[389-users] report script

2022-01-11 Thread Angel Bosch Mora
Hi, sorry for this dumb question but I've been searching for it and I can't find it anywhere. Where's the script that shows you a report of most searched objects and other performance related stuff? I remember using it in my old installations to adjust some indexes but I've been playing

[389-users] Re: fips enabled error

2021-05-17 Thread Angel Bosch Mora
> > is it possible to lower the severity of fips enabled info from ERR > > to WARN in messages like this? > Absolutely, changing it now... wow! that was truly fast :) thanks a lot for your time, abosch -- Institut Mallorqui d'Afers Socials. This message, and where applicable, any file

[389-users] fips enabled error

2021-05-17 Thread Angel Bosch Mora
Hi, is it possible to lower the severity of fips enabled info from ERR to WARN in messages like this? [17/May/2021:10:57:02.753271017 +] - ERR - slapd_system_isFIPS - Can not access /proc/sys/crypto/fips_enabled - assuming FIPS is OFF can seem a cosmetic change but it breaks my monitoring

[389-users] Re: gecos syntax

2021-05-13 Thread Angel Bosch Mora
> * sanitise the data to be ia5 compliant IE remove accents etc. I did just that and I leave it here in case anyone is facing same problem (it's a oneliner): cat original-data.ldif | perl -pe 's,^gecos:.*,`echo -n "$&" | iconv -f utf-8 -t ascii//translit`,gei' > sanitized-data.ldif in my

[389-users] gecos syntax

2021-05-12 Thread Angel Bosch Mora
I'm testing a migration from 1.2.8 to latest version and I'm facing some problem while importing data: ldap_add: Invalid syntax (21) additional info: gecos: value #0 invalid per syntax I understand that I'm using UTF8 data here (ÁLBA GARCÍA LÓPEZ) so I have two questions: why old

[389-users] Re: plugin naming

2021-05-12 Thread Angel Bosch Mora
tps://github.com/389ds/389-ds-base/blob/master/src/lib389/lib389/cli_conf/plugins/retrochangelog.py > def create_parser(subparsers): > retrochangelog = subparsers.add_parser('retro-changelog', > help='Manage > and configure Retro Changelog plugin') > > Thanks, > Marc

[389-users] Re: plugin naming

2021-05-11 Thread Angel Bosch Mora
> it was likely the right time to have this change. > and not subject to change anytime soon. > > is it possible a 389-ds-base-1.4.0 from before March 2019 till > lurking > around? > I'm using debian packages: dpkg -l | grep 389-ds-base ii 389-ds-base 1.4.4.11-1

[389-users] plugin naming

2021-05-10 Thread Angel Bosch Mora
hi, I vaguely remember discussing this some time ago but I can't find it now. what's the difference between dsconf myinstance plugin set --enabled on "Retro Changelog Plugin" and dsconf myinstance plugin retro-changelog enable ? any of them is gonna be deprecated? I also noticed

[389-users] Re: plugin names and debian packages

2021-01-28 Thread Angel Bosch Mora
> >> As sysadmin I create a lot of script to install/manage services > >> and is confusing having commands that change that often. > > You may find it "more stable" to use lib389 directly rather than the > CLI then. I think the team should talk about the CLI having an > "interface guarantee", and

[389-users] plugin names and debian packages

2021-01-27 Thread Angel Bosch Mora
hi! I'm testing my install recipes on debian and I've found two little problems. on CentOS I execute dsconf myinstance plugin retro-changelog enable but today I tried in debian and it says is an invalid choice: dsconf instance plugin: error: invalid choice: 'retro-changelog' (choose

[389-users] Re: impact of the CentOS Stream drama

2021-01-11 Thread Angel Bosch Mora
> The 'core team' does not have much involvement in the debian 389-ds > packaging process, but the debian maintainer has always been > responsive and done a great job from what I am able to observe. I > would expect there to be "very little" difference between debian and > centos 389-ds packages.

[389-users] impact of the CentOS Stream drama

2021-01-08 Thread Angel Bosch Mora
hi, I'm not sure if this has been discussed here. Will this project be impacted in some way by the CentOS decision? I'm about to start a new setup and I wanted to use CentOS, but now I'm thinking about Debian. In that regard, is there any difference between Debian packages and CentOS ones?

[389-users] Re: unattended request cert process

2020-12-02 Thread Angel Bosch Mora
> depending on your version of 389, look at "dsctl tls > import-ca" > > {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca > --help > usage: dsctl [instance] tls import-ca [-h] cert_path nickname > > positional arguments: > cert_path The path to the x509 cert to import as

[389-users] unattended request cert process

2020-12-01 Thread Angel Bosch Mora
hi, some time ago I asked for a scriptable way of creating a certificate request, here's the thread: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/EHWWAHOO3S2HZEWJEXTQKDDRH33NLSMU/#HF7ZPVLMUK32AIEEWPEOLUJGZFXXRCEK I didn't have the time to write

[389-users] Re: precreation nss databases

2019-06-18 Thread Angel Bosch Mora
> The feature doesn't exist yet, so if you write a PEM -> NSS tool, the > project would love to accept it to our source code. It's been > something I have wanted for a while, and recently I have been > thinking with containers I should more seriously develop it, but if > you wanted to add this, we

[389-users] syncrepl client

2019-05-28 Thread Angel Bosch Mora
Hi, I'm performing some tests and would like to configure a syncrepl client like this one: https://github.com/landryb/syncrepl but I don't find useful information. For example, in this project there's a demo script that says about URL argument: 'An LDAP URL with all information

[389-users] Re: SSL configuration on dynamic deployments

2019-05-24 Thread Angel Bosch Mora
> So your 4 write servers are in mmr. Then you have 2 -> N read-onlys > as well which scale up and down. > > Do you plan to have ldap.example.com point to the IP's of the > read-onlys directly? Or to a load balancer? > yes, we already got that. > If this was me, just because of the scaling

[389-users] acis in 99user.ldif and target on subtree

2019-05-23 Thread Angel Bosch Mora
Hi! two more questions: 1- when migrating should I take care about ACIs in 99user.ldif? right now there are four entries: aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) aci:

[389-users] keeping internal attributes on export/import

2019-05-23 Thread Angel Bosch Mora
hi! quick question: is there any reason to keep modifyTimestamp, modifiersName, createTimestamp, and creatorsName when reimporting on a migration? abosch

[389-users] Re: SSL configuration on dynamic deployments

2019-05-23 Thread Angel Bosch Mora
> I think to answer this, I'd like to see a diagram or description of > the network and deployment topology you have in mind to help advise > for what you want to achieve here :) > Is really very simple. Think of it like the typical MMR with 4 nodes: https://i.imgur.com/DY8aSAo.png but the

[389-users] keeping nsDS5ReplicaBindDN on manager deletion

2019-05-21 Thread Angel Bosch Mora
I'm testing this new command: dsconf instance replication create-manager and when I create a new manager I can see a new nsDS5ReplicaBindDN on the replica entry. but when I remove the manager with "delete-manager" the nsDS5ReplicaBindDN is not removed. is there a reason for that? why do

[389-users] referral on update equivalent with dsconf

2019-05-21 Thread Angel Bosch Mora
Hi, is this new command: dsconf instance replication set --suffix "dc=example,dc=net" --repl-add-ref master1.example.net the same as this modification? REF_LDIF="dn: cn=dc\=example\,dc\=net,cn=mapping tree,cn=config changetype: modify replace: nsslapd-referral nsslapd-referral:

[389-users] configuring nsslapd-referral with virtual host

2019-05-14 Thread Angel Bosch Mora
hi! I'm creating my own MMR script and I would like to know if there's any limitation with the FQDN used in nsslapd-referral as stated in

[389-users] Re: docs for 1.4

2019-05-02 Thread Angel Bosch Mora
> If you have a specific question though, I’d be happy to help! > I'm glad you offered :) these are the attributes I'm currently using: cn: description: displayName:: dn: employeeNumber: gecos: gidNumber: homeDirectory: loginShell: mail: manager: member: memberOf: objectClass:

[389-users] docs for 1.4

2019-04-30 Thread Angel Bosch Mora
hi! is there a way to access documentation for upcoming 1.4 release? I would like to see specifically changes in ACIs as stated in this thread: https://lists.fedorahosted.org/archives/list/389-users@lists.fedoraproject.org/thread/PG5QXDAI2OI4YVIEIDG6QCFIANQPBTSJ/ thanks in advance, abosch

[389-users] creating root suffix from cockpit

2019-03-21 Thread Angel Bosch Mora
Hi, I asked a broad question here: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/7G2Y2ZYBYB7JNOCMIGV5WQMYDAWSD6VM/ but I would like to know specifically if root suffix can be created with cockpit. thanks, abosch

[389-users] Re: 389ds on lxc debian

2018-02-01 Thread Angel Bosch Mora
thanks for this detailed explanation. what time frame are we talking here? 1 year? 1 month? I'm evaluating an update/migration from my 1.2 installation and I don't mind waiting a little bit. > As for today, the best advice I can give is use setup-ds.pl without > the > admin tools, and just

[389-users] Re: 389ds on lxc debian

2018-02-01 Thread Angel Bosch Mora
> There are a number of users of 389-ds with lxc, just not with the > admin > console that I am aware of. > ok so is just the admin console that can't be installed on lxc. is there any work being done in this matter? should I file a bug? abosch

[389-users] 389ds on lxc debian

2018-01-30 Thread Angel Bosch Mora
hi, I'm trying to install 1.1.43-1+b1 package on lxc with debian 9 and I get this error: invoke-rc.d: initscript dirsrv-admin, action "start" failed. ● dirsrv-admin.service - 389 Administration Server. Loaded: loaded (/lib/systemd/system/dirsrv-admin.service; disabled; vendor preset:

Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL

2011-10-04 Thread Angel Bosch Mora
is not the same /etc/ldap.conf than /etc/openldap/ldap.conf seems that you're missing second one. While attempting to change a directory password I keep getting this message… [root@xxx ~]# ldappasswd -x -ZZ -D cn=directory manager -w “mypass”

Re: [389-users] Problem with samba and 389 Directory server with LDAPS

2011-09-29 Thread Angel Bosch Mora
appreciate the help. From: 389-users-boun...@lists.fedoraproject.org [ mailto:389-users-boun...@lists.fedoraproject.org ] On Behalf Of Angel Bosch Mora Sent: Wednesday, September 28, 2011 7:52 AM To: General discussion list for the 389 Directory server project. Subject: Re: [389-users

Re: [389-users] SSL/TLS with a hardware load balancer

2011-06-10 Thread Angel Bosch Mora
- Original message - Has anyone engineered a design to run 389-ds servers behind a hardware load balancer like an f5 LTM? I've found this question presented before, but never answered. a) the openldap-clients ldap module will query the first host/uri in the list until the port goes

[389-users] entry-id conflict

2011-05-06 Thread Angel Bosch Mora
hi, i'm setting up another node on my multimaster environment. on the new node i can see differences on entry-id attribute. is this normal? i guess this is an internal attribute but i'm not sure if must be shared and unique across members of replication. regards, abosch -- 389 users mailing

[389-users] admin server fails to start with PSET failure: Failed to create PSET handle

2011-04-07 Thread Angel Bosch Mora
hi, im having problems starting admin server. i can see just this line on log: [Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) not sure if is related, but we had an accident that changed permissions on some files (recursive chmod on

Re: [389-users] admin server fails to start with PSET failure: Failed to create PSET handle

2011-04-07 Thread Angel Bosch Mora
- Original message - On 04/07/2011 04:37 AM, Angel Bosch Mora wrote: hi, im having problems starting admin server. i can see just this line on log: [Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to create PSET handle (pset error = ) not sure

Re: [389-users] Questions about groups and group IDs

2011-01-07 Thread Angel Bosch Mora
- Original message - We are planning out how we are going to move from Active Directory to 389-ds. We can add users to our test environment successfully, and give the accounts the proper information (uid, shell, etc.). However, 1 area that we are getting stumped at is groups. In our

Re: [389-users] get base dn from ldapsearch

2010-11-25 Thread Angel Bosch Mora
- Original message - Oddly enough it looks like it comes out as part of the LDIF comment. If you skip the option to tell it to not output ldif comments you'll get your base: $ ldapsearch -d1 -x (uid=example) 2>&1 | grep base # base dc=example,dc=com (default) with scope subtree

Re: [389-users] get base dn from ldapsearch

2010-11-24 Thread Angel Bosch Mora
Maybe I am understanding this wrong but could you not just check in the config what the search base is set to on the client side? What is the problem you are trying to solve? yes, you're right. i can just take a look at ldap.conf but there's several places to look: - debian/ubuntu uses

[389-users] get base dn from ldapsearch

2010-11-23 Thread Angel Bosch Mora
hi, not specifically 389 related but: is there a way to guess default base dn for clients (the one configured in /etc/openldap/ldap.conf) with ldapsearch? i've tried with -v, -n and -d but i only get the server, not the base. regards, abosch

Re: [389-users] SSl connection to 389 DS server

2010-11-22 Thread Angel Bosch Mora
ssl connections need the same FQDN specified in the cert to be used when connecting. localhost is hardly going to work. abosch -- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] dsml packages

2010-11-14 Thread Angel Bosch Mora
- Original message - Yes. We never released dsmlgw as an rpm package. i thought i saw something about packages in the docs but i can't find it now. thanks for the answer.

[389-users] dsml packages

2010-11-11 Thread Angel Bosch Mora
hi, i can't find last dsml packages anywhere. must i compile from sources? i use epel repos. regards, abosch

[389-users] upgrading packages

2010-11-10 Thread Angel Bosch Mora
hi, i've some questions about upgrading: - must i run 'setup-ds-admin.pl -u' every time there's a new package in the repos? - doesn't packaging take care of that? - does it matter how many instances are configured? i've been having some strange problems in my (mixed) environment and i just

Re: [389-users] duplicate existing ssl crenentials on another server ?

2010-11-09 Thread Angel Bosch Mora
you must create a certificate with additional hostnames with -8 option. you can view an example here: http://docs.sun.com/app/docs/doc/819-5899/6n7uuth9p?l=enn=1a=view - Original message - Hello, After having read through the Howto:SSL document on the 389 wiki, i went ahead and

Re: [389-users] Safeguarding against to many established connections

2010-10-19 Thread Angel Bosch Mora
- Original message - On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote: Hi We have recently seen an issue where a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed

[389-users] sub-suffix creation

2010-10-15 Thread Angel Bosch Mora
hi, im trying to create the entry for a sub-suffix i've created in the console but i can't find any instruction. i've followed official docs:

Re: [389-users] sub-suffix creation

2010-10-15 Thread Angel Bosch Mora
- Original message - Hi I a bit confused... have you successfully created the entry using the console and am looking for a ldif example? Or did the creation failed in the console. I can give you examples of how we create our tree and sub suffixes if that will help, they are all in

Re: [389-users] ns-slapd processes not dying

2010-09-08 Thread Angel Bosch Mora
- Original message - Hi, We had similar problem before, but I am not sure if it is related to your case. The file descriptors that were opened by the ns-slapd process was all in a CLOSE_WAIT state. You can try execute netstat -anput | grep CLOSE_WAIT and see if there's a lot of