Re: How to replicate password lockout attributes from a consumer or hub to a master(s) - 389-users - Fedora mailing-lists

16 Aug 2021

      On 8/16/21 12:01 PM, Michael Starling wrote:
...

*From:* Michael Starling mlstarling31@hotmail.com
*Sent:* Monday, August 16, 2021 10:54 AM
*To:* Pierre Rogier progier@redhat.com; General discussion list for 
the 389 Directory server project. 389-users@lists.fedoraproject.org
*Subject:* [389-users] Re: How to replicate password lockout 
attributes from a consumer or hub to a master(s)

*From:* Pierre Rogier progier@redhat.com
*Sent:* Monday, August 16, 2021 6:33 AM
*To:* General discussion list for the 389 Directory server project. 
389-users@lists.fedoraproject.org
*Cc:* Michael Starling mlstarling31@hotmail.com
*Subject:* Re: [389-users] Re: How to replicate password lockout 
attributes from a consumer or hub to a master(s)
On Fri, Aug 13, 2021 at 9:42 PM Mark Reynolds <mreynolds@redhat.com 
mailto:mreynolds@redhat.com> wrote:
On 8/13/21 2:40 PM, Michael Starling wrote:

...
------------------------------------------------------------------------
*From:* Michael Starling <mlstarling31@hotmail.com>
<mailto:mlstarling31@hotmail.com>
*Sent:* Friday, August 13, 2021 10:41 AM
*To:* Mark Reynolds <mreynolds@redhat.com>
<mailto:mreynolds@redhat.com>; General discussion list for the
389 Directory server project. <389-users@lists.fedoraproject.org>
<mailto:389-users@lists.fedoraproject.org>
*Subject:* Re: [389-users] How to replicate password lockout
attributes from a consumer or hub to a master(s)

------------------------------------------------------------------------
*From:* Michael Starling <mlstarling31@hotmail.com>
<mailto:mlstarling31@hotmail.com>
*Sent:* Thursday, August 12, 2021 3:29 PM
*To:* Mark Reynolds <mreynolds@redhat.com>
<mailto:mreynolds@redhat.com>; General discussion list for the
389 Directory server project. <389-users@lists.fedoraproject.org>
<mailto:389-users@lists.fedoraproject.org>
*Subject:* Re: [389-users] How to replicate password lockout
attributes from a consumer or hub to a master(s)

------------------------------------------------------------------------
*From:* Mark Reynolds <mreynolds@redhat.com>
<mailto:mreynolds@redhat.com>
*Sent:* Thursday, August 12, 2021 3:16 PM
*To:* Michael Starling <mlstarling31@hotmail.com>
<mailto:mlstarling31@hotmail.com>; General discussion list for
the 389 Directory server project.
<389-users@lists.fedoraproject.org>
<mailto:389-users@lists.fedoraproject.org>
*Subject:* Re: [389-users] How to replicate password lockout
attributes from a consumer or hub to a master(s)

On 8/12/21 2:33 PM, Michael Starling wrote:

...
------------------------------------------------------------------------
*From:* Mark Reynolds <mreynolds@redhat.com>
<mailto:mreynolds@redhat.com>
*Sent:* Thursday, August 12, 2021 11:48 AM
*To:* General discussion list for the 389 Directory server
project. <389-users@lists.fedoraproject.org>
<mailto:389-users@lists.fedoraproject.org>; Michael Starling
<mlstarling31@hotmail.com> <mailto:mlstarling31@hotmail.com>
*Subject:* Re: [389-users] How to replicate password lockout
attributes from a consumer or hub to a master(s)

On 8/12/21 10:53 AM, Michael Starling wrote:

...
Hello.

I've taken over a large 389-ds environment running on Oracle
Linux 8 and the first task I need to complete is to enable
password lockouts.

I was able to enable password lockouts successfully however it
only works if the client is pointed directly to a master. The
account locks out and the attributes are propagated down to the
hubs and consumers.

If the client is pointed to a read-only hub or consumer then
the account does not lockout and the password attributes do not
propagate back to the masters.

*passwordIsGlobalPolicy*: on is set on all masters, hubs and
consumers

Password policy attributes I expect to replicate:

*passwordRetryCount*
*accountUnlockTime*
*retryCountResetTime*

I've tried following the chaining guide below which I think is
what I need to do to get this work as expected, however I've
hit a snag.

https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html
<https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html>
389 Directory Server - Howto:ChainOnUpdate
<https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html>
Introduction. The usual deployment for a large replication
topology will have the client applications reading from hubs or
dedicated consumers in order to spread out the load and
off-load search request processing from the masters.
directory.fedoraproject.org <http://directory.fedoraproject.org>

The document states the backend must be added to the hub or
consumer, however when I try and add the following LDIF to the
hub I get the "unwilling to perform" error.

This makes sense because the hub is read-only so I'm confused
as how I can update the config on a read-only hub or consumer?

Hi Michael,
To complete Mark's answer and try to solve your confusion:
 hub and consumer are read-only replicas (i.e backends)
 cn=config is another backend that is still writable.
So you should not be able to modify the entries in the replicated suffix (
   and should instead get referrals towards the master(s)) but you 
should still be able to modify the config.
Regards,
   Pierre
Hi Pierre.
Thanks for confirming what I'm seeing.
Any idea how to set multiple values in the nsfarmserverurl**attribute*?*
...
...
...
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsfarmserverurl: ldap://dsa1.domain.com:389
ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on

adding new entry "cn=chainlab,cn=chaining
database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)

This is the doc you want to follow to get this working. But it
is complicated...

In this case I'm not sure why the error 53 is being returned. 
There is something about that entry it does not like.  So please
check the access and errors log from the time of this failure
(see /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually
more info logged when an error 53 happens.

Also what version of 389-ds-base are you running?

Thanks,
Mark

...
        Hub or Consumer

Step 1 (Hub and Consumer): the chaining backend must be created
on the hub and consumer:

|dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top objectclass: extensibleObject
objectclass: nsBackendInstance cn: chainbe1
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
                                                                          # of ldap for secure connections -
                                                                          # requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password nsCheckLocalACI: on |

Any help would be greatly appreciated.

Thanks

_______________________________________________
389-users mailing list --389-users@lists.fedoraproject.org  <mailto:389-users@lists.fedoraproject.org>
To unsubscribe send an email to389-users-leave@lists.fedoraproject.org  <mailto:389-users-leave@lists.fedoraproject.org>
Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/  <https://docs.fedoraproject.org/en-US/project/code-of-conduct/>
List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines  <https://fedoraproject.org/wiki/Mailing_list_guidelines>
List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org  <https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org>
Do not reply to spam on the list, report it:https://pagure.io/fedora-infrastructure  <https://pagure.io/fedora-infrastructure>

-- 
Directory Server Development Team

Thanks for getting me the right track Mark. Looks like the
"nsFarmServerURL" is not correct.

Versions:

389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64

I thought I was maybe hitting the bug described below so I added
a trailing "/" but the issue persists.

https://bugzilla.redhat.com/show_bug.cgi?id=1363970
<https://bugzilla.redhat.com/show_bug.cgi?id=1363970>

nsfarmserverurl: ldap://dsa1.domain.com:389
ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389*/*

This is what I see in the logs on the hub when trying to add the
LDIF.

The idea is for the hub to send these password attributes back
to all masters.

These are the masters in the environment.
ldap://dsa1.domain.com:389
ldap://dsa2.domain.com:389
ldap://dsa3.domain.com:389
[12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database
- cb_instance_config_initialize -*Error with config attribute
nsfarmserverurl : not a valid LDAP URL*
[12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database
- cb_instance_add_config_check_callback - Can't instantiate
chaining backend instance chainlab.
[12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database
- cb_instance_config_initialize - Error with config attribute
nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database
- cb_instance_add_config_check_callback - Can't instantiate
chaining backend instance chainlab.
[12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database
- cb_instance_config_initialize - Error with config attribute
nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database
- cb_instance_add_config_check_callback - Can't instantiate
chaining backend instance chainlab.
[12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database
- cb_instance_config_initialize - Error with config attribute
nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database
- cb_instance_add_config_check_callback - Can't instantiate
chaining backend instance chainlab

Ok, I think its not liking the multiple values in the attribute,
even though the document says you have multiple urls.  I think
you need to add the config like this:

nsfarmserverurl: ldap://dsa1.domain.com:389

nsfarmserverurl: ldap://dsa2.domain.com:389

nsfarmserverurl: ldap://dsa3.domain.com:389

Give it a try?

HTH,

Mark

-- 
Directory Server Development Team
Looks like it only added the first entry. Do I need to add an entry for each MAster?
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
*nsfarmserverurl: ldap://dsa1.domain.com:389*
nsmultiplexorbinddn: uid=replicator,cn=config
nsmultiplexorcredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA==
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15
nsusestarttls: off
Hi Mark.
I tried adding the subsequent URL's and it doesn't allow multiple entries for this attribute.
It appears all the URLS need to be part of the one*nsfarmserverurl***attribute*.*
**
*ldap_initialize( ldap://dsa4.domain.com )**
add nsFarmServerURL:
ldap://dsa2.domain.com:389
modifying entry "cn=chainlab,cn=chaining
database,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)*
*        additional info: Adding attributes is not allowed***
**
*I believe I have this working now.*
**
*Thank you Mark for getting me pointed in the right direction.*

Were you able to set multiple urls?  Or did you just go with one
for now?

Mark

-- 
Directory Server Development Team

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
<mailto:389-users@lists.fedoraproject.org>
To unsubscribe send an email to
389-users-leave@lists.fedoraproject.org
<mailto:389-users-leave@lists.fedoraproject.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
<https://docs.fedoraproject.org/en-US/project/code-of-conduct/>
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
<https://fedoraproject.org/wiki/Mailing_list_guidelines>
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
<https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org>
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
<https://pagure.io/fedora-infrastructure>

--
Yikes..I figured it out.  You only specify the protocol once.
nsfarmserverurl: *ldap*://dsa1.domain.com:389 dsa2.domain.com:389 
dsa3.domain.com:389/
Actually this is vaguely mentioned in the RHDS 10 admin guide:
2.3.1.2.4. Providing a List of Failover Servers
There can be additional LDAP URLs for servers included to use in the 
case of failure. Add alternate servers to the /|nsFarmServerURL|/ 
attribute, separated by spaces.
nsFarmServerURL: ldap://example.com us.example.com:389 africa.example.com:1000/
In this sample LDAP URL, the database link first contacts the server 
|example.com| on the standard port to service an operation. If it does 
not respond, the database link then contacts the server |us.example.com| 
on port |389|. If this server fails, it then contacts 
|africa.example.com| on port |1000|.
You didn't run into this, but our CLI tools/UI are definitely not 
handling this correctly either.  I will open a bug for that.
Thanks,
Mark
...
389 Directory Server Development Team

389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 
Directory Server Development Team