From benetage at hotmail.com Thu Sep 3 17:50:58 2009
From: benetage at hotmail.com (Mister Anonyme)
Date: Thu, 3 Sep 2009 13:50:58 -0400
Subject: [389-users] How to restore replica admin in the master
Message-ID:

Hi,

I have two masters (in multi-master mode, they replicate each other) and 6 slaves.

I added a new schema file in /etc/dirsrv/slapd-XXX/schema and I restarted all dirsrv. I learned later that I had to stop the replication before adding a new schema file. Because of that, the netscaperoot seems to be corrupted, because I wasn't able to do replication between the two masters.

So, I had to completely re-install the two masters and re-import the database, but is there a way to re-configure the admin part of each replica (slave) server? I could completely re-install the slaves too, but if I can reconfigure the admin so I can see all replicas in the Redhat Management Console, it would be nice.

Thank you!

From jsullivan at opensourcedevel.com Thu Sep 3 18:14:04 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Thu, 03 Sep 2009 14:14:04 -0400
Subject: [389-users] How to restore replica admin in the master
In-Reply-To:
References:
Message-ID: <1252001644.6491.31.camel@jaspav.missionsit.net.missionsit.net>

On Thu, 2009-09-03 at 13:50 -0400, Mister Anonyme wrote:
> Hi,
>
> I have two masters (in multi-master mode, they replicate each other)
> and 6 slaves.
>
> I added a new schema file in /etc/dirsrv/slapd-XXX/schema and I
> restarted all dirsrv. I learned later that I had to stop the
> replication before adding a new schema file. Because of that, the
> netscaperoot seems to be corrupted because I wasn't able to do
> replication between the two masters.
>
> So, I had to completely re-install the two masters and re-import the
> database but is there a way to re-configure the admin part of each
> replica (slave) server? I could completely re-install the slaves too
> but if I can reconfigure the admin so I can see all replicas in the
> Redhat Management Console, it would be nice.
>
Ouch! I think I understand. Unfortunately, I'm on the run and can't explore it in detail, but here is an excerpt from our internal documentation on restoring the admin relationship between slave and master, and on losing and then restoring the master from the slave database:

Once the data is restored, we need to tell LDAP1 that it is the configuration master and that LDAP2 uses it.

On LDAP1 run "register-ds-admin.pl"

Then, on LDAP2 run "setup-ds-admin.pl -u" but, for some reason, it insists on installing the CA cert and, since it already exists in the database, it errors. So we first remove the existing CA cert:

cd /etc/dirsrv/admin-serv
certutil -D -d . -n "CA certificate"

then run setup-ds-admin.pl -u and take the defaults, except we must enter the path to the CA cert (/etc/dirsrv/admin-serv/MyCA.pem).

Hope this helps. I think the original threads where Rich Megginson helped us through this scenario are still in the archive. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From benetage at hotmail.com Thu Sep 3 18:47:06 2009
From: benetage at hotmail.com (Mister Anonyme)
Date: Thu, 3 Sep 2009 14:47:06 -0400
Subject: [389-users] How to restore replica admin in the master
In-Reply-To: <1252001644.6491.31.camel@jaspav.missionsit.net.missionsit.net>
References: <1252001644.6491.31.camel@jaspav.missionsit.net.missionsit.net>
Message-ID:

Hi,

I tried with setup-ds-admin.pl but the configuration file is already present, so this setup fails. I forgot to add that I use version 8.0.
Anyway, if I completely re-install the two master servers, the configuration files for the slaves will be lost. It seems that I don't have a choice but to re-install the slaves too.

As a final word, for those who use 8.0 and are using the replication system, don't add a new schema file in /etc/dirsrv/slapd-XXXX/schema. I'll tell you why:

I read the docs for DS 8.0, and nowhere does it talk about adding a new schema file, but I found it myself by digging in /etc/dirsrv and I tested it in the lab.

Later, when I added a new bunch of users, I noticed that the replication was stopped between the two masters, but not between master and slaves. I tried to understand why it doesn't work anymore, and I found out by reading the 8.1 documentation (the next version, which we don't use yet) that it says we need to stop all replication before adding a new schema file.

Heh, good to know, but it was already too late.

I tried everything, like removing/creating the replication agreement, removing the local database, recreating it, etc.; the second master just doesn't want to start the replication. However, the replication between the first master and the slaves is working well because I first added the new schema file on the slave, then restarted the slapd. After, I added it on the first master, and then restarted it. In fact, it worked very well until I added a new bunch of users with the new attribute that's only present in the new schema file that I added earlier. Since then, the replication between the two masters just stopped; even o=netscaperoot isn't replicated anymore.

The worst thing is, I first tried adding a new schema in the lab and it worked flawlessly, even when I added some users. I found out that the problem arises only when I restart again one of the two masters. In other words, I stop the slapd, I add a new schema, I fire it up. I do the same thing on the second master. It works. I stop again the second, and bam, you lost the replication and you just corrupted some databases, including o=netscaperoot.

So, be cautious when you add a new schema file ;-)

> Subject: Re: [389-users] How to restore replica admin in the master
> From: jsullivan at opensourcedevel.com
> To: fedora-directory-users at redhat.com
> Date: Thu, 3 Sep 2009 14:14:04 -0400
>
> On Thu, 2009-09-03 at 13:50 -0400, Mister Anonyme wrote:
> > Hi,
> >
> > I have two masters (in multi-master mode, they replicate each other)
> > and 6 slaves.
> >
> > I added a new schema file in /etc/dirsrv/slapd-XXX/schema and I
> > restarted all dirsrv. I learned later that I had to stop the
> > replication before adding a new schema file. Because of that, the
> > netscaperoot seems to be corrupted because I wasn't able to do
> > replication between the two masters.
> >
> > So, I had to completely re-install the two masters and re-import the
> > database but is there a way to re-configure the admin part of each
> > replica (slave) server? I could completely re-install the slaves too
> > but if I can reconfigure the admin so I can see all replicas in the
> > Redhat Management Console, it would be nice.
> >
>
> Ouch! I think I understand. Unfortunately, I'm on the run and can't
> explore it in detail but here is an excerpt from our internal
> documentation on restoring the admin relationship between slave and
> master and losing and then restoring the master from the slave database:
>
> Once the data is restored, we need to tell LDAP1 that it is the
> configuration master and that LDAP2 uses it.
> On LDAP1 run "register-ds-admin.pl"
> Then, on LDAP2 run "setup-ds-admin.pl -u" but, for some reason, it
> insists on installing the CA cert and, since it already exists in the
> database, it errors. So we first remove the existing CA cert:
> cd /etc/dirsrv/admin-serv
> certutil -D -d . -n "CA certificate"
> then run setup-ds-admin.pl -u and take defaults except we must enter the
> path to the CA cert (/etc/dirsrv/admin-serv/MyCA.pem).
>
> Hope this helps.
> I think the original threads where Rich Megginson
> helped us through this scenario are still in the archive. Good luck -
> John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

From rmeggins at redhat.com Thu Sep 3 19:30:30 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Sep 2009 13:30:30 -0600
Subject: [389-users] How to restore replica admin in the master
In-Reply-To:
References: <1252001644.6491.31.camel@jaspav.missionsit.net.missionsit.net>
Message-ID: <4AA01956.4060704@redhat.com>

Mister Anonyme wrote:
> Hi,
>
> I tried with setup-ds-admin.pl but the configuration file is already
> present so this setup fails. I forgot to add that I use version 8.0.
8.0 had a problem in that it could not register a server with a remote configuration DS. This problem has been fixed in 8.1.
>
> Anyway, if I completely re-install the two master servers, the configuration
> files for the slaves will be lost. It seems that I don't have a choice but to
> re-install the slaves too.
>
> As a final word, for those who use 8.0 and are using the replication
> system, don't add a new schema file in /etc/dirsrv/slapd-XXXX/schema.
> I'll tell you why:
>
> I read the docs for DS 8.0 and nowhere does it talk about adding a new schema
> file but I found it myself by digging in /etc/dirsrv and I tested it
> in the lab.
If those docs need to be corrected, please send us the links.

Also note that in 8.0:

If you want to add new schema to an existing instance, you must add the files to /etc/dirsrv/slapd-instancename/schema, then restart the server for the schema changes to take effect

/etc/dirsrv/schema is only for new instances - existing servers don't use these files

schema files are not replicated - the only way to replicate schema is to add the new schema over LDAP

With 8.1 you have the ability to add schema files, then have the server reload them without having to restart the server, but the schema files added by copying them to the server instance schema directory will still not be replicated.
>
> Later, when I added a new bunch of users, I noticed that the
> replication was stopped between the two masters, but not between master
> and slaves. I tried to understand why it doesn't work anymore
Anything in the errors or access logs?
> and I found out by reading the 8.1 documentation (the next version, which
> we don't use yet) that it says that we need to stop all
> replication before adding a new schema file.
Can you provide a link to the documentation?
>
> Heh, good to know, but it was already too late.
>
> I tried everything like removing/creating the replication agreement,
> removing the local database, recreating it, etc.; the second master
> just doesn't want to start the replication. However, the replication between
> the first master and the slaves is working well because I first added the
> new schema file on the slave, then restarted the slapd. After, I added
> it on the first master, and then restarted it. In fact, it worked
> very well until I added a new bunch of users with the new attribute
> that's only present in the new schema file that I added earlier.
> Since then, the replication between the two masters just stopped; even
> o=netscaperoot isn't replicated anymore.
>
> The worst thing is, I first tried adding a new schema in the lab and
> it worked flawlessly, even when I added some users.
> I found out that
> the problem arises only when I restart again one of the two masters. In
> other words, I stop the slapd, I add a new schema, I fire it up. I do
> the same thing on the second master. It works. I stop again the
> second, and bam, you lost the replication and you just corrupted some
> databases, including o=netscaperoot.
I'm not really sure what's going on here. I seriously doubt there is any data corruption happening (unless there is some disk/hardware failure). I would first suggest you check your errors log in /var/log/dirsrv/slapd-instancename/errors
>
> So, be cautious when you add a new schema file ;-)
>
>
> > Subject: Re: [389-users] How to restore replica admin in the master
> > From: jsullivan at opensourcedevel.com
> > To: fedora-directory-users at redhat.com
> > Date: Thu, 3 Sep 2009 14:14:04 -0400
> >
> > On Thu, 2009-09-03 at 13:50 -0400, Mister Anonyme wrote:
> > > Hi,
> > >
> > > I have two masters (in multi-master mode, they replicate each other)
> > > and 6 slaves.
> > >
> > > I added a new schema file in /etc/dirsrv/slapd-XXX/schema and I
> > > restarted all dirsrv. I learned later that I had to stop the
> > > replication before adding a new schema file. Because of that, the
> > > netscaperoot seems to be corrupted because I wasn't able to do
> > > replication between the two masters.
> > >
> > > So, I had to completely re-install the two masters and re-import the
> > > database but is there a way to re-configure the admin part of each
> > > replica (slave) server? I could completely re-install the slaves too
> > > but if I can reconfigure the admin so I can see all replicas in the
> > > Redhat Management Console, it would be nice.
> > >
> >
> > Ouch! I think I understand. Unfortunately, I'm on the run and can't
> > explore it in detail but here is an excerpt from our internal
> > documentation on restoring the admin relationship between slave and
> > master and losing and then restoring the master from the slave database:
> >
> > Once the data is restored, we need to tell LDAP1 that it is the
> > configuration master and that LDAP2 uses it.
> > On LDAP1 run "register-ds-admin.pl"
> > Then, on LDAP2 run "setup-ds-admin.pl -u" but, for some reason, it
> > insists on installing the CA cert and, since it already exists in the
> > database, it errors. So we first remove the existing CA cert:
> > cd /etc/dirsrv/admin-serv
> > certutil -D -d . -n "CA certificate"
> > then run setup-ds-admin.pl -u and take defaults except we must enter the
> > path to the CA cert (/etc/dirsrv/admin-serv/MyCA.pem).
> >
> > Hope this helps. I think the original threads where Rich Megginson
> > helped us through this scenario are still in the archive. Good luck -
> > John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan at opensourcedevel.com
> >
> > http://www.spiritualoutreach.com
> > Making Christianity intelligible to secular society
> >
From benetage at hotmail.com Thu Sep 3 20:00:00 2009
From: benetage at hotmail.com (Mister Anonyme)
Date: Thu, 3 Sep 2009 16:00:00 -0400
Subject: [389-users] How to restore replica admin in the master
In-Reply-To: <4AA01956.4060704@redhat.com>
References: <1252001644.6491.31.camel@jaspav.missionsit.net.missionsit.net> <4AA01956.4060704@redhat.com>
Message-ID:

> Date: Thu, 3 Sep 2009 13:30:30 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [389-users] How to restore replica admin in the master
>
> If those docs need to be corrected, please send us the links. Also note
> that in 8.0:
> If you want to add new schema to an existing instance, you must add the
> files to /etc/dirsrv/slapd-instancename/schema, then restart the server
> for the schema changes to take effect
> /etc/dirsrv/schema is only for new instances - existing servers
> don't use these files
> schema files are not replicated - the only way to replicate schema is to
> add the new schema over LDAP

I read docs from here:

http://www.redhat.com/docs/manuals/dir-server/

About schemas, I read here:

http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference.html#Configuration_Command_File_Reference-Server_Configuration___Overview-LDIF_Configuration_Files___Location

And here:

http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Extending_the_Directory_Schema.html

I just can't find the description you just put here? It must be hidden in some obscure area... or I need eyeglasses.

> With 8.1 you have the ability to add schema files, then have the server
> reload them without having to restart the server, but the schema files
> added by copying them to the server instance schema directory will still
> not be replicated.

Yep, exactly.

> >
> > Later, when I added a new bunch of users, I noticed that the
> > replication was stopped between the two masters, but not between master
> > and slaves. I tried to understand why it doesn't work anymore
> Anything in the errors or access logs?

Yep, it happens each time I add a new schema on a replicated system. Here are the logs:

Master A:

[02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_prod" (SERVER:389): Unable to acquire replica: there is no replicated area "dc=name,dc=domain,dc=net" on the consumer server. Replication is aborting.
[02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_prod" (SERVER:389): Incremental update failed and requires administrator action
[02/Sep/2009:11:44:09 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_netscaperoot" (SERVER:389): Unable to acquire replica: there is no replicated area "o=netscaperoot" on the consumer server. Replication is aborting.
[02/Sep/2009:11:44:09 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_netscaperoot" (SERVER:389): Incremental update failed and requires administrator action

Master B:

[02/Sep/2009:11:15:18 -0400] NSMMReplicationPlugin - conn=73 op=3 replica="unknown": Unable to acquire replica: error: no such replica
[02/Sep/2009:11:44:10 -0400] NSMMReplicationPlugin - conn=3572 op=3 replica="unknown": Unable to acquire replica: error: no such replica

Take note that it happens only when I add a new schema and I restart the server. When I restart without adding a new schema, I don't have that kind of error, it just works.

What I did is I copied the schema in /etc/dirsrv/slapd-XXXX/schema and then I restarted the server.

However, in the lab, at the installation, I initially copied the schema (before the start of the replication) and started both servers and it works flawlessly.

> > and I found out by reading the 8.1 documentation (the next version, which
> > we don't use yet) that it says that we need to stop all
> > replication before adding a new schema file.
> Can you provide a link to the documentation?

There you go:

http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dynamically-reloading-schema.html#reloading-schema-with-replication

> I'm not really sure what's going on here. I seriously doubt there is
> any data corruption happening (unless there is some disk/hardware
> failure). I would first suggest you check your errors log in
> /var/log/dirsrv/slapd-instancename/errors

Maybe? I find it very weird too, but the fact is: I'm able to reproduce the issue in the lab. More than once. I already verified the logs and I also enabled the verbose mode by doing this:

dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

Thanks!

From rmeggins at redhat.com Thu Sep 3 20:29:33 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Sep 2009 14:29:33 -0600
Subject: [389-users] How to restore replica admin in the master
In-Reply-To:
References: <1252001644.6491.31.camel@jaspav.missionsit.net.missionsit.net> <4AA01956.4060704@redhat.com>
Message-ID: <4AA0272D.8000001@redhat.com>

Mister Anonyme wrote:
>
> > Date: Thu, 3 Sep 2009 13:30:30 -0600
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] How to restore replica admin in the master
> >
> > If those docs need to be corrected, please send us the links. Also note
> > that in 8.0:
> > If you want to add new schema to an existing instance, you must add the
> > files to /etc/dirsrv/slapd-instancename/schema, then restart the server
> > for the schema changes to take effect
> > /etc/dirsrv/schema is only for new instances - existing servers
> > don't use these files
> > schema files are not replicated - the only way to replicate schema is to
> > add the new schema over LDAP
>
> I read docs from here:
>
> http://www.redhat.com/docs/manuals/dir-server/
>
> About schemas, I read here:
> http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference.html#Configuration_Command_File_Reference-Server_Configuration___Overview-LDIF_Configuration_Files___Location
2.1.1 is incorrect

https://bugzilla.redhat.com/show_bug.cgi?id=521139
Bug 521139 - incorrect config and schema file location

This is also incorrect in the 8.1 Schema Reference (although it is a different incorrect location):

https://bugzilla.redhat.com/show_bug.cgi?id=521140
Bug 521140 - incorrect schema file location

Thank you for reporting this bug - it should be fixed shortly.

Other than that, it doesn't really talk about how to extend the schema with schema files. I'm not really sure where it talks about that.
>
> And here:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Extending_the_Directory_Schema.html
This section describes how to manage the schema using the console - it says nothing about using schema files.
>
> I just can't find the description you just put here?
> It must be
> hidden in some obscure area... or I need eyeglasses.
I don't know if it is documented.
>
> > With 8.1 you have the ability to add schema files, then have the server
> > reload them without having to restart the server, but the schema files
> > added by copying them to the server instance schema directory will
> still
> > not be replicated.
>
> Yep, exactly.
>
> > >
> > > Later, when I added a new bunch of users, I noticed that the
> > > replication was stopped between the two masters, but not between master
> > > and slaves. I tried to understand why it doesn't work anymore
> > Anything in the errors or access logs?
>
> Yep, it happens each time I add a new schema on a replicated system.
> Here are the logs:
>
> Master A:
>
> [02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_prod" (SERVER:389): Unable to acquire replica: there
> is no replicated area "dc=name,dc=domain,dc=net" on the consumer
> server. Replication is aborting.
no replicated area "dc=name,dc=domain,dc=net" on the consumer server

This means something has broken or removed the replication configuration. A schema file should not be able to do that.
> [02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_prod" (SERVER:389): Incremental update failed and
> requires administrator action
> [02/Sep/2009:11:44:09 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_netscaperoot" (SERVER:389): Unable to acquire
> replica: there is no replicated area "o=netscaperoot" on the consumer
> server. Replication is aborting.
> [02/Sep/2009:11:44:09 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_netscaperoot" (SERVER:389): Incremental update
> failed and requires administrator action
>
> Master B:
>
> [02/Sep/2009:11:15:18 -0400] NSMMReplicationPlugin - conn=73 op=3
> replica="unknown": Unable to acquire replica: error: no such replica
> [02/Sep/2009:11:44:10 -0400] NSMMReplicationPlugin - conn=3572 op=3
> replica="unknown": Unable to acquire replica: error: no such replica
>
> Take note that it happens only when I add a new schema and I restart
> the server. When I restart without adding a new schema, I don't have
> that kind of error, it just works.
>
> What I did is I copied the schema in /etc/dirsrv/slapd-XXXX/schema and
> then I restarted the server.
Can you post your schema file?
>
> However, in the lab, at the installation, I initially copied the
> schema (before the start of the replication) and started both
> servers and it works flawlessly.
>
> > > and I found out by reading the 8.1 documentation (the next version, which
> > > we don't use yet) that it says that we need to stop all
> > > replication before adding a new schema file.
> > Can you provide a link to the documentation?
>
> There you go:
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dynamically-reloading-schema.html#reloading-schema-with-replication
>
> > I'm not really sure what's going on here. I seriously doubt there is
> > any data corruption happening (unless there is some disk/hardware
> > failure). I would first suggest you check your errors log in
> > /var/log/dirsrv/slapd-instancename/errors
>
> Maybe? I find it very weird too, but the fact is: I'm able to
> reproduce the issue in the lab. More than once.
> I already verified
> the logs and I also enabled the verbose mode by doing this:
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
>
> Thanks!
>

From rmeggins at redhat.com Thu Sep 3 20:31:20 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Sep 2009 14:31:20 -0600
Subject: [389-users] How to restore replica admin in the master
In-Reply-To:
References: <1252001644.6491.31.camel@jaspav.missionsit.net.missionsit.net> <4AA01956.4060704@redhat.com>
Message-ID: <4AA02798.8020304@redhat.com>

Mister Anonyme wrote:
>
> > Date: Thu, 3 Sep 2009 13:30:30 -0600
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] How to restore replica admin in the master
> >
> > If those docs need to be corrected, please send us the links. Also note
> > that in 8.0:
> > If you want to add new schema to an existing instance, you must add the
> > files to /etc/dirsrv/slapd-instancename/schema, then restart the server
> > for the schema changes to take effect
> > /etc/dirsrv/schema is only for new instances - existing servers
> > don't use these files
> > schema files are not replicated - the only way to replicate schema is to
> > add the new schema over LDAP
>
> I read docs from here:
>
> http://www.redhat.com/docs/manuals/dir-server/
>
> About schemas, I read here:
> http://www.redhat.com/docs/manuals/dir-server/cli/8.0/Configuration_Command_File_Reference-Core_Server_Configuration_Reference.html#Configuration_Command_File_Reference-Server_Configuration___Overview-LDIF_Configuration_Files___Location
>
> And here:
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Extending_the_Directory_Schema.html
>
> I just can't find the description you just put here? It must be
> hidden in some obscure area... or I need eyeglasses.
>
> > With 8.1 you have the ability to add schema files, then have the server
> > reload them without having to restart the server, but the schema files
> > added by copying them to the server instance schema directory will
> still
> > not be replicated.
>
> Yep, exactly.
>
> > >
> > > Later, when I added a new bunch of users, I noticed that the
> > > replication was stopped between the two masters, but not between master
> > > and slaves. I tried to understand why it doesn't work anymore
> > Anything in the errors or access logs?
>
> Yep, it happens each time I add a new schema on a replicated system.
> Here are the logs:
>
> Master A:
>
> [02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_prod" (SERVER:389): Unable to acquire replica: there
> is no replicated area "dc=name,dc=domain,dc=net" on the consumer
> server. Replication is aborting.
> [02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_prod" (SERVER:389): Incremental update failed and
> requires administrator action
> [02/Sep/2009:11:44:09 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_netscaperoot" (SERVER:389): Unable to acquire
> replica: there is no replicated area "o=netscaperoot" on the consumer
> server. Replication is aborting.
> [02/Sep/2009:11:44:09 -0400] NSMMReplicationPlugin -
> agmt="cn=INSTANCE_netscaperoot" (SERVER:389): Incremental update
> failed and requires administrator action
>
> Master B:
>
> [02/Sep/2009:11:15:18 -0400] NSMMReplicationPlugin - conn=73 op=3
> replica="unknown": Unable to acquire replica: error: no such replica
> [02/Sep/2009:11:44:10 -0400] NSMMReplicationPlugin - conn=3572 op=3
> replica="unknown": Unable to acquire replica: error: no such replica
>
> Take note that it happens only when I add a new schema and I restart
> the server. When I restart without adding a new schema, I don't have
> that kind of error, it just works.
>
> What I did is I copied the schema in /etc/dirsrv/slapd-XXXX/schema and
> then I restarted the server.
>
> However, in the lab, at the installation, I initially copied the
> schema (before the start of the replication) and started both
> servers and it works flawlessly.
>
> > > and I found out by reading the 8.1 documentation (the next version, which
> > > we don't use yet) that it says that we need to stop all
> > > replication before adding a new schema file.
> > Can you provide a link to the documentation?
>
> There you go:
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dynamically-reloading-schema.html#reloading-schema-with-replication
How did you stop and restart replication?
>
> > I'm not really sure what's going on here. I seriously doubt there is
> > any data corruption happening (unless there is some disk/hardware
> > failure). I would first suggest you check your errors log in
> > /var/log/dirsrv/slapd-instancename/errors
>
> Maybe? I find it very weird too, but the fact is: I'm able to
> reproduce the issue in the lab. More than once. I already verified
> the logs and I also enabled the verbose mode by doing this:
>
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
>
> Thanks!
>
From: benetage at hotmail.com (Mister Anonyme)
Date: Thu, 3 Sep 2009 17:00:09 -0400
Subject: [389-users] How to restore replica admin in the master
In-Reply-To: <4AA0272D.8000001@redhat.com>

> Date: Thu, 3 Sep 2009 14:29:33 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [389-users] How to restore replica admin in the master
>
> > [02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_prod" (SERVER:389): Unable to acquire replica: there is no replicated area "dc=name,dc=domain,dc=net" on the consumer server. Replication is aborting.
> no replicated area "dc=name,dc=domain,dc=net" on the consumer server
> This means something has broken or removed the replication configuration. A schema file should not be able to do that.

I know; myself, I don't understand how a schema file could break it. I removed all replication agreements and re-created them, and those errors are still present until I do a complete reinstallation of both DS master servers.

> > What I did is copy the schema into /etc/dirsrv/slapd-XXXX/schema and then restart the server.
> Can you post your schema file?

See attached file.
(attachment: 98radius.ldif, 27773 bytes)

From: benetage at hotmail.com (Mister Anonyme)
Date: Thu, 3 Sep 2009 17:04:14 -0400
Subject: [389-users] How to restore replica admin in the master
In-Reply-To: <4AA02798.8020304@redhat.com>

> Date: Thu, 3 Sep 2009 14:31:20 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [389-users] How to restore replica admin in the master
>
> > There you go:
> > http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dynamically-reloading-schema.html#reloading-schema-with-replication
> How did you stop and restart replication?

I didn't try it. Actually, I copied the schema file and then finished the installation of the Multi-Master Replication.

I don't think we can simply stop the replication on a running MMR on DS 8.0; I think we need to remove all replication agreements before adding a new schema file. Maybe with DS 8.1 we can stop it?
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Sep 2009 15:27:38 -0600
Subject: [389-users] How to restore replica admin in the master
Message-ID: <4AA034CA.9040204@redhat.com>

Mister Anonyme wrote:
> > Date: Thu, 3 Sep 2009 14:31:20 -0600
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] How to restore replica admin in the master
> >
> > > There you go:
> > > http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dynamically-reloading-schema.html#reloading-schema-with-replication
> > How did you stop and restart replication?
>
> I didn't try it. Actually, I copied the schema file and then finished the installation of the Multi-Master Replication.
>
> I don't think we can simply stop the replication on a running MMR on DS 8.0; I think we need to remove all replication agreements before adding a new schema file.

No, you should not need to remove the replication agreements. With 8.0, you should just be able to add the schema file to /etc/dirsrv/slapd-instance/schema and restart the server. With 8.1, you add the schema file to /etc/dirsrv/slapd-instance/schema and run the schema reload task.

> Maybe with DS 8.1 we can stop it?
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Sep 2009 15:30:19 -0600
Subject: [389-users] How to restore replica admin in the master
Message-ID: <4AA0356B.3040604@redhat.com>

Mister Anonyme wrote:
> > Date: Thu, 3 Sep 2009 14:29:33 -0600
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] How to restore replica admin in the master
> >
> > > [02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_prod" (SERVER:389): Unable to acquire replica: there is no replicated area "dc=name,dc=domain,dc=net" on the consumer server. Replication is aborting.
> > no replicated area "dc=name,dc=domain,dc=net" on the consumer server
> > This means something has broken or removed the replication configuration. A schema file should not be able to do that.
>
> I know; myself, I don't understand how a schema file could break it. I removed all replication agreements and re-created them, and those errors are still present until I do a complete reinstallation of both DS master servers.

Let me see if I understand what's going on. You copy a schema file to the /etc/dirsrv/slapd-instance/schema directory on the supplier, restart the supplier, and you get that error from the consumer? What's in the consumer error log? Do you have a cn=replica, cn="dc=name,dc=domain,dc=net", cn=mapping tree, cn=config entry in the consumer dse.ldif?

> > > What I did is copy the schema into /etc/dirsrv/slapd-XXXX/schema and then restart the server.
> > Can you post your schema file?
>
> See attached file.

Seems ok - unlikely to be the culprit . . .
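Rich's question above comes down to whether the consumer still holds the cn=replica entry for the suffix named in the supplier's error. The script below is an added example, not code from this thread or from the 389 project: it parses NSMMReplicationPlugin lines of the shape posted earlier, derives the replica entry DN the consumer should have, and checks a dse.ldif text for it. The log lines and the dse.ldif fragment are constructed copies, and the function names are mine.

```python
"""Map 389/RHDS supplier replication errors to the consumer config entry they
imply, and check a consumer dse.ldif for that entry.

Added example for this thread, not 389 DS project code. The log lines and the
dse.ldif fragment below are constructed samples in the shape posted above."""
import re

# Constructed copies of the error-log lines from the thread (Master A and B).
SAMPLE_LOG = """\
[02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_prod" (SERVER:389): Unable to acquire replica: there is no replicated area "dc=name,dc=domain,dc=net" on the consumer server. Replication is aborting.
[02/Sep/2009:10:15:17 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_prod" (SERVER:389): Incremental update failed and requires administrator action
[02/Sep/2009:11:44:09 -0400] NSMMReplicationPlugin - agmt="cn=INSTANCE_netscaperoot" (SERVER:389): Unable to acquire replica: there is no replicated area "o=netscaperoot" on the consumer server. Replication is aborting.
[02/Sep/2009:11:15:18 -0400] NSMMReplicationPlugin - conn=73 op=3 replica="unknown": Unable to acquire replica: error: no such replica
"""

# Constructed consumer dse.ldif fragment: the replica entry for one suffix
# only, written in the hex-escaped DN form that dse.ldif commonly uses.
SAMPLE_DSE = r"""dn: cn=replica,cn=dc\3Dname\2Cdc\3Ddomain\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
nsDS5ReplicaRoot: dc=name,dc=domain,dc=net
nsDS5ReplicaId: 1
"""

# Supplier side: errors tagged with the agreement and the consumer host:port.
AGMT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:]+):(?P<port>\d+)\): (?P<msg>.*)$')
AREA_RE = re.compile(r'there is no replicated area "(?P<suffix>[^"]+)"')
# Consumer side: the matching "no such replica" refusal.
CONSUMER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - conn=(?P<conn>\d+) '
    r'op=(?P<op>\d+) replica="(?P<replica>[^"]+)": (?P<msg>.*)$')


def replica_dn(suffix):
    """DN of the replica configuration entry for a suffix, in the quoted
    form Rich uses above."""
    return 'cn=replica,cn="%s",cn=mapping tree,cn=config' % suffix


def parse_log(text):
    """One dict per NSMMReplicationPlugin line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AGMT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev['kind'] = 'supplier'
            area = AREA_RE.search(ev['msg'])
            ev['missing_suffix'] = area.group('suffix') if area else None
            ev['needs_admin'] = 'requires administrator action' in ev['msg']
            events.append(ev)
            continue
        m = CONSUMER_RE.match(line)
        if m:
            ev = m.groupdict()
            ev.update(kind='consumer', missing_suffix=None, needs_admin=False)
            events.append(ev)
    return events


def missing_replica_dns(text):
    """Distinct replica entry DNs the supplier says are absent on the consumer."""
    dns = []
    for ev in parse_log(text):
        if ev['missing_suffix']:
            dn = replica_dn(ev['missing_suffix'])
            if dn not in dns:
                dns.append(dn)
    return dns


def _norm_dn(dn):
    """Normalise the two spellings dse.ldif uses for a quoted RDN value:
    cn="dc=x,dc=y" and the hex-escaped cn=dc\\3Dx\\2Cdc\\3Dy."""
    dn = dn.lower().replace('\\3d', '=').replace('\\2c', ',').replace('"', '')
    return re.sub(r'\s*,\s*', ',', dn.strip())


def dse_has_replica(dse_text, suffix):
    """True if the dse.ldif text contains the replica entry for suffix."""
    want = _norm_dn(replica_dn(suffix))
    unfolded = re.sub(r'\n ', '', dse_text)  # LDIF folds long lines with a leading space
    return any(line[:4].lower() == 'dn: ' and _norm_dn(line[4:]) == want
               for line in unfolded.splitlines())


if __name__ == '__main__':
    for dn in missing_replica_dns(SAMPLE_LOG):
        suffix = dn.split('"')[1]
        state = 'present' if dse_has_replica(SAMPLE_DSE, suffix) else 'MISSING'
        print('%s: %s in consumer dse.ldif' % (dn, state))
```

Run against a real supplier errors log and the consumer's dse.ldif, the o=netscaperoot entry comes out MISSING for the constructed sample, which is the state Rich is asking the poster to look for.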
From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Thu, 3 Sep 2009 17:24:26 -0400
Subject: [389-users] Which version of NSS is bundled with Fedora Directory 1.0.2
Message-ID: <20e4c38c0909031424j2cd932fdpfe6e7af3b494aa74@mail.gmail.com>

Hi All,

We're using a fairly old Fedora Directory, version 1.0.2.
fedora-ds-1.0.2-1.FC5.x86_64.opt.rpm - b4776cb6ff6c2c44b5af2f5be05493c4

What I would like to find out is which version of NSS is bundled with Fedora Directory 1.0.2?

fedora-ds /opt/fedora-ds/alias/libnssckbi.so
fedora-ds /opt/fedora-ds/bin/admin/admin/bin/nss_pcache
fedora-ds /opt/fedora-ds/bin/admin/lib/libmodnss.so
fedora-ds /opt/fedora-ds/bin/admin/lib/libnss3.so
fedora-ds /opt/fedora-ds/bin/slapd/lib/libnss3.so
fedora-ds /opt/fedora-ds/clients/lib/libnss3.so
fedora-ds /opt/fedora-ds/shared/config/template/nss.conf.tmpl
fedora-ds /opt/fedora-ds/shared/lib/libnss3.so

Thanks!!

David
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 03 Sep 2009 16:13:41 -0600
Subject: [389-users] Which version of NSS is bundled with Fedora Directory 1.0.2
In-Reply-To: <20e4c38c0909031424j2cd932fdpfe6e7af3b494aa74@mail.gmail.com>
Message-ID: <4AA03F95.2000903@redhat.com>

Chun Tat David Chu wrote:
> Hi All,
>
> We're using a fairly old Fedora Directory, version 1.0.2.
> fedora-ds-1.0.2-1.FC5.x86_64.opt.rpm - b4776cb6ff6c2c44b5af2f5be05493c4
>
> What I would like to find out is which version of NSS is bundled with Fedora Directory 1.0.2?
> fedora-ds /opt/fedora-ds/alias/libnssckbi.so
> fedora-ds /opt/fedora-ds/bin/admin/admin/bin/nss_pcache
> fedora-ds /opt/fedora-ds/bin/admin/lib/libmodnss.so
> fedora-ds /opt/fedora-ds/bin/admin/lib/libnss3.so
> fedora-ds /opt/fedora-ds/bin/slapd/lib/libnss3.so
> fedora-ds /opt/fedora-ds/clients/lib/libnss3.so
> fedora-ds /opt/fedora-ds/shared/config/template/nss.conf.tmpl
> fedora-ds /opt/fedora-ds/shared/lib/libnss3.so

I'm not sure - can you use readelf -V on one of the libnss3.so?

> Thanks!!
>
> David
From: benetage at hotmail.com (Mister Anonyme)
Date: Fri, 4 Sep 2009 08:21:29 -0400
Subject: [389-users] How to restore replica admin in the master
In-Reply-To: <4AA0356B.3040604@redhat.com>

> Date: Thu, 3 Sep 2009 15:30:19 -0600
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [389-users] How to restore replica admin in the master
>
> > See attached file.
> Seems ok - unlikely to be the culprit . . .

You're right. I found out that the schema was just a coincidence.

I found out that the replication was working well until I restarted one of the two masters. In fact, I had never restarted it since it came up.

Here's the file.inf on the second master, at the installation:

[General]
AdminDomain = domain.net
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://MASTERA:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
FullMachineName = SERVER
SuiteSpotUserID = nobody
ConfigDirectoryAdminPwd = PASS

[admin]
ServerAdminID = admin
ServerAdminPwd = pass
SysUser = nobody
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = LOCALSERVER
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = PASS
Suffix = dc=bd,dc=domain,dc=net
UseExistingMC = Yes
AddSampleEntries = No
ConfigFile = netscaperootdb.ldif
ConfigFile = devdb.ldif
ConfigFile = proddb.ldif
ConfigFile = repluser.ldif
ConfigFile = changelog.ldif
ConfigFile = replica.ldif
ConfigFile = replagreement.ldif

What I did is I removed all ConfigFile lines and I simply executed ldapmodify on each file after the /usr/sbin/setup-ds.pl (I had to modify each file by adding "changetype: add"). It seems to fix the issue.
I added a new schema and replication is still working even if the other master doesn't have it. I restarted both masters, and it still works.

It seems it breaks the "implementation" if I use ConfigFile directly in the file.inf at the installation. That's why I was able to "reproduce" the issue: I was using the same installation method.

From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Fri, 4 Sep 2009 14:34:08 +0200
Subject: [389-users] Configuring StartTLS

Hi all.

I'm setting up Red Hat Directory Server (RHDS) 8.1 at work, and would like to have our LDAP clients use StartTLS when communicating with the RHDS. I've searched the documentation, but can't seem to find any documentation on exactly _how_ to set up the RHDS and the clients to allow StartTLS. I'm sure I've seen it somewhere in the documentation earlier, but now it's gone. Can anyone point me to relevant documentation, either in the Fedora/RHDS manuals or on the web? I believe the /etc/ldap.conf file on the clients should have a line that says "ssl start_tls", but I'm definitely not sure.

Best regards,
Kenneth Holter

From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 04 Sep 2009 09:27:22 -0400
Subject: [389-users] Which version of NSS is bundled with Fedora Directory 1.0.2
In-Reply-To: <20e4c38c0909031424j2cd932fdpfe6e7af3b494aa74@mail.gmail.com>
Message-ID: <4AA115BA.1080201@redhat.com>

Chun Tat David Chu wrote:
> Hi All,
>
> We're using a fairly old Fedora Directory, version 1.0.2.
> fedora-ds-1.0.2-1.FC5.x86_64.opt.rpm - b4776cb6ff6c2c44b5af2f5be05493c4
>
> What I would like to find out is which version of NSS is bundled with Fedora Directory 1.0.2?
> fedora-ds /opt/fedora-ds/alias/libnssckbi.so
> fedora-ds /opt/fedora-ds/bin/admin/admin/bin/nss_pcache
> fedora-ds /opt/fedora-ds/bin/admin/lib/libmodnss.so
> fedora-ds /opt/fedora-ds/bin/admin/lib/libnss3.so
> fedora-ds /opt/fedora-ds/bin/slapd/lib/libnss3.so
> fedora-ds /opt/fedora-ds/clients/lib/libnss3.so
> fedora-ds /opt/fedora-ds/shared/config/template/nss.conf.tmpl
> fedora-ds /opt/fedora-ds/shared/lib/libnss3.so

If you have the rcs package installed you can try ident:

% ident /lib/libnss3.so
$Header: NSS 3.12.4.1 Beta Jun 22 2009 22:31:39 $
% rpm -q nss
nss-3.12.3.99.3-2.11.3.fc11.i586

This is on F-11.

rob

From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Fri, 04 Sep 2009 09:45:23 -0400
Subject: [389-users] Configuring StartTLS
Message-ID: <1252071923.6484.10.camel@jaspav.missionsit.net.missionsit.net>

On Fri, 2009-09-04 at 14:34 +0200, Kenneth Holter wrote:
> Hi all.
>
> I'm setting up Red Hat Directory Server (RHDS) 8.1 at work, and would like to have our LDAP clients use StartTLS when communicating with the RHDS. I've searched the documentation, but can't seem to find any documentation on exactly _how_ to set up the RHDS and the clients to allow StartTLS. I'm sure I've seen it somewhere in the documentation earlier, but now it's gone. Can anyone point me to relevant documentation, either in the Fedora/RHDS manuals or on the web? I believe the /etc/ldap.conf file on the clients should have a line that says "ssl start_tls", but I'm definitely not sure.
Assuming you've already configured your LDAP servers for TLS communication, here is an expunged excerpt from our internal documentation on how we set it up. You will need to adapt it to your needs, of course, e.g., we do not allow anonymous binds and hence must define binddn and bindpw:

Now that we have defined the users, we need to install and configure the LDAP client and related modules for all installed servers. We will start with server01.

First copy the CA cert (MyCA.pem) into /etc/pki/tls/certs/ and ensure it is world readable. Then:

yum install nscd nss_ldap authconfig
authconfig --update --enableldap --enableldapauth --disablenis --enablecache --ldapserver=ldap.mycompany.com --ldapbasedn=dc=mycompany,dc=com --enableldaptls

We must edit the resultant /etc/ldap.conf file as follows:

binddn
bindpw
rootbinddn (we will not set this for the guests)
tls_cacertfile /etc/pki/tls/certs/MyCA.pem (toward the bottom)
uri ldap://ldap.mycompany.com/
ssl start_tls
pam_password md5
tls_checkpeer yes
comment out tls_certdir

Create the /etc/ldap.secret file containing the passphrase and set it rw for root only (chmod 600 /etc/ldap.secret).

Edit /etc/nscd.conf to change the group positive cache limit (positive-time-to-live) to 600 seconds from the default 3600. Otherwise, group changes may take up to an hour to propagate.

Edit /etc/pam.d/system-auth by changing:

password sufficient pam_unix.so shadow nullok try_first_pass use_authtok

to

password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok

(addition of md5) lest we only use the first eight characters of any password. It looks like this is the new default setting, so no need to change it.

Hope this helps to get you started - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From: benetage at hotmail.com (Mister Anonyme)
Date: Fri, 4 Sep 2009 10:00:20 -0400
Subject: [389-users] How to restore replica admin in the master
In-Reply-To: <4AA0356B.3040604@redhat.com>

I forgot to add the errors files. As you can see, it works until I restart the server. I took a look in dse.ldif and they are present.

[quoted copy of Mister Anonyme's message of Fri, 4 Sep 2009 08:21:29 -0400 omitted]

(attachment: mastera.errors, 6540 bytes)
(attachment: masterb.errors, 7786 bytes)

From: beyonddc.storage at gmail.com (Chun Tat David Chu)
Date: Fri, 4 Sep 2009 10:06:42 -0400
Subject: [389-users] Which version of NSS is bundled with Fedora Directory 1.0.2
In-Reply-To: <4AA115BA.1080201@redhat.com>
Message-ID: <20e4c38c0909040706w58b52c5bp4c85cc658a2ca07b@mail.gmail.com>

The ident command works great! Thanks Rob! :-)

Running 'ident /opt/fedora-ds/shared/lib/libnss3.so' shows the following:

NSS 3.11 Apr 21 2006 15:13:34

- dc

On Fri, Sep 4, 2009 at 9:27 AM, Rob Crittenden wrote:
> If you have the rcs package installed you can try ident:
>
> % ident /lib/libnss3.so
> $Header: NSS 3.12.4.1 Beta Jun 22 2009 22:31:39 $
> % rpm -q nss
> nss-3.12.3.99.3-2.11.3.fc11.i586
>
> This is on F-11.
>
> rob
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Sep 2009 08:48:39 -0600
Subject: [389-users] Configuring StartTLS
Message-ID: <4AA128C7.6010605@redhat.com>

Kenneth Holter wrote:
> Hi all.
>
> I'm setting up Red Hat Directory Server (RHDS) 8.1 at work, and would like to have our LDAP clients use StartTLS when communicating with the RHDS. I've searched the documentation, but can't seem to find any documentation on exactly _how_ to set up the RHDS

If you set up RHDS for TLS/SSL communications, then StartTLS will automatically work - there is no additional configuration on the server side.

> and the clients to allow StartTLS. I'm sure I've seen it somewhere in the documentation earlier, but now it's gone. Can anyone point me to relevant documentation, either in the Fedora/RHDS manuals or on the web? I believe the /etc/ldap.conf file on the clients should have a line that says "ssl start_tls", but I'm definitely not sure.
>
> Best regards,
> Kenneth Holter
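Rich's point is that the server side needs nothing beyond TLS being enabled; the settings that decide whether the client actually gets (and verifies) StartTLS are the /etc/ldap.conf edits John listed earlier in this thread. The script below is an added example, not code from the thread or from 389 DS: it audits an nss_ldap-style ldap.conf for those settings and for a bindpw left in the world-readable file (John's site needs one because it disallows anonymous binds, so treat that finding as a warning about where the proxy credential sits). Both sample configs are constructed, and the function names are mine.

```python
"""Audit an nss_ldap/pam_ldap /etc/ldap.conf for the StartTLS client settings
John lists earlier in this thread (ssl start_tls, tls_checkpeer yes, a CA
file, a plain ldap:// uri, tls_certdir commented out) and for credentials
left in the world-readable file.

Added example for this thread, not code from the thread or from 389 DS."""
import os
import stat

# Constructed sample: roughly what authconfig leaves before the manual edits.
WEAK_CONF = """\
uri ldap://ldap.mycompany.com/
base dc=mycompany,dc=com
binddn cn=proxy,ou=system,dc=mycompany,dc=com
bindpw proxy-secret
ssl no
tls_checkpeer no
tls_certdir /etc/openldap/cacerts
pam_password md5
"""

# Constructed sample: after the edits John describes; the root bind password
# lives in /etc/ldap.secret (mode 0600) rather than here.
GOOD_CONF = """\
uri ldap://ldap.mycompany.com/
base dc=mycompany,dc=com
binddn cn=proxy,ou=system,dc=mycompany,dc=com
rootbinddn cn=Directory Manager
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/pki/tls/certs/MyCA.pem
#tls_certdir /etc/openldap/cacerts
pam_password md5
"""


def parse_ldap_conf(text):
    """{option: value} for active lines; a later duplicate overrides an earlier one."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ''
    return opts


def audit_ldap_conf(text, cafile_exists=None):
    """Return a list of findings; empty means the file matches the recipe.
    cafile_exists overrides the on-disk check so the audit can run offline."""
    opts = parse_ldap_conf(text)
    findings = []
    if opts.get('ssl', '').lower() != 'start_tls':
        findings.append('ssl is not start_tls: binds and passwords cross the wire in cleartext')
    if not opts.get('uri', '').lower().startswith('ldap://'):
        findings.append('uri should be ldap:// for StartTLS (ldaps:// is the separate TLS port)')
    if opts.get('tls_checkpeer', '').lower() != 'yes':
        findings.append('tls_checkpeer is not yes: the server certificate is never verified')
    cafile = opts.get('tls_cacertfile')
    if not cafile:
        findings.append('tls_cacertfile missing: peer verification has no trust anchor')
    else:
        present = cafile_exists if cafile_exists is not None else os.path.isfile(cafile)
        if not present:
            findings.append('tls_cacertfile %s is not readable on this host' % cafile)
    if 'tls_certdir' in opts or 'tls_cacertdir' in opts:
        findings.append('tls_certdir/tls_cacertdir still active; the recipe comments it out')
    if opts.get('bindpw'):
        findings.append('bindpw in ldap.conf: the file is world-readable by default, so every local user can read this credential')
    return findings


def secret_file_ok(path):
    """True if path exists, is root-owned and mode 0600 (the ldap.secret rule)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and stat.S_IMODE(st.st_mode) == 0o600


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('good', GOOD_CONF)):
        print('%s: %s' % (name, audit_ldap_conf(conf, cafile_exists=True) or 'OK'))
    print('/etc/ldap.secret ok: %s' % secret_file_ok('/etc/ldap.secret'))
```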
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 04 Sep 2009 08:59:48 -0600
Subject: [389-users] How to restore replica admin in the master
Message-ID: <4AA12B64.1010606@redhat.com>

Mister Anonyme wrote:
> > Date: Thu, 3 Sep 2009 15:30:19 -0600
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] How to restore replica admin in the master
> >
> > > See attached file.
> > Seems ok - unlikely to be the culprit . . .
>
> You're right. I found out that the schema was just a coincidence.
>
> I found out that the replication was working well until I restarted one of the two masters. In fact, I had never restarted it since it came up.
>
> Here's the file.inf on the second master, at the installation:
>
> [General]
> AdminDomain = domain.net
> SuiteSpotGroup = nobody
> ConfigDirectoryLdapURL = ldap://MASTERA:389/o=NetscapeRoot
> ConfigDirectoryAdminID = admin
> FullMachineName = SERVER
> SuiteSpotUserID = nobody
> ConfigDirectoryAdminPwd = PASS
>
> [admin]
> ServerAdminID = admin
> ServerAdminPwd = pass
> SysUser = nobody
> Port = 9830
>
> [slapd]
> InstallLdifFile = suggest
> ServerIdentifier = LOCALSERVER
> ServerPort = 389
> AddOrgEntries = Yes
> RootDN = cn=Directory Manager
> RootDNPwd = PASS
> Suffix = dc=bd,dc=domain,dc=net
> UseExistingMC = Yes

You also need

SlapdConfigForMC = No

Not sure if that's causing the problems.

> AddSampleEntries = No
> ConfigFile = netscaperootdb.ldif
> ConfigFile = devdb.ldif
> ConfigFile = proddb.ldif
> ConfigFile = repluser.ldif
> ConfigFile = changelog.ldif
> ConfigFile = replica.ldif
> ConfigFile = replagreement.ldif
>
> What I did is I removed all ConfigFile lines and I simply executed ldapmodify on each file after the /usr/sbin/setup-ds.pl (I had to modify each file by adding "changetype: add"). It seems to fix the issue. I added a new schema and replication is still working even if the other master doesn't have it. I restarted both masters, and it still works.

I would have to review all of these ldif files - one or more of them are causing problems.

> It seems it breaks the "implementation" if I use ConfigFile directly in the file.inf at the installation. That's why I was able to "reproduce" the issue: I was using the same installation method.
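Two things in this exchange are mechanical enough to check before running setup-ds.pl: Rich's note that UseExistingMC = Yes needs SlapdConfigForMC = No, and the ConfigFile lines the poster reports had to be replaced by ldapmodify after setup. The script below is an added example, not code from the thread or from 389 DS: it parses a .inf file (keeping the repeated ConfigFile keys that configparser would reject), reports those two points plus the cleartext passwords the file carries, and produces the adjusted file. The .inf text is a shortened constructed copy of the one posted above, and the function names are mine.

```python
"""Check a setup-ds.pl .inf file for the points this thread turns on: Rich's
note that UseExistingMC = Yes needs SlapdConfigForMC = No, the ConfigFile =
lines the poster reports broke replication on restart (he applied that LDIF
with ldapmodify after setup instead), and the cleartext passwords the file
carries.

Added example for this thread, not code from the thread or from 389 DS. The
.inf text is a shortened constructed copy of the one posted above."""

SAMPLE_INF = """\
[General]
AdminDomain = domain.net
SuiteSpotGroup = nobody
ConfigDirectoryLdapURL = ldap://MASTERA:389/o=NetscapeRoot
ConfigDirectoryAdminID = admin
FullMachineName = SERVER
SuiteSpotUserID = nobody
ConfigDirectoryAdminPwd = PASS

[admin]
ServerAdminID = admin
ServerAdminPwd = pass
SysUser = nobody
Port = 9830

[slapd]
InstallLdifFile = suggest
ServerIdentifier = LOCALSERVER
ServerPort = 389
AddOrgEntries = Yes
RootDN = cn=Directory Manager
RootDNPwd = PASS
Suffix = dc=bd,dc=domain,dc=net
UseExistingMC = Yes
AddSampleEntries = No
ConfigFile = netscaperootdb.ldif
ConfigFile = replica.ldif
ConfigFile = replagreement.ldif
"""

# Keys whose values are secrets. configparser is deliberately not used: it
# would reject or collapse the repeated ConfigFile keys setup-ds.pl accepts.
PASSWORD_KEYS = ('configdirectoryadminpwd', 'serveradminpwd', 'rootdnpwd')


def _split(line):
    """(key lower-cased, value) for a 'Key = Value' line; value '' if no '='."""
    parts = line.split('=', 1)
    return parts[0].strip().lower(), (parts[1].strip() if len(parts) > 1 else '')


def parse_inf(text):
    """{section: [(key, value), ...]} with keys lower-cased and duplicates kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif '=' in line and current is not None:
            sections[current].append(_split(line))
    return sections


def values(sections, section, key):
    """All values for key in section, in file order."""
    return [v for k, v in sections.get(section, []) if k == key]


def audit_inf(text):
    """Return a list of findings for the .inf text."""
    sections = parse_inf(text)
    findings = []
    use_mc = values(sections, 'slapd', 'useexistingmc')
    cfg_mc = values(sections, 'slapd', 'slapdconfigformc')
    if use_mc and use_mc[-1].lower() == 'yes' and (not cfg_mc or cfg_mc[-1].lower() != 'no'):
        findings.append("UseExistingMC = Yes without SlapdConfigForMC = No (Rich's note in the thread)")
    config_files = values(sections, 'slapd', 'configfile')
    if config_files:
        findings.append('%d ConfigFile entries loaded at install time (%s); the poster had to apply these with ldapmodify after setup-ds.pl instead'
                        % (len(config_files), ', '.join(config_files)))
    for section, pairs in sections.items():
        for key, value in pairs:
            if key in PASSWORD_KEYS and value:
                findings.append('[%s] %s holds a cleartext password; keep the file mode 0600 and remove it after install' % (section, key))
    return findings


def fix_inf(text):
    """Apply the two structural fixes: add SlapdConfigForMC = No after
    UseExistingMC = Yes (unless already present) and drop the ConfigFile
    lines. Passwords are left alone; that is an operational matter."""
    has_cfg_mc = any(_split(l)[0] == 'slapdconfigformc' for l in text.splitlines())
    out = []
    for line in text.splitlines():
        key, value = _split(line)
        if key == 'configfile':
            continue
        out.append(line)
        if key == 'useexistingmc' and value.lower() == 'yes' and not has_cfg_mc:
            out.append('SlapdConfigForMC = No')
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for f in audit_inf(SAMPLE_INF):
        print('-', f)
    print('after fix:', audit_inf(fix_inf(SAMPLE_INF)))
```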
From: tuckerd at lyle.smu.edu (Doug Tucker)
Date: Fri, 04 Sep 2009 13:59:51 -0500
Subject: [389-users] Pass Sync Doesn't Work
Message-ID: <1252090791.22958.11.camel@thor.seas.smu.edu>

Greetings All,

This is a last ditch effort on my part to try to find a solution. I have spent 2 months preparing, testing, and troubleshooting a FDS to AD sync. User accounts sync fine both ways, but unfortunately that part is not what we are truly after. We already have a user account process for creating the accounts in both places; what we are after is password syncing between FDS and MS AD. The Pass Sync utility has been installed on the PDC AD machine, and the service is running, but as best we can tell it simply isn't doing anything. If you change a password in AD, it does not get replicated to FDS. I'm really not sure where to go from here. I was hoping to find a log where passync was writing the changes to be replicated, just to see if it was capturing them, but cannot find in the documentation where that exists. I did find the log in the passync directory, but all it shows is the startup of the service. Any help would be greatly appreciated.
Sincerely,

Doug Tucker
SMU

From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Fri, 04 Sep 2009 15:54:01 -0700
Subject: [389-users] Pass Sync Doesn't Work
In-Reply-To: <1252090791.22958.11.camel@thor.seas.smu.edu>
Message-ID: <4AA19A89.8030609@redhat.com>

On 09/04/2009 11:59 AM, Doug Tucker wrote:
> Greetings All,
>
> This is a last ditch effort on my part to try to find a solution. I have spent 2 months preparing, testing, and troubleshooting a FDS to AD sync. User accounts sync fine both ways, but unfortunately that part is not what we are truly after. We already have a user account process for creating the accounts in both places; what we are after is password syncing between FDS and MS AD. The Pass Sync utility has been installed on the PDC AD machine, and the service is running, but as best we can tell it simply isn't doing anything. If you change a password in AD, it does not get replicated to FDS. I'm really not sure where to go from here. I was hoping to find a log where passync was writing the changes to be replicated, just to see if it was capturing them, but cannot find in the documentation where that exists. I did find the log in the passync directory, but all it shows is the startup of the service. Any help would be greatly appreciated.
1 - In the Windows registry, under HKLM\Software\PasswordSync, change the "log level" setting from "0" to "1"

2 - Restart the passsync service

3 - Look for passsync.log under C:\Program Files\*Password Synchronization\

--Chandra

> Sincerely,
>
> Doug Tucker
> SMU

From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Fri, 04 Sep 2009 16:12:20 -0700
Subject: [389-users] Pass Sync Doesn't Work
In-Reply-To: <4AA19A89.8030609@redhat.com>
Message-ID: <4AA19ED4.1060804@redhat.com>

On 09/04/2009 03:54 PM, Chandrasekar Kannan wrote:
> On 09/04/2009 11:59 AM, Doug Tucker wrote:
>> Greetings All,
>>
>> This is a last ditch effort on my part to try to find a solution. I have spent 2 months preparing, testing, and troubleshooting a FDS to AD sync. User accounts sync fine both ways, but unfortunately that part is not what we are truly after. We already have a user account process for creating the accounts in both places; what we are after is password syncing between FDS and MS AD. The Pass Sync utility has been installed on the PDC AD machine, and the service is running, but as best we can tell it simply isn't doing anything. If you change a password in AD, it does not get replicated to FDS. I'm really not sure where to go from here. I was hoping to find a log where passync was writing the changes to be replicated, just to see if it was capturing them, but cannot find in the documentation where that exists.

documented here - http://directory.fedoraproject.org/wiki/Howto:WindowsSync#PassSync_Logging

>> I did find the log in the passync directory, but all it shows is the startup of the service. Any help would be greatly appreciated.
>
> 1 - In windows registry-HKLM-Software-PasswordSync,
> change the "log level" setting from "0" to "1"
>
> 2 - Restart the passsync service
>
> 3 - look for passsync.log under C:\Program Files\*Password
> Synchronization\
>
>
> --Chandra
>
>
>> Sincerely,
>>
>> Doug Tucker
>> SMU
>>
>

From evplus at yandex.ru Mon Sep 7 18:54:06 2009
From: evplus at yandex.ru (Evgeniy)
Date: Mon, 07 Sep 2009 22:54:06 +0400
Subject: [389-users] question about migration from OpenLdap 2.3 to Fedora DS 1.1 (or RHDS)
Message-ID: <109861252349646@webmail48.yandex.ru>

Hello,

I am migrating from OpenLDAP 2.3 to Fedora DS 1.1 (or RHDS). When I try to do as described in http://directory.fedoraproject.org/wiki/Howto:OpenLDAPMigration I get errors when running the script LdapImport.pl from http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport

What is the optimal way to migrate?

--
---______________________________________________---
Evgeniy

From tuckerd at lyle.smu.edu Tue Sep 8 14:05:24 2009
From: tuckerd at lyle.smu.edu (Doug Tucker)
Date: Tue, 08 Sep 2009 09:05:24 -0500
Subject: [389-users] Pass Sync Doesn't Work
In-Reply-To: <4AA19ED4.1060804@redhat.com>
References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com>
Message-ID: <1252418724.16260.3.camel@thor.seas.smu.edu>

> >> would be greatly appreciated.
> >
> > 1 - In windows registry-HKLM-Software-PasswordSync,
> > change the "log level" setting from "0" to "1"
> >
> > 2 - Restart the passsync service
> >
> > 3 - look for passsync.log under C:\Program Files\*Password
> > Synchronization\
> >
> >
> > --Chandra
> >

Thanks, I'll ask the windows guy to set this. I haven't seen anything about this, but merely thinking.
If the passync service is installed on the PDC host, and a windows user changes their password but is connected to the BDC when they do so, will passync still catch the change?

From jeff.moody at evscorporation.com Tue Sep 8 14:17:27 2009
From: jeff.moody at evscorporation.com (Jeff Moody)
Date: Tue, 8 Sep 2009 09:17:27 -0500
Subject: [389-users] Pass Sync Doesn't Work
In-Reply-To: <1252418724.16260.3.camel@thor.seas.smu.edu>
References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu>
Message-ID: <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com>

It should. The BDC will replicate the change to the PDC and that should register as a password change to PassSync and that will then replicate the change to the 389 server. I have PassSync running in our environment and have had users change their password from the office which is running a secondary DC and the change gets reflected in the 389 system within <5 minutes of the AD replication.

----
Jeff Moody
Senior Systems Engineer - EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk
(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Doug Tucker
Sent: Tuesday, September 08, 2009 9:05 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Pass Sync Doesn't Work

> >> would be greatly appreciated.
> >
> > 1 - In windows registry-HKLM-Software-PasswordSync,
> > change the "log level" setting from "0" to "1"
> >
> > 2 - Restart the passsync service
> >
> > 3 - look for passsync.log under C:\Program Files\*Password
> > Synchronization\
> >
> >
> > --Chandra
> >

Thanks, I'll ask the windows guy to set this.
I haven't seen anything about this, but merely thinking. If the passync service is installed on the PDC host, if a windows user changes their password, but are connected to the BDC when they do so, will passync still catch the change? -- 389 users mailing list 389-users at redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users From tuckerd at lyle.smu.edu Tue Sep 8 16:14:35 2009 From: tuckerd at lyle.smu.edu (Doug Tucker) Date: Tue, 08 Sep 2009 11:14:35 -0500 Subject: [389-users] Pass Sync Doesn't Work In-Reply-To: <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu> <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> Message-ID: <1252426475.16260.12.camel@thor.seas.smu.edu> > > -----Original Message----- > From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Doug Tucker > Sent: Tuesday, September 08, 2009 9:05 AM > To: General discussion list for the 389 Directory server project. > Subject: Re: [389-users] Pass Sync Doesn't Work > > > > >> would be greatly appreciated. > > > > > > 1 - In windows registry-HKLM-Software-PasswordSync, > > > change the "log level" setting from "0" to "1" > > > > > > 2 - Restart the passsync service > > > > > > 3 - look for passsync.log under C:\Program Files\*Password > > > Synchronization\ > > > > > > > > > --Chandra > > > > Thanks, I'll ask the windows guy to set this. I haven't seen anything > about this, but merely thinking. If the passync service is installed on > the PDC host, if a windows user changes their password, but are > connected to the BDC when they do so, will passync still catch the > change? OK! The logging was a tremendous help to at least seeing where the failure is. 
When the password change is made on the PDC, passync DOES catch it and replicate to 389. However, if the password change occurs on the BDC, even though we see the change replicated to the PDC, passync is NOT catching it and replicating to 389. Does anyone have any ideas? From ckannan at redhat.com Tue Sep 8 18:05:35 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Tue, 08 Sep 2009 11:05:35 -0700 Subject: [389-users] Pass Sync Doesn't Work In-Reply-To: <1252426475.16260.12.camel@thor.seas.smu.edu> References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu> <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> <1252426475.16260.12.camel@thor.seas.smu.edu> Message-ID: <4AA69CEF.8060401@redhat.com> On 09/08/2009 09:14 AM, Doug Tucker wrote: > >> -----Original Message----- >> From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Doug Tucker >> Sent: Tuesday, September 08, 2009 9:05 AM >> To: General discussion list for the 389 Directory server project. >> Subject: Re: [389-users] Pass Sync Doesn't Work >> >> >> >>>>> would be greatly appreciated. >>>>> >>>> 1 - In windows registry-HKLM-Software-PasswordSync, >>>> change the "log level" setting from "0" to "1" >>>> >>>> 2 - Restart the passsync service >>>> >>>> 3 - look for passsync.log under C:\Program Files\*Password >>>> Synchronization\ >>>> >>>> >>>> --Chandra >>>> >>>> >> Thanks, I'll ask the windows guy to set this. I haven't seen anything >> about this, but merely thinking. If the passync service is installed on >> the PDC host, if a windows user changes their password, but are >> connected to the BDC when they do so, will passync still catch the >> change? >> > OK! The logging was a tremendous help to at least seeing where the > failure is. 
When the password change is made on the PDC, passync DOES > catch it and replicate to 389. However, if the password change occurs > on the BDC, even though we see the change replicated to the PDC, passync > is NOT catching it and replicating to 389. Does anyone have any ideas? > I believe The Password Sync Service must be installed on every Active Directory domain controller. > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tuckerd at lyle.smu.edu Tue Sep 8 18:30:55 2009 From: tuckerd at lyle.smu.edu (Doug Tucker) Date: Tue, 08 Sep 2009 13:30:55 -0500 Subject: [389-users] Pass Sync Doesn't Work In-Reply-To: <4AA69CEF.8060401@redhat.com> References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu> <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> <1252426475.16260.12.camel@thor.seas.smu.edu> <4AA69CEF.8060401@redhat.com> Message-ID: <1252434655.16260.17.camel@thor.seas.smu.edu> > > OK! The logging was a tremendous help to at least seeing where the > > failure is. When the password change is made on the PDC, passync DOES > > catch it and replicate to 389. However, if the password change occurs > > on the BDC, even though we see the change replicated to the PDC, passync > > is NOT catching it and replicating to 389. Does anyone have any ideas? > > > > I believe The Password Sync Service must be installed on every Active > Directory domain controller. It appeared that way for no other reason than it wasn't working, but I can't find anything in the documentation to indicate that, and someone else that responded indicated he sees the change after the BDC replicates it to the PDC. Was just hoping for some official word that states that this must be done. 
Sincerely, Doug From patrick.morris at hp.com Tue Sep 8 20:04:23 2009 From: patrick.morris at hp.com (Morris, Patrick) Date: Tue, 8 Sep 2009 13:04:23 -0700 Subject: [389-users] Pass Sync Doesn't Work In-Reply-To: <1252434655.16260.17.camel@thor.seas.smu.edu> References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu> <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> <1252426475.16260.12.camel@thor.seas.smu.edu> <4AA69CEF.8060401@redhat.com> <1252434655.16260.17.camel@thor.seas.smu.edu> Message-ID: <20090908200423.GA16881@bakgwai.americas.hpqcorp.net> On Tue, 08 Sep 2009, Doug Tucker wrote: > > > > OK! The logging was a tremendous help to at least seeing where the > > > failure is. When the password change is made on the PDC, passync DOES > > > catch it and replicate to 389. However, if the password change occurs > > > on the BDC, even though we see the change replicated to the PDC, passync > > > is NOT catching it and replicating to 389. Does anyone have any ideas? > > > > > > > I believe The Password Sync Service must be installed on every Active > > Directory domain controller. > > It appeared that way for no other reason than it wasn't working, but I > can't find anything in the documentation to indicate that, and someone > else that responded indicated he sees the change after the BDC > replicates it to the PDC. Was just hoping for some official word that > states that this must be done. I'm not seeing anything in the docs either, but it would make sense, since I'm relatively sure that when the password syncs from one Active Directory replica to another (no such thing as PDCs and BDCs these days, y'know), I'd assume it's passing the hash and not the password, so there'd be no way to get it into your LDAP server. 
If that's the case (and I'm pretty sure it is), you'd need PassSync set up on all of your Active Directory servers, since any of them could be the one the user gave the actual password to. From ckannan at redhat.com Tue Sep 8 23:08:56 2009 From: ckannan at redhat.com (Chandrasekar Kannan) Date: Tue, 08 Sep 2009 16:08:56 -0700 Subject: [389-users] Pass Sync Doesn't Work In-Reply-To: <20090908200423.GA16881@bakgwai.americas.hpqcorp.net> References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu> <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> <1252426475.16260.12.camel@thor.seas.smu.edu> <4AA69CEF.8060401@redhat.com> <1252434655.16260.17.camel@thor.seas.smu.edu> <20090908200423.GA16881@bakgwai.americas.hpqcorp.net> Message-ID: <4AA6E408.9010004@redhat.com> On 09/08/2009 01:04 PM, Morris, Patrick wrote: > On Tue, 08 Sep 2009, Doug Tucker wrote: > > >> >>>> OK! The logging was a tremendous help to at least seeing where the >>>> failure is. When the password change is made on the PDC, passync DOES >>>> catch it and replicate to 389. However, if the password change occurs >>>> on the BDC, even though we see the change replicated to the PDC, passync >>>> is NOT catching it and replicating to 389. Does anyone have any ideas? >>>> >>>> >>> I believe The Password Sync Service must be installed on every Active >>> Directory domain controller. >>> >> It appeared that way for no other reason than it wasn't working, but I >> can't find anything in the documentation to indicate that, and someone >> else that responded indicated he sees the change after the BDC >> replicates it to the PDC. Was just hoping for some official word that >> states that this must be done. >> > I'm not seeing anything in the docs either, which docs are you referring to ? Have a url ?. 
> but it would make sense, > since I'm relatively sure that when the password syncs from one Active > Directory replica to another (no such thing as PDCs and BDCs these days, > y'know), I'd assume it's passing the hash and not the password, so > there'd be no way to get it into your LDAP server. > > If that's the case (and I'm pretty sure it is), you'd need PassSync set > up on all of your Active Directory servers, since any of them could be > the one the user gave the actual password to. > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > From tuckerd at lyle.smu.edu Wed Sep 9 13:59:15 2009 From: tuckerd at lyle.smu.edu (Doug Tucker) Date: Wed, 09 Sep 2009 08:59:15 -0500 Subject: [389-users] Pass Sync Doesn't Work In-Reply-To: <4AA6E408.9010004@redhat.com> References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu> <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> <1252426475.16260.12.camel@thor.seas.smu.edu> <4AA69CEF.8060401@redhat.com> <1252434655.16260.17.camel@thor.seas.smu.edu> <20090908200423.GA16881@bakgwai.americas.hpqcorp.net> <4AA6E408.9010004@redhat.com> Message-ID: <1252504755.16260.23.camel@thor.seas.smu.edu> On Tue, 2009-09-08 at 16:08 -0700, Chandrasekar Kannan wrote: > On 09/08/2009 01:04 PM, Morris, Patrick wrote: > > On Tue, 08 Sep 2009, Doug Tucker wrote: > > > > > >> > >>>> OK! The logging was a tremendous help to at least seeing where the > >>>> failure is. When the password change is made on the PDC, passync DOES > >>>> catch it and replicate to 389. However, if the password change occurs > >>>> on the BDC, even though we see the change replicated to the PDC, passync > >>>> is NOT catching it and replicating to 389. Does anyone have any ideas? 
> >>>> > >>>> > >>> I believe The Password Sync Service must be installed on every Active > >>> Directory domain controller. > >>> > >> It appeared that way for no other reason than it wasn't working, but I > >> can't find anything in the documentation to indicate that, and someone > >> else that responded indicated he sees the change after the BDC > >> replicates it to the PDC. Was just hoping for some official word that > >> states that this must be done. > >> > > I'm not seeing anything in the docs either, > > which docs are you referring to ? Have a url ?. > http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html This is what I have been using for how to set this up. I cannot find any reference to the need to install passync on all of the controllers in the domain, it only references the primary. And according to our windows guy here, MS changed terminology, but there is definitely a primary and then the others are bdc's. I agreed that from just a thinking perspective it would have to be done, but then someone in this thread earlier indicated that changes made to his bdc were synced to 389 after it replicated to the pdc, which kinda left me in limbo that I may still have something wrong, and before I have the windows guy start installing it everywhere, I wanted to hear from someone truly "in the know" of what needed to be done. 
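Chandra's advice in this thread is to raise the PassSync "log level" registry value from 0 to 1 and then read passsync.log. The script below is an added example, not code from the 389 project or from anyone on this list: it parses passsync.log lines in the "MM/DD/YY HH:MM:SS: message" shape quoted on this list and reports whether the service ever processed anything or only polled and found "No entries yet" (the symptom in the next message in the archive). The two lifecycle messages and the idle message are the ones quoted on the list; the one non-idle sample line is constructed, and the verdict labels are the example's own.

```python
"""Summarize a PassSync log (added example, not from the 389 project).

Once the PassSync "log level" registry value is raised from 0 to 1 the
service writes passsync.log. The lines quoted on this list look like
"09/09/09 15:04:45: No entries yet"; this script groups them so an
administrator can tell whether the service ever processed an entry or has
only been polling an empty queue.
"""
import re
from collections import Counter
from datetime import datetime

# Line shape taken from the passsync.log excerpt quoted on this list.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): (.*)$")

# Message texts quoted verbatim on this list. Anything else counts as activity.
IDLE_MSG = "No entries yet"
LIFECYCLE_MSGS = frozenset({"PassSync service initialized", "PassSync service running"})

# Sample input: the six lines quoted on the list, plus one constructed
# non-idle line (the text after the timestamp is invented for this example,
# not a real PassSync message) so that both verdicts can be exercised.
IDLE_LOG = """\
09/09/09 15:04:44: PassSync service initialized
09/09/09 15:04:44: PassSync service running
09/09/09 15:04:45: No entries yet
09/09/09 15:12:40: No entries yet
09/09/09 15:26:33: No entries yet
09/09/09 15:35:02: No entries yet
"""
ACTIVE_LOG = IDLE_LOG + "09/09/09 15:40:10: (constructed) example non-idle message\n"


def parse_line(line):
    """Return (timestamp, message) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)


def summarize(text):
    """Classify every line of a passsync.log and return counts plus a verdict.

    verdict is one of (labels chosen for this example):
      "no_log"    - nothing parsed; the log level is probably still 0
      "idle_only" - the service started and polls, but never processed an entry
      "activity"  - at least one message that is neither lifecycle nor idle
    """
    counts = Counter()
    idle_times = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            if raw.strip():
                counts["unparsed"] += 1
            continue
        ts, msg = parsed
        if msg == IDLE_MSG:
            counts["idle"] += 1
            idle_times.append(ts)
        elif msg in LIFECYCLE_MSGS:
            counts["lifecycle"] += 1
        else:
            counts["other"] += 1

    parsed_total = counts["idle"] + counts["lifecycle"] + counts["other"]
    if parsed_total == 0:
        verdict = "no_log"
    elif counts["other"] == 0:
        verdict = "idle_only"
    else:
        verdict = "activity"

    # How long the service has been polling without seeing anything.
    idle_seconds = 0
    if len(idle_times) >= 2:
        idle_seconds = int((max(idle_times) - min(idle_times)).total_seconds())

    return {
        "verdict": verdict,
        "idle": counts["idle"],
        "lifecycle": counts["lifecycle"],
        "other": counts["other"],
        "unparsed": counts["unparsed"],
        "idle_seconds": idle_seconds,
    }


if __name__ == "__main__":
    for name, log in (("idle", IDLE_LOG), ("active", ACTIVE_LOG)):
        print(name, summarize(log))
```

Run against a real passsync.log, an "idle_only" verdict with a growing idle_seconds while users are changing passwords means the domain controller that PassSync is installed on is never the one receiving the cleartext change, which is the situation the thread converges on.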
From hugo.etievant at inrp.fr Wed Sep 9 14:03:31 2009
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Wed, 09 Sep 2009 16:03:31 +0200
Subject: [389-users] Error in passsync service : "No entries yet"
Message-ID: <4AA7B5B3.3020108@inrp.fr>

hello,

My actual architecture :
- two 389DS servers (version 1.1.3) on Fedora8 32bits
- two Active Directory on Windows Server 2003 Standard edition 32bits domain controllers (AD servers are both synchronized with "Active Directory Intrasite Replication")

In January 2009, multimaster replication protocol was enabled between two 389DS, and a passync service installed in only one AD with one replication agreement between the AD server and one 389DS. Password synchronization is successful.

In September 2009, a second AD server is installed with passync service and a second replication agreement between one 389DS and the second AD. But Password synchronization does not work with the second AD.

passsync.log :
09/09/09 15:04:44: PassSync service initialized
09/09/09 15:04:44: PassSync service running
09/09/09 15:04:45: No entries yet
09/09/09 15:12:40: No entries yet
09/09/09 15:26:33: No entries yet
09/09/09 15:35:02: No entries yet

"No entries yet" error message occurs for each user password change on AD. 389DS can't catch windows password change.

my architecture schema :
389DS n°1 ^----MMR-------------------> 389DS n°2
^----Win-Sync-Agreement---> (passsync) AD n°1
^----Win-Sync-Agreement---> (passsync) AD n°2

How can I resolve this problem, please ?
regards

--
* Hugo Étiévant *

From ckannan at redhat.com Wed Sep 9 15:11:02 2009
From: ckannan at redhat.com (Chandrasekar Kannan)
Date: Wed, 09 Sep 2009 08:11:02 -0700
Subject: [389-users] Pass Sync Doesn't Work
In-Reply-To: <1252504755.16260.23.camel@thor.seas.smu.edu>
References: <1252090791.22958.11.camel@thor.seas.smu.edu> <4AA19A89.8030609@redhat.com> <4AA19ED4.1060804@redhat.com> <1252418724.16260.3.camel@thor.seas.smu.edu> <712B6F0C7079C0459DB8A063743A3CB0BE3E03A8@evsxmail1.evscorporation.com> <1252426475.16260.12.camel@thor.seas.smu.edu> <4AA69CEF.8060401@redhat.com> <1252434655.16260.17.camel@thor.seas.smu.edu> <20090908200423.GA16881@bakgwai.americas.hpqcorp.net> <4AA6E408.9010004@redhat.com> <1252504755.16260.23.camel@thor.seas.smu.edu>
Message-ID: <4AA7C586.3040008@redhat.com>

On 09/09/2009 06:59 AM, Doug Tucker wrote:
> On Tue, 2009-09-08 at 16:08 -0700, Chandrasekar Kannan wrote:
>
>> On 09/08/2009 01:04 PM, Morris, Patrick wrote:
>>
>>> On Tue, 08 Sep 2009, Doug Tucker wrote:
>>>
>>>>
>>>>>> OK! The logging was a tremendous help to at least seeing where the
>>>>>> failure is. When the password change is made on the PDC, passync DOES
>>>>>> catch it and replicate to 389. However, if the password change occurs
>>>>>> on the BDC, even though we see the change replicated to the PDC, passync
>>>>>> is NOT catching it and replicating to 389. Does anyone have any ideas?
>>>>>>
>>>>> I believe The Password Sync Service must be installed on every Active
>>>>> Directory domain controller.
>>>>>
>>>> It appeared that way for no other reason than it wasn't working, but I
>>>> can't find anything in the documentation to indicate that, and someone
>>>> else that responded indicated he sees the change after the BDC
>>>> replicates it to the PDC. Was just hoping for some official word that
>>>> states that this must be done.
>>>>
>>> I'm not seeing anything in the docs either,
>>>
>> which docs are you referring to ?
>> Have a url ?.
>>
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync.html
>

updated url http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync.html#Windows_Sync-About_Windows_Sync has a reference to that ...

"The Password Sync Service must be installed on every Active Directory domain controller"

hope that helps...

> This is what I have been using for how to set this up. I cannot find
> any reference to the need to install passync on all of the controllers
> in the domain, it only references the primary. And according to our
> windows guy here, MS changed terminology, but there is definitely a
> primary and then the others are bdc's.
>
> I agreed that from just a thinking perspective it would have to be done,
> but then someone in this thread earlier indicated that changes made to
> his bdc were synced to 389 after it replicated to the pdc, which kinda
> left me in limbo that I may still have something wrong, and before I
> have the windows guy start installing it everywhere, I wanted to hear
> from someone truly "in the know" of what needed to be done.
>

From kevinb at analograils.com Fri Sep 11 02:46:21 2009
From: kevinb at analograils.com (Kevin Bowling)
Date: Thu, 10 Sep 2009 22:46:21 -0400
Subject: [389-users] 389 unusable on F11?
Message-ID: <4AA9B9FD.8090504@analograils.com>

Hi,

I have been running FDS/389 on a F11 xen DomU for several months. I use it as the backend for UNIX username/passwords and also for redMine (a Ruby on Rails bug tracker) for http://www.gnucapplus.org/.

This VM would regularly lock up every week or so when 389 was still called FDS. I've since upgraded to 389 by issuing 'yum upgrade' as well as running the 'setup-...-.pl -u' script and now it barely goes a day before crashing. When ldap crashes, the whole box basically becomes unresponsive.
I left the Xen hardware console open to see what was up and the only thing I could conclude was that 389 was crashing (if I issued a service start it came back to life). Doing anything like a top or ls will completely kill the box. Likewise, the logs show nothing at or before the time of crash. I suspected too few file descriptors but changing that to a very high number had no impact.

I was about to do a rip and replace with OpenLDAP which I use very successfully for our corporate systems but figured I ought to see if anyone here can help or if I can submit any kind of meaningful bug report first. I assume I will need to run 389's slapd without daemonizing it and hope it spits something useful out to stderr. Any advice here would be greatly appreciated, as would any success stories of using 389 on F11.

I'm not subscribed to the list so please CC.

Regards,

Kevin Bowling

From nhosoi at redhat.com Fri Sep 11 16:43:02 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 11 Sep 2009 09:43:02 -0700
Subject: [389-users] 389 unusable on F11?
In-Reply-To: <4AA9B9FD.8090504@analograils.com>
References: <4AA9B9FD.8090504@analograils.com>
Message-ID: <4AAA7E16.5080309@redhat.com>

On 09/10/2009 07:46 PM, Kevin Bowling wrote:
> Hi,
>
> I have been running FDS/389 on a F11 xen DomU for several months. I
> use it as the backend for UNIX username/passwords and also for redMine
> (a Ruby on Rails bug tracker) for http://www.gnucapplus.org/.
>
> This VM would regularly lock up every week or so when 389 was still
> called FDS. I've since upgraded to 389 by issuing 'yum upgrade' as
> well as running the 'setup-...-.pl -u' script and now it barely goes a
> day before crashing. When ldap crashes, the whole box basically
> becomes unresponsive.
>
> I left the Xen hardware console open to see what was up and the only
> thing I could conclude was that 389 was crashing (if I issued a
> service start it came back to life). Doing anything like a top or ls
> will completely kill the box.
> Likewise, the logs show nothing at or
> before the time of crash. I suspected too few file descriptors but
> changing that to a very high number had no impact.
>
> I was about to do a rip and replace with OpenLDAP which I use very
> successfully for our corporate systems but figured I ought to see if
> anyone here can help or if I can submit any kind of meaningful bug
> report first. I assume I will need to run 389's slapd without
> daemonizing it and hope it spits something useful out to stderr. Any
> advice here would be greatly appreciated, as would any success stories
> of using 389 on F11.

Hello Kevin,

You specified the platform "F11 xen DomU". Did you have a chance to run the 389 server on any other platforms? I'm wondering if the crash is observed only on the specific platform or not. Is the server running on a 64-bit machine or 32-bit?

If you start the server with the "-d 1" option, the server will run in trace mode. (E.g., /usr/lib[64]/dirsrv/slapd-YOURID/start-slapd -d 1)

I'm afraid it might be a memory leak. When you restart the 389 server, could you check the size of ns-slapd from time to time, say every hour, and see if the server size keeps growing or stops?

Also, the server quits if it fails to write to the errors log. If it happens, it's logged in the system log. Does the messages file on the system happen to have some logs related to the 389 server?

Thanks,
--noriko

>
> I'm not subscribed to the list so please CC.
>
> Regards,
>
> Kevin Bowling
>

From nhosoi at redhat.com Fri Sep 11 17:23:35 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 11 Sep 2009 10:23:35 -0700
Subject: [389-users] 389 unusable on F11?
In-Reply-To: <4AAA8559.8000900@analograils.com>
References: <4AA9B9FD.8090504@analograils.com> <4AAA7E16.5080309@redhat.com> <4AAA8559.8000900@analograils.com>
Message-ID: <4AAA8797.4020804@redhat.com>

On 09/11/2009 10:14 AM, Kevin Bowling wrote:
> [...]
>
> I captured some output while running in trace, see the end of this
> message. The system is 64-bit, I have not run on any other boxes. A
> cursory look with top showed only 10MB or so RSS memory.

Your server received a shutdown signal. It looks to me it's a normal shutdown... (Not a server crash...)

[11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing
[11/Sep/2009:10:01:39 -0700] - ldbm backend flushing
[11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing
*[11/Sep/2009:10:01:39 -0700] - slapd shutting down - signaling operation threads *
*[11/Sep/2009:10:01:40 -0700] - slapd shutting down - waiting for 30 threads to terminate *
*[11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal
[11/Sep/2009:10:01:40 -0700] - slapd shutting down - waiting for 29 threads to terminate *
[...]
> > Regards, > Kevin > > [11/Sep/2009:09:58:44 -0700] - => id2entry( 48 ) > [11/Sep/2009:09:58:44 -0700] - <= id2entry 7f025401f5a0 (cache) > [11/Sep/2009:09:58:44 -0700] - => id2entry( 50 ) > [11/Sep/2009:09:58:44 -0700] - <= id2entry 7f0254021190 (cache) > [11/Sep/2009:09:58:44 -0700] - => slapi_reslimit_get_integer_limit() > conn=0xa856beb0, handle=3 > [11/Sep/2009:09:58:44 -0700] - <= slapi_reslimit_get_integer_limit() > returning NO VALUE > [11/Sep/2009:09:58:44 -0700] - => slapi_reslimit_get_integer_limit() > conn=0xa856bc60, handle=3 > [11/Sep/2009:09:58:44 -0700] - <= slapi_reslimit_get_integer_limit() > returning NO VALUE > [11/Sep/2009:09:58:44 -0700] - => slapi_reslimit_get_integer_limit() > conn=0xa856bd88, handle=3 > [11/Sep/2009:09:58:44 -0700] - <= slapi_reslimit_get_integer_limit() > returning NO VALUE > [11/Sep/2009:09:58:44 -0700] - => slapi_reslimit_get_integer_limit() > conn=0xa856bb38, handle=3 > [11/Sep/2009:09:58:44 -0700] - <= slapi_reslimit_get_integer_limit() > returning NO VALUE > [11/Sep/2009:09:58:44 -0700] - => slapi_reslimit_get_integer_limit() > conn=0xa856ba10, handle=3 > [11/Sep/2009:09:58:44 -0700] - <= slapi_reslimit_get_integer_limit() > returning NO VALUE > [11/Sep/2009:09:58:44 -0700] - => send_ldap_result 0:: > [11/Sep/2009:09:58:44 -0700] - <= send_ldap_result > [11/Sep/2009:09:58:50 -0700] - ldbm backend flushing > [11/Sep/2009:09:58:50 -0700] - ldbm backend done flushing > [11/Sep/2009:09:58:50 -0700] - ldbm backend flushing > [11/Sep/2009:09:58:50 -0700] - ldbm backend done flushing > [11/Sep/2009:09:59:20 -0700] - ldbm backend flushing > [11/Sep/2009:09:59:20 -0700] - ldbm backend done flushing > [11/Sep/2009:09:59:20 -0700] - ldbm backend flushing > [11/Sep/2009:09:59:20 -0700] - ldbm backend done flushing > [11/Sep/2009:09:59:50 -0700] - ldbm backend flushing > [11/Sep/2009:09:59:50 -0700] - ldbm backend done flushing > [11/Sep/2009:09:59:50 -0700] - ldbm backend flushing > [11/Sep/2009:09:59:50 -0700] - ldbm backend 
done flushing > [11/Sep/2009:10:00:20 -0700] - ldbm backend flushing > [11/Sep/2009:10:00:20 -0700] - ldbm backend done flushing > [11/Sep/2009:10:00:20 -0700] - ldbm backend flushing > [11/Sep/2009:10:00:20 -0700] - ldbm backend done flushing > [11/Sep/2009:10:00:50 -0700] - ldbm backend flushing > [11/Sep/2009:10:01:03 -0700] - ldbm backend done flushing > [11/Sep/2009:10:01:03 -0700] - ldbm backend flushing > [11/Sep/2009:10:01:04 -0700] - ldbm backend done flushing > [11/Sep/2009:10:01:35 -0700] - ldbm backend flushing > [11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing > [11/Sep/2009:10:01:39 -0700] - ldbm backend flushing > [11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing > [11/Sep/2009:10:01:39 -0700] - ldbm backend flushing > [11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing > [11/Sep/2009:10:01:39 -0700] - ldbm backend flushing > [11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing > [11/Sep/2009:10:01:39 -0700] - slapd shutting down - signaling > operation threads > [11/Sep/2009:10:01:40 -0700] - slapd shutting down - waiting for 30 > threads to terminate > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - slapd shutting down - waiting for 29 > threads to terminate > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal > [11/Sep/2009:10:01:41 -0700] - op_thread 
From kevinb at analograils.com Fri Sep 11 17:14:01 2009
From: kevinb at analograils.com (Kevin Bowling)
Date: Fri, 11 Sep 2009 13:14:01 -0400
Subject: [389-users] 389 unusable on F11?
In-Reply-To: <4AAA7E16.5080309@redhat.com>
References: <4AA9B9FD.8090504@analograils.com> <4AAA7E16.5080309@redhat.com>
Message-ID: <4AAA8559.8000900@analograils.com>

On 9/11/2009 12:43 PM, Noriko Hosoi wrote:
> On 09/10/2009 07:46 PM, Kevin Bowling wrote:
>> Hi,
>>
>> I have been running FDS/389 on a F11 xen DomU for several months. I use it as the backend for UNIX username/passwords and also for redMine (a Ruby on Rails bug tracker) for http://www.gnucapplus.org/.
>>
>> This VM would regularly lock up every week or so when 389 was still called FDS.
>> I've since upgraded to 389 by issuing 'yum upgrade' as well as running the 'setup-...-.pl -u' script and now it barely goes a day before crashing. When ldap crashes, the whole box basically becomes unresponsive.
>>
>> I left the Xen hardware console open to see what was up and the only thing I could conclude was that 389 was crashing (if I issued a service start it came back to life). Doing anything like a top or ls will completely kill the box. Likewise, the logs show nothing at or before the time of crash. I suspected too few file descriptors but changing that to a very high number had no impact.
>>
>> I was about to do a rip and replace with OpenLDAP which I use very successfully for our corporate systems but figured I ought to see if anyone here can help or if I can submit any kind of meaningful bug report first. I assume I will need to run 389's slapd without daemonizing it and hope it spits something useful out to stderr. Any advice here would be greatly appreciated, as would any success stories of using 389 on F11.
> Hello Kevin,
>
> You specified the platform "F11 xen DomU". Did you have a chance to run the 389 server on any other platforms? I'm wondering if the crash is observed only on the specific platform or not. Is the server running on the 64-bit machine or 32-bit?
>
> If you start the server with "-d 1" option, the server will run as the trace mode. (E.g., /usr/lib[64]/dirsrv/slapd-YOURID/start-slapd -d 1)
>
> I'm afraid it might be a memory leak. When you restart the 389 server, could you check the size of ns-slapd some time like every hour and see if the server size keeps growing or stops? Also, the server quits if it fails to write to the errors log. If it happens, it's logged in the system log. Does the messages file on the system happen to have some logs related to the 389 server?
>
> Thanks,
> --noriko
>>
>> I'm not subscribed to the list so please CC.
>>
>> Regards,
>>
>> Kevin Bowling
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

I captured some output while running in trace, see the end of this message. The system is 64-bit, I have not run on any other boxes. A cursory look with top showed only 10MB or so RSS memory.

Regards,
Kevin
From kevinb at analograils.com Fri Sep 11 17:25:34 2009
From: kevinb at analograils.com (Kevin Bowling)
Date: Fri, 11 Sep 2009 13:25:34 -0400
Subject: [389-users] 389 unusable on F11?
In-Reply-To: <4AAA8797.4020804@redhat.com>
References: <4AA9B9FD.8090504@analograils.com> <4AAA7E16.5080309@redhat.com> <4AAA8559.8000900@analograils.com> <4AAA8797.4020804@redhat.com>
Message-ID: <4AAA880E.3050505@analograils.com>

On 9/11/2009 1:23 PM, Noriko Hosoi wrote:
> On 09/11/2009 10:14 AM, Kevin Bowling wrote:
>> [...]
>>
>> I captured some output while running in trace, see the end of this message. The system is 64-bit, I have not run on any other boxes. A cursory look with top showed only 10MB or so RSS memory.
> Your server received a shutdown signal. It looks to me it's a normal shutdown... (Not a server crash...)
>
I apologize, I had a script in cron.hourly to restart the service in one of my attempts to circumvent the crash. I've removed this and am running with tracing enabled again, hopefully to catch the culprit!
> [11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing
> [11/Sep/2009:10:01:39 -0700] - ldbm backend flushing
> [11/Sep/2009:10:01:39 -0700] - ldbm backend done flushing
> *[11/Sep/2009:10:01:39 -0700] - slapd shutting down - signaling operation threads *
> *[11/Sep/2009:10:01:40 -0700] - slapd shutting down - waiting for 30 threads to terminate *
> *[11/Sep/2009:10:01:40 -0700] - op_thread received shutdown signal
> [11/Sep/2009:10:01:40 -0700] - slapd shutting down - waiting for 29 threads to terminate *
> [...]

From okelet at gmail.com Tue Sep 15 12:26:09 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Tue, 15 Sep 2009 14:26:09 +0200
Subject: [389-users] 389 upgrade
Message-ID: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com>

Hi

I am trying to upgrade some of our FDS servers. The test versions we are using for upgrade are (the same as the production servers):

[root at fdsold ~]# rpm -qa | grep -i fedora
fedora-ds-dsgw-1.1.1-1.fc6
fedora-ds-1.1.2-1.fc6
fedora-ds-admin-1.1.2-2.fc6
fedora-ds-console-1.1.2-1.fc6
fedora-idm-console-1.1.0-5.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-admin-console-1.1.2-1.fc6

We have two test servers, with replication agreements between them, and SSL configured for directory and console; 389 port is disabled. Then we upgrade FDS/389 with this command (we do not want to upgrade the full server):

yum upgrade 389-admin 389-admin-console 389-console 389-ds 389-ds-base 389-ds-console 389-dsgw

The upgrade is done correctly, then we run "setup-ds-admin.pl -u":

[root at fdsnew ~]# setup-ds-admin.pl -u

==============================================================================
The update option will allow you to re-register your servers with the configuration directory server and update the information about your servers that the console and admin server uses.
You will need your configuration directory server admin ID and password to continue.

Continue? [yes]:

==============================================================================
Please specify the information about your configuration directory server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix, protocol (ldap or ldaps) - this information should be provided in the form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and security has not yet been configured - the file must be in PEM/ASCII format - specify the absolute path and filename

Configuration directory server URL [ldaps://fdsnew.sacyl.es:636/o=NetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [center2.sacyl.es]:
CA certificate filename: /etc/openldap/cacerts/cert-CA-cacert.pem

==============================================================================
The interactive phase is complete. The script will now set up your servers. Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Registering the directory server instances with the configuration directory server . . .
Beginning Admin Server reconfiguration . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Exiting . . .
Log file is '/tmp/setupwDn6B0.log'

And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not. If I use the old item for the administration console (that shows the icon), in the encryption tab, SSL is disabled, but before the upgrade it was enabled, but if I try to access the server with the browser, I must use https (??). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?

Regards and thanks in advance.

From rmeggins at redhat.com Tue Sep 15 14:23:56 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Sep 2009 08:23:56 -0600
Subject: [389-users] 389 upgrade
In-Reply-To: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com>
References: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com>
Message-ID: <4AAFA37C.4020803@redhat.com>

Juan Asensio Sánchez wrote:
> Hi
>
> I am trying to upgrade some of our FDS servers. The test versions we are using for upgrade are (the same as the production servers):
>
> [root at fdsold ~]# rpm -qa | grep -i fedora
> fedora-ds-dsgw-1.1.1-1.fc6
> fedora-ds-1.1.2-1.fc6
> fedora-ds-admin-1.1.2-2.fc6
> fedora-ds-console-1.1.2-1.fc6
> fedora-idm-console-1.1.0-5.fc6
> fedora-ds-base-1.1.3-2.fc6
> fedora-ds-admin-console-1.1.2-1.fc6
>
> We have two test servers, with replication agreements between them, and SSL configured for directory and console; 389 port is disabled.
> Then we upgrade FDS/389 with this command (we do not want to upgrade the full server):
>
> yum upgrade 389-admin 389-admin-console 389-console 389-ds 389-ds-base 389-ds-console 389-dsgw
>
> The upgrade is done correctly, then we run "setup-ds-admin.pl -u":
>
> [root at fdsnew ~]# setup-ds-admin.pl -u
>
> ==============================================================================
> The update option will allow you to re-register your servers with the configuration directory server and update the information about your servers that the console and admin server uses. You will need your configuration directory server admin ID and password to continue.
>
> Continue? [yes]:
>
> ==============================================================================
> Please specify the information about your configuration directory server. The following information is required:
> - host (fully qualified), port (non-secure or secure), suffix, protocol (ldap or ldaps) - this information should be provided in the form of an LDAP url e.g. for non-secure
> ldap://host.example.com:389/o=NetscapeRoot
> or for secure
> ldaps://host.example.com:636/o=NetscapeRoot
> - admin ID and password
> - admin domain
> - a CA certificate file may be required if you choose to use ldaps and security has not yet been configured - the file must be in PEM/ASCII format - specify the absolute path and filename
>
> Configuration directory server URL [ldaps://fdsnew.sacyl.es:636/o=NetscapeRoot]:
> Configuration directory server admin ID [uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot]:
> Configuration directory server admin password:
> Configuration directory server admin domain [center2.sacyl.es]:
> CA certificate filename: /etc/openldap/cacerts/cert-CA-cacert.pem
>
> ==============================================================================
> The interactive phase is complete. The script will now set up your servers.
> Enter No or go Back if you want to change something.
>
> Are you ready to set up your servers? [yes]:
> Registering the directory server instances with the configuration directory server . . .
> Beginning Admin Server reconfiguration . . .
> Registering admin server with the configuration directory server . . .
> Updating adm.conf with information from configuration directory server . . .
> Exiting . . .
> Log file is '/tmp/setupwDn6B0.log'
>
> And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
> One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
What error does it give?
> If I use the old item for the administration console (that shows the icon), in the encryption tab, SSL is disabled, but before the upgrade it was enabled, but if I try to access the server with the browser, I must use https (??). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
>
This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
> Regards and thanks in advance.
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
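A post-upgrade check for the duplicated registrations and the lost SSL flag discussed in this thread, added here as an example (it is not code from the thread or from 389's own tooling). It assumes o=NetscapeRoot has been exported to LDIF, that registration entries carry serverHostName, nsServerPort and nsServerSecurity, and that the product name ("389 ..." vs "Fedora ...") is an RDN of each entry's DN; those attribute names, DNs and hostnames are assumptions and the sample data is constructed.

```python
"""Added example (not from the thread or 389's tooling): spot duplicated
registrations in an LDIF export of o=NetscapeRoot after setup-ds-admin.pl -u.
Assumed: entries carry serverHostName, nsServerPort, nsServerSecurity, and the
product name ("389 ..." vs "Fedora ...") is an RDN of the DN. Data is made up."""
import base64
from collections import defaultdict


def parse_ldif(text):
    """LDIF -> list of {attr_lowercase: [values]}; unfolds continuation lines,
    decodes base64 ("attr:: ...") values and skips comment lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # folded line: drop the single leading space
        else:
            logical.append(raw)
    logical.append("")                     # blank terminator flushes the last record
    records, entry = [], {}
    for line in logical:
        if line == "":
            if entry:
                records.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return records


def product_family(dn):
    """'389' or 'Fedora' from the product RDN of a registration DN, else 'other'."""
    for rdn in dn.split(","):
        value = rdn.strip().split("=", 1)[-1]
        if value.startswith("389 "):
            return "389"
        if value.startswith("Fedora "):
            return "Fedora"
    return "other"


def find_duplicate_registrations(ldif_text):
    """Group registrations by (host, port); for groups with more than one entry
    report the DN to keep (389), the stale DNs, and whether the copies disagree
    on nsServerSecurity (the SSL-shown-as-disabled symptom from the thread)."""
    groups = defaultdict(list)
    for rec in parse_ldif(ldif_text):
        if "serverhostname" in rec and "nsserverport" in rec:
            groups[(rec["serverhostname"][0].lower(), rec["nsserverport"][0])].append(rec)
    report = []
    for (host, port), recs in sorted(groups.items()):
        if len(recs) < 2:
            continue
        dns = [r["dn"][0] for r in recs]
        security = {r.get("nsserversecurity", ["unset"])[0].lower() for r in recs}
        report.append({
            "host": host, "port": port,
            "keep": [d for d in dns if product_family(d) == "389"],
            "stale": [d for d in dns if product_family(d) != "389"],
            "ssl_mismatch": len(security) > 1,
            "ssl_values": sorted(security),
        })
    return report


# Constructed sample: both the old (Fedora) and new (389) registrations exist,
# and the admin server copies disagree on SSL. The first DN is folded.
SAMPLE_LDIF = """\
dn: cn=slapd-fdsnew, cn=Fedora Directory Server, cn=Server Group,
  cn=fdsnew.example.com, ou=center2.example.com, o=NetscapeRoot
serverHostName: fdsnew.example.com
nsServerPort: 636
nsServerSecurity: on

dn: cn=slapd-fdsnew, cn=389 Directory Server, cn=Server Group, cn=fdsnew.example.com, ou=center2.example.com, o=NetscapeRoot
serverHostName: fdsnew.example.com
nsServerPort: 636
nsServerSecurity: on

dn: cn=admin-serv-fdsnew, cn=Fedora Administration Server, cn=Server Group, cn=fdsnew.example.com, ou=center2.example.com, o=NetscapeRoot
description:: QWRtaW4gU2VydmVy
serverHostName: fdsnew.example.com
nsServerPort: 9830
nsServerSecurity: on

dn: cn=admin-serv-fdsnew, cn=389 Administration Server, cn=Server Group, cn=fdsnew.example.com, ou=center2.example.com, o=NetscapeRoot
serverHostName: fdsnew.example.com
nsServerPort: 9830
nsServerSecurity: off
"""
```

Run it against a real export with `find_duplicate_registrations(open("netscaperoot.ldif").read())`; a group whose copies disagree on nsServerSecurity is the one whose live SSL state should be verified on the server itself rather than trusted from the console.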
From jonas at bravenet.com Tue Sep 15 23:07:02 2009
From: jonas at bravenet.com (Jonas Courteau)
Date: Tue, 15 Sep 2009 16:07:02 -0700
Subject: [389-users] Syncing Active/Inactive status through Windows Sync
Message-ID: <1253056022.22563.6.camel@jcourteau-desktop>

Hello all:

I've currently got Active Directory (on Windows 2003) syncing nicely with DS, but I'm noticing that the AD Disabled/Enabled status is not syncing with the DS Active/Inactive status. Looking through all the docs, I don't see any mention that it SHOULD sync, especially seeing as it's not in the table of synced items in the Windows Sync chapter of the manual.

However, I have seen a few posts out and about on the Internet that imply that the status does sync over, but nothing definitive. Anyone able to provide the final word on if this is supposed to work or not?

Thanks!

Jonas Courteau

From rmeggins at redhat.com Wed Sep 16 00:00:47 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 15 Sep 2009 18:00:47 -0600
Subject: [389-users] Syncing Active/Inactive status through Windows Sync
In-Reply-To: <1253056022.22563.6.camel@jcourteau-desktop>
References: <1253056022.22563.6.camel@jcourteau-desktop>
Message-ID: <4AB02AAF.6030604@redhat.com>

Jonas Courteau wrote:
> Hello all:
>
> I've currently got Active Directory (on Windows 2003) syncing nicely
> with DS, but I'm noticing that the AD Disabled/Enabled status is not
> syncing with the DS Active/Inactive status. Looking through all the
> docs, I don't see any mention that it SHOULD sync, especially seeing as
> it's not in the table of synced items in the Windows Sync chapter of the
> manual.
>
> However, I have seen a few posts out and about on the Internet that
> imply that the status does sync over, but nothing definitive. Anyone
> able to provide the final word on if this is supposed to work or not?
>
It is not supposed to work.
It does not work.

> Thanks!
>
> Jonas Courteau

From okelet at gmail.com Wed Sep 16 08:53:29 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Wed, 16 Sep 2009 10:53:29 +0200
Subject: [389-users] 389 upgrade
In-Reply-To: <4AAFA37C.4020803@redhat.com>
References: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com> <4AAFA37C.4020803@redhat.com>
Message-ID: <52a9d2e30909160153s77ee881fmbdd2298f5cb97e70@mail.gmail.com>

>> And reboot... After that, when connecting with the console, we have
>> two entries for the directory server and two for the administration
>> server.
>
> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are
> the real ones.

Is there any bug open about this and how to fix/remove these entries?

>> One of each does not show the icon it should, and when I click
>> on it, it tries to download new jars, but it can not.
>
> What error does it give?

Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files.
Please ensure that the appropiate console package is installed on the
Administration Server.
HTTP response timeout

I think it is trying to get the files with http instead of https, although I have connected to the console with https.

>> If I use the old
>> item for the administration console (that shows the icon), in the
>> encryption tab , SSL is disabled, but before the upgrade it was
>> enabled, but if i try to access the server with the browser, i must
>> use https (??). Why is SSL disabled? And if it is disabled, why must I
>> access using https? Is there any step I haven't done?
>>
>
> This is also a bug.
> The update procedure does not preserve the SSL settings
> for your old (Fedora) servers when it adds the new (389) servers.

But how can I connect to the console with https if the upgrade has disabled it?

From hugo.etievant at inrp.fr Wed Sep 16 09:19:24 2009
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Wed, 16 Sep 2009 11:19:24 +0200
Subject: [389-users] Error in passsync service : "No entries yet"
In-Reply-To: <4AA7B5B3.3020108@inrp.fr>
References: <4AA7B5B3.3020108@inrp.fr>
Message-ID: <4AB0AD9C.4010307@inrp.fr>

Hello,

I have more information about this error.

In fact the error message "No entries yet" replaces the old message "Failed to load entries from file", which means that the file "%sysPath\\system32\\passhook.dat" used by the passsync service cannot store passwords in this passhook.dat file
cf : https://bugzilla.redhat.com/show_bug.cgi?id=471408

I have restarted the Windows box after installing PassSync.msi in order to have the passhook.dll plugin registered.
But that does not solve my problem.

Why can entries not be loaded from the passhook file?

Regards

Hugo Etievant wrote:
> hello,
>
> My actual architecture :
> - two 389DS server (version 1.1.3) on Fedora8 32bits
> - two Active Directory on Windows Server 2003 Standard edition 32bits
> domain controller (AD servers are both synchronized with "Active
> Directory Intrasite Replication")
>
> In January 2009, multimaster replication protocol was enabled between
> two 389DS, and a passync service installed in only one AD with one
> replication agreement between the AD server and one 389DS.
> Password synchronization is successful.
>
> In September 2009, a second AD server is installed with passync
> service and a second replication agreement between one 389DS and the
> second AD.
> But Password synchronization does not work with the second AD.
>
> passsync.log :
> 09/09/09 15:04:44: PassSync service initialized
> 09/09/09 15:04:44: PassSync service running
> 09/09/09 15:04:45: No entries yet
> 09/09/09 15:12:40: No entries yet
> 09/09/09 15:26:33: No entries yet
> 09/09/09 15:35:02: No entries yet
>
> The "No entries yet" error message occurs for each user password change on
> AD.
> 389DS can't catch the Windows password change.
>
> my architecture schema :
> 389DS n°1
> ^----MMR-------------------> 389DS n°2
> ^----Win-Sync-Agreement---> (passsync) AD n°1
> ^----Win-Sync-Agreement---> (passsync) AD n°2
>
> How can I resolve this problem, please ?
>
>
> regards
>

--
* Hugo Étiévant *

From michel.urvoy at gmail.com Wed Sep 16 11:24:06 2009
From: michel.urvoy at gmail.com (Michel Urvoy)
Date: Wed, 16 Sep 2009 13:24:06 +0200
Subject: [389-users] 389-DS install problem on CentOS
Message-ID:

Hi,

I have tried to install 389-ds-base 1.2.2-1.el5 (i386) on CentOS from the dirsrv repos, but the public key is missing.
I get :
Public key for 389-ds-base-1.2.2-1.el5.i386.rpm is not installed.
From where can I get the key?

From okelet at gmail.com Wed Sep 16 11:31:58 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Wed, 16 Sep 2009 13:31:58 +0200
Subject: [389-users] 389-DS install problem on CentOS
In-Reply-To:
References:
Message-ID: <52a9d2e30909160431g165d0ba5t49962c12c6c9b4bc@mail.gmail.com>

http://directory.fedoraproject.org/wiki/Download:

rpm --import 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA7B02652'

2009/9/16 Michel Urvoy :
> Hi,
> I have tried to install 389-ds-base 1.2.2-1.el5 (i386) on CentOS from
> the dirsrv repos, but the public key is missing.
> I get :
> Public key for 389-ds-base-1.2.2-1.el5.i386.rpm is not installed.
> From where can I get the key?
From rmeggins at redhat.com Wed Sep 16 13:22:00 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 16 Sep 2009 07:22:00 -0600
Subject: [389-users] Error in passsync service : "No entries yet"
In-Reply-To: <4AB0AD9C.4010307@inrp.fr>
References: <4AA7B5B3.3020108@inrp.fr> <4AB0AD9C.4010307@inrp.fr>
Message-ID: <4AB0E678.1060905@redhat.com>

Hugo Etievant wrote:
> hello,
>
> I have more information about this error.
>
> In fact the error message "No entries yet" replaces the old message
> "Failed to load entries from file", which means that the file
> "%sysPath\\system32\\passhook.dat" used by the passsync service cannot
> store passwords in this passhook.dat file
> cf : https://bugzilla.redhat.com/show_bug.cgi?id=471408
>
> I have restarted the Windows box after installing PassSync.msi in order
> to have the passhook.dll plugin registered.
> But that does not solve my problem.
>
> Why can entries not be loaded from the passhook file?

Because there are no entries in the file. Try changing the password of a user on the Windows box.

>
>
> Regards
>
>
>
> Hugo Etievant wrote:
>> hello,
>>
>> My actual architecture :
>> - two 389DS server (version 1.1.3) on Fedora8 32bits
>> - two Active Directory on Windows Server 2003 Standard edition 32bits
>> domain controller (AD servers are both synchronized with "Active
>> Directory Intrasite Replication")
>>
>> In January 2009, multimaster replication protocol was enabled between
>> two 389DS, and a passync service installed in only one AD with one
>> replication agreement between the AD server and one 389DS.
>> Password synchronization is successful.
>>
>> In September 2009, a second AD server is installed with passync
>> service and a second replication agreement between one 389DS and the
>> second AD.
>> But Password synchronization does not work with the second AD.
>>
>> passsync.log :
>> 09/09/09 15:04:44: PassSync service initialized
>> 09/09/09 15:04:44: PassSync service running
>> 09/09/09 15:04:45: No entries yet
>> 09/09/09 15:12:40: No entries yet
>> 09/09/09 15:26:33: No entries yet
>> 09/09/09 15:35:02: No entries yet
>>
>> The "No entries yet" error message occurs for each user password change
>> on AD.
>> 389DS can't catch the Windows password change.
>>
>> my architecture schema :
>> 389DS n°1
>> ^----MMR-------------------> 389DS n°2
>> ^----Win-Sync-Agreement---> (passsync) AD n°1
>> ^----Win-Sync-Agreement---> (passsync) AD n°2
>>
>> How can I resolve this problem, please ?
>>
>>
>> regards
>>
>

From hugo.etievant at inrp.fr Wed Sep 16 13:35:18 2009
From: hugo.etievant at inrp.fr (Hugo Etievant)
Date: Wed, 16 Sep 2009 15:35:18 +0200
Subject: [389-users] Error in passsync service : "No entries yet"
In-Reply-To: <4AB0E678.1060905@redhat.com>
References: <4AA7B5B3.3020108@inrp.fr> <4AB0AD9C.4010307@inrp.fr> <4AB0E678.1060905@redhat.com>
Message-ID: <4AB0E996.3080601@inrp.fr>

Rich Megginson wrote:
> Hugo Etievant wrote:
>> hello,
>>
>> I have more information about this error.
>>
>> In fact the error message "No entries yet" replaces the old message
>> "Failed to load entries from file", which means that the file
>> "%sysPath\\system32\\passhook.dat" used by the passsync service cannot
>> store passwords in this passhook.dat file
>> cf : https://bugzilla.redhat.com/show_bug.cgi?id=471408
>>
>> I have restarted the Windows box after installing PassSync.msi in
>> order to have the passhook.dll plugin registered.
>> But that does not solve my problem.
>>
>> Why can entries not be loaded from the passhook file?
> Because there are no entries in the file. Try changing the password
> of a user on the Windows box.
I changed the user password (many times, for many users) on the Windows box, but I get the same message "No entries yet" each time.
The same error occurs when a user password is reset by the Administrator.
Rebooting the Windows Server does not change the facts.

regards

--
* Hugo Étiévant *

From kenneho.ndu at gmail.com Fri Sep 18 15:10:36 2009
From: kenneho.ndu at gmail.com (Kenneth Holter)
Date: Fri, 18 Sep 2009 17:10:36 +0200
Subject: [389-users] Problems with password syntax checking: invalid password syntax
Message-ID:

Hi all.

I'm running Red Hat Directory Server 8.1.0, and am having some problems with password syntax checking. When I don't enable the syntax checking, everything works fine. But when I enable it, it seems to discard even pretty strong passwords. In the example below I've configured password syntax checking like this:

- Password minimum length: 8
- Minimum required character categories: 1
- Minimum token length: 3 (btw, don't know why I need to set this)

The new password I try to change to has two digits, four lower case letters, one uppercase letter, and one special character. So it should be far more complicated than the above settings call for. This is the output:

#### Output start
[root at server ~]# ssh kenneth at localhost
kenneth at localhost's password:
You are required to change your LDAP password immediately.
Last login: Fri Sep 18 16:37:26 2009 from localhost.localdomain

Welcome to the server!

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user kenneth.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
invalid password syntax - passwords with storage scheme are not allowed
passwd: Permission denied
Connection to localhost closed.
##### Output end

So basically what I'm wondering about is exactly which constraint I'm violating.
In other words, what does the "password with storage scheme are not allowed" tell me?

Best regards,
Kenneth Holter

From nkinder at redhat.com Fri Sep 18 15:28:12 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 18 Sep 2009 08:28:12 -0700
Subject: [389-users] Problems with password syntax checking: invalid password syntax
In-Reply-To:
References:
Message-ID: <4AB3A70C.6090702@redhat.com>

On 09/18/2009 08:10 AM, Kenneth Holter wrote:
> Hi all.
> I'm running Red Hat Directory Server 8.1.0, and am having some
> problems with password syntax checking. When I don't enable the syntax
> checking, everything works fine. But when I enable it, it seems to
> discard even pretty strong passwords. In the example below I've
> configured password syntax checking like this:
>
> * Password minimum length: 8
> * Minimum required character categories: 1
> * Minimum token length: 3 (btw, don't know why I need to set this)
>
This is the token length to use for a "trivial words" check. This prevents someone from using portions of their cn, uid, etc. values in their password. The values are broken into tokens of this length and the password is then checked to see if any of the tokens exist.

> The new password I try to change to has two digits, four lower case
> letters, one uppercase letter, and one special character. So it should
> be far more complicated than the above settings call for. This is the
> output:
> #### Output start
> [root at server ~]# ssh kenneth at localhost
> kenneth at localhost's password:
> You are required to change your LDAP password immediately.
> Last login: Fri Sep 18 16:37:26 2009 from localhost.localdomain
>
> Welcome to the server!
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user kenneth.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Constraint violation
> invalid password syntax - passwords with storage scheme are not allowed
> passwd: Permission denied
> Connection to localhost closed.
>
> ##### Output end
> So basically what I'm wondering about is exactly which constraint I'm
> violating. In other words, what does the "password with storage scheme
> are not allowed" tell me?

Your password is being hashed by your client system before it is sent to the Directory Server. This is not allowed since the server would have no way to enforce its password policy against a pre-hashed password. You need to configure /etc/ldap.conf to send the clear text password to the LDAP server. You should use SSL/TLS to protect the password in transit.

> Best regards,
> Kenneth Holter

From mclayton at speakeasy.net Sat Sep 19 17:03:14 2009
From: mclayton at speakeasy.net (Mike Clayton)
Date: Sat, 19 Sep 2009 11:03:14 -0600
Subject: [389-users] added schema not showing up in admin console
Message-ID: <1253379794.24448.6.camel@minibox.poolofdespair.net>

I am trying to configure bind to talk directly to 389-ds. I have converted the dnszone.schema file that ships with bind-sdb to ldif using:

perl ol-schema-migrate.pl -b /etc/openldap/schema/dnszone.schema > /etc/dirsrv/slapd-dc0/schema/61bind-dns.ldif

and restarted the dirsrv service. But I can't seem to find an object class or anything for dnsZone. I looked in the logs and did not see any mention of dnsZone.
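The checks Nathan Kinder describes in his reply above (the trivial-words token check, the category and length minimums, and the refusal of a value that already carries a storage-scheme prefix), as an added Python model. This is not 389 Directory Server's own code; the error strings other than the one from Kenneth's session, the five character categories and the sample entry are assumptions of the example.

```python
"""Model of the password syntax checks discussed in this thread.

Added example; it is not 389 Directory Server's own code. It models the
settings Kenneth configured (minimum length 8, minimum 1 character
category, token length 3 for the trivial-words check that Nathan
describes) and the check behind the exact error he received: a value
that already carries a storage-scheme prefix such as {SSHA} is refused
because the server cannot evaluate a pre-hashed password.
"""
import re
from typing import Dict, Optional, Set

# Policy values as given in the thread (constructed mapping, not a real
# 389 DS config entry).
POLICY = {
    "passwordMinLength": 8,
    "passwordMinCategories": 1,
    "passwordMinTokenLength": 3,
}

# A userPassword value beginning with "{SCHEME}" has already been hashed
# by the client (for example "{SSHA}..." or "{crypt}...").
STORAGE_SCHEME_RE = re.compile(r"^\{[A-Za-z0-9_-]+\}")

# The first message is the literal one from Kenneth's session; the others
# are made up for this example.
ERR_STORAGE_SCHEME = "invalid password syntax - passwords with storage scheme are not allowed"
ERR_TOO_SHORT = "invalid password syntax - password must be at least {} characters long"
ERR_CATEGORIES = "invalid password syntax - password must contain at least {} character categories"
ERR_TRIVIAL = "invalid password syntax - password contains part of the user's {} value"


def has_storage_scheme(value: str) -> bool:
    """True when the value looks like '{SSHA}...' rather than clear text."""
    return STORAGE_SCHEME_RE.match(value) is not None


def count_categories(password: str) -> int:
    """Count the character categories present. The five categories used
    here (lower, upper, digit, special, 8-bit) are an assumption of the
    example, modelled on the categories the server documents."""
    seen: Set[str] = set()
    for c in password:
        if ord(c) > 127:
            seen.add("8bit")
        elif c.islower():
            seen.add("lower")
        elif c.isupper():
            seen.add("upper")
        elif c.isdigit():
            seen.add("digit")
        else:
            seen.add("special")
    return len(seen)


def tokens_of(value: str, token_len: int) -> Set[str]:
    """Break an attribute value into every substring of token_len characters
    (case-folded), as the trivial-words check described in the thread does.
    A value shorter than token_len yields no tokens."""
    v = value.lower()
    return {v[i:i + token_len] for i in range(len(v) - token_len + 1)}


def check_password(password: str, user_attrs: Dict[str, str],
                   policy: Dict[str, int] = POLICY) -> Optional[str]:
    """Return None if the password is accepted, else the violation message.

    user_attrs holds the entry's own naming values (uid, cn, sn, ...)
    whose fragments may not appear in the password.
    """
    # The pre-hashed check comes first: nothing else can be evaluated on
    # a hash, which is why Kenneth's strong password was still refused.
    if has_storage_scheme(password):
        return ERR_STORAGE_SCHEME
    if len(password) < policy["passwordMinLength"]:
        return ERR_TOO_SHORT.format(policy["passwordMinLength"])
    if count_categories(password) < policy["passwordMinCategories"]:
        return ERR_CATEGORIES.format(policy["passwordMinCategories"])
    token_len = policy["passwordMinTokenLength"]
    lowered = password.lower()
    for attr, value in user_attrs.items():
        if any(tok in lowered for tok in tokens_of(value, token_len)):
            return ERR_TRIVIAL.format(attr)
    return None


if __name__ == "__main__":
    # Constructed sample entry for the user in the thread.
    entry = {"uid": "kenneth", "cn": "Kenneth Holter", "sn": "Holter"}
    # Shape of the password Kenneth describes: 2 digits, 4 lower, 1 upper,
    # 1 special (constructed value), then a pre-hashed value like the one
    # his client sent, a trivial-word case, and a too-short one.
    for pw in ("Ab12cd!e", "{SSHA}c2FsdHNhbHQ=", "Kenneth1!", "Ab1!"):
        print(repr(pw), "->", check_password(pw, entry) or "accepted")
```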
Have I missed something, or am I just not looking in the right places?

Mike

From okelet at gmail.com Mon Sep 21 07:07:28 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Mon, 21 Sep 2009 09:07:28 +0200
Subject: [389-users] Problems starting dirsrv-admin
Message-ID: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com>

Hi

For some time I have been having trouble starting dirsrv-admin. It worked fine, but now it doesn't start. When I run /etc/init.d/dirsrv-admin start, the process hangs, and after 10 minutes I get this error:

[root at XXXXXX ~]# /etc/init.d/dirsrv-admin start
Starting dirsrv-admin:
*** Error: dirsrv-admin failed to start                    [FALLÓ]

If I run this command manually, using strace for debugging, the last lines before a segmentation fault are these (full output attached):

[root at XXXXXX ~]# strace /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf -e debug -X
[...]
open("/etc/hosts", O_RDONLY)            = 6
fcntl64(6, F_GETFD)                     = 0
fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f99000
read(6, "# Do not remove the following li"..., 4096) = 505
read(6, "", 4096)                       = 0
close(6)                                = 0
munmap(0xb7f99000, 4096)                = 0
open("/etc/hosts", O_RDONLY)            = 6
fcntl64(6, F_GETFD)                     = 0
fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f99000
read(6, "# Do not remove the following li"..., 4096) = 505
close(6)                                = 0
munmap(0xb7f99000, 4096)                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6
fcntl64(6, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(6, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("XX.XX.XX.XX")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=6, events=POLLPRI|POLLOUT}], 1, 5000) = 1 ([{fd=6, revents=POLLOUT}])
getsockopt(6, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
getpeername(6, {sa_family=AF_INET, sin_port=htons(636), sin_addr=inet_addr("XX.XX.XX.XX")}, [16]) = 0
time(NULL)                              = 1253515556
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

XX.XX.XX.XX is the IP address of the server.

[root at XXXXXX ~]# rpm -qa | grep fedora
fedora-ds-admin-1.1.1-1.fc6
fedora-ds-1.1.0-3.fc6
fedora-ds-base-1.1.0-3.fc6
fedora-admin-console-1.1.0-4.fc6
fedora-idm-console-1.1.0-5.fc6
fedora-ds-console-1.1.0-5.fc6

[root at XXXXXX ~]# uname -a
Linux XXXXXXXXXXXXXXXXXXX 2.6.18-128.1.10.el5.centos.plusPAE #1 SMP Mon May 11 07:51:33 EDT 2009 i686 i686 i386 GNU/Linux

Any idea why this is happening? The LDAP server itself is working fine.

Regards.

From okelet at gmail.com Mon Sep 21 07:11:40 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Mon, 21 Sep 2009 09:11:40 +0200
Subject: [389-users] Re: Problems starting dirsrv-admin
In-Reply-To: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com>
References: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com>
Message-ID: <52a9d2e30909210011i1ac79dd5ye314c36e45bb319a@mail.gmail.com>

Hi again

I forgot to say that, running /etc/init.d/dirsrv-admin start, after the error, I can see that the http daemon is running, but not listening on the port it should:

[root at XXXXXXXXXXXX ~]# ps aux | grep admin
root 29413 0.0 0.0 5060 2084 pts/0 S 08:54 0:00 /usr/sbin/nss_pcache off /etc/dirsrv/admin-serv
root 29417 0.0 0.0 27176 2324 ? S 08:54 0:00 /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
root 30925 0.0 0.0 3940 740 pts/0 S+ 09:07 0:00 grep admin
[root at XXXXXXXXXXXX ~]# netstat -ptan | grep ":2000"
[root at XXXXXXXXXXXX ~]#

Attached now the full output of strace.

Regards.

On 21 September 2009 09:07, Juan Asensio Sánchez wrote:
> Hi
>
> For some time I have been having trouble starting dirsrv-admin. It worked
> fine, but now it doesn't start.
> When I run /etc/init.d/dirsrv-admin
> start, the process hangs, and after 10 minutes I get this error:
>
> [root at XXXXXX ~]# /etc/init.d/dirsrv-admin start
> Starting dirsrv-admin:
> *** Error: dirsrv-admin failed to start                    [FALLÓ]
>
> If I run this command manually, using strace for debugging, the last lines
> before a segmentation fault are these (full output attached):
>
> [root at XXXXXX ~]# strace /usr/sbin/httpd.worker -k start -f
> /etc/dirsrv/admin-serv/httpd.conf -e debug -X
> [...]
> open("/etc/hosts", O_RDONLY)            = 6
> fcntl64(6, F_GETFD)                     = 0
> fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
> fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f99000
> read(6, "# Do not remove the following li"..., 4096) = 505
> read(6, "", 4096)                       = 0
> close(6)                                = 0
> munmap(0xb7f99000, 4096)                = 0
> open("/etc/hosts", O_RDONLY)            = 6
> fcntl64(6, F_GETFD)                     = 0
> fcntl64(6, F_SETFD, FD_CLOEXEC)         = 0
> fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f99000
> read(6, "# Do not remove the following li"..., 4096) = 505
> close(6)                                = 0
> munmap(0xb7f99000, 4096)                = 0
> socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6
> fcntl64(6, F_GETFL)                     = 0x2 (flags O_RDWR)
> fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
> connect(6, {sa_family=AF_INET, sin_port=htons(636),
> sin_addr=inet_addr("XX.XX.XX.XX")}, 16) = -1 EINPROGRESS (Operation
> now in progress)
> poll([{fd=6, events=POLLPRI|POLLOUT}], 1, 5000) = 1 ([{fd=6, revents=POLLOUT}])
> getsockopt(6, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
> getpeername(6, {sa_family=AF_INET, sin_port=htons(636),
> sin_addr=inet_addr("XX.XX.XX.XX")}, [16]) = 0
> time(NULL)                              = 1253515556
> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
> +++ killed by SIGSEGV +++
>
> XX.XX.XX.XX is the IP address of the server.
>
> [root at XXXXXX ~]# rpm -qa | grep fedora
> fedora-ds-admin-1.1.1-1.fc6
> fedora-ds-1.1.0-3.fc6
> fedora-ds-base-1.1.0-3.fc6
> fedora-admin-console-1.1.0-4.fc6
> fedora-idm-console-1.1.0-5.fc6
> fedora-ds-console-1.1.0-5.fc6
>
> [root at XXXXXX ~]# uname -a
> Linux XXXXXXXXXXXXXXXXXXX 2.6.18-128.1.10.el5.centos.plusPAE #1 SMP
> Mon May 11 07:51:33 EDT 2009 i686 i686 i386 GNU/Linux
>
> Any idea why this is happening? The LDAP server itself is working fine.
>
> Regards.
>

From bbahar3 at gmail.com Mon Sep 21 07:40:48 2009
From: bbahar3 at gmail.com (Eric)
Date: Mon, 21 Sep 2009 12:10:48 +0430
Subject: [389-users] 389-ds-1.2.jar console error
Message-ID: <38a27c8c0909210040v6ed3cfe9w145112df4997712b@mail.gmail.com>

Hi

I had fedora-ds-1.1.3 installed on a VPS running CentOS 5.3. Its console was opened from another CentOS 5 machine. I have upgraded the CentOS 5 system and now it opens the console with this error: failed to install a local copy of 389-ds-1.2.jar. I didn't change anything on my server. What happened?

From emmanuel.billot at ird.fr Mon Sep 21 11:35:29 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Mon, 21 Sep 2009 13:35:29 +0200
Subject: [389-users] Tunning
Message-ID: <4AB76501.4040405@ird.fr>

Hi,

I'm searching for best practice documentation about tuning the DB, like
nsslapd-lookthroughlimit
nsslapd-sizelimit

Our DIT contains 20 000 entries. What parameters can we use, and how, to have the best configured dirsrv?
RG,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From allanhougham at hotmail.com Mon Sep 21 15:57:32 2009
From: allanhougham at hotmail.com (Allan Gaston Hougham)
Date: Mon, 21 Sep 2009 15:57:32 +0000
Subject: [389-users] Configuring Multimaster Replication
In-Reply-To: <1253379794.24448.6.camel@minibox.poolofdespair.net>
References: <1253379794.24448.6.camel@minibox.poolofdespair.net>
Message-ID:

Hi,

I am trying to create a Multimaster Replication (two masters only, active-active) and I tried this solution, but it is not working:
http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication

Is it possible to have two master servers? Does anyone have this implementation in production?

Thanks a lot!!

Allan

From psundaram at wgen.net Mon Sep 21 15:59:10 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 21 Sep 2009 11:59:10 -0400
Subject: [389-users] SASL mapping question
Message-ID:

Dear All,

I have a few questions related to SASL mapping in 389-ds. I am using Windows AD as the Kerberos server and here's the tree in both 389-ds and AD.

In Active Directory:
Users are located in different OUs like FullTime, PartTime, Contractors etc.
example: ou=FullTime, OU=Users, OU=CompanyName,DC=ADDomain,DC=com

In 389-DS
Users are located only in one OU
example: ou=People,DC=ldapdomain,DC=com

<<<<<<<>>>>>>

1. Is my SASL mapping correct?

nsSaslMapRegexString: \(.*\)@ldapdomain.com
nsSaslFilterTemplate: (objectclass=user)
nsSaslBaseDNTemplate: sAMAccountName=\1,ou=Users,ou=CompanyName,dc=ADDomain,dc=com

2. Since users are in sub-OUs in ADDomain, do I have to create a separate SASL mapping for each OU?
If so, then how will 389-ds know whether the user is in the PartTime OU and not in the FullTime OU?

3. How many SASL mappings should I have? By default I see 4 listed; should I remove all the others? I have read the corresponding RFCs but am not sure why I need them.

Thanks,
Prashanth

From rmeggins at redhat.com Mon Sep 21 17:23:37 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Sep 2009 11:23:37 -0600
Subject: [389-users] Re: Problems starting dirsrv-admin
In-Reply-To: <52a9d2e30909210011i1ac79dd5ye314c36e45bb319a@mail.gmail.com>
References: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com> <52a9d2e30909210011i1ac79dd5ye314c36e45bb319a@mail.gmail.com>
Message-ID: <4AB7B699.6000306@redhat.com>

Juan Asensio Sánchez wrote:
> Hi again
>
> I forgot to say that, running /etc/init.d/dirsrv-admin start, after
> the error, I can see that the http daemon is running, but not
> listening on the port it should:
>
> [root at XXXXXXXXXXXX ~]# ps aux | grep admin
> root 29413 0.0 0.0 5060 2084 pts/0 S 08:54 0:00
> /usr/sbin/nss_pcache off /etc/dirsrv/admin-serv
> root 29417 0.0 0.0 27176 2324 ? S 08:54 0:00
> /usr/sbin/httpd.worker -k start -f /etc/dirsrv/admin-serv/httpd.conf
> root 30925 0.0 0.0 3940 740 pts/0 S+ 09:07 0:00 grep admin
> [root at XXXXXXXXXXXX ~]# netstat -ptan | grep ":2000"
> [root at XXXXXXXXXXXX ~]#
>
> Attached now the full output of strace.
>
According to the strace, it is bound to port 2000:
bind(3, {sa_family=AF_INET, sin_port=htons(2000), sin_addr=inet_addr("0.0.0.0")}, 16) = 0

What's in the admin server error log? /var/log/dirsrv/admin-serv/error ?

> Regards.
>
>
> On 21 September 2009 09:07, Juan Asensio Sánchez wrote:
>
>> Hi
>>
>> For some time I have been having trouble starting dirsrv-admin. It worked
>> fine, but now it doesn't start.
>> When I run /etc/init.d/dirsrv-admin
>> start, the process hangs, and after 10 minutes I get this error:
>>
>> [root at XXXXXX ~]# /etc/init.d/dirsrv-admin start
>> Starting dirsrv-admin:
>> *** Error: dirsrv-admin failed to start [FALLÓ]
>>
>> If I run this command manually, using strace for debugging, the last lines
>> before a segmentation fault are these (full output attached):
>>
>> [root at XXXXXX ~]# strace /usr/sbin/httpd.worker -k start -f
>> /etc/dirsrv/admin-serv/httpd.conf -e debug -X
>> [...]
>> open("/etc/hosts", O_RDONLY) = 6
>> fcntl64(6, F_GETFD) = 0
>> fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
>> fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>> 0) = 0xb7f99000
>> read(6, "# Do not remove the following li"..., 4096) = 505
>> read(6, "", 4096) = 0
>> close(6) = 0
>> munmap(0xb7f99000, 4096) = 0
>> open("/etc/hosts", O_RDONLY) = 6
>> fcntl64(6, F_GETFD) = 0
>> fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
>> fstat64(6, {st_mode=S_IFREG|0644, st_size=505, ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
>> 0) = 0xb7f99000
>> read(6, "# Do not remove the following li"..., 4096) = 505
>> close(6) = 0
>> munmap(0xb7f99000, 4096) = 0
>> socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6
>> fcntl64(6, F_GETFL) = 0x2 (flags O_RDWR)
>> fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0
>> connect(6, {sa_family=AF_INET, sin_port=htons(636),
>> sin_addr=inet_addr("XX.XX.XX.XX")}, 16) = -1 EINPROGRESS (Operation
>> now in progress)
>> poll([{fd=6, events=POLLPRI|POLLOUT}], 1, 5000) = 1 ([{fd=6, revents=POLLOUT}])
>> getsockopt(6, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
>> getpeername(6, {sa_family=AF_INET, sin_port=htons(636),
>> sin_addr=inet_addr("XX.XX.XX.XX")}, [16]) = 0
>> time(NULL) = 1253515556
>> --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>> +++ killed by SIGSEGV +++
>>
>> XX.XX.XX.XX is the IP address of the server.
>>
>> [root at XXXXXX ~]# rpm -qa | grep fedora
>> fedora-ds-admin-1.1.1-1.fc6
>> fedora-ds-1.1.0-3.fc6
>> fedora-ds-base-1.1.0-3.fc6
>> fedora-admin-console-1.1.0-4.fc6
>> fedora-idm-console-1.1.0-5.fc6
>> fedora-ds-console-1.1.0-5.fc6
>>
>> [root at XXXXXX ~]# uname -a
>> Linux XXXXXXXXXXXXXXXXXXX 2.6.18-128.1.10.el5.centos.plusPAE #1 SMP
>> Mon May 11 07:51:33 EDT 2009 i686 i686 i386 GNU/Linux
>>
>> Any idea why this is happening? The LDAP server itself is working fine.
>>
>> Regards.
>>

From jfenal at gmail.com Mon Sep 21 19:55:32 2009
From: jfenal at gmail.com (Jérôme Fenal)
Date: Mon, 21 Sep 2009 21:55:32 +0200
Subject: [389-users] Tunning
In-Reply-To: <4AB76501.4040405@ird.fr>
References: <4AB76501.4040405@ird.fr>
Message-ID: <40a14bc10909211255y4c0bdd59w747637f4a32c2aca@mail.gmail.com>

2009/9/21 Emmanuel BILLOT :
> Hi,
>
> I'm searching for best practice documentation about tuning the DB, like
> nsslapd-lookthroughlimit
> nsslapd-sizelimit
>
> Our DIT contains 20 000 entries. What parameters can we use, and how, to
> have the best configured dirsrv?
>

Hi Emmanuel,

Did you check this documentation?
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes.html#About_Indexes-Overview_of_the_Searching_Algorithm

The answer will depend on your entries, and on what you want to achieve.

Given the number of entries in your directory, and the memory available in today's servers, setting those values to the number of entries should be fine.

Regards,

J.
From andrey.ivanov at polytechnique.fr Mon Sep 21 20:03:12 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Mon, 21 Sep 2009 22:03:12 +0200
Subject: [389-users] Tunning
In-Reply-To: <4AB76501.4040405@ird.fr>
References: <4AB76501.4040405@ird.fr>
Message-ID: <1601b8650909211303i1a84e8dj9c0a88e6814667df@mail.gmail.com>

Hello Emmanuel,

you may take a look at this thread:
https://www.redhat.com/archives/fedora-directory-users/2009-June/msg00178.html, the matter is discussed in detail.

Using indexes where necessary is generally your best bet :)

Here is our memory config for about 8000 entries:

#dn: cn=config,cn=ldbm database,cn=plugins,cn=config
# nsslapd-lookthroughlimit: 20000
# nsslapd-dbcachesize: 268435456
# nsslapd-db-checkpoint-interval: 15
#
#dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
# nsslapd-cachememsize: 5242880 (memory in bytes, 5 MB, the database is small)
# nsslapd-cachesize: -1 (max number of entries, left at the default)
#
#dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
# nsslapd-cachememsize: 104857600 (on average, in my experience, 5 KB/entry - sized for 20000 entries)
# nsslapd-cachesize: -1 (max number of entries, left at the default)

@+

2009/9/21 Emmanuel BILLOT :
> Hi,
>
> I'm searching for a best practice documentation about tuning DB, like
> nsslapd-lookthroughlimit
> nsslapd-sizelimit
>
> Our DIT contains 20 000 entries, what parameters can we use and how for having a best configured dirsrv ?
>
> RG,

From rmeggins at redhat.com Mon Sep 21 20:18:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 21 Sep 2009 14:18:09 -0600
Subject: [389-users] 389 upgrade
In-Reply-To: <52a9d2e30909160153s77ee881fmbdd2298f5cb97e70@mail.gmail.com>
References: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com> <4AAFA37C.4020803@redhat.com> <52a9d2e30909160153s77ee881fmbdd2298f5cb97e70@mail.gmail.com>
Message-ID: <4AB7DF81.9090005@redhat.com>

Juan Asensio Sánchez wrote:
>>> And reboot...
>>> After that, when connecting with the console, we have
>>> two entries for the directory server and two for the administration
>>> server.
>>>
>> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are
>> the real ones.
>>
>
> Is there any bug open about this and how to fix/remove these entries?
>
There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493

389 1.2.3 will contain code to fix these issues during update - this code is now in our SCM - Unfortunately, fixing/removing these entries manually will be tricky
>
>>> One of each does not show the icon it should, and when I click
>>> on it, it tries to download new jars, but it can not.
>>>
>> What error does it give?
>>
>
> Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files.
> Please ensure that the appropiate console package is installed on the
> Administration Server.
> HTTP response timeout
>
> I think it is trying to get the files with http instead of https,
> although I have connected to the console with https.
>
One of the side effects of the bug is that it nukes your tls/ssl configuration.
>
>>> If I use the old
>>> item for the administration console (that shows the icon), in the
>>> encryption tab, SSL is disabled, but before the upgrade it was
>>> enabled, but if I try to access the server with the browser, I must
>>> use https (??). Why is SSL disabled? And if it is disabled, why must I
>>> access using https? Is there any step I haven't done?
>>>
>>>
>> This is also a bug. The update procedure does not preserve the SSL settings
>> for your old (Fedora) servers when it adds the new (389) servers.
>>
>
> But how can I connect to the console with https if the upgrade has disabled it?
>
You need to find the entries that the console uses to get the TLS/SSL information:

ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b o=NetscapeRoot objectclass=nsConfig dn

you can ignore the entries that start with cn=task summary

For the entry that begins with cn=configuration, cn=admin-serv-..... do an ldapmodify like this:

ldapmodify -x -D "cn=directory manager" -w yourpassword
dn: cn=configuration, cn=admin-serv-.....
changetype: modify
replace: nsServerSecurity
nsServerSecurity: on

For the entries that begin with cn=slapd-........ do an ldapmodify like this:

ldapmodify -x -D "cn=directory manager" -w yourpassword
dn: cn=slapd-.......
changetype: modify
replace: nsServerSecurity
nsServerSecurity: on

You should also verify the nsSecureServerPort attribute in the cn=slapd-.... entries if you used a port other than 636.

After you make these changes, restart your admin server (service dirsrv-admin restart), then try the console again.

From psundaram at wgen.net Tue Sep 22 03:02:43 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Mon, 21 Sep 2009 23:02:43 -0400
Subject: [389-users] PAM PTA partially working

Hello,

PS: I am sorry to paste such a big error log.

I spent some time tweaking the PAM PTA plug-in, so I can authenticate users against Active Directory. I configured the PAM PTA plug-in, krb5.conf and /etc/pam.d/ldapserver for Kerberos authentication against AD.

So to begin with I had only one user in 389-ds which is the same as the local account name (uid=psundaram) on the DS. With all the configuration set, I was able to get the ldapsearch working for this user.
Even when I change the password on the AD side, I can use the new password to show ldif results.

[root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=psundaram,ou=People,dc=fedorads,dc=net" -W -x

[root@centos-lin ~]# less /var/log/dirsrv/slapd-centos-lin/errors
[21/Sep/2009:18:08:30 -0400] NSACLPlugin - #### conn=2 op=1 binddn=""
[21/Sep/2009:18:08:30 -0400] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(cn=change-sie-password,cn=commands,cn=admin-serv-centos-lin,cn=389 administration server,cn=server group,cn=centos-lin.fedorads.net,ou=fedorads.net,o=netscaperoot).attr(nsExecRef) to anonymous: no aci matched the subject by aci(16): aciname= "SIE Group (centos-lin)", acidn="o=netscaperoot"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(dc) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on attr): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(cn) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
[21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)

But when I created another account, uid=tjordan, which exists in AD as well (but does not have a local account like the above user), the authentication fails.
[root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=tjordan,ou=People,dc=fedorads,dc=net" -W -x
Enter LDAP Password:
ldap_bind: Operations error (1)
        additional info: Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]

less /var/log/dirsrv/slapd-centos-lin/errors
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
[21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]

From what I see, there is something related to anonymous bind, but I am not sure what that is. Can someone help me understand what the problem is and how I can fix it, if you know?

Here is my PAM PTA

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamExcludeSuffix: o=NetscapeRoot
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: FALSE
pamSecure: FALSE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin
modifiersName: cn=directory manager
modifyTimestamp: 20090921225438Z

Thanks,
Prashanth

From okelet at gmail.com Tue Sep 22 06:47:12 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Tue, 22 Sep 2009 08:47:12 +0200
Subject: [389-users] Re: Problems starting dirsrv-admin
In-Reply-To: <4AB7B699.6000306@redhat.com>
References: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com> <52a9d2e30909210011i1ac79dd5ye314c36e45bb319a@mail.gmail.com> <4AB7B699.6000306@redhat.com>
Message-ID: <52a9d2e30909212347k388a2325r3cdb85cdf22618c8@mail.gmail.com>

>
> According to the strace, it is bound to port 2000:
> bind(3, {sa_family=AF_INET, sin_port=htons(2000),
> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
>

Yes, we changed the default configuration.

> What's in the admin server error log? /var/log/dirsrv/admin-serv/error
> ?

This is the content of the file (from last restart):

[Tue Sep 22 08:30:33 2009] [info] mod_unique_id: using ip addr 10.40.38.9
[Tue Sep 22 08:30:34 2009] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Tue Sep 22 08:30:34 2009] [info] Init: Initializing (virtual) servers for SSL
[Tue Sep 22 08:30:34 2009] [info] Configuring server for SSL protocol
[Tue Sep 22 08:30:34 2009] [info] SSL2 is not supported
[Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(592): Enabling SSL3
[Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(597): Enabling TLS
[Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(768): Configuring permitted SSL ciphers [-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5]
[Tue Sep 22 08:30:34 2009] [info] Using nickname ldapb1-cert.
[Tue Sep 22 08:30:34 2009] [info] Server: Apache/2.2.9, Interface: mod_nss/2.2.9, Library: NSS/3.12.0.3
[Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2238): [30763] Cache expiration set to 600 seconds
[Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2341): Added StartConfigDs task entry [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-XXXXXXXXXXXXXXXXXXX,cn=fedora administration server,cn=server group,cn=XXXXXXXXXXX.XXXXXXXXX.XXX,ou=XXXXXXXX.XXX,o=netscaperoot:start_config_ds:] for user [LocalSuper]
[Tue Sep 22 08:30:34 2009] [notice] Access Host filter is: *.XXXXXX.XXX
[Tue Sep 22 08:30:34 2009] [notice] Access Address filter is: *
[Tue Sep 22 08:30:34 2009] [info] Shutting down SSL Session ID Cache
[Tue Sep 22 08:30:34 2009] [info] mod_unique_id: using ip addr 10.40.38.9
[Tue Sep 22 08:30:35 2009] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Tue Sep 22 08:30:35 2009] [info] Server: Apache/2.2.9, Interface: mod_nss/2.2.9, Library: NSS/3.12.0.3
[Tue Sep 22 08:30:35 2009] [debug] mod_admserv.c(2238): [30765] Cache expiration set to 600 seconds

From rmeggins at redhat.com Tue Sep 22 13:54:52 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Sep 2009 07:54:52 -0600
Subject: [389-users] PAM PTA partially working
Message-ID: <4AB8D72C.2080703@redhat.com>

Prashanth Sundaram wrote:
> Hello,
>
> PS: I am sorry to paste such a big error log.
>
> I spent some time tweaking the PAM PTA plug-in, so I can authenticate users against Active Directory. I configured the PAM PTA plug-in, krb5.conf, /etc/pam.d/ldapserver for Kerberos authentication against AD.
>
> So to begin with I had only one user in 389-ds which is the same as the local account name (uid=psundaram) on the DS. With all the configuration set, I was able to get the ldapsearch working for this user. Even when I change the password on the AD side, I can use the new password to show ldif results.
>
> [root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=psundaram,ou=People,dc=fedorads,dc=net" -W -x
>
> [root@centos-lin ~]# less /var/log/dirsrv/slapd-centos-lin/errors
> [21/Sep/2009:18:08:30 -0400] NSACLPlugin - #### conn=2 op=1 binddn=""
> [21/Sep/2009:18:08:30 -0400] NSACLPlugin - conn=2 op=1 (main): Deny search on entry(cn=change-sie-password,cn=commands,cn=admin-serv-centos-lin,cn=389 administration server,cn=server group,cn=centos-lin.fedorads.net,ou=fedorads.net,o=netscaperoot).attr(nsExecRef) to anonymous: no aci matched the subject by aci(16): aciname= "SIE Group (centos-lin)", acidn="o=netscaperoot"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(dc=fedorads,dc=net).attr(dc) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on attr): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(cn=directory administrators,dc=fedorads,dc=net).attr(cn) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - #### conn=3 op=1 binddn="uid=psundaram,ou=people,dc=fedorads,dc=net"
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow search on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (on entry): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(NULL) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached context/parent allow
> [21/Sep/2009:22:13:44 -0400] NSACLPlugin - conn=3 op=1 (main): Allow read on entry(ou=groups,dc=fedorads,dc=net).attr(objectClass) to uid=psundaram,ou=people,dc=fedorads,dc=net: cached allow by aci(2)
>
>
>
> But when I created another account, uid=tjordan, which exists in AD as well (but does not have a local account like the above user), the authentication fails.
>
> [root@centos-lin ~]# ldapsearch -h centos-lin.fedorads.net -b "dc=fedorads,dc=net" -D "uid=tjordan,ou=People,dc=fedorads,dc=net" -W -x
> Enter LDAP Password:
> ldap_bind: Operations error (1)
>         additional info: Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
>
>
> less /var/log/dirsrv/slapd-centos-lin/errors
> [21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Error from PAM during pam_authenticate (6: Permission denied)
> [21/Sep/2009:22:36:48 -0400] pam_passthru-plugin - Unknown PAM error [Permission denied] for user id [tjordan], bind DN [uid=tjordan,ou=people,dc=fedorads,dc=net]
>
>
> From what I see, there is something related to anonymous bind, but I am not sure what that is. Can someone help me understand what the problem is and how I can fix it, if you know?
>
Does it work if you create a local user account for uid=tjordan?
>
> Here is my PAM PTA
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: libpam-passthru-plugin
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamExcludeSuffix: cn=config
> pamExcludeSuffix: o=NetscapeRoot
> pamIDMapMethod: RDN
> pamIDAttr: notUsedWithRDNMethod
> pamFallback: FALSE
> pamSecure: FALSE
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.2.2
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
> modifiersName: cn=directory manager
> modifyTimestamp: 20090921225438Z
>
>
>
> Thanks,
> Prashanth
>
From rmeggins at redhat.com Tue Sep 22 13:57:07 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Sep 2009 07:57:07 -0600
Subject: [389-users] Re: Problems starting dirsrv-admin
In-Reply-To: <52a9d2e30909212347k388a2325r3cdb85cdf22618c8@mail.gmail.com>
References: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com> <52a9d2e30909210011i1ac79dd5ye314c36e45bb319a@mail.gmail.com> <4AB7B699.6000306@redhat.com> <52a9d2e30909212347k388a2325r3cdb85cdf22618c8@mail.gmail.com>
Message-ID: <4AB8D7B3.8050903@redhat.com>

Juan Asensio Sánchez wrote:
>> According to the strace, it is bound to port 2000:
>> bind(3, {sa_family=AF_INET, sin_port=htons(2000),
>> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
>>
>>
>
> Yes, we changed the default configuration.
>
>
>> What's in the admin server error log? /var/log/dirsrv/admin-serv/error
>> ?
>>
>
> This is the content of the file (from last restart):
>
> [Tue Sep 22 08:30:33 2009] [info] mod_unique_id: using ip addr 10.40.38.9
> [Tue Sep 22 08:30:34 2009] [info] Initializing SSL Session Cache of
> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Tue Sep 22 08:30:34 2009] [info] Init: Initializing (virtual) servers for SSL
> [Tue Sep 22 08:30:34 2009] [info] Configuring server for SSL protocol
> [Tue Sep 22 08:30:34 2009] [info] SSL2 is not supported
> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(592): Enabling SSL3
> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(597): Enabling TLS
> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(768): Configuring
> permitted SSL ciphers
> [-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5]
> [Tue Sep 22 08:30:34 2009] [info] Using nickname ldapb1-cert.
> [Tue Sep 22 08:30:34 2009] [info] Server: Apache/2.2.9, Interface:
> mod_nss/2.2.9, Library: NSS/3.12.0.3
> [Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2238): [30763] Cache
> expiration set to 600 seconds
> [Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2341): Added
> StartConfigDs task entry
> [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-XXXXXXXXXXXXXXXXXXX,cn=fedora
> administration server,cn=server
> group,cn=XXXXXXXXXXX.XXXXXXXXX.XXX,ou=XXXXXXXX.XXX,o=netscaperoot:start_config_ds:]
> for user [LocalSuper]
> [Tue Sep 22 08:30:34 2009] [notice] Access Host filter is: *.XXXXXX.XXX
> [Tue Sep 22 08:30:34 2009] [notice] Access Address filter is: *
> [Tue Sep 22 08:30:34 2009] [info] Shutting down SSL Session ID Cache
> [Tue Sep 22 08:30:34 2009] [info] mod_unique_id: using ip addr 10.40.38.9
> [Tue Sep 22 08:30:35 2009] [info] Initializing SSL Session Cache of
> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
> [Tue Sep 22 08:30:35 2009] [info] Server: Apache/2.2.9, Interface:
> mod_nss/2.2.9, Library: NSS/3.12.0.3
> [Tue Sep 22 08:30:35 2009] [debug] mod_admserv.c(2238): [30765] Cache
> expiration set to 600 seconds
>
And after this you get a SEGV?

From psundaram at wgen.net Tue Sep 22 14:14:07 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Tue, 22 Sep 2009 10:14:07 -0400
Subject: [389-users] PAM PTA partially working

Yes, it works when there is a matching local user account.
From rmeggins at redhat.com Tue Sep 22 14:28:04 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Sep 2009 08:28:04 -0600
Subject: [389-users] PAM PTA partially working
Message-ID: <4AB8DEF4.30700@redhat.com>

Prashanth Sundaram wrote:
>
> Yes, it works when there is a matching local user account.
do you mean an account in /etc/passwd? or an account in LDAP?

From psundaram at wgen.net Tue Sep 22 14:32:05 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Tue, 22 Sep 2009 10:32:05 -0400
Subject: [389-users] PAM PTA partially working

The account in /etc/passwd..

> Prashanth Sundaram wrote:
>>
>> Yes, it works when there is a matching local user account.
> do you mean an account in /etc/passwd? or an account in LDAP?

From rmeggins at redhat.com Tue Sep 22 14:36:11 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Sep 2009 08:36:11 -0600
Subject: [389-users] PAM PTA partially working
Message-ID: <4AB8E0DB.7010900@redhat.com>

Prashanth Sundaram wrote:
> The account in /etc/passwd..
Seems like a pam problem and/or misconfiguration then - if it finds the entry using pam_krb5, it should never look at /etc/passwd.
>
> Prashanth Sundaram wrote:
>>
>> Yes, it works when there is a matching local user account.
> do you mean an account in /etc/passwd? or an account in LDAP?
>

From psundaram at wgen.net Tue Sep 22 14:42:19 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Tue, 22 Sep 2009 10:42:19 -0400
Subject: [389-users] PAM PTA partially working
In-Reply-To: <4AB8E0DB.7010900@redhat.com>

Here is my /etc/pam.d/ldapserver

auth        sufficient    /lib/security/pam_krb5.so use_first_pass forwardable
password    sufficient    /lib/security/pam_krb5.so use_authtok
session     optional      /lib/security/pam_krb5.so
account     sufficient    /lib/security/pam_krb5.so

To revisit, here's the observation: pamsecure when set to TRUE authenticates users only to the password in 389-ds, but when set to FALSE will authenticate to the AD password only if the uid exists in /etc/passwd.

On 9/22/09 10:36 AM, "Rich Megginson" wrote:

> Prashanth Sundaram wrote:
>> The account in /etc/passwd..
> Seems like a pam problem and/or misconfiguration then - if it finds the
> entry using pam_krb5, it should never look at /etc/passwd.
>>
>> Prashanth Sundaram wrote:
>>>
>>> Yes, it works when there is a matching local user account.
>>
>> do you mean an account in /etc/passwd? or an account in LDAP?
>>
>

From okelet at gmail.com Tue Sep 22 15:07:15 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Tue, 22 Sep 2009 17:07:15 +0200
Subject: [389-users] Re: Problems starting dirsrv-admin
In-Reply-To: <4AB8D7B3.8050903@redhat.com>
References: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com> <52a9d2e30909210011i1ac79dd5ye314c36e45bb319a@mail.gmail.com> <4AB7B699.6000306@redhat.com> <52a9d2e30909212347k388a2325r3cdb85cdf22618c8@mail.gmail.com> <4AB8D7B3.8050903@redhat.com>
Message-ID: <52a9d2e30909220807v6401e382h83a1ea3cde52380a@mail.gmail.com>

2009/9/22 Rich Megginson :
> Juan Asensio Sánchez wrote:
>>> According to the strace, it is bound to port 2000:
>>> bind(3, {sa_family=AF_INET, sin_port=htons(2000),
>>> sin_addr=inet_addr("0.0.0.0")}, 16) = 0
>>>
>>
>> Yes, we changed the default configuration.
>>
>>> What's in the admin server error log? /var/log/dirsrv/admin-serv/error
>>> ?
>>
>> This is the content of the file (from last restart):
>>
>> [Tue Sep 22 08:30:33 2009] [info] mod_unique_id: using ip addr 10.40.38.9
>> [Tue Sep 22 08:30:34 2009] [info] Initializing SSL Session Cache of
>> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>> [Tue Sep 22 08:30:34 2009] [info] Init: Initializing (virtual) servers for SSL
>> [Tue Sep 22 08:30:34 2009] [info] Configuring server for SSL protocol
>> [Tue Sep 22 08:30:34 2009] [info] SSL2 is not supported
>> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(592): Enabling SSL3
>> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(597): Enabling TLS
>> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(768): Configuring
>> permitted SSL ciphers
>> [-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5]
>> [Tue Sep 22 08:30:34 2009] [info] Using nickname ldapb1-cert.
>> [Tue Sep 22 08:30:34 2009] [info] Server: Apache/2.2.9, Interface:
>> mod_nss/2.2.9, Library: NSS/3.12.0.3
>> [Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2238): [30763] Cache
>> expiration set to 600 seconds
>> [Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2341): Added
>> StartConfigDs task entry
>> [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-XXXXXXXXXXXXXXXXXXX,cn=fedora
>> administration server,cn=server
>> group,cn=XXXXXXXXXXX.XXXXXXXXX.XXX,ou=XXXXXXXX.XXX,o=netscaperoot:start_config_ds:]
>> for user [LocalSuper]
>> [Tue Sep 22 08:30:34 2009] [notice] Access Host filter is: *.XXXXXX.XXX
>> [Tue Sep 22 08:30:34 2009] [notice] Access Address filter is: *
>> [Tue Sep 22 08:30:34 2009] [info] Shutting down SSL Session ID Cache
>> [Tue Sep 22 08:30:34 2009] [info] mod_unique_id: using ip addr 10.40.38.9
>> [Tue Sep 22 08:30:35 2009] [info] Initializing SSL Session Cache of
>> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
>> [Tue Sep 22 08:30:35 2009] [info] Server: Apache/2.2.9, Interface:
>> mod_nss/2.2.9, Library: NSS/3.12.0.3
>> [Tue Sep 22 08:30:35 2009] [debug] mod_admserv.c(2238): [30765] Cache
>> expiration set to 600 seconds
>>
>
> And after this you get a SEGV?

Yes. That's the output of running /etc/init.d/dirsrv start.
The SEGV is seen when running the command with strace (strace /usr/sbin/httpd.worker -k start -f), called from /usr/sbin/start-ds-admin. No idea why this is happening, because at some point it was working without any problems.

From andrey.ivanov at polytechnique.fr Tue Sep 22 15:21:29 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Tue, 22 Sep 2009 17:21:29 +0200
Subject: [389-users] PAM PTA partially working
References: <4AB8E0DB.7010900@redhat.com>
Message-ID: <1601b8650909220821g479e7c23yd83636d123b26771@mail.gmail.com>

Hi,

You should not verify the users locally (there is a "no_user_check" to add). The authoritative source of validation should be AD/Kerberos.

Here is the config that works for us:

auth       sufficient   /lib/security/pam_krb5.so no_user_check
account    required     /lib/security/pam_krb5.so no_user_check

2009/9/22 Prashanth Sundaram :
> Here is my /etc/pam.d/ldapserver
>
> auth        sufficient    /lib/security/pam_krb5.so use_first_pass
> forwardable
>
> password    sufficient    /lib/security/pam_krb5.so use_authtok
>
> session     optional      /lib/security/pam_krb5.so
>
> account     sufficient    /lib/security/pam_krb5.so
>
>
> To revisit, here's the observation: pamsecure when set to TRUE authenticates
> users only to the password in 389-ds, but when set to FALSE will
> authenticate to the AD password only if the uid exists in /etc/passwd.
>
>
> On 9/22/09 10:36 AM, "Rich Megginson" wrote:
>
>> Prashanth Sundaram wrote:
>>> The account in /etc/passwd..
>> Seems like a pam problem and/or misconfiguration then - if it finds the
>> entry using pam_krb5, it should never look at /etc/passwd.
>>> Prashanth Sundaram wrote:
>>>
>>>     Yes, it works when there is a matching local user account.
>>>
>>> do you mean an account in /etc/passwd? or an account in LDAP?

From rmeggins at redhat.com Tue Sep 22 15:25:30 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Sep 2009 09:25:30 -0600
Subject: [389-users] PAM PTA partially working
In-Reply-To: 
References: 
Message-ID: <4AB8EC6A.4020904@redhat.com>

Prashanth Sundaram wrote:
> Here is my /etc/pam.d/ldapserver
>
> auth        sufficient    /lib/security/pam_krb5.so use_first_pass forwardable
> password    sufficient    /lib/security/pam_krb5.so use_authtok
> session     optional      /lib/security/pam_krb5.so
> account     sufficient    /lib/security/pam_krb5.so
>
> To revisit, here's the observation: pamsecure when set to TRUE authenticates users only to the password in 389-ds, but when set to FALSE will authenticate to the AD password only if the uid exists in /etc/passwd.
>
That's really bizarre - the only place where pamSecure is used is here:

    if (cfg->pamptconfig_secure) { /* is a secure connection required? */
        int is_ssl = 0;
        slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
        if (!is_ssl) {
            slapi_log_error(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                            "<= connection not secure (secure connection required; check config)");
            return retcode;
        }
    }

That is, if pamSecure is true, requests will be rejected unless using TLS/SSL. Do you have your directory server configured to use TLS/SSL when using pamSecure: TRUE?

> On 9/22/09 10:36 AM, "Rich Megginson" wrote:
>
>> Prashanth Sundaram wrote:
>>
>>> The account in /etc/passwd..
>>>
>> Seems like a pam problem and/or misconfiguration then - if it finds the entry using pam_krb5, it should never look at /etc/passwd.
>> >>> ------------------------------------------------------------------------ >>> Prashanth Sundaram wrote: >>> >>> >>> Yes, it works when there is a matching local user account. >>> >>> do you mean an account in /etc/passwd? or an account in LDAP? >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> 389 users mailing list >>> 389-users redhat com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >>> > > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Tue Sep 22 16:04:08 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Tue, 22 Sep 2009 10:04:08 -0600 Subject: [389-users] Re: Problems starting dirsrv-admin In-Reply-To: <52a9d2e30909220807v6401e382h83a1ea3cde52380a@mail.gmail.com> References: <52a9d2e30909210007y279dcab2tf6ae151d3e4be26a@mail.gmail.com> <52a9d2e30909210011i1ac79dd5ye314c36e45bb319a@mail.gmail.com> <4AB7B699.6000306@redhat.com> <52a9d2e30909212347k388a2325r3cdb85cdf22618c8@mail.gmail.com> <4AB8D7B3.8050903@redhat.com> <52a9d2e30909220807v6401e382h83a1ea3cde52380a@mail.gmail.com> Message-ID: <4AB8F578.4050804@redhat.com> Juan Asensio S?nchez wrote: > 2009/9/22 Rich Megginson : > >> Juan Asensio S?nchez wrote: >> >>>> According to the strace, it is bound to port 2000: >>>> bind(3, {sa_family=AF_INET, sin_port=htons(2000), >>>> sin_addr=inet_addr("0.0.0.0")}, 16) = 0 >>>> >>>> >>>> >>> Yes, we changed the default configuration. >>> >>> >>> >>>> What's in the admin server error log? /var/log/dirsrv/admin-serv/error >>>> ? >>>> >>>> >>> This is the content of the file (from last restart): >>> >>> [Tue Sep 22 08:30:33 2009] [info] mod_unique_id: using ip addr 10.40.38.9 >>> [Tue Sep 22 08:30:34 2009] [info] Initializing SSL Session Cache of >>> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. 
>>> [Tue Sep 22 08:30:34 2009] [info] Init: Initializing (virtual) servers for >>> SSL >>> [Tue Sep 22 08:30:34 2009] [info] Configuring server for SSL protocol >>> [Tue Sep 22 08:30:34 2009] [info] SSL2 is not supported >>> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(592): Enabling SSL3 >>> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(597): Enabling TLS >>> [Tue Sep 22 08:30:34 2009] [debug] nss_engine_init.c(768): Configuring >>> permitted SSL ciphers >>> >>> [-des,-rc2export,-rc4export,-desede3,-rc4,-rc2,+rsa_rc2_40_md5,+rsa_rc4_128_md5,+rsa_3des_sha,+rsa_rc4_40_md5,+fips_des_sha,+fips_3des_sha,+rsa_des_sha,-rsa_null_md5] >>> [Tue Sep 22 08:30:34 2009] [info] Using nickname ldapb1-cert. >>> [Tue Sep 22 08:30:34 2009] [info] Server: Apache/2.2.9, Interface: >>> mod_nss/2.2.9, Library: NSS/3.12.0.3 >>> [Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2238): [30763] Cache >>> expiration set to 600 seconds >>> [Tue Sep 22 08:30:34 2009] [debug] mod_admserv.c(2341): Added >>> StartConfigDs task entry >>> >>> [cn=startconfigds,cn=operation,cn=tasks,cn=admin-serv-XXXXXXXXXXXXXXXXXXX,cn=fedora >>> administration server,cn=server >>> >>> group,cn=XXXXXXXXXXX.XXXXXXXXX.XXX,ou=XXXXXXXX.XXX,o=netscaperoot:start_config_ds:] >>> for user [LocalSuper] >>> [Tue Sep 22 08:30:34 2009] [notice] Access Host filter is: *.XXXXXX.XXX >>> [Tue Sep 22 08:30:34 2009] [notice] Access Address filter is: * >>> [Tue Sep 22 08:30:34 2009] [info] Shutting down SSL Session ID Cache >>> [Tue Sep 22 08:30:34 2009] [info] mod_unique_id: using ip addr 10.40.38.9 >>> [Tue Sep 22 08:30:35 2009] [info] Initializing SSL Session Cache of >>> size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400. >>> [Tue Sep 22 08:30:35 2009] [info] Server: Apache/2.2.9, Interface: >>> mod_nss/2.2.9, Library: NSS/3.12.0.3 >>> [Tue Sep 22 08:30:35 2009] [debug] mod_admserv.c(2238): [30765] Cache >>> expiration set to 600 seconds >>> >>> >> And after this you get a SEGV? >> > > Yes. 
> That's the output of running /etc/init.d/dirsrv start. The SEGV is seen when running the command with strace (strace /usr/sbin/httpd.worker -k start -f), called from /usr/sbin/start-ds-admin. No idea why this is happening because it was sometimes working without any problems.
>
Does it core dump immediately, or after some time?

Try this - ulimit -c unlimited, then start it with /usr/sbin/start-ds-admin

I'm not sure where it will core dump - maybe in /, or in your $PWD, or maybe even in /var/log/dirsrv/admin-serv

From patrick.morris at hp.com Tue Sep 22 15:27:13 2009
From: patrick.morris at hp.com (Morris, Patrick)
Date: Tue, 22 Sep 2009 08:27:13 -0700
Subject: [389-users] Configuring Multimaster Replication
Message-ID: <20090922152713.GC13864@bakgwai.americas.hpqcorp.net>

On Mon, 21 Sep 2009, Allan Gaston Hougham wrote:
> Hi,
>
> I'm trying to create a Multimaster Replication (two masters only, active-active) and I tried with this solution but it is not working
>
> http://directory.fedoraproject.org/wiki/Howto:MultiMasterReplication
>
> Is it possible to have two master servers? Does anyone have this implementation in production?

A couple things:

1. When starting a new thread, don't reply to someone else's message and change the subject. Those of us with threaded mail readers probably won't see it, since your message will be included in a thread on a totally different subject.

2.
Yes, multi-master replication works. Give us some details about what's not working for you and what's in your logs and someone can probably help you out.

From psundaram at wgen.net Tue Sep 22 21:15:08 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Tue, 22 Sep 2009 17:15:08 -0400
Subject: [389-users] PAM PTA partially working
Message-ID: 

Rich,

Andrey's suggestion worked. Yes, I have enabled SSL in the Admin server and Directory Server. But it still would fall back on the 389-ds password when "pamsecure=TRUE". If I set pamsecure=FALSE, the authentication passed through to the AD as intended.

How do I secure the communication between 389-ds and LDAP server? I used wireshark to capture packets, and it's all clear.

> To revisit, here's the observation: pamsecure when set to TRUE authenticates users only to the password in 389-ds, but when set to FALSE will authenticate to the AD password only if the uid exists in /etc/passwd.
>
That's really bizarre - the only place where pamSecure is used is here:

    if (cfg->pamptconfig_secure) { /* is a secure connection required? */
        int is_ssl = 0;
        slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
        if (!is_ssl) {
            slapi_log_error(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
                            "<= connection not secure (secure connection required; check config)");
            return retcode;
        }
    }

That is, if pamSecure is true, requests will be rejected unless using TLS/SSL. Do you have your directory server configured to use TLS/SSL when using pamSecure: TRUE?

From rmeggins at redhat.com Tue Sep 22 21:21:42 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 22 Sep 2009 15:21:42 -0600
Subject: [389-users] PAM PTA partially working
In-Reply-To: 
References: 
Message-ID: <4AB93FE6.2010804@redhat.com>

Prashanth Sundaram wrote:
> Rich,
>
> Andrey's suggestion worked. Yes, I have enabled SSL in the Admin server and Directory Server.
> But it still would fall back on the 389-ds password when "pamsecure=TRUE". If I set pamsecure=FALSE, the authentication passed through to the AD as intended.
>
> How do I secure the communication between 389-ds and LDAP server?
I'm not sure what you mean - 389-ds is the LDAP server?
> I used wireshark to capture packets, and it's all clear.
man pam_ldap - you'll have to configure /etc/ldap.conf to use TLS and provide a CA cert.
>
> To revisit, here's the observation: pamsecure when set to TRUE authenticates users only to the password in 389-ds, but when set to FALSE will authenticate to the AD password only if the uid exists in /etc/passwd.
>
> That's really bizarre - the only place where pamSecure is used is here:
>
>     if (cfg->pamptconfig_secure) { /* is a secure connection required? */
>         int is_ssl = 0;
>         slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl);
>         if (!is_ssl) {
>             slapi_log_error(SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
>                             "<= connection not secure (secure connection required; check config)");
>             return retcode;
>         }
>     }
>
> That is, if pamSecure is true, requests will be rejected unless using TLS/SSL. Do you have your directory server configured to use TLS/SSL when using pamSecure: TRUE?
From okelet at gmail.com Wed Sep 23 06:58:35 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Wed, 23 Sep 2009 08:58:35 +0200
Subject: [389-users] 389 upgrade
In-Reply-To: <4AB7DF81.9090005@redhat.com>
References: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com> <4AAFA37C.4020803@redhat.com> <52a9d2e30909160153s77ee881fmbdd2298f5cb97e70@mail.gmail.com> <4AB7DF81.9090005@redhat.com>
Message-ID: <52a9d2e30909222358v1fe52f9cje1c2182f02a3cdc4@mail.gmail.com>

Hi

Thanks Rich for your help. I finally have upgraded FDS to 389. I'll try to remove the entries in the admin console referring to the old Fedora DS. Now I will test replication and some other things.

One more thing. Where is the parameter to fully disable anonymous connections?

Regards.

2009/9/21 Rich Megginson :
> Juan Asensio Sánchez wrote:
>>>> And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
>>>
>>> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
>>
>> Is there any bug open about this and how to fix/remove these entries?
>
> There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493
>
> 389 1.2.3 will contain code to fix these issues during update - this code is now in our SCM - Unfortunately, fixing/removing these entries manually will be tricky
>
>>>> One of each does not show the icon it should, and when I click on it, it tries to download new jars, but it can not.
>>>
>>> What error does it give?
>>
>> Failed to install a local copy of 389-ds-1.2.jar or one of it supporting files.
>> Please ensure that the appropiate console package is installed on the Administration Server.
>> HTTP response timeout
>>
>> I think it is trying to get the files with http instead of https, although I have connected to the console with https.
>
> One of the side effects of the bug is that it nukes your tls/ssl configuration.
>
>>>> If I use the old item for the administration console (that shows the icon), in the encryption tab, SSL is disabled, but before the upgrade it was enabled, but if I try to access the server with the browser, I must use https (??). Why is SSL disabled? And if it is disabled, why must I access using https? Is there any step I haven't done?
>>>
>>> This is also a bug. The update procedure does not preserve the SSL settings for your old (Fedora) servers when it adds the new (389) servers.
>>
>> But how can I connect to the console with https if the upgrade has disabled it?
>
> You need to find the entries that the console uses to get the TLS/SSL information:
>
>     ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b o=NetscapeRoot objectclass=nsConfig dn
>
> you can ignore the entries that start with cn=task summary
>
> For the entry that begins with cn=configuration, cn=admin-serv-..... do an ldapmodify like this:
>
>     ldapmodify -x -D "cn=directory manager" -w yourpassword
>     dn: cn=configuration, cn=admin-serv-.....
>     changetype: modify
>     replace: nsServerSecurity
>     nsServerSecurity: on
>
> For the entries that begin with cn=slapd-........ do an ldapmodify like this:
>
>     ldapmodify -x -D "cn=directory manager" -w yourpassword
>     dn: cn=slapd-.......
>     changetype: modify
>     replace: nsServerSecurity
>     nsServerSecurity: on
>
> You should also verify the nsSecureServerPort attribute in the cn=slapd-.... entries if you used a port other than 636.
>
> After you make these changes, restart your admin server (service dirsrv-admin restart), then try the console again.
>> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> > > > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > From lejeczek at jatymy.org Wed Sep 23 09:40:14 2009 From: lejeczek at jatymy.org (lejeczek) Date: Wed, 23 Sep 2009 10:40:14 +0100 Subject: [389-users] jar jar jar.. 386-console Message-ID: <4AB9ECFE.2010706@jatymy.org> jar :) dear all, I've always had problems with missing messy jars, particularly after upgrades. does anybody know why, when I fire up 386-console clean, and want to connect to dir or admin server, console complains about being not able to find fedora-ds, fedora-admin respectively. there are no such files on the server, it all 389*jar now, right? which one is it to say what jar should be used, console or admin server? where to go to fix it? it's always felt to me like this part fedora-ds was wobbly. cheers Pawel From rmeggins at redhat.com Wed Sep 23 13:17:34 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 23 Sep 2009 07:17:34 -0600 Subject: [389-users] jar jar jar.. 386-console In-Reply-To: <4AB9ECFE.2010706@jatymy.org> References: <4AB9ECFE.2010706@jatymy.org> Message-ID: <4ABA1FEE.1090903@redhat.com> lejeczek wrote: > jar :) dear all, > I've always had problems with missing messy jars, particularly after > upgrades. > does anybody know why, when I fire up 386-console clean, and want to > connect > to dir or admin server, console complains about being not able to find > fedora-ds, fedora-admin respectively. > there are no such files on the server, it all 389*jar now, right? > > which one is it to say what jar should be used, console or admin server? > where to go to fix it? it's always felt to me like this part fedora-ds > was wobbly. 
https://bugzilla.redhat.com/show_bug.cgi?id=520493 > > cheers > Pawel > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From psundaram at wgen.net Wed Sep 23 14:34:21 2009 From: psundaram at wgen.net (Prashanth Sundaram) Date: Wed, 23 Sep 2009 10:34:21 -0400 Subject: [389-users] PAM PTA partially working Message-ID: Andrey, Thanks for the info. It worked for me. :) Just another question, I want to secure the communication with AD secure. I read that AD is not SSL compatible and supports startTLS. What security mechanism have you used in your systems with AD? http://www.directory.fedora.redhat.com/wiki?title=Server_To_Server_Conn&redi rect=no Hi, You should not verify the users locally (there is a "no_user_check" to add). The authoritative source of validation should be AD/Kerberos. Here is the config that works for us : auth sufficient /lib/security/pam_krb5.so no_user_check account required /lib/security/pam_krb5.so no_user_check -------------- next part -------------- An HTML attachment was scrubbed... URL: From lists at runyanrants.net Wed Sep 23 15:06:12 2009 From: lists at runyanrants.net (Legatus) Date: Wed, 23 Sep 2009 10:06:12 -0500 Subject: [389-users] User password changes Message-ID: I am working in a fairly tight security world, and need a good solution for users to change their own password via a web interface. What are some of the solutions that you have used in your environments? -- JD Runyan Joan Crawford - "I, Joan Crawford, I believe in the dollar. Everything I earn, I spend." -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Wed Sep 23 15:47:16 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 23 Sep 2009 09:47:16 -0600 Subject: [389-users] PAM PTA partially working In-Reply-To: References: Message-ID: <4ABA4304.2080403@redhat.com> Prashanth Sundaram wrote: > > Andrey, > > Thanks for the info. It worked for me. :) Just another question, I > want to secure the communication with AD secure. I read that AD is not > SSL compatible and supports startTLS. AD is TLS/SSL compatible and it supports startTLS. Winsync supports both LDAPS and LDAP with startTLS. > What security mechanism have you used in your systems with AD? > > http://www.directory.fedora.redhat.com/wiki?title=Server_To_Server_Conn&redirect=no > > > > Hi, > > You should not verify the users locally (there is a "no_user_check" to > add). The authoritative source of validation should be AD/Kerberos. > Here is the config that works for us : > > auth sufficient /lib/security/pam_krb5.so no_user_check > account required /lib/security/pam_krb5.so no_user_check > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From lejeczek at jatymy.org Wed Sep 23 19:07:14 2009 From: lejeczek at jatymy.org (lejeczek) Date: Wed, 23 Sep 2009 20:07:14 +0100 Subject: [389-users] template scripts Message-ID: <4ABA71E2.5010607@jatymy.org> dear all quickie, is it possible to manually(not gui) make use of templates files from script-templates, like: db2bak, db2ldif, and perl scripts, basically what I'm trying to do is to take backup and gui console is broken, no tasks have been ever set. 
cheers Pawel From lejeczek at jatymy.org Wed Sep 23 19:17:30 2009 From: lejeczek at jatymy.org (lejeczek) Date: Wed, 23 Sep 2009 20:17:30 +0100 Subject: [389-users] jar jar jar.. 386-console In-Reply-To: <4ABA1FEE.1090903@redhat.com> References: <4AB9ECFE.2010706@jatymy.org> <4ABA1FEE.1090903@redhat.com> Message-ID: <4ABA744A.3010601@jatymy.org> thanks On 23/09/09 14:17, Rich Megginson wrote: > lejeczek wrote: >> jar :) dear all, >> I've always had problems with missing messy jars, particularly after >> upgrades. >> does anybody know why, when I fire up 386-console clean, and want to >> connect >> to dir or admin server, console complains about being not able to find >> fedora-ds, fedora-admin respectively. >> there are no such files on the server, it all 389*jar now, right? >> >> which one is it to say what jar should be used, console or admin server? >> where to go to fix it? it's always felt to me like this part >> fedora-ds was wobbly. > https://bugzilla.redhat.com/show_bug.cgi?id=520493 > >> >> cheers >> Pawel >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: From rmeggins at redhat.com Wed Sep 23 19:22:01 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 23 Sep 2009 13:22:01 -0600 Subject: [389-users] template scripts In-Reply-To: <4ABA71E2.5010607@jatymy.org> References: <4ABA71E2.5010607@jatymy.org> Message-ID: <4ABA7559.7070608@redhat.com> lejeczek wrote: > dear all quickie, > is it possible to manually(not gui) make use of templates files > from script-templates, like: > db2bak, db2ldif, and perl scripts, > basically what I'm trying to do is to take backup and gui console is > broken, > no tasks have been ever set. Do you have the scripts in /usr/lib/dirsrv/slapd-instancename or /usr/lib64/dirsrv/slapd-instancename? > > cheers > Pawel > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature URL: From rmeggins at redhat.com Wed Sep 23 20:51:11 2009 From: rmeggins at redhat.com (Rich Megginson) Date: Wed, 23 Sep 2009 14:51:11 -0600 Subject: [389-users] 389 upgrade In-Reply-To: <52a9d2e30909222358v1fe52f9cje1c2182f02a3cdc4@mail.gmail.com> References: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com> <4AAFA37C.4020803@redhat.com> <52a9d2e30909160153s77ee881fmbdd2298f5cb97e70@mail.gmail.com> <4AB7DF81.9090005@redhat.com> <52a9d2e30909222358v1fe52f9cje1c2182f02a3cdc4@mail.gmail.com> Message-ID: <4ABA8A3F.2090409@redhat.com> Juan Asensio S?nchez wrote: > Hi > > Thanks Rich for your help. I finally have upgraded FDS to 389. I'll > try to remove the entries in the admin console referring to the old > Fedora DS. Now I will test replication and some other things. > > One more thing. Where is the parameter to fully disable anonymous connections? > nsslapd-allow-unauthenticated-binds in cn=config > Regards. 
> > 2009/9/21 Rich Megginson : > >> Juan Asensio S?nchez wrote: >> >>>>> And reboot... After that, when connecting with the console, we have >>>>> two entries for the directory server and two for the administration >>>>> server. >>>>> >>>>> >>>> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones >>>> are >>>> the real ones. >>>> >>>> >>> Is there any bug open about this and how to fix/remove these entries? >>> >>> >> There is a bug open - https://bugzilla.redhat.com/show_bug.cgi?id=520493 >> >> 389 1.2.3 will contain code to fix these issues during update - this code is >> now in our SCM - Unfortunately, fixing/removing these entries manually will >> be tricky >> >>> >>>>> One of each does not show the icon it should, and when I click >>>>> on it, it tries to download new jars, but it can not. >>>>> >>>>> >>>> What error does it give? >>>> >>>> >>> Failed to install a local copy of 389-ds-1.2.jar or one of it supporting >>> files. >>> Please ensure that the appropiate console package is installed on the >>> Administration Server. >>> HTTP response timeout >>> >>> I think it is trying to get the files with http instead of https, >>> although I have connected to the console with https. >>> >>> >> One of the side effects of the bug is that it nukes your tls/ssl >> configuration. >> >>> >>>>> If I use the old >>>>> item for the administration console (that shows the icon), in the >>>>> encryption tab , SSL is disabled, but before the upgrade it was >>>>> enabled, but if i try to access the server with the browser, i must >>>>> use https (??). Why is SSL disabled? And if it is disabled, why must I >>>>> access using https? Is there any step I haven't done? >>>>> >>>>> >>>>> >>>> This is also a bug. The update procedure does not preserve the SSL >>>> settings >>>> for your old (Fedora) servers when it adds the new (389) servers. >>>> >>>> >>> But how can I connect to the console with https if the upgrade has >>> disabled it? 
>>> >>> >> You need to find the entries that the console uses to get the TLS/SSL >> information: >> ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b >> o=NetscapeRoot objectclass=nsConfig dn >> >> you can ignore the entries that start with cn=task summary >> >> For the entry that begins with cn=configuration, cn=admin-serv-..... >> do an ldapmodify like this: >> ldapmodify x -D "cn=directory manager" -w yourpassword >> dn: cn=configuration, cn=admin-serv-..... >> changetype: modify >> replace: nsServerSecurity >> nsServerSecurity: on >> >> >> For the entries that begin with cn=slapd-........ >> do an ldapmodify like this: >> ldapmodify x -D "cn=directory manager" -w yourpassword >> dn: cn=slapd-....... >> changetype: modify >> replace: nsServerSecurity >> nsServerSecurity: on >> >> >> You should also verify the nsSecureServerPort attribute in the cn=slapd-.... >> entries if you used a port other than 636. >> >> After you make these changes, restart your admin server (service >> dirsrv-admin restart), then try the console again. >> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... 
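The ldapsearch/ldapmodify procedure quoted above, as an added example that is not part of the thread or of the 389 project: a Python script that reads the `ldapsearch -LLL` output for the o=NetscapeRoot nsConfig entries, skips the cn=task summary entries, emits the ldapmodify input that sets nsServerSecurity: on for the cn=configuration,cn=admin-serv-* and cn=slapd-* entries, and flags slapd entries whose nsSecureServerPort is not 636. It assumes the search also requested the nsServerSecurity and nsSecureServerPort attributes (the thread's search asks for dn only); the DNs are constructed sample data.

```python
"""Plan the nsServerSecurity fix for console entries under o=NetscapeRoot.

Added example following the procedure in the thread; not project code.
Assumes input is `ldapsearch -LLL` output that requested the attributes
nsServerSecurity and nsSecureServerPort in addition to dn.
"""

# Constructed sample output (hypothetical hosts ldapb1/ldapb2.example.com) of:
#   ldapsearch -LLL -x -D "cn=directory manager" -w ... -b o=NetscapeRoot \
#       objectclass=nsConfig nsServerSecurity nsSecureServerPort
# Long DNs are folded across lines (leading space), as ldapsearch does.
SAMPLE_LDIF = """\
dn: cn=task summary,cn=admin-serv-ldapb1,cn=Fedora Administration Server,cn=
 Server Group,cn=ldapb1.example.com,ou=example.com,o=NetscapeRoot

dn: cn=configuration,cn=admin-serv-ldapb1,cn=Fedora Administration Server,cn
 =Server Group,cn=ldapb1.example.com,ou=example.com,o=NetscapeRoot
nsServerSecurity: off

dn: cn=slapd-ldapb1,cn=Fedora Directory Server,cn=Server Group,cn=ldapb1.exa
 mple.com,ou=example.com,o=NetscapeRoot
nsServerSecurity: off
nsSecureServerPort: 636

dn: cn=slapd-ldapb2,cn=Fedora Directory Server,cn=Server Group,cn=ldapb2.exa
 mple.com,ou=example.com,o=NetscapeRoot
nsServerSecurity: on
nsSecureServerPort: 6360
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(ldif_text):
    """Return a list of (dn, {attr_lowercase: [values]}) for each entry."""
    entries, dn, attrs = [], None, {}
    for line in unfold(ldif_text) + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):            # "attr:: base64" - not expected here
            raise ValueError("base64 values not supported: %r" % line)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def rdn(dn):
    """First RDN of a DN, lower-cased (these DNs contain no escaped commas)."""
    return dn.split(",", 1)[0].strip().lower()


def plan_security_fix(entries, expected_port="636"):
    """Return (modify_ldif, warnings) for the entries the thread says to fix.

    Skips 'cn=task summary'; selects 'cn=configuration,cn=admin-serv-*' and
    'cn=slapd-*'; only entries not already 'on' get a modify record. A slapd
    entry whose nsSecureServerPort differs from expected_port is reported so
    it can be verified by hand, as the thread advises.
    """
    changes, warnings = [], []
    for dn, attrs in entries:
        first = rdn(dn)
        if first == "cn=task summary":
            continue
        is_admin = first == "cn=configuration" and ",cn=admin-serv-" in dn.lower()
        is_slapd = first.startswith("cn=slapd-")
        if not (is_admin or is_slapd):
            continue
        if attrs.get("nsserversecurity", [""])[0].lower() != "on":
            changes.append(dn)
        if is_slapd:
            port = attrs.get("nssecureserverport", ["<missing>"])[0]
            if port != expected_port:
                warnings.append("%s: nsSecureServerPort is %s, expected %s"
                                % (dn, port, expected_port))
    ldif = "".join(
        "dn: %s\nchangetype: modify\nreplace: nsServerSecurity\n"
        "nsServerSecurity: on\n\n" % dn for dn in changes)
    return ldif, warnings


if __name__ == "__main__":
    ldif, warnings = plan_security_fix(parse_ldif(SAMPLE_LDIF))
    print(ldif, end="")   # pipe into: ldapmodify -x -D "cn=directory manager" -W
    for w in warnings:
        print("# WARNING:", w)
```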
From nkinder at redhat.com Wed Sep 23 21:02:51 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 23 Sep 2009 14:02:51 -0700
Subject: [389-users] 389 upgrade
In-Reply-To: <4ABA8A3F.2090409@redhat.com>
References: <52a9d2e30909150526uac7413bo804cab2e845c7e68@mail.gmail.com> <4AAFA37C.4020803@redhat.com> <52a9d2e30909160153s77ee881fmbdd2298f5cb97e70@mail.gmail.com> <4AB7DF81.9090005@redhat.com> <52a9d2e30909222358v1fe52f9cje1c2182f02a3cdc4@mail.gmail.com> <4ABA8A3F.2090409@redhat.com>
Message-ID: <4ABA8CFB.2030300@redhat.com>

On 09/23/2009 01:51 PM, Rich Megginson wrote:
> Juan Asensio Sánchez wrote:
>> Hi
>>
>> Thanks Rich for your help. I finally have upgraded FDS to 389. I'll try to remove the entries in the admin console referring to the old Fedora DS. Now I will test replication and some other things.
>>
>> One more thing. Where is the parameter to fully disable anonymous connections?
> nsslapd-allow-unauthenticated-binds in cn=config
This setting is not for controlling anonymous binds. It is for controlling unauthenticated binds (where a bind DN is specified without a password, which results in anonymous). A true anonymous bind (empty or NULL bind DN) will still be allowed regardless of this setting.

I am working on a new setting for disabling anonymous access right now. This will restrict not only BIND operations, but other operations that are attempted as anonymous since LDAPv3 doesn't require a BIND operation to be performed.
>> Regards.
>>
>> 2009/9/21 Rich Megginson :
>>> Juan Asensio Sánchez wrote:
>>>>>> And reboot... After that, when connecting with the console, we have two entries for the directory server and two for the administration server.
>>>>>
>>>>> Yep, this is a known bug. You can ignore the Fedora ones - the 389 ones are the real ones.
>>>>> >>>> Is there any bug open about this and how to fix/remove these entries? >>>> >>> There is a bug open - >>> https://bugzilla.redhat.com/show_bug.cgi?id=520493 >>> >>> 389 1.2.3 will contain code to fix these issues during update - this >>> code is >>> now in our SCM - Unfortunately, fixing/removing these entries >>> manually will >>> be tricky >>>>>> One of each does not show the icon it should, and when I click >>>>>> on it, it tries to download new jars, but it can not. >>>>>> >>>>> What error does it give? >>>>> >>>> Failed to install a local copy of 389-ds-1.2.jar or one of it >>>> supporting >>>> files. >>>> Please ensure that the appropiate console package is installed on the >>>> Administration Server. >>>> HTTP response timeout >>>> >>>> I think it is trying to get the files with http instead of https, >>>> although I have connected to the console with https. >>>> >>> One of the side effects of the bug is that it nukes your tls/ssl >>> configuration. >>>>>> If I use the old >>>>>> item for the administration console (that shows the icon), in the >>>>>> encryption tab , SSL is disabled, but before the upgrade it was >>>>>> enabled, but if i try to access the server with the browser, i must >>>>>> use https (??). Why is SSL disabled? And if it is disabled, why >>>>>> must I >>>>>> access using https? Is there any step I haven't done? >>>>>> >>>>>> >>>>> This is also a bug. The update procedure does not preserve the SSL >>>>> settings >>>>> for your old (Fedora) servers when it adds the new (389) servers. >>>>> >>>> But how can I connect to the console with https if the upgrade has >>>> disabled it? >>>> >>> You need to find the entries that the console uses to get the TLS/SSL >>> information: >>> ldapsearch -LLL -x -D "cn=directory manager" -w yourpassword -b >>> o=NetscapeRoot objectclass=nsConfig dn >>> >>> you can ignore the entries that start with cn=task summary >>> >>> For the entry that begins with cn=configuration, cn=admin-serv-..... 
>>> do an ldapmodify like this: >>> ldapmodify x -D "cn=directory manager" -w yourpassword >>> dn: cn=configuration, cn=admin-serv-..... >>> changetype: modify >>> replace: nsServerSecurity >>> nsServerSecurity: on >>> >>> >>> For the entries that begin with cn=slapd-........ >>> do an ldapmodify like this: >>> ldapmodify x -D "cn=directory manager" -w yourpassword >>> dn: cn=slapd-....... >>> changetype: modify >>> replace: nsServerSecurity >>> nsServerSecurity: on >>> >>> >>> You should also verify the nsSecureServerPort attribute in the >>> cn=slapd-.... >>> entries if you used a port other than 636. >>> >>> After you make these changes, restart your admin server (service >>> dirsrv-admin restart), then try the console again. >>>> -- >>>> 389 users mailing list >>>> 389-users at redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>>> >>> >>> -- >>> 389 users mailing list >>> 389-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >> >> -- >> 389 users mailing list >> 389-users at redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mikael.kermorgant at gmail.com Wed Sep 23 22:40:01 2009 From: mikael.kermorgant at gmail.com (Mikael Kermorgant) Date: Thu, 24 Sep 2009 00:40:01 +0200 Subject: [389-users] Class of service removal Message-ID: <9711147e0909231540k7b8a279apc32a4c23ae7ef475@mail.gmail.com> Hello, I'm using 389 ds 1.2.0. I've created a class of service on ou=people, which adds an attribute with a specific attribute. 
I've proceeded in 3 steps :
1 - created an object of objectclass nscontainer named cn=cosTemplates at the root of my tree
2 - under that object, created an object of class cosTemplate and extensibleobject - added the desired attribute with default value for ou=people
3 - created a class of service with the wizard "New -> Class of service" by right clicking on ou=people.

Strange thing is that the class of service applies, but I can't find any object that corresponds to the class of service itself.
I tried to search with this filter (objectclass=cos*) but I don't get it.

Would you have any idea about how to find it in order to remove it for example ?

Best regards,

--
Mikael Kermorgant

From mikael.kermorgant at gmail.com Wed Sep 23 22:47:52 2009
From: mikael.kermorgant at gmail.com (Mikael Kermorgant)
Date: Thu, 24 Sep 2009 00:47:52 +0200
Subject: [389-users] Re: Class of service removal
In-Reply-To: <9711147e0909231540k7b8a279apc32a4c23ae7ef475@mail.gmail.com>
References: <9711147e0909231540k7b8a279apc32a4c23ae7ef475@mail.gmail.com>
Message-ID: <9711147e0909231547sb7bc616r5fa678b727741a06@mail.gmail.com>

Hello again,

I've finally found it, but only via browsing slowly among the thousands of accounts under ou=people.

Isn't there a better way to find and edit/remove a class of service ?

Regards,

Mikael Kermorgant

On Thu, Sep 24, 2009 at 12:40 AM, Mikael Kermorgant wrote:
> Hello,
>
> I'm using 389 ds 1.2.0.
>
> I've created a class of service on ou=people, which adds an attribute with a specific attribute.
>
> I've proceeded in 3 steps :
> 1 - created an object of objectclass nscontainer named cn=cosTemplates at the root of my tree
> 2 - under that object, created an object of class cosTemplate and extensibleobject - added the desired attribute with default value for ou=people
> 3 - created a class of service with the wizard "New -> Class of service" by right clicking on ou=people.
>
> Strange thing is that the class of service applies, but I can't find any object that corresponds to the class of service itself.
> I tried to search with this filter (objectclass=cos*) but I don't get it.
>
> Would you have any idea about how to find it in order to remove it for example ?
>
> Best regards,
>
> --
> Mikael Kermorgant
>

--
Mikael Kermorgant

From muzzol at gmail.com Thu Sep 24 06:26:08 2009
From: muzzol at gmail.com (muzzol)
Date: Thu, 24 Sep 2009 08:26:08 +0200
Subject: [389-users] User password changes
In-Reply-To:
References:
Message-ID: <4a3f02760909232326l60ae0c7aq9bd6da72ff1e59e7@mail.gmail.com>

2009/9/23 Legatus :
> I am working in a fairly tight security world, and need a good solution for users to change their own password via a web interface. What are some of the solutions that you have used in your environments?
>

webmin/usermin

--
========================
^ ^ O O (_ _)
muzzol(a)muzzol.com
========================
jabber id: muzzol(a)jabber.dk
========================
Don't attribute human qualities to computers. They don't like it.
========================
"The Spanish government only talks to terrorists, homosexuals and Catalans; let's see when it decides to talk to normal people" Jiménez Losantos
========================
bomb terrorism bush aznar teletubbies

From wxiluo at gmail.com Thu Sep 24 08:57:29 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Thu, 24 Sep 2009 16:57:29 +0800
Subject: [389-users] Migrating a Directory Server from 389-ds to FreeIPA
Message-ID: <97725cf0909240157i3a821982w6eb2ca27d056407f@mail.gmail.com>

Dear Fedora Directory community,

I'm helping my PL migrate Fedora directory server (storing employees info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed up from the command line using the *db2bak* command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files.
After reading the FreeIPA Administrator Guide, I realized there is no *db2bak* or *bak2db* commands for FreeIPA users. So I copy those LDIF files and folders to /var/lib/dirsrv/ directly. Then I run *service dirsvr restart*, the dirsvr instance cannot start anymore. The instance names of 389-ds and FreeIPA are different.

So I want to learn more about 389-ds server. I run *yum install 389-ds* in Fedora 9 i386. I got message: No package 389-ds available. My system is already updated. What's the new name of the 389-ds package?

How can I finish this hard job? Have anybody ever migrated successfully? I need your help..

Best Regards,
Michael

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From okelet at gmail.com Thu Sep 24 09:23:09 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Thu, 24 Sep 2009 11:23:09 +0200
Subject: [389-users] Migrating a Directory Server from 389-ds to FreeIPA
In-Reply-To: <97725cf0909240157i3a821982w6eb2ca27d056407f@mail.gmail.com>
References: <97725cf0909240157i3a821982w6eb2ca27d056407f@mail.gmail.com>
Message-ID: <52a9d2e30909240223i4598a641l6bb5e531a2558214@mail.gmail.com>

2009/9/24 Michael Kang :
> Dear Fedora Directory community,
>
> I'm helping my PL migrate Fedora directory server (storing employees info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed up from the command line using the db2bak command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files.
>
> After reading the FreeIPA Administrator Guide, I realized there is no db2bak or bak2db commands for FreeIPA users. So I copy those LDIF files and folders to /var/lib/dirsrv/ directly. Then I run service dirsvr restart, the dirsvr instance cannot start anymore.
> The instance names of 389-ds and FreeIPA are different.
>
> So I want to learn more about 389-ds server. I run yum install 389-ds in Fedora 9 i386. I got message: No package 389-ds available. My system is already updated. What's the new name of the 389-ds package?
>

Have you added the 389 repositories?

http://directory.fedoraproject.org/wiki/Download

> How can I finish this hard job? Have anybody ever migrated successfully? I need your help..
>
> Best Regards,
> Michael
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>

From wxiluo at gmail.com Thu Sep 24 10:06:00 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Thu, 24 Sep 2009 18:06:00 +0800
Subject: [389-users] Migrating a Directory Server from 389-ds to FreeIPA
In-Reply-To: <52a9d2e30909240223i4598a641l6bb5e531a2558214@mail.gmail.com>
References: <97725cf0909240157i3a821982w6eb2ca27d056407f@mail.gmail.com> <52a9d2e30909240223i4598a641l6bb5e531a2558214@mail.gmail.com>
Message-ID: <97725cf0909240306r5f80e557le03e3fa08706882c@mail.gmail.com>

I did add below repo:

> cd /etc/yum.repos.d
> wget http://directory.fedoraproject.org/sources/idmcommon.repo
> wget http://directory.fedoraproject.org/sources/dirsrv.repo
>

Is that right?

2009/9/24 Juan Asensio Sánchez
> 2009/9/24 Michael Kang :
> > Dear Fedora Directory community,
> >
> > I'm helping my PL migrate Fedora directory server (storing employees info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed up from the command line using the db2bak command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files.
> >
> > After reading the FreeIPA Administrator Guide, I realized there is no db2bak or bak2db commands for FreeIPA users. So I copy those LDIF files and folders to /var/lib/dirsrv/ directly. Then I run service dirsvr restart, the dirsvr instance cannot start anymore. The instance names of 389-ds and FreeIPA are different.
> >
> > So I want to learn more about 389-ds server. I run yum install 389-ds in Fedora 9 i386. I got message: No package 389-ds available. My system is already updated. What's the new name of the 389-ds package?
> >
>
> Have you added the 389 repositories?
>
> http://directory.fedoraproject.org/wiki/Download
>
> > How can I finish this hard job? Have anybody ever migrated successfully? I need your help..
> >
> > Best Regards,
> > Michael
> >
> > --
> > Michael Kang
> > There is a giant asleep within every man. When the giant awakens, miracles happen.
> >
> > Personal blog: http://ufusion.org - United Fusion
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Thu Sep 24 13:50:14 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Sep 2009 07:50:14 -0600
Subject: [389-users] Migrating a Directory Server from 389-ds to FreeIPA
In-Reply-To: <97725cf0909240157i3a821982w6eb2ca27d056407f@mail.gmail.com>
References: <97725cf0909240157i3a821982w6eb2ca27d056407f@mail.gmail.com>
Message-ID: <4ABB7916.9060903@redhat.com>

Michael Kang wrote:
> Dear Fedora Directory community,
>
> I'm helping my PL migrate Fedora directory server (storing employees info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed up from the command line using the */db2bak/* command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files.
db2bak does not produce LDIF files - db2ldif does
>
> After reading the FreeIPA Administrator Guide, I realized there is no */db2bak/* or */bak2db/* commands for FreeIPA users.
They are still there, but you probably don't want to use them. You will have to use db2ldif to export to LDIF, then migrate the LDIF data to the format that IPA expects.
> So I copy those LDIF files and folders to /var/lib/dirsrv/<instance> directly.
Nope, that will not work.
> Then I run */service dirsvr restart/*, the dirsvr instance cannot start anymore. The instance names of 389-ds and FreeIPA are different.
>
> So I want to learn more about 389-ds server. I run */yum install 389-ds/* in Fedora 9 i386. I got message: No package 389-ds available. My system is already updated. What's the new name of the 389-ds package?
Fedora 9 is end of life. There are no 389 binaries for Fedora 9. I suggest upgrading to Fedora 10 or 11.
>
> How can I finish this hard job? Have anybody ever migrated successfully? I need your help..
>
> Best Regards,
> Michael
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From psundaram at wgen.net Thu Sep 24 18:19:35 2009
From: psundaram at wgen.net (Prashanth Sundaram)
Date: Thu, 24 Sep 2009 14:19:35 -0400
Subject: [389-users] Posix attributes plugin
Message-ID:

Thanks Rich and Everyone who helped me with this project. Thanks for being patient and answering my questions :)

I have finally got my 389-ds working and meeting most of requirements, but there is this one last piece which will be great to have: posix Attributes generator/sync

So I was able to sync the users from AD and all the fields are populated except the posix attributes. Is there a generator plugin, that automatically assigns the next uidNumber, defaultshell, default homedir etc to new user synced?

Or is there a tool/configuration to sync posix Attributes from AD? (I don't yet maintain the posix attributes in AD, but if I have to then I will export it for existing users.)
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rmeggins at redhat.com Thu Sep 24 19:49:25 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Sep 2009 13:49:25 -0600
Subject: [389-users] Posix attributes plugin
In-Reply-To:
References:
Message-ID: <4ABBCD45.6080407@redhat.com>

Prashanth Sundaram wrote:
> Thanks Rich and Everyone who helped me with this project.
> Thanks for being patient and answering my questions :)
>
> I have finally got my 389-ds working and meeting most of requirements, but there is this one last piece which will be great to have: posix Attributes generator/sync
>
> So I was able to sync the users from AD and all the fields are populated except the posix attributes. Is there a generator plugin, that automatically assigns the next uidNumber, defaultshell, default homedir etc to new user synced?
The IPA winsync plugin will do this (and sync account enable/disable as well) - this plugin does not work with plain 389-ds.
>
> Or is there a tool/configuration to sync posix Attributes from AD? (I don't yet maintain the posix attributes in AD, but if I have to then I will export it for existing users.)
>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Thu Sep 24 19:49:56 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 24 Sep 2009 13:49:56 -0600
Subject: [389-users] Migrating a Directory Server from 389-ds to FreeIPA
In-Reply-To: <97725cf0909240306r5f80e557le03e3fa08706882c@mail.gmail.com>
References: <97725cf0909240157i3a821982w6eb2ca27d056407f@mail.gmail.com> <52a9d2e30909240223i4598a641l6bb5e531a2558214@mail.gmail.com> <97725cf0909240306r5f80e557le03e3fa08706882c@mail.gmail.com>
Message-ID: <4ABBCD64.7010803@redhat.com>

Michael Kang wrote:
> I did add below repo:
>
> cd /etc/yum.repos.d
> wget http://directory.fedoraproject.org/sources/idmcommon.repo
> wget http://directory.fedoraproject.org/sources/dirsrv.repo
>
>
> Is that right?
Yes.
>
> 2009/9/24 Juan Asensio Sánchez
>
> > 2009/9/24 Michael Kang :
> > > Dear Fedora Directory community,
> > >
> > > I'm helping my PL migrate Fedora directory server (storing employees info and Linux user accounts) from 389-ds (1.1.x) to FreeIPA (1.2.2). I backed up from the command line using the db2bak command-line script. I got two LDIF files and two folders (userRoot and NetscapeRoot) which contain many db4 files.
> > >
> > > After reading the FreeIPA Administrator Guide, I realized there is no db2bak or bak2db commands for FreeIPA users. So I copy those LDIF files and folders to /var/lib/dirsrv/ directly. Then I run service dirsvr restart, the dirsvr instance cannot start anymore. The instance names of 389-ds and FreeIPA are different.
> > >
> > > So I want to learn more about 389-ds server. I run yum install 389-ds in Fedora 9 i386. I got message: No package 389-ds available. My system is already updated. What's the new name of the 389-ds package?
> > >
> >
> > Have you added the 389 repositories?
> >
> > http://directory.fedoraproject.org/wiki/Download
> >
> > > How can I finish this hard job? Have anybody ever migrated successfully? I need your help..
> > >
> > > Best Regards,
> > > Michael
> > >
> > > --
> > > Michael Kang
> > > There is a giant asleep within every man. When the giant awakens, miracles happen.
> > >
> > > Personal blog: http://ufusion.org - United Fusion
> > >
> > > --
> > > 389 users mailing list
> > > 389-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > >
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From jonas at bravenet.com Thu Sep 24 21:23:53 2009
From: jonas at bravenet.com (Jonas Courteau)
Date: Thu, 24 Sep 2009 14:23:53 -0700
Subject: [389-users] Using different bind user to add tasks
Message-ID: <1253827433.22563.33.camel@jcourteau-desktop>

Hi:

I was wondering how to go about setting up an ACI to allow a different user to add specific tasks. For example, say I created a special user cn=backups,cn=config (or similar) and I wanted that user to be able to add cn=backup,cn=tasks,cn=config entries to schedule backups, but not allow them to do any other tasks.

The idea here is to have a specific user to trigger the backups remotely without having to include the directory manager password in scripts.

I've been poking around with various ACIs but so far I'm kinda feeling around in the dark. I'm sure someone else has done something along these lines - any suggestions? Also, if you think this idea is silly and you wish to share your backup best practices, I'd love to hear!

Thanks!

Jonas

From koippa at gmail.com Fri Sep 25 06:15:14 2009
From: koippa at gmail.com (Kimmo Koivisto)
Date: Fri, 25 Sep 2009 09:15:14 +0300
Subject: [389-users] Deleting entries that are not modified recently
Message-ID:

Hello

I'm using fedora-ds-1.0.4-1.RHEL4 and I have an application that creates and modifies entries located in FDS.
Application does not remove old entries, and I cannot change how application works.
I would like to delete entries that are not modified recently with either plain ldapsearch+ldapdelete or using some FDS tools, perl script etc.

So, my question is, what is the easiest way to delete entries, for example older than 3 months?

Regards,
Kimmo

From okelet at gmail.com Fri Sep 25 06:36:53 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Fri, 25 Sep 2009 08:36:53 +0200
Subject: [389-users] Deleting entries that are not modified recently
In-Reply-To:
References:
Message-ID: <52a9d2e30909242336r60babc7al7748c161dcb80ca5@mail.gmail.com>

Hi

All entries in the directory have some operational attributes called createTimestamp, modifyTimestamp, creatorsName and modifiersName. With them, you can check when an entry has been created or modified, and who did it. I think this is what you are looking for.

Those attributes, that are operational, are not returned when you ask for all attributes, you must specify their names manually:

ldapsearch ...... "(objectClass=*)" * createTimestamp

Regards

2009/9/25 Kimmo Koivisto :
> Hello
>
> I'm using fedora-ds-1.0.4-1.RHEL4 and I have an application that creates and modifies entries located in FDS.
> Application does not remove old entries, and I cannot change how application works.
>
> I would like to delete entries that are not modified recently with either plain ldapsearch+ldapdelete or using some FDS tools, perl script etc.
>
> So, my question is, what is the easiest way to delete entries, for example older than 3 months?
>
> Regards,
> Kimmo
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From koippa at gmail.com Fri Sep 25 06:47:17 2009
From: koippa at gmail.com (Kimmo Koivisto)
Date: Fri, 25 Sep 2009 09:47:17 +0300
Subject: [389-users] Deleting entries that are not modified recently
In-Reply-To: <52a9d2e30909242336r60babc7al7748c161dcb80ca5@mail.gmail.com>
References: <52a9d2e30909242336r60babc7al7748c161dcb80ca5@mail.gmail.com>
Message-ID:

Hello

Thanks for your answer.

I know about those timestamps, but I don't know if I can compare timestamps with ldapsearch.

So, is it possible to compare or search entries older than a defined timestamp, for example:

ldapsearch "(objectClass=*)" * modifyTimestamp>20090801000000Z

or how could I do this?

Regards,
Kimmo

2009/9/25 Juan Asensio Sánchez :
> Hi
>
> All entries in the directory have some operational attributes called createTimestamp, modifyTimestamp, creatorsName and modifiersName. With them, you can check when an entry has been created or modified, and who did it. I think this is what you are looking for.
>
> Those attributes, that are operational, are not returned when you ask for all attributes, you must specify their names manually:
>
> ldapsearch ...... "(objectClass=*)" * createTimestamp
>
> Regards
>
> 2009/9/25 Kimmo Koivisto :
>> Hello
>>
>> I'm using fedora-ds-1.0.4-1.RHEL4 and I have an application that creates and modifies entries located in FDS.
>> Application does not remove old entries, and I cannot change how application works.
>>
>> I would like to delete entries that are not modified recently with either plain ldapsearch+ldapdelete or using some FDS tools, perl script etc.
>>
>> So, my question is, what is the easiest way to delete entries, for example older than 3 months?
>>
>> Regards,
>> Kimmo
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From wxiluo at gmail.com Fri Sep 25 06:58:47 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Fri, 25 Sep 2009 14:58:47 +0800
Subject: [389-users] Do not find db2bak or ldif2db command
Message-ID: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com>

Dear Fedora Directory community,

After system upgrade is complete, I run yum install 389-ds to install fedora directory server on Fedora 11.

I don't have db2bak or ldif2db command (or scripts). Did I miss some packages?

Regards,
Michael

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles happen.

Personal blog: http://ufusion.org - United Fusion
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From andrey.ivanov at polytechnique.fr Fri Sep 25 08:55:23 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Fri, 25 Sep 2009 10:55:23 +0200
Subject: [389-users] Using different bind user to add tasks
In-Reply-To: <1253827433.22563.33.camel@jcourteau-desktop>
References: <1253827433.22563.33.camel@jcourteau-desktop>
Message-ID: <1601b8650909250155j6d02256y6f5e4f47d19747d6@mail.gmail.com>

Hi,

we've also made a special account with a random password ("cn=Backup, cn=config") .
The following aci is positioned on "cn=tasks,cn=config" :

aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip='$LDAP_SERVER_IP_ADRESS' ));)

And the script for the backups in cron is like this :

db2ldif.pl -D "cn=Backup, cn=config" -w 1ffd702ed7560c805483489bd928c3da878c2adf -n userRoot -a /Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif

Here is a snippet of the bash script to make all this :

mkdir -p /Backup
chown -R ldap:ldap /Backup
PWD_BACKUP=`(ps auxww ; w ; date) | sha1sum | awk '{print $1}'`
HASHED_PWD_BACKUP=`$FDS_BASE_DIR/bin/pwdhash -s SSHA $PWD_BACKUP`;
echo "dn: cn=Backup, cn=config" > /tmp/fds_backup.ldif
echo "objectClass: top" >> /tmp/fds_backup.ldif
echo "objectClass: person" >> /tmp/fds_backup.ldif
echo "cn: Backup" >> /tmp/fds_backup.ldif
echo "sn: Backup" >> /tmp/fds_backup.ldif
echo "userPassword: $HASHED_PWD_BACKUP" >> /tmp/fds_backup.ldif
echo "description: Backup User" >> /tmp/fds_backup.ldif
echo 'dn: cn=tasks,cn=config' > /tmp/fds_backup_acl.ldif
echo 'changetype: modify' >> /tmp/fds_backup_acl.ldif
echo 'add: aci' >> /tmp/fds_backup_acl.ldif
echo 'aci: (target ="ldap:///cn=export,cn=tasks,cn=config")(version 3.0;acl "Backup user can launch export tasks";allow (add) ((userdn = "ldap:///cn=Backup,cn=config") and (ip='$LDAP_SERVER_IP_ADRESS' ));)' >> /tmp/fds_backup_acl.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '' -f /tmp/fds_backup.ldif
$MOZ_LDAPMODIFY -a -v -h localhost -p $PORT_LDAP_SERVER -V 3 -D "cn=Directory Manager" -w '' -f /tmp/fds_backup_acl.ldif
rm -fr /tmp/fds_backup.ldif
rm -fr /tmp/fds_backup_acl.ldif

2009/9/24 Jonas Courteau :
> Hi:
>
> I was wondering how to go about setting up an ACI to allow a different user to add specific tasks.
> For example, say I created a special user cn=backups,cn=config (or similar) and I wanted that user to be able to add cn=backup,cn=tasks,cn=config entries to schedule backups, but not allow them to do any other tasks.
>
> The idea here is to have a specific user to trigger the backups remotely without having to include the directory manager password in scripts.
>
> I've been poking around with various ACIs but so far I'm kinda feeling around in the dark. I'm sure someone else has done something along these lines - any suggestions? Also, if you think this idea is silly and you wish to share your backup best practices, I'd love to hear!
>
> Thanks!
>
> Jonas
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

From koippa at gmail.com Fri Sep 25 10:16:36 2009
From: koippa at gmail.com (Kimmo Koivisto)
Date: Fri, 25 Sep 2009 13:16:36 +0300
Subject: [389-users] Deleting entries that are not modified recently
In-Reply-To:
References: <52a9d2e30909242336r60babc7al7748c161dcb80ca5@mail.gmail.com>
Message-ID:

Hello

This was what I needed to search entries:

ldapsearch -x -b xx -D xxx -w xxx "(&(cn=*)(modifytimestamp<=2009092513000000Z)(objectclass=person))"

But then, how to pipe ldapsearch and ldapdelete to delete the result dn's of ldapsearch?

Regards,
Kimmo

2009/9/25 Kimmo Koivisto :
> Hello
>
> Thanks for your answer.
>
> I know about those timestamps, but I don't know if I can compare timestamps with ldapsearch.
>
> So, is it possible to compare or search entries older than a defined timestamp, for example:
>
> ldapsearch "(objectClass=*)" * modifyTimestamp>20090801000000Z
>
> or how could I do this?
>
> Regards,
> Kimmo
>
>
> 2009/9/25 Juan Asensio Sánchez :
>> Hi
>>
>> All entries in the directory have some operational attributes called createTimestamp, modifyTimestamp, creatorsName and modifiersName.
>> With them, you can check when an entry has been created or modified, and who did it. I think this is what you are looking for.
>>
>> Those attributes, that are operational, are not returned when you ask for all attributes, you must specify their names manually:
>>
>> ldapsearch ...... "(objectClass=*)" * createTimestamp
>>
>> Regards
>>
>> 2009/9/25 Kimmo Koivisto :
>>> Hello
>>>
>>> I'm using fedora-ds-1.0.4-1.RHEL4 and I have an application that creates and modifies entries located in FDS.
>>> Application does not remove old entries, and I cannot change how application works.
>>>
>>> I would like to delete entries that are not modified recently with either plain ldapsearch+ldapdelete or using some FDS tools, perl script etc.
>>>
>>> So, my question is, what is the easiest way to delete entries, for example older than 3 months?
>>>
>>> Regards,
>>> Kimmo
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>> --
>> 389 users mailing list
>> 389-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>

From jsullivan at opensourcedevel.com Fri Sep 25 11:06:23 2009
From: jsullivan at opensourcedevel.com (John A. Sullivan III)
Date: Fri, 25 Sep 2009 07:06:23 -0400
Subject: [389-users] Do not find db2bak or ldif2db command
In-Reply-To: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com>
References: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com>
Message-ID: <1253876783.6484.1.camel@jaspav.missionsit.net.missionsit.net>

On Fri, 2009-09-25 at 14:58 +0800, Michael Kang wrote:
> Dear Fedora Directory community,
>
> After system upgrade is complete, I run yum install 389-ds to install fedora directory server on Fedora 11.
>
> I don't have db2bak or ldif2db command (or scripts). Did I miss some packages?
In my CentOS 5.3 installation, they installed to
/usr/lib64/dirsrv/slapd-ldap2/db2bak
/usr/lib64/dirsrv/slapd-ldap2/db2bak.pl
in other words /usr/lib64/dirsrv//
or do you mean they disappeared after upgrading? - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

From rmeggins at redhat.com Fri Sep 25 17:29:54 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 25 Sep 2009 11:29:54 -0600
Subject: [389-users] Do not find db2bak or ldif2db command
In-Reply-To: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com>
References: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com>
Message-ID: <4ABCFE12.5030208@redhat.com>

Michael Kang wrote:
> Dear Fedora Directory community,
>
> After system upgrade is complete, I run yum install 389-ds to install fedora directory server on Fedora 11.
>
> I don't have db2bak or ldif2db command (or scripts). Did I miss some packages?
They are not part of the package. They are generated from templates when you run setup-ds-admin.pl to create an instance of directory server. You can see the templates by doing
rpm -ql 389-ds-base | grep template-
>
> Regards,
> Michael
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Fri Sep 25 17:31:38 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 25 Sep 2009 11:31:38 -0600
Subject: [389-users] Deleting entries that are not modified recently
In-Reply-To:
References: <52a9d2e30909242336r60babc7al7748c161dcb80ca5@mail.gmail.com>
Message-ID: <4ABCFE7A.9040804@redhat.com>

Kimmo Koivisto wrote:
> Hello
>
> This was what I needed to search entries:
>
> ldapsearch -x -b xx -D xxx -w xxx "(&(cn=*)(modifytimestamp<=2009092513000000Z)(objectclass=person))"
>
> But then, how to pipe ldapsearch and ldapdelete to delete the result dn's of ldapsearch?
>
specify "dn" as the attribute to return - just add it to the end of the command line - also add -LLL to the ldapsearch command line to make it less verbose

you will then have output like
dn: somedn
blank line
repeat.....

You will have to use sed/awk/perl to strip the "dn: " from the DNs, and ignore the blank lines
> Regards,
> Kimmo
>
> 2009/9/25 Kimmo Koivisto :
>
>> Hello
>>
>> Thanks for your answer.
>>
>> I know about those timestamps, but I don't know if I can compare timestamps with ldapsearch.
>>
>> So, is it possible to compare or search entries older than a defined timestamp, for example:
>>
>> ldapsearch "(objectClass=*)" * modifyTimestamp>20090801000000Z
>>
>> or how could I do this?
>>
>> Regards,
>> Kimmo
>>
>>
>> 2009/9/25 Juan Asensio Sánchez :
>>
>>> Hi
>>>
>>> All entries in the directory have some operational attributes called createTimestamp, modifyTimestamp, creatorsName and modifiersName. With them, you can check when an entry has been created or modified, and who did it. I think this is what you are looking for.
>>>
>>> Those attributes, that are operational, are not returned when you ask for all attributes, you must specify their names manually:
>>>
>>> ldapsearch ...... "(objectClass=*)" * createTimestamp
>>>
>>> Regards
>>>
>>> 2009/9/25 Kimmo Koivisto :
>>>
>>>> Hello
>>>>
>>>> I'm using fedora-ds-1.0.4-1.RHEL4 and I have an application that creates and modifies entries located in FDS.
>>>> Application does not remove old entries, and I cannot change how application works.
>>>>
>>>> I would like to delete entries that are not modified recently with either plain ldapsearch+ldapdelete or using some FDS tools, perl script etc.
>>>>
>>>> So, my question is, what is the easiest way to delete entries, for example older than 3 months?
>>>>
>>>> Regards,
>>>> Kimmo
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From rmeggins at redhat.com Sat Sep 26 02:48:18 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 25 Sep 2009 20:48:18 -0600
Subject: [389-users] Re: Class of service removal
In-Reply-To: <9711147e0909231547sb7bc616r5fa678b727741a06@mail.gmail.com>
References: <9711147e0909231540k7b8a279apc32a4c23ae7ef475@mail.gmail.com> <9711147e0909231547sb7bc616r5fa678b727741a06@mail.gmail.com>
Message-ID: <4ABD80F2.3020802@redhat.com>

Mikael Kermorgant wrote:
> Hello again,
>
> I've finally found it, but only via browsing slowly among the thousands of accounts under ou=people.
>
> Isn't there a better way to find and edit/remove a class of service ?
> The class of service definition entry is an "ldapSubEntry" - this is sort of like an "operational entry" - hidden from regular ldap search operations. You must specify the search filter (objectclass=ldapSubEntry) to find these objects. If you want to search for entries of this type with additional search criteria, use the & operator - (&(objectclass=ldapSubEntry)(cn=mycostemplatename)) > Regards, > > Mikael Kermorgant > > On Thu, Sep 24, 2009 at 12:40 AM, Mikael Kermorgant > wrote: > >> Hello, >> >> I'm using 389 ds 1.2.0. >> >> I've created a class of service on ou=people, which adds an attribute >> with a specific attribute. >> >> I've proceded in 3 steps : >> 1 - created an object of objectclass nscontainer named cn=cosTemplates >> at the root of my tree >> 2 - under that object, created an object of class cosTemplate and >> extensibleobject - added the desired attribute with default value for >> ou=people >> 3 - created a class of service with the wizzard "New -> Class of >> service" by right clicking on ou=people. >> >> Strange thing is that the class of service applies, but I can't find >> any object that corresponds to the class of service itself. >> I tried to search with this filter (objectclass=cos*) but I don't get it. >> >> Would you have any idea about how to find it in order to remove it for example ? >> >> Best regards, >> >> -- >> Mikael Kermorgant >> >> > > > > -------------- next part -------------- A non-text attachment was scrubbed... 
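Putting Rich's two answers together (a dn-only "-LLL" search piped through a stripper into ldapdelete for the stale-entry clean-up, and the "(objectclass=ldapSubEntry)" filter for locating a class-of-service definition), the following is an added shell example; it is not from this thread or from the 389 project. It assumes OpenLDAP client tools (ldapsearch/ldapdelete with -y to read the bind password from a file), coreutils base64, the placeholder host ldap.example.com, and a constructed sample of ldapsearch output. It goes a little beyond the one-line sed approach in the reply: it escapes values before they are spliced into a filter, and it handles the folded ("dn: ...\n dc=...") and base64 ("dn:: ...") DN forms that ldapsearch emits for long or non-ASCII DNs, which a plain `sed 's/^dn: //'` would silently skip.

```shell
#!/bin/sh
# Added example (not from the thread or the 389 project): reduce
# `ldapsearch -LLL ... dn` output to a reviewable DN list and only hand it
# to ldapdelete on request. Assumes OpenLDAP client tools with -y and
# coreutils base64; ldap.example.com and the file names are placeholders.

# Escape a value for use inside an LDAP filter (RFC 4515), so that a
# template name or other user-supplied string cannot alter the filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for person entries not modified since the given generalized time,
# e.g. 20090925130000Z (the form used in the thread).
stale_filter() {
  printf '(&(objectclass=person)(modifytimestamp<=%s))' "$1"
}

# Filter for a class-of-service definition entry: these are ldapSubEntry
# objects and stay hidden unless the filter asks for them explicitly.
cos_filter() {
  printf '(&(objectclass=ldapSubEntry)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# Reduce LDIF on stdin to bare DNs, one per line. Unfolds continuation
# lines (leading space) and decodes base64 DNs ("dn:: ").
ldif_dns() {
  awk '
    /^ /  { buf = buf substr($0, 2); next }
          { if (buf != "") print buf; buf = $0 }
    END   { if (buf != "") print buf }
  ' | while IFS= read -r line; do
    case "$line" in
      "dn:: "*) printf '%s\n' "${line#dn:: }" | base64 -d; printf '\n' ;;
      "dn: "*)  printf '%s\n' "${line#dn: }" ;;
    esac
  done
}

# Search with the given filter and print the DNs that would be deleted.
# Only when DO_DELETE=1 are they piped into ldapdelete, so the list can be
# reviewed (and a db2bak backup taken) first. The bind password is read
# from a file (-y); -w would expose it to every user via ps.
purge_entries() {
  base=$1; binddn=$2; pwfile=$3; filter=$4
  ldapsearch -x -LLL -H ldap://ldap.example.com -b "$base" \
             -D "$binddn" -y "$pwfile" "$filter" dn | ldif_dns |
  if [ "${DO_DELETE:-0}" = 1 ]; then
    ldapdelete -x -H ldap://ldap.example.com -D "$binddn" -y "$pwfile"
  else
    sed 's/^/would delete: /'
  fi
}

# Constructed sample of what `ldapsearch -LLL ... dn` prints: a plain DN,
# a base64 DN (ldapsearch uses "dn::" for values it cannot print safely)
# and a DN folded across two lines.
sample_ldif() {
  bob=$(printf '%s' 'uid=bob,ou=people,dc=example,dc=com' | base64)
  printf 'dn: uid=alice,ou=people,dc=example,dc=com\n\n'
  printf 'dn:: %s\n\n' "$bob"
  printf 'dn: uid=carol,ou=people,\n dc=example,dc=com\n\n'
}

# Dry run against the constructed sample (no directory server needed):
sample_ldif | ldif_dns
```

A real run would be `purge_entries "ou=people,dc=example,dc=com" "cn=Directory Manager" /root/.dmpw "$(stale_filter 20090625000000Z)"` first without DO_DELETE to inspect the list, then with `DO_DELETE=1` once the list and a fresh db2bak backup are in hand; `cos_filter mycostemplatename` gives the filter for the subentry case in the same way.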
From wxiluo at gmail.com Sun Sep 27 06:39:38 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Sun, 27 Sep 2009 14:39:38 +0800
Subject: [389-users] Do not find db2bak or ldif2db command
In-Reply-To: <4ABCFE12.5030208@redhat.com>
References: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com> <4ABCFE12.5030208@redhat.com>
Message-ID: <97725cf0909262339h65be6221lfc183c7c96945edd@mail.gmail.com>

Rich Megginson is right.

I've got it: /usr/share/dirsrv/script-templates/template-db2bak.pl

Another question:
How to use those templates? I searched all the documents on Fedora 389
directory website (http://directory.fedoraproject.org/wiki/Documentation).
But I didn't find any tutorials.

On Sat, Sep 26, 2009 at 1:29 AM, Rich Megginson wrote:
> Michael Kang wrote:
>
>> Dear Fedora Directory community,
>>
>> After system upgrade is complete, I run yum install 389-ds to install
>> fedora directory server on Fedora 11.
>>
>> I don't have db2bak or ldif2db command (or scripts). Did I miss some
>> packages?
>>
> They are not part of the package. They are generated from templates when
> you run setup-ds-admin.pl to create an instance of directory server. You
> can see the templates by doing
> rpm -ql 389-ds-base | grep template-
>
>> Regards,
>> Michael
>>
>> --
>> Michael Kang
>> There is a giant asleep within every man. When the giant awakens, miracles
>> happen.
>>
>> Personal blog: http://ufusion.org - United Fusion

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles
happen.

Personal blog: http://ufusion.org - United Fusion

From zreoxx at gmail.com Sun Sep 27 09:09:42 2009
From: zreoxx at gmail.com (Andreas Andersson)
Date: Sun, 27 Sep 2009 11:09:42 +0200
Subject: [389-users] Do not find db2bak or ldif2db command
In-Reply-To: <97725cf0909262339h65be6221lfc183c7c96945edd@mail.gmail.com>
References: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com> <4ABCFE12.5030208@redhat.com> <97725cf0909262339h65be6221lfc183c7c96945edd@mail.gmail.com>
Message-ID: <1F096C24-1D5D-4022-A46D-81FFB5D79245@gmail.com>

Hi!

http://directory.fedoraproject.org/wiki/Documentation#Use_and_Deployment

Under "These are the official Red Hat Directory Server 8.1 docs but they
apply to 389 DS 1.1: " you will find "Configuration, Command, and File
Reference" which describes how to use these commands in detail:

http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Command_Line_Scripts-Perl_Scripts.html#Configuration_Command_File_Reference-Perl_Scripts-db2bak.pl_Create_backup_of_database

Regards - Andreas

On Sep 27, 2009, at 8:39 AM, Michael Kang wrote:
> Rich Megginson is right.
>
> I've got it: /usr/share/dirsrv/script-templates/template-db2bak.pl
>
> Another question:
> How to use those templates? I searched all the documents on Fedora
> 389 directory website (http://directory.fedoraproject.org/wiki/Documentation).
> But I didn't find any tutorials.
>
> On Sat, Sep 26, 2009 at 1:29 AM, Rich Megginson wrote:
>> Michael Kang wrote:
>>> Dear Fedora Directory community,
>>>
>>> After system upgrade is complete, I run yum install 389-ds to
>>> install fedora directory server on Fedora 11.
>>>
>>> I don't have db2bak or ldif2db command (or scripts). Did I miss some
>>> packages?
>> They are not part of the package. They are generated from templates
>> when you run setup-ds-admin.pl to create an instance of directory
>> server. You can see the templates by doing
>> rpm -ql 389-ds-base | grep template-
>>
>>> Regards,
>>> Michael
>>>
>>> --
>>> Michael Kang
>>> There is a giant asleep within every man. When the giant
>>> awakens, miracles happen.
>>>
>>> Personal blog: http://ufusion.org - United Fusion
>
> --
> Michael Kang
> There is a giant asleep within every man. When the giant
> awakens, miracles happen.
>
> Personal blog: http://ufusion.org - United Fusion

From wxiluo at gmail.com Sun Sep 27 09:22:02 2009
From: wxiluo at gmail.com (Michael Kang)
Date: Sun, 27 Sep 2009 17:22:02 +0800
Subject: [389-users] Do not find db2bak or ldif2db command
In-Reply-To: <1F096C24-1D5D-4022-A46D-81FFB5D79245@gmail.com>
References: <97725cf0909242358l20bbccb0h83b39bea199f8cfe@mail.gmail.com> <4ABCFE12.5030208@redhat.com> <97725cf0909262339h65be6221lfc183c7c96945edd@mail.gmail.com> <1F096C24-1D5D-4022-A46D-81FFB5D79245@gmail.com>
Message-ID: <97725cf0909270222x315ef014n2f7ffd7803b9d20a@mail.gmail.com>

Wow! Thanks ~!~!

On Sun, Sep 27, 2009 at 5:09 PM, Andreas Andersson wrote:
> Hi!
>
> http://directory.fedoraproject.org/wiki/Documentation#Use_and_Deployment
>
> Under "These are the official Red Hat Directory Server 8.1 docs but they
> apply to 389 DS 1.1: "
> you will find "Configuration, Command, and File Reference" which describes
> how to use these commands in detail:
>
> http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Command_File_Reference-Command_Line_Scripts-Perl_Scripts.html#Configuration_Command_File_Reference-Perl_Scripts-db2bak.pl_Create_backup_of_database
>
> Regards - Andreas
>
> On Sep 27, 2009, at 8:39 AM, Michael Kang wrote:
>
>> Rich Megginson is right.
>>
>> I've got it: /usr/share/dirsrv/script-templates/template-db2bak.pl
>>
>> Another question:
>> How to use those templates? I searched all the documents on Fedora 389
>> directory website (http://directory.fedoraproject.org/wiki/Documentation).
>> But I didn't find any tutorials.
>>
>> On Sat, Sep 26, 2009 at 1:29 AM, Rich Megginson wrote:
>>
>>> Michael Kang wrote:
>>>
>>>> Dear Fedora Directory community,
>>>>
>>>> After system upgrade is complete, I run yum install 389-ds to install
>>>> fedora directory server on Fedora 11.
>>>>
>>>> I don't have db2bak or ldif2db command (or scripts). Did I miss some
>>>> packages?
>>>>
>>> They are not part of the package. They are generated from templates when
>>> you run setup-ds-admin.pl to create an instance of directory server. You
>>> can see the templates by doing
>>> rpm -ql 389-ds-base | grep template-
>>>
>>>> Regards,
>>>> Michael
>>>>
>>>> --
>>>> Michael Kang
>>>> There is a giant asleep within every man. When the giant awakens, miracles
>>>> happen.
>>>>
>>>> Personal blog: http://ufusion.org - United Fusion
>>
>> --
>> Michael Kang
>> There is a giant asleep within every man. When the giant awakens, miracles
>> happen.
>>
>> Personal blog: http://ufusion.org - United Fusion

--
Michael Kang
There is a giant asleep within every man. When the giant awakens, miracles
happen.

Personal blog: http://ufusion.org - United Fusion

From meher.renuka at gmail.com Tue Sep 29 08:21:56 2009
From: meher.renuka at gmail.com (renuka meher)
Date: Tue, 29 Sep 2009 13:51:56 +0530
Subject: [389-users] authentication proxy

Hi,

I am working on a project wherein I have to deploy Redhat's Dogtag
Certificate System in my organisation. I have set up a fedora directory
server on a system. There is an existing windows Active directory server.
What I need is as follows:

I need to use ldap for authentication check, in read only mode.. A method
to check if the username and password is correct. Something like
Authentication proxy..

Thanks
From emmanuel.billot at ird.fr Tue Sep 29 10:15:59 2009
From: emmanuel.billot at ird.fr (Emmanuel BILLOT)
Date: Tue, 29 Sep 2009 12:15:59 +0200
Subject: [389-users] Synchronize userPrincipalName
Message-ID: <4AC1DE5F.3060104@ird.fr>

Hi,

Is it possible to add userPrincipalName as a synchronized attribute
between 389DS and AD ? It is the last useful attribute that we need in
our DIT...

BR,

--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tél : 02 38 49 95 88
==========================================

From okelet at gmail.com Wed Sep 30 08:32:41 2009
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Wed, 30 Sep 2009 10:32:41 +0200
Subject: [389-users] Multiple versions of FDS in the same server
Message-ID: <52a9d2e30909300132t112a3dc2r931c4d051d7b01c@mail.gmail.com>

Hi

I don't know why, but I have multiple versions of the FDS packages
installed in the same server:

---------------------------------------------------------------------------------------------------------------
[root at XXXXXXXXXXXXXX ~]# rpm -qa | grep fedora | sort
fedora-admin-console-1.1.0-4.fc6
fedora-ds-1.1.0-3.fc6
fedora-ds-1.1.2-1.fc6
fedora-ds-admin-1.1.1-1.fc6
fedora-ds-admin-1.1.2-2.fc6
fedora-ds-admin-console-1.1.2-1.fc9
fedora-ds-admin-debuginfo-1.1.1-1.fc6
fedora-ds-admin-debuginfo-1.1.2-2.fc6
fedora-ds-base-1.1.0-3.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-base-debuginfo-1.1.1-1.fc6
fedora-ds-base-devel-1.1.0-3.fc6
fedora-ds-base-devel-1.1.3-2.fc6
fedora-ds-console-1.1.0-5.fc6
fedora-ds-console-1.1.2-2.fc9
fedora-ds-dsgw-1.1.1-1.fc6
fedora-idm-console-1.1.0-5.fc6
fedora-idm-console-debuginfo-1.1.0-5.fc6
---------------------------------------------------------------------------------------------------------------

How can this be possible? When updating, old versions shouldn't be
removed? What will happen when I'll try to update to 389DS 1.2?

---------------------------------------------------------------------------------------------------------------
[root at XXXXXXXXXXXXXXXXX yum.repos.d]# yum upgrade 389-ds
Loaded plugins: fastestmirror
Determining fastest mirrors
idmcommon                 100% |=========================|   951 B    00:00
dirsrv                    100% |=========================|   951 B    00:00
idmcommon-noarch          100% |=========================|   951 B    00:00
dirsrv-noarch             100% |=========================|   951 B    00:00
Setting up Upgrade Process
Resolving Dependencies
--> Running transaction check
---> Package 389-ds.noarch 0:1.1.3-4.el5 set to be updated
--> Processing Dependency: 389-ds-console for package: 389-ds
--> Processing Dependency: 389-ds-console-doc for package: 389-ds
--> Processing Dependency: 389-admin-console-doc for package: 389-ds
--> Processing Dependency: 389-admin for package: 389-ds
--> Processing Dependency: 389-admin-console for package: 389-ds
--> Processing Dependency: 389-dsgw for package: 389-ds
--> Processing Dependency: 389-console for package: 389-ds
--> Processing Dependency: 389-ds-base for package: 389-ds
--> Running transaction check
---> Package 389-console.noarch 0:1.1.3-3.el5 set to be updated
---> Package 389-dsgw.i386 0:1.1.4-1.el5 set to be updated
--> Processing Dependency: fedora-ds-base = 1.1.0-3.fc6 for package: fedora-ds-base-devel
---> Package 389-ds-console.noarch 0:1.2.0-4.el5 set to be updated
---> Package 389-ds-console-doc.noarch 0:1.2.0-4.el5 set to be updated
---> Package 389-ds-base.i386 0:1.2.2-1.el5 set to be updated
--> Processing Dependency: fedora-ds-base = 1.1.3-2.fc6 for package: fedora-ds-base-devel
---> Package 389-admin.i386 0:1.1.8-4.el5 set to be updated
---> Package 389-admin-console.noarch 0:1.1.4-1.el5 set to be updated
---> Package 389-admin-console-doc.noarch 0:1.1.4-1.el5 set to be updated
--> Running transaction check
---> Package 389-ds-base-devel.i386 0:1.2.2-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================
 Package                   Arch     Version        Repository        Size
=============================================================================================================================================================
Installing:
 389-admin                 i386     1.1.8-4.el5    dirsrv           368 k
     replacing  fedora-ds-admin.i386 1.1.1-1.fc6
 389-admin-console         noarch   1.1.4-1.el5    dirsrv           201 k
     replacing  fedora-ds-admin-console.noarch 1.1.2-1.fc9
 389-console               noarch   1.1.3-3.el5    idmcommon-noarch  72 k
     replacing  fedora-idm-console.i386 1.1.0-5.fc6
 389-ds                    noarch   1.1.3-4.el5    dirsrv-noarch    8.6 k
     replacing  fedora-ds.i386 1.1.2-1.fc6
 389-ds-base               i386     1.2.2-1.el5    dirsrv-noarch    1.7 M
     replacing  fedora-ds-base.i386 1.1.3-2.fc6
 389-ds-base-devel         i386     1.2.2-1.el5    dirsrv-noarch     57 k
     replacing  fedora-ds-base-devel.i386 1.1.0-3.fc6
 389-ds-console            noarch   1.2.0-4.el5    dirsrv-noarch    1.4 M
     replacing  fedora-ds-console.noarch 1.1.0-5.fc6
 389-dsgw                  i386     1.1.4-1.el5    dirsrv           1.1 M
     replacing  fedora-ds-dsgw.i386 1.1.1-1.fc6
Installing for dependencies:
 389-admin-console-doc     noarch   1.1.4-1.el5    dirsrv            39 k
 389-ds-console-doc        noarch   1.2.0-4.el5    dirsrv            53 k

Transaction Summary
=============================================================================================================================================================
Install     10 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 4.9 M
---------------------------------------------------------------------------------------------------------------

It won't remove all old versions? I know this is a topic more about
general package management than 389DS, but any help is welcome.

Regards.

From nhosoi at redhat.com Wed Sep 30 18:38:38 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Wed, 30 Sep 2009 11:38:38 -0700
Subject: [389-users] 389 unusable on F11?
In-Reply-To: <4AC3974A.5040102@analograils.com>
References: <4AA9B9FD.8090504@analograils.com> <4AAA7E16.5080309@redhat.com> <4AC3974A.5040102@analograils.com>
Message-ID: <4AC3A5AE.1090503@redhat.com>

On 09/30/2009 10:37 AM, Kevin Bowling wrote:
>> [...]
>
> It was stable for 17 days while running with debug enabled to
> console. I upgraded to the F11 2.6.30 kernel rebase, and now I get
> some debugging info on the console. I'm taking a wild guess that it
> is timing related. Where should I place a bug report?
Hi,

Does this mean the 389 server did not crash, but was possibly blocked by
the Xen OS?
INFO: task ns-slapd:1034 blocked for more than 120 seconds.

It looks like some other daemon was also affected.
INFO: task kjournald:61 blocked for more than 120 seconds.

If it's a Xen issue, you could go to this page,
https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora
then choose "xen" for Component.

Thanks,
--noriko
> Regards,
> Kevin
>
> [root at buildbox-a2 ~]# xm console 8
> INFO: task kjournald:61 blocked for more than 120 seconds.
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> kjournald     D ffff88003e932000     0    61      2
>  ffff88003e919d40 0000000000000246 ffffffff8100e45c 0000000000000000
>  000000001cee5db8 ffff88003e919d20 ffffffff8100ee82 0000000000000202
>  ffff88003e9c83a8 000000000000e2e8 ffff88003e9c83a8 0000000000012d00
> Call Trace:
>  [] ? xen_force_evtchn_callback+0x20/0x36
>  [] ? check_events+0x12/0x20
>  [] ? xen_restore_fl_direct_end+0x0/0x1
>  [] ? _spin_unlock_irqrestore+0x4e/0x64
>  [] schedule+0x21/0x49
>  [] journal_commit_transaction+0x13d/0xe42
>  [] ? xen_force_evtchn_callback+0x20/0x36
>  [] ? autoremove_wake_function+0x0/0x5f
>  [] ? try_to_del_timer_sync+0x69/0x87
>  [] kjournald+0xfd/0x253
>  [] ? autoremove_wake_function+0x0/0x5f
>  [] ? kjournald+0x0/0x253
>  [] kthread+0x6d/0xae
>  [] child_rip+0xa/0x20
>  [] ? restore_args+0x0/0x30
>  [] ? child_rip+0x0/0x20
> INFO: task ns-slapd:1034 blocked for more than 120 seconds.
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> ns-slapd      D ffffc20000000000     0  1034      1
>  ffff88003dd87908 0000000000000282 ffff88003dd87868 ffffffff8100ed0d
>  ffff88003dd86000 00000000e59205a0 ffff88003dd87888 ffffffff8107957a
>  ffff88003d4fe0e8 000000000000e2e8 ffff88003d4fe0e8 0000000000012d00
> Call Trace:
>  [] ? xen_clocksource_get_cycles+0x1c/0x32
>  [] ? clocksource_read+0x22/0x38
>  [] ? ktime_get_ts+0x61/0x7d
>  [] ? sync_buffer+0x0/0x6b
>  [] schedule+0x21/0x49
>  [] io_schedule+0x44/0x6c
>  [] sync_buffer+0x53/0x6b
>  [] __wait_on_bit_lock+0x55/0xb2
>  [] ? find_get_page+0x64/0xa3
>  [] out_of_line_wait_on_bit_lock+0x7d/0x9c
>  [] ? sync_buffer+0x0/0x6b
>  [] ? wake_bit_function+0x0/0x5a
>  [] __lock_buffer+0x3d/0x53
>  [] lock_buffer+0x49/0x64
>  [] do_get_write_access+0x82/0x3f3
>  [] ? journal_add_journal_head+0xce/0x162
>  [] journal_get_write_access+0x3a/0x65
>  [] __ext3_journal_get_write_access+0x34/0x74
>  [] ext3_reserve_inode_write+0x50/0xaa
>  [] ext3_mark_inode_dirty+0x4f/0x80
>  [] ext3_dirty_inode+0x79/0xa7
>  [] __mark_inode_dirty+0x45/0x190
>  [] file_update_time+0xc0/0x113
>  [] do_wp_page+0x610/0x658
>  [ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> kjournald     D ffff88003e932000     0    61      2
>  ffff88003e919d40 0000000000000246 ffffffff8100e45c 0000000000000000
>  000000001cee5db8 ffff88003e919d20 ffffffff8100ee82 0000000000000202
>  ffff88003e9c83a8 000000000000e2e8 ffff88003e9c83a8 0000000000012d00
> Call Trace:
>  [] ? xen_force_evtchn_callback+0x20/0x36
>  [] ? check_events+0x12/0x20
>  [] ? xen_restore_fl_direct_end+0x0/0x1
>  [] ? _spin_unlock_irqrestore+0x4e/0x64
>  [] schedule+0x21/0x49
>  [] journal_commit_transaction+0x13d/0xe42
>  [] ? xen_force_evtchn_callback+0x20/0x36
>  [] ? autoremove_wake_function+0x0/0x5f
>  [] ? try_to_del_timer_sync+0x69/0x87
>  [] kjournald+0xfd/0x253
>  [] ? autoremove_wake_function+0x0/0x5f
>  [] ? kjournald+0x0/0x253
>  [] kthread+0x6d/0xae
>  [] child_rip+0xa/0x20
>  [] ? restore_args+0x0/0x30
>  [] ? child_rip+0x0/0x20
> INFO: task ns-slapd:1034 blocked for more than 120 seconds.
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> ns-slapd      D ffffc20000000000     0  1034      1
>  ffff88003dd87908 0000000000000282 ffff88003dd87868 ffffffff8100ed0d
>  ffff88003dd86000 00000000e59205a0 ffff88003dd87888 ffffffff8107957a
>  ffff88003d4fe0e8 000000000000e2e8 ffff88003d4fe0e8 0000000000012d00
> Call Trace:
>  [] ? xen_clocksource_get_cycles+0x1c/0x32
>  [] ? clocksource_read+0x22/0x38
>  [] ? ktime_get_ts+0x61/0x7d
>  [] ? sync_buffer+0x0/0x6b
>  [] schedule+0x21/0x49
>  [] io_schedule+0x44/0x6c
>  [] sync_buffer+0x53/0x6b
>  [] __wait_on_bit_lock+0x55/0xb2
>  [] ? find_get_page+0x64/0xa3
>  [] out_of_line_wait_on_bit_lock+0x7d/0x9c
>  [] ? sync_buffer+0x0/0x6b
>  [] ? wake_bit_function+0x0/0x5a
>  [] __lock_buffer+0x3d/0x53
>  [] lock_buffer+0x49/0x64
>  [] do_get_write_access+0x82/0x3f3
>  [] ? journal_add_journal_head+0xce/0x162
>  [] journal_get_write_access+0x3a/0x65
>  [] __ext3_journal_get_write_access+0x34/0x74
>  [] ext3_reserve_inode_write+0x50/0xaa
>  [] ext3_mark_inode_dirty+0x4f/0x80
>  [] ext3_dirty_inode+0x79/0xa7
>  [] __mark_inode_dirty+0x45/0x190
>  [] file_update_time+0xc0/0x113
>  [] do_wp_page+0x610/0x658
>  [] ? __raw_callee_save_xen_pmd_val+0x11/0x1e
>  [] handle_mm_fault+0x6a2/0x72e
>  [] ? _spin_unlock_irqrestore+0x4e/0x64
>  [] do_page_fault+0x226/0x24f
>  [] page_fault+0x25/0x30
> INFO: task ns-slapd:1040 blocked for more than 120 seconds.
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> ns-slapd      D ffff88003e932024     0  1040      1
>  ffff88003bc119f8 0000000000000282 ffffffff8100e45c ffffc20000025410
>  00000000f1efb74c ffff88003bc119d8 ffffffff8100ee82 0000000000000004
>  ffff88003bc0b248 000000000000e2e8 ffff88003bc0b248 0000000000012d00
> Call Trace:
>  [] ? xen_force_evtchn_callback+0x20/0x36
>  [] ? check_events+0x12/0x20
>  [] ? xen_restore_fl_direct_end+0x0/0x1
>  [] ? _spin_unlock_irqrestore+0x4e/0x64
>  [] ? check_events+0x12/0x20
>  [] schedule+0x21/0x49
>  [] start_this_handle+0x2d4/0x373
>  [] ? autoremove_wake_function+0x0/0x5f
>  [] journal_start+0xb7/0x106
>  [] ext3_journal_start_sb+0x62/0x78
>  [] ext3_journal_start+0x28/0x3e
>  [] ext3_dirty_inode+0x3e
>
>

From kevinb at analograils.com Wed Sep 30 17:37:14 2009
From: kevinb at analograils.com (Kevin Bowling)
Date: Wed, 30 Sep 2009 13:37:14 -0400
Subject: [389-users] 389 unusable on F11?
In-Reply-To: <4AAA7E16.5080309@redhat.com>
References: <4AA9B9FD.8090504@analograils.com> <4AAA7E16.5080309@redhat.com>
Message-ID: <4AC3974A.5040102@analograils.com>

On 9/11/2009 12:43 PM, Noriko Hosoi wrote:
> On 09/10/2009 07:46 PM, Kevin Bowling wrote:
>> Hi,
>>
>> I have been running FDS/389 on a F11 xen DomU for several months. I
>> use it as the backend for UNIX username/passwords and also for
>> redMine (a Ruby on Rails bug tracker) for http://www.gnucapplus.org/.
>>
>> This VM would regularly lock up every week or so when 389 was still
>> called FDS. I've since upgraded to 389 by issuing 'yum upgrade' as
>> well as running the 'setup-...-.pl -u' script and now it barely goes
>> a day before crashing. When ldap crashes, the whole box basically
>> becomes unresponsive.
>>
>> I left the Xen hardware console open to see what was up and the only
>> thing I could conclude was that 389 was crashing (if I issued a
>> service start it came back to life). Doing anything like a top or ls
>> will completely kill the box. Likewise, the logs show nothing at or
>> before the time of crash. I suspected too few file descriptors but
>> changing that to a very high number had no impact.
>>
>> I was about to do a rip and replace with OpenLDAP which I use very
>> successfully for our corporate systems but figured I ought to see if
>> anyone here can help or if I can submit any kind of meaningful bug
>> report first.
>> I assume I will need to run 389's slapd without
>> daemonizing it and hope it spits something useful out to stderr. Any
>> advice here would be greatly appreciated, as would any success
>> stories of using 389 on F11.
> Hello Kevin,
>
> You specified the platform "F11 xen DomU". Did you have a chance to
> run the 389 server on any other platforms? I'm wondering if the crash
> is observed only on the specific platform or not. Is the server
> running on the 64-bit machine or 32-bit?
>
> If you start the server with "-d 1" option, the server will run as the
> trace mode. (E.g., /usr/lib[64]/dirsrv/slapd-YOURID/start-slapd -d 1)
>
> I'm afraid it might be a memory leak. When you restart the 389
> server, could you check the size of ns-slapd some time like every hour
> and see if the server size keeps growing or stops? Also, the server
> quits if it fails to write to the errors log. If it happens, it's
> logged in the system log. Does the messages file on the system
> happen to have some logs related to the 389 server?
>
> Thanks,
> --noriko
>>
>> I'm not subscribed to the list so please CC.
>>
>> Regards,
>>
>> Kevin Bowling

It was stable for 17 days while running with debug enabled to console. I
upgraded to the F11 2.6.30 kernel rebase, and now I get some debugging
info on the console. I'm taking a wild guess that it is timing related.
Where should I place a bug report?

Regards,
Kevin

[root at buildbox-a2 ~]# xm console 8
INFO: task kjournald:61 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kjournald     D ffff88003e932000     0    61      2
 ffff88003e919d40 0000000000000246 ffffffff8100e45c 0000000000000000
 000000001cee5db8 ffff88003e919d20 ffffffff8100ee82 0000000000000202
 ffff88003e9c83a8 000000000000e2e8 ffff88003e9c83a8 0000000000012d00
Call Trace:
 [] ? xen_force_evtchn_callback+0x20/0x36
 [] ? check_events+0x12/0x20
 [] ? xen_restore_fl_direct_end+0x0/0x1
 [] ? _spin_unlock_irqrestore+0x4e/0x64
 [] schedule+0x21/0x49
 [] journal_commit_transaction+0x13d/0xe42
 [] ? xen_force_evtchn_callback+0x20/0x36
 [] ? autoremove_wake_function+0x0/0x5f
 [] ? try_to_del_timer_sync+0x69/0x87
 [] kjournald+0xfd/0x253
 [] ? autoremove_wake_function+0x0/0x5f
 [] ? kjournald+0x0/0x253
 [] kthread+0x6d/0xae
 [] child_rip+0xa/0x20
 [] ? restore_args+0x0/0x30
 [] ? child_rip+0x0/0x20
INFO: task ns-slapd:1034 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
ns-slapd      D ffffc20000000000     0  1034      1
 ffff88003dd87908 0000000000000282 ffff88003dd87868 ffffffff8100ed0d
 ffff88003dd86000 00000000e59205a0 ffff88003dd87888 ffffffff8107957a
 ffff88003d4fe0e8 000000000000e2e8 ffff88003d4fe0e8 0000000000012d00
Call Trace:
 [] ? xen_clocksource_get_cycles+0x1c/0x32
 [] ? clocksource_read+0x22/0x38
 [] ? ktime_get_ts+0x61/0x7d
 [] ? sync_buffer+0x0/0x6b
 [] schedule+0x21/0x49
 [] io_schedule+0x44/0x6c
 [] sync_buffer+0x53/0x6b
 [] __wait_on_bit_lock+0x55/0xb2
 [] ? find_get_page+0x64/0xa3
 [] out_of_line_wait_on_bit_lock+0x7d/0x9c
 [] ? sync_buffer+0x0/0x6b
 [] ? wake_bit_function+0x0/0x5a
 [] __lock_buffer+0x3d/0x53
 [] lock_buffer+0x49/0x64
 [] do_get_write_access+0x82/0x3f3
 [] ? journal_add_journal_head+0xce/0x162
 [] journal_get_write_access+0x3a/0x65
 [] __ext3_journal_get_write_access+0x34/0x74
 [] ext3_reserve_inode_write+0x50/0xaa
 [] ext3_mark_inode_dirty+0x4f/0x80
 [] ext3_dirty_inode+0x79/0xa7
 [] __mark_inode_dirty+0x45/0x190
 [] file_update_time+0xc0/0x113
 [] do_wp_page+0x610/0x658
 [ /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kjournald     D ffff88003e932000     0    61      2
 ffff88003e919d40 0000000000000246 ffffffff8100e45c 0000000000000000
 000000001cee5db8 ffff88003e919d20 ffffffff8100ee82 0000000000000202
 ffff88003e9c83a8 000000000000e2e8 ffff88003e9c83a8 0000000000012d00
Call Trace:
 [] ? xen_force_evtchn_callback+0x20/0x36
 [] ? check_events+0x12/0x20
 [] ? xen_restore_fl_direct_end+0x0/0x1
 [] ? _spin_unlock_irqrestore+0x4e/0x64
 [] schedule+0x21/0x49
 [] journal_commit_transaction+0x13d/0xe42
 [] ? xen_force_evtchn_callback+0x20/0x36
 [] ? autoremove_wake_function+0x0/0x5f
 [] ? try_to_del_timer_sync+0x69/0x87
 [] kjournald+0xfd/0x253
 [] ? autoremove_wake_function+0x0/0x5f
 [] ? kjournald+0x0/0x253
 [] kthread+0x6d/0xae
 [] child_rip+0xa/0x20
 [] ? restore_args+0x0/0x30
 [] ? child_rip+0x0/0x20
INFO: task ns-slapd:1034 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
ns-slapd      D ffffc20000000000     0  1034      1
 ffff88003dd87908 0000000000000282 ffff88003dd87868 ffffffff8100ed0d
 ffff88003dd86000 00000000e59205a0 ffff88003dd87888 ffffffff8107957a
 ffff88003d4fe0e8 000000000000e2e8 ffff88003d4fe0e8 0000000000012d00
Call Trace:
 [] ? xen_clocksource_get_cycles+0x1c/0x32
 [] ? clocksource_read+0x22/0x38
 [] ? ktime_get_ts+0x61/0x7d
 [] ? sync_buffer+0x0/0x6b
 [] schedule+0x21/0x49
 [] io_schedule+0x44/0x6c
 [] sync_buffer+0x53/0x6b
 [] __wait_on_bit_lock+0x55/0xb2
 [] ? find_get_page+0x64/0xa3
 [] out_of_line_wait_on_bit_lock+0x7d/0x9c
 [] ? sync_buffer+0x0/0x6b
 [] ? wake_bit_function+0x0/0x5a
 [] __lock_buffer+0x3d/0x53
 [] lock_buffer+0x49/0x64
 [] do_get_write_access+0x82/0x3f3
 [] ? journal_add_journal_head+0xce/0x162
 [] journal_get_write_access+0x3a/0x65
 [] __ext3_journal_get_write_access+0x34/0x74
 [] ext3_reserve_inode_write+0x50/0xaa
 [] ext3_mark_inode_dirty+0x4f/0x80
 [] ext3_dirty_inode+0x79/0xa7
 [] __mark_inode_dirty+0x45/0x190
 [] file_update_time+0xc0/0x113
 [] do_wp_page+0x610/0x658
 [] ? __raw_callee_save_xen_pmd_val+0x11/0x1e
 [] handle_mm_fault+0x6a2/0x72e
 [] ? _spin_unlock_irqrestore+0x4e/0x64
 [] do_page_fault+0x226/0x24f
 [] page_fault+0x25/0x30
INFO: task ns-slapd:1040 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
ns-slapd      D ffff88003e932024     0  1040      1
 ffff88003bc119f8 0000000000000282 ffffffff8100e45c ffffc20000025410
 00000000f1efb74c ffff88003bc119d8 ffffffff8100ee82 0000000000000004
 ffff88003bc0b248 000000000000e2e8 ffff88003bc0b248 0000000000012d00
Call Trace:
 [] ? xen_force_evtchn_callback+0x20/0x36
 [] ? check_events+0x12/0x20
 [] ? xen_restore_fl_direct_end+0x0/0x1
 [] ? _spin_unlock_irqrestore+0x4e/0x64
 [] ? check_events+0x12/0x20
 [] schedule+0x21/0x49
 [] start_this_handle+0x2d4/0x373
 [] ? autoremove_wake_function+0x0/0x5f
 [] journal_start+0xb7/0x106
 [] ext3_journal_start_sb+0x62/0x78
 [] ext3_journal_start+0x28/0x3e
 [] ext3_dirty_inode+0x3e