ldapsearch to get users with expired password
by Juan Asensio Sánchez
Hi
Is there any way to obtain the users with expired/expiring password?
I have activated the password policy, making the password expire
after X days, and warn them after X-10 days. Now, I want to create a
cron job to send an email to users warning them about their password
expiration. I know I can get that information for the user who is
binding, but not for the users obtained from a search.
Thanks in advance.
13 years
Problems to access Directory Server from remote console with 389-console
by Daniel Gonzalez
Hi Guys,
My name is Daniel Gonzalez and I am new to this mailing list. I hope to
help as much as I can while I'm learning a bit more about Directory Server 389.
I would also like to start with my first question.
I tested 389 on a VirtualBox virtual machine, on which I installed:
Fedora 14 (minimal installation)
389-ds
I followed the wizard to set up 389, running setup-ds-admin.pl, and all goes
well there.
But when I try to connect from a 389 console on another machine I fail to
Am I doing something wrong? I need some configuration.
I turned off iptables for this, so I'm not blocking ports or anything,
but it is still not working.
The good news is that it did work locally: on my own machine I
installed Fedora 14 and 389-ds, successfully ran setup-ds-admin.pl, then ran
389-console, and the console opened and logged in immediately.
I hope you can make some suggestions.
13 years
LDAP aliases with Postfix mail server
by laxman Singh Rathore
Hello,
I have a Postfix mail server without aliases, and now need to set up aliases for
mail accounts; both the mail server and fedora-ds reside on the same server. Can
anybody tell me how to perform this task?
I need to perform this on my server.
Thanks in advance
--
Thanks and Regards
Laxman Singh Mandloi
Linux Administrator /Trainer
13 years
Sync uidNumber between AD and directory server
by Pavel
Hi,
Is it possible to sync uidNumber and gidNumber from AD 2008 to DS? If
not, is there any way to map these attributes? The documentation shows
that only hard-coded, predefined attributes are synchronized. Thanks
13 years
389 Memory issue
by Moisés Barba Pérez
Hi,
I'm having a memory issue with 389 Directory Server. The problem "*cannot
allocate memory*" appears very often and I can't find the source.
The exact log is this:
> memory allocator - malloc of 4629376 bytes failed; OS error 12 (Cannot
> allocate memory)
> The server has probably allocated all available virtual memory. To solve
> this problem, make more virtual memory available to your server, or reduce
> one or more of the following server configuration settings:
> nsslapd-cachesize (Database Settings - Maximum entries in cache)
> nsslapd-cachememsize (Database Settings - Memory available for cache)
> nsslapd-dbcachesize (LDBM Plug-in Settings - Maximum cache size)
> nsslapd-import-cachesize (LDBM Plug-in Settings - Import cache size).
> Can't recover; calling exit(1).
>
- The server is a CentOS 5.5 32-bit with
2.6.18-194.3.1.el5.centos.plusPAE kernel. The server has 12G memory. I know
that a 32-bit kernel can't manage 12G, but the kernel is PAE so I can use
about 4G, and the server never reaches this value of used memory before the crash.
5G of swap. 8 processors.
- The directory server is 389-ds-base-1.2.5-1.el5, with 27 different db.
I have about 40k users in the directory. I have been talking on the IRC channel
with Rich about directory caches, and I have tried these configurations
without resolving the problem:
dbcachesize = 2 * (SUM all .db4 size) | each cachememsize = 10M (default) -> fails
dbcachesize = 10M (default) | db$i cachememsize = 2 * (db$i/id2entry.db4 size) -> fails
dbcachesize = 10M (default) | db$i cachememsize = 4 * (db$i/id2entry.db4 size) -> fails
The sum of all .db4 file sizes is about 800M.
I have monitored the db with the *db_stat* command and I always get an entry ratio
for the id2entry db between 50 and 60% in all cases. The value for
max-file-descriptors in 389 is 65355. The size of the hugepagesize is 2M.
These are the ulimit -a results:
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 208896
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 64000
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 1024
cpu time (seconds, -t) unlimited
max user processes (-u) 208896
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
I have read in Metalink about an error for Sun ONE Directory Server 5.2 saying that this
problem can be caused by "multiple memory pool", but I couldn't find
where it is configured (I guess 389 split from Sun ONE in this version). And
I don't know if it is important to my problem.
The OS error 12 is a default message from the operating system for memory
allocation and I'm thinking of a Linux scheduler problem, but I can't find
anything.
If somebody has an idea, please tell me...
Regards,
Moses.
13 years
Change of attribute syntaxes between versions
by Juan Asensio Sánchez
Hi
We had in version 1.1.3, some values in the attribute
destinationIndicator with tildes and special chars; in that version
the syntax of the attribute was Directory String. We have updated to
version 1.2.5, and now, when running syntax-validate.pl, it reports
that those values violate the syntax, because the syntax of the
attribute has changed to Printable String. Why has the syntax changed?
How can I solve this issue? We have a replicated environment, so I
can't (or shouldn't) modify the standard schema files. The same
happens with the attribute searchGuide.
Something similar happens with the attribute nsViewFilter, although
this attribute has not changed its syntax across these two versions.
The script reports that this filter violates the syntax:
(ou=*ou=AABBB,ou=Recursos,o=XXXX,dc=YYY,dc=ZZ)
But I think this filter is valid. Why is the tool reporting that error?
Also, if I try to import an exported database that contains those
values, the server fails because of the syntax errors.
Regards and thanks in advance.
13 years
Server Side Sort, Virtual List View and Aci
by Luca Menegus
Hi,
When searching ds using the ServerSideSearch control and the VirtualListView control, it does not seem to take into account the configured ACIs when returning the contentCount field of the VirtualListView response control.
The contentCount field of the VLV response control will be set to the total number of entries matching the search and not to the number of entries matching the search AND searchable by the user performing the search.
Example:
- there are 10 people in the directory, 5 in the peopleA ou and 5 in the peopleB ou
- userA can search (and read) anything under peopleA
- userB can search (and read) anything under peopleB
- SuperUser can search (and read) anything
If I bind and search as SuperUser everything works as expected (contentCount is 10) and I can "scroll" through the rs as expected.
If I bind and search as UserA, contentCount is still 10 and the result set contains "holes". For instance, if I sort the search so that entries under peopleB come first, then requesting (using the VLV control fields) 5 entries from entry #1 returns an empty rs, while requesting 5 entries from entry #5 returns the expected 5 entries under peopleA.
The behavior when searching as userB is consistent (the other 5 entries are returned).
I'm using 389-ds-base-1.2.7.5-1.fc14.x86_64 under fc14-x86_64.
Am I doing something wrong, or is this the expected behavior?
Luca
13 years
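A small model of the behaviour reported in the post above, added here as an illustration and not taken from the post or from 389-ds code. It assumes the server windows the full sorted result set, sets contentCount before access control, and then drops entries the bound user may not read; the entry DNs, the `READABLE` table and all function names are hypothetical, and the windows are pages of five starting at 1-based positions 1 and 6.

```python
# Constructed model of the behaviour reported above; not 389-ds code.
# Ten entries, already in the sort order from the post (peopleB first).
ENTRIES = [f"uid=user{i},ou={ou},dc=example,dc=com"
           for ou in ("peopleB", "peopleA") for i in range(1, 6)]

# Hypothetical stand-in for the ACIs: subtrees each bind identity may read.
READABLE = {
    "userA": ("ou=peopleA",),
    "userB": ("ou=peopleB",),
    "SuperUser": ("ou=peopleA", "ou=peopleB"),
}

def can_read(user, dn):
    return any(f",{ou}," in dn for ou in READABLE[user])

def vlv_reported(user, offset, count):
    """Window the full sorted list, then drop unreadable entries (1-based offset)."""
    window = ENTRIES[offset - 1:offset - 1 + count]
    return {"contentCount": len(ENTRIES),
            "entries": [dn for dn in window if can_read(user, dn)]}

def vlv_acl_first(user, offset, count):
    """Apply access control first, then count and window what remains."""
    visible = [dn for dn in ENTRIES if can_read(user, dn)]
    return {"contentCount": len(visible),
            "entries": visible[offset - 1:offset - 1 + count]}

def count_gap(search, user, page=5):
    """Page through the whole list; return contentCount minus entries received.

    A non-zero gap is the number of entries whose existence the count
    reveals to a user who is not allowed to read them.
    """
    first = search(user, 1, page)
    total, received, offset = first["contentCount"], len(first["entries"]), 1 + page
    while offset <= total:
        received += len(search(user, offset, page)["entries"])
        offset += page
    return total - received

if __name__ == "__main__":
    for user in READABLE:
        print(user, "reported gap:", count_gap(vlv_reported, user),
              "acl-first gap:", count_gap(vlv_acl_first, user))
```

Run against a real directory, the same comparison (contentCount versus entries actually received while paging as a restricted identity) is a quick check for whether the count exposes how many entries lie outside that identity's ACI scope.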
Manage Certificates button item (slightly different)
by Christopher Wood
These bugs are almost exactly the issue I'm experiencing:
https://bugzilla.redhat.com/show_bug.cgi?id=430499
https://bugzilla.redhat.com/show_bug.cgi?id=442103
In my case, the admin server on host1 can use the "Manage Certificates" button on the admin server, and the directory server installed on the same host. So the bug is not happening to me.
However, I get "java.net.ConnectException: Connection refused" when I use the "Manage Certificates" button on host2's directory server that I registered with host1's admin server.
I don't get any output on the console when I repeat this procedure having run 389-console from the command line. I don't see anything immediately obvious under /var/log/dirsrv/*/errors on both servers. I can run ldapsearch against ldaps://host1 and ldaps://host2.
Would you list denizens possibly have any hints as to how to troubleshoot this?
13 years
Re: [389-users] Changelog Modification
by Rich Megginson
On 03/09/2011 10:34 PM, Stephen Agar wrote:
> In my previous reading it seemed like fractional replication wasn't
> possible in a multi-master environment. Statements like this from the
> administrators guide: "Fractional replication can only be done where
> the consumer is a read-only replica" are what i'm referring to. Am I
> misunderstanding what fractional replication is?
It is now supported in most cases. Please direct me to statements like
the above in our docs and I will fix them.
>
> Thanks
>
> On Wed, Mar 9, 2011 at 11:18 AM, Rich Megginson <rmeggins(a)redhat.com
> <mailto:rmeggins@redhat.com>> wrote:
>
> On 03/09/2011 10:11 AM, Stephen Agar wrote:
>> I've seen multiple different types of changes in there flagged as
>> this issue.
>> - Some was a custom "directory string" attribute, being changed
>> from value notActivated to activated
> I suppose this might be a problem if the schema were somehow
> different between the two servers, which could happen if you added
> the schema via a file and not via LDAP.
>
>> - Some password account lockout attributes, resettime, etc.
> See
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-singl...
>
>
>> - Most are modifications to the "memberof" attribute, which is
>> set by the member plugin
> memberof should not be replicated - see
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-singl...
>
> there is an Important Note on that page about replicating memberof
>> - Some are password changes
> I suppose this could be possible if the password policy is
> different on the supplier and the consumer
>
>>
>> In all cases that i've checked, the data seems to be correct and
>> consistent across all 4 nodes.
>>
>> Thanks for any insight.
>>
>> --stephen
>>
>>
>> On Tue, Mar 8, 2011 at 3:21 PM, Rich Megginson
>> <rmeggins(a)redhat.com <mailto:rmeggins@redhat.com>> wrote:
>>
>> On 03/08/2011 11:17 AM, Stephen Agar wrote:
>>> I have a 4 server multi master replication setup going on.
>>> We get a lot of errors like this:
>>>
>>> NSMMReplicationPlugin - agmt="cn="Replication to server""
>>> (server:636): Consumer failed to replay change (uniqueid
>>> 2365a885-b85511df-ad54b6ca-51ecbecb, CSN
>>> 4d6ceae5000700010000): DSA is unwilling to perform. Will
>>> retry later.
>>>
>>> I've used cl-dump on all four nodes to dump the logs and
>>> track these down. However, all of the "offending" changes
>>> that say they weren't made do indeed seem to be applied on
>>> all 4 nodes.
>> What are these changes? What operations, attributes, values,
>> etc.
>>> Is there a command I can use to remove specific entries from
>>> the changelog? In the past, i've just re-initialized nodes
>>> to get rid of these, but that's certainly not the preferred
>>> way to do this.
>>>
>>> Thanks,
>>> Stephen
>>>
>>>
>>
>>
>
>
13 years