RHDS 8.1 and SNMP
by Edward "koko" Konetzko
I am wondering if SNMP monitoring works in RHDS 8.1; if so, I need some help
getting it working.
The docs I have been using are linked below
http://directory.fedoraproject.org/wiki/Howto:SNMPMonitoring
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Monitoring_DS_Usi...
The /etc/snmp/snmp.conf file
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
access notConfigGroup "" any noauth exact systemview none none
com2sec local localhost ldap
group MyROGroup any local
view all included .1
access MyROGroup "" any noauth 0 all none none
syslocation Unknown (edit /etc/snmp/snmpd.conf)
syscontact Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
pass .1.3.6.1.4.1.4413.4.1 /usr/bin/ucd5820stat
master agentx
The /etc/dirsrv/config/ldap-agent.conf
# Config file for AgentX access so FDS can pass snmp variables to net-snmp
# This is the agent config file.
#
# Start the agent with /opt/fedora-ds/bin/slapd/server/ldap-agent /opt/fedora-ds/ldap-agent.conf
#
#
## AgentX Master ##
#
# Where the agent communicates with the AgentX Master (net-snmp).
# If not specified uses the net-snmp default of a UNIX socket
# at /var/agentx/master. RTFM if you decide to use a differing location...
#
agentx-master /var/agentx/master
## AgentX Logdir ##
#
# Where the agent logs its logfile...
#
agent-logdir /var/log/dirsrv/agent/
#
## Server ##
#
# Which FDS instance you wish to monitor.
# This should be the absolute path to the log dir of the FDS instance.
#
server slapd-ldap-master-n01
When I run "snmpwalk -v 1 -c ldap localhost
.1.3.6.1.4.1.2312.6.1.1.3.389" I get nothing back but when I run
"snmpwalk -v 1 -c ldap localhost .1.3.6.1.4.1.2312" the following is
returned.
SNMPv2-SMI::enterprises.2312.6.5.1.1.389 = STRING: "ldap master server"
SNMPv2-SMI::enterprises.2312.6.5.1.2.389 = STRING: "Red Hat-Directory/8.1.0"
SNMPv2-SMI::enterprises.2312.6.5.1.3.389 = STRING: "Rackspace Cloud"
SNMPv2-SMI::enterprises.2312.6.5.1.4.389 = STRING: "Lab"
SNMPv2-SMI::enterprises.2312.6.5.1.5.389 = STRING: "not made yet"
SNMPv2-SMI::enterprises.2312.6.5.1.6.389 = STRING: "ldap-master-n01"
All of that is correct with what is set in the Directory server.
If I run "strings /var/run/dirsrv/slapd-ldap-master-n01.stats" I get
the following back and I am wondering if there is supposed to be
something where it says "Not Available"?
Red Hat-Directory/8.1.0
ldap-master-n01
ldap master server
Rackspace Cloud
not made yet
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
Not Available
/usr/bin/ldap-agent-bin -D /etc/dirsrv/config/ldap-agent.conf just
outputs the following over and over again in its log file.
2009-08-13 18:51:57 Reloading stats.
2009-08-13 18:51:57 Opening stats file
(/var/run/dirsrv/slapd-ldap-master-n01.stats) for server: 389
Thanks in advance.
Edward
14 years, 7 months
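The snmpd.conf above grants the well-known "public" community from any source ("default") over SNMP v1/v2c, while the "ldap" community that can read the whole tree (view all, .1) is limited to localhost. The script below is an added example, not code from the post or from 389/RHDS: it parses the com2sec, group, view and access directives of a net-snmp configuration and reports the exposed settings. The embedded sample is constructed from the posted file (the syslocation, syscontact and pass lines are omitted because they do not affect access control), and the LOCAL_SOURCES set is an assumption about which source names mean "this host only".

```python
"""Audit net-snmp snmpd.conf community/view settings (added example, not from the post).

Parses the com2sec, group, view and access directives of a net-snmp configuration
and reports communities that are reachable from any host, use the well-known
name "public", or expose the whole OID tree (.1) to non-local sources.
"""
from collections import defaultdict

# Constructed from the configuration in the post; syslocation/syscontact/pass
# lines are omitted because they do not affect access control.
SAMPLE_SNMPD_CONF = """\
com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
access notConfigGroup "" any noauth exact systemview none none
com2sec local localhost ldap
group MyROGroup any local
view all included .1
access MyROGroup "" any noauth 0 all none none
master agentx
"""

# Sources that mean "this host only" (assumption: no other loopback aliases are
# used on the box being audited).
LOCAL_SOURCES = {"localhost", "127.0.0.1", "127.0.0.1/32", "::1"}


def parse_snmpd_conf(text):
    """Return (secnames, groups, views, access) tables from an snmpd.conf body."""
    secnames = {}                  # secname -> {"source", "community"}
    groups = defaultdict(set)      # secname -> set of group names
    views = defaultdict(list)      # view name -> [(included|excluded, subtree)]
    access = {}                    # group name -> {"read", "write", "notify"} view names
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "com2sec" and len(parts) >= 4:
            # com2sec SECNAME SOURCE COMMUNITY
            secnames[parts[1]] = {"source": parts[2], "community": parts[3]}
        elif directive == "group" and len(parts) >= 4:
            # group GROUPNAME SECMODEL SECNAME
            groups[parts[3]].add(parts[1])
        elif directive == "view" and len(parts) >= 4:
            # view VIEWNAME included|excluded SUBTREE [MASK]
            views[parts[1]].append((parts[2], parts[3]))
        elif directive == "access" and len(parts) >= 8:
            # access GROUPNAME CONTEXT SECMODEL LEVEL PREFIX READ WRITE [NOTIFY]
            access[parts[1]] = {
                "read": parts[6],
                "write": parts[7],
                "notify": parts[8] if len(parts) > 8 else "none",
            }
    return secnames, groups, views, access


def view_covers_whole_tree(views, view_name):
    """True if the named view includes the root subtree (.1) outright."""
    return any(kind == "included" and oid in (".1", "1")
               for kind, oid in views.get(view_name, []))


def audit_snmpd_conf(text):
    """Return a list of human-readable findings for the given snmpd.conf body."""
    secnames, groups, views, access = parse_snmpd_conf(text)
    findings = []
    for sec, info in secnames.items():
        exposed = info["source"] not in LOCAL_SOURCES
        if info["community"] == "public":
            findings.append(f"{sec}: well-known community 'public' (source {info['source']})")
        if exposed:
            findings.append(f"{sec}: community '{info['community']}' reachable from "
                            f"source '{info['source']}', not localhost-only")
        for grp in sorted(groups.get(sec, ())):
            acl = access.get(grp)
            if acl is None:
                continue
            if acl["write"] != "none":
                findings.append(f"{sec}: group {grp} grants WRITE view '{acl['write']}'")
            if exposed and view_covers_whole_tree(views, acl["read"]):
                findings.append(f"{sec}: group {grp} exposes the whole OID tree "
                                f"(view '{acl['read']}') to non-local sources")
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print("WARN", finding)
```

Run against the posted file it reports only the two "public"-related findings; widening the "ldap" com2sec line from localhost to default would add two more, because that community's group reads view "all". The parser deliberately ignores everything it does not understand, so pointing audit_snmpd_conf at a full production snmpd.conf is safe.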
Specifying failover configuration servers
by Ryan Braun [ADS]
In my testing lab, I have set up 2 servers using MMR, replicating both userroot
and netscaperoot. All replication is working between the 2 servers. My 3rd
server, a consumer read-only replica of userroot, I registered to the first
of the 2 MMR servers. My question is, how do I configure the slave server
to be able to contact the second (or any other) MMR server to get its admin
server configs automatically if the first server ever goes boom? Eventually
we will have 4 MMR servers, 2 groups of 2 with IP takeover style HA, for
example:
westldap.example.com (virtual ip)
westldap0.example.com
westldap1.example.com
eastldap.example.com (virtual ip)
eastldap0.example.com
eastldap1.example.com
On the slave server, adm.conf looks like so (with host specific details
replaced). Would I just add another ldapurl option? And would the server be
smart enough to fail over to the next server listed?
AdminDomain: example.com
sysuser: nobody
isie: cn=389 Administration Server, cn=Server Group, cn=ywgsrvr4.example.com, ou=example.com, o=NetscapeRoot
SuiteSpotGroup: nogroup
sysgroup: nogroup
userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
ldapurl: ldap://srvr0.example.com:389/o=NetscapeRoot
SuiteSpotUserID: nobody
sie: cn=admin-serv-srvr4, cn=389 Administration Server, cn=Server Group, cn=srvr4.example.com, ou=example.com, o=NetscapeRoot
Also, on the slave server I found this in dse.ldif
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
I am guessing this pass-through allows me to log in to the admin server on
srvr0.example.com, and then allows me access to the slave server. If so, I
would assume I would need an entry like this for each MMR server? Would I
need a whole entry, or just stack the nsslapd-pluginarg0 attribute with all
the servers, i.e.
dn: cn=Pass Through Authentication,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: Pass Through Authentication
nsslapd-pluginPath: libpassthru-plugin
nsslapd-pluginInitfunc: passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: ldap://srvr0.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr1.example.com:389/o=NetscapeRoot
nsslapd-pluginarg0: ldap://srvr.example.com:389/o=NetscapeRoot
nsslapd-pluginId: passthruauth
nsslapd-pluginVersion: 1.2.1
nsslapd-pluginVendor: Fedora Project
nsslapd-pluginDescription: pass through authentication plugin
All servers are running Debian etch|lenny with the following versions:
ii port389-admin 1.1.8
Fedora Administration Server (admin)
ii port389-adminutil 1.1.8
Utility library for directory server adminis
ii port389-base 1.2.1
Fedora Directory Server (base)
Thanks
Ryan
14 years, 7 months
Re: [389-users] Command line to request certificate
by Prashanth Sundaram
Rich,
I went forward with manual SSL install. I still see the console showing
ldap.foo.com:389 on the top tree level. The "User DS" field in Admin server
points to ldap.foo.com:636. I have set all the encryption via console. Am I
missing something? When I issue ldapsearch p 389, it returns
ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional
info: SASL(-4): no mechanism available:
When I issue ldapsearch p 636, it asks for pass but hangs thereafter. I
have imported 500 entries. Also my indexes don't seem to work when
searched on console. I used proper ldapsearch with all possible switches -x,
-Z, -ZZ. After I enabled indexing on the directory level and ou levels,
when I click on search with nothing on search bar, it returns the ou levels
and not users. So I manually indexed individual users; they don't show up
anyway.
Thanks,
14 years, 7 months
Re: [389-users] Command line to request certificate
by Prashanth Sundaram
Rich,
The script that you directed me to, it installs the CA cert in the server
cert tab when I check in console. I tried manually adding it but it would
still end up along with Directory server-cert. Also the admin server-cert
shows up here as well.
How do I troubleshoot that? The certs are fine in Admin server, but not in
Directory instance.
http://directory.fedoraproject.org/wiki/Howto:SSL#Script
Another question: Since I am going to have two ldap servers and VIPs, can I
just specify the DNS host names with the certificate like add certutil
S.... 8 ldap.foo1.com.ldap.foo2.com within the script, saving extra work?
Thanks for your help!!
14 years, 7 months
security problems
by Marco Strullato
Hi all,
Years ago I set up an LDAP Fedora Directory Server that is used for PKI
authentication by many servers. In that period I didn't care much about
security, but now I would like to close security holes.
I see that the directory manager password is stored in ldap.conf and rebuild
sshd.conf (for PKI).
I see also that if I restrict access (600) to these files, the authentication
process does not end correctly because the uid and gid are not taken from
ldap. Probably during the user logon these files must be readable.
From my point of view the solution could be to encrypt the directory manager
password or to create a read-only user. What do you suggest, and how would I
implement it?
Regards,
Marco Strullato
14 years, 7 months
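The two properties Marco is weighing (ldap.conf must stay world-readable so that NSS lookups by ordinary processes keep working, yet it must not hold the Directory Manager credential) can be checked mechanically. The script below is an added example, not code from the post or from 389 DS: it parses nss_ldap/pam_ldap-style ldap.conf text together with file permission bits and reports the risky combinations. It assumes the nss_ldap directive names binddn, bindpw and rootbinddn, where rootbinddn takes its password from /etc/ldap.secret, which only root can read; both sample configurations are constructed, and the DN, host and password values in them are placeholders.

```python
"""Audit an nss_ldap/pam_ldap ldap.conf for credential exposure (added example).

nss_ldap lookups run inside every process that resolves users and groups, so
ldap.conf must stay world-readable and anything in it is readable by all local
users. The rootbinddn directive, whose password lives in /etc/ldap.secret and
is read only when the caller is root, is the usual way to keep a privileged
credential out of the world-readable file.
"""
import os
import stat

# Constructed samples. The DN, host and password values are placeholders.
WEAK_LDAP_CONF = """\
base dc=example,dc=com
uri ldap://ldap.example.com/
binddn cn=Directory Manager
bindpw CHANGEME-placeholder
"""

HARDENED_LDAP_CONF = """\
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
# unprivileged lookups bind anonymously; root-only lookups use rootbinddn,
# whose password is read from /etc/ldap.secret (mode 0600, owned by root)
rootbinddn cn=nss-reader,ou=services,dc=example,dc=com
"""


def parse_ldap_conf(text):
    """Return {directive: value} for the non-comment lines of an ldap.conf body."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text, mode, secret_mode=None):
    """Return findings for an ldap.conf body with the given permission bits.

    mode        -- permission bits of ldap.conf (e.g. 0o644)
    secret_mode -- permission bits of /etc/ldap.secret, or None if it does not exist
    """
    conf = parse_ldap_conf(text)
    findings = []
    world_readable = bool(mode & stat.S_IROTH)
    binddn = conf.get("binddn", "").lower()

    if not world_readable:
        # The failure described in the post: lookups by unprivileged users
        # cannot read the file, so uid/gid resolution breaks.
        findings.append("ldap.conf is not world-readable; NSS lookups by ordinary users will fail")
    if "bindpw" in conf:
        if world_readable:
            findings.append("bindpw is stored in a world-readable file; every local user can read it")
        if "cn=directory manager" in binddn:
            findings.append("binddn is the Directory Manager; a leaked bindpw gives full write access")
    if "rootbinddn" in conf:
        if secret_mode is None:
            findings.append("rootbinddn is set but /etc/ldap.secret is missing; root lookups fall back to the ordinary bind")
        elif secret_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("/etc/ldap.secret is group- or world-accessible; it should be mode 0600")
    return findings


def audit_files(conf_path="/etc/ldap.conf", secret_path="/etc/ldap.secret"):
    """Run the audit against real files (the default paths are assumptions)."""
    with open(conf_path) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    secret_mode = None
    if os.path.exists(secret_path):
        secret_mode = stat.S_IMODE(os.stat(secret_path).st_mode)
    return audit_ldap_conf(text, mode, secret_mode)


if __name__ == "__main__":
    print("weak:", audit_ldap_conf(WEAK_LDAP_CONF, 0o644))
    print("locked down:", audit_ldap_conf(WEAK_LDAP_CONF, 0o600))
    print("hardened:", audit_ldap_conf(HARDENED_LDAP_CONF, 0o644, 0o600))
```

The "locked down" case shows why chmod 600 alone is not a fix: it trades the password leak for broken lookups while still leaving the Directory Manager DN in the file. Whatever account ends up in binddn or rootbinddn should be a dedicated read-only user with the minimum ACIs the lookups need, never the Directory Manager.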
Command line to request certificate
by Prashanth Sundaram
All,
I know I am being a bummer here, but I am running into problems now and
then. The reason is I am trying to script out the FDS deployment.
Here are my questions:
1. What is the command line equivalent of requesting a server certificate
for Admin Server and Directory Server? The console works fine.
I am using openssl to generate certificates in x509 format.
2. In order to set up subsequent FDS servers, I should copy /etc/dirsrv,
/usr/lib/dirsrv/ and /var/lib/dirsrv to the other hosts. Is this
correct? And run register-ds-admin.pl?
3. If I do as in 2, I'm not sure if the certificates will cause issues. Also,
I am using ldap.domain.com as server identifier and mapping a virtual IP for
load balancing purposes. I read that server name should be same as hostname,
but I am using a DNS record of ldap.domain.com. Will it cause any issues?
Thanks,
Prashanth
14 years, 7 months
OpenLDAP as a slave of Fedora Directory Server?
by Anne (juniper) Cross
I've been through the FDS/389 website, and the best I've come up with is
this: http://directory.fedoraproject.org/wiki/Howto:OpenldapIntegration
Unfortunately, that gives me the sync in the wrong direction. We have
pre-existing OpenLDAP servers that belong to a different group. We're
supposed to be their ultimate source of data - once we get set up - but
they won't change their servers from OpenLDAP because, as they say, they
know how they work and why should they do more work.
I don't need data synced back from OpenLDAP, but syncrepl doesn't appear
to do the right thing when pointed at an FDS directory server, so what's
the secret, undocumented method? Even a hint would help. Google just
keeps turning up pages where people have named their box "Fedora" and
it's all openldap to openldap.
--
,___,
{o,o} Anne "Juniper" Cross
(___) Senior Linux Systems Engineer and Extropic Crusader
-"-"-- Information Technology, ITA Software
/^^^
14 years, 7 months
no modifiable attributes specified
by Dharmin Mandalia
Hello
On my dir server, I am seeing lots of messages similar to the ones below. How
can this be resolved so I don't see the error msg below? I appreciate your help.
On dvfnds01, which is the supplier:
# tail -f /var/log/dirsrv/slap-*/access
[05/Aug/2009:09:07:19 +0000] NSMMReplicationPlugin - agmt="cn=dvfnds02"
(dvfnds02:636): Consumer failed to replay change (uniqueid
059b5581-0d2511dd-ae03d7e3-3dfce5fc, CSN 4a794bc8000000010000): DSA is
unwilling to perform. Will retry later.
On dvfnds02, which is the consumer:
# tail -f /var/log/dirsrv/slap-*/access
[05/Aug/2009:09:07:19 +0000] conn=3561655 SSL 256-bit AES
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=0 BIND dn="cn=Replication
Manager,cn=config" method=128 version=3
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=replication manager,cn=config"
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=1 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=1 RESULT err=0 tag=101
nentries=1 etime=0
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=2 SRCH base="" scope=0
filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=3 EXT
oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=3 RESULT err=0 tag=120
nentries=0 etime=0
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=4 SRCH
base="cn=replica,cn=\22dc=TB,dc=be\22,cn=mapping tree,cn=config" scope=0
filter="(objectClass=*)" attrs="nsDS5ReplicaId"
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=4 RESULT err=32 tag=101
nentries=0 etime=0
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=5 MOD
dn="uid=john.elle,ou=people,ou=EB,dc=TB,dc=be", no modifiable attributes
specified
[05/Aug/2009:09:07:19 +0000] conn=3561655 op=5 RESULT err=53 tag=103
nentries=0 etime=0
[05/Aug/2009:09:07:19 +0000] conn=3561656 fd=186 slot=186 SSL connection
from 192.168.3.12 to 192.168.3.134
[05/Aug/2009:09:07:19 +0000] conn=3561656 op=-1 fd=186 closed -
Encountered end of file.
Does anyone have a list of what error code 53 or error code 32 is?
Thanks...
Regards
Dharmin
14 years, 7 months
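On the last question: LDAP result codes are defined in RFC 4511. err=32 is noSuchObject (the entry the search was based on does not exist on dvfnds02) and err=53 is unwillingToPerform, which is the same condition the supplier logs as "DSA is unwilling to perform". The script below is an added example, not code from the post or from 389 DS: it pairs each operation line in a 389 access log with its RESULT line on (conn, op) and reports the failed operations by name, so the same check can be run over a live log. The sample lines are a constructed subset of the consumer-side log quoted above, rejoined onto single lines, and the code table covers only common result codes.

```python
"""Pair 389 Directory Server access-log operations with their results (added example).

Each operation is logged as "conn=N op=M KIND ..." and completed later by
"conn=N op=M RESULT err=E ...". Joining the two on (conn, op) tells us which
operation failed and why, using the RFC 4511 result-code names.
"""
import re
from collections import Counter

# Common LDAP result codes from RFC 4511 (not exhaustive).
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    65: "objectClassViolation",
    68: "entryAlreadyExists",
}

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)")
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)")

# Constructed subset of the consumer-side log in the post, rejoined onto single lines.
SAMPLE_ACCESS_LOG = [
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 SSL 256-bit AES',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=0 BIND dn="cn=Replication Manager,cn=config" method=128 version=3',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=replication manager,cn=config"',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=3 RESULT err=0 tag=120 nentries=0 etime=0',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=4 SRCH base="cn=replica,cn=\\22dc=TB,dc=be\\22,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsDS5ReplicaId"',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=4 RESULT err=32 tag=101 nentries=0 etime=0',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=5 MOD dn="uid=john.elle,ou=people,ou=EB,dc=TB,dc=be", no modifiable attributes specified',
    '[05/Aug/2009:09:07:19 +0000] conn=3561655 op=5 RESULT err=53 tag=103 nentries=0 etime=0',
    '[05/Aug/2009:09:07:19 +0000] conn=3561656 fd=186 slot=186 SSL connection from 192.168.3.12 to 192.168.3.134',
    '[05/Aug/2009:09:07:19 +0000] conn=3561656 op=-1 fd=186 closed - Encountered end of file.',
]


def pair_operations(lines):
    """Return one record per RESULT line, joined with the operation it completes."""
    pending = {}                      # (conn, op) -> (kind, detail) awaiting a RESULT
    records = []
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            key = (m["conn"], m["op"])
            kind, detail = pending.pop(key, ("?", ""))
            err = int(m["err"])
            records.append({
                "conn": key[0], "op": key[1], "kind": kind, "detail": detail.strip(),
                "err": err, "name": LDAP_RESULT_CODES.get(err, f"unknown({err})"),
            })
            continue
        m = OP_RE.search(line)
        if m and m["kind"] != "RESULT":
            pending[(m["conn"], m["op"])] = (m["kind"], m["rest"])
    return records


def failed_operations(lines):
    """Only the operations whose RESULT carried a non-zero error code."""
    return [r for r in pair_operations(lines) if r["err"] != 0]


def error_summary(lines):
    """Count failures per (operation kind, result name), e.g. for alert thresholds."""
    return Counter((r["kind"], r["name"]) for r in failed_operations(lines))


if __name__ == "__main__":
    for rec in failed_operations(SAMPLE_ACCESS_LOG):
        print(f"conn={rec['conn']} op={rec['op']} {rec['kind']} -> err={rec['err']} "
              f"({rec['name']}) {rec['detail']}")
```

Over the sample it reports the op=4 SRCH as noSuchObject and the op=5 MOD as unwillingToPerform, with the server's own "no modifiable attributes specified" text attached to the MOD record. To use it on a real server, feed it the lines of /var/log/dirsrv/slapd-INSTANCE/access (path as shipped by 389 DS); error_summary gives per-kind counts that are a reasonable thing to alert on when replication starts retrying.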