[Freeipa-users] Re: replication problem

2017-06-12 Thread Mark Reynolds via FreeIPA-users
On 06/11/2017 01:49 PM, Adrian HY via FreeIPA-users wrote: > I think I detected the problem. The error log in the replica writes: > > *[11/Jun/2017:13:36:06.360241021 -0400] SASL encrypted packet length > exceeds maximum allowed limit (length=2483849, limit=2097152). Change > the

[Freeipa-users] Re: Replication failing on some records

2017-06-08 Thread Mark Reynolds via FreeIPA-users
On 06/07/2017 10:58 AM, Nick Campion via FreeIPA-users wrote: > > Hi all, > > > > We have a 3 master setup that is failing to replicate changes from a > particular node to the other IPA instances. The replication status > says it's all fine, however the record hasn't been changed on the >

[Freeipa-users] Re: replication problem

2017-06-13 Thread Mark Reynolds via FreeIPA-users
On 06/13/2017 10:34 AM, Eric Renfro via FreeIPA-users wrote: > Huh.. Well, who'da thunk it. I just literally reported the same kind of > trouble I was having, which looks like it matches this same situation, > with the ipa-replica-install failing to initiate replication because of > Invalid

[Freeipa-users] Re: Can't install ipa-server-4.5.0 on RHEL 7.4: Could not import LDIF file '/var/lib/dirsrv/boot.ldif'. Error: 768.

2017-10-04 Thread Mark Reynolds via FreeIPA-users
On 10/04/2017 01:30 PM, Rob Crittenden via FreeIPA-users wrote: > Markovich via FreeIPA-users wrote: >> Hello freeipa-users! >> >> I'm trying to install ipa-server-4.5.0-21.0.1.el7_4.1.2.x86_64 on Red Hat >> Enterprise Linux Server release 7.4 (Maipo) but getting error: >> >> [Setup] Info Could

[Freeipa-users] Re: IPA crashed and after restarting services seeing "Replica has a different generation ID than the local data." in log

2017-10-18 Thread Mark Reynolds via FreeIPA-users
On 10/18/2017 09:06 AM, john.bowman--- via FreeIPA-users wrote: > Howdy! Looks like the IPA application crashed on one of our servers (RHEL 6) > early this morning and after restarting it I saw the following in > /var/log/dirsrv/slapd-TLD/errors log: > > [18/Oct/2017:07:35:49 -0500] - slapd

[Freeipa-users] Re: FreeIPA server: Replication issues

2017-11-15 Thread Mark Reynolds via FreeIPA-users
Hi James, On 11/15/2017 10:11 AM, James Harrison via FreeIPA-users wrote: > Hello, > I am using Centos to host our FreeIPA servers. We have a CA-less setup. > > I have upgraded to Centos 7.4 and FreeIPA version : VERSION: 4.5.0, > API_VERSION: 2.228 > > The upgrade of both went off without any

[Freeipa-users] Re: Major Server Failure

2018-05-09 Thread Mark Reynolds via FreeIPA-users
.  One, "cn=Replication Manager cloneAgreement1-fitch.-pki-tomcat,ou=csusers,cn=config" does not exist on the server, or two, you are using the wrong password for this entry in the replication agreement. > > > > *Michael Rainey* > Network Representative > Naval Researc

[Freeipa-users] Re: Major Server Failure

2018-05-10 Thread Mark Reynolds via FreeIPA-users
fitch ~]# ipa-replica-manage list fitch. >> Directory Manager password: >> >> kodiak.: replica >> piston.: replica >> tierod.: replica > > > *Michael Rainey* > Network Representative > Naval Research Laboratory, Code 7320 > Building 1009, Room C156 >

[Freeipa-users] Re: attrlist_replace - attr_replace failed

2018-05-09 Thread Mark Reynolds via FreeIPA-users
On 05/09/2018 08:25 AM, Sandor Juhasz via FreeIPA-users wrote: > Hello, > > we have a 4 way master master replication. Which is finally > working, but we still see one error: > > [09/May/2018:14:21:27.882261986 +0200] attrlist_replace - attr_replace > (nsslapd-referral,

[Freeipa-users] Re: Major Server Failure

2018-05-10 Thread Mark Reynolds via FreeIPA-users
On 05/10/2018 03:30 PM, Rob Crittenden wrote: > Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote: >> Sigh... My replication agreements really do seem to be completely >> jacked up.  I would have expected the hostname replica agreements and >> the hostname csreplica agreements to

[Freeipa-users] Re: replication test

2018-05-21 Thread Mark Reynolds via FreeIPA-users
On 05/21/2018 10:32 AM, i...@tecnoaccion.com.ar wrote: > On 21/05/18 at 11:20, Mark Reynolds wrote: >> >> On 05/21/2018 10:16 AM, i...@tecnoaccion.com.ar wrote: >>> On 18/05/18 at 20:02, Mark Reynolds wrote: On 05/18/2018 04:07 PM, None via FreeIPA-users wrote: > On 18/05/18

[Freeipa-users] Re: replication test

2018-05-21 Thread Mark Reynolds via FreeIPA-users
On 05/21/2018 10:16 AM, i...@tecnoaccion.com.ar wrote: > On 18/05/18 at 20:02, Mark Reynolds wrote: >> >> On 05/18/2018 04:07 PM, None via FreeIPA-users wrote: >>> On 18/05/18 at 16:52, Mark Reynolds wrote: On 05/18/2018 03:13 PM, i...@tecnoaccion.com.ar wrote: > On 18/05/18

[Freeipa-users] Re: Dir Mgr passwd won't change?

2018-05-21 Thread Mark Reynolds via FreeIPA-users
On 05/21/2018 02:02 PM, Kat via FreeIPA-users wrote: > Stopping 389-ds was the first step for sure - I would not fall for > that one! :-) > > No access to Dir Manager, I don't know what this means either, but please try this: ldapsearch -D "cn=directory manager" -W -s base -b "" objectclass=top

[Freeipa-users] Re: Major Server Failure

2018-05-22 Thread Mark Reynolds via FreeIPA-users
On 05/22/2018 11:24 AM, Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote: > Well I'm sure how this happened.  It looks like I have an Identity > server that has a replication agreement with itself.  Is there a > method to help clean this up? > >> # ipa-replica-manage list sump. -v

[Freeipa-users] Re: Major Server Failure

2018-05-22 Thread Mark Reynolds via FreeIPA-users
On 05/22/2018 05:32 PM, Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote: > The mystery continues.  It seems might be working but in reality it's > not.  The replica has stopped updating from the master and is unable > to talk to the LDAP server.  I'm fairly certain this is a

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

2018-05-15 Thread Mark Reynolds via FreeIPA-users
This looks really familiar and I thought it was fixed.  It should have been fixed in 1.3.7.10-1 (https://pagure.io/389-ds-base/issue/49618).   In your debug session go "up" into agmt_maxcsn_update() and do: (gdb) p *agmt Then send us that output please. Thanks, Mark On 05/15/2018 05:29 PM,

[Freeipa-users] Re: replication test

2018-05-18 Thread Mark Reynolds via FreeIPA-users
On 05/18/2018 03:01 PM, None via FreeIPA-users wrote: > hi! > > I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm > trying to have a Nagios check for the replication status (without > indicating a password). I found this article: >

[Freeipa-users] Re: replication test

2018-05-18 Thread Mark Reynolds via FreeIPA-users
On 05/18/2018 03:13 PM, i...@tecnoaccion.com.ar wrote: > On 18/05/18 at 16:09, Mark Reynolds wrote: >> >> On 05/18/2018 03:01 PM, None via FreeIPA-users wrote: >>> hi! >>> >>> I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm >>> trying to have a Nagios check for the

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

2018-05-16 Thread Mark Reynolds via FreeIPA-users
On 05/16/2018 03:43 PM, Jonathan Vaughn wrote: > The installed version of 389* is 1.3.7.10-1.fc27 for armv7hl, which > appears to be the latest available version. Perhaps something is off with the inttypes on Raspberry.  Are you building this yourself on Raspberry?  Can we make code changes and

[Freeipa-users] Re: replication test

2018-05-18 Thread Mark Reynolds via FreeIPA-users
On 05/18/2018 04:07 PM, None via FreeIPA-users wrote: > On 18/05/18 at 16:52, Mark Reynolds wrote: >> >> On 05/18/2018 03:13 PM, i...@tecnoaccion.com.ar wrote: >>> On 18/05/18 at 16:09, Mark Reynolds wrote: On 05/18/2018 03:01 PM, None via FreeIPA-users wrote: > hi! >

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

2018-06-01 Thread Mark Reynolds via FreeIPA-users
On 06/01/2018 04:32 PM, Jonathan Vaughn wrote: Alright, I think I've got everything* working. (* Not running the CA server on the Arm device, not tested, but from what I've read before I would need to adjust the startup timeout since OpenJDK is so slow). 1) I removed the Arm replica from

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

2018-06-02 Thread Mark Reynolds via FreeIPA-users
I was right I did fix all the ARM issues, but not in 1.3.8, only in 1.4.0.  It was a large change though that required a few patches.  I'll see what I can do about backporting the changes... On 06/01/2018 05:38 PM, Jonathan Vaughn wrote: Created https://pagure.io/389-ds-base/issue/49746

[Freeipa-users] Re: ERR - attrlist_replace - attr_replace (nsslapd-referral,

2018-08-01 Thread Mark Reynolds via FreeIPA-users
https://pagure.io/389-ds-base/c/6f585fa9adaa83efa98b72aa112e162f180b0ad1 On 08/01/2018 09:55 PM, James Harrison via FreeIPA-users wrote: Any ideas, anyone? This is a known "issue".  The message itself is harmless, and it has been "fixed" in 389-ds-base-1.3.6.1-22 On Tue, 31 Jul 2018 at

[Freeipa-users] Re: Diagnose cause of Directory Services failure

2018-10-17 Thread Mark Reynolds via FreeIPA-users
On 10/17/18 11:03 AM, Mike Conner via FreeIPA-users wrote: I've configured FreeIPA with an AD trust that is handling workstation logins at my organization. Things have been going well, but I've noticed a couple of times that the Directory Services process is consuming a lot of CPU. This

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-23 Thread Mark Reynolds via FreeIPA-users
On 10/23/18 12:54 PM, Ralph Crongeyer via FreeIPA-users wrote: Can this be manually removed? We currently can't log in to the web portal due to this issue. http://www.port389.org/docs/389ds/howto/howto-cleanruv.html#cleanallruv Or you can run:   cleanallruv.pl -h HTH, Mark On Fri, Oct 19,

[Freeipa-users] Re: replication sync issues

2018-11-02 Thread Mark Reynolds via FreeIPA-users
On 11/2/18 12:21 PM, Grant Janssen via FreeIPA-users wrote: I’ve tried both force-sync AND re-initialize on both hosts. I do have a question about the error in the log. though the error posts on the “master”, it appears to indicate an issue with the slave. the slave syslog is clean. when the

[Freeipa-users] Re: Limits exceeded for this query

2018-12-20 Thread Mark Reynolds via FreeIPA-users
On 12/20/18 10:13 AM, lune voo via FreeIPA-users wrote: Re Florence. I performed the following command : ipa config-mod --searchtimelimit=5 It solved this "problem". May I ask what can be the impacts on increasing searchtimelimit please ? Hi Lune, The purpose of setting these kinds of

[Freeipa-users] Re: Force TLS connection

2018-11-27 Thread Mark Reynolds via FreeIPA-users
On 11/27/18 10:14 AM, Peter Tselios via FreeIPA-users wrote: Hello, My understanding is that FreeIPA is configured to accept connections on port 389 and the StartTLS is configured. I managed to connect to the IPA server by using ldapsearch -x and without -ZZ so, I suppose the TLS is not

[Freeipa-users] Re: IPA-Backup fails

2019-05-31 Thread Mark Reynolds via FreeIPA-users
On 5/31/19 8:44 AM, Mark Reynolds via FreeIPA-users wrote: On 5/31/19 8:20 AM, Rob Crittenden wrote: Dirk Streubel via FreeIPA-users wrote: Hello, have a little Problem with a full backup of my IPA Server. The command : ipa-backup -d, doesn't work, the output is this: papython.ipautil

[Freeipa-users] Re: IPA-Backup fails

2019-05-31 Thread Mark Reynolds via FreeIPA-users
On 5/31/19 8:20 AM, Rob Crittenden wrote: Dirk Streubel via FreeIPA-users wrote: Hello, have a little Problem with a full backup of my IPA Server. The command : ipa-backup -d, doesn't work, the output is this: papython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful

[Freeipa-users] Re: ipa-replica-install latest failure attempt:

2019-12-02 Thread Mark Reynolds via FreeIPA-users
On 12/2/19 1:10 PM, Auerbach, Steven via FreeIPA-users wrote: A couple of follow-up questions and some results of an ldap search... In your suggested ldapmodify statement: ldapmodify -h -p 389 -D "cn=directory manager" -W dn: cn=replica,cn=, cn=mapping tree,cn=config changetype: modify

[Freeipa-users] Re: Directory server on a dedicated filesystem?

2020-03-04 Thread Mark Reynolds via FreeIPA-users
Directory Server also comes with a "Disk Monitoring" feature that will gracefully stop a server if any disk the server uses becomes full.  It can also attempt to free disk space by optionally removing rotated logs, and adjusting log levels.

[Freeipa-users] Fwd: Re: LDAP Server stop to response after a period of time

2020-03-10 Thread Mark Reynolds via FreeIPA-users
Thanks for help, I encounter the same problem again today. There is stacktrace, it is really really helpful to get the more detail of server looks like server always hangs after request    op=1 BIND dn="" method=sasl version=3 mech=GSSAPI Please take a look of stacktrace.log  and access.log

[Freeipa-users] Re: LDAP Server stop to response after a period of time

2020-03-08 Thread Mark Reynolds via FreeIPA-users
A stack trace would be very useful in determining why the Directory Server is misbehaving.  You can grab stack traces following these steps: http://www.port389.org/docs/389ds/FAQ/faq.html#sts=Debugging%C2%A0Hangs Thanks, Mark On 3/7/20 11:48 PM, Lays Dragon via FreeIPA-users wrote: I

[Freeipa-users] Re: replica install fails

2020-04-14 Thread Mark Reynolds via FreeIPA-users
On 4/14/20 6:04 AM, Alexandru David via FreeIPA-users wrote: Hi all I have two centos 8 servers. One is installed and configured as master and AD trust controller. The second one, I'm trying to configure it as a replica, but what ever I do, the replica server fails to start. Environment :

[Freeipa-users] Re: Issue with memberOf plugin.

2020-05-07 Thread Mark Reynolds via FreeIPA-users
On 5/7/20 4:38 AM, Mary Georgiou via FreeIPA-users wrote: Hello, In our set-up, we have a DB with all the users and groups, which we use as ground truth for provisioning the aforementioned objects in FreeIPA (2 master servers + replicas). We are continuously synchronizing entries (~6

[Freeipa-users] Re: ipa migrate failing

2020-10-26 Thread Mark Reynolds via FreeIPA-users
Please provide the Directory Server access log snippet from this failure as well. Thanks, Mark On 10/26/20 7:59 AM, Per Qvindesland via FreeIPA-users wrote: Hi While running the command:   echo password123 | ipa migrate-ds --with-compat ldap://ipofldap:389

[Freeipa-users] Re: Change password hash for LDAP

2020-06-29 Thread Mark Reynolds via FreeIPA-users
You can change the password storage scheme using dsconf or ldapmodify depending on what version of 389-ds-base you have.  On 389-ds-base-1.4.x you can use "dsconf", on older versions you will need to use ldapmodify: # dsconf slapd-YOUR_INSTANCE config replace passwordStorageScheme=SSHA512 Or

[Freeipa-users] Re: cipher support and nsSSL3Ciphers: +all

2020-06-17 Thread Mark Reynolds via FreeIPA-users
On 6/16/20 6:07 PM, Chris Herdt via FreeIPA-users wrote: On Tue, Jun 16, 2020 at 12:58 PM Chris Herdt > wrote: I have an appliance that I want to use with our FreeIPA-provided LDAP servers. The appliance only supports the following ciphers:

[Freeipa-users] Re: Still issues with member_of

2020-06-03 Thread Mark Reynolds via FreeIPA-users
On 6/3/20 6:10 AM, Mary Georgiou via FreeIPA-users wrote: Dear all, We are still experiencing issues with the memberOf plugin for which you may have some advice. We are constantly synchronizing accounts and groups into freeipa from external resources. At each time we have approx 60.000+

[Freeipa-users] Re: Still issues with member_of

2020-06-03 Thread Mark Reynolds via FreeIPA-users
On 6/3/20 8:42 AM, Mary Georgiou via FreeIPA-users wrote: Hello, Thanks a lot for the prompt answer. Could you clarify a bit more this point please: "but if you are using nested groups then you can not set this:" Sorry, so nested groups are where groups are members of other groups.  For

[Freeipa-users] Re: FreeIPA - Replica - Install

2021-09-09 Thread Mark Reynolds via FreeIPA-users
Yes this was a problem.  Schema replication was failing because version of the entryuuid plugin added a new syntax plugin, which can not be replicated.  So it broke replication and would lead to errors like this. The minimum version of 389-ds-base-2.x you need is:     389-ds-base-2.0.8 This

[Freeipa-users] Re: IPA slapd parameter tuning

2021-09-16 Thread Mark Reynolds via FreeIPA-users
On 9/16/21 5:20 PM, Kathy Zhu via FreeIPA-users wrote: Hi List, One of my ipa server's database had issue and left many log entries like the following in messages and slapd errors log: *Sep 16 08*:34:28 ipa0 ns-slapd: [16/Sep/2021:08:34:28.886632992 -0700] - ERR - libdb - BDB0060 PANIC:

[Freeipa-users] Re: Changing IPA AD Account sync to new AD domain

2021-07-14 Thread Mark Reynolds via FreeIPA-users
On 7/14/21 11:27 AM, Rob Crittenden wrote: Jim Kilborn via FreeIPA-users wrote: We have migrated our AD users to a new domain (ie example.com -> examplenew.com) and I now need to change our IPA AD sync replication to use the new domain. I can remove the old replication agreement and create the

[Freeipa-users] Re: ipahealthcheck.ds.dse.DSECheck.DSSKEWLE0003: The time skew is over 24 hours.

2021-08-02 Thread Mark Reynolds via FreeIPA-users
Hi Louis, So these time skew errors typically happen when the system clock is adjusted.  Technically nothing is broken and replication is working, but if the time skew continues to "increase" it will cause problems eventually... Out of curiosity, were any of these systems running on AWS?

[Freeipa-users] Re: Allowing LDAP only via SSL?

2021-08-04 Thread Mark Reynolds via FreeIPA-users
On 8/3/21 6:34 AM, Sam Morris via FreeIPA-users wrote: But is it possible to completely disable port 389 if we don't want any client to ever try non-SSL connections? That will block communication between IPA servers, and from clients to servers. Just for completeness, setting nsslapd-port to

[Freeipa-users] Re: Hard Crash of Server Corrupted IPA

2021-08-10 Thread Mark Reynolds via FreeIPA-users
On 8/10/21 10:41 AM, Rob Crittenden via FreeIPA-users wrote: Auerbach, Steven wrote: [10/Aug/2021:09:03:52.832686801 -0400] - NOTICE - dblayer_start - Detected Disorderly Shutdown last time Directory Server was running, recovering database. [10/Aug/2021:09:03:53.307038716 -0400] - ERR - libdb

[Freeipa-users] Re: Deletion of dse.ldif - why/when?

2021-07-14 Thread Mark Reynolds via FreeIPA-users
It is not IPA deleting the dse.ldif, but possibly a startup/shutdown issue with Directory Server (389-ds-base).  There was a known bug about this, but it was fixed a few years ago. What version of 389-ds-base are you running?  Do you see any "Disorderly shutdown" messages in the DS errors log?

[Freeipa-users] Re: ERR - log_result - Internal unindexed search

2022-03-28 Thread Mark Reynolds via FreeIPA-users
Kathy, You need to make sure there are equality indexes for the following attributes: * changenumber * targetuniqueid Run these commands on all your servers: # ldapmodify -D "cn=directory manager" -W dn: cn=changenumber,cn=index,cn=userroot,cn=ldbm database,cn=plugins,cn=config

[Freeipa-users] Re: ERR - log_result - Internal unindexed search

2022-03-28 Thread Mark Reynolds via FreeIPA-users
Ugh, sorry had a typo, each attribute is specified with "-t".  So replace the "-a" with a "-t": db2index.pl -D "cn=directory manager" -w Nur09089 -n userroot -t changenumber:eq -t targetuniqueid:eq Mark On 3/28/22 3:44 PM, Kathy Zhu wrote: Hi Mark, Thank you! After

[Freeipa-users] Re: ERR - log_result - Internal unindexed search

2022-03-28 Thread Mark Reynolds via FreeIPA-users
On 3/28/22 4:35 PM, Kathy Zhu wrote: Thank you, Mark! Actually, since the typo, I read the manual page and googled db2index.pl command. It is suggested to stop the dirsrv process before running the command. If there were no typo, I would run it without stopping. Thank

[Freeipa-users] Re: parse the audit logs

2022-01-26 Thread Mark Reynolds via FreeIPA-users
The audit log is essentially just a list of LDIF commands.  If you remove the "time" and "result" lines you can redirect the log straight to ldapmodify: time: 20220126111500 dn: cn=config,cn=ldbm database,cn=plugins,cn=config result: 0 changetype: modify replace: nsslapd-lookthroughlimit

[Freeipa-users] Re: parse the audit logs

2022-01-26 Thread Mark Reynolds via FreeIPA-users
On 1/26/22 1:02 PM, Kathy Zhu via FreeIPA-users wrote: Thanks Mark and Florence for your replies! I will check directory389 list to see if there is any useful information. By turning on audit logging, we'd like to have a record of what was changed, when and by whom. For example, we should be

[Freeipa-users] Re: parse the audit logs

2022-01-26 Thread Mark Reynolds via FreeIPA-users
On 1/26/22 8:51 PM, Kathy Zhu via FreeIPA-users wrote: Thanks both Rob and Mark for your replies! Take user creation as an example: in /var/log/httpd/error_log: via GUI -  what, when and who via CLI - what, when and admin (since admin privilege is needed) in

[Freeipa-users] Re: Time skew is 82 years off, with no replicas

2023-08-24 Thread Mark Reynolds via FreeIPA-users
On 8/24/23 11:46 AM, Rob Crittenden via FreeIPA-users wrote: Kevin Konzem via FreeIPA-users wrote: I did run the script to check the CSN generator states, this output is below: ./readNsState.py dse.ldif nsState is HACdFOVkYBI+mwAEAA== Little Endian For

[Freeipa-users] Re: Errors in dirsrv log

2023-08-15 Thread Mark Reynolds via FreeIPA-users
On 8/15/23 7:08 AM, Alexander Bokovoy via FreeIPA-users wrote: On Sun, 13 Aug 2023, Ranbir via FreeIPA-users wrote: I'm seeing errors like the ones below on my ipa servers (excuse the wrapping): [11/Aug/2023:22:07:37.684144411 -0700] - ERR - get_value_from_string - type does not match:

[Freeipa-users] Re: After upgrade, only one direction replication while should be bi-directions replication

2022-06-02 Thread Mark Reynolds via FreeIPA-users
On 6/2/22 1:38 PM, Rob Crittenden wrote: Kathy Zhu via FreeIPA-users wrote: Hi Team, We upgraded our Centos 7 IPA masters to the latest: CentOS Linux release 7.9.2009 (Core) *ipa*-server.x86_64                      4.6.8-5.el7.centos.10 *389-ds*-base.x86_64                    

[Freeipa-users] Re: Port 389 on IPA servers

2022-07-15 Thread Mark Reynolds via FreeIPA-users
On 7/15/22 8:15 AM, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: The official RedHat documentation states The TCP port 389 is not required to be open on IdM servers for trust, but it is necessary for clients communicating with the IdM server. Is this still

[Freeipa-users] Re: LDAP not starting for IPA-Server

2022-09-27 Thread Mark Reynolds via FreeIPA-users
On 9/27/22 4:36 PM, Nick Polites via FreeIPA-users wrote: I added the nsslapd-securePort: 636 but port 636 is not listening. 389 is working. Do I need to do something else to get 636 working? nsslapd-security needs to be "on" for the secure port to be activated.  This does require as server

[Freeipa-users] Re: ipa-healthcheck errors

2022-11-20 Thread Mark Reynolds via FreeIPA-users
On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote: On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users wrote: Hi all, I managed to get rid of another error but I still have plenty errors left. Any help would be appreciated. ipa-healthcheck errors remaining:

[Freeipa-users] Re: ipa-healthcheck errors

2022-11-20 Thread Mark Reynolds via FreeIPA-users
On 11/20/22 10:51 AM, Rob Verduijn wrote: On Sun, 20 Nov 2022 15:57 Mark Reynolds wrote: On 11/20/22 9:06 AM, Sam Morris via FreeIPA-users wrote: > On Sat, 2022-11-19 at 11:57 +0100, Rob Verduijn via FreeIPA-users > wrote: >> Hi all, >> >> I managed to get rid of

[Freeipa-users] Re: ipa-healthcheck errors

2022-11-20 Thread Mark Reynolds via FreeIPA-users
On 11/20/22 3:39 PM, Rob Verduijn wrote: thanx any clues about the other errors? Sorry I'm not that familiar with IPA - I'm just a Directory Server guy.  I'm sure someone from the IPA team will respond tomorrow. ipa-healthcheck args=({'msgtype': 101, 'msgid': 3, 'result': 32, 'desc': 'No

[Freeipa-users] Re: dirsrv times out at startup

2022-11-17 Thread Mark Reynolds via FreeIPA-users
Hi Roberto, On 11/17/22 11:36 AM, Roberto Cornacchia via FreeIPA-users wrote: Yesterday I installed a replica on a clean Rocky 9 system. No issues at all. Everything seemed to work fine. Today the machine was rebooted (no dnf updates, no system changes) and ipa could not start anymore.

[Freeipa-users] Re: AccountPolicy erroring for some users

2023-07-12 Thread Mark Reynolds via FreeIPA-users
Hi Lukas, It's being worked on right now. Thanks, Mark :-) On 7/12/23 7:38 AM, Lucas Diedrich via FreeIPA-users wrote: Hey Marc, thanks for sending the link, opened a ticket here: https://github.com/389ds/389-ds-base/issues/5834 Thanks. On Tue, 11 Jul 2023 at 15:37, Mark Reynolds

[Freeipa-users] Re: AccountPolicy erroring for some users

2023-07-11 Thread Mark Reynolds via FreeIPA-users
On 7/11/23 12:56 PM, LUCAS GUILHERME DIEDRICH via FreeIPA-users wrote: Hey, Since I updated to the latest Freeipa version (IPA, version: 4.10.1), I started noticing some error in the 389 error.log. [11/Jul/2023:13:50:20.591388308 -0300] - ERR - acct_update_login_history - Modify error 20

[Freeipa-users] Re: After "writeback to ldap failed" -- silent total freeipa failure / deadlock.

2023-08-09 Thread Mark Reynolds via FreeIPA-users
On 8/9/23 2:00 AM, Alexander Bokovoy wrote: On Tue, 08 Aug 2023, Harry G Coin wrote: Thanks for your help.  Details below.  The problem 'moved' in I hope a diagnostically useful way, but the system remains broken. On 8/8/23 08:54, Alexander Bokovoy wrote: On Tue, 08 Aug 2023, Harry G Coin

[Freeipa-users] Re: replication troubles

2024-02-08 Thread Mark Reynolds via FreeIPA-users
On 2/8/24 10:14 AM, Natxo Asenjo wrote: On Thu, Feb 8, 2024 at 3:56 PM Mark Reynolds wrote: What version of 389-ds-base is installed?  There were bugs around csn location that were fixed in the very latest version of the LDAP server on RHEL 7.9.  So make sure you are running the

[Freeipa-users] Re: replication troubles

2024-02-08 Thread Mark Reynolds via FreeIPA-users
What version of 389-ds-base is installed?  There were bugs around csn location that were fixed in the very latest version of the LDAP server on RHEL 7.9.  So make sure you are running the latest version of 389-ds-base. As for replication being broken, you can confirm this by making a "dummy"