------------------------------------------------------------------------
*From:* Michael Starling <mlstarling31(a)hotmail.com>
*Sent:* Friday, August 13, 2021 10:41 AM
*To:* Mark Reynolds <mreynolds(a)redhat.com>; General discussion list
for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
*Subject:* Re: [389-users] How to replicate password lockout
attributes from a consumer or hub to a master(s)
------------------------------------------------------------------------
*From:* Michael Starling <mlstarling31(a)hotmail.com>
*Sent:* Thursday, August 12, 2021 3:29 PM
*To:* Mark Reynolds <mreynolds(a)redhat.com>; General discussion list
for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
*Subject:* Re: [389-users] How to replicate password lockout
attributes from a consumer or hub to a master(s)
------------------------------------------------------------------------
*From:* Mark Reynolds <mreynolds(a)redhat.com>
*Sent:* Thursday, August 12, 2021 3:16 PM
*To:* Michael Starling <mlstarling31(a)hotmail.com>; General discussion
list for the 389 Directory server project.
<389-users(a)lists.fedoraproject.org>
*Subject:* Re: [389-users] How to replicate password lockout
attributes from a consumer or hub to a master(s)
On 8/12/21 2:33 PM, Michael Starling wrote:
>
>
> ------------------------------------------------------------------------
> *From:* Mark Reynolds <mreynolds(a)redhat.com>
> <mailto:mreynolds@redhat.com>
> *Sent:* Thursday, August 12, 2021 11:48 AM
> *To:* General discussion list for the 389 Directory server project.
> <389-users(a)lists.fedoraproject.org>
> <mailto:389-users@lists.fedoraproject.org>; Michael Starling
> <mlstarling31(a)hotmail.com> <mailto:mlstarling31@hotmail.com>
> *Subject:* Re: [389-users] How to replicate password lockout
> attributes from a consumer or hub to a master(s)
>
>
> On 8/12/21 10:53 AM, Michael Starling wrote:
>> Hello.
>>
>> I've taken over a large 389-ds environment running on Oracle Linux 8
>> and the first task I need to complete is to enable password lockouts.
>>
>>
>>
>> I was able to enable password lockouts successfully however it only
>> works if the client is pointed directly to a master. The account
>> locks out and the attributes are propagated down to the hubs and
>> consumers.
>>
>> If the client is pointed to a read-only hub or consumer then the
>> account does not lockout and the password attributes do not
>> propagate back to the masters.
>>
>> *passwordIsGlobalPolicy*: on is set on all masters, hubs and consumers
>>
>> Password policy attributes I expect to replicate:
>>
>> *passwordRetryCount*
>> *accountUnlockTime*
>> *retryCountResetTime*
>>
>> I've tried following the chaining guide below which I think is what
>> I need to do to get this work as expected, however I've hit a snag.
>>
>>
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
>>
<
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
>> 389 Directory Server - Howto:ChainOnUpdate
>>
<
https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate....
>> Introduction. The usual deployment for a large replication topology
>> will have the client applications reading from hubs or dedicated
>> consumers in order to spread out the load and off-load search
>> request processing from the masters.
>>
directory.fedoraproject.org
>>
>> The document states the backend must be added to the hub or
>> consumer, however when I try and add the following LDIF to the hub I
>> get the "unwilling to perform" error.
>>
>> This makes sense because the hub is read-only so I'm confused as how
>> I can update the config on a read-only hub or consumer?
>>
>> dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
>> objectclass: top
>> objectclass: extensibleObject
>> objectclass: nsBackendInstance
>> cn: chainlab
>> nsslapd-suffix: dc=domain,dc=com
>> nsfarmserverurl: ldap://dsa1.domain.com:389
>> ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389
>> nsmultiplexorbinddn: uid=repluser,cn=config
>> nsmultiplexorcredentials: mypassword
>> nsCheckLocalACI: on
>>
>> adding new entry "cn=chainlab,cn=chaining
database,cn=plugins,cn=config"
>> ldap_add: Server is unwilling to perform (53)
>
> This is the doc you want to follow to get this working. But it is
> complicated...
>
>
> In this case I'm not sure why the error 53 is being returned. There
> is something about that entry it does not like. So please check the
> access and errors log from the time of this failure (see
> /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info
> logged when an error 53 happens.
>
>
> Also what version of 389-ds-base are you running?
>
>
> Thanks,
> Mark
>
>>
>> Hub or Consumer
>>
>> Step 1 (Hub and Consumer): the chaining backend must be created on
>> the hub and consumer:
>>
>> |dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
>> objectclass: top objectclass: extensibleObject
>> objectclass: nsBackendInstance cn: chainbe1 nsslapd-suffix: <suffix
>> to replicate>
>>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
>>
# of ldap for secure connections -
>>
# requires the secure port
>>
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
>> nsmultiplexorcredentials: password nsCheckLocalACI: on |
>>
>> Any help would be greatly appreciated.
>>
>> Thanks
>>
>> _______________________________________________
>> 389-users mailing list --389-users(a)lists.fedoraproject.org
<mailto:389-users@lists.fedoraproject.org>
>> To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org
<mailto:389-users-leave@lists.fedoraproject.org>
>> Fedora Code of
Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/
<
https://docs.fedoraproject.org/en-US/project/code-of-conduct/>
>> List
Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines
<
https://fedoraproject.org/wiki/Mailing_list_guidelines>
>> List
Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe...
<
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
>> Do not reply to spam on the list, report
it:https://pagure.io/fedora-infrastructure
<
https://pagure.io/fedora-infrastructure>
> --
> Directory Server Development Team
>
> Thanks for getting me the right track Mark. Looks like the
> "nsFarmServerURL" is not correct.
>
> Versions:
>
> 389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
> 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
>
> I thought I was maybe hitting the bug described below so I added a
> trailing "/" but the issue persists.
>
>
https://bugzilla.redhat.com/show_bug.cgi?id=1363970
> <
https://bugzilla.redhat.com/show_bug.cgi?id=1363970>
>
> nsfarmserverurl: ldap://dsa1.domain.com:389
> ldap://dsa2.domain.com:389 ldap://dsa3.domain.com:389*/*
>
> This is what I see in the logs on the hub when trying to add the LDIF.
>
> The idea is for the hub to send these password attributes back to all
> masters.
>
> These are the masters in the environment.
> ldap://dsa1.domain.com:389
> ldap://dsa2.domain.com:389
> ldap://dsa3.domain.com:389
> [12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database -
> cb_instance_config_initialize -*Error with config attribute
> nsfarmserverurl : not a valid LDAP URL*
> [12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab.
> [12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database -
> cb_instance_config_initialize - Error with config attribute
> nsfarmserverurl : not a valid LDAP URL
> [12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab.
> [12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database -
> cb_instance_config_initialize - Error with config attribute
> nsfarmserverurl : not a valid LDAP URL
> [12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab.
> [12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database -
> cb_instance_config_initialize - Error with config attribute
> nsfarmserverurl : not a valid LDAP URL
> [12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database -
> cb_instance_add_config_check_callback - Can't instantiate chaining
> backend instance chainlab
>
>
Ok, I think its not liking the multiple values in the attribute, even
though the document says you have multiple urls. I think you need to
add the config like this:
nsfarmserverurl: ldap://dsa1.domain.com:389
nsfarmserverurl: ldap://dsa2.domain.com:389
nsfarmserverurl: ldap://dsa3.domain.com:389
Give it a try?
HTH,
Mark
--
Directory Server Development Team
Looks like it only added the first entry. Do I need to add an entry for each MAster?
dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
*nsfarmserverurl: ldap://dsa1.domain.com:389*
nsmultiplexorbinddn: uid=replicator,cn=config
nsmultiplexorcredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA==
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15
nsusestarttls: off
Hi Mark.
I tried adding the subsequent URL's and it doesn't allow multiple entries for
this attribute.
It appears all the URLS need to be part of the one*nsfarmserverurl***attribute*.*
**
*ldap_initialize(
ldap://dsa4.domain.com )**
add nsFarmServerURL:
ldap://dsa2.domain.com:389
modifying entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)*
* additional info: Adding attributes is not allowed***
**
*I believe I have this working now.*
**
*Thank you Mark for getting me pointed in the right direction.*
Were you able to set multiple urls? Or did you just go with one for now?
Mark
--
Directory Server Development Team