________________________________ From: Pierre Rogier <[email protected]> Sent: Monday, August 16, 2021 6:33 AM To: General discussion list for the 389 Directory server project. <[email protected]> Cc: Michael Starling <[email protected]> Subject: Re: [389-users] Re: How to replicate password lockout attributes from a consumer or hub to a master(s)
On Fri, Aug 13, 2021 at 9:42 PM Mark Reynolds <[email protected]<mailto:[email protected]>> wrote: On 8/13/21 2:40 PM, Michael Starling wrote: ________________________________ From: Michael Starling <[email protected]><mailto:[email protected]> Sent: Friday, August 13, 2021 10:41 AM To: Mark Reynolds <[email protected]><mailto:[email protected]>; General discussion list for the 389 Directory server project. <[email protected]><mailto:[email protected]> Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s) ________________________________ From: Michael Starling <[email protected]><mailto:[email protected]> Sent: Thursday, August 12, 2021 3:29 PM To: Mark Reynolds <[email protected]><mailto:[email protected]>; General discussion list for the 389 Directory server project. <[email protected]><mailto:[email protected]> Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s) ________________________________ From: Mark Reynolds <[email protected]><mailto:[email protected]> Sent: Thursday, August 12, 2021 3:16 PM To: Michael Starling <[email protected]><mailto:[email protected]>; General discussion list for the 389 Directory server project. <[email protected]><mailto:[email protected]> Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s) On 8/12/21 2:33 PM, Michael Starling wrote: ________________________________ From: Mark Reynolds <[email protected]><mailto:[email protected]> Sent: Thursday, August 12, 2021 11:48 AM To: General discussion list for the 389 Directory server project. <[email protected]><mailto:[email protected]>; Michael Starling <[email protected]><mailto:[email protected]> Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s) On 8/12/21 10:53 AM, Michael Starling wrote: Hello. I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts. I was able to enable password lockouts successfully however it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers. If the client is pointed to a read-only hub or consumer then the account does not lockout and the password attributes do not propagate back to the masters. passwordIsGlobalPolicy: on is set on all masters, hubs and consumers Password policy attributes I expect to replicate: passwordRetryCount accountUnlockTime retryCountResetTime I've tried following the chaining guide below which I think is what I need to do to get this work as expected, however I've hit a snag. https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html 389 Directory Server - Howto:ChainOnUpdate<https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html> Introduction. The usual deployment for a large replication topology will have the client applications reading from hubs or dedicated consumers in order to spread out the load and off-load search request processing from the masters. directory.fedoraproject.org<http://directory.fedoraproject.org> The document states the backend must be added to the hub or consumer, however when I try and add the following LDIF to the hub I get the "unwilling to perform" error. This makes sense because the hub is read-only so I'm confused as how I can update the config on a read-only hub or consumer? Hi Michael, To complete Mark's answer and try to solve your confusion: hub and consumer are read-only replicas (i.e backends) cn=config is another backend that is still writable. So you should not be able to modify the entries in the replicated suffix ( and should instead get referrals towards the master(s)) but you should still be able to modify the config. Regards, Pierre Hi Pierre. Thanks for confirming what I'm seeing. Any idea how to set multiple values in the nsfarmserverurl attribute? dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance cn: chainlab nsslapd-suffix: dc=domain,dc=com nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389 nsmultiplexorbinddn: uid=repluser,cn=config nsmultiplexorcredentials: mypassword nsCheckLocalACI: on adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config" ldap_add: Server is unwilling to perform (53) This is the doc you want to follow to get this working. But it is complicated... In this case I'm not sure why the error 53 is being returned. There is something about that entry it does not like. So please check the access and errors log from the time of this failure (see /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info logged when an error 53 happens. Also what version of 389-ds-base are you running? Thanks, Mark Hub or Consumer Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer: dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config objectclass: top objectclass: extensibleObject objectclass: nsBackendInstance cn: chainbe1 nsslapd-suffix: <suffix to replicate> nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead # of ldap for secure connections - # requires the secure port nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier nsmultiplexorcredentials: password nsCheckLocalACI: on Any help would be greatly appreciated. Thanks _______________________________________________ 389-users mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- Directory Server Development Team Thanks for getting me the right track Mark. Looks like the "nsFarmServerURL" is not correct. Versions: 389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64 I thought I was maybe hitting the bug described below so I added a trailing "/" but the issue persists. https://bugzilla.redhat.com/show_bug.cgi?id=1363970 nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389/ This is what I see in the logs on the hub when trying to add the LDIF. The idea is for the hub to send these password attributes back to all masters. These are the masters in the environment. ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389 [12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL [12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab. [12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL [12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab. [12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL [12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab. [12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL [12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab Ok, I think its not liking the multiple values in the attribute, even though the document says you have multiple urls. I think you need to add the config like this: nsfarmserverurl: ldap://dsa1.domain.com:389 nsfarmserverurl: ldap://dsa2.domain.com:389 nsfarmserverurl: ldap://dsa3.domain.com:389 Give it a try? HTH, Mark -- Directory Server Development Team Looks like it only added the first entry. Do I need to add an entry for each MAster? dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config objectClass: top objectClass: extensibleObject objectClass: nsBackendInstance cn: chainlab nsslapd-suffix: dc=domain,dc=com nsfarmserverurl: ldap://dsa1.domain.com:389 nsmultiplexorbinddn: uid=replicator,cn=config nsmultiplexorcredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA== nsbindconnectionslimit: 3 nsoperationconnectionslimit: 20 nsabandonedsearchcheckinterval: 1 nsconcurrentbindlimit: 10 nsconcurrentoperationslimit: 2 nsproxiedauthorization: on nsconnectionlife: 0 nsbindtimeout: 15 nsreferralonscopedsearch: off nschecklocalaci: on nsbindretrylimit: 3 nsslapd-sizelimit: 2000 nsslapd-timelimit: 3600 nshoplimit: 10 nsmaxresponsedelay: 60 nsmaxtestresponsedelay: 15 nsusestarttls: off Hi Mark. I tried adding the subsequent URL's and it doesn't allow multiple entries for this attribute. It appears all the URLS need to be part of the one nsfarmserverurl attribute. ldap_initialize( ldap://dsa4.domain.com ) add nsFarmServerURL: ldap://dsa2.domain.com:389 modifying entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config" ldap_modify: Server is unwilling to perform (53) additional info: Adding attributes is not allowed I believe I have this working now. Thank you Mark for getting me pointed in the right direction. Were you able to set multiple urls? Or did you just go with one for now? Mark -- Directory Server Development Team _______________________________________________ 389-users mailing list -- [email protected]<mailto:[email protected]> To unsubscribe send an email to [email protected]<mailto:[email protected]> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- -- 389 Directory Server Development Team
_______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
