Migration Issues With Admin Server LDIF Import
by Brian Provenzano
I'm still on the road to trying to migrate from FDS 1.0.4 to 389 DS 1.2.5.
Thanks to Rich's help yesterday in a previous thread (Cross Migration
Problem From FDS 1.0.x to 386 Directory Server) I was able to fix an import
issue with an existing ldif schema (presense.ldif).
Anyway, I am now running into the following issue when the migration script
tries to read/migrate my data from LDIF (I have a userRoot.ldif and
NetscapeRoot.ldif). I assume it is the NetscapeRoot.ldif that is the issue:
# ./migrate-ds-admin.pl --oldsroot /tmp/fedora-ds --actualsroot /opt/fedora-ds General.ConfigDirectoryAdminPwd='mypassword'
Beginning migration of Directory and Administration servers from
/tmp/fedora-ds . . .
Beginning migration of directory server instances in /tmp/fedora-ds . . .
Your new DS instance 'slapd-ldap' was successfully created.
Beginning migration of Administration server from /tmp/fedora-ds . . .
Creating Admin Server files and directories . . .
dn: cn=Tasks, cn=admin-serv-ldap, cn=389 Administration Server, cn=Server Group, cn=ldap.mcs.local, ou=mcs.local, o=NetscapeRoot
objectclass: top
objectclass: nsResourceRef
cn: Tasks
Error adding entry 'cn=Tasks, cn=admin-serv-ldap, cn=389 Administration
Server, cn=Server Group, cn=ldap.mcs.local, ou=mcs.local, o=NetscapeRoot'.
Error: No such object
Exiting . . .
Log file is '/tmp/migrate5naZZB.log'
Here is the '/tmp/migrate5naZZB.log' log file:
---------------------
[10/03/12:10:58:57] - [Migration] Info Beginning migration of Directory and
Administration servers from /tmp/fedora-ds . . .
[10/03/12:10:58:57] - [Migration] Info Beginning migration of directory
server instances in /tmp/fedora-ds . . .
[10/03/12:10:59:00] - [Migration] Info Your new DS instance 'slapd-ldap' was
successfully created.
[10/03/12:10:59:13] - [Migration] Info Copying
/tmp/fedora-ds/alias/slapd-ldap-cert8.db to /etc/dirsrv/slapd-ldap/cert8.db
[10/03/12:10:59:13] - [Migration] Info Copying
/tmp/fedora-ds/alias/slapd-ldap-key3.db to /etc/dirsrv/slapd-ldap/key3.db
[10/03/12:10:59:13] - [Migration] Info Copying
/tmp/fedora-ds/alias/secmod.db to /etc/dirsrv/slapd-ldap/secmod.db
[10/03/12:10:59:13] - [Migration] Info No
/tmp/fedora-ds/alias/slapd-ldap-pin.txt to migrate
[10/03/12:10:59:13] - [Migration] Info Copying
/tmp/fedora-ds/shared/config/certmap.conf to /etc/dirsrv/slapd-ldap/certmap.conf
[10/03/12:10:59:14] - [Migration] Info Beginning migration of Administration
server from /tmp/fedora-ds . . .
[10/03/12:10:59:15] - [Migration] Info Creating Admin Server files and
directories . . .
[10/03/12:10:59:15] - [Migration] Debug No file to migrate:
/tmp/fedora-ds/alias/admin-serv-ldap-cert8.db
[10/03/12:10:59:15] - [Migration] Debug No file to migrate:
/tmp/fedora-ds/alias/admin-serv-ldap-key3.db
[10/03/12:10:59:15] - [Migration] Info Copying
/tmp/fedora-ds/alias/secmod.db to /etc/dirsrv/admin-serv/secmod.db
[10/03/12:10:59:15] - [Migration] Info No
/tmp/fedora-ds/alias/admin-serv-ldap-pin.txt to migrate
[10/03/12:10:59:15] - [Migration] Info Copying
/tmp/fedora-ds/shared/config/certmap.conf to /etc/dirsrv/admin-serv/certmap.conf
[10/03/12:10:59:15] - [Migration] Info Error adding entry 'cn=Tasks,
cn=admin-serv-ldap, cn=389 Administration Server, cn=Server Group,
cn=ldap.mcs.local, ou=mcs.local, o=NetscapeRoot'. Error: No such object
[10/03/12:10:59:15] - [Migration] Fatal Exiting . . .
Log file is '/tmp/migrate5naZZB.log'
Thanks,
Brian
13 years, 8 months
Fedora Directory Server
by Wall, Patrick
Hi.
I'm new to using Fedora Directory Server, so please pardon me if this is
a newbie question.
The directory server was set up by someone else, and has been running for
many months, so unfortunately, I don't have much background information
on how it was set up. I searched through various on-line helps and it
appears to be set up properly as it is working for various userids.
However, there are a few userids defined, that no matter what I set the
passwd to, if one attempts to login as one of those users: "Access
denied".
I can create a new user, set a passwd, log in no problem (it'll create
the home directory and everything).
I've even tried deleting the userid that doesn't work, and then
re-creating, same issue. Doesn't like the passwd.
(All userids are created the same, just different home paths and UID
numbers.)
Any thoughts?
Patrick
13 years, 8 months
Error in add and modifying operation
by Fabio Isgrò
Hi to all,
I'm using the latest stable version of 389-ds and I have a strange
issue when I cut and paste a user from one branch to another or import a
user that has SSHA as the password scheme.
This is a specimen of a user extracted with db2ldif:
> # entry-id: 41964
> dn: uid=TestUser,ou=Milano,ou=PuntiPeriferici,ou=Persone,o=Domain
> mail: testUser(a)domain.it
> uid: testUser
> givenName: testUser
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: testUser
> cn: testUser
> userPassword: {SSHA}Qm33jLgIeXUNOOdESn9g+fMeg59ecxRQnRPKMA==
> creatorsName:
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
> modifiersName:
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
> createTimestamp: 20100205124926Z
> modifyTimestamp: 20100205124926Z
> nsUniqueId: c2d9a301-1dd111b2-80d0d492-e75cfaf
>
When I try to import this ldif via mozldap ldapmodify or the console I
get this error:
uid=TestUser,ou=Milano,ou=PuntiPeriferici,ou=Persone,o=Domain:
netscape.ldap.LDAPException: error result (19); invalid password syntax
- passwords with storage scheme are not allowed
Instead, with OpenLDAP ldapmodify it works perfectly.
Some ideas?
Thanks in Advance
Fabio Isgrò
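A pre-import check for the two failures discussed in the migration post above ('No such object' because the parent entry is not there) and in this post (error 19 on a userPassword that already carries a {SCHEME} prefix). This is an added example, not code from either poster or from 389 DS; DN comparison is assumed to be a lower-cased, trimmed string match, and the sample LDIF is constructed.

```python
# Pre-import LDIF sanity check (added example, not code from either post).
# Flags the two conditions behind the import errors discussed above:
#  * parent DN neither already on the server nor added earlier in the LDIF
#    (the server answers 'No such object' on add, so order matters);
#  * userPassword already carrying a {SCHEME} prefix, which 389 DS rejects
#    (error 19) unless the bind is permitted to store pre-hashed values.
# Assumed: DN comparison is a lower-cased, trimmed string match; escaped
# commas and base64 (::) values are not decoded.
import re

def norm_dn(dn):
    """'cn=Tasks, o=X' -> 'cn=tasks,o=x' for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts, folded lines joined."""
    entries, attrs, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # blank line ends the entry
            attrs = None
            continue
        if raw.startswith(" ") and attrs is not None:
            attrs[last][-1] += raw[1:]           # continuation line
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip().lstrip(":").strip()
        if attrs is None:
            attrs = {}
            entries.append(attrs)
        attrs.setdefault(key, []).append(value)
        last = key
    return entries

def check_ldif(text, existing_dns=()):
    """Return (dn, problem) tuples; empty means the LDIF should add cleanly."""
    known = {norm_dn(d) for d in existing_dns}  # suffixes/entries already present
    problems = []
    for entry in parse_ldif(text):
        dn = norm_dn(entry["dn"][0])
        parent = dn.partition(",")[2]
        if parent and parent not in known:
            problems.append((dn, "parent missing: " + parent))
        for pw in entry.get("userpassword", []):
            if re.match(r"\{[\w-]+\}", pw):
                problems.append((dn, "pre-hashed userPassword " + pw.split("}")[0] + "}"))
        known.add(dn)
    return problems

# Constructed sample: ou=Milano is never created and the password is pre-hashed.
SAMPLE_LDIF = """\
dn: ou=Persone,o=Domain
objectClass: organizationalUnit

dn: uid=TestUser,ou=Milano,ou=Persone,o=Domain
userPassword: {SSHA}Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1oYXNo
"""
```

Run `check_ldif(SAMPLE_LDIF, ["o=Domain"])` to see both findings for the second entry; pass the suffixes and containers already on the server as `existing_dns`.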
13 years, 8 months
Directory Server help
by Natr Brazell
All,
I'm new to the community and apologize if posting to the wrong area. I'm
looking for "_current_" information relating to a forum or documentation on
RHEL Directory Server with regard to application integration. I'm making the
assumption that the FDS is a parallel effort. I've used RHDS for basic user
authentication but would like to do more with it. The docs that come with
it are pretty extensive but really don't cover basic things such as
integrating, say, autofs etc. Everywhere I read it says things like "you can
easily extend it to do ..." but nowhere does it say "here's how".
Probably just looking in the wrong places.
If this is the wrong area, please advise on where to post if you know. No
flaming please.
Nate
13 years, 8 months
NB: can't login/connect to FDS
by Brad Fuller
Hi,
I'm brand new to FDS/LDAP. I've set up the server, seems to run fine,
can log in to the admin/dir console and create people.
I've tried to set up a Fedora 12 client so that I can log in accessing
the FDS server but I don't seem to be making any connection to it.
I've edited /etc/ldap.conf to add the base dc= dc=com and added the "host" keyword.
To /etc/nsswitch.conf I've added:
passwd: files ldap
shadow: files ldap
group: files ldap
That is all that I've changed.
/var/log/messages and /var/log/secure don't show any activity on
either the server or client.
I receive "authorization failure" when trying to log in.
Are there any tools that I can use to see if my client is seeing the
ldap server?
Have I missed something in the configuration?
BTW, I've looked and searched and read the 3 RH DS documents, but I
didn't see anything that I've missed.
I appreciate your help!
brad
--
Brad Fuller
+1 (408) 335-0112
13 years, 8 months
unable to setup Multimaster replication
by ankush grover
Hi Friends,
I have installed 389 version 1.26a on Centos 5.4 32-bit and trying to
configure MultiMaster replication on 2 nodes. I have installed and
configured 389, however facing issues while configuring Multimaster
replication.
Machine A: ldaptest.example.com
Machine B: ldaptest2.example.com
Below are the lines I have added for the replication on both the nodes
(file name replication.ldif)
ldapmodify -x -h localhost -D "cn=Manager" -W -f replication.ldif
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: replication manager
sn: RM
userPassword: testtest
passwordExpirationTime: 20380119031407Z
Machine A:
Replica ID: 2
Purge Delay: 7 days
Current Supplier DN: cn=replication manager,cn=config,ou=People,dc=ankush,dc=com
Current URLs: ldap://ldaptest.example.com:389/dc=ankush,dc=com
Replication Agreement:
Supplier: Machine A
Consumer: Machine B
Replicated Subtree: dc=ankush,dc=com
Last Update Message: Replication Error acquiring replica: permission
denied. Error Code:3
Schedule: Always Keep directories in Sync
Connection: Use LDAP(no encryption)
Simple(Bind DN/Password): cn=replication manager,cn=config
Password: testtest
Machine A:
Replica ID: 2
Purge Delay: 7 days
Current Supplier DN: cn=replication manager,cn=config,ou=People,dc=ankush,dc=com
Current URLs: ldap://ldaptest2.example.com:389/dc=ankush,dc=com
Replication Agreement:
Supplier: Machine A
Consumer: Machine B
Replicated Subtree: dc=ankush,dc=com
Last Update Message: Replication Error acquiring replica: permission
denied. Error Code:3
Schedule: Always Keep directories in Sync
Connection: Use LDAP(no encryption)
Simple(Bind DN/Password): cn=replication manager,cn=config
Password: testtest
The replication is not working and I am not able to figure out what
exactly is wrong.
Regards
Ankush
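An added consistency check (not code from the post or from 389 DS) for three requirements of a 389 DS multi-master pair: distinct nsDS5ReplicaId values, the same replicated suffix on both replica entries and the agreement, and an agreement bind DN that is listed in the consumer replica's nsDS5ReplicaBindDN, which is what the consumer checks before letting a supplier acquire it. The dictionaries are constructed after the listing above; group-based bind DN authorisation is not modelled.

```python
# Replication pair consistency check (added example, not code from the post).
# Keys mirror the attribute names on the replica entry and the agreement entry.

def norm_dn(dn):
    """Lower-cased, trimmed DN for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_replication(supplier, consumer, agreement):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    # 1. Every master in a multi-master set needs its own nsDS5ReplicaId.
    if supplier["nsDS5ReplicaId"] == consumer["nsDS5ReplicaId"]:
        findings.append("replica IDs must differ (both are %s)" % supplier["nsDS5ReplicaId"])
    # 2. Replica entries and the agreement must name the same suffix.
    roots = {norm_dn(x["nsDS5ReplicaRoot"]) for x in (supplier, consumer, agreement)}
    if len(roots) != 1:
        findings.append("replicated suffix differs: " + ", ".join(sorted(roots)))
    # 3. The DN the agreement binds with must be listed in the consumer replica's
    #    nsDS5ReplicaBindDN; otherwise the consumer refuses with 'permission
    #    denied' when the supplier tries to acquire the replica.
    bind = norm_dn(agreement["nsDS5ReplicaBindDN"])
    allowed = {norm_dn(d) for d in consumer["nsDS5ReplicaBindDN"]}
    if bind not in allowed:
        findings.append("agreement binds as %s but consumer allows %s" % (bind, sorted(allowed)))
    return findings

# Constructed: same replica ID on both nodes, and a bind DN on the replica
# entries that does not match the one the agreement uses.
NODE_A = {"nsDS5ReplicaId": 2, "nsDS5ReplicaRoot": "dc=ankush,dc=com",
          "nsDS5ReplicaBindDN": ["cn=replication manager,cn=config,ou=People,dc=ankush,dc=com"]}
NODE_B = dict(NODE_A)
AGREEMENT = {"nsDS5ReplicaRoot": "dc=ankush,dc=com",
             "nsDS5ReplicaHost": "ldaptest2.example.com",
             "nsDS5ReplicaBindDN": "cn=replication manager,cn=config"}
# Same pair with a distinct ID and the bind DN the agreement actually uses.
NODE_B_FIXED = {"nsDS5ReplicaId": 3, "nsDS5ReplicaRoot": "dc=ankush,dc=com",
                "nsDS5ReplicaBindDN": ["cn=replication manager,cn=config"]}

if __name__ == "__main__":
    print(check_replication(NODE_A, NODE_B, AGREEMENT))        # two findings
    print(check_replication(NODE_A, NODE_B_FIXED, AGREEMENT))  # []
```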
13 years, 8 months
Partial subtree replication
by Joel Heenan
Is it possible instead of replicating an entire database, to replicate
just a subtree within the database to a consumer?
The situation is that we have a set of multi-masters that manage one
tree (dc=customers,dc=company) while we want to sync our main tree
dc=company. Unfortunately when I tried this dc=company wiped out the
dc=customers subtree.
How can I sync just dc=company without wiping out the extra subtree it
has? Would it help if I split the multi-master into two separate
databases?
Joel
13 years, 9 months
Password policies and account policies with PAM
by Ivan Ferreira
Hi everybody.
I'm testing the password policies and account lockout policies on Directory Server 1.2.2.
For account lockout policies, it seems that it does not work with PAM authentication, for example for services like login or ssh.
If I set the account lockout on 3 failures, I can login to the system after any number of failures. No relevant messages on logs.
The same for the password change after reset. It's not required to change the password.
Has anybody successfully configured password and account policies for OS authentication?
In /etc/ldap.conf I have:
pam_lookup_policy yes
Thanks in advance.
________________________________
This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from NUCLEO S.A. . Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
13 years, 9 months
slapd didn't close connection and get into CLOSE_WAIT state
by Chun Tat David Chu
Hi All,
I am running 389 DS version 1.2.5, build number 2010.012.2034 on RHEL 5.2.
I have a problem that slapd doesn't close a connection and eventually gets
into a CLOSE_WAIT state after my JAVA application exits.
The scenario only happens when my application registers a NamingListener via
the JAVA JNDI (Java Naming Directory Interface). I believe the
NamingListener is equivalent to the Persistent Search. This problem doesn't
exist if I don't use the JNDI NamingListener capability.
From my understanding, I did everything correctly in my application. I
create a context, add a listener, do some stuff, remove the listener and
then close the context.
One thing I notice is that in the slapd's error log, I see the following...
"-get_ldapmessage_controls failed: 12 (Unavailable critical extension)
(op=Abandon)".
This message prints out right after I remove the listener and before my
application closes the context.
The closest bug report I found is this and it said the problem has been
resolved.
https://bugzilla.redhat.com/show_bug.cgi?id=450575
At this point, I'm clueless. :-(
Can someone help me or give me some recommendation that I could try?
I will attach my JAVA JNDI replicator along with this e-mail. You will need
to modify 2-3 lines of code to get it running in your environment. Search
for "MODIFY ME" and that should be the lines that you need to modify.
Thanks!
David
13 years, 9 months
Options for paid assistance?
by Dave
Hello all, I'm setting up a small deployment (under 500 user entries)
and find myself poring over a lot of manuals. I'm in a time crunch and
would love to hand this off to a specialist to log into my server and
perform the required work such as performance tuning, schema creation,
plugin configurations, etc.
Question: how do others find ad-hoc paid help within the community?
Presumably RedHat Support will answer questions and troubleshoot but
won't actually log in to your server and do the work? Is it
appropriate to post the project/job to this list? I've explored the
major freelance sites but skills for managing this server seem to be
quite niche and not widely available. Any advice would be appreciated!
Thanks -Dave
13 years, 9 months