On Friday, July 18, 2014 10:29:07 AM Ludwig Krispenz wrote:
> On 07/18/2014 09:50 AM, Martin Kosek wrote:
> > On 07/17/2014 04:56 PM, Anthony Messina wrote:
> >> After upgrading to Fedora 20's stable 389-ds-base-1.3.2.19-1.fc20.x86_64,
> >> I noticed the following errors during the restart cycle. I have a simple
> >> 2 host MMR setup. Should I be concerned about these? If so, I'd be open
> >> to recommendations. Thanks. -A
> >>
> >> [17/Jul/2014:07:51:50 -0500] - Entry "dnaHostname=ipa1.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com" -- attribute "dnaremotebindmethod" not allowed
> >>
> >> [17/Jul/2014:07:51:50 -0500] dna-plugin - dna_update_shared_config: Unable to update shared config entry: dnaHostname=ipa1.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com [error 65]
> >
> > CC-ing Ludwig and Thierry. Is it possible that 389 DS schema was not
> > updated during its upgrade? (Maybe related to
> > https://fedorahosted.org/389/ticket/47779?) FreeIPA itself does not touch
> > these attributes (yet).
>
> the dnaremotebindmethod was added in June 2013 to
> ....schema/10dna-plugin.ldif and the dnaSharedConfig objectclass - so it
> should be there. And in my 1.3.219 installation it is.
> Are you sure the entry you want to add has dnaSharedConfig and not
> (only) dnaPluginConfig?

When I diff between the newly installed 10dna-plugin.ldif and the one that was created for my FreeIPA instance, I can see the difference. However, I'm not sure how to reconcile the two such that both FreeIPA & 389 DS are happy.

~]# diff -u /etc/dirsrv/slapd-EXAMPLE-COM/schema/10dna-plugin.ldif /etc/dirsrv/schema/10dna-plugin.ldif --- /etc/dirsrv/slapd-EXAMPLE-COM/schema/10dna-plugin.ldif 2013-08-06 04:14:33.726000000 -0500 +++ /etc/dirsrv/schema/10dna-plugin.ldif 2014-07-03 13:31:44.000000000 -0500 @@ -170,6 +170,38 @@ # ################################################################################ # +attributeTypes: ( 2.16.840.1.113730.3.1.2157 NAME 'dnaRemoteBindCred' + DESC 'Remote bind credentials' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE + X-ORIGIN '389 Directory Server' ) +# +################################################################################ +# +attributeTypes: ( 2.16.840.1.113730.3.1.2158 NAME 'dnaRemoteBindDN' + DESC 'Remote bind DN' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SINGLE-VALUE + X-ORIGIN '389 Directory Server' ) +# +################################################################################ +# +attributeTypes: ( 2.16.840.1.113730.3.1.2159 NAME 'dnaRemoteConnProtocol' + DESC 'Connection protocol: LDAP, TLS, or SSL' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE + X-ORIGIN '389 Directory Server' ) +# +################################################################################ +# +attributeTypes: ( 2.16.840.1.113730.3.1.2160 NAME 'dnaRemoteBindMethod' + DESC 'Remote bind method: SIMPLE, SSL, SASL/DIGEST-MD5, or SASL/GSSAPI' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE + X-ORIGIN '389 Directory Server' ) +# +################################################################################ +# objectClasses: ( 2.16.840.1.113730.3.2.324 NAME 'dnaPluginConfig' DESC 'DNA plugin configuration' SUP top
@@ -185,7 +217,9 @@ dnaSharedCfgDN $ dnaThreshold $ dnaNextRange $ - dnaRangeRequestTimeout $ + dnaRangeRequestTimeout $ + dnaRemoteBindDN $ + dnaRemoteBindCred $ cn ) X-ORIGIN '389 Directory Server' ) @@ -199,6 +233,8 @@ MAY ( dnaHostname $ dnaPortNum $ dnaSecurePortNum $ + dnaRemoteBindMethod $ + dnaRemoteConnProtocol $ dnaRemainingValues ) X-ORIGIN '389 Directory Server' ) -- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
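
Review bot: In the first hunk (@@ -170,6 +170,38 @@), dnaRemoteBindCred is declared with the same Directory String syntax (1.3.6.1.4.1.1466.115.121.1.15) as the protocol and method attributes, and its DESC says only 'Remote bind credentials', so the schema gives no hint of how the value is expected to be stored or who should be able to read it. I would expand the DESC or the comment block above it to state the expected storage form, and note next to dnaRemoteConnProtocol and dnaRemoteBindMethod that the pairing of LDAP with SIMPLE sends that credential over an unprotected connection.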
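
Review bot: In the second hunk (@@ -185,7 +217,9 @@), the dnaRangeRequestTimeout line is removed and re-added with no visible change in its text, which looks like whitespace-only churn. Dropping that part would leave the hunk showing only the two real additions to the MAY list, dnaRemoteBindDN and dnaRemoteBindCred.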
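
Review bot: The last hunk (@@ -199,6 +233,8 @@) is the one that matters for the reported error: the MAY list beginning with dnaHostname gains dnaRemoteBindMethod and dnaRemoteConnProtocol only on the +++ side, so the per-instance file dated 2013-08-06 does not allow the attribute named in the 'attribute "dnaremotebindmethod" not allowed' message and the [error 65] that follows it. When bringing the file under /etc/dirsrv/slapd-EXAMPLE-COM/schema/ up to date, these two MAY entries need to go in together with the four attributeTypes from the first hunk, because adding the MAY lines alone would reference attribute types that file does not define.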
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
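
Added example, not part of the original message and not code from 389 DS or FreeIPA: a small Python check that lists, per objectClass, the attributes a packaged schema file allows but a per-instance copy does not, which is the kind of gap the diff above shows. The function names, the sample LDIF text and the dnaSharedConfig-oid placeholder are assumptions made for illustration.

```python
import re

def unfold(text):
    """Join continuation lines (leading space) and drop comments and blanks."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += " " + line.strip()   # a space keeps schema tokens apart
        elif line.strip() and not line.startswith("#"):
            out.append(line.strip())
    return out

def allowed_by_class(text):
    """Map each objectClass NAME (lowercased) to the attributes in its MUST/MAY lists."""
    classes = {}
    for line in unfold(text):
        name = re.search(r"NAME\s+'([^']+)'", line)
        if not line.lower().startswith("objectclasses:") or not name:
            continue
        attrs = set()
        for m in re.finditer(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|(\S+))", line):
            names = (m.group(1) or m.group(2) or "").split("$")
            attrs.update(n.strip().lower() for n in names if n.strip())
        classes[name.group(1).lower()] = attrs
    return classes

def schema_gap(instance_text, packaged_text):
    """Attributes each objectClass allows in the packaged file but not in the instance file."""
    inst, pkg = allowed_by_class(instance_text), allowed_by_class(packaged_text)
    return {oc: sorted(a - inst.get(oc, set())) for oc, a in pkg.items() if a - inst.get(oc, set())}

# Constructed samples modelled on the diff above; the objectClass OID is a placeholder.
INSTANCE = """\
objectClasses: ( dnaSharedConfig-oid NAME 'dnaSharedConfig'
 MAY ( dnaHostname $ dnaPortNum $ dnaSecurePortNum $ dnaRemainingValues )
 X-ORIGIN '389 Directory Server' )
"""
PACKAGED = """\
attributeTypes: ( 2.16.840.1.113730.3.1.2160 NAME 'dnaRemoteBindMethod'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
#
objectClasses: ( dnaSharedConfig-oid NAME 'dnaSharedConfig'
 MAY ( dnaHostname $ dnaPortNum $ dnaSecurePortNum $
 dnaRemoteBindMethod $ dnaRemoteConnProtocol $ dnaRemainingValues )
 X-ORIGIN '389 Directory Server' )
"""

print(schema_gap(INSTANCE, PACKAGED))
```

To use it on real files, read the two 10dna-plugin.ldif paths from the diff command into strings and pass them in the same order, instance copy first.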