The directory server has a Windows synchronization agreement for one
AD OU; it initiates Full Re-Synchronization OK and runs normally. The
user info and password were synchronized.
But if there are two or more Windows synchronization agreements for
other AD OUs, the initiated Full Re-Synchronization fails. The error
screen message is as below:
The consumer initialization has unsuccessfully completed.
The error received by the replica is: 1 Total update aborted. LDAP error:
And I checked the error log. It said:
NSMMReplicationPlugin - agmt="cn=ou1" (testdc:636): Replica has no update
vector. It has never been initialized.
But the user info can update to AD from 389 Directory Server. And the user
info & password can update to 389 DS from AD.
I am very confused.
Can anyone help to explain this or solve it? Thanks a lot.
I have seen a weird behavior of my DS (1.1.2). It has a very small database (only about 2300 objects). A client performed a one-level search retrieving the children. The server finds 114 objects, but the search was very slow:
[06/May/2010:12:23:11 +0000] conn=127 op=149 SRCH base=<base> scope=1 filter="(&(&(objectClass=<xyz>)(<att1>=value))(!(<att2>=TRUE)))"
yes, the filter is a bit complex, but both attribute types <att1> and <att2> are indexed. This search usually is fast. It looks to me that the server is already in a funny state.
[06/May/2010:12:23:17 +0000] conn=127 op=149 RESULT err=3 tag=101 nentries=114 etime=7
When the client gets the results, it iterates over those and gets its children, like:
[06/May/2010:12:23:17 +0000] conn=127 op=150 SRCH base=<dn of result from previous SRCH> scope=1 filter="(&(&(objectClass=<uvw>)(<attr3>=*))(!(<attr2>=TRUE)))" attrs=ALL.
Those searches are quick:
[06/May/2010:12:23:17 +0000] conn=127 op=150 RESULT err=0 tag=101 nentries=1 etime=0
but somehow the server does not process one of the requests, when the client iterates over the results:
[06/May/2010:12:23:18 +0000] conn=127 op=263 SRCH base=<dn of result from previous SRCH> scope=1 filter="(&(&(objectClass=<uvw>)(<attr3>=*))(!(<attr2>=TRUE)))" attrs=ALL.
[06/May/2010:12:23:18 +0000] conn=127 op=263 RESULT err=0 tag=101 nentries=1 etime=0
[06/May/2010:12:23:26 +0000] conn=127 op=265 SRCH base=<dn of result from previous SRCH> scope=1 filter="(&(&(objectClass=<uvw>)(<attr3>=*))(!(<attr2>=TRUE)))" attrs=ALL.
[06/May/2010:12:23:26 +0000] conn=127 op=265 RESULT err=0 tag=101 nentries=0 etime=0
You can see that the server skipped op=264. It looks to me that the request came in, but somehow the server choked up, before it could log the request in access.
Has anybody seen such a behavior before?
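A small access-log checker, added here as an example and not part of the original post, that parses lines in the format quoted above and reports per-connection gaps in op numbers, slow RESULT lines, and ops that were logged as received but have no RESULT. The sample log is constructed and the function names are my own.

```python
import re
from collections import defaultdict
# Constructed sample in the 389 DS access-log format quoted above (not the poster's real log):
# op=261 is a slow search and op=264 never appears, mirroring the gap the post describes.
SAMPLE_LOG = """\
[06/May/2010:12:23:11 +0000] conn=127 op=261 SRCH base="ou=people,o=example" scope=1 filter="(objectClass=xyz)" attrs=ALL
[06/May/2010:12:23:17 +0000] conn=127 op=261 RESULT err=3 tag=101 nentries=114 etime=7
[06/May/2010:12:23:17 +0000] conn=127 op=262 SRCH base="cn=a,ou=people,o=example" scope=1 filter="(objectClass=uvw)" attrs=ALL
[06/May/2010:12:23:17 +0000] conn=127 op=262 RESULT err=0 tag=101 nentries=1 etime=0
[06/May/2010:12:23:18 +0000] conn=127 op=263 SRCH base="cn=b,ou=people,o=example" scope=1 filter="(objectClass=uvw)" attrs=ALL
[06/May/2010:12:23:18 +0000] conn=127 op=263 RESULT err=0 tag=101 nentries=1 etime=0
[06/May/2010:12:23:26 +0000] conn=127 op=265 SRCH base="cn=c,ou=people,o=example" scope=1 filter="(objectClass=uvw)" attrs=ALL
[06/May/2010:12:23:26 +0000] conn=127 op=265 RESULT err=0 tag=101 nentries=0 etime=0
[06/May/2010:12:23:27 +0000] conn=128 op=1 SRCH base="ou=people,o=example" scope=2 filter="(uid=x)" attrs=ALL
"""
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_access_log(text):
    """One dict per op line: ts, conn, op, kind plus the line's key=value fields."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close and other non-op lines are skipped
        rec = {'ts': m['ts'], 'conn': int(m['conn']), 'op': int(m['op']), 'kind': m['kind']}
        rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m['rest'])})
        records.append(rec)
    return records

def find_op_gaps(records):
    """Per connection, op numbers never logged between the lowest and highest seen."""
    seen = defaultdict(set)
    for r in records:
        if r['op'] >= 0:
            seen[r['conn']].add(r['op'])
    return {c: sorted(set(range(min(ops), max(ops) + 1)) - ops)
            for c, ops in seen.items() if len(ops) < max(ops) - min(ops) + 1}

def slow_results(records, threshold=1.0):
    """(conn, op, etime) for RESULT lines whose elapsed time meets the threshold."""
    return [(r['conn'], r['op'], float(r['etime'])) for r in records
            if r['kind'] == 'RESULT' and float(r.get('etime', 0)) >= threshold]

def unanswered_ops(records):
    """Ops logged as received that have no RESULT line (still running, or never completed)."""
    started = {(r['conn'], r['op']) for r in records if r['kind'] != 'RESULT'}
    finished = {(r['conn'], r['op']) for r in records if r['kind'] == 'RESULT'}
    return sorted(started - finished)
```

Run it over a real access log with `parse_access_log(open(path).read())`; a gap reported by `find_op_gaps` is a request the server never logged, as in the post, whereas an entry in `unanswered_ops` is one it logged but never answered.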
I am building an LDAP directory from the ground up and plan to set users up
so a few different applications can use this as an
authentication/authorization backend. However, today some of these
applications use uids like jsmith while others use empid like 123456. Is
there any way, without duplicating user entries, to allow these applications
to both authenticate?
- for example, if I have a user base DN of: ou=people,o=company.com
- I have a user with uid=jsmith and employeeNumber=123456
Can some applications authenticate with dn: uid=jsmith,ou=people,o=company.com
while others use dn: employeeNumber=123456,ou=people,o=company.com?
I think the answer is no for that, so what if I give the user
multiple uid values? uid=jsmith AND uid=123456, but the DN that allows
binding always seems to be the uid I set first.
I'm at a loss here, there really has to be a way to do it. The only way I
can see is to allow the applications to bind with some other DN, then do
searches for employeeNumber=123456 to try and match the values up on their
end, then pull the DN from their search results and use that DN to re-bind
with the supplied password... but that seems like overkill to me.
Thanks for any insight!
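The search-then-bind flow described in the post, as an added example that is not the poster's or 389 DS's code: the login value is escaped per RFC 4515 before it goes into the filter so that it cannot change the filter's structure, a lookup that does not match exactly one entry is refused rather than guessed, and `search`/`bind` are assumed callbacks standing in for a real LDAP client (the in-memory `FAKE_DIR`, `fake_search` and `fake_bind` are constructed so the flow runs offline).

```python
import re

# RFC 4515 escaping for values interpolated into an LDAP search filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m[1], 16)), value)

def build_login_filter(login):
    """Accept either identifier form; escaping keeps user input from altering the filter."""
    v = escape_filter_value(login)
    return f'(&(objectClass=inetOrgPerson)(|(uid={v})(employeeNumber={v})))'

def resolve_and_bind(login, password, search, bind, base='ou=people,o=company.com'):
    """search(base, filt) -> list of DNs; bind(dn, pw) -> bool (assumed callbacks over a real client).
    Zero hits means unknown user and more than one is ambiguous; both are refused, never guessed."""
    dns = search(base, build_login_filter(login))
    if len(dns) != 1:
        return None
    return dns[0] if bind(dns[0], password) else None

# Constructed in-memory stand-in for the directory, so the flow runs offline.
FAKE_DIR = {
    'uid=jsmith,ou=people,o=company.com': {'uid': 'jsmith', 'employeeNumber': '123456', 'pw': 'S3cret'},
    'uid=adoe,ou=people,o=company.com': {'uid': 'adoe', 'employeeNumber': '654321', 'pw': 'Other1'},
}

_LOGIN_FILTER = re.compile(r'^\(&\(objectClass=inetOrgPerson\)\(\|\(uid=(.*)\)\(employeeNumber=\1\)\)\)$')

def fake_search(base, filt):
    """Only understands the filter shape built above; evaluates it by exact value comparison."""
    m = _LOGIN_FILTER.match(filt)
    if not m:
        return []
    v = unescape_filter_value(m[1])
    return [dn for dn, e in FAKE_DIR.items()
            if dn.endswith(base) and (e['uid'] == v or e['employeeNumber'] == v)]

def fake_bind(dn, password):
    return dn in FAKE_DIR and FAKE_DIR[dn]['pw'] == password
```

With a real client the application binds with its own service DN for the search and then re-binds as the resolved user DN; the escaping step is what keeps a login value containing filter metacharacters from matching anything but a literal uid or employeeNumber.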
Not sure if this is a good place to ask.
I was just wondering how often a new version of RHDS is released?
The latest RHDS is 8.1, is there an estimation of when RHDS 8.2 would be
I have found 2 methods for allowing individual users, or groups, access
to certain hosts via the directory server. (document link)
1. the host attribute
on server: the host attribute can be defined after adding a user; it
must list each host by FQDN that the user has access to
on client: configure to check for the host attribute in the ldap.conf
-does not scale: if we add a host we then have to go and add that
host to each allowed user; management would be time consuming as
users or hosts grow
2. define groups of users, and systems in directory server by using
on server: definition of the host, and user groups in the ldap server
on client: configure pam in /etc/pam/system-auth to check if user
belongs to approved user group & system belongs to approved system group
on client: configure pam_group module in /etc/security/group.conf
-not as simple, uses an old beast (NIS)
-NIS adds an additional layer of complexity and points of failure
-doesn't allow me to grant a single user auth on a single system (if
Is there a third better option? Any suggestions or links to
documentation would be highly appreciated. Thank you for your time.
Hi, I have some problems with suffixes. I'm new to LDAP so maybe I'm
misunderstanding concepts. OK, here it goes...
I'm working with centos-ds. I'm asking here because the solutions probably can
be applied in 389-like software such as centos. Well, I have the server up and
running with some entries, but I'm interested in enabling different databases
for some objects. The idea is to have a specific configuration for each
object, because it represents different systems that probably will have
different resource needs and access controls.
So, under the root suffix on the configuration tab of 389-console (yes, I'm
using 389-console on centos-ds) I right click it and add a new sub-suffix. For
instance I name it "ou=systems" and also the database with the same name is created and
The thing is that when I'm browsing the directory, there isn't an ou=system on
the main tree; instead it is shown only on the main (right) section of the GUI. I'm
going to add an entry and I have a permission error. That's odd because I'm
the "admin/Directory Manager" user.
Can anybody help me? Maybe I'm wrong trying to apply a sub-suffix to solve a
custom database configuration per some objects.
Sorry for late response.
Yes, it resolves the DN properly along with secondary groups.
[psundaram@ldap02 ~]$ id psundaram
I will test the mapping attribute in a week or so.
On Thu, 2010-05-06 at 14:45 -0400, Prashanth Sundaram wrote:
> I got around this by changing the ldap.conf.
> pam_filter objectclass=posixAccount
> pam_member_attribute uniquemember
> I haven't tested this but you can also map the memberuid and memberof
> to Uniquememember. So the nss_ldap checks the uniquemember value every
> nss_map_attribute memberuid uniqueMember
> nss_map_attribute member uniqueMember
> My Group looks like this.
> dn: cn=GROUP1,ou=Group,dc=DOMAIN,dc=COM
> objectClass: groupOfUniqueNames
> objectClass: posixGroup
> objectClass: top
> gidNumber: 3300
> uniqueMember: uid=userid1,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid2,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid3,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid4,ou=People,dc=DOMAIN,dc=COM
> uniqueMember: uid=userid5,ou=People,dc=DOMAIN,dc=COM
Does getent properly handle the DN? I may be wrong but I thought I tried
this and it failed. I could easily have messed up due to my ignorance.
Thanks - John
Hi folks, I have a network with various linux distributions. While these
distributions share a lot of the same group names, their corresponding
Can ldap groups contain multiple group numbers?
Should I be approaching this from a different angle?
aRDy Music/Rick Dicaire
I got around this by changing the ldap.conf.
I haven't tested this but you can also map the memberuid and memberof to
Uniquememember. So the nss_ldap checks the uniquemember value every time.
nss_map_attribute memberuid uniqueMember
nss_map_attribute member uniqueMember
My Group looks like this.
Rick Dicaire wrote:
> On Tue, May 4, 2010 at 7:07 AM, John A. Sullivan III
> <jsullivan at opensourcedevel.com> wrote:
>>> Why doesn't the group I'd added the user to show?
>> I do not know if it is the same issue but I found I had to add the
>> posixgroup objectclass to the group; I had to add the memberuid
> As a followup, is this group issue something specific to 389, or ldap
> in general?
ldap in general
> I'm wondering if I should try another ldap server implementation.
you'll probably have to do the same or similar with another ldap server