[389-users] Password History in a Replicated Environment
Hi

The documentation clearly states that password modification history is not replicated, including account lockout counters. To me that seems a bit pointless to have if your servers are authenticating against a cluster of 4 machines. There is no guarantee that next time when you change your password the history will be captured by the same server. I am sure I am not the only person that has had to deal with this dilemma and am curious about other possible solutions to this problem. The problem being to keep a shared used password between multi masters. I would really appreciate any thoughts or shared experiences in dealing with the limitations of the password policy in a multimaster environment.

Regards

In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
[389-users] Slow logging
Hi

In my lab system I am seeing quite a long delay (10+ seconds) between the actual ldap request and the logging of the request in the access log. Is this normal behavior? And can it be speeded up? Admittedly I have not investigated this much yet but noticed it and thought I would ask quickly. Using latest stable from EPEL and CentOS 5.5 fully updated.

Regards
Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
> From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Gordon Messmer [yiny...@eburg.com]
> Sent: 20 July 2010 18:32
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Preventing ssh keys from granting a user access when LDAP account is disabled.
>
> On 07/20/2010 09:45 AM, Gerrard Geldenhuis wrote:
>> Hi
>> There is a bugzilla raised concerning users still being able to login if they have ssh keys even if their ldap account is disabled.
>
> Define "disabled". If your only flag is the userpassword field, you won't find a good solution to this problem, since that field will never be used by an ssh session using keys.

Good point... I define disabled as setting the user as disabled in the console or the user having typed his password wrong too many times and then getting locked out. I still don't understand pam as well as I should but it would make sense to me for PAM to "check" LDAP before checking ssh... It does so when you don't have ssh keys and would deny a user if he/she is disabled. Maybe I should change a password sufficient to password required. I guess I need to play around a bit more.

> I believe you can use pam_access(5) to grant login access only to members of a group in your directory, and remove users from that group when you disable their login access.

That was my plan but it is not perfect...
[389-users] Large amount of users in Directory causes timeouts on client login.
Hi

I have just created 20 000 users each with a private group on two masters, 10 000 on each master, with the purpose of testing replication between two masters. I did not observe any errors in the access log and there are no errors logged in the error log for either of the servers. I am seeing strange behavior though. Firstly a getent only returns 2028 rows according to wc. That is not a problem as I am aware that there is a setting somewhere that limits search size. What is strange though is that trying to login as any user just times out on me. If I do

su - testuser39043

on a client machine pam creates the home directory but then nothing happens (I have configured pam to create a home dir when it does not exist). I have the following errors in /var/log/messages:

Jul 21 16:19:32 client01 -bash: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Jul 21 16:19:37 client01 -bash: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Jul 21 16:19:45 client01 -bash: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...

Eventually after a while I get the following login:

[I have no na...@client01 ~]$

with this error message beforehand:

id: cannot find name for user ID 7280

When I try to su - randomname I get an immediate response back to say that the user does not exist, which is true.

The console is also behaving in a strange way. I can see a number of users (I have not increased the default limit of returned users in the console) and when I double click on a user I get the relevant information back. However if I do a search for the same user by right clicking on people and typing in the username I don't get any results returned. When I retested the behavior for writing the email the behaviour had changed so I can now find a user when searching for it in the console but I still can't login to a box.

The two masters have almost no CPU load and are not swapping. They are virtualboxes with only 500mb ram so maybe that is the source of the problem...

I can see the request in the log file on the master server when I do a su - username on the client server but the information never gets returned back to pam. Any thoughts or steering in the right direction would be appreciated. The documentation states a few default indexes that get created and I would have thought that these would be adequate for effectively finding a user in a larger database.

Regards
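The /var/log/messages lines quoted in this post are the kind of thing worth pulling out of a client's syslog automatically when logins stall. The following is an added example (not code from the list post) that parses constructed lines of that shape and summarises the nss_ldap reconnect pattern per host and process; the year is assumed because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/messages excerpt in the post
# above (not real log data); the sshd line shows that unrelated lines are ignored.
SAMPLE_LOG = """\
Jul 21 16:19:32 client01 -bash: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Jul 21 16:19:37 client01 -bash: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Jul 21 16:19:45 client01 -bash: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
Jul 21 16:20:01 client01 sshd[2201]: Accepted publickey for testuser1 from 192.0.2.10 port 5022 ssh2
"""

# syslog timestamp, host, process, then the nss_ldap reconnect message
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>\S+): nss_ldap: reconnecting to LDAP server "
    r"\(sleeping (?P<sleep>\d+) seconds\)"
)


def parse_reconnects(text, year=2010):
    """Return one dict per nss_ldap reconnect line.  Syslog has no year, so
    one is supplied (assumed) to build a comparable timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        events.append({"host": m["host"], "proc": m["proc"],
                       "ts": stamp, "sleep": int(m["sleep"])})
    return events


def summarize(events):
    """Group reconnects per (host, process) and characterise the retry pattern."""
    summary = {}
    for e in events:
        key = (e["host"], e["proc"])
        s = summary.setdefault(key, {"retries": 0, "sleeps": [],
                                     "first": e["ts"], "last": e["ts"]})
        s["retries"] += 1
        s["sleeps"].append(e["sleep"])
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    for s in summary.values():
        sl = s["sleeps"]
        # As the excerpt shows, the sleep doubles on each failed reconnect; an
        # unbroken doubling run means the lookup never got an answer in that
        # window, which is what the caller (su, id) experiences as a hang.
        s["doubling"] = len(sl) > 1 and all(b == 2 * a for a, b in zip(sl, sl[1:]))
        s["total_sleep"] = sum(sl)   # lower bound on how long the lookup stalled
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return summary


if __name__ == "__main__":
    for (host, proc), s in summarize(parse_reconnects(SAMPLE_LOG)).items():
        print(f"{host} {proc}: {s['retries']} reconnects, sleeps {s['sleeps']}, "
              f"at least {s['total_sleep']}s stalled, doubling={s['doubling']}")
```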
Re: [389-users] Large amount of users in Directory causes timeouts on client login.
Snip snip

>> Any thoughts or steering in the right direction would be appreciated.
>
> run logconv.pl
>
>> The documentation states a few default indexes that gets created and I would have thought that these would be adequate for effectively finding a user in a larger database.
>

Running logconv.pl has turned up empty handed, no recommendations or problems. I can do a ldapsearch from the client which turns up all of the necessary information. nscd is not running so can't interfere. It looks like a client problem. I am digging further...

Regards
[389-users] Security Level = Domestic
Hi

In the management console there is a Security level: domestic. I found no reference to this in the documentation and a quick google revealed this page: http://docs.sun.com/source/816-5567-10/3_consol.htm which suggests that this has to do with the type and level of encryption used. Thus does this refer to the level of encryption used in the SSL certificates?

Best Regards
Re: [389-users] admin account expires, expire time refuses to update
Hi Brandon,

It seems to me that the password policy is being applied to your Directory Manager user. I recall that you can disable password policy for cn=config users but can't find that in the documentation now. It is also worthwhile reading the second paragraph of 7.1.1.5 in the Admin guide which refers to a bug regarding password policy. That might not be true any more so read it with a pinch of salt.

Regards

From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Brandon G [...@solv.com]
Sent: 09 August 2010 18:30
To: 389-us...@lists.fedoraproject.org
Subject: [389-users] admin account expires, expire time refuses to update

I am in a curious situation (and by curious I mean frustratingly annoying). I have enabled strong password policies, including expirations, across my tree (policy of the site). This has since affected my 'admin' account in uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot. I discovered this was happening when I was no longer able to login to the IDM/admin console. Unfortunately, the IDM gave a very obtuse error about not being able to find an object. I discovered the real problem when I tried an ldapsearch with the admin uid, and it then returned password expired. This is a side issue, not part of the core problem.

I used ldapmodify with "cn=directory manager" and changed the password hash. I can then login with IDM again. I then go (in IDM) to the admin account and I change passwordexpirationtime to be 2040Z (i.e. some time in the distant future). I save this change; restart the directory server and the account is expired again. If I go through the same reset process and pull up the value, it has not committed the passwordexpirationtime attribute, it is back to the original setting (!?)

To be even more confusing, if I do an ldapsearch on the uid=admin account, it doesn't even show the passwordexpirationtime attribute (and thus cannot be updated). I can only see/change this via IDM.

Can anybody explain this behavior? Is there a better way to exclude the admin account from the password policies of the server? Can somebody explain why I can see some attributes on uid=admin that cannot be seen with ldapsearch?

Versions:
389-ds-console-1.2.0-5
389-admin-1.1.9-1
389-admin-console-1.1.4-2
389-console-1.1.3-5
389-ds-base-1.2.3-1
389-admin-console-doc-1.1.4-2
389-adminutil-1.1.8-4
389-ds-console-doc-1.2.0-5
389-dsgw-1.1.4-1
389-ds-1.1.3-5
RHEL 5.5

Any help/insight into this matter would be greatly appreciated.

-B.G.
[389-users] Console breaks when enabling no anonymous binding
Hi

If I set

nsslapd-allow-anonymous-access: off

I am not able to login to the 389-console. I can remedy this by checking the checkbox "Use SSL in Console" in the Encryption tab on the Directory Server console. This seems a strange solution to the problem. Why would disabling anonymous access break console access and why would enabling "Use SSL in Console" fix it?

I get another interesting error as well with the "Use SSL in Console" checkbox checked.

Login to Management Console
Open Directory Console
Click on Configuration tab
Click on Encryption tab

I get "An error has occured"
Could not open file(null). File does not exist or filename is invalid.

After I click on OK, I can proceed to the Encryption tab. Is this a bug or me not configuring something? The error message is not very helpful.

Regards
Re: [389-users] Console breaks when enabling no anonymous binding
> From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Gerrard Geldenhuis [gerrard.geldenh...@betfair.com]
> Sent: 10 August 2010 16:00
> To: 389-us...@lists.fedoraproject.org
> Subject: [389-users] Console breaks when enabling no anonymous binding
>
> Hi
> If I set
> nsslapd-allow-anonymous-access: off
> I am not able to login to the 389-console. I can remedy this by checking the checkbox "Use SSL in Console" in the Encryption tab on the Directory Server console.
> This seems a strange solution to the problem. Why would disabling anonymous access break console access and why would enabling "Use SSL in Console" fix it?
>
> I get another interesting error as well with the "Use SSL in Console" checkbox checked.
> Login to Management Console
> Open Directory Console
> Click on Configuration tab
> Click on Encryption tab
>
> I get "An error has occured"
> Could not open file(null). File does not exist or filename is invalid.
>
> After I click on OK, I can proceed to the Encryption tab. Is this a bug or me not configuring something. The error message is not very helpful.
>

I found the cause of the problem for the "An error has occurred". When you first click on Manage Certificates in the Admin Server console it prompts you for a password and I believe creates the cert store in /etc/dirsrv/admin-serv/. I then added the same CA that I used in the /etc/dirsrv/slapd-testmasterserver/ cert db. However if you then again remove this CA you get the error message as mentioned above. This is probably not strictly speaking a bug but it would be really "nice" if the error message could tell you that the cert database for the admin console is empty. I am not sure what the interdependence is but from my 10 000 feet view it seems not necessary. If there is any agreement I will file this as an enhancement request on bugzilla.

Regards
[389-users] "Researching" ldif changes
Hi

I was hoping someone can share a methodology of finding the ldif changes that happen when doing changes in the GUI. I would like to create equivalent ldif files for all changes that I do in the GUI. Thus far I have been doing before and after diffs of dse.ldif. I have not done that yet for netscaperoot. Is there any logic with regards to which settings get stored in which database?

As an example I have used this page: http://directory.fedoraproject.org/wiki/Howto:SSL#Verify_SSL_is_enabled to assist with ldif'ing ssl settings, but what bothers me is that a comparison between dse.ldif with the ldif applied to enable ssl from the howto page and a dse.ldif with ssl enabled via the gui differs significantly. I am not referring to timestamp differences but to additional fields that get added when enabling SSL via the GUI. Specifically for this example I have not been able to find where "Use SSL in Console" should be set and thus can't include it in my ldif file.

Best Regards

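A plain text diff of two dse.ldif copies, as described in this post, is noisy (timestamps, folded lines) and does not give you something you can feed back to ldapmodify. The following is an added example (not from the list post or the 389 project) that parses a constructed "before" and "after" dse.ldif fragment at the attribute level, ignores the server's own operational timestamps, and emits the equivalent LDIF change records; the fragments are modelled on the SSL settings the Howto:SSL page describes and are not real server files.

```python
# Constructed "before" and "after" dse.ldif fragments (not real server files):
# the second has SSL switched on, plus a new modifyTimestamp that a naive
# text diff would report as a change.
BEFORE = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-security: off
nsslapd-port: 389
modifyTimestamp: 20100812100000Z
"""

AFTER = """\
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-security: on
nsslapd-port: 389
nsslapd-secureport: 636
modifyTimestamp: 20100812110000Z

dn: cn=RSA,cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: Server-Cert
nsSSLToken: internal (software)
nsSSLActivation: on
"""

# operational attributes the server rewrites on every modification; diffing
# them only produces noise
IGNORE = {"modifytimestamp", "modifiersname", "createtimestamp", "creatorsname"}


def parse_ldif(text):
    """Return {dn: {attr: [raw values]}}.  Folded lines (RFC 2849) are joined;
    each value keeps its ': ' or ':: ' separator so it can be re-emitted as-is."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:
        if line == "":
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:") or ":" not in line:
            continue
        attr, rest = line.split(":", 1)
        rest = ":" + rest
        if attr.lower() == "dn":
            current = {"dn": rest.lstrip(": ").rstrip(), "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(rest)
    return entries


def diff_ldif(before_text, after_text, ignore=IGNORE):
    """Emit LDIF change records that turn `before` into `after`."""
    before, after = parse_ldif(before_text), parse_ldif(after_text)
    records = []
    for dn in before:
        if dn not in after:
            records.append(f"dn: {dn}\nchangetype: delete\n")
    for dn, new in after.items():
        if dn not in before:
            body = "".join(f"{a}{v}\n" for a, vals in new.items()
                           if a.lower() not in ignore for v in vals)
            records.append(f"dn: {dn}\nchangetype: add\n{body}")
            continue
        old, ops = before[dn], []
        for attr, vals in new.items():       # attribute names compared as written
            if attr.lower() in ignore:
                continue
            if attr not in old:
                ops.append(f"add: {attr}\n" + "".join(f"{attr}{v}\n" for v in vals))
            elif old[attr] != vals:
                ops.append(f"replace: {attr}\n" + "".join(f"{attr}{v}\n" for v in vals))
        for attr in old:
            if attr not in new and attr.lower() not in ignore:
                ops.append(f"delete: {attr}\n")
        if ops:
            records.append(f"dn: {dn}\nchangetype: modify\n" + "-\n".join(ops) + "-\n")
    return "\n".join(records)


if __name__ == "__main__":
    print(diff_ldif(BEFORE, AFTER), end="")
```

Run it against a copy of dse.ldif taken before and after a GUI change (with the server stopped, so the file is consistent) and the output is the modify LDIF the GUI effectively applied.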
Re: [389-users] Clarification on admin server and console
>> I understand that on a (physical/virtual) server there can be multiple directory server instances but only one admin server instance. However, what I'm wondering is whether it is possible for an instance of the admin server to manage directory servers on different boxes. For example, could I have one admin server per location - where a location houses X physical servers each running a DS instance (a mix of read-only consumers and read-write suppliers)? This brings obvious benefits as regards easier backup and a single point of administration, but also becomes a bit of a single point of failure.
>>
> There must be an admin server on the physical machine that hosts the directory server. Some of the admin server tasks are CGI based e.g. certificate management, log viewing, server stop/start/restart. These cannot be done remotely.

There is still some haziness in my mind about the admin server... I setup a server called master01 using setup-ds-admin.pl and then setup another physical server called master02 also using setup-ds-admin.pl. The only difference was that I "registered" master02 with master01. The effect is that when I run 389-console from the command line logging into either master01 or master02 I get both master01 and master02 listed in the directory tree. Each one has a server group with an admin server and directory server listed. However the admin server for master02 points to master01 by default when looking at the settings. I have a configured client that authenticates against master02 and then fails over to master01. If I shutdown master01 (shutdown -h now) and restart master02 I am still able to authenticate from the client server or at least get results for getent passwd. master02 does not have a netscaperoot so that seems shared if you register master02 with master01.

Now for my question, I have read above that you have said that we must have an admin server on each physical server. I believe we have... I can do a service dirsrv-admin start/stop/restart on master02.

* So what does the "registration" during installation actually do?
* Is registering one physical server to another physical server a bad idea as I described above?
* What is the reliance of master02 on master01? I did notice that I can't start the 389-console at all if the master01.dirsrv service is not running.

We plan to have quite a number of servers and it would be nice to have a "centralized control panel" where you can easily access all servers and select servers from a drop down box when setting up replication agreements. Thus what I have experimented with above is basically trying to achieve this control panel but I would like to be sure that it is done correctly. The other concern is that we don't want to introduce a central point of failure for the convenience of having a centralized control panel.

>> If not, is it necessary/standard to run an admin server per physical server, and then group them in the console by having them all share a single configuration server (as specified in setup-ds-admin.pl)? Although again this creates a single POF, at least with administration - or have I got the wrong end of the stick entirely?
>>
>> One more point: the Console and Admin Server documentation has diagrams which reference "external programs"; what kind of things does this refer to? Is there a typical use case?
>>
> I'm not sure (can you provide a URL?) but the "external programs" are probably the aforementioned CGI programs.

http://www.redhat.com/docs/manuals/dir-server/8.2/console/html/chap-Console_Guide-Introducing_Red_Hat_Console_and_Administration_Server.html

Figure 1.2 was what Jonathan referred to.

Best Regards
[389-users] Replica ID uniqueness between NetscapeRoot and userRoot
Hi

This is going to seem obvious but is the Replica ID unique to a server or unique to a database and server? What I mean is that if I setup both NetscapeRoot and UserRoot to replicate can I use Replica ID of x for both because they are on the same server or does it need to be x and x+1?

Regards
Re: [389-users] Clarification on admin server and console
>> What is also frustrating is that the script is so quiet about why it failed. I was running setup-ds-admin with -ddd. It appears that the script used to configure the admin server does not get passed the debug flags.
>>
>> Any further ideas?
>>
> I was afraid of that. The admin server part doesn't like it that NetscapeRoot already exists, and instead of just continuing, it errors and exits. If you are a perl hacker, I suppose you could hack the AdminUtil.pm and/or AdminServer.pm.
>> Regards
>>

Thanks, afraid not, I generally try to stay away from Perl. Is it worthwhile supporting ldif files during the initial install? It does seem to add a lot of complexity. For me whether I run a few scripts during installation or after does not matter that much. Aesthetically it is probably nicer to have all configuration in one place, i.e. in the install script. It would be nice to be able to specify when additional ldif files should be executed. Is that the purpose of InstallLdifFile or is that only during the slapd setup?

Regards
[389-users] Variables in ldif files
Hi

Is there any standard script that comes with 389 that can take a set of parameters and replace those parameters in a ldif file? For example the parameters specified in /usr/share/dirsrv/data/template-suffix-db.ldif:

dn: cn=%ds_bename%,cn=ldbm database,cn=plugins,cn=config

I can write my own but if there is something I can just adopt that would be very useful.

Regards

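As an added example of the "write my own" route the post mentions (this is not a 389 script and not the shipped template file), the following substitutes %name% markers of the kind used in template-suffix-db.ldif. It refuses to render when a marker has no value, so a literal "%ds_suffix%" never reaches ldapmodify, and it rejects backend names that would need DN escaping; the template below is constructed around the one line the post quotes, and the extra attributes are illustrative.

```python
import re

# Constructed template modelled on the single line the post quotes from
# /usr/share/dirsrv/data/template-suffix-db.ldif; the other attributes are
# illustrative and this is not the shipped file.
TEMPLATE = """\
dn: cn=%ds_bename%,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: %ds_bename%
nsslapd-suffix: %ds_suffix%
"""

PLACEHOLDER = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
# A backend name ends up inside a DN (cn=...), so keep it to characters that
# need no RFC 4514 escaping.  This is a conservative check of our own, not a
# rule taken from 389.
SAFE_BENAME = re.compile(r"^[A-Za-z0-9_-]+$")


def placeholders(template):
    """Names of all %name% markers in the template, sorted and de-duplicated."""
    return sorted(set(PLACEHOLDER.findall(template)))


def render(template, params, strict=True):
    """Substitute %name% markers.  In strict mode an unresolved marker is an
    error rather than a silent '%name%' left in the LDIF to be loaded."""
    missing = [n for n in placeholders(template) if n not in params]
    if strict and missing:
        raise KeyError("unresolved placeholders: " + ", ".join(missing))
    if "ds_bename" in params and not SAFE_BENAME.match(str(params["ds_bename"])):
        raise ValueError("ds_bename would need DN escaping: %r" % params["ds_bename"])

    def sub(m):
        name = m.group(1)
        return str(params[name]) if name in params else m.group(0)

    return PLACEHOLDER.sub(sub, template)


def parse_assignments(args):
    """Turn command-line style 'name=value' strings into a parameter dict;
    only the first '=' splits, so DN-valued parameters keep their own '='."""
    params = {}
    for arg in args:
        name, sep, value = arg.partition("=")
        if not sep or not name:
            raise ValueError("expected name=value, got %r" % arg)
        params[name] = value
    return params


if __name__ == "__main__":
    import sys
    # e.g.: python render_ldif.py ds_bename=userRoot ds_suffix=dc=example,dc=com
    print(render(TEMPLATE, parse_assignments(sys.argv[1:])), end="")
```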
Re: [389-users] GOSA as a frontend for the 389 Directory Server?
Hi Stefan,

GOsa² uses its own combination of objectClasses to store information plus its own set of ACLs to control access to the GUI, but these ACLs do not translate into protection for other access methods that do not go through the GUI. I think you will get much better support from the GOsa² mailing list with regards to getting it working with 389. The developer of GOsa² actively responds and I have got answers to all my GOsa² related questions there. The GOsa² team is also busy rewriting a lot of the documentation, of which a lot is in French currently, so there might be something available already that covers implementation with 389.

Best Regards

> From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Stefan-Michael Guenther [38...@in-put.de]
> Sent: 18 August 2010 21:29
> To: 389-us...@lists.fedoraproject.org
> Subject: [389-users] GOSA as a frontend for the 389 Directory Server?
>
> Hello,
>
> one of our clients wants to use GOSA (https://oss.gonicus.de/labs/gosa/) as a frontend for the 389 DS.
>
> I found a number of postings that configuring GOSA to work with the 389 DS isn't easy.
>
> Therefore my question is whether anyone has a working combination and might publish a howto on it?
>
> Otherwise I would have to find my way through it and write the docu on it.
>
> Thanks for any hints & suggestions,
>
> Stefan
[389-users] Inconsistency between GUI and ldapquery regarding replication agreements
Hi

We ran into a very interesting problem... We can't run 389-console directly from the server on which it is running because it is just too slow to use. It takes almost 5 minutes just to login. We have thus resorted to running the console locally and doing port forwarding with ssh as 389 and 636 are blocked. This worked great until now. We created aliases to localhost for the server names, eg:

127.0.0.1 authserver1.example.com authserver1

ssh -f -N -L 9830:authserver1:9830 authserver-ip
ssh -f -N -L 389:authserver1:389 authserver-ip
ssh -f -N -L 636:authserver1:636 authserver-ip

This works for individual servers but we now have a shared netscaperoot. What happens is that when we open up the console and connect to any directory server we are actually connecting to localhost and thus end up seeing the same information for each server (not completely); it confuses the GUI no end.

This email's purpose is two fold: one is for the record and hopefully someone else will read this and not make the same mistake. Two, realizing that I have asked this before, any suggestions for speeding up the console? It just seems odd that there is such a vast difference between running the console locally and running it remotely via ssh.

Regards
[389-users] not all masters are born equal?
Hi

Just wanted to double check; we have not created replication agreements between all masters and in some instances it might take 2 hops for a change to be replicated everywhere. We are happy with this trade-off in delay for simplicity. Are we breaking some cardinal rule regarding multi-master or is this acceptable? The idea is to have edge servers in each DC that speak to other DC edge servers and internally things are more verbal. A simplified attempt at a diagram. Changes in dc1master02 will take two replications before it reaches dc2master02.

          dc1                             dc2
  master02 <-> master01     <->     master01 <-> master02

This question pertains both to a shared NetscapeRootDB and userDB databases.

Best Regards

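When agreements form a chain rather than a mesh, the two things worth knowing are the worst-case number of agreement hops between any two masters and which master's loss would cut the others off from each other. The following is an added example (not from the list post or the 389 project) that works both out from a constructed agreement list mirroring the diagram above, treating each agreement pair as bidirectional.

```python
from collections import deque

# Constructed agreement list mirroring the diagram in the post: each pair is a
# bidirectional replication agreement between two masters.
AGREEMENTS = [
    ("dc1master02", "dc1master01"),
    ("dc1master01", "dc2master01"),
    ("dc2master01", "dc2master02"),
]


def build_graph(agreements):
    """Adjacency sets: master -> masters it exchanges changes with directly."""
    graph = {}
    for a, b in agreements:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def hops_from(graph, start):
    """Breadth-first search: agreement hops from `start` to every reachable master."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for peer in graph.get(node, ()):
            if peer not in dist:
                dist[peer] = dist[node] + 1
                queue.append(peer)
    return dist


def topology_report(agreements):
    """Worst-case hop count, any masters that cannot reach each other, and the
    masters whose loss would partition the rest (single points of failure)."""
    graph = build_graph(agreements)
    nodes = sorted(graph)
    report = {"max_hops": 0, "worst_pairs": [], "unreachable": [],
              "single_points_of_failure": []}
    for i, a in enumerate(nodes):
        dist = hops_from(graph, a)
        for b in nodes[i + 1:]:
            if b not in dist:
                report["unreachable"].append((a, b))
            elif dist[b] > report["max_hops"]:
                report["max_hops"], report["worst_pairs"] = dist[b], [(a, b)]
            elif dist[b] == report["max_hops"]:
                report["worst_pairs"].append((a, b))
    for node in nodes:
        # drop the node and its agreements, then see whether the rest still connect
        rest = {k: v - {node} for k, v in graph.items() if k != node}
        others = sorted(rest)
        if len(others) > 1 and len(hops_from(rest, others[0])) < len(others):
            report["single_points_of_failure"].append(node)
    return report


if __name__ == "__main__":
    r = topology_report(AGREEMENTS)
    print(f"worst case {r['max_hops']} hops between {r['worst_pairs']}")
    print(f"unreachable pairs: {r['unreachable']}")
    print(f"losing any of {r['single_points_of_failure']} partitions the topology")
```

Counting hops along the diagram's chain gives the figure the example reports; a mesh of agreements brings it down to 1 and leaves no single point of failure, at the cost of more agreements to manage.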
Re: [389-users] Debug PTA and PAM-PTA stack for ldap timeout
Hi Prashanth,

I have not seen similar issues but I would suggest adding a debug entry in the PAM setup. This gives a lot of extra information. Also since you are debugging, disable log caching to enable you to see bind attempts immediately:

dn: cn=config
changetype: modify
replace: nsslapd-accesslog-logbuffering
nsslapd-accesslog-logbuffering: off

There are various other logging options which you can easily enable on the 389-console to increase or decrease logging for specific actions.

Regards

> -----Original Message-----
> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Prashanth Sundaram
> Sent: 15 September 2010 16:27
> To: 389-us...@lists.fedoraproject.org
> Subject: [389-users] Debug PTA and PAM-PTA stack for ldap timeout
>
> Hello,
>
> We are having some ldap timeout issues in our MMR-SLAVE ldap setup. A user is unable to ssh to random hosts at random times.
>
> Terminal Error: Permission denied (publickey,gssapi-with-mic,password)
> secure logs: pam_ldap: ldap_result Timed out
> Failed password for psundaram from 10.1.0.120 port 22039 ssh2
>
> Sifting thru logs tells the user's password was successfully authenticated upstream by looking at dirsrv access log with err=0. The clients connecting to slave incur regular timeouts and the login fails but it is not the case with clients connecting to Master directly.
>
> Setup: Two Masters with MMR, Two Slaves with MMR. The authentication for clients connecting to the slave ldap server goes to the master via PTA plugin and then from Master it goes to Windows AD via PAM-PTA.
>
> Client->Slave--(PTA)-->Master--(PAM-PTA)-->AD (This is where all passwords are)
>
> I understand we might have a long traversal for the authentication, but we have set considerably high timeout limits.
>
> /etc/ldap.conf
> timelimit 120
> bind_timelimit 5
> bind_policy hard
> idle_timelimit 3600
>
> slave ldap server
> nsslapd-idletimeout: 86400
> nsbindtimeout: 15
> nsslapd-timelimit: 3600
>
> Master ldap server
> nsslapd-idletimeout: 7200
> nsbindtimeout: 15
> nsslapd-timelimit: 3600
>
> Anybody had similar issue or can share some debugging tips?
>
> -Prashanth
[389-users] Using ldclt
Hi

I have not been able to get ldclt working. I suspect I am not using it correctly and would appreciate anyone just giving my options a sanity check. Running the following:

ldclt -h testserver.example.com -p 389 -e bindeach,bindonly -Z /etc/dirsrv/slapd-testserver -e cltcertname=certname,keydbfile=key3.db,keydbpin=password -V

Running that gives me an error:

ldclt version 4.23
/usr/bin/ldclt: line 47: 2352 Segmentation fault ${dir}/${COMMAND} "$@"

I have tried both the server and the CA cert names as options in the cltcertname. Some of the CA certs have spaces in so I enclose it in single quotes which then still gives me a segmentation fault.

Best Regards
Re: [389-users] Manual and automatic catch up of replication
> Replication uses an exponential backoff strategy if the consumer is down. That is, it will wait 1 second, try again, then wait 2 seconds, try again, then wait 4 seconds, try again, etc. until it hits 5 minutes.
>

hmmm, I probably did not wait long enough... I have enabled replication monitoring on all my servers at the moment. Is there any log that specifically logs the exponential back-off and the current back-off waiting time? Alternatively can that value be read somewhere? If not I believe it would be useful to have in the logs and I could raise a feature request in bugzilla. Does the exponential backoff reset after 5 minutes back to 1 second or does it stay at 5 minute interval checking?

Regards
[389-users] Recovery Strategy
Hi

As far as I can see the documentation does not make mention of backups other than the userdb, netscapedb and dse.ldif. With regards to the certificate databases and admin server configuration are there any specific strategies, recommendations or readymade scripts? I am looking at scenarios where we would lose a server completely. I have considered two possible ways of recovering and would appreciate any thoughts, recommendations or warnings of peril.

Backup the following files:

tar:
/etc/dirsrv/slapd-/dse.ldif
/etc/dirsrv/slapd-/pin.txt
/etc/dirsrv/slapd-/*.db
/etc/dirsrv/admin-serv/*
/var/lib/dirsrv/slapd-ie1auth002/bak/*

Recovery method #1:
yum install 389-ds -y
untar all files and create directories.
use bak2db to restore databases
service dirsrv start

Recovery method #2:
Summary: Install software and "build from scratch"
Gory detail:
yum install 389-ds -y
setup-ds.pl -f settings.file -s
Copy *.db files back
enable-changelog
create netscape root suffix
enable master replica for netscape root
re-initiate from other master
register-ds-admin -f setingsfile -s -u

There would be two ways of getting data back, either by re-populating from other databases or by restoring the backed up data using bak2db. I have not yet tested these methods so there might be omissions in the steps above.

Best Regards
Re: [389-users] Connections not closing
> I have an issue with our Fedora Consumers running 1.2.0 on Fedora 10 in
> that they don't seem to be closing old connections and so the open
> connections are building up until performance is impacted and eventually
> we run out of file handles.
> ... cut
>
> tcp_keepalive_time = 600
> tcp_keepalive_intvl = 75
> tcp_keepalive_probes = 9
>
> Why are these connections not timing out after the Idle time? At the
> moment I am having to regularly restart the directory service in order
> to clear the connections down.

Hi Jim,

I have not yet run into such issues... which is not to say I won't. Our tcp_keepalive_time is set to 300; whether that will make a difference is difficult to say, but worth a try I would say.

Best Regards
[389-users] How to force a user to change his/her password in a Multi master environment
Hi,

Is there a way of forcing a single user to change his/her password in a multi-master environment? The only way it seems possible is to enable per-user password policy and then set the passwordMustChange flag. However, since password policy is not replicated, that does not seem like a very good solution.

The documentation makes mention, when reading about the passwordMustChange flag, that if it is set globally and the password is reset by the Directory Manager then the user will be prompted to change his/her password on first login. What does this "reset" actually mean, what values get changed? I have not seen a way to reset a password for a user in the 389-console and thus could not deduce what the possible ldif modifications would be.

If the answers to this are in the documentation then please point me in the general direction, but I have not found any answers to the above questions in the documentation yet.

Best Regards
[389-users] SSHA and friends
Hi

This is probably OT but I am not having much luck with google. How can I create SSHA512 strings? I have been using either a php script or slappasswd to create SSHA passwords but am not sure how to do SSHA512. openssl can create the SHA512 digest but I am not sure how to add the random seed bit.

My question probably illuminates my lack of understanding of the subject.

Best Regards
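Since the question is how the salted-SHA schemes are put together, here is an added example (my own code, not from the post, from slappasswd or from 389 DS) that builds and verifies {SSHA}, {SSHA256} and {SSHA512} values the way the 389/OpenLDAP salted-SHA family stores them: digest = H(password || salt), stored value = base64(digest || salt). The "random seed bit" is the salt, random bytes appended to the password before hashing and stored in the clear after the digest so a verifier can repeat the computation. The 8-byte salt length and the small LDIF line parser are my assumptions; the verifier recovers the salt from the stored value, so it accepts any salt length.

```python
"""Salted SHA password hashes of the {SSHA*} family (389 DS / OpenLDAP style).

Construction (added example, not code from the mailing-list post):
    digest = H(password || salt)
    stored = "{SCHEME}" + base64(digest || salt)
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Scheme label -> hashlib algorithm name. {SSHA} is SHA-1; the suffix on
# the others names the SHA-2 digest size in bits.
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}

# 8-byte salts are an assumption of this example; the verifier below reads
# whatever follows the digest, so any salt length verifies.
DEFAULT_SALT_LEN = 8


def make_ssha(password: str, scheme: str = "SSHA512", salt: bytes | None = None) -> str:
    """Return a '{SCHEME}base64' string for password. A fixed salt may be
    passed for testing; in production leave it None so os.urandom picks one."""
    scheme = scheme.upper()
    algo = SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_stored(stored: str) -> tuple[str, bytes, bytes]:
    """Split '{SCHEME}base64' into (scheme, digest, salt)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}-prefixed value")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    algo = SCHEMES[scheme]  # KeyError for schemes this example does not know
    raw = base64.b64decode(b64, validate=True)
    dlen = hashlib.new(algo).digest_size
    if len(raw) <= dlen:
        raise ValueError("stored value too short to contain digest + salt")
    return scheme, raw[:dlen], raw[dlen:]


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute H(password || salt) with the salt taken from the stored
    value and compare in constant time."""
    scheme, digest, salt = split_stored(stored)
    calc = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(calc, digest)


def ldif_attr_value(line: str) -> tuple[str, str]:
    """Parse one single-line LDIF attribute (assumed helper). 'attr:: value'
    carries a base64-encoded value, as ldapsearch emits for non-printable
    data; 'attr: value' is literal. Returns (attribute, decoded value)."""
    if "::" in line:
        attr, b64 = line.split("::", 1)
        return attr.strip(), base64.b64decode(b64.strip()).decode("utf-8")
    attr, value = line.split(":", 1)
    return attr.strip(), value.strip()


if __name__ == "__main__":
    stored = make_ssha("correct horse", "SSHA512")
    print(stored)
    print(verify_ssha("correct horse", stored), verify_ssha("wrong", stored))
```

Because the salt is random, two hashes of the same password differ; that is the point of salting, and it is why a stored value can only be checked by re-hashing with the salt it carries, never by comparing strings.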
[389-users] Not allowed to change password once it has expired
Hi

I am in the midst of debugging this but am hoping anyone can shed some light on the issue or point me in the right direction. A certain combination of changes to the global password policy seems to break the ability to change a user's password.

    us...@client01.example's password:
    You are required to change your LDAP password immediately.
    Last login: Mon Sep 27 16:06:18 2010 from 10.5.11.115
    Connection to client01.example closed.

When it works it looks like:

    ssh client01 -l user1
    us...@client01's password:
    You are required to change your LDAP password immediately.
    Creating directory '/home/user1'.
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user user1
    Enter login(LDAP) password:
    Connection to client01 closed.

Settings that we have toggled in the global password policy are:

    Enable fine-grained password policy
    User must change password after reset
    Allow changes in x days

We don't change anything on the client so I am 99% sure it's not a pam misconfiguration.

Best Regards
Re: [389-users] 389 DS 1.2.6. and certificates
Hi

I have seen similar problems... in my case the database became corrupt if I changed it while dirsrv was running.

Also check permissions:

    -rw------- 1 nobody root 65536 Aug 12 12:18 cert8.db
    -rw------- 1 nobody root 16384 Aug 12 12:18 key3.db
    -rw------- 1 nobody root 16384 Sep 28 17:08 secmod.db

and my CA only has CT,,

Not sure that would make a difference but worth checking.

Regards

From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Reinhard Nappert [rnapp...@juniper.net]
Sent: 28 September 2010 16:24
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Yes, I built it myself on 4.4.

No, it does not make a difference when I change the files to read only, before I restart the server

-----Original Message-----
From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
Sent: Tuesday, September 28, 2010 11:05 AM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] 389 DS 1.2.6. and certificates

Reinhard Nappert wrote:
> Hi,
> I built and installed the 389 Directory Server 1.2.6 on CentOS 4.4.

Do you mean 5.5? Or did you build it yourself?

> The server works fine.
> Then, I generated the certs (using certutil) and imported them in the
> cert-store. The certs are basically generated by the
> setupssl2.sh script. When I list the certs afterwards, everything
> looks fine:
>
> certutil -L -d /etc/dirsrv/
> CA certificate CTu,u,u
> u,u,u
>
> However, when I restart the server, I get the following error and the
> server does not come up anymore:
> [28/Sep/2010:10:45:40 -0400] - SSL alert: Security Initialization: NSS
> initialization failed (Netscape Portable Runtime error -8174 -
> security library: bad database.): certdir: /etc/dirsrv/
>
> Not surprisingly, the certutil -L -d comes up with the same error:
> certutil: function failed: security library: bad database.
>
> Any idea, what goes wrong there?

Not sure. After running the script to generate the certs, can you change the cert8.db, key3.db, and secmod.db files to be read only (mode 0400), before starting the directory server? Does that help?

> Thanks,
> -Reinhard
[389-users] User insert fails... because of pwpolicy?
Hi

Adding a user with the following ldif file:

    dn: uid=SystemAuthentication,ou=Service Accounts,dc=mycompany
    givenName: System
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    sn: Authentication
    cn: SystemAuthentication
    uid: SystemAuthentication
    userPassword: {SSHA}blah

fails with:

    ldapadd: Object class violation (65)
    additional info: single-valued attribute "passwordExpirationTime" has multiple values

Does this fail because the enabled password policy is also trying to add a value? Is there a way to override this other than doing an ldapmodify after adding the users?

Best Regards
Re: [389-users] Magic required for subtree password policy?
> From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Rich Megginson [rmegg...@redhat.com]
> Sent: 13 October 2010 15:57
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Magic required for subtree password policy?
>
> Gerrard Geldenhuis wrote:
>> Hi
>> The admin guide says that one should use the ns-newpwpolicy.pl script to set
>> subtree password policies on the command line. Can we also set this using
>> ldifs or is there some magic that this script performs that can't be achieved
>> by using ldifs?
>>
> Depends on what you mean by magic. If you're starting from scratch, a
> clean tree, you should be able to do everything by ldif files +
> ldapmodify. If you want to add to or modify an existing subtree
> password policy, that may be difficult to do with just ldif files - you
> may have to search first, then alter your ldif based on the search results.

Thanks, the question was related to starting from scratch.

> The ns-newpwpolicy.pl script essentially just generates ldif and passes
> that to ldapmodify.
>
> See
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Configuring_the_Password_Policy-Configuring_SubtreeUser_Password_Policy_Using_the_Command_Line
>
>> Regards

I did read that documentation, but I was unclear whether the documentation wanted you to only use the command or whether modifying using ldifs was permitted. I guess that specifying the command prevents unnecessary support calls or emails on the list because of faulty configuration.

Regards
[389-users] Greedy PAM
Hi

Not strictly a 389 question but maybe 389 offers a solution. I have a tree structure as follows:

    dc=company
    ou=people,dc=company
    ou=groups,dc=company

On my client I have the following searchbase in /etc/ldap.conf:

    dc=company

If I login as user gerrard and look at the network traffic then every possible user is sent to the client. This is not a problem yet but would be a problem on a slow link or with lots of users. Changing the base to ou=people,dc=company works in that the search results returned are way smaller, but breaks everything else because group membership is not in that base.

Is there a way to dynamically have search bases when queries for certain data are done? How do you configure clients to be more selective when doing searches against an ldap directory?

Regards
[389-users] Triggers
Hi

I was wondering if there is a universal "trigger" system that I could use in 389 to, for example, let me know when a group gets a new member, or loses a member. The admin guide http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html has only 9 entries for the word trigger. The USN plugin looked the most similar to what I want to do.

My aim is to be able to monitor for group modifications and email someone appropriate when the group membership changes. I was hoping this is something I can achieve without too much or any external programming as I would like it to be contained logically within 389.

I would appreciate any guidance on how to go about doing this and what other people have done. Do I need to write my own plugin?

Regards
Re: [389-users] Performance tuning - where to begin?
Hi Daniel,

I am getting 1200 conn/sec on very old hardware so maybe something else is wrong. The very first thing to do is to run the logconv.pl script, which comes installed with 389. It has a flag for recommendations which I suggest you enable, or just enable every flag.

Sample command:

    logconv.pl /var/log/dirsrv/slapd-/access -efcibaltnxrgjyp

I don't yet understand all the errors that this tool reports but it is a good start.

One other thing: I disabled log buffering at one stage to debug something. I forgot about this and then ended up debugging why the server was so slow until I realized that is what I had done. So make sure you have logbuffering enabled.

    dn: cn=config
    changetype: modify
    replace: nsslapd-accesslog-logbuffering
    nsslapd-accesslog-logbuffering: on

Regards

> -----Original Message-----
> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Daniel Fenert
> Sent: 03 February 2011 16:30
> To: General discussion list for the 389 Directory server project.
> Subject: [389-users] Performance tuning - where to begin?
>
> Hi,
>
> I have a performance problem on a 389-ds server and don't really know where
> to start fine tuning.
>
> My current setup is master (2xQuadCore, 8GB RAM), few read-only slaves.
> It works (more or less) without problems, but I would like to migrate to
> multi master (2 master servers).
>
> To check if one master will handle the whole load, I've tried switching
> clients from slaves to master one by one.
>
> After switching clients from the third slave, I've encountered a weird problem
> - master was about 50% busy (looking at the cpu, no IO waits), but there was
> a problem with new connections.
> Looking at the network level - there was SYN from client, but no ACK until
> one or two retransmissions of SYN.
>
> I've tried increasing thread number (from 30 to 60), but the problem still exists.
>
> The problem is near 400-500 connections/second. My whole load is
> ~750conn/sec. Looking at the CPU usage, this server should handle the load.
> It works stable with load ~300conn/sec.
>
> There are plenty of configuration options, where should I look first?
>
> --
> Daniel Fenert
[389-users] Remediating Encryption Levels
Hi

I am currently testing this but would like to double up my testing with any other experiences on the list. A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference dialog box for both the admin and dirsrv. I am testing whether this will have any effect on any connection within my setup that uses SSL, thus chaining, replication, console and general authentication from CentOS and Red Hat clients.

My understanding is that having those lower levels like DES 56 enabled allows such a connection, but the connection encryption level will be determined by what the client initiates, if supported at the server. So if the client initiates a 128bit RC4 it will be a 128bit RC4 connection. With this in mind, what would be the default level of encryption if the client is "internal" to the 389DS, that is, the encryption level for chaining and replication and connecting to the console? If an encryption level is not supported, what is the negotiating logic to determine a working connection?

Regards
Re: [389-users] Chaining woes again v2 - solutions
> From: 389-users-boun...@lists.fedoraproject.org [389-users-boun...@lists.fedoraproject.org] on behalf of Rich Megginson [rmegg...@redhat.com]
> Sent: 21 October 2010 15:22
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Chaining woes again v2 - solutions
>
> Gerrard Geldenhuis wrote:
>> Hi
>> Just a quick follow-up regarding this thread.
>>
>> We discovered the real problem: encryption of the password.
>>
>> We have the following line in the ldif file:
>> nsmultiplexorcredentials: {SSHA}VItDJ0gykk1q8rzsJmIkkj64mAW1kkaZY
>>
> That's very bad. This looks as though the password was set manually to
> the output of pwdhash. You must always submit a clear text password to
> the directory server in an ldap add or modify request for this attribute.
>
>> We got one server working with chaining and the other not. The difference
>> turned out to be how the password was stored, and on the one box we changed
>> the password via the console to make sure it was correct.
>>
>> We have noted a small inconsistency which we would like to verify.
>>
>> On our production system the entry in dse.ldif looks as follows:
>> nsmultiplexorcredentials::
>>  e0RFU31ZczJMghghdtZkpTakl5Y29OYVIwc0NUdnpMVmFUU1JDd1
>>  hZNfsadfasdfsaZY143NkduYmJRenBK33sdfsadffdssiRUpvDlvQjRvUWR4ai9uZ2lWbzJQejduWj
>>  NMcHE4UWR4Sw==
>>
> This is base64 encoded - it should usually not be base64 encoded when
> output by ldapsearch, but the decoded version is quite strange:
>
> python
> >>> import base64
> >>> base64.b64decode('e0RFU31ZczJMghghdtZkpTakl5Y29OYVIwc0NUdnpMVmFUU1JDd1hZNfsadfasdfsaZY143NkduYmJRenBK33sdfsadffdssiRUpvDlvQjRvUWR4ai9uZ2lWbzJQejduWjNMcHE4UWR4Sw==')
> '{DES}Ys2L\x82\x18!v\xd6d\xa56\xa4\x97\x966\xf4\xe6\x15#\x0745Gg\xa4\xc5f\x15E5$7u\x85\x93_\xb1\xa7_j\xc7_\xb1\xa6X\xd7\x8d\xcd\x91\xdb\x98\x98\x94^\x9c\x12\xb7\xde\xc7_\xb1\xa7_}\xdb,\x89\x15)\xbc9oB4oQdxj/ngiVo2Pz7nZ3Lpq8QdxK'
>
> and the length is 106. I'm not sure what this is or how it got there.

Sorry, that is my mistake, I modified it by hand, adding and removing characters.

>> and on our test system it looks as follows:
>> nsmultiplexorcredentials: {DES}slo6RKJHfEqtcfbpLWHdgQ==
>>
> This is correct.

The question still remains why we would have DES and base64 encoding if we used the exact same method to change the password.

>> Apart from the length, which is due to us using a much longer password in
>> production, why does the test system use a {DES} and the production system
>> does not?
>
> Well, they both use a {DES} it's just that one is base64 encoded for
> some reason.

That is probably not that big a worry but the inconsistency should be noted. If you want I can test this again to see if this is a version issue or something else. Maybe it is length related... I will test that too.

>> In both cases we used the 389-console to make the changes.
>>
>> The version differences are (test on the left, prod on the right):
>>
>> 389-admin-1.1.11-1.el5            | 389-admin-1.1.11-0.6.rc2.el5
>> 389-admin-console-1.1.5-1.el5     | 389-admin-console-1.1.5-1.el5
>> 389-admin-console-doc-1.1.5-1.el5 | 389-admin-console-doc-1.1.5-1.el5
>> 389-adminutil-1.1.8-4.el5         | 389-adminutil-1.1.8-4.el5
>> 389-console-1.1.4-1.el5           | 389-console-1.1.4-1.el5
>> 389-ds-1.2.1-1.el5                | 389-ds-1.2.1-1.el5
>> 389-ds-base-1.2.6.1-1.el5         | 389-ds-base-1.2.6-0.11.rc7.el5
>> 389-ds-console-1.2.3-1.el5        | 389-ds-console-1.2.3-1.el5
>> 389-ds-console-doc-1.2.3-1.el5    | 389-ds-console-doc-1.2.3-1.el5
>> 389-dsgw-1.1.5-1.el5              | 389-dsgw-1.1.5-1.el5
>>
>> On the client, when we tried to do a password change, the error we would see
>> was operations error, which is not very useful.
>
> How did you attempt the password change, what was the exact error
> message you saw, what was in the directory server access and errors logs
> for the password change operation?

I will need to recreate the env and conditions. I will post the detail here tomorrow.

>> We did not see authentication issues on the consumer server with chaining
Re: [389-users] Bind to consumer binds to provider as well
>> When I do a bind to the consumer(slave) I also see a bind to the
>> provider(master); this seems really silly. My understanding is that
>> this behaviour is caused by needing to centrally store login attempts.
>> I have raised this matter previously but just wanted to double check
>> that the behaviour I am seeing is expected and not due to a
>> misconfiguration on our part.
>
> Are you using Chain On Update for Binds?
> http://directory.fedoraproject.org/wiki/Howto:ChainOnUpdate

We are indeed; we used that howto to set it up. Reading it now again it does say it will use the chaining backend for binds. Why is that? If we replicate changes down to the consumer how can the data be "fresher" than the consumer?

Regards
Re: [389-users] Bind to consumer binds to provider as well
> -----Original Message-----
> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
> Sent: 12 November 2010 18:22
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Bind to consumer binds to provider as well
>
>> I can imagine though that with this approach you can potentially have
>> more auth attempts than is allowed for.
>
> I guess we need some sort of fine grained approach, so that you would only
> chain certain operations, and only under certain conditions. What would
> that look like?

Admittedly my knowledge of the internals is close to zero and I am not sure what the list of possible operations is. I am also not aware what the motivation behind the current design is. We had a discussion about the different types of race conditions that one might possibly run into.

A. Current behaviour
   All bind requests go to master
   Failed logins get replicated back to consumer

B. Suggested behaviour
   All bind requests stay local
   Failed bind requests get chained back to master
   Master replicates failed login attempts back to consumer.

In both A and B you could have a higher number of attempts than is actually allowed before the replicated failed login attempts get written back to the consumer, where it will stop the user authenticating. There is a marginal potential for a higher number of requests if you don't chain bind requests. However this would probably only be exposed if someone is trying to programmatically break the system, as the normal retry time on the console would take longer than the time it would take to replicate failed login attempts back.

If the delay time between the consumer and the chaining backend is quite big then it makes authenticating against the chaining backend rather slow and takes away scalability in my opinion. Although you would need a very high number of bind requests before it becomes a problem. Latency is really the big issue here.

>>> In order to have global password policy. Let's say for example that
>>> you have password policy which states accounts are locked out after 3
>>> unsuccessful login attempts. If you have 5 directory servers, each
>>> with local password policy, that effectively means an attacker has 15
>>> tries to guess the password instead of 3.
>>>
>>>> If we replicate changes down to the consumer how can the data be
>>>> "fresher" than the consumer?
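The thread's behaviours A and B turn on one number: how many failed binds a lockout policy actually evaluates before every server rejects the account. The following is an added model of that (my own code, not anything from 389 DS or the thread) for judging how much a lockout threshold is weakened by per-server counters and replication lag. It assumes failed binds arrive at a fixed interval spread round-robin over the servers, that replication carries counter increments which land after a fixed lag, and that a server stops checking the password once its counter reaches the threshold; "chained" stands for behaviour A (one counter on the master), "local" for counters kept on each server.

```python
"""Model of how many failed binds an account lockout policy tolerates when
binds are served by several directory servers.

Added example, not 389 DS code.  Modes:
  "chained": every bind is forwarded to one master holding the single
             lockout counter (behaviour A in the thread).
  "local":   each server counts the failures it sees itself; the increment
             reaches every other server only after `replication_lag`
             seconds (None = never replicated, i.e. fully local policy).
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LockoutSim:
    num_servers: int
    max_failures: int
    mode: str = "chained"                  # "chained" or "local"
    replication_lag: float | None = 0.0    # seconds; None = no replication
    attempt_interval: float = 1.0          # seconds between failed binds
    # pending (deliver_time, target_server) replication events (assumed model)
    _pending: list[tuple[float, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("chained", "local"):
            raise ValueError("mode must be 'chained' or 'local'")
        # One counter on the master when chained, one per server otherwise.
        self.failures = [0] * (1 if self.mode == "chained" else self.num_servers)

    def _deliver(self, now: float) -> None:
        """Apply every replicated increment that has arrived by `now`."""
        due = [e for e in self._pending if e[0] <= now]
        self._pending = [e for e in self._pending if e[0] > now]
        for _, target in due:
            self.failures[target] += 1

    def run(self, total_attempts: int) -> dict:
        """Feed `total_attempts` failed binds and report how many were
        actually evaluated (a guess that could have matched) versus rejected
        outright because the serving server already saw the account locked."""
        evaluated = rejected = 0
        for k in range(total_attempts):
            now = k * self.attempt_interval
            server = 0 if self.mode == "chained" else k % self.num_servers
            self._deliver(now)
            if self.failures[server] >= self.max_failures:
                rejected += 1
                continue
            evaluated += 1
            self.failures[server] += 1
            if self.mode == "local" and self.replication_lag is not None:
                for other in range(self.num_servers):
                    if other != server:
                        self._pending.append((now + self.replication_lag, other))
        return {"evaluated": evaluated, "rejected": rejected,
                "counters": list(self.failures)}


def tolerated_attempts(**kw) -> int:
    """Number of password guesses the policy actually checks before lockout
    has taken effect on every server (60 attempts is enough to converge for
    the small configurations shown here)."""
    return LockoutSim(**kw).run(total_attempts=60)["evaluated"]


if __name__ == "__main__":
    for lag in (0.0, 10.0, None):
        n = tolerated_attempts(num_servers=5, max_failures=3, mode="local",
                               replication_lag=lag)
        print(f"local counters, replication lag {lag}: {n} guesses checked")
    print("chained to master:",
          tolerated_attempts(num_servers=5, max_failures=3, mode="chained"),
          "guesses checked")
```

With five servers and a threshold of three, the thread's "15 instead of 3" is the no-replication case; with instant replication the local counters behave like the chained master, and any lag in between buys extra evaluated guesses, which is the cost behaviour B pays for keeping binds local.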
Re: [389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7
> Creating directory server . . .
> Your new DS instance 'dmz' was successfully created.
> Creating the configuration directory server . . .
> Beginning Admin Server creation . . .
> Creating Admin Server files and directories . . .
> Updating adm.conf . . .
> Updating admpw . . .
> Registering admin server with the configuration directory server . . .
> Updating adm.conf with information from configuration directory server . . .
> Updating the configuration for the httpd engine . . .
> Starting admin server . . .
> output: ERROR: ld.so: object '/libldap60.so' from LD_PRELOAD cannot be
> preloaded: ignored.
> The admin server was successfully started.
> Admin server was successfully created, configured, and started.
> Exiting . . .
> Log file is '/tmp/setupXxX7a5.log'

We have seen the preload issue too. I have reported it via the links provided. The fix is as follows:

    diff start-ds-admin start-ds-admin.orig
    46c46
    < LD_PRELOAD="/usr/lib64/libldap60.so"
    ---
    > LD_PRELOAD=" /libldap60.so"

Just find the file called start-ds-admin and fix the line by adding /usr/lib64/ to it.

Regards
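Review bot: the replacement line in start-ds-admin hard-codes /usr/lib64, so the fix only holds on 64-bit hosts; on a 32-bit install the library lives under /usr/lib and the same "cannot be preloaded: ignored" error comes back. The original line, LD_PRELOAD=" /libldap60.so", has an empty directory component with a stray leading space, which reads as a library-directory substitution that never ran when the script was packaged, so the durable fix belongs in the package (or in deriving the directory at run time) rather than in a hand edit of the installed file, which the next package update overwrites. Worth adding to the bug report that the setup output still declares "The admin server was successfully started" despite the ignored preload, so the fault is silent unless someone reads the log.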
Re: [389-users] Slow response from server
> -----Original Message-----
> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
> Sent: 12 November 2010 18:45
> To: General discussion list for the 389 Directory server project.
> Subject: Re: [389-users] Slow response from server
>
> Gerrard Geldenhuis wrote:
>>> -----Original Message-----
>>> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
>>> Sent: 12 November 2010 16:32
>>> To: General discussion list for the 389 Directory server project.
>>> Subject: Re: [389-users] Slow response from server
>>>
>>> Gerrard Geldenhuis wrote:
>>>
>>>> Hi
>>>>
>>>> We are getting slow responses from one of our LDAP servers and I
>>>> am not sure what is causing the problem. I have run a logconv.pl -j
>>>> and the following is interesting:
>>>>
>>>> Connections Reset By Peer:0
>>>>
>>>> Resource Unavailable: 136
>>>>
>>>> - 136 (T1) Idle Timeout Exceeded
>>>>
>>> does logconv.pl -V show anything like unindexed searches, admin limit
>>> exceeded, long operation times?
>>>
>> No admin limit exceeded or long operation times.
>>
>> Strictly speaking we don't have unindexed searches but my test bash script
>> caused quite a number of them. We are seeing random timeouts to this specific
>> server when doing a search like the following:
>>
>> while true ; do ldapsearch -h ldapserver.company -ZZ -x -W -D
>> "uid=johndoe,ou=people,dc=company" -b "dc=company" -L -y pwd ; sleep
>> 0.5; done
>>
>> Watching the performance figures in the console does not highlight any
>> specific problems.
>>
>> I am fairly certain that it is an internal network issue but I need to have
>> proof, which is why we are currently doing tcpdumps.
>
> You're using TLS - if you remove the -ZZ, do you still have the same
> problem?

We are seeing the same problem with or without TLS based searches. At the moment I am not seeing the error...

There are no retransmits or packet errors so most likely not a networking issue. I have compared the config between this non-working server and another working server and there is very little difference between them. The normal timestamp change differences and order of some entries but nothing else.

Any suggestions on where to look next...?

To refresh what the thread was about: we are seeing timeouts against a 389 server on occasion when doing a very simple bind. The server is a provider server with chaining configured. Password policy is configured to be global.

Regards
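Both this thread and the performance-tuning reply earlier on this page lean on logconv.pl's counters (T1 idle-timeout closes, unindexed searches, long operation times, connection rate). As an added example, not the logconv.pl script itself and not code from either post, here is a small summariser that extracts the same figures from a 389 DS access log. The log lines inside it are constructed to mimic the access log format (connection, BIND/SRCH, RESULT with etime and notes=U, and "closed - T1" / "closed - U1" lines); they are not from any real server, and the dictionary keys are my own naming.

```python
"""Summarise a 389 DS access log along the lines of logconv.pl's counters.

Added example, not the logconv.pl script from the thread.  It reports T1
(idle timeout) closes, unindexed searches (RESULT lines tagged notes=U),
failed binds (err=49), operation times (etime) and the peak number of new
connections in any one second.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample log, laid out like a 389 DS access log; not real data.
SAMPLE_LOG = """\
[24/Nov/2010:14:09:01 +0000] conn=10 fd=64 slot=64 connection from 10.5.11.115 to 10.5.11.10
[24/Nov/2010:14:09:01 +0000] conn=10 op=0 BIND dn="uid=johndoe,ou=people,dc=company" method=128 version=3
[24/Nov/2010:14:09:01 +0000] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=johndoe,ou=people,dc=company"
[24/Nov/2010:14:09:01 +0000] conn=10 op=1 SRCH base="dc=company" scope=2 filter="(description=*)" attrs=ALL
[24/Nov/2010:14:09:03 +0000] conn=10 op=1 RESULT err=0 tag=101 nentries=412 etime=2 notes=U
[24/Nov/2010:14:09:03 +0000] conn=10 op=2 UNBIND
[24/Nov/2010:14:09:03 +0000] conn=10 op=2 fd=64 closed - U1
[24/Nov/2010:14:09:04 +0000] conn=11 fd=65 slot=65 connection from 10.5.11.116 to 10.5.11.10
[24/Nov/2010:14:09:04 +0000] conn=12 fd=66 slot=66 connection from 10.5.11.117 to 10.5.11.10
[24/Nov/2010:14:09:04 +0000] conn=11 op=0 BIND dn="uid=johndoe,ou=people,dc=company" method=128 version=3
[24/Nov/2010:14:09:05 +0000] conn=11 op=0 RESULT err=49 tag=97 nentries=0 etime=1
[24/Nov/2010:14:09:04 +0000] conn=12 op=0 BIND dn="uid=svc,ou=people,dc=company" method=128 version=3
[24/Nov/2010:14:09:04 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc,ou=people,dc=company"
[24/Nov/2010:14:19:05 +0000] conn=11 op=-1 fd=65 closed - T1
[24/Nov/2010:14:19:05 +0000] conn=12 op=-1 fd=66 closed - T1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) (?P<rest>.*)$")
RESULT_RE = re.compile(
    r"RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+) "
    r"etime=(?P<etime>[\d.]+)(?: notes=(?P<flags>\S+))?")
CLOSED_RE = re.compile(r"closed - (?P<reason>[A-Z]\d)")

BIND_RESPONSE_TAG = "97"        # LDAP BindResponse tag as logged by 389 DS
ERR_INVALID_CREDENTIALS = "49"  # LDAP resultCode invalidCredentials


def summarize(log_text: str) -> dict:
    """Walk the log once and return the counters a tuning pass looks at."""
    close_reasons: Counter = Counter()
    conns_per_second: Counter = Counter()
    etimes: list[float] = []
    results = binds = failed_binds = unindexed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or other non-operation line
        rest = m.group("rest")
        if "connection from" in rest:
            conns_per_second[m.group("ts")] += 1
            continue
        c = CLOSED_RE.search(rest)
        if c:
            close_reasons[c.group("reason")] += 1
            continue
        r = RESULT_RE.search(rest)
        if r:
            results += 1
            etimes.append(float(r.group("etime")))
            if r.group("tag") == BIND_RESPONSE_TAG:
                binds += 1
                if r.group("err") == ERR_INVALID_CREDENTIALS:
                    failed_binds += 1
            if r.group("flags") and "U" in r.group("flags"):
                unindexed += 1  # notes=U marks an unindexed search
    return {
        "results": results,
        "binds": binds,
        "failed_binds": failed_binds,
        "unindexed_searches": unindexed,
        "idle_timeouts_T1": close_reasons.get("T1", 0),
        "close_reasons": dict(close_reasons),
        "max_etime": max(etimes, default=0.0),
        "avg_etime": round(sum(etimes) / len(etimes), 3) if etimes else 0.0,
        "peak_conn_per_sec": max(conns_per_second.values(), default=0),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:20} {value}")
```

A T1 close by itself only says the client held the connection open past nsslapd-idletimeout; it becomes interesting when, as in this thread, the same clients are not timing out against a sibling server, which points at the server's per-operation etime and its accepted-connection rate rather than the network.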
Re: [389-users] Slow response from server
Interesting statistics when running ldclt...

On the problematic server I see:

    ldclt[16390]: Average rate:    7.10/thr (   7.10/sec), total:    71
    ldclt[16390]: Average rate:    6.80/thr (   6.80/sec), total:    68
    ldclt[16390]: Average rate:    6.90/thr (   6.90/sec), total:    69
    ldclt[16390]: Average rate:    7.00/thr (   7.00/sec), total:    70

and on the functioning server I see:

    ldclt[16420]: Average rate: 1397.00/thr (1397.00/sec), total: 13970
    ldclt[16420]: Average rate: 1336.70/thr (1336.70/sec), total: 13367
    ldclt[16420]: Average rate: 1387.20/thr (1387.20/sec), total: 13872
    ldclt[16420]: Average rate: 1387.80/thr (1387.80/sec), total: 13878
    ldclt[16420]: Average rate: 1332.70/thr (1332.70/sec), total: 13327

Clearly one server is much more capable than the other; what could be the cause of that? They both have identical hardware and were configured identically as far as I am aware.

Regards

> -----Original Message-----
> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Gerrard Geldenhuis
> Sent: 24 November 2010 14:09
> To: 'General discussion list for the 389 Directory server project.'
> Subject: Re: [389-users] Slow response from server
>
>> -----Original Message-----
>> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
>> Sent: 12 November 2010 18:45
>> To: General discussion list for the 389 Directory server project.
>> Subject: Re: [389-users] Slow response from server
>>
>> Gerrard Geldenhuis wrote:
>>>> -----Original Message-----
>>>> From: 389-users-boun...@lists.fedoraproject.org [mailto:389-users-boun...@lists.fedoraproject.org] On Behalf Of Rich Megginson
>>>> Sent: 12 November 2010 16:32
>>>> To: General discussion list for the 389 Directory server project.
>>>> Subject: Re: [389-users] Slow response from server
>>>>
>>>> Gerrard Geldenhuis wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> We are getting slow responses from one of our LDAP servers and I
>>>>> am not sure what is causing the problem. I have run a logconv.pl -j
>>>>> and the following is interesting:
>>>>>
>>>>> Connections Reset By Peer:0
>>>>>
>>>>> Resource Unavailable: 136
>>>>>
>>>>> - 136 (T1) Idle Timeout Exceeded
>>>>>
>>>> does logconv.pl -V show anything like unindexed searches, admin
>>>> limit exceeded, long operation times?
>>>>
>>> No admin limit exceeded or long operation times.
>>>
>>> Strictly speaking we don't have unindexed searches but my test bash
>>> script caused quite a number of them. We are seeing random timeouts to this
>>> specific server when doing a search like the following:
>>> while true ; do ldapsearch -h ldapserver.company -ZZ -x -W -D
>>> "uid=johndoe,ou=people,dc=company" -b "dc=company" -L -y pwd ; sleep
>>> 0.5; done
>>>
>>> Watching the performance figures in the console does not highlight
>>> any specific problems.
>>>
>>> I am fairly certain that it is an internal network issue but I need
>>> to have proof, which is why we are currently doing tcpdumps.
>>>
>> You're using TLS - if you remove the -ZZ, do you still have the same
>> problem?
>
> We are seeing the same problem with or without TLS based searches. At the
> moment I am not seeing the error...
> There are no retransmits or packet errors so most likely not a networking
> issue. I have compared the config between this non-working server and
> another working server and there is very little difference between them.
> The normal timestamp change differences and order of some entries but
> nothing else.
>
> Any suggestions on where to look next...?
>
> To refresh what the thread was about: we are seeing timeouts against a 389
> server on occasion when doing a very simple bind. The server is a provider
> server with chaining configured. Password policy is configured to be global.
>
> Regards