After I import about 1400 accounts to a new database (ebiRoot, People
subtree), I get a lot of errors when I run verify-db.pl (slapd has been stopped):
Verify log files in db ... Good
Verify db/ebiRoot/uid.db4 ... Good
Verify db/ebiRoot/mail.db4 ...
DB ERROR: db_verify: Page 37: out-of-order key at entry 247
DB ERROR: db_verify: Page 37: out-of-order key at entry 503
Same error for ancestorid.db4, objectclass.db4, parentid.db4, cn.db4,
givenName.db4 and sn.db4.
I have run db2index and re-run verify-db.pl but I don't see any
difference. Here is what db2index says about ebiRoot:
[29/Mar/2007:12:04:26 +0100] upgrade DB - ebiRoot: Start upgradedb.
[29/Mar/2007:12:04:26 +0100] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[29/Mar/2007:12:04:26 +0100] - import ebiRoot: Index buffering enabled with bucket size 100
[29/Mar/2007:12:04:27 +0100] - import ebiRoot: Workers finished; cleaning up...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Workers cleaned up.
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Cleaning up producer thread...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Indexing complete. Post-processing...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Flushing caches...
[29/Mar/2007:12:04:28 +0100] - import ebiRoot: Closing files...
[29/Mar/2007:12:04:29 +0100] - import ebiRoot: Import complete. Processed 1424 entries in 3 seconds. (474.67 entries/sec)
Does that WARNING "No other process is allowed to access the database" mean
something is wrong?
How can I locate those "out-of-order keys" that db_verify lists? I tried
with dbscan but I don't think I'm giving the right entry id:
$ ./dbscan -K 247 -f db/ebiRoot/mail.db4
Can't set cursor to returned item: DB_NOTFOUND: No matching key/data pair found
Is there a way to find out which entries are causing the problem? Can
there be illegal characters in the entries?
If I import a considerably smaller set of entries (120), I get no errors.
I noticed there was a similar thread here but no conclusion:
Sorry for so many questions, I've spent a couple of days trying to
solve the problem.
If I delete a database with the Console, it leaves behind a couple of index files:
-rw------- 1 w3secure systems 16384 Mar 28 17:05 ancestorid.db4
-rw------- 1 w3secure systems 18 Mar 28 17:03 DBVERSION
-rw------- 1 w3secure systems 32768 Mar 28 17:05 id2entry.db4
These index files don't seem to shrink when new entries are imported.
dbscan still shows the deleted entries in id2entry.
I noticed a problem when I import a small set of entries, delete the
database, import a large set of entries and if I query the entries, I get
the entries from the first set (they don't exist in the second set). I can
reproduce the problem. If I delete ancestorid.db4 and id2entry.db4
manually when I delete the database, I don't have this problem. Is there a
reason why those two files are not deleted? Or can this whole thing be
caused by corrupted data?
I'm sorry if this has already been discussed or reported as a bug. I tried
to find the bug report, but couldn't find it so here goes:
Quite often when I have removed all entries and put them back and tried to
create a Browsing Index with the Console, the Console gets stuck. I have
a few times left it for hours but nothing happens. In this case I deleted
the previous browsing index from the GUI and tried to create it again for
People with 1400 entries. The GUI tells me it has done "Adding browsing
index entries to server" (ticked) but it is still "Creating browsing index
in server" (not ticked). It stays in this window forever. The "Server
status for creating browsing index" window is empty.
I cannot see any error messages in slapd-HOSTNAME/logs/errors or
admin-serv/logs/error log. The startconsole terminal doesn't show any Java
exceptions. Is there anywhere else I could look for clues?
If I force the window to close, the database goes to read-only mode. I
close the Console, shut down the slapd, change the database back to
read-write mode and restart everything. The Console shows the index has
been created, but if I look at slapd-HOSTNAME/db/ebiRoot/ directory, I
cannot see a vlv#bymccoupeopledcebidcacdcuk.db4 file, so I guess the
index doesn't really exist? With just 1400 entries it's difficult to tell.
Sometimes I do get the index created, but quite often not.
I'm using Fedora DS 1.0.4 on CentOS 4.4 with the following JRE:
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b01)
Java HotSpot(TM) Server VM (build 1.5.0_09-b01, mixed mode)
Thanks for any help!
Or maybe it's not so complicated and I don't know how. ;)
This is what I'm trying to accomplish:
Users who are a member of the group 'cn=support'
can perform ALL operations on 'userPassword',
except on targets which are a member of group 'cn=admins' or 'cn=bosses'.
Is this possible? I can't figure out how. Thanks in advance!
I've noticed that the 'ip' keyword in ACI bind rules seems to have no
effect on its own. For example,
This does not deny access to IP 220.127.116.11:
aci: (version 3.0; acl "Deny 18.104.22.168"; deny(all) (ip = "22.214.171.124");)
But when combined with a userdn clause like this, it works:
aci: (version 3.0; acl "Deny 126.96.36.199"; deny(all) (userdn = "ldap:///anyone") and (ip = "188.8.131.52");)
Is this known/expected behavior?
Just want to make sure I'm interpreting this right.
Thanks a lot,
I was looking through the logconv.pl output and I see that the majority
of connection codes are
B1 Bad Ber Tag Encountered
Should I be worried about this? LDAP seems to be working fine and has
been for months.
NOPS Systems Architect
310 401 0407
Hello, again! I'm trying to install Fedora DS 1.0.4 on Red Hat EL4.
Everything goes smoothly until I try to enable SSL in the admin server
console. When I try to save new settings on the Encryption tab and the User
DS tab, I get a message, "PSET failure. PSET attribute creation or local
cache update failed!"
After that, I back out of the admin console without saving changes. When I
go back into the admin console, the certificate has disappeared from the
drop-down list. It sounds like a problem with file permissions, but I don't
know what files might be involved.
Hoping you can help. Thanks. -G.
>Richard Megginson wrote:
>The Fedora DS chaining database (database link) uses the Proxy Auth
>control. I think you can disable this. Check the docs for the chaining
>database configuration. It may be that the console does not allow you
>to set this, but you can set it manually.
>http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf - search
>If there are other controls being sent by Fedora DS, you can disable
>those too - search for nsTransmittedControls in the above document.
I have disabled these controls but the problem still continues. This error
only happens with OpenLDAP, because when I connect to a Novell eDirectory
LDAP server I have a different error: I don't have permissions to read the
IT Technical Support Officer
System & Database Administrator
I've got the Fedora LDAP service running; connecting from other Linux servers is no problem.
The next step is to synchronize the database to Active Directory.
Is there a way to keep my Fedora LDAP as a master database and the AD server (W2003) as a member?
So that I should only configure my users on my LDAP server and not on my AD server.
Kind regards,
Michiel van Heukelom
Van Boxtel Software B.V.
Telephone: +31 (0) 492 - 327 357
Fax: +31 (0) 492 - 324 326