Advice for setting up multiple kinds of groups with a unique user entry.
by DongInn Kim
Hi,
I have a lot of users to add to my 389 DS on my RHEL6 server, but they can be divided into two different kinds of group: unix/linux users and web users in 389.
I would like each user to manage one username and password for the two different groups.
It would be optimal if one user entry could be shared between the unix/linux users and the web users.
Is it possible?
The reason to have separate groups is to give explicit access to each group, so that an ldapsearch on one specific group would not show any entries of the other group.
Any advice on setting up 389-DS with this kind of structure would be really appreciated.
Regards,
--
DongInn Kim
dikim33(a)gmail.com
9 years, 5 months
Problems with replication
by Parasit Hendersson
Hi,
Once again we have a problem on our servers, this time with replication.
In the log file the same entries appear repeatedly.
[15/Oct/2013:11:08:43 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Beginning linger on the connection
[15/Oct/2013:11:08:43 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): State: sending_updates -> start_backoff
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): State: start_backoff -> backoff
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Cancelling linger on the connection
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Replica was successfully acquired.
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): State: backoff -> sending_updates
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Replica has a different generation ID than the local data.
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Successfully released consumer
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Beginning linger on the connection
I found similar problems in the archives and documentation, but they
all boiled down to the fact that the replica isn't initialized.
The solution given for that case does not help; I did the
initialization (again) and the effect is exactly the same. What else can be wrong?
Usually all changes from the master are properly replicated, with some
unexplained exceptions, and I don't know why.
P.S. The same problem exists on all our slave nodes.
We use RHEL 6.4 with 389-ds-base-1.2.11.15-11.el6.x86_64
With Regards
Parasit Hendersson
9 years, 5 months
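The errors-log excerpt in the post above is what an operator would want to scan automatically across a fleet of consumers: the "Replica has a different generation ID than the local data" message is the symptom the archives tie to an uninitialised consumer, and the sending_updates -> start_backoff -> backoff cycle shows the agreement retrying. The following parser and checker is an added example, not code from the poster or from the 389 project; the sample log is constructed to mirror the quoted lines (each message on one line, plus a second hypothetical agreement named "slave2"), and the agreement and consumer names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the post; each message is
# on a single line and a second, hypothetical agreement ("slave2") is added.
SAMPLE_LOG = """\
[15/Oct/2013:11:08:43 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Beginning linger on the connection
[15/Oct/2013:11:08:43 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): State: sending_updates -> start_backoff
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): State: start_backoff -> backoff
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Cancelling linger on the connection
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Replica was successfully acquired.
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): State: backoff -> sending_updates
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Replica has a different generation ID than the local data.
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Successfully released consumer
[15/Oct/2013:11:08:47 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave port 389" (slave:389): Beginning linger on the connection
[15/Oct/2013:11:08:51 +0200] NSMMReplicationPlugin - agmt="master port 389 to slave2 port 389" (slave2:389): State: sending_updates -> start_backoff
"""

# One NSMMReplicationPlugin line: timestamp, agreement name, consumer host:port, message.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
    r'agmt="(?P<agmt>[^"]*)" \((?P<consumer>[^)]*)\): (?P<msg>.*)$'
)
STATE_RE = re.compile(r'^State: (?P<old>\S+) -> (?P<new>\S+)$')
GEN_MISMATCH = "Replica has a different generation ID than the local data."


def parse_line(line):
    """Return the fields of one replication-plugin line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyze_replication_log(text):
    """Per-agreement counters: generation-ID mismatches, backoff entries, state transitions."""
    summary = defaultdict(lambda: {
        "consumer": None, "first_seen": None, "last_seen": None,
        "generation_mismatch": 0, "backoff_entries": 0, "transitions": [],
    })
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["agmt"]]
        s["consumer"] = rec["consumer"]
        s["first_seen"] = s["first_seen"] or rec["ts"]
        s["last_seen"] = rec["ts"]
        if rec["msg"] == GEN_MISMATCH:
            s["generation_mismatch"] += 1
        st = STATE_RE.match(rec["msg"])
        if st:
            s["transitions"].append((st["old"], st["new"]))
            if st["new"] == "start_backoff":
                s["backoff_entries"] += 1
    return dict(summary)


def findings(text, backoff_threshold=2):
    """Human-readable findings; a generation mismatch is always reported, backoff only when repeated."""
    out = []
    for agmt, s in analyze_replication_log(text).items():
        if s["generation_mismatch"]:
            out.append(f'{agmt} ({s["consumer"]}): consumer data has a different generation ID '
                       f'({s["generation_mismatch"]}x between {s["first_seen"]} and {s["last_seen"]}); '
                       f'the consumer does not share this supplier\'s data generation and needs '
                       f'(re-)initialisation from it')
        if s["backoff_entries"] >= backoff_threshold:
            out.append(f'{agmt} ({s["consumer"]}): entered backoff {s["backoff_entries"]} times')
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG, backoff_threshold=1):
        print(line)
```

Run it against /var/log/dirsrv/slapd-INSTANCE/errors (path assumed) and one finding per agreement is enough to see which consumers disagree with the supplier. If the mismatch comes back immediately after a re-initialisation, as the poster reports, the things worth verifying are that the initialisation targeted the same backend the agreement replicates and actually completed, and, in a multi-master topology, that every supplier was initialised from one common source so that all of them carry the same generation ID; a consumer initialised from a supplier with a different generation will keep logging this message.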
hung 389 master 389-Directory/1.2.11.15 B2013.238.2155
by Michael Gettes
389-Directory/1.2.11.15 B2013.238.2155
Nothing in errors, nothing in access log files
uname -a
Linux XXXX 2.6.32-358.18.1.el6.x86_64 #1 SMP Fri Aug 2 17:04:38 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
yum list | grep 389
389-admin.x86_64 1.1.29-1.el6 @epel-x86_64-server-6
389-admin-console.noarch 1.1.8-1.el6 @epel-x86_64-server-6
389-admin-console-doc.noarch 1.1.8-1.el6 @epel-x86_64-server-6
389-adminutil.x86_64 1.1.15-1.el6 installed
389-console.noarch 1.1.7-3.el5 installed
389-ds.noarch 1.2.2-1.el6 @epel-x86_64-server-6
389-ds-base.x86_64 1.2.11.15-22.el6_4 @rhel-x86_64-server-6
389-ds-base-debuginfo.x86_64 1.2.11.15-22.el6_4 @rhel-x86_64-server-6-debuginfo
389-ds-base-libs.x86_64 1.2.11.15-22.el6_4 @rhel-x86_64-server-6
389-ds-console.noarch 1.2.6-1.el6 @epel-x86_64-server-6
389-ds-console-doc.noarch 1.2.6-1.el6 @epel-x86_64-server-6
389-dsgw.x86_64 1.1.10-1.el6 @epel-x86_64-server-6
389-admin.i686 1.1.29-1.el6 epel-x86_64-server-6
389-adminutil.i686 1.1.15-1.el6 epel-x86_64-server-6
389-adminutil-devel.i686 1.1.15-1.el6 epel-x86_64-server-6
389-adminutil-devel.x86_64 1.1.15-1.el6 epel-x86_64-server-6
389-ds-base-debuginfo.i686 1.2.11.15-22.el6_4 rhel-x86_64-server-6-debuginfo
389-ds-base-devel.i686 1.2.11.15-22.el6_4 rhel-x86_64-server-optional-6
389-ds-base-devel.x86_64 1.2.11.15-22.el6_4 rhel-x86_64-server-optional-6
389-ds-base-libs.i686 1.2.11.15-22.el6_4 rhel-x86_64-server-6
I have a gcore of ns-slapd
#0 __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
#1 0x00007f6f9c6af3be in _L_lock_995 () from /lib64/libpthread.so.0
#2 0x00007f6f9c6af326 in __pthread_mutex_lock (mutex=0x18c8850) at pthread_mutex_lock.c:101
#3 0x00007f6f9cd050b9 in PR_Lock (lock=0x18c8850) at ../../../mozilla/nsprpub/pr/src/pthreads/ptsynch.c:174
#4 0x00007f6f9d390bf0 in nssCertificate_Destroy (c=0x1a0f3f0) at certificate.c:112
#5 0x00007f6f9d684e97 in ssl_ResetSecurityInfo (sec=0x2774888, doMemset=0) at sslsecur.c:947
#6 0x00007f6f9d684f1b in ssl_DestroySecurityInfo (sec=0x2774888) at sslsecur.c:978
#7 0x00007f6f9d6891e5 in ssl_DestroySocketContents (ss=0x2774800) at sslsock.c:404
#8 0x00007f6f9d68a752 in ssl_FreeSocket (ss=0x2774800) at sslsock.c:465
#9 0x00007f6f9d6808b8 in ssl_DefClose (ss=0x2774800) at ssldef.c:206
#10 0x0000000000414301 in connection_cleanup (conn=0x7f6f80753670) at ldap/servers/slapd/connection.c:167
#11 0x0000000000415371 in connection_table_move_connection_out_of_active_list (ct=0x1ca7bc0, c=0x7f6f80753670) at ldap/servers/slapd/conntable.c:322
#12 0x0000000000417d66 in setup_pr_read_pds (ports=0x7fff04c632e0) at ldap/servers/slapd/daemon.c:1702
#13 slapd_daemon (ports=0x7fff04c632e0) at ldap/servers/slapd/daemon.c:1137
#14 0x000000000041f0df in main (argc=7, argv=0x7fff04c63678) at ldap/servers/slapd/main.c:
Did a kill -9 of the server (a normal kill had no effect). The server is now back up and running.
/mrg
9 years, 5 months
Modification hooks
by Mailing Lists
Hi,
I am discovering the world of LDAP and discovered 389 Directory Server
as an interesting alternative. However, I am looking for something
pretty specific and can't directly find it in the documentation:
Is there any possibility to have hooks in 389DS which allow a
customizable action to be performed when records are added, modified
and/or deleted?
An example of this would be to inform some third party that a
modification of the directory service has occurred, so that this party
can take action on it (the third party could, of course, belong to the
same organization as well).
The only thing I found so far has been replication session hooks
(http://directory.fedoraproject.org/wiki/Replication_Session_Hooks) but
they are obviously meant for replication problems.
Thanks in advance!
9 years, 5 months
EL5 - new testing build - 389-ds-base-1.2.11.24
by Rich Megginson
There are still some of you in the 389 community that are running on
EL5, and we haven't had an update for quite some time.
The 389 team has backported some fixes that allow the 1.2.11 branch to
build on EL5.
There is a new build in epel-testing for EL5 - 389-ds-base-1.2.11.24-1.el5
If you use EL5, please try out the new package and give us your feedback.
9 years, 5 months
Unable to get ldapsearch working with 389 on Fedora 19
by Stephen Watt
Hi Folks
I have 389 installed on F19 on a server with the hostname ldap-srv, but I am unable to successfully query it using ldapsearch from another F19 server with the hostname ldap-client. I am an LDAP noob, so it's possible that this scenario isn't even meant to work. Essentially, I've set up a 389 server and I'm trying to use ldapsearch as a quick sniff test to make sure it's working properly before I embark on figuring out how to configure some other F19 servers to use the 389 LDAP service for authentication.
I think ldap-srv is running correctly using the default configuration as I'm able to bring up the 389-console and create a few users and groups. I am also able to successfully run the following local ldapsearch query on ldap-srv:
ldapsearch -x -s base -b "" "objectclass=*" which prints out a long list of results but ends in:
vendorName: 389 Project
vendorVersion: 389-Directory/1.3.1.7 B2013.240.2228
dataversion: 020130920220244
netscapemdsuffix: cn=ldap://dc=localhost,dc=localdomain:389
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However, when I try and run a similar query from my ldap-client server, I get the following:
[root@ldap-client ~]# ldapsearch -x -h ldap-srv -s base -b "" "objectclass=*"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
iptables are off on both machines.
Regards
Steve Watt
9 years, 5 months
Problems with setting PasswordExpirationTime
by Parasit Hendersson
Hi,
We have a simple 2-step tool that resets the password and, in the second
step, sets an expiration date of "19700101000000Z".
The problem is that sometimes (I do not know what it depends on!) the expiry
date is not overwritten at all. I'm trying to find in the logs why this
happens, but in general I do not see that operation. How should I set
the log level to trace such an operation?
16384 is not enough, 1024 does not generate any extra information about this
problem, and I'm still afraid to set 4 on a production system.
P.S. Maybe someone has encountered a similar problem?
Best Regards
Parasit Hendersson
9 years, 5 months
Announcing 389 Directory Server version 1.2.11.23
by Rich Megginson
389 Directory Server 1.2.11.23
The 389 Directory Server team is proud to announce 389-ds-base version
1.2.11.23 for EL6.
EL6-only packages are available in the Testing repository. They will move
to the Stable repositories once they have received some testing from the
community. We encourage you to test and provide feedback in order to
speed up the push to the Stable repositories.
The new packages and versions are:
* 389-ds-base-1.2.11.23-3
A source tarball is available for download at
http://port389.org/sources/389-ds-base-1.2.11.23.tar.bz2
Highlights in 1.2.11.23
* several logconv improvements
* Fine Grained ID List Size - ability to set idlistscanlimit based on
index, index type, flags, and values
* Many, many bug fixes
Installation and Upgrade
See Download <http://port389.org/wiki/Download> for information about
setting up your yum repositories.
To install, use yum install 389-ds. After the install
completes, run setup-ds-admin.pl to set up your directory server.
To upgrade, use yum upgrade. After the upgrade completes, run
setup-ds-admin.pl -u to update your directory server/admin
server/console information.
See Install_Guide <http://port389.org/wiki/Install_Guide> for more
information about the initial installation, setup, and upgrade
See Source <http://port389.org/wiki/Source> for information about source
tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://admin.fedoraproject.org/mailman/listinfo/389-users
If you find a bug, or would like to see a new feature, file it in our
Trac instance: https://fedorahosted.org/389
Detailed Changelog since 1.2.11.22
Mark Reynolds (11):
* Ticket #356 <https://fedorahosted.org/389/ticket/356> - RFE - Track
bind info
* Ticket 539 <https://fedorahosted.org/389/ticket/539> - logconv.pl
should handle microsecond timing
* Ticket 471 <https://fedorahosted.org/389/ticket/471> - logconv.pl
tool removes the access logs contents if "-M" is not correctly used
* Ticket 419 <https://fedorahosted.org/389/ticket/419> - logconv.pl -
improve memory management
* Ticket 611 <https://fedorahosted.org/389/ticket/611> - logconv.pl
missing stats for StartTLS, LDAPI, and AUTOBIND
* Ticket 47447 <https://fedorahosted.org/389/ticket/47447> -
logconv.pl man page missing -m,-M,-B,-D
* Ticket 47461 <https://fedorahosted.org/389/ticket/47461> -
logconv.pl - Use of comma-less variable list is deprecated
* Ticket 47520 <https://fedorahosted.org/389/ticket/47520> - Fix
various issues with logconv.pl
* Ticket 47509 <https://fedorahosted.org/389/ticket/47509> -
CLEANALLRUV doesn't run across all replicas
Noriko Hosoi (5):
* Ticket #47492 <https://fedorahosted.org/389/ticket/47492> - PassSync
removes User must change password flag on the Windows side
* Ticket #47523 <https://fedorahosted.org/389/ticket/47523> - Set up
replication/agreement before initializing the sub suffix, the sub
suffix is not found by ldapsearch
* Ticket #47534 <https://fedorahosted.org/389/ticket/47534> - RUV
tombstone search with scope "one" doesn't work
* Coverity fixes <https://fedorahosted.org/389/ticket/47540> -
Coverity fixes 12023, 12024, and 12025
* Ticket #422 <https://fedorahosted.org/389/ticket/422> - 389-ds-base
- Can't call method "getText"
Rich Megginson (13):
* Bug 999634 <https://bugzilla.redhat.com/show_bug.cgi?id=999634> -
ns-slapd crash due to bogus DN
* Ticket #47516 <https://fedorahosted.org/389/ticket/47516>
replication stops with excessive clock skew
* Ticket #47504 <https://fedorahosted.org/389/ticket/47504>
idlistscanlimit per index/type/value
* Ticket #47336 <https://fedorahosted.org/389/ticket/47336> -
logconv.pl -m not working for all stats
* Ticket #47341 <https://fedorahosted.org/389/ticket/47341> -
logconv.pl -m time calculation is wrong
* Ticket #47348 <https://fedorahosted.org/389/ticket/47341> - add
etimes to per second/minute stats
* Ticket #47387 <https://fedorahosted.org/389/ticket/47387> - improve
logconv.pl performance with large access logs
* Ticket #47501 <https://fedorahosted.org/389/ticket/47501> logconv.pl
uses /var/tmp for BDB temp files
* Ticket 47533 <https://fedorahosted.org/389/ticket/47533> logconv:
some stats do not work across server restarts
Thierry bordaz (tbordaz) (2):
* Ticket 47489 <https://fedorahosted.org/389/ticket/47489> - Under
specific values of nsDS5ReplicaName, replication may get broken or
updates missing
* Ticket 47354 <https://fedorahosted.org/389/ticket/47354> - Indexed
search are logged with 'notes=U' in the access logs
Retrieved from "http://port389.org/wiki/Releases/1.2.11.23"
9 years, 5 months
389 and snmp
by Michael Gettes
I have the ldap-agent working. All I see is
snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2312
SNMPv2-SMI::enterprises.2312.6.5.1.1.389 = STRING: "389 Replica"
SNMPv2-SMI::enterprises.2312.6.5.1.2.389 = STRING: "389-Directory/1.2.11.15"
SNMPv2-SMI::enterprises.2312.6.5.1.3.389 = STRING: "Computing Services, Carnegie Mellon University"
SNMPv2-SMI::enterprises.2312.6.5.1.4.389 = STRING: "Pittsburgh, PA"
SNMPv2-SMI::enterprises.2312.6.5.1.5.389 = STRING: "YYY(a)lists.andrew.cmu.edu"
SNMPv2-SMI::enterprises.2312.6.5.1.6.389 = STRING: "XXX"
I get the impression I should be seeing a lot more. I followed instructions at:
http://port389.org/wiki/Howto:SNMPMonitoring
uname -a
Linux XXX 2.6.32-358.18.1.el6.x86_64 #1 SMP Fri Aug 2 17:04:38 EDT 2013 x86_64 x86_64 x86_64 GNU/Linux
Guidance appreciated. Thank you!
/mrg
9 years, 5 months