Point-in-time Recovery
by MND EXA
Hi Experts,
We are using 389 DS as the authentication source for a web portal. There are
about 45 million entries. The user data is distributed across the
Directory Server (just cn, sn and password are valued) and an Oracle
Database (all identification and business related data). The challenge here
is to keep those two systems consistent (a user having an entry in
the database should have one in the Directory Server). This especially
requires being able to perform a point-in-time restore of the Directory
Server (no problem with the Oracle Database, we are able to do that).
Our environment is made of two Directory Servers in multi-master
replication.
I came up with what I think can be a solution, but something is telling me
there should be a better way to do that. So here I am to ask for advice from
you experts:
Here is what I think could be a solution, but I am not confident about it:
- The backup files and changelog db are stored on shared storage mounted on
  the Directory Server
- Every week, take a (full) backup of the server (using db2bak)
- Whenever there is an issue:
  - Disable replication
  - Make a point-in-time recovery of my database
  - Create a script that dumps the changelog db to an ldif file (using
    dbscan)
  - Parse the ldif to obtain a compliant ldif file
  - Truncate the ldif file to just keep the changes to be restored
  - Restore the two Directory Servers using their corresponding (full)
    backups (the weekly ones)
  - Activate replication
  - Replay the ldif computed from the changelog db using ldapmodify
This seems daunting, cumbersome... So, any advice?
Thank you in advance for your responses.
Kind Regards,
9 years, 6 months
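The "truncate the ldif" step from the message above, as an added example that is not part of the original post or of 389 DS: it keeps only the change records whose CSN time is at or before the recovery point and orders them for replay. The blank-line-separated layout with a `csn:` line, the sample records and all function names are assumptions; adapt the parsing to what your changelog dump actually emits.

```python
import re
from datetime import datetime, timezone

# Assumed layout: one "csn: <20 hex digits>" line per change record.
CSN_LINE = re.compile(r"^csn:[ \t]*([0-9a-fA-F]{20})[ \t]*$", re.M)

# Constructed sample, deliberately out of order; not real dbscan output.
SAMPLE_DUMP = """\
csn: 54221c20000000010000
dn: uid=carol,ou=people,dc=example,dc=com
changetype: delete

csn: 54220000000000010000
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: sn
sn: Smith

csn: 54220e10000000020000
dn: uid=bob,ou=people,dc=example,dc=com
changetype: modify
replace: cn
cn: Bob B
"""

def csn_time(csn):
    """A CSN starts with the change time: 8 hex digits of epoch seconds."""
    return datetime.fromtimestamp(int(csn[:8], 16), tz=timezone.utc)

def split_records(dump):
    """Yield (csn, record) pairs; refuse records that carry no CSN."""
    for block in re.split(r"\n[ \t]*\n", dump.strip()):
        match = CSN_LINE.search(block)
        if match is None:
            raise ValueError("change record without a csn line: %r" % block)
        yield match.group(1).lower(), block

def changes_until(dump, cutoff):
    """Records stamped at or before cutoff (aware datetime), in CSN order."""
    kept = [(c, r) for c, r in split_records(dump) if csn_time(c) <= cutoff]
    return sorted(kept)  # equal-length hex CSNs sort chronologically

def to_replay_ldif(records):
    """Drop the csn bookkeeping line so only the change itself remains."""
    bodies = ["\n".join(line for line in rec.splitlines()
                        if not line.lower().startswith("csn:"))
              for _, rec in records]
    return "\n\n".join(bodies) + "\n"
```

The cutoff should be the same instant the Oracle database is recovered to, so both stores end at the same point; a record without a CSN stops the run rather than being replayed at an unknown position.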
Re: [389-users] upgrade 389ds-base 1.2.2. to last release
by Ghiurea, Isabella
Hi Rich,
See this: most of the ds packages are gone now, and setup-ds-admin.pl can't be run:
(I'm not sure all these removed packages are in the last tarball release also)
yum erase 389\* idm-console-framework
Loaded plugins: dellsysid, refresh-packagekit, security, versionlock
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package 389-admin.x86_64 0:1.1.35-1.el6 will be erased
---> Package 389-admin-console.noarch 0:1.1.8-1.el6 will be erased
---> Package 389-admin-console-doc.noarch 0:1.1.8-1.el6 will be erased
---> Package 389-adminutil.x86_64 0:1.1.19-1.el6 will be erased
---> Package 389-console.noarch 0:1.1.7-1.el6 will be erased
---> Package 389-ds.noarch 0:1.2.2-1.el6 will be erased
---> Package 389-ds-base.x86_64 0:1.2.11.15-34.el6_5 will be erased
---> Package 389-ds-base-cadc.x86_64 0:1.3.3.3-sl6_00 will be erased
---> Package 389-ds-base-libs.x86_64 0:1.2.11.15-34.el6_5 will be erased
---> Package 389-ds-console.noarch 0:1.2.6-1.el6 will be erased
---> Package 389-ds-console-doc.noarch 0:1.2.6-1.el6 will be erased
---> Package 389-dsgw.x86_64 0:1.1.11-1.el6 will be erased
---> Package idm-console-framework.noarch 0:1.1.7-2.el6 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
==========================================================================================================================================================
Package Arch Version Repository Size
==========================================================================================================================================================
Removing:
389-admin x86_64 1.1.35-1.el6 @epel 1.2 M
389-admin-console noarch 1.1.8-1.el6 @epel 223 k
389-admin-console-doc noarch 1.1.8-1.el6 @epel 95 k
389-adminutil x86_64 1.1.19-1.el6 @epel 170 k
389-console noarch 1.1.7-1.el6 @epel 79 k
389-ds noarch 1.2.2-1.el6 @epel 12 k
389-ds-base x86_64 1.2.11.15-34.el6_5 @sl-security 4.9 M
389-ds-base-cadc x86_64 1.3.3.3-sl6_00 @cadc 19 M
389-ds-base-libs x86_64 1.2.11.15-34.el6_5 @sl-security 1.0 M
389-ds-console noarch 1.2.6-1.el6 @epel 1.5 M
389-ds-console-doc noarch 1.2.6-1.el6 @epel 176 k
389-dsgw x86_64 1.1.11-1.el6 @epel 3.7 M
idm-console-framework noarch 1.1.7-2.el6 @epel 1.2 M
Transaction Summary
==========================================================================================================================================================
Remove 13 Package(s)
Installed size: 33 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Erasing : 389-ds-1.2.2-1.el6.noarch 1/13
Erasing : 389-admin-console-doc-1.1.8-1.el6.noarch 2/13
Erasing : 389-admin-console-1.1.8-1.el6.noarch 3/13
Erasing : 389-console-1.1.7-1.el6.noarch 4/13
Erasing : 389-ds-console-doc-1.2.6-1.el6.noarch 5/13
Erasing : 389-ds-console-1.2.6-1.el6.noarch 6/13
Erasing : idm-console-framework-1.1.7-2.el6.noarch 7/13
Erasing : 389-ds-base-cadc-1.3.3.3-sl6_00.x86_64 8/13
Erasing : 389-dsgw-1.1.11-1.el6.x86_64 9/13
Erasing : 389-admin-1.1.35-1.el6.x86_64 10/13
Erasing : 389-ds-base-1.2.11.15-34.el6_5.x86_64 11/13
Erasing : 389-ds-base-libs-1.2.11.15-34.el6_5.x86_64 12/13
Erasing : 389-adminutil-1.1.19-1.el6.x86_64 13/13
Unable to connect to dbus
Verifying : 389-ds-1.2.2-1.el6.noarch 1/13
Verifying : 389-ds-base-1.2.11.15-34.el6_5.x86_64 2/13
Verifying : 389-admin-1.1.35-1.el6.x86_64 3/13
Verifying : 389-dsgw-1.1.11-1.el6.x86_64 4/13
Verifying : 389-admin-console-1.1.8-1.el6.noarch 5/13
Verifying : 389-ds-base-cadc-1.3.3.3-sl6_00.x86_64 6/13
Verifying : 389-ds-console-doc-1.2.6-1.el6.noarch 7/13
Verifying : idm-console-framework-1.1.7-2.el6.noarch 8/13
Verifying : 389-ds-base-libs-1.2.11.15-34.el6_5.x86_64 9/13
Verifying : 389-admin-console-doc-1.1.8-1.el6.noarch 10/13
Verifying : 389-ds-console-1.2.6-1.el6.noarch 11/13
Verifying : 389-console-1.1.7-1.el6.noarch 12/13
Verifying : 389-adminutil-1.1.19-1.el6.x86_64 13/13
Removed:
389-admin.x86_64 0:1.1.35-1.el6 389-admin-console.noarch 0:1.1.8-1.el6 389-admin-console-doc.noarch 0:1.1.8-1.el6
389-adminutil.x86_64 0:1.1.19-1.el6 389-console.noarch 0:1.1.7-1.el6 389-ds.noarch 0:1.2.2-1.el6
389-ds-base.x86_64 0:1.2.11.15-34.el6_5 389-ds-base-cadc.x86_64 0:1.3.3.3-sl6_00 389-ds-base-libs.x86_64 0:1.2.11.15-34.el6_5
389-ds-console.noarch 0:1.2.6-1.el6 389-ds-console-doc.noarch 0:1.2.6-1.el6 389-dsgw.x86_64 0:1.1.11-1.el6
idm-console-framework.noarch 0:1.1.7-2.el6
Complete!
[root@proc5-01 dirsrv]#
[root@proc5-01 dirsrv]#
[root@proc5-01 dirsrv]# export PATH=/opt/dirsrv/sbin:/opt/dirsrv/bin:$PATH
[root@proc5-01 dirsrv]# setup-ds-admin.pl
-bash: setup-ds-admin.pl: command not found
9 years, 6 months
upgrade 389ds-base 1.2.2. to last release
by Ghiurea, Isabella
Hi,
I'm running SL6.5. I have installed but not configured the 389-ds-1.2.2-1.el6.noarch package; next we built from source code the rpm 389-ds-base-cadc-1.3.3.3-sl6_00.x86_64, which got installed in /opt/dirsrv. When I start setup-ds-admin.pl, it is still showing as 389-ds-1.2.2. How can I start using the latest version and upgrade the base 389-ds-base-1.2.2?
Thank you
9 years, 6 months
389-console: "Directory Server" entry disappeared from "Server Group" - how can I get it back?
by Ray
Hi there,
I recently had a permission issue which denied write access to all of
389's directories to the user running 389 (in my case "nobody"). This
led to corrupted Berkeley DBs (which I fixed by exporting them one by
one with db_dump and then re-creating the db from the dump using
db_load).
This worked to get the service back into a running state: both
dirsrv-admin and dirsrv start just fine again: My various Linux boxes
"see" the users and groups provided by the directory server again.
Yesterday I wanted to make some changes to the directory, however, and I
noticed that the entry "Directory server (<hostname>)" disappeared from
the "Server Group" in my 389-console.
Can anyone here tell me how I get this entry back?
Best,
Ray
9 years, 6 months
NSS SSL failure.
by William
Hi,
(Off list posting, please include me in replies)
I'm having issues getting a freshly provisioned instance of 389 working
with SSL.
In my instance directory, I created a self signed CA and server cert
with:
certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -2 -f ./pwdfile
certutil -S -n "Server-Cert" -s "cn=ammy.its.adelaide.edu.au" -c "CA certificate" -t "u,u,u" -m 1001 -v 120 -d . -f ./pwdfile -8 localhost
certutil -d . -V -n Server-Cert -u V
certutil: certificate is valid
Restarting nsslapd I see:
[19/Sep/2014:10:04:47 +091800] - SSL failure: None of the cipher are valid
[19/Sep/2014:10:04:47 +091800] - ERROR: SSL Initialization phase 2 Failed.
With NO OTHER errors. Higher log levels have not helped.
Here are the relevant parts of dse.ldif for my configuration.
cn=config:
nsslapd-security: on
nsslapd-ssl-check-hostname: off
nsslapd-validate-cert: warn
dn: cn=encryption,cn=config
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: on
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=directory manager
This was from the steps at
http://directory.fedoraproject.org/wiki/Howto:SSL
None of this configuration seems unreasonable.
I would like to know if there are ways to improve my debug output around
this matter. Is there an NSS environment variable I can use to help with
this for example?
9 years, 6 months
Trouble with Replication - Initializing Consumers
by Fong, Trevor
Hi Everyone,
I'm having trouble initializing consumers for replication.
On 2 of the 3 consumers, I get the following message after trying to re-initialize the consumers from the 389-console:
NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=stg,dc=id,dc=ubc,dc=ca: LDAP error - 1
I've tried to db2ldif dump the database and re-import everything again with ldif2db before re-initializing.
I've even tried to ldif2db an export from the master before re-initializing.
I always get the above error.
Does anyone know what's going on or have any suggestions?
/var/log/dirsrv/slapd-instance/errors extract follows.
Thanks a lot,
Trev
[24/Sep/2014:14:13:13 -0700] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[24/Sep/2014:14:13:34 -0700] - import userRoot: Processed 19704 entries -- average rate 980.1/sec, recent rate 980.1/sec, hit ratio 0%
[24/Sep/2014:14:13:37 -0700] - ERROR bulk import abandoned
[24/Sep/2014:14:13:37 -0700] - import userRoot: Aborting all Import threads...
[24/Sep/2014:14:13:44 -0700] - import userRoot: Import threads aborted.
[24/Sep/2014:14:13:44 -0700] - import userRoot: Closing files...
[24/Sep/2014:14:13:44 -0700] - libdb: userRoot/id2entry.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:44 -0700] - libdb: userRoot/cn.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:44 -0700] - libdb: userRoot/aci.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:44 -0700] - libdb: userRoot/departmentnumber.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/member.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/krbprincipalname.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/parentid.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/nsuniqueid.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/ou.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/ubceducwlpuid.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/entryrdn.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/sn.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/givenName.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/objectclass.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/uniquemember.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/uid.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/memberOf.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/mail.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - libdb: userRoot/employeenumber.db4: unable to flush: No such file or directory
[24/Sep/2014:14:13:45 -0700] - import userRoot: Import failed.
[24/Sep/2014:14:13:45 -0700] - process_bulk_import_op: NULL target sdn
[24/Sep/2014:14:13:46 -0700] NSMMReplicationPlugin - replica_replace_ruv_tombstone: failed to update replication update vector for replica dc=stg,dc=id,dc=ubc,dc=ca: LDAP error - 1
9 years, 6 months
Getting error 11 admin limit exceed using Apache Studio
by Ghiurea, Isabella
I'm getting 389 DS error 11: limit exceeded. I am trying to set nsslapd-sizelimit and nsslapd-lookthroughlimit to -1 (unlimited), but can't find in which cfg file to edit the entry. Next, is this a dynamic or static parameter?
Thank you
9 years, 6 months
Re: [389-users] 389-users Digest, Vol 112, Issue 16 : How to install the last 389-ds-1.3.3 on SL (Ghiurea, Isabella
by Ghiurea, Isabella
re: How to install the last 389-ds-1.3.3 on SL
Hi Rich,
How do I get 389-ds-1.3.base for SL 6.5? I would like to have all the latest updates (including replication).
Thank you
________________________________________
From: 389-users-bounces(a)lists.fedoraproject.org [389-users-bounces(a)lists.fedoraproject.org] On Behalf Of 389-users-request(a)lists.fedoraproject.org [389-users-request(a)lists.fedoraproject.org]
Sent: Wednesday, September 24, 2014 5:35 PM
To: 389-users(a)lists.fedoraproject.org
Subject: 389-users Digest, Vol 112, Issue 16
Today's Topics:
1. Re: register-ds-admin against external LDAP urls (Rich Megginson)
2. DS SSL -CA replication and clients (Ghiurea, Isabella)
3. how to install the last 389-ds-1.3.3 on SL (Ghiurea, Isabella)
4. Re: how to install the last 389-ds-1.3.3 on SL (Rich Megginson)
5. Trouble with Replication - Initializing Consumers (Fong, Trevor)
6. Re: Trouble with Replication - Initializing Consumers
(Fong, Trevor)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Sep 2014 08:22:32 -0600
From: Rich Megginson <rmeggins(a)redhat.com>
To: 389-users(a)lists.fedoraproject.org
Subject: Re: [389-users] register-ds-admin against external LDAP urls
Message-ID: <5422D3A8.5080905(a)redhat.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 09/24/2014 05:53 AM, Alan Willis wrote:
> The documentation for register-ds-admin.pl
> <http://register-ds-admin.pl> says the following:
>
> "The register-ds-admin.pl <http://register-ds-admin.pl> script does
> not support external LDAP URLs, so the Directory Server instance must
> be registered against a local Admin Server."
>
> Would there be any issues in creating the ldap entries that this
> script creates in a remote configuration directory instead of a local one?
No, and if you figure out the right formula for entries to create,
please let us know.
>
> -alan
>
> --
>
> Alan Willis
> Systems Administrator | Riot Games
> Email: alwillis at riotgames.com <http://riotgames.com>
>
> For, to speak out once for all, man only plays when in the full
> meaning of the word he is a man, and /he is only completely a man when
> he plays/. - J.C. Friedrich von Schiller - Letters upon the Æsthetic
> Education of Man
>
>
>
9 years, 6 months
how to install the last 389-ds-1.3.3 on SL
by Ghiurea, Isabella
I'm running Scientific Linux release 6.5,base4.0-amd64,
I have the 389-ds-1.2.2-1.el6 package installed using yum, but I can't get the last version, 389-ds-1.3.3, installed via yum. What am I missing?
Isabella
9 years, 6 months
DS SSL -CA replication and clients
by Ghiurea, Isabella
Hi Gurus,
I am learning to cfg the 389 DS SSL option. We intend to cfg multi-master DS replication and
need to know:
- Would it work to have one CA for clients connecting to DS and ANOTHER CA for inter-DS replication?
Next:
We intend to use the replication for failover and load balancing; we will cfg multi-master replication.
- Do I need each DS CA to be exchanged on each replica/master DS, and also a copy of the CA on each client?
Thank you
Isabella
9 years, 6 months