389-users April 2023

389-users@lists.fedoraproject.org

15 participants
14 discussions

ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0
by Graham Leggett 11 Dec '23

11 Dec '23

Hi all, We have a long standing 389ds master LDAP server that was found to be unable to contact it’s slaves. Most specifically, the slaves show nothing in their logs about any kind of connection, while the master is logging this: [12/Nov/2019:21:39:47.212715697 +0000] - ERR - slapi_ldap_bind - Could not send bind request for id [(anon)] authentication mechanism [EXTERNAL]: error -1 (Can't contact LDAP server), system error 0 (no error), network error 0 (Unknown error, host “ldap01:636”) Key is "system error 0 (no error)”, which leaves us stumped. The error is obviously “success”. Has anyone seen this kind of thing before? This is 389ds running on CentOS7 as follows: 389-ds-base-1.3.9.1-10.el7.x86_64 Regards, Graham —

3 9

Crash with SEGV after compacting
by Niklas Schmatloch 12 Jul '23

12 Jul '23

Hi My organisation is using a replicated 389-dirsrv. Lately, it has been crashing each time after compacting. It is replicable on our instances by lowering the compactdb-interval to trigger the compacting: dsconf -D "cn=Directory Manager" ldap://127.0.0.1 -w 'PASSWORD_HERE' backend config set --compactdb-interval 300 This is the log: [03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot [03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed [03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed [03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog [03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed dirsrv(a)auth-alpha.service: Main process exited, code=killed, status=11/SEGV dirsrv(a)auth-alpha.service: Failed with result 'signal'. dirsrv(a)auth-alpha.service: Consumed 2d 6h 22min 1.122s CPU time. The first steps are done very quickly, but the step before the 458 pages of the retro-changelog are freed, takes several minutes. In this time the dirsrv writes more than 10 G and reads more than 7 G (according to iotop). After this line is printed the dirsrv crashes within seconds. What I also noticed is, that even though it said it freed a lot of pages the retro-changelog does not seem to change in size. The file `/var/lib/dirsrv/slapd-auth-alpha/db/changelog/id2entry.db` is 7.2 G before and after the compacting. Debian 11.4 389-ds-base/stable,now 1.4.4.11-2 amd64 Does someone have an idea how to debug / fix this? Thanks

4 15

Unable to establish replication with STARTTLS
by John Thurston 06 Jun '23

06 Jun '23

I have two hosts with 389-Directory/1.4.4.17 B2021.280.1354 on CentOS Stream release 8 (4.18.0-448.el8.x86_64) On a.state.ak.us, there is one instance defined (call this instance #1) On b.state.ak.us, there are two instances defined (call them #2 and #3) Instances #1 and #3 have GlobalSign certificates installed. Instance #2 currently has a Let's Encrypt certificate installed. All instances also have root and intermediate certs in their databases for GlobalSign, which are marked with Trust Flags "CT,,". I can define instance #2 as a supplier, and define a replication agreement which populates #3. This works with both LDAPS and STARTTLS. If I, instead, try to define the same replication agreement on instance #1, it fails with: > slapi_ldap_bind - Error: could not send startTLS request: error -11 > (Connect error) > > NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=DS11-1to3" > (b:389) - Replication bind with SIMPLE auth failed: LDAP error -11 > (Connect error) (error:1416F086:SSL > routines:tls_process_server_certificate:certificate verify failed > (unable to get issuer certificate)) > > slapi_ldap_bind - Error: could not send startTLS request: error -11 > (Connect error) I am unable to figure out how instances #1 and #2 differ. Instance #1 has long-established supplier-agreements (using both LDAPS and STARTTLS) with other instances of 389-Directory. So I know instance #1 can function correctly as a supplier. Instance #3 demonstrates it can be a consumer when supplied by instance #2. I can perform LDAPS and STARTTLS queries from a.state.ak.us to instance #3, so I know it is listening on the network and not blocked by a host-based firewall. Any suggestions of where to look, or config-attributes to check, would be appreciated. -- -- Do things because you should, not just because you can. John Thurston 907-465-8591 John.Thurston(a)alaska.gov Department of Administration State of Alaska

4 9

Plugin development licensing
by DUVERT Vincent 09 May '23

09 May '23

Hello, I have a question regarding the licensing of developed 389-ds plugins. The FAQ (https://directory.fedoraproject.org/docs/389ds/FAQ/licensing.html#directory…) indicates that the Directory Server core code is licensed under a GPL + Exception license that allows non-GPL 389-ds plugins to link to 389-ds and to use specific header files. However, the LICENSE file in the current 389-ds-base source does not contain this exception. It was apparently removed by the following commit, when the license was changed to GPLv3+: https://pagure.io/389-ds-base/c/88cae401aee39a19ac6b07c3c36ee8daa07192e7 Does that means that the license exception does not apply to the current version of 389-ds? Regards, Vincent Duvert

2 2

389 DS memory growth
by Nazarenko, Alexander 27 Apr '23

27 Apr '23

Hello colleagues, On March 22nd we updated the 389-ds-base.x86_64 and 389-ds-base-libs.x86_64 packages on our eight RHEL 7.9 production servers from version 1.3.10.2-17.el7_9 to version 1.3.11.1-1.el7_9. We also updated the kernel from kernel 3.10.0-1160.80.1.el7.x86_64 to kernel-3.10.0-1160.88.1.el7.x86_64 during the same update. Approximately 12 days later, on April 3rd, all the hosts started exhibiting memory growth issues whereby the “slapd” process was using over 90% of the available system memory of 32GB, which was NOT happening for a couple of years prior to applying any of the available package updates on the systems. Two of the eight hosts act as Primaries (formerly referred to as masters), while 6 of the hosts act as read-only replicas. Three of the read-only replicas are used by our authorization system while the other three read-only replicas are used by customer-based applications. Currently we use system controls to restrict the memory usage. My question is whether this is something that other users also experience, and what is the recommended way to stabilize the DS servers in this type of situation? Thanks, - Alex

4 16

Announcing 389 Directory Server 2.4.0
by Mark Reynolds 26 Apr '23

26 Apr '23

389 Directory Server 2.4.0 The 389 Directory Server team is proud to announce 389-ds-base version 2.4.0 Fedora packages are available on Rawhide (Fedora 39) Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=100388694 <https://koji.fedoraproject.org/koji/taskinfo?taskID=100388694> The new packages and versions are: * 389-ds-base-2.4.0-1 Source tarballs are available for download at Download 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.4.0.tar.gz> Highlights in 2.4.0 * Enhancements, and Bug fixes Installation and Upgrade See Download <https://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install the server use *dnf install 389-ds-base* To install the Cockpit UI plugin use *dnf install cockpit-389-ds* After rpm install completes, run *dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms See Install_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html> for more information about the initial installation and setup See Source <https://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.o… If you find a bug, or would like to see a new feature, file it in our GitHub project: https://github.com/389ds/389-ds-base * Bump version to 2.4.0 * Issue 5156 - RFE that implement slapi_memberof (#5694) * Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735) * Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727) * Issue 4758 - Add tests for WebUI * Issue 5718 - Memory leak in connection table (#5719) * Issue 5705 - Add config parameter to close client conns on failed bind (#5712) * Issue 4758 - Add tests for WebUI * Issue 5643 - Memory leak in entryrdn during delete (#5717) * Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations * Issue 5701 - CLI - Fix referral mode setting (#5708) * Bump openssl from 0.10.45 to 0.10.48 in /src (#5709) * Issue 5710 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups (#5711) * Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698) * Issue 1081 - Stop schema replication from overwriting x-origin * Issue 4812 - Listener thread does not scale with a high num of established connections (#5706) * Issue 4812 - Listener thread does not scale with a high num of established connections (#5681) * Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699) * Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692) * Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691) * Issue 5687 - UI - sensitive information disclosure * Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV (#5676) * Issue 5554 - Add more tests to security_basic_test suite * Issue 4583 - Update specfile to skip checks of ASAN builds * Issue 4758 - Add tests for WebUI * Issue 3604 - UI - Add support for Subject Alternative Names in CSR * Issue 5600 - buffer overflow when enabling sync repl plugin when dynamic plugins is enabled * Issue 5640 - Update logconv for new logging format * Issue 5162 - CI - fix error message for invalid pem file * Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604) * Issue 5671 - covscan - clang warning (#5672) * Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn * Issue 5666 - CLI - Add timeout parameter for tasks * Issue 5567 - CLI - make ldifgen use the same default ldif name for all options * Issue 5647 - Fix unused variable warning from previous commit (#5670) * Issue 5162 - Lib389 - verify certificate type before adding * Issue 5642 - Build fails against setuptools 67.0.0 * Issue 5630 - CLI - need to add logging filter for stdout * Issue 5646 - CLI/UI - do not hardcode password storage schemes * Issue 5640 - Update logconv for new logging format * issue 5647 - covscan: memory leak in audit log when adding entries (#5650) * Issue 5658 - CLI - unable to add attribute with matching rule * Issue 5653 - covscan - fix invalid dereference * Issue 5652 - Libasan crash in replication/cascading_test (#5659) * Issue 5628 - Handle graceful timeout in CI tests (#5657) * Issue 5648 - Covscan - Compiler warnings (#5651) * Issue 5630 - CLI - error messages should goto stderr * Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639) * Issue 5632 - CLI - improve error handling with db2ldif * Issue 5517 - Replication conflict CI test sometime fails (#5518) * Issue 5634 - Deprecated warning related to github action workflow code (#5635) * Issue 5637 - Covscan - fix Buffer Overflows (#5638) * Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates * Bump tokio from 1.24.1 to 1.25.0 in /src (#5629) * Issue 4577 - Add LMDB pytest github action (#5627) * Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees * Remove stale libevent(-devel) dependency * Issue 5578 - dscreate ds-root does not normaile paths (#5613) * Issue 5497 - boolean attributes should be case insensitive -- Directory Server Development Team

1 0

Announcing 389 Directory Server 2.3.3
by Mark Reynolds 26 Apr '23

26 Apr '23

389 Directory Server 2.3.3 The 389 Directory Server team is proud to announce 389-ds-base version 2.3.3 Fedora packages are available on Fedora 38 Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=100387023 <https://koji.fedoraproject.org/koji/taskinfo?taskID=100387023> Bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-2023-834b89af31 <https://bodhi.fedoraproject.org/updates/FEDORA-2023-834b89af31> The new packages and versions are: * 389-ds-base-2.3.3-1 Source tarballs are available for download at Download 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.3.3.tar.gz> Highlights in 2.3.3 * Enhancements, Security and Bug fixes Installation and Upgrade See Download <https://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install the server use *dnf install 389-ds-base* To install the Cockpit UI plugin use *dnf install cockpit-389-ds* After rpm install completes, run *dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms See Install_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html> for more information about the initial installation and setup See Source <https://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.o… If you find a bug, or would like to see a new feature, file it in our GitHub project: https://github.com/389ds/389-ds-base * Bump version to 2.3.3 * Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727) * Issue 5718 - Memory leak in connection table (#5719) * Issue 5705 - Add config parameter to close client conns on failed bind (#5712) * Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations * Issue 5701 - CLI - Fix referral mode setting (#5708) * Bump openssl from 0.10.45 to 0.10.48 in /src (#5709) * Issue 5710 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups (#5711) * Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698) * Issue 1081 - Stop schema replication from overwriting x-origin * Issue 4812 - Listener thread does not scale with a high num of established connections (#5706) * Issue 4812 - Listener thread does not scale with a high num of established connections (#5681) * Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699) * Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692) * Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691) * Issue 5687 - UI - sensitive information disclosure * Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV (#5676) * Issue 5554 - Add more tests to security_basic_test suite * Issue 4583 - Update specfile to skip checks of ASAN builds * Issue 4758 - Add tests for WebUI * Issue 3604 - UI - Add support for Subject Alternative Names in CSR * Issue 5600 - buffer overflow when enabling sync repl plugin when dynamic plugins is enabled * Issue 5640 - Update logconv for new logging format * Issue 5162 - CI - fix error message for invalid pem file * Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604) * Issue 5671 - covscan - clang warning (#5672) * Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn * Issue 5666 - CLI - Add timeout parameter for tasks * Issue 5567 - CLI - make ldifgen use the same default ldif name for all options * Issue 5647 - Fix unused variable warning from previous commit (#5670) * Issue 5162 - Lib389 - verify certificate type before adding * Issue 5642 - Build fails against setuptools 67.0.0 * Issue 5630 - CLI - need to add logging filter for stdout * Issue 5646 - CLI/UI - do not hardcode password storage schemes * Issue 5640 - Update logconv for new logging format * issue 5647 - covscan: memory leak in audit log when adding entries (#5650) * Issue 5658 - CLI - unable to add attribute with matching rule * Issue 5653 - covscan - fix invalid dereference * Issue 5652 - Libasan crash in replication/cascading_test (#5659) * Issue 5628 - Handle graceful timeout in CI tests (#5657) * Issue 5648 - Covscan - Compiler warnings (#5651) * Issue 5630 - CLI - error messages should goto stderr * Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639) * Issue 5632 - CLI - improve error handling with db2ldif * Issue 5517 - Replication conflict CI test sometime fails (#5518) * Issue 5634 - Deprecated warning related to github action workflow code (#5635) * Issue 5637 - Covscan - fix Buffer Overflows (#5638) * Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates * Bump tokio from 1.24.1 to 1.25.0 in /src (#5629) * Issue 4577 - Add LMDB pytest github action (#5627) * Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees * Remove stale libevent(-devel) dependency * Issue 5578 - dscreate ds-root does not normaile paths (#5613) * Issue 5497 - boolean attributes should be case insensitive * Bump version to 2.3.2 * Issue 5547 - automember plugin improvements * Issue 5607, 5351, 5611 - UI/CLI - fix various issues * Issue 5610 - Build failure on Debian * Issue 5608 - UI - need to replace some “const” with “let” * Issue 5560 - dscreate run by non superuser set defaults requiring superuser privilege (#5579) * Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584) * Issue 5605 - Adding a slapi_log_backtrace function in libslapd (#5606) * Issue 5602 - UI - browser crash when trying to modify read-only variable * Issue 5581 - UI - Support cockpit dark theme * Issue 5593 - CLI - dsidm account subtree-status fails with TypeError * Issue 5591 - BUG - Segfault in cl5configtrim with invalid confi (#5592) * Fix latest npm audit failures * Issue 5599 - CI - webui tests randomly fail * Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries * Issue 5588 - Fix CI tests * Issue 5585 - lib389 password policy DN handling is incorrect (#5587) * Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth * Bump json5 from 2.2.1 to 2.2.3 in /src/cockpit/389-console * Issue 5236 - UI add specialized group edit modal * Issue 5550 - dsconf monitor crashes with Error math domain error (#5553) * Issue 5278 - CLI - dsidm asks for the old password on password reset * Issue 5531 - CI - use universal_lines in capture_output * Issue 5425 - CLI - add confirmation arg when deleting backend * Issue 5558 - non-root instance fails to start on creation (#5559) * Issue 5545 - A random crash in import over lmdb (#5546) * Issue 3615 - CLI - prevent virtual attribute indexing * Update specfile and rust crates * Issue 5413 - Allow multiple MemberOf fixup tasks with different bases/filters * Issue 5554 - Add more tests to security_basic_test suite (#5555) * Issue 5561 - Nightly tests are failing * Issue 5521 - RFE - split pass through auth cli * Issue 5521 - BUG - Pam PTA multiple issues * Issue 5544 - Increase default task TTL * Issue 5526 - RFE - Improve saslauthd migration options (#5528) * Issue 5539 - Make logger’s parameter name unified (#5540) * Issue 5541 - Fix typo in lib389.cli_conf.backend._get_backend (#5542) * Issue 3729 - (cont) RFE Extend log of operations statistics in access log (#5538) * Issue 5534 - Fix a rebase typo (#5537) * Issue 5534 - Add copyright text to the repository files -- Directory Server Development Team

1 0

Announcing 389 Directory Server 2.2.7
by Mark Reynolds 26 Apr '23

26 Apr '23

389 Directory Server 2.2.7 The 389 Directory Server team is proud to announce 389-ds-base version 2.2.7 Fedora packages are available on Fedora 37 https://koji.fedoraproject.org/koji/buildinfo?buildID=2192884 <https://koji.fedoraproject.org/koji/buildinfo?buildID=2192884> https://bodhi.fedoraproject.org/updates/FEDORA-2023-2b32a0879e <https://bodhi.fedoraproject.org/updates/FEDORA-2023-2b32a0879e> - Bohdi The new packages and versions are: * 389-ds-base-2.2.7-2 Source tarballs are available for download at Download 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.2.7.tar.gz> Highlights in 2.2.7 * Enhancements, Security, and Bug fixes Installation and Upgrade See Download <https://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install the server use *dnf install 389-ds-base* To install the Cockpit UI plugin use *dnf install cockpit-389-ds* After rpm install completes, run *dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms See Install_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html> for more information about the initial installation and setup See Source <https://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.o… If you find a bug, or would like to see a new feature, file it in our GitHub project: https://github.com/389ds/389-ds-base * Bump version to 2.2.7-2 * Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735) * Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727) * Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations * Issue 5710 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups (#5711) * Issue 1081 - Stop schema replication from overwriting x-origin * Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699) * Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692) * Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691) * Issue 5687 - UI - sensitive information disclosure * Issue 4583 - Update specfile to skip checks of ASAN builds * Issue 5550 - dsconf monitor crashes with Error math domain error (#5553) * Issue 3604 - UI - Add support for Subject Alternative Names in CSR * Issue 5600 - buffer overflow when enabling sync repl plugin when dynamic plugins is enabled * Fix build break * Issue 5640 - Update logconv for new logging format * Issue 5545 - A random crash in import over lmdb (#5546) * Issue 5490 - tombstone in entryrdn index with lmdb but not with bdb (#5498) * Issue 5408 - lmdb import is slow (#5481) * Issue 5162 - CI - fix error message for invalid pem file * Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604) * Issue 5671 - covscan - clang warning (#5672) * Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn * Issue 5666 - CLI - Add timeout parameter for tasks * Issue 5567 - CLI - make ldifgen use the same default ldif name for all options * Issue 5162 - Lib389 - verify certificate type before adding * Issue 5630 - CLI - need to add logging filter for stdout * Issue 5646 - CLI/UI - do not hardcode password storage schemes * Issue 5640 - Update logconv for new logging format * Issue 5652 - Libasan crash in replication/cascading_test (#5659) * Issue 5658 - CLI - unable to add attribute with matching rule * Issue 5653 - covscan - fix invalid dereference * Issue 5648 - Covscan - Compiler warnings (#5651) * Issue 5630 - CLI - error messages should goto stderr * Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639) * Issue 5632 - CLI - improve error handling with db2ldif * Issue 5578 - dscreate ds-root does not normalize paths (#5613) * Issue 5560 - dscreate run by non superuser set defaults requiring superuser privilege (#5579) * Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates * Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees * Issue 5497 - boolean attributes should be case insensitive * Bump version to 2.2.6 * Issue 5607, 5351, 5611 - UI/CLI - fix various issues * Issue 5608 - UI - need to replace some “const” with “let” * Issue 3604 - UI - Create a private key/CSR with dsconf/Cockpit (#5584) * Issue 5602 - UI - browser crash when trying to modify read-only variable * Issue 5581 - UI - Support cockpit dark theme * Issue 5593 - CLI - dsidm account subtree-status fails with TypeError * Issue 5591 - BUG - Segfault in cl5configtrim with invalid confi (#5592) * Fix latest npm audit failures * Issue 5599 - CI - webui tests randomly fail * Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries * Issue 5526 - RFE - Improve saslauthd migration options (#5528) * Issue 5588 - Fix CI tests * Issue 5585 - lib389 password policy DN handling is incorrect (#5587) * Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth -- Directory Server Development Team

1 0

Announcing 389 Directory Server 2.1.8
by Mark Reynolds 26 Apr '23

26 Apr '23

389 Directory Server 2.1.8 The 389 Directory Server team is proud to announce 389-ds-base version 2.1.8 Fedora packages are available on Fedora 36 https://koji.fedoraproject.org/koji/taskinfo?taskID=100382283 <https://koji.fedoraproject.org/koji/taskinfo?taskID=100382283> https://bodhi.fedoraproject.org/updates/FEDORA-2023-1c19398137 <https://bodhi.fedoraproject.org/updates/FEDORA-2023-1c19398137> - Bodhi The new packages and versions are: * 389-ds-base-2.1.8-1 Source tarballs are available for download at Download 389-ds-base Source <https://github.com/389ds/389-ds-base/archive/389-ds-base-2.1.8.tar.gz> Highlights in 2.1.8 * Enhancements, Security, and Bug fixes Installation and Upgrade See Download <https://www.port389.org/docs/389ds/download.html> for information about setting up your yum repositories. To install the server use *dnf install 389-ds-base* To install the Cockpit UI plugin use *dnf install cockpit-389-ds* After rpm install completes, run *dscreate interactive* For upgrades, simply install the package. There are no further steps required. There are no upgrade steps besides installing the new rpms See Install_Guide <https://www.port389.org/docs/389ds/howto/howto-install-389.html> for more information about the initial installation and setup See Source <https://www.port389.org/docs/389ds/development/source.html> for information about source tarballs and SCM (git) access. Feedback We are very interested in your feedback! Please provide feedback and comments to the 389-users mailing list: https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject.o… If you find a bug, or would like to see a new feature, file it in our GitHub project: https://github.com/389ds/389-ds-base * Bump version to 2.1.8 * Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735) * Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727) * Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations * Issue 1081 - Stop schema replication from overwriting x-origin * Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699) * Issue 5598 - fix testcase * Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692) * Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691) * Issue 5687 - UI - sensitive information disclosure * Issue 4583 - Update specfile to skip checks of ASAN builds * Issue 5550 - dsconf monitor crashes with Error math domain error (#5553) * Issue 3604 - UI - Add support for Subject Alternative Names in CSR * Fix build break * Issue 5640 - Update logconv for new logging format * Issue 5545 - A random crash in import over lmdb (#5546) * Issue 5490 - tombstone in entryrdn index with lmdb but not with bdb (#5498) * Issue 5408 - lmdb import is slow (#5481) * Issue 5162 - CI - fix error message for invalid pem file * Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604) * Issue 5666 - CLI - Add timeout parameter for tasks * Issue 5567 - CLI - make ldifgen use the same default ldif name for all options * Issue 5162 - Lib389 - verify certificate type before adding * Issue 5630 - CLI - need to add logging filter for stdout * Issue 5646 - CLI/UI - do not hardcode password storage schemes * Issue 5640 - Update logconv for new logging format * Issue 5652 - Libasan crash in replication/cascading_test (#5659) * Issue 5658 - CLI - unable to add attribute with matching rule * Issue 5653 - covscan - fix invalid dereference * Issue 5648 - Covscan - Compiler warnings (#5651) * Issue 5630 - CLI - error messages should goto stderr * Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639) * Issue 5632 - CLI - improve error handling with db2ldif * Issue 5578 - dscreate ds-root does not normaile paths (#5613) * Issue 5560 - dscreate run by non superuser set defaults requiring superuser privilege (#5579) * Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates * Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees * Issue 5497 - boolean attributes should be case insensitive * Bump version to 2.1.7 * Issue 5607, 5351, 5611 - UI/CLI - fix various issues * Issue 5608 - UI - need to replace some “const” with “let” * Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584) * Issue 5602 - UI - browser crash when trying to modify read-only variable * Issue 5581 - UI - Support cockpit dark theme * Issue 5593 - CLI - dsidm account subtree-status fails with TypeError * Issue 5591 - BUG - Segfault in cl5configtrim with invalid confi (#5592) * Fix latest npm audit failures * Issue 5599 - CI - webui tests randomly fail * Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries * Issue 5526 - RFE - Improve saslauthd migration options (#5528) * Issue 5588 - Fix CI tests * Issue 5585 - lib389 password policy DN handling is incorrect (#5587) * Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth * Issue 5236 - UI add specialized group edit modal * Issue 5278 - CLI - dsidm asks for the old password on password reset * Issue 5531 - CI - use universal_lines in capture_output * Issue 5505 - Fix compiler warning (#5506) * Issue 3615 - CLI - prevent virtual attribute indexing * Issue 5413 - Allow mutliple MemberOf fixup tasks with different bases/filters * Issue 5561 - Nightly tests are failing * Issue 5521 - RFE - split pass through auth cli * Issue 5521 - BUG - Pam PTA multiple issues * Issue 5544 - Increase default task TTL * Issue 5541 - Fix typo in |lib389.cli_conf.backend._get_backend| (#5542) * Issue 5539 - Make logger’s parameter name unified (#5540) * Issue 5534 - Fix a rebase typo (#5537) * Issue 5534 - Add copyright text to the repository files -- Directory Server Development Team

1 0

A more profound replication monitoring of 389-ds instance
by dweller dweller 21 Apr '23

21 Apr '23

Hello everyone, I have a request for advice on how to approach monitoring of replication in an environment with approximately 30 FreeIPA servers, all in a master-master replication agreement, using 389-ds (389-ds-base-1.4.3.28-6). I am currently looking for ways to reduce the number of replicas (because there are more to come) and need to justify it to the architecture department with evidence based on experimental observations. The problem we are facing is that our installation has started experiencing lags in some operations, such as adding user groups, HBAC, and SUDO rules and the most heaviest (by the impact) is automember-rebuild operation. The number of entities being added is not large, with a maximum of 10 groups and several sudo and HBAC rules, though for automember-rebuild I don't know for certain cause for now I didn't figure out what operations are done internally by this. The "lag" manifests as latency in LDAP operations, leading to timeouts, which in turn causes some services that rely on Kerberos or DNS (because FreeIPA uses LDAP directory for everything) to go down. Our monitoring system also shows that the outage propagates through replicas as replication progresses. The classic approach of monitoring replication agreements through the nsds5replicaLastUpdateStatus attribute is not sufficient. We need a more dynamic approach that can show the "waves" or replication sessions throughout the environment, which can help in further tuning replication parameters. I am facing the following problems: 1) The only way to get full replication information currently is to turn on full debug for error logs. While this can be done in test environments, I cannot rely on it in production. I thought that BPF could be the answer, but I am not sure if dirsrv has internal support (predefined probe points) for it. Has anyone from the developers tried to use BPF to monitor some features in 389-ds? 2) Regardless of BPF support, I can still try to implement monitoring with it, in conjunction with debug symbols. However, another problem is that I do not know the exact algorithm of the replication process. I have read this article (https://www.port389.org/docs/389ds/design/replication_troubleshooting.html) but it is still obscure for my purposes. Can you shed some light on the approach I should take here? In my mind, the first step should be very basic - attach to a set of consumer level functions responsible for receiving replica updates, and monitor the latency, the amount of incoming connections at a given point in time, and so on. But if you could point me in the right direction (other than just directly pointing to the repository and searching the source code), I would greatly appreciate it. 3) This feature (https://directory.fedoraproject.org/docs/389ds/design/log-operation-stats.h…) is not supported for my version of 389-ds, is it? Is there a way to patch my version to support it? Thank you in advance for your help.

3 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users April 2023