memberOf task problem
by John A. Sullivan III
Hello, all. We are in the process of upgrading from 8.0 to 8.1. We've
hit a few glitches along the way but most of it has gone well. However, we
wanted to implement the new memberOf functionality. We successfully
added the plugin by editing dse.ldif and enabled it from the console.
However, we've been unsuccessful in having existing group membership
assigned to the memberOf attribute.
We first tried to run fixup-memberOf.pl but the script does not exist.
There is a template.fixup-memberOf.pl but this does not seem to have
been built into a final script.
We then thought we would use the new task feature of the console. We
went to cn=memberof task,cn=tasks,cn=config and tried to create the task
object. There was no nsDirectoryServerTask objectclass. We added an
nstask but then found there was no basedn attribute we could add. We
then created an extensibleobject instead but still no basedn attribute.
Finally, we resorted to ldapmodify (we hesitated just because we are not
very familiar with the command line tools). First, we did:
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
The Internal Organization has several organizations under it (for
various clients) and then user organizational units under those
organizations. Although it generated no errors, it did not seem to
work. Perhaps I just don't know how to test it. However, the following
did not return any memberOf data:
/usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid memberOf
Doing
/usr/lib64/mozldap/ldapsearch -b "ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz" -D "cn=Directory Manager" -w - -h ldap uid=myid
showed me plenty of attributes but nothing for memberOf.
I also tried creating the task with a basedn of
ou=Users,o=client1,o=Internal,dc=ssiservices,dc=biz in case it did not
change objects lower in the tree. Still no success.
Finally I tried:
dn: cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
changetype: add
objectclass: top
objectclass: nsDirectoryServerTask
cn: fixMemberOf
basedn: o=Internal,dc=ssiservices,dc=biz
adding new entry cn=fixMemberOf,cn=memberof task,cn=tasks,cn=config
ldap_add: Object class violation
ldap_add: additional info: unknown object class "nsDirectoryServerTask"
And received the expected unknown object class error.
What are we doing wrong? Are these documentation bugs? Are there
application bugs or do we simply not know what we are doing with tasks
and memberOf? How do we get the memberOf information into our existing
user objects? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
13 years, 9 months
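The poster asks how to tell whether the fixup task did anything. As an added example (not from the post and not part of 389 DS), the script below reads an LDIF export of groups and users, derives from the groups' member/uniqueMember attributes which memberOf values each user should carry, and reports users missing any of them. The sample LDIF and its DNs are constructed placeholders.

```python
def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}, DNs and attribute names
    lowercased; unfolds continuation lines, leaves base64 (::) values as-is."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF continuation of the previous line
        else:
            lines.append(raw)
    entries, current, dn = {}, {}, None
    for line in lines + [""]:  # trailing "" flushes the final entry
        if not line.strip():
            if dn:
                entries[dn] = current
            current, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            dn = value.lower()
        else:
            current.setdefault(attr, []).append(value)
    return entries

def missing_memberof(entries):
    """Users whose memberOf lacks a group that lists them: {user_dn: [group_dn]}."""
    expected = {}  # user_dn -> group DNs implied by the groups' member/uniqueMember
    for dn, attrs in entries.items():
        for member in attrs.get("member", []) + attrs.get("uniquemember", []):
            expected.setdefault(member.lower(), set()).add(dn)
    report = {}
    for user, groups in expected.items():
        have = {g.lower() for g in entries.get(user, {}).get("memberof", [])}
        gap = sorted(groups - have)
        if gap:
            report[user] = gap
    return report

# Constructed sample (placeholder DNs, not the poster's data): alice has memberOf, bob does not.
SAMPLE_LDIF = """dn: cn=admins,ou=Groups,o=Internal,dc=example,dc=biz
objectClass: groupOfUniqueNames
uniqueMember: uid=alice,ou=Users,o=client1,o=Internal,dc=example,dc=biz
uniqueMember: uid=bob,ou=Users,o=client1,o=Internal,dc=example,dc=biz

dn: uid=alice,ou=Users,o=client1,o=Internal,dc=example,dc=biz
memberOf: cn=admins,ou=Groups,o=Internal,dc=example,dc=biz

dn: uid=bob,ou=Users,o=client1,o=Internal,dc=example,dc=biz
uid: bob
"""
```

Feed it the output of an ldapsearch over the group and user subtrees; an empty report after the task means every listed member was updated.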
Query blocking server
by Juan Asensio Sánchez
Hi
Samba is making a query to our 389 DS (v. 1.2.2, and older
versions too) that makes the servers freeze. The server is running, and
accepting connections, although the next queries are not processed
until the Samba query is returned. This Samba query takes a long time
to be returned, because it is searching all databases and all objects
in the directory (more than 20000). The filter is
"(&(uid=*)(objectClass=sambaSamAccount))". This query is done when
executing the command "net user" from a Windows or Linux machine. These
queries are executed manually and intentionally, but should not make
the server freeze. Why is this happening? Is there any option to avoid
this?
Regards.
13 years, 11 months
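The Samba filter above is a subtree search that touches every entry; 389 DS marks such searches in its access log with notes=U on the RESULT line, next to etime and nentries, which is the first thing to check. The script below is an added example (not from the post): it pairs SRCH and RESULT lines by conn/op and reports unindexed or slow searches over constructed log lines in the access-log format shown elsewhere on this page.

```python
import re

# Field patterns for SRCH and RESULT lines in the 389 DS access log.
SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(
    r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+) etime=(\d+)'
    r'(?: notes=(\w+))?')

def flag_searches(lines, etime_threshold=5):
    """Pair each SRCH with its RESULT by (conn, op) and return the searches
    that were unindexed (notes=U) or took at least etime_threshold seconds."""
    pending, findings = {}, []
    for line in lines:
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            pending[(conn, op)] = {"conn": int(conn), "base": base,
                                   "scope": int(scope), "filter": filt}
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        conn, op, _err, nentries, etime, notes = m.groups()
        srch = pending.pop((conn, op), None)
        if srch is None:  # RESULT of a non-search op (BIND, MOD, ...)
            continue
        srch.update(nentries=int(nentries), etime=int(etime),
                    unindexed=(notes == "U"))
        if srch["unindexed"] or srch["etime"] >= etime_threshold:
            findings.append(srch)
    return findings

# Constructed sample: one directory-wide Samba search and one indexed lookup.
SAMPLE_LOG = """\
[16/Oct/2009:12:44:39 +0200] conn=5 op=1 SRCH base="dc=domain,dc=local" scope=2 filter="(&(uid=*)(objectClass=sambaSamAccount))" attrs=ALL
[16/Oct/2009:12:44:40 +0200] conn=6 op=0 SRCH base="dc=domain,dc=local" scope=2 filter="(uid=jdoe)" attrs="uid cn"
[16/Oct/2009:12:44:40 +0200] conn=6 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[16/Oct/2009:12:45:25 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=20413 etime=46 notes=U
"""

if __name__ == "__main__":
    for f in flag_searches(SAMPLE_LOG.splitlines()):
        print(f"conn={f['conn']} etime={f['etime']}s unindexed={f['unindexed']} "
              f"nentries={f['nentries']} filter={f['filter']}")
```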
repl_set_mtn_referrals: could not set referrals for replica
by Juan Asensio Sánchez
Hi
We are having problems with replication. We have four master servers
replicating one database (database 1), and two other servers in other
building that are masters of other database (database 2). Replication
between the databases of the others are in hub mode (server1 of
building1 with server1 of building1, and server2 of building1 with
server2 of building2; server3 and server4 of building1 only have
agreements with server1 and server2 of building1). Yesterday we had to
remove the replica of server4 of database 1. Next, we re-enabled
the replica and the replication agreements, but the replica was
enabled with a different id than before. Now, we have this error on
all servers, although replication is working fine:
[16/Oct/2009:12:44:39 +0200] NSMMReplicationPlugin -
repl_set_mtn_referrals: could not set referrals for replica
dc=domain,dc=local: 1
(dc=domain,dc=local is the prefix that owns the database 1). I don't
know if this error is critical, but I don't like to see errors in the
log (call me a fool if you want). I have read some posts:
- http://blogs.sun.com/marcos/entry/on_cleanruv
- http://blogs.sun.com/piotr/entry/how_to_clean_ruv_s
All about Sun, but I am not sure if this will work, or if it is
dangerous because it says that the solution is unsupported and
irreversible. How can I get rid of this message? Is it critical?
Regards and thanks in advance.
13 years, 11 months
AD2008 on 64 bit windows, 389 Directory Server passwords...
by Anne (juniper) Cross
I'm trying to sync passwords from 389 to Active Directory.
If we import users from AD, then try to change their passwords, the
replication locks up.
If we create the users on 389, and sync them back to AD, the password
field passed back is blank in Windows.
PassSync isn't going to work because we're running 64bit Windows, so we
can't sync the passwords *from* AD. I got this working earlier, but
that was with FDS in a test instance several months ago, and I didn't
write down what I did. (And I am kicking myself over that.) We can
live without people changing their passwords on AD as long as we *can*
sync passwords down from 389.
The replication manager account on AD has full Directory Admin privs, so
it *does* have the ability to update passwords.
What am I missing? Our logs are showing us a lot of things that are not
helpful; I will be happy to attach further logs if people can tell me
what to look for, but we've been trying this for two days now, and we're
not any closer than we were when we started.
--
,___,
{o,o} Anne "Juniper" Cross
(___) Senior Linux Systems Engineer and Extropic Crusader
-"-"-- Information Technology, ITA Software
/^^^
13 years, 11 months
added schema not showing up in admin console
by Mike Clayton
I am trying to configure bind to talk directly to 389-ds. I have
converted the dnszone.schema file that ships with bind-sdb to ldif
using:
perl ol-schema-migrate.pl -b /etc/openldap/schema/dnszone.schema > /etc/dirsrv/slapd-dc0/schema/61bind-dns.ldif
and restarted the dirsrv service, but I can't seem to find an object
class or anything for dnsZone. I looked in the logs and did not see any
mention of dnsZone. Have I missed something or am I just not looking in
the right places?
Mike
13 years, 11 months
Replication: update of supplier via referral from consumer not working
by Mitja Mihelič
Hi!
Note: real information (IPs, DNs, FQDNs) has been replaced with generic
information.
I have set up a single-master replication scenario.
supplier: ldap://supplier.example.com:389
consumer: ldap://consumer.example.com:389
Replication works with no problems.
I have entered "ldap://supplier.example.com:389/dc=example, dc=com" in
the "Current URLs for referrals (Optional)" field.
If I understand correctly, when trying to update an entry on the
consumer, the referral should take me to the supplier and perform the
update there.
But I get the following error from the consumer's console:
"netscape.ldap.LDAPException: error result (32); No such object; Failed
to follow referral to
ldap://supplier.example.com:389/edupersonprincipalname=user.name@example.com.si,dc=example,"
As you can see, there is a part of the DN missing and I have no idea why...
This is the information from the supplier's error log, again with the
incomplete DN:
[snip]
[29/Oct/2009:10:17:49 +0100] conn=18 fd=70 slot=70 connection from
CONSUMER_IP to SUPPLIER_IP
[29/Oct/2009:10:17:49 +0100] conn=18 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[29/Oct/2009:10:17:49 +0100] conn=18 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[29/Oct/2009:10:17:49 +0100] conn=18 op=1 MOD
dn="edupersonprincipalname=user.name(a)example.com.si,dc=example,"
[29/Oct/2009:10:17:49 +0100] conn=18 op=1 RESULT err=32 tag=103
nentries=0 etime=0
[29/Oct/2009:10:17:49 +0100] conn=18 op=2 UNBIND
[29/Oct/2009:10:17:49 +0100] conn=18 op=2 fd=70 closed - U1
[/snip]
Regards,
Mitja
13 years, 11 months
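The referral URL entered above contains a space after the comma in "dc=example, dc=com"; an RFC 4516 LDAP URL carries the DN percent-encoded and does not permit raw whitespace. The helpers below are an added example (not from the post): one builds a correctly encoded referral URL, the other flags a raw space and the trailing-comma DN of the kind seen in the error above.

```python
from urllib.parse import quote, unquote, urlsplit

def referral_url(host, port, dn):
    """Build an RFC 4516 LDAP URL; the DN is percent-encoded so spaces and
    other reserved characters survive intact in the path component."""
    return f"ldap://{host}:{port}/{quote(dn, safe='=,')}"

def url_dn(url):
    """Extract the DN from an LDAP URL: the path component, percent-decoded."""
    return unquote(urlsplit(url).path.lstrip("/"))

def check_referral(url):
    """Return the problems found: raw whitespace (not allowed in a URL) and a
    DN with an empty RDN, e.g. one that ends in a trailing comma."""
    problems = []
    if any(c.isspace() for c in url):
        problems.append("unescaped whitespace in URL")
    if any(not rdn.strip() for rdn in url_dn(url).split(",")):
        problems.append("empty RDN in DN")
    return problems

if __name__ == "__main__":
    # Constructed inputs modelled on the post's placeholder names.
    typed = "ldap://supplier.example.com:389/dc=example, dc=com"
    print(typed, "->", check_referral(typed))
    print(referral_url("supplier.example.com", 389, "dc=example,dc=com"))
```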
mod_authnz_ldap - authorize by group
by Scooby Doo
I was wondering if anyone could share how to properly setup
mod_authnz_ldap to authorize with directory server groups. The wiki has
docs on how to use mod_authz_ldap but nothing for mod_authnz_ldap in the
groups area.
Thank you,
Scooby
<Location "/Files">
    AuthName "Restricted Access"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    # mod_authnz_ldap searches AuthLDAPURL for the *user* entry, matching the
    # attribute named in the URL against the supplied username; a URL pointing
    # at the groups subtree never finds a user. The people subtree below is an
    # assumption, adjust it to where the user entries live.
    AuthLDAPURL "ldap://localhost/ou=people,dc=local?uid?sub?(objectClass=inetOrgPerson)"
    # Group check: the group entry must list the user's full DN in uniqueMember.
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group "cn=Security,ou=groups,dc=local"
</Location>
http://directory.fedoraproject.org/wiki/Howto:Apache#Authorize_by_Group
13 years, 11 months
changelog issues when re-initing a master
by Robert Viduya
Hi, apologies if this gets posted more than once, I'm having MUA issues.
We have a 4-master, 2-hub, 6-slave setup, scattered over 2 data
centers. We had been running fine with 2 masters and fedora-ds 1.0.4
on RHEL4 (32-bit), but this past summer, we decided to upgrade to 4
masters, RHEL5 (64-bit) and fedora-ds 1.2.0. We did clean installs,
not upgrades and everything went pretty smoothly.
Lately, however, we've run into a problem where we've had to
reinitialize one of the masters due to database corruption. The
process I've used was, on a running master, to right-click on the
replication agreement in the gui and select "Export". Then I'd scp
the resultant ldif file to the down master and import it using ldif2db.
Once the import was done, restarting the server produces the following
in the errorlog:
[29/Oct/2009:05:21:05 -0400] NSMMReplicationPlugin -
replica_check_for_data_reload: Warning: data for replica
ou=accounts,ou=gtaccounts,ou=departments,dc=gted,dc=gatech,dc=edu was
reloaded and it no longer matches the data in the changelog (replica
data > changelog). Recreating the changelog file. This could affect
replication with replica's consumers in which case the consumers
should be reinitialized.
which is perfectly fine; you expect the changelog to be invalid the
first time the server is brought up after a reinitialize. The problem
is that it does this each and every time the server is restarted from
then on.
This sounds a lot like bug 388021, but nothing I've read in there
helps. I've tried deleting the changelog before importing, deleting
the changelog after importing, setting the changelog size to 1 entry,
delete-and-recreate all agreements... nothing. If the server has a
changelog configured and it gets restarted, it trashes it and recreates.
This system is a production system and importing our data is a good 8
to 12 hour process. Management really doesn't want to give me the
time to start from scratch, so I can't take all the machines down and
rebuild everything. Besides, reinitializing a single master shouldn't
involve a complete rebuild like that.
Any help would be greatly appreciated.
13 years, 11 months
How to integrate FDS with Oracle
by Ajay Kalla
Hello Everyone
I am presently working on FDS and Oracle. I faced a problem: users
created on Oracle 10g should be able to
log in on the client end (like M$ and Linux) using FDS. Please help me out.
--
Ajay Kalla
Fedora Ambassador
ajaykalla83(a)fedoraproject.org
GPG 0xEAB7E325
Find me as mikhail @ freenode.net
Idling at ##Koenig-Solutions,#fedora,#fedora-lassroom,##security
13 years, 11 months
Replication over SSL
by Mitja Mihelič
Hi!
I am trying to get replication to work over SSL, but I seem to be
missing something...
To make a long story short: single-master and multi-master replication
without SSL works without a problem.
I have created two Directory servers via the Management Console, one
called master (supplier) and one called replica (consumer).
I have issued a certificate request via the management console for the
supplier and consumer.
Both were signed by a test CA and imported into the corresponding
server's certificate store.
Now, what exactly must I do, to correctly map the certificates and make
them talk to each other ?
I have read the documentation, but I just don't understand how to make
it work.
The following dn is used for replication:
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword: replicate
passwordExpirationTime: 20380119031407Z
Greetings,
Mitja
Read the following lines if you wish to know how I have it set up and what I
have done to set up non-SSL replication:
The Directory server instances are using their own ports (supplier:
30389/30636 and consumer: 40389/40636 respectively).
I have inserted a replication user into the dse.ldif files in both the
supplier and the consumer as specified in the documentation.
The supplier has been populated with test entries, and the changelog
and replication of the relevant database have been enabled.
The consumer has been set up accordingly.
I have created an appropriate replication agreement and initialized the
consumer.
All entries replicated as expected and the replica was updating
successfully.
13 years, 11 months