Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
Assuming that the errors and warnings are not a big deal, can you suggest
any reasons that we would have connections stacking up and timing out?  The
use case is likely heavier on write than would be standard for LDAP, but it
seems the failure threshold (number of connections) is very low.  This is
hosted on a multi-core machine (virtual machine) and when it gets bad, our
operations people say that a single core of the machine is pegged at 100%
CPU while others are essentially idle.  Are there parts of Apache DS that
have thread affinity and would be stuck to a single processor?

Any thoughts would be appreciated,
Craig

On Wednesday, October 12, 2011, Emmanuel Lecharny wrote:

 On 10/12/11 10:24 PM, Craig Setera wrote:

 Hello,


 Hi,

 Which ADS version are you using? Is it still 1.5.5?


 Last week I was asking about indexing and performance gains from those
 indexes.  The question stemmed from some performance problems that we are
 currently having in our environment.  In that environment, we are seeing
 extremely poor performance and Apache DS getting bogged down after a
 relatively small number of connections (under 100).  When that happens, the
 connections start to stack up and eventually time out.  I was surprised by
 the performance, but was looking at things like indexing and disabling sync
 on write as ways to improve the situation.

 Now, I've received some logs from testing and I'm beginning to wonder if
 there is something else going on.  I'm seeing many entries in the logs that
 look like:

 [18:27:52] WARN [org.apache.directory.server.ldap.LdapSession] - AbandonableRequest with messageId 2 not found in outstandingRequests.
 [18:27:53] WARN [org.apache.directory.shared.asn1.ber.Asn1Decoder] - The PDU has been fully decoded but there are still bytes in the buffer.
 [18:27:53] WARN [org.apache.directory.shared.asn1.ber.Asn1Decoder] - The PDU has been fully decoded but there are still bytes in the buffer.
 [18:27:53] WARN [org.apache.directory.server.ldap.LdapSession] - AbandonableRequest with messageId 2 not found in outstandingRequests.
 [18:27:53] WARN [org.apache.directory.shared.asn1.ber.Asn1Decoder] - The PDU has been fully decoded but there are still bytes in the buffer.
 [18:27:53] WARN [org.apache.directory.shared.asn1.ber.Asn1Decoder] - The PDU has been fully decoded but there are still bytes in the buffer.

 This message just means that some data has been received, decoded
 correctly, but we have still some remaining bytes in the buffer. It's a
 warning, not an error. The remaining bytes will be decoded later. Nothing to
 be scared about.



 --
 Regards,
 Cordialement,
 Emmanuel Lécharny
 www.iktek.com



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Performance issues and strange logs

2011-10-13 Thread Emmanuel Lecharny

On 10/13/11 5:31 PM, Craig Setera wrote:

Assuming that the errors and warnings are not a big deal, can you suggest
any reasons that we would have connections stacking up and timing out?  The
use case is likely heavier on write than would be standard for LDAP, but it
seems the failure threshold (number of connections) is very low.  This is
hosted on a multi-core machine (virtual machine) and when it gets bad, our
operations people say that a single core of the machine is pegged at 100%
CPU while others are essentially idle.  Are there parts of Apache DS that
have thread affinity and would be stuck to a single processor?

Ok, 1.5.5 is pretty old, and depends on MINA-2.0.0-M6. This version of
the NIO framework sometimes gets stuck with 100% CPU (it's a JVM bug)
when some sessions are closed just after having been opened (basically,
the selector loop gets crazy and eats 100% CPU looping).


It might be the reason why you see this 100% CPU for some sessions (as 
we have one selector per CPU, the other sessions might be ok).


I would suggest you switch to at least 1.5.7, but even better to 2.0.0-M3.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
Is it possible to switch out just MINA or would that break something?

On Thursday, October 13, 2011, Emmanuel Lecharny wrote:

 On 10/13/11 5:31 PM, Craig Setera wrote:

 Assuming that the errors and warnings are not a big deal, can you suggest
 any reasons that we would have connections stacking up and timing out?  The
 use case is likely heavier on write than would be standard for LDAP, but it
 seems the failure threshold (number of connections) is very low.  This is
 hosted on a multi-core machine (virtual machine) and when it gets bad, our
 operations people say that a single core of the machine is pegged at 100%
 CPU while others are essentially idle.  Are there parts of Apache DS that
 have thread affinity and would be stuck to a single processor?

 Ok, 1.5.5 is pretty old, and depends on MINA-2.0.0-M6. This version of the
 NIO framework sometimes gets stuck with 100% CPU (it's a JVM bug) when some
 sessions are closed just after having been opened (basically, the selector
 loop gets crazy and eats 100% CPU looping).

 It might be the reason why you see this 100% CPU for some sessions (as we
 have one selector per CPU, the other sessions might be ok).

 I would suggest you switch to at least 1.5.7, but even better to 2.0.0-M3.


 --
 Regards,
 Cordialement,
 Emmanuel Lécharny
 www.iktek.com



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Performance issues and strange logs

2011-10-13 Thread Emmanuel Lécharny

On 10/13/11 5:53 PM, Craig Setera wrote:

Is it possible to switch out just MINA or would that break something?


It *should* be possible, as the MINA API has been frozen in 2.0.0-RC1.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
We have a custom interceptor plugged in to 1.5.5.  Did anything change in
1.5.7 that would break that?  If not, we may be best off to just move to
1.5.7.

Thanks again,
craig

On Thursday, October 13, 2011, Emmanuel Lécharny wrote:

 On 10/13/11 5:53 PM, Craig Setera wrote:

 Is it possible to switch out just MINA or would that break something?


 It *should* be possible, as the MINA API has been frozen in 2.0.0-RC1.


 --
 Regards,
 Cordialement,
 Emmanuel Lécharny
 www.iktek.com



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Performance issues and strange logs

2011-10-13 Thread Kiran Ayyagari
On Thu, Oct 13, 2011 at 12:52 PM, Craig Setera cr...@mfoundry.com wrote:
 We have a custom interceptor plugged in to 1.5.5.  Did anything change in
 1.5.7 that would break that?  If not, we may be best off to just move to
 1.5.7.

hard to tell without knowing (at least in a very high level view) what
this interceptor does

 Thanks again,
 craig

 On Thursday, October 13, 2011, Emmanuel Lécharny wrote:

 On 10/13/11 5:53 PM, Craig Setera wrote:

 Is it possible to switch out just MINA or would that break something?


 It *should* be possible, as the MINA API has been frozen in 2.0.0-RC1.


 --
 Regards,
 Cordialement,
 Emmanuel Lécharny
 www.iktek.com



 --
 Craig Setera
 Director, Product Engineering
 mFoundry
 p 415.324.5801
 cr...@mfoundry.com




-- 
Kiran Ayyagari


Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
High-level... does alteration of the values of some of our schema
attributes.  So, it sits in the flow and alters the data for those
particular attributes as they flow through.

On Thursday, October 13, 2011, Kiran Ayyagari wrote:

 On Thu, Oct 13, 2011 at 12:52 PM, Craig Setera cr...@mfoundry.com wrote:
  We have a custom interceptor plugged in to 1.5.5.  Did anything change in
  1.5.7 that would break that?  If not, we may be best off to just move to
  1.5.7.
 
 hard to tell without knowing(at least in a very high level view) what
 this interceptor does
  Thanks again,
  craig
 
  On Thursday, October 13, 2011, Emmanuel Lécharny wrote:
 
  On 10/13/11 5:53 PM, Craig Setera wrote:
 
  Is it possible to switch out just MINA or would that break something?
 
 
  It *should* be possible, as the MINA API has been frozen in 2.0.0-RC1.
 
 
  --
  Regards,
  Cordialement,
  Emmanuel Lécharny
  www.iktek.com
 
 
 
  --
  Craig Setera
  Director, Product Engineering
  mFoundry
  p 415.324.5801
  cr...@mfoundry.com
 



 --
 Kiran Ayyagari



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Performance issues and strange logs

2011-10-13 Thread Kiran Ayyagari
On Thu, Oct 13, 2011 at 2:10 PM, Craig Setera cr...@mfoundry.com wrote:
 High-level... does alteration of the values of some of our schema
 attributes.  So, it sits in the flow and alters the data for those
 particular attributes as they flow through.

ok, should work in the latest code without any issues (might require
fixing some imports)

 On Thursday, October 13, 2011, Kiran Ayyagari wrote:

 On Thu, Oct 13, 2011 at 12:52 PM, Craig Setera cr...@mfoundry.com wrote:
  We have a custom interceptor plugged in to 1.5.5.  Did anything change in
  1.5.7 that would break that?  If not, we may be best off to just move to
  1.5.7.
 
 hard to tell without knowing(at least in a very high level view) what
 this interceptor does
  Thanks again,
  craig
 
  On Thursday, October 13, 2011, Emmanuel Lécharny wrote:
 
  On 10/13/11 5:53 PM, Craig Setera wrote:
 
  Is it possible to switch out just MINA or would that break something?
 
 
  It *should* be possible, as the MINA API has been frozen in 2.0.0-RC1.
 
 
  --
  Regards,
  Cordialement,
  Emmanuel Lécharny
  www.iktek.com
 
 
 
  --
  Craig Setera
  Director, Product Engineering
  mFoundry
  p 415.324.5801
  cr...@mfoundry.com
 



 --
 Kiran Ayyagari



 --
 Craig Setera
 Director, Product Engineering
 mFoundry
 p 415.324.5801
 cr...@mfoundry.com




-- 
Kiran Ayyagari


Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
Oh... Hopefully it works without recompile or this gets trickier.  I guess
we will find out soon enough.

Thanks,
Craig

On Thursday, October 13, 2011, Kiran Ayyagari wrote:

 On Thu, Oct 13, 2011 at 2:10 PM, Craig Setera cr...@mfoundry.com wrote:
  High-level... does alteration of the values of some of our schema
  attributes.  So, it sits in the flow and alters the data for those
  particular attributes as they flow through.
 
 ok, should work in the latest code without any issues (might require
 fixing some imports)



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Replication configuration

2011-10-13 Thread Jonathan Disher
I built 1180264 (after much difficulty, getting deb packages to build, so I 
could deploy it to my admin nodes), but can't get it to start because things 
are missing, and unfortunately the documentation for 2.0 is, well, nonexistent. 
 Right now it's vomiting on the lack of any schema ldif/structure being 
present.  I am trying to not build locally on the admin nodes, they need to 
remain clean and reproducible, deployable binary packages are required (I need 
to build, at last count, approx 13 replicas world wide).

I will svn up and rebuild, but I suspect that will not fix my schema problems.  
Is there any 2.0 documentation in any functional state?

-j

On Oct 11, 2011, at 1:24 PM, Kiran Ayyagari wrote:

 the trunk is back to stable condition, you can svn up your local copy
 or checkout the head directly
 
 On Mon, Oct 10, 2011 at 6:32 PM, Kiran Ayyagari kayyag...@apache.org wrote:
 http://svn.apache.org/repos/asf/directory/apacheds/trunk-with-dependencies
 
 please checkout the revision 1180264 cause currently there are few
 changes that destabilized the trunk (should be back to normal in
 couple days)
 
 Please let us know if you have any issues.
 
 On Mon, Oct 10, 2011 at 6:06 PM, Jonathan Disher jdis...@parad.net wrote:
 So, I checked out trunk and appear to have gotten ApacheDS 1.5.  Where do I 
 check out the 2.0 tree?
 
 -j
 
 On Oct 6, 2011, at 5:30 PM, Kiran Ayyagari wrote:
 
 This has been fixed, please see
 https://issues.apache.org/jira/browse/DIRSERVER-1666
 for the details. Appreciate if you can verify the fix and report your 
 findings.
 
 On Thu, Oct 6, 2011 at 3:33 PM, Kiran Ayyagari kayyag...@apache.org 
 wrote:
 I confirm the presence of this issue, (which seems to be introduced
 during some code cleanup)
 will commit a fix in another 7 hours and let you know.
 Thanks for the detailed trace.
 
 On Thu, Oct 6, 2011 at 2:57 PM, Jonathan Disher jdis...@parad.net wrote:
 Yes, I did.
 
 Actually, I am getting this:
 
 [18:55:46] ERROR [org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler] - Failed to initialize the log files required by the syncrepl provider
 java.lang.NullPointerException
        at org.apache.directory.server.ldap.replication.provider.SyncReplSearchListener.init(SyncReplSearchListener.java:98)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.registerPersistentSearches(SyncReplRequestHandler.java:929)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.start(SyncReplRequestHandler.java:171)
        at org.apache.directory.server.ldap.LdapServer.startReplicationProducer(LdapServer.java:506)
        at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:488)
        at org.apache.directory.server.ApacheDsService.startLdap(ApacheDsService.java:374)
        at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:174)
        at org.apache.directory.server.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:71)
        at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
 [18:55:46] ERROR [PROVIDER_LOG] - Failed to initialize the log files required by the syncrepl provider
 java.lang.NullPointerException
        at org.apache.directory.server.ldap.replication.provider.SyncReplSearchListener.init(SyncReplSearchListener.java:98)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.registerPersistentSearches(SyncReplRequestHandler.java:929)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.start(SyncReplRequestHandler.java:171)
        at org.apache.directory.server.ldap.LdapServer.startReplicationProducer(LdapServer.java:506)
        at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:488)
        at org.apache.directory.server.ApacheDsService.startLdap(ApacheDsService.java:374)
        at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:174)
        at org.apache.directory.server.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:71)
        at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
 [18:55:46] ERROR [org.apache.directory.server.ApacheDsService] - Cannot start the server : java.lang.NullPointerException
 [18:56:42] WARN [org.apache.directory.server.ldap.handlers.SearchHandler] - This server does not allow replication
 
 Permissions should be fine (it runs as root, I need to listen on 389), 
 so creating files shouldn't be a problem.
 
 -j
 
 On Oct 6, 2011, at 11:48 AM, Kiran Ayyagari wrote:
 
 did you add the attribute 'ads-replReqHandler' and restarted the server?
 
 On Thu, Oct 6, 2011 at 2:26 PM, Jonathan Disher jdis...@parad.net 
 wrote:
 So, I did, and I followed the directions.  I get this on my slave:
 
 [18:37:13] WARN 
 [org.apache.directory.server.ldap.handlers.SearchHandler] - This 
 server does not allow 

Re: Replication configuration

2011-10-13 Thread Kiran Ayyagari
On Thu, Oct 13, 2011 at 2:54 PM, Jonathan Disher jdis...@parad.net wrote:
 I built 1180264 (after much difficulty, getting deb packages to build, so I 
 could deploy it to my admin nodes), but can't get it to start because things 
 are missing, and unfortunately the documentation for 2.0 is, well, 
 nonexistent.  Right now it's vomiting on the lack of any schema 
 ldif/structure being present.  I am trying to not build locally on the admin 
 nodes, they need to remain clean and reproducible, deployable binary packages 
 are required (I need to build, at last count, approx 13 replicas world wide).

 I will svn up and rebuild, but I suspect that will not fix my schema 
 problems.  Is there any 2.0 documentation in any functional state?

please give a try after doing svn up (I confirm that server starts up
fine, tested with the archive installer)
Note that you can safely ignore even if there are kerberos test
failures which maven reports like

ApacheDS Protocol Kerberos Test ... FAILURE

let us know if you have any issues

 -j

 On Oct 11, 2011, at 1:24 PM, Kiran Ayyagari wrote:

 the trunk is back to stable condition, you can svn up your local copy
 or checkout the head directly

 On Mon, Oct 10, 2011 at 6:32 PM, Kiran Ayyagari kayyag...@apache.org wrote:
 http://svn.apache.org/repos/asf/directory/apacheds/trunk-with-dependencies

 please checkout the revision 1180264 cause currently there are few
 changes that destabilized the trunk (should be back to normal in
 couple days)

 Please let us know if you have any issues.

 On Mon, Oct 10, 2011 at 6:06 PM, Jonathan Disher jdis...@parad.net wrote:
 So, I checked out trunk and appear to have gotten ApacheDS 1.5.  Where do 
 I check out the 2.0 tree?

 -j

 On Oct 6, 2011, at 5:30 PM, Kiran Ayyagari wrote:

 This has been fixed, please see
 https://issues.apache.org/jira/browse/DIRSERVER-1666
 for the details. Appreciate if you can verify the fix and report your 
 findings.

 On Thu, Oct 6, 2011 at 3:33 PM, Kiran Ayyagari kayyag...@apache.org 
 wrote:
 I confirm the presence of this issue, (which seems to be introduced
 during some code cleanup)
 will commit a fix in another 7 hours and let you know.
 Thanks for the detailed trace.

 On Thu, Oct 6, 2011 at 2:57 PM, Jonathan Disher jdis...@parad.net 
 wrote:
 Yes, I did.

 Actually, I am getting this:

 [18:55:46] ERROR [org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler] - Failed to initialize the log files required by the syncrepl provider
 java.lang.NullPointerException
        at org.apache.directory.server.ldap.replication.provider.SyncReplSearchListener.init(SyncReplSearchListener.java:98)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.registerPersistentSearches(SyncReplRequestHandler.java:929)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.start(SyncReplRequestHandler.java:171)
        at org.apache.directory.server.ldap.LdapServer.startReplicationProducer(LdapServer.java:506)
        at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:488)
        at org.apache.directory.server.ApacheDsService.startLdap(ApacheDsService.java:374)
        at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:174)
        at org.apache.directory.server.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:71)
        at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
 [18:55:46] ERROR [PROVIDER_LOG] - Failed to initialize the log files required by the syncrepl provider
 java.lang.NullPointerException
        at org.apache.directory.server.ldap.replication.provider.SyncReplSearchListener.init(SyncReplSearchListener.java:98)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.registerPersistentSearches(SyncReplRequestHandler.java:929)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.start(SyncReplRequestHandler.java:171)
        at org.apache.directory.server.ldap.LdapServer.startReplicationProducer(LdapServer.java:506)
        at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:488)
        at org.apache.directory.server.ApacheDsService.startLdap(ApacheDsService.java:374)
        at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:174)
        at org.apache.directory.server.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:71)
        at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
 [18:55:46] ERROR [org.apache.directory.server.ApacheDsService] - Cannot start the server : java.lang.NullPointerException
 [18:56:42] WARN [org.apache.directory.server.ldap.handlers.SearchHandler] - This server does not allow replication

 Permissions should be fine (it runs as root, I need to listen on 389), 
 so creating files shouldn't be a problem.

 -j

 On Oct 6, 

Re: ApacheDS Password policy issues

2011-10-13 Thread Kiran Ayyagari
On Tue, Oct 11, 2011 at 3:11 PM,  carlo.acco...@ibs-ag.com wrote:
 Hi, I've been working with the password policy functionality this week and 
 have encountered a few issues I'm hoping you can help clarify.

 These attributes are on the policy itself unless otherwise specified.


 1. ads-pwdminlength (minimum # of chars required for a password) having a non-zero value accepts passwords that are any length.

    a. I didn't test ads-pwdmaxlength but might check that while you're there.

 2. The value ads-pwmaxage is supposed to be how long a password is valid (in seconds).

    a. Setting this to a non-zero value causes a pwdChangedTime attribute to be set on the user when their password changes (ok)

    b. However it never enforces the expiry

       i. The ads-pwdgraceauthnlimit (# of grace logins after expiration) doesn't seem to have any effect

       ii. Also setting ads-pwdexpirewarning above and below the max age doesn't seem to matter either

    c. If it did expire, how is this indicated on the user object?


have fixed this issue. Server indicates the user about expiry by
sending the ppolicy response control after setting the value
for timeBeforeExpiration property to the time left before the password expires.
Note that this only happens if the user sent a request with ppolicy
control (OID - 1.3.6.1.4.1.42.2.27.8.5.1)

 3. When ads-pwdmaxfailure (number of times failed bind is permitted) is set to 5, it allows 11 login failures before locking the account.

    a. Each login failure creates an additional pwdFailureTime attribute for the user (ok)

    b. pwdAccountLockedTime attribute is created after the 11th failed bind. (Also what we want, but after 5 failures)

    c. This might be some caching issue because I think once it took 13 failed attempts before it locked.


this is a bit strange, do you have some custom caching mechanism in
place? OR some custom authenticator
implementation that doesn't inherit the AbstractAuthenticator?

 4. When ads-pwdinhistory (# of old passwords kept so they're not reused) is set to 5.

    a. Users initially have no pwdHistory attribute (ok)

    b. Each of the first 5 password changes happens successfully. Each time adding new pwdHistory attribute to the user. (ok)

    c. On the 6th change, the exception below occurs. It's like it needs to reuse the first pwdHistory attribute but cannot.


have fixed this issue, please verify with the latest trunk and let us know.

 #!RESULT ERROR
 #!CONNECTION ldap://localhost:10389
 #!DATE 2011-10-11T14:32:58.205
 #!ERROR [LDAP: error code 20 - ATTRIBUTE_OR_VALUE_EXISTS: failed for 
 MessageType : MODIFY_REQUEST Message ID : 29     Modify Request         
 Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'             
 Modification[0]                 Operation :  replace                 
 Modification     userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x79 0x59 0x53 0x75 
 0x30 0x42 0x53 0x75 0x78 0x32 0x49 ...' 
 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@3d1acad9: 
 ERR_54 Cannot add a value which is already present : '0x32 0x30 0x31 0x31 
 0x31 0x30 0x31 0x31 0x31 0x38 0x33 0x32 0x30 0x34 0x5A 0x23 ...']
 dn: uid=1286309809117,ou=users,ou=int,o=cpro
 changetype: modify
 replace: userPassword

 userPassword:: e1NIQX15VVN1MEJTdXgySTZWUEJaSGFCNmhmMUxkaTA9




 I'll keep testing and thank you in advance!!
 Carlo Accorsi







-- 
Kiran Ayyagari
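
The ppolicy response control mentioned in the reply above (OID 1.3.6.1.4.1.42.2.27.8.5.1, returned only when the client sent the request control) carries a BER-encoded value. The following is an added example, not code from this thread or from ApacheDS: a small client-side decoder for that value, following the PasswordPolicyResponseValue structure of the draft-behera-ldap-password-policy Internet-Draft. The function names and the sample byte strings are constructed for illustration.

```python
"""Decode the value of an LDAP password policy response control (added example)."""

# OID quoted in the message above; the draft uses it for request and response.
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values defined by draft-behera-ldap-password-policy
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Return (tag, content_bytes, next_pos) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length, 1..4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue ::= SEQUENCE { warning, error }."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result = {"timeBeforeExpiration": None,
              "graceAuthNsRemaining": None,
              "error": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:                   # warning [0] CHOICE
            wtag, wval, wend = _read_tlv(content, 0)
            if wend != len(content) or not wval:
                raise ValueError("malformed warning element")
            number = int.from_bytes(wval, "big")
            if wtag == 0x80:              # timeBeforeExpiration, in seconds
                result["timeBeforeExpiration"] = number
            elif wtag == 0x81:            # graceAuthNsRemaining
                result["graceAuthNsRemaining"] = number
            else:
                raise ValueError("unknown warning choice 0x%02x" % wtag)
        elif tag == 0x81:                 # error [1] ENUMERATED
            if not content:
                raise ValueError("empty error element")
            code = int.from_bytes(content, "big")
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in control value" % tag)
    return result


def summarize(decoded):
    """One-line message a client could log or show for a decoded value."""
    if decoded["error"] is not None:
        return "policy error: " + decoded["error"]
    if decoded["timeBeforeExpiration"] is not None:
        return "password expires in %d s" % decoded["timeBeforeExpiration"]
    if decoded["graceAuthNsRemaining"] is not None:
        return "password expired, %d grace logins left" % decoded["graceAuthNsRemaining"]
    return "no warning or error"


# Constructed sample control values (not captured from a real server).
SAMPLES = {
    "expiry warning, 86400 s": bytes.fromhex("3007a0058003015180"),
    "2 grace logins left": bytes.fromhex("3005a003810102"),
    "account locked": bytes.fromhex("3003810101"),
    "empty response": bytes.fromhex("3000"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", summarize(decode_ppolicy_response(raw)))
```
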


Re: Performance issues and strange logs

2011-10-13 Thread Emmanuel Lécharny

On 10/13/11 6:52 PM, Craig Setera wrote:

We have a custom interceptor plugged in to 1.5.5.  Did anything change in
1.5.7 that would break that?  If not, we may be best off to just move to
1.5.7.


I don't know. Can you post the interceptor method's signatures?


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
Unfortunately, it appears there was a lot of refactoring between 1.5.5 and
1.5.7.  It looks like MINA was updated in 1.5.6... do you have any idea if
the refactoring in that case would be less than what I'm seeing?

Thanks again,
Craig

On Thursday, October 13, 2011, Craig Setera wrote:

 Oh... Hopefully it works without recompile or this gets trickier.  I guess
 we will find out soon enough.

 Thanks,
 Craig

 --
 Craig Setera
 Director, Product Engineering
 mFoundry
 p 415.324.5801
 cr...@mfoundry.com




-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
Looks like our emails crossed along the way.  The breakage is pretty
extensive.  I can work through it, but wondering if 1.5.6 would be any
better?

On Thursday, October 13, 2011, Emmanuel Lécharny wrote:

 On 10/13/11 6:52 PM, Craig Setera wrote:

 We have a custom interceptor plugged in to 1.5.5.  Did anything change in
 1.5.7 that would break that?  If not, we may be best off to just move to
 1.5.7.


 I don't know. Can you post the interceptor method's signatures?


 --
 Regards,
 Cordialement,
 Emmanuel Lécharny
 www.iktek.com



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Performance issues and strange logs

2011-10-13 Thread Emmanuel Lecharny

On 10/13/11 10:43 PM, Craig Setera wrote:

Unfortunately, it appears there was a lot of refactoring between 1.5.5 and
1.5.7.  It looks like MINA was updated in 1.5.6... do you have any idea if
the refactoring in that case would be less than what I'm seeing?


Again, it's hard to tell. If you provide your interceptor's method 
signatures, I can check.



--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
I appreciate the offer.  Unfortunately, it is quite a lot of code.  I'm
going to try a new version of MINA inside of 1.5.5 and see what happens.

On Thursday, October 13, 2011, Emmanuel Lecharny wrote:

 On 10/13/11 10:43 PM, Craig Setera wrote:

 Unfortunately, it appears there was a lot of refactoring between 1.5.5 and
 1.5.7.  It looks like MINA was updated in 1.5.6... do you have any idea if
 the refactoring in that case would be less than what I'm seeing?


 Again, it's hard to tell. If you provide your interceptor's method
 signatures, I can check.


 --
 Regards,
 Cordialement,
 Emmanuel Lécharny
 www.iktek.com



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Performance issues and strange logs

2011-10-13 Thread Emmanuel Lécharny

On 10/13/11 11:01 PM, Craig Setera wrote:

I appreciate the offer.  Unfortunately, it is quite a lot of code.  I'm
going to try a new version of MINA inside of 1.5.5 and see what happens.


Just the method's signature, not the code. If there is some issue with 
1.5.7, it will be around the signatures.



--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: Performance issues and strange logs

2011-10-13 Thread Craig Setera
Having connected my code to the 1.5.7 code it is more than that.  I think I
may have reached into more internals for my implementation than I should
have and that that is the primary problem.  With that said, my initial tests
with Mina 2.0.4 underneath 1.5.5 seem to be working.  Is there anything I
would want to look for that might not be obvious in that scenario?

Thanks yet again,
Craig

On Thursday, October 13, 2011, Emmanuel Lécharny wrote:

 On 10/13/11 11:01 PM, Craig Setera wrote:

 I appreciate the offer.  Unfortunately, it is quite a lot of code.  I'm
 going to try a new version of MINA inside of 1.5.5 and see what happens.


 Just the method's signature, not the code. If there is some issue with
 1.5.7, it will be around the signatures.


 --
 Regards,
 Cordialement,
 Emmanuel Lécharny
 www.iktek.com



-- 
Craig Setera
Director, Product Engineering
mFoundry
p 415.324.5801
cr...@mfoundry.com


Re: Replication configuration

2011-10-13 Thread Jonathan Disher
Yeah, kerberos failed, I commented it out because I don't run it.

I will let you know

-j
On Oct 13, 2011, at 11:54 AM, Jonathan Disher wrote:

 I built 1180264 (after much difficulty, getting deb packages to build, so I 
 could deploy it to my admin nodes), but can't get it to start because things 
 are missing, and unfortunately the documentation for 2.0 is, well, 
 nonexistent.  Right now it's vomiting on the lack of any schema 
 ldif/structure being present.  I am trying to not build locally on the admin 
 nodes, they need to remain clean and reproducible, deployable binary packages 
 are required (I need to build, at last count, approx 13 replicas world wide).
 
 I will svn up and rebuild, but I suspect that will not fix my schema 
 problems.  Is there any 2.0 documentation in any functional state?
 
 -j
 
 On Oct 11, 2011, at 1:24 PM, Kiran Ayyagari wrote:
 
 the trunk is back to stable condition, you can svn up your local copy
 or checkout the head directly
 
 On Mon, Oct 10, 2011 at 6:32 PM, Kiran Ayyagari kayyag...@apache.org wrote:
 http://svn.apache.org/repos/asf/directory/apacheds/trunk-with-dependencies
 
 please checkout the revision 1180264 cause currently there are few
 changes that destabilized the trunk (should be back to normal in
 couple days)
 
 Please let us know if you have any issues.
 
 On Mon, Oct 10, 2011 at 6:06 PM, Jonathan Disher jdis...@parad.net wrote:
 So, I checked out trunk and appear to have gotten ApacheDS 1.5.  Where do 
 I check out the 2.0 tree?
 
 -j
 
 On Oct 6, 2011, at 5:30 PM, Kiran Ayyagari wrote:
 
 This has been fixed, please see
 https://issues.apache.org/jira/browse/DIRSERVER-1666
 for the details. Appreciate if you can verify the fix and report your 
 findings.
 
 On Thu, Oct 6, 2011 at 3:33 PM, Kiran Ayyagari kayyag...@apache.org 
 wrote:
 I confirm the presence of this issue, (which seems to be introduced
 during some code cleanup)
 will commit a fix in another 7 hours and let you know.
 Thanks for the detailed trace.
 
 On Thu, Oct 6, 2011 at 2:57 PM, Jonathan Disher jdis...@parad.net 
 wrote:
 Yes, I did.
 
 Actually, I am getting this:
 
 [18:55:46] ERROR [org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler] - Failed to initialize the log files required by the syncrepl provider
 java.lang.NullPointerException
        at org.apache.directory.server.ldap.replication.provider.SyncReplSearchListener.init(SyncReplSearchListener.java:98)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.registerPersistentSearches(SyncReplRequestHandler.java:929)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.start(SyncReplRequestHandler.java:171)
        at org.apache.directory.server.ldap.LdapServer.startReplicationProducer(LdapServer.java:506)
        at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:488)
        at org.apache.directory.server.ApacheDsService.startLdap(ApacheDsService.java:374)
        at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:174)
        at org.apache.directory.server.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:71)
        at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
 [18:55:46] ERROR [PROVIDER_LOG] - Failed to initialize the log files required by the syncrepl provider
 java.lang.NullPointerException
        at org.apache.directory.server.ldap.replication.provider.SyncReplSearchListener.init(SyncReplSearchListener.java:98)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.registerPersistentSearches(SyncReplRequestHandler.java:929)
        at org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.start(SyncReplRequestHandler.java:171)
        at org.apache.directory.server.ldap.LdapServer.startReplicationProducer(LdapServer.java:506)
        at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:488)
        at org.apache.directory.server.ApacheDsService.startLdap(ApacheDsService.java:374)
        at org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:174)
        at org.apache.directory.server.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:71)
        at org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
 [18:55:46] ERROR [org.apache.directory.server.ApacheDsService] - Cannot start the server : java.lang.NullPointerException
 [18:56:42] WARN [org.apache.directory.server.ldap.handlers.SearchHandler] - This server does not allow replication
 
 Permissions should be fine (it runs as root, I need to listen on 389), 
 so creating files shouldn't be a problem.
 
 -j
 
 On Oct 6, 2011, at 11:48 AM, Kiran Ayyagari wrote:
 
 did you add the attribute 'ads-replReqHandler' and restarted the 
 server?
 
 On Thu, Oct 6, 2011 at 2:26 PM, Jonathan Disher jdis...@parad.net 
 wrote:
 So, I did, and I followed the 

RE: ApacheDS Password policy issues

2011-10-13 Thread Carlo.Accorsi
Thank you so much. I won't be able to test all you fixed until Monday but I'll 
let you know. 

I meant to get back to you about the ads-pwcheckquality. When I have it set to 
2,  I get exceptions for length. (ok, thanks)
We set the userPassword attribute using the code snip below. 

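// needs: import java.security.MessageDigest;
String strPassword = "foo";
MessageDigest oMsgDigest = MessageDigest.getInstance("SHA");
oMsgDigest.update(strPassword.getBytes());
byte[] b = oMsgDigest.digest();
// value sent as userPassword: scheme prefix followed by the Base64 digest
String strResult = "{SHA}" + getEncodeBase64(b);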

When we try and do this (with ads-pwcheckquality=2)
javax.naming.directory.InvalidAttributeValueException is thrown .. cannot 
verify the quality of the non-cleartext passwords

OK fine. I'd be happy to  just set the clear text value but how does it know 
the pw algorithm to store it with? Or does it not matter anymore? Thanks!!


-Original Message-
From: ayyagariki...@gmail.com [mailto:ayyagariki...@gmail.com] On Behalf Of 
Kiran Ayyagari
Sent: Thursday, October 13, 2011 4:17 PM
To: users@directory.apache.org
Subject: Re: ApacheDS Password policy issues

On Tue, Oct 11, 2011 at 3:11 PM,  carlo.acco...@ibs-ag.com wrote:
 Hi, I've been working with the password policy functionality this week and 
 have encountered a few issues I'm hoping you can help clarify.

 These attributes are on the policy itself unless otherwise specified.


 1.       ads-pwdminlength (minimum # of chars required for a password) having 
 a non-zero value accepts passwords that are any length.

 a.       I didn't test ads-pwdmaxlength but might check that while you're 
 there.



 2.       The value ads-pwmaxage is supposed to be how long a password is 
 valid (in seconds).

 a.       Setting this to a non-zero value causes a pwdChangedTime 
 attribute to be set on the user when their password changes (ok)

 b.      However it never enforces the expiry

 i.       The ads-pwdgraceauthnlimit ( # of grace logins after expiration) 
 doesn't seem to have any effect

 ii.      Also setting  ads-pwdexpirewarning above and below  the max age 
 doesn't seem to matter either

 c.       If it did expire, how is this indicated on the user object ?


have fixed this issue. Server indicates the user about expiry by sending the 
ppolicy response control after setting the value for timeBeforeExpiration 
property to the time left before the password expires.
Note that this only happens if the user sent a request with ppolicy control 
(OID - 1.3.6.1.4.1.42.2.27.8.5.1)

 3.       When ads-pwdmaxfailure (number of times failed bind is permitted) is 
 set to 5 , it allows 11 login failures before locking the account.

 a.       Each login failure creates an additional pwdFailureTime 
 attribute for the user (ok)

 b.      pwdAccountLockedTime attribute is created after the 11th  
 failed bind. (Also what we want, but after 5 failures)

 c.       This might be some caching issue because I think once it took 13 
 failed attempts before it locked.


this is a bit strange, do you have some custom caching mechanism in place? OR 
some custom authenticator implementation that doesn't inherit the 
AbstractAuthenticator?

 4.       When ads-pwdinhistory (# of old passwords kept so they're not 
 reused) is set to 5 .

 a.       Users initially have no pwdHistory attribute (ok)

 b.      Each of the first 5 password changes happens successfully. 
 Each time adding new pwdHistory attribute to the user. (ok)

 c.       On the 6th  change, the exception below occurs. It's like it needs 
 to reuse the first pwdHistory attribute but cannot.


have fixed this issue, please verify with the latest trunk and let us know.
 #!RESULT ERROR
 #!CONNECTION ldap://localhost:10389
 #!DATE 2011-10-11T14:32:58.205
 #!ERROR [LDAP: error code 20 - ATTRIBUTE_OR_VALUE_EXISTS: failed for 
 MessageType : MODIFY_REQUEST Message ID : 29     Modify Request         
 Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'             
 Modification[0]                 Operation :  replace                 
 Modification     userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x79 0x59 
 0x53 0x75 0x30 0x42 0x53 0x75 0x78 0x32 0x49 ...' 
 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@3d1ac
 ad9: ERR_54 Cannot add a value which is already present : '0x32 0x30 
 0x31 0x31 0x31 0x30 0x31 0x31 0x31 0x38 0x33 0x32 0x30 0x34 0x5A 0x23 
 ...']
 dn: uid=1286309809117,ou=users,ou=int,o=cpro
 changetype: modify
 replace: userPassword

 userPassword:: e1NIQX15VVN1MEJTdXgySTZWUEJaSGFCNmhmMUxkaTA9




 I'll keep testing and thank you in advance!!
 Carlo Accorsi







--
Kiran Ayyagari


Re: Performance issues and strange logs

2011-10-13 Thread Emmanuel Lécharny

On 10/13/11 11:22 PM, Craig Setera wrote:

Having connected my code to the 1.5.7 code it is more than that.  I think I
may have reached into more internals for my implementation than I should
have and that that is the primary problem.  With that said, my initial tests
with Mina 2.0.4 underneath 1.5.5 seem to be working.  Is there anything I
would want to look for that might not be obvious in that scenario?


Not that much. May be compare the LdapServer class, we may have changed 
the way we have initialized the MINA layer there (the startNetwork 
method, from the top of my head).



--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com



Re: ApacheDS Password policy issues

2011-10-13 Thread Kiran Ayyagari
On Thu, Oct 13, 2011 at 5:45 PM,  carlo.acco...@ibs-ag.com wrote:
 Thank you so much. I won't be able to test all you fixed until Monday but 
 I'll let you know.

 I meant to get back to you about the ads-pwcheckquality. When I have it set 
 to 2,  I get exceptions for length. (ok, thanks)
 We set the userPassword attribute using the code snip below.

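 // needs: import java.security.MessageDigest;
 String strPassword = "foo";
 MessageDigest oMsgDigest = MessageDigest.getInstance("SHA");
 oMsgDigest.update(strPassword.getBytes());
 byte[] b = oMsgDigest.digest();
 // value sent as userPassword: scheme prefix followed by the Base64 digest
 String strResult = "{SHA}" + getEncodeBase64(b);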

 When we try and do this (with ads-pwcheckquality=2)
 javax.naming.directory.InvalidAttributeValueException is thrown .. cannot 
 verify the quality of the non-cleartext passwords

 OK fine. I'd be happy to  just set the clear text value but how does it know 
 the pw algorithm to store it with? Or does it not matter anymore? Thanks!!

there is an interceptor enabled by default for hashing the passwords
using hash method 'SSHA', so clear text passwords will be checked
for ppolicy conformance and hashed before storing into server

 -Original Message-
 From: ayyagariki...@gmail.com [mailto:ayyagariki...@gmail.com] On Behalf Of 
 Kiran Ayyagari
 Sent: Thursday, October 13, 2011 4:17 PM
 To: users@directory.apache.org
 Subject: Re: ApacheDS Password policy issues

 On Tue, Oct 11, 2011 at 3:11 PM,  carlo.acco...@ibs-ag.com wrote:
 Hi, I've been working with the password policy functionality this week and 
 have encountered a few issues I'm hoping you can help clarify.

 These attributes are on the policy itself unless otherwise specified.


 1.       ads-pwdminlength (minimum # of chars required for a password) having 
 a non-zero value accepts passwords that are any length.

 a.       I didn't test ads-pwdmaxlength but might check that while you're 
 there.



 2.       The value ads-pwmaxage is supposed to be how long a password is 
 valid (in seconds).

 a.       Setting this to a non-zero value causes a pwdChangedTime
 attribute to be set on the user when their password changes (ok)

 b.      However it never enforces the expiry

 i.       The ads-pwdgraceauthnlimit ( # of grace logins after expiration)
 doesn't seem to have any effect

 ii.      Also setting  ads-pwdexpirewarning above and below  the max age
 doesn't seem to matter either

 c.       If it did expire, how is this indicated on the user object ?


 have fixed this issue. Server indicates the user about expiry by sending the 
 ppolicy response control after setting the value for timeBeforeExpiration 
 property to the time left before the password expires.
 Note that this only happens if the user sent a request with ppolicy control 
 (OID - 1.3.6.1.4.1.42.2.27.8.5.1)

 3.       When ads-pwdmaxfailure (number of times failed bind is permitted) 
 is set to 5 , it allows 11 login failures before locking the account.

 a.       Each login failure creates an additional pwdFailureTime
 attribute for the user (ok)

 b.      pwdAccountLockedTime attribute is created after the 11th
 failed bind. (Also what we want, but after 5 failures)

 c.       This might be some caching issue because I think once it took 13 
 failed attempts before it locked.


 this is a bit strange, do you have some custom caching mechanism in place? OR 
 some custom authenticator implementation that doesn't inherit the 
 AbstractAuthenticator?

 4.       When ads-pwdinhistory (# of old passwords kept so they're not 
 reused) is set to 5 .

 a.       Users initially have no pwdHistory attribute (ok)

 b.      Each of the first 5 password changes happens successfully.
 Each time adding new pwdHistory attribute to the user. (ok)

 c.       On the 6th  change, the exception below occurs. It's like it needs 
 to reuse the first pwdHistory attribute but cannot.


 have fixed this issue, please verify with the latest trunk and let us know.
 #!RESULT ERROR
 #!CONNECTION ldap://localhost:10389
 #!DATE 2011-10-11T14:32:58.205
 #!ERROR [LDAP: error code 20 - ATTRIBUTE_OR_VALUE_EXISTS: failed for
 MessageType : MODIFY_REQUEST Message ID : 29     Modify Request
 Object : 'uid=1286309809116,ou=users,ou=int,o=cpro'
 Modification[0]                 Operation :  replace
 Modification     userPassword: '0x7B 0x53 0x48 0x41 0x7D 0x79 0x59
 0x53 0x75 0x30 0x42 0x53 0x75 0x78 0x32 0x49 ...'
 org.apache.directory.shared.ldap.model.message.ModifyRequestImpl@3d1ac
 ad9: ERR_54 Cannot add a value which is already present : '0x32 0x30
 0x31 0x31 0x31 0x30 0x31 0x31 0x31 0x38 0x33 0x32 0x30 0x34 0x5A 0x23
 ...']
 dn: uid=1286309809117,ou=users,ou=int,o=cpro
 changetype: modify
 replace: userPassword

 userPassword:: e1NIQX15VVN1MEJTdXgySTZWUEJaSGFCNmhmMUxkaTA9




 I'll keep testing and thank you in advance!!
 Carlo Accorsi







 --
 Kiran Ayyagari




-- 
Kiran Ayyagari
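
Added example (not part of the original thread, and not ApacheDS code): a model of the flow described in the reply above, where a cleartext password is checked against the policy and then stored as a salted hash, while a value that already carries a {scheme} prefix cannot be checked. It assumes the common {SSHA} layout, base64(SHA-1(password + salt) + salt); the function names and the 8-byte salt are choices made for this illustration.

```python
import base64
import hashlib
import hmac
import os
import re

SCHEME_PREFIX = re.compile(rb"^\{[A-Za-z0-9-]+\}")


def ssha(password, salt=None):
    """Return a {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def prepare_user_password(value, min_length):
    """Check a cleartext value against a minimum length, then hash it."""
    if SCHEME_PREFIX.match(value):
        # Only a digest is available, so length and content cannot be judged.
        raise ValueError("cannot verify the quality of a non-cleartext password")
    if len(value.decode("utf-8")) < min_length:
        raise ValueError("password shorter than %d characters" % min_length)
    return ssha(value)


def verify(stored, candidate):
    """Check a candidate password against a stored {SHA} or {SSHA} value."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]   # a SHA-1 digest is 20 bytes
    elif stored.startswith(b"{SHA}"):
        digest, salt = base64.b64decode(stored[5:]), b""
    else:
        raise ValueError("unsupported scheme")
    return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())


# The value the client-side snippet in the thread builds for the password "foo".
CLIENT_HASHED = b"{SHA}" + base64.b64encode(hashlib.sha1(b"foo").digest())
```

Because the salt is random, hashing the same cleartext twice gives two different stored values, which the unsalted {SHA} form built on the client never does.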


Re: Apache Directory LDAP client API persistent search

2011-10-13 Thread Stefan Seelmann
On Thu, Oct 6, 2011 at 11:05 PM, Emmanuel Lecharny elecha...@gmail.com wrote:
 On 10/6/11 10:44 PM, Charles FENDT wrote:

 Hi,

 I'm trying to work with Apache DS for a central repository and Apache
 Directory LDAP Client API on Java servers to request in the repository.
 It works pretty well... except one thing: I need to make a persistent search
 in the LDAP server... and I can't make it work...
 I didn't find any example or howto on which to base my code...

 So I'm asking for some help !

 You may check this test :

 http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/search/PersistentSearchIT.java?revision=1124675view=markup

 It implements a persistent search.

 Be aware that this test is a bit complex, but feel free to post your
 question on this mailing list.

Hm, the linked test uses JNDI to perform persistent search. Does the
LDAP API also support persistent search and if yes are there examples?


Re: Apache Directory LDAP client API persistent search

2011-10-13 Thread Emmanuel Lécharny

On 10/14/11 12:33 AM, Stefan Seelmann wrote:

On Thu, Oct 6, 2011 at 11:05 PM, Emmanuel Lecharny elecha...@gmail.com wrote:

On 10/6/11 10:44 PM, Charles FENDT wrote:

Hi,

I'm trying to work with Apache DS for a central repository and Apache
Directory LDAP Client API on Java servers to request in the repository.
It works pretty well... except one thing: I need to make a persistent search
in the LDAP server... and I can't make it work...
I didn't find any example or howto on which to base my code...

So I'm asking for some help !

You may check this test :

http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/search/PersistentSearchIT.java?revision=1124675view=markup

It implements a persistent search.

Be aware that this test is a bit complex, but feel free to post your
question on this mailing list.

Hm, the linked test uses JNDI to perform persistent search. Does the
LDAP API also support persistent search and if yes are there examples?


Well, we have to inject the PersistentSearch control this way :

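@Test
public void testSimpleSearchWithControl() throws Exception
{
    // Build a one-level search under ou=system and attach the persistent search control
    SearchRequest searchRequest = new SearchRequestImpl()
        .setBase( new Dn( "ou=system" ) )
        .setFilter( "(objectclass=*)" )
        .setScope( SearchScope.ONELEVEL )
        .addControl( new PersistentSearchImpl() );
    // Note: this call repeats base, filter and scope; the searchRequest built
    // above (which carries the control) is not passed to it.
    EntryCursor cursor = connection.search( "ou=system", "(objectclass=*)", SearchScope.ONELEVEL );
    // handling of the results is not shown
}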


Now, we have to deal with the result. It's a bit late for me to add a 
test that does it.


--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com