NIS 389 Directory Server
by Neuhold Christian (TSA)
Hello, for user authentication we use NIS on a Solaris system. Solaris 7/8/9 and Redhat 4/5 access this domain. Now I want to migrate to Fedora Directory Server.
What I have done:
* Installed Redhat 5 x86_64
* Installed 389 from EPEL
* Imported NIS Data into 389 with LdapImport from Babel
* Authentication over LDAP and LDAP SSL works. (POSIX Accounts)
* Installed slapi-nis 0.24
* Configured slapi-nis with nis-getting-started.txt
Working:
* Providing NIS MAPS
[root@xxxx ~]# ypwhich -m
users sux7292v.xxx.com
passwd.byuid xxx.xx.com
passwd.byname xxx.xx.com
group.byname xxx.xx.com
group.bygid xxx.xx.com
[root@xxx ~]#
* Get passwd and groups
[root@xxx slapd-xxx]# ypcat passwd | grep tst
tst:*:1346:21:Test:/user/tst:/bin/csh
My problem:
Authentication is not working; login is not possible.
My des.ldif (only nis entries):
dn: cn=NIS Server,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: NIS Server
nsslapd-pluginPath: nisserver-plugin.so
nsslapd-pluginInitfunc: nis_plugin_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginDescription: NIS Server Plugin
nsslapd-pluginVendor: redhat.com
nsslapd-pluginVersion: 0.24
nsslapd-pluginId: nis-plugin
nis-tcp-wrappers-name: ypserv
nsslapd-pluginarg0: 541
modifiersName: cn=directory manager
modifyTimestamp: 20110517110053Z
numSubordinates: 5n
dn: nis-domain=xxx+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: group.bygid
nis-base: ou=Groups, dc=xxx, dc=com
dn: nis-domain=xxx+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: group.byname
nis-base: ou=Groups, dc=xxx, dc=com
dn: nis-domain=xxx+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: passwd.byname
nis-base: ou=People, dc=xxx, dc=com
dn: nis-domain=xxx+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: xxx
nis-map: passwd.byuid
nis-base: ou=People, dc=xxx, dc=com
ypcat passwd old system:
[root@xxx slapd-xxx]# ypcat passwd | grep tst
tst:*:1346:21:Test:/user/tst:/bin/csh
ypcat passwd new system:
[root@xxx ~]# ypcat passwd | grep tst
tst:xOf6bdfgZsCsA:1346:21:Test:/user/tst:/bin/csh
Is it possible to provide the password hash with slapi-nis/389-directory server?
Thanks, br cnu80
-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~
This message may contain confidential and/or privileged information intended
only for the addressee.
If you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose or take any action based
on this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply e-mail and
delete this message. Any views expressed in this message are those of the
individual sender and may not necessarily reflect the
opinions of austriamicrosystems AG.
-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~-~^~
Diese E-Mail enthaelt moeglicherweise vertrauliche und/oder rechtlich
geschuetzte Informationen.
Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtuemlich
erhalten haben, informieren Sie bitte sofort den Absender und loeschen Sie
diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser
Mail ist nicht gestattet. Etwaige in dieser E-mail geaeusserte Ansichten und
Meinungen stammen vom Versender dieser Nachricht und muessen nicht
notwendigerweise mit den Meinungen und Ansichten von austriamicrosystems AG
uebereinstimmen.
~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~.~-~
12 years, 11 months
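The difference between the two ypcat outputs above is the security-relevant point: the old system publishes a placeholder in the passwd map, while the new map publishes the crypt hash to every NIS client that can reach ypserv. As an added check (not part of the original post or of slapi-nis), this script parses passwd-map output and flags entries whose password field is a real hash; the sample lines and function names are constructed.

```python
"""Audit NIS passwd-map output for exposed password hashes.
Added example; function names are assumptions, not slapi-nis or 389 DS code.
"""
import re

# Constructed sample modelled on the post: one shadowed line, one exposed hash, one 'x'.
SAMPLE_YPCAT = """\
tst:*:1346:21:Test:/user/tst:/bin/csh
tst:xOf6bdfgZsCsA:1346:21:Test:/user/tst:/bin/csh
svc:x:1400:21:Service:/user/svc:/sbin/nologin
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")          # traditional crypt(3)
MODULAR_CRYPT = re.compile(r"^\$(1|2[abxy]?|5|6|y)\$")   # MD5/bcrypt/SHA/yescrypt


def classify_password_field(field):
    """Return 'placeholder', 'des', 'modular' or 'unknown' for a passwd field."""
    if field in ("", "*", "x", "*NP*", "*LK*") or field.startswith("!"):
        return "placeholder"   # shadowed, locked or no-password marker
    if DES_CRYPT.match(field):
        return "des"
    if MODULAR_CRYPT.match(field):
        return "modular"
    return "unknown"           # anything else is still not a placeholder


def find_exposed_hashes(ypcat_output):
    """Return (user, uid, kind) for map entries whose password field is a hash."""
    exposed = []
    for line in ypcat_output.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue           # not a well-formed passwd line; do not guess
        user, pw, uid = parts[0], parts[1], parts[2]
        kind = classify_password_field(pw)
        if kind != "placeholder":
            exposed.append((user, int(uid), kind))
    return exposed


if __name__ == "__main__":
    for user, uid, kind in find_exposed_hashes(SAMPLE_YPCAT):
        print(f"{user} (uid {uid}): {kind} hash visible in passwd map")
```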
windows sync question
by solarflow99
I have a question about windows sync, in the docs it says the replica role
should be single or multi master, but with single master you can't set
update settings for the bind DN. Will this still work?
Is there a way to sync 1 way, from windows AD -> dirsrv only?
Thanks,
replication with ssl
by solarflow99
I just wonder why I'm getting: RESULT err=2 when I try to use replication
over simple SSL. The replication agreement works when I use ldap with no
encryption, but when I select SSL encryption with ldap it just gives that
error. I'm not looking to use certificates, just simple bind DN/password.
read_state: failed to get generator's state
by Jim Tyrrell
Hi,
I have a setup with 3 389 Directory servers in a master-master setup
which has been working fine until now. One of the servers died this
morning due to a memory issue and now will not restart:
[18/May/2011:12:34:32 +0100] memory allocator - malloc of 1538 bytes
failed; OS error 12 (Cannot allocate memory)
The server has probably allocated all available virtual memory. To solve
this problem, make more virtual memory available to your server, or reduce
one or more of the following server configuration settings:
nsslapd-cachesize (Database Settings - Maximum entries in cache)
nsslapd-cachememsize (Database Settings - Memory available for cache)
nsslapd-dbcachesize (LDBM Plug-in Settings - Maximum cache size)
nsslapd-import-cachesize (LDBM Plug-in Settings - Import cache size).
Can't recover; calling exit(1).
I'm now unable to restart the server; the error log reports the following:
[18/May/2011:12:58:38 +0100] - 389-Directory/1.2.2 B2009.237.206 starting up
[18/May/2011:12:58:38 +0100] uuid - read_state: failed to get
generator's state
[18/May/2011:12:58:38 +0100] uuid - uuid_init: failed to get generator's
state
[18/May/2011:12:58:38 +0100] uniqueid generator - uniqueIDGenInit:
generator initialization failed
[18/May/2011:12:58:38 +0100] - Fatal Error---Failed to initialize
uniqueid generator; error = 13. Exiting now.
389-Directory/1.2.2 B2009.237.206
Any ideas what the issue is and how to fix it? Where is it trying to get
the generator's state from?
Thanks.
Jim.
help
by Neuhold Christian (TSA)
help
Re: [389-users] 389 directory capacity query
by Steven Li
Resent
-----Original Message-----
From: Steven Li
Sent: 5/18/2011 [Wednesday] 13:50
To: Steven Li; 389-users(a)lists.fedoraproject.org; 389-devel(a)lists.fedoraproject.org
Cc: Ivan Wang
Subject: RE: 389 directory capacity query
Resent
-----Original Message-----
From: Steven Li
Sent: 5/18/2011 [Wednesday] 13:35
To: 389-users(a)lists.fedoraproject.org; 389-devel(a)lists.fedoraproject.org
Cc: Ivan Wang
Subject: 389 directory capacity query
Hi All
Now I'm beginning to apply the 389 Directory Server v2.6 in our env. But I want to check: do we have a test of the capacity of the directory server?
For example, what is the maximum number of entries that can be supported, and what's the best deployment for a large user store?
As I need it to support a maximum of 200 million users, do you think it is possible to store so many entries in the server, and if it's possible, how should
I retrieve it?
Thanks.
unable to read schema
by Stephen Lorenz
Hi,
We are trying to set up our 389 DS instance and everything seems to work
except that LDAP browsers cannot seem to access the schema. For example, in
the LDAPSort LDAP Admin Tool we receive the error message:
"Unable to read schema!!" Unable to read schema, please login/bind with an
account which has access to schema - You can also rebind with any entry
using the right-click menu and selecting rebind.
However, we are not trying to access the directory anonymously; we receive
this error even when binding as Directory Manager.
We also cannot browse the schema using a standard ldapsearch command.
Any ideas of how to enable schema reading?
Thanks,
Stephen
upgrading to multimaster
by Karoly Czovek
Hi, what is the simplest way to upgrade a master-slave replica with 4 slaves to a 4-way multi-master replica,
with no or the least service downtime?
--
Karoly CZOVEK
Global Systems Administrator
MoveOne IT Department
Eastern Europe - Balkans - CIS & Central Asia - Middle East & Africa -
Asia Pacific
phone: +36 1 266 0181 - ext.6710
mobile: +36 70 708 9953
skype: mo_karoly.czovek
email: karoly.czovek(a)moveoneinc.com
web: http://www.moveoneinc.com
Upgrade to 1.2.8.2
by Reinhard Nappert
Hi,
Is there a flag somewhere to not switch the entry format?
I don't have an issue with a fresh install (just add nsslapd-subtree-rename-switch: off to template-dse.ldif). But I run into issues when I upgrade an existing Fedora DS 1.1.2 to 389 DS 1.2.8.2.
I run setup-ds.pl -u .....
Thanks,
-Reinhard
MMR issue, when deleting the replica setup.
by Reinhard Nappert
Hi,
I noticed an issue with 389 DS 1.2.7.5, which I have not seen before. Here is what I do:
1. I create a two multi-master setup.
2. I don't perform any changes on the directory.
3. I delete the replica setup on both systems -- everything is fine.
4. I create a two multi-master setup.
5. Perform changes on both systems
6. Modifications get replicated.
7. I delete the replica setup. Now I get the following error logs:
[09/May/2011:15:43:18 -0400] - import userRoot: Import complete. Processed 446 entries in 4 seconds. (111.50 entries/sec)
[09/May/2011:15:43:18 -0400] NSMMReplicationPlugin - multimaster_be_state_change: replica o=base is coming online; enabling replication
...
[09/May/2011:15:45:21 -0400] NSMMReplicationPlugin - agmt_delete: begin
[09/May/2011:15:45:22 -0400] NSMMReplicationPlugin - replica_config_delete: Warning: The changelog for replica o=BASE is no longer valid since the replica config is being deleted. Removing the changelog.
[09/May/2011:15:45:22 -0400] NSMMReplicationPlugin - changelog program - _cl5Add Thread: invalid changelog state - 2 <== This is good!
[09/May/2011:15:45:27 -0400] - libdb: <path to>/changelogdb/7773fd02-7a7411e0-ac71f4b1-0fb2d026_4dc840d3000000020000.db4: unable to flush: No such file or directory
[09/May/2011:15:45:27 -0400] - libdb: txn_checkpoint: failed to flush the buffer cache No such file or directory
[09/May/2011:15:45:27 -0400] - Serious Error---Failed to checkpoint database, err=2 (No such file or directory)
Of course, the changelog directory was gone. It looks to me like the server still keeps this in memory somehow.
I enabled audit logging; this is what I see there:
time: 20110509154521
dn: cn=changelog5,cn=config
changetype: delete
modifiersname: <credentials>
time: 20110509154522
dn: cn=agreement1,cn=replica,cn=o\3dbase,cn=mapping tree,cn=config
changetype: delete
modifiersname: <credentials>
time: 20110509154522
dn: cn=replica,cn=o\3dbase,cn=mapping tree,cn=config
changetype: delete
modifiersname: <credentials>
time: 20110509154522
dn: cn=o\3dbase,cn=mapping tree,cn=config
changetype: modify
replace: nsslapd-state
nsslapd-state: backend
-
replace: nsslapd-referral
-
replace: modifiersname
modifiersname: <credentials>
-
replace: modifytimestamp
-
replace: nsslapd-referral
-
replace: modifiersname
modifiersname: <credentials>
-
replace: modifytimestamp
modifytimestamp: 20110509194522Z
-
time: 20110509154605
dn: cn=uniqueid generator,cn=config
changetype: modify
replace: nsState
nsState:: AM+94nR64AH0sQ+y0CZxbAEAAAAAAAAA
-
replace: modifiersname
modifiersname: cn=server,cn=plugins,cn=config
-
replace: modifytimestamp
modifytimestamp: 20110509194605Z
-
Has somebody seen this before?
Thanks,
-Reinhard
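As an added example (not part of Reinhard's post or of 389 DS itself), this parser reads audit-log records in the format quoted above and lists the deletions of changelog, agreement and replica configuration in time order, which is the sequence to check when reconstructing a teardown like this one; the sample records and function names are constructed.

```python
"""Reconstruct a timeline of replication-config changes from a 389 DS audit log.
Added example; function names are assumptions, not 389 DS APIs. The sample
below is constructed, modelled on the audit-log excerpt in the post.
"""
SAMPLE_AUDIT = r"""
time: 20110509154521
dn: cn=changelog5,cn=config
changetype: delete
modifiersname: cn=directory manager

time: 20110509154522
dn: cn=agreement1,cn=replica,cn=o\3dbase,cn=mapping tree,cn=config
changetype: delete
modifiersname: cn=directory manager

time: 20110509154522
dn: cn=o\3dbase,cn=mapping tree,cn=config
changetype: modify
replace: nsslapd-state
nsslapd-state: backend
-
"""

# DN suffixes under which replica, agreement and changelog config entries live.
REPLICATION_SUFFIXES = ("cn=mapping tree,cn=config", "cn=changelog5,cn=config")


def parse_audit_log(text):
    """Split the LDIF-style audit log into records, each starting at a 'time:' line."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("time: "):
            current = {"time": line[6:], "dn": None, "changetype": None, "mods": []}
            records.append(current)
        elif current is None or not line.strip() or line == "-":
            continue  # record separator, mod separator, or text before the first record
        elif line.startswith("dn: "):
            current["dn"] = line[4:]
        elif line.startswith("changetype: "):
            current["changetype"] = line[12:]
        elif line.startswith(("replace: ", "add: ", "delete: ")):
            op, attr = line.split(": ", 1)
            current["mods"].append((op, attr))   # attribute values are not needed here
    return records


def replication_teardown(records):
    """Return (time, dn) for every deletion of replica, agreement or changelog config."""
    return [(r["time"], r["dn"]) for r in records
            if r["changetype"] == "delete" and r["dn"]
            and r["dn"].endswith(REPLICATION_SUFFIXES)]
```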