Hello,
We are moving to Ubuntu 22.04 across our servers: is there a recommended Ubuntu
repo for 389 Directory?
On a related note is there an official Docker image?
We have about 250,000 users and currently have 6 replicas all running CentOS 7.
thanks,
Thanks for the info William and Thierry, this all makes sense.
We'll start testing in the coming weeks and see how it goes.
-morgan
> On May 19, 2022, at 03:25, Thierry Bordaz wrote:
>
>
> On 5/19/22 1:51 AM, William Brown wrote:
>>
>>> On 19 May 2022, at
Hello Everyone,
We are merging our student directory (about 200,000 entries) into our existing
employee directory (about 25,000 entries).
They're a pair of multi-master replicas on virtual hardware that can easily be
expanded if needed though hardware performance hasn't been an issue.
Does
Hello,
Would someone mind taking a look at the below and tell me what I am missing??
I have a requirement to make a group readable by its members:
morgan@m1macbook ~ % ldapmodify -H ldaps://prdds22.domain.org -x -y pass.txt -f
duo_aci_example.ldif
modifying entry
Can anyone provide insight on why the below might be happening, my best guess
is a corrupt uniquemember index??
I initially tried it as a user which also fails but switched to Directory
Manager to rule out an access control issue.
We have identical prod, dev, and test environments and I only
is the version to go.
>
> my 2cts
>
> regards
> thierry
>
> On 11/10/21 4:18 AM, Morgan Jones wrote:
>> Hello!
>>
>> Is it advisable to run 389 1.3 in production?
>>
>> If not is there a suggested way to install 1.4 in CentOS 7? On first blu
Hello!
Is it advisable to run 389 1.3 in production?
If not is there a suggested way to install 1.4 in CentOS 7? On first blush to
install 389 from source it’s looking like I’m going to need to install libicu
from source, the version that ships is an older version:
> checking for ICU... no
> On Sep 28, 2021, at 6:09 PM, Mark Reynolds wrote:
>
> You are not, you set it up correctly. One thing you did not list was that
> you are supposed to add an aci that allows that group to update the
> userpassword attribute, but that would not explain the constraint violation.
> It could
May I have a sanity check here? I am attempting to add pre-hashed passwords to
users. If I’ve read the documentation correctly this should work. I’ve also
tried putting uid=selectivesync389,ou=svc_accts,dc=domain,dc=org directly in
passwordAdminDN:
morgan@woodrow-2 ~ % ldapsearch -H
Thanks Mark, I should have been able to find that.
Is there a downside to leaving this on all the time?
-morgan
> On Oct 4, 2017, at 3:53 PM, Mark Reynolds <marey...@redhat.com> wrote:
>
> Hi Morgan,
>
> On 10/04/2017 03:46 PM, Morgan Jones wrote:
>> I’m worki
I’m working on importing a Ldif from an older version of Redhat and have a few
dozen of the below: is there a way to increase debugging such that it tells me
which attribute violates syntax? I’ve looked and can’t find anything. We have
a moderately complex custom schema and it’s tough to
cord $
> KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ APLRecord $ DSRecord $
> SSHFPRecord $ IPSECKEYRecord $ RRSIGRecord $ NSECRecord $ DNSKEYRecord $
> DHCIDRecord $ SPFRecord )
> )
>
> Tomas
>
>
>
> On 24 September 2017 at 04:12, Morgan Jones <mo
Tomas,
It’s been a while since I’ve done it but I seem to remember it being relatively
straightforward to convert between OpenLDAP's and 389’s schema formats. Have
you made an attempt to convert the PowerDNS schema?
-morgan
> On Sep 22, 2017, at 6:13 AM, Tomáš Brandýský
pect "Directory server network port"
> send "389\r"
> expect "Directory server identifier"
> send "\r"
> expect "Suffix"
> send "\r"
> expect "Directory Manager DN"
> send "\r"
> expect "Password
be willing to post a
sanitized version of your inf so we can compare notes?
I agree expect is clunky, I’m curious to find out what your problem is as I’ve
been living this issue for the last week or so.
-morgan
> On Sep 18, 2017, at 4:41 PM, Morgan Jones <mor...@morganjones.org>
https://github.com/morganllj/ansible-playbooks/blob/3bf0fa9ee5c69c10940eaa2163b6d69155767475/templates/adm.conf.j2
https://github.com/morganllj/ansible-playbooks/blob/3bf0fa9ee5c69c10940eaa2163b6d69155767475/install_389.yml
-morgan
> On Sep 15, 2017, at 12:56 PM, Morgan Jones
Patrick,
I have no experience using the admin console for access control or your
particular problem but I can share what we did that I think accomplishes your
goal as we similarly decided to block anonymous access. To oversimplify we
modified the stock acis with an explicit list of what
Mark,
I set up an account and gave it a +1. If I need to do more don’t hesitate to
ask.
Thanks for taking care of this.
-morgan
> On Sep 14, 2017, at 4:57 PM, Mark Reynolds <marey...@redhat.com> wrote:
>
>
>
> On 09/14/2017 04:12 PM, Morgan Jones wrote:
>>
Julian,
Sorry on the name mix-up, typing quickly.
-morgan
> On Sep 15, 2017, at 12:56 PM, Morgan Jones <mor...@morganjones.org> wrote:
>
> Hello Julia,
>
> I’m troubleshooting this exact behavior. So far I’ve found if you create an
> /etc/dirsrv/admin-serv/ad
Hello Julia,
I’m troubleshooting this exact behavior. So far I’ve found if you create an
/etc/dirsrv/admin-serv/adm.conf before the silent install it works. However we
just went through a host domain name change (long story) and I’m having I think
unrelated problems. I hope to resolve that
i.fedoraproject.org/koji/taskinfo?taskID=21865518
>
> Here is the bodhi link that requires "karma" to become an official
> update in epel7
>
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-cec2fcb8ae
>
> Regards,
> Mark
>
> On 09/14/2017
-framework-1.1.17-5.fc27.noarch.rpm
yum install 389-ds
-morgan
> On Sep 13, 2017, at 6:28 PM, Morgan Jones <mor...@morganjones.org> wrote:
>
> As of just today a yum install 389-ds fails for me with
>
> --> Processing Conflict: jss-4.4.0-7.el7.x86_64 conflicts
> idm
As of just today a yum install 389-ds fails for me with
--> Processing Conflict: jss-4.4.0-7.el7.x86_64 conflicts idm-console-framework
< 1.1.17-4
--> Finished Dependency Resolution
Error: jss conflicts with idm-console-framework-1.1.17-1.el7.noarch
It appears to be an update to jss in early
at.com> wrote:
>
>
>
> On 08/23/2017 03:09 PM, Morgan Jones wrote:
>> Mark,
>>
>> See attached. The break in the log is where it hung and then came back to
>> life.
> Odd, I don't see the connection being closed. Looks like the client
> (the consol
Aug 23, 2017, at 12:35 PM, Mark Reynolds <marey...@redhat.com> wrote:
>
>
>
> On 08/23/2017 12:31 PM, Morgan Jones wrote:
>>> On Aug 23, 2017, at 12:17 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>
>>>
>>>> [pid 27442] recv
> On Aug 23, 2017, at 12:17 PM, Mark Reynolds wrote:
>
>
>> [pid 27442] recvmsg(14, 0x7f3880ef74d0, 0) = -1 EAGAIN (Resource temporarily
>> unavailable)
>> [pid 27442] recvmsg(14, 0x7f3880ef74d0, 0) = -1 EAGAIN (Resource temporarily
>> unavailable)
>> [pid 27442]
> On Aug 23, 2017, at 11:32 AM, Mark Reynolds <marey...@redhat.com> wrote:
>
>
>
> On 08/23/2017 11:18 AM, Morgan Jones wrote:
>>
>> I’m registering remote servers. We have a total of 5. It starts to hang
>> after installing the 4th.
> Do you see
unavailable)
[pid 27442] poll([{fd=14, events=POLLRDNORM}, {fd=15, events=POLLRDNORM}], 2,
500
[pid 27440] <... futex resumed> ) = -1 ETIMEDOUT (Connection timed out)
[pid 27440] futex(0x7f38940cfd28, FUTEX_WAKE_PRIVATE, 1) = 0
-morgan
> On Aug 23, 2017, at 11:18 AM, Morgan Jon
> On Aug 22, 2017, at 2:15 PM, Mark Reynolds <marey...@redhat.com> wrote:
>
>
>
> On 08/22/2017 01:36 PM, Morgan Jones wrote:
>> Thanks—is there a trick to turning on admin-serv logging? I don’t have one
>> and at least on first blush don’t see a means of ena
sage that keeps repeating is expected
> when the console is idle (it's waiting for you to do something).
>
> Perhaps there is something in the admin logs:
>
> /var/log/dirsrv/admin-serv
>
> Regards,
> Mark
>
> On 08/16/2017 03:39 PM, Morgan Jones wrote:
>> Hello
Hello Mark,
See attached, "AbstractServerObject.StatusThread: waiting for change listeners
to register” repeats presumably forever after it hangs.
Thanks,
-morgan
java.util.prefs.userRoot=/home1/morgan/.389-console
java.runtime.name=OpenJDK Runtime Environment
I’m in the process of installing 389 in CentOS 7 from epel (versions below) and
find that the console becomes unresponsive after I install the 4th server. I
can open the console and expand a few servers but within 30 seconds it
consistently hangs. I am storing configuration data in one
n May 29, 2016, at 23:04, William Brown <wibr...@redhat.com> wrote:
>
> On Mon, 2016-05-23 at 11:52 -0400, Morgan Jones wrote:
>> Hello William,
>>
>> Is this what you’re looking for? I’ve included the full entry below but it
>> appears pwdPolicySubentry is operat
orgSponsorHomeOrgCD: x
orgAcceptedTermsofUse: FALSE
orgSponsorEIDN: x
orgGAFEOverrideOrgUnit: /STAFF/x/x
sambaSID: x
mail: mor...@domain.org
orgAccountActive: TRUE
homeDirectory: /home/morgan
gecos: Morgan Jones
loginShell: /bin/bash
uidNumber: x
gidNumber: x
orgEIDN: x
orgHomeOrgCD: x
givenName: Morgan
sn
> On May 19, 2016, at 19:04, William Brown wrote:
>
> It would be good to get a look at the object that is affected here. Can you
> show me: pwdpolicysubentry from the affected user
> entry?
>
> Then can you also show the contents of the dn listed by that
>
I am following up in hopes that maybe this was just missed the first time
around. Is anyone using a subtree password policy in a recent version of 389
and does it work?
thanks,
-morgan
> On May 11, 2016, at 16:51, Morgan Jones <mor...@morganjones.org> wrote:
>
>
Hello,
We are configuring password policy in 389 directory. We’re running what I
believe is the latest stable version from the Epel repository on CentOS 6:
[root@devldapm03 ~]# rpm -qa|grep 389
389-admin-1.1.35-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
or
data that doesn’t match the RFC.
I can, of course, work through it attribute by attribute but I’m surprised to have
to do that when usually the server logs the problem verbosely.
thanks,
-morgan
Morgan Jones wrote:
I am working on a move from CentOS Directory (8.2.8) on CentOS 5 to 389-ds
/syntax-validation.html#syntax-validation-script
I don't know why the ldapmodify command succeeded, maybe someone can answer
this.
KELMENI Lulzim
On 19/05/2014 22:38, Morgan Jones wrote:
I am working on a move from CentOS Directory (8.2.8) on CentOS 5 to 389-ds
1.2.11 on CentOS
The yum man page explains it: basically upgrade removes obsoleted packages. I
don’t know that it will affect the 389 packages but it’s always a good idea to
use upgrade with caution.
-morgan
On May 20, 2014, at 1:00 PM, Rich Megginson rmegg...@redhat.com wrote:
On 05/20/2014 10:58 AM,
I am working on a move from CentOS Directory (8.2.8) on CentOS 5 to 389-ds
1.2.11 on CentOS 6. I’m using a combination of the CentOS repositories and
epel as suggested here.
I'm finding ldif2db rejects entries while if I add them via ldapmodify they go
in with no errors. This is a problem
On Apr 3, 2014, at 5:11 PM, Rich Megginson rmegg...@redhat.com wrote:
On 04/03/2014 02:56 PM, Morgan Jones wrote:
On Apr 3, 2014, at 3:39 PM, Rich Megginson rmegg...@redhat.com wrote:
On 04/03/2014 01:35 PM, Michael Gettes wrote:
Yeah, I hear what you’re saying. 47758 is due to running
On Apr 4, 2014, at 3:20 PM, Rich Megginson rmegg...@redhat.com wrote:
On 04/04/2014 01:04 PM, Morgan Jones wrote:
On Apr 3, 2014, at 5:11 PM, Rich Megginson rmegg...@redhat.com wrote:
On 04/03/2014 02:56 PM, Morgan Jones wrote:
On Apr 3, 2014, at 3:39 PM, Rich Megginson rmegg...@redhat.com
On Mar 6, 2014, at 11:32 AM, Ludwig Krispenz lkris...@redhat.com wrote:
On 03/04/2014 11:10 PM, Morgan Jones wrote:
On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz lkris...@redhat.com wrote:
Are groups involved in the acis and do these groups during these runs ?
Yes, most of our ACIs use
On Mar 6, 2014, at 11:51 AM, Ludwig Krispenz lkris...@redhat.com wrote:
One more question. Do the searches always match only one entry or one they
should see and some they shouldn't ?
In every case where we've seen this problem it's a search for one entry
(uid=username) that the bind dn is
For testing I know TLS_REQCERT never works.
For production I use:
TLS_REQCERT demand
TLS_CACERT /path/to/ca_cert.pem
If TLS_REQCERT never works then there's something wrong with your cert most
likely. Though I'd expect a generic connection error if were just having a
problem verifying the
On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz lkris...@redhat.com wrote:
Are groups involved in the acis and do these groups during these runs ?
Yes, most of our ACIs use groups to determine access. I'm not sure I
understand the second part of your question though.
you can't, it was
We're pulling our hair out over this issue and wondering if it rings a bell for
anyone or perhaps there's a bug fix in a later version of 389 that might
resolve it. I've looked and not found anything but it's also not the easiest
issue to search for. We are on CentOS DS now but can move to
On Mar 3, 2014, at 11:24 AM, Rich Megginson rmegg...@redhat.com wrote:
On 03/03/2014 08:56 AM, Morgan Jones wrote:
We're pulling our hair out over this issue and wondering if it rings a bell
for anyone or perhaps there's a bug fix in a later version of 389 that
might resolve it. I've
On Mar 3, 2014, at 11:07 AM, Ludwig Krispenz lkris...@redhat.com wrote:
Hi,
so you say that a search with a specific bind user sometimes succeeds and
sometimes doesn't ?
Correct.
If so, could you run this with aci logging enabled ?
Sure though we are still unable to repeat the problem
Louis,
Did you create cn=replication manager? It looks like you did not.
Try this to see if it's there:
ldapsearch -H ldaps://ldap02 -D cn=directory\ manager -w pass -LLLb cn=replication\ manager,cn=config objectclass=\*
replace ldaps with ldap of course if you have not set up ssl.
I believe
Either I'm missing something or password policies just don't work in Redhat
(CentOS) directory 8.2.8.
I started by creating a subtree policy on the command line:
# ./ns-newpwpolicy.pl -D cn=directory\ manager -w pass -h localhost -S
ou=students,dc=domain,dc=org
adding new entry
the
consumer.
So now that I have it working how do I test it and validate it?
Louis
On Aug 22, 2013, at 3:25 PM, Morgan Jones mor...@morganjones.org wrote:
Louis,
Did you create cn=replication manager? It looks like you did not.
Try this to see if it's there:
ldapsearch -H ldaps
Venkat et al,
Yes, well at least all of the users in the group do. Though we provision
programmatically so I'd guess all or at least the vast majority of our users do.
-morgan
On Aug 12, 2013, at 2:32 PM, Mahadevan, Venkat wrote:
Do all of your user entries have the inetUser objectClass on
I have a client running CentOS directory 8.2.8, CentOS 5. We have two
multi-masters with two read-only replicas.
We enabled the memberof plugin and it shows group memberships unreliably at
best. Is this a known issue or I am perhaps missing something?
For example:
ldapsearch -x -w
On Mar 22, 2013, at 12:04 PM, Rich Megginson wrote:
On 03/21/2013 02:45 PM, Morgan Jones wrote:
Hello everyone,
We've standardized on CentOS Directory for our ~30,000 user directory
environment. It's 6 servers total: two multi-master, two read-only
consumers with a full replication
Hello everyone,
We've standardized on CentOS Directory for our ~30,000 user directory environment.
It's 6 servers total: two multi-master, two read-only consumers with a full
replication agreement and two read-only consumers with a partial replication.
We have a specific problem that we were
57 matches