Re: How to replicate password lockout attributes from a consumer or hub to a master(s)
by Mark Reynolds
On 8/13/21 2:40 PM, Michael Starling wrote:
>
>
> ------------------------------------------------------------------------
> *From:* Michael Starling <mlstarling31(a)hotmail.com>
> *Sent:* Friday, August 13, 2021 10:41 AM
> *To:* Mark Reynolds <mreynolds(a)redhat.com>; General discussion list
> for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
> *Subject:* Re: [389-users] How to replicate password lockout
> attributes from a consumer or hub to a master(s)
>
>
> ------------------------------------------------------------------------
> *From:* Michael Starling <mlstarling31(a)hotmail.com>
> *Sent:* Thursday, August 12, 2021 3:29 PM
> *To:* Mark Reynolds <mreynolds(a)redhat.com>; General discussion list
> for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
> *Subject:* Re: [389-users] How to replicate password lockout
> attributes from a consumer or hub to a master(s)
>
>
> ------------------------------------------------------------------------
> *From:* Mark Reynolds <mreynolds(a)redhat.com>
> *Sent:* Thursday, August 12, 2021 3:16 PM
> *To:* Michael Starling <mlstarling31(a)hotmail.com>; General discussion
> list for the 389 Directory server project.
> <389-users(a)lists.fedoraproject.org>
> *Subject:* Re: [389-users] How to replicate password lockout
> attributes from a consumer or hub to a master(s)
>
>
> On 8/12/21 2:33 PM, Michael Starling wrote:
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Mark Reynolds <mreynolds(a)redhat.com>
>> <mailto:mreynolds@redhat.com>
>> *Sent:* Thursday, August 12, 2021 11:48 AM
>> *To:* General discussion list for the 389 Directory server project.
>> <389-users(a)lists.fedoraproject.org>
>> <mailto:389-users@lists.fedoraproject.org>; Michael Starling
>> <mlstarling31(a)hotmail.com> <mailto:mlstarling31@hotmail.com>
>> *Subject:* Re: [389-users] How to replicate password lockout
>> attributes from a consumer or hub to a master(s)
>>
>>
>> On 8/12/21 10:53 AM, Michael Starling wrote:
>>> Hello.
>>>
>>> I've taken over a large 389-ds environment running on Oracle Linux 8
>>> and the first task I need to complete is to enable password lockouts.
>>>
>>>
>>>
>>> I was able to enable password lockouts successfully however it only
>>> works if the client is pointed directly to a master. The account
>>> locks out and the attributes are propagated down to the hubs and
>>> consumers.
>>>
>>> If the client is pointed to a read-only hub or consumer then the
>>> account does not lockout and the password attributes do not
>>> propagate back to the masters.
>>>
>>> *passwordIsGlobalPolicy*: on is set on all masters, hubs and consumers
>>>
>>> Password policy attributes I expect to replicate:
>>>
>>> *passwordRetryCount*
>>> *accountUnlockTime*
>>> *retryCountResetTime*
>>>
>>> I've tried following the chaining guide below which I think is what
>>> I need to do to get this work as expected, however I've hit a snag.
>>>
>>> https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
>>> <https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
>>> 389 Directory Server - Howto:ChainOnUpdate
>>> <https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
>>> Introduction. The usual deployment for a large replication topology
>>> will have the client applications reading from hubs or dedicated
>>> consumers in order to spread out the load and off-load search
>>> request processing from the masters.
>>> directory.fedoraproject.org
>>>
>>> The document states the backend must be added to the hub or
>>> consumer, however when I try and add the following LDIF to the hub I
>>> get the "unwilling to perform" error.
>>>
>>> This makes sense because the hub is read-only so I'm confused as how
>>> I can update the config on a read-only hub or consumer?
>>>
>>> dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
>>> objectclass: top
>>> objectclass: extensibleObject
>>> objectclass: nsBackendInstance
>>> cn: chainlab
>>> nsslapd-suffix: dc=domain,dc=com
>>> nsfarmserverurl: ldap://dsa1.domain.com:389
>>> ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
>>> nsmultiplexorbinddn: uid=repluser,cn=config
>>> nsmultiplexorcredentials: mypassword
>>> nsCheckLocalACI: on
>>>
>>> adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
>>> ldap_add: Server is unwilling to perform (53)
>>
>> This is the doc you want to follow to get this working. But it is
>> complicated...
>>
>>
>> In this case I'm not sure why the error 53 is being returned. There
>> is something about that entry it does not like. So please check the
>> access and errors log from the time of this failure (see
>> /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info
>> logged when an error 53 happens.
>>
>>
>> Also what version of 389-ds-base are you running?
>>
>>
>> Thanks,
>> Mark
>>
>>>
>>> Hub or Consumer
>>>
>>> Step 1 (Hub and Consumer): the chaining backend must be created on
>>> the hub and consumer:
>>>
>>> |dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
>>> objectclass: top objectclass: extensibleObject
>>> objectclass: nsBackendInstance cn: chainbe1 nsslapd-suffix: <suffix
>>> to replicate>
>>> nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
>>> # of ldap for secure connections -
>>> # requires the secure port
>>> nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
>>> nsmultiplexorcredentials: password nsCheckLocalACI: on |
>>>
>>> Any help would be greatly appreciated.
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> 389-users mailing list --389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
>>> To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org>
>>> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ <https://docs.fedoraproject.org/en-US/project/code-of-conduct/>
>>> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines <https://fedoraproject.org/wiki/Mailing_list_guidelines>
>>> List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe... <https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...>
>>> Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure <https://pagure.io/fedora-infrastructure>
>> --
>> Directory Server Development Team
>>
>> Thanks for getting me the right track Mark. Looks like the
>> "nsFarmServerURL" is not correct.
>>
>> Versions:
>>
>> 389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
>> 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
>>
>> I thought I was maybe hitting the bug described below so I added a
>> trailing "/" but the issue persists.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1363970
>> <https://bugzilla.redhat.com/show_bug.cgi?id=1363970>
>>
>> nsfarmserverurl: ldap://dsa1.domain.com:389
>> ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389*/*
>>
>> This is what I see in the logs on the hub when trying to add the LDIF.
>>
>> The idea is for the hub to send these password attributes back to all
>> masters.
>>
>> These are the masters in the environment.
>> ldap://dsa1.domain.com:389
>> ldap://dsa2.domain.com:389
>> ldap://dsa3.domain.com:389
>> [12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database -
>> cb_instance_config_initialize -*Error with config attribute
>> nsfarmserverurl : not a valid LDAP URL*
>> [12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database -
>> cb_instance_add_config_check_callback - Can't instantiate chaining
>> backend instance chainlab.
>> [12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database -
>> cb_instance_config_initialize - Error with config attribute
>> nsfarmserverurl : not a valid LDAP URL
>> [12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database -
>> cb_instance_add_config_check_callback - Can't instantiate chaining
>> backend instance chainlab.
>> [12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database -
>> cb_instance_config_initialize - Error with config attribute
>> nsfarmserverurl : not a valid LDAP URL
>> [12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database -
>> cb_instance_add_config_check_callback - Can't instantiate chaining
>> backend instance chainlab.
>> [12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database -
>> cb_instance_config_initialize - Error with config attribute
>> nsfarmserverurl : not a valid LDAP URL
>> [12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database -
>> cb_instance_add_config_check_callback - Can't instantiate chaining
>> backend instance chainlab
>>
>>
> Ok, I think its not liking the multiple values in the attribute, even
> though the document says you have multiple urls. I think you need to
> add the config like this:
>
>
> nsfarmserverurl: ldap://dsa1.domain.com:389
>
> nsfarmserverurl: ldap://dsa2.domain.com:389
>
> nsfarmserverurl: ldap://dsa3.domain.com:389
>
>
> Give it a try?
>
>
> HTH,
>
> Mark
>
>
> --
> Directory Server Development Team
> Looks like it only added the first entry. Do I need to add an entry for each MAster?
> dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsBackendInstance
> cn: chainlab
> nsslapd-suffix: dc=domain,dc=com
> *nsfarmserverurl: ldap://dsa1.domain.com:389*
> nsmultiplexorbinddn: uid=replicator,cn=config
> nsmultiplexorcredentials:
> {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA==
> nsbindconnectionslimit: 3
> nsoperationconnectionslimit: 20
> nsabandonedsearchcheckinterval: 1
> nsconcurrentbindlimit: 10
> nsconcurrentoperationslimit: 2
> nsproxiedauthorization: on
> nsconnectionlife: 0
> nsbindtimeout: 15
> nsreferralonscopedsearch: off
> nschecklocalaci: on
> nsbindretrylimit: 3
> nsslapd-sizelimit: 2000
> nsslapd-timelimit: 3600
> nshoplimit: 10
> nsmaxresponsedelay: 60
> nsmaxtestresponsedelay: 15
> nsusestarttls: off
> Hi Mark.
> I tried adding the subsequent URL's and it doesn't allow multiple entries for this attribute.
> It appears all the URLS need to be part of the one*nsfarmserverurl***attribute*.*
> **
> *ldap_initialize( ldap://dsa4.domain.com )**
> add nsFarmServerURL:
> ldap://dsa2.domain.com:389
> modifying entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
> ldap_modify: Server is unwilling to perform (53)*
> * additional info: Adding attributes is not allowed***
> **
> *I believe I have this working now.*
> **
> *Thank you Mark for getting me pointed in the right direction.*
Were you able to set multiple urls? Or did you just go with one for now?
Mark
--
Directory Server Development Team
2 years, 8 months
Re: How to replicate password lockout attributes from a consumer or hub to a master(s)
by Michael Starling
________________________________
From: Michael Starling <mlstarling31(a)hotmail.com>
Sent: Friday, August 13, 2021 10:41 AM
To: Mark Reynolds <mreynolds(a)redhat.com>; General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
________________________________
From: Michael Starling <mlstarling31(a)hotmail.com>
Sent: Thursday, August 12, 2021 3:29 PM
To: Mark Reynolds <mreynolds(a)redhat.com>; General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
________________________________
From: Mark Reynolds <mreynolds(a)redhat.com>
Sent: Thursday, August 12, 2021 3:16 PM
To: Michael Starling <mlstarling31(a)hotmail.com>; General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
On 8/12/21 2:33 PM, Michael Starling wrote:
________________________________
From: Mark Reynolds <mreynolds(a)redhat.com><mailto:mreynolds@redhat.com>
Sent: Thursday, August 12, 2021 11:48 AM
To: General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org><mailto:389-users@lists.fedoraproject.org>; Michael Starling <mlstarling31(a)hotmail.com><mailto:mlstarling31@hotmail.com>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
On 8/12/21 10:53 AM, Michael Starling wrote:
Hello.
I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts.
I was able to enable password lockouts successfully however it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers.
If the client is pointed to a read-only hub or consumer then the account does not lockout and the password attributes do not propagate back to the masters.
passwordIsGlobalPolicy: on is set on all masters, hubs and consumers
Password policy attributes I expect to replicate:
passwordRetryCount
accountUnlockTime
retryCountResetTime
I've tried following the chaining guide below which I think is what I need to do to get this work as expected, however I've hit a snag.
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
389 Directory Server - Howto:ChainOnUpdate<https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
Introduction. The usual deployment for a large replication topology will have the client applications reading from hubs or dedicated consumers in order to spread out the load and off-load search request processing from the masters.
directory.fedoraproject.org
The document states the backend must be added to the hub or consumer, however when I try and add the following LDIF to the hub I get the "unwilling to perform" error.
This makes sense because the hub is read-only so I'm confused as how I can update the config on a read-only hub or consumer?
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on
adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)
This is the doc you want to follow to get this working. But it is complicated...
In this case I'm not sure why the error 53 is being returned. There is something about that entry it does not like. So please check the access and errors log from the time of this failure (see /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info logged when an error 53 happens.
Also what version of 389-ds-base are you running?
Thanks,
Mark
Hub or Consumer
Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:
dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
# of ldap for secure connections -
# requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password
nsCheckLocalACI: on
Any help would be greatly appreciated.
Thanks
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org<mailto:389-users@lists.fedoraproject.org>
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org<mailto:389-users-leave@lists.fedoraproject.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
Thanks for getting me the right track Mark. Looks like the "nsFarmServerURL" is not correct.
Versions:
389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
I thought I was maybe hitting the bug described below so I added a trailing "/" but the issue persists.
https://bugzilla.redhat.com/show_bug.cgi?id=1363970
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389/
This is what I see in the logs on the hub when trying to add the LDIF.
The idea is for the hub to send these password attributes back to all masters.
These are the masters in the environment.
ldap://dsa1.domain.com:389
ldap://dsa2.domain.com:389
ldap://dsa3.domain.com:389
[12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab
Ok, I think its not liking the multiple values in the attribute, even though the document says you have multiple urls. I think you need to add the config like this:
nsfarmserverurl: ldap://dsa1.domain.com:389
nsfarmserverurl: ldap://dsa2.domain.com:389
nsfarmserverurl: ldap://dsa3.domain.com:389
Give it a try?
HTH,
Mark
--
Directory Server Development Team
Looks like it only added the first entry. Do I need to add an entry for each MAster?
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389
nsmultiplexorbinddn: uid=replicator,cn=config
nsmultiplexorcredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA==
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15
nsusestarttls: off
Hi Mark.
I tried adding the subsequent URL's and it doesn't allow multiple entries for this attribute.
It appears all the URLS need to be part of the one nsfarmserverurl attribute.
ldap_initialize( ldap://dsa4.domain.com )
add nsFarmServerURL:
ldap://dsa2.domain.com:389
modifying entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: Adding attributes is not allowed
I believe I have this working now.
Thank you Mark for getting me pointed in the right direction.
2 years, 8 months
Re: How to replicate password lockout attributes from a consumer or hub to a master(s)
by Michael Starling
________________________________
From: Michael Starling <mlstarling31(a)hotmail.com>
Sent: Thursday, August 12, 2021 3:29 PM
To: Mark Reynolds <mreynolds(a)redhat.com>; General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
________________________________
From: Mark Reynolds <mreynolds(a)redhat.com>
Sent: Thursday, August 12, 2021 3:16 PM
To: Michael Starling <mlstarling31(a)hotmail.com>; General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
On 8/12/21 2:33 PM, Michael Starling wrote:
________________________________
From: Mark Reynolds <mreynolds(a)redhat.com><mailto:mreynolds@redhat.com>
Sent: Thursday, August 12, 2021 11:48 AM
To: General discussion list for the 389 Directory server project. <389-users(a)lists.fedoraproject.org><mailto:389-users@lists.fedoraproject.org>; Michael Starling <mlstarling31(a)hotmail.com><mailto:mlstarling31@hotmail.com>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
On 8/12/21 10:53 AM, Michael Starling wrote:
Hello.
I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts.
I was able to enable password lockouts successfully however it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers.
If the client is pointed to a read-only hub or consumer then the account does not lockout and the password attributes do not propagate back to the masters.
passwordIsGlobalPolicy: on is set on all masters, hubs and consumers
Password policy attributes I expect to replicate:
passwordRetryCount
accountUnlockTime
retryCountResetTime
I've tried following the chaining guide below which I think is what I need to do to get this work as expected, however I've hit a snag.
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
389 Directory Server - Howto:ChainOnUpdate<https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
Introduction. The usual deployment for a large replication topology will have the client applications reading from hubs or dedicated consumers in order to spread out the load and off-load search request processing from the masters.
directory.fedoraproject.org
The document states the backend must be added to the hub or consumer, however when I try and add the following LDIF to the hub I get the "unwilling to perform" error.
This makes sense because the hub is read-only so I'm confused as how I can update the config on a read-only hub or consumer?
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on
adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)
This is the doc you want to follow to get this working. But it is complicated...
In this case I'm not sure why the error 53 is being returned. There is something about that entry it does not like. So please check the access and errors log from the time of this failure (see /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info logged when an error 53 happens.
Also what version of 389-ds-base are you running?
Thanks,
Mark
Hub or Consumer
Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:
dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
# of ldap for secure connections -
# requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password
nsCheckLocalACI: on
Any help would be greatly appreciated.
Thanks
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org<mailto:389-users@lists.fedoraproject.org>
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org<mailto:389-users-leave@lists.fedoraproject.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
Thanks for getting me the right track Mark. Looks like the "nsFarmServerURL" is not correct.
Versions:
389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
I thought I was maybe hitting the bug described below so I added a trailing "/" but the issue persists.
https://bugzilla.redhat.com/show_bug.cgi?id=1363970
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389/
This is what I see in the logs on the hub when trying to add the LDIF.
The idea is for the hub to send these password attributes back to all masters.
These are the masters in the environment.
ldap://dsa1.domain.com:389
ldap://dsa2.domain.com:389
ldap://dsa3.domain.com:389
[12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab
Ok, I think its not liking the multiple values in the attribute, even though the document says you have multiple urls. I think you need to add the config like this:
nsfarmserverurl: ldap://dsa1.domain.com:389
nsfarmserverurl: ldap://dsa2.domain.com:389
nsfarmserverurl: ldap://dsa3.domain.com:389
Give it a try?
HTH,
Mark
--
Directory Server Development Team
Looks like it only added the first entry. Do I need to add an entry for each MAster?
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389
nsmultiplexorbinddn: uid=replicator,cn=config
nsmultiplexorcredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA==
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15
nsusestarttls: off
Hi Mark.
I tried adding the subsequent URL's and it doesn't allow multiple entries for this attribute.
It appears all the URLS need to be part of the one nsfarmserverurl attribute.
ldap_initialize( ldap://dsa4.domain.com )
add nsFarmServerURL:
ldap://dsa2.domain.com:389
modifying entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: Adding attributes is not allowed
2 years, 8 months
Is it possible to get these emails in digest form?
by Bryan K. Walton
Sorry, for the intrusion. I'm trying to determine if it is possible
configure my mailing list subscription so as to get these emails in a
digest form.
I've been unable to locate anything in that regard.
Thanks,
Bryan
2 years, 8 months
Re: How to replicate password lockout attributes from a consumer or hub to a master(s)
by Mark Reynolds
On 8/12/21 2:33 PM, Michael Starling wrote:
>
>
> ------------------------------------------------------------------------
> *From:* Mark Reynolds <mreynolds(a)redhat.com>
> *Sent:* Thursday, August 12, 2021 11:48 AM
> *To:* General discussion list for the 389 Directory server project.
> <389-users(a)lists.fedoraproject.org>; Michael Starling
> <mlstarling31(a)hotmail.com>
> *Subject:* Re: [389-users] How to replicate password lockout
> attributes from a consumer or hub to a master(s)
>
>
> On 8/12/21 10:53 AM, Michael Starling wrote:
>> Hello.
>>
>> I've taken over a large 389-ds environment running on Oracle Linux 8
>> and the first task I need to complete is to enable password lockouts.
>>
>>
>>
>> I was able to enable password lockouts successfully however it only
>> works if the client is pointed directly to a master. The account
>> locks out and the attributes are propagated down to the hubs and
>> consumers.
>>
>> If the client is pointed to a read-only hub or consumer then the
>> account does not lockout and the password attributes do not propagate
>> back to the masters.
>>
>> *passwordIsGlobalPolicy*: on is set on all masters, hubs and consumers
>>
>> Password policy attributes I expect to replicate:
>>
>> *passwordRetryCount*
>> *accountUnlockTime*
>> *retryCountResetTime*
>>
>> I've tried following the chaining guide below which I think is what I
>> need to do to get this work as expected, however I've hit a snag.
>>
>> https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
>> <https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
>> 389 Directory Server - Howto:ChainOnUpdate
>> <https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
>> Introduction. The usual deployment for a large replication topology
>> will have the client applications reading from hubs or dedicated
>> consumers in order to spread out the load and off-load search request
>> processing from the masters.
>> directory.fedoraproject.org
>>
>> The document states the backend must be added to the hub or consumer,
>> however when I try and add the following LDIF to the hub I get the
>> "unwilling to perform" error.
>>
>> This makes sense because the hub is read-only so I'm confused as how
>> I can update the config on a read-only hub or consumer?
>>
>> dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> objectclass: nsBackendInstance
>> cn: chainlab
>> nsslapd-suffix: dc=domain,dc=com
>> nsfarmserverurl: ldap://dsa1.domain.com:389
>> ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
>> nsmultiplexorbinddn: uid=repluser,cn=config
>> nsmultiplexorcredentials: mypassword
>> nsCheckLocalACI: on
>>
>> adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
>> ldap_add: Server is unwilling to perform (53)
>
> This is the doc you want to follow to get this working. But it is
> complicated...
>
>
> In this case I'm not sure why the error 53 is being returned. There
> is something about that entry it does not like. So please check the
> access and errors log from the time of this failure (see
> /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info
> logged when an error 53 happens.
>
>
> Also what version of 389-ds-base are you running?
>
>
> Thanks,
> Mark
>
>>
>> Hub or Consumer
>>
>> Step 1 (Hub and Consumer): the chaining backend must be created on
>> the hub and consumer:
>>
>> |dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
>> objectclass: top objectclass: extensibleObject
>> objectclass: nsBackendInstance cn: chainbe1 nsslapd-suffix: <suffix
>> to replicate>
>> nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
>> # of ldap for secure connections -
>> # requires the secure port
>> nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
>> nsmultiplexorcredentials: password nsCheckLocalACI: on |
>>
>> Any help would be greatly appreciated.
>>
>> Thanks
>>
>> _______________________________________________
>> 389-users mailing list --389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
>> To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org>
>> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ <https://docs.fedoraproject.org/en-US/project/code-of-conduct/>
>> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines <https://fedoraproject.org/wiki/Mailing_list_guidelines>
>> List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe... <https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...>
>> Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure <https://pagure.io/fedora-infrastructure>
> --
> Directory Server Development Team
>
> Thanks for getting me the right track Mark. Looks like the
> "nsFarmServerURL" is not correct.
>
> Versions:
>
> 389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
> 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
>
> I thought I was maybe hitting the bug described below so I added a
> trailing "/" but the issue persists.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1363970
> <https://bugzilla.redhat.com/show_bug.cgi?id=1363970>
>
> nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389
> ldap://dsa3.domain.com:389*/*
>
> This is what I see in the logs on the hub when trying to add the LDIF.
>
> The idea is for the hub to send these password attributes back to all
> masters.
>
> These are the masters in the environment.
> ldap://dsa1.domain.com:389
> ldap://dsa2.domain.com:389
> ldap://dsa3.domain.com:389
> [12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database -
> cb_instance_config_initialize -*Error with config attribute
> nsfarmserverurl : not a valid LDAP URL*
> [12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab.
> [12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database -
> cb_instance_config_initialize - Error with config attribute
> nsfarmserverurl : not a valid LDAP URL
> [12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab.
> [12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database -
> cb_instance_config_initialize - Error with config attribute
> nsfarmserverurl : not a valid LDAP URL
> [12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab.
> [12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database -
> cb_instance_config_initialize - Error with config attribute
> nsfarmserverurl : not a valid LDAP URL
> [12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab
>
>
Ok, I think its not liking the multiple values in the attribute, even
though the document says you have multiple urls. I think you need to
add the config like this:
nsfarmserverurl: ldap://dsa1.domain.com:389
nsfarmserverurl: ldap://dsa2.domain.com:389
nsfarmserverurl: ldap://dsa3.domain.com:389
Give it a try?
HTH,
Mark
--
Directory Server Development Team
2 years, 8 months
Re: How to replicate password lockout attributes from a consumer or hub to a master(s)
by Mark Reynolds
On 8/12/21 10:53 AM, Michael Starling wrote:
> Hello.
>
> I've taken over a large 389-ds environment running on Oracle Linux 8
> and the first task I need to complete is to enable password lockouts.
>
>
>
> I was able to enable password lockouts successfully however it only
> works if the client is pointed directly to a master. The account locks
> out and the attributes are propagated down to the hubs and consumers.
>
> If the client is pointed to a read-only hub or consumer then the
> account does not lockout and the password attributes do not propagate
> back to the masters.
>
> *passwordIsGlobalPolicy*: on is set on all masters, hubs and consumers
>
> Password policy attributes I expect to replicate:
>
> *passwordRetryCount*
> *accountUnlockTime*
> *retryCountResetTime*
>
> I've tried following the chaining guide below which I think is what I
> need to do to get this work as expected, however I've hit a snag.
>
> https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
> <https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
> 389 Directory Server - Howto:ChainOnUpdate
> <https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
> Introduction. The usual deployment for a large replication topology
> will have the client applications reading from hubs or dedicated
> consumers in order to spread out the load and off-load search request
> processing from the masters.
> directory.fedoraproject.org
>
> The document states the backend must be added to the hub or consumer,
> however when I try and add the following LDIF to the hub I get the
> "unwilling to perform" error.
>
> This makes sense because the hub is read-only so I'm confused as how I
> can update the config on a read-only hub or consumer?
>
> dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsBackendInstance
> cn: chainlab
> nsslapd-suffix: dc=domain,dc=com
> nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389
> ldap://dsa3.domain.com:389
> nsmultiplexorbinddn: uid=repluser,cn=config
> nsmultiplexorcredentials: mypassword
> nsCheckLocalACI: on
>
> adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
> ldap_add: Server is unwilling to perform (53)
This is the doc you want to follow to get this working. But it is
complicated...
In this case I'm not sure why the error 53 is being returned. There is
something about that entry it does not like. So please check the access
and errors log from the time of this failure (see
/var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info
logged when an error 53 happens.
Also what version of 389-ds-base are you running?
Thanks,
Mark
>
> Hub or Consumer
>
> Step 1 (Hub and Consumer): the chaining backend must be created on the
> hub and consumer:
>
> |dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
> objectclass: top objectclass: extensibleObject
> objectclass: nsBackendInstance cn: chainbe1 nsslapd-suffix: <suffix to
> replicate>
> nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
> # of ldap for secure connections -
> # requires the secure port
> nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
> nsmultiplexorcredentials: password nsCheckLocalACI: on |
>
> Any help would be greatly appreciated.
>
> Thanks
>
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
--
Directory Server Development Team
2 years, 8 months
How to replicate password lockout attributes from a consumer or hub to a master(s)
by Michael Starling
Hello.
I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts.
I was able to enable password lockouts successfully however it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers.
If the client is pointed to a read-only hub or consumer then the account does not lockout and the password attributes do not propagate back to the masters.
passwordIsGlobalPolicy: on is set on all masters, hubs and consumers
Password policy attributes I expect to replicate:
passwordRetryCount
accountUnlockTime
retryCountResetTime
I've tried following the chaining guide below which I think is what I need to do to get this work as expected, however I've hit a snag.
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
389 Directory Server - Howto:ChainOnUpdate<https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....>
Introduction. The usual deployment for a large replication topology will have the client applications reading from hubs or dedicated consumers in order to spread out the load and off-load search request processing from the masters.
directory.fedoraproject.org
The document states the backend must be added to the hub or consumer, however when I try and add the following LDIF to the hub I get the "unwilling to perform" error.
This makes sense because the hub is read-only so I'm confused as how I can update the config on a read-only hub or consumer?
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on
adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)
Hub or Consumer
Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:
dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
# of ldap for secure connections -
# requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password
nsCheckLocalACI: on
Any help would be greatly appreciated.
Thanks
2 years, 8 months
Unable to promote a replica
by John Thurston
I've installed 389-Directory 1.4 on CentOS 8 from EPEL
https://directory.fedoraproject.org/docs/389ds/download.html
it looks like I have 1.4.4
Today's problem is I'm unable to promote a replica from a 'consumer' to
a 'supplier'. I've tried using the cockpit web-gui, as well as dsconf
from the command line.
When using cockpit, I get a error box containing:
> Failed to promote replica - Failed to create changelog: {'msgtype': 105, 'msgid': 9, 'result': 53, 'desc': 'Server is unwilling to perform', 'ctrls': [], 'info': 'Changelog configuration is part of the backend configuration'}
when using dnsconf, it returns (essentially) the same thing:
> Error: Failed to create changelog: {'msgtype': 105, 'msgid': 9, 'result': 53, 'desc': 'Server is unwilling to perform', 'ctrls': [], 'info': 'Changelog configuration is part of the backend configuration'}
When I look in the audit-log, I see:
> time: 20210802150607
> dn: cn=changelog5,cn=config
> result: 53
> changetype: add
> objectClass: top
> objectClass: nsChangelogConfig
> cn: changelog5
> nsslapd-changelogdir: /var/lib/dirsrv/slapd-dirmaster/changelogdb
> creatorsName: cn=Directory Manager
> modifiersName: cn=Directory Manager
> createTimestamp: 20210802230607Z
> modifyTimestamp: 20210802230607Z
When I look in the error-log, I see NSMMReplicationPlugin is throwing a
NOTICE error message:
> NOTICE - NSMMReplicationPlugin - changelog program - changelog5_config_add - Separate changelog no longer supported; use cn=changelog,<backend> instead
I interpret these to mean dsconf is trying to define the the attribute
"nsslapd-changelogdir" on cn=changelog5,cn=config. And that the
replication plugin is saying, "Not so fast there, cowboy. That's not the
way it is done any more."
What is the correct process to promote a replica?
--
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston(a)alaska.gov
Department of Administration
State of Alaska
2 years, 8 months