389-ds opensuse container questions
by tdarby@email.arizona.edu
Hi,
My team is preparing to move to containerized 389-ds instances after years of running on two AWS EC2 instances in multi-master replication behind an AWS classic load balancer. All data is on separate EBS volumes. The 389-ds version is 1.3.9.0. I'm mainly curious about the right way to use the container, so questions:
1. Is the container considered production-ready?
2. I see that the container will create a new instance if it doesn't find one. How does it determine that an instance exists?
3. What setup config options are available to the container? I see mention of container.inf, but it's not clear what all I can put in that. For the install of our current directory, we need to make dse.ldif changes, ACI changes, schema changes and other things. I realize I can do all this after the container creates the bare instance, but I'm wondering how much the container install could do for me.
4. How big of a deal is it going to be moving from 1.3.9.0 to the latest version?
Additionally, we were wondering if it's possible to have an AWS load balancer handle the TLS exchanges instead of the LDAP instances. In other words, install the certificate on the load balancer and have it talk unencrypted to the LDAP instances over port 389.
Thanks,
Tim
7 months, 1 week
Problem with 389-console in 389-server 1.3.10
by rainer@ultra-secure.de
Hi,
some things like replication are easier to check in the console, so I
wanted to start it (using vnc, connecting to localhost).
However, I get this in the logs:
[Mon May 30 14:18:13.142469 2022] [:crit] [pid 19008:tid
140048162359424] sslinit: NSS is required to use LDAPS, but security
initialization failed [-8015:The certificate/key database is in
an old, unsupported format or failed to open.].
[Mon May 30 14:18:15.138593 2022] [:crit] [pid 19011:tid
140048162359424] sslinit: NSS is required to use LDAPS, but security
initialization failed [-8015:The certificate/key database is in
an old, unsupported format or failed to open.].
[Mon May 30 14:18:17.141229 2022] [:crit] [pid 19016:tid
140048162359424] sslinit: NSS is required to use LDAPS, but security
initialization failed [-8015:The certificate/key database is in
an old, unsupported format or failed to open.].
Versions:
389-admin-1.1.46-4.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-admin-console-doc-1.1.12-1.el7.noarch
389-adminutil-1.1.22-2.el7.x86_64
389-console-1.1.19-6.el7.noarch
389-ds-base-1.3.10.2-15.el7_9.x86_64
389-ds-base-libs-1.3.10.2-15.el7_9.x86_64
389-ds-base-snmp-1.3.10.2-15.el7_9.x86_64
389-ds-console-1.2.16-1.el7.noarch
389-ds-console-doc-1.2.16-1.el7.noarch
This seems to be some sort of generic error, so I'm not sure how to
proceed.
Any ideas?
Best Regards
Rainer
8 months
Log rotation options with 1.4.4
by John Thurston
I have an instance of 389-Directory running 1.4.4 on CentOS, for which
we keep an audit log. We've established size-based log rotation.
To reduce the likelihood of the audit log being accidentally altered,
I'd like to mark it as 'append only', using 'chattr':
chattr +a audit.log
This works great, until rotation time. Since "rename" is not "append",
any effort to mv the file out of the way fails. Is there a
pre/post-rotation mechanism through which I could:
- disable the append-only restriction
- let the log rotation happen
- re-enable append-only on the new log file
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston(a)alaska.gov
Department of Administration
State of Alaska
8 months, 1 week
389 scalability
by Morgan Jones
Hello Everyone,
We are merging our student directory (about 200,000 entries) into our existing employee directory (about 25,000 entries).
They're a pair of multi-master replicas on virtual hardware that can easily be expanded if needed though hardware performance hasn't been an issue.
Does this justify creating a separate database for students? Aside from basic tuning, are there any big pitfalls we should look out for?
We're still on CentOS 7 for the time being:
[root@prdds21 morgan]# rpm -qa|grep 389
389-admin-1.1.46-4.el7.x86_64
389-console-1.1.19-6.el7.noarch
389-dsgw-1.1.11-5.el7.x86_64
389-admin-console-1.1.12-1.el7.noarch
389-ds-1.2.2-6.el7.noarch
389-ds-base-libs-1.3.10.2-13.el7_9.x86_64
389-ds-base-1.3.10.2-13.el7_9.x86_64
389-adminutil-1.1.22-2.el7.x86_64
389-admin-console-doc-1.1.12-1.el7.noarch
389-ds-console-doc-1.2.16-1.el7.noarch
389-ds-console-1.2.16-1.el7.noarch
[root@prdds21 morgan]#
thank you,
-morgan
8 months, 2 weeks
389ds External LDAP Authentication
by parimala nitesh
Hi 389DS team,
I'm new to 389ds. I've a question. I've a Server1 with 389ds installed. I've an external LDAP (this can be 389ds or OpenLDAP) on a different server2. Is there a way to integrate 389ds LDAP to external LDAP (basically all the users of external LDAP should also be authenticated via 389ds LDAP on server1 also)? How can I achieve it? Can you share any documentation relating to this? Can someone help me in this?
Thanks in advance
Regards
Nitesh
8 months, 2 weeks
Migrating passwd, group, & shadow to 389-ds
by Felipe Gasper
Hello,
I’m planning a migration of Linux account data from /etc/ files to 389-ds (or OpenLDAP/slapd, but for now I’m leaning toward 389-ds).
I have a few questions that I hoped folks here might help with?
- What kinds of automation tools do folks use for creating/updating/removing dirsrv entries? I’m assuming there is something that abstracts over all of the actual schema details?
- What tools have folks used for migration of existing account data? I see a package of Perl scripts that some distros provide; is that about it?
- When creating a new posixAccount & posixGroup, how are UIDs and GIDs to be chosen? If I have 10,000 users, do I have to grab all 10,000 posixAccount and posixGroup entries to determine which is the next unused UID & GID, or is there some cleaner solution?
- Are there tools to facilitate race safety if, e.g., two concurrent queries try to create an account at the same time?
- I see that OpenLDAP/slapd can embed a Perl interpreter or exec arbitrary commands to fulfill queries. Can 389-ds do something similar to implement dynamic query results?
Thank you in advance!
cheers,
-Felipe Gasper
8 months, 3 weeks
Absolute True and False Filters
by Mike Mercier
Hello,
I am attempting to use the Microsoft ECMA Connector (Azure AD Connect) to
synchronize user information from Azure AD to 389DS. Microsoft does claim
389DS is supported, see:
https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/...
While configuring the ECMA connector wizard, the 'Global' page displays the
following message:
Mandatory Features Not Found:
[1.3.1.4.1.4203.1.5.3] True/False Filters
I believe the below command displays what is supported?
[root@localhost ~]# ldapsearch -H ldap://localhost -x -s base -b "" +
I do not see the specific OID from above listed in the output. Is the
feature supported by 389DS? Is there a plugin available that will add
support?
Anyone have any experience trying to sync information between 389DS and
Azure AD?
Thanks,
Mike
8 months, 3 weeks
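Added example, not part of the original post or of the 389-ds project: a small Python parser for the root DSE that `ldapsearch -x -s base -b "" +` prints, which unfolds LDIF continuation lines and reports whether a given OID appears in supportedFeatures, supportedControl or supportedExtension. The root DSE text below is constructed for the example rather than captured from a real server; RFC 4526 registers the absolute true/false filter feature as 1.3.6.1.4.1.4203.1.5.3, so that is the OID the check looks for.

```python
"""Check whether a root DSE advertises a given LDAP feature, control or extension OID."""
import base64

# Constructed sample of root DSE output (LDIF), not captured from any real server.
# Long LDIF values are folded onto continuation lines that begin with one space.
SAMPLE_ROOT_DSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.9
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1
 .4203.1.5.1
supportedLDAPVersion: 3
vendorName: 389 Project
"""

# Feature OID assigned by RFC 4526 (Absolute True and False Filters).
ABSOLUTE_FILTERS_OID = "1.3.6.1.4.1.4203.1.5.3"

# Root DSE attributes that carry capability OIDs (compared case-insensitively).
CAPABILITY_ATTRS = ("supportedfeatures", "supportedcontrol", "supportedextension")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Continuation lines (leading space) are joined to the previous logical line,
    comment lines are skipped, and '::' base64 values are decoded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)

    entry = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def advertised_oids(root_dse_ldif):
    """Return the set of OIDs the server advertises across the capability attributes."""
    entry = parse_ldif_entry(root_dse_ldif)
    oids = set()
    for attr in CAPABILITY_ATTRS:
        oids.update(entry.get(attr, []))
    return oids


def supports_oid(root_dse_ldif, oid):
    """True if the root DSE advertises the OID as a feature, control or extension."""
    return oid in advertised_oids(root_dse_ldif)


def missing_oids(root_dse_ldif, required):
    """Sorted list of required OIDs the server does not advertise."""
    have = advertised_oids(root_dse_ldif)
    return sorted(oid for oid in required if oid not in have)


if __name__ == "__main__":
    # Feed the real output of: ldapsearch -H ldap://localhost -x -s base -b "" +
    print("absolute filters:", supports_oid(SAMPLE_ROOT_DSE, ABSOLUTE_FILTERS_OID))
    print("missing:", missing_oids(SAMPLE_ROOT_DSE, [ABSOLUTE_FILTERS_OID, "1.3.6.1.1.14"]))
```

Pipe the real ldapsearch output into `parse_ldif_entry` to see exactly which OIDs the server advertises; a feature the connector wizard reports as missing is one absent from this set, so the check tells you whether the gap is on the server or in the wizard's expectations.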
Build issues on Ubuntu
by Felipe Gasper
Hello,
I’m trying to build the latest 389 release on Ubuntu 20.04 using OS packages.
I think I’ve found a couple issues:
1) (trivial) The configure script doesn’t check for liblmdb’s existence.
2) (fatal) The build fails, thus:
-----
make[1]: Entering directory '/home/ubuntu/code/389-ds-base-389-ds-base-2.1.1'
/bin/bash ./libtool --tag=CC --mode=link gcc -g -O2 -lcrack -o dbscan ldap/servers/slapd/tools/dbscan-dbscan.o -lplds4 -lplc4 -lnspr4 libback-ldbm.la
libtool: link: gcc -g -O2 -o .libs/dbscan ldap/servers/slapd/tools/dbscan-dbscan.o -lcrack -lplds4 -lplc4 -lnspr4 ./.libs/libback-ldbm.so -Wl,-rpath -Wl,/opt/dirsrv/lib/dirsrv/plugins
/usr/bin/ld: ldap/servers/slapd/tools/dbscan-dbscan.o: undefined reference to symbol 'slapi_ch_realloc'
/usr/bin/ld: /home/ubuntu/code/389-ds-base-389-ds-base-2.1.1/.libs/libslapd.so.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
-----
slapi_ch_realloc() comes from 389 itself, so I would _think_ this to be an internal error, rather than a problem caused by system libraries?
Thank you in advance!
cheers,
-Felipe Gasper
8 months, 3 weeks