Re: Erasing and rewriting 389
by Patrick Landry
That's pretty much the steps I follow to completely remove a 389 DS installation.
I presume your "existing scripts" attempt to recreate your DIT. Do they produce any error messages?
----- Original Message -----
From: "Charlie Mordant" <cmordant1(a)gmail.com>
To: "General discussion list for the 389 Directory server project." <389-users(a)lists.fedoraproject.org>
Sent: Monday, April 25, 2016 3:51:28 PM
Subject: [389-users] Erasing and rewriting 389
Hi Laposte experts (French national mailing delivery)!
I'm trying some experiments, some simple things, on 389 DS.
I have an existing 389 installation with some users, groups and ACLs (on Fedora 21), and I'm trying to uninstall and erase my existing LDAP to reinstall it.
So my script is:
* remove-ds-admin.pl -a -f -y
* service stop (dirsrv@myldap, dirsrv-admin)
* yum uninstall 389-*
* rm -rf /**dirsrv*/**
* then reinstalling with my existing script.
Although it looks like a nice thing, it seems that there's a catch: my dc=tld,dc=dn subgroups are not created.
Is there something somewhere that I should be aware of to be able to remove everything?
Best regards,
Charlie
--
Charlie Mordant
Full OSGI/EE stack made with Karaf: https://github.com/OsgiliathEnterprise/net.osgiliath.parent
--
Patrick Landry
Director, UCSS
University of Louisiana at Lafayette
pml(a)louisiana.edu
Question about Managed Entries Plugin
by Patrick Landry
I have a newly installed 389 Directory Server instance and I am trying to make use of the Managed Entries plugin. I have configured two entries with the same originfilter and originscope, each referencing a different template. My intent is that when a source entry is created, two managed entries will be created in separate subtrees. When I configure each of the entries individually, they work fine. Creating a source entry results in the creation of the managed entry in the appropriate location with the appropriate attributes. But when I configure both of the Managed Entries at the same time, only one of the managed entries gets created.
Is this a limitation of the Managed Entries plugin? Is it possible to configure two Managed Entry configurations so that the creation of a single source entry results in the creation of two managed entries?
Any feedback or advice would be appreciated.
--
patrick
ldap dbmon output questions
by ghiureai
Hello List,
I am running some search performance tests, basic ldapsearch with argument "cn", on the local LDAP host with rsearch, and am seeing the readwaiters: value changing. Here is a sample from dbmon:
currentconnections: 41
totalconnections: 6407
currentconnectionsatmaxthreads: 0
maxthreadsperconnhits: 0
dtablesize: 8192
readwaiters: 9
opsinitiated: 41305380
opscompleted: 41305371
entriessent: 48910644
bytessent: 3952907569
currenttime: 20160425192119Z
starttime: 20160425025259Z
nbackends: 2
backendmonitordn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
backendmonitordn: cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
I read the documentation for the dbmon output but still need to understand what can cause this process to wait (the LDAP search is running locally on the host). Is there anything that can be tuned in the LDAP config to have this readwaiters number close to null?
LDAP version:
389-ds-base-1.3.4.4-000.x86_64
389-ds-console-1.2.12-000.noarch
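As an added example (not from the post and not part of 389 DS), this parses cn=monitor-style counters in the shape of the dbmon sample above and derives the figures worth reading alongside readwaiters: operations initiated but not yet completed, the per-connection thread-limit counters, and connection use against dtablesize. The sample text is constructed from the values quoted in the post, and the 0.8 headroom threshold is an assumption.

```python
# Constructed sample in the shape of the dbmon / cn=monitor output quoted above
# (the wrapped backendmonitordn lines are folded back onto one line each).
SAMPLE = """\
currentconnections: 41
totalconnections: 6407
currentconnectionsatmaxthreads: 0
maxthreadsperconnhits: 0
dtablesize: 8192
readwaiters: 9
opsinitiated: 41305380
opscompleted: 41305371
nbackends: 2
backendmonitordn: cn=monitor,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
backendmonitordn: cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
"""


def parse_monitor(text):
    """Parse 'attribute: value' lines; a repeated attribute collects into a list."""
    mon = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if value.isdigit():
            value = int(value)
        if key in mon:
            prev = mon[key]
            mon[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            mon[key] = value
    return mon


def assess(mon, fd_headroom=0.8):
    """Derive what an admin checks when readwaiters is non-zero (threshold assumed)."""
    # Operations accepted but not finished at sampling time; a gap that persists
    # across samples means work is queued behind the worker threads.
    in_flight = mon["opsinitiated"] - mon["opscompleted"]
    fd_use = mon["currentconnections"] / mon["dtablesize"]
    findings = []
    if mon["readwaiters"] > 0:
        findings.append("%d connection(s) have requests waiting for a worker thread"
                        % mon["readwaiters"])
    if mon["currentconnectionsatmaxthreads"] > 0 or mon["maxthreadsperconnhits"] > 0:
        findings.append("a single connection is hitting the per-connection thread limit")
    if fd_use > fd_headroom:
        findings.append("connections use %.0f%% of dtablesize" % (fd_use * 100))
    return {"in_flight": in_flight, "fd_use": fd_use, "findings": findings}
```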
Create Certificate Signing Request File
by xinhuan zheng
Hello,
I need to create a certificate signing request file that can be sent to certificate authority vendors, like GoDaddy, etc. I have two questions:
1) The certutil command line outputs a CSR file which has a different format than the CSR file generated using the 389-console GUI. The main difference is that the certutil command line generates something like:
Certificate request generated by Netscape certutil
Phone: xxx-xxx-xxxx
Common Name: ....
Email: (not specified)
Organization: my organization
State: ...
Country: US
Following the above is the "BEGIN NEW CERTIFICATE" section.
However, with the GUI, only the "BEGIN NEW CERTIFICATE" section is there.
Why do the two methods generate different output files? Will it be OK to just send the certutil command output with the "BEGIN NEW CERTIFICATE" section to the vendor?
2) Do I also need to create a certificate signing request file for each admin server? Will that be the same procedure as for the directory server instance?
Thanks,
- xinhuan
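For question 1, here is an added example (not from the post and not NSS code) that keeps only the PEM block from certutil-style output and checks that its base64 body decodes to a single well-formed DER SEQUENCE before the file goes anywhere; it assumes the CA wants just that block. The sample output is constructed, and its body is a tiny placeholder DER structure rather than a real CSR.

```python
import base64
import re

# Constructed stand-in for certutil's output: informational header lines like the
# ones quoted in the post, then a PEM block whose body is NOT a real CSR but the
# DER encoding of SEQUENCE { INTEGER 0 }, enough to exercise the checks below.
CERTUTIL_OUTPUT = """\
Certificate request generated by Netscape certutil
Phone: xxx-xxx-xxxx
Common Name: ldap.example.test
Organization: my organization
Country: US

-----BEGIN NEW CERTIFICATE REQUEST-----
MAMCAQA=
-----END NEW CERTIFICATE REQUEST-----
"""

LABEL = "NEW CERTIFICATE REQUEST"
PEM_RE = re.compile(r"-----BEGIN %s-----\s*(.*?)\s*-----END %s-----" % (LABEL, LABEL), re.S)


def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length: one byte
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_csr(text):
    """Return (clean PEM block, DER bytes) from certutil-style output, or raise ValueError."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no %s block found" % LABEL)
    body = "".join(m.group(1).split())           # drop line breaks inside the base64
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der_sequence_ok(der):
        raise ValueError("PEM body does not decode to a single DER SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    pem = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (LABEL, "\n".join(lines), LABEL)
    return pem, der
```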
Questions about password expiration
by Todor Petkov
Hello,
before enabling password expiration, I would like to ask some questions:
1) When I enable it, the counter will start and the users will have X days before the password expires, is this correct? It will not block some user that has never changed his password since it was created a year ago.
2) Is there a script that sends an email notification to the user that the password will expire in X days? I googled it, but so far only scripts for Active Directory show up.
3) Can a user be excluded from password expiration?
The server in question is Centos6, with 389 versions:
389-ds-base-1.2.11.15-72.el6_7.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-ds-base-libs-1.2.11.15-72.el6_7.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
Regards,
389 directory server console and httpd.worker process
by xinhuan zheng
I want to understand more about 389 directory server. There is an administrative console, 389-console, which appears to be a complete GUI written in Java. There is another process, httpd.worker. When I launch the 389-console, I need to type in three pieces of information: the administrative cn, the bind password, and the URL that httpd.worker is listening on. How does the GUI console interact with httpd.worker? Who is submitting the requests to the directory server instance, the 389 GUI console or httpd.worker? Why does it need two separate processes to interact with the directory server? Is there a diagram describing such interaction so I can visualize it?
- xinhuan
Create 389 directory server secure connections
by xinhuan zheng
Hello All,
I screwed up my 389 directory server console authentication today because I needed to set up TLS secure connections. I first started reading this document: http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html. The document refers to a nice shell script from github: https://raw.githubusercontent.com/richm/scripts/master/setupssl2.sh. I downloaded the script and read it through. The script allows a couple of environment variables to be set up; one of them is the REMOTE variable. I really plan to have another directory server for replication, so I thought it would be nice to generate its certificate, etc. beforehand. So I set up that environment variable. Then I ran the commands below:
REMOTE=labd2.christianbook.com; export REMOTE
./setupssl2.sh /etc/diresrv/slapd-userauth1
The very first time I got an error because the labd2 remote host doesn't exist yet; the script cannot generate the certificate for it because it cannot connect to it. But I typed in the "Directory Manager" password, so it changed the dse.ldif file. I tried to restart dirsrv-admin and dirsrv; only dirsrv-admin restarted successfully, the userauth1 instance failed to restart. Then I manually copied the dse.ldif.startOK file back to dse.ldif and restarted the userauth1 instance. It restarted successfully. Then I unset REMOTE and re-ran the setupssl2 script. Once it finished, I restarted both dirsrv-admin and dirsrv. They both restarted successfully. However, when I ran the /usr/bin/389-console command, I got the error below:
Cannot logon because of an incorrect User ID, Incorrect password or Directory problem.
HttpException:
HTTP/1.1 401 Authorization Required
Status: 401
URL: https://labd1.christianbook.com:9830/admin-serv/authenticate
I also tried to do ldapsearch but wasn't successful either:
# ldapsearch -d 5 -x -L -b 'dc=christianbook,dc=com'
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It appears that when the admin server TLS change takes effect but the instance TLS change isn't in effect, the admin server cannot reconnect to the directory server instance. I don't know how to fix that. Please help. Note this is 389 directory server 1.2.2 and 389 console 1.1.7. They are recent versions running on CentOS 6.7.
Thanks,
- xinhuan
entryrdn-index warning during import
by ghiureai
Hi Gurus,
I am importing userRoot/DS data (ldif2db -n userRoot) from a master replication DS into a standalone DS and see the following lines when the import job starts, but it continues and all the entries are imported:
(the export was created with: db2ldif -n userRoot)
.....entryrdn-index - _entryrdn_index_read: Suffix "dc=xx,dc=xxxt" not found: DB_NOTFOUND: No matching key/data pair found(-30988)
entryrdn-index - _entryrdn_index_read: Suffix "dc=xxx,dc=xxxx" not found: DB_NOTFOUND: No matching key/data pair found(-30988)
Next I run db2index.pl to rebuild the entryrdn; are these steps sufficient? Why do I see the above lines?
My env:
rpm -qa | grep 389-ds
389-ds-console-1.2.12-000.noarch
389-ds-base-1.3.4.4-000.x86_64
Thank you
Change users password using horde's module passwd
by wodel youchi
Hi,
I am trying to make horde's module passwd let users change their passwords.
In the configuration file of the module there are two options for LDAP:
- ldap: this option uses the user's credentials to modify the password (the user changes his password with his credentials).
- ldapadmin: this option uses the admin, such as the Directory Manager, to modify the user's password.
The first one didn't work for me; I get in the horde log: could not replace userPassword attribute, LDAP server: constraint violation.
The second one worked.
In the error log of 389DS, I didn't find any useful error message.
PS: TLS is enabled.
Any idea?
Regards.
CentOS 6 Upgrade and 389DS
by Paul Whitney
We upgraded our CentOS 6 build yesterday and managed to break our 389DS service. We have isolated the problem to a package: nss-3.21.0-0.3. When we roll back the update to a previous version, the 389ds service works fine. Has anyone else experienced this?
Paul M. Whitney
E-mail: paul.whitney(a)mac.com
Sent from my browser.