Slow Console Interaction
by Wendt, Trevor
Hello All,
I'm working with the new 389 Console for Windows v1.1.6 connecting to my remote server. When opening the console it sits at the "Initializing..." screen for exactly 10 minutes (600 seconds), then the console opens. Once open I see the "Server Group" and the admin/directory servers listed. Any action to open either server takes another 10 minutes.
I made a few config tweaks in admin-serv/local.conf to clear admserv_check notices in the error logs. No other errors are showing in the logs (/var/log/dirsrv/*/*).
I've lowered the cache settings from the default 600 to 30 for testing in the dse.ldif; no change.
Firewalls are off everywhere. I get the same results running the console on the local DS server as I do running from my remote windows desktops (WinXP 32bit and a Win7 64bit desktop; both running Java 1.6.0_20).
I am able to connect with Apache Directory Studio and other LDAP browsers without the 10 minute wait time; it seems specific to the console. Any suggestions?
Thanks!
________________________________
This electronic message transmission contains information from Black Hills Corporation, its affiliate or subsidiary, which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware the disclosure, copying, distribution or use of the contents of this information is prohibited. If you received this electronic transmission in error, please reply to sender immediately; then delete this message without copying it or further reading.
Segfault
by Edward Z. Yang
We've had ns-slapd segfault on us recently twice; we don't have a core dump (since the daemon script turns off core dumps, but hopefully we'll have one next time it happens) and I was wondering if anyone had seen this before:
ns-slapd[2725]: segfault at 10a3000010af ip 0000003d58c95785 sp 00007ff2abf04040 error 4 in libcrypto.so.0.9.8n[3d58c00000+15b000]
ns-slapd[2727]: segfault at 10a3000010af ip 0000003d58c95785 sp 00007ff2aab02040 error 4 in libcrypto.so.0.9.8n[3d58c00000+15b000]
Cheers,
Edward
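Even without a core, the two kernel lines quoted above carry usable information: both crashes fault at the same instruction pointer inside the libcrypto mapping, and the page-fault error code says what kind of access failed. The script below is an added example (not from the post or from 389-ds) that parses the x86 "segfault at" message format, turns the absolute ip into an offset into the library (the number addr2line or objdump wants, against the exact same libcrypto build), decodes the error code bits, and groups crashes by (object, offset) so repeated faults at one site are recognised as one bug. The two sample lines are the ones from the post; the /path/to/ placeholder in the suggested addr2line command is deliberately left for the reader to fill in.

```python
import re

# The two kernel messages quoted in the post, used here as sample input.
SAMPLE_LINES = [
    "ns-slapd[2725]: segfault at 10a3000010af ip 0000003d58c95785 sp 00007ff2abf04040 error 4 in libcrypto.so.0.9.8n[3d58c00000+15b000]",
    "ns-slapd[2727]: segfault at 10a3000010af ip 0000003d58c95785 sp 00007ff2aab02040 error 4 in libcrypto.so.0.9.8n[3d58c00000+15b000]",
]

# Format printed by the x86 fault handler (arch/x86/mm/fault.c):
#   comm[pid]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>[<base>+<size>]
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(code):
    """x86 page-fault error code bits."""
    return {
        "present": bool(code & 1),           # 1: protection violation, 0: page not present
        "write": bool(code & 2),             # 1: write access, 0: read
        "user": bool(code & 4),              # 1: fault raised in user mode
        "reserved_bit": bool(code & 8),
        "instruction_fetch": bool(code & 16),
    }


def parse_segfault(line):
    """Parse one kernel segfault line; None if the line is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    inside = base <= ip < base + size
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "object": m["obj"],
        "fault_addr": int(m["addr"], 16),
        "ip": ip,
        "sp": int(m["sp"], 16),
        # offset of the faulting instruction inside the mapped object; this is
        # what addr2line/objdump need, provided the binary is the same build
        "offset": ip - base if inside else None,
        "error": decode_error(int(m["err"])),
    }


def crash_sites(lines):
    """Distinct (object, offset) pairs: one pair across many crashes means one bug."""
    sites = set()
    for line in lines:
        r = parse_segfault(line)
        if r and r["offset"] is not None:
            sites.add((r["object"], r["offset"]))
    return sites


def describe(r):
    e = r["error"]
    access = "write" if e["write"] else "read"
    cause = "protection violation" if e["present"] else "unmapped page"
    mode = "user" if e["user"] else "kernel"
    return (f"{r['comm']}[{r['pid']}]: {mode}-mode {access} of 0x{r['fault_addr']:x} "
            f"({cause}) at {r['object']}+0x{r['offset']:x}")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_segfault(line)))
    for obj, off in crash_sites(SAMPLE_LINES):
        # /path/to/ is a placeholder: use the exact libcrypto build that crashed
        print(f"addr2line -f -e /path/to/{obj} 0x{off:x}")
```

For the posted lines this yields a single site, libcrypto.so.0.9.8n+0x95785, and error 4 decodes as a user-mode read of a page that is not mapped; the differing sp values only reflect that the two faults happened on different threads.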
build/package scripts for debian and ubuntu
by Ryan Braun [ADS]
Here are the scripts I've created for building and packaging 389 for various Debian and Ubuntu distributions.
Current targets are etch, lenny, squeeze, karmic and lucid.
I haven't tested these extensively, but they all seem to build/install and return proper results when running test ldapsearches.
One slight note: on any target newer than etch, you'll likely need to symlink /usr/lib/nss/libsofttokn3.so to /usr/lib or the build of mozldap will break and the directory server will not function as well. Not sure why that is yet.
Give them a whirl and let me know how they work for you.
Ryan Braun
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
E-Mail: Ryan.Braun(a)ec.gc.ca
Tuning recommendation for multi-master replicated LDAPs
by Chun Tat David Chu
Hi All,
I am noticing some differences in performance between a single operated LDAP (no replication configured) and a multi-master replicated LDAP.
For example, in a single operated LDAP I can perform about 50-60 writes to the LDAP (create and delete entry), and for a multi-master replicated LDAP I can only perform about 10-20 writes (create and delete entry). Sometimes it can even drop to single digits.
The multi-master replicated LDAP is configured to "Always keep directories in sync". Do you think that is the culprit for why write operations are slower on multi-master replicated LDAPs?
Does anyone have any recommendations on how to tune my LDAPs?
Thanks,
David
NSMMReplicationPlugin - Can't resurrect tombstone
by Chun Tat David Chu
Hi all,
I am hitting some problem with my replicated directory server. I saw the following error messages in the errors log file.
[17/Sep/2010:09:47:51 -0400] NSMMReplicationPlugin - conn=1 op=4 csn=4c9363a9000000020000: Can't resurrect tombstone ou=test,dc=example,dc=com to glue reason 'deletedEntryHasChildren', error=68
Can anyone tell me what could cause this problem and how to prevent it from happening again?
Thanks!
David
Migration Assistance Fedora-DS 1.04 to 389-ds 1.2.6
by Wendt, Trevor
Hello. I need some help with migrating a Fedora-Directory/1.0.4 B2006.312.1539 to the latest 389-ds-base-1.2.6-1.el5 from epel. Running on RHEL 5 (Linux 2.6.18-53.1.14.el5PAE #1 SMP Tue Feb 19 07:32:39 EST 2008 i686 i686 i386 GNU/Linux).
The new 389-ds will be on the same server as the current fedora-ds so I have tried using migrate-ds-admin.pl script as well as doing the ldif export/import for cross platform migrations. Regardless of the method, I eventually hit the following error.
----------------------------------
[29/Sep/2010:17:39:12 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreIA5Match] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[29/Sep/2010:17:39:12 -0600] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreIA5SubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [dc]
[29/Sep/2010:17:39:12 -0600] dse - The entry cn=schema in file /etc/dirsrv/slapd-bhc/schema/60mozilla.ldif is invalid, error code 20 (Type or value exists) - attribute type nsAIMid: Does not match the OID "1.3.6.1.4.1.13769.2.4". Another attribute type is already using the name or OID.
[29/Sep/2010:17:39:12 -0600] dse - Please edit the file to correct the reported problems and then restart the server.
----------------------------------
The Fedora install is an out-of-the-box installation with a master/consumer configuration. I read somewhere that removing the old ldif file from my fedora-ds schema folder may clear the error, but there is no way to know which one may be conflicting with the new 60mozilla.ldif file.
In my old fedora-ds/<instance_name>/config/schema folder are the following:
00core.ldif
05rfc2247.ldif
05rfc2927.ldif
10presence.ldif
10rfc2307.ldif
20subscriber.ldif
25java-object.ldif
28pilot.ldif
30ns-common.ldif
50ns-admin.ldif
50ns-calendar.ldif
50ns-certificate.ldif
50ns-compass.ldif
50ns-delegated-admin.ldif
50ns-directory.ldif
50ns-legacy.ldif
50ns-mail.ldif
50ns-mcd-browser.ldif
50ns-mcd-config.ldif
50ns-mcd-li.ldif
50ns-mcd-mail.ldif
50ns-media.ldif
50ns-mlm.ldif
50ns-msg.ldif
50ns-netshare.ldif
50ns-news.ldif
50ns-proxy.ldif
50ns-value.ldif
50ns-wcal.ldif
50ns-web.ldif
51ns-calendar.ldif
60pam-plugin.ldif
99user.ldif
Any suggestions on what I need to do to get around this error?
Thanks!
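The three errors in the post are the two kinds of schema problem a pre-flight check can catch before the server refuses to start: a matching rule paired with a syntax it does not apply to (the IA5 rules on dc with the DirectoryString syntax 1.3.6.1.4.1.1466.115.121.1.15), and one attribute name bound to two different OIDs across files (nsAIMid and 1.3.6.1.4.1.13769.2.4). The script below is an added example, not code from the post or from 389-ds. It unfolds LDIF continuation lines, parses each attributeTypes definition, and reports both kinds of conflict over a whole schema directory, which is how you find which old file clashes with 60mozilla.ldif. Its rule table is a subset of the RFC 4517 pairings and is an assumption of the example (389's real table lives in its syntax plugins). The three sample files are constructed to mirror the posted errors: dc and mail carry their RFC 4519 OIDs, nsAIMid carries the OID from the error message, and 1.3.6.1.4.1.99999.1.1 is a made-up OID standing in for a clashing local definition.

```python
import os
import re

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"

# Syntaxes each matching rule may be paired with: a subset of RFC 4517 and an
# assumption of this example, not 389-ds's own table.
RULE_SYNTAXES = {
    "caseIgnoreMatch": {DIRECTORY_STRING},
    "caseIgnoreSubstringsMatch": {DIRECTORY_STRING},
    "caseIgnoreOrderingMatch": {DIRECTORY_STRING},
    "caseExactMatch": {DIRECTORY_STRING},
    "caseExactSubstringsMatch": {DIRECTORY_STRING},
    "caseIgnoreIA5Match": {IA5_STRING},
    "caseIgnoreIA5SubstringsMatch": {IA5_STRING},
    "caseExactIA5Match": {IA5_STRING},
    "distinguishedNameMatch": {"1.3.6.1.4.1.1466.115.121.1.12"},
    "integerMatch": {"1.3.6.1.4.1.1466.115.121.1.27"},
}

# Constructed sample schema files modelled on the errors in the post.
SAMPLE_SCHEMA = {
    "05rfc2247.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME 'dc' DESC 'constructed: IA5 rules on DirectoryString'\n"
        "  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch\n"
        "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )\n"
    ),
    "60mozilla.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 1.3.6.1.4.1.13769.2.4 NAME 'nsAIMid' DESC 'constructed sample' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
    ),
    "99user.ldif": (
        "dn: cn=schema\n"
        "attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'nsAIMid' DESC 'constructed: same name, made-up OID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
        "attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )\n"
    ),
}

ATTR_RE = re.compile(r"^attributeTypes:\s*(\(.*\))\s*$", re.IGNORECASE)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_type(definition):
    body = definition.strip()[1:-1].strip()        # drop the outer parentheses
    m = NAME_RE.search(body)
    names = []
    if m:
        names = [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))

    def field(key):
        f = re.search(r"\b" + key + r"\s+(\S+)", body)
        return f.group(1) if f else None

    syntax = field("SYNTAX")
    return {
        "oid": body.split()[0],
        "names": names,
        "EQUALITY": field("EQUALITY"),
        "SUBSTR": field("SUBSTR"),
        "ORDERING": field("ORDERING"),
        "syntax": syntax.split("{")[0] if syntax else None,   # strip a {len} bound
    }


def load_schema_dir(path):
    """Read every *.ldif in a schema directory in file-name order, which is the load order."""
    files = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".ldif"):
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                files[name] = fh.read()
    return files


def check_schema(files):
    """Return human-readable problems: rule/syntax mismatches and name/OID collisions."""
    issues, by_name, by_oid = [], {}, {}
    for fname, text in files.items():
        for line in unfold_ldif(text):
            m = ATTR_RE.match(line)
            if not m:
                continue
            at = parse_attribute_type(m.group(1))
            label = at["names"][0] if at["names"] else at["oid"]
            for kind in ("EQUALITY", "SUBSTR", "ORDERING"):
                rule, allowed = at[kind], RULE_SYNTAXES.get(at[kind])
                if rule and allowed and at["syntax"] and at["syntax"] not in allowed:
                    issues.append(f"{fname}: the {kind} matching rule [{rule}] is not compatible "
                                  f"with the syntax [{at['syntax']}] for the attribute [{label}]")
            prev = by_oid.get(at["oid"])
            if prev and prev[0].lower() != label.lower():
                issues.append(f"{fname}: OID {at['oid']} is already used by attribute type {prev[0]} in {prev[1]}")
            by_oid.setdefault(at["oid"], (label, fname))
            for name in at["names"]:
                prev = by_name.get(name.lower())
                if prev and prev[0] != at["oid"]:
                    issues.append(f"{fname}: attribute type {name}: does not match the OID '{prev[0]}' "
                                  f"already used by {prev[1]}; another attribute type is already using the name")
                by_name.setdefault(name.lower(), (at["oid"], fname))
    return issues


if __name__ == "__main__":
    import sys
    files = load_schema_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SCHEMA
    for issue in check_schema(files):
        print(issue)
```

Run it once against the new instance's schema directory and once against a copy of the old one merged into it; the file named in each message is the one to edit or drop, and the dc definition itself should end up on the IA5String syntax that its matching rules belong to.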
err=14 when binding with kerberos/sasl, normal behavior?
by Ryan Braun [ADS]
I've only just started playing with Kerberos and SASL, so I'm not 100% sure if this is normal behavior.
My ldapsearches work, but on the server I need 3 bind attempts before actually binding successfully. The first 2 throw err=14 SASL bind in progress, then the third always works.
From the server
[06/Oct/2010:16:55:47 +0000] conn=16 fd=64 slot=64 connection from 192.xx.xxx.xxx to 192.xx.xxx.xxx
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=xxx,dc=xx,dc=xx,dc=xx"
[06/Oct/2010:16:55:47 +0000] conn=16 op=3 SRCH base="dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 filter="(objectClass=*)" attrs=ALL
[06/Oct/2010:16:55:47 +0000] conn=16 op=3 RESULT err=0 tag=101 nentries=10 etime=0 notes=U
[06/Oct/2010:16:55:47 +0000] conn=16 op=4 UNBIND
[06/Oct/2010:16:55:47 +0000] conn=16 op=4 fd=64 closed - U1
and the client
ryan@krbclient:~$ ldapsearch -Y GSSAPI -h kerberos -b "dc=xxx,dc=xx,dc=xx,dc=xx" "objectclass=*"
SASL/GSSAPI authentication started
SASL username: ryan@XXX.XX.XX.XX
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=xxx,dc=xx,dc=xx,dc=xx> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# xxx.xx.xx.xx
dn: dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: domain
dc: isb
# Directory Administrators, xxx.xx.xx.xx
dn: cn=Directory Administrators,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupofuniquenames
cn: Directory Administrators
uniqueMember: cn=Directory Manager
# Groups, xxx.xx.xx.xx
dn: ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: organizationalunit
ou: Groups
# People, xxx.xx.xx.xx
dn: ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: organizationalunit
ou: People
# Special Users, xxx.xx.xx.xx
dn: ou=Special Users,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
# Accounting Managers, Groups, xxx.xx.xx.xx
dn: cn=Accounting Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager
# HR Managers, Groups, xxx.xx.xx.xx
dn: cn=HR Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=Directory Manager
# QA Managers, Groups, xxx.xx.xx.xx
dn: cn=QA Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=Directory Manager
# PD Managers, Groups, xxx.xx.xx.xx
dn: cn=PD Managers,ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=Directory Manager
# ryan, People, xxx.xx.xx.xx
dn: uid=ryan,ou=People,dc=xxx,dc=xx,dc=xx,dc=xx
uid: ryan
givenName: ryan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: braun
cn: ryan
# search result
search: 4
result: 0 Success
# numResponses: 11
# numEntries: 10
Ryan Braun
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: 204-833-2500x2625 CSN: 257-2625 FAX: 204-833-2558
E-Mail: Ryan.Braun(a)ec.gc.ca
sun iplanet migration
by Drexel Atkinson
Has anyone posted a migration plan/steps to move from Sun iPlanet 5.2 to Fedora 389? I could use some guidance on the steps, limitations, issues.
thanks,
-drex
GSSAPI authentication to Directory Server
by Matt Carey
I'm trying to follow the Kerberos howto guide at http://directory.fedoraproject.org/wiki/Howto:Kerberos but am having an issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:
$ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o mech=GSSAPI -o authid="mcarey@STATION1.EXAMPLE.COM" -o authzid="mcarey@STATION1.EXAMPLE.COM" -b "dc=example,dc=com" "(cn=*)"
Bind Error: Invalid credentials
Bind Error: additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
Attempt with OpenLDAP client:
$ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://station1.example.com -b "dc=example,dc=com" "(cn=*)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
Resulting in the following entries in the access log on the DS:
# tail -5 access
[04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1
From what I can tell the Kerberos infrastructure and OS components are set up accordingly:
GSSAPI is a viable SASL mechanism:
$ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms
version: 1
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: PLAIN
Directory Server keytab and contents:
# grep "nsslapd-localuser" dse.ldif
nsslapd-localuser: nobody
# ls -la ds.keytab
-rw------- 1 nobody nobody 172 Oct 3 13:21 ds.keytab
# ktutil
ktutil: rkt ./ds.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 ldap/station1.example.com@STATION1.EXAMPLE.COM
2 3 ldap/station1.example.com@STATION1.EXAMPLE.COM
# grep KRB /etc/sysconfig/dirsrv
KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
SASL maps in Directory Server:
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapBaseDNTemplate: dc=\2,dc=\3
nsSaslMapFilterTemplate: (uid=\1)
dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Station1 Kerberos Mapping
nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com
dn: cn=station1 map,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: example map
cn: station1 map
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)
Getting a ticket from the KDC:
[mcarey@station1 ~]$ kdestroy
[mcarey@station1 ~]$ kinit
Password for mcarey@STATION1.EXAMPLE.COM:
[mcarey@station1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
Default principal: mcarey@STATION1.EXAMPLE.COM
Valid starting Expires Service principal
10/04/10 10:57:20 10/04/10 17:37:20 krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM
Kerberos 4 ticket cache: /tmp/tkt5000
klist: You have no tickets cached
Any help or pointers people have would be greatly appreciated.
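The two GSSAPI threads above (the err=14 question and this gss_accept_sec_context failure) show the same bind shape in the access log and are best read together. err=14 is saslBindInProgress, the LDAP result the server returns for each intermediate step of a multi-round SASL mechanism; GSSAPI takes several round trips (the token exchange, then the security-layer negotiation of RFC 4752), so two err=14 responses followed by err=0 with a mapped dn is the mechanism completing normally, while a single err=49 on the first step is the bind actually failing. The script below is an added example, not code from either post or from 389-ds: it groups BindResponses (tag=97) per connection, records how many SASL steps each took and how it ended, and flags connections that failed or that were closed while a negotiation was still in progress. Its input is constructed from the lines quoted in the two posts (addresses masked as posted) plus a made-up conn=21 from 10.0.0.7 that drops the connection after the first step.

```python
import re

# Constructed sample: the access-log lines quoted in the two posts, plus a
# made-up conn=21 that abandons the SASL exchange after one step.
SAMPLE_LOG = """\
[06/Oct/2010:16:55:47 +0000] conn=16 fd=64 slot=64 connection from 192.xx.xxx.xxx to 192.xx.xxx.xxx
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[06/Oct/2010:16:55:47 +0000] conn=16 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=ryan,ou=people,dc=xxx,dc=xx,dc=xx,dc=xx"
[06/Oct/2010:16:55:47 +0000] conn=16 op=3 SRCH base="dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 filter="(objectClass=*)" attrs=ALL
[06/Oct/2010:16:55:47 +0000] conn=16 op=3 RESULT err=0 tag=101 nentries=10 etime=0 notes=U
[06/Oct/2010:16:55:47 +0000] conn=16 op=4 UNBIND
[06/Oct/2010:16:55:47 +0000] conn=16 op=4 fd=64 closed - U1
[04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
[04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1
[04/Oct/2010:10:45:02 -0400] conn=21 fd=70 slot=70 connection from 10.0.0.7 to 10.100.0.45
[04/Oct/2010:10:45:02 -0400] conn=21 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[04/Oct/2010:10:45:02 -0400] conn=21 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[04/Oct/2010:10:45:02 -0400] conn=21 op=1 UNBIND
[04/Oct/2010:10:45:02 -0400] conn=21 op=1 fd=70 closed - U1
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<src>\S+) to (?P<dst>\S+)")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) version=\d+(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)(?P<rest>.*)$")
CLOSED_RE = re.compile(r"^op=\d+ fd=\d+ closed")

# LDAP result codes that appear on a BindResponse (tag=97)
SUCCESS, SASL_BIND_IN_PROGRESS = 0, 14


def new_conn():
    return {"src": None, "mech": None, "steps": 0, "in_progress": 0,
            "outcome": "no-bind", "bound_dn": None, "closed": False}


def summarize_binds(log_text):
    """Per-connection view of the bind exchange: steps taken, how it ended, who it bound as."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], new_conn())
        rest = m["rest"]
        if (cm := CONN_RE.match(rest)):
            c["src"] = cm["src"]
        elif (bm := BIND_RE.match(rest)):
            if bm["method"] == "sasl":
                c["mech"] = bm["mech"]
                c["steps"] += 1                 # one BIND request per SASL round trip
        elif (rm := RESULT_RE.match(rest)) and rm["tag"] == "97":
            err = int(rm["err"])
            if err == SASL_BIND_IN_PROGRESS:    # intermediate step, not a failure
                c["in_progress"] += 1
                c["outcome"] = "in-progress"
            elif err == SUCCESS:                # final step: the server reports the mapped identity
                c["outcome"] = "bound"
                d = re.search(r'dn="([^"]*)"', rm["rest"])
                c["bound_dn"] = d.group(1) if d else None
            else:
                c["outcome"] = f"failed err={err}"
        elif CLOSED_RE.match(rest):
            c["closed"] = True
    return conns


def flag(conns):
    """Connections worth a look: failed binds, and negotiations closed while still in progress."""
    out = {}
    for cid, c in conns.items():
        if c["outcome"].startswith("failed"):
            out[cid] = c["outcome"]
        elif c["outcome"] == "in-progress" and c["closed"]:
            out[cid] = f"sasl {c['mech']} abandoned after {c['in_progress']} step(s)"
    return out


if __name__ == "__main__":
    conns = summarize_binds(SAMPLE_LOG)
    for cid, c in conns.items():
        print(f"conn={cid} from {c['src']}: {c['mech']} steps={c['steps']} "
              f"in_progress={c['in_progress']} outcome={c['outcome']} dn={c['bound_dn']}")
    for cid, why in flag(conns).items():
        print(f"flag conn={cid}: {why}")
```

On real logs, a source address that keeps producing err=49 on the first GSSAPI step, or a steady stream of abandoned negotiations, is what to alert on; a run of err=14 lines followed by err=0 is just the handshake and should not be.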