August 2022 - 389-users - Fedora Mailing-Lists

by Niklas Schmatloch

Hi My organisation is using a replicated 389-dirsrv. Lately, it has been crashing each time after compacting. It is replicable on our instances by lowering the compactdb-interval to trigger the compacting: dsconf -D "cn=Directory Manager" ldap://127.0.0.1 -w 'PASSWORD_HERE' backend config set --compactdb-interval 300 This is the log: [03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot [03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed [03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed [03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog [03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed dirsrv(a)auth-alpha.service: Main process exited, code=killed, status=11/SEGV dirsrv(a)auth-alpha.service: Failed with result 'signal'. dirsrv(a)auth-alpha.service: Consumed 2d 6h 22min 1.122s CPU time. The first steps are done very quickly, but the step before the 458 pages of the retro-changelog are freed, takes several minutes. In this time the dirsrv writes more than 10 G and reads more than 7 G (according to iotop). After this line is printed the dirsrv crashes within seconds. What I also noticed is, that even though it said it freed a lot of pages the retro-changelog does not seem to change in size. The file `/var/lib/dirsrv/slapd-auth-alpha/db/changelog/id2entry.db` is 7.2 G before and after the compacting. Debian 11.4 389-ds-base/stable,now 1.4.4.11-2 amd64 Does someone have an idea how to debug / fix this? Thanks

2 months, 2 weeks

4
15
0 / 0

Plugin development licensing

by DUVERT Vincent

Hello, I have a question regarding the licensing of developed 389-ds plugins. The FAQ (https://directory.fedoraproject.org/docs/389ds/FAQ/licensing.html#directo...) indicates that the Directory Server core code is licensed under a GPL + Exception license that allows non-GPL 389-ds plugins to link to 389-ds and to use specific header files. However, the LICENSE file in the current 389-ds-base source does not contain this exception. It was apparently removed by the following commit, when the license was changed to GPLv3+: https://pagure.io/389-ds-base/c/88cae401aee39a19ac6b07c3c36ee8daa07192e7 Does that means that the license exception does not apply to the current version of 389-ds? Regards, Vincent Duvert

4 months, 2 weeks

2
2
0 / 0

Procedure to change the AD used to sync users

by Mihai Carabas

Hello, We are planning to decommision our current PDC AD (Windows 2012R2). This AD is also used to sync users from our 389ds instance to this AD. What would be the correct procedure to update the WinSync agreement? Just update the hostname and run a full sync? Thank you, Mihai Carabas

1 year

3
12
0 / 0

389 server logging format

by tdarby＠arizona.edu

Is there a way to customize the access and errors logging formats? In particular, it would be nice to use a more standard timestamp format. If not, is there some Python code available for parsing the logs?

1 year, 1 month

2
2
0 / 0

NOTICE - Rust will be mandatory starting in 389-ds-base-2.2

by Mark Reynolds

Hello, For many years now we have been offering Rust plugins, and for those that build the server themselves it was possible to disable Rust if it was not wanted. This is no longer going to be an option starting in the next release of 389-ds-base-2.2 (On Fedora 37). We are upgrading the default password storage schema to the Rust password storage scheme PBKDF2_SHA256 for its improved security and performance over the C/NSS version (PBKDF2-SHA256). We are also going to be incorporating Rust into core parts of the server. So leaving Rust optional is no longer going to be an option. Sorry for the inconvenience this will impose on people not wanting to build with Rust, but this is the direction we are moving in with the 389 project. Feel free to ask any questions or voice concerns over this change, and we will do our best to address them. Sincerely, -- Directory Server Development Team

1 year, 1 month

3
4
0 / 0

Announcing 389 Directory Server 2.1.5

by Mark Reynolds

389 Directory Server 2.1.5 The 389 Directory Server team is proud to announce 389-ds-base version 2.1.5 Fedora packages are available on Fedora 36 https://koji.fedoraproject.org/koji/taskinfo?taskID=91179741 <https://koji.fedoraproject.org/koji/taskinfo?taskID=91179741> https://bodhi.fedoraproject.org/updates/FEDORA-2022-f915519968 <https://bodhi.fedoraproject.org/updates/FEDORA-2022-f915519968>- Bodhi The new packages and versions are: * 389-ds-base-2.1.5-1 Source tarballs are available for download atDownload 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.1.5.tar.gz> Highlights in 2.1.5 * Bug fixes * Transition fromBDB(libdb) toLMDBbegun.BDBis still the default backend, but it can be changed toLMDBfor early beta testing. Installation and Upgrade SeeDownload <https://www.port389.org/docs/389ds/download.html>for information about setting up your yum repositories. To install the server use*dnf install 389-ds-base* To install the CockpitUIplugin use*dnf install cockpit-389-ds* After rpm install completes, run*dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms SeeInstall_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html>for more information about the initial installation and setup SeeSource <https://www.port389.org/docs/389ds/development/source.html>for information about source tarballs andSCM(git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list:https://lists.fedoraproject.org/admin/lists/389-users.lists.fedorapr... If you find a bug, or would like to see a new feature, file it in our GitHub project:https://github.com/389ds/389-ds-base * Bump version to 2.1.5 * Issue 5428 - Fix regression with nscpEntryWsi computation * Issue 5423 - Fix missing ‘not’ in description * Issue 5421 -CI- makes replication/acceptance_test.py::test_modify_entry more robust (#5422) * Issue 3903 - fix repl keep alive event interval * Issue 5418 - Sync_repl may crash while managing invalid cookie (#5420) * Issue 5415 - Hostname when set to localhost causing failures in other tests * Issue 5412 - lib389 - do not set backend name to lowercase * Issue 5385 -LMDB- import crash in rdncache_add_elem (#5406) * Issue 3903 - keep alive update event starts too soon * Issue 5397 - Fix various memory leaks * Issue 5399 -UI-LDAPEditor is not updated when we switch instances (#5400) * Issue 3903 - Supplier should do periodic updates * Issue 5377 - Code cleanup: Fix Covscan invalid reference (#5393) * Issue 5392 - dscreate fails when using alternative ports in the SELinux hi_reserved_port_t label range * Issue 5386 -BUG- Update sudoers schema to correctly supportUTF-8 (#5387) * Issue 5388 - fix use-after-free and deadcode * -- Directory Server Development Team

1 year, 1 month

1
0
0 / 0

Re: [EXT]Re: Re: DNA Plugin creating duplicates

by Thierry Bordaz

Hi Todd, Thanks for your explanations, it make sense. To make it work, was it enough to add to the definitions (uidNumber/gidNumber) (usr/share/dirsrv/schema/*) 'ORDERING integerOrderingMatch'. Or did you have to add 'nsMatchingRule: integerOrderingMatch' to the index entry and reindex ? best regards thierry On 8/17/22 5:47 PM, Merritt, Todd R - (tmerritt) wrote: > Hi Theirry, > > It looks like that internal search was failing due to not having the > appropriate matching rules in place. Once I added the indices it > started to behave correctly. I guess it's probably a bug that it does > not indicate that the search failed and/or continues to allocate the > value without really knowing if it's a duplicate or not. > > Thanks, > Todd > ------------------------------------------------------------------------ > *From:* Thierry Bordaz <tbordaz(a)redhat.com> > *Sent:* Wednesday, August 17, 2022 8:30 AM > *To:* General discussion list for the 389 Directory server project. > <389-users(a)lists.fedoraproject.org>; Merritt, Todd R - (tmerritt) > <tmerritt(a)arizona.edu> > *Subject:* [EXT]Re: [389-users] Re: DNA Plugin creating duplicates > > *External Email* > > Hi, > > > sorry to be late on that thread. DNA should prevent duplicate values > via internal searches before allocating. If configured ranges from > server are separated, DNA should not allocate duplicate. Is it > possible that a direct update could set the attribute managed by DNA ? > > > regards > Thierry > > On 8/11/22 9:59 PM, Merritt, Todd R - (tmerritt) wrote: >> Yep, I just tested it out for haha's on my test directory instance >> after skimming the plugin source and seeing that it actually does >> does a range search using >=, <=. Sure enough that seems to have >> resolved it. It did work properly in the current configuration once >> upon a time so either my directory grew enough that the range search >> started to time out without the index or the range search was >> introduced in an update at some point. Thanks for the pointer! >> >> Todd >> ------------------------------------------------------------------------ >> *From:* Patrick M Landry <patrick.landry(a)louisiana.edu> >> <mailto:patrick.landry@louisiana.edu> >> *Sent:* Thursday, August 11, 2022 12:55 PM >> *To:* General discussion list for the 389 Directory server project. >> <389-users(a)lists.fedoraproject.org> >> <mailto:389-users@lists.fedoraproject.org> >> *Subject:* [EXT][389-users] Re: DNA Plugin creating duplicates >> >> *External Email* >> >> Sorry, I just double checked and I *do* have >> the integerOrderingMatch Matching Rule configured for uidNumber and >> gidNumber. I have no idea if that would make a difference for you or not. >> >> -- >> Patrick Landry >> Special Projects Engineer >> University Computing Support Services >> University of Louisiana at Lafayette >> P.O. Box 43621 >> Lafayette, LA 70504 >> (337) 482-6402 >> patrick.landry(a)louisiana.edu <mailto:patrick.landry@louisiana.edu> >> ––––––––––––––––––––––––– >> Université des Acadiens >> >> ------------------------------------------------------------------------ >> *From:* Merritt, Todd R - (tmerritt) <tmerritt(a)arizona.edu> >> <mailto:tmerritt@arizona.edu> >> *Sent:* Thursday, August 11, 2022 2:26 PM >> *To:* General discussion list for the 389 Directory server project. >> <389-users(a)lists.fedoraproject.org> >> <mailto:389-users@lists.fedoraproject.org> >> *Subject:* [389-users] Re: DNA Plugin creating duplicates >> CAUTION: This email originated from outside of UL Lafayette. Do not >> click links or open attachments unless you recognize the sender and >> know the content is safe. >> >> Thanks, that's a good thought. It looks like I do have the index set >> up though. >> >> dn: cn=uidnumber,cn=index,cn=userroot,cn=ldbm >> database,cn=plugins,cn=config >> cn: uidnumber >> nsIndexType: eq >> nsSystemIndex: False >> objectClass: top >> objectClass: nsIndex >> >> Does the index also need to support nsMatchingRule: >> integerOrderingMatch for inequality searching? >> >> Todd >> ------------------------------------------------------------------------ >> *From:* Patrick M Landry <patrick.landry(a)louisiana.edu> >> <mailto:patrick.landry@louisiana.edu> >> *Sent:* Thursday, August 11, 2022 12:16 PM >> *To:* General discussion list for the 389 Directory server project. >> <389-users(a)lists.fedoraproject.org> >> <mailto:389-users@lists.fedoraproject.org> >> *Subject:* [EXT][389-users] Re: DNA Plugin creating duplicates >> >> *External Email* >> >> It has been a long time since I set this up and I am running an older >> version of the server but I did find this in my notes: >> >> Before assigning a number to a new entry theDNAplugin searches >> the directory to ensure that the number is not already being >> used. For this reason indexes had to be created for all of the >> attributes which theDNAplugin can assign values to. >> >> >> Perhaps that is it? >> -- >> Patrick Landry >> Special Projects Engineer >> University Computing Support Services >> University of Louisiana at Lafayette >> P.O. Box 43621 >> Lafayette, LA 70504 >> (337) 482-6402 >> patrick.landry(a)louisiana.edu <mailto:patrick.landry@louisiana.edu> >> ––––––––––––––––––––––––– >> Université des Acadiens >> >> ------------------------------------------------------------------------ >> *From:* Merritt, Todd R - (tmerritt) <tmerritt(a)arizona.edu> >> <mailto:tmerritt@arizona.edu> >> *Sent:* Thursday, August 11, 2022 12:51 PM >> *To:* 389-users(a)lists.fedoraproject.org >> <mailto:389-users@lists.fedoraproject.org> >> <389-users(a)lists.fedoraproject.org> >> <mailto:389-users@lists.fedoraproject.org> >> *Subject:* [389-users] DNA Plugin creating duplicates >> CAUTION: This email originated from outside of UL Lafayette. Do not >> click links or open attachments unless you recognize the sender and >> know the content is safe. >> >> Hi, >> >> I'm running 389ds 2.0.15 on a two node cluster in a multi master >> mode. I'm using the DNA plugin to generate unique uid numbers for new >> accounts. Each directory instance is assigned a unique range of uid >> numbers. It works in so far as it assigns a uid number when it gets >> the magic token but whatever is supposed to be verifying that the uid >> number is not already assigned is not working. I've cranked the error >> log level up, but I don't get anything in the logs that is helpful in >> determining why that validation is not working correctly. >> >> # ansible-managed-uidnumber-generation, Distributed Numeric >> Assignment Plugin, >> plugins, config >> dn: cn=ansible-managed-uidnumber-generation,cn=Distributed Numeric >> Assignment >> Plugin,cn=plugins,cn=config >> objectClass: top >> objectClass: dnaPluginConfig >> cn: ansible-managed-uidnumber-generation >> dnaType: uidNumber >> dnaNextValue: 62009 >> dnaMaxValue: 131000 >> dnaMagicRegen: generate >> dnaFilter: (objectclass=posixAccount) >> dnaScope: ou=Accounts,dc=example,dc=edu >> dnaSharedCfgDN: ou=ranges,ou=Accounts,dc=example,dc=edu >> >> I'm stumped. Anyone have any direction on how to debug this further? >> >> Thanks! >> Todd >> >> _______________________________________________ >> 389-users mailing list --389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> >> To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org> >> Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ <https://docs.fedoraproject.org/en-US/project/code-of-conduct/> >> List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines <https://fedoraproject.org/wiki/Mailing_list_guidelines> >> List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe... <https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...> >> Do not reply to spam, report it:https://pagure.io/fedora-infrastructure/new_issue <https://pagure.io/fedora-infrastructure/new_issue>

1 year, 1 month

2
1
0 / 0

Re: DNA Plugin creating duplicates

by Thierry Bordaz

Hi, sorry to be late on that thread. DNA should prevent duplicate values via internal searches before allocating. If configured ranges from server are separated, DNA should not allocate duplicate. Is it possible that a direct update could set the attribute managed by DNA ? regards Thierry On 8/11/22 9:59 PM, Merritt, Todd R - (tmerritt) wrote: > Yep, I just tested it out for haha's on my test directory instance > after skimming the plugin source and seeing that it actually does does > a range search using >=, <=. Sure enough that seems to have resolved > it. It did work properly in the current configuration once upon a time > so either my directory grew enough that the range search started to > time out without the index or the range search was introduced in an > update at some point. Thanks for the pointer! > > Todd > ------------------------------------------------------------------------ > *From:* Patrick M Landry <patrick.landry(a)louisiana.edu> > *Sent:* Thursday, August 11, 2022 12:55 PM > *To:* General discussion list for the 389 Directory server project. > <389-users(a)lists.fedoraproject.org> > *Subject:* [EXT][389-users] Re: DNA Plugin creating duplicates > > *External Email* > > Sorry, I just double checked and I *do* have the integerOrderingMatch > Matching Rule configured for uidNumber and gidNumber. I have no idea > if that would make a difference for you or not. > > -- > Patrick Landry > Special Projects Engineer > University Computing Support Services > University of Louisiana at Lafayette > P.O. Box 43621 > Lafayette, LA 70504 > (337) 482-6402 > patrick.landry(a)louisiana.edu > ––––––––––––––––––––––––– > Université des Acadiens > > ------------------------------------------------------------------------ > *From:* Merritt, Todd R - (tmerritt) <tmerritt(a)arizona.edu> > *Sent:* Thursday, August 11, 2022 2:26 PM > *To:* General discussion list for the 389 Directory server project. > <389-users(a)lists.fedoraproject.org> > *Subject:* [389-users] Re: DNA Plugin creating duplicates > CAUTION: This email originated from outside of UL Lafayette. Do not > click links or open attachments unless you recognize the sender and > know the content is safe. > > Thanks, that's a good thought. It looks like I do have the index set > up though. > > dn: cn=uidnumber,cn=index,cn=userroot,cn=ldbm > database,cn=plugins,cn=config > cn: uidnumber > nsIndexType: eq > nsSystemIndex: False > objectClass: top > objectClass: nsIndex > > Does the index also need to support nsMatchingRule: > integerOrderingMatch for inequality searching? > > Todd > ------------------------------------------------------------------------ > *From:* Patrick M Landry <patrick.landry(a)louisiana.edu> > *Sent:* Thursday, August 11, 2022 12:16 PM > *To:* General discussion list for the 389 Directory server project. > <389-users(a)lists.fedoraproject.org> > *Subject:* [EXT][389-users] Re: DNA Plugin creating duplicates > > *External Email* > > It has been a long time since I set this up and I am running an older > version of the server but I did find this in my notes: > > Before assigning a number to a new entry theDNAplugin searches the > directory to ensure that the number is not already being used. For > this reason indexes had to be created for all of the attributes > which theDNAplugin can assign values to. > > > Perhaps that is it? > -- > Patrick Landry > Special Projects Engineer > University Computing Support Services > University of Louisiana at Lafayette > P.O. Box 43621 > Lafayette, LA 70504 > (337) 482-6402 > patrick.landry(a)louisiana.edu > ––––––––––––––––––––––––– > Université des Acadiens > > ------------------------------------------------------------------------ > *From:* Merritt, Todd R - (tmerritt) <tmerritt(a)arizona.edu> > *Sent:* Thursday, August 11, 2022 12:51 PM > *To:* 389-users(a)lists.fedoraproject.org > <389-users(a)lists.fedoraproject.org> > *Subject:* [389-users] DNA Plugin creating duplicates > CAUTION: This email originated from outside of UL Lafayette. Do not > click links or open attachments unless you recognize the sender and > know the content is safe. > > Hi, > > I'm running 389ds 2.0.15 on a two node cluster in a multi master mode. > I'm using the DNA plugin to generate unique uid numbers for new > accounts. Each directory instance is assigned a unique range of uid > numbers. It works in so far as it assigns a uid number when it gets > the magic token but whatever is supposed to be verifying that the uid > number is not already assigned is not working. I've cranked the error > log level up, but I don't get anything in the logs that is helpful in > determining why that validation is not working correctly. > > # ansible-managed-uidnumber-generation, Distributed Numeric Assignment > Plugin, > plugins, config > dn: cn=ansible-managed-uidnumber-generation,cn=Distributed Numeric > Assignment > Plugin,cn=plugins,cn=config > objectClass: top > objectClass: dnaPluginConfig > cn: ansible-managed-uidnumber-generation > dnaType: uidNumber > dnaNextValue: 62009 > dnaMaxValue: 131000 > dnaMagicRegen: generate > dnaFilter: (objectclass=posixAccount) > dnaScope: ou=Accounts,dc=example,dc=edu > dnaSharedCfgDN: ou=ranges,ou=Accounts,dc=example,dc=edu > > I'm stumped. Anyone have any direction on how to debug this further? > > Thanks! > Todd > > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

1 year, 1 month

2
1
0 / 0

Re: 389-ds-base/cockpit-389-ds on EL9

by Mark Reynolds

On 8/14/22 11:10 AM, Daniel Bird wrote: > > *>>*I will report back any issues as I test. > > So far, no major issues. I’ve set up a supplier replica from our > CentOS 7 service running 1.3.10 from EPEL 7 and all seems well. It did > require a tweak to some legacy schema files that are still hanging > round from when we used the “Sun Directory Server” way back in the > day, that has been the case ever since we moved from the Sun DS server > and upgraded to 389. At some point I’ll clean up and remove the old > data from the directory that references them. > > I also had a small issue setting the SSL cert via cockpit, where it > would keep reverting to the self-signed “Server-Cert” . > What exactly were you trying to do? Were you trying to change the server certificate name to a different one? Thanks, Mark > On reflection, it could have been because I was trying to use an > expired cert, rather than the current one, but it didn’t say there was > a problem. I set it manually via dse.ldif in the end. > > Many thanks > > Dan > > > _______________________________________________ > 389-users mailing list --389-users(a)lists.fedoraproject.org > To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe... > Do not reply to spam, report it:https://pagure.io/fedora-infrastructure/new_issue -- Directory Server Development Team

1 year, 1 month

2
1
0 / 0

Re: 389-ds-base/cockpit-389-ds on EL9

by Daniel Bird

>>I will report back any issues as I test. So far, no major issues. I’ve set up a supplier replica from our CentOS 7 service running 1.3.10 from EPEL 7 and all seems well. It did require a tweak to some legacy schema files that are still hanging round from when we used the “Sun Directory Server” way back in the day, that has been the case ever since we moved from the Sun DS server and upgraded to 389. At some point I’ll clean up and remove the old data from the directory that references them. I also had a small issue setting the SSL cert via cockpit, where it would keep reverting to the self-signed “Server-Cert” . On reflection, it could have been because I was trying to use an expired cert, rather than the current one, but it didn’t say there was a problem. I set it manually via dse.ldif in the end. Many thanks Dan

1 year, 1 month

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users August 2022