[Fedora-directory-users] Problem with ldbm-backend in fds
by neuron ring
Hi,
I have two doubts to be clarified regarding fds ldbm database.
1. Can anyone help me find the total usage of an ldbm backend.
/*
* dbsize.c - ldbm backend routine which returns the size (in bytes)
* that the database occupies on disk.
*/
#include "back-ldbm.h"
int
ldbm_db_size( Slapi_PBlock *pb )
{
/*contents*/
}
What is this function doing? I'm not able to find any command
which returns the size of the database which occupies the disk space.
What command does that? How do I make use of this function "ldbm_db_size"?
-----------------------------------------------------------------------------------------------------
2.
/*
* rmdb.c - ldbm backend routine which deletes an entire database.
* This routine is not exposed in the public SLAPI interface. It
* is called by the replication subsystem when then changelog must
* be erased.
*/
#include "back-ldbm.h"
int
ldbm_back_rmdb( Slapi_PBlock *pb )
{
/*contents*/
}
When will this function be called? How do I exercise this "ldbm_back_rmdb"?
How do I remove the entire DB? I tried
ldapdelete and rm -rf <back-end directory>
but neither of them accessed this function "ldbm_back_rmdb". Can anyone
give me a pointer?
Thanks in advance,
Neuron Ring
15 years, 1 month
[Fedora-directory-users] SSL replication
by Emmanuel BILLOT
Hi,
During our many tests, we've seen a particular behaviour in certificate
checking, so we wonder if it is not a misconfiguration of our server:
We have installed 2 FDS with replication agreements between them. Those
replication agreements are configured with the "SSL connection" option
enabled, "simple authentication" and a replication manager.
A certificate has been generated for each server, using its FQDN.
Replication is ok.
However, we've made a mistake in a test, and one cert was generated
with a DNS hostname different from the server it was destined for, and
replication is still working...
How is this possible? Is there any hostname control in the SSL connection?
Ex: toutou.gaia.net (with the cert signed for toutou.gaia.intranet.net) is
replicating with gri.gaia.net (with the cert signed for gri.gaia.net)
BR,
--
==========================================
Emmanuel BILLOT
IRD - Orléans
Délégation aux Systèmes d'Information (DSI)
tel.: 02 38 49 95 88
==========================================
15 years, 1 month
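The question above asks whether a TLS connection checks the peer's hostname against its certificate. The following is an added example, not code from the post or from Fedora/389 Directory Server, and it does not describe what the server's replication code actually does; it shows what a hostname check is, so the post's own case (a cert issued for toutou.gaia.intranet.net presented by toutou.gaia.net) can be run through it, and how a Python client context is configured so that such a mismatch is rejected. The hostnames are taken from the post; the wildcard rules implemented are the conservative subset of RFC 6125 section 6.4.3 that browsers apply (this goes beyond the post's plain-name case).

```python
"""
Certificate hostname matching, as a verifying TLS client performs it.
Added example: not from the post or from Fedora/389 DS.  It models the
check itself, not the directory server's replication code.
"""
import ssl


def _labels(name):
    """Case-insensitive comparison, trailing dot ignored."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(hostname, pattern):
    """True if a dNSName `pattern` from a certificate covers `hostname`."""
    host, pat = _labels(hostname), _labels(pattern)
    if "*" not in pattern:
        return host == pat                      # plain names must be identical
    # Wildcard: only a bare "*" as the whole leftmost label, with at least two
    # labels to its right (so "*.net" is rejected), matching exactly one
    # non-empty label of the hostname and nothing deeper.
    if pat[0] != "*" or len(pat) < 3 or any("*" in lab for lab in pat[1:]):
        return False
    return len(host) == len(pat) and host[0] != "" and host[1:] == pat[1:]


def cert_matches_host(hostname, san_dns_names, subject_cn=None):
    """
    Subject Alternative Name dNSNames are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName at all.
    """
    names = list(san_dns_names) or ([subject_cn] if subject_cn else [])
    return any(dns_name_matches(hostname, n) for n in names)


def verifying_client_context():
    """
    A client context that refuses a peer whose certificate does not name the
    host being connected to.  PROTOCOL_TLS_CLIENT enables check_hostname and
    CERT_REQUIRED by default; a CA bundle is added with load_verify_locations()
    before the context is used for a real connection.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def context_enforces_hostname(ctx):
    """Audit helper: does this context verify both the chain and the hostname?"""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # The mismatch from the post: the server answers as toutou.gaia.net but
    # its certificate was issued for toutou.gaia.intranet.net.
    print(cert_matches_host("toutou.gaia.net", ["toutou.gaia.intranet.net"]))  # False
    print(cert_matches_host("gri.gaia.net", ["gri.gaia.net"]))                  # True
    print(context_enforces_hostname(verifying_client_context()))              # True
```

A client that accepts the mismatched certificate in the post is either not asked to verify the hostname at all or is matching only the chain of trust; `context_enforces_hostname` is the one-line audit to run on any context before trusting what it reports.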
[Fedora-directory-users] Total number of LDAP entries
by Branimir
Hi list,
Can someone tell me where to find the total number of LDAP entries
stored in FDC? I looked in the Console "Status" tab but I could not find
the number.
If someone can give me a hint...
Thank you in advance!
Best regards,
Branimir
15 years, 1 month
[Fedora-directory-users] Unable to properly login with cached password using libpam-ccreds
by Ryan Braun [ADS]
This isn't exactly fds specific, but I figure someone might have run into this
as well here. I'm trying to set up my ldap clients to cache their passwords so
they are able to log in if the network connection to the ldap servers goes down.
All servers and clients are running etch.
But I'm having issues getting users to log in successfully with a simulated
ldap outage (just blocking outgoing port 389 with iptables). While the
network is connected, the ldap user newuser is able to ssh in just fine; I
can see that the user's password is cached properly using cc_dump and testing
with cc_test. I don't think it's a problem with me entering the password
(it's just 111111, as you can see with cc_test).
xxxxxx19:~/ldap# cc_dump
Credential Type User Service Cached Credentials
----------------------------------------------------------------------------------
Salted SHA1 newuser any
37955e15e8960ac751616ed1c631f18763806651
xxxxxx19:~/ldap# cc_test -validate any newuser 111111
pam_cc_validate_credentials: Success
xxxxxx19:~/ldap# cc_test -validate any newuser 11111a
pam_cc_validate_credentials: Authentication failure
The oddest part (which must point to pam issues, methinks) is that the first
login attempt will always fail, while the second attempt will always work:
xxxxxx19:~/ldap# ssh newuser@localhost
newuser@localhost's password:
Permission denied, please try again.
newuser@localhost's password:
You have been logged on using cached credentials.
Linux xxxxxx19 2.6.24-etchnhalf.1-686-bigmem #1 SMP Tue Dec 2 08:50:08 UTC
2008 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 27 14:28:36 2009 from localhost
newuser@xxxxxx19:~$
All cached nss functionality is there during ldap server downtime.
xxxxxx19:~/ldap# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:ldap
reject-with icmp-port-unreachable
xxxxx19:~/ldap# id newuser
uid=1000(newuser) gid=1000(cfwos-user) groups=1000(test-user)
xxxxxx19:~/ldap# grep newuser /etc/passwd
xxxxxx19:~/ldap#
I've installed the following packages on the clients
nss-updatedb
libnss-db
libpam-ccreds
libpam-ldap
libnss-ldap
ldap-utils
Here are my pam configs.
newuser@xxxxxx19:~$ grep -v ^# /etc/pam.d/common-*|strings
/etc/pam.d/common-account:
/etc/pam.d/common-account:
/etc/pam.d/common-account:account sufficient pam_unix.so nullok_secure
/etc/pam.d/common-account:account sufficient pam_ldap.so
/etc/pam.d/common-account:account required pam_permit.so
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:auth sufficient pam_unix.so
/etc/pam.d/common-auth:auth required pam_group.so use_first_pass
/etc/pam.d/common-auth:auth [authinfo_unavail=ignore success=1 default=die] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=validate use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=store use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=update use_first_pass
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-password:password sufficient pam_ldap.so ignore_unknown_user
/etc/pam.d/common-password:password required pam_unix.so nullok obscure min=4 max=8 md5
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-session:session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
/etc/pam.d/common-session:session required pam_unix.so
/etc/pam.d/common-session:session optional pam_ldap.so
newuser@xxxxxx19:~$ grep -v ^# /etc/pam.d/login |strings
auth requisite pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
And the libnss/pam_ldap configs
xxxxxx19:~/ldap# vc /etc/libnss-ldap.conf
base dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://xxxsrvr0.xxx.xx.xx.xx
uri ldap://xxxsrvr1.xxx.xx.xx.xx
ldap_version 3
rootbinddn cn=directory manager
bind_timelimit 2
bind_policy soft
pam_check_host_attr yes
pam_password exop
tls_cacertdir /etc/ldap/cacerts
xxxxxx19:~/ldap# vc /etc/pam_ldap.conf
base dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://xxxsrvr0.xxx.xx.xx.xx
uri ldap://xxxsrvr1.xxx.xx.xx.xx
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts
Here is the log contents from auth.log
xxxxxx19:/var/log# grep 28664 auth.log.work |grep -v nss_ldap
Feb 27 14:51:18 xxxxxx19 sshd[28664]: pam_ldap: ldap_starttls_s: Can't contact
LDAP server
Feb 27 14:51:20 xxxxxx19 sshd[28664]: Failed password for newuser from
xxx.xx.xxx.247 port 44489 ssh2
Feb 27 14:51:36 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact
LDAP server
Feb 27 14:51:44 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact
LDAP server
Feb 27 14:51:44 xxxxxx19 sshd[28664]: Accepted password for newuser from
xxx.xx.xxx.247 port 44489 ssh2
xxxxxx19:/var/log#
(without a whole bunch of messages from nss_ldap about not being able to find
the server)
Anyone have any ideas?
Ryan Braun
Informatics Operations
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: (204) 833-2500x2625 CSN: 257-2625 FAX: (204) 833-2524
E-Mail: Ryan.Braun(a)ec.gc.ca
15 years, 1 month
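The common-auth stack quoted in the post above combines `sufficient`, `required` and bracketed `[value=action]` controls, and the verdict of such a stack depends on which return code each module hands back. The following is an added example, not code from the post, from Debian or from the PAM modules involved: a small simulator of the documented Linux-PAM control semantics (ok, done, bad, die, ignore, N = skip N modules) run over the post's own common-auth lines. The return codes in the scenarios (pam_unix returning user_unknown for an LDAP-only user, pam_ldap returning either authinfo_unavail or auth_err when the server is unreachable) are assumptions chosen to show how the outcome changes; they are not taken from the post's logs.

```python
"""
Linux-PAM control-flag simulator run over the post's common-auth stack.
Added example (not from the post or from any PAM module's code).  The
module return codes used in the scenarios are assumed, not observed.
"""

# Keyword flags as their documented [value=action] expansions.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}

# The auth lines of /etc/pam.d/common-auth from the post, wrapped lines rejoined.
COMMON_AUTH = """
auth sufficient pam_unix.so
auth required pam_group.so use_first_pass
auth [authinfo_unavail=ignore success=1 default=die] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store use_first_pass
auth [default=done] pam_ccreds.so action=update use_first_pass
"""


def parse_control(control):
    """'required' or '[authinfo_unavail=ignore success=1 default=die]' -> dict."""
    control = control.strip()
    if control.startswith("[") and control.endswith("]"):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return dict(KEYWORDS[control])


def parse_stack(text):
    """Parse 'auth <control> <module> [args...]' lines into (control, module, args)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        if parts[1].startswith("["):   # bracketed control may span several tokens
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control, module, args = " ".join(parts[1:end + 1]), parts[end + 1], parts[end + 2:]
        else:
            control, module, args = parts[1], parts[2], parts[3:]
        entries.append((parse_control(control), module, " ".join(args)))
    return entries


def run_stack(entries, returns):
    """
    Walk the stack.  `returns` maps 'module args' (or just 'module') to the
    PAM code that module produces; unlisted modules return 'success'.
    Rules: ok/done record the module's code unless a failure is already
    recorded (done also stops); bad/die do the same for failures (die stops);
    ignore changes nothing; N acts like ok and skips the next N modules.
    If no module contributed, Linux-PAM reports perm_denied.
    Returns (verdict, trace).
    """
    status, trace, i = None, [], 0
    while i < len(entries):
        control, module, args = entries[i]
        key = f"{module} {args}".strip()
        code = returns.get(key, returns.get(module, "success"))
        action = control.get(code, control.get("default", "ignore"))
        trace.append(f"{key}: {code} -> {action}")
        skip = int(action) if action.isdigit() else 0
        if action.isdigit():
            action = "ok"
        if action in ("ok", "done", "bad", "die") and status in (None, "success"):
            status = code
        if action in ("done", "die"):
            break
        i += 1 + skip
    return (status if status is not None else "perm_denied"), trace


def scenarios():
    """Outcomes of the post's stack for an LDAP-only user under assumed codes."""
    stack = parse_stack(COMMON_AUTH)
    ldap_only = {"pam_unix.so": "user_unknown"}          # no /etc/passwd entry
    validate = "pam_ccreds.so action=validate use_first_pass"
    return {
        "ldap reachable": run_stack(stack, ldap_only),
        "outage, pam_ldap -> authinfo_unavail":
            run_stack(stack, {**ldap_only, "pam_ldap.so": "authinfo_unavail"}),
        "outage, pam_ldap -> auth_err":
            run_stack(stack, {**ldap_only, "pam_ldap.so": "auth_err"}),
        "outage, wrong cached password":
            run_stack(stack, {**ldap_only, "pam_ldap.so": "authinfo_unavail",
                              validate: "auth_err"}),
    }


if __name__ == "__main__":
    for name, (verdict, trace) in scenarios().items():
        print(f"{name}: {verdict}")
        for step in trace:
            print("   ", step)
```

Reading the traces: with the server reachable, `success=1` skips the validate line and `action=store` ends the stack; with the server down, only `authinfo_unavail` takes the `ignore` branch into `pam_ccreds action=validate`, while any other error code from pam_ldap hits `default=die` and denies the login before the cache is consulted. Which code pam_ldap returns on a failed StartTLS versus a failed bind is therefore the thing to establish from its debug output when diagnosing a stack like this.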
[Fedora-directory-users] Too many FDS open
by James Chavez
Hello Rich, list,
Earlier today we started getting this error in our FDS error log
repeatedly. Obviously connections were being refused at this point. I
had to restart the directory server for the server to function again.
Prior to releasing this box into production I did set the parameters
according to the Installation Guide specifications. The output of
"ulimit -n" is 8192. The output of "sysctl -p" is below (I increased
fs.file-max from 64000). Does anything look off?
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 300
fs.file-max = 128000
net.ipv4.ip_local_port_range = 1024 65000
I also changed the setting in the config from
nsslapd-maxdescriptors: 1024 to
nsslapd-maxdescriptors: 8192
Is there a way to tweak these settings so that this will not happen in
the future?
This is a dedicated consumer or read only replica.
Directory size is roughly 20,000 users.
We are running FC9 and FDS 1.1.1-3.
We are lacking in RAM but look to improve on that shortly.
I do see on the web past posts to this list regarding this error; I am
currently looking through them. Is there anyone out there who has
experienced this and gotten past it?
Thanks
James
[25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too
many fds open
[25/Feb/2009:13:30:08 -0600] - Listening for new connections again
[25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too
many fds open
[25/Feb/2009:13:30:08 -0600] - Listening for new connections again
CONFIDENTIALITY
This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
15 years, 1 month
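The post above lists three separate limits (the shell's `ulimit -n`, the kernel's `fs.file-max`, and the server's `nsslapd-maxdescriptors`) and asks how to keep the "too many fds open" condition from recurring. The following is an added example, not code from the post or from the Fedora/389 Directory Server project: a check that reports the limit that actually binds (the smaller of the process's "Max open files" and the configured `nsslapd-maxdescriptors`), how much of it a running process is using, and how often the error-log pattern from the post has fired. The PID, paths and thresholds are constructed for illustration; the sample log lines are the ones quoted in the post, rejoined onto single lines.

```python
"""
Descriptor-headroom check for a directory server process on Linux.
Added example; not from the post or from the 389/Fedora DS project.
"""
import os
import re

# Pattern of the error-log lines quoted in the post.
LOG_EVENT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - Not listening for new connections - too many fds open"
)

# Constructed sample: the post's four log lines, each on one line.
SAMPLE_ERRORS_LOG = """\
[25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too many fds open
[25/Feb/2009:13:30:08 -0600] - Listening for new connections again
[25/Feb/2009:13:30:08 -0600] - Not listening for new connections - too many fds open
[25/Feb/2009:13:30:08 -0600] - Listening for new connections again
"""


def count_fd_exhaustion_events(log_text):
    """Count 'too many fds open' lines per timestamp; useful as an alert source."""
    events = {}
    for line in log_text.splitlines():
        m = LOG_EVENT.match(line)
        if m:
            events[m.group("ts")] = events.get(m.group("ts"), 0) + 1
    return events


def effective_limit(process_max_open_files, maxdescriptors):
    """The server can never hold more descriptors than the smaller of the two."""
    return min(process_max_open_files, maxdescriptors)


def fd_verdict(open_fds, process_max_open_files, maxdescriptors, warn_pct=75, crit_pct=90):
    """Return (level, effective_limit, percent_used) for a point-in-time sample."""
    limit = effective_limit(process_max_open_files, maxdescriptors)
    pct = 100.0 * open_fds / limit
    level = "CRIT" if pct >= crit_pct else "WARN" if pct >= warn_pct else "OK"
    return level, limit, round(pct, 1)


def findings(open_fds, process_max_open_files, maxdescriptors, file_max):
    """Human-readable list of what is wrong with this combination of limits."""
    out = []
    if maxdescriptors > process_max_open_files:
        out.append(f"nsslapd-maxdescriptors {maxdescriptors} exceeds the process "
                   f"'Max open files' {process_max_open_files}; the smaller value applies")
    if file_max < maxdescriptors:
        out.append(f"fs.file-max {file_max} is below nsslapd-maxdescriptors {maxdescriptors}")
    level, limit, pct = fd_verdict(open_fds, process_max_open_files, maxdescriptors)
    out.append(f"{level}: {open_fds} of {limit} descriptors in use ({pct}%)")
    return out


# --- live collection from /proc (Linux only; pid is a constructed argument) ---

def process_max_open_files(pid):
    """Soft 'Max open files' limit of a running process, from /proc/<pid>/limits."""
    with open(f"/proc/{pid}/limits") as f:
        for line in f:
            if line.startswith("Max open files"):
                return int(line.split()[3])      # columns: Max open files <soft> <hard> files
    raise RuntimeError("Max open files not present in /proc/<pid>/limits")


def open_fd_count(pid):
    """Descriptors currently held by the process."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def kernel_file_max():
    """System-wide limit the post tunes with sysctl fs.file-max."""
    with open("/proc/sys/fs/file-max") as f:
        return int(f.read())


if __name__ == "__main__":
    # Static review of the values quoted in the post (8000 open fds is constructed).
    for line in findings(8000, 8192, 8192, 128000):
        print(line)
    print(count_fd_exhaustion_events(SAMPLE_ERRORS_LOG))
    # Live check of a hypothetical ns-slapd pid:
    # pid = 1234; print(findings(open_fd_count(pid), process_max_open_files(pid), 8192, kernel_file_max()))
```

The point the static checks make is that raising `nsslapd-maxdescriptors` alone does nothing when the process's own soft limit is lower, and the live functions give the number that matters for alerting: descriptors actually held against the effective limit, sampled before the server stops listening rather than after.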
[Fedora-directory-users] Migrating Fedora DS 1.1 to another host by script "migrate-ds-admin"
by Wolf Siedler
Hi!
I need to migrate a Fedora Directory Server (1.1) from one host to
another. Both hosts are on latest CentOS 5 level.
Having read the installation instructions (8.4.3 Migrating a Directory
Server from One Machine to Another), I feel this could (should?) be done
by script migrate-ds-admin.pl.
Keeping the hostname is not a problem as the old host is about to be
disconnected anyway.
However, I am confused about the script parameters
--oldsroot/--actualroot from the manual. They both refer to the
Directory Server directory in /opt, where it used to be until Fedora DS
1.0.4.
I am unsure what to use for Fedora DS version 1.1.x.
Can anybody advise, please?
Is there any other potential issue I should be aware of?
Needless to say, I appreciate any advice.
Regards,
Wolf
15 years, 1 month
[Fedora-directory-users] SSL certificate problem with config two multimaster servers
by Victor Hugo dos Santos
Hello,
I have a problem with two FDS (1.1.3), both installed on CentOS 5.2
from the FedoraCore6 repository.
I'm trying to configure those two servers in a multimaster architecture
with SSL enabled in the console and directory.
- in a clean installation of CentOS, I install these packages:
============
rpm -qa | grep fedora
fedora-ds-admin-1.1.6-1.fc6
fedora-idm-console-1.1.1-1.fc6
fedora-ds-base-1.1.3-2.fc6
fedora-ds-dsgw-1.1.1-1.fc6
fedora-ds-console-1.1.2-1.fc6
fedora-ds-1.1.2-1.fc6
fedora-ds-admin-console-1.1.2-1.fc6
============
- after installation of the packages I run the "setup-ds-admin.pl" command on
server FDS1 and it works fine.
- having finished this process, I run "fedora-idm-console" and configure
certificates for the console and directory, and all works fine.
- well, now I change to server FDS2 and run the "setup-ds-admin.pl"
command; the only difference is that I set up this directory to connect
with FDS1
============
Configuration directory server? [no]: yes
Configuration directory server URL
[ldaps://fds1.mydomain.com:636/o=NetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [multiexportfoods.com]:
CA certificate filename: /tmp/root.txt
============
and that, too, works fine.. after finishing the installation, I can connect to
both directories (FDS1 and FDS2) from the console..
Now, I open the Manage Certificates window of FDS2.. the first time, I
set a password and after that I can create the certificates for the
directory.
After closing this window, I open the "Configuration" tab and click on the
"Encryption" sub-tab.. at this moment I get this error:
==============
Incorrect Usage
An error has occurred
Could not open file (null). File does not exist or filename is invalid.
==============
I click OK.. and in the "Encryption" sub-tab:
* the "Use this cipher family: RSA" content/block is hidden
* all other options ("Enable SSL for this server" / "Client
Authentication" / "Check hostname against") are disabled
I tried:
- reinstalling both servers
- configuring FDS2 first, then FDS1, and the problem persists (now in FDS1)
Obs.: If I install both servers independently, it works fine.
Since yesterday, I have been searching the web, bugzilla and the wiki.. but I
haven't found a solution or another similar problem.
Sincerely, I'm puzzled.. because basically this is a default
installation (two servers connected).. and it appears that only I have
this problem !! :-(
Thanks for any idea.
--
Victor Hugo dos Santos
Linux Counter #224399
15 years, 1 month