In our set-up, we have a DB with all the users and groups, which we use as ground truth for provisioning the aforementioned objects in FreeIPA (2 master servers + replicas).
We are continuously synchronizing entries (~60000 users and 60000 groups, where groups might have 0 to 20000 members) from the DB to FreeIPA. In each sync cycle, we figure out the differences and add, delete, or change existing entries.
The first sync (through which we had to import all 120000 objects) clogged the server totally, and after tweaking the 389DS we ended up disabling the memberOf plugin where it finally worked (we followed the FreeIPA documentation).
One piece of advice is to do the sync and then run the fixup task on the server where the provisioning happened.
The fixup still clogs the server after some point and stops.
The errors we get in the log are the following:
[06/May/2020:18:16:59.862308719 +0200] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(|(objectclass=inetuser)(objectclass=inetadmin)(objectclass=nsmemberof))") ...
[06/May/2020:20:07:49.545606214 +0200] - ERR - libdb - BDB2055 Lock table is out of available lock entries
[06/May/2020:20:07:49.547921580 +0200] - ERR - idl_new_delete_key - idl_new.c BAD 22, err=12 Cannot allocate memory
[06/May/2020:20:07:49.548930035 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1130, err=12 Cannot allocate memory
[06/May/2020:20:07:49.549779631 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1140, err=12 Cannot allocate memory
[06/May/2020:20:07:49.550612745 +0200] - ERR - index_addordel_values_ext_sv - database index operation failed BAD 1230, err=12 Cannot allocate memory
[06/May/2020:20:07:49.551444741 +0200] - ERR - index_add_mods - database index operation failed BAD 1041, err=12 Cannot allocate memory
[06/May/2020:20:07:49.552457769 +0200] - ERR - index_add_mods - database index operation failed BAD 1040, err=12 Cannot allocate memory
[06/May/2020:20:07:49.553305019 +0200] - ERR - ldbm_back_modify - index_add_mods failed, err=12 Cannot allocate memory
We increased the number of DB locks and set the `nsslapd-cache-autosize` to 50% (server has currently 13G of memory).
The only thing we saw was that one thread was using 100% of one of the CPUs.
Any advice on how to deal with this? We would really need to have the memberOf attribute.
Thank you in advance!
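The error-log lines quoted above are the symptom an operator wants to catch before the fixup task dies part-way through a 120000-object run. The following is an added example, not code from the post or from the FreeIPA/389-ds projects: it parses 389-ds error-log lines in the format shown, classifies the BDB2055 lock-table exhaustion and the err=12 (ENOMEM) index failures, and reports how long the memberOf fixup task had been running when the first failure hit. The sample log is the post's own lines joined into one string; the field layout (timestamp, level, component, message separated by " - ") is taken from those lines and assumed to hold for the rest of the log.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the 389-ds error-log lines quoted in the post above,
# joined into one string so the block runs offline.
SAMPLE_LOG = """\
[06/May/2020:18:16:59.862308719 +0200] - INFO - memberof-plugin - memberof_fixup_task_thread - Memberof task starts (filter: "(|(objectclass=inetuser)(objectclass=inetadmin)(objectclass=nsmemberof))") ...
[06/May/2020:20:07:49.545606214 +0200] - ERR - libdb - BDB2055 Lock table is out of available lock entries
[06/May/2020:20:07:49.547921580 +0200] - ERR - idl_new_delete_key - idl_new.c BAD 22, err=12 Cannot allocate memory
[06/May/2020:20:07:49.548930035 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1130, err=12 Cannot allocate memory
[06/May/2020:20:07:49.549779631 +0200] - ERR - addordel_values_sv - database index operation failed BAD 1140, err=12 Cannot allocate memory
[06/May/2020:20:07:49.550612745 +0200] - ERR - index_addordel_values_ext_sv - database index operation failed BAD 1230, err=12 Cannot allocate memory
[06/May/2020:20:07:49.551444741 +0200] - ERR - index_add_mods - database index operation failed BAD 1041, err=12 Cannot allocate memory
[06/May/2020:20:07:49.552457769 +0200] - ERR - index_add_mods - database index operation failed BAD 1040, err=12 Cannot allocate memory
[06/May/2020:20:07:49.553305019 +0200] - ERR - ldbm_back_modify - index_add_mods failed, err=12 Cannot allocate memory
"""

# "[timestamp] - LEVEL - component - message"; the message may itself contain " - ".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<rest>.*)$")
TS_RE = re.compile(
    r"^(?P<base>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) (?P<tz>[+-]\d{4})$"
)


def parse_timestamp(raw):
    """389-ds stamps with nanoseconds; strptime's %f accepts at most six digits."""
    m = TS_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised timestamp: {raw!r}")
    micro = (m.group("frac") + "000000")[:6]
    return datetime.strptime(
        f"{m.group('base')}.{micro} {m.group('tz')}", "%d/%b/%Y:%H:%M:%S.%f %z"
    )


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    component, _, message = m.group("rest").partition(" - ")
    return {
        "ts": parse_timestamp(m.group("ts")),
        "level": m.group("level"),
        "component": component,
        "message": message,
    }


def classify(message):
    """Map an ERR message to the failure class we want to alert on."""
    if "BDB2055" in message or "out of available lock entries" in message:
        return "lock_table_exhausted"
    if "err=12" in message or "Cannot allocate memory" in message:
        return "enomem"
    return None


def summarize(log_text):
    """Count failure classes and measure fixup run time until the first failure."""
    counts = Counter()
    components = set()
    fixup_started = None
    first_failure = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if "Memberof task starts" in rec["message"]:
            fixup_started = rec["ts"]
        kind = classify(rec["message"]) if rec["level"] == "ERR" else None
        if kind is None:
            continue
        counts[kind] += 1
        components.add(rec["component"])
        if first_failure is None:
            first_failure = rec["ts"]
    seconds = None
    if fixup_started is not None and first_failure is not None:
        seconds = (first_failure - fixup_started).total_seconds()
    return {
        "fixup_started": fixup_started,
        "first_failure": first_failure,
        "seconds_before_failure": seconds,
        "counts": counts,
        "components": sorted(components),
        # The lock-table error is the root symptom; the ENOMEM lines follow from it.
        "alert": counts["lock_table_exhausted"] > 0,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"alert={report['alert']} counts={dict(report['counts'])}")
    print(f"fixup ran {report['seconds_before_failure']:.0f}s before failing")
    print("failing components:", ", ".join(report["components"]))
```

Run against the live errors log (for example `/var/log/dirsrv/slapd-INSTANCE/errors`, the path being the usual 389-ds location and not something the post states) the `alert` flag is what to page on: once the lock table is exhausted, every subsequent index update in the same transaction fails with err=12, so the seven ENOMEM lines are consequences, not separate problems, and the lock count is the setting to revisit.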
Actually I can't provision new replicas due to this on CentOS 8.1:
It seems that the ipa package was compiled against an old samba version, but this samba in version 4.9.1 seems to have been removed from the mirrors by now.
dnf install samba-4.9.1
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:04:52 ago on Tue May 5 10:54:57 2020.
No match for argument: samba-4.9.1
Error: Unable to find a match: samba-4.9.1
So I tried to download the samba-4.9.1.rpm from here to manually install it, https://koji.mbox.centos.org/koji/buildinfo?buildID=460
but no success because of 403 Forbidden.
Maybe I should rather write this mail to a CentOS 8 mailing list, but I thought I would try here first, because FreeIPA is the affected tool.
Does somebody maybe know another workaround for this?
Elias Rami | Devops Engineer
Angus Clarke via FreeIPA-users wrote:
> We don't use FreeIPA passwords for user accounts; however, some accounts
> have had passwords set, which is noticed from time to time. I would like
> to revert those account passwords to the point when the user was newly
> added but the password not yet set.
> I don't see anything obvious in the documentation, perhaps there is some
> behind the scenes way of achieving this? (For reference, I used to put
> "!!" in /etc/shadow when using local files)
There is no equivalent of "no password allowed" in IPA. I think there is
or was an RFE for this at one point.
To clear out existing password attributes you'd need to use ldapmodify
and bind as the Directory Manager to remove them.
$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
<extra blank line>
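One way to prepare the ldapmodify input the reply describes, as an added example that is not part of the original reply and not FreeIPA project code: it reads `ldapsearch -LLL` output for the affected users, works out which password-related attributes each entry actually carries, and emits a `changetype: modify` LDIF that deletes only those. The attribute list `PASSWORD_ATTRS` is an assumption based on the standard IPA/Kerberos schema (userPassword plus the krb* attributes that appear once a password is set); the DNs, uids and attribute values in the sample are constructed. Emitting deletes only for attributes that are present matters because a delete of an absent attribute makes ldapmodify reject that whole entry's change.

```python
# Constructed sample of `ldapsearch -LLL` output for two users. The DNs and
# values are invented; the base64 blobs are placeholders, not real keys.
SAMPLE_SEARCH = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
uid: jdoe
userPassword:: e1BCS0RGMl9TSEEyNTZ9UExBQ0VIT0xERVJQTEFDRUhPTERFUlBMQUNFSE9M
 REVSUExBQ0VIT0xERVI=
krbPrincipalKey:: UExBQ0VIT0xERVI=
krbLastPwdChange: 20200506100000Z

dn: uid=asmith,cn=users,cn=accounts,dc=example,dc=test
uid: asmith
"""

# Assumed attribute set: standard IPA/Kerberos schema attributes that only
# exist once a password has been set. Check it against your own entries.
PASSWORD_ATTRS = (
    "userPassword",
    "krbPrincipalKey",
    "krbLastPwdChange",
    "krbPasswordExpiration",
    "krbExtraData",
)


def parse_ldif_entries(text):
    """Return [(dn, {lowercase attr: name as written})], unfolding LDIF continuation lines."""
    entries = []
    for block in text.split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # folded line: append to the previous one
            elif line and not line.startswith("#"):
                lines.append(line)
        if not lines:
            continue
        dn = None
        attrs = {}
        for line in lines:
            name = line.partition(":")[0]
            if name.lower() == "dn":
                dn = line.split(":", 1)[1].strip()
            else:
                attrs[name.lower()] = name  # values are not needed, only presence
        if dn:
            entries.append((dn, attrs))
    return entries


def build_clear_password_ldif(search_output, attrs=PASSWORD_ATTRS):
    """Emit one 'changetype: modify' record per entry that has any of `attrs` set."""
    wanted = {a.lower(): a for a in attrs}  # LDAP attribute names are case-insensitive
    records = []
    for dn, present in parse_ldif_entries(search_output):
        to_delete = [wanted[key] for key in wanted if key in present]
        if not to_delete:
            continue  # nothing to clear; skipping avoids a noSuchAttribute failure
        ops = "".join(f"delete: {name}\n-\n" for name in to_delete)
        records.append(f"dn: {dn}\nchangetype: modify\n{ops}")
    return "\n".join(records)


if __name__ == "__main__":
    print(build_clear_password_ldif(SAMPLE_SEARCH), end="")
```

Typical use: save the function's output to a file and feed it to the command from the reply with `-f`, i.e. `ldapmodify -x -D 'cn=directory manager' -W -f clear-passwords.ldif`. Take the ldapsearch snapshot immediately before running the modify, so that an attribute set in between does not cause the change to be rejected.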
1) When moving an IPA Cluster member to another VLAN, is it only
necessary to change the member's DNS entries in the primary IPA's DNS
config, then change the IP on the secondary's network config? Or are
there more steps that would need to be done?
2) Can I join an IPA client to an IPA server using an alternate
non-privileged account that has minimal permissions, instead of the
admin type account?
ipa-client-install --force-join -p admin -w "$TMPP" --fixed-primary \
  --server=$IPA01.$NDOMAIN --server=$IPA02.$NDOMAIN --domain=$NDOMAIN
I've created a user with a role that has Host Enrollment and Host
Administrators. However, perhaps Host Administrators will give too many
permissions, including removal of existing hosts. Wondering if there
isn't a more restrictive set of permissions I could give.
We don't use FreeIPA passwords for user accounts; however, some accounts have had passwords set, which is noticed from time to time. I would like to revert those account passwords to the point when the user was newly added but the password not yet set.
I don't see anything obvious in the documentation, perhaps there is some behind the scenes way of achieving this? (For reference, I used to put "!!" in /etc/shadow when using local files)
Thanks a lot
Let's suppose I have two AD groups:
In FreeIPA, I would like to give unixadmin group access to ALL FreeIPA
Whereas for the unixusers, I would like to give R/O access.
I've already done the group mappings from AD to FreeIPA.
What is the best way to achieve this? I'm finding related links online
but not quite what I'm looking for.
I did a test to see if nesting the unixadmin group within the FreeIPA
admins group would work, but I still can't log in to FreeIPA with my AD
user, despite my ID residing in the unixadmin group which in turn is
nested in the FreeIPA admins group.
This is FreeIPA 4.6.4.