Error 53 setting up ChainOnUpdate
by A Iqbal
Greetings,
New to server 389 and am trying to set up chainonupdate so my consumers can
forward updates to master servers. Using the recipe at
http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate#Problems_Duri...
OS is CentOS 6.3
389 version in use is...
389-ds-1.2.2-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
No hubs involved, 4 masters and multiple consumers.
Last step requires adding attributes as follows,
replace: nsslapd-state
nsslapd-state: backend
-
add: nsslapd-backend
nsslapd-backend: chainbe1
-
add: nsslapd-distribution-plugin
# or .sl (HPUX) or .dll (NT)
nsslapd-distribution-plugin: /serverroot/lib/replication-plugin.so
-
add: nsslapd-distribution-funct
nsslapd-distribution-funct: repl_chain_on_update
Able to set first 2, specific error is 53 when setting
'nsslapd-distribution-funct' and 'nsslapd-distribution-plugin' which has
led me nowhere specific.
Somewhere in this, my consumer replica has wiped itself and refuses to be
restored, I am planning to rebuild the machine, adding as it might be of
relevance.
Would appreciate anyone sharing any pointers or logs I can look into to
proceed.
Kind Regards, A Iqbal.
9 years, 11 months
Fwd: passwordRetryCount not incrementing past 1
by Eric Gingras
Hi,
I have not received any input on this one, if you could kindly inform
if some information is missing I'd like to get this resolved.
Many thanks
Eric
-------- Original Message --------
Subject: passwordRetryCount not incrementing past 1
Date: 2013-04-10 09:17
From: Eric Gingras <eric(a)go2devnull.net>
To: <389-users(a)lists.fedoraproject.org>
Hi,
I have an issue with account lockout.
Setup:
2-node in MMR config
389-Directory/1.2.10.26 B2013.023.2027 (from fedorapeople repo)
RHEL 6.4 x86_64
What I did (as per docs), doing this as a subtree or local policy:
dn: cn=config
changetype: modify
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: on

dn: cn=cn\=nsPwPolicyEntry\,ou\=People\,dc\=<REMOVED>\,dc\=com,cn=nsPwPolicyContainer,ou=People,dc=<REMOVED>,dc=com
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7862400
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 3
-
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinDigits
passwordMinDigits: 1
-
replace: passwordMinSpecials
passwordMinSpecials: 1
-
replace: passwordMinLowers
passwordMinLowers: 1
-
replace: passwordMinUppers
passwordMinUppers: 1
-
replace: passwordMinLength
passwordMinLength: 8
-
replace: passwordStorageScheme
passwordStorageScheme: SSHA512
-
replace: passwordLockout
passwordLockout: on
-
add: passwordMaxFailure
passwordMaxFailure: 3
-
add: passwordUnlock
passwordUnlock: off
I also need to track loginTime (no time-based lockout), again as per
doc:
dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginarg0
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: alwaysrecordlogin
alwaysrecordlogin: yes
-
add: stateattrname
stateattrname: lastLoginTime
-
add: altstateattrname
altstateattrname: createTimestamp
-
add: specattrname
specattrname: acctPolicySubentry
-
add: limitattrname
limitattrname: accountInactivityLimit
Restarted:
service dirsrv restart both nodes
What I get (after purposely trying to bind with wrong pwd many times):
No lockout, passwordRetryCount stays at 1
dn: uid=<REMOVED>,ou=People,dc=<REMOVED>,dc=com
passwordRetryCount: 1
retryCountResetTime: 20130410130146Z
lastLoginTime: 20130409193943Z
passwordExpirationTime: 20130709182434Z
userPassword:: <REMOVED>
mail: <REMOVED>
sn: <REMOVED>
preferredLanguage: en
cn: <REMOVED>
uid: <REMOVED>
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
givenName: <REMOVED>
I'm freshly out of ideas, thanks for helping.
Eric
9 years, 11 months
Initialization with fds 1.2.0 and 389-ds 1.2.10 failure
by carne_de_passaro
Hello folks,
I have a test environment with a FDS version 1.2.0 on a Debian 5.0 x86 and
a 389-ds 1.2.10.12-1.el6.x86_64 on a CentOS 6.3 x86_64.
I have two suffixes on the FDS, a root suffix and a subsuffix. I've
configured two replication agreements, one for each suffix. When I try to
initialize the root suffix, which contains a few objects, it works just
fine, but when I try to initialize the subsuffix, which contains about
90.000 objects, it fails and gives me the error "Total update aborted.
System error. Error code -2" on the FDS console.
Looking at the 389-ds error log file I got this:
[09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=foo,dc=gov,dc=br is going offline; disabling replication
[09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - conn=0 op=0 repl="dc=foo,dc=gov,dc=br": Replica in use locking_purl=conn=2 id=3
[09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - replica_disable_replication: replica dc=foo,dc=gov,dc=br is acquired
[09/Apr/2013:11:01:45 -0300] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[09/Apr/2013:11:01:45 -0300] NSMMReplicationPlugin - conn=2 op=3 repl="dc=foo,dc=gov,dc=br": StartNSDS50ReplicationRequest: response=0 rc=0
[09/Apr/2013:11:02:06 -0300] - import foo: Processed 17727 entries -- average rate 886.4/sec, recent rate 886.3/sec, hit ratio 0%
[09/Apr/2013:11:02:29 -0300] - import foo: Processed 32924 entries -- average rate 765.7/sec, recent rate 765.7/sec, hit ratio 98%
[09/Apr/2013:11:02:43 -0300] - slapi_start_bulk_import: bulk import is not supported by this (default) backend
[09/Apr/2013:11:02:46 -0300] NSMMReplicationPlugin - Error -12: could not import entry dn (null) for total update operation conn=2 op=43381
[09/Apr/2013:11:02:46 -0300] - ERROR bulk import abandoned
[09/Apr/2013:11:02:46 -0300] - import foo: Aborting all Import threads...
[09/Apr/2013:11:02:51 -0300] - import foo: Import threads aborted.
[09/Apr/2013:11:02:53 -0300] - import foo: Closing files...
[09/Apr/2013:11:02:57 -0300] - libdb: foo/nsuniqueid.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/objectclass.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/cn.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/mailAlternateAddress.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/uniquemember.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/telephoneNumber.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/parentid.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/mail.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/sn.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/givenName.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/entryrdn.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:57 -0300] - libdb: foo/uid.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:58 -0300] - libdb: foo/id2entry.db4: unable to flush: No such file or directory
[09/Apr/2013:11:02:58 -0300] - import foo: Import failed.
[09/Apr/2013:11:02:58 -0300] NSMMReplicationPlugin - Aborting total update in progress for replicated area dc=foo,dc=gov,dc=br connid=2
[09/Apr/2013:11:02:58 -0300] - process_bulk_import_op: NULL target sdn
[09/Apr/2013:11:02:58 -0300] NSMMReplicationPlugin - conn=2 op=-1 repl="dc=foo,dc=gov,dc=br": Released replica
and at the end of the 389-ds access log I got this:
[09/Apr/2013:11:02:43 -0300] conn=2 op=43380 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[09/Apr/2013:11:02:43 -0300] conn=2 op=43380 RESULT err=0 tag=120 nentries=0 etime=0
[09/Apr/2013:11:02:43 -0300] conn=2 op=43381 EXT oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[09/Apr/2013:11:02:46 -0300] conn=2 op=-1 fd=65 closed - B4
What does that error B4 mean?
Thanks in advance,
Danilo
9 years, 11 months
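Added example (not part of the original post, and not 389 project code): a small Python triage script for access-log excerpts like the one above. It re-joins hard-wrapped records, then reports every connection that closed with a non-normal closure code together with the operations that never received a RESULT line. The function names, the choice of U1 as the only "normal" code, and the short code table (a subset of the connection codes in the Directory Server access-log reference) are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of documented connection closure codes; extend for your version.
CLOSE_CODES = {
    "B4": "server failed to flush response data back to the client",
    "T1": "idle timeout exceeded",
    "U1": "closed by server after client unbind",
}
# Only records carrying both conn= and op= are tracked; others are skipped.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
CLOSED = re.compile(r"closed - (?P<code>[A-Z]\d)\b")

# The access-log excerpt quoted in the post, hard-wrapped as on the page.
SAMPLE = """\
[09/Apr/2013:11:02:43 -0300] conn=2 op=43380 EXT
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[09/Apr/2013:11:02:43 -0300] conn=2 op=43380 RESULT err=0 tag=120
nentries=0 etime=0
[09/Apr/2013:11:02:43 -0300] conn=2 op=43381 EXT
oid="2.16.840.1.113730.3.5.6" name="Netscape Replication Total Update Entry"
[09/Apr/2013:11:02:46 -0300] conn=2 op=-1 fd=65 closed - B4
"""

def unwrap(text):
    """Re-join records split by mail wrapping: a new record starts with '['."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def abnormal_closes(text, normal=("U1",)):
    """One finding per abnormal close, with the operations left unanswered."""
    pending, findings = defaultdict(dict), []
    for m in filter(None, map(LINE.match, unwrap(text))):
        conn, op, rest = int(m["conn"]), int(m["op"]), m["rest"]
        closed = CLOSED.search(rest)
        if closed:
            unanswered = pending.pop(conn, {})
            if closed["code"] not in normal:
                findings.append({"conn": conn, "time": m["ts"], "code": closed["code"],
                                 "meaning": CLOSE_CODES.get(closed["code"], "see documentation"),
                                 "unanswered": unanswered})
        elif rest.startswith("RESULT"):
            pending[conn].pop(op, None)   # operation completed
        else:
            pending[conn][op] = rest      # operation started, no RESULT yet
    return findings

if __name__ == "__main__":
    for finding in abnormal_closes(SAMPLE):
        print(finding)
```

On the excerpt it flags conn=2 closing with B4 while op=43381, the second Total Update Entry extended operation, was still unanswered; that op number is the one named in the "Error -12" line of the error log.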
objectclass question
by Vesa Alho
Hi,
I have the following structure:
cn=Project1,ou=Projects,dc=domain,dc=com
cn=Project2,ou=Projects,dc=domain,dc=com
....
I need to add email address field to entries cn=*
I assume I can achieve this by adding objectclass "mailrecipient" and
then setting attribute "mail" with desired email address?
Question: Can I somehow define default objectclasses for ou= or do I
need to define objectclasses always "manually" when adding new cn= entries?
Thanks!
-Mr. Vesa Alho
9 years, 11 months
Not saving smart referral authentication details???
by Kevin Thorpe
Hi, I'm using smart referrals to pull in a list of users from a foreign LDAP
server.
It's not keeping the authentication details, so if I restart the dirsrv then
those org units no longer work. Bug? Or is it something I'm doing?
centos 5.7 dirsrv 8.2
--
Kevin Thorpe
Chief Technical Officer
PI Benchmark
9 years, 11 months
referential integrity with multi-master replication
by Casey Feskens
I'm bumping into an issue with referential integrity using
389-ds-base-1.2.11.15 on RHEL 6.4 and multi-master replication and seeking
clarification.
I have three servers configured for three-way multi-master replication:
ds1, ds2, ds3. The admin guide for directory server 8.2 seems to
recommend only enabling referential integrity on a single producer, so I
have enabled referential integrity on ds1. When I perform a modrdn on ds1,
referential integrity kicks in, and the change is replicated. When I perform
a modrdn on ds2 or 3, the modrdn works, but it never tickles referential
integrity on ds1.
Should I really be enabling referential integrity on all the masters, or is
there something else that I'm missing?
On a semi-related note, on ds1, where referential integrity is enabled and
occurring, I've noticed that nsslapd-pluginEnabled is set to 'off' in the
running directory server, even though referential integrity is working, and
it is set to 'on' in dse.ldif. Has anyone seen this behavior?
Thanks,
Casey
--
---------------------------------------------
Casey Feskens <cfeskens(a)willamette.edu>
Assistant Director of Systems Services
Willamette Integrated Technology Services
Willamette University, Salem, OR
---------------------------------------------
9 years, 11 months
New EL6 389-ds-base-1.2.11.21 test builds
by Rich Megginson
If you are using the EL6 builds from the epel-389-ds-base as described here
http://port389.org/wiki/Download
you will probably be interested in upgrading to 1.2.11 at some point. I
have made the latest 1.2.11.21 build available in the
epel-testing-389-ds-base repo. If there is enough positive feedback I
will make 1.2.11 the "stable" version and deprecate the 1.2.10 version
current in epel-389-ds-base.
9 years, 11 months
Integrating external LDAP servers.
by Kevin Thorpe
Now I've got further down the line. I set up a new ou and a smart referral
to the external ou and it's now appearing as I wish:
my domain
ou=people (website users)
ou=staff (us, obviously)
ou=Utilisateurs,their domain
This appears fine in the idm console and I can see all their users. Sadly I
now can't see them through my LDAP admin tool off the server, even logged
in as the admin user. Is this a permissions issue?
--
Kevin Thorpe
Chief Technical Officer
PI Benchmark
9 years, 11 months
General questions
by alexandre
Hi,
Does anyone know about Windows Password Synchronisation, and whether it will
soon be available for Windows 2012 server?
And the last one:
Is it easy to configure multi replication with multiple Active Directory
domains?
Thanks,
Alex
PS: I'm new to this list, and I want to thank everyone for the reactivity,
I'm impressed.
9 years, 11 months