Syntax violations while reinitializing database
by shardulsk
Hi Folks,
We are trying to move our database from the much older 1.1.2 version to
1.2.11 on a Centos 6 platform. When trying to initialize the 1.2.11
database with a ldif file exported from the older database I am getting
tons of syntax violations. The schema (99user.ldif + dse.ldif extensions)
is the same. Does the newer version have stricter rules?
import userRoot: WARNING: skipping entry "cn=23609-17622,ou=other,ou=23609,ou=enterprises,o=x.com" which violates attribute syntax, ending line 7196556 of file "/tmp/qa-db-mod.ldif"
thanks,
SK.
8 years, 10 months
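The importer warning above names only the line where the skipped entry ends, which in a multi-million-line LDIF is hard to act on by hand. The script below is an added example (not code from the post, and not part of 389-ds): it splits an LDIF file into entries with their line spans, returns the entry whose span covers the reported line, and checks a few attributes against simple syntax rules. The sample LDIF and the attribute-to-syntax map are constructed for the example; a real check would take the syntaxes from the server's schema files (99user.ldif and the core schema) instead of the hard-coded map. The blank separator line is counted as part of the entry's span, so either convention for "ending line" finds it.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample LDIF (not from the original post): the second entry carries two
# values that a schema-aware importer would reject.
SAMPLE_LDIF = """dn: ou=other,ou=23609,ou=enterprises,o=x.com
objectClass: top
objectClass: organizationalUnit
ou: other

dn: cn=23609-17622,ou=other,ou=23609,ou=enterprises,o=x.com
objectClass: top
objectClass: device
cn: 23609-17622
description:: VGVzdCBkZXZpY2U=
uidNumber: 12a
createTimestamp: 2014-11-05

dn: cn=next,ou=other,ou=23609,ou=enterprises,o=x.com
objectClass: top
objectClass: device
cn: next
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")

# Minimal validators for a few LDAP syntaxes (simplified; GeneralizedTime here means
# the 14-digit "YYYYMMDDHHMMSSZ" form that 389-ds itself writes).
SYNTAX_RULES = {
    "integer": re.compile(r"^-?\d+$"),
    "boolean": re.compile(r"^(TRUE|FALSE)$"),
    "generalizedtime": re.compile(r"^\d{14}(\.\d+)?Z$"),
}

# Constructed attribute-to-syntax map; derive it from the server's schema in practice.
ATTR_SYNTAX = {
    "uidnumber": "integer",
    "gidnumber": "integer",
    "createtimestamp": "generalizedtime",
    "modifytimestamp": "generalizedtime",
}


def split_entries(ldif_text: str) -> List[Tuple[int, int, List[str]]]:
    """Split LDIF into (first_line, last_line, unfolded_lines) per entry.

    Line numbers are 1-based; last_line includes the blank separator line.
    """
    entries, current, start = [], [], None
    lineno = 0
    for lineno, raw in enumerate(ldif_text.split("\n"), start=1):
        line = raw.rstrip("\r")
        if line == "":
            if current:
                entries.append((start, lineno, current))
                current, start = [], None
            continue
        if line.startswith("#") or (not current and line.lower().startswith("version:")):
            continue
        if line.startswith(" ") and current:      # folded continuation line
            current[-1] += line[1:]
            continue
        if start is None:
            start = lineno
        current.append(line)
    if current:
        entries.append((start, lineno, current))
    return entries


def parse_entry(lines: List[str]) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Turn unfolded LDIF lines into (dn, {attr_lowercase: [values]}), decoding base64 values."""
    dn, attrs = None, {}
    for line in lines:
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs


def entry_at_line(ldif_text: str, lineno: int):
    """Return (dn, attrs) of the entry whose span covers the reported line, or None."""
    for start, end, lines in split_entries(ldif_text):
        if start <= lineno <= end:
            return parse_entry(lines)
    return None


def check_syntax(attrs: Dict[str, List[str]], attr_syntax=ATTR_SYNTAX) -> List[Tuple[str, str, str]]:
    """Return (attribute, value, expected_syntax) for every value that fails its rule."""
    problems = []
    for name, values in attrs.items():
        syntax = attr_syntax.get(name)
        if syntax is None:
            continue
        for value in values:
            if not SYNTAX_RULES[syntax].match(value):
                problems.append((name, value, syntax))
    return problems


if __name__ == "__main__":
    # An importer would report "ending line 13" for the sample's middle entry.
    found = entry_at_line(SAMPLE_LDIF, 13)
    if found:
        dn, attrs = found
        print("entry:", dn)
        for name, value, syntax in check_syntax(attrs):
            print(f"  {name}: {value!r} is not a valid {syntax}")
```

Point it at the real file with the line number from the warning and it prints the offending entry's DN and the values that fail; the rules cover only INTEGER, BOOLEAN and GeneralizedTime, which are the syntaxes a stricter importer most often rejects, and the map is where the actual schema's attribute types would be plugged in.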
replicate_now script help
by ghiureai
Hi List,
I'm new to 389-ds admin. I have configured a multimaster replication system
and read the RHES-DS documentation, where I found the replicate_now script, which
is supposed to trigger master replication updates in < 10 min. The script fails:
there is no option for -1 in ldapsearch, etc.
I wonder if any of you have an update script. I'm running 389-ds on
CentOS 6.5.
Thank you
Isabella
8 years, 10 months
add user aci problem
by Alberto Viana
389-Directory/1.3.2.17 B2014.182.124
I'm trying to add a user (without using the manager, with a regular user):
Without any aci:
ldap_add: Insufficient access (50)
additional info: Insufficient 'add' privilege to the 'userPassword' attribute
My aci:
dn: ou=test,dc=my,dc=domain
changetype: modify
add: aci
aci: (targetattr = "*") (target = "ldap:///test,dc=my,dc=domain") (version 3.0;acl "POP-AL write permission";allow (all) (userdn = "ldap:///uid=my_user,ou=app,dc=my,dc=domain");)
Also tried without "target" with same result.
ldap_add: Constraint violation (19)
additional info: invalid password syntax - passwords with storage scheme are not allowed
I have an older server 389-Directory/1.3.2.17 B2014.182.124, and this works
fine.
What am I missing in the newer version? Or is that a bug?
Thanks
Alberto Viana
8 years, 10 months
Lots of abandoned connections from sssd
by Orion Poplawski
Just recently we're seeing some very strange behavior on our system.
Periodically we will see a sssd process start to have an ever greater
number of connections to our ldap server until the server runs out of
file descriptors. This seems to be happening with a particular user,
who is having trouble logging in at times, particularly with email
(dovecot). We see entries like the following on our server:
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[05/Nov/2014:17:14:51 -0700] conn=1786153 SSL 128-bit AES
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=1 BIND dn="uid=user,ou=People,dc=domain,dc=com" method=128 version=3
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=2 ABANDON targetop=NOTFOUND msgid=2
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 UNBIND
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 fd=1022 closed - U1
I don't yet have debug info from the sssd process. Any ideas from the
above?
Restarting the sssd process seems to clear things up for a while.
- Orion
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion(a)cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
8 years, 10 months
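To see whether one bind DN is behind the connection build-up, the following Python script is an added example (not from the post, and not part of sssd or 389-ds): it folds access-log lines into one record per connection, flags connections that sent ABANDON with targetop=NOTFOUND (the operation the client tried to abandon was no longer pending on the server), and counts connections that never reached a `closed` line per bind DN. The sample log is constructed: the first connection is the one quoted above with its wrapped lines rejoined, the other two are made up to show one connection left open and one that ends normally.

```python
import re
from typing import Dict, List

# Constructed sample: conn=1786153 is the sequence quoted in the post (lines rejoined);
# conn=1786160 (never closed) and conn=1786161 (closed normally) are made up.
SAMPLE_ACCESS_LOG = """\
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[05/Nov/2014:17:14:51 -0700] conn=1786153 SSL 128-bit AES
[05/Nov/2014:17:14:51 -0700] conn=1786153 op=1 BIND dn="uid=user,ou=People,dc=domain,dc=com" method=128 version=3
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=2 ABANDON targetop=NOTFOUND msgid=2
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 UNBIND
[05/Nov/2014:17:14:56 -0700] conn=1786153 op=3 fd=1022 closed - U1
[05/Nov/2014:17:15:03 -0700] conn=1786160 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[05/Nov/2014:17:15:03 -0700] conn=1786160 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[05/Nov/2014:17:15:03 -0700] conn=1786160 SSL 128-bit AES
[05/Nov/2014:17:15:03 -0700] conn=1786160 op=1 BIND dn="uid=user,ou=People,dc=domain,dc=com" method=128 version=3
[05/Nov/2014:17:15:03 -0700] conn=1786160 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,ou=people,dc=domain,dc=com"
[05/Nov/2014:17:15:10 -0700] conn=1786161 op=0 BIND dn="uid=other,ou=People,dc=domain,dc=com" method=128 version=3
[05/Nov/2014:17:15:10 -0700] conn=1786161 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=other,ou=people,dc=domain,dc=com"
[05/Nov/2014:17:15:11 -0700] conn=1786161 op=1 UNBIND
[05/Nov/2014:17:15:11 -0700] conn=1786161 op=1 fd=1023 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
BIND_DN_RE = re.compile(r'dn="([^"]*)"')


def parse_access_log(text: str) -> Dict[int, dict]:
    """Fold access-log lines into one record per connection id."""
    conns: Dict[int, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = conns.setdefault(int(m["conn"]), {
            "bind_dn": None, "ops": 0, "abandon_notfound": 0,
            "closed": False, "first_seen": m["ts"], "last_seen": m["ts"],
        })
        rec["last_seen"] = m["ts"]
        if m["op"] is not None:
            rec["ops"] = max(rec["ops"], int(m["op"]) + 1)
        rest = m["rest"]
        if rest.startswith("BIND "):
            dm = BIND_DN_RE.search(rest)
            rec["bind_dn"] = dm.group(1) if dm else ""
        elif rest.startswith("ABANDON") and "targetop=NOTFOUND" in rest:
            # the client abandoned an operation the server no longer had in flight
            rec["abandon_notfound"] += 1
        elif " closed" in rest:
            rec["closed"] = True
    return conns


def summarize(conns: Dict[int, dict]) -> dict:
    """Connections with NOTFOUND abandons, and still-open connections per bind DN."""
    open_by_dn: Dict[str, int] = {}
    abandoned: List[int] = []
    for cid, rec in sorted(conns.items()):
        if rec["abandon_notfound"]:
            abandoned.append(cid)
        if not rec["closed"]:
            key = rec["bind_dn"] or "<anonymous>"
            open_by_dn[key] = open_by_dn.get(key, 0) + 1
    return {"abandon_notfound": abandoned, "open_by_dn": open_by_dn}


def over_limit(summary: dict, limit: int) -> List[str]:
    """Bind DNs holding more than `limit` unclosed connections in the log window."""
    return sorted(dn for dn, n in summary["open_by_dn"].items() if n > limit)


if __name__ == "__main__":
    s = summarize(parse_access_log(SAMPLE_ACCESS_LOG))
    print("connections with ABANDON targetop=NOTFOUND:", s["abandon_notfound"])
    print("open connections per bind DN:", s["open_by_dn"])
    print("over limit (>0):", over_limit(s, 0))
```

Run over the real access log for the period of the build-up, the `open_by_dn` count is the figure to set against the server's file-descriptor limit, and `over_limit` with a threshold of your choice gives the DNs to look at first; a single DN accumulating unclosed connections would match the "particular user" pattern described above.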
389ds v.1.3.2.24 replication deadlocks/retry count exceeded
by Ivanov Andrey (M.)
Hi,
I've continued testing 389ds v.1.3.2.24 on CentOS 7. I really have the impression that everything works fine (plugins etc.), but replication seems to be a little fragile. Both of the tickets I've already opened concern replication partially or completely (https://fedorahosted.org/389/ticket/47942 and https://fedorahosted.org/389/ticket/47950).
Here is another issue with replication:
I have two servers with multi-master agreements on each of them (the same configuration as in ticket https://fedorahosted.org/389/ticket/47942).
We add/delete a lot of groups (943, to be exact). Each group may contain a large number of referenced entries, up to ~250 (uniqueMember: dn). The MemberOf plugin is activated and works fine. The Referential Integrity plugin is also activated, but of course it only matters when deleting groups (or renaming them). This goes on for a long time (20-30 minutes or more). Some time after the beginning of the operations (typically 5-8 minutes) we get replication errors and inconsistency of the replica concerning the entries mentioned in the error log.
When adding and deleting groups the supplier is OK. However, the consumer has several (from one to four or five) group deletions/adds that are not replicated. The error on the supplier:
[12/Nov/2014:16:46:42 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid fa90219d-6a8211e4-a42c901a-94623bee, CSN 546380d6000000020000): Operations error (1). Will retry later.
[12/Nov/2014:16:47:55 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid 1e5367ae-6a8311e4-a42c901a-94623bee, CSN 54638125000000020000): Operations error (1). Will retry later.
[12/Nov/2014:16:53:14 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid f4e70b85-6a8311e4-a42c901a-94623bee, CSN 54638260000000020000): Operations error (1). Will retry later.
[12/Nov/2014:16:55:12 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid 3c6d978a-6a8411e4-a42c901a-94623bee, CSN 546382d6000400020000): Operations error (1). Will retry later.
[12/Nov/2014:16:56:31 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid 6030dd93-6a8411e4-a42c901a-94623bee, CSN 54638325000000020000): Operations error (1). Will retry later.
[12/Nov/2014:16:57:22 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid 83f42395-6a8411e4-a42c901a-94623bee, CSN 5463835d000000020000): Operations error (1). Will retry later.
The corresponding errors on the consumer seem to hint at deadlocks in these cases:
[12/Nov/2014:16:46:41 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=546380d6000000020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:46:41 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (546380d6000000020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:46:41 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=LAN452ESP-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: fa90219d-6a8211e4-a42c901a-94623bee, optype: 16) to changelog csn 546380d6000000020000
[12/Nov/2014:16:47:54 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=54638125000000020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:47:54 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (54638125000000020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:47:54 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=LAN472EFLE-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: 1e5367ae-6a8311e4-a42c901a-94623bee, optype: 16) to changelog csn 54638125000000020000
[12/Nov/2014:16:53:13 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=54638260000000020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:53:13 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (54638260000000020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:53:13 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=MAT471-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: f4e70b85-6a8311e4-a42c901a-94623bee, optype: 16) to changelog csn 54638260000000020000
[12/Nov/2014:16:55:11 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=546382d6000400020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:55:11 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (546382d6000400020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:55:11 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=MEC592-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: 3c6d978a-6a8411e4-a42c901a-94623bee, optype: 16) to changelog csn 546382d6000400020000
[12/Nov/2014:16:56:29 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=54638325000000020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:56:29 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (54638325000000020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:56:29 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=PHY566-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: 6030dd93-6a8411e4-a42c901a-94623bee, optype: 16) to changelog csn 54638325000000020000
[12/Nov/2014:16:57:20 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=5463835d000000020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:57:20 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (5463835d000000020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:57:20 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=PHY651K-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: 83f42395-6a8411e4-a42c901a-94623bee, optype: 16) to changelog csn 5463835d000000020000
Each time the failed group entries are different.
The replication agreements look like this:
0 cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr,cn=replica,cn=dc\\3Did\\2Cdc\\3Dpolytechnique\\2Cdc\\3Dedu,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr
description: Replication agreement from server ldap-edev.polytechnique.fr to server ldap-model.polytechnique.fr
nsDS5ReplicaHost: ldap-model.polytechnique.fr
nsDS5ReplicaRoot: dc=id,dc=polytechnique,dc=edu
nsDS5ReplicaPort: 636
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaBindDN: cn=RepliX,cn=config
nsDS5ReplicaBindMethod: simple
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE entryusn memberOf
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
nsds5ReplicaStripAttrs: modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp internalCreatorsname
nsds5replicaBusyWaitTime: 3
nsds5replicaTimeout: 30
nsDS5ReplicaCredentials: {DES}...
nsds5ReplicaEnabled: on
nsds50ruv: {replicageneration} 54636df3000000020000
nsds50ruv: {replica 1 ldap://ldap-model.polytechnique.fr:389} 54637b3c000000010000 54637dce000000010000
nsds50ruv: {replica 2 ldap://ldap-edev.polytechnique.fr:389} 54636ffe000000020000 54637d2d000000020000
nsruvReplicaLastModified: {replica 1 ldap://ldap-model.polytechnique.fr:389} 00000000
nsruvReplicaLastModified: {replica 2 ldap://ldap-edev.polytechnique.fr:389} 00000000
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20141112173922Z
nsds5replicaLastUpdateEnd: 20141112173922Z
nsds5replicaChangesSentSinceStartup: 2:1899/21484
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
The DNA plug-in is disabled (excluding https://fedorahosted.org/389/ticket/47410)
I've made a ticket concerning this problem (https://fedorahosted.org/389/ticket/47410)
Another problem when doing these tests, with replication agreements suspended is the following message in the error log:
[12/Nov/2014:16:15:35 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:38 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:40 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:43 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:45 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:47 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:50 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:52 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:55 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:57 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:15:59 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:02 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:04 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:06 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:09 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:11 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:14 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:17 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:19 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:22 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:16:24 +0100] - Retry count exceeded in modify
...
(it goes on for approx 5 minutes)
[12/Nov/2014:16:20:31 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:20:33 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:20:36 +0100] - Retry count exceeded in modify
[12/Nov/2014:16:20:42 +0100] - Retry count exceeded in modify
During these error messages the server does not consume CPU, but it does not allow any changes to proceed. Do I need to open another ticket for this second problem?
Thank you!
Regards,
Andrey
8 years, 10 months
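Matching the supplier's "failed to replay" lines to the consumer's changelog errors by hand gets tedious with more than a few of them. The following Python script is an added example (not from the post, and not part of 389-ds): it joins both logs on CSN, decodes the CSN into its Unix timestamp, sequence number and replica id, and names the operation type. The two embedded log excerpts are the first two groups from the post above; the optype names follow the SLAPI_OPERATION_* bit values in 389's slapi-plugin.h, where 0x10 is ADD.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Two supplier lines and the matching consumer lines, taken from the post above
# (the post shows six such groups; two are enough to show the join).
SUPPLIER_LOG = """\
[12/Nov/2014:16:46:42 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid fa90219d-6a8211e4-a42c901a-94623bee, CSN 546380d6000000020000): Operations error (1). Will retry later.
[12/Nov/2014:16:47:55 +0100] NSMMReplicationPlugin - agmt="cn=Replication from ldap-edev.polytechnique.fr to ldap-model.polytechnique.fr" (ldap-model:636): Consumer failed to replay change (uniqueid 1e5367ae-6a8311e4-a42c901a-94623bee, CSN 54638125000000020000): Operations error (1). Will retry later.
"""

CONSUMER_LOG = """\
[12/Nov/2014:16:46:41 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=546380d6000000020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:46:41 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (546380d6000000020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:46:41 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=LAN452ESP-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: fa90219d-6a8211e4-a42c901a-94623bee, optype: 16) to changelog csn 546380d6000000020000
[12/Nov/2014:16:47:54 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=54638125000000020000) failed (rc=-30993 (BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Nov/2014:16:47:54 +0100] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (54638125000000020000); db error - -30993 BDB0068 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Nov/2014:16:47:54 +0100] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for cn=LAN472EFLE-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu (uniqid: 1e5367ae-6a8311e4-a42c901a-94623bee, optype: 16) to changelog csn 54638125000000020000
"""

SUPPLIER_RE = re.compile(r"Consumer failed to replay change \(uniqueid (?P<uid>[0-9a-f-]+), CSN (?P<csn>[0-9a-f]{20})\)")
RETRY_RE = re.compile(r"retry \((?P<retries>\d+)\) the transaction \(csn=(?P<csn>[0-9a-f]{20})\) failed \(rc=(?P<rc>-?\d+)")
CHANGE_RE = re.compile(r"can't add a change for (?P<dn>.+?) \(uniqid: (?P<uid>[0-9a-f-]+), optype: (?P<optype>\d+)\) to changelog csn (?P<csn>[0-9a-f]{20})")

# Operation type bit values as defined by SLAPI_OPERATION_* in 389's slapi-plugin.h.
OPTYPES = {0x08: "MODIFY", 0x10: "ADD", 0x20: "DELETE", 0x40: "MODRDN"}


def decode_csn(csn: str) -> dict:
    """Split a 389-ds CSN: 8 hex digits of Unix time, 4 of sequence, 4 of replica id, 4 of sub-sequence."""
    ts = int(csn[0:8], 16)
    return {
        "timestamp": ts,
        "time_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def correlate(supplier_text: str, consumer_text: str) -> List[dict]:
    """Join supplier replay failures with consumer changelog errors on CSN, oldest first."""
    by_csn: Dict[str, dict] = {}
    for line in supplier_text.splitlines():
        m = SUPPLIER_RE.search(line)
        if m:
            by_csn.setdefault(m["csn"], {"csn": m["csn"]})["supplier_uniqueid"] = m["uid"]
    for line in consumer_text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            by_csn.setdefault(m["csn"], {"csn": m["csn"]}).update(retries=int(m["retries"]), rc=int(m["rc"]))
            continue
        m = CHANGE_RE.search(line)
        if m:
            rec = by_csn.setdefault(m["csn"], {"csn": m["csn"]})
            rec.update(dn=m["dn"], consumer_uniqueid=m["uid"], optype=int(m["optype"]),
                       optype_name=OPTYPES.get(int(m["optype"]), "UNKNOWN"))
    # Every record, whichever side it was seen on, gets the decoded CSN fields.
    for rec in by_csn.values():
        for key, value in decode_csn(rec["csn"]).items():
            rec.setdefault(key, value)
    return [by_csn[c] for c in sorted(by_csn)]


if __name__ == "__main__":
    for rec in correlate(SUPPLIER_LOG, CONSUMER_LOG):
        print(f'{rec["time_utc"]} rid={rec["replica_id"]} {rec.get("optype_name", "?")} '
              f'{rec.get("dn", "?")} retries={rec.get("retries")} rc={rec.get("rc")}')
```

For the first CSN the decoded time is 15:46:30 UTC, that is 16:46:30 +0100, eleven seconds before the consumer logged the deadlock and twelve before the supplier reported the replay failure, and replica id 2 is ldap-edev per the RUV in the agreement shown above. The resulting list of DNs is the set of entries whose state to compare between supplier and consumer after the run.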
Sync problem between AD and 389ds (freeIPA) : no posix attributes sync
by Edouard Guigné
Dear 389-users,
I am trying to get a sync working between my AD (Windows 2008 R2) and FreeIPA
(Fedora 20) server.
My goal is to retrieve all my AD users into the FreeIPA database.
This is my 389-ds version:
# rpm -q 389-ds-base
389-ds-base-1.3.2.23-1.fc20.x86_64
With "ipa-replica-manage connect --winsync ...", I succeeded in copying
users from AD to FreeIPA (via the sync agreement).
I then tried to sync POSIX attributes (from my AD, which has "Subsystem
for UNIX-based Applications") into the FreeIPA server by activating
the posix winsync plugin.
I would like to extract attributes from my AD like:
- uidNumber
- gidNumber
- unixHomeDirectory
- loginShell
- msSFU30NisDomain
For this, I turned on the posix winsync plugin according to the
documentation:
http://www.port389.org/docs/389ds/design/winsync-posix.html
1. I enabled the plugin this way:
ldapmodify -D "cn=directory manager" -w xxxxx
dn: cn=Posix Winsync API,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
2. And I also added a nisDomain attribute like this:
ldapmodify -x -D "cn=directory manager" -w xxxxx
dn: dc=lmsipa,dc=polytechnique,dc=fr
changetype: modify
replace: nisDomain
nisDomain: lmsadtest
The nisDomain is the same as the msSFU30NisDomain (lmsadtest) in my AD.
3. I restarted the ipa server (ipa-ctl restart).
However, I do not succeed in syncing the POSIX attributes...
4. I turned on the replication logging level,
and this is the log for the sync of one user account:
...
[05/Nov/2014:10:37:28 +0100] NSMMReplicationPlugin - windows sync - agmt="cn=meTolmscad1test.lmsadtest.polytechnique.fr" (lmscad1test:389): map_entry_dn_outbound: looking for AD entry for DS dn="uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr" username="guigne"
[05/Nov/2014:10:37:28 +0100] - Calling windows entry search request plugin
[05/Nov/2014:10:37:28 +0100] - windows_search_entry: received 2 messages, 1 entries, 0 references
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - agmt="cn=meTolmscad1test.lmsadtest.polytechnique.fr" (lmscad1test:389): map_entry_dn_outbound: found AD entry dn="CN=Edouard Guigné,OU=lms,DC=lmsadtest,DC=polytechnique,DC=fr"
[05/Nov/2014:10:37:29 +0100] - Calling windows entry search request plugin
[05/Nov/2014:10:37:29 +0100] - windows_search_entry: received 2 messages, 1 entries, 0 references
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, sn : values are equal
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, description : values are equal
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, givenName : values are equal
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, codePage : values not present on peer entry
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, scriptPath : values not present on peer entry
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, accountExpires : values not present on peer entry
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, sAMAccountName : values not present on peer entry
[05/Nov/2014:10:37:29 +0100] NSMMReplicationPlugin - windows sync - windows_generate_update_mods: uid=guigne,cn=users,cn=accounts,dc=lmsipa,dc=polytechnique,dc=fr, mail : values are equal
[05/Nov/2014:10:37:29 +0100] posix-winsync - getNisDomainName: no nisdomainname found in DC=fr, LDAP Err-1
[05/Nov/2014:10:37:29 +0100] - smod - windows sync
[05/Nov/2014:10:37:29 +0100] - smod 0 - add: codePage
[05/Nov/2014:10:37:29 +0100] - smod 0 - value: codePage: 0
[05/Nov/2014:10:37:29 +0100] - smod 1 - add: scriptPath
[05/Nov/2014:10:37:29 +0100] - smod 1 - value: scriptPath: Logon_guigne.bat
[05/Nov/2014:10:37:29 +0100] - smod 2 - add: accountExpires
[05/Nov/2014:10:37:29 +0100] - smod 2 - value: accountExpires: 9223372036854775807
[05/Nov/2014:10:37:29 +0100] - smod 3 - add: sAMAccountName
[05/Nov/2014:10:37:29 +0100] - smod 3 - value: sAMAccountName: guigne
[05/Nov/2014:10:37:29 +0100] - smod 4 - add: msSFU30uidnumber
[05/Nov/2014:10:37:29 +0100] - smod 4 - value: msSFU30uidnumber: 12069
[05/Nov/2014:10:37:29 +0100] - smod 5 - add: msSFU30gidnumber
[05/Nov/2014:10:37:29 +0100] - smod 5 - value: msSFU30gidnumber: 4400
[05/Nov/2014:10:37:30 +0100] - smod 6 - add: msSFU30loginshell
[05/Nov/2014:10:37:30 +0100] - smod 6 - value: msSFU30loginshell: /bin/bash
[05/Nov/2014:10:37:30 +0100] NSMMReplicationPlugin - windows sync - windows_update_remote_entry: modifying entry CN=Edouard Guigné,OU=lms,DC=lmsadtest,DC=polytechnique,DC=fr
[05/Nov/2014:10:37:30 +0100] NSMMReplicationPlugin - windows sync - agmt="cn=meTolmscad1test.lmsadtest.polytechnique.fr" (lmscad1test:389): Received result code 16 (00000057: LdapErr: DSID-0C090B8A, comment: Error in attribute conversion operation, data 0, v1db1) for modify operation
...
So the POSIX attributes are found but not synced into the 389 database.
What does this mean:
posix-winsync - getNisDomainName: no nisdomainname found in DC=fr, LDAP Err-1
Can you help me solve the issue?
Best Regards,
Ed
8 years, 10 months
Groupe modifications and internalModifiersName
by Ivanov Andrey (M.)
Hi,
I continue with my tests of 389ds v1.3.2.24. I've encountered another bug or strange behavior (by design?).
I've activated bind DN tracking (nsslapd-plugin-binddn-tracking: on). There is an account that has the right to add entries and to change some attributes (e.g. description). The corresponding ACI:
dn: ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu
aci: (targetattr = " objectClass || uniqueMember || owner || cn || description || businessCategory " ) (version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs attributs";allow ( add, delete, read,compare,search,write )(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)
Any attempt to modify an authorized attribute from the list above (for example, description) results in:
ldap_modify: Insufficient access (50)
additional info: Insufficient 'write' privilege to the 'internalModifiersName' attribute of entry 'cn=mec431-2014,ou=2014,ou=cours,ou=enseignement,ou=groupes,dc=id,dc=polytechnique,dc=edu'.
[11/Nov/2014:10:38:49 +0100] conn=4 fd=256 slot=256 connection from 129.104.31.54 to 129.104.69.49
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=0 RESULT err=14 tag=97 nentries=0 etime=0.008000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=1 RESULT err=14 tag=97 nentries=0 etime=0.002000, SASL bind in progress
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Nov/2014:10:38:49 +0100] conn=4 op=2 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=sync-cours,ou=comptes generiques,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 SRCH base="dc=id,dc=polytechnique,dc=edu" scope=2 filter="(cn=MEC431-2014)" attrs=ALL
[11/Nov/2014:10:38:49 +0100] conn=4 op=3 RESULT err=0 tag=101 nentries=1 etime=0.003000
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 MOD dn="cn=MEC431-2014,ou=2014,ou=Cours,ou=Enseignement,ou=Groupes,dc=id,dc=polytechnique,dc=edu"
[11/Nov/2014:10:39:00 +0100] conn=4 op=4 RESULT err=50 tag=103 nentries=0 etime=0.002000
Is this expected behavior, meaning I need to add to all the ACIs that allow modifications the right to modify the internalModifiersName attribute (if I add it, everything is fine and the internalModifiersName attribute becomes "cn=ldbm database,cn=plugins,cn=config")?
Or is it a bug?
Thank you!
Regards,
8 years, 10 months
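Both ACI questions on this page (the "add user aci problem" thread and this one) come down to what a given ACI grants to a given bind DN on a given attribute. The following Python checker is an added example, not the server's ACI engine and not from either post: it parses the target clauses and the allow/deny rules of a v3.0 ACI and evaluates one right on one attribute for one bind DN. It handles only exact userdn, ldap:///anyone and ldap:///all bind rules, treats a missing targetattr clause as covering no attributes (an assumption of this checker), and does not evaluate target scoping, targetfilter, groupdn or macro ACIs. The two ACI strings embedded are the ones posted in those two threads, with the line wrapping removed.

```python
import re
from typing import Optional

# ACIs as posted in the two threads above (copied verbatim, line breaks removed).
ACI_ADD_USER = ('(targetattr = "*") (target = "ldap:///test,dc=my,dc=domain") '
                '(version 3.0;acl "POP-AL write permission";allow (all) '
                '(userdn = "ldap:///uid=my_user,ou=app,dc=my,dc=domain");)')
ACI_GROUPS = ('(targetattr = " objectClass || uniqueMember || owner || cn || description || businessCategory " ) '
              '(version 3.0;acl "Droits de rejouter/supprimer/modifier les groupes et leurs attributs";'
              'allow ( add, delete, read,compare,search,write )'
              '(userdn="ldap:///uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu");)')

TARGET_RE = re.compile(r'\(\s*(targetattr|target|targetfilter|targetscope)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.I | re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\((.*?)\)\s*;', re.I | re.S)
USERDN_RE = re.compile(r'userdn\s*=\s*"([^"]*)"', re.I)
DN_RE = re.compile(r'^[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*$')


def norm_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci(text: str) -> dict:
    """Parse the target clauses and allow/deny rules of one ACI v3.0 string."""
    aci = {"targetattr": None, "targetattr_negated": False, "target": None, "name": None, "rules": []}
    body_start = 0
    for m in TARGET_RE.finditer(text):
        keyword, op, value = m.group(1).lower(), m.group(2), m.group(3)
        if keyword == "targetattr":
            aci["targetattr"] = [a.strip().lower() for a in value.split("||") if a.strip()]
            aci["targetattr_negated"] = (op == "!=")
        elif keyword == "target":
            aci["target"] = value.strip()
        body_start = m.end()
    body = BODY_RE.search(text, body_start)
    if body is None:
        raise ValueError("no (version 3.0; acl ...) body found")
    aci["name"] = body.group(1)
    for rule in RULE_RE.finditer(body.group(2)):
        udn = USERDN_RE.search(rule.group(3))
        aci["rules"].append({
            "effect": rule.group(1).lower(),
            "rights": [r.strip().lower() for r in rule.group(2).split(",") if r.strip()],
            "userdn": udn.group(1).strip() if udn else None,
        })
    return aci


def target_is_dn(aci: dict) -> bool:
    """True when there is no target clause, or its value is ldap:/// followed by a well-formed DN."""
    if aci["target"] is None:
        return True
    value = aci["target"]
    return value.lower().startswith("ldap:///") and DN_RE.match(value[len("ldap:///"):].strip()) is not None


def bind_rule_matches(userdn: Optional[str], bind_dn: Optional[str]) -> bool:
    """Exact-DN, anyone and all forms only; groupdn, wildcards and parent rules are out of scope here."""
    if userdn is None:
        return False
    spec = userdn.strip().lower()
    if spec == "ldap:///anyone":
        return True
    if spec == "ldap:///all":
        return bool(bind_dn)
    if not spec.startswith("ldap:///") or not bind_dn:
        return False
    return norm_dn(spec[len("ldap:///"):]) == norm_dn(bind_dn)


def attr_covered(aci: dict, attr: str) -> bool:
    # Checker assumption: an attribute-level right needs an explicit targetattr clause.
    if aci["targetattr"] is None:
        return False
    listed = "*" in aci["targetattr"] or attr.lower() in aci["targetattr"]
    return (not listed) if aci["targetattr_negated"] else listed


def aci_allows(aci: dict, right: str, attr: str, bind_dn: Optional[str]) -> bool:
    """Does this single ACI grant `right` on `attr` to `bind_dn`? A matching deny rule wins."""
    right = right.lower()
    if not attr_covered(aci, attr):
        return False
    granted = False
    for rule in aci["rules"]:
        if not bind_rule_matches(rule["userdn"], bind_dn):
            continue
        if right in rule["rights"] or ("all" in rule["rights"] and right != "proxy"):
            if rule["effect"] == "deny":
                return False
            granted = True
    return granted


if __name__ == "__main__":
    sync = "uid=sync-cours,ou=Comptes generiques,ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu"
    groups = parse_aci(ACI_GROUPS)
    for attr in ("description", "internalModifiersName"):
        print(f"{groups['name']!r}: write on {attr} for sync-cours ->", aci_allows(groups, "write", attr, sync))
    add_user = parse_aci(ACI_ADD_USER)
    print("add on userPassword for my_user ->", aci_allows(add_user, "add", "userPassword", "uid=my_user,ou=app,dc=my,dc=domain"))
    print("target clause is a well-formed DN ->", target_is_dn(add_user))
```

For the groups ACI the checker returns True for write on description and False for write on internalModifiersName, the attribute the server named in its error 50: the ACI itself says nothing about that attribute, and whether the server should demand it when bind DN tracking writes it is exactly the question left open above. For the add-user ACI the rights check passes for my_user, but target_is_dn reports False because `test,dc=my,dc=domain` has no attribute type in its first RDN; the error 19 in that thread is a password-syntax constraint rather than an ACI decision, and this checker does not model it.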
Account auto unlock
by harry.devine@faa.gov
We are using 389-ds 1.2.2-1 on a RHEL 6.5 64-bit server. We have users who occasionally lock themselves out due to too many unsuccessful login attempts. What we can't seem to find is a setting where that lockout could auto-unlock after X minutes (like 30 or so). I thought that it used to work that way when we first started with 389-ds a few years ago, but I can't be 100% certain. Any thoughts or guidance on what we can look at or set to make this happen?
Thanks,
Harry
Harry Devine
DOT/FAA/AJM-245
Common ARTS Software Development
harry.devine(a)faa.gov
(609)485-4218
8 years, 10 months
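The behaviour asked about above is governed by the passwordUnlock and passwordLockoutDuration attributes of 389's password policy: with passwordUnlock on, a locked account is released once passwordLockoutDuration seconds have passed since the lock; with it off, the account stays locked until an administrator resets it. The following Python example is added here and is not from the post or from 389-ds: it renders a constructed policy as ldapmodify input for cn=config, and evaluates the lock state of a constructed entry at a chosen time from its passwordRetryCount and accountUnlockTime operational attributes (the entry values and the 30-minute figure are assumptions made for the example).

```python
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed policy: lock after 3 failures and let the lock expire after 30 minutes.
# The attribute names are the global password-policy attributes held in cn=config.
POLICY = {
    "passwordLockout": "on",
    "passwordMaxFailure": 3,
    "passwordLockoutDuration": 30 * 60,   # seconds
    "passwordUnlock": "on",               # off = locked until an administrator resets it
}

# Constructed example entry: locked at 18:00:00Z with an unlock time 1800 s later.
LOCKED_ENTRY = {
    "uid": "example-user",
    "passwordRetryCount": "3",
    "retryCountResetTime": "20141112181000Z",
    "accountUnlockTime": "20141112183000Z",
}


def policy_ldif(policy: Dict[str, object]) -> str:
    """Render the policy as ldapmodify input against cn=config."""
    lines = ["dn: cn=config", "changetype: modify"]
    for i, (name, value) in enumerate(policy.items()):
        if i:
            lines.append("-")
        lines += [f"replace: {name}", f"{name}: {value}"]
    return "\n".join(lines) + "\n"


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form 389-ds stores in its operational attributes."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_status(entry: Dict[str, str], policy: Dict[str, object], now: datetime) -> dict:
    """Decide whether an entry is locked at `now` from passwordRetryCount / accountUnlockTime.

    retryCountResetTime only governs the failure counter before the account is locked
    and is deliberately not modelled here.
    """
    retries = int(entry.get("passwordRetryCount", "0"))
    if policy["passwordLockout"] != "on" or retries < int(policy["passwordMaxFailure"]):
        return {"locked": False, "reason": f"{retries} failure(s), below passwordMaxFailure", "unlock_at": None}
    if policy["passwordUnlock"] != "on":
        return {"locked": True, "reason": "passwordUnlock is off: administrative reset required", "unlock_at": None}
    unlock_at: Optional[datetime] = None
    if "accountUnlockTime" in entry:
        unlock_at = parse_generalized_time(entry["accountUnlockTime"])
    if unlock_at is None:
        return {"locked": True, "reason": "locked; no accountUnlockTime recorded", "unlock_at": None}
    if now >= unlock_at:
        return {"locked": False, "reason": "lockout duration elapsed", "unlock_at": unlock_at}
    remaining = int((unlock_at - now).total_seconds())
    return {"locked": True, "reason": f"locked, {remaining} s until auto-unlock", "unlock_at": unlock_at}


if __name__ == "__main__":
    print(policy_ldif(POLICY))
    for clock in ("20141112181500Z", "20141112183000Z"):
        print(clock, account_status(LOCKED_ENTRY, POLICY, parse_generalized_time(clock)))
```

The same attributes can be set on a subtree-level policy entry instead of cn=config; the state logic is unchanged, and the 30 minutes mentioned above is passwordLockoutDuration: 1800.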
need info for replicate_now script
by ghiureai
Hi List,
I'm new to 389-ds, learning and configuring multimaster replication for DS.
Reading the RH doc about having a script to trigger the updates from
one master to the other in < 10 min: the original script on RH will
not work; it uses the ldapsearch -1 option, which seems not to exist in my
current 389-ds on CentOS 6.5. Would anyone be willing to share a
working script for this task?
Thank you
Isabella
8 years, 10 months
Combine entities from several replicated databases to one database
by Andrey Cherepanov
There are a dozen branches in which users are added and modified in LDAP. There
is a central office in which we plan to make a joint address book with the branch
data.
I know that replication works only per database. I can replicate all
branch databases to the central office. But I can't find a way to join entities
into one database the right way. Has anybody done it?
--
Andrey Cherepanov
ALT Linux
cas(a)altlinux.ru
8 years, 10 months