Multi-Master Replication
by Reinhard Nappert
Rich, you mentioned in one of your answers regarding the limit of Masters in a replicated environment, quote:
"There really isn't a limit. The limit was only for the old Red Hat Directory Server, and only so far as customer support goes. The only real hard limit is 65534 masters."
I was wondering when this limit was gone. More specifically, does Fedora Directory Server 1.1.2 already work without that limitation?
Thanks,
-Reinhard
13 years, 5 months
Chaining woes again...
by Gerrard Geldenhuis
Hi
I have set up chaining but it is not working at all and I am not sure how to debug it further.
I am using:
389-admin-1.1.11-0.6.rc2.el5
389-admin-console-1.1.5-1.el5
389-admin-console-doc-1.1.5-1.el5
389-adminutil-1.1.8-4.el5
389-console-1.1.4-1.el5
389-ds-1.2.1-1.el5
389-ds-base-1.2.6-0.11.rc7.el5
389-ds-console-1.2.3-1.el5
389-ds-console-doc-1.2.3-1.el5
389-dsgw-1.1.5-1.el5
The setup is 4 servers, two multimasters and two consumers. Client can only speak to the consumers and thus referrals won't work.
I have used the following ldif to set up chaining:
dn: cn=chainingBackend,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainingBackend
nsslapd-suffix: dc=mycompany
nsmultiplexorbinddn: cn=replication manager,cn=config
nsusestarttls: on
nsfarmserverurl: ldaps://masterfqdn1:636 masterfqdn2:636/
nsmultiplexorcredentials: {SSHA}blah
nsbindconnectionslimit: 5
nsconcurrentoperationslimit: 5
nsconnectionlife: 130
nsbindtimeout: 3
nsbindretrylimit: 3
nsmaxresponsedelay: 3
nsmaxtestresponsedelay: 5

dn: cn=dc\3dmycompany,cn=mapping tree,cn=config
changetype: modify
add: nsslapd-backend
nsslapd-backend: chainingBackend
-
replace: nsslapd-state
nsslapd-state: backend
-
replace: nsslapd-distribution-plugin
nsslapd-distribution-plugin: /usr/lib64/dirsrv/plugins/libreplication-plugin.so
-
replace: nsslapd-distribution-funct
nsslapd-distribution-funct: repl_chain_on_update

dn: cn=config,cn=chaining database,cn=plugins,cn=config
changetype: modify
add: nsTransmittedControls
nsTransmittedControls: 2.16.840.1.113730.3.4.12
The ACI has been created to allow the Replication Manager user proxy access.
When I run the following on the client:
dn: uid=john,ou=people,dc=mycompany
changetype: modify
add: mobile
mobile: 1234
The entry gets added but only locally; it thus seems to be completely ignoring the chaining I have set up. I see the following in the consumer log after creation:
[29/Sep/2010:13:00:11 +0000] start_tls - Received extended operation request with OID 1.3.6.1.4.1.1466.20037
[29/Sep/2010:13:00:11 +0000] start_tls - Start TLS extended operation request confirmed.
[29/Sep/2010:13:00:11 +0000] start_tls - Start TLS request accepted.Server willing to negotiate SSL.
[29/Sep/2010:13:00:11 +0000] start_tls - Starting SSL Handshake.
[29/Sep/2010:13:00:11 +0000] NS7bitAttr - MODIFY begin
[29/Sep/2010:13:00:11 +0000] NSMMReplicationPlugin - Purged state information from entry uid=rytis,ou=People,dc=betfair up to CSN 4c99ec08000000010000
[29/Sep/2010:13:00:12 +0000] roles-plugin - --> roles_post_op
[29/Sep/2010:13:00:12 +0000] roles-plugin - --> roles_cache_change_notify
[29/Sep/2010:13:00:12 +0000] roles-plugin - <-- roles_cache_change_notify: not a role entry
[29/Sep/2010:13:00:12 +0000] roles-plugin - <-- roles_post_op
There are some other replay failure errors which I am not sure are related. Having done the test twice I did not see the replay errors again in the master log. I am going to simplify my test environment as I currently have 4 servers which all are verbal about replication and I multimaster netscapedb which adds to the complications.
I have enabled Replication and Plug-ins for the error log. Are there any other recommended logs that I should enable that can assist me in debugging chaining issues?
Best Regards
13 years, 5 months
nsView problem
by Procunier, Greg
Hello,
I have tried creating test directory similar to the example given from
Red Hat in this image:
http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/images/virview3.png
The goal was to have a nsViewFilter reach into the global user bucket
(ou=People,dc=mgt,dc=ont,dc=srv) and populate a lower level branch with
relevant user information
(ou=People,ou=A,ou=Projects,dc=mgt,dc=ont,dc=srv).
This does not work at all; the nsViewFilter only works if that filter is
on the same level as the objects it needs to search which is
contradictory to the image Red Hat has pushed out.
I was under the impression that container structures (such as
organization units or organizations) with nsViewFilter attributes recurse
the root of the directory to create their abstractions. If that were
the case then the Red Hat image would be correct. As it is right now it
does not seem to be the case.
I am using Red Hat Directory server 8.2 (redhat-ds-8.2.0-2) on RHEL5.
I am hoping I am doing something terribly wrong and someone can point
it out for me.
--- SNIP (test.ldif) ---
dn: dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: domain
dc: mgt

dn: ou=People,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=doe_john,ou=People,dc=mgt,dc=ont,dc=srv
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: person
gidNumber: 65534
givenName: John
sn: Doe
displayName: John Doe
uid: doe_john
homeDirectory: /home/domain_users/doe_john
gecos: Test User 1
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: John Doe
uidNumber: 48465

dn: uid=doe_jane,ou=People,dc=mgt,dc=ont,dc=srv
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: person
gidNumber: 65534
givenName: Jane
sn: Doe
displayName: doe_jane
uid: doe_jane
homeDirectory: /home/domain_users/doe_jane
gecos: Test User 2
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: doe_jane
uidNumber: 31388

dn: ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
ou: Projects

dn: ou=A,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
ou: A

dn: ou=B,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
ou: B

dn: ou=People,ou=A,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
objectClass: nsView
ou: People
nsViewFilter: (uidNumber=48465)

dn: ou=People,ou=B,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
objectClass: nsView
ou: People
nsViewFilter: (uidNumber=31388)
-- SNIP (ldapsearch output) --
[root@directory]# ldapsearch -b ou=Projects,dc=mgt,dc=ont,dc=srv -x
objectclass=\*
# extended LDIF
#
# LDAPv3
# base <ou=Projects,dc=mgt,dc=ont,dc=srv> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# Projects, mgt.ont.srv
dn: ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
ou: Projects
# A, Projects, mgt.ont.srv
dn: ou=A,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
ou: A
# B, Projects, mgt.ont.srv
dn: ou=B,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
ou: B
# People, A, Projects, mgt.ont.srv
dn: ou=People,ou=A,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
objectClass: nsView
ou: People
nsViewFilter: (uidNumber=48465)
# People, B, Projects, mgt.ont.srv
dn: ou=People,ou=B,ou=Projects,dc=mgt,dc=ont,dc=srv
objectClass: top
objectClass: organizationalUnit
objectClass: nsView
ou: People
nsViewFilter: (uidNumber=31388)
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
-- SNIP --
13 years, 6 months
Please Help Test 389 Directory Server 1.2.6.1
by Rich Megginson
389-ds-base-1.2.6.1-2 is now in Testing. This release fixes the
crashing problems seen with Windows Sync, and fixes some other crashing
problems usually seen with deletion operations. Please help us test.
The sooner we can get this release tested, the sooner we can push it to
Stable and make it generally available.
Installation
yum install 389-ds --enablerepo=updates-testing
# or for EPEL
yum install 389-ds --enablerepo=epel-testing
setup-ds-admin.pl
Upgrade
yum upgrade --enablerepo=updates-testing 389-ds-base
# or for EPEL
yum upgrade --enablerepo=epel-testing 389-ds-base
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system. Each
update is broken down by package and platform. For example, if you are
using Fedora 12, and you have successfully installed or upgraded all of
the packages, and the console and etc. works, then go to the links below
for Fedora 12 and provide feedback.
* 389-ds-base-1.2.6.1-2
** EL-5 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.6.1-2.el5
** Fedora 12 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.6.1-2.fc12
** Fedora 13 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.6.1-2.fc13
** Fedora 14 - https://admin.fedoraproject.org/updates/389-ds-base-1.2.6.1-2.fc14
* scroll down to the bottom of the page, and click on the Add a comment >> link
* select one of the Works for me or Does not work radio buttons, add text, and click on the Add Comment button
If you are using a build on another platform, just send us an email to
389-users(a)lists.fedoraproject.org
Reporting Bugs
If you find a bug, or would like to see a new feature, you can enter it
here - https://bugzilla.redhat.com/enter_bug.cgi?product=389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
13 years, 6 months
Help disabling SSL
by Sean Carolan
Due to some issues with an expired SSL cert I had to disable SSL on
our 389 directory server. It's working fine for authentication
without SSL, but I have lost all ability to manage the server via the
management console. It appears that the management console still
wants to connect to the directory server on port 636, but I see no way
to change what port it uses. Also, both Administration server and
Directory server are showing Server status: Stopped, even though I
know both are running.
Anyone have some pointers on how to disable all SSL on the management console?
13 years, 6 months
389 for Ubuntu: launchpad & co
by Roberto Polli
Hi all,
I saw that 389 for Ubuntu is quite old, like 1.2.0...
I'd like to revive the launchpad repository but seems there's nobody there...
Is there somebody of the ubuntu-packager *here*?
Peace,
R.
--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
13 years, 6 months
synchronization state between replicas
by Barry Sitompul
Hi All,
Does 389-DS provide a tool to check the synchronization state between
replicas to check whether or not the replicas have converged?
I recall there was a tool called 'insync' that came with Sun Directory
Servers quite some time ago. Just wondering if 389-DS has something
similar. If not, what's the best way to check that?
Thanks!
Bazza
13 years, 6 months
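One way to approach the convergence question above, as an added example that is not from the thread or the 389 project: compare the per-replica maximum CSN in each server's nsds50ruv values. It assumes the 20-hex-digit CSN layout (timestamp, sequence number, replica ID, sub-sequence), as in the CSN logged in the chaining post; the host names and RUV values below are constructed.

```python
import re
from datetime import datetime, timezone

CSN_RE = re.compile(r"^[0-9a-f]{20}$")
# "{replica <id> <url>} <min CSN> <max CSN>"; the CSN pair may be absent.
RUV_RE = re.compile(
    r"^\{replica (\d+)(?: [^}]*)?\}(?: ([0-9a-f]{20}) ([0-9a-f]{20}))?")


def decode_csn(csn):
    """Split a CSN into its four fixed-width hex fields."""
    if not CSN_RE.match(csn):
        raise ValueError("not a CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def max_csns(ruv_values):
    """Map replica ID -> max CSN for one server's nsds50ruv values."""
    out = {}
    for value in ruv_values:
        m = RUV_RE.match(value)
        if m:  # the {replicageneration} element does not match
            out[int(m.group(1))] = m.group(3)  # None: no changes seen yet
    return out


def lagging(reference, other):
    """Replica IDs whose latest change `other` has not yet received."""
    ref, oth = max_csns(reference), max_csns(other)
    # Fixed-width lowercase hex, so string order equals CSN order.
    return sorted(rid for rid, csn in ref.items()
                  if csn and (oth.get(rid) or "") < csn)


# Constructed sample data: what a search of each server's RUV might return.
MASTER1 = [
    "{replicageneration} 4c99e000000000010000",
    "{replica 1 ldap://m1.example.com:389} 4c99e001000000010000 4c99ec08000000010000",
    "{replica 2 ldap://m2.example.com:389} 4c99e002000000020000 4c99ec10000000020000",
]
CONSUMER = [
    "{replicageneration} 4c99e000000000010000",
    "{replica 1 ldap://m1.example.com:389} 4c99e001000000010000 4c99ec08000000010000",
    "{replica 2 ldap://m2.example.com:389} 4c99e002000000020000 4c99eb00000000020000",
]

if __name__ == "__main__":
    print(decode_csn("4c99ec08000000010000"))
    print("consumer is behind on replica IDs:", lagging(MASTER1, CONSUMER))
```

An empty list from `lagging` in both directions means the two servers have seen the same changes from every master listed in their RUVs.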