Re: Database Repair issues (M20 and M23)
I may have the build running. I will let you know.

Thanks again.

On Thu, May 18, 2017 at 11:12 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> Emmanuel, Thank you for your response,
>
> It cannot find a dependency `Could not resolve dependencies for project org.apache.directory.server:apacheds-interceptors-admin:bundle:2.0.0-M24-SNAPSHOT`
>
> On Thu, May 18, 2017 at 10:23 AM, Emmanuel Lécharny <elecha...@gmail.com> wrote:
>
>> Hi Ezra,
>>
>> there were some bug in the command line which has been fixed in trunk. We don't have nightly build for ApacheDS, but you can easily build the project : just run 'mvn clean install' at the root of checked out source (svn co http://svn.apache.org/repos/asf/directory/apacheds/trunk), then move to the 'installers' directory and type 'mvn clean install -Pinstallers', that will generate an installer for your target OS (in installers/target/installers directory)
>>
>> On 17/05/2017 at 00:56, Ezsra McDonald wrote:
>> > We are running ADS M20 on Linux.
>> >
>> > We had some database issues so we tried the partition-plumber.jar. It seems to run fine and rebuilds everything. Next we try to start the server. The server startup takes nearly 15 minutes. Once we get the banner we connect to the server. The partition is empty.
>> >
>> > Next, we tried installing M23 and created a partition. We replaced the partition with the partition data from the M20 instance.
>> >
>> > We see the following in the wrapper log however the instance never seems to start complete.
>> >
>> > TATUS | wrapper | 2017/05/16 17:40:07 | --> Wrapper Started as Daemon
>> > STATUS | wrapper | 2017/05/16 17:40:07 | Launching a JVM...
>> > INFO | jvm 1| 2017/05/16 17:40:07 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
>> > INFO | jvm 1| 2017/05/16 17:40:07 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
>> > INFO | jvm 1| 2017/05/16 17:40:07 |
>> > INFO | jvm 1| 2017/05/16 17:40:08 | Trying to repair the following data :/opt/ApacheDS/var/lib/default
>> > INFO | jvm 1| 2017/05/16 17:40:08 | Starting the service.
>> >
>> > I don't see any logs related to repairs. Those would be handy. Maybe it is still repairing but I can't tell. The files are not changing size on the file system.
>> >
>> > If I restart M23 with the repair argument we get an error:
>> >
>> > Repairing ApacheDS - default...
>> > FATAL | wrapper | Unable to resolve the full path of the configuration file, wrapper.app.parameter.1=repair: No such file or directory
>> > Starting ApacheDS - default...
>>
>> --
>> Emmanuel Lecharny
>>
>> Symas.com
>> directory.apache.org
Re: Database Repair issues (M20 and M23)
Emmanuel, Thank you for your response,

It cannot find a dependency `Could not resolve dependencies for project org.apache.directory.server:apacheds-interceptors-admin:bundle:2.0.0-M24-SNAPSHOT`

On Thu, May 18, 2017 at 10:23 AM, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> Hi Ezra,
>
> there were some bug in the command line which has been fixed in trunk. We don't have nightly build for ApacheDS, but you can easily build the project : just run 'mvn clean install' at the root of checked out source (svn co http://svn.apache.org/repos/asf/directory/apacheds/trunk), then move to the 'installers' directory and type 'mvn clean install -Pinstallers', that will generate an installer for your target OS (in installers/target/installers directory)
>
> On 17/05/2017 at 00:56, Ezsra McDonald wrote:
> > We are running ADS M20 on Linux.
> >
> > We had some database issues so we tried the partition-plumber.jar. It seems to run fine and rebuilds everything. Next we try to start the server. The server startup takes nearly 15 minutes. Once we get the banner we connect to the server. The partition is empty.
> >
> > Next, we tried installing M23 and created a partition. We replaced the partition with the partition data from the M20 instance.
> >
> > We see the following in the wrapper log however the instance never seems to start complete.
> >
> > TATUS | wrapper | 2017/05/16 17:40:07 | --> Wrapper Started as Daemon
> > STATUS | wrapper | 2017/05/16 17:40:07 | Launching a JVM...
> > INFO | jvm 1| 2017/05/16 17:40:07 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
> > INFO | jvm 1| 2017/05/16 17:40:07 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
> > INFO | jvm 1| 2017/05/16 17:40:07 |
> > INFO | jvm 1| 2017/05/16 17:40:08 | Trying to repair the following data :/opt/ApacheDS/var/lib/default
> > INFO | jvm 1| 2017/05/16 17:40:08 | Starting the service.
> >
> > I don't see any logs related to repairs. Those would be handy. Maybe it is still repairing but I can't tell. The files are not changing size on the file system.
> >
> > If I restart M23 with the repair argument we get an error:
> >
> > Repairing ApacheDS - default...
> > FATAL | wrapper | Unable to resolve the full path of the configuration file, wrapper.app.parameter.1=repair: No such file or directory
> > Starting ApacheDS - default...
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
Re: Database Repair issues (M20 and M23)
Any suggestions?

On Tue, May 16, 2017 at 5:56 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> We are running ADS M20 on Linux.
>
> We had some database issues so we tried the partition-plumber.jar. It seems to run fine and rebuilds everything. Next we try to start the server. The server startup takes nearly 15 minutes. Once we get the banner we connect to the server. The partition is empty.
>
> Next, we tried installing M23 and created a partition. We replaced the partition with the partition data from the M20 instance.
>
> We see the following in the wrapper log however the instance never seems to start complete.
>
> TATUS | wrapper | 2017/05/16 17:40:07 | --> Wrapper Started as Daemon
> STATUS | wrapper | 2017/05/16 17:40:07 | Launching a JVM...
> INFO | jvm 1| 2017/05/16 17:40:07 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
> INFO | jvm 1| 2017/05/16 17:40:07 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
> INFO | jvm 1| 2017/05/16 17:40:07 |
> INFO | jvm 1| 2017/05/16 17:40:08 | Trying to repair the following data :/opt/ApacheDS/var/lib/default
> INFO | jvm 1| 2017/05/16 17:40:08 | Starting the service.
>
> I don't see any logs related to repairs. Those would be handy. Maybe it is still repairing but I can't tell. The files are not changing size on the file system.
>
> If I restart M23 with the repair argument we get an error:
>
> Repairing ApacheDS - default...
> FATAL | wrapper | Unable to resolve the full path of the configuration file, wrapper.app.parameter.1=repair: No such file or directory
> Starting ApacheDS - default...
Database Repair issues (M20 and M23)
We are running ADS M20 on Linux.

We had some database issues so we tried the partition-plumber.jar. It seems to run fine and rebuilds everything. Next we try to start the server. The server startup takes nearly 15 minutes. Once we get the banner we connect to the server. The partition is empty.

Next, we tried installing M23 and created a partition. We replaced the partition with the partition data from the M20 instance.

We see the following in the wrapper log however the instance never seems to start complete.

TATUS | wrapper | 2017/05/16 17:40:07 | --> Wrapper Started as Daemon
STATUS | wrapper | 2017/05/16 17:40:07 | Launching a JVM...
INFO | jvm 1| 2017/05/16 17:40:07 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
INFO | jvm 1| 2017/05/16 17:40:07 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
INFO | jvm 1| 2017/05/16 17:40:07 |
INFO | jvm 1| 2017/05/16 17:40:08 | Trying to repair the following data :/opt/ApacheDS/var/lib/default
INFO | jvm 1| 2017/05/16 17:40:08 | Starting the service.

I don't see any logs related to repairs. Those would be handy. Maybe it is still repairing but I can't tell. The files are not changing size on the file system.

If I restart M23 with the repair argument we get an error:

Repairing ApacheDS - default...
FATAL | wrapper | Unable to resolve the full path of the configuration file, wrapper.app.parameter.1=repair: No such file or directory
Starting ApacheDS - default...
Re: Export to a stand-alone OpenLDAP server - operational attributes
Ah, Slapcat maybe. I'll give it a try.

Thanks

On Wed, Oct 26, 2016 at 7:16 PM, Lohr, Donald <loh...@jmu.edu> wrote:

> I can not speak to OpenLDAP, but if it is like others, you can not add operational attributes through a conventional ldapadd / ldapmodify operation. Some LDAP products have a bulk load process that is done with the directory service module stopped, that allows you to add certain operational attributes. But be aware that if you are moving from one vendor's product to another, you may have to use some form of scripting to reformat the time based attributes.
>
> On 10/26/16 5:35 PM, Ezsra McDonald wrote:
>
>> What is the trick to export the LDAP to an OpenLDAP server used for other purposes? OpenLDAP does not want to allow the add of operational attributes. We need the password history and aging to come over.
>>
>> Has anyone done this?
>>
>> --Ezsra
Export to a stand-alone OpenLDAP server - operational attributes
What is the trick to export the LDAP to an OpenLDAP server used for other purposes? OpenLDAP does not want to allow the add of operational attributes. We need the password history and aging to come over.

Has anyone done this?

--Ezsra
Upgrade procedures?
I did some searches for upgrade procedures. Are they posted somewhere?

Upgrade from M20 to M23 using .bin binary package.

Thanks,

--Ezsra
Index on mail attribute does not work
We had to rebuild our ADS using the plumber and the indexes did not build right. We removed the mail index from the partition and restarted the instance. Then we added a partition back and started it again. It takes a while but finally starts. We still can do wild card searches like we could before. They take a long time to run.

ldapsearch -LLL -x -H ldap://localhost:10389/ -b "ou=People,dc=www,dc=somewhere,dc=com" "mail=*usern...@somewhere.com*"

ADS M20
Linux OS

This is pretty urgent if anyone can help.

--EZ
Re: Full SYNC_REFRESH required
Does partition-plumber do anything that could impact replication? I backed out the index rebuilds and the replication works.

What can I add to log4j.properties to get a better look at the replication processes? I added the following but they are not too helpful:

# Replication logs
log4j.logger.org.apache.directory.server.PROVIDER_LOG=INFO
log4j.logger.org.apache.directory.server.CONSUMER_LOG=INFO

On Fri, Jun 10, 2016 at 11:54 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> ADS M20
> Enterprise Linux
>
> What does "Full SYNC_REFRESH required" mean?
>
> This is what I have done:
> 1. Rebuilt node1's indexes using partition-plumber
> 2. Copied the rebuilt partition over to replace the partition on node2. (node2 had some major corruption on the master.db file)
> 3. restarted the instances.
> 4. Observed logs and saw "Full SYNC_REFRESH required from node2" on the node1 wrapper.log
>
> If I change a record on node1 it replicates to node2. If I change a record on node2 it does not appear to replicate to node1.
Full SYNC_REFRESH required
ADS M20
Enterprise Linux

What does "Full SYNC_REFRESH required" mean?

This is what I have done:
1. Rebuilt node1's indexes using partition-plumber
2. Copied the rebuilt partition over to replace the partition on node2. (node2 had some major corruption on the master.db file)
3. restarted the instances.
4. Observed logs and saw "Full SYNC_REFRESH required from node2" on the node1 wrapper.log

If I change a record on node1 it replicates to node2. If I change a record on node2 it does not appear to replicate to node1.
Re: Move ADS to new location on disk
I removed the connection from studio and created a new one. All good.

On Thu, Jun 9, 2016 at 9:23 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> After relocating ADS to a new filesystem the partition is empty when I browse it in Apache Directory Studio. But I can do a search and find results. Any idea why?
>
> On Thu, Jun 9, 2016 at 5:58 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:
>
>> I figured it out.
>>
>> wrapper-instance.conf contains a line "#include /opt/foo/ApacheDS/opt/conf/wrapper.conf"
>>
>> Okay, how many of you think that line is a comment? It is not. You have to correct that line leaving the '#' at the beginning.
>>
>> This works:
>>
>> "#include /opt/ApacheDS/opt/conf/wrapper.conf"
>>
>> On Thu, Jun 9, 2016 at 5:13 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:
>>
>>> I found a wrapper.log in /opt/ApacheDS/opt/bin
>>>
>>> STATUS | wrapper | 2016/06/08 16:57:41 | --> Wrapper Started as Daemon
>>> STATUS | wrapper | 2016/06/08 16:57:41 | Launching a JVM...
>>> ERROR | wrapper | 2016/06/08 16:57:41 | JVM exited while loading the application.
>>> INFO | jvm 1| 2016/06/08 16:57:41 | Error: Could not find or load main class Main
>>> STATUS | wrapper | 2016/06/08 16:57:45 | Launching a JVM...
>>> ERROR | wrapper | 2016/06/08 16:57:45 | JVM exited while loading the application.
>>> INFO | jvm 2| 2016/06/08 16:57:45 | Error: Could not find or load main class Main
>>> STATUS | wrapper | 2016/06/08 16:57:49 | Launching a JVM...
>>> ERROR | wrapper | 2016/06/08 16:57:49 | JVM exited while loading the application.
>>> INFO | jvm 3| 2016/06/08 16:57:49 | Error: Could not find or load main class Main
>>> STATUS | wrapper | 2016/06/08 16:57:54 | Launching a JVM...
>>> ERROR | wrapper | 2016/06/08 16:57:54 | JVM exited while loading the application.
>>> INFO | jvm 4| 2016/06/08 16:57:54 | Error: Could not find or load >>> main class Main >>> STATUS | wrapper | 2016/06/08 16:57:58 | Launching a JVM... >>> ERROR | wrapper | 2016/06/08 16:57:58 | JVM exited while loading the >>> application. >>> INFO | jvm 5| 2016/06/08 16:57:58 | Error: Could not find or load >>> main class Main >>> FATAL | wrapper | 2016/06/08 16:57:58 | There were 5 failed launches >>> in a row, each lasting less than 300 seconds. Giving up. >>> FATAL | wrapper | 2016/06/08 16:57:58 | There may be a configuration >>> problem: please check the logs. >>> STATUS | wrapper | 2016/06/08 16:57:58 | <-- Wrapper Stopped >>> >>> I am not a java guy so no clue. :-) >>> >>> I'll google a bit. >>> >>> On Thu, Jun 9, 2016 at 4:39 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com >>> > wrote: >>> >>>> Hmm, Seems to be a problem still. >>>> >>>> I did the following : >>>> >>>> >>>> cd /servers/ApacheDS/ >>>> # Tar up opt var folders >>>> sudo tar czvf ~/ads-server.tgz * >>>> cd /opt/ApacheDS/ >>>> sudo tar xzvf ~/ads-server.tgz >>>> sudo vi /etc/init.d/apacheds-2.0.0-M20-default >>>> CHANGE FILE: /etc/init.d/apacheds-2.0.0-M20-default >>>> LINE NUMBER: 36 >>>> >>>> /opt/ApacheDS/opt/bin/apacheds $1 default >>>> sudo vi /opt/ApacheDS/opt/bin/apacheds >>>> CHANGE FILE: /opt/ApacheDS/opt/bin/apacheds >>>> LINE NUMBERS: 30 & 31 >>>> >>>> INSTALLATION_DIRECTORY="/opt/ApacheDS/opt" >>>> INSTANCES_DIRECTORY="/opt/ApacheDS/var/lib" >>>> >>>> The server fails to start >>>> >>>> PS shows the following process but it dies shortly after issuing the >>>> start command: >>>> >>>> apacheds 16052 1 0 16:22 ?00:00:00 >>>> /opt/ApacheDS/opt/bin/wrapper >>>> /opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf >>>> set.INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default set.INSTANCE=default >>>> wrapper.syslog.ident=apacheds >>>> wrapper.pidfile=/opt/ApacheDS/var/lib/default/run/apacheds-default.pid >>>> wrapper.daemonize=TRUE >>>> >>>> The last thing in the logs is a log from 
when I stopped the instance: >>>> >>>>
Re: Move ADS to new location on disk
After relocating ADS to a new filesystem the partition is empty when I browse it in Apache Directory Studio. But I can do a search and find results. Any idea why?

On Thu, Jun 9, 2016 at 5:58 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> I figured it out.
>
> wrapper-instance.conf contains a line "#include /opt/foo/ApacheDS/opt/conf/wrapper.conf"
>
> Okay, how many of you think that line is a comment? It is not. You have to correct that line leaving the '#' at the beginning.
>
> This works:
>
> "#include /opt/ApacheDS/opt/conf/wrapper.conf"
>
> On Thu, Jun 9, 2016 at 5:13 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:
>
>> I found a wrapper.log in /opt/ApacheDS/opt/bin
>>
>> STATUS | wrapper | 2016/06/08 16:57:41 | --> Wrapper Started as Daemon
>> STATUS | wrapper | 2016/06/08 16:57:41 | Launching a JVM...
>> ERROR | wrapper | 2016/06/08 16:57:41 | JVM exited while loading the application.
>> INFO | jvm 1| 2016/06/08 16:57:41 | Error: Could not find or load main class Main
>> STATUS | wrapper | 2016/06/08 16:57:45 | Launching a JVM...
>> ERROR | wrapper | 2016/06/08 16:57:45 | JVM exited while loading the application.
>> INFO | jvm 2| 2016/06/08 16:57:45 | Error: Could not find or load main class Main
>> STATUS | wrapper | 2016/06/08 16:57:49 | Launching a JVM...
>> ERROR | wrapper | 2016/06/08 16:57:49 | JVM exited while loading the application.
>> INFO | jvm 3| 2016/06/08 16:57:49 | Error: Could not find or load main class Main
>> STATUS | wrapper | 2016/06/08 16:57:54 | Launching a JVM...
>> ERROR | wrapper | 2016/06/08 16:57:54 | JVM exited while loading the application.
>> INFO | jvm 4| 2016/06/08 16:57:54 | Error: Could not find or load main class Main
>> STATUS | wrapper | 2016/06/08 16:57:58 | Launching a JVM...
>> ERROR | wrapper | 2016/06/08 16:57:58 | JVM exited while loading the application.
>> INFO | jvm 5| 2016/06/08 16:57:58 | Error: Could not find or load >> main class Main >> FATAL | wrapper | 2016/06/08 16:57:58 | There were 5 failed launches in >> a row, each lasting less than 300 seconds. Giving up. >> FATAL | wrapper | 2016/06/08 16:57:58 | There may be a configuration >> problem: please check the logs. >> STATUS | wrapper | 2016/06/08 16:57:58 | <-- Wrapper Stopped >> >> I am not a java guy so no clue. :-) >> >> I'll google a bit. >> >> On Thu, Jun 9, 2016 at 4:39 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> >> wrote: >> >>> Hmm, Seems to be a problem still. >>> >>> I did the following : >>> >>> >>> cd /servers/ApacheDS/ >>> # Tar up opt var folders >>> sudo tar czvf ~/ads-server.tgz * >>> cd /opt/ApacheDS/ >>> sudo tar xzvf ~/ads-server.tgz >>> sudo vi /etc/init.d/apacheds-2.0.0-M20-default >>> CHANGE FILE: /etc/init.d/apacheds-2.0.0-M20-default >>> LINE NUMBER: 36 >>> >>> /opt/ApacheDS/opt/bin/apacheds $1 default >>> sudo vi /opt/ApacheDS/opt/bin/apacheds >>> CHANGE FILE: /opt/ApacheDS/opt/bin/apacheds >>> LINE NUMBERS: 30 & 31 >>> >>> INSTALLATION_DIRECTORY="/opt/ApacheDS/opt" >>> INSTANCES_DIRECTORY="/opt/ApacheDS/var/lib" >>> >>> The server fails to start >>> >>> PS shows the following process but it dies shortly after issuing the >>> start command: >>> >>> apacheds 16052 1 0 16:22 ?00:00:00 >>> /opt/ApacheDS/opt/bin/wrapper >>> /opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf >>> set.INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default set.INSTANCE=default >>> wrapper.syslog.ident=apacheds >>> wrapper.pidfile=/opt/ApacheDS/var/lib/default/run/apacheds-default.pid >>> wrapper.daemonize=TRUE >>> >>> The last thing in the logs is a log from when I stopped the instance: >>> >>> STATUS | wrapper | 2016/06/08 15:03:22 | <-- Wrapper Stopped >>> >>> >>> I added a 'set -x' to /opt/ApacheDS/opt/bin/apacheds and started the >>> server again: >>> >>> >>> + INSTANCE=default >>> + INSTALLATION_DIRECTORY=/opt/ApacheDS/opt >>> + 
INSTANCES_DIRECTORY=/opt/ApacheDS/var/lib >>> + INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default >>> + APP_NAME=apacheds >>> + APP_LONG_NAME='ApacheDS - default' >>> + WRAPPER_CMD=/opt/ApacheDS/opt/bin/wrapper >>> + WRAPP
Re: Move ADS to new location on disk
I figured it out.

wrapper-instance.conf contains a line "#include /opt/foo/ApacheDS/opt/conf/wrapper.conf"

Okay, how many of you think that line is a comment? It is not. You have to correct that line leaving the '#' at the beginning.

This works:

"#include /opt/ApacheDS/opt/conf/wrapper.conf"

On Thu, Jun 9, 2016 at 5:13 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> I found a wrapper.log in /opt/ApacheDS/opt/bin
>
> STATUS | wrapper | 2016/06/08 16:57:41 | --> Wrapper Started as Daemon
> STATUS | wrapper | 2016/06/08 16:57:41 | Launching a JVM...
> ERROR | wrapper | 2016/06/08 16:57:41 | JVM exited while loading the application.
> INFO | jvm 1| 2016/06/08 16:57:41 | Error: Could not find or load main class Main
> STATUS | wrapper | 2016/06/08 16:57:45 | Launching a JVM...
> ERROR | wrapper | 2016/06/08 16:57:45 | JVM exited while loading the application.
> INFO | jvm 2| 2016/06/08 16:57:45 | Error: Could not find or load main class Main
> STATUS | wrapper | 2016/06/08 16:57:49 | Launching a JVM...
> ERROR | wrapper | 2016/06/08 16:57:49 | JVM exited while loading the application.
> INFO | jvm 3| 2016/06/08 16:57:49 | Error: Could not find or load main class Main
> STATUS | wrapper | 2016/06/08 16:57:54 | Launching a JVM...
> ERROR | wrapper | 2016/06/08 16:57:54 | JVM exited while loading the application.
> INFO | jvm 4| 2016/06/08 16:57:54 | Error: Could not find or load main class Main
> STATUS | wrapper | 2016/06/08 16:57:58 | Launching a JVM...
> ERROR | wrapper | 2016/06/08 16:57:58 | JVM exited while loading the application.
> INFO | jvm 5| 2016/06/08 16:57:58 | Error: Could not find or load main class Main
> FATAL | wrapper | 2016/06/08 16:57:58 | There were 5 failed launches in a row, each lasting less than 300 seconds. Giving up.
> FATAL | wrapper | 2016/06/08 16:57:58 | There may be a configuration problem: please check the logs.
> STATUS | wrapper | 2016/06/08 16:57:58 | <-- Wrapper Stopped > > I am not a java guy so no clue. :-) > > I'll google a bit. > > On Thu, Jun 9, 2016 at 4:39 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> > wrote: > >> Hmm, Seems to be a problem still. >> >> I did the following : >> >> >> cd /servers/ApacheDS/ >> # Tar up opt var folders >> sudo tar czvf ~/ads-server.tgz * >> cd /opt/ApacheDS/ >> sudo tar xzvf ~/ads-server.tgz >> sudo vi /etc/init.d/apacheds-2.0.0-M20-default >> CHANGE FILE: /etc/init.d/apacheds-2.0.0-M20-default >> LINE NUMBER: 36 >> >> /opt/ApacheDS/opt/bin/apacheds $1 default >> sudo vi /opt/ApacheDS/opt/bin/apacheds >> CHANGE FILE: /opt/ApacheDS/opt/bin/apacheds >> LINE NUMBERS: 30 & 31 >> >> INSTALLATION_DIRECTORY="/opt/ApacheDS/opt" >> INSTANCES_DIRECTORY="/opt/ApacheDS/var/lib" >> >> The server fails to start >> >> PS shows the following process but it dies shortly after issuing the >> start command: >> >> apacheds 16052 1 0 16:22 ?00:00:00 >> /opt/ApacheDS/opt/bin/wrapper >> /opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf >> set.INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default set.INSTANCE=default >> wrapper.syslog.ident=apacheds >> wrapper.pidfile=/opt/ApacheDS/var/lib/default/run/apacheds-default.pid >> wrapper.daemonize=TRUE >> >> The last thing in the logs is a log from when I stopped the instance: >> >> STATUS | wrapper | 2016/06/08 15:03:22 | <-- Wrapper Stopped >> >> >> I added a 'set -x' to /opt/ApacheDS/opt/bin/apacheds and started the >> server again: >> >> >> + INSTANCE=default >> + INSTALLATION_DIRECTORY=/opt/ApacheDS/opt >> + INSTANCES_DIRECTORY=/opt/ApacheDS/var/lib >> + INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default >> + APP_NAME=apacheds >> + APP_LONG_NAME='ApacheDS - default' >> + WRAPPER_CMD=/opt/ApacheDS/opt/bin/wrapper >> + WRAPPER_CONF=/opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf >> + PRIORITY= >> + PIDDIR=/opt/ApacheDS/var/lib/default/run >> + RUN_AS_USER=apacheds >> + RUN_AS_GROUP=apacheds >> + 
case $0 in >> + SCRIPT=/opt/ApacheDS/opt/bin/apacheds >> + CHANGED=true >> + '[' Xtrue '!=' X ']' >> ++ echo /opt/ApacheDS/opt/bin/apacheds >> ++ sed -e 's; ;:;g' >> + SAFESCRIPT=/opt/ApacheDS/opt/bin/apacheds >> ++ echo /opt/ApacheDS/opt/bin/apacheds >> ++ sed -e 's;/; ;g' >> + TOKENS=' opt ApacheDS opt bin apacheds' >> + REALPATH= >> + for C in '$TOKENS' >> ++ echo opt >> ++ sed -e 's;:; ;g' >> + C=o
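The `#include` line described in the "I figured it out" message above is a Java Service Wrapper directive rather than a comment, so a path left over from the old location is easy to overlook after moving an installation. The script below is an added example (not part of the thread and not ApacheDS or Wrapper code) that lists every `#include` target in a wrapper configuration file and flags the ones that do not exist; the function names and the sample tree it builds under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: find '#include' directives in a Java Service Wrapper
# configuration file whose target file is missing (for instance after the
# installation was moved, as in the thread above).

# check_wrapper_includes CONF
# Prints one line per directive:
#   OK <path>        absolute target exists
#   MISSING <path>   absolute target does not exist
#   RELATIVE <path>  relative target, reported but not resolved here
# Exit status: 0 = nothing missing, 1 = at least one missing, 2 = bad input.
check_wrapper_includes() (
    conf=$1
    [ -r "$conf" ] || { echo "cannot read: $conf" >&2; exit 2; }
    missing=0
    # Only a line that starts with '#include' followed by whitespace counts;
    # '# include ...' (with a space after '#') is an ordinary comment.
    # Trailing whitespace, including a CR from DOS line endings, is trimmed.
    includes=$(sed -n \
        's/^#include[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf")
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        case $target in
            /*)
                if [ -f "$target" ]; then
                    echo "OK $target"
                else
                    echo "MISSING $target"
                    missing=1
                fi
                ;;
            *)
                echo "RELATIVE $target"
                ;;
        esac
    done <<EOF
$includes
EOF
    exit "$missing"
)

# make_sample ROOT
# Builds a constructed layout under ROOT that mirrors the paths in the thread:
# the instance file includes one stale path (old location) and one valid path.
make_sample() {
    root=$1
    mkdir -p "$root/opt/ApacheDS/opt/conf" \
             "$root/opt/ApacheDS/var/lib/default/conf"
    : > "$root/opt/ApacheDS/opt/conf/wrapper.conf"
    cat > "$root/opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf" <<EOF
#include $root/opt/foo/ApacheDS/opt/conf/wrapper.conf
#include $root/opt/ApacheDS/opt/conf/wrapper.conf
# include /this/line/is/a/real/comment.conf
wrapper.syslog.ident=apacheds
EOF
}

# Demonstration on the constructed sample.
demo_root=$(mktemp -d)
make_sample "$demo_root"
check_wrapper_includes \
    "$demo_root/opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf" \
    || echo "stale #include target(s) found"
rm -rf "$demo_root"
```

Against a real instance, pass the path of its `conf/wrapper-instance.conf` to `check_wrapper_includes` after relocating the tree.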
Re: Move ADS to new location on disk
I found a wrapper.log in /opt/ApacheDS/opt/bin

STATUS | wrapper | 2016/06/08 16:57:41 | --> Wrapper Started as Daemon
STATUS | wrapper | 2016/06/08 16:57:41 | Launching a JVM...
ERROR | wrapper | 2016/06/08 16:57:41 | JVM exited while loading the application.
INFO | jvm 1| 2016/06/08 16:57:41 | Error: Could not find or load main class Main
STATUS | wrapper | 2016/06/08 16:57:45 | Launching a JVM...
ERROR | wrapper | 2016/06/08 16:57:45 | JVM exited while loading the application.
INFO | jvm 2| 2016/06/08 16:57:45 | Error: Could not find or load main class Main
STATUS | wrapper | 2016/06/08 16:57:49 | Launching a JVM...
ERROR | wrapper | 2016/06/08 16:57:49 | JVM exited while loading the application.
INFO | jvm 3| 2016/06/08 16:57:49 | Error: Could not find or load main class Main
STATUS | wrapper | 2016/06/08 16:57:54 | Launching a JVM...
ERROR | wrapper | 2016/06/08 16:57:54 | JVM exited while loading the application.
INFO | jvm 4| 2016/06/08 16:57:54 | Error: Could not find or load main class Main
STATUS | wrapper | 2016/06/08 16:57:58 | Launching a JVM...
ERROR | wrapper | 2016/06/08 16:57:58 | JVM exited while loading the application.
INFO | jvm 5| 2016/06/08 16:57:58 | Error: Could not find or load main class Main
FATAL | wrapper | 2016/06/08 16:57:58 | There were 5 failed launches in a row, each lasting less than 300 seconds. Giving up.
FATAL | wrapper | 2016/06/08 16:57:58 | There may be a configuration problem: please check the logs.
STATUS | wrapper | 2016/06/08 16:57:58 | <-- Wrapper Stopped

I am not a java guy so no clue. :-)

I'll google a bit.

On Thu, Jun 9, 2016 at 4:39 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> Hmm, Seems to be a problem still.
> > I did the following : > > > cd /servers/ApacheDS/ > # Tar up opt var folders > sudo tar czvf ~/ads-server.tgz * > cd /opt/ApacheDS/ > sudo tar xzvf ~/ads-server.tgz > sudo vi /etc/init.d/apacheds-2.0.0-M20-default > CHANGE FILE: /etc/init.d/apacheds-2.0.0-M20-default > LINE NUMBER: 36 > > /opt/ApacheDS/opt/bin/apacheds $1 default > sudo vi /opt/ApacheDS/opt/bin/apacheds > CHANGE FILE: /opt/ApacheDS/opt/bin/apacheds > LINE NUMBERS: 30 & 31 > > INSTALLATION_DIRECTORY="/opt/ApacheDS/opt" > INSTANCES_DIRECTORY="/opt/ApacheDS/var/lib" > > The server fails to start > > PS shows the following process but it dies shortly after issuing the start > command: > > apacheds 16052 1 0 16:22 ?00:00:00 > /opt/ApacheDS/opt/bin/wrapper > /opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf > set.INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default set.INSTANCE=default > wrapper.syslog.ident=apacheds > wrapper.pidfile=/opt/ApacheDS/var/lib/default/run/apacheds-default.pid > wrapper.daemonize=TRUE > > The last thing in the logs is a log from when I stopped the instance: > > STATUS | wrapper | 2016/06/08 15:03:22 | <-- Wrapper Stopped > > > I added a 'set -x' to /opt/ApacheDS/opt/bin/apacheds and started the > server again: > > > + INSTANCE=default > + INSTALLATION_DIRECTORY=/opt/ApacheDS/opt > + INSTANCES_DIRECTORY=/opt/ApacheDS/var/lib > + INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default > + APP_NAME=apacheds > + APP_LONG_NAME='ApacheDS - default' > + WRAPPER_CMD=/opt/ApacheDS/opt/bin/wrapper > + WRAPPER_CONF=/opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf > + PRIORITY= > + PIDDIR=/opt/ApacheDS/var/lib/default/run > + RUN_AS_USER=apacheds > + RUN_AS_GROUP=apacheds > + case $0 in > + SCRIPT=/opt/ApacheDS/opt/bin/apacheds > + CHANGED=true > + '[' Xtrue '!=' X ']' > ++ echo /opt/ApacheDS/opt/bin/apacheds > ++ sed -e 's; ;:;g' > + SAFESCRIPT=/opt/ApacheDS/opt/bin/apacheds > ++ echo /opt/ApacheDS/opt/bin/apacheds > ++ sed -e 's;/; ;g' > + TOKENS=' opt ApacheDS opt bin 
apacheds' > + REALPATH= > + for C in '$TOKENS' > ++ echo opt > ++ sed -e 's;:; ;g' > + C=opt > + REALPATH=/opt > + '[' -h /opt ']' > + for C in '$TOKENS' > ++ echo ApacheDS > ++ sed -e 's;:; ;g' > + C=ApacheDS > + REALPATH=/opt/ApacheDS > + '[' -h /opt/ApacheDS ']' > + for C in '$TOKENS' > ++ echo opt > ++ sed -e 's;:; ;g' > + C=opt > + REALPATH=/opt/ApacheDS/opt > + '[' -h /opt/ApacheDS/opt ']' > + for C in '$TOKENS' > ++ echo bin > ++ sed -e 's;:; ;g' > + C=bin > + REALPATH=/opt/ApacheDS/opt/bin > + '[' -h /opt/ApacheDS/opt/bin ']' > + for C in '$TOKENS' > ++ echo apacheds > ++ sed -e 's;:; ;g' > + C=apacheds > + REALPATH=/opt/ApacheDS/opt/bin/apacheds > + '[' -h /opt/ApacheDS/opt/bin/apacheds ']' > + '[' /opt/ApacheDS/opt/bin/apacheds = /opt/ApacheDS/opt/bin/apacheds ']' > + CHANGED= > + '[' X '!=' X ']' > ++ dirname /opt/ApacheDS/opt/bin/apacheds > + cd /opt/A
Re: Move ADS to new location on disk
acheDS/opt/bin/apacheds + CHANGED=true + '[' Xtrue '!=' X ']' ++ echo /opt/ApacheDS/opt/bin/apacheds ++ sed -e 's; ;:;g' + SAFESCRIPT=/opt/ApacheDS/opt/bin/apacheds ++ echo /opt/ApacheDS/opt/bin/apacheds ++ sed -e 's;/; ;g' + TOKENS=' opt ApacheDS opt bin apacheds' + REALPATH= + for C in '$TOKENS' ++ echo opt ++ sed -e 's;:; ;g' + C=opt + REALPATH=/opt + '[' -h /opt ']' + for C in '$TOKENS' ++ echo ApacheDS ++ sed -e 's;:; ;g' + C=ApacheDS + REALPATH=/opt/ApacheDS + '[' -h /opt/ApacheDS ']' + for C in '$TOKENS' ++ echo opt ++ sed -e 's;:; ;g' + C=opt + REALPATH=/opt/ApacheDS/opt + '[' -h /opt/ApacheDS/opt ']' + for C in '$TOKENS' ++ echo bin ++ sed -e 's;:; ;g' + C=bin + REALPATH=/opt/ApacheDS/opt/bin + '[' -h /opt/ApacheDS/opt/bin ']' + for C in '$TOKENS' ++ echo apacheds ++ sed -e 's;:; ;g' + C=apacheds + REALPATH=/opt/ApacheDS/opt/bin/apacheds + '[' -h /opt/ApacheDS/opt/bin/apacheds ']' + '[' /opt/ApacheDS/opt/bin/apacheds = /opt/ApacheDS/opt/bin/apacheds ']' + CHANGED= + '[' X '!=' X ']' ++ dirname /opt/ApacheDS/opt/bin/apacheds + cd /opt/ApacheDS/opt/bin ++ pwd + REALDIR=/opt/ApacheDS/opt/bin ++ echo /opt/ApacheDS/var/lib/default/run ++ cut -c1,1 + FIRST_CHAR=/ + '[' / '!=' / ']' ++ echo /opt/ApacheDS/opt/bin/wrapper ++ cut -c1,1 + FIRST_CHAR=/ + '[' / '!=' / ']' ++ echo /opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf ++ cut -c1,1 + FIRST_CHAR=/ + '[' / '!=' / ']' + ANCHORFILE=/opt/ApacheDS/var/lib/default/run/default.anchor + PIDFILE=/opt/ApacheDS/var/lib/default/run/apacheds-default.pid + LOCKDIR=/var/lock/subsys + LOCKFILE=/var/lock/subsys/default + pid= + PSEXE=/usr/bin/ps + '[' '!' -x /usr/bin/ps ']' + PSEXE=/bin/ps + '[' '!' 
-x /bin/ps ']' ++ uname -s ++ tr '[:upper:]' '[:lower:]' ++ tr -d '[:blank:]' + DIST_OS=linux + case "$DIST_OS" in ++ uname -p ++ tr '[:upper:]' '[:lower:]' ++ tr -d '[:blank:]' + DIST_ARCH=x86_64 + '[' x86_64 = unknown ']' + case "$DIST_ARCH" in + DIST_ARCH=x86 + '[' X = X ']' + CMDNICE= + '[' X = X ']' + ANCHORPROP= + IGNOREPROP= + LOCKPROP= + '[' -d /var/lock/subsys ']' + '[' -w /var/lock/subsys ']' + '[' xstart = x ']' + '[' xdefault = x ']' + case "$1" in + checkUser touchlock start default + '[' Xapacheds '!=' X ']' + IDEXE=/usr/xpg4/bin/id + '[' '!' -x /usr/xpg4/bin/id ']' + IDEXE=/usr/bin/id + '[' '!' -x /usr/bin/id ']' ++ /usr/bin/id -u -n + '[' apacheds = apacheds ']' + RUN_AS_USER= + '[' X '!=' X ']' + start + echo 'Starting ApacheDS - default...' Starting ApacheDS - default... + getpid + '[' -f /opt/ApacheDS/var/lib/default/run/apacheds-default.pid ']' + '[' X = X ']' + COMMAND_LINE=' "/opt/ApacheDS/opt/bin/wrapper" "/opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf" set.INSTANCE_DIRECTORY="/opt/ApacheDS/var/lib/default" set.INSTANCE="default" wrapper.syslog.ident="apacheds" wrapper.pidfile="/opt/ApacheDS/var/lib/default/run/apacheds-default.pid" wrapper.daemonize=TRUE ' + eval '"/opt/ApacheDS/opt/bin/wrapper"' '"/opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf"' 'set.INSTANCE_DIRECTORY="/opt/ApacheDS/var/lib/default"' 'set.INSTANCE="default"' 'wrapper.syslog.ident="apacheds"' 'wrapper.pidfile="/opt/ApacheDS/var/lib/default/run/apacheds-default.pid"' wrapper.daemonize=TRUE ++ /opt/ApacheDS/opt/bin/wrapper /opt/ApacheDS/var/lib/default/conf/wrapper-instance.conf set.INSTANCE_DIRECTORY=/opt/ApacheDS/var/lib/default set.INSTANCE=default wrapper.syslog.ident=apacheds wrapper.pidfile=/opt/ApacheDS/var/lib/default/run/apacheds-default.pid wrapper.daemonize=TRUE + exit 0 + '[' 'Xwrapper.lockfile="/var/lock/subsys/default"' '!=' X ']' + getpid + '[' -f /opt/ApacheDS/var/lib/default/run/apacheds-default.pid ']' + '[' -r 
/opt/ApacheDS/var/lib/default/run/apacheds-default.pid ']' ++ cat /opt/ApacheDS/var/lib/default/run/apacheds-default.pid + pid=15893 + '[' X15893 = X ']' + exit 0

Let me know if you need anything else.

On Thu, Jun 9, 2016 at 10:48 AM, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> On 09/06/16 at 17:18, Ezsra McDonald wrote:
> > Good question, sorry
> >
> > The OS is Enterprise Linux.
> >
> > I used the apacheds-2.0.0-M20-64bit.bin installer.
>
> The directories the server is using are described in
> http://directory.apache.org/apacheds/advanced-ug/2.2-instance-layout.html
>
> Data will be stored in the partitions sub-directory.
>
> If you move the whole tree, it should work, assuming you also change the
> /etc/init.d/apacheds script to point to this new directory.
>
> You may have a look at the various configuration files that may contain
> root based paths.
Re: Move ADS to new location on disk
Good question, sorry

The OS is Enterprise Linux.

I used the apacheds-2.0.0-M20-64bit.bin installer.

-Ez

On Thu, Jun 9, 2016 at 9:40 AM, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> On 09/06/16 at 15:47, Ezsra McDonald wrote:
> > RE: ADS M20
> >
> > We need to move our ADS instance to a different location on storage. Is
> > there a simple way to do this? I tried but the instance won't start after
> > moving it. I do not see any errors in the logs.
>
> What is your OS?
>
> Have you used the installer for this OS, or the generic one?
Move ADS to new location on disk
RE: ADS M20

We need to move our ADS instance to a different location on storage. Is there a simple way to do this? I tried but the instance won't start after moving it. I do not see any errors in the logs.

--Ez
Re: To exist or not exist ??
I can rebuild indexes on one of the nodes but the second node in the multi-master cluster is not able to rebuild indexes. I am running M20.

Ldap search error I get:

sudo ldapsearch -H ldap://localhost:10389/ -D uid=admin,ou=system -W -z 0 -b ou=people,dc=www,dc=somewhere,dc=com -LLL -s sub -x "(objectclass=*)"

Internal (implementation specific) error (80)
Additional information: OTHER: failed for MessageType : SEARCH_REQUEST
Message ID : 2
SearchRequest
baseDn : 'ou=people,dc=www,dc=somewhere,dc=com'
filter : '(objectClass=*)'
scope : whole subtree
typesOnly : false
Size Limit : no limit
Time Limit : no limit
Deref Aliases : never Deref Aliases
attributes :
org.apache.directory.api.ldap.model.message.SearchRequestImpl@1c3fc51: null

Here is the error I get with partition-plumber

sudo java -jar partition-plumber.jar -d /opt/servers/ApacheDS/var/lib/default -p dc=www,dc=somewhere,dc=com

org.apache.directory.api.ldap.model.exception.LdapOtherException: java.io.UTFDataFormatException
    at org.apache.directory.server.core.api.partition.AbstractPartition.initialize(AbstractPartition.java:94)
    at org.apache.directory.server.core.DefaultDirectoryService.initialize(DefaultDirectoryService.java:1807)
    at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:1244)
    at org.apache.directory.server.ApacheDsService.initDirectoryService(ApacheDsService.java:318)
    at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:182)
    at org.apache.directory.PartitionPlumber.start(PartitionPlumber.java:72)
    at org.apache.directory.PartitionPlumber.main(PartitionPlumber.java:378)
Caused by: org.apache.directory.api.ldap.model.exception.LdapOtherException: java.io.UTFDataFormatException
    at org.apache.directory.server.core.api.partition.AbstractPartition.initialize(AbstractPartition.java:94)
    at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.addContextPartition(DefaultPartitionNexus.java:800)
    at org.apache.directory.server.core.shared.partition.DefaultPartitionNexus.doInit(DefaultPartitionNexus.java:224)
    at org.apache.directory.server.core.api.partition.AbstractPartition.initialize(AbstractPartition.java:89)
    ... 6 more
Caused by: org.apache.directory.api.ldap.model.cursor.CursorException: java.io.UTFDataFormatException
    at org.apache.directory.server.core.partition.impl.btree.jdbm.NoDupsCursor.next(NoDupsCursor.java:311)
    at org.apache.directory.server.core.partition.impl.btree.jdbm.JdbmPartition.buildUserIndex(JdbmPartition.java:351)
    at org.apache.directory.server.core.partition.impl.btree.jdbm.JdbmPartition.doInit(JdbmPartition.java:218)
    at org.apache.directory.server.core.api.partition.AbstractPartition.initialize(AbstractPartition.java:89)
    ... 9 more
Caused by: java.io.UTFDataFormatException
    at java.io.ObjectInputStream$BlockDataInputStream.readUTFSpan(ObjectInputStream.java:3111)
    at java.io.ObjectInputStream$BlockDataInputStream.readUTFBody(ObjectInputStream.java:3055)
    at java.io.ObjectInputStream$BlockDataInputStream.readUTF(ObjectInputStream.java:2867)
    at java.io.ObjectInputStream.readUTF(ObjectInputStream.java:1073)
    at org.apache.directory.api.ldap.model.entry.StringValue.readExternal(StringValue.java:518)
    at org.apache.directory.api.ldap.model.entry.DefaultAttribute.readExternal(DefaultAttribute.java:2084)
    at org.apache.directory.server.core.partition.impl.btree.jdbm.EntrySerializer.deserialize(EntrySerializer.java:219)
    at jdbm.btree.BPage.deserialize(BPage.java:1188)
    at jdbm.btree.BPage.deserialize(BPage.java:81)
    at jdbm.recman.BaseRecordManager.fetch(BaseRecordManager.java:329)
    at jdbm.recman.CacheRecordManager.fetch(CacheRecordManager.java:264)
    at jdbm.btree.BPage.loadBPage(BPage.java:949)
    at jdbm.btree.BPage.access$000(BPage.java:81)
    at jdbm.btree.BPage$Browser.getNext(BPage.java:1395)
    at org.apache.directory.server.core.partition.impl.btree.jdbm.NoDupsCursor.next(NoDupsCursor.java:291)
    ... 12 more

On Wed, Sep 2, 2015 at 7:43 PM, Kiran Ayyagari <kayyag...@apache.org> wrote:

> On Thu, Sep 3, 2015 at 5:52 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com>
> wrote:
>
> > Does anyone know what to do? Is there a way to recreate the master.db
> > file?
> >
> > On Tue, Sep 1, 2015 at 3:47 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com>
> > wrote:
> >
> > > I had a user who could not login using his LDAP creds. When I investigated
> > > I found that his record exists in one instance but not the other. So I
> > > tried exporting his record and importing it to the second instance.
Re: ADS returns password expired when wrong password provided
Thanks for your response.

We are running ADS M20. I assume it is functioning the same as M21?

--Ezsra

On Sat, Apr 2, 2016 at 12:42 PM, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> On 31/03/16 20:21, Ezsra McDonald wrote:
> > We have ApacheDS configured to expire passwords after a fixed amount of
> > time. If a user lets their password expire and that user attempts to
> > authenticate with an *invalid* password, ADS will respond with an error
> > code related to their password being expired rather than a response stating
> > their password entry was invalid.
>
> First of all, which version of ApacheDS are you using?
>
> Now, with the latest version (2.0.0-M21), when you try to bind with a
> correct or incorrect password when the correct password has expired, you
> get this response:
>
> Correct Password, expired:
> ---
> MessageType : BIND_RESPONSE
> Message ID : 2
> BindResponse
> Ldap Result
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ''
> Diagnostic message : 'INVALID_CREDENTIALS: Bind failed: password expired'
>
> Incorrect Password, expired:
> -
> MessageType : BIND_RESPONSE
> Message ID : 2
> BindResponse
> Ldap Result
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ''
> Diagnostic message : 'INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=userExpireWarningToo,ou=system'
>
> The diagnostic message is different, but it's hard to use it. You still
> can determine in which case you are, if you add the PasswordPolicy
> control to your BindRequest, because then you will get back the reason
> why the bind was rejected:
>
> Correct Password, expired, with PasswordPolicy control:
>
> MessageType : BIND_RESPONSE
> Message ID : 2
> BindResponse
> Ldap Result
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ''
> Diagnostic message : 'INVALID_CREDENTIALS: Bind failed: password expired'
> PasswordPolicy[criticality:false] PasswordPolicyResponse [timeBeforeExpiration=-1, graceAuthNRemaining=-1, ppolicyError=PASSWORD_EXPIRED]
>
> Incorrect Password, expired, with PasswordPolicy control:
> --
> MessageType : BIND_RESPONSE
> Message ID : 2
> BindResponse
> Ldap Result
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ''
> Diagnostic message : 'INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate user cn=userExpireWarningToo,ou=system'
>
> As you can see, in the second case, you will get no PasswordPolicy
> response control in the result.
>
> > This is not the desired behavior for a couple of reasons. First, it is
> > confusing our users because they assume that if our SSO portal tells them
> > their password has expired, that they did enter the correct existing
> > password. So when they get sent to our password change screen, they will
> > enter the invalid existing password that they used initially, thinking it
> > was correct.
>
> It's up to you to send the PasswordPolicy control and return a message
> to the user based on the response you get.
>
> > The other issue is a matter of security. It is possible for anyone to
> > determine if an account is expired just by entering the correct username.
>
> If the password has expired, it's not anymore usable, so it's safe,
> unless your user has picked a password that he/she uses somewhere else.
> There is a bit of education to push here...
>
> Regardless, for an attacker, knowing that an account has expired is of
> little interest.
>
> Or am I wrong?
>
> > Are there any suggestions on how to configure ADS to first verify the
> > password is valid before responding with an account expired code.
>
> No, but we can change the result we return. My perception is that the
> base response should not tell the user that the password has expired,
> unless the PasswordPolicy control is explicitly sent. It will be up to
> the user to determine if he wasn't able to login because his password
> has expired or because he tried with the wrong password.
>
> wdyt?
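The portal-side decision discussed in the message above can be written down as follows. This is an added example, not part of the thread and not ApacheDS code: the function names, the `Outcome` values and the sample dumps (constructed from the 2.0.0-M21 responses quoted above, plus an assumed SUCCESS response) are assumptions, and the logic relies on the M21 behaviour described there, where the PasswordPolicy response control comes back only when the correct password was supplied.

```python
import re
from enum import Enum
from typing import NamedTuple, Optional


class Outcome(Enum):
    AUTHENTICATED = "authenticated"
    MUST_CHANGE_PASSWORD = "must_change_password"  # correct password, but expired
    INVALID_CREDENTIALS = "invalid_credentials"    # generic failure, no account state


class BindResult(NamedTuple):
    result_code: str              # e.g. INVALID_CREDENTIALS
    diagnostic: str               # free text: log it, never branch on it
    ppolicy_error: Optional[str]  # None when no PasswordPolicy response control came back


RESULT_CODE_RE = re.compile(r"Result code\s*:\s*\((\w+)\)")
DIAGNOSTIC_RE = re.compile(r"Diagnostic message\s*:\s*'(.*?)'", re.S)
PPOLICY_RE = re.compile(r"PasswordPolicyResponse\s*\[[^\]]*?ppolicyError=(\w+)")


def parse_bind_response(dump: str) -> BindResult:
    """Extract the fields the decision needs from a textual bind response dump."""
    code = RESULT_CODE_RE.search(dump)
    if code is None:
        raise ValueError("no LDAP result code found in bind response")
    diag = DIAGNOSTIC_RE.search(dump)
    ppolicy = PPOLICY_RE.search(dump)
    return BindResult(
        result_code=code.group(1),
        diagnostic=" ".join(diag.group(1).split()) if diag else "",
        ppolicy_error=ppolicy.group(1) if ppolicy else None,
    )


def classify(result: BindResult) -> Outcome:
    """Decide from the result code and the response control only.

    The diagnostic text is ignored on purpose: without the control it may say
    'password expired', and showing that to an unauthenticated caller would
    disclose the account state.
    """
    if result.result_code == "SUCCESS":
        return Outcome.AUTHENTICATED
    if result.ppolicy_error == "PASSWORD_EXPIRED":
        return Outcome.MUST_CHANGE_PASSWORD
    return Outcome.INVALID_CREDENTIALS


MESSAGES = {
    Outcome.AUTHENTICATED: "Signed in.",
    Outcome.MUST_CHANGE_PASSWORD: "Your password has expired. Please choose a new one.",
    Outcome.INVALID_CREDENTIALS: "Invalid user name or password.",
}


def user_message(outcome: Outcome) -> str:
    return MESSAGES[outcome]


# Constructed sample dumps, laid out like the responses quoted in the thread.
DUMP = """MessageType : BIND_RESPONSE
Message ID : 2
    BindResponse
        Ldap Result
            Result code : ({code}) {name}
            Matched Dn : ''
            Diagnostic message : '{diag}'
{control}"""
EXPIRED_DIAG = "INVALID_CREDENTIALS: Bind failed: password expired"
ERR_229_DIAG = ("INVALID_CREDENTIALS: Bind failed: ERR_229 Cannot authenticate "
                "user cn=userExpireWarningToo,ou=system")
EXPIRED_CONTROL = ("PasswordPolicy[criticality:false] PasswordPolicyResponse\n"
                   "[timeBeforeExpiration=-1, graceAuthNRemaining=-1,\n"
                   "ppolicyError=PASSWORD_EXPIRED]")
INVALID = {"code": "INVALID_CREDENTIALS", "name": "invalidCredentials"}

SAMPLES = {
    "correct_expired_no_control": DUMP.format(diag=EXPIRED_DIAG, control="", **INVALID),
    "wrong_expired_no_control": DUMP.format(diag=ERR_229_DIAG, control="", **INVALID),
    "correct_expired_with_control": DUMP.format(
        diag=EXPIRED_DIAG, control=EXPIRED_CONTROL, **INVALID),
    "wrong_expired_with_control": DUMP.format(diag=ERR_229_DIAG, control="", **INVALID),
    # Assumed shape of a successful bind; not quoted anywhere in the thread.
    "success": DUMP.format(code="SUCCESS", name="success", diag="", control=""),
}

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        outcome = classify(parse_bind_response(dump))
        print(f"{name:30} -> {outcome.value:22} | {user_message(outcome)}")
```

A portal that never sends the PasswordPolicy control ends up with the generic message in every failed case, so the change-password redirect only works once the control is added to the bind request.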
ADS returns password expired when wrong password provided
We have ApacheDS configured to expire passwords after a fixed amount of time. If a user lets their password expire and that user attempts to authenticate with an *invalid* password, ADS will respond with an error code related to their password being expired rather than a response stating their password entry was invalid.

This is not the desired behavior for a couple of reasons. First, it is confusing our users because they assume that if our SSO portal tells them their password has expired, that they did enter the correct existing password. So when they get sent to our password change screen, they will enter the invalid existing password that they used initially, thinking it was correct.

The other issue is a matter of security. It is possible for anyone to determine if an account is expired just by entering the correct username.

Are there any suggestions on how to configure ADS to first verify the password is valid before responding with an account expired code.

--Ezsra
Re: syncrepl-data contents are large
I do not see that attribute (ads-replLogPurgeThresholdCount) defined.

On Tue, Mar 29, 2016 at 10:34 PM, Kiran Ayyagari <kayyag...@apache.org> wrote:

> On Wed, Mar 30, 2016 at 2:06 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com>
> wrote:
>
> > What are these files in /../var/lib/default/syncrepl-data? Could this
> > be related to my Replication issues?
>
> these are the logs containing event data, looks like either the server's
> consumers are not connecting or the log cleaner is not purging these
> event logs, what is the value you set for ads-replLogPurgeThresholdCount
> attribute in the consumer entries present under ou=system on the master?
>
> > syncrepl-data$ sudo du -h *
> > 1.3M REPL_EVENT_LOG.1.lg
> > 5.7M REPL_EVENT_LOG.2.lg
> > 16M REPL_EVENT_LOG.3.lg
> > 2.2G REPL_EVENT_LOG.4.db <
> > 8.3M REPL_EVENT_LOG.4.lg
> > 1.5G REPL_EVENT_LOG.5.db <
> > 2.1M REPL_EVENT_LOG.5.lg
> >
> > Running ADS M20
> >
> > --Ezsra
>
> Kiran
syncrepl-data contents are large
What are these files in /../var/lib/default/syncrepl-data? Could this be related to my Replication issues?

syncrepl-data$ sudo du -h *
1.3M REPL_EVENT_LOG.1.lg
5.7M REPL_EVENT_LOG.2.lg
16M REPL_EVENT_LOG.3.lg
2.2G REPL_EVENT_LOG.4.db <
8.3M REPL_EVENT_LOG.4.lg
1.5G REPL_EVENT_LOG.5.db <
2.1M REPL_EVENT_LOG.5.lg

Running ADS M20

--Ezsra
MultiMaster out of sync
I have discovered that our MultiMaster servers are out of sync. How do we force the servers to replicate un-replicated entries?
Re: disable password policy for admin
Is there a way to apply a new password policy that does not enforce password aging? I am trying to add the pwdPolicySubEntry attribute to a user using the Directory Studio but no luck so far.

On Thu, Dec 17, 2015 at 5:48 PM, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> On 18/12/15 00:02, Ezsra McDonald wrote:
> > How do you prevent the Admin user's password from expiring? We would like
> > to have that user ignore the policy.
>
> This has been fixed recently:
>
> https://issues.apache.org/jira/browse/DIRSERVER-2084
>
> We still have to release 2.0.0-M21 (something I'm currently working on)
disable password policy for admin
How do you prevent the Admin user's password from expiring? We would like to have that user ignore the policy.
Re: disable password policy for admin
Yes, that is right.

I created a new policy with that setting. How do I assign the policy to the admin user using the gui?

I am trying with ldapmodify but so far no luck.

LDIF File:

dn: uid=admin,ou=system

add: pwdPolicySubEntry
pwdPolicySubEntry: ads-pwdid=admin,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

My Modify command:

ldapmodify -h apacheds.server.com -p 10389 -D uid=admin,ou=system -W -x -f modify.ldif

On Thu, Dec 17, 2015 at 5:58 PM, Emmanuel Lécharny <elecha...@gmail.com> wrote:

> On 18/12/15 00:52, Ezsra McDonald wrote:
> > Is there a way to apply a new password policy that does not enforce
> > password aging? I am trying to add the pwdPolicySubEntry attribute to a
> > user using the Directory Studio but no luck so far.
>
> from the top of my head, if you use 0 as the value, it's equivalent to
> infinite.
Re: disable password policy for admin
Corrected LDIF file now works:

dn: uid=admin,ou=system
changetype: modify
add: pwdPolicySubEntry
pwdPolicySubEntry: ads-pwdid=admin,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config

On Thu, Dec 17, 2015 at 6:20 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> Yes, that is right.
>
> I created a new policy with that setting. How do I assign the policy to
> the admin user using the gui?
>
> I am trying with ldapmodify but so far no luck.
>
> LDIF File:
>
> dn: uid=admin,ou=system
>
> add: pwdPolicySubEntry
> pwdPolicySubEntry: ads-pwdid=admin,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>
> My Modify command:
>
> ldapmodify -h apacheds.server.com -p 10389 -D uid=admin,ou=system -W -x -f modify.ldif
>
> On Thu, Dec 17, 2015 at 5:58 PM, Emmanuel Lécharny <elecha...@gmail.com>
> wrote:
>
> > On 18/12/15 00:52, Ezsra McDonald wrote:
> > > Is there a way to apply a new password policy that does not enforce
> > > password aging? I am trying to add the pwdPolicySubEntry attribute to a
> > > user using the Directory Studio but no luck so far.
> >
> > from the top of my head, if you use 0 as the value, it's equivalent to
> > infinite.
Re: Admin password expired
Kiran, You are our hero!! Thank you so much for all the assistance. I will be following up with our team about the current password policies and get a monitor on this. Thanks again! On Fri, Sep 18, 2015 at 12:23 PM, Kiran Ayyagari <kayyag...@apache.org> wrote: > On Sat, Sep 19, 2015 at 1:21 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> > wrote: > > > One server worked, the other gave this error: > > > > Exception in thread "main" java.lang.UnsupportedClassVersionError: > > org/apache/directory/server/core/api/InstanceLayout : Unsupported > > major.minor version 51.0 > > > make sure you are running the same version of java on both machines, or > just > build that jar on this failing box and execute > > > at java.lang.ClassLoader.defineClass1(Native Method) > > at java.lang.ClassLoader.defineClass(ClassLoader.java:643) > > at > > java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) > > at java.net.URLClassLoader.defineClass(URLClassLoader.java:277) > > at java.net.URLClassLoader.access$000(URLClassLoader.java:73) > > at java.net.URLClassLoader$1.run(URLClassLoader.java:212) > > at java.security.AccessController.doPrivileged(Native Method) > > at java.net.URLClassLoader.findClass(URLClassLoader.java:205) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:323) > > at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294) > > at java.lang.ClassLoader.loadClass(ClassLoader.java:268) > > at > org.apache.directory.PasswordResetter.main(PasswordResetter.java:57) > > > > On Fri, Sep 18, 2015 at 12:07 PM, Kiran Ayyagari <kayyag...@apache.org> > > wrote: > > > > > On Sat, Sep 19, 2015 at 12:40 AM, Ezsra McDonald < > > ezsra.mcdon...@gmail.com > > > > > > > wrote: > > > > > > > Is the jar resetting the password aging stuff? 
> > > > > > > ah this must be the reason, committed a change, please test with the > > latest > > > build > > > https://people.apache.org/~kayyagari/ads-passwd-reset.jar > > > > > > > > > > > On Fri, Sep 18, 2015 at 11:39 AM, Ezsra McDonald < > > > ezsra.mcdon...@gmail.com > > > > > > > > > wrote: > > > > > > > > > Stopping all the instances allowed the jar to exit back to shell, > but > > > it > > > > > still says the password is expired when I start the instance and > try > > to > > > > > login. > > > > > > > > > > On Fri, Sep 18, 2015 at 11:28 AM, Kiran Ayyagari < > > kayyag...@apache.org > > > > > > > > > wrote: > > > > > > > > > >> try stopping all nodes, and run this command on one of them and > > > restart > > > > >> both > > > > >> > > > > >> On Sat, Sep 19, 2015 at 12:27 AM, Ezsra McDonald < > > > > >> ezsra.mcdon...@gmail.com> > > > > >> wrote: > > > > >> > > > > >> > Yeah...it never comes back to prompt. Is there a plan B? > > > > >> > > > > > >> > On Fri, Sep 18, 2015 at 11:22 AM, Kiran Ayyagari < > > > > kayyag...@apache.org> > > > > >> > wrote: > > > > >> > > > > > >> > > On Sat, Sep 19, 2015 at 12:11 AM, Ezsra McDonald < > > > > >> > ezsra.mcdon...@gmail.com > > > > >> > > > > > > > >> > > wrote: > > > > >> > > > > > > >> > > > Does it matter that the ADS servers are in Multi-Master > > setup? > > > > >> > > > > > > > >> > > no, the change should be propagated to the other nodes after > > > > starting > > > > >> the > > > > >> > > node on which the > > > > >> > > password was changed. > > > > >> > > > > > > >> > > And if you used this password on other nodes to connect to the > > > > updated > > > > >> > node > > > > >> > > then you need to > > > > >> > > login to the other nodes and change the old password in > > > replication > > > > >> > > configurations > > > > >> > > > > > > >> > > > > > > > >> > > >
Admin password expired
I am researching but if anyone can suggest a solution, it appears my uid=admin,ou=system password expired. I did not realize the aging applied to the admin user. Urgently need to resolve this issue.
Re: Admin password expired
ADS M20

Thanks

On Fri, Sep 18, 2015 at 8:46 AM, Kiran Ayyagari <kayyag...@apache.org> wrote:

> which version of the server are you using?
>
> On Fri, Sep 18, 2015 at 9:44 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com>
> wrote:
>
> > I am researching but if anyone can suggest a solution, it appears my
> > uid=admin,ou=system password expired. I did not realize the aging applied
> > to the admin user.
> >
> > Urgently need to resolve this issue.
>
> --
> Kiran Ayyagari
> http://keydap.com
Re: Admin password expired
Stopping all the instances allowed the jar to exit back to shell, but it still says the password is expired when I start the instance and try to login. On Fri, Sep 18, 2015 at 11:28 AM, Kiran Ayyagari <kayyag...@apache.org> wrote: > try stopping all nodes, and run this command on one of them and restart > both > > On Sat, Sep 19, 2015 at 12:27 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com > > > wrote: > > > Yeah...it never comes back to prompt. Is there a plan B? > > > > On Fri, Sep 18, 2015 at 11:22 AM, Kiran Ayyagari <kayyag...@apache.org> > > wrote: > > > > > On Sat, Sep 19, 2015 at 12:11 AM, Ezsra McDonald < > > ezsra.mcdon...@gmail.com > > > > > > > wrote: > > > > > > > Does it matter that the ADS servers are in Multi-Master setup? > > > > > > > no, the change should be propagated to the other nodes after starting > the > > > node on which the > > > password was changed. > > > > > > And if you used this password on other nodes to connect to the updated > > node > > > then you need to > > > login to the other nodes and change the old password in replication > > > configurations > > > > > > > > > > > On Fri, Sep 18, 2015 at 10:51 AM, Ezsra McDonald < > > > ezsra.mcdon...@gmail.com > > > > > > > > > wrote: > > > > > > > > > It did in dev as well. But prod I waited a couple minutes. When I > > > > > restarted password was not changed. > > > > > > > > > > On Fri, Sep 18, 2015 at 10:50 AM, Kiran Ayyagari < > > kayyag...@apache.org > > > > > > > > > wrote: > > > > > > > > > >> On Fri, Sep 18, 2015 at 11:42 PM, Ezsra McDonald < > > > > >> ezsra.mcdon...@gmail.com> > > > > >> wrote: > > > > >> > > > > >> > Is there any reason why this jar would report "Successfully > > modified > > > > >> > password" but not return to the shell prompt? 
> > > > >> > > > > > >> it might be taking a while to stop the server, but on OS X (my > > > machine) > > > > >> where I tested > > > > >> it returns immediately > > > > >> > > > > >> > > > > > >> > On Fri, Sep 18, 2015 at 10:33 AM, Ezsra McDonald < > > > > >> ezsra.mcdon...@gmail.com > > > > >> > > > > > > >> > wrote: > > > > >> > > > > > >> > > I was wrong. Test loign on the wrong instance, sorry. It > worked > > in > > > > >> Dev. > > > > >> > > > > > > >> > > On Fri, Sep 18, 2015 at 10:20 AM, Ezsra McDonald < > > > > >> > ezsra.mcdon...@gmail.com > > > > >> > > > wrote: > > > > >> > > > > > > >> > >> Thanks Kiran, > > > > >> > >> > > > > >> > >> I ran this the jar targeting my dev instance > > > > >> > >> > > > > >> > >> /opt/ads/var/lib/default > > > > >> > >> > > > > >> > >> log4j:WARN No appenders could be found for logger > > > > >> > >> (org.apache.directory.server.ApacheDsService). > > > > >> > >> log4j:WARN Please initialize the log4j system properly. > > > > >> > >> log4j:WARN See > > > > http://logging.apache.org/log4j/1.2/faq.html#noconfig > > > > >> > for > > > > >> > >> more info. > > > > >> > >>_ _ > > > > >> > >> / \ _ _____ ___| |__ ___| _ \/ ___| > > > > >> > >> / _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \ > > > > >> > >> / ___ \| |_) | (_| | (__| | | | __/ |_| |___) | > > > > >> > >>/_/ \_\ .__/ \__,_|\___|_| |_|\___|/|/ > > > > >> > >>|_| > > > > >> > >> > > > > >> > >> Successfully modified password > > > > >> > >> > > > > >> > >> > > > > >> > >>
Re: Admin password expired
Is the jar resetting the password aging stuff? On Fri, Sep 18, 2015 at 11:39 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote: > Stopping all the instances allowed the jar to exit back to shell, but it > still says the password is expired when I start the instance and try to > login. > > On Fri, Sep 18, 2015 at 11:28 AM, Kiran Ayyagari <kayyag...@apache.org> > wrote: > >> try stopping all nodes, and run this command on one of them and restart >> both >> >> On Sat, Sep 19, 2015 at 12:27 AM, Ezsra McDonald < >> ezsra.mcdon...@gmail.com> >> wrote: >> >> > Yeah...it never comes back to prompt. Is there a plan B? >> > >> > On Fri, Sep 18, 2015 at 11:22 AM, Kiran Ayyagari <kayyag...@apache.org> >> > wrote: >> > >> > > On Sat, Sep 19, 2015 at 12:11 AM, Ezsra McDonald < >> > ezsra.mcdon...@gmail.com >> > > > >> > > wrote: >> > > >> > > > Does it matter that the ADS servers are in Multi-Master setup? >> > > > >> > > no, the change should be propagated to the other nodes after starting >> the >> > > node on which the >> > > password was changed. >> > > >> > > And if you used this password on other nodes to connect to the updated >> > node >> > > then you need to >> > > login to the other nodes and change the old password in replication >> > > configurations >> > > >> > > > >> > > > On Fri, Sep 18, 2015 at 10:51 AM, Ezsra McDonald < >> > > ezsra.mcdon...@gmail.com >> > > > > >> > > > wrote: >> > > > >> > > > > It did in dev as well. But prod I waited a couple minutes. When I >> > > > > restarted password was not changed. >> > > > > >> > > > > On Fri, Sep 18, 2015 at 10:50 AM, Kiran Ayyagari < >> > kayyag...@apache.org >> > > > >> > > > > wrote: >> > > > > >> > > > >> On Fri, Sep 18, 2015 at 11:42 PM, Ezsra McDonald < >> > > > >> ezsra.mcdon...@gmail.com> >> > > > >> wrote: >> > > > >> >> > > > >> > Is there any reason why this jar would report "Successfully >> > modified >> > > > >> > password" but not return to the shell prompt? 
>> > > > >> > >> > > > >> it might be taking a while to stop the server, but on OS X (my >> > > machine) >> > > > >> where I tested >> > > > >> it returns immediately >> > > > >> >> > > > >> > >> > > > >> > On Fri, Sep 18, 2015 at 10:33 AM, Ezsra McDonald < >> > > > >> ezsra.mcdon...@gmail.com >> > > > >> > > >> > > > >> > wrote: >> > > > >> > >> > > > >> > > I was wrong. Test loign on the wrong instance, sorry. It >> worked >> > in >> > > > >> Dev. >> > > > >> > > >> > > > >> > > On Fri, Sep 18, 2015 at 10:20 AM, Ezsra McDonald < >> > > > >> > ezsra.mcdon...@gmail.com >> > > > >> > > > wrote: >> > > > >> > > >> > > > >> > >> Thanks Kiran, >> > > > >> > >> >> > > > >> > >> I ran this the jar targeting my dev instance >> > > > >> > >> >> > > > >> > >> /opt/ads/var/lib/default >> > > > >> > >> >> > > > >> > >> log4j:WARN No appenders could be found for logger >> > > > >> > >> (org.apache.directory.server.ApacheDsService). >> > > > >> > >> log4j:WARN Please initialize the log4j system properly. >> > > > >> > >> log4j:WARN See >> > > > http://logging.apache.org/log4j/1.2/faq.html#noconfig >> > > > >> > for >> > > > >> > >> more info. >> > > > >> > >>_ _ >> > > > >> > >> / \ _ _____ ___| |__ ___| _ \/ ___| >> > > > >> > >> / _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \ >> &g
Re: Admin password expired
Is there any reason why this jar would report "Successfully modified password" but not return to the shell prompt? On Fri, Sep 18, 2015 at 10:33 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote: > I was wrong. Test loign on the wrong instance, sorry. It worked in Dev. > > On Fri, Sep 18, 2015 at 10:20 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com > > wrote: > >> Thanks Kiran, >> >> I ran this the jar targeting my dev instance >> >> /opt/ads/var/lib/default >> >> log4j:WARN No appenders could be found for logger >> (org.apache.directory.server.ApacheDsService). >> log4j:WARN Please initialize the log4j system properly. >> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for >> more info. >>_ _ >> / \ _ _____ ___| |__ ___| _ \/ ___| >> / _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \ >> / ___ \| |_) | (_| | (__| | | | __/ |_| |___) | >>/_/ \_\ .__/ \__,_|\___|_| |_|\___|/|/ >>|_| >> >> Successfully modified password >> >> >> But the password was still the old password. >> >> On Fri, Sep 18, 2015 at 9:57 AM, Kiran Ayyagari <kayyag...@apache.org> >> wrote: >> >>> On Fri, Sep 18, 2015 at 10:37 PM, Ezsra McDonald < >>> ezsra.mcdon...@gmail.com> >>> wrote: >>> >>> > Any ideas Kiran? I tried using ldapmodify with a LDIF as below: >>> > >>> > sorry for the delay, was building a tool to change the password cause >>> any >>> other means of changing >>> it doesn't work >>> >>> please follow the below steps: >>> >>> 1. get the ads-passwd-reset.jar from here >>> https://people.apache.org/~kayyagari/ads-passwd-reset.jar >>> 2. stop the server >>> 3. run the command >>> java -jar target/ads-passwd-reset.jar >>> >>> >>> your-path-to-DS-instance : the path to the instance you are using, >>> most likely it is the 'default' instance >>> so something >>> /instances/default >>> user-dn : uid=admin,ou=system >>> new-password : the new password >>> >>> 4. 
after successful execution of above command start the server >>> >>> If you would like to build this tool then check it out from >>> http://svn.apache.org/repos/asf/directory/sandbox/kayyagari/passwd-reset/ >>> >>> Let me know if you need further assistance. >>> >>> >>> >>> > dn: uid=admin,ou=system >>> > changetype: modify >>> > replace: userPassword >>> > userPassword: PW_HERE_PLEASE >>> > >>> > I assume it needs more system attributes to get around this? >>> > >>> > Is there a config entry that can disable password aging that I can >>> change >>> > with an editor and restart the instance? >>> > >>> > >>> > On Fri, Sep 18, 2015 at 8:51 AM, Ezsra McDonald < >>> ezsra.mcdon...@gmail.com> >>> > wrote: >>> > >>> > > ADS M20 >>> > > >>> > > Thanks >>> > > >>> > > On Fri, Sep 18, 2015 at 8:46 AM, Kiran Ayyagari < >>> kayyag...@apache.org> >>> > > wrote: >>> > > >>> > >> which version of the server are you using? >>> > >> >>> > >> On Fri, Sep 18, 2015 at 9:44 PM, Ezsra McDonald < >>> > ezsra.mcdon...@gmail.com >>> > >> > >>> > >> wrote: >>> > >> >>> > >> > I am researching but if anyone can suggest a solution, it appears >>> my >>> > >> > uid=admin,ou=system password expired. I did not realize the aging >>> > >> applied >>> > >> > to the admin user. >>> > >> > >>> > >> > Urgently need to resolve this issue. >>> > >> > >>> > >> >>> > >> >>> > >> >>> > >> -- >>> > >> Kiran Ayyagari >>> > >> http://keydap.com >>> > >> >>> > > >>> > > >>> > >>> >>> >>> >>> -- >>> Kiran Ayyagari >>> http://keydap.com >>> >> >> >
Re: Admin password expired
Thanks Kiran,

I ran the jar targeting my dev instance

/opt/ads/var/lib/default

log4j:WARN No appenders could be found for logger (org.apache.directory.server.ApacheDsService).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
_ _
/ \ _ _____ ___| |__ ___| _ \/ ___|
/ _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \
/ ___ \| |_) | (_| | (__| | | | __/ |_| |___) |
/_/ \_\ .__/ \__,_|\___|_| |_|\___|/|/
|_|

Successfully modified password

But the password was still the old password.

On Fri, Sep 18, 2015 at 9:57 AM, Kiran Ayyagari <kayyag...@apache.org> wrote:

> On Fri, Sep 18, 2015 at 10:37 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com>
> wrote:
>
> > Any ideas Kiran? I tried using ldapmodify with an LDIF as below:
>
> sorry for the delay, was building a tool to change the password cause any
> other means of changing it doesn't work
>
> please follow the below steps:
>
> 1. get the ads-passwd-reset.jar from here
>    https://people.apache.org/~kayyagari/ads-passwd-reset.jar
> 2. stop the server
> 3. run the command
>    java -jar target/ads-passwd-reset.jar
>
>    your-path-to-DS-instance : the path to the instance you are using,
>    most likely it is the 'default' instance
>    so something
>    /instances/default
>    user-dn : uid=admin,ou=system
>    new-password : the new password
>
> 4. after successful execution of above command start the server
>
> If you would like to build this tool then check it out from
> http://svn.apache.org/repos/asf/directory/sandbox/kayyagari/passwd-reset/
>
> Let me know if you need further assistance.
>
> > dn: uid=admin,ou=system
> > changetype: modify
> > replace: userPassword
> > userPassword: PW_HERE_PLEASE
> >
> > I assume it needs more system attributes to get around this?
> >
> > Is there a config entry that can disable password aging that I can change
> > with an editor and restart the instance?
> >
> > On Fri, Sep 18, 2015 at 8:51 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com>
> > wrote:
> >
> > > ADS M20
> > >
> > > Thanks
> > >
> > > On Fri, Sep 18, 2015 at 8:46 AM, Kiran Ayyagari <kayyag...@apache.org>
> > > wrote:
> > >
> > > > which version of the server are you using?
> > > >
> > > > On Fri, Sep 18, 2015 at 9:44 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com>
> > > > wrote:
> > > >
> > > > > I am researching but if anyone can suggest a solution, it appears my
> > > > > uid=admin,ou=system password expired. I did not realize the aging applied
> > > > > to the admin user.
> > > > >
> > > > > Urgently need to resolve this issue.
> > > >
> > > > --
> > > > Kiran Ayyagari
> > > > http://keydap.com
>
> --
> Kiran Ayyagari
> http://keydap.com
Re: Admin password expired
It did in dev as well. But prod I waited a couple minutes. When I restarted password was not changed. On Fri, Sep 18, 2015 at 10:50 AM, Kiran Ayyagari <kayyag...@apache.org> wrote: > On Fri, Sep 18, 2015 at 11:42 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com > > > wrote: > > > Is there any reason why this jar would report "Successfully modified > > password" but not return to the shell prompt? > > > it might be taking a while to stop the server, but on OS X (my machine) > where I tested > it returns immediately > > > > > On Fri, Sep 18, 2015 at 10:33 AM, Ezsra McDonald < > ezsra.mcdon...@gmail.com > > > > > wrote: > > > > > I was wrong. Test loign on the wrong instance, sorry. It worked in Dev. > > > > > > On Fri, Sep 18, 2015 at 10:20 AM, Ezsra McDonald < > > ezsra.mcdon...@gmail.com > > > > wrote: > > > > > >> Thanks Kiran, > > >> > > >> I ran this the jar targeting my dev instance > > >> > > >> /opt/ads/var/lib/default > > >> > > >> log4j:WARN No appenders could be found for logger > > >> (org.apache.directory.server.ApacheDsService). > > >> log4j:WARN Please initialize the log4j system properly. > > >> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig > > for > > >> more info. > > >>_ _ > > >> / \ _ _____ ___| |__ ___| _ \/ ___| > > >> / _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \ > > >> / ___ \| |_) | (_| | (__| | | | __/ |_| |___) | > > >> /_/ \_\ .__/ \__,_|\___|_| |_|\___|/|/ > > >>|_| > > >> > > >> Successfully modified password > > >> > > >> > > >> But the password was still the old password. > > >> > > >> On Fri, Sep 18, 2015 at 9:57 AM, Kiran Ayyagari <kayyag...@apache.org > > > > >> wrote: > > >> > > >>> On Fri, Sep 18, 2015 at 10:37 PM, Ezsra McDonald < > > >>> ezsra.mcdon...@gmail.com> > > >>> wrote: > > >>> > > >>> > Any ideas Kiran? 
I tried using ldapmodify with a LDIF as below: > > >>> > > > >>> > sorry for the delay, was building a tool to change the password > cause > > >>> any > > >>> other means of changing > > >>> it doesn't work > > >>> > > >>> please follow the below steps: > > >>> > > >>> 1. get the ads-passwd-reset.jar from here > > >>> https://people.apache.org/~kayyagari/ads-passwd-reset.jar > > >>> 2. stop the server > > >>> 3. run the command > > >>> java -jar target/ads-passwd-reset.jar > > >>> > > >>> > > >>> your-path-to-DS-instance : the path to the instance you are > using, > > >>> most likely it is the 'default' instance > > >>> so something > > >>> /instances/default > > >>> user-dn : uid=admin,ou=system > > >>> new-password : the new password > > >>> > > >>> 4. after successful execution of above command start the server > > >>> > > >>> If you would like to build this tool then check it out from > > >>> > > > http://svn.apache.org/repos/asf/directory/sandbox/kayyagari/passwd-reset/ > > >>> > > >>> Let me know if you need further assistance. > > >>> > > >>> > > >>> > > >>> > dn: uid=admin,ou=system > > >>> > changetype: modify > > >>> > replace: userPassword > > >>> > userPassword: PW_HERE_PLEASE > > >>> > > > >>> > I assume it needs more system attributes to get around this? > > >>> > > > >>> > Is there a config entry that can disable password aging that I can > > >>> change > > >>> > with an editor and restart the instance? > > >>> > > > >>> > > > >>> > On Fri, Sep 18, 2015 at 8:51 AM, Ezsra McDonald < > > >>> ezsra.mcdon...@gmail.com> > > >>> > wrote: > > >>> > > > >>> > > ADS M20 > > >>> > > > > >>> > > Thanks > > >>> > > > > >>> > > On Fri, Sep 18, 2015 at 8:46 AM, Kiran Ayyagari < > > >>> kayyag...@apache.org> > > >>> > > wrote: > > >>> > > > > >>> > >> which version of the server are you using? 
> > >>> > >> > > >>> > >> On Fri, Sep 18, 2015 at 9:44 PM, Ezsra McDonald < > > >>> > ezsra.mcdon...@gmail.com > > >>> > >> > > > >>> > >> wrote: > > >>> > >> > > >>> > >> > I am researching but if anyone can suggest a solution, it > > appears > > >>> my > > >>> > >> > uid=admin,ou=system password expired. I did not realize the > > aging > > >>> > >> applied > > >>> > >> > to the admin user. > > >>> > >> > > > >>> > >> > Urgently need to resolve this issue. > > >>> > >> > > > >>> > >> > > >>> > >> > > >>> > >> > > >>> > >> -- > > >>> > >> Kiran Ayyagari > > >>> > >> http://keydap.com > > >>> > >> > > >>> > > > > >>> > > > > >>> > > > >>> > > >>> > > >>> > > >>> -- > > >>> Kiran Ayyagari > > >>> http://keydap.com > > >>> > > >> > > >> > > > > > > > > > -- > Kiran Ayyagari > http://keydap.com >
Re: Admin password expired
I executed ctrl+c and started the instance. The PW change did not get saved. On Fri, Sep 18, 2015 at 10:42 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote: > Is there any reason why this jar would report "Successfully modified > password" but not return to the shell prompt? > > On Fri, Sep 18, 2015 at 10:33 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com > > wrote: > >> I was wrong. Test loign on the wrong instance, sorry. It worked in Dev. >> >> On Fri, Sep 18, 2015 at 10:20 AM, Ezsra McDonald < >> ezsra.mcdon...@gmail.com> wrote: >> >>> Thanks Kiran, >>> >>> I ran this the jar targeting my dev instance >>> >>> /opt/ads/var/lib/default >>> >>> log4j:WARN No appenders could be found for logger >>> (org.apache.directory.server.ApacheDsService). >>> log4j:WARN Please initialize the log4j system properly. >>> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig >>> for more info. >>>_ _ >>> / \ _ _____ ___| |__ ___| _ \/ ___| >>> / _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \ >>> / ___ \| |_) | (_| | (__| | | | __/ |_| |___) | >>>/_/ \_\ .__/ \__,_|\___|_| |_|\___|/|/ >>>|_| >>> >>> Successfully modified password >>> >>> >>> But the password was still the old password. >>> >>> On Fri, Sep 18, 2015 at 9:57 AM, Kiran Ayyagari <kayyag...@apache.org> >>> wrote: >>> >>>> On Fri, Sep 18, 2015 at 10:37 PM, Ezsra McDonald < >>>> ezsra.mcdon...@gmail.com> >>>> wrote: >>>> >>>> > Any ideas Kiran? I tried using ldapmodify with a LDIF as below: >>>> > >>>> > sorry for the delay, was building a tool to change the password cause >>>> any >>>> other means of changing >>>> it doesn't work >>>> >>>> please follow the below steps: >>>> >>>> 1. get the ads-passwd-reset.jar from here >>>> https://people.apache.org/~kayyagari/ads-passwd-reset.jar >>>> 2. stop the server >>>> 3. 
run the command >>>> java -jar target/ads-passwd-reset.jar >>>> >>>> >>>> your-path-to-DS-instance : the path to the instance you are using, >>>> most likely it is the 'default' instance >>>> so something >>>> /instances/default >>>> user-dn : uid=admin,ou=system >>>> new-password : the new password >>>> >>>> 4. after successful execution of above command start the server >>>> >>>> If you would like to build this tool then check it out from >>>> >>>> http://svn.apache.org/repos/asf/directory/sandbox/kayyagari/passwd-reset/ >>>> >>>> Let me know if you need further assistance. >>>> >>>> >>>> >>>> > dn: uid=admin,ou=system >>>> > changetype: modify >>>> > replace: userPassword >>>> > userPassword: PW_HERE_PLEASE >>>> > >>>> > I assume it needs more system attributes to get around this? >>>> > >>>> > Is there a config entry that can disable password aging that I can >>>> change >>>> > with an editor and restart the instance? >>>> > >>>> > >>>> > On Fri, Sep 18, 2015 at 8:51 AM, Ezsra McDonald < >>>> ezsra.mcdon...@gmail.com> >>>> > wrote: >>>> > >>>> > > ADS M20 >>>> > > >>>> > > Thanks >>>> > > >>>> > > On Fri, Sep 18, 2015 at 8:46 AM, Kiran Ayyagari < >>>> kayyag...@apache.org> >>>> > > wrote: >>>> > > >>>> > >> which version of the server are you using? >>>> > >> >>>> > >> On Fri, Sep 18, 2015 at 9:44 PM, Ezsra McDonald < >>>> > ezsra.mcdon...@gmail.com >>>> > >> > >>>> > >> wrote: >>>> > >> >>>> > >> > I am researching but if anyone can suggest a solution, it >>>> appears my >>>> > >> > uid=admin,ou=system password expired. I did not realize the aging >>>> > >> applied >>>> > >> > to the admin user. >>>> > >> > >>>> > >> > Urgently need to resolve this issue. >>>> > >> > >>>> > >> >>>> > >> >>>> > >> >>>> > >> -- >>>> > >> Kiran Ayyagari >>>> > >> http://keydap.com >>>> > >> >>>> > > >>>> > > >>>> > >>>> >>>> >>>> >>>> -- >>>> Kiran Ayyagari >>>> http://keydap.com >>>> >>> >>> >> >
Re: Admin password expired
Does it matter that the ADS servers are in Multi-Master setup? On Fri, Sep 18, 2015 at 10:51 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote: > It did in dev as well. But prod I waited a couple minutes. When I > restarted password was not changed. > > On Fri, Sep 18, 2015 at 10:50 AM, Kiran Ayyagari <kayyag...@apache.org> > wrote: > >> On Fri, Sep 18, 2015 at 11:42 PM, Ezsra McDonald < >> ezsra.mcdon...@gmail.com> >> wrote: >> >> > Is there any reason why this jar would report "Successfully modified >> > password" but not return to the shell prompt? >> > >> it might be taking a while to stop the server, but on OS X (my machine) >> where I tested >> it returns immediately >> >> > >> > On Fri, Sep 18, 2015 at 10:33 AM, Ezsra McDonald < >> ezsra.mcdon...@gmail.com >> > > >> > wrote: >> > >> > > I was wrong. Test loign on the wrong instance, sorry. It worked in >> Dev. >> > > >> > > On Fri, Sep 18, 2015 at 10:20 AM, Ezsra McDonald < >> > ezsra.mcdon...@gmail.com >> > > > wrote: >> > > >> > >> Thanks Kiran, >> > >> >> > >> I ran this the jar targeting my dev instance >> > >> >> > >> /opt/ads/var/lib/default >> > >> >> > >> log4j:WARN No appenders could be found for logger >> > >> (org.apache.directory.server.ApacheDsService). >> > >> log4j:WARN Please initialize the log4j system properly. >> > >> log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig >> > for >> > >> more info. >> > >>_ _ >> > >> / \ _ _____ ___| |__ ___| _ \/ ___| >> > >> / _ \ | '_ \ / _` |/ __| '_ \ / _ \ | | \___ \ >> > >> / ___ \| |_) | (_| | (__| | | | __/ |_| |___) | >> > >>/_/ \_\ .__/ \__,_|\___|_| |_|\___|/|/ >> > >>|_| >> > >> >> > >> Successfully modified password >> > >> >> > >> >> > >> But the password was still the old password. 
>> > >> >> > >> On Fri, Sep 18, 2015 at 9:57 AM, Kiran Ayyagari < >> kayyag...@apache.org> >> > >> wrote: >> > >> >> > >>> On Fri, Sep 18, 2015 at 10:37 PM, Ezsra McDonald < >> > >>> ezsra.mcdon...@gmail.com> >> > >>> wrote: >> > >>> >> > >>> > Any ideas Kiran? I tried using ldapmodify with a LDIF as below: >> > >>> > >> > >>> > sorry for the delay, was building a tool to change the password >> cause >> > >>> any >> > >>> other means of changing >> > >>> it doesn't work >> > >>> >> > >>> please follow the below steps: >> > >>> >> > >>> 1. get the ads-passwd-reset.jar from here >> > >>> https://people.apache.org/~kayyagari/ads-passwd-reset.jar >> > >>> 2. stop the server >> > >>> 3. run the command >> > >>> java -jar target/ads-passwd-reset.jar >> >> > >>> >> > >>> >> > >>> your-path-to-DS-instance : the path to the instance you are >> using, >> > >>> most likely it is the 'default' instance >> > >>> so something >> > >>> /instances/default >> > >>> user-dn : uid=admin,ou=system >> > >>> new-password : the new password >> > >>> >> > >>> 4. after successful execution of above command start the server >> > >>> >> > >>> If you would like to build this tool then check it out from >> > >>> >> > >> http://svn.apache.org/repos/asf/directory/sandbox/kayyagari/passwd-reset/ >> > >>> >> > >>> Let me know if you need further assistance. >> > >>> >> > >>> >> > >>> >> > >>> > dn: uid=admin,ou=system >> > >>> > changetype: modify >> > >>> > replace: userPassword >> > >>> > userPassword: PW_HERE_PLEASE >> > >>> > >> > >>> > I assume it needs more system attributes to get around this? >> > >>> > >> > >>> > Is there a config entry that can disable password aging that I can >> > >>> change >> > >>> > with an editor and restart the instance? 
>> > >>> > >> > >>> > >> > >>> > On Fri, Sep 18, 2015 at 8:51 AM, Ezsra McDonald < >> > >>> ezsra.mcdon...@gmail.com> >> > >>> > wrote: >> > >>> > >> > >>> > > ADS M20 >> > >>> > > >> > >>> > > Thanks >> > >>> > > >> > >>> > > On Fri, Sep 18, 2015 at 8:46 AM, Kiran Ayyagari < >> > >>> kayyag...@apache.org> >> > >>> > > wrote: >> > >>> > > >> > >>> > >> which version of the server are you using? >> > >>> > >> >> > >>> > >> On Fri, Sep 18, 2015 at 9:44 PM, Ezsra McDonald < >> > >>> > ezsra.mcdon...@gmail.com >> > >>> > >> > >> > >>> > >> wrote: >> > >>> > >> >> > >>> > >> > I am researching but if anyone can suggest a solution, it >> > appears >> > >>> my >> > >>> > >> > uid=admin,ou=system password expired. I did not realize the >> > aging >> > >>> > >> applied >> > >>> > >> > to the admin user. >> > >>> > >> > >> > >>> > >> > Urgently need to resolve this issue. >> > >>> > >> > >> > >>> > >> >> > >>> > >> >> > >>> > >> >> > >>> > >> -- >> > >>> > >> Kiran Ayyagari >> > >>> > >> http://keydap.com >> > >>> > >> >> > >>> > > >> > >>> > > >> > >>> > >> > >>> >> > >>> >> > >>> >> > >>> -- >> > >>> Kiran Ayyagari >> > >>> http://keydap.com >> > >>> >> > >> >> > >> >> > > >> > >> >> >> >> -- >> Kiran Ayyagari >> http://keydap.com >> > >
Re: Admin password expired
One server worked, the other gave this error: Exception in thread "main" java.lang.UnsupportedClassVersionError: org/apache/directory/server/core/api/InstanceLayout : Unsupported major.minor version 51.0 at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:643) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) at java.net.URLClassLoader.defineClass(URLClassLoader.java:277) at java.net.URLClassLoader.access$000(URLClassLoader.java:73) at java.net.URLClassLoader$1.run(URLClassLoader.java:212) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:205) at java.lang.ClassLoader.loadClass(ClassLoader.java:323) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294) at java.lang.ClassLoader.loadClass(ClassLoader.java:268) at org.apache.directory.PasswordResetter.main(PasswordResetter.java:57) On Fri, Sep 18, 2015 at 12:07 PM, Kiran Ayyagari <kayyag...@apache.org> wrote: > On Sat, Sep 19, 2015 at 12:40 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com > > > wrote: > > > Is the jar resetting the password aging stuff? > > > ah this must be the reason, committed a change, please test with the latest > build > https://people.apache.org/~kayyagari/ads-passwd-reset.jar > > > > > On Fri, Sep 18, 2015 at 11:39 AM, Ezsra McDonald < > ezsra.mcdon...@gmail.com > > > > > wrote: > > > > > Stopping all the instances allowed the jar to exit back to shell, but > it > > > still says the password is expired when I start the instance and try to > > > login. > > > > > > On Fri, Sep 18, 2015 at 11:28 AM, Kiran Ayyagari <kayyag...@apache.org > > > > > wrote: > > > > > >> try stopping all nodes, and run this command on one of them and > restart > > >> both > > >> > > >> On Sat, Sep 19, 2015 at 12:27 AM, Ezsra McDonald < > > >> ezsra.mcdon...@gmail.com> > > >> wrote: > > >> > > >> > Yeah...it never comes back to prompt. Is there a plan B? 
> > >> > > > >> > On Fri, Sep 18, 2015 at 11:22 AM, Kiran Ayyagari < > > kayyag...@apache.org> > > >> > wrote: > > >> > > > >> > > On Sat, Sep 19, 2015 at 12:11 AM, Ezsra McDonald < > > >> > ezsra.mcdon...@gmail.com > > >> > > > > > >> > > wrote: > > >> > > > > >> > > > Does it matter that the ADS servers are in Multi-Master setup? > > >> > > > > > >> > > no, the change should be propagated to the other nodes after > > starting > > >> the > > >> > > node on which the > > >> > > password was changed. > > >> > > > > >> > > And if you used this password on other nodes to connect to the > > updated > > >> > node > > >> > > then you need to > > >> > > login to the other nodes and change the old password in > replication > > >> > > configurations > > >> > > > > >> > > > > > >> > > > On Fri, Sep 18, 2015 at 10:51 AM, Ezsra McDonald < > > >> > > ezsra.mcdon...@gmail.com > > >> > > > > > > >> > > > wrote: > > >> > > > > > >> > > > > It did in dev as well. But prod I waited a couple minutes. > When > > I > > >> > > > > restarted password was not changed. > > >> > > > > > > >> > > > > On Fri, Sep 18, 2015 at 10:50 AM, Kiran Ayyagari < > > >> > kayyag...@apache.org > > >> > > > > > >> > > > > wrote: > > >> > > > > > > >> > > > >> On Fri, Sep 18, 2015 at 11:42 PM, Ezsra McDonald < > > >> > > > >> ezsra.mcdon...@gmail.com> > > >> > > > >> wrote: > > >> > > > >> > > >> > > > >> > Is there any reason why this jar would report "Successfully > > >> > modified > > >> > > > >> > password" but not return to the shell prompt? > > >> > > > >> > > > >> > &
Re: ApacheDS M20 Backup & Restore
Thanks Kiran, is '(user+operational)' a filter or are you saying I have to list all the attributes specifically? I don't like the latter. What if someone starts using additional attributes without my knowledge? Can you give an example?

On Tue, Sep 1, 2015 at 6:38 PM, Kiran Ayyagari <kayyag...@apache.org> wrote:

> On Wed, Sep 2, 2015 at 5:02 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:
>
> > So how does one retain password history and other system attributes in the backup using ldapsearch? If I can, how do I restore those values? Do I need additional access?
>
> include all (user+operational) attributes in the search request you use for backing up data
> you can restore them by connecting as uid=admin,ou=system user
>
> > On Mon, Aug 24, 2015 at 11:06 PM, Kiran Ayyagari <kayyag...@apache.org> wrote:
> >
> > > On Tue, Aug 25, 2015 at 2:40 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:
> > >
> > > > So, documentation is incomplete for Backup and restore. Are there any new developments in this area?
> > > >
> > > > I know of the following two options:
> > > >
> > > > 1. Shutdown the instance and archive the partition. Not attractive due to downtime.
> > > >
> > > > 2. LDIF export somehow, ldapsearch I assume. Not attractive due to how long it will take to export 300K entries and inconsistent backup.
> > > >
> > > > What is the method for ldapsearch to be able to pull all entries and not just the first thousand entries?
> > >
> > > remove the -z option for unlimited size and search using uid=admin,ou=system user
> > >
> > > > A direct export would be nice.
> > > >
> > > > --Ezsra
> > >
> > > --
> > > Kiran Ayyagari
> > > http://keydap.com
>
> --
> Kiran Ayyagari
> http://keydap.com
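Added example, not part of the thread and not ApacheDS project code: one way to take the ldapsearch backup discussed above so that operational attributes (password-policy state included) are kept, and to check the resulting LDIF before relying on it. The host, port 10389, base DN, the attribute names checked and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: LDIF backup that keeps operational attributes, plus a check
# that the export really contains them.

# Export with ldapsearch. Host, port 10389 and base DN are assumed values.
# "*" asks for all user attributes and "+" for all operational ones
# (RFC 3673), so attributes added later are picked up without listing them.
# -z is left out, as advised in the thread; the bind is uid=admin,ou=system.
ads_backup() {
    ldapsearch -x -LLL -H "ldap://${1:-localhost}:10389" \
        -D "uid=admin,ou=system" -W \
        -b "${2:-dc=example,dc=com}" -s sub "(objectClass=*)" "*" "+"
}

# Print the DN of every entry in LDIF file $1 that lacks any of the
# attributes named in the remaining arguments. Folded lines (continuation
# lines starting with one space) are joined first. A base64 DN ("dn::")
# is printed undecoded.
ldif_missing_attrs() {
    file=$1; shift
    awk -v want="$*" '
        function flush(   i, n, need) {
            if (dn == "") return
            n = split(want, need, " ")
            for (i = 1; i <= n; i++)
                if (!(tolower(need[i]) in seen)) { print dn; break }
        }
        function handle(line,   name) {
            if (line == "") { flush(); dn = ""; split("", seen); return }
            name = line; sub(/:.*/, "", name)
            if (tolower(name) == "dn") { dn = line; sub(/^[^:]*:+ */, "", dn) }
            else seen[tolower(name)] = 1
        }
        /^ / { buf = buf substr($0, 2); next }    # continuation line
        { if (NR > 1) handle(buf); buf = $0 }
        END { handle(buf); flush() }
    ' "$file"
}

# Constructed sample: alice was exported with "*" "+", bob with user
# attributes only, so bob's password-policy state is missing from the backup.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice
sn: Example
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
createTimestamp: 20150901120000.000Z
entryUUID: 11111111-2222-3333-4444-555555555555
pwdChangedTime: 20150901120000.000Z

dn: uid=bob,ou=people,dc=exa
 mple,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
EOF
}

# Run the check on the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_ldif > "$tmp"
    ldif_missing_attrs "$tmp" entryUUID createTimestamp pwdChangedTime
    rm -f "$tmp"
}
demo
```

An empty result from `ldif_missing_attrs` means every entry in the export carries the attributes asked for; any DN printed is an entry whose operational state would be lost on restore.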
Re: To exist or not exist ??
Does anyone know what to do? Is there a way to recreate the master.db file?

On Tue, Sep 1, 2015 at 3:47 PM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:

> I had a user who could not login using his LDAP creds. When I investigated I found that his record exists in one instance but not the other. So I tried exporting his record and importing it to the second instance.
>
> If I chose to Add the entry I get "Add: ERR_250_ENTRY_ALREADY_EXISTS"
>
> So, I choose to update his entry and get "NO_SUCH_OBJECT: failed for MessageType : MODIFY_REQUEST"
>
> I exported the People OU from both nodes and ran a diff on them. There are 4 entries in node1 but not in node2. There are 7 entries in node2 but not in node1.
>
> I went to the partition folder and grepped for the UID.
>
> The server with the valid user record node1
>
> -bash-3.2$ grep 682402b4 *
> Binary file 1.3.6.1.4.1.18060.0.4.1.2.50.db matches
> Binary file master.db matches
>
> The server with the corrupt user record node2
>
> -bash-3.2$ grep 682402b4 *
> Binary file 1.3.6.1.4.1.18060.0.4.1.2.50.db matches
>
> It appears there may be some issues with the master.db file.
>
> Any idea what is going on here? How can I resolve this issue?
>
> Additional info:
>    ADS M20
>    Multi-Master mode
Re: ApacheDS M20 Backup & Restore
So how does one retain password history and other system attributes in the backup using ldapsearch? If I can, how do I restore those values? Do I need additional access?

On Mon, Aug 24, 2015 at 11:06 PM, Kiran Ayyagari <kayyag...@apache.org> wrote:

> On Tue, Aug 25, 2015 at 2:40 AM, Ezsra McDonald <ezsra.mcdon...@gmail.com> wrote:
>
> > So, documentation is incomplete for Backup and restore. Are there any new developments in this area?
> >
> > I know of the following two options:
> >
> > 1. Shutdown the instance and archive the partition. Not attractive due to downtime.
> >
> > 2. LDIF export somehow, ldapsearch I assume. Not attractive due to how long it will take to export 300K entries and inconsistent backup.
> >
> > What is the method for ldapsearch to be able to pull all entries and not just the first thousand entries?
>
> remove the -z option for unlimited size and search using uid=admin,ou=system user
>
> > A direct export would be nice.
> >
> > --Ezsra
>
> --
> Kiran Ayyagari
> http://keydap.com
To exist or not exist ??
I had a user who could not login using his LDAP creds. When I investigated I found that his record exists in one instance but not the other. So I tried exporting his record and importing it to the second instance.

If I chose to Add the entry I get "Add: ERR_250_ENTRY_ALREADY_EXISTS"

So, I choose to update his entry and get "NO_SUCH_OBJECT: failed for MessageType : MODIFY_REQUEST"

I exported the People OU from both nodes and ran a diff on them. There are 4 entries in node1 but not in node2. There are 7 entries in node2 but not in node1.

I went to the partition folder and grepped for the UID.

The server with the valid user record node1

-bash-3.2$ grep 682402b4 *
Binary file 1.3.6.1.4.1.18060.0.4.1.2.50.db matches
Binary file master.db matches

The server with the corrupt user record node2

-bash-3.2$ grep 682402b4 *
Binary file 1.3.6.1.4.1.18060.0.4.1.2.50.db matches

It appears there may be some issues with the master.db file.

Any idea what is going on here? How can I resolve this issue?

Additional info:
   ADS M20
   Multi-Master mode
ApacheDS M20 Backup & Restore
So, documentation is incomplete for Backup and restore. Are there any new developments in this area?

I know of the following two options:

1. Shutdown the instance and archive the partition. Not attractive due to downtime.

2. LDIF export somehow, ldapsearch I assume. Not attractive due to how long it will take to export 300K entries and inconsistent backup.

What is the method for ldapsearch to be able to pull all entries and not just the first thousand entries?

A direct export would be nice.

--Ezsra
Re: Multi-Master Replication issues - Memory and out of sync
It looks like one instance is out of sync. How do I get it back in sync? I was going to shutdown the bad node and one of the good nodes. Then copy the partition from the good node. I noticed there is a syncrepl-data folder that has journals in it. Do those need to be copied as well?

On Thu, Aug 13, 2015 at 9:41 PM, Kiran Ayyagari kayyag...@apache.org wrote:

> On Thu, Aug 13, 2015 at 11:11 PM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:
>
> > First, How much memory should a Multi-Master node require? The Master pool is made up of four nodes. I currently have -Xms1024m and -Xmx2048m. I seem to be running out of memory:
>
> this should be enough, not a whole lot of entries should live in the memory
>
> > Exception in thread pool-2-thread-14 java.lang.OutOfMemoryError: GC overhead limit exceeded
>
> can you please take* a memory dump of the server process? and attach it to a jira ticket.
>
> * please follow this doc if needed http://blogs.atlassian.com/2013/03/so-you-want-your-jvms-heap/
>
> > I have more than 330k entries in my LDAP partition.
> >
> > Next, I collected the contextCsn values over a few seconds. I used iTerm to execute the commands on all nodes simultaneously. I am confused by what I am seeing. Do these values make any sense?
>
> yes, all the nodes are appearing to be in sync based on the given values
>
> >    NODE 1A                           NODE 2A                           NODE 1B                           NODE 2B
> > 1  20150813111645.934000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813111652.523000Z#00#001#00
>
> what partition the above value belongs to?, I assume this is not a replicated partition
>
> > 2  20150813111645.934000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813111645.934000Z#00#001#00
> > 3  20150813111645.934000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813111645.934000Z#00#001#00
> > 4  20150813142625.893000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813130350.92Z#00#001#00      20150813111645.934000Z#00#001#00
> > 5  20150813130356.42Z#00#001#00      20150813130350.592000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813111645.934000Z#00#001#00
>
> --
> Kiran Ayyagari
> http://keydap.com
Multi-Master Replication issues - Memory and out of sync
First, How much memory should a Multi-Master node require? The Master pool is made up of four nodes. I currently have -Xms1024m and -Xmx2048m. I seem to be running out of memory:

Exception in thread pool-2-thread-14 java.lang.OutOfMemoryError: GC overhead limit exceeded

I have more than 330k entries in my LDAP partition.

Next, I collected the contextCsn values over a few seconds. I used iTerm to execute the commands on all nodes simultaneously. I am confused by what I am seeing. Do these values make any sense?

   NODE 1A                           NODE 2A                           NODE 1B                           NODE 2B
1  20150813111645.934000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813111652.523000Z#00#001#00
2  20150813111645.934000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813111645.934000Z#00#001#00
3  20150813111645.934000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813130350.592000Z#00#001#00  20150813111645.934000Z#00#001#00
4  20150813142625.893000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813130350.92Z#00#001#00      20150813111645.934000Z#00#001#00
5  20150813130356.42Z#00#001#00      20150813130350.592000Z#00#001#00  20150813111645.934000Z#00#001#00  20150813111645.934000Z#00#001#00
Re: ERROR: var/lib/default/run has been locked by another directory service.
I do not see the file there:

SOMEPATH/var/lib/default/run$ ls -altr
total 8
drwxr-xr-x 8 apacheds apacheds 4096 Jun 17 19:11 ..
drwxr-xr-x 2 apacheds apacheds 4096 Jul 17 13:59 .

This is very puzzling.

INFO | jvm 1| 2015/07/17 12:16:38 | [12:16:38] ERROR [org.apache.directory.server.core.DefaultDirectoryService] - the working directory SOMEPATH/var/lib/default/run has been locked by another directory service.

How does a Directory get locked by another directory service? It does not appear to be complaining about the PID file.

--Ezsra

On Fri, Jul 17, 2015 at 5:30 PM, Emmanuel Lécharny elecha...@gmail.com wrote:

> On 18/07/15 00:13, Ezsra McDonald wrote:
> > Yes, it is in the config. I only changed it for posting in this forum.
>
> Ah, ok. Check the content of the run directory, looking for the .dirservice.lock file (note the '.' at the beginning). On linux, ls -altr should show this file. Simply delete it.
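Added example, not part of the thread and not ApacheDS project code: a guarded version of the advice above that removes `.dirservice.lock` only when no server process is alive, so a lock held by a running instance is never deleted. The PID file path is an assumption passed in by the caller (the thread does not name it), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: clear a stale ApacheDS work-directory lock after an unclean
# reboot, refusing to touch it while a server process is still running.

LOCK_NAME=".dirservice.lock"    # lock file name given in the thread

# List every lock file below directory $1 (the thread suggests searching
# from / when the lock is not in the expected run directory).
find_locks() {
    find "$1" -name "$LOCK_NAME" -type f 2>/dev/null
}

# Succeed when PID file $1 exists and names a live process.
# /proc is checked first because "kill -0" fails with a permission error,
# not only with "no such process", for a process owned by another user.
pid_alive() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric content
    esac
    [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null
}

# $1 = run directory, $2 = PID file (assumed, site-specific path).
# Prints "absent", "in-use" or "removed"; returns non-zero for "in-use".
clear_stale_lock() {
    lock="$1/$LOCK_NAME"
    if [ ! -e "$lock" ]; then
        echo absent
        return 0
    fi
    if pid_alive "$2"; then
        echo in-use
        return 1
    fi
    rm -f -- "$lock" && echo removed
}

# Stand-alone use: script.sh <run-dir> <pid-file>
if [ $# -ge 2 ]; then
    clear_stale_lock "$1" "$2"
fi
```

An "absent" result matches what the thread reports for the run directory; `find_locks` on the instance directory then shows whether the lock lives somewhere else.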
Re: ERROR: var/lib/default/run has been locked by another directory service.
The instance is running and has synchronized with its Multi-Master peer.

Thank you for the feedback.

--Ezsra

On Mon, Jul 20, 2015 at 12:16 PM, Emmanuel Lécharny elecha...@gmail.com wrote:

> On 20/07/15 19:00, Ezsra McDonald wrote:
> > I gave up and reinstalled the instance. This was a strange one.
>
> Yep... Hope it works now.
Re: ERROR: var/lib/default/run has been locked by another directory service.
I gave up and reinstalled the instance. This was a strange one.

On Mon, Jul 20, 2015 at 10:35 AM, Emmanuel Lécharny elecha...@gmail.com wrote:

> On 20/07/15 16:56, Ezsra McDonald wrote:
> > I do not see the file there:
> >
> > SOMEPATH/var/lib/default/run$ ls -altr
> > total 8
> > drwxr-xr-x 8 apacheds apacheds 4096 Jun 17 19:11 ..
> > drwxr-xr-x 2 apacheds apacheds 4096 Jul 17 13:59 .
>
> What about : sudo find / -name .dirservice.lock ? (might take a while)
ERROR: var/lib/default/run has been locked by another directory service.
Anyone ever run into this when trying to restart ADS M20? The system was rebooted without shutting down cleanly.

STATUS | wrapper | 2015/07/17 12:16:33 | -- Wrapper Started as Daemon
STATUS | wrapper | 2015/07/17 12:16:33 | Launching a JVM...
INFO | jvm 1| 2015/07/17 12:16:34 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
INFO | jvm 1| 2015/07/17 12:16:34 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
INFO | jvm 1| 2015/07/17 12:16:34 |
INFO | jvm 1| 2015/07/17 12:16:38 | [12:16:38] ERROR [org.apache.directory.server.core.DefaultDirectoryService] - the working directory SOMEPATH/var/lib/default/run has been locked by another directory service.
INFO | jvm 1| 2015/07/17 12:16:38 | [12:16:38] ERROR [org.apache.directory.server.wrapper.ApacheDsTanukiWrapper] - Failed to start the service.
INFO | jvm 1| 2015/07/17 12:16:38 | java.lang.RuntimeException: the working directory SOMEPATH/var/lib/default/run has been locked by another directory service.
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.core.DefaultDirectoryService.lockWorkDir(DefaultDirectoryService.java:2178)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:1216)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.ApacheDsService.initDirectoryService(ApacheDsService.java:318)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:182)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.wrapper.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:72)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
STATUS | wrapper | 2015/07/17 12:16:40 | -- Wrapper Stopped

Any assistance would be appreciated
Re: ERROR: var/lib/default/run has been locked by another directory service.
There is no PID file when I start the service.

On Fri, Jul 17, 2015 at 11:33 AM, Sunil Kalahasti kvsu...@hotmail.com wrote:

> There would be pid file under that folder. Delete that and try to start again.
>
> Thanks,
> Sunil Kalahasti
>
> On 17-Jul-2015, at 10:00 pm, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:
>
> > Anyone ever run into this when trying to restart ADS M20? The system was rebooted without shutting down cleanly.
> >
> > STATUS | wrapper | 2015/07/17 12:16:33 | -- Wrapper Started as Daemon
> > STATUS | wrapper | 2015/07/17 12:16:33 | Launching a JVM...
> > INFO | jvm 1| 2015/07/17 12:16:34 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
> > INFO | jvm 1| 2015/07/17 12:16:34 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
> > INFO | jvm 1| 2015/07/17 12:16:34 |
> > INFO | jvm 1| 2015/07/17 12:16:38 | [12:16:38] ERROR [org.apache.directory.server.core.DefaultDirectoryService] - the working directory SOMEPATH/var/lib/default/run has been locked by another directory service.
> > INFO | jvm 1| 2015/07/17 12:16:38 | [12:16:38] ERROR [org.apache.directory.server.wrapper.ApacheDsTanukiWrapper] - Failed to start the service.
> > INFO | jvm 1| 2015/07/17 12:16:38 | java.lang.RuntimeException: the working directory SOMEPATH/var/lib/default/run has been locked by another directory service.
> > INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.core.DefaultDirectoryService.lockWorkDir(DefaultDirectoryService.java:2178)
> > INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:1216)
> > INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.ApacheDsService.initDirectoryService(ApacheDsService.java:318)
> > INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:182)
> > INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.wrapper.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:72)
> > INFO | jvm 1| 2015/07/17 12:16:38 | at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
> > STATUS | wrapper | 2015/07/17 12:16:40 | -- Wrapper Stopped
> >
> > Any assistance would be appreciated
Re: ERROR: var/lib/default/run has been locked by another directory service.
Yes, it is in the config. I only changed it for posting in this forum. The system has been working fine for weeks until we had the unclean system reboot this morning. I removed the PID file myself and tried to restart the server.

On Fri, Jul 17, 2015 at 4:16 PM, Emmanuel Lécharny elecha...@gmail.com wrote:

On 17/07/15 22:55, Ezsra McDonald wrote:

That directory is empty.

Ok, but I have asked what is in SOMEPATH/var/lib/default/run

I assume that SOMEPATH is something that is present in one of your scripts, we don't add it in ApacheDS.
Re: ERROR: var/lib/default/run has been locked by another directory service.
That directory is empty.

Ezra~$ ls -la /var/lib/default/run
total 8
drwxr-xr-x 2 apacheds apacheds 4096 Jul 17 13:59 .
drwxr-xr-x 8 apacheds apacheds 4096 Jun 17 19:11 ..

On Fri, Jul 17, 2015 at 3:15 PM, Emmanuel Lécharny elecha...@gmail.com wrote:

On 17/07/15 19:54, Ezsra McDonald wrote:

There is no PID file when I start the service.

What's in your directory SOMEPATH/var/lib/default/run ?

On Fri, Jul 17, 2015 at 11:33 AM, Sunil Kalahasti kvsu...@hotmail.com wrote:

There would be a pid file under that folder. Delete that and try to start again.

Thanks,
Sunil Kalahasti

On 17-Jul-2015, at 10:00 pm, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Anyone ever run into this when trying to restart ADS M20? The system was rebooted without shutting down cleanly.

STATUS | wrapper | 2015/07/17 12:16:33 | -- Wrapper Started as Daemon
STATUS | wrapper | 2015/07/17 12:16:33 | Launching a JVM...
INFO | jvm 1| 2015/07/17 12:16:34 | Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
INFO | jvm 1| 2015/07/17 12:16:34 | Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
INFO | jvm 1| 2015/07/17 12:16:34 |
INFO | jvm 1| 2015/07/17 12:16:38 | [12:16:38] ERROR [org.apache.directory.server.core.DefaultDirectoryService] - the working directory SOMEPATH/var/lib/default/run has been locked by another directory service.
INFO | jvm 1| 2015/07/17 12:16:38 | [12:16:38] ERROR [org.apache.directory.server.wrapper.ApacheDsTanukiWrapper] - Failed to start the service.
INFO | jvm 1| 2015/07/17 12:16:38 | java.lang.RuntimeException: the working directory SOMEPATH/var/lib/default/run has been locked by another directory service.
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.core.DefaultDirectoryService.lockWorkDir(DefaultDirectoryService.java:2178)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.core.DefaultDirectoryService.startup(DefaultDirectoryService.java:1216)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.ApacheDsService.initDirectoryService(ApacheDsService.java:318)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:182)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.apache.directory.server.wrapper.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:72)
INFO | jvm 1| 2015/07/17 12:16:38 | at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
STATUS | wrapper | 2015/07/17 12:16:40 | -- Wrapper Stopped

Any assistance would be appreciated
Re: ApacheDS Import via CLI
So, after some testing we are planning to import to one of the four masters with replication disabled. We will then stop the instance, tar up and distribute the partition folder to the other three nodes.

Thanks for the help.

On Mon, Jun 15, 2015 at 9:49 PM, Kiran Ayyagari kayyag...@apache.org wrote:

On Tue, Jun 16, 2015 at 5:49 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Carlo,

Yes, Excellent suggestion Carlo! That did the trick.

Now, I have a total of four servers in the Multi-Master setup, nodes A and B in data center 1 and nodes C and D in data center 2. If I ldapadd to node A and only have replication enabled with node B I get 4500 entries per minute. When I add nodes C and D to the replication I get 1800 entries per minute.

What is involved if I wanted to copy the data files after the import from node A to nodes C and D? Do I just tar up the related partition folder from node A and untar it on nodes C and D? Or, is there more involved? What is the procedure?

stop the server before copying and exclude system and config partitions while copying

On Mon, Jun 15, 2015 at 9:35 AM, carlo.acco...@ibs-ag.com wrote:

Not sure how you have this set, but for our initial import we set the following property:

ads-partitionsynconwrite: FALSE

This property is found where you define your partition.

dn: ads-partitionId=mypartition,ou=partitions,ads-directoryServiceId=default,ou=config

Setting this false allowed us to import ~80K entries in about 15-20 mins. Also, if you're using password policies, we disabled those too for the initial import.

Good Luck.

-Original Message-
From: Ezsra McDonald [mailto:ezsra.mcdon...@gmail.com]
Sent: Saturday, June 13, 2015 5:16 PM
To: users
Subject: Re: ApacheDS Import via CLI

Having the server down for the initial import is not a problem. I am able to load 650 - 700 entries a minute. With almost 340k entries to import this will take too long. My estimate is approximately 8.5 hours.

I tried breaking the import into four files and executing four ldapadds simultaneously but that does not improve the load rate. I really did not expect the import would be faster but I am desperate to get the migration done in less than three hours.

This is just informational. I really don't expect there are any solutions to meet my desired 3 hour window. Thanks for the assistance. I will inform my team of my findings.

On Fri, Jun 12, 2015 at 10:29 PM, Emmanuel Lécharny elecha...@gmail.com wrote:

On 12/06/15 23:18, Ezsra McDonald wrote:

The OpenLDAP ldapadd utility works. I wish there was a direct load kind of utility like slapadd. Ldapadd is slow but studio is slower.

Everything that injects data into a live server will be slow. In the near future, we will have a bulk import tool that will be way faster, but it will require the server to be down.

--
Kiran Ayyagari
http://keydap.com
Re: Consumer logs IllegalStateException and VALUE_ALREADY_EXISTS
I am going a different direction. I'll load the data to a single instance and then distribute a copy of the partition to each host in the Multi-Master pool. It seems to be a faster process and no errors have occurred going this route.

Thanks for the help.

On Sat, Jun 20, 2015 at 10:41 AM, Kiran Ayyagari kayyag...@apache.org wrote:

On Sat, Jun 20, 2015 at 11:24 PM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

As I was saying before I prematurely hit the send key:

I am new to ApacheDS M20. I attempted to import 350k entries to a Multi-Replication setup using ldapadd last night and found this in the logs this morning. I really don't know what it wants me to do.

check that your keys are immutable, and that you have used synchronization properly

Where do I find this information at? I did check my replication setup and it looks right.

This entry was repeated in the logs:

INFO | jvm 1| 2015/06/20 07:30:16 | java.lang.IllegalStateException: Entry.next=null, data[removeIndex]=6f9128a9-c235-4d90-aecb-7e9ecb58441a=java.lang.Object@62dbd1cc previous=6f9128a9-c235-4d90-aecb-7e9ecb58441a=java.lang.Object@62dbd1cc key=938ea455-e1e5-4eca-bf2a-d99a00500865 value=java.lang.Object@271f5be size=1000 maxSize=1000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-...@jakarta.apache.org as a bug.

it is properly synchronized, so I don't see why it is complaining, nevertheless I have to get rid of this LRUMap, it is not the first time we had issues with it (we had a serious problem with it in Mavibot)

INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java:267)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java:284)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.getLockFor(ReplicationConsumerImpl.java:1406)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:356)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:769)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:566)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:743)
INFO | jvm 1| 2015/06/20 07:30:16 | at java.lang.Thread.run(Thread.java:745)

Also, the following was repeated in the logs for the system the ldapadd targeted. The message repeated for what may be every entry are the following. The database was empty to begin with.

INFO | jvm 1| 2015/06/19 19:20:54 | [19:20:54] WARN [org.apache.directory.api.ldap.model.entry.DefaultAttribute] - ERR_04486_VALUE_ALREADY_EXISTS The value 'organizationalPerson' already exists in the attribute (objectClass)

this can be ignored, just a log but at wrong level

Many hours later the logs for the targeted import node logged the following. It then became unresponsive.

NFO | jvm 1| 2015/06/20 07:30:20 | [07:30:20] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
INFO | jvm 1| 2015/06/20 07:30:20 | java.lang.OutOfMemoryError: GC overhead limit exceeded

can you take a memory dump of this process, that would help me debug it better

There are four nodes in the Multi-Master configuration. Two in each data center. The contextCSN does not match on the node that reported the java.lang.IllegalStateException.

can you share the configuration files of all the nodes (strip the passwords and host names)

--
Kiran Ayyagari
http://keydap.com
Consumer logs IllegalStateException
I am new to ApacheDS M20. I attempted to import 350k entries to a Multi-Replication setup using ldapadd last night and found this in the logs this morning. I really don't know what it wants me to do.

check that your keys are immutable, and that you have used synchronization properly :

Where do I find this information at? I did check my replication setup and it looks right.

This entry was repeated in the logs:

INFO | jvm 1| 2015/06/20 07:30:16 | java.lang.IllegalStateException: Entry.next=null, data[removeIndex]=6f9128a9-c235-4d90-aecb-7e9ecb58441a=java.lang.Object@62dbd1cc previous=6f9128a9-c235-4d90-aecb-7e9ecb58441a=java.lang.Object@62dbd1cc key=938ea455-e1e5-4eca-bf2a-d99a00500865 value=java.lang.Object@271f5be size=1000 maxSize=1000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-...@jakarta.apache.org as a bug.
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java:267)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java:284)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.getLockFor(ReplicationConsumerImpl.java:1406)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:356)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:769)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:566)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:743)
INFO | jvm 1| 2015/06/20 07:30:16 | at java.lang.Thread.run(Thread.java:745)

Also, repeated for what may be every entry are the following:
Consumer logs IllegalStateException and VALUE_ALREADY_EXISTS
As I was saying before I prematurely hit the send key:

I am new to ApacheDS M20. I attempted to import 350k entries to a Multi-Replication setup using ldapadd last night and found this in the logs this morning. I really don't know what it wants me to do.

check that your keys are immutable, and that you have used synchronization properly

Where do I find this information at? I did check my replication setup and it looks right.

This entry was repeated in the logs:

INFO | jvm 1| 2015/06/20 07:30:16 | java.lang.IllegalStateException: Entry.next=null, data[removeIndex]=6f9128a9-c235-4d90-aecb-7e9ecb58441a=java.lang.Object@62dbd1cc previous=6f9128a9-c235-4d90-aecb-7e9ecb58441a=java.lang.Object@62dbd1cc key=938ea455-e1e5-4eca-bf2a-d99a00500865 value=java.lang.Object@271f5be size=1000 maxSize=1000 Please check that your keys are immutable, and that you have used synchronization properly. If so, then please report this to commons-...@jakarta.apache.org as a bug.
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.LRUMap.reuseMapping(LRUMap.java:301)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.LRUMap.addMapping(LRUMap.java:267)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.commons.collections.map.AbstractHashedMap.put(AbstractHashedMap.java:284)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.getLockFor(ReplicationConsumerImpl.java:1406)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:356)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:769)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:566)
INFO | jvm 1| 2015/06/20 07:30:16 | at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:743)
INFO | jvm 1| 2015/06/20 07:30:16 | at java.lang.Thread.run(Thread.java:745)

Also, the following was repeated in the logs for the system the ldapadd targeted. The message repeated for what may be every entry are the following. The database was empty to begin with.

INFO | jvm 1| 2015/06/19 19:20:54 | [19:20:54] WARN [org.apache.directory.api.ldap.model.entry.DefaultAttribute] - ERR_04486_VALUE_ALREADY_EXISTS The value 'organizationalPerson' already exists in the attribute (objectClass)

Many hours later the logs for the targeted import node logged the following. It then became unresponsive.

NFO | jvm 1| 2015/06/20 07:30:20 | [07:30:20] WARN [org.apache.directory.server.ldap.LdapProtocolHandler] - Unexpected exception forcing session to close: sending disconnect notice to client.
INFO | jvm 1| 2015/06/20 07:30:20 | java.lang.OutOfMemoryError: GC overhead limit exceeded

There are four nodes in the Multi-Master configuration. Two in each data center. The contextCSN does not match on the node that reported the java.lang.IllegalStateException.
Re: Large replica files in /tmp
I don't think it is a bug. These files were generated during the very large import via ldapadd. The replica files filled the /tmp file system which I believe snowballed into other issues so the replication may not have completed. I was hoping I could configure ADS to use a different location for the replica files. I am also working with our system guys to have the tmp file system increased.

On the note of replication completing. What is the best way to tell the status of replication on ADS? Even getting a count of entries in the database would be helpful.

On Mon, Jun 15, 2015 at 9:52 PM, Kiran Ayyagari kayyag...@apache.org wrote:

On Tue, Jun 16, 2015 at 9:31 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Greetings

I assume this has to do with the import of 300+k entries to my LDAP. What do these mean? Do they have to be in /tmp? Can I put them somewhere else?

they are created by the replication subsystem, they are supposed to be deleted after use, can you file a bug?

-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data
-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data.db
-rw-r--r-- 1 apacheds apacheds 685559808 Jun 15 20:45 replica2007608221525362157.sorted-data.lg

ADS M20

--Ez

--
Kiran Ayyagari
http://keydap.com
Re: Large replica files in /tmp
On Tue, Jun 16, 2015 at 10:31 AM, Kiran Ayyagari kayyag...@apache.org wrote:

On Tue, Jun 16, 2015 at 11:16 PM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

I don't think it is a bug. These files were generated during the very large import via ldapadd. The replica files filled the /tmp file system which I believe snowballed into other issues so the replication may not have completed. I was hoping I could configure ADS to use a different location for the replica files. I am also working with our system guys to have the tmp file system increased.

the files with extension .sorted-data are created while searching with a sort control and these files will be deleted when the associated cursor gets closed.

To make sure I understand, these were not created by the replication process but by a query? I may have opened a browser on my People OU with 300k entries in it. Would this cause the sorted-data files?

And something is not right and these files are still hanging around, was the server stopped using ctrl+c ? or are you running server on windows?

When I saw the file system was full I stopped ADS.

On the note of replication completing. What is the best way to tell the status of replication on ADS? Even getting a count of entries in the database would be helpful.

the best way is to compare the contentEntryCsn on the base entry of each partition
I planned to write a CLI to do this, but it still remained in the TODO list.

I'll take a look at contentEntryCsn, thanks.

On Mon, Jun 15, 2015 at 9:52 PM, Kiran Ayyagari kayyag...@apache.org wrote:

On Tue, Jun 16, 2015 at 9:31 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Greetings

I assume this has to do with the import of 300+k entries to my LDAP. What do these mean? Do they have to be in /tmp? Can I put them somewhere else?

they are created by the replication subsystem, they are supposed to be deleted after use, can you file a bug?

-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data
-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data.db
-rw-r--r-- 1 apacheds apacheds 685559808 Jun 15 20:45 replica2007608221525362157.sorted-data.lg

ADS M20

--Ez

--
Kiran Ayyagari
http://keydap.com

--
Kiran Ayyagari
http://keydap.com
Re: Large replica files in /tmp
On Tue, Jun 16, 2015 at 11:01 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

On Tue, Jun 16, 2015 at 10:31 AM, Kiran Ayyagari kayyag...@apache.org wrote:

On Tue, Jun 16, 2015 at 11:16 PM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

I don't think it is a bug. These files were generated during the very large import via ldapadd. The replica files filled the /tmp file system which I believe snowballed into other issues so the replication may not have completed. I was hoping I could configure ADS to use a different location for the replica files. I am also working with our system guys to have the tmp file system increased.

the files with extension .sorted-data are created while searching with a sort control and these files will be deleted when the associated cursor gets closed.

To make sure I understand, these were not created by the replication process but by a query? I may have opened a browser on my People OU with 300k entries in it. Would this cause the sorted-data files?

And something is not right and these files are still hanging around, was the server stopped using ctrl+c ? or are you running server on windows?

When I saw the file system was full I stopped ADS.

On the note of replication completing. What is the best way to tell the status of replication on ADS? Even getting a count of entries in the database would be helpful.

the best way is to compare the contentEntryCsn on the base entry of each partition
I planned to write a CLI to do this, but it still remained in the TODO list.

I'll take a look at contentEntryCsn, thanks.

I could not find the contentEntryCsn attribute but I did find entryCSN. This seems to be an index or something. What am I looking for? I made a change to a user's e-mail address. The change was replicated but this value stayed the same.

On Mon, Jun 15, 2015 at 9:52 PM, Kiran Ayyagari kayyag...@apache.org wrote:

On Tue, Jun 16, 2015 at 9:31 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Greetings

I assume this has to do with the import of 300+k entries to my LDAP. What do these mean? Do they have to be in /tmp? Can I put them somewhere else?

they are created by the replication subsystem, they are supposed to be deleted after use, can you file a bug?

-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data
-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data.db
-rw-r--r-- 1 apacheds apacheds 685559808 Jun 15 20:45 replica2007608221525362157.sorted-data.lg

ADS M20

--Ez

--
Kiran Ayyagari
http://keydap.com

--
Kiran Ayyagari
http://keydap.com
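The per-node CSN comparison suggested in the message above, as an added example that is not part of the thread and not an ApacheDS tool. It assumes the attribute to compare is contextCSN (the name used elsewhere in this archive), read from each node's partition base entry, and that values follow the timestamp#changeCount#replicaId#operationNumber layout; node names and outputs are constructed.

```python
import re
from datetime import datetime, timezone

# Each node's text would come from something like (run once per node):
#   ldapsearch -H ldap://nodeA:10389 -x -D uid=admin,ou=system -W \
#       -b dc=www,dc=somewhere,dc=com -s base contextCSN
# contextCSN is operational, so it has to be requested by name.

CSN_RE = re.compile(
    r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)


def parse_csn(csn):
    """Return (utc_timestamp, change_count, replica_id, operation_number)."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(
        microsecond=int(m.group(2)), tzinfo=timezone.utc)
    # The three counters are hexadecimal; tuples compare field by field.
    return (stamp, int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16))


def extract_context_csn(ldif_text):
    """Pull the contextCSN value out of one ldapsearch result, or None."""
    m = re.search(r"^contextCSN:\s*(\S+)\s*$", ldif_text, re.M | re.I)
    return m.group(1) if m else None


def replication_status(outputs):
    """Map node -> {'in_sync', 'lag_seconds'} relative to the newest CSN seen."""
    parsed = {}
    for node, text in outputs.items():
        raw = extract_context_csn(text)
        parsed[node] = parse_csn(raw) if raw else None
    known = [csn for csn in parsed.values() if csn is not None]
    newest = max(known) if known else None
    report = {}
    for node, csn in parsed.items():
        if csn is None:  # attribute missing: cannot say the node is current
            report[node] = {"in_sync": False, "lag_seconds": None}
        else:
            lag = (newest[0] - csn[0]).total_seconds()
            report[node] = {"in_sync": csn == newest, "lag_seconds": lag}
    return report


def _constructed_output(csn):
    # Constructed ldapsearch result for the base entry of the partition.
    return f"dn: dc=www,dc=somewhere,dc=com\ncontextCSN: {csn}\n"


# Constructed values: nodes A-C agree, node D stopped 30 minutes earlier.
SAMPLE_OUTPUTS = {
    "nodeA": _constructed_output("20150616171500.000000Z#000000#001#000000"),
    "nodeB": _constructed_output("20150616171500.000000Z#000000#001#000000"),
    "nodeC": _constructed_output("20150616171500.000000Z#000000#001#000000"),
    "nodeD": _constructed_output("20150616164500.000000Z#000000#001#000000"),
}

if __name__ == "__main__":
    for node, state in sorted(replication_status(SAMPLE_OUTPUTS).items()):
        print(node, state)
```

A node that stays behind the newest value after writes have stopped is the one whose replication log to read first.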
Large replica files in /tmp
Greetings

I assume this has to do with the import of 300+k entries to my LDAP. What do these mean? Do they have to be in /tmp? Can I put them somewhere else?

-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data
-rw-r--r-- 1 apacheds apacheds 0 Jun 15 20:32 replica2007608221525362157.sorted-data.db
-rw-r--r-- 1 apacheds apacheds 685559808 Jun 15 20:45 replica2007608221525362157.sorted-data.lg

ADS M20

--Ez
Re: ApacheDS Import via CLI
Carlo,

Yes, Excellent suggestion Carlo! That did the trick.

Now, I have a total of four servers in the Multi-Master setup, nodes A and B in data center 1 and nodes C and D in data center 2. If I ldapadd to node A and only have replication enabled with node B I get 4500 entries per minute. When I add nodes C and D to the replication I get 1800 entries per minute.

What is involved if I wanted to copy the data files after the import from node A to nodes C and D? Do I just tar up the related partition folder from node A and untar it on nodes C and D? Or, is there more involved? What is the procedure?

On Mon, Jun 15, 2015 at 9:35 AM, carlo.acco...@ibs-ag.com wrote:

Not sure how you have this set, but for our initial import we set the following property:

ads-partitionsynconwrite: FALSE

This property is found where you define your partition.

dn: ads-partitionId=mypartition,ou=partitions,ads-directoryServiceId=default,ou=config

Setting this false allowed us to import ~80K entries in about 15-20 mins. Also, if you're using password policies, we disabled those too for the initial import.

Good Luck.

-Original Message-
From: Ezsra McDonald [mailto:ezsra.mcdon...@gmail.com]
Sent: Saturday, June 13, 2015 5:16 PM
To: users
Subject: Re: ApacheDS Import via CLI

Having the server down for the initial import is not a problem. I am able to load 650 - 700 entries a minute. With almost 340k entries to import this will take too long. My estimate is approximately 8.5 hours.

I tried breaking the import into four files and executing four ldapadds simultaneously but that does not improve the load rate. I really did not expect the import would be faster but I am desperate to get the migration done in less than three hours.

This is just informational. I really don't expect there are any solutions to meet my desired 3 hour window. Thanks for the assistance. I will inform my team of my findings.

On Fri, Jun 12, 2015 at 10:29 PM, Emmanuel Lécharny elecha...@gmail.com wrote:

On 12/06/15 23:18, Ezsra McDonald wrote:

The OpenLDAP ldapadd utility works. I wish there was a direct load kind of utility like slapadd. Ldapadd is slow but studio is slower.

Everything that injects data into a live server will be slow. In the near future, we will have a bulk import tool that will be way faster, but it will require the server to be down.
Re: ApacheDS Import via CLI
Having the server down for the initial import is not a problem. I am able to load 650 - 700 entries a minute. With almost 340k entries to import this will take too long. My estimate is approximately 8.5 hours.

I tried breaking the import into four files and executing four ldapadds simultaneously but that does not improve the load rate. I really did not expect the import would be faster but I am desperate to get the migration done in less than three hours.

This is just informational. I really don't expect there are any solutions to meet my desired 3 hour window. Thanks for the assistance. I will inform my team of my findings.

On Fri, Jun 12, 2015 at 10:29 PM, Emmanuel Lécharny elecha...@gmail.com wrote:

On 12/06/15 23:18, Ezsra McDonald wrote:

The OpenLDAP ldapadd utility works. I wish there was a direct load kind of utility like slapadd. Ldapadd is slow but studio is slower.

Everything that injects data into a live server will be slow. In the near future, we will have a bulk import tool that will be way faster, but it will require the server to be down.
Re: ApacheDS Multi Master config issues
2. Do both instances need to start with the same data? Can node1 contain an imported LDIF and will Node 1 eventually synchronize to node 2?

yes, they eventually synchronize

Okay, I think I know what is happening. The node with the LDIF loaded in it is logging the following error:

INFO | jvm 1| 2015/06/12 14:50:35 | Exception in thread pool-7-thread-1 java.lang.OutOfMemoryError: Java heap space
INFO | jvm 1| 2015/06/12 14:50:35 | at java.nio.HeapByteBuffer.init(HeapByteBuffer.java:57)
INFO | jvm 1| 2015/06/12 14:50:35 | at java.nio.ByteBuffer.allocate(ByteBuffer.java:335)

This is even after making these config changes:

# Initial Java Heap Size (in MB)
wrapper.java.initmemory=2048
# Maximum Java Heap Size (in MB)
wrapper.java.maxmemory=2048

Any ideas?

On Thu, Jun 4, 2015 at 1:42 AM, Kiran Ayyagari kayyag...@apache.org wrote:

On Thu, Jun 4, 2015 at 5:44 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Greetings,

I am new to ApacheDS. We are running v2.0 M19. I am having issues getting my pair of LDAP instances working in Multi Master mode. If you can answer a few questions please:

1. Is it a problem if both instances are listening on port 10389 on different hosts (Node 1 Node 2)? Do they have to use different ports?

no, not needed

2. Do both instances need to start with the same data? Can node1 contain an imported LDIF and will Node 1 eventually synchronize to node 2?

yes, they eventually synchronize

CONFIGURATION:

In my current setup I have imported the LDIF to both nodes. I configured Replication as follows using the Directory Studio:

* PORT: Both nodes listen on port 10389.
* ID: consumer host name
* REP MODE: Refresh and persist
* REMOTE HOST: Consumer host name
* REM PORT: 10389
* BIND: uid=admin,ou=system
* BIND PW: NOT_SHARING :-P
* USE STARTTLS: enabled
* BASE DB: dc=www,dc=somewhere,dc=com
* FILTER: (objectClass=*)
* SCOPE: SUBTREE
* ATTRIBUTES: All

SYMPTOMS:

When I setup the Replication and restart the instances I am able to login to node 2 but node 1 won't allow me to connect. If I stop both nodes and start only node 1 I can login to node1. By login I am using Studio to login as uid=admin,ou=system.

what error are you getting, can you post any errors from the server log

If I run a netstat I can see a connection between each node. One from Node 1 to Node 2 and one from node 2 to node 1.

If I were to enable some debugging what particular logging should I enable?

you can use this config http://pastebin.com/5U7NuRir

-Ez

--
Kiran Ayyagari
http://keydap.com
Re: ApacheDS Import via CLI
The OpenLDAP ldapadd utility works. I wish there was a direct load kind of utility like slapadd. Ldapadd is slow but studio is slower.

Anyway, thanks for the help.

--Ez

On Thu, Jun 11, 2015 at 1:24 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Thanks, I will give it a try.

On Thu, Jun 11, 2015 at 1:23 AM, Kiran Ayyagari kayyag...@apache.org wrote:

On Thu, Jun 11, 2015 at 2:17 PM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

Is that from the Linux openldap-clients RPM or somewhere else?

yes, from that package

On Wed, Jun 10, 2015 at 10:57 PM, Kiran Ayyagari kayyag...@apache.org wrote:

On Thu, Jun 11, 2015 at 11:31 AM, Ezsra McDonald ezsra.mcdon...@gmail.com wrote:

So, I need to import 330k records to my directory in a short amount of time. Is there a CLI that will do the job or is the Studio the only option?

one easy way is to use ldapadd command, e.g

ldapadd -H ldap://localhost:10389 -x -D uid=admin,ou=system -W -f mydata.ldif

make sure that your LDIF file is sorted in parent entry first order.

I am running 2.0.0 M19.

Thanks,
--EZ

--
Kiran Ayyagari
http://keydap.com

--
Kiran Ayyagari
http://keydap.com
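The advice quoted above to sort the LDIF in parent-entry-first order before running ldapadd, as an added example that is not part of the thread or of ApacheDS. It assumes a content LDIF (no changetype records); the sample entries and function names are constructed for illustration.

```python
import base64
import re
import sys

# Constructed sample input: children listed before parents, one folded DN,
# one base64 DN (encoded at import time) and one DN with an escaped comma.
_B64_DN = base64.b64encode(b"uid=alice,ou=Staff,dc=example,dc=com").decode()
SAMPLE_LDIF = f"""\
version: 1

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe

dn: cn=Smith\\, Ann,ou=People,dc=example,dc=com
objectClass: person
cn: Smith, Ann
sn: Smith

# the container arrives after its children
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn:: {_B64_DN}
objectClass: inetOrgPerson
cn: Alice
sn: A

dn: dc=example,
 dc=com
objectClass: domain
dc: example
"""


def parse_records(text):
    """Return [(dn, record_text)] for every content record, in file order."""
    # Unfold RFC 2849 continuation lines (newline followed by one space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    records = []
    for block in re.split(r"\n\s*\n", text):
        lines = [ln for ln in block.split("\n") if ln and not ln.startswith("#")]
        if lines and lines[0].lower().startswith("version:"):
            lines = lines[1:]
        if not lines:
            continue
        m = re.match(r"dn(::?)\s*(.*)$", lines[0], re.I)
        if not m:
            raise ValueError(f"record does not start with a dn line: {lines[0]!r}")
        dn = m.group(2)
        if m.group(1) == "::":  # base64-encoded DN
            dn = base64.b64decode(dn).decode("utf-8")
        records.append((dn, "\n".join(lines)))
    return records


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    # Approximate normalization (trim, lowercase); not schema-aware matching.
    return [r.strip().lower() for r in rdns]


def sort_parent_first(text):
    """Return (sorted_ldif, orphans).

    Sorting by RDN count puts every parent ahead of its children. Orphans are
    DNs below the shallowest level whose parent is not in the file, so that
    parent must already exist on the server or the add will fail.
    """
    keyed = [(tuple(split_dn(dn)), dn, body) for dn, body in parse_records(text)]
    keyed.sort(key=lambda rec: len(rec[0]))  # stable: file order kept per depth
    present = {rdns for rdns, _, _ in keyed}
    top = len(keyed[0][0]) if keyed else 0
    orphans = [dn for rdns, dn, _ in keyed
               if len(rdns) > top and rdns[1:] not in present]
    ldif = "version: 1\n\n" + "\n\n".join(body for _, _, body in keyed) + "\n"
    return ldif, orphans


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LDIF
    ldif, orphans = sort_parent_first(source)
    sys.stdout.write(ldif)
    for dn in orphans:
        print(f"parent not in file: {dn}", file=sys.stderr)
```

The orphan list is worth checking before a long import: a missing container stops every entry beneath it, and with hundreds of thousands of records that shows up only as a stream of failed adds.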
ApacheDS Import via CLI
So, I need to import 330k records to my directory in a short amount of time. Is there a CLI that will do the job or is the Studio the only option?

I am running 2.0.0 M19.

Thanks,
--EZ
ApacheDS Multi Master config issues
Greetings,

I am new to ApacheDS. We are running v2.0 M19. I am having issues getting my pair of LDAP instances working in Multi Master mode. If you can answer a few questions please:

1. Is it a problem if both instances are listening on port 10389 on different hosts (Node 1 Node 2)? Do they have to use different ports?

2. Do both instances need to start with the same data? Can node1 contain an imported LDIF and will Node 1 eventually synchronize to node 2?

CONFIGURATION:

In my current setup I have imported the LDIF to both nodes. I configured Replication as follows using the Directory Studio:

* PORT: Both nodes listen on port 10389.
* ID: consumer host name
* REP MODE: Refresh and persist
* REMOTE HOST: Consumer host name
* REM PORT: 10389
* BIND: uid=admin,ou=system
* BIND PW: NOT_SHARING :-P
* USE STARTTLS: enabled
* BASE DB: dc=www,dc=somewhere,dc=com
* FILTER: (objectClass=*)
* SCOPE: SUBTREE
* ATTRIBUTES: All

SYMPTOMS:

When I setup the Replication and restart the instances I am able to login to node 2 but node 1 won't allow me to connect. If I stop both nodes and start only node 1 I can login to node1. By login I am using Studio to login as uid=admin,ou=system.

If I run a netstat I can see a connection between each node. One from Node 1 to Node 2 and one from node 2 to node 1.

If I were to enable some debugging what particular logging should I enable?

-Ez