I exported some databases into LDIF files (db2ldif) and imported them in DS8.1 freshly installed.
Then, I went to the "o=" subtree and activated password policy like this "Users must change their passwords after 1 day".
I took a user in this subtree and changed the password. Normally, I should see a new attribute "PasswordExpirationTime" but it seems not.
So, as a test, I created a new o= subtree like this: o=TestPwd,dc=test,dc=net
Then, I created a new user inside it: ebobo
After I activated a password policy, I saw that two entries were created in this subtree like this:
cn=nSPwPolicyContainer,o=TestPwd,dc=test,dc=net (two entries inside)
"cn=nsPwPolicyEntry,o=TestPwd,dc=test,dc=net" (I can see this attr: passwordexp on)
I changed ebobo's password and I still don't see the new attribute "PasswordExpirationTime" in "Advanced properties" in the console. If I check on "Show all Allowed Attributes", I can see this attribute but it isn't set.
I tried to set the PasswordExpirationTime myself in ebobo's account in this format: 200901011223Z but this account isn't de-activated because of the expiration time; I can still log on to some sites with this account.
I took a look in the access/error logs and there were no errors, only normal operations. I can provide them if needed.
I'm wondering if there's any other step to successfully activate the max age password policy?
I am a first-time user of the 389 DS -- version 1.1.3-6.el5 installed
from the EPEL RPMs.
When I try to enter my first user, using web interface, I keep running
into an error when trying to enter people that says:
An error occured while contacting the LDAP server.
(Object class violation - unknown object class "nsaimpresence")
I've scanned the files in /etc/dirsrv as well as /usr/share/dirsrv (grep
-ri nsaim) but the only thing I see is nsaimid. There doesn't seem to
be anyone else talking about this, which makes me think I must've done
something wrong, but whatever it is I've done it again: after erasing
and starting over I'm back at the same roadblock. I can enter groups,
OUs, anything but people.
I found a reference to 10presence.ldif being deprecated and an old
schema from RHDS 6.2 docs, but trying to re-create that file got me nowhere.
Can anyone tell me how to get past this problem?
Thanks in advance for any assistance.
I have an issue on referral and read-only replica.
My setup consists of two multi-master suppliers and 1 read-only replica
MM1 <-> MM2
The replication is configured to use SSL, port 636.
I notice that the automatic referral is done via the unencrypted port 389.
What do I need to do to ensure the referral is done over the SSL port 636 as
I have Winsync agreements simply to pull accounts from AD. No pass
sync configured, nothing pushed from Directory Server to AD, simply
pulling account info from AD to Directory Server with no password.
I did full synchronization to pull accounts from AD and it was
successful, many accounts were populated.
My issue is that I get this in the error log..
NSMMReplicationPlugin - agmt="cn=winsync" Replica has no update vector
It seems that Winsync is working but I don't know how serious this is
or if it can be ignored. My feeling is that it must mean something
because it is consistently logging every 4 seconds.
I did some reading and RUV is described as..
A collection of information within each replica that determines how up
to date the replica is with respect to other replicas for that
I also read that...
This information is stored on both the supplier and the consumer and
that it determines which changes need to be replicated..And that each
server should know more about its own replica ID than the other
I am probably missing the obvious as I have only 1 replica.. can
someone please help my understanding?
Is there any way to make the LDAP server cache common searches, or generate a
prebuilt result set, updating it every time an entry of the set is modified?
We have a management tool that makes the same search multiple times to get
the full list of the users (about 40000), so the CPU use rises every time the
search is made. The search always uses the same filter and the same returning
attributes, but the data is distributed among different databases and
I have read some about VLV indexes, but I am not sure if they fit our
requirements. Also, VLV indexes are configured per database, not for the
entire suffix, which is what we need.
Any ideas? Regards.
I'm using Fedora DS as authentication server for my network. I've
configured the environment so that Linux gets user and group
information from the LDAP server.
The problem is that I'm getting incomplete information! Group
definitions are missing.
I'll give you an example: a user has a uid, a primary gid and
secondary gids. I'm not getting secondary gids.
I would like "user" to be a member of "group1" and "group2". If I ask
the LDAP server with getent I get this information:
getent passwd user
getent group group1
getent group group2
As you can see, user has id 496 and gid 601. user is also a member of
group2 (gid 600).
But if I query the system about the "user", I get:
uid=496(user) gid=601(group1) groups=601(group1)
Have you ever seen this behaviour? Have you got suggestions?
The default value of response size limit in directory server is 2000 entries.
I couldn't find any documentation that explains clearly what could cause any issues if I set it to unlimited (-1). I have some clients that would want to get a bulk response according to some search patterns. Actually, we have around 5000 objects that could be returned to clients.
Would setting the size limit to -1 cause an impact on the server performance?
Why does the size limit exist? Because of small clients and networks with high latency/low bandwidth?
What is the difference between getting a bulk response in one shot and in paged mode? I mean, does the paged mode really relieve the load on the server side, i.e. sending 1000 responses in 5 pages instead of giving 5000 responses in one shot?
Thank you in advance!