Creating windows sync agreements via ldif
by Juan Carlos Camargo
Hi,
I'm writing a script to recreate a Windows sync agreement on my server, and I've found that even though the agreement is created and started, no sync ever actually occurs. I've also noticed that the cookie attribute "nsds7DirsyncCookie" is never created for the sync object, even after a full resync. No errors are shown; everything looks normal. If I create the agreement via the console, everything works as expected. Can you help me? I'm probably missing something but cannot figure out what.
Regards!
.ldif file:
dn: cn=adamuz,cn=replica,cn=dc\3Dmetaeprinsa\2Cdc\3Dorg,cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDSWindowsReplicationAgreement
description: adamuz
cn: adamuz
nsds7WindowsReplicaSubtree: dc=adamuz,dc=local
nsds7DirectoryReplicaSubtree: ou=adamuz,ou=ayuntamientos,ou=usuarios,dc=metaeprinsa,dc=org
nsds7NewWinUserSyncEnabled: on
nsds7NewWinGroupSyncEnabled: off
nsds7WindowsDomain: adamuz.local
nsDS5ReplicaRoot: dc=metaeprinsa,dc=org
nsDS5ReplicaHost: adamuzhost.epr
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: <cn of proxy user>
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaCredentials: <password of proxy user>
nsds5BeginReplicaRefresh: start
--
Juan Carlos Camargo Carrillo
957-211157 , 650932877
12 years
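An added example for the post above (editor's code, not the poster's script): it builds the same agreement as an LDIF add record, hex-escapes the suffix into the mapping-tree RDN the way the console does (dc\3Dmetaeprinsa\2Cdc\3Dorg), and checks the finished record for the two things that silently break an agreement fed through ldapmodify: a record that does not start with dn:, and a missing winsync attribute. The values in SAMPLE_ATTRS are the post's own, placeholders included. nsds7DirsyncCookie is written by the server after a DirSync exchange succeeds, so it is not something the LDIF supplies.

```python
# Added example, not code from the original post. Builds and lints a
# 389-ds Windows sync agreement record. Values below are taken from the
# post (placeholders for the proxy user and its password kept as-is).

REQUIRED = (
    "nsDS5ReplicaRoot", "nsDS5ReplicaHost", "nsDS5ReplicaPort",
    "nsDS5ReplicaBindDN", "nsDS5ReplicaCredentials", "nsDS5ReplicaTransportInfo",
    "nsds7WindowsReplicaSubtree", "nsds7DirectoryReplicaSubtree",
    "nsds7WindowsDomain", "nsds7NewWinUserSyncEnabled", "nsds7NewWinGroupSyncEnabled",
)

SAMPLE_ATTRS = {
    "nsDS5ReplicaRoot": "dc=metaeprinsa,dc=org",
    "nsDS5ReplicaHost": "adamuzhost.epr",
    "nsDS5ReplicaPort": "389",
    "nsDS5ReplicaBindDN": "<cn of proxy user>",        # placeholder from the post
    "nsDS5ReplicaCredentials": "<password of proxy user>",  # placeholder from the post
    "nsDS5ReplicaTransportInfo": "LDAP",
    "nsds7WindowsReplicaSubtree": "dc=adamuz,dc=local",
    "nsds7DirectoryReplicaSubtree": "ou=adamuz,ou=ayuntamientos,ou=usuarios,dc=metaeprinsa,dc=org",
    "nsds7WindowsDomain": "adamuz.local",
    "nsds7NewWinUserSyncEnabled": "on",
    "nsds7NewWinGroupSyncEnabled": "off",
}

_RDN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Hex-escape characters that are special inside an RDN value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def agreement_dn(name, suffix):
    """DN of an agreement under the replica entry of `suffix` in the mapping tree."""
    return "cn=%s,cn=replica,cn=%s,cn=mapping tree,cn=config" % (
        escape_rdn_value(name), escape_rdn_value(suffix))


def missing_attributes(attrs):
    have = {k.lower() for k in attrs}
    return [a for a in REQUIRED if a.lower() not in have]


def winsync_agreement_ldif(name, suffix, attrs, begin_refresh=False):
    """Return one LDIF add record for the agreement; raises if attrs is incomplete."""
    missing = missing_attributes(attrs)
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    lines = [
        "dn: " + agreement_dn(name, suffix),   # an LDIF record starts with dn:, not cn:
        "changetype: add",
        "objectClass: top",
        "objectClass: nsDSWindowsReplicationAgreement",
        "cn: " + name,
        "description: " + name,
    ]
    lines += ["%s: %s" % kv for kv in attrs.items()]
    if begin_refresh:   # request a full resync as soon as the agreement exists
        lines.append("nsds5BeginReplicaRefresh: start")
    return "\n".join(lines) + "\n"


def _values(lines, attr):
    return [l.split(":", 1)[1].strip() for l in lines
            if ":" in l and l.split(":", 1)[0].lower() == attr.lower()]


def check_record(ldif_text):
    """Return the problems found in one agreement record (empty list = looks complete)."""
    lines = [l for l in ldif_text.splitlines() if l and not l.startswith("#")]
    problems = []
    if not lines or not lines[0].startswith("dn: "):
        problems.append("record must start with 'dn:'")
    present = {l.split(":", 1)[0].lower() for l in lines if ":" in l}
    problems += ["missing " + a for a in REQUIRED if a.lower() not in present]
    if "nsdswindowsreplicationagreement" not in [v.lower() for v in _values(lines, "objectClass")]:
        problems.append("objectClass nsDSWindowsReplicationAgreement not set")
    return problems


if __name__ == "__main__":
    record = winsync_agreement_ldif("adamuz", "dc=metaeprinsa,dc=org", SAMPLE_ATTRS, begin_refresh=True)
    print(record)
    print("problems:", check_record(record))
```

Pipe the output into ldapmodify -a as usual; the checker is only meant to catch a mangled record before it reaches the server, since a record that lacks dn: or an attribute is rejected or ignored without telling you why the sync never starts.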
Advice - B2 error
by Michael Gettes
I am performing thousands of searches on a single connection and all appears normal. Then, I get the following error in the access log:
...
[25/Mar/2012:22:10:02 -0400] conn=7 op=22701 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2012:22:10:04 -0400] conn=7 op=-1 fd=64 closed error 90 (Message too long) - B2
ds = 1.2.9.9
RHEL = 5.7
Any advice/guidance appreciated.
/mrg
12 years
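An added example for the post above (editor's code, not the poster's): a small scanner for the 389-ds access log that reports every connection closure with its disconnect code and the last operation seen on that connection. The code table is the one documented for 389-ds; B2 means the client sent a BER element larger than nsslapd-maxbersize, which the server drops before assigning it an op number, so the closure line carries op=-1 and no RESULT precedes it. The two log lines quoted in the post are kept verbatim; the other sample lines are constructed.

```python
# Added example, not code from the original post. Scans 389-ds access log
# lines for connection closures and the disconnect code on each.
import re

DISCONNECT_CODES = {   # documented 389-ds disconnect reason codes
    "A1": "client aborted connection",
    "B1": "corrupt BER from client",
    "B2": "BER too big (larger than nsslapd-maxbersize)",
    "B3": "corrupt BER tag",
    "B4": "server failed to flush data to client",
    "P1": "plugin closed the connection",
    "P2": "poll error",
    "T1": "idle timeout (nsslapd-idletimeout)",
    "T2": "I/O block timeout (nsslapd-ioblocktimeout)",
    "U1": "client sent unbind",
}

LINE_RE = re.compile(r"\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)")
CLOSE_RE = re.compile(r"closed(?: error (?P<errno>\d+) \((?P<msg>[^)]*)\))? - (?P<code>[A-Z]\d)$")

# Constructed sample: the two lines from the post plus a normal unbind.
SAMPLE_LOG = """\
[25/Mar/2012:22:10:02 -0400] conn=7 op=22701 SRCH base="dc=example,dc=com" scope=2 filter="(uid=user22701)" attrs=ALL
[25/Mar/2012:22:10:02 -0400] conn=7 op=22701 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2012:22:10:04 -0400] conn=7 op=-1 fd=64 closed error 90 (Message too long) - B2
[25/Mar/2012:22:10:05 -0400] conn=8 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Mar/2012:22:10:05 -0400] conn=8 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[25/Mar/2012:22:10:05 -0400] conn=8 op=1 UNBIND
[25/Mar/2012:22:10:05 -0400] conn=8 op=1 fd=65 closed - U1
""".splitlines()


def scan_access_log(lines):
    """One dict per closed connection: code, meaning, errno, last op and RESULT seen."""
    last_op, last_result, closures = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        c = CLOSE_RE.search(rest)
        if c:
            code = c.group("code")
            closures.append({
                "ts": m.group("ts"), "conn": conn, "code": code,
                "meaning": DISCONNECT_CODES.get(code, "unknown code"),
                "errno": int(c.group("errno")) if c.group("errno") else None,
                "last_op": last_op.get(conn), "last_result": last_result.get(conn),
            })
            continue
        op = int(m.group("op"))
        if op >= 0:
            last_op[conn] = max(op, last_op.get(conn, -1))
        if rest.startswith("RESULT"):
            last_result[conn] = rest
    return closures


def abnormal_closures(lines):
    """Closures that were not a clean client unbind (U1)."""
    return [c for c in scan_access_log(lines) if c["code"] != "U1"]


if __name__ == "__main__":
    for c in abnormal_closures(SAMPLE_LOG):
        print("conn=%(conn)d closed with %(code)s (%(meaning)s) after op=%(last_op)s" % c)
```

Run it over the real log with `abnormal_closures(open("/var/log/dirsrv/slapd-ID/access").readlines())`; a B2 right after thousands of good RESULT lines on one connection points at one oversized request from the client (or a nsslapd-maxbersize set below what the client legitimately sends), not at the searches before it.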
Adding a bunch of attribute types from an ldif file
by Manel Gimeno Zaragozá
Hello,
I'm new to 389-ds and I'm trying to set up a new LDAP server. These are the packages I've installed:
# rpm -qa | grep 389
389-adminutil-1.1.14-2.el6.x86_64
389-ds-base-libs-1.2.10.4-2.el6.x86_64
389-ds-base-1.2.10.4-2.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-admin-1.1.25-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-dsgw-1.1.7-2.el6.x86_64
And the system is CentOS 6:
#cat /etc/redhat-release
CentOS release 6.2 (Final)
The problem I've found is that I cannot add an attribute type using an ldif file.
If I add it interactively, typing the attribute type at the terminal, I have no problem:
#ldapmodify -a -h localhost -p 1389 -D "cn=admin" -W -v
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1.6 NAME 'perditionMailhost' DESC 'Perdition MailHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
Also, if I add it through the console, the attribute is added correctly, but if I try to add it using an ldif file it shows me the following error:
#cat import.ldif
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1.6 NAME 'perditionMailhost' DESC 'Perdition
MailHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN
'user defined' )
#ldapmodify -a -h localhost -p 1389 -D "cn=admin" -W -v -f import.ldif
ldapmodify: wrong attributeType at line 4, entry "cn=schema"
Also, if I try to add multiple attributes, I get the same error:
#cat import2.ldif
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1.6 NAME 'perditionMailhost' DESC 'Perdition
MailHost' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN
'user defined' )
-
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1.19 NAME 'mainDocsDomainBase' DESC 'Dominio base de Docs' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
#ldapmodify -a -h localhost -p 1389 -D "cn=admin" -W -v -f import2.ldif
ldapmodify: wrong attributeType at line 4, entry "cn=schema"
Am I doing something wrong? Did I misunderstand something?
Thanks & Regards.
Manel
12 years
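An added example for the post above (editor's code, not the poster's files): LDIF line folding as RFC 2849 defines it, and a checker that applies the same rule ldapmodify applies to a changetype: modify record. A folded continuation line must begin with exactly one space, which is stripped before the pieces are joined; a continuation line without that space is read as a new "attribute: value" line, and a record copied with Windows line endings carries a trailing CR inside the attribute name of the add: line, so the following attributetypes line no longer matches the attribute named by the modop. Both cases are flagged. The line numbers the checker prints are logical (unfolded) lines and need not match the number ldapmodify prints. The schema definition is the one from the post.

```python
# Added example, not code from the original post. RFC 2849 folding and a
# lint for "changetype: modify" records, modelled on the checks ldapmodify
# makes (a value line must carry the attribute type named by the preceding
# add:/replace:/delete: line, until a lone "-").
import re

ATTR_DEF = ("( 1.3.6.1.4.1.99999.1.1.6 NAME 'perditionMailhost' DESC 'Perdition MailHost' "
            "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )")

ATTR_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


def fold(line, width=76):
    """Fold one logical line into physical lines of at most `width` characters.
    Every continuation line starts with one space that the reader strips."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def unfold(physical_lines):
    """Join continuation lines (leading space) onto the line before them."""
    logical = []
    for pl in physical_lines:
        if pl.startswith(" ") and logical:
            logical[-1] += pl[1:]
        else:
            logical.append(pl)
    return logical


def lint_modify_record(text):
    """Return a list of problems in a single LDIF modify record ([] = clean)."""
    problems, expected = [], None
    # split on "\n" only, so a stray "\r" from CRLF files stays visible
    for n, line in enumerate(unfold(text.split("\n")), 1):
        if not line:
            continue
        if n == 1 and not line.startswith("dn:"):
            problems.append("line 1: record must start with dn:")
            continue
        if line == "-":
            expected = None
            continue
        if ":" not in line:
            problems.append("line %d: no ':' (continuation line missing its leading space?)" % n)
            continue
        name, _, value = line.partition(":")
        if not ATTR_NAME_RE.match(name):
            problems.append("line %d: bad attribute name %r (stray whitespace or CR?)" % (n, name))
            continue
        if name.lower() in ("add", "replace", "delete"):
            expected = value.lstrip(" ")
            if not ATTR_NAME_RE.match(expected):
                problems.append("line %d: bad modop target %r (stray whitespace or CR?)" % (n, expected))
            expected = expected.lower()
        elif expected is not None and name.lower() != expected:
            problems.append("line %d: wrong attributeType %r, expected %r" % (n, name, expected))
    return problems


def build_record(attr_defs):
    """A schema modify record with every attributetypes value folded correctly."""
    lines = ["dn: cn=schema", "changetype: modify", "add: attributetypes"]
    for d in attr_defs:
        lines += fold("attributetypes: " + d)
    return "\n".join(lines) + "\n"


GOOD = build_record([ATTR_DEF])
BAD_FOLD = "\n".join(l.lstrip(" ") for l in GOOD.split("\n"))   # continuation spaces lost
CRLF = GOOD.replace("\n", "\r\n")                               # saved with Windows endings

if __name__ == "__main__":
    print(GOOD)
    for label, rec in (("good", GOOD), ("bad fold", BAD_FOLD), ("crlf", CRLF)):
        print(label, "->", lint_modify_record(rec) or "ok")
```

The safe way to avoid the fold question entirely is to keep each attributetypes value on one physical line, as in the interactive session that worked; if a file must be folded, the continuation lines need the leading space, and a file edited on Windows needs its CRs removed (for example with sed 's/\r$//') before ldapmodify sees it.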
user cn=Directory Manager does not have permissions
by mjames@guesswho.com
Hi, I get this message when I click on the Configuration tab in the Directory Server GUI. After I click OK, I get a login dialog box. When I enter the Directory Manager password, I am logged in. When I close the Directory Server, I get a 2nd message: "There are unsaved changes. Would you like to close?"
The 2nd message occurs even if I don't make any changes. Any suggestions on resolving this? TIA, Mike
12 years
Repair replication
by Herb Burnswell
Hi All,
I'm new to LDAP administration and have been tasked with fixing the replication of 4 Linux systems running Fedora Directory Server. I am very comfortable working with Linux/Unix but am not experienced with LDAP. I've been reading the communications from this user group and reading as much as I can from the documentation. I believe this environment is not too complex, but I am looking for some guidance; any assistance is greatly appreciated.
Info:
OS: Fedora Core 4
LDAP: Fedora Directory Server v 7.1
First, I know that both the systems and the FDS version are ancient. However, at this point I need to get replication working prior to putting together a migration plan. I have access to the Directory Manager console and am comfortable running command line commands as well. Either way is fine.
Questions:
1. How can I find out which system(s) is/are master, consumer, hub, etc.?
2. How do I confirm that the systems have the correct credentials for replication? (I am receiving: "Unable to acquire replica: Permission denied.")
   a. How can I change the bind DN "cn=replication,cn=config" credentials on each system to ensure replication will work?
3. I assume that upon repairing replication (apparently it has not been working for several years) the systems will all replicate to the most recent information. Correct?
Again, any guidance is greatly appreciated.
Thanks in advance,
Herb
12 years
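An added example for questions 1 and 2 above (editor's code, not the poster's): given a cn=config dump from each server, it classifies every replica entry as supplier, hub or consumer from nsDS5ReplicaType and nsDS5Flags (3 = read-write supplier; 2 = read-only, with flags 1 for a hub that keeps a changelog and 0 for a plain consumer), and then checks each replication agreement against the target server's replica entry: the DN the agreement binds with must appear in the target's nsDS5ReplicaBindDN, otherwise the supplier binds fine but is refused when it asks to acquire the replica. The dumps below are constructed for the example, as if taken on each server with ldapsearch -b cn=config over the nsDS5Replica and nsDS5ReplicationAgreement entries; the host names and the mismatched bind DN are invented to show the failing case.

```python
# Added example, not code from the original post. Works out replication
# roles from cn=config dumps and cross-checks agreement bind DNs.

# Constructed dumps: one supplier (ldap1) with an agreement to a consumer
# (ldap2) whose replica entry accepts a different bind DN.
DUMPS = {
    "ldap1.example.com": """\
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config

dn: cn=to-ldap2,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-ldap2
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: ldap2.example.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaTransportInfo: LDAP
""",
    "ldap2.example.com": """\
dn: cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsDS5ReplicaId: 65535
nsDS5ReplicaBindDN: cn=replication,cn=config
""",
}


def parse_ldif(text):
    """Entries as dicts of lower-cased attribute name -> list of values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, cur = [], {}
    for line in logical + [""]:
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # base64 marker; not decoded here
            value = value[1:]
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def has_class(entry, oc):
    return oc.lower() in [o.lower() for o in entry.get("objectclass", [])]


def replica_role(entry):
    rtype = entry.get("nsds5replicatype", ["?"])[0]
    flags = entry.get("nsds5flags", ["0"])[0]
    if rtype == "3":
        return "supplier"
    if rtype == "2":
        return "hub" if flags == "1" else "consumer"
    return "unknown"


def roles(dumps):
    """{host: [(replica root, role), ...]} for every nsDS5Replica entry."""
    out = {}
    for host, text in dumps.items():
        for e in parse_ldif(text):
            if has_class(e, "nsDS5Replica"):
                out.setdefault(host, []).append((e["nsds5replicaroot"][0].lower(), replica_role(e)))
    return out


def check_agreement_bind_dns(dumps):
    """Agreements whose bind DN the target replica does not list."""
    parsed = {h: parse_ldif(t) for h, t in dumps.items()}
    problems = []
    for host, entries in parsed.items():
        for e in entries:
            if not has_class(e, "nsDS5ReplicationAgreement"):
                continue
            target = e["nsds5replicahost"][0].lower()
            root = e["nsds5replicaroot"][0].lower()
            bind_dn = e["nsds5replicabinddn"][0].lower()
            accepted = [dn.lower()
                        for t in parsed.get(target, [])
                        if has_class(t, "nsDS5Replica") and t["nsds5replicaroot"][0].lower() == root
                        for dn in t.get("nsds5replicabinddn", [])]
            if target not in parsed:
                problems.append("%s -> %s: no dump for target host" % (host, target))
            elif bind_dn not in accepted:
                problems.append("%s -> %s: bind DN %s not in target nsDS5ReplicaBindDN %s"
                                % (host, target, bind_dn, accepted))
    return problems


if __name__ == "__main__":
    print(roles(DUMPS))
    print(check_agreement_bind_dns(DUMPS))
```

Fixing the reported mismatch means either adding the agreement's bind DN to the consumer's nsDS5ReplicaBindDN or pointing the agreement at the DN the consumer already accepts, and then resetting that entry's password on the consumer and the matching nsDS5ReplicaCredentials on the supplier so both sides agree.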
altering replication agreements
by Michael Gettes
EL 5.6 and ds-389 1.2.9.9
I have a question of curiosity…
I have a number of replication agreements. They were initially configured as TLS on port 389. I need them to be moved to SSL on 636. I could re-create the agreements and delete the old ones. OR, what about going into the cn=config, using Console and into the mapping tree and for each agreement I change nsdsReplicaPort and nsdsReplicaTransportInfo to 636 and SSL respectively. Will this work? Or will it screw replication into the floor? Would I need to restart nssldapd?
Thoughts appreciated and MANY thanks in advance.
/mrg
12 years
configuration server setup
by mjames@guesswho.com
I installed a new CentOS6 ldap server into our environment. I ran the setup-ds-admin.pl script and told it to get the config from one of the existing servers. When I use the 389-console, I don't see o=NetscapeRoot on the new Directory server. I do see the baseDN.
So how should I replicate o=NetscapeRoot dn to the new server? I thought that happened automagically during the install.
Thx, Mike
12 years
SASL appname
by Adam Bishop
Hello,
I'm trying to disable some SASL mechanisms (specifically EXTERNAL) as per the RH documentation:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Admin...
It seems that EXTERNAL is not provided by a plugin (as far as I can see?) so I cannot use the first method, of relinking libraries.
I am now trying the second method (creating <appname>.conf with a mech_list), but I am stuck on what to call the .conf file.
Having a quick look at the source code, the SASL appname is not obvious - does anyone know what it is?
Thanks,
Adam Bishop
12 years
SASL and GSSAPI replication help - Error w/ Realm
by Matt Wells
I have a multi-master configuration of 389 Directory Server. I'm attempting to replicate with SASL/GSSAPI, but it's not getting the realm.
Note this replication is not with Windows AD. It's LDAP to LDAP
The error I get is:
[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/server1@] in keytab [WRFILE:/etc/krb5.keytab]: -1765328164 (Cannot resolve network address for KDC in requested realm)
[15/Mar/2012:10:48:30 -0700] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_99' not found))
[15/Mar/2012:10:48:30 -0700] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
In Kerberos all principals are created, and in /etc/krb5.keytab the following exist; additionally the permissions have been set all the way to 777 to ensure a permissions issue is not in play.
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 host/server1@EXAMPLE.COM
2 2 host/server1@EXAMPLE.COM
3 2 host/server1@EXAMPLE.COM
4 2 host/server1@EXAMPLE.COM
5 2 host/server2@EXAMPLE.COM
6 2 host/server2@EXAMPLE.COM
7 2 host/server2@EXAMPLE.COM
8 2 host/server2@EXAMPLE.COM
9 3 ldap/server1@EXAMPLE.COM
10 3 ldap/server1@EXAMPLE.COM
11 3 ldap/server1@EXAMPLE.COM
12 3 ldap/server1@EXAMPLE.COM
13 3 ldap/server2@EXAMPLE.COM
14 3 ldap/server2@EXAMPLE.COM
15 3 ldap/server2@EXAMPLE.COM
16 3 ldap/server2@EXAMPLE.COM
My question is the following: shouldn't my first error from above read
"[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial credentials for principal [ldap/server1@EXAMPLE.COM]"?
It makes sense to me that I am missing my realm; without that I of course couldn't get my TGT from the KDC. But where do I define that realm?
I've looked in cn=mapping,cn=sasl,cn=config but have not seen a realm to define. I've tested for fun changing these attributes, but to no avail.
nssaslmapbase dc=\2,dc=\3
mapregexstring \(.*\)@\(.*\)\.\(.*\)
Any help would be greatly appreciated!
Software Version -
RHEL 6.1
---
389-admin-1.1.25-1.el6.x86_64.rpm
389-admin-console-1.1.8-1.el6.noarch.rpm
389-adminutil-1.1.14-2.el6.x86_64.rpm
389-console-1.1.7-1.el6.noarch.rpm
389-ds-console-1.2.6-1.el6.noarch.rpm
389-dsgw-1.1.7-2.el6.x86_64.rpm
12 years
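An added example for the post above (editor's code, not the poster's configuration). The realm in the failing principal does not come from the SASL mapping entries, which only map an authenticated identity to a directory entry: 389-ds builds its own principal from the local host name with service "ldap" (the library call is krb5_sname_to_principal), and MIT Kerberos fills in the realm from the [domain_realm] section of krb5.conf (or DNS TXT records, when enabled); when nothing matches the host name it leaves the realm empty, the "referral" realm, which is exactly what "ldap/server1@" shows. The host name in the log is the short "server1", which no ".example.com" rule can match. The functions below model that lookup without DNS, pull the principal out of the log line, and show two ways the lookup succeeds: a host name that resolves to a fully qualified name under a mapped domain, or an explicit "server1 = EXAMPLE.COM" rule, which yields ldap/server1@EXAMPLE.COM, the principal already in the keytab. The krb5.conf text is constructed for the example; the log line is the one from the post.

```python
# Added example, not code from the original post. Models the MIT krb5
# host-to-realm lookup (no DNS) that decides the realm in the principal
# 389-ds logs, and checks a log line for an empty realm.
import re

# Constructed krb5.conf fragment (not the poster's file).
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"""

# Log line quoted in the post.
LOG_LINE = ("[15/Mar/2012:10:48:30 -0700] set_krb5_creds - Could not get initial credentials "
            "for principal [ldap/server1@] in keytab [WRFILE:/etc/krb5.keytab]: -1765328164 "
            "(Cannot resolve network address for KDC in requested realm)")

PRINC_RE = re.compile(r"set_krb5_creds - Could not get initial credentials for principal \[(?P<princ>[^\]]*)\]")


def parse_domain_realm(krb5_conf):
    """The [domain_realm] section of a krb5.conf as {host-or-domain: REALM}."""
    mapping, section = {}, None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = value
    return mapping


def host_realm(hostname, domain_realm):
    """Model of the MIT lookup without DNS: the exact host name first, then each
    parent domain with and without a leading dot. '' means no match (referral realm)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in domain_realm:
                return domain_realm[candidate]
    return ""


def service_principal(service, hostname, domain_realm):
    """service/host@REALM as the server would build it for its own host."""
    return "%s/%s@%s" % (service, hostname.lower().rstrip("."), host_realm(hostname, domain_realm))


def principal_from_log(line):
    m = PRINC_RE.search(line)
    return m.group("princ") if m else None


def realm_missing(principal):
    """True for a principal with no realm part, e.g. 'ldap/server1@'."""
    return principal is not None and principal.rsplit("@", 1)[-1] == ""


if __name__ == "__main__":
    dr = parse_domain_realm(KRB5_CONF)
    print("logged principal:", principal_from_log(LOG_LINE), "realm missing:", realm_missing(principal_from_log(LOG_LINE)))
    print("short host name :", service_principal("ldap", "server1", dr))
    print("fqdn            :", service_principal("ldap", "server1.example.com", dr))
    print("explicit rule   :", service_principal("ldap", "server1", dict(dr, server1="EXAMPLE.COM")))
```

Whichever route is taken, the principal the server ends up with must match a keytab entry exactly; `kinit -kt /etc/krb5.keytab ldap/$(hostname -f)@EXAMPLE.COM` run as the directory server user is the quickest way to confirm that before restarting replication.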
Re: [389-users] Req PPA link for Ubuntu
by s.varadha rajan
FYI
Varad
On Fri, Mar 16, 2012 at 4:06 PM, s.varadha rajan <rajanvaradhu@gmail.com> wrote:
> Hi,
>
> Thanks for all the replies. Is there any other way right now?
>
> Thanks & Regards,
> Varad
>
>
> On Thu, Mar 15, 2012 at 1:29 PM, Timo Aaltonen <tjaalton@ubuntu.com> wrote:
>
>> On 14.03.2012 07:33, s.varadha rajan wrote:
>> > Hi Team,
>> >
>> > We are trying to install 389 ds server in Ubuntu 10.04 x86-64 edition. We
>> > followed the doc from the site
>> > "https://help.ubuntu.com/community/FedoraDirectoryServer". In that site,
>> > they have specified the following url,
>> >
>> > deb http://ppa.launchpad.net/ubuntu-389-directory-server/ppa/ubuntu/ karmic main
>> > deb-src http://ppa.launchpad.net/ubuntu-389-directory-server/ppa/ubuntu/ karmic main
>>
>> Precise (12.04) already has a (mostly) complete set of 389 included in
>> the official repository. The team repo once had packages for oneiric,
>> maybe for karmic too at some point but those are long gone.
>>
>>
>> --
>> t
>>
>
>
12 years