20060914192703.7635.qmail@web34112.mail.mud.yahoo.com>

New to linux and was wondering what is the best practice for choosing a user and group for running applications? Is running an app as root the normal thing to do? Is running apps as root a bad thing? Huge security risk? Sorry for the stupid question but have seen different docs saying what to run a directory as. The RH docs say if you want to run directory on default ports run as root. That's what I plan to do.
From playactor at gmail.com Fri Sep 15 18:52:31 2006
From: playactor at gmail.com (Eric Brown)
Date: Fri, 15 Sep 2006 13:52:31 -0500
Subject: [Fedora-directory-users] Building daemontools into an RPM
Message-ID:

Is there a way to build an RPM for the daemontools package?

If not, what commands do I need to run to get it to a point where it can be packaged into an RPM and what directories and files do I need to include in the package?

Thanks,
Eric

From mj at sci.fi Fri Sep 15 18:49:23 2006
From: mj at sci.fi (Mike Jackson)
Date: Fri, 15 Sep 2006 21:49:23 +0300
Subject: [Fedora-directory-users] Building daemontools into an RPM
In-Reply-To:
References:
Message-ID: <450AF5B3.3060905@sci.fi>

Eric Brown wrote:
> Is there a way to build an RPM for the daemontools package?
>
> If not, what commands do I need to run to get it to a point where it
> can be packaged into an RPM and what directories and files do I need
> to include in the package?

http://www.google.com/search?hl=en&q=daemontools+rpm&btnG=Google+Search

Results 1 - 10 of about 132,000 for daemontools rpm. (0.25 seconds)

--
mike

From prowley at redhat.com Fri Sep 15 20:40:11 2006
From: prowley at redhat.com (Pete Rowley)
Date: Fri, 15 Sep 2006 13:40:11 -0700
Subject: [Fedora-directory-users] run as root? newb question
In-Reply-To: <20060914192703.7635.qmail@web34112.mail.mud.yahoo.com>
References: <20060914192703.7635.qmail@web34112.mail.mud.yahoo.com>
Message-ID: <450B0FAB.1070408@redhat.com>

Scott Roberts wrote:
> New to linux and was wondering what is the best
> practice for choosing a user and group for running
> applications? Is running an app as root the normal
> thing to do?

no

> Is running apps as root a bad thing?

yes

> Huge
> security risk?

yes

> Sorry for the stupid question but have
> seen different docs saying what to run a directory as.
> The RH docs say if you want to run directory on
> default ports run as root. That's what I plan to do.

This refers to starting the DS, but the DS is configured to run as another user/group. When the DS starts up it opens the ports it requires and then changes to the configured user/group in order that under normal running conditions it has a lower security profile. Starting the DS as root is required to open ports 389 and 636, the designated LDAP and LDAPS ports, but please do configure the server to switch to a user/group which you have created specifically for the DS.

--
Pete

From rinconsystems at yahoo.com Sat Sep 16 19:55:47 2006
From: rinconsystems at yahoo.com (Scott Roberts)
Date: Sat, 16 Sep 2006 12:55:47 -0700 (PDT)
Subject: [Fedora-directory-users] run as root? newb question
In-Reply-To: <450B0FAB.1070408@redhat.com>
Message-ID: <20060916195547.68602.qmail@web34103.mail.mud.yahoo.com>

Thanks Pete.

So the steps...
create user and group
install directory as root
set server user and group to user and group created

Does "installing" the directory as root affect how the DS starts (or anything else for that matter)? And if I set the server user and group to something I create, will the DS start as them? Trying to ascertain if I need to config the DS startup in the OS to switch users. Probably a common thing in rc.local or whatever and I'm an idiot :)

Again thanks for answering the newb question. I just need to research linux more and get this baby running the correct way.

--- Pete Rowley wrote:
> Scott Roberts wrote:
> > New to linux and was wondering what is the best
> > practice for choosing a user and group for running
> > applications? Is running an app as root the normal
> > thing to do?
> no
> > Is running apps as root a bad thing?
> yes
> > Huge
> > security risk?
> yes
> > Sorry for the stupid question but have
> > seen different docs saying what to run a directory as.
> > The RH docs say if you want to run directory on
> > default ports run as root. That's what I plan to do.
> >
> This refers to starting the DS, but the DS is configured to run as
> another user/group. When the DS starts up it opens the ports it
> requires and then changes to the configured user/group in order that
> under normal running conditions it has a lower security profile.
> Starting the DS as root is required to open ports 389 and 636, the
> designated LDAP and LDAPS ports, but please do configure the server to
> switch to a user/group which you have created specifically for the DS.
>
> --
> Pete

From rmeggins at redhat.com Sat Sep 16 20:39:54 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sat, 16 Sep 2006 14:39:54 -0600
Subject: [Fedora-directory-users] run as root? newb question
In-Reply-To: <20060916195547.68602.qmail@web34103.mail.mud.yahoo.com>
References: <20060916195547.68602.qmail@web34103.mail.mud.yahoo.com>
Message-ID: <450C611A.7020401@redhat.com>

Scott Roberts wrote:
> Thanks Pete.
>
> So the steps...
> create user and group
> install directory as root
> set server user and group to user and group created

setup will do this for you.

> Does "installing" the directory as root affect how the
> DS starts (or anything else for that matter)?

No. In fact, you have to install the RPM as root.

> And if I
> set the server user and group to something I create,
> will the DS start as them?
The DS will start as root, and start the server listening to ports 389/636, then the server will "drop privileges" to run as the non-root user (nobody:nobody by default).

> Trying to ascertain if I
> need to config the DS startup in the OS to switch
> users. Probably a common thing in rc.local or whatever
> and I'm an idiot :)

No, the server just does it automatically. As long as you specify the user to use during setup.

> Again thanks for answering the newb question. I just
> need to research linux more and get this baby running
> the correct way.
>
> --- Pete Rowley wrote:
>
>> Scott Roberts wrote:
>>
>>> New to linux and was wondering what is the best
>>> practice for choosing a user and group for running
>>> applications? Is running an app as root the normal
>>> thing to do?
>>>
>> no
>>
>>> Is running apps as root a bad thing?
>>>
>> yes
>>
>>> Huge
>>> security risk?
>>>
>> yes
>>
>>> Sorry for the stupid question but have
>>> seen different docs saying what to run a directory as.
>>> The RH docs say if you want to run directory on
>>> default ports run as root. That's what I plan to do.
>>>
>> This refers to starting the DS, but the DS is
>> configured to run as
>> another user/group. When the DS starts up it opens
>> the ports it
>> requires and then changes to the configured
>> user/group in order that
>> under normal running conditions it has a lower
>> security profile.
>> Starting the DS as root is required to open ports
>> 389 and 636, the
>> designated LDAP and LDAPS ports, but please do
>> configure the server to
>> switch to a user/group which you have created
>> specifically for the DS.
>>
>> --
>> Pete
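The start-as-root-then-drop sequence described in the two replies above is the standard pattern for any daemon that needs a port below 1024. The following is an added example, not code from the thread or from the Fedora DS sources, showing that sequence in Python with the ordering that makes the drop irreversible and a check that it really happened. The dirsrv user and group names are placeholders; the point of a dedicated account, as Pete says, is that a compromised directory process does not share privileges with anything else.

```python
#!/usr/bin/env python3
"""Bind a privileged port as root, then drop to a dedicated account for good.

Added example, not the DS's own code.  Assumes a Linux/POSIX host; the
account names are placeholders.
"""
import grp
import os
import pwd
import socket


def bind_listener(port: int, host: str = "0.0.0.0") -> socket.socket:
    """Open the listening socket while still privileged.  Ports below 1024
    (389, 636) are the only reason the process needs root at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(128)
    return s


def current_ids() -> tuple:
    """(real uid, real gid) of this process."""
    return os.getuid(), os.getgid()


def is_root() -> bool:
    return os.geteuid() == 0


def drop_privileges(uid: int, gid: int) -> tuple:
    """Switch permanently to uid/gid.  Order matters: supplementary groups and
    the gid go first, because once the uid is non-zero those calls fail and
    root's groups would leak through.  setuid()/setgid() (not the seteuid
    variants) replace real, effective and saved ids together, so the drop
    cannot be undone.  Returns the ids now in effect."""
    if os.getuid() == 0:
        os.setgroups([])           # only root may change supplementary groups
    if os.getgid() != gid:
        os.setgid(gid)
    if os.getuid() != uid:
        os.setuid(uid)
    return current_ids()


def privileges_are_dropped() -> bool:
    """Defensive check after the drop: not root, and cannot become root again."""
    if os.getuid() == 0 or os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False                   # setuid(0) succeeded: saved uid was still 0


def main(port: int = 389, user: str = "dirsrv", group: str = "dirsrv") -> None:
    # Placeholder account; create one specifically for the DS rather than reusing nobody.
    uid, gid = pwd.getpwnam(user).pw_uid, grp.getgrnam(group).gr_gid
    listener = bind_listener(port)                  # needs root for 389/636
    drop_privileges(uid, gid)
    if not privileges_are_dropped():
        listener.close()
        raise SystemExit("refusing to serve: process is still privileged")
    print(f"listening on {port} as uid={os.getuid()} gid={os.getgid()}")
    listener.close()


if __name__ == "__main__":
    main()
```

The check at the end is the part worth copying: a server that calls seteuid() instead of setuid(), or forgets setgroups(), looks unprivileged in ps but can regain root. On a current Linux kernel the root window can be avoided altogether by granting the binary CAP_NET_BIND_SERVICE instead of starting it as root.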
From devel at fashioncontent.com Sun Sep 17 12:24:26 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Sun, 17 Sep 2006 13:24:26 +0100
Subject: [Fedora-directory-users] How to make anonymous SASL work?
Message-ID: <002701c6da54$37a0c930$0509a8c0@tinkerbell>

I seem quite stuck on getting the first step of setting up mail authentication.

I have a running directory and Cyrus-SASL installed, but I can't get the two to communicate properly.

For now I think anonymous access is fine as they are on the same server.

I tried ldapsearch, but it seems to fail quite basically:

[root at langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b "fashioncontent.com" cn=hvendelbo
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:
[root at langham ~]# ldapsearch -X -Y
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

As I understand the message I need to configure some protocol on the server, but I have no idea where or how??

Henrik

From patrick.morris at hp.com Sun Sep 17 13:46:12 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Sun, 17 Sep 2006 09:46:12 -0400
Subject: [Fedora-directory-users] How to make anonymous SASL work?
In-Reply-To: <002701c6da54$37a0c930$0509a8c0@tinkerbell>
Message-ID:

> I seem quite stuck on getting the first step of setting up
> mail authentication.
>
> I have a running directory and Cyrus-SASL installed, but I
> can't get the two to communicate properly.
>
> For now I think anonymous access is fine as they are on the
> same server.
>
> I tried ldapsearch, but it seems to fail quite basically:
>
> [root at langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b
> "fashioncontent.com" cn=hvendelbo
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
> [root at langham ~]# ldapsearch -X -Y
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
>
> As I understand the message I need to configure some protocol
> on the server, but I have no idea where or how??

It looks like you're using the OpenLDAP version of ldapsearch and don't have SASL auth set up on the server.

You can either pass the "-x" switch to ldapsearch to use plaintext auth, or use the ldapsearch that comes with the directory server (probably in /opt/fedora-ds/shared/bin).

From devel at fashioncontent.com Sun Sep 17 13:48:30 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Sun, 17 Sep 2006 14:48:30 +0100
Subject: [Fedora-directory-users] Simple SASL configuration
Message-ID: <007d01c6da5f$f5a86540$0509a8c0@tinkerbell>

How do I configure the directory to work with SASL? Any descriptions somewhere? I noticed several comments on the list hinting that I have missed some existing documentation besides the manuals and googling.

I don't really care what setup, I just want to be able to authenticate against the directory somehow.

Henrik

From devel at fashioncontent.com Sun Sep 17 13:51:54 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Sun, 17 Sep 2006 14:51:54 +0100
Subject: [Fedora-directory-users] How to make anonymous SASL work?
References:
Message-ID: <008201c6da60$6f771ab0$0509a8c0@tinkerbell>

I have cyrus-sasl installed and configured so I tried testsaslauthd which failed so I tried ldapsearch.

Should I remove OpenLDAP? I thought sasl used the LDAP client.

Henrik

----- Original Message -----
From: "Morris, Patrick"
To: "General discussion list for the Fedora Directory server project."
Sent: Sunday, September 17, 2006 2:46 PM
Subject: RE: [Fedora-directory-users] How to make anonymous SASL work?

>> I seem quite stuck on getting the first step of setting up
>> mail authentication.
>>
>> I have a running directory and Cyrus-SASL installed, but I
>> can't get the two to communicate properly.
>>
>> For now I think anonymous access is fine as they are on the
>> same server.
>>
>> I tried ldapsearch, but it seems to fail quite basically:
>>
>> [root at langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b
>> "fashioncontent.com" cn=hvendelbo
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available:
>> [root at langham ~]# ldapsearch -X -Y
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available:
>>
>> As I understand the message I need to configure some protocol
>> on the server, but I have no idea where or how??
>
> It looks like you're using the OpenLDAP version of ldapsearch and don't
> have SASL auth set up on the server.
>
> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
> or use the ldapsearch that comes with the directory server (probably in
> /opt/fedora-ds/shared/bin).

From devel at fashioncontent.com Sun Sep 17 14:20:52 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Sun, 17 Sep 2006 15:20:52 +0100
Subject: [Fedora-directory-users] How to make anonymous SASL work?
References:
Message-ID: <00a601c6da64$7b07eea0$0509a8c0@tinkerbell>

>> As I understand the message I need to configure some protocol
>> on the server, but I have no idea where or how??
>
> It looks like you're using the OpenLDAP version of ldapsearch and don't
> have SASL auth set up on the server.

Yes, but how do I set up SASL auth. What doc describes it in less than 100 pages?
Also, why shouldn't the OpenLDAP client be able to talk to Fedora DS?

> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
> or use the ldapsearch that comes with the directory server (probably in
> /opt/fedora-ds/shared/bin).

From devel at fashioncontent.com Sun Sep 17 14:23:38 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Sun, 17 Sep 2006 15:23:38 +0100
Subject: [Fedora-directory-users] How to make anonymous SASL work?
References:
Message-ID: <00a901c6da64$ddfe4090$0509a8c0@tinkerbell>

[root at langham ~]# /opt/fedora-ds/shared/bin/ldapsearch -x
/opt/fedora-ds/shared/bin/ldapsearch: error while loading shared libraries: libssldap50.so: cannot open shared object file: No such file or directory

The libssldap50.so is present with rx access to all

----- Original Message -----
From: "Morris, Patrick"
To: "General discussion list for the Fedora Directory server project."
Sent: Sunday, September 17, 2006 2:46 PM
Subject: RE: [Fedora-directory-users] How to make anonymous SASL work?
>> I seem quite stuck on getting the first step of setting up
>> mail authentication.
>>
>> I have a running directory and Cyrus-SASL installed, but I
>> can't get the two to communicate properly.
>>
>> For now I think anonymous access is fine as they are on the
>> same server.
>>
>> I tried ldapsearch, but it seems to fail quite basically:
>>
>> [root at langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b
>> "fashioncontent.com" cn=hvendelbo
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available:
>> [root at langham ~]# ldapsearch -X -Y
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available:
>>
>> As I understand the message I need to configure some protocol
>> on the server, but I have no idea where or how??
>
> It looks like you're using the OpenLDAP version of ldapsearch and don't
> have SASL auth set up on the server.
>
> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
> or use the ldapsearch that comes with the directory server (probably in
> /opt/fedora-ds/shared/bin).

From devel at fashioncontent.com Sun Sep 17 14:31:59 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Sun, 17 Sep 2006 15:31:59 +0100
Subject: [Fedora-directory-users] How to configure shared/bin & lib
Message-ID: <00c301c6da66$08a8aff0$0509a8c0@tinkerbell>

Apparently the standard installation doesn't include the shared/bin & lib directories in the path. Can I put them in the path without breaking the OpenLDAP client, or is there some other way to make the tools work?

Henrik
From rmeggins at redhat.com Sun Sep 17 15:53:11 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sun, 17 Sep 2006 09:53:11 -0600
Subject: [Fedora-directory-users] How to make anonymous SASL work?
In-Reply-To: <00a601c6da64$7b07eea0$0509a8c0@tinkerbell>
References: <00a601c6da64$7b07eea0$0509a8c0@tinkerbell>
Message-ID: <450D6F67.7070001@redhat.com>

devel - Fashion Content wrote:
>>> As I understand the message I need to configure some protocol
>>> on the server, but I have no idea where or how??
>>
>> It looks like you're using the OpenLDAP version of ldapsearch and don't
>> have SASL auth set up on the server.
>
> Yes, but how do I set up SASL auth. What doc describes it in less than
> 100 pages?
> Also, why shouldn't the OpenLDAP client be able to talk to Fedora DS?

It is - see below

>> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
>> or use the ldapsearch that comes with the directory server (probably in
>> /opt/fedora-ds/shared/bin).

/usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....

ldapsearch by default will attempt a SASL bind, using the best mechanism available. To disable this behavior, and force the openldap command line tools to use SIMPLE binddn/password auth, you have to specify the -x argument.

From hyc at symas.com Sun Sep 17 16:51:48 2006
From: hyc at symas.com (Howard Chu)
Date: Sun, 17 Sep 2006 09:51:48 -0700
Subject: [Fedora-directory-users] How to make anonymous SASL work?
In-Reply-To: <20060917160004.AF9AE73774@hormel.redhat.com>
References: <20060917160004.AF9AE73774@hormel.redhat.com>
Message-ID: <450D7D24.9060709@symas.com>

> I tried ldapsearch, but it seems to fail quite basically:
>
> [root at langham ~]# ldapsearch -D "cn=admin" -w fidelio77 -b "fashioncontent.com" cn=hvendelbo
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
> [root at langham ~]# ldapsearch -X -Y
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:

> Date: Sun, 17 Sep 2006 09:53:11 -0600
> From: Richard Megginson
> devel - Fashion Content wrote:
>>>> As I understand the message I need to configure some protocol
>>>> on the server, but I have no idea where or how??
>>>
>>> It looks like you're using the OpenLDAP version of ldapsearch and don't
>>> have SASL auth set up on the server.
>> Yes, but how do I set up SASL auth. What doc describes it in less than
>> 100 pages?
>> Also, why shouldn't the OpenLDAP client be able to talk to Fedora DS?
> It is - see below
>>> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
>>> or use the ldapsearch that comes with the directory server (probably in
>>> /opt/fedora-ds/shared/bin).
> /usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....
>
> ldapsearch by default will attempt a SASL bind, using the best mechanism
> available. To disable this behavior, and force the openldap command
> line tools to use SIMPLE binddn/password auth, you have to specify the
> -x argument.

By the way, I think it's a bug that your server advertised the SASL/EXTERNAL mechanism here; that mech should only be offered when there is actually an external security system in place (e.g. IPSEC or TLS). It appears this was a plain, unprotected connection.
A mech shouldn't be listed in the supportedSASLmechanisms list if requesting it will in fact fail with "no mechanism available"...

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

From devel at fashioncontent.com Sun Sep 17 19:42:49 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Sun, 17 Sep 2006 20:42:49 +0100
Subject: [Fedora-directory-users] How to make anonymous SASL work?
References: <00a601c6da64$7b07eea0$0509a8c0@tinkerbell> <450D6F67.7070001@redhat.com>
Message-ID: <011a01c6da91$74f404e0$0509a8c0@tinkerbell>

>>> You can either pass the "-x" switch to ldapsearch to use plaintext auth,
>>> or use the ldapsearch that comes with the directory server (probably in
>>> /opt/fedora-ds/shared/bin).
> /usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....
>
> ldapsearch by default will attempt a SASL bind, using the best mechanism
> available. To disable this behavior, and force the openldap command
> line tools to use SIMPLE binddn/password auth, you have to specify the
> -x argument.

Ok tried that and it seemed to work except I can't get it to return any data (I have 3 users defined) when I use the ldapsearch which comes with fedora-ds. The OpenLDAP ldapsearch works as expected.

testsaslauthd still doesn't work though.

I must admit it seems a bit worrying that a vanilla mailserver setup is this hard. Am I the only one that would use Fedora DS for authenticating IMAP users?

Henrik

From rmeggins at redhat.com Sun Sep 17 23:19:52 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Sun, 17 Sep 2006 17:19:52 -0600
Subject: [Fedora-directory-users] How to make anonymous SASL work?
In-Reply-To: <011a01c6da91$74f404e0$0509a8c0@tinkerbell>
References: <00a601c6da64$7b07eea0$0509a8c0@tinkerbell> <450D6F67.7070001@redhat.com> <011a01c6da91$74f404e0$0509a8c0@tinkerbell>
Message-ID: <450DD818.5000900@redhat.com>

devel - Fashion Content wrote:
>>>> You can either pass the "-x" switch to ldapsearch to use plaintext
>>>> auth,
>>>> or use the ldapsearch that comes with the directory server (probably in
>>>> /opt/fedora-ds/shared/bin).
>> /usr/bin/ldapsearch -x -D "bind dn" -w bindpassword .....
>>
>> ldapsearch by default will attempt a SASL bind, using the best mechanism
>> available. To disable this behavior, and force the openldap command
>> line tools to use SIMPLE binddn/password auth, you have to specify the
>> -x argument.
>
> Ok tried that and it seemed to work except I can't get it to return
> any data (I have 3 users defined) when I use the
> ldapsearch which comes with fedora-ds. The OpenLDAP ldapsearch works
> as expected.

Can you post the exact command lines that you used and the output you got?

> testsaslauthd still doesn't work though.

I'm not really sure what that does. Fedora DS supports SASL - EXTERNAL (i.e. client cert auth, if you configure the server for SSL), DIGEST-MD5 (with clear text passwords in the db), and GSSAPI (i.e. Kerberos).

> I must admit it seems a bit worrying that a vanilla mailserver setup
> is this hard.
> Am I the only one that would use Fedora DS for authenticating IMAP users?
>
> Henrik
From nhosoi at redhat.com Mon Sep 18 16:34:27 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 18 Sep 2006 09:34:27 -0700
Subject: [Fedora-directory-users] Simple SASL configuration
In-Reply-To: <007d01c6da5f$f5a86540$0509a8c0@tinkerbell>
References: <007d01c6da5f$f5a86540$0509a8c0@tinkerbell>
Message-ID: <450ECA93.1020402@redhat.com>

devel - Fashion Content wrote:
> How do I configure the directory to work with SASL? Any descriptions
> somewhere? I noticed several comments
> on the list hinting that I have missed some existing documentation
> besides the manuals and googling.

Did you have a chance to see these docs?
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#996824
http://directory.fedora.redhat.com/wiki/Howto:Kerberos

Thanks,
--noriko

> I don't really care what setup, I just want to be able to authenticate
> against the directory somehow.
>
> Henrik

From devel at fashioncontent.com Mon Sep 18 17:19:29 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Mon, 18 Sep 2006 18:19:29 +0100
Subject: [Fedora-directory-users] How to make anonymous SASL work?
References: <00a601c6da64$7b07eea0$0509a8c0@tinkerbell> <450D6F67.7070001@redhat.com> <011a01c6da91$74f404e0$0509a8c0@tinkerbell> <450DD818.5000900@redhat.com>
Message-ID: <016301c6db46$9b8e3660$0509a8c0@tinkerbell>

I have the mailserver and the directory on the same server. I have installed OpenLDAP client & libs and cyrus sasl.
Fedora DS ldapsearch is not on the path.
The Fedora DS now stores userPasswords as plaintext.

saslauthd run with: MECH=ldap, FLAGS=-c

saslauthd.conf:

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=People,dc=fashioncontent,dc=com
ldap_bind_dn: cn=Directory Manager,dc=fashioncontent,dc=com
ldap_bind_pw: secret

ldap_filter: (&(objectClass=inetorgperson)(uid=%u))
ldap_use_sasl: no
ldap_auth_method: bind
ldap_version: 3
ldap_debug: 3
ldap_verbose: on
log_level: 255

OpenLDAP ldapsearch: Shows userPassword results hashed, but otherwise shows the users I look up
OpenLDAP ldapsearch userPassword=secret: Success
Fedora ldapsearch: Fails to find anything
testsaslauthd -u devel -p secret: Fails to find anything, error code 32 I think

I haven't figured out how to make saslauthd report the ldap queries, so I know very little of what happens and the Fedora logs don't appear to help much more.

Henrik

From devel at fashioncontent.com Mon Sep 18 17:27:40 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Mon, 18 Sep 2006 18:27:40 +0100
Subject: [Fedora-directory-users] Simple SASL configuration
References: <007d01c6da5f$f5a86540$0509a8c0@tinkerbell> <450ECA93.1020402@redhat.com>
Message-ID: <017a01c6db47$be5a0790$0509a8c0@tinkerbell>

> From: "Noriko Hosoi"
>> How do I configure the directory to work with SASL? Any descriptions
>> somewhere, I noticed several comments on the list hinting that I have
>> missed some existing documentation besides the manuals and googling.
> Did you have a chance to see these docs?
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#996824
> http://directory.fedora.redhat.com/wiki/Howto:Kerberos

Interesting, but isn't it more prudent to get the simplest configuration working first?

Or is getting cyrus-sasl to work difficult?

I currently see a potential conflict between open ldap client + cyrus-sasl vs Fedora ldap + sasl.

I'm not sure to what extent there actually is a conflict, but it's definitely confusing.
Henrik

From nhosoi at redhat.com Mon Sep 18 18:47:41 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 18 Sep 2006 11:47:41 -0700
Subject: [Fedora-directory-users] Simple SASL configuration
In-Reply-To: <017a01c6db47$be5a0790$0509a8c0@tinkerbell>
References: <007d01c6da5f$f5a86540$0509a8c0@tinkerbell> <450ECA93.1020402@redhat.com> <017a01c6db47$be5a0790$0509a8c0@tinkerbell>
Message-ID: <450EE9CD.6080603@redhat.com>

devel - Fashion Content wrote:
>> From: "Noriko Hosoi"
>>> How do I configure the directory to work with SASL? Any descriptions
>>> somewhere, I noticed several comments on the list hinting that I have
>>> missed some existing documentation besides the manuals and googling.
>>
>> Did you have a chance to see these docs?
>> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#996824
>> http://directory.fedora.redhat.com/wiki/Howto:Kerberos
>
> Interesting, but isn't it more prudent to get the simplest
> configuration working first?
>
> Or is getting cyrus-sasl to work difficult?
>
> I currently see a potential conflict between open ldap client +
> cyrus-sasl vs Fedora ldap + sasl.
>
> I'm not sure to what extent there actually is a conflict, but it's
> definitely confusing.

What symptom do you have? Do you get error messages from your client tools? Do you see any errors in the errors log and/or access log in the Fedora Directory Server?

BTW, Fedora DS uses cyrus sasl v2.1.20.
--noriko

> Henrik
From devel at fashioncontent.com Mon Sep 18 20:28:13 2006
From: devel at fashioncontent.com (devel - Fashion Content)
Date: Mon, 18 Sep 2006 21:28:13 +0100
Subject: [Fedora-directory-users] Simple SASL configuration
References: <007d01c6da5f$f5a86540$0509a8c0@tinkerbell> <450ECA93.1020402@redhat.com> <017a01c6db47$be5a0790$0509a8c0@tinkerbell> <450EE9CD.6080603@redhat.com>
Message-ID: <019701c6db60$f7420440$0509a8c0@tinkerbell>

> From: "Noriko Hosoi"
>> I currently see a potential conflict between open ldap client +
>> cyrus-sasl vs Fedora ldap + sasl.
>>
>> I'm not sure to what extent there actually is a conflict, but it's
>> definitely confusing.
> What symptom do you have? Do you get error messages from your client
> tools? Do you see any errors in the errors log and/or access log in the
> Fedora Directory Server?

OpenLDAP ldapsearch: Shows userPassword results hashed, but otherwise shows the users I look up
OpenLDAP ldapsearch userPassword=secret: Success
Fedora ldapsearch: Fails to find anything
testsaslauthd -u devel -p secret: Fails to find anything, error code 32 I think

I haven't figured out how to make saslauthd report the ldap queries, so I know very little of what happens and the Fedora logs don't appear to help much more.

> BTW, Fedora DS uses cyrus sasl v2.1.20.

Interesting. I have installed cyrus sasl using yum, will that be another installation than the one Fedora DS uses? Will it use different conf files?

I wouldn't be at all surprised if the problem is down to me configuring the wrong ldap+sasl combination.
Henrik

From nhosoi at redhat.com Mon Sep 18 21:37:15 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 18 Sep 2006 14:37:15 -0700
Subject: [Fedora-directory-users] Simple SASL configuration
In-Reply-To: <019701c6db60$f7420440$0509a8c0@tinkerbell>
References: <007d01c6da5f$f5a86540$0509a8c0@tinkerbell> <450ECA93.1020402@redhat.com> <017a01c6db47$be5a0790$0509a8c0@tinkerbell> <450EE9CD.6080603@redhat.com> <019701c6db60$f7420440$0509a8c0@tinkerbell>
Message-ID: <450F118B.8070802@redhat.com>

devel - Fashion Content wrote:
> [...]
> OpenLDAP ldapsearch: Shows userPassword results hashed, but otherwise shows
> the users I look up
> OpenLDAP ldapsearch userPassword=secret: Success
> Fedora ldapsearch: Fails to find anything

??? Users are not stored in the Fedora DS? Or auth as the user with the password fails and does not return anything?

If you run this command, what mechanism list do you get? Is the mechanism you are trying to use on the list?

$ cd /opt/fedora-ds/shared/bin
$ ./ldapsearch -p -D -w -b "" -s base "(objectclass=*)" supportedSASLMechanisms
version: 1
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5

> testsaslauthd -u devel -p secret: Fails to find anything, error code 32 I
> think
>
> I haven't figured out how to make saslauthd report the ldap queries, so I
> know very little of what happens and the Fedora logs
> don't appear to help much more.
>
>> BTW, Fedora DS uses cyrus sasl v2.1.20.
>
> Interesting. I have installed cyrus sasl using yum, will that be
> another installation than the one Fedora DS uses? Will it use different conf files?
>
> I wouldn't be at all surprised if the problem is down to me
> configuring the wrong ldap+sasl combination.
> Henrik

From oscar.valdez at duraflex-politex.com Mon Sep 18 23:20:52 2006
From: oscar.valdez at duraflex-politex.com (Oscar A. Valdez)
Date: Mon, 18 Sep 2006 17:20:52 -0600
Subject: [Fedora-directory-users] Paths to executables and libraries
Message-ID: <1158621653.2166.66.camel@wzowski.duraflex-politex.com>

My installation of fedora-ds-1.0.1-1.RHEL4 puts executables in /opt/fedora-ds/shared/bin/ and libraries in /opt/fedora-ds/shared/lib/.

What would you all recommend as a "proper" way of modifying the $PATH variable and of linking to the DS libraries?
--
Oscar A. Valdez

From nhosoi at redhat.com Mon Sep 18 23:40:51 2006
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 18 Sep 2006 16:40:51 -0700
Subject: [Fedora-directory-users] Paths to executables and libraries
In-Reply-To: <1158621653.2166.66.camel@wzowski.duraflex-politex.com>
References: <1158621653.2166.66.camel@wzowski.duraflex-politex.com>
Message-ID: <450F2E83.5000003@redhat.com>

Oscar A. Valdez wrote:
> My installation of fedora-ds-1.0.1-1.RHEL4 puts executables
> in /opt/fedora-ds/shared/bin/ and libraries
> in /opt/fedora-ds/shared/lib/.
>
> What would you all recommend as a "proper" way of modifying the $PATH
> variable and of linking to the DS libraries?
If you don't mind overriding the system ldap commands, which are normally located in /usr/bin, you could do

$ export PATH=/opt/fedora-ds/shared/bin:$PATH
$ export LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib:$LD_LIBRARY_PATH

Alternatively, you could go to the directory /opt/fedora-ds/shared/bin, and run the command line interface:

$ cd /opt/fedora-ds/shared/bin; ./ldapsearch

This way, the library path is taken care of by rpath.

If you don't want to make the fedora-ds command line utilities conflict with the system ones, you may want to make a script file (for each command) and set the to your path...
--noriko

From gmessmer at u.washington.edu Tue Sep 19 16:55:19 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Tue, 19 Sep 2006 09:55:19 -0700
Subject: [Fedora-directory-users] configuration directory registration
Message-ID: <451020F7.4090801@u.washington.edu>

Suppose that I have a slapd instance that failed to register itself with the configuration directory due to a bad password, or that I have an instance that I'd like to move to a different configuration directory. Is it possible to re-register an instance with the configuration directory? If not, should I attempt to create an LDIF with the required info and register it manually? I'd prefer to avoid removing the instance and setting it up again if it's possible and not onerous.

From greed at us.ibm.com Tue Sep 19 17:16:02 2006
From: greed at us.ibm.com (Gary Reed)
Date: Tue, 19 Sep 2006 12:16:02 -0500
Subject: [Fedora-directory-users] startconsole errors
Message-ID:

Trying to start the console after successful installation of fedora-ds-1.0.2-1.RHEL4 on RHEL4 ES update 4. The admin server is running correctly also.
Getting this error:

# /opt/fedora-ds/startconsole
The java class is not found: com/netscape/management/client/console/Console

I've tried Sun's JRE v1.4.2-11 also and get similar error.

# java -version
java version "1.4.2"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2)
Classic VM (build 1.4.2, J2RE 1.4.2 IBM build cxia32142-20050929 (SR3) (JIT enabled: jitc))

# echo $JAVA_HOME
/opt/IBMJava2-142/jre

Ideas?

Gary Reed
Integrated Technology Delivery, Server Operations
E-Mail: greed at us.ibm.com

From gmessmer at u.washington.edu Tue Sep 19 17:26:57 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Tue, 19 Sep 2006 10:26:57 -0700
Subject: [Fedora-directory-users] startconsole errors
In-Reply-To:
References:
Message-ID: <45102861.4060907@u.washington.edu>

Gary Reed wrote:
> # /opt/fedora-ds/startconsole
> The java class is not found:
> com/netscape/management/client/console/Console

Try:

cd /opt/fedora-ds
./startconsole

From mj at sci.fi Tue Sep 19 20:11:14 2006
From: mj at sci.fi (Mike Jackson)
Date: Tue, 19 Sep 2006 23:11:14 +0300
Subject: [Fedora-directory-users] configuration directory registration
In-Reply-To: <451020F7.4090801@u.washington.edu>
References: <451020F7.4090801@u.washington.edu>
Message-ID: <45104EE2.8030409@sci.fi>

Gordon Messmer wrote:
> Suppose that I have a slapd instance that failed to register itself with
> the configuration directory due to a bad password, or that I have an
> instance that I'd like to move to a different configuration directory.
> Is it possible to re-register an instance with the configuration
> directory? If not, should I attempt to create an LDIF with the required
> info and register it manually? I'd prefer to avoid removing the
> instance and setting it up again if it's possible and not onerous.

It is onerous, very onerous indeed. For this reason, I stopped using a centralized configuration directory, and set each server to use itself as the configuration directory.
--
mike

From ABliss at preferredcare.org Tue Sep 19 21:50:53 2006
From: ABliss at preferredcare.org (Bliss, Aaron)
Date: Tue, 19 Sep 2006 17:50:53 -0400
Subject: [Fedora-directory-users] Getting ready to setup synchronization between AD and FDS
Message-ID:

Hi everyone, we've been running fds now for about 8 months or so, things are going great, we have supplier/consumer replication agreement setup between 2 fds servers; I would like to start looking at the password synchronization piece between active directory and fds; we have a 2003 domain setup running in native mode; the domain and ldap root dn are the same. Are there any gotchas that I need to be aware of before setting up the password synchronization service? Will the password synchronization piece allow for encrypted replication between fds and AD (currently the fds servers are using a self signed cert for encryption). Thanks very much for your help.

Aaron
From Dirk.Kastens at uni-osnabrueck.de Wed Sep 20 06:52:28 2006
From: Dirk.Kastens at uni-osnabrueck.de (Dirk Kastens)
Date: Wed, 20 Sep 2006 08:52:28 +0200
Subject: [Fedora-directory-users] Getting ready to setup synchronization between AD and FDS
In-Reply-To:
References:
Message-ID: <4510E52C.6040804@uni-osnabrueck.de>

Hi Aaron,

Bliss, Aaron wrote:
> Will the password synchronization
> piece allow for encrypted replication between fds and AD (currently the
> fds servers are using a self signed cert for encryption). Thanks very
> much for your help.

The password synchronization ONLY works with encryption, because windows won't let you synchronize passwords over an unencrypted connection. Installing the certificate on the AD server is a bit tricky. It has to be in a special format. The procedure for securing Active Directory is described in a Microsoft document. The Fedora part is described in the RedHat Directory Server Administrator's Guide.

Best wishes,
Dirk Kastens

From dzfds at hemiola.org Wed Sep 20 16:12:37 2006
From: dzfds at hemiola.org (Daniel Sanders Zuckerman)
Date: Wed, 20 Sep 2006 12:12:37 -0400
Subject: [Fedora-directory-users] solaris client
Message-ID: <1158768757.9923.32.camel@spock>

Greetings listers, I have a stumper: I set up f-ds on CentOS 4.3, and got it working perfectly happy with authenticating users on my linux boxen. Once that was working, I started trying to get a solaris box to authenticate, following the advice in the f-ds wiki. I have a test script that is able to read the database from the solaris box (with ssl) - that works fine. But when I start ldap.client (with and w/o ssl) on the solaris box, the f-ds server goes away, and the logs don't seem to indicate anything. Any ideas?

Daniel

From oscar.valdez at duraflex-politex.com Wed Sep 20 19:13:42 2006
From: oscar.valdez at duraflex-politex.com (Oscar A.
Valdez)
Date: Wed, 20 Sep 2006 13:13:42 -0600
Subject: [Fedora-directory-users] Paths to executables and libraries
In-Reply-To: <450F2E83.5000003@redhat.com>
References: <1158621653.2166.66.camel@wzowski.duraflex-politex.com> <450F2E83.5000003@redhat.com>
Message-ID: <1158779623.2125.10.camel@wzowski.duraflex-politex.com>

On Mon, 18-09-2006 at 16:40 -0700, Noriko Hosoi wrote:
> Oscar A. Valdez wrote:
>
>> My installation of fedora-ds-1.0.1-1.RHEL4 puts executables
>> in /opt/fedora-ds/shared/bin/ and libraries
>> in /opt/fedora-ds/shared/lib/.
>>
>> What would you all recommend as a "proper" way of modifying the $PATH
>> variable and of linking to the DS libraries?
>
> If you don't mind overriding the system ldap commands, which are
> normally located in /usr/bin, you could do
> $ export PATH=/opt/fedora-ds/shared/bin:$PATH

I don't seem to have any ldap binaries in /usr/bin. Which ones are you referring to?

> $ export LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib:$LD_LIBRARY_PATH

Using LD_LIBRARY_PATH is supposed to be "A Bad Thing". Why not

# ldconfig /opt/fedora-ds/shared/lib

Thanks for your reply.
--
Oscar A. Valdez
Industrias Duraflex, S.A. de C.V.

From gmessmer at u.washington.edu Wed Sep 20 21:52:59 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Wed, 20 Sep 2006 14:52:59 -0700
Subject: [Fedora-directory-users] GSSAPI mapping
Message-ID: <4511B83B.20005@u.washington.edu>

I'm migrating from OpenLDAP to FDS, soon, and I'm trying to establish an entirely compatible Kerberos auth configuration on the new system. User authentication wasn't really a problem, but we have one application which uses a kerberos principal which doesn't map to a DN on the old system.
I'm using this ACI (among others, naturally) on the base DN:

dn: dc=ee,dc=washington,dc=edu
aci: (version 3.0; acl "Allow all writes by admin users and web form"; allow (all) userdn="ldap:///uid=*/admin,cn=GSSAPI,cn=auth || ldap:///uid=application/hostname.ee.washington.edu,cn=GSSAPI,cn=auth";)

My only SASL mapping rule is this:

dn: cn=Kerberos mapping,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos mapping
nsSaslMapRegexString: uid=([^/]*),cn=GSSAPI,cn=auth
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=ee,dc=washington,dc=edu
nsSaslMapFilterTemplate: objectClass=inetOrgPerson

For the application, the obvious simple "out" seems to be creating a new entry for the application, under "people", but I don't know how the "admin" tickets will work. I'm guessing that I need a "default" mapping, but SASL and GSSAPI are documented rather poorly for FDS, and it's not clear to me exactly what I need to do here.

From rmeggins at redhat.com Thu Sep 21 03:43:44 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 20 Sep 2006 21:43:44 -0600
Subject: [Fedora-directory-users] Paths to executables and libraries
In-Reply-To: <1158779623.2125.10.camel@wzowski.duraflex-politex.com>
References: <1158621653.2166.66.camel@wzowski.duraflex-politex.com> <450F2E83.5000003@redhat.com> <1158779623.2125.10.camel@wzowski.duraflex-politex.com>
Message-ID: <45120A70.2020807@redhat.com>

Oscar A. Valdez wrote:
> On Mon, 18-09-2006 at 16:40 -0700, Noriko Hosoi wrote:
>
>> Oscar A. Valdez wrote:
>>
>>> My installation of fedora-ds-1.0.1-1.RHEL4 puts executables
>>> in /opt/fedora-ds/shared/bin/ and libraries
>>> in /opt/fedora-ds/shared/lib/.
>>>
>>> What would you all recommend as a "proper" way of modifying the $PATH
>>> variable and of linking to the DS libraries?
>> If you don't mind overriding the system ldap commands, which are
>> normally located in /usr/bin, you could do
>> $ export PATH=/opt/fedora-ds/shared/bin:$PATH
>
> I don't seem to have any ldap binaries in /usr/bin. Which ones are you
> referring to?

Hm - you must not have the openldap client or tools package installed.

>> $ export LD_LIBRARY_PATH=/opt/fedora-ds/shared/lib:$LD_LIBRARY_PATH
>
> Using LD_LIBRARY_PATH is supposed to be "A Bad Thing". Why not
> # ldconfig /opt/fedora-ds/shared/lib

That works too, as long as you can guarantee that having those libraries in the default path won't mess up other apps e.g. on RHEL4 Firefox and Thunderbird use private copies of nspr, nss, and mozldap, which are different versions than those in /opt/fedora-ds/shared/lib.

> Thanks for your reply.

From del at babel.com.au Thu Sep 21 05:43:49 2006
From: del at babel.com.au (Del)
Date: Thu, 21 Sep 2006 15:43:49 +1000
Subject: [Fedora-directory-users] cryptocard and FDS
Message-ID: <45122695.80307@babel.com.au>

Hi all,

I'm looking for a way forwards to get cryptocard (http://www.cryptocard.com/) authentication working for a client who uses FDS. There are a number of possibilities that I'm thinking of, but here are the basics:

* Cryptocard has its own authentication server, but provides a PAM module for Linux. Therefore it should be possible to use the PAM passthru FDS module mentioned here a while back:
  http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/?root=dirsec

* Cryptocard apparently supports a RADIUS style authentication. Perhaps use SASL in some way that back ends on to RADIUS?

Has anyone any other ideas or can suggest a best way of doing this?
--
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9368 0728
fax: 02 9368 0758

From rmeggins at redhat.com Thu Sep 21 14:57:00 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 21 Sep 2006 08:57:00 -0600
Subject: [Fedora-directory-users] How to make anonymous SASL work?
In-Reply-To: <016301c6db46$9b8e3660$0509a8c0@tinkerbell>
References: <00a601c6da64$7b07eea0$0509a8c0@tinkerbell> <450D6F67.7070001@redhat.com> <011a01c6da91$74f404e0$0509a8c0@tinkerbell> <450DD818.5000900@redhat.com> <016301c6db46$9b8e3660$0509a8c0@tinkerbell>
Message-ID: <4512A83C.5080105@redhat.com>

devel - Fashion Content wrote:
> I have the mailserver and the directory on the same server.
>
> I have installed OpenLDAP client & libs and cyrus sasl.
> Fedora DS ldapsearch is not on the path.
> The Fedora DS now stores userPasswords as plaintext.
>
> saslauthd run with: MECH=ldap, FLAGS=-c
>
> saslauthd.conf:
>
> ldap_servers: ldap://127.0.0.1
> ldap_search_base: ou=People,dc=fashioncontent,dc=com
> ldap_bind_dn: cn=Directory Manager,dc=fashioncontent,dc=com
> ldap_bind_pw: secret
>
> ldap_filter: (&(objectClass=inetorgperson)(uid=%u))
> ldap_use_sasl: no
> ldap_auth_method: bind
> ldap_version: 3
> ldap_debug: 3
> ldap_verbose: on
> log_level: 255
>
> OpenLDAP ldapsearch: Shows userPassword results hashed, but otherwise
> shows the users I look up
> OpenLDAP ldapsearch userPassword=secret: Success
> Fedora ldapsearch: Fails to find anything
> testsaslauthd -u devel -p secret: Fails to find anything, error code
> 32 I think

It would be helpful if you could post the exact ldapsearch command line that you used both for openldap and for fedora ds, along with the exact output, or an excerpt of a few lines at least.

> I haven't figured out how to make saslauthd report the ldap queries,
> so I know very little of what happens and the Fedora logs
> don't appear to help much more.
The fedora ds access log will show the tcp socket connection/disconnection and peer IP address, the BIND request and result, and the SRCH request and result. If you need help interpreting the log output, please post an excerpt to this list.

> Henrik

From smooge at gmail.com Thu Sep 21 17:46:17 2006
From: smooge at gmail.com (Stephen John Smoogen)
Date: Thu, 21 Sep 2006 11:46:17 -0600
Subject: [Fedora-directory-users] cryptocard and FDS
In-Reply-To: <45122695.80307@babel.com.au>
References: <45122695.80307@babel.com.au>
Message-ID: <80d7e4090609211046u1584fe70p81912001aa27d1c7@mail.gmail.com>

On 9/20/06, Del wrote:
> Hi all,
>
> I'm looking for a way forwards to get cryptocard (http://www.cryptocard.com/)
> authentication working for a client who uses FDS. There are a number of
> possibilities that I'm thinking of, but here are the basics:

I do not have any FDS experience at this moment, but some cryptocard experience. In most cases you will want the cryptocard server to be 'frontended' by other servers to keep it from getting overwhelmed in a large environment (or dealing with security concerns).

                        |-RADIUS Server ----|
[CRYPTOCARD-SERVER] ----|                   |---client1
                        |-Kerberos Server---|
                        |                   |---client2
                        |-LDAP-Servers------|

[Hope the ascii art works out]

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"

From pbruna at it-linux.cl Thu Sep 21 20:19:47 2006
From: pbruna at it-linux.cl (Patricio A.
Bruna)
Date: Thu, 21 Sep 2006 16:19:47 -0400 (CLT)
Subject: [Fedora-directory-users] Command line replication setup
Message-ID: <26854810.2711158869987128.JavaMail.root@lisa.it-linux.cl>

Hi,
Anyone knows how I can setup replication from the command line instead of using the console?

thanks

----------------------------
Patricio Bruna V.
Red Hat Certified Engineer
IT Linux Ltda.
http://www.it-linux.cl
Phone: (+56-2) 333 0051
Mobile: (+56-09) 8288 5195

From david_list at boreham.org Thu Sep 21 20:29:47 2006
From: david_list at boreham.org (David Boreham)
Date: Thu, 21 Sep 2006 14:29:47 -0600
Subject: [Fedora-directory-users] cryptocard and FDS
In-Reply-To: <45122695.80307@babel.com.au>
References: <45122695.80307@babel.com.au>
Message-ID: <4512F63B.4090308@boreham.org>

> * Cryptocard has its own authentication server, but provides a PAM
> module for Linux. Therefore it should be possible to use the PAM passthru
> FDS module mentioned here a while back:
> http://cvs.fedora.redhat.com/viewcvs/ldapserver/ldap/servers/plugins/pam_passthru/?root=dirsec
>
> * Cryptocard apparently supports a RADIUS style authentication.
> Perhaps use SASL in some way that back ends on to RADIUS?
>
> Has anyone any other ideas or can suggest a best way of doing this?

Does this help?:
http://www.cryptocard.com/index.cfm?pid=493&pagename=LDAP%20Authentication%20Example

If you want to have LDAP client binds use cryptocard authentication then you would need a SASL plugin (or possibly PAM, if the exchange is one-way as in SecurID). Cryptocard folks don't seem to have considered this need in their literature (which seems strange since it would give them much wider application support without much work).
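The "Paths to executables and libraries" exchange above (Noriko's per-command wrapper scripts, Oscar's ldconfig alternative and Richard's warning about Firefox and Thunderbird carrying private nspr/nss copies) as an added example; this is not code from the list or from Fedora DS. It writes the wrappers, which confine LD_LIBRARY_PATH to one child process, and runs the check a practitioner would want before handing /opt/fedora-ds/shared/lib to ldconfig: which sonames there already resolve from the system loader cache. The fds- wrapper prefix and the sample `ldconfig -p` text are assumptions.

```python
"""Wrapper scripts and a pre-flight ldconfig check for a private library
directory such as /opt/fedora-ds/shared/lib (added example)."""
import os
import stat
import subprocess
import tempfile

FDS_BIN = "/opt/fedora-ds/shared/bin"
FDS_LIB = "/opt/fedora-ds/shared/lib"


def write_wrapper(command, out_dir, fds_bin=FDS_BIN, fds_lib=FDS_LIB):
    """Write out_dir/fds-<command> (prefix is an assumption): a POSIX sh script
    that execs the Fedora DS binary with LD_LIBRARY_PATH set for that one
    process only. The system /usr/bin/<command> stays first in PATH and is
    untouched. Returns the wrapper's path."""
    path = os.path.join(out_dir, f"fds-{command}")
    script = (
        "#!/bin/sh\n"
        f"LD_LIBRARY_PATH={fds_lib}${{LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}} "
        f'exec {fds_bin}/{command} "$@"\n'
    )
    with open(path, "w") as fh:
        fh.write(script)
    mode = os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    os.chmod(path, mode)
    return path


def parse_ldconfig_cache(text):
    """Parse `ldconfig -p` output ("soname (flags) => path" per line) into
    {soname: path}. The header line has no "=>" and is skipped; the first
    occurrence of a soname is kept."""
    cache = {}
    for line in text.splitlines():
        if "=>" not in line:
            continue
        left, _, right = line.partition("=>")
        cache.setdefault(left.split()[0], right.strip())
    return cache


def soname_collisions(lib_dir, cache):
    """Return sorted (soname, path_already_in_cache) pairs for every shared
    object in lib_dir that the loader cache already resolves under the same
    name. After `ldconfig lib_dir` each of these becomes a second candidate
    for every program loading that soname, which is the conflict Richard
    describes for Firefox/Thunderbird and their private nspr/nss copies."""
    return sorted(
        (name, cache[name])
        for name in os.listdir(lib_dir)
        if ".so" in name and name in cache
    )


def live_collisions(lib_dir):
    """The same check against this machine's real cache (`ldconfig -p`)."""
    try:
        out = subprocess.run(["ldconfig", "-p"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:  # not a glibc system
        return []
    return soname_collisions(lib_dir, parse_ldconfig_cache(out))


# Constructed sample, not captured from a real host: a cache as a RHEL4-era
# box with the distribution's own NSS/NSPR in /usr/lib might show it.
SAMPLE_CACHE = (
    "3 libs found in cache `/etc/ld.so.cache'\n"
    "\tlibnss3.so (libc6) => /usr/lib/libnss3.so\n"
    "\tlibnspr4.so (libc6) => /usr/lib/libnspr4.so\n"
    "\tlibz.so.1 (libc6) => /usr/lib/libz.so.1\n"
)


def demo_collisions():
    """Stand-in for /opt/fedora-ds/shared/lib built from empty placeholder
    files, checked against SAMPLE_CACHE: libnss3.so and libnspr4.so collide,
    libjss3.so is private to Fedora DS and does not."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("libnss3.so", "libnspr4.so", "libjss3.so"):
            open(os.path.join(d, name), "w").close()
        return soname_collisions(d, parse_ldconfig_cache(SAMPLE_CACHE))


def demo_wrapper(command="ldapsearch"):
    """Write one wrapper into a scratch directory; return its file name,
    whether the owner execute bit is set, and its text."""
    with tempfile.TemporaryDirectory() as d:
        path = write_wrapper(command, d)
        with open(path) as fh:
            text = fh.read()
        executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
        return os.path.basename(path), executable, text


if __name__ == "__main__":
    for soname, path in demo_collisions():
        print(f"{soname} already resolves to {path}")
    print(demo_wrapper()[2], end="")
```

`ldconfig DIR` is also not persistent: the next plain `ldconfig` run rebuilds the cache without DIR unless it is listed in /etc/ld.so.conf, which is one more reason to prefer the scoped wrappers.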
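Gordon's "GSSAPI mapping" question above, as an added example (not Fedora DS code): a small model of how an nsSaslMapping rule turns a SASL identity into a base DN and filter, and why his regex leaves the */admin and application/host principals unmapped. Python's re stands in for the server's own regex engine, the identity format uid=<principal>,cn=GSSAPI,cn=auth is taken from his regex, and the admin-instance rule and the directory entries are hypothetical.

```python
"""Model of Fedora DS SASL identity mapping (added example, not server code):
the regex in nsSaslMapRegexString is matched against the SASL identity, its
capture groups are substituted into nsSaslMapBaseDNTemplate and
nsSaslMapFilterTemplate, and the resulting search must return one entry."""
import re
from dataclasses import dataclass


@dataclass
class SaslMapping:
    cn: str
    regex: str      # nsSaslMapRegexString
    base_dn: str    # nsSaslMapBaseDNTemplate, may use \1, \2, ...
    filter_: str    # nsSaslMapFilterTemplate, may use \1, \2, ...

    def apply(self, identity):
        """Return (base_dn, filter) with groups substituted, or None when the
        regex does not match. Python's re stands in for the server's regex
        engine and anchoring rules (an assumption)."""
        m = re.search(self.regex, identity)
        if m is None:
            return None
        return m.expand(self.base_dn), m.expand(self.filter_)


def _norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under(dn, base):
    """Subtree test: dn equals base or lies beneath it."""
    dn, base = _norm_dn(dn), _norm_dn(base)
    return dn == base or dn.endswith("," + base)


def _matches(attrs, filt):
    """Evaluate one attr=value equality filter (optional parentheses),
    case-insensitively; enough for the objectClass filters in the thread."""
    attr, _, value = filt.strip("()").partition("=")
    for key, vals in attrs.items():
        if key.lower() == attr.strip().lower():
            return value.strip().lower() in (v.lower() for v in vals)
    return False


def resolve(identity, mappings, entries):
    """Try the rules in order; the first regex that matches decides base DN
    and filter, and the identity maps only when exactly one entry under that
    base satisfies the filter. Returns ("mapped", dn), ("no-entry", base_dn),
    ("ambiguous", count) or ("no-rule", None)."""
    for rule in mappings:
        hit = rule.apply(identity)
        if hit is None:
            continue
        base_dn, filt = hit
        found = [dn for dn, attrs in entries
                 if _under(dn, base_dn) and _matches(attrs, filt)]
        if len(found) == 1:
            return "mapped", found[0]
        return ("no-entry", base_dn) if not found else ("ambiguous", len(found))
    return "no-rule", None


# Gordon's rule, copied from his post. [^/]* cannot cross a slash, so
# principals with an instance (gordon/admin, application/hostname...) never
# match it and fall through unmapped.
GORDON_RULE = SaslMapping(
    "Kerberos mapping",
    r"uid=([^/]*),cn=GSSAPI,cn=auth",
    r"uid=\1,ou=people,dc=ee,dc=washington,dc=edu",
    "objectClass=inetOrgPerson",
)
# Hypothetical extra rule (not from the thread): send */admin principals to
# a separate entry, so ACIs can keep telling admin and user binds apart.
ADMIN_RULE = SaslMapping(
    "Kerberos admin instance mapping",
    r"uid=([^/]*)/admin,cn=GSSAPI,cn=auth",
    r"uid=\1,ou=admins,dc=ee,dc=washington,dc=edu",
    "objectClass=inetOrgPerson",
)
# A base DN that is too wide matches both entries below: unresolvable bind.
WIDE_RULE = SaslMapping(
    "too wide", r"uid=([^/]*),cn=GSSAPI,cn=auth",
    "dc=ee,dc=washington,dc=edu", "objectClass=inetOrgPerson",
)
# Constructed entries standing in for the directory.
PERSON = {"objectClass": ["top", "person", "inetOrgPerson"], "uid": ["gordon"]}
ENTRIES = [
    ("uid=gordon,ou=people,dc=ee,dc=washington,dc=edu", PERSON),
    ("uid=gordon,ou=admins,dc=ee,dc=washington,dc=edu", PERSON),
]
IDENTITIES = [
    "uid=gordon,cn=GSSAPI,cn=auth",
    "uid=gordon/admin,cn=GSSAPI,cn=auth",
    "uid=application/hostname.ee.washington.edu,cn=GSSAPI,cn=auth",
]


def demo(mappings=(GORDON_RULE,)):
    """Resolve each sample identity with the given rule list."""
    return {i: resolve(i, list(mappings), ENTRIES) for i in IDENTITIES}


if __name__ == "__main__":
    for label, rules in (("Gordon's rule only", (GORDON_RULE,)),
                         ("with admin rule", (GORDON_RULE, ADMIN_RULE))):
        print(label)
        for ident, outcome in demo(rules).items():
            print(f"  {ident} -> {outcome}")
```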
From prowley at redhat.com Thu Sep 21 21:14:25 2006
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 21 Sep 2006 14:14:25 -0700
Subject: [Fedora-directory-users] Command line replication setup
In-Reply-To: <26854810.2711158869987128.JavaMail.root@lisa.it-linux.cl>
References: <26854810.2711158869987128.JavaMail.root@lisa.it-linux.cl>
Message-ID: <451300B1.2010406@redhat.com>

Patricio A. Bruna wrote:
> Hi,
> Anyone knows how I can setup replication from the command line
> instead of using the console?

Yes.

> thanks
>
> ----------------------------
> Patricio Bruna V.
> Red Hat Certified Engineer
> IT Linux Ltda.
> http://www.it-linux.cl
> Phone: (+56-2) 333 0051
> Mobile: (+56-09) 8288 5195

--
Pete

From pbruna at it-linux.cl Fri Sep 22 12:07:46 2006
From: pbruna at it-linux.cl (Patricio A. Bruna)
Date: Fri, 22 Sep 2006 08:07:46 -0400 (CLT)
Subject: [Fedora-directory-users] Command line replication setup
In-Reply-To: <451300B1.2010406@redhat.com>
Message-ID: <31906224.2801158926866432.JavaMail.root@lisa.it-linux.cl>

I couldn't download the mmr.pl script.
By the way, I need to set up the replica (in silent mode) in the consumer and then initialize the replica, also in silent mode. Can this be made from script?

----- Original Message -----
From: Pete Rowley
To: General discussion list for the Fedora Directory server project.
Sent: Thursday, 21 September 2006 17:14 GMT-0400
Subject: Re: [Fedora-directory-users] Command line replication setup

Patricio A.
Bruna wrote:
Hi,
Anyone knows how I can setup replication from the command line instead of using the console?

Yes.

thanks

----------------------------
Patricio Bruna V.
Red Hat Certified Engineer
IT Linux Ltda.
http://www.it-linux.cl
Phone: (+56-2) 333 0051
Mobile: (+56-09) 8288 5195

--
Pete

From gmessmer at u.washington.edu Fri Sep 22 16:55:20 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Fri, 22 Sep 2006 09:55:20 -0700
Subject: [Fedora-directory-users] Command line replication setup
In-Reply-To: <26854810.2711158869987128.JavaMail.root@lisa.it-linux.cl>
References: <26854810.2711158869987128.JavaMail.root@lisa.it-linux.cl>
Message-ID: <45141578.9020804@u.washington.edu>

Patricio A. Bruna wrote:
> Hi,
> Anyone knows how I can setup replication from the command line
> instead of using the console?

Sure. First thing, create a replication account on the consumer:

ldapmodify -h consumer <

Message-ID: <22885444.2831158945279348.JavaMail.root@lisa.it-linux.cl>

Gordon,
Thank you very much.
I will try this. The initialization of the consumer I should do it with ldif2db.pl?

----- Original Message -----
From: Gordon Messmer
To: General discussion list for the Fedora Directory server project.
Sent: Friday, 22 September 2006 12:55 GMT-0400
Subject: Re: [Fedora-directory-users] Command line replication setup

Patricio A. Bruna wrote:
> Hi,
> Anyone knows how I can setup replication from the command line
> instead of using the console?

Sure.
First thing, create a replication account on the consumer:

ldapmodify -h consumer <

From gmessmer at u.washington.edu Fri Sep 22 17:29:37 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Fri, 22 Sep 2006 10:29:37 -0700
Subject: [Fedora-directory-users] Command line replication setup
In-Reply-To: <22885444.2831158945279348.JavaMail.root@lisa.it-linux.cl>
References: <22885444.2831158945279348.JavaMail.root@lisa.it-linux.cl>
Message-ID: <45141D81.8030301@u.washington.edu>

Patricio A. Bruna wrote:
> Gordon,
> Thank you very much.
> I will try this. The initialization of the consumer I should do it
> with ldif2db.pl?

No, the second part of the replication agreement that I posted starts a "refresh" of the consumer. You shouldn't need to do anything more.

From francois.beretti at gmail.com Fri Sep 22 17:53:42 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Fri, 22 Sep 2006 19:53:42 +0200
Subject: [Fedora-directory-users] Does userattr="parent[1].attribute#LDAPURL" work ?
Message-ID: <85d6be850609221053i500532f5ga5454251977a4b57@mail.gmail.com>

Hi all,

in the directory server access control documentation, it is said that the following aci syntax can be used:

(version 3.0; acl "test" allow (all) userattr = "parent[1].attribute#LDAPURL";)

I need exactly this feature for the LDAP support of my software. But in my tests, while userattr="url.#LDAPURL" does work, the use of the "parent" keyword does not work.

I use the class enatelUserReferer which allows the url attribute type.

The object under which I want to create another one is:
cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests

it is named by the nsuniqueid of the object:
uid=francois,dc=evidian,dc=fr

I want to give add access to this user, even if the user is renamed. So I want to use the nsuniqueid to find him.
In the url attribute I store : ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000) Here are the ACI set on my o=tests root suffix : dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer read access"; allow (read,search,compare) userdn="ldap:///all";) dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer add access"; allow (add) userdn="ldap:///all";) dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version 3.0; acl "enatelUserReferer personal acce ss"; allow (all) userattr="url#LDAPURL";) dn: o=tests changetype: modify add: aci aci: (targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version 3.0; acl "enatelUserManagedAuth acces s"; allow (all) userattr="parent[1].url#LDAPURL";) Then I bind as uid=francois,dc=evidian,dc=fr and try to create an enatelUserManagedAuth of DN : cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests I got access denied error. 
Here is the access control log of slapd : [22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in cache for dn:uid=francois,dc=evidian,dc=fr [22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14 binddn="uid=francois,dc=evidian,dc=fr" [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests: container:-1 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tes ts: container:-1 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for update:o=tests: container:26 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO STARTS ********* [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Client DN: uid=francois,dc=evidian,dc=fr [22/Sep/2006:17:35:28 +0200] NSACLPlugin - resource type:256(add target_DN ) [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN: cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ATTR: NULL [22/Sep/2006:17:35:28 +0200] NSACLPlugin - rights:add [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ************ RESOURCE INFO ENDS ********* [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for evaluation [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name: "enatelUserManagedAuth access"]*** [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692 ACL_ELEVEL:3 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read write delete add self target_attr target_fil ter acltxt allow_rule ) [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr ) [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests [22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL INFO***************************** [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY handles:0 [22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for 
entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests [22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) " "enatelUserManagedAuth access"" [22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval: AttrName:parent[1].url, attrVal:LDAPURL [22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add on entry(cn=auth,cn=5b74e802-1dd211b2-80e 4f010-e49d0000,o=tests).attr(NULL): no aci matched the subject by aci(692): aciname= "enatelUserManagedAuth access", acidn="o=tests" Where is the problem ? Thank you very much Fran?ois -------------- next part -------------- An HTML attachment was scrubbed... URL: From jorgecb at gmail.com Sat Sep 23 14:58:18 2006 From: jorgecb at gmail.com (Jorge Santos) Date: Sat, 23 Sep 2006 11:58:18 -0300 Subject: [Fedora-directory-users] [HELP] creating partition by command line Message-ID: Hello all, I tried create one partition by command line, but it doesn't work. And when I've tried to restart the console admin, it doesn's work too and when I did a search for cn=mapping tree,cn=config subtree, it didn't return anything. I Tried follow the tutorial at this site: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#17741 I Created the database for root suffix, the root suffix(dc=mg), sub suffix(ou=bh,dc=mg) and the database link(Contain a Referral for other Server) for sub suffix at Main Server . In the other server I created the root suffix(ou=bh,dc=mg) and the database for this root suffix. 
The LDIF's that i used for create these partitions as follow: ./ldapmodify -a -D "cn=directory manager" -w- -f /tmp/partition.ldif Configuration for the Main Server #Create the database dn: cn=particaoManual,cn=ldbm database,cn=plugins,cn=config objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: "ou=bh,dc=mg" #Create root suffix dn: cn="ou=bh,dc=mg",cn=mapping tree,cn=config objectclass: top objectclass: extensibleObject objectclass: nsMappingTree nsslapd-state: backend nsslapd-backend: particaoManual cn: ou=bh,dc=mg #Create sub suffix dn: cn="ou=bh,dc=mg",cn=mapping tree,cn=config objectclass: top objectclass: extensibleObject objectclass: nsMappingTree nsslapd-state: Referral nsslapd-referral: ldap://172.25.0.13:389/ou=bh,dc=mg nsslapd-backend: particaoLink nsslapd-parent-suffix: "dc=mg" cn: ou=bh,dc=mg #Create Database link dn: cn=particaoLink,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: ou=bh,dc=mg nsfarmserverurl: ldap://172.25.0.13:389/ nsmultiplexorbinddn: uid=replicator,cn=config nsmultiplexorcredentials: secret cn: particaoLink Configuration for the Other Server ./ldapmodify -a -D "cn=directory manager" -w- -f /tmp/subpartition.ldif #Create the database dn: cn=particaoManual,cn=ldbm database,cn=plugins,cn=config objectclass: extensibleObject objectclass: nsBackendInstance nsslapd-suffix: "ou=bh,dc=mg" #Create root suffix dn: cn="ou=bh,dc=mg",cn=mapping tree,cn=config objectclass: top objectclass: extensibleObject objectclass: nsMappingTree nsslapd-state: backend nsslapd-backend: particaoManual cn: ou=bh,dc=mg att, Jorge Santos -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From mj at sci.fi Sat Sep 23 15:29:08 2006 From: mj at sci.fi (Mike Jackson) Date: Sat, 23 Sep 2006 18:29:08 +0300 Subject: [Fedora-directory-users] Command line replication setup In-Reply-To: <31906224.2801158926866432.JavaMail.root@lisa.it-linux.cl> References: <31906224.2801158926866432.JavaMail.root@lisa.it-linux.cl> Message-ID: <451552C4.5040504@sci.fi> Patricio A. Bruna wrote: > i couldn't download the mmr.pl script. Sorry, web server was misbehaving. It's working now; try it again -- mike From francois.beretti at gmail.com Mon Sep 25 08:53:33 2006 From: francois.beretti at gmail.com (=?ISO-8859-1?Q?Fran=E7ois_Beretti?=) Date: Mon, 25 Sep 2006 10:53:33 +0200 Subject: [Fedora-directory-users] Re: Does userattr="parent[1].attribute#LDAPURL" work ? In-Reply-To: <85d6be850609221053i500532f5ga5454251977a4b57@mail.gmail.com> References: <85d6be850609221053i500532f5ga5454251977a4b57@mail.gmail.com> Message-ID: <85d6be850609250153q445bb430jaf7ce3506e67bdc2@mail.gmail.com> Hi again, since my first post may be complex, I made a much simpler sample, with standard objects. I created a root suffix 'o=bug' with two ACI: aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";) aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";) Then I added a user, uid=testuser,o=bug Then, an organizationalUnit, ou=testparentobject,o=bug with the description: ldap:///o=bug??sub?(uid=testuser) According the ACIs, testuser dhould be able to modify ou=testparentobject and to create child objects under it. But he only can modify it. I don't find where I made a mistake. I join you my LDIF files and LDAP commands. 
Thank you for your help Fran?ois Here are the LDIF files : ---------- o=bug dump ------- dn: o=bug aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";) aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";) aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";) o: bug objectClass: top objectClass: organization dn: uid=testuser,o=bug uid: testuser givenName: Test objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: User cn: Test User userPassword: toto dn: ou=testparentobject,o=bug ou: testparentobject description: ldap:///o=bug??sub?(uid=testuser) objectClass: top objectClass: organizationalunit --------- modification command ---------- $ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f object-modification.ldif modifying entry "ou=testparentobject,o=bug" $ --------- creation command ----------- $ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif adding new entry "ou=testchildobject,ou=testparentobject,o=bug" ldap_add: Insufficient access (50) additional info: Insufficient 'add' privilege to add the entry 'ou=testchildobject,ou=testparentobject,o=bug'. $ ---------- modification LDIF file ---------------- dn: ou=testparentobject,o=bug changetype: modify replace: telephoneNumber telephoneNumber: 0123456789 ---------- creation LDIF file -------------- dn: ou=testchildobject,ou=testparentobject,o=bug objectClass: top objectClass: organizationalUnit ou: testchildobject -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From dellacod at newschool.edu Mon Sep 25 15:01:39 2006 From: dellacod at newschool.edu (Dave Della Costa) Date: Mon, 25 Sep 2006 11:01:39 -0400 Subject: [Fedora-directory-users] Confusion over admserv_host_ip_check message Message-ID: <4517EF53.6020005@newschool.edu> Hi folks, I'm having a lot of problems getting into the console admin to the server remotely. I'm getting this in the admin-serv/logs/error log (I've changed the IPs below, obviously...they are all the same one FYI): [Mon Sep 25 08:51:57 2006] [notice] [client xxx.xx.xx.xxx] admserv_host_ip_check: ap_get_remote_host could not resolve xxx.xx.xx.xxx [Mon Sep 25 08:51:57 2006] [warn] [client xxx.xx.xx.xxx] admserv_host_ip_check: failed to get host by ip addr [xxx.xx.xx.xxx] - check your host and DNS configuration [Mon Sep 25 08:51:57 2006] [notice] [client xxx.xx.xx.xxx] admserv_host_ip_check: Unauthorized host ip=xxx.xx.xx.xxx, connection rejected I tried to use ldapmodify to open up the restriction, per the instructions here: http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt ..like so: dn: dn of your admin server config entry changetype: modify replace: nsAdminAccessAddresses nsAdminAccessHosts nsAdminAccessAddresses: nsAdminAccessHosts: (I left them blank per this mailing list post: http://www.redhat.com/archives/fedora-directory-users/2005-December/msg00343.html) I've checked this doc, but it seems to be about what you can do AFTER you get the console running: http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt I feel like it's going to be really simple to fix this, but I just am pretty unfamiliar with directory server and LDAP in general. Thanks for any help or instructions-- Best, Dave From francois.beretti at gmail.com Mon Sep 25 18:15:05 2006 From: francois.beretti at gmail.com (=?ISO-8859-1?Q?Fran=E7ois_Beretti?=) Date: Mon, 25 Sep 2006 20:15:05 +0200 Subject: [Fedora-directory-users] Re: Does userattr="parent[1].attribute#LDAPURL" work ? 
In-Reply-To: <85d6be850609250153q445bb430jaf7ce3506e67bdc2@mail.gmail.com> References: <85d6be850609221053i500532f5ga5454251977a4b57@mail.gmail.com> <85d6be850609250153q445bb430jaf7ce3506e67bdc2@mail.gmail.com> Message-ID: <85d6be850609251115s4c69eaa0wdd4ad8ad34e1eb5@mail.gmail.com> Hi, I seem to have found a workaround (at least for my special case) by using a macro ACI : (targetattr="*")(target="ldap:///cn=*,cn=($dn),o=bug")(version 3.0; acl "Test 2"; allow (all) userdn ="ldap:///o=bug??sub?(nsuniqueid=[$dn])";) This works for my first post, which is my real life problem, where I want to give right on an object to the user whose nsuniqueid equals the cn of the object's parent. For my second post, this workaround does not work, since it is based on a DN component, while I store the information in an attribute not used in the DN (description). Maybe I should file a bug. Fran?ois 2006/9/25, Fran?ois Beretti : > > Hi again, > > since my first post may be complex, I made a much simpler sample, with > standard objects. > > I created a root suffix 'o=bug' > > with two ACI: > aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr > ="description#LDAPURL";) > aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr > ="parent[1].description#LDAPURL";) > > Then I added a user, uid=testuser,o=bug > > Then, an organizationalUnit, ou=testparentobject,o=bug > with the description: ldap:///o=bug??sub?(uid=testuser) > > According the ACIs, testuser dhould be able to modify ou=testparentobject > and to create child objects under it. > > But he only can modify it. > > I don't find where I made a mistake. > > I join you my LDIF files and LDAP commands. 
> > > Thank you for your help > > Fran?ois > > > > Here are the LDIF files : > ---------- o=bug dump ------- > dn: o=bug > aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; > allow (read, search, compare)userdn = "ldap:///anyone";) > aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr > ="description#LDAPURL";) > aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr > ="parent[1].description#LDAPURL";) > o: bug > objectClass: top > objectClass: organization > > dn: uid=testuser,o=bug > uid: testuser > givenName: Test > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > sn: User > cn: Test User > userPassword: toto > > dn: ou=testparentobject,o=bug > ou: testparentobject > description: ldap:///o=bug??sub?(uid=testuser) > objectClass: top > objectClass: organizationalunit > > > > > --------- modification command ---------- > $ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f > object-modification.ldif > modifying entry "ou=testparentobject,o=bug" > $ > > --------- creation command ----------- > $ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif > adding new entry "ou=testchildobject,ou=testparentobject,o=bug" > ldap_add: Insufficient access (50) > additional info: Insufficient 'add' privilege to add the entry > 'ou=testchildobject,ou=testparentobject,o=bug'. > $ > > > > > ---------- modification LDIF file ---------------- > dn: ou=testparentobject,o=bug > changetype: modify > replace: telephoneNumber > telephoneNumber: 0123456789 > > > > > ---------- creation LDIF file -------------- > dn: ou=testchildobject,ou=testparentobject,o=bug > objectClass: top > objectClass: organizationalUnit > ou: testchildobject > > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
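As an added example (not code from this list or from Fedora DS), the following Python models how a userattr bind rule of the form parent[n].attr#LDAPURL is documented to be evaluated, over the o=bug objects of the simplified sample and the o=tests / nsuniqueid objects of the first post: the attribute is read from the n-th ancestor of the target entry, each of its values is an LDAP URL, and the bind DN must lie within that URL's base and scope and match its filter. The in-memory DIRECTORY, the extra uid=otheruser entry and the restriction to simple (attr=value) filters are assumptions of the example; it models the documented semantics, not what the server in the thread actually did.

```python
import re

# Constructed sample directory (attribute names lower-cased): the o=bug
# objects from the simplified test, the o=tests / dc=evidian,dc=fr objects
# from the first post, and a uid=otheruser entry added for a negative case.
DIRECTORY = {
    "o=bug": {"o": ["bug"]},
    "uid=testuser,o=bug": {"uid": ["testuser"], "sn": ["User"]},
    "uid=otheruser,o=bug": {"uid": ["otheruser"], "sn": ["Other"]},
    "ou=testparentobject,o=bug": {
        "ou": ["testparentobject"],
        "description": ["ldap:///o=bug??sub?(uid=testuser)"],
    },
    "dc=evidian,dc=fr": {"dc": ["evidian"]},
    "uid=francois,dc=evidian,dc=fr": {
        "uid": ["francois"],
        "nsuniqueid": ["5b74e802-1dd211b2-80e4f010-e49d0000"],
    },
    "o=tests": {"o": ["tests"]},
    "cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests": {
        "objectclass": ["enatelUserReferer"],
        "url": ["ldap:///dc=evidian,dc=fr??sub?"
                "(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)"],
    },
}

def norm_dn(dn):
    """Lower-case a DN and strip blanks around its RDN separators
    (the sample DNs contain no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent_dn(dn):
    """Drop the leftmost RDN; None once the root is reached."""
    parts = norm_dn(dn).split(",")
    return ",".join(parts[1:]) if len(parts) > 1 else None

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    m = re.match(r"ldap:///([^?]*)\??([^?]*)\??([^?]*)\??(.*)$", url)
    if not m:
        raise ValueError("unsupported LDAP URL: " + url)
    base, _attrs, scope, flt = m.groups()
    return norm_dn(base), (scope or "base").lower(), flt

def in_scope(dn, base, scope):
    dn = norm_dn(dn)
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent_dn(dn) == base
    return dn == base or dn.endswith("," + base)  # sub

def matches_filter(entry, flt):
    """Only the simple (attr=value) equality filters this page uses."""
    m = re.fullmatch(r"\(([\w-]+)=([^)]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == value for v in entry.get(attr, []))

def bind_dn_matches_url(bind_dn, url):
    """The #LDAPURL test: is the bind DN one of the URL's results?"""
    base, scope, flt = parse_ldap_url(url)
    entry = DIRECTORY.get(norm_dn(bind_dn))
    if entry is None or not in_scope(bind_dn, base, scope):
        return False
    return not flt or matches_filter(entry, flt)

def userattr_allows(rule, target_dn, bind_dn):
    """Evaluate userattr = "[parent[n].]attr#LDAPURL" for an operation
    on target_dn.  The attribute is read from the n-th ancestor of the
    target, so for an add (target not yet in the directory) a parent[1]
    rule still has an existing entry to read from."""
    m = re.fullmatch(r"(?:parent\[(\d+)\]\.)?([\w-]+)#LDAPURL", rule)
    if not m:
        raise ValueError("unsupported userattr rule: " + rule)
    levels, attr = int(m.group(1) or 0), m.group(2).lower()
    dn = norm_dn(target_dn)
    for _ in range(levels):
        dn = parent_dn(dn)
        if dn is None:
            return False
    entry = DIRECTORY.get(dn, {})
    return any(bind_dn_matches_url(bind_dn, u) for u in entry.get(attr, []))

if __name__ == "__main__":
    for rule, target in [
        ("description#LDAPURL", "ou=testparentobject,o=bug"),
        ("parent[1].description#LDAPURL",
         "ou=testchildobject,ou=testparentobject,o=bug"),
    ]:
        print(rule, "for uid=testuser on", target, "->",
              userattr_allows(rule, target, "uid=testuser,o=bug"))
```

Under these semantics both of the sample ACIs should match testuser, which is the gap between the documentation and the "Insufficient 'add' privilege" result above; the macro ACI workaround is not modelled here.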
From kevinjj33 at yahoo.com Mon Sep 25 19:43:07 2006
From: kevinjj33 at yahoo.com (kevin james)
Date: Mon, 25 Sep 2006 12:43:07 -0700 (PDT)
Subject: [Fedora-directory-users] Extending inetOrgPerson's schema to support custom attributes
Message-ID: <20060925194307.29627.qmail@web42405.mail.scd.yahoo.com>

Hello All,

I'm trying to extend the inetOrgPerson's schema in order to better support our company's user profile. I've been doing some googling and I understand that modifications need to be done to the 99users.ldif file. I've tried a couple of settings but I'm unable to see my custom attributes show up in the list of schema attributes for the inetOrgPerson class.

Here's what I've done so far. Any help would be greatly appreciated.

These are the lines I added to the bottom of the 99users.ldif file.

From kevinjj33 at yahoo.com Mon Sep 25 19:46:45 2006
From: kevinjj33 at yahoo.com (kevin james)
Date: Mon, 25 Sep 2006 12:46:45 -0700 (PDT)
Subject: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes
Message-ID: <20060925194645.93098.qmail@web42409.mail.scd.yahoo.com>

Oops, I pressed the enter key and the mail got sent, Yahoo Beta Mail is too Ajaxified :)

These were the lines I added to the bottom of the 99users.ldif
My custom attribute being called "policyNos"

attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

I was able to restart slapd with no problems, but it still doesn't show up in my list of attributes for inetOrgPerson.

Again any suggestions would be greatly appreciated.

Thanks,
Kevin

From francois.beretti at gmail.com Mon Sep 25 19:59:11 2006
From: francois.beretti at gmail.com (François Beretti)
Date: Mon, 25 Sep 2006 21:59:11 +0200
Subject: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes
In-Reply-To: <20060925194645.93098.qmail@web42409.mail.scd.yahoo.com>
References: <20060925194645.93098.qmail@web42409.mail.scd.yahoo.com>
Message-ID: <85d6be850609251259m830ee9ej7cfd58d02e4138bc@mail.gmail.com>

Hi,

a few thoughts from someone who is not a fedoraDS expert :

- you created a new attribute type, but did not add it to the inetorgperson class definition. So the class itself is not modified. The way the LDIF files are named does not imply you modify a given class. Only the number has a meaning, and this represents the order in which the files are analysed at server startup
- I am not sure, but I believe that 99users.ldif should not be modified, because it represents a view of the directory schema, and is not a configuration file. Again, I am really not sure, I don't have a fedora instance at home and can't check this
- standard classes should not be modified. You should create an auxiliary objectClass containing your custom attribute types, and have your users implement both inetOrgPerson and your auxiliary class. This can also be a way to determine if a given user is configured for your application or not (if it implements your aux class or not)

To achieve this, you should create a file named, for example, 70kevin.ldif and put all your custom schema in it. Then start your server.

Regards,
François

From david.bogen at icecube.wisc.edu Mon Sep 25 20:33:22 2006
From: david.bogen at icecube.wisc.edu (David Bogen)
Date: Mon, 25 Sep 2006 15:33:22 -0500
Subject: [Fedora-directory-users] Confusion over admserv_host_ip_check message
In-Reply-To: <4517EF53.6020005@newschool.edu>
References: <4517EF53.6020005@newschool.edu>
Message-ID: <45183D12.7010704@icecube.wisc.edu>

Dave Della Costa wrote:
>
> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>

See the section entitled

"How to set the hosts/IP addresses allowed to access the Admin Server"

and pay special attention to the NOTE: about the bug that you are likely encountering.

David

From kevinjj33 at yahoo.com Mon Sep 25 20:37:52 2006
From: kevinjj33 at yahoo.com (kevin james)
Date: Mon, 25 Sep 2006 13:37:52 -0700 (PDT)
Subject: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes
Message-ID: <20060925203752.2642.qmail@web42407.mail.scd.yahoo.com>

Francois,

Thanks for your quick and helpful reply, I tried what you explained. So I created a new file called 70kevin.ldif and put this into it

dn: cn=schema
objectClass: top
objectClass: inetorgPerson
objectClass: subschema
attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos' DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.12274.1.1.2.1 NAME 'externalUser' DESC '' SUP inetorgPerson AUXILLARY MAY ( policyNos ) X-ORIGIN 'user defined' )

I restarted slapd and I got this warning
"Entry "cn=schema" missing attribute "sn" required by object class "inetOrgPerson""

I can see 'externalUser' but when I try to create a new user, it asks me for the policyNos attribute but not the other attributes of inetOrgPerson; when I try to create the object I get an object violation error.

I didn't quite understand this part you mentioned; what else could I be missing?

.....and have your users implement both inetOrgPerson and your auxiliary class.

Any ideas ?

Thanks,
Kevin

From david_list at boreham.org Mon Sep 25 20:42:51 2006
From: david_list at boreham.org (David Boreham)
Date: Mon, 25 Sep 2006 14:42:51 -0600
Subject: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes
In-Reply-To: <20060925203752.2642.qmail@web42407.mail.scd.yahoo.com>
References: <20060925203752.2642.qmail@web42407.mail.scd.yahoo.com>
Message-ID: <45183F4B.3080205@boreham.org>

> Any ideas ?

Yes. RTFM :

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/scmacfg.html#1079595

Use the GUI to extend schema and see what it puts in the ldif files. Then you can copy that content to extend schema in a server sans GUI.
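As an added example (not the list's or the project's code) of the auxiliary-class layout François describes and of the warning Kevin quotes, the following Python holds a constructed, corrected 70kevin.ldif (externalUser declared SUP top AUXILIARY, under the header lines the stock Fedora DS schema files start with) and a small checker that parses objectClasses definitions and reports the MUST attributes an entry lacks along each class's SUP chain. Run on Kevin's cn=schema header with objectClass: inetorgPerson it reports exactly the missing sn the server warned about; run on a user entry carrying both inetOrgPerson and externalUser it reports nothing. The BASE_SCHEMA subset of the standard classes and the two sample entries are assumptions of the example.

```python
import re

# Constructed corrected 70kevin.ldif: the attribute plus an auxiliary class
# that carries it.  An auxiliary class is added to entries that already are
# inetOrgPerson, so it uses SUP top rather than deriving from inetOrgPerson.
CORRECTED_70KEVIN_LDIF = """\
dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
attributeTypes: ( 1.3.6.1.4.1.5923.1.1.1.2 NAME 'policyNos'
  DESC 'Policy Numbers for Insured' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.12274.1.1.2.1 NAME 'externalUser'
  DESC 'insurance customer attributes' SUP top AUXILIARY
  MAY ( policyNos ) X-ORIGIN 'user defined' )
"""

# Hand-written subset of the standard classes (assumption); the server's
# 00core.ldif definitions carry far more MAY attributes than listed here.
BASE_SCHEMA = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "ldapsubentry": {"sup": "top", "must": set(), "may": set()},
    "subschema": {"sup": "top", "must": set(), "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"}, "may": {"userpassword"}},
    "organizationalperson": {"sup": "person", "must": set(), "may": set()},
    "inetorgperson": {"sup": "organizationalperson", "must": set(), "may": {"uid", "mail"}},
}

# Constructed sample entries: Kevin's cn=schema header and a user entry.
KEVIN_HEADER = {"objectClass": ["top", "inetorgPerson", "subschema"], "cn": ["schema"]}
USER_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "externalUser"],
    "cn": ["Kevin James"], "sn": ["James"], "uid": ["kevinj"], "policyNos": ["P-0001"],
}

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def _names(fragment):
    return {n.strip().lower() for n in fragment.split("$") if n.strip()}

def parse_object_class(definition):
    """Pull NAME, SUP, kind, MUST and MAY out of an objectClasses value."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1).lower()
    sup = re.search(r"\bSUP\s+([\w-]+)", definition)
    kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", definition)
    def pick(keyword):
        m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w-]+))" % keyword, definition)
        return _names(m.group(1) or m.group(2)) if m else set()
    return name, {"sup": sup.group(1).lower() if sup else None,
                  "kind": kind.group(1) if kind else "STRUCTURAL",
                  "must": pick("MUST"), "may": pick("MAY")}

def load_schema(ldif_text, base=BASE_SCHEMA):
    """Base classes plus every objectClasses: definition found in the LDIF."""
    schema = dict(base)
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith("objectclasses:"):
            name, spec = parse_object_class(line.split(":", 1)[1])
            schema[name] = spec
    return schema

def _chain(oc, schema):
    """The class and all of its superiors, nearest first."""
    cls, out = oc.lower(), []
    while cls is not None:
        spec = schema.get(cls)
        if spec is None:
            raise ValueError("unknown object class: " + oc)
        out.append(spec)
        cls = spec["sup"]
    return out

def missing_must(entry, schema):
    """{attr: class named on the entry} for each MUST attribute it lacks."""
    present = {a.lower() for a in entry}
    missing = {}
    for oc in entry.get("objectClass", []):
        for spec in _chain(oc, schema):
            for attr in spec["must"] - present:
                missing.setdefault(attr, oc)
    return missing

def not_allowed(entry, schema):
    """Attributes no listed class permits: what an object class violation is about."""
    allowed = set()
    for oc in entry.get("objectClass", []):
        for spec in _chain(oc, schema):
            allowed |= spec["must"] | spec["may"]
    return {a for a in entry if a.lower() not in allowed}
```

A user entry that carries policyNos without listing externalUser fails the not_allowed check, which is the other half of the object class violation Kevin saw.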
From kevinjj33 at yahoo.com Mon Sep 25 20:52:32 2006 From: kevinjj33 at yahoo.com (kevin james) Date: Mon, 25 Sep 2006 13:52:32 -0700 (PDT) Subject: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes In-Reply-To: <45183F4B.3080205@boreham.org> Message-ID: <20060925205232.59414.qmail@web42401.mail.scd.yahoo.com> Ahhh thanks, I did not know the Fedora DS GUI could modify schema, I'll have to get my GUI working now. ----- Original Message ---- From: David Boreham To: General discussion list for the Fedora Directory server project. Sent: Monday, September 25, 2006 4:42:51 PM Subject: Re: [Fedora-directory-users] Re: Extending inetOrgPerson's schema to support custom attributes > Any ideas ? Yes. RTFM : http://www.redhat.com/docs/manuals/dir-server/ag/7.1/scmacfg.html#1079595 Use the GUI to extend schema and see what it puts in the ldif files. Then you can copy that content to extend schema in a server sans GUI. -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From gmessmer at u.washington.edu Tue Sep 26 05:55:24 2006 From: gmessmer at u.washington.edu (Gordon Messmer) Date: Mon, 25 Sep 2006 22:55:24 -0700 Subject: [Fedora-directory-users] GSSAPI / kerberos Message-ID: <4518C0CC.5080505@u.washington.edu> Is anyone using GSSAPI / kerberos in production? I've come across what looks like a bug, and I'd like any available info from other users: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208058 From yinyang at eburg.com Tue Sep 26 05:44:38 2006 From: yinyang at eburg.com (Gordon Messmer) Date: Mon, 25 Sep 2006 22:44:38 -0700 Subject: [Fedora-directory-users] GSSAPI / kerberos Message-ID: <4518BE46.400@eburg.com> Is anyone using GSSAPI / kerberos in production? 
I've come across what looks like a bug, and I'd like any available info from other users: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=208058 From dellacod at newschool.edu Tue Sep 26 15:09:58 2006 From: dellacod at newschool.edu (Dave Della Costa) Date: Tue, 26 Sep 2006 11:09:58 -0400 Subject: [Fedora-directory-users] Confusion over admserv_host_ip_check message In-Reply-To: <45183D12.7010704@icecube.wisc.edu> References: <4517EF53.6020005@newschool.edu> <45183D12.7010704@icecube.wisc.edu> Message-ID: <451942C6.6070607@newschool.edu> Arrggh...I'm trying, but I keep getting this output: ldap_modify: No such object Any suggestions on what this means? Thanks, Dave David Bogen wrote: > Dave Della Costa wrote: > >>http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt >> > > See the section entitled > > "How to set the hosts/IP addresses allowed to access the Admin Server" > > and pay special attention to the NOTE: about the bug that you are likely > encountering. > > David > > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users From patrick.morris at hp.com Tue Sep 26 15:09:03 2006 From: patrick.morris at hp.com (Morris, Patrick) Date: Tue, 26 Sep 2006 11:09:03 -0400 Subject: [Fedora-directory-users] Confusion over admserv_host_ip_checkmessage In-Reply-To: <451942C6.6070607@newschool.edu> Message-ID: > Arrggh...I'm trying, but I keep getting this output: > > ldap_modify: No such object > > Any suggestions on what this means? > > David Bogen wrote: > > Dave Della Costa wrote: > > > >>http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt > >> > > > > See the section entitled > > > > "How to set the hosts/IP addresses allowed to access the > Admin Server" > > > > and pay special attention to the NOTE: about the bug that you are > > likely encountering. 
It means you're trying to modify an object that doesn't exist. More detail about what you're doing would be helpful.

From dellacod at newschool.edu Tue Sep 26 15:25:38 2006
From: dellacod at newschool.edu (Dave Della Costa)
Date: Tue, 26 Sep 2006 11:25:38 -0400
Subject: [Fedora-directory-users] Confusion over admserv_host_ip_checkmessage
In-Reply-To:
References:
Message-ID: <45194672.1000303@newschool.edu>

Sorry, I'm such a noob at LDAP...I need to do some more reading.

I'm following David Bogen's instructions and executing the commands from the section he gave (which is what I was trying before as well). It looks like this:

server bin # ./ldapmodify -D "cn=directory manager" -w password
dn: some.server.com
changetype: modify
replace: nsAdminAccessHosts nsAdminAccessAddresses
nsAdminAccessHosts:
nsAdminAccessAddresses: 224.0.0.0
modifying entry fortress.parsons.edu
ldap_modify: No such object
server bin #

I thought I was set up, but I guess not? RTFM would be an appropriate response, if you don't mind pointing me in the direction of a good doc...

Thanks!
Dave

Morris, Patrick wrote:
>> Arrggh...I'm trying, but I keep getting this output:
>>
>> ldap_modify: No such object
>>
>> Any suggestions on what this means?
>>
>> David Bogen wrote:
>>
>>> Dave Della Costa wrote:
>>>
>>>> http://directory.fedora.redhat.com/wiki/Howto:AdminServerLDAPMgmt
>>>
>>> See the section entitled
>>>
>>> "How to set the hosts/IP addresses allowed to access the Admin Server"
>>>
>>> and pay special attention to the NOTE: about the bug that you are likely encountering.
>
> It means you're trying to modify an object that doesn't exist. More detail about what you're doing would be helpful.
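As an added example (not code from the thread or from Fedora DS), the script below does what Patrick's reply below and the How-To describe: it locates the Admin Server configuration entry by searching for the attribute itself, so no DN has to be guessed, and writes both attributes with a separate `replace:` stanza for each, since a single `replace:` line naming two attributes, as in the transcript above, is not valid LDIF. It assumes OpenLDAP client tools (`-x`, `-y`), that the Admin Server configuration lives under `o=NetscapeRoot`, and placeholder host and address patterns. It also refuses an address pattern that admits every client: these two attributes are what restricts which machines may reach the Admin Server, and a hostname pattern is only as trustworthy as the reverse DNS of the connecting address, so the address list is the stronger control.

```shell
#!/bin/sh
# Added example, not from the thread: set the Admin Server's host/address
# allowlist with ldapmodify. Assumes OpenLDAP client tools and FDS'
# o=NetscapeRoot configuration suffix; all host/address values are placeholders.

LDAP_HOST="${LDAP_HOST:-localhost}"
LDAP_PORT="${LDAP_PORT:-389}"
BIND_DN="${BIND_DN:-cn=directory manager}"
PW_FILE="${PW_FILE:-/root/.dirmgr-pw}"   # -y keeps the password out of ps output
CONFIG_SUFFIX="o=NetscapeRoot"

# Locate the entry that carries nsAdminAccessAddresses by searching on the
# attribute, instead of guessing the (long) admin-serv DN by hand.
find_admin_config_dn() {
    ldapsearch -x -LLL -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$BIND_DN" -y "$PW_FILE" \
        -b "$CONFIG_SUFFIX" -s sub '(nsAdminAccessAddresses=*)' dn \
        | sed -n 's/^dn: //p' | head -n 1
}

# Build the modify record: one attribute per replace stanza, "-" between them.
admin_access_ldif() {
    dn=$1 hosts=$2 addrs=$3
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: nsAdminAccessHosts\nnsAdminAccessHosts: %s\n-\n' "$hosts"
    printf 'replace: nsAdminAccessAddresses\nnsAdminAccessAddresses: %s\n' "$addrs"
}

# Return 1 for an address pattern that would admit every client.
check_not_wide_open() {
    case "$1" in
        '*'|'*.*'|'*.*.*.*'|'0.0.0.0'|'0.0.0.0/0') return 1 ;;
    esac
    return 0
}

# Usage: apply_admin_access '*.example.com' '192.168.1.*'
# Prints the LDIF by default; APPLY=1 sends it to the server instead.
apply_admin_access() {
    hosts=$1 addrs=$2
    check_not_wide_open "$addrs" || { echo "refusing to allow all addresses" >&2; return 1; }
    dn=$(find_admin_config_dn)
    [ -n "$dn" ] || { echo "no entry with nsAdminAccessAddresses under $CONFIG_SUFFIX" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        admin_access_ldif "$dn" "$hosts" "$addrs" \
            | ldapmodify -x -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$BIND_DN" -y "$PW_FILE"
    else
        admin_access_ldif "$dn" "$hosts" "$addrs"
    fi
}
```

Run it once without `APPLY=1` to see the DN the search resolved and the record that would be sent; the Admin Server reads the new values on its next restart.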
From patrick.morris at hp.com Tue Sep 26 15:28:26 2006
From: patrick.morris at hp.com (Morris, Patrick)
Date: Tue, 26 Sep 2006 11:28:26 -0400
Subject: [Fedora-directory-users] Confusion overadmserv_host_ip_checkmessage
In-Reply-To: <45194672.1000303@newschool.edu>
Message-ID:

> Sorry, I'm such a noob at LDAP...I need to do some more reading.
>
> I'm following David Bogen's instructions and executing the commands from the section he gave (which is what I was trying before as well). It looks like this:
>
> server bin # ./ldapmodify -D "cn=directory manager" -w password
> dn: some.server.com
> changetype: modify
> replace: nsAdminAccessHosts nsAdminAccessAddresses
> nsAdminAccessHosts:
> nsAdminAccessAddresses: 224.0.0.0

That DN is incorrect.

See the top of the "How to find the Admin Server configuration entry" part of that How-To for how to find the correct DN using ldapsearch.

From dellacod at newschool.edu Tue Sep 26 15:44:19 2006
From: dellacod at newschool.edu (Dave Della Costa)
Date: Tue, 26 Sep 2006 11:44:19 -0400
Subject: [Fedora-directory-users] Confusion overadmserv_host_ip_checkmessage
In-Reply-To:
References:
Message-ID: <45194AD3.2080007@newschool.edu>

Thanks Patrick! That was the help I needed. I've got the console up now.

Best,
Dave

Morris, Patrick wrote:
>> Sorry, I'm such a noob at LDAP...I need to do some more reading.
>>
>> I'm following David Bogen's instructions and executing the commands from the section he gave (which is what I was trying before as well). It looks like this:
>>
>> server bin # ./ldapmodify -D "cn=directory manager" -w password
>> dn: some.server.com
>> changetype: modify
>> replace: nsAdminAccessHosts nsAdminAccessAddresses
>> nsAdminAccessHosts:
>> nsAdminAccessAddresses: 224.0.0.0
>
> That DN is incorrect.
>
> See the top of the "How to find the Admin Server configuration entry" part of that How-To for how to find the correct DN using ldapsearch.
From gmessmer at u.washington.edu Tue Sep 26 23:14:21 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Tue, 26 Sep 2006 16:14:21 -0700
Subject: [Fedora-directory-users] [HELP] creating partition by command line
In-Reply-To:
References:
Message-ID: <4519B44D.7020006@u.washington.edu>

Jorge Santos wrote:
> I tried to create one partition by command line, but it doesn't work. And when I've tried to restart the console admin, it doesn't work too, and when I did a search for the cn=mapping tree,cn=config subtree, it didn't return anything.
> I tried to follow the tutorial at this site:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#17741
>
> I created the database for the root suffix, the root suffix (dc=mg), the sub suffix (ou=bh,dc=mg) and the database link (containing a referral to the other server) for the sub suffix at the main server. In the other server I created the root suffix (ou=bh,dc=mg) and the database for this root suffix.
> The LDIFs that I used to create these partitions are as follows:

You're trying to do a lot of things here, and not explaining what part didn't work. Why don't you start at the beginning: tell us each step you've gone through, what you expected that step to accomplish, and what did or did not work.

From jo.de.troy at gmail.com Wed Sep 27 19:55:06 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 27 Sep 2006 21:55:06 +0200
Subject: [Fedora-directory-users] next release?
Message-ID:

Hello,

I was wondering when a next official release will be available.

Kind Regards,
Jo

From rmeggins at redhat.com Wed Sep 27 19:02:10 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 27 Sep 2006 13:02:10 -0600
Subject: [Fedora-directory-users] next release?
In-Reply-To:
References:
Message-ID: <451ACAB2.8000001@redhat.com>

Jo De Troy wrote:
> Hello,
>
> I was wondering when a next official release will be available.

We don't really know yet. We were hoping to have a beta of version 1.1 available within the next couple of weeks. This would be the new packaging of just the core DS i.e. the beta wouldn't have the admin server, console, etc.

>
> Kind Regards,
> Jo

From gmessmer at u.washington.edu Wed Sep 27 20:07:25 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Wed, 27 Sep 2006 13:07:25 -0700
Subject: [Fedora-directory-users] next release?
In-Reply-To: <451ACAB2.8000001@redhat.com>
References: <451ACAB2.8000001@redhat.com>
Message-ID: <451AD9FD.9040105@u.washington.edu>

Richard Megginson wrote:
> Jo De Troy wrote:
>> Hello,
>>
>> I was wondering when a next official release will be available.
> We don't really know yet. We were hoping to have a beta of version 1.1 available within the next couple of weeks. This would be the new packaging of just the core DS i.e. the beta wouldn't have the admin server, console, etc.

Will there be a 1.0.3? I like the packaging well enough as it is, and would like to see an official release with the SASL encryption fix that was just checked into CVS.

From rmeggins at redhat.com Wed Sep 27 19:10:30 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 27 Sep 2006 13:10:30 -0600
Subject: [Fedora-directory-users] next release?
In-Reply-To: <451AD9FD.9040105@u.washington.edu>
References: <451ACAB2.8000001@redhat.com> <451AD9FD.9040105@u.washington.edu>
Message-ID: <451ACCA6.7000807@redhat.com>

Gordon Messmer wrote:
> Richard Megginson wrote:
>> Jo De Troy wrote:
>>> Hello,
>>>
>>> I was wondering when a next official release will be available.
>> We don't really know yet. We were hoping to have a beta of version 1.1 available within the next couple of weeks. This would be the new packaging of just the core DS i.e. the beta wouldn't have the admin server, console, etc.
>
> Will there be a 1.0.3?

We hadn't planned on it. Is there a lot of demand? Would it be possible to drop support for RHEL3 and Fedora Core 4 if we do?

> I like the packaging well enough as it is, and would like to see an official release with the SASL encryption fix that was just checked into CVS.

From gmessmer at u.washington.edu Wed Sep 27 20:18:59 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Wed, 27 Sep 2006 13:18:59 -0700
Subject: [Fedora-directory-users] next release?
In-Reply-To: <451ACCA6.7000807@redhat.com>
References: <451ACAB2.8000001@redhat.com> <451AD9FD.9040105@u.washington.edu> <451ACCA6.7000807@redhat.com>
Message-ID: <451ADCB3.2060301@u.washington.edu>

Richard Megginson wrote:
> Gordon Messmer wrote:
>> Will there be a 1.0.3?
> We hadn't planned on it. Is there a lot of demand? Would it be possible to drop support for RHEL3 and Fedora Core 4 if we do?

Can't speak for the level of demand, but I'd like to see a 1.0.x version that didn't break when using GSSAPI. Maybe that's just because I don't know what else is changing for 1.1.
I'm running 1.0.2 on RHEL 4.

From david.bogen at icecube.wisc.edu Wed Sep 27 20:47:03 2006
From: david.bogen at icecube.wisc.edu (David Bogen)
Date: Wed, 27 Sep 2006 15:47:03 -0500
Subject: [Fedora-directory-users] next release?
In-Reply-To: <451ACCA6.7000807@redhat.com>
References: <451ACAB2.8000001@redhat.com> <451AD9FD.9040105@u.washington.edu> <451ACCA6.7000807@redhat.com>
Message-ID: <451AE347.3060600@icecube.wisc.edu>

Richard Megginson wrote:
> We hadn't planned on it. Is there a lot of demand? Would it be possible to drop support for RHEL3 and Fedora Core 4 if we do?

I'd like to see support for RHEL3 continued.

David

From jo.de.troy at gmail.com Wed Sep 27 20:51:53 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 27 Sep 2006 22:51:53 +0200
Subject: [Fedora-directory-users] next release?
Message-ID:

Hi,

I'd also like a 1.0.3 release which includes the ldappasswd_crash solution.
What's the status of the samba integration for password sync?
In the new packaging will the admin-server, etc then be separate rpms?

Kind Regards,
Jo

From rmeggins at redhat.com Wed Sep 27 20:04:08 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 27 Sep 2006 14:04:08 -0600
Subject: [Fedora-directory-users] next release?
In-Reply-To:
References:
Message-ID: <451AD938.4090704@redhat.com>

Jo De Troy wrote:
> Hi,
>
> I'd also like a 1.0.3 release which includes the ldappasswd_crash solution.

What platform(s)?

> What's the status of the samba integration for password sync?

No work has been done in this area.

> In the new packaging will the admin-server, etc then be separate rpms?

Yes. So if you just want the core DS, you can just install that rpm. There will also be separate RPMs for dsgw, console, org chart, etc.
>
> Kind Regards,
> Jo

From jo.de.troy at gmail.com Wed Sep 27 21:10:37 2006
From: jo.de.troy at gmail.com (Jo De Troy)
Date: Wed, 27 Sep 2006 23:10:37 +0200
Subject: [Fedora-directory-users] next release?
Message-ID:

Hi,

I'd be particularly interested in a 1.0.3 release on RHEL4 for i386.
Would it be possible in the new packaging to update only the ldapserver and not e.g. the dsgw? And the other way around?

Kind Regards,
Jo

From rmeggins at redhat.com Wed Sep 27 20:23:29 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 27 Sep 2006 14:23:29 -0600
Subject: [Fedora-directory-users] next release?
In-Reply-To:
References:
Message-ID: <451ADDC1.3060909@redhat.com>

Jo De Troy wrote:
> Hi,
>
> I'd be particularly interested in a 1.0.3 release on RHEL4 for i386.
> Would it be possible in the new packaging to update only the ldapserver and not e.g. the dsgw? And the other way around?

Yes, that's the idea with the new packaging, to decouple the components from each other. So we could have a release of console that just updated the console jar files without touching the ds or admin server or etc.

>
> Kind Regards,
> Jo
From nkinder at redhat.com Wed Sep 27 21:23:51 2006
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 27 Sep 2006 14:23:51 -0700
Subject: [Fedora-directory-users] CoS + SASL problems?
In-Reply-To:
References:
Message-ID: <451AEBE7.2070603@redhat.com>

Hai Zaar wrote:
> Dear list!
>
> I'm using FDS-1.0.2 together with Heimdal Kerberos as a NIS replacement.
> I'm having a rather strange problem with SASL.
> I have two posixGroups. The first is cn=peopleGroup,ou=people,dc=example,dc=com and the other is cn=testGroup,ou=Groups,dc=example,dc=com
> testGroup is affected by Pointer CoS - this is important!
>
> On the client I run:
> # kinit foo
> # ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=peopleGroup))'
> The search returns sane results. However, running the search for testGroup returns the following:
> ---------------------------
> # ldapsearch -h directory.example.com -b "dc=example,dc=com" -s sub -Y GSSAPI -I '(&(objectClass=posixGroup)(cn=testGroup))'
> SASL/GSSAPI authentication started
> SASL Interaction
> Please enter your authorization name:
> SASL username: foo at EXAMPLE.COM
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (&(objectClass=posixGroup)(cn=testGroup))
> # requesting: ALL
> #
>
> ldap_result: Can't contact LDAP server (-1)
> ---------------------------
> If I remove the CoS from ou=Groups,dc=example,dc=com, then it all works OK (but of course I do not get any of the 'uniqueMember' attributes that come from the CoS).
>
> The strangest thing is however that if I set
> SASL_SECPROPS maxssf=0
> in /etc/openldap/ldap.conf, then everything works just fine (but no security).
>
> To the end, here is what the FDS access log says:
> [10/Sep/2006:17:02:51 +0300] conn=111 fd=67 slot=67 connection from 10.0.2.236 to 10.0.0.10
> [10/Sep/2006:17:02:51 +0300] conn=111 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Sep/2006:17:02:51 +0300] conn=111 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Sep/2006:17:02:51 +0300] conn=111 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Sep/2006:17:02:51 +0300] conn=111 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=example,dc=com"
> [10/Sep/2006:17:02:51 +0300] conn=111 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=testGroup))" attrs=ALL
> [10/Sep/2006:17:02:51 +0300] conn=111 op=3 fd=67 closed - B4
> It looks like the server just drops the connection. Error logs indicate nothing.
>
> Any ideas anyone?

I'm unable to reproduce the issue. Could you supply us with your COS template, COS definition, and testGroup entries?

-NGK

From del at babel.com.au Thu Sep 28 10:48:51 2006
From: del at babel.com.au (Del)
Date: Thu, 28 Sep 2006 20:48:51 +1000
Subject: [Fedora-directory-users] next release?
In-Reply-To: <451ADCB3.2060301@u.washington.edu>
References: <451ACAB2.8000001@redhat.com> <451AD9FD.9040105@u.washington.edu> <451ACCA6.7000807@redhat.com> <451ADCB3.2060301@u.washington.edu>
Message-ID: <451BA893.70101@babel.com.au>

>> We hadn't planned on it. Is there a lot of demand? Would it be possible to drop support for RHEL3 and Fedora Core 4 if we do?
I still have a lot of sites running FC3, simply because it's the last release with PHP 4, and PHP 5 breaks the PEAR LDAP module. If you are going to support RHEL 4 then you may as well support FC3.

OTOH most of my FC4 sites have moved up to FC5.

--
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9368 0728
fax: 02 9368 0758

From jorgecb at gmail.com Thu Sep 28 14:51:07 2006
From: jorgecb at gmail.com (Jorge Santos)
Date: Thu, 28 Sep 2006 11:51:07 -0300
Subject: [Fedora-directory-users] [HELP] creating partition by command line
In-Reply-To: <4519B44D.7020006@u.washington.edu>
References: <4519B44D.7020006@u.washington.edu>
Message-ID:

Ok,

I would like to set up a partition by command line and I tried to follow the tutorial at this site:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#17741

But when I finished following the tutorial (create the partition in one server and the sub-partition in the other server), I can't restart slapd. I realized that the information in "cn=mapping tree,cn=config" was lost.

And the only thing that I need is to create a partition in the master server (dc=mg) and create a sub-partition in the other server (ou=bh,dc=mg).

If you did anything like this, can you post the ldifs that you used, please? I don't know why the configuration failed, because I followed the tutorial correctly.

Jorge Santos

On 9/26/06, Gordon Messmer wrote:
>
> Jorge Santos wrote:
>> I tried to create one partition by command line, but it doesn't work. And when I've tried to restart the console admin, it doesn't work too, and when I did a search for the cn=mapping tree,cn=config subtree, it didn't return anything.
>> I tried to follow the tutorial at this site:
>> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#17741
>>
>> I created the database for the root suffix, the root suffix (dc=mg), the sub suffix (ou=bh,dc=mg) and the database link (containing a referral to the other server) for the sub suffix at the main server.
>> In the other server I created the root suffix (ou=bh,dc=mg) and the database for this root suffix.
>> The LDIFs that I used to create these partitions are as follows:
>
> You're trying to do a lot of things here, and not explaining what part didn't work. Why don't you start at the beginning: tell us each step you've gone through, what you expected that step to accomplish, and what did or did not work.

From gmessmer at u.washington.edu Thu Sep 28 15:31:02 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Thu, 28 Sep 2006 08:31:02 -0700
Subject: [Fedora-directory-users] [HELP] creating partition by command line
In-Reply-To:
References: <4519B44D.7020006@u.washington.edu>
Message-ID: <451BEAB6.1050609@u.washington.edu>

Jorge Santos wrote:
> I would like to set up a partition by command line and I tried to follow the tutorial at this site:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/entry_dist.html#17741

I don't see any "tutorial" at that URL, so I still don't know exactly what you're trying to do. That document covers a number of different topics, not all of which will be used together.

I tried following the configuration in your earlier email a second time, and it looks like on one server, you're creating an LDBM database for the suffix "ou=bh,dc=mg", and then creating a link to another server for the same suffix. I'm pretty sure you can only do one of those two things for a given suffix. In other words, your configuration can't include two identical entries, 'cn="ou=bh,dc=mg",cn=mapping tree,cn=config'.

So, try explaining the topology that you're trying to achieve as an end result, and maybe we can give you a better idea of how to approach it.
> But when I finished following the tutorial (create the partition in one server and the sub-partition in the other server), I can't restart slapd. I realized that the information in "cn=mapping tree,cn=config" was lost.

On which host? Your original message didn't give names or IP numbers for the servers, which you should include.

> And the only thing that I need is to create a partition in the master server (dc=mg) and create a sub-partition in the other server (ou=bh,dc=mg).

If that's the case, you probably don't want a database link, unless you want the "other" server to contain a database for which the "master" server will also answer. If the two servers have different suffixes, how are they related?

From jorgecb at gmail.com Thu Sep 28 17:39:33 2006
From: jorgecb at gmail.com (Jorge Santos)
Date: Thu, 28 Sep 2006 14:39:33 -0300
Subject: [Fedora-directory-users] [HELP] creating partition by command line
In-Reply-To: <451BEAB6.1050609@u.washington.edu>
References: <4519B44D.7020006@u.washington.edu> <451BEAB6.1050609@u.washington.edu>
Message-ID:

Ok, now I will explain what I want.

I would like to distribute my data, and the mechanism of data distribution which I'm trying to use is based on suffixes. I made a figure explaining my topology and it's attached.

dc=mg is my root suffix, which is stored in Server 1
ou=bh,dc=mg is my sub-suffix of dc=mg and it's stored in Server 2

Now, I'm trying to do this topology by command line.

It is a Distributed Topology and I got more information about distributing data using suffixes at this site:
http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/referral.html#1000217

Jorge Santos
From gmessmer at u.washington.edu Thu Sep 28 20:04:35 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Thu, 28 Sep 2006 13:04:35 -0700
Subject: [Fedora-directory-users] [HELP] creating partition by command line
In-Reply-To:
References: <4519B44D.7020006@u.washington.edu> <451BEAB6.1050609@u.washington.edu>
Message-ID: <451C2AD3.9040604@u.washington.edu>

Jorge Santos wrote:
>
> It is a Distributed Topology and I got more information about distributing data using suffixes at this site:
> http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/referral.html#1000217

OK, it's starting to become more clear. Now: *why* are you trying to create a distributed topology? Are you trying to allow management of the sub-suffix by a different group? Are you trying to establish a proxy? Are you trying to replicate the database for better performance, or higher availability?

From jorgecb at gmail.com Thu Sep 28 20:51:29 2006
From: jorgecb at gmail.com (Jorge Santos)
Date: Thu, 28 Sep 2006 17:51:29 -0300
Subject: [Fedora-directory-users] [HELP] creating partition by command line
In-Reply-To: <451C2AD3.9040604@u.washington.edu>
References: <4519B44D.7020006@u.washington.edu> <451BEAB6.1050609@u.washington.edu> <451C2AD3.9040604@u.washington.edu>
Message-ID:

I'm trying to allow management of the sub-suffix by a different group, to increase the performance and because of scalability.

Jorge Santos

From wilmer5 at gmail.com Thu Sep 28 20:57:34 2006
From: wilmer5 at gmail.com (Wilmer Jaramillo M.)
Date: Thu, 28 Sep 2006 16:57:34 -0400
Subject: [Fedora-directory-users] number of output show in a search
Message-ID: <2b26c4260609281357n3f046cbcg21d967cbef04e844@mail.gmail.com>

The Directory Server by default allows anonymous queries with ldapsearch; this is OK. Nevertheless, is there a way to limit the number of attributes/lines/output shown to an anonymous user? Also, to implement rules where users and the administrator's users can only see a max of N attributes in a search, for example of the attribute 'mail'.

e.g. $ ldapsearch -x mail
1.- # Afrodita Alvarez, joe, People, example.com
dn: cn=Afrodita Alvarez,uid=wilmer,ou=People,dc=example,dc=com
mail: aalvarez at example.com
2.- # aperez, juancarlos, People, example.com
dn: uid=aperez,uid=juancarlos,ou=People,dc=example,dc=com
mail: aperez at example.com
...
N.- ...Full Users Output.

I want:
$ ldapsearch -x mail
1.- # Afrodita Alvarez, joe, People, example.com
dn: cn=Afrodita Alvarez,uid=wilmer,ou=People,dc=example,dc=com
mail: aalvarez at example.com
2.- # aperez, juancarlos, People, example.com
dn: uid=aperez,uid=juancarlos,ou=People,dc=example,dc=com
mail: jcarlos at example.com
...
25.- .... only max. 25 users.

thanks.

--
Wilmer Jaramillo M.
TALUG - http://www.linuxtachira.org
GPG Key Fingerprint = 0666 D0D3 24CE 8935 9C24 BBF1 87DD BEA2 A4B2 1E8A

From radek at eadresa.cz Fri Sep 29 22:00:48 2006
From: radek at eadresa.cz (Radek Hladik)
Date: Sat, 30 Sep 2006 00:00:48 +0200
Subject: [Fedora-directory-users] Default locale
Message-ID: <451D9790.3040809@eadresa.cz>

Hi all,
how can I switch the default locale used by FDS for sorting and string comparison? Or at least can this be set per LDAP connection?
Radek

From rmeggins at redhat.com Fri Sep 29 21:17:19 2006
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 29 Sep 2006 15:17:19 -0600
Subject: [Fedora-directory-users] number of output show in a search
In-Reply-To: <2b26c4260609281357n3f046cbcg21d967cbef04e844@mail.gmail.com>
References: <2b26c4260609281357n3f046cbcg21d967cbef04e844@mail.gmail.com>
Message-ID: <451D8D5F.3000607@redhat.com>

Wilmer Jaramillo M. wrote:
> The Directory Server by default allows anonymous queries with ldapsearch; this is OK. Nevertheless, is there a way to limit the number of attributes/lines/output shown to an anonymous user? Also, to implement rules where users and the administrator's users can only see a max of N attributes in a search, for example of the attribute 'mail'.
> e.g. $ ldapsearch -x mail
> 1.- # Afrodita Alvarez, joe, People, example.com
> dn: cn=Afrodita Alvarez,uid=wilmer,ou=People,dc=example,dc=com
> mail: aalvarez at example.com
> 2.- # aperez, juancarlos, People, example.com
> dn: uid=aperez,uid=juancarlos,ou=People,dc=example,dc=com
> mail: aperez at example.com
> ...
> N.- ...Full Users Output.
>
> I want:
> $ ldapsearch -x mail
> 1.- # Afrodita Alvarez, joe, People, example.com
> dn: cn=Afrodita Alvarez,uid=wilmer,ou=People,dc=example,dc=com
> mail: aalvarez at example.com
> 2.- # aperez, juancarlos, People, example.com
> dn: uid=aperez,uid=juancarlos,ou=People,dc=example,dc=com
> mail: jcarlos at example.com
> ...
> 25.- .... only max. 25 users.

Set the attribute nsslapd-sizelimit in cn=config. You can also set size limits on a per-user/per-group basis. See http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1085603 for more information.

>
> thanks.
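Richard's answer gives the knob; as an added example (not code from the thread or from Fedora DS), the script below generates the LDIF for a server-wide `nsslapd-sizelimit`, a per-entry `nsSizeLimit` override for an administrative account, and an ACI pair that keeps one attribute out of anonymous searches while authenticated users still see it, which is the second half of Wilmer's question. The suffix, DN and attribute are placeholders, and OpenLDAP client tools are assumed. Two caveats the code encodes: a size limit only caps the result of one search and does not stop an anonymous client from enumerating the directory with narrower filters, so withholding the attribute takes an ACI; and deny ACIs take precedence over allows in Directory Server, so the ACI is written as a pair of allows rather than a deny, otherwise the attribute would vanish for everyone.

```shell
#!/bin/sh
# Added example, not from the thread. Emits LDIF for the limits Richard points
# at (server-wide nsslapd-sizelimit, per-entry nsSizeLimit) and for an ACI pair
# that withholds one attribute from anonymous binds while authenticated users
# keep it. Assumes OpenLDAP client tools; suffix, DN and attribute are placeholders.

SUFFIX="${SUFFIX:-dc=example,dc=com}"

# Accept a positive integer or -1 (Directory Server's "unlimited"); reject the
# rest so a typo cannot silently lift or zero the cap.
valid_limit() {
    case "$1" in
        -1) return 0 ;;
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
    esac
    return 0
}

# Server-wide cap on entries returned by any one search.
global_sizelimit_ldif() {
    valid_limit "$1" || return 1
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-sizelimit\nnsslapd-sizelimit: %s\n' "$1"
}

# Per-entry override, e.g. a larger limit for an administrative account.
user_sizelimit_ldif() {
    valid_limit "$2" || return 1
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'replace: nsSizeLimit\nnsSizeLimit: %s\n' "$2"
}

# Two ACIs on the suffix: anonymous ("anyone") may read everything except
# userPassword and the named attribute; authenticated users ("all") may read
# the named attribute. Allows are used instead of a deny because a deny ACI
# wins over every allow and would hide the attribute from everyone.
hide_attr_from_anonymous_ldif() {
    attr=$1
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$SUFFIX"
    printf 'aci: (targetattr != "userPassword || %s")(version 3.0; acl "anonymous read without %s"; allow (read,search,compare) userdn="ldap:///anyone";)\n' "$attr" "$attr"
    printf 'aci: (targetattr = "%s")(version 3.0; acl "%s for authenticated users"; allow (read,search,compare) userdn="ldap:///all";)\n' "$attr" "$attr"
}

# Usage: sizelimit_bundle 25 'uid=admin,ou=People,dc=example,dc=com' 2000 mail
# Prints the combined LDIF; pipe it into: ldapmodify -x -D "cn=directory manager" -y pwfile
sizelimit_bundle() {
    global_sizelimit_ldif "$1" || return 1
    printf '\n'
    user_sizelimit_ldif "$2" "$3" || return 1
    printf '\n'
    hide_attr_from_anonymous_ldif "$4"
}
```

The stock anonymous-access ACI that FDS installs on the suffix already grants read of every attribute except userPassword, so it has to be removed (or its targetattr edited) for the new anonymous ACI to have any effect; `ldapsearch -x -b dc=example,dc=com -s base aci` lists the values currently on the suffix entry so the exact one can be deleted.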
From gmessmer at u.washington.edu Fri Sep 29 22:35:55 2006
From: gmessmer at u.washington.edu (Gordon Messmer)
Date: Fri, 29 Sep 2006 15:35:55 -0700
Subject: [Fedora-directory-users] [HELP] creating partition by command line
In-Reply-To:
References: <4519B44D.7020006@u.washington.edu> <451BEAB6.1050609@u.washington.edu> <451C2AD3.9040604@u.washington.edu>
Message-ID: <451D9FCB.3070807@u.washington.edu>

Jorge Santos wrote:
> I'm trying to allow management of the sub-suffix by a different group, to increase the performance and because of scalability.

The former can be done with ACIs, and AFAIK, you'll only get the latter if you set up database replication rather than database links.

If you want to follow the replication route, two different configurations spring immediately to mind.

In the first, you set up "dc=mg" (which is an unusual configuration; "dc" is the short name aka "domaincomponent", which normally is used to describe a DNS name: redhat.com == dc=redhat,dc=com) on the master server, and create "ou=bh" underneath it. Create an administrative account in ou=People,dc=mg, and give that account write access to "ou=bh,dc=mg". Then, set up the same root on your second server, and establish replication of the dc=mg suffix to that server. You can make the secondary server a read-only consumer, or if you like, you can set them both up as multi-master read-write servers, in which case they each need a replication agreement to the other.

The other configuration that's possible is to set up each suffix on its respective server, and then create a read-only replica of the other server's suffix on the opposite. In this configuration, serverA would have a read-write dc=mg, and a read-only ou=bh,dc=mg; serverB would have a read-write ou=bh,dc=mg, and a read-only dc=mg. Searches would work against either server, and writes would be redirected by referrals.
Clients that don't follow referrals would need to write to the correct server explicitly.

So.. which way would you rather go?

From sergio.diaze at gmail.com Sat Sep 30 06:57:20 2006
From: sergio.diaze at gmail.com (Sergio Diaz)
Date: Sat, 30 Sep 2006 01:57:20 -0500
Subject: [Fedora-directory-users] FDS and AD
Message-ID: <1159599441.4176.14.camel@oslec>

Hi People,

Is it possible to sync only in one way? Users Windows AD -> FDS.

Or the other scenario, like OpenLDAP has a Meta Backend (2 LDAPs, 1 AD), is it possible with FDS?

Regards,
Sergio
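Gordon's first configuration in the partition thread above (dc=mg on the master with ou=bh beneath it, a delegated administrator for ou=bh, and the suffix replicated to a read-only consumer) can be expressed as the LDIF the script below generates. It is an added example, not code from the thread or from Fedora DS; every DN, hostname, path and credential is a placeholder, and the nsDS5* entries are the supplier/consumer configuration entries FDS keeps under cn=config. Two points the example keeps explicit: the delegation ACI is placed on ou=bh,dc=mg itself, so it reaches nothing else in the suffix, and the agreement binds with a dedicated replication-manager account over SSL, because the consumer stores that account's password and the supplier stores it again in the agreement's nsDS5ReplicaCredentials.

```shell
#!/bin/sh
# Added example, not from the thread: LDIF generators for Gordon's first
# layout. dc=mg holds ou=bh; a delegated account may write under ou=bh only;
# the master supplies dc=mg to a read-only consumer. All DNs, hostnames,
# paths and credentials are placeholders.

ROOT="dc=mg"
SUB="ou=bh,${ROOT}"
BH_ADMIN="uid=bhadmin,ou=People,${ROOT}"
REPL_MGR="cn=replication manager,cn=config"

# Delegation ACI on ou=bh,dc=mg: an ACI governs only the entry it sits on and
# the subtree beneath it, so the bh admin gets no rights elsewhere in dc=mg.
delegation_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: aci\n' "$SUB"
    printf 'aci: (targetattr="*")(version 3.0; acl "bh delegated admin"; allow (read,search,compare,write,add,delete) userdn="ldap:///%s";)\n' "$BH_ADMIN"
}

# Identity the supplier binds as on the consumer; created on the consumer,
# outside the replicated suffix, and used for nothing else.
repl_manager_ldif() {
    cat <<EOF
dn: ${REPL_MGR}
changetype: add
objectclass: top
objectclass: person
cn: replication manager
sn: manager
userPassword: ${1}
EOF
}

# Supplier: enable the changelog, mark dc=mg as a master replica (type 3,
# flags 1 = log changes) and define one agreement to the consumer over SSL.
supplier_ldif() {
    consumer_host=$1 replica_id=$2 repl_pw=$3
    cat <<EOF
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /opt/fedora-ds/slapd-master/changelogdb

dn: cn=replica,cn="${ROOT}",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: ${ROOT}
nsDS5ReplicaId: ${replica_id}
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaBindDN: ${REPL_MGR}

dn: cn=to ${consumer_host},cn=replica,cn="${ROOT}",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5ReplicationAgreement
cn: to ${consumer_host}
nsDS5ReplicaRoot: ${ROOT}
nsDS5ReplicaHost: ${consumer_host}
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: ${REPL_MGR}
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: ${repl_pw}
EOF
}

# Consumer: a read-only replica (type 2, id 65535) that accepts updates only
# from the replication manager DN.
consumer_ldif() {
    cat <<EOF
dn: cn=replica,cn="${ROOT}",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: ${ROOT}
nsDS5ReplicaId: 65535
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsDS5ReplicaBindDN: ${REPL_MGR}
EOF
}
```

Apply `repl_manager_ldif` and `consumer_ldif` on the consumer first, then `supplier_ldif` and `delegation_ldif` on the master, each piped into `ldapmodify -x -D "cn=directory manager" -y pwfile`; the first replication session initializes the consumer from the master's copy of dc=mg, and the ACI travels with the data. Narrow the `targetattr` in the delegation ACI if the bh admin should not be able to set userPassword on the entries it manages.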