389-users February 2011

389-users@lists.fedoraproject.org

31 participants
35 discussions

Is there a way to upgrade to 1.2.7 without the subtree-rename feature switched on
by Reinhard Nappert 23 Feb '11

23 Feb '11

Hi, I want to upgrade from 1.1.2 to 1.2.7.5, but I am not interested in using the subtree-rename feature. Question: can I call sbin/setup-ds.pl -u with a parameter indicating that I do not want to have this feature. Thanks, -Reinhard

2 1

[389-Users] Repopulating Multi-Master Replicated Directory
by Chun Tat David Chu 23 Feb '11

23 Feb '11

Hi All I have a question about repopulating 2 or more multi-master replicated directory. Here's my scenario... 1) I exported the whole directory database into LDIF. 2) I need to repopulate two directories that are configured with multi-master replication scheme Knowing that one way to do this is simply repopulate one directory and let the replication does the rest by re-initializing the other directory. But can I import the same LDIF file individually to both directories to reduce synchronization time? The goal here is to minimize the time needed for directory synchronization. Thanks in advance! David

3 3

389 Server and MMR
by cfr100＠acm.org 22 Feb '11

22 Feb '11

Hello, I'm trying to set up 389 on a CenOS 5.5 machine using the setup-ds-admin.pl script and the mmr.pl script. They seem to be inconsistent with each other. setup-ds-admin.pl wants a "directory server identifier" (defaults to short name). This becomes the slapd instance name in /etc/dirsrv. mmr.pl wants a fqdn for host1 and host2. It then creates an instance in /etc/dirsrv based on this long name (failed attempt to update the existing instance??). Henceforth, a "service dirsrv restart" will try to stop and start /etc/dirsrv/slapd-hostname and /etc/dirsrv/slapd-fqdn. The later will fail and replication will no succeed. setup-ds-admin.pl fails if you give fqdn as an identifier. mmr.pl fails if you give a short name for host. And there is no method to really start over. setup-ds-admin.pl seems to spew files and directories across at least /etc, /var/spool and /var/run. Am I missing something? What is the recommended way of doing this? Thanks Chuck

2 1

Moving from FDS to 389DS
by Utkarsh Sengar 18 Feb '11

18 Feb '11

Hi Guys, I am trying to move an old fedora DS to the current version. (I wish I could tell you the versions, but I am not able to figure out how to get the version numbers). Anyway, I exported the ldif from the old server and imported into the new server: ./ldif2db -n NetscapeRoot -i /ldap/NetscapeRoot.ldif ./ldif2db -n userRoot -i /dap/userRoot.ldif I see a lot of warnings when I import userRoot.ldif about bad entry, skipping. And when I browse the new setup, I do not see the entries. So, my question is: How can I move my existing FDS to a new FDS. -- Thanks, Utkarsh Sengar <http://utkarshsengar.com>

2 6

389 1.2.7.5 build on RHEL6
by Daniel R. Gore 18 Feb '11

18 Feb '11

I have finally got 389 to build completely on a RHEL6 virtual systems. Unfortunately, I cannot get the console(s) to work correctly. When I execute the /usr/sbin/389-console script, I get a console, but it shows three empty input fields with no description of what they are for and three little tabs across the bottom that appear to be for something, but have no labels. I clicked on one of them and it closed the console. I also could not get the idm-console -a http://localhost:9830 to work. Any suggestions would be great. I am running out of time and may have to build a rhel5.5 system to run DS on. I would prefer to do it on RHEL6 for many reason. It sure would be nice to have the RHEL6 RPM builds for DS. Thanks. Dan -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

3 8

(Insufficient 'write' privileges to the 'userPassword') when executing passwd change
by Beamon, John 18 Feb '11

18 Feb '11

This is a new install, straight from the docs with 4 boxes in an MMR setup. Attempting a password change from a Linux command line, I get this feedback. > $ passwd Changing password for user jbeamon. Enter login(LDAP) password: New UNIX password: Retype new UNIX password: LDAP password information update failed: Insufficient access Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=jbeamon,ou=people,dc=example,dc=com'. passwd: Permission denied > I zeroed out the access and error logs in advance. The error log was empty; the access log was nothing but SRCH, BIND, and RESULT entries for my account. Nothing about access problems or attempted modifies. A web search for this error message revealed one conversation in Jan 2009 that ended with "I fixed my aci and the problem went away". I haven't knowingly changed any acis since install. At the global level, user may change password. At the userRoot suffix level, user can change password and fine-grained policy is enabled. A password reset by directory manager succeeds and replicates around. Does anyone else recognize this? -j

2 2

Performance differences between 1.1.2 and 1.2.6/1.2.7
by Reinhard Nappert 18 Feb '11

18 Feb '11

Hi, I noticed that the search performance increased quite a bit with 1.2.6/1.2.7.5, compared to 1.1.2. I did a rather simple test, where I randomly searched objects from a small database with about 25.000 objects. I assume that those objects are cached. The tests were performed on a 2 Dual CPU (1.8 GH clock speed) box with 16 GB RAM. I did perform 7.000.000 searches with 7 threads (1.000.000 searches per thread). Both directory instances were configured in exactly the same way. I got 5630 searches/sec for the 1.2.7.5 directory instance, whereas I got 6890 searches/sec for the 1.1.2 directory instance. I was wondering what the reason for the performance decrease is. Thanks, -Reinhard

3 3

Trying to delete one entry
by Rafael Cervillera Cortés 16 Feb '11

16 Feb '11

Hi, gurus! We have a 389DS and the following problem deleting an entry. Our server has multiple databases and the problem only appears in one, we can remove entries from cn=users but not from other subtree. All databases are not in read only mode. ldapdelete shows an ldap_delete: Operations error (1). In another subtree we can delete any entry without problems. In the inspect of the ACIs we haven't found anything wrong (same ACI in both subtrees). Attached is the modified output of ldapdelete with debug mode 2147483647. Thanks in advance. --

4 7

Remediating Encryption Levels
by Gerrard Geldenhuis 16 Feb '11

16 Feb '11

Hi I am currently testing this but would like to double up my testing with any other experiences in the list. A security scan has shown my test LDAP server to be vulnerable to weak SSL encryption. I have turned off all encryption levels below 128 bits in the Cipher Preference Dialog box for both the admin and dirsrv. I am testing whether this will have any effect on any connection within my setup that uses SSL, thus chaining, replication, console and general authentication from CentOS and Red Hat clients. My understanding is that having those lower levels like DES 56 enabled allows such a connection but the connection encryption level will be determined by what the client initiates if supported at the server. So if the client initiates a 128bit RC4 it will be a 128bit RC4 connection. With this in mind what would be the default level of encryption if the client is "internal" to the 389DS. Thus would be the encryption level for chaining and replication and connecting to the console. If an encryption level is not supported what is the negotiating logic to determine a working connection? Regards ________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses. ________________________________________________________________________

2 1

replicating netscaperoot, server2 not in server1 console
by Beamon, John 15 Feb '11

15 Feb '11

Running 389-ds 1.2.5 on two servers. I followed the techniques in this link, which uses setup-ds.pl and postpones registering until after the config has been built from LDIF and o=netscaperoot has been initialized. http://sinodun.com/howto/replicating-netscaperoot-on-fedora-ds/ Connecting the console to server2, I find both server1 and server2 listed. Connecting the console to server1, only server1 is listed. This is not a failover design yet. I've tried running register-ds.pl to register server2 at server1's CDS, but the script does not ask where you want to register. > ============================================================================== Candidate servers to register: /etc/dirsrv/slapd-chi01osi112 ============================================================================== Do you want to use this server as Configuration Directory Server? Directory server identifier [chi01osi112]: > What might I have missed? Thanks. -j

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users February 2011