Unable to establish replication with STARTTLS
by John Thurston
I have two hosts with 389-Directory/1.4.4.17 B2021.280.1354 on CentOS
Stream release 8 (4.18.0-448.el8.x86_64)
On a.state.ak.us, there is one instance defined (call this instance #1)
On b.state.ak.us, there are two instances defined (call them #2 and #3)
Instances #1 and #3 have GlobalSign certificates installed. Instance #2
currently has a Let's Encrypt certificate installed. All instances also
have root and intermediate certs in their databases for GlobalSign,
which are marked with Trust Flags "CT,,".
I can define instance #2 as a supplier, and define a replication
agreement which populates #3. This works with both LDAPS and STARTTLS.
If I, instead, try to define the same replication agreement on instance
#1, it fails with:
> slapi_ldap_bind - Error: could not send startTLS request: error -11
> (Connect error)
>
> NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=DS11-1to3"
> (b:389) - Replication bind with SIMPLE auth failed: LDAP error -11
> (Connect error) (error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
> (unable to get issuer certificate))
>
> slapi_ldap_bind - Error: could not send startTLS request: error -11
> (Connect error)
I am unable to figure out how instances #1 and #2 differ.
Instance #1 has long-established supplier-agreements (using both LDAPS
and STARTTLS) with other instances of 389-Directory. So I know instance
#1 can function correctly as a supplier. Instance #3 demonstrates it can
be a consumer when supplied by instance #2. I can perform LDAPS and
STARTTLS queries from a.state.ak.us to instance #3, so I know it is
listening on the network and not blocked by a host-based firewall.
Any suggestions of where to look, or config-attributes to check, would
be appreciated.
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston(a)alaska.gov
Department of Administration
State of Alaska
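As an added diagnostic (not part of this post and not 389-ds code), the script below performs the same sequence a supplier does when it opens a STARTTLS replication connection: a cleartext LDAP connect, the StartTLS extended request, then a verified TLS handshake. Run from the supplier host with the CA bundle that host trusts, it shows whether the failure is at the LDAP stage or, as in the error quoted above, at chain verification. Host, port and CA file are command-line arguments; the two sample responses are constructed, not captured traffic.

```python
"""Reproduce a supplier's StartTLS connection to a consumer and show where it fails.

Added example, not 389-ds code. The LDAP StartTLS extended request (OID
1.3.6.1.4.1.1466.20037) is encoded by hand, the response decoded, and the TLS
handshake then verified with Python's ssl module against the given CA file.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """Encode a BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def starttls_request(msg_id=1):
    """LDAPMessage { messageID INTEGER, ExtendedRequest [APPLICATION 23]
    { requestName [0] LDAPOID } }; msg_id must fit one byte (0-127) here."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    op = b"\x77" + ber_len(len(name)) + name
    body = b"\x02\x01" + bytes([msg_id]) + op
    return b"\x30" + ber_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(data):
    """Decode ExtendedResponse [APPLICATION 24] { resultCode ENUMERATED,
    matchedDN, diagnosticMessage, ... }; returns (msg_id, result_code, diag)."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse, got tag 0x{tag:02x}")
    _, code, pos = read_tlv(op)
    _, _matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


# Constructed sample responses (what a consumer would send back; not captured traffic).
SAMPLE_OK = b"\x30\x24\x02\x01\x01\x78\x1f\x0a\x01\x00\x04\x00\x04\x00\x8a\x16" + STARTTLS_OID
SAMPLE_REFUSED = b"\x30\x1d\x02\x01\x02\x78\x18\x0a\x01\x34\x04\x00\x04\x11TLS not available"


def explain_verify_error(message):
    """Turn an OpenSSL verify message (as seen in the supplier's error log) into a hint."""
    if "unable to get issuer certificate" in message or "unable to get local issuer certificate" in message:
        return ("chain could not be completed: an intermediate or root CA is neither sent by the "
                "consumer nor present in the trust store the supplier uses for this connection")
    if "certificate has expired" in message:
        return "the consumer presented an expired certificate"
    if "Hostname mismatch" in message:
        return "the host name used in the agreement is not in the consumer certificate's SAN"
    return "see the OpenSSL verify message"


def check_starttls(host, port=389, cafile=None, timeout=10):
    """Connect in the clear, request StartTLS, then verify the consumer's chain."""
    ctx = ssl.create_default_context(cafile=cafile)   # chain + hostname verification on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request(1))
        _, code, diag = parse_extended_response(sock.recv(4096))  # assumes one read suffices
        if code != 0:
            return {"stage": "ldap", "ok": False, "detail": f"resultCode {code}: {diag}"}
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLCertVerificationError as err:
            return {"stage": "tls", "ok": False, "detail": err.verify_message,
                    "hint": explain_verify_error(err.verify_message)}
        cert = tls.getpeercert()
        tls.close()
        return {"stage": "ok", "ok": True, "subject": cert.get("subject"),
                "issuer": cert.get("issuer")}


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    cafile = sys.argv[3] if len(sys.argv) > 3 else None   # PEM bundle with the CA chain
    print(check_starttls(host, port, cafile))
```

Running it once with only the GlobalSign root in the PEM file and once with the root plus intermediate separates "the consumer does not send its intermediate" from "the supplier does not trust the intermediate", which is the distinction the quoted error does not make on its own.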
Announcing 389 Directory Server 2.2.8
by Mark Reynolds
389 Directory Server 2.2.8
The 389 Directory Server team is proud to announce 389-ds-base version 2.2.8
Fedora packages are available on Fedora 37
Koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=101293586
Bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-2023-560cd47894
The new packages and versions are:
* 389-ds-base-2.2.8-2
Source tarballs are available for download at:
https://github.com/389ds/389-ds-base/archive/389-ds-base-2.2.8.tar.gz
Highlights in 2.2.8
* New LDAP Alias Entries plugin
* Provide a history for LastLoginTime
* New Password Administrator feature to skip updating the target
entry’s password state attributes
* New Account Policy plugin feature allows you to enforce both
inactivity and expiration at the same time
* UI - replication monitor report can be loaded and saved in the
.dsrc file
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.2.8
* Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)
* Issue 5770 - RFE - Extend Password Administrators to allow skipping
password info updates
* Issue 5768 - CLI/UI - cert checks are too strict, and other issues
* Issue 5765 - Improve installer selinux handling
* Issue 5643 - Memory leak in entryrdn during delete (#5717)
* Issue 152 - RFE - Add support for LDAP alias entries
* Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)
* Issue 5704 - crash in sync_refresh_initial_content (#5720)
* Issue 5738 - RFE - UI - Read/write replication monitor info to
.dsrc file
* Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity
and expiration at the same time
* Bump version to 2.2.7-2
* Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)
* Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
* Issue 5714 - UI - fix typo, db settings, log settings, and LDAP
editor paginations
* Issue 5710 - subtree search statistics for index lookup does not
report ancestorid/entryrdn lookups (#5711)
* Issue 1081 - Stop schema replication from overwriting x-origin
* Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
* Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5692)
* Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5691)
* Issue 5687 - UI - sensitive information disclosure
* Issue 4583 - Update specfile to skip checks of ASAN builds
* Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)
* Issue 3604 - UI - Add support for Subject Alternative Names in CSR
* Issue 5600 - buffer overflow when enabling sync repl plugin when
dynamic plugins is enabled
* Fix build break
* Issue 5640 - Update logconv for new logging format
* Issue 5545 - A random crash in import over lmdb (#5546)
* Issue 5490 - tombstone in entryrdn index with lmdb but not with
bdb (#5498)
* Issue 5408 - lmdb import is slow (#5481)
* Issue 5162 - CI - fix error message for invalid pem file
* Issue 5598 - In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5604)
* Issue 5671 - covscan - clang warning (#5672)
* Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
* Issue 5666 - CLI - Add timeout parameter for tasks
* Issue 5567 - CLI - make ldifgen use the same default ldif name for
all options
* Issue 5162 - Lib389 - verify certificate type before adding
* Issue 5630 - CLI - need to add logging filter for stdout
* Issue 5646 - CLI/UI - do not hardcode password storage schemes
* Issue 5640 - Update logconv for new logging format
* Issue 5652 - Libasan crash in replication/cascading_test (#5659)
* Issue 5658 - CLI - unable to add attribute with matching rule
* Issue 5653 - covscan - fix invalid dereference
* Issue 5648 - Covscan - Compiler warnings (#5651)
* Issue 5630 - CLI - error messages should goto stderr
* Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
* Issue 5632 - CLI - improve error handling with db2ldif
* Issue 5578 - dscreate ds-root does not normalize paths (#5613)
* Issue 5560 - dscreate run by non superuser set defaults requiring
superuser privilege (#5579)
* Issue 5624 - RFE - UI - export certificates, and import text base64
encoded certificates
* Issue 4293 - RFE - CLI - add dsrc options for setting user and
group subtrees
* Issue 5497 - boolean attributes should be case insensitive
--
Directory Server Development Team
Announcing 389 Directory Server 2.3.4
by Mark Reynolds
389 Directory Server 2.3.4
The 389 Directory Server team is proud to announce 389-ds-base version 2.3.4
Fedora packages are available on Fedora 38
Koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=101288860
Bodhi: https://bodhi.fedoraproject.org/updates/FEDORA-2023-6b49d21832
The new packages and versions are:
* 389-ds-base-2.3.4-1
Source tarballs are available for download at:
https://github.com/389ds/389-ds-base/archive/389-ds-base-2.3.4.tar.gz
Highlights in 2.3.4
* New LDAP Alias Entries plugin
* Provide a history for LastLoginTime
* New Password Administrator feature to skip updating the target
entry’s password state attributes
* New Account Policy plugin feature allows you to enforce both
inactivity and expiration at the same time
* UI - replication monitor report can be loaded and saved in the
.dsrc file
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.3.4
* Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)
* Issue 5770 - RFE - Extend Password Administrators to allow skipping
password info updates
* Issue 5768 - CLI/UI - cert checks are too strict, and other issues
* Issue 5765 - Improve installer selinux handling
* Issue 5643 - Memory leak in entryrdn during delete (#5717)
* Issue 152 - RFE - Add support for LDAP alias entries
* Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)
* Issue 5704 - crash in sync_refresh_initial_content (#5720)
* Issue 5738 - RFE - UI - Read/write replication monitor info to
.dsrc file
* Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity
and expiration at the same time
* Issue 2562 - Copy config files into backup directory
* Bump version to 2.3.4
* Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
* Issue 5718 - Memory leak in connection table (#5719)
* Issue 5705 - Add config parameter to close client conns on failed
bind (#5712)
* Issue 5714 - UI - fix typo, db settings, log settings, and LDAP
editor paginations
* Issue 5701 - CLI - Fix referral mode setting (#5708)
* Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)
* Issue 5710 - subtree search statistics for index lookup does not
report ancestorid/entryrdn lookups (#5711)
* Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)
* Issue 1081 - Stop schema replication from overwriting x-origin
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5706)
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5681)
* Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
* Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5692)
* Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5691)
* Issue 5687 - UI - sensitive information disclosure
* Issue 5661 - LMDB hangs while Rebuilding the replication changelog
RUV (#5676)
* Issue 5554 - Add more tests to security_basic_test suite
* Issue 4583 - Update specfile to skip checks of ASAN builds
* Issue 4758 - Add tests for WebUI
* Issue 3604 - UI - Add support for Subject Alternative Names in CSR
* Issue 5600 - buffer overflow when enabling sync repl plugin when
dynamic plugins is enabled
* Issue 5640 - Update logconv for new logging format
* Issue 5162 - CI - fix error message for invalid pem file
* Issue 5598 - In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5604)
* Issue 5671 - covscan - clang warning (#5672)
* Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
* Issue 5666 - CLI - Add timeout parameter for tasks
* Issue 5567 - CLI - make ldifgen use the same default ldif name for
all options
* Issue 5647 - Fix unused variable warning from previous commit (#5670)
* Issue 5162 - Lib389 - verify certificate type before adding
* Issue 5642 - Build fails against setuptools 67.0.0
* Issue 5630 - CLI - need to add logging filter for stdout
* Issue 5646 - CLI/UI - do not hardcode password storage schemes
* Issue 5640 - Update logconv for new logging format
* issue 5647 - covscan: memory leak in audit log when adding
entries (#5650)
* Issue 5658 - CLI - unable to add attribute with matching rule
* Issue 5653 - covscan - fix invalid dereference
* Issue 5652 - Libasan crash in replication/cascading_test (#5659)
* Issue 5628 - Handle graceful timeout in CI tests (#5657)
* Issue 5648 - Covscan - Compiler warnings (#5651)
* Issue 5630 - CLI - error messages should goto stderr
* Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
* Issue 5632 - CLI - improve error handling with db2ldif
* Issue 5517 - Replication conflict CI test sometime fails (#5518)
* Issue 5634 - Deprecated warning related to github action workflow
code (#5635)
* Issue 5637 - Covscan - fix Buffer Overflows (#5638)
* Issue 5624 - RFE - UI - export certificates, and import text base64
encoded certificates
* Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)
* Issue 4577 - Add LMDB pytest github action (#5627)
* Issue 4293 - RFE - CLI - add dsrc options for setting user and
group subtrees
* Remove stale libevent(-devel) dependency
* Issue 5578 - dscreate ds-root does not normalize paths (#5613)
* Issue 5497 - boolean attributes should be case insensitive
--
Directory Server Development Team
Announcing 389 Directory Server 2.4.1
by Mark Reynolds
389 Directory Server 2.4.1
The 389 Directory Server team is proud to announce 389-ds-base version 2.4.1
Fedora packages are available on Rawhide (f39)
Koji: https://koji.fedoraproject.org/koji/taskinfo?taskID=101287079
The new packages and versions are:
* 389-ds-base-2.4.1-1
Source tarballs are available for download at:
https://github.com/389ds/389-ds-base/archive/389-ds-base-2.4.1.tar.gz
Highlights in 2.4.1
* LDAP Alias Entries plugin
* New Password Administrator feature to skip updating the target
entry’s password state attributes
* New Account Policy plugin feature allows you to enforce both
inactivity and expiration at the same time
* UI - replication monitor report can be loaded and saved in the
.dsrc file
* Provide a history for LastLoginTime
Installation and Upgrade
See Download <https://www.port389.org/docs/389ds/download.html> for
information about setting up your yum repositories.
To install the server use *dnf install 389-ds-base*
To install the Cockpit UI plugin use *dnf install cockpit-389-ds*
After rpm install completes, run *dscreate interactive*
For upgrades, simply install the package. There are no further
steps required.
There are no upgrade steps besides installing the new rpms
See Install_Guide
<https://www.port389.org/docs/389ds/howto/howto-install-389.html> for
more information about the initial installation and setup
See Source <https://www.port389.org/docs/389ds/development/source.html>
for information about source tarballs and SCM (git) access.
Feedback
We are very interested in your feedback!
Please provide feedback and comments to the 389-users mailing list:
https://lists.fedoraproject.org/admin/lists/389-users.lists.fedoraproject...
If you find a bug, or would like to see a new feature, file it in our
GitHub project: https://github.com/389ds/389-ds-base
* Bump version to 2.4.1
* Issue 5770 - RFE - Extend Password Administrators to allow skipping
password info updates
* Issue 5768 - CLI/UI - cert checks are too strict, and other issues
* Issue 5722 - fix compilation warnings (#5771)
* Issue 5765 - Improve installer selinux handling
* Issue 152 - RFE - Add support for LDAP alias entries
* Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)
* Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)
* Issue 5722 - RFE When a filter contains ‘nsrole’, improve response
time by rewriting the filter (#5723)
* Issue 5704 - crash in sync_refresh_initial_content (#5720)
* Issue 5738 - RFE - UI - Read/write replication monitor info to
.dsrc file
* Issue 5156 - build warnings (#5758)
* Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity
and expiration at the same time
* Issue 5743 - Disabling replica crashes the server (#5746)
* Issue 2562 - Copy config files into backup directory
* Issue 5156 - fix build breakage from slapi-memberof commit
* Issue 4758 - Add tests for WebUI
* Bump version to 2.4.0
* Issue 5156 - RFE that implement slapi_memberof (#5694)
* Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)
* Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
* Issue 4758 - Add tests for WebUI
* Issue 5718 - Memory leak in connection table (#5719)
* Issue 5705 - Add config parameter to close client conns on failed
bind (#5712)
* Issue 4758 - Add tests for WebUI
* Issue 5643 - Memory leak in entryrdn during delete (#5717)
* Issue 5714 - UI - fix typo, db settings, log settings, and LDAP
editor paginations
* Issue 5701 - CLI - Fix referral mode setting (#5708)
* Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)
* Issue 5710 - subtree search statistics for index lookup does not
report ancestorid/entryrdn lookups (#5711)
* Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)
* Issue 1081 - Stop schema replication from overwriting x-origin
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5706)
* Issue 4812 - Listener thread does not scale with a high num of
established connections (#5681)
* Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
* Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5692)
* Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5691)
* Issue 5687 - UI - sensitive information disclosure
* Issue 5661 - LMDB hangs while Rebuilding the replication changelog
RUV (#5676)
* Issue 5554 - Add more tests to security_basic_test suite
* Issue 4583 - Update specfile to skip checks of ASAN builds
* Issue 4758 - Add tests for WebUI
* Issue 3604 - UI - Add support for Subject Alternative Names in CSR
* Issue 5600 - buffer overflow when enabling sync repl plugin when
dynamic plugins is enabled
* Issue 5640 - Update logconv for new logging format
* Issue 5162 - CI - fix error message for invalid pem file
* Issue 5598 - In 2.x, SRCH throughput drops by 10% because of
handling of referral (#5604)
* Issue 5671 - covscan - clang warning (#5672)
* Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
* Issue 5666 - CLI - Add timeout parameter for tasks
* Issue 5567 - CLI - make ldifgen use the same default ldif name for
all options
* Issue 5647 - Fix unused variable warning from previous commit (#5670)
* Issue 5162 - Lib389 - verify certificate type before adding
* Issue 5642 - Build fails against setuptools 67.0.0
* Issue 5630 - CLI - need to add logging filter for stdout
* Issue 5646 - CLI/UI - do not hardcode password storage schemes
* Issue 5640 - Update logconv for new logging format
* issue 5647 - covscan: memory leak in audit log when adding
entries (#5650)
* Issue 5658 - CLI - unable to add attribute with matching rule
* Issue 5653 - covscan - fix invalid dereference
* Issue 5652 - Libasan crash in replication/cascading_test (#5659)
* Issue 5628 - Handle graceful timeout in CI tests (#5657)
* Issue 5648 - Covscan - Compiler warnings (#5651)
* Issue 5630 - CLI - error messages should goto stderr
* Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
* Issue 5632 - CLI - improve error handling with db2ldif
* Issue 5517 - Replication conflict CI test sometime fails (#5518)
* Issue 5634 - Deprecated warning related to github action workflow
code (#5635)
* Issue 5637 - Covscan - fix Buffer Overflows (#5638)
* Issue 5624 - RFE - UI - export certificates, and import text base64
encoded certificates
* Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)
* Issue 4577 - Add LMDB pytest github action (#5627)
* Issue 4293 - RFE - CLI - add dsrc options for setting user and
group subtrees
* Remove stale libevent(-devel) dependency
* Issue 5578 - dscreate ds-root does not normalize paths (#5613)
* Issue 5497 - boolean attributes should be case insensitive
--
Directory Server Development Team
Re: Subsuffixes not displaying
by Pierre Rogier
Hi Jason,
Sorry for the late answer.
Thank you for this interesting piece of information!
I double-checked on the latest version and this time I got the same
behaviour: a one-level scoped search does not return the sub-suffix.
So it is a plain bug.
FYI: I created issue https://github.com/389ds/389-ds-base/issues/5772
Regards,
Pierre
On Fri, May 12, 2023 at 5:30 PM Jason Villarroel <jvillarr(a)fiu.edu> wrote:
> Good morning Pierre,
>
> We tested something different this time.
>
> We created a new root suffix on the same server called dc=oestest,dc=fiu
> and created a sub suffix ou=testentry,ou=oestest,dc=fiu and still
> encountered same behavior.
>
> Performing the search ldapsearch -D "cn=manager" -W -b cn=config
> "(objectclass=nsMappingTree)" displayed the test entry having
> dc=oestest,dc=fiu as the parent suffix.
>
> dn: cn=dc\3Doestest\2Cdc\3Dfiu,cn=mapping tree,cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsMappingTree
> cn: dc=oestest,dc=fiu
> cn: dc\=oestest\,dc\=fiu
> nsslapd-state: backend
> nsslapd-backend: testoestest
>
> # ou\3Dtestentry\2Cdc\3Doestest\2Cdc\3Dfiu, mapping tree, config
> dn: cn=ou\3Dtestentry\2Cdc\3Doestest\2Cdc\3Dfiu,cn=mapping tree,cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsMappingTree
> cn: ou=testentry,dc=oestest,dc=fiu
> cn: ou\=testentry\,dc\=oestest\,dc\=fiu
> nsslapd-state: backend
> nsslapd-backend: testentrydb
> nsslapd-parent-suffix: dc=oestest,dc=fiu
>
> Using an ldap browser and using the manager account with the base dn of
> the root suffix only displayed the root suffix and not the subsuffix.
> Similar behavior was seen when running an ldap search with the -s one
> parameter. If the ldapsearch was performed with the -s sub parameter, then
> the OU was displayed.
>
> It seems that with this version subsuffixes on different databases are not
> displayed and only OUs from the root suffix are displayed.
>
> Please advise.
>
> Jason Villarroel
> Systems Administrator
> Florida International University
> Division of Information Technology – Enterprise Systems
> PC 120
> 305-348-2687 (Office)
> 305-348-3686 (Fax)
--
389 Directory Server Development Team
Re: Subsuffixes not displaying
by Pierre Rogier
I do not have this behavior on a very recent version based on the main branch:
Instance "supplier1" has been restarted
+ exec ldapsearch -Q -LLL -Y EXTERNAL -H
ldapi://%2fhome%2fprogier%2fsb%2f389%2ftst%2fci-install%2fvar%2frun%2fslapd-supplier1.socket
-b cn=config '(objectClass=nsMappingTree)'
dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=example,dc=com
cn: dc\=example\,dc\=com
nsslapd-state: backend
nsslapd-backend: userroot
nsslapd-referral: ldap://linux.home:5556/dc%3Dexample%2Cdc%3Dcom

dn: cn=dc\3Dfoo\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=foo,dc=example,dc=com
cn: dc\=foo\,dc\=example\,dc\=com
nsslapd-state: backend
nsslapd-backend: be2
nsslapd-parent-suffix: dc=example,dc=com

+ exec ldapsearch -Q -LLL -Y EXTERNAL -H
ldapi://%2fhome%2fprogier%2fsb%2f389%2ftst%2fci-install%2fvar%2frun%2fslapd-supplier1.socket
-b dc=example,dc=com dc=foo
dn: dc=foo,dc=example,dc=com
objectClass: top
objectClass: domain
dc: foo
description: dc=foo,dc=example,dc=com
Using the directory manager account rules out aci issues so I am puzzled.
I wonder if it could be specific to the 389-ds-base-2.2.6-2.el8.x86_64
version
but I am surprised because the 389ds 2.2.6 version is only a few months
old ...
A last point: have you restarted the instance after changing the orphan
flags?
On Thu, May 4, 2023 at 3:55 PM Jason Villarroel <jvillarr(a)fiu.edu> wrote:
> Hello Pierre,
>
> We created a new root suffix on one of our DR servers called
> dc=oestest,dc=fiu and created a sub suffix ou=testentry,ou=oestest,dc=fiu
> and still encountered same behavior.
>
> Performing the search ldapsearch -D "cn=manager" -W -b cn=config
> "(objectclass=nsMappingTree)" displayed the test entry having
> dc=oestest,dc=fiu as the parent suffix.
>
> dn: cn=dc\3Doestest\2Cdc\3Dfiu,cn=mapping tree,cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsMappingTree
> cn: dc=oestest,dc=fiu
> cn: dc\=oestest\,dc\=fiu
> nsslapd-state: backend
> nsslapd-backend: testoestest
>
> # ou\3Dtestentry\2Cdc\3Doestest\2Cdc\3Dfiu, mapping tree, config
> dn: cn=ou\3Dtestentry\2Cdc\3Doestest\2Cdc\3Dfiu,cn=mapping tree,cn=config
> objectClass: top
> objectClass: extensibleObject
> objectClass: nsMappingTree
> cn: ou=testentry,dc=oestest,dc=fiu
> cn: ou\=testentry\,dc\=oestest\,dc\=fiu
> nsslapd-state: backend
> nsslapd-backend: testentrydb
> nsslapd-parent-suffix: dc=oestest,dc=fiu
>
> Using an ldap browser and using the manager account with the base dn
> of the root suffix only displayed the root suffix and not the subsuffix.
> Similar behavior was seen when running an ldap search with the -s one
> parameter. If the ldapsearch was performed with the -s sub parameter, then
> the OU was displayed.
>
> It seems that with this version subsuffixes on different databases are not
> displayed and only OUs from the root suffix are displayed.
>
> Please advise.
>
> Thank you.
>
> <Data snipped to comply with the 100K limit>
>
> --
> 389 Directory Server Development Team
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
--
389 Directory Server Development Team
2 weeks, 1 day
Re: Subsuffixes not displaying
by Pierre Rogier
Hi Jason,
In theory you should be able to have the same behavior:
Here is a small table that summarizes the behavior.

                                               | Old version                                          | New version
                                               | subsuffix                    | 2 suffixes             | subsuffix                    | 2 suffixes
subtree search behavior on "parent" suffix     | see entries on both suffixes | see only parent suffix | see entries on both suffixes | see only parent suffix
subsuffix mapping tree attribute:              | set                          | unset                  | ignored                      | ignored
  nsslapd-parent-suffix                        |                              |                        |                              |
subsuffix mapping tree attribute: orphan       | N/A                          | N/A                    | unset                        | set
default when using "dsconf backend create      | No                           | Yes                    | Yes                          | No
  --suffix subsuffix" without setting          |                              |                        |                              |
  --parent-suffix                              |                              |                        |                              |

IMHO you should first check the mapping tree entries, i.e.
ldapsearch -b cn=config "(objectclass=nsMappingTree)"
In your case you should not orphan the subsuffix, as you want to be able to
get the subsuffix entries while searching the parent suffix.
Regards,
Pierre
On Wed, May 3, 2023 at 5:56 PM Jason Villarroel <jvillarr(a)fiu.edu> wrote:
> Hello,
>
> We are having an issue when using an ldap browser or even the ldapsearch
> command: subsuffixes that are on a separate backend database are not
> displayed when specifying the parent suffix as the base dn. In previous
> versions, when specifying the parent suffix as the base dn, the subsuffixes
> were listed. Currently only entries related to the primary userRoot
> database are displayed. The root dse also does not display the subsuffixes.
>
> If we run the "dsconf INSTANCE backend suffix set --enable-orphan dbname"
> command the missing suffix appears in the root dse but still does not
> appear when listing the entries in the base dn.
>
> The subsuffixes are accessible if we specify them as the base dn or access
> them via the built-in ldap browser in cockpit.
>
> You can perform the following ldap search on V11 and V12 and will see the
> differences in the results:
>
> ldapsearch -D "cn=manager" -W -b "dc=example,dc=com" -s one -x
> "(objectclass=*)" dn
>
> V11 returns
>
> # numResponses: 15
> # numEntries: 14
>
> V12 returns
>
> # numResponses: 12
> # numEntries: 11
>
> Version we have installed
>
> 389-ds-base-libs-2.2.6-2.el8.x86_64
> 389-ds-base-2.2.6-2.el8.x86_64
>
> Previous versions we were running
>
> 389-ds-base-libs-1.4.3.13-1
> 389-ds-base-1.4.3.13-1
>
> Jason Villarroel
> Systems Administrator
> Florida International University
> Division of Information Technology - Enterprise Systems
> PC 120
> 305-348-2687 (Office)
> 305-348-3686 (Fax)
--
389 Directory Server Development Team
3 weeks, 2 days
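The mapping-tree entries Jason posted in his follow-up and the table in Pierre's answer both turn on the same question: for each suffix that lives on its own backend, does the mapping tree tie it to a parent suffix, or does it stand alone as a second root that a subtree search on the parent never reaches? The script below is an added example for this thread, not code from the 389-ds project or the lib389 tools. It parses the LDIF that the quoted ldapsearch against cn=config prints (folded lines, comments, base64 values, RFC 4514 hex escapes in the RDN), then compares each entry's nsslapd-parent-suffix with where its DN actually sits among the other mapped suffixes. A result of "linked" corresponds to the "subsuffix" column of Pierre's table, "detached" to the "2 suffixes" column. The sample LDIF is constructed from the two posted entries plus a hypothetical dc=example,dc=com pair; the orphan flag Pierre refers to does not appear in the posted output, so the check does not read it, and on 2.x, per the table, that flag rather than nsslapd-parent-suffix decides the search behavior. From an audit standpoint the "detached" rows are the ones to look at: an access review or account inventory that enumerates from the parent base will silently miss every entry under them.

```python
# Added example for this thread, not 389-ds or lib389 code: classify the suffixes
# in a mapping-tree export by how their DNs nest and what parent they declare.
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: the two entries posted in the thread (trimmed) plus a
# hypothetical dc=example,dc=com pair whose nested suffix declares no parent.
SAMPLE_LDIF = r"""
# dc\3Doestest\2Cdc\3Dfiu, mapping tree, config
dn: cn=dc\3Doestest\2Cdc\3Dfiu,cn=mapping tree,cn=config
objectClass: nsMappingTree
cn: dc=oestest,dc=fiu
nsslapd-backend: testoestest

dn: cn=ou\3Dtestentry\2Cdc\3Doestest\2Cdc\3Dfiu,cn=mapping tree,cn=config
objectClass: nsMappingTree
cn: ou=testentry,dc=oestest,dc=fiu
nsslapd-backend: testentrydb
nsslapd-parent-suffix: dc=oestest,dc=fiu

dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsMappingTree
nsslapd-backend: userRoot

dn: cn=ou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsMappingTree
nsslapd-backend: peopleRoot
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips comments,
    decodes '::' base64 values, returns one attribute->values dict per entry."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # unfold; "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def unescape_dn_value(value: str) -> str:
    r"""Undo RFC 4514 escaping: \3D -> '=', \2C -> ',', \= -> '=', \, -> ','."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):  # hex-escaped byte (may be part of a UTF-8 char)
                out.append(int(pair, 16))
                i += 3
            else:  # backslash-escaped special character
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")

def normalize_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))  # suffixes here carry no escaped commas

def suffix_of(entry: Dict[str, List[str]]) -> str:
    """A mapping-tree entry maps the suffix carried, escaped, in its first RDN."""
    rdn = re.split(r"(?<!\\),", entry["dn"][0], maxsplit=1)[0]  # e.g. cn=dc\3Doestest\2Cdc\3Dfiu
    return normalize_dn(unescape_dn_value(rdn.partition("=")[2]))

def analyze_mapping_tree(ldif_text: str) -> List[Dict[str, Optional[str]]]:
    """Classify each nsMappingTree entry against the other mapped suffixes."""
    nodes: Dict[str, Dict[str, Optional[str]]] = {}
    for e in parse_ldif(ldif_text):
        if any(v.lower() == "nsmappingtree" for v in e.get("objectclass", [])):
            parent = e.get("nsslapd-parent-suffix")
            nodes[suffix_of(e)] = {"backend": e.get("nsslapd-backend", [None])[0],
                                   "declared_parent": normalize_dn(parent[0]) if parent else None}
    rows = []
    for suffix, node in nodes.items():
        enclosing = [s for s in nodes if suffix.endswith("," + s)]  # mapped ancestors of this DN
        actual = max(enclosing, key=len) if enclosing else None     # the nearest one is the real parent
        declared = node["declared_parent"]
        status = ("root" if actual is None and declared is None else
                  "linked" if actual == declared else   # "subsuffix" column: parent-base searches traverse it
                  "detached" if declared is None else   # "2 suffixes" column: parent-base searches skip it
                  "mismatch")                           # declared parent is not where the DN actually sits
        rows.append({"suffix": suffix, "actual_parent": actual, "status": status, **node})
    return rows

if __name__ == "__main__":
    for row in analyze_mapping_tree(SAMPLE_LDIF):
        print(f"{row['suffix']:<34} backend={row['backend'] or '-':<12} {row['status']}")
```

To run it against a live instance, replace SAMPLE_LDIF with the output of the ldapsearch Pierre suggests (redirected to a file and read in); the parser only needs the dn, objectClass, nsslapd-backend and nsslapd-parent-suffix attributes and ignores the rest.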
Subsuffixes not displaying
by Jason Villarroel
Hello,
We are having an issue when using an ldap browser or even the ldapsearch command: subsuffixes that are on a separate backend database are not displayed when specifying the parent suffix as the base dn. In previous versions, when specifying the parent suffix as the base dn, the subsuffixes were listed. Currently only entries related to the primary userRoot database are displayed. The root dse also does not display the subsuffixes.
If we run the "dsconf INSTANCE backend suffix set --enable-orphan dbname" command the missing suffix appears in the root dse but still does not appear when listing the entries in the base dn.
The subsuffixes are accessible if we specify them as the base dn or access them via the built-in ldap browser in cockpit.
You can perform the following ldap search on V11 and V12 and will see the differences in the results:
ldapsearch -D "cn=manager" -W -b "dc=example,dc=com" -s one -x "(objectclass=*)" dn
V11 returns
# numResponses: 15
# numEntries: 14
V12 returns
# numResponses: 12
# numEntries: 11
Version we have installed
389-ds-base-libs-2.2.6-2.el8.x86_64
389-ds-base-2.2.6-2.el8.x86_64
Previous versions we were running
389-ds-base-libs-1.4.3.13-1
389-ds-base-1.4.3.13-1
Jason Villarroel
Systems Administrator
Florida International University
Division of Information Technology - Enterprise Systems
PC 120
305-348-2687 (Office)
305-348-3686 (Fax)
Division of Information Technology staff will never ask for your password.
Never email your password or share confidential information in emails.
3 weeks, 3 days
Re: 389 Ldap Cleanallruv Replica Crash
by Thierry Bordaz
Hi Juan,
Thanks for raising this issue. The crash can be reproduced and I opened
https://github.com/389ds/389-ds-base/issues/5751
It is a side effect of a CL refactoring done in 2.x branch.
best regards
thierry
On 5/2/23 21:00, Juan Quintanilla wrote:
> Hi,
>
> I recently installed 389-ds-base-libs-2.2.6-2.el8.x86_64 and
> 389-ds-base-2.2.6-2.el8.x86_64 on an Alma Linux 8 Server, but I'm
> encountering an issue with removing offline replicas from our existing
> 389 Ldap.
>
> When the command below is executed on one of the suppliers:
>
> dsconf INSTANCE_NAME repl-tasks cleanallruv --suffix
> "ou=sample,dc=test,dc=dom" --replica-id 20 --force-cleaning
>
> The entry is removed from the ldap supplier, and when the change is
> sent to the secondary supplier it is also removed with no problem.
> The issue is when the change is sent to the consumer, the slapd
> process will instantly crash. When the consumer instance is brought
> back up the entry that needed to be removed is gone.
>
> Has anyone encountered a similar issue with the consumers crashing
> during a cleanallruv request or cleanruv?
>
> I also tried running a cleanruv task on each server, suppliers have no
> issue. When the command is run on the readonly consumers the slapd
> process crashes.
>
> ldapmodify -x -D "cn=manager" -W <<EOF
> dn: cn=replica,cn=ou\3Dsample\2Cdc\3Dtest\2Cdc\3Ddom,cn=mapping tree,cn=config
> changetype: modify
> replace: nsds5task
> nsds5task: CLEANRUV20
> EOF
>
> There is no recorded error in the logs to indicate the reason for the
> crash.
>
> Thanks!
>
> Juan
3 weeks, 4 days