How to quickly recover from a corrupt database in a multiple-master configuration
by Mark Benschop
Hi All,
I'm having a problem on a CentOS Directory Server 8.1 multiple-master setup.
The database of one of the servers has been marked as corrupt and has been
brought offline by the Directory Server.
LDAP clients querying the LDAP server, e.g. for logging in users, get an
error message, effectively preventing users from logging in.
I'm wondering what the best method is to recover from this situation.
I can think of a few:
1) Starting the LDAP server, deleting the database, recreating it and
restoring a backup.
2) Starting the LDAP server, deleting the database and reinitialising the
server from the other master.
Can anyone give me some hints whether this will work, or would another approach be
better?
Thanks for your advice,
Mark
13 years, 9 months
Error installing the 389 Directory Server
by 馬小布
Hi, all:
When I installed 389 DS today, something very strange happened during the
installation.
Please see the following messages; by the way, the 389 DS version I installed
is 1.1.3, via the RPM packages:
[root@foo dirsrv]# setup-ds-admin.pl
==============================================================================
This program will set up the 389 Directory and Administration Servers.
It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
- Press "Enter" to choose the default and go to the next screen
- Type "Control-B" then "Enter" to go back to the previous screen
- Type "Control-C" to cancel the setup program
Would you like to continue with set up? [yes]:
==============================================================================
BY SETTING UP AND USING THIS SOFTWARE YOU ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PARTY TO THE AGREEMENT FOUND IN THE
LICENSE.TXT FILE. IF YOU DO NOT AGREE TO ALL OF THE TERMS
OF THIS AGREEMENT, PLEASE DO NOT SET UP OR USE THIS SOFTWARE.
Do you agree to the license terms? [no]: yes
==============================================================================
Your system has been scanned for potential problems, missing patches,
etc. The following output is a report of the items found that need to
be addressed before running this software in a production
environment.
389 Directory Server system tuning analysis version 10-AUGUST-2007.
NOTICE : System is x86_64-unknown-linux2.6.18-128.7.1.el5 (2 processors).
WARNING: 994MB of physical memory is available on the system. 1024MB is
recommended for best performance on large production system.
NOTICE : The net.ipv4.tcp_keepalive_time is set to 7200000 milliseconds
(120 minutes). This may cause temporary server congestion from lost
client connections.
WARNING: There are only 1024 file descriptors (hard limit) available, which
limit the number of simultaneous connections.
WARNING: There are only 1024 file descriptors (soft limit) available, which
limit the number of simultaneous connections.
Would you like to continue? [no]: yes
==============================================================================
Choose a setup type:
1. Express
Allows you to quickly set up the servers using the most
common options and pre-defined defaults. Useful for quick
evaluation of the products.
2. Typical
Allows you to specify common defaults and options.
3. Custom
Allows you to specify more advanced options. This is
recommended for experienced server administrators only.
To accept the default shown in brackets, press the Enter key.
Choose a setup type [2]:
==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.
To accept the default shown in brackets, press the Enter key.
Computer name [foo]:
The hostname foo does not look like a
fully qualified host and domain name.
If you feel you have made a mistake,
please go back to this dialog and enter another name.
==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user). The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.
If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.
System User [nobody]:
System Group [nobody]:
==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers. If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server. To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL). If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).
If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.
Do you want to register this software with an existing
configuration directory server? [no]:
==============================================================================
Please enter the administrator ID for the configuration directory
server. This is the ID typically used to log in to the console. You
will also be prompted for the password.
Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):
==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains. If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.
If you are not using administrative domains, press Enter to select the
default. Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.
Administration Domain [foo]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [foo]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [foo]:
==============================================================================
The standard directory server network port number is 389. However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.
Directory server network port [389]:
==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.
Directory server identifier [foo]:
Why does it become like that? Could someone give me some suggestions?
Thanks in advance~
13 years, 9 months
Announcing 389 Directory Server 1.2.6 Release Candidate 2
by Rich Megginson
The 389 team is pleased to announce the availability of Release
Candidate 2 of version 1.2.6. This release has a couple of bug fixes.
***We need your help! Please help us test this software.*** It is a
release candidate, so it may have a few glitches, but it has been tested
for regressions and for new feature bugs. The Fedora system
strongly encourages packages to be in Testing until verified and pushed
to Stable. If we don't get any feedback while the packages are in
Testing, the packages will remain in limbo, or get pushed to Stable.
The more testing we get, the faster we can release these packages to
Stable. See the Release Notes for information about how to provide
testing feedback (or just send an email to
389-users(a)lists.fedoraproject.org).
The packages that need testing are:
* 389-ds-base-1.2.6.rc2 - 389-ds-base
There are some new console/java packages too, and there is a new version
of the 389-ds "meta" package - 1.2.1
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
=== Bugs Fixed ===
This release contains a couple of bug fixes. The complete list of bugs
fixed is found at the link below. Note that bugs marked as MODIFIED
have been fixed but are still in testing.
* Tracking bug for 1.2.6 release -
https://bugzilla.redhat.com/showdependencytree.cgi?id=543590&hide_resolved=0
13 years, 9 months
userPassword and {KERBEROS}username@REALM
by Arnar Gunnarsson
I'm using 389 DS to authenticate users against all sorts of services
(HTTP/IMAP/OpenVPN/etc.) using the userPassword attribute.
Now, I've recently installed a Kerberos server for secure authentication
and configured 389 DS against the Kerberos server, and am able to
authenticate to 389 DS using GSSAPI and perform searches. All is
well.
But here's my dilemma:
Let's say the password in the LDAP userPassword attribute is “password1”
and I change the Kerberos password to “password2”; I now have two
different passwords.
I've seen references on some OpenLDAP-related mailing lists that you can
put {KERBEROS}username@REALM in the userPassword attribute as a way of
saying: “I don't have the password on file, but hang on – I'll just ask
the Kerberos server to check if the supplied password is correct”. Does
389 DS support something like this?
Thanks.
--
Arnar 'Addi' Gunnarsson | System Administrator
http://addi.org/GPG-KEY.asc | RHCE · MCSA
13 years, 9 months
Synchronizing passwords
by Juan Asensio Sánchez
Hi
Is 389 DS able to compute sambaLMPassword and sambaNTPassword automatically
when userPassword is updated? Is there any plugin? If not, which plugin is
the best to take as a base to do this?
Regards.
13 years, 9 months
attribute name case sensitivity
by Mike Li
Looks like the LDAP server forces lower case (or is that set as a
default somewhere). When I add an attribute, it always turns all letters to
lower case. How do I make it case sensitive?
Thanks.
13 years, 9 months
Restart of replicated servers
by Mitja Mihelič
Hi!
We currently have the following setup:
consumer1 <------ supplier1 <---multi-master-repl---> supplier2 ------> consumer2
What is the correct order in which to restart the directory servers so that
all replication agreements will come up OK?
That is, without us having to reinitialize all of the consumers.
Knowing how to do it in this setup would also help:
supplier1 ------> consumer1
Regards,
Mitja
13 years, 9 months
Two guys who bit off some more than we could chew...(?)
by Olof Nord
Dear Sirs,
we need your help.
We are two guys, Olof Nord and Thobias Nylander, studying in the second year of
upper secondary school at Kattegattgymnasiet, Halland, Sweden (Google Maps link).
We have a Local Networking class where we are supposed to set up and
maintain an LDAP-based directory server.
We had the opportunity to work with some other programs (and OS), and we chose
389 Directory Server.
Now we've been struggling with this program for several weeks, and soon we
have to report what's been done. And we have nothing to report.
We have been following several guides, but one major guide we have been reading
is Red Hat's official guide, but it feels like we don't really get this straight.
What's been done:
We have been able to install and set up the program.
We have also managed to install another program for adding users through a GUI,
called Luma.
BUT
we can start, but not log on to, the 389-console, and we can't get Luma to
connect to our server.
We have succeeded in starting service dirsrv.
We are working on a PC with Fedora 13 installed and updated,
and the PC is in every other way working as it should. (except no Flash...)
I think it's a good thing to add here that we both are very experienced
Windows users and that we, in this course, have worked with Microsoft's
alternative directory server for quite a while.
Our goal is to be able to log into the 389-console and to add some users. We would
also like to do some more things like sharing folders and creating sub-admins.
Consider this as a cry for help to a stretched hand, grasping for the mainland
knowing he is almost ashore.
Kindest regards,
Olof Nord and
Thobias Nylander
13 years, 9 months
Referral not working...
by Reinhard Nappert
Hi,
I configured a master-slave setup where the userRoot db has a referral to the master configured. See the dse.ldif entry:
dn: cn="o=BASE",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: "o=BASE"
nsslapd-state: referral on update
nsslapd-backend: userRoot
modifiersName: cn=server,cn=plugins,cn=config
modifyTimestamp: 20100604203934Z
nsslapd-referral: ldap://master:389/o=UMC
numSubordinates: 1
So, when I access the slave and try to add an object, I get the following error:
javax.naming.NamingException: [LDAP: error code 1 - Mapping tree node for o=base is set to return a referral, but no referral is configured for it].
This is weird, because you can clearly see that the referral is configured.
The access log says:
[04/Jun/2010:16:40:18 -0400] conn=16 op=3 ADD dn="ou=test,o=base"
[04/Jun/2010:16:40:18 -0400] conn=16 op=3 RESULT err=10 tag=105 nentries=0 etime=0
This is standard ldap stuff and I know that it worked before.
Any idea?
Thanks,
-Reinhard
13 years, 9 months
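As an added example (not code from the post or from 389 DS), a small Python check over the mapping-tree entry and access-log lines quoted in the referral post above: it parses the LDIF fragment, flags a referral state that has no nsslapd-referral value or whose referral URL names a different base DN than the suffix in cn, and picks out access-log RESULT lines with err=10 (the LDAP referral result). The LDIF and log lines are copied from the post; the check rules and function names are my own assumptions about what an operator would want to verify.

```python
import re
from urllib.parse import urlparse, unquote

# Mapping-tree entry copied from the post (only the attributes the check needs).
MAPPING_TREE_LDIF = """dn: cn="o=BASE",cn=mapping tree,cn=config
cn: "o=BASE"
nsslapd-state: referral on update
nsslapd-backend: userRoot
nsslapd-referral: ldap://master:389/o=UMC
"""

def parse_ldif_entry(text):
    """Return {attribute (lower-cased): [values]} for one unfolded LDIF entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    """Strip quotes and whitespace and fold case so two DNs can be compared."""
    return ",".join(p.strip() for p in dn.strip().strip('"').split(",")).lower()

def check_mapping_tree(entry):
    """Return the problems that make a referral state unusable for this suffix."""
    problems = []
    state = entry.get("nsslapd-state", [""])[0].lower()
    suffix = norm_dn(entry.get("cn", [""])[0])
    if "referral" in state:
        refs = entry.get("nsslapd-referral", [])
        if not refs:
            problems.append("state '%s' but no nsslapd-referral value" % state)
        for ref in refs:
            # The base DN of an LDAP URL is its path component.
            ref_dn = norm_dn(unquote(urlparse(ref).path.lstrip("/")))
            if ref_dn != suffix:
                problems.append("referral %s targets '%s', not the suffix '%s'"
                                % (ref, ref_dn, suffix))
    return problems

# Access-log RESULT lines: err=10 is the LDAP referral result, so these show
# which operations were redirected instead of being answered locally.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

def referral_results(log_lines):
    """Return (conn, op) pairs whose RESULT carried err=10 (referral)."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in map(RESULT_RE.search, log_lines) if m and m.group(3) == "10"]
```

Running check_mapping_tree over the quoted entry reports the o=UMC vs o=BASE difference; whether that explains the "no referral is configured" error is not something the post settles.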