Replication not excluding attributes
by Iain Morgan
Hi,
I recently tried to set up a slave replica using fractional replication.
The slave replica works, but the attributes which I had intended to
exclude are still being replicated.
The replication agreement on the supplier includes:
% ldapsearch -b cn=config '(cn=Slave)' nsds5replicatedattributelist
dn: cn=Slave,...
nsds5replicatedattributelist: (objectClass=*) $ EXCLUDE passwordAllowChangeTim
 e passwordExpirationTime passwordGraceUserTime shadowLastChange passwordHisto
 ry
Are there circumstances where nsds5ReplicatedAttributeList is ignored?
--
Iain Morgan
12 years
Replication integrity tool/script
by Manel Gimeno Zaragozá
Hello,
I'm configuring an environment with multi-master replication.
ds - 1.2.10
OS - CentOS release 6.2 (Final)
I'm wondering if there is any tool to check the integrity of both servers, I mean, some tool or script that checks if both servers are exactly the same or if there is some mismatch, just to be sure that replication is working well and we are not missing anything in the process.
Thanks.
Manel
12 years
Problems logging in with 389-console
by Michael Mercier
Hello,
I seem to be having problems using the 389-console GUI.
I am entering the following information into each of the fields:
User ID: cn=Directory Manager
Password: password
Administration URL: http://localhost.localdomain:9830
It fails with the following error:
Cannot logon because of an incorrect User ID,
Incorrect password or Directory problem.
HttpException:
Response: HTTP/1.1 401 Authorization Required
Status: 401
URL: http://localhost.localdomain:9830/admin-serv/authenticate
I have also tried with:
User ID: admin
Password: password
Administration URL: http://localhost.localdomain:9830
It fails with the following error:
Cannot connect to the directory server:
netscape.ldap.LDAPException: error result (32): No such object
I am able to run searches from the command line:
[root@localhost ~]# ldapsearch -x -b o=netscaperoot -D "cn=directory manager" -w password "nsDirectoryURL=*"
# extended LDIF
#
# LDAPv3
# base <o=netscaperoot> with scope subtree
# filter: nsDirectoryURL=*
# requesting: ALL
#
# UserDirectory, Global Preferences, MyDomain, NetscapeRoot
dn: cn=UserDirectory,ou=Global Preferences,ou=MyDomain,o=NetscapeRoot
objectClass: top
objectClass: nsDirectoryInfo
nsDirectoryURL: ldap://localhost.localdomain:389/dc=mpls
cn: UserDirectory
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@localhost ~]#
If I try to access http://localhost.localdomain:9830 with a web
browser, I am shown the "Services for users" page, but when I click on
"389 Administration Express" I get the following error:
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
Please contact the server administrator, [no address given] and inform
them of the time the error occurred, and anything you might have done
that may have caused the error.
More information about this error may be available in the server error log.
Apache/2.2 Server at localhost.localdomain Port 9830
Anyone have any ideas?
Thanks,
Mike
[root@localhost ~]# more /etc/redhat-release
Fedora release 16 (Verne)
[root@localhost ~]# rpm -qa|grep 389
389-console-1.1.7-1.fc16.noarch
389-ds-console-doc-1.2.6-1.fc16.noarch
389-ds-base-libs-1.2.10.2-1.fc16.x86_64
389-ds-1.2.2-1.fc15.noarch
389-ds-console-1.2.6-1.fc16.noarch
389-admin-1.1.23-1.fc16.x86_64
389-admin-console-doc-1.1.8-2.fc16.noarch
389-admin-console-1.1.8-2.fc16.noarch
389-dsgw-1.1.7-2.fc16.x86_64
389-adminutil-1.1.14-1.fc16.x86_64
389-ds-base-1.2.10.2-1.fc16.x86_64
12 years
largish member changes causing problems
by Michael Gettes
I am a little perplexed.
I am making a change to a groupOfNames object having some 16069 member attributes. I am deleting nearly 16000 members and then adding nearly 16000 members. CPU goes to 100% and never comes down. I have plenty of memory allocated (700MB) to nss-slapd and I have made the adjustments to allow for large objects (maxbersize). I end up having to kill -9 slapd. The annoying thing is sometimes it works, sometimes it doesn't. I can't seem to find any common conditions of the failures (or successes).
ds = 1.2.9.9
RHEL = 5.7
Thoughts?
/mrg
12 years
389 LDAP Multi-threading question
by Justin Piszcz
Hello,
Had an inquiry regarding ns-slapd, was multi-threading always supported from
the first public release?
I've seen ns-slapd (an older version) sit pegged at or near 100% CPU
utilization on a multi-core Xeon system.
I've read elsewhere that someone has seen it hit 200% on a 2 way Xeon system
(from 2007)
http://www.mail-archive.com/fedora-directory-users@redhat.com/msg06164.html
There are obviously other factors in terms of the DB, what you are doing, in
terms of add or add+delete; however was curious if there was a parameter
or a compile time setting that enables/disables threads, if the default was
always to use multiple threads(?) or is it the case that there are other
non-optimized parameters being used that would not allow ns-slapd to utilize
the other N number of cores?
Justin.
12 years
Enabling replication with changelog max age
by Reinhard Nappert
Hi all,
I have a couple of questions regarding the nsslapd-changelogmaxage attribute:
This attribute sets the maximum age that entries are kept in the changelog. Documentation says that a change of the value requires a server restart.
1. Do I have to restart the server, when I enable replication, where I set a value (let's say "30d") during the enabling process - in LDAP terms, I include nsslapd-changelogmaxage: 30d as an attribute, when the entry cn=changelog5, cn=config gets added?
2. What happens if I have a changelog (previously set to unlimited age) and I set the value to 30d? Does it remove every entry older than 30 days after the restart? It looks to me that the size of the database did not change, because I did not gain any disk space after I restarted the server.
Thanks,
-Reinhard
12 years
Setup SSL with setup-ds-admin.pl INF
by Jim Finn
I'm trying to script the entire setup of new instances, and have had great
success with setup-ds-admin.pl with an inf.
I want to run nsslapd on both 389 and 636 - How can I configure both ports
and specify my cert within the INF?
Thanks!
Jim Finn
12 years
Re: [389-users] Creating windows sync agreements via ldif
by Carsten Grzemba
Hi,
nsds5BeginReplicaRefresh: start
should do the job.
But I have not done this in a single step, but first add the agreement and then add the attribute nsds5BeginReplicaRefresh: start
Perhaps that helps
Regards
Carsten
On 26.03.12, Juan Carlos Camargo <juancar(a)eprinsa.es> wrote:
> Hi,
>
> I'm making a script to recreate a windows sync agreement in my server and I've found that even though the agreement is created and started, no sync in fact ever occurs. I've noticed also that the "cookie" attribute "nsds7DirsyncCookie" is never created for the sync object even after a full resync. No errors are shown, everything looks normal. If I create the agreement via console then everything works as expected. Can you help me? Probably I'm missing something but cannot figure it out.
>
> Regards!
>
>
> .ldif file:
>
>
> cn: cn=adamuz,cn=replica,cn=dc\3Dmetaeprinsa\2Cdc\3Dorg,cn=mapping tree,cn=config
> changetype: add
> objectClass: top
> objectClass: nsDSWindowsReplicationAgreement
> description: adamuz
> cn: adamuz
> nsds7WindowsReplicaSubtree: dc=adamuz,dc=local
> nsds7DirectoryReplicaSubtree: ou=adamuz,ou=ayuntamientos,ou=usuarios,dc=metaeprinsa,dc=org
> nsds7NewWinUserSyncEnabled: on
> nsds7NewWinGroupSyncEnabled: off
> nsds7WindowsDomain: adamuz.local
> nsDS5ReplicaRoot: dc=metaeprinsa,dc=org
> nsDS5ReplicaHost: adamuzhost.epr
> nsDS5ReplicaPort: 389
> nsDS5ReplicaBindDN: <cn of proxy user>
> nsDS5ReplicaTransportInfo: LDAP
> nsDS5ReplicaCredentials: < pass of proxy user>
> nsds5BeginReplicaRefresh: start
>
> --
> Juan Carlos Camargo Carrillo
> 957-211157, 650932877
12 years
Replica ID management
by mjames@guesswho.com
Happy Monday, group. This seems like it should be obvious. When I set up a new replication using the console, I'm prompted to enter a unique replica ID. How can I tell if the ID I choose is unique? Is there a best practice for replica ID management?
Thanks, Mike
12 years
High CPU Consumption by ns-slapd
by Tom Tucker
Hello! I have eight 389 DS all running the same OS, same 389 DS version,
handling the same LDAP data and with same HW specs. For some reason my two
dev systems are consistently showing higher cpu than the other 6 systems.
Any troubleshooting suggestions to help determine why this might be?
The two dev DS report the ns-slapd process consuming 0-90+% of the CPU.
The other six servers typically stay below 5%. I have looked at logs,
monitored the number of connections, memory consumption, etc. I just can't
explain it.
Any suggestions?
Thank you,
Tom
389-console-1.1.7-1.fc15.noarch
389-ds-base-1.2.10-0.5.a5.fc15.i686
389-ds-console-doc-1.2.6-1.fc15.noarch
389-admin-1.1.25-1.fc15.i686
389-ds-1.2.2-1.fc15.noarch
389-admin-console-1.1.8-1.fc15.noarch
389-ds-base-libs-1.2.10-0.5.a5.fc15.i686
389-admin-console-doc-1.1.8-1.fc15.noarch
389-ds-console-1.2.6-1.fc15.noarch
389-dsgw-1.1.7-2.fc15.i686
389-adminutil-1.1.14-1.fc15.i686
12 years