Re: [Freeipa-users] FreeIPA for AMM users management

2012-11-02 Thread Pavel Zhukov
Thanks Simo. 
I've downloaded ca.crt from FreeIPA, converted it to der format,
imported to AMM and enabled SSL. But nothing happened, I cannot login
to AMM with FreeIPA credentials and cannot see any errors or access
records still...
DNS has been checked and works (integrated with IPA). 

-- 
Best regards, Pavel Zhukov 
mailto:pa...@zhukoff.net
On Thu, 01 Nov 2012, Simo Sorce wrote:

 On Thu, 2012-11-01 at 15:55 -0400, Simo Sorce wrote:
  On Thu, 2012-11-01 at 08:27 +0400, Pavel Zhukov wrote:
   Hi all. 
   I'd like to use FreeIPA for AMM (advanced management module) user
   management using this instruction [1]. I enabled option use DNS for
   find LDAP servers  and set root DN and Binding method w/ Login
   Credentials but cannot login with IPA credentials.  Logs of dirsrv
   and kerberos are empty. DNS server works correctly. 
   
   [1] - 
   http://publib.boulder.ibm.com/infocenter/bladectr/documentation/index.jsp?topic=/com.ibm.bladecenter.advmgtmod.doc/kp1bb_bc_mmug_configldap_ADrolebasedauthen.html
  
  I am not sure that bind w/ Login Credentials will work properly if they
  assume Active Directory.
  AD has a non standard authentication method that allows to not use a DN
  to identify a user. We do not support that authentication method.
  
  However you should at least see the bind attempt and an error message in
  the dirsrv access log.
  
  If you do not see that then something else is broken before a bind is
  even attempted, perhaps DNS discovery ?
 
 Ah btw, have you enabled SSL ?
 FreeIPA enforces that simple binds be done on an encrypted channel. If
 you try to bind with plain text credentials on an unencrypted channel
 FreeIPA simply returns an error.
 
 Simo.
 
 -- 
 Simo Sorce * Red Hat, Inc * New York
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] FreeIPA for AMM users management

2012-11-02 Thread Dmitri Pal
On 11/02/2012 12:12 AM, Pavel Zhukov wrote:
 Thanks Simo. 
 I've downloaded ca.crt from FreeIPA, converted it to der format,
 imported to AMM and enabled SSL. But nothing happened, I cannot login
 to AMM with FreeIPA credentials and cannot see any errors or access
 records still...
 DNS has been checked and works (integrated with IPA). 

OK, let us start with the heavy lifting now.

Can you do NS lookup of the IPA server from the AMM box?
Can you do kinit from the AMM box against IPA?
Can you do ldapsearch from the AMM box against IPA?
Do you see anything in the logs from such activity?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
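Simo's point above (FreeIPA refuses a simple bind on a cleartext connection and the refusal lands in the dirsrv access log) and Dmitri's question about what the logs show can be checked with the script below. It is an added example, not code from the thread: it pairs every BIND in a 389-ds access log with the RESULT for the same conn/op and explains the LDAP result code. The log lines it ships with are constructed, and the instance name in the usage comment is a placeholder.

```shell
# Pair every "BIND dn=..." in a 389-ds access log with the "RESULT err=..."
# for the same conn/op and explain the LDAP result code.  A simple bind on a
# cleartext connection is rejected by FreeIPA's dirsrv and shows up as err=13.
# Usage: bind_summary /var/log/dirsrv/slapd-PLACEHOLDER/access
bind_summary() {
    awk '
    function field(s, key) {          # value of key=value in a log line
        if (match(s, key "=[^ ]+"))
            return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    function explain(e) {
        if (e == 0)  return "success"
        if (e == 13) return "confidentialityRequired (simple bind over a cleartext connection)"
        if (e == 32) return "noSuchObject (bind DN does not exist)"
        if (e == 49) return "invalidCredentials"
        return "LDAP result code " e
    }
    / connection from / {             # remember the client address per connection
        c = field($0, "conn")
        if (match($0, /from [0-9A-Fa-f.:]+/)) ip[c] = substr($0, RSTART + 5, RLENGTH - 5)
    }
    / BIND dn=/ {                     # keep the bind DN until its RESULT arrives
        k = field($0, "conn") "." field($0, "op")
        dn[k] = "(anonymous)"
        if (match($0, /dn="[^"]+"/)) dn[k] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    / RESULT err=/ {                  # outcome of the bind on the same conn/op
        c = field($0, "conn"); k = c "." field($0, "op")
        if (k in dn) {
            printf "%s conn=%s dn=%s err=%s %s\n", ip[c], c, dn[k], field($0, "err"), explain(field($0, "err"))
            delete dn[k]
        }
    }' "$@"
}

# Constructed sample (not from the thread): the same client binds once on the
# cleartext port and is refused, then again over SSL and succeeds.
sample_access_log() {
    cat <<'EOF'
[02/Nov/2012:10:15:01 +0400] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.5
[02/Nov/2012:10:15:01 +0400] conn=12 op=0 BIND dn="uid=amm,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[02/Nov/2012:10:15:01 +0400] conn=12 op=0 RESULT err=13 tag=97 nentries=0 etime=0
[02/Nov/2012:10:15:02 +0400] conn=13 fd=65 slot=65 SSL connection from 192.0.2.10 to 192.0.2.5
[02/Nov/2012:10:15:02 +0400] conn=13 op=0 BIND dn="uid=amm,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[02/Nov/2012:10:15:02 +0400] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
EOF
}

sample_access_log | bind_summary
```

If the AMM's bind never shows up at all, not even as a rejected one, the problem is in front of the bind (DNS discovery or the TLS handshake), which is the distinction Simo draws above.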







Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Johan Sunnerstig
Looks a lot like a problem I have as well.
Check out the /proc/xxx/fd directory of the dirsrv process for your IPA realm, 
in my case it's full of dead pointers to /var/tmp/ldap_xxx where xxx will be 
the same on one IPA server (I have two in a multi-master setup).
These don't clear out until I restart the dirsrv process, so eventually they'll 
fill up to the FD limit. For now I have a cron job performing a staggered IPA 
restart on the two servers and a case open with RH, but I haven't gotten any 
solution yet.
This is also RHEL 6.3 by the way, though the problem appeared in 6.2 for me.

Regards
Johan


-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Erinn Looney-Triggs
Sent: 1 November 2012 23:15
To: FreeIPAUsers
Subject: [Freeipa-users] Process open FD table is full.

Have any folks run into this:

PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD 
table is full.)

From the dirsrv logs. It appears that this may have been what killed IPA in 
total on one server for me last night. I can't turn up anything via Google.

After a restart of all the IPA processes everything started working again.

I have looked into FD limits on the system and it doesn't seem like that is a 
likely cause. Found info here:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html

This is on a RHEL 6.3 system fully updated.

Any ideas?

-Erinn





Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Simo Sorce
On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote:
 Looks a lot like a problem I have as well.
 Check out the /proc/xxx/fd directory of the dirsrv process for your IPA 
 realm, in my case it's full of dead pointers to /var/tmp/ldap_xxx where xxx 
 will be the same on one IPA server (I have two in a multi-master setup).
 These don't clear out until I restart the dirsrv process, so eventually 
 they'll fill up to the FD limit. For now I have a cron job performing a 
 staggered IPA restart on the two servers and a case open with RH, but I 
 haven't gotten any solution yet.
 This is also RHEL 6.3 by the way, though the problem appeared in 6.2 for me.

This looks like a memory leak in libkrb5 or dirsrv leaving around some krb
context.

Those files are replay caches.

Rich, can you investigate the use of libkrb5 in dirsrv ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
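Johan's observation (the dirsrv process's /proc/<pid>/fd filling up with dead links to /var/tmp/ldap_xxx, which Simo identifies as replay caches) can be turned into a check that runs before PR_Accept() starts failing. This is an added example, not from the thread: it counts descriptors whose link target no longer exists and compares the open count with the process's own limit. It assumes the dirsrv daemon is named ns-slapd, as in 389-ds, and the 80% threshold is an arbitrary choice.

```shell
# dangling_fds PID: number of fds whose link target (a path) no longer exists,
# which is what the stale /var/tmp/ldap_xxx replay-cache links look like.
dangling_fds() {
    pid=$1; n=0
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case "$target" in
            /*) [ -e "$target" ] || n=$((n + 1)) ;;   # sockets/pipes/anon inodes are skipped
        esac
    done
    echo "$n"
}

# fd_limit PID: the soft "Max open files" limit the kernel enforces on PID
fd_limit() {
    awk '/^Max open files/ { print $4 }' /proc/"$1"/limits
}

# fd_count PID: descriptors currently open
fd_count() {
    ls /proc/"$1"/fd | wc -l | tr -d ' '
}

# fd_report PID: one summary line; exit status 1 once 80% of the limit is used
# (arbitrary threshold), so cron can raise an alert instead of restarting blindly
fd_report() {
    used=$(fd_count "$1"); limit=$(fd_limit "$1"); dead=$(dangling_fds "$1")
    echo "pid=$1 open=$used limit=$limit dangling=$dead"
    [ $((used * 100)) -lt $((limit * 80)) ]
}

# Report on every running dirsrv instance (ns-slapd is the 389-ds daemon).
for p in $(pidof ns-slapd 2>/dev/null || true); do
    fd_report "$p" || echo "pid=$p is above 80% of its fd limit"
done
```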



Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Rich Megginson

 On 11/02/2012 09:06 AM, Simo Sorce wrote:
 
 On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote:
 
 Looks a lot like a problem I have as well.
 Check out the /proc/xxx/fd directory of the dirsrv process for your IPA realm, 
 in my case it's full of dead pointers to /var/tmp/ldap_xxx where xxx will be 
 the same on one IPA server (I have two in a multi-master setup).
 These don't clear out until I restart the dirsrv process, so eventually they'll 
 fill up to the FD limit. For now I have a cron job performing a staggered IPA 
 restart on the two servers and a case open with RH, but I haven't gotten any 
 solution yet.
 This is also RHEL 6.3 by the way, though the problem appeared in 6.2 for me.
 
 This looks like a memory leak in libkrb5 or dirsrv leaving around some krb
 context.
 
 Those files are replay caches.
 
 Rich, can you investigate the use of libkrb5 in dirsrv ?

https://bugzilla.redhat.com/show_bug.cgi?id=825863

 
 Simo.





Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Erinn Looney-Triggs
On 11/02/12 00:38, Johan Sunnerstig wrote:
 Looks a lot like a problem I have as well.
 Check out the /proc/xxx/fd directory of the dirsrv process for your IPA 
 realm, in my case it's full of dead pointers to /var/tmp/ldap_xxx where xxx 
 will be the same on one IPA server (I have two in a multi-master setup).
 These don't clear out until I restart the dirsrv process, so eventually 
 they'll fill up to the FD limit. For now I have a cron job performing a 
 staggered IPA restart on the two servers and a case open with RH, but I 
 haven't gotten any solution yet.
 This is also RHEL 6.3 by the way, though the problem appeared in 6.2 for me.
 
 Regards
 Johan
 
 
 -Original Message-
 From: freeipa-users-boun...@redhat.com 
 [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Erinn Looney-Triggs
 Sent: 1 November 2012 23:15
 To: FreeIPAUsers
 Subject: [Freeipa-users] Process open FD table is full.
 
 Have any folks run into this:
 
 PR_Accept() failed, Netscape Portable Runtime error -5971 (Process open FD 
 table is full.)
 
 From the dirsrv logs. It appears that this may have been what killed IPA in 
 total on one server for me last night. I can't turn up anything via Google.
 
 After a restart of all the IPA processes everything started working again.
 
 I have looked into FD limits on the system and it doesn't seem like that is a 
 likely cause. Found info here:
 https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html
 
 This is on a RHEL 6.3 system fully updated.
 
 Any ideas?
 
 -Erinn
 
 

Spot on! That is exactly what is going on, my second ipa server just
died this morning, checked /proc/ out before I restarted, full of dead
links. Do they have a bugzilla open for your issue that I could attach
to? Or could you give me your case number so I can get RH support to
reference it and track it?

Thanks again,
-Erinn




Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Erinn Looney-Triggs
On 11/02/12 07:28, Rich Megginson wrote:
 On 11/02/2012 09:06 AM, Simo Sorce wrote:
 On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote:
 Looks a lot like a problem I have as well.
 Check out the /proc/xxx/fd directory of the dirsrv process for your
 IPA realm, in my case it's full of dead pointers to /var/tmp/ldap_xxx
 where xxx will be the same on one IPA server (I have two in a
 multi-master setup).
 These don't clear out until I restart the dirsrv process, so
 eventually they'll fill up to the FD limit. For now I have a cron job
 performing a staggered IPA restart on the two servers and a case open
 with RH, but I haven't gotten any solution yet.
 This is also RHEL 6.3 by the way, though the problem appeared in 6.2
 for me.
 This looks like a memory leak in libkrb5 or dirsrv leaving around some krb
 context.

 Those files are replay caches.

 Rich, can you investigate the use of libkrb5 in dirsrv ?
 https://bugzilla.redhat.com/show_bug.cgi?id=825863

 Simo.

 

Oops, missed this, though this is a private bug so I will have to take
y'alls word for it being the thing.

I hate private bugs. I am going to open a RH support case, just in case
that helps in any way.

-Erinn




Re: [Freeipa-users] Process open FD table is full.

2012-11-02 Thread Rich Megginson

 On 11/02/2012 10:41 AM, Erinn Looney-Triggs wrote:
 
 On 11/02/12 07:28, Rich Megginson wrote:
 
 On 11/02/2012 09:06 AM, Simo Sorce wrote:
 
 On Fri, 2012-11-02 at 08:38 +, Johan Sunnerstig wrote:
 
 Looks a lot like a problem I have as well.
 Check out the /proc/xxx/fd directory of the dirsrv process for your
 IPA realm, in my case it's full of dead pointers to /var/tmp/ldap_xxx
 where xxx will be the same on one IPA server (I have two in a
 multi-master setup).
 These don't clear out until I restart the dirsrv process, so
 eventually they'll fill up to the FD limit. For now I have a cron job
 performing a staggered IPA restart on the two servers and a case open
 with RH, but I haven't gotten any solution yet.
 This is also RHEL 6.3 by the way, though the problem appeared in 6.2
 for me.
 
 This looks like a memory leak in libkrb5 or dirsrv leaving around some krb
 context.
 
 Those files are replay caches.
 
 Rich, can you investigate the use of libkrb5 in dirsrv ?
 
 https://bugzilla.redhat.com/show_bug.cgi?id=825863
 
 Simo.
 
 
 Oops, missed this, though this is a private bug so I will have to take
 y'alls word for it being the thing.

Sorry about that. It appears to be a problem with either krb5 or
selinux, and there is a proposed fix for RHEL 6.4.

 I hate private bugs. I am going to open a RH support case, just in case
 that helps in any way.

Yes, please.

 -Erinn


