389-users April 2013

389-users@lists.fedoraproject.org

38 participants
41 discussions

Error 53 setting up ChainOnUpdate
by A Iqbal 12 Apr '13

12 Apr '13

Greetings, New to server 389 and am trying to set up chainonupdate so my consumers can forward updates to master servers. Using the recipe at http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate#Problems_During… OS is CentOS 6.3 389 version in use is... 389-ds-1.2.2-1.el6.noarch 389-ds-base-1.2.10.2-20.el6_3.x86_64 No hubs involved, 4 masters and multiple consumers. Last step requires adding attributes as following, replace: nsslapd-state nsslapd-state: backend add: nsslapd-backend nsslapd-backend: chainbe1 add: nsslapd-distribution-plugin nsslapd-distribution-plugin: /serverroot/lib/replication-plugin.so # or .sl (HPUX) or .dll (NT) add: nsslapd-distribution-funct nsslapd-distribution-funct: repl_chain_on_update able to set first 2 , specific error is 53 when setting 'nsslapd-distribution-funct' and 'nsslapd-distribution-plugin' which has led me nowhere specific Somewhere in this, my consumer replica has wiped itself and refuses to be restored, I am planning to rebuild the machine, adding as it might be of relevance. Would appreciate anyone sharing any pointers or logs I can look into to proceed. Kind Regards, A Iqbal.

4 3

Fwd: passwordRetryCount not incrementing past 1
by Eric Gingras 12 Apr '13

12 Apr '13

Hi, I have not received any input on this one, if you could kindly inform if some information is missing I'd like to get this resolved. Many thanks Eric -------- Original Message -------- Subject: passwordRetryCount not incrementing past 1 Date: 2013-04-10 09:17 From: Eric Gingras <eric(a)go2devnull.net> To: <389-users(a)lists.fedoraproject.org> Hi, I have an issue with account lockout. Setup: 2-node in MMR config 389-Directory/1.2.10.26 B2013.023.2027 (from fedorapeople repo) RHEL 6.4 x86_64 What I did (as per docs), doing this as a subtree or local policy: dn: cn=config changetype: modify replace: passwordIsGlobalPolicy passwordIsGlobalPolicy: on dn: cn=cn\=nsPwPolicyEntry\,ou\=People\,dc\=<REMOVED>\,dc\=com,cn=nsPwPolicyContainer,ou=People,dc=<REMOVED>,dc=com changetype: modify replace: passwordExp passwordExp: on - replace: passwordMaxAge passwordMaxAge: 7862400 - replace: passwordHistory passwordHistory: on - replace: passwordInHistory passwordInHistory: 3 - replace: passwordCheckSyntax passwordCheckSyntax: on - replace: passwordMinDigits passwordMinDigits: 1 - replace: passwordMinSpecials passwordMinSpecials: 1 - replace: passwordMinLowers passwordMinLowers: 1 - replace: passwordMinUppers passwordMinUppers: 1 - replace: passwordMinLength passwordMinLength: 8 - replace: passwordStorageScheme passwordStorageScheme: SSHA512 - replace: passwordLockout passwordLockout: on - add: passwordMaxFailure passwordMaxFailure: 3 - add: passwordUnlock passwordUnlock: off I also need to track loginTime (no time-based lockout), again as per doc: dn: cn=Account Policy Plugin,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on dn: cn=Account Policy Plugin,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginarg0 nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config changetype: modify replace: alwaysrecordlogin alwaysrecordlogin: yes - add: stateattrname stateattrname: lastLoginTime - add: altstateattrname altstateattrname: createTimestamp - add: specattrname specattrname: acctPolicySubentry - add: limitattrname limitattrname: accountInactivityLimit Restarted: service dirsrv restart both nodes What I get (after purposely trying to bind with wrong pwd many times): No lockout, passwordRetryCount stays at 1 dn: uid=<REMOVED>,ou=People,dc=<REMOVED>,dc=com passwordRetryCount: 1 retryCountResetTime: 20130410130146Z lastLoginTime: 20130409193943Z passwordExpirationTime: 20130709182434Z userPassword:: <REMOVED> mail: <REMOVED> sn: <REMOVED> preferredLanguage: en cn: <REMOVED> uid: <REMOVED> objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top givenName: <REMOVED> I'm freshly out of ideas, thanks for helping. Eric

2 2

Initialization with fds 1.2.0 and 389-ds 1.2.10 failure
by carne_de_passaro 12 Apr '13

12 Apr '13

Hello folks, I have a test environment with a FDS version 1.2.0 on a Debian 5.0 x86 and a 389-ds 1.2.10.12-1.el6.x86_64 on a CentOS 6.3 x86_64. I have two suffix on the FDS, a root suffix and a subsuffix. I've configured two replication agreements, one for suffix. When I'm try to initialize the root suffix, which contains a few objects, it's works just fine, but when I try to initialize the subsuffix, which contains about 90.000 objects, it's fails and give me the error "Total update aborted. System error. Error code -2" on the FDS console. Looking at the 389-ds error log file I gave this: [09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=foo,dc=gov,dc=br is going offline; disabling replication [09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - conn=0 op=0 repl="dc=foo,dc=gov,dc=br": Replica in use locking_purl=conn=2 id=3 [09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - replica_disable_replication: replica dc=foo,dc=gov,dc=br is acquired [09/Apr/2013:11:01:45 -0300] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database [09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - conn=2 op=3 repl="dc=foo,dc=gov,dc=br": StartNSDS50ReplicationRequest: response=0 rc=0 [09/Apr/2013:11:02:06 -0300] - import foo: Processed 17727 entries -- average rate 886.4/sec, recent rate 886.3/sec, hit ratio 0% [09/Apr/2013:11:02:29 -0300] - import foo: Processed 32924 entries -- average rate 765.7/sec, recent rate 765.7/sec, hit ratio 98% [09/Apr/2013:11:02:43 -0300] - slapi_start_bulk_import: bulk import is not supported by this (default) backend [09/Apr/2013:11:02:46 -0300] NSMMReplicationPlugin - Error -12: could not import entry dn (null) for total update operation conn=2 op=43381 [09/Apr/2013:11:02:46 -0300] - ERROR bulk import abandoned [09/Apr/2013:11:02:46 -0300] - import foo: Aborting all Import threads... [09/Apr/2013:11:02:51 -0300] - import foo: Import threads aborted. [09/Apr/2013:11:02:53 -0300] - import foo: Closing files... [09/Apr/2013:11:02:57 -0300] - libdb: foo/nsuniqueid.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/objectclass.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/cn.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/mailAlternateAddress.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/uniquemember.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/telephoneNumber.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/parentid.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/mail.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/sn.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/givenName.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/entryrdn.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:57 -0300] - libdb: foo/uid.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:58 -0300] - libdb: foo/id2entry.db4: unable to flush: No such file or directory [09/Apr/2013:11:02:58 -0300] - import foo: Import failed. [09/Apr/2013:11:02:58 -0300] NSMMReplicationPlugin - Aborting total update in progress for replicated area dc=foo,dc=gov,dc=br connid=2 [09/Apr/2013:11:02:58 -0300] - process_bulk_import_op: NULL target sdn [09/Apr/2013:11:02:58 -0300] NSMMReplicationPlugin - conn=2 op=-1 repl="dc=foo,dc=gov,dc=br": Released replica and at the end of the 389-ds access log I gave this: [09/Apr/2013:11:02:43 -0300] conn=2 op=43380 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [09/Apr/2013:11:02:43 -0300] conn=2 op=43380 RESULT err=0 tag=120 nentries=0 etime=0 [09/Apr/2013:11:02:43 -0300] conn=2 op=43381 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry" [09/Apr/2013:11:02:46 -0300] conn=2 op=-1 fd=65 closed - B4 What does means that error B4 ? Thanks in advance, Danilo

2 10

objectclass question
by Vesa Alho 12 Apr '13

12 Apr '13

Hi, I have the following structure: cn=Project1,ou=Projects,dc=domain,dc=com cn=Project2,ou=Projects,dc=domain,dc=com .... I need to add email address field to entries cn=* I assume I can achieve this by adding objectclass "mailrecipient" and then setting attribute "mail" with desired email address? Question: Can I somehow define default objectclasses for ou= or do I need to define objectclasses always "manually" when adding new cn= entries? Thanks! -Mr. Vesa Alho

2 3

Not saving smart referral authentication details???
by Kevin Thorpe 11 Apr '13

11 Apr '13

Hi I'm using smart referrals to pull in a list of users from a foreign LDAP server. It's not keeping the authentication details so if I restart the dirsrv then those org units no longer work. bug? or is it something I'm doing? centos 5.7 dirsrv 8.2 -- Kevin Thorpe Chief Technical Officer PI Benchmark

2 3

referential integrity with multi-master replication
by Casey Feskens 10 Apr '13

10 Apr '13

I'm bumping into an issue with referential integrity using 389-ds-base-1.2.11.15 on RHEL 6.4 and multi-master replication and seeking clarification. I have three servers configured for three-way multi-master replication: ds1, ds2, ds3. The admin guide for directory server 8.2 seems to recommend only enabling referential integrity on a single producer, so I have enabled referential integrity on ds1. When I perform a modrdn on ds1, referential integrity kicks in, and the change is replicated. When perform a modrdn on ds2 or 3, the modrdn works, but it never tickles referential integrity on ds1. Should I really be enabling referential integrity on all the masters, or is there something else that I'm missing? On a semi-related note, on ds1, where referential integrity is enabled and occurring, I've noticed that nsslapd-pluginEnabled is set to 'off' in the running directory server, even though referential integrity is working, and it is set to 'on' in dse.ldif. Has anyone seen this behavior? Thanks, Casey -- --------------------------------------------- Casey Feskens <cfeskens(a)willamette.edu> Assistant Director of Systems Services Willamette Integrated Technology Services Willamette University, Salem, OR ---------------------------------------------

1 0

New EL6 389-ds-base-1.2.11.21 test builds
by Rich Megginson 10 Apr '13

10 Apr '13

If you are using the EL6 builds from the epel-389-ds-base as described here http://port389.org/wiki/Download you will probably be interested in upgrading to 1.2.11 at some point. I have made the latest 1.2.11.21 build available in the epel-testing-389-ds-base repo. If there is enough positive feedback I will make 1.2.11 the "stable" version and deprecate the 1.2.10 version current in epel-389-ds-base.

1 0

Integrating external LDAP servers.
by Kevin Thorpe 10 Apr '13

10 Apr '13

Now I've got further down the line. I set up a new ou and a smart referral to the external ou and it's now appearing as I wish: my domain ou=people (website users) ou=staff (us, obviously) ou=Utilisateurs,their domain This appears fine in the idm console and I can see all their users. Sadly I now can't see them through my LDAP admin tool off the server, even logged in as the admin user. Is this a permissions issue? -- Kevin Thorpe Chief Technical Officer PI Benchmark

1 0

Managed to chain via a database link once but not again
by Kevin Thorpe 10 Apr '13

10 Apr '13

I followed these instructions and managed to chain to a client's external LDAP domain once. Deleted it while fiddling about and now I'm getting 'Critical extension unavailable'. WHICH extension? Nothing in the logs either so I have no clue as to where to look. http://directory.fedoraproject.org/wiki/Howto:ChainToAD -- Kevin Thorpe Chief Technical Officer PI Benchmark

2 1

General questions
by alexandre 10 Apr '13

10 Apr '13

Hi, anyone knows about Windows Password Synchronisation, if it's soon available for Windows 2012 server ? And the last one: it's easy to configure multi replication with multiple Active Directory domains ? Thanks, Alex PS: I'm new in this list, and I want to thanks everyone for the reactivity, I'm impressed.

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users April 2013