Hi Everyone,
We are in the process of migrating from an old OpenLDAP service to 389-DS.
We currently synchronise users and attributes from an Oracle DB to OpenLDAP
service using an aging set of custom scripts and DB triggers.
We would like to do something similar for 389-DS but using a
*Bump*
Surely we can't be the only ones who want to this?
Trev
From: Fong, Trevor
Sent: April-22-14 3:33 PM
To: '389-users@lists.fedoraproject.org'
Subject: Sync from RDBMS to LDAP
Hi Everyone,
We are in the process of migrating from an old OpenLDAP service to 389-DS.
We currently synchronise
from RDBMS to LDAP
Sorry that kind of thing is always a custom scripting job.
-- Sent from my HP Pre3
On Apr 28, 2014 13:27, Fong, Trevor
trevor.f...@ubc.camailto:trevor.f...@ubc.ca wrote:
*Bump*
Surely we can't be the only ones who want to this?
Trev
From
Hi Everyone,
After taking over the LDAP service from a colleague, I updated the 389 DS
service to the latest release by issuing a yum update Then when
searching around the 389-ds documentation, I came across the install page that
said that I must use yum upgrade ... and not update.
My
where the -obsoletes flag says to remove packages that have been made
obsolete by the upgrade (say you're upgrading from 5.9 to 6.5).
Cheers!
David
On May 20, 2014, at 10:00, Rich Megginson
rmegg...@redhat.commailto:rmegg...@redhat.com wrote:
On 05/20/2014 10:58 AM, Fong, Trevor wrote:
Hi
Hi Everyone,
Searches and any kind of access to a particular ou seem to be hanging (yep,
even tried deleting it and it's children) so I ran db2index and left it running
all night. It's still running 20 hours later - is that normal? If it's not,
is it OK to kill the process? What would you
Hi Everyone,
I'm having trouble initializing consumers for replication.
On 2 of the 3 consumers, I get the following message after trying to
re-initialize the consumers from the 389-console:
NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update
replication update vector
And nope, reindexing with
/usr/lib64/dirsrv/slapd-instance/db2index.pl -v -D cn=Directory Manager -w
xxx -n userRoot
didn't help either.
Trev
From: 389-users-boun...@lists.fedoraproject.org
[mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Fong, Trevor
Sent: Wednesday, September
...@lists.fedoraproject.org] On Behalf Of Fong, Trevor
Sent: Wednesday, September 24, 2014 4:21 PM
To: 389-users@lists.fedoraproject.org
Subject: Re: [389-users] Trouble with Replication - Initializing Consumers
Hi Noriko,
Thanks for your response. We’re running 389-Directory/1.2.11.29
?
Thanks,
Trev
From: Fong, Trevor Fong trevor.f...@ubc.camailto:trevor.f...@ubc.ca
Reply-To:
389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
Date: Wednesday, November 26, 2014 at 3:07 PM
To:
389-users
-users@lists.fedoraproject.org
389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org,
Trevor Fong trevor.f...@ubc.camailto:trevor.f...@ubc.ca
Subject: Re: [389-users] 389-ds and Multi CPU's
On 12/08/2014 02:08 PM, Fong, Trevor wrote:
Hi Everyone,
We’ve inherited a 389-ds
and Multi CPU's
On 12/08/2014 05:43 PM, Fong, Trevor wrote:
Hi Mike,
It's Mark :-) I get that a lot for some reason.
Thanks for the reply. The typical result of the result is:
[08/Dec/2014:07:08:04 -0800] conn=130262 op=1 RESULT err=0 tag=101 nentries=5
etime=0
Yeah this looks fine
Last message got embargoed for being over-length. Trimming this mail.
Trev
From: Fong, Trevor Fong trevor.f...@ubc.camailto:trevor.f...@ubc.ca
Date: Thursday, December 11, 2014 at 9:03 AM
To: mreyno...@redhat.commailto:mreyno...@redhat.com
mreyno...@redhat.commailto:mreyno...@redhat.com,
389
@lists.fedoraproject.org
389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
Subject: Re: [389-users] 389-ds and Multi CPU's
On 12/09/2014 05:58 PM, Fong, Trevor wrote:
Hi Mark,
I’ve afraid adding nsIndexIDListScanLimit to
cn=objectclass,cn=index,cn=userRoot,cn=ldbm database
BTW, we were able to artificially make it work by changing the dnaFilter to the
emplid of our test user:
dnaFilter: ((employeeNumber=12345)(objectclass=posixAccount))
Trev
From: Trevor Fong trevor.f...@ubc.camailto:trevor.f...@ubc.ca
Date: Thursday, July 16, 2015 at 4:47 PM
To:
:19 PM
To:
389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
389-users@lists.fedoraproject.orgmailto:389-users@lists.fedoraproject.org
Subject: Re: [389-users] DNA Plugin Causes 389-DS to Crash if Large Number of
Candidates
On 07/16/2015 05:47 PM, Fong, Trevor wrote:
Hi
Hi Guys,
We’re running 389-ds 1.2.11.29-1.el6 and are experimenting with the DNA plugin.
When trying to set an existing account’s uidNumber to the magic regen number
of 9, we get the error message in the errors log:
Allocation of a new value for range cn=uid numbers,cn=distributed
Hi German,
Thanks for your suggestion. I’m happy to confirm that setting userRoot’s
nsslapd-cachememsize: 429496730 (1/15th of previous value of 6 GB) has
addressed the memory issue for now, and % Mem for the ns-slapd process seems to
be at a manageable level.
Thanks very much,
Trev
On
Hi German,
Thanks very much for your reply.
Just to make sure I have it straight, I’ve currently got userRoot’s
nsslapd-cachememsize = 6 GB on at 16GB machine.
I should change that to nsslapd-cachememsize = 6 GB / 15 = 429496730
Do I have that right?
Thanks again,
Trev
On 2015-10-20, 10:23
Hi Everyone,
A question about how to best go about doing access control on db-linked
directories. Given the below 2-directory setup (Dir1 has a db link set up to
Dir2, and vice versa), is the shown ACI setup possible/advisable? If not,
what’s the best way to make it work?:
Dir1:
Hi William,
Thanks very much for your reply.
On 2016-03-29, 4:23 PM, "William Brown" <wibr...@redhat.com> wrote:
>On Tue, 2016-03-29 at 22:49 +, Fong, Trevor wrote:
>> Hi Everyone,
>>
>> A question about how to best go about doing access contr
Can we set nsIDListScanLimit=7 (or whatever) for a service account instead
of changing the system nsslapd-idlistscanlimit setting?
Thanks,
Trev
From: Anthony Winstanley
Reply-To: "389-users@lists.fedoraproject.org"
<389-users@lists.fedoraproject.org>
Date: Friday,
Tue, 2018-02-20 at 23:36 +, Fong, Trevor wrote:
>> Hi William,
>>
>> Thanks a lot for your reply.
>>
>> That's correct - replication schedule is not enabled.
>> No - there are definitely changes to replicate - I know, I made th
Hi Everyone,
I was wondering what experiences people have had with large groups (> 100k
members) in 389 DS?
Particularly interested in loading, managing and syncing them.
WRT syncing – how do people efficiently sync large groups? Most sync utilities
sync at the attribute level; if the changed
-ds and migrated along with changes. Replication (master/master) is
solid, keeps up with day to day changes fine, very stable. Overall no issues
for 10+ years using it with steady growth. We are moving away to another
solution but by not because of 389ds. Good luck. -Trevor
From: Fong, Trevor [ma
Hi Everyone,
I’ve set up a new 389 DS cluster (389-Directory/1.3.6.1 B2018.016.1710) and
have set up a replication agreement from our old cluster
(389-Directory/1.2.11.15 B2014.300.2010) to a master node in the new cluster.
Problem is that updates in the old cluster take up to 15 mins to make
t;will...@blackhats.net.au> wrote:
On Sat, 2018-02-17 at 01:49 +, Fong, Trevor wrote:
> Hi Everyone,
>
> I’ve set up a new 389 DS cluster (389-Directory/1.3.6.1
> B2018.016.1710) and have set up a replication agreement from our old
> cluster (389-D
difference.
Still interested in other people’s experience with large groups.
From: "Fong, Trevor" <trevor.f...@ubc.ca>
Reply-To: "389-users@lists.fedoraproject.org"
<389-users@lists.fedoraproject.org>
Date: Thursday, April 26, 2018 at 11:06 AM
To: "389-user
Hi There,
I'm trying to set up dynamic groups with 389 DS (1.3.7.5 B2018.184.1411) but my
queries against it don't seem to be returning any members.
I have a user set up like this:
objectClass: eduPerson
objectClass: inetLocalMailRecipient
objectClass: inetOrgPerson
objectClass: inetUser
Hi Everyone,
I've configured 2 new 389 DS hubs (eg new1.example.com, new2.example.com) and
have connected them to our main 389 DS cluster.
They each have their own self-signed certificate, and replication is working
well.
I now want to load-balance these 2 nodes under their own VIP/hostname:
rt
dn: cn=RSA,cn=encryption,cn=config
changetype: modify
replace: nsSSLPersonalitySSL
nsSSLPersonalitySSL: *.example.com - CA
6. Restart 389 DS
systemctl restart dirsrv.target
Thanks,
Trev
On 2019-07-26, 5:49 PM, "William Brown" wrote:
> On 27 Jul 2019, at
Thanks William.
Just wanted to make an update to report that recovery via ldif2db was
successful last night.
Thanks,
Trev
On 2020-09-17, 7:37 PM, "William Brown" wrote:
> I don't want to do an db2ldif during production time since it will put
the db into read-only mode.
> The
Hi Everyone,
I'm having an issue re-initializing our secondary muti-master replicated 389 DS
provider node via 389-Console > replication agreement > "Initialize Consumer".
It eventually aborts the update with an error "import userRoot: Thread
monitoring returned: -23"
Would anyone know how to
Hi William,
Thanks for your suggestion about db2ldif.
Doesn't db2ldif put the server into read-only mode? We would want to avoid
that as that is our primary provider.
Thanks,
Trev
On 2020-09-17, 4:52 PM, "William Brown" wrote:
Hi there,
> On 18 Sep 2020, a
y provider with it.
Thanks,
Trev
From: "Fong, Trevor"
Reply-To: "389-users@lists.fedoraproject.org"
<389-users@lists.fedoraproject.org>
Date: Thursday, September 17, 2020 at 7:02 PM
To: "389-users@lists.fedoraproject.org" <389-users@lists.fedoraproject.org>
Subj
, "William Brown" wrote:
Yes, I think it does. So in that case it would be good to check the
replication configurations and connectivity between the servers is good to
eliminate that as a possible cause.
> On 18 Sep 2020, at 10:02, Fong, Trevor wrote:
>
e/memoryusage#DB_and_entry_cache_RAM_usage
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/database_plug_in_attributes#nsslapd_cache_autosize
Thanks,
M.
On Thu, Sep 17, 2020 at 4:10 PM Fong, Trevor
mailto:trevor.f...@ubc.ca&
Hi There,
We tried to dynamically a new schema dynamically using
/usr/lib64/dirsrv/slapd-eldapp1/schema-reload.pl
Unfortunately, (and unknown to us at the time) the objectClass definition
misspelt a couple of the attribute names.
The schema reload process should have picked that up and refused
Hi abosch,
Have you looked at preconfiguring the cert db's with a wildcard cert from a CA
to avoid the request/sign dance?
Trev
On 2020-12-02, 1:04 AM, "Angel Bosch Mora" wrote:
[CAUTION: Non-UBC Email]
> depending on your version of 389, look at "dsctl tls
> import-ca"
39 matches
Mail list logo