Re: replication partially working
Guys, I found the problem and don't know how to solve it. DNs which have ACLs on them (administrativerole, accesscontrolsubentry) don't replicate attributes even when I grant everything for everyone. When I remove the ACLs, everything works. I tested this on both master and slave clear servers, just added a new partition, DN and ACL on it. I suppose this is not intended. Maybe it's a bug?

On 05/10/2012 01:01 PM, Kiran Ayyagari wrote:
try with a clean slave and see if you get the same error (it shouldn't happen, report here otherwise, will take a look)

On Thu, May 10, 2012 at 4:28 PM, houmles houm...@gmail.com wrote:
maybe, but I really don't remember, I did a lot of experiments to get full replication working

On 05/10/2012 12:46 PM, Kiran Ayyagari wrote:
did you, by any chance, modify the password of the user in slave to the same value that is being replicated later?

On Thu, May 10, 2012 at 4:01 PM, houmles houm...@gmail.com wrote:
I have only 2 test users on that ldap, I am in testing phase before deploying to live, so definitely no one is changing passwords. This error pops up at the same time as I changed the value and the slave tried to sync.

On 05/10/2012 12:26 PM, Kiran Ayyagari wrote:
this error is not related to replication, it is a password policy related error; some user is trying to change the password but is giving a value that he has used earlier as password.

On Thu, May 10, 2012 at 3:53 PM, houmles houm...@gmail.com wrote:
This error shows on the slave server. It happens only when I tried to modify any attribute. DN syncing works and doesn't have any errors.

jvm 1| [12:18:39] ERROR [org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl] - invalid reuse of password present in password history
jvm 1| org.apache.directory.shared.ldap.model.exception.LdapOperationException: invalid reuse of password present in password history
jvm 1| at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:248)
jvm 1| at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:660)
jvm 1| at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:590)
jvm 1| at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:564)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:985)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResult(ReplicationConsumerImpl.java:361)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:618)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:505)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.start(ReplicationConsumerImpl.java:548)
jvm 1| at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:660)
jvm 1| at java.lang.Thread.run(Thread.java:722)

On 05/10/2012 11:23 AM, Kiran Ayyagari wrote:
this looks valid, do you have any error logs?

On Thu, May 10, 2012 at 2:09 PM, houmles houm...@gmail.com wrote:
here it is:

dn: ads-replconsumerid=1,ou=replConsumers,ads-serverId=ldapServer,ou=servers
 ,ads-directoryServiceId=default,ou=config
objectclass: top
objectclass: ads-base
objectclass: ads-replConsumer
ads-replaliasderefmode: never
ads-replattributes: *
ads-replconsumerid: 1
ads-replprovhostname: x.x.x.x
ads-replprovport: 10389
ads-replrefreshinterval: 6
ads-replrefreshnpersist: true
ads-replsearchfilter: (objectClass=*)
ads-replsearchscope: sub
ads-replsearchsizelimit: 0
ads-replsearchtimeout: 0
ads-repluserdn: uid=admin,ou=system
ads-repluserpassword:: x
ads-searchbasedn: dc=xxx,dc=xx
ads-replstrictcertvalidation: false
ads-replusetls: false

On 05/10/2012 10:29 AM, Kiran Ayyagari wrote:
can you provide the complete entry data with DN ads-replConsumerId=whatever-id-you-have-here,ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config (remove the server IP and user credentials if they are sensitive)

On Thu, May 10, 2012 at 1:38 PM, houmles houm...@gmail.com wrote:
oops, forgot to mention 2.0.0-M6

On 05/10/2012 10:00 AM, Emmanuel Lécharny wrote:
On 5/10/12 9:48 AM, houmles wrote:
Hi,

Hi,

I have fully working one ADS and want to replicate it to another. I followed some tutorial and managed to replicate it but only just
Re: replication partially working
On 5/11/12 11:12 AM, houmles wrote:
Guys, I found the problem and don't know how to solve it. DNs which have ACLs on them (administrativerole, accesscontrolsubentry) don't replicate attributes even when I grant everything for everyone. When I remove the ACLs, everything works. I tested this on both master and slave clear servers, just added a new partition, DN and ACL on it. I suppose this is not intended. Maybe it's a bug?

I wonder if we transfer Operational Attributes. Can you add the following values:

ads-replattributes: administrativeRole
ads-replattributes: accessControlSubentry

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: replication partially working
I already have ads-replattributes: * but even when I explicitly add those 2 attributes it doesn't work.

On 05/11/2012 12:03 PM, Emmanuel Lécharny wrote:
On 5/11/12 11:12 AM, houmles wrote:
Guys, I found the problem and don't know how to solve it. DNs which have ACLs on them (administrativerole, accesscontrolsubentry) don't replicate attributes even when I grant everything for everyone. When I remove the ACLs, everything works. I tested this on both master and slave clear servers, just added a new partition, DN and ACL on it. I suppose this is not intended. Maybe it's a bug?

I wonder if we transfer Operational Attributes. Can you add the following values:

ads-replattributes: administrativeRole
ads-replattributes: accessControlSubentry
PasswordPolicy and admin user
Hi,

I spotted a strange behaviour in Apache DS 2M6 (basic configuration, nothing special). When I try to bind with the admin account, asking for the PasswordPolicyControl, it fails to bind. As soon as I remove the control it works fine. I don't know if it is a bug or not but I did not find anything in the specifications about that.

Thanks in advance
M.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.ldap.Control;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    import org.springframework.security.ldap.ppolicy.PasswordPolicyControl;

    Hashtable<String, String> environment = new Hashtable<String, String>();
    environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    environment.put(Context.PROVIDER_URL, "ldap://localhost:389/");
    environment.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
    environment.put(Context.SECURITY_CREDENTIALS, "secret");
    environment.put(LdapContext.CONTROL_FACTORIES, "org.springframework.security.ldap.ppolicy.PasswordPolicyControlFactory");
    // Bind with the password policy request control attached to the BindRequest
    LdapContext ldapContext = new InitialLdapContext(environment, new Control[] {new PasswordPolicyControl(false)});
    // Print any response controls returned with the bind response
    Control[] controls = ldapContext.getResponseControls();
    for (int j = 0; controls != null && j < controls.length; j++) {
        System.out.println(controls[j]);
    }
    ldapContext.close();

---
javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: null]
Re: replication partially working
Found something more. I have an ou object and a description in it. I can modify that description and replicate it as long as administrativeRole is not present. When I add administrativeRole, I get this error when I try to modify or add any attribute:

jvm 1| [15:21:29] ERROR [org.apache.directory.server.core.schema.SchemaInterceptor] - ERR_54 Cannot add a value which is already present : accessControlSpecificArea
jvm 1| [15:21:29] ERROR [org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl] - ERR_54 Cannot add a value which is already present : accessControlSpecificArea
jvm 1| org.apache.directory.shared.ldap.model.exception.LdapAttributeInUseException: ERR_54 Cannot add a value which is already present : accessControlSpecificArea
jvm 1| at org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:858)
jvm 1| at org.apache.directory.server.core.schema.SchemaInterceptor.modify(SchemaInterceptor.java:1390)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.hash.PasswordHashingInterceptor.modify(PasswordHashingInterceptor.java:113)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.kerberos.KeyDerivationInterceptor.modify(KeyDerivationInterceptor.java:164)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.exception.ExceptionInterceptor.modify(ExceptionInterceptor.java:298)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.modify(DefaultAuthorizationInterceptor.java:288)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.modify(AciAuthorizationInterceptor.java:855)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.referral.ReferralInterceptor.modify(ReferralInterceptor.java:309)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:1050)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:248)
jvm 1| at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:660)
jvm 1| at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:590)
jvm 1| at org.apache.directory.server.core.shared.DefaultCoreSession.modify(DefaultCoreSession.java:564)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:985)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResult(ReplicationConsumerImpl.java:361)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:618)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:505)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.start(ReplicationConsumerImpl.java:548)
jvm 1| at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:660)
jvm 1| at java.lang.Thread.run(Thread.java:722)

On 05/11/2012 12:03 PM, Emmanuel Lécharny wrote:
On 5/11/12 11:12 AM, houmles wrote:
Guys, I found the problem and don't know how to solve it. DNs which have ACLs on them (administrativerole, accesscontrolsubentry) don't replicate attributes even when I grant everything for everyone. When I remove the ACLs, everything works. I tested this on both master and slave clear servers, just added a new partition, DN and ACL on it. I suppose this is not intended. Maybe it's a bug?

I wonder if we transfer Operational Attributes. Can you add the following values:

ads-replattributes: administrativeRole
ads-replattributes: accessControlSubentry
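
Added example (not part of the original thread and not ApacheDS code): a small Python triage of the two stack traces posted in this thread. It strips the "jvm 1|" wrapper prefix, takes the class in the top frame of each exception as the component that rejected the change, and records whether ReplicationConsumerImpl is on the call path; the sample log is a shortened copy of lines from the thread and the function name triage is hypothetical.

```python
import re

# Constructed sample: shortened copy of the two traces posted in this thread.
SAMPLE_LOG = """\
jvm 1| [12:18:39] ERROR [org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl] - invalid reuse of password present in password history
jvm 1| org.apache.directory.shared.ldap.model.exception.LdapOperationException: invalid reuse of password present in password history
jvm 1| at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:956)
jvm 1| at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:599)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:985)
jvm 1| [15:21:29] ERROR [org.apache.directory.server.core.schema.SchemaInterceptor] - ERR_54 Cannot add a value which is already present : accessControlSpecificArea
jvm 1| [15:21:29] ERROR [org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl] - ERR_54 Cannot add a value which is already present : accessControlSpecificArea
jvm 1| org.apache.directory.shared.ldap.model.exception.LdapAttributeInUseException: ERR_54 Cannot add a value which is already present : accessControlSpecificArea
jvm 1| at org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:858)
jvm 1| at org.apache.directory.server.core.schema.SchemaInterceptor.modify(SchemaInterceptor.java:1390)
jvm 1| at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.modify(AciAuthorizationInterceptor.java:855)
jvm 1| at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:985)
"""

PREFIX = re.compile(r"^jvm \d+\s*\|\s?")                      # service wrapper prefix
EXC = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")     # exception header line
FRAME = re.compile(r"^at ([\w.$]+)\.(\w+)\(\w+\.java:(\d+)\)$")  # one stack frame


def triage(log_text):
    """Return one dict per exception: type, message, raising class, replication path."""
    results, current = [], None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw).strip()
        header = EXC.match(line)
        if header:
            current = {"exception": header.group(1).rsplit(".", 1)[-1],
                       "message": header.group(2),
                       "raised_by": None, "via_replication": False}
            results.append(current)
            continue
        frame = FRAME.match(line)
        if frame and current is not None:
            cls = frame.group(1).rsplit(".", 1)[-1]
            if current["raised_by"] is None:
                current["raised_by"] = cls          # top frame is the code that threw
            if cls == "ReplicationConsumerImpl":
                current["via_replication"] = True   # change was applied by the consumer
        elif not frame:
            current = None                          # any other line ends the trace
    return results


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```
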
Re: PasswordPolicy and admin user
On 5/11/12 3:15 PM, Mathieu Pousse wrote:
Hi,

I spotted a strange behaviour in Apache DS 2M6 (basic configuration, nothing special). When I try to bind with the admin account, asking for the PasswordPolicyControl, it fails to bind. As soon as I remove the control it works fine.

What would be good is to provide the BindRequest the server receives.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com