I encountered the following entries in the error log:
[06/Oct/2011:10:11:57 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=srvAtosrvB" (srvB:389): CSN 4e8d804a0000000c0000 not found, we aren't as up to date, or we purged
[06/Oct/2011:10:11:57 +0000] NSMMReplicationPlugin - agmt="cn=srvAtosrvB" (srvB:389): Data required to update replica has been purged. The replica must be reinitialized.
[06/Oct/2011:10:11:57 +0000] NSMMReplicationPlugin - agmt="cn=srvAtosrvB" (srvB:389): Incremental update failed and requires administrator action
Does anyone have an idea what could have caused this and, more importantly, how to fix it?
We are running a 64-bit CentOS that used to be on 5.4, but a few days ago
we put patches on it which brought it up to 5.7. It also updated our
389-ds to the following versions:
rpm -qa 389*
When I try to run the 389-console application now (a user needs his
password reset), I get the following errors:
Exception in thread "main" java.lang.ClassFormatError:
com.netscape.management.client.console.Console (unrecognized class file
Any ideas on how to fix this?
I'm doing a backup of my access logs on several LDAP servers and I have
found that some of these logs have been deleted because of rotation. The
thing is, I want to save all the access log generated in a day in files of
100MB. I have searched for a way to do it, and it seems I have to set the maximum
size of the combined archived logs to -1, but I don't know if I can set -1
for the maximum number of logs for the directory to keep. Is this possible?
I need your expertise... please help me! (Disclaimer: I am a relative
newcomer to 389ds)
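Added configuration example (not from the original post): ldapmodify input for the cn=config attributes that control 389 DS access log rotation. The 100 MB file size and the -1 (unlimited) combined archive size come from the post; the per-directory count and the expiration setting are assumptions, since the per-directory count attribute takes a positive number rather than -1.

```ldif
# Added example, not from the original post.
# nsslapd-accesslog-maxlogsize: rotate each access log at 100 MB (from the post)
# nsslapd-accesslog-logmaxdiskspace: -1 removes the cap on the combined size of
#   archived logs (from the post)
# nsslapd-accesslog-maxlogsperdir: a positive count; 500 is an assumed value large
#   enough for one day's worth of 100 MB files
# nsslapd-accesslog-logexpirationtime: -1 so archives are not deleted by age (assumed)
# Caveat: nsslapd-accesslog-logminfreediskspace (MB) still deletes the oldest archive
#   when the filesystem falls below that threshold, so leave disk headroom.
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-maxlogsize
nsslapd-accesslog-maxlogsize: 100
-
replace: nsslapd-accesslog-logmaxdiskspace
nsslapd-accesslog-logmaxdiskspace: -1
-
replace: nsslapd-accesslog-maxlogsperdir
nsslapd-accesslog-maxlogsperdir: 500
-
replace: nsslapd-accesslog-logexpirationtime
nsslapd-accesslog-logexpirationtime: -1
```

Apply it with the OpenLDAP client as `ldapmodify -x -D "cn=Directory Manager" -W -f accesslog.ldif`, then confirm with `ldapsearch -x -D "cn=Directory Manager" -W -b cn=config -s base nsslapd-accesslog-maxlogsize nsslapd-accesslog-logmaxdiskspace nsslapd-accesslog-maxlogsperdir`.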
I'm running a Java application that keeps user authentication,
permissions, and preferences in ldap. And I'm currently load testing
this application (using Jmeter, 15 concurrent threads, no think time)
and I'm getting really good performance most of the time. However every
5 minutes (from the time I started ldap), 389's CPU usage will spike to
375% (400% = all 4 processors at 100%, 389 normally sits around
15-20%). These pauses last for between 20 - 30 seconds (proportionate
to the load I'm throwing at it) during which our application will just
sit. Since I'm just running the same set of requests at it constantly,
there isn't anything different in terms of our application during those
times, which points to 389 as the culprit (or possibly some glassfish
ldap pool problem).
Glassfish 3.1 final on Java 1.6.0_26 (64 bit server VM)
Fedora 15 64-bit (also observed on CentOS 5.4 64-bit)
Have any of you run into this problem? Do you have any possible config
changes I could try? Any possible leads at all?
I am looking at doing certificate based authentication using 389. The company
where I am working currently issues a certificate for every new starter and
these certs are well managed with regards to sensible expiry dates etc. This
cert is your key to the whole environment and a lot of the applications like
jira/confluence authenticate you based on your certificate.
I have read through the documentation:
and it seems to suggest that it is necessary to convert the user certificate
and upload it into the 389 database. This seems a bit of a duplication. Is there
any way to "talk" to the certificate provider to ascertain the validity or
not of a certificate and obtain any other required information, rather than
having a copy of the certificate in the database? The documentation also
does not say whether this is the public or private part of
the certificate that needs to be uploaded. I am assuming it is the public
The second part of the question is how would this work with regards to ssh
authentication. Somehow via pam and ssh the certificate must be passed on to
389 when the authentication happens. I am not sure this is currently
possible with pam but would be interested in any suggestions to achieve
something like this.
Looks like 389 doesn't by default have the LDAP Schema for Intranet Mail
Routing schema defined which uses objectClass inetLocalMailRecipient. Any
particular reason for this? Is there a more useful schema?
I used 389 Directory Server in the past.... but it has been a long time...
When I start 389-console on top of an ssh session with X, I can't use
the input boxes...
(solved by a local installation of 389-ds but...)
I see for an easy setup of multimaster replication with SSL, I can
still use setupssl2.sh and mmr.pl
But what's the right order?
After setup-ds-admin.pl I first ran setupssl2.sh and then I tried to setup mmr.
I get this error when I choose --with-ssl... (replication without SSL works)
[11/Oct/2011:13:15:51 +0200] slapi_ldap_bind - Error: could not send
bind request for id [cn=repman,cn=config] mech [SIMPLE]: error -1
(Can't contact LDAP server) -8054 (You are attempting to import a cert
with the same issuer/serial as an existing cert, but that is not the
same cert.) 107 (Transport endpoint is not connected)
(with the normal replication I also see netscapeRoot, not userRoot)
I ran into a problem with the ACLs.
I set up an account that needed to acquire only certain attributes, so I set the following ACL:
(targetattr = "uid || mail || mailHost || accountType || accountStatus || mailAlternateAddress || mailForwardingAddress || mailUserPassword")
(target = "ldap:///dc=moveone,dc=info")
(targetfilter = ou=People)
acl "Email server can lookup some data";
(userdn = "ldap:///cn=emailServerLookup,ou=People,dc=moveone,dc=info")
but the search gives back all the attributes, not only the allowed ones.
What am I missing?
ldapsearch -x -LLL -h ds -b ou=People,dc=moveone,dc=info -D "cn=emailServerLookup,ou=People,dc=moveone,dc=info" -w TheSecretPassword uid=karoly.czovek
Global Systems Administrator
MoveOne IT Department
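Added example (not from the original post): the same rule written as a complete 389 DS aci value in ldapmodify form, since an aci also needs the "(version 3.0; acl ...; allow (...) ...;)" body that the fragment above does not show. Assumptions: the intent of "(targetfilter = ou=People)" is "entries under ou=People", so the subtree is targeted directly and that clause is dropped, and the permissions granted are read, search and compare.

```ldif
# Added example, not from the original post.
# 389 DS access control denies by default and grants are cumulative across all
# aci values that apply to an entry, so this rule alone cannot hide attributes
# that a broader aci (for example a default anonymous-read rule on
# dc=moveone,dc=info) already exposes to the bind DN.  List the rules in force
# with the OpenLDAP client:
#   ldapsearch -x -LLL -D "cn=Directory Manager" -W -b dc=moveone,dc=info "(aci=*)" aci
# and narrow or remove any that grant more than intended.
dn: ou=People,dc=moveone,dc=info
changetype: modify
add: aci
aci: (targetattr = "uid || mail || mailHost || accountType || accountStatus || mailAlternateAddress || mailForwardingAddress || mailUserPassword")(version 3.0; acl "Email server can lookup some data"; allow (read, search, compare) userdn = "ldap:///cn=emailServerLookup,ou=People,dc=moveone,dc=info";)
```

After applying it, rerun the ldapsearch from the post bound as cn=emailServerLookup; any attribute beyond the listed ones still returned is being granted by another aci, not by this one.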
I am trying to find out the best way to change my password using ldappasswd... and have it also update my samba passwd. From what I am understanding the ldap sync option in samba will do that, but we don't use samba as a domain controller, only as a file server. We change our passwords from command line in linux. Everything I am reading seems to point the opposite direction of what we want to do.
David Hoskinson | DATATRAK International
I have a pretty flat DIT, with all users currently under
ou=people,dc=example,dc=com; these user objects also have posixAccount
attributes, of which loginShell is one.
What I'm trying to achieve is to be able to set a "default" loginShell
to be a restricted shell (/bin/rbash) for developers, but allow that to
be a non-restricted shell on systems which are development hosts.
As an example, on a production host I'd like:
$ ldapsearch -x "(uid=devuser)" uid loginshell
dn: cn=Dev User,ou=People,dc=example,dc=com
while on a development host, I'd like the same search to return
dn: cn=Dev User,ou=People,dc=example,dc=com
I thought I might be able to achieve this by creating a view called
ou=Developers,dc=example,dc=com and using that as a base DN on the
development boxes, then applying a CoS within the view to override the
loginShell attribute, but then the CoS ends up being applied to the
original entry too.
Is there any way that I could:
- have a CoS apply based on client system attributes, like IP
- have a CoS which applies to a view that *doesn't* affect the original
- perhaps make use of cosPriority through two different views, so as to
have ou=Development,... and ou=Production,... (but that would be
answered by the previous option anyway)?
Is there some other clever way to achieve what I'd like? I'd really like
to avoid maintaining 2 separate DITs for the same set of users.