[389-users] Re: use GSSAPI behind a haproxy

2018-03-21 Thread William Brown
On Tue, 2018-03-20 at 09:46 +, Alex M wrote:
> Hello!
> I'm trying setup balancing freeipa with haproxy, using this article: 
> http://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance
> -gssapi.html, 
> 
> On this step:
> ---
> On the ldap1 server you should extract this keytab:
> 
> kinit
> ipa-getkeytab -s dc.ipa.example.com -p ldap/haproxydemo.ipa.example.com \
>     -k /etc/dirsrv/slapd-localhost/ldap.keytab --retrieve
> 
> Important is the --retrieve flag to prevent the keytab contents
> changing.
> --
> First, I got a "failed to parse result: insufficient access rights"
> error.
> 
> After:
>  ipa service-allow-retrieve-keytab ldap/haproxydemo.ipa.example.com
> --groups=admins
> 
> I get the following error:
> Failed to parse result: krbPrincipalKey not found
> 
> So I ran it without the -r flag. It succeeded.
> Then, after I add KRB5_KTNAME=/etc/dirsrv/slapd-localhost/ldap.keytab to
> /etc/sysconfig/dirsrv-, freeipa fails to start.
> In my setup, haproxydemo.ipa.example.com is a haproxy (with ipa
> client, A/PTR records).
> 
> ldap1.ipa.example.com (ldap2, ldap3) are working freeipa replicas.
> 
> Any advice on what I am doing wrong?

I'm not 100% sure about freeipa. They may have their own advice about
load balancing their installs. 

I would suspect that you don't have a service account and principal for
ldap/haproxydemo.ipa.example.com which is why it can't be found.

Hope that helps,
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


[389-users] Re: autosizing the cache

2018-03-21 Thread William Brown

> 
> > dbmon.sh
> Tue Mar 20 02:16:04 UTC 2018
> dbcachefree 432873472 free% 80.629 roevicts 0 hit% 99 pagein 1267 pageout 23191
> changelog:ent        61  6509293897  100.0  4359.2
> changelog:dn       2926  2999793332  100.0    70.6
> userroot:ent      11777  6408341275   98.4  8594.6
> userroot:dn       11777  2998722450  100.0   108.5
> 
> > ls -lh /var/lib/dirsrv/slapd--XXX/db/userRoot
> total 121M

Yep, with a few GB of cache you'll be able to double or triple your
number of entries easily. I think you will have few issues from here.

Thanks! 

> Thank you!
>   Sergei
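The dbmon.sh output above is enough to back out the configured cache sizes and the remaining headroom. The script below is an added example, not code from the thread or from 389-ds: it parses the dbcachefree line and the per-backend cache lines into numbers and reports when a cache is under pressure. The sample is the thread's output with the run-together columns re-split; reading those columns as entry count, free bytes, free% and average entry size is my interpretation of dbmon.sh, and the second, "pressured" sample is constructed.

```python
"""Added example: parse dbmon.sh output and report cache headroom and pressure."""
import re

DBCACHE_RE = re.compile(
    r"dbcachefree (\d+) free% ([\d.]+) roevicts (\d+) hit% (\d+) pagein (\d+) pageout (\d+)")
CACHE_RE = re.compile(r"^\s*(\S+?):(ent|dn)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s*$")

# The thread's dbmon.sh output (columns re-split).
SAMPLE = """\
Tue Mar 20 02:16:04 UTC 2018
dbcachefree 432873472 free% 80.629 roevicts 0 hit% 99 pagein 1267 pageout 23191
changelog:ent        61  6509293897  100.0  4359.2
changelog:dn       2926  2999793332  100.0    70.6
userroot:ent      11777  6408341275   98.4  8594.6
userroot:dn       11777  2998722450  100.0   108.5
"""

# Constructed variant of a starved db cache: read-only evictions and a low hit rate.
PRESSURED = SAMPLE.replace("roevicts 0 hit% 99", "roevicts 1532 hit% 71").replace(
    "free% 80.629", "free% 3.104")


def parse_dbmon(text: str) -> dict:
    """Return {"dbcache": {...}, "caches": {"backend:ent"/"backend:dn": {...}}}."""
    report = {"dbcache": None, "caches": {}}
    for line in text.splitlines():
        m = DBCACHE_RE.search(line)
        if m:
            free, pct, evict, hit, pin, pout = m.groups()
            free, pct = int(free), float(pct)
            report["dbcache"] = {
                "free": free, "free_pct": pct, "roevicts": int(evict), "hit_pct": int(hit),
                "pagein": int(pin), "pageout": int(pout),
                # free bytes / free% gives back the configured nsslapd-dbcachesize
                "total": free / (pct / 100) if pct else None,
            }
            continue
        m = CACHE_RE.match(line)
        if m:
            backend, kind, count, free, pct, avg = m.groups()
            free, pct, avg = int(free), float(pct), float(avg)
            report["caches"][f"{backend}:{kind}"] = {
                "count": int(count), "free": free, "free_pct": pct, "avg_size": avg,
                "total": free / (pct / 100) if pct else None,   # nsslapd-cachememsize / dncachememsize
            }
    return report


def headroom(cache: dict):
    """Entries that still fit in this cache at its current average entry size."""
    return int(cache["free"] / cache["avg_size"]) if cache["avg_size"] else None


def findings(report: dict, min_free_pct: float = 10.0, min_hit_pct: int = 95) -> list:
    """Human-readable pressure indicators; an empty list means nothing to do."""
    out = []
    db = report["dbcache"]
    if db:
        if db["roevicts"]:
            out.append(f"dbcache: {db['roevicts']} read-only page evictions, raise nsslapd-dbcachesize")
        if db["hit_pct"] < min_hit_pct:
            out.append(f"dbcache: hit rate {db['hit_pct']}% is below {min_hit_pct}%")
        if db["free_pct"] < min_free_pct:
            out.append(f"dbcache: only {db['free_pct']}% free")
    for name, c in report["caches"].items():
        if c["free_pct"] < min_free_pct:
            out.append(f"{name}: only {c['free_pct']}% free, raise the cache size for that backend")
    return out


if __name__ == "__main__":
    for label, text in (("thread", SAMPLE), ("pressured", PRESSURED)):
        r = parse_dbmon(text)
        print(f"[{label}] dbcache total {r['dbcache']['total'] / 2**20:.0f} MiB")
        for name, c in r["caches"].items():
            print(f"[{label}] {name}: {c['count']} entries, room for ~{headroom(c)} more")
        print(f"[{label}] findings: {findings(r) or 'none'}")
```

Run on the thread's numbers it reports a 512 MiB db cache at 80% free and roughly 745,000 more userRoot entries fitting at the current 8.6 KB average, which is why the advice above is to stop worrying; the pressured sample shows the three indicators (evictions, hit rate, free%) that would argue for raising the sizes instead.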


[389-users] subtree level password policy enabled with a few user level pwdPolicysubentry exceptions

2018-03-21 Thread albert . luo
Hi,

Fine-grained subtree password policy enabled for ou=people,dc=example,dc=com. 
The same password policy is applied to all users under 
ou=people,dc=example,dc=com. I need to apply a different password policy to a 
few users, what is the best way to do it?

The following are my failed attempts.

Using the Admin Console, I created a "Fine-grained user policy" for 
uid=exception1,ou=people,dc=example,dc=com. A new policy entry for 
uid=exception1 was created under 
"cn=nspwpolicycontainer,ou=people,dc=example,dc=com". The audit log has the 
message that the pwdPolicysubentry attribute of 
"uid=exception1,ou=people,dc=example,dc=com" was successfully replaced with the 
DN of the new user policy entry. After refreshing the entry 
"uid=exception1,ou=people,dc=example,dc=com", the pwdPolicysubentry attribute is 
NOT actually changed; it is still the DN of the subtree policy.
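Two things are worth checking when a per-user policy does not appear to take. pwdpolicysubentry is an operational attribute, so an ldapsearch only returns it when it is requested by name (or with "+"); and the subtree policy is delivered through a CoS definition whose cosAttribute qualifier decides precedence: with "default" a value stored on the entry wins over the CoS-generated one, with "override" the CoS value masks it, so the qualifier on the subtree's CoS definition is the first thing to look at. The code below is an added example, not from the thread or from 389-ds: it builds the LDIF for a per-user policy entry plus the modify that points the user at it, and reads back which policy DN the entry reports. The cn=cn\3DnsPwPolicyEntry\2C... naming mirrors the convention 389's own tooling uses for these entries (any DN works as long as pwdpolicysubentry points at it); the container DN, the policy settings and the ldapsearch output are constructed.

```python
"""Added example: LDIF for a per-user 389-ds password policy and a check of which policy applies."""

_SPECIALS = set('",+;<>\\')   # RFC 4514 section 2.4; '=' is escaped too, matching 389's hex-escaped RDNs


def escape_dn_value(value: str) -> str:
    """Hex-escape a string for use as an RDN attribute value (\\2C for ',', \\3D for '=')."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in _SPECIALS or ch in "=\x00"
        special = special or (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("".join(f"\\{b:02X}" for b in ch.encode()) if special else ch)
    return "".join(out)


def user_policy_dn(user_dn: str, container_dn: str) -> str:
    """DN of the per-user policy entry inside the nsPwPolicyContainer."""
    return f"cn={escape_dn_value('cn=nsPwPolicyEntry,' + user_dn)},{container_dn}"


def user_policy_ldif(user_dn: str, container_dn: str, settings: dict) -> str:
    """LDIF that adds the policy entry and points the user's pwdpolicysubentry at it."""
    policy_dn = user_policy_dn(user_dn, container_dn)
    add = [f"dn: {policy_dn}", "changetype: add", "objectClass: top",
           "objectClass: ldapsubentry", "objectClass: passwordpolicy"]
    add += [f"{attr}: {val}" for attr, val in settings.items()]
    mod = [f"dn: {user_dn}", "changetype: modify", "replace: pwdpolicysubentry",
           f"pwdpolicysubentry: {policy_dn}", "-"]
    return "\n".join(add + [""] + mod) + "\n"


def resolved_policy(search_ldif: str, user_dn: str):
    """Policy DN the user's entry reports, from `ldapsearch ... pwdpolicysubentry` output
    (the attribute is operational and must be requested explicitly)."""
    current = None
    for line in search_ldif.splitlines():
        if line.lower().startswith("dn: "):
            current = line[4:].strip()
        elif (current and current.lower() == user_dn.lower()
              and line.lower().startswith("pwdpolicysubentry:")):
            return line.split(":", 1)[1].strip()
    return None


def policy_matches(search_ldif: str, user_dn: str, container_dn: str) -> bool:
    """True when the entry reports the per-user policy rather than the subtree one."""
    got = resolved_policy(search_ldif, user_dn)
    return got is not None and got.lower() == user_policy_dn(user_dn, container_dn).lower()


# Constructed names and a constructed ldapsearch result reproducing the symptom above:
# the entry still reports the subtree policy after the modify.
USER = "uid=exception1,ou=people,dc=example,dc=com"
CONTAINER = "cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"
SUBTREE_POLICY = "cn=cn\\3DnsPwPolicyEntry\\2Cou\\3Dpeople\\2Cdc\\3Dexample\\2Cdc\\3Dcom," + CONTAINER
SEARCH_OUTPUT = f"dn: {USER}\npwdpolicysubentry: {SUBTREE_POLICY}\n"

if __name__ == "__main__":
    print(user_policy_ldif(USER, CONTAINER, {
        "passwordMinLength": 12, "passwordLockout": "on",
        "passwordMaxFailure": 5, "passwordExp": "on", "passwordMaxAge": 7776000}))
    print("per-user policy in effect:", policy_matches(SEARCH_OUTPUT, USER, CONTAINER))
```

Feed the generated LDIF to ldapmodify as Directory Manager, then search the user with pwdpolicysubentry in the attribute list and run the output through policy_matches. Per-user exceptions weaken the policy for exactly those accounts, so keep the list of entries with a non-subtree pwdpolicysubentry under review.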


[389-users] Re: error moving an user

2018-03-21 Thread Simon Pichugin
Hi,
could you please enable error log level 16385 (16384 default plus 1 trace) just 
before the operation and send us /var/log/dirsrv/slapd-INSTNAME/errors:

ldapmodify -h localhost -p 389 -D "cn=Directory manager" -w password << EOF
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 16385
EOF

Thanks,
Simon

- Original Message -
> From: "Alberto Viana" 
> To: "General discussion list for the 389 Directory server project." 
> <389-users@lists.fedoraproject.org>
> Sent: Tuesday, March 20, 2018 6:15:46 PM
> Subject: [389-users] error moving an user
> 
> Hey Guys,
> 
> 389 version: 389-Directory/1.3.7.4.20170912git26a9426 B2017.255.1330
> 
> I'm trying to move one of my users to another OU and I see this kind of
> error:
> 
> Error while moving entry
> - [LDAP: error code 1 - Operations Error]
> java.lang.Exception: [LDAP: error code 1 - Operations Error]
> at
> 
> 
> In the log I see:
> 
> [20/Mar/2018:14:12:27.172553808 -0300] - ERR - ldbm_back_modrdn -
> SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set
> SLAPI_RESULT_CODE
> 
> I thought that was related to my windows replication, but I disabled it and
> I'm still getting the error.
> 
> Any clues?
> 
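Trace logging (bit 1) is verbose and slows the server, and -w puts the Directory Manager password into the process list and shell history, so the level is best raised for just the failing operation and restored afterwards. The script below is an added example, not Simon's or the project's code: it wraps the operation with the level change and always puts the default back. It assumes OpenLDAP ldapmodify flags, an instance on localhost:389, and the password in a mode-0600 file read with -y; the file path and move-user.ldif are placeholders.

```shell
# Added example: run one operation under 389-ds trace logging, then restore the level.
PWFILE="${PWFILE:-/root/.dirsrv-dm.pw}"          # assumed path to a 0600 password file
URI="${URI:-ldap://localhost:389}"
DEFAULT_LEVEL=16384                              # 389-ds default error log level
TRACE_LEVEL=$((DEFAULT_LEVEL + 1))               # plus bit 1 = trace function calls

errorlog_ldif() {
    # Emit the LDIF that sets nsslapd-errorlog-level on cn=config to $1.
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: $1
EOF
}

has_bit() {
    # True when level $1 has bit $2 set, e.g. has_bit 16385 1.
    [ $(( $1 & $2 )) -ne 0 ]
}

set_errorlog_level() {
    errorlog_ldif "$1" | ldapmodify -x -H "$URI" -D "cn=Directory Manager" -y "$PWFILE"
}

with_trace_logging() {
    # Run "$@" with trace logging on; restore the default level even when it fails,
    # so the verbose level never stays enabled by accident.
    set_errorlog_level "$TRACE_LEVEL" || return 1
    "$@"
    rc=$?
    set_errorlog_level "$DEFAULT_LEVEL"
    return $rc
}

# Usage, reproducing the move from the thread as an LDIF modrdn in move-user.ldif:
#   with_trace_logging ldapmodify -x -H "$URI" -D "cn=Directory Manager" -y "$PWFILE" -f move-user.ldif
#   grep -n 'ldbm_back_modrdn\|SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN' /var/log/dirsrv/slapd-INSTNAME/errors
```

The lines logged between the two level changes are the ones to send; the trace output names the plugin whose BE_TXN_POST_MODRDN callback returned the error without setting a result code.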


[389-users] Re: error moving an user

2018-03-21 Thread Alberto Viana
Anyone?

Any clues?
