Re: [Freeipa-users] Replica installation failing
On 03/19/2013 01:12 PM, Bret Wortman wrote: Preparation of the replica data file went without a hitch, but on installation: # ipa-replica-install --setup-dns --no-forwarders replica-info-jsipa.damascusgrp.com http://replica-info-jsipa.damascusgrp.com --skip-conncheck Directory Manager (existing master) password: Configuring NTP daemon (ntpd) : Configuring directory server (dirsrv): Estimated time 1 minute : : [21/30]: setting up initial replication Starting replication, please wait until this has completed. [ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server] : # getenforce Disabled # systemctl status iptables.service iptables.service Loaded: error (Reason: No such file or directory) Active: inactive(dead) # Any ideas? This is a brand-new server just set up via kickstart. It's running Fedora 18 and IPA 3.1.0-2.fc18. _ _ *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman Hello Bret, Is ipamaster.damascusgrp.com still resolvable from the replica machine? I would try running: # host ipamaster.damascusgrp.com ... after the failed ipa-replica-install. There were issues in the past when /etc/resolv.conf changed during replica installation and caused similar error in a middle of ipa-replica-install. If the DNS resolution is OK, I would also check /var/log/dirsvr/slapd-INST/errors on replica and on master - are there any relevant errors? Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Replica installation failing
I'm now rebuilding on F17 and Martin's going to try my scenario, which should have worked. Who knows, I may have borked it somehow. — Bret Wortman On Tue, Mar 19, 2013 at 10:19 AM, Bret Wortman bret.wort...@damascusgrp.com wrote: Generation difference. Wrong version of the software -- the F18 version apparently can't read the data generated by my F17 server. And backing it down appears to be nontrivial. Upgrading the master to F18 is a nonstarter as F18 isn't exactly stable in our environment. I guess I'm going to rebuild this box on F17 and try again. I'm kind of surprised that there isn't better backward compatibility here; is it hard to maintain the ability to read the old formats, or are packages you depend on changing too quickly? I'm not trying to be critical or start a flame war here, just to understand. :-) * * *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman On Tue, Mar 19, 2013 at 8:48 AM, Martin Kosek mko...@redhat.com wrote: Ok. This looks like dirsrv errors from the master machine. Are there also any interesting errors on the replica machine? Martin On 03/19/2013 01:45 PM, Bret Wortman wrote: Yes, it's still resolvable. In the errors log: [19/Mar/2013:08:39:53 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Mar/2013:08:39:53 -0400] NSMMReploicationPlugin - agmt=cn=meTojsipa.damascusgrp.com http://meTojsipa.damascusgrp.com (jsipa:389) : Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAQP server) ((null)) and then the first error repeats every few seconds for a while. jsipa.damascusgrp.com http://jsipa.damascusgrp.com is resolvable on ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com. I _have_ noticed that when doing the ipa-server-install --uninstall to clean up after this, that some ports (389, 636) don't get released unless I reboot. I don't know if that's related or a red herring. _ _ *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman On Tue, Mar 19, 2013 at 8:30 AM, Martin Kosek mko...@redhat.com mailto:mko...@redhat.com wrote: On 03/19/2013 01:12 PM, Bret Wortman wrote: Preparation of the replica data file went without a hitch, but on installation: # ipa-replica-install --setup-dns --no-forwarders replica-info-jsipa.damascusgrp.com http://replica-info-jsipa.damascusgrp.com http://replica-info-jsipa.damascusgrp.com --skip-conncheck Directory Manager (existing master) password: Configuring NTP daemon (ntpd) : Configuring directory server (dirsrv): Estimated time 1 minute : : [21/30]: setting up initial replication Starting replication, please wait until this has completed. [ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server] : # getenforce Disabled # systemctl status iptables.service iptables.service Loaded: error (Reason: No such file or directory) Active: inactive(dead) # Any ideas? This is a brand-new server just set up via kickstart. It's running Fedora 18 and IPA 3.1.0-2.fc18. _ _ *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman Hello Bret, Is ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com still resolvable from the replica machine? I would try running: # host ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com ... after the failed ipa-replica-install. There were issues in the past when /etc/resolv.conf changed during replica installation and caused similar error in a middle of ipa-replica-install. If the DNS resolution is OK, I would also check /var/log/dirsvr/slapd-INST/errors on replica and on master - are there any relevant errors? Martin ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Recent/Decent Install Config Guide?
Hi! Does anyone know of a recent detailed installation/configuration guide for IPA? Is the InstallAndDeploy wiki (http://freeipa.org/page/InstallAndDeploy) still appropriate? It mentions Fedora 7, so I'm thinking it might be a little ancient. Thanks a lot, Guy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Recent/Decent Install Config Guide?
Hi, On Tue, Mar 19, 2013 at 10:48:31AM -0400, Guy Matz wrote: Hi! Does anyone know of a recent detailed installation/configuration guide for IPA? Is the InstallAndDeploy wiki (http://freeipa.org/page/InstallAndDeploy) still appropriate? It mentions Fedora 7, so I'm thinking it might be a little ancient. The 'Identity Management Guide' from the product documentation is RHEL focused, but current: https://access.redhat.com/knowledge/docs/Red_Hat_Enterprise_Linux/ cheers, Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Replica installation failing
I tried this scenario and it worked for me. I installed a FreeIPA master on F17 machine (freeipa-server-2.2.2-1.fc17.x86_64), created a replica info file for fedora 18 machine and run ipa-replica-install on this one (freeipa-server-3.1.2-1.fc18.x86_64) and the installation was successful. If you still have the development environment, can you please: 1) Try to make sure you have up-to-date freeipa on f17 and f18, then 2) Create a new replica info file for the replica, copy it on a replica 3) Install the replica If it fails again, we will need to investigate 389-ds-base logs on both server and replica machines to see if that helps us see the root cause. Martin On 03/19/2013 03:42 PM, Bret Wortman wrote: I'm now rebuilding on F17 and Martin's going to try my scenario, which should have worked. Who knows, I may have borked it somehow. — Bret Wortman On Tue, Mar 19, 2013 at 10:19 AM, Bret Wortman bret.wort...@damascusgrp.com mailto:bret.wort...@damascusgrp.com wrote: Generation difference. Wrong version of the software -- the F18 version apparently can't read the data generated by my F17 server. And backing it down appears to be nontrivial. Upgrading the master to F18 is a nonstarter as F18 isn't exactly stable in our environment. I guess I'm going to rebuild this box on F17 and try again. I'm kind of surprised that there isn't better backward compatibility here; is it hard to maintain the ability to read the old formats, or are packages you depend on changing too quickly? I'm not trying to be critical or start a flame war here, just to understand. :-) _ _ *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman On Tue, Mar 19, 2013 at 8:48 AM, Martin Kosek mko...@redhat.com mailto:mko...@redhat.com wrote: Ok. This looks like dirsrv errors from the master machine. Are there also any interesting errors on the replica machine? Martin On 03/19/2013 01:45 PM, Bret Wortman wrote: Yes, it's still resolvable. In the errors log: [19/Mar/2013:08:39:53 -0400] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected) [19/Mar/2013:08:39:53 -0400] NSMMReploicationPlugin - agmt=cn=meTojsipa.damascusgrp.com http://meTojsipa.damascusgrp.com http://meTojsipa.damascusgrp.com (jsipa:389) : Replication bind with SIMPLE auth failed: LDAP error -1 (Can't contact LDAQP server) ((null)) and then the first error repeats every few seconds for a while. jsipa.damascusgrp.com http://jsipa.damascusgrp.com http://jsipa.damascusgrp.com is resolvable on ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com. I _have_ noticed that when doing the ipa-server-install --uninstall to clean up after this, that some ports (389, 636) don't get released unless I reboot. I don't know if that's related or a red herring. _ _ *Bret Wortman* http://damascusgrp.com/ http://damascusgrp.com/ http://bretwortman.com/ http://twitter.com/BretWortman On Tue, Mar 19, 2013 at 8:30 AM, Martin Kosek mko...@redhat.com mailto:mko...@redhat.com mailto:mko...@redhat.com mailto:mko...@redhat.com wrote: On 03/19/2013 01:12 PM, Bret Wortman wrote: Preparation of the replica data file went without a hitch, but on installation: # ipa-replica-install --setup-dns --no-forwarders replica-info-jsipa.damascusgrp.com http://replica-info-jsipa.damascusgrp.com http://replica-info-jsipa.damascusgrp.com http://replica-info-jsipa.damascusgrp.com --skip-conncheck Directory Manager (existing master) password: Configuring NTP daemon (ntpd) : Configuring directory server (dirsrv): Estimated time 1 minute : : [21/30]: setting up initial replication Starting replication, please wait until this has completed. [ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com http://ipamaster.damascusgrp.com] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server] : # getenforce Disabled # systemctl status
[Freeipa-users] Mail Challenge Password Reset
Is there a mail challenge 3rd party tool that allows for users to change their own passwords if they don't know their password? Something like PWM for LDAP? https://code.google.com/p/pwm/ I've been looking around and no one seems to have done this yet, but wanted to yield to this group before giving up hope. Thanks, _ John Moyer ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
We're struggeling with the performance of IPA, and have tried switching to the ldap backend for sssd to be able to see what's happening. The attached trace is from a RHEL6.4 client running id janfrode with the following sssd backend: --- [domain/IPALDAP] id_provider = ldap auth_provider = ldap ldap_schema = rfc2307bis ldap_uri = ldap://ipa2.example.net, ldap://ipa1.example.net ldap_search_base = dc=example,dc=net ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=net ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=net ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=net ldap_tls_cacert = /etc/ipa/ca.crt ldap_tls_reqcert = never cache_credentials = True enumerate = false debug_level = 1 krb5_server = ipa1.example.net --- Please ignore the timings in the trace, as the ldap-server had too high debug level when it was collected. What we find very strange in the trace is: - how many ldap searches are done (144!) - that nesting is handled by the client, instead of using memberOf. - that all group members are searched individually, and multiple times if they're members of multiple groups Ldap-searches are probably (without this high debug level) taking 0.02-0.03s, so 144 of these is causing us 3-4s to resolve all my groups. I can get the time id janfrode takes down to less than 1s if I use ldap_schema=rfc2307, turn of nesting and use the cn=compat tree for group lookups... but ideally I'd want to use the ipa-backend so that we can use the IPA HBAC stuff.. -jf trace.bz2 Description: BZip2 compressed data ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?
On Tue, Mar 19, 2013 at 09:41:23PM +0100, Jan-Frode Myklebust wrote: Hello Jan, I'm sorry you're seeing performance problems. We're struggeling with the performance of IPA, and have tried switching to the ldap backend for sssd to be able to see what's happening. The attached trace is from a RHEL6.4 client running id janfrode with the following sssd backend: You should really use the ipa backend for better performance as it uses the memberof attribute (and a couple of other shortcuts to be able to tell if a missing member is a user or a group based on the format of the DN for example). --- [domain/IPALDAP] id_provider = ldap auth_provider = ldap ldap_schema = rfc2307bis ldap_uri = ldap://ipa2.example.net, ldap://ipa1.example.net ldap_search_base = dc=example,dc=net ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=net ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=net ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=net ldap_tls_cacert = /etc/ipa/ca.crt ldap_tls_reqcert = never cache_credentials = True enumerate = false debug_level = 1 krb5_server = ipa1.example.net --- Please ignore the timings in the trace, as the ldap-server had too high debug level when it was collected. What we find very strange in the trace is: - how many ldap searches are done (144!) The number really depends on the group structure and nesting levels. - that nesting is handled by the client, instead of using memberOf. I'm sorry, I don't quite understand the problem here. If ipa backend was used, then all groups would be resolved in a single search by fetching the objects the memberof attribute points at. On the other hand, the RFC2307bis schema does not guarantee there is a memberof attribute at all, so the client has to perform multiple queries based on the member attribute. This is one of the prime reasons to stick to the ipa backend as opposed to the LDAP back end with the RFC2307bis schema. - that all group members are searched individually, and multiple times if they're members of multiple groups They shouldn't be fetched multiple times, sounds like a bug to me. How did you measure this metric? Wireshark lookups? Or just analysis of the logs? Ldap-searches are probably (without this high debug level) taking 0.02-0.03s, so 144 of these is causing us 3-4s to resolve all my groups. I can get the time id janfrode takes down to less than 1s if I use ldap_schema=rfc2307, turn of nesting and use the cn=compat tree for group lookups... but ideally I'd want to use the ipa-backend so that we can use the IPA HBAC stuff.. Yes, I would strongly advise against using the compat tree. Let's first take a look if there's maybe a way to optimize the lookups with the ipa back end. Can you tell us a little bit about your nesting structure? How many users, how many groups, how deep is the nesting? By the way, the id command is not really a fair benchmark as, contrary to the initgroups() operation that happens during a login, also fetches all the group members. If you are seeing slow logins, then the best way to benchmark the initgroups is id -G, not id. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Mail Challenge Password Reset
On Tue, Mar 19, 2013 at 3:36 PM, Rob Crittenden rcrit...@redhat.com wrote: John Moyer wrote: Is there a mail challenge 3rd party tool that allows for users to change their own passwords if they don't know their password? Something like PWM for LDAP? https://code.google.com/p/pwm/ I've been looking around and no one seems to have done this yet, but wanted to yield to this group before giving up hope. No. There is a ticket to add support for this but it isn't planned to be worked on for some time. There was a thread about this last year: https://www.redhat.com/archives/freeipa-users/2012-July/msg00051.html That was me. I still haven't done much -- pwm didn't work out well because when it changes the users password it auto expires as if an admin changed it and I didn't look much past that. With 3.0 users are able to reset their expired passwords and that's 99% of the changes that need to be made at our site (many of my users only use AIX servers, and the version we're running is horribly broken in regards to passing along messages from the auth backend. I set up a Linux VM specifically for account administration of this type, too.) ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users