[389-users] Re: Directory Administrators vs. Password Administrators

2024-03-18 Thread Thierry Bordaz
Hi, I assume your question is about privileges 'Directory manager' vs 'Password Administrators'. They are both allowed to bypass the password policy (global or local) and set any value they want. While 'Directory manager' does not need specific ACI, Administrators belonging to

[389-users] Re: Determining max CSN of running server

2024-03-01 Thread Thierry Bordaz
On 2/29/24 21:31, William Faulk wrote: Thanks, Pierre and Thierry. After quite some time of poring over these debug logs, I've found some anomalies and they seem like they're matching up with the idea that the affected replica isn't updating its own RUV correctly. The logs show a change

[389-users] Re: Determining max CSN of running server

2024-03-01 Thread Thierry Bordaz
I think Pierre may refer to http://www.port389.org/docs/389ds/design/csn-pending-lists-and-ruv-update.html https://pagure.io/389-ds-base/issue/49287 On 2/29/24 23:21, William Faulk wrote: FYI: There is a list of pending operations to ensure that the RUV is not updated while an older operation

[389-users] Re: Determining max CSN of running server

2024-02-29 Thread Thierry Bordaz
On 2/29/24 05:12, William Faulk wrote: Might be worth re-reading Well, I still don't really know the details of the replication process. I have deduced that changes originated on a replica seem to prompt that replica to start a replication process with its peers, but I don't really know what

[389-users] Re: 389 DS 2.3.6 on RHEL 9 replication over TLS

2024-01-26 Thread Thierry Bordaz
You may follow the doc to configure TLS on your both suppliers [1] and check the trusted CA on both side [2]. On troubleshooting side you may look at [3] [1]

[389-users] Re: 389-ds-base name log pipe problems

2023-12-07 Thread Thierry Bordaz
Hi, It would be helpful to have some details how you configured the log pipe and did the tests. I wonder if it could be related to https://github.com/389ds/389-ds-base/issues/198. regards thierry On 12/7/23 09:06, Nyquist wrote: Hello We are using 18 389-ds-base-1.3.10.2, Recently,

[389-users] Re: Documentation as to how replication works

2023-11-16 Thread Thierry Bordaz
On 11/16/23 02:50, John Apple II wrote: Hi, William,   I am working on trying to figure out how to some basic monitoring IdM Replication with a non-Directory-Manager service-account for some internal work I do where we use IdM, and I'm trying to work on figuring out how to create a

[389-users] Re: Documentation as to how replication works

2023-11-15 Thread Thierry Bordaz
Hi, The explanation below looks excellent to me. You may also have a look at https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/deployment_guide/designing_the_replication_process#doc-wrapper Regarding the initial concern "having regular problems with missed

[389-users] Re: Allow User to Change Expired Password

2023-11-10 Thread Thierry Bordaz
On 11/8/23 15:55, Aaron Enders wrote: Hello, Question: Is there a way to allow users to change their password if the password has already expired? I've been fighting this issue for months now and haven't found a resolution. My users are able to change their password if it is not expired

[389-users] Re: err=19 in a BIND operation

2023-10-05 Thread Thierry Bordaz
On 10/5/23 14:58, Ciber Center wrote: Hi team, I'm getting an result err=19 in a BIND operation, Anyone knows why this can happen? this is the connection trace conn=2894185 fd=205 slot=205 connection from client_ip to server_ip conn=2894185 op=0 BIND

[389-users] Re: Setting "lock" time of an account in the future

2023-10-03 Thread Thierry Bordaz
, Oct 3, 2023 at 8:55 AM Thierry Bordaz wrote: On 10/3/23 01:11, Mark Reynolds wrote: On 10/2/23 4:13 AM, Cenk Y. wrote: Hi Mark, thanks for the response. We already use password lockout plugin, but what I need is the opposite. I want to * Create an account

[389-users] Re: Setting "lock" time of an account in the future

2023-10-03 Thread Thierry Bordaz
On 10/3/23 01:11, Mark Reynolds wrote: On 10/2/23 4:13 AM, Cenk Y. wrote: Hi Mark, thanks for the response. We already use password lockout plugin, but what I need is the opposite. I want to * Create an account, activate it * Set an expiration date, so that after that date account is

[389-users] Re: Migration: importing an OU to a new instance

2023-09-15 Thread Thierry Bordaz
On 9/13/23 19:57, tda...@arizona.edu wrote: Thanks for the quick reply. My issue is this: Server A has two OUs, call them ou=A and ou=B. Server B has two OUs, ou=A (empty) and ou=C. I want to copy the data from ou=A on server A to ou=A on server B. There are no ou=B entries in the export

[389-users] Re: Migration: importing an OU to a new instance

2023-09-13 Thread Thierry Bordaz
On 9/13/23 18:44, tda...@arizona.edu wrote: I've read this doc: https://access.redhat.com/documentation/en-us/red_hat_directory_server/12/html/importing_and_exporting_data/importing-data-to-directory-server_importing-and-exporting-data The export from server A to an LDIF file works and I've

[389-users] Re: 389-ds freezes with deadlock

2023-09-13 Thread Thierry Bordaz
d search and > update on thread62. The equality index is set for changeNumber. I will assume that this is a different "problem" and has nothing to do with the high cpu load and freezes and not look further into it for the time. Kind regards Julian Am 12.09.23 um 14:21 schrieb Thie

[389-users] Re: 389-ds freezes with deadlock

2023-09-12 Thread Thierry Bordaz
ly should start way higher. If it is possible that this is the cause I will kick them to stop that ;) I am running version 2.3.1 on Debian 12, installed from the Debian repositories. Kind regards Julian On 08.09.23 at 13:23, Thierry Bordaz wrote: Hi Julian, It looks that an update (Threa

[389-users] Re: 389-ds freezes with deadlock

2023-09-08 Thread Thierry Bordaz
this error message: [07/Sep/2023:15:22:43.410333038 +0200] - ERR - ldbm_back_seq - deadlock retry BAD 1601, err=0 Unexpected dbimpl error code and the remote program that called also stopped working at that time. Thanks Julian Kippels On 28.08.23 at 14:28, Thierry Bordaz wrote: Hi Julian, I agree

[389-users] Re: Crash with SEGV after compacting

2023-09-08 Thread Thierry Bordaz
Hi, The crash is already fixed in 1.4.4 with https://github.com/389ds/389-ds-base/issues/4778 The fix was about scheduling of compaction but revisit this part of code and actually fixed this crash. I fully agree with Mark suggestion to move to 2.x as this branch is not maintained except for

[389-users] Re: 389-ds freezes with deadlock

2023-08-28 Thread Thierry Bordaz
Hi Julian, I agree with Mark suggestion. If new connections are failing a pstack + error logged msg would be helpful. Regarding the error logged. LDAP server relies on a database that, under pressure by multiple threads, may end into a db_lock deadlock. In such situation the DB, selects one

[389-users] Re: nsslapd-referral remove issues

2023-07-31 Thread Thierry Bordaz
Hi, My understanding is that you may try to remove a value (looking like a referral) from a replication configuration entry (under cn=config/dse.ldif). Could you cut/paste a sample of the entry you want to update and the value you want to get rid ? If you are trying to remove a server from

[389-users] Re: Crash with SEGV after compacting

2023-07-12 Thread Thierry Bordaz
On 7/12/23 10:14, Mathieu Baudier wrote: Hello, Many thanks for the quick analysis! The crash is already fixed in 1.4.4 with https://github.com/389ds/389-ds-base/issues/4778 The fix was about scheduling of compaction but revisit this part of code and actually fixed this crash. I will raise

[389-users] Re: Crash with SEGV after compacting

2023-07-12 Thread Thierry Bordaz
Hi, The crash is already fixed in 1.4.4 with https://github.com/389ds/389-ds-base/issues/4778 The fix was about scheduling of compaction but revisit this part of code and actually fixed this crash. I fully agree with Mark suggestion to move to 2.x as this branch is not maintained except for

[389-users] Re: Crash with SEGV after compacting

2023-07-11 Thread Thierry Bordaz
they will want to patch it for Debian 11. So, maybe I will have to look at Debian 12 / bookworm (the new 'Debian stable'), and see whether the issue still occurs. Cheers, Mathieu On Tue, 2023-07-11 at 11:51 +0200, Thierry Bordaz wrote: Hi, What version are you running ? Are you running a replicated

[389-users] Re: Crash with SEGV after compacting

2023-07-11 Thread Thierry Bordaz
Hi, What version are you running ? Are you running a replicated topology, what is the crashing server (supplier, consumer, hub) ? Do you have a backtrace of the crash (with debugsource) ? Unfortunately I doubt compaction can be disabled (it is part of the checkpointing that is mandatory).

[389-users] Re: 389 Ldap Cleanallruv Replica Crash

2023-05-03 Thread Thierry Bordaz
Hi Juan, Thanks for raising this issue. The crash can be reproduced and I opened https://github.com/389ds/389-ds-base/issues/5751 It is a side effect of a CL refactoring done in 2.x branch. best regards thierry On 5/2/23 21:00, Juan Quintanilla wrote: Hi, I recently installed

[389-users] Re: 389 DS memory growth

2023-04-27 Thread Thierry Bordaz
, and never comes back. Thoughts, suggestions are much appreciated. - Alex *From: *Thierry Bordaz *Date: *Tuesday, April 18, 2023 at 12:37 PM *To: *"Nazarenko, Alexander" , "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproj

[389-users] Re: A more profound replication monitoring of 389-ds instance

2023-04-21 Thread Thierry Bordaz
Hi, I agree that it is complex task to master such FreeIPA deployment. FreeIPA enables many components, 389ds is just one of them, and several of them could contribute when a problem occurs. My main concern here is that you express a need to monitor (how well FreeIPA deployment works) rather

[389-users] Re: A more profound replication monitoring of 389-ds instance

2023-04-21 Thread Thierry Bordaz
Hi, I agree that it is complex task to master such FreeIPA deployment. FreeIPA enables many components, 389ds is just one of them, and several of them could contribute when a problem occurs. My main concern here is that you express a need to monitor (how well FreeIPA deployment works) rather

[389-users] Re: A more profound replication monitoring of 389-ds instance

2023-04-20 Thread Thierry Bordaz
Hi, I read your first post. I found it very interesting but was not able to get a clear understanding of your needs. This second post would also need additional details. The cn=ldbm database monitoring will mainly return stats about DB activity and are IMHO a bit raw data. In the posts you

[389-users] Re: 389 DS memory growth

2023-04-18 Thread Thierry Bordaz
plan profile a typical server for memory usage, and plan to keep posted. *- Alwes* *From: *Thierry Bordaz *Date: *Tuesday, April 18, 2023 at 11:47 AM *To: *"General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>, "Nazarenko, A

[389-users] Re: 389 DS memory growth

2023-04-18 Thread Thierry Bordaz
Hi, Note that the initial memory footprint of an instance 1.3.11 is larger than a 1.3.10 one. On RHEL 7.9 2Gb VM, an instance 1.3.11 is 1Gb while 1.3.10 is 0.5Gb. Instances have the same DS tuning. The difference comes from extra chunks of anonymous memory (heap) that are possibly related

[389-users] Re: 389 DS memory growth

2023-04-17 Thread Thierry Bordaz
/Invalid%20Access%20with%C2%A0Valgrind regards thierry On 4/17/23 09:35, Thierry Bordaz wrote: Hi, Thanks for raising this issue. Actually the version is an upgrade of 389 7.9.18 to 7.9.21. It contains only 3 bug fixes  - 5497: boolean attribute should be case insensitive  - 5440: memberof can

[389-users] Re: 389 DS memory growth

2023-04-17 Thread Thierry Bordaz
Hi, Thanks for raising this issue. Actually the version is an upgrade of 389 7.9.18 to 7.9.21. It contains only 3 bug fixes  - 5497: boolean attribute should be case insensitive  - 5440: memberof can be slow when multiple membership attribute are defined  - 5565: support of PBKDF2-SHA512 in

[389-users] Re: 2.x query performance problem

2023-03-27 Thread Thierry Bordaz
Hi Claas, Rereading that thread I have a doubt regarding cache priming. The search returns ~500 groups. The first lookup of those groups is significantly longer because of entry cache priming. Could you confirm that if you do twice the same search (1.4 and 2.x), the second search in 1.4 is

[389-users] Re: 2.x query performance problem

2023-03-23 Thread Thierry Bordaz
to 1.4.x is still present :)  ( 0.0x sec vs 0.9 sec) thanks and best regards Claas *Sent:* Monday, 13 March 2023 at 17:55 *From:* "Thierry Bordaz" *To:* 389-users@lists.fedoraproject.org *Subject:* [389-users] Re: 2.x query performance problem Hi Claas, First, thank you sooo

[389-users] Re: 2.x query performance problem

2023-03-14 Thread Thierry Bordaz
ted. Need to revisit this part of the fix. best regards thierry On 3/14/23 17:21, Thierry Bordaz wrote: Hi Claas, Good, that means that the 2x manageDSAit is now fixed. I tried to reproduce locally (2.x) and I think I succeeded: [14/Mar/2023:16:45:54.283507824 +0100] conn=1 op=1 SRCH base="

[389-users] Re: 2.x query performance problem

2023-03-14 Thread Thierry Bordaz
time, got etimes with 0,9 sec after import and reindexing (with and without option) but a little difference to 1.4.x is still present :)  ( 0.0x sec vs 0.9 sec) thanks and best regards Claas *Sent:* Monday, 13 March 2023 at 17:55 *From:* "Thierry Bordaz" *To:* 389-users@lists.fe

[389-users] Re: 2.x query performance problem

2023-03-13 Thread Thierry Bordaz
Hi Claas, First, thank you sooo much for your tests. This is really helpful. So my understanding is that this same req was * [10, 30]ms in 1.4 * [900, 1700]ms in 2.x o A possibility is that the filter evaluation (against the 532 returned entry) is the responsible of the 1700ms

[389-users] Re: Replication agreements creation order

2023-03-13 Thread Thierry Bordaz
On 3/13/23 08:50, Alberto Crescente wrote: On 3/13/23 01:01, William Brown wrote: Error log test-389-ds-3 [10/Mar/2023:18:27:29.275950935 +0100] - ERR - agmt="cn=agreement-test-389-ds-3-to-test-389-ds-1" (test-389-ds-1:636) - clcache_load_buffer - Can't locate CSN 640b564d0003 in

[389-users] Re: 2.x query performance problem

2023-03-10 Thread Thierry Bordaz
pstack-tool? regards Claas *Sent:* Tuesday, 07 March 2023 at 15:38 *From:* "Thierry Bordaz" *To:* 389-users@lists.fedoraproject.org *Subject:* [389-users] Re: 2.x query performance problem Hi Claas, I do not recall a specific change 1.4.4 vs 2.0 that could explain this. Do y

[389-users] Re: 2.x query performance problem

2023-03-07 Thread Thierry Bordaz
Hi Claas, I do not recall a specific change 1.4.4 vs 2.0 that could explain this. Do you confirm that 'uniqueMember' is indexed in equality on both ? What are the SRCH records in the access logs (notes=A ?). On 2.0, it lasts 2sec, you may try to capture few pstacks that would give some tips.

[389-users] Re: Wrong password hash algorithm returned

2022-11-24 Thread Thierry Bordaz
"cn=Directory Manager" -w '{{ vault_dirsrv_directory_manager_password }}' ldap://localhost pwpolicy set --pwdscheme=SSHA And when I checked using cockpit it was set to SSHA, but still some accounts were set to PBKDF2_SHA256. Julian Am 24.11.22 um 12:19 schrieb Thierry Bordaz:

[389-users] Re: Wrong password hash algorithm returned

2022-11-24 Thread Thierry Bordaz
ll remains as SSHA. Julian On 22.11.22 at 15:30, Thierry Bordaz wrote: On 11/22/22 10:28, Julian Kippels wrote: Hi Thierry, that's a nasty catch… On the one hand I think this is a nice feature to improve security, but on the other hand PBKDF2_SHA256 is the one algorithm that freeradius c

[389-users] Re: Wrong password hash algorithm returned

2022-11-22 Thread Thierry Bordaz
o go. Else you could change the default password storage to SSHA and keep nsslapd-enable-upgrade-hash=on. So that it will revert, on bind, to the SSHA hash. thierry Julian On 22.11.22 at 09:56, Thierry Bordaz wrote: Hi Julian, This is likely the impact of https://github.com/389ds/389

[389-users] Re: Wrong password hash algorithm returned

2022-11-22 Thread Thierry Bordaz
Hi Julian, This is likely the impact of https://github.com/389ds/389-ds-base/issues/2480 that was introduced in 1.4.x. On 1.4.4 default hash is PBKDF2, this ticket upgrades the hash of user entries during the user bind (enabled with nsslapd-enable-upgrade-hash). best regards thierry On

[389-users] Re: [EXT]Re: Re: DNA Plugin creating duplicates

2022-08-18 Thread Thierry Bordaz
that it does not indicate that the search failed and/or continues to allocate the value without really knowing if it's a duplicate or not. Thanks, Todd *From:* Thierry Bordaz *Sent:* Wednesday, August 17, 2022 8:30 AM *To:* General

[389-users] Re: DNA Plugin creating duplicates

2022-08-17 Thread Thierry Bordaz
Hi, sorry to be late on that thread. DNA should prevent duplicate values via internal searches before allocating. If configured ranges from server are separated, DNA should not allocate duplicate. Is it possible that a direct update could set the attribute managed by DNA ? regards Thierry

[389-users] Re: Retro Changelog trimming causes deadlock

2022-07-20 Thread Thierry Bordaz
Hi Kees, Please install debuginfo and debugsource rpm from 389-ds and slapi-nis. once they are installed, you can collect a complete backtrace and also collect information about db pages (db_stat -CA -N -h /var/lib/dirsrv/slapd-/db/). This deadlock is possibly

[389-users] Re: Retro Changelog trimming not working

2022-07-13 Thread Thierry Bordaz
On 7/13/22 5:08 PM, Kees Bakker wrote: On 13-07-2022 16:31, Thierry Bordaz wrote: EXTERNAL E-MAIL On 7/13/22 3:18 PM, Kees Bakker wrote: On 13-07-2022 13:39, Kees Bakker wrote: On 13-07-2022 13:01, Kees Bakker wrote: Hi, [...] In other words, with 1.4.3.28 I don't get to see

[389-users] Re: Retro Changelog trimming not working

2022-07-13 Thread Thierry Bordaz
On 7/13/22 3:18 PM, Kees Bakker wrote: On 13-07-2022 13:39, Kees Bakker wrote: On 13-07-2022 13:01, Kees Bakker wrote: Hi, [...] In other words, with 1.4.3.28 I don't get to see the message with first_time and cur_time. I'm quite puzzled how that can happen. The code is like this (stripped

[389-users] Re: 389 scalability

2022-05-19 Thread Thierry Bordaz
On 5/19/22 1:51 AM, William Brown wrote: On 19 May 2022, at 00:48, Morgan Jones wrote: Hello Everyone, We are merging our student directory (about 200,000 entries) into our existing employee directory (about 25,000 entries). They're a pair of multi-master replicas on virtual hardware

[389-users] Re: Absolute True and False Filters

2022-05-12 Thread Thierry Bordaz
On 5/12/22 3:13 PM, Mike Mercier wrote: Hello, I am attempting to use the Microsoft ECMA Connector (Azure AD Connect) to synchronize user information from Azure AD to 389DS.  Microsoft does claim 389DS is supported, see:

[389-users] Re: 389DS + Ubuntu

2022-03-31 Thread Thierry Bordaz
On 3/31/22 2:25 PM, iyagomailru Alexander Yakovlev wrote: Mark, Thierry, thank You. I would really want to execute this command, but the 'config' option is missing in my version 389-ds, so I was asking for advice on how to configure it in another way. I am not expert of mdb use but I think

[389-users] Re: 389DS + Ubuntu

2022-03-31 Thread Thierry Bordaz
Hi, I think the command should be 'dsconf instance backend config set --db_lib mdb'. Now I am unsure if it is sufficient to switch to mdb database. Pierre ? regards thierry On 3/31/22 12:20 PM, iyagomailru Alexander Yakovlev wrote: More precisely, there is no backend option # dsconf

[389-users] Re: unconventional replication, alma 8 master to centos 7 slave: Unable to acquire replica: error: no such replica

2022-03-24 Thread Thierry Bordaz
On 3/24/22 2:17 PM, Mark Reynolds wrote: On 3/24/22 8:38 AM, Lewis Robson wrote: Hello all, i am working to do multi master with two different versions of OS (alma 8 and centos 7), this means that the 389 on alma 8 is using dsidm and cockpit and the 389 on centos 7 is using 389console with

[389-users] Re: Replication Problem

2022-01-31 Thread Thierry Bordaz
may check through this link: https://pastebin.ubuntu.com/p/ktN5HsBrNf/ Thanks On 1/31/22 11:24, Thierry Bordaz wrote: Hi, It returns 404 "page not found" regards thierry On 1/30/22 7:58 AM, Mansoor Raeesi wrote: Thanks for your kind reply, logging is enabled already and this

[389-users] Re: Replication Problem

2022-01-26 Thread Thierry Bordaz
Hi, There are several possible cause why the replication agreement failed to complete the total update. I suggest you enable replication debug log on A and B (https://www.port389.org/docs/389ds/FAQ/faq.html#Troubleshooting), before retrying a total update. If it is the first time you are

[389-users] Re: Log4j patch/update for 1.3.x

2021-12-21 Thread Thierry Bordaz
Hi, You are right, only java console could be affected but none of the RHDS versions (including 1.3) is impacted by Log4j CVE (https://access.redhat.com/security/vulnerabilities/RHSB-2021-009). So there is no plan to release a patch in 1.3 for this CVE. best regards thierry On 12/21/21

[389-users] Re: 389-DS Internal unindexed search

2021-11-15 Thread Thierry Bordaz
. Hellooo Ludwig, Thanks for this nice and simple idea. I opened https://github.com/389ds/389-ds-base/issues/5004. best regards thierry Regards, Ludwig Mark On Mon, Nov 15, 2021 at 3:22 PM Thierry Bordaz wrote: Hi, The referential integrity plugin uses internal searches

[389-users] Re: 389-DS Internal unindexed search

2021-11-15 Thread Thierry Bordaz
ark On Mon, Nov 15, 2021 at 3:22 PM Thierry Bordaz wrote: Hi, The referential integrity plugin uses internal searches to retrieve which entries referred to the target entry. The plugin uses equality searches, that are indexed, but for MODRDN it uses substring fil

[389-users] Re: 389-DS Internal unindexed search

2021-11-15 Thread Thierry Bordaz
Hi, The referential integrity plugin uses internal searches to retrieve which entries referred to the target entry. The plugin uses equality searches, that are indexed, but for MODRDN it uses substring filter. As membership attributes (member, uniquemember,...) are not indexed in substring,

[389-users] Re: 389 1.3 vs 1.4, CentOS 7

2021-11-10 Thread Thierry Bordaz
Hi Morgan, 389 1.3 and 1.4 are both advisable in production. You may hit some dependencies difficulties building 1.4 on centos7, as 1.3 was released on centos7 and 1.4 on centos8. I would suggest that you upgrade to centos8 as 1.4 contains more features and improvements but if you target

[389-users] Re: Cleaning up a disabled replica

2021-11-03 Thread Thierry Bordaz
In addition to the previous feedbacks, some comments inlined On 11/1/21 11:57 PM, Morgan, Iain (ARC-TN)[InuTeq, LLC] wrote: Hi, I've got a bit of an unusual situation. I have two test servers that were configured as a multi-master replication pair. One of the servers needed to be used for

[389-users] Re: global passwd policy for DS with existing users

2021-09-14 Thread Thierry Bordaz
, then the reset password expires. * The reset password is valid to authenticate a fixed delay after the reset time regards thierry Isabella *From:*Thierry Bordaz [mailto:tbor...@redhat.com] *Sent:* September 14, 2021 7:13 AM *To:* General discussion list for the 389 Directory server project. <

[389-users] Re: global passwd policy for DS with existing users

2021-09-14 Thread Thierry Bordaz
On 9/14/21 3:15 PM, Mark Reynolds wrote: On 9/10/21 5:14 PM, Ghiurea, Isabella wrote: ·Thank you Mark, · I am considering  the  DS global password Policy with  the configuration to have the users  “must” change their passwords according to a schedule. If the schedule is fixed delay of

[389-users] Re: Enabling retro changelog maxage with 3 million entries make dirsrv not respond anymore

2021-09-06 Thread Thierry Bordaz
On 9/6/21 3:40 PM, Kees Bakker wrote: On 06-09-2021 14:34, Thierry Bordaz wrote: On 9/6/21 1:55 PM, Kees Bakker wrote: Hi, First a bit of context. CentOS 7, FreeIPA 389-ds-base-snmp-1.3.9.1-13.el7_7.x86_64 389-ds-base-libs-1.3.9.1-13.el7_7.x86_64 389-ds-base-1.3.9.1-13.el7_7.x86_64 A long

[389-users] Re: Enabling retro changelog maxage with 3 million entries make dirsrv not respond anymore

2021-09-06 Thread Thierry Bordaz
On 9/6/21 1:55 PM, Kees Bakker wrote: Hi, First a bit of context. CentOS 7, FreeIPA 389-ds-base-snmp-1.3.9.1-13.el7_7.x86_64 389-ds-base-libs-1.3.9.1-13.el7_7.x86_64 389-ds-base-1.3.9.1-13.el7_7.x86_64 A long time ago I was experiencing a deadlock during retro changelog cleanup and I was

[389-users] Re: nsslapd-conntablesize & nsslapd-maxfiledescriptors

2021-09-06 Thread Thierry Bordaz
On 9/5/21 11:45 PM, William Brown wrote: On 3 Sep 2021, at 23:37, Michael Starling wrote: Given the current settings on a directory server I'm still seeing the errors below in the logs at peak times. "ERR - setup_pr_read_pds - Not listening for new connections - too many fds open"

[389-users] Re: WARN - content-sync-plugin

2021-09-01 Thread Thierry Bordaz
Hi Orion, Nothing alarming just a message logged with a wrong WARN flag. It should be INFO or debug rather than WARN. See the discussion https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/OM6UTEY2VYSM6G6USZIQRCIOLROVASBP/ regards thierry On 8/30/21 6:48

[389-users] Re: Several "DB retried operation targets" messages per day

2021-08-16 Thread Thierry Bordaz
On 8/12/21 4:39 PM, Mark Reynolds wrote: On 8/12/21 10:21 AM, Kees Bakker wrote: On 12-08-2021 16:00, Mark Reynolds wrote: On 8/12/21 9:57 AM, Kees Bakker wrote: On 12-08-2021 14:21, Mark Reynolds wrote: On 8/12/21 5:16 AM, William Brown wrote: hey there, Some of your messages have been

[389-users] Re: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock

2021-07-28 Thread Thierry Bordaz
Hi Kees, Rotte successfully processed the problematic update (60fe85350013), updating the database and recording the update in the changelog. Later Rotte tried to replicate the update to linge  but the update failed on linge [26/Jul/2021:11:44:37.947738548 +0200] - ERR -

[389-users] Re: memberOf Plugin report inconsistent states

2021-07-15 Thread Thierry Bordaz
On 7/15/21 2:56 PM, Tobias Ernstberger wrote: Hello, it is well known and documented, that the memberOf attribute can have inconsistent states (e.g. by manipulating it directly). There is also a Fix-Up Task to repair that. Question: Is there also a way to report/list all current

[389-users] Announcing 389 Directory Server 2.0.6

2021-06-24 Thread Thierry Bordaz
389 Directory Server 2.0.6 The 389 Directory Server team is proud to announce 389-ds-base version 2.0.6 Fedora packages are available on Fedora 34 and Rawhide Fedora 34: https://koji.fedoraproject.org/koji/taskinfo?taskID=70696310

[389-users] Re: Can't locate CSN - replica issue

2021-06-17 Thread Thierry Bordaz
On 6/17/21 2:11 PM, Marco Favero wrote: Ah, I don't have RA rh5-->dr-rh1. So, I could setup a RA from all multimaster to dr-rh1 to avoid this kind of problems. I'm not sure to understand. Really, I have a real time RA from rh5 to rh1, and from rh1 to rh5. So, if I initialize rh1 from rh5,

[389-users] Re: Can't locate CSN - replica issue

2021-06-17 Thread Thierry Bordaz
On 6/17/21 12:58 PM, Marco Favero wrote: On 6/17/21 10:55 AM, Marco Favero wrote: Hi Marco, good to know you fixed the issue. If I read you correctly you fixed it via setting nsDS5ReplicaHost=FQDN of the consumer host in the replication agreement supplier->consumer. What is surprising is that

[389-users] Re: [Freeipa-users] Re: Consumer failed to replay change Operations error (1)

2021-06-17 Thread Thierry Bordaz
Hello Alfred, If it is IPA deployment I doubt that you hit [1] because it only applies on read-only replica (hub/consumer). Also this bug is fixed in the version you are running. The consumer (redactedauth0003.redacted.com

[389-users] Re: Can't locate CSN - replica issue

2021-06-07 Thread Thierry Bordaz
On 6/7/21 9:39 AM, Marco Favero wrote: Gasp, I suspect the problem seems to be here. In the agreements I see dn: cn=it 2--\3E1,cn=replica,cn=c\3Dit,cn=mapping tree,cn=config objectClass: top objectClass: nsds5replicationagreement cn: it 2-->1 cn: it 2--\>1 nsDS5ReplicaRoot: c=it description:

[389-users] Re: how to configure cn attribute case sensitive

2021-04-27 Thread Thierry Bordaz
On 4/27/21 5:38 AM, William Brown wrote: On 27 Apr 2021, at 09:42, Mark Reynolds wrote: On 4/26/21 3:34 PM, Ghiurea, Isabella wrote: Hi List, I need help with the following ldap issue , we are running 389-ds-base-1.3.7.5-24.el7_5.x86_64 -how to check if 389-DS is cfg to be case

[389-users] Announcing 389 Directory Server 2.0.4

2021-04-07 Thread thierry bordaz
389 Directory Server 2.0.4 The 389 Directory Server team is proud to announce 389-ds-base version 2.0.4 Fedora packages are available on Fedora 34 and Rawhide Fedora 34: https://koji.fedoraproject.org/koji/taskinfo?taskID=65380611

[389-users] Announcing 389 Directory Server 1.4.4.15

2021-04-06 Thread thierry bordaz
389 Directory Server 1.4.4.15 The 389 Directory Server team is proud to announce 389-ds-base version 1.4.4.15 Fedora packages are available on Fedora 33. Fedora 33: https://koji.fedoraproject.org/koji/taskinfo?taskID=65298461

[389-users] Re: dsconf idempotency

2021-03-26 Thread thierry bordaz
Hi Marco, I agree with you that the command setting the attributes to the same existing values should not fail. Output could differ from "Successfully changed ..." to let us know that no MOD were applied but IMHO it should succeed as well. Please would you open a new bug

[389-users] Announcing 389 Directory Server 1.4.4.14

2021-03-19 Thread thierry bordaz
389 Directory Server 1.4.4.14 The 389 Directory Server team is proud to announce 389-ds-base version 1.4.4.14 Fedora packages are available on Fedora 33. Fedora 33: https://koji.fedoraproject.org/koji/taskinfo?taskID=64115273

[389-users] Announcing 389 Directory Server 1.4.3.22

2021-03-19 Thread thierry bordaz
389 Directory Server 1.4.3.22 The 389 Directory Server team is proud to announce 389-ds-base version 1.4.3.22 Fedora packages are available on Fedora 32. https://koji.fedoraproject.org/koji/taskinfo?taskID=64103798 - Fedora 

[389-users] Re: Finding cause of 389ds sefault crash

2021-03-18 Thread thierry bordaz
Hi, By any chance do you know if the crash (SIGSEGV) dumped a core ? In such case you may install debuginfo rpm and analyze (gdb) the reason of the crash. I am not sure the crash is due to a DB corruption/breakage but clearly the crash will trigger a recovery. Is the suffix (userRoot)

[389-users] Announcing 389 Directory Server 1.4.3.21

2021-03-05 Thread thierry bordaz
389 Directory Server 1.4.3.21 The 389 Directory Server team is proud to announce 389-ds-base version 1.4.3.21 Fedora packages are available on Fedora 32. https://koji.fedoraproject.org/koji/taskinfo?taskID=63077711 - Fedora 

[389-users] Announcing 389 Directory Server 1.4.3.19

2021-02-11 Thread thierry bordaz
389 Directory Server 1.4.3.19 The 389 Directory Server team is proud to announce 389-ds-base version 1.4.3.19 Fedora packages are available on Fedora 32. https://koji.fedoraproject.org/koji/taskinfo?taskID=61767145 - Fedora 

[389-users] Re: ERR - _entryrdn_insert_key - Same DN (dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=cesnet,dc=cz) is already in the ,entryrdn file with different ID 10458. Expected ID is 10459

2021-01-18 Thread thierry bordaz
On 1/18/21 5:04 PM, Jan Tomasek wrote: Hi Thierry, On 15. 01. 21 11:06, thierry bordaz wrote: Would you be able to run those commands: dbscan -f /var/lib/dirsrv//db/cesnet_cz /nsuniqueid.db -k =fff-fff-fff-fff -r =fff-fff-fff-fff This seqfaults: root@cml3

[389-users] Re: ERR - _entryrdn_insert_key - Same DN (dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=cesnet,dc=cz) is already in the ,entryrdn file with different ID 10458. Expected ID is 10459

2021-01-15 Thread thierry bordaz
Hi Jan, Would you be able to run those commands: dbscan -f /var/lib/dirsrv//db/cesnet_cz /nsuniqueid.db -k =fff-fff-fff-fff -r =fff-fff-fff-fff then for each ID dbscan -f /var/lib/dirsrv//db/cesnet_cz /id2entry.db -K thanks it could help to diagnose. regards

[389-users] Re: Max number of users in a group?

2020-10-23 Thread thierry bordaz
Hi I would also suggest to check that it exists indexes for the membership attributes (pres, eq). Also for memberof if memberof plugin is enabled. If referential integrity is enabled you would also index for substrings. regards thierry On 10/23/20 1:32 AM, William Brown wrote: Some work was

[389-users] Re: OS err 12 - Cannot allocate memory

2020-10-09 Thread thierry bordaz
On 10/9/20 11:10 AM, Jan Kowalsky wrote: Hey, thanks so much for your answers. When restarting dirsrv we find in logs: libdb: BDB2034 unable to allocate memory for mutex; resize mutex region mmap in opening database environment failed trying to allocate 50 bytes. (OS err 12 - Cannot

[389-users] Re: OS err 12 - Cannot allocate memory

2020-10-07 Thread thierry bordaz
Hi, Tuning of DBD #mutex is not possible and BDB uses a default value based on #hash buckets. This error is quite rare and I have no explanation why it happened in your deployment. Could you share the DB tuning entry (cn=config,cn=ldbm database,cn=plugins,cn=config). Also looking at the

[389-users] Re: Complex MMR scenarios

2020-10-05 Thread thierry bordaz
On 10/2/20 12:11 AM, William Brown wrote: On 1 Oct 2020, at 20:27, Eugen Lamers wrote: Hi, we want to setup a Multi Master Replication that represents a scenario with several mobile environments which need to replicate with some immobile server from time to time. Is it possible - and

[389-users] Re: Changing the name of a DS-389 attribute or adding a new field

2020-08-06 Thread thierry bordaz
Hi, EmployeeID looks to be a direct mapping of EmployeeNumber. EmployeeNumber is defined in rfc2798 and delivered as a standard definition in /share/dirsrv/schema/06inetorgperson.ldif. Even if defining EmployeeId as alias of EmployeeNumber is possible I would not recommend to update a

[389-users] Re: [EXTERNAL] Re: Re: Re: new server setup hanging

2020-06-05 Thread thierry bordaz
Hi, Sorry to come late on this thread, my understanding is that your second server is looking like hanging. Is it consuming CPU ? does it accept new connections, new operations ? is it "hanging" because of bad response time ? The server being idle, are you sure connections are reaching the

[389-users] Re: replication problems

2020-05-11 Thread thierry bordaz
availability), can you post here the ticket so I can follow up the fix? I will check out and read about the asan. Thanks a lot. Alberto Viana On Mon, May 11, 2020 at 10:21 AM thierry bordaz <mailto:tbor...@redhat.com>> wrote: Hi Alberto, I think I reproduced the same cras

[389-users] Re: replication problems

2020-05-11 Thread thierry bordaz
Hi Alberto, I think I reproduced the same crash locally: (gdb) where #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1  0x7f4137c13972 in __GI_abort () at abort.c:100 #2  0x7f4137e6c241 in PR_Assert (     s=0x7f4138437420 "(vs->sorted ==

[389-users] Re: DNA plugin not working

2020-04-16 Thread thierry bordaz
Hi James, I would guess that the allocated range is exhausted, means next value reached maxValue. Possibly part of the range was taken by an other replica. You can try to get more details with ldapmodify -D "cn=directory manager" -W dn: cn=config changetype: modify replace:

[389-users] Re: ACI limiting read to groups a user is member of

2020-02-17 Thread thierry bordaz
On 2/17/20 5:26 AM, Grant Byers wrote: Got it.. (userattr = "uniqueMember#USERDN") It allows a member of a groupofUniqueName to read/search that group. If you are also supporting GroupofName groups you may want to add the bind rule (userattr="member#userDN"). With this rule, targetfilter

[389-users] Re: 389 replication issue

2015-12-17 Thread thierry bordaz
Hi Frank, keep alive entry was introduced https://fedorahosted.org/389/ticket/48266 the ADD failed but does the entry exist on the re-initialized replica? It is looking like it was created during total init, so its replication (ADD) may fail because the entry already exists. thanks thierry

Re: [389-users] Replication error after initializing consumer

2014-08-25 Thread thierry bordaz
thierry On 08/22/2014 09:22 PM, Shilen Patel wrote: I first noticed it in a suffix that had about 90K entries. After that, I was reproducing it in a suffix with about 280 entries. Thanks! -- Shilen From: thierry bordaz tbor...@redhat.com mailto:tbor...@redhat.com Date: Friday, August 22, 2014 3:18
