[Fedora-directory-users] Unable to delete replication changelog
by Chun Tat David Chu
Hi, we're using Fedora DS 1.0.2.
I'm trying to delete the replication change log by unchecking the "Enable
Changelog" box. After I did that, I clicked the "Save" button, and I saw the
following message.
"Error disabling changelog."
"The error is 'Operations error'"
I then looked at the "Error Log" and saw the following.
"NSMMReplicationPlugin - changelog program - changelog5_config_delete:
chagelog is not configured".
Any idea what's going on?
Thanks in advance.
- dc
15 years
[Fedora-directory-users] 3-way MMR problem on 1.01-4
by Ken Marsh
Hi,
OK, I have a problem with MultiMaster Replication between my 3 x 1.01-4
FDS. I have already tried the following:
Stop servers A and C
Delete the contents of the changelog database directory
restart
push a replication to each from Server B (successful)
While my data was momentarily in sync, I immediately went back to the
problem where incremental updates (users updating passwords) failed.
Here is a typical set of errors from logs/errors on server A:
[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to B.company.com""
(B:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB
rc=-30990). The consumer may need to be reinitialized.
[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to C.company.com""
(C:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB
rc=-30990). The consumer may need to be reinitialized.
The logs on B and C are analogous. Both have the following (This from
C):
[07/Mar/2008:07:46:48 -0500] - import userRoot: Workers finished;
cleaning up...
[07/Mar/2008:07:46:48 -0500] - import userRoot: Workers cleaned up.
[07/Mar/2008:07:46:48 -0500] - import userRoot: Indexing complete.
Post-processing...
[07/Mar/2008:07:46:48 -0500] - import userRoot: Flushing caches...
[07/Mar/2008:07:46:48 -0500] - import userRoot: Closing files...
[07/Mar/2008:07:46:49 -0500] - import userRoot: Import complete.
Processed 496 entries in 5 seconds. (99.20 entries/sec)
[07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin -
multimaster_be_state_change: replica dc=company,dc=com is coming online;
enabling replication
[07/Mar/2008:07:46:49 -0500] NSMMReplicationPlugin - replica_reload_ruv:
Warning: new data for replica dc=company,dc=com does not match the data
in the changelog.
Recreating the changelog file. This could affect replication with
replica's consumers in which case the consumers should be
reinitialized.
The user data started out on 7.1 on Directory Server "A". I installed
and replicated it to servers B and C and ran it like that for a while,
and replication worked fine. Then I replaced 7.1 with 1.01-4 on A (just
as 1.1 was released), and replication has been broken since.
I am willing to lose whatever updates or differences necessary to get
these sync'ed up ASAP, any tips?
Thanks for looking,
Ken Marsh
15 years
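An added example, not part of the original post: a small parser for the "Can't locate CSN" errors quoted above, which groups them by CSN and decodes each one. It relies on the server's CSN string layout of 8 hex digits of timestamp, 4 of sequence number, 4 of replica ID and 4 of sub-sequence number; that layout, the function names and the unwrapped sample lines are supplied here, not taken from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two error-log lines quoted in the post, unwrapped.
SAMPLE_LOG = '''\
[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to B.company.com"" (B:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
[07/Mar/2008:15:46:31 -0500] agmt="cn="Replication to C.company.com"" (C:389) - Can't locate CSN 47d04e2e000000010000 in the changelog (DB rc=-30990). The consumer may need to be reinitialized.
'''

MISSING_CSN = re.compile(
    r'^\[(?P<logged>[^\]]+)\] agmt="cn="(?P<agmt>[^"]+)"" \((?P<peer>[^)]+)\) - '
    r"Can't locate CSN (?P<csn>[0-9a-fA-F]{20}) in the changelog")

def decode_csn(csn):
    """Split a CSN string: time(8 hex) seqnum(4) replica id(4) subseq(4)."""
    if not re.fullmatch(r'[0-9a-fA-F]{20}', csn):
        raise ValueError('not a 20-hex-digit CSN: %r' % csn)
    return {
        'time': datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        'seqnum': int(csn[8:12], 16),
        'replica_id': int(csn[12:16], 16),   # which master originated the change
        'subseq': int(csn[16:20], 16),
    }

def missing_csns(log_text):
    """Group 'Can't locate CSN' errors by CSN with the agreements that hit them."""
    found = {}
    for line in log_text.splitlines():
        m = MISSING_CSN.match(line)
        if not m:
            continue
        logged = datetime.strptime(m['logged'], '%d/%b/%Y:%H:%M:%S %z')
        entry = found.setdefault(m['csn'], dict(decode_csn(m['csn']), agreements=[]))
        entry['agreements'].append((m['agmt'], m['peer']))
        # Age of the requested change when the supplier failed to find it.
        entry['age_seconds'] = int((logged - entry['time']).total_seconds())
    return found

if __name__ == '__main__':
    for csn, info in missing_csns(SAMPLE_LOG).items():
        print(csn, 'replica id', info['replica_id'], 'created', info['time'],
              'age', info['age_seconds'], 's, agreements:', info['agreements'])
```
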
Re: [Fedora-directory-users] netscapeRoot and Config propagation
by Ken Marsh
Rich,
The script mentioned in "8.14. Replicating o=NetscapeRoot for
Administration Server Failover", "setup-ds-admin.pl" was not installed
on any of my three Directory Servers. It does not seem to exist in
fedora-ds-1.0.4-1-FC6.x86_64.opt.rpm or fedora-ds-1.0.4-1.RHEL3.rpm . I
even converted them to CPIO using rpm2cpio and dumped them, to no avail.
Do you know where I can download this script?
Thanks,
Ken Marsh
15 years
Re: [Fedora-directory-users] netscapeRoot and Config propagation
by Ken Marsh
Rich Megginson wrote:
>By default replication should replicate everything - it does not care what
>type of data it is.
Thanks, Rich. This just confirms what I suspected- my replication is
broken.
I'll start a new thread on that one.
>The console/admin server don't really work that way. You should use
>o=NetscapeRoot replication for failover, not general load balancing.
Sorry, I only meant, I want to be able to get from any DS from any Admin
Console.
>See http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html
Looks like exactly what I need.
Thanks again,
Ken Marsh
15 years
Re: [Fedora-directory-users] netscapeRoot and Config propagation
by Ken Marsh
solarflow99 wrote:
>is this actually a requirement, or does adding their groups from the console
>give them the extra GID access?
If your question is, "is newgrp on Linux required to use the permissions
of the added group?"
The answer depends on your O/S and your file system and mount point ACL
settings, but on my Red Hat E4 system with ext3, I don't need to newgrp.
Ken Marsh
ANS System Administration Lead
(410) 876-9200
15 years
[Fedora-directory-users] Per DB Windows sync between different BaseDN
by Enrico M. V. Fasanelli
Dear all,
a question on the Windows Sync.
Scenario:
example.com is spread in some sites (a.example.com, b.example.com, etc.
etc) and in a few of these there is already an AD domain. For example
there is an AD domain win.a.example.com, another one w2k.c.example.com,
but the site b.example.com doesn't run any AD.
In the FDS 4-way Multi Master "core" servers, you setup one DB per site,
related to the corresponding suffix, and in each site you configure a
consumer for the site-specific DB.
Core Servers
BaseDN dc=example,dc=com
DataBase userRoot
BaseDN dc=a,dc=example,dc=com
Database aUserRoot
BaseDN dc=b,dc=example,dc=com
Database bUserRoot
BaseDN dc=c,dc=example,dc=com
Database cUserRoot
The "Site-x" local server(s) will receive only the userRoot and
xUserRoot via the replication defined in the suppliers core servers.
Now the question:
is it possible to define the Windows Sync agreements between
a) aUserRoot DataBase (dc=a,dc=example,dc=com) and the AD domain
dc=win,dc=a,dc=example,dc=com
b) cUserRoot (dc=c,dc=example,dc=com) and the AD domain
dc=w2k,dc=c,dc=example,dc=com
?
Thank you in advance.
Ciao,
Enrico
--
Don't follow any road...
...create it! (Advertisement...)
15 years
[Fedora-directory-users] netscapeRoot and Config propagation
by Ken Marsh
Thanks everyone for answering on the Groups question. I was so focused on the
People ou in the GUI I didn't see the Group ou a few menu lines up. :-)
I went into it and rediscovered that I knew how to create posixgroups
two years ago. I created a new one successfully and added users to it. On
an LDAP-ified Linux host they can now newgrp to that group.
Now I have two more complicated questions.
1. Group info does not multi-master replicate like user info does.
Specifically, I would like to manage posixgroups from any MultiMaster
server. My new posix group is stuck on just the server I created it on.
2. Config data does not multi-master replicate like user info does.
It would be nice to administer any server from any server. At the moment
the only way I know how to do this is on installation. I don't want to
reinstall any DS at this point, though. My understanding is that mmr.pl
sets up replication for only userRoot, not NetscapeRoot.
I went through the Admin GUI and under the Configuration tab,
Replication->NetscapeRoot I checked "Enable Replica", checked
MultiMaster and set up the Current Supplier DN's to cn=repman,cn=config
just like userRoot.
Now it has a replica entry under Directory Tab->config->mapping tree
just like dc=company,dc=com . However the attributes under
o=NetscapeRoot do not have the nsslapd-backend and nsslapd-referral
attributes. I'm guessing I need something like mmr.pl except for
NetscapeRoot to fill in the blanks.
Is there a howto for this, or any tips?
Once again, thanks to the Fedora DS development team for a great
product. Despite my noobish questions, it has saved me countless
manhours and been very reliable.
Ken Marsh
ANS System Administration Lead
(410) 876-9200
15 years
[Fedora-directory-users] Install fails to create domain after re-install
by Steve Jacobson
All,
I had a successful installation of FDS 1.1 on CentOS 5.1 x86_64. I had a
bunch of cruft in the directory from a poor migration, so I decided to start
over with a re-install to get things clean. The uninstall was successful,
and I wiped /etc/dirsrv, /var/lib/dirsrv, and /usr/share/dirsrv. Then I
re-installed, and ran setup-ds-admin.pl. The dialogs were as expected, and
seemed to be just fine. The setup program reported that everything was
fine, and the directory was created. However, the domain didn't
materialize. There was nothing in the setup log to hint at any problem. I
found the following messages in /var/log/messages:
Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen
/usr/lib/sasl2/libcrammd5.so.2: /usr/lib/sasl2/libcrammd5.so.2: wrong ELF
class: ELFCLASS32
Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen
/usr/lib/sasl2/libanonymous.so.2: /usr/lib/sasl2/libanonymous.so.2: wrong
ELF class: ELFCLASS32
Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen
/usr/lib/sasl2/libplain.so.2: /usr/lib/sasl2/libplain.so.2: wrong ELF class:
ELFCLASS32
Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen
/usr/lib/sasl2/libgssapiv2.so.2: /usr/lib/sasl2/libgssapiv2.so.2: wrong ELF
class: ELFCLASS32
Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen
/usr/lib/sasl2/liblogin.so.2: /usr/lib/sasl2/liblogin.so.2: wrong ELF class:
ELFCLASS32
Mar 5 19:20:38 corp-admin-001 ns-slapd: unable to dlopen
/usr/lib/sasl2/libdigestmd5.so.2: /usr/lib/sasl2/libdigestmd5.so.2: wrong
ELF class: ELFCLASS32
So, this implies that ns-slapd is trying to get at the 32 bit libraries
instead of the 64 bit versions.
I tried setting LD_LIBRARY_PATH to /usr/lib64, I've tried renaming
/usr/lib/sasl2 to get it out of the path, hoping the software would just
find the right version.
After these two attempts, the setup procedure created without generating any
error messages. However, the domain still failed to be created.
Any advice on where to look, or what else to try?
Thanks!
-steve j
--
Steve Jacobson Cozi IT Manager m: 206.310.7760 www.cozi.com
15 years
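An added example, not part of the original post: a check that reads the EI_CLASS byte of each shared object in a plugin directory and lists those whose ELF class differs from the binary that will dlopen them, which is the mismatch the "wrong ELF class: ELFCLASS32" messages report. The function names and command-line arguments are hypothetical; the paths are whatever the operator passes in.

```python
import os
import sys

ELF_MAGIC = b'\x7fELF'
EI_CLASS_BITS = {1: 32, 2: 64}   # e_ident[4]: ELFCLASS32 = 1, ELFCLASS64 = 2

def elf_bits(path):
    """Return 32 or 64 for an ELF file, None if unreadable or not ELF."""
    try:
        with open(path, 'rb') as f:
            ident = f.read(5)
    except OSError:
        return None
    if len(ident) < 5 or ident[:4] != ELF_MAGIC:
        return None
    return EI_CLASS_BITS.get(ident[4])

def wrong_class_plugins(plugin_dir, want_bits):
    """List (name, bits) for shared objects whose ELF class is not want_bits."""
    bad = []
    for name in sorted(os.listdir(plugin_dir)):
        full = os.path.join(plugin_dir, name)
        if '.so' not in name or not os.path.isfile(full):
            continue
        bits = elf_bits(full)
        if bits is not None and bits != want_bits:
            bad.append((name, bits))
    return bad

if __name__ == '__main__':
    # Usage (hypothetical): check.py <path to ns-slapd binary> <plugin dir>
    binary, plugin_dir = sys.argv[1], sys.argv[2]
    want = elf_bits(binary)
    if want is None:
        sys.exit('%s is not a readable ELF file' % binary)
    mismatches = wrong_class_plugins(plugin_dir, want)
    for name, bits in mismatches:
        print('%s: %d-bit, but %s is %d-bit' % (name, bits, binary, want))
    sys.exit(1 if mismatches else 0)
```
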
Re: [Fedora-directory-users] Setting up Multiple Directory Servers - in a multi-master mesh. Having problems with admin server.
by Ben Cohen
Rich Megginson wrote:
> I think there is a bug somewhere that causes the directory server
> you select to be the configuration directory server (in your case,
> generic-02) to have the pass through auth plugin enabled. Try this -
> when you get to the prompt to input the password for the
> Administrator User, in another window, shutdown that directory
> server, edit dse.ldif -search for the Pass Through Auth plugin (not
> the PAM pass through auth plugin) and set the nsslapd-pluginEnabled
> attribute to off, then restart that server. Then resume with the
> prompt to input the password.
I tried this but the Pass Through Auth plugin was already off...
Ben
15 years
[Fedora-directory-users] Adding users to additional Linux/Posix groups
by Ken Marsh
Hi,
I read the previous post on Unix groups, and I read the linked
information on mapping to ACI's. This is far more involved than my
question (and I didn't find the answer, either).
I am looking to simply add a Linux user to more than one Posix group.
I've searched through the docs and have yet to find a clear simple
explanation of how to do this. Do I just use commas to separate on the
value in the existing posix group attributes?
Thanks,
Ken Marsh
ANS System Administration Lead
(410) 876-9200
15 years