Master caught in infinite loop
by Daniel Fenert
Hi,
I'm using 389ds 1.2.5 with replication, my current setup:
Master
  |       \
  L1       L2
  | \      | \
  S1 S2    S3 S4
L* - acting as slave to "master" and master to "S*"
S* - slaves to L*
From time to time (usually a few months between problems) we encounter
"master" going into some infinite loop.
After analyzing access log, it looks like it stops doing queries, and
accepts new connections until it runs out of fd's.
After that, it won't stop peacefully, only SIGKILL saves the day.
Workload:
Master is used only for updates, maybe 20 connections/s.
L* are used only for replication.
All binds and search queries are targeted to S*, which are read only.
With previous setup (less complicated), we've also seen this problem:
Master
  |    |    |    \
  S1   S2   S3   S4...
Is there a chance that upgrading to latest version will fix the problem?
Were there any fixes nearby? Upgrade will be complex as hell ;)
Error log from last problem:
- Not listening for new connections - too many fds open
- slapd shutting down - signaling operation threads
- slapd shutting down - waiting for 120 threads to terminate
... SIGKILL ...
- 389-Directory/1.2.5 B2010.012.2034 starting up
- Detected Disorderly Shutdown last time Directory Server was running,
recovering database.
- slapd started. Listening on All Interfaces port 389 for LDAP requests
Number of fds: 4096.
--
Daniel Fenert
12 years, 5 months
Log rotate question
by Moisés Barba Pérez
Hi,
I would like to configure the errors, access and audit logs to rotate every
day at 00:00, regardless of the current size of the log; I would also like to
rotate them into files of 100MB each, and finally, not to limit the
number of log files.
The thing is:
1.- To rotate every day at 00:00 I guess is:
nsslapd-accesslog-logrotationtime:1 -> Each 1
nsslapd-accesslog-logrotationtimeunit: day -> day
nsslapd-accesslog-logrotationsync-enable: on -> do rotate at
nsslapd-accesslog-logrotationsynchour: 0 -> hour 00
nsslapd-accesslog-logrotationsyncmin: 0 -> minute 00
2.- To rotate at log size:
nsslapd-accesslog-maxlogsize: 100 -> rotate at size of 100MB
3.- Not to limit the number of log files:
nsslapd-accesslog-logmaxdiskspace: -1
The question is about "nsslapd-accesslog-maxlogsperdir", because if you try
to modify "nsslapd-accesslog-logmaxdiskspace" to -1, the dirsrv console says
that the value is lower than "nsslapd-accesslog-maxlogsperdir". I can set
the values using ldapmodify with an ldif file but... Can't I delete
"nsslapd-accesslog-maxlogsperdir", set it to null or something like that?
Maybe a "nsslapd-accesslog-logmaxdiskspace" value of -1 sets maxlogsperdir
to undefined?
I would thank you if you could clarify this for me.
Regards,
Moses.
12 years, 5 months
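The three settings the post lists (time-based rotation at 00:00, a 100MB size trigger, and -1 for the disk-space cap) have to be applied once per log. The following added example, which is not from the original post or from the 389 project, builds the ldapmodify LDIF for the access, errors and audit logs in one go and parses it back to verify it. The errors- and audit-log attribute names are assumed to follow the nsslapd-accesslog-* pattern shown in the post (nsslapd-errorlog-*, nsslapd-auditlog-*); nsslapd-<log>-maxlogsperdir is a separate cap on the number of rotated files and is left untouched unless you pass a value.

```python
# Added example (not from the original post): generate an ldapmodify LDIF that applies
# the poster's rotation policy to the access, errors and audit logs under cn=config.
# Assumption: the errors/audit attribute names mirror the nsslapd-accesslog-* names.

ROTATION_POLICY = {
    "logrotationtime": "1",          # rotate every 1 ...
    "logrotationtimeunit": "day",    # ... day
    "logrotationsync-enable": "on",  # at a fixed wall-clock time ...
    "logrotationsynchour": "0",      # ... 00:00
    "logrotationsyncmin": "0",
    "maxlogsize": "100",             # and also whenever a file reaches 100 MB
    "logmaxdiskspace": "-1",         # the poster's value for "no disk-space limit"
}

LOGS = ("accesslog", "errorlog", "auditlog")


def attribute_name(log, setting):
    return f"nsslapd-{log}-{setting}"


def build_ldif(policy=ROTATION_POLICY, logs=LOGS, maxlogsperdir=None):
    """Return LDIF text for one modify on cn=config covering every log in `logs`.

    nsslapd-<log>-maxlogsperdir is a separate cap on the number of rotated files;
    it is only written when a value is passed explicitly.
    """
    lines = ["dn: cn=config", "changetype: modify"]
    for log in logs:
        settings = dict(policy)
        if maxlogsperdir is not None:
            settings["maxlogsperdir"] = str(maxlogsperdir)
        for setting, value in settings.items():
            name = attribute_name(log, setting)
            lines += [f"replace: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


def parse_ldif_changes(ldif_text):
    """Parse the LDIF produced above back into {attribute: value} to verify it."""
    changes = {}
    for line in ldif_text.splitlines():
        if line.startswith(("dn:", "changetype:", "replace:")) or line == "-":
            continue
        name, _, value = line.partition(": ")
        changes[name] = value
    return changes


if __name__ == "__main__":
    # Apply with (assumed invocation):
    #   ldapmodify -x -H ldap://localhost:389 -D "cn=Directory Manager" -W -f rotate.ldif
    print(build_ldif(), end="")
```

Writing the file and applying it with ldapmodify bypasses the console's value comparison that the post describes; whether the server itself accepts -1 for logmaxdiskspace alongside the existing maxlogsperdir value is exactly the open question of the post, so check the errors log after applying it.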
Re: [389-users] slapd crashes when put the database on read only mode while updates are coming to the server
by Rich Megginson
> Hi,
>
> When I put the database in read-only mode (nsslapd-readonly: on) while
> changes are coming to the server, the “ns-slapd” process aborts
>
Does it produce a core dump, or just exit?
Why are you trying to put the db into read-only mode?
What platform? What version of 389-ds-base?
>
> abnormally with the following error message.
>
> “NSMMReplicationPlugin - replica_write_ruv: failed to update RUV
> tombstone for o=SWIFT; LDAP error – 53”
>
This seems correct - if the database is in read-only mode, it cannot
process the update operation, which includes writing the replication
state information (the RUV tombstone). But it shouldn't exit and it
definitely should not core dump.
>
> Below is the one pattern which is from error log where I see this
> occurring.
>
> ======================================
>
> [15/Nov/2011:11:57:59 +051800] - do_modify: dn (cn=userRoot,cn=ldbm
> database,cn=plugins,cn=config)
>
> [15/Nov/2011:11:57:59 +051800] - modifications:
>
> [15/Nov/2011:11:57:59 +051800] - replace: nsslapd-readonly
>
> [15/Nov/2011:11:57:59 +051800] - mtn_lock : lock count : 1
>
> [15/Nov/2011:11:57:59 +051800] - mapping tree selected backend :
> frontend-internal
>
> [15/Nov/2011:11:57:59 +051800] - mtn_unlock : lock count : 0
>
> [15/Nov/2011:11:57:59 +051800] - mtn_lock : lock count : 1
>
> [15/Nov/2011:11:57:59 +051800] - mapping tree selected backend :
> frontend-internal
>
> [15/Nov/2011:11:57:59 +051800] - mtn_unlock : lock count : 0
>
> [15/Nov/2011:11:57:59 +051800] - mapping tree release backend :
> frontend-internal
>
> [15/Nov/2011:11:57:59 +051800] - nsslapd-readonly: on
>
> [15/Nov/2011:11:57:59 +051800] - replace: nsslapd-readonly
>
> [15/Nov/2011:11:57:59 +051800] - -
>
> [15/Nov/2011:11:57:59 +051800] - modifiersname: cn=directory manager
>
> [15/Nov/2011:11:57:59 +051800] - replace: modifiersname
>
> [15/Nov/2011:11:57:59 +051800] - -
>
> [15/Nov/2011:11:57:59 +051800] - modifytimestamp: 20111115062759Z
>
> [15/Nov/2011:11:57:59 +051800] - replace: modifytimestamp
>
> [15/Nov/2011:11:57:59 +051800] - -
>
> [15/Nov/2011:11:57:59 +051800] - mtn_lock : lock count : 1
>
> [15/Nov/2011:11:57:59 +051800] - mapping tree selected backend :
> frontend-internal
>
> [15/Nov/2011:11:57:59 +051800] - mtn_unlock : lock count : 0
>
> [15/Nov/2011:11:57:59 +051800] - nsState:
>
> [15/Nov/2011:11:58:00 +051800] - replace: nsState
>
> [15/Nov/2011:11:58:00 +051800] - -
>
> [15/Nov/2011:11:58:00 +051800] - modifiersname: cn=Multimaster
> Replication Plugin,cn=plugins,cn=config
>
> [15/Nov/2011:11:58:00 +051800] - replace: modifiersname
>
> [15/Nov/2011:11:58:00 +051800] - -
>
> [15/Nov/2011:11:58:00 +051800] - modifytimestamp: 20111115062759Z
>
> [15/Nov/2011:11:58:00 +051800] - replace: modifytimestamp
>
> [15/Nov/2011:11:58:00 +051800] - -
>
> [15/Nov/2011:11:58:00 +051800] - mtn_lock : lock count : 1
>
> [15/Nov/2011:11:58:00 +051800] - mapping tree selected backend : userRoot
>
> [15/Nov/2011:11:58:00 +051800] - mtn_unlock : lock count : 0
>
> [15/Nov/2011:11:58:00 +051800] NSMMReplicationPlugin -
> replica_write_ruv: failed to update RUV tombstone for dc=ind, dc=hp,
> dc=com; LDAP error – 53
>
> ====================
>
> While the database is put in read-only mode and at the same time the replica
> state is getting updated, which in turn tries to update the replica
> RUV, it gets into this issue.
>
> Does anybody have any thoughts on why this issue is happening?
>
The code doesn't expect the database to be in read-only mode while it is
receiving updates?
>
> When does the “nsState” get updated for the replica?
>
When it needs to be.
>
> Regards,
>
> Jyoti
>
12 years, 5 months
Re: [389-users] Sync UNIX Attributes from AD to 389ds
by Carsten Grzemba
Hi,
It's a recurring question: 389ds itself cannot sync Unix attributes. But it has a winsync API where it is possible to add additional functionality to the sync code in a plugin. I have developed such a plugin.
The source repository is
https://github.com/cgrzemba/Posix-Winsync-Plugin-for-389-directory-server
If you need some consulting services for implementing this, we can talk about it.
Regards
Carsten Grzemba
On 15.11.11, Walter Neu <w.neu(a)eurodata.de> wrote:
> Hi all,
>
> I have installed a 389ds which syncs entries from an Active Directory running on Windows 2008 R2 Enterprise Server. Everything works fine, even Password Sync. But I still have 2 problems I can't get solved:
>
> 1. It's not possible to sync the UNIX attributes from AD to 389ds. Any hints?
> 2. Passwords are not synced during an initial full re-synchronization. Only password changes on the AD are synced. So I have to reset a user's password, and after that the password will be transmitted to the 389ds.
>
> Best regards
>
>
>
12 years, 5 months
Sync UNIX Attributes from AD to 389ds
by Walter Neu
Hi all,
I have installed a 389ds which syncs entries from an Active Directory
running on Windows 2008 R2 Enterprise Server. Everything works fine, even
Password Sync. But I still have 2 problems I can't get solved:
1. It's not possible to sync the UNIX attributes from AD to 389ds.
Any hints?
2. Passwords are not synced during an initial full re-synchronization.
Only password changes on the AD are synced. So I have to reset a user's
password, and after that the password will be transmitted to the 389ds.
Best regards
12 years, 5 months
Restricting access to replication manager DN
by Iain Morgan
Hello,
I think I already know the answer to this question, but I'd like to make
sure. I would like to restrict which source IP addresses may bind to a
replication manager DN on a consumer. As far as I can see, there is no
way to do this. Is that correct?
To me, this looks like a variation of bz#458187.
Thanks
--
Iain Morgan
12 years, 5 months
Unable to Manage Registered Servers from Console
by Tom Tucker
I would appreciate any troubleshooting advice you might have regarding my
registered ldap servers. I am referring to the first page you see when
launching the console (servers listed underneath Servers and Applications).
I see my servers listed, however I am unable to open them. Their "Server
status" always reports "Stopped" even though the remote servers are running.
Based on my tcpdump capture below, the 'admin prohibited' message is a clear
indication of the problem, but I can't seem to correct it. I have rerun
the setup several times, confirmed the password and such.
What am I missing?
==============================================================================
13:35:27.458489 IP serverA.mydomain.com.30940 > serverB.mydomain.com.ldap:
Flags [S], seq 404137883, win 14600, options [mss 1460,sackOK,TS val
348721371 ecr 0,nop,wscale 6], length 0
13:35:27.458591 IP serverB.mydomain.com > serverA.mydomain.com: ICMP host
serverB.mydomain.com unreachable - admin prohibited, length 68
Please specify the information about your configuration directory
server. The following information is required:
- host (fully qualified), port (non-secure or secure), suffix,
protocol (ldap or ldaps) - this information should be provided in the
form of an LDAP url e.g. for non-secure
ldap://host.example.com:389/o=NetscapeRoot
or for secure
ldaps://host.example.com:636/o=NetscapeRoot
- admin ID and password
- admin domain
- a CA certificate file may be required if you choose to use ldaps and
security has not yet been configured - the file must be in PEM/ASCII
format - specify the absolute path and filename
Configuration directory server URL [ldap://
serverA.mydomain.com:389/o=NetscapeRoot]:
Configuration directory server admin ID
[uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [mydomain.com]:
12 years, 5 months
Turn off anonymous bind
by David Hoskinson
We want to restrict all queries to authenticated queries. As our system sits now, I can anonymously query and return ntlmpassword and see the hash, as well as most other entries. We would like this not to be the case, and to require the Directory Manager and password, or a similar approved user, to do LDAP queries.
I have set nsslapd-allow-anonymous-access to off in the advanced properties for config, and added the binddn string and bindpw string to /etc/ldap.conf on the 389 server machine. When I try to log back in, I get "password authentication failed, please verify that the username and password are correct". If I turn the setting back to on, it works again.
Am I missing something... or is this not the correct method to achieve my goal?
Thanks.
David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskinson(a)datatrak.net | www.datatrak.net
12 years, 5 months
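Before flipping nsslapd-allow-anonymous-access to off, it helps to know which clients currently rely on anonymous access, because every one of them will start failing the way the post describes. The following added example, which is not from the original post or the 389 project, walks a 389 DS access log and reports each search issued on a connection that either bound with an empty DN or never bound at all, together with the client address and any password-hash attributes it requested (ntlmpassword is the one named in the post). The log lines are constructed for the example, and the line layout is an assumption about the access-log format; adjust the regular expressions if your version prints connection lines differently.

```python
import re
from collections import defaultdict

# Constructed sample of 389 DS access-log lines (not taken from the original post).
# Assumed layout: "conn=N fd=.. slot=.. connection from <client> to <server>",
# "conn=N op=M BIND dn=..." and "conn=N op=M SRCH base=.. scope=.. filter=.. attrs=..".
SAMPLE_ACCESS_LOG = """\
[15/Nov/2011:11:57:59 +051800] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[15/Nov/2011:11:57:59 +051800] conn=12 op=0 BIND dn="" method=128 version=3
[15/Nov/2011:11:57:59 +051800] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[15/Nov/2011:11:57:59 +051800] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs="ntlmpassword sambaNTPassword"
[15/Nov/2011:11:57:59 +051800] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[15/Nov/2011:11:58:01 +051800] conn=13 fd=65 slot=65 connection from 10.0.0.7 to 10.0.0.1
[15/Nov/2011:11:58:01 +051800] conn=13 op=0 BIND dn="uid=svc-web,ou=people,dc=example,dc=com" method=128 version=3
[15/Nov/2011:11:58:01 +051800] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc-web,ou=people,dc=example,dc=com"
[15/Nov/2011:11:58:01 +051800] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="mail"
[15/Nov/2011:11:58:03 +051800] conn=14 fd=66 slot=66 connection from 10.0.0.9 to 10.0.0.1
[15/Nov/2011:11:58:03 +051800] conn=14 op=0 SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(objectClass=*)" attrs="ALL"
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(
    r'conn=(\d+) op=\d+ SRCH base="([^"]*)" scope=\d+ filter="([^"]*)" attrs="([^"]*)"'
)

# Attributes whose return to an unauthenticated client is worth flagging:
# ntlmpassword is the one named in the post, the rest are common hash attributes.
SENSITIVE_ATTRS = {"ntlmpassword", "sambantpassword", "sambalmpassword", "userpassword"}


def find_anonymous_searches(log_text):
    """Return one record per SRCH on a connection that never bound or bound with dn=""."""
    client_of = {}   # conn id -> client address
    bound_as = {}    # conn id -> most recent bind DN ("" means anonymous bind)
    findings = []
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            client_of[m.group(1)] = m.group(2)
            bound_as.pop(m.group(1), None)   # conn ids are reused after a close
        elif m := BIND_RE.search(line):
            bound_as[m.group(1)] = m.group(2)
        elif m := SRCH_RE.search(line):
            conn, base, flt, attrs = m.groups()
            dn = bound_as.get(conn)
            if dn:                           # authenticated search: not of interest here
                continue
            requested = {a.lower() for a in attrs.split()}
            findings.append({
                "conn": conn,
                "client": client_of.get(conn, "?"),
                "how": "anonymous BIND" if dn == "" else "no BIND",
                "base": base,
                "filter": flt,
                "sensitive_attrs": sorted(requested & SENSITIVE_ATTRS),
            })
    return findings


def count_by_client(findings):
    """Number of anonymous searches per client address, to see who needs credentials."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_anonymous_searches(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f)
    print(count_by_client(found))
```

Run it over a real access log (`find_anonymous_searches(open(path).read())`) to get the list of client addresses that must be given a bind DN, the poster's own server being one of them, before anonymous access is switched off. A search on a connection whose only BIND failed is treated as authenticated by this simplified tracker; extend it with the BIND RESULT err= lines if that matters for your audit.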
Replication and Password Changes
by Tom Tucker
Please pardon any blunders in my LDAP vernacular. My LDAP exposure has
been limited thus far.
I am testing Fedora 389 Directory Server as a replacement from my antique
Sun One (5.X) directory server. Things have gone well so far btw.
Q1) My first hurdle was confirming my ability to perform successful exports
and imports between the two platforms. As I continue to test, what is the
recommended approach for importing any changes since my last import? Do I
need to delete everything on the Fedora DS and do a fresh import, or what?
Any recommendations here? If yes, please provide steps.
Q2) My company has three data centers. My initial thought was to configure
the new ldap environment in a multi-master configuration. Assuming ServerA
(in DC3) is unavailable (shown below) and clients are now communicating with
ServerB, how do we handle any password changes on the client side? Is this
just not possible, or do I need to reconsider my architecture?
DC1   ServerA (supplier)
      ServerB (consumer RO)
DC2   ServerA (supplier)
      ServerB (consumer RO)
DC3   ServerA (supplier)
      ServerB (consumer RO)
Thank you for your time and assistance.
System Data
-------------------
389-dsgw-1.1.7-2.fc15.i686
389-console-1.1.7-1.fc15.noarch
389-admin-1.1.23-1.fc15.i686
389-adminutil-1.1.14-1.fc15.i686
389-ds-base-1.2.10-0.4.a4.fc15.i686
389-ds-console-doc-1.2.6-1.fc15.noarch
389-ds-console-1.2.6-1.fc15.noarch
389-ds-1.2.1-2.fc15.noarch
389-ds-base-libs-1.2.10-0.4.a4.fc15.i686
389-admin-console-1.1.8-1.fc15.noarch
389-admin-console-doc-1.1.8-1.fc15.noarch
# cat /etc/redhat-release
Fedora release 15 (Lovelock)
12 years, 5 months
RO Access to Consumers
by Nick Cappelletti
I've been using dirsrv for some time now, but have always had issues with the RO access on the consumers. I recently started looking into it again, but I'm still having issues with how to truly restrict write access to them.
Here is my problem: I have a single master with 3 consumers. I can make changes to the master, with those changes replicating down to the consumers with no problems. BUT, I can log in to a consumer and make changes to the DB; luckily it doesn't get replicated back up to the master.
I have tried a few things; 1: setting nsslapd-readonly to 'on' (which caused major issues on the consumers) in cn=ldbm database,cn=plugins,cn=config; and I've also tried updating the nsds5replicatype to 2, which should set it to a consumer (read-only replica).
I'm not sure if there is a way to do it with host-specific ACIs, but if anyone has any suggestions, I'm all ears. :)
Thanks, and I look forward to any comments you might have.
Nick Cappelletti
nick(a)switchtower.com
12 years, 5 months