Roberto Polli | 24 May 17:49

About 389 cache and backend behavior

Hi all,

where can I find a brief description of the 389 communication between:
 - client
 - 389 cache
 - 389 backend
 - COS and VLV 

Is there a way to delve into it without reading the code?

Thx+ Peace,
R.
--

-- 
Roberto Polli
Community Manager
Babel S.r.l. - http://www.babel.it
T: +39.06.9826.9651 M: +39.340.652.2736 F: +39.06.9826.9680
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

CONFIDENTIAL: This message and its attachments are confidential and 
intended for the addressees.
Unauthorized forwarding to recipients other than those indicated in the 
original message is prohibited.
If received in error, use of the content is prohibited; please notify the 
sender and delete it immediately.
--
389 users mailing list
389-users <at> lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Chris Cawley | 23 May 20:59

Upgrade to fedora 16 with real CA fails

Hello,

I went through some of the docs/emails; however, it still seems like
the NSS is not working correctly.

On a separate, but related issue, it seems like you cannot use
the GUI to generate a key with 2048 bits.  To get a real CA, some
vendors ask for this.

- Thanks
- Chris

Chris Cawley
System Administrator
Washington Research Library Consortium
301-390-2049
cawley <at> wrlc.org

Lucas Sweany | 22 May 23:32

Disable unhashed#user#password altogether

Is there a way to prevent the unhashed#user#password attribute from being stored or used at all? I don't need it to be replicated anywhere--I presume that the hashed password will be enough to authenticate users.

Thanks,

-Lucas

Petr Spacek | 22 May 19:18

subtree stacking/subtree virtual views

Hello,

I'm looking for some way how to "stack" LDAP sub-trees one on top of another.

What I mean: Let's have two subtrees:
dc=lower  and  dc=upper

dc=lower contains objects:
cn=obj1
cn=obj2,attr A = 2
cn=obj3

dc=upper contains objects:
cn=obj2,attr A = 4
cn=obj4

Now I push dc=upper on top of dc=lower (let say it creates dc=stack)
Queries with base dc=stack will return:
cn=obj1 --> same object as in dc=lower
cn=obj2 --> same object as in dc=upper, attr A = 2
cn=obj3 --> same object as in dc=lower
cn=obj4 --> same object as in dc=upper

I saw overlays "relay" and "rwm" in OpenLDAP. Is there any support in 389 for 
this use case?

I need to override several records from "lower" subtree with object from 
"upper" subtree. Problem is, that subtree "lower" can contain 10 000 objects 
and I need to override only 5 of them. I'm searching for effective way how to 
accomplish this without copying whole subtree "lower" to "upper".

Thanks for your time.

Petr^2 Spacek
Michael R. Gettes | 21 May 17:18

compressed log files

Hi, I figured I would ask the question here before proceeding with an RFE.

I searched TRAC and couldn't locate any relevant tickets.

I'd like to have 389 compress rotated log files to save significant amounts of disk space.  Additionally,
logconv.pl and other relevant tools would need to be modified to dynamically uncompress logfiles being
processed (yes, I know I could gunzip -c and stuff like that but it would be easy to modify the tool to "do the
right thing").  Is this a reasonable RFE or is it deemed "out of scope"?

thanks

/mrg
Carsten Grzemba | 21 May 07:59

Re: cannot build admin-console on Mandriva

Hi,

Look at the RPM spec; there you can see that there are ant options to prevent the external downloads.

Regards

On 21.05.12, Liutauras Adomaitis <liutauras.adomaitis <at> gmail.com> wrote:

Hi all,

this is my acquaintance with 389 directory server. I need to build
admin console so I can connect to an installed server.
I'm following instructions in
http://directory.fedoraproject.org/wiki/BuildingConsole
Everything went fine up until "Building Directory Server Console
(389-ds-console)".
When I launch ant in the 389-ds-console directory I get:

Buildfile: build.xml

prepare_build:

import_console:
    [input] An imports file must be specified.  Enter the imports file
that you want to use: [imports]
imports.FC3
    [mkdir] Created dir: /usr/local/src/imports/console
      [get] Getting:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] To: /usr/local/src/imports/console/console10.tar.gz
      [get] Error opening connection java.io.FileNotFoundException:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] Error opening connection java.io.FileNotFoundException:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] Error opening connection java.io.FileNotFoundException:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] Can't get
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
to /usr/local/src/imports/console/console10.tar.gz

BUILD FAILED
/usr/local/src/389-ds-console-1.2.6/build.xml:71: Can't get
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
to /usr/local/src/imports/console/console10.tar.gz

When prompted for the import file I specified the import.FC3 file, which, as
far as I can see, provides a URL to download an installer file, but the
URL is not valid, as you can see from the install log.

I have downloaded these versions so far:
389-console-1.1.7.tar.bz2
389-ds-console-1.2.6.tar.bz2
idm-console-framework-1.1.7.tar.bz2

Any ideas?
thanks
Liutauras
--
Carsten Grzemba
Liutauras Adomaitis | 21 May 07:47

cannot build admin-console on Mandriva

Hi all,

this is my acquaintance with 389 directory server. I need to build
admin console so I can connect to an installed server.
I'm following instructions in
http://directory.fedoraproject.org/wiki/BuildingConsole
Everything went fine up until "Building Directory Server Console
(389-ds-console)".
When I launch ant in the 389-ds-console directory I get:

Buildfile: build.xml

prepare_build:

import_console:
    [input] An imports file must be specified.  Enter the imports file
that you want to use: [imports]
imports.FC3
    [mkdir] Created dir: /usr/local/src/imports/console
      [get] Getting:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] To: /usr/local/src/imports/console/console10.tar.gz
      [get] Error opening connection java.io.FileNotFoundException:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] Error opening connection java.io.FileNotFoundException:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] Error opening connection java.io.FileNotFoundException:
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
      [get] Can't get
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
to /usr/local/src/imports/console/console10.tar.gz

BUILD FAILED
/usr/local/src/389-ds-console-1.2.6/build.xml:71: Can't get
http://port389.org/built/components/console/1.0/20051027/RHEL4_x86_gcc3_OPT.OBJ/console10.tar.gz
to /usr/local/src/imports/console/console10.tar.gz

When prompted for the import file I specified the import.FC3 file, which, as
far as I can see, provides a URL to download an installer file, but the
URL is not valid, as you can see from the install log.

I have downloaded these versions so far:
389-console-1.1.7.tar.bz2
389-ds-console-1.2.6.tar.bz2
idm-console-framework-1.1.7.tar.bz2

Any ideas?
thanks
Liutauras
Alberto Viana | 18 May 20:13

unhashed#user#password field

I have a 389 DS server replication agreement with an AD server, and when I change the password on the Windows side it replicates into 389, but via the 389 console I can see this field "unhashed#user#password" in clear text.


How can I encrypt this field? Is it possible?


I tried the following configuration:


dn: cn=unhashed#user#password,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: unhashed#user#password
nsEncryptionAlgorithm: AES

If I restart my server the field is gone.

The fact is that I need to prevent my admin from seeing the user's password.
Alberto Viana | 17 May 23:26

Sync with active directory doubts

Hello,


I have 2 389 DS servers and 6 AD servers, and I read this in the Red Hat documentation about Windows replication:

"There can only be a single sync agreement between the Directory Server environment and the Active Directory environment. Multiple sync agreements to the same Active Directory domain can create entry conflicts."

Now I'm trying the following scenario:


server2 389(consumer) <- replication -> server1 389 <- replication -> Server1 AD
                                                                      Server2 AD
                                                                      Server3 AD

So in my master 389 server (server1) I have 3 agreements with 3 different AD servers. It's not clear if "Active Directory environment" means just one AD server.

Just to make clear that the 6 AD servers are in the same Active Directory domain and all replicate information with each other. I have this number of AD servers because they are located in different places(physically).


Can this scenario create entry conflicts? Am I supposed to sync with just one AD server?



Thanks,

Alberto Viana


Brad Schuetz | 15 May 01:54

Strange Disk IO issue

I have recently upgraded our 389 servers from pretty old versions that
were a mix and match of 389 release and CentOS released versions (all on
centos 5) to the latest (on centos6) (specific RPMs listed below).

I did this through a full ldif dump of the original server and imported
into a freshly installed new master server.  Then I set up the
replication agreements with the 7 slave servers and everything was
running fine. 

After about a week I started having a problem with the hub servers
where all of them after (possibly exactly) 24 hours would start going
crazy on the disk IO (95-100% according to sysstat) of that server
making queries to ldap slow.  The master server does not exhibit this
problem, it will run completely fine.

A simple restart of the dirsrv process corrects the issue and then it
will run for another 24 hours before repeating the issue.

The hardware running each node is somewhat different with varying disk
speeds underlying, but all exhibit the same behavior.

This happens the same on the 2 nodes that get relatively little traffic
and the 5 nodes that get a lot of traffic.

I was originally on the 389-ds-base release that shipped with CentOS6
and have changed to the version from the
<http://repos.fedorapeople.org/repos/rmeggins/389-ds-base/epel-389-ds-base.repo>
repo, both do the same thing.

Any thoughts/suggestions on how to fix or further diagnose this?  I've
had no luck with strace or error logs to find any issues.  At this point
I've unfortunately had to resort to a cron job to restart all of my LDAP
hubs.

Installed RPMs:
389-ds-console-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-admin-1.1.29-1.el6.x86_64
389-ds-base-1.2.10.7-1.el6.x86_64
389-adminutil-1.1.15-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-libs-1.2.10.7-1.el6.x86_64

--
Brad
Alberto Viana | 11 May 16:51

disabled user attribute

I have a 389 DS server 1.2.10 and I disabled/inactivated a user just for test (via 389 console), but I could not find what attribute was modified with this change. I need to know how to identify a disabled/inactivated user.
