[Fedora-directory-users] directory server setting fail to terminate idle connections
by Brian Fender
I ran into issues hitting the max filedescriptors setting and found that
it was because the server never terminates idle connections. I have an
idle timeout setting of 1200 seconds (20min). If I make an LDAP request
from a client to the directory server, the tcp connection stays in
ESTABLISHED state on the server side forever. I ran tcpdump on the
client side and not a single packet of traffic was sent to the server
for hours.
Any idea why this connection would not be terminated after 1200 sec?
16 years, 9 months
Re: [Fedora-directory-users] FDS log management - bug?
by Ivanov Andrey (M.)
Hi,
Noriko Hosoi <nhosoi(a)redhat.com> wrote:
> I tried to reproduce the problem with these config parameters, but I
> could not.
>
> nsslapd-accesslog-logging-enabled: on
> nsslapd-accesslog-maxlogsperdir: 10
> nsslapd-accesslog-mode: 600
> nsslapd-accesslog-maxlogsize: 10
> nsslapd-accesslog-logrotationtime: 1
> nsslapd-accesslog-logrotationtimeunit: day
> nsslapd-accesslog-logrotationsync-enabled: on
> nsslapd-accesslog-logrotationsynchour: 10
> nsslapd-accesslog-logrotationsyncmin: 40
> nsslapd-accesslog: /var/log/redhat-ds/slapd-laputa/access
>
> It rotated the access log at 10:40, but it did not remove my
> older/oldest log access.20070810-173005:
>
> total 11788
> -rw------- 1 nobody nobody 8570855 Aug 13 10:52 access
> -rw------- 1 nobody root 108003 Aug 10 17:33 access.20070810-173005
> -rw------- 1 nobody nobody 1845874 Aug 13 10:33 access.20070813-103043
> -rw------- 1 nobody nobody 1453655 Aug 13 10:40 access.20070813-103824 <=== rotated at 10:40
> -rw------- 1 nobody root 377 Aug 13 10:40 access.rotationinfo
> -rw------- 1 nobody root 0 Aug 10 17:30 audit
> -rw------- 1 nobody root 63 Aug 10 17:30 audit.rotationinfo
> -rw------- 1 nobody root 5878 Aug 13 10:38 errors
> -rw------- 1 nobody root 63 Aug 10 17:30 errors.rotationinfo
>
> Do you happen to have any other advice I could test on?
> Thanks,
> --noriko
Actually, when you first set the time for the rotation
(nsslapd-accesslog-logrotationsynchour and
nsslapd-accesslog-logrotationsyncmin) everything goes well. It is from
the following rotation (after 24 hours) onwards that it starts to
behave differently. So just wait another 24 hours without restarting
the server...
And it seems to me that I've found the reason for this strange
behaviour. It is half a Java console bug and half a server bug:
1. When you set the deletion policy with the Java console and do not
change the default time unit at the same time (for example, I put
12 MONTHs instead of the default 1 MONTH), the console does not write
the attribute 'nsslapd-accesslog-logexpirationtimeunit' (or
'nsslapd-errorlog-logexpirationtimeunit' for error logs, and maybe the
same problem for audit logs) into dse.ldif. By default, this attribute
is not present. It does, however, write the
'nsslapd-accesslog-logexpirationtime' attribute. That is the first bug.
2. So what happens next... The server finds itself with
'nsslapd-accesslog-logexpirationtime' set but without the time unit.
When the attribute 'nsslapd-accesslog-logexpirationtimeunit' is not
set, according to the documentation the server should not delete the
logs at all (cf. "If the unit is unknown by the server, then the log
will never expire"). However, that's exactly what it does: it deletes
all the logs but the last rotated one. That is the second bug.
(Concerning the version of the server, it's a compiled rpm from
dsbuild-fds104.tar.gz on CentOS 5, x32 architecture.)
Anyway, it's a cosmetic bug, but since I've run into it I thought I
should share my experience :)
Talking about cosmetic bugs... There is another small bug concerning
the description of the ACI bind rules in the documentation. Namely, in
chapter 6 (Managing Access Control) of the Administrator's Guide, on
page 240 of the PDF version
(http://www.redhat.com/docs/manuals/dir-server/pdf/ds71admin.pdf), in
the paragraph "Bind Rules/Defining Access Based on Authentication".
While describing various SASL methods it mentions, among others, the
'GSS-API' keyword that can be used in ACIs. I've tested it and it
turns out that (authmethod = "sasl GSS-API") does not work. What
actually works is (authmethod = "sasl GSSAPI").
Thanks
>
> Andrey Ivanov wrote:
>> I don't know whether it's a feature or a bug :) I have the
>> following configuration for the log management :
>>
>> nsslapd-accesslog-logging-enabled: on
>> nsslapd-accesslog-maxlogsperdir: 365
>> nsslapd-accesslog-mode: 600
>> nsslapd-accesslog-maxlogsize: 120
>> nsslapd-accesslog-logrotationtime: 1
>> nsslapd-accesslog-logrotationtimeunit: day
>> nsslapd-accesslog-logrotationsync-enabled: on
>> nsslapd-accesslog-logrotationsynchour: 0
>> nsslapd-accesslog-logrotationsyncmin: 0
>> nsslapd-accesslog: /Logs/Ldap/access
>>
>> nsslapd-accesslog-logmaxdiskspace: 50000
>> nsslapd-accesslog-logexpirationtime: 12
>> nsslapd-accesslog-logexpirationtimeunit: month
>> nsslapd-accesslog-logminfreediskspace: 2000
>>
>> It means, essentially, that the logs are rotated once a day at
>> midnight (or if the file is larger than 120Mb) and that I keep them
>> for 1 year.
>>
>> If I don't set the log rotation time (logrotationsynchour and
>> logrotationsyncmin) everything is ok, the logs are rotated once a
>> day and then they are kept for the necessary time period.
>> However, when I set this rotation time the server deletes ALL the
>> logs but the current and the last one. That is, after each rotation
>> I have the current log (the file 'access') and the previous one
>> (yesterday's log, like access.20070811-000030). All the other log
>> files are deleted.
>>
>> So if i want to keep the logs i need to copy them to a different
>> place by a cron script which is not very elegant :)
----------------------------------------------------------------
This message was sent using X-WebMail
16 years, 9 months
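The two pitfalls reported in the thread above, a log expiration time written to dse.ldif without its unit and an ACI using the documented 'sasl GSS-API' keyword, can be caught with a configuration check before the next rotation surprises anyone. The Python script below is an added example, not code from the thread or from the Fedora/389 Directory Server project: its dse.ldif fragment is constructed for illustration, the valid unit set {day, week, month} is taken from the server documentation, and it generalizes the author's access-log case to the error and audit logs as well.

```python
"""Check a dse.ldif fragment for the two pitfalls discussed on the list:
a log expiration time without its unit, and an ACI using 'sasl GSS-API'."""
import re

LOG_NAMES = ("accesslog", "errorlog", "auditlog")
VALID_EXPIRATION_UNITS = {"day", "week", "month"}  # per the server docs
AUTHMETHOD_RE = re.compile(r'authmethod\s*=\s*"([^"]*)"', re.IGNORECASE)
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"', re.IGNORECASE)

# Constructed sample, not a real server's dse.ldif. The access and audit
# logs have an expiration time but no unit; the error log is complete.
SAMPLE_DSE_LDIF = """\
dn: cn=config
nsslapd-accesslog: /Logs/Ldap/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-logrotationtime: 1
nsslapd-accesslog-logrotationtimeunit: day
nsslapd-accesslog-logrotationsync-enabled: on
nsslapd-accesslog-logrotationsynchour: 0
nsslapd-accesslog-logrotationsyncmin: 0
nsslapd-accesslog-logexpirationtime: 12
nsslapd-errorlog-logexpirationtime: 4
nsslapd-errorlog-logexpirationtimeunit: week
nsslapd-auditlog-logexpirationtime: 1
aci: (targetattr="description")(version 3.0; acl "krb only"; allow (write)
  userdn="ldap:///self" and authmethod="sasl GSS-API";)
aci: (targetattr="mail")(version 3.0; acl "krb read"; allow (read)
  userdn="ldap:///anyone" and authmethod="sasl GSSAPI";)
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns one {attribute: [values]} dict per entry.
    Folded lines (leading space) are joined; base64 (::) and URL (:<) values
    are skipped since cn=config does not need them here."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith((":", "<")):
            continue
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_log_expiration(entry):
    """Flag an expiration time whose unit is missing or not day/week/month."""
    findings = []
    for log in LOG_NAMES:
        time_attr = f"nsslapd-{log}-logexpirationtime"
        unit_attr = f"nsslapd-{log}-logexpirationtimeunit"
        if time_attr not in entry:
            continue
        units = entry.get(unit_attr)
        if not units:
            findings.append(f"{time_attr} is set to {entry[time_attr][0]} "
                            f"but {unit_attr} is absent")
        elif units[0].lower() not in VALID_EXPIRATION_UNITS:
            findings.append(f"{unit_attr} has unknown unit '{units[0]}'")
    return findings


def check_aci_authmethod(entry):
    """Flag ACIs using the 'sasl GSS-API' spelling, which the thread reports
    the server does not accept; 'sasl GSSAPI' is the working form."""
    findings = []
    for aci in entry.get("aci", []):
        name = ACL_NAME_RE.search(aci)
        label = name.group(1) if name else "<unnamed>"
        for method in AUTHMETHOD_RE.findall(aci):
            if method.strip().lower() == "sasl gss-api":
                findings.append(f"aci '{label}' uses authmethod \"{method}\"; "
                                f"use \"sasl GSSAPI\" instead")
    return findings


def audit(ldif_text):
    """Run both checks over every entry and return the findings."""
    findings = []
    for entry in parse_ldif(ldif_text):
        findings.extend(check_log_expiration(entry))
        findings.extend(check_aci_authmethod(entry))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DSE_LDIF):
        print(finding)
```

Run it against a copy of dse.ldif (the server rewrites that file, so read a copy rather than editing it in place); an empty result means every expiration time has a known unit and no ACI uses the rejected spelling.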
[Fedora-directory-users] FDS log management - bug?
by Ivanov Andrey (M.)
I don't know whether it's a feature or a bug :) I have the following
configuration for log management:
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-maxlogsperdir: 365
nsslapd-accesslog-mode: 600
nsslapd-accesslog-maxlogsize: 120
nsslapd-accesslog-logrotationtime: 1
nsslapd-accesslog-logrotationtimeunit: day
nsslapd-accesslog-logrotationsync-enabled: on
nsslapd-accesslog-logrotationsynchour: 0
nsslapd-accesslog-logrotationsyncmin: 0
nsslapd-accesslog: /Logs/Ldap/access
nsslapd-accesslog-logmaxdiskspace: 50000
nsslapd-accesslog-logexpirationtime: 12
nsslapd-accesslog-logexpirationtimeunit: month
nsslapd-accesslog-logminfreediskspace: 2000
It means, essentially, that the logs are rotated once a day at
midnight (or if the file is larger than 120Mb) and that I keep them
for 1 year.
If I don't set the log rotation time (logrotationsynchour and
logrotationsyncmin) everything is ok, the logs are rotated once a day
and then they are kept for the necessary time period.
However, when I set this rotation time the server deletes ALL the logs
but the current and the last one. That is, after each rotation I have
the current log (the file 'access') and the previous one (yesterday's
log, like access.20070811-000030). All the other log files are deleted.
So if I want to keep the logs I need to copy them to a different place
by a cron script, which is not very elegant :)
So, is it a bug or a feature? :)
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
16 years, 9 months
[Fedora-directory-users] moving fds data from one server to its replacement
by Tony
Hi,
I have a fds server that I'd like to move to a different machine. It's
currently running on a CentOS 4.5 system in a vmware virtual machine
using the fedora-ds-1.0.4-1.RHEL4.i386.opt.rpm package. Now that I've
discovered I can install the FC6 rpm version onto CentOS 5 I would
like to move my fds to the main machine and get rid of the virtual
machine.
Is there a recommended, easiest way to migrate data from one fds to
its replacement?
Various possibilities jump to mind, and I'll end up working my way
through some tests of these if the list doesn't voice a strong opinion
on this.
I could try to figure out which files fds stores all its data in and
copy them across manually while the servers are stopped.
I could experiment with a backup/restore within the fds admin console
and see if that takes all the config settings as well as my user data.
I'll have to get the new server running with something in order to get
as far as being able to restore the backup, but maybe it will cope
with that.
I could set the old and new servers up to replicate the data between
themselves and then remove the older server.
Anyone care to comment on my guesswork? I didn't find anything in the
docs/faq about this.
--
Cheers,
Tony
16 years, 9 months
[Fedora-directory-users] Get Effective Rights on other entries
by Ivanov Andrey (M.)
Hi,
I've tried to figure out how to know in advance whether the
authenticated user has the right to write to a certain attribute of
another user (without being directory manager).
That is, for example, I am authenticated as the user
uid=ai,ou=users,dc=example,dc=com and I want to know whether I have
the write privilege on the attribute 'description' of the entry
uid=toto,ou=users,dc=example,dc=com. The only way to find out is to
ACTUALLY WRITE to that attribute (and delete the written value
afterwards) and see whether I succeed.
I've read the documentation about the "get effective rights" extension
and it turns out that it only permits finding the rights of OTHER
users on YOUR attributes (to take the example of the previous
paragraph, the user uid=ai can only find out what other users can do
with his attributes).
So the question is whether there is a way for a simple user (not
directory manager) to see his rights on other entries' attributes
(much like, for example, the aclRights attribute in SunONE) without
actually reading/writing those attributes?
Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55
Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France
16 years, 9 months
[Fedora-directory-users] solaris8 simple auth
by Doug Chapman
I'm looking for troubleshooting advice- hope someone has some insight
I can borrow.
Trying to get a Solaris8 client (with the latest ldap patchcluster) to
do simple authentication against FDS.
When setup for anonymous auth, I'm able to do ldap list just fine:
# ldaplist -l passwd tester
dn: cn=test user,ou=People,dc=corp,dc=example,dc=com
givenName: test
sn: user
loginShell: /bin/bash
gidNumber: 1024
uidNumber: 5351
mail: tester(a)example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: tester
gecos: test user
cn: test user
homeDirectory: /nethome/tester
When setup for simple auth (and that's all I've changed), I'm seeing
error 49 (invalid credentials) in the FDS logs:
[10/Aug/2007:14:45:02 -0700] conn=25532 fd=65 slot=65 connection from
172.20.100.85 to 172.20.200.125
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 BIND
dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128
version=3
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 RESULT err=49 tag=97
nentries=0 etime=0
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 UNBIND
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 fd=65 closed - U1
Here's my /var/ldap/ldap_client_cred file
NS_LDAP_BINDDN= cn=sunldap,ou=profile,dc=corp,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}8cf5886bf25241a5a5045e
How do I verify that the NS1 crypt is correct outside of the Solaris
client (or ldap_gen_profile)?
The password in FDS for the above proxy user is stored in CRYPT format
in FDS. Is this mismatch really supported?
I can bind with the 'sunldap' user just fine from my linux hosts using
ldapsearch.
Suggestions?
16 years, 9 months
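The access-log excerpt in this post, and the never-closed idle connections in the "directory server setting fail to terminate idle connections" thread above, are both questions you can answer from the access log itself. The Python script below is an added example serving both threads; it is not code from the list or from the Directory Server project. It parses lines in the format shown in this post (the sample log is constructed, reusing the addresses and proxy DN from the post), counts failed BINDs per bind DN and error code, and lists connections that have no "closed" record and whose last activity is older than the idle limit (assumed here to be the server's nsslapd-idletimeout value, 1200 s in Brian's setup; the observation time NOW is likewise assumed).

```python
"""Parse Directory Server access-log lines to (1) count failed BINDs per
bind DN and error code and (2) list connections with no 'closed' record
whose last activity is older than the idle timeout."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PEER_RE = re.compile(r"connection from (\S+) to (\S+)")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample in the format shown in the post: two proxy-user binds
# that fail with err=49, then a client that binds, searches and never closes.
SAMPLE_ACCESS_LOG = """\
[10/Aug/2007:14:45:02 -0700] conn=25532 fd=65 slot=65 connection from 172.20.100.85 to 172.20.200.125
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 BIND dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128 version=3
[10/Aug/2007:14:45:02 -0700] conn=25532 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 UNBIND
[10/Aug/2007:14:45:02 -0700] conn=25532 op=1 fd=65 closed - U1
[10/Aug/2007:14:46:10 -0700] conn=25533 fd=66 slot=66 connection from 172.20.100.85 to 172.20.200.125
[10/Aug/2007:14:46:10 -0700] conn=25533 op=0 BIND dn="cn=sunldap,ou=profile,dc=corp,dc=example,dc=com" method=128 version=3
[10/Aug/2007:14:46:10 -0700] conn=25533 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Aug/2007:14:46:10 -0700] conn=25533 op=1 UNBIND
[10/Aug/2007:14:46:10 -0700] conn=25533 op=1 fd=66 closed - U1
[10/Aug/2007:15:00:00 -0700] conn=25540 fd=67 slot=67 connection from 172.20.100.90 to 172.20.200.125
[10/Aug/2007:15:00:00 -0700] conn=25540 op=0 BIND dn="uid=tester,ou=People,dc=corp,dc=example,dc=com" method=128 version=3
[10/Aug/2007:15:00:00 -0700] conn=25540 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[10/Aug/2007:15:00:01 -0700] conn=25540 op=1 SRCH base="ou=People,dc=corp,dc=example,dc=com" scope=2 filter="(uid=tester)" attrs=ALL
[10/Aug/2007:15:00:01 -0700] conn=25540 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Assumed observation time and idle limit; 1200 s matches the idle timeout
# quoted in the first thread (nsslapd-idletimeout in cn=config).
NOW = datetime(2007, 8, 10, 18, 0, 0, tzinfo=timezone(timedelta(hours=-7)))
IDLE_TIMEOUT_SECONDS = 1200


def parse_line(line):
    """Split one access-log line into timestamp, conn id, op type and fields.
    Returns None for lines that are not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    tokens = rest.split()
    # Operation keyword (BIND, RESULT, SRCH, UNBIND, ...) follows "op=N";
    # connection-open and close records have no keyword in that position.
    op_type = None
    if len(tokens) > 1 and tokens[0].startswith("op=") and "=" not in tokens[1]:
        op_type = tokens[1]
    peer = PEER_RE.search(rest)
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "conn": int(m.group("conn")),
        "op_type": op_type,
        "is_close": "closed" in tokens,
        "peer": peer.group(1) if peer else None,
        "fields": {k: v.strip('"') for k, v in KV_RE.findall(rest)},
    }


def analyze(log_text, now, idle_timeout):
    """Return failed bind counts and connections idle beyond the timeout."""
    pending_binds = {}        # (conn, op) -> bind DN waiting for its RESULT
    failed_binds = Counter()  # (dn, err) -> number of failed binds
    last_seen, peers, closed = {}, {}, set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        conn, f = rec["conn"], rec["fields"]
        last_seen[conn] = rec["ts"]
        if rec["peer"]:
            peers[conn] = rec["peer"]
        if rec["op_type"] == "BIND":
            pending_binds[(conn, f.get("op"))] = f.get("dn", "")
        elif rec["op_type"] == "RESULT":
            dn = pending_binds.pop((conn, f.get("op")), None)
            err = int(f.get("err", "0"))
            if dn is not None and err != 0:
                failed_binds[(dn, err)] += 1
        if rec["is_close"]:
            closed.add(conn)
    idle = []
    for conn, ts in last_seen.items():
        if conn in closed:
            continue
        idle_for = (now - ts).total_seconds()
        if idle_for > idle_timeout:
            idle.append((conn, peers.get(conn), int(idle_for)))
    return {"failed_binds": dict(failed_binds), "idle_connections": idle}


if __name__ == "__main__":
    report = analyze(SAMPLE_ACCESS_LOG, NOW, IDLE_TIMEOUT_SECONDS)
    for (dn, err), n in report["failed_binds"].items():
        print(f"{n} failed bind(s) as dn=\"{dn}\" err={err}")
    for conn, peer, secs in report["idle_connections"]:
        print(f"conn={conn} from {peer} idle {secs}s without a close record")
```

For a live server replace SAMPLE_ACCESS_LOG with the contents of the access log and NOW with the current time; a connection that shows up as idle here while netstat still reports it ESTABLISHED is the case Brian describes, and a burst of err=49 results for one bind DN is the quickest way to confirm that a client's stored proxy credential no longer matches the directory.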
[Fedora-directory-users] Changing filesystem path names from "fedora-ds" to "dirsrv"
by Rich Megginson
We would like to separate the brand name from the filesystem path
naming. The packages will still be called fedora-ds-*.rpm, and if you
run /usr/sbin/ns-slapd -v it will tell you that you are running Fedora
Directory Server, but we would like to use "dirsrv" as the name in
filesystem paths, so
/etc/dirsrv
/usr/lib/dirsrv
/var/log/dirsrv
and so on. From a code standpoint, this basically means the following
change:
*** configure.ac.~1.35.~ 2007-08-01 14:25:15.000000000 -0600
--- configure.ac 2007-08-09 10:14:20.000000000 -0600
***************
*** 2,8 ****
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
# This version is the version returned by ns-slapd -v
! AC_INIT([fedora-ds], [1.1.0a4], [http://bugzilla.redhat.com/])
# AC_CONFIG_HEADER must be called right after AC_INIT.
AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE([1.9 foreign subdir-objects])
--- 2,8 ----
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
# This version is the version returned by ns-slapd -v
! AC_INIT([dirsrv], [1.1.0a4], [http://bugzilla.redhat.com/])
# AC_CONFIG_HEADER must be called right after AC_INIT.
AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE([1.9 foreign subdir-objects])
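Review bot: the comment directly above AC_INIT says this is what ns-slapd -v reports, and the message says -v should keep printing "Fedora Directory Server"; if that display string is derived from PACKAGE_NAME, changing `AC_INIT([fedora-ds], [1.1.0a4], ...)` to `AC_INIT([dirsrv], [1.1.0a4], ...)` makes -v report "dirsrv" instead. Suggest keeping the brand in a separate define or AC_SUBST for the product display name and using PACKAGE_NAME only for the filesystem paths (/etc/dirsrv, /usr/lib/dirsrv, /var/log/dirsrv), which is the stated intent. Note also that the first AC_INIT argument sets PACKAGE_TARNAME, so the `make dist` tarball becomes dirsrv-1.1.0a4.* while the rpms stay fedora-ds-*; the spec file's Source line needs to match.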
Then making sure we use PACKAGE_NAME for path naming consistently.
Your comments are welcome.
16 years, 10 months
[Fedora-directory-users] Windows and Linux Profiles???
by Bob Staaf
Hello all,
Please forgive me if this is a duplicate email as the last one seemed to have been made of rubber and is probably still bouncing somewhere....
Anyway, I am looking at implementing Fedora Directory Server in my home network as a learning experience. Right now I have 9 computers in my little network. They are a mix of Windows and Linux machines. What I would like to do is implement single sign-on with roaming profiles.
The question I have, though, is whether it is possible to have a roaming profile that works on both Linux and Windows clients and keeps things like web browser favorites and documents in sync between both client OSs?
Thanks
Bob
16 years, 10 months
[Fedora-directory-users] Windows and Linux clients???
by Bob Staaf
Hello all,
I have done some searching and have not found the answer I am looking for, hopefully you all have some time for a noob question or two.
I am thinking of implementing Fedora Directory Server in my home network as a learning experience. Right now I have 9 computers in my home network. They are a mix of Windows and Linux. What I want to do is implement single sign-on with roaming profiles.
The question I have, though, is whether it is possible to have a roaming profile that works on both Linux and Windows clients and keeps things like web browser favorites and documents in sync between both client OSs?
Thanks
Bob
16 years, 10 months