[Fedora-directory-users] certutil: generating new .db files for server
by Brian Jones
Hi all,
I'm generating new *.db files for my server, where I will install a new root
CA and a new server cert (new *.db files allow me to easily test and back
out). I have a couple of questions about *.db files and how FDS uses them:
1. When I use certutil -N to create the new db files, is the value I give to
the '-P' flag arbitrary, or does the server look for a specific value based
on instance name or something? I have new files called 'slapd-ldap-cert8.db'
and 'slapd-ldap-key3.db', because I thought this prefix value was arbitrary,
but FDS fails to start because it says that files
'slapd-ldap-testbox-cert8.db' and 'slapd-ldap-testbox-key3.db' are missing.
Those are the *old* db file names.
2. Related to 1, how do I (from the command line) change what files FDS
looks for? Is this possible? Recommended?
3. Is it true that I cannot reuse a signed server certificate in a newly
created database, even if the new database has the same root CA installed as
the old one? Do I need to generate a request every time I run certutil -N?
4. Are there other rules that these files have to conform to in order for
the server to start up? Are there docs on this that I've missed? Links? I've
seen the mozilla NSS docs, but they're mostly for developers (except for the
decent certutil reference), and the RHDS docs do everything from the GUI as
far as I've seen.
Thanks.
brian.
17 years, 2 months
[Fedora-directory-users] phpQLAdmin schema
by Carlos Cesario
Hi people!
I have qmail and fedora-ds integrated, and I'm trying to use phpqladmin (http://phpqladmin.com/), but I'm having problems with the schema.
I get the schema from phpqladmin and try to convert it using ol-schema-migrate.pl (http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl), but when I start slapd I receive one error; maybe somebody with more experience can help me.
Details and schemas
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ldaptest:/tmp # wget http://www.netauth.com/~jacksonm/ldap/ol-schema-migrate.pl
......
23:54:23 (20.15 KB/s) - `ol-schema-migrate.pl' saved [14877/14877]
ldaptest:/tmp # cp /srv/www/htdocs/phpQLAdmin/schemas/phpQLAdmin.schema .
ldaptest:/tmp # chmod a+x ol-schema-migrate.pl
ldaptest:/tmp # ./ol-schema-migrate.pl -b phpQLAdmin.schema > phpQLAdmin.schema.converted
ldaptest:/tmp # cp phpQLAdmin.schema.converted /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif
ldaptest:/tmp # /opt/fedora-ds/slapd-ldaptest/start-slapd
[08/Jul/2006:23:57:08 -0300] dse - The entry cn=schema in file /opt/fedora-ds/slapd-ldaptest/config/schema/55ns-phpQLAdmin.ldif is invalid, error code 21 (Invalid syntax) - attribute type administrator: Missing parent attribute syntax OID
[08/Jul/2006:23:57:08 -0300] dse - Please edit the file to correct the reported problems and then restart the server.
ldaptest:/tmp #
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The original and converted schemas are attached.
Any idea about how to solve this error?
Thanks
Carlos
17 years, 2 months
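The server's complaint above is that the attribute type `administrator` reaches the end of its definition without a syntax it can resolve. The following is an added example (not part of phpQLAdmin, ol-schema-migrate.pl or Fedora DS) that scans an OpenLDAP-style `attributetype ( ... )` schema and reports every attribute whose syntax cannot be resolved before the file is dropped into the server's schema directory. The sample schema, its OIDs and attribute names are constructed; the rule applied (an attribute passes if it has a SYNTAX OID itself or its SUP chain leads to one) is this checker's assumption about what the server requires, not a quote of the server's own logic.

```python
"""Check an OpenLDAP-style schema for attribute types whose syntax cannot be
resolved. Added example for the 'Missing parent attribute syntax OID' error;
not part of phpQLAdmin, ol-schema-migrate.pl or Fedora DS.

Assumption (not taken from the post): an attributetype is acceptable when it
carries a SYNTAX OID itself, or when its SUP chain leads to an attribute that
does. Anything else is reported.
"""
import re

# Constructed sample in OpenLDAP 'attributetype ( ... )' form. The OIDs under
# 1.3.6.1.4.1.99999 are placeholders. 'administrator' has neither SYNTAX nor
# SUP (the defect to catch); 'altAdministrator' inherits its syntax through SUP;
# 'orphanAttr' points at a parent that is never defined.
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'mailHost'
    DESC 'constructed sample'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'administrator'
    DESC 'constructed: the defect to catch'
    EQUALITY caseIgnoreMatch )

attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'altAdministrator'
    DESC 'constructed: inherits from mailHost'
    SUP mailHost )

attributetype ( 1.3.6.1.4.1.99999.1.4 NAME 'orphanAttr'
    DESC 'constructed: parent is not defined'
    SUP noSuchAttribute )
"""

NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*'([^']*)')", re.I)
SUP_RE = re.compile(r"\bSUP\s+([\w.;-]+)", re.I)
SYNTAX_RE = re.compile(r"\bSYNTAX\s+([\d.]+)", re.I)


def _definitions(text, keyword="attributetype"):
    """Yield the text between the parentheses of every '<keyword> ( ... )'
    block, honouring nested parentheses such as NAME ( 'a' 'b' )."""
    low = text.lower()
    pos = 0
    while True:
        start = low.find(keyword, pos)
        if start < 0:
            return
        open_idx = text.find("(", start)
        if open_idx < 0:
            return
        depth, i = 0, open_idx
        while i < len(text):
            if text[i] == "(":
                depth += 1
            elif text[i] == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield text[open_idx + 1:i]
        pos = i + 1


def parse_attribute_types(text):
    """Return {lowercased name: {'name', 'sup', 'syntax'}} for every attributetype."""
    attrs = {}
    for body in _definitions(text):
        m = NAME_RE.search(body)
        if not m:
            continue
        name = m.group(1) or m.group(2)
        sup = SUP_RE.search(body)
        syn = SYNTAX_RE.search(body)
        attrs[name.lower()] = {
            "name": name,
            "sup": sup.group(1) if sup else None,
            "syntax": syn.group(1) if syn else None,
        }
    return attrs


def resolve_syntax(attrs, name, _seen=None):
    """Follow SUP links until a SYNTAX is found. Returns (syntax_oid, problem);
    problem is None on success, otherwise a short reason string."""
    seen = set() if _seen is None else _seen
    key = name.lower()
    if key in seen:
        return None, "SUP cycle involving '%s'" % name
    seen.add(key)
    at = attrs.get(key)
    if at is None:
        return None, "parent attribute '%s' is not defined" % name
    if at["syntax"]:
        return at["syntax"], None
    if at["sup"] is None:
        return None, "no SYNTAX and no SUP"
    return resolve_syntax(attrs, at["sup"], seen)


def check_schema(text):
    """Return [(attribute name, problem)] for attribute types whose syntax cannot
    be resolved; an empty list means the schema passes this check."""
    attrs = parse_attribute_types(text)
    findings = []
    for key in sorted(attrs):
        _oid, problem = resolve_syntax(attrs, attrs[key]["name"])
        if problem:
            findings.append((attrs[key]["name"], problem))
    return findings


if __name__ == "__main__":
    for name, problem in check_schema(SAMPLE_SCHEMA):
        print("attribute type %s: %s" % (name, problem))
```

Run it against the converted file (`check_schema(open(path).read())`) before copying it into the schema directory; a non-empty result is what the server would reject at startup, and the `SUP` cycle and undefined-parent cases are caught as well, which the post's single error message does not show.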
[Fedora-directory-users] Strange problem -- LDAP server hosed
by Mike Mueller
Hey guys... I hope I can provide sufficient detail to get a clue here, but I
don't have much info about what's happening yet.
We are using Fedora DS v1.0.2, and the client is a Java application using
JNDI. The client is doing some tests that involve manipulating the schema,
adding/removing attributes, adding/modifying/removing object classes.
During this process, objects of these types are created in the directory,
too.
What's happening is that it seems like objects with duplicate names are
being created, i.e. cn=object1 is created twice. The second time it gets
created, its name is nsuniqueid=<alphanumeric string>. I'm not sure how
this could happen, because typically if you tried to create a duplicate
entry, you'd get a javax.naming.directory.NameAlreadyBoundException.
What's worse, I can't delete any of these entries. When I try to, it says
"Operation not allowed on nonleaf" (doing this via the graphical console),
although the object in question is a leaf. Typically, even for nonleafs,
the GUI would recursively delete everything.
The only fix for this problem was to delete the underlying database behind
the root suffix, and recreate it fresh. Obviously this is a serious
problem, in a production environment, we can't afford to be doing something
like this. This has happened on two of our servers now, and on the second
one, I'm unable to even delete the database! It got halfway through, and
then sits there hanging. That server is completely out of commission now.
Any information would be appreciated!!
Mike
17 years, 2 months
[Fedora-directory-users] Addendum howto install fds on ubuntu
by Olivier Brugman
Hi all,
One requires the termcap-compat package for installation of fds on
Ubuntu and Debian. Unfortunately, this package is not available for the
x86_64 platform.
In order to install fds on an Ubuntu Dapper x86_64 xen-U this workaround
seems to work for me:
- Get the termcap-5.4-4.noarch.rpm and libtermcap-2.0.8-41.x86_64.rpm
package from the Fedora Core 4 x86_64 distribution.
- Convert these two packages to .deb and install them (dpkg -i).
Regards,
Olivier Brugman
17 years, 2 months
[Fedora-directory-users] critical problem with fds
by basile
I find that after enabling the audit log:
time: 20060705152654
dn: cn=uniqueid generator,cn=config
changetype: modify
replace: nsState
nsState:: AbId0eoziQDf45YlAADsUgEAAAAAAAAA
What does it mean?
thanks
basile
17 years, 2 months
[Fedora-directory-users] Any recommendation for a decent up to date LDAP book?
by Chun Tat David Chu
I would like to learn more about LDAP, but a lot of the books I found on
amazon.com are more than 2-3 years old. I am afraid they're out of date.
Are there any good books that you guys would like to suggest? I am
interested in in-depth LDAP explanation/usages/design/schema design.
I don't really want to be product specific because in the last 2 years we
already switched 3 directory servers: from Sun DS to OpenLDAP to Fedora DS.
Thanks in advance!
David
17 years, 2 months
[Fedora-directory-users] command line not working
by Jim Patterson
newbie
I was able to set up the directory server and import the Example.ldif into
the server (using the console). But whenever I try to do a command line
modify, delete or search I get the following errors.
My server was set up to run on port 42645 and I also tried port 389.
This is my second install the first was typical and the second was
express. I must have missed something in the documentation.
[root@station100 ldif]# ldapdelete -D "cn=Directory Manager,
dc=example,dc=com"-wpassword -h station100 -p 42645 "cn=Ted
Morris,ou=People,dc=example,dc=com"
ldap_sasl_interactive_bind_s: Local error (-2)
[root@station100 ldif]# ldapdelete -D "cn=Directory Manager,
dc=example,dc=com"-wpassword -h station100 -p 389 "cn=Ted
Morris,ou=People,dc=example,dc=com"
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
17 years, 2 months
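Both failures above come from the bind step, so it helps to see exactly which arguments the shell hands to the tool. The following is an added example (not part of the post or of the OpenLDAP client tools) that splits a command line with POSIX shell quoting rules via `shlex` and flags the two conditions under which the `ldap*` tools do not attempt a simple password bind: a `-D` value that has the password fused onto it, and a missing `-x`. The command lines are constructed copies of the one in the post, with the password as a placeholder; treating `-w` inside a bind DN as a mistake is a heuristic (assumption) rather than a rule of the tools.

```python
"""Pre-flight check for an OpenLDAP client command line (ldapdelete, ldapsearch,
ldapmodify, ...). Added example; not part of the post above or of the OpenLDAP
tools. It splits the command line the way a POSIX shell does (shlex) and flags
what makes the tools fall back to a SASL interactive bind:

  * a password fused onto the -D value because there is no space after the
    closing quote ('"...dc=com"-wpassword' is a single shell word);
  * no -x, so no simple bind is attempted at all.

The '-w inside the DN' test is a heuristic (assumption): a bind DN could in
principle contain '-w' legitimately, so the finding says what to inspect.
"""
import shlex


def split_like_shell(cmdline):
    """Split a command line into argv using POSIX shell quoting rules."""
    return shlex.split(cmdline)


def check_bind_args(argv):
    """Return a list of findings (strings) for the argv of an ldap* client tool.
    An empty list means a simple bind with a password will be attempted."""
    bind_dn = None
    have_simple = False
    have_password = False
    i = 1  # argv[0] is the tool name
    while i < len(argv):
        arg = argv[i]
        if arg == "-D" and i + 1 < len(argv):
            bind_dn = argv[i + 1]
            i += 1
        elif arg.startswith("-D"):
            bind_dn = arg[2:]
        elif arg == "-x":
            have_simple = True
        elif arg in ("-w", "-W") or arg.startswith("-w"):
            have_password = True
            if arg == "-w":
                i += 1  # skip the separate password value
        i += 1

    findings = []
    if bind_dn is not None and "-w" in bind_dn:
        findings.append(
            "the -D value %r contains '-w': the password is part of the DN "
            "(missing space after the closing quote?)" % bind_dn)
    if not have_simple:
        findings.append("no -x: the tool will try SASL, not a simple bind")
    if not have_password:
        findings.append("no -w/-W: no bind password supplied")
    return findings


# Constructed copies of the command line from the post; 'password' is a placeholder.
AS_TYPED = ('ldapdelete -D "cn=Directory Manager,dc=example,dc=com"-wpassword '
            '-h station100 -p 42645 "cn=Ted Morris,ou=People,dc=example,dc=com"')
FIXED = ('ldapdelete -x -D "cn=Directory Manager,dc=example,dc=com" -w password '
         '-h station100 -p 42645 "cn=Ted Morris,ou=People,dc=example,dc=com"')

if __name__ == "__main__":
    for label, cmd in (("as typed", AS_TYPED), ("fixed", FIXED)):
        argv = split_like_shell(cmd)
        print("%s: -D value is %r" % (label, argv[argv.index("-D") + 1]))
        for finding in check_bind_args(argv) or ["ok"]:
            print("  " + finding)
```

For the "as typed" line the `-D` value comes out as `cn=Directory Manager,dc=example,dc=com-wpassword`, so the tool never sees a `-w` at all; with no `-x` either, it falls through to the SASL path that produced the errors shown.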
[Fedora-directory-users] critical problem with fds
by basile
Hi,
Our FDS stops without any error message, nothing in the logs.
When it is started, it takes 11 to 12% of CPU time.
Our mailer works with FDS so it's a bit critical.
There are about 2000 users and 6500 aliases.
Thanks for help.
Do you think these parameters I haven't changed can explain this:
NOTICE : The tcp_conn_req_max_q value is currently 128, which will limit the
value of listen backlog which can be configured. It can be raised by adding
to /etc/init.d/inetinit, after any adb command, an entry similar to:
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_conn_req_max_q
NDD_VALUE[10]=1024
NOTICE : The tcp_keepalive_interval is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
An entry similar to the following should be added to /etc/init.d/inetinit:
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_keepalive_interval
NDD_VALUE[10]=600000
NOTICE : The NDD tcp_rexmit_interval_initial is currently set to 3000
milliseconds (3 seconds). This may cause packet loss for clients on
Solaris 2.5.1 due to a bug in that version of Solaris. If the clients
are not using Solaris 2.5.1, no problems should occur.
NOTICE : If the directory service is intended only for LAN or private
high-speed WAN environment, this interval can be reduced by adding an
entry similar to the following to /etc/init.d/inetinit file:
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_rexmit_interval_initial
NDD_VALUE[10]=500
NOTICE : The NDD tcp_ip_abort_cinterval is currently set to 180000
milliseconds (180 seconds). This may cause long delays in establishing
outgoing connections if the destination server is down.
NOTICE : If the directory service is intended only for LAN or private
high-speed WAN environment, this interval can be reduced by adding an entry
similar to the following to /etc/init.d/inetinit file:
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_ip_abort_cinterval
NDD_VALUE[10]=10000
NOTICE : The NDD tcp_ip_abort_interval is currently set to 180000
milliseconds (180 seconds). This may cause long delays in detecting
connection failure if the destination server is down.
NOTICE : If the directory service is intended only for LAN or private
high-speed WAN environment, this interval can be reduced by adding an entry
similar to the following to /etc/init.d/inetinit:
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_ip_abort_interval
NDD_VALUE[10]=60000
NOTICE : The TCP initial sequence number generation is not based on RFC
1948.
If this directory service is intended for external access, add the following
to /etc/init.d/inetinit:
ndd -set /dev/tcp tcp_strong_iss 2
NOTICE : The NDD tcp_smallest_anon_port is currently 32768. This allows a
maximum of 32768 simultaneous connections. More ports can be made available by
adding an entry similar to the following to /etc/init.d/inetinit:
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_smallest_anon_port
NDD_VALUE[10]=8192
WARNING: tcp_deferred_ack_interval is currently 100 milliseconds. This will
cause the operating system to insert artificial delays in the LDAP
protocol. It should be reduced during load testing.
An entry similar to the following can be added to the /etc/init.d/inetinit file:
TRANSPORT_NAME[10]=tcp
NDD_NAME[10]=tcp_deferred_ack_interval
NDD_VALUE[10]=5
WARNING: There are only 256 file descriptors (soft limit) available, which
limit the number of simultaneous connections. Additional file descriptors,
up to 65536 (hard limit), are available by issuing the 'ulimit' ('limit' for
tcsh) command with proper arguments.
ulimit -n 4096
NOTICE : / partition has less space available, 1584MB, than the largest
allowable core file size of 2048MB. A daemon process which dumps core could
cause the root partition to be filled.
ERROR : The above errors MUST be corrected before proceeding.
17 years, 2 months