What do changelog:ent and changelog:dn (dbmon.sh output) refer to in 389 (ldap)
by Matveev Alexey
Hello!
I have FreeIPA 4.5.2 and am tuning its performance for adding more than 100k users.
I have a question about script dbmon.sh (or for 389 DS db in general)
The output of the dbmon.sh says:
....
dbcachefree 2374205440 free% 88.446 roevicts 0 hit% 99 pagein 36901 pageout 62843
....
dbname         count   free        free%  size
changelog:ent  505     7367        0.4    4138.2
changelog:dn   141699  55          0.0    74.0
userroot:ent   147205  1220895664  56.9   6294.5
userroot:dn    133806  500270863   97.7   87.7
ipaca:ent      98      9719014     92.7   7823.9
ipaca:dn       98      10476664    99.9   92.8
I'm new to 389 and need some explanation. I know that the dbcachefree is nsslapd-dbcachesize, userroot:ent is nsslapd-cachememsize, userroot:dn is nsslapd-dncachememsize.
What is changelog:ent and changelog:dn?
Thanks in advance!
Alex
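The dbmon.sh rows above, parsed as an added example that is not part of the thread: dbmon.sh prints one ent (entry cache) and one dn (DN cache) row per backend, so the changelog rows are the same two counters for the backend named changelog (the retro changelog backend in a FreeIPA install) that the userroot rows report for userroot. The parser reconstructs each cache's configured size from free and free% and flags caches that are nearly full; the input is constructed from the figures quoted in the post.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the dbmon.sh output quoted in the post above.
SAMPLE_DBMON_OUTPUT = """\
dbcachefree 2374205440 free% 88.446 roevicts 0 hit% 99 pagein 36901 pageout 62843
dbname count free free% size
changelog:ent 505 7367 0.4 4138.2
changelog:dn 141699 55 0.0 74.0
userroot:ent 147205 1220895664 56.9 6294.5
userroot:dn 133806 500270863 97.7 87.7
ipaca:ent 98 9719014 92.7 7823.9
ipaca:dn 98 10476664 99.9 92.8
"""


@dataclass
class CacheLine:
    backend: str      # backend name, e.g. "userroot" or "changelog"
    kind: str         # "ent" = entry cache, "dn" = DN cache
    count: int        # entries (or DNs) currently held in the cache
    free: int         # free bytes left in the cache
    free_pct: float   # free bytes as a percentage of the configured cache size
    avg_size: float   # average size in bytes of one cached entry/DN


def parse_dbmon(text):
    """Return (db cache stats dict, list of CacheLine) from dbmon.sh output."""
    dbcache = {}
    caches = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "dbcachefree":
            # alternating key/value pairs: dbcachefree N free% X roevicts N hit% N ...
            dbcache = {fields[i]: float(fields[i + 1])
                       for i in range(0, len(fields) - 1, 2)}
        elif fields[0] != "dbname" and ":" in fields[0] and len(fields) == 5:
            backend, kind = fields[0].split(":", 1)
            caches.append(CacheLine(backend, kind, int(fields[1]), int(fields[2]),
                                    float(fields[3]), float(fields[4])))
    return dbcache, caches


def configured_size(c):
    """Reconstruct the configured cache size: free bytes are free_pct percent of it.

    For an ent row this is the backend's nsslapd-cachememsize, for a dn row its
    nsslapd-dncachememsize (up to the rounding of the printed percentage).
    """
    if c.free_pct <= 0:
        return None   # cache is full; 0.0% free gives no way to recover the size
    return int(c.free / (c.free_pct / 100.0))


def full_caches(caches, threshold_pct=10.0):
    """Caches with less than threshold_pct free: candidates for a larger cache size."""
    return [c for c in caches if c.free_pct < threshold_pct]


if __name__ == "__main__":
    stats, rows = parse_dbmon(SAMPLE_DBMON_OUTPUT)
    print(f"db cache hit rate: {stats['hit%']:.0f}%")
    for row in rows:
        size = configured_size(row)
        print(f"{row.backend}:{row.kind:<3} configured ~{size} bytes, {row.free_pct}% free")
    for row in full_caches(rows):
        print(f"nearly full: {row.backend}:{row.kind}")
```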
Announcing python-lib389 1.0.4
by Mark Reynolds
python-lib389-1.0.4
The 389 Directory Server team is proud to announce python-lib389
version 1.0.4.
Source tarballs are available for download at Download python-lib389
source code <http://www.port389.org/binaries/python-lib389-1.0.4.tar.bz2>.
Fedora packages are in testing for Fedora 25, 26, and Rawhide repositories.
F25: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1e52ff27ab
F26: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ed66370476
Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=20121272
Highlights in 1.0.4
* Several functional areas have finally been completed
* Various features have been made more portable
* Many bug fixes
Installation
See Source <http://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject....
If you find a bug, or would like to see a new feature, file it using
trac: https://pagure.io/lib389/new_issue
Detailed Changelog since 1.0.3
* Bump version to 1.0.4-1
* Ticket 67 - get attr by type
* Ticket 70 - Improve repl tools
* Ticket 50 - typo in db2* in dsctl
* Ticket 31 - Add status command and SkipNested support for MemberOf
* Ticket 31 - Add functional tests for MemberOf plugin
* Ticket 66 - expand healthcheck for Directory Server
* Ticket 69 - add specfile requires
* Ticket 31 - Initial MemberOf plugin support
* Ticket 50 - Add db2* tasks to dsctl
* Ticket 65 - Add m2c2 topology
* Ticket 63 - part 2, agreement test
* Ticket 63 - lib389 python 3 fix
* Ticket 62 - dirsrv offline log
* Ticket 60 - add dsrc to dsconf and dsidm
* Ticket 32 - Add TLS external bind support for testing
* Ticket 27 - Fix get function in tests
* Ticket 28 - userAccount for older versions without nsmemberof
* Ticket 27 - Improve dseldif API
* Ticket 30 - Add initial support for account lock and unlock.
* Ticket 29 - fix incorrect format in tools
* Ticket 28 - Change default objectClasses for users and groups
* Ticket 1 - Fix missing dn / rdn on config.
* Ticket 27 - Add a module for working with dse.ldif file
* Ticket 1 - cn=config comparison
* Ticket 21 - Missing serverid in dirsrv_test due to incorrect allocation
* Ticket 26 - improve lib389 sasl support
* Ticket 24 - Join paths using os.path.join instead of string concatenation
* Ticket 25 - Fix RUV *repr* function
* Ticket 23 - Use DirSrv.exists() instead of manually checking for instance's existence
* Ticket 1 - cn=config comparison
* Ticket 22 - Specify a basedn parameter for IDM modules
* Ticket 19 - missing readme.md in python3
* Ticket 20 - Use the DN_DM constant instead of hard coding its value
* Ticket 19 - Missing file and improve make
* Ticket 14 - Rename dsadm to dsctl
* Ticket 16 - Reset InstScriptsEnabled argument during the init
* Ticket 14 - Rename dsadm to dsctl
* Ticket 13 - Add init function to create new domain entries
* Ticket 15 - Improve instance configuration ability
* Ticket 10 - Improve command line tool arguments
* Ticket 9 - Convert readme to MD
* Ticket 7 - Add pause and resume methods to topology fixtures
* Ticket 49172 - Allow lib389 to read system schema and instance
* Bump version to 1.0.3-3
* Adjust spec file for Require dependencies
* Bump version to 1.0.3-2
* Fix specfile issues with python3
* Bump version to 1.0.3-1
* Ticket 5 - Fix container build on fedora
* Ticket 4 - Cert detection breaks some tests
* Ticket 49137 - Add sasl plain tests, lib389 support
* Ticket 2 - pytest mark with version relies on root
* Ticket 49126 - DIT management tool
* dbscan - Support additional options (-t truncate -R)
* Ticket 49101 - Python 2 generate example entries
* Ticket 49103 - python 2 support for installer
* Fixed regression with offline db2ldif
* Ticket 47747 - Add topology_i2 and topology_i3
* Ticket 49087 - lib389 resolve jenkins issues
* Ticket 48413 - Improvements to lib389 for rest
* Ticket 49083 - Support prefix for discovery of the defaults.inf file.
* Ticket 49055 - Fix debugging mode issue
* Ticket 49060 - Increase number of masters, hubs and consumers in topology
* Ticket 47747 - Add more topology fixtures
* Ticket 47840 - Add InstScriptsEnabled argument
* Ticket 47747 - Add topology fixtures module
* Ticket 48707 - Implement draft-wibrown-ldapssotoken-01
* Ticket 49022 - Lib389, py3 installer cannot create entries in backend
* Ticket 49024 - Fix paths to the dbdir parent
* Ticket 49024 - Fix db_dir paths
* Ticket 49024 - Fix paths in tools module
* Ticket 48961 - Fix lib389 minor issues shown by 48961 test
* Fix runUpgrade tool issues
* Ticket 49010 - Lib389 fails to start with systemctl changes
* Ticket 49007 - lib389 fixes for paths to use online values
* Ticket 49005 - Update lib389 to work in containers correctly.
* Ticket 48991 - Fix lib389 spec for python2 and python3
* Ticket 48984 - Add lib389 paths module
* Ticket 48951 - dsadm dsconfig status and plugin
* Ticket 47957 - Update the replication “idle” status string
* Ticket 48951 - dsadm and dsconf base files
* Ticket 48952 - Restart command needs a sleep
* Ticket 48949 - Fix ups for style and correctness
* Ticket 48949 - added copying slapd-collations.conf
* Ticket 48949 - change default file path generation - use os.path.join
* Ticket 48949 - os.makedirs() exist_ok not python2 compatible, added try/except
* Ticket 48949 - configparser fallback not python2 compatible
* Bump version to 1.0.2
* Ticket 48946 - openConnection should not fully populate DirSrv object
* Ticket 48832 - Add DirSrvTools.getLocalhost() function
* Ticket 48382 - Fix serverCmd to get sbin dir properly
* Bug 1347760 - Information disclosure via repeated use of LDAP ADD operation, etc.
* Ticket 48937 - Cleanup valgrind wrapper script
* Ticket 48923 - Fix additional issue with serverCmd
* Ticket 48923 - serverCmd timeout not working as expected
* Ticket 48917 - Attribute presence
* Ticket 48911 - Plugin improvements for lib389
* Ticket 48911 - Improve plugin support based on new mapped objects
* Ticket 48910 - Fixes for backend tests and lib389 reliability.
* Ticket 48860 - Add replication tools
* Ticket 48888 - Correction to create of dsldapobject
* Ticket 48886 - Fix NSS SSL library in lib389
* Ticket 48885 - Fix spec file requires
* Ticket 48884 - Bugfixes for mapped object and new connections
* Ticket 48878 - better style for backend in backend test.py
* Ticket 48878 - pep8 fixes part 2
* Ticket 48878 - pep8 fixes and fix rpm to build
* Ticket 48853 - Prerelease installer
* Ticket 48820 - Begin to test compatibility with py.test3, and the new orm
* Ticket 48434 - Fix for negative tz offsets
* Ticket 48857 - Remove python-krbV from lib389
* Ticket 48820 - Move Encryption and RSA to the new object types
* Ticket 48431 - lib389 integrate ldclt
* Ticket 48434 - lib389 logging tools
* Ticket 48796 - add function to remove logs
* Ticket 48771 - lib389 - get ns-slapd version
* Ticket 48830 - Convert lib389 to ip route tools
* Ticket 48763 - backup should run regardless of existing backups.
* Ticket 48434 - lib389 logging tools
* Ticket 48798 - EL6 compat for lib389 tests for DH params
* Ticket 48798 - lib389 add ability to create nss ca and certificate
* Ticket 48433 - Aci linting tools
* Ticket 48791 - format args in server tools
* Ticket 48399 - Helper makefile is missing mkdir dist
* Ticket 48399 - Helper makefile is missing mkdir dist
* Ticket 48794 - lib389 build requires are on a single line
* Ticket 48660 - Add function to convert binary values in an entry to base64
* Ticket 48764 - Fix mit krb password to be random.
* Ticket 48765 - Change default ports for standalone topology
* Ticket 48750 - Clean up logging to improve command experience
* Ticket 48751 - Improve lib389 ldapi support
* Ticket 48399 - Add helper makefile to lib389 to build and install
* Ticket 48661 - Agreement test suite fails at the test changes case
* Ticket 48407 - Add test coverage module for lib389 repo
* Ticket 48357 - clitools should standardise their args
* Ticket 48560 - Make verbose handling consistent
* Ticket 48419 - getadminport() should not a be a static method
* Ticket 48415 - Add default domain parameter
* Ticket 48408 - RFE escaped default suffix for tests
* Ticket 48405 - python-lib389 in rawhide is missing dependencies
* Ticket 48401 - Revert typecheck
* Ticket 48401 - lib389 Entry hasAttr returns dict instead of false
* Ticket 48390 - RFE Improvements to lib389 monitor features for rest389
* Ticket 48358 - Add new spec file
* Ticket 48371 - weaker host check on localhost.localdomain
BMK
by andrei.shlidt@gmail.com
Sent from my iPhone
Migration from OpenLDAP to 389 DS
by b.kalan@iskratel.si
Hi,
I'm completely new to LDAP and I have one task to do. The task is migration from OpenLDAP to 389 DS.
I have installed 389 and now I am trying to import the schema from OpenLDAP. First I created an export of the schema from OpenLDAP.
config.ldif is done with the command: slapcat -F /opt/ldap/mn/slapd.d/ -b "cn=config" > conf.ldif
itnetmanager.ldif is done via the Java LDAP Browser.
Then I tried to convert these ldif files with the scripts at http://www.port389.org/docs/389ds/scripts.html, but I did not succeed.
Can someone help me with how to convert the ldif files from OpenLDAP so that they are usable for import into 389 DS?
Here are a few rows from both files:
itnetmanager_schema_export.ldif
dn: cn={12}itnetmanager, cn=schema, cn=config
olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount' DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus $ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ itUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: {3} ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC 'IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgMode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode $ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ itNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMinCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itPrepaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itValidityTime ))
...
olcAttributeTypes: {262} ( 1.3.6.1.4.1.1332.1000.10.266 NAME ('itDefaultPolicyProfile') DESC 'Is User Policy Default' EQUALITY booleanMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {263} ( 1.3.6.1.4.1.1332.1000.10.267 NAME ('itPasswordHistory') DESC 'User Password History' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClass: olcSchemaConfig
cn: {12}itnetmanager
config.ldif
dn: cn=config
olcLogLevel: 0
olcConnMaxPending: 100
olcConcurrency: 0
olcWriteTimeout: 0
olcArgsFile: /var/run/openldap/slapd_mn.args
olcIndexSubstrAnyStep: 2
olcSockbufMaxIncoming: 262143
olcTLSCertificateKeyFile: /opt/ldap/mn/certs/password
objectClass: olcGlobal
olcIndexIntLen: 4
olcConnMaxPendingAuth: 1000
olcTLSCertificateFile: "OpenLDAP Server"
cn: config
olcIndexSubstrIfMinLen: 2
olcAttributeOptions: lang-
olcPidFile: /var/run/openldap/slapd_mn.pid
olcConfigDir: /opt/ldap/mn/slapd.d/
olcReverseLookup: FALSE
olcGentleHUP: FALSE
olcTLSCACertificatePath: /opt/ldap/mn/certs
olcReadOnly: FALSE
olcTLSVerifyClient: never
olcThreads: 16
olcIndexSubstrAnyLen: 4
olcToolThreads: 1
olcSockbufMaxIncomingAuth: 16777215
olcIdleTimeout: 0
olcSaslSecProps: noplain,noanonymous
olcConfigFile: /opt/ldap/mn/slapd.conf
olcAuthzPolicy: none
olcIndexSubstrIfMaxLen: 4
olcAllows: bind_v2
olcLocalSSF: 71
dn: cn=schema, cn=config
olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass )
olcObjectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC4512: extensible object' SUP top AUXILIARY )
olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRUCTURAL MUST aliasedObjectName )
...
olcAccess: {2}to attrs=itPasswordFtp by group/groupOfUniqueNames/uniqueMember.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcAccess: {3}to attrs=itPasswordDb by group/groupOfUniqueNames/uniqueMember.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcDbConfig: {0}# Set location for txn log files
olcDbConfig: {1}set_lg_dir /opt/ldap/mn/ldapDB
olcDbConfig: {2}# Set cache size 20MB
olcDbConfig: {3}set_cachesize 0 20971520 0
olcDbConfig: {4}set_lg_regionmax 262144
olcDbConfig: {5}set_lg_bsize 2097152
olcDbConfig: {6}# Automatically remove log files that are no longer needed.
olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {8}# Just use these settings when doing slapadd...
olcDbConfig: {9}# set_flags DB_TXN_NOSYNC
olcDbIDLcacheSize: 0
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDbShmKey: 0
olcMaxDerefDepth: 10
olcLastMod: TRUE
olcDbCacheFree: 5
olcDbCacheSize: 150000
olcDbDirtyRead: FALSE
olcReadOnly: FALSE
olcDbSearchStack: 16
olcDatabase: {2}bdb
olcDbDNcacheSize: 0
olcRootPW: {MD5}tGVcx24Qek2C4rq4tk32Wg==
olcDbCheckpoint: 10 1
olcRootDN: cn=ldapadmin,l=Kranj,c=SI
olcDbDirectory: /opt/ldap/mn/ldapDB
olcSizeLimit: 150000
Thank you!
br,rtmktl
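As an added example (not from the thread and not one of the port389 scripts): the converter below takes slapcat cn=config output like the rows quoted above, unfolds the LDIF continuation lines, drops OpenLDAP's {n} ordering prefixes, rewrites NAME ('x') to NAME 'x', skips the built-in definitions under cn=schema,cn=config (389 DS already ships top, alias and the rest, and re-adding them is rejected), and emits an ldapmodify LDIF for cn=schema that adds the attribute types before the object classes that use them. The sample input is constructed from the rows in the post.

```python
import re

# Constructed sample in the slapcat cn=config format quoted above, with the LDIF
# folding (continuation lines start with one space) that a real export contains.
OPENLDAP_SCHEMA_LDIF = """\
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABS
 TRACT MUST objectClass )

dn: cn={12}itnetmanager, cn=schema, cn=config
objectClass: olcSchemaConfig
cn: {12}itnetmanager
olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
 C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcAttributeTypes: {263} ( 1.3.6.1.4.1.1332.1000.10.267 NAME ('itPasswordHist
 ory') DESC 'User Password History' EQUALITY caseIgnoreMatch SUBSTR caseIgnor
 eSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

# OpenLDAP attribute -> 389 DS attribute in cn=schema
ATTR_MAP = {"olcAttributeTypes": "attributeTypes", "olcObjectClasses": "objectClasses"}
CORE_SCHEMA_DN = "cn=schema,cn=config"        # OpenLDAP's hard-coded core schema entry
ORDER_PREFIX = re.compile(r"^\{\d+\}\s*")      # {n} ordering prefix on values
SINGLE_NAME = re.compile(r"NAME\s*\(\s*('[^']*')\s*\)")   # NAME ('x') -> NAME 'x'


def unfold_ldif(text):
    """Undo LDIF line folding: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def normalise_definition(value):
    """Strip the {n} prefix and simplify a one-element NAME list; multi-name lists are kept."""
    value = ORDER_PREFIX.sub("", value.strip())
    return SINGLE_NAME.sub(r"NAME \1", value)


def convert_schema(openldap_ldif):
    """Return an ldapmodify LDIF for cn=schema, or "" if no custom definitions were found."""
    defs = {"attributeTypes": [], "objectClasses": []}
    current_dn = None
    for line in unfold_ldif(openldap_ldif):
        if line.lower().startswith("dn:"):
            # normalise "cn={12}itnetmanager, cn=schema, cn=config" for the comparison below
            current_dn = re.sub(r",\s*", ",", line[3:].strip()).lower()
            continue
        if current_dn == CORE_SCHEMA_DN or ":" not in line:
            continue   # built-in schema, or not an attribute line
        attr, _, value = line.partition(":")
        target = ATTR_MAP.get(attr.strip())
        if target:
            defs[target].append(normalise_definition(value))
    if not any(defs.values()):
        return ""
    out = ["dn: cn=schema", "changetype: modify"]
    # attribute types first: the object classes' MUST/MAY lists refer to them
    for target in ("attributeTypes", "objectClasses"):
        if defs[target]:
            out.append(f"add: {target}")
            out.extend(f"{target}: {d}" for d in defs[target])
            out.append("-")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(convert_schema(OPENLDAP_SCHEMA_LDIF))
```

Feed the result to ldapmodify as Directory Manager; the server validates every definition, which is safer than editing 99user.ldif by hand while the instance is running.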
Re: Migration from OpenLDAP to 389 DS
by Kalan Blaz
Hi Mark,
Thank you very much for your help. Now I have hit another problem and maybe you can help me. In OpenLDAP we have two "super users" which have read/write/delete access to the whole tree. Now in 389 DS I can make changes or view the data only if I log in as cn=directory manager. All my "super users" are already in the 389 DS database, but I do not know how to give them the proper rights. Here is an example with ldapsearch:
ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 108
ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 1
So my question here is, what must I do so that user mnadmin has r/w/d permissions and sees the same tree as directory manager does?
Best regards,
Blaz
Issues enabling SSL/TLS for config DS
by dave_horton2001@hotmail.com
I am having difficulty getting the config DS connection working over TLS. When I enable this and attempt to log into the console, I receive an "Authentication Failed" error.
The admin server log shows:
[Tue Jun 13 21:34:16.649391 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.650706 2017] [:error] [pid 2246:tid 140216580957952] Could not bind as [cn=Directory Manager]: ldap error -1: Can't contact LDAP server
[Tue Jun 13 21:34:16.653671 2017] [:crit] [pid 2246:tid 140216580957952] buildUGInfo(): unable to initialize TLS connection to LDAP host ldap.example.com port 636: 4
[Tue Jun 13 21:34:16.653758 2017] [auth_basic:error] [pid 2246:tid 140216580957952] [client 127.0.0.1:36728] AH01618: user cn=Directory Manager not found: /admin-serv/authenticate
DS access log shows:
[13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.651700770 +1000] conn=14 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.653398027 +1000] conn=14 op=-1 fd=64 closed - Encountered end of file.
Editing /etc/dirsrv/admin-serv/adm.conf to replace the ldapurl with the insecure version allows the console login to proceed again. Ticking the box for a secure config DS and restarting makes the issue reappear. From the DS access log it seems the SSL/TLS connection may be aborting unexpectedly.
ldapsearch over LDAPS or using STARTTLS both seem to work fine.
Is there any way of confirming where the issue lies?
Versions installed (running on Fedora 25):
# yum list installed | grep 389
Redirecting to '/usr/bin/dnf list installed' (see 'man yum2dnf')
389-admin.x86_64 1.1.46-1.fc25 @updates
389-admin-console.noarch 1.1.12-1.fc25 @fedora
389-admin-console-doc.noarch 1.1.12-1.fc25 @fedora
389-adminutil.x86_64 1.1.23-1.fc25 @fedora
389-console.noarch 1.1.18-1.fc25 @fedora
389-ds.noarch 1.2.2-8.fc24 @fedora
389-ds-base.x86_64 1.3.5.17-3.fc25 @updates
389-ds-base-libs.x86_64 1.3.5.17-3.fc25 @updates
389-ds-console.noarch 1.2.16-1.fc25 @fedora
389-ds-console-doc.noarch 1.2.16-1.fc25 @fedora
389-dsgw.x86_64 1.1.11-10.fc25 @fedora
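An added example, not from the thread, that reads DS access-log lines like those above (sample constructed from them, plus one healthy connection for contrast) and separates TLS-layer failures from bind failures: a connection the server logs as an SSL connection and then closes with op=-1 and "end of file" never delivered a BIND, so the "Could not bind" lines in the admin server log are reporting a failed TLS setup on the admin server's side, not rejected credentials.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the access log quoted in the post above; conn=15 is a
# constructed healthy connection (TLS, bind, unbind) for comparison.
ACCESS_LOG = """\
[13/Jun/2017:21:34:16.648487859 +1000] conn=12 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.649537136 +1000] conn=12 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:16.649934634 +1000] conn=13 fd=64 slot=64 SSL connection from 127.0.0.1 to 127.0.1.1
[13/Jun/2017:21:34:16.650851904 +1000] conn=13 op=-1 fd=64 closed - Encountered end of file.
[13/Jun/2017:21:34:17.100000000 +1000] conn=15 fd=65 slot=65 SSL connection from 10.0.0.5 to 127.0.1.1
[13/Jun/2017:21:34:17.200000000 +1000] conn=15 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Jun/2017:21:34:17.300000000 +1000] conn=15 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[13/Jun/2017:21:34:17.400000000 +1000] conn=15 op=1 UNBIND
[13/Jun/2017:21:34:17.500000000 +1000] conn=15 op=1 fd=65 closed - U1
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OP = re.compile(r"op=(-?\d+) (.*)")
FROM = re.compile(r"connection from (\S+) to")


def parse_access_log(text):
    """Group the log per connection: {conn: {"src", "ssl", "ops": [...], "close": reason}}."""
    conns = defaultdict(lambda: {"src": None, "ssl": False, "ops": [], "close": None})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        c = conns[int(m.group("conn"))]
        rest = m.group("rest")
        om = OP.search(rest)
        if om and "closed - " in om.group(2):
            c["close"] = om.group(2).split("closed - ", 1)[1]   # e.g. "Encountered end of file."
        elif om:
            c["ops"].append(om.group(2))                         # BIND/RESULT/SRCH/UNBIND ...
        else:
            sm = FROM.search(rest)
            if sm:
                c["src"] = sm.group(1)
                c["ssl"] = "SSL connection from" in rest
    return dict(conns)


def handshake_failures(conns):
    """SSL connections closed before any operation arrived: the TLS layer failed, not the bind."""
    return {cid: c for cid, c in conns.items() if c["ssl"] and not c["ops"] and c["close"]}


def failures_by_source(conns):
    """Count TLS-layer failures per client address, to see which client is misconfigured."""
    counts = defaultdict(int)
    for c in handshake_failures(conns).values():
        counts[c["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_access_log(ACCESS_LOG)
    for cid, c in handshake_failures(parsed).items():
        print(f"conn={cid} from {c['src']}: TLS connection closed with no operation ({c['close']})")
    print(failures_by_source(parsed))
```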
Broken replicas and CleanRUV question
by Predrag Zečević - Technical Support Analyst
Hi all,
a long time ago we started with 389-DS and due to lack of experience
I installed and used the admin server (which was abandoned later,
because it is too complicated and requires someone at the keyboard).
As a consequence of that, we started to replicate the netscapeRoot
space... Over time, we upgraded the s/w from the initial
389-ds-1.2.1-1.el5 (started from the FDS repository, moved to the EPEL one
later) to today's 389-ds-base-1.3.5.14-1.el6.x86_64 (this one is
compiled from source and that was introduced before we migrated
boxes from RHEL5 to RHEL6 - actually CentOS OS).
During various phases of upgrades, netscapeRoot replicas went out of
sync (we did not spot that, because of a bug in the monitoring script -
that is another issue).
Our setup includes MultiMaster ReadWrite replication (ldap1 <--> ldap2)
and one ReadOnly (ldap3, consumes from both suppliers in MMR).
Right now, this:
$ for ldap in ldap1 ldap2; do
    ldapsearch -x -H ldaps://${ldap}.MyDomain.com -b "cn=mapping tree,cn=config" \
      -D "cn=Directory Manager" -w ${DMPASS} -o ldif-wrap=no \
      objectClass=nsDS5ReplicationAgreement |
    awk -vLDAP=${ldap} '/^dn/ {printf("#===== %s =====#\n%s\n", LDAP, $0); next};
                        /^nsDS5ReplicaHost:/ {printf("%s\n", $0); next;};
                        /^nsds5replicaLastUpdateStatus:/ {printf("%s\n", $0); next;}'
  done
returns (I have excluded working MyDomain replicas output):
#===== ldap1 =====#
dn: cn=2eLDAPmmr,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap2.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
#===== ldap1 =====#
dn: cn=2eLDAPror,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap3.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
#===== ldap2 =====#
dn: cn=2eLDAPmmr,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap1.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
#===== ldap2 =====#
dn: cn=2eLDAPror,cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
nsDS5ReplicaHost: ldap3.MyDomain.com
nsds5replicaLastUpdateStatus: Error (0) No replication sessions started since server startup
I have tried various tricks to recover that replication, but w/o luck...
When I check (for example ldap1) with this:
$ ldapsearch -xLLLo ldif-wrap=no -H ldaps://ldap1.MyDomain.com -D 'cn=directory manager' -w ${DMPASS} -b o=netscapeRoot \
    '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
I get as result:
dn: cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: o=netscaperoot
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 11
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaReferral: ldap://ldap2.MyDomain.com:636/o%3dnetscaperoot
cn: replica
nsState:: CwAAAAAAAACRKiRZAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA==
nsDS5ReplicaName: dc964102-1dd111b2-8970c75e-63880000
nsds50ruv: {replicageneration} 4dcb9f790000000b0000
nsds50ruv: {replica 11 ldap://ldap1.MyDomain.com:0}
nsds50ruv: {replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000
nsds5agmtmaxcsn: o=netscaperoot;2eLDAPror;ldap3.MyDomain.com;636;unavailable
nsruvReplicaLastModified: {replica 11 ldap://ldap1.MyDomain.com:0} 00000000
nsruvReplicaLastModified: {replica 21 ldap://ldap2.MyDomain.com:0} 00000000
nsds5ReplicaChangeCount: 1
nsds5replicareapactive: 0
Tried CleanRUV (ldif applied with the ldapmodify command to all suppliers and consumers):
$ cat /tmp/ldap.cleanRUV-tasks-for-netscapeRoot-replica.11.ldif
dn: cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV11
At some moment, ldap1 replied:
"ldap_modify: Server is unwilling to perform (53)"
which explains nothing, because that error means:
"Indicates that the LDAP server cannot process the request because of
server-defined restrictions. This error is returned for the following
reasons: The add entry request violates the server's structure
rules...OR...The modify attribute request specifies attributes that
users cannot modify...OR...Password restrictions prevent the
action...OR...Connection restrictions prevent the action. "
Right now, CleanRUV task is stuck... and replication is still broken...
A similar situation is present on ldap2, with RUV 21 (if not worse):
dn: cn=replica,cn=o\3Dnetscaperoot,cn=mapping tree,cn=config
objectClass: nsDS5Replica
objectClass: top
nsDS5ReplicaRoot: o=netscaperoot
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaId: 21
nsds5ReplicaPurgeDelay: 604800
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaReferral: ldap://ldap1.MyDomain.com:636/o%3dnetscaperoot
cn: replica
nsState:: FQAAAAAAAADeiyVZAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: cb016902-1dd111b2-821cbcea-f7780000
nsds50ruv: {replicageneration} 4dcb9f790000000b0000
nsds50ruv: {replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000
nsds5agmtmaxcsn: o=netscaperoot;2eLDAPmmr;ldap1.MyDomain.com;636;unavailable
nsds5agmtmaxcsn: o=netscaperoot;2eLDAPror;ldap3.MyDomain.com;636;unavailable
nsruvReplicaLastModified: {replica 21 ldap://ldap2.MyDomain.com:0} 00000000
nsds5ReplicaChangeCount: 1
nsds5replicareapactive: 0
# What would be the proper way to get out of this situation?
# Do I have to execute the CleanAllRUV task and start replication from scratch, or is there a better way?
BTW, loglevel is set to 8192, so from the ldap1 logs:
$ sudo grep cleanruv_task: /var/log/dirsrv/slapd-ldap?/errors
[31/May/2017:09:11:39 +0200] NSMMReplicationPlugin - cleanruv_task: cleaning rid (11)...
we see that the task is "started" and never finished.
Any advice or documentation (more up-to-date than the following) is welcome:
* http://directory.fedoraproject.org/docs/389ds/howto/howto-cleanruv.html#c...
* https://access.redhat.com/documentation/en-us/red_hat_directory_server/9....
* http://directory.fedoraproject.org/docs/389ds/FAQ/troubleshoot-cleanallru...
(CleanRUV FAQ troubleshooting is missing entirely)
With best regards.
Predrag Zečević
--
Predrag Zečević
Technical Support Analyst
2e Systems GmbH
Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile: +49 174 3109 288, Skype: predrag.zecevic
E-mail: predrag.zecevic(a)2e-systems.com
Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director: Phil Douglas
http://www.2e-systems.com/ - Making your business fly!
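An added example, not from the thread: decoding the nsds50ruv values quoted above (sample constructed from the ldap1 and ldap2 output). A 389 DS CSN is 20 hex digits: 8 of Unix timestamp, 4 of sequence number, 4 of replica id and 4 of subsequence number. Decoding shows that the replicageneration CSN was minted by rid 11, that ldap1's RUV element for rid 11 carries no CSN at all, and that ldap2's RUV has no element for rid 11, which is the state worth knowing before choosing between another CleanRUV and starting replication from scratch.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the nsds50ruv values quoted from ldap1 and ldap2 in the post above,
# one value per line as ldapsearch -o ldif-wrap=no prints them.
RUV_LDAP1 = """\
nsds50ruv: {replicageneration} 4dcb9f790000000b0000
nsds50ruv: {replica 11 ldap://ldap1.MyDomain.com:0}
nsds50ruv: {replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000
"""
RUV_LDAP2 = """\
nsds50ruv: {replicageneration} 4dcb9f790000000b0000
nsds50ruv: {replica 21 ldap://ldap2.MyDomain.com:0} 4dda4a3a000000150000 4fd5f742000300150000
"""

RUV_LINE = re.compile(
    r"^nsds50ruv:\s*\{replica (\d+) (\S+)\}(?:\s+([0-9a-f]{20}))?(?:\s+([0-9a-f]{20}))?$")


def decode_csn(csn):
    """Split a CSN into (UTC time, seqnum, rid, subseq)."""
    if not re.fullmatch(r"[0-9a-f]{20}", csn):
        raise ValueError(f"not a CSN: {csn!r}")
    t = datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc)
    return t, int(csn[8:12], 16), int(csn[12:16], 16), int(csn[16:20], 16)


def parse_ruv(text):
    """Return (generation CSN, {rid: {"url": ..., "min": csn|None, "max": csn|None}})."""
    generation, replicas = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nsds50ruv: {replicageneration}"):
            generation = line.split()[-1]
            continue
        m = RUV_LINE.match(line)
        if m:
            replicas[int(m.group(1))] = {"url": m.group(2), "min": m.group(3), "max": m.group(4)}
    return generation, replicas


def ruv_report(local_rid, generation, replicas):
    """Findings to review before cleaning a rid: generation owner, empty elements, stale elements."""
    findings = []
    _, _, gen_rid, _ = decode_csn(generation)
    findings.append(f"replicageneration was created by rid {gen_rid}")
    for rid, r in sorted(replicas.items()):
        if r["max"] is None:
            findings.append(f"rid {rid} ({r['url']}) has no CSN: it never recorded a change")
            continue
        t, _, csn_rid, _ = decode_csn(r["max"])
        if csn_rid != rid:
            findings.append(f"rid {rid} max CSN carries rid {csn_rid}: inconsistent RUV element")
        findings.append(f"rid {rid} last change {t:%Y-%m-%d %H:%M:%S}Z")
    if local_rid not in replicas:
        findings.append(f"local rid {local_rid} is missing from its own RUV")
    return findings


def compare_ruvs(a, b):
    """Rids present in only one of two RUVs: what the two suppliers disagree about."""
    return sorted(set(a) ^ set(b))


if __name__ == "__main__":
    gen1, r1 = parse_ruv(RUV_LDAP1)
    gen2, r2 = parse_ruv(RUV_LDAP2)
    print("\n".join(ruv_report(11, gen1, r1)))
    print("\n".join(ruv_report(21, gen2, r2)))
    print("rids known on one side only:", compare_ruvs(r1, r2))
```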
notes=A for filter with undefined attribute
by albert.luo@uwindsor.ca
Hi,
The Xerox printer's LDAP connectivity default search filter is (|(uid=someone)(samaccountname=someone)). samaccountname is not a defined attribute. This search filter results in notes=A, causing a performance issue.
Is there a way to avoid searching samaccountname=someone, since samaccountname is not a defined attribute? Thank you!
v1.2 and v1.3 differences in return results for lookthroughlimit exceeding search
by albert.luo@uwindsor.ca
Hi,
In the following example, the consumer replica running v1.3 returns err=11 with no entries. v1.2 returns err=4, with the first 20 entries, which is the size limit. Is this difference a change in the implementation or a configuration difference I am missing?
The look-through limit is the default 5000. The tree has more than 50,000 entries.
What is even more puzzling is that the master replica running v1.3 returns the same result as v1.2. Only the consumer replica running v1.3 returns err=11 with no entries.
Thank you very much.
389-Directory/1.3.5.10 B2017.115.1411, consumer replica
$ ldapsearch -x -H ldaps://ldapv1.3:636 -b "ou=People,dc=example,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#
# search result
search: 2
result: 11 Administrative limit exceeded
# numResponses: 1
access log:
RESULT err=11 tag=101 nentries=0 etime=0 notes=A
389-Directory/1.2.11.15 B2016.155.1910
$ ldapsearch -x -H ldaps://ldapv1.2:636 -b "ou=People,dc=example,dc=com" -s one -a always -z 1000 "(objectClass=*)" "hasSubordinates" "objectClass"
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=uwindsor,dc=ca> with scope oneLevel
# filter: (objectClass=*)
# requesting: hasSubordinates objectClass
#
...
# search result
search: 2
result: 4 Size limit exceeded
# numResponses: 21
# numEntries: 20
access log
RESULT err=4 tag=101 nentries=20 etime=0 notes=A
Need to re-register 389ds servers
by wudadin2003@gmail.com
I have a multi-master environment setup and all of the 389ds servers were registered to a server that is no longer available. How can I re-register all of the 389 servers to a new master without losing data?
Running setup-ds-admin.pl -u on a different master fails, saying that the uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot password is invalid.
I am not even sure that the admin user exists, because when I try to back up NetscapeRoot, it tells me that the database does not exist:
# /usr/lib64/dirsrv/slapd-super-name-01/db2ldif -U -n NetscapeRoot -a backup_nsroot_20170602.ldif
Exported ldif file: backup_nsroot_20170602.ldif
[02/Jun/2017:13:00:39 -0500] - reading config file /etc/dirsrv/slapd-super-name-01/slapd-collations.conf
[02/Jun/2017:13:00:40 -0500] SSL Initialization - supported range by NSS: min: SSL3, max: TLS1.2
[02/Jun/2017:13:00:40 -0500] - ERROR: Could not find backend 'NetscapeRoot'.
# rpm -qa 389*
389-console-1.1.7-1.el6.noarch
389-ds-base-1.2.11.15-68.el6_7.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.11.15-68.el6_7.x86_64
389-admin-1.1.35-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
# cat /etc/centos-release
CentOS release 6.7 (Final)
Any help would be greatly appreciated.
Thank you