From mjdshop at earthlink.net Fri Mar 2 22:12:15 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Fri, 2 Mar 2007 17:12:15 -0500 (GMT-05:00)
Subject: [Fedora-directory-users] not enough file descriptors
Message-ID: <29740437.1172873535738.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

I have a problem with running out of file descriptors. I get this repeating message periodically in the /opt/fedora-ds/slapd-/logs/errors file:

[02/Mar/2007:13:25:45 -0500] - Not listening for new connections - too many fds open
[02/Mar/2007:13:25:46 -0500] - Listening for new connections again
[02/Mar/2007:13:25:47 -0500] - Not listening for new connections - too many fds open
[02/Mar/2007:13:25:47 -0500] - Listening for new connections again
...

When this happens, the users cannot log in for long periods and get angry. Imagine that. I do have this in a multi-master configuration with a second master, which is different hardware and does not show this error.

I read the tuning page http://directory.fedora.redhat.com/wiki/Performance_Tuning#Linux, which recommends updating the file descriptor limit like so:

echo "64000" > /proc/sys/fs/file-max

However mine is already well above that:

# cat /proc/sys/fs/file-max
128456

How much higher should I be setting it? I am running RHEL 4 update 4, single Pentium III 1.4GHz processor, 1280MB of memory.

I don't have any settings in sysctl.conf or /etc/security/limits for soft/hard limits; how do I tell what the defaults on soft/hard limits are?
From gholbert at broadcom.com Fri Mar 2 22:16:15 2007
From: gholbert at broadcom.com (George Holbert)
Date: Fri, 02 Mar 2007 14:16:15 -0800
Subject: [Fedora-directory-users] not enough file descriptors
In-Reply-To: <29740437.1172873535738.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
References: <29740437.1172873535738.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
Message-ID: <45E8A22F.9080502@broadcom.com>

What is the value of the "nsslapd-maxdescriptors" attribute on cn=config?

MJD Shop Account wrote:
[...]
From rmeggins at redhat.com Fri Mar 2 22:17:24 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Mar 2007 15:17:24 -0700
Subject: [Fedora-directory-users] not enough file descriptors
In-Reply-To: <29740437.1172873535738.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
References: <29740437.1172873535738.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
Message-ID: <45E8A274.2090705@redhat.com>

MJD Shop Account wrote:
[...]
> I don't have any settings in sysctl.conf or /etc/security/limits for soft/hard limits; how do I tell what the defaults on soft/hard limits are?
>
I think you also have to edit /opt/fedora-ds/slapd-instance/start-slapd and put 'ulimit -n yourlimit' somewhere near the top of the file.

From mjdshop at earthlink.net Fri Mar 2 22:52:23 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Fri, 2 Mar 2007 17:52:23 -0500 (GMT-05:00)
Subject: [Fedora-directory-users] not enough file descriptors
Message-ID: <5664889.1172875943467.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

ah! only 1024. What is considered a reasonable value? Is it setting this or picking it up from the defaults such as ulimits?

I assume I need to do this on all of the multi-masters and consumers to be the same, or do I? Does it propagate? I'm not sharing the config tree among different servers.
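The check George and Richard are pointing at, written out as an added example (this is not code from the thread or from the Fedora DS project): read nsslapd-maxdescriptors from cn=config, read the ns-slapd process's open-file limit and current descriptor count, and report whether the configured value can take effect. The LDIF text and the /proc/PID/limits text below are constructed samples that mirror the values in the thread, so the script runs offline; the live commands are in the comments. The CAPPED rule reflects what MJD reports later in the thread, that the attribute could not be set above the process limit.

```shell
#!/bin/sh
# Added example, not from the thread: compare nsslapd-maxdescriptors with the
# ns-slapd process's hard open-file limit and with descriptors already in use.
#
# On a live server the inputs come from (run as root):
#   ldapsearch -x -D "cn=Directory Manager" -W -b cn=config -s base \
#       nsslapd-maxdescriptors nsslapd-conntablesize nsslapd-reservedescriptors
#   cat /proc/$(pidof ns-slapd)/limits          # "Max open files" row
#   ls /proc/$(pidof ns-slapd)/fd | wc -l       # descriptors in use
# Both samples below are constructed to match the thread (1024 everywhere).

SAMPLE_LDIF='dn: cn=config
nsslapd-maxdescriptors: 1024
nsslapd-conntablesize: 1024
nsslapd-reservedescriptors: 64'

SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 1024                 files'

# Print the first value of attribute $2 from the LDIF text in $1.
ldif_attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# Print "<soft> <hard>" for "Max open files" from a /proc/PID/limits dump in $1.
nofile_limits() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $4, $5 }'
}

# fd_verdict MAXDESC HARD INUSE
#   CAPPED (rc 1): the attribute is above the process hard limit, so the
#                  server cannot use it; raise ulimit -n first (for instance
#                  in start-slapd, as Richard suggests), then the attribute.
#   NEAR   (rc 2): 90% or more of the descriptors are in use; the "too many
#                  fds open" pauses from the errors log are close.
#   OK     (rc 0): headroom remains.
fd_verdict() {
    maxdesc=$1; hard=$2; inuse=$3
    if [ "$maxdesc" -gt "$hard" ]; then
        echo "CAPPED: nsslapd-maxdescriptors=$maxdesc exceeds hard limit $hard"
        return 1
    fi
    if [ $((inuse * 10)) -ge $((maxdesc * 9)) ]; then
        echo "NEAR: $inuse of $maxdesc descriptors in use (hard limit $hard)"
        return 2
    fi
    echo "OK: $inuse of $maxdesc descriptors in use (hard limit $hard)"
    return 0
}

# LDIF for ldapmodify that raises the attribute to $1. Apply it only once the
# process limit allows the value, then restart the instance.
raise_maxdescriptors_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-maxdescriptors\nnsslapd-maxdescriptors: %s\n' "$1"
}

# Demonstration on the constructed samples.
maxdesc=$(ldif_attr "$SAMPLE_LDIF" nsslapd-maxdescriptors)
hard=$(nofile_limits "$SAMPLE_LIMITS" | awk '{ print $2 }')
fd_verdict "$maxdesc" "$hard" 980 || true    # NEAR: 980 of 1024 in use
fd_verdict 2048 "$hard" 980 || true          # CAPPED until ulimit -n is raised
raise_maxdescriptors_ldif 2048               # pipe into: ldapmodify -x -D "cn=Directory Manager" -W
```

On the question of propagation: cn=config is local to each instance and is never replicated, so the ulimit change and the attribute change have to be made on every master and consumer separately.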
From rmeggins at redhat.com Fri Mar 2 22:55:48 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 02 Mar 2007 15:55:48 -0700
Subject: [Fedora-directory-users] not enough file descriptors
In-Reply-To: <5664889.1172875943467.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
References: <5664889.1172875943467.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>
Message-ID: <45E8AB74.5000400@redhat.com>

MJD Shop Account wrote:
> ah! only 1024. What is considered a reasonable value? Is it setting this or picking it up from the defaults such as ulimits?
>
The server sets this itself. So you have to set the value yourself.

See http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf - search for nsslapd-conntablesize and nsslapd-maxdescriptors

> I assume I need to do this on all of the multi-masters and consumers to be the same, or do I? Does it propagate? I'm not sharing the config tree among different servers.

From mjdshop at earthlink.net Fri Mar 2 23:29:28 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Fri, 2 Mar 2007 18:29:28 -0500 (GMT-05:00)
Subject: [Fedora-directory-users] not enough file descriptors
Message-ID: <32987180.1172878168596.JavaMail.root@elwamui-milano.atl.sa.earthlink.net>

I found that the user limits were by default 1024 and I could not set the nsslapd-maxdescriptors higher than that, so I upped the default limits and changed nsslapd-maxdescriptors to 2048. We'll see how that works out.

Thanks Richard and George!
From y-hira at nttpc.co.jp Mon Mar 5 01:51:49 2007
From: y-hira at nttpc.co.jp (Yasuhiro Hiraishi)
Date: Mon, 05 Mar 2007 10:51:49 +0900
Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem....
Message-ID: <20070305104236.CB2D.Y-HIRA@nttpc.co.jp>

Hello.

I am planning to use the Fedora Directory Server in Redhat Linux ES4.0 to do 'Server Side Sorting'. The system processed around 4000 entries successfully. However, when the system tried processing more than 5000 entries, it returned an error such as 'LDAP_UNWILLING_TO_PERFORM'.

Does anyone know how to fix this problem?

Just in case, I show you the error logs below...

--------------------------
[01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3
[01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*)
[01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
[01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND
[01/Mar/2007:14:07:17 +0
-----

Below is what I did:
------------------------------------------
1. Install Fedora Directory Service.
2. Change look-through limit in Database Setting to 2147483647 from the Server Console.
3. Creating Presence and Substring Indexes of 'uid' from the Server Console
4. I start entry ....
--

Thank you.
From darren.paxton at mercer.com Mon Mar 5 11:36:23 2007
From: darren.paxton at mercer.com (Paxton, Darren)
Date: Mon, 05 Mar 2007 11:36:23 +0000
Subject: [Fedora-directory-users] User Account Management
Message-ID: <1173094583.15393.18.camel@MUKLWDP01.mercer.com>

Hi all

I've managed to get a few features that I'd been struggling with working on FDS, however I'd appreciate any guidance with the following:

Our service desk is outsourced and I'm looking to replace an existing NIS implementation with LDAP (probably Redhat, but until we prove it to be reliable I'm sticking with FDS for now).

I'm trying to avoid using the Administrator accounts set up in O=NetscapeRoot and create user accounts within the main dc=example,dc=com schema and give them access to the relevant subtrees to be able to create user accounts, reset passwords etc - effectively delegating restricted admin access whilst still ensuring the security model.

I thought I had achieved this by setting an Access Role on the target OU and specifying that a group I had already created would have full access to all attributes (I can refine this later to restrict down to the bare minimum).

Below is the syntax obtained from the GUI console when setting up the restriction

(targetattr = "*")
(target = "ldap:///ou=Laser,dc=example,dc=com")
(version 3.0;
acl "Sdesk";
allow (all)
(groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")
;)

however, when I attempt to add a user via the newuser.pl script I obtained from netauth, I get the following:

failed to add entry: Insufficient 'write' privilege to the 'userPassword' attribute at ./newuser.pl line 232, line 228.

Has anyone implemented a security model like this and if so, would they be able to share any experiences.

Thanks

Darren

--
Darren Paxton, European Midrange Systems Senior Engineer
Centralised Operations | MMC Global Technology Infrastructure (MGTI)
Mercer Human Resource Consulting | Mercury Court, Tithebarn Street, Liverpool, L2 2QH, Merseyside, UK
+44 (0) 151 242 7216 | Mobile +44 (0) 7789 0 30027 | darren.paxton at mercer.com
www.mmc.com

This e-mail and any attachments may be confidential or legally privileged. If you received this message in error or are not the intended recipient, you should destroy the email message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained herein. Please inform us of the erroneous delivery by return e-mail. Thank you for your co-operation.

Mercer Human Resource Consulting Limited is authorised and regulated by the Financial Services Authority. Registered in England No. 984275. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU.
From aaron.cline at gmail.com Mon Mar 5 16:08:11 2007
From: aaron.cline at gmail.com (Aaron Cline)
Date: Mon, 5 Mar 2007 11:08:11 -0500
Subject: [Fedora-directory-users] pam_ldap: error trying to bind as user (Constraint violation)
Message-ID: <2f8a29cb0703050808t1f90cc8k96bc40413a3c7759@mail.gmail.com>

Hello:

I'm using FedoraDS 1.0.3 to perform authentication functions to servers in a DMZ. This morning a user was able to log in but then 1 minute later they tried to use sudo as themselves and they were denied. They continued to be denied for the next 10 minutes before they gave up. I pulled the following errors from the system log of the system they were logged into:

Mar 5 14:24:37 low-tcw-103 sudo(pam_unix)[10957]: check pass; user unknown
Mar 5 14:24:37 low-tcw-103 sudo(pam_unix)[10957]: authentication failure; logname=marnelc uid=0 euid=0 tty=pts/1 ruser= rhost=
Mar 5 14:24:37 low-tcw-103 sudo[10957]: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Invalid credentials)
Mar 5 14:24:43 low-tcw-103 sudo(pam_unix)[10957]: check pass; user unknown
Mar 5 14:24:43 low-tcw-103 sudo[10957]: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint violation)

It looks to me that the first time the user must have typed the wrong password, but after that I don't know what happened. I don't see any obvious errors in either the access or error log files on the LDAP server. Has anyone seen this before?

Thanks for any info or advice.

Aaron
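Decoding the RESULT lines of the directory's access log, as an added example that is not code from either post: Yasuhiro's log above ends in err=4 with notes=U, and the bind failures Aaron's pam_ldap reports appear on the server side as BIND ... RESULT lines with err=49 and err=19. The err= numbers follow the LDAP result codes of RFC 4511 (4 is sizeLimitExceeded, 19 constraintViolation, 49 invalidCredentials, 53 unwillingToPerform); notes=U marks an unindexed search. The sample lines are constructed: the first two mirror Yasuhiro's, the BIND results are what Aaron's sequence (one wrong password, then constraint violation) would produce, and the lockout reading of err=19 on a BIND is the usual cause in this server and should be confirmed against the account's passwordRetryCount and accountUnlockTime before acting on it.

```shell
#!/bin/sh
# Added example, not from the thread: translate err= and notes= on Fedora DS
# access-log RESULT lines into something an operator can act on.
# Live input: /opt/fedora-ds/slapd-<instance>/logs/access

# Constructed sample (see lead-in).
SAMPLE_ACCESS='[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
[05/Mar/2007:14:24:37 -0500] conn=201 op=0 BIND dn="uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" method=128 version=3
[05/Mar/2007:14:24:37 -0500] conn=201 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[05/Mar/2007:14:24:43 -0500] conn=202 op=0 RESULT err=19 tag=97 nentries=0 etime=0
[05/Mar/2007:14:25:01 -0500] conn=203 op=1 RESULT err=0 tag=101 nentries=1 etime=0'

# Name of an LDAP result code (RFC 4511 numbering).
ldap_err_name() {
    case "$1" in
        0)  echo success ;;
        3)  echo timeLimitExceeded ;;
        4)  echo sizeLimitExceeded ;;
        11) echo adminLimitExceeded ;;
        19) echo constraintViolation ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        50) echo insufficientAccessRights ;;
        53) echo unwillingToPerform ;;
        *)  echo "err$1" ;;
    esac
}

# Operational hint keyed on err= and tag= (tag 97 = bind response,
# tag 101 = search result done) plus notes=U (unindexed search).
ldap_result_hint() {
    err=$1; tag=$2; notes=$3
    case "$err:$tag" in
        4:*)   hint="hit nsslapd-sizelimit (or the client's size limit); raise it or page the search" ;;
        19:97) hint="bind refused by password policy: check lockout/expiry on the account" ;;
        49:97) hint="wrong password or bad bind DN" ;;
        53:*)  hint="server declined the operation; the errors log usually says why" ;;
        *)     hint="" ;;
    esac
    case "$notes" in
        *U*) hint="${hint:+$hint; }unindexed search (notes=U): every entry is a candidate, bounded by nsslapd-lookthroughlimit; index the filter attribute" ;;
    esac
    echo "$hint"
}

# One summary line per RESULT entry that failed or was unindexed.
flag_results() {
    printf '%s\n' "$1" | awk '
        / RESULT / {
            err = ""; tag = ""; notes = ""; conn = ""; op = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "err")   err = kv[2]
                if (kv[1] == "tag")   tag = kv[2]
                if (kv[1] == "notes") notes = kv[2]
                if (kv[1] == "conn")  conn = kv[2]
                if (kv[1] == "op")    op = kv[2]
            }
            if (err != "0" || notes ~ /U/) print conn, op, err, tag, notes
        }' | while read -r conn op err tag notes; do
            printf 'conn=%s op=%s %s (%s): %s\n' "$conn" "$op" \
                "$(ldap_err_name "$err")" "$err" "$(ldap_result_hint "$err" "$tag" "$notes")"
        done
}

flag_results "$SAMPLE_ACCESS"
```

Run it against the real access log with `flag_results "$(cat /opt/fedora-ds/slapd-<instance>/logs/access)"`; the conn= and op= values let you walk back to the matching SRCH or BIND line to see the filter or bind DN involved.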
From rmeggins at redhat.com Mon Mar 5 17:28:34 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 05 Mar 2007 10:28:34 -0700
Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem....
In-Reply-To: <20070305104236.CB2D.Y-HIRA@nttpc.co.jp>
References: <20070305104236.CB2D.Y-HIRA@nttpc.co.jp>
Message-ID: <45EC5342.6030706@redhat.com>

Yasuhiro Hiraishi wrote:
[...]
> Below is what I did:
> ------------------------------------------
> 1. Install Fedora Directory Service.
> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console.
> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console
>
Was there not already a presence index for uid? This may also be a problem with the search sizelimit.

> 4. I start entry ....
> --
>
> Thank you.

From prowley at redhat.com Mon Mar 5 17:32:26 2007
From: prowley at redhat.com (Pete Rowley)
Date: Mon, 05 Mar 2007 09:32:26 -0800
Subject: [Fedora-directory-users] User Account Management
In-Reply-To: <1173094583.15393.18.camel@MUKLWDP01.mercer.com>
References: <1173094583.15393.18.camel@MUKLWDP01.mercer.com>
Message-ID: <45EC542A.9020303@redhat.com>

Paxton, Darren wrote:
>
> failed to add entry: Insufficient 'write' privilege to the
> 'userPassword' attribute at ./newuser.pl line 232, line 228.
Do you have a deny acl for userPassword - if so it will take precedence.

--
Pete
From rmeggins at redhat.com Mon Mar 5 17:30:49 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Mon, 05 Mar 2007 10:30:49 -0700
Subject: [Fedora-directory-users] User Account Management
In-Reply-To: <1173094583.15393.18.camel@MUKLWDP01.mercer.com>
References: <1173094583.15393.18.camel@MUKLWDP01.mercer.com>
Message-ID: <45EC53C9.8030402@redhat.com>

Paxton, Darren wrote:
[...]
> Below is the syntax obtained from the GUI console when setting up the
> restriction
>
> (targetattr = "*")
> (target = "ldap:///ou=Laser,dc=example,dc=com")
> (version 3.0;
> acl "Sdesk";
> allow (all)
> (groupdn = "ldap:///cn=gpServiceDesk,ou=Groups, dc=example,dc=com")
> ;)
>
> however, when I attempt to add a user via the newuser.pl script I
> obtained from netauth, I get the following:
>
> failed to add entry: Insufficient 'write' privilege to the
> 'userPassword' attribute at ./newuser.pl line 232, line 228.
If you add an entry without the userPassword attribute, does it succeed?

Do you have an ACI on dc=example,dc=com or ou=Laser that denies access to the userPassword attribute (e.g. (targetattr!=userPassword))?
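One way to run the two checks Pete and Richard ask for, as an added example and not code from the thread: dump every aci value from the suffix down (the ldapsearch is in the comment), list each deny rule whose targetattr covers userPassword, since a deny anywhere on the path from the entry up to the suffix beats Darren's allow, and strip userPassword from the add LDIF so the same entry can be tried with and without it. The LDIF is a constructed sample: it contains Darren's ACI plus a hypothetical deny on dc=example,dc=com that is assumed for the demonstration, not something Darren reported; the "jdoe" entry and the acl names are likewise made up.

```shell
#!/bin/sh
# Added example, not from the thread. Find deny ACIs that cover an attribute,
# and strip that attribute from an add LDIF for the with/without test.
# Live input, bound as Directory Manager:
#   ldapsearch -x -D "cn=Directory Manager" -W -b dc=example,dc=com \
#       -s sub "(aci=*)" aci

# Constructed sample: Darren's allow on ou=Laser plus a hypothetical deny on
# the suffix (assumed here, not reported by Darren).
SAMPLE_ACIS='dn: dc=example,dc=com
aci: (targetattr != "userPassword")(version 3.0; acl "Anonymous read"; allow (read,search,compare) userdn = "ldap:///anyone";)
aci: (targetattr = "userPassword || nsAccountLock")(version 3.0; acl "No password writes"; deny (write,add) userdn = "ldap:///all";)

dn: ou=Laser,dc=example,dc=com
aci: (targetattr = "*")(target = "ldap:///ou=Laser,dc=example,dc=com")(version 3.0; acl "Sdesk"; allow (all) (groupdn = "ldap:///cn=gpServiceDesk,ou=Groups,dc=example,dc=com");)'

# Constructed add LDIF; the hash is a placeholder, not a real credential.
NEW_USER='dn: uid=jdoe,ou=Laser,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SSHA}placeholder-not-a-real-hash'

# deny_acis_for_attr LDIF ATTR
# Prints 'acl "<name>" on <dn>' for every aci with a deny clause whose
# targetattr covers ATTR: "*", a list naming ATTR, or a "!=" list that does
# not name ATTR. An aci with no targetattr keyword covers all attributes.
# The target keyword is ignored, so a deny scoped to another subtree is still
# listed; check that by hand.
deny_acis_for_attr() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        /^dn: /  { dn = substr($0, 5) }
        /^aci: / && / deny *\(/ {
            name = "?"
            if (match($0, /acl "[^"]*"/)) {
                name = substr($0, RSTART + 5, RLENGTH - 6)
            }
            covers = 1
            if (match($0, /targetattr *!?= *"[^"]*"/)) {
                clause = substr($0, RSTART, RLENGTH)
                negated = (clause ~ /!=/)
                sub(/^[^"]*"/, "", clause); sub(/"$/, "", clause)
                n = split(clause, list, /[ |]+/)
                listed = 0
                for (i = 1; i <= n; i++) {
                    if (tolower(list[i]) == tolower(attr) || list[i] == "*") listed = 1
                }
                covers = negated ? !listed : listed
            }
            if (covers) printf "acl \"%s\" on %s\n", name, dn
        }'
}

# strip_attr LDIF ATTR: drop ATTR (plain or base64 "::" form) from an add
# LDIF. Values folded onto continuation lines are not handled.
strip_attr() {
    printf '%s\n' "$1" | grep -iv "^$2::\{0,1\} "
}

deny_acis_for_attr "$SAMPLE_ACIS" userPassword
strip_attr "$NEW_USER" userPassword   # pipe into: ldapmodify -x -a -D "<service desk member DN>" -W
```

If the add without userPassword succeeds and the deny finder prints a rule, that rule is the one to narrow (for example by excluding the service-desk group from it); if the add fails even without userPassword, the problem is the allow itself rather than a competing deny.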
From Justin.Crawford at cusys.edu Mon Mar 5 18:18:39 2007
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Mon, 5 Mar 2007 11:18:39 -0700
Subject: [Fedora-directory-users] slapd crash on replicate attempt
In-Reply-To: <45EC53C9.8030402@redhat.com>
Message-ID: <7315857F21D51B449CC55ADE3A5683182C020C@ex2k3.ad.cusys.edu>

Hi-

This morning a multi-master pair that has been running since Nov. 5 crashed. There is only one clue, in the error log of one of the directories:

NSMMReplicationPlugin - agmt="cn=auth_ldap2 to auth_ldap1" (ldap:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.

That appears to be the last thing either process said before they both gave up, almost simultaneously.

Can anyone help me understand what happened?

It looks like the replication agreements survived; at least, in the replication configuration section of each directory's console, there is a message with a current time saying "Incremental update succeeded."

Thanks!

Justin
From edlinuxguru at gmail.com Mon Mar 5 18:59:30 2007
From: edlinuxguru at gmail.com (Eddie C)
Date: Mon, 5 Mar 2007 13:59:30 -0500
Subject: [Fedora-directory-users] slapd crash on replicate attempt
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182C020C@ex2k3.ad.cusys.edu>
References: <45EC53C9.8030402@redhat.com> <7315857F21D51B449CC55ADE3A5683182C020C@ex2k3.ad.cusys.edu>
Message-ID:

Make sure that when you created an account for replication that the account did not expire and lock out.

On 3/5/07, Justin Crawford wrote:
[...]
From Justin.Crawford at cusys.edu Mon Mar 5 22:39:34 2007
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Mon, 5 Mar 2007 15:39:34 -0700
Subject: [Fedora-directory-users] slapd crash on replicate attempt
In-Reply-To:
Message-ID: <7315857F21D51B449CC55ADE3A5683182C020F@ex2k3.ad.cusys.edu>

I think the replication error may be a response to the crash, and not necessarily a clue to the cause. One of the slapd processes just crashed again, and the logs on the second server show only the same replication error. I take it to mean the replication can't continue, because the slapd process on the other server has crashed.

Anyway, today is the first time in 5 months that either of these servers has had any issue whatsoever. Are there other documented instances of the fedora server crashing hard without generating errors? We're running 1.0.2.

$ uname -r -v -p -i -o
2.6.9-34.0.2.ELsmp #1 SMP Fri Jun 30 10:32:04 EDT 2006 x86_64 x86_64 GNU/Linux

Thanks!

Justin

On Behalf Of Eddie C, Monday, March 05, 2007 12:00 PM:
[...]

From jepoy25 at lycos.com Tue Mar 6 02:03:43 2007
From: jepoy25 at lycos.com (Jeffrey Jamisola)
Date: Mon, 05 Mar 2007 21:03:43 -0500 (EST)
Subject: [Fedora-directory-users] Password Sync Error
Message-ID: <20070305210343.HM.00000000000003y@jepoy25.bos-mail-wwl4.lycos.com>

[The body of this message was an HTML attachment and was not archived.]
From: ivan.mitev at gmail.com (ivan mitev)
Date: Tue, 6 Mar 2007 16:24:49 +0200
Subject: [Fedora-directory-users] 2 user passwords ? / updates on consumer without referral
Message-ID:

hello list !

i'm doing some tests to replace our openldap based ldap infrastructure with fds; i'm really happy with fds compared to openldap, but i'm running into a little problem...

what i'm trying to achieve: we have 2 different user passwords: one for our lan, the other for the dmz (imap, jabber, ...); the ldap supplier is in the lan, and there's a consumer in the dmz; the lan password should be used for user/services binding to the lan server, while the dmz password should be used for user/services binding to the dmz server

is there a simple way to do that with fds (eg. a plugin where one can choose which attribute fds uses for binds) ?

with openldap, on the supplier, the lan password was stored in userPassword, and the dmz password was stored in obsDmzPassword (from our custom schema); the userPassword attribute was excluded from the lan->dmz replication, and we had a script that would connect to the dmz as the directory manager (-> so no referral with this user) and which would copy the content of obsDmzPassword to userPassword

that's ugly, but it worked fine

now, with fds, i managed to do the same thing, when selecting "use the databases" under "suffix request processing" on the consumer; however, this setting goes back to "return referrals for update operations" after each full consumer initialization; is there a way to prevent that from happening ?

thanks !

ivan

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jfgamsby at lbl.gov Tue Mar 6 18:08:02 2007
From: jfgamsby at lbl.gov (Jeff Gamsby)
Date: Tue, 06 Mar 2007 10:08:02 -0800
Subject: [Fedora-directory-users] Password Sync Error
In-Reply-To: <20070305210343.HM.00000000000003y@jepoy25.bos-mail-wwl4.lycos.com>
References: <20070305210343.HM.00000000000003y@jepoy25.bos-mail-wwl4.lycos.com>
Message-ID: <45EDAE02.1080804@lbl.gov>

Have you tried connecting on port 636 using the FQDN of the directory server rather than the IP address? Did you export the Windows cert and import it into the Directory Server?

This is how I did it, first on Windows 2000 server then on 2003 server.

My Setup:
Fedora Core 4
Fedora Directory Server 1.0.2
Windows 2000 Server

Install FDS (or reinstall: rpm -qa | grep fedora-ds | xargs rpm -e; rm -rf /opt/fedora-ds ; rpm -i fedora-ds-1.0.2)

create certificates, etc.. I used this simple script that I wrote:
(cd to /opt/fedora-ds/alias)
-----------------------------------------------------------------------
# server root, as implied by the /opt/fedora-ds paths used below
serverroot=/opt/fedora-ds
echo -n "Creating password and noise file..."
# pwdfile.txt holds the NSS key database password in clear text; keep it readable by the server user only
echo "8904859034905834-580943502385430958430958049385" > /opt/fedora-ds/alias/pwdfile.txt
echo "8374893jkhsdfjkhdjksfah89dskjfkdghkjdfhguiert9348khkfhgkjfd79" > /opt/fedora-ds/alias/noise.txt
echo -n "Creating Databases..."
$serverroot/shared/bin/certutil -N -d . -f pwdfile.txt
echo -n "Generating encryption key..."
$serverroot/shared/bin/certutil -G -d . -z noise.txt -f pwdfile.txt
echo -n "Generating self-signed certificate..."
$serverroot/shared/bin/certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z noise.txt -f pwdfile.txt
echo -n "Generating server certificate.."
$serverroot/shared/bin/certutil -S -n "Server-Cert" -s "cn=hostname.of.fds" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -z noise.txt -f pwdfile.txt
# "host" below stands for the slapd instance name
mv key3.db slapd-host-key3.db
mv cert8.db slapd-host-cert8.db
ln -s slapd-host-key3.db key3.db
ln -s slapd-host-cert8.db cert8.db
echo -n "Setting permissions.."
chown nobody.nobody /opt/fedora-ds/alias/slapd-host-*
echo -n "Exporting certificate.."
$serverroot/shared/bin/certutil -L -d . -n "CA certificate" -r > cacert.der
echo "Converting certificate.."
openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
echo "Copying cacert.pem to /etc/openldap/cacerts.."
cp cacert.pem /etc/openldap/cacerts/
echo -n "Enabling SSL in FDS"
echo ""
echo -n "Please enter Manager password..(twice)"
ldapmodify -x -D cn=Manager -W -f /tmp/ssl_enable.ldif
ldapmodify -x -D cn=Manager -W -a -f /tmp/addRSA.ldif
---------------------------------------------------------

restart FDS

Test SSL connections and ldapsearch
netstat -an | grep 636

Install Active Directory on Windows Server
Install Certificate Services --> Enterprise root CA
reboot

Enable SSL on AD

1. Install Certificate Services on Windows 2000 Server and an Enterprise Certificate Authority in the Active Directory Domain. Make sure you install an Enterprise Certificate Authority.

2. Create a Security (Group) Policy to direct Domain Controllers to get an SSL certificate from the Certificate Authority (CA).
   1. Open the Active Directory Users and Computers Administrative tool.
   2. Under the domain, right-click on Domain Controllers.
   3. Select Properties.
   4. In the Group Policy tab, click to edit the Default Domain Controllers Policy.
   5. Go to Computer Configuration->Windows Settings->Security Settings->Public Key Policies.
   6. Right click Automatic Certificate Request Settings.
   7. Select New.
   8. Select Automatic Certificate Request.
   9. Run the wizard. Select the Certificate Template for a Domain Controller.
   10. Select your Enterprise Certificate Authority as the CA. Selecting a third-party CA works as well.
   11. Complete the wizard.
   12. All Domain Controllers now automatically request a certificate from the CA, and support LDAP using SSL on port 636.

3. Retrieve the Certificate Authority Certificate
   1. Open a Web browser on the AD machine
   2. Go to http://localhost/certsrv/
   3. Select the task Retrieve the CA certificate or certificate revocation list.
   4. Click Next.
   5. The next page automatically highlights the CA certificate. Click Download CA certificate.
   6. A new download window opens. Save the file to the hard drive. Save in DER mode

Copy file to FDS server, convert to PEM format
openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import AD CA cert into FDS
certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem

check certs (from /opt/fedora-ds/alias)
certutil -L -d . -P slapd-instance

Check ldapsearch from FDS to AD
ldapsearch -Z -P -h -p -D " -w < sync manager password> -s -b "" ""

Install PassSync on Windows machine.
Follow directions from Howto:WindowsSync (certificate creation)
restart AD server

Enable Replication in Directory Server Console:
Go to configuration tab --> Replication --> enable changelog --> default
Expand Replication, click UserRoot
Check "Enable Replica"
Single-master
Right Click UserRoot --> Create new windows sync agreement

Up log level in FDS:

dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

ldapmodify -x -D "cn=directory manager" -a -f repl_log.ldif

restart FDS

right click win sync agreement --> Initiate Full Sync

check error logs (/opt/fedora/slapd-instance/logs/errors)

In order for users to be created on the Windows side, users must have certain attributes. e.g.

dn: uid=TBird,ou=People, dc=server,dc=com
givenName: Tweetie
ntUserCreateNewAccount: true
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
facsimileTelephoneNumber: 510-555-5555
uid: TBird
mail: tbird server com
uidNumber: 71209
cn: Tweetie Bird
ntUserComment: Tweetie Bird User Account
telephoneNumber: 510-555-5555
loginShell: /bin/bash
ntUserDomainId: tbird
gidNumber: 5000
ntUserDeleteAccount: true
gecos: Tweetie Bird
homeDirectory: /home/tbird
sn: Bird
userPassword::

Jeffrey Jamisola wrote:
> Yes, I've already tried to add port 389 and 636 on iptables
> and restart the iptables service, same error result.
> Then tried to disable firewall on linux server, same error:
>
> "Can not connect to ldap server in syncPasswords"
>
> I've used a tool called LdapAdmin.exe to connect to Directory
> Server PC from Active Directory PC, using credentials below:
>
> Host: 192.36.253.152
> Port Number: 389 or 636
> User Name: Directory Manager
> Password: Directory Manager password
> Base: ou=People,dc=example,dc=com
>
> It successfully connects to the Directory Server.
> Yet during password sync, it cannot contact the directory server.
>
> Is there some other way?
>
> Jeffrey Jamisola wrote:
>
> Synchronization of users between active directory and directory server
> is already done. However, I am trying to synchronize password for
> redhat directory server & windows 2003
> active directory.
>
> Installed Password Sync for active directory with the following:
>
> Host Name: 192.36.253.152
> Port Number: 389
> User Name: Directory Manager
> Password:
> Cert Token:
> Search Base: ou=People,dc=example,dc=com
>
> Checking the password sync log file, found this error:
>
> ---------------
> 02/09/07 19:18:32 : Ldap bind error in Connect
> 81:Can't connect to LDAP Server
> 02/09/07 19:18:32 : Can not connect to ldap server in syncPasswords
>
> Firewall?
>
> --------------
>
> does anyone know how to solve this problem?
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

From sheridanj.west at gmail.com Tue Mar 6 21:37:28 2007
From: sheridanj.west at gmail.com (SheridanJ West)
Date: Tue, 6 Mar 2007 21:37:28 +0000
Subject: [Fedora-directory-users] sorry retarded question on fds and tcpip no luck in faq
Message-ID:

Excuse me - i need a big clue

I have a fc6 box with many ethernet cards in

ip runs .....
[rfc 1918 range] - local garbage postgres...
[proper ip 1] www postfix cyrus-imap
[proper ip 2] "
[proper ip 3] "
[proper ip 4] "

with fds - 1.04 (most recent) it appears i can only run one port 389/636 using the java startconsole then its using some odd port number for each new domain rather than ideally

[proper ip 1] www postfix ldap:389 ldap:90009 ldap:90010 ldap:900011
[proper ip 2] " noldap running
[proper ip 3] "
[proper ip 4] "

The carter book on ldap appears to make no mention of a 'listen' like command you find in apache, there's a hint in the fds wiki of an inf file where things like server identifier can be specified but is fds up to the job

each ldap stores will be light with data, rather than big

So is what im trying to do possible with fds ?, I think no is the answer with java.

Any responses (even rude ones most welcome)

From david_list at boreham.org Tue Mar 6 22:39:05 2007
From: david_list at boreham.org (David Boreham)
Date: Tue, 06 Mar 2007 15:39:05 -0700
Subject: [Fedora-directory-users] sorry retarded question on fds and tcpip no luck in faq
In-Reply-To:
References:
Message-ID: <45EDED89.2060206@boreham.org>

You want to bind each of several slapd processes to a different local IP address, listening on the same port? I'm almost certain you can do that. Probably not with the java console though. You'd need to find the config in the docs and enter it in dse.ldif by hand.

Note that you really don't need to do this if you can ensure that clients authenticate (you can use access control rules to wall them off from each other). If you need anonymous access using a default suffix on port 389 then yes you do need to do what you're asking.

SheridanJ West wrote:
> Excuse me - i need a big clue
>
> I have a fc6 box with many ethernet cards in
>
> ip runs .....
> [rfc 1918 range] - local garbage postgres...
> [proper ip 1] www postfix cyrus-imap
> [proper ip 2] "
> [proper ip 3] "
> [proper ip 4] "
>
> with fds - 1.04 (most recent) it appears i can only run one port
> 389/636 using the java startconsole then its using some odd port
> number for each new domain rather than ideally
>
> [proper ip 1] www postfix ldap:389 ldap:90009 ldap:90010 ldap:900011
> [proper ip 2] " noldap running
> [proper ip 3] "
> [proper ip 4] "
>
> The carter book on ldap appears to make no mention of a 'listen' like
> command you find in apache, there's a hint in the fds wiki of an
> inf file where things like server identifier can be specified but is
> fds up to the job
>
> each ldap stores will be light with data, rather than big
>
> So is what im trying to do possible with fds ?, I think no is the
> answer with java.
>
> Any responses (even rude ones most welcome)
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From trevor.wendt at aquila.com Wed Mar 7 00:52:27 2007
From: trevor.wendt at aquila.com (Wendt, Trevor)
Date: Tue, 6 Mar 2007 18:52:27 -0600
Subject: [Fedora-directory-users] Multi-Master Replication Problems
Message-ID:

> I'm having some significant issues getting my multi-master servers
> synchronized after a network outage this past weekend. First I was
> getting:
>
> error--> NSMMReplicationPlugin - agmt="cn=srv1-to-srv2" (srv2:389):
> Replica has a different generation ID than the local data.
>
> Then after numerous attempts to clear out the change log and
> reinitialize the consumer from srv1 to srv2, and failing each time
> hitting a "ratio 0%" error (we increased server memory and
> corresponding database/cache settings to no avail):
>
> error--> import userRoot: Processed 48136 entries -- average rate
> 2292.2/sec, recent rate 2292.1/sec, hit ratio 0%
>
> Finally tried a local file restore db2ldif (with -r) and ldif2db and
> one from db2bak. Upon restore on both servers, now on the "good"
> server (srv1) I see:
>
> error--> NSMMReplicationPlugin - replica_check_for_data_reload:
> Warning: data for replica dc=,dc=com was reloaded and it no
> longer matches the data in the changelog (replica data > changelog).
> Recreating the changelog file. This could affect replication with
> replica's consumers in which case the consumers should be
> reinitialized.
>
> AND
>
> error--> NSMMReplicationPlugin - csnplCommit: can't find csn
> 45ee0228000000010000
> error--> NSMMReplicationPlugin - ruv_update_ruv: cannot commit csn
> 45ee0228000000010000
> error--> NSMMReplicationPlugin - replica_update_ruv: unable to update
> RUV for replica dc=,dc=com, csn = 45ee0228000000010000
>
> These are both after clearing the changelogdb (multiple times) and of
> course no synchronization.
>
> At this point I am stuck and would appreciate any help in getting this
> resolved. First I need to resolve the "NSMMReplicationPlugin -
> csnplCommit: can't find csn" problems so I can try the command line
> again.
>
> Thanks much!
> -------------- next part --------------
An HTML attachment was scrubbed...
URL:

From david_list at boreham.org Wed Mar 7 01:25:49 2007
From: david_list at boreham.org (David Boreham)
Date: Tue, 06 Mar 2007 18:25:49 -0700
Subject: [Fedora-directory-users] Multi-Master Replication Problems
In-Reply-To:
References:
Message-ID: <45EE149D.2080707@boreham.org>

Wendt, Trevor wrote:
> I'm having some significant issues getting my multi-master servers
> synchronized after a network outage this past weekend. First I was
> getting:
>
> error--> NSMMReplicationPlugin - agmt="cn=srv1-to-srv2" (srv2:389):
> Replica has a different generation ID than the local data.
>
> Then after numerous attempts to clear out the change log and
> reinitialize the consumer from srv1 to srv2, and failing each time
> hitting a "ratio 0%" error (we increased server memory and
> corresponding database/cache settings to no avail):
>
> error--> import userRoot: Processed 48136 entries -- average rate
> 2292.2/sec, recent rate 2292.1/sec, hit ratio 0%
>

Are you thinking this is an 'error'? It looks fine to me. 2300 entries/s processed. The hit ratio won't fill out until the load has been going for a few cycles, which it may never get to with a small number of entries.

The generation ID errors sound like real errors, but those should be resolvable with the correct replica re-initialization done.

From trevor.wendt at aquila.com Wed Mar 7 01:48:45 2007
From: trevor.wendt at aquila.com (Wendt, Trevor)
Date: Tue, 6 Mar 2007 19:48:45 -0600
Subject: [Fedora-directory-users] Multi-Master Replication Problems
In-Reply-To: <45EE149D.2080707@boreham.org>
Message-ID:

"Are you thinking this is an 'error'? It looks fine to me. 2300 entries/s processed. The hit ratio won't fill out until the load has been going for a few cycles, which it may never get to with a small number of entries."

It gets up to 100% then it backs down to 0% and holds at a processed number. This only occurs when trying to initialize the consumer from the supplier through the console. We have well over 100k entries.

Example of such behavior:

- import userRoot: Processed 21552 entries -- average rate 1077.6/sec, recent rate 1077.5/sec, hit ratio 0%
- import userRoot: Processed 52769 entries -- average rate 1319.2/sec, recent rate 1319.2/sec, hit ratio 100%
- import userRoot: Processed 64526 entries -- average rate 1075.4/sec, recent rate 1074.3/sec, hit ratio 100%
- import userRoot: Processed 64526 entries -- average rate 806.6/sec, recent rate 293.9/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 638.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 533.3/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 457.6/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 400.8/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 356.5/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 321.0/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 292.0/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 267.7/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 247.2/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 183.8/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 214745138.5/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 107372569.2/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 71581712.8/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 53686284.6/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 42949027.7/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 35790856.4/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 30677876.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 26843142.3/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 23728744.6/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 21367675.5/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 15505064.2/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 14460952.1/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 13548589.2/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 214745138.5/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 107372569.2/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 71581712.8/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 53686284.6/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 42523789.8/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 35495064.2/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 30460303.3/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 26676414.7/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 23728744.6/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 16776963.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 15561241.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 14509806.7/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 3) -- average rate 13591464.5/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 214745138.5/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 107372569.2/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 71581712.8/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 53686284.6/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 42949027.7/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 35790856.4/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 30677876.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 26843142.3/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 16776963.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 15561241.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 14509806.7/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 4) -- average rate 13591464.5/sec, recent rate 0.0/sec, hit ratio 0%

######################
"The generation ID errors sound like real errors, but those should be resolvable with the correct replica re-initialization done."

I've tried re-initializing the consumer multiple times with no success. The NSMMReplicationPlugin - replica_check_for_data_reload and the "csn" errors are on my supplier server. When my srv2 went offline my srv1 became the "Master" so I can't go from srv2 to srv1 without losing entries. This is the dilemma...

Thanks for your suggestions. Please, keep them coming.
######################

https://www.redhat.com/archives/fedora-directory-users/2007-March/msg00020.html

From ulf.weltman at hp.com Wed Mar 7 02:10:25 2007
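An added example for this exchange (not code from any message in the thread): a small parser for the "import userRoot" progress lines that tells a stalled consumer initialization apart from one that is merely reporting a 0% cache hit ratio while still processing entries. The STALLED_IMPORT sample is a shortened copy of the lines posted above; HEALTHY_IMPORT starts with the single line quoted earlier and continues with constructed lines.

```python
"""Spot an import (consumer initialization) that has stopped making progress.

Added example for this thread, not part of any message in it. The samples are
modelled on the "import userRoot" progress lines the poster showed: entry
count, optional pass number, average and recent rates, cache hit ratio.
"""
import re

IMPORT_RE = re.compile(
    r"import (?P<backend>\w+): Processed (?P<processed>\d+) entries"
    r"(?: \(pass (?P<pass>\d+)\))? -- average rate (?P<avg>[\d.]+)/sec, "
    r"recent rate (?P<recent>[\d.]+)/sec, hit ratio (?P<hit>\d+)%"
)

# Shortened copy of the stalled import posted in the thread.
STALLED_IMPORT = """\
- import userRoot: Processed 21552 entries -- average rate 1077.6/sec, recent rate 1077.5/sec, hit ratio 0%
- import userRoot: Processed 52769 entries -- average rate 1319.2/sec, recent rate 1319.2/sec, hit ratio 100%
- import userRoot: Processed 64526 entries -- average rate 1075.4/sec, recent rate 1074.3/sec, hit ratio 100%
- import userRoot: Processed 64526 entries -- average rate 806.6/sec, recent rate 293.9/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 638.9/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries -- average rate 533.3/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 214745138.5/sec, recent rate 0.0/sec, hit ratio 0%
- import userRoot: Processed 64526 entries (pass 2) -- average rate 107372569.2/sec, recent rate 0.0/sec, hit ratio 0%
"""

# First line quoted in the thread; the following two are constructed. A 0% hit
# ratio with entries still flowing is the benign case David describes.
HEALTHY_IMPORT = """\
- import userRoot: Processed 48136 entries -- average rate 2292.2/sec, recent rate 2292.1/sec, hit ratio 0%
- import userRoot: Processed 96400 entries -- average rate 2300.5/sec, recent rate 2308.9/sec, hit ratio 0%
- import userRoot: Processed 104211 entries -- average rate 2301.1/sec, recent rate 2305.2/sec, hit ratio 0%
"""


def parse_import_lines(text):
    """Turn each progress line into a dict; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = IMPORT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "backend": d["backend"],
            "processed": int(d["processed"]),
            "pass": int(d["pass"]) if d["pass"] else 1,
            "avg": float(d["avg"]),
            "recent": float(d["recent"]),
            "hit": int(d["hit"]),
        })
    return records


def find_stall(records, min_reports=3):
    """Return the entry count the import is stuck at when the last
    `min_reports` reports show the same count and a recent rate of 0.0/sec;
    otherwise None. The hit ratio is deliberately not consulted."""
    if len(records) < min_reports:
        return None
    tail = records[-min_reports:]
    same_count = len({r["processed"] for r in tail}) == 1
    no_progress = all(r["recent"] == 0.0 for r in tail)
    return tail[-1]["processed"] if same_count and no_progress else None


def summarize(text, min_reports=3):
    """One-shot summary: report count, furthest entry, passes seen, stall point."""
    records = parse_import_lines(text)
    return {
        "reports": len(records),
        "max_processed": max((r["processed"] for r in records), default=0),
        "passes": max((r["pass"] for r in records), default=0),
        "stalled_at": find_stall(records, min_reports),
        "healthy_reports": sum(1 for r in records if r["recent"] > 0),
    }


if __name__ == "__main__":
    for name, text in (("stalled", STALLED_IMPORT), ("healthy", HEALTHY_IMPORT)):
        print(name, summarize(text))
```

The check keys on the entry count and the recent rate only: a hit ratio of 0% appears in both samples, so it is not evidence of a problem by itself, whereas the same entry count repeated with a recent rate of 0.0/sec across several reports (and across restarted passes) is.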
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Tue, 06 Mar 2007 18:10:25 -0800
Subject: [Fedora-directory-users] Multi-Master Replication Problems
In-Reply-To:
References:
Message-ID: <45EE1F11.5070006@hp.com>

Wendt, Trevor wrote:
> ######################
> "The generation ID errors sound like real errors, but those should be
> resolvable with the correct replica re-initialization done."
>
> I've tried re-initializing the consumer multiple times with no success.
> The NSMMReplicationPlugin - replica_check_for_data_reload and the "csn"
> errors are on my supplier server. When my srv2 went offline my srv1
> became the "Master" so I can't go from srv2 to srv1 without losing
> entries. This is the dilemma...
>
> Thanks for your suggestions. Please, keep them coming.
>
> ######################

Can you show us the RUV from the server that produces the csnplCommit error?

ldapsearch -x -D "cn=directory manager" -W -s base -b "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=,dc=com" "(&(objectclass=*)(objectclass=nstombstone))"

And your replica configuration?

ldapsearch -x -D "cn=directory manager" -W -b "cn=config" "(objectclass=nsds5replica)"

From trevor.wendt at aquila.com Wed Mar 7 02:29:27 2007
From: trevor.wendt at aquila.com (Wendt, Trevor)
Date: Tue, 6 Mar 2007 20:29:27 -0600
Subject: [Fedora-directory-users] Multi-Master Replication Problems
In-Reply-To: <45EE1F11.5070006@hp.com>
Message-ID:

"Can you show us the RUV from the server that produces the csnplCommit error?"

All I get is "ldap_search: No such object"

Replica Configuration -- in its current state.

version: 1
dn: cn=replica,cn="dc=,dc=com",cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: dc=,dc=com
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 1
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: uid=,cn=config
cn: replica
nsState:: AQAAAAQh7kUAAAAAAAAAAAEAAAA=
nsDS5ReplicaName: 1848ed03-1dd211b2-808393a4-a3ae0000
nsds5ReplicaChangeCount: 41
nsds5replicareapactive: 0

-----Original Message-----
> "The generation ID errors sound like real errors, but those should be
> resolvable with the correct replica re-initialization done."
>
> I've tried re-initializing the consumer multiple times with no success.
> The NSMMReplicationPlugin - replica_check_for_data_reload and the "csn"
> errors are on my supplier server. When my srv2 went offline my srv1
> became the "Master" so I can't go from srv2 to srv1 without losing
> entries. This is the dilemma...
>
> Thanks for your suggestions. Please, keep them coming.
>

Can you show us the RUV from the server that produces the csnplCommit error?

ldapsearch -x -D "cn=directory manager" -W -s base -b "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=,dc=com" "(&(objectclass=*)(objectclass=nstombstone))"

And your replica configuration?

ldapsearch -x -D "cn=directory manager" -W -b "cn=config" "(objectclass=nsds5replica)"

####### REF: https://www.redhat.com/archives/fedora-directory-users/2007-March/msg00020.html

From y-hira at nttpc.co.jp Wed Mar 7 03:33:10 2007
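An added example that is not part of any message in this thread: it decodes the CSN from the csnplCommit error (45ee0228000000010000) into its timestamp, sequence number and replica ID, and checks a replica's RUV, as returned by the tombstone search Ulf asked for, against that CSN. The RUV values below are constructed in the shape of nsds50ruv attribute values (the real suffix is scrubbed to "dc=,dc=com" in the archive, so example hostnames and CSNs are used); the CSN and replica ID 1 come from the error messages and replica configuration above.

```python
"""Decode 389/Fedora DS CSNs and check a replica's RUV for the CSN it cannot commit.

Added example for this thread, not the project's own tooling. A CSN is 20 hex
digits: 8 (Unix timestamp) + 4 (sequence number) + 4 (replica ID) + 4
(sub-sequence number). The RUVs below are constructed samples.
"""
from datetime import datetime, timezone

# Constructed RUV, in the shape of nsds50ruv values from the tombstone entry:
# a generation ID, then one "{replica <id> <url>} <min csn> <max csn>" per master.
RUV_SRV1 = [
    "{replicageneration} 45ee0228000000010000",
    "{replica 1 ldap://srv1.example.com:389} 45ee0228000000010000 45ee0310000100010000",
    "{replica 2 ldap://srv2.example.com:389} 45ed9f1a000000020000 45edf0c0000000020000",
]
# A second constructed RUV whose generation differs from the first: the state
# behind "Replica has a different generation ID than the local data".
RUV_SRV2 = [
    "{replicageneration} 45ee1c7b000000020000",
    "{replica 2 ldap://srv2.example.com:389} 45ee1c7b000000020000 45ee1c7b000000020000",
]

ERROR_CSN = "45ee0228000000010000"  # from the csnplCommit error in the thread


def decode_csn(csn):
    """Split a CSN into its four fields; the timestamp is returned as UTC."""
    csn = csn.strip().lower()
    if len(csn) != 20 or any(c not in "0123456789abcdef" for c in csn):
        raise ValueError(f"not a CSN: {csn!r}")
    return {
        "timestamp": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seqnum": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseqnum": int(csn[16:20], 16),
    }


def parse_ruv(values):
    """Return (generation_csn, {replica_id: (min_csn, max_csn)})."""
    generation, replicas = None, {}
    for value in values:
        tag, _, rest = value.partition("}")
        tag = tag.lstrip("{")
        csns = rest.split()
        if tag == "replicageneration":
            generation = csns[0]
        elif tag.startswith("replica "):
            rid = int(tag.split()[1])
            replicas[rid] = (csns[0], csns[-1]) if csns else None
    return generation, replicas


def generation_mismatch(ruv_a, ruv_b):
    """True when two servers disagree on the database generation ID."""
    return parse_ruv(ruv_a)[0] != parse_ruv(ruv_b)[0]


def csn_in_ruv(csn, values):
    """True if the RUV lists the CSN's replica and the CSN lies in that
    replica's [min, max] range. CSNs are fixed-width lowercase hex, so
    string order equals numeric (time) order."""
    rid = decode_csn(csn)["replica_id"]
    rng = parse_ruv(values)[1].get(rid)
    if not rng:
        return False
    lo, hi = rng
    return lo.lower() <= csn.lower() <= hi.lower()


if __name__ == "__main__":
    print(decode_csn(ERROR_CSN))
    print("generation mismatch:", generation_mismatch(RUV_SRV1, RUV_SRV2))
    print("srv1 knows the CSN:", csn_in_ruv(ERROR_CSN, RUV_SRV1))
    print("srv2 knows the CSN:", csn_in_ruv(ERROR_CSN, RUV_SRV2))
```

Decoding shows the error CSN was issued by replica ID 1 (the ID in the replica configuration above) shortly after 00:07 UTC on 7 March 2007; a CSN that decodes to a replica ID absent from a server's RUV, or outside that replica's range, is the kind of inconsistency the csnplCommit message reports. The generation ID is itself CSN-formatted, so the same decoder applies to it.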
From: y-hira at nttpc.co.jp (Yasuhiro Hiraishi)
Date: Wed, 07 Mar 2007 12:33:10 +0900
Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem....
In-Reply-To: <45EC5342.6030706@redhat.com>
References: <20070305104236.CB2D.Y-HIRA@nttpc.co.jp> <45EC5342.6030706@redhat.com>
Message-ID: <20070307120949.A34F.Y-HIRA@nttpc.co.jp>

Hello..

> > Below, I did
> > ------------------------------------------
> > 1. Install Fedora Directory Service.
> > 2. Change look-through limit in Database Setting to 2147483647 from the Server Console.
> > 3. Creating Presence and Substring Indexes of 'uid' from the Server Console
> >
> Was there not already a presence index for uid?

Sorry. I had a mistake. There was already a presence index.

> This may also be a problem with the search sizelimit.

What does 'sizelimit' mean?
Do you mean configuration which limits how many entries are returned from a FDS server?

Is it possible to use 'Server Side Sorting' with sizelimit at a client side?

I want to know why 'Server Side Sorting' is working in 4000 entries but not working in rather than 5000 entries. In those situations 'sizelimit' is 1000.

I will show you the access log when success.
--------------------------
[01/Mar/2007:14:05:24 +0900] conn=93 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[01/Mar/2007:14:05:24 +0900] conn=93 op=0 BIND dn="" method=128 version=3
[01/Mar/2007:14:05:24 +0900] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000)
[01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U
[01/Mar/2007:14:05:26 +0900] conn=93 op=2 UNBIND
[01/Mar/2007:14:05:26 +0900] conn=93 op=2 fd=68 closed - U1
---

Do you know how to use 'Server Side Sorting' in any amount of entries with client side sizelimit?

Thank you.

On Mon, 05 Mar 2007 10:28:34 -0700
Richard Megginson wrote:

> Yasuhiro Hiraishi wrote:
> > Hello.
> >
> > I am planning to use the Fedora Directory Server
> > in Redhat Linux ES4.0 to do 'Server Side Sorting'.
> > The system processed around 4000 entries successfully.
> > However, when the system tried processing more than 5000 entries,
> > it returned an error such as 'LDAP_UNWILLING_TO_PERFORM'.
> >
> > Does anyone know how to fix this problem?
> >
> > Just in case, I show you the error logs below...
> >
> > --------------------------
> > [01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> > [01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3
> > [01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> > [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
> > [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*)
> > [01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
> > [01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND
> > [01/Mar/2007:14:07:17 +0
> > -----
> >
> > Below, I did
> > ------------------------------------------
> > 1. Install Fedora Directory Service.
> > 2. Change look-through limit in Database Setting to 2147483647 from the Server Console.
> > 3. Creating Presence and Substring Indexes of 'uid' from the Server Console
> >
> Was there not already a presence index for uid?
>
> This may also be a problem with the search sizelimit.
> > 4. I start entry ....
> > --
> >
> > Thank you.
> >
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >

From rmeggins at redhat.com Wed Mar 7 03:40:33 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 06 Mar 2007 20:40:33 -0700 Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem.... In-Reply-To: <20070307120949.A34F.Y-HIRA@nttpc.co.jp> References: <20070305104236.CB2D.Y-HIRA@nttpc.co.jp> <45EC5342.6030706@redhat.com> <20070307120949.A34F.Y-HIRA@nttpc.co.jp> Message-ID: <45EE3431.6090403@redhat.com> Yasuhiro Hiraishi wrote: > Hello.. > > >>> Bellow, I done >>> ------------------------------------------ >>> 1. Install Fedora Directory Service. >>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console. >>> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console >>> >>> >> Was there not already a presence index for uid? >> > Sorry. I had a mistake. There was already a presence index. > > >> This may also be a problem with the search sizelimit. >> > What dose 'sizelimit' mean? > Do you mean configulation which limits how many entirues are retuned from a FDS server? > Yes. > Is it possible to use 'Server Side Sorting' with sizelimit at a client side? > You mean, have the client set the size limit? Yes, but the client cannot set the maximum to be higher than the maximum configured on the server side. The sizelimit is part of the LDAP Search Request. > I want to know why 'Server Side Sorting' is working in 4000 entries > but not working in rather than 5000 entries, > In those of situations 'sizelimit' is 1000. > What are your server and client side sizelimit settings? > I will show you the access log when success. 
> --------------------------
> [01/Mar/2007:14:05:24 +0900] conn=93 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 BIND dn="" method=128 version=3
> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000)
> [01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U
> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 UNBIND
> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 fd=68 closed - U1
> ---
>
> Do you know how to use 'Server Side Sorting' in any amount of entries with client side sizelimit?
>
> Thank you.
>
> On Mon, 05 Mar 2007 10:28:34 -0700
> Richard Megginson wrote:
>
>> Yasuhiro Hiraishi wrote:
>>
>>> Hello.
>>>
>>> I am planning to use the Fedora Directory Server
>>> in Redhat Linux ES4.0 to do 'Server Side Sorting'.
>>> The system processed around 4000 entries successfully.
>>> However, when the system tried processing more than 5000 entries,
>>> it returned an error such as 'LDAP_UNWILLING_TO_PERFORM'.
>>>
>>> Does anyone know how to fix this problem?
>>>
>>> Just in case, I show you the error logs below...
>>>
>>> --------------------------
>>> [01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3
>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*)
>>> [01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
>>> [01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND
>>> [01/Mar/2007:14:07:17 +0
>>> -----
>>>
>>> Below, I did
>>> ------------------------------------------
>>> 1. Install Fedora Directory Service.
>>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console.
>>> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console
>>>
>> Was there not already a presence index for uid?
>>
>> This may also be a problem with the search sizelimit.
>>
>>> 4. I start entry ....
>>> --
>>>
>>> Thank you.
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From rmeggins at redhat.com Wed Mar 7 03:55:43 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 06 Mar 2007 20:55:43 -0700
Subject: [Fedora-directory-users] slapd crash on replicate attempt
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182C020F@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683182C020F@ex2k3.ad.cusys.edu>
Message-ID: <45EE37BF.8070106@redhat.com>

Justin Crawford wrote:
> I think the replication error may be a response to the crash, and not
> necessarily a clue to the cause.
>
> One of the slapd processes just crashed again, and the logs on the
> second server show only the same replication error. I take it to mean
> the replication can't continue, because the slapd process on the other
> server has crashed.
>
> Anyway, today is the first time in 5 months that either of these
> servers has had any issue whatsoever.
Something must have changed. Even something that may appear at first glance to be innocuous.

Are you using VLV (browsing index in the console)?
> Are there other documented instances of the fedora server crashing
> hard without generating errors?
> We're running 1.0.2.
>
> $ uname -r -v -p -i -o
> 2.6.9-34.0.2.ELsmp #1 SMP Fri Jun 30 10:32:04 EDT 2006 x86_64 x86_64
> GNU/Linux
>
> Thanks!
> Justin
>
> ------------------------------------------------------------------------
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Eddie C
> Sent: Monday, March 05, 2007 12:00 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] slapd crash on replicate attempt
>
> Make sure that when you created an account for replication that
> the account did not expire and lock out.
>
> On 3/5/07, Justin Crawford < Justin.Crawford at cusys.edu > wrote:
>
> Hi-
>
> This morning a multi-master pair that has been running since Nov. 5
> crashed. There is only one clue, in the error log of one of the
> directories:
>
> NSMMReplicationPlugin - agmt="cn=auth_ldap2 to auth_ldap1" (ldap:389):
> Unable to receive the response for a startReplication extended operation
> to consumer (Can't contact LDAP server). Will retry later.
>
> That appears to be the last thing either process said before they both
> gave up, almost simultaneously.
>
> Can anyone help me understand what happened?
>
> It looks like the replication agreements survived; at least, in the
> replication configuration section of each directory's console, there is
> a message with a current time saying "Incremental update succeeded."
>
> Thanks!
>
> Justin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From Justin.Crawford at cusys.edu Wed Mar 7 04:06:55 2007
From: Justin.Crawford at cusys.edu (Justin Crawford)
Date: Tue, 6 Mar 2007 21:06:55 -0700
Subject: [Fedora-directory-users] slapd crash on replicate attempt
In-Reply-To: <45EE37BF.8070106@redhat.com>
Message-ID: <7315857F21D51B449CC55ADE3A5683182C0216@ex2k3.ad.cusys.edu>

> > One of the slapd processes just crashed again, and the logs on the
> > second server show only the same replication error. I take it to mean
> > the replication can't continue, because the slapd process on the other
> > server has crashed.
> >
> > Anyway, today is the first time in 5 months that either of these
> > servers has had any issue whatsoever.
> Something must have changed. Even something that may appear at first
> glance to be innocuous.

Agreed. The servers themselves were not patched immediately prior to the change; they did get some patches in the week before, but nothing that appears to have a direct connection.

We did implement a new authenticating client application during the previous week. But I keep thinking that no client should be able to cause a slapd server crash (at least not without some evidence of intense load); therefore, a change to client applications does not strike me as a likely culprit.

> Are you using VLV (browsing index in the console)?

Yes, on a few subtrees, but these tend to be created on the spot by administrators, and not managed strictly (should they be?). I suppose one of those could've been created on a subtree at any time, but I don't believe one was created in the days immediately prior to the crash. Why do you ask?

FYI, we rebooted the host machines last night and restarted slapd with debug 1. Neither slapd process crashed today.

Justin

From prowley at redhat.com Wed Mar 7 05:28:33 2007
From: prowley at redhat.com (Pete Rowley)
Date: Tue, 06 Mar 2007 21:28:33 -0800
Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem....
In-Reply-To: <20070307120949.A34F.Y-HIRA@nttpc.co.jp>
References: <20070305104236.CB2D.Y-HIRA@nttpc.co.jp> <45EC5342.6030706@redhat.com> <20070307120949.A34F.Y-HIRA@nttpc.co.jp>
Message-ID: <45EE4D81.6080500@redhat.com>

Yasuhiro Hiraishi wrote:
>
> I will show you the access log when success.
> --------------------------
> [01/Mar/2007:14:05:24 +0900] conn=93 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 BIND dn="" method=128 version=3
> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000)
> [01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U
> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 UNBIND
> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 fd=68 closed - U1
>
This isn't success, it returned error code 4, size limit exceeded. You didn't get back all your entries. Since you don't get any entries back for 5000, I'll take a guess and say you get back error code 3, time limit exceeded (it never finishes the sort).

--
Pete

From edlinuxguru at gmail.com Wed Mar 7 07:14:51 2007
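Pete's reading of the log above, a non-zero err on an operation that carried a SORT, can be checked mechanically over a whole access log. The script below is an added example, not code from the list or from the Directory Server project: it groups access-log lines by conn and op, and reports every server-side-sorted search whose RESULT is not err=0, decoding the LDAP result code (3 timeLimitExceeded, 4 sizeLimitExceeded, 53 unwillingToPerform) and the notes=U unindexed flag. The sample lines are the two excerpts quoted in this thread; nothing else is assumed.

```python
"""Report server-side-sorted searches that did not complete cleanly, from
Fedora/389 Directory Server access-log lines."""
import re
from collections import OrderedDict

# LDAP result codes that matter for this thread (RFC 4511 names).
LDAP_RESULT_NAMES = {0: "success", 3: "timeLimitExceeded", 4: "sizeLimitExceeded",
                     11: "adminLimitExceeded", 53: "unwillingToPerform"}

# "[ts] conn=N op=M <rest>"; connection open/close lines without op= are skipped.
_OP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
_SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
_SORT_RE = re.compile(r"^SORT (?P<key>\S+) \((?P<count>[^)]*)\)")
_RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=\d+ nentries=(?P<nentries>\d+) "
                        r"etime=\S+(?: notes=(?P<notes>\S+))?")


def parse_operations(lines):
    """Group log lines by (conn, op) into one record per operation."""
    ops = OrderedDict()
    for line in lines:
        m = _OP_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1]})
        rest = m["rest"]
        if (s := _SRCH_RE.match(rest)):
            rec.update(base=s["base"], scope=int(s["scope"]), filter=s["filter"])
        elif (s := _SORT_RE.match(rest)):
            rec.update(sort_key=s["key"], sort_count=s["count"])
        elif (s := _RESULT_RE.match(rest)):
            rec.update(err=int(s["err"]), nentries=int(s["nentries"]), notes=s["notes"] or "")
    return ops


def find_failed_sorts(lines):
    """Return the sorted searches whose RESULT carried a non-zero error, decoded."""
    failures = []
    for rec in parse_operations(lines).values():
        if "sort_key" not in rec or rec.get("err", 0) == 0:
            continue
        failures.append({
            "conn": rec["conn"], "op": rec["op"], "filter": rec.get("filter", ""),
            "sort_key": rec["sort_key"], "sort_count": rec["sort_count"],
            "err": rec["err"], "err_name": LDAP_RESULT_NAMES.get(rec["err"], "other"),
            "nentries": rec.get("nentries", 0),
            "unindexed": "U" in rec.get("notes", ""),   # notes=U: unindexed search
        })
    return failures


# The two excerpts posted in the thread (the 4000-entry and the 5000-entry run).
SAMPLE_LOG = """\
[01/Mar/2007:14:05:24 +0900] conn=93 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1
[01/Mar/2007:14:05:24 +0900] conn=93 op=0 BIND dn="" method=128 version=3
[01/Mar/2007:14:05:24 +0900] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000)
[01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U
[01/Mar/2007:14:05:26 +0900] conn=93 op=2 UNBIND
[01/Mar/2007:14:05:26 +0900] conn=93 op=2 fd=68 closed - U1
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*)
[01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
"""

if __name__ == "__main__":
    for f in find_failed_sorts(SAMPLE_LOG.splitlines()):
        print("conn=%(conn)d op=%(op)d sort=%(sort_key)s(%(sort_count)s) err=%(err)d "
              "%(err_name)s nentries=%(nentries)d unindexed=%(unindexed)s" % f)
```

Run it over the full access log of the instance to see whether the 5000-entry case really ends in err=3 as Pete guesses; both excerpts above show err=4 with nentries=1000, which is the sizelimit of 1000 mentioned in the thread.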
From: edlinuxguru at gmail.com (Eddie C)
Date: Wed, 7 Mar 2007 02:14:51 -0500
Subject: [Fedora-directory-users] sorry retarded question on fds and tcpip no luck in faq
In-Reply-To: <45EDED89.2060206@boreham.org>
References: <45EDED89.2060206@boreham.org>
Message-ID:

This is probably a tricky thing but it might be possible to run each in a chroot jail.

Edward

On 3/6/07, David Boreham wrote:
>
> You want to bind each of several slapd processes to a different
> local IP address, listening on the same port ?
> I'm almost certain you can do that. Probably not with the
> java console though. You'd need to find the config
> in the docs and enter it in dse.ldif by hand.
>
> Note that you really don't need to do this if you can
> ensure that clients authenticate (you can use access control
> rules to wall them off from each other).
>
> If you need anonymous access using a default suffix
> on port 389 then yes you do need to do what you're asking.
>
> SheridanJ West wrote:
>
> > Excuse me - i need a big clue
> >
> > I have a fc6 box with many ethernet cards in
> >
> > ip runs .....
> > [rfc 1918 range] - local garbage postgres...
> > [proper ip 1] www postfix cyrus-imap
> > [proper ip 2] "
> > [proper ip 3] "
> > [proper ip 4] "
> >
> > with fds - 1.04 (most recent) it appears i can only run one port
> > 389/636 using the java startconsole then its using some odd port
> > number for each new domain rather than ideally
> >
> > [proper ip 1] www postfix ldap:389 ldap:90009 ldap:90010 ldap:900011
> > [proper ip 2] " no ldap running
> > [proper ip 3] "
> > [proper ip 4] "
> >
> > The carter book on ldap appears to make no mention of a 'listen' like
> > command you find in apache, there's a hint in the fds wiki of an
> > inf file where things like server identifier can be specified but is
> > fds up to the job
> >
> > each ldap store will be light with data, rather than big
> >
> > So is what im trying to do possible with fds ?, I think no is the
> > answer with java.
> >
> > Any responses (even rude ones most welcome)
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From jepoy25 at lycos.com Wed Mar 7 10:34:30 2007
From: jepoy25 at lycos.com (Jeffrey Jamisola)
Date: Wed, 07 Mar 2007 05:34:30 -0500 (EST)
Subject: [Fedora-directory-users] Password Sync Error
Message-ID: <20070307053430.HM.000000000000043@jepoy25.bos-mail-wwl4.lycos.com>

An HTML attachment was scrubbed...

From jfgamsby at lbl.gov Wed Mar 7 17:53:40 2007
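David's answer to the one-instance-per-address question leaves the attribute name to the docs. As an added illustration, not from the list or from the project's documentation, the cn=config attributes I would expect to set by hand in each instance's dse.ldif are nsslapd-listenhost and nsslapd-securelistenhost (the address to bind) next to nsslapd-port and nsslapd-secureport. The addresses are documentation-range placeholders, the instance directory is an assumption, and the attribute names should be confirmed against the configuration reference for the FDS release in use; edit the file only with that instance stopped.

```ldif
# dse.ldif fragment for one slapd instance (assumed path:
# /opt/fedora-ds/slapd-<instance>/config/dse.ldif), so that several
# instances can each own port 389/636 on a different local address.
# 192.0.2.11 is a placeholder; the second instance gets its own address.
dn: cn=config
nsslapd-port: 389
nsslapd-listenhost: 192.0.2.11
nsslapd-secureport: 636
nsslapd-securelistenhost: 192.0.2.11
```

With the bind address pinned, an instance that is not meant to be reachable on an address simply has no listener there, which is a stronger guarantee than access-control rules alone when anonymous access has to stay open on 389.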
From: jfgamsby at lbl.gov (Jeff Gamsby)
Date: Wed, 07 Mar 2007 09:53:40 -0800
Subject: [Fedora-directory-users] Password Sync Error
In-Reply-To: <20070307053430.HM.000000000000043@jepoy25.bos-mail-wwl4.lycos.com>
References: <20070307053430.HM.000000000000043@jepoy25.bos-mail-wwl4.lycos.com>
Message-ID: <45EEFC24.5020206@lbl.gov>

From what I remember, you must install Certificate Services on the AD server in order to enable LDAP over SSL. It was part of the email that I sent to you yesterday.

You can confirm SSL communication by querying the address book on the AD server on port 636 (http://support.microsoft.com/kb/238007/EN-US/). You can also run 'netstat -an | more' and look for 0.0.0.0:636, this means that the AD server is listening on the secure LDAP port.

You then need to export the AD certificate and import it into the FDS server (below). After that, you can test communication by running an ldapsearch from the FDS server to the AD server. There is an example below, something like this:

cd /opt/fedora-ds/alias ; ldapsearch -Z -P . -h hostname.of.ad.server -p 636 -D "cn=Administrator,cn=Users,dc=server,dc=example,dc=com" -W -s base -b "cn=Users,dc=server,dc=example,dc=com" "cn=*"

It's been a while, but I think that I have this right. Someone please correct me if I'm wrong.

Good luck

---From last post---

3. Retrieve the Certificate Authority Certificate
   1. Open a Web browser on the AD machine
   2. Go to http://localhost/certsrv/
   3. Select the task Retrieve the CA certificate or certificate revocation list.
   4. Click Next.
   5. The next page automatically highlights the CA certificate. Click Download CA certificate.
   6. A new download window opens. Save the file to the hard drive. Save in DER mode

Copy file to FDS server, convert to PEM format

openssl x509 -inform DER -in ad-cert.der -outform PEM -out ad-cert.pem

Import AD CA cert into FDS

certutil -A -d . -P slapd-instance- -t "CT,CT,CT" -a -i ad-cert.pem

check certs (from /opt/fedora-ds/alias)

certutil -L -d . -P slapd-instance-

Check ldapsearch from FDS to AD (placeholders in angle brackets)

ldapsearch -Z -P <cert db path> -h <AD host> -p <port> -D "<sync manager DN>" -w <sync manager password> -s <scope> -b "<search base>" "<filter>"

Jeffrey Jamisola wrote:
> Hi Jeff,
>
> Thanks for the reply.
>
> Can I have the following instruction if it is available:
>
> 1. How to install Certificate Services, then Enterprise root CA
>
> 2. How to enable SSL on AD
>
> Since my AD is Windows Server 2003
>
>
> Thank you,
> Jeffrey
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Jeff Gamsby
Center for X-Ray Optics
Lawrence Berkeley National Laboratory
(510) 486-7783

From ulf.weltman at hp.com Wed Mar 7 19:02:50 2007
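Jeff's sequence above (download the CA certificate in DER, convert with openssl, import with certutil, then ldapsearch over 636) most often fails at the format step or at trust verification. The script below is an added example, not code from the list or from the project: to_pem() accepts whatever the certsrv page produced and returns the PEM form that certutil -a expects, using the same transformation as the openssl x509 -inform DER command quoted above, and ldaps_probe() opens a TLS connection to the AD host on 636 verifying the server chain against that CA file, which is the trust check the ldapsearch -Z test performs before any LDAP operation. The DER bytes used in the test are a constructed ASN.1 SEQUENCE, not a certificate; host names are placeholders.

```python
"""Normalise an exported AD CA certificate to PEM and probe the AD LDAPS port
against it.  Only the stdlib ssl module is used."""
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def cert_format(cert_bytes: bytes) -> str:
    """Classify a downloaded file as 'pem', 'der' or 'unknown'.

    The certsrv page offers the CA certificate in DER or base-64 form.  A DER
    certificate is an ASN.1 SEQUENCE, so its first byte is always 0x30; the
    base-64 form is PEM and starts with the BEGIN CERTIFICATE header.
    """
    if cert_bytes.lstrip().startswith(PEM_HEADER):
        return "pem"
    if cert_bytes[:1] == b"\x30":
        return "der"
    return "unknown"


def to_pem(cert_bytes: bytes) -> str:
    """Return the certificate as PEM text whichever form was downloaded.

    certutil -A -a reads PEM; handing it a DER file fails, which is why the
    thread inserts the openssl conversion.  This does the same conversion.
    """
    kind = cert_format(cert_bytes)
    if kind == "pem":
        return cert_bytes.decode("ascii")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(cert_bytes)   # base-64 with PEM armour
    raise ValueError("not a DER or PEM certificate (first bytes: %r)" % cert_bytes[:4])


def ldaps_probe(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a TLS session to the AD LDAPS port, verifying the server chain
    against the exported CA, and return what the server presented.

    A certificate error here means the CA was not imported (or is the wrong
    CA); a connection error means AD is not listening on 636, the same fact
    'netstat -an' shows on the AD side.  No LDAP request is sent, so no bind
    DN or password is needed for this step.  Needs a reachable AD host.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # trust only the AD CA
    ctx.check_hostname = True                         # name must match the cert
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            peer = tls.getpeercert()
            return {
                "subject": dict(rdn[0] for rdn in peer.get("subject", ())),
                "issuer": dict(rdn[0] for rdn in peer.get("issuer", ())),
                "not_after": peer.get("notAfter"),
                "protocol": tls.version(),
            }


if __name__ == "__main__":
    import sys
    # usage: script.py ad-cert.der hostname.of.ad.server  (placeholders)
    with open(sys.argv[1], "rb") as fh:
        pem = to_pem(fh.read())
    with open("ad-cert.pem", "w") as out:
        out.write(pem)
    print(ldaps_probe(sys.argv[2], "ad-cert.pem"))
```

One caveat for a Windows Server 2003 CA of the kind the thread is about: such a server may only negotiate TLS 1.0, which the default context in current Python versions refuses, so a protocol error from the probe (as opposed to a certificate verification error) points at the TLS version, not at the trust chain.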
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Wed, 07 Mar 2007 11:02:50 -0800
Subject: [Fedora-directory-users] Multi-Master Replication Problems
In-Reply-To:
References:
Message-ID: <45EF0C5A.4020106@hp.com>

I'd love to know how your RUV could be missing. I wonder if whatever problem left you with mismatched generation ID still persists, it seemed odd that happened after a network outage. If the RUV entry was missing that would explain it, that's where the generation ID of the local data is stored.

Did you get replication running again? Do your masters have updates that need to be merged? If they're in sync or are only diverged by testing-related updates, I would try...

back up my two masters, for potential restore or future investigation (db2bak)
export one master to LDIF without -r (db2ldif)
import that LDIF into the same master (ldif2db)
perform the search for the RUV entry to make sure it's created this time after the import completes (ldapsearch for the magic nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff entry)
initialize the other master, either via online initialization or LDIF with -r (db2ldif -r)

And if you can determine how you ended up in the state where the RUV is missing, post at bugzilla.redhat.com

Wendt, Trevor wrote:
> "Can you show us the RUV from the server that produces the csnplCommit
> error?"
> All I get is "ldap_search: No such object"
>
> Replica Configuration -- in its current state.
> version: 1
> dn: cn=replica,cn="dc=,dc=com",cn=mapping tree,cn=config
> objectClass: nsDS5Replica
> objectClass: top
> nsDS5ReplicaRoot: dc=,dc=com
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsDS5ReplicaId: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: uid=,cn=config
> cn: replica
> nsState:: AQAAAAQh7kUAAAAAAAAAAAEAAAA=
> nsDS5ReplicaName: 1848ed03-1dd211b2-808393a4-a3ae0000
> nsds5ReplicaChangeCount: 41
> nsds5replicareapactive: 0
>
>
> -----Original Message-----
>
>> "The generation ID errors sound like real errors, but those should be
>> resolvable with the correct replica re-initialization done."
>>
>> I've tried re-initializing the consumer multiple times with no
>> success.
>>
>> The NSMMReplicationPlugin - replica_check_for_data_reload and the
>> "csn" errors are on my supplier server. When my srv2 went offline my srv1
>> became the "Master" so I can't go from srv2 to srv1 without losing
>> entries. This is the dilemma...
>>
>> Thanks for your suggestions. Please, keep them coming.
>>
> Can you show us the RUV from the server that produces the csnplCommit
> error?
> ldapsearch -x -D "cn=directory manager" -W -s base -b
> "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=,dc=com"
> "(&(objectclass=*)(objectclass=nstombstone))"
>
> And your replica configuration?
> ldapsearch -x -D "cn=directory manager" -W -b "cn=config"
> "(objectclass=nsds5replica)"
>
> #######
> REF:
> https://www.redhat.com/archives/fedora-directory-users/2007-March/msg00020.html
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From klafaso at beehivesecurity.com Wed Mar 7 19:13:22 2007
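Ulf's fourth step, searching for the nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff tombstone after the import, can also be applied to the LDIF export itself before the other master is re-initialised. The script below is an added example, not code from the list or from the project: it reads an LDIF file, locates the RUV tombstone, pulls the {replicageneration} value and the per-replica CSN ranges out of nsds50ruv, and compares two servers' generation IDs, which is the mismatch behind the "generation ID" errors discussed in the thread. The LDIF entries, host names and CSN values are constructed; the attribute layout follows the RUV entry format, so confirm it against a real export.

```python
"""Find the replication RUV entry in an LDIF export and extract its
generation ID and per-replica CSN ranges."""
import base64
import re

RUV_RDN = "nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff"
_GEN_RE = re.compile(r"^\{replicageneration\}\s+(\S+)$")
_REPLICA_RE = re.compile(r"^\{replica (\d+)(?: (\S+))?\}(?:\s+(\S+))?(?:\s+(\S+))?$")


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr: [values]})].  Handles folded
    continuation lines (leading space), comment lines and '::' base64 values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]               # unfold a wrapped value
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:                  # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif line.startswith("#"):
            continue
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            if value.startswith(":"):            # base64-encoded value (e.g. nsState::)
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
    return entries


def find_ruv(entries):
    """Return the RUV tombstone (dn, attrs), or None when the export has no RUV."""
    for dn, attrs in entries:
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if dn.lower().startswith(RUV_RDN) and "nstombstone" in classes:
            return dn, attrs
    return None


def ruv_summary(text):
    """Describe the RUV of an LDIF export: presence, generation ID, replica CSNs."""
    found = find_ruv(parse_ldif(text))
    if found is None:
        return {"present": False, "generation": None, "replicas": {}}
    dn, attrs = found
    generation, replicas = None, {}
    for value in attrs.get("nsds50ruv", []):
        if (m := _GEN_RE.match(value)):
            generation = m.group(1)
        elif (m := _REPLICA_RE.match(value)):
            rid, url, min_csn, max_csn = m.groups()
            replicas[int(rid)] = {"url": url, "min_csn": min_csn, "max_csn": max_csn}
    return {"present": True, "dn": dn, "generation": generation, "replicas": replicas}


def generation_mismatch(summary_a, summary_b):
    """True when the two sides cannot replicate: a missing RUV on either side,
    or two RUVs that carry different generation IDs."""
    if not (summary_a["present"] and summary_b["present"]):
        return True
    return summary_a["generation"] != summary_b["generation"]


# Constructed exports: srv1 with a healthy RUV (one value folded across two
# lines, as db2ldif writes long values), and an export that lost its RUV.
SAMPLE_LDIF_SRV1 = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 45ee4d81000000010000
nsds50ruv: {replica 1 ldap://srv1.example.com:389} 45ee4d8
 1000000010000 45ef0c5a000100010000
nsds50ruv: {replica 2 ldap://srv2.example.com:389} 45ee4e00000000020000 45ef0b00000000020000
nsruvReplicaLastModified: {replica 1 ldap://srv1.example.com:389} 45ef0c5a
"""
SAMPLE_LDIF_NO_RUV = SAMPLE_LDIF_SRV1.split("\n\n")[0] + "\n"
```

Run ruv_summary() over the db2ldif output of each master: a missing RUV is the "No such object" Trevor sees from ldapsearch, and two present RUVs with different generation values are the case a plain re-initialisation of the consumer does not fix unless the supplier's data (with -r) overwrites the consumer's.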
From: klafaso at beehivesecurity.com (Keith M. Lafaso)
Date: Wed, 07 Mar 2007 14:13:22 -0500
Subject: [Fedora-directory-users] Newuser.pl Script from Netauth and Automatic UID generation question
Message-ID:

I cannot seem to find the newuser.pl script from http://www.netauth.com. Does anyone know where to get the script now?

Also, has anyone tried the Fedora DS gets posix/unix automatic uid generation posted on February 8th. If so, how do you get it and set it up?

Thanks,
Keith

From rmeggins at redhat.com Wed Mar 7 21:03:04 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 07 Mar 2007 14:03:04 -0700
Subject: [Fedora-directory-users] slapd crash on replicate attempt
In-Reply-To: <7315857F21D51B449CC55ADE3A5683182C0216@ex2k3.ad.cusys.edu>
References: <7315857F21D51B449CC55ADE3A5683182C0216@ex2k3.ad.cusys.edu>
Message-ID: <45EF2888.5060807@redhat.com>

Justin Crawford wrote:
>>> One of the slapd processes just crashed again, and the logs on the
>>> second server show only the same replication error. I take it to mean
>>> the replication can't continue, because the slapd process on the other
>>> server has crashed.
>>>
>>> Anyway, today is the first time in 5 months that either of these
>>> servers has had any issue whatsoever.
>>>
>> Something must have changed. Even something that may appear at first
>> glance to be innocuous.
>>
>
> Agreed. The servers themselves were not patched immediately prior to
> the change; they did get some patches in the week before, but nothing
> that appears to have a direct connection.
>
> We did implement a new authenticating client application during the
> previous week. But I keep thinking that no client should be able to
> cause a slapd server crash (at least not without some evidence of
> intense load); therefore, a change to client applications does not
> strike me as a likely culprit.
>
>> Are you using VLV (browsing index in the console)?
>>
>
> Yes, on a few subtrees, but these tend to be created on the spot by
> administrators, and not managed strictly (should they be?). I suppose
> one of those could've been created on a subtree at any time, but I don't
> believe one was created in the days immediately prior to the crash. Why
> do you ask?
>
We've seen problems with VLV before.

> FYI, we rebooted the host machines last night and restarted slapd with
> debug 1. Neither slapd process crashed today.
>
Please let us know if you can reproduce the crash.

Running with debug 1 should help immensely, if you can afford the slowdown - running in debug mode can really slow down production machines.
http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting

However, we do have a tool available that would allow you to run with full debugging in a production environment. It buffers the log output into a circular buffer of the last N lines, and you tell it how many N is (e.g. 10,000). However, the server may perform well enough even with debug 1, in which case you probably don't need it.

> Justin
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From mjdshop at earthlink.net Thu Mar 8 00:03:32 2007
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Wed, 7 Mar 2007 19:03:32 -0500 (GMT-05:00)
Subject: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?
Message-ID: <30308207.1173312212019.JavaMail.root@elwamui-sweet.atl.sa.earthlink.net>

An HTML attachment was scrubbed...

From gholbert at broadcom.com Thu Mar 8 01:42:43 2007
From: gholbert at broadcom.com (George Holbert)
Date: Wed, 07 Mar 2007 17:42:43 -0800
Subject: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?
In-Reply-To: <30308207.1173312212019.JavaMail.root@elwamui-sweet.atl.sa.earthlink.net>
References: <30308207.1173312212019.JavaMail.root@elwamui-sweet.atl.sa.earthlink.net>
Message-ID: <45EF6A13.3050102@broadcom.com>

> If a machine is disconnected from the network, a login attempt as
> 'root' user (with local passwd file entry and password) fails.
> ...
> I think I need to configure something such that the nsswitch.conf
> entry tells it to stop if it finds the 'files' entry and not proceed
> to the 'ldap' entry. I thought this would happen by default.

At least for authentication, this behavior depends also on your PAM config.

You need to make sure that the auth and account stacks will succeed for local accounts (e.g., root) without asking pam_ldap.
What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 clients?


MJD Shop Account wrote:
> I'm having some odd ldap issues with connection or lack thereof to
> ldap server when nsswitch.conf and pam.d/system-auth are configured to
> use FDS ldap server.
>
> I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update
> 4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host
> names. I've noticed these issues:
>
> * If a machine is disconnected from the network, a login attempt
> as 'root' user (with local passwd file entry and password)
> fails. The system appears to accept the password, but sits for
> maybe a minute, then dumps you back to the login prompt. I've
> had to boot off rescue CD and shell in to remove 'ldap' from
> the /etc/nsswitch.conf file to get around this in some instances.
>
> My relevant /etc/ldap.conf entries are:
> passwd: files ldap
> shadow: files
> group: files ldap
> netgroup: files ldap
>
> * I noticed that any randomly chosen client has a few
> connections to the ldap server that persist. The connections
> are tied to processes that also should have local entries only
> in the local /etc/passwd files. Here's an example:
> # netstat -a | grep ldap
> tcp 38 0 clienthostname:32771 serverhostname:ldap CLOSE_WAIT
> # fuser 32771/tcp
> here: 32771
> 32771/tcp: 3729
> # ps -ef | grep 3729 | grep -v grep
> ntp 3729 1 0 Feb23 ? 00:00:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
> #
>
> * I notice that doing a "netstat -a" on the server that most
> clients are using takes a long time. It spits out a bunch,
> then slows down when reporting the entries that are ESTABLISHED
> ldap connections:
> tcp 0 0 ldapserver:ldap ldapclient:35908 ESTABLISHED
> I see that some clients have very many connections, I would
> expect just one or two. Here's one client that had a whole
> bunch, most disappeared before I could capture this bash shell
> command output. This output is for jobs associated with ports
> connecting to ldap server:
> # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef | grep $j | grep -v grep; done; done
> xfs 2726 1 0 Feb20 ? 00:00:00 xfs -droppriv -daemon
> root 3138 3031 0 Feb20 ? 00:00:00 /usr/bin/gdm-binary bell-style none
> root 3418 3138 0 18:32 ? 00:00:02 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth vt7
> gdm 3430 3138 0 18:32 ? 00:00:00 /usr/bin/gdmgreeter
> root 2477 2617 0 18:22 ? 00:00:01 sshd: root at pts/0
> root 2481 2477 0 18:22 pts/0 00:00:00 -tcsh
>
> I ran a similar command on a client computer where the user is
> running a lot of jobs, I got 53 lines of output. Basically
> every job is maintaining an ldap connection, I guess.
>
> * I think I need to configure something such that the
> nsswitch.conf entry tells it to stop if it finds the 'files'
> entry and not proceed to the 'ldap' entry. I thought this would
> happen by default.
>
> * I think the above problem is possibly leading to many more ldap
> connections than are necessary which in turn may be causing
> performance issues on the server, ALTHOUGH the cpu load and
> memory load does not appear inordinately heavy
>
> * I tried running nscd (for caching the info) once, it seemed to
> cause too many problems so I turned it off. I have tried
> something like implementing pam_ccache, I don't think it would
> help the too-many-connections, just the issue with no logins
> when off the net.
>
> * Here's my /etc/ldap.conf minus the usual comment lines, I'm
> doing anonymous binds. Maybe there's some keepalive flag that
> should be set or unset?:
> host server1 server2
> base dc=example,dc=com
> ldap_version 3
> scope sub
> bind_timelimit 10
> pam_lookup_policy yes
> pam_password exop
> nss_base_passwd ou=People,dc=example,dc=com?one
> nss_base_group ou=Group,dc=example,dc=com?one
> nss_base_services ou=Services,dc=example,dc=com?one
> nss_base_aliases ou=Aliases,dc=example,dc=com?one
> nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
> ssl start_tls
> tls_checkpeer yes
> tls_cacertfile /usr/share/ssl/certs/servercert.pem
> tls_ciphers TLSv1
> pam_password md5
>
> Any suggestions on what I might be doing wrong are greatly appreciated!
>
> -Marty
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From mjdshop at earthlink.net Thu Mar 8 04:13:42 2007
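Marty's loop above walks from netstat to fuser to ps on one client; on the server the quicker check is how many connections each client holds and in which state, since that is what consumes the server's file descriptors. The script below is an added example, not code from the list or from the project: it parses numeric netstat -an output taken on the directory server, counts rows on the LDAP ports per client address and TCP state, and lists the clients above a threshold. The netstat rows are constructed; the ports, addresses and threshold are assumptions.

```python
"""Count directory connections per client from the server's 'netstat -an'
output and flag clients holding an unusual number of them."""
import re
from collections import Counter, defaultdict

LDAP_PORTS = {389, 636}          # assumption: the instance listens on the defaults
# Linux 'netstat -an' TCP rows: proto recv-q send-q local foreign state.
# LISTEN rows have '*' as the foreign port and are deliberately not matched.
_TCP_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def ldap_connections(netstat_output):
    """Yield (client_address, state) for each TCP row whose local port is an LDAP port."""
    for line in netstat_output.splitlines():
        m = _TCP_RE.match(line.strip())
        if not m:
            continue                     # headers, LISTEN, udp and unix-socket rows
        _local, lport, client, _cport, state = m.groups()
        if int(lport) in LDAP_PORTS:
            yield client, state


def connection_report(netstat_output, threshold=5):
    """Per-client counts by TCP state, plus the clients above the threshold.

    Many ESTABLISHED rows from one client usually mean every process there
    keeps its own nss_ldap/pam_ldap connection open; CLOSE_WAIT rows are
    connections the server closed (idle timeout) that the client process has
    not.  Both hold a file descriptor on the server until they go away.
    """
    by_client = defaultdict(Counter)
    for client, state in ldap_connections(netstat_output):
        by_client[client][state] += 1
    over = sorted(c for c, n in by_client.items() if n["ESTABLISHED"] > threshold)
    return {"clients": {c: dict(n) for c, n in by_client.items()}, "over_threshold": over}


# Constructed sample: one chatty client (.50), one normal client (.51), and
# unrelated rows (the listener, an ssh session, a udp socket).
SAMPLE_NETSTAT = "\n".join(
    ["Active Internet connections (servers and established)",
     "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
     "tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN",
     "tcp        0      0 192.0.2.10:22           192.0.2.77:51022        ESTABLISHED"]
    + ["tcp        0      0 192.0.2.10:389          192.0.2.50:%d        ESTABLISHED" % p
       for p in range(33000, 33007)]
    + ["tcp        0      0 192.0.2.10:389          192.0.2.51:40001        ESTABLISHED",
       "tcp       38      0 192.0.2.10:389          192.0.2.51:40002        CLOSE_WAIT",
       "udp        0      0 0.0.0.0:123             0.0.0.0:*"])

if __name__ == "__main__":
    report = connection_report(SAMPLE_NETSTAT)
    for client, counts in sorted(report["clients"].items()):
        print(client, counts)
    print("over threshold:", report["over_threshold"])
```

Feed it `netstat -an` rather than `netstat -a`: with name resolution on, the port column reads "ldap" and the hostname lookups are part of why the listing is slow on a busy server.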
From: mjdshop at earthlink.net (MJD Shop Account)
Date: Wed, 7 Mar 2007 23:13:42 -0500 (GMT-05:00)
Subject: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts?
Message-ID: <32441679.1173327222533.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net>

My RH3 system-auth is as follows:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
#account required /lib/security/$ISA/pam_deny.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
session optional /lib/security/$ISA/pam_krb5.so

My RH4 version is the same, with this difference:

--- system-auth.RH3 2006-10-25 22:49:19.000000000 -0400
+++ system-auth.RH4 2006-10-25 22:42:05.000000000 -0400
@@ -8,6 +8,7 @@ auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow +account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so #account required /lib/security/$ISA/pam_deny.so -----Original Message----- 
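Review bot: the added `+account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet` line exempts only accounts with a uid below 100 from the pam_ldap and pam_krb5 lines that follow it, so a locally defined user with a higher uid still reaches pam_ldap and, with the directory unreachable, waits out bind_timelimit and fails the same way root does on the RHEL3 file; the threshold deserves a comment (it covers system accounts, not "local accounts"), and if other local users must log in off the network, a higher bound or a second pam_succeed_if line with `user ingroup <localgroup>` is the place to add it. Placement after the `required` pam_unix line is right: a `sufficient` success ends the stack only when no earlier `required` module has failed, so a failure from pam_unix (an expired local account, for instance) is not masked.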
>From: George Holbert >Sent: Mar 7, 2007 8:42 PM >To: MJD Shop Account , "General discussion list for the Fedora Directory server project." >Subject: Re: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts? > >> If a machine is disconnected from the network, a login attempt as >> 'root' user (with local passwd file entry and password) fails. >> ... >> I think I need to configure something such that the nsswitch.conf >> entry tells it to stop if it finds the 'files' entry and not proceed >> to the 'ldap' entry. I thought this would happen by default. > >At least for authentication, this behavior depends also on your PAM config. > >You need to make sure that the auth and account stacks will succeed for >local accounts (e.g., root) without asking pam_ldap. >What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 clients? > > >MJD Shop Account wrote: >> I'm having some odd ldap issues with connection or lack thereof to >> ldap server when nsswitch.conf and pam.d/system-auth are configured to >> used FDS ldap server. >> >> I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update >> 4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host >> names. I've noticed these issues: >> >> * If a machine is disconnected from the network, a login attempt >> as 'root' user (with local passwd file entry and password) >> fails. The system appears to accept the password, but sits for >> maybe a minute, then dumps you back to the login prompt. I've >> had to boot off rescue CD and shell in to remove 'ldap' from >> the /etc/nsswitch.conf file to get around this in some instances. >> >> My relevant /etc/ldap.conf entries are: >> passwd: files ldap >> shadow: files >> group: files ldap >> netgroup: files ldap >> >> * I noticed that a anhy randomly chosen client has a few >> connections to the ldap server that persist. 
The connections >> are tied to processes that also should have local entries only >> in the local /etc/passwd files. Here's an example: >> # netstat -a | grep ldap >> tcp 38 0 clienthostname:32771 serverhostname:ldap >> CLOSE_WAIT >> # fuser 32771/tcp >> here: 32771 >> 32771/tcp: 3729 >> # ps -ef | grep 3729 | grep -v grep >> ntp 3729 1 0 Feb23 ? 00:00:00 ntpd -u ntp:ntp >> -p /var/run/ntpd.pid -g >> # >> >> * I notice that doing a "netstat -a" on the server that most >> clients are using takes a long time. It spits out a bunch, >> then slows down when reporting the entries that are ESTABLISHED >> ldap connections: >> tcp 0 0 ldapserver:ldap ldapclient:35908 ESTABLISHED >> I see that some clients have very many connections, I would >> expect just one or two. Here's one client that had a whole >> bunch, most disappeared before I could capture this bash shell >> command output. This output is for jobs associated with ports >> connecting to ldap server: >> # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " >> -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef | >> grep $j | grep -v grep; done; done >> xfs 2726 1 0 Feb20 ? 00:00:00 xfs -droppriv >> -daemon >> root 3138 3031 0 Feb20 ? 00:00:00 >> /usr/bin/gdm-binary bell-style none >> root 3418 3138 0 18:32 ? 00:00:02 /usr/X11R6/bin/X >> :0 -auth /var/gdm/:0.Xauth vt7 >> gdm 3430 3138 0 18:32 ? 00:00:00 /usr/bin/gdmgreeter >> root 2477 2617 0 18:22 ? 00:00:01 sshd: root at pts/0 >> root 2481 2477 0 18:22 pts/0 00:00:00 -tcsh >> >> I ran a similar command on a client computer where the user is >> running a lot of jobs, I got 53 lines of output. Basically >> every job is maintaining an ldap connection, I guess. >> >> * I think I need to configure something such that the >> nsswitch.conf entry tells it to stop if it finds the 'files' >> entry and not proceed to the 'ldap' entry. I thought this would >> happen by default. 
>> >> * I think the above problem is possibly leading to many more ldap >> connections than are necessary which in turn may be causing >> performance issues on the server, ALTHOUGH the cpu load and >> memory load does not appear inordinately heavy >> >> * I tried running nscd (for caching the info) once, it seemed to >> cause too many problems so I turned it off. I have tried >> something like implementing pam_ccache, I don't think it would >> help the too-many-connections, just the issue with no logins >> when off the net. >> >> * Here's my /etc/ldap.conf minus the usual comment lines, I'm >> doing anonymous binds. Maybe there's some keepalive flag that >> should be set or unset?: >> host server1 server2 >> base dc=example,dc=com >> ldap_version 3 >> scope sub >> bind_timelimit 10 >> pam_lookup_policy yes >> pam_password exop >> nss_base_passwd ou=People,dc=example,dc=com?one >> nss_base_group ou=Group,dc=example,dc=com?one >> nss_base_services ou=Services,dc=example,dc=com?one >> nss_base_aliases ou=Aliases,dc=example,dc=com?one >> nss_base_netgroup ou=Netgroup,dc=example,dc=com?one >> ssl start_tls >> tls_checkpeer yes >> tls_cacertfile /usr/share/ssl/certs/servercert.pem >> tls_ciphers TLSv1 >> pam_password md5 >> >> Any suggestions on what I might be doing wrong are greatly appreciated! >> >> -Marty >> >> ------------------------------------------------------------------------ >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > From gholbert at broadcom.com Thu Mar 8 06:33:57 2007 
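Added example, not from the thread and not part of nss_ldap or Fedora DS: a Python version of the netstat | fuser | ps loop quoted above that reads /proc/net/tcp and /proc/<pid>/fd directly, so the socket-to-process mapping does not depend on fuser's column layout (the `cut -b 23-26` in the original breaks as soon as a port number or PID has a different width). The /proc/net/tcp sample and the fd table are constructed to mirror the post: one CLOSE_WAIT socket on local port 32771 held by ntpd (PID 3729) and two live connections from a login shell; the 192.168.1.x addresses and PIDs are made up. read_fd_table() is the live variant and needs root to see other users' descriptor tables.

```python
import os
import re
import sys
from collections import defaultdict

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

def decode_addr(hex_addr):
    """'0501A8C0:0185' -> '192.168.1.5:389'.  The kernel prints the IPv4 address
    as one host-order 32-bit word, so on x86 the octets come out reversed."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return "%d.%d.%d.%d:%d" % (*octets, int(port_hex, 16))

def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp as dicts; the first line is the column header."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        socks.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return socks

def read_fd_table():
    """Live input: {pid: {fd: socket inode}} from /proc/<pid>/fd (root sees all)."""
    table = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = {}
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    fds[int(fd)] = int(m.group(1))
            table[int(pid)] = fds
        except OSError:
            continue                    # process exited or fd dir not readable
    return table

def ldap_connections(tcp_text, fd_table, port=389):
    """{pid: [socket, ...]} for every TCP socket whose peer port is `port`.
    Sockets no process owns any more (inode absent from fd_table) land under pid -1."""
    inode_to_pid = {ino: pid for pid, fds in fd_table.items() for ino in fds.values()}
    by_pid = defaultdict(list)
    for s in parse_proc_net_tcp(tcp_text):
        if s["remote"].endswith(":%d" % port):
            by_pid[inode_to_pid.get(s["inode"], -1)].append(s)
    return dict(by_pid)

# Constructed sample shaped like the post: the client 192.168.1.10 has one
# CLOSE_WAIT socket on local port 32771 (0x8003) and two ESTABLISHED sockets to
# the directory server 192.168.1.5:389 (0x0185); the sshd listener is noise.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:8003 0501A8C0:0185 08 00000000:00000026 00:00000000 00000000    38        0 40001 1 0000000000000000 20 4 0 10 -1
   1: 0A01A8C0:8004 0501A8C0:0185 01 00000000:00000000 00:00000000 00000000     0        0 40002 1 0000000000000000 20 4 0 10 -1
   2: 0A01A8C0:8005 0501A8C0:0185 01 00000000:00000000 00:00000000 00000000     0        0 40003 1 0000000000000000 20 4 0 10 -1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
"""
# Constructed fd table: pid 3729 (the ntpd of the post) holds the CLOSE_WAIT
# socket, pid 2481 (a login shell) the two live ones, pid 1 an unrelated socket.
SAMPLE_FDS = {3729: {3: 40001}, 2481: {5: 40002, 6: 40003}, 1: {0: 10001}}

if __name__ == "__main__":
    live = "--live" in sys.argv          # otherwise run on the constructed sample
    tcp = open("/proc/net/tcp").read() if live else SAMPLE_TCP
    fds = read_fd_table() if live else SAMPLE_FDS
    for pid, socks in sorted(ldap_connections(tcp, fds).items()):
        print(pid, [(s["local"], s["state"]) for s in socks])
```

Run without arguments it reports the sample; with `--live` it walks the real /proc and groups the client's directory connections by PID, which is what the netstat loop in the post was after. A CLOSE_WAIT entry attributed to a daemon such as ntpd means the server closed its side and the process still holds the descriptor open, the pattern nss_ldap produces when a long-lived process keeps its per-process connection after the server's idle timeout.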
From: gholbert at broadcom.com (George Holbert) Date: Wed, 7 Mar 2007 22:33:57 -0800 Subject: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts? References: <32441679.1173327222533.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net> Message-ID: <001001c7614b$bff16be0$53fdf00a@chunky> For RHEL3, change: account required /lib/security/$ISA/pam_unix.so broken_shadow to: account sufficient /lib/security/$ISA/pam_unix.so broken_shadow Keep in mind that this will make the account stack succeed in most cases before it hits pam_ldap, which means pam_ldap won't be used for enforcing account policy. See below for an alternate method, if this matters for you. For RHEL4, disconnected root login _should_ already be working, because of the extra line: account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet As you can probably tell, this line makes the stack succeed if the user's uid is less than 100, which is of course true for root. The alternate RHEL3 fix would be to manually compile and deploy pam_succeed_if.so on your RHEL3 clients, and use the same system-auth you currently have on your RHEL4 clients. ----- Original Message -----
From: "MJD Shop Account" To: "George Holbert" ; "General discussion list for the Fedora Directory server project." Sent: Wednesday, March 07, 2007 8:13 PM Subject: Re: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts? > My RH3 system-auth is as follows: > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass > auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass > auth required /lib/security/$ISA/pam_deny.so > > account required /lib/security/$ISA/pam_unix.so broken_shadow > account [default=bad success=ok user_unknown=ignore] > /lib/security/$ISA/pam_ldap.so > account [default=bad success=ok user_unknown=ignore] > /lib/security/$ISA/pam_krb5.so > #account required /lib/security/$ISA/pam_deny.so > > password requisite /lib/security/$ISA/pam_cracklib.so retry=3 > password sufficient /lib/security/$ISA/pam_unix.so nullok > use_authtok md5 shadow > password sufficient /lib/security/$ISA/pam_ldap.so use_authtok > password sufficient /lib/security/$ISA/pam_krb5.so use_authtok > password required /lib/security/$ISA/pam_deny.so > > session required /lib/security/$ISA/pam_limits.so > session required /lib/security/$ISA/pam_unix.so > session optional /lib/security/$ISA/pam_ldap.so > session optional /lib/security/$ISA/pam_krb5.so > > > My RH4 version is the same, with this difference: > --- system-auth.RH3 2006-10-25 22:49:19.000000000 -0400 > +++ system-auth.RH4 2006-10-25 22:42:05.000000000 -0400 
> @@ -8,6 +8,7 @@ > auth required /lib/security/$ISA/pam_deny.so > > account required /lib/security/$ISA/pam_unix.so broken_shadow > +account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 > quiet > account [default=bad success=ok user_unknown=ignore] > /lib/security/$ISA/pam_ldap.so > account [default=bad success=ok user_unknown=ignore] > /lib/security/$ISA/pam_krb5.so > #account required /lib/security/$ISA/pam_deny.so > > > -----Original Message----- 
>>From: George Holbert >>Sent: Mar 7, 2007 8:42 PM >>To: MJD Shop Account , "General discussion list for >>the Fedora Directory server project." >>Subject: Re: [Fedora-directory-users] ldap too many connections from >>clients? following ldap even for local accounts? >> >>> If a machine is disconnected from the network, a login attempt as >>> 'root' user (with local passwd file entry and password) fails. >>> ... >>> I think I need to configure something such that the nsswitch.conf >>> entry tells it to stop if it finds the 'files' entry and not proceed >>> to the 'ldap' entry. I thought this would happen by default. >> >>At least for authentication, this behavior depends also on your PAM >>config. >> >>You need to make sure that the auth and account stacks will succeed for >>local accounts (e.g., root) without asking pam_ldap. >>What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 >>clients? >> >> >>MJD Shop Account wrote: >>> I'm having some odd ldap issues with connection or lack thereof to >>> ldap server when nsswitch.conf and pam.d/system-auth are configured to >>> use FDS ldap server. >>> >>> I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update >>> 4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host >>> names. I've noticed these issues: >>> >>> * If a machine is disconnected from the network, a login attempt >>> as 'root' user (with local passwd file entry and password) >>> fails. The system appears to accept the password, but sits for >>> maybe a minute, then dumps you back to the login prompt. I've >>> had to boot off rescue CD and shell in to remove 'ldap' from >>> the /etc/nsswitch.conf file to get around this in some instances. >>> >>> My relevant /etc/ldap.conf entries are: >>> passwd: files ldap >>> shadow: files >>> group: files ldap >>> netgroup: files ldap >>> >>> * I noticed that any randomly chosen client has a few >>> connections to the ldap server that persist.
The connections >>> are tied to processes that also should have local entries only >>> in the local /etc/passwd files. Here's an example: >>> # netstat -a | grep ldap >>> tcp 38 0 clienthostname:32771 serverhostname:ldap >>> CLOSE_WAIT >>> # fuser 32771/tcp >>> here: 32771 >>> 32771/tcp: 3729 >>> # ps -ef | grep 3729 | grep -v grep >>> ntp 3729 1 0 Feb23 ? 00:00:00 ntpd -u ntp:ntp >>> -p /var/run/ntpd.pid -g >>> # >>> >>> * I notice that doing a "netstat -a" on the server that most >>> clients are using takes a long time. It spits out a bunch, >>> then slows down when reporting the entries that are ESTABLISHED >>> ldap connections: >>> tcp 0 0 ldapserver:ldap ldapclient:35908 ESTABLISHED >>> I see that some clients have very many connections, I would >>> expect just one or two. Here's one client that had a whole >>> bunch, most disappeared before I could capture this bash shell >>> command output. This output is for jobs associated with ports >>> connecting to ldap server: >>> # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " >>> -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef | >>> grep $j | grep -v grep; done; done >>> xfs 2726 1 0 Feb20 ? 00:00:00 xfs -droppriv >>> -daemon >>> root 3138 3031 0 Feb20 ? 00:00:00 >>> /usr/bin/gdm-binary bell-style none >>> root 3418 3138 0 18:32 ? 00:00:02 /usr/X11R6/bin/X >>> :0 -auth /var/gdm/:0.Xauth vt7 >>> gdm 3430 3138 0 18:32 ? 00:00:00 >>> /usr/bin/gdmgreeter >>> root 2477 2617 0 18:22 ? 00:00:01 sshd: root at pts/0 >>> root 2481 2477 0 18:22 pts/0 00:00:00 -tcsh >>> >>> I ran a similar command on a client computer where the user is >>> running a lot of jobs, I got 53 lines of output. Basically >>> every job is maintaining an ldap connection, I guess. >>> >>> * I think I need to configure something such that the >>> nsswitch.conf entry tells it to stop if it finds the 'files' >>> entry and not proceed to the 'ldap' entry. I thought this would >>> happen by default. 
>>> >>> * I think the above problem is possibly leading to many more ldap >>> connections than are necessary which in turn may be causing >>> performance issues on the server, ALTHOUGH the cpu load and >>> memory load does not appear inordinately heavy >>> >>> * I tried running nscd (for caching the info) once, it seemed to >>> cause too many problems so I turned it off. I have tried >>> something like implementing pam_ccache, I don't think it would >>> help the too-many-connections, just the issue with no logins >>> when off the net. >>> >>> * Here's my /etc/ldap.conf minus the usual comment lines, I'm >>> doing anonymous binds. Maybe there's some keepalive flag that >>> should be set or unset?: >>> host server1 server2 >>> base dc=example,dc=com >>> ldap_version 3 >>> scope sub >>> bind_timelimit 10 >>> pam_lookup_policy yes >>> pam_password exop >>> nss_base_passwd ou=People,dc=example,dc=com?one >>> nss_base_group ou=Group,dc=example,dc=com?one >>> nss_base_services ou=Services,dc=example,dc=com?one >>> nss_base_aliases ou=Aliases,dc=example,dc=com?one >>> nss_base_netgroup ou=Netgroup,dc=example,dc=com?one >>> ssl start_tls >>> tls_checkpeer yes >>> tls_cacertfile /usr/share/ssl/certs/servercert.pem >>> tls_ciphers TLSv1 >>> pam_password md5 >>> >>> Any suggestions on what I might be doing wrong are greatly appreciated! >>> >>> -Marty >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >> >> >> > > > From phil.allred at brooklaw.edu Fri Mar 9 02:14:50 2007 
From: phil.allred at brooklaw.edu (Phil Allred) Date: Thu, 08 Mar 2007 21:14:50 -0500 Subject: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync Message-ID: <45F0C31A.7050609@brooklaw.edu> Here at Brooklyn Law School, we use Fedora DS together with a samba schema quite successfully. All students and most faculty log in to lab computers and desktops that are members of a Samba domain. We avoid using NT servers as much as possible for open source reasons, but our faculty is hoping we can move them to an exchange server running on NT 2003. In a test environment, we were able to get password sync happening between an NT server and a replica of our DS, but are wondering how to keep our samba passwords updated. Currently, we have a web front end pointed at a perl script loosely based on the smb-ldap scripts from IDEALX. These keep our sambantpassword, sambalmpassword, and unix passwords synced. If we continue to use this script to update passwords on Fedora DS, will fedora pick up the password and send it down to the windows server? I assume there is not much I could do to get it to work in the other direction, which would be ok -- we would require users to continue to change their passwords through our web front end. Any thoughts or suggestions would be greatly appreciated. Phil Allred From chaks.yoper at gmail.com Fri Mar 9 06:54:10 2007
From: chaks.yoper at gmail.com (Chakkaradeep C C) Date: Fri, 9 Mar 2007 19:54:10 +1300 Subject: [Fedora-directory-users] User Authentication and Adding Clients Message-ID: Hi All, I just installed FDS in my FC6 box and created OU, Groups and Users, but I was not able to login using the name and password which I created in the FDS into my machine, is anything wrong? And also, I would be happy if someone could help me or redirect me to some article explaining how to add Ubuntu/FC machines as clients to the domain. Thanks, -- Regards, C.C.Chakkaradeep, http://chakkaradeep.wordpress.com -- "Sometimes it's better not to ask - or to listen - when people tell you something can't be done. I didn't ask for permission or approval. I just went ahead and did it." - from "Direct from Dell" From darren.paxton at mercer.com Fri Mar 9 11:14:38 2007
From: darren.paxton at mercer.com (Paxton, Darren) Date: Fri, 09 Mar 2007 11:14:38 +0000 Subject: [Fedora-directory-users] User Account Management In-Reply-To: <1173094583.15393.18.camel@MUKLWDP01.mercer.com> References: <1173094583.15393.18.camel@MUKLWDP01.mercer.com> Message-ID: <1173438878.4146.21.camel@MUKLWDP01.mercer.com> Hi again, Thanks for the suggestions re the ACI - I managed to resolve that part, but now have hit yet another wall with the "interesting" way in which our accounts are set up. As I stated, we have a service desk that manages all the user accounts; however, I've just been reliably informed that they are only going to be managing the password resets of any user accounts, and that a subgroup of the department I'm building the directory for will actually be creating the user accounts. Here's where it gets interesting - although the subgroup will be creating the accounts, they will not be permitted to reset any passwords, hence I'm now in a confusing place. I've looked at the ACIs and the service desk part was easy enough to achieve. I thought the other part would be as simple as denying write permission to the userpassword attribute, but this doesn't work, as I'm assuming setting the password at user creation is effectively a form of write to the attribute. The question, therefore, is: can you allow a person/group to be able to create user accounts, but not have the ability to modify the password attribute after it's created? I'd like to trust the users not to be resetting passwords on their own; however, we need to have an auditable trail of the user permissions that details this. Thanks in advance for any help (and for the help supplied so far!)
Darren This e-mail and any attachments may be confidential or legally privileged. If you received this message in error or are not the intended recipient, you should destroy the email message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained herein. Please inform us of the erroneous delivery by return e-mail. Thank you for your co-operation. Mercer Human Resource Consulting Limited is authorised and regulated by the Financial Services Authority. Registered in England No. 984275. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU. From ABliss at preferredcare.org Fri Mar 9 13:38:03 2007 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Fri, 9 Mar 2007 08:38:03 -0500 Subject: [Fedora-directory-users] User Authentication and Adding Clients In-Reply-To: References: Message-ID: For your FDS box, the easiest way (I think) to set the box up to authenticate against your ldap server is to run authconfig. I'm not as familiar with Ubuntu, but you should be able to modify your /etc/nsswitch.conf, PAM, and ldap.conf files by hand.... http://directory.fedora.redhat.com/wiki/Howto:PAM Aaron ________________________________
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Chakkaradeep C C Sent: Friday, March 09, 2007 1:54 AM To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] User Authentication and Adding Clients Hi All, I just installed FDS in my FC6 box and created OU, Groups and Users, but I was not able to login using the name and password which I created in the FDS into my machine, is anything wrong? And also, I would be happy if someone could help me or redirect me to some article explaining how to add Ubuntu/FC machines as clients to the domain. Thanks, -- Regards, C.C.Chakkaradeep, http://chakkaradeep.wordpress.com -- "Sometimes it's better not to ask - or to listen - when people tell you something can't be done. I didn't ask for permission or approval. I just went ahead and did it." - from "Direct from Dell" Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. From agnaldofreitas at hotmail.com Fri Mar 9 13:49:41 2007
From: agnaldofreitas at hotmail.com (Agnaldo Freitas) Date: Fri, 9 Mar 2007 10:49:41 -0300 Subject: [Fedora-directory-users] Problems with synchronization between Fedora-DS and Samba Message-ID: Hi List, Since the second semester of 2006, I have been trying to configure Samba (PDC and BDC) + Fedora Directory Server. Some information: OS: CentOS 4.3 x86_64 Fedora-DS (LDAP) with Simple Bind Samba 3.0.10 (I'll upgrade it in the next CentOS version) password hash: Crypt (Linux, Fedora-DS and Samba) Problems: 1 - [root at netuno1 ~]# passwd samuel Changing password for user samuel. Enter login(LDAP) password: New UNIX password: Retype new UNIX password: LDAP password information changed for samuel passwd: all authentication tokens updated successfully. Why this line "Enter login(LDAP) password:", if it is root that is changing samuel's password? It does not happen when the user is from /etc/passwd! 2 - Depending on the pam_password parameter (the howto wiki suggests exop), smbpasswd fails: [root at netuno1 ~]# smbpasswd samuel ldapsam_modify_entry: LDAP Password could not be changed for user samuel: Confidentiality required Operation requires a secure connection. ldapsam_update_sam_account: failed to modify user with uid = samuel, error: Operation requires a secure connection. (Success) Failed to modify entry for user samuel. Failed to modify password entry for user samuel 3 - When a user tries to change his password using CTRL + ALT + DEL from Windows, after typing the passwords: if ldap passwd sync = yes is set in /etc/samba/smb.conf, it returns the message "current password or user's name is incorrect"; on the other hand, if unix password sync = yes (password chat ...) is set, it returns the message "you do not have permission to modify the password", and only the samba password is changed (in both cases). I need userPassword for single sign-on because I use other services. Why does smbldap-passwd always run OK from the prompt and not from the password program parameter?!
I could see on the web that many people using OpenLDAP also have (had) the same problem. I am in despair, because I have spent much time without finding a solution to this problem. Please, help me! What to do? Grateful for your attention, Agnaldo Freitas From ABliss at preferredcare.org Fri Mar 9 14:05:54 2007 From: ABliss at preferredcare.org (Bliss, Aaron) Date: Fri, 9 Mar 2007 09:05:54 -0500 Subject: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync In-Reply-To: <45F0C31A.7050609@brooklaw.edu> References: <45F0C31A.7050609@brooklaw.edu> Message-ID: Phil, After you set up your native windows domain, you can join your samba server to the domain and configure it to use the domain controller for authentication. Aaron -----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Phil Allred Sent: Thursday, March 08, 2007 9:15 PM To: fedora-directory-users at redhat.com Subject: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync Here at Brooklyn Law School, we use Fedora DS together with a samba schema quite succesfully. All students and most faculty log in to lab computers and desktops that are members of a Samba domain. We avoid using NT servers as much as possible for open source reasons, but our faculty is hoping we can move them to an exchange server running on NT 2003.In a test environment, we were able to get password sync happening between an NT server and a replica of our DS, but are wondering how to keep our samba passwords updated. Currently, we have a web front end pointed at a perl script loosely based on the smb-ldap scripts from IDEALX. These keep our sambantpassword, sambalmpassword, and unix passwords synced. If we continue to use this script to update passwords on Fedora DS, will fedora pick up the password and send it down to the windows server? I assume there is not much I could do to get it to work in the other direction, which would be ok -- we would require users to continue to change their passwords through our web front end. Any thoughts or suggestions would be greatly appreciated. Phil Allred -- Fedora-directory-users mailing list Fedora-directory-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
From mjdshop at earthlink.net Fri Mar 9 15:54:32 2007
From: mjdshop at earthlink.net (MJD Shop Account) Date: Fri, 9 Mar 2007 10:54:32 -0500 (GMT-05:00) Subject: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts? Message-ID: <28251081.1173455672883.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> I tried playing with this under RH4 and thought it was not working, although it turns out I needed to reboot to get it recognized (is there a way to re-load pam after changing system-auth?) Changing the pam_unix.so line to 'sufficient' instead of 'required' worked in either the case of having the pam_succeed_if.so line present or commented out. Leaving that line in, and leaving the pam_unix.so as 'required' also worked, but taking out pam_succeed_if.so and leaving pam_unix.so 'required' failed. And, I'm pretty sure having both pam_succeed_if.so present and having pam_unix.so 'required' failed too, until I rebooted. That is to say, given the machine was up and talking to ldap, if I just unplugged the network cable without rebooting, it failed for me. Since this was the setup before (i.e. not an issue with PAM recognizing a change) this still concerns me, but at least I know a reboot will get me out of any bind of not being able to log in as root. By the way, you might have noticed I had pam_deny.so commented out. I forget why, but I remember testing and thinking either it didn't work with that in, or made no sense to me. Would I be right in suspecting I should be adding it back in if I make pam_unix.so sufficient instead of required? If I don't, will it allow anyone in? If I understand what's going on now, since nsswitch.conf has, for instance, 'passwd' with 'files ldap', the PAM setup is hitting ldap twice, once via pam_unix.so which sees the ldap by way of the nsswitch.conf nss_ldap.so, and then again if it were to invoke pam_ldap.so directly.
This seems somewhat redundant, but I don't see a way out of it since I'm pretty sure all hell breaks loose if you don't have ldap in nsswitch.conf (since most regular users are defined in the ldap directory). Ultimately my goal is this: system accounts like root and other locally defined accounts take precedence over ldap; if they are defined locally and have a local password, it does not need to go through ldap or kerberos. On the other hand, because we are transitioning account management, I do have local accounts for users with locked local passwords, and I want the kerberos password to be effective. This seems to work in the current setup; I guess I need to verify it still does if I make this change. -----Original Message----- >From: George Holbert >Sent: Mar 8, 2007 1:33 AM >To: MJD Shop Account , "General discussion list for the Fedora Directory server project." >Subject: Re: [Fedora-directory-users] ldap too many connections from clients? following ldap even for local accounts? > >For RHEL3, >change: >account required /lib/security/$ISA/pam_unix.so broken_shadow >to: >account sufficient /lib/security/$ISA/pam_unix.so broken_shadow > >Keep in mind that this will make the account stack succeed in most cases >before it hits pam_ldap, which means pam_ldap won't be used for enforcing >account policy. See below for an alternate method, if this matters for you. > >For RHEL4, disconnected root login _should_ already be working, because of >the extra line: >account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 >quiet > >As you can probably tell, this line makes the stack succeed if the user's >uid is less than 100, which is of course true for root. > >The alternate RHEL3 fix would be to manually compile and deploy >pam_succeed_if.so on your RHEL3 clients, and use the same system-auth you >currently have on your RHEL4 clients. > > >----- Original Message -----
>From: "MJD Shop Account" >To: "George Holbert" ; "General discussion list for >the Fedora Directory server project." >Sent: Wednesday, March 07, 2007 8:13 PM >Subject: Re: [Fedora-directory-users] ldap too many connections from >clients? following ldap even for local accounts? > > >> My RH3 system-auth is as follows: >> #%PAM-1.0 >> # This file is auto-generated. >> # User changes will be destroyed the next time authconfig is run. >> auth required /lib/security/$ISA/pam_env.so >> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok >> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass >> auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass >> auth required /lib/security/$ISA/pam_deny.so >> >> account required /lib/security/$ISA/pam_unix.so broken_shadow >> account [default=bad success=ok user_unknown=ignore] >> /lib/security/$ISA/pam_ldap.so >> account [default=bad success=ok user_unknown=ignore] >> /lib/security/$ISA/pam_krb5.so >> #account required /lib/security/$ISA/pam_deny.so >> >> password requisite /lib/security/$ISA/pam_cracklib.so retry=3 >> password sufficient /lib/security/$ISA/pam_unix.so nullok >> use_authtok md5 shadow >> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok >> password sufficient /lib/security/$ISA/pam_krb5.so use_authtok >> password required /lib/security/$ISA/pam_deny.so >> >> session required /lib/security/$ISA/pam_limits.so >> session required /lib/security/$ISA/pam_unix.so >> session optional /lib/security/$ISA/pam_ldap.so >> session optional /lib/security/$ISA/pam_krb5.so >> >> >> My RH4 version is the same, with this difference: >> --- system-auth.RH3 2006-10-25 22:49:19.000000000 -0400 >> +++ system-auth.RH4 2006-10-25 22:42:05.000000000 -0400 
>> @@ -8,6 +8,7 @@ >> auth required /lib/security/$ISA/pam_deny.so >> >> account required /lib/security/$ISA/pam_unix.so broken_shadow >> +account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 >> quiet >> account [default=bad success=ok user_unknown=ignore] >> /lib/security/$ISA/pam_ldap.so >> account [default=bad success=ok user_unknown=ignore] >> /lib/security/$ISA/pam_krb5.so >> #account required /lib/security/$ISA/pam_deny.so >> >> >> -----Original Message----- 
>>>From: George Holbert >>>Sent: Mar 7, 2007 8:42 PM >>>To: MJD Shop Account , "General discussion list for >>>the Fedora Directory server project." >>>Subject: Re: [Fedora-directory-users] ldap too many connections from >>>clients? following ldap even for local accounts? >>> >>>> If a machine is disconnected from the network, a login attempt as >>>> 'root' user (with local passwd file entry and password) fails. >>>> ... >>>> I think I need to configure something such that the nsswitch.conf >>>> entry tells it to stop if it finds the 'files' entry and not proceed >>>> to the 'ldap' entry. I thought this would happen by default. >>> >>>At least for authentication, this behavior depends also on your PAM >>>config. >>> >>>You need to make sure that the auth and account stacks will succeed for >>>local accounts (e.g., root) without asking pam_ldap. >>>What's in your /etc/pam.d/system-auth files on your RHEL3 and RHEL4 >>>clients? >>> >>> >>>MJD Shop Account wrote: >>>> I'm having some odd ldap issues with connection or lack thereof to >>>> ldap server when nsswitch.conf and pam.d/system-auth are configured to >>>> use FDS ldap server. >>>> >>>> I'm running both RHEL3 and RHEL4 clients. My servers are RHEL4 update >>>> 4 and FDS 1.0.4. My /etc/ldap.conf is configured with two host >>>> names. I've noticed these issues: >>>> >>>> * If a machine is disconnected from the network, a login attempt >>>> as 'root' user (with local passwd file entry and password) >>>> fails. The system appears to accept the password, but sits for >>>> maybe a minute, then dumps you back to the login prompt. I've >>>> had to boot off rescue CD and shell in to remove 'ldap' from >>>> the /etc/nsswitch.conf file to get around this in some instances.
>>>> >>>> My relevant /etc/ldap.conf entries are: >>>> passwd: files ldap >>>> shadow: files >>>> group: files ldap >>>> netgroup: files ldap >>>> >>>> * I noticed that any randomly chosen client has a few >>>> connections to the ldap server that persist. The connections >>>> are tied to processes that also should have local entries only >>>> in the local /etc/passwd files. Here's an example: >>>> # netstat -a | grep ldap >>>> tcp 38 0 clienthostname:32771 serverhostname:ldap >>>> CLOSE_WAIT >>>> # fuser 32771/tcp >>>> here: 32771 >>>> 32771/tcp: 3729 >>>> # ps -ef | grep 3729 | grep -v grep >>>> ntp 3729 1 0 Feb23 ? 00:00:00 ntpd -u ntp:ntp >>>> -p /var/run/ntpd.pid -g >>>> # >>>> >>>> * I notice that doing a "netstat -a" on the server that most >>>> clients are using takes a long time. It spits out a bunch, >>>> then slows down when reporting the entries that are ESTABLISHED >>>> ldap connections: >>>> tcp 0 0 ldapserver:ldap ldapclient:35908 ESTABLISHED >>>> I see that some clients have very many connections, I would >>>> expect just one or two. Here's one client that had a whole >>>> bunch, most disappeared before I could capture this bash shell >>>> command output. This output is for jobs associated with ports >>>> connecting to ldap server: >>>> # for i in `netstat -a | grep ldap | cut -d: -f2 | cut -d" " >>>> -f1`; do for j in `(fuser $i/tcp | cut -b 23-26)`; do ps -ef | >>>> grep $j | grep -v grep; done; done >>>> xfs 2726 1 0 Feb20 ? 00:00:00 xfs -droppriv >>>> -daemon >>>> root 3138 3031 0 Feb20 ? 00:00:00 >>>> /usr/bin/gdm-binary bell-style none >>>> root 3418 3138 0 18:32 ? 00:00:02 /usr/X11R6/bin/X >>>> :0 -auth /var/gdm/:0.Xauth vt7 >>>> gdm 3430 3138 0 18:32 ? 00:00:00 >>>> /usr/bin/gdmgreeter >>>> root 2477 2617 0 18:22 ? 00:00:01 sshd: root at pts/0 >>>> root 2481 2477 0 18:22 pts/0 00:00:00 -tcsh >>>> >>>> I ran a similar command on a client computer where the user is >>>> running a lot of jobs, I got 53 lines of output.
Basically >>>> every job is maintaining an ldap connection, I guess. >>>> >>>> * I think I need to configure something such that the >>>> nsswitch.conf entry tells it to stop if it finds the 'files' >>>> entry and not proceed to the 'ldap' entry. I thought this would >>>> happen by default. >>>> >>>> * I think the above problem is possibly leading to many more ldap >>>> connections than are necessary which in turn may be causing >>>> performance issues on the server, ALTHOUGH the cpu load and >>>> memory load does not appear inordinately heavy >>>> >>>> * I tried running nscd (for caching the info) once, it seemed to >>>> cause too many problems so I turned it off. I have tried >>>> something like implementing pam_ccache, I don't think it would >>>> help the too-many-connections, just the issue with no logins >>>> when off the net. >>>> >>>> * Here's my /etc/ldap.conf minus the usual comment lines, I'm >>>> doing anonymous binds. Maybe there's some keepalive flag that >>>> should be set or unset?: >>>> host server1 server2 >>>> base dc=example,dc=com >>>> ldap_version 3 >>>> scope sub >>>> bind_timelimit 10 >>>> pam_lookup_policy yes >>>> pam_password exop >>>> nss_base_passwd ou=People,dc=example,dc=com?one >>>> nss_base_group ou=Group,dc=example,dc=com?one >>>> nss_base_services ou=Services,dc=example,dc=com?one >>>> nss_base_aliases ou=Aliases,dc=example,dc=com?one >>>> nss_base_netgroup ou=Netgroup,dc=example,dc=com?one >>>> ssl start_tls >>>> tls_checkpeer yes >>>> tls_cacertfile /usr/share/ssl/certs/servercert.pem >>>> tls_ciphers TLSv1 >>>> pam_password md5 >>>> >>>> Any suggestions on what I might be doing wrong are greatly appreciated! 
>>>> >>>> -Marty >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> -- >>>> Fedora-directory-users mailing list >>>> Fedora-directory-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> >>> >> >> >> > > From joshkel at gmail.com Fri Mar 9 19:09:58 2007 
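An added example, not code from the thread: two shell checks for the symptoms Marty describes above, written against the classic nss_ldap/pam_ldap stack George Holbert asks about. The first answers his question mechanically (does each of the auth and account stacks in /etc/pam.d/system-auth let a local account through before pam_ldap is consulted?); the second is a column-independent replacement for the netstat/fuser loop in the post, reading "netstat -anp" output so the PID/program comes from netstat itself. The PAM configurations and the netstat output embedded below are constructed samples; the /lib/security/$ISA module paths, the RHEL 4 authconfig ordering and port 389 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the symptoms in the
# post above, on the classic nss_ldap/pam_ldap stack of RHEL 4:
#   1. pam_local_first / check_system_auth: does /etc/pam.d/system-auth let a
#      local account (root) through the auth and account stacks before
#      pam_ldap is reached?  If not, every login waits for the LDAP bind to
#      time out whenever the directory servers are unreachable.
#   2. ldap_conns_by_process: a column-independent version of the
#      netstat/fuser loop in the post, reading "netstat -anp" output.
# All sample data below is constructed for the example.

# Constructed: the ordering RHEL 4's authconfig writes (local modules are
# "sufficient" before pam_ldap, so root never waits on the directory).
SAMPLE_GOOD='auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so'

# Constructed: pam_ldap is "required" in both stacks, so even root's login
# blocks until the bind to every host in /etc/ldap.conf has timed out.
SAMPLE_BAD='auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_ldap.so use_first_pass
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_ldap.so'

# pam_local_first STACK CONFIG_TEXT
# Exit 0 if, within STACK, a "sufficient" pam_unix/pam_succeed_if/pam_localuser
# line appears before the first pam_ldap line; exit 1 otherwise.
pam_local_first() {
    printf '%s\n' "$2" | awk -v stack="$1" '
        $1 != stack { next }
        /pam_ldap\.so/ { ldap_seen = 1 }
        ldap_seen == 0 && $2 == "sufficient" && /pam_(unix|succeed_if|localuser)\.so/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# check_system_auth CONFIG_TEXT: report on both stacks; exit 1 if either
# one consults pam_ldap for every user.
check_system_auth() {
    rc=0
    for stack in auth account; do
        if pam_local_first "$stack" "$1"; then
            echo "$stack: local accounts short-circuit before pam_ldap"
        else
            echo "$stack: pam_ldap is consulted for every user (login hangs when LDAP is unreachable)"
            rc=1
        fi
    done
    return $rc
}

# Constructed "netstat -anp" output; the last column is PID/program.
SAMPLE_NETSTAT='tcp        0      0 192.0.2.10:32771        192.0.2.5:389           CLOSE_WAIT  3729/ntpd
tcp        0      0 192.0.2.10:35908        192.0.2.5:389           ESTABLISHED 2726/xfs
tcp        0      0 192.0.2.10:35909        192.0.2.5:389           ESTABLISHED 2481/tcsh
tcp        0      0 192.0.2.10:35910        192.0.2.5:389           ESTABLISHED 2481/tcsh
tcp        0      0 192.0.2.10:22           192.0.2.77:51000        ESTABLISHED 2477/sshd'

# ldap_conns_by_process [PORT]: read "netstat -anp" on stdin and print
# "pid/program<TAB>connections<TAB>close_wait" for sockets whose peer
# port is PORT (default 389), sorted by pid.
ldap_conns_by_process() {
    awk -v port="${1:-389}" '
        $1 ~ /^tcp/ && $5 ~ (":" port "$") {
            key = ($7 == "" || $7 == "-") ? "unknown" : $7
            n[key]++
            if ($6 == "CLOSE_WAIT") cw[key]++
        }
        END { for (k in n) printf "%s\t%d\t%d\n", k, n[k], cw[k] + 0 }' | sort
}

# On a client:  netstat -anp 2>/dev/null | ldap_conns_by_process 389
# On the stack: check_system_auth "$(cat /etc/pam.d/system-auth)"
```

Two caveats on reading the results. The pam_succeed_if line exempts only system accounts (uid below 100), so an ordinary user with a local /etc/passwd entry still waits on pam_ldap in the account stack when the network is down; pam_localuser.so is the module that short-circuits for any local entry. And the per-process connections the second function counts are nss_ldap's default behaviour (one persistent connection per process that has done a lookup); nss_ldap's ldap.conf accepts idle_timelimit and nss_connect_policy oneshot to close them, at the cost of a new bind per lookup.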
From: joshkel at gmail.com (Josh Kelley) Date: Fri, 9 Mar 2007 14:09:58 -0500 Subject: [Fedora-directory-users] Problems with synchronism between Fedora-DS and Samba In-Reply-To: References: Message-ID: <97cbd1a90703091109w17dc45abq3698d7af2d5b47de@mail.gmail.com> On 3/9/07, Agnaldo Freitas wrote: > 1 - [root at netuno1 ~]# passwd samuel > > Changing password for user samuel. > Enter login(LDAP) password: > New UNIX password: > Retype new UNIX password: > LDAP password information changed for samuel > passwd: all authentication tokens updated successfully. > > > Why this line "Enter login(LDAP) password:", if it is root that is changing > samuel's password? It does not happen when the user is from /etc/passwd! I think that it's asking for root's password to bind to the LDAP directory. If you set the rootbinddn parameter in /etc/ldap.conf and create /etc/ldap.secret (mode 600) containing the root DN's password, then that message should go away. Note that the passwd command won't update Samba passwords stored in LDAP. There has been talk of adding a plugin to FDS to let it automatically synchronize Samba passwords when it receives a password change, but I don't think that's been done. > 2 - Depending on the pam_password (howto:wiki suggests exop) parameter, smbpasswd > fails: > > [root at netuno1 ~]# smbpasswd samuel > ldapsam_modify_entry: LDAP Password could not be changed for user samuel: > Confidentiality required > Operation requires a secure connection. > ldapsam_update_sam_account: failed to modify user with uid = samuel, error: > Operation requires a secure connection. > (Success) > Failed to modify entry for user samuel.
> Failed to modify password entry for user samuel > > > 3 - When a user tries to change his password using CTRL + ALT + DEL from > Windows, after typing the passwords: > > If ldap passwd sync = yes is set in /etc/samba/smb.conf, it returns > the message: current password or user's name is incorrect; on the other hand, > if unix password sync = yes (password chat ...) is set, it > returns the message: you do not have permission to modify the password, > and only the samba passwd is changed (in both cases). I need > userPassword for single sign on because I use other services. > > Why does smbldap-passwd always run OK from the prompt and not from the > password program parameter?! I haven't used smbldap-passwd, so I can't really help you there. Using "ldap passwd sync" instead of "unix password sync" should work. Did you make sure to set your root DN password in Samba by running "smbpasswd -W"? We're using a setup very similar to yours (Samba PDC, FDS with simple bind), and here are the settings that we're using. In /etc/samba/smb.conf: passdb backend = ldapsam:"ldaps://ldapserver.example.com/" ldap admin dn = "cn=Directory Manager" ldap suffix = "dc=example,dc=com" ldap password sync = yes In /etc/ldap.conf: pam_password md5 Then run "smbpasswd -W" to let Samba store the admin DN / root DN password. We don't use passwd chat or exop. Your problems in #2 and #3 sound like more of a Samba issue than an FDS issue. I'll be glad to answer any questions I can, but if you continue to have trouble, you might have better luck on the Samba mailing list. Josh Kelley From clockwork at sigsys.org Fri Mar 9 19:47:48 2007
From: clockwork at sigsys.org (clockwork at sigsys.org) Date: Fri, 9 Mar 2007 14:47:48 -0500 Subject: [Fedora-directory-users] Guide to setting up a replica. Message-ID: <5849d9130703091147o6b0dd3f7x3e2e2d2c8efcd8ad@mail.gmail.com> All, Does anyone know of a good guide to setting up read-only SSL-enabled replicas? I see many guides to setting up multiple masters, but nothing directly about multiple read-only SSL replicas. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jfgamsby at lbl.gov Fri Mar 9 19:57:44 2007
From: jfgamsby at lbl.gov (Jeff Gamsby) Date: Fri, 09 Mar 2007 11:57:44 -0800 Subject: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync In-Reply-To: <45F0C31A.7050609@brooklaw.edu> References: <45F0C31A.7050609@brooklaw.edu> Message-ID: <45F1BC38.1070709@lbl.gov> Using PassSync, changing the passwords from the AD/NT side will also change passwords on the Fedora DS side. It will not, however, change the Samba passwords. If you have "ldap passwd sync = yes" in your Samba config, then you can use smbpasswd to change all passwords at the same time. If you migrate over to an AD server in place of Samba, you can use domain logins and have users change their password in Windows, which would also change the Fedora DS password as well. Jeff Phil Allred wrote: > Here at Brooklyn Law School, we use Fedora DS together with a samba > schema quite successfully. All students and most faculty log in to > lab computers and desktops that are members of a Samba domain. We > avoid using NT servers as much as possible for open source reasons, > but our faculty is hoping we can move them to an exchange server > running on NT 2003. In a test environment, we were able to get > password sync happening between an NT server and a replica of our DS, > but are wondering how to keep our samba passwords updated. Currently, > we have a web front end pointed at a perl script loosely based on the > smb-ldap scripts from IDEALX. These keep our sambantpassword, > sambalmpassword, and unix passwords synced. > If we continue to use this script to update passwords on Fedora DS, > will fedora pick up the password and send it down to the windows > server? I assume there is not much I could do to get it to work in > the other direction, which would be ok -- we would require users to > continue to change their passwords through our web front end. > > Any thoughts or suggestions would be greatly appreciated.
> > > Phil Allred > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Jeff Gamsby Center for X-Ray Optics Lawrence Berkeley National Laboratory (510) 486-7783 From lesmikesell at gmail.com Fri Mar 9 20:37:05 2007 From: lesmikesell at gmail.com (Les Mikesell) Date: Fri, 09 Mar 2007 14:37:05 -0600 Subject: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync In-Reply-To: <45F1BC38.1070709@lbl.gov> References: <45F0C31A.7050609@brooklaw.edu> <45F1BC38.1070709@lbl.gov> Message-ID: <45F1C571.5020507@gmail.com> Jeff Gamsby wrote: > Using PassSync, changing the passwords from the AD/NT side will also > change passwords on the Fedora DS side. It will not however change the > Samba passwords. If you have "ldap passwd sync = yes" in your Samba > config, then you can use smbpasswd to change all passwords at the same > time. If you migrate over to an AD server in place of Samba, you can use > domain logins and have users change their password in Windows which > would also change the Fedora DS password as well. Is there a way to sync from AD and then use LDAP authentication for Linux boxes that don't know about AD? I thought I saw something earlier that said the POSIX account information didn't sync. If that is true, can you configure Linux to use whatever password does sync? -- Les Mikesell lesmikesell at gmail.com From jfgamsby at lbl.gov Fri Mar 9 21:30:12 2007
From: jfgamsby at lbl.gov (Jeff Gamsby) Date: Fri, 09 Mar 2007 13:30:12 -0800 Subject: [Fedora-directory-users] Samba/Fedora DS/Windows Password Sync In-Reply-To: <45F1C571.5020507@gmail.com> References: <45F0C31A.7050609@brooklaw.edu> <45F1BC38.1070709@lbl.gov> <45F1C571.5020507@gmail.com> Message-ID: <45F1D1E4.3040004@lbl.gov> > Is there a way to sync from AD and then use LDAP authentication for > Linux boxes that don't know about AD? I thought I saw something > earlier that said the Posix acount information didn't sync. If that > is true can you configure Linux to use whatever password does sync? > Yes, I think that is the preferred method. Have windows users talk to AD and Linux users talk to LDAP. You can use LDAP for authentication and to store the automount maps for home directories. I believe that is correct, only passwords, groups, account deletion/creation are covered. You wouldn't want to create accounts on the AD side. For example, I have a Fedora DS server that serves mail/web/samba authentication, but have an AD server that serves all windows domain accounts. The PassSync gives me a way of having a "single-sign on" so users only have to change one password. I used to use an OpenLDAP/Samba PDC configuration, but this works much better. If you still want to use Samba as a file server, you can use Idmap which is stored on the LDAP server to maintain the uid/gid mappings to make users/permissions almost completely transparent between platforms. -- Jeff Gamsby From mjdshop at earthlink.net Fri Mar 9 22:24:56 2007 
From: mjdshop at earthlink.net (MJD Shop Account) Date: Fri, 9 Mar 2007 17:24:56 -0500 (GMT-05:00) Subject: [Fedora-directory-users] Guide to setting up a replica. Message-ID: <22422728.1173479096029.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: con2mmr.pl Type: application/octet-stream Size: 16158 bytes Desc: not available URL: From mj at sci.fi Fri Mar 9 23:48:09 2007 From: mj at sci.fi (Mike Jackson) Date: Sat, 10 Mar 2007 01:48:09 +0200 Subject: [Fedora-directory-users] Guide to setting up a replica. In-Reply-To: <22422728.1173479096029.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> References: <22422728.1173479096029.JavaMail.root@elwamui-cypress.atl.sa.earthlink.net> Message-ID: <45F1F239.9060306@sci.fi> MJD Shop Account wrote: > This might not be what you wanted, but hopefully it is useful to you or > someone else. Not long ago I took the mmr.pl script and modified it to > do the replication agreements for supplier->read-only consumer, but I > don't think I ever posted it back out. Here it is, with apologies to > the original author of mmr.pl. It assumes the supplier is a > multi-master enabled supplier. No guarantees it works, you should > compare to mmr.pl to understand it (but, it worked for me). > > I'm just looking at the header, Mike Jackson is the original author so > I've cc'ed him. Mike you're welcome to take this and distribute it as > your own as far as I'm concerned. Hi, Thanks. I'll take a look at it soon. BR, Mike -- http://www.netauth.com - LDAP Directory Consulting -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3277 bytes Desc: S/MIME Cryptographic Signature URL: From richard at powerset.com Mon Mar 12 23:55:56 2007 
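An added example for the replica question above; it is not the con2mmr.pl attachment the archive scrubbed and not code from the project. It generates the two LDIF fragments a supplier-initiated, read-only, SSL replication setup needs on Fedora DS 1.0.x (the replication manager identity plus a read-only replica entry on the consumer, and an SSL agreement on the supplier) and applies them with OpenLDAP's ldapmodify. The suffix dc=example,dc=com, the host consumer1.example.com, the replication manager DN and both passwords are placeholders. It assumes the consumer already has SSL enabled on port 636 with a server certificate, and that the supplier's certificate database trusts the CA that issued it; otherwise the agreement fails in the TLS handshake before it ever binds.

```shell
#!/bin/sh
# Added example, not from the thread or the project. Shell wrappers that emit
# the LDIF for a read-only consumer and a supplier->consumer agreement over
# SSL, then apply it with OpenLDAP's ldapmodify (-x = simple bind, -H = URI).
# Everything below (hosts, suffix, replication manager DN, passwords) is an
# assumption for the example; override REPL_PW from the environment.
SUFFIX='dc=example,dc=com'
REPL_DN='cn=Replication Manager,cn=config'
REPL_PW=${REPL_PW:-'change-me'}
CONSUMER_HOST='consumer1.example.com'
CONSUMER_PORT=636              # the consumer's LDAPS port

# LDIF for the consumer: the identity the supplier binds as, and a replica
# entry of type 2 (read-only) with the reserved consumer replica id 65535.
# A consumer keeps no changelog, hence nsDS5Flags 0.
consumer_ldif() {
    cat <<EOF
dn: $REPL_DN
changetype: add
objectclass: top
objectclass: person
objectclass: inetorgperson
cn: Replication Manager
sn: RM
userPassword: $REPL_PW

dn: cn=replica,cn="$SUFFIX",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsDS5ReplicaId: 65535
nsDS5ReplicaBindDN: $REPL_DN
EOF
}

# LDIF for the supplier: an agreement that pushes $SUFFIX to the consumer
# over SSL (nsDS5ReplicaTransportInfo: SSL on the LDAPS port) at all hours,
# and asks for a total update so the consumer is initialized immediately.
supplier_agreement_ldif() {
    cat <<EOF
dn: cn=to-$CONSUMER_HOST,cn=replica,cn="$SUFFIX",cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsDS5ReplicationAgreement
cn: to-$CONSUMER_HOST
nsDS5ReplicaHost: $CONSUMER_HOST
nsDS5ReplicaPort: $CONSUMER_PORT
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: $REPL_DN
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: $REPL_PW
nsDS5ReplicaRoot: $SUFFIX
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
nsDS5BeginReplicaRefresh: start
EOF
}

# apply_consumer HOST DIRMGR_PW   then   apply_supplier HOST DIRMGR_PW
# Both bind as Directory Manager over LDAPS so the passwords above never
# cross the wire in the clear.
apply_consumer() {
    consumer_ldif | ldapmodify -x -H "ldaps://$1/" -D 'cn=Directory Manager' -w "$2"
}
apply_supplier() {
    supplier_agreement_ldif | ldapmodify -x -H "ldaps://$1/" -D 'cn=Directory Manager' -w "$2"
}
```

Run apply_consumer against the consumer first and apply_supplier against the supplier second; the supplier starts the total update as soon as the agreement entry is added. nsDS5ReplicaType 2 with replica id 65535 is what distinguishes this entry from the multi-master replica entries (type 3, a real replica id, nsDS5Flags 1) that mmr.pl creates, and it is why a second supplier cannot be pointed at this consumer as a peer. Pass the passwords in from the environment rather than editing them into the script, since the agreement entry stores nsDS5ReplicaCredentials on the supplier.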
From: richard at powerset.com (Richard Hesse) Date: Mon, 12 Mar 2007 16:55:56 -0700 Subject: [Fedora-directory-users] Windows Sync audit log? Message-ID: Symptom: Group members are randomly being dropped from group objects. Frequency: Usually after a user is added to the group. I've checked the normal FDS audit log and nothing unusual appears. Just the expected modify operations to the group object, adding new values for uniqueMember. Since we've established a Windows sync agreement, I'm guessing that something is screwing up over there. Is there an audit log I can check out to see if my hunch is correct? The only log I've found relates to changing user's passwords and doesn't take any group modifications into account. Thanks. -richard From y-hira at nttpc.co.jp Tue Mar 13 06:14:23 2007 
From: y-hira at nttpc.co.jp (Yasuhiro Hiraishi) Date: Tue, 13 Mar 2007 15:14:23 +0900 Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem.... In-Reply-To: <45EE3431.6090403@redhat.com> References: <20070307120949.A34F.Y-HIRA@nttpc.co.jp> <45EE3431.6090403@redhat.com> Message-ID: <20070313151246.88DA.Y-HIRA@nttpc.co.jp> Hello, > You mean, have the client set the size limit? Yes, but the client > cannot set the maximum to be higher than the maximum configured on the > server side. The sizelimit is part of the LDAP Search Request. Yes, I mean, have the client set the size limit. > What are your server and client side sizelimit settings? I set "1000" as the client size limit and set "2147483647" as the server side size limit in these parameters: - "Performance tab" -> "sizelimit" - "Database Link Setting" -> "Default Creation Parameter tab" -> "sizelimit" - "Database Setting" -> "LDBM-Plugin Setting tab" -> "Look-through limit" I'm not sure which parameters are actually the server side size limit. Thank you. On Tue, 06 Mar 2007 20:40:33 -0700 Richard Megginson wrote: > Yasuhiro Hiraishi wrote: > > Hello.. > > > > > >>> Below is what I did > >>> ------------------------------------------ > >>> 1. Install Fedora Directory Service. > >>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console. > >>> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console > >>> > >>> > >> Was there not already a presence index for uid? > >> > > Sorry, I made a mistake. There was already a presence index. > > > > > >> This may also be a problem with the search sizelimit. > >> > > What does 'sizelimit' mean? > > Do you mean a configuration which limits how many entries are returned from an FDS server? > > > Yes. > > Is it possible to use 'Server Side Sorting' with sizelimit at a client side? > > > You mean, have the client set the size limit?
Yes, but the client > cannot set the maximum to be higher than the maximum configured on the > server side. The sizelimit is part of the LDAP Search Request. > > I want to know why 'Server Side Sorting' is working with 4000 entries > > but not working with more than 5000 entries, > > In those situations 'sizelimit' is 1000. > > > What are your server and client side sizelimit settings? > > I will show you the access log when it succeeds. > > -------------------------- > > [01/Mar/2007:14:05:24 +0900] conn=93 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 > > [01/Mar/2007:14:05:24 +0900] conn=93 op=0 BIND dn="" method=128 version=3 > > [01/Mar/2007:14:05:24 +0900] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" > > [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL > > [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000) > > [01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U > > [01/Mar/2007:14:05:26 +0900] conn=93 op=2 UNBIND > > [01/Mar/2007:14:05:26 +0900] conn=93 op=2 fd=68 closed - U1 > > --- > > > > Do you know how to use 'Server Side Sorting' with any number of entries with a client side sizelimit? > > > > Thank you. > > > > On Mon, 05 Mar 2007 10:28:34 -0700 > > Richard Megginson wrote: > > > > > >> Yasuhiro Hiraishi wrote: > >> > >>> Hello. > >>> > >>> I am planning to use the Fedora Directory Server > >>> in Redhat Linux ES4.0 to do 'Server Side Sorting'. > >>> The system processed around 4000 entries successfully. > >>> However, when the system tried processing more than 5000 entries, > >>> it returned an error such as 'LDAP_UNWILLING_TO_PERFORM'. > >>> > >>> Does anyone know how to fix this problem? > >>> > >>> Just in case, I show you the error logs below...
> >>> > >>> -------------------------- > >>> [01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 > >>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3 > >>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" > >>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL > >>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*) > >>> [01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U > >>> [01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND > >>> [01/Mar/2007:14:07:17 +0 > >>> ----- > >>> > >>> Below is what I did > >>> ------------------------------------------ > >>> 1. Install Fedora Directory Service. > >>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console. > >>> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console > >>> > >>> > >> Was there not already a presence index for uid? > >> > >> This may also be a problem with the search sizelimit. > >> > >>> 4. I start entry .... > >>> -- > >>> > >>> Thank you. > >>> > >>> > >>> -- > >>> Fedora-directory-users mailing list > >>> Fedora-directory-users at redhat.com > >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users > >>> > >>> > > > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From chaks.yoper at gmail.com Tue Mar 13 06:48:03 2007
From: chaks.yoper at gmail.com (Chakkaradeep C C) Date: Tue, 13 Mar 2007 19:48:03 +1300 Subject: [Fedora-directory-users] User Authentication and Adding Clients In-Reply-To: References: Message-ID: Hi, On 3/10/07, Bliss, Aaron wrote: > > For your FDS box, the easiest way (I think) to set the box up to > authenticate against your ldap server is to run authconfig. I'm not as > familiar with ubuntu; as such you should be able to modify your > /etc/nsswitch.conf, pam, and ldap.conf files by hand.... > > http://directory.fedora.redhat.com/wiki/Howto:PAM > Hi, If I reboot, my Directory Server is not starting and I tried this - http://directory.fedora.redhat.com/wiki/Howto:SysVInit , but it's not working. Even after adding the services to chkconfig, the Directory Server is not getting automatically started. But if I manually run "service fedora-ds-admin start" after the restart, it does start. I want to set up my machine (where FDS is installed) to allow user authentication via Directory Server. I do configure authconfig, but I think unless I start the slapd and directory server, the ldap authentication will not be possible. I would be happy if anyone could help me on this. Thanks in advance. -- Regards, C.C.Chakkaradeep, http://chakkaradeep.wordpress.com -- "Sometimes it's better not to ask - or to listen - when people tell you something can't be done. I didn't ask for permission or approval. I just went ahead and did it." - from "Direct from Dell" -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Mar 13 13:59:13 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 13 Mar 2007 07:59:13 -0600 Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem.... In-Reply-To: <20070313151246.88DA.Y-HIRA@nttpc.co.jp> References: <20070307120949.A34F.Y-HIRA@nttpc.co.jp> <45EE3431.6090403@redhat.com> <20070313151246.88DA.Y-HIRA@nttpc.co.jp> Message-ID: <45F6AE31.2050209@redhat.com> Yasuhiro Hiraishi wrote: > Hello, > > >> You mean, have the client set the size limit? Yes, but the client >> cannot set the maximum to be higher than the maximum configured on the >> server side. The sizelimit is part of the LDAP Search Request. >> > > Yes, I mean, have the client set the size limit. > > >> What are your server and client side sizelimit settings? >> > > I set "1000" as the client size limit and > set "2147483647" as the server side size limit in these parameters: > > - "Performance tab" -> "sizelimit" > - "Database Link Setting" -> "Default Creation Parameter tab" -> > "sizelimit" > - "Database Setting" -> "LDBM-Plugin Setting tab" -> "Look-through limit" > > I'm not sure which parameters are actually the server side size limit. > All of these are server side limits. What is your client? > > Thank you. > > On Tue, 06 Mar 2007 20:40:33 -0700 > Richard Megginson wrote: > > >> Yasuhiro Hiraishi wrote: >> >>> Hello.. >>> >>> >>> >>>>> Below is what I did >>>>> ------------------------------------------ >>>>> 1. Install Fedora Directory Service. >>>>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console. >>>>> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console >>>>> >>>>> >>>>> >>>> Was there not already a presence index for uid? >>>> >>>> >>> Sorry, I made a mistake. There was already a presence index. >>> >>> >>> >>>> This may also be a problem with the search sizelimit. >>>> >>>> >>> What does 'sizelimit' mean? >>> Do you mean a configuration which limits how many entries are returned from an FDS server? >>> >>> >> Yes.
>> >>> Is it possible to use 'Server Side Sorting' with sizelimit at a client side? >>> >>> >> You mean, have the client set the size limit? Yes, but the client >> cannot set the maximum to be higher than the maximum configured on the >> server side. The sizelimit is part of the LDAP Search Request. >> >>> I want to know why 'Server Side Sorting' is working with 4000 entries >>> but not working with more than 5000 entries, >>> In those situations 'sizelimit' is 1000. >>> >>> >> What are your server and client side sizelimit settings? >> >>> I will show you the access log when it succeeds. >>> -------------------------- >>> [01/Mar/2007: 14:05:24 +0900] conn=93 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 BIND dn="" method=128 version=3 >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000) >>> [01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U >>> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 UNBIND >>> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 fd=68 closed - U1 >>> --- >>> >>> Do you know how to use 'Server Side Sorting' with any number of entries with a client side sizelimit? >>> >>> Thank you. >>> >>> On Mon, 05 Mar 2007 10:28:34 -0700 >>> Richard Megginson wrote: >>> >>> >>> >>>> Yasuhiro Hiraishi wrote: >>>> >>>> >>>>> Hello. >>>>> >>>>> I am planning to use the Fedora Directory Server >>>>> in Redhat Linux ES4.0 to do 'Server Side Sorting'. >>>>> The system processed around 4000 entries successfully. >>>>> However, when the system tried processing more than 5000 entries, >>>>> it returned an error such as 'LDAP_UNWILLING_TO_PERFORM'. >>>>> >>>>> Does anyone know how to fix this problem? >>>>> >>>>> Just in case, I show you the error logs below...
>>>>> >>>>> -------------------------- >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3 >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*) >>>>> [01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U >>>>> [01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND >>>>> [01/Mar/2007:14:07:17 +0 >>>>> ----- >>>>> >>>>> Below is what I did >>>>> ------------------------------------------ >>>>> 1. Install Fedora Directory Service. >>>>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console. >>>>> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console >>>>> >>>>> >>>>> >>>> Was there not already a presence index for uid? >>>> >>>> This may also be a problem with the search sizelimit. >>>> >>>> >>>>> 4. I start entry .... >>>>> -- >>>>> >>>>> Thank you. >>>>> >>>>> >>>>> -- >>>>> Fedora-directory-users mailing list >>>>> Fedora-directory-users at redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>>> >>>>> >>>>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From clockwork at sigsys.org Tue Mar 13 16:37:13 2007
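An added example for the sorting thread above, not code from the thread or the project: an awk triage of access log lines that pairs each SRCH with its SORT and RESULT by conn/op and flags the two things the posted excerpts show, err=4 (LDAP result code 4, sizeLimitExceeded: the search stopped at the size limit, here 1000 entries) and notes=U (the filter was evaluated without a usable index, which is what the look-through limit governs). The sample log is built from the lines Yasuhiro posted plus one constructed clean search (conn=97) for contrast; the log path in the usage comment assumes the 1.0.x layout.

```shell
#!/bin/sh
# Added example, not from the thread. Flags searches in an FDS access log
# whose RESULT carries err=4 (sizeLimitExceeded) or notes=U (unindexed),
# and prints the SORT control that was requested for them, since a
# server-side sort on an unindexed, size-limited search is the pattern in
# the excerpts above.

# The two excerpts from the thread plus one constructed clean search.
SAMPLE_LOG='[01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000)
[01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL
[01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*)
[01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U
[01/Mar/2007:14:09:00 +0900] conn=97 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=jsmith)" attrs=ALL
[01/Mar/2007:14:09:00 +0900] conn=97 op=1 RESULT err=0 tag=101 nentries=1 etime=0'

# flag_search_problems: read an access log on stdin; for every search whose
# RESULT carries err=4 or notes=U print one line:
#   conn=N op=M filter=... sort=... nentries=... err=... notes=...
# Exit 0 if anything was flagged, 1 otherwise.
flag_search_problems() {
    awk '
        # value of "name=..." in s, quoted or bare; "" if absent
        function field(s, name,   m) {
            if (match(s, name "=\"[^\"]*\"")) {
                m = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
            } else if (match(s, name "=[^ ]*")) {
                m = substr(s, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
            }
            return m
        }
        { key = field($0, "conn") " " field($0, "op") }
        / SRCH / { filter[key] = field($0, "filter") }
        / SORT / { sub(/.* SORT /, ""); sortctl[key] = $0 }
        / RESULT / {
            err = field($0, "err"); notes = field($0, "notes")
            if (err == "4" || notes ~ /U/) {
                printf "conn=%s op=%s filter=%s sort=%s nentries=%s err=%s notes=%s\n",
                    field($0, "conn"), field($0, "op"), filter[key],
                    (key in sortctl) ? sortctl[key] : "-", field($0, "nentries"),
                    err, (notes == "" ? "-" : notes)
                flagged++
            }
        }
        END { if (flagged > 0) exit 0; exit 1 }'
}

# On a server:  flag_search_problems < /opt/fedora-ds/slapd-INSTANCE/logs/access
```

Both posted searches come out flagged with sort=uid and nentries=1000, which is the size limit the client sent; the clean search is not. The combination matters because a server-side sort has to collect and order the whole candidate set before it can return the first entry, so an unindexed filter plus a size limit smaller than the result set is exactly where the sort control and the limits collide.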
From: clockwork at sigsys.org (clockwork at sigsys.org) Date: Tue, 13 Mar 2007 12:37:13 -0400 Subject: [Fedora-directory-users] Error while running setup: security library: bad database. Message-ID: <5849d9130703130937j67f4893agdb76f3b049821946@mail.gmail.com> So when I run the setup script for 1.0.4 on RHEL 4.4 I get the following error: [13/Mar/2007:11:56:47 -0400] - SSL alert: Security Initialization: NSS initialization failed (Netscape Portable Runtime error -8174 - security library: bad database.): path: /opt/fedora-ds/alias/, certdb prefix: slapd-util3-, keydb prefix: slapd-util3-. [slapd-util3]: [13/Mar/2007:11:56:47 -0400] - ERROR: NSS Initialization Failed. error:[13/Mar/2007:11:56:47 -0400] - ERROR: NSS Initialization\nFailed. system_errno:2 I'm not exactly clear on what it's trying to do; since it creates those files I'm not sure what it's failing at. Is it looking for a library that's not installed? I have tried pointing ld to the right stuff, and I have all of the ldd deps solved for the slapd binary. However I think there is something I'm missing. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rmeggins at redhat.com Tue Mar 13 20:42:29 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 13 Mar 2007 14:42:29 -0600 Subject: [Fedora-directory-users] Error while running setup: security library: bad database. In-Reply-To: <5849d9130703130937j67f4893agdb76f3b049821946@mail.gmail.com> References: <5849d9130703130937j67f4893agdb76f3b049821946@mail.gmail.com> Message-ID: <45F70CB5.1090809@redhat.com> clockwork at sigsys.org wrote: > So when I run the setup script for 1.0.4 on RHEL 4.4 I get the > following error: > > [13/Mar/2007:11:56:47 -0400] - SSL alert: Security Initialization: NSS > initialization failed (Netscape Portable Runtime error -8174 - > security library: bad database.): path: /opt/fedora-ds/alias/, certdb > prefix: slapd-util3-, keydb prefix: slapd-util3-. > [slapd-util3]: [13/Mar/2007:11:56:47 -0400] - ERROR: NSS > Initialization Failed. > error:[13/Mar/2007:11:56:47 -0400] - ERROR: NSS Initialization\nFailed. > system_errno:2
ls -al /opt/fedora-ds/alias
grep nsslapd-localuser /opt/fedora-ds/slapd-util3/config/dse.ldif
> > > I'm not exactly clear on what it's trying to do; since it creates those > files I'm not sure what it's failing at. Is it looking for > a library that's not installed? I have tried pointing ld to the right > stuff, and I have all of the ldd deps solved for the slapd binary. > However I think there is something I'm missing. > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL: From Bill.Bailey at northlandchurch.net Tue Mar 13 21:27:35 2007
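An added example, not code from the thread: a shell function that performs the two checks Richard's reply asks for, on the file names the error message itself gives (alias/slapd-util3-cert8.db and -key3.db). It reads nsslapd-localuser from dse.ldif, verifies that both NSS database files exist and are owned by that account, and verifies that the key database is not readable by others, which is the one of the three that holds private key material. The temporary files the test exercises it with are constructed; the paths follow the 1.0.x layout in the post and the instance name util3 is taken from it.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the NSS certificate/key
# database that slapd opens at startup against the account it runs as
# (nsslapd-localuser in dse.ldif). NSS error -8174 ("security library: bad
# database") is what slapd logs when that database cannot be opened as
# expected, so these are the first things to verify.
#
# check_nss_db ALIAS_DIR INSTANCE DSE_LDIF   -> exit 0 if every check passes
# e.g. check_nss_db /opt/fedora-ds/alias util3 /opt/fedora-ds/slapd-util3/config/dse.ldif
check_nss_db() {
    alias_dir=$1 inst=$2 dse=$3 rc=0
    # first nsslapd-localuser value in dse.ldif (attribute names are case-insensitive)
    localuser=$(awk -F': *' 'tolower($1) == "nsslapd-localuser" { print $2; exit }' "$dse")
    if [ -z "$localuser" ]; then
        echo "no nsslapd-localuser in $dse"
        return 1
    fi
    for db in cert8.db key3.db; do
        f="$alias_dir/slapd-$inst-$db"
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        # ls -ld is used instead of stat(1) because its -c/-f flags differ
        # between GNU and BSD; field 1 is the mode string, field 3 the owner.
        owner=$(ls -ld "$f" | awk '{ print $3 }')
        others=$(ls -ld "$f" | awk '{ print substr($1, 8, 3) }')
        if [ "$owner" != "$localuser" ]; then
            echo "$f is owned by $owner, not nsslapd-localuser $localuser"; rc=1
        fi
        if [ "$db" = key3.db ] && [ "$others" != "---" ]; then
            echo "$f is accessible by others (others=$others); it holds the private key"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "NSS database for slapd-$inst is consistent with $localuser"
    return $rc
}
```

The check is deliberately conservative: it reports a world-readable key3.db even when the server would start, because a readable key database is a leaked server key, not a startup problem. If both files are present, correctly owned and the error persists, the database contents rather than their permissions are suspect, and certutil -L -d /opt/fedora-ds/alias -P slapd-util3- is the next thing to try.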
From: Bill.Bailey at northlandchurch.net (Bill Bailey) Date: Tue, 13 Mar 2007 17:27:35 -0400 Subject: [Fedora-directory-users] LDAP and RDBMS Integration Message-ID: <690BA3B35A2861419CBF6833BD537AD224375E@nacdmail.NORTHLANDCC.NET> Hi, I noticed on the list of features an item indicating that data interoperability plug-ins are available to allow the use of an RDBMS as a data source, but I'm having trouble locating the specifics (e.g. which databases, what sort of integration, etc.) in the documentation. Anyone have any pointers on where I can find more information on this? In particular, I'm struggling with whether to use a directory server for user management or a database. If I store users in my LDAP directory (e.g. username, password, name, address, phone, etc.), there is still user data that I need to store in a database (e.g. transaction data or other frequently modified data) ... and I need to be able to correlate the two. For example, for reporting I may need to display both the basic user info and demographic information that is so well suited for a directory alongside data that comes from a database. This seems to me problematic since the data models and query languages are different. And even if I could make the LDAP data look like something I could query with SQL ... and join with real RDBMS tables ... it would seem likely that performance might be less than great. My thinking is that if I could get the LDAP server to use e.g. MySQL under the covers for storage, but I could still get access (read-only) to the underlying tables, I might be able to have the best of both worlds (assuming the underlying table structure was amenable to being joined to my tables without too many contortions). I'm guessing my dilemma isn't new ... has anyone else struggled with this and, if so, how did you resolve it? And have you been satisfied with the solution you selected? Thanks for any input or comments.
Bill Bailey -------------- next part -------------- An HTML attachment was scrubbed... URL: From gholbert at broadcom.com Tue Mar 13 21:55:18 2007 
From: gholbert at broadcom.com (George Holbert) Date: Tue, 13 Mar 2007 14:55:18 -0700 Subject: [Fedora-directory-users] LDAP and RDBMS Integration In-Reply-To: <690BA3B35A2861419CBF6833BD537AD224375E@nacdmail.NORTHLANDCC.NET> References: <690BA3B35A2861419CBF6833BD537AD224375E@nacdmail.NORTHLANDCC.NET> Message-ID: <45F71DC6.7010602@broadcom.com> Sun recently released an LDAP proxy server product which is advertised as a solution to this kind of problem. The idea is it acts as a frontend LDAP server to multiple types of backend data sources. Here's the man page to the commandline config program (dpconf), which will give you an idea of what it's supposed to be able to do: http://docs.sun.com/app/docs/doc/819-0986/6n3chglmc?a=view I haven't used it personally, but it looks like it might be of interest for you. Bill Bailey wrote: > > Hi, > > I noticed on the list of features an item indicating that data > interoperability plug-ins are available to allow the use of an RDBMS > as a data source, but I'm having trouble locating the specifics (e.g. > which databases, what sort of integration, etc.) in the documentation. > Anyone have any pointers on where I can find more information on this? > > In particular, I'm struggling with whether to use a directory server > for user management or a database. If I store users in my LDAP > directory (e.g. username, password, name, address, phone, etc.), there > is still user data that I need to store in a database (e.g. > transaction data or other frequently modified data) ... and I need to be > able to correlate the two. For example, for reporting I may need to > display both the basic user info and demographic information that is > so well suited for a directory alongside data that comes from a > database. This seems to me problematic since the data models and query > languages are different. And even if I could make the LDAP data look > like something I could query with SQL ... and join with real RDBMS > tables ...
it would seem likely that performance might be less than great. > > My thinking is that if I could get the LDAP server to use e.g. MySQL > under the covers for storage, but I could still get access (read-only) > to the underlying tables, I might be able to have the best of both > worlds (assuming the underlying table structure was amenable to being > joined to my tables without too many contortions). I'm guessing my > dilemma isn't new - has anyone else struggled with this and, if so, > how did you resolve it? And have you been satisfied with the solution you > selected? > > > Thanks for any input or comments. > > Bill Bailey > > ------------------------------------------------------------------------ From rmeggins at redhat.com Tue Mar 13 22:18:08 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 13 Mar 2007 16:18:08 -0600 Subject: [Fedora-directory-users] LDAP and RDBMS Integration In-Reply-To: <690BA3B35A2861419CBF6833BD537AD224375E@nacdmail.NORTHLANDCC.NET> References: <690BA3B35A2861419CBF6833BD537AD224375E@nacdmail.NORTHLANDCC.NET> Message-ID: <45F72320.6090607@redhat.com> Bill Bailey wrote: > > Hi, > > I noticed on the list of features an item indicating that data > interoperability plug-ins are available to allow the use of an RDBMS > as a data source, but I'm having trouble locating the specifics (e.g. > which databases, what sort of integration, etc.) in the documentation. > Anyone have any pointers on where I can find more information on this? > http://directory.fedora.redhat.com/wiki/FAQ#Can_I_replace_Sleepycat_with_Oracle.2C_or_Postgres.2C_etc..3F There are no plug-ins available. The plug-in architecture will allow this, but someone must write some C code in order to be able to do this. > > In particular, I'm struggling with whether to use a directory server > for user management or a database. If I store users in my LDAP > directory (e.g. username, password, name, address, phone, etc.), there > is still user data that I need to store in a database (e.g. > transaction data or other frequently modified data) - and I need to be > able to correlate the two. For example, for reporting I may need to > display both the basic user info and demographic information that is > so well suited for a directory alongside data that comes from a > database. This seems to me problematic since the data models and query > languages are different. And even if I could make the LDAP data look > like something I could query with SQL - and join with real RDBMS > tables - it would seem likely that performance might be less than great. > > My thinking is that if I could get the LDAP server to use e.g.
MySQL > under the covers for storage, but I could still get access (read-only) > to the underlying tables, I might be able to have the best of both > worlds (assuming the underlying table structure was amenable to being > joined to my tables without too many contortions). I'm guessing my > dilemma isn't new - has anyone else struggled with this and, if so, > how did you resolve it? And have you been satisfied with the solution you > selected? > > > Thanks for any input or comments. > > Bill Bailey > > ------------------------------------------------------------------------ From y-hira at nttpc.co.jp Wed Mar 14 01:18:57 2007
From: y-hira at nttpc.co.jp (Yasuhiro Hiraishi) Date: Wed, 14 Mar 2007 10:18:57 +0900 Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem.... In-Reply-To: <45F6AE31.2050209@redhat.com> References: <20070313151246.88DA.Y-HIRA@nttpc.co.jp> <45F6AE31.2050209@redhat.com> Message-ID: <20070314100317.B457.Y-HIRA@nttpc.co.jp> Hello. > What is your client? I use perl-ldap-0.33. http://search.cpan.org/~gbarr/perl-ldap-0.33/ If you know a better library, please tell me. My goal is to use 'Server Side Sorting' with any number of entries with a client side sizelimit. Thank you. On Tue, 13 Mar 2007 07:59:13 -0600 Richard Megginson wrote: > Yasuhiro Hiraishi wrote: > > Hello, > > > > > >> You mean, have the client set the size limit? Yes, but the client > >> cannot set the maximum to be higher than the maximum configured on the > >> server side. The sizelimit is part of the LDAP Search Request. > >> > > > > Yes, I mean, have the client set the size limit. > > > > > >> What are your server and client side sizelimit settings? > >> > > > > I set "1000" as the client size limit and > > set "2147483647" as the server side size limit in these parameters: > > > > - "Performance tab" -> "sizelimit" > > - "Database Link Setting" -> "Default Creation Parameter tab" -> > > "sizelimit" > > - "Database Setting" -> "LDBM-Plugin Setting tab" -> "Look-through limit" > > > > I'm not sure which parameters are actually the server side size limit. > > > All of these are server side limits. > > What is your client? > > > > Thank you. > > > > On Tue, 06 Mar 2007 20:40:33 -0700 > > Richard Megginson wrote: > > > > > >> Yasuhiro Hiraishi wrote: > >> > >>> Hello.. > >>> > >>> > >>> > >>>>> Below is what I did > >>>>> ------------------------------------------ > >>>>> 1. Install Fedora Directory Service. > >>>>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console. > >>>>> 3.
Creating Presence and Substring Indexes of 'uid' from the Server Console > >>>>> > >>>>> > >>>>> > >>>> Was there not already a presence index for uid? > >>>> > >>>> > >>> Sorry. I made a mistake. There was already a presence index. > >>> > >>> > >>> > >>>> This may also be a problem with the search sizelimit. > >>>> > >>>> > >>> What does 'sizelimit' mean? > >>> Do you mean the configuration which limits how many entries are returned from an FDS server? > >>> > >>> > >> Yes. > >> > >>> Is it possible to use 'Server Side Sorting' with a sizelimit at the client side? > >>> > >>> > >> You mean, have the client set the size limit? Yes, but the client > >> cannot set the maximum to be higher than the maximum configured on the > >> server side. The sizelimit is part of the LDAP Search Request. > >> > >>> I want to know why 'Server Side Sorting' is working with 4000 entries > >>> but not working with more than 5000 entries, > >>> In both situations 'sizelimit' is 1000. > >>> > >>> > >> What are your server and client side sizelimit settings? > >> > >>> I will show you the access log when it succeeds. > >>> -------------------------- > >>> [01/Mar/2007:14:05:24 +0900] conn=93 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 > >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 BIND dn="" method=128 version=3 > >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" > >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL > >>> [01/Mar/2007:14:05:24 +0900] conn=93 op=1 SORT uid (4000) > >>> [01/Mar/2007:14:05:26 +0900] conn=93 op=1 RESULT err=4 tag=101 nentries=1000 etime=2 notes=U > >>> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 UNBIND > >>> [01/Mar/2007:14:05:26 +0900] conn=93 op=2 fd=68 closed - U1 > >>> --- > >>> > >>> Do you know how to use 'Server Side Sorting' with any number of entries with a client side sizelimit? > >>> > >>> Thank you.
> >>> > >>> On Mon, 05 Mar 2007 10:28:34 -0700 > >>> Richard Megginson wrote: > >>> > >>> > >>> > >>>> Yasuhiro Hiraishi wrote: > >>>> > >>>> > >>>>> Hello. > >>>>> > >>>>> I am planning to use the Fedora Directory Server > >>>>> on Redhat Linux ES4.0 to do 'Server Side Sorting'. > >>>>> The system processed around 4000 entries successfully. > >>>>> However, when the system tried processing more than 5000 entries, > >>>>> it returned an error such as 'LDAP_UNWILLING_TO_PERFORM'. > >>>>> > >>>>> Does anyone know how to fix this problem? > >>>>> > >>>>> Just in case, I show you the error logs below... > >>>>> > >>>>> -------------------------- > >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 fd=68 slot=68 connection from 127.0.0.1 to 127.0.0.1 > >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 BIND dn="" method=128 version=3 > >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="" > >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SRCH base="ou=Users,o=Section,o=Company" scope=1 filter="(uid=*)" attrs=ALL > >>>>> [01/Mar/2007:14:07:15 +0900] conn=96 op=1 SORT uid (*) > >>>>> [01/Mar/2007:14:07:16 +0900] conn=96 op=1 RESULT err=4 tag=101 nentries=1000 etime=1 notes=U > >>>>> [01/Mar/2007:14:07:17 +0900] conn=96 op=2 UNBIND > >>>>> [01/Mar/2007:14:07:17 +0 > >>>>> ----- > >>>>> > >>>>> Below is what I did > >>>>> ------------------------------------------ > >>>>> 1. Install Fedora Directory Service. > >>>>> 2. Change look-through limit in Database Setting to 2147483647 from the Server Console. > >>>>> 3. Creating Presence and Substring Indexes of 'uid' from the Server Console > >>>>> > >>>>> > >>>>> > >>>> Was there not already a presence index for uid? > >>>> > >>>> This may also be a problem with the search sizelimit. > >>>> > >>>> > >>>>> 4. I start entry .... > >>>>> -- > >>>>> > >>>>> Thank you.
From rmeggins at redhat.com Wed Mar 14 02:38:16 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Tue, 13 Mar 2007 20:38:16 -0600 Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem.... In-Reply-To: <20070314100317.B457.Y-HIRA@nttpc.co.jp> References: <20070313151246.88DA.Y-HIRA@nttpc.co.jp> <45F6AE31.2050209@redhat.com> <20070314100317.B457.Y-HIRA@nttpc.co.jp> Message-ID: <45F76018.1090909@redhat.com> Yasuhiro Hiraishi wrote: > Hello. > > >> What is your client? >> > I use perl-ldap-0.33. > http://search.cpan.org/~gbarr/perl-ldap-0.33/ > > If you know a better library, please tell me. > My goal is to use 'Server Side Sorting' with any number of entries with a client side sizelimit. > I'm not sure I understand. Do you want to return the entries in sorted order, 1000 at a time? If you want to be able to page through sorted entries, you should probably use Virtual List View (VLV), also known as a Browsing Index in the Console. > Thank you.
From y-hira at nttpc.co.jp Wed Mar 14 03:21:50 2007
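The controls Richard is recommending, as an added worked example (this is not code from this thread, from perl-ldap or from Fedora Directory Server): a client that wants the sorted list 1000 entries at a time sends a Server Side Sort request control (OID 1.2.840.113556.1.4.473, RFC 2891) together with a Virtual List View request control (OID 2.16.840.1.113730.3.4.9) on the same search, and reads the VLV response control (OID 2.16.840.1.113730.3.4.10) to learn the total contentCount and the contextID to hand back on the next page. The block hand-encodes those control values in BER so it runs offline without a directory; the sort attribute "uid", the page size of 1000 and the sample response bytes are assumptions for illustration. In perl-ldap, Net::LDAP::Control::Sort and Net::LDAP::Control::VLV produce the same bytes for you.

```python
"""Server Side Sort + Virtual List View request controls, hand-encoded in BER.

Added example for this thread, not code from perl-ldap or Fedora DS.
Assumptions (illustration only): sort attribute "uid", page size 1000.
"""

SSS_REQUEST_OID = "1.2.840.113556.1.4.473"      # RFC 2891 SortKeyList
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"
VLV_RESPONSE_OID = "2.16.840.1.113730.3.4.10"

VLV_RESULT_NAMES = {
    0: "success", 11: "adminLimitExceeded", 53: "unwillingToPerform",
    60: "sortControlMissing", 61: "offsetRangeError", 80: "other",
}


def ber_len(n):
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value, tag=0x02):
    """Minimal two's-complement INTEGER; a leading 0x00 keeps the sign bit clear."""
    if value < 0:
        raise ValueError("these controls only carry non-negative integers")
    return ber_tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_seq(*parts, tag=0x30):
    return ber_tlv(tag, b"".join(parts))


def sss_control_value(sort_keys):
    """SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType OCTET STRING,
    orderingRule [0] OPTIONAL, reverseOrder [1] BOOLEAN DEFAULT FALSE }.
    sort_keys: list of (attribute, ordering_rule_or_None, reverse_bool)."""
    keys = []
    for attr, rule, reverse in sort_keys:
        parts = [ber_tlv(0x04, attr.encode("ascii"))]
        if rule:
            parts.append(ber_tlv(0x80, rule.encode("ascii")))   # [0] orderingRule
        if reverse:
            parts.append(ber_tlv(0x81, b"\xff"))                 # [1] reverseOrder TRUE
        keys.append(ber_seq(*parts))
    return ber_seq(*keys)


def vlv_request_value(before, after, offset, content_count, context_id=None):
    """VirtualListViewRequest, byOffset form (offset is 1-based in the sorted list).
    content_count is 0 on the first request; afterwards echo the server's value."""
    by_offset = ber_seq(ber_int(offset), ber_int(content_count), tag=0xA0)  # [0] byOffset
    parts = [ber_int(before), ber_int(after), by_offset]
    if context_id:
        parts.append(ber_tlv(0x04, context_id))
    return ber_seq(*parts)


def vlv_page_request(page_no, page_size, content_count=0, context_id=None):
    """Page `page_no` (1-based): target the page's first entry and take
    page_size-1 entries after it, so each page holds exactly page_size entries."""
    offset = (page_no - 1) * page_size + 1
    return vlv_request_value(0, page_size - 1, offset, content_count, context_id)


def ldap_control(oid, value, critical=True):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN, controlValue OCTET STRING }"""
    parts = [ber_tlv(0x04, oid.encode("ascii"))]
    if critical:
        parts.append(ber_tlv(0x01, b"\xff"))
    if value is not None:
        parts.append(ber_tlv(0x04, value))
    return ber_seq(*parts)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def vlv_response_parse(value):
    """VirtualListViewResponse ::= SEQUENCE { targetPosition INTEGER, contentCount INTEGER,
    virtualListViewResult ENUMERATED, contextID OCTET STRING OPTIONAL }"""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("VLV response control value is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, content, pos = _read_tlv(body, pos)
        fields.append((t, content))
    result = int.from_bytes(fields[2][1], "big")
    return {
        "targetPosition": int.from_bytes(fields[0][1], "big"),
        "contentCount": int.from_bytes(fields[1][1], "big"),
        "result": result,
        "resultName": VLV_RESULT_NAMES.get(result, "unknown(%d)" % result),
        "contextID": fields[3][1] if len(fields) > 3 else None,
    }


def pages_needed(content_count, page_size):
    return (content_count + page_size - 1) // page_size


if __name__ == "__main__":
    # First request: sort on uid, page 1 of 1000 (offset 1, before 0, after 999)
    for c in (ldap_control(SSS_REQUEST_OID, sss_control_value([("uid", None, False)])),
              ldap_control(VLV_REQUEST_OID, vlv_page_request(1, 1000))):
        print(c.hex())
```

A page of 1000 is afterCount 999 around the target entry, which stays within the client's sizelimit of 1000, so the server no longer has to stop with err=4 part-way through the list. After the first page the client copies contentCount and contextID from the response into every following request; a result of offsetRangeError (61) means the offset is past the end, and sortControlMissing (60) means the VLV control was sent without the sort control. The search is only served from a VLV index when its base, scope, filter and sort attribute match the vlvSearch/vlvIndex definition, which is what the Console's Browsing Index creates.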
From: y-hira at nttpc.co.jp (Yasuhiro Hiraishi) Date: Wed, 14 Mar 2007 12:21:50 +0900 Subject: [Fedora-directory-users] 'Server Side Sorting' in many entries Problem.... In-Reply-To: <45F76018.1090909@redhat.com> References: <20070314100317.B457.Y-HIRA@nttpc.co.jp> <45F76018.1090909@redhat.com> Message-ID: <20070314121755.B45A.Y-HIRA@nttpc.co.jp> Hello. > I'm not sure I understand. Do you want to return the entries in sorted > order, 1000 at a time? Yes. > If you want to be able to page through sorted > entries, you should probably use Virtual List View (VLV), also known > as a Browsing Index in the Console. Thank you very much. I will try to use the VLV index. Thanks. On Tue, 13 Mar 2007 20:38:16 -0600 Richard Megginson wrote: > Yasuhiro Hiraishi wrote: > > Hello. > > > > > >> What is your client? > >> > > I use perl-ldap-0.33. > > http://search.cpan.org/~gbarr/perl-ldap-0.33/ > > > > If you know a better library, please tell me. > > My goal is to use 'Server Side Sorting' with any number of entries with a client side sizelimit. > > > I'm not sure I understand. Do you want to return the entries in sorted > order, 1000 at a time? If you want to be able to page through sorted > entries, you should probably use Virtual List View (VLV), also known > as a Browsing Index in the Console. > > Thank you.
From rgunawans at yahoo.co.uk Wed Mar 14 08:42:35 2007 From: rgunawans at yahoo.co.uk (Robby Gunawan S.) Date: Wed, 14 Mar 2007 08:42:35 +0000 (GMT) Subject: [Fedora-directory-users] accessing Fedora DS from other subnet Message-ID: <20070314084235.37768.qmail@web86915.mail.ukl.yahoo.com> Dear all, How do I set up Fedora DS so the directory can be accessed from another subnet? My subnet is 172.18.x.x and my branch subnet is 192.168.x.x; we're connected using VSAT. We can ping each other, remote into each other, and port 389 is already open, but why is it still not working? Thanks. Regards, Robby Gunawan S From yoram.kahana at gmail.com Wed Mar 14 10:07:36 2007
From: yoram.kahana at gmail.com (Yoram Kahana) Date: Wed, 14 Mar 2007 12:07:36 +0200 Subject: [Fedora-directory-users] tls_checkpeer for the openldap API Message-ID: <37d92a190703140307r53a2df9dwd7a959c32ce2a567@mail.gmail.com> Hi, I am using FDS with SSL/TLS enabled. I had to add the "tls_checkpeer no" keyword to my ldap.conf config file. It works fine and solved the problem. I am looking for the corresponding solution when using the openldap (or Fedora) API. After ldap_start_tls_s(ldap,NULL,NULL) I am getting the problem that the server certificate failed in the verifying procedure. Any idea how to tell the API to ignore the server certificate, similar to tls_checkpeer? Thanks in advance Yoram From gregory.depaix at inrp.fr Wed Mar 14 15:43:24 2007 From: gregory.depaix at inrp.fr (Grégory Depaix) Date: Wed, 14 Mar 2007 16:43:24 +0100 Subject: [Fedora-directory-users] admin-server error and cloning incapacity Message-ID: <45F8181C.3070506@inrp.fr> Hi, I am running FDS 1.0.2 and 1.0.4 and I've got the same problem on both boxes: the admin-server error log shows this: [Wed Mar 14 14:06:19 2007] [notice] [client x.x.x.x] admserv_host_ip_check: ap_get_remote_host could not resolve x.x.x.x [Wed Mar 14 14:06:19 2007] [error] [client x.x.x.x] client denied by server configuration: /opt/fedora-ds/Operation I can access the console interface and the directory server's interface. I don't know how to fix that issue. Moreover, I think that since then I can't clone the directory server configuration anymore.... Any idea what could be causing this error? Thanks, Greg From gholbert at broadcom.com Wed Mar 14 19:45:49 2007
From: gholbert at broadcom.com (George Holbert) Date: Wed, 14 Mar 2007 12:45:49 -0700 Subject: [Fedora-directory-users] lookthrough vs. sizelimit Message-ID: <45F850ED.2080509@broadcom.com> Something I've been wondering about: It seems like nsslapd-lookthroughlimit and nsslapd-sizelimit effectively do the same thing, but just return a different error code. If nsslapd-lookthroughlimit is lower, the error code is 11 and the error message is: ldap_search: Administrative limit exceeded If nsslapd-sizelimit is lower, the error code is 4 and the error message is: ldap_search: Sizelimit exceeded I've read the description of both of these variables many times in the documentation, and I think I understand the theoretical difference. But in practical terms, it still seems like whichever has the higher value will never have an effect, since the lower limit on the other is always hit first. Can anyone describe a practical situation where both the lookthrough and size limits would come into play? Is there any particular reason to prefer one or the other to enforce maximum search result limits? Thank you! -- George From pengle at rice.edu Wed Mar 14 20:09:45 2007 
From: pengle at rice.edu (Paul Engle) Date: Wed, 14 Mar 2007 15:09:45 -0500 Subject: [Fedora-directory-users] lookthrough vs. sizelimit In-Reply-To: <45F850ED.2080509@broadcom.com> References: <45F850ED.2080509@broadcom.com> Message-ID: <3A7023E236590800802F9B18@nueces.is.rice.edu> As I understand it, sizelimit determines the maximum number of results that are returned from the search, whereas lookthroughlimit determines the maximum number of things that will be searched in the first place. Frankly, in our setup I have lookthroughlimit set to -1 (unlimited). Since the order of the searching is non-deterministic, I can't fathom any use for it. It has to be at least as large as your largest searchable tree, or else there will be entries that can never be returned in a search. If anyone out there is using this parameter, can you explain how/why? -paul --On Wednesday, March 14, 2007 12:45:49 PM -0700 George Holbert wrote: > Something I've been wondering about: > It seems like nsslapd-lookthroughlimit and nsslapd-sizelimit effectively > do the same thing, but just return a different error code. > > If nsslapd-lookthroughlimit is lower, the error code is 11 and the error > message is: > ldap_search: Administrative limit exceeded > > If nsslapd-sizelimit is lower, the error code is 4 and the error message > is: > ldap_search: Sizelimit exceeded > > I've read the description of both of these variables many times in the > documentation, and I think I understand the theoretical difference. But > in practical terms, it still seems like whichever has the higher value > will never have an effect, since the lower limit on the other is always > hit first. > > Can anyone describe a practical situation where both the lookthrough and > size limits would come into play? > Is there any particular reason to prefer one or the other to enforce > maximum search result limits? > > > Thank you!
> -- George -- Paul D. Engle | Rice University Sr. Systems Administrator | Information Technology - MS119 (713) 348-4702 | P.O. Box 1892 pengle at rice.edu | Houston, TX 77251-1892 From david_list at boreham.org Wed Mar 14 20:14:41 2007
From: david_list at boreham.org (David Boreham) Date: Wed, 14 Mar 2007 14:14:41 -0600 Subject: [Fedora-directory-users] lookthrough vs. sizelimit In-Reply-To: <3A7023E236590800802F9B18@nueces.is.rice.edu> References: <45F850ED.2080509@broadcom.com> <3A7023E236590800802F9B18@nueces.is.rice.edu> Message-ID: <45F857B1.1060101@boreham.org> The notion behind lookthrough limit is that the administrator can determine an upper bound for the amount of WORK that the server will perform for a given client's search. This is basically a simple form of denial of service control. So clients that hit the limit are not expected to receive useful results at all. The client should say something like 'the server didn't complete your search because you burned too much gas'. I believe it is fairly common to want to set a lookthrough limit for 'ordinary' users, but have an infinite limit for special accounts that are expected to perform expensive searches. There are other ways to skin the cat, for example denying certain users the ability to perform un-indexed searches at all. Paul Engle wrote: >As I understand it, sizelimit determines the maximum number of results that >are returned from the search, whereas lookthroughlimit determines the >maximum number of things that will be searched in the first place. > >Frankly, in our setup I have lookthroughlimit set to -1 (unlimited). Since >the order of the searching is non-deterministic, I can't fathom any use for >it. It has to be at least as large as your largest searchable tree, or else >there will be entries that can never be returned in a search. If anyone out >there is using this parameter, can you explain how/why? > > -paul
>> >>If nsslapd-lookthroughlimit is lower, the error code is 11 and the error >>message is: >>ldap_search: Administrative limit exceeded >> >>If nsslapd-sizelimit is lower, the error code is 4 and the error message >>is: >>ldap_search: Sizelimit exceeded >> >>I've read the description of both of these variables many times in the >>documentation, and I think I understand the theoretical difference. But >>in practical terms, it still seems like whichever has the higher value >>will never have an effect, since the lower limit on the other is always >>hit first. >> >>Can anyone describe a practical situation where both the lookthrough and >>size limits would come into play? >>Is there any particular reason to prefer one or the other to enforce >>maximum search result limits? >> >> >>Thank you! >>-- George >> >> >>-- >>Fedora-directory-users mailing list >>Fedora-directory-users at redhat.com >>https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > > >- -- >Paul D. Engle | Rice University >Sr. Systems Administrator | Information Technology - MS119 >(713) 348-4702 | P.O. Box 1892 >pengle at rice.edu | Houston, TX 77251-1892 >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.2.6 (GNU/Linux) > >iD8DBQFF+FadCpkISWtyHNsRAuUVAKC3jFoDbyrl9ut37XhwySrBMX4MOQCcCton >eggDv1KLhHc1Y8dctEjZIq4= >=XnpW >-----END PGP SIGNATURE----- > >-- >Fedora-directory-users mailing list >Fedora-directory-users at redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From gholbert at broadcom.com Wed Mar 14 20:28:05 2007 
From: gholbert at broadcom.com (George Holbert) Date: Wed, 14 Mar 2007 13:28:05 -0700 Subject: [Fedora-directory-users] lookthrough vs. sizelimit In-Reply-To: <45F857B1.1060101@boreham.org> References: <45F850ED.2080509@broadcom.com> <3A7023E236590800802F9B18@nueces.is.rice.edu> <45F857B1.1060101@boreham.org> Message-ID: <45F85AD5.30700@broadcom.com>

> The notion behind lookthrough limit is that the administrator
> can determine an upper bound for the amount of WORK that
> the server will perform for a given client's search.

That makes sense.
Does this mean if a sizelimit (not lookthrough) is hit, the server continues searching the database, even though it has already returned error code 4 to the client?

Thanks for the responses,
-- George

David Boreham wrote:
> The notion behind lookthrough limit is that the administrator
> can determine an upper bound for the amount of WORK that
> the server will perform for a given client's search. This is
> basically a simple form of denial of service control.
> So clients that hit the limit are not expected to receive
> useful results at all. The client should say something like
> 'the server didn't complete your search because you burned
> too much gas'.
>
> I believe it is fairly common to want to set a lookthrough limit
> for 'ordinary' users, but have an infinite limit for special accounts
> that are expected to perform expensive searches.
>
> There are other ways to skin the cat, for example denying
> certain users the ability to perform un-indexed searches at all.
>
> Paul Engle wrote:
>> As I understand it, sizelimit determines the maximum number of
>> results that are returned from the search, whereas lookthroughlimit
>> determines the maximum number of things that will be searched in the
>> first place.
>>
>> Frankly, in our setup I have lookthroughlimit set to -1 (unlimited).
>> Since the order of the searching is non-deterministic, I can't fathom
>> any use for it. It has to be at least as large as your largest
>> searchable tree, or else there will be entries that can never be
>> returned in a search. If anyone out there is using this parameter,
>> can you explain how/why?
>>
>> -paul
>>
>> --On Wednesday, March 14, 2007 12:45:49 PM -0700 George Holbert wrote:
>>
>>> Something I've been wondering about:
>>> It seems like nsslapd-lookthroughlimit and nsslapd-sizelimit
>>> effectively do the same thing, but just return a different error code.
>>>
>>> If nsslapd-lookthroughlimit is lower, the error code is 11 and the
>>> error message is:
>>> ldap_search: Administrative limit exceeded
>>>
>>> If nsslapd-sizelimit is lower, the error code is 4 and the error
>>> message is:
>>> ldap_search: Sizelimit exceeded
>>>
>>> I've read the description of both of these variables many times in the
>>> documentation, and I think I understand the theoretical difference.
>>> But in practical terms, it still seems like whichever has the higher
>>> value will never have an effect, since the lower limit on the other
>>> is always hit first.
>>>
>>> Can anyone describe a practical situation where both the lookthrough
>>> and size limits would come into play?
>>> Is there any particular reason to prefer one or the other to enforce
>>> maximum search result limits?
>>>
>>> Thank you!
>>> -- George
>>
>> - -- Paul D. Engle | Rice University
>> Sr. Systems Administrator | Information Technology - MS119
>> (713) 348-4702 | P.O. Box 1892
>> pengle at rice.edu | Houston, TX 77251-1892

From david_list at boreham.org Wed Mar 14 21:30:40 2007
From: david_list at boreham.org (David Boreham) Date: Wed, 14 Mar 2007 15:30:40 -0600 Subject: [Fedora-directory-users] lookthrough vs. sizelimit In-Reply-To: <45F85AD5.30700@broadcom.com> References: <45F850ED.2080509@broadcom.com> <3A7023E236590800802F9B18@nueces.is.rice.edu> <45F857B1.1060101@boreham.org> <45F85AD5.30700@broadcom.com> Message-ID: <45F86980.1090407@boreham.org>

George Holbert wrote:
>> The notion behind lookthrough limit is that the administrator
>> can determine an upper bound for the amount of WORK that
>> the server will perform for a given client's search.
>
> That makes sense.
> Does this mean if a sizelimit (not lookthrough) is hit, the server
> continues searching the database, even though it has already returned
> error code 4 to the client?

No. That'd be quite silly, wouldn't it?

It _might_ do a bunch of work up front to service a search only to discover when sending entries back to the client that the size limit is exceeded.

From gholbert at broadcom.com Wed Mar 14 22:02:11 2007
From: gholbert at broadcom.com (George Holbert) Date: Wed, 14 Mar 2007 15:02:11 -0700 Subject: [Fedora-directory-users] lookthrough vs. sizelimit In-Reply-To: <45F86980.1090407@boreham.org> References: <45F850ED.2080509@broadcom.com> <3A7023E236590800802F9B18@nueces.is.rice.edu> <45F857B1.1060101@boreham.org> <45F85AD5.30700@broadcom.com> <45F86980.1090407@boreham.org> Message-ID: <45F870E3.6000305@broadcom.com>

> No. That'd be quite silly, wouldn't it?

Absolutely :), that's why I was curious.
So correct me if this is wrong, but it sounds like either of the two can be used to limit how much the server works on a search, but they each take effect at a different part of the search algorithm.
I still wonder why you'd choose one over the other to implement result limits? Seems kind of like a door with two knobs. Maybe there are some specific cases where one is preferable.

Thanks again for the replies,
-- George

David Boreham wrote:
> George Holbert wrote:
>
>>> The notion behind lookthrough limit is that the administrator
>>> can determine an upper bound for the amount of WORK that
>>> the server will perform for a given client's search.
>>
>> That makes sense.
>> Does this mean if a sizelimit (not lookthrough) is hit, the server
>> continues searching the database, even though it has already returned
>> error code 4 to the client?
>
> No. That'd be quite silly, wouldn't it?
>
> It _might_ do a bunch of work up front to service a search
> only to discover when sending entries back to the client that the
> size limit is exceeded.

From rmeggins at redhat.com Wed Mar 14 22:16:41 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 14 Mar 2007 16:16:41 -0600 Subject: [Fedora-directory-users] lookthrough vs. sizelimit In-Reply-To: <45F870E3.6000305@broadcom.com> References: <45F850ED.2080509@broadcom.com> <3A7023E236590800802F9B18@nueces.is.rice.edu> <45F857B1.1060101@boreham.org> <45F85AD5.30700@broadcom.com> <45F86980.1090407@boreham.org> <45F870E3.6000305@broadcom.com> Message-ID: <45F87449.3020603@redhat.com>

George Holbert wrote:
>> No. That'd be quite silly, wouldn't it?
>
> Absolutely :), that's why I was curious.
> So correct me if this is wrong, but it sounds like either of the two can be
> used to limit how much the server works on a search, but they each
> take effect at a different part of the search algorithm.
> I still wonder why you'd choose one over the other to implement result
> limits? Seems kind of like a door with two knobs. Maybe there are some
> specific cases where one is preferable.

In general, lookthroughlimit is much stricter than sizelimit.

For example, let's say a user wants to do an unindexed search for (description=*something*). Let's say that there are 5000 users and 1000 users who have a description attribute that matches *something*. The server will have to search through every entry in sequential (indeterminate) order to find matches.

If you set lookthroughlimit to be 1000, and set sizelimit to be unlimited, the server will look at up to 1000 entries looking for description=*something*. Some of them may match, some of them may not, and the server will return 1000 or fewer entries (indeterminate). The server is limited in the amount of work it performs searching through the database.

If you set sizelimit to be 1000, and set lookthroughlimit to be unlimited, the server could look at all 5000 user entries, until it finds 1000 entries which match, at which point it will terminate the search and return the 1000 entries to the user.

> Thanks again for the replies,
> -- George
>
> David Boreham wrote:
>> George Holbert wrote:
>>
>>>> The notion behind lookthrough limit is that the administrator
>>>> can determine an upper bound for the amount of WORK that
>>>> the server will perform for a given client's search.
>>>
>>> That makes sense.
>>> Does this mean if a sizelimit (not lookthrough) is hit, the server
>>> continues searching the database, even though it has already
>>> returned error code 4 to the client?
>>
>> No. That'd be quite silly, wouldn't it?
>>
>> It _might_ do a bunch of work up front to service a search
>> only to discover when sending entries back to the client that the
>> size limit is exceeded.

-------------- next part --------------
A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL:

From gholbert at broadcom.com Wed Mar 14 22:24:04 2007
From: gholbert at broadcom.com (George Holbert) Date: Wed, 14 Mar 2007 15:24:04 -0700 Subject: [Fedora-directory-users] lookthrough vs. sizelimit In-Reply-To: <45F87449.3020603@redhat.com> References: <45F850ED.2080509@broadcom.com> <3A7023E236590800802F9B18@nueces.is.rice.edu> <45F857B1.1060101@boreham.org> <45F85AD5.30700@broadcom.com> <45F86980.1090407@boreham.org> <45F870E3.6000305@broadcom.com> <45F87449.3020603@redhat.com> Message-ID: <45F87604.3050709@broadcom.com>

That clarifies it perfectly. Thanks for the example!

Richard Megginson wrote:
> In general, lookthroughlimit is much stricter than sizelimit.
>
> For example, let's say a user wants to do an unindexed search for
> (description=*something*). Let's say that there are 5000 users and
> 1000 users who have a description attribute that matches *something*.
> The server will have to search through every entry in sequential
> (indeterminate) order to find matches.
>
> If you set lookthroughlimit to be 1000, and set sizelimit to be
> unlimited, the server will look at up to 1000 entries looking for
> description=*something*. Some of them may match, some of them may
> not, and the server will return 1000 or fewer entries
> (indeterminate). The server is limited in the amount of work it
> performs searching through the database.
>
> If you set sizelimit to be 1000, and set lookthroughlimit to be
> unlimited, the server could look at all 5000 user entries, until it
> finds 1000 entries which match, at which point it will terminate the
> search and return the 1000 entries to the user.

From Bkosick at mxlogic.com Wed Mar 14 23:30:05 2007
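The lookthrough-versus-sizelimit behaviour worked through in the thread above, as an added illustration that is not part of the list discussion and not the Fedora DS server code: a simplified Python model of an unindexed scan under the two limits, using Richard's numbers (5000 users, 1000 of them matching). The storage order, the "every fifth user matches" pattern and the exact point at which the model stops once sizelimit is reached are assumptions of the model; in the real server the scan order is indeterminate, which is exactly why the lookthrough case returns an unpredictable number of entries.

```python
"""Simplified model of how two Fedora DS search limits bound an unindexed
search.  Added illustration, not server code.

  nsslapd-lookthroughlimit  caps the number of candidate entries the server
                            EXAMINES (work done); LDAP result code 11
  nsslapd-sizelimit         caps the number of matching entries it RETURNS;
                            LDAP result code 4
"""

# LDAP result codes (RFC 4511)
SUCCESS = 0
SIZE_LIMIT_EXCEEDED = 4      # "Sizelimit exceeded"
ADMIN_LIMIT_EXCEEDED = 11    # "Administrative limit exceeded"
UNLIMITED = -1               # the value the server uses for "no limit"


def unindexed_search(entries, matches, lookthroughlimit=UNLIMITED, sizelimit=UNLIMITED):
    """Scan entries in storage order, as an unindexed search must.

    Returns (result_code, returned_entries, entries_examined).
    Model simplification: time limits, ACIs and per-bind-DN overrides are
    left out; when sizelimit is reached with candidates still unexamined
    the model reports SIZE_LIMIT_EXCEEDED, otherwise SUCCESS.
    """
    results = []
    examined = 0
    for entry in entries:
        # lookthroughlimit bounds WORK: refuse to examine candidate N+1.
        if lookthroughlimit != UNLIMITED and examined >= lookthroughlimit:
            return ADMIN_LIMIT_EXCEEDED, results, examined
        examined += 1
        if matches(entry):
            results.append(entry)
            # sizelimit bounds RESULTS: stop once N matches are in hand.
            if sizelimit != UNLIMITED and len(results) >= sizelimit:
                code = SIZE_LIMIT_EXCEEDED if examined < len(entries) else SUCCESS
                return code, results, examined
    return SUCCESS, results, examined


def build_directory(n_users=5000, every=5):
    """Constructed sample data mirroring the thread's numbers: 5000 users,
    every fifth one (1000 in total) has a description containing 'something'.
    The even spread is an assumption; a real database's order is unknown to
    the client."""
    return [
        {"uid": "user%d" % i,
         "description": "has something in it" if i % every == 0 else "nothing special"}
        for i in range(n_users)
    ]


def matches_something(entry):
    """The unindexed substring filter (description=*something*)."""
    return "something" in entry.get("description", "")


def lookthrough_only(entries):
    """lookthroughlimit=1000, sizelimit unlimited: at most 1000 entries are
    examined and an indeterminate number of them (the matches) returned."""
    return unindexed_search(entries, matches_something, lookthroughlimit=1000)


def sizelimit_only(entries):
    """sizelimit=1000, lookthroughlimit unlimited: the server keeps scanning
    until it has 1000 matches, however many entries that takes."""
    return unindexed_search(entries, matches_something, sizelimit=1000)


def both_limits(entries):
    """Both set: whichever bound is reached first ends the search."""
    return unindexed_search(entries, matches_something,
                            lookthroughlimit=1000, sizelimit=100)


if __name__ == "__main__":
    users = build_directory()
    for name, fn in (("lookthrough=1000", lookthrough_only),
                     ("sizelimit=1000", sizelimit_only),
                     ("lookthrough=1000 sizelimit=100", both_limits)):
        code, found, seen = fn(users)
        print("%-32s code=%2d returned=%4d examined=%4d"
              % (name, code, len(found), seen))
```

Run stand-alone, the lookthrough case comes back with code 11 after examining exactly 1000 entries and returning only the matches among them (200 with this sample), whereas the sizelimit case returns 1000 entries but has scanned almost the whole database first (4996 entries). That is the sense in which lookthroughlimit is the stricter, denial-of-service-oriented knob: it bounds the server's work regardless of how selective the filter is, while sizelimit only bounds what the client gets back. David's point about exempting special accounts is, in the real server, a per-bind-DN setting (the nsLookThroughLimit and nsSizeLimit attributes on the account entry) rather than the plain function arguments the model uses.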
From: Bkosick at mxlogic.com (Brian Kosick) Date: Wed, 14 Mar 2007 17:30:05 -0600 Subject: [Fedora-directory-users] FDS and Automatic home dir creation Message-ID: <1173915005.3980.16.camel@mxlrmt-190.corp.mxlogic.com>

Hi All,

I just found out about the fantastic pam_mkhomedir.so pam module. I have it working somewhat, I just need to know if what I want to do is possible.
Here's my setup:

FC4 with Fedora Directory Server 1.04 and is also the NFS /home share. On this server I have in the /etc/pam.d/system-auth file the following entry

session required pam_mkhomedir.so skel=/etc/skel umask=0077

Then I have client machines that use FDS and the /home NFS share to provide central login and /home dir capabilities.
The /home dir itself is NFS export RO and only the user dirs are RW within it.

Using ldap (hostobject, pam_check_host_attr) attributes, I do not let users log in to the FDS /home share server, just the clients.
I want to know if it is possible that the first time a user logs into one of the clients that it can somehow be passed to the /home dir server to create the user's home dir.

I have it working with test users currently, but ONLY when they are allowed to log in to the /home dir server, not any of the clients.

Any help, suggestions would be appreciated!

Thanks,
Brian

-------------- next part --------------
A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL:

From chaks.yoper at gmail.com Thu Mar 15 00:53:29 2007
From: chaks.yoper at gmail.com (Chakkaradeep C C) Date: Thu, 15 Mar 2007 06:23:29 +0530 Subject: [Fedora-directory-users] User Authentication and Adding Clients In-Reply-To: References: Message-ID:

Hi All,

> If I reboot, my Directory Server is not starting and I tried this -
> http://directory.fedora.redhat.com/wiki/Howto:SysVInit , but it's not
> working. Even after adding the services to chkconfig, the Directory Server
> is not getting automatically started. But if I manually do, service
> fedora-ds-admin start after the restart, it does start.

Well, the problem here was that System Message Bus was not starting for some reason without the fedora-ds and fedora-ds-admin started. And also, in my rc5.d scripts directory, fedora-ds and fedora-ds-admin were the last services to start, so I just shifted the two services to start before the system-message-bus service and now I do get FDS started after a Restart :).

Has anybody encountered this problem earlier? I didn't find this info in the Wiki, hence thought I could share.

> I want to setup my machine (where FDS is installed) to allow User
> authentication via Directory Server. I do configure authconfig, but I think
> unless I start the slapd and directory server, the ldap authentication will
> not be possible.

I still don't have any possible clue to do the above for my FDS box. I would be happy if anyone could help me out please.

Thanks in advance.

--
Regards,
C.C.Chakkaradeep,
http://chakkaradeep.wordpress.com
--
"Sometimes it's better not to ask - or to listen - when people tell you something can't be done. I didn't ask for permission or approval. I just went ahead and did it." - from "Direct from Dell"

-------------- next part --------------
An HTML attachment was scrubbed... URL:

From ABliss at preferredcare.org Thu Mar 15 02:19:45 2007
From: ABliss at preferredcare.org (Bliss, Aaron) Date: Wed, 14 Mar 2007 22:19:45 -0400 Subject: [Fedora-directory-users] FDS and Automatic home dir creation In-Reply-To: <1173915005.3980.16.camel@mxlrmt-190.corp.mxlogic.com> References: <1173915005.3980.16.camel@mxlrmt-190.corp.mxlogic.com> Message-ID:

Just wondering, do the nfs clients have write permissions to the nfs mount point?

Aaron

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Brian Kosick
Sent: Wednesday, March 14, 2007 7:30 PM
To: fedora-directory-users at redhat.com
Subject: [Fedora-directory-users] FDS and Automatic home dir creation

Hi All,

I just found out about the fantastic pam_mkhomedir.so pam module. I have it working somewhat, I just need to know if what I want to do is possible.
Here's my setup:

FC4 with Fedora Directory Server 1.04 and is also the NFS /home share. On this server I have in the /etc/pam.d/system-auth file the following entry

session required pam_mkhomedir.so skel=/etc/skel umask=0077

Then I have client machines that use FDS and the /home NFS share to provide central login and /home dir capabilities.
The /home dir itself is NFS export RO and only the user dirs are RW within it.

Using ldap (hostobject, pam_check_host_attr) attributes, I do not let users log in to the FDS /home share server, just the clients.
I want to know if it is possible that the first time a user logs into one of the clients that it can somehow be passed to the /home dir server to create the user's home dir.

I have it working with test users currently, but ONLY when they are allowed to log in to the /home dir server, not any of the clients.

Any help, suggestions would be appreciated!

Thanks,
Brian

Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

From Bkosick at mxlogic.com Thu Mar 15 03:25:12 2007
From: Bkosick at mxlogic.com (Brian Kosick) Date: Wed, 14 Mar 2007 21:25:12 -0600 Subject: [Fedora-directory-users] FDS and Automatic home dir creation In-Reply-To: References: <1173915005.3980.16.camel@mxlrmt-190.corp.mxlogic.com> Message-ID: <1173929112.4087.1.camel@mxlrmt-190.corp.mxlogic.com>

Hi Aaron,

No, the directory /home is not RW, just the user dirs within it. I use autofs to mount/umount the dirs as needed. The entry looks like this:

* -soft,intr,nodev,tcp,rw server.domain.com:/home/&

Brian

On Wed, 2007-03-14 at 22:19 -0400, Bliss, Aaron wrote:
> Just wondering, do the nfs clients have write permissions to the nfs
> mount point?
>
> Aaron
>
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Brian
> Kosick
> Sent: Wednesday, March 14, 2007 7:30 PM
> To: fedora-directory-users at redhat.com
> Subject: [Fedora-directory-users] FDS and Automatic home dir creation
>
> Hi All,
>
> I just found out about the fantastic pam_mkhomedir.so pam module. I
> have it working somewhat, I just need to know if what I want to do is
> possible.
> Here's my setup:
>
> FC4 with Fedora Directory Server 1.04 and is also the NFS /home share.
> On this server I have in the /etc/pam.d/system-auth file the following
> entry
>
> session required pam_mkhomedir.so skel=/etc/skel umask=0077
>
> Then I have client machines that use FDS and the /home NFS share to
> provide central login and /home dir capabilities.
> The /home dir itself is NFS export RO and only the user dirs are RW
> within it.
>
> Using ldap (hostobject, pam_check_host_attr) attributes, I do not let
> users log in to the FDS /home share server, just the clients.
> I want to know if it is possible that the first time a user logs into
> one of the clients that it can somehow be passed to the /home dir server
> to create the user's home dir.
>
> I have it working with test users currently, but ONLY when they are
> allowed to log in to the /home dir server, not any of the clients.
>
> Any help, suggestions would be appreciated!
>
> Thanks,
> Brian

-------------- next part --------------
A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL:

From edlinuxguru at gmail.com Thu Mar 15 15:26:51 2007
From: edlinuxguru at gmail.com (Eddie C) Date: Thu, 15 Mar 2007 11:26:51 -0400 Subject: [Fedora-directory-users] LDAP and RDBMS Integration In-Reply-To: <45F72320.6090607@redhat.com> References: <690BA3B35A2861419CBF6833BD537AD224375E@nacdmail.NORTHLANDCC.NET> <45F72320.6090607@redhat.com> Message-ID:

This is an interesting topic.

Is there even a suggested database schema for this? Or would the person who designs the C code design the schema as well?

Edward

On 3/13/07, Richard Megginson wrote:
>
> Bill Bailey wrote:
> >
> > Hi,
> >
> > I noticed on the list of features an item indicating that data
> > interoperability plug-ins are available to allow the use of an RDBMS
> > as a data source, but I'm having trouble locating the specifics (e.g.
> > which databases, what sort of integration, etc.) in the documentation.
> > Anyone have any pointers on where I can find more information on this?
> >
> http://directory.fedora.redhat.com/wiki/FAQ#Can_I_replace_Sleepycat_with_Oracle.2C_or_Postgres.2C_etc..3F
>
> There are no plug-ins available. The plug-in architecture will allow
> this, but someone must write some C code in order to be able to do this.
>
> > In particular, I'm struggling with whether to use a directory server
> > for user management or a database. If I store users in my LDAP
> > directory (e.g. username, password, name, address, phone, etc.), there
> > is still user data that I need to store in a database (e.g.
> > transaction data or other frequently modified data) - and I need to be
> > able to correlate the two. For example, for reporting I may need to
> > display both the basic user info and demographic information that is
> > so well suited for a directory alongside data that comes from a
> > database. This seems to me problematic since the data models and query
> > languages are different. And even if I could make the LDAP data look
> > like something I could query with SQL - and join with real RDBMS
> > tables - it would seem likely that performance might be less than great.
> >
> > My thinking is that if I could get the LDAP server to use e.g. MySQL
> > under the covers for storage, but I could still get access (read-only)
> > to the underlying tables, I might be able to have the best of both
> > worlds (assuming the underlying table structure was amenable to being
> > joined to my tables without too many contortions). I'm guessing my
> > dilemma isn't new - has anyone else struggled with this and, if so,
> > how did you resolve it? And have been satisfied with the solution you
> > selected?
> >
> > Thanks for any input or comments.
> >
> > Bill Bailey

-------------- next part --------------
An HTML attachment was scrubbed... URL:

From rmeggins at redhat.com Thu Mar 15 15:32:22 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Thu, 15 Mar 2007 09:32:22 -0600 Subject: [Fedora-directory-users] LDAP and RDBMS Integration In-Reply-To: References: <690BA3B35A2861419CBF6833BD537AD224375E@nacdmail.NORTHLANDCC.NET> <45F72320.6090607@redhat.com> Message-ID: <45F96706.2060000@redhat.com>

Eddie C wrote:
> This is an interesting topic.
>
> Is there even a suggested database schema for this? Or would the person
> who designs the C code design the schema as well?

I don't know if there is a database schema for this. I think each database vendor comes up with their own, or even each application that uses the database for authentication.

On a related note, I notice that there are PAM SQL modules which allow you to use PAM to authenticate against credentials stored in an RDBMS. Google shows that there are PAM modules for mysql, postgres, informix, db2, and oracle. With the Fedora DS PAM passthru plugin, you should be able to pass authentication through to the database, with the appropriate PAM SQL module and configuration. That would at least solve the case where you want to use the RDBMS as the authoritative store for passwords.

>
> Edward
>
> On 3/13/07, Richard Megginson wrote:
>>
>> Bill Bailey wrote:
>>>
>>> Hi,
>>>
>>> I noticed on the list of features an item indicating that data
>>> interoperability plug-ins are available to allow the use of an RDBMS
>>> as a data source, but I'm having trouble locating the specifics (e.g.
>>> which databases, what sort of integration, etc.) in the documentation.
>>> Anyone have any pointers on where I can find more information on this?
>>>
>> http://directory.fedora.redhat.com/wiki/FAQ#Can_I_replace_Sleepycat_with_Oracle.2C_or_Postgres.2C_etc..3F
>>
>> There are no plug-ins available. The plug-in architecture will allow
>> this, but someone must write some C code in order to be able to do
>> this.
>>
>>> In particular, I'm struggling with whether to use a directory server
>>> for user management or a database. If I store users in my LDAP
>>> directory (e.g. username, password, name, address, phone, etc.), there
>>> is still user data that I need to store in a database (e.g.
>>> transaction data or other frequently modified data) - and I need to be
>>> able to correlate the two. For example, for reporting I may need to
>>> display both the basic user info and demographic information that is
>>> so well suited for a directory alongside data that comes from a
>>> database. This seems to me problematic since the data models and query
>>> languages are different. And even if I could make the LDAP data look
>>> like something I could query with SQL - and join with real RDBMS
>>> tables - it would seem likely that performance might be less than great.
>>>
>>> My thinking is that if I could get the LDAP server to use e.g. MySQL
>>> under the covers for storage, but I could still get access (read-only)
>>> to the underlying tables, I might be able to have the best of both
>>> worlds (assuming the underlying table structure was amenable to being
>>> joined to my tables without too many contortions). I'm guessing my
>>> dilemma isn't new - has anyone else struggled with this and, if so,
>>> how did you resolve it? And have been satisfied with the solution you
>>> selected?
>>>
>>> Thanks for any input or comments.
>>>
>>> Bill Bailey

-------------- next part --------------
A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature URL:

From darren.paxton at mercer.com Mon Mar 19 09:17:03 2007
From: darren.paxton at mercer.com (Paxton, Darren) Date: Mon, 19 Mar 2007 09:17:03 +0000 Subject: [Fedora-directory-users] Replication Possibilities Message-ID: <1174295823.14607.14.camel@MUKLWDP01.mercer.com>

Hi again all,

Managed to get myself to a pretty good place with my configuration, but would appreciate another pointer from yourselves.

Currently I have the system up and running with two servers (master1 and master2) in a 2-way multi-master replication mode.

Master1 also has a Windows Synchronisation Agreement with adserver1, which is also working, however it is working in a two-way mode, propagating changes made on the Fedora Directory back to Active Directory.

Unfortunately, our current strategy is to have Active Directory as the single Directory for user management so as to make our Service Desk more efficient. We also have a policy of removing all single points of failure from within our enterprise, therefore I was looking at having two windows sync agreements from two Fedora Master servers to two different members of the same Active Directory.

The two Fedora Servers would also obviously need to be in sync (hence the multi-master setup) but probably with a number of read-only consumer servers dotted around the globe.

The question, therefore, is what would be the best way in terms of replication design, to achieve this objective?

Basically, I want to achieve the following:

    AD2 -> FD2 <-> FD1 <- AD1
           / |       | \
          /  |       |  \
         V   V       V   V
       FD3  FD4     FD5  FD6

Thanks in advance for any assistance you can provide.

Cheers

Darren

This e-mail and any attachments may be confidential or legally privileged. If you received this message in error or are not the intended recipient, you should destroy the email message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained herein. Please inform us of the erroneous delivery by return e-mail. Thank you for your co-operation.

Mercer Human Resource Consulting Limited is authorised and regulated by the Financial Services Authority. Registered in England No. 984275. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU.

-------------- next part --------------
An HTML attachment was scrubbed... URL:

From david_list at boreham.org Mon Mar 19 14:06:10 2007
From: david_list at boreham.org (David Boreham) Date: Mon, 19 Mar 2007 08:06:10 -0600 Subject: [Fedora-directory-users] Replication Possibilities In-Reply-To: <1174295823.14607.14.camel@MUKLWDP01.mercer.com> References: <1174295823.14607.14.camel@MUKLWDP01.mercer.com> Message-ID: <45FE98D2.40604@boreham.org>

Paxton, Darren wrote:
> Unfortunately, our current strategy is to have Active Directory as the
> single Directory for user management so as to make our Service Desk
> more efficient. We also have a policy of removing all single points of
> failure from within our enterprise, therefore I was looking at having
> two windows sync agreements from two Fedora Master servers to two
> different members of the same Active Directory.

You can configure this setup, but I don't think it'll quite work. Bad things such as loops between the AD replication and FDS replication can occur. Ulf Weltman did some investigation on this a while back. You might be able to find his comments in the list archive.

From edlinuxguru at gmail.com Mon Mar 19 14:06:47 2007
From: edlinuxguru at gmail.com (Eddie C) Date: Mon, 19 Mar 2007 10:06:47 -0400 Subject: [Fedora-directory-users] Replication Possibilities In-Reply-To: <1174295823.14607.14.camel@MUKLWDP01.mercer.com> References: <1174295823.14607.14.camel@MUKLWDP01.mercer.com> Message-ID: I can not give an authoritative answer, but if your active directory is 2003 server your active directory itself is multimaster ( no more PDC and SDC ). It seems theorically possible to install active directory sync on both nodes but leave it running only on one domain controller. Something like this: AD2 <-> AD1 | LoadBalancer | FD2 <->FD1 Here are some maybes. The configuration of the winsync agreements might have issues communicating with a proxy or load balanced LDAP server. Also I do not know of any HA product that would be able to fail winsync on a windows server. On 3/19/07, Paxton, Darren wrote: > Hi again all, > > Managed to get myself to a pretty good place with my configuration, but > would appreciate another pointer from yourselves. > > Currently I have the system up and running with two servers (master1 and > master2) in a 2-way multi-master replication mode. > > Master1 also has a Windows Synchronisation Agreement with adserver1, which > is also working, however it is working in a two-way mode, propagating > changes made on the Fedora Directory back to Active Directory. > > Unfortunately, our current strategy is to have Active Directory as the > single Directory for user management so as to make our Service Desk more > efficient. We also have a policy of removing all single points of failure > from within our enterprise, therefore I was looking at having two windows > sync agreements from two Fedora Master servers to two different members of > the same Active Directory. > > The two Fedora Servers would also obviously need to be in sync (hence the > multi-master setup) but probably with a number of read-only consumer servers > dotted around the globe. 
>
> The question, therefore, is what would be the best way in terms of
> replication design, to achieve this objective?
>
> Basically, I want to achieve the following:
>
>   AD2 -> FD2 <-> FD1 <- AD1
>          / |     | \
>         /  |     |  \
>        V   V     V   V
>      FD3  FD4   FD5  FD6
>
> Thanks in advance for any assistance you can provide.
>
> Cheers
>
> Darren

From david_list at boreham.org Mon Mar 19 14:11:20 2007
From: david_list at boreham.org (David Boreham)
Date: Mon, 19 Mar 2007 08:11:20 -0600
Subject: [Fedora-directory-users] Replication Possibilities
In-Reply-To:
References: <1174295823.14607.14.camel@MUKLWDP01.mercer.com>
Message-ID: <45FE9A08.8030702@boreham.org>

Eddie C wrote:
> I can not give an authoritative answer, but if your active directory
> is 2003 server your active directory itself is multimaster (no more
> PDC and SDC). It seems theoretically possible to install active
> directory sync on both nodes but leave it running only on one domain
> controller. Something like this:
>
>     AD2 <-> AD1
>          |
>     LoadBalancer
>          |
>     FD2 <-> FD1
>
This is a cool idea, but it may not work because FDS uses the AD sync control to perform incremental inbound updates. It's quite likely that the two AD servers would have different states for the sync cookie. You could work around this by initiating a full sync when failing over between ADs.

From darren.paxton at mercer.com Mon Mar 19 14:56:46 2007
From: darren.paxton at mercer.com (Paxton, Darren)
Date: Mon, 19 Mar 2007 14:56:46 +0000
Subject: [Fedora-directory-users] Replication Possibilities
In-Reply-To: <45FE9A08.8030702@boreham.org>
References: <1174295823.14607.14.camel@MUKLWDP01.mercer.com> <45FE9A08.8030702@boreham.org>
Message-ID: <1174316206.29761.0.camel@MUKLWDP01.mercer.com>

On Mon, 2007-03-19 at 08:11 -0600, David Boreham wrote:
> Eddie C wrote:
>> I can not give an authoritative answer, but if your active directory
>> is 2003 server your active directory itself is multimaster (no more
>> PDC and SDC). It seems theoretically possible to install active
>> directory sync on both nodes but leave it running only on one domain
>> controller. Something like this:
>>
>>     AD2 <-> AD1
>>          |
>>     LoadBalancer
>>          |
>>     FD2 <-> FD1
>>
> This is a cool idea, but it may not work because FDS uses the AD sync
> control to perform incremental inbound updates. It's quite likely that
> the two AD servers would have different states for the sync cookie.
> You could work around this by initiating a full sync when failing over
> between ADs.

Thanks for the comments so far, it appears that if I can mitigate the risk, then I can just leave a single agreement in place between FDS and AD.

The other question though, regarding one-way from AD to FDS - anyone got any thoughts on that?

Cheers

Darren

This e-mail and any attachments may be confidential or legally privileged. If you received this message in error or are not the intended recipient, you should destroy the email message and any attachments or copies, and you are prohibited from retaining, distributing, disclosing or using any information contained herein. Please inform us of the erroneous delivery by return e-mail. Thank you for your co-operation.

Mercer Human Resource Consulting Limited is authorised and regulated by the Financial Services Authority. Registered in England No. 984275. Registered Office: 1 Tower Place West, Tower Place, London, EC3R 5BU.
From david_list at boreham.org Mon Mar 19 15:33:35 2007
From: david_list at boreham.org (David Boreham)
Date: Mon, 19 Mar 2007 09:33:35 -0600
Subject: [Fedora-directory-users] Replication Possibilities
In-Reply-To: <1174316206.29761.0.camel@MUKLWDP01.mercer.com>
References: <1174295823.14607.14.camel@MUKLWDP01.mercer.com> <45FE9A08.8030702@boreham.org> <1174316206.29761.0.camel@MUKLWDP01.mercer.com>
Message-ID: <45FEAD4F.2020705@boreham.org>

Paxton, Darren wrote:
> The other question though, regarding one-way from AD to FDS - anyone
> got any thoughts on that?

The sync code wasn't designed to allow this. However there are a couple of things you could consider:

1. Configure FDS access control to disallow modifications on attributes that are sync'ed to AD. If there are no pertinent modifications then nothing will get sync'ed to AD.

2. Hack the code to turn off the FDS->AD (outbound) change propagation.

From clockwork at sigsys.org Mon Mar 19 16:41:19 2007
From: clockwork at sigsys.org (clockwork at sigsys.org)
Date: Mon, 19 Mar 2007 12:41:19 -0400
Subject: [Fedora-directory-users] "error trying to bind as user"
Message-ID: <5849d9130703190941i4a94aa7bib2789059cd1c13a6@mail.gmail.com>

Alright, I have a very odd problem. I created a new user and added them to an existing group. When they try to ssh into an environment that the group has permissions with it works on 1 (of 3) boxes and fails on the others. The error is as follows:

sshd[20205]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)

Does anyone have any idea what could be causing this issue? It's very frustrating because there is no way for me to know what they will or won't be able to log into. ldapsearch, getent etc return the correct data.

From clockwork at sigsys.org Mon Mar 19 17:12:06 2007
From: clockwork at sigsys.org (clockwork at sigsys.org)
Date: Mon, 19 Mar 2007 13:12:06 -0400
Subject: [Fedora-directory-users] pam_ldap: error trying to bind as user (Constraint violation)
In-Reply-To: <2f8a29cb0703050808t1f90cc8k96bc40413a3c7759@mail.gmail.com>
References: <2f8a29cb0703050808t1f90cc8k96bc40413a3c7759@mail.gmail.com>
Message-ID: <5849d9130703191012i5b3be641kcbcb06c5ddb03c44@mail.gmail.com>

Aaron/All,

I'm seeing the same thing with logins via ssh, on rhel 4 the error logs as:
"pam_ldap: error trying to bind as user "uid=name,ou=People,dc=domain,dc=com" (Invalid credentials)"

rhel 3:
"pam_ldap: error trying to bind as user "uid=name,ou=People,dc=domain,dc=com" (Constraint violation)"

The user works on another rhel4 box with the same config as the one throwing the error, so I'm at a loss.

On 3/5/07, Aaron Cline wrote:
>
> Hello:
>
> I'm using FedoraDS 1.0.3 to perform authentication functions to servers in
> a DMZ. This morning a user was able to log in but then 1 minute later they
> tried to use sudo as themselves and they were denied. They continued to be
> denied for the next 10 minutes before they gave up. I pulled the following
> errors from the system log of the system they were logged into:
>
> Mar 5 14:24:37 low-tcw-103 sudo(pam_unix)[10957]: check pass; user unknown
> Mar 5 14:24:37 low-tcw-103 sudo(pam_unix)[10957]: authentication failure; logname=marnelc uid=0 euid=0 tty=pts/1 ruser= rhost=
> Mar 5 14:24:37 low-tcw-103 sudo[10957]: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Invalid credentials)
> Mar 5 14:24:43 low-tcw-103 sudo(pam_unix)[10957]: check pass; user unknown
> Mar 5 14:24:43 low-tcw-103 sudo[10957]: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint violation)
>
> It looks to me that the first time the user must have typed the wrong
> password, but after that I don't know what happened.
>
> I don't see any obvious errors in either the access or error log files on
> the LDAP server. Has anyone seen this before?
>
> Thanks for any info or advice.
>
> Aaron

From ulf.weltman at hp.com Mon Mar 19 18:08:27 2007
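The two failure strings in these logs map to different LDAP result codes, and that is the useful signal. As an added example (not code from the thread, from pam_ldap or from FDS), here is a small Python triage script: it parses pam_ldap bind-failure lines from syslog, groups them by bind DN and host, and flags the "Invalid credentials" followed by "Constraint violation" sequence, which is what an FDS password-policy lockout looks like from the client side: FDS answers a bind against an account that has exceeded its password retry limit with result 19 (constraintViolation), while a plain wrong password is result 49 (invalidCredentials). The sample log lines are constructed, modelled on the ones quoted above; the diagnosis strings and the "several hosts" heuristic are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on the ones quoted in this thread
# (not real logs from the posters' systems). The last line is unrelated noise.
SAMPLE_LOG = """\
Mar  5 14:24:37 low-tcw-103 sudo[10957]: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Invalid credentials)
Mar  5 14:24:43 low-tcw-103 sudo[10957]: pam_ldap: error trying to bind as user "uid=marnelc,ou=ISG,ou=Lowell,ou=People,dc=pii-dmz,dc=ext" (Constraint violation)
Mar 19 12:40:01 web2 sshd[20205]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
Mar 19 12:40:09 web3 sshd[20211]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
Mar 19 12:41:19 web3 sshd[20230]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
Mar 19 12:41:20 web1 sshd[20240]: pam_ldap: error trying to bind as user "uid=user,ou=People,dc=domain,dc=com" (Invalid credentials)
Mar 19 12:41:21 web1 sshd[20240]: Accepted publickey for root from 10.0.0.5 port 51000 ssh2
"""

# syslog timestamp, host, process[pid], then the pam_ldap message with the bind DN
# in double quotes and the LDAP result text in parentheses.
BIND_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w()]+)\[\d+\]: '
    r'pam_ldap: error trying to bind as user "(?P<dn>[^"]+)" \((?P<result>[^)]+)\)$'
)


def parse_bind_failures(text):
    """One dict (ts, host, proc, dn, result) per pam_ldap bind failure; other lines skipped."""
    events = []
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events):
    """Group failures by bind DN and attach a first-pass diagnosis.

    FDS reports a bind against an account over its password retry limit as
    LDAP result 19, which pam_ldap logs as "(Constraint violation)"; a wrong
    password is result 49, "(Invalid credentials)". So "Invalid credentials"
    followed by "Constraint violation" for the same DN is the signature of a
    password-policy lockout, not of a second typo.
    """
    by_dn = defaultdict(list)
    for e in events:
        by_dn[e["dn"]].append(e)
    report = {}
    for dn, evs in by_dn.items():
        results = [e["result"] for e in evs]          # in log order
        hosts = sorted({e["host"] for e in evs})
        locked = "Constraint violation" in results
        if locked:
            first_cv = results.index("Constraint violation")
            preceded = "Invalid credentials" in results[:first_cv]
            finding = ("password policy on the directory side (retry-limit lockout"
                       + (" after a wrong password" if preceded else "")
                       + "); check passwordRetryCount/accountUnlockTime on the entry")
        elif len(hosts) > 1:
            # Assumed heuristic: same DN failing on several hosts points at a
            # client-side config difference, or at credential guessing.
            finding = ("Invalid credentials from several hosts: compare the pam_ldap "
                       "configuration of failing hosts with a working one, or treat as "
                       "credential guessing if the user is not logging in")
        else:
            finding = "single host, wrong password most likely"
        report[dn] = {"count": len(evs), "hosts": hosts,
                      "constraint_violation": locked, "finding": finding}
    return report


if __name__ == "__main__":
    for dn, info in triage(parse_bind_failures(SAMPLE_LOG)).items():
        print(f"{dn}: {info['count']} failure(s) on {', '.join(info['hosts'])}")
        print(f"  -> {info['finding']}")
```

For a DN the script flags as locked out, a base-scope ldapsearch of that entry as Directory Manager for the operational attributes passwordRetryCount, retryCountResetTime and accountUnlockTime shows whether the retry limit was hit and when the lock expires; nothing about that appears in the server's access log as an error, which matches Aaron's observation. For the "works on one box of three" case, diff the failing host's pam_ldap configuration (/etc/ldap.conf on RHEL 3/4) against the working one before suspecting the directory.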
From: ulf.weltman at hp.com (Ulf Weltman)
Date: Mon, 19 Mar 2007 11:08:27 -0700
Subject: [Fedora-directory-users] Replication Possibilities
In-Reply-To: <45FE98D2.40604@boreham.org>
References: <1174295823.14607.14.camel@MUKLWDP01.mercer.com> <45FE98D2.40604@boreham.org>
Message-ID: <45FED19B.50107@hp.com>

David Boreham wrote:
> Paxton, Darren wrote:
>
>> Unfortunately, our current strategy is to have Active Directory as
>> the single Directory for user management so as to make our Service
>> Desk more efficient. We also have a policy of removing all single
>> points of failure from within our enterprise, therefore I was looking
>> at having two windows sync agreements from two Fedora Master servers
>> to two different members of the same Active Directory.
>
> You can configure this setup, but I don't think it'll quite work.
> Bad things such as loops between the AD replication and
> FDS replication can occur. Ulf Weltman did some investigation
> on this a while back. You might be able to find his comments
> in the list archive.
>
This is the configuration I debugged:

In a configuration with two DS in MMR (M1 and M2) and two AD in the same domain (AD1 and AD2), M1 is configured to sync with AD1 and M2 to sync with AD2, and password sync on AD1 pointing to M1 and on AD2 pointing to M2, we have a ring configuration with good availability.

From what I hear it went into use with a couple of limitations:

Dual winsync paths results in LDAP ADD collision on AD
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182515)

Dual winsync paths results in LDAP DEL collision on DS
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=184155)

From augusto.rocha at augustschell.com Tue Mar 20 00:59:35 2007
From: augusto.rocha at augustschell.com (Alexandre Augusto da Rocha)
Date: Mon, 19 Mar 2007 19:59:35 -0500
Subject: [Fedora-directory-users] Password replication problems between a multi-master system and AD
Message-ID: <45FF31F7.2000003@augustschell.com>

I am using RHDS instead of FD, so if this issue has been addressed in FD please forgive me.

To exemplify the issues I'll use the model:

    AD <-> RHDS1 <-> RHDS2

Only one master is setup to sync to AD, which is the standard setup. Since password sync uses clear text to replicate to AD, password changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be the actual clear text pw and attempts to use it to login to RHDS1. This creates a loop where one server keeps sending what it believes to be the new password to the other.

I _think_ that if I add a replication agreement between RHDS2 and AD it will not fix my problem as even if RHDS2 sends the password ok to AD, RHDS1 will still try to send the update it received from RHDS2. Is this assumption correct?

What is the best course of action? How can I tell if a password update is done on the server or pushed through replication?

From jimh at u.washington.edu Tue Mar 20 22:43:12 2007
From: jimh at u.washington.edu (Jim Hogan)
Date: Tue, 20 Mar 2007 15:43:12 -0700
Subject: [Fedora-directory-users] Integrating EMC NAS (and Solaris How-To)
Message-ID: <46006380.5040701@u.washington.edu>

I am trialing an EMC NS350 as a candidate NAS to serve CIFS and NFS clients (XP, OSX, and Linux). I have set up a working Samba 3.x domain with FDS 1.01 back end and I have an older, borrowed NetApp Filer (DataOnTap 6.5) working fine as a temporary NFS/CIFS server authing against LDAP/Samba.

With the EMC, official support is limited to AD and Sun iPlanet LDAP. The latter limitation of support is turning out to be less theoretical than I might have hoped. It seems like the EMC wants to behave like an "official" iPlanet/Sun client. I am thinking that the solution to this problem could be to config FDS as laid out in the Solaris Client How-To here:

http://directory.fedora.redhat.com/wiki/Howto:SolarisClient

I have a couple of questions. First, has anybody done this (integrated an EMC) who has a cut-and-dried report on doing it?

Second, the second schema for NIS domain seems relevant only if the client is also binding to a NIS domain. I'm not. Or hope not to be :) Then, is the following step -- adding nisdomain attribute -- also optional? Seems like it should be.

I am going to try the EMC with the stock set of serviceSearchDescriptor listed in the How-To's example profile. If anybody else has improved on that for an EMC, I would be interested in your comments.

There were both pros and cons when comparing NetApp and EMC offerings this time. It is a bit ironic that NetApp isn't nearly as Linux-y as EMC's Celerra product, yet LDAP was a breeze to set up on the Filer itself. In contrast, very little client-side non-iPlanet configuration is possible on the EMC, so I don't see much alternative to going through this server-side Solaris-style config change (and hope that it works!)

Thanks,

Jim

From rmeggins at redhat.com Wed Mar 21 02:44:20 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 20 Mar 2007 20:44:20 -0600
Subject: [Fedora-directory-users] Password replication problems between a multi-master system and AD
In-Reply-To: <45FF31F7.2000003@augustschell.com>
References: <45FF31F7.2000003@augustschell.com>
Message-ID: <46009C04.2090101@redhat.com>

Alexandre Augusto da Rocha wrote:
> I am using RHDS instead of FD, so if this issue has been addressed in
> FD please forgive me.
>
> To exemplify the issues I'll use the model:
> AD <-> RHDS1 <-> RHDS2.
>
> Only one master is setup to sync to AD, which is the standard setup.
> Since password sync uses clear text to replicate to AD, password
> changes on RHDS2 will not propagate correctly to AD. RHDS2 sends the
> hash to RHDS1 which in turn sends it to AD. AD assumes the hash to be
> the actual clear text pw and attempts to use it to login to RHDS1.
> This creates a loop where one server keeps sending what it believes to
> be the new password to the other.
> I _think_ that if I add a replication agreement between RHDS2 and AD
> it will not fix my problem as even if RHDS2 sends the password ok to
> AD, RHDS1 will still try to send the update it received from RHDS2.
> Is this assumption correct?

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=207893

> What is the best course of action? How can I tell if a password
> update is done on the server or pushed through replication?

From jimh at u.washington.edu Wed Mar 21 17:57:00 2007
From: jimh at u.washington.edu (Jim Hogan)
Date: Wed, 21 Mar 2007 10:57:00 -0700
Subject: [Fedora-directory-users] nisDomain/Solaris schema not loading???
Message-ID: <460171EC.3070003@u.washington.edu>

I am running FDS 1.02 in master/client setup on CentOS 4.4. With respect to an earlier query about an EMC NAS and Solaris client config, I am running into a more basic problem with one of the two schema from the Solaris How-To (http://directory.fedora.redhat.com/wiki/Howto:SolarisClient), (I named these 62DUAConfigProfile.ldif and 63nisDomain.ldif because I already had a Samba schema on 61).

I was easily able to load the provided 62DUAConfigProfile schema file (and I created a profile object for the EMC client that relied on attributes in that schema). I can see those new DUA attributes like profileTTL.

However, when I attempted to add the 63nisDomain.ldif schema, I can restart the FDS slapd without error, but the nis* attributes do not then show up in the FDS directory schema no matter how I look (try to add attribute in phpLDAPadmin, or via FDS console under config-->schema or elsewhere). I have a 2 server master/client setup and have added the schema files on both and restarted slapd on both several times.

There are a few other nis* attributes visible (nismap, nisnetgroup, nisobject) but none of these seem to duplicate what are provided by 63nisDomain.ldif.

This config file appeared elsewhere on line and I tried it from 2 sources but it looked to be identical. I was able to make the slapd fail on restart by adding an unwanted space/CR to the file, so it seems like slapd is definitely trying to read it. I have verified that the LDIF on both FDS servers is identical.

I turned logging up to 64 on slapd to get config processing errors, but it didn't yield much:

config - Unknown attribute mod will be ignored
[21/Mar/2007:10:21:28 -0700] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[21/Mar/2007:10:21:28 -0700] - Unknown config attribute readonly
[21/Mar/2007:10:21:28 -0700] - DNS ldap.example.com -> DN dc=ldap,dc=example,dc=com
[21/Mar/2007:10:21:28 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[21/Mar/2007:10:21:29 -0700] - Listening on All Interfaces port 636 for LDAPS requests

Not sure what those unknowns are, but I removed the nisDomain.ldif from config/schema and restarted; the error log output was unchanged.

In case there was some unknown precedence issue, I changed the order of the 2 new LDIF to make nisDomain first, 62. I then moved it ahead of Samba schema to "59". No change.

The LDIF I am using now is pasted below -- a one-attribute-per-line format.

I am at a bit of a stand on this. I am *really* not understanding why I can't find any of these attributes. But, it feels like one of those times (they come about 10 times a year) where somebody may hit Jim with a very large clue stick -- like I am really missing something :(

Any insight appreciated.

Jim

Current 63NisDomain.ldif:

dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'nisPublickey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'nisSecretkey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'mgrpRFC822MailMember' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' DESC 'nisNetIdUser' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' DESC 'nisNetIdGroup' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' DESC 'nisNetIdHost' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' DESC 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )
objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObject' SUP top AUXILIARY MUST ( nisDomain ) )
objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'mailGroup' SUP top MUST ( mail ) MAY ( cn $ mgrpRFC822MailMember ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' DESC 'nisNetId' SUP top MUST ( cn ) MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )

From rmeggins at redhat.com Wed Mar 21 18:05:20 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 21 Mar 2007 12:05:20 -0600
Subject: [Fedora-directory-users] nisDomain/Solaris schema not loading???
In-Reply-To: <460171EC.3070003@u.washington.edu>
References: <460171EC.3070003@u.washington.edu>
Message-ID: <460173E0.6080806@redhat.com>

Jim Hogan wrote:
> I am running FDS 1.02 in master/client setup on CentOS 4.4. With
> respect to an earlier query about an EMC NAS and Solaris client
> config, I am running into a more basic problem with one of the two
> schema from the Solaris How-To
> (http://directory.fedora.redhat.com/wiki/Howto:SolarisClient), (I
> named these 62DUAConfigProfile.ldif and 63nisDomain.ldif because I
> already had a Samba schema on 61).

You can use the same number as long as the schema in one file does not refer to the schema in the other file with the same number. I don't think the nisDomain schema refers to the samba schema, or vice versa.

> I was easily able to load the provided 62DUAConfigProfile schema file
> (and I created a profile object for the EMC client that relied on
> attributes in that schema). I can see those new DUA attributes like
> profileTTL.
>
> However, when I attempted to add the 63nisDomain.ldif schema, I can
> restart the FDS slapd without error, but the nis* attributes do not
> then show up in the FDS directory schema no matter how I look (try to
> add attribute in phpLDAPadmin, or via FDS console under
> config-->schema or elsewhere). I have a 2 server master/client setup
> and have added the schema files on both and restarted slapd on both
> several times

For the authoritative view of the schema, use ldapsearch:

ldapsearch -x -s base -b "cn=schema" | grep nis

>
> There are a few other nis* attributes visible (nismap, nisnetgroup,
> nisobject) but none of these seem to duplicate what are provided by
> 63nisDomain.ldif.
>
> This config file appeared elsewhere on line and I tried it from 2
> sources but it looked to be identical. I was able to make the slapd
> fail on restart by adding an unwanted space/CR to the file, so it
> seems like slapd is definitely trying to read it. I have verified
> that the LDIF on both FDS servers is identical. I turned logging up
> to 64 on slapd to get config processing errors, but it didn't yield much:
>
> config - Unknown attribute mod will be ignored
> [21/Mar/2007:10:21:28 -0700] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
> [21/Mar/2007:10:21:28 -0700] - Unknown config attribute readonly
> [21/Mar/2007:10:21:28 -0700] - DNS ldap.example.com -> DN dc=ldap,dc=example,dc=com
> [21/Mar/2007:10:21:28 -0700] - slapd started. Listening on All Interfaces port 389 for LDAP requests
> [21/Mar/2007:10:21:29 -0700] - Listening on All Interfaces port 636 for LDAPS requests
>
> Not sure what those unknowns are, but I removed the nisDomain.ldif
> from config/schema and restarted; the error log output was unchanged.

That's odd. Try start-slapd -d 1 - this will spew out a large amount of text, but should reveal any config file parsing problems.

>
> In case there was some unknown precedence issue, I changed the order
> of the 2 new LDIF to make nisDomain first, 62. I then moved it ahead
> of Samba schema to "59". No change.
>
> The LDIF I am using now is pasted below -- a one-attribute-per-line
> format.
>
> I am at a bit of a stand on this. I am *really* not understanding why
> I can't find any of these attributes. But, it feels like one of those
> times (they come about 10 times a year) where somebody may hit Jim
> with a very large clue stick -- like I am really missing something :(

I don't see anything obvious.

>
> Any insight appreciated.
>
> Jim

From jimh at u.washington.edu Wed Mar 21 21:00:28 2007
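Richard's ldapsearch against cn=schema is the authoritative check after a restart; what the thread lacks is a check you can run on the file before restarting, since slapd's own log only printed unrelated "Unknown config attribute" noise. As an added example (not code from the thread, from the Solaris How-To or from Fedora DS), here is a Python checker for a schema file like Jim's 63nisDomain.ldif: it unfolds the LDIF, parses each attributeTypes/objectClasses definition, and reports malformed or duplicate OIDs, duplicate names, and SUP/MUST/MAY references that neither the file nor the core schema resolves. Jim's schema as posted above is embedded as the sample input. CORE_ATTRS and CORE_CLASSES are an assumption about what the FDS core schema files already define, not a dump of any server; extend them to match the schema directory you are adding to.

```python
import re

# The schema pasted in the thread, used here as the sample input
# (one definition per line, as the poster described his file).
SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'nisPublickey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'nisSecretkey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'mgrpRFC822MailMember' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' DESC 'nisNetIdUser' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' DESC 'nisNetIdGroup' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' DESC 'nisNetIdHost' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' DESC 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )
objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObject' SUP top AUXILIARY MUST ( nisDomain ) )
objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'mailGroup' SUP top MUST ( mail ) MAY ( cn $ mgrpRFC822MailMember ) )
objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' DESC 'nisNetId' SUP top MUST ( cn ) MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
"""

# Assumed to be defined by the core schema files FDS ships (00core.ldif,
# 10rfc2307.ldif); not a dump of any real server, extend for your deployment.
CORE_ATTRS = frozenset(("cn", "name", "description", "mail", "uidnumber"))
CORE_CLASSES = frozenset(("top",))

OID_AT_START = re.compile(r"^\(\s*([\w.-]+)")
OID_SYNTAX = re.compile(r"^[012](\.(0|[1-9]\d*))+$")   # numeric OID, no leading zeros
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")


def unfold_ldif(text):
    """(attribute, value) pairs with RFC 2849 continuation lines (leading space) joined."""
    records = []
    for raw in text.splitlines():
        if raw.startswith(" ") and records:
            records[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            records.append(raw)
    return [(a.strip().lower(), v.strip()) for a, _, v in (r.partition(":") for r in records)]


def _clause(keyword, value):
    """Names in 'KW ( a $ b )' or 'KW a' (bare or quoted), lowercased; [] if absent."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|'?([\w-]+)'?)" % keyword, value)
    if m is None:
        return []
    if m.group(1) is not None:
        return [n.strip().strip("'").lower() for n in m.group(1).split("$") if n.strip()]
    return [m.group(2).lower()]


def _names(value):
    """NAME 'x' or NAME ( 'x' 'y' ), lowercased."""
    m = NAME_RE.search(value)
    if m is None:
        return []
    return [m.group(1).lower()] if m.group(1) is not None else \
        [n.lower() for n in re.findall(r"'([^']*)'", m.group(2))]


def parse_schema(text):
    """attributeTypes/objectClasses definitions as dicts; other LDIF attributes ignored."""
    defs = []
    for attr, value in unfold_ldif(text):
        if attr in ("attributetypes", "objectclasses"):
            m = OID_AT_START.match(value)
            defs.append({"kind": attr, "oid": m.group(1) if m else None,
                         "names": _names(value), "sup": _clause("SUP", value),
                         "must": _clause("MUST", value), "may": _clause("MAY", value),
                         "raw": value})
    return defs


def check_schema(text, known_attrs=CORE_ATTRS, known_classes=CORE_CLASSES):
    """Static checks that slapd's startup log does not spell out: malformed or
    duplicate OIDs, duplicate names, and SUP/MUST/MAY references that neither
    this file nor the core schema resolves.  Returns
    {"definitions": n, "findings": [(code, definition, detail), ...]}."""
    defs = parse_schema(text)
    attrs = {a.lower() for a in known_attrs}
    classes = {c.lower() for c in known_classes}
    for d in defs:
        (attrs if d["kind"] == "attributetypes" else classes).update(d["names"])
    findings, seen_oids, seen_names = [], {}, {}
    for d in defs:
        label = d["names"][0] if d["names"] else d["raw"][:40]
        if d["oid"] is None or not OID_SYNTAX.match(d["oid"]):
            findings.append(("bad-oid", label, d["oid"]))
        elif d["oid"] in seen_oids:
            findings.append(("duplicate-oid", label, seen_oids[d["oid"]]))
        else:
            seen_oids[d["oid"]] = label
        for n in d["names"]:
            if n in seen_names:
                findings.append(("duplicate-name", n, seen_names[n]))
            seen_names[n] = label
        pool = attrs if d["kind"] == "attributetypes" else classes
        for ref in d["sup"]:
            if ref not in pool:
                findings.append(("unresolved-sup", label, ref))
        if d["kind"] == "objectclasses":
            for ref in d["must"] + d["may"]:
                if ref not in attrs:
                    findings.append(("unresolved-attr", label, ref))
    return {"definitions": len(defs), "findings": findings}
```

Run against Jim's file with the assumed core set the checker finds 11 definitions and nothing to report, which is consistent with the schema eventually appearing in his cn=schema search; pass an empty known_attrs and it lists exactly the attributes the file borrows from the core schema (cn, description, mail, name, uidNumber), which is the list to confirm with Richard's ldapsearch. The OID test is purely syntactic: it accepts nisDomainObject's 1.3.1.6.1.1.1.2.15 even though that sits in a different arc from the 1.3.6.1.1.1.2 arc NisKeyObject uses in the same file, so a transposed arc only shows up if you compare against the schema you intend to match.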
From: jimh at u.washington.edu (Jim Hogan) Date: Wed, 21 Mar 2007 14:00:28 -0700 Subject: [Fedora-directory-users] nisDomain/Solaris schema not loading??? In-Reply-To: <460173E0.6080806@redhat.com> References: <460171EC.3070003@u.washington.edu> <460173E0.6080806@redhat.com> Message-ID: <46019CEC.7080403@u.washington.edu> Richard, Progress.... Richard Megginson wrote: > Jim Hogan wrote: >> I am running FDS 1.02 in master/client setup on Centos 4.4. With >> respect to an earlier query about an EMC NAS and Solaris client >> config, I am running into a more basic problem with one of the two >> schema from the Solaris How-To >> (http://directory.fedora.redhat.com/wiki/Howto:SolarisClient), (I >> named these 62DUAConfigProfile.ldif and 63nisDomain.ldif because I >> already had a Samba schema on 61). > You can use the same number as long as the schema in one file does not > refer to the schema in the other file with the same number. I don't > think the nisDomain schema refers to the samba schema, or vice versa. I wasn't sure but that is good to know. I hope I will never crowd the remaining space between 64 and 98, though :) >> I was easily able to load the provided 62DUAConfigProfile schema file >> (and I created a profile object for the EMC client that relied on >> attributes in that schema). I can see those new DUA attributes like >> profileTTL. >> >> However, When I attempted to add the 63nisDomain.ldif schema, I can >> restart the FDS slapd without error, but the nis* attributes do not >> then show up in the FDS directory schema no matter how I look (try to >> add attribute in phpLDAPadmin, or via FDS console under >> config-->schema or elsewhere). 
I have a 2 server master/client setup >> and have added the schema files on both and restarted slapd on both >> several times > For the authoritative view of the schema, use ldapsearch: > ldapsearch -x -s base -b "cn=schema" | grep nis Well, I wandered off for a while and came back and there they were -- nis* objects/attributes. So I moved the schema back to 63*, restarted, went to lunch and they are still there. Does restart order matter for that (schema adds)? I didn't think so. I am not sure what It did. So I was able to add the nisDomainObject objectcalss and nisDomain attribute for my domain object. (I will say that the much lengthier document referenced in the How To was very helpful in helping me confirm what to do there.) So no, the iPlanet client service on the EMC is able to find its profile and such. Still doesn't work, but progress. I will now return to that thread. Thanks! Jim > >> >> There are a few other nis* attributes visible (nismap, nisnetgroup, >> nisobject) but none of these seem to duplicate what are provided by >> 63nisDomain.ldif. >> >> This config file appeared elsewhere on line and I tried it from 2 >> sources but it looked to be identical. I was able to make the slapd >> fail on restart by adding an unwanted space/CR to the file, so it >> seems like slapd is definitely trying to read it. I have verified >> that the LDIF on both FDS servers is identical. I turned logging up >> to 64 on slapd to get config processing errors, but it didn't yield >> much: >> >> config - Unknown attribute mod will be ignored >> [21/Mar/2007:10:21:28 -0700] - Fedora-Directory/1.0.2 B2006.060.1928 >> starting up >> [21/Mar/2007:10:21:28 -0700] - Unknown config attribute readonly >> [21/Mar/2007:10:21:28 -0700] - DNS ldap.example.com -> DN >> dc=ldap,dc=example,dc=com >> [21/Mar/2007:10:21:28 -0700] - slapd started. 
Listening on All >> Interfaces port 389 for LDAP requests >> [21/Mar/2007:10:21:29 -0700] - Listening on All Interfaces port 636 >> for LDAPS requests >> >> Not sure what those unknowns are, but I removed the nisDomain.ldif >> from config/schema and restarted; the error log output was unchanged. > That's odd. Try start-slapd -d 1 - this will spew out a large amount > of text, but should reveal any config file parsing problems. >> >> In case there was some unknown precedence issue, I changed the order >> of the 2 new LDIF to make nisDomain first, 62. I then moved it ahead >> of Samba schema to "59". No change. >> >> The LDIF I am using now is pasted below -- a one-attribute-per-line >> format. >> >> I am at a bit of a stand on this. I am *really* not understanding >> why I can't find any of these attributes. But, it feels like one of >> those times (they come about 10 times a year) where somebody may hit >> Jim with a very large clue stick -- like I am really missing >> something :( > I don't see anything obvious. >> >> Any insight appreciated. 
>>
>> Jim
>>
>> Current 63NisDomain.ldif:
>>
>> dn: cn=schema
>> attributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublickey' DESC 'nisPublickey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretkey' DESC 'nisSecretkey' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC 'NIS domain' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( 2.16.840.1.113730.3.1.30 NAME 'mgrpRFC822MailMember' DESC 'mgrpRFC822MailMember' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.12 NAME 'nisNetIdUser' DESC 'nisNetIdUser' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.13 NAME 'nisNetIdGroup' DESC 'nisNetIdGroup' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> attributeTypes: ( 1.3.6.1.4.1.42.2.27.1.1.14 NAME 'nisNetIdHost' DESC 'nisNetIdHost' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>> objectClasses: ( 1.3.6.1.1.1.2.14 NAME 'NisKeyObject' DESC 'NisKeyObject' SUP top MUST ( cn $ nisPublickey $ nisSecretkey ) MAY ( uidNumber $ description ) )
>> objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObject' SUP top AUXILIARY MUST ( nisDomain ) )
>> objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'mailGroup' SUP top MUST ( mail ) MAY ( cn $ mgrpRFC822MailMember ) )
>> objectClasses: ( 1.3.6.1.4.1.42.2.27.1.2.6 NAME 'nisNetId' DESC 'nisNetId' SUP top MUST ( cn ) MAY ( nisNetIdUser $ nisNetIdGroup $ nisNetIdHost ) )
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
/***************************************************************/
Jim Hogan                          jimh at u.washington.edu
Director, Computing Support
Department of Environmental and Occupational Health Sciences
4225 Roosevelt Way NE, Room 301F
Box 354695
206-616-7836
/***************************************************************/

From jimh at u.washington.edu Wed Mar 21 22:37:44 2007
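Richard's ldapsearch against cn=schema is the authoritative check once the server is up; what the thread has no tool for is checking the LDIF before the restart, to separate "slapd rejected it" from "slapd never read it". The block below is an added example, not code from the thread or from Fedora DS: a small Python checker that unfolds the LDIF, parses each attributeTypes/objectClasses definition, and reports malformed OIDs, OIDs used twice, and MUST/MAY or SUP references that resolve neither to something the file defines nor to the attributes the caller says the server already has. SAMPLE_SCHEMA is a constructed excerpt modelled on Jim's file (OIDs copied as posted), folded the LDIF way, with a deliberately broken brokenClass entry added so the checks have something to find; the known_attrs argument is an assumption standing in for the server's core schema.

```python
"""Schema LDIF sanity check (added example; not from the thread or Fedora DS)."""
import re
from typing import Dict, List, Sequence, Tuple

# One definition per line after unfolding: "attributeTypes: ( <oid> <body> )"
DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*\(\s*(\S+)\s+(.*)\)\s*$", re.I)
OID_RE = re.compile(r"^\d+(\.\d+)+$")

# Constructed excerpt modelled on the thread's 63NisDomain.ldif (OIDs as posted),
# folded the LDIF way (continuation lines start with one space) and with a
# deliberately malformed 'brokenClass' entry added to exercise the checks.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.1.1.1.12 SUP name NAME 'nisDomain' DESC 'NIS domain'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.1.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'nisDomainObject'
  SUP top AUXILIARY MUST ( nisDomain ) )
objectClasses: ( 2.16.840.1.113730.3.2.4 NAME 'mailGroup' DESC 'mailGroup'
  SUP top MUST ( mail ) MAY ( cn $ mgrpRFC822MailMember ) )
objectClasses: ( 1.2.3.bad NAME 'brokenClass' SUP top MUST ( cn ) )
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line beginning with a single space
    is appended (minus that space) to the previous line."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def names_of(body: str) -> List[str]:
    """NAME 'foo' or NAME ( 'foo' 'bar' ) -> list of names."""
    m = re.search(r"\bNAME\s+'([^']+)'", body)
    if m:
        return [m.group(1)]
    m = re.search(r"\bNAME\s+\(([^)]*)\)", body)
    return re.findall(r"'([^']+)'", m.group(1)) if m else []


def ref_list(body: str, keyword: str) -> List[str]:
    """MUST ( a $ b ) / MAY ( a ) / SUP top -> list of referenced names."""
    m = re.search(r"\b%s\s+\(([^)]*)\)" % keyword, body)
    if m:
        return [a.strip() for a in m.group(1).split("$") if a.strip()]
    m = re.search(r"\b%s\s+([A-Za-z][\w-]*)" % keyword, body)
    return [m.group(1)] if m else []


def check_schema(text: str, known_attrs: Sequence[str] = (),
                 known_classes: Sequence[str] = ("top",)) -> List[str]:
    """Return human-readable problems; an empty list means the file looks sane."""
    problems: List[str] = []
    attrs: Dict[str, str] = {}                 # lower-case name -> body
    classes: Dict[str, Tuple[str, str]] = {}   # lower-case name -> (name, body)
    seen_oids: Dict[str, str] = {}
    for line in unfold_ldif(text):
        m = DEF_RE.match(line)
        if not m:
            continue
        kind, oid, body = m.group(1).lower(), m.group(2), m.group(3)
        names = names_of(body)
        label = names[0] if names else oid
        if not names:
            problems.append(f"{kind} {oid}: definition has no NAME")
        if not OID_RE.match(oid):
            problems.append(f"{label}: malformed OID {oid!r}")
        if oid in seen_oids:
            problems.append(f"{label}: OID {oid} already used by {seen_oids[oid]}")
        seen_oids[oid] = label
        for n in names:
            if kind == "attributetypes":
                attrs[n.lower()] = body
            else:
                classes[n.lower()] = (n, body)
    # LDAP names are case-insensitive, so compare everything lower-cased.
    known_a = {a.lower() for a in known_attrs} | set(attrs)
    known_c = {c.lower() for c in known_classes} | set(classes)
    for name, body in classes.values():
        for sup in ref_list(body, "SUP"):
            if sup.lower() not in known_c:
                problems.append(f"{name}: SUP {sup} is not a known objectClass")
        for kw in ("MUST", "MAY"):
            for a in ref_list(body, kw):
                if a.lower() not in known_a:
                    problems.append(f"{name}: {kw} attribute {a} is defined nowhere")
    return problems


if __name__ == "__main__":
    # Attributes assumed to exist already in the server's core schema.
    for p in check_schema(SAMPLE_SCHEMA, known_attrs=("cn", "mail", "uidNumber", "description")):
        print(p)
```

Run against the sample it reports the bad OID and that mailGroup's MAY list names mgrpRFC822MailMember without the file (or the known set) defining it; against Jim's real file, with the output of Richard's ldapsearch fed in as known_attrs, an empty list tells you the file is at least internally consistent before you touch config/schema.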
From: jimh at u.washington.edu (Jim Hogan)
Date: Wed, 21 Mar 2007 15:37:44 -0700
Subject: [Fedora-directory-users] More re: Integrating EMC NAS (and Solaris How-To)
In-Reply-To: <46006380.5040701@u.washington.edu>
References: <46006380.5040701@u.washington.edu>
Message-ID: <4601B3B8.1050701@u.washington.edu>

My overall goal is still getting this EMC to work so I don't have to take it apart and send it back. I think I am getting real close (to not sending it back).

Richard M. graciously helped me through some problems, probably self-induced, with loading of the NIS/Solaris schema mentioned in the FDS Solaris How-To. After following the steps in the How-To, I purged and redid the client profile with a defined TTL of 5 minutes and then I erased the EMC's client/bind/profile config and started over. Many more things now work. When, on the EMC, I issue "server_ldap servername -info -verbose" I see that it now has the profile's TTL and timestamp and it actually has a correct mapping of group to ou=Groups. Progress!

However, as an example pasted below shows, it was still only resolving users by numeric uid. No attempt at resolving group name/id worked. No problem binding that I immediately saw. This *seemed* like some sort of an attribute mapping issue, but then I saw that group queries worked maybe 1 time in 4. When I started looking more closely at LDAP logs, I realized the NAS' queries weren't making it to the LDAP server/daemon. Name resolution.

The EMC NS350 is functionally divided into a "control station" and a "data mover". These each have their own /etc/hosts and nsswitch.conf. DNS lookup for LDAP server apparently wasn't fast enough for the EMC, so I have temporarily changed LDAP server spec in the iPlanet client profile to the LDAP server's IP. Now I am seeing consistent results for group/user queries. I'll add an updated hosts file to the data mover. So the initial NIS schema and profile simply hid another problem.
It is looking like I might be able to keep this thing.

Jim

[nasadmin]$ server_ldap server_2 -lookup -group staff
server_2 : Unable to get information for group staff
[nasadmin]$ server_ldap server_2 -lookup -group 2611
server_2 : Unable to get information for group 2600
[nasadmin]$ server_ldap server_2 -lookup -gid 2611
server_2 : Unable to get information for gid 2600
[nasadmin]$ server_ldap server_2 -lookup -user jimh
server_2 : Unable to get information for user jimh
[nasadmin]$ server_ldap server_2 -lookup -uid jim
server_2 : Unable to get information for uid 0
[nasadmin]$ server_ldap server_2 -lookup -uid 1111
server_2 : user: jim, uid: 1111, gid: 2611

Jim Hogan wrote:
> I am trialing an EMC NS350 as a candidate NAS to serve CIFS and NFS clients (XP, OSX, and Linux). I have set up a working Samba 3.x domain with FDS 1.01 back end and I have an older, borrowed NetApp Filer (DataOnTap 6.5) working fine as a temporary NFS/CIFS server authing against LDAP/Samba.
>
> With the EMC, official support is limited to AD and Sun iPlanet LDAP. The latter limitation of support is turning out to be less theoretical than I might have hoped. It seems like the EMC wants to behave like an "official" iPlanet/Sun client.
>
> I am thinking that the solution to this problem could be to config FDS as laid out in the Solaris Client How-To here:
>
> http://directory.fedora.redhat.com/wiki/Howto:SolarisClient
>
> I have a couple of questions. First, has anybody done this (integrated an EMC) who has a cut-and-dried report on doing it? Second, the second schema for NIS domain seems relevant only if the client is also binding to a NIS domain. I'm not. Or hope not to be :) Then, is the following step -- adding nisdomain attribute -- also optional? Seems like it should be.
> I am going to try the EMC with the stock set of serviceSearchDescriptor listed in the How-To's example profile. If anybody else has improved on that for an EMC, I would be interested in your comments.
>
> There were both pros and cons when comparing NetApp and EMC offerings this time. It is a bit ironic that NetApp isn't nearly as Linux-y as EMCs Celerra product, yet LDAP was a breeze to set up on the Filer itself. In contrast, very little client-side non-iPlanet configuration is possible on the EMC, so I don't see much alternative to going through this server-side Solaris-style config change (and hope that it works!)
>
> Thanks,
>
> Jim
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From D.R.Barker at exeter.ac.uk Thu Mar 22 09:25:12 2007
From: D.R.Barker at exeter.ac.uk (David Barker)
Date: Thu, 22 Mar 2007 09:25:12 +0000
Subject: [Fedora-directory-users] Integrating EMC NAS (and Solaris How-To)
In-Reply-To: <46006380.5040701@u.washington.edu>
References: <46006380.5040701@u.washington.edu>
Message-ID: <46024B78.5030509@exeter.ac.uk>

Jim Hogan wrote:
> I am trialing an EMC NS350 as a candidate NAS to serve CIFS and NFS clients (XP, OSX, and Linux). I have set up a working Samba 3.x domain with FDS 1.01 back end and I have an older, borrowed NetApp Filer (DataOnTap 6.5) working fine as a temporary NFS/CIFS server authing against LDAP/Samba.
>
> With the EMC, official support is limited to AD and Sun iPlanet LDAP. The latter limitation of support is turning out to be less theoretical than I might have hoped. It seems like the EMC wants to behave like an "official" iPlanet/Sun client.
>
> I am thinking that the solution to this problem could be to config FDS as laid out in the Solaris Client How-To here:
>
> http://directory.fedora.redhat.com/wiki/Howto:SolarisClient
>
> I have a couple of questions. First, has anybody done this (integrated an EMC) who has a cut-and-dried report on doing it?
Yes ;-)

You will need a profile - ours look something like this:

dn: cn=default, ou=profile, dc=exeter,dc=ac,dc=uk
defaultSearchBase: dc=exeter,dc=ac,dc=uk
authenticationMethod: simple
followReferrals: TRUE
bindTimeLimit: 2
profileTTL: 43200
searchTimeLimit: 30
serviceAuthenticationMethod: pam_ldap:simple
objectClass: top
objectClass: DUAConfigProfile
defaultServerList: 1.2.3.4 1.2.3.3 1.2.3.2
credentialLevel: proxy
cn: default
serviceSearchDescriptor: passwd:ou=People,dc=exeter,dc=ac,dc=uk?sub
serviceSearchDescriptor: group:ou=group,dc=exeter,dc=ac,dc=uk?sub
serviceSearchDescriptor: user_attr:ou=people,dc=exeter,dc=ac,dc=uk?sub
serviceSearchDescriptor: shadow:ou=People,dc=exeter,dc=ac,dc=uk?sub
defaultSearchScope: one

Once you have a profile, run on the control station:

[nasadmin at XXXXCS nasadmin]$ server_ldap server_2 -set -domain exeter.ac.uk -servers 1.2.3.4 -profile default

If you have multiple directories (I assume you do) - pass in any one of the IP's, but make sure they're all in the profile.

Once you have run it, verify that all is well:

[nasadmin at RCRNSCS nasadmin]$ server_ldap server_2 -info
server_2 :
LDAP domain: exeter.ac.uk
State: Configured - Connected
NIS domain: exeter.ac.uk
Profile Name: default
Profile TTL: 43200 seconds
Next Profile update in 43197 seconds
Connected to LDAP server address: 1.2.3.4 - port 389
[nasadmin at RCRNSCS nasadmin]$ server_ldap server_2 -lookup -user guest500
server_2 : user: guest500, uid: 1577, gid: 1001
[nasadmin at RCRNSCS nasadmin]$

From stpierre at NebrWesleyan.edu Thu Mar 22 14:38:22 2007
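David's DUAConfigProfile is the piece the EMC actually consumes, and two things in it deserve a second look before it goes into production: authenticationMethod/serviceAuthenticationMethod of plain "simple" means the proxy DN's password crosses the wire unprotected (RFC 4876 spells the TLS-protected form "tls:simple"), and, as Jim found one message earlier, the EMC copes better when defaultServerList carries IP literals than names it must resolve. The following is an added example, not code from the thread or from any vendor: a Python reader for the profile entry, a parser for the serviceSearchDescriptor syntax (service:base?scope?filter, with a base ending in "," taken as relative to defaultSearchBase), and an audit that flags those two weaknesses. WEAK_PROFILE is a constructed variant of David's profile with a hostname and a relative base added to exercise the checks; HARDENED_PROFILE is the same profile with the corrected settings.

```python
"""DUAConfigProfile parsing and audit (added example; not from the thread)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed profile modelled on David's, with a hostname in defaultServerList
# and a relative search base added so the checks below have something to flag.
WEAK_PROFILE = """\
dn: cn=default, ou=profile, dc=exeter,dc=ac,dc=uk
objectClass: top
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=exeter,dc=ac,dc=uk
defaultServerList: ldap.example.com 1.2.3.4
authenticationMethod: simple
credentialLevel: proxy
serviceAuthenticationMethod: pam_ldap:simple
serviceSearchDescriptor: passwd:ou=People,dc=exeter,dc=ac,dc=uk?sub
serviceSearchDescriptor: group:ou=group,?sub
defaultSearchScope: one
profileTTL: 43200
"""

# Same profile with the binds moved onto TLS and servers given as IP literals
# (RFC 4876 names the TLS-protected simple bind "tls:simple").
HARDENED_PROFILE = (
    WEAK_PROFILE
    .replace("defaultServerList: ldap.example.com 1.2.3.4", "defaultServerList: 1.2.3.4 1.2.3.3")
    .replace("authenticationMethod: simple", "authenticationMethod: tls:simple")
    .replace("serviceAuthenticationMethod: pam_ldap:simple",
             "serviceAuthenticationMethod: pam_ldap:tls:simple")
)


def parse_profile(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF entry reader (assumes no folded lines or base64 values).
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_ssd(value: str, default_base: str = "",
              default_scope: str = "one") -> List[Dict[str, Optional[str]]]:
    """Split 'service:base?scope?filter[;base?scope?filter...]' into parts.
    A base ending in ',' is relative to defaultSearchBase (RFC 4876)."""
    service, _, rest = value.partition(":")
    descs: List[Dict[str, Optional[str]]] = []
    for part in rest.split(";"):
        base, _, tail = part.partition("?")
        scope, _, filt = tail.partition("?")
        if base.endswith(","):
            base += default_base
        descs.append({"service": service, "base": base or default_base,
                      "scope": scope or default_scope, "filter": filt or None})
    return descs


def audit_profile(entry: Dict[str, List[str]]) -> List[str]:
    """Flag clear-text binds and server entries that depend on name resolution."""
    findings: List[str] = []
    for attr in ("authenticationmethod", "serviceauthenticationmethod"):
        for value in entry.get(attr, []):
            # serviceAuthenticationMethod is "service:mechs"; the other is just "mechs".
            mechs = value.split(":", 1)[1] if attr == "serviceauthenticationmethod" else value
            if any(m.strip().lower() == "simple" for m in mechs.split(";")):
                findings.append(f"{attr} '{value}': plain simple bind, so the bind password "
                                "crosses the network in clear text; use tls:simple or a SASL mechanism")
    for token in " ".join(entry.get("defaultserverlist", [])).split():
        host = token.rsplit(":", 1)[0] if token.count(":") == 1 else token   # strip host:port
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"defaultserverlist '{token}': a hostname the client must resolve "
                            "before it can reach the directory (the thread's EMC needed an IP here)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        entry = parse_profile(text)
        base, scope = entry["defaultsearchbase"][0], entry["defaultsearchscope"][0]
        for ssd in entry.get("servicesearchdescriptor", []):
            print(label, parse_ssd(ssd, base, scope))
        print(label, audit_profile(entry) or ["no findings"])
```

The relative-base rule matters when auditing descriptors: "group:ou=group,?sub" only resolves to a concrete container once defaultSearchBase is appended, so the parser takes that value as an argument rather than guessing.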
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Thu, 22 Mar 2007 09:38:22 -0500 (CDT)
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db
Message-ID:

Sometime earlier this week (still trying to determine when), the multi-master replication on one of our databases broke. I tried to reinitialize it between a few of the hosts, and I got a bunch of errors:

[22/Mar/2007:09:27:39 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica o=isp is going offline; disabling replication
[22/Mar/2007:09:27:41 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[22/Mar/2007:09:27:45 -0500] - ERROR bulk import abandoned
[22/Mar/2007:09:27:45 -0500] - import userRoot: Aborting all import threads...
[22/Mar/2007:09:27:53 -0500] - import userRoot: Import threads aborted.
[22/Mar/2007:09:27:53 -0500] - import userRoot: Closing files...
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/owner.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/modifytimestamp.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/telephoneNumber.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/nsUniqueId.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/ou.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/icsCalendar.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/sambaSID.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:56 -0500] - libdb: userRoot/givenName.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/gidnumber.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/createtimestamp.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uid.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uidNumber.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/aci.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uniquemember.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/entrydn.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
[22/Mar/2007:09:27:57 -0500] - import userRoot: Import failed.
[22/Mar/2007:09:27:57 -0500] - process_bulk_import_op: NULL backend

This erased the database, and I was left with no data. Subsequently, I've restarted FDS, restored from backup using bak2db.pl, and it still doesn't work.

Any ideas?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
Never send mail to thobrux at nebrwesleyan.edu

From rmeggins at redhat.com Thu Mar 22 15:05:12 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 22 Mar 2007 09:05:12 -0600
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db
In-Reply-To:
References:
Message-ID: <46029B28.7050705@redhat.com>

Chris St. Pierre wrote:
> Sometime earlier this week (still trying to determine when), the multi-master replication on one of our databases broke. I tried to reinitialize it between a few of the hosts, and I got a bunch of errors:
>
> [22/Mar/2007:09:27:39 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica o=isp is going offline; disabling replication
> [22/Mar/2007:09:27:41 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [22/Mar/2007:09:27:45 -0500] - ERROR bulk import abandoned
???? You might try enabling the replication log level to see what is going on here.
> [22/Mar/2007:09:27:45 -0500] - import userRoot: Aborting all import threads...
> [22/Mar/2007:09:27:53 -0500] - import userRoot: Import threads aborted.
> [22/Mar/2007:09:27:53 -0500] - import userRoot: Closing files...
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/owner.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/modifytimestamp.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/telephoneNumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/nsUniqueId.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/ou.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/icsCalendar.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/sambaSID.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/givenName.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/gidnumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/createtimestamp.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uid.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uidNumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/aci.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uniquemember.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/entrydn.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - import userRoot: Import failed.
> [22/Mar/2007:09:27:57 -0500] - process_bulk_import_op: NULL backend
>
> This erased the database, and I was left with no data. Subsequently, I've restarted FDS, restored from backup using bak2db.pl, and it still doesn't work.
>
> Any ideas?
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> ----------------------------
> Never send mail to thobrux at nebrwesleyan.edu
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From stpierre at NebrWesleyan.edu Thu Mar 22 16:20:39 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Thu, 22 Mar 2007 11:20:39 -0500 (CDT)
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db
In-Reply-To: <46029B28.7050705@redhat.com>
References: <46029B28.7050705@redhat.com>
Message-ID:

On Thu, 22 Mar 2007, Richard Megginson wrote:

> ???? You might try enabling the replication log level to see what is going on here.

Not much more data from that:

[22/Mar/2007:11:18:09 -0500] - repl5_inc_waitfor_async_results: 0 0
[22/Mar/2007:11:18:09 -0500] - repl5_inc_result_threadmain starting
[22/Mar/2007:11:18:09 -0500] NSMMReplicationPlugin - conn=1067 op=61 repl="o=isp": Released replica
[22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - conn=1074 op=3 repl="o=isp": Begin total protocol
[22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - conn=1074 op=3 repl="o=isp": Acquired replica
[22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica o=isp is going offline; disabling replication
[22/Mar/2007:11:18:10 -0500] - repl5_inc_result_threadmain exiting
[22/Mar/2007:11:18:10 -0500] agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389) - session end: state=0 load=0 sent=0 skipped=0
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Successfully released consumer
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Beginning linger on the connection
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): State: sending_updates -> wait_for_changes
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): State: wait_for_changes -> wait_for_changes
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Cancelling linger on the connection
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Disconnected from the consumer
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): repl5_inc_stop: protocol stopped after 0 seconds
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - conn=0 op=0 repl="o=isp": Replica in use locking_purl=conn=1074 id=3
[22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - replica_disable_replication: replica o=isp is acquired
[22/Mar/2007:11:18:12 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[22/Mar/2007:11:18:12 -0500] NSMMReplicationPlugin - conn=1074 op=3 repl="o=isp": StartNSDS50ReplicationRequest: response=0 rc=0
[22/Mar/2007:11:18:16 -0500] - ERROR bulk import abandoned
[22/Mar/2007:11:18:16 -0500] - import userRoot: Aborting all import threads...
[22/Mar/2007:11:18:24 -0500] - import userRoot: Import threads aborted.
[22/Mar/2007:11:18:24 -0500] - import userRoot: Closing files...
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/owner.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/modifytimestamp.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/icsCalendar.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/telephoneNumber.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/nsUniqueId.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/ou.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/sambaSID.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/givenName.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/gidnumber.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/createtimestamp.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/uid.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/uidNumber.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/aci.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/uniquemember.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/entrydn.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - import userRoot: Import failed.
[22/Mar/2007:11:18:28 -0500] NSMMReplicationPlugin - Aborting total update in progress for replicated area o=isp connid=1074
[22/Mar/2007:11:18:28 -0500] - process_bulk_import_op: NULL backend
[22/Mar/2007:11:18:28 -0500] NSMMReplicationPlugin - conn=1074 op=-1 repl="o=isp": Released replica
[22/Mar/2007:11:18:29 -0500] NSMMReplicationPlugin - conn=1077 op=3 repl="o=isp": Begin incremental protocol
[22/Mar/2007:11:18:30 -0500] NSMMReplicationPlugin - conn=1077 op=3 repl="o=isp": Acquired replica
[22/Mar/2007:11:18:30 -0500] NSMMReplicationPlugin - conn=1077 op=3 repl="o=isp": StartNSDS50ReplicationRequest: response=0 rc=0

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
Never send mail to thobrux at nebrwesleyan.edu

From nhosoi at redhat.com Thu Mar 22 16:58:07 2007
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 22 Mar 2007 08:58:07 -0800
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db
In-Reply-To:
References: <46029B28.7050705@redhat.com>
Message-ID: <4602B59F.4000006@redhat.com>

The message is displayed when the "connection is destroyed"... Could there be any error messages on the other side? Do you see something related in the errors and/or access logs?

    /* connection was destroyed while we were still storing the extension --
     * this is bad news and means we have a bulk import that needs to be
     * aborted! */
    LDAPDebug(LDAP_DEBUG_ANY, "ERROR bulk import abandoned\n", 0, 0, 0);

Chris St. Pierre wrote:
> On Thu, 22 Mar 2007, Richard Megginson wrote:
>
>> ???? You might try enabling the replication log level to see what is going on here.
>
> Not much more data from that:
>
> [22/Mar/2007:11:18:09 -0500] - repl5_inc_waitfor_async_results: 0 0
> [22/Mar/2007:11:18:09 -0500] - repl5_inc_result_threadmain starting
> [22/Mar/2007:11:18:09 -0500] NSMMReplicationPlugin - conn=1067 op=61 repl="o=isp": Released replica
> [22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - conn=1074 op=3 repl="o=isp": Begin total protocol
> [22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - conn=1074 op=3 repl="o=isp": Acquired replica
> [22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica o=isp is going offline; disabling replication
> [22/Mar/2007:11:18:10 -0500] - repl5_inc_result_threadmain exiting
> [22/Mar/2007:11:18:10 -0500] agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389) - session end: state=0 load=0 sent=0 skipped=0
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Successfully released consumer
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Beginning linger on the connection
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): State: sending_updates -> wait_for_changes
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): State: wait_for_changes -> wait_for_changes
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Cancelling linger on the connection
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): Disconnected from the consumer
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - agmt="cn="Replication to zeppo.nebrwesleyan.edu (o=isp)"" (zeppo:389): repl5_inc_stop: protocol stopped after 0 seconds
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - conn=0 op=0 repl="o=isp": Replica in use locking_purl=conn=1074 id=3
> [22/Mar/2007:11:18:11 -0500] NSMMReplicationPlugin - replica_disable_replication: replica o=isp is acquired
> [22/Mar/2007:11:18:12 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [22/Mar/2007:11:18:12 -0500] NSMMReplicationPlugin - conn=1074 op=3 repl="o=isp": StartNSDS50ReplicationRequest: response=0 rc=0
> [22/Mar/2007:11:18:16 -0500] - ERROR bulk import abandoned
> [22/Mar/2007:11:18:16 -0500] - import userRoot: Aborting all import threads...
> [22/Mar/2007:11:18:24 -0500] - import userRoot: Import threads aborted.
> [22/Mar/2007:11:18:24 -0500] - import userRoot: Closing files...
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/owner.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/modifytimestamp.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/icsCalendar.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/telephoneNumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/nsUniqueId.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/ou.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/sambaSID.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/givenName.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:27 -0500] - libdb: userRoot/gidnumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/createtimestamp.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/uid.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/uidNumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/aci.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/uniquemember.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/entrydn.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
> [22/Mar/2007:11:18:28 -0500] - import userRoot: Import failed.
> [22/Mar/2007:11:18:28 -0500] NSMMReplicationPlugin - Aborting total update in progress for replicated area o=isp connid=1074
> [22/Mar/2007:11:18:28 -0500] - process_bulk_import_op: NULL backend
> [22/Mar/2007:11:18:28 -0500] NSMMReplicationPlugin - conn=1074 op=-1 repl="o=isp": Released replica
> [22/Mar/2007:11:18:29 -0500] NSMMReplicationPlugin - conn=1077 op=3 repl="o=isp": Begin incremental protocol
> [22/Mar/2007:11:18:30 -0500] NSMMReplicationPlugin - conn=1077 op=3 repl="o=isp": Acquired replica
> [22/Mar/2007:11:18:30 -0500] NSMMReplicationPlugin - conn=1077 op=3 repl="o=isp": StartNSDS50ReplicationRequest: response=0 rc=0
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> ----------------------------
> Never send mail to thobrux at nebrwesleyan.edu
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From stpierre at NebrWesleyan.edu Thu Mar 22 16:12:12 2007
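Noriko's pointer ties the consumer-side "ERROR bulk import abandoned" to a connection that died mid-transfer, and Chris's later supplier-side log (LDAP error 81, "Can't contact LDAP server") is the other half of that picture. Correlating the two by hand across a hundred libdb lines is error-prone, so here is an added example, not code from the thread or from Fedora DS: a Python parser for the errors-log line format ([timestamp] component - message) and a triage function that extracts the total-update sequence from the consumer log (begin, abandon, per-backend import failure, index files reported missing, NULL backend) and the connection errors from the supplier log, then states what the two logs together show. CONSUMER_LOG and SUPPLIER_LOG are short excerpts of the lines Chris posted, with the wrap damage in the libdb lines cleaned up; the timestamps differ because they come from two different attempts.

```python
"""Fedora DS errors-log triage for an aborted total update (added example)."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# "[22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - message" or
# "[22/Mar/2007:11:18:16 -0500] - message" (no component).
LOG_RE = re.compile(r"^\[([^\]]+)\]\s+(?:(.+?)\s+)?-\s+(.*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MISSING_RE = re.compile(r"libdb: (\S+): unable to flush:\s*No\s*such\s*file or directory")
FAILED_RE = re.compile(r"import (\S+): Import failed\.")
SEND_RE = re.compile(r"Failed to send extended operation: (LDAP error \d+ \([^)]*\))")

# Excerpts of the consumer log Chris posted (11:18 attempt).
CONSUMER_LOG = """\
[22/Mar/2007:11:18:10 -0500] NSMMReplicationPlugin - conn=1074 op=3 repl="o=isp": Begin total protocol
[22/Mar/2007:11:18:12 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[22/Mar/2007:11:18:16 -0500] - ERROR bulk import abandoned
[22/Mar/2007:11:18:16 -0500] - import userRoot: Aborting all import threads...
[22/Mar/2007:11:18:27 -0500] - libdb: userRoot/owner.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
[22/Mar/2007:11:18:28 -0500] - import userRoot: Import failed.
[22/Mar/2007:11:18:28 -0500] NSMMReplicationPlugin - Aborting total update in progress for replicated area o=isp connid=1074
[22/Mar/2007:11:18:28 -0500] - process_bulk_import_op: NULL backend
"""

# Excerpts of the supplier log Chris posted later in the thread (12:58 attempt).
SUPPLIER_LOG = """\
[22/Mar/2007:12:58:11 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389)".
[22/Mar/2007:12:58:26 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
"""


class LogEntry(NamedTuple):
    ts: datetime
    component: Optional[str]
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """One errors-log line -> LogEntry, or None if it is not in that format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3))


def diagnose_total_update(consumer_lines: List[str], supplier_lines: List[str]) -> Dict[str, object]:
    """Pull the abandoned-import sequence out of both logs and summarise it."""
    consumer = [e for e in map(parse_line, consumer_lines) if e]
    supplier = [e for e in map(parse_line, supplier_lines) if e]
    started = next((e.ts for e in consumer if "Begin total protocol" in e.message), None)
    abandoned = next((e.ts for e in consumer if e.message == "ERROR bulk import abandoned"), None)
    failed = [m.group(1) for e in consumer for m in [FAILED_RE.search(e.message)] if m]
    missing = [m.group(1) for e in consumer for m in [MISSING_RE.search(e.message)] if m]
    send_errs = [m.group(1) for e in supplier for m in [SEND_RE.search(e.message)] if m]
    null_backend = any("process_bulk_import_op: NULL backend" in e.message for e in consumer)
    report: Dict[str, object] = {
        "total_update_started": started,
        "bulk_import_abandoned": abandoned,
        "seconds_until_abort": int((abandoned - started).total_seconds()) if started and abandoned else None,
        "import_failed_backends": failed,
        "missing_index_files": missing,
        "null_backend_after_abort": null_backend,
        "supplier_connection_errors": send_errs,
    }
    if abandoned and failed:
        verdict = ("consumer abandoned the bulk import because the supplier's connection went away "
                   "mid-transfer (the code path Noriko quotes); the import of %s then failed with %d "
                   "index files reported missing" % (", ".join(failed), len(missing)))
        if send_errs:
            verdict += "; the supplier log agrees (%s)" % ", ".join(send_errs)
    else:
        verdict = "no abandoned total update found in the consumer log"
    report["verdict"] = verdict
    return report


if __name__ == "__main__":
    for key, value in diagnose_total_update(CONSUMER_LOG.splitlines(), SUPPLIER_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a live system the consumer's errors log and the supplier's errors log are the two inputs; the "seconds_until_abort" figure (six seconds here between "Begin total protocol" and the abort) is worth watching, because a total update that dies that quickly points at the transport rather than at the data being imported.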
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Thu, 22 Mar 2007 11:12:12 -0500 (CDT)
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db
In-Reply-To: <46029B28.7050705@redhat.com>
References: <46029B28.7050705@redhat.com>
Message-ID:

On Thu, 22 Mar 2007, Richard Megginson wrote:

> ???? You might try enabling the replication log level to see what is going on here.

How do I do that?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
Never send mail to thobrux at nebrwesleyan.edu

From vsi at ebi.ac.uk Thu Mar 22 17:04:08 2007
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Thu, 22 Mar 2007 17:04:08 +0000 (GMT)
Subject: [Fedora-directory-users] Deleting database
Message-ID:

I'm using Fedora DS 1.0.4. I've written an application that uses Fedora DS and next I'm planning to write unit tests. I'm wondering if there is a way to delete the whole userRoot database and create it again? I searched the documentation and there seems to be a way to create the database from command line, but no way to delete it, except from the GUI?

The reason I'd like to re-create the database is that it simplifies writing unit tests. Before each test case I'd like to re-create the database and import a fixture. Well, that's how I've done unit tests for database applications before, perhaps someone has a better approach?

Thank you for any advice!

Best regards,
Ville

From rmeggins at redhat.com Thu Mar 22 17:07:25 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Thu, 22 Mar 2007 11:07:25 -0600
Subject: [Fedora-directory-users] Deleting database
Message-ID: <4602B7CD.6060401@redhat.com>

Ville Silventoinen wrote:
> I'm using Fedora DS 1.0.4. I've written an application that uses Fedora DS
> and next I'm planning to write unit tests. I'm wondering if there is a way
> to delete the whole userRoot database and create it again? I searched the
> documentation and there seems to be a way to create the database from
> command line, but no way to delete it, except from the GUI?
Just delete the entry (e.g. delete cn=userRoot,cn=ldbm database,cn=plugins,cn=config).
You will have to do some sort of recursive deletion to remove all of the
child entries. I think this is what the GUI does - just check the access
logs for the server after deleting the database in the console.
>
> The reason I'd like to re-create the database is that it simplifies
> writing unit tests. Before each test case I'd like to re-create the
> database and import a fixture. Well, that's how I've done unit tests
> for database applications before, perhaps someone has a better approach?
>
> Thank you for any advice!
>
> Best regards,
> Ville

From stpierre at NebrWesleyan.edu Thu Mar 22 18:03:48 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Thu, 22 Mar 2007 13:03:48 -0500 (CDT)
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db
In-Reply-To: <4602B59F.4000006@redhat.com>
References: <46029B28.7050705@redhat.com> <4602B59F.4000006@redhat.com>

On Thu, 22 Mar 2007, Noriko Hosoi wrote:

> The message is displayed when the "connection is destroyed"... Could there
> be any error messages on the other side? Do you see something related in
> the errors and/or access logs?

Here's what I get on the supplier:

[22/Mar/2007:12:58:11 -0500] NSMMReplicationPlugin - Beginning total update of replica "agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389)".
[22/Mar/2007:12:58:26 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Failed to send extended operation: LDAP error 81 (Can't contact LDAP server)
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Received error 89: NULL for totalupdate operation
[22/Mar/2007:12:58:27 -0500] NSMMReplicationPlugin - agmt="cn="Replication to groucho.nebrwesleyan.edu (o=isp)"" (groucho:389): Warning: unable to send endReplication extended operation (Bad parameter to an ldap routine)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
Never send mail to thobrux at nebrwesleyan.edu

From stpierre at NebrWesleyan.edu Thu Mar 22 21:15:47 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Thu, 22 Mar 2007 16:15:47 -0500 (CDT)
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db

With the help of a couple folks on IRC (thanks richm, uffe!), here's what
I figured out I can do:

In order to get two machines doing MMR again, I first got rid of any MMR
agreements between them, and then shut them both down. Then I chose one
and exported the LDAP database with:

    /opt/fedora-ds/slapd-instance/db2ldif -n userRoot

I copied the LDIF file to the other node. Then I imported it on both:

    /opt/fedora-ds/slapd-instance/ldif2db -n userRoot -i /opt/fedora-ds/slapd-instance/ldif/2007_03_22_141131.ldif

Then I went into the changelogdb/ folder and blew away all of the __db.*,
*.db4, and log.* files.

At this point, I started Fedora DS on both nodes again. I then used mmr.pl
to re-initialize the MMR agreement between the two of them, and all was
well. I've now got MMR working again between three nodes; the fourth will
get added back in late tonight.

This may be more cautious than is necessary, but it's working. I still
have no clue what caused this initially, but I don't really care (unless
it happens again).

Thanks for everyone's help!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 22 Mar 2007, Chris St. Pierre wrote:

> Sometime earlier this week (still trying to determine when), the
> multi-master replication on one of our databases broke. I tried to
> reinitialize it between a few of the hosts, and I got a bunch of
> errors:
>
> [22/Mar/2007:09:27:39 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica o=isp is going offline; disabling replication
> [22/Mar/2007:09:27:41 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
> [22/Mar/2007:09:27:45 -0500] - ERROR bulk import abandoned
> [22/Mar/2007:09:27:45 -0500] - import userRoot: Aborting all import threads...
> [22/Mar/2007:09:27:53 -0500] - import userRoot: Import threads aborted.
> [22/Mar/2007:09:27:53 -0500] - import userRoot: Closing files...
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/owner.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/modifytimestamp.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/telephoneNumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/nsUniqueId.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/ou.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/icsCalendar.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/sambaSID.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:56 -0500] - libdb: userRoot/givenName.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/gidnumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/createtimestamp.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uid.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uidNumber.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/aci.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/uniquemember.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/entrydn.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
> [22/Mar/2007:09:27:57 -0500] - import userRoot: Import failed.
> [22/Mar/2007:09:27:57 -0500] - process_bulk_import_op: NULL backend
>
> This erased the database, and I was left with no data. Subsequently,
> I've restarted FDS, restored from backup using bak2db.pl, and it still
> doesn't work.
>
> Any ideas?
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> ----------------------------
> Never send mail to thobrux at nebrwesleyan.edu

From rnappert at juniper.net Thu Mar 22 21:18:40 2007
From: rnappert at juniper.net (Reinhard Nappert)
Date: Thu, 22 Mar 2007 17:18:40 -0400
Subject: [Fedora-directory-users] consumer reinitialization ...
Message-ID: <3525C9833C09ED418C6FD6CD9514668C0132C008@emailwf1.jnpr.net>

Hi,

I work with Fedora DS 1.0.4 in a replicated environment (no matter if
multi-master or master/slave relationship). When I switch the role of one
consumer (let's say from a supplier (multi-master setup) to a dedicated
consumer), I get the following error:

[20/Mar/2007:11:55:24 -0400] agmt="cn=master2slave" (slave:389) - Can't locate CSN 46000257000000020000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.

Is there a way to avoid this? It really does not change anything on the
master side.

Thanks,
-Reinhard

From Julien.Guyon at cr-lorraine.fr Fri Mar 23 08:10:19 2007
From: Julien.Guyon at cr-lorraine.fr (Guyon Julien)
Date: Fri, 23 Mar 2007 09:10:19 +0100
Subject: [Fedora-directory-users] Error message: Failed to initialize cipher AES in attrcrypt_init
Message-ID: <7D86D714DBC59741AA1E7D52D66C757712E6FF@exch-hr-1.crlorraine>

Hi,

Since I configured SSL (based on information found at
http://directory.fedora.redhat.com/wiki/Howto:SSL), the following messages
appear in the errors log. The directory is starting and working well, and
my AD passwords are also correctly synchronised using WindowsSync over SSL.

At start time:

[22/Mar/2007:09:44:05 +0100] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[22/Mar/2007:09:44:05 +0100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Mar/2007:09:44:05 +0100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[22/Mar/2007:09:44:05 +0100] - Failed to initialize cipher AES in attrcrypt_init
[22/Mar/2007:09:44:05 +0100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Mar/2007:09:44:05 +0100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[22/Mar/2007:09:44:05 +0100] - Failed to initialize cipher AES in attrcrypt_init
[22/Mar/2007:09:44:05 +0100] - slapd started. Listening on All Interfaces port 1389 for LDAP requests
[22/Mar/2007:09:44:05 +0100] - Listening on All Interfaces port 1636 for LDAPS requests

Such a question has already been posted one year ago, but the answer was
not sufficient to correct the problem.

Any ideas?

Regards,

Julien Guyon
Systems, Networks & Telecoms Engineer
Conseil Régional de Lorraine
Tel: (+33) 3 87 33 63 14
Email: julien.guyon at cr-lorraine.fr

From vsi at ebi.ac.uk Fri Mar 23 11:01:43 2007
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Fri, 23 Mar 2007 11:01:43 +0000 (GMT)
Subject: [Fedora-directory-users] Deleting database
In-Reply-To: <4602B7CD.6060401@redhat.com>
References: <4602B7CD.6060401@redhat.com>

On Thu, 22 Mar 2007, Richard Megginson wrote:

> Ville Silventoinen wrote:
>> I'm using Fedora DS 1.0.4. I've written an application that uses Fedora DS
>> and next I'm planning to write unit tests. I'm wondering if there is a way
>> to delete the whole userRoot database and create it again? I searched the
>> documentation and there seems to be a way to create the database from
>> command line, but no way to delete it, except from the GUI?
> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm
> database,cn=plugins,cn=config). You will have to do some sort of recursive
> deletion to remove all of the child entries. I think this is what the GUI
> does - just check the access logs for the server after deleting the database
> in the console.

Thank you Richard, that worked very well. I also delete the mapping tree
entry, which maps the suffix to the backend database:

dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: userRoot
cn: dc=ebi,dc=ac,dc=uk

The GUI works slightly differently: it sets nsslapd-state to "disabled" and
removes the nsslapd-backend attribute.

If anyone has a need for a script that can delete and create a database, I
can send it to the list. I use Python with the python-ldap package.

Thank you very much for a fast response!

Ville

From rmeggins at redhat.com Fri Mar 23 13:21:46 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 23 Mar 2007 07:21:46 -0600
Subject: [Fedora-directory-users] Deleting database
In-Reply-To: References: <4602B7CD.6060401@redhat.com>
Message-ID: <4603D46A.8050704@redhat.com>

Ville Silventoinen wrote:
> On Thu, 22 Mar 2007, Richard Megginson wrote:
>
>> Ville Silventoinen wrote:
>>> I'm using Fedora DS 1.0.4. I've written an application that uses
>>> Fedora DS and next I'm planning to write unit tests. I'm wondering
>>> if there is a way to delete the whole userRoot database and create
>>> it again? I searched the documentation and there seems to be a way
>>> to create the database from command line, but no way to delete it,
>>> except from the GUI?
>> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm
>> database,cn=plugins,cn=config). You will have to do some sort of
>> recursive deletion to remove all of the child entries. I think this
>> is what the GUI does - just check the access logs for the server
>> after deleting the database in the console.
>
> Thank you Richard, that worked very well. I also delete the mapping
> tree entry, which maps the suffix to the backend database:
>
> dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsMappingTree
> nsslapd-state: backend
> nsslapd-backend: userRoot
> cn: dc=ebi,dc=ac,dc=uk
>
> The GUI works slightly differently, it sets nsslapd-state to
> "disabled" and removes the nsslapd-backend attribute.
>
> If anyone has a need for a script that can delete and create a
> database, I can send it to the list. I use Python with python-ldap
> package.
>
> Thank you very much for a fast response!
If you just want to restore the database to its initial state, you can
just do an import - ldif2db or ldif2db.pl - this will remove the previous
contents and create a new database. This might be sufficient for your
purposes, without having to delete the database and mapping tree entries.
See ldif2db.pl for how to invoke an import operation via ldap - you can do
something similar in python-ldap:

    import ldap
    import time

    # Both methods live on a python-ldap connection subclass; Entry and
    # getEntry are helpers from that same class (not part of python-ldap).

    def startTaskAndWait(self, entry, verbose=False):
        # start the task by adding the task entry under cn=tasks,cn=config
        dn = entry.dn
        self.add_s(entry)
        entry = self.getEntry(dn, ldap.SCOPE_BASE)
        if not entry:
            if verbose:
                print("Entry %s was added successfully, but I cannot search it" % dn)
            return -1
        elif verbose:
            print(entry)
        # wait for task completion - task is complete when the nsTaskExitCode attr is set
        attrlist = ['nsTaskLog', 'nsTaskStatus', 'nsTaskExitCode',
                    'nsTaskCurrentItem', 'nsTaskTotalItems']
        done = False
        exitCode = 0
        while not done:
            time.sleep(1)
            entry = self.getEntry(dn, ldap.SCOPE_BASE, "(objectclass=*)", attrlist)
            if verbose:
                print(entry)
            if entry.nsTaskExitCode:
                exitCode = int(entry.nsTaskExitCode)
                done = True
        return exitCode

    def importLDIF(self, file, suffix, be=None, verbose=False):
        # a unique task name; the server removes the task entry when it is done
        cn = "import" + str(int(time.time()))
        dn = "cn=%s, cn=import, cn=tasks, cn=config" % cn
        entry = Entry(dn)
        entry.setValues('objectclass', 'top', 'extensibleObject')
        entry.setValues('cn', cn)
        entry.setValues('nsFilename', file)
        if be:
            entry.setValues('nsInstance', be)          # import into a named backend
        else:
            entry.setValues('nsIncludeSuffix', suffix)  # or into the backend owning suffix
        rc = self.startTaskAndWait(entry, verbose)
        if rc:
            if verbose:
                print("Error: import task %s for file %s exited with %d" % (cn, file, rc))
        else:
            if verbose:
                print("Import task %s for file %s completed successfully" % (cn, file))
        return rc

>
> Ville

From stpierre at NebrWesleyan.edu Fri Mar 23 15:02:05 2007
From: stpierre at NebrWesleyan.edu (Chris St. Pierre)
Date: Fri, 23 Mar 2007 10:02:05 -0500 (CDT)
Subject: [Fedora-directory-users] MMR broken, reinitialization erases db

On Thu, 22 Mar 2007, Chris St. Pierre wrote:

> I still have no clue what caused this initially, but I don't really
> care (unless it happens again).

Predictably, it happened again. In fact, it happened as soon as I made the
MMR cluster live again and operations started coming in. Here's the error
message:

[23/Mar/2007:09:59:02 -0500] - csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400
[23/Mar/2007:09:59:03 -0500] NSMMReplicationPlugin - conn=12 op=21 replica="o=isp": Unable to acquire replica: error: excessive clock skew

The 'value' in the first line is always 86401. All four of our nodes have
the same time; all use NTP against the same NTP server. All were patched
for DST and subsequently rebooted.

What the heck? Any ideas?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
----------------------------
Never send mail to thobrux at nebrwesleyan.edu

From vsi at ebi.ac.uk Fri Mar 23 15:52:32 2007
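Two messages in this section turn on the replication CSN: Reinhard's "Can't locate CSN 46000257000000020000 in the changelog", and Chris's "csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400" followed by "excessive clock skew". The added example below (not code from Fedora DS or from either poster) decodes a CSN into its fields and applies the skew rule as the log states it; the 20-hex-digit layout (8 digits of Unix time, 4 of sequence number, 4 of replica id, 4 of sub-sequence number) is the one the server prints. The skew check is a model of the logged behaviour, not the server's source: a remote CSN whose timestamp is more than the limit (one day) ahead of the local clock is rejected, and Chris's value is exactly one second past that limit.

```python
"""Decode replication CSNs and model the clock-skew limit from the thread.

Added example; not code from Fedora DS. Assumes the printed CSN layout
time(8 hex) seqnum(4) rid(4) subseqnum(4) and models the check behind
"csngen_adjust_time: adjustment limit exceeded; value - 86401, limit - 86400".
"""
import time
from collections import namedtuple

CSN = namedtuple("CSN", "time seqnum rid subseqnum")
MAX_TIME_ADJUST = 86400   # the 'limit' in the log line: 24 hours in seconds


def parse_csn(text):
    """Split a CSN string such as 46000257000000020000 into its four fields."""
    if len(text) != 20 or not all(c in "0123456789abcdefABCDEF" for c in text):
        raise ValueError("malformed CSN: %r" % (text,))
    return CSN(int(text[0:8], 16), int(text[8:12], 16),
               int(text[12:16], 16), int(text[16:20], 16))


def format_csn(csn):
    return "%08x%04x%04x%04x" % (csn.time, csn.seqnum, csn.rid, csn.subseqnum)


def csn_utc(csn):
    """UTC timestamp of the CSN, for lining it up with errors-log entries."""
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(csn.time))


def check_skew(remote_csn, local_time, limit=MAX_TIME_ADJUST):
    """Return (accepted, offset), offset = remote CSN time minus local clock.

    A remote clock behind ours needs no adjustment. A remote clock ahead of
    ours is tolerated only up to limit seconds; the thread's log shows an
    offset of 86401 against a limit of 86400, one second past the limit.
    """
    offset = remote_csn.time - int(local_time)
    return offset <= limit, offset


def explain(csn_text, local_time=None):
    """Decode a CSN and say whether a replica presenting it would be acquired."""
    csn = parse_csn(csn_text)
    now = time.time() if local_time is None else local_time
    accepted, offset = check_skew(csn, now)
    return {"time": csn_utc(csn), "rid": csn.rid, "seqnum": csn.seqnum,
            "subseqnum": csn.subseqnum, "offset": offset, "accepted": accepted}


if __name__ == "__main__":
    # The CSN from the consumer-reinitialisation message in this thread.
    print(explain("46000257000000020000"))
    # A constructed CSN one day and one second ahead of a constructed local clock.
    local = 1174650000
    print(check_skew(CSN(local + 86401, 0, 1, 0), local))
```

Decoding Reinhard's CSN gives 2007-03-20 15:48:39 UTC from replica id 2, a few minutes before his 11:55:24 -0400 log line, which is the kind of sanity check worth doing before deciding whether a changelog really is missing an entry or a clock is off.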
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Fri, 23 Mar 2007 15:52:32 +0000 (GMT)
Subject: [Fedora-directory-users] Deleting database
In-Reply-To: <4603D46A.8050704@redhat.com>
References: <4602B7CD.6060401@redhat.com> <4603D46A.8050704@redhat.com>

On Fri, 23 Mar 2007, Richard Megginson wrote:

> Ville Silventoinen wrote:
>> On Thu, 22 Mar 2007, Richard Megginson wrote:
>>
>>> Ville Silventoinen wrote:
>>>> I'm using Fedora DS 1.0.4. I've written an application that uses Fedora
>>>> DS and next I'm planning to write unit tests. I'm wondering if there is a
>>>> way to delete the whole userRoot database and create it again? I searched
>>>> the documentation and there seems to be a way to create the database from
>>>> command line, but no way to delete it, except from the GUI?
>>> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm
>>> database,cn=plugins,cn=config). You will have to do some sort of
>>> recursive deletion to remove all of the child entries. I think this is
>>> what the GUI does - just check the access logs for the server after
>>> deleting the database in the console.
>>
>> Thank you Richard, that worked very well. I also delete the mapping tree
>> entry, which maps the suffix to the backend database:
>>
>> dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> objectclass: nsMappingTree
>> nsslapd-state: backend
>> nsslapd-backend: userRoot
>> cn: dc=ebi,dc=ac,dc=uk
>>
>> The GUI works slightly differently, it sets nsslapd-state to "disabled" and
>> removes the nsslapd-backend attribute.
>>
>> If anyone has a need for a script that can delete and create a database, I
>> can send it to the list. I use Python with python-ldap package.
>>
>> Thank you very much for a fast response!
> If you just want to restore the database to its initial state, you can just
> do an import - ldif2db or ldif2db.pl - this will remove the previous contents
> and create a new database. This might be sufficient for your purposes,
> without having to delete the database and mapping tree entries. See
> ldif2db.pl for how to invoke an import operation via ldap

This may be a stupid question, but how do I get ldif2db.pl to remove the
previous contents so it can create the entries?

I tried like this:

./ldif2db.pl -v -D "cn=Directory Manager" -w mypassword -n userRoot -i /path/to/userRoot.ldif

but in the errors log it shows for every entry "WARNING: Skipping duplicate
entry".

Thanks for the Python example!

Ville

From rmeggins at redhat.com Fri Mar 23 15:55:51 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 23 Mar 2007 09:55:51 -0600
Subject: [Fedora-directory-users] Deleting database
References: <4602B7CD.6060401@redhat.com> <4603D46A.8050704@redhat.com>
Message-ID: <4603F887.30407@redhat.com>

Ville Silventoinen wrote:
> On Fri, 23 Mar 2007, Richard Megginson wrote:
>
>> Ville Silventoinen wrote:
>>> On Thu, 22 Mar 2007, Richard Megginson wrote:
>>>
>>>> Ville Silventoinen wrote:
>>>>> I'm using Fedora DS 1.0.4. I've written an application that uses
>>>>> Fedora DS and next I'm planning to write unit tests. I'm wondering
>>>>> if there is a way to delete the whole userRoot database and create
>>>>> it again? I searched the documentation and there seems to be a way
>>>>> to create the database from command line, but no way to delete it,
>>>>> except from the GUI?
>>>> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm
>>>> database,cn=plugins,cn=config). You will have to do some sort of
>>>> recursive deletion to remove all of the child entries. I think
>>>> this is what the GUI does - just check the access logs for the
>>>> server after deleting the database in the console.
>>>
>>> Thank you Richard, that worked very well. I also delete the mapping
>>> tree entry, which maps the suffix to the backend database:
>>>
>>> dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config
>>> objectclass: top
>>> objectclass: extensibleObject
>>> objectclass: nsMappingTree
>>> nsslapd-state: backend
>>> nsslapd-backend: userRoot
>>> cn: dc=ebi,dc=ac,dc=uk
>>>
>>> The GUI works slightly differently, it sets nsslapd-state to
>>> "disabled" and removes the nsslapd-backend attribute.
>>>
>>> If anyone has a need for a script that can delete and create a
>>> database, I can send it to the list. I use Python with python-ldap
>>> package.
>>>
>>> Thank you very much for a fast response!
>> If you just want to restore the database to its initial state, you
>> can just do an import - ldif2db or ldif2db.pl - this will remove the
>> previous contents and create a new database. This might be
>> sufficient for your purposes, without having to delete the database
>> and mapping tree entries. See ldif2db.pl for how to invoke an import
>> operation via ldap
>
> This may be a stupid question but how do I get ldif2db.pl to remove
> the previous contents so it can create the entries?
>
> I tried like this:
>
> ./ldif2db.pl -v -D "cn=Directory Manager" -w mypassword -n userRoot
> -i /path/to/userRoot.ldif
>
> but in the errors log it shows for every entry "WARNING: Skipping
> duplicate entry".
That usually means there are duplicate entries in your userRoot.ldif file -
can you post it somewhere and post the link to it here? I'd rather not spam
the list with a large ldif file.
>
> Thanks for the Python example!
>
> Ville

From vsi at ebi.ac.uk Fri Mar 23 16:27:21 2007
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Fri, 23 Mar 2007 16:27:21 +0000 (GMT)
Subject: [Fedora-directory-users] Deleting database
In-Reply-To: <4603F887.30407@redhat.com>
References: <4602B7CD.6060401@redhat.com> <4603D46A.8050704@redhat.com> <4603F887.30407@redhat.com>

On Fri, 23 Mar 2007, Richard Megginson wrote:

> Ville Silventoinen wrote:
>> On Fri, 23 Mar 2007, Richard Megginson wrote:
>>
>>> Ville Silventoinen wrote:
>>>> On Thu, 22 Mar 2007, Richard Megginson wrote:
>>>>
>>>>> Ville Silventoinen wrote:
>>>>>> I'm using Fedora DS 1.0.4. I've written an application that uses Fedora
>>>>>> DS and next I'm planning to write unit tests. I'm wondering if there is
>>>>>> a way to delete the whole userRoot database and create it again? I
>>>>>> searched the documentation and there seems to be a way to create the
>>>>>> database from command line, but no way to delete it, except from the
>>>>>> GUI?
>>>>> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm
>>>>> database,cn=plugins,cn=config). You will have to do some sort of
>>>>> recursive deletion to remove all of the child entries. I think this is
>>>>> what the GUI does - just check the access logs for the server after
>>>>> deleting the database in the console.
>>>>
>>>> Thank you Richard, that worked very well. I also delete the mapping tree
>>>> entry, which maps the suffix to the backend database:
>>>>
>>>> dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config
>>>> objectclass: top
>>>> objectclass: extensibleObject
>>>> objectclass: nsMappingTree
>>>> nsslapd-state: backend
>>>> nsslapd-backend: userRoot
>>>> cn: dc=ebi,dc=ac,dc=uk
>>>>
>>>> The GUI works slightly differently, it sets nsslapd-state to "disabled"
>>>> and removes the nsslapd-backend attribute.
>>>>
>>>> If anyone has a need for a script that can delete and create a database,
>>>> I can send it to the list. I use Python with python-ldap package.
>>>>
>>>> Thank you very much for a fast response!
>>> If you just want to restore the database to its initial state, you can
>>> just do an import - ldif2db or ldif2db.pl - this will remove the previous
>>> contents and create a new database. This might be sufficient for your
>>> purposes, without having to delete the database and mapping tree entries.
>>> See ldif2db.pl for how to invoke an import operation via ldap
>>
>> This may be a stupid question but how do I get ldif2db.pl to remove the
>> previous contents so it can create the entries?
>>
>> I tried like this:
>>
>> ./ldif2db.pl -v -D "cn=Directory Manager" -w mypassword -n userRoot -i
>> /path/to/userRoot.ldif
>>
>> but in the errors log it shows for every entry "WARNING: Skipping duplicate
>> entry".
> That usually means there are duplicate entries in your userRoot.ldif file -
> can you post it somewhere and post the link to it here? I'd rather not spam
> the list with a large ldif file.

Thanks Richard! You were right, all the entries were defined twice in the
file. I don't understand how that happened; I used the "Export Databases"
task in the Console to create the file. If the file already exists, does it
append new entries to it? I must have done something wrong...

Just tested the import, it works very well. Entries are modified, removed
and added to restore the original database. It's very fast too (my test
server runs on an old Pentium 3):

Processed 9854 entries in 9 seconds. (1094.89 entries/sec)

Thank you again!

Ville

From rmeggins at redhat.com Fri Mar 23 16:28:02 2007
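The "WARNING: Skipping duplicate entry" symptom above came from an export file in which every entry appeared twice. The added example below (not Ville's script and not code from the thread) is the pre-import check a practitioner would run: it walks an LDIF file with the standard library only, unfolds continuation lines, decodes base64 DNs ("dn:: ..."), skips comments and the version header, and reports any DN that occurs more than once. DN comparison here is a simplified normalisation (case-folded, whitespace around commas dropped), which is enough for this purpose; the sample LDIF is constructed to contain an appended second copy.

```python
"""Check an LDIF export for duplicate DNs before handing it to ldif2db.

Added example; not code from the thread. Standard library only. The DN
normalisation is deliberately simple (case-fold, strip whitespace around
commas) and is an assumption of this checker, not the server's matching rule.
"""
import base64
import re
from collections import Counter
from io import StringIO


def _record_dn(record):
    """DN of one LDIF record, or None for a record without a dn (e.g. the version line)."""
    for line in record:
        if line.startswith("dn::"):                       # base64-encoded DN
            return base64.b64decode(line[4:].strip()).decode("utf-8")
        if line.startswith("dn:"):
            return line[3:].strip()
    return None


def iter_ldif_dns(lines):
    """Yield the DN of each record in file order, unfolding continuation lines."""
    record = []
    for raw in list(lines) + [""]:          # trailing sentinel flushes the last record
        line = raw.rstrip("\r\n")
        if line.startswith("#"):
            continue
        if line == "":
            if record:
                yield _record_dn(record)
                record = []
        elif line.startswith(" ") and record:
            record[-1] += line[1:]           # folded line: drop exactly one leading space
        else:
            record.append(line)


def normalize_dn(dn):
    """Simplified DN normalisation: case-insensitive, no whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def find_duplicate_dns(ldif_text):
    """Return {normalized_dn: occurrences} for every DN that appears more than once."""
    counts = Counter(normalize_dn(dn)
                     for dn in iter_ldif_dns(StringIO(ldif_text)) if dn is not None)
    return {dn: n for dn, n in counts.items() if n > 1}


def find_duplicate_dns_in_file(path):
    with open(path, encoding="utf-8") as fh:
        return find_duplicate_dns(fh.read())


# Constructed sample: a small export whose second half repeats the first,
# once with a folded DN and once in different letter case; bob's first DN
# is base64-encoded the way exporters write non-safe strings.
_BOB_DN = "uid=bob,ou=People,dc=ebi,dc=ac,dc=uk"
SAMPLE_LDIF = "\n".join([
    "version: 1",
    "",
    "dn: dc=ebi,dc=ac,dc=uk",
    "objectClass: top",
    "objectClass: domain",
    "dc: ebi",
    "",
    "dn: uid=alice,ou=People,dc=ebi,dc=ac,dc=uk",
    "objectClass: inetOrgPerson",
    "uid: alice",
    "sn: Example",
    "",
    "dn:: " + base64.b64encode(_BOB_DN.encode("utf-8")).decode("ascii"),
    "objectClass: inetOrgPerson",
    "uid: bob",
    "sn: Example",
    "",
    "# second copy of the same export appended below",
    "dn: uid=alice,ou=People,",
    " dc=ebi,dc=ac,dc=uk",
    "objectClass: inetOrgPerson",
    "uid: alice",
    "sn: Example",
    "",
    "dn: UID=bob,OU=People,DC=ebi,DC=ac,DC=uk",
    "objectClass: inetOrgPerson",
    "uid: bob",
    "sn: Example",
    "",
])

if __name__ == "__main__":
    import sys
    dups = (find_duplicate_dns_in_file(sys.argv[1]) if len(sys.argv) > 1
            else find_duplicate_dns(SAMPLE_LDIF))
    for dn, n in sorted(dups.items()):
        print("%s appears %d times" % (dn, n))
```

Run it as `python checkdups.py /path/to/userRoot.ldif` before ldif2db; an empty result means the "Skipping duplicate entry" warnings are not coming from the file itself.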
From: rmeggins at redhat.com (Richard Megginson)
Date: Fri, 23 Mar 2007 10:28:02 -0600
Subject: [Fedora-directory-users] Deleting database
References: <4602B7CD.6060401@redhat.com> <4603D46A.8050704@redhat.com> <4603F887.30407@redhat.com>
Message-ID: <46040012.2000708@redhat.com>

Ville Silventoinen wrote:
> On Fri, 23 Mar 2007, Richard Megginson wrote:
>
>> Ville Silventoinen wrote:
>>> On Fri, 23 Mar 2007, Richard Megginson wrote:
>>>
>>>> Ville Silventoinen wrote:
>>>>> On Thu, 22 Mar 2007, Richard Megginson wrote:
>>>>>
>>>>>> Ville Silventoinen wrote:
>>>>>>> I'm using Fedora DS 1.0.4. I've written an application that uses
>>>>>>> Fedora DS and next I'm planning to write unit tests. I'm
>>>>>>> wondering if there is a way to delete the whole userRoot
>>>>>>> database and create it again? I searched the documentation and
>>>>>>> there seems to be a way to create the database from command
>>>>>>> line, but no way to delete it, except from the GUI?
>>>>>> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm
>>>>>> database,cn=plugins,cn=config). You will have to do some sort of
>>>>>> recursive deletion to remove all of the child entries. I think
>>>>>> this is what the GUI does - just check the access logs for the
>>>>>> server after deleting the database in the console.
>>>>>
>>>>> Thank you Richard, that worked very well. I also delete the
>>>>> mapping tree entry, which maps the suffix to the backend database:
>>>>>
>>>>> dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config
>>>>> objectclass: top
>>>>> objectclass: extensibleObject
>>>>> objectclass: nsMappingTree
>>>>> nsslapd-state: backend
>>>>> nsslapd-backend: userRoot
>>>>> cn: dc=ebi,dc=ac,dc=uk
>>>>>
>>>>> The GUI works slightly differently, it sets nsslapd-state to
>>>>> "disabled" and removes the nsslapd-backend attribute.
>>>>>
>>>>> If anyone has a need for a script that can delete and create a
>>>>> database, I can send it to the list. I use Python with python-ldap
>>>>> package.
>>>>>
>>>>> Thank you very much for a fast response!
>>>> If you just want to restore the database to its initial state, you
>>>> can just do an import - ldif2db or ldif2db.pl - this will remove
>>>> the previous contents and create a new database. This might be
>>>> sufficient for your purposes, without having to delete the database
>>>> and mapping tree entries. See ldif2db.pl for how to invoke an
>>>> import operation via ldap
>>>
>>> This may be a stupid question but how do I get ldif2db.pl to remove
>>> the previous contents so it can create the entries?
>>>
>>> I tried like this:
>>>
>>> ./ldif2db.pl -v -D "cn=Directory Manager" -w mypassword -n
>>> userRoot -i /path/to/userRoot.ldif
>>>
>>> but in the errors log it shows for every entry "WARNING: Skipping
>>> duplicate entry".
>> That usually means there are duplicate entries in your userRoot.ldif
>> file - can you post it somewhere and post the link to it here? I'd
>> rather not spam the list with a large ldif file.
>
> Thanks Richard! You were right, all the entries were defined twice in
> the file. I don't understand how that happened, I used the "Export
> Databases" task in the Console to create the file. If the file already
> exists, does it append new entries to it? I must have done something
> wrong...
It might append to it. I'm not sure.
>
> Just tested the import, it works very well. Entries are modified,
> removed and added to restore the original database. It's very fast too
> (my test server runs on an old Pentium 3):
>
> Processed 9854 entries in 9 seconds. (1094.89 entries/sec)
>
> Thank you again!
>
> Ville

From vsi at ebi.ac.uk Fri Mar 23 17:01:20 2007
From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Fri, 23 Mar 2007 17:01:20 +0000 (GMT) Subject: [Fedora-directory-users] VLV index and uid attribute Message-ID:

I know there was an earlier thread about using the uid attribute for sorting and that it's not supported by the Console: http://www.mail-archive.com/fedora-directory-users at redhat.com/msg04439.html

However, I thought I'd try the following approach:

1. I deleted the previous Browsing index for People by using the Console.

2. I created the following VLV entries as suggested in the Admin Guide "Managing Indexes" chapter (my database is called "ebiRoot"):

dn: cn=MCC ou=People dc=ebi dc=ac dc=uk,cn=ebiRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvSearch
cn: MCC ou=People dc=ebi dc=ac dc=uk
vlvBase: ou=People,dc=ebi,dc=ac,dc=uk
vlvScope: 1
vlvFilter: (|(objectclass=*)(objectclass=ldapsubentry))

dn: cn=by MCC ou=People dc=ebi dc=ac dc=uk,cn=MCC ou=People dc=ebi dc=ac dc=uk,cn=ebiRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: vlvIndex
cn: by MCC ou=People dc=ebi dc=ac dc=uk
vlvSort: uid

3. Then I shut down slapd and ran the vlvindex command:

$ ./vlvindex -n ebiRoot -T "by MCC ou=People dc=ebi dc=ac dc=uk"
[23/Mar/2007:16:47:05 +0000] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[23/Mar/2007:16:47:05 +0000] - dblayer_instance_start: pagesize: 4096, pages: 518726, procpages: 6433
[23/Mar/2007:16:47:05 +0000] - cache autosizing: import cache: 204800k
[23/Mar/2007:16:47:05 +0000] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[23/Mar/2007:16:47:06 +0000] - ebiRoot: Indexing VLV: by MCC ou=People dc=ebi dc=ac dc=uk
[23/Mar/2007:16:47:06 +0000] - ebiRoot: Indexed 1000 entries (70%).
[23/Mar/2007:16:47:06 +0000] - ebiRoot: Finished indexing.

Looks like everything went well from the output.

4. Start slapd, start the console. When I view People, they are still sorted by cn.
Why does it ignore the VLV config that I created above? I also confirmed from the Console that vlvsort is set to "uid". This is not a major problem, I'm just curious why the above solution doesn't work. It looks like the Console doesn't care what the vlvSort value is? I don't understand how it can sort by cn when there is no index. Thanks! Ville From a.nguyen at cingular.com Fri Mar 23 17:48:57 2007
From: a.nguyen at cingular.com (Nguyen, A (Alex)) Date: Fri, 23 Mar 2007 10:48:57 -0700 Subject: [Fedora-directory-users] java 64bit libjss3.0 Can't load AMD 64-bit .so on a AMD 64-bit platform Message-ID:

Hi, I'm fairly new to FDS and was going through the manual on configuring encryption for the Administration and Directory Servers. The problem begins after configuring SSL for the Admin Server and restarting the console. Attempts to start the console yielded the Java exception listed below. I've read in previous threads where there was a mismatch between the lib and the Java version, but in this case both are 64-bit.

[root at brpswg01 fedora-ds]# ./startconsole -u admin -a https://`hostname`:43811
Exception in thread "main" java.lang.UnsatisfiedLinkError: /opt/app/fedora-ds/lib/libjss3.so: Can't load AMD 64-bit .so on a AMD 64-bit platform
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary0(Unknown Source)
at java.lang.ClassLoader.loadLibrary(Unknown Source)
at java.lang.Runtime.loadLibrary0(Unknown Source)
at java.lang.System.loadLibrary(Unknown Source)
at org.mozilla.jss.CryptoManager.loadNativeLibraries(CryptoManager.java:1330)
at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:822)
at org.mozilla.jss.CryptoManager.initialize(CryptoManager.java:795)
at com.netscape.management.client.util.UtilConsoleGlobals.initJSS(Unknown Source)
at com.netscape.management.client.comm.HttpsChannel.(Unknown Source)
at com.netscape.management.client.comm.HttpManager.createChannel(Unknown Source)
at com.netscape.management.client.comm.CommManager.send(Unknown Source)
at com.netscape.management.client.comm.CommManager.send(Unknown Source)
at com.netscape.management.client.comm.HttpManager.get(Unknown Source)
at com.netscape.management.client.console.Console.invoke_task(Unknown Source)
at com.netscape.management.client.console.Console.authenticate_user(Unknown Source)
at com.netscape.management.client.console.Console.(Unknown Source)
at com.netscape.management.client.console.Console.main(Unknown Source)

[root at brpswg01 fedora-ds]# file /opt/app/fedora-ds/lib/libjss3.so
/opt/app/fedora-ds/lib/libjss3.so: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not stripped
[root at brpswg01 fedora-ds]# file `which java`
/opt/app/jre1.5.0_11/bin/java: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.4.0, dynamically linked (uses shared libs), stripped
[root at brpswg01 fedora-ds]# md5sum /opt/app/fedora-ds/lib/libjss3.so
2098364ec91d9b354e9086806852ae5d /opt/app/fedora-ds/lib/libjss3.so

At this point, the console will not start up but the Directory Server is fine (I can query and modify the userRoot db just fine). I'm running FDS 1.0.4 on RHEL 4 Update 4 (2.6.9-42.0.10.ELsmp) with Sun JRE 1.5.0_11. If someone has some pointers on where I'm going wrong, that'll be much appreciated. Thx, -an

From ulf.weltman at hp.com Fri Mar 23 17:55:00 2007
From: ulf.weltman at hp.com (Ulf Weltman) Date: Fri, 23 Mar 2007 10:55:00 -0700 Subject: [Fedora-directory-users] VLV index and uid attribute In-Reply-To: References: Message-ID: <46041474.2080302@hp.com> Ville Silventoinen wrote: > I know there was an earlier thread about using uid attribute for > sorting and that it's not supported by the Console: > > http://www.mail-archive.com/fedora-directory-users at redhat.com/msg04439.html > > > However, I thought I'd try following approach: > > 1. I deleted previous Browsing index for People by using the Console. > > 2. I created following VLV entries as it suggests in the Admin Guide > "Managing Indexes" chapter (my database is called "ebiRoot"): > > dn: cn=MCC ou=People dc=ebi dc=ac dc=uk,cn=ebiRoot,cn=ldbm > database,cn=plugins,cn=config > objectClass: top > objectClass: vlvSearch > cn: MCC ou=People dc=ebi dc=ac dc=uk > vlvBase: ou=People,dc=ebi,dc=ac,dc=uk > vlvScope: 1 > vlvFilter: (|(objectclass=*)(objectclass=ldapsubentry)) > > dn: cn=by MCC ou=People dc=ebi dc=ac dc=uk,cn=MCC ou=People dc=ebi > dc=ac dc=uk,cn=ebiRoot,cn=ldbm database,cn=plugins,cn=config > objectClass: top > objectClass: vlvIndex > cn: by MCC ou=People dc=ebi dc=ac dc=uk > vlvSort: uid > > 3. Then I shutdown slapd and ran the vlvindex command: > > $ ./vlvindex -n ebiRoot -T "by MCC ou=People dc=ebi dc=ac dc=uk" > > [23/Mar/2007:16:47:05 +0000] - WARNING: Import is running with > nsslapd-db-private-import-mem on; No other process is allowed to > access the database > [23/Mar/2007:16:47:05 +0000] - dblayer_instance_start: pagesize: 4096, > pages: 518726, procpages: 6433 > [23/Mar/2007:16:47:05 +0000] - cache autosizing: import cache: 204800k > [23/Mar/2007:16:47:05 +0000] - li_import_cache_autosize: 50, > import_pages: 51200, pagesize: 4096 > [23/Mar/2007:16:47:06 +0000] - ebiRoot: Indexing VLV: by MCC ou=People > dc=ebi dc=ac dc=uk > [23/Mar/2007:16:47:06 +0000] - ebiRoot: Indexed 1000 entries (70%). 
> [23/Mar/2007:16:47:06 +0000] - ebiRoot: Finished indexing. > > Looks like everything went well from the output. > > 4. Start slapd, start the console. When I view People, they are still > sorted by cn. Why does it ignore the VLV config that created above? I > also confirmed from Console that vlvsort is set to "uid". The DirBrowser in the Directory Console sends a control requesting serverside sorting for an order of cn,givenname,o,ou,sn. Configurable sort order is an RFE for a future release. http://cvs.fedora.redhat.com/lxr/dirsec/source/directoryconsole/src/com/netscape/admin/dirserv/browser/BrowserController.java#75 > > This is not a major problem, I'm just curious why the above solution > doesn't work? It looks like Console doesn't care what the vlvSort > value is? I don't understand how it can sort with cn when there is no > index. > > Thanks! > Ville > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From david_list at boreham.org Fri Mar 23 19:16:19 2007 From: david_list at boreham.org (David Boreham) Date: Fri, 23 Mar 2007 13:16:19 -0600 Subject: [Fedora-directory-users] VLV index and uid attribute In-Reply-To: References: Message-ID: <46042783.2020104@boreham.org> Ville Silventoinen wrote: > This is not a major problem, I'm just curious why the above solution > doesn't work? It looks like Console doesn't care what the vlvSort > value is? I don't understand how it can sort with cn when there is no > index. A client may present any VLV request it likes to the server. The server will attempt to service the request and respond. Indices are used if possible, but they are optional. So in your case the VLV requests made by the console would have become unindexed. If the number of entries is reasonably small performance would remain good. From nhosoi at redhat.com Fri Mar 23 23:50:21 2007 
From: nhosoi at redhat.com (Noriko Hosoi) Date: Fri, 23 Mar 2007 15:50:21 -0800 Subject: [Fedora-directory-users] Deleting database In-Reply-To: <46040012.2000708@redhat.com> References: <4602B7CD.6060401@redhat.com> <4603D46A.8050704@redhat.com> <4603F887.30407@redhat.com> <46040012.2000708@redhat.com> Message-ID: <460467BD.8090109@redhat.com> Richard Megginson wrote: > Ville Silventoinen wrote: >> On Fri, 23 Mar 2007, Richard Megginson wrote: >> >>> Ville Silventoinen wrote: >>>> On Fri, 23 Mar 2007, Richard Megginson wrote: >>>> >>>>> Ville Silventoinen wrote: >>>>>> On Thu, 22 Mar 2007, Richard Megginson wrote: >>>>>> >>>>>>> Ville Silventoinen wrote: >>>>>>>> I'm using Fedora DS 1.0.4. I've written an application that >>>>>>>> uses Fedora DS and next I'm planning to write unit tests. I'm >>>>>>>> wondering if there is a way to delete the whole userRoot >>>>>>>> database and create it again? I searched the documentation and >>>>>>>> there seems to be a way to create the database from command >>>>>>>> line, but no way to delete it, except from the GUI? >>>>>>> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm >>>>>>> database,cn=plugins,cn=config). You will have to do some sort >>>>>>> of recursive deletion to remove all of the child entries. I >>>>>>> think this is what the GUI does - just check the access logs for >>>>>>> the server after deleting the database in the console. >>>>>> >>>>>> Thank you Richard, that worked very well. I also delete the >>>>>> mapping tree entry, which maps the suffix to the backend database: >>>>>> >>>>>> dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config >>>>>> objectclass: top >>>>>> objectclass: extensibleObject >>>>>> objectclass: nsMappingTree >>>>>> nsslapd-state: backend >>>>>> nsslapd-backend: userRoot >>>>>> cn: dc=ebi,dc=ac,dc=uk >>>>>> >>>>>> The GUI works slightly differently, it sets nsslapd-state to >>>>>> "disabled" and removes the nsslapd-backend attribute. 
>>>>>> >>>>>> If anyone has a need for a script that can delete and create a >>>>>> database, I can send it to the list. I use Python with >>>>>> python-ldap package. >>>>>> >>>>>> Thank you very much for a fast response! >>>>> If you just want to restore the database to it's initial state, >>>>> you can just do an import - ldif2db or ldif2db.pl - this will >>>>> remove the previous contents and create a new database. This >>>>> might be sufficient for your purposes, without having to delete >>>>> the database and mapping tree entries. See ldif2db.pl for how to >>>>> invoke an import operation via ldap >>>> >>>> This may be a stupid question but how do I get ldif2db.pl to remove >>>> the previous contents so it can create the entries? >>>> >>>> I tried like this: >>>> >>>> ./ldif2db.pl -v -D "cn=Directory Manager" -w mypassword -n >>>> userRoot -i /path/to/userRoot.ldif >>>> >>>> but in the errors log it shows for every entry "WARNING: Skipping >>>> duplicate entry". >>> That usually means there are duplicate entries in your userRoot.ldif >>> file - can you post it somewhere and post the link to it here? I'd >>> rather not spam the list with a large ldif file. >> >> Thanks Richard! You were right, all the entries were defined twice in >> the file. I don't understand how that happened, I used the "Export >> Databases" >> task in the Console to create the file. If the file already exists, >> does it append new entries to it? I must have done something wrong... > It might append to it. I'm not sure. I could not reproduce it. If I choose the same file name to export database, I get "File '' already exists. Its contents will be overwritten. Do you want to continue?" dialog box, and my existing file is really overwritten... >> >> Just tested the import, it works very well. Entries are modified, >> removed and added to restore the original database. It's very fast >> too (my test server runs on an old Pentium 3): >> >> Processed 9854 entries in 9 seconds. 
(1094.89 entries/sec) >> >> Thank you again! >> >> Ville >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From james at jameswhite.org Sun Mar 25 18:06:24 2007
From: james at jameswhite.org (James S. White) Date: Sun, 25 Mar 2007 13:06:24 -0500 (CDT) Subject: [Fedora-directory-users] LDAP Server Unwilling to perform replication? Message-ID: So I'm trying to set up a replication agreement and I get "LDAP server unwilling to perform". Any thoughts as to why this error might occur? It's not very descriptive. This is a replication agreement Name:: sapphire-topaz Replica Entry DN:: cn=replica,cn="dc=int,dc=domain,dc=com",cn=mapping tree,cn=config Supplier: sapphire.int.domain.com:636 Consumer: topaz.int.domain.com:636 Using encrypted SSL connection Authenticate using: Simple authentication Replicated subtree:: dc=int,dc=domain,dc=com Attributes: null Schedule: Always keep directories in sync ----------------------------------------------------------------------- James S. White primary/voip: (615) 469-0268 220 Hidden Valley Rd. .O. mobile: (256) 476-2619 Danville, AL 35619 ..O work: (615) 445-7338 http://www.jameswhite.org OOO work cell: (615) 517-6552 james at jameswhite.org fax: (866) 260-5465 ----------------------------------------------------------------------- America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves. -- Abraham Lincoln From james at jameswhite.org Sun Mar 25 19:51:56 2007
From: james at jameswhite.org (James S. White) Date: Sun, 25 Mar 2007 14:51:56 -0500 (CDT) Subject: [Fedora-directory-users] Adding custom attributes without the gui Message-ID: How does one add custom attributes and objectclasses without using the GUI in fedora-ds? ----------------------------------------------------------------------- James S. White primary/voip: (615) 469-0268 220 Hidden Valley Rd. .O. mobile: (256) 476-2619 Danville, AL 35619 ..O work: (615) 445-7338 http://www.jameswhite.org OOO work cell: (615) 517-6552 james at jameswhite.org fax: (866) 260-5465 ----------------------------------------------------------------------- America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves. -- Abraham Lincoln From vsi at ebi.ac.uk Mon Mar 26 08:57:19 2007 From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Mon, 26 Mar 2007 09:57:19 +0100 (BST) Subject: [Fedora-directory-users] Adding custom attributes without the gui In-Reply-To: References: Message-ID: On Sun, 25 Mar 2007, James S. White wrote: > How does one add custom attributes and objectclasses without using the > GUI in fedora-ds? > I added my custom definitions directly to the slapd-HOSTNAME/config/schema/99user.ldif file. Then restart slapd. It is mentioned in the Deployment Guide: http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/schema.html#17755 Cheers, Ville From vsi at ebi.ac.uk Mon Mar 26 09:00:13 2007 
From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Mon, 26 Mar 2007 10:00:13 +0100 (BST) Subject: [Fedora-directory-users] Deleting database In-Reply-To: <460467BD.8090109@redhat.com> References: <4602B7CD.6060401@redhat.com> <4603D46A.8050704@redhat.com> <4603F887.30407@redhat.com> <46040012.2000708@redhat.com> <460467BD.8090109@redhat.com> Message-ID: On Fri, 23 Mar 2007, Noriko Hosoi wrote: > Richard Megginson wrote: >> Ville Silventoinen wrote: >>> On Fri, 23 Mar 2007, Richard Megginson wrote: >>> >>>> Ville Silventoinen wrote: >>>>> On Fri, 23 Mar 2007, Richard Megginson wrote: >>>>> >>>>>> Ville Silventoinen wrote: >>>>>>> On Thu, 22 Mar 2007, Richard Megginson wrote: >>>>>>> >>>>>>>> Ville Silventoinen wrote: >>>>>>>>> I'm using Fedora DS 1.0.4. I've written an application that uses >>>>>>>>> Fedora DS and next I'm planning to write unit tests. I'm wondering >>>>>>>>> if there is a way to delete the whole userRoot database and create >>>>>>>>> it again? I searched the documentation and there seems to be a way >>>>>>>>> to create the database from command line, but no way to delete it, >>>>>>>>> except from the GUI? >>>>>>>> Just delete the entry (e.g. delete cn=userRoot,cn=ldbm >>>>>>>> database,cn=plugins,cn=config). You will have to do some sort of >>>>>>>> recursive deletion to remove all of the child entries. I think this >>>>>>>> is what the GUI does - just check the access logs for the server >>>>>>>> after deleting the database in the console. >>>>>>> >>>>>>> Thank you Richard, that worked very well. 
I also delete the mapping >>>>>>> tree entry, which maps the suffix to the backend database: >>>>>>> >>>>>>> dn: cn="dc=ebi,dc=ac,dc=uk",cn=mapping tree,cn=config >>>>>>> objectclass: top >>>>>>> objectclass: extensibleObject >>>>>>> objectclass: nsMappingTree >>>>>>> nsslapd-state: backend >>>>>>> nsslapd-backend: userRoot >>>>>>> cn: dc=ebi,dc=ac,dc=uk >>>>>>> >>>>>>> The GUI works slightly differently, it sets nsslapd-state to >>>>>>> "disabled" and removes the nsslapd-backend attribute. >>>>>>> >>>>>>> If anyone has a need for a script that can delete and create a >>>>>>> database, I can send it to the list. I use Python with python-ldap >>>>>>> package. >>>>>>> >>>>>>> Thank you very much for a fast response! >>>>>> If you just want to restore the database to it's initial state, you can >>>>>> just do an import - ldif2db or ldif2db.pl - this will remove the >>>>>> previous contents and create a new database. This might be sufficient >>>>>> for your purposes, without having to delete the database and mapping >>>>>> tree entries. See ldif2db.pl for how to invoke an import operation via >>>>>> ldap >>>>> >>>>> This may be a stupid question but how do I get ldif2db.pl to remove the >>>>> previous contents so it can create the entries? >>>>> >>>>> I tried like this: >>>>> >>>>> ./ldif2db.pl -v -D "cn=Directory Manager" -w mypassword -n userRoot -i >>>>> /path/to/userRoot.ldif >>>>> >>>>> but in the errors log it shows for every entry "WARNING: Skipping >>>>> duplicate entry". >>>> That usually means there are duplicate entries in your userRoot.ldif file >>>> - can you post it somewhere and post the link to it here? I'd rather not >>>> spam the list with a large ldif file. >>> >>> Thanks Richard! You were right, all the entries were defined twice in the >>> file. I don't understand how that happened, I used the "Export Databases" >>> task in the Console to create the file. If the file already exists, does >>> it append new entries to it? 
I must have done something wrong... >> It might append to it. I'm not sure. > I could not reproduce it. If I choose the same file name to export database, > I get "File '' already exists. Its contents will be overwritten. > Do you want to continue?" dialog box, and my existing file is really > overwritten... I tried it as well, I couldn't reproduce the problem either. Unfortunately I deleted the file so I cannot check in which order the entries were. Thanks for the help. Ville From vsi at ebi.ac.uk Mon Mar 26 09:33:40 2007 From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Mon, 26 Mar 2007 10:33:40 +0100 (BST) Subject: [Fedora-directory-users] VLV index and uid attribute In-Reply-To: <46042783.2020104@boreham.org> References: <46042783.2020104@boreham.org> Message-ID: On Fri, 23 Mar 2007, David Boreham wrote: > Ville Silventoinen wrote: > >> This is not a major problem, I'm just curious why the above solution >> doesn't work? It looks like Console doesn't care what the vlvSort value is? >> I don't understand how it can sort with cn when there is no index. > > A client may present any VLV request it likes to the server. > The server will attempt to service the request and respond. > Indices are used if possible, but they are optional. > So in your case the VLV requests made by the console > would have become unindexed. If the number of entries > is reasonably small performance would remain good. > David and Ulf: Thanks for the explanation. Looking forward to the new feature. Cheers, Ville From vsi at ebi.ac.uk Mon Mar 26 10:36:08 2007
From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Mon, 26 Mar 2007 11:36:08 +0100 (BST) Subject: [Fedora-directory-users] Create Browsing Index gets stuck Message-ID: I'm sorry if this has already been discussed or reported as a bug. I tried to find the bug report, but couldn't find it, so here goes: Quite often when I have removed all entries and put them back and tried to create a Browsing Index with the Console, the Console gets stuck. I have a few times left it for hours but nothing happens. In this case I deleted the previous browsing index from the GUI and tried to create it again for People with 1400 entries. The GUI tells me it has done "Adding browsing index entries to server" (ticked) but it is still "Creating browsing index in server" (not ticked). It stays in this window forever. The "Server status for creating browsing index" window is empty. I cannot see any error messages in the slapd-HOSTNAME/logs/errors or admin-serv/logs/error log. The startconsole terminal doesn't show any Java exceptions. Is there anywhere else I could look for clues? If I force the window to close, the database goes to read-only mode. I close the Console, shut down slapd, change the database back to read-write mode and restart everything. The Console shows the index has been created, but if I look at the slapd-HOSTNAME/db/ebiRoot/ directory, I cannot see a vlv#bymccoupeopledcebidcacdcuk.db4 file, so I guess the index doesn't really exist? With just 1400 entries it's difficult to tell. Sometimes I do get the index created, but quite often not. I'm using Fedora DS 1.0.4 on CentOS 4.4 with the following JRE: Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01) Java HotSpot(TM) Server VM (build 1.5.0_09-b01, mixed mode) Thanks for any help! Ville From james at jameswhite.org Mon Mar 26 13:32:36 2007
From: james at jameswhite.org (James S. White) Date: Mon, 26 Mar 2007 08:32:36 -0500 (CDT) Subject: [Fedora-directory-users] Can't Create Root Entry Message-ID: So I'm logged in as cn="Directory Manager" on Fedora Directory Server 1.0.4 and I've created the database for dc=ama,dc=domain,dc=com under the configuration tab, but when I try to create the new root object under the Directory tab it complains: Can't Create Root Entry Only the Directory Manager has the right to create the Root Entry Log in as Directory Manager to be able to perform this operation. ----------------------------------------------------------------------- James S. White primary/voip: (615) 469-0268 220 Hidden Valley Rd. .O. mobile: (256) 476-2619 Danville, AL 35619 ..O work: (615) 445-7338 http://www.jameswhite.org OOO work cell: (615) 517-6552 james at jameswhite.org fax: (866) 260-5465 ----------------------------------------------------------------------- America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves. -- Abraham Lincoln From james at jameswhite.org Mon Mar 26 13:57:56 2007
From: james at jameswhite.org (James S. White) Date: Mon, 26 Mar 2007 08:57:56 -0500 (CDT) Subject: [Fedora-directory-users] Can't Create Root Entry In-Reply-To: Message-ID: I kludged my way around this. I just exported a dc=int,dc=domain,dc=com that was there and then edited the resulting ldif, and initialized the ama db from it. The ama root now exists. ----------------------------------------------------------------------- James S. White primary/voip: (615) 469-0268 220 Hidden Valley Rd. .O. mobile: (256) 476-2619 Danville, AL 35619 ..O work: (615) 445-7338 http://www.jameswhite.org OOO work cell: (615) 517-6552 james at jameswhite.org fax: (866) 260-5465 ----------------------------------------------------------------------- America will never be destroyed from the outside. If we falter and lose our freedoms, it will be because we destroyed ourselves. -- Abraham Lincoln On Mon, 26 Mar 2007, James S. White wrote: > So I'm logged in as cn="Directory Manager" on Fedora Directory Server 1.0.4 > and I've created the database for dc=ama,dc=domain,dc=com under the configuration > tab, but when I try to create the new root object under the Directory tab > it complains: > > Can't Create Root Entry > Only the Directory Manager has the right to create the Root Entry > Log in as Directory Manager to be able to perform this operation. > > > ----------------------------------------------------------------------- > James S. White primary/voip: (615) 469-0268 > 220 Hidden Valley Rd. .O. mobile: (256) 476-2619 > Danville, AL 35619 ..O work: (615) 445-7338 > http://www.jameswhite.org OOO work cell: (615) 517-6552 > james at jameswhite.org fax: (866) 260-5465 > ----------------------------------------------------------------------- > America will never be destroyed from the outside. If we falter and lose > our freedoms, it will be because we destroyed ourselves.
> -- Abraham Lincoln > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From gholbert at broadcom.com Mon Mar 26 17:51:44 2007 From: gholbert at broadcom.com (George Holbert) Date: Mon, 26 Mar 2007 10:51:44 -0700 Subject: [Fedora-directory-users] Adding custom attributes without the gui In-Reply-To: References: Message-ID: <46080830.6040809@broadcom.com> http://www.redhat.com/docs/manuals/dir-server/schema/7.1/schemaTOC.html http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/schema.html James S. White wrote: > How does one add custom attributes and objectclasses without using the > GUI in fedora-ds From rmeggins at redhat.com Mon Mar 26 18:23:21 2007 
From: rmeggins at redhat.com (Richard Megginson) Date: Mon, 26 Mar 2007 12:23:21 -0600 Subject: [Fedora-directory-users] LDAP Server Unwilling to perform replication? In-Reply-To: References: Message-ID: <46080F99.1060107@redhat.com> James S. White wrote: > So I'm trying to set up a replication agreement and I get "LDAP server unwilling to perform". Any thoughts as to why this error might occur? It's not very descriptive. > Not sure. Try checking the error log. > This is a replication agreement > Name:: sapphire-topaz > Replica Entry DN:: cn=replica,cn="dc=int,dc=domain,dc=com",cn=mapping tree,cn=config > Supplier: sapphire.int.domain.com:636 > Consumer: topaz.int.domain.com:636 > Using encrypted SSL connection > Authenticate using: Simple authentication > Replicated subtree:: dc=int,dc=domain,dc=com > Attributes: null > Schedule: Always keep directories in sync > > ----------------------------------------------------------------------- > James S. White primary/voip: (615) 469-0268 > 220 Hidden Valley Rd. .O. mobile: (256) 476-2619 > Danville, AL 35619 ..O work: (615) 445-7338 > http://www.jameswhite.org OOO work cell: (615) 517-6552 > james at jameswhite.org fax: (866) 260-5465 > ----------------------------------------------------------------------- > America will never be destroyed from the outside. If we falter and lose > our freedoms, it will be because we destroyed ourselves. > -- Abraham Lincoln > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From Julien.Guyon at cr-lorraine.fr Tue Mar 27 09:19:35 2007
From: Julien.Guyon at cr-lorraine.fr (Guyon Julien) Date: Tue, 27 Mar 2007 11:19:35 +0200 Subject: [Fedora-directory-users] Error message: Failed to initialize cipherAES in attrcrypt_init In-Reply-To: <7D86D714DBC59741AA1E7D52D66C757712E6FF@exch-hr-1.crlorraine> Message-ID: <7D86D714DBC59741AA1E7D52D66C757712E705@exch-hr-1.crlorraine>

Hi, So nobody has any idea about the problem. See you Julien Guyon Systems, Networks & Telecoms Engineer Conseil Régional de Lorraine Tel: (+33) 3 87 33 63 14 Email: julien.guyon at cr-lorraine.fr

________________________________

From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On behalf of Guyon Julien Sent: Friday, 23 March 2007 09:10 To: fedora-directory-users at redhat.com Cc: Jean-Baptiste CHARPENTIER Subject: [Fedora-directory-users] Error message: Failed to initialize cipherAES in attrcrypt_init

Hi, Since I configured SSL (based on information found at http://directory.fedora.redhat.com/wiki/Howto:SSL), the following messages appear in the errors log. The directory is starting and working well, and my AD passwords are also correctly synchronised using WindowsSync over SSL. At start time:

[22/Mar/2007:09:44:05 +0100] - Fedora-Directory/1.0.2 B2006.060.1928 starting up
[22/Mar/2007:09:44:05 +0100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Mar/2007:09:44:05 +0100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[22/Mar/2007:09:44:05 +0100] - Failed to initialize cipher AES in attrcrypt_init
[22/Mar/2007:09:44:05 +0100] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[22/Mar/2007:09:44:05 +0100] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
[22/Mar/2007:09:44:05 +0100] - Failed to initialize cipher AES in attrcrypt_init
[22/Mar/2007:09:44:05 +0100] - slapd started. Listening on All Interfaces port 1389 for LDAP requests
[22/Mar/2007:09:44:05 +0100] - Listening on All Interfaces port 1636 for LDAPS requests

Such a question has already been posted one year ago but the answer was not sufficient to correct the problem. Any ideas? Regards Julien Guyon Systems, Networks & Telecoms Engineer Conseil Régional de Lorraine Tel: (+33) 3 87 33 63 14 Email: julien.guyon at cr-lorraine.fr _________________________________________________________________________ This message has been checked by the MDaemon antivirus (md6). As a precaution, do not open attachments from unknown correspondents. _________________________________________________________________________

From capareci at uol.com.br Tue Mar 27 14:12:27 2007 From: capareci at uol.com.br (Renato Ribeiro da Silva) Date: Tue, 27 Mar 2007 11:12:27 -0300 Subject: [Fedora-directory-users] Unindexed Search question Message-ID:

I'm trying to understand why the search below is not indexed.

[27/Mar/2007:06:54:21 -0300] conn=341590 op=2 SRCH base="dc=domain,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[27/Mar/2007:06:54:26 -0300] conn=341590 op=2 RESULT err=0 tag=101 nentries=8975 etime=5 notes=U

I looked at the configuration of the indexes in the database and the objectclass attribute has a system (read-only) index of Equality. Any idea? Thanks in advance, Renato.

From rmeggins at redhat.com Tue Mar 27 14:32:06 2007
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 27 Mar 2007 08:32:06 -0600
Subject: [Fedora-directory-users] Unindexed Search question
In-Reply-To:
References:
Message-ID: <46092AE6.9060804@redhat.com>

Renato Ribeiro da Silva wrote:
> I'm trying to understand why the search below is not indexed.
>
> [27/Mar/2007:06:54:21 -0300] conn=341590 op=2 SRCH base="dc=domain,dc=com" scope=2 filter="(objectClass=posixAccount)" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
>
> [27/Mar/2007:06:54:26 -0300] conn=341590 op=2 RESULT err=0 tag=101 nentries=8975 etime=5 notes=U
>
> I looked at the configuration of the indexes in the database, and the objectclass attribute has a system (read-only) Equality index.
> Any idea?
>
nentries=8975

You might be running into the list scan limit - see http://www.redhat.com/docs/manuals/dir-server/ag/7.1/index1.html#1110655

> Thanks in advance,
> Renato.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From: labinfo.suporte at unifacs.br (Paulo Estrela - Suporte LabInfo UNIFACS)
Date: Tue, 27 Mar 2007 14:45:21 -0300
Subject: [Fedora-directory-users] http-client plugin
Message-ID: <02e401c77097$b82c1da0$fc001cac@labinfo.unifacs.br>

Hi,

What does the http-client plugin do, and how can I use it?

[]'s

Paulo Estrela
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 27 Mar 2007 11:44:15 -0600
Subject: [Fedora-directory-users] http-client plugin
In-Reply-To: <02e401c77097$b82c1da0$fc001cac@labinfo.unifacs.br>
References: <02e401c77097$b82c1da0$fc001cac@labinfo.unifacs.br>
Message-ID: <460957EF.50001@redhat.com>

Paulo Estrela - Suporte LabInfo UNIFACS wrote:
> Hi,
>
> What does the http-client plugin do, and how can I use it?
>
Take a look at the presence plugin code.

> []'s
>
> Paulo Estrela
From: Cary_Anderson at CalPERS.ca.gov (Anderson, Cary)
Date: Tue, 27 Mar 2007 12:39:40 -0700
Subject: [Fedora-directory-users] Question about the type of binds that are done after authentication
Message-ID: <611085D774BEAE4C9E4959C53EB7A9760E4C2DE0@hqk110.calpers.ca.gov>

I have been asked a question relating to when authenticated and anonymous binds are made to an LDAP directory, and I was hoping someone might be able to provide some assistance...

After a user authenticates to a Linux server via LDAP and issues a UNIX command, say ls, will subsequent queries to LDAP be made in order to determine the uid of the user issuing the command, for the purposes of determining whether the user can execute the command and read the directory/file target of the ls command, or is that cached in the initial authentication?

If subsequent LDAP queries are made for this type of information, are they authenticated or anonymous binds?

Thanks in advance.

Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 27 Mar 2007 12:56:07 -0700
Subject: [Fedora-directory-users] Question about the type of binds that are done after authentication
In-Reply-To: <611085D774BEAE4C9E4959C53EB7A9760E4C2DE0@hqk110.calpers.ca.gov>
References: <611085D774BEAE4C9E4959C53EB7A9760E4C2DE0@hqk110.calpers.ca.gov>
Message-ID: <460976D7.2090301@broadcom.com>

> After a user authenticates to a Linux server via LDAP and issues a UNIX
> command, say ls, will subsequent queries to LDAP be made in order to
> determine the uid of the user issuing the command, for the purposes of
> determining whether the user can execute the command and read the
> directory/file target of the ls command, or is that cached in the
> initial authentication?

UID and GID information is not cached as part of authentication. The name service switch setting for passwd (configured in /etc/nsswitch.conf) determines how UID lookups are done for usernames. The most common nsswitch setting for a purely LDAP environment would probably be:

passwd: files ldap

> If subsequent LDAP queries are made for this type of information, are
> they authenticated or anonymous binds?

This depends on your nss_ldap settings. It can be done either way. But the authenticated binds are done by a proxy DN (similar to a service account), not the individual DNs of users logged into Linux.

Note also that nscd will cache name service lookups from any source, including LDAP. This can be useful in reducing the load on your LDAP servers.

Anderson, Cary wrote:
>
> I have been asked a question relating to when authenticated and
> anonymous binds are made to an LDAP directory, and I was hoping someone
> might be able to provide some assistance...
>
> After a user authenticates to a Linux server via LDAP and issues a UNIX
> command, say ls, will subsequent queries to LDAP be made in order to
> determine the uid of the user issuing the command, for the purposes of
> determining whether the user can execute the command and read the
> directory/file target of the ls command, or is that cached in the
> initial authentication? If subsequent LDAP queries are made for this
> type of information, are they authenticated or anonymous binds?
>
> Thanks in advance.
>
> ------------------------------------------------------------------------
From: ajs at th.ph.bham.ac.uk (Andy Schofield)
Date: Tue, 27 Mar 2007 21:43:23 +0100
Subject: [Fedora-directory-users] Trying to set up a simple authentication and file server
Message-ID: <20070327214323.066801a9@localhost.localdomain>

Please excuse the obvious newbie posting: I am struggling to get my head round fedora-ds, and what I am trying to do must be so standard.

I am trying to set up a simple server for about 20 users that allows clients running Red Hat Enterprise 4 to authenticate over LDAP and find the automounter map which tells them how to automount a user's home space.

We are moving from a Solaris NIS server which, from a client's perspective, is trivial to set up: you just run system-config-authentication, enable "configure NIS", fill in the NIS domain and the NIS server, and it just works.

Running system-config-authentication also has an option to enable "configure LDAP", where you fill in the LDAP Search Base DN and the LDAP Server. I would like to create the server that will respond appropriately.

So my questions:

(1) Is fedora-ds the right tool for the job? Perhaps it is using a sledgehammer to crack a nut.

(2) I've more or less got the authentication bit working, but the console seems counter-intuitive. The opening screen has a tab "Users and Group" which allows you to search and add users, but this, as far as I can see, has nothing to do with the users that the server will authenticate. They need to be added way down the tree, by opening the Directory Server, choosing the suffix, right-clicking "People" and adding new. Is this the correct method of adding users? (I don't want to import them from the passwd file - there are so few of them I want to do things by hand.)

(3) How do I add the automap? Various websites talk about an "automountInformation:" entry, but where does that come in? It does not appear as an attribute I can add to a person.

(4) Does anyone know of a simple walk-through documentation to do this, as I am surely not the first person to try and do this with FDS?

Thanks for your help
Andy

From: pkime at Shopzilla.com (Philip Kime)
Date: Tue, 27 Mar 2007 13:47:50 -0700
Subject: [Fedora-directory-users] Creating a dynamic group to mirror a netgroup?
Message-ID: <9C0091F428E697439E7A773FFD083427A92BFA@szexchange.Shopzilla.inc>

Always the way - the LDAP-enabled app/hardware falls one inch short of doing what you need... In this case a Juniper VPN box, for which I need to check LDAP netgroup membership for access control, but it doesn't quite understand netgroups. The nisnetgrouptriple=(,username,) format is the stumbling block, as I need just the username. I was looking at creating a dynamic group on the LDAP server itself to contain the same usernames as in the netgroup, but in a simple format the VPN box could query. Anybody have an idea how to do this with dynamic groups?

Essentially, I need a query to turn this:

cn=netgroup1
nisnetgrouptriple=(,user1,)
nisnetgrouptriple=(,user2,)

into something like this:

cn=dynamic-group1
uniquemember=user1
uniquemember=user2

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407
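An offline alternative to the dynamic group Philip asks for here (and again in his later "Conditional Cos/Roles?" post), added as an example that is not code from the thread or from Fedora DS: it parses the "(host,user,domain)" triples, collects the user names, and emits LDIF for an ordinary static group that a netgroup-unaware client can query. The suffix, the People and Groups containers and the sample netgroups are assumptions; nested memberNisNetgroup resolution and DN escaping go beyond the flat netgroup in the question.

```python
"""Derive plain group membership from nisNetgroupTriple values.

Added example, not code from the list thread or from Fedora DS. A dynamic
group in Fedora DS is defined by an LDAP URL whose filter matches whole
attribute values, so it cannot pull the user name out of a "(host,user,domain)"
triple. This script does that extraction offline and renders LDIF for a static
groupOfUniqueNames entry instead. Suffix and container names are assumptions.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# A triple is "(host,user,domain)"; any field may be empty (wildcard) or "-"
# (no valid value). Whitespace around the fields is tolerated.
_TRIPLE = re.compile(
    r"^\(\s*(?P<host>[^,()]*?)\s*,\s*(?P<user>[^,()]*?)\s*,\s*(?P<domain>[^,()]*?)\s*\)$"
)

# Constructed sample of what a search over the nisNetgroup entries would
# return: netgroup cn -> attribute -> values. netgroup2 nests netgroup1 again
# on purpose so the cycle guard is exercised.
SAMPLE_NETGROUPS: Dict[str, Dict[str, List[str]]] = {
    "netgroup1": {
        "nisNetgroupTriple": ["(,user1,)", "(,user2,)"],
        "memberNisNetgroup": ["netgroup2"],
    },
    "netgroup2": {
        "nisNetgroupTriple": ["(host1,user3,)", "(host2,,)", "(,-,)", "(,user1,)"],
        "memberNisNetgroup": ["netgroup1"],
    },
}


def parse_triple(value: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, user, domain), or None if the value is not a triple."""
    m = _TRIPLE.match(value.strip())
    if not m:
        return None
    return m["host"], m["user"], m["domain"]


def netgroup_users(name: str, netgroups: Dict[str, Dict[str, List[str]]],
                   _seen: Optional[Set[str]] = None) -> Set[str]:
    """Collect explicit user names from a netgroup and its nested netgroups.

    Empty ("any user") and "-" ("no user") fields name nobody and are skipped:
    a static group can only list named members. Unknown netgroups and cycles
    contribute nothing.
    """
    if _seen is None:
        _seen = set()
    if name in _seen or name not in netgroups:
        return set()
    _seen.add(name)
    entry = netgroups[name]
    users: Set[str] = set()
    for value in entry.get("nisNetgroupTriple", []):
        triple = parse_triple(value)
        if triple is None:
            continue
        user = triple[1]
        if user and user != "-":
            users.add(user)
    for nested in entry.get("memberNisNetgroup", []):
        users |= netgroup_users(nested, netgroups, _seen)
    return users


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514, section 2.4).

    User names come from netgroup data, so treat them as untrusted: an
    unescaped comma or plus sign would otherwise change the DN's meaning.
    """
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    out = out.replace("\x00", "\\00")
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def group_ldif(cn: str, users: Set[str], suffix: str,
               people_rdn: str = "ou=People", groups_rdn: str = "ou=Groups") -> str:
    """Render a groupOfUniqueNames entry whose uniqueMember DNs name the users."""
    lines = [
        f"dn: cn={escape_rdn_value(cn)},{groups_rdn},{suffix}",
        "objectClass: top",
        "objectClass: groupOfUniqueNames",
        f"cn: {cn}",
    ]
    for user in sorted(users):
        lines.append(f"uniqueMember: uid={escape_rdn_value(user)},{people_rdn},{suffix}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    members = netgroup_users("netgroup1", SAMPLE_NETGROUPS)
    print(group_ldif("dynamic-group1", members, "dc=example,dc=com"))
```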
From: gholbert at broadcom.com (George Holbert)
Date: Tue, 27 Mar 2007 14:10:06 -0700
Subject: [Fedora-directory-users] Trying to set up a simple authentication and file server
In-Reply-To: <20070327214323.066801a9@localhost.localdomain>
References: <20070327214323.066801a9@localhost.localdomain>
Message-ID: <4609882E.7000805@broadcom.com>

Hi Andy,

Not to discourage you, but if you're going to switch from NIS to LDAP, be prepared to spend a lot of time. For a single site with 20 users, the simplicity of NIS might make it a better choice, particularly since you and your co-workers are already familiar with it.

> (1) Is fedora-ds the right tool for the job? Perhaps it is using a
> sledgehammer to crack a nut.

FDS is a great tool, but yeah, it is kind of a sledgehammer for your case.

> (3) How do I add the automap? Various websites talk about an
> "automountInformation:" entry, but where does that come in? It does not
> appear as an attribute I can add to a person.

You need to add some extra schema.
http://directory.fedora.redhat.com/wiki/Howto:Automount

> (4) Does anyone know of a simple walk-through documentation to do this,
> as I am surely not the first person to try and do this with FDS?

Gary Tay has a lot of good notes on NIS-to-LDAP topics here:
http://web.singnet.com.sg/~garyttt

I don't know of any one-size-fits-all recipes.

Good luck!

-- George

Andy Schofield wrote:
> Please excuse the obvious newbie posting: I am struggling to get my
> head round fedora-ds, and what I am trying to do must be so standard.
>
> I am trying to set up a simple server for about 20 users that allows
> clients running Red Hat Enterprise 4 to authenticate over LDAP and find
> the automounter map which tells them how to automount a user's home
> space.
>
> We are moving from a Solaris NIS server which, from a client's
> perspective, is trivial to set up:
> you just run system-config-authentication
> + enable "configure NIS"
> + fill in the NIS domain and the NIS server, and it just works.
>
> Running system-config-authentication also has an option to enable
> "configure LDAP", where you fill in the LDAP Search Base DN and the LDAP
> Server. I would like to create the server that will respond
> appropriately.
>
> So my questions:
>
> (1) Is fedora-ds the right tool for the job? Perhaps it is using a
> sledgehammer to crack a nut.
>
> (2) I've more or less got the authentication bit working, but the
> console seems counter-intuitive. The opening screen has a tab "Users
> and Group" which allows you to search and add users, but this, as far as
> I can see, has nothing to do with the users that the server will
> authenticate. They need to be added way down the tree,
> by opening the Directory Server,
> choosing the suffix, right-clicking "People" and adding new.
> Is this the correct method of adding users?
> (I don't want to import them from the passwd file - there are so few of
> them I want to do things by hand.)
>
> (3) How do I add the automap? Various websites talk about an
> "automountInformation:" entry, but where does that come in? It does not
> appear as an attribute I can add to a person.
>
> (4) Does anyone know of a simple walk-through documentation to do this,
> as I am surely not the first person to try and do this with FDS?
>
> Thanks for your help
> Andy
From: joshkel at gmail.com (Josh Kelley)
Date: Tue, 27 Mar 2007 17:45:26 -0400
Subject: [Fedora-directory-users] Recovering from database corruption?
Message-ID: <97cbd1a90703271445n353e125mf3534f19461fe3af@mail.gmail.com>

I'm afraid that I may have messed up our FDS installation and would greatly appreciate advice on how to fix things.

We have two Fedora Directory Servers, urim and thummim, set up to replicate changes to each other. Following a combination of hardware failure and administrator error (i.e., I thought that the server was hung and killed it, possibly while it was in the middle of recovery), the database got corrupted on urim, and it refused to start, giving the following errors in its log file:

[27/Mar/2007:17:10:18 -0400] - libdb: Ignoring log file: /opt/fedora-ds/slapd-urim/db/log.0000000164: magic number 0, not 40988
[27/Mar/2007:17:10:20 -0400] - libdb: Invalid log file: log.0000000164: Invalid argument
[27/Mar/2007:17:10:20 -0400] - libdb: PANIC: Invalid argument
[27/Mar/2007:17:10:20 -0400] - libdb: PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
[27/Mar/2007:17:10:20 -0400] - Opening database environment (/opt/fedora-ds/slapd-urim/db) failed. err=-30978: DB_RUNRECOVERY: Fatal error, run database recovery
[27/Mar/2007:17:10:20 -0400] - start: Failed to init database, err=-30978 DB_RUNRECOVERY: Fatal error, run database recovery

So then I moved the invalid log file out of the way and successfully started FDS. Since urim was now out of date and had some database inconsistencies, I opened the administrative console on thummim, selected the replication agreement to urim, and told it to (re)initialize the consumer.

Everything appears to be correct now; however, in the error logs on urim, I got the following warning/error:

[27/Mar/2007:17:23:43 -0400] NSMMReplicationPlugin - replica_reload_ruv: Warning: new data for replica dc=local does not match the data in the changelog. Recreating the changelog file. This could affect replication with replica's consumers in which case the consumers should be reinitialized.

Does this mean that I now need to reinitialize thummim as well? Or is this warning the result of urim's changelog forcibly being sync'ed with thummim, and everything's okay now?

Thank you.

Josh Kelley
From: rmeggins at redhat.com (Richard Megginson)
Date: Tue, 27 Mar 2007 16:12:37 -0600
Subject: [Fedora-directory-users] Recovering from database corruption?
In-Reply-To: <97cbd1a90703271445n353e125mf3534f19461fe3af@mail.gmail.com>
References: <97cbd1a90703271445n353e125mf3534f19461fe3af@mail.gmail.com>
Message-ID: <460996D5.3090101@redhat.com>

Josh Kelley wrote:
> I'm afraid that I may have messed up our FDS installation and would
> greatly appreciate advice on how to fix things.
>
> We have two Fedora Directory Servers, urim and thummim, set up to
> replicate changes to each other. Following a combination of hardware
> failure and administrator error (i.e., I thought that the server was
> hung and killed it, possibly while it was in the middle of recovery),
> the database got corrupted on urim, and it refused to start, giving
> the following errors in its log file:
>
> [27/Mar/2007:17:10:18 -0400] - libdb: Ignoring log file:
> /opt/fedora-ds/slapd-urim/db/log.0000000164: magic number 0, not 40988
> [27/Mar/2007:17:10:20 -0400] - libdb: Invalid log file:
> log.0000000164: Invalid argument
> [27/Mar/2007:17:10:20 -0400] - libdb: PANIC: Invalid argument
> [27/Mar/2007:17:10:20 -0400] - libdb: PANIC: DB_RUNRECOVERY: Fatal
> error, run database recovery
> [27/Mar/2007:17:10:20 -0400] - Opening database environment
> (/opt/fedora-ds/slapd-urim/db) failed. err=-30978: DB_RUNRECOVERY:
> Fatal error, run database recovery
> [27/Mar/2007:17:10:20 -0400] - start: Failed to init database,
> err=-30978 DB_RUNRECOVERY: Fatal error, run database recovery
>
> So then I moved the invalid log file out of the way and successfully
> started FDS. Since urim was now out of date and had some database
> inconsistencies, I opened the administrative console on thummim,
> selected the replication agreement to urim, and told it to
> (re)initialize the consumer.
>
> Everything appears to be correct now; however, in the error logs on
> urim, I got the following warning/error:
> [27/Mar/2007:17:23:43 -0400] NSMMReplicationPlugin -
> replica_reload_ruv: Warning: new data for replica dc=local does not
> match the data in the changelog.
> Recreating the changelog file. This could affect replication with
> replica's consumers in which case the consumers should be
> reinitialized.
>
> Does this mean that I now need to reinitialize thummim as well? Or is
> this warning the result of urim's changelog forcibly being sync'ed
> with thummim, and everything's okay now?

The latter, I think. I think you should be ok now.

>
> Thank you.
>
> Josh Kelley
From: Victor.Rodriguez at gribbles.com.au (Victor Rodriguez)
Date: Wed, 28 Mar 2007 16:43:35 +1000
Subject: [Fedora-directory-users] Error : Critical extension unavailable
Message-ID:

Good Afternoon:

I have installed Fedora Directory Server on a test environment because I need to link 2 different LDAP servers (OpenLDAP and eDirectory) in my company through only one (Fedora Directory Server). I have created a database link to my first LDAP server (OpenLDAP), and when I try to connect through my Fedora Directory Server I get this error: Critical extension unavailable

Do I need to set up anything else?

Regards,

Victor Rodriguez

Attention: The information contained in this message and or attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any system and destroy any copies. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of The Gribbles Group. Thank You. Whilst every effort has been made to ensure that this e-mail message and any attachments are free from viruses, you should scan this message and any attachments. Under no circumstances do we accept liability for any loss or damage which may result from your receipt of this message or any attachment.
From: yoram.kahana at gmail.com (Yoram Kahana)
Date: Wed, 28 Mar 2007 12:30:32 +0200
Subject: [Fedora-directory-users] configuring SSL without using the "check peer no" option
Message-ID: <37d92a190703280330y46140920te60aefcf941d70f4@mail.gmail.com>

Hi

1. After several FDS 1.0.4.1 installations I have the impression that there is a problem with the admin server database certificate initialisation. It causes a situation where I can't start the manage certificate option in tasks.

2. I am getting an error telling me my peer can't trust the server certificate. When using the option check peer no it solves the problem.

Are these problems related?

My goal is to use SSL to authenticate and encrypt the traffic between the client (my own code with the OpenLDAP API, and PAM/NSS)

I have tried two certificate types
From: yoram.kahana at gmail.com (Yoram Kahana)
Date: Wed, 28 Mar 2007 12:35:05 +0200
Subject: [Fedora-directory-users] configuring SSL without using the "check peer no" option
Message-ID: <37d92a190703280335o662d57e8rf577295ad2ccc725@mail.gmail.com>

Hi

1. After several FDS 1.0.4.1 installations I have the impression that there is a problem with the admin server database certificate initialisation. It causes a situation where I can't start the manage certificate option in tasks.

2. I am getting an error telling me my peer can't trust the server certificate. When using the option check peer no it solves the problem.

Are these problems related?

My goal is to use SSL to authenticate and encrypt the traffic between the client (my own code with the OpenLDAP API, and PAM/NSS)

I have tried two certificate types
1. from the Linux openssl
2. from a Verisign test trial certificate

What do I miss?

How can I fix the "verify the server certificate" problem?

Thanks in advance
Yoram
From: peter.biggerstaff at healthalliance.co.nz (Peter Biggerstaff)
Date: Wed, 28 Mar 2007 08:48:42 +1200
Subject: [Fedora-directory-users] Fedora Directory as a domain controller
Message-ID: <1175028522.6919.1.camel@CMH020831.healthcare>

Is it possible to use Fedora DS as a Windows PDC, so I can manage Windows and Linux clients from the same directory?

Kind Regards,

Peter Biggerstaff
Linux Desktop Development Specialist
P 09 276 00 00
F 09 276 0256
Ext 2478
M 021 784 167
peter.biggerstaff at healthalliance.co.nz
www.healthalliance.co.nz
healthAlliance New Zealand

- = Visit the HealthAlliance website at http://www.healthalliance.co.nz = -

This e-mail message and any accompanying attachments may contain information that is confidential and subject to legal privilege. If you are not the intended recipient, do not read, use, disseminate, distribute or copy this message or attachments. If you have received this message in error, please notify the sender immediately and delete this message.
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 28 Mar 2007 07:50:10 -0600
Subject: [Fedora-directory-users] Error : Critical extension unavailable
In-Reply-To:
References:
Message-ID: <460A7292.1000401@redhat.com>

Victor Rodriguez wrote:
> Good Afternoon:
>
> I have installed Fedora Directory Server on a test environment because
> I need to link 2 different LDAP servers (OpenLDAP and eDirectory) in
> my company through only one (Fedora Directory Server). I have created
> a database link to my first LDAP server (OpenLDAP), and when I try to
> connect through my Fedora Directory Server I get this error: Critical
> extension unavailable
>
> Do I need to set up anything else?

The Fedora DS chaining database (database link) uses the Proxy Auth control. I think you can disable this. Check the docs for the chaining database configuration. It may be that the console does not allow you to set this, but you can set it manually.
http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf - search for nsProxiedAuthorization

If there are other controls being sent by Fedora DS, you can disable those too - search for nsTransmittedControls in the above document.

>
> Regards,
>
> *Victor Rodriguez*
>
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 28 Mar 2007 07:51:31 -0600
Subject: [Fedora-directory-users] configuring SSL without using the "check peer no" option
In-Reply-To: <37d92a190703280335o662d57e8rf577295ad2ccc725@mail.gmail.com>
References: <37d92a190703280335o662d57e8rf577295ad2ccc725@mail.gmail.com>
Message-ID: <460A72E3.5080504@redhat.com>

Yoram Kahana wrote:
> Hi
>
> 1. After several FDS 1.0.4.1 installations I have
> the impression that there is a problem with the admin server database
> certificate initialisation. It causes a situation where I can't start the
> manage certificate option in tasks.
> 2. I am getting an error telling me my peer can't trust the server
> certificate. When using the option check peer no it solves the problem.
> Are these problems related?
>
>
> My goal is to use SSL to authenticate and encrypt the traffic
> between the client (my own code with the OpenLDAP API, and PAM/NSS)
>
> I have tried two certificate types
> 1. from the Linux openssl
> 2. from a Verisign test trial certificate
>
> What do I miss?
>
> How can I fix the "verify the server certificate" problem?

I'm not sure. I suggest you start here first - http://directory.fedora.redhat.com/wiki/Howto:SSL#Console_SSL_Information

>
> Thanks in advance
> Yoram
> ------------------------------------------------------------------------
>
From: kylet at panix.com (Kyle Tucker)
Date: Wed, 28 Mar 2007 10:22:12 -0400 (EDT)
Subject: [Fedora-directory-users] Trying to set up a simple authentication and file server
In-Reply-To: <20070327214323.066801a9@localhost.localdomain>
Message-ID: <200703281422.l2SEMCL03623@panix1.panix.com>

> (1) Is fedora-ds the right tool for the job? Perhaps it is using a
> sledgehammer to crack a nut.

I've set it up for a company with as few as 4 people. The payoff is being able to use centralized auth for ssh, Apache, Samba, Bugzilla and more.

> (2) I've more or less got the authentication bit working, but the
> console seems counter-intuitive. The opening screen has a tab "Users
> and Group" which allows you to search and add users, but this, as far as
> I can see, has nothing to do with the users that the server will
> authenticate. They need to be added way down the tree,
> by opening the Directory Server,
> choosing the suffix, right-clicking "People" and adding new.
> Is this the correct method of adding users?
> (I don't want to import them from the passwd file - there are so few of
> them I want to do things by hand.)

I have put an INSTALL summary file and a bunch of scripts I use to maintain Unix accounts with FDS online. It may be of help to you.
http://www.panix.com/~kylet/ldap

> (3) How do I add the automap? Various websites talk about an
> "automountInformation:" entry, but where does that come in? It does not
> appear as an attribute I can add to a person.

Automaps are separate entries in the directory. I've not used them yet, but enough shops are using them that it must be easily implemented. I know we use it at one place I work under SunONE DS (essentially the same as FDS), and it looks pretty straightforward. Feel free to email me offline if you'd like some help or snippets of the schema and/or LDIF samples.

--
- Kyle
---------------------------------------------
kylet at panix.com
http://www.panix.com/~kylet
---------------------------------------------

From: ankur_agwal at yahoo.com (Ankur Agarwal)
Date: Wed, 28 Mar 2007 08:00:45 -0700 (PDT)
Subject: [Fedora-directory-users] How to disable anonymous bind to LDAP?
Message-ID: <20070328150045.77410.qmail@web54112.mail.re2.yahoo.com>

Hi,

Would like to know how to disable anonymous bind? Is there any configuration level change to be done?

regards,
Ankur
From: rmeggins at redhat.com (Richard Megginson)
Date: Wed, 28 Mar 2007 09:15:56 -0600
Subject: [Fedora-directory-users] How to disable anonymous bind to LDAP?
In-Reply-To: <20070328150023.23788.qmail@web54106.mail.re2.yahoo.com>
References: <20070328150023.23788.qmail@web54106.mail.re2.yahoo.com>
Message-ID: <460A86AC.6040803@redhat.com>

Ankur Agarwal wrote:
> Hi,
>
> Would like to know how to disable anonymous bind? Is there any
> configuration level change to be done?

You cannot disable anonymous binds to Fedora DS. You can, however, use access control to restrict what anonymous users are able to do.

>
> regards,
> Ankur
>
From: pkime at Shopzilla.com (Philip Kime) Date: Wed, 28 Mar 2007 12:11:11 -0700 Subject: [Fedora-directory-users] Conditional Cos/Roles? Message-ID: <9C0091F428E697439E7A773FFD083427A92C02@szexchange.Shopzilla.inc>

Is it possible to do this -

Include a user in a dynamic group/assign a role/add a CoS attribute if some arbitrary other attribute contains the uid?

I can't quite see a way to do this. I have a load of nisnetgrouptriple attributes containing usernames in the form "(,uid,)" and I need to make a dynamic group or add a CoS attribute to enable a NIS-unaware app to check basic netgroup membership - everything just seems to fall short of being able to do this.

PK

-- Philip Kime NOPS Systems Architect 310 401 0407

From yoram.kahana at gmail.com Wed Mar 28 19:17:33 2007
From: yoram.kahana at gmail.com (Yoram Kahana) Date: Wed, 28 Mar 2007 21:17:33 +0200 Subject: [Fedora-directory-users] CA certificate format Message-ID: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com>

Hi

Does anyone have an idea on which format I should save the CA certificate in the clients (for SSL communication)? Is it PEM, DER, BER?

Thanks in advance

Yoram

From rmeggins at redhat.com Wed Mar 28 19:18:27 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 28 Mar 2007 13:18:27 -0600 Subject: [Fedora-directory-users] CA certificate format In-Reply-To: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com> References: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com> Message-ID: <460ABF83.1060106@redhat.com>

Yoram Kahana wrote:
> Hi
>
> Does anyone have an idea on which format I should save the CA
> certificate in the clients (for SSL communication)?
> Is it PEM, DER, BER?
It depends - what client are you trying to configure? Did you see this - http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
>
> Thanks in advance
>
> Yoram

From yoram.kahana at gmail.com Wed Mar 28 19:56:04 2007
From: yoram.kahana at gmail.com (Yoram Kahana) Date: Wed, 28 Mar 2007 21:56:04 +0200 Subject: [Fedora-directory-users] CA certificate format In-Reply-To: <460ABF83.1060106@redhat.com> References: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com> <460ABF83.1060106@redhat.com> Message-ID: <37d92a190703281256x11e02296qa90278393d5b8615@mail.gmail.com>

Hi Richard,

Great thanks for the link, I'll check it tomorrow morning (it's late in the evening here). I am using RHEL update 4. Seems that the link contains answers for all I need.

Again, great thanks

Yoram

On 3/28/07, Richard Megginson wrote:
>
> Yoram Kahana wrote:
> > Hi
> >
> > Does anyone have an idea on which format I should save the CA
> > certificate in the clients (for SSL communication)?
> > Is it PEM, DER, BER?
> It depends - what client are you trying to configure? Did you see this
> - http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
> >
> > Thanks in advance
> >
> > Yoram

From prowley at redhat.com Wed Mar 28 20:15:12 2007
From: prowley at redhat.com (Pete Rowley) Date: Wed, 28 Mar 2007 13:15:12 -0700 Subject: [Fedora-directory-users] Conditional Cos/Roles? In-Reply-To: <9C0091F428E697439E7A773FFD083427A92C02@szexchange.Shopzilla.inc> References: <9C0091F428E697439E7A773FFD083427A92C02@szexchange.Shopzilla.inc> Message-ID: <460ACCD0.2050204@redhat.com>

Philip Kime wrote:
> Is it possible to do this -
>
> Include a user in a dynamic group/assign a role/add a CoS attribute if
> some arbitrary other attribute contains the uid?
>
> I can't quite see a way to do this. I have a load of nisnetgrouptriple
> attributes containing usernames in the form "(,uid,)" and I need to
> make a dynamic group or add a CoS attribute to enable a NIS-unaware app
> to check basic netgroup membership - everything just seems to fall
> short of being able to do this.
>
This would require a custom plugin, probably a virtual attribute service provider plugin.

-- Pete

From ajs at th.ph.bham.ac.uk Wed Mar 28 20:56:27 2007
From: ajs at th.ph.bham.ac.uk (Andy Schofield) Date: Wed, 28 Mar 2007 21:56:27 +0100 Subject: [Fedora-directory-users] Trying to set up a simple authentication and file server In-Reply-To: <4609882E.7000805@broadcom.com> References: <20070327214323.066801a9@localhost.localdomain> <4609882E.7000805@broadcom.com> Message-ID: <20070328215627.438734f3@localhost.localdomain>

Thanks for the help, George and Kyle. I have basic authentication working now.

> > (3) How do I add the automap? Various websites talk about
> > "automountInformation:" entry, but where does that come in? It does
> > not appear as an attribute I can add to a person.
>
> You need to add some extra schema.
> http://directory.fedora.redhat.com/wiki/Howto:Automount
>

I have also got the autofs maps working. At least it works for a Red Hat Enterprise 4.4 client. I have not yet tested it on a Solaris client (and I am sure it won't work for them).

So you need to add the schema that George pointed out in the link above: http://directory.fedora.redhat.com/wiki/Howto:Automount

You save it as an .ldif file, but you can't import it via the console. I added it to the /opt/fedora-ds/slapd-*/config/schema directory with a suitably high number like 90. This now gives you the appropriate objects.

Here are some ldif files that allow a client to find auto.master and auto.home.
dn: automountmapname=auto_master,dc=mydom,dc=com
automountInformation: ldap:myldap.host.com:automountmapname=auto_home,dc=mydom,dc=com --timeout=120
automountKey: /home
automountMapName: auto_master
objectClass: top
objectClass: automount
objectClass: automountmap

dn: automountmapname=auto_home,dc=mydom,dc=com
automountMapName: auto_home
objectClass: top
objectClass: automountmap
objectClass: automount
automountKey: *
automountInformation: -fstype=nfs,rw,hard,intr,nosuid myfileserver.com:/export/home/&

Note that in /etc/nsswitch.conf you should have

automount: files ldap

and have the ldap server correctly set up in /etc/ldap.conf.

Note that in /etc/sysconfig/autofs there is an option to use auto_master and auto.master interchangeably.

Hope this helps some other newbie.

Andy

From Colin.Coe at woodside.com.au Thu Mar 29 00:20:41 2007
From: Colin.Coe at woodside.com.au (Coe, Colin C. (Unix Engineer)) Date: Thu, 29 Mar 2007 08:20:41 +0800 Subject: [Fedora-directory-users] Failover between masters Message-ID:

Hi all

We are currently using Sun's Directory server and have had some problems with clients failing over to the other master if one fails. The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.

/etc/ldap.conf
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
scope sub
timelimit 5
bind_timelimit 3
ssl on
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberUid
pam_password crypt
idle_timelimit 3600

/etc/openldap/ldap.conf
BASE o=unix,dc=company,dc=com
HOST ldap1.company.com ldap2.company.com
PORT 636
SASL_SECPROPS "noanonymous,noplain"
SIZELIMIT 0
TIMELIMIT 0
DEREF never
TLS_CACERT /etc/ssl/ldap/cacert.pem
TLS_REQCERT demand

We're using the bog standard nscd daemons provided by the OS vendors. We also use IDSync to synchronise user passwords from AD to LDAP but not from LDAP to AD.

What we're finding is if ldap1 dies for some reason, the clients don't failover to ldap2.

We don't know if the problem is client side or server side. Would Fedora Directory Server, set up in a similar manner, also not failover properly?

While we're prepared to look at Fed DS, there is a feeling that it too will behave in the same manner, given they are both forks of the same project.

Comments?

Thanks

CC

NOTICE: This email and any attachments are confidential. They may contain legally privileged information or copyright material. You must not read, copy, use or disclose them without authorisation. If you are not an intended recipient, please contact us at once by return email and then delete both messages and all attachments.

From rmeggins at redhat.com Thu Mar 29 00:26:16 2007
From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 28 Mar 2007 18:26:16 -0600 Subject: [Fedora-directory-users] Failover between masters In-Reply-To: References: Message-ID: <460B07A8.8000706@redhat.com>

Coe, Colin C. (Unix Engineer) wrote:
>
> Hi all
>
> We are currently using Sun's Directory server and have had some
> problems with clients failing over to the other master if one fails.
> The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the
> Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.
>
> /etc/ldap.conf
> host 1.1.1.1 2.2.2.2
> port 636
> ldap_version 3
> base o=unix,dc=company,dc=com
> scope sub
> timelimit 5
> bind_timelimit 3
> ssl on
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_password crypt
> idle_timelimit 3600
>
> /etc/openldap/ldap.conf
> BASE o=unix,dc=company,dc=com
> HOST ldap1.company.com ldap2.company.com
> PORT 636
> SASL_SECPROPS "noanonymous,noplain"
> SIZELIMIT 0
> TIMELIMIT 0
> DEREF never
> TLS_CACERT /etc/ssl/ldap/cacert.pem
> TLS_REQCERT demand
>
> We're using the bog standard nscd daemons provided by the OS vendors.
> We also use IDSync to synchronise user passwords from AD to LDAP but
> not from LDAP to AD.
>
> What we're finding is if ldap1 dies for some reason, the clients don't
> failover to ldap2.
>
> We don't know if the problem is client side or server side. Would
> Fedora Directory Server, set up in a similar manner, also not failover
> properly?
>
It wouldn't make any difference. I'm pretty sure failover is a property of the client. Are you sure you have the multiple hosts configured correctly in your ldap.conf files?
>
> While we're prepared to look at Fed DS, there is a feeling that it too
> will behave in the same manner, given they are both forks of the same
> project.
>
> Comments?
>
> Thanks
>
> CC
>

From Colin.Coe at woodside.com.au Thu Mar 29 00:35:22 2007
From: Colin.Coe at woodside.com.au (Coe, Colin C. (Unix Engineer)) Date: Thu, 29 Mar 2007 08:35:22 +0800 Subject: [Fedora-directory-users] Failover between masters In-Reply-To: <460B07A8.8000706@redhat.com> Message-ID:

See inline comments

> Coe, Colin C. (Unix Engineer) wrote:
> >
> > Hi all
> >
> > We are currently using Sun's Directory server and have had some
> > problems with clients failing over to the other master if one fails.
> > The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the
> > Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.
> >
> > /etc/ldap.conf
> > host 1.1.1.1 2.2.2.2
> > port 636
> > ldap_version 3
> > base o=unix,dc=company,dc=com
> > scope sub
> > timelimit 5
> > bind_timelimit 3
> > ssl on
> > pam_filter objectclass=posixAccount
> > pam_login_attribute uid
> > pam_member_attribute memberUid
> > pam_password crypt
> > idle_timelimit 3600
> >
> > /etc/openldap/ldap.conf
> > BASE o=unix,dc=company,dc=com
> > HOST ldap1.company.com ldap2.company.com
> > PORT 636
> > SASL_SECPROPS "noanonymous,noplain"
> > SIZELIMIT 0
> > TIMELIMIT 0
> > DEREF never
> > TLS_CACERT /etc/ssl/ldap/cacert.pem
> > TLS_REQCERT demand
> >
> > We're using the bog standard nscd daemons provided by the OS vendors.
> > We also use IDSync to synchronise user passwords from AD to LDAP but
> > not from LDAP to AD.
> >
> > What we're finding is if ldap1 dies for some reason, the clients don't
> > failover to ldap2.
> >
> > We don't know if the problem is client side or server side. Would
> > Fedora Directory Server, set up in a similar manner, also not failover
> > properly?
> >
> It wouldn't make any difference. I'm pretty sure failover is a property
> of the client. Are you sure you have the multiple hosts configured
> correctly in your ldap.conf files?

No, I'm not 100% sure that the clients are set right. My sanitised /etc/ldap.conf and /etc/openldap/ldap.conf are shown above. Can you suggest any improvements to them?

> >
> > While we're prepared to look at Fed DS, there is a feeling that it too
> > will behave in the same manner, given they are both forks of the same
> > project.
> >
> > Comments?
> >
> > Thanks
> >
> > CC

From gholbert at broadcom.com Thu Mar 29 00:33:39 2007
From: gholbert at broadcom.com (George Holbert) Date: Wed, 28 Mar 2007 17:33:39 -0700 Subject: [Fedora-directory-users] Failover between masters In-Reply-To: References: Message-ID: <460B0963.8080306@broadcom.com>

>
> What we're finding is if ldap1 dies for some reason, the clients don't
> failover to ldap2.
>
> We don't know if the problem is client side or server side.
>
When ldap1 dies, do you see any activity in ldap2's access log? If not, you know the clients aren't making the switch to ldap2.

On one of your Linux LDAP clients, try doing this while ldap1 is down:

# service nscd stop
# strace getent passwd

Among the tons of output should be some indication of what LDAP servers are being tried.

Coe, Colin C. (Unix Engineer) wrote:
>
> Hi all
>
> We are currently using Sun's Directory server and have had some
> problems with clients failing over to the other master if one fails.
> The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the
> Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.
>
> /etc/ldap.conf
> host 1.1.1.1 2.2.2.2
> port 636
> ldap_version 3
> base o=unix,dc=company,dc=com
> scope sub
> timelimit 5
> bind_timelimit 3
> ssl on
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_password crypt
> idle_timelimit 3600
>
> /etc/openldap/ldap.conf
> BASE o=unix,dc=company,dc=com
> HOST ldap1.company.com ldap2.company.com
> PORT 636
> SASL_SECPROPS "noanonymous,noplain"
> SIZELIMIT 0
> TIMELIMIT 0
> DEREF never
> TLS_CACERT /etc/ssl/ldap/cacert.pem
> TLS_REQCERT demand
>
> We're using the bog standard nscd daemons provided by the OS vendors.
> We also use IDSync to synchronise user passwords from AD to LDAP but
> not from LDAP to AD.
>
> What we're finding is if ldap1 dies for some reason, the clients don't
> failover to ldap2.
>
> We don't know if the problem is client side or server side. Would
> Fedora Directory Server, set up in a similar manner, also not failover
> properly? While we're prepared to look at Fed DS, there is a feeling
> that it too will behave in the same manner, given they are both forks
> of the same project.
>
> Comments?
>
> Thanks
>
> CC
>

From rmeggins at redhat.com Thu Mar 29 01:09:32 2007
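An added example (editor's, not code from this thread or from nss_ldap) that does programmatically what George's strace suggestion shows by hand: walk the `host` list from /etc/ldap.conf in order with the configured bind_timelimit and report how each server fails. The distinction it makes is the one that usually explains "failover doesn't work": a host that is up but has no slapd answers with a TCP reset and the client moves on at once, whereas a host that is powered off or firewalled drops the SYN, so every lookup on the client first sits through the full bind_timelimit against the dead server before trying the next one. The ldap.conf text is a constructed copy of the relevant lines posted above, and demo_local_failover() builds a dead/live pair of ports on 127.0.0.1 so the block runs offline.

```python
"""Walk a client's LDAP server list the way nss_ldap/pam_ldap do and report
where failover stalls.

Added example (editor's); not code from the thread or from nss_ldap.
SAMPLE_LDAP_CONF is a constructed copy of the lines posted in this thread and
demo_local_failover() is a constructed scenario on the loopback interface."""
import socket

SAMPLE_LDAP_CONF = """\
host 1.1.1.1 2.2.2.2
port 636
ldap_version 3
base o=unix,dc=company,dc=com
bind_timelimit 3
ssl on
"""


def parse_ldap_conf(text):
    """Return (targets, bind_timelimit). targets is the ordered list of
    (host, port) the client will try; defaults mirror nss_ldap's (389, 10s)."""
    hosts, port, bind_timelimit = [], 389, 10
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            hosts = value.split()
        elif key == "port":
            port = int(value)
        elif key == "bind_timelimit":
            bind_timelimit = int(value)
    return [(h, port) for h in hosts], bind_timelimit


def probe(targets, timeout):
    """Try each (host, port) in order with a connect timeout, as the client
    library does for every lookup once its current server is gone.
    Returns (first reachable target or None, [(target, outcome), ...])."""
    outcomes = []
    for target in targets:
        try:
            with socket.create_connection(target, timeout=timeout):
                outcomes.append((target, "connected"))
                return target, outcomes
        except socket.timeout:
            # No RST came back: a powered-off host or a dropping firewall costs
            # the whole timeout here, and does so again on the next lookup.
            outcomes.append((target, "timeout after %ss" % timeout))
        except OSError as exc:
            # Connection refused (host up, slapd down) fails immediately.
            outcomes.append((target, "failed: %s" % exc.__class__.__name__))
    return None, outcomes


def demo_local_failover():
    """Constructed scenario: first 'server' is a loopback port with no listener,
    second has one. Returns which target the client ends up on."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]
    tmp.close()                              # nothing listens on dead_port now

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    live_port = listener.getsockname()[1]
    try:
        chosen, outcomes = probe(
            [("127.0.0.1", dead_port), ("127.0.0.1", live_port)], timeout=2)
    finally:
        listener.close()
    return {"chosen": chosen, "live_port": live_port, "outcomes": outcomes}


if __name__ == "__main__":
    targets, bind_timelimit = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print("client will try, in order:", targets, "with bind_timelimit", bind_timelimit)
    for target, outcome in demo_local_failover()["outcomes"]:
        print(target, "->", outcome)
```

To see the real client do the same thing, `strace -e trace=connect getent passwd` (with nscd stopped, as George says) shows each connect() in order and how long it blocks. If the dead server's connects are timing out rather than being refused, the knobs in nss_ldap's /etc/ldap.conf are `bind_timelimit` (per-host connect/bind wait), `bind_policy soft` (return failure instead of retrying the whole list) and the `nss_reconnect_*` settings; leaving nscd running also hides most of the stall for cached entries, which is why Steve's load-balancer approach later in the thread sidesteps the problem entirely.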
From: rmeggins at redhat.com (Richard Megginson) Date: Wed, 28 Mar 2007 19:09:32 -0600 Subject: [Fedora-directory-users] Failover between masters In-Reply-To: References: Message-ID: <460B11CC.2090802@redhat.com>

Coe, Colin C. (Unix Engineer) wrote:
> See inline comments
>
>> Coe, Colin C. (Unix Engineer) wrote:
>>> Hi all
>>>
>>> We are currently using Sun's Directory server and have had some
>>> problems with clients failing over to the other master if one fails.
>>> The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the
>>> Sun Directory servers are both Solaris 9 (SPARC) running Directory One 5.1.
>>>
>>> /etc/ldap.conf
>>> host 1.1.1.1 2.2.2.2
>>> port 636
>>> ldap_version 3
>>> base o=unix,dc=company,dc=com
>>> scope sub
>>> timelimit 5
>>> bind_timelimit 3
>>> ssl on
>>> pam_filter objectclass=posixAccount
>>> pam_login_attribute uid
>>> pam_member_attribute memberUid
>>> pam_password crypt
>>> idle_timelimit 3600
>>>
>>> /etc/openldap/ldap.conf
>>> BASE o=unix,dc=company,dc=com
>>> HOST ldap1.company.com ldap2.company.com
>>> PORT 636
>>> SASL_SECPROPS "noanonymous,noplain"
>>> SIZELIMIT 0
>>> TIMELIMIT 0
>>> DEREF never
>>> TLS_CACERT /etc/ssl/ldap/cacert.pem
>>> TLS_REQCERT demand
>>>
>>> We're using the bog standard nscd daemons provided by the OS vendors.
>>> We also use IDSync to synchronise user passwords from AD to LDAP but
>>> not from LDAP to AD.
>>>
>>> What we're finding is if ldap1 dies for some reason, the clients don't
>>> failover to ldap2.
>>>
>>> We don't know if the problem is client side or server side. Would
>>> Fedora Directory Server, set up in a similar manner, also not failover
>>> properly?
>>>
>> It wouldn't make any difference. I'm pretty sure failover is a property
>> of the client. Are you sure you have the multiple hosts configured
>> correctly in your ldap.conf files?
>>
>
> No, I'm not 100% sure that the clients are set right. My sanitised
> /etc/ldap.conf and /etc/openldap/ldap.conf are shown above. Can you suggest
> any improvements to them?
>
I don't know. I'm not familiar with failover configuration.
>
>>> While we're prepared to look at Fed DS, there is a feeling that it too
>>> will behave in the same manner, given they are both forks of the same
>>> project.
>>>
>>> Comments?
>>>
>>> Thanks
>>>
>>> CC
>>>
>

From vsi at ebi.ac.uk Thu Mar 29 11:18:25 2007
From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Thu, 29 Mar 2007 12:18:25 +0100 (BST) Subject: [Fedora-directory-users] db_verify Message-ID:

After I import about 1400 accounts to a new database (ebiRoot, People subtree), I get a lot of errors when I run verify-db.pl (slapd has been stopped):

Verify log files in db ... Good
Verify db/ebiRoot/uid.db4 ... Good
Verify db/ebiRoot/mail.db4 ...
DB ERROR: db_verify: Page 37: out-of-order key at entry 247
DB ERROR: db_verify: Page 37: out-of-order key at entry 503
...

Same error for ancestorid.db4, objectclass.db4, parentid.db4, cn.db4, givenName.db4 and sn.db4.

I have run db2index and re-run verify-db.pl but I don't see any difference. Here is what db2index says about ebiRoot:

[29/Mar/2007:12:04:26 +0100] upgrade DB - ebiRoot: Start upgradedb.
[29/Mar/2007:12:04:26 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[29/Mar/2007:12:04:26 +0100] - import ebiRoot: Index buffering enabled with bucket size 100
[29/Mar/2007:12:04:27 +0100] - import ebiRoot: Workers finished; cleaning up...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Workers cleaned up.
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Cleaning up producer thread...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Indexing complete. Post-processing...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Flushing caches...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Closing files...
[29/Mar/2007:12:04:29 +0100] - import ebiRoot: Import complete. Processed 1424 entries in 3 seconds. (474.67 entries/sec)

Does that WARNING "No other process is allowed to access the database" mean something is wrong? How can I locate those "out-of-order keys" that db_verify lists?
I tried with dbscan but I don't think I'm giving the right entry id:

$ ./dbscan -K 247 -f db/ebiRoot/mail.db4
Can't set cursor to returned item: DB_NOTFOUND: No matching key/data pair found

Is there a way to find out which entries are causing the problem? Can there be illegal characters in the entries? If I import a considerably smaller set of entries (120), I get no errors. I noticed there was a similar thread here but no conclusion: http://www.mail-archive.com/fedora-directory-users at redhat.com/msg04461.html

Sorry for so many questions, I've spent a couple of days trying to solve the problem.

If I delete a database with the Console, it leaves behind a couple of index files:

-rw------- 1 w3secure systems 16384 Mar 28 17:05 ancestorid.db4
-rw------- 1 w3secure systems    18 Mar 28 17:03 DBVERSION
-rw------- 1 w3secure systems 32768 Mar 28 17:05 id2entry.db4

These index files don't seem to shrink when new entries are imported. dbscan still shows the deleted entries in id2entry. I noticed a problem when I import a small set of entries, delete the database, import a large set of entries, and then query the entries: I get the entries from the first set (they don't exist in the second set). I can reproduce the problem. If I delete ancestorid.db4 and id2entry.db4 manually when I delete the database, I don't have this problem. Is there a reason why those two files are not deleted? Or can this whole thing be caused by corrupted data?

Ville

From srigler at marathonoil.com Thu Mar 29 12:03:55 2007
From: srigler at marathonoil.com (Stephen C. Rigler) Date: Thu, 29 Mar 2007 07:03:55 -0500 Subject: [Fedora-directory-users] Failover between masters In-Reply-To: References: Message-ID: <1175169835.30729.4.camel@houuc8>

I've never seen it work adequately with RHEL 3 & 4 or Solaris 8 clients (Solaris 9 seems to work fine). We use Piranha (which also distributes the load nicely) to get around it.

-Steve

On Thu, 2007-03-29 at 08:20 +0800, Coe, Colin C. (Unix Engineer) wrote:
>
> Hi all
>
> We are currently using Sun's Directory server and have had some
> problems with clients failing over to the other master if one fails.
> The clients are a mixture of RHEL 3 WS and Solaris 8 (SPARC), and the
> Sun Directory servers are both Solaris 9 (SPARC) running Directory One
> 5.1.
>
> /etc/ldap.conf
> host 1.1.1.1 2.2.2.2
> port 636
> ldap_version 3
> base o=unix,dc=company,dc=com
> scope sub
> timelimit 5
> bind_timelimit 3
> ssl on
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute memberUid
> pam_password crypt
> idle_timelimit 3600
>
> /etc/openldap/ldap.conf
> BASE o=unix,dc=company,dc=com
> HOST ldap1.company.com ldap2.company.com
> PORT 636
> SASL_SECPROPS "noanonymous,noplain"
> SIZELIMIT 0
> TIMELIMIT 0
> DEREF never
> TLS_CACERT /etc/ssl/ldap/cacert.pem
> TLS_REQCERT demand
>
> We're using the bog standard nscd daemons provided by the OS vendors.
> We also use IDSync to synchronise user passwords from AD to LDAP but
> not from LDAP to AD.
>
> What we're finding is if ldap1 dies for some reason, the clients don't
> failover to ldap2.
>
> We don't know if the problem is client side or server side. Would
> Fedora Directory Server, set up in a similar manner, also not failover
> properly? While we're prepared to look at Fed DS, there is a feeling
> that it too will behave in the same manner, given they are both forks
> of the same project.
>
> Comments?
>
> Thanks
>
> CC
>

From ajs at th.ph.bham.ac.uk Thu Mar 29 15:09:00 2007
From: ajs at th.ph.bham.ac.uk (Andy Schofield) Date: Thu, 29 Mar 2007 16:09:00 +0100 Subject: [Fedora-directory-users] How to change password storage method? Message-ID: <20070329160900.64afc416@thpc30.ph.bham.ac.uk>

I must be missing something here but I tried following the instructions here http://www.csse.uwa.edu.au/~ashley/fedora-ds/fedora-ds-26072006.html but to no avail.

I want the passwords for all Users in People to be stored in md5. Everything I have done (like selecting a user and "Managing passwords") leaves them in SSHA, which is presumably some default.

My real problem is that clients are broadcasting passwords in the clear (despite pam being told to use md5 with ldap). I am assuming that is because the ldap server is using SSHA and pam is using md5 so they negotiate to send passwords in the clear. Does that sound right?

Thanks

Andy

From yoram.kahana at gmail.com Thu Mar 29 15:20:47 2007
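An added example (editor's, not code from this thread or from Fedora DS) separating the two things the previous message runs together: what the server stores in userPassword and what the client puts on the wire. {SSHA} (the Fedora DS default, passwordStorageScheme on cn=config) and {MD5} are storage formats the server uses to check a bind; nothing about them is negotiated with the client, and changing the scheme only affects passwords set from then on. A PAM/nss login is an LDAPv3 simple bind, whose password is an OCTET STRING carried verbatim, so without ldaps:// or StartTLS it is readable in a capture regardless of the storage scheme; in pam_ldap the `pam_password md5` setting only governs how a password change is written back, not how authentication happens. The hashing below follows the published {SSHA}/{MD5} formats and the bind PDU is built by hand from the RFC 4511 BER rules so the block runs offline; every DN and password in it is made up.

```python
"""Server-side userPassword schemes vs. the plaintext carried by a simple bind.

Added example (editor's); not code from the thread or from Fedora DS.
Storage formats follow the published {SSHA}/{MD5} conventions; the bind PDU
is hand-built BER per RFC 4511. All DNs and passwords are constructed."""
import base64
import hashlib
import hmac
import os


# ---- what the server stores --------------------------------------------------
def ssha_hash(password: str, salt: bytes = None) -> str:
    """{SSHA}: base64( SHA-1(password || salt) || salt ), random salt per password."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def md5_hash(password: str) -> str:
    """{MD5}: base64( MD5(password) ), unsalted, so equal passwords look equal."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def check_password(stored: str, candidate: str) -> bool:
    """What the server does with the plaintext it receives in a simple bind."""
    scheme, _, data = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(data)
    cand = candidate.encode()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(cand).digest(), raw)
    raise ValueError("unsupported scheme %r" % scheme)


# ---- what the client sends ---------------------------------------------------
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def simple_bind_request(dn: str, password: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name OCTET STRING, simple [0] OCTET STRING } }. The password field is the
    bytes as typed; only TLS underneath hides them."""
    assert 0 <= message_id < 0x80, "single-byte message ids only in this example"
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def password_visible_on_wire(pdu: bytes, password: str) -> bool:
    """What a packet capture of a non-TLS bind would show."""
    return password.encode() in pdu


if __name__ == "__main__":
    stored = ssha_hash("s3cret")
    print(stored, check_password(stored, "s3cret"), check_password(stored, "wrong"))
    pdu = simple_bind_request("uid=andy,ou=People,dc=example,dc=com", "s3cret")
    print(pdu.hex(), password_visible_on_wire(pdu, "s3cret"))
```

The consequence for the question above: switching passwordStorageScheme to MD5 would not change what the client transmits, and would replace a salted scheme with an unsalted one. What stops the plaintext appearing on the network is `ssl on`/port 636 or `ssl start_tls` in the client's ldap.conf with a CA the client can verify, as in the configurations posted earlier in this thread.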
From: yoram.kahana at gmail.com (Yoram Kahana) Date: Thu, 29 Mar 2007 17:20:47 +0200 Subject: [Fedora-directory-users] CA certificate format In-Reply-To: <460ABF83.1060106@redhat.com> References: <37d92a190703281217i17db4058kc4a12d09102c2afe@mail.gmail.com> <460ABF83.1060106@redhat.com> Message-ID: <37d92a190703290820y295cb056h8a13a09882cb8187@mail.gmail.com>

Hi Richard,

Indeed it solved one of the problems, I didn't hash the CA certificate on the client side. Now I am getting a new message:

TLS: *hostname does not match CN in peer certificate*

If I understand the meaning, the CN and the hostname are not identical, but that's not the situation now. I have also tried openssl s_client -debug -connect (the output is enclosed); it seems that through openssl it works fine. Where am I wrong? Can you see if you have any clue?

Great thanks

Yoram

On 3/28/07, Richard Megginson wrote:
>
> Yoram Kahana wrote:
> > Hi
> >
> > Does anyone have an idea on which format I should save the CA
> > certificate in the clients (for SSL communication)?
> > Is it PEM, DER, BER?
> It depends - what client are you trying to configure? Did you see this
> - http://directory.fedora.redhat.com/wiki/Howto:SSL#Configure_LDAP_clients
> >
> > Thanks in advance
> >
> > Yoram

-------------- next part --------------
openssl s_client -debug -connect r1-ows-07:636
CONNECTED(00000003)
write to 00675450 [00675F50] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00 ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 24 9c   ..............$.
0070 - 49 e8 7b b6 bf 6a 36 4a-4a f8 04 25 d9 b8 a7 8e   I.{..j6JJ..%....
0080 - 57 d7 67 c2 3a 6d 72 d0-d9 37 3f f5 ac 07         W.g.:mr..7?...
read from 00675450 [0067B4B0] (7 bytes => 7 (0x7))
0000 - 16 03 01 08 23 02                                 ....#.
0007 - 
read from 00675450 [0067B4B7] (2081 bytes => 1441 (0x5A1))
0000 - 00 46 03 01 00 28 82 f7-c8 e3 77 83 de 5f 86 53   .F...(....w.._.S
0010 - 5d 5a 76 33 04 fe bd a6-b8 02 ee 88 c4 bd e8 6c   ]Zv3...........l
0020 - 18 b9 ee f6 20 22 92 d7-0e b4 ae aa df c2 83 b7   .... "..........
0030 - 07 22 94 af 91 d8 2a 92-da 0c d6 3e d5 7a ee 8f   ."....*....>.z..
0040 - 7f 26 28 3a 56 00 35 00-0b 00 06 dd 00 06 da 00   .&(:V.5.........
0050 - 03 6e 30 82 03 6a 30 82-02 d3 a0 03 02 01 02 02   .n0..j0.........
0060 - 01 01 30 0d 06 09 2a 86-48 86 f7 0d 01 01 04 05   ..0...*.H.......
0070 - 00 30 81 83 31 0b 30 09-06 03 55 04 06 13 02 49   .0..1.0...U....I
0080 - 4c 31 0f 30 0d 06 03 55-04 08 13 06 49 73 72 61   L1.0...U....Isra
0090 - 65 6c 31 10 30 0e 06 03-55 04 07 13 07 54 65 6c   el1.0...U....Tel
00a0 - 41 76 69 76 31 11 30 0f-06 03 55 04 0a 13 08 4e   Aviv1.0...U....N
00b0 - 65 73 73 20 4c 74 64 31-0e 30 0c 06 03 55 04 0b   ess Ltd1.0...U..
00c0 - 13 05 4c 4d 41 44 53 31-0e 30 0c 06 03 55 04 03   ..LMADS1.0...U..
00d0 - 13 05 59 6f 72 61 6d 31-1e 30 1c 06 09 2a 86 48   ..Yoram1.0...*.H
00e0 - 86 f7 0d 01 09 01 16 0f-79 6f 72 61 6d 40 62 61   ........yoram@ba
00f0 - 6d 61 6d 2e 63 6f 6d 30-1e 17 0d 30 37 30 33 32   mam.com0...07032
0100 - 39 31 33 35 31 35 35 5a-17 0d 30 38 30 33 32 38   9135155Z..080328
0110 - 31 33 35 31 35 35 5a 30-5f 31 0b 30 09 06 03 55   135155Z0_1.0...U
0120 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13   ....IL1.0...U...
0130 - 06 49 73 72 61 65 6c 31-11 30 0f 06 03 55 04 0a   .Israel1.0...U..
0140 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03   ..Ness Ltd1.0...
0150 - 55 04 0b 13 05 4c 4d 41-44 53 31 1c 30 1a 06 03   U....LMADS1.0...
0160 - 55 04 03 13 13 72 31 2d-6f 77 73 2d 30 37 2e 72   U....r1-ows-07.r
0170 - 6f 63 61 66 2e 6f 72 67-30 81 9f 30 0d 06 09 2a   ocaf.org0..0...*
0180 - 86 48 86 f7 0d 01 01 01-05 00 03 81 8d 00 30 81   .H............0.
0190 - 89 02 81 81 00 c5 12 31-28 e2 de c6 4a 3d 59 7e   .......1(...J=Y~
01a0 - d8 f2 c4 5e ca 00 6a 08-52 c1 58 ce 3a 38 dc 58   ...^..j.R.X.:8.X
01b0 - 7d 0b c9 83 5d 9e 77 bc-09 9f c4 6e 5a 54 19 ff   }...].w....nZT..
01c0 - 7b 3f 14 6b 40 51 ed 42-ba 34 d8 89 49 07 21 2b   {?.k@Q.B.4..I.!+
01d0 - 89 4f bf 9c 5c 15 1b 61-03 1f 2f 95 b3 23 1b 6f   .O..\..a../..#.o
01e0 - c2 a9 a2 21 17 ab 62 10-ef 27 27 ae d8 46 84 4b   ...!..b..''..F.K
01f0 - 86 b6 f2 8d b1 3e 45 0d-16 1a 8e 99 90 6d a4 5e   .....>E......m.^
0200 - 6e 9a f6 f2 b5 d0 fb cb-c2 ec f0 a3 7a 5b 20 59   n...........z[ Y
0210 - 02 00 13 80 0f 02 03 01-00 01 a3 82 01 0f 30 82   ..............0.
0220 - 01 0b 30 09 06 03 55 1d-13 04 02 30 00 30 2c 06   ..0...U....0.0,.
0230 - 09 60 86 48 01 86 f8 42-01 0d 04 1f 16 1d 4f 70   .`.H...B......Op
0240 - 65 6e 53 53 4c 20 47 65-6e 65 72 61 74 65 64 20   enSSL Generated 
0250 - 43 65 72 74 69 66 69 63-61 74 65 30 1d 06 03 55   Certificate0...U
0260 - 1d 0e 04 16 04 14 f8 72-da cb af d2 d8 e1 18 17   .......r........
0270 - ec 9e 80 10 89 d1 13 07-a6 e3 30 81 b0 06 03 55   ..........0....U
0280 - 1d 23 04 81 a8 30 81 a5-80 14 26 9a 3c 03 60 32   .#...0....&.<.`2
0290 - a4 25 36 ce 56 ae 33 a1-30 45 e2 85 27 a2 a1 81   .%6.V.3.0E..'...
02a0 - 89 a4 81 86 30 81 83 31-0b 30 09 06 03 55 04 06   ....0..1.0...U..
02b0 - 13 02 49 4c 31 0f 30 0d-06 03 55 04 08 13 06 49   ..IL1.0...U....I
02c0 - 73 72 61 65 6c 31 10 30-0e 06 03 55 04 07 13 07   srael1.0...U....
02d0 - 54 65 6c 41 76 69 76 31-11 30 0f 06 03 55 04 0a   TelAviv1.0...U..
02e0 - 13 08 4e 65 73 73 20 4c-74 64 31 0e 30 0c 06 03   ..Ness Ltd1.0...
02f0 - 55 04 0b 13 05 4c 4d 41-44 53 31 0e 30 0c 06 03   U....LMADS1.0...
0300 - 55 04 03 13 05 59 6f 72-61 6d 31 1e 30 1c 06 09   U....Yoram1.0...
0310 - 2a 86 48 86 f7 0d 01 09-01 16 0f 79 6f 72 61 6d   *.H........yoram
0320 - 40 62 61 6d 61 6d 2e 63-6f 6d 82 01 00 30 0d 06   @bamam.com...0..
0330 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 03 81 81 00   .*.H............
0340 - 88 38 ad c8 e4 df c9 85-68 2f e6 8b d0 1f 37 fd   .8......h/....7.
0350 - c4 7d 0c ca 01 5f 58 fb-3d 00 d4 f0 d0 f3 fe bb   .}..._X.=.......
0360 - e5 7f e2 44 6f 8c 43 7a-9f cc d6 6b 85 40 9c 04   ...Do.Cz...k.@..
0370 - 22 20 28 32 bf f9 d9 a5-85 e3 62 7a fb e7 2c 54   " (2......bz..,T
0380 - 7a 45 bc b8 a9 4e ce 9e-9d 87 37 d0 06 4b 06 c7   zE...N....7..K..
0390 - 51 d4 27 c9 77 f7 e7 c2-2d ac 3d bb 4e 43 df 69   Q.'.w...-.=.NC.i
03a0 - b8 54 8c 80 4e 86 d7 a0-86 3a c2 a3 7d 15 ab 31   .T..N....:..}..1
03b0 - 3f 19 6a d7 09 bb 89 5b-ce 30 83 33 4c 7a bc 5c   ?.j....[.0.3Lz.\
03c0 - 00 03 66 30 82 03 62 30-82 02 cb a0 03 02 01 02   ..f0..b0........
03d0 - 02 01 00 30 0d 06 09 2a-86 48 86 f7 0d 01 01 04   ...0...*.H......
03e0 - 05 00 30 81 83 31 0b 30-09 06 03 55 04 06 13 02   ..0..1.0...U....
03f0 - 49 4c 31 0f 30 0d 06 03-55 04 08 13 06 49 73 72   IL1.0...U....Isr
0400 - 61 65 6c 31 10 30 0e 06-03 55 04 07 13 07 54 65   ael1.0...U....Te
0410 - 6c 41 76 69 76 31 11 30-0f 06 03 55 04 0a 13 08   lAviv1.0...U....
0420 - 4e 65 73 73 20 4c 74 64-31 0e 30 0c 06 03 55 04   Ness Ltd1.0...U.
0430 - 0b 13 05 4c 4d 41 44 53-31 0e 30 0c 06 03 55 04   ...LMADS1.0...U.
0440 - 03 13 05 59 6f 72 61 6d-31 1e 30 1c 06 09 2a 86   ...Yoram1.0...*.
0450 - 48 86 f7 0d 01 09 01 16-0f 79 6f 72 61 6d 40 62   H........yoram@b
0460 - 61 6d 61 6d 2e 63 6f 6d-30 1e 17 0d 30 37 30 33   amam.com0...0703
0470 - 32 39 31 33 35 31 33 34-5a 17 0d 30 38 30 33 32   29135134Z..08032
0480 - 38 31 33 35 31 33 34 5a-30 81 83 31 0b 30 09 06   8135134Z0..1.0..
0490 - 03 55 04 06 13 02 49 4c-31 0f 30 0d 06 03 55 04   .U....IL1.0...U.
04a0 - 08 13 06 49 73 72 61 65-6c 31 10 30 0e 06 03 55   ...Israel1.0...U
04b0 - 04 07 13 07 54 65 6c 41-76 69 76 31 11 30 0f 06   ....TelAviv1.0..
04c0 - 03 55 04 0a 13 08 4e 65-73 73 20 4c 74 64 31 0e   .U....Ness Ltd1.
04d0 - 30 0c 06 03 55 04 0b 13-05 4c 4d 41 44 53 31 0e   0...U....LMADS1.
04e0 - 30 0c 06 03 55 04 03 13-05 59 6f 72 61 6d 31 1e   0...U....Yoram1.
04f0 - 30 1c 06 09 2a 86 48 86-f7 0d 01 09 01 16 0f 79   0...*.H........y
0500 - 6f 72 61 6d 40 62 61 6d-61 6d 2e 63 6f 6d 30 81   oram@bamam.com0.
0510 - 9f 30 0d 06 09 2a 86 48-86 f7 0d 01 01 01 05 00   .0...*.H........
0520 - 03 81 8d 00 30 81 89 02-81 81 00 a1 9c f4 b7 8b   ....0...........
0530 - 80 35 c5 b7 60 73 da bb-01 7d 33 36 74 1f 67 5d   .5..`s...}36t.g]
0540 - eb ff b5 ca 79 1a 1b 3a-9d ce da 62 4c c8 19 0b   ....y..:...bL...
0550 - 80 e0 7c 4a 4f bb 8f 59-05 b7 a8 c2 ae 5b fe 7c   ..|JO..Y.....[.|
0560 - 74 91 e5 cf d3 54 3b 4e-88 24 50 84 24 b2 16 d8   t....T;N.$P.$...
0570 - 9c 1d bd 8c 31 8b d7 28-df 06 24 a8 e1 76 b7 72   ....1..(..$..v.r
0580 - ee 37 75 e2 89 84 b7 ed-51 76 2c b3 1a eb 6c 5c   .7u.....Qv,...l\
0590 - 64 87 7d 3a 12 39 4b c0-23 fa a8 63 0e a0 77 c8   d.}:.9K.#..c..w.
05a0 - 4d                                                M
read from 00675450 [0067BA58] (640 bytes => 640 (0x280))
0000 - 9c b7 59 cc 06 a3 ad 79-6c 53 02 03 01 00 01 a3   ..Y....ylS......
0010 - 81 e3 30 81 e0 30 1d 06-03 55 1d 0e 04 16 04 14   ..0..0...U......
0020 - 26 9a 3c 03 60 32 a4 25-36 ce 56 ae 33 a1 30 45   &.<.`2.%6.V.3.0E
0030 - e2 85 27 a2 30 81 b0 06-03 55 1d 23 04 81 a8 30   ..'.0....U.#...0
0040 - 81 a5 80 14 26 9a 3c 03-60 32 a4 25 36 ce 56 ae   ....&.<.`2.%6.V.
0050 - 33 a1 30 45 e2 85 27 a2-a1 81 89 a4 81 86 30 81   3.0E..'.......0.
0060 - 83 31 0b 30 09 06 03 55-04 06 13 02 49 4c 31 0f   .1.0...U....IL1.
0070 - 30 0d 06 03 55 04 08 13-06 49 73 72 61 65 6c 31   0...U....Israel1
0080 - 10 30 0e 06 03 55 04 07-13 07 54 65 6c 41 76 69   .0...U....TelAvi
0090 - 76 31 11 30 0f 06 03 55-04 0a 13 08 4e 65 73 73   v1.0...U....Ness
00a0 - 20 4c 74 64 31 0e 30 0c-06 03 55 04 0b 13 05 4c    Ltd1.0...U....L
00b0 - 4d 41 44 53 31 0e 30 0c-06 03 55 04 03 13 05 59   MADS1.0...U....Y
00c0 - 6f 72 61 6d 31 1e 30 1c-06 09 2a 86 48 86 f7 0d   oram1.0...*.H...
00d0 - 01 09 01 16 0f 79 6f 72-61 6d 40 62 61 6d 61 6d   .....yoram@bamam
00e0 - 2e 63 6f 6d 82 01 00 30-0c 06 03 55 1d 13 04 05   .com...0...U....
00f0 - 30 03 01 01 ff 30 0d 06-09 2a 86 48 86 f7 0d 01   0....0...*.H....
0100 - 01 04 05 00 03 81 81 00-39 46 ea ff b6 f0 6f 69   ........9F....oi
0110 - e4 69 d5 bd a6 d5 86 be-a5 91 a2 53 46 75 db c6   .i.........SFu..
0120 - 5f 60 a1 f8 dc b2 54 27-d5 e6 d5 e1 ad d6 08 cd   _`....T'........
0130 - 42 5a 07 e7 e3 4f 0b 45-23 47 36 98 3e b1 be 09   BZ...O.E#G6.>...
0140 - 12 fe bc 50 e4 1a 93 6d-4a aa d5 56 f4 40 94 26   ...P...mJ..V.@.&
0150 - 69 b9 a1 21 3c 04 46 17-84 4b 96 88 1c 20 9b 9a   i..!<.F..K... ..
0160 - 5b 6d 33 d6 4d ce 64 1d-15 85 78 3c 2a 1f 33 38   [m3.M.d...x<*.38
0170 - 96 39 58 39 88 ba 36 cc-af ce 8c 40 fc 45 5a b1   .9X9..6....@.EZ.
0180 - 65 ba 8c 15 24 d1 52 b6-0d 00 00 f0 02 01 02 00   e...$.R.........
0190 - eb 00 61 30 5f 31 0b 30-09 06 03 55 04 06 13 02   ..a0_1.0...U....
01a0 - 55 53 31 20 30 1e 06 03-55 04 0a 13 17 52 53 41   US1 0...U....RSA
01b0 - 20 44 61 74 61 20 53 65-63 75 72 69 74 79 2c 20    Data Security, 
01c0 - 49 6e 63 2e 31 2e 30 2c-06 03 55 04 0b 13 25 53   Inc.1.0,..U...%S
01d0 - 65 63 75 72 65 20 53 65-72 76 65 72 20 43 65 72   ecure Server Cer
01e0 - 74 69 66 69 63 61 74 69-6f 6e 20 41 75 74 68 6f   tification Autho
01f0 - 72 69 74 79 00 86 30 81-83 31 0b 30 09 06 03 55   rity..0..1.0...U
0200 - 04 06 13 02 49 4c 31 0f-30 0d 06 03 55 04 08 13   ....IL1.0...U...
0210 - 06 49 73 72 61 65 6c 31-10 30 0e 06 03 55 04 07   .Israel1.0...U..
0220 - 13 07 54 65 6c 41 76 69-76 31 11 30 0f 06 03 55   ..TelAviv1.0...U
0230 - 04 0a 13 08 4e 65 73 73-20 4c 74 64 31 0e 30 0c   ....Ness Ltd1.0.
0240 - 06 03 55 04 0b 13 05 4c-4d 41 44 53 31 0e 30 0c   ..U....LMADS1.0.
0250 - 06 03 55 04 03 13 05 59-6f 72 61 6d 31 1e 30 1c   ..U....Yoram1.0.
0260 - 06 09 2a 86 48 86 f7 0d-01 09 01 16 0f 79 6f 72   ..*.H........yor
0270 - 61 6d 40 62 61 6d 61 6d-2e 63 6f 6d 0e            am@bamam.com.
0280 - 
depth=1 /C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
write to 00675450 [00687150] (12 bytes => 12 (0xC))
0000 - 16 03 01 00 07 0b 00 00-03                        .........
000c - 
write to 00675450 [00687150] (139 bytes => 139 (0x8B))
0000 - 16 03 01 00 86 10 00 00-82 00 80 37 d0 c6 7a 6b   ...........7..zk
0010 - 54 18 16 df d0 6f 90 8f-b1 8a 45 45 7f 15 47 04   T....o....EE..G.
0020 - 10 ba 23 1a f9 f7 54 50-05 ee 4c e9 79 fe 31 1a   ..#...TP..L.y.1.
0030 - e2 c1 4a e9 f5 e2 b9 e1-d5 17 e6 e8 28 a9 ee 76   ..J.........(..v
0040 - b9 ce 5f 59 68 62 a3 8c-07 ee e0 0e 91 b4 df 0d   .._Yhb..........
0050 - 71 9b ce 38 d2 4b 3d d9-c4 1f e9 74 0e 96 c5 cb   q..8.K=....t....
0060 - d3 12 57 6c 9a 0c 3b fd-83 3a e4 fd a6 2a ee 8c   ..Wl..;..:...*..
0070 - e1 67 eb d2 11 3b 6a 03-9c a0 73 38 10 76 89 f0   .g...;j...s8.v..
0080 - 81 03 dd 91 4d 43 7d 99-f4 a4 b6                  ....MC}....
write to 00675450 [00687150] (6 bytes => 6 (0x6))
0000 - 14 03 01 00 01 01                                 ......
write to 00675450 [00687150] (53 bytes => 53 (0x35))
0000 - 16 03 01 00 30 09 40 51-48 34 87 0b 53 20 ff 0d   ....0.@QH4..S ..
0010 - 2f 7c 96 04 a6 cc 0d bf-4a 76 b1 4e 4d bb fa 39   /|......Jv.NM..9
0020 - 4b 60 6e 47 3e 87 41 77-9c a2 e3 7b 1b 36 0e 9e   K`nG>.Aw...{.6..
0030 - c6 4c 74 eb 7a                                    .Lt.z
read from 00675450 [0067B4B0] (5 bytes => 5 (0x5))
0000 - 14 03 01 00 01                                    .....
read from 00675450 [0067B4B5] (1 bytes => 1 (0x1))
0000 - 01                                                .
read from 00675450 [0067B4B0] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30                                    ....0
read from 00675450 [0067B4B5] (48 bytes => 48 (0x30))
0000 - 75 da a7 8d 28 fb 5d c1-b5 04 0a 9e c1 00 d1 19   u...(.].........
0010 - 9f 74 ff 44 38 4b f3 57-73 e7 f4 0f d1 8b 9c a5   .t.D8K.Ws.......
0020 - 92 39 22 4d 7e 78 c9 66-ff d4 48 81 8a 15 2b e1   .9"M~x.f..H...+.
---
Certificate chain
 0 s:/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org
   i:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
 1 s:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
   i:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDajCCAtOgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgzELMAkGA1UEBhMCSUwx
DzANBgNVBAgTBklzcmFlbDEQMA4GA1UEBxMHVGVsQXZpdjERMA8GA1UEChMITmVz
cyBMdGQxDjAMBgNVBAsTBUxNQURTMQ4wDAYDVQQDEwVZb3JhbTEeMBwGCSqGSIb3
DQEJARYPeW9yYW1AYmFtYW0uY29tMB4XDTA3MDMyOTEzNTE1NVoXDTA4MDMyODEz
NTE1NVowXzELMAkGA1UEBhMCSUwxDzANBgNVBAgTBklzcmFlbDERMA8GA1UEChMI
TmVzcyBMdGQxDjAMBgNVBAsTBUxNQURTMRwwGgYDVQQDExNyMS1vd3MtMDcucm9j
YWYub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEjEo4t7GSj1Zftjy
xF7KAGoIUsFYzjo43Fh9C8mDXZ53vAmfxG5aVBn/ez8Ua0BR7UK6NNiJSQchK4lP
v5xcFRthAx8vlbMjG2/CqaIhF6tiEO8nJ67YRoRLhrbyjbE+RQ0WGo6ZkG2kXm6a
9vK10PvLwuzwo3pbIFkCABOADwIDAQABo4IBDzCCAQswCQYDVR0TBAIwADAsBglg
hkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0O
BBYEFPhy2suv0tjhGBfsnoAQidETB6bjMIGwBgNVHSMEgagwgaWAFCaaPANgMqQl
Ns5WrjOhMEXihSeioYGJpIGGMIGDMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNy
YWVsMRAwDgYDVQQHEwdUZWxBdml2MREwDwYDVQQKEwhOZXNzIEx0ZDEOMAwGA1UE
CxMFTE1BRFMxDjAMBgNVBAMTBVlvcmFtMR4wHAYJKoZIhvcNAQkBFg95b3JhbUBi
YW1hbS5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEAiDityOTfyYVoL+aL0B83/cR9
DMoBX1j7PQDU8NDz/rvlf+JEb4xDep/M1muFQJwEIiAoMr/52aWF42J6++csVHpF
vLipTs6enYc30AZLBsdR1CfJd/fnwi2sPbtOQ99puFSMgE6G16CGOsKjfRWrMT8Z
atcJu4lbzjCDM0x6vFw=
-----END CERTIFICATE-----
subject=/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org
issuer=/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
---
Acceptable client certificate CA names
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
---
SSL handshake has read 2147 bytes and written 352 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 2292D70EB4AEAADFC283B7072294AF91D82A92DA0CD63ED57AEE8F7F26283A56
    Session-ID-ctx: 
    Master-Key: 5D9CC7C076BF70BBAECB1BC1588E666C75EB12956F231AF9B3E2F3F4E164AF7BFEEAC912F7482E286F9C819F199FB3E1
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1175181192
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

From stephane.armanet at ch-st-julien.fr Thu Mar 29 15:57:22 2007
From: stephane.armanet at ch-st-julien.fr (Stephane ARMANET)
Date: Thu, 29 Mar 2007 17:57:22 +0200
Subject: [Fedora-directory-users] samba CTRL ALT DEL password sync problem
Message-ID: <460BE1E2.3090805@ch-st-julien.fr>

From ajs at th.ph.bham.ac.uk Thu Mar 29 16:28:40 2007
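The s_client output above (the post that ends with "Verify return code: 19") is easier to act on if the summary block is read mechanically. The checker below is an added example and is not part of that post or of Fedora DS: it parses the "Certificate chain", "Server public key" and "Verify return code" lines, reports that the chain ends in a self-signed certificate the client did not trust (verify code 19, which is fixed by handing the CA certificate to the client with -CAfile, not by disabling verification) and flags the key size. SAMPLE is a shortened copy of the post's summary embedded so the script runs offline; the 2048-bit minimum is this example's assumption.

```python
"""Added example; not part of the list post above. A small checker for the
summary that `openssl s_client -showcerts` prints after the hex dump:
the "Certificate chain" block, "Server public key is N bit" and
"Verify return code". SAMPLE is a shortened copy of the summary from the
post, embedded so the script runs offline; the 2048-bit minimum is this
example's assumption, not something the post states."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
---
Certificate chain
 0 s:/C=IL/ST=Israel/O=Ness Ltd/OU=LMADS/CN=r1-ows-07.rocaf.org
   i:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
 1 s:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
   i:/C=IL/ST=Israel/L=TelAviv/O=Ness Ltd/OU=LMADS/CN=Yoram/emailAddress=yoram@bamam.com
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")
KEY_RE = re.compile(r"^Server public key is (\d+) bit")
CIPHER_RE = re.compile(r"^New, .*, Cipher is (\S+)")
VERIFY_RE = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)")


def parse_s_client(text: str) -> Dict:
    """Pull (subject, issuer) pairs, key size, cipher and verify code out of
    the summary block that follows s_client's hex dump."""
    chain: List[Tuple[str, str]] = []
    info: Dict = {"chain": chain, "key_bits": None, "cipher": None,
                  "verify_code": None, "verify_msg": None}
    subject: Optional[str] = None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
            continue
        m = KEY_RE.match(line)
        if m:
            info["key_bits"] = int(m.group(1))
            continue
        m = CIPHER_RE.match(line)
        if m:
            info["cipher"] = m.group(1)
            continue
        m = VERIFY_RE.match(line)
        if m:
            info["verify_code"] = int(m.group(1))
            info["verify_msg"] = m.group(2)
    return info


def assess(info: Dict, min_key_bits: int = 2048) -> List[Tuple[str, str]]:
    """Turn the parsed summary into (code, detail) findings."""
    findings: List[Tuple[str, str]] = []
    chain = info["chain"]
    if chain:
        top_subject, top_issuer = chain[-1]
        # A chain whose last certificate is its own issuer ends in a private
        # CA; the client has to be told to trust that CA explicitly.
        if top_subject == top_issuer:
            findings.append(("SELF_SIGNED_ANCHOR", top_subject))
    code = info["verify_code"]
    if code == 19:
        findings.append(("UNTRUSTED_CHAIN",
                         "verify code 19: give the client the CA certificate "
                         "(s_client -CAfile ca.pem, or the client's trust store); "
                         "do not work around it by disabling verification"))
    elif code not in (None, 0):
        findings.append(("VERIFY_FAILED",
                         "verify code %d: %s" % (code, info["verify_msg"])))
    if info["key_bits"] is not None and info["key_bits"] < min_key_bits:
        findings.append(("WEAK_KEY", "server key is %d bit, below %d"
                         % (info["key_bits"], min_key_bits)))
    return findings


if __name__ == "__main__":
    for code, detail in assess(parse_s_client(SAMPLE)):
        print(code, "-", detail)
```

Run against the post's summary it reports a self-signed anchor (the "Yoram" CA issued itself), verify code 19 for that anchor, and the 1024-bit server key; against output from a correctly trusted chain (verify code 0) it reports nothing.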
From: ajs at th.ph.bham.ac.uk (Andy Schofield)
Date: Thu, 29 Mar 2007 17:28:40 +0100
Subject: [Fedora-directory-users] How to change password storage method?
In-Reply-To: <20070329160900.64afc416@thpc30.ph.bham.ac.uk>
References: <20070329160900.64afc416@thpc30.ph.bham.ac.uk>
Message-ID: <20070329172840.033adce2@thpc30.ph.bham.ac.uk>

On Thu, 29 Mar 2007 16:09:00 +0100 Andy Schofield wrote:

> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing passwords")
> leaves them in SSHA which is presumably some default.

Sorry - found it in the manual
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672

> My real problem is that clients are broadcasting passwords in the
> clear (despite pam being told to use md5 with ldap). I am assuming
> that is because the ldap server is using SSHA and pam is using md5 so
> they negotiate to send passwords in the clear. Does that sound right?

However - it has not solved this problem. The password is still being
sent in the clear. I have /etc/ldap.conf including the line:

pam_password md5

I was hoping that it would ensure only hashed passwords would be sent to
the FDS server. Any other ideas how to fix this?

Andy

> Thanks
> Andy

From vsi at ebi.ac.uk Thu Mar 29 16:29:59 2007
From: vsi at ebi.ac.uk (Ville Silventoinen)
Date: Thu, 29 Mar 2007 17:29:59 +0100 (BST)
Subject: [Fedora-directory-users] How to change password storage method?
In-Reply-To: <20070329160900.64afc416@thpc30.ph.bham.ac.uk>
References: <20070329160900.64afc416@thpc30.ph.bham.ac.uk>
Message-ID: 

On Thu, 29 Mar 2007, Andy Schofield wrote:

> I want the passwords for all Users in People to be stored in md5.
> Everything I have done (like selecting a user and "Managing passwords")
> leaves them in SSHA which is presumably some default.

You can change the default password storage scheme by modifying the
cn=config passwordStorageScheme attribute. It should be in
slapd-HOST/config/dse.ldif (look for "dn: cn=config"); if not, you can add
the attribute. You can also change it in the Console:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1086306

I don't think it affects passwords already stored, only new entries.

Hope this helps.

Ville

From rspencer at auspicecorp.com Thu Mar 29 17:20:19 2007
From: rspencer at auspicecorp.com (Roger Spencer)
Date: Thu, 29 Mar 2007 13:20:19 -0400 (EDT)
Subject: [Fedora-directory-users] samba CTRL ALT DEL password sync problem
In-Reply-To: <460BE1E2.3090805@ch-st-julien.fr>
Message-ID: <674501563.7561175188819335.JavaMail.root@po1.auspiceinc.com>

Try changing:

ldap passwd sync = no
unix password sync = Yes

Works for me.

----- Original Message -----
From: "Stephane ARMANET"
To: Fedora-directory-users at redhat.com
Sent: Thursday, March 29, 2007 11:57:22 AM (GMT-0500) America/New_York
Subject: [Fedora-directory-users] samba CTRL ALT DEL password sync problem

Hello List

I am trying to configure samba working with FDS. It looks OK, I can
connect, but when a user tries to change his password using
CTRL + ALT + DEL from Windows, after typing the passwords it returns:
"current password or user's name is incorrect...."

The samba password is changed but not the userPassword attribute.

The logs of samba say:

[2007/03/19 12:28:51, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1574)
  ldapsam_modify_entry: LDAP Password could not be changed for user user1: Confidentiality required
  Operation requires a secure connection.
[2007/03/19 12:28:51, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1720)
  ldapsam_update_sam_account: failed to modify user with uid = user1, error: Operation requires a secure connection. (Success)
[2007/03/19 12:28:51, 0] libsmb/smbencrypt.c:decode_pw_buffer(539)
  decode_pw_buffer: incorrect password length (-1886846999).
[2007/03/19 12:28:51, 0] libsmb/smbencrypt.c:decode_pw_buffer(540)
  decode_pw_buffer: check that 'encrypt passwords = yes'

My smb.conf:

[global]
workgroup = TEST2DOM
netbios name = SERVADM
os level = 65
domain logons = yes
domain master = yes
local master = yes
security = user
encrypt passwords = true
pam password change = no

####### CONFIG LDAP ################
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -g 515 -c 'Machine Account' -s /bin/false %u
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel -r '%u'
add group script = /usr/sbin/smbldap-groupadd '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

# LDAP connection
passdb backend = ldapsam:ldap://ds.ch-st-julien.intra
ldap admin dn = uid=admin,dc=ch-st-julien,dc=fr
ldap suffix = dc=ch-st-julien,dc=fr
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
passwd chat debug = Yes
ldap passwd sync = yes
unix password sync = no
passwd program = /usr/bin/smbldap-passwd -u %U
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\spassword:* %n\n .

###### ACL management #######
nt acl support = yes
# inheritance handling
inherit acls = yes

Has anyone ever met this problem?

Thanks

--
ARMANET Stephane

From prowley at redhat.com Thu Mar 29 17:38:05 2007
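The Samba log in Stephane's post says what went wrong: Samba tried to rewrite userPassword itself over a plain ldap:// connection and the directory answered "Confidentiality required". Roger's workaround stops Samba from touching userPassword over LDAP and lets smbldap-passwd do it; the other way out is to give Samba a protected connection (an ldaps:// URI in passdb backend, or "ldap ssl = start tls", both standard smb.conf settings). The check below is an added example, not code from the thread or from Samba: it reads a [global] section and reports the combination that fails, and it also points out what Roger's settings leave unencrypted. POSTED is a trimmed copy of the posted smb.conf; the rule it encodes is the thread's observation, not a claim about which FDS setting enforces the requirement.

```python
"""Added example, not from the thread: a check for the smb.conf combination
that produced "Confidentiality required / Operation requires a secure
connection" in Stephane's Samba log (Samba rewriting userPassword over plain
ldap://), beside Roger's workaround and the TLS alternative. POSTED is a
trimmed copy of the thread's [global] section; the rule encoded here is the
thread's observation, not a statement about FDS's own policy settings."""
import configparser
import io
from typing import Dict, List, Tuple

POSTED = """\
[global]
workgroup = TEST2DOM
security = user
encrypt passwords = true
# LDAP connection
passdb backend = ldapsam:ldap://ds.ch-st-julien.intra
ldap admin dn = uid=admin,dc=ch-st-julien,dc=fr
ldap suffix = dc=ch-st-julien,dc=fr
ldap passwd sync = yes
unix password sync = no
passwd program = /usr/bin/smbldap-passwd -u %U
"""

# Roger's settings applied to the same file: Samba no longer modifies
# userPassword over LDAP; smbldap-passwd (passwd program) does it.
ROGER_FIX = (POSTED.replace("ldap passwd sync = yes", "ldap passwd sync = no")
                   .replace("unix password sync = no", "unix password sync = yes"))

# The alternative: keep ldap passwd sync but protect the connection.
TLS_FIX = POSTED.replace("ldapsam:ldap://", "ldapsam:ldaps://")


def load_global(text: str) -> Dict[str, str]:
    """Parse smb.conf [global]. '=' is the only delimiter so DN values and
    URIs containing ':' survive, and %-macros are left alone."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_file(io.StringIO(text))
    return {k.strip().lower(): v.strip() for k, v in cp.items("global")}


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def check_password_sync(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings about how password changes reach LDAP."""
    g = load_global(text)
    findings: List[Tuple[str, str]] = []
    backend = g.get("passdb backend", "")
    uri = backend.split(":", 1)[1] if backend.startswith("ldapsam:") else ""
    protected = (uri.startswith("ldaps://")
                 or g.get("ldap ssl", "").lower() == "start tls")
    sync_via_ldap = is_yes(g.get("ldap passwd sync", "no"))
    sync_via_program = is_yes(g.get("unix password sync", "no"))

    if uri.startswith("ldap://") and not protected and sync_via_ldap:
        findings.append(("PLAINTEXT_PASSWORD_MODIFY",
                         "ldap passwd sync = yes sends the new userPassword over "
                         "unprotected ldap://; a server that requires confidentiality "
                         "for that modify rejects it (the error in the Samba log)"))
    if sync_via_ldap and sync_via_program:
        findings.append(("DOUBLE_SYNC",
                         "both ldap passwd sync and unix password sync are on"))
    if sync_via_program and not g.get("passwd program"):
        findings.append(("NO_PASSWD_PROGRAM",
                         "unix password sync = yes needs a passwd program"))
    if uri and not protected:
        # The ldap admin dn credential is a simple bind; without TLS it
        # crosses the wire in clear on every Samba-to-directory connection.
        findings.append(("UNPROTECTED_LDAP",
                         "ldap admin dn binds in clear over %s" % uri))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("roger", ROGER_FIX), ("tls", TLS_FIX)):
        print(name, check_password_sync(conf))
```

Roger's settings clear the password-change error but still leave the ldap admin dn bind unencrypted; switching the backend URI to ldaps:// (or adding "ldap ssl = start tls") clears both.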
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 29 Mar 2007 10:38:05 -0700
Subject: [Fedora-directory-users] How to change password storage method?
In-Reply-To: <20070329172840.033adce2@thpc30.ph.bham.ac.uk>
References: <20070329160900.64afc416@thpc30.ph.bham.ac.uk> <20070329172840.033adce2@thpc30.ph.bham.ac.uk>
Message-ID: <460BF97D.2070304@redhat.com>

Andy Schofield wrote:
>> My real problem is that clients are broadcasting passwords in the
>> clear (despite pam being told to use md5 with ldap). I am assuming
>> that is because the ldap server is using SSHA and pam is using md5 so
>> they negotiate to send passwords in the clear. Does that sound right?
>
> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:

What you need is not a hashed password sent over the wire (which achieves
very little) but an encrypted transport using SSL, or SASL and kerberos.

--
Pete

From nhosoi at redhat.com Thu Mar 29 17:51:24 2007
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 29 Mar 2007 09:51:24 -0800
Subject: [Fedora-directory-users] db_verify
In-Reply-To: 
References: 
Message-ID: <460BFC9C.4010507@redhat.com>

Hello, Ville;

Ville Silventoinen wrote:
> After I import about 1400 accounts to a new database (ebiRoot, People
> subtree), I get a lot of errors when I run verify-db.pl (slapd has been
> stopped):
>
> Verify log files in db ... Good
> Verify db/ebiRoot/uid.db4 ... Good
> Verify db/ebiRoot/mail.db4 ...
> DB ERROR: db_verify: Page 37: out-of-order key at entry 247
> DB ERROR: db_verify: Page 37: out-of-order key at entry 503
> ...
>
> Same error for ancestorid.db4, objectclass.db4, parentid.db4, cn.db4,
> givenName.db4 and sn.db4.

How about id2entry.db4? Is it broken? (It's a primary db file.)

> I have run db2index and re-run verify-db.pl but I don't see any
> difference. Here is what db2index says about ebiRoot:
>
> [29/Mar/2007:12:04:26 +0100] upgrade DB - ebiRoot: Start upgradedb.
> [29/Mar/2007:12:04:26 +0100] - WARNING: Import is running with
> nsslapd-db-private-import-mem on; No other process is allowed to
> access the database
> [29/Mar/2007:12:04:26 +0100] - import ebiRoot: Index buffering enabled
> with bucket size 100
> [29/Mar/2007:12:04:27 +0100] - import ebiRoot: Workers finished;
> cleaning up...
> [29/Mar/2007:12:04:28 +0100] - import ebiRoot: Workers cleaned up.
> [29/Mar/2007:12:04:28 +0100] - import ebiRoot: Cleaning up producer
> thread...
> [29/Mar/2007:12:04:28 +0100] - import ebiRoot: Indexing complete.
> Post-processing...
> [29/Mar/2007:12:04:28 +0100] - import ebiRoot: Flushing caches...
> [29/Mar/2007:12:04:28 +0100] - import ebiRoot: Closing files...
> [29/Mar/2007:12:04:29 +0100] - import ebiRoot: Import complete.
> Processed 1424 entries in 3 seconds. (474.67 entries/sec)
>
> Does that WARNING "No other process is allowed to access the database"
> mean something is wrong?

No, that's just a warning not to access the backend ebiRoot.

> How can I locate those "out-of-order keys" the db_verify lists? I
> tried with dbscan but I don't think I'm giving the right entry id:

Right. 247 is the Berkeley DB's internal id.

> $ ./dbscan -K 247 -f db/ebiRoot/mail.db4
> Can't set cursor to returned item: DB_NOTFOUND: No matching key/data
> pair found

What happens if you just run dbscan for all the keys in mail.db4 (without
the -K option)? E.g.,

./dbscan -n -r db/ebiRoot/mail.db4

Do you get any errors?

> Is there a way to find out which entries are causing the problem? Can
> there be illegal characters in the entries?

Could it be possible to share your data with us? (sample data would be good.)

Thanks,
--noriko

> If I import a considerably smaller set of entries (120), I get no
> errors. I noticed there was a similar thread here but no conclusion:
>
> http://www.mail-archive.com/fedora-directory-users@redhat.com/msg04461.html
>
> Sorry for so many questions, I've spent a couple of days trying to solve
> the problem.
>
> If I delete a database with the Console, it leaves behind a couple of
> index files:
>
> -rw------- 1 w3secure systems 16384 Mar 28 17:05 ancestorid.db4
> -rw------- 1 w3secure systems    18 Mar 28 17:03 DBVERSION
> -rw------- 1 w3secure systems 32768 Mar 28 17:05 id2entry.db4
>
> These index files don't seem to shrink when new entries are imported.
> dbscan still shows the deleted entries in id2entry.
>
> I noticed a problem when I import a small set of entries, delete the
> database, import a large set of entries and if I query the entries, I
> get the entries from the first set (they don't exist in the second
> set). I can reproduce the problem. If I delete ancestorid.db4 and
> id2entry.db4 manually when I delete the database, I don't have this
> problem. Is there a reason why those two files are not deleted? Or can
> this whole thing be caused by corrupted data?
>
> Ville

From gholbert at broadcom.com Thu Mar 29 18:13:46 2007
From: gholbert at broadcom.com (George Holbert)
Date: Thu, 29 Mar 2007 11:13:46 -0700
Subject: [Fedora-directory-users] How to change password storage method?
In-Reply-To: <460BF97D.2070304@redhat.com>
References: <20070329160900.64afc416@thpc30.ph.bham.ac.uk> <20070329172840.033adce2@thpc30.ph.bham.ac.uk> <460BF97D.2070304@redhat.com>
Message-ID: <460C01DA.4000500@broadcom.com>

> However - it has not solved this problem. The password is still being
> sent in the clear. I have /etc/ldap.conf including the line:
>
> pam_password md5

pam_password controls how new passwords are hashed locally before updating
an account's password attribute, i.e. when someone changes their password.
If you want the hash setting on the server to always be honored, use
"pam_password clear". Comments from PADL's ldap.conf:

#  Do not hash the password at all; presume
#  the directory server will do it, if
#  necessary. This is the default.
#pam_password clear

Pete Rowley wrote:
> Andy Schofield wrote:
>>> My real problem is that clients are broadcasting passwords in the
>>> clear (despite pam being told to use md5 with ldap). I am assuming
>>> that is because the ldap server is using SSHA and pam is using md5 so
>>> they negotiate to send passwords in the clear. Does that sound right?
>>
>> However - it has not solved this problem. The password is still being
>> sent in the clear. I have /etc/ldap.conf including the line:
>
> What you need is not a hashed password sent over the wire (which
> achieves very little) but an encrypted transport using SSL, or SASL
> and kerberos.

From ajs at th.ph.bham.ac.uk Thu Mar 29 18:28:27 2007
From: ajs at th.ph.bham.ac.uk (Andy Schofield)
Date: Thu, 29 Mar 2007 19:28:27 +0100
Subject: [Fedora-directory-users] How to change password storage method?
In-Reply-To: <460BF97D.2070304@redhat.com>
References: <20070329160900.64afc416@thpc30.ph.bham.ac.uk> <20070329172840.033adce2@thpc30.ph.bham.ac.uk> <460BF97D.2070304@redhat.com>
Message-ID: <20070329192827.4474e41a@thpc30.ph.bham.ac.uk>

On Thu, 29 Mar 2007 10:38:05 -0700 Pete Rowley wrote:

>> However - it has not solved this problem. The password is still
>> being sent in the clear. I have /etc/ldap.conf including the line:
>
> What you need is not a hashed password sent over the wire (which
> achieves very little) but an encrypted transport using SSL, or SASL
> and kerberos.

Yes - I agree and I am working on getting SSL going. However, a hashed
password is better than nothing surely. Even NIS didn't send passwords in
the clear.

But I see that the /etc/ldap.conf line I have been playing with only
affects password updates and probably there is nothing I can do to
prevent clear passwords apart from SSL. (Just as George points out)

Thanks
Andy

> --
> Pete

From prowley at redhat.com Thu Mar 29 18:45:56 2007
From: prowley at redhat.com (Pete Rowley)
Date: Thu, 29 Mar 2007 11:45:56 -0700
Subject: [Fedora-directory-users] How to change password storage method?
In-Reply-To: <20070329192827.4474e41a@thpc30.ph.bham.ac.uk>
References: <20070329160900.64afc416@thpc30.ph.bham.ac.uk> <20070329172840.033adce2@thpc30.ph.bham.ac.uk> <460BF97D.2070304@redhat.com> <20070329192827.4474e41a@thpc30.ph.bham.ac.uk>
Message-ID: <460C0964.2080601@redhat.com>

Andy Schofield wrote:
> However, a hashed password is better than nothing surely. Even NIS
> didn't send passwords in the clear.

Not from the DS point of view - if it accepts a hashed password in the bind
then that is equivalent to the original password, so nothing is really
achieved. It /may/ delay the ability of an attacker to log in to a machine
using LDAP as the authentication mechanism, but md5 has known
vulnerabilities in that regard and cannot be recommended.

--
Pete

From Victor.Rodriguez at gribbles.com.au Thu Mar 29 23:17:30 2007
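Two things in the thread above are easy to show in code: what the {SSHA} value that Fedora DS writes by default (passwordStorageScheme on cn=config, per Ville's reply) actually contains, and Pete's point that a client which sends a pre-hashed password in a simple bind gains nothing, because whatever string reaches the server is the credential and can be replayed by anyone who captured it. The script below is an added example, not code from the thread or from Fedora DS. Its assumptions: new hashes use an 8-byte salt (verification accepts any salt length, which a server has to do for imported hashes), and the "pre-hashed" client sends hex md5, as in Andy's pam_password md5 setting.

```python
"""Added example, not from the list thread: the {SSHA} storage scheme that
Fedora DS uses by default, and a model of why sending a pre-hashed password
in a simple bind gains nothing (Pete Rowley's point above). Assumptions of
this example, not statements from the thread: new hashes get an 8-byte salt
(verification accepts any salt length), and the pre-hashed client sends
hex md5."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumption: 8-byte salt for new hashes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt); the salt is whatever
    follows the 20-byte SHA-1 digest, so any salt length verifies."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) < SHA1_LEN:
        raise ValueError("truncated {SSHA} value")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    digest, salt = ssha_parts(stored)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, recomputed)


def simple_bind(stored: str, presented: str) -> bool:
    """Server side of an LDAP simple bind: hash what arrived, compare.
    Whatever string the client sends is the credential as far as the
    server is concerned."""
    return ssha_verify(stored, presented)


def hashed_over_wire_gains_nothing(password: str) -> Dict[str, bool]:
    """Model the idea of binding with md5(password) instead of the password.
    For such binds to succeed the server must store a hash of the md5
    string, so the md5 string is the secret; a sniffer who captures it
    replays it and binds. The captured value is as good as the password."""
    wire_value = hashlib.md5(password.encode("utf-8")).hexdigest()  # assumption: hex md5
    stored = ssha_hash(wire_value)            # what the server would have to store
    legit = simple_bind(stored, wire_value)   # the real client binds
    captured = wire_value                     # the same bytes, read off the wire
    replay = simple_bind(stored, captured)    # attacker binds with them
    return {"legit_bind": legit, "replay_bind": replay}


if __name__ == "__main__":
    h = ssha_hash("correct horse")
    print(h, ssha_verify(h, "correct horse"), ssha_verify(h, "wrong"))
    print(hashed_over_wire_gains_nothing("correct horse"))
```

ssha_verify is the check to run offline against values exported from userPassword when auditing which scheme accounts actually use; hashed_over_wire_gains_nothing shows in two lines why George's and Pete's advice (leave pam_password clear, protect the transport) is the real fix.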
From: Victor.Rodriguez at gribbles.com.au (Victor Rodriguez)
Date: Fri, 30 Mar 2007 09:17:30 +1000
Subject: [Fedora-directory-users] Error : Critical extension unavailable
Message-ID: 

> Richard Megginson wrote:
> The Fedora DS chaining database (database link) uses the Proxy Auth
> control. I think you can disable this. Check the docs for the chaining
> database configuration. It may be that the console does not allow you
> to set this, but you can set it manually.
> http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf - search
> for nsProxiedAuthorization
> If there are other controls being sent by Fedora DS, you can disable
> those too - search for nsTransmittedControls in the above document.

Hi Richard:

I have disabled these controls but the problem still continues. This error
only happens with openldap, because when I connect to a Novell eDirectory
ldap server I get a different error: I don't have permissions to read the
database link.

Any idea?

Regards,

Victor Rodriguez
IT Technical Support Officer
System & Database Administrator

Attention: The information contained in this message and or attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any system and destroy any copies. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of The Gribbles Group. Thank You. Whilst every effort has been made to ensure that this e-mail message and any attachments are free from viruses, you should scan this message and any attachments. Under no circumstances do we accept liability for any loss or damage which may result from your receipt of this message or any attachment.
From diwakoe at gmail.com Fri Mar 30 02:34:43 2007
From: diwakoe at gmail.com (Diwakoe)
Date: Fri, 30 Mar 2007 10:34:43 +0800
Subject: [Fedora-directory-users] Suse client PAM setting
Message-ID: 

Dear all,

I'm new to using FDS. Right now the server is used as a Global Address
List for Thunderbird, and I want to expand it to central login with a
SUSE client. Could you please give me some hints on how to configure my
SUSE 10.1 client so it can log in using FDS on FC6?

Any help is appreciated.

Regards,
Diwa

From mvheukelom at van-boxtel-software.nl Fri Mar 30 08:17:51 2007
From: mvheukelom at van-boxtel-software.nl (Michiel van Heukelom - Van Boxtel Software BV)
Date: Fri, 30 Mar 2007 10:17:51 +0200
Subject: [Fedora-directory-users] Connect Active Directory to my LDAP
Message-ID: <005001c772a3$e8bf37f0$800101df@vbs.local>

I've got the Fedora LDAP service running; connecting from other Linux
servers is no problem. The next step is to synchronize the database to
Active Directory. Is there a way to keep my Fedora LDAP as a master
database and the AD server (W2003) as a member, so that I should only
configure my users on my LDAP server and not on my AD server?

Kind regards,

Michiel van Heukelom
Van Boxtel Software B.V.
Phone: +31 (0) 492 - 327 357
Fax: +31 (0) 492 - 324 326
E-mail: mvheukelom at van-boxtel-software.nl
Website: www.van-boxtel-software.nl

From labinfo.suporte at unifacs.br Fri Mar 30 14:59:59 2007
From: labinfo.suporte at unifacs.br (Paulo Estrela - Suporte LabInfo UNIFACS)
Date: Fri, 30 Mar 2007 11:59:59 -0300
Subject: [Fedora-directory-users] Connect Active Directory to my LDAP
References: <005001c772a3$e8bf37f0$800101df@vbs.local>
Message-ID: <001b01c772dc$16958de0$fc001cac@labinfo.unifacs.br>

Hi,

Did you enable SSL on FDS and AD? It must be enabled for sync to work.
Information is available on the FDS documentation page.

Paulo Estrela

----- Original Message -----
From: Michiel van Heukelom - Van Boxtel Software BV
To: fedora-directory-users at redhat.com
Sent: Friday, March 30, 2007 5:17 AM
Subject: [Fedora-directory-users] Connect Active Directory to my LDAP

> I've got the Fedora LDAP service running; connecting from other Linux
> servers is no problem. The next step is to synchronize the database to
> Active Directory. Is there a way to keep my Fedora LDAP as a master
> database and the AD server (W2003) as a member, so that I should only
> configure my users on my LDAP server and not on my AD server?
>
> Kind regards,
>
> Michiel van Heukelom
> Van Boxtel Software B.V.
> Phone: +31 (0) 492 - 327 357
> Fax: +31 (0) 492 - 324 326
> E-mail: mvheukelom at van-boxtel-software.nl
> Website: www.van-boxtel-software.nl

From joshkel at gmail.com Fri Mar 30 15:21:31 2007
From: joshkel at gmail.com (Josh Kelley)
Date: Fri, 30 Mar 2007 11:21:31 -0400
Subject: [Fedora-directory-users] Fedora Directory as a domain controller
In-Reply-To: <1175028522.6919.1.camel@CMH020831.healthcare>
References: <1175028522.6919.1.camel@CMH020831.healthcare>
Message-ID: <97cbd1a90703300821w222bafc2ua4f1a21b883215fc@mail.gmail.com>

On 3/27/07, Peter Biggerstaff wrote:
> Is it possible to use Fedora DS as a windows PDC? so I can manage windows
> and Linux clients from the same directory?

FDS by itself cannot serve as a Windows PDC; that's well outside the scope
of what it's designed to do. Samba is designed to serve as a (Windows NT
4-style) PDC. It needs to store information about Windows users and clients
somehow, and FDS makes an excellent backend for storing this data for
Samba. The Samba HOWTO Collection and Samba-3 By Example (both of which
are on Samba's web site) contain more information about how to set this up.

Josh Kelley

From augusto.rocha at augustschell.com Fri Mar 30 15:21:49 2007
From: augusto.rocha at augustschell.com (Alexandre Augusto da Rocha) Date: Fri, 30 Mar 2007 11:21:49 -0400 Subject: [Fedora-directory-users] Connect Active Directory to my LDAP In-Reply-To: <001b01c772dc$16958de0$fc001cac@labinfo.unifacs.br> References: <005001c772a3$e8bf37f0$800101df@vbs.local> <001b01c772dc$16958de0$fc001cac@labinfo.unifacs.br> Message-ID: <460D2B0D.2010802@augustschell.com>

This is not true. You don't need SSL if AD will be a true slave. SSL is only required if you want to allow users to change their passwords on AD and have that propagated to FDS.

-Auggy

Paulo Estrela - Suporte LabInfo UNIFACS wrote:
> Hi,
>
> Did you enable SSL on FDS and AD? It must be enabled for sync to work. Information is available on the FDS documentation page.
>
> Paulo Estrela
>
> ----- Original Message -----
> *From:* Michiel van Heukelom - Van Boxtel Software BV
> *To:* fedora-directory-users at redhat.com
> *Sent:* Friday, March 30, 2007 5:17 AM
> *Subject:* [Fedora-directory-users] Connect Active Directory to my LDAP
>
> I've got the Fedora LDAP service running; connecting from other Linux servers is no problem. The next step is to synchronize the database to Active Directory. Is there a way to keep my Fedora LDAP as a master database and the AD server (W2003) as a member, so that I should only configure my users on my LDAP server and not on my AD server?
>
> Kind regards,
>
> Michiel van Heukelom
> *Van Boxtel Software B.V.*
> Telephone: +31 (0) 492 - 327 357
> Fax: +31 (0) 492 - 324 326
> E-mail: mvheukelom at van-boxtel-software.nl
> Website: www.van-boxtel-software.nl

From joshkel at gmail.com Fri Mar 30 15:31:15 2007
From: joshkel at gmail.com (Josh Kelley) Date: Fri, 30 Mar 2007 11:31:15 -0400 Subject: [Fedora-directory-users] Failover between masters In-Reply-To: References: <460B07A8.8000706@redhat.com> Message-ID: <97cbd1a90703300831o72d7ebc6o29b04d6f10037dfa@mail.gmail.com>

On 3/28/07, Coe, Colin C. (Unix Engineer) wrote:
> No, I'm not 100% sure that the clients are set right. My sanitised /etc/ldap and /etc/openldap/ldap.conf are shown above. Can you suggest any improvements to them?

We're using RHEL 3 and CentOS 4 with ldap.conf files pretty much like you described, and failover works. The only difference I see is that in /etc/openldap/ldap.conf, instead of

HOST ldap1.company.com ldap2.company.com

we use

URI ldaps://ldap1.company.com ldaps://ldap2.company.com

But that shouldn't make any difference.

On Fedora 6, instead of setting up /etc/ldap.conf as

Host 1.1.1.1 2.2.2.2

we instead have to use

uri ldaps://1.1.1.1/ ldaps://2.2.2.2/

I'm assuming that the new version of nss_ldap parses the config file differently but haven't bothered tracking down details. (nss_ldap is version 207 on RHEL 3, 226 on CentOS 4, and 253 on Fedora 6.)

Josh Kelley

From ajs at th.ph.bham.ac.uk Fri Mar 30 15:51:28 2007
From: ajs at th.ph.bham.ac.uk (Andy Schofield) Date: Fri, 30 Mar 2007 16:51:28 +0100 Subject: [Fedora-directory-users] Comments on the setupssl.sh enabling SSL script Message-ID: <20070330165128.4fa72913@thpc30.ph.bham.ac.uk>

Well, I have succeeded in getting SSL going, and the howto is very helpful for this: http://directory.fedora.redhat.com/wiki/Howto:SSL and in particular the script setupssl.sh: http://directory.fedora.redhat.com/download/setupssl.sh

In doing so I came across a number of gotchas which might help others.

(1) The script uses "ldapmodify" from the openldap-clients package and not from the fedora-ds/shared/bin supplied one. The options are different and ldapmodify needs to be in the path. I've no idea why.

(2) The script almost does everything for you. In particular you will find in /opt/fedora-ds/alias the cacert.asc file which you need to give to the clients. You do not need to export it, which was just as well, as the command given in the howto did not work for me.

(3) The default names of the certificates are not correct if you want to ensure that the administrator console is encrypted too. You need to

cd /opt/fedora-ds/alias
cp admin-serv-serverID-cert8.db admin-serv-hostname-cert8.db
cp admin-serv-serverID-key3.db admin-serv-hostname-key3.db

where you replace serverID by your serverID name and hostname by the first part of your hostname.

If I was confident that these points were not my mistakes, or were peculiarities of my setup, then I'd update the wiki.

Andy

From vsi at ebi.ac.uk Fri Mar 30 16:09:33 2007
From: vsi at ebi.ac.uk (Ville Silventoinen) Date: Fri, 30 Mar 2007 17:09:33 +0100 (BST) Subject: [Fedora-directory-users] db_verify In-Reply-To: <460BFC9C.4010507@redhat.com> References: <460BFC9C.4010507@redhat.com> Message-ID:

Hi Noriko, thanks for your reply.

On Thu, 29 Mar 2007, Noriko Hosoi wrote:
> Ville Silventoinen wrote:
>
>> Same error for ancestorid.db4, objectclass.db4, parentid.db4, cn.db4, givenName.db4 and sn.db4.
>
> How about id2entry.db4? Is it broken? (It's a primary db file.)

No, id2entry.db4 is Good.

>> How can I locate those "out-of order keys" the db_verify lists? I tried with dbscan but I don't think I'm giving the right entry id:
>
> Right. 247 is the Berkeley DB's internal id.

OK, so there's no way to use it to locate which entry is causing the problem?

>> $ ./dbscan -K 247 -f db/ebiRoot/mail.db4
>> Can't set cursor to returned item: DB_NOTFOUND: No matching key/data pair found
>
> What happens if you just run dbscan for all the keys in mail.db4 (without the -K option)? E.g., ./dbscan -n -r db/ebiRoot/mail.db4
> Do you get any errors?

I assume you meant "dbscan -n -r -f db/ebiRoot/mail.db4". I see a lot of numbers, no errors as far as I can tell.

>> Is there a way to find out which entries are causing the problem? Can there be illegal characters in the entries?
>
> Could it be possible to share your data with us? (sample data would be good.)

I asked my manager but he doesn't think it's a good idea for security reasons. The problem is that the data is our NIS mail.aliases and passwd, and we don't want to distribute them to the internet. He suggested I modify the data, so I can send a sample to you. I'll do that next week. What would you be looking for in the data? Perhaps I could do it here?

Today I have been trying to narrow down which entries in our mail.aliases cause the problem. We have about 8400 aliases (includes majordomo and mailman aliases) and if I sort them alphabetically and import only entries 250-500, I get the following errors from verify-db.pl:

Verify log files in db ... Good
Verify db/ebiRoot/ancestorid.db4 ...
DB ERROR: db_verify: Page 2: out-of-order key at entry 254
DB ERROR: db_verify: DB->verify: db/ebiRoot/ancestorid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file ancestorid.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
Verify db/ebiRoot/objectclass.db4 ...
DB ERROR: db_verify: Page 2: out-of-order key at entry 255
DB ERROR: db_verify: DB->verify: db/ebiRoot/objectclass.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file objectclass.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
Verify db/ebiRoot/nsuniqueid.db4 ... Good
Verify db/ebiRoot/parentid.db4 ...
DB ERROR: db_verify: Page 1: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: DB->verify: db/ebiRoot/parentid.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file parentid.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
Verify db/ebiRoot/cn.db4 ...
DB ERROR: db_verify: Page 2: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 6: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 8: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 11: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 12: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 4: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 10: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 5: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: Page 7: unsorted duplicate set in sorted-dup database
DB ERROR: db_verify: DB->verify: db/ebiRoot/cn.db4: DB_VERIFY_BAD: Database verification failed
Secondary index file cn.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.

So there's a new error "unsorted duplicate set in sorted-dup database". What does it mean?

Curious thing is that I cannot narrow down the problematic entries any further. I've tried importing entries 300-450 and 275-475, but there's no error. Also tried with two different sets from various ranges, but no success yet. It only seems to happen when I import at least 250 entries.

This is what a single entry looks like:

dn: cn=foobar-dev-local,ou=Aliases,dc=ebi,dc=ac,dc=uk
cn: foobar-dev-local
objectClass: top
objectClass: nisMailAlias
rfc822MailMember: "|/homes/majordom/wrapper stripmime.pl|/homes/majordom/wra
 pper resend -l foobar-dev foobar-dev-outgoing"

I also tried skipping all entries with double quotes, but I still got errors. There can be several rfc822MailMember attribute values, as you probably know.

Thanks for your time, I really appreciate it.

Ville

From glenn at mail.txwes.edu Fri Mar 30 16:28:13 2007
From: glenn at mail.txwes.edu (Glenn) Date: Fri, 30 Mar 2007 10:28:13 -0600 Subject: [Fedora-directory-users] PSET failure Message-ID: <20070330162035.M51998@mail.txwes.edu>

Hello, again! I'm trying to install Fedora DS 1.0.4 on Red Hat EL4. Everything goes smoothly until I try to enable SSL in the admin server console. When I try to save new settings on the Encryption tab and the User DS tab, I get a message, "PSET failure. PSET attribute creation or local cache update failed!" After that, I back out of the admin console without saving changes. When I go back into the admin console, the certificate has disappeared from the drop-down list. It sounds like a problem with file permissions, but I don't know what files might be involved. Hoping you can help. Thanks.

-G.

From sys.mailing at gmail.com Fri Mar 30 16:57:18 2007
From: sys.mailing at gmail.com (Bjorn Oglefjorn) Date: Fri, 30 Mar 2007 12:57:18 -0400 Subject: [Fedora-directory-users] Complicated ACI Definitions Message-ID: <926ab61b0703300957s6b34b75bjafdee7dd9541f408@mail.gmail.com>

Or maybe it's not so complicated and I don't know how. ;)

This is what I'm trying to accomplish: Users who are a member of the group 'cn=support' can perform ALL operations on 'userPassword', except on targets which are a member of group 'cn=admins' or 'cn=bosses'. Is this possible? I can't figure out how.

Thanks in advance!
--BO

From gholbert at broadcom.com Fri Mar 30 17:42:05 2007
From: gholbert at broadcom.com (George Holbert) Date: Fri, 30 Mar 2007 10:42:05 -0700 Subject: [Fedora-directory-users] ip in ACI bind rules Message-ID: <460D4BED.4030909@broadcom.com>

I've noticed that the 'ip' keyword in ACI bind rules seems to have no effect on its own. For example, this does not deny access to IP 1.2.3.4:

aci: (version 3.0; acl "Deny 1.2.3.4"; deny(all) (ip = "1.2.3.4");)

But when combined with a userdn clause like this, it works:

aci: (version 3.0; acl "Deny 1.2.3.4"; deny(all) (userdn = "ldap:///anyone") and (ip = "1.2.3.4");)

Is this known/expected behavior? Just want to make sure I'm interpreting this right.

Thanks a lot,
-- George

From nkinder at redhat.com Fri Mar 30 17:55:43 2007
From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 30 Mar 2007 10:55:43 -0700 Subject: [Fedora-directory-users] Connect Active Directory to my LDAP In-Reply-To: <460D2B0D.2010802@augustschell.com> References: <005001c772a3$e8bf37f0$800101df@vbs.local> <001b01c772dc$16958de0$fc001cac@labinfo.unifacs.br> <460D2B0D.2010802@augustschell.com> Message-ID: <460D4F1F.8030901@redhat.com>

Alexandre Augusto da Rocha wrote:
> This is not true. You don't need SSL if AD will be a true slave. SSL is only required if you want to allow users to change their passwords on AD and have that propagated to FDS.

Not exactly. You need SSL to allow passwords to be synchronized in either direction. AD will not accept an update to the password over LDAP without SSL.

-NGK

> -Auggy
>
> Paulo Estrela - Suporte LabInfo UNIFACS wrote:
>> Hi,
>>
>> Did you enable SSL on FDS and AD? It must be enabled for sync to work. Information is available on the FDS documentation page.
>>
>> Paulo Estrela
>> ----- Original Message -----
>> *From:* Michiel van Heukelom - Van Boxtel Software BV
>> *To:* fedora-directory-users at redhat.com
>> *Sent:* Friday, March 30, 2007 5:17 AM
>> *Subject:* [Fedora-directory-users] Connect Active Directory to my LDAP
>>
>> I've got the Fedora LDAP service running; connecting from other Linux servers is no problem. The next step is to synchronize the database to Active Directory. Is there a way to keep my Fedora LDAP as a master database and the AD server (W2003) as a member, so that I should only configure my users on my LDAP server and not on my AD server?
>>
>> Kind regards,
>>
>> Michiel van Heukelom
>> *Van Boxtel Software B.V.*
>> Telephone: +31 (0) 492 - 327 357
>> Fax: +31 (0) 492 - 324 326
>> E-mail: mvheukelom at van-boxtel-software.nl
>> Website: www.van-boxtel-software.nl

From nhosoi at redhat.com Fri Mar 30 17:57:10 2007
From: nhosoi at redhat.com (Noriko Hosoi) Date: Fri, 30 Mar 2007 09:57:10 -0800 Subject: [Fedora-directory-users] db_verify In-Reply-To: References: <460BFC9C.4010507@redhat.com> Message-ID: <460D4F76.8040404@redhat.com>

Ville Silventoinen wrote:
> Hi Noriko, thanks for your reply.
>
> On Thu, 29 Mar 2007, Noriko Hosoi wrote:
> [...]
>>> Is there a way to find out which entries are causing the problem? Can there be illegal characters in the entries?
>>
>> Could it be possible to share your data with us? (sample data would be good.)
>
> I asked my manager but he doesn't think it's a good idea for security reasons. The problem is that the data is our NIS mail.aliases and passwd, and we don't want to distribute them to the internet. He suggested I modify the data, so I can send a sample to you. I'll do that next week.

That would be great. Thanks! I'm interested in what type of characters your data contain. E.g., is the character set UTF-8? Could some of your DNs contain special characters such as '\'? etc...

> What would you be looking for in the data? Perhaps I could do it here?
>
> Today I have been trying to narrow down which entries in our mail.aliases cause the problem. We have about 8400 aliases (includes majordomo and mailman aliases) and if I sort them alphabetically and import only entries 250-500, I get the following errors from verify-db.pl:
>
> Verify log files in db ... Good
> Verify db/ebiRoot/ancestorid.db4 ...
> DB ERROR: db_verify: Page 2: out-of-order key at entry 254
> DB ERROR: db_verify: DB->verify: db/ebiRoot/ancestorid.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file ancestorid.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
> Verify db/ebiRoot/objectclass.db4 ...
> DB ERROR: db_verify: Page 2: out-of-order key at entry 255
> DB ERROR: db_verify: DB->verify: db/ebiRoot/objectclass.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file objectclass.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
> Verify db/ebiRoot/nsuniqueid.db4 ... Good
> Verify db/ebiRoot/parentid.db4 ...
> DB ERROR: db_verify: Page 1: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: DB->verify: db/ebiRoot/parentid.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file parentid.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
> Verify db/ebiRoot/cn.db4 ...
> DB ERROR: db_verify: Page 2: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 6: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 8: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 11: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 3: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 12: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 4: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 10: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 5: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: Page 7: unsorted duplicate set in sorted-dup database
> DB ERROR: db_verify: DB->verify: db/ebiRoot/cn.db4: DB_VERIFY_BAD: Database verification failed
> Secondary index file cn.db4 in db/ebiRoot is corrupted. Please run db2index(.pl) for reindexing.
>
> So there's a new error "unsorted duplicate set in sorted-dup database". What does it mean?

It does not say much... Our secondary indexes are sorted-dup databases. The OIDs in the entries sharing the same key are supposed to be sorted in each key-value. It looks like the internal sorting is broken.

I have a couple of questions... So, in your ldif data, the mail attribute also has this type of value: "|/homes/majordom/wrapper stripmime.pl|/homes/majordom/wrapper resend -l foobar-dev foobar-dev-outgoing"? And your mail index has the default indexing type: presence, equality, and substring? What type of indexing does the rfc822MailMember attribute have? Have we already heard what platform you are running the FDS on?

Thanks,
--noriko

> Curious thing is that I cannot narrow down the problematic entries any further. I've tried importing entries 300-450 and 275-475, but there's no error. Also tried with two different sets from various ranges, but no success yet. It only seems to happen when I import at least 250 entries.
>
> This is what a single entry looks like:
>
> dn: cn=foobar-dev-local,ou=Aliases,dc=ebi,dc=ac,dc=uk
> cn: foobar-dev-local
> objectClass: top
> objectClass: nisMailAlias
> rfc822MailMember: "|/homes/majordom/wrapper stripmime.pl|/homes/majordom/wra
>  pper resend -l foobar-dev foobar-dev-outgoing"
>
> I also tried skipping all entries with double quotes, but I still got errors. There can be several rfc822MailMember attribute values, as you probably know.
>
> Thanks for your time, I really appreciate it.
>
> Ville

From gholbert at broadcom.com Fri Mar 30 21:27:31 2007
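Noriko's questions above (is the data UTF-8? do DNs carry backslash escapes?) and the LDIF-folded rfc822MailMember value Ville quoted can both be checked locally before any data leaves the site. The scanner below is an added example, not code from the thread or from Fedora DS: it unfolds LDIF continuation lines, keeps values as raw bytes, and reports per entry any non-UTF-8 value, any backslash escape in the DN, and any '|' program-delivery alias. The sample LDIF inside is constructed (the first entry mirrors the one quoted in the thread).

```python
# Added example (not from the thread or from Fedora DS): unfold an LDIF file,
# keep values as raw bytes, and report per entry what the reply above asks
# about, so the check can run locally instead of mailing the real aliases.
import base64
from typing import Dict, List, Tuple

# Constructed sample: the thread's alias entry (with its folded value), a plain
# alias, and one with a DN escape plus a non-UTF-8 byte (0xE9) in a value.
SAMPLE_LDIF = b"""dn: cn=foobar-dev-local,ou=Aliases,dc=ebi,dc=ac,dc=uk
cn: foobar-dev-local
objectClass: top
objectClass: nisMailAlias
rfc822MailMember: "|/homes/majordom/wrapper stripmime.pl|/homes/majordom/wra
 pper resend -l foobar-dev foobar-dev-outgoing"

dn: cn=plain,ou=Aliases,dc=ebi,dc=ac,dc=uk
cn: plain
objectClass: top
objectClass: nisMailAlias
rfc822MailMember: someone@example.org

dn: cn=odd\\2c name,ou=Aliases,dc=ebi,dc=ac,dc=uk
cn: odd, name
objectClass: top
objectClass: nisMailAlias
rfc822MailMember: latin1-\xe9@example.org
"""

def unfold(data: bytes) -> List[bytes]:
    """Join LDIF continuation lines (RFC 2849: a leading space continues the
    previous line); this is why "wra" / " pper" above is one value."""
    out: List[bytes] = []
    for raw in data.splitlines():
        if raw.startswith(b" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def parse_ldif(data: bytes) -> List[Tuple[str, List[Tuple[str, bytes]]]]:
    """Return [(dn, [(attr, value_bytes), ...]), ...]; values stay bytes."""
    entries, dn, attrs = [], None, []
    for line in unfold(data) + [b""]:
        if not line:                      # blank line terminates an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
        elif not line.startswith(b"#"):
            name, _, value = line.partition(b":")
            if value.startswith(b":"):    # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip())
            else:
                value = value.strip()
            if name.lower() == b"dn":
                dn = value.decode("utf-8", errors="replace")
            else:
                attrs.append((name.decode("ascii"), value))
    return entries

def scan_ldif(data: bytes) -> Dict[str, List[str]]:
    """Map DN -> findings: backslash escape in the DN, a value that is not
    valid UTF-8, or a '|' program-delivery alias (worth reviewing by hand)."""
    report: Dict[str, List[str]] = {}
    for dn, attrs in parse_ldif(data):
        findings = ["dn-escape"] if "\\" in dn else []
        for name, value in attrs:
            try:
                value.decode("utf-8")
            except UnicodeDecodeError:
                findings.append(f"non-utf8: {name}")
            if b"|" in value:
                findings.append(f"program-alias: {name}")
        if findings:
            report[dn] = findings
    return report
```

Run it against the export of the 250-500 slice (`scan_ldif(open(path, "rb").read())`) and the report lists exactly the DNs worth looking at, without the contents ever needing to be posted.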
From: gholbert at broadcom.com (George Holbert) Date: Fri, 30 Mar 2007 14:27:31 -0700 Subject: [Fedora-directory-users] virtual attributes in targetfilter Message-ID: <460D80C3.3050701@broadcom.com>

Under recent versions of FDS, is it OK to use virtual attributes (i.e., nsRole or CoS-generated) in ACI targetfilters? In earlier versions of Netscape DS, this was not recommended, and this is still mentioned in the RHDS 7.1 docs: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1013769

However, in testing I haven't seen any problems so far doing this, and have noticed examples of it elsewhere, e.g.: http://www.redhat.com/archives/fedora-directory-users/2005-June/msg00188.html

Are the docs just a little dated on this, or is it still not a good idea?

Thank you!
-- George

From prowley at redhat.com Fri Mar 30 22:09:05 2007
From: prowley at redhat.com (Pete Rowley) Date: Fri, 30 Mar 2007 15:09:05 -0700 Subject: [Fedora-directory-users] virtual attributes in targetfilter In-Reply-To: <460D80C3.3050701@broadcom.com> References: <460D80C3.3050701@broadcom.com> Message-ID: <460D8A81.1070103@redhat.com>

George Holbert wrote:
> Are the docs just a little dated on this, or is it still not a good idea?

I believe this warning was written before virtual attribute evaluation was added to the filter code (so searches etc. didn't work with virtual attributes) - that is no longer the case and hasn't been for many years.

-- Pete

From pkime at Shopzilla.com Fri Mar 30 22:37:35 2007
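Pete's answer (virtual attributes such as nsRole are evaluated in targetfilters) is what makes Bjorn's earlier request in this digest expressible: support staff may manage userPassword for everyone except admins and bosses. The LDIF below is an added example, not from the thread or the FDS docs; the DNs under dc=example,dc=com are assumed, and because an ACI filter cannot see group membership directly, it relies on a managed role, so every admin and boss account must carry the nsRoleDN shown.

```ldif
# Added example (assumed DNs under dc=example,dc=com; not from the thread).
# 1. A managed role. FDS computes the virtual attribute nsRole on every entry
#    that carries a matching nsRoleDN value.
dn: cn=protected,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: protected
description: accounts whose passwords support staff must not manage

# 2. Tag each admin/boss account (repeat for every member of cn=admins and
#    cn=bosses; the role, not the group, is what the targetfilter can see).
dn: uid=alice,ou=People,dc=example,dc=com
changetype: modify
add: nsRoleDN
nsRoleDN: cn=protected,dc=example,dc=com

# 3. Grant support rights on userPassword only where the target is NOT in the
#    role. No explicit deny is needed: whatever is not allowed is denied by
#    default, so entries matching nsRole=cn=protected fall outside the allow.
#    Use "write" instead of "all" if support only needs to reset passwords.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (targetfilter = "(!(nsRole=cn=protected,dc=example,dc=com))")
 (version 3.0; acl "support manages non-protected passwords";
 allow (all) groupdn = "ldap:///cn=support,ou=Groups,dc=example,dc=com";)
```

Confirm with an ldapsearch as Directory Manager that each tagged entry actually returns nsRole before relying on the filter, and note that anyone allowed to write nsRoleDN on a protected entry can strip the protection, so that attribute needs its own restrictive ACI.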
From: pkime at Shopzilla.com (Philip Kime) Date: Fri, 30 Mar 2007 15:37:35 -0700 Subject: [Fedora-directory-users] "Bad Ber Tag Encountered" in log analysis Message-ID: <9C0091F428E697439E7A773FFD083427A92C2A@szexchange.Shopzilla.inc>

I was looking through the logconv.pl output and I see that the majority of connection codes are

B1 Bad Ber Tag Encountered

Should I be worried about this? LDAP seems to be working fine and has been for months.

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407