[389-Users] Repopulating Multi-Master Replicated Directory
by Chun Tat David Chu
Hi All
I have a question about repopulating 2 or more multi-master replicated
directory.
Here's my scenario...
1) I exported the whole directory database into LDIF.
2) I need to repopulate two directories that are configured with
multi-master replication scheme
I know that one way to do this is simply to repopulate one directory and let
replication do the rest by re-initializing the other directory.
But can I import the same LDIF file individually to both directories to
reduce synchronization time?
The goal here is to minimize the time needed for directory synchronization.
Thanks in advance!
David
13 years, 2 months
389 Server and MMR
by cfr100@acm.org
Hello,
I'm trying to set up 389 on a CentOS 5.5 machine using the
setup-ds-admin.pl script and the mmr.pl script. They seem to be
inconsistent with each other.
setup-ds-admin.pl wants a "directory server identifier" (defaults to
short name). This becomes the slapd instance name in /etc/dirsrv.
mmr.pl wants a fqdn for host1 and host2. It then creates an instance
in /etc/dirsrv based on this long name (failed attempt to update the
existing instance??).
Henceforth, a "service dirsrv restart" will try to stop and start
/etc/dirsrv/slapd-hostname and /etc/dirsrv/slapd-fqdn. The latter will
fail and replication will not succeed. setup-ds-admin.pl fails if you
give the fqdn as an identifier. mmr.pl fails if you give a short name for
the host.
And there is no method to really start over. setup-ds-admin.pl seems
to spew files and directories across at least /etc, /var/spool and
/var/run.
Am I missing something? What is the recommended way of doing this?
Thanks
Chuck
13 years, 2 months
Moving from FDS to 389DS
by Utkarsh Sengar
Hi Guys,
I am trying to move an old fedora DS to the current version. (I wish I could
tell you the versions, but I am not able to figure out how to get the
version numbers).
Anyway, I exported the ldif from the old server and imported into the new
server:
./ldif2db -n NetscapeRoot -i /ldap/NetscapeRoot.ldif
./ldif2db -n userRoot -i /dap/userRoot.ldif
I see a lot of warnings when I import userRoot.ldif about bad entry,
skipping. And when I browse the new setup, I do not see the entries.
So, my question is: How can I move my existing FDS to a new FDS?
--
Thanks,
Utkarsh Sengar <http://utkarshsengar.com>
13 years, 2 months
389 1.2.7.5 build on RHEL6
by Daniel R. Gore
I have finally got 389 to build completely on a RHEL6 virtual system.
Unfortunately, I cannot get the console(s) to work correctly. When I
execute the /usr/sbin/389-console script, I get a console, but it shows
three empty input fields with no description of what they are for and
three little tabs across the bottom that appear to be for something, but
have no labels. I clicked on one of them and it closed the console. I
also could not get the idm-console -a http://localhost:9830 to work.
Any suggestions would be great.
I am running out of time and may have to build a RHEL 5.5 system to run
DS on. I would prefer to do it on RHEL6 for many reasons. It sure would
be nice to have the RHEL6 RPM builds for DS.
Thanks.
Dan
13 years, 2 months
(Insufficient 'write' privileges to the 'userPassword') when executing passwd change
by Beamon, John
This is a new install, straight from the docs with 4 boxes in an MMR setup. Attempting a password change from a Linux command line, I get this feedback.
$ passwd
Changing password for user jbeamon.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Insufficient access
Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=jbeamon,ou=people,dc=example,dc=com'.
passwd: Permission denied
I zeroed out the access and error logs in advance. The error log was empty; the access log was nothing but SRCH, BIND, and RESULT entries for my account. Nothing about access problems or attempted modifies.
A web search for this error message revealed one conversation in Jan 2009 that ended with "I fixed my aci and the problem went away". I haven't knowingly changed any acis since install. At the global level, user may change password. At the userRoot suffix level, user can change password and fine-grained policy is enabled. A password reset by directory manager succeeds and replicates around. Does anyone else recognize this?
-j
13 years, 2 months
Performance differences between 1.1.2 and 1.2.6/1.2.7
by Reinhard Nappert
Hi,
I noticed that the search performance increased quite a bit with 1.2.6/1.2.7.5, compared to 1.1.2.
I did a rather simple test, where I randomly searched objects from a small database with about 25.000 objects. I assume that those objects are cached.
The tests were performed on a 2 Dual CPU (1.8 GHz clock speed) box with 16 GB RAM.
I did perform 7.000.000 searches with 7 threads (1.000.000 searches per thread). Both directory instances were configured in exactly the same way.
I got 5630 searches/sec for the 1.2.7.5 directory instance, whereas
I got 6890 searches/sec for the 1.1.2 directory instance.
I was wondering what the reason for the performance decrease is.
Thanks,
-Reinhard
13 years, 2 months
Trying to delete one entry
by Rafael Cervillera Cortés
Hi, gurus!
We have a 389DS and the following problem deleting an entry.
Our server has multiple databases and the problem only appears in one:
we can remove entries from cn=users but not from another subtree.
None of the databases are in read-only mode.
ldapdelete shows an ldap_delete: Operations error (1).
In another subtree we can delete any entry without problems.
On inspecting the ACIs we haven't found anything wrong (same ACI in
both subtrees).
Attached is the modified output of ldapdelete with debug mode 2147483647.
Thanks in advance.
--
13 years, 2 months
Remediating Encryption Levels
by Gerrard Geldenhuis
Hi
I am currently testing this but would like to double up my testing with any other experiences in the list.
A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for both the admin and dirsrv.
I am testing whether this will have any effect on any connection within my setup that uses SSL, thus chaining, replication, console and general authentication from CentOS and Red Hat clients.
My understanding is that having those lower levels like DES 56 enabled allows such a connection, but the connection encryption level will be determined by what the client initiates, if supported at the server. So if the client initiates 128-bit RC4 it will be a 128-bit RC4 connection. With this in mind, what would be the default level of encryption if the client is "internal" to the 389DS? That is, what would be the encryption level for chaining, replication and connecting to the console?
If an encryption level is not supported what is the negotiating logic to determine a working connection?
Regards
13 years, 2 months
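The negotiation logic Gerrard asks about, modelled as an added example (not code from the thread or from 389DS): the server only ever picks from the suites both sides have enabled, so removing the sub-128-bit suites on the server side turns a legacy-only client's connection into a handshake failure rather than a downgrade. Cipher names and bit strengths below are constructed sample data, not a live server's list.

```python
# Added example: a model of TLS cipher-suite selection. The catalogue of
# suites and their strengths is constructed sample data for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cipher:
    name: str
    strength_bits: int


# Constructed catalogue, keyed by the suite name the two peers exchange.
CATALOGUE: Dict[str, Cipher] = {
    "AES256-SHA": Cipher("AES256-SHA", 256),
    "RC4-SHA": Cipher("RC4-SHA", 128),
    "DES-CBC-SHA": Cipher("DES-CBC-SHA", 56),
    "EXP-RC4-MD5": Cipher("EXP-RC4-MD5", 40),
}


def enabled_suites(names: List[str], min_bits: int) -> List[str]:
    """Server preference list after dropping every suite weaker than min_bits
    (what turning off 'everything below 128 bits' amounts to)."""
    return [n for n in names if CATALOGUE[n].strength_bits >= min_bits]


def negotiate(server_pref: List[str], client_offer: List[str],
              server_prefers: bool = True) -> Optional[str]:
    """Return the suite the handshake settles on, or None for handshake failure.
    Only suites present on both sides are candidates; whichever side's ordering
    is honoured decides among those candidates."""
    common = set(server_pref) & set(client_offer)
    if not common:
        return None
    order = server_pref if server_prefers else client_offer
    return next(n for n in order if n in common)


def demo() -> Dict[str, Optional[str]]:
    """Compare outcomes before and after the server drops weak suites."""
    all_suites = ["AES256-SHA", "RC4-SHA", "DES-CBC-SHA", "EXP-RC4-MD5"]
    strong_only = enabled_suites(all_suites, 128)
    legacy_client = ["DES-CBC-SHA", "EXP-RC4-MD5"]   # offers only weak suites
    mixed_client = ["RC4-SHA", "AES256-SHA"]         # client's own preference order
    return {
        "legacy_before": negotiate(all_suites, legacy_client),      # DES-CBC-SHA
        "legacy_after": negotiate(strong_only, legacy_client),      # None: handshake fails
        "mixed_server_order": negotiate(strong_only, mixed_client), # AES256-SHA
        "mixed_client_order": negotiate(strong_only, mixed_client, server_prefers=False),
    }
```

A legacy-only client is therefore refused outright once the weak suites are disabled, which is the behaviour to watch for in replication and chaining logs after the change.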
replicating netscaperoot, server2 not in server1 console
by Beamon, John
Running 389-ds 1.2.5 on two servers. I followed the techniques in this link, which uses setup-ds.pl and postpones registering until after the config has been built from LDIF and o=netscaperoot has been initialized.
http://sinodun.com/howto/replicating-netscaperoot-on-fedora-ds/
Connecting the console to server2, I find both server1 and server2 listed.
Connecting the console to server1, only server1 is listed.
This is not a failover design yet. I've tried running register-ds.pl to register server2 at server1's CDS, but the script does not ask where you want to register.
==============================================================================
Candidate servers to register:
/etc/dirsrv/slapd-chi01osi112
==============================================================================
Do you want to use this server as Configuration Directory Server?
Directory server identifier [chi01osi112]:
What might I have missed? Thanks.
-j
13 years, 2 months