389-users March 2010

389-users@lists.fedoraproject.org

53 participants
57 discussions

Migration Issues With Admin Server LDIF Import
by Brian Provenzano 15 Mar '10

15 Mar '10

I'm still on the road to trying to migrate from FDS 1.0.4 to 389 DS 1.2.5. Thanks to Rich's help yesterday in a previous thread (Cross Migration Problem From FDS 1.0.x to 386 Directory Server) I was able to fix an import issue with an existing ldif schema (presense.ldif). Anyway, I am now running to the following issue when the migration script tries to read/migrate my data from LDIF ( I have a userRoot.ldif and NetscapeRoot.ldif). I assume it is the NetscapeRoot.ldif that is the issue: # ./migrate-ds-admin.pl --oldsroot /tmp/fedora-ds --actualsroot /opt/fedora-ds General.ConfigDirectoryAdminPwd='mypassword' Beginning migration of Directory and Administration servers from /tmp/fedora-ds . . . Beginning migration of directory server instances in /tmp/fedora-ds . . . Your new DS instance 'slapd-ldap' was successfully created. Beginning migration of Administration server from /tmp/fedora-ds . . . Creating Admin Server files and directories . . . dn: cn=Tasks, cn=admin-serv-ldap, cn=389 Administration Server, cn=Server Grou p, cn=ldap.mcs.local, ou=mcs.local, o=NetscapeRoot objectclass: top objectclass: nsResourceRef cn: Tasks Error adding entry 'cn=Tasks, cn=admin-serv-ldap, cn=389 Administration Server, cn=Server Group, cn=ldap.mcs.local, ou=mcs.local, o=NetscapeRoot'. Error: No such object Exiting . . . Log file is '/tmp/migrate5naZZB.log' Here is the /tmp/migrate5naZZB.log' log file: --------------------- [10/03/12:10:58:57] - [Migration] Info Beginning migration of Directory and Administration servers from /tmp/fedora-ds . . . [10/03/12:10:58:57] - [Migration] Info Beginning migration of directory server instances in /tmp/fedora-ds . . . [10/03/12:10:59:00] - [Migration] Info Your new DS instance 'slapd-ldap' was successfully created. [10/03/12:10:59:13] - [Migration] Info Copying /tmp/fedora-ds/alias/slapd-ldap-cert8.db to /etc/dirsrv/slapd-ldap/cert8.db [10/03/12:10:59:13] - [Migration] Info Copying /tmp/fedora-ds/alias/slapd-ldap-key3.db to /etc/dirsrv/slapd-ldap/key3.db [10/03/12:10:59:13] - [Migration] Info Copying /tmp/fedora-ds/alias/secmod.db to /etc/dirsrv/slapd-ldap/secmod.db [10/03/12:10:59:13] - [Migration] Info No /tmp/fedora-ds/alias/slapd-ldap-pin.txt to migrate [10/03/12:10:59:13] - [Migration] Info Copying /tmp/fedora-ds/shared/config/certmap.conf to /etc/dirsrv/slapd-ldap/ certmap.co nf [10/03/12:10:59:14] - [Migration] Info Beginning migration of Administration server from /tmp/fedora-ds . . . [10/03/12:10:59:15] - [Migration] Info Creating Admin Server files and directories . . . [10/03/12:10:59:15] - [Migration] Debug No file to migrate: /tmp/fedora-ds/alias/admin-serv-ldap-cert8.db [10/03/12:10:59:15] - [Migration] Debug No file to migrate: /tmp/fedora-ds/alias/admin-serv-ldap-key3.db [10/03/12:10:59:15] - [Migration] Info Copying /tmp/fedora-ds/alias/secmod.db to /etc/dirsrv/admin-serv/secmod.db [10/03/12:10:59:15] - [Migration] Info No /tmp/fedora-ds/alias/admin-serv-ldap-pin.txt to migrate [10/03/12:10:59:15] - [Migration] Info Copying /tmp/fedora-ds/shared/config/certmap.conf to /etc/dirsrv/admin-serv/ certmap.co nf [10/03/12:10:59:15] - [Migration] Info Error adding entry 'cn=Tasks, cn=admin-serv-ldap, cn=389 Administration Server, cn=Ser ver Group, cn=ldap.mcs.local, ou=mcs.local, o=NetscapeRoot'. Error: No such object [10/03/12:10:59:15] - [Migration] Fatal Exiting . . . Log file is '/tmp/migrate5naZZB.log' Thanks, Brian

2 20

Fedora Directory Server
by Wall, Patrick 15 Mar '10

15 Mar '10

Hi. I'm new to using Fedora Directory Server, so please pardon me if this is a newbie question. The directory server was setup by someone else, and has been running for many months, so unfortunately, I don't have much background information on how it was setup. I searched thru various on-line helps and it appears to be setup properly as it is working for various userids. However, there are a few userids defined, that no matter what I set the passwd to, if one attempts to login as one of those users: "Access denied". I can create a new user, set a passwd, log in no problem (it'll create the home directory and everything). I've even tried deleting the userid that doesn't work, and then re-creating, same issue. Doesn't like the passwd. (all userids are created the same, just different home paths and UID numbers. Any thoughts? Patrick

2 6

Error in add and modifying operation
by Fabio Isgrò 15 Mar '10

15 Mar '10

Hi to all, I'm using the lastest stable version of 389-ds and I have a strange issue when cut and paste an user from a branch to another or import an user that has SSHA as password scheme. This is a specimen of user extracted with db2ldif > # entry-id: 41964 > dn: uid=TestUser,ou=Milano,ou=PuntiPeriferici,ou=Persone,o=Domain > mail: testUser(a)domain.it > uid: testUser > givenName: testUser > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > sn: testUser > cn: testUser > userPassword: {SSHA}Qm33jLgIeXUNOOdESn9g+fMeg59ecxRQnRPKMA== > creatorsName: > uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > modifiersName: > uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > createTimestamp: 20100205124926Z > modifyTimestamp: 20100205124926Z > nsUniqueId: c2d9a301-1dd111b2-80d0d492-e75cfaf > When I'm trying to import this ldif via mozldap ldapmodify or console I get this error uid=TestUser,ou=Milano,ou=PuntiPeriferici,ou=Persone,o=Domain: netscape.ldap.LDAPException: error result (19); invalid password syntax - passwords with storage scheme are not allowed intestead with OpenLdap ldapmodify it works Perfectly. Some ideas ? Thanks in Advance Fabio Isgrò

1 0

Directory Server help
by Natr Brazell 15 Mar '10

15 Mar '10

All, I'm new to the community and apologize if posting to the wrong area. I'm looking for "_current_" information relating to a forum or documentation on RHEL Directory Server wrt to application integration. I'm making the assumption that the FDS is a parallel effort. I've used RHDS for basic user authentication but would like to do more with it. The docs that come with it are pretty extensive but really don't cover basic things such as integrating say autofs etc. Everywhere I read it says things like "you can easily extend it to do ..." but no where does it say "here's how". Probably just looking in the wrong places. If this is the wrong area, please advise on where to post if you know. No flaming please. Nate

5 4

NB: can't login/connect to FDS
by Brad Fuller 15 Mar '10

15 Mar '10

HI, I'm brand new to FDS/LDAP. I've set up the server, seems to run fine, can log in to the admin/dir console and create people. I've tried to set up a fedora 12 client so that I can log in accessing the FDS server but I don't seem to be making any connection to it . I've edited /etc/ldap.conf to add the base dc= dc=com and added "host" keyword To /etc/nsswitch.conf I've added passwd: files ldap shadow: files ldap group: files ldap that is all that I've changed /var/log/messages and /var/log/secure don't show any activity on either the server or client. I receive "authorization failure" when trying to log in. Are there any tools that I can use to see if my client is seeing the ldap server? Have I missed something in the configuration? BTW, I've looked and searched and read the 3 RH DS documents, but I didn't see anything that I've missed. I appreciate your help! brad -- Brad Fuller +1 (408) 335-0112

5 10

unable to setup Multimaster replication
by ankush grover 15 Mar '10

15 Mar '10

Hi Friends, I have installed 389 version 1.26a on Centos 5.4 32-bit and trying to configure MultiMaster replication on 2 nodes. I have installed and configured 389, however facing issues while configuring Multimaster replication. Machine A: ldaptest.example.com Machine B: ldaptest2.example.com Below are the lines I have added for the replication on both the nodes (file name replication.ldif) ldapmodify -x -h localhost -D "cn=Manager" -W -f replication.ldif dn: cn=replication manager,cn=config objectClass: inetorgperson objectClass: person objectClass: top cn: replication manager sn: RM userPassword: testtest passwordExpirationTime: 20380119031407Z Machine A: Replica ID: 2 Purge Delay: 7 days Current Supplier DN: cn=replication manager,cn=config,ou=People,dc=ankush,dc=com Current URLs: ldap://ldaptest.example.com:389/dc=ankush,dc=com Replication Agreement: Supplier: Machine A Consumer: Machine B Replicated Subtree: dc=ankush,dc=com Last Update Message: Replication Error acquiring replica: permission denied. Error Code:3 Schedule: Always Keep directories in Sync Connection: Use LDAP(no encryption) Simple(Bind DN/Password): cn=replication manager,cn=config Password: testtest Machine A: Replica ID: 2 Purge Delay: 7 days Current Supplier DN: cn=replication manager,cn=config,ou=People,dc=ankush,dc=com Current URLs: ldap://ldaptest2.example.com:389/dc=ankush,dc=com Replication Agreement: Supplier: Machine A Consumer: Machine B Replicated Subtree: dc=ankush,dc=com Last Update Message: Replication Error acquiring replica: permission denied. Error Code:3 Schedule: Always Keep directories in Sync Connection: Use LDAP(no encryption) Simple(Bind DN/Password): cn=replication manager,cn=config Password: testtest The replication is not working and I am not able to figure out what exactly is wrong. Regards Ankush

1 0

Partial subtree replication
by Joel Heenan 11 Mar '10

11 Mar '10

Is it possible instead of replicating an entire database, to replicate just a subtree within the database to a consumer? The situation is that we have a set of multi-masters that manage one tree (dc=customers,dc=company) while we want to sync our main tree dc=company. Unfortunately when I tried this dc=company wiped out the dc=customers subtree. How can I sync just dc=company without wiping out the extra subtree it has? Would it help if I split the multi-master into two separate databases? Joel

2 1

Password policies and account policies with PAM
by Ivan Ferreira 11 Mar '10

11 Mar '10

Hi everybody. I'm testing the password policies and account lockout policies on Directory Server 1.2.2. For account lockout policies, it seems that it does not works with pam authentication, for example for services like login or ssh. If I set the account lockout on 3 failures, I can login to the system after any number of failures. No relevant messages on logs. The same for the password change after reset. It's not required to change the password. ¿Does anybody successfully configured password and account policies for OS authentication? In /etc/ldap.conf I have: pam_lookup_policy yes Thanks in advance. ________________________________ AVISO LEGAL: Esta información es privada y confidencial y está dirigida únicamente a su destinatario. Si usted no es el destinatario original de este mensaje y por este medio pudo acceder a dicha información por favor elimine el mensaje. La distribución o copia de este mensaje está estrictamente prohibida. Esta comunicación es sólo para propósitos de información y no debe ser considerada como propuesta, aceptación ni como una declaración de voluntad oficial de NUCLEO S.A. La transmisión de e-mails no garantiza que el correo electrónico sea seguro o libre de error. Por consiguiente, no manifestamos que esta información sea completa o precisa. Toda información está sujeta a alterarse sin previo aviso. This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.

2 3

slapd didn't close connection and get into CLOSE_WAIT state
by Chun Tat David Chu 11 Mar '10

11 Mar '10

Hi All, I am running 389 DS version 1.2.5, build number 2010.012.2034 on RHEL 5.2. I have a problem that slapd didn't close a connection and eventually get into a CLOSE_WAIT state after my JAVA application exit. The scenario only happen when my application registers a NamingListener via the JAVA JNDI (Java Naming Directory Interface). I believe the NamingListener is equivalent to the Persistent Search. This problem doesn't exist if I don't use the JNDI NamingListener capability. >From my understanding, I did everything correctly in my application. I create a context, add a listener, do some stuffs, remove the listener and then close the context. One thing I notice is that in the slapd's error log, I see the following... "-get_ldapmessage_controls failed: 12 (Unavailable critical extension) (op=Abandon)". This message prints out right after I remove the listener and before my application closes the context. The closest bug report I found is this and it said the problem has been resolved. https://bugzilla.redhat.com/show_bug.cgi?id=450575 At this point, I'm clueless. :-( Can someone help me or give me some recommendation that I could try? I will attach my JAVA JNDI replicator along with this e-mail. You will need to modify 2-3 lines of code to get it running in your environment. Search for "MODIFY ME" and that should be the lines that you need to modify. Thanks! David

2 16

Options for paid assistance?
by Dave 10 Mar '10

10 Mar '10

Hello all, I'm setting up a small deployment (under 500 user entries) and find myself poring over a lot of manuals. I'm in a time crunch and would love is to hand this off to a specialist to log into my server and perform the required work such as performance tuning, schema creation, plugin configurations, etc. Question: how do others find ad-hoc paid help within the community? Presumably RedHat Support will answer questions and troubleshoot but won't actually log in to your server and do the work? Is it appropriate to post the project/job to this list? I've explored the major freelance sites but skills for managing this server seem to be quite niche and not widely available. Any advice would be appreciated! Thanks -Dave

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users March 2010