subtree stacking/subtree virtual views
by Petr Spacek
Hello,
I'm looking for some way how to "stack" LDAP sub-trees one on top of another.
What I mean: Let's have two subtrees:
dc=lower and dc=upper
dc=lower contains objects:
cn=obj1
cn=obj2,attr A = 2
cn=obj3
dc=upper contains objects:
cn=obj2,attr A = 4
cn=obj4
Now I push dc=upper on top of dc=lower (let say it creates dc=stack)
Queries with base dc=stack will return:
cn=obj1 --> same object as in dc=lower
cn=obj2 --> same object as in dc=upper, attr A = 2
cn=obj3 --> same object as in dc=lower
cn=obj4 --> same object as in dc=upper
I saw overlays "relay" and "rwm" in OpenLDAP. Is there any support in 389 for
this use case?
I need to override several records from "lower" subtree with object from
"upper" subtree. Problem is, that subtree "lower" can contain 10 000 objects
and I need to override only 5 of them. I'm searching for effective way how to
accomplish this without copying whole subtree "lower" to "upper".
Thanks for your time.
Petr^2 Spacek
11 years, 11 months
compressed log files
by Michael Gettes
Hi, I figured I would ask the question here before proceeding with a RFE.
I searched TRAC and couldn't locate any relevant tickets.
I'd like to have 389 compress rotated log files to save significant amounts of disk space. Additionally, logconv.pl and other relevant tools would need to be modified to dynamically uncompress logfiles being processed (yes, I know I could gunzip -c and stuff like that but it would be easy to modify the tool to "do the right thing"). Is this a reasonable RFE or is it deemed "out of scope"?
thanks
/mrg
11 years, 11 months
unhashed#user#password field
by Alberto Viana
I have a 389 DS server replication agreement whith an AD Server and when I
change the password in the windows side it replicates into 389 but via 389
console I can see this field "unhashed#user#password" in clear text.
How can I encrypt this field? Is it possible?
I tried the following configuration:
Source:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Admin...
dn: cn=unhashed#user#password,cn=encrypted attributes,cn=userRoot,cn=ldbm
data
base,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: unhashed#user#password
nsEncryptionAlgorithm: AES
If I restart my server the field is gone.
The fact is that I need to avoid my admin to see the user´s password.
11 years, 11 months
Strange Disk IO issue
by Brad Schuetz
I have recently upgraded our 389 servers from pretty old versions that
were a mix and match of 389 release and CentOS released versions (all on
centos 5) to the latest (on centos6) (specific RPMs listed below).
I did this though a full ldif dump of the original server and imported
into a freshly installed new master server. Then I setup the
replication agreements with the 7 slave servers and everything was
running fine.
After about a week I starting having a problem with the hubs servers
where all of them after (possibly exactly) 24 hours would start going
crazy on the disk IO (95-100% according to sysstat) of that server
making queries to ldap slow. The master server does not exhibit this
problem, it will run completely fine.
A simple restart of the dirsrv process corrects the issue and then it
will run for another 24 hours before repeating the issue.
The hardware running each node is somewhat different with varying disk
speeds underlying, but all exhibit the same behavior.
This happens the same on the 2 nodes that get relatively little traffic
and the 5 nodes that get a lot of traffic.
I was originally on the 389-ds-base release that shipped with CentOS6
and have changed to the version from the
<http://repos.fedorapeople.org/repos/rmeggins/389-ds-base/epel-389-ds-base...>
repo, both do the same thing.
Any thoughts/suggestions on how to fix or further diagnose this? I've
had no luck with strace or error logs to find any issues. At this point
I've unfortunately had to resort to a cron job to restart all of my LDAP
hubs.
Installed RPMs:
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-admin-1.1.29-1.el6.x86_64
389-ds-base-1.2.10.7-1.el6.x86_64
389-adminutil-1.1.15-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-libs-1.2.10.7-1.el6.x86_64
--
Brad
11 years, 11 months
Sync with active directory doubts
by Alberto Viana
Hello,
I have 2 389 DS servers a 6 AD servers and i read this on red hat
documetation about windows replication:
"There can only be a single sync agreement between the Directory Server
environment and the Active Directory environment. Multiple sync agreements
to the same Active Directory domain can create entry conflicts."
Now I´m trying the following scenario:
server2 389(consumer) <- replication -> server1 389 <- replication ->
Server1 AD
Server2 AD
Server3 AD
So in my master 389 server (server1) I have 3 agreements with 3 different
AD servers. It´s not clear if "Active Directory environment" means just one
AD server.
Just to make clear that the 6 AD servers are in the same Active Directory
domain and all replicate information with each other. I have this number of
AD servers because they are located in different places(physically).
Can this scenario create entry conflitc? Am I suppose to sync with just one
AD server?
Thanks,
Alberto Viana
11 years, 11 months
Issues with 389 <-> AD sync and user creation
by Orion Poplawski
We're trying to modify our already heavily modified version of fdstools to add
ntUser attributes to users. When we use it to create a new user (or add
ntUser attributes to and existing user) we end up with two new users in AD and
the cn: attribute of the user in 389 is modified to have CNF:<guid> added
which indicates a conflict in the database.
If we check the Enable NT User Attributes and create New NT Account in
389-console everything seems to work. We're not able to see what we're doing
differently. Except that perhaps 389-console is setting ntUniqueId, but I
didn't think it was supposed to do that, that the AD sync was supposed to
handle it.
In fdstools we're setting ntUserDomainId, ntUserCreateNewAccount, and
ntUserDeleteAccount. Which seems to be all we need to do according to
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Admin...
389-ds-1.2.1-1.el5
389-ds-base-1.2.9.9-1.el5
Ideas?
TIA,
Orion
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
11 years, 11 months
disabled user attribute
by Alberto Viana
I have an 389 DS server 1.2.10 and I disabled/inactivated a user just for
test (via 389 console) but I could not find what attribute was modified
with this change. I need to know how to identify a disabled/inactivated
user.
11 years, 11 months
No password change forced at first logon
by Ali Jawad
Hi
I did check the box that says User Must Change Password After Reset in Data
under configuration I also did set the same policy for specific users.
However, I am not being asked to change password on first logons through
ssh or direct console on server, the same is true when I do change the
password of a user "I guess this is what password reset means".
I am not using Fine Grain Password settings.
Any ideas ?
Thanks
11 years, 11 months