Re: [389-users] high-rate queries

2011-03-28 Thread Gerrard Geldenhuis
Hi Karoly, You give very little information to go by... it might help to provide log files error and maybe access. Try different loglevels for the error log and explain in a bit more detail what is going wrong with your installation. Regards From: 389-users-boun...@lists.fedoraproject.org

Re: [389-users] high-rate queries

2011-03-28 Thread Gerrard Geldenhuis
openldap with 4 slave replicas to 389DS, so I am new in the world of 389DS but my boss is forcing it cos have nice UI ;) Where can I check for verbose error logs or increase log level? On Mar 28, 2011, at 12:26 PM, Gerrard Geldenhuis wrote: Hi Karoly, You give very little information to go

Re: [389-users] Problems to access Directory Server from remote console with 389-console

2011-03-21 Thread Gerrard Geldenhuis
Hi Daniel, I would suggest looking at your logs as a start and telling us if you see any error messages. But even before that the console can be started in debug mode, the specific flag escapes me now but if you start the console in debug mode it will most likely tell you what the problem is

Re: [389-users] Ciphers persistent after restart

2011-03-03 Thread Gerrard Geldenhuis
cipher changes in the UI. This would seem unnecessary at best and potentially problematic at worst. Regards -Original Message- From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users- boun...@lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis Sent: 03 March 2011 10:07

Re: [389-users] advice on ssl cert rotation

2011-03-02 Thread Gerrard Geldenhuis
I use the following command. certutil -A -n 'certname' -t 'u,,' -d . -i certfile.pem If you change the cert database it has been my experience that you need to restart the admin or dir server depending on which db you changed as the changes don't get re-read after startup. Regards

[389-users] Remediating Encryption Levels

2011-02-16 Thread Gerrard Geldenhuis
Hi I am currently testing this but would like to double up my testing with any other experiences in the list. A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for

Re: [389-users] replicating netscaperoot, server2 not in server1 console

2011-02-14 Thread Gerrard Geldenhuis
Hi If you can see two servers on one but not on the other it is most likely that you don't have replication setup on the server that shows two servers back to the other. Check your logs for errors and 1.2.5 looks rather old, it might be worthwhile going to a newer version. Regards

[389-users] FYI and OT: PAM Weirdness

2011-02-09 Thread Gerrard Geldenhuis
Hi I have seen an interesting problem which I thought would be useful for anyone on the list to know. I ran into it once too many so sharing my solutions to spare others the suffering. :D If you have certificates in /etc/pki/tls/certs on a CentOS 5.5 box and one of the certificates has

Re: [389-users] Giving up 389ds

2011-02-09 Thread Gerrard Geldenhuis
You will probably experience the same level of frustration with other open source products. People give their free time to look into your questions and have other responsibilities apart too. You are trying to achieve a notoriously difficult thing which is not necessarily made difficult by

[389-users] Triggers

2011-02-03 Thread Gerrard Geldenhuis
Hi I was wondering if there is a universal trigger system that I could use in 389 to for example let me know when a group gets a new member, or loses a member. The admin guide http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html has only 9

Re: [389-users] Performance tuning - where to begin?

2011-02-03 Thread Gerrard Geldenhuis
Hi Daniel, I am getting 1200 conn/sec on very old hardware so maybe something else is wrong. The very first thing to do is to run logconv.pl script which will come installed with 389. It has a flag for recommendations which I suggest you enable or just enable every flag. Sample command:

Re: [389-users] REPLICATION ISSUE CONSUMER TO CONSUMER !!!!

2011-01-04 Thread Gerrard Geldenhuis
Hi Amit, What part of the replication between Server2 and Server3 is not working? Can you share some logs and how you have set it up, does doing a manual sync again between Server2 and server3 work? How about a manual send updates? What error messages are you seeing in the logs? Regards From:

Re: [389-users] New 389 ds install - cannot logon to adm console

2010-11-29 Thread Gerrard Geldenhuis
=xxx.xx.xxx.xx, connection rejected Kind regards, Eric Gerrard Geldenhuis wrote: Hi Eric, As a start always use the fqdn of the host rather than 127.0.0.1 when connecting via the console. Secondly, 389-console has a debug flag available that you can use while connecting that will shed

Re: [389-users] New 389 ds install - cannot logon to adm console

2010-11-26 Thread Gerrard Geldenhuis
-Original Message- From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users- boun...@lists.fedoraproject.org] On Behalf Of Eric Donkersloot Sent: 26 November 2010 15:25 To: 389-users@lists.fedoraproject.org Subject: [389-users] New 389 ds install - cannot logon to adm

Re: [389-users] get base dn from ldapsearch

2010-11-24 Thread Gerrard Geldenhuis
-Original Message- From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users- boun...@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora Sent: 24 November 2010 08:20 To: General discussion list for the 389 Directory server project. Subject: Re: [389-users] get base dn

Re: [389-users] get base dn from ldapsearch

2010-11-24 Thread Gerrard Geldenhuis
-Original Message- From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users- boun...@lists.fedoraproject.org] On Behalf Of Angel Bosch Mora Sent: 24 November 2010 09:20 To: General discussion list for the 389 Directory server project. Subject: Re: [389-users] get base dn

Re: [389-users] perldap: perl-mozldap-1.5.3 bug+patch for 1.5.3 (latest stable)

2010-11-24 Thread Gerrard Geldenhuis
Hi Roberto, I don't believe that this is the most appropriate list for your post. There is a devel list which would have been more suitable apart from the fact that it is two different types of software projects. Regards -Original Message- From:

Re: [389-users] Slow response from server

2010-11-24 Thread Gerrard Geldenhuis
from server Gerrard Geldenhuis wrote: -Original Message- From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users- boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson Sent: 12 November 2010 16:32 To: General discussion list for the 389 Directory server project

Re: [389-users] Slow response from server

2010-11-24 Thread Gerrard Geldenhuis
identical as far as I am aware. Regards -Original Message- From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users- boun...@lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis Sent: 24 November 2010 14:09 To: 'General discussion list for the 389 Directory server

[389-users] Sensitivity to changes in /etc/resolv.conf or lack there of

2010-11-23 Thread Gerrard Geldenhuis
Hi I believe this is down to system libraries but is there any way to make 389-ds aware of changes in /etc/resolv.conf? In my test environment I have had to restart the dirsrv to get changes in resolv.conf to take effect. Specifically I can't initiate a new host using replication if the

Re: [389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-23 Thread Gerrard Geldenhuis
We have seen the preload issue too. I have reported it via the links provided. The fix is as follows: diff start-ds-admin start-ds-admin.orig 46c46 LD_PRELOAD=/usr/lib64/libldap60.so --- LD_PRELOAD= /libldap60.so This should be fixed in 389-admin-1.1.12 now in updates-testing - what

Re: [389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-23 Thread Gerrard Geldenhuis
Directory Server 1.2.7 On 11/23/2010 10:19 AM, Gerrard Geldenhuis wrote: We have seen the preload issue too. I have reported it via the links provided. The fix is as follows: diff start-ds-admin start-ds-admin.orig 46c46 LD_PRELOAD=/usr/lib64/libldap60.so --- LD_PRELOAD= /libldap60.so

Re: [389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-23 Thread Gerrard Geldenhuis
Creating directory server . . . Your new DS instance 'dmz' was successfully created. Creating the configuration directory server . . . Beginning Admin Server creation . . . Creating Admin Server files and directories . . . Updating adm.conf . . . Updating admpw . . . Registering admin

[389-users] Problems with accessing console

2010-11-19 Thread Gerrard Geldenhuis
Hi I have a bit of a problem with a few 389 servers I recently built... Firstly how I got there: I added 4 additional servers to our infrastructure, the servers had 389 installed and configured but as a separate set of 4 servers completely stand alone. I removed everything with remove-ds-admin

Re: [389-users] Problems with accessing console

2010-11-19 Thread Gerrard Geldenhuis
From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis Sent: 19 November 2010 11:34 To: General discussion list for the 389 Directory server project. (389-users@lists.fedoraproject.org) Subject: [389-users] Problems

Re: [389-users] Bind to consumer binds to provider as well

2010-11-15 Thread Gerrard Geldenhuis
In both A and B you could have a higher number of attempts than is actually allowed before the replicated failed login attempts get written back to the consumer where it will stop the user authenticating. There is a marginal potential for a higher number of potential requests if you don't chain

[389-users] Decrypting SSL for 389-ds

2010-11-12 Thread Gerrard Geldenhuis
Hi I am trying to decrypt SSL traffic captured with tcpdump in wireshark. A quick google turned up a page that said the NSS utils do not allow you to expose your private key. Is there a different way or howto that anyone can share to help decrypt SSL encrypted traffic for 389? Regards

Re: [389-users] Decrypting SSL for 389-ds

2010-11-12 Thread Gerrard Geldenhuis
-ds On 11/12/2010 8:59 AM, Gerrard Geldenhuis wrote: I am trying to decrypt SSL traffic captured with tcpdump in wireshark. A quick google turned up a page that said the NSS utils do not allow you to expose your private key. Is there a different way or howto that anyone can share to help decrypt

Re: [389-users] Bind to consumer binds to provider as well

2010-11-12 Thread Gerrard Geldenhuis
When I do a bind to the consumer(slave) I also see a bind to the provider(master); this seems really silly. My understanding is that this behaviour is caused by needing to centrally store login attempts. I have raised this matter previously but just wanted to double check that the

Re: [389-users] Bind to consumer binds to provider as well

2010-11-12 Thread Gerrard Geldenhuis
-Original Message- From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users- boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson Sent: 12 November 2010 18:22 To: General discussion list for the 389 Directory server project. Subject: Re: [389-users] Bind to consumer

[389-users] Slow response from server

2010-11-11 Thread Gerrard Geldenhuis
Hi We are getting slow responses from one of our LDAP servers and I am not sure what is causing the problem. I have run a logconv.pl -j and the following is interesting: Connections Reset By Peer:0 Resource Unavailable: 136 - 136 (T1) Idle Timeout Exceeded We have a cache

Re: [389-users] upgrading packages

2010-11-10 Thread Gerrard Geldenhuis
about this. I thought that you had to have an admin server for each physical host? Regards [Gerrard Geldenhuis] In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming

Re: [389-users] Multi Master Replication

2010-11-10 Thread Gerrard Geldenhuis
better understanding of how everything fits together and be able to debug problems with multimaster much better. [Gerrard Geldenhuis]

Re: [389-users] duplicate existing ssl credentials on another server ?

2010-11-09 Thread Gerrard Geldenhuis
From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Daniel Maher [dma+389us...@witbe.net] Sent: 09 November 2010 14:58 To: General discussion list for the 389 Directory server project. Subject:

Re: [389-users] duplicate existing ssl credentials on another server ?

2010-11-09 Thread Gerrard Geldenhuis
ssl credentials on another server ? On 11/09/2010 04:27 PM, Gerrard Geldenhuis wrote: There is another document on the wiki which describes how to setup certificates for a vip that is similar to what you want to do. I can't find it at the moment but might be worth trolling through the wiki

[389-users] Contributing to the wiki

2010-10-26 Thread Gerrard Geldenhuis
Hi I would like to add a few notes to the wiki, is there a special page where I should be creating an account? This page http://directory.fedoraproject.org/wiki/Special:Userlogin says: We are not ready to accept contributions at this time. Is that still true, I am happy to just send a few

Re: [389-users] Getting started with 389 DS

2010-10-25 Thread Gerrard Geldenhuis
Hi Glad to hear you got your problem sorted, you might also consider using the FQDN of the servername rather than localhost. This will save you some trouble when you enable SSL. Regards From: 389-users-boun...@lists.fedoraproject.org

Re: [389-users] Getting started with 389 DS

2010-10-25 Thread Gerrard Geldenhuis
Hi Harry, It basically means that the object class used to define the user in the directory from which you exported the user does not exist in 389 or is not available. It might also help to post an example of the ldif file here for people to have a look at. It will make debugging your problem

[389-users] Chaining woes again v2 - solutions

2010-10-21 Thread Gerrard Geldenhuis
Hi Just a quick follow-up regarding this thread. We discovered the real problem: encryption of the password. We have the following line in the ldif file to nsmultiplexorcredentials: {SSHA}VItDJ0gykk1q8rzsJmIkkj64mAW1kkaZY We got one server working with chaining and the other not. The

Re: [389-users] Chaining woes again v2 - solutions

2010-10-21 Thread Gerrard Geldenhuis
-users] Chaining woes again v2 - solutions Gerrard Geldenhuis wrote: Hi Just a quick follow-up regarding this thread. We discovered the real problem: encryption of the password. We have the following line in the ldif file to nsmultiplexorcredentials: {SSHA}VItDJ0gykk1q8rzsJmIkkj64mAW1kkaZY

Re: [389-users] Greedy PAM

2010-10-19 Thread Gerrard Geldenhuis
/2010 04:57 PM, Gerrard Geldenhuis wrote: Is there a way to dynamically have search basis when queries for certain data is done. Yes. How do you configure clients to be more selective when doing searches against a ldap directory. It depends entirely on the software doing the query. Here's

Re: [389-users] Safeguarding against too many established connections

2010-10-19 Thread Gerrard Geldenhuis
. Subject: Re: [389-users] Safeguarding against too many established connections - Missatge original - On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote: Hi We have recently seen an issue where a single client opened up more than 800 established connections to our directory server. The client

Re: [389-users] Safeguarding against too many established connections

2010-10-19 Thread Gerrard Geldenhuis
too many established connections On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote: Hi We have recently seen an issue where a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed

Re: [389-users] sub-suffix creation

2010-10-15 Thread Gerrard Geldenhuis
Hi I am a bit confused... have you successfully created the entry using the console and are looking for an ldif example? Or did the creation fail in the console? I can give you examples of how we create our tree and sub suffixes if that will help, they are all in ldif format. Regards

[389-users] Greedy PAM

2010-10-15 Thread Gerrard Geldenhuis
Hi Not strictly a 389 question but maybe 389 offers a solution. I have a tree structure as follows: dc=company ou=people,dc=company ou=groups,dc=company On my client I have the following searchbase in /etc/ldap.conf dc=company If I login as user gerrard and look at the network traffic then

[389-users] Magic required for subtree password policy?

2010-10-13 Thread Gerrard Geldenhuis
Hi The admin guide says that one should use the ns-newpwpolicy.pl script to set subtree password policies on the command line. Can we also set this using ldifs or is there some magic that this script performs that can't be achieved by using ldifs? Regards

Re: [389-users] Magic required for subtree password policy?

2010-10-13 Thread Gerrard Geldenhuis
-users] Magic required for subtree password policy? Gerrard Geldenhuis wrote: Hi The admin guide says that one should use the ns-newpwpolicy.pl script to set subtree password policies on the command line. Can we also set this using ldifs or is there some magic that this script performs that can't

[389-users] User insert fails... because of pwpolicy?

2010-09-29 Thread Gerrard Geldenhuis
Hi Adding a user with the following ldif file: dn: uid=SystemAuthentication,ou=Service Accounts,dc=mycompany givenName: System objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: Authentication cn: SystemAuthentication uid: SystemAuthentication

Re: [389-users] 389 DS 1.2.6. and certificates

2010-09-28 Thread Gerrard Geldenhuis
Hi I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv were running. Also check permissions: -rw--- 1 nobody root 65536 Aug 12 12:18 cert8.db -rw--- 1 nobody root 16384 Aug 12 12:18 key3.db -rw--- 1 nobody root 16384 Sep 28 17:08

[389-users] Local Password Policy Replicated?

2010-09-27 Thread Gerrard Geldenhuis
Hi The documentation is not very clear on this... 13.1.5 in the latest Admin Guide mentions how password policy is treated in a replicated environment but it does not distinguish or confirm that the behaviour for global and local password policies is treated in the same way with regards to

[389-users] Not allowed to change password once it has expired

2010-09-27 Thread Gerrard Geldenhuis
Hi I am in the midst of debugging this but am hoping anyone can shed some light on the issue or point me in the right direction. A certain combination of changes to the global password policy seems to break the ability to change a user's password. us...@client01.example's password: You are

Re: [389-users] Connections not closing

2010-09-22 Thread Gerrard Geldenhuis
I have an issue with our Fedora Consumers running 1.2.0 on Fedora 10 in that they don't seem to be closing old connections and so the open connections are building up until performance is impacted and eventually we run out of file handles. ... cut tcp_keepalive_time = 600

[389-users] How to force a user to change his/her password in a Multi master environment

2010-09-22 Thread Gerrard Geldenhuis
Hi, Is there a way of forcing a single user to change his/her password in a multi-master environment. The only way it seems possible is to enable per user password policy and then set the passwordMustChange flag. However since password policy is not replicated that does not seem like a very

[389-users] SSHA and friends

2010-09-22 Thread Gerrard Geldenhuis
Hi This is probably OT but I am not having much luck with google. How can I create SSHA512 strings? I have been using either a php script or slappasswd to create SSHA password but not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit.

[389-users] Manual and automatic catch up of replication

2010-09-20 Thread Gerrard Geldenhuis
Hi I have been doing some testing to see how a database(netscapedb) will catch up with replicated changes when the server has been shutdown and/or broken. My test is very basic: Shutdown master2 Add an entry to netscapedb on master1 Bring up master2 Tail error log for replication messages and

Re: [389-users] Manual and automatic catch up of replication

2010-09-20 Thread Gerrard Geldenhuis
Replication uses an exponential backoff strategy if the consumer is down. That is, it will wait 1 second, try again, then wait 2 seconds, try again, then wait 4 seconds, try again, etc. until it hits 5 minutes. hmmm, I probably did not wait long enough... I have enabled replication

[389-users] Recovery Strategy

2010-09-20 Thread Gerrard Geldenhuis
Hi As far as I can see the documentation does not make mention of backups other than the userdb, netscapedb and dse.ldif. With regards to the certificate databases and admin server configuration are there any specific strategies, recommendations or ready-made scripts? I am looking at scenarios

Re: [389-users] Debug PTA and PAM-PTA stack for ldap timeout

2010-09-15 Thread Gerrard Geldenhuis
Hi Prashanth, I have not seen similar issues but I would suggest adding a debug entry in PAM setup. This gives a lot of extra information. Also since you are debugging disable log caching to enable you to see bind attempts immediately dn: cn=config changetype: modify replace:

[389-users] Using ldclt

2010-09-15 Thread Gerrard Geldenhuis
Hi I have not been able to get ldclt working. I suspect I am not using it correctly and would appreciate anyone just giving my options a sanity check. Running the following: ldclt -h testserver.example.com -p 389 -e bindeach,bindonly -Z /etc/dirsrv/slapd-testserver -e

Re: [389-users] Console breaks when enabling no anonymous binding

2010-08-27 Thread Gerrard Geldenhuis
Brandon G wrote: Rich Megginson wrote: When you first log in to the console, and you type in your ID, the directory server has no credentials, and has to perform an anonymous search for uid=youruid to find your BIND DN. This is the same as when you log in to the operating system - pam has

Re: [389-users] Automatic master/consumer initialization

2010-08-24 Thread Gerrard Geldenhuis
-users] Automatic master/consumer initialization Gerrard Geldenhuis wrote: Hi Is there any difference between right clicking on a replication agreement just created and selecting the Initialize Consumer or letting nature go its course and letting replication happen in the next cycle. Up until

[389-users] not all masters are born equal?

2010-08-24 Thread Gerrard Geldenhuis
Hi Just wanted to double check; We have not created replication agreements between all masters and in some instances it might take 2 hops for a change to be replicated everywhere. We are happy with this trade-off in delay for simplicity. Are we breaking some cardinal rule regarding multi-master

[389-users] Inconsistency between GUI and ldapquery regarding replication agreements

2010-08-23 Thread Gerrard Geldenhuis
Hi We ran into a very interesting problem... We can't run 389-console directly from the server on which it is running because it is just too slow to use. It takes almost 5 minutes just to login. We have thus resorted to running the console locally and doing port forwarding with ssh as 389 and

Re: [389-users] GOSA as a frontend for the 389 Directory Server?

2010-08-19 Thread Gerrard Geldenhuis
Hi Stefan, GOsa² uses its own combination of objectClasses to store information plus its own set of ACLs to control access to the GUI but these ACLs do not translate into protection for other access methods that do not go through the GUI. I think you will get much better support from the

Re: [389-users] Clarification on admin server and console

2010-08-18 Thread Gerrard Geldenhuis
+ERROR: There was an error processing entry cn=replica,cn=o=NetscapeRoot,cn=mapping tree,cn=config +Cannot continue processing entries. Error adding entry 'cn=replica,cn=o=NetscapeRoot,cn=mapping tree,cn=config'. Error: No such object Error: Could not create directory server instance

Re: [389-users] Clarification on admin server and console

2010-08-18 Thread Gerrard Geldenhuis
What is also frustrating is that the script is so quiet about why it failed. I was running setup-ds-admin with -ddd It appears that the script used to configure the admin server does not get passed the debug flags. Any further ideas? I was afraid of that. The admin server part doesn't

[389-users] Variables in ldif files

2010-08-18 Thread Gerrard Geldenhuis
Hi Is there any standard script that comes with 389 that can take a set of parameters and replace those parameters in a ldif file? For example the parameters specified in /usr/share/dirsrv/data/template-suffix-db.ldif dn: cn=%ds_bename%,cn=ldbm database,cn=plugins,cn=config I can write my own

Re: [389-users] Clarification on admin server and console

2010-08-17 Thread Gerrard Geldenhuis
There is still some haziness in my mind about the admin server... I set up a server called master01 using setup-ds-admin.pl and then set up another physical server called master02 also using setup-ds-admin.pl. The only difference was that I registered master02 with master01. The effect is

Re: [389-users] Clarification on admin server and console

2010-08-17 Thread Gerrard Geldenhuis
I forgot to add that all the ldifs work if I run them afterwards, just not during installation. This string also baffled me a bit: cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config what does the o\3Dn mean? I sourced it from the audit log when doing the change in the GUI. Regards

Re: [389-users] System configuration data

2010-08-17 Thread Gerrard Geldenhuis
Hi Natr, My experience is limited to authentication too, but I would suggest reading some of the RFCs on ldap which describe how that information is stored. I would also suggest searching through the openldap mailing list archives. Any solutions used there should be easily adaptable to 389.

Re: [389-users] Clarification on admin server and console

2010-08-17 Thread Gerrard Geldenhuis
replagreement.ldif dn: cn=test-aggreement-name,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config changetype: add objectClass: top objectClass: nsDS5ReplicationAgreement cn: test-aggreement-name description: test-description nsDS5ReplicaHost: 389-master02.example

[389-users] NetscapeRoot longevity

2010-08-17 Thread Gerrard Geldenhuis
Hi The database name NetscapeRoot I assume is a leftover from when 389 was a netscape product. Are there any plans to eventually change this to 389-root or something similar? It would be a purely cosmetic change though and probably way too much work and introduce many bugs... but I thought I

Re: [389-users] Clarification on admin server and console

2010-08-17 Thread Gerrard Geldenhuis
Something else occurred to me. If you have a shared/replicated NetscapeRoot database and let's say 12 servers over 3 datacentres, 6 providers and 6 consumers. You will end up with 12 servers in a multimaster group for the netscaperoot database but only 6 servers in a multi master setup for the

[389-users] setup-ds-admin.pl complaining without cause?

2010-08-16 Thread Gerrard Geldenhuis
Hi The setup-ds-admin.pl script complains about the following: == Your system has been scanned for potential problems, missing patches, etc. The following output is a report of the items found that need to be addressed

Re: [389-users] Clarification on admin server and console

2010-08-16 Thread Gerrard Geldenhuis
I understand that on a (physical/virtual) server there can be multiple directory server instances but only one admin server instance. However, what I'm wondering is whether it is possible for an instance of the admin server to manage directory servers on different boxes. For example, could I

[389-users] Replica ID uniqueness between NetscapeRoot and userRoot

2010-08-16 Thread Gerrard Geldenhuis
Hi This is going to seem obvious but is the Replica ID unique to a server or unique to a database and server. What I mean is that if I setup both NetscapeRoot and UserRoot to replicate can I use Replica ID of x for both because they are on the same server or does it need to be x and x+1?

[389-users] Researching ldif changes

2010-08-12 Thread Gerrard Geldenhuis
Hi I was hoping someone can share a methodology of finding the ldif changes that happen when doing changes in the GUI. I would like to create equivalent ldif files for all changes that I do in the GUI. Thus far I have been doing before and after diffs of dse.ldif. I have not done that yet for

Re: [389-users] Console breaks when enabling no anonymous binding

2010-08-10 Thread Gerrard Geldenhuis
What's not necessary? Note that the admin server and directory server have separate cert databases. Also note that the NSS crypto team is working towards a unified system-wide cert db. That could have been more clear, I meant that a lack of certs in the Admin Server db should not cause

Re: [389-users] admin account expires, expire time refuses to update

2010-08-10 Thread Gerrard Geldenhuis
Hi Brandon, It seems to me that the password policy is being applied to your Directory Manager user. I recall that you can disable password policy for cn=config users but can't find that in the documentation now. It is also worthwhile reading the second paragraph of 7.1.1.5 in the Admin guide

[389-users] Console breaks when enabling no anonymous binding

2010-08-10 Thread Gerrard Geldenhuis
Hi If I set nsslapd-allow-anonymous-access: off I am not able to login to the 389-console. I can remedy this by checking the checkbox Use SSL in Console in the Encryption tab on the Directory Server console. This seems a strange solution to the problem. Why would disabling anonymous access

[389-users] Security Level = Domestic

2010-08-06 Thread Gerrard Geldenhuis
Hi In the management console there is a Security level: domestic I found no reference to this in the documentation and a quick google revealed this page: http://docs.sun.com/source/816-5567-10/3_consol.htm which suggests that this has to do with the type and level of encryption used. Thus

[389-users] Sanity check for install approach

2010-07-29 Thread Gerrard Geldenhuis
Hi I would appreciate anyone just giving the tasks below a sanity check. We will have a multimaster setup with various consumers from which clients will be authenticating off. Clients cannot reach the masters directly and can only reach the consumer servers. To enable password policies to

Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.

2010-07-22 Thread Gerrard Geldenhuis
From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Gordon Messmer [yiny...@eburg.com] Sent: 22 July 2010 04:17 To: General discussion list for the 389 Directory server project. Subject: Re: [389-users]

Re: [389-users] Large amount of users in Directory causes timeouts on client login.

2010-07-22 Thread Gerrard Geldenhuis
From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Gerrard Geldenhuis [gerrard.geldenh...@betfair.com] Sent: 21 July 2010 16:37 To: General discussion list for the 389 Directory server project. Subject

[389-users] Large amount of users in Directory causes timeouts on client login.

2010-07-21 Thread Gerrard Geldenhuis
Hi I have just created 20 000 users each with a private group on two masters, 10 000 on each master, with the purpose of testing replication between two masters. I did not observe any errors in the access log and there are no errors logged in the error log for either of the servers. I am seeing

Re: [389-users] Large amount of users in Directory causes timeouts on client login.

2010-07-21 Thread Gerrard Geldenhuis
Snip snip Any thoughts or steering in the right direction would be appreciated. run logconv.pl The documentation states a few default indexes that gets created and I would have thought that these would be adequate for effectively finding a user in a larger database. running logconv.pl

[389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.

2010-07-20 Thread Gerrard Geldenhuis
Hi There is a bugzilla raised concerning users still being able to login if they have ssh keys even if their ldap account is disabled. https://bugzilla.redhat.com/show_bug.cgi?id=455350 I have experimented a bit in PAM with ordering to try and find a solution but so far I have not been very

Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.

2010-07-20 Thread Gerrard Geldenhuis
] Preventing ssh keys from granting a user access when LDAP account is disabled. On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote: Hi There is a bugzilla raised concerning users still being able to login if they have ssh keys even if their ldap account is disabled. Define disabled. If your only

[389-users] Slow logging

2010-07-14 Thread Gerrard Geldenhuis
Hi In my lab system I am seeing quite a long delay (10+ seconds) between the actual ldap request and the logging of the request in the access log. Is this normal behavior, and can it be sped up? Admittedly I have not investigated this much yet but noticed it and thought I would ask quickly.

[389-users] Password History in a Replicated Environment

2010-07-07 Thread Gerrard Geldenhuis
Hi The documentation clearly states that password modification history is not replicated including account lockout counters. To me that seems a bit pointless to have if your servers are authenticating against a cluster of 4 machines. There is no guarantee that next time when you change your

Re: [389-users] errors once in the admin console

2010-06-16 Thread Gerrard Geldenhuis
Hi Steven, Double check that you are using the correct JVM by using alternatives as stated in the install guide. I don't know if that is the problem but worth checking. Also double check the install log of yum for a clean install. Have you run the setup-ds-admin.pl script to set up your directory