[389-users] Re: use GSSAPI behind a haproxy
On Tue, 2018-03-20 at 09:46 +, Alex M wrote:
> Hello!
> I'm trying to set up load balancing of freeipa with haproxy, using this article:
> http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
>
> On this step:
> ---
> On the ldap1 server you should extract this keytab:
>
> kinit
> ipa-getkeytab -s dc.ipa.example.com -p ldap/haproxydemo.ipa.example.com -k /etc/dirsrv/slapd-localhost/ldap.keytab --retrieve
>
> Important is the --retrieve flag to prevent the keytab contents changing.
> --
> First, I got a "failed to parse result insufficient access rights" error.
>
> After:
> ipa service-allow-retrieve-keytab ldap/haproxydemo.ipa.example.com --groups=admins
>
> I get the following error:
> Failed to parse result: krbPrincipalKey not found
>
> So, I ran it without the -r option. It succeeded.
> Then, after adding KRB5_KTNAME=/etc/dirsrv/slapd-localhost/ldap.keytab to /etc/sysconfig/dirsrv-
> After this freeipa fails to start.
> In my setup haproxydemo.ipa.example.com is a haproxy (with ipa client, A/PTR records).
>
> ldap1.ipa.example.com (ldap2, ldap3) are working freeipa replicas.
>
> Any advice on what I am doing wrong?

I'm not 100% sure about freeipa. They may have their own advice about load balancing their installs.

I would suspect that you don't have a service account and principal for ldap/haproxydemo.ipa.example.com, which is why it can't be found.

Hope that helps,

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
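The reply above suspects that the ldap/haproxydemo.ipa.example.com principal does not exist. The other thing that bites in this procedure is the key version number: ipa-getkeytab without --retrieve generates a fresh key for the principal and bumps its kvno on the KDC, so every other keytab that still holds the old key for that principal stops working, which is why the howto insists on --retrieve. Before pointing dirsrv at a keytab through KRB5_KTNAME it is worth checking what the file actually contains: on a real host `klist -kte` does this. The script below is an added example, not code from the 389 DS or FreeIPA projects; it parses the MIT keytab file format (version 0x0502), lists every principal with its kvno and enctype, and checks that both the server's own ldap/ principal and the load-balancer principal are present. The keytab is built in memory with the same record layout, so it runs offline; the realm, hostnames, key bytes and kvno values are constructed for the example.

```python
"""List the principals in an MIT Kerberos keytab and check that the ones a
load-balanced 389 DS / FreeIPA server needs are present, with their kvno.

Added example for the thread above, not code from 389 DS or FreeIPA. The keytab
is built in memory (format 0x0502) so the script runs offline; the realm,
hostnames, key bytes and kvno values are made up.
"""
import struct

KEYTAB_VERSION = b"\x05\x02"
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


def _counted(data):
    """16-bit big-endian length prefix followed by the bytes (counted_octet_string)."""
    return struct.pack(">H", len(data)) + data


def keytab_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialise one entry for 'service/host@REALM' as a length-prefixed record."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno (legacy)
    body += struct.pack(">H", enctype) + _counted(key)               # keyblock
    body += struct.pack(">I", kvno)                                   # 32-bit vno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KEYTAB_VERSION + b"".join(keytab_entry(*e) for e in entries)


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each live entry in a keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        pos += 8                                   # name_type and timestamp, not needed here
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                            # skip the key material itself
        if end - pos >= 4:                         # optional 32-bit vno; authoritative if non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype


def missing_principals(data, required):
    """Return the required principals that have no entry in the keytab."""
    present = {principal for principal, _, _ in parse_keytab(data)}
    return [p for p in required if p not in present]


def kvno_of(data, principal):
    """Highest kvno stored for a principal, or None if it is absent."""
    vnos = [kvno for p, kvno, _ in parse_keytab(data) if p == principal]
    return max(vnos) if vnos else None


# Constructed sample: what the keytab dirsrv reads on ldap1 would have to hold once
# the load-balancer principal sits next to the server's own principal.
REALM = "IPA.EXAMPLE.COM"
OWN_PRINCIPAL = "ldap/ldap1.ipa.example.com@" + REALM
LB_PRINCIPAL = "ldap/haproxydemo.ipa.example.com@" + REALM
SAMPLE_KEYTAB = build_keytab([
    (OWN_PRINCIPAL, 2, 18, bytes(range(32))),
    (LB_PRINCIPAL, 1, 18, bytes(range(32, 64))),
])

if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print("%-55s kvno %d  %s" % (principal, kvno, ENCTYPE_NAMES.get(enctype, enctype)))
    print("missing:", missing_principals(SAMPLE_KEYTAB, [OWN_PRINCIPAL, LB_PRINCIPAL]))
```

To check a real file, read it into `data` and call `missing_principals(data, [...])` with the principals the server is expected to serve; a kvno that differs from what `kvno ldap/haproxydemo.ipa.example.com` reports against the KDC means the keytab holds a stale key and was overwritten by a later ipa-getkeytab run without --retrieve.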
[389-users] Re: autosizing the cache
> > > dbmon.sh
> Tue Mar 20 02:16:04 UTC 2018
> dbcachefree 432873472 free% 80.629 roevicts 0 hit% 99 pagein 1267 pageout 23191
> changelog:ent 616509293897 100.0 4359.2
> changelog:dn 29262999793332 100.0 70.6
> userroot:ent 117776408341275 98.4 8594.6
> userroot:dn 117772998722450 100.0 108.5
>
> ls -lh /var/lib/dirsrv/slapd--XXX/db/userRoot
> total 121M

Yep, with a few GB of cache you'll be able to double or triple your number of entries easily. I think you will have few issues from here.

Thanks!

> Thank you!
> Sergei
[389-users] subtree level password policy enabled with a few user level pwdPolicysubentry exceptions
Hi,

A fine-grained subtree password policy is enabled for ou=people,dc=example,dc=com. The same password policy is applied to all users under ou=people,dc=example,dc=com. I need to apply a different password policy to a few users; what is the best way to do it? The following is my failed attempt.

Using Admin Console, I created a "Fine-grained user policy" for uid=exception1,ou=people,dc=example,dc=com. A new policy entry for uid=exception1 was created under "cn=nspwpolicycontainer,ou=people,dc=example,dc=com". The audit log has the message: pwdPolicysubentry attribute of "uid=exception1,ou=people,dc=example,dc=com" is successfully replaced with the DN of the new user policy entry.

After refreshing the entry "uid=exception1,ou=people,dc=example,dc=com", the pwdPolicysubentry attribute is NOT actually changed; it is still the DN of the subtree policy.
[389-users] Re: error moving an user
Hi,

could you please enable the 16385 errorlog-level (16384 default and 1 trace) just before the operation and send us the /var/log/dirsrv/slapd-INSTNAME/errors:

# -w puts the password on the command line, visible in the process list; -W prompts for it instead
ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w password << EOF
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 16385
EOF

Thanks,
Simon

- Original Message -
> From: "Alberto Viana"
> To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
> Sent: Tuesday, March 20, 2018 6:15:46 PM
> Subject: [389-users] error moving an user
>
> Hey Guys,
>
> 389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330
>
> I'm trying to move one of my users to another OU and I see this kind of error:
>
> Error while moving entry
> - [LDAP: error code 1 - Operations Error]
> java.lang.Exception: [LDAP: error code 1 - Operations Error]
> at
>
> In the log I see:
>
> [20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
>
> I thought that was related to my windows replication, but I disabled it and I'm still getting the error.
>
> Any clues?
[389-users] Re: error moving an user
Anyone? Any clues?

On Tue, Mar 20, 2018 at 2:15 PM, Alberto Viana wrote:
> Hey Guys,
>
> 389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330
>
> I'm trying to move one of my users to another OU and I see this kind of error:
>
> Error while moving entry
> - [LDAP: error code 1 - Operations Error]
> java.lang.Exception: [LDAP: error code 1 - Operations Error]
> at
>
> In the log I see:
>
> [20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
>
> I thought that was related to my windows replication, but I disabled it and I'm still getting the error.
>
> Any clues?