[389-users] report script

2022-01-11 Thread Angel Bosch Mora
Hi, sorry for this dumb question but I've been searching for it and I can't find it anywhere. Where's the script that shows you a report of most searched objects and other performance related stuff? I remember using it in my old installations to adjust some indexes but I've been playing

[389-users] Re: fips enabled error

2021-05-17 Thread Angel Bosch Mora
> > is it possible to lower the severity of fips enabled info from ERR > > to WARN in messages like this? > Absolutely, changing it now... wow! that was truly fast :) thanks a lot for your time, abosch -- Institut Mallorqui d'Afers Socials.

[389-users] fips enabled error

2021-05-17 Thread Angel Bosch Mora
Hi, is it possible to lower the severity of fips enabled info from ERR to WARN in messages like this? [17/May/2021:10:57:02.753271017 +] - ERR - slapd_system_isFIPS - Can not access /proc/sys/crypto/fips_enabled - assuming FIPS is OFF can seem a cosmetic change but it breaks my monitoring

[389-users] Re: gecos syntax

2021-05-13 Thread Angel Bosch Mora
> * sanitise the data to be ia5 compliant IE remove accents etc. I did just that and I leave it here in case anyone is facing same problem (it's a oneliner): cat original-data.ldif | perl -pe 's,^gecos:.*,`echo -n "$&" | iconv -f utf-8 -t ascii//translit`,gei' > sanitized-data.ldif in my

[389-users] gecos syntax

2021-05-12 Thread Angel Bosch Mora
I'm testing a migration from 1.2.8 to latest version and I'm facing some problem while importing data: ldap_add: Invalid syntax (21) additional info: gecos: value #0 invalid per syntax I understand that I'm using UTF8 data here (ÁLBA GARCÍA LÓPEZ) so I have two questions: why old

[389-users] Re: plugin naming

2021-05-12 Thread Angel Bosch Mora
tps://github.com/389ds/389-ds-base/blob/master/src/lib389/lib389/cli_conf/plugins/retrochangelog.py > def create_parser(subparsers): > retrochangelog = subparsers.add_parser('retro-changelog', > help='Manage > and configure Retro Changelog plugin') > > Thanks, > Marc

[389-users] Re: plugin naming

2021-05-11 Thread Angel Bosch Mora
> it was likely the right time to have this change. > and not subject to change anytime soon. > > is it possible a 389-ds-base-1.4.0 from before March 2019 till > lurking > around? > I'm using debian packages: dpkg -l | grep 389-ds-base ii 389-ds-base 1.4.4.11-1

[389-users] plugin naming

2021-05-10 Thread Angel Bosch Mora
hi, I vaguely remember discussing this some time ago but I can't find it now. what's the difference between dsconf myinstance plugin set --enabled on "Retro Changelog Plugin" and dsconf myinstance plugin retro-changelog enable ? any of them is gonna be deprecated? I also noticed

[389-users] Re: plugin names and debian packages

2021-01-28 Thread Angel Bosch Mora
> >> As sysadmin I create a lot of script to install/manage services > >> and is confusing having commands that change that often. > > You may find it "more stable" to use lib389 directly rather than the > CLI then. I think the team should talk about the CLI having an > "interface guarantee", and

[389-users] Re: plugin names and debian packages

2021-01-27 Thread Angel Bosch
> Again I think you are looking at the older version of the server. >   ok, I understand. I see that version 2 is already out. Can I expect additional changes in dsconf interface or will you try to maintain a stable set of parameters? As sysadmin I create a lot of script to install/manage

[389-users] Re: plugin names and debian packages

2021-01-27 Thread Angel Bosch
accept those settings. what's the correct way to configure that? abosch - Original message - > From: "Mark Reynolds" > To: "General discussion list for the 389 Directory server project." > <389-users@lists.fedoraproject.org>, "Angel > Bosch Mora

[389-users] plugin names and debian packages

2021-01-27 Thread Angel Bosch Mora
hi! I'm testing my install recipes on debian and I've found two little problems. on CentOS I execute dsconf myinstance plugin retro-changelog enable but today I tried in debian and it says is an invalid choice: dsconf instance plugin: error: invalid choice: 'retro-changelog' (choose

[389-users] Re: impact of the CentOS Stream drama

2021-01-11 Thread Angel Bosch Mora
> The 'core team' does not have much involvement in the debian 389-ds > packaging process, but the debian maintainer has always been > responsive and done a great job from what I am able to observe. I > would expect there to be "very little" difference between debian and > centos 389-ds packages.

[389-users] impact of the CentOS Stream drama

2021-01-08 Thread Angel Bosch Mora
hi, I'm not sure if this has been discussed here. Will this project be impacted in some way by the CentOS decision? I'm about to start a new setup and I wanted to use CentOS, but now I'm thinking about Debian. In that regard, is there any difference between Debian packages and CentOS ones?

[389-users] Re: unattended request cert process

2020-12-02 Thread Angel Bosch Mora
> depending on your version of 389, look at "dsctl tls > import-ca" > > {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca > --help > usage: dsctl [instance] tls import-ca [-h] cert_path nickname > > positional arguments: > cert_path The path to the x509 cert to import as

[389-users] unattended request cert process

2020-12-01 Thread Angel Bosch Mora
hi, some time ago I asked for a scriptable way of creating a certificate request, here's the thread: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/EHWWAHOO3S2HZEWJEXTQKDDRH33NLSMU/#HF7ZPVLMUK32AIEEWPEOLUJGZFXXRCEK I didn't have the time to write

[389-users] Re: precreation nss databases

2019-06-18 Thread Angel Bosch Mora
> The feature doesn't exist yet, so if you write a PEM -> NSS tool, the > project would love to accept it to our source code. It's been > something I have wanted for a while, and recently I have been > thinking with containers I should more seriously develop it, but if > you wanted to add this, we

[389-users] Re: precreation nss databases

2019-06-18 Thread Angel Bosch
> However, be mindful that the if you use attribute encryption, this > value is stored in the key3.db, and replacement of this file WILL > destroy your access to your own database! IE if you plan to use this > strategy, you MUST NOT use attribute encryption at the same time. > I'll take that into

[389-users] precreation nss databases

2019-06-17 Thread Angel Bosch
hi, I'm still evaluating some options to securize dynamic nodes and I have some questions regarding certutil and nss databases: Can I create NSS databases on any directory/server and then move files to "/etc/dirsrv/slapd-instance_name" ? If cert8.db and key3.db files are found in that

[389-users] syncrepl client

2019-05-28 Thread Angel Bosch Mora
Hi, I'm performing some tests and would like to configure a syncrepl client like this one: https://github.com/landryb/syncrepl but I don't find useful information. For example, in this project there's a demo script that says about URL argument: 'An LDAP URL with all information

[389-users] Re: SSL configuration on dynamic deployments

2019-05-24 Thread Angel Bosch Mora
> So your 4 write servers are in mmr. Then you have 2 -> N read-onlys > as well which scale up and down. > > Do you plan to have ldap.example.com point to the IP's of the > read-onlys directly? Or to a load balancer? > yes, we already got that. > If this was me, just because of the scaling

[389-users] acis in 99user.ldif and target on subtree

2019-05-23 Thread Angel Bosch Mora
Hi! two more questions: 1- when migrating should I take care about ACIs in 99user.ldif? right now there are four entries: aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) aci:

[389-users] keeping internal attributes on export/import

2019-05-23 Thread Angel Bosch Mora
hi! quick question: is there any reason to keep modifyTimestamp, modifiersName, createTimestamp, and creatorsName when reimporting on a migration? abosch

[389-users] Re: SSL configuration on dynamic deployments

2019-05-23 Thread Angel Bosch Mora
> I think to answer this, I'd like to see a diagram or description of > the network and deployment topology you have in mind to help advise > for what you want to achieve here :) > Is really very simple. Think of it like the typical MMR with 4 nodes: https://i.imgur.com/DY8aSAo.png but the

[389-users] SSL configuration on dynamic deployments

2019-05-22 Thread Angel Bosch
Hi again, continuing with my automation I'm facing now the problem of SSL configuration. Using certificates at LB level is not recommended according to https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html sharing keys is also discouraged, so my question is if there is a way to

[389-users] Re: referral on update equivalent with dsconf

2019-05-22 Thread Angel Bosch
YYY I'll leave all this here just in case any other script lover needs to modify their recipes. good job! abosch - Original message ----- > From: "Angel Bosch" > To: "General discussion list for the 389 Directory server project." > <389-users@lists.fed

[389-users] Re: referral on update equivalent with dsconf

2019-05-22 Thread Angel Bosch
> which is why the cli tools were misleading you here sadly. I think > we as a team, need to review and understand what happened here to > cause them to mislead a person about their function. :( > > Sorry that this confusion occurred. Does my answer help? > sure! your answers are always very

[389-users] keeping nsDS5ReplicaBindDN on manager deletion

2019-05-21 Thread Angel Bosch Mora
I'm testing this new command: dsconf instance replication create-manager and when I create a new manager I can see a new nsDS5ReplicaBindDN on the replica entry. but when I remove the manager with "delete-manager" the nsDS5ReplicaBindDN is not removed. is there a reason for that? why do

[389-users] referral on update equivalent with dsconf

2019-05-21 Thread Angel Bosch Mora
Hi, is this new command: dsconf instance replication set --suffix "dc=example,dc=net" --repl-add-ref master1.example.net the same as this modification? REF_LDIF="dn: cn=dc\=example\,dc\=net,cn=mapping tree,cn=config changetype: modify replace: nsslapd-referral nsslapd-referral:

[389-users] Re: configuring nsslapd-referral with virtual host

2019-05-15 Thread Angel Bosch
> Do you have load balancers in here at all? Or is it just directly > accessible servers? What does the TLS termination? > yes, we use LB and VIPs to avoid any failure. > If you have load balancers/VIP involved, you should set the > nsslapd-referral to the hostname of the load balancer/VIP,

[389-users] configuring nsslapd-referral with virtual host

2019-05-14 Thread Angel Bosch Mora
hi! I'm creating my own MMR script and I would like to know if there's any limitation with the FQDN used in nsslapd-referral as stated in

[389-users] Re: docs for 1.4

2019-05-02 Thread Angel Bosch Mora
> If you have a specific question though, I’d be happy to help! > I'm glad you offered :) these are the attributes I'm currently using: cn: description: displayName:: dn: employeeNumber: gecos: gidNumber: homeDirectory: loginShell: mail: manager: member: memberOf: objectClass:

[389-users] docs for 1.4

2019-04-30 Thread Angel Bosch Mora
hi! is there a way to access documentation for upcoming 1.4 release? I would like to see specifically changes in ACIs as stated in this thread: https://lists.fedorahosted.org/archives/list/389-users@lists.fedoraproject.org/thread/PG5QXDAI2OI4YVIEIDG6QCFIANQPBTSJ/ thanks in advance, abosch

[389-users] Re: creating root suffix from cockpit

2019-03-22 Thread Angel Bosch
> I am actually working on the UI right now, what exactly would you > like > in the UI?  Is creating "sample entries" sufficient for your needs, > or > do you actually need just a basic root node entry created?  Adding an > option to create the root node is trivial, but I want to confirm what >

[389-users] creating root suffix from cockpit

2019-03-21 Thread Angel Bosch Mora
Hi, I asked a broad question here: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/7G2Y2ZYBYB7JNOCMIGV5WQMYDAWSD6VM/ but I would like to know specifically if root suffix can be created with cockpit. thanks, abosch

[389-users] Re: ACI to allow group to access one attribute

2018-03-05 Thread Angel Bosch
> I need to see the aci's on your server to help more. Can you please > send me (either to the list, or directly to my email) the output of: > > ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -w -H > ldaps:// '(aci=*)' aci > > That well help me answer the question as to what is causing

[389-users] Re: 389ds on lxc debian

2018-02-01 Thread Angel Bosch Mora
thanks for this detailed explanation. what time frame are we talking here? 1 year? 1 month? I'm evaluating an update/migration from my 1.2 installation and I don't mind waiting a little bit. > As for today, the best advice I can give is use setup-ds.pl without > the > admin tools, and just

[389-users] Re: 389ds on lxc debian

2018-02-01 Thread Angel Bosch Mora
> There are a number of users of 389-ds with lxc, just not with the > admin > console that I am aware of. > ok so is just the admin console that can't be installed on lxc. is there any work being done in this matter? should I file a bug? abosch

[389-users] 389ds on lxc debian

2018-01-30 Thread Angel Bosch Mora
hi, I'm trying to install 1.1.43-1+b1 package on lxc with debian 9 and I get this error: invoke-rc.d: initscript dirsrv-admin, action "start" failed. ● dirsrv-admin.service - 389 Administration Server. Loaded: loaded (/lib/systemd/system/dirsrv-admin.service; disabled; vendor preset:

[389-users] Re: How to Restrict user authentication per application?

2016-11-22 Thread Angel Bosch
Some people already said that but just want to give my 2c. > - Some application are not using filters along with bind, to control > user login - for some reasons (e.g. not having the capability, are > not designed to get user list, or they do not have need to keep > things about Users, or you

Re: [389-users] DB account master integrated with LDAP

2015-11-04 Thread Angel Bosch
This is most related to architecture than LDAP itself, and is exactly what I've been doing in my current position. You have to decide which of your user directories will be the main one. In our case was the HHRR app which imposed an oracle solution. With sql triggers we create the user in our

Re: [389-users] Question RE: 389DS

2015-10-08 Thread Angel Bosch
> When SSL-enabling the directory server, am I allowed to use a > wildcard certificate or is it mandatory the certificate include the > FQHN? > the certificate should always contain the FQDN but you can use the alternate extension that allows you to specify multiple names. this is what I use

[389-users] selinux problem with centos 7.1

2015-04-17 Thread Angel Bosch
hi, I'm having problems installing a new test environment on centos 7.1 when I execute setup-ds-admin.pl i get this message: Adding port 389 to selinux policy failed - ValueError: SELinux policy is not managed or store cannot be accessed. I've tried with --debug and it keeps retrying

Re: [389-users] selinux problem with centos 7.1

2015-04-17 Thread Angel Bosch
I went through this with Mageia. You either need to enable selinux (permissive) or compile 389-ds without selinux. do you mean I won't be able to execute it without selinux? or is just the installer? abosch -- 389 users mailing list 389-users@lists.fedoraproject.org

Re: [389-users] stable packages for Centos 7

2014-10-20 Thread Angel Bosch
can someone give me some light on this issue? I'm getting some pressure from my direct bosses and I need all info I can get to evaluate our DS environment for next year. thanks in advance. abosch - Original message - From: Angel Bosch abo...@ticmallorca.net To: 389-users

[389-users] stable packages for Centos 7

2014-09-23 Thread Angel Bosch
hi, I'm planning to migrate some of my servers to 1.3 branch and I don't know what packages to use. I've found packages from mreynolds: http://copr.fedoraproject.org/coprs/mreynolds/389-ds-base/ and dfas: http://copr.fedoraproject.org/coprs/dfas/389-ds-dfas/ first one seems to be a nightly

Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL

2011-10-04 Thread Angel Bosch Mora
is not the same /etc/ldap.conf than /etc/openldap/ldap.conf seems that you're missing second one. While attempting to change a directory password I keep getting this message… [root@xxx ~]# ldappasswd -x -ZZ -D cn=directory manager -w “mypass”

Re: [389-users] Problem with samba and 389 Directory server with LDAPS

2011-09-29 Thread Angel Bosch Mora
appreciate the help. From: 389-users-boun...@lists.fedoraproject.org [ mailto:389-users-boun...@lists.fedoraproject.org ] On Behalf Of Angel Bosch Mora Sent: Wednesday, September 28, 2011 7:52 AM To: General discussion list for the 389 Directory server project. Subject: Re: [389-users

Re: [389-users] SSL/TLS with a hardware load balancer

2011-06-10 Thread Angel Bosch Mora
- Original message - Has anyone engineered a design to run 389-ds servers behind a hardware load balancer like an f5 LTM? I've found this question presented before, but never answered. a) the openldap-clients ldap module will query the first host/uri in the list until the port goes

[389-users] entry-id conflict

2011-05-06 Thread Angel Bosch Mora
hi, i'm setting up another node on my multimaster environment. on the new node i can see differences on entry-id attribute. is this normal? i guess this is an internal attribute but i'm not sure if must be shared and unique across members of replication. regards, abosch

[389-users] admin server fails to start with PSET failure: Failed to create PSET handle

2011-04-07 Thread Angel Bosch Mora
hi, im having problems starting admin server. i can see just this line on log: [Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) not sure if is related, but we had an accident that changed permissions on some files (recursive chmod on

Re: [389-users] admin server fails to start with PSET failure: Failed to create PSET handle

2011-04-07 Thread Angel Bosch Mora
- Original message - On 04/07/2011 04:37 AM, Angel Bosch Mora wrote: hi, im having problems starting admin server. i can see just this line on log: [Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) not sure

Re: [389-users] Questions about groups and group IDs

2011-01-07 Thread Angel Bosch Mora
- Original message - We are planning out how we are going to move from Active Directory to 389-ds. We can add users to our test environment successfully, and give the accounts the proper information (uid, shell, etc.). However, 1 area that we are getting stumped at is groups. In our

Re: [389-users] get base dn from ldapsearch

2010-11-25 Thread Angel Bosch Mora
- Original message - Oddly enough it looks like it comes out as part of the LDIF comment. If you skip the option to tell it to not output ldif comments you'll get your base: $ ldapsearch -d1 -x (uid=example) 2>&1 | grep base # base dc=example,dc=com (default) with scope subtree

Re: [389-users] get base dn from ldapsearch

2010-11-24 Thread Angel Bosch Mora
Maybe I am understanding this wrong but could you not just check in the config what the search base is set to on the client side? What is the problem you are trying to solve? yes, you're right. i can just take a look at ldap.conf but there's several places to look: - debian/ubuntu uses

[389-users] get base dn from ldapsearch

2010-11-23 Thread Angel Bosch Mora
hi, not specifically 389 related but: is there a way to guess default base dn for clients (the one configured in /etc/openldap/ldap.conf) with ldapsearch? i've tried with -v, -n and -d but i only get the server, not the base. regards, abosch

Re: [389-users] SSl connection to 389 DS server

2010-11-22 Thread Angel Bosch Mora
ssl connections need the same FQDN specified in the cert to be used when connecting. localhost is hardly going to work. abosch

Re: [389-users] dsml packages

2010-11-14 Thread Angel Bosch Mora
- Original message - Yes. We never released dsmlgw as an rpm package. i thought i saw something about packages in the docs but i can't find it now. thanks for the answer.

[389-users] dsml packages

2010-11-11 Thread Angel Bosch Mora
hi, i can't find last dsml packages anywhere. must i compile from sources? i use epel repos. regards, abosch

[389-users] upgrading packages

2010-11-10 Thread Angel Bosch Mora
hi, i've some questions about upgrading: - must i run 'setup-ds-admin.pl -u' everytime there's a new package in the repos? - doesn't packaging take care of that? - does it matter how many instances are configured? i've been having some strange problems in my (mixed) environment and i just

Re: [389-users] duplicate existing ssl crenentials on another server ?

2010-11-09 Thread Angel Bosch Mora
you must create a certificate with additional hostnames with -8 option. you can view an example here: http://docs.sun.com/app/docs/doc/819-5899/6n7uuth9p?l=enn=1a=view - Original message - Hello, After having read through the Howto:SSL document on the 389 wiki, i went ahead and

Re: [389-users] Safeguarding against to many established connections

2010-10-19 Thread Angel Bosch Mora
- Original message - On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote: Hi We have recently seen an issue were a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed

[389-users] sub-suffix creation

2010-10-15 Thread Angel Bosch Mora
hi, im trying to create the entry for a sub-suffix i've created in the console but i can't find any instruction. i've followed official docs:

Re: [389-users] sub-suffix creation

2010-10-15 Thread Angel Bosch Mora
- Original message - Hi I a bit confused... have you successfully created the entry using the console and am looking for a ldif example? Or did the creation failed in the console. I can give you examples of how we create our tree and sub suffixes if that will help, they are all in

Re: [389-users] ns-slapd processes not dying

2010-09-08 Thread Angel Bosch Mora
- Original message - Hi, We had similar problem before, but I am not sure if it is related to your case. The file descriptors that were opened by the ns-slapd process was all in a CLOSE_WAIT state. You can try execute netstat -anput | grep CLOSE_WAIT and see if there's a lot of