DES hash values in replicationAgreement with Simple Bind
by Jovan.VUKOTIC@sungard.com
Hi,
We have four 389 DS masters, version 1.2.11 that we are organizing in multi-master replication topology.
On one host we do not have admin server and consequently do not have an option to use 389 Management Console to configure replication agreements.
I configured it from the command line as per the Administration Guide (replication manager, changelog, supplier replica and replication agreement entries), but could not establish a connection to either server from the agreement due to an Invalid credentials error (49).
I suspect the problem is the DES hash of the nsDS5ReplicaCredentials attribute value.
I copied it from another Replication Agreement from the other DS instance pointing to the same Multi-Master replica. That replication Agreement was created in 389 Console and worked fine (i.e. replica got acquired). Hence, I thought since the replication manager entry is the same, copied DES hash would be OK.
It did not work.
Furthermore, when compared with the DES hash created for that very replication manager entry on the third server (again via 389 Console, just for the sake of the test), it turned out to be different.
Do you know any command analog to pwdhash that can generate hash in DES format?
If not, how then to provide nsDS5ReplicaCredentials attribute value of replication agreement entry?
For reference, I used the following entry to create the replication agreement:
dn: cn=rAgrmnt1,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn
=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
description: inst1 supplies inst2
cn: rAgrmnt1
nsDS5ReplicaRoot: dc=example,dc=com
nsDS5ReplicaHost: consumer.replica.com
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: uid=ReplManager,cn=config
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES}secret //copied from another server's dse.ldif file, from its agreement with the same nsDS5ReplicaHost
I would appreciate any help.
Thank you
Jovan Vukotić * Senior Software Engineer * Ambit Treasury Management * SunGard * Banking * Bulevar Milutina Milankovića 136b, Belgrade, Serbia * tel: +381.11.6555-66-1 * jovan.vukotic(a)sungard.com
svn authentication
by Elizabeth Jones
Have any of you run into problems using 389 DS for svn ldap
authentication? I just discovered that our svn instance is not
authenticating successfully with our 389 DS, although I can see from
tcpdumps that it is successfully pulling the password back. I'm wondering
if there is something in the 389 DS that needs to be configured for svn
that I haven't been able to find yet.
thanks,
Elizabeth J
List of errors
by Manel Gimeno Zaragozá
Hello,
I'm having problems adding new users to a 389-dirsrv from a web admin page, and this is what the access log shows when I send the order to add a new user to the LDAP:
[19/Jun/2013:15:35:35 +0200] conn=1345 op=8 ADD dn="uid=test,ou=people,dc=new,dc=domain,dc=es"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=8 RESULT err=10 tag=105 nentries=0 etime=0
I also paste the whole transaction log:
[19/Jun/2013:15:35:35 +0200] conn=1345 fd=72 slot=72 connection from 192.168.xx.xx to 192.168.xx.xx
[19/Jun/2013:15:35:35 +0200] conn=1345 op=0 BIND dn="uid=new-service,ou=Special Users,dc=new,dc=domain,dc=es" method=128 version=3
[19/Jun/2013:15:35:35 +0200] conn=1345 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=new-service,ou=special users,dc=new,dc=domain,dc=es"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=1 BIND dn="cn=orcladmin" method=128 version=3
[19/Jun/2013:15:35:35 +0200] conn=1345 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=orcladmin"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=2 SRCH base="cn=config" scope=2 filter="(objectClass=vlvsearch)" attrs="* aci"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[19/Jun/2013:15:35:35 +0200] conn=1345 op=3 SRCH base="cn=new,cn=config" scope=2 filter="(&(&(associatedDomain=*))(associatedDomain=new.domain.es))" attrs="* aci"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[19/Jun/2013:15:35:35 +0200] conn=1345 op=4 BIND dn="uid=new-service,ou=Special Users,dc=new,dc=domain,dc=es" method=128 version=3
[19/Jun/2013:15:35:35 +0200] conn=1345 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=new-service,ou=special users,dc=new,dc=domain,dc=es"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=5 BIND dn="cn=orcladmin" method=128 version=3
[19/Jun/2013:15:35:35 +0200] conn=1345 op=5 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=orcladmin"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=6 SRCH base="cn=config" scope=2 filter="(objectClass=vlvsearch)" attrs="* aci"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[19/Jun/2013:15:35:35 +0200] conn=1345 op=7 SRCH base="cn=new,cn=config" scope=2 filter="(&(&(associatedDomain=*))(associatedDomain=new.domain.es))" attrs="* aci"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[19/Jun/2013:15:35:35 +0200] conn=1345 op=8 ADD dn="uid=test,ou=people,dc=new,dc=domain,dc=es"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=8 RESULT err=10 tag=105 nentries=0 etime=0
[19/Jun/2013:15:35:35 +0200] conn=1345 op=9 UNBIND
[19/Jun/2013:15:35:35 +0200] conn=1345 op=9 fd=72 closed - U1
My question is: how do I know what "err=10" means? Is there any error code table for it? I've been searching but was not able to find any answer.
Thanks & Regards.
Manel
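As an added example (not code from any of the posts in this thread), here is a small Python decoder for the access-log lines quoted above and in the ldbm errors post further down: it pairs each request with its RESULT line by conn/op and translates err= and tag= into the standard LDAP result-code and response names from RFC 4511, so err=10 reads as referral, err=1 as operationsError and err=32 as noSuchObject. The sample log is constructed from the excerpts quoted on this page; the 389 DS line layout it assumes is the one shown in those excerpts.

```python
import re

# LDAP result codes (RFC 4511) covering the err= values quoted on this page
# (0, 1, 10, 32) plus a few that commonly appear in 389 DS access logs.
LDAP_RESULT_CODES = {
    0: "success", 1: "operationsError", 10: "referral", 32: "noSuchObject",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform", 68: "entryAlreadyExists",
}
# BER tag numbers of the response PDUs that 389 DS prints as tag=NN.
LDAP_RESPONSE_TAGS = {97: "BindResponse", 101: "SearchResultDone",
                      103: "ModifyResponse", 105: "AddResponse", 107: "DelResponse"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$")
REQ_RE = re.compile(r'^(?P<kind>BIND|SRCH|ADD|DEL|MOD|UNBIND)(?: (?:base|dn)="(?P<dn>[^"]*)")?')
RES_RE = re.compile(r"^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)")

def parse_access_log(lines):
    """Pair each request with its RESULT line, keyed by (conn, op); decode err/tag."""
    ops = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection open/SSL lines carry no op= and are skipped
        key = (int(m["conn"]), int(m["op"]))
        rec = ops.setdefault(key, {"conn": key[0], "op": key[1], "kind": None, "dn": None})
        res = RES_RE.match(m["body"])
        if res:
            err, tag = int(res["err"]), int(res["tag"])
            rec.update(err=err, err_name=LDAP_RESULT_CODES.get(err, "unknown(%d)" % err),
                       response=LDAP_RESPONSE_TAGS.get(tag, "tag=%d" % tag),
                       nentries=int(res["n"]))
            continue
        req = REQ_RE.match(m["body"])
        if req:  # "fd=NN closed" lines match neither regex and change nothing
            rec.update(kind=req["kind"], dn=req["dn"])
    return [ops[k] for k in sorted(ops)]

def failed_operations(lines):
    """Completed operations whose result code is anything other than success (0)."""
    return [r for r in parse_access_log(lines) if r.get("err", 0) != 0]

# Constructed sample assembled from the access-log excerpts quoted in the posts.
SAMPLE_LOG = """\
[19/Jun/2013:15:35:35 +0200] conn=1345 op=0 BIND dn="uid=new-service,ou=Special Users,dc=new,dc=domain,dc=es" method=128 version=3
[19/Jun/2013:15:35:35 +0200] conn=1345 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=new-service,ou=special users,dc=new,dc=domain,dc=es"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=8 ADD dn="uid=test,ou=people,dc=new,dc=domain,dc=es"
[19/Jun/2013:15:35:35 +0200] conn=1345 op=8 RESULT err=10 tag=105 nentries=0 etime=0
[19/Jun/2013:15:35:35 +0200] conn=1345 op=9 UNBIND
[19/Jun/2013:15:35:35 +0200] conn=1345 op=9 fd=72 closed - U1
[10/Jun/2013:14:50:59 -0700] conn=3516 op=1 ADD dn="uid=jmeter25,dc=dev,dc=id,dc=ubc,dc=ca"
[10/Jun/2013:14:50:59 -0700] conn=3516 op=1 RESULT err=1 tag=105 nentries=0 etime=0 csn=51b64a46001b01f50000
[10/Jun/2013:14:50:59 -0700] conn=3516 op=2 DEL dn="uid=jmeter25,dc=dev,dc=id,dc=ubc,dc=ca"
[10/Jun/2013:14:50:59 -0700] conn=3516 op=2 RESULT err=32 tag=107 nentries=0 etime=0
""".splitlines()

if __name__ == "__main__":
    for r in failed_operations(SAMPLE_LOG):
        print("conn=%(conn)d op=%(op)d %(kind)s %(dn)s -> err=%(err)d %(err_name)s" % r)
```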
changelog deadlock replication failures with DNA
by Mahadevan, Venkat
Hello,
While doing multiple adds using POSIX uidNumbers and the DNA plugin,
I have noticed errors such as the following:
[12/Jun/2013:11:43:24 -0700] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=51b8c148001e02be0000) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Jun/2013:11:43:24 -0700] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: failed to write entry with csn (51b8c148001e02be0000); db error - -30994 DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock
[12/Jun/2013:11:43:24 -0700] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=jmeter429,dc=tst,dc=id,dc=ubc,dc=ca (uniqid: e62c908c-d38f11e2-96fdeacd-f14f05d6, optype: 16) to changelog csn 51b8c148001e02be0000
[12/Jun/2013:11:43:36 -0700] NSMMReplicationPlugin - changelog program - _cl5WriteOperationTxn: retry (49) the transaction (csn=51b8c154004002be0000) failed (rc=-30994 (DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock))
[12/Jun/2013:11:43:36 -0700] NSMMReplicationPlugin - write_changelog_and_ruv: can't add a change for uid=jmeter797,dc=tst,dc=id,dc=ubc,dc=ca (uniqid: e62c9143-d38f11e2-96fdeacd-f14f05d6, optype: 16) to changelog csn 51b8c154004002be0000
The net effect of these errors is that an entry will be added to the replication master but
will not sync down to any of the consumers. I am assuming this is because it is not added
to the changelog database correctly. Doing a bit of research, I tracked this down:
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=907985
And there is also an advisory from RedHat that this bug has been fixed: https://rhn.redhat.com/errata/RHSA-2013-0742.html
"A problem in the lock timing in the DNA plug-in caused a deadlock if the
DNA operation was executed with other plug-ins. This update moves the
release timing of the problematic lock, and the DNA plug-in does not cause
the deadlock. (BZ#929196)"
I am running RHEL 6.4
and 389-ds-base.x86_64 1.2.11.15-14.el6_4 @rhel-x86_64-server-6
So this bug should not be occurring? Should I upgrade to a version of 389-ds-base supplied by EPEL instead of Redhat? Any
insight is most appreciated. Thank you.
Kind regards,
VM
compiling 389 DS
by Alberto Viana
Hello all,
I'm trying to compile a new version of 389 DS (389-ds-base-1.3.0.4) and I'm
getting this error:
gcc -DHAVE_CONFIG_H -I. -DBUILD_NUM=\"2013.168.127\" "-DVENDOR=\"389
Project\"" -DBRAND=\"389\" -DCAPBRAND=\"389\" -UPACKAGE_VERSION
-UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT -I./ldap/include
-I./ldap/servers/slapd -I./include -I. -DLOCALSTATEDIR=\"/opt/dirsrv/var\"
-DSYSCONFDIR=\"/opt/dirsrv/etc\" -DLIBDIR=\"/opt/dirsrv/lib\"
-DBINDIR=\"/opt/dirsrv/bin\" -DDATADIR=\"/opt/dirsrv/share\"
-DDOCDIR=\"/opt/dirsrv/share/doc/389-ds-base\"
-DSBINDIR=\"/opt/dirsrv/sbin\"
-DPLUGINDIR=\"/opt/dirsrv/lib/dirsrv/plugins\"
-DTEMPLATEDIR=\"/opt/dirsrv/share/dirsrv/data\" -I/usr/include/nspr
-I/usr/include/nss -I/usr/include/mozldap -I/usr/include/nss
-I/usr/include/nspr -I/usr/include/nspr -I/usr/include/sasl -I/usr/include
-I/usr/include/nspr -I/usr/include/nss -g -O2 -MT
ldap/servers/slapd/libslapd_la-opshared.lo -MD -MP -MF
ldap/servers/slapd/.deps/libslapd_la-opshared.Tpo -c
ldap/servers/slapd/opshared.c -fPIC -DPIC -o
ldap/servers/slapd/.libs/libslapd_la-opshared.o
ldap/servers/slapd/opshared.c: In function 'op_shared_search':
ldap/servers/slapd/opshared.c:470:16: error: 'LDAP_CANCELLED' undeclared
(first use in this function)
ldap/servers/slapd/opshared.c:470:16: note: each undeclared identifier is
reported only once for each function it appears in
ldap/servers/slapd/opshared.c: In function 'op_shared_log_error_access':
ldap/servers/slapd/opshared.c:1702:23: warning: format '%llu' expects
argument of type 'long long unsigned int', but argument 3 has type
'PRUint64' [-Wformat]
Also tried 389-ds-base-1.3.0.3 and 389-ds-base-1.2.11.19 with the same
error.
Can anyone point me to how to fix it?
Thanks.
Alberto Viana
How to enable "directory browsing" and "Search People" in Outlook 2013?
by Christopher Cheng
I have set up 389 Server on CentOS and configured the following. I am able
to search with "Advanced Find" using Address Book, but when I click on the
"Name only" in the search option, I cannot list all users in
"ou=Peoples,dc=example,dc=com" and I cannot use the "Search People" in the
ribbon bar to search for users.
# Replace ldap:///all (authenticated users) by ldap:///anyone (everyone,
including anonymous)
# old aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
allow(read ,search, compare) userdn = "ldap:///all";)
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
changetype: modify
replace: aci
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
allow(read,search,compare) userdn = "ldap:///anyone";)
# Add a special index for Outlook VLV
dn: cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: Outlook Browse
objectClass: top
objectClass: vlvsearch
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
allow(read,search,compare) userdn = "ldap:///anyone";)
vlvBase: ou=Users,dc=example,dc=com
vlvFilter: (&(mail=*)(cn=*))
vlvScope: 2
dn: cn=Outlook Browse Index,cn=Outlook Browse,cn=userRoot,cn=ldbm
database,cn=plugins,cn=config
changetype: add
cn: Outlook Browse Index
objectClass: top
objectClass: vlvindex
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
allow(read,search,compare) userdn = "ldap:///anyone";)
vlvEnabled: 1
vlvSort: cn
inf file directive for CA certificate file
by Jovan.VUKOTIC@sungard.com
Hi,
We are starting installations of four 389 DS, version 1.2.11 and would like to pass an inf file together with command line parameters to
setup-ds-admin.pl script.
At the moment we have one 389 DS instance installed where Configuration Directory (o=NetscapeRoot ) is placed and where TLS/SSL is enabled.
However, I cannot find an inf file directive for the CA certificate file that we are prompted to supply when the script is run interactively. We need that file since an LDAP URL to the configuration directory is supplied in the form
ldaps://ds1.example.com:636/o=NetscapeRoot
Thanks in advance,
Jovan Vukotic
Jovan Vukotić * Senior Software Engineer * Ambit Treasury Management * SunGard * Banking * Bulevar Milutina Milankovića 136b, Belgrade, Serbia * tel: +381.11.6555-66-1 * jovan.vukotic(a)sungard.com
Console window problems
by Herb Burnswell
All,
I did a new install of 389 DS on RHEL 6.4 via yum. The list of installed
packages/dependencies is:
Jun 06 18:12:33 Installed: libicu-4.2.1-9.1.el6_2.x86_64
Jun 06 18:12:33 Installed: perl-Mozilla-LDAP-1.5.3-4.el6.x86_64
Jun 06 18:12:33 Installed: 389-adminutil-1.1.15-1.el6.x86_64
Jun 06 18:12:33 Installed: jss-4.2.6-24.el6.x86_64
Jun 06 18:12:33 Installed: svrcore-4.0.4-5.1.el6.x86_64
Jun 06 18:12:33 Installed: 389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
Jun 06 18:12:34 Installed: ldapjdk-4.18-6.el6.x86_64
Jun 06 18:12:34 Installed: idm-console-framework-1.1.7-2.el6.noarch
Jun 06 18:12:34 Installed: 389-console-1.1.7-1.el6.noarch
Jun 06 18:12:34 Installed: libsemanage-python-2.0.43-4.2.el6.x86_64
Jun 06 18:12:35 Installed: mod_nss-1.0.8-18.el6.x86_64
Jun 06 18:12:35 Installed: perl-NetAddr-IP-4.027-7.el6.x86_64
Jun 06 18:12:35 Installed: cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
Jun 06 18:12:35 Installed: cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
Jun 06 18:12:35 Installed: perl-Socket6-0.23-3.el6.x86_64
Jun 06 18:12:35 Installed: openldap-clients-2.4.23-32.el6_4.1.x86_64
Jun 06 18:12:36 Installed: setools-libs-3.3.7-4.el6.x86_64
Jun 06 18:12:36 Installed: setools-libs-python-3.3.7-4.el6.x86_64
Jun 06 18:12:36 Installed: audit-libs-python-2.2-2.el6.x86_64
Jun 06 18:13:43 Installed: policycoreutils-python-2.0.83-19.30.el6.x86_64
Jun 06 18:13:44 Installed: 389-ds-base-1.2.11.15-14.el6_4.x86_64
Jun 06 18:13:44 Installed: 389-admin-1.1.29-1.el6.x86_64
Jun 06 18:13:44 Installed: 389-admin-console-1.1.8-1.el6.noarch
Jun 06 18:13:45 Installed: 389-ds-console-1.2.6-1.el6.noarch
Jun 06 18:13:45 Installed: 389-ds-console-doc-1.2.6-1.el6.noarch
Jun 06 18:13:45 Installed: 389-admin-console-doc-1.1.8-1.el6.noarch
Jun 06 18:13:45 Installed: 389-dsgw-1.1.10-1.el6.x86_64
Jun 06 18:13:45 Installed: 389-ds-1.2.2-1.el6.noarch
The install worked fine but when I launch the console window via
389-console, the java windows do not work properly. The full window is not
visible, the buttons on the bottom of the window are not in view. If I try
to drag the window size larger the buttons still do not come into view.
I've set the JAVA_HOME variable to be
JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk.x86_64.
I am launching the console via Windows 7, using X-Win-32 2010.
Can anyone point me in the right direction as to how to fix this issue? Is
it the java version? If so, is there a known version of java that will
work with this configuration? Any guidance would be greatly appreciated.
TIA,
Herb
Questions about replication schedules
by Rodney
I'm running 389 DS version 1.2.10.14 for all servers on RHEL 5.8 hosts.
First question: when defining the nsDS5ReplicaUpdateSchedule
attribute for the replication agreement, the Administration manual
says the format should look like this (with no dash in the time range):
nsDS5ReplicaUpdateSchedule: 0030 0045 0123456
The Configuration and Command-Line Tool Reference shows the
format of this attribute with a dash in the time range:
nsDS5ReplicaUpdateSchedule: 0030-0045 0123456
I was wondering which format is correct, or whether they both work?
I have chosen the 2nd format and get no errors.
Also, in the errors log file for the LDAP master where the above agreement
is created, I see this in the log file one minute after the replication time
period is finished and would like to know if this is normal for scheduled
replications:
[13/Jun/2013:00:46:00 -0400] NSMMReplicationPlugin
-agmt="cn=ldaphost(ldaphost:636): Incremental protocol: event
update_window_closed
should not occur in state wait_for_window_to_open; going to sleep
Thanks,
Rodney
ldbm errors when adding/modifying/deleting entries
by Mahadevan, Venkat
Hello,
My apologies if this has been discussed before but I couldn't find anything in the archives
beyond this: https://lists.fedoraproject.org/pipermail/389-commits/2011-January/004560...
The issue I am encountering is the following errors when an entry is being added to the
directory or deleted from the directory; it seems an operations error err=1 corresponds to
a failure in the backend ldbm (see log snippets below).
I can reproduce these errors consistently by running a JMeter test to add and delete
entries. It always transpires that some entries will fail to add or delete and will throw an operations
error err=1 and a corresponding ldbm error.
----------------
In the error log I see things like:
[10/Jun/2013:14:46:43 -0700] - ldbm_back_delete: modify_switch_entries failed
[10/Jun/2013:14:50:58 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:50:59 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:50:59 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:50:59 -0700] - ldbm_back_add: modify_switch_entries failed
[10/Jun/2013:14:50:59 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:51:00 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:51:00 -0700] - ldbm_back_add: modify_switch_entries failed
[10/Jun/2013:14:51:00 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:51:01 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:51:02 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:51:04 -0700] - ldbm_back_modify: modify_switch_entries failed
[10/Jun/2013:14:51:04 -0700] - ldbm_back_add: modify_switch_entries failed
In the access log I see things like:
[10/Jun/2013:14:50:59 -0700] conn=3516 SSL 256-bit AES
[10/Jun/2013:14:50:59 -0700] conn=3516 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[10/Jun/2013:14:50:59 -0700] conn=3516 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[10/Jun/2013:14:50:59 -0700] conn=3516 op=1 ADD dn="uid=jmeter25,dc=dev,dc=id,dc=ubc,dc=ca"
[10/Jun/2013:14:50:59 -0700] conn=3516 op=1 RESULT err=1 tag=105 nentries=0 etime=0 csn=51b64a46001b01f50000
[10/Jun/2013:14:50:59 -0700] conn=3516 op=2 DEL dn="uid=jmeter25,dc=dev,dc=id,dc=ubc,dc=ca"
[10/Jun/2013:14:50:59 -0700] conn=3516 op=2 RESULT err=32 tag=107 nentries=0 etime=0
[10/Jun/2013:14:50:59 -0700] conn=3516 op=3 UNBIND
[10/Jun/2013:14:50:59 -0700] conn=3516 op=3 fd=107 closed - U1
[10/Jun/2013:14:51:00 -0700] conn=3533 SSL 256-bit AES
[10/Jun/2013:14:51:00 -0700] conn=3533 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[10/Jun/2013:14:51:00 -0700] conn=3533 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[10/Jun/2013:14:51:00 -0700] conn=3533 op=1 ADD dn="uid=jmeter57,dc=dev,dc=id,dc=ubc,dc=ca"
[10/Jun/2013:14:51:00 -0700] conn=3533 op=1 RESULT err=1 tag=105 nentries=0 etime=0 csn=51b64a46004d01f50000
[10/Jun/2013:14:51:00 -0700] conn=3533 op=2 DEL dn="uid=jmeter57,dc=dev,dc=id,dc=ubc,dc=ca"
[10/Jun/2013:14:51:00 -0700] conn=3533 op=2 RESULT err=32 tag=107 nentries=0 etime=0
[10/Jun/2013:14:51:00 -0700] conn=3533 op=3 UNBIND
[10/Jun/2013:14:51:00 -0700] conn=3533 op=3 fd=110 closed - U1
Our configuration is as follows:
2 Master servers (writes always go to one) in a MMR config.
3 Replica servers with replication agreements to each of the 2 masters.
RHEL 6.4 x64 Linux 2.6.32-358.2.1.el6.x86_64
389-ds-base.x86_64 1.2.11.15-14.el6_4 @rhel-x86_64-server-6
Has anyone seen this before and solved the issue? This is a big blocker for us before we can deploy in production.
So far, I am really liking 389 and want to see it in use at our institution. Thank you for any assistance.
Kind regards,
--------------------------------------------------------------------
Venkat Mahadevan
Programmer Analyst II, Identity and Access Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Tel: 604.822.4112