[389-users] report script

2022-01-11 Thread Angel Bosch Mora
Hi,

sorry for this dumb question but I've been searching for it and I can't find it 
anywhere.

Where's the script that shows you a report of the most searched objects and other 
performance-related stuff?

I remember using it in my old installations to adjust some indexes but I've 
been playing lately with a lot of different versions and I don't see it in 
/usr/lib/dirsrv/

Thanks for your time,

abosch
-- Institut Mallorqui d'Afers Socials. This message, and any attached file where 
applicable, is addressed exclusively to the person who is its recipient and may 
contain confidential information. Under no circumstances should you copy this 
message or hand it over to third parties without the express permission of the IMAS. 
If you are not the recipient indicated (or the person responsible for delivering it 
to them), we ask that you notify the sender immediately at their e-mail address. 
Before printing this message, consider whether it is really necessary.
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[389-users] Re: fips enabled error

2021-05-17 Thread Angel Bosch Mora
> > is it possible to lower the severity of fips enabled info from ERR
> > to WARN in messages like this?
> Absolutely, changing it now...

wow!

that was truly fast :)

thanks a lot for your time,

abosch




[389-users] fips enabled error

2021-05-17 Thread Angel Bosch Mora
Hi,

is it possible to lower the severity of fips enabled info from ERR to WARN in 
messages like this?

[17/May/2021:10:57:02.753271017 +] - ERR - slapd_system_isFIPS - Can not access /proc/sys/crypto/fips_enabled - assuming FIPS is OFF

it can seem a cosmetic change, but it breaks my monitoring scripts.

thanks in advance,

abosch


[389-users] Re: gecos syntax

2021-05-13 Thread Angel Bosch Mora
> * sanitise the data to be ia5 compliant IE remove accents etc.


I did just that and I leave it here in case anyone is facing the same problem (it's 
a one-liner):

cat original-data.ldif | perl -pe 's,^gecos:.*,`echo -n "$&" | iconv -f utf-8 -t ascii//translit`,gei' > sanitized-data.ldif

on my server with 12656 entries and 456278 lines it takes 26 seconds to 
complete.

as always, thanks for your time.

abosch


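An added example (mine, not the one-liner from the post above): the same transliteration done in Python over an LDIF export, without passing the attribute value through a shell (the one-liner's `e` flag runs a backtick command with the raw value inside it), and also covering the two LDIF forms the one-liner leaves untouched: base64 `gecos::` values, which is how most exporters write non-ASCII, and folded continuation lines. The sample LDIF and the extra-letter map are constructed for this example.

```python
"""Sanitise gecos values in an LDIF export so they pass the IA5 String syntax."""
import base64
import re
import unicodedata

# Letters that NFKD does not decompose to an ASCII base letter (assumed mapping).
_EXTRA = {
    "ß": "ss", "ø": "o", "Ø": "O", "æ": "ae", "Æ": "AE", "œ": "oe", "Œ": "OE",
    "ð": "d", "Ð": "D", "þ": "th", "Þ": "TH", "ł": "l", "Ł": "L", "đ": "d", "Đ": "D",
}


def to_ia5(value: str) -> str:
    """Transliterate a Unicode string to plain ASCII (IA5): 'ÁLBA' -> 'ALBA'."""
    out = []
    for ch in unicodedata.normalize("NFKD", value):
        if unicodedata.combining(ch):          # the accent split off by NFKD: drop it
            continue
        if ord(ch) < 128:
            out.append(ch)
        else:
            out.append(_EXTRA.get(ch, "?"))    # never let a non-ASCII char through
    return "".join(out)


def unfold(lines):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    logical = []
    for line in lines:
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def encode_value(attr: str, value: str) -> str:
    """Write attr: value, or attr:: base64 where LDIF needs it (leading ' ', ':' or '<', control chars)."""
    if value and (value[0] in " :<" or any(c in value for c in "\r\n\x00")):
        return f"{attr}:: {base64.b64encode(value.encode('ascii')).decode('ascii')}"
    return f"{attr}: {value}"


def sanitize_line(line: str, attr: str = "gecos") -> str:
    """Return an unfolded LDIF line with its value transliterated if it is an `attr` line."""
    m = re.match(rf"^({re.escape(attr)})(::?) *(.*)$", line, re.IGNORECASE)
    if not m:
        return line                            # not our attribute: untouched
    name, sep, raw = m.groups()
    if sep == "::":                            # base64 form: decode before transliterating
        value = base64.b64decode(raw).decode("utf-8", errors="replace")
    else:
        value = raw
    return encode_value(name, to_ia5(value))


def sanitize_ldif(text: str, attr: str = "gecos") -> str:
    """Rewrite every `attr` value in an LDIF document to IA5-safe ASCII."""
    return "\n".join(sanitize_line(l, attr) for l in unfold(text.splitlines())) + "\n"


# Constructed sample export (not real data): plain UTF-8, base64 and a folded value.
SAMPLE_LDIF = (
    "dn: uid=agarcia,ou=People,dc=example,dc=com\n"
    "uid: agarcia\n"
    "gecos: ÁLBA GARCÍA LÓPEZ\n"
    "\n"
    "dn: uid=jmuller,ou=People,dc=example,dc=com\n"
    "uid: jmuller\n"
    "gecos:: " + base64.b64encode("JÖRG MÜLLER".encode("utf-8")).decode("ascii") + "\n"
    "\n"
    "dn: uid=mfernandez,ou=People,dc=example,dc=com\n"
    "uid: mfernandez\n"
    "gecos: MARÍA DEL CARMEN\n"
    "  FERNÁNDEZ\n"
)

if __name__ == "__main__":
    # python sanitize_gecos.py < original-data.ldif > sanitized-data.ldif
    import sys
    src = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(sanitize_ldif(src))
```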


[389-users] gecos syntax

2021-05-12 Thread Angel Bosch Mora
I'm testing a migration from 1.2.8 to the latest version and I'm facing a 
problem while importing data:

ldap_add: Invalid syntax (21)
additional info: gecos: value #0 invalid per syntax

I understand that I'm using UTF8 data here (ÁLBA GARCÍA LÓPEZ) so I have two 
questions:

why did old versions allow that data to be filled in if it's against the syntax?

is there any problem if I change syntax from

1.3.6.1.4.1.1466.115.121.1.26

to

1.3.6.1.4.1.1466.115.121.1.15

in my schemas?

thanks in advance,

abosch


[389-users] Re: plugin naming

2021-05-12 Thread Angel Bosch Mora
ok, I understand.

Can I suggest that this form

dsconf myinstance plugin retro-changelog enable

also accept the CN value as the plugin name?

it would be easier than jumping from one syntax to another.

I can open a bug/issue if you want.

best regards,

abosch



- Original Message -
> From: "Marc Sauton" 
> To: "General discussion list for the 389 Directory server project." 
> <389-users@lists.fedoraproject.org>
> Sent: Tuesday, 11 May 2021 19:58:28
> Subject: [389-users] Re: plugin naming
> 
> and that should have:
> https://github.com/389ds/389-ds-base/blob/master/src/lib389/lib389/cli_conf/plugins/retrochangelog.py
> def create_parser(subparsers):
>     retrochangelog = subparsers.add_parser('retro-changelog',
>                                            help='Manage and configure Retro Changelog plugin')
> 
> Thanks,
> Marc S.
> 
> 
> On Tue, May 11, 2021 at 12:51 AM Angel Bosch Mora wrote:
> 
> > > it was likely the right time to have this change.
> > > and not subject to change anytime soon.
> > >
> > > is it possible a 389-ds-base-1.4.0 from before March 2019 still
> > > lurking around?
> > >
> >
> > I'm using debian packages:
> >
> > dpkg -l | grep 389-ds-base
> > ii  389-ds-base             1.4.4.11-1  amd64  389 Directory Server suite - server
> > ii  389-ds-base-libs:amd64  1.4.4.11-1  amd64  389 Directory Server suite - libraries
> >
> >
> > they seem pretty new to me.
> >
> > abosch


[389-users] Re: plugin naming

2021-05-11 Thread Angel Bosch Mora
> it was likely the right time to have this change.
> and not subject to change anytime soon.
> 
> is it possible a 389-ds-base-1.4.0 from before March 2019 still
> lurking around?
>

I'm using debian packages:

dpkg -l | grep 389-ds-base
ii  389-ds-base             1.4.4.11-1  amd64  389 Directory Server suite - server
ii  389-ds-base-libs:amd64  1.4.4.11-1  amd64  389 Directory Server suite - libraries


they seem pretty new to me.

abosch


[389-users] plugin naming

2021-05-10 Thread Angel Bosch Mora
hi,

I vaguely remember discussing this some time ago but I can't find it now.


what's the difference between 

dsconf myinstance plugin set --enabled on "Retro Changelog Plugin"

and

dsconf myinstance plugin retro-changelog enable

?


is any of them going to be deprecated?

I also noticed that the short name is different between versions/distributions 
(retro-changelog vs retrochangelog), so I prefer to use "Retro Changelog 
Plugin" if possible for scripting purposes.
is that the right way to do it?

best regards,

abosch




[389-users] Re: plugin names and debian packages

2021-01-28 Thread Angel Bosch Mora
> >> As sysadmin I create a lot of scripts to install/manage services
> >> and it is confusing having commands that change that often.
> 
> You may find it "more stable" to use lib389 directly rather than the
> CLI then. I think the team should talk about the CLI having an
> "interface guarantee", and today I don't think I personally would
> want to commit to that (but the team hasn't decided on this). I
> still see room to change and grow the CLI in ways that may be
> breaking, but the core of lib389 today seems "pretty stable".
> 


I understand your recommendation but I don't think I'm going to do that, and I 
think I "shouldn't" do that.

my job as sysadmin is installing, managing, maintaining and monitoring, and 
dsconf wrapping is just what I need.
If I have, for example, a command that tells me if a drive is out of space I 
don't expect to change that command over the years on different linux systems 
with different versions.

I understand that 389 is under heavy refactoring these last years, I'm just a 
little bit tired of version conditionals in my recipes (and by the way, I can't 
find an easy method to check the version with dsconf/dsctl, worth a feature 
request?).


so taking my own example I just expect that 'dsconf instance plugin 
retro-changelog enable' is still valid a year/version later.


again, please take my point of view as a frustrated admin with too many tasks 
to do and too few beers to take on my free time (everything is closed right 
now in Mallorca :P)


cheers,

abosch


[389-users] Re: plugin names and debian packages

2021-01-27 Thread Angel Bosch
> Again I think you are looking at the older version of the server.
>  



ok, I understand.

I see that version 2 is already out.
Can I expect additional changes in the dsconf interface or will you try to maintain 
a stable set of parameters?

As sysadmin I create a lot of scripts to install/manage services and it is 
confusing having commands that change that often.

Please take this as a positive criticism :)

abosch




[389-users] Re: plugin names and debian packages

2021-01-27 Thread Angel Bosch
thanks for your response Mark,


I can see that two other options are removed. I used to configure 
retro-changelog like this:

dsconf myinstance plugin retrochangelog set --max-age 2d
dsconf myinstance plugin retrochangelog set --attribute 
nsuniqueid:targetUniqueId

but now it doesn't accept those settings.
what's the correct way to configure that?

abosch



- Original Message -
> From: "Mark Reynolds" 
> To: "General discussion list for the 389 Directory server project." 
> <389-users@lists.fedoraproject.org>, "Angel
> Bosch Mora" 
> Sent: Wednesday, 27 January 2021 14:43:19
> Subject: [389-users] Re: plugin names and debian packages
> 
> Well 1.4.0 is quite old and is no longer maintained/supported. In newer
> versions of 389 it was changed to "retro-changelog".  It probably was
> changed in 1.4.1.
> 
> HTH,
> 
> Mark
> 
> On 1/27/21 5:41 AM, Angel Bosch Mora wrote:
> > hi!
> >
> > I'm testing my install recipes on debian and I've found two little
> > problems.
> >
> > on CentOS I execute
> >   
> >  dsconf myinstance plugin retro-changelog enable
> >
> > but today I tried in debian and it says is an invalid choice:
> >
> >  dsconf instance plugin: error: invalid choice:
> >  'retro-changelog' (choose from 'memberof', 'automember',
> >  'referint', 'rootdn', 'usn', 'accountpolicy', 'attruniq',
> >  'dna', 'linkedattr', 'managedentries', 'passthroughauth',
> >  'retrochangelog', 'whoami', 'list', 'get', 'edit')
> >
> >
> > So retro-changelog is called now retrochangelog.
> >
> > Is that a Debian thing or did it change its name in a recent version?
> >
> >
> > In addition I executed the command with the new name and it gives
> > me a message without a correct variable.
> >
> >
> >  dsconf myinstance plugin retrochangelog enable
> >  Enabled plugin '%s' Retro Changelog Plugin
> >
> >  dsconf myinstance plugin retrochangelog status
> >  Plugin '%s' is enabled Retro Changelog Plugin
> >
> > it seems a cosmetic error but I just want to be sure if I need to
> > open a bug.
> >
> > here are the version of the packages:
> >
> > dpkg -l | grep 389
> > ii  389-ds-base               1.4.0.21-1  amd64  389 Directory Server suite - server
> > ii  389-ds-base-legacy-tools  1.4.0.21-1  amd64  Legacy utilities for 389 Directory Server
> > ii  389-ds-base-libs:amd64    1.4.0.21-1  amd64  389 Directory Server suite - libraries
> > ii  python3-lib389            1.4.0.21-1  all    Python3 module for accessing and configuring the 389 Directory Server
> >
> >
> > thanks in advance,
> >
> > abosch
> 
> --
> 
> 389 Directory Server Development Team


[389-users] plugin names and debian packages

2021-01-27 Thread Angel Bosch Mora
hi!

I'm testing my install recipes on debian and I've found two little problems.

on CentOS I execute
 
dsconf myinstance plugin retro-changelog enable

but today I tried in debian and it says it is an invalid choice:

dsconf instance plugin: error: invalid choice: 'retro-changelog' (choose 
from 'memberof', 'automember', 'referint', 'rootdn', 'usn', 'accountpolicy', 
'attruniq', 'dna', 'linkedattr', 'managedentries', 'passthroughauth', 
'retrochangelog', 'whoami', 'list', 'get', 'edit')


So retro-changelog is called now retrochangelog.

Is that a Debian thing or did it change its name in a recent version?


In addition I executed the command with the new name and it gives me a message 
without a correct variable.


dsconf myinstance plugin retrochangelog enable
Enabled plugin '%s' Retro Changelog Plugin

dsconf myinstance plugin retrochangelog status
Plugin '%s' is enabled Retro Changelog Plugin

it seems a cosmetic error but I just want to be sure if I need to open a bug.

here are the version of the packages:

dpkg -l | grep 389
ii  389-ds-base               1.4.0.21-1  amd64  389 Directory Server suite - server
ii  389-ds-base-legacy-tools  1.4.0.21-1  amd64  Legacy utilities for 389 Directory Server
ii  389-ds-base-libs:amd64    1.4.0.21-1  amd64  389 Directory Server suite - libraries
ii  python3-lib389            1.4.0.21-1  all    Python3 module for accessing and configuring the 389 Directory Server


thanks in advance,

abosch


[389-users] Re: impact of the CentOS Stream drama

2021-01-11 Thread Angel Bosch Mora
> The 'core team' does not have much involvement in the debian 389-ds
> packaging process, but the debian maintainer has always been
> responsive and done a great job from what I am able to observe. I
> would expect there to be "very little" difference between debian and
> centos 389-ds packages.
> 
> Additionally, you could also consider opensuse leap and/or suse linux
> enterprise if you want paid support (disclosure - I work for suse
> and am paid to maintain 389-ds in those distributions).
>

thanks a lot for your detailed response.

I'm more of a Debian guy but I'm willing to test opensuse.

best regards,

abosch


[389-users] impact of the CentOS Stream drama

2021-01-08 Thread Angel Bosch Mora
hi,

I'm not sure if this has been discussed here.

Will this project be impacted in some way by the CentOS decision?

I'm about to start a new setup and I wanted to use CentOS, but now I'm thinking 
about Debian.
In that regard, is there any difference between Debian packages and CentOS ones?

thanks in advance,

abosch


[389-users] Re: unattended request cert process

2020-12-02 Thread Angel Bosch Mora
> depending on your version of 389, look at "dsctl  tls
> import-ca"
> 
> {william@ldapkdc 9:12} ~/development $ dsctl localhost tls import-ca
> --help
> usage: dsctl [instance] tls import-ca [-h] cert_path nickname
> 
> positional arguments:
>   cert_path   The path to the x509 cert to import as a server CA
>   nicknameThe name of the certificate once imported
> 
> optional arguments:
>   -h, --help  show this help message and exit
> 
> This allows you to import a PEM  CA file. There are a number of other
> helpers under the tls subcommand to make cert management easier.
>


all this is pretty new, right?

I can't recall reading this last time I checked docs.

anyway, my main problem is that to deploy a node in a truly unattended mode it 
shouldn't pause at the CSR request and continue when the CA signs the certificates, 
so I'm trying to have some preconfigured cert databases and signed certs.

If there's no way to do that, I can't dynamically create and destroy nodes.

the other option is letting the load balancer handle encryption, but the official 
docs are very aggressive against that option. I wonder if I should ignore that 
recommendation and encrypt at the LB level.
any hints?

abosch


[389-users] unattended request cert process

2020-12-01 Thread Angel Bosch Mora
hi,

some time ago I asked for a scriptable way of creating a certificate request, 
here's the thread:

https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/EHWWAHOO3S2HZEWJEXTQKDDRH33NLSMU/#HF7ZPVLMUK32AIEEWPEOLUJGZFXXRCEK

I didn't have the time to write anything and I would like to invest some time 
now.

the goal is to create an unattended script for node creation INCLUDING 
certification with an external CA.


I'm thinking about having several precreated certificate databases and downloading 
them to the nodes.
something like:

openssl rand -base64 16 > pwfile.txt && certutil -N -d . -f pwfile.txt

in several nodes and then scp/wget them to each node.
also, do all the CSRs beforehand, already signed with our CA, so I will have a 
repo of cert databases like:


nss/ca_root.crt
nss/ldap10
nss/ldap10/cert9.db
nss/ldap10/key4.db
nss/ldap10/ldap10.example.com.crt
nss/ldap10/pkcs11.txt
nss/ldap10/pwfile.txt
nss/ldap11
nss/ldap11/cert9.db
nss/ldap11/key4.db
nss/ldap11/ldap11.example.com.crt
nss/ldap11/pkcs11.txt
nss/ldap11/pwfile.txt
nss/ldap12
nss/ldap12/cert9.db
nss/ldap12/key4.db
nss/ldap12/ldap12.example.com.crt
nss/ldap12/pkcs11.txt
nss/ldap12/pwfile.txt
nss/ldap13
nss/ldap13/cert9.db
nss/ldap13/key4.db
nss/ldap13/ldap13.example.com.crt
nss/ldap13/pkcs11.txt
nss/ldap13/pwfile.txt
nss/ldap14
nss/ldap14/cert9.db
nss/ldap14/key4.db
nss/ldap14/ldap14.example.com.crt
nss/ldap14/pkcs11.txt
nss/ldap14/pwfile.txt
nss/ldap15
nss/ldap15/cert9.db
nss/ldap15/key4.db
nss/ldap15/ldap15.example.com.crt
nss/ldap15/pkcs11.txt
nss/ldap15/pwfile.txt


this step is the only one remaining on my recipe of unattended container 
creation, so any help will be really appreciated.



best regards,

abosch




[389-users] Re: precreation nss databases

2019-06-18 Thread Angel Bosch Mora
> The feature doesn't exist yet, so if you write a PEM -> NSS tool, the
> project would love to accept it to our source code. It's been
> something I have wanted for a while, and recently I have been
> thinking with containers I should more seriously develop it, but if
> you wanted to add this, we would review and help you achieve it :)
>

ok, I can try to do my best.
The thing is I mostly use bash for my scripts with a little python here and 
there, but I can try to write a helper and see if it works.

abosch


[389-users] Re: precreation nss databases

2019-06-18 Thread Angel Bosch
> However, be mindful that the if you use attribute encryption, this
> value is stored in the key3.db, and replacement of this file WILL
> destroy your access to your own database! IE if you plan to use this
> strategy, you MUST NOT use attribute encryption at the same time.
>

I'll take that into account.


 
> A better process could be to have a systemd drop in file that on
> "start" takes .PEM files and turns them into the nss db, OR loads
> them into the existing NSS db. This would be useful upstream too, so
> maybe that's a better strategy, and of course, tools for PEM
> management are much better from a sys admin view. Would this be a
> cleaner approach do you think?
>


do you have any docs about this process?
I'm not really sure if I understand you when you say "This would be useful 
upstream too", can you elaborate?


abosch


[389-users] precreation nss databases

2019-06-17 Thread Angel Bosch
hi,

I'm still evaluating some options to secure dynamic nodes and I have some 
questions regarding certutil and nss databases:


Can I create NSS databases on any directory/server and then move files to 
"/etc/dirsrv/slapd-instance_name" ?

If cert8.db and key3.db files are found in that directory are they used 
automatically by slapd process on reboot?


If both answers are affirmative I'll try to script it and hook it within my 
node creation flow.
is there any other detail I should take care of with this approach?


thanks,

abosch






[389-users] syncrepl client

2019-05-28 Thread Angel Bosch Mora
Hi,

I'm performing some tests and would like to configure a syncrepl client like 
this one:

https://github.com/landryb/syncrepl

but I can't find useful information. For example, in this project there's a 
demo script that says about the URL argument:

'An LDAP URL with all information required to do work.'

but I'm not sure what it is expecting besides the fqdn and port: a filter? a 
basedn? both?

According to docs 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/content-synchronization

you can do some exclusion and filtering on the server side, so I don't really know 
what I must configure on the client side.

does anyone have any working example of a syncrepl client?

thanks in advance,

abosch




[389-users] Re: SSL configuration on dynamic deployments

2019-05-24 Thread Angel Bosch Mora
> So your 4 write servers are in mmr. Then you have 2 -> N read-onlys
> as well which scale up and down.
> 
> Do you plan to have ldap.example.com point to the IP's of the
> read-onlys directly? Or to a load balancer?
> 

yes, we already got that.


> If this was me, just because of the scaling requirements, I would
> actually recommend TLS termination on the load balancer, then ldap
> plaintext to the 2 -> N consumers (or ldaps to the consumers where
> the LB trusts the CA that signed the readonlies. IE:
> 
> 
> Client -- TLS connection 1 --> [ LB ] -- TLS Connection 2 -->
> [READ_ONLIES]
> 
> TLS connection 1 is presented by the LB, which offers a valid cert/ca
> chain. The LB then would re-encrypt but trusting the CA of tls
> connection 2 which is a self signed to the read_onlies.
> 

OK, I'll try with this approach.


> Another main point here is you'll need to automate that when a
> read-only is scaled up (added), you'll need to automate the addition
> of the replication agreements to the write servers + conduct a full
> reinit on first start.
>

I'm working on that, as you can see from my previous posts, I'm developing our 
custom MMR script to automate everything.


 
> Does that help?
>

Indeed. Thanks a lot for your time,

abosch



[389-users] acis in 99user.ldif and target on subtree

2019-05-23 Thread Angel Bosch Mora
Hi!

two more questions:

1- when migrating should I take care about ACIs in 99user.ldif? right now there 
are four entries:

aci: (target="ldap:///cn=schema;)(targetattr !="aci")(version 3.0;acl 
"anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone;;)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; 
allow (all) groupdn="ldap:///cn=Configuration 
Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow 
(all) 
userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot;;)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = 
"ldap:///cn=slapd-hhh-ng,cn=389 Directory Server,cn=Server 
Group,cn=xx.yy.net,ou=xx.net,o=NetscapeRoot";)
modifiersname: cn=directory manager
modifytimestamp: 20101105155413Z

but I never did those.


2- is it mandatory to specify target when setting an ACI in a subtree?




best regards,

abosch


[389-users] keeping internal attributes on export/import

2019-05-23 Thread Angel Bosch Mora
hi!

quick question: is there any reason to keep modifyTimestamp, modifiersName, 
createTimestamp, and creatorsName when reimporting on a migration?


abosch



[389-users] Re: SSL configuration on dynamic deployments

2019-05-23 Thread Angel Bosch Mora
> I think to answer this, I'd like to see a diagram or description of
> the network and deployment topology you have in mind to help advise
> for what you want to achieve here :)
>

It's really very simple. Think of it like the typical MMR with 4 nodes:

https://i.imgur.com/DY8aSAo.png

but the number of consumers can go from 2 to N.

all consumers are read only and we have a generic FQDN pointing to them: 
ldap.example.com

and writable suppliers got their FQDN too: ldapw.example.com

is that enough for you?

abosch
 


[389-users] SSL configuration on dynamic deployments

2019-05-22 Thread Angel Bosch
Hi again,


continuing with my automation I'm facing now the problem of SSL configuration.

Using certificates at LB level is not recommended according to 
https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
sharing keys is also discouraged, so my question is if there is a way to 
prepopulate the NSS database with a predefined cert to fast deploy an instance.

In my planned setup I'll have 2 masters and 2 to 10 slaves/consumers (maybe 
more).
It will be extremely rare to stop or reinstall masters, but with consumers I 
want the flexibility to create and destroy them at any moment.

Is there any best practice here?

abosch





[389-users] Re: referral on update equivalent with dsconf

2019-05-22 Thread Angel Bosch
replying to myself to clarify the original doubt:

executing something like this on master1 machine:

dsconf master1 repl-agmt create --suffix dc=global --host slave1.example.net 
--port 389 --conn-protocol LDAP --bind-dn cn=repmanager,cn=config --bind-passwd 
 --bind-method SIMPLE  master1-to-slave1

will create replication agreement as described in 15.2.4. of official docs AND 
will modify nsslapd-state and nsslapd-referral on slave1 as described in 
15.2.2. so you don't need to manually perform that last step on consumers.



and I would like to note too that enabling replication with dsconf will also 
create replication manager if you specify --bind-passwd so you save an extra 
step.
the command should be something like this:

dsconf master1 replication enable --suffix dc=global --role master --replica-id 
666 --bind-dn "cn=repmanager,cn=config" --bind-passwd YYY


I'll leave all this here just in case any other script lover needs to modify 
their recipes.


good job!

abosch

----- Original message -----
> From: "Angel Bosch"
> To: "General discussion list for the 389 Directory server project."
> <389-users@lists.fedoraproject.org>
> Sent: Wednesday, 22 May 2019 9:32:30
> Subject: [389-users] Re: referral on update equivalent with dsconf
> 
> > which is why the cli tools were misleading you here sadly. I think
> > we as a team, need to review and understand what happened here to
> > cause them to mislead a person about their function. :(
> > 
> > Sorry that this confusion occured. Does my answer help?
> >
> 
> sure! your answers are always very deep and insightful.
> 
> for me the main problem is that new DS 1.4 is right here but docs are
> still about 1.3 and I'm trying to translate my scripts and recipes.
> 
> I was using some kind of old wrappers to install, configure and
> launch my instances and I'm struggling with new tools.
> 
> that being said, I love those new tools! they may need some polishing
> but dsconf and dsctl are awesome!
> 
> keep it this way guys!
> 
> 
> abosch


[389-users] Re: referral on update equivalent with dsconf

2019-05-22 Thread Angel Bosch
> which is why the cli tools were misleading you here sadly. I think
> we as a team, need to review and understand what happened here to
> cause them to mislead a person about their function. :(
> 
> Sorry that this confusion occured. Does my answer help?
>

sure! your answers are always very deep and insightful.

for me the main problem is that new DS 1.4 is right here but docs are still 
about 1.3 and I'm trying to translate my scripts and recipes.

I was using some kind of old wrappers to install, configure and launch my 
instances and I'm struggling with new tools.

that being said, I love those new tools! they may need some polishing but 
dsconf and dsctl are awesome!

keep it this way guys!


abosch


[389-users] keeping nsDS5ReplicaBindDN on manager deletion

2019-05-21 Thread Angel Bosch Mora
I'm testing this new command:

dsconf instance replication create-manager

and when I create a new manager I can see a new nsDS5ReplicaBindDN on the 
replica entry. 
but when I remove the manager with "delete-manager" the nsDS5ReplicaBindDN is 
not removed.

is there a reason for that? why do I need to maintain an old manager entry? 
should I file a bug?


regards,

abosch


[389-users] referral on update equivalent with dsconf

2019-05-21 Thread Angel Bosch Mora
Hi,

is this new command:

dsconf instance replication set --suffix "dc=example,dc=net" --repl-add-ref 
master1.example.net


the same as this modification?

REF_LDIF="dn: cn=dc\=example\,dc\=net,cn=mapping tree,cn=config
changetype: modify
replace: nsslapd-referral
nsslapd-referral: ldap://master1.example.net:389/dc\=example\,dc\=net
-
replace: nsslapd-state
nsslapd-state: referral on update
"

echo "$REF_LDIF" | ldapmodify -h "$HOST" -x -D "$ROOT_DN" -w "$ROOT_PASS"

I'm trying to follow all docs 
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd

but with new tools, and I'm struggling with some commands.

regards,

abosch







[389-users] Re: configuring nsslapd-referral with virtual host

2019-05-15 Thread Angel Bosch
> Do you have load balancers in here at all? Or is it just directly
> accessible servers? What does the TLS termination?
>

yes, we use LB and VIPs to avoid any failure.


> If you have load balancers/VIP involved, you should set the
> nsslapd-referral to the hostname of the load balancer/VIP, rather
> than to individual servers, and all certs must have the SAN for the
> LB/VIP in them.
> 
> Does that help?
>

absolutely, thanks for your time.

abosch


[389-users] configuring nsslapd-referral with virtual host

2019-05-14 Thread Angel Bosch Mora
hi!


I'm creating my own MMR script and I would like to know if there's any 
limitation with the FQDN used in nsslapd-referral as stated in 

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-configuring-replication-cmd#Configuring-Replication-Consumers-cmd

we use a virtual IP/hostname for consumer readonly servers (ldapr.example.com) 
and another one for suppliers writable servers (ldapw.example.com).

we configure certs using the -8 parameter with additional hostnames so clients don't 
complain about a name mismatch, but I'm not sure if we can find any other problem 
configuring nsslapd-referral with this virtual name instead of the real hostname.


any advice?


abosch




[389-users] Re: docs for 1.4

2019-05-02 Thread Angel Bosch Mora
> If you have a specific question though, I’d be happy to help!
>

I'm glad you offered :)

these are the attributes I'm currently using:

cn:
description:
displayName::
dn:
employeeNumber:
gecos:
gidNumber:
homeDirectory:
loginShell:
mail:
manager:
member:
memberOf:
objectClass:
petraSshPublicKey:
printer-make-and-model:
printer-more-info:
printer-uri:
sambaAcctFlags:
sambaNTPassword:
sambaPasswordHistory:
sambaPwdLastSet:
sambaSID:
shadowInactive:
shadowLastChange:
shadowMax:
shadowWarning:
sn:
uid:
uidNumber:


I want to change ACIs from the old behaviour to a whitelist approach.
Should I include objectClass in the ACIs?

Do I need to create a deny-all as last ACI so everything that is not allowed 
gets denied?

In your blog you talk about a toolset to test ACIs, is that tool published 
somewhere?

best regards,

abosch



 


[389-users] docs for 1.4

2019-04-30 Thread Angel Bosch Mora
hi!

is there a way to access documentation for upcoming 1.4 release?

I would like to see specifically changes in ACIs as stated in this thread:

https://lists.fedorahosted.org/archives/list/389-users@lists.fedoraproject.org/thread/PG5QXDAI2OI4YVIEIDG6QCFIANQPBTSJ/



thanks in advance,

abosch


[389-users] Re: creating root suffix from cockpit

2019-03-22 Thread Angel Bosch
> I am actually working on the UI right now, what exactly would you
> like
> in the UI?  Is creating "sample entries" sufficient for your needs,
> or
> do you actually need just a basic root node entry created?  Adding an
> option to create the root node is trivial, but I want to confirm what
> you are really looking for.
>

for me a basic root entry (with its related database) is enough. I will 
import my own LDIF later, so maybe I could use the option to create it with 
dscreate.
Somehow I missed/forgot that option. 


thanks for your time Mark, I'm really looking forward to migrating my old 389 
setup.

best regards,

abosch


[389-users] creating root suffix from cockpit

2019-03-21 Thread Angel Bosch Mora
Hi,

I asked a broad question here:

https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/thread/7G2Y2ZYBYB7JNOCMIGV5WQMYDAWSD6VM/

but I would like to know specifically if root suffix can be created with 
cockpit.

thanks,

abosch



[389-users] Re: ACI to allow group to access one attribute

2018-03-05 Thread Angel Bosch
> I need to see the aci's on your server to help more. Can you please
> send me (either to the list, or directly to my email) the output of:
> 
> ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -w -H
> ldaps:// '(aci=*)' aci
> 
> That well help me answer the question as to what is causing this
> attribute to be readable,


William was kind enough to answer me directly.


> # /usr/lib/mozldap/ldapsearch -D 'cn=Directory Manager' -j
> /etc/.ldap.secret -b 'dc=global' '(aci=*)' aci
> version: 1
> dn: dc=global
> aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous
> access"; allo
>  w (read, search, compare)userdn = "ldap:///anyone;

See this '!=' in targetattr? This doesn't mean "exclude userPassword
from searches"; it means "take the set of every attribute that exists in
the server, and allow search on ALL of them EXCEPT userPassword". This
aci is a huge security risk because you are disclosing ALL attribute
states.

It's better to have a super long list of attributes here that you trust
to be read. In the next version of Directory Server we fix these
default attributes to have sane content.

> aci: (targetattr != "nsroledn||aci")(version 3.0; acl "Allow self
> entry modifi
>  cation except for nsroledn and aci attributes"; allow (write)userdn
> ="ldap:/
>  //self"

Again, the same effect here, but this time this allows a user to "self
write any attribute that exists EXCEPT these two", which again has huge
security risks, because now they can self edit objectClass, add a
container type, child entries. They can edit the nsadminlimits, or
more. So again, this needs to be a "targetattr = " list of what you
WANT to allow self write to. 

> aci: (targetattr = "*")(version 3.0; acl "Configuration
> Adminstrator"; allow (
>  all) userdn =
> "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=N
>  etscapeRoot"
> aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators
> Group";al
>  low (all) (groupdn = "ldap:///cn=Configuration Administrators,
> ou=Groups, ou
>  =TopologyManagement, o=NetscapeRoot")
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow
> (all)groupdn = "ld
>  ap:///dc=global"

These three are probably okay, because you expect these members to be
able to change everything arbitrarily. 



I would like to note that all those acis were defined by default during
installation and initial configuration of 389; I didn't add anything manually.
I understand now that it is a lot better to have an explicit list of allowed
attributes than a negative blacklist.
If I get it correctly this is a huge security problem and I've seen a lot of ldap
servers configured this way.

thanks again for your time, William.


abosch





___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
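To make the point about '!=' concrete, here is an added Python example (not code from 389 DS or from the thread) that computes which attributes a targetattr clause actually covers, for the two default ACIs quoted above and for explicit-list replacements. The attribute inventory is a constructed sample, and only the targetattr keyword is modelled.

```python
"""Compute what a 389 DS ACI's targetattr clause actually covers.

Added example; not code from 389 DS or from the list. It models only the
targetattr keyword: the "=" / "!=" operator, "||"-separated attribute names
and the "*" wildcard.
"""
import re
from typing import Iterable, Set, Tuple

# Constructed sample: attributes the server "knows" (schema plus data). A real
# server has hundreds, including operational ones such as nsroledn or aci.
SERVER_ATTRIBUTES = {
    "cn", "sn", "uid", "mail", "telephoneNumber", "userPassword",
    "objectClass", "nsroledn", "aci", "passwordHistory", "employeeNumber",
}

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)


def parse_targetattr(aci: str) -> Tuple[str, Set[str]]:
    """Return (operator, lower-cased attribute names) from the targetattr clause."""
    m = _TARGETATTR.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause: %r" % aci)
    names = {n.strip().lower() for n in m.group(2).split("||") if n.strip()}
    return m.group(1), names


def targeted_attributes(aci: str, server_attrs: Iterable[str]) -> Set[str]:
    """Attributes the ACI applies to, given every attribute the server has.

    "!=" does not mean "exclude these"; it means "every attribute the server
    has, except these", so the result grows whenever the server gains a new
    attribute. "=" with an explicit list stays fixed.
    """
    op, names = parse_targetattr(aci)
    known = {a.lower() for a in server_attrs}
    if op == "=":
        return set(known) if "*" in names else names & known
    return known - names


def exposure_after_schema_change(aci: str, server_attrs: Iterable[str],
                                 new_attrs: Iterable[str]) -> Set[str]:
    """Attributes the ACI newly covers once new_attrs are added to the server."""
    before = targeted_attributes(aci, server_attrs)
    after = targeted_attributes(aci, set(server_attrs) | set(new_attrs))
    return after - before


# The two default ACIs quoted in the thread (line wrapping removed), and
# explicit-list replacements in the spirit of the advice given there.
ANON_DEFAULT = ('(targetattr != "userPassword")(version 3.0; acl "Anonymous '
                'access"; allow (read, search, compare) userdn = "ldap:///anyone";)')
SELF_DEFAULT = ('(targetattr != "nsroledn||aci")(version 3.0; acl "Allow self '
                'entry modification except for nsroledn and aci attributes"; '
                'allow (write) userdn = "ldap:///self";)')
ANON_EXPLICIT = ('(targetattr = "cn||sn||uid||mail")(version 3.0; acl '
                 '"Anonymous access"; allow (read, search, compare) '
                 'userdn = "ldap:///anyone";)')
SELF_EXPLICIT = ('(targetattr = "mail||telephoneNumber||userPassword")'
                 '(version 3.0; acl "Self write"; allow (write) '
                 'userdn = "ldap:///self";)')


if __name__ == "__main__":
    for label, aci in [("anonymous read (default)", ANON_DEFAULT),
                       ("anonymous read (explicit)", ANON_EXPLICIT),
                       ("self write (default)", SELF_DEFAULT),
                       ("self write (explicit)", SELF_EXPLICIT)]:
        print("%-28s %s" % (label, sorted(targeted_attributes(aci, SERVER_ATTRIBUTES))))
    # An attribute added later by a schema extension is silently covered by
    # the "!=" ACI, but not by the explicit-list one.
    print("newly covered by the default ACI:",
          exposure_after_schema_change(ANON_DEFAULT, SERVER_ATTRIBUTES, {"ssn"}))
    print("newly covered by the explicit ACI:",
          exposure_after_schema_change(ANON_EXPLICIT, SERVER_ATTRIBUTES, {"ssn"}))
```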


[389-users] Re: 389ds on lxc debian

2018-02-01 Thread Angel Bosch Mora
Thanks for this detailed explanation.
What time frame are we talking about here?
1 year? 1 month?
I'm evaluating an update/migration from my 1.2 installation and I don't mind
waiting a little bit.


> As for today, the best advice I can give is use setup-ds.pl without
> the
> admin tools, and just manage the server from the cli via dse.ldif.
> It's
> not pretty sadly.
>

It's ok, I love working from the cli

best regards,

abosch
-- Institut Mallorquí d'Afers Socials. This message, and any attached file, is
addressed exclusively to the person who is its recipient and may contain
confidential information. In no case should you copy this message or pass it on
to third parties without the express permission of the IMAS. If you are not the
intended recipient (or the person responsible for delivering it to them), please
notify the sender immediately at their e-mail address.
-- Before printing this message, consider whether it is really necessary.


[389-users] Re: 389ds on lxc debian

2018-02-01 Thread Angel Bosch Mora
> There are a number of users of 389-ds with lxc, just not with the
> admin
> console that I am aware of.
> 

ok so it's just the admin console that can't be installed on lxc.

is there any work being done on this matter? should I file a bug?

abosch


[389-users] 389ds on lxc debian

2018-01-30 Thread Angel Bosch Mora
hi,

I'm trying to install the 1.1.43-1+b1 package on lxc with debian 9 and I get this
error:


invoke-rc.d: initscript dirsrv-admin, action "start" failed.
● dirsrv-admin.service - 389 Administration Server.
   Loaded: loaded (/lib/systemd/system/dirsrv-admin.service; disabled; vendor 
preset: enabled)
   Active: failed (Result: exit-code) since Tue 2018-01-30 12:32:36 CET; 6ms ago
  Process: 15226 ExecStart=/usr/sbin/apache2 -k start -f 
/etc/dirsrv/admin-serv/httpd.conf (code=exited, status=1/FAILURE)

gen 30 12:32:35 Jafar systemd[1]: dirsrv-admin.service: Failed to reset 
devices.list: Operation not permitted
gen 30 12:32:35 Jafar systemd[1]: Starting 389 Administration Server
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Control process exited, 
code=exited status=1
gen 30 12:32:36 Jafar systemd[1]: Failed to start 389 Administration Server..
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Unit entered failed 
state.
gen 30 12:32:36 Jafar systemd[1]: dirsrv-admin.service: Failed with result 
'exit-code'.


it seems to be a problem with lxc privileges.

is there anyone running 389 with lxc?

regards,

abosch


[389-users] Re: How to Restrict user authentication per application?

2016-11-22 Thread Angel Bosch
Some people already said this, but I just want to give my 2c.


> - Some application are not using filters along with bind, to control
> user login - for some reasons (e.g. not having the capability, are
> not designed to get user list, or they do not have need to keep
> things about Users, or you can't count on applications be reliable
> in accessing the directory correctly but you need control things
> centrally)
>

It's not the job of 389DS to solve architecture flaws or badly designed apps.
If an app doesn't have any AUTHORISATION capabilities, either you put a proxy in
front and let only the proxy access the app directly, or you can't really
filter who can log in.
Any modern network-oriented app has some kind of authorisation, so we're
probably talking about legacy or niche apps.


> - LDAP Should be able to protect itself, and have more mature
> policies in Access Control, even for bind operation. For example;
> Think of an environment which a system or application is
> compromised, or has malware, or something like those. In that
> situation we should be able to protect directory with at least bind
> operation ACL, and if possible with more mature access policies.
>

You can say that about any database-oriented app; if mysql/oracle/postgres is
compromised, I don't think authorisation is the biggest of your problems.


And in general I think it's a bad idea to transfer app logic to the
directory/database. From my experience you lose control with little benefit.
Maybe you should take a look at CAS or OpenAM to address those problems.


abosch


Re: [389-users] DB account master integrated with LDAP

2015-11-04 Thread Angel Bosch
This is more related to architecture than to LDAP itself, and it is exactly what
I've been doing in my current position.

You have to decide which of your user directories will be the main one. In our
case it was the HR app, which imposed an Oracle solution. With SQL triggers we
create the user in our LDAP and then the rest of our apps rely only on LDAP
queries.

We also have several tasks to sync systems without a direct LDAP connection,
like old MySQL-based apps. These scheduled tasks (usually running at night)
dump the entire directory, check for updates and modify the destination system.

If you need more details about some specific task don't hesitate to ask.

abosch 

- Original message -
> From: "Andy Spooner" 
> To: 389-users@lists.fedoraproject.org
> Sent: Tuesday, 3 November 2015 19:32:44
> Subject: [389-users] DB account master integrated with LDAP
> 
> 
> 
> I am using ldap to share user account information across two
> applications. Is it possible to using 'Application 1' as the central
> reference instead of the LDAP server? E.g. Application 1’ holds and
> maintains account information, which updates ldap periodically.
> 'Application 2' will look up LDAP for account informations.
> 'Application 1’ is the main system and will hold millions of
> accounts which would operate quicker from the DB without having to
> refer to LDAP for usernames, passwords, etc. ‘Application2’ will
> require a small subset of users to logon using credentials of users
> in the master database – which can be done via LDAP.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Question RE: 389DS

2015-10-08 Thread Angel Bosch
> When SSL-enabling the directory server, am I allowed to use a
> wildcard certificate or is it mandatory the certificate include the
> FQHN?
>

the certificate should always contain the FQDN but you can use the alternate 
extension that allows you to specify multiple names.

this is what I use for my setups:

certutil -R -s "CN=domssm1.xxx.net,OU=aa,O=bb,L=cc,ST=dd,C=dd" -o 
domssm1.csr -d . -a -8 domssm1.xxx.net,ldap.xxx.net,ldap-write.xxx.net


hope that helps,

abosch


[389-users] selinux problem with centos 7.1

2015-04-17 Thread Angel Bosch
hi,

I'm having problems installing a new test environment on centos 7.1

when I execute setup-ds-admin.pl I get this message:

Adding port 389 to selinux policy failed - ValueError: SELinux policy is 
not managed or store cannot be accessed.

I've tried with --debug and it keeps retrying every 5 seconds with same message.

# lsb_release -a
LSB Version::core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description:CentOS Linux release 7.1.1503 (Core) 
Release:7.1.1503
Codename:   Core


# sestatus 
SELinux status: disabled


the only irregular thing is that I'm using an openvz container, but I have
plenty of other DS inside openvz without any problems.

I managed to continue with the installation with a very dirty hack: I modified
the DSCreate.pm script and added a return at the beginning of the
updateSelinuxPolicy sub:



sub updateSelinuxPolicy {
    my $inf = shift;
    return 0;   # added: skip the SELinux policy update entirely
    # ... the rest of the original sub is left unchanged below




Did anyone get this same problem?

abosch



Re: [389-users] selinux problem with centos 7.1

2015-04-17 Thread Angel Bosch
 I went through this with Mageia. You either need to enable selinux
 (permissive) or compile 389-ds
 without selinux.
 

do you mean I won't be able to execute it without selinux?

or is just the installer?

abosch

Re: [389-users] stable packages for Centos 7

2014-10-20 Thread Angel Bosch
Can someone shed some light on this issue?

I'm getting some pressure from my direct bosses and I need all the info I can get to
evaluate our DS environment for next year.

thanks in advance.

abosch



- Original message -
 From: Angel Bosch abo...@ticmallorca.net
 To: 389-users@lists.fedoraproject.org
 Sent: Tuesday, 23 September 2014 13:05:33
 Subject: stable packages for Centos 7
 
 hi,
 
 I'm planning to migrate some of my servers to the 1.3 branch and I don't
 know what packages to use.
 
 I've found packages from mreynolds:
 http://copr.fedoraproject.org/coprs/mreynolds/389-ds-base/
 
 and dfas: http://copr.fedoraproject.org/coprs/dfas/389-ds-dfas/
 
 
 The first one seems to be a nightly and I would like to maintain a stable
 install. Should I use dfas?
 
 By the way, is the policy-packages situation going to be solved
 anytime? I find it very confusing having to deal with several repos to
 get a full installation of 389 DS, and I thought this splitting thing
 was temporary just for EL6.
 
 thanks for your time,
 
 abosch
 
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

[389-users] stable packages for Centos 7

2014-09-23 Thread Angel Bosch
hi,

I'm planning to migrate some of my servers to the 1.3 branch and I don't know what
packages to use.

I've found packages from mreynolds:
http://copr.fedoraproject.org/coprs/mreynolds/389-ds-base/

and dfas: http://copr.fedoraproject.org/coprs/dfas/389-ds-dfas/


The first one seems to be a nightly and I would like to maintain a stable install.
Should I use dfas?

By the way, is the policy-packages situation going to be solved anytime? I
find it very confusing having to deal with several repos to get a full
installation of 389 DS, and I thought this splitting thing was temporary just for
EL6.

thanks for your time,

abosch


Re: [389-users] Start TLS request accepted. Server willing to negotiate SSL

2011-10-04 Thread Angel Bosch Mora
It's not the same

/etc/ldap.conf

as

/etc/openldap/ldap.conf

It seems that you're missing the second one.

While attempting to change a directory password I keep getting this message...

[root@xxx ~]# ldappasswd -x -ZZ -D cn=directory manager -w "mypass"
uid=se253264,ou=people,dc=xxx,dc=cle=dc=us -a oldpass -s newpass

ldap_start_tls: Connect error (-11)
additional info: Start TLS request accepted.Server willing to negotiate SSL.

In researching this I found to add -d1 for additional debugging information and
found this probably relevant

TLS: could not load client CA list
(file:`',dir:`/etc/openldap/cacerts/cacert.asc').
TLS: error:0200A014:system library:opendir:Not a directory ssl_cert.c:816
TLS: error:140D7002:SSL routines:SSL_add_dir_cert_subjects_to_stack:system lib
ssl_cert.c:818
ldap_perror

I do have the following in my /etc/ldap.conf file

ssl yes
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT allow
pam_password exop

And the cacert.asc does exist in that directory. This is the cacert.asc that
was created during setup of this machine using the setupssl.sh script and I
copied it to the requested directory. I am not seeing anything additional on
the HowtoSSL page and realize that TLS is necessary for the password change
function.

Thanks for any help you may have. I am also under the impression I am supposed
to copy the cacert.asc to each client machine so they can authenticate against
the cert. Is this true also?

David Hoskinson | DATATRAK International
Systems Engineer
Mayfield Heights, Ohio, USA
+1.440.443.0082 x 124 (p) | +1.216.280.5457 (m)
david.hoskin...@datatrak.net | www.datatrak.net



Re: [389-users] Problem with samba and 389 Directory server with LDAPS

2011-09-29 Thread Angel Bosch Mora
you have two server certificates with almost the same name. be careful about that.

you can inspect details with 

 certutil -d /etc/dirsrv/slapd-xxx01 -L -n server-cert 


and 


 certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-cert


or use it with a simple pipe to check Alt Names:

 certutil -d /etc/dirsrv/slapd-xxx01 -L -n Server-cert | grep DNS




- Original message -






[root@xxx ZDRIVE]# certutil -d /etc/dirsrv/slapd-xxx01 -L 



Certificate Nickname Trust Attributes 

SSL,S/MIME,JAR/XPI 



CA certificate CTu,u,u 

server-cert u,u,u 

Server-Cert u,u,u 



Thanks Rich…. 





From: Rich Megginson [mailto:rmegg...@redhat.com] 
Sent: Wednesday, September 28, 2011 9:24 AM 
To: General discussion list for the 389 Directory server project. 
Cc: David Hoskinson 
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS 



On 09/28/2011 06:47 AM, David Hoskinson wrote: 

I do not have a server.crt.. I created my certs using the following page on the 
389 documentation 



http://directory.fedoraproject.org/wiki/Howto:SSL 



which creates a cert8.db and key3.db 



in the past I could do certutil –L something and it would show the cert 
information but can’t seem to find that command anymore. 

certutil -d /etc/dirsrv/slapd-instance -L 





I can authenticate from localhost and any of the client machines even the samba 
server just fine… I just can’t seem to get samba service to connect. If I have 
setup things incorrectly I appreciate the help. 







From: 389-users-boun...@lists.fedoraproject.org [ 
mailto:389-users-boun...@lists.fedoraproject.org ] On Behalf Of Angel Bosch 
Mora 
Sent: Wednesday, September 28, 2011 7:52 AM 
To: General discussion list for the 389 Directory server project. 
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS 




are you sure your certificate is created with your FQDN in it?

I've had a LOT of problems until I created my certs correctly.

you can check it with

openssl x509 -noout -text -in server.crt

and I recommend that you include your FQDN as an Alternative Name even if it is your
hostname; that trick saved me a lot of headaches. I always create my certs with
two alternate names, the FQDN itself and also ldap.mydomain

this way you don't have any problems with loadbalancing and such.

to create a certificate request with alternate names you can run (one line)

certutil -R -s
CN=myserver.example.com,OU=example,O=example,L=example,ST=example,C=example
-o example.csr -d . -a -8 myserver.example.com,ldap.example.com








[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_open_connection(786) 

smbldap_open_connection: connection opened 

[2011/09/28 11:23:13, 10] lib/smbldap.c:smbldap_connect_system(951) 

ldap_connect_system: Binding to ldap server ldaps://adm301.stag.cle.us as 
cn=Directory Manager 

[2011/09/28 11:23:13, 2] lib/smbldap.c:smbldap_connect_system(982) 

failed to bind to server ldaps://”FQDN of server”.stag.cle.us with 
dn=cn=Directory Manager Error: Can't contact LDAP server 

(unknown) 



And yes I can resolve the hostname which I have sanitized. 



Thanks for the tip, but that doesn’t seem to help, still have same result. This 
was just working on another machine but I had to put that one back to the way 
it was, and must have missed something. Any more thoughts? 





From: 389-users-boun...@lists.fedoraproject.org [ 
mailto:389-users-boun...@lists.fedoraproject.org ] On Behalf Of Angel Bosch 
Mora 
Sent: Wednesday, September 28, 2011 3:39 AM 
To: General discussion list for the 389 Directory server project. 
Subject: Re: [389-users] Problem with samba and 389 Directory server with LDAPS 




you have to use FQDN when connecting securely. and you have to use the exact 
name used in the certificate. 





I am getting the following message in the /var/log/samba/smbd.log file when I 
start up samba and try to connect as a user. 



[2011/09/27 14:23:33, 1] lib/smbldap.c:another_ldap_try(1153) 

Connection to LDAP server failed for the 15 try! 

[2011/09/27 14:23:34, 10] lib/smbldap.c:smb_ldap_setup_conn(630) 

smb_ldap_setup_connection: ldaps://192.168.3.79 

[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_open_connection(786) 

smbldap_open_connection: connection opened 

[2011/09/27 14:23:34, 10] lib/smbldap.c:smbldap_connect_system(951) 

ldap_connect_system: Binding to ldap server ldaps://192.168.x.x as 
cn=directory manager,dc=stag,dc=cle,dc=us 

[2011/09/27 14:23:34, 2] lib/smbldap.c:smbldap_connect_system(982) 

failed to bind to server ldaps://192.168.x.x with dn=cn=directory 
manager,dc=stag,dc=cle,dc=us Error: Can't contact LDAP server 

(unknown) 



Relevant part of the smb.conf 



passdb backend = ldapsam: ldaps://192.168.x.x 

ldap suffix = dc=stag,dc=cle,dc=us 

ldap machine suffix = ou=people 

ldap user suffix = ou=people 

ldap group suffix = ou=groups 

ldap passwd sync = yes 

ldap admin dn = cn=directory manager,dc=stag,dc=cle,dc=us 

obey pam

Re: [389-users] SSL/TLS with a hardware load balancer

2011-06-10 Thread Angel Bosch Mora
- Missatge original -
 Has anyone engineered a design to run 389-ds servers behind a hardware
 load balancer like an f5 LTM? I've found this question presented
 before, but never answered.
 
 a) the openldap-clients ldap module will query the first host/uri in
 the list until the port goes down
 b) the server can run out of file descriptors or memory and stop
 answering queries without closing the port
 c) pointing clients at a virtualized name on a hardware LB will
 present a name conflict. The SSL cert on the directory server must
 match the v-name on the LB to answer queries, but it must match the
 local hostname for replication agreements.



cd /etc/dirsrv/instance

certutil -R -s 
CN=hostname,OU=example,O=example,L=example,ST=example,C=example -o 
example.csr -d . -a -8 hostname.example.com,ldap.example.com,repl.another.one


this is the only step that can't be done through the GUI; the rest is in the
official docs.



abosch
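The certificate-name advice in the threads above (the wildcard question of 2015-10-08, the samba thread where the client connects by IP, and the load-balancer thread with an FQDN, a service name and a replication peer in one cert) comes down to how clients match the connection name against the certificate. The following is an added Python example, not code from 389 DS or from the list, that applies those matching rules; the certificate names are a constructed sample taken from the certutil -8 invocations quoted above.

```python
"""Check which connection names a directory server's TLS certificate covers.

Added example; not code from 389 DS or the list. Implements the usual client
rules: exact dNSName match, a wildcard only as the whole leftmost label, the
CN ignored once a SAN extension is present, and IP literals only matched by an
iPAddress SAN.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def _match_dns(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the entire leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, the label counts must be
    # equal ('*.xxx.net' covers neither 'xxx.net' nor 'a.b.xxx.net'), and at
    # least two labels must follow it ('*.net' is rejected as a policy choice).
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(name: str, subject_cn: Optional[str], san_dns: Iterable[str],
                san_ip: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (ok, reason) for connecting to `name` against this certificate."""
    san_dns, san_ip = list(san_dns), list(san_ip)
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        # ldaps://192.168.x.x can only succeed if the cert carries that IP.
        if any(ipaddress.ip_address(s) == ip for s in san_ip):
            return True, "matches iPAddress SAN"
        return False, "IP literal is not in the SAN (no DNS name can cover it)"
    if san_dns or san_ip:
        for pattern in san_dns:
            if _match_dns(pattern, name):
                return True, "matches dNSName SAN %s" % pattern
        return False, "no dNSName SAN matches; CN is ignored once a SAN is present"
    if subject_cn and _match_dns(subject_cn, name):
        return True, "matches subject CN (legacy fallback, no SAN present)"
    return False, "subject CN does not match"


def check_names(names: Iterable[str], subject_cn: Optional[str],
                san_dns: Iterable[str], san_ip: Iterable[str] = ()
                ) -> List[Tuple[str, bool, str]]:
    """Evaluate every connection name a client might use against one cert."""
    return [(n,) + cert_covers(n, subject_cn, san_dns, san_ip) for n in names]


# Constructed sample, shaped like the quoted request:
#   certutil -R -s "CN=domssm1.xxx.net,..." -8 domssm1.xxx.net,ldap.xxx.net,ldap-write.xxx.net
SAMPLE_CN = "domssm1.xxx.net"
SAMPLE_SANS = ["domssm1.xxx.net", "ldap.xxx.net", "ldap-write.xxx.net"]

if __name__ == "__main__":
    # Names a client, a load balancer VIP, localhost and a samba "ldaps://<IP>"
    # URI would present, against the sample certificate.
    for name, ok, why in check_names(
            ["ldap.xxx.net", "DOMSSM1.xxx.net", "localhost",
             "192.168.3.79", "ldap-read.xxx.net"], SAMPLE_CN, SAMPLE_SANS):
        print("%-20s %s  (%s)" % (name, "OK  " if ok else "FAIL", why))
    # A wildcard covers one label under the domain, so it suits ldap.xxx.net
    # but neither the bare domain nor a replication peer elsewhere.
    for name, ok, why in check_names(["ldap.xxx.net", "xxx.net", "repl.another.one"],
                                     None, ["*.xxx.net"]):
        print("%-20s %s  (%s)" % (name, "OK  " if ok else "FAIL", why))
```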


[389-users] entry-id conflict

2011-05-06 Thread Angel Bosch Mora
hi,

I'm setting up another node in my multimaster environment.

On the new node I can see differences in the entry-id attribute.

Is this normal?

I guess this is an internal attribute, but I'm not sure if it must be shared and
unique across members of the replication.

Regards,

abosch


[389-users] admin server fails to start with PSET failure: Failed to create PSET handle

2011-04-07 Thread Angel Bosch Mora
hi,

I'm having problems starting the admin server. I can see just this line in the log:

[Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure: Failed to 
create PSET handle (pset error = )

Not sure if it is related, but we had an accident that changed permissions on some
files (recursive chmod on the wrong directory). The main instance seems to work ok, so
I'm a bit lost here.

regards,

abosch


Re: [389-users] admin server fails to start with PSET failure: Failed to create PSET handle

2011-04-07 Thread Angel Bosch Mora
- Original message -
 On 04/07/2011 04:37 AM, Angel Bosch Mora wrote:
  hi,
 
  im having problems starting admin server. i can see just this line
  on log:
 
  [Thu Apr 07 12:26:13 2011] [crit] host_ip_init(): PSET failure:
  Failed to create PSET handle (pset error = )
 
  not sure if is related, but we had an accident that changed
  permissions on some files (recursive chmod on wrong directory). main
  instance seems to work ok, so im a bit lost here.
 What platform? What version of 389-ds-base and 389-admin?
 ls -al /etc/dirsrv/admin-serv

sorry, I was a bit nervous this morning :)


# lsb_release -a
LSB Version:
:core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description:CentOS release 5.5 (Final)
Release:5.5
Codename:   Final

# rpm -qa | grep 389
389-admin-1.1.11-1.el5
389-ds-console-doc-1.2.3-1.el5
389-adminutil-1.1.8-4.el5
389-dsgw-1.1.5-1.el5
389-admin-console-doc-1.1.5-1.el5
389-admin-console-1.1.5-1.el5
389-ds-1.2.1-1.el5
389-ds-base-1.2.6.1-2.el5
389-ds-console-1.2.3-1.el5
389-console-1.1.4-1.el5

# ls -al /etc/dirsrv/admin-serv/
total 176
drwxrwx--- 2 root duser  4096 Nov  5 18:21 .
drwxrwxr-x 7 root duser  4096 Nov  5 18:21 ..
-rw-rw 1 root duser   544 Nov  5 18:21 adm.conf
-rw-rw 1 root duser40 Nov  5 18:21 admpw
-rw-rw 1 root duser  3924 Aug 26  2010 admserv.conf
-rw-rw 1 root duser 65536 Mar 15 12:44 cert8.db
-rw-rw 1 root duser  4469 Nov  5 18:21 console.conf
-rw-rw 1 root duser 26827 Nov 11 12:23 httpd.conf
-rw-rw 1 root duser 16384 Mar 15 12:44 key3.db
-rw-rw 1 root duser  9093 Mar 18 10:21 local.conf
-rw-rw 1 root duser  4502 Aug 26  2010 nss.conf
-rw-rw 1 root duser 16384 Nov  5 18:21 secmod.db



This duser is the user/group created before installation and used for setup-ds.pl

If you need further info, please just ask.

Thanks,

abosch




Re: [389-users] Questions about groups and group IDs

2011-01-07 Thread Angel Bosch Mora
- Original message -
 We are planning out how we are going to move from Active Directory to
 389-ds. We can add users to our test environment successfully, and
 give the accounts the proper information (uid, shell, etc.). However,
 1 area that we are getting stumped at is groups. In our Active
 Directory currently, we have several groups that we put our users into
 based on their function.
 
 Those groups have unique group IDs. However, when I make a group on
 389-ds, I don't have any way of specifying a group ID. I can make a
 new user and give it a group ID by default, but that group ID doesn't
 exist anywhere and I can't find where to assign it or create it. Any
 ideas on this?


You need to use objectClass: posixGroup in your group template. In theory
posixGroup and groupOfNames are structural object classes and cannot be
combined, but in practice there's a variation of the RFC that allows posixGroup
to be used as auxiliary.

http://osdir.com/ml/ldap.umich/2006-07/msg00015.html


regards,

abosch


Re: [389-users] get base dn from ldapsearch

2010-11-25 Thread Angel Bosch Mora
- Original message -
 Oddly enough it looks like it comes out as part of the LDIF comment.
 If you skip the option to tell it to not output ldif comments you'll
 get your base:
 
 
 $ ldapsearch -d1 -x '(uid=example)' 2>&1 | grep base
 
 
 # base dc=example,dc=com (default) with scope subtree


I don't get any result on my machine and I'm pretty sure I have my ldap.conf
configured:


$ ldapsearch -d1 -x '(uid=example)' 2>&1 | grep base

# base  with scope subtree



can this be a bug?


abosch


Re: [389-users] get base dn from ldapsearch

2010-11-24 Thread Angel Bosch Mora
 Maybe I am understanding this wrong but could you not just check in
 the config what the search base is set to on the client side? What is
 the problem you are trying to solve?


Yes, you're right. I can just take a look at ldap.conf, but there are several
places to look:

- debian/ubuntu uses /etc/ldap/ldap.conf
- RHEL/CentOS uses /etc/openldap/ldap.conf
- custom compilations can use any path. ex: /usr/local/ldap/ldap.conf
- windows openldap uses... I don't really know :P

So what I'm trying to do is resolve the configured base without knowing anything
about the client.

For example, this command gives me the server even if I don't know anything
about the conf:

ldapsearch -d1 -x -LLL '(uid=example)' uid 2>&1 | grep ldap_connect_to_host


I'm just a little bit surprised that I can't find any debug level that gives me
the BASE


abosch


[389-users] get base dn from ldapsearch

2010-11-23 Thread Angel Bosch Mora
hi,

not specifically 389 related, but:

is there a way to guess the default base dn for clients (the one configured in
/etc/openldap/ldap.conf) with ldapsearch?

I've tried with -v, -n and -d but I only get the server, not the base.

regards,

abosch


Re: [389-users] SSl connection to 389 DS server

2010-11-22 Thread Angel Bosch Mora
SSL connections need the same FQDN specified in the cert to be used when
connecting.

localhost is hardly going to work.


abosch


Re: [389-users] dsml packages

2010-11-14 Thread Angel Bosch Mora
- Original message -
 Yes. We never released dsmlgw as an rpm package.

I thought I saw something about packages in the docs but I can't find it now.

thanks for the answer.



[389-users] dsml packages

2010-11-11 Thread Angel Bosch Mora
hi,

I can't find the latest dsml packages anywhere.

Must I compile from sources?

I use the epel repos.

regards,

abosch


[389-users] upgrading packages

2010-11-10 Thread Angel Bosch Mora
hi,

I've some questions about upgrading:

- must I run 'setup-ds-admin.pl -u' every time there's a new package in the
repos?

- doesn't packaging take care of that?

- does it matter how many instances are configured?



I've been having some strange problems in my (mixed) environment and I just
want to clarify some things.


abosch


Re: [389-users] duplicate existing ssl crenentials on another server ?

2010-11-09 Thread Angel Bosch Mora
you must create a certificate with additional hostnames with the -8 option.

you can view an example here:

http://docs.sun.com/app/docs/doc/819-5899/6n7uuth9p?l=enn=1a=view


- Original message -
 Hello,
 
 After having read through the Howto:SSL document on the 389 wiki, i
 went ahead and set up SSL for my master instance - it works great, and
 i couldn't be happier. :)
 
 I have a slave set up to do read-only replication from the master ;
 now, the wiki document has information on how to integrate the
 certificate into a slave so that the replication can occur over SSL,
 which i'll no
 doubt do, but that's not what i'm looking for advice on now.
 
 What i'm interested in is actually duplicating the new SSL setup that
 currently exists on the master. I realise that this sounds funny, but
 the reason is simple : in our environment, all of the clients and
 LDAP-aware applications are configured to send requests to a given
 hostname (which is not the base FQDN of the LDAP server - it's
 another, separate hostname entirely). If the master goes down, the
 slave automatically has this separate hostname assigned to it.
 
 (Put another way, it's a sort of poor-man's failover. It's far from
 perfect, and everybody knows it, but that's what's there, so for now
 we live with it. :P )
 
 What i would appear to need, therefore, is to have the slave be able
 to respond to incoming SSL requests with exactly the same credentials
 as the master. Is this even possible, and if so, how would i got about
 doing it ?
 
 Thank you, all.
 
 
 -- Daniel Maher dma + 389users AT witbe DOT net


Re: [389-users] Safeguarding against to many established connections

2010-10-19 Thread Angel Bosch Mora
- Original message -
 On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
  Hi We have recently seen an issue were a single client opened up
  more than 800 established connections to our directory server. The
  client did have the proper settings configured and should have
  closed connections but it did'nt. Is there a way to limit the amount
  of connections per client or close connections from the server side
  after a certain period? Without just making the amount of
  connections ridicuosly high on the directory server how can you
  safeguard against rogue clients.
 
  Our client setting is as follows:
  idle_timelimit 5
  timelimit 10
  bind_timelimit 5
 
  We were unable to log into client and it had file system issues so
  we could not do any further analyses there.
 
  I suspect that solutions to this problem probably fall outside of
  what can be configured in 389?
 
 While it's not a 389-specific suggestion, iptables could easily solve
 this problem for you across the board. :)
 

There's also a setting to close idle connections after X seconds. It's somewhere 
in the 389 console; I can't remember exactly where right now.


abosch


[389-users] sub-suffix creation

2010-10-15 Thread Angel Bosch Mora
Hi,

I'm trying to create the entry for a sub-suffix I've created in the console, but 
I can't find any instructions.

I've followed the official docs:

http://www.centos.org/docs/5/html/CDS/ag/8.0/Configuring_Directory_Databases-Creating_and_Maintaining_Suffixes.html#Creating_Suffixes-Creating_a_New_Sub_Suffix_Using_the_Console

but there's no info about entries, just databases.

Any clue?

abosch




Re: [389-users] sub-suffix creation

2010-10-15 Thread Angel Bosch Mora
- Original message -
 Hi,
 I'm a bit confused... have you successfully created the entry using the
 console and are looking for an LDIF example? Or did the creation fail
 in the console? I can give you examples of how we create our tree and
 sub-suffixes if that will help; they are all in LDIF format.



I've found some additional info here:

http://docs.sun.com/source/816-6698-10/suffixes.html#16762


I was a little bit lost, but I've finally managed to create an entry through the 
console. All the examples I found were using LDIF and the command line for entry 
creation, but it is really easy with the console. Just be careful to use the 
exact same name as in the suffix database creation.

Thanks for your time, anyway.

abosch
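The reply above warns that the sub-suffix name must match the one used when the suffix database was created. The following is an added example (not code from the thread or from the 389 project) that builds the LDIF for a sub-suffix from a single suffix string, so the backend's `nsslapd-suffix`, the mapping-tree entry and the top entry of the new subtree cannot drift apart, and refuses a DN that is not actually below the parent suffix. The entry layout follows the 389 DS mapping-tree documentation (`cn=mapping tree,cn=config`, `cn=ldbm database,cn=plugins,cn=config`); the backend name and example DNs are made up, and the DN normalisation is a simplification rather than a full RFC 4514 implementation.

```python
"""Added example, not from the thread: generate consistent 389 DS sub-suffix LDIF.

Assumptions: entry layout as in the 389 DS docs for sub-suffixes; the example
backend name and DNs are constructed; check the output against your version's
dse.ldif before applying it.
"""

# Object class to use for the top entry, keyed on the RDN attribute of the sub-suffix.
OBJECTCLASS_FOR_RDN = {"ou": "organizationalUnit", "dc": "domain", "o": "organization"}


def normalise_dn(dn: str) -> str:
    """Simplified DN normalisation: lower-case attribute types and values, no
    whitespace around '=' or ','. Enough to compare suffix strings for equality."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def is_sub_suffix_of(sub: str, parent: str) -> bool:
    """True when `sub` is a proper descendant of `parent` (same DN does not count)."""
    s, p = normalise_dn(sub), normalise_dn(parent)
    return s != p and s.endswith("," + p)


def sub_suffix_ldif(sub_suffix: str, parent_suffix: str, backend: str) -> str:
    """Return the LDIF for the backend instance, the mapping-tree entry and the
    top entry of `sub_suffix`, all derived from the same suffix string."""
    if not is_sub_suffix_of(sub_suffix, parent_suffix):
        raise ValueError(f"{sub_suffix!r} is not below {parent_suffix!r}")
    rdn_attr, _, rdn_value = sub_suffix.split(",", 1)[0].partition("=")
    rdn_attr, rdn_value = rdn_attr.strip(), rdn_value.strip()
    objectclass = OBJECTCLASS_FOR_RDN.get(rdn_attr.lower(), "extensibleObject")
    return f"""\
dn: cn={backend},cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: {backend}
nsslapd-suffix: {sub_suffix}

dn: cn="{sub_suffix}",cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: "{sub_suffix}"
nsslapd-state: backend
nsslapd-backend: {backend}
nsslapd-parent-suffix: "{parent_suffix}"

dn: {sub_suffix}
objectClass: top
objectClass: {objectclass}
{rdn_attr}: {rdn_value}
"""


if __name__ == "__main__":
    # Constructed example: a People sub-suffix under dc=example,dc=com.
    print(sub_suffix_ldif("ou=People,dc=example,dc=com", "dc=example,dc=com", "PeopleData"))
```

The generated LDIF is meant to be reviewed and then fed to `ldapmodify -a` (or compared with what the console produced); the parent suffix and its backend must already exist, since the mapping tree entry only points at them.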


Re: [389-users] ns-slapd processes not dying

2010-09-08 Thread Angel Bosch Mora
- Original message -
 Hi,
 
 We had similar problem before, but I am not sure if it is related to
 your case.
 
 The file descriptors that were opened by the ns-slapd process were all
 in a CLOSE_WAIT state. You can try executing netstat -anput | grep
 CLOSE_WAIT and see if there are a lot of dangling CLOSE_WAIT sockets
 opened by ns-slapd.


Seems that is not the case.

I can see a lot of ESTABLISHED connections, but not a single CLOSE_WAIT. E.g.:


tcp0  0 :::172.26.67.79:389 :::192.168.224.16:53143 
ESTABLISHED 315/ns-slapd


The quick and dirty workaround is restarting the instance every night.


regards,

abosch
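Both this thread and the earlier one about a single client holding 800 established connections come down to the same check: who is holding sockets to ns-slapd, in which state, and how many. The script below is an added example, not from the thread or the 389 project. It parses `netstat -anput` output in the format quoted above, counts ESTABLISHED connections per client for a given program, flags clients above a threshold, and counts CLOSE_WAIT sockets. The sample output is constructed (only the first ns-slapd line is the one from the post); addresses, counts and the threshold are made-up values.

```python
"""Added example, not from the thread: summarise ns-slapd sockets from netstat output."""
from collections import Counter

# Constructed `netstat -anput` sample. IPv4 clients of a dual-stack listener show
# up as ':::a.b.c.d' (or '::ffff:a.b.c.d'), exactly as in the line from the post.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53143 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53144 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.16:53145 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:389     :::192.168.224.17:40011 ESTABLISHED 315/ns-slapd
tcp        0      0 :::172.26.67.79:636     :::192.168.224.18:40100 CLOSE_WAIT  315/ns-slapd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1200/sshd
tcp        0      0 :::172.26.67.79:22      :::192.168.224.19:50000 ESTABLISHED 1201/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           900/ntpd
"""


def split_host_port(addr: str) -> tuple:
    """Split 'host:port'. An IPv4 literal wrapped as ':::a.b.c.d' or '::ffff:a.b.c.d'
    is reduced to 'a.b.c.d'; genuine IPv6 hosts such as '::1' are left alone."""
    host, _, port = addr.rpartition(":")
    if "." in host:
        host = host.rsplit(":", 1)[-1]
    return host, port


def parse_netstat(text: str) -> list:
    """Return one dict per TCP socket line. The header, UDP rows (no state column)
    and anything else that does not have the seven TCP fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[0].startswith("tcp"):
            continue
        lhost, lport = split_host_port(parts[3])
        rhost, rport = split_host_port(parts[4])
        _, _, program = parts[6].partition("/")   # '315/ns-slapd' -> 'ns-slapd'; '-' -> ''
        rows.append({"local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": parts[5], "program": program})
    return rows


def connection_report(text: str, program: str = "ns-slapd", threshold: int = 100) -> dict:
    """Summarise the sockets owned by `program`:
    per_client      ESTABLISHED connections per remote host
    over_threshold  remote hosts holding more than `threshold` connections
    close_wait      sockets in CLOSE_WAIT (peer closed, server side still open)"""
    rows = [r for r in parse_netstat(text) if r["program"] == program]
    per_client = Counter(r["remote_host"] for r in rows if r["state"] == "ESTABLISHED")
    return {
        "per_client": per_client,
        "over_threshold": sorted(h for h, n in per_client.items() if n > threshold),
        "close_wait": sum(1 for r in rows if r["state"] == "CLOSE_WAIT"),
    }


if __name__ == "__main__":
    # Threshold of 2 is only for the constructed sample; pick one for real traffic.
    report = connection_report(SAMPLE_NETSTAT, threshold=2)
    for host, n in report["per_client"].most_common():
        print(f"{host:20} {n:5d} established")
    print("over threshold:", report["over_threshold"])
    print("CLOSE_WAIT sockets:", report["close_wait"])
```

Run it against live output with `netstat -anput | python3 this_script.py`-style piping by reading `sys.stdin` instead of the sample. The two server-side mitigations the threads point at are the idle-connection timeout in `cn=config` (`nsslapd-idletimeout`, in seconds; this is the console setting the reply could not name) for sockets that go quiet, and a per-source connection cap in front of the listener (the iptables `connlimit` match) for clients that keep opening new ones. Neither helps with a client that keeps its connections busy, which is why the per-client count above is worth alerting on.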