389-users February 2023

389-users@lists.fedoraproject.org

7 participants
9 discussions

ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0
by Graham Leggett 11 Dec '23

11 Dec '23

Hi all, We have a long standing 389ds master LDAP server that was found to be unable to contact it’s slaves. Most specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this: [12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”) Key is "system error 0 (no error)”, which leaves us stumped. The error is obviously “success”. Has anyone seen this kind of thing before? This is 389ds running on CentOS7 as follows: 389-ds-base-1.3.9.1-10.el7.x86_64 Regards, Graham —

3 9

Crash with SEGV after compacting
by Niklas Schmatloch 12 Jul '23

12 Jul '23

Hi My organisation is using a replicated 389-dirsrv. Lately, it has been crashing each time after compacting. It is replicable on our instances by lowering the compactdb-interval to trigger the compacting: dsconf -D "cn=Directory Manager" ldap://127.0.0.1 -w 'PASSWORD_HERE' backend config set --compactdb-interval 300 This is the log: [03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot [03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed [03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed [03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog [03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed dirsrv(a)auth-alpha.service: Main process exited, code=killed, status=11/SEGV dirsrv(a)auth-alpha.service: Failed with result 'signal'. dirsrv(a)auth-alpha.service: Consumed 2d 6h 22min 1.122s CPU time. The first steps are done very quickly, but the step before the 458 pages of the retro-changelog are freed, takes several minutes. In this time the dirsrv writes more than 10 G and reads more than 7 G (according to iotop). After this line is printed the dirsrv crashes within seconds. What I also noticed is, that even though it said it freed a lot of pages the retro-changelog does not seem to change in size. The file `/var/lib/dirsrv/slapd-auth-alpha/db/changelog/id2entry.db` is 7.2 G before and after the compacting. Debian 11.4 389-ds-base/stable,now 1.4.4.11-2 amd64 Does someone have an idea how to debug / fix this? Thanks

4 15

Plugin development licensing
by DUVERT Vincent 09 May '23

09 May '23

Hello, I have a question regarding the licensing of developed 389-ds plugins. The FAQ (https://directory.fedoraproject.org/docs/389ds/FAQ/licensing.html#directory…) indicates that the Directory Server core code is licensed under a GPL + Exception license that allows non-GPL 389-ds plugins to link to 389-ds and to use specific header files. However, the LICENSE file in the current 389-ds-base source does not contain this exception. It was apparently removed by the following commit, when the license was changed to GPLv3+: https://pagure.io/389-ds-base/c/88cae401aee39a19ac6b07c3c36ee8daa07192e7 Does that means that the license exception does not apply to the current version of 389-ds? Regards, Vincent Duvert

2 2

389-ds and DNS aliases
by Alberto Crescente 13 Feb '23

13 Feb '23

Hi, I have 3 ldapservers in a multi-master setup for replication with TLS. TLS is also used in the connection between servers and sssd clients. The hostnames of the nodes are server1, server2 and server3, so when I configured the replication agreement I used these names: Ex: dsconf LDAP -D "cn=Directory Manager" repl-agmt create --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 --conn-protocol=LDAPS --bind-dn="cn=replication manager,cn=config" --bind-passwd="secret" --bind-method=SIMPLE --init agreement-server1-to-server2 I'd like to use dns aliases instead of server hostnames in the sssd.conf file on the clients, so that I can replace a server with a new one by simply changing the alias, without changing the configuration on the clients. So I defined aliases auth1, auth2 and auth3 in DNS and used them in sssd.conf on clients. With this configuration I have a problem with TLS certificates. If in the certificate I set the CN equal to the hostname, the sssd clients give the following error: "TLS: hostname does not match CN", while if I set the CN equal to the alias name I get a mismatch error in the replica. Is there a solution to the problem? Thanks, Alberto Crescente.

2 1

Re: 389-DS Cockpit
by Mark Reynolds 10 Feb '23

10 Feb '23

Yes, you install cockpit bridge on your other systems then you can link them in the Cockpit console. After installing cockpit bridge on all the hosts, then goto the "man" Cockpit console, top left, open the menu and you can "add hosts". HTH, Mark On 2/3/23 10:29 AM, Paul Whitney wrote: > Is it possible to manage more than one 389-ds HOST through the Cockpit > if I import the host descriptions into the slapd-config instance? > > In older version with the Java Console, there was a way to merger all > of the LDAPS instances into a single view, and could manage them from > a single console. > > Kudos by the way on making the new Cockpit FIPS friendly! > > If I cannot manage the LDAP hosts through a single cockpit, do I > really need to create a slapd-config instance anymore? > > Paul M. Whitney, CISSP > Chesapeake IT Consulting, Inc. > 890 Hudson Road > Cambridge, MD 21613 > > Cell: 410.493.9448 > Email: paul.whitney(a)chesapeake-it.com > <mailto:paul.whitney@chesapeake-it.com> > *CONFIDENTIALITY NOTICE* > The information contained in this facsimile or electronic message is > confidential information intended for the use of the individual or > entity named above. If the reader of this message is not the intended > recipient, or an employee or agent responsible for delivering this > facsimile message to the intended recipient, you are hereby notified > that any dissemination, or copying of this communication is strictly > prohibited. If this message contains non-public personal information > about any consumer or customer of the sender or intended recipient, > you are further prohibited under penalty of law from using or > disclosing the information to any third party by provisions of the > federal Gramm-Leach-Bliley Act. If you have received this facsimile or > electronic message in error, please immediately notify us by telephone > and return or destroy the original message to assure that it is not > read, copied, or distributed by others. > > > _______________________________________________ > 389-users mailing list --389-users(a)lists.fedoraproject.org > To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fedo… > Do not reply to spam, report it:https://pagure.io/fedora-infrastructure/new_issue -- Directory Server Development Team

3 3

Re: Importing Indexes via LDIF
by Pierre Rogier 03 Feb '23

03 Feb '23

Editing directly the dse.ldif is a solution as far as the instance is stopped but fyi: your ldapmodify command was missing the -a option (or you should have directly used the ldapadd command) Without -a option, ldapmodify expect data like: dn: cn=... changetype: ... then the modifier But since your file contains plain entries without changetype you must explicitly tell ldapmodify to add them ! On Fri, Feb 3, 2023 at 4:23 PM Paul Whitney <paul.whitney(a)chesapeake-it.com> wrote: > Hi Pierre, > > Thank you so much for the quick response. I tried: > > ldapmodify -f my_groupRoot_of_indexes.ldif -D 'cn=Directory Manager' -w password -x -H ldap://127.0.0.1:3389 > > But that did not seem to populate the dse.ldif file as I expected. > However, the format of the entries in the index file was the same so I > stopped the service and just appended the file to the dse.ldif (cat > my_groupRoot_of_indexes >> dse.ldif). Service started right back up. > > Now to kick of a reindex. > > Paul M. Whitney, CISSP > Chesapeake IT Consulting, Inc. > 890 Hudson Road > Cambridge, MD 21613 > > Work: 443-492-2872 > Cell: 410.493.9448 > Email: paul.whitney(a)chesapeake-it.com > *CONFIDENTIALITY NOTICE* > The information contained in this facsimile or electronic message is > confidential information intended for the use of the individual or entity > named above. If the reader of this message is not the intended recipient, > or an employee or agent responsible for delivering this facsimile message > to the intended recipient, you are hereby notified that any dissemination, > or copying of this communication is strictly prohibited. If this message > contains non-public personal information about any consumer or customer of > the sender or intended recipient, you are further prohibited under penalty > of law from using or disclosing the information to any third party by > provisions of the federal Gramm-Leach-Bliley Act. If you have received this > facsimile or electronic message in error, please immediately notify us by > telephone and return or destroy the original message to assure that it is > not read, copied, or distributed by others. > > ------------------------------ > *From:* Pierre Rogier <progier(a)redhat.com> > *Sent:* Friday, February 3, 2023 9:44 AM > *To:* General discussion list for the 389 Directory server project. < > 389-users(a)lists.fedoraproject.org> > *Subject:* [389-users] Re: Importing Indexes via LDIF > > Hi Paul, > Not using dsconf. > But you could easily do it with ldapsearch and ldapadd > > Regards > Pierre > > On Fri, Feb 3, 2023 at 3:34 PM Paul Whitney < > paul.whitney(a)chesapeake-it.com> wrote: > > Greetings, been a while. > > I am looking to migrate to RHEL 9 and 389-DS. In lab stood up a > "supplier" and a "consumer". I have index files for userRoot and > groupRoot. However, indexes appeared to be stored in dse.ldif. Is there a > way using the dsconf command to import an ldif of indexes? > > Thanks, > > Paul M. Whitney, CISSP > Chesapeake IT Consulting, Inc. > 890 Hudson Road > Cambridge, MD 21613 > > Cell: 410.493.9448 > Email: paul.whitney(a)chesapeake-it.com > *CONFIDENTIALITY NOTICE* > The information contained in this facsimile or electronic message is > confidential information intended for the use of the individual or entity > named above. If the reader of this message is not the intended recipient, > or an employee or agent responsible for delivering this facsimile message > to the intended recipient, you are hereby notified that any dissemination, > or copying of this communication is strictly prohibited. If this message > contains non-public personal information about any consumer or customer of > the sender or intended recipient, you are further prohibited under penalty > of law from using or disclosing the information to any third party by > provisions of the federal Gramm-Leach-Bliley Act. If you have received this > facsimile or electronic message in error, please immediately notify us by > telephone and return or destroy the original message to assure that it is > not read, copied, or distributed by others. > > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > > > > -- > -- > > 389 Directory Server Development Team > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- -- 389 Directory Server Development Team

1 0

389-DS Cockpit
by Paul Whitney 03 Feb '23

03 Feb '23

Is it possible to manage more than one 389-ds HOST through the Cockpit if I import the host descriptions into the slapd-config instance? In older version with the Java Console, there was a way to merger all of the LDAPS instances into a single view, and could manage them from a single console. Kudos by the way on making the new Cockpit FIPS friendly! If I cannot manage the LDAP hosts through a single cockpit, do I really need to create a slapd-config instance anymore? Paul M. Whitney, CISSP Chesapeake IT Consulting, Inc. 890 Hudson Road Cambridge, MD 21613 Cell: 410.493.9448 Email: paul.whitney(a)chesapeake-it.com<mailto:paul.whitney@chesapeake-it.com> CONFIDENTIALITY NOTICE The information contained in this facsimile or electronic message is confidential information intended for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this facsimile message to the intended recipient, you are hereby notified that any dissemination, or copying of this communication is strictly prohibited. If this message contains non-public personal information about any consumer or customer of the sender or intended recipient, you are further prohibited under penalty of law from using or disclosing the information to any third party by provisions of the federal Gramm-Leach-Bliley Act. If you have received this facsimile or electronic message in error, please immediately notify us by telephone and return or destroy the original message to assure that it is not read, copied, or distributed by others.

1 0

Re: Importing Indexes via LDIF
by Pierre Rogier 03 Feb '23

03 Feb '23

Hi Paul, Not using dsconf. But you could easily do it with ldapsearch and ldapadd Regards Pierre On Fri, Feb 3, 2023 at 3:34 PM Paul Whitney <paul.whitney(a)chesapeake-it.com> wrote: > Greetings, been a while. > > I am looking to migrate to RHEL 9 and 389-DS. In lab stood up a > "supplier" and a "consumer". I have index files for userRoot and > groupRoot. However, indexes appeared to be stored in dse.ldif. Is there a > way using the dsconf command to import an ldif of indexes? > > Thanks, > > Paul M. Whitney, CISSP > Chesapeake IT Consulting, Inc. > 890 Hudson Road > Cambridge, MD 21613 > > Cell: 410.493.9448 > Email: paul.whitney(a)chesapeake-it.com > *CONFIDENTIALITY NOTICE* > The information contained in this facsimile or electronic message is > confidential information intended for the use of the individual or entity > named above. If the reader of this message is not the intended recipient, > or an employee or agent responsible for delivering this facsimile message > to the intended recipient, you are hereby notified that any dissemination, > or copying of this communication is strictly prohibited. If this message > contains non-public personal information about any consumer or customer of > the sender or intended recipient, you are further prohibited under penalty > of law from using or disclosing the information to any third party by > provisions of the federal Gramm-Leach-Bliley Act. If you have received this > facsimile or electronic message in error, please immediately notify us by > telephone and return or destroy the original message to assure that it is > not read, copied, or distributed by others. > > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject… > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > -- -- 389 Directory Server Development Team

2 1

Importing Indexes via LDIF
by Paul Whitney 03 Feb '23

03 Feb '23

Greetings, been a while. I am looking to migrate to RHEL 9 and 389-DS. In lab stood up a "supplier" and a "consumer". I have index files for userRoot and groupRoot. However, indexes appeared to be stored in dse.ldif. Is there a way using the dsconf command to import an ldif of indexes? Thanks, Paul M. Whitney, CISSP Chesapeake IT Consulting, Inc. 890 Hudson Road Cambridge, MD 21613 Cell: 410.493.9448 Email: paul.whitney(a)chesapeake-it.com<mailto:paul.whitney@chesapeake-it.com> CONFIDENTIALITY NOTICE The information contained in this facsimile or electronic message is confidential information intended for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this facsimile message to the intended recipient, you are hereby notified that any dissemination, or copying of this communication is strictly prohibited. If this message contains non-public personal information about any consumer or customer of the sender or intended recipient, you are further prohibited under penalty of law from using or disclosing the information to any third party by provisions of the federal Gramm-Leach-Bliley Act. If you have received this facsimile or electronic message in error, please immediately notify us by telephone and return or destroy the original message to assure that it is not read, copied, or distributed by others.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users February 2023