Re: [389-users] MemberOf plugin behavior change in 1.3.3.

2015-08-04 Thread Andrey Ivanov
Looks like the behavior change was introduced in this ticket:
https://fedorahosted.org/389/ticket/47810






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

[389-users] MemberOf plugin behavior change in 1.3.3.

2015-08-04 Thread Andrey Ivanov
Hi,

just wanted to share our experience. We've recently migrated from 1.3.2.x
to 1.3.3.x in our production environment (CentOS7, x86_64, three 389ds in
multimaster replication).

So far everything looks fine but we have two issues - one important and the
other is more a documentation flaw/behavior change.

* The important issue - crash at shutdown when ACIs with IP address are
present (https://fedorahosted.org/389/ticket/48233). The possible effect
could be the database corruption and/or replication problems after shutdown
and restart (replica_check_for_data_reload: Warning: disordely shutdown
for replica dc=example,dc=com. Check if DB RUV needs to be updated). The
workaround for now is that we are not restarting our 389ds servers :)

** The change of behavior/consistency issue: since the memberOf plugin has been
redesigned in 1.3.3
(http://www.port389.org/docs/389ds/design/memberof-plugin-configuration.html)
its behavior has changed a bit. Previously the plugin added the uniqueMember
attribute in any case when it was requested and tried to add the memberOf
to the linked entry. If memberOf was not allowed by schema there was an
error message like this one:
Entry uid=user1,ou=People,dc=example,dc=com -- attribute memberOf not
allowed

In the version 1.3.3 (both rpm in CentOS 7.1 and compiled from source
1.3.3.12) this behavior has changed - the plugin refuses to add the
uniqueMember attribute if the corresponding linked entry is not allowed to
have the memberOf attribute. Example using the standard sample entries
installed with the server (dc=example,dc=com):

Activate memberOf plugin with
nsslapd-pluginEnabled: on
memberofgroupattr: uniquemember
memberofattr: memberOf


Add the following group:
cn=LDAP Test group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: LDAP Test Group


Try to add the following member (the entry exists and is of
objectClass=inetOrgPerson):

dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: uid=user1,ou=People,dc=example,dc=com
-

The modification of uniqueMember will be refused with error 65 (object
class violation). The error log:
[04/Aug/2015:10:58:17 +0200] - Entry
uid=user1,ou=People,dc=example,dc=com -- attribute memberOf not allowed
[04/Aug/2015:10:58:17 +0200] memberof-plugin - memberof_postop_modify:
failed to add dn (cn=LDAP Test group,ou=Groups,dc=example,dc=com) to
target.  Error (65)


At the same time, if we do a replace of uniqueMember instead of an add,
then it works:

dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
changetype: modify
replace: uniqueMember
uniqueMember: uid=user1,ou=People,dc=example,dc=com
-

The error message in this case is information only and the modification is
not refused:
[04/Aug/2015:11:04:45 +0200] - Entry
uid=user1,ou=People,dc=example,dc=com -- attribute memberOf not allowed


So either this change in behavior is intentional, and in this case:
- it should be present in release notes/documentation
- it should be consistent - the replace operation should not work since
add does not work

or, if it is not intentional, it should return to the old behavior - only
an informational error message (like with replace). In this case, the add
operation should be fixed and allowed.

For now, as a workaround we have changed the schema to allow memberOf
attribute in all the classes used in entries referenced by uniqueMember
in our directory.


Regards,
Andrey

Re: [389-users] MemberOf plugin behavior change in 1.3.3.

2015-08-04 Thread Andrey Ivanov
Hi Mark,

thank you for your rapid reply,

2015-08-04 16:14 GMT+02:00 Mark Reynolds marey...@redhat.com:

 Looks like the behavior change was introduced in this ticket:
 https://fedorahosted.org/389/ticket/47810

 Yes, with the introduction of backend transaction plugins in 1.3.3, if a
 plugin fails to do its job, the entire operation should fail.  This
 applies to all the plugins now.  I believe this was documented in the DS 10
 release notes, and for upstream releases the ticket that applied this
 change was listed here(
 http://www.port389.org/docs/389ds/releases/release-1-3-3-0.html).  I
 apologize for any inconvenience this has caused you.   See more comments
 below...


No problem. On the contrary, I really think it's better that the whole
operation is rejected now - at least, there is a certain consistency,
atomicity and logic now.
And yes, the general idea of transaction plugins was mentioned several times
and I've seen it in the release notes, but the real implications are a bit
less obvious, as I have found out on my own example :)




 ** The change of behavior/consistency issue: since memberOf plugin has
 been redesigned in 1.3.3 (
 http://www.port389.org/docs/389ds/design/memberof-plugin-configuration.html)
 its behavior has changed a bit.


 As you noted this design change is not what impacted the behavior you are
 now seeing, but the change to make most plugins backend transaction aware.

Yes, absolutely. It was my initial hypothesis until I found (using
git) the ticket that introduced the change.


 The modification of uniqueMember will be refused with error 65 (object
 class violation). The error log:
 [04/Aug/2015:10:58:17 +0200] - Entry
 uid=user1,ou=People,dc=example,dc=com -- attribute memberOf not allowed
 [04/Aug/2015:10:58:17 +0200] memberof-plugin - memberof_postop_modify:
 failed to add dn (cn=LDAP Test group,ou=Groups,dc=example,dc=com) to
 target.  Error (65)


 At the same time, if we do a replace of uniqueMember instead of an add,
 then it works:

 dn: cn=LDAP Test group,ou=Groups,dc=example,dc=com
 changetype: modify
 replace: uniqueMember
 uniqueMember: uid=user1,ou=People,dc=example,dc=com
 -

 The error message in this case is information only and the modification
 is not refused:
 [04/Aug/2015:11:04:45 +0200] - Entry
 uid=user1,ou=People,dc=example,dc=com -- attribute memberOf not allowed

 This is a bug then, it should have been refused.  I'll reopen ticket 47810
 to address this...

Ok, the consistent behavior should be a priority - if it does not work for
add it should not work for replace either. If you want, I can open a
separate ticket.





 For now, as a workaround we have changed the schema to allow memberOf
 attribute in all the classes used in entries referenced by uniqueMember
 in our directory.

 Or use a standard objectclass that allows memberOf like:  inetUser.


Yep. Especially since it's an auxiliary class.

But in our case historically we have two or three custom classes with
special attributes not present in standard LDAP schema, it's easier to
change the schema for these two classes than to rewrite all the software
creating and managing the entries with these custom classes.

Thank you!
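An added example, not code from the thread or from the 389 project: a small Python parser for the two errors-log line formats quoted in this thread. It separates the refused modifications (the add path, where the client gets error 65) from the silent ones (the replace path, where the group change is accepted but the member never receives memberOf, so memberOf-based filters quietly miss it). The sample log is constructed; the uid=user2 lines are an added pair, the rest are the lines quoted above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample errors log. The first three lines are the ones quoted in the
# thread; the uid=user2 pair is an added, constructed event to show aggregation.
SAMPLE_ERRORS_LOG = """\
[04/Aug/2015:10:58:17 +0200] - Entry uid=user1,ou=People,dc=example,dc=com -- attribute memberOf not allowed
[04/Aug/2015:10:58:17 +0200] memberof-plugin - memberof_postop_modify: failed to add dn (cn=LDAP Test group,ou=Groups,dc=example,dc=com) to target.  Error (65)
[04/Aug/2015:11:04:45 +0200] - Entry uid=user1,ou=People,dc=example,dc=com -- attribute memberOf not allowed
[04/Aug/2015:11:09:03 +0200] - Entry uid=user2,ou=People,dc=example,dc=com -- attribute memberOf not allowed
[04/Aug/2015:11:09:03 +0200] memberof-plugin - memberof_postop_modify: failed to add dn (cn=LDAP Test group,ou=Groups,dc=example,dc=com) to target.  Error (65)
"""

# Schema violation logged by the core server when memberOf cannot be written to the target.
NOT_ALLOWED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - Entry (?P<dn>.+?) -- attribute (?P<attr>\S+) not allowed$")
# Failure logged by the memberOf plugin; with betxn plugins this aborts the whole modify.
POSTOP_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] memberof-plugin - memberof_postop_modify: "
    r"failed to add dn \((?P<group>.+?)\) to target\.\s+Error \((?P<rc>\d+)\)$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# The plugin line follows the schema violation almost immediately; pair only within this window.
PAIR_WINDOW = timedelta(seconds=2)


@dataclass
class MemberOfEvent:
    when: datetime
    target_dn: str                  # entry that could not take memberOf
    group_dn: Optional[str] = None  # group whose modify failed (refused case only)
    rc: Optional[int] = None        # LDAP result code returned to the client
    refused: bool = False           # True = operation rejected, False = silently inconsistent


def parse_memberof_events(log_text: str) -> List[MemberOfEvent]:
    """Scan an errors log and pair each memberOf schema violation with a plugin failure, if any."""
    events: List[MemberOfEvent] = []
    for line in log_text.splitlines():
        m = NOT_ALLOWED_RE.match(line)
        if m and m.group("attr").lower() == "memberof":
            events.append(MemberOfEvent(datetime.strptime(m.group("ts"), TS_FORMAT), m.group("dn")))
            continue
        m = POSTOP_FAIL_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), TS_FORMAT)
        # Attach to the most recent unresolved schema violation that is close enough in time.
        for ev in reversed(events):
            if not ev.refused and abs(when - ev.when) <= PAIR_WINDOW:
                ev.refused, ev.group_dn, ev.rc = True, m.group("group"), int(m.group("rc"))
                break
    return events


def refused_modifications(events: List[MemberOfEvent]):
    """(group, target, rc) for every group modify the server rejected."""
    return [(ev.group_dn, ev.target_dn, ev.rc) for ev in events if ev.refused]


def silent_inconsistencies(events: List[MemberOfEvent]) -> List[str]:
    """Targets where memberOf was skipped but the group change went through.

    These are the replace-path cases from the thread: the group now lists a
    member whose entry carries no memberOf, so memberOf-based searches miss it.
    The fix is on the schema side (allow memberOf, e.g. via the inetUser class)."""
    return sorted({ev.target_dn for ev in events if not ev.refused})


if __name__ == "__main__":
    evs = parse_memberof_events(SAMPLE_ERRORS_LOG)
    for grp, tgt, rc in refused_modifications(evs):
        print(f"REFUSED rc={rc}: {grp} -> {tgt}")
    for tgt in silent_inconsistencies(evs):
        print(f"INCONSISTENT (memberOf missing, group updated): {tgt}")
```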

Re: [389-users] Issue with memberOf Plugin

2015-07-09 Thread Andrey Ivanov
Hi Christopher,

Try to use memberofgroupattr: uniquemember instead of the default value
memberofgroupattr: member in the plugin configuration entry. The detailed
documentation can be found here:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/memberof-attributes.html

Regards,

2015-07-09 20:22 GMT+02:00 Christopher Westerfield 
westerfield.ch...@gmail.com:

 Hi,
 I hope someone here can help me.
 I’m having the same issue on two other managed systems.

 So first of all Distribution: Debian
 Installed 389 LDAP Server: 1.3.3.5
 Installed with Kolab Groupware Server

 My Problem is, that I can’t Query against the memberOf Flag

 This would be the Query that I need to get Working

 (&(uid=cwest)(memberOf=cn=general-users,ou=Groups,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld))

 But I don't get any results on the query.


 This would be the group data:

 # LDIF Export for cn=General-Users,ou=Groups,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld
 # Server: Saila (ldap://localhost)
 # Search Scope: base
 # Search Filter: (objectClass=*)
 # Total Entries: 1
 #
 # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on July 9, 2015 6:17 pm
 # Version: 1.2.3

 version: 1

 # Entry 1: cn=General-Users,ou=Groups,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld
 dn: cn=General-Users,ou=Groups,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld
 cn: General-Users
 objectclass: top
 objectclass: groupofuniquenames
 uniquemember: uid=saicher,ou=People,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld
 uniquemember: uid=thoralf,ou=People,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld
 uniquemember: uid=cwesterfield,ou=People,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld
 uniquemember: uid=freygeist,ou=People,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld
 uniquemember: uid=requiem,ou=People,ou=Domain.com,dc=ldap,dc=treedomain,dc=tld

 And this is the Plugin Configuration from the cn=config database:

 # LDIF Export for cn=MemberOf Plugin,cn=plugins,cn=config
 # Server: Saila (ldap://localhost)
 # Search Scope: base
 # Search Filter: (objectClass=*)
 # Total Entries: 1
 #
 # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on July 9, 2015 6:20 pm
 # Version: 1.2.3

 version: 1

 # Entry 1: cn=MemberOf Plugin,cn=plugins,cn=config
 dn: cn=MemberOf Plugin,cn=plugins,cn=config
 cn: MemberOf Plugin
 memberofattr: memberOf
 memberofgroupattr: member
 nsslapd-plugin-depends-on-type: database
 nsslapd-plugindescription: memberof plugin
 nsslapd-pluginenabled: on
 nsslapd-pluginid: memberof
 nsslapd-plugininitfunc: memberof_postop_init
 nsslapd-pluginpath: libmemberof-plugin
 nsslapd-plugintype: betxnpostoperation
 nsslapd-pluginvendor: none
 nsslapd-pluginversion: none
 objectclass: top
 objectclass: nsSlapdPlugin
 objectclass: extensibleObject

 I need this feature really bad as several of the connected Software need the
 memberOf flag to work properly. I hope somebody can help me with this. My
 openldap Servers don't have this issue, but they don't use replication and
 scaling.
 thx
 Chris


 --
 Kind regards

 Christopher Westerfield

 Tel: +49-(0)8161 - 49-24-09-8
 Fax: +49-(0)8161 - 91-05-07-2
 Mobile: +49-(0)176-985-845-77

 Internet: http://www.dsws.biz

 Address:
 Thalhauser Strasse 23a
 85354 Freising
 Bavaria
 Germany

 Office hours:
 Appointments by arrangement/registration only

 Email:
 Accounting: buchhalt...@dsws.biz
 Support: supp...@dsws.biz
 Abuse: ab...@dsws.biz



Re: [389-users] _cl5CompactDBs: failed to compact

2015-06-20 Thread Andrey Ivanov
Thank you, Ludwig and Rich.

Yes, I'm sure that the changes were effective. When starting, the server
says something like
resizing max db lock count: 2 - 10

And db_stat shows the correct new number of locks. Ok, I'll try to increase
the locks further and see when the problem disappears.

2015-06-19 15:35 GMT+02:00 Ludwig Krispenz lkris...@redhat.com:


 On 06/19/2015 03:25 PM, Rich Megginson wrote:

 On 06/19/2015 04:29 AM, Ivanov Andrey (M.) wrote:

  Hi Noriko,



  There are three MMR replicating servers. It's one month of uptime and
 the servers wanted to trim the replication log. Here is what i've found in
 error log on each of them :

  1st server:
  [18/Jun/2015:08:04:31 +0200] - libdb: BDB2055 Lock table is out of
 available lock entries

 May not matter, but could you please try increasing the value of this db
 config parameter?  The default value is 1.

 dn: cn=config,cn=ldbm database,cn=plugins,cn=config
 nsslapd-db-locks: 1

  Ok. I've increased nsslapd-db-locks to 2 and reduced
 nsslapd-changelogcompactdb-interval to 3600 in cn=changelog5,cn=config to
 see the changelog free event more frequently. No change. I have still :

  [19/Jun/2015:10:36:46 +0200] - libdb: BDB2055 Lock table is out of
 available lock entries
 [19/Jun/2015:10:36:46 +0200] NSMMReplicationPlugin - changelog program -
 _cl5CompactDBs: failed to compact a45fa684-f28d11e4-af27aa63-5121b7ef; db
 error - 12 Cannot allocate memory



   [18/Jun/2015:08:04:31 +0200] NSMMReplicationPlugin - changelog program
 - _cl5CompactDBs: failed to compact a45fa684-f28d11e4-af27aa63-5121b7ef; db
 error - 12 Cannot allocate memory

 I don't think there is any problem even if the DBs are not compacted.  It
 was introduced just to release the free pages in the db files.  But I'd
 also like to learn why the compact fails with ENOMEM here.

 Ok, thanks.


 I'm guessing that bdb returns ENOMEM when it runs out of locks.

 I think the only remedy is to just keep increasing the number of locks
 until this error goes away.  I don't know how to estimate how many locks
 are required ahead of time.

 I think compact can be consuming many locks, maybe for each of the pages
 in the cldb, and then there is this bug:
 https://fedorahosted.org/389/ticket/47934
 Did you verify that your changes have been effective? Try db_stat:
 db_stat -c -h /var/lib/dirsrv/slapd-INSTANCE/db/ | grep locks







Re: [389-users] _cl5CompactDBs: failed to compact

2015-06-20 Thread Andrey Ivanov
Looks like the problem is fixed. As Rich suggested, the error message about
memory was actually about an insufficient number of locks. As I see from the
stats, bdb needed about 45000 locks during the freeing of the changelog - 5
times more than the default value 1. Here are the database stats:

1600    Initial number of locks allocated
10      Maximum number of locks possible
45452   Current number of locks allocated
32      Number of current locks
43917   Maximum number of locks at any one time
3       Maximum number of locks in any one bucket

Thanks for helping me resolve this problem!



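An added example, not from the thread or the 389 project: a Python check that parses `db_stat -c` output (the counters this thread reads), measures how close the observed peak came to the nsslapd-db-locks limit, and emits the LDIF change for cn=config,cn=ldbm database,cn=plugins,cn=config when headroom is too small. The sizing rule (keep the peak at or below half the table, rounded up to 10000) and the sample counter values are assumptions, not advice from the thread.

```python
import math
import re
from typing import Dict, Optional

# Constructed sample of `db_stat -c` output: the counter names are the ones the thread
# reads, the values are made up to show a lock table that nearly ran out at its peak.
SAMPLE_DB_STAT = """\
1600\tInitial number of locks allocated
10000\tMaximum number of locks possible
9876\tCurrent number of locks allocated
32\tNumber of current locks
9870\tMaximum number of locks at any one time
3\tMaximum number of locks in any one bucket
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")   # "<value><TAB><description>"
LDBM_CONFIG_DN = "cn=config,cn=ldbm database,cn=plugins,cn=config"   # entry named in the thread
LIMIT_KEY = "Maximum number of locks possible"         # what nsslapd-db-locks sets
PEAK_KEY = "Maximum number of locks at any one time"   # high-water mark of the environment


def parse_db_stat(text: str) -> Dict[str, int]:
    """Turn the two-column db_stat output into {description: value}."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def lock_headroom(stats: Dict[str, int]) -> float:
    """Fraction of the lock table still free at the observed peak (0.0 = exhausted)."""
    return 1.0 - stats[PEAK_KEY] / stats[LIMIT_KEY]


def recommended_db_locks(stats: Dict[str, int], min_headroom: float = 0.5,
                         step: int = 10000) -> Optional[int]:
    """New nsslapd-db-locks value, or None if the current table already leaves enough room.

    Sizing rule (an assumption, not from the thread): the peak should use at most
    (1 - min_headroom) of the table, rounded up to a multiple of `step`, because the
    compaction peak is only reached once per changelog compaction interval."""
    if lock_headroom(stats) >= min_headroom:
        return None
    needed = stats[PEAK_KEY] / (1.0 - min_headroom)
    return int(math.ceil(needed / step) * step)


def db_locks_ldif(stats: Dict[str, int]) -> Optional[str]:
    """LDIF modify for the ldbm config entry. The new value only takes effect after a
    restart; the server then logs 'resizing max db lock count', as seen in the thread."""
    new_value = recommended_db_locks(stats)
    if new_value is None:
        return None
    return (f"dn: {LDBM_CONFIG_DN}\nchangetype: modify\n"
            f"replace: nsslapd-db-locks\nnsslapd-db-locks: {new_value}\n")


if __name__ == "__main__":
    s = parse_db_stat(SAMPLE_DB_STAT)
    print(f"peak {s[PEAK_KEY]} of {s[LIMIT_KEY]} locks, headroom {lock_headroom(s):.1%}")
    print(db_locks_ldif(s) or "lock table has enough headroom")
```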

Re: [389-users] multimaster replication questions

2014-12-02 Thread Andrey Ivanov
Hi, you could use the attributes nsds5replicaLastUpdateStart and
nsds5replicaLastUpdateEnd. In my case, for example:

nsds5replicaLastUpdateStart: 20141202184042Z
nsds5replicaLastUpdateEnd: 20141202184044Z

The time is in UTC, so some conversion to local time will be required.

2014-12-02 19:18 GMT+01:00 ghiureai isabella.ghiu...@nrc-cnrc.gc.ca:

 Hi,
 - I would like to get from DS when the last transaction from
 master1/supplier was sent to the consumer and the time stamp it was processed by
 the consumer, using an ldapsearch option; any suggestion? I'm using the
 objectClass=nsDS5ReplicationAgreement but can get time stamp.

 - I'm using 389-console admin: replication status and all the following
 entries show as:
 consumer initialization not in progress
 last consumer update message: not available
 last consumer initialization began: not available
 the option for continuous refresh is on
 How can I get these entries to show the time stamp for the last transaction
 processed by the supplier?


Re: [389-users] [389-announce] Announcing the revised port389.org wiki

2014-08-27 Thread Andrey Ivanov
Hi Mark,

very nice work indeed, the new site is clear and straightforward. I have a
small question about it.

With the previous site (port389.org) there was a standard wiki feature
called "last 50/500 modifications during last 7/30 days". I used to click
on it regularly to know when the site changed and what new pages were added
or modified. It allowed me to stay informed without clicking on
all the links of the site. Is it possible to bring back that sort of
feature?

Thanks again for the good job!


2014-08-25 21:59 GMT+02:00 Mark Reynolds marey...@redhat.com:

  We are pleased to announce the launch of our new wiki

 http://www.port389.org

 The site has been significantly revised, and moved to a more stable
 environment.  The layout, content, and organization has all been improved.
 Please note, you will need to revise any old bookmarks you may have, as the
 old ones will probably not work anymore.

 Also, if you would like to add/edit content on the site you just need to
 file a ticket (https://fedorahosted.org/389/newticket, use wiki as the
 component), add your content (preferably in MarkDown format, but not
 required), and we will post it.

 Thanks!

 389 Project Team



 --
 389 announce mailing list
 389-annou...@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/389-announce


Re: Bumblebee and Fedora 19

2013-07-21 Thread Andrey Ivanov
Check if package xorg-x11-drv-mouse is installed in your system.


2013/7/21 Junayeed Ahnaf nirj...@outlook.com

 Hello,

 I'm trying to install bumblebee on my laptop. But when I'm trying optirun
 glxgears info this error is showing:


 [root@localhost nirjhor]# optirun glxgears info
 [ 1691.769152] [ERROR]Cannot access secondary GPU - error: [XORG] (EE)
 Failed to load module mouse (module does not exist, 0)

 [ 1691.769189] [ERROR]Aborting because fallback start is disabled.
 [root@localhost nirjhor]#

  Just for the info :

 [root@localhost nirjhor]# lspci -vnn | grep '\[030[02]\]'
 00:02.0 VGA compatible controller [0300]: Intel Corporation 3rd Gen Core
 processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA
 controller])
 01:00.0 3D controller [0302]: NVIDIA Corporation GK107M [GeForce GT 740M]
 [10de:0fdf] (rev a1)
 [root@localhost nirjhor]#

 Can anyone help me solve it?

 Junayeed Ahnaf Nirjhor
 Software Engineer @ Hulu http://hulu.com
 Twitter @ Nirjhor http://twitter.com/nirjhor





-- 
Andrey V Ivanov
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


Re: Bumblebee and Fedora 19

2013-07-21 Thread Andrey Ivanov
Could you try to exec optirun with the -vv --debug options to see verbose
output?
Try to uncomment the BusID "PCI:01:00:0" line in
/etc/bumblebee/xorg.conf.nvidia (an Ubuntu bug with the same error).
Show your bumblebee config files.



2013/7/21 Junayeed Ahnaf nirj...@outlook.com

 I got that, but I'm seeing another kind of problem now:

 [root@localhost nirjhor]# optirun glxgears -info
 [ 1145.228326] [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No
 devices detected.

 [ 1145.228366] [ERROR]Aborting because fallback start is disabled.
 [root@localhost nirjhor]#

 Help?


 Junayeed Ahnaf Nirjhor
 Software Engineer @ Hulu http://hulu.com
 Twitter @ Nirjhor http://twitter.com/nirjhor






-- 
Andrey V Ivanov


Re: disanle ssdp

2013-07-06 Thread Andrey Ivanov
Maybe it's router-generated traffic.
E.g. an Asus router has an "Enable UPnP" option in its IP settings.


2013/7/5 Kevin Wilson wkev...@gmail.com

 Hello,
 I see that from time to time I get in fedora 18 this traffic:

 SSDP - Simple Service Discovery Protocol

  every 2-3 minutes a couple of frames for address: 239.255.255.255.

 I tried to disable bluetooth with no help.

 google shows that this might be some upnp client, but I don't know how
 to find it and disable it

 any ideas?

 regards,
 Kevin




-- 
Andrey V Ivanov


[389-users] Extended control or extop

2013-04-09 Thread Andrey Ivanov
Hi,

I remember reading somewhere on the 389 DS site, or in dev commits, or in trac, a
request or a realisation of an extended control/operation that returns
the LDAP entries referenced by some attribute.
Something like: you make a search of a group with this extended control, the
search takes all the 'uniqueMember' values and returns all the LDAP entries
referenced by the values of 'uniqueMember'. Could you point me to the right
control name or OID? Is it already present in some version of 389DS?

Thanks!

Re: [389-users] Get Effective Rights on centOS 6

2012-05-31 Thread Andrey Ivanov
Hi Josh,

I'm using perl scripts for this since the openldap client does not support this
control out of the box:
Here is a typical script:

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_NO_SUCH_ATTRIBUTE
    LDAP_NO_SUCH_OBJECT LDAP_PROTOCOL_ERROR LDAP_COMPARE_TRUE LDAP_COMPARE_FALSE
    LDAP_TYPE_OR_VALUE_EXISTS);
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Search;
use Net::LDAP::Control;
use Authen::SASL;
use Unicode::Normalize;
use Data::Dumper;
require Encode;


# Connection to LDAP by SASL (GSSAPI/Kerberos), you can change it to simple bind
my $ldap = Net::LDAP->new('ldap.example.com', port => 389, version => 3)
    or die $!;
my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
my $result = $ldap->bind(sasl => $sasl, version => 3);
die "bind failed: " . $result->error if $result->code;

# The identity whose rights we are testing (sent as the authorization id in the control)
my $user = "uid=who's rights we are testing,ou=Users,dc=example,dc=com";

# Get Effective Rights control: OID 1.3.6.1.4.1.42.2.27.9.5.2, value "dn:<authzid>"
my $control = Net::LDAP::Control->new(
    type     => '1.3.6.1.4.1.42.2.27.9.5.2',
    value    => 'dn:' . $user,
    critical => 1,
);

my $ldap_filter = '(objectClass=*)';
my $result_search = $ldap->search(
    # The entry on which we test the rights
    base    => "uid=on who's entry we test the rights,ou=Users,dc=example,dc=com",
    scope   => 'base',
    filter  => $ldap_filter,
    control => [ $control ],
);


# Each returned entry carries the effective rights attributes (e.g. entryLevelRights,
# attributeLevelRights) added by the server in response to the control
foreach my $ldap_entry ($result_search->entries()) {
    print Dumper($ldap_entry);
}



@+


2012/5/29 Josh Ellsworth jellswo...@primaticsfinancial.com

  So, I’m trying to debug some ACLs and need to use the Get Effective
 Rights search control. My issue is that my centos 6 box does not have the
 Mozilla LDAP packages and I can’t see how to install them. I read somewhere
 that they are deprecated – are there any plans to support the Get Effective
 Rights in the future?


 Josh

 --

 Joshua Ellsworth

 System Administrator, Primatics Financial

 Phone: 571.765.7528

 jellswo...@primaticsfinancial.com



Re: [389-users] Documentation to set up 389DS on Centos 6.2

2012-04-24 Thread Andrey Ivanov
Hi Alberto,

Le 24 avril 2012 16:15, Alberto Suárez asua...@gobiernodecanarias.org a
écrit :


 httpd.worker: Syntax error on line 735 of /etc/dirsrv/admin-serv/httpd.conf:
 Could not open configuartion file /etc/dirsrv/admin-serv/nss.conf:
 Permission denied

 I have played with that file's permissions, even setting them as 777, but
 nothing changes. It is currently owned by user fedora-ds group
 fedora-ds and permissions are set to 400.

It may be SELinux-related.

Re: [389-users] 389 vs Sun DS ldapmodify performance

2012-04-19 Thread Andrey Ivanov
I've forgotten Linked Attributes plugin, you could also disable it.

Don't you have some exotic type of index activated for uniqueMember (like
substring)? The default is only the equality index in dse.ldif:

dn: cn=uniquemember,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: uniquemember
nsSystemIndex: false
nsIndexType: eq


In any case, batch write loads are quite particular. You could try to play
with nsslapd-db-checkpoint-interval and nsslapd-db-durable-transaction
config attributes while you run your batch uniqueMember modifications. You
could also try disabling completely or limiting logging intensity (
http://directory.fedoraproject.org/wiki/Named_Pipe_Log_Script) .

In my VM tests (RHEL5, 1 vCPU Xeon E5640 @ 2.67GHz, 1Gb mem, 389DS
v1.2.10.6) with our production environment (~20k users, groups of ~6000
members created as in your case with Perl scripts using ldapmodify running
on the same VM) a group of 6000 uniqueMembers is created in 3 minutes 10
sec (190s) from scratch. Using dstat I see that the main problem is disk
writes (transaction logs of db4):
total-cpu-usage -dsk/total- -net/total- ---paging-- ---system--
usr sys idl wai hiq siq| read  writ| recv  send|  in   out | int   csw
 91   0   0   9   0   0|   040M| 120B  978B|   0 0 | 316   325
 90   3   0   7   0   0|   040M|  60B  310B|   0 0 | 184   294
 92   2   0   5   0   1|   040M|  60B  310B|   0 0 | 160   297
 93   1   0   5   0   1|   040M|  60B  310B|   0 0 | 159   312
 93   3   1   1   0   2|   024M|  60B  310B|   0 0 | 206   372
 76   4   2  18   0   0|   040M|  60B  310B|   0 0 | 165   265
 94   0   0   6   0   0|   040M|  60B  310B|   0 0 | 221   275
 90   1   0   7   1   1|   041M|  60B  310B|   0 0 | 479   313
 86   2   0  11   1   0|   040M|  60B  310B|   0 0 | 403   306
 93   0   0   6   0   1|   020M| 120B  364B|   0 0 | 489   298
 90   1   0   9   0   0|   040M|  60B  310B|   0 0 | 389   296
 88   1   0  11   0   0|   040M|  60B  310B|   0 0 | 358   319
 76   0   0  23   1   0|   041M|  60B  310B|   0 0 | 403   303

@+



Le 19 avril 2012 18:50, Russell Beall be...@usc.edu a écrit :

 Thanks for the tips.  I scanned the dse.ldif for those plugins and I found
 definitions for them all, but they all have nsslapd-pluginEnabled: off.

 There is something special about the uniquemember attribute that requires
 additional processing different from other attributes...  Ldapmodify of
 other attributes runs pretty quick.

 Regards,
 Russ.

 On Apr 19, 2012, at 2:20 AM, Andrey Ivanov wrote:

 Hi Russel,


 Le 18 avril 2012 23:06, Russell Beall be...@usc.edu a écrit :

 On Apr 18, 2012, at 11:15 AM, Rich Megginson wrote:

 Yeah, this particular operation has not been optimized.  I believe SunDS
 added explicit optimizations for this particular case.



 It is becoming painfully apparent as I write more detailed tests.  389
 takes time to add or delete uniquemember values proportionate to the number
 of values being operated on and is using about twice as much time to delete
 as it does to add.  Sun DS appears to have perhaps an almost O(1) algorithm
 in play on both adding and deleting values.

 Is there perhaps some kind of referential integrity setting that is being
 used and forcing some kind of lookup of each value, one that we could
 perhaps turn off?  We wouldn't need such a check because our metadirectory
 process handles the integrity/consistency checking already.


 There is a memberOf plugin that maintains the memberOf attribute for groups.
 I don't know whether it is activated by default or not. You could try to
 disable it. There is also the referential integrity plugin, the attribute
 uniqueness plugin, maybe the USN plugin or custom indexes that could consume a
 lot of CPU. Make sure you've disabled them if you don't need them.

 @+

Re: [389-users] largish member changes causing problems

2012-03-27 Thread Andrey Ivanov
It may also be the memberOf plugin; is the attribute memberOf
replicated in your configuration? I tested deleting/adding/replacing
in one shot a group of ~6000 entries with memberOf and referint
enabled. It took about 30 seconds to complete but it never hung
(389DS v1.2.9.10).

2012/3/27 Michael Gettes get...@gmail.com:
 Ref int is not on.

 On Mar 27, 2012 10:11 AM, Mark Reynolds marey...@redhat.com wrote:

 Michael,

 Something else to check is the Referential Integrity Plugin.  Is it
 enabled?  If it is, something that I have seen that helps is to set the
 interval from 0 to 1 second.  Or turn it off to rule it out, but then of
 course it won't do its job.

 Regards,
 Mark

 On 03/26/2012 10:25 PM, Michael R. Gettes wrote:

 I am a little perplexed.

 I am making a change to a groupOfNames object having some 16069 member
 attributes.  I am deleting nearly 16000 members and then adding nearly 16000
 members.  CPU goes to 100% and never comes down.  I have plenty of memory
 allocated (700MB) to nss-slapd and I have made the adjustments to allow for
 large objects (maxbersize).  I end up having to kill -9 slapd.  The annoying
 thing is some times it works, some times it doesn't.  I can't seem to find
 any common conditions of the failures (or successes).

 ds = 1.2.9.9
 RHEL = 5.7

 Thoughts?

 /mrg

Re: [389-users] Named log pipe + normal access log

2012-02-24 Thread Andrey Ivanov
And/or you could use the tee command (man tee) in the pipe...


2012/2/23 Rich Megginson rmegg...@redhat.com

 On 02/23/2012 08:34 AM, Daniel Fenert wrote:

 Hi,

 I'd like to log to named pipe (just like said here:
 http://directory.fedoraproject.org/wiki/Named_Pipe_Log_Script)
 for some
 live analysis and ALSO log to access log as usual.
 Is it possible?

 You would have to alter the named pipe log script to write the regular
 access log file itself - the server cannot write to two different access
 logs at the same time.

  I'd like to avoid logging everything via this script (I have 1GB logs
 every 20 minutes in peak hours on each slave).



[389-users] Wiki/FireFox 9.0 problem

2012-01-04 Thread Andrey Ivanov
Hi,

looks like the current wiki code has a problem with Firefox 9.0: the menu
is displayed under the main content div. It seems (
http://support.mozilla.org/en-US/questions/906789#answer-290813 or
http://forums.mozillazine.org/viewtopic.php?f=25t=2392487) like a browser
sniffing problem in the wiki JavaScript code:

This is caused by browser sniffing that has been broken in Firefox 9. The
property navigator.taintEnabled is no longer supported so the wrong css
file gets loaded which sets the margin-left of the div column-content to
zero. As a result there is less room for the navigation div which is pushed
down.

Don't know whether Firefox devs will bring back the navigator.taintEnabled
property or the wiki code base should be patched... The same problem
appears on a lot of other wiki sites (including, for example,
http://k5wiki.kerberos.org)

@+

Re: [389-users] Wiki/FireFox 9.0 problem

2012-01-04 Thread Andrey Ivanov
After some research apparently it was fixed in MediaWiki 1.16 released
2010-07-28 (https://bugzilla.wikimedia.org/show_bug.cgi?id=31807)


2012/1/4 Andrey Ivanov andrey.iva...@polytechnique.fr

 Hi,

 looks like the current wiki code has a problem with Firefox 9.0: the
 menu is displayed under the main content div. It seems (
 http://support.mozilla.org/en-US/questions/906789#answer-290813 or
 http://forums.mozillazine.org/viewtopic.php?f=25t=2392487) like a
 browser sniffing problem in the wiki JavaScript code:

 This is caused by browser sniffing that has been broken in Firefox 9. The
 property navigator.taintEnabled is no longer supported so the wrong css
 file gets loaded which sets the margin-left of the div column-content to
 zero. As a result there is less room for the navigation div which is pushed
 down.

 Don't know whether Firefox devs will bring back the navigator.taintEnabled
 property or the wiki code base should be patched... The same problem
 appears on a lot of other wiki sites (including, for example,
 http://k5wiki.kerberos.org)

 @+


Re: [389-users] 389 server on production

2011-10-21 Thread Andrey Ivanov
Hi,

we have been using 389 in a production environment since 2006 or 2007. It is the
central authentication/authorization mechanism for ~2 accounts,
~500 (occasional search from 5000) workstations, ~20-30 web
applications.
We have 3 multi-masters in replication. Everything is very stable so far.

You may have problems if you check out and compile the code or install
the latest development (alpha or non-stable, early rc) versions. I
would recommend 1.2.9.10 as the latest stable version.
The only support for 389 is the web site wiki, this list and bugzilla;
the developers in general are available and very reactive, it has happened
several times that a patch for a bug that I filed was available in
less than 24 hours...
However you should acquire some skills yourself since you (the server
admin) are the last resort in case of a problem, not RedHat or the
developers.

If you want commercial support you should go for RedHat Directory
Server. RedHat also has training for RHDS Administration...

@+

2011/10/21 Alex Pershyn alex.pers...@enabil.com:
 Hi all,

 Can anybody tell me about using 389 in production environment? Is it stable?
 Were there many issues with it? Is there any support in case of production
 trouble?

 Thanks,

 Alex Pershyn,

 Application architect, Enabil Solutions Ltd





Re: [389-users] Fwd: 389 v1.2.9.8 freeze/deadlock

2011-09-01 Thread Andrey Ivanov
Hi Rich,

The same test in 1.2.8.3 is OK, the important information being that
it is also a paged search. Here is the log for the same search for
1.2.8.3 (I'm in the process of rolling back to that version):

[01/Sep/2011:16:19:39 +0200] conn=5 op=2 fd=128 closed - U1
[01/Sep/2011:16:19:41 +0200] conn=6 fd=128 slot=128 connection from
129.104.31.63 to 129.104.69.49
[01/Sep/2011:16:19:41 +0200] conn=6 op=0 BIND dn= method=128 version=3
[01/Sep/2011:16:19:41 +0200] conn=6 op=0 RESULT err=0 tag=97
nentries=0 etime=0.017000 dn=
[01/Sep/2011:16:19:41 +0200] conn=6 op=1 SRCH
base=ou=etudiants,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu
scope=2 filter=((mail=*)(|(mail=le tallec*)(cn=le tallec*)(sn=le
tallec*)(givenName=le tallec*)(displayName=le tallec*))) attrs=cn cn
mail roleOccupant display-name displayName sn sn co o o givenName
legacyexchangedn objectClass uid mailnickname title company
physicalDeliveryOfficeName telephoneNumber
[01/Sep/2011:16:19:41 +0200] conn=6 op=1 SORT cn (1)
[01/Sep/2011:16:19:41 +0200] conn=6 op=1 RESULT err=0 tag=101
nentries=0 etime=0.021000 notes=P
[01/Sep/2011:16:19:41 +0200] conn=6 op=2 UNBIND
[01/Sep/2011:16:19:41 +0200] conn=6 op=2 fd=128 closed - U1



How do I compile the server with debug symbols? Would this be
sufficient or not?

export CFLAGS=-g
export CXXFLAGS=-g


@+

2011/9/1 Rich Megginson rmegg...@redhat.com:
 On 09/01/2011 08:08 AM, Andrey Ivanov wrote:

 Hi,

 I've tried to install the 1.2.9.8 testing version in our production
 environment but there is a regular freeze/deadlock after a particular
 search.

 It is a search sent by Outlook 2003 (you type the name of the person
 and then click the Check the name button that generates an LDAP
 request). The person does not exist in the given subtree; here is the
 corresponding connection in the logs:

 [01/Sep/2011:13:42:34 +0200] conn=938 fd=129 slot=129 connection from
 x.x.x.x to y.y.y.y
 [01/Sep/2011:13:42:34 +0200] conn=938 op=0 BIND dn= method=128 version=3
 [01/Sep/2011:13:42:34 +0200] conn=938 op=0 RESULT err=0 tag=97
 nentries=0 etime=0.00 dn=
 [01/Sep/2011:13:42:34 +0200] conn=938 op=1 SRCH
 base=ou=etudiants,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu
 scope=2 filter=((mail=*)(|(mail=le tallec*)(cn=le tallec*)(sn=le
 tallec*)(givenName=le tallec*)(displayName=le tallec*))) attrs=cn cn
 mail roleOccupant display-name displayName sn sn co o o givenName
 legacyexchangedn objectClass uid mailnickname title company
 physicalDeliveryOfficeName telephoneNumber
 [01/Sep/2011:13:42:34 +0200] conn=938 op=1 SORT cn (1)
 end of access log, nothing in error log, server freezes


 The problem is reproducible each time, here is the interesting part of
 the gdb trace :

 Thread 42 (Thread 0x42201940 (LWP 25005)):
 #0  0x0038644cd722 in select () from /lib64/libc.so.6
 No symbol table info available.
 #1  0x2b8ffb1bf959 in DS_Sleep () from
 /Local/dirsrv/lib/dirsrv/libslapd.so.0
 No symbol table info available.
 #2  0x2b900104e51e in deadlock_threadmain () from
 /Local/dirsrv/lib/dirsrv/plugins/libback-ldbm.so
 No symbol table info available.
 #3  0x0038670284ad in ?? () from /usr/lib64/libnspr4.so
 No symbol table info available.
 #4  0x00386500673d in start_thread () from /lib64/libpthread.so.0
 No symbol table info available.
 #5  0x0038644d44bd in clone () from /lib64/libc.so.6
 No symbol table info available.
 ...

 This is the database housekeeping thread that checks for database deadlocks.
  This is normal.

 Thread 24 (Thread 0x4d613940 (LWP 25023)):
 #0  0x00386500d4c4 in __lll_lock_wait () from /lib64/libpthread.so.0
 No symbol table info available.
 #1  0x003865008e50 in _L_lock_1233 () from /lib64/libpthread.so.0
 No symbol table info available.
 #2  0x003865008dd3 in pthread_mutex_lock () from
 /lib64/libpthread.so.0
 No symbol table info available.
 #3  0x003867022ec9 in PR_Lock () from /usr/lib64/libnspr4.so
 No symbol table info available.
 #4  0x2b8ffb18b308 in slapi_pblock_get () from
 /Local/dirsrv/lib/dirsrv/libslapd.so.0
 No symbol table info available.
 #5  0x2b88ac54 in DS_LASIpGetter () from
 /Local/dirsrv/lib/dirsrv/plugins/libacl-plugin.so
 No symbol table info available.
 #6  0x2b90001bfb08 in ACL_GetAttribute () from
 /Local/dirsrv/lib/dirsrv/libns-dshttpd.so.0
 No symbol table info available.
 #7  0x2b90001be979 in LASIpEval () from
 /Local/dirsrv/lib/dirsrv/libns-dshttpd.so.0
 No symbol table info available.
 #8  0x2b90001c0c30 in ACLEvalAce(NSErr_s*, ACLEvalHandle*,
 ACLExprHandle*, unsigned long*, PListStruct_s**, PListStruct_s*) ()
 from /Local/dirsrv/lib/dirsrv/libns-dshttpd.so.0
 No symbol table info available.
 #9  0x2b90001c11ce in ACL_INTEvalTestRights(NSErr_s*,
 ACLEvalHandle*, char**, char**, char**, char**, char**, int*, unsigned
 long*) () from /Local/dirsrv/lib/dirsrv/libns-dshttpd.so.0
 No symbol table info available.
 #10 0x2b90001c1956 in ACL_EvalTestRights () from
 /Local/dirsrv/lib/dirsrv/libns

Re: [389-users] [389-announce] Announcing 389 Directory Server version 1.2.8 Release Candidate 2

2011-03-30 Thread Andrey Ivanov
Hi Rich,

2011/3/25 Rich Megginson rmegg...@redhat.com:
 The 389 Project team is pleased to announce the release of
 389-ds-base-1.2.8 Release Candidate 2.  This release has fixes for bugs
 found in 1.2.8 testing and bugs from earlier releases.

I've made a rapid test compiling from today's sources (1.2.8.rc3 or
rc4 I think). I haven't seen any immediately obvious bugs. It is also
much more stable than 1.2.7.5.


However I've noticed that the order of operations in the logs is not
always correct:

[30/Mar/2011:14:17:03 +0200] conn=13 fd=128 slot=128 connection from
127.0.0.1 to 127.0.0.1
[30/Mar/2011:14:17:03 +0200] conn=13 op=0 BIND dn= method=128 version=3
[30/Mar/2011:14:17:03 +0200] conn=13 op=1 SRCH
base=dc=id,dc=polytechnique,dc=edu scope=2
filter=((|(objectClass=X-Misc)(objectClass=X-Object))(!(X-UniqueId=*)))
attrs=nsUniqueId
[30/Mar/2011:14:17:03 +0200] conn=13 op=1 RESULT err=0 tag=101
nentries=0 etime=0.117000 notes=U
[30/Mar/2011:14:17:03 +0200] conn=13 op=2 UNBIND
[30/Mar/2011:14:17:03 +0200] conn=13 op=2 fd=128 closed - U1
[30/Mar/2011:14:17:03 +0200] conn=13 op=0 RESULT err=0 tag=97
nentries=0 etime=0.021000 dn=
(the result of op=0 is after op=2)

or
[30/Mar/2011:14:20:19 +0200] conn=19 fd=128 slot=128 connection from
local to /Local/dirsrv/var/run/slapd-dmz.socket
[30/Mar/2011:14:20:19 +0200] conn=19 AUTOBIND dn=cn=X LDAP Root
[30/Mar/2011:14:20:19 +0200] conn=19 op=0 BIND dn=cn=X LDAP Root
method=sasl version=3 mech=EXTERNAL
[30/Mar/2011:14:20:19 +0200] conn=19 op=1 SRCH
base=dc=id,dc=polytechnique,dc=edu scope=2
filter=((|(objectClass=X-Misc)(objectClass=X-Object))(!(X-UniqueId=*)))
attrs=nsUniqueId
[30/Mar/2011:14:20:19 +0200] conn=19 op=2 UNBIND
[30/Mar/2011:14:20:19 +0200] conn=19 op=2 fd=128 closed - U1
[30/Mar/2011:14:20:19 +0200] conn=19 op=0 RESULT err=0 tag=97
nentries=0 etime=0.012000 dn=cn=X LDAP Root
[30/Mar/2011:14:20:19 +0200] conn=19 op=1 RESULT err=0 tag=101
nentries=0 etime=0.108000 notes=U
(the result of op=0 and op=1 is after op=2)


It is not something new, I've tested on 1.2.6.1 (our production
environment) and this behavior is also present. I observe it much
more often when the log buffering is off. Don't know if it's a bug or
it's because of several threads writing in parallel and it's an
expected phenomenon...


@+
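As an added example, not part of the thread: a small Python checker that reads 389 access log lines by conn/op, reports RESULT lines written after the connection's UNBIND (the reordering shown above) and operations that never received a RESULT (what the earlier freeze left in the log). The sample lines are constructed, modelled on the quoted excerpts.

```python
import re

# Constructed sample lines, modelled on the access log excerpts quoted in
# this thread: conn=13 shows the RESULT of op=0 logged after the UNBIND,
# conn=14 shows a sorted search that never gets a RESULT (the log just stops).
SAMPLE_LOG = """\
[30/Mar/2011:14:17:03 +0200] conn=13 fd=128 slot=128 connection from 127.0.0.1 to 127.0.0.1
[30/Mar/2011:14:17:03 +0200] conn=13 op=0 BIND dn="" method=128 version=3
[30/Mar/2011:14:17:03 +0200] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=x)" attrs="nsUniqueId"
[30/Mar/2011:14:17:03 +0200] conn=13 op=1 RESULT err=0 tag=101 nentries=0 etime=0.117000 notes=U
[30/Mar/2011:14:17:03 +0200] conn=13 op=2 UNBIND
[30/Mar/2011:14:17:03 +0200] conn=13 op=2 fd=128 closed - U1
[30/Mar/2011:14:17:03 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0.021000 dn=""
[30/Mar/2011:14:17:05 +0200] conn=14 fd=129 slot=129 connection from 127.0.0.1 to 127.0.0.1
[30/Mar/2011:14:17:05 +0200] conn=14 op=0 BIND dn="" method=128 version=3
[30/Mar/2011:14:17:05 +0200] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001000 dn=""
[30/Mar/2011:14:17:05 +0200] conn=14 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(cn=le tallec*)" attrs="cn mail"
[30/Mar/2011:14:17:05 +0200] conn=14 op=1 SORT cn (1)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$"
)
# Operation keywords that the server answers with a RESULT line.
REQUEST_OPS = {"BIND", "SRCH", "ADD", "MOD", "DEL", "MODRDN", "CMP", "EXT"}


def parse_line(line):
    """Split one access log line into timestamp, conn, op (None if absent), rest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "conn": int(m["conn"]),
        "op": int(m["op"]) if m["op"] is not None else None,
        "rest": m["rest"],
    }


def analyse_access_log(lines):
    """Return {'late_results': [...], 'unanswered': [...]}.

    late_results: (conn, op, result_line_no, unbind_line_no) for RESULT lines
                  written after the connection's UNBIND; harmless for the
                  server, but it breaks naive per-connection log parsers.
    unanswered:   (conn, op, request_line_no) for operations with no RESULT
                  line before the log ended, which is what a hung server
                  leaves behind.
    """
    unbind_at = {}      # conn -> line number of its UNBIND
    requests = {}       # (conn, op) -> line number of the request
    answered = set()    # (conn, op) pairs that received a RESULT
    late_results = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["op"] is None:
            continue        # "connection from" / AUTOBIND lines carry no op
        key = (rec["conn"], rec["op"])
        keyword = rec["rest"].split(" ", 1)[0]
        if keyword == "RESULT":
            answered.add(key)
            if rec["conn"] in unbind_at:
                late_results.append((key[0], key[1], n, unbind_at[rec["conn"]]))
        elif keyword == "UNBIND":
            unbind_at[rec["conn"]] = n
        elif keyword in REQUEST_OPS:
            requests[key] = n
    unanswered = sorted(
        (conn, op, n) for (conn, op), n in requests.items() if (conn, op) not in answered
    )
    return {"late_results": late_results, "unanswered": unanswered}


if __name__ == "__main__":
    report = analyse_access_log(SAMPLE_LOG.splitlines())
    for conn, op, n, u in report["late_results"]:
        print(f"conn={conn} op={op}: RESULT on line {n} after UNBIND on line {u}")
    for conn, op, n in report["unanswered"]:
        print(f"conn={conn} op={op}: request on line {n} never got a RESULT")
```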


Re: [389-users] Server Side Sort, Virtual List View and Aci

2011-03-16 Thread Andrey Ivanov
Hi Luca & Noriko,

I've made a bug report with a test script and an ldif to reproduce it:
https://bugzilla.redhat.com/show_bug.cgi?id=688182 (using the VLV
config adapted for MS Outlook browsing)

If Luca observes some other additional phenomena related to this bug
he can complete it.
@+

2011/3/16 Luca Menegus lu...@dbmsrl.com:
 Hi Noriko,
  tonight or tomorrow I'll have the time to prepare the bug report along with 
 a test case

 Luca

 Luca Menegus

 D.B.M. S.r.l
 Via Enrico Noe, 23 - 20133 Milano (MI) Italy.
 Phone: +39 02 45473052
 Mobile: +39 3346220663

 - Original Message -
 From: Noriko Hosoi nho...@redhat.com
 To: 389-users@lists.fedoraproject.org
 Sent: Tuesday, March 15, 2011 5:35:19 PM
 Subject: Re: [389-users] Server Side Sort, Virtual List View and Aci
 Hi Luca, Hi Andrey,

 Could you open a bug on the bugzilla under 389? We'd like to
 investigate it.

 Thanks,
 --noriko

 Andrey Ivanov wrote:
  Hi Luca,
 
  I have the same problem - I have two OUs and an ACI that hides one
  of these OUs from anonymous users. When I implement a VLV index level
  higher than these two OUs and use Outlook to browse the directory
  everything is rather scrambled because of the VLV indexes. So the
  problem really is the joint use of ACIs hiding some of the entries
  and VLV indexes. Don't know whether it can be considered as a bug or
  as a feature request but this is what we need desperately before
  deploying it large scale (primarily Outlook clients using this
  VLV)...
 
  @+
 
  2011/3/14 Luca Meneguslu...@dbmsrl.com:
  Hi,
  when searching ds using the ServerSideSearch control and the
  VirtualListView control it does not seem to take into account the
  configured ACIs when returning the contentCount field of the
  VirtualListView response control.
  The contentCount field of the VLV response control will be set
  to the total number of entries matching the search and not to the
  number of entries matching the search AND searchable by the user
  performing the search.
 
  Example:
  - there are 10 people in the directory, 5 in the peopleA ou and 5 in the
  peopleB ou
  - userA can search (and read) anything under peopleA
  - userB can search (and read) anything under peopleB
  - SuperUser can search (and read) anything
 
  If I bind and search as SuperUser everything works as expected
  (contentCount is 10) and I can scroll through the rs as expected.
  If I bind and search as UserA contentCount is still 10 and the
  resultset contains holes. For instance if I sort the search so that
  entries under peopleB come first then requesting (using VLV control
  fields) 5 entries from entry #1 returns an empty rs, while
  requesting 5 entries from entry #5 returns the expected 5 entries
  under peopleA.
 
  The behavior when searching as userB is consistent (the other 5
  entries are returned).
 
  I'm using 389-ds-base-1.2.7.5-1.fc14.x86_64 under fc14-x86_64.
 
  Am I doing something wrong, or is this the expected behavior?
 
 
  Luca


Re: [389-users] Triggers

2011-02-03 Thread Andrey Ivanov
Hi Gerrard,

you could use a persistent search on your group to achieve that.
Otherwise you need to write a server plug-in...

Here is a past discussion of persistent search with Perl code:
http://lists.fedoraproject.org/pipermail/389-users/2009-August/009991.html

@+

2011/2/3 Gerrard Geldenhuis gerrard.geldenh...@betfair.com:
 Hi
 I was wondering if there is a universal trigger system that I could use in 
 389 to for example let me know when a group gets a new member, or loses a 
 member.

 The admin guide
 http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html

 has only 9 entries for the word trigger. The USN plugin looked the most 
 similar to what I want to do.

 My aim is to be able to monitor for group modifications and email someone 
 appropriate when the group membership changes. I was hoping this is something 
 I can achieve without too much or any external programming as I would like it 
 to be contained logically within 389.

 I would appreciate any guidance on how to go about doing this and what other 
 people have done. Do I need to write my own plugin?

 Regards

 


Re: [389-users] How to get alternate versions of src RPM's via yum, or better yet without yum?

2010-12-01 Thread Andrey Ivanov
I usually take the latest source files for the ds, admin server,
adminutil and mod_nss from http://directory.fedoraproject.org/sources/
and then use a customized script to compile, install, configure and
import the ldif from production. But I don't see any new source
files there since the 29th of October...


2010/11/30 Les Mikesell lesmikes...@gmail.com:
 On 11/30/2010 8:09 AM, brandon wrote:

 Shorter answer: Yum will attempt to obtain files from whatever
 repository you tell it to use.  If you want to download files from an
 RHEL 5 repo, all you you need to do is configure said repo and tell Yum
 to use it.

 As an addendum, you might be particularly interested in yumdownloader,
 which is a tool for downloading packages (including source RPMs) without
 actually installing them.
...


Re: [389-users] get base dn from ldapsearch

2010-11-24 Thread Andrey Ivanov
Hi,

yes, you need to make a search like this:

ldapsearch -x -h ldap-test.example.com -b "" -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=example,dc=com
namingContexts: o=netscaperoot

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

@+

2010/11/24 Angel Bosch Mora angbo...@conselldemallorca.net:
 hi,

 not specifically 389 related but:

 is there a way to guess default base dn for clients (the one configured in 
 /etc/openldap/ldap.conf) with ldapsearch?

 I've tried with -v, -n and -d but I only get the server, not the base.

 regards,

 abosch


Re: [389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-24 Thread Andrey Ivanov
Hi Nathan,


 Prior to 1.2.7, how was this configuration working for you?  What sort of
 values were you setting in the uniqueMember attribute?  The memberOf
 plug-in really needs a full DN to work, which is why the restriction to use
 an attribute with the DN syntax was added.

We use the uniqueMember attribute in a rather typical manner for group
objects: to list the DNs of the sub-groups and members:

dn: cn=My Group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupofuniquenames
cn: My Group
uniqueMember: uid=someone,ou=Users,dc=example,dc=com
uniqueMember: cn=Another Group,ou=Groups,dc=example,dc=com

It's a relatively common way of using uniqueMember, not limited to our
environment, I think.

@+


Re: [389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-24 Thread Andrey Ivanov
Hi Nathan,

 The thing is that uniquemember does not have the DN syntax, it has
 Name and Optional UID syntax :

 attributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
  EQUALITY uniqueMemberMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.34
  X-ORIGIN 'RFC 4519' )

 Please open a bug on this.  My current thinking is that we should also allow
 the grouping attribute to use this syntax, but you should be aware that
 memberOf will not work if you actually have the optional UID part present.

You were faster than me, thank you :)

I think this notice (one should be aware that memberOf will not work
if the optional UID part is present in an attribute with Name and
Optional UID syntax) should be added to the documentation on the
memberOf plug-in of the future RedHat release. I will add this snippet
to the bug.

@+
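The caveat above (memberOf needs a plain DN; a uniqueMember value carrying the optional UID part of Name and Optional UID syntax will not get a backlink) can be audited offline on an LDIF export. This is an added example, not code from the thread or from 389; the group LDIF is constructed after the one shown in this thread, and the LDIF parser handles folded continuation lines and base64 (`::`) values.

```python
import base64
import re

# Constructed group entry in LDIF, modelled on the group shown in this thread.
# The folded line (leading space) exercises LDIF continuation handling; the
# last two members carry the optional UID part ("#'0101'B") of RFC 4517
# Name and Optional UID syntax, which memberOf cannot follow.
SAMPLE_LDIF = """\
dn: cn=My Group,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: My Group
uniqueMember: uid=someone,ou=Users,dc=example,dc=com
uniqueMember: cn=Another Group,ou=Groups,dc=example,dc=com
uniqueMember: uid=alice,ou=Users,
 dc=example,dc=com#'0101'B
uniqueMember: uid=bob,ou=Users,dc=example,dc=com#'1'B
"""

# Name and Optional UID = distinguishedName [ "#" BitString ], BitString being
# '0101'B style.  Anchored at the end of the value so a '#' that is part of
# the DN itself is not mistaken for the separator.
OPTIONAL_UID_RE = re.compile(r"#'(?P<bits>[01]*)'B$")


def unfold_ldif(text):
    """Split LDIF text into records, joining continuation lines, dropping comments."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # folded line: strip the one space
        elif raw.strip() == "":
            if current:
                records.append(current)
            current = []
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def parse_ldif(text):
    """Return one dict per entry: lowercased attribute name -> list of values."""
    entries = []
    for lines in unfold_ldif(text):
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        entries.append(attrs)
    return entries


def split_name_and_optional_uid(value):
    """Return (dn, bit_string); bit_string is None when no UID part is present."""
    m = OPTIONAL_UID_RE.search(value)
    if m:
        return value[:m.start()], m["bits"]
    return value, None


def audit_group_members(ldif_text, group_attr="uniquemember"):
    """List (group_dn, member_dn, bits) for member values that carry a UID part.

    These are the values the thread's caveat says the memberOf plugin will not
    work for, so the member entry gets no memberOf backlink.
    """
    findings = []
    for entry in parse_ldif(ldif_text):
        group_dn = entry.get("dn", [""])[0]
        for value in entry.get(group_attr.lower(), []):
            dn, bits = split_name_and_optional_uid(value)
            if bits is not None:
                findings.append((group_dn, dn, bits))
    return findings


if __name__ == "__main__":
    for group_dn, member_dn, bits in audit_group_members(SAMPLE_LDIF):
        print(f"{group_dn}: {member_dn} carries UID '{bits}'B; memberOf will not follow it")
```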


Re: [389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-23 Thread Andrey Ivanov
2010/11/23 Rich Megginson rmegg...@redhat.com:
n for the httpd engine . . .
 Starting admin server . . .
 output: ERROR: ld.so: object '/libldap60.so' from LD_PRELOAD cannot be
 preloaded: ignored.
 The admin server was successfully started.
 Admin server was successfully created, configured, and started.
 Exiting . . .
 Log file is '/tmp/setupXxX7a5.log'


 We have seen the preload issue too. I have reported it via the links 
 provided. The fix is as follows:
 diff start-ds-admin start-ds-admin.orig 46c46  
 LD_PRELOAD=/usr/lib64/libldap60.so ---  LD_PRELOAD= /libldap60.so
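Review bot: the replacement line hard-codes /usr/lib64/libldap60.so, so the fix only holds on 64-bit hosts with the default library prefix, while the original line shows the directory part expanding to nothing ("LD_PRELOAD= /libldap60.so", matching the "object '/libldap60.so' from LD_PRELOAD" error above); setting the variable that supplies that directory, or deriving it from the build's libdir, would fix the root cause and keep start-ds-admin portable.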
 This should be fixed in 389-admin-1.1.12 now in updates-testing - what
 platform?  Fedora 14 or other?

I've compiled the sources from here:
http://directory.fedoraproject.org/sources/389-admin-1.1.12.a2.tar.bz2
(CentOS 5.5 x86_64 too)


[389-users] Fwd: [389-announce] Please Help Test 389 Directory Server 1.2.7

2010-11-23 Thread Andrey Ivanov
Hi Rich,

I have two issues with this new version (that I have compiled from the
git sources).

Here is the first issue:

there were some changes to the memberOf plugin (Bug 620927) that added
a more rigorous verification of the memberofgroupattr parameter of the
MemberOf plugin. We use the uniqueMember/memberOf attribute pair to
manage our groups and backlinks. This configuration does not work with
the 1.2.7 server:

[23/Nov/2010:17:32:51 +0100] memberof-plugin - Error 53: The
uniqueMember configuration attribute must be set to an attribute
defined to use the Distinguished Name syntax. (illegal value:
memberOfGroupAttr)
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(DSA is unwilling to perform)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] memberof-plugin - only one memberOf
plugin instance can be used
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(Bad parameter to an ldap routine)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] memberof-plugin - only one memberOf
plugin instance can be used
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(Bad parameter to an ldap routine)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] memberof-plugin - only one memberOf
plugin instance can be used
[23/Nov/2010:17:32:51 +0100] memberof-plugin - configuration failed
(Bad parameter to an ldap routine)
[23/Nov/2010:17:32:51 +0100] - Failed to start postoperation plugin
MemberOf Plugin
[23/Nov/2010:17:32:51 +0100] - Error: Failed to resolve plugin dependencies
[23/Nov/2010:17:32:51 +0100] - Error: postoperation plugin MemberOf
Plugin is not started


The thing is that uniquemember does not have the DN syntax, it has
Name and Optional UID syntax :

attributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
 EQUALITY uniqueMemberMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.34
 X-ORIGIN 'RFC 4519' )

Our memberOf configuration:
dn: cn=MemberOf Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: MemberOf Plugin
nsslapd-pluginPath: libmemberof-plugin
nsslapd-pluginInitfunc: memberof_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
memberofgroupattr: uniqueMember
memberofattr: memberOf
nsslapd-pluginId: memberof
nsslapd-pluginVersion: 1.2.7
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: memberof plugin



The second issue : when using setup-ds-admin there is a LD_PRELOAD
libldap60.so error. I used the sources mod_nss-1.0.8.tar.gz,
389-admin-1.1.12.a2.tar.bz2 and 389-adminutil-1.1.13.tar.bz2 to
compile the admin server.

Creating directory server . . .
Your new DS instance 'dmz' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
Starting admin server . . .
output: ERROR: ld.so: object '/libldap60.so' from LD_PRELOAD cannot be
preloaded: ignored.
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setupXxX7a5.log'


2010/11/22 Rich Megginson rmegg...@redhat.com:
 389-ds-base-1.2.7 is now in Testing.  This release adds some new
 features and fixes many bugs.  Please help us test. The sooner we can
 get this release tested, the sooner we can push it to Stable and make it
 generally available.
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
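A pre-upgrade check for the schema condition behind the "must be set to an attribute defined to use the Distinguished Name syntax" error, added here as an example and not code from 389 or from this thread: it parses attributeTypes definitions (a constructed fragment that includes the uniqueMember definition quoted above), resolves the SYNTAX of the configured memberofgroupattr by following SUP chains, and reports whether the 1.2.7 DN-syntax check would accept it.

```python
import re

# Syntax OIDs from RFC 4517. The 1.2.7 memberOf plugin refuses a
# memberofgroupattr whose attribute is not defined with DN syntax;
# uniqueMember is defined with Name and Optional UID syntax instead.
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"
NAME_AND_OPTIONAL_UID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.34"

# Constructed schema fragment in the attributeTypes form 389 uses in its
# schema LDIF files (the uniqueMember definition is the one quoted in the
# mail above; the other two are written here for the example).
SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.5.4.49 NAME 'distinguishedName'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
  X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.31 NAME 'member'
  SUP distinguishedName
  X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.50 NAME 'uniqueMember'
  EQUALITY uniqueMemberMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.34
  X-ORIGIN 'RFC 4519' )
"""

# Constructed plugin entry, reduced to the attributes the check needs.
PLUGIN_LDIF = """\
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginEnabled: on
memberofgroupattr: uniqueMember
memberofattr: memberOf
"""

_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")
_SYNTAX_RE = re.compile(r"\bSYNTAX\s+([0-9.]+)")
_SUP_RE = re.compile(r"\bSUP\s+'?([A-Za-z][A-Za-z0-9-]*)'?")


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_attribute_types(schema_ldif):
    """Map each lower-cased attribute name to its declared SYNTAX OID and SUP attribute."""
    attrs = {}
    for line in unfold_ldif(schema_ldif):
        if not line.lower().startswith("attributetypes:"):
            continue
        body = line.split(":", 1)[1]
        name = _NAME_RE.search(body)
        if not name:
            continue
        names = [name.group(1)] if name.group(1) else re.findall(r"'([^']+)'", name.group(2))
        syntax = _SYNTAX_RE.search(body)
        sup = _SUP_RE.search(body)
        info = {"syntax": syntax.group(1) if syntax else None,
                "sup": sup.group(1).lower() if sup else None}
        for n in names:
            attrs[n.lower()] = info
    return attrs


def effective_syntax(attrs, name, _depth=0):
    """Resolve the syntax of an attribute, inheriting through SUP (member -> distinguishedName)."""
    info = attrs.get(name.lower())
    if info is None or _depth > 16:
        return None
    if info["syntax"]:
        return info["syntax"]
    return effective_syntax(attrs, info["sup"], _depth + 1) if info["sup"] else None


def check_memberof_config(plugin_ldif, schema_ldif):
    """Return (group_attr, syntax_oid, accepted): accepted mirrors the 1.2.7 DN-syntax check."""
    attrs = parse_attribute_types(schema_ldif)
    group_attr = None
    for line in unfold_ldif(plugin_ldif):
        if line.lower().startswith("memberofgroupattr:"):
            group_attr = line.split(":", 1)[1].strip()
    if group_attr is None:
        return None, None, False
    syntax = effective_syntax(attrs, group_attr)
    return group_attr, syntax, syntax == DN_SYNTAX


if __name__ == "__main__":
    attr, syntax, accepted = check_memberof_config(PLUGIN_LDIF, SCHEMA_LDIF)
    print(f"memberofgroupattr={attr} syntax={syntax} accepted_by_1.2.7_check={accepted}")
```

Run against a real 389 schema directory by concatenating the schema *.ldif files into the first argument and the plugin entry from dse.ldif into the second.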


Re: [389-users] Safeguarding against to many established connections

2010-10-19 Thread Andrey Ivanov
Hi,

you may be interested in the following threads with some solutions :

http://lists.fedoraproject.org/pipermail/389-users/2010-September/012149.html
http://lists.fedoraproject.org/pipermail/389-users/2009-February/009062.html

@+

2010/10/19 Gerrard Geldenhuis gerrard.geldenh...@betfair.com

 
  I suspect that solutions to this problem probably falls outside of what
 can be configured in 389?
 
 While it's not a 389-specific suggestion, iptables could easily solve
 this problem for you across the board. :)

 Do you have thoughts on criteria for iptables... how do you differentiate
 between 800 healthy connections and 800 duff ones if both have an
 ESTABLISHED state? Do you just assume it will never be that much and limit
 accordingly or do you do time limit to say that connections should never be
 maintained longer than x minutes and require clients to re-establish
 connections?

 Regards


 

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] GSSAPI authentication to Directory Server

2010-10-04 Thread Andrey Ivanov
Hi,

Try

kinit username
mdp
klist -e

/usr/bin/ldapsearch -Y GSSAPI -h station1.example.com -b "dc=example,dc=com" "(cn=*)"

klist -e
you should see the additional ticket ldap/station1.example.com
At least, that's how it works in our system


2010/10/4 Matt Carey cvstealth2...@yahoo.com

 I'm trying to follow the Kerberos howto guide at
 http://directory.fedoraproject.org/wiki/Howto:Kerberos but am having an
 issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:
 $ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o mech=GSSAPI -o authid=mca...@station1.example.com -o authzid=mca...@station1.example.com -b "dc=example,dc=com" "(cn=*)"
 Bind Error: Invalid credentials
 Bind Error: additional info: SASL(-13): authentication failure: GSSAPI
 Failure: gss_accept_sec_context

 Attempt with OpenLDAP client:
 $ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://station1.example.com -b "dc=example,dc=com" "(cn=*)"
 SASL/GSSAPI authentication started
 ldap_sasl_interactive_bind_s: Invalid credentials (49)
 additional info: SASL(-13): authentication failure: GSSAPI Failure:
 gss_accept_sec_context


 Resulting in the following entries in the access log on the DS:
 # tail -5 access
 [04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from
 10.100.0.45 to 10.100.0.45
 [04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn= method=sasl version=3
 mech=GSSAPI
 [04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0
 etime=0
 [04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
 [04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1


 From what I can tell the Kerberos infrastructure and OS components are
 setup accordingly:
 GSSAPI is a viable SASL mechanism:
 $ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms
 version: 1
 dn:
 supportedSASLMechanisms: EXTERNAL
 supportedSASLMechanisms: DIGEST-MD5
 supportedSASLMechanisms: GSSAPI
 supportedSASLMechanisms: LOGIN
 supportedSASLMechanisms: CRAM-MD5
 supportedSASLMechanisms: ANONYMOUS
 supportedSASLMechanisms: PLAIN

 Directory Server keytab and contents:
 # grep nsslapd-localuser dse.ldif
 nsslapd-localuser: nobody
 # ls -la ds.keytab
 -rw--- 1 nobody nobody 172 Oct  3 13:21 ds.keytab
 # ktutil
 ktutil:  rkt ./ds.keytab
 ktutil:  l
 slot KVNO Principal
 ---- ---- ---------------------------------------------------------------
    1    3 ldap/station1.example@station1.example.com
    2    3 ldap/station1.example@station1.example.com
 # grep KRB /etc/sysconfig/dirsrv
 KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME

 SASL maps in Directory Server:
 dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
 objectClass: top
 objectClass: nsSaslMapping
 cn: Kerberos uid mapping
 nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
 nsSaslMapBaseDNTemplate: dc=\2,dc=\3
 nsSaslMapFilterTemplate: (uid=\1)

 dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config
 objectClass: top
 objectClass: nsSaslMapping
 cn: Station1 Kerberos Mapping
 nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM
 nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
 nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com

 dn: cn=station1 map,cn=mapping,cn=sasl,cn=config
 objectClass: top
 objectClass: nsSaslMapping
 cn: example map
 cn: station1 map
 nsSaslMapRegexString: \(.*\)
 nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
 nsSaslMapFilterTemplate: (cn=\1)

 Getting a ticket from the KDC:
 [mca...@station1 ~]$ kdestroy
 [mca...@station1 ~]$ kinit
 Password for mca...@station1.example.com:
 [mca...@station1 ~]$ klist
 Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
 Default principal: mca...@station1.example.com
 Valid starting     Expires            Service principal
 10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM
 Kerberos 4 ticket cache: /tmp/tkt5000
 klist: You have no tickets cached

 Any help or pointers people have would be greatly appreciated.



--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Connections not closing

2010-09-22 Thread Andrey Ivanov
Hi,

you may have a (software/hardware) firewall or switch/load balancer issue
between ldap server and other servers. Some firewalls and switches don't let
the RST packets pass correctly. I've seen such a thing once between a
database server and the web server. It was a hardware firewall (and switch)
problem.
If it's not a firewall/switch problem you should also reduce
nsslapd-idletimeout of cn=config

A part of our sysctl.conf file on 389 server is very similar to yours, so
the problem is not in the kernel config:
# The total session drop time will be
# (net.ipv4.tcp_keepalive_time + net.ipv4.tcp_keepalive_probes*net.ipv4.tcp_keepalive_intvl)
# Time of session inactivity when the kernel will start to send probe packets
net.ipv4.tcp_keepalive_time = 1200
# How long the kernel waits in between probes
net.ipv4.tcp_keepalive_intvl = 30

We have three 389DS v1.2.6 on x86_64 servers, each one having ~100 parallel
sessions, ~5 connections and more than a million searches per day, and
absolutely no problem with lingering tcp connections. Among the services using
the LDAP we have also FreeRadius...


2010/9/22 Jim Tyrrell j...@scusting.com



 On the console I have currently configured an Idle Timeout of 300
 seconds and added timeout config to the Fedora OS:

 tcp_keepalive_time = 600
 tcp_keepalive_intvl = 75
 tcp_keepalive_probes = 9

 Why are these connections not timing out after the Idle time?   At the
 moment I am having to regularly restart the directory service in order
 to clear the connections down.

 Thanks.

 Jim.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] ns-slapd processes not dying

2010-08-28 Thread Andrey Ivanov
Hi,

You can try to change the following parameters to reduce the timeouts of the
connections :
* system parameters (reduce keepalive time to 700 seconds):
   echo "net.ipv4.tcp_keepalive_time = 700" >> /etc/sysctl.conf
   sysctl -p
* 389 parameters in cn=config (change the maximum time limit per search
operation to 120 sec and set idle connection timeout to 600 sec):
   nsslapd-timelimit: 120
   nsslapd-idletimeout: 600

The file descriptor number used by a connection can be seen in access log
(fd=139) :
[28/Aug/2010:14:35:08 +0200] conn=58377 fd=139 slot=139 SSL connection from
x.x.x.x to x.x.x.x

You may also use /logconv.pl utility to see the long requests, number of
parallel/concurrent connections and file descriptor usage ('Highest FD
taken')
Total Connections:            2855
Peak Concurrent Connections:  4
Total Operations:             157116
Total Results:                157139
Overall Performance:          100.0%
...
FDs Taken:                    3112
FDs Returned:                 3112
Highest FD Taken:             143
...
- Top 20 Most Frequent etimes -

156965  etime=0
58  etime=1
58  etime=3
58  etime=2


@+

2010/8/27 Angel Bosch Mora angbo...@conselldemallorca.net

 hi,

 i had problems with too many fds open on some instances and after digging
 a bit i've found that ns-slapd dont die.

 i got 5 similar installations and this is happening just in two of them and
 i can't identify what is about.


 i've been recollecting process informations and i know for sure that the
 only process that keep increasing is ns-slapd and eventually, after some
 weeks, 389 starts refusing new connections and i got the too many fds open
 message.

 i can increase max fds but the problem of processes keeping alive is still
 there.

 anyone facing similar situation?

 regards,

 abosch

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
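A way to find the connections the two threads above describe (still open, but idle past nsslapd-idletimeout), added here as an example and not code from 389 or from logconv.pl: it replays a constructed access-log excerpt in the format quoted above, recomputes the logconv-style counters (total connections, peak concurrent, highest fd taken) and lists the connections still open whose last operation is older than the idle timeout, with the fd and peer address needed to chase them on the client side.

```python
import re
from datetime import datetime

# Constructed access-log excerpt in the format quoted in this thread
# (conn=/fd=/slot= on open, "fd=N closed" on close); hosts and times are made up.
SAMPLE_ACCESS_LOG = """\
[22/Sep/2010:10:00:00 +0200] conn=100 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[22/Sep/2010:10:00:00 +0200] conn=100 op=0 BIND dn="uid=radius,ou=services,dc=example,dc=com" method=128 version=3
[22/Sep/2010:10:00:00 +0200] conn=100 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[22/Sep/2010:10:00:05 +0200] conn=101 fd=65 slot=65 SSL connection from 10.0.0.7 to 10.0.0.1
[22/Sep/2010:10:00:06 +0200] conn=101 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Sep/2010:10:00:06 +0200] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[22/Sep/2010:10:00:07 +0200] conn=101 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jim)" attrs=ALL
[22/Sep/2010:10:00:07 +0200] conn=101 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[22/Sep/2010:10:00:08 +0200] conn=101 op=2 UNBIND
[22/Sep/2010:10:00:08 +0200] conn=101 op=2 fd=65 closed - U1
[22/Sep/2010:10:01:00 +0200] conn=102 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[22/Sep/2010:10:01:00 +0200] conn=102 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(cn=*)" attrs=ALL
[22/Sep/2010:10:01:00 +0200] conn=102 op=0 RESULT err=0 tag=101 nentries=12 etime=0
[22/Sep/2010:10:20:00 +0200] conn=103 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1
[22/Sep/2010:10:20:01 +0200] conn=103 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(uid=ab)" attrs=ALL
[22/Sep/2010:10:20:01 +0200] conn=103 op=0 RESULT err=0 tag=101 nentries=1 etime=0
"""

_LINE_RE = re.compile(r"^\[([^\]]+)\] conn=(\d+) (.*)$")
_OPEN_RE = re.compile(r"^fd=(\d+) slot=\d+ (?:SSL )?connection from (\S+) to ")
_CLOSE_RE = re.compile(r"^op=\d+ fd=\d+ closed")


def parse_ts(stamp):
    """Parse the bracketed 389 timestamp, e.g. 22/Sep/2010:10:00:00 +0200."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def analyse_access_log(text, idle_timeout):
    """Replay the log and return logconv-style counters plus the connections
    that are still open at the end of the excerpt and have been idle for
    longer than idle_timeout seconds (nsslapd-idletimeout in cn=config)."""
    open_conns = {}          # conn number -> details of a connection not yet closed
    total = peak = highest_fd = 0
    last_ts = None
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, conn, rest = parse_ts(m.group(1)), int(m.group(2)), m.group(3)
        last_ts = ts
        opened = _OPEN_RE.match(rest)
        if opened:
            fd = int(opened.group(1))
            open_conns[conn] = {"fd": fd, "peer": opened.group(2), "opened": ts, "last": ts}
            total += 1
            peak = max(peak, len(open_conns))
            highest_fd = max(highest_fd, fd)
        elif _CLOSE_RE.match(rest):
            open_conns.pop(conn, None)      # fd returned to the pool
        elif conn in open_conns:
            open_conns[conn]["last"] = ts   # any operation counts as activity
    lingering = []
    for conn, c in sorted(open_conns.items()):
        idle = int((last_ts - c["last"]).total_seconds())
        if idle > idle_timeout:
            lingering.append((conn, c["fd"], c["peer"], idle))
    return {"total": total, "peak": peak, "highest_fd": highest_fd,
            "still_open": len(open_conns), "lingering": lingering}


if __name__ == "__main__":
    report = analyse_access_log(SAMPLE_ACCESS_LOG, idle_timeout=600)
    print(f"Total Connections: {report['total']}  Peak Concurrent: {report['peak']}  "
          f"Highest FD Taken: {report['highest_fd']}")
    for conn, fd, peer, idle in report["lingering"]:
        print(f"conn={conn} fd={fd} from {peer} idle for {idle}s, past the idle timeout")
```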

Re: [389-users] Outlook VLV index and western europe diacritics

2010-08-25 Thread Andrey Ivanov
2010/8/25 Rich Megginson rmegg...@redhat.com

 Andrey Ivanov wrote:

 Hi,

 I am testing the 389 latest git version. There is one thing i have
 noticed concerning Outlook browsing of LDAP and VLV indexes. Though i
 think the change has happened already some time ago, in one of the
 previous versions.


 Can you confirm the last version that this worked in?  I suspect this had
 something to do with my matching rule changes in 1.2.6.  The goal is that it
 should work the same way as before, so this is definitely a bug.

No. It is not a bug, it was my mistake. I've just tested several versions
of 389 and FDS (1.2.x, 1.1.x and 1.0.4). They all exhibit the same behavior
concerning the sorting of CNs in VLV browsing.

So then i still have this second question - is there a way to change the vlv
index sort in order to sort according to nsMatchingRule? Or would it be a
feature request?

*) i've tried to add collation rules to vlv index entries by putting the
value of the attribute vlvSort to cn:2.16.840.1.113730.3.3.2.18.1.6 or to
cn:fr. It does not work. Instead of changing the sorting order it produces
some strange contents in the index vlv#outlookbrowseindex.db4 file.

**) then i thought that maybe i should change the cn index ordering and i
have added nsMatchingRule: 2.16.840.1.113730.3.3.2.18.1 to the cn indexes
in dse.ldif. However reindexing does not actually change the order in
cn.db4 (even after reindexing by something explicit like db2index -n userRoot
-t cn:eq,pres,sub:2.16.840.1.113730.3.3.2.18.1) in the index .db4 files.
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

[389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
Hi,

i'm continuing to test the latest version of 389. Here are the error
messages that i've seen (it happened only once for now) in error log :

[25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert cn=salon 
d#039,honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for cn=salon 
d#039,honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)
[25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for 
honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)


The object in question is
cn=SALON D'HONNEUR,ou=Objets,dc=id,dc=polytechnique,dc=edu
departmentNumber: DG/SG/MG/REST
objectClass: top
cn: SALON D'HONNEUR

What is the problem with this entry, conversion to Slapi_DN and entryrdn index? 
Here are the
corresponding entries extracted with dbscan :

5370:cn=salon d'honneur
  ID: 5370; RDN: cn=SALON D'HONNEUR; NRDN: cn=salon d'honneur

C3106:ou=objets
  ID: 5370; RDN: cn=SALON D'HONNEUR; NRDN: cn=salon d'honneur

P5370:cn=salon d'honneur
  ID: 3106; RDN: ou=Objets; NRDN: ou=objets



I have not made any upgrades of the existing server. Instead, i have
exported the ldif by db2ldif and then imported it into the new server,
so there was no conversion phase.


Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov


These messages continue to appear, each time for a new entry. All
these entries contain the apostrophe ':

[25/Aug/2010:18:34:31 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert cn=cadre 
d#039,astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:18:34:31 +0200] - dn2entry: Failed to get id for cn=cadre 
d#039,astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index 
(34)
[25/Aug/2010:18:34:31 +0200] entryrdn-index - entryrdn_index_read: Param error: 
Failed to convert astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:18:34:31 +0200] - dn2entry: Failed to get id for 
astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index (34)

...



Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


[389-users] Incremental Replication over SSL ( and startTLS) with simple bind crashes the latest version

2010-08-25 Thread Andrey Ivanov
I wanted to configure the replication over SSL (both with SSL
mechanism which was available in previous versions) and by TLS using
simple bind (both in multimaster or single master-dedicated consumer models).

I've tried to configure it with command line and with the console. The
configuration and the initial initialisation are ok :

[25/Aug/2010:18:30:44 +0200] NSMMReplicationPlugin - replica_config_delete: 
Warning: The changelog for replica dc=id,dc=polytechnique,dc=edu is no longer 
valid since the replica config is being deleted.  Removing the changelog.
[25/Aug/2010:18:34:33 +0200] NSMMReplicationPlugin - 
multimaster_be_state_change: replica dc=id,dc=polytechnique,dc=edu is going 
offline; disabling replication
[25/Aug/2010:18:34:33 +0200] - WARNING: Import is running with 
nsslapd-db-private-import-mem on; No other process is allowed to access the 
database
[25/Aug/2010:18:34:39 +0200] - import userRoot: Workers finished; cleaning up...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Workers cleaned up.
[25/Aug/2010:18:34:40 +0200] - import userRoot: Indexing complete.  
Post-processing...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Flushing caches...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Closing files...
[25/Aug/2010:18:34:40 +0200] - import userRoot: Import complete.  Processed 
9523 entries in 7 seconds. (1360.43 entries/sec)
[25/Aug/2010:18:34:40 +0200] NSMMReplicationPlugin - 
multimaster_be_state_change: replica dc=id,dc=polytechnique,dc=edu is coming 
online; enabling replication

But when i continue and try to make a change on a master the consumer
server crashes. So the total replica initialisation is ok but even a
single incremental update crashes the consumer server. And there is
nothing helpful in logs. I haven't tried the 1.2.6.rc7 version, i've
tried the latest code version (as of today). Don't know if it matters
(there seem to be a lot of coverity defects that have been fixed
between rc7 and a1).


Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
2010/8/25 Noriko Hosoi nho...@redhat.com

  Hi Andrey,

 Looking at this line, #039, is not a UTF-8 representation of apostrophe.
  Rather a Latin-1 representation?  Also, it contains ',' in the rdn value
 without an escape.  It's considered a separator between rdns. I wonder who
 created the input DN...?

Hi Noriko, i have exported the complete ldif of userRoot database with
db2ldif.pl of our current production server - 1.2.5.rc3 :
db2ldif.pl -D "cn=Backup, cn=config" -w 'some password' -n userRoot -a
/Backup/prod_base_`/bin/date +%Y_%b_%d_%Hh%Mm%Ss`.ldif

The corresponding extract from ldif file is
...
# entry-id: 5405
dn: cn=SALON D'HONNEUR,ou=objets,dc=id,dc=polytechnique,dc=edu
nsUniqueId: 50a40f2e-251a11de-99ffa90c-effa97ef
modifyTimestamp: 20100129123533Z
modifiersName: uid=andrey.ivanov,ou=personnel,ou=utilisateurs,dc=id,dc=polytechnique,dc=edu
departmentNumber: DG/SG/MG/REST
telephoneNumber: +33169333703
X-UniqueId: 50a40f2e-251a11de-99ffa90c-effa97ef
ou: ou=rest,ou=mg,ou=sg,ou=dg,ou=organisation,dc=id,dc=polytechnique,dc=edu
title: SALON D'HONNEUR
objectClass: top
objectClass: X-Object
cn: SALON D'HONNEUR
X-majaxIndex: 17988
creatorsName:
createTimestamp: 20090811160546Z
...

The error seems to appear only in 1.2.7.a1 version, the 1.2.6.rc7 version
does not show any errors at all concerning this entry...



 entryrdn-index - entryrdn_index_read: Param error: Failed to convert
 cn=salon d#039,honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN

 Thanks,
 --noriko



--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
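A check for the two defects Noriko points out in the DN (an HTML character reference where the apostrophe should be, and an unescaped comma inside an RDN value), added here as an example that is not part of the thread or of 389: it scans constructed access-log SRCH lines (the quotes 389 writes around base="..." are assumed, since the archive strips them), splits each base DN at unescaped commas per RFC 4514, and reports bases where a fragment has no attribute type or an HTML reference survives, together with the RESULT code of the same operation. This is how a broken client can be located from the access log rather than from the entryrdn error messages.

```python
import re

# Constructed access-log lines modelled on the SRCH/RESULT pair this thread
# ends with; conn numbers, times and the three comparison clients are made
# up, and the quotes 389 writes around base="..." are restored.
SAMPLE_ACCESS_LOG = r"""
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 SRCH base="cn=cadre d#039,astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu" scope=0 filter="(&(objectClass=X-Object)(ou=*))" attrs="* modifyTimestamp"
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 RESULT err=32 tag=101 nentries=0 etime=0.002000
[25/Aug/2010:21:25:22 +0200] conn=4202 op=1 SRCH base="cn=cadre d&#039;astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Aug/2010:21:25:22 +0200] conn=4202 op=1 RESULT err=32 tag=101 nentries=0 etime=0.001000
[25/Aug/2010:21:25:23 +0200] conn=4203 op=1 SRCH base="cn=cadre d'astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Aug/2010:21:25:23 +0200] conn=4203 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001000
[25/Aug/2010:21:25:24 +0200] conn=4204 op=1 SRCH base="cn=Dupont\, Jean,ou=people,dc=id,dc=polytechnique,dc=edu" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Aug/2010:21:25:24 +0200] conn=4204 op=1 RESULT err=0 tag=101 nentries=1 etime=0.001000
"""

_SRCH_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
_RESULT_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(\d+) RESULT err=(\d+)')
# HTML character references (&#039; &#x27; &amp; ...) plus the bare "#039"
# residue left when a client mangles one; "\#" is a legitimate DN escape and
# is excluded. Heuristic: a value such as "room #12" would also be reported.
_HTML_REF_RE = re.compile(r"&#x?[0-9A-Fa-f]+;?|&[A-Za-z]+;|(?<![\\#])#\d{2,4}\b")


def split_rdns(dn):
    """Split a DN into RDNs at unescaped commas (RFC 4514); an escaped comma stays in its value."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return rdns


def dn_problems(dn):
    """Return the reasons a DN looks client-mangled (empty list if it looks well-formed)."""
    problems = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            # A bare fragment means an unescaped separator split a value, which
            # is what produces "Failed to convert honneur,ou=objets,..." above.
            problems.append(f"RDN without attribute type: {rdn!r}")
    if _HTML_REF_RE.search(dn):
        problems.append("HTML character reference in DN")
    return problems


def find_malformed_search_bases(log_text):
    """Return [(conn, op, base_dn, result_err, problems)] for suspicious SRCH bases."""
    searches, results = {}, {}
    for line in log_text.splitlines():
        m = _SRCH_RE.match(line)
        if m:
            searches[(int(m.group(1)), int(m.group(2)))] = m.group(3)
            continue
        m = _RESULT_RE.match(line)
        if m:
            results[(int(m.group(1)), int(m.group(2)))] = int(m.group(3))
    findings = []
    for (conn, op), base in sorted(searches.items()):
        problems = dn_problems(base)
        if problems:
            findings.append((conn, op, base, results.get((conn, op)), problems))
    return findings


if __name__ == "__main__":
    for conn, op, base, err, problems in find_malformed_search_bases(SAMPLE_ACCESS_LOG):
        print(f"conn={conn} op={op} err={err} base={base}")
        for p in problems:
            print("   ", p)
```

The conn number in each finding pairs with the "connection from" line of the same conn in the access log, which gives the client address to follow up.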

Re: [389-users] Incremental Replication over SSL ( and startTLS) with simple bind crashes the latest version

2010-08-25 Thread Andrey Ivanov
2010/8/25 Rich Megginson rmegg...@redhat.com


 Can you get a core file and a stack trace?


Rich, just as i thought, this crash happens only with today's snapshot of
1.2.7.a1 version only. I've compiled 1.2.6.rc7 and the replication works
smoothly and without any problem. I didn't have a lot of time to generate a
stack trace because i was migrating our production servers. I thought the
latest build should be stable but it seems that the changes between 6rc7 and
7a1 introduce some problems with incremental replication as well as with
apostrophes in DN (my second mail). So for now i will migrate to 1.2.6.rc7.
I'll test the a1 version later when i have time...

Thanks!
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
I'll try to reproduce the problem tomorrow on my test server using the same
ldif file. The server had also the changelog enabled (for replication
purposes).

2010/8/25 Noriko Hosoi nho...@redhat.com

  Thanks for your input, Andrey!  I tested the latest server (built from git
 trunk) using your data.  I had no problem adding the entry and searching for it
 using scope base or sub.  Could you please give us the steps to
 reproduce your problem?

 Thanks!
 --noriko



--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] entryrdn-index error message in error log

2010-08-25 Thread Andrey Ivanov
Well, i've sorted out this problem. Rich has pointed out that it's an
html/xml escape. He was right. Since i was working on our production servers
there were some requests constantly coming in. I've searched through the
access logs and found that the source of the problem is a broken web
application that requests an incorrect DN :

[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 SRCH base=cn=cadre
d#039,astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu scope=0
filter=(((objectClass=X-Object)(ou=*))) attrs=* modifyTimestamp
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 RESULT err=32 tag=101 nentries=0
etime=0.002000

These requests generate the messages I've seen in the error log:
[25/Aug/2010:21:25:21 +0200] entryrdn-index - entryrdn_index_read: Param
error: Failed to convert cn=cadre
d#039,astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
[25/Aug/2010:21:25:21 +0200] - dn2entry: Failed to get id for cn=cadre
d#039,astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index
(34)
[25/Aug/2010:21:25:21 +0200] entryrdn-index - entryrdn_index_read: Param
error: Failed to convert astreinte,ou=objets,dc=id,dc=polytechnique,dc=edu
to Slapi_RDN

So there is no problem in the server code, it's a broken application. It
applies to both 6rc7 and 7rc1 versions of course. The reason why I thought
there was no problem in the rc7 case is that I made the tests with rc7 at
21h00; at this time there were no users and so no requests from the
above-mentioned application :))
I was alarmed because on our servers there are very few error messages in
the error logs and I know them all. This sort of error message (incorrect DN or
filter in LDAP search requests) was not logged in previous 389 versions,
it's a behaviour change...
So the only thing that I should look into is the server crash during SSL
incremental replication in the current git version.




2010/8/25 Noriko Hosoi nho...@redhat.com

  On 08/25/2010 10:44 AM, Rich Megginson wrote:

 Noriko Hosoi wrote:

  Hi Andrey,

 Looking at this line,#039, is not a UTF-8 representation of
 apostrophe.  Rather a Latin-1 representation?  Also, it contains ','
 in the rdn value without an escape.  It's considered a separator
 between rdns. I wonder who created the input DN...?

 entryrdn-index - entryrdn_index_read: Param error: Failed to convert
 cn=salon d#039,honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to
 Slapi_RDN

 #039, looks like some sort of html/xml escape?

http://www.theukwebdesigncompany.com/articles/entity-escape-characters.php

 Thanks, Rich!  You are right!  And I don't think our DN normalizer
supports it.

 Andrey, what you observe is ...
 389 v1.2.6.rc7 has no problem to handle cn=salon d#039,honneur, but
1.2.7.a1 does?

 We haven't touched the normalizer between 1.2.6.rc7 and 1.2.7.a1, I
think...
 --noriko

 Thanks,
 --noriko

 On 08/25/2010 08:35 AM, Andrey Ivanov wrote:

 Hi,

 I'm continuing to test the latest version of 389. Here are the error
 messages that I've seen (it happened only once for now) in the error log:

 [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read:
 Param error: Failed to convert cn=salon
 d#039,honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
 [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
 cn=salon d#039,honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from
 entryrdn index (34)
 [25/Aug/2010:17:21:10 +0200] entryrdn-index - entryrdn_index_read:
 Param error: Failed to convert
 honneur,ou=objets,dc=id,dc=polytechnique,dc=edu to Slapi_RDN
 [25/Aug/2010:17:21:10 +0200] - dn2entry: Failed to get id for
 honneur,ou=objets,dc=id,dc=polytechnique,dc=edu from entryrdn index
(34)


 The object in question is
 cn=SALON D'HONNEUR,ou=Objets,dc=id,dc=polytechnique,dc=edu
 departmentNumber: DG/SG/MG/REST
 objectClass: top
 cn: SALON D'HONNEUR

 What is the problem with this entry, conversion to Slapi_DN and
 entryrdn index? Here are the corresponding entries extracted with dbscan:

 5370:cn=salon d'honneur
ID: 5370; RDN: cn=SALON D'HONNEUR; NRDN: cn=salon d'honneur

 C3106:ou=objets
ID: 5370; RDN: cn=SALON D'HONNEUR; NRDN: cn=salon d'honneur

 P5370:cn=salon d'honneur
ID: 3106; RDN: ou=Objets; NRDN: ou=objets



 I have not made any upgrades of the existing server. Instead, I have
 exported the LDIF by db2ldif and then imported it into the new server,
 so there was no conversion phase.


 Andrey Ivanov
 tel +33-(0)1-69-33-99-24
 fax +33-(0)1-69-33-99-55

 Direction des Systemes d'Information
 Ecole Polytechnique
 91128 Palaiseau CEDEX
 France

 --
 389 users mailing list
 389-us...@lists.fedoraproject.org
 https://admin.fedoraproject.org/mailman/listinfo/389-users
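One way to spot the pattern Andrey found in his access log, as an added Python example that is not from the thread or from 389 DS itself: it scans constructed access-log SRCH lines (connection numbers and DNs are made up, modelled on the lines quoted above) for base DNs that carry an HTML numeric character reference such as `&#039;` (the kind of escape Rich identified) or an unescaped comma inside an RDN value, which the server then reads as an RDN separator, and it includes an RFC 4514 escaping helper showing what a well-behaved application should send instead. The regexes and the unquoted `base=... scope=` log layout are assumptions based on the lines quoted in this thread.

```python
"""Find malformed base DNs in 389 DS access-log SRCH lines.

Added example (not from the thread or from 389 DS). The sample log lines
below are constructed: connection numbers and DNs are made up, modelled on
the lines quoted in the thread.
"""
import re
from typing import Dict, List

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an
# RDN attribute value. An apostrophe is NOT among them.
SPECIAL = set(',+"\\<>;')

# HTML/XML numeric character reference such as &#039; (apostrophe). A client
# that HTML-escapes a DN before sending it produces exactly this.
HTML_REF = re.compile(r'&#(?:[0-9]{1,5}|x[0-9a-fA-F]{1,4});')

# Assumed log layout (as in the lines quoted above): the base DN is unquoted
# and runs up to the " scope=" field.
SRCH_LINE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base=(?P<base>.*?) scope=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in an RDN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')          # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')          # a leading '#' would mean a hex-encoded value
        else:
            out.append(ch)
    return ''.join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN string into its RDN strings on unescaped commas."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):   # keep escape pairs intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))
    return rdns


def dn_problems(dn: str) -> List[str]:
    """Return the problems found in a DN string (empty list if it looks sane)."""
    problems = []
    if HTML_REF.search(dn):
        problems.append('html-entity')
    for rdn in split_dn(dn):
        # Every RDN is "type=value"; a piece without '=' means a comma inside a
        # value was not escaped, so the server split the value in two.
        if '=' not in rdn:
            problems.append('rdn-without-type: %r' % rdn)
    return problems


def scan_access_log(text: str) -> Dict[str, List[str]]:
    """Map "conn=N op=M" to the problems found in that search's base DN."""
    bad = {}
    for line in text.splitlines():
        m = SRCH_LINE.search(line)
        if not m:
            continue
        problems = dn_problems(m.group('base'))
        if problems:
            bad['conn=%s op=%s' % (m.group('conn'), m.group('op'))] = problems
    return bad


# Constructed sample: one HTML-escaped DN, one correct DN with a bare
# apostrophe, one with an unescaped comma inside the cn value.
SAMPLE_LOG = """\
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 SRCH base=cn=cadre d&#039;astreinte,ou=objets,dc=example,dc=com scope=0 filter=(&(objectClass=X-Object)(ou=*)) attrs=* modifyTimestamp
[25/Aug/2010:21:25:21 +0200] conn=4201 op=1 RESULT err=32 tag=101 nentries=0 etime=0.002000
[25/Aug/2010:21:25:22 +0200] conn=4202 op=1 SRCH base=cn=cadre d'astreinte,ou=objets,dc=example,dc=com scope=0 filter=(objectClass=*) attrs=ALL
[25/Aug/2010:21:25:23 +0200] conn=4203 op=2 SRCH base=cn=Dupont, Jean,ou=people,dc=example,dc=com scope=0 filter=(objectClass=*) attrs=ALL
"""

if __name__ == '__main__':
    for key, problems in scan_access_log(SAMPLE_LOG).items():
        print(key, problems)
    print(escape_rdn_value("Dupont, Jean"))  # Dupont\, Jean
```

Run over a real access log, the conn/op pairs this returns can be matched against the BIND and connection lines of the same conn number, which is how one finds the application responsible for a burst of entryrdn_index_read errors without touching the server itself.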

[389-users] Outlook VLV index and western europe diacritics

2010-08-24 Thread Andrey Ivanov
Hi,

I am testing the 389 latest git version. There is one thing I have
noticed concerning Outlook browsing of LDAP and VLV indexes, though I
think the change happened already some time ago, in one of the
previous versions.

To make the LDAP Outlook browsing work correctly I've always used the steps
described in the doc
(http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Creating_Indexes-Creating_VLV_Indexes.html):

dn: cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: Outlook Browse
objectClass: top
objectClass: vlvsearch
vlvBase: ou=Utilisateurs,dc=id,dc=polytechnique,dc=edu
vlvFilter: (&(mail=*)(cn=*))
vlvScope: 2


dn: cn=Outlook Browse Index,cn=Outlook Browse,cn=userRoot,cn=ldbm database,cn=
 plugins,cn=config
cn: Outlook Browse Index
objectClass: top
objectClass: vlvindex
vlvEnabled: 1
vlvSort: cn



This creates a VLV index, sorts the entries by cn and shows them in
Outlook:
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 SRCH 
base=ou=utilisateurs,dc=id,dc=polytechnique,dc=edu scope=2 
filter=((mail=*)(cn=*)) attrs=cn cn mail roleOccupant display-name 
displayName sn sn co o o givenName legacyexchangedn objectClass uid 
mailnickname title company physicalDeliveryOfficeName telephoneNumber
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 SORT cn 
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 VLV 0:0:xac 7860:8001 (0)
[24/Aug/2010:16:42:19 +0200] conn=24 op=2 RESULT err=0 tag=101 nentries=1 
etime=0.009000
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 SRCH 
base=ou=utilisateurs,dc=id,dc=polytechnique,dc=edu scope=2 
filter=((mail=*)(cn=*)) attrs=cn cn mail roleOccupant display-name 
displayName sn sn co o o givenName legacyexchangedn objectClass uid 
mailnickname title company physicalDeliveryOfficeName telephoneNumber
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 SORT cn 
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 VLV 0:27:7859:8001 7860:8001 (0)
[24/Aug/2010:16:42:19 +0200] conn=24 op=3 RESULT err=0 tag=101 nentries=28 
etime=0.019000



In (relatively old) previous versions of the server the sorting took
into account the accented letters (like é, for example). The CNs
with these letters were sorted correctly (that is, é after d and
before f). So the entries were sorted by VLV like this:

...
Tdo Not
Ten Toys
Tén Toys   <--
Tfk Nev
Tgl Mu
...
Tzzz Too
Uart New
...

With the recent versions the server orders the CNs strictly according to ASCII
(I think):

...
Tdo Not
Ten Toys
Tfk Nev
Tgl Mu
...
Tzzz Too
Tén Toys   <--
Uart New
...


That is, all the diacritical letters appear after z.

I have looked into the vlv#outlookbrowseindex.db4 file by dbscan and
the order corresponds exactly to what Outlook shows.

The questions are:
- whether it is how it should work and
- how do I revert to the old server behavior.


The sorting with collation (that is, something like
my $sort_control = Net::LDAP::Control::Sort->new( order => "cn:2.16.840.1.113730.3.3.2.18.1.6", critical => 1 );
) works perfectly (i.e. é is after d and before f).

I've tried several ideas to return to the old behavior:

*) I've tried to add collation rules to the VLV index entries, but setting
the value of the attribute vlvSort to
cn:2.16.840.1.113730.3.3.2.18.1.6 or to cn:fr does not work
either. Instead of changing the sorting order it produces some strange
contents in the index vlv#outlookbrowseindex.db4 file.


**) Then I thought that maybe I should change the cn index ordering
and I have added nsMatchingRule: 2.16.840.1.113730.3.3.2.18.1 to the
cn indexes in dse.ldif. However reindexing does not actually change
the order (even after reindexing by something explicit like db2index -n
userRoot -t cn:eq,pres,sub:2.16.840.1.113730.3.3.2.18.1) in the index
.db4 files.


Any ideas/suggestions?


Andrey Ivanov
tel +33-(0)1-69-33-99-24
fax +33-(0)1-69-33-99-55

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
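The two orderings described in the post, reproduced in Python as an added example (it is not from the thread and not how the server's collation plugin works internally): `codepoint_sort` is the strict codepoint order the poster now sees, where é (U+00E9) sorts after z; `collated_sort` approximates the old, accent-aware ordering by decomposing each name with NFD, dropping the combining accent marks and case-folding, with the original string as a tie-breaker so that "Ten Toys" still precedes "Tén Toys". The name list is the one from the post, in scrambled order.

```python
"""Codepoint order versus an accent-insensitive collation key.

Added example, not from the thread and not the server's own collation
implementation. NAMES is the list from the post, in scrambled order.
"""
import unicodedata
from typing import List, Tuple

NAMES = ["Tzzz Too", "Tén Toys", "Uart New", "Tdo Not", "Tfk Nev", "Ten Toys", "Tgl Mu"]


def codepoint_sort(names: List[str]) -> List[str]:
    """Plain string comparison: each character compared by its Unicode codepoint.

    'é' is U+00E9, above every ASCII letter, so a name whose first differing
    character is accented lands after all plain-ASCII names with the same prefix.
    """
    return sorted(names)


def collation_key(name: str) -> Tuple[str, str]:
    """Primary key: base letters only (accents removed, case folded).

    Secondary key: the original string, so that 'Ten Toys' still sorts before
    'Tén Toys' instead of the two being interchangeable.
    """
    decomposed = unicodedata.normalize("NFD", name)           # 'é' -> 'e' + U+0301
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return (base.casefold(), name)


def collated_sort(names: List[str]) -> List[str]:
    """Accent-insensitive ordering, approximating the old server behaviour."""
    return sorted(names, key=collation_key)


def show(label: str, names: List[str]) -> None:
    print(label)
    for n in names:
        print("   ", n, "  <--" if "é" in n else "")


if __name__ == "__main__":
    show("codepoint order (what the poster sees now):", codepoint_sort(NAMES))
    show("accent-folded collation (approximating the old order):", collated_sort(NAMES))
```

Which of the two orderings the directory applies is decided by the server's collation configuration, which is what the post is asking about; this only makes visible what each ordering looks like on the same data.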


Re: [389-users] NS-SLAPD unusual spikes (process taking to over 95% of cpu time periodically)

2010-04-01 Thread Andrey Ivanov
Hi,

You may take a look at:
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/memoryusage.html

Some nice explanations of cache structures and design can also be found on
the Sun (soon Oracle) site:
http://docs.sun.com/source/817-5220/caching.html


2010/4/1 Alan Orlič Belšak alan.or...@zd-lj.si

 One more question, any recommendations about that? How big should the
 cache be, what to do for better performance, etc?

 Bye, Alan

 On 1.4.2010 8:59, Alan Orlič Belšak wrote:
  Never mind, found the problem: nsslapd-cachememsize. I changed the size of
  the cache and the process immediately started to work normally.
 
  Bye, Alan
 
  On 1.4.2010 8:05, Alan Orlič Belšak wrote:
 
  Hello,
 
  we're using Fedora 1.2.5 with samba 3.5.1 and lately on the
  server we're getting unusual activity of the ns-slapd process - every few
  seconds it goes from sleep to 100% of cpu time and stays there for a
  few seconds. I have no idea why, our userroot database is only 30 MB
  (1500 users, 1000 computers), we're using LDAP just for that. The only
  thing I changed lately is that I added some information
  like address, office, position etc. Those fields aren't indexed, can
  this be a problem?
 
  Bye, Alan
 

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] RHDS and Radius Certificate

2010-03-24 Thread Andrey Ivanov
2010/3/23 Natr Brazell natrbraz...@gmail.com

 I think I would understand it more if I understood the following sections:

 cacertfile =  /usr/local/etc/freeradius/certs/CA_certif.crt
 (If I am doing testing, how do I make this file?)



It's the public certificate of the CA that has signed (in our case) both 389
and freeradius certificates.



 Do I really need this section? I don't have, nor will I have, any Wi-Fi and
 all users connecting in my case are on the same VLAN.

 access_attr_used_for_allow = yes
 access_attr = X-Vlan-WiFi
 dictionary_mapping = ${raddbdir}/ldap.attrmap

 No, as I told you this section is only necessary if you want to pass some
parameters from LDAP to radius. In your case you don't need this.



 Again as in the first note above.

 private_key_file = ${certdir}/radius-server.key
 certificate_file = ${certdir}/radius-server.crt
 CA_file = ${certdir}/CA_certif.crt
 Doing an initial test without the need of an official CA.  What's the
 difference between the above 3 files and how do I generate them?  If I sound like
 a dunce, I am in this respect.  PKI is fairly new for me to configure.  I
 understand it in theory but getting all the pieces to fit is confusing.

These are the private key and certificate of the freeradius server signed by a
CA. In our case it's the same CA as in cacertfile. In order to generate
them we use openssl; you can try TinyCA or some other web/GUI manager of
PKI. It's more of a certificates/PKI question than an LDAP one...





 Thanks for the useful responses.
 N
 2010/3/23 Andrey Ivanov andrey.iva...@polytechnique.fr

 Hi,

 exactly the same freeradius configuration applies to RHDS and OpenLDAP.
 Depending on how you want to authenticate users you may use either
 login/password or user certificate; both types of authentication are
 configurable on freeradius and on RHDS.  We use freeradius with 3 master 389
 servers and login/password (EAP-TTLS with PAP) and it works without any
 problem. Here is an example of the modules/ldap freeradius config file for our
 case:

 ldap Ldap-First {
 server = ldap server fqdn
 port = 389
 net_timeout = 2
 timeout = 10
 timelimit = 10
 #ldap_debug = 0x
 identity = uid=radius,dc=example,dc=com
 password = password
 ldap_connections_number = 5
 basedn = ou=users,dc=example,dc=com
 filter = (&(uid=%{User-Name})(objectClass=inetOrgPerson))
 base_filter = (objectclass=inetOrgPerson)

 tls {
 start_tls = yes
 tls_mode = no
 cacertfile =
 /usr/local/etc/freeradius/certs/CA_certif.crt
 require_cert = demand
 }

 access_attr_used_for_allow = yes
 access_attr = X-Vlan-WiFi
 dictionary_mapping = ${raddbdir}/ldap.attrmap

 set_auth_type = yes
 }


 Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where
 the user should be after connection. CA_certif.crt is the certificate of the
 certification authority that signed the LDAP server's certificate (used when
 establishing the TLS session between radius and the LDAP server) and radius'
 certificate.

 The file eap.conf:
 eap {
 default_eap_type = ttls
 timer_expire = 60
 ignore_unknown_eap_types = no
 cisco_accounting_username_bug = no
 max_sessions = 2048

 tls {
 certdir = ${confdir}/certs

 private_key_file = ${certdir}/radius-server.key
 certificate_file = ${certdir}/radius-server.crt
 CA_file = ${certdir}/CA_certif.crt
 cipher_list = DEFAULT

 dh_file = ${certdir}/dh
 random_file = ${certdir}/random

 fragment_size = 1024
 include_length = yes

 }

 ttls {
 default_eap_type = md5
 copy_request_to_tunnel = yes
 use_tunneled_reply = yes
 }
 }

 2010/3/22 Natr Brazell natrbraz...@gmail.com

  I am trying to configure my freeradius box to use TLS to my RHDS
 server.  I find many references to what to do with OpenLDAP however nothing
 good with RHDS or FDS.  Do I need a certificate for every user
 authenticating against my LDAP server through Radius or just a certificate
 from my Radius server to my LDAP server?  Any pointers would be most
 helpful.

 Thanks,
 Nate


--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389

Re: [389-users] RHDS and Radius Certificate

2010-03-23 Thread Andrey Ivanov
Hi,

exactly the same freeradius configuration applies to RHDS and OpenLDAP.
Depending on how you want to authenticate users you may use either
login/password or user certificate; both types of authentication are
configurable on freeradius and on RHDS.  We use freeradius with 3 master 389
servers and login/password (EAP-TTLS with PAP) and it works without any
problem. Here is an example of the modules/ldap freeradius config file for our
case:

ldap Ldap-First {
server = ldap server fqdn
port = 389
net_timeout = 2
timeout = 10
timelimit = 10
#ldap_debug = 0x
identity = uid=radius,dc=example,dc=com
password = password
ldap_connections_number = 5
basedn = ou=users,dc=example,dc=com
filter = (&(uid=%{User-Name})(objectClass=inetOrgPerson))
base_filter = (objectclass=inetOrgPerson)

tls {
start_tls = yes
tls_mode = no
cacertfile =  /usr/local/etc/freeradius/certs/CA_certif.crt
require_cert = demand
}

access_attr_used_for_allow = yes
access_attr = X-Vlan-WiFi
dictionary_mapping = ${raddbdir}/ldap.attrmap

set_auth_type = yes
}


Here X-Vlan-WiFi is the attribute that we use to determine the VLAN where
the user should be after connection. CA_certif.crt is the certificate of the
certification authority that signed the LDAP server's certificate (used when
establishing the TLS session between radius and the LDAP server) and radius'
certificate.

The file eap.conf:
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048

tls {
certdir = ${confdir}/certs

private_key_file = ${certdir}/radius-server.key
certificate_file = ${certdir}/radius-server.crt
CA_file = ${certdir}/CA_certif.crt
cipher_list = DEFAULT

dh_file = ${certdir}/dh
random_file = ${certdir}/random

fragment_size = 1024
include_length = yes

}

ttls {
default_eap_type = md5
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
}

2010/3/22 Natr Brazell natrbraz...@gmail.com

 I am trying to configure my freeradius box to use TLS to my RHDS server.  I
 find many references to what to do with OpenLDAP however nothing good with
 RHDS or FDS.  Do I need a certificate for every user authenticating against
 my LDAP server through Radius or just a certificate from my Radius server to
 my LDAP server?  Any pointers would be most helpful.

 Thanks,
 Nate


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Reindexing the database

2010-03-17 Thread Andrey Ivanov
Hi,

if everything is OK you should never need to reindex the database
manually. You need to reindex it only if there were signs of database
corruption, database file losses or some strange inconsistencies in your
searches.

To reindex online (on 64-bit systems):
/usr/lib64/dirsrv/slapd-<slapd-id>/db2index.pl -v -D "cn=Directory Manager"
-w - -n userRoot

You will see the results of reindexing in
/var/log/dirsrv/slapd-<slapd-id>/errors


2010/3/16 Diretorio Livre tisdn.li...@serpro.gov.br

 Hi,
 We're using Fedora Directory Server 1.2.0 and we've never reindexed the
 database.
 Is it important to periodically reindex the database? I haven't found the
 reindex topic in the documentation.

 Thanks in advance,
 --
 SIEDN - Diretorio Livre



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] nss_ldap: failed to bind to LDAP server

2010-02-03 Thread Andrey Ivanov
man nss_ldap and man ldap.conf. The parameters you may be interested in:

bind_policy
nss_connect_policy
bind_timelimit


2010/2/3 Majian jian...@gmail.com:
 Hi, guys:

 I'm currently using the 389 directory server on CentOS 5, but today it
 displays something in the log like this:


 Dec 22 06:27:56 xscreenserver : nss_ldap: failed to bind to LDAP server
 ldap://192.168.0.134: Can't contact LDAP server
 Dec 22 06:27:56 :xscreenserver: nss_ldap: reconnecting to LDAP server
 (sleeping 64 seconds)...

 Dec 22 06:29:00 :xscreenserver : nss_ldap: failed to bind to LDAP server
 ldap://192.168.0.134: Can't contact LDAP server

 .
 

 The LDAP server is located on the other server and it takes around 10
 minutes for ldap to come up, waiting for all the bind timeouts.

 I've tried googling without finding any useful information.

 Could someone give some suggestions to me?

 Thanks in advance ~.




--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


Re: [389-users] sort on createTimestamp via JNDI

2010-01-29 Thread Andrey Ivanov
Hi,

the server does support server-side sorting. However if the server
considers that the sorting task is too expensive it sends you an
error. When you sort on a certain attribute be sure
* to have an index on it with the corresponding matching rule
(http://www.redhat.com/docs/manuals/dir-server/8.1/admin/index-sort-order.html)
and
* that the number of sorted entries does not exceed
nsslapd-idlistscanlimit
(http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Indexes.html),
otherwise the search will be considered unindexed and as a consequence
too expensive.

Other than that the sorting works perfectly...



2010/1/29 Derek Alexander d.alexan...@lse.ac.uk:
 Hi,

 Was trying to do a search against the directory, with results sorted on the 
 createTimestamp
 attribute using JNDI.

 Got this back:

 javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Sort 
 Response Control];
 remaining name '...'

 Any idea of the reason for this?

 I was under the impression that server-side sorting was supported.

 Cheers,
 Derek



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


Re: [389-users] search on mail attribute no longer case insensitive

2010-01-27 Thread Andrey Ivanov
I've just tested it. Yes, I confirm, the search on the mail
attribute is case-sensitive. In our system it's not a problem because
all the mails are lowercase... I think it is somehow connected to the
syntax validation feature included recently...

2010/1/27 Terry Soucy tso...@unb.ca:
 Good morning Folks,

 We upgraded from 389 DS 1.2.2 to 1.2.5 this AM and found that searches
 on the mail attribute are no longer case insensitive.  Has anyone else
 found this?

 Terry
 --
 Terry Soucy, Systems Analyst              Integrated Technology Services
 University of New Brunswick, Fredericton Campus   http://www.unbf.ca/its
 Voice: 506.447.3018     Fax: 506.453.3590     E-mail: terry.so...@unb.ca
 **    ITS is a scent-reduced workplace -  www.unbf.ca/its/policies    **

--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


Re: [389-users] error log showing Detected Disorderly Shutdown on startup

2010-01-23 Thread Andrey Ivanov
the server was not correctly shut down the last time (power
outage/disk full/kill -9 on the server pid/out of memory/etc). If
this is not the case then it may also be a sign of disk corruption...

2010/1/23 Rankin, Kent kent.ran...@orau.org:
 Upon startup, this is occurring:

 [23/Jan/2010:12:31:42 -0500] - 389-Directory/1.2.4 B2009.307.1545 starting
 up
 [23/Jan/2010:12:31:42 -0500] - Detected Disorderly Shutdown last time
 Directory Server was running, recovering database.

 Any ideas?


 Thanks.




--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users