starttls does not work with chaining backend
by Jacek Nykis
Hi,
I am trying to set up a chaining backend and I encountered some problems.
I set up an nsBackendInstance object with all attributes but it would seem that "nsusestarttls" does not have any effect. Here is what happens:
If I use ldaps over port 636 everything is fine:
nsusestarttls: off
nsfarmserverurl: ldaps://xxx:636
But when I change values to below it stops:
nsusestarttls: on
nsfarmserverurl: ldap://xxx:389
Logs on master server suggest that slave does not use startTLS when connecting.
On slave server I can see this:
[02/Sep/2010:15:53:22 +0000] conn=1 fd=64 slot=64 connection from <client IP> to <Slave IP>
[02/Sep/2010:15:53:22 +0000] conn=1 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Sep/2010:15:53:22 +0000] conn=1 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Sep/2010:15:53:22 +0000] conn=1 SSL 256-bit AES
[02/Sep/2010:15:53:22 +0000] conn=1 op=1 BIND dn="uid=xxx,ou=xxx,dc=xxx" method=128 version=3
[02/Sep/2010:15:53:22 +0000] conn=1 op=1 RESULT err=13 tag=97 nentries=0 etime=0
[02/Sep/2010:15:53:22 +0000] conn=1 op=-1 fd=64 closed - B1
On master:
[02/Sep/2010:15:53:22 +0000] conn=34 fd=64 slot=64 connection from <Slave IP> to <Master IP>
[02/Sep/2010:15:53:22 +0000] conn=34 op=0 BIND dn="uid=xxx,ou=xxx,dc=xxx" method=128 version=3
[02/Sep/2010:15:53:22 +0000] conn=34 op=0 RESULT err=13 tag=97 nentries=0 etime=0
We would prefer to use startTLS on port 389. Does anybody know if this is possible or if anything else is required to make it work?
--
Jacek Nykis
IS Unix Frontend Engineer
Fax: +44 (0) 20 8834 8001
Yahoo! Messenger: nykisj
Betfair Limited | Winslow Road | Hammersmith Embankment | London | W6 9HP
Company No. 5140986
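An added example, mine and not part of Jacek's post or of 389 DS: a small Python pass over 389 DS access-log lines that records, per connection, whether an `SSL ...` line (written once a TLS handshake completes, after a StartTLS extended operation or on an LDAPS port) preceded each BIND, and pairs each BIND with the RESULT carrying its error code. Run over the two excerpts in the post it separates the consumer side (bind issued after StartTLS) from the farm-server side (bind issued on a connection that never negotiated TLS, answered with err=13, which RFC 4511 defines as confidentialityRequired). The log lines below are constructed after the post's, with made-up addresses and a made-up bind DN in place of the redacted ones.

```python
import re
from typing import Dict, List

# LDAP resultCode values (RFC 4511, section 4.1.9) that come up when triaging binds.
RESULT_CODES = {
    0: "success",
    13: "confidentialityRequired",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}

# 389 DS access-log shapes used below: every line is "[timestamp] conn=N ...".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>-?\d+) (?P<body>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")

# Constructed sample logs, modelled on the two excerpts in the post; the addresses
# and the bind DN are made up in place of the redacted ones.
CONSUMER_LOG = """\
[02/Sep/2010:15:53:22 +0000] conn=1 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.9
[02/Sep/2010:15:53:22 +0000] conn=1 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[02/Sep/2010:15:53:22 +0000] conn=1 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[02/Sep/2010:15:53:22 +0000] conn=1 SSL 256-bit AES
[02/Sep/2010:15:53:22 +0000] conn=1 op=1 BIND dn="uid=svc,ou=people,dc=example,dc=com" method=128 version=3
[02/Sep/2010:15:53:22 +0000] conn=1 op=1 RESULT err=13 tag=97 nentries=0 etime=0
[02/Sep/2010:15:53:22 +0000] conn=1 op=-1 fd=64 closed - B1
"""

FARM_LOG = """\
[02/Sep/2010:15:53:22 +0000] conn=34 fd=64 slot=64 connection from 10.0.0.9 to 10.0.0.1
[02/Sep/2010:15:53:22 +0000] conn=34 op=0 BIND dn="uid=svc,ou=people,dc=example,dc=com" method=128 version=3
[02/Sep/2010:15:53:22 +0000] conn=34 op=0 RESULT err=13 tag=97 nentries=0 etime=0
"""


def audit_binds(log_text: str) -> List[dict]:
    """One record per BIND: whether the connection had an 'SSL ...' line (logged once
    the TLS handshake completes, after StartTLS or on an LDAPS port) before the bind
    was issued, and the err= value of the matching RESULT line."""
    secured: Dict[str, bool] = {}      # conn -> TLS established so far
    pending: Dict[tuple, dict] = {}    # (conn, op) -> bind record waiting for its RESULT
    records: List[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if rest.startswith("SSL "):
            secured[conn] = True
            continue
        op = OP_RE.match(rest)
        if not op:
            continue
        key = (conn, op.group("op"))
        bind = BIND_RE.match(op.group("body"))
        if bind:
            rec = {"conn": int(conn), "op": int(op.group("op")), "dn": bind.group("dn"),
                   "method": bind.group("method"), "tls": secured.get(conn, False), "err": None}
            pending[key] = rec
            records.append(rec)
            continue
        result = RESULT_RE.match(op.group("body"))
        if result and key in pending:
            pending.pop(key)["err"] = int(result.group("err"))
    return records


def cleartext_simple_binds(records: List[dict]) -> List[dict]:
    """Simple binds (method=128) sent before any TLS was negotiated on the connection:
    the password travelled in clear, whatever the server then answered."""
    return [r for r in records if r["method"] == "128" and not r["tls"]]


def describe(rec: dict) -> str:
    return "conn=%d op=%d dn=%s %s err=%s (%s)" % (
        rec["conn"], rec["op"], rec["dn"],
        "over TLS" if rec["tls"] else "CLEARTEXT",
        rec["err"], RESULT_CODES.get(rec["err"], "other"))


if __name__ == "__main__":
    for name, log in (("consumer", CONSUMER_LOG), ("farm server", FARM_LOG)):
        for rec in audit_binds(log):
            print(name + ": " + describe(rec))
```

Pointed at a real access log (`audit_binds(open(path).read())`), `cleartext_simple_binds` is the list worth alerting on: every entry is a credential that crossed the wire unencrypted, whether or not the server accepted it. The consumer log in the post shows the opposite case, a bind over TLS that still got err=13, which is the chained bind's result being relayed back to the client.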
Error setting up MMR
by Steffen Blume
Hi,
I have tried to set up multi-master replication without success. The
two LDAP servers are running fine. Then I execute the mmr.pl script (on b):
./mmr.pl --host1 a.domain.local --host2 b.domain.local --bindpw secret --host1_id 1 --host2_id 2 --repmanpw secret --base "dc=domain, dc=local" --create
--- error log on a ---
[01/Sep/2010:14:11:39 +0200] NSMMReplicationPlugin -
agmt="cn="Replication to b.domain.local"" (b:389): Replica has a
different generation ID than the local data.
[01/Sep/2010:14:11:42 +0200] NSMMReplicationPlugin - Beginning total
update of replica "agmt="cn="Replication to b.domain.local"" (b:389)".
[01/Sep/2010:14:11:47 +0200] NSMMReplicationPlugin - Finished total
update of replica "agmt="cn="Replication to b.domain.local"" (b:389)".
Sent 1375 entries.
--------------------
--- error log on b ---
[01/Sep/2010:14:11:39 +0200] NSMMReplicationPlugin -
agmt="cn="Replication to a.domain.local"" (a:389): Replica has a
different generation ID than the local data.
[01/Sep/2010:14:11:40 +0200] NSMMReplicationPlugin -
repl_set_mtn_referrals: could not set referrals for replica
dc=domain,dc=local: 32
[01/Sep/2010:14:11:40 +0200] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=domain,dc=local is going
offline; disabling replication
[01/Sep/2010:14:11:41 +0200] - somehow, there are still 200 entries in
the entry cache. :/
[01/Sep/2010:14:11:42 +0200] - WARNING: Import is running with
nsslapd-db-private-import-mem on; No other process is allowed to access
the database
[01/Sep/2010:14:11:46 +0200] - import userRoot: Workers finished;
cleaning up...
[01/Sep/2010:14:11:46 +0200] - import userRoot: Workers cleaned up.
[01/Sep/2010:14:11:46 +0200] - import userRoot: Indexing complete.
Post-processing...
[01/Sep/2010:14:11:46 +0200] - import userRoot: Flushing caches...
[01/Sep/2010:14:11:46 +0200] - import userRoot: Closing files...
[01/Sep/2010:14:11:46 +0200] - somehow, there are still 200 entries in
the entry cache. :/
[01/Sep/2010:14:11:47 +0200] - import userRoot: Import complete.
Processed 1375 entries in 5 seconds. (275.00 entries/sec)
[01/Sep/2010:14:11:47 +0200] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=domain,dc=local is coming
online; enabling replication
[01/Sep/2010:14:11:47 +0200] NSMMReplicationPlugin -
_replica_configure_ruv: failed to create replica ruv tombstone entry
(dc=domain, dc=local); LDAP error - 68
[01/Sep/2010:14:11:47 +0200] NSMMReplicationPlugin -
replica_enable_replication: reloading ruv failed
[01/Sep/2010:14:11:49 +0200] NSMMReplicationPlugin -
_replica_configure_ruv: failed to create replica ruv tombstone entry
(dc=domain, dc=local); LDAP error - 68
[01/Sep/2010:14:12:19 +0200] NSMMReplicationPlugin -
_replica_configure_ruv: failed to create replica ruv tombstone entry
(dc=domain, dc=local); LDAP error - 68
[01/Sep/2010:14:12:49 +0200] NSMMReplicationPlugin -
_replica_configure_ruv: failed to create replica ruv tombstone entry
(dc=domain, dc=local); LDAP error - 68
[01/Sep/2010:14:13:19 +0200] NSMMReplicationPlugin -
_replica_configure_ruv: failed to create replica ruv tombstone entry
(dc=domain, dc=local); LDAP error - 68
[01/Sep/2010:14:13:49 +0200] NSMMReplicationPlugin -
_replica_configure_ruv: failed to create replica ruv tombstone entry
(dc=domain, dc=local); LDAP error - 68
--------------------
So what do the errors "repl_set_mtn_referrals: could not set referrals"
and "_replica_configure_ruv: failed to create replica ruv tombstone
entry" mean?
The messages on b stop when I restart the LDAP server. But the
replication is not working. On the first replication setup not all the
data was copied. I removed the replication configuration with mmr.pl and
set it up again, with the same error messages.
When I change something (in uid=sbl,ou=people,...) on a, the error log of
a shows
--- error log on a ---
[01/Sep/2010:14:35:20 +0200] NSMMReplicationPlugin -
agmt="cn="Replication to b.domain.local"" (b:389): Replica has a
different generation ID than the local data.
[01/Sep/2010:14:35:24 +0200] NSMMReplicationPlugin -
agmt="cn="Replication to b.domain.local"" (b:389): Replica has a
different generation ID than the local data.
[01/Sep/2010:14:35:28 +0200] NSMMReplicationPlugin -
agmt="cn="Replication to b.domain.local"" (b:389): Replica has a
different generation ID than the local data.
...
--------------------
Nothing in error log on b. But in access log:
--- access log on b ---
[01/Sep/2010:14:35:20 +0200] conn=0 op=3 SRCH base="ou=People,
dc=domain, dc=local" scope=1 filter="(objectClass=*)" attrs="objectClass"
[01/Sep/2010:14:35:20 +0200] conn=0 op=7 EXT
oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[01/Sep/2010:14:35:20 +0200] conn=0 op=7 RESULT err=0 tag=120 nentries=0
etime=0
[01/Sep/2010:14:35:20 +0200] conn=0 op=8 EXT
oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[01/Sep/2010:14:35:20 +0200] conn=0 op=8 RESULT err=0 tag=120 nentries=0
etime=0
[01/Sep/2010:14:35:20 +0200] conn=0 op=3 RESULT err=0 tag=101
nentries=100 etime=0 notes=U
[01/Sep/2010:14:35:20 +0200] conn=0 op=4 SRCH base="ou=People,
dc=domain, dc=local" scope=1 filter="(objectClass=*)" attrs="objectClass"
[01/Sep/2010:14:35:20 +0200] conn=0 op=4 RESULT err=0 tag=101
nentries=82 etime=0
[01/Sep/2010:14:35:24 +0200] conn=0 op=10 EXT
oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[01/Sep/2010:14:35:24 +0200] conn=0 op=10 RESULT err=0 tag=120
nentries=0 etime=0
[01/Sep/2010:14:35:24 +0200] conn=0 op=11 EXT
oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[01/Sep/2010:14:35:24 +0200] conn=0 op=11 RESULT err=0 tag=120
nentries=0 etime=0
[01/Sep/2010:14:35:25 +0200] conn=0 op=5 SRCH
base="uid=sbl,ou=People,dc=domain,dc=local" scope=0
filter="(objectClass=*)" attrs=ALL
[01/Sep/2010:14:35:25 +0200] conn=0 op=5 RESULT err=0 tag=101 nentries=1
etime=0
[01/Sep/2010:14:35:27 +0200] conn=0 op=12 EXT
oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[01/Sep/2010:14:35:27 +0200] conn=0 op=12 RESULT err=0 tag=120
nentries=0 etime=0
[01/Sep/2010:14:35:27 +0200] conn=0 op=13 EXT
oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[01/Sep/2010:14:35:27 +0200] conn=0 op=13 RESULT err=0 tag=120
nentries=0 etime=0
...
--------------------
Both 389 DS versions are 1.2.4. I compiled it myself for OpenSolaris
(SunOS 5.11 snv_111b)
Regards,
Steffen
--
Dipl.-Ing. Steffen Blume Institute of Microelectronic Systems
phone : +49-511-762-19605 Leibniz Universität Hannover
fax : +49-511-762-19601 Appelstr. 4, 30167 Hannover, Germany
mail : sblume(a)ims.uni-hannover.de
SSL Cert Issue
by John Mancuso
Two questions:
1. I have generated self-signed ssl/ca certs trying both the
"certutil" method from the redhat doc and also the standard "openssl
x509 req -new" method. After installing the certs and enabling secure
ldaps replication both result in
slapi_ldap_bind - Error: could not send bind request for id
[cn=replication manager,cn=config] mech [SIMPLE]: error 81 (Can't
contact LDAP server) -8172 (Peer's certificate issuer has been marked
as not trusted by the user.) 11 (Resource temporarily unavailable)
Is there a known issue with self-signed certs?
2. If there is an issue with the above, we may end up purchasing a
wildcard cert for replicating across subdomains. I know in the HTML
world some web browsers complain about ssl wildcard certs across
subdomains. Any possible issues with this approach?
ldaps://supplier_ldap.mycompany.com----> ldaps://consumer_ldap.dev.mycompany.com
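On the second question, an added example (mine, not from the post): RFC 6125 section 6.4.3 name matching as a TLS client applies it to a server certificate. A wildcard is accepted only as the whole left-most label and it matches exactly one label, so `*.mycompany.com` covers `supplier_ldap.mycompany.com` but not `consumer_ldap.dev.mycompany.com`; and when the certificate carries dNSName subjectAltNames, only those are compared and the subject CN is ignored. The host names are the post's; the functions are mine and apply the conservative reading of the RFC (partial-label wildcards such as `ldap*.example.com`, which the RFC tolerates, are rejected here).

```python
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels: case-insensitive, trailing dot ignored."""
    return name.rstrip(".").lower().split(".")


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 matching of one certificate name against the host we
    connected to. Rules applied: same number of labels; labels compare case-insensitively;
    a wildcard is accepted only as the complete left-most label; it matches exactly one
    label (never an empty label, never a dot); no wildcard in the two right-most labels,
    so '*.com' is refused. Partial-label wildcards ('ldap*.example.com') are rejected
    here although the RFC tolerates them."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return p[1:] == h[1:]


def cert_matches_host(san_dns_names: List[str], subject_cn: Optional[str], hostname: str) -> bool:
    """Reference identity selection per RFC 6125: when the certificate carries dNSName
    subjectAltNames only those are compared; the subject CN is consulted only for a
    certificate that has no dNSName SAN at all."""
    if san_dns_names:
        return any(dnsname_matches(n, hostname) for n in san_dns_names)
    return subject_cn is not None and dnsname_matches(subject_cn, hostname)


if __name__ == "__main__":
    for host in ("supplier_ldap.mycompany.com", "consumer_ldap.dev.mycompany.com"):
        print(host, "<- *.mycompany.com :", dnsname_matches("*.mycompany.com", host))
```

So a single wildcard certificate does not span `mycompany.com` and `dev.mycompany.com`; a certificate whose SAN lists both `*.mycompany.com` and `*.dev.mycompany.com` does, as does one with the exact host names. On the first question: -8172 is NSS's SEC_ERROR_UNTRUSTED_ISSUER, returned when the issuer certificate is present in the certificate database but its trust flags do not mark it as a CA trusted for SSL (an issuer that is missing altogether gives SEC_ERROR_UNKNOWN_ISSUER, -8179). `certutil -L -d <certdb>` lists each nickname's trust flags; a CA used to validate the peer's server certificate needs the `C` flag in the first (SSL) column, for example `CT,,`.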
changelogdb has gotten large...
by Hartmann, Tim
Hi,
I've run into a situation where one of the files in /var/lib/dirsrv/<instance>/changelogdb has grown almost as large as the partition it's on. In my directory server configs, I noticed I was keeping an unlimited changelog, so I set that to what seems like a reasonably long amount of time (18 weeks) but didn't see any decrease in the file size. I'm wondering now about the best course of action. I can
a) move the whole dirsrv directory to another partition with more space available and symlink the old location to the new, which worked when I tested it, but I wanted to make sure I wouldn't be hosing something up the next time I upgrade.
b) find some means of manually shrinking the *.db ( can you even do that?)
c) point dirsrv at a new location, and reinitialize the consumers (which doesn't seem all that desirable)
Has anyone else found it necessary to shrink your changelogdb?
Thanks
-Tim
ns-slapd processes not dying
by Angel Bosch Mora
hi,
I had problems with "too many fds open" on some instances and after digging a bit I've found that ns-slapd doesn't die.
I have 5 similar installations and this is happening in just two of them, and I can't identify what it is about.
I've been collecting process information and I know for sure that the only process that keeps increasing is ns-slapd and eventually, after some weeks, 389 starts refusing new connections and I get the "too many fds open" message.
I can increase max fds but the problem of processes staying alive is still there.
Anyone facing a similar situation?
regards,
abosch
ACI which allows subtree modification only
by Ondrej Ivanič
Hi,
Is it possible to create ACI which allows any change to subtree under
bind DN? Here is an example:
ou=UnitA, dc=example, dc=com
uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
uid=userA1, ou=UnitA, dc=example, dc=com
uid=userA2, ou=UnitA, dc=example, dc=com
uid=userA3, ou=UnitA, dc=example, dc=com
ou=UnitB, dc=example, dc=com
uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
uid=userB1, ou=UnitB, dc=example, dc=com
The idea is that an admin could change anything (modify/add/remove
attributes) under his 'ou', i.e. adminA has full access to all DNs
under ou=UnitA, dc=example, dc=com but no access to ou=UnitB
I tried the following ACI:
(target="ldap:///($dn)")(targetattr="*")
(version 3.0; acl "Administrator access"; allow (all)
roledn="ldap:///cn=Administrator,dc=example,dc=com";)
But AdminA could change anything under ou=UnitB. Any ideas how to
fix/change ACI?
PS. Please CC me because i'm not on the list.
Thanks,
--
Ondrej Ivanic
(ondrej.ivanic(a)gmail.com)
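An added example, mine and not from the post: a macro ACI that scopes a unit admin to his own ou. It relies on the macro ACI feature of 389/Red Hat Directory Server as I understand it: `($dn)` in the target captures the part of the accessed entry's DN between the fixed parts of the target, and `[$dn]` in the bind rule is expanded from that capture, dropping left-most RDNs one at a time until an existing entry matches. The per-unit `cn=Admins` group is an assumption introduced for the example; the ou and uid values are the post's.

```ldif
# Added example, not from the post. One macro ACI on the suffix: ($dn) captures the
# part of the target entry's DN in front of dc=example,dc=com, and [$dn] in the bind
# rule is expanded from that capture, shortest-surviving match wins.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///($dn),dc=example,dc=com")(targetattr="*")
 (version 3.0; acl "Unit admins manage their own unit"; allow (all)
 groupdn="ldap:///cn=Admins,[$dn],dc=example,dc=com";)

# One admin group per unit (assumed name cn=Admins); adminA is a member of UnitA's only.
dn: cn=Admins,ou=UnitA,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: Admins
uniqueMember: uid=adminA,ou=UnitA,dc=example,dc=com

dn: cn=Admins,ou=UnitB,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: Admins
uniqueMember: uid=adminB,ou=UnitB,dc=example,dc=com
```

For adminA touching `uid=userA1,ou=UnitA,dc=example,dc=com`, `($dn)` captures `uid=userA1,ou=UnitA`; the bind rule is tried as `cn=Admins,uid=userA1,ou=UnitA,dc=example,dc=com` (no such entry) and then as `cn=Admins,ou=UnitA,dc=example,dc=com`, which lists adminA. For an entry under ou=UnitB the same expansion ends at `cn=Admins,ou=UnitB,dc=example,dc=com`, which adminA is not in, so the ACI does not apply. One check worth running on a test instance before relying on this: whether `allow (all)` with `targetattr="*"` lets a unit admin modify `aci` values on entries in his unit; if that is not wanted, exclude `aci` explicitly.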
superior attributes (not object classes)
by Brian LaMere
Regarding superior attributes, I found this email from 4 years ago:
https://www.redhat.com/archives/fedora-directory-users/2006-July/msg00059...
In it, "Mike" said "Seems that my schema conversion tool doesn't support
attribute inheritance...[snip]...I will keep this in mind for a feature
enhancement."
rfc2252 defines superior attributes, and it was something I was using in my
schema definition since I have a lot of new attributes and all but 4 of them
had one of 5 different configs of "EQUALITY|ORDERING" and "SYNTAX". Not
only was it cleaner to be able to just inherit the syntax and matching
rules, it also was faster ;) Obviously, it doesn't keep me from doing
anything.
Was this ever looked at again for a feature enhancement? Is it already
available, if I do X thing?
During the schema reload, I got this error (for context):
dse - The entry cn=schema in file
/etc/dirsrv/slapd-(server)/schema/97hosting.ldif is invalid, error code 21
(Invalid syntax) - attribute type nocastr128: Missing parent attribute
syntax OID
I got it because I was using "SUP nocastr128" in an attributeType, after
defining an attributeType of nocastr128 with the base components I wanted to
inherit.
Thanks,
Brian LaMere
ps - I have 2 more emails I'm sending; since they are on different subjects,
I thought I'd break them into different emails. Please let me know if this
was a bad idea and I won't do it again.
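An added example, mine and neither the tool Mike referred to nor part of 389 DS: a Python script that reads `attributeTypes` definitions from a schema LDIF, resolves SUP chains, and emits each definition with the inherited EQUALITY, ORDERING, SUBSTR and SYNTAX clauses written out explicitly, so a server that does not accept attribute inheritance gets equivalent definitions. The schema below is constructed for the example and modelled on the post's `nocastr128` base attribute; the derived attribute names and the OIDs under 1.3.6.1.4.1.99999 are made up. By default the SUP clause is dropped from the output; `keep_sup=True` retains it beside the explicit clauses.

```python
import re
from typing import Dict, List

# Constructed schema for the example, modelled on the post's nocastr128 base attribute;
# the 1.3.6.1.4.1.99999 OIDs and derived attribute names are made up. LDIF folding: a
# continuation line starts with one space, which unfolding removes, so a second space
# is kept to separate the words.
SAMPLE_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'nocastr128' DESC 'base: case-ignore string, max 128'
  EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'hostingPlan' SUP nocastr128 SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'hostingRegion' SUP hostingPlan X-ORIGIN 'user defined' )
"""
INHERITED = ("EQUALITY", "ORDERING", "SUBSTR", "SYNTAX")   # what RFC 4512 2.5.1 passes down SUP
FLAGS = ("SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION")


def unfold_ldif(text: str) -> List[str]:
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_attribute_type(body: str) -> dict:
    """Parse one RFC 4512 AttributeTypeDescription, '( oid NAME ... )', into its clauses."""
    inner = body.strip()[1:-1].strip()

    def word(keyword: str):   # value of a one-token clause such as SUP, SYNTAX or USAGE
        m = re.search(r"\b%s\s+(\S+)" % keyword, inner)
        return m.group(1) if m else None

    names = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", inner)
    desc = re.search(r"\bDESC\s+'([^']*)'", inner)
    d = {"oid": inner.split(None, 1)[0],
         "names": [names.group(1)] if names and names.group(1) else
                  re.findall(r"'([^']*)'", names.group(2)) if names else [],
         "desc": desc.group(1) if desc else None,
         "obsolete": bool(re.search(r"\bOBSOLETE\b", inner)),
         "flags": [f for f in FLAGS if re.search(r"\b%s\b" % f, inner)],
         "usage": word("USAGE"),
         "extensions": re.findall(r"(X-[A-Z0-9_-]+\s+(?:'[^']*'|\((?:\s*'[^']*')+\s*\)))", inner)}
    for key in ("SUP",) + INHERITED:
        d[key] = word(key)
    return d


def render(d: dict) -> str:
    """Emit the description in RFC 4512 clause order."""
    parts = ["(", d["oid"]]
    if d["names"]:
        parts.append("NAME " + ("'%s'" % d["names"][0] if len(d["names"]) == 1 else
                                "( %s )" % " ".join("'%s'" % n for n in d["names"])))
    if d["desc"] is not None:
        parts.append("DESC '%s'" % d["desc"])
    if d["obsolete"]:
        parts.append("OBSOLETE")
    parts += ["%s %s" % (k, d[k]) for k in ("SUP",) + INHERITED if d[k]]
    parts += d["flags"]
    if d["usage"]:
        parts.append("USAGE " + d["usage"])
    return " ".join(parts + d["extensions"] + [")"])


def flatten_schema(text: str, keep_sup: bool = False) -> str:
    """Resolve every SUP chain and emit attributeTypes lines with the inherited matching
    rules and syntax written out. Raises on an unknown SUP or a SUP cycle."""
    by_key: Dict[str, dict] = {}
    in_order: List[dict] = []
    for line in unfold_ldif(text):
        if line.lower().startswith("attributetypes:"):
            d = parse_attribute_type(line.split(":", 1)[1])
            in_order.append(d)
            for key in [d["oid"]] + d["names"]:
                by_key[key.lower()] = d

    def resolved(d: dict, seen: tuple = ()) -> dict:
        if d["SUP"] is None:
            return d
        if d["oid"] in seen:
            raise ValueError("SUP cycle through " + d["oid"])
        parent = by_key.get(d["SUP"].lower())
        if parent is None:
            raise KeyError("%s names unknown SUP %r" % (d["oid"], d["SUP"]))
        p = resolved(parent, seen + (d["oid"],))
        return dict(d, **{k: d[k] if d[k] is not None else p[k] for k in INHERITED})

    out = []
    for d in in_order:
        r = resolved(d)
        out.append("attributeTypes: " + render(r if keep_sup else dict(r, SUP=None)))
    return "\n".join(out)


if __name__ == "__main__":
    print(flatten_schema(SAMPLE_SCHEMA))
```

Only syntax and matching rules are inherited; SINGLE-VALUE and the other flags stay with the definition that declares them, as RFC 4512 section 2.5.1 has it. Dropping SUP also drops the subtype relationship (a search or ACI naming the supertype no longer covers the subtype's values), so `keep_sup=True` is the better output wherever the server accepts it.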
problem creating dynamic groups
by Anderson, Cary
Has anyone had success creating dynamic groups for objectclasses not associated with users and groups? I was trying to create a dynamic group for the various iphost objects I have created, but none of the search strings I have created return any associated iphosts.
ldap:///dc=xxx,dc=xxx,dc=xx??sub? (&(objectclass=people)(sn=anderson)) Works
ldap:///dc=xxx,dc=xxx,dc=xx??sub? (&(objectclass=infra)(description=webserver)) Fails
Thanks
Cary Anderson
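An added example, mine and not part of the post or of 389 DS: a compact model of how a dynamic group's memberURL selects members. The URL is split per RFC 4516 into base, scope and filter, the filter (the RFC 4515 subset with &, |, !, equality and presence) is parsed, and every entry in scope is tested against it. The entries are constructed for the example (one person and two ipHost devices); attribute names are lowercased and values compared case-insensitively, the caseIgnoreMatch behaviour most such attributes use. Running it with a filter patterned on the post's second URL shows what an ipHost entry needs in order to be selected: every (attribute=value) pair, objectClass included, must match an actual value on the entry.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote

Entry = Dict[str, List[str]]   # lowercase attribute name -> values; "dn" carries the entry DN

# Constructed entries for the example: one person and two ipHost devices.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": ["uid=canderson,ou=People,dc=example,dc=com"], "objectclass": ["top", "person", "inetOrgPerson"],
     "sn": ["Anderson"], "uid": ["canderson"]},
    {"dn": ["cn=web1,ou=Hosts,dc=example,dc=com"], "objectclass": ["top", "device", "ipHost"],
     "description": ["webserver"], "iphostnumber": ["10.0.0.11"]},
    {"dn": ["cn=db1,ou=Hosts,dc=example,dc=com"], "objectclass": ["top", "device", "ipHost"],
     "description": ["database"], "iphostnumber": ["10.0.0.12"]},
]


def parse_ldap_url(url: str) -> dict:
    """RFC 4516: scheme://host/dn?attrs?scope?filter?extensions (empty scope means base)."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    fields = path.split("?") + [""] * 5
    dn, attrs, scope, filt = fields[:4]
    return {"scheme": scheme, "host": host, "base": unquote(dn),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": (scope or "base").lower(),
            "filter": unquote(filt).strip() or "(objectClass=*)"}


def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Recursive descent over the RFC 4515 subset &, |, !, equality and presence.
    Returns (node, index after the node); node is ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated %s at %d" % (op, i))
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a filter node; equality compares case-insensitively (caseIgnoreMatch)."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """Naive DN scoping: splits on commas (no escaped-comma handling), compares RDNs case-insensitively."""
    e = [c.strip().lower() for c in entry_dn.split(",")]
    b = [c.strip().lower() for c in base.split(",")]
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def dynamic_members(member_url: str, entries: List[Entry]) -> List[str]:
    """DNs a dynamic group with this memberURL would contain."""
    url = parse_ldap_url(member_url)
    node, _ = parse_filter(url["filter"])
    return [e["dn"][0] for e in entries
            if in_scope(e["dn"][0], url["base"], url["scope"]) and matches(node, e)]


if __name__ == "__main__":
    print(dynamic_members("ldap:///dc=example,dc=com??sub?(&(objectclass=ipHost)(description=webserver))",
                          SAMPLE_ENTRIES))
```

The DN scoping splits on commas and ignores escaped commas, which is enough for DNs shaped like the ones in the post but not for arbitrary ones. A quick way to use it against a live directory is to export the candidate entries with `ldapsearch`, load them into the `Entry` shape, and compare the result with what the server's dynamic group actually returns.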
Outlook VLV index and western europe diacritics
by Andrey Ivanov
Hi,
I am testing the 389 latest git version. There is one thing I have
noticed concerning Outlook browsing of LDAP and VLV indexes. Though I
think the change has happened already some time ago, in one of the
previous versions.
To make the LDAP Outlook browsing work correctly I've always used the steps described in the
doc
(http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Creating_Ind...)
:
dn: cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: Outlook Browse
objectClass: top
objectClass: vlvsearch
vlvBase: ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu
vlvFilter: (&(mail=*)(cn=*))
vlvScope: 2
dn: cn=Outlook Browse Index,cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=
plugins,cn=config
cn: Outlook Browse Index
objectClass: top
objectClass: vlvindex
vlvEnabled: 1
vlvSort: cn
This creates a VLV index, sorts the entries by cn and shows them in Outlook :
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 SRCH base="ou=utilisateurs,dc=id,dc=polytechnique,dc=edu" scope=2 filter="(&(mail=*)(cn=*))" attrs="cn cn mail roleOccupant display-name displayName sn sn co o o givenName legacyexchangedn objectClass uid mailnickname title company physicalDeliveryOfficeName telephoneNumber"
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 SORT cn
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 VLV 0:0:xac 7860:8001 (0)
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 RESULT err=0 tag=101 nentries=1 etime=0.009000
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 SRCH base="ou=utilisateurs,dc=id,dc=polytechnique,dc=edu" scope=2 filter="(&(mail=*)(cn=*))" attrs="cn cn mail roleOccupant display-name displayName sn sn co o o givenName legacyexchangedn objectClass uid mailnickname title company physicalDeliveryOfficeName telephoneNumber"
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 SORT cn
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 VLV 0:27:7859:8001 7860:8001 (0)
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 RESULT err=0 tag=101 nentries=28 etime=0.019000
In (relatively old) previous versions of the server the sorting took
into account the accented letters (like é, for example). The CNs
with these letters were sorted correctly (that is, é after d and
before f). So the entries were sorted by VLV like this :
...
Tdo Not
Ten Toys
Tén Toys <<<--
Tfk Nev
Tgl Mu
...
Tzzz Too
Uart New
...
With the recent versions the server orders the CN strictly according to ASCII
(I think) :
...
Tdo Not
Ten Toys
Tfk Nev
Tgl Mu
...
Tzzz Too
Tén Toys <<<--
Uart New
...
That is, all the diacritical letters appear after "z".
I have looked into the vlv#outlookbrowseindex.db4 file by dbscan and
the order corresponds exactly to what Outlook shows.
The questions are :
-whether it is how it should work and
-how do i revert to the old server behavior.
The sorting with collation (that is, something like
my $sort_control = Net::LDAP::Control::Sort -> new( order => "cn:2.16.840.1.113730.3.3.2.18.1.6", critical => 1)
) works perfectly (i.e. é is after d and before f).
I've tried several ideas to return to the old behavior :
*) I've tried to add collation rules to vlv index entries but putting
the value of the attribute vlvSort to
"cn:2.16.840.1.113730.3.3.2.18.1.6" or to "cn:fr" does not work
either. Instead of changing the sorting order it produces some strange
contents in the index vlv#outlookbrowseindex.db4 file.
**) then I thought that maybe I should change the cn index ordering
and I have added "nsMatchingRule: 2.16.840.1.113730.3.3.2.18.1" to the
cn indexes in dse.ldif. However reindexing does not actually change
the order (even after reindexing by something explicit like db2index -n
userRoot -t cn:eq,pres,sub:2.16.840.1.113730.3.3.2.18.1 ) in the index
.db4 files.
Any ideas/suggestions?
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
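An added example, mine and not from the post: why a code-point order places `Tén Toys` after `Tzzz Too`, and what a primary-strength, accent-insensitive key does to the same list. `collation_key` decomposes each string to NFD, drops combining marks (Unicode category Mn) and case-folds, using the original string as a tie-breaker. It approximates what a locale collation such as the French rule OID in the post does; it is not a replacement for the server's collation tables. The names are those listed in the post.

```python
import unicodedata
from typing import List

# The names from the post, in no particular order.
NAMES = ["Uart New", "Tén Toys", "Tzzz Too", "Tdo Not", "Tgl Mu", "Tfk Nev", "Ten Toys"]


def collation_key(s: str):
    """Primary-strength, accent-insensitive key: decompose to NFD, drop combining marks
    (Unicode category Mn), case-fold. The original string is the tie-breaker so that
    'Ten Toys' and 'Tén Toys' keep a deterministic relative order."""
    base = "".join(ch for ch in unicodedata.normalize("NFD", s)
                   if unicodedata.category(ch) != "Mn")
    return (base.casefold(), s)


def sort_codepoint(names: List[str]) -> List[str]:
    """What a plain string sort does: compares code points, so U+00E9 'é' lands after 'z'."""
    return sorted(names)


def sort_collated(names: List[str]) -> List[str]:
    """The same list under the accent-insensitive key: 'Tén' sits between 'Ten' and 'Tfk'."""
    return sorted(names, key=collation_key)


if __name__ == "__main__":
    print("code point:", sort_codepoint(NAMES))
    print("collated:  ", sort_collated(NAMES))
```

The first order is the one the post's dbscan dump of the VLV index shows (every accented initial after `z`); the second is the order the post describes for older servers and for the collation-rule sort control.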