[389-users] Re: One way supplier replication is failing on newly installed instance

2024-04-18 Thread Marc Sauton
try to review the access log for connection events related to those from the errors log file mentioned earlier, and also verify on the remote replica, the errors and access log events corresponding to this connection, as well as file descriptors and LDAP thread use, run some netstat and dsconf

[389-users] Re: Determining max CSN of running server

2024-02-29 Thread Marc Sauton
there was an old RHEL-7.4 and RHEL-7.5 issue and fix in 1.3.5.10-20 replication halt - pending list first CSN not committed, pending list increasing https://bugzilla.redhat.com/1460070 https://github.com/389ds/389-ds-base/issues/2346 but you have a (somehow) more recent version,

[389-users] Re: 389 DS 2.3.6 on RHEL 9 replication over TLS

2024-01-26 Thread Marc Sauton
"LDAP error: Can't contact LDAP server (connection error)" is kind of generic, but often relates to PKI trust misconfiguration when TLS is used, a common issue is the issuer / CA certificate(s) chain is not installed, or not trusted. There should be a message in the access log, for example "Peer

[389-users] Re: Solving naming conflicts in replicated environment

2024-01-19 Thread Marc Sauton
Hello William, I am sorry to read you had a not so ideal support experience, I located a case number that seems to match this thread, and we will look into what can be improved, and maybe even we should try to discuss the situation with a meeting. I think it is important to ring an alarm in the

[389-users] Re: Documentation as to how replication works

2023-11-16 Thread Marc Sauton
several ways to access a changelog dsconf IDM-EXAMPLE-TEST replication dump-changelog -o ~/changelog.ldif or use dbscan -f doc ref https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/exporting-up-the-replication-changelog 15.15. EXPORTING THE

[389-users] Re: Documentation as to how replication works

2023-11-15 Thread Marc Sauton
Just wanted to add it is important to try updating the RHEL IdM servers to the current RHEL version ( RHEL-9.x ), and that replication lag depends on many variables, for example: how many replication agreements per replicas, what is the topology ( meshed versus chains, clusters of replicas ),

[389-users] Re: Replication question

2023-08-24 Thread Marc Sauton
I think you are correct for a "no", from the admin guide: " What Directory Units Are Replicated The smallest unit of of the directory which can be replicated is a database. This means that one can replicate an entire database but not a subtree within a database. Therefore, when creating the

[389-users] Re: Unable to establish replication with STARTTLS

2023-05-23 Thread Marc Sauton
The "unable to get issuer certificate" part really means it, and this has been quite a common issue for either LDAPS or STARTTLS, about a missing cert or missing trust flag in the PKI chain of trust of the issuer, and it is usually solved by a "trust anchor" command for the system, or a certutil

[389-users] Re: Unable to establish replication with STARTTLS

2023-05-19 Thread Marc Sauton
manager" -W -H ldaps://ancds10:636 -s base -b "" vendorVersion Thanks, M. On Fri, May 19, 2023 at 4:22 PM John Thurston wrote: > Revisiting this problem of replication and certificates. Thank you Marc > Sauton for pointing out the 'dsconf' command to spill the ca-cert li

[389-users] Re: Unable to establish replication with STARTTLS

2023-04-26 Thread Marc Sauton
the hint for that error, may be at the end of the line, with: certificate verify failed (unable to get issuer certificate) the LDAP instances and systems need to trust the issuers of the newer certificates of each other ( PKI trust chain ). trust anchor ~/some.ca.crt trust list | grep -i "some

[389-users] Re: ACME certificate and NSS databases

2023-04-05 Thread Marc Sauton
The "dsconf some-instance-name security" and dsctl commands can be used to manipulate the certs and keys used by the LDAP service:

[389-users] Re: Replication Problem

2022-01-31 Thread Marc Sauton
that looks like the errors log from 1 / A doing an init of 2 / B there should be some activity about "NOTICE - NSMMReplicationPlugin - changelog program - _cl5ConstructRUV" between [31/Jan/2022:13:01:38.997721794 +] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of

[389-users] Re: Help to understand pre-hashed login

2022-01-03 Thread Marc Sauton
you can use the pwdhash command to generate some pre-hashed passwords, and then add them to the configurations or into the user's entries: man pwdhash pwdhash -s SSHA512 pasword {SSHA512}JnzerkmYXKEuMcv...snip... Thanks, M. On Thu, Dec 30, 2021 at 4:05 AM Caderize Caderize wrote: > Hello

[389-users] Re: LDIF imports

2022-01-03 Thread Marc Sauton
The path to the LDIF file is not hardcoded, it is usually a file and/or directory permission and/or SELinux label problem to allow the uid running the LDAP service to read that file. It should be the same as in the default LDIF directory provided as an example. The errors log file should have a

[389-users] Re: Default browsing index generation

2021-12-29 Thread Marc Sauton
in the web UI, it should be under "Database | Suffixes | dc=xx | VLV Indexes" to create a VLV index "Database | Suffixes | dc=xx | VLV Indexes | Create VLV Index" to re-index an existing VLV index "Database | Suffixes | dc=xx | VLV Indexes | select an existing VLV index | Action=Reindex VLV

[389-users] Re: db2ldif unfolded output?

2021-12-23 Thread Marc Sauton
There is no equivalent of the db2ldif.pl -U option in dsctl db2ldif But an export task can be configured with nsNoWrap: true I opened this issue to track your request: https://github.com/389ds/389-ds-base/issues/5081 Thanks, M. On Thu, Dec 23, 2021 at 12:26 PM John Thurston wrote: > With 389

[389-users] Re: 389 1.3 vs 1.4, CentOS 7

2021-11-10 Thread Marc Sauton
389ds 1.3 is not a product so there is no EOL date, but the 1.3.x branches become less active over time, and eventually with zero activity, more like an archive. The Red Hat Directory Server 10 / RHDS-10 product based on 389ds 1.3.x has been EOL on RHEL-7, and the current active version is RHDS-11

[389-users] Re: anonymous binds

2021-10-19 Thread Marc Sauton
depending on the filters used, an error 11 / err=11 / ADMIN_LIMIT_EXCEEDED / "Administrative limit exceeded" could be returned, and depending on the LDAP client, it could be an important error. it may be a good idea to set a DN for nsslapd-anonlimitsdn , see

[389-users] Re: Can't locate CSN - replica issue

2021-06-01 Thread Marc Sauton
does srv2 run 1.4.3.22 ? you could try to delete the BDB region files, first stop the LDAP service, then delete the files /var/lib/dirsrv/slapd-xx/db/__db.00* or try a more recent 1.4.4.15 or 1.4.4.16 Thanks, M. On Tue, Jun 1, 2021 at 5:30 AM Marco Favero wrote: > Hello, > > I'm dealing

[389-users] Re: 389 console on Windows - command logging

2021-05-17 Thread Marc Sauton
There isn't a console log, but there is all the activity from the HTTP server, in /var/log/dirsrv/admin-serv/access The other possibility is to run the console in debug mode. Note the Java console has been deprecated for more than a year, for a web UI and Python command line tools. ( RHDS-11.0

[389-users] Re: plugin naming

2021-05-11 Thread Marc Sauton
and that should have: https://github.com/389ds/389-ds-base/blob/master/src/lib389/lib389/cli_conf/plugins/retrochangelog.py def create_parser(subparsers): retrochangelog = subparsers.add_parser('retro-changelog', help='Manage and configure Retro Changelog plugin') Thanks, Marc S. On Tue,

[389-users] Re: plugin naming

2021-05-10 Thread Marc Sauton
the first is a more general plugin command, using the CN value of the plugin name, should be consistent between releases, but can be easily customized in the dse.ldif config file when an instance is deployed. the second is dedicated to the "specific" plugins, it is a more recent Python code, the

[389-users] Re: minssf and TLS cipher ordering

2021-04-23 Thread Marc Sauton
about ciphers order and TLS cipher suite discovery, NSS will pick the one with highest strength from the available ciphers, and compatible with the TLS client (handshake) you can check the configuration with for example (replace the string m1 with an instance name): dsconf m1 security get dsconf

[389-users] Re: dsconf duplicate replica id

2021-04-12 Thread Marc Sauton
you can either run a "dsconf replication get-ruv" like this example: dsconf -j ldapi://%2fvar%2frun%2fslapd-m1.socket replication get-ruv --suffix=dc=example,dc=test or an ldapsearch to get the RUV records, similar to this example: ldapsearch -o ldif-wrap=no -LLLH ldaps://m1.example.test:636 -D

[389-users] Re: Newbie question: What does NS stand for?

2021-01-19 Thread Marc Sauton
and nsds50 stands for Netscape Directory Server 5.0 as it became iPlanet Directory Server 5.0 in the 2001 time frame with major new features, like: MMR / Multi Master Replication ! hence the famous nsds50ruv records and other replication agreement attributes with the nsds50 prefix string.

[389-users] Re: GSSAPI authentication w/ and w/o rDNS resolution

2021-01-12 Thread Marc Sauton
Try configuring nsslapd-localhost to the "alias" , with nsslapd-listenhost and nsslapd-securelistenhost to the hostname of the system. Thanks, M. On Tue, Jan 12, 2021 at 5:52 AM Julien Rische wrote: > Hello William, > > Thank you for your response, and sorry for my late one. > Here are more logs

[389-users] Re: Clarification - is this certmap.conf file correct?

2020-11-17 Thread Marc Sauton
and add a default:DNCompscn to match the DN components ? On Tue, Nov 17, 2020 at 5:35 PM William Brown wrote: > > > > > Something missing from the documentation is the DN format expected by > the nsCertSubjectDN attribute. > > > > Is the format CN=X,serialNumber=Y as reported by openssl

[389-users] Re: CPU Scalability / Scaling

2020-08-14 Thread Marc Sauton
On Fri, Aug 14, 2020 at 1:31 PM Ben Spencer wrote: > > > On Fri, Aug 14, 2020, 10:53 AM David Boreham > wrote: > >> >> On 8/14/2020 9:04 AM, Ben Spencer wrote: >> > After a little investigation I didn't find any recent information on >> > how well / linearly 389 scales from a CPU perspective. I

[389-users] Re: dbchangelog Question

2020-07-08 Thread Marc Sauton
A stop/start is required, there are detailed instructions in the online admin guide at https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/moving_the_changelog_directory 15.16. MOVING THE REPLICATION CHANGELOG DIRECTORY Thanks, M. On Wed, Jul 8,

[389-users] Re: 389-DS Failed to get the default state of cipher

2020-06-24 Thread Marc Sauton
I will let others confirm, but the message "_conf_setallciphers - Failed to get the default state of cipher" may not be an actual error, but more a warning that could be ignored, as the default ciphers are configured later, per the log entries provided. Could you add the nss package version,

[389-users] Re: DNA plugin not working

2020-04-13 Thread Marc Sauton
verify there is an equality index for uidnumber and gidnumber, not just presence, in the entries dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config which version of 389-ds-base is this about?

[389-users] Re: Replication manager with expired password

2020-02-27 Thread Marc Sauton
The internal suffix cn=config is not really designed to have a global password policy applied to it. A replication manager usually does not have a password policy. If it is required to have some special DNs with a password policy, they should be in a different suffix. Thanks, M. On Thu, Feb 27,

[389-users] Re: Connections Opened but No BIND Received

2020-01-02 Thread Marc Sauton
the build string 389-Directory/1.3.9.1 B2019.164.1418 corresponds to a RHEL-7.7 with RHDS-10.4 to verify: cat /etc/redhat-release; rpm -q redhat-ds 389-ds-base the access and errors log snippets are showing a "normal" timeout after 10 min, when there is no activity, and they do not really provide

[389-users] Re: Connections Opened but No BIND Received

2019-12-23 Thread Marc Sauton
are the LDAP clients always the same? or is it more like an LDAP server does not accept TLS or SSL connections at all? could it be a temporary situation while some large searches are processed? are there load balancers in between? check for LDAP server descriptors and system entropy. check for

[389-users] Re: how to remove a replication agreement

2019-10-15 Thread Marc Sauton
Only when the LDAP service is stopped: With a manual edit of the dse.ldif configuration file after it is saved/duplicated. Look and "carefully" select entries with definitions for objectClass: nsds5replicationagreement similar to for example dn:

[389-users] Re: DS multimaster replication host crashed, will not restart

2019-10-15 Thread Marc Sauton
Could be a system without enough available RAM to the ns-slapd process, eventually hitting a previously fixed issue. But cannot tell for sure without more details. Try to review the system messages and the ns-slapd errors log file, not just the systemd general status output. Thanks, M. On Tue,

[389-users] Re: How to use Master slave replication between two different domains

2019-10-15 Thread Marc Sauton
The link provided is for an older version no longer maintained. The current link is https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/configuring_directory_databases#Creating_Suffixes-Creating_a_New_Root_Suffix_Using_the_Console LDAP replication

[389-users] Re: DS multimaster replication host crashed, will not restart

2019-10-15 Thread Marc Sauton
The "recovering database" may take a few minutes to complete. Check the errors log file again for any newer messages after the recovery. For the crash, or if still not starting up, try to get a core file and stack trace: https://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

[389-users] Re: urp_fixup_add_cenotaph errors

2019-09-06 Thread Marc Sauton
could you check the system has 389-ds-base-1.3.9.1-10.el7 or above? do the MODRDN fail with err=53? is it in IPA context with memberof-plugin errors? there was a bug fix in bz 1680245

[389-users] Re: Replacing a default schema for only one instance?

2019-06-18 Thread Marc Sauton
the RHDS-10 custom schema is in /etc/dirsrv/slapd-*/schema/99user.ldif while the "core" schema files have now been located in /usr/share/dirsrv/schema/ you can still use the /etc/dirsrv/slapd-instance_name/schema/ directory , but see the caveat in the online doc at:

[389-users] Re: 389ds can't start after "db error (no disk space)" ... space problem has been resolved

2018-12-10 Thread Marc Sauton
Restore is one way to proceed. A quick way to recover the LDAP service in this situation, is to remove the changelog files and let 389-ds create new ones at start up. Then check for consistency as much as possible. Eventually re-init from another replica. The recovery process may take "some time",

[389-users] Re: Enabling TLS in Directory Server Using the Console

2018-04-18 Thread Marc Sauton
Yes, check the errors log file like mentioned, and/or the systemd's dirsrv status , and/or journalctl -r --unit=dirsrv@\* Without logs, I will just speculate the ns-slapd daemon needed the key file password at restart, and was waiting at a prompt, then eventually timed out. if this is the case,

[389-users] Re: 389 DS Time Skew Error

2018-04-09 Thread Marc Sauton
this is the correct document for the full cleanup. it may be possible to recover by just deleting the nsState on a master and doing a reinit of all the replica, but there may be stale csn traces in the ruv in each replication agreement. M. On Mon, Apr 9, 2018 at 5:49 AM, Paul Whitney

[389-users] Re: monitoring

2017-12-21 Thread Marc Sauton
etattr > != "aci || connection")(version 3.0; acl "collectd access"; allow( read, > search, compare ) userdn = "ldap:///uid=collectd,cn= > users,cn=accounts,dc=mydomain,dc=net";) > > Thanks! > Sergei > > On Dec 21, 2017, at 3:20 PM, Marc Sauton <m

[389-users] Re: monitoring

2017-12-21 Thread Marc Sauton
> I’ve implemented the solution described in the thread. My question now is: > what should I really monitor? > > There are so many metrics to consider. The thread talks about > cn=snmp,cn=monitor. But there are also cn=monitor suffixes under each > backend for example. Is there a recomme

[389-users] Re: monitoring

2017-12-14 Thread Marc Sauton
There is no collectd 389-ds plug-in, but there was a post with an example: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/TTKWB7WA4NEHYM5GDPLDJVIMR34DKNT2/ May be other users already run some similar plug-in? Should we have such plug-in? Thanks, M. On Thu,

[389-users] Re: Recovering a Hub

2017-10-25 Thread Marc Sauton
: line 116: 22793 Segmentation fault > > > Paul M. Whitney > E-mail: paul.whit...@mac.com > Sent from my browser. > > > > On Oct 20, 2017, at 04:38 PM, Marc Sauton <msau...@redhat.com> wrote: > > What were the exact errors when the re-init and off-line impor

[389-users] Re: Recovering a Hub

2017-10-20 Thread Marc Sauton
Sent from my browser. > > > > On Oct 19, 2017, at 12:45 PM, Marc Sauton <msau...@redhat.com> wrote: > > Those 2 methods should work fine, and are the right way to proceed, but > you may need to review the exact errors on why the re-init and import > failed. > Also

[389-users] Re: Recovering a Hub

2017-10-19 Thread Marc Sauton
Those 2 methods should work fine, and are the right way to proceed, but you may need to review the exact errors on why the re-init and import failed. Also check for the 389-ds-base versions on each node. M. On Thu, Oct 19, 2017 at 10:03 AM, Paul Whitney wrote: > Hi, not

[389-users] Re: Odd issue with 389 and updating to Cent 6.8 with TLS/SSL

2017-01-27 Thread Marc Sauton
the error mentioned at the beginning was: [26/Jan/2017:01:02:39 -0500] conn=97 op=-1 fd=64 closed - Unspecified failure while processing SSL Client Key Exchange handshake. And with "TLS_REQCERT demand", there is likely a failed SSL server certificate verification, which may be related to either a

[389-users] Re: Odd issue with 389 and updating to Cent 6.8 with TLS/SSL

2017-01-26 Thread Marc Sauton
This may happen if some LDAP clients are not up to date (what are they? Java clients?) A tcpdump could show the details of the ciphers negotiated in the TLS or SSL handshake for the failing LDAP clients. Possible related article: https://access.redhat.com/solutions/2332231 Thanks, M. On Thu, Jan

[389-users] Re: 389 DS - Choosing certificate to authenticate

2017-01-09 Thread Marc Sauton
set nsSSLClientAuth to "required" there are some details in: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#nsSSLClientAuth and

[389-users] Re: 389 DS - Choosing certificate to authenticate

2017-01-09 Thread Marc Sauton
use nsSSLClientAuth under cn=encryption,cn=config to re On Mon, Jan 9, 2017 at 6:40 AM, wrote: > How do you get certificates to populate in the authenticate section. > > At the moment i have my 389 DS to do optional certificate enforcement but > i want to require it...

[389-users] Re: performance degrades over time on CentOS 7

2016-11-15 Thread Marc Sauton
What is the test filter like? Can we see a sanitized sample of the access log with the SRCH and RESULT? If using SSL, review the output of cat /proc/sys/kernel/random/entropy_avail Do we have replication? (and large attribute values?) You may want to run the "dbmon.sh" script to monitor cache

[389-users] Re: 389 directory server console crash and core dump

2016-03-25 Thread Marc Sauton
try with java-1.7.0-openjdk I think it should be java-1.7.0-openjdk-1.7.0.99-2.6.5.0.el6_7 and to switch the JRE, use the command alternatives --config java quit and restart the Java DS console. Thanks, M. On 03/25/2016 01:52 PM, xinhuan zheng wrote: Today I installed the 389 Directory Server

[389-users] Re: Question about re-indexing with db2index.pl

2016-02-05 Thread Marc Sauton
The original error was: [02/Feb/2016:15:27:17 -0600] - import userRoot: WARNING: Skipping entry "uid=user1,ou=Users,ou=Place1,ou=Place2,ou=Groups,dc=mydomain,dc=net" which has no parent, ending at line 0 of file "(bulk import)" which indicates there is "something wrong" in the definition of

Re: [389-users] Searching for userCertificate - what encoding is used in the query filter?

2015-01-28 Thread Marc Sauton
On 01/27/2015 05:56 PM, Graham Leggett wrote: Hi all, I have a query filter that looks like this: (userCertificate={0}${1}) I am trying to search for an explicit certificate in a directory, based on the serial number and the issuer DN. Can anyone confirm what encoding these values need to be

Re: [389-users] MMR Replication issues

2015-01-27 Thread Marc Sauton
The error message Unable to acquire replica: error: permission denied seems to point to a mis-configuration of replication agreement for the DN used to BIND, like a wrong password if basic authentication is used, or a typo in the DN of the attribute nsDS5ReplicaBindDN From http://port389.org/ ,

Re: [389-users] 389-Directory/1.3.1.6 cannot setup replica

2014-11-06 Thread Marc Sauton
On 11/05/2014 12:54 PM, Ivanov Andrey (M.) wrote: * if the virtual machine has only one CPU. Adding a second CPU increases the number of transferred entries before the initialization gets stuck. So it may be some thread/transaction contention or

Re: [389-users] ns-inactivate.pl

2014-08-13 Thread Marc Sauton
On 08/13/2014 11:09 AM, Elizabeth Jones wrote: I'm trying to use ns-inactivate.pl to deactivate user accounts, but I don't know how to get it to use port 636. It works fine on 389 but if I use -p 636 no dice. I don't see that there is a flag to tell it where to find the cert that it needs to

Re: [389-users] slapd process is hang

2014-06-02 Thread Marc Sauton
On 06/01/2014 09:53 AM, G, Rajendra Babu (STSD campus) wrote: Hi All, I am using 389 directory server 1.2.11.21 and I have noticed the following error message in the error log and the slapd process stops responding in the multimaster environment. Kindly let me know if this got fixed in any

Re: [389-users] Uniqueness Attribute for specific objects in a specific subtree

2012-04-27 Thread Marc Sauton
On 04/27/2012 02:35 PM, John A. Sullivan III wrote: Hello, all. We would like to enforce unique cn for groupofuniquenames only and only under a specific part of the DIT. I'll illustrate with: O=Internal,DC=mycompany,DC=com O=External,DC=mycompany,DC=com So we want to enforce unique CNs on

Re: [389-users] 389 on a Redhat VPS?

2012-02-08 Thread Marc Sauton
On 02/08/2012 06:41 PM, Craig T wrote: hi, Has anyone setup 389-ds on a OpenVZ VPS yet? I'm attempting to setup IPA 2.x on my VPS and it's giving odd errors when starting the 389 Directory Server. Spec; Centos 6.2 (x86-64) model name : Intel(R) Xeon(R) CPU E5645 @ 2.40GHz Linux

Re: [389-users] Performance tuning OS side

2012-02-01 Thread Marc Sauton
Disk I/O can be the most common bottleneck, make sure you have enough physical memory to fit id2entry may be one. There are also a few recommendations at http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Performance_Tuning_Guide/system-tuning.html#system-memory You can move the

Re: [389-users] Replication issue

2011-10-11 Thread Marc Sauton
On 10/11/2011 01:22 PM, Reinhard Nappert wrote: Hi, I encountered the following logs in the errors: [06/Oct/2011:10:11:57 +] NSMMReplicationPlugin - changelog program - agmt=cn=srvAtosrvB (srvB:389): CSN 4e8d804a000c not found, we aren't as up to date, or we purged

Re: [389-users] Recover Management Console Password

2011-08-22 Thread Marc Sauton
You should be able to log into the directory console using the directory manager credentials to change the uid=admin password. Or also from the command line, bind as directory manager and try to change the userpassword attribute value of the entry

Re: [389-users] Problem - Could not import LDIF file '/ tmp / ldifESlBSW.ldif'. Error: 65280

2011-07-21 Thread Marc Sauton
On 07/21/2011 06:25 PM, mic...@casa.co.cu wrote: Marc Sauton msau...@redhat.com wrote: On 07/21/2011 03:04 PM, Michel Bulgado wrote: Hello Recently I just installed 389-ds-1.2.1-1.el5.noarch from EPEL repo, because in my company we use Active Directory and want to migrate to Linux I

Re: [389-users] issues with 1.2.7.5

2010-12-21 Thread Marc Sauton
On Tue, 2010-12-21 at 16:50 -0500, Robert Viduya wrote: I'm having problems trying to get a clean install of 1.2.7.5 working. We're running RHEL5 and I have the EPEL5.4 repositories configured on it. Yum installed the following when I installed 389-ds: 389-admin.x86_64