DS start debug mode option
by ghiureai
Hi List,
I would like to know if there is an option to start DS in debug mode?
We re-installed the OS on the host with DS and are trying to use an existing
full backup taken before shutdown,
getting the following: error 1 when trying to start DS, no errors or
messages are written to the DS log.
Isabella
4 years, 7 months
Configuring StartTLS
by Galazios, Costa
Hello,
I am converting my 389 instances to use StartTLS and have hit the following snag.
After running setup-ssl.sh, and adding “nsslapd-security:on” to dse.ldif, and restarting both dirsrv and dirsrv-admin, I am trying to do an ldapsearch to test functionality over tcp/389 with StartTLS.
==
[root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 636 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top
ldap_start_tls: Can't contact LDAP server (-1)
[root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]# ldapsearch -x -LLL -ZZ -p 389 -h "ops-ldap-m-00001.svale.netledger.com" -D cn=manager -w password -b "" -s base objectclass=top
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
[root@ops-ldap-m-00001 slapd-ops-ldap-m-00001]#
==
Can someone help illuminate for me what I’ve done wrong?
4 years, 7 months
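As an added example (not code from the post above), the check a practitioner would run before trying `-ZZ` again: StartTLS is an extended operation advertised in the rootDSE's `supportedExtension` attribute under OID 1.3.6.1.4.1.1466.20037, while port 636 speaks TLS from the first byte, so `-ZZ` does not apply there. The rootDSE text below is constructed sample data; `parse_ldif_entry`, `starttls_advertised` and `diagnose` are names chosen here.

```python
import base64

# OID of the StartTLS extended operation (RFC 4511 / RFC 4513).
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed rootDSE, in the shape `ldapsearch -x -LLL -b "" -s base` prints.
# One value is base64-encoded ("attr::") and one is folded onto two lines
# purely to exercise both LDIF forms; nothing here is from the poster's server.
SAMPLE_ROOTDSE = """\
dn:
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension:: MS4zLjYuMS40LjEuMTQ2Ni4yMDAzNw==
supportedLDAPVersion: 3
namingContexts: dc=example,
 dc=com
"""


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attribute (lowercased): [values]},
    unfolding continuation lines and decoding base64 ("attr::") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry


def starttls_advertised(rootdse_ldif: str) -> bool:
    """True when the server lists the StartTLS OID among its extensions."""
    return STARTTLS_OID in parse_ldif_entry(rootdse_ldif).get("supportedextension", [])


def diagnose(port: int, rootdse_ldif: str) -> str:
    """Classify the connection: 636 is LDAPS (use ldaps://, no -ZZ); on the
    plain port, -ZZ only works if the rootDSE advertises StartTLS."""
    if port == 636:
        return "ldaps"
    return "starttls" if starttls_advertised(rootdse_ldif) else "plain-only"
```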
multimaster replication resync after one server offline
by ghiureai
Hi List,
I would like to know what the steps are to resync an LDAP server that is part of a
multimaster replication env; the server will be taken offline for 1 day.
Initially I put the server in read-only mode while doing the failover to the
other master, and next I shut it down for some OS maintenance.
What are the steps to resync the replication when it is brought back online?
Isabella
4 years, 7 months
multimaster replication one host offline
by ghiureai
Hi List,
I have configured LDAP multimaster replication; one of the hosts will be
offline for some days. Do I need to disable the replication agreement
completely at this point? (What will be the minimum cfg?)
What are the steps to resync the master after it has been brought online?
Thank you
Isabella
4 years, 7 months
problems building RPM for 389-admin
by Giovanni Baruzzi
Hi all,
Sorry for a newcomer question.
After having built the RPMs for 389-ds-base and 389-adminutil, I'm stuck with a problem with 389-admin.
I was not able to find an "official" SPEC file and resorted to one found somewhere on the Internet.
The problem is that this file requires the definition of the macro %{_unitdir}, which apparently is not defined anymore (?) for Fedora.
How can I solve the problem?
Is there a location for the "official" spec files?
thank you,
Giovanni
4 years, 7 months
selinux problem with centos 7.1
by Angel Bosch
Hi,
I'm having problems installing a new test environment on CentOS 7.1.
When I execute setup-ds-admin.pl I get this message:
Adding port 389 to selinux policy failed - ValueError: SELinux policy is not managed or store cannot be accessed.
I've tried with --debug and it keeps retrying every 5 seconds with the same message.
# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.1.1503 (Core)
Release: 7.1.1503
Codename: Core
# sestatus
SELinux status: disabled
The only irregular thing is that I'm using an OpenVZ container, but I have plenty of other DS inside OpenVZ without any problems.
I managed to continue with the installation with a very dirty hack: I modified the DSCreate.pm script and added a return at the beginning of the updateSelinuxPolicy sub:
####################################################
sub updateSelinuxPolicy {
    my $inf = shift;
    return 0;    # hack: skip the SELinux policy update entirely
    # ... the original body of the sub follows unchanged (now unreachable)
}
####################################################
Did anyone get this same problem?
abosch
4 years, 7 months
question about samba and account lockout
by Kevin Taylor
We've been using the old Sun Directory Server (DSEE7) for a long time and have had things working in such a way that when a user on linux or windows locks the account after so many failures, neither windows nor linux will allow them to log in.
The way that was done was to modify the samba source code (in lib/smbldap.c) to point the SambaKickoffTime variable to pwdaccountlockedtime from the LDAP server. This worked.
We want to move to the 389 directory server and perform the same function, but I'm having some issues. The pwdaccountlockedtime isn't there anymore. When the account locks, I see that we have the accountunlocktime attribute being set.
Unfortunately, I can't use that field for samba since it's looking for unix time in seconds. The default value of accountunlocktime is Jan 1 1970, so samba thinks that this is some date in the year 600,000+.
So, are any of the following things possible? If so, how can I do it?
1) When an account locks out on the DS, automatically set the SambaKickoffTime attribute in DS to the current time in seconds
2) Change the default value of accountunlocktime to 00000000000000Z instead of 1970....
3) Change the format of the sambakickofftime inside of samba so that it will acknowledge what the DS offers it.
4) Some other way to get samba to acknowledge that account cannot login automatically upon lockout from DS.
Thanks for your help.
4 years, 7 months
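As an added example (not code from the post above) of the format mismatch the poster describes: 389 DS stores accountUnlockTime as LDAP GeneralizedTime (YYYYMMDDHHMMSSZ), while sambaKickoffTime holds Unix seconds, so reading the digits of the epoch default `19700101000000Z` as seconds lands in the year 600,000+. The sample timestamps are constructed and the function names (`generalized_time_to_epoch`, `samba_kickoff_for_lockout`, ...) are chosen here; the last function implements the poster's option 1 under the assumption that an accountUnlockTime in the future means the account is currently locked.

```python
from datetime import datetime, timezone

# Constructed sample values (not from the post): an accountUnlockTime as
# 389 DS writes it, and the epoch default the poster describes.
SAMPLE_UNLOCK_TIME = "20150611143000Z"
EPOCH_DEFAULT = "19700101000000Z"


def generalized_time_to_epoch(value: str) -> int:
    """Convert an LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, UTC) to Unix seconds."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def naive_int_parse(value: str) -> int:
    """What a consumer that expects plain seconds does with the same string:
    drop the trailing Z and read the 14 digits as an integer."""
    return int(value.rstrip("Z"))


def year_of_epoch(seconds: int) -> int:
    """Approximate calendar year of a Unix timestamp (365-day years), computed
    without datetime so values far outside its range still give an answer."""
    return 1970 + seconds // (365 * 24 * 3600)


def samba_kickoff_for_lockout(unlock_time: str, now: int):
    """Option 1 from the post: while the account is locked (accountUnlockTime
    lies in the future), sambaKickoffTime should be 'now' in Unix seconds so
    Samba treats the account as expired. Returns None when the attribute holds
    the epoch default or the unlock time has already passed (not locked)."""
    unlock = generalized_time_to_epoch(unlock_time)
    if unlock == 0 or unlock <= now:
        return None
    return now
```

Run `year_of_epoch(naive_int_parse(EPOCH_DEFAULT))` to reproduce the absurd year the poster saw.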
Troubles with automated deployment of secure 389 server
by Nicolas Martin
Hello,
I've been trying to deploy a secure 389 server with TLS/SSL on the port 636.
If I do things manually, it works alright.
But using the scripts provided on the website, I run into some troubles.
BACKGROUND INFO:
Attached to this mail are the scripts and conf file I use. My setupssl.sh
is a modified version of the setupssl2.ssh meant for DS >= 1.1. I changed
the cipher suite and I changed the name of the admin cert from server-cert
to admin-cert for clarity (I changed manually the name of the certificate
in the admin console configuration file accordingly).
Reason behind the cipher suite change is that the one in the original
script prevents the script from running (AttributeType error) so I used a
cipher suite from a working, manually deployed LDAP server.
I use the packages provided with RHEL6U5. Here are the component versions:
389-ds-base-1.2.11.15-34.el6_5.x86_64
389-ds-1.2.2-1.el6.noarch
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
389-admin-1.1.35-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-34.el6_5.x86_64
389-console-1.1.7-1.el6.noarch
openjdk version:
java-1.6.0-openjdk-1.6.0.0-6.1.13.4.el6_5.x86_64
PROBLEM DESCRIPTION:
Once the scripts are run, I start 389-console using the https URL.
Authentication yields an error message: "Cannot connect..."
Console with debugging enabled shows this error message:
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8054)
You are attempting to import a cert with the same issuer/serial as an
existing cert, but that is not the same cert.
/var/log/dirsrv/admin-server/error has the following line:
[error] SSL Library Error: -12271 SSL client cannot verify your certificate
Certificates list from admin server:
admin-cert u,u,u
CA certificate CT,,
Certificates list from slapd-myserver7:
CA certificate CTu,u,u
admin-cert u,u,u
Server-Cert u,u,u
My certificates all have different serial numbers: 1000 for CA, 1001 for
Server-Cert, 1002 for admin-cert.
If I disable the security for the console by setting NSSEngine to Off, I
can log to the console with the normal http URL, but as soon as I access a
certificate-related tab (For example "Manage Certificates" or the
Encryption tab of the server), I get the following error message:
Unable to create ssl socket
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12263)
SSL received a record that exceeded the maximum permissible length.
Has anyone ever experienced these SSL errors? Is there something I can
compare between my working, manually deployed LDAP servers and the one that
I am trying to deploy automatically?
Thanks in advance.
Regards,
Nicolas Martin
4 years, 7 months