[389-users] I cannot find how can I start the console under CentOS.

2015-10-20 Thread Giovanni Baruzzi
Dear friends,

How can I start the administration console under Linux?
I'm not able to find any start file.

Thank you,
Giovanni






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] DS crashed /killed by OS

2015-10-20 Thread Fong, Trevor
Hi German,

Thanks very much for your reply.
Just to make sure I have it straight, I've currently got userRoot's 
nsslapd-cachememsize = 6 GB on a 16GB machine.
I should change that to nsslapd-cachememsize = 6 GB / 15 = 429496730
Do I have that right?

Thanks again,
Trev




On 2015-10-20, 10:23 AM, "389-users-boun...@lists.fedoraproject.org on behalf 
of German Parente" <389-users-boun...@lists.fedoraproject.org on behalf of 
gpare...@redhat.com> wrote:

>Hi Trevor,
>
>no problem. In fact, this issue has been investigated by the experts and it's 
>due to fragmentation. A fix, using a different allocator, is being tested 
>internally right now but is not delivered yet.
>
>The official workaround is different to the one I have proposed. It is, in the 
>end, to define a rather small entry cache, since the fragmentation could be like 
>
>15 * size of entry cache.
>
>So, we need something like (15 * size of entry cache )  <  Available memory.
>
>Thanks and regards,
>
>German.
>
>
>
>- Original Message -
>> From: "Trevor Fong" 
>> To: "General discussion list for the 389 Directory server project." 
>> <389-users@lists.fedoraproject.org>
>> Sent: Tuesday, October 20, 2015 7:09:46 PM
>> Subject: Re: [389-users] DS crashed /killed by OS
>> 
>> Hi German,
>> 
>> Apologies for resurrecting an old thread.
>> We're also experiencing something similar.  We're currently running
>> 389-ds-base-1.2.11.15-48.el6_6.x86_64
>> 
>> I'm afraid I don't have login privileges in order to view the details of the
>> bug you linked.
>> Could you please post details of how you defined an entry cache to include
>> the whole db, and why this works?
>> 
>> FYI - moves are afoot re upgrading DS on a set of new servers, but in the
>> meantime, we need to address this issue.
>> 
>> 
>> Thanks a lot,
>> Trev
>> 
>> 
>> 
>> 
>> 
>> On 2015-02-05, 1:57 AM, "389-users-boun...@lists.fedoraproject.org on behalf
>> of German Parente" <389-users-boun...@lists.fedoraproject.org on behalf of
>> gpare...@redhat.com> wrote:
>> 
>> >
>> >Hi,
>> >
>> >we have had several customer cases showing this behavior. In one of these
>> >cases, we have confirmed it was due to memory fragmentation after
>> >cache-trashing.
>> >
>> >We have stopped seeing this behavior by defining an entry cache which
>> >includes the whole db (when possible, of course).
>> >
>> >Details can be found at:
>> >
>> >https://bugzilla.redhat.com/show_bug.cgi?id=1186512
>> >Apparent memory leak in ns-slapd; OOM-Killer invoked
>> >
>> >Regards,
>> >
>> >German
>> >
>> >- Original Message -
>> >> From: "David Boreham" 
>> >> To: 389-users@lists.fedoraproject.org
>> >> Sent: Wednesday, February 4, 2015 8:50:55 PM
>> >> Subject: Re: [389-users] DS crashed /killed by OS
>> >> 
>> >> On 2/4/2015 11:20 AM, ghiureai wrote:
>> >> 
>> >> 
>> >> 
>> >> Out of memory: Kill process 2090 (ns-slapd) score 954 or sacrifice child
>> >> 
>> >> It wasn't clear to me from your post whether you already have a good
>> >> understanding of the OOM killer behavior in the kernel.
>> >> On the chance that you're not yet familiar with its ways, suggest reading,
>> >> for example this article :
>> >> http://unix.stackexchange.com/questions/153585/how-oom-killer-decides-which-process-to-kill-first
>> >> I mention this because it may not be the DS that is the problem (not
>> >> saying
>> >> that it absolutely is not, but it might not be).
>> >> The OOM killer picks a process that is using a large amount of memory, and
>> >> kills it in order to preserve system stability.
>> >> This does not necessarily imply that the process it kills is the process
>> >> that
>> >> is causing the system to run out of memory.
>> >> You said that the DS "crashed", but in fact the kernel killed it -- not
>> >> quite
>> >> the same thing!
>> >> 
>> >> It is also possible that the system has insufficient memory for the
>> >> processes
>> >> it is running, DS cache size and so on.
>> >> Certainly it is worthwhile checking that the DS hasn't been inadvertently
>> >> configured to use more peak memory than the machine has available.
>> >> 
>> >> Bottom line : there are a few potential explanations, including but not
>> >> limited to a memory leak in the DS process.
>> >> Some analysis will be needed to identify the cause. As a precaution, if
>> >> you
>> >> can -- configure more swap space on the box.
>> >> This will allow more runway before the kernel starts looking for processes
>> >> to
>> >> kill, and hence more time to figure out what's using memory and why.
>> >> 
>> >> 
>> >> 
>> >> 
>> >> 
>> >> 
>> >> --
>> >> 389 users mailing list
>> >> 389-users@lists.fedoraproject.org
>> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>> >--
>> >389 users mailing list
>> >389-users@lists.fedoraproject.org
>> >https://admin.fedoraproject.org/mailman/listinfo/389-users
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> 

Re: [389-users] Help with understanding 389-ds, multiple server setup and TLS/SSL

2015-10-20 Thread Noriko Hosoi

On 10/20/2015 10:02 AM, Tom Fallon wrote:


Hi folks

I've inherited a 389-ds server (let's call that Server1) running 
version 389-Management-Console/1.1.7 B2011.172.2016 on which I've been 
tasked with getting replication working on a second server (Server2). 
I am not new to Linux but am new to System Administration having made 
the jump from Helpdesk recently so please bear with me if these seem 
like stupid questions


I've struck one hurdle already whereby I can no longer log in on the 
Console to Server1 and am getting error:


Error:
Cannot logon because of an incorrect User ID
Incorrect password or Directory problem.
java.io  interruptedIOException: HTTP response timeout

I think this has occurred while I tried to get SSL certs 
copied/exported to a Server2 as log files show the following.


[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_cipher_init: 
symmetric key failed to unwrap with the private key; Cert might have 
been renewed since the key is wrapped.  To recover the encrypted 
contents, keep the wrapped symmetric key value.
[06/Oct/2015:23:46:46 +0100] attrcrypt - All prepared ciphers are not 
available. Please disable attribute encryption.
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_unwrap_key: failed 
to unwrap key for cipher AES
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_cipher_init: 
symmetric key failed to unwrap with the private key; Cert might have 
been renewed since the key is wrapped.  To recover the encrypted 
contents, keep the wrapped symmetric key value.
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_unwrap_key: failed 
to unwrap key for cipher 3DES
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_cipher_init: 
symmetric key failed to unwrap with the private key; Cert might have 
been renewed since the key is wrapped.  To recover the encrypted 
contents, keep the wrapped symmetric key value.
[06/Oct/2015:23:46:46 +0100] attrcrypt - All prepared ciphers are not 
available. Please disable attribute encryption.
[06/Oct/2015:23:46:47 +0100] - Skipping CoS Definition 
cn=nsAccountInactivation_cos,dc=example,dc=com--no CoS Templates 
found, which should be added before the CoS Definition.
[06/Oct/2015:23:46:47 +0100] - slapd started.  Listening on All 
Interfaces port 389 for LDAP requests
[06/Oct/2015:23:46:47 +0100] - Listening on All Interfaces port 636 
for LDAPS requests


So in theory I recreate the SSL certs on Server1 export to Server2 and 
continue on.


I'd appreciate if someone could help in my understanding of how this 
is supposed to work in a multi server environment as despite reading 
the documentation 
here: https://access.redhat.com/documentation/en/red-hat-directory-server/ I'm 
struggling to get my head around things.


My understanding is there are these main components (I'm ignoring SNMP 
bit for now):


- Directory Server located at /etc/dirsrv/slapd-instance and 
containing all the LDAP server pieces and command line tools
- Admin Server located at /etc/dirsrv/admin-serv - docs refer to the 
controlling portals which access LDAP server and refers to "Using the 
Admin server" guide - I'm presuming this is the Administration Guide now
- Directory Server console - various docs I've read refer to this as 
the Directory Server Console or the Admin Console which then 
bamboozles me as to whether its incorporated in Directory Server or 
Admin Server.


I've been trying to follow this guide to multi-master SSL setup 
- http://directory.fedoraproject.org/docs/389ds/howto/howto-walkthroughmultimasterssl.html and 
tweaking for my version of OS (Centos 6.7) and 389-ds but not getting 
very far.


Can anyone point me to a more up to date guide or provide some form of 
idiot-proof guide to get this working? I've been banging my head on 
this for a couple weeks now and despite reading the docs and a load of 
googling I'm not getting very far.


I have the install part down ok including disktuning, file 
descriptors, keepalive, port ranges etc and 389-ds itself of course. 
And on Server2 I can log in to the console using http and a basic LDAP 
test works fine using:


ldapsearch -x -b "dc=example,dc=com"

I think whoever setup the existing Directory Server used a self-signed 
cert as there are pwdfile and noise.txt files in the slapd-instance 
directory so looks like something like this was used to generate the 
CA Cert and Server Cert


certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d 
*.* -z noise.txt -f pwdfile.txt
certutil -S -n "Server-Cert" -s "cn=server.example.com 
,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d 
*.* -z noise.txt -f pwdfile.txt


What I don't have a note of is the unique numbers entered with the -m 
switch. Is there a way to tell what these are after the fact as I 
believe they need to be unique across servers, correct?


Also can someone explain how I export the CA Cert from server 1 to 
server 2 - the docs don't cover that 

Re: [389-users] updating/removing user indexes Q

2015-10-20 Thread ghiureai



 Hi Mark, as per your advice,
I checked

/var/lib/dirsr5v/slapd-INSTANCE/db/useroot/ and the files are gone,

BUT I am seeing these lines
 when exporting the ldap instance; these are the indexes I removed a few days 
ago and saw come back


plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreOrderingMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreSubstringMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreOrderingMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreSubstringMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreSubstringMatch-default] not found
[19/Oct/2015:21:59:04 -0700] - Backend Instance(s):
[19/Oct/2015:21:59:04 -0700] -  userRoot
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=telephoneNumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=sn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=seeAlso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=mailHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=mailAlternateAddress,cn=index,cn=userRoot,cn=ldbm 
database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=givenName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=numericid,cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config]





On 10/20/2015 08:58 AM, ghiureai wrote:




Mark, thank you for the reply; the main reason I was asking is:
 I have seen several times that when I removed user indexes using the admin console, 
after 2-3 days they re-appeared. This is something 
strange; I am running backups and exports on a daily basis on this 
database, but can anyone explain how the indexes are getting re-created??

Thank you

Isabella
On 10/20/2015 08:42 AM, ghiureai wrote:

Hi List,
I would like to know if, after removing user indexes using the admin 
console, there is a need to run the
db2index.pl script while the ldap is shut down, or should it be fine 
to run with DS online?

Thank you
Isabella






[389-users] updating/removing user indexes Q

2015-10-20 Thread ghiureai

Hi List,
I would like to know if, after removing user indexes using the admin 
console, there is a need to run the
db2index.pl script while the ldap is shut down, or should it be fine to 
run with DS online?

Thank you
Isabella


Re: [389-users] updating/removing user indexes Q

2015-10-20 Thread Mark Reynolds



On 10/20/2015 11:42 AM, ghiureai wrote:

Hi List,
I would like to know if, after removing user indexes using the admin 
console, there is a need to run the
db2index.pl script while the ldap is shut down, or should it be fine to 
run with DS online?
There is no need to run db2index if you are removing an index, and it is 
fine to do so while the server is running.  db2index is only used for 
indexing/reindexing existing attributes.

Thank you
Isabella




Re: [389-users] updating/removing user indexes Q

2015-10-20 Thread Mark Reynolds



On 10/20/2015 11:58 AM, ghiureai wrote:




Mark, thank you for the reply; the main reason I was asking is:
 I have seen several times that when I removed user indexes using the admin console, 
after 2-3 days they re-appeared. This is something 
strange; I am running backups and exports on a daily basis on this 
database, but can anyone explain how the indexes are getting re-created??

I've never heard of that happening on its own.

Next time you remove an index, check the FS to see if the file is removed:

example, delete "cn" index and make sure this file is removed:

/var/lib/dirsr5v/slapd-INSTANCE/db/useroot/cn.db

Also make sure that the index entry is removed from cn=config:

# ldapsearch -D "cn=directory manager" -W -b cn=config cn=cn


Now a "restore" can add this file back and update the config.  Are you 
sure you haven't done a restore?


So if the index reappears check cn=config and FS.  Also check if it 
happens after doing a backup - you need to find out what is triggering the 
resurrection of the index.


Mark


Thank you

Isabella
On 10/20/2015 08:42 AM, ghiureai wrote:

Hi List,
I would like to know if, after removing user indexes using the admin 
console, there is a need to run the
db2index.pl script while the ldap is shut down, or should it be fine 
to run with DS online?

Thank you
Isabella
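
Mark's two checks above (no index file left under the backend's db directory, no cn=<attr>,cn=index,... entry left in cn=config) can be scripted so that they are run the same way every time an index is removed, and again when one seems to have come back. The script below is an added example, not code from the thread or from the 389-ds project. It assumes the on-disk layout the thread quotes (db/<backend>/<attr>.db, possibly with a version suffix such as .db4) and that the result of the ldapsearch Mark gives, `ldapsearch -D "cn=directory manager" -W -b cn=config cn=<attr>`, has been saved to an LDIF file; the directory contents and LDIF in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from 389-ds): verify that a removed
# index is really gone, on disk and in cn=config, as Mark Reynolds suggests.
# Assumes the db/<backend>/<attr>.db[N] layout quoted in the thread and a
# saved ldapsearch result; the demo data at the bottom is constructed.

# index_file_present DBDIR ATTR -> 0 if an index file for ATTR is still on disk
index_file_present() {
    for f in "$1/$2.db" "$1/$2.db"[0-9]*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# index_config_present LDIF ATTR -> 0 if the saved cn=config search still holds the index entry
index_config_present() {
    grep -i -q "^dn: cn=$2,cn=index," "$1"
}

# check_index_removed DBDIR LDIF ATTR -> 0 when both checks pass, 1 and a reason otherwise
check_index_removed() {
    rc=0
    if index_file_present "$1" "$3"; then
        echo "$3: index file still present under $1"; rc=1
    fi
    if index_config_present "$2" "$3"; then
        echo "$3: index entry still present in cn=config"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$3: index fully removed"
    return "$rc"
}

# Demo on a constructed instance: 'cn' was removed cleanly, 'mail' only half removed
# (its .db4 file and its cn=config entry are both still there).
demo=$(mktemp -d)
mkdir -p "$demo/db/userRoot"
: > "$demo/db/userRoot/mail.db4"              # constructed leftover index file
cat > "$demo/cn-config.ldif" <<'EOF'
dn: cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: mail
nsIndexType: eq
EOF
for attr in cn mail; do
    check_index_removed "$demo/db/userRoot" "$demo/cn-config.ldif" "$attr" || :
done
rm -rf "$demo"
```

Run it once right after the removal and keep the output; if the index shows up again later, running it after each backup, export and restart narrows down which of those steps resurrects it, which is the question Mark says has to be answered.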






[389-users] Help with understanding 389-ds, multiple server setup and TLS/SSL

2015-10-20 Thread Tom Fallon
Hi folks

I've inherited a 389-ds server (let's call that Server1) running version
389-Management-Console/1.1.7 B2011.172.2016 on which I've been tasked with
getting replication working on a second server (Server2). I am not new to
Linux but am new to System Administration having made the jump from
Helpdesk recently so please bear with me if these seem like stupid
questions

I've struck one hurdle already whereby I can no longer log in on the
Console to Server1 and am getting error:

Error:
Cannot logon because of an incorrect User ID
Incorrect password or Directory problem.
java.io interruptedIOException: HTTP response timeout

I think this has occurred while I tried to get SSL certs copied/exported to
a Server2 as log files show the following.

[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_cipher_init: symmetric
key failed to unwrap with the private key; Cert might have been renewed
since the key is wrapped.  To recover the encrypted contents, keep the
wrapped symmetric key value.
[06/Oct/2015:23:46:46 +0100] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher AES
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_cipher_init: symmetric
key failed to unwrap with the private key; Cert might have been renewed
since the key is wrapped.  To recover the encrypted contents, keep the
wrapped symmetric key value.
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_unwrap_key: failed to
unwrap key for cipher 3DES
[06/Oct/2015:23:46:46 +0100] attrcrypt - attrcrypt_cipher_init: symmetric
key failed to unwrap with the private key; Cert might have been renewed
since the key is wrapped.  To recover the encrypted contents, keep the
wrapped symmetric key value.
[06/Oct/2015:23:46:46 +0100] attrcrypt - All prepared ciphers are not
available. Please disable attribute encryption.
[06/Oct/2015:23:46:47 +0100] - Skipping CoS Definition
cn=nsAccountInactivation_cos,dc=example,dc=com--no CoS Templates found,
which should be added before the CoS Definition.
[06/Oct/2015:23:46:47 +0100] - slapd started.  Listening on All Interfaces
port 389 for LDAP requests
[06/Oct/2015:23:46:47 +0100] - Listening on All Interfaces port 636 for
LDAPS requests

So in theory I recreate the SSL certs on Server1 export to Server2 and
continue on.

I'd appreciate if someone could help in my understanding of how this is
supposed to work in a multi server environment as despite reading the
documentation here:
https://access.redhat.com/documentation/en/red-hat-directory-server/ I'm
struggling to get my head around things.

My understanding is there are these main components (I'm ignoring SNMP bit
for now):

- Directory Server located at /etc/dirsrv/slapd-instance and containing all
the LDAP server pieces and command line tools
- Admin Server located at /etc/dirsrv/admin-serv - docs refer to the
controlling portals which access LDAP server and refers to "Using the Admin
server" guide - I'm presuming this is the Administration Guide now
- Directory Server console - various docs I've read refer to this as the
Directory Server Console or the Admin Console which then bamboozles me as
to whether its incorporated in Directory Server or Admin Server.

I've been trying to follow this guide to multi-master SSL setup -
http://directory.fedoraproject.org/docs/389ds/howto/howto-walkthroughmultimasterssl.html
and
tweaking for my version of OS (Centos 6.7) and 389-ds but not getting very
far.

Can anyone point me to a more up to date guide or provide some form of
idiot-proof guide to get this working? I've been banging my head on this
for a couple weeks now and despite reading the docs and a load of googling
I'm not getting very far.

I have the install part down ok including disktuning, file descriptors,
keepalive, port ranges etc and 389-ds itself of course. And on Server2 I
can log in to the console using http and a basic LDAP test works fine using:

ldapsearch -x -b "dc=example,dc=com"

I think whoever setup the existing Directory Server used a self-signed cert
as there are pwdfile and noise.txt files in the slapd-instance directory so
looks like something like this was used to generate the CA Cert and Server
Cert

certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d
*.* -z noise.txt -f pwdfile.txt
certutil -S -n "Server-Cert" -s "cn=server.example.com
,cn=Directory Server" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d *.*
 -z noise.txt -f pwdfile.txt

What I don't have a note of is the unique numbers entered with the -m
switch. Is there a way to tell what these are after the fact as I believe
they need to be unique across servers, correct?

Also can someone explain how I export the CA Cert from server 1 to server 2
- the docs don't cover that part as far as I can tell other than this
command which as far as I can see exports the CA Cert on the server you run
that command on to ascii format.



Re: [389-users] DS crashed /killed by OS

2015-10-20 Thread German Parente
Hi Trevor,

no problem. In fact, this issue has been investigated by the experts and it's 
due to fragmentation. A fix, using a different allocator, is being tested 
internally right now but is not delivered yet.

The official workaround is different to the one I have proposed. It is, in the 
end, to define a rather small entry cache, since the fragmentation could be like 

15 * size of entry cache.

So, we need something like (15 * size of entry cache )  <  Available memory.

Thanks and regards,

German.



- Original Message -
> From: "Trevor Fong" 
> To: "General discussion list for the 389 Directory server project." 
> <389-users@lists.fedoraproject.org>
> Sent: Tuesday, October 20, 2015 7:09:46 PM
> Subject: Re: [389-users] DS crashed /killed by OS
> 
> Hi German,
> 
> Apologies for resurrecting an old thread.
> We're also experiencing something similar.  We're currently running
> 389-ds-base-1.2.11.15-48.el6_6.x86_64
> 
> I'm afraid I don't have login privileges in order to view the details of the
> bug you linked.
> Could you please post details of how you defined an entry cache to include
> the whole db, and why this works?
> 
> FYI - moves are afoot re upgrading DS on a set of new servers, but in the
> meantime, we need to address this issue.
> 
> 
> Thanks a lot,
> Trev
> 
> 
> 
> 
> 
> On 2015-02-05, 1:57 AM, "389-users-boun...@lists.fedoraproject.org on behalf
> of German Parente" <389-users-boun...@lists.fedoraproject.org on behalf of
> gpare...@redhat.com> wrote:
> 
> >
> >Hi,
> >
> >we have had several customer cases showing this behavior. In one of these
> >cases, we have confirmed it was due to memory fragmentation after
> >cache-trashing.
> >
> >We have stopped seeing this behavior by defining an entry cache which
> >includes the whole db (when possible, of course).
> >
> >Details can be found at:
> >
> >https://bugzilla.redhat.com/show_bug.cgi?id=1186512
> >Apparent memory leak in ns-slapd; OOM-Killer invoked
> >
> >Regards,
> >
> >German
> >
> >- Original Message -
> >> From: "David Boreham" 
> >> To: 389-users@lists.fedoraproject.org
> >> Sent: Wednesday, February 4, 2015 8:50:55 PM
> >> Subject: Re: [389-users] DS crashed /killed by OS
> >> 
> >> On 2/4/2015 11:20 AM, ghiureai wrote:
> >> 
> >> 
> >> 
> >> Out of memory: Kill process 2090 (ns-slapd) score 954 or sacrifice child
> >> 
> >> It wasn't clear to me from your post whether you already have a good
> >> understanding of the OOM killer behavior in the kernel.
> >> On the chance that you're not yet familiar with its ways, suggest reading,
> >> for example this article :
> >> http://unix.stackexchange.com/questions/153585/how-oom-killer-decides-which-process-to-kill-first
> >> I mention this because it may not be the DS that is the problem (not
> >> saying
> >> that it absolutely is not, but it might not be).
> >> The OOM killer picks a process that is using a large amount of memory, and
> >> kills it in order to preserve system stability.
> >> This does not necessarily imply that the process it kills is the process
> >> that
> >> is causing the system to run out of memory.
> >> You said that the DS "crashed", but in fact the kernel killed it -- not
> >> quite
> >> the same thing!
> >> 
> >> It is also possible that the system has insufficient memory for the
> >> processes
> >> it is running, DS cache size and so on.
> >> Certainly it is worthwhile checking that the DS hasn't been inadvertently
> >> configured to use more peak memory than the machine has available.
> >> 
> >> Bottom line : there are a few potential explanations, including but not
> >> limited to a memory leak in the DS process.
> >> Some analysis will be needed to identify the cause. As a precaution, if
> >> you
> >> can -- configure more swap space on the box.
> >> This will allow more runway before the kernel starts looking for processes
> >> to
> >> kill, and hence more time to figure out what's using memory and why.
> >> 
> >> 
> >> 
> >> 
> >> 
> >> 
> >> --
> >> 389 users mailing list
> >> 389-users@lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >--
> >389 users mailing list
> >389-users@lists.fedoraproject.org
> >https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
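
Two pieces of advice in this thread lend themselves to an offline check: German's bound, (15 * size of entry cache) < available memory, and David Boreham's suggestion to confirm the DS has not been configured to use more peak memory than the machine has. The script below is an added example, not code from the thread or from the 389-ds project. It assumes the cache settings are read from dse.ldif as nsslapd-cachememsize (one per backend, in bytes) and nsslapd-dbcachesize (global, in bytes); counting the db cache on top of the 15x entry-cache figure is a conservative extension of German's rule rather than part of it. The dse.ldif fragment and MemTotal value are constructed to mirror Trevor's 6 GB userRoot cache on a 16 GB machine.

```shell
#!/bin/sh
# Added example, not from the thread or from 389-ds: compare a 389-ds
# instance's configured caches with the machine's memory using German
# Parente's bound (15 * entry cache < available memory) and David Boreham's
# advice to check the configured peak footprint. Assumes dse.ldif carries
# nsslapd-cachememsize (per backend, bytes) and nsslapd-dbcachesize (global,
# bytes). Adding the db cache to the 15x entry-cache figure is a conservative
# extension of the rule, not part of it.

# sum_attr FILE ATTR -> sum of every integer value of ATTR in FILE (bytes, 0 if absent)
sum_attr() {
    awk -v attr="$2" '
        tolower($1) == (tolower(attr) ":") { total += $2 }
        END { printf "%.0f\n", total + 0 }' "$1"
}

# cache_check DSE_LDIF MEMTOTAL_KB -> 0 if the worst case fits in RAM, 1 otherwise
cache_check() {
    entry=$(sum_attr "$1" nsslapd-cachememsize)
    dbcache=$(sum_attr "$1" nsslapd-dbcachesize)
    mem_bytes=$(($2 * 1024))
    # Fragmentation can inflate the entry caches to about 15x their configured size
    worst=$((entry * 15 + dbcache))
    echo "entry caches: $entry B, db cache: $dbcache B, RAM: $mem_bytes B"
    echo "worst case (15 * entry caches + db cache): $worst B"
    [ "$worst" -lt "$mem_bytes" ]
}

# max_entry_cache MEMTOTAL_KB DBCACHE_BYTES -> largest total entry cache that satisfies the bound
max_entry_cache() {
    echo $(( ($1 * 1024 - $2) / 15 ))
}

# Demo on constructed data: Trevor's 6 GB userRoot entry cache on a 16 GB box,
# plus a small NetscapeRoot cache and a 1 GB db cache.
demo=$(mktemp -d)
cat > "$demo/dse.ldif" <<'EOF'
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-dbcachesize: 1073741824

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-cachememsize: 6442450944

dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-cachememsize: 10485760
EOF
memtotal_kb=16777216   # constructed MemTotal for a 16 GB machine

if cache_check "$demo/dse.ldif" "$memtotal_kb"; then
    echo "within budget"
else
    echo "over budget; largest total entry cache under the bound:" \
         "$(max_entry_cache "$memtotal_kb" 1073741824) B"
fi
rm -rf "$demo"
```

On a live instance the inputs would be /etc/dirsrv/slapd-INSTANCE/dse.ldif and the MemTotal line of /proc/meminfo. max_entry_cache returns the largest total entry cache that still satisfies the bound, which is the figure Trevor is working out by hand above; with the constructed 1 GB db cache on a 16 GB machine it comes to 1073741824 bytes.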

Re: [389-users] updating/removing user indexes Q

2015-10-20 Thread ghiureai




Mark, thank you for the reply; the main reason I was asking is:
 I have seen several times that when I removed user indexes using the admin console, 
after 2-3 days they re-appeared. This is something strange; 
I am running backups and exports on a daily basis on this database, but 
can anyone explain how the indexes are getting re-created??

Thank you

Isabella
On 10/20/2015 08:42 AM, ghiureai wrote:

Hi List,
I would like to know if, after removing user indexes using the admin
console, there is a need to run the db2index.pl script while the LDAP is
shut down, or should it be fine to run with DS online?

Thank you
Isabella




Re: [389-users] updating/removing user indexes Q

2015-10-20 Thread ghiureai

Hi Mark,

As per the developers' advice, I removed most of the indexes listed here. We
have the memberOf plugin on and the multi-master replication plugin on.

I removed: mail, mailHost, telephoneNumber, seeAlso, owner,
ntUserDomainId, ntUniqueId, mailAlternateAddress, givenName; almost 12 indexes
removed.
After rebooting the DS I see the indexes have been put back, possibly by some of
the plugins which are "on" by default with the 389DS base installation.
What would you advise, which one of them should be removed, and how about the
plugins associated with these indexes?


Thank you so much
Isabella



On 10/20/2015 09:47 AM, ghiureai wrote:

Hi Mark, as per your advice,
I checked /var/lib/dirsr5v/slapd-INSTANCE/db/useroot/ and the files are gone,
BUT I am seeing these lines when exporting the LDAP instance; these are the
indexes I removed a few days ago and saw come back:

plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreOrderingMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreSubstringMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreOrderingMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreSubstringMatch-default] not found
[19/Oct/2015:21:59:04 -0700] plugin_mr_find - Error: matching rule plugin for 
[caseIgnoreSubstringMatch-default] not found
[19/Oct/2015:21:59:04 -0700] - Backend Instance(s):
[19/Oct/2015:21:59:04 -0700] -  userRoot
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=uniquemember,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=telephoneNumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=sn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=seeAlso,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=owner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=mailHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=mailAlternateAddress,cn=index,cn=userRoot,cn=ldbm 
database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=mail,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=givenName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config]
[19/Oct/2015:21:59:04 -0700] - Added database config entry 
[cn=numericid,cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config]






[389-users] nsAccountLock - Server is unwilling to perform

2015-10-20 Thread Mitja Mihelič

Hi!

We are using nsAccountLock=true to lock user accounts. We also
have Dovecot authenticating users against the 389DS.

If we set nsAccountLock=true, then we get:
Oct 20 14:39:30 SERVER dovecot: auth: Error: 
ldap(USERNAME,193.X.Y.Z,): ldap_bind() failed: Server 
is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth: 
ldap(USERNAME,193.X.Y.Z,): Falling back to expired 
data from cache
Dovecot thinks the server is not working properly, so it reads login info
from its cache and authentication succeeds.


Can I set 389DS to return a different response?
Something that says: "User is locked" or "Authentication failed"...

Kind regards, Mitja

--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99

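The failure mode Mitja describes (a locked account's bind is refused with unwillingToPerform, Dovecot treats that as a server fault and serves the login from cache) can at least be spotted in the auth log. This is an added example, not code from the thread or from Dovecot; the log lines are constructed after the ones quoted above, with documentation-range addresses, and the regex assumes the `ldap(user,ip,)` prefix format shown there.

```python
import re

# Constructed Dovecot auth log lines modelled on the ones quoted in the thread.
# alice: bind refused by 389 DS (LDAP result 53, unwillingToPerform) for a
#        locked account, then served from the expired cache -> the gap we want.
# bob:   server genuinely unreachable, cache fallback is the intended behaviour.
# carol: cache fallback with no preceding bind error at all.
SAMPLE_LOG = """\
Oct 20 14:39:30 SERVER dovecot: auth: Error: ldap(alice,192.0.2.10,): ldap_bind() failed: Server is unwilling to perform
Oct 20 14:39:31 SERVER dovecot: auth: ldap(alice,192.0.2.10,): Falling back to expired data from cache
Oct 20 14:40:02 SERVER dovecot: auth: Error: ldap(bob,192.0.2.11,): ldap_bind() failed: Can't contact LDAP server
Oct 20 14:40:03 SERVER dovecot: auth: ldap(bob,192.0.2.11,): Falling back to expired data from cache
Oct 20 14:41:00 SERVER dovecot: auth: ldap(carol,192.0.2.12,): Falling back to expired data from cache
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dovecot: auth: (?:Error: )?"
    r"ldap\((?P<user>[^,]+),(?P<ip>[^,]*),[^)]*\): (?P<msg>.*)$")

UNWILLING = "Server is unwilling to perform"
FALLBACK = "Falling back to expired data from cache"

def find_locked_cache_logins(log_text):
    """Return (timestamp, user, ip) for every cache fallback that directly
    follows an 'unwilling to perform' bind failure for the same user and
    client address, i.e. a login that the directory had refused."""
    last_error = {}   # (user, ip) -> most recent ldap_bind() failure text
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, msg = (m["user"], m["ip"]), m["msg"]
        if "ldap_bind() failed" in msg:
            last_error[key] = msg
        elif msg == FALLBACK:
            if UNWILLING in last_error.get(key, ""):
                hits.append((m["ts"], m["user"], m["ip"]))
            last_error.pop(key, None)   # each fallback consumes one error
    return hits
```

Alerting on these hits tells you which locked accounts still got in through the cache while a proper fix (a bind response Dovecot treats as an authentication failure, or a shorter cache TTL) is worked out.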