Re: Bumblebee and Fedora 19

2013-07-21 Thread Andrey Ivanov
Could you try to exec optirun with "-vv --debug" options to see verbose
output?
Try to uncomment BusID "PCI:01:00:0" string in
/etc/bumblebee/xorg.conf.nvidia (Ubuntu bug with same error)
Show bumblebee config files.



2013/7/21 Junayeed Ahnaf 

> I got that, but I'm seeing another kind of problem now:
>
> [root@localhost nirjhor]# optirun glxgears -info
> [ 1145.228326] [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No
> devices detected.
>
> [ 1145.228366] [ERROR]Aborting because fallback start is disabled.
> [root@localhost nirjhor]#
>
> Help?
>
>
> Junayeed Ahnaf Nirjhor
> Software Engineer @ Hulu 
> Twitter @ Nirjhor 
>
>
> --
> Date: Sun, 21 Jul 2013 13:57:32 +0400
> Subject: Re: Bumblebee and Fedora 19
> From: anviva...@gmail.com
> To: users@lists.fedoraproject.org
>
>
> Check if package xorg-x11-drv-mouse is installed in your system.
>
>
> 2013/7/21 Junayeed Ahnaf 
>
> Hello,
>
> I'm trying to install bumblebee on my laptop. But when I'm trying "optirun
> glxgears info" this error is showing:
>
>
> [root@localhost nirjhor]# optirun glxgears info
> [ 1691.769152] [ERROR]Cannot access secondary GPU - error: [XORG] (EE)
> Failed to load module "mouse" (module does not exist, 0)
>
> [ 1691.769189] [ERROR]Aborting because fallback start is disabled.
> [root@localhost nirjhor]#
>
>  Just for the info :
>
> [root@localhost nirjhor]# lspci -vnn | grep '\''[030[02]\]'
> 00:02.0 VGA compatible controller [0300]: Intel Corporation 3rd Gen Core
> processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA
> controller])
> 01:00.0 3D controller [0302]: NVIDIA Corporation GK107M [GeForce GT 740M]
> [10de:0fdf] (rev a1)
> [root@localhost nirjhor]#
>
> Can anyone help me solve it?
>
> Junayeed Ahnaf Nirjhor
> Software Engineer @ Hulu 
> Twitter @ Nirjhor 
>
> --
> users mailing list
> users@lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
>
>
>
>
> --
> Andrey V Ivanov
>
>
>


-- 
Andrey V Ivanov


Re: Bumblebee and Fedora 19

2013-07-21 Thread Andrey Ivanov
Check if package xorg-x11-drv-mouse is installed in your system.


2013/7/21 Junayeed Ahnaf 

> Hello,
>
> I'm trying to install bumblebee on my laptop. But when I'm trying "optirun
> glxgears info" this error is showing:
>
>
> [root@localhost nirjhor]# optirun glxgears info
> [ 1691.769152] [ERROR]Cannot access secondary GPU - error: [XORG] (EE)
> Failed to load module "mouse" (module does not exist, 0)
>
> [ 1691.769189] [ERROR]Aborting because fallback start is disabled.
> [root@localhost nirjhor]#
>
>  Just for the info :
>
> [root@localhost nirjhor]# lspci -vnn | grep '\''[030[02]\]'
> 00:02.0 VGA compatible controller [0300]: Intel Corporation 3rd Gen Core
> processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA
> controller])
> 01:00.0 3D controller [0302]: NVIDIA Corporation GK107M [GeForce GT 740M]
> [10de:0fdf] (rev a1)
> [root@localhost nirjhor]#
>
> Can anyone help me solve it?
>
> Junayeed Ahnaf Nirjhor
> Software Engineer @ Hulu 
> Twitter @ Nirjhor 
>
>
>


-- 
Andrey V Ivanov


Re: disable ssdp

2013-07-06 Thread Andrey Ivanov
Maybe it's router-generated traffic.
E.g. an Asus router has an "Enable UPnP" option in "IP" settings.


2013/7/5 Kevin Wilson 

> Hello,
> I see that from time to time I get in fedora 18 this traffic:
>
> SSDP - Simple Service Discovery Protocol
>
>  every 2-3 minutes a couple of frames for address: 239.255.255.255.
>
> I tried to disable bluetooth with no help.
>
> google shows that this might be some upnp client, but I don't know how
> to find it and disable it
>
> any ideas?
>
> regards,
> Kevin
>



-- 
Andrey V Ivanov


[389-users] Extended control or extop

2013-04-09 Thread Andrey Ivanov
Hi,

I remember reading somewhere on 389 DS site or in dev commits or in trac a
request or a realisation of an extended control/operation that returns
the LDAP entries referenced by some attribute.
Something like you make a search of a group with this extended control, the
search takes all the 'uniqueMembers' and returns all the LDAP entries
referenced by the values of 'uniqueMember'. Could you point to me the right
control name or OID? Is it already present in some version of 389DS?

Thanks!
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Named log pipe + normal access log

2012-02-24 Thread Andrey Ivanov
And/or you could use the "tee" command ("man tee") in the pipe...


2012/2/23 Rich Megginson 

> On 02/23/2012 08:34 AM, Daniel Fenert wrote:
>
>> Hi,
>>
>> I'd like to log to named pipe (just like said here:
>> http://directory.fedoraproject.org/wiki/Named_Pipe_Log_Script)
>> for some
>> live analysis and ALSO log to access log as usual.
>> Is it possible?
>>
> You would have to alter the named pipe log script to write the regular
> access log file itself - the server cannot write to two different access
> logs at the same time.
>
>> I'd like to avoid logging everything via this script (I have 1GB logs
>> every 20 minutes in peak hours on each slave).
>>
>>

[389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-23 Thread Andrey Ivanov
Hi Rich,

I have two issues with this new version (that i have compiled from the
git sources)

here is the first issue :

there were some changes to the memberof plugin (Bug 620927) that added
a more rigorous verification of memberofgroupattr parameter of
MemberOf plugin. We use the uniqueMember/memberOf attribute pair to
manage our groups and backlinks. This configuration does not work with
the 1.2.7 server :

[23/Nov/2010:17:32:51 +0100] memberof-plugin - Error 53: The
uniqueMember configuration attribute must be set to an attribute
defined to use the Distinguished Name syntax. (illegal value:
memberOfGroupAttr)
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(DSA is unwilling to perform)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] memberof-plugin - only one memberOf
plugin instance can be used
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(Bad parameter to an ldap routine)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] memberof-plugin - only one memberOf
plugin instance can be used
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(Bad parameter to an ldap routine)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] memberof-plugin - only one memberOf
plugin instance can be used
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(Bad parameter to an ldap routine)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] - Error: Failed to resolve plugin dependencies
[23/Nov/2010:17:32:51 +0100] - Error: postoperation plugin MemberOf
Plugin is not started


The thing is that uniquemember does not have the DN syntax, it has
"Name and Optional UID syntax" :

attributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
 EQUALITY uniqueMemberMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.34
 X-ORIGIN 'RFC 4519' )

Our memberOf configuration:
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.7
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin



The second issue : when using setup-ds-admin there is a LD_PRELOAD
libldap60.so error. I used the sources mod_nss-1.0.8.tar.gz,
389-admin-1.1.12.a2.tar.bz2 and 389-adminutil-1.1.13.tar.bz2 to
compile the admin server.

Creating directory server . . .
Your new DS instance 'dmz' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: ERROR: ld.so: object '/libldap60.so' from LD_PRELOAD cannot be
preloaded: ignored.
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupXxX7a5.log'


2010/11/22 Rich Megginson :
> 389-ds-base-1.2.7 is now in Testing.  This release adds some new
> features and fixes many bugs.  Please help us test. The sooner we can
> get this release tested, the sooner we can push it to Stable and make it
> generally available.
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
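
A pre-upgrade check for the first issue in the message above, as an added example (not part of the original post and not 389 DS code): it applies the rule stated in the "Error 53" log line to a schema dump and the plugin entry. The sample LDIF is constructed from the definitions quoted in the message; the 'member' definition and all function names are assumptions made for illustration.

```python
import re

# Syntax OIDs from RFC 4517.
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"              # Distinguished Name
NAME_AND_OPTIONAL_UID = "1.3.6.1.4.1.1466.115.121.1.34"  # Name and Optional UID

# Constructed input: uniqueMember and the plugin entry are shortened copies of
# the ones in the message; the 'member' definition is added for contrast and is
# an assumption about the local schema.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
  EQUALITY uniqueMemberMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.34
  X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.31 NAME 'member'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-ORIGIN 'RFC 4519' )
"""

SAMPLE_PLUGIN_LDIF = """\
dn: cn=MemberOf Plugin,cn=plugins,cn=config
cn: MemberOf Plugin
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (RFC 2849: a line starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attribute_syntaxes(schema_ldif):
    """Map lower-cased attribute names to the SYNTAX OID in their definition."""
    syntaxes = {}
    for line in unfold(schema_ldif):
        key, _, value = line.partition(":")
        if key.strip().lower() != "attributetypes":
            continue
        names = re.search(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))", value)
        syntax = re.search(r"SYNTAX\s+([0-9.]+)", value)
        if not names or not syntax:
            continue  # e.g. syntax inherited through SUP; not resolved here
        if names.group(1):
            found = [names.group(1)]
        else:
            found = re.findall(r"'([^']+)'", names.group(2))
        for name in found:
            syntaxes[name.lower()] = syntax.group(1)
    return syntaxes


def plugin_group_attrs(plugin_ldif):
    """Return every memberofgroupattr value of the plugin entry."""
    attrs = []
    for line in unfold(plugin_ldif):
        key, _, value = line.partition(":")
        if key.strip().lower() == "memberofgroupattr":
            attrs.append(value.strip())
    return attrs


def check_memberof_config(schema_ldif, plugin_ldif):
    """Return (attr, syntax_oid, ok) per group attribute; ok means DN syntax."""
    syntaxes = attribute_syntaxes(schema_ldif)
    results = []
    for attr in plugin_group_attrs(plugin_ldif):
        oid = syntaxes.get(attr.lower())
        results.append((attr, oid, oid == DN_SYNTAX))
    return results


if __name__ == "__main__":
    for attr, oid, ok in check_memberof_config(SAMPLE_SCHEMA_LDIF, SAMPLE_PLUGIN_LDIF):
        print(f"{attr}: syntax {oid} -> {'ok' if ok else 'would be rejected'}")
```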


Re: [389-users] GSSAPI authentication to Directory Server

2010-10-04 Thread Andrey Ivanov
Hi,

Try

kinit username

klist -e

/usr/bin/ldapsearch  -Y GSSAPI -h station1.example.com -b
"dc=example,dc=com" "(cn=*)"

klist -e

At least, that's how it works in our system


2010/10/4 Matt Carey 

> I'm trying to follow the Kerberos howto guide at
> http://directory.fedoraproject.org/wiki/Howto:Kerberos but am having an
> issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:
> $ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o
> mech=GSSAPI -o authid="mca...@station1.example.com"  -o authzid="
> mca...@station1.example.com" -b "dc=example,dc=com" "(cn=*)"
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-13): authentication failure: GSSAPI
> Failure: gss_accept_sec_context
>
> Attempt with OpenLDAP client:
> $ /usr/bin/ldapsearch  -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://
> station1.example.com -b "dc=example,dc=com" "(cn=*)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
>
>
> Resulting in the following entries in the access log on the DS:
> # tail -5 access
> [04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from
> 10.100.0.45 to 10.100.0.45
> [04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3
> mech=GSSAPI
> [04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0
> etime=0
> [04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
> [04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1
>
>
> From what I can tell the Kerberos infrastructure and OS components are
> setup accordingly:
> GSSAPI is a viable SASL mechanism:
> $ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base
> "(objectClass=*)" supportedSASLMechanisms
> version: 1
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: PLAIN
>
> Directory Server keytab and contents:
> # grep "nsslapd-localuser" dse.ldif
> nsslapd-localuser: nobody
> # ls -la ds.keytab
> -rw--- 1 nobody nobody 172 Oct  3 13:21 ds.keytab
> # ktutil
> ktutil:  rkt ./ds.keytab
> ktutil:  l
> slot KVNO Principal
>  
> -
>13 ldap/station1.example@station1.example.com
>23 ldap/station1.example@station1.example.com
> # grep KRB /etc/sysconfig/dirsrv
> KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
>
> SASL maps in Directory Server:
> dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: Kerberos uid mapping
> nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
> nsSaslMapBaseDNTemplate: dc=\2,dc=\3
> nsSaslMapFilterTemplate: (uid=\1)
>
> dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: Station1 Kerberos Mapping
> nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM
> nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
> nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com
>
> dn: cn=station1 map,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: example map
> cn: station1 map
> nsSaslMapRegexString: \(.*\)
> nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
> nsSaslMapFilterTemplate: (cn=\1)
>
> Getting a ticket from the KDC:
> [mca...@station1 ~]$ kdestroy
> [mca...@station1 ~]$ kinit
> Password for mca...@station1.example.com:
> [mca...@station1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
> Default principal: mca...@station1.example.com
> Valid starting     Expires            Service principal
> 10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/STATION1.EXAMPLE.COM@
> STATION1.EXAMPLE.COM
> Kerberos 4 ticket cache: /tmp/tkt5000
> klist: You have no tickets cached
>
> Any help or pointers people have would be greatly appreciated.
>
>

Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
Well, i've sorted out this problem. Rich has pointed out that it's an
html/xml escape. He was right. Since i was working on our production servers
there were some requests constantly coming in. I've searched through the
access logs and found that the source of the problem is a broken web
application  that requests an incorrect DN :

[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 SRCH base="cn=cadre
d',astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu" scope=0
filter="(&(&(objectClass=X-Object)(ou=*)))" attrs="* modifyTimestamp"
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 RESULT err=32 tag=101 nentries=0
etime=0.002000

These requests generate the messages i've seen in error log :
[25/Aug/2010:21:25:21 +0200] entryrdn-index - entryrdn_index_read: Param
error: Failed to convert cn=cadre
d',astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:21:25:21 +0200] - dn2entry: Failed to get id for cn=cadre
d',astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index
(34)
[25/Aug/2010:21:25:21 +0200] entryrdn-index - entryrdn_index_read: Param
error: Failed to convert astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu
to Slapi_RDN

So there is no problem in the server code, it's a broken application. It
applies to both 6rc7  and 7rc1 versions of course. The reason why i thought
there was no problem in rc7 case is that i've made the tests with rc7 at
21h00, at this time there were no users and so no requests from the
above-mentioned application :))
I was alarmed because on our servers there are very few error messages in
error logs and i know them all. This sort of error message (incorrect DN or
filter in ldap search requests) was not logged in previous 389 versions,
it's a behaviour change...
So the only thing that i should look into is the server crash during SSL
incremental replication in the current git version.




2010/8/25 Noriko Hosoi 
>
>  On 08/25/2010 10:44 AM, Rich Megginson wrote:
>>
>> Noriko Hosoi wrote:
>>>
>>>  Hi Andrey,
>>>
>>> Looking at this line,', is not a UTF-8 representation of
>>> apostrophe.  Rather a Latin-1 representation?  Also, it contains ','
>>> in the rdn value without an escape.  It's considered a separator
>>> between rdns. I wonder who created the input DN...?
>>>
>>> entryrdn-index - entryrdn_index_read: Param error: Failed to convert
>>> cn=salon d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to
>>> Slapi_RDN
>>>
>> ', looks like some sort of html/xml escape?
>>
>> http://www.theukwebdesigncompany.com/articles/entity-escape-characters.php
>
> Thanks, Rich!  You are right!  And I don't think our DN normalizer
> supports it.
>
> Andrey, what you observe is ...
> 389 v1.2.6.rc7 has no problem to handle cn=salon d',honneur, but
> 1.2.7.a1 does?
>
> We haven't touched the normalizer between 1.2.6.rc7 and 1.2.7.a1, I
> think...
> --noriko
>>>
>>> Thanks,
>>> --noriko
>>>
>>> On 08/25/2010 08:35 AM, Andrey Ivanov wrote:
>>>>
>>>> Hi,
>>>>
>>>> i'm continuing to test the latest version of 389. Here are the error
>>>> messages that i've seen (it happened only once for now) in error log :
>>>>
>>>> [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read:
>>>> Param error: Failed to convert cn=salon
>>>> d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
>>>> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
>>>> cn=salon d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from
>>>> entryrdn index (34)
>>>> [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read:
>>>> Param error: Failed to convert
>>>> honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
>>>> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
>>>> honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index
>>>> (34)
>>>>
>>>>
>>>> The object in question is
>>>> cn=SALON D'HONNEUR,ou=Objets,dc=id,dc=polytechnique,dc=edu
>>>> departmentNumber: DG/SG/MG/REST
>>>> objectClass: top
>>>> cn: SALON D'HONNEUR
>>>>
>>>> What is the problem with this entry, conversion to Slapi_DN and
>>>> entryrdn index? Here are the
>>>> corresponding entries extracted with dbscan :
>>>>
>>>> 5370:cn=salon d'honneur
>>>>ID: 5370; RDN: "cn=SALON D'HONNEUR";
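
The access-log search described in the message above ("I've searched through the access logs and found ... a broken web application that requests an incorrect DN"), as an added example that is not part of the original post and not 389 DS code. It flags SRCH operations whose base DN carries an HTML/XML character entity or an RDN with no attribute type, and attributes them to the client address. The log lines are constructed, and the entity spelling `&#39;`, the addresses and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the access-log layout quoted in the message above.
# Addresses, connection numbers and the dc=example,dc=com suffix are made up.
SAMPLE_ACCESS_LOG = """\
[25/Aug/2010:21:25:20 +0200] conn=4201 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 SRCH base="cn=cadre d&#39;astreinte,ou=objets,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 RESULT err=32 tag=101 nentries=0 etime=0.002000
[25/Aug/2010:21:25:22 +0200] conn=4201 op=2 SRCH base="cn=cadre d',astreinte,ou=objets,dc=example,dc=com" scope=0 filter="(objectClass=*)" attrs="*"
[25/Aug/2010:21:25:22 +0200] conn=4201 op=2 RESULT err=32 tag=101 nentries=0 etime=0.002000
[25/Aug/2010:21:25:23 +0200] conn=4202 fd=71 slot=71 connection from 192.0.2.20 to 192.0.2.1
[25/Aug/2010:21:25:23 +0200] conn=4202 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms"
[25/Aug/2010:21:25:23 +0200] conn=4202 op=0 RESULT err=0 tag=101 nentries=1 etime=0.001000
[25/Aug/2010:21:25:24 +0200] conn=4202 op=1 SRCH base="ou=objets,dc=example,dc=com" scope=2 filter="(cn=*)" attrs="cn"
[25/Aug/2010:21:25:24 +0200] conn=4202 op=1 RESULT err=0 tag=101 nentries=12 etime=0.010000
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to \S+')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="(.*)" scope=\d+')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
# Numeric or named character reference, e.g. &#39; &#x27; &apos;
ENTITY_RE = re.compile(r'&(?:#\d+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]+);')


def malformed_reasons(dn):
    """Return the reasons a search base looks mangled by the client."""
    if dn == "":
        return []  # root DSE search, nothing to check
    reasons = []
    if ENTITY_RE.search(dn):
        reasons.append("html-entity")
    # Simplified RFC 4514 split: commas not preceded by a backslash.
    for rdn in re.split(r'(?<!\\),', dn):
        if "=" not in rdn:
            reasons.append("rdn-without-type")
            break
    return reasons


def scan(lines):
    """Return one finding per SRCH with a suspicious base DN."""
    clients = {}   # conn id -> client address
    pending = {}   # (conn, op) -> finding still waiting for its RESULT line
    findings = []
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            clients[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base = m.groups()
            reasons = malformed_reasons(base)
            if reasons:
                finding = {"client": clients.get(conn, "unknown"), "conn": conn,
                           "op": op, "base": base, "reasons": reasons, "err": None}
                findings.append(finding)
                pending[(conn, op)] = finding
            continue
        m = RESULT_RE.search(line)
        if m:
            finding = pending.pop((m.group(1), m.group(2)), None)
            if finding is not None:
                finding["err"] = int(m.group(3))
    return findings


def summarize(findings):
    """Count suspicious searches per client address."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS_LOG.splitlines()):
        print(f["client"], f"conn={f['conn']} op={f['op']}", f"err={f['err']}",
              ",".join(f["reasons"]), f["base"])
```

The `err` field stays `None` when the matching RESULT line is missing, for example at the end of a rotated log.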

Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
I'll try to reproduce the problem tomorrow on my test server using the same
ldif file. The server had also the changelog enabled (for replication
purposes).

2010/8/25 Noriko Hosoi 

>  Thanks for your input, Andrey!  I tested the latest server (built from git
> trunk) using your data.  I had no problem to add the entry and search it
> using scope base or sub.  Could you please give us the steps how to
> reproduce your problem?
>
> Thanks!
> --noriko
>
>
> On 08/25/2010 10:49 AM, Andrey Ivanov wrote:
>
> 2010/8/25 Noriko Hosoi 
>
>>  Hi Andrey,
>>
>> Looking at this line, ', is not a UTF-8 representation of apostrophe.
>>  Rather a Latin-1 representation?  Also, it contains ',' in the rdn value
>> without an escape.  It's considered a separator between rdns. I wonder who
>> created the input DN...?
>
> Hi Noriko, i have exported the complete ldif of userRoot database with
> db2ldif.pl of our current production server - 1.2.5.rc3 :
> db2ldif.pl -D "cn=Backup, cn=config" -w  'some password '-n userRoot -a
> /Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif
>
> The corresponding extract from ldif file is
> ...
> # entry-id: 5405
> dn: cn=SALON D'HONNEUR,ou=objets,dc=id,dc=polytechnique,dc=edu
> nsUniqueId: 50a40f2e-251a11de-99ffa90c-effa97ef
> modifyTimestamp: 20100129123533Z
> modifiersName:
> uid=andrey.ivanov,ou=personnel,ou=utilisateurs,dc=id,dc=polytec
>  hnique,dc=edu
> departmentNumber: DG/SG/MG/REST
> telephoneNumber: +33169333703
> X-UniqueId: 50a40f2e-251a11de-99ffa90c-effa97ef
> ou: ou=rest,ou=mg,ou=sg,ou=dg,ou=organisation,dc=id,dc=polytechnique,dc=edu
> title: SALON D'HONNEUR
> objectClass: top
> objectClass: X-Object
> cn: SALON D'HONNEUR
> X-majaxIndex: 17988
> creatorsName:
> createTimestamp: 20090811160546Z
> ...
>
>  The error seems to appear only in 1.2.7.a1 version, the 1.2.6.rc7 version
> does not show any errors at all concerning this entry...
>
>
>>
>> entryrdn-index - entryrdn_index_read: Param error: Failed to convert
>> cn=salon d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
>>
>>  Thanks,
>>  --noriko
>>
>>
>> On 08/25/2010 08:35 AM, Andrey Ivanov wrote:
>>
>>> Hi,
>>>
>>> i'm continuing to test the latest version of 389. Here are the error
>>> messages that i've seen (it happened only once for now) in error log :
>>>
>>> [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param
>>> error: Failed to convert cn=salon
>>> d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
>>> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for cn=salon
>>> d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index
>>> (34)
>>> [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param
>>> error: Failed to convert honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to
>>> Slapi_RDN
>>> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
>>> honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)
>>>
>>>
>>> The object in question is
>>> cn=SALON D'HONNEUR,ou=Objets,dc=id,dc=polytechnique,dc=edu
>>> departmentNumber: DG/SG/MG/REST
>>> objectClass: top
>>> cn: SALON D'HONNEUR
>>>
>>> What is the problem with this entry, conversion to Slapi_DN and entryrdn
>>> index? Here are the
>>> corresponding entries extracted with dbscan :
>>>
>>> 5370:cn=salon d'honneur
>>>   ID: 5370; RDN: "cn=SALON D'HONNEUR"; NRDN: "cn=salon d'honneur"
>>>
>>> C3106:ou=objets
>>>   ID: 5370; RDN: "cn=SALON D'HONNEUR"; NRDN: "cn=salon d'honneur"
>>>
>>> P5370:cn=salon d'honneur
>>>   ID: 3106; RDN: "ou=Objets"; NRDN: "ou=objets"
>>>
>>>
>>>
>>> I have not made any upgrades of the existing server. Instead, i have
>>> exported the ldif by db2ldif and then imported it into the new server,
>>> so there was no conversion phase.
>>>
>>>
>>> Andrey Ivanov
>>> tel +33-(0)1-69-33-99-24
>>> fax +33-(0)1-69-33-99-55
>>>
>>> Direction des Systemes d'Information
>>> Ecole Polytechnique
>>> 91128 Palaiseau CEDEX
>>> France
>>>

Re: [389-users] Incremental Replication over SSL ( and startTLS) with simple bind crashes the latest version

2010-08-25 Thread Andrey Ivanov
2010/8/25 Rich Megginson 

> Andrey Ivanov wrote:
>
>> I wanted to configure the replication over SSL (both with SSL
>> mechanism which was available in previous versions) and by TLS using
>> simple bind (both in multimaster or single master-dedicated consumer
>> models).
>>
>> I've tried to configure it with command line and with the console. The
>> configuration and the initial initialisation are ok :
>>
>> [25/Aug/2010:18:30:44 +0200] NSMMReplicationPlugin -
>> replica_config_delete: Warning: The changelog for replica
>> dc=id,dc=polytechnique,dc=edu is no longer valid since the replica config is
>> being deleted.  Removing the changelog.
>> [25/Aug/2010:18:34:33 +0200] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=id,dc=polytechnique,dc=edu is going
>> offline; disabling replication
>> [25/Aug/2010:18:34:33 +0200] - WARNING: Import is running with
>> nsslapd-db-private-import-mem on; No other process is allowed to access the
>> database
>> [25/Aug/2010:18:34:39 +0200] - import userRoot: Workers finished; cleaning
>> up...
>> [25/Aug/2010:18:34:40 +0200] - import userRoot: Workers cleaned up.
>> [25/Aug/2010:18:34:40 +0200] - import userRoot: Indexing complete.
>>  Post-processing...
>> [25/Aug/2010:18:34:40 +0200] - import userRoot: Flushing caches...
>> [25/Aug/2010:18:34:40 +0200] - import userRoot: Closing files...
>> [25/Aug/2010:18:34:40 +0200] - import userRoot: Import complete.
>>  Processed 9523 entries in 7 seconds. (1360.43 entries/sec)
>> [25/Aug/2010:18:34:40 +0200] NSMMReplicationPlugin -
>> multimaster_be_state_change: replica dc=id,dc=polytechnique,dc=edu is coming
>> online; enabling replication
>>
>> But when i continue and try to make a change on a master the consumer
>> server crashes. So the total replica initialisation is ok but even a
>> single incremental update crashes the consumer server. And there is
>> nothing helpful in logs. I haven't tried the 1.2.6.rc7 version, i've
>> tried the latest code version (as of today). Don't know if it matters
>> (there seem to be a lot of coverity defects that have been fixed
>> between rc7 and a1).
>>
>>
> Can you get a core file and a stack trace?


Rich, just as i thought, this crash happens only with today's snapshot of
1.2.7.a1 version only. I've compiled 1.2.6.rc7 and the replication works
smoothly and without any problem. I didn't have a lot of time to generate a
stack trace because i was migrating our production servers. I thought the
latest build should be stable but it seems that the changes between 6rc7 and
7a1 introduce some problems with incremental replication as well as with
apostrophes in DN (my second mail). So for now i will migrate to 1.2.6.rc7.
I'll test the a1 version later when i will have time...

Thanks!

Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
2010/8/25 Noriko Hosoi 

>  Hi Andrey,
>
> Looking at this line, ', is not a UTF-8 representation of apostrophe.
>  Rather a Latin-1 representation?  Also, it contains ',' in the rdn value
> without an escape.  It's considered a separator between rdns. I wonder who
> created the input DN...?

Hi Noriko, i have exported the complete ldif of userRoot database with
db2ldif.pl of our current production server - 1.2.5.rc3 :
db2ldif.pl -D "cn=Backup, cn=config" -w  'some password '-n userRoot -a
/Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif

The corresponding extract from ldif file is
...
# entry-id: 5405
dn: cn=SALON D'HONNEUR,ou=objets,dc=id,dc=polytechnique,dc=edu
nsUniqueId: 50a40f2e-251a11de-99ffa90c-effa97ef
modifyTimestamp: 20100129123533Z
modifiersName:
uid=andrey.ivanov,ou=personnel,ou=utilisateurs,dc=id,dc=polytec
 hnique,dc=edu
departmentNumber: DG/SG/MG/REST
telephoneNumber: +33169333703
X-UniqueId: 50a40f2e-251a11de-99ffa90c-effa97ef
ou: ou=rest,ou=mg,ou=sg,ou=dg,ou=organisation,dc=id,dc=polytechnique,dc=edu
title: SALON D'HONNEUR
objectClass: top
objectClass: X-Object
cn: SALON D'HONNEUR
X-majaxIndex: 17988
creatorsName:
createTimestamp: 20090811160546Z
...

 The error seems to appear only in 1.2.7.a1 version, the 1.2.6.rc7 version
does not show any errors at all concerning this entry...


>
> entryrdn-index - entryrdn_index_read: Param error: Failed to convert
> cn=salon d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
>
> Thanks,
> --noriko
>
>
> On 08/25/2010 08:35 AM, Andrey Ivanov wrote:
>
>> Hi,
>>
>> i'm continuing to test the latest version of 389. Here are the error
>> messages that i've seen (it happened only once for now) in error log :
>>
>> [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param
>> error: Failed to convert cn=salon
>> d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
>> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for cn=salon
>> d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index
>> (34)
>> [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param
>> error: Failed to convert honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to
>> Slapi_RDN
>> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
>> honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)
>>
>>
>> The object in question is
>> cn=SALON D'HONNEUR,ou=Objets,dc=id,dc=polytechnique,dc=edu
>> departmentNumber: DG/SG/MG/REST
>> objectClass: top
>> cn: SALON D'HONNEUR
>>
>> What is the problem with this entry, conversion to Slapi_DN and entryrdn
>> index? Here are the
>> corresponding entries extracted with dbscan :
>>
>> 5370:cn=salon d'honneur
>>   ID: 5370; RDN: "cn=SALON D'HONNEUR"; NRDN: "cn=salon d'honneur"
>>
>> C3106:ou=objets
>>   ID: 5370; RDN: "cn=SALON D'HONNEUR"; NRDN: "cn=salon d'honneur"
>>
>> P5370:cn=salon d'honneur
>>   ID: 3106; RDN: "ou=Objets"; NRDN: "ou=objets"
>>
>>
>>
>> I have not made any upgrades of the existing server. Instead, i have
>> exported the ldif by db2ldif and then imported it into the new server,
>> so there was no conversion phase.
>>
>>
>> Andrey Ivanov
>> tel +33-(0)1-69-33-99-24
>> fax +33-(0)1-69-33-99-55
>>
>> Direction des Systemes d'Information
>> Ecole Polytechnique
>> 91128 Palaiseau CEDEX
>> France
>>

[389-users] Incremental Replication over SSL ( and startTLS) with simple bind crashes the latest version

2010-08-25 Thread Andrey Ivanov
I wanted to configure the replication over SSL (both with SSL
mechanism which was available in previous versions) and by TLS using
simple bind (both in multimaster or single master-dedicated consumer models).

I've tried to configure it with command line and with the console. The
configuration and the initial initialisation are ok :

[25/Aug/2010:18:30:44 +0200] NSMMReplicationPlugin - replica_config_delete: 
Warning: The changelog for replica dc=id,dc=polytechnique,dc=edu is no longer 
valid since the replica config is being deleted.  Removing the changelog.
[25/Aug/2010:18:34:33 +0200] NSMMReplicationPlugin - 
multimaster_be_state_change: replica dc=id,dc=polytechnique,dc=edu is going 
offline; disabling replication
[25/Aug/2010:18:34:33 +0200] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
[25/Aug/2010:18:34:39 +0200] - import userRoot: Workers finished; cleaning up...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Workers cleaned up.
[25/Aug/2010:18:34:40 +0200] - import userRoot: Indexing complete.  
Post-processing...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Flushing caches...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Closing files...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Import complete.  Processed 
9523 entries in 7 seconds. (1360.43 entries/sec)
[25/Aug/2010:18:34:40 +0200] NSMMReplicationPlugin - 
multimaster_be_state_change: replica dc=id,dc=polytechnique,dc=edu is coming 
online; enabling replication

But when I continue and try to make a change on a master the consumer
server crashes. So the total replica initialisation is ok but even a
single incremental update crashes the consumer server. And there is
nothing helpful in logs. I haven't tried the 1.2.6.rc7 version, I've
tried the latest code version (as of today). Don't know if it matters
(there seem to be a lot of coverity defects that have been fixed
between rc7 and a1).


Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France



Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov

AI> i'm continuing to test the latest version of 389. Here are the error
AI> messages that i've seen (it happened only once for now) in error log :

AI> [25/Aug/2010:17:21:10 +0200] entryrdn-index -
AI> entryrdn_index_read: Param error: Failed to convert cn=salon
AI> d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
AI> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
AI> cn=salon d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from
AI> entryrdn index (34)
AI> [25/Aug/2010:17:21:10 +0200] entryrdn-index -
AI> entryrdn_index_read: Param error: Failed to convert
AI> honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
AI> [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
AI> honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)


These messages continue to appear, each time for a new entry. All
these entries contain the apostrophe "'":

[25/Aug/2010:18:34:31 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert cn=cadre 
d',astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:18:34:31 +0200] - dn2entry: Failed to get id for cn=cadre 
d',astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index 
(34)
[25/Aug/2010:18:34:31 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:18:34:31 +0200] - dn2entry: Failed to get id for 
astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)

...



Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France



[389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
Hi,

I'm continuing to test the latest version of 389. Here are the error
messages that I've seen (it happened only once for now) in error log:

[25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert cn=salon 
d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for cn=salon 
d',honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)
[25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for 
honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)


The object in question is
cn=SALON D'HONNEUR,ou=Objets,dc=id,dc=polytechnique,dc=edu
departmentNumber: DG/SG/MG/REST
objectClass: top
cn: SALON D'HONNEUR

What is the problem with this entry, conversion to Slapi_DN and entryrdn index?
Here are the corresponding entries extracted with dbscan:

5370:cn=salon d'honneur
  ID: 5370; RDN: "cn=SALON D'HONNEUR"; NRDN: "cn=salon d'honneur"

C3106:ou=objets
  ID: 5370; RDN: "cn=SALON D'HONNEUR"; NRDN: "cn=salon d'honneur"

P5370:cn=salon d'honneur
  ID: 3106; RDN: "ou=Objets"; NRDN: "ou=objets"



I have not made any upgrades of the existing server. Instead, I have
exported the ldif by db2ldif and then imported it into the new server,
so there was no conversion phase.


Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France



Re: [389-users] Outlook VLV index and western europe diacritics

2010-08-25 Thread Andrey Ivanov
2010/8/25 Rich Megginson 

> Andrey Ivanov wrote:
>
>> Hi,
>>
>> I  am  testing  the  389 latest git version. There is one thing i have
>> noticed  concerning Outlook browsing of LDAP and VLV indexes. Though i
>> think  the  change  has  happened already some time ago, in one of the
>> previous versions.
>>
>>
> Can you confirm the last version that this worked in?  I suspect this had
> something to do with my matching rule changes in 1.2.6.  The goal is that it
> should work the same way as before, so this is definitely a bug.

No. It is not a bug, it was my mistake. I've just tested several versions
of 389 and FDS (1.2.x, 1.1.x and 1.0.4). They all exhibit the same behavior
concerning the sorting of CNs in VLV browsing.

So then I still have this second question - is there a way to change the vlv
index sort in order to sort according to nsMatchingRule? Or it would be a
feature request?

*) I've tried to add collation rules to vlv index entries but putting the
value of the attribute vlvSort to
"cn:2.16.840.1.113730.3.3.2.18.1.6" or to "cn:fr". It does not work.
Instead of changing the sorting order it produces some strange contents in
the index vlv#outlookbrowseindex.db4 file.

**) then I thought that maybe I should change the cn index ordering and I
have added "nsMatchingRule: 2.16.840.1.113730.3.3.2.18.1" to the cn indexes
in dse.ldif. However reindexing does not actually change the order in
cn.db4 (even after reindexing by something explicit like db2index -n userRoot
-t cn:eq,pres,sub:2.16.840.1.113730.3.3.2.18.1 ) in the index .db4 files.

[389-users] Outlook VLV index and western europe diacritics

2010-08-24 Thread Andrey Ivanov
Hi,

I am testing the 389 latest git version. There is one thing I have
noticed concerning Outlook browsing of LDAP and VLV indexes. Though I
think the change has happened already some time ago, in one of the
previous versions.

To make the LDAP Outlook browsing work correctly I've always used the steps
described in the doc
(http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Creating_Indexes-Creating_VLV_Indexes.html):

dn: cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: Outlook Browse
objectClass: top
objectClass: vlvsearch
vlvBase: ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu
vlvFilter: (&(mail=*)(cn=*))
vlvScope: 2


dn: cn=Outlook Browse Index,cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=
 plugins,cn=config
cn: Outlook Browse Index
objectClass: top
objectClass: vlvindex
vlvEnabled: 1
vlvSort: cn



This creates a VLV index, sorts the entries by cn and shows them in Outlook:
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 SRCH 
base="ou=utilisateurs,dc=id,dc=polytechnique,dc=edu" scope=2 
filter="(&(mail=*)(cn=*))" attrs="cn cn mail roleOccupant display-name 
displayName sn sn co o o givenName legacyexchangedn objectClass uid 
mailnickname title company physicalDeliveryOfficeName telephoneNumber"
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 SORT cn 
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 VLV 0:0:xac 7860:8001 (0)
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 RESULT err=0 tag=101 nentries=1 
etime=0.009000
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 SRCH 
base="ou=utilisateurs,dc=id,dc=polytechnique,dc=edu" scope=2 
filter="(&(mail=*)(cn=*))" attrs="cn cn mail roleOccupant display-name 
displayName sn sn co o o givenName legacyexchangedn objectClass uid 
mailnickname title company physicalDeliveryOfficeName telephoneNumber"
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 SORT cn 
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 VLV 0:27:7859:8001 7860:8001 (0)
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 RESULT err=0 tag=101 nentries=28 
etime=0.019000



In (relatively old) previous versions of the server the sorting took
into account the accentuated letters (like é, for example). The CNs
with these letters were sorted correctly (that is, é after d and
before f). So the entries were sorted by VLV like this:

...
Tdo Not
Ten Toys
Tén Toys   <<<--
Tfk Nev
Tgl Mu
...
Tzzz Too
Uart New
...

With the recent versions the server orders the CN strictly according to ASCII
(I think):

...
Tdo Not
Ten Toys
Tfk Nev
Tgl Mu
...
Tzzz Too
Tén Toys<<<--
Uart New
...


That is, all the diacritical letters appear after "z".

I have looked into the vlv#outlookbrowseindex.db4 file by dbscan and
the order corresponds exactly to what Outlook shows.

The questions are :
-whether it is how it should work and
-how do i revert to the old server behavior.


The sorting with collation (that is, something like
my $sort_control = Net::LDAP::Control::Sort -> new( order => "cn:2.16.840.1.113730.3.3.2.18.1.6", critical => 1)
) works perfectly (i.e. é is after d and before f).

I've tried several ideas to return to the old behavior :

*) I've tried to add collation rules to vlv index entries but putting
the value of the attribute vlvSort to
"cn:2.16.840.1.113730.3.3.2.18.1.6" or to "cn:fr" does not work
either. Instead of changing the sorting order it produces some strange
contents in the index vlv#outlookbrowseindex.db4 file.


**) then I thought that maybe I should change the cn index ordering
and I have added "nsMatchingRule: 2.16.840.1.113730.3.3.2.18.1" to the
cn indexes in dse.ldif. However reindexing does not actually change
the order (even after reindexing by something explicit like db2index -n
userRoot -t cn:eq,pres,sub:2.16.840.1.113730.3.3.2.18.1 ) in the index
.db4 files.


Any ideas/suggestions?


Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France



Re: [389-users] RHDS and Radius Certificate

2010-03-24 Thread Andrey Ivanov
2010/3/23 Natr Brazell 

> I think I would understand it more if I understood the following sections:
>
> cacertfile =  /usr/local/etc/freeradius/certs/CA_certif.crt
> (If I am doing testing how do I make this file)
>
>
>
It's the public certificate of the CA that has signed (in our case) both 389
and freeradius certificates.



> Do I really need this section.  I don't have, nor will I have any Wi-Fi and
> all users connecting in my case are on the same VLAN.
>
> access_attr_used_for_allow = yes
> access_attr = "X-Vlan-WiFi"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
No, as I told you this section is only necessary if you want to pass some
parameters from LDAP to radius. In your case you don't need this.



> Again as in the first note above.
>
> private_key_file = ${certdir}/
> certificate_file = ${certdir}/<
> CA_file = ${certdir}/CA_certif.crt
> Doing an initial test without the need of an official CA.  What's the
> difference in the above 3 files and how do I generate them.  If I sound like
> a dunce, I am in this respect.  PKI is fairly new for me to configure.  I
> understand it in theory but getting all the pieces to fit is confusing.
>
These are the private key and certificate of the freeradius server, signed by a
CA. In our case it's the same CA as in cacertfile. In order to generate
them we use openssl, you can try tinyCA or some other web/gui manager of
PKI. It's more of a certificates/PKI question than an LDAP one...



>

> Thanks for the useful responses.
> N
> 2010/3/23 Andrey Ivanov 
>
> Hi,
>>
>> exactly the same freeradius configuration applies to RHDS and OpenLdap.
>> Depending on how you want to authenticate users you may use either
>> login/password or user certificate, both types of authentication are
>> configurable on freeradius and on RHDS.  We use freeradius with 3 master 389
>> servers and login/password (EAP-TTLS with PAP) and it works without any
>> problem. Here is an example of modules/ldap freeradius config file for our
>> case :
>>
>> ldap Ldap-First {
>> server = 
>> port = 389
>> net_timeout = 2
>> timeout = 10
>> timelimit = 10
>> #ldap_debug = 0x
>> identity = "uid=radius,dc=example,dc=com"
>> password = 
>> ldap_connections_number = 5
>> basedn = "ou=users,dc=example,dc=com"
>> filter = "(&(uid=%{User-Name})(objectClass=inetOrgPerson))"
>> base_filter = "(objectclass=inetOrgPerson)"
>>
>> tls {
>> start_tls = yes
>> tls_mode = no
>> cacertfile = /usr/local/etc/freeradius/certs/CA_certif.crt
>> require_cert = demand
>> }
>>
>> access_attr_used_for_allow = yes
>> access_attr = "X-Vlan-WiFi"
>> dictionary_mapping = ${raddbdir}/ldap.attrmap
>>
>> set_auth_type = yes
>> }
>>
>>
>> Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where
>> the user should be after connection. CA_certif.crt is the certif of the
>> certification authority that signed ldap's certificate (used during
>> establishing the TLS session between radius and ldap server) and radius'
>> certificate.
>>
>> The file eap.conf :
>> eap {
>> default_eap_type = ttls
>> timer_expire = 60
>> ignore_unknown_eap_types = no
>> cisco_accounting_username_bug = no
>> max_sessions = 2048
>>
>> tls {
>> certdir = ${confdir}/certs
>>
>> private_key_file = ${certdir}/
>> certificate_file = ${certdir}/<
>> CA_file = ${certdir}/CA_certif.crt
>> cipher_list = "DEFAULT"
>>
>> dh_file = ${certdir}/dh
>> random_file = ${certdir}/random
>>
>> fragment_size = 1024
>> include_length = yes
>>
>> }
>>
>> ttls {
>> default_eap_type = md5
>> copy_request_to_tunnel = yes
>> use_tunneled_reply = yes
>> }
>> }
>>
>> 2010/3/22 Natr Brazell 
>>
>>>  I am trying to configure my freeradius box to use TLS to my RHDS
>>> server.  I find many references to what to do with OpenL
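
The three TLS files asked about in this thread (the CA certificate, the server's private key, and the server's certificate signed by that CA) can be produced for a lab test with openssl, the tool the reply names. This is an added example, not part of the original messages: the names server.key and server.crt and the host name are assumptions (the thread elides the real ones), and the CA is a throwaway for testing only.

```shell
#!/bin/sh
# Added example: throwaway test CA plus one server certificate signed by it.
# CA_certif.crt is the name used in the thread; server.key, server.crt and
# the host name are assumptions made for this example.

# make_test_pki DIR HOST: create CA_certif.{key,crt} and server.{key,csr,crt}
make_test_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077    # keys are created readable by their owner only

        # 1. Self-signed CA certificate: this is cacertfile / CA_file.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=Lab Test CA" \
            -keyout CA_certif.key -out CA_certif.crt 2>/dev/null || exit 1

        # 2. Server private key (private_key_file) and signing request.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$host" \
            -keyout server.key -out server.csr 2>/dev/null || exit 1

        # 3. The CA signs the request: this is certificate_file.
        openssl x509 -req -in server.csr -sha256 -days 30 \
            -CA CA_certif.crt -CAkey CA_certif.key -CAcreateserial \
            -out server.crt 2>/dev/null || exit 1
    )
}

# check_test_pki DIR: succeed only if server.crt chains to the CA and
# server.key is the private key belonging to server.crt.
check_test_pki() {
    dir=$1
    openssl verify -CAfile "$dir/CA_certif.crt" "$dir/server.crt" \
        >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: make_test_pki ./certs radius.example.test && check_test_pki ./certs
```

Only CA_certif.crt needs to be copied to the peers that verify the server; CA_certif.key and server.key stay on the machines that own them.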

Re: [389-users] search on mail attribute no longer case insensative

2010-01-27 Thread Andrey Ivanov
I've just tested it. Yes, I confirm, the search for the "mail"
attribute is case-sensitive. In our system it's not a problem because
all the mails are lowercase... I think it is somehow connected to the
syntax validation feature included recently...

2010/1/27 Terry Soucy :
> Good morning Folks,
>
> We upgraded from 389 DS 1.2.2 to 1.2.5 this AM and found that searches
> on the mail attribute are no longer case insensitive.  Has anyone else
> found this?
>
> Terry
> --
> Terry Soucy, Systems Analyst              Integrated Technology Services
> University of New Brunswick, Fredericton Campus   http://www.unbf.ca/its
> Voice: 506.447.3018     Fax: 506.453.3590     E-mail: terry.so...@unb.ca
> **    ITS is a scent-reduced workplace -  www.unbf.ca/its/policies    **


Re: [389-users] require ssl/tls only for binding as user

2010-01-11 Thread Andrey Ivanov
You have also this (starting from version 1.2.1) :

* Add require secure binds switch
  o This adds a new configuration attribute named
    nsslapd-require-secure-binds. When enabled, a simple bind will only be
    allowed over a secure transport (SSL/TLS or a SASL privacy layer). An
    attempt to do a simple bind over an insecure transport will return a
    LDAP result of LDAP_CONFIDENTIALITY_REQUIRED. This new setting will
    not affect anonymous or unauthenticated binds.
  o The default setting is to have this option disabled.



2010/1/11 Johannes Woerner :
>> I'm evaluating the migrating of an openldap installation to
>>
>> > 389 directory server (ca 1200 user objects).
>> > With openldap I can restrict client authentication to ssl/tls ldap
>> > connections and
>> > in parallel allow anonymous (unencrypted) access to items like phone
>> > number etc.
>> > (slapd.conf with: "security simple_bind=56")
>> >
>> > Is there a way you can do this with 389 directory server?
>> Yes. By using ACIs and the features described here :
>>
>> http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-_October_7.2C_2009
>
> Thank you, I missed this.
>
> Best regards
> Johannes
>
>
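
Before nsslapd-require-secure-binds is switched on, it helps to know which clients still send simple binds with a DN over a connection that has no TLS, since those are the binds that would start failing with LDAP_CONFIDENTIALITY_REQUIRED. This is an added example, not from the thread or the 389 project: the sample log lines are constructed, and the connection, BIND and cipher line layouts are assumed to follow the access log format quoted elsewhere on this page.

```shell
#!/bin/sh
# Added example: list simple binds that carried a DN over a connection with
# no TLS yet. Log line layouts are assumed; the sample lines are constructed.

# audit_cleartext_binds: access log on stdin, prints "CONN DN" per finding.
# Limitation: an unauthenticated bind (DN with empty password) looks the same
# on the BIND line as a password bind, so it is listed as well.
audit_cleartext_binds() {
    awk '
    {   # locate the conn=N field and remember the field that follows it
        conn = ""; nxt = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^conn=[0-9]+$/) { conn = substr($i, 6); nxt = $(i + 1); break }
        if (conn == "") next
    }
    # New connection: LDAPS connections are logged as "SSL connection from".
    / connection from / { secure[conn] = ($0 ~ / SSL connection from /) ? 1 : 0 }
    # Cipher line such as "conn=N SSL 256-bit AES": TLS is now active
    # (written after an LDAPS handshake or after a successful startTLS).
    nxt ~ /^(SSL|TLS)/ { secure[conn] = 1 }
    # method=128 is a simple bind; an empty dn is an anonymous bind.
    / BIND / && /method=128( |$)/ && match($0, /dn="[^"]*"/) {
        dn = substr($0, RSTART + 4, RLENGTH - 5)
        if (dn != "" && !secure[conn]) print conn, dn
    }
    '
}

# Constructed sample: cleartext bind, startTLS then bind, LDAPS bind,
# anonymous bind, SASL bind, and a bind sent before startTLS.
sample_log() {
    cat <<'EOF'
[11/Jan/2010:10:00:00 +0100] conn=1 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[11/Jan/2010:10:00:00 +0100] conn=1 op=0 BIND dn="uid=alice,ou=users,dc=example,dc=com" method=128 version=3
[11/Jan/2010:10:00:01 +0100] conn=2 fd=65 slot=65 connection from 192.0.2.11 to 192.0.2.1
[11/Jan/2010:10:00:01 +0100] conn=2 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[11/Jan/2010:10:00:01 +0100] conn=2 SSL 256-bit AES
[11/Jan/2010:10:00:01 +0100] conn=2 op=1 BIND dn="uid=bob,ou=users,dc=example,dc=com" method=128 version=3
[11/Jan/2010:10:00:02 +0100] conn=3 fd=66 slot=66 SSL connection from 192.0.2.12 to 192.0.2.1
[11/Jan/2010:10:00:02 +0100] conn=3 SSL 256-bit AES
[11/Jan/2010:10:00:02 +0100] conn=3 op=0 BIND dn="uid=carol,ou=users,dc=example,dc=com" method=128 version=3
[11/Jan/2010:10:00:03 +0100] conn=4 fd=67 slot=67 connection from 192.0.2.13 to 192.0.2.1
[11/Jan/2010:10:00:03 +0100] conn=4 op=0 BIND dn="" method=128 version=3
[11/Jan/2010:10:00:04 +0100] conn=5 fd=68 slot=68 connection from 192.0.2.14 to 192.0.2.1
[11/Jan/2010:10:00:04 +0100] conn=5 op=0 BIND dn="uid=dave,ou=users,dc=example,dc=com" method=sasl version=3 mech=GSSAPI
[11/Jan/2010:10:00:05 +0100] conn=6 fd=69 slot=69 connection from 192.0.2.15 to 192.0.2.1
[11/Jan/2010:10:00:05 +0100] conn=6 op=0 BIND dn="cn=app,ou=services,dc=example,dc=com" method=128 version=3
[11/Jan/2010:10:00:05 +0100] conn=6 op=1 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[11/Jan/2010:10:00:05 +0100] conn=6 SSL 256-bit AES
EOF
}

# Usage: sample_log | audit_cleartext_binds
```

On the sample it reports conn 1 (bind with no TLS at all) and conn 6 (bind sent before startTLS), and leaves the startTLS, LDAPS, anonymous and SASL binds alone.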