Unable to establish replication with STARTTLS
by John Thurston
I have two hosts with 389-Directory/1.4.4.17 B2021.280.1354 on CentOS
Stream release 8 (4.18.0-448.el8.x86_64)
On a.state.ak.us, there is one instance defined (call this instance #1)
On b.state.ak.us, there are two instances defined (call them #2 and #3)
Instances #1 and #3 have GlobalSign certificates installed. Instance #2
currently has a Let's Encrypt certificate installed. All instances also
have root and intermediate certs in their databases for GlobalSign,
which are marked with Trust Flags "CT,,".
I can define instance #2 as a supplier, and define a replication
agreement which populates #3. This works with both LDAPS and STARTTLS.
If I, instead, try to define the same replication agreement on instance
#1, it fails with:
> slapi_ldap_bind - Error: could not send startTLS request: error -11
> (Connect error)
>
> NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=DS11-1to3"
> (b:389) - Replication bind with SIMPLE auth failed: LDAP error -11
> (Connect error) (error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> (unable to get issuer certificate))
>
> slapi_ldap_bind - Error: could not send startTLS request: error -11
> (Connect error)
I am unable to figure out how instances #1 and #2 differ.
Instance #1 has long-established supplier-agreements (using both LDAPS
and STARTTLS) with other instances of 389-Directory. So I know instance
#1 can function correctly as a supplier. Instance #3 demonstrates it can
be a consumer when supplied by instance #2. I can perform LDAPS and
STARTTLS queries from a.state.ak.us to instance #3, so I know it is
listening on the network and not blocked by a host-based firewall.
Any suggestions of where to look, or config-attributes to check, would
be appreciated.
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston(a)alaska.gov
Department of Administration
State of Alaska
4 days, 13 hours
389 DS memory growth
by Nazarenko, Alexander
Hello colleagues,
On March 22nd we updated the 389-ds-base.x86_64 and 389-ds-base-libs.x86_64 packages on our eight RHEL 7.9 production servers from version 1.3.10.2-17.el7_9 to version 1.3.11.1-1.el7_9. We also updated the kernel from kernel 3.10.0-1160.80.1.el7.x86_64 to kernel-3.10.0-1160.88.1.el7.x86_64 during the same update.
Approximately 12 days later, on April 3rd, all the hosts started exhibiting memory growth issues whereby the “slapd” process was using over 90% of the available system memory of 32GB, which was NOT happening for a couple of years prior to applying any of the available package updates on the systems.
Two of the eight hosts act as Primaries (formerly referred to as masters), while 6 of the hosts act as read-only replicas. Three of the read-only replicas are used by our authorization system while the other three read-only replicas are used by customer-based applications.
Currently we use system controls to restrict the memory usage.
My question is whether this is something that other users also experience, and what is the recommended way to stabilize the DS servers in this type of situation?
Thanks,
- Alex
1 month
Announcing 389 Directory Server 2.4.0
by Mark Reynolds
389 Directory Server 2.4.0
The 389 Directory Server team is proud to announce 389-ds-base version 2.4.0
Fedora packages are available on Rawhide (Fedora 39)
Rawhide:
https://koji.fedoraproject.org/koji/taskinfo?taskID=100388694
The new packages and versions are:
* 389-ds-base-2.4.0-1
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.4.0.tar.gz>
Highlights in 2.4.0
* Enhancements, and Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.4.0
* Issue 5156 - RFE that implement slapi_memberof (#5694)
* Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)
* Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
* Issue 4758 - Add tests for WebUI
* Issue 5718 - Memory leak in connection table (#5719)
* Issue 5705 - Add config parameter to close client conns on failed
bind (#5712)
* Issue 4758 - Add tests for WebUI
* Issue 5643 - Memory leak in entryrdn during delete (#5717)
* Issue 5714 - UI - fix typo, db settings, log settings, and LDAP
editor paginations
* Issue 5701 - CLI - Fix referral mode setting (#5708)
* Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)
* Issue 5710 - subtree search statistics for index lookup does not
report ancestorid/entryrdn lookups (#5711)
* Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)
* Issue 1081 - Stop schema replication from overwriting x-origin
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5706)
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5681)
* Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
* Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5692)
* Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5691)
* Issue 5687 - UI - sensitive information disclosure
* Issue 5661 - LMDB hangs while Rebuilding the replication changelog
RUV (#5676)
* Issue 5554 - Add more tests to security_basic_test suite
* Issue 4583 - Update specfile to skip checks of ASAN builds
* Issue 4758 - Add tests for WebUI
* Issue 3604 - UI - Add support for Subject Alternative Names in CSR
* Issue 5600 - buffer overflow when enabling sync repl plugin when
dynamic plugins is enabled
* Issue 5640 - Update logconv for new logging format
* Issue 5162 - CI - fix error message for invalid pem file
* Issue 5598 - In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5604)
* Issue 5671 - covscan - clang warning (#5672)
* Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
* Issue 5666 - CLI - Add timeout parameter for tasks
* Issue 5567 - CLI - make ldifgen use the same default ldif name for
all options
* Issue 5647 - Fix unused variable warning from previous commit (#5670)
* Issue 5162 - Lib389 - verify certificate type before adding
* Issue 5642 - Build fails against setuptools 67.0.0
* Issue 5630 - CLI - need to add logging filter for stdout
* Issue 5646 - CLI/UI - do not hardcode password storage schemes
* Issue 5640 - Update logconv for new logging format
* Issue 5647 - covscan: memory leak in audit log when adding
entries (#5650)
* Issue 5658 - CLI - unable to add attribute with matching rule
* Issue 5653 - covscan - fix invalid dereference
* Issue 5652 - Libasan crash in replication/cascading_test (#5659)
* Issue 5628 - Handle graceful timeout in CI tests (#5657)
* Issue 5648 - Covscan - Compiler warnings (#5651)
* Issue 5630 - CLI - error messages should goto stderr
* Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
* Issue 5632 - CLI - improve error handling with db2ldif
* Issue 5517 - Replication conflict CI test sometime fails (#5518)
* Issue 5634 - Deprecated warning related to github action workflow
code (#5635)
* Issue 5637 - Covscan - fix Buffer Overflows (#5638)
* Issue 5624 - RFE - UI - export certificates, and import text base64
encoded certificates
* Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)
* Issue 4577 - Add LMDB pytest github action (#5627)
* Issue 4293 - RFE - CLI - add dsrc options for setting user and
group subtrees
* Remove stale libevent(-devel) dependency
* Issue 5578 - dscreate ds-root does not normalize paths (#5613)
* Issue 5497 - boolean attributes should be case insensitive
--
Directory Server Development Team
1 month
Announcing 389 Directory Server 2.3.3
by Mark Reynolds
389 Directory Server 2.3.3
The 389 Directory Server team is proud to announce 389-ds-base version 2.3.3
Fedora packages are available on Fedora 38
Rawhide:
https://koji.fedoraproject.org/koji/taskinfo?taskID=100387023
Bodhi:
https://bodhi.fedoraproject.org/updates/FEDORA-2023-834b89af31
The new packages and versions are:
* 389-ds-base-2.3.3-1
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.3.3.tar.gz>
Highlights in 2.3.3
* Enhancements, Security and Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.3.3
* Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
* Issue 5718 - Memory leak in connection table (#5719)
* Issue 5705 - Add config parameter to close client conns on failed
bind (#5712)
* Issue 5714 - UI - fix typo, db settings, log settings, and LDAP
editor paginations
* Issue 5701 - CLI - Fix referral mode setting (#5708)
* Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)
* Issue 5710 - subtree search statistics for index lookup does not
report ancestorid/entryrdn lookups (#5711)
* Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)
* Issue 1081 - Stop schema replication from overwriting x-origin
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5706)
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5681)
* Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
* Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5692)
* Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5691)
* Issue 5687 - UI - sensitive information disclosure
* Issue 5661 - LMDB hangs while Rebuilding the replication changelog
RUV (#5676)
* Issue 5554 - Add more tests to security_basic_test suite
* Issue 4583 - Update specfile to skip checks of ASAN builds
* Issue 4758 - Add tests for WebUI
* Issue 3604 - UI - Add support for Subject Alternative Names in CSR
* Issue 5600 - buffer overflow when enabling sync repl plugin when
dynamic plugins is enabled
* Issue 5640 - Update logconv for new logging format
* Issue 5162 - CI - fix error message for invalid pem file
* Issue 5598 - In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5604)
* Issue 5671 - covscan - clang warning (#5672)
* Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
* Issue 5666 - CLI - Add timeout parameter for tasks
* Issue 5567 - CLI - make ldifgen use the same default ldif name for
all options
* Issue 5647 - Fix unused variable warning from previous commit (#5670)
* Issue 5162 - Lib389 - verify certificate type before adding
* Issue 5642 - Build fails against setuptools 67.0.0
* Issue 5630 - CLI - need to add logging filter for stdout
* Issue 5646 - CLI/UI - do not hardcode password storage schemes
* Issue 5640 - Update logconv for new logging format
* Issue 5647 - covscan: memory leak in audit log when adding
entries (#5650)
* Issue 5658 - CLI - unable to add attribute with matching rule
* Issue 5653 - covscan - fix invalid dereference
* Issue 5652 - Libasan crash in replication/cascading_test (#5659)
* Issue 5628 - Handle graceful timeout in CI tests (#5657)
* Issue 5648 - Covscan - Compiler warnings (#5651)
* Issue 5630 - CLI - error messages should goto stderr
* Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
* Issue 5632 - CLI - improve error handling with db2ldif
* Issue 5517 - Replication conflict CI test sometime fails (#5518)
* Issue 5634 - Deprecated warning related to github action workflow
code (#5635)
* Issue 5637 - Covscan - fix Buffer Overflows (#5638)
* Issue 5624 - RFE - UI - export certificates, and import text base64
encoded certificates
* Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)
* Issue 4577 - Add LMDB pytest github action (#5627)
* Issue 4293 - RFE - CLI - add dsrc options for setting user and
group subtrees
* Remove stale libevent(-devel) dependency
* Issue 5578 - dscreate ds-root does not normalize paths (#5613)
* Issue 5497 - boolean attributes should be case insensitive
* Bump version to 2.3.2
* Issue 5547 - automember plugin improvements
* Issue 5607, 5351, 5611 - UI/CLI - fix various issues
* Issue 5610 - Build failure on Debian
* Issue 5608 - UI - need to replace some “const” with “let”
* Issue 5560 - dscreate run by non superuser set defaults requiring
superuser privilege (#5579)
* Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584)
* Issue 5605 - Adding a slapi_log_backtrace function in libslapd (#5606)
* Issue 5602 - UI - browser crash when trying to modify read-only variable
* Issue 5581 - UI - Support cockpit dark theme
* Issue 5593 - CLI - dsidm account subtree-status fails with TypeError
* Issue 5591 - BUG - Segfault in cl5configtrim with invalid config (#5592)
* Fix latest npm audit failures
* Issue 5599 - CI - webui tests randomly fail
* Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries
* Issue 5588 - Fix CI tests
* Issue 5585 - lib389 password policy DN handling is incorrect (#5587)
* Issue 5521 - UI - Update plugins for new split PAM and LDAP pass
thru auth
* Bump json5 from 2.2.1 to 2.2.3 in /src/cockpit/389-console
* Issue 5236 - UI add specialized group edit modal
* Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)
* Issue 5278 - CLI - dsidm asks for the old password on password reset
* Issue 5531 - CI - use universal_lines in capture_output
* Issue 5425 - CLI - add confirmation arg when deleting backend
* Issue 5558 - non-root instance fails to start on creation (#5559)
* Issue 5545 - A random crash in import over lmdb (#5546)
* Issue 3615 - CLI - prevent virtual attribute indexing
* Update specfile and rust crates
* Issue 5413 - Allow multiple MemberOf fixup tasks with
different bases/filters
* Issue 5554 - Add more tests to security_basic_test suite (#5555)
* Issue 5561 - Nightly tests are failing
* Issue 5521 - RFE - split pass through auth cli
* Issue 5521 - BUG - Pam PTA multiple issues
* Issue 5544 - Increase default task TTL
* Issue 5526 - RFE - Improve saslauthd migration options (#5528)
* Issue 5539 - Make logger’s parameter name unified (#5540)
* Issue 5541 - Fix typo in lib389.cli_conf.backend._get_backend (#5542)
* Issue 3729 - (cont) RFE Extend log of operations statistics in
access log (#5538)
* Issue 5534 - Fix a rebase typo (#5537)
* Issue 5534 - Add copyright text to the repository files
--
Directory Server Development Team
1 month
Announcing 389 Directory Server 2.2.7
by Mark Reynolds
389 Directory Server 2.2.7
The 389 Directory Server team is proud to announce 389-ds-base version 2.2.7
Fedora packages are available on Fedora 37
https://koji.fedoraproject.org/koji/buildinfo?buildID=2192884
https://bodhi.fedoraproject.org/updates/FEDORA-2023-2b32a0879e - Bodhi
The new packages and versions are:
* 389-ds-base-2.2.7-2
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.2.7.tar.gz>
Highlights in 2.2.7
* Enhancements, Security, and Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.2.7-2
* Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)
* Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
* Issue 5714 - UI - fix typo, db settings, log settings, and LDAP
editor paginations
* Issue 5710 - subtree search statistics for index lookup does not
report ancestorid/entryrdn lookups (#5711)
* Issue 1081 - Stop schema replication from overwriting x-origin
* Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
* Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5692)
* Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5691)
* Issue 5687 - UI - sensitive information disclosure
* Issue 4583 - Update specfile to skip checks of ASAN builds
* Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)
* Issue 3604 - UI - Add support for Subject Alternative Names in CSR
* Issue 5600 - buffer overflow when enabling sync repl plugin when
dynamic plugins is enabled
* Fix build break
* Issue 5640 - Update logconv for new logging format
* Issue 5545 - A random crash in import over lmdb (#5546)
* Issue 5490 - tombstone in entryrdn index with lmdb but not with
bdb (#5498)
* Issue 5408 - lmdb import is slow (#5481)
* Issue 5162 - CI - fix error message for invalid pem file
* Issue 5598 - In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5604)
* Issue 5671 - covscan - clang warning (#5672)
* Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
* Issue 5666 - CLI - Add timeout parameter for tasks
* Issue 5567 - CLI - make ldifgen use the same default ldif name for
all options
* Issue 5162 - Lib389 - verify certificate type before adding
* Issue 5630 - CLI - need to add logging filter for stdout
* Issue 5646 - CLI/UI - do not hardcode password storage schemes
* Issue 5640 - Update logconv for new logging format
* Issue 5652 - Libasan crash in replication/cascading_test (#5659)
* Issue 5658 - CLI - unable to add attribute with matching rule
* Issue 5653 - covscan - fix invalid dereference
* Issue 5648 - Covscan - Compiler warnings (#5651)
* Issue 5630 - CLI - error messages should goto stderr
* Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
* Issue 5632 - CLI - improve error handling with db2ldif
* Issue 5578 - dscreate ds-root does not normalize paths (#5613)
* Issue 5560 - dscreate run by non superuser set defaults requiring
superuser privilege (#5579)
* Issue 5624 - RFE - UI - export certificates, and import text base64
encoded certificates
* Issue 4293 - RFE - CLI - add dsrc options for setting user and
group subtrees
* Issue 5497 - boolean attributes should be case insensitive
* Bump version to 2.2.6
* Issue 5607, 5351, 5611 - UI/CLI - fix various issues
* Issue 5608 - UI - need to replace some “const” with “let”
* Issue 3604 - UI - Create a private key/CSR with dsconf/Cockpit (#5584)
* Issue 5602 - UI - browser crash when trying to modify read-only variable
* Issue 5581 - UI - Support cockpit dark theme
* Issue 5593 - CLI - dsidm account subtree-status fails with TypeError
* Issue 5591 - BUG - Segfault in cl5configtrim with invalid config (#5592)
* Fix latest npm audit failures
* Issue 5599 - CI - webui tests randomly fail
* Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries
* Issue 5526 - RFE - Improve saslauthd migration options (#5528)
* Issue 5588 - Fix CI tests
* Issue 5585 - lib389 password policy DN handling is incorrect (#5587)
* Issue 5521 - UI - Update plugins for new split PAM and LDAP pass
thru auth
--
Directory Server Development Team
1 month
Announcing 389 Directory Server 2.1.8
by Mark Reynolds
389 Directory Server 2.1.8
The 389 Directory Server team is proud to announce 389-ds-base version 2.1.8
Fedora packages are available on Fedora 36
https://koji.fedoraproject.org/koji/taskinfo?taskID=100382283
https://bodhi.fedoraproject.org/updates/FEDORA-2023-1c19398137 - Bodhi
The new packages and versions are:
* 389-ds-base-2.1.8-1
Source tarballs are available for download at Download
389-ds-base Source
<https://github.com/389ds/389-ds-base/archive/389-ds-base-2.1.8.tar.gz>
Highlights in 2.1.8
* Enhancements, Security, and Bug fixes
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.1.8
* Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)
* Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
* Issue 5714 - UI - fix typo, db settings, log settings, and LDAP
editor paginations
* Issue 1081 - Stop schema replication from overwriting x-origin
* Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
* Issue 5598 - fix testcase
* Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5692)
* Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5691)
* Issue 5687 - UI - sensitive information disclosure
* Issue 4583 - Update specfile to skip checks of ASAN builds
* Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)
* Issue 3604 - UI - Add support for Subject Alternative Names in CSR
* Fix build break
* Issue 5640 - Update logconv for new logging format
* Issue 5545 - A random crash in import over lmdb (#5546)
* Issue 5490 - tombstone in entryrdn index with lmdb but not with
bdb (#5498)
* Issue 5408 - lmdb import is slow (#5481)
* Issue 5162 - CI - fix error message for invalid pem file
* Issue 5598 - In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5604)
* Issue 5666 - CLI - Add timeout parameter for tasks
* Issue 5567 - CLI - make ldifgen use the same default ldif name for
all options
* Issue 5162 - Lib389 - verify certificate type before adding
* Issue 5630 - CLI - need to add logging filter for stdout
* Issue 5646 - CLI/UI - do not hardcode password storage schemes
* Issue 5640 - Update logconv for new logging format
* Issue 5652 - Libasan crash in replication/cascading_test (#5659)
* Issue 5658 - CLI - unable to add attribute with matching rule
* Issue 5653 - covscan - fix invalid dereference
* Issue 5648 - Covscan - Compiler warnings (#5651)
* Issue 5630 - CLI - error messages should goto stderr
* Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
* Issue 5632 - CLI - improve error handling with db2ldif
* Issue 5578 - dscreate ds-root does not normalize paths (#5613)
* Issue 5560 - dscreate run by non superuser set defaults requiring
superuser privilege (#5579)
* Issue 5624 - RFE - UI - export certificates, and import text base64
encoded certificates
* Issue 4293 - RFE - CLI - add dsrc options for setting user and
group subtrees
* Issue 5497 - boolean attributes should be case insensitive
* Bump version to 2.1.7
* Issue 5607, 5351, 5611 - UI/CLI - fix various issues
* Issue 5608 - UI - need to replace some “const” with “let”
* Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584)
* Issue 5602 - UI - browser crash when trying to modify read-only variable
* Issue 5581 - UI - Support cockpit dark theme
* Issue 5593 - CLI - dsidm account subtree-status fails with TypeError
* Issue 5591 - BUG - Segfault in cl5configtrim with invalid config (#5592)
* Fix latest npm audit failures
* Issue 5599 - CI - webui tests randomly fail
* Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries
* Issue 5526 - RFE - Improve saslauthd migration options (#5528)
* Issue 5588 - Fix CI tests
* Issue 5585 - lib389 password policy DN handling is incorrect (#5587)
* Issue 5521 - UI - Update plugins for new split PAM and LDAP pass
thru auth
* Issue 5236 - UI add specialized group edit modal
* Issue 5278 - CLI - dsidm asks for the old password on password reset
* Issue 5531 - CI - use universal_lines in capture_output
* Issue 5505 - Fix compiler warning (#5506)
* Issue 3615 - CLI - prevent virtual attribute indexing
* Issue 5413 - Allow multiple MemberOf fixup tasks with
different bases/filters
* Issue 5561 - Nightly tests are failing
* Issue 5521 - RFE - split pass through auth cli
* Issue 5521 - BUG - Pam PTA multiple issues
* Issue 5544 - Increase default task TTL
* Issue 5541 - Fix typo in lib389.cli_conf.backend._get_backend (#5542)
* Issue 5539 - Make logger’s parameter name unified (#5540)
* Issue 5534 - Fix a rebase typo (#5537)
* Issue 5534 - Add copyright text to the repository files
--
Directory Server Development Team
1 month
A more profound replication monitoring of 389-ds instance
by dweller dweller
Hello everyone,
I have a request for advice on how to approach monitoring of replication in an environment with approximately 30 FreeIPA servers, all in a master-master replication agreement, using 389-ds (389-ds-base-1.4.3.28-6). I am currently looking for ways to reduce the number of replicas (because there are more to come) and need to justify it to the architecture department with evidence based on experimental observations.
The problem we are facing is that our installation has started experiencing lags in some operations, such as adding user groups, HBAC, and SUDO rules, and the heaviest (by impact) is the automember-rebuild operation.
The number of entities being added is not large, with a maximum of 10 groups and several sudo and HBAC rules, though for automember-rebuild I don't know for certain, because so far I haven't figured out what operations it performs internally. The "lag" manifests as latency in LDAP operations, leading to timeouts, which in turn causes some services that rely on Kerberos or DNS (because FreeIPA uses the LDAP directory for everything) to go down. Our monitoring system also shows that the outage propagates through replicas as replication progresses.
The classic approach of monitoring replication agreements through the nsds5replicaLastUpdateStatus attribute is not sufficient. We need a more dynamic approach that can show the "waves" or replication sessions throughout the environment, which can help in further tuning replication parameters.
I am facing the following problems:
1) The only way to get full replication information currently is to turn on full debug for error logs. While this can be done in test environments, I cannot rely on it in production. I thought that BPF could be the answer, but I am not sure if dirsrv has internal support (predefined probe points) for it. Has anyone from the developers tried to use BPF to monitor some features in 389-ds?
2) Regardless of BPF support, I can still try to implement monitoring with it, in conjunction with debug symbols. However, another problem is that I do not know the exact algorithm of the replication process. I have read this article (https://www.port389.org/docs/389ds/design/replication_troubleshooting.html), but it is still obscure for my purposes. Can you shed some light on the approach I should take here? In my mind, the first step should be very basic - attach to a set of consumer level functions responsible for receiving replica updates, and monitor the latency, the amount of incoming connections at a given point in time, and so on. But if you could point me in the right direction (other than just directly pointing to the repository and searching the source code), I would greatly appreciate it.
3) This feature (https://directory.fedoraproject.org/docs/389ds/design/log-operation-stats...) is not supported for my version of 389-ds, is it? Is there a way to patch my version to support it?
Thank you in advance for your help.
1 month
Crash with SEGV after compacting
by Niklas Schmatloch
Hi
My organisation is using a replicated 389-dirsrv. Lately, it has been crashing
each time after compacting.
It is replicable on our instances by lowering the compactdb-interval to
trigger the compacting:
dsconf -D "cn=Directory Manager" ldap://127.0.0.1 -w 'PASSWORD_HERE' backend config set --compactdb-interval 300
This is the log:
[03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot
[03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed
[03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed
[03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog
[03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed
dirsrv(a)auth-alpha.service: Main process exited, code=killed, status=11/SEGV
dirsrv(a)auth-alpha.service: Failed with result 'signal'.
dirsrv(a)auth-alpha.service: Consumed 2d 6h 22min 1.122s CPU time.
The first steps are done very quickly, but the step before the 458 pages of the
retro-changelog are freed takes several minutes. In this time the dirsrv writes
more than 10 G and reads more than 7 G (according to iotop).
After this line is printed the dirsrv crashes within seconds.
What I also noticed is that, even though it said it freed a lot of pages, the
retro-changelog does not seem to change in size.
The file `/var/lib/dirsrv/slapd-auth-alpha/db/changelog/id2entry.db` is 7.2 G
before and after the compacting.
Debian 11.4
389-ds-base/stable,now 1.4.4.11-2 amd64
Does someone have an idea how to debug / fix this?
Thanks
1 month, 1 week
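As an added example (not code from the original post or from the 389-ds project), here is a small Python parser for error-log lines like the ones quoted above: it pairs each "Compacting DB start" notice with the "pages freed" notices that follow for the same backend, reports how long each backend's compaction took, and flags steps that ran too long or never reported completion, which is how the slow changelog step stands out from the fast userRoot one. The sample log is constructed to mirror the lines in the post; the one-minute threshold is an assumption.

```python
"""Timing report for 389-ds DB compaction from error-log lines.

Added example, not code from the original post or from the 389-ds project.
Pairs each "Compacting DB start: <backend>" notice with the following
"compactdb: compact <backend> - N pages freed" notices, reports the elapsed
time per backend and flags slow or unfinished steps. Lines that are not
error-log records (for example systemd output) are skipped.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Error-log record: [03/Aug/2022:16:06:38.552781605 +0200] - LEVEL - function - message
# The fractional seconds carry nine digits; strptime's %f accepts at most six.
RECORD_RE = re.compile(
    r"^\[(?P<date>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>[+-]\d{4})\]"
    r" - (?P<level>\w+) - (?P<func>\w+) - (?P<msg>.*)$"
)
START_RE = re.compile(r"Compacting DB start: (?P<backend>\S+)")
DONE_RE = re.compile(r"compactdb: compact (?P<backend>\S+) - (?P<pages>\d+) pages freed")

# Constructed sample, mirroring the lines quoted in the post.
SAMPLE_LOG = """\
[03/Aug/2022:16:06:38.552781605 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: userRoot
[03/Aug/2022:16:06:38.752592692 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 8 pages freed
[03/Aug/2022:16:06:44.172233009 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact userRoot - 888 pages freed
[03/Aug/2022:16:06:44.179315345 +0200] - NOTICE - checkpoint_threadmain - Compacting DB start: changelog
[03/Aug/2022:16:13:18.020881527 +0200] - NOTICE - bdb_db_compact_one_db - compactdb: compact changelog - 458 pages freed
dirsrv@auth-alpha.service: Main process exited, code=killed, status=11/SEGV
dirsrv@auth-alpha.service: Failed with result 'signal'.
"""


@dataclass
class CompactionStep:
    backend: str
    started: datetime
    finished: Optional[datetime] = None   # None if the server died before reporting
    passes: int = 0                       # number of "pages freed" notices seen
    pages_freed: int = 0

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.finished is None else self.finished - self.started


def parse_timestamp(m: "re.Match") -> datetime:
    """Build a timezone-aware datetime, truncating nanoseconds to microseconds."""
    frac = (m["frac"] + "000000")[:6]
    return datetime.strptime(f"{m['date']}.{frac} {m['tz']}", "%d/%b/%Y:%H:%M:%S.%f %z")


def compaction_steps(lines) -> List[CompactionStep]:
    """Walk the log once and return one CompactionStep per 'start' notice, in order."""
    steps: List[CompactionStep] = []
    open_steps = {}  # backend -> step that has started and may still report passes
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # systemd output and other non-record lines
        ts = parse_timestamp(m)
        start = START_RE.search(m["msg"])
        if start:
            step = CompactionStep(backend=start["backend"], started=ts)
            steps.append(step)
            open_steps[step.backend] = step
            continue
        done = DONE_RE.search(m["msg"])
        if done and done["backend"] in open_steps:
            step = open_steps[done["backend"]]
            step.passes += 1
            step.pages_freed += int(done["pages"])
            step.finished = ts  # the last pass seen marks completion
    return steps


def slow_steps(steps, slow_after: timedelta = timedelta(minutes=1)) -> List[CompactionStep]:
    """Steps that took longer than slow_after (assumed threshold) or never finished."""
    return [s for s in steps if s.duration is None or s.duration > slow_after]


if __name__ == "__main__":
    for s in compaction_steps(SAMPLE_LOG.splitlines()):
        took = "UNFINISHED" if s.duration is None else f"{s.duration.total_seconds():.3f}s"
        print(f"{s.backend:<10} passes={s.passes} pages_freed={s.pages_freed} took={took}")
```

Run on a real error log, a step flagged as unfinished is the compaction that was in progress when the process died.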
Using dsctl and .dscrc: How to properly connect to a remote instance?
by Johannes Kastl
Hi all,
sorry if this is a dumb one, but I am not getting dsctl working with a remote
instance running in Kubernetes. In fact, I am not getting it to read the .dsrc
file at all, it seems.
In my user's home directory I have this ~/.dsrc (copied and adapted from the
Getting started guide):
[ldap389]
uri = ldap://192.168.99.165
basedn = dc=example,dc=de
binddn = cn=Directory Manager
But when calling "/usr/sbin/dsctl ldap389 status" it says it cannot find the
instance information.
$ /usr/sbin/dsctl ldap389 status
No such instance 'ldap389'
Unable to access instance information. Are you running as the correct user?
(usually dirsrv or root)
So I copied the file to /root/.dsrc and executed the command as root: Same error.
I am guessing it does not find the file, so I tried to use the "dsctl dsrc"
command, but I think this is broken. It does not accept anything without an
instance argument, although the manpage says to call it as "dsctl dsrc ..."
> $ sudo /usr/sbin/dsctl dsrc display
> usage: dsctl [-h] [-v] [-j] [-l]
> [instance] {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-nsstate,ldifgen,dsrc,cockpit,dblib} ...
> dsctl: error: argument {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-nsstate,ldifgen,dsrc,cockpit,dblib}: invalid choice: 'display' (choose from 'restart', 'start', 'stop', 'status', 'remove', 'db2index', 'db2bak', 'db2ldif', 'dbverify', 'bak2db', 'ldif2db', 'backups', 'ldifs', 'tls', 'healthcheck', 'get-nsstate', 'ldifgen', 'dsrc', 'cockpit', 'dblib')
When calling it with an instance I am back to the "No such instance" error I had
previously.
OS is openSUSE Tumbleweed, package version is lib389-2.3.2~git53.a01e230-1.1.x86_64.
Any hints are welcome!
Kind Regards,
Johannes
--
Johannes Kastl
Linux Consultant & Trainer
Tel.: +49 (0) 151 2372 5802
Mail: kastl(a)b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg
http://www.b1-systems.de
GF: Ralph Dehner
Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
1 month, 1 week