[Fedora-directory-users] db2ldif causes server to hang
by Steve Halstead
Hi,
We are currently having problems whereby a Fedora DS LDAP server which
has been running for several days begins to hang. The consequence of
this is that further LDAP commands (e.g. ldapsearch and db2ldif)
triggered by cron jobs start but fail to complete. The only way to
recover is to run "killall -9 ns-slapd" and then restart the server
in the usual way.
On an hourly basis, db2ldif is used to export our LDAP repository to an
LDIF file. Looking through the logs, it would appear that the server can
start to hang if db2ldif is interrupted in some way.
The last time that we saw the server hang, in the access log we had
ldapsearch and "Netscape Replication Start Session" both accessing the
server at the same time as our db2ldif export process was running. In
the error log it could be seen that db2ldif stopped mid-way through
exporting users. All further executions of db2ldif failed to complete.
It would seem that db2ldif is generating some sort of lock which isn't
released if it is interrupted.
I have managed to reproduce this server hang by running db2ldif and
killing it with CTRL+C.
We are currently running fedora-ds 1.0.2 on RHEL 4 but I have tried
1.0.4 and had a similar experience.
Has anybody else had a similar experience, or even better, know how to
fix it?
Thanks,
Steve
16 years, 11 months
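An added example, written for this archive page rather than taken from the post or from Fedora DS: a wrapper for an hourly export cron job of the kind described above. It takes a lock so a second export never starts while one is still running, recognises a lock left behind by an interrupted run (Ctrl-C, kill -9) so a dead export does not block every later run, and deliberately never signals the export itself, since the post reports that interrupting db2ldif is what wedges the server; an export that runs far too long is only reported, which is the signal an operator wants in the cron log. The db2ldif path and lock path in the main section are placeholders.

```python
"""Cron wrapper for an LDIF export: single-instance lock with stale-lock
detection, no signals sent to the export process."""
import os
import subprocess
import sys
import time


def pid_alive(pid):
    """True if a process with this PID exists (signal 0 probes without acting)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but belongs to another user
    return True


def acquire_lock(path):
    """Create `path` exclusively with our PID inside. Returns True if we own it.
    A lock whose recorded owner no longer exists is stale and is reclaimed."""
    flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY
    try:
        fd = os.open(path, flags, 0o644)
    except FileExistsError:
        try:
            with open(path) as f:
                owner = int(f.read().strip() or "0")
        except (OSError, ValueError):
            owner = 0
        if owner and pid_alive(owner):
            return False     # a live export holds the lock
        try:
            os.unlink(path)  # stale: the recorded owner is gone
            fd = os.open(path, flags, 0o644)
        except (FileNotFoundError, FileExistsError):
            return False     # someone else reclaimed it first
    with os.fdopen(fd, "w") as f:
        f.write(str(os.getpid()))
    return True


def release_lock(path):
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass


def run_export(cmd, lock_path, warn_after=None, log=print):
    """Run `cmd` (an argv list) under the lock at `lock_path`.
    Returns "skipped" if another export holds the lock, "ok" on exit status 0,
    "failed" otherwise. If warn_after (seconds) is set and the export has not
    finished by then, a warning is logged and the wrapper keeps waiting."""
    if not acquire_lock(lock_path):
        log("export skipped: another export still holds %s" % lock_path)
        return "skipped"
    started = time.monotonic()
    try:
        proc = subprocess.Popen(cmd)
        while True:
            try:
                rc = proc.wait(timeout=warn_after)
                break
            except subprocess.TimeoutExpired:
                log("export still running after %.0f s; not killing it"
                    % (time.monotonic() - started))
                warn_after = None   # warn once, then wait without limit
        status = "ok" if rc == 0 else "failed"
        log("export %s: %s exited with status %d" % (status, cmd[0], rc))
        return status
    finally:
        release_lock(lock_path)


if __name__ == "__main__":
    # Placeholder command line and lock path; adjust to the instance.
    export_cmd = sys.argv[1:] or ["/opt/fedora-ds/slapd-INSTANCE/db2ldif",
                                  "-n", "userRoot",
                                  "-a", "/var/backups/userRoot.ldif"]
    result = run_export(export_cmd, "/var/run/ldif-export.lock",
                        warn_after=1800)
    sys.exit(0 if result == "ok" else 1)
```

Run it from the hourly cron entry in place of the bare db2ldif call; a skipped hour shows up in the cron log with the lock path, and a warning after the chosen threshold tells you an export has been sitting for that long before anything else has stalled.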
[Fedora-directory-users] New Root Object creation problem
by Marcin Mazurek
Hello,
I'm new to FDS, going through the docs to learn how it works. I'm having
problems with the creation of a new root object for a newly created database.
As the docs say, after creating a new database I should assign it to a new
suffix by creating a new root entry. But when I right-click, "New Root
Object" is inactive. I'm logged in as Directory Manager (tried it on the
example LDAP server instance and a new one created by myself). What did I
miss?
best regards
--
Marcin Mazurek
http://www.netsync.pl/ - :::: - nic-hdl: MM3380-RIPE
GnuPG 6687 E661 98B0 AEE6 DA8B 7F48 AEE4 776F 5688 DC89
16 years, 11 months
[Fedora-directory-users] Problem with passsync between FDS and AD
by Alexandre MOREL
Hi,
I'm having some problems with the use of passsync. FDS
(fedora-ds-1.0.4-1.FC6) is set up on a Red Hat 4.1.1-30.
The Active Directory is a Windows 2003 Server Standard.
When I start the passsync service nothing happens, no synchronization between
the two directory servers.
I have the following entries in the logs:
Active Directory :
passsync.log
06/08/07 09:21:25: PassSync service started
06/08/07 09:21:25: Password list is empty. Waiting for passhook event
Fedora DS :
access:
[08/Jun/2007:09:24:29 +0200] conn=26 op=0 BIND dn="cn=directory manager" method=128 version=2
[08/Jun/2007:09:24:29 +0200] conn=26 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jun/2007:09:24:29 +0200] conn=26 op=1 UNBIND
[08/Jun/2007:09:24:29 +0200] conn=26 op=1 fd=64 closed - U1
[08/Jun/2007:09:24:30 +0200] conn=27 fd=64 slot=64 SSL connection from aaa.bbb.ccc.dd to www.xx.yy.zzz
[08/Jun/2007:09:24:30 +0200] conn=27 SSL 128-bit RC4
[08/Jun/2007:09:24:30 +0200] conn=27 op=0 BIND dn="cn=directory manager" method=128 version=2
[08/Jun/2007:09:24:30 +0200] conn=27 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[08/Jun/2007:09:24:30 +0200] conn=27 op=1 UNBIND
[08/Jun/2007:09:24:30 +0200] conn=27 op=1 fd=64 closed - U1
There are 3 minutes between the two hosts.
PassSync says that it has no password list, and in the FDS access log we
can see it doesn't do a search like this line from another query via the
ldapsearch tool:
[07/Jun/2007:17:43:00 +0200] conn=23 op=1 SRCH base="ou=people,dc=toto,dc=fr" scope=2 filter="(uid=*)" attrs=ALL
Some additional things I did on the Active Directory:
I restarted after the setup of passsync.msi.
I tried to regsvr32 the passhook.dll, but Windows says: there is no entry
point DllRegisterServer. Is it a problem?
I suppose it's not an SSL connection problem, but does someone have an idea to
help me?
Cordially
Alexandre MOREL
16 years, 12 months
[Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch
by Sascha Wilde
Hi *,
I have a directory with the basedn:
dc=foo, dc=bar
containing a "sub directory" named "internal":
cn=internal, dc=foo, dc=bar
Now I want to hide "internal" and its children from most users, with
the exception of the members of some administrative groups, so I added an
ACI to "internal" like this:
(targetattr = "*") (version 3.0;acl "hide internal";
deny (read,write,delete,add)
(groupdn != "ldap:///cn=admin,cn=internal,dc=foo,dc=bar" and
groupdn != "ldap:///cn=configuration administrators,ou=groups,
ou=topologymanagement,o=netscaperoot");)
Now I have a user cn=manager,cn=internal,dc=foo,dc=bar who is a member
of the group cn=admin,cn=internal,dc=foo,dc=bar and should be allowed
to access "internal" and its children.
But this doesn't work: I can't even bind as
cn=manager,cn=internal,dc=foo,dc=bar, I suppose because the user is a
child of "internal", and so anonymous isn't allowed to access the
object for authentication.
How can I make it possible to bind as a user in the hidden
sub directory without making it world readable?
cheers
sascha
--
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
16 years, 12 months
[Fedora-directory-users] Replication fails due to lack of permissions
by Brian Fender
I started with two Redhat EL3U5 servers, setting up the newest available
directory server (fedora-ds rpm) on each server with an identical
configuration. I set up Single Master replication according to this
guide:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/replicat.html#1108849
That is, I created a 'cn=replication manager,cn=config' by pasting
the example entry from the guide in the config/dse.ldif on the slave
(consumer) server. I verified this account works by using LDAP
Browser/Editor, I can log in and view my LDAP directory 'dc=foo,dc=net'.
I cannot, however, add or delete any foo.net entries when logged in as
the replication manager. When I configured a replication agreement on
the master/supplier and restarted both servers, it errors out with:
NSMMReplicationPlugin - agmt="cn=myagreement" (192:1389): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.
I had specified the ip address of the slave/consumer server when setting
up the replication agreement, but because it refers to it as '192:1389'
in the logs I thought maybe it was looking for a hostname. Getting past
the fact that it will not allow underscores in the consumer name (I
assume this is a bug), I added an /etc/hosts entry for the consumer on
the master and recreated the replication agreement and restarted both
servers. I still have the same problem:
NSMMReplicationPlugin - agmt="cn=myagreement" (testappserver2:1389): Unable to acquire replica: permission denied. The bind dn "cn=replication manager,cn=config" does not have permission to supply replication updates to the replica. Will retry later.
On the slave/consumer, I get:
NSMMReplicationPlugin - conn=9 op=3 replica="dc=foo,dc=net": Unable to acquire replica: error: permission denied
Any idea why this is happening? Shouldn't the replication manager have
read/write permissions to the userRoot by default since it inherits all
the administrator roles?
16 years, 12 months
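An added example, not code from the post above or from Fedora DS: an offline check of a consumer's dse.ldif for the usual cause of the "permission denied ... does not have permission to supply replication updates" error. A consumer accepts replication updates only from bind DNs listed in the nsDS5ReplicaBindDN attribute of the replica entry for that suffix (cn=replica,cn="<suffix>",cn=mapping tree,cn=config); an account under cn=config that can read the tree is not enough on its own. The dse.ldif excerpt in the block is constructed for the example, with attribute values chosen to show the mismatch.

```python
"""Check whether a supplier bind DN is allowed by a consumer's replica entry."""
import re

# Constructed excerpt: the replication manager exists and the replica entry
# for dc=foo,dc=net exists, but its bind-DN list names a different account.
SAMPLE_DSE = """\
dn: cn=replication manager,cn=config
objectClass: person
cn: replication manager
sn: RM

dn: cn=replica,cn="dc=foo,dc=net",cn=mapping tree,cn=config
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: dc=foo,dc=net
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsDS5ReplicaBindDN: cn=other supplier,cn=config
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, keeps repeated
    attribute values, skips comments and base64 (::) values.
    Returns a list of (dn, {attr_lowercase: [values]})."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, val = line.partition(":")
        if not sep or val.startswith(":"):
            continue
        attr, val = attr.strip().lower(), val.strip()
        if attr == "dn":
            cur = (val, {})
        elif cur is not None:
            cur[1].setdefault(attr, []).append(val)
    return entries


def normalize_dn(dn):
    """Case-fold and drop whitespace after separators so DNs that differ only
    in case or spacing compare equal (sufficient for cn=config entries)."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def replica_entry(entries, suffix):
    want = normalize_dn('cn=replica,cn="%s",cn=mapping tree,cn=config' % suffix)
    for dn, attrs in entries:
        if normalize_dn(dn) == want:
            return attrs
    return None


def check_supplier_bind(dse_text, suffix, bind_dn):
    """Return "ok" when bind_dn may supply updates for suffix, else the reason."""
    attrs = replica_entry(parse_ldif(dse_text), suffix)
    if attrs is None:
        return "no replica entry for suffix %s on this server" % suffix
    allowed = [normalize_dn(v) for v in attrs.get("nsds5replicabinddn", [])]
    if normalize_dn(bind_dn) in allowed:
        return "ok"
    return "bind dn %s is not listed in nsDS5ReplicaBindDN (listed: %s)" % (
        bind_dn, ", ".join(allowed) or "none")


def grant_ldif(suffix, bind_dn):
    """LDIF for ldapmodify that adds bind_dn to the replica's bind-DN list."""
    return ('dn: cn=replica,cn="%s",cn=mapping tree,cn=config\n'
            'changetype: modify\n'
            'add: nsDS5ReplicaBindDN\n'
            'nsDS5ReplicaBindDN: %s\n' % (suffix, bind_dn))


if __name__ == "__main__":
    print(check_supplier_bind(SAMPLE_DSE, "dc=foo,dc=net",
                              "cn=replication manager,cn=config"))
    print(grant_ldif("dc=foo,dc=net", "cn=replication manager,cn=config"))
```

Run it against a copy of the consumer's dse.ldif (taken while the server is stopped, or via an ldapsearch of the replica entry as Directory Manager) rather than editing dse.ldif by hand on a running server; the grant_ldif output is meant for ldapmodify against the consumer.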
[Fedora-directory-users] Load Testing question
by Anderson, Cary
I am still playing around with load/stress testing my FDS install. I am using slamd to run the tests, and I am running the basic load and the basic search tests against my test boxes. The slamd client and the FDS server are on identical hardware running RHEL4 with 2G memory and 2 Intel Xeon 3.6GHz processors. The issue I am seeing is that I am getting "cannot connect to the ldap server" errors once I push the "threads per client" past 2400. My question is: am I hitting a limit on the OS (max tcp connections)? Or an FDS limit? My assumption was that given appropriate hardware and proper configuration, I could expect FDS to handle more than 2400 concurrent connections. Any insights as to what I might be missing would be greatly appreciated.
Thanks
FDS Config:
Performance settings are:
Time Limit: 3600
Max file descriptors: 65535
Database Link Connection Management Settings
Max TCP connections: 6
Bind Timeout: 15
Max binds per conn: 20
Timeout before Abandon: 1
Max LDAP Conn: 40
Max bind retries: 6
Max operations/conn: 2
Database Settings:
Max Cache Size: 66060288
Mem Avail for cache: 105622733
Note: uidnumber is indexed
SLAMD test parameters:
Scheduled Start Time 06/05/2007 13:10:46
Scheduled Stop Time (not specified)
Scheduled Duration 300 seconds
Number of Clients 1
Wait for Available Clients true
Monitor Clients if Available false
Threads per Client 2400
Thread Startup Delay 0 milliseconds
Statistics Collection Interval 60 seconds
Job Dependencies (none specified)
Notify on Completion (none specified)
Parameter Information
Directory Server Host app2
Directory Server Port 389
Bind DN (not specified)
Bind Password (not specified)
Search Base dc=calpers,dc=ca,dc=gov
Search Scope Whole Subtree
Search Filter uidnumber=50000
Filter File URL (not specified)
Attributes to Return uidnumber
Warm Up Time 0
Cool Down Time 0
Search Size Limit 0
Search Time Limit 0
Time Between Requests (ms) 0
Use SSL false
Blindly Trust Any Certificate true
SSL Key Store (not specified)
SSL Key Store Password (not specified)
SSL Trust Store (not specified)
SSL Trust Store Password (not specified)
Number of Iterations -1
Always Disconnect false
Follow Referrals false
Cary Anderson, Systems Software Specialist
UNIX/Linux Services
Information Technology Services Branch
Technology Services & Support Division / Data Center Section
System Software & Storage Infrastructure
CalPERS
Phone: (916) 795-2588
Fax: (916) 795-2424
16 years, 12 months
[Fedora-directory-users] ACIs not propagating to subtrees?
by Sascha Wilde
Hi *,
is there a way to make ACIs which don't propagate to subtrees?
I want to change the default ACIs so that they don't apply to some
subtrees; then I could write some simple allow rules for these subtrees
instead of writing deny rules with certain rather complex exceptions.
cheers
sascha
--
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
16 years, 12 months
[Fedora-directory-users] FDS on EL4 startup errors
by Tom Diehl
Hi,
I am trying to get FDS running on a fully updated EL4 machine. I installed
the fedora-ds-1.0.4-1.RHEL4 rpm and all looks fine until I try to start the
admin console. When I do that I get the following errors:
(pocono pts7) # ./startconsole -u admin -a http://pocono.keenanmotorgroup.com:47868/
Warning: -ms8m not understood. Ignoring.
Warning: -mx64m not understood. Ignoring.
Exception in thread "GtkMain" java.lang.UnsatisfiedLinkError: gtkInit
at _Jv_LookupJNIMethod (/usr/lib64/libgcj.so.5.0.0)
at _Jv_JNIMethod.call(ffi_cif, void, ffi_raw, void) (/usr/lib64/libgcj.so.5.0.0)
at gnu.java.awt.peer.gtk.GtkMainThread.run() (Unknown Source)
at java.lang.Thread.run() (/usr/lib64/libgcj.so.5.0.0)
at _Jv_ThreadRun(java.lang.Thread) (/usr/lib64/libgcj.so.5.0.0)
at GC_start_routine (/usr/lib64/libgcj.so.5.0.0)
at __clone (/lib64/tls/libc-2.3.4.so)
If I try telnetting to port 47868 I get connection refused.
(pocono pts9) # telnet pocono.keenanmotorgroup.com 47868
Trying 10.42.123.11...
telnet: connect to address 10.42.123.11: Connection refused
(pocono pts9) #
Does anyone know what I am doing wrong?
So far google and the documentation have not revealed anything useful.
Regards,
--
Tom Diehl tdiehl(a)rogueind.com Spamtrap address mtd123(a)rogueind.com
17 years
[Fedora-directory-users] Win Sync doesn't work
by Luigi Santangelo
Hi all, I'm going crazy. I hope that you can help me. I cannot
establish a sync from Fedora DS to Active Directory (Windows 2000
Server). It seems to me a certificate problem. In the Fedora
Directory Server, Server Certs tab, I installed the Fedora's cert (this
cert is signed by my self-signed CA). In the CA Certs tab, I installed
the self-signed CA's cert. On the Windows side, in PassSync, I
installed the Fedora cert. PassSync works fine and I can synchronize
the users' passwords when they are changed. On the Windows 2000 server, I
also installed the CA's cert. Is this correct? Or are there any errors?
When I create the sync from Fedora, I complete the wizard with no
errors. But when I right-click on the sync and initiate full
re-synchronization, this error appears: "The consumer initialization has
unsuccesfully completed. The error received by the replica is: '81 -
LDAP error: Can't contact LDAP > server'". If I try to connect it to my
Windows server using port 389, only the Windows groups are
synchronized (in the Fedora Directory I see only Windows groups and no
users). Another question: on my Windows box, shall I install Kerberos?
Thanks all.
Luigi
17 years
[Fedora-directory-users] nss_ldap - using full DNs in member attribute
by Stipl, Stepan
Hi,
I'm trying to set up authentication against Fedora DS on a Linux box
(Gentoo). Everything is working fine, except for one thing - I have
groups with members in uniqueMember attributes and I have full DNs there
- like "uid=sstipl,ou=users,dc=example,dc=com" - but nss expects me
to have just logins there (the uid's value in this case).
So when I do "getent group" I receive something like this for groups
from LDAP:
testgroup:*:1010:uid=sstipl,ou=users,dc=example,dc=com,uid=jsmith,ou=users,dc=example,dc=com
Any idea how to set up nss (probably?) to use just the RDN value (uid's in this
case) from the uniqueMember attribute? To get this:
"testgroup:*:1010:sstipl,jsmith"
many thanks.
.stepan
17 years
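An added example, not code from the post above or from nss_ldap: the group line the poster sees is the uniqueMember DNs glued together with commas, which is ambiguous because DNs themselves contain commas. These helpers take a DN apart the way RFC 4514 requires (unescaped commas separate RDNs; "\," and "\XX" are escapes), extract the value of the leftmost RDN, and rewrite such a group line into the "sstipl,jsmith" form the poster wants. That is the transformation a name service has to perform for DN-valued members; the code does not touch nss_ldap's configuration, and the sample group lines in the test are constructed.

```python
"""RFC 4514 DN splitting and RDN-value extraction for DN-valued group members."""
import re

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas, leaving escapes intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])       # keep "\," "\\" "\XX" as written
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def unescape_value(value):
    """Undo RFC 4514 escaping: "\\c" yields c, "\\XX" yields the byte 0xXX."""
    out, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and _HEX_PAIR.fullmatch(pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
            continue
        out += ch.encode("utf-8")
        i += 1
    return out.decode("utf-8", errors="replace")


def rdn_value(dn):
    """(attribute type, unescaped value) of the leftmost RDN of `dn`."""
    attr, sep, raw = split_dn(dn)[0].partition("=")
    if not sep:
        raise ValueError("not a DN: %r" % dn)
    return attr.strip().lower(), unescape_value(raw.strip())


def bare_members(group_line, attr="uid"):
    """Rewrite a getent-style group line whose member field holds full DNs so
    that each member is just the value of its `attr` RDN. Members that are
    already bare logins are kept; DNs whose first RDN is not `attr` are kept
    whole rather than silently mapped to the wrong name."""
    name, passwd, gid, members = group_line.split(":", 3)
    marker = attr.lower() + "="
    groups, cur = [], []
    for seg in split_dn(members):         # the member list is comma-joined too
        starts_member = seg.lower().startswith(marker) or "=" not in seg
        if starts_member and cur:
            groups.append(",".join(cur))
            cur = []
        if seg:
            cur.append(seg)
    if cur:
        groups.append(",".join(cur))
    logins = []
    for member in groups:
        if "=" not in member:
            logins.append(member)         # already a bare login
            continue
        a, v = rdn_value(member)
        logins.append(v if a == attr.lower() else member)
    return ":".join([name, passwd, gid, ",".join(logins)])


if __name__ == "__main__":
    print(bare_members("testgroup:*:1010:uid=sstipl,ou=users,dc=example,dc=com,"
                       "uid=jsmith,ou=users,dc=example,dc=com"))
```

The member-boundary rule (a new member starts at a segment whose RDN type is the expected one) is what makes the joined form recoverable at all; it is also why a directory that keeps DN-valued members should let the client resolve them as DNs rather than have consumers re-split strings like the one above.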