1 (Thread 0x9e13c280 (LWP 17245)):
> #0 0xb67bbf2e in strlen () at /lib/libc.so.6
> #1 0xb6a06b40 in dosprintf () at /lib/libnspr4.so
> #2 0x in None ()
>
> Did you install 389-ds-base-debuginfo ?
> How did you get that backtrace ? from a core dumped, pstack ? Can you
>
Still trying to figure this out. It looks like slapd is dying, I thought it
was still running for some reason.
slapd is dying to segfault. strace of it happening doesn't seem to reveal
much:
18:32:41.543717 (+ 0.000801) openat(AT_FDCWD,
"/var/run/dirsrv/slapd-COMPANY-INTERNAL.pid",
Could this be part of the problem now?
[root@ipa-12 master]# ipa-replica-manage list ipa-12.company.internal
ipa-11.company.internal: replica
ipa-13.company.internal: replica
[root@ipa-12 master]# ipa-replica-manage list ipa-13.company.internal
ipa-11.company.internal: replica
Anyone have any further suggestions for troubleshooting this issue with the
web UI?
On Fri, May 18, 2018 at 4:01 PM, Jonathan Vaughn
wrote:
> httpd error_log
>
> [Fri May 18 15:58:29.546255 2018] [wsgi:error] [pid 14004:tid 2903716672]
> [remote 10.10.11.3:59284] ipa:
httpd error_log
[Fri May 18 15:58:29.546255 2018] [wsgi:error] [pid 14004:tid 2903716672]
[remote 10.10.11.3:59284] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Fri May 18 15:58:29.547217 2018] [wsgi:error] [pid 14004:tid 2903716672]
[remote 10.10.11.3:59284] ipa: DEBUG: WSGI
uot;
>>> (ipa-12:5)", protocol = 0x2220930, changecounters = 0x20cb180,
>>> num_changecounters = 0,
>>> max_changecounters = 256, last_update_start_time = 1526499214,
>>> last_update_end_time = 1526499214,
>>> last_update_status = "Error (0)
<rcrit...@redhat.com> wrote:
> Jonathan Vaughn via FreeIPA-users wrote:
> > Oops, hit reply instead of reply-all
> >
> > NSPR RPMs
> >
> > # yum list installed nspr*
> > Installed Packages
> > nspr.armv7hl
> > 4.19.0-1.fc27
> >
as planning to just copy the respective binaries on top of
> the installed ones), but if it turned out the suggested code changes were
> pointless then there's no point waiting for it to finish building.
>
> On Thu, May 17, 2018 at 4:11 PM, Rob Crittenden <rcrit...@redhat.com&
I thought it was fixed. It should have
>> been fixed in 1.3.7.10-1 (https://pagure.io/389-ds-base/issue/49618).
>> In your debug session go "up" into agmt_maxcsn_update() and do:
>>
>> (gdb) p *agmt
>>
>> Then send us that output please.
>>
>
;> '\000' , lock = 0x2741740, consumerRUV = 0x2772e50,
>> consumerSchemaCSN = 0x39da520, consumerRID = 4, tmpConsumerRID = 0,
>> timeout = 120, stop_in_progress = 0, busywaittime = 0, pausetime = 0, priv
>> = 0x0,
>> attrs_to_strip = 0x2757ba0, agreement
L_SOCKET,
>> SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
>> <0.51>
>> 15:13:31.665500 (+ 0.000334) setsockopt(33, SOL_SOCKET, SO_SNDBUF,
>> [8388608], 4) = 0 <0.000229>
>> 15:13:31.665973 (+ 0.000468) sendmsg(33,
&g
Copyright (C) 2017 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.h
>> tml>
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type "sh
try the code changes, if that build
>> finishes I can try it (I was planning to just copy the respective binaries
>> on top of the installed ones), but if it turned out the suggested code
>> changes were pointless then there's no point waiting for it to finish
>> building.
>>
>
Thanks! I'm looking forward to seeing these fixes hit the Fedora repo :)
On Sat, Jun 2, 2018 at 8:07 AM, Mark Reynolds wrote:
> I was right I did fix all the ARM issues, but not in 1.3.8, only in
> 1.4.0. It was a large change though that required a few patches. I'll see
> what I can do about
Alright, I think I've got everything* working. (* Not running the CA server
on the Arm device, not tested, but from what I've read before I would need
to adjust the startup timeout since OpenJDK is so slow).
1) I removed the Arm replica from the cluster and reimaged the device
entirely and
Created https://pagure.io/389-ds-base/issue/49746
I'll get you the build log once it's done building without the patch.
On Fri, Jun 1, 2018 at 3:54 PM, Mark Reynolds wrote:
>
>
> On 06/01/2018 04:32 PM, Jonathan Vaughn wrote:
>
> Alright, I think I've got everything* working. (* Not running
Yes, I know, not recommended etc, low performance. I'm not going to run the
CA on it. I just want to have a backup LDAP/Kerberos server.
Right now I'm just trying to test things out. I've got a master and a
replica (so you could say two masters I suppose) running in Virtualbox VMs,
and I'm trying
It's still running.
Here's the error log from slapd during that run:
[01/May/2018:19:22:24.567650453 -0500] - ERR - NSMMReplicationPlugin -
multimaster_extop_StartNSDS50ReplicationRequest - conn=42 op=5
replica="dc=company,dc=internal": Unable to acquire replica: error:
permission denied
Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom
built things that manage our PKI and so on, to FreeIPA (which looks like it
can probably cover all our needs), and had a couple of SSL related
questions.
1) It looks like improvements are proposed for being able to
On Tue, Mar 13, 2018 at 9:07 PM, Fraser Tweedale <ftwee...@redhat.com>
wrote:
> On Tue, Mar 13, 2018 at 07:41:32PM -0500, Jonathan Vaughn via
> FreeIPA-users wrote:
> > Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and
> custom
> > built things
If I set up FreeIPA on 10.x.x.x internal IP, and have it manage company.net,
it seems to want to set the NS record to it's FQDN that only will be
reachable internally. The internal IP is SNAT mapped to an external IP (vs
using DMZ), so DNS requests can reach the server via the external IP.
Other
Thanks for the pointers / explanations everyone.
It would be nice if adding a replica didn't reset the SOA/NS, but the main
reason I say that isn't due to the actual work of fixing it, but that once
we're set up with replicas in all our offices we'll add new ones so
infrequently I guarantee this
As an update, TL;DR it doesn't appear that IPA resets any of my override
changes, everything is awesome.
Here's copy paste of my followup on another thread I had started asking
about allow-recursion specifically (so that if someone stumbles upon this
thread instead, they'll get the full howto)
Well, I've tested this and so far no weirdness has occurred when adding a
replica or making various changes via the web UI, as far as I can tell
nothing rewrites the named.conf after the replica has been set up.
Changed "allow-recursion { any; }" to "allow-recursion { internal; }", and
added the
John, thanks for the tip on removing the MNAME to allow the SOA to define
it (changing the SOA was actually the first thing I tried, and when that
didn't work I remembered reading something about fake_mname, which Google
results kept telling me was in named.conf but at some point moved to LDAP
and
Another option might be able to use packages from Ubuntu somehow?
I've been playing with a replica on a device (Rock64) running Armbian
(which appears mostly Ubuntu based, which in turn is Debian based), and was
able to upgrade it from Bionic to Cosmic to get the more recent FreeIPA
packages
We have a use case for letting the FreeIPA named instances handle public
DNS for some zones, but we don't want them to allow anyone to use it as a
recursive resolver (DOS attacks and such).
I tested simply changing 'any' to 'none' for the allow-recursion setting in
/etc/named.conf and that worked
We're planning to set it up this way. Going to be switching from our old
cobbled together LDAP / etc solution to FreeIPA "Soon" (tm).
Have tested things. You'll have to make some changes from defaults.
First, for any replica that is going to be serving DNS publicly (in our
case, only a few will,
ast reduce the impact to just
being very annoying.
On Wed, May 15, 2019 at 9:00 PM Fraser Tweedale wrote:
> On Wed, May 15, 2019 at 05:15:38PM -0400, Rob Crittenden via FreeIPA-users
> wrote:
> > Jonathan Vaughn via FreeIPA-users wrote:
> > > I previously had tested FreeI
If I am reading the documentation right, the effect of having the "8-bit"
character class (decimal 128 or less - though this seems more like 7 bit
plus decimal 128) is that if you change the password policy character
classes from 0 (no checking) to 1, almost anything will match, but unicode
Is it safe to nuke older log files? Some of our CA instances are on VMs
which were only allocated a reasonable amount of space for just running
FreeIPA, and this adds up fast. The ones on physical have space to spare
for some time yet, but some day it would be an issue for them too.
Is there a
I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long
as I didn't run the Dogtag server on it performance seemed acceptable for
the purpose. These are only being used as local DNS/LDAP/Krb5 replicas,
everything also runs on both physical x86_64 and VM x86_64 servers as well
in
> being very annoying.
>
> On Wed, May 15, 2019 at 9:00 PM Fraser Tweedale
> wrote:
>
>> On Wed, May 15, 2019 at 05:15:38PM -0400, Rob Crittenden via
>> FreeIPA-users wrote:
>> > Jonathan Vaughn via FreeIPA-users wrote:
>> > > I previously had tested Fr
Ah, I didn't realize I could do SSL termination in TCP mode. That would
certainly solve our LDAP HA problem with less effort! I'll try that.
On Wed, Aug 21, 2019 at 8:27 PM Daniel Oetken via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Why doesn’t terminating SSL on the proxy
Okay, I think I finally got somewhere.
Created the host for the load balancers:
# ipa host-add ipa.example.com
Added a LDAP service for it:
# ipa service-add LDAP/ipa.example.com
Added both IPA servers to the "managed by" attribute:
# ipa service-add-host LDAP/ipa.example.com --host
the multiple SRV records or other means
of assigning / detecting multiple LDAP servers (i.e. Jira, Confluence,
Bitbucket ... )
On Thu, Aug 22, 2019 at 1:22 AM Alexander Bokovoy
wrote:
> On ke, 21 elo 2019, Jonathan Vaughn via FreeIPA-users wrote:
> >Ah, I didn't realize I could do SSL terminati
.. )
>
> Yes, that was clear -- I was more worried on not going that backwards
> with LDAPS replacement of what is relying on LDAP STARTTLS + GSSAPI.
>
> >
> >On Thu, Aug 22, 2019 at 1:22 AM Alexander Bokovoy
> >wrote:
> >
> >> On ke, 21 elo 2019, Jonathan Va
We have some systems which are FreeIPA connected, but (most) users don't
log in as themselves, there's a local system account they use instead
(simplifies file ownership for website changes and such, for example).
Is there a way to have their public keys automatically accepted for this
local
38 matches
Mail list logo