[389-users] 389 in Ubuntu 22.04

2023-09-26 Thread morgan jones
Hello, We are moving to Ubuntu 22.04 across our servers: is there a recommended Ubuntu repo for 389 Directory? On a related note is there an official Docker image? We have about 250,000 users and currently have 6 replicas all running CentOS 7. thanks,

[389-users] Re: 389 scalability

2022-05-19 Thread Morgan Jones
Thanks for the info William and Thierry, this all makes sense. We'll start testing in the coming weeks and see how it goes. -morgan > On May 19, 2022, at 03:25, Thierry Bordaz wrote: > > > On 5/19/22 1:51 AM, William Brown wrote: >> >>> On 19 May 2022, at

[389-users] 389 scalability

2022-05-18 Thread Morgan Jones
Hello Everyone, We are merging our student directory (about 200,000 entries) into our existing employee directory (about 25,000 entries). They're a pair of multi-master replicas on virtual hardware that can easily be expanded if needed though hardware performance hasn't been an issue. Does

[389-users] aci sanity check

2022-03-03 Thread Morgan Jones
Hello, Would someone mind taking a look at the below and tell me what I am missing?? I have a requirement to make a group readable by its members: morgan@m1macbook ~ % ldapmodify -H ldaps://prdds22.domain.org -x -y pass.txt -f duo_aci_example.ldif modifying entry

[389-users] search inconsistencies

2021-11-30 Thread Morgan Jones
Can anyone provide insight on why the below might be happening, my best guess is a corrupt uniquemember index?? I initially tried it as a user which also fails but switched to Directory Manager to rule out an access control issue. We have identical prod, dev, and test environments and I only

[389-users] Re: 389 1.3 vs 1.4, CentOS 7

2021-11-10 Thread Morgan Jones
is the version to go. > > my 2cts > > regards > thierry > > On 11/10/21 4:18 AM, Morgan Jones wrote: >> Hello! >> >> Is it advisable to run 389 1.3 in production? >> >> If not is there a suggested way to install 1.4 in CentOS 7? On first blu

[389-users] 389 1.3 vs 1.4, CentOS 7

2021-11-09 Thread Morgan Jones
Hello! Is it advisable to run 389 1.3 in production? If not is there a suggested way to install 1.4 in CentOS 7? On first blush to install 389 from source it’s looking like I’m going to need to install libicu from source, the version that ships is an older version: > checking for ICU... no

[389-users] Re: passwordAdminDN help

2021-09-28 Thread Morgan Jones
> On Sep 28, 2021, at 6:09 PM, Mark Reynolds wrote: > > You are not, you set it up correctly. One thing you did not list was that > you are supposed to add an aci that allows that group to update the > userpassword attribute, but that would not explain the constraint violation. > It could

[389-users] passwordAdminDN help

2021-09-28 Thread Morgan Jones
May I have a sanity check here? I am attempting to add pre-hashed passwords to users. If I’ve read the documentation correctly this should work. I’ve also tried putting uid=selectivesync389,ou=svc_accts,dc=domain,dc=org directly in passwordAdminDN: morgan@woodrow-2 ~ % ldapsearch -H

[389-users] Re: Locating syntax violations

2017-10-04 Thread Morgan Jones
Thanks Mark, I should have been able to find that. Is there a downside to leaving this on all the time? -morgan > On Oct 4, 2017, at 3:53 PM, Mark Reynolds <marey...@redhat.com> wrote: > > Hi Morgan, > > On 10/04/2017 03:46 PM, Morgan Jones wrote: >> I’m worki

[389-users] Locating syntax violations

2017-10-04 Thread Morgan Jones
I’m working on importing a Ldif from an older version of Redhat and have a few dozen of the below: is there a way to increase debugging such that it tells me which attribute violates syntax? I’ve looked and can’t find anything. We have a moderately complex custom schema and it’s tough to

[389-users] Re: dnsdomain schema missing in 389 Directory server - can not run PowerDNS LDAP backend

2017-09-25 Thread Morgan Jones
cord $ > KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ APLRecord $ DSRecord $ > SSHFPRecord $ IPSECKEYRecord $ RRSIGRecord $ NSECRecord $ DNSKEYRecord $ > DHCIDRecord $ SPFRecord ) > ) > > Tomas > > > > On 24 September 2017 at 04:12, Morgan Jones <mo

[389-users] Re: dnsdomain schema missing in 389 Directory server - can not run PowerDNS LDAP backend

2017-09-23 Thread Morgan Jones
Tomas, It’s been a while since I’ve done it but I seem to remember it being relatively straightforward to convert between OpenLDAP's and 389’s schema formats. Have you made an attempt to convert the PowerDNS schema? -morgan > On Sep 22, 2017, at 6:13 AM, Tomáš Brandýský

[389-users] Re: Possible bug? - Silent install behaves differently from interactive

2017-09-20 Thread Morgan Jones
pect "Directory server network port" > send "389\r" > expect "Directory server identifier" > send "\r" > expect "Suffix" > send "\r" > expect "Directory Manager DN" > send "\r" > expect "Password

[389-users] Re: Possible bug? - Silent install behaves differently from interactive

2017-09-19 Thread Morgan Jones
be willing to post a sanitized version of your inf so we can compare notes? I agree expect is clunky, I’m curious to find out what your problem is as I’ve been living this issue for the last week or so. -morgan > On Sep 18, 2017, at 4:41 PM, Morgan Jones <mor...@morganjones.org&

[389-users] Re: Possible bug? - Silent install behaves differently from interactive

2017-09-19 Thread Morgan Jones
https://github.com/morganllj/ansible-playbooks/blob/3bf0fa9ee5c69c10940eaa2163b6d69155767475/templates/adm.conf.j2 https://github.com/morganllj/ansible-playbooks/blob/3bf0fa9ee5c69c10940eaa2163b6d69155767475/install_389.yml -morgan > On Sep 15, 2017, at 12:56 PM, Morgan Jones &

[389-users] Re: Error after setting nsslapd-allow-anonymous-access:rootdse

2017-09-15 Thread Morgan Jones
Patrick, I have no experience using the admin console for access control or your particular problem but I can share what we did that I think accomplishes your goal as we similarly decided to block anonymous access. To oversimplify we modified the stock acis with an explicit list of what

[389-users] Re: jss and idm-console-framework conflict

2017-09-15 Thread Morgan Jones
Mark, I set up an account and gave it a +1. If I need to do more don’t hesitate to ask. Thanks for taking care of this. -morgan > On Sep 14, 2017, at 4:57 PM, Mark Reynolds <marey...@redhat.com> wrote: > > > > On 09/14/2017 04:12 PM, Morgan Jones wrote: >>

[389-users] Re: Possible bug? - Silent install behaves differently from interactive

2017-09-15 Thread Morgan Jones
Julian, Sorry on the name mix-up, typing quickly. -morgan > On Sep 15, 2017, at 12:56 PM, Morgan Jones <mor...@morganjones.org> wrote: > > Hello Julia, > > I’m troubleshooting this exact behavior. So far I’ve found if you create an > /etc/dirsrv/admin-serv/ad

[389-users] Re: Possible bug? - Silent install behaves differently from interactive

2017-09-15 Thread Morgan Jones
Hello Julia, I’m troubleshooting this exact behavior. So far I’ve found if you create an /etc/dirsrv/admin-serv/adm.conf before the silent install it works. However we just went through a host domain name change (long story) and I’m having I think unrelated problems. I hope to resolve that

[389-users] Re: jss and idm-console-framework conflict

2017-09-14 Thread Morgan Jones
i.fedoraproject.org/koji/taskinfo?taskID=21865518 > > Here is the bodhi link that requires "karma" to become an official > update in epel7 > > https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cec2fcb8ae > > Regards, > Mark > > On 09/14/2017

[389-users] Re: jss and idm-console-framework conflict

2017-09-14 Thread Morgan Jones
-framework-1.1.17-5.fc27.noarch.rpm yum install 389-ds -morgan > On Sep 13, 2017, at 6:28 PM, Morgan Jones <mor...@morganjones.org> wrote: > > As of just today a yum install 389-ds fails for me with > > --> Processing Conflict: jss-4.4.0-7.el7.x86_64 conflicts > idm

[389-users] jss and idm-console-framework conflict

2017-09-13 Thread Morgan Jones
As of just today a yum install 389-ds fails for me with --> Processing Conflict: jss-4.4.0-7.el7.x86_64 conflicts idm-console-framework < 1.1.17-4 --> Finished Dependency Resolution Error: jss conflicts with idm-console-framework-1.1.17-1.el7.noarch It appears to be an update to jss in early

[389-users] Re: Console hang after 4th server install

2017-09-04 Thread Morgan Jones
at.com> wrote: > > > > On 08/23/2017 03:09 PM, Morgan Jones wrote: >> Mark, >> >> See attached. The break in the log is where it hung and then came back to >> life. > Odd, I don't see the connection being closed. Looks like the client > (the consol

[389-users] Re: Console hang after 4th server install

2017-08-23 Thread Morgan Jones
Aug 23, 2017, at 12:35 PM, Mark Reynolds <marey...@redhat.com> wrote: > > > > On 08/23/2017 12:31 PM, Morgan Jones wrote: >>> On Aug 23, 2017, at 12:17 PM, Mark Reynolds <marey...@redhat.com> wrote: >>> >>> >>>> [pid 27442] recv

[389-users] Re: Console hang after 4th server install

2017-08-23 Thread Morgan Jones
> On Aug 23, 2017, at 12:17 PM, Mark Reynolds wrote: > > >> [pid 27442] recvmsg(14, 0x7f3880ef74d0, 0) = -1 EAGAIN (Resource temporarily >> unavailable) >> [pid 27442] recvmsg(14, 0x7f3880ef74d0, 0) = -1 EAGAIN (Resource temporarily >> unavailable) >> [pid 27442]

[389-users] Re: Console hang after 4th server install

2017-08-23 Thread Morgan Jones
> On Aug 23, 2017, at 11:32 AM, Mark Reynolds <marey...@redhat.com> wrote: > > > > On 08/23/2017 11:18 AM, Morgan Jones wrote: >> >> I’m registering remote servers. We have a total of 5. It starts to hang >> after installing the 4th. > Do you see

[389-users] Re: Console hang after 4th server install

2017-08-23 Thread Morgan Jones
unavailable) [pid 27442] poll([{fd=14, events=POLLRDNORM}, {fd=15, events=POLLRDNORM}], 2, 500 [pid 27440] <... futex resumed> ) = -1 ETIMEDOUT (Connection timed out) [pid 27440] futex(0x7f38940cfd28, FUTEX_WAKE_PRIVATE, 1) = 0 -morgan > On Aug 23, 2017, at 11:18 AM, Morgan Jon

[389-users] Re: Console hang after 4th server install

2017-08-23 Thread Morgan Jones
> On Aug 22, 2017, at 2:15 PM, Mark Reynolds <marey...@redhat.com> wrote: > > > > On 08/22/2017 01:36 PM, Morgan Jones wrote: >> Thanks—is there a trick to turning on admin-serv logging? I don’t have one >> and at least on first blush don’t see a means of ena

[389-users] Re: Console hang after 4th server install

2017-08-22 Thread Morgan Jones
sage that keeps repeating is expected > when the console is idle (it's waiting for you to do something). > > Perhaps there is something in the admin logs: > > /var/log/dirsrv/admin-serv > > Regards, > Mark > > On 08/16/2017 03:39 PM, Morgan Jones wrote: >> Hello

[389-users] Re: Console hang after 4th server install

2017-08-16 Thread Morgan Jones
Hello Mark, See attached, "AbstractServerObject.StatusThread: waiting for change listeners to register” repeats presumably forever after it hangs. Thanks, -morgan java.util.prefs.userRoot=/home1/morgan/.389-console java.runtime.name=OpenJDK Runtime Environment

[389-users] Console hang after 4th server install

2017-08-16 Thread Morgan Jones
I’m in the process of installing 389 in CentOS 7 from epel (versions below) and find that the console becomes unresponsive after I install the 4th server. I can open the console and expand a few servers but within 30 seconds it consistently hangs. I am storing configuration data in one

[389-users] Re: subtree password policy woes

2016-05-31 Thread Morgan Jones
n May 29, 2016, at 23:04, William Brown <wibr...@redhat.com> wrote: > > On Mon, 2016-05-23 at 11:52 -0400, Morgan Jones wrote: >> Hello William, >> >> Is this what you’re looking for? I’ve included the full entry below but it >> appears pwdPolicySubentry is operat

[389-users] Re: subtree password policy woes

2016-05-23 Thread Morgan Jones
orgSponsorHomeOrgCD: x orgAcceptedTermsofUse: FALSE orgSponsorEIDN: x orgGAFEOverrideOrgUnit: /STAFF/x/x sambaSID: x mail: mor...@domain.org orgAccountActive: TRUE homeDirectory: /home/morgan gecos: Morgan Jones loginShell: /bin/bash uidNumber: x gidNumber: x orgEIDN: x orgHomeOrgCD: x givenName: Morgan sn

[389-users] Re: subtree password policy woes

2016-05-20 Thread Morgan Jones
> On May 19, 2016, at 19:04, William Brown wrote: > > It would be good to get a look at the object that is affected here. Can you > show me: pwdpolicysubentry from the affected user > entry? > > Then can you also show the contents of the dn listed by that >

[389-users] Re: subtree password policy woes

2016-05-19 Thread Morgan Jones
I am following up in hopes that maybe this was just missed the first time around. Is anyone using a subtree password policy in a recent version of 389 and does it work? thanks, -morgan > On May 11, 2016, at 16:51, Morgan Jones <mor...@morganjones.org> wrote: > > &

[389-users] subtree password policy woes

2016-05-11 Thread Morgan Jones
Hello, We are configuring password policy in 389 directory. We’re running what I believe is the latest stable version from the Epel repository on CentOS 6: [root@devldapm03 ~]# rpm -qa|grep 389 389-admin-1.1.35-1.el6.x86_64 389-console-1.1.7-1.el6.noarch 389-ds-console-doc-1.2.6-1.el6.noarch

Re: [389-users] db2ldif vs ldapmodify: turn up debugging of db2ldif?

2014-05-20 Thread Morgan Jones
or data that doesn’t match the RFC. I can, of course, work through it attribute by attribute but I’m surprised to have to do that when usually the server logs the problem verbosely. thanks, -morgan Morgan Jones wrote: I am working on a move from CentOS Directory (8.2.8) on CentOS 5 to 389-ds

Re: [389-users] db2ldif vs ldapmodify: turn up debugging of db2ldif?

2014-05-20 Thread Morgan Jones
/syntax-validation.html#syntax-validation-script I don't know why the ldapmodify command succeeded, maybe someone can answer this. KELMENI Lulzim On 19/05/2014 22:38, Morgan Jones wrote: I am working on a move from CentOS Directory (8.2.8) on CentOS 5 to 389-ds 1.2.11 on CentOS

Re: [389-users] Yum Update vs Yum Upgrade

2014-05-20 Thread Morgan Jones
The yum man page explains it: basically upgrade removes obsoleted packages. I don’t know that it will affect the 389 packages but it’s always a good idea to use upgrade with caution. -morgan On May 20, 2014, at 1:00 PM, Rich Megginson rmegg...@redhat.com wrote: On 05/20/2014 10:58 AM,

[389-users] db2ldif vs ldapmodify: turn up debugging of db2ldif?

2014-05-19 Thread Morgan Jones
I am working on a move from CentOS Directory (8.2.8) on CentOS 5 to 389-ds 1.2.11 on CentOS 6. I’m using a combination of the CentOS repositories and epel as suggested here. I'm finding ldif2db rejects entries while if I add them via ldapmodify they go in with no errors. This is a problem

Re: [389-users] 1.2.11.29 prediction?

2014-04-04 Thread Morgan Jones
On Apr 3, 2014, at 5:11 PM, Rich Megginson rmegg...@redhat.com wrote: On 04/03/2014 02:56 PM, Morgan Jones wrote: On Apr 3, 2014, at 3:39 PM, Rich Megginson rmegg...@redhat.com wrote: On 04/03/2014 01:35 PM, Michael Gettes wrote: Yeah, I hear what you’re saying. 47758 is due to running

Re: [389-users] 1.2.11.29 prediction?

2014-04-04 Thread Morgan Jones
On Apr 4, 2014, at 3:20 PM, Rich Megginson rmegg...@redhat.com wrote: On 04/04/2014 01:04 PM, Morgan Jones wrote: On Apr 3, 2014, at 5:11 PM, Rich Megginson rmegg...@redhat.com wrote: On 04/03/2014 02:56 PM, Morgan Jones wrote: On Apr 3, 2014, at 3:39 PM, Rich Megginson rmegg...@redhat.com

Re: [389-users] Some bind DNs sporadically can't search users

2014-03-06 Thread Morgan Jones
On Mar 6, 2014, at 11:32 AM, Ludwig Krispenz lkris...@redhat.com wrote: On 03/04/2014 11:10 PM, Morgan Jones wrote: On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz lkris...@redhat.com wrote: Are groups involved in the acis and do these groups during these runs ? Yes, most of our ACIs use

Re: [389-users] Some bind DNs sporadically can't search users

2014-03-06 Thread Morgan Jones
On Mar 6, 2014, at 11:51 AM, Ludwig Krispenz lkris...@redhat.com wrote: One more question. Do the searches always match only one entry or one they should see and some they shouldn't ? In every case where we've seen this problem it's a search for one entry (uid=username) that the bind dn is

Re: [389-users] Multi-Master Replication Issue

2014-03-06 Thread Morgan Jones
For testing I know TLS_REQCERT never works. For production I use: TLS_REQCERT demand TLS_CACERT /path/to/ca_cert.pem If TLS_REQCERT never works then there's something wrong with your cert most likely. Though I'd expect a generic connection error if were just having a problem verifying the

Re: [389-users] Some bind DNs sporadically can't search users

2014-03-04 Thread Morgan Jones
On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz lkris...@redhat.com wrote: Are groups involved in the acis and do these groups during these runs ? Yes, most of our ACIs use groups to determine access. I'm not sure I understand the second part of your question though. you can't, it was

[389-users] Some bind DNs sporadically can't search users

2014-03-03 Thread Morgan Jones
We're pulling our hair out over this issue and wondering if it rings a bell for anyone or perhaps there's a bug fix in a later version of 389 that might resolve it. I've looked and not found anything but it's also not the easiest issue to search for. We are on CentOS DS now but can move to

Re: [389-users] Some bind DNs sporadically can't search users

2014-03-03 Thread Morgan Jones
On Mar 3, 2014, at 11:24 AM, Rich Megginson rmegg...@redhat.com wrote: On 03/03/2014 08:56 AM, Morgan Jones wrote: We're pulling our hair out over this issue and wondering if it rings a bell for anyone or perhaps there's a bug fix in a later version of 389 that might resolve it. I've

Re: [389-users] Some bind DNs sporadically can't search users

2014-03-03 Thread Morgan Jones
On Mar 3, 2014, at 11:07 AM, Ludwig Krispenz lkris...@redhat.com wrote: Hi, so you say that a search with a specific bind user sometimes succeeds and sometimes doesn't ? Correct. If so, could you run this with aci logging enabled ? Sure though we are still unable to repeat the problem

Re: [389-users] Problems setting up MMR

2013-08-22 Thread Morgan Jones
Louis, Did you create cn=replication manager? It looks like you did not. Try this to see if it's there: ldapsearch -H ldaps://ldap02 -D cn=directory\ manager -w pass -LLLb cn=replication manager,cn=config objectclass=\* replace ldaps with ldap of course if you have not set up ssl. I believe

[389-users] problems with password policies

2013-08-22 Thread Morgan Jones
Either I'm missing something or password policies just don't work in Redhat (CentOS) directory 8.2.8. I started by creating a subtree policy on the command line: # ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S ou=students,dc=domain,dc=org adding new entry

Re: [389-users] Problems setting up MMR

2013-08-22 Thread Morgan Jones
the consumer. So now that I have it working how do I test it and validate it? Louis On Aug 22, 2013, at 3:25 PM, Morgan Jones mor...@morganjones.org wrote: Louis, Did you create cn=replication manager? It looks like you did not. Try this to see if it's there: ldapsearch -H ldaps

Re: [389-users] memberof plugin unreliable?

2013-08-12 Thread Morgan Jones
Venkat et al, Yes, well at least all of the users in the group do. Though we provision programmatically so I'd guess all or at least the vast majority of our users do. -morgan On Aug 12, 2013, at 2:32 PM, Mahadevan, Venkat wrote: Do all of your user entries have the inetUser objectClass on

[389-users] memberof plugin unreliable?

2013-08-12 Thread Morgan Jones
I have a client running CentOS directory 8.2.8, CentOS 5. We have two multi-masters with two read-only replicas. We enabled the memberof plugin and it shows group memberships unreliably at best. Is this a known issue or I am perhaps missing something? For example: ldapsearch -x -w

Re: [389-users] centOS vs Redhat vs 389 and partial replication problems

2013-03-22 Thread Morgan Jones
On Mar 22, 2013, at 12:04 PM, Rich Megginson wrote: On 03/21/2013 02:45 PM, Morgan Jones wrote: Hello everyone, We've standardized on CentOS Directory our ~30,000 user directory environment. It's a 6 servers total: two multi-master, two read-only consumers with a full replication

[389-users] centOS vs Redhat vs 389 and partial replication problems

2013-03-21 Thread Morgan Jones
Hello everyone, We've standardized on CentOS Directory our ~30,000 user directory environment. It's a 6 servers total: two multi-master, two read-only consumers with a full replication agreement and two read-only consumers with a partial replication. We have a specific problem that we were