Crash with SEGV after compacting
by Niklas Schmatloch
Hi
My organisation is using a replicated 389-dirsrv. Lately, it has been crashing
each time after compacting.
It is replicable on our instances by lowering the compactdb-interval to
trigger the compacting:
dsconf -D "cn=Directory Manager" ldap://127.0.0.1 -w 'PASSWORD_HERE' backend config set --compactdb-interval 300
This is the log:
[03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot
[03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed
[03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed
[03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog
[03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed
dirsrv@auth-alpha.service: Main process exited, code=killed, status=11/SEGV
dirsrv@auth-alpha.service: Failed with result 'signal'.
dirsrv@auth-alpha.service: Consumed 2d 6h 22min 1.122s CPU time.
The first steps are done very quickly, but the step before the 458 pages of the
retro-changelog are freed takes several minutes. In this time the dirsrv writes
more than 10 G and reads more than 7 G (according to iotop).
After this line is printed, the dirsrv crashes within seconds.
What I also noticed is that, even though it said it freed a lot of pages, the
retro-changelog does not seem to change in size.
The file `/var/lib/dirsrv/slapd-auth-alpha/db/changelog/id2entry.db` is 7.2 G
before and after the compacting.
Debian 11.4
389-ds-base/stable,now 1.4.4.11-2 amd64
Does someone have an idea how to debug / fix this?
Thanks
1 month, 1 week
389-ds and DNS aliases
by Alberto Crescente
Hi, I have 3 ldapservers in a multi-master setup for replication with
TLS. TLS is also used in the connection between servers and sssd clients.
The hostnames of the nodes are server1, server2 and server3, so when I
configured the replication agreement I used these names:
Ex:
dsconf LDAP -D "cn=Directory Manager" repl-agmt create \
  --suffix="dc=example,dc=com" --host="server2.example.com" --port=636 \
  --conn-protocol=LDAPS --bind-dn="cn=replication manager,cn=config" \
  --bind-passwd="secret" --bind-method=SIMPLE --init \
  agreement-server1-to-server2
I'd like to use DNS aliases instead of server hostnames in the sssd.conf
file on the clients, so that I can replace a server with a new one by
simply changing the alias, without changing the configuration on the
clients.
So I defined aliases auth1, auth2 and auth3 in DNS and used them in
sssd.conf on clients.
With this configuration I have a problem with TLS certificates. If in
the certificate I set the CN equal to the hostname, the sssd clients
give the following error: "TLS: hostname does not match CN", while if I
set the CN equal to the alias name I get a mismatch error in the replica.
Is there a solution to the problem?
Thanks,
Alberto Crescente.
3 months, 2 weeks
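The name check behind the two mismatch errors described above, as an added example that is not part of the original post. It assumes the TLS client follows RFC 6125-style matching, where subjectAltName dNSName entries are accepted; the certificates are constructed, the helper names are hypothetical, and `auth2.example.com` is an assumed FQDN for the alias.

```python
# Constructed certificates, in the dict layout that ssl.SSLSocket.getpeercert()
# returns. auth2.example.com is an assumed FQDN for the alias.

def name_matches(pattern, host):
    """Compare one certificate name with the name the client connected to."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def cert_names(cert):
    """Return (dNSName SAN values, subject commonName values)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns

def hostname_ok(cert, host):
    """RFC 6125 rule: dNSName SANs decide when present, CN is only a fallback."""
    sans, cns = cert_names(cert)
    return any(name_matches(n, host) for n in (sans or cns))

def subject(cn):
    """Build a getpeercert()-style subject holding a single commonName."""
    return ((("commonName", cn),),)

HOSTNAME = "server2.example.com"   # name used in the replication agreement
ALIAS = "auth2.example.com"        # name an sssd client would use (assumed)

CN_IS_HOSTNAME = {"subject": subject(HOSTNAME)}
CN_IS_ALIAS = {"subject": subject(ALIAS)}
SAN_LISTS_BOTH = {
    "subject": subject(HOSTNAME),
    "subjectAltName": (("DNS", HOSTNAME), ("DNS", ALIAS)),
}

def check(cert):
    """Result of the name check for the replica and for an sssd client."""
    return {"replica": hostname_ok(cert, HOSTNAME), "sssd": hostname_ok(cert, ALIAS)}

if __name__ == "__main__":
    for label, cert in [("CN=hostname", CN_IS_HOSTNAME), ("CN=alias", CN_IS_ALIAS),
                        ("SAN with both", SAN_LISTS_BOTH)]:
        print(label, check(cert))
```

With a single name in the CN, one of the two peers always fails the check; the certificate whose subjectAltName lists both names passes for both.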
Re: 389-DS Cockpit
by Mark Reynolds
Yes, you install cockpit bridge on your other systems then you can link
them in the Cockpit console. After installing cockpit bridge on all the
hosts, then go to the "main" Cockpit console, top left, open the menu and
you can "add hosts".
HTH,
Mark
On 2/3/23 10:29 AM, Paul Whitney wrote:
> Is it possible to manage more than one 389-ds HOST through the Cockpit
> if I import the host descriptions into the slapd-config instance?
>
> In older version with the Java Console, there was a way to merge all
> of the LDAPS instances into a single view, and could manage them from
> a single console.
>
> Kudos by the way on making the new Cockpit FIPS friendly!
>
> If I cannot manage the LDAP hosts through a single cockpit, do I
> really need to create a slapd-config instance anymore?
>
> Paul M. Whitney, CISSP
> Chesapeake IT Consulting, Inc.
> 890 Hudson Road
> Cambridge, MD 21613
>
> Cell: 410.493.9448
> Email: paul.whitney(a)chesapeake-it.com
> *CONFIDENTIALITY NOTICE*
> The information contained in this facsimile or electronic message is
> confidential information intended for the use of the individual or
> entity named above. If the reader of this message is not the intended
> recipient, or an employee or agent responsible for delivering this
> facsimile message to the intended recipient, you are hereby notified
> that any dissemination, or copying of this communication is strictly
> prohibited. If this message contains non-public personal information
> about any consumer or customer of the sender or intended recipient,
> you are further prohibited under penalty of law from using or
> disclosing the information to any third party by provisions of the
> federal Gramm-Leach-Bliley Act. If you have received this facsimile or
> electronic message in error, please immediately notify us by telephone
> and return or destroy the original message to assure that it is not
> read, copied, or distributed by others.
>
>
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fe...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Directory Server Development Team
3 months, 2 weeks
Re: Importing Indexes via LDIF
by Pierre Rogier
Editing the dse.ldif directly is a solution as long as the instance is
stopped, but FYI:
your ldapmodify command was missing the -a option
(or you should have directly used the ldapadd command).
Without the -a option, ldapmodify expects data like:
dn: cn=...
changetype: ...
then the modifier
But since your file contains plain entries without changetype,
you must explicitly tell ldapmodify to add them!
On Fri, Feb 3, 2023 at 4:23 PM Paul Whitney <paul.whitney(a)chesapeake-it.com>
wrote:
> Hi Pierre,
>
> Thank you so much for the quick response. I tried:
>
> ldapmodify -f my_groupRoot_of_indexes.ldif -D 'cn=Directory Manager' -w password -x -H ldap://127.0.0.1:3389
>
> But that did not seem to populate the dse.ldif file as I expected.
> However, the format of the entries in the index file was the same so I
> stopped the service and just appended the file to the dse.ldif (cat
> my_groupRoot_of_indexes >> dse.ldif). Service started right back up.
>
> Now to kick off a reindex.
>
> Paul M. Whitney, CISSP
> Chesapeake IT Consulting, Inc.
> 890 Hudson Road
> Cambridge, MD 21613
>
> Work: 443-492-2872
> Cell: 410.493.9448
> Email: paul.whitney(a)chesapeake-it.com
>
> ------------------------------
> *From:* Pierre Rogier <progier(a)redhat.com>
> *Sent:* Friday, February 3, 2023 9:44 AM
> *To:* General discussion list for the 389 Directory server project. <
> 389-users(a)lists.fedoraproject.org>
> *Subject:* [389-users] Re: Importing Indexes via LDIF
>
> Hi Paul,
> Not using dsconf.
> But you could easily do it with ldapsearch and ldapadd
>
> Regards
> Pierre
>
> On Fri, Feb 3, 2023 at 3:34 PM Paul Whitney <
> paul.whitney(a)chesapeake-it.com> wrote:
>
> Greetings, been a while.
>
> I am looking to migrate to RHEL 9 and 389-DS. In lab stood up a
> "supplier" and a "consumer". I have index files for userRoot and
> groupRoot. However, indexes appeared to be stored in dse.ldif. Is there a
> way using the dsconf command to import an ldif of indexes?
>
> Thanks,
>
> Paul M. Whitney, CISSP
> Chesapeake IT Consulting, Inc.
> 890 Hudson Road
> Cambridge, MD 21613
>
> Cell: 410.493.9448
> Email: paul.whitney(a)chesapeake-it.com
>
> --
> --
>
> 389 Directory Server Development Team
>
--
--
389 Directory Server Development Team
3 months, 3 weeks
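The distinction Pierre's reply draws between plain entries and change records, as an added example that is not part of the original thread. The helper names are hypothetical and the index entries are constructed sample data; the check is lenient in that it accepts a `changetype:` line anywhere after the `dn:` line.

```python
def records(ldif_text):
    """Split LDIF into records, unfolding continuation lines and dropping comments."""
    recs, cur, in_comment = [], [], False
    for raw in ldif_text.splitlines():
        if raw.startswith(" "):                 # continuation of the previous line
            if cur and not in_comment:
                cur[-1] += raw[1:]
            continue
        in_comment = raw.startswith("#")
        if in_comment or (not cur and raw.lower().startswith("version:")):
            continue
        if raw.strip():
            cur.append(raw)
        elif cur:                               # a blank line ends the record
            recs.append(cur)
            cur = []
    return recs + ([cur] if cur else [])

def kind(record):
    """'change' if a changetype line follows the dn, otherwise 'content'."""
    has_changetype = any(l.lower().startswith("changetype:") for l in record[1:])
    return "change" if has_changetype else "content"

def needs_add_flag(ldif_text):
    """True if any record is a plain entry, which ldapmodify adds only with -a."""
    return any(kind(r) == "content" for r in records(ldif_text))

def as_add_changes(ldif_text):
    """Rewrite plain entries as explicit 'changetype: add' change records."""
    out = []
    for r in records(ldif_text):
        body = r[1:] if kind(r) == "change" else ["changetype: add"] + r[1:]
        out.append("\n".join([r[0]] + body))
    return "\n\n".join(out) + "\n"

INDEX_LDIF = """\
# constructed sample in the shape of index entries for groupRoot
dn: cn=member,cn=index,cn=groupRoot,cn=ldbm database,cn=plugins,
 cn=config
objectClass: nsIndex
cn: member
nsSystemIndex: false
nsIndexType: eq

dn: cn=uid,cn=index,cn=groupRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsIndex
cn: uid
nsSystemIndex: false
nsIndexType: eq
"""
```

A file for which `needs_add_flag` returns true has to be loaded with `ldapadd` or `ldapmodify -a`; the output of `as_add_changes` is accepted by `ldapmodify` without `-a`.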
389-DS Cockpit
by Paul Whitney
Is it possible to manage more than one 389-ds HOST through the Cockpit if I import the host descriptions into the slapd-config instance?
In older version with the Java Console, there was a way to merge all of the LDAPS instances into a single view, and could manage them from a single console.
Kudos by the way on making the new Cockpit FIPS friendly!
If I cannot manage the LDAP hosts through a single cockpit, do I really need to create a slapd-config instance anymore?
Paul M. Whitney, CISSP
Chesapeake IT Consulting, Inc.
890 Hudson Road
Cambridge, MD 21613
Cell: 410.493.9448
Email: paul.whitney(a)chesapeake-it.com
3 months, 3 weeks
Re: Importing Indexes via LDIF
by Pierre Rogier
Hi Paul,
Not using dsconf.
But you could easily do it with ldapsearch and ldapadd
Regards
Pierre
On Fri, Feb 3, 2023 at 3:34 PM Paul Whitney <paul.whitney(a)chesapeake-it.com>
wrote:
> Greetings, been a while.
>
> I am looking to migrate to RHEL 9 and 389-DS. In lab stood up a
> "supplier" and a "consumer". I have index files for userRoot and
> groupRoot. However, indexes appeared to be stored in dse.ldif. Is there a
> way using the dsconf command to import an ldif of indexes?
>
> Thanks,
>
> Paul M. Whitney, CISSP
> Chesapeake IT Consulting, Inc.
> 890 Hudson Road
> Cambridge, MD 21613
>
> Cell: 410.493.9448
> Email: paul.whitney(a)chesapeake-it.com
>
--
--
389 Directory Server Development Team
3 months, 3 weeks
Importing Indexes via LDIF
by Paul Whitney
Greetings, been a while.
I am looking to migrate to RHEL 9 and 389-DS. In lab stood up a "supplier" and a "consumer". I have index files for userRoot and groupRoot. However, indexes appeared to be stored in dse.ldif. Is there a way using the dsconf command to import an ldif of indexes?
Thanks,
Paul M. Whitney, CISSP
Chesapeake IT Consulting, Inc.
890 Hudson Road
Cambridge, MD 21613
Cell: 410.493.9448
Email: paul.whitney(a)chesapeake-it.com
3 months, 3 weeks