Re: [389-users] Sync AD with 389-DS Unable to parse response
by Rich Megginson
> Date:
> Fri, 21 Jan 2011 10:25:56 +0100
> To:
> "General discussion list for the 389 Directory server project."
> <389-users(a)lists.fedoraproject.org>
>
>
> Hi Rich,
>
> Thanks for this useful link.
>
> I have successfully initiated replication between Windows AD and my
> 389-DS server. Ldapsearch is working. But even if everything seems to be OK,
> the update does not work and I do not see any error in the log
> files... So, my AD server stays empty, the accounts are not migrated...
>
> Here you have my access log file which is more verbose...
> (mydomain.com <http://mydomain.com> for the example) :
<snip>
> Obviously I am connecting to the server 389-DS itself whereas it can
> resolve the DNS name of my Windows server... There is no error in the
> AD event viewer while I could see errors on it when it was
> misconfigured (like DirSync errors)... So, basically, the Windows
> server is contacted to my DS-Server over 2 different networks.
>
> Do you think I have to open the ports described in my message?
>
> -Regards.
I don't know. There is no winsync information in the access log. Note
that the access log records client accesses to the directory server, and
in winsync, the directory server itself acts as a client to AD, so
winsync will log nothing in the access log. The errors log could be
helpful, and especially using the replication log level (which is also
used for winsync logging). The Windows Event Viewer is useless for
winsync issues.
Performance tuning - where to begin?
by Daniel Fenert
Hi,
I have a performance problem on a 389-ds server and don't really know where
to start fine tuning.
My current setup is a master (2xQuadCore, 8GB RAM) and a few read-only slaves.
It works (more or less) without problems, but I would like to migrate to
multi-master (2 master servers).
To check if one master will handle the whole load, I've tried switching
clients from the slaves to the master one by one.
After switching clients from the third slave, I've encountered a weird problem
- the master was about 50% busy (looking at the CPU, no IO waits), but there
was a problem with new connections.
Looking at the network level - there was a SYN from the client, but no ACK
until one or two retransmissions of the SYN.
I've tried increasing the thread number (from 30 to 60), but the problem still
exists.
The problem appears near 400-500 connections/second. My whole load is
~750 conn/sec. Looking at the CPU usage, this server should handle the load.
It works stably with a load of ~300 conn/sec.
There are plenty of configuration options, where should I look first?
--
Daniel Fenert
pam_unix(sshd:auth): authentication failure;
by heiko.hess@nextra.de
Hi folks,
I have strange entries in the secure log file and I ask myself why the log says
pam_unix(sshd:auth): authentication failure but the login works fine. Is
this a bug?
Or can anyone tell me how I can fix this?
Feb 10 11:08:38 hostname sshd[4461]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.xx.xx.xx user=xxxx
Feb 10 11:08:38 hostname sshd[4461]: Accepted password for xxxx from
xx.xx.xx.xx port 56885 ssh2
Feb 10 11:08:38 hostname sshd[4461]: pam_unix(sshd:session): session
opened for user xxxx by (uid=0)
Regards
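One common reason for a pam_unix failure that is immediately followed by "Accepted password" is that pam_unix rejects the password against the local shadow entry and a later module in the stack (pam_ldap, for instance) then accepts it; the thread above does not say whether that is the case here. Whatever the cause, a detection rule that alerts on every pam_unix(sshd:auth) failure will fire on successful logins like the one quoted. The following is an added example, not code from the thread: it groups /var/log/secure lines by sshd PID, separates failures that the same session later Accepted from failures that it did not, and counts only the latter per source host. The sample log lines are constructed in the layout quoted above; hosts, PIDs and user names are made up.

```python
"""Correlate pam_unix(sshd:auth) failures with the outcome of the same sshd session.

Added example, not from the thread. The sample log is constructed in the
/var/log/secure layout quoted above; hosts, PIDs and user names are made up.
"""
import re
from collections import defaultdict

# Constructed sample: one login that failed in pam_unix but was then Accepted
# (PID 4461), and two sessions from another host that really failed.
SAMPLE_SECURE_LOG = """\
Feb 10 11:08:38 hostname sshd[4461]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Feb 10 11:08:38 hostname sshd[4461]: Accepted password for alice from 192.0.2.10 port 56885 ssh2
Feb 10 11:08:38 hostname sshd[4461]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 10 11:09:02 hostname sshd[4470]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Feb 10 11:09:04 hostname sshd[4470]: Failed password for root from 198.51.100.7 port 40112 ssh2
Feb 10 11:09:05 hostname sshd[4471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Feb 10 11:09:07 hostname sshd[4471]: Failed password for root from 198.51.100.7 port 40113 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# \b keeps "ruser=" from being mistaken for "user=" and "rhost=" from matching inside other words
PAM_FAIL_RE = re.compile(
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S*).*\buser=(?P<user>\S*)"
)
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+)")


def sessions_by_pid(text):
    """Map sshd PID -> list of messages in log order (one PID = one connection)."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            sessions[m.group("pid")].append(m.group("msg"))
    return sessions


def classify(text):
    """Split pam_unix failures into those the same session later Accepted
    (stack fallback noise) and those it did not (genuine failed logins)."""
    result = {"fallback_ok": [], "real_failure": []}
    for pid, msgs in sessions_by_pid(text).items():
        fails = [f for f in (PAM_FAIL_RE.search(m) for m in msgs) if f]
        if not fails:
            continue
        accepted = any(ACCEPTED_RE.match(m) for m in msgs)
        rec = {"pid": pid, "user": fails[0].group("user"), "rhost": fails[0].group("rhost")}
        result["fallback_ok" if accepted else "real_failure"].append(rec)
    return result


def failures_per_host(text, threshold=2):
    """Source hosts with at least `threshold` genuine failures: the ones worth alerting on."""
    counts = defaultdict(int)
    for rec in classify(text)["real_failure"]:
        counts[rec["rhost"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    import json
    print(json.dumps(classify(SAMPLE_SECURE_LOG), indent=2))
    print(failures_per_host(SAMPLE_SECURE_LOG))
```

Keying on the sshd PID is what makes this work: sshd forks one process per connection, so the pam_unix line and the Accepted/Failed line for the same attempt carry the same PID even when several logins land in the same second.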
1.2.8 Windows sync agreement initialization
by Juan Carlos Camargo
Hi,
I'm running 389-ds version 1.2.8 on CentOS 5x and configured a windows
sync agreement against a 2003 active directory server. Everything works
as expected. However, every time I restart the directory server (service
dirsrv restart) I need to reinitialize the windows agreement. Messages
such as "Replica has no update vector. It has never been initialized"
continuously fill the error log until I proceed with the init. But
the replica was initialized and conversations between 389 and AD were
working nicely. And what I would not want at all is to lose any changes
made on either side as a result of the initialization process. My
question then, is this the normal behaviour?
Thanks!
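Rich's reply earlier on this page makes the point that winsync never appears in the access log, only in the errors log, and only usefully at the replication log level; Juan Carlos's post above quotes the "Replica has no update vector" message that shows up there. The following is an added example, not code from either thread or from the 389 project: a small parser for the errors-log line layout visible in the excerpts on this page, a filter for the NSMMReplicationPlugin lines (winsync logs under that plugin too), and the LDIF that switches the replication log level on. The sample log is constructed; the agreement name and AD host in it are made up.

```python
"""Extract replication/winsync messages from a 389 DS errors log.

Added example, not from either thread. The sample log is constructed in the
"[dd/Mon/yyyy:HH:MM:SS zone] Component - message" layout of the errors-log
excerpts on this page; the agreement name and AD host are made up.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?:(?P<component>\S+) )?- (?P<msg>.*)$")
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)')

# Constructed sample lines (the "no update vector" text is the one quoted in the
# thread; the agmt="..." prefix is the form 389 DS uses to name the agreement).
SAMPLE_ERRORS_LOG = """\
[21/Jan/2011:10:25:56 +0100] - slapd started.
[21/Jan/2011:10:26:01 +0100] NSMMReplicationPlugin - agmt="cn=winsync-ad" (ad01.example.com:636): Replica has no update vector. It has never been initialized.
[21/Jan/2011:10:26:02 +0100] NSMMReplicationPlugin - multimaster_be_state_change: replica dc=example,dc=com is going offline; disabling replication
[21/Jan/2011:10:26:03 +0100] - entrycache_clear_int: there are still 1 entries in the entry cache. :/
this line is not in the errors-log format and is skipped
"""

REPLICATION_LOG_LEVEL = 8192  # nsslapd-errorlog-level bit for replication debugging


def parse_errors_log(text):
    """Yield {'ts', 'component', 'msg'} per well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "component": m.group("component") or "",
            "msg": m.group("msg"),
        }


def replication_events(text):
    """Only NSMMReplicationPlugin lines; winsync logs under this plugin as well."""
    return [e for e in parse_errors_log(text) if e["component"] == "NSMMReplicationPlugin"]


def uninitialized_agreements(text):
    """Agreements reporting 'has no update vector' (never initialized / needs re-init)."""
    found = []
    for e in replication_events(text):
        if "no update vector" in e["msg"]:
            m = AGMT_RE.search(e["msg"])
            found.append(m.group("agmt") if m else "(agreement not named)")
    return found


def errorlog_level_ldif(level=REPLICATION_LOG_LEVEL):
    """LDIF for `ldapmodify -x -D 'cn=Directory Manager' -W` to switch the log
    level; set it back afterwards, replication logging is very chatty."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-errorlog-level\n"
        f"nsslapd-errorlog-level: {level}\n"
    )


if __name__ == "__main__":
    for e in replication_events(SAMPLE_ERRORS_LOG):
        print(e["ts"].isoformat(), e["msg"])
    print("never initialized:", uninitialized_agreements(SAMPLE_ERRORS_LOG))
    print(errorlog_level_ldif(), end="")
```

Pipe the live file through `replication_events` (for example `tail -f /var/log/dirsrv/slapd-INSTANCE/errors`) while the agreement is being initialized, and turn the log level back down once you have what you need: at 8192 the errors log grows fast on a busy master.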
Giving up 389ds
by Juan Carlos Camargo
I must say, I'm giving up the product. It seems that I'm unable to set up
a successful windows sync agreement to our active directory server. I
got tired of trying, googling, checking the list, posting, getting wrong
answers and so on.
Good luck!
FYI and OT: PAM Weirdness
by Gerrard Geldenhuis
Hi
I have seen an interesting problem which I thought would be useful for anyone on the list to know. I ran into it once too many times, so I'm sharing my solution to spare others the suffering. :D
If you have certificates in /etc/pki/tls/certs on a CentOS 5.5 box and one of the certificates has root:root 600 permissions, it will break LDAP login if you use certificates.
What happens is that as the client libs try to find the correct certificate, they cycle through all of the certificates (as shown by strace), find the correct certificate but also find an unreadable certificate, and then refuse to connect to the LDAP server for some tasks. You can log in but you will see something like the following:
Last login: Wed Feb 9 09:56:32 2011 from 10.5.11.44
id: cannot find name for user ID xxxx
id: cannot find name for group ID xxxx
id: cannot find name for user ID xxxx
[I have no name!@testbox ~]$
You will also see the following in /var/log/messages
Feb 9 09:53:01 testserver nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Feb 9 09:53:02 testserver nscd: nss_ldap: could not search LDAP server - Server is unavailable
Arguably the file permissions should never be 600, but it is also arguable that PAM and/or the other libs should not be so sensitive as to fail on only one file being wrong.
Regards
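The check Gerrard did by hand with strace can be scripted. The following is an added example, not code from the post: it lists every regular file in a certificate directory that lacks the world-read bit (the root:root 600 case described above, which a client process running as an unprivileged user cannot open), and separately flags anything that looks like a PEM private key, since the fix for a key is not to make it world-readable but to keep it 0600 and move it out of the certificate directory. The directory it audits by default is constructed in a temp dir with made-up file names so the script runs offline; pass a real path such as /etc/pki/tls/certs as the first argument to audit that instead.

```python
"""Find files in a TLS cert directory that an unprivileged LDAP client cannot read.

Added example, not from the post. It checks the condition Gerrard describes
(a root:root 0600 file in /etc/pki/tls/certs) and, separately, flags anything
that looks like a private key, which should not be made world-readable but
moved out of the cert directory. The sample directory is constructed in a
temp dir with made-up file names so the script runs offline.
"""
import os
import stat
import sys
import tempfile

PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def audit_cert_dir(cert_dir):
    """Return (unreadable, private_keys) as sorted lists of file names."""
    unreadable, private_keys = [], []
    for name in sorted(os.listdir(cert_dir)):
        path = os.path.join(cert_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # hash symlinks and subdirectories are not the issue here
        try:
            with open(path, "rb") as fh:
                head = fh.read(64)
        except PermissionError:
            unreadable.append(name)  # we cannot even inspect it; neither can nss_ldap
            continue
        if PRIVATE_KEY_MARKER in head:
            private_keys.append(name)
        elif not stat.S_IMODE(st.st_mode) & stat.S_IROTH:
            unreadable.append(name)  # missing o+r: a non-root client process will fail on it
    return unreadable, private_keys


def build_sample_dir():
    """Constructed fixture: a readable CA bundle, a 0600 cert (the failure case), a stray key."""
    d = tempfile.mkdtemp(prefix="certs-")
    files = {
        "ca-bundle.crt": (0o644, b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
        "ldap-server.crt": (0o600, b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
        "stray.key": (0o600, b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
    }
    for name, (mode, body) in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    unreadable, keys = audit_cert_dir(target)
    for name in unreadable:
        print(f"not world-readable (will break nss_ldap/pam_ldap as non-root): {name}")
    for name in keys:
        print(f"private key in cert dir (keep 0600, move it out): {name}")
```

Run it as the same unprivileged user the LDAP client code actually runs as (nscd, or the logging-in user) rather than as root; root can read a 0600 file and the mode check is the only thing that would still catch it.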
Announcing 389 Directory Server version 1.2.8 Alpha 2
by Rich Megginson
The 389 Project team is pleased to announce the release of
389-ds-base-1.2.8 Alpha 2. This release has fixes for bugs found in
1.2.8 alpha 1 testing and earlier releases.
Installation
yum install 389-ds
# or for EPEL
yum install 389-ds
setup-ds-admin.pl
Upgrade
yum upgrade 389-ds-base
# or for EPEL
yum upgrade 389-ds-base
setup-ds-admin.pl -u
How to Give Feedback
The best way to provide feedback is via the Fedora Update system. Each
update is broken down by package and platform. For example, if you are
using Fedora 13, and you have successfully installed or upgraded all of
the packages, and the console etc. work, then go to the links below
for Fedora 13 and provide feedback.
* 389-ds-base-1.2.8.a2
** EL-5 -
https://admin.fedoraproject.org/updates/389-ds-base-1.2.8-0.2.a2.el5
** Fedora 13 -
https://admin.fedoraproject.org/updates/389-ds-base-1.2.8-0.2.a2.fc13
** Fedora 14 -
https://admin.fedoraproject.org/updates/389-ds-base-1.2.8-0.2.a2.fc14
scroll down to the bottom of the page, and click on the Add a comment >>
link
* select one of the Works for me or Does not work radio buttons, add
text, and click on the Add Comment button
If you are using a build on another platform, just send us an email to
389-users(a)lists.fedoraproject.org
Reporting Bugs
If you find a bug, or would like to see a new feature, you can enter it
here - https://bugzilla.redhat.com/enter_bug.cgi?product=389
More Information
* Release Notes - http://port389.org/wiki/Release_Notes
* Install_Guide - http://port389.org/wiki/Install_Guide
* Download - http://port389.org/wiki/Download
Re: [389-users] Export/import with 389 DS 1.2.7.5
by Reinhard Nappert
I haven't seen any responses so far. Any idea?
Thanks,
-Reinhard
________________________________
From: Reinhard Nappert
Sent: Tuesday, February 01, 2011 9:40 AM
To: '389-users(a)lists.fedoraproject.org'
Subject: Export/import with 389 DS 1.2.7.5
Hi,
I have a working MM setup and I exported my db with db2ldif.pl with the -r option:
db2ldif.pl -D 'cn=Directory Manager' -w password -n userRoot -r -a /tmp/db_replica.ldif
The errors file does not indicate an issue:
[01/Feb/2011:09:23:59 -0500] - Beginning export of 'userRoot'
[01/Feb/2011:09:23:59 -0500] - export userRoot: Processed 1000 entries (10%).
[01/Feb/2011:09:23:59 -0500] - export userRoot: Processed 2000 entries (21%).
[01/Feb/2011:09:23:59 -0500] - export userRoot: Processed 3000 entries (32%).
[01/Feb/2011:09:24:00 -0500] - export userRoot: Processed 4000 entries (43%).
[01/Feb/2011:09:24:00 -0500] - export userRoot: Processed 5000 entries (54%).
[01/Feb/2011:09:24:00 -0500] - export userRoot: Processed 6000 entries (65%).
[01/Feb/2011:09:24:00 -0500] - export userRoot: Processed 7000 entries (76%).
[01/Feb/2011:09:24:00 -0500] - export userRoot: Processed 8000 entries (87%).
[01/Feb/2011:09:24:00 -0500] - export userRoot: Processed 9000 entries (98%).
[01/Feb/2011:09:24:00 -0500] - export userRoot: Processed 9160 entries (100%).
[01/Feb/2011:09:24:00 -0500] - Export finished.
and the ldif file itself looks fine to me as well.
Then, I tried to import the ldif file with
ldif2db.pl -D 'cn=Directory Manager' -w password -n userRoot -i /tmp/db_replica.ldif
This fails with the following errors log:
[01/Feb/2011:09:29:45 -0500] - Bringing userRoot offline...
[01/Feb/2011:09:29:45 -0500] NSMMReplicationPlugin - multimaster_be_state_change: replica o=umc is going offline; disabling replication
[01/Feb/2011:09:29:46 -0500] - entrycache_clear_int: there are still 1 entries in the entry cache. :/
[01/Feb/2011:09:29:49 -0500] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[01/Feb/2011:09:29:49 -0500] - import userRoot: Beginning import job...
[01/Feb/2011:09:29:49 -0500] - import userRoot: Index buffering is disabled.
[01/Feb/2011:09:29:49 -0500] - import userRoot: Processing file "/tmp/db_replica.ldif"
[01/Feb/2011:09:29:49 -0500] - BAD CACHE ASSERTION at ../ldap/servers/slapd/back-ldbm/cache.c/883: e->ep_refcnt > 0
Any idea what is going on there?
Thanks,
-Reinhard
389 DS is reseting connections
by Diego Woitasen
Hi,
I have 389 DS 1.2.7.5 running on Debian Squeeze. It was working fine,
but in the last few days the process started to hang very often. I restart
the service, it works fine for a few minutes and hangs again. The process
is running and accepts connections, but resets them.
The only error message that I see is from ldapsearch:
ldap_start_tls: Can't contact LDAP server (-1)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I ran ldapsearch under strace; the last lines:
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("140.191.48.138")}, 16) = 0
write(3, "0\35\2\1\1w\30\200\0261.3.6.1.4.1.1466.20037", 31) = 31
poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, -1) = 1 ([{fd=3, revents=POLLIN|POLLERR|POLLHUP}])
read(3, 0x11ed85f, 8) = -1 ECONNRESET (Connection reset by peer)
write(2, "ldap_start_tls: Can't contact LD"..., 47ldap_start_tls:
Can't contact LDAP server (-1)
) = 47
write(2, "ldap_sasl_bind(SIMPLE): Can't co"...,
55ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
) = 55
exit_group(-1)
I tried to trace ns-slapd, but I don't see anything special (except
the ENOTCONN error in getpeername(), but that's on a different FD):
2007 accept(6, {sa_family=AF_INET, sin_port=htons(53395), sin_addr=inet_addr("140.191.48.138")}, [16]) = 34
2007 fcntl(34, F_GETFL) = 0x2 (flags O_RDWR)
2007 fcntl(34, F_SETFL, O_RDWR|O_NONBLOCK) = 0
2007 fcntl(34, F_DUPFD, 64) = 64
2007 close(34) = 0
2007 setsockopt(64, SOL_TCP, TCP_NODELAY, [0], 4) = 0
2007 getpeername(64, {sa_family=AF_INET, sin_port=htons(53395), sin_addr=inet_addr("140.191.48.138")}, [16]) = 0
2007 getsockname(64, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("140.191.48.138")}, [16]) = 0
2007 getpeername(7, 0x7fff1acd6e90, [112]) = -1 ENOTCONN (Transport endpoint is not connected)
2007 poll([{fd=22, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=-1}, {fd=64, events=POLLIN}], 5, 250) = 1 ([{fd=64, revents=POLLIN}])
2007 close(64) = 0
2007 getpeername(7, 0x7fff1acd6e90, [112]) = -1 ENOTCONN (Transport endpoint is not connected)
2007 poll([{fd=22, events=POLLIN}, {fd=6, events=POLLIN}, {fd=7, events=POLLIN}, {fd=-1}], 4, 250 <unfinished ...>
2010 <... select resumed> ) = 0 (Timeout)
2010 select(0, NULL, NULL, NULL, {0, 100000} <unfinished ...>
2012 <... select resumed> ) = 0 (Timeout)
Any hint to help find the problem? I tried different slapd log
levels but I don't see anything special. I don't expect a magical
solution, only a hint to discover what's happening.
Regards,
Diego
--
Diego Woitasen
Admin Server not showing Indexes
by Techie
Hi All,
I am using CentOS-DS running on CentOS 5.5 Final. Package versions are below.
I am having an issue where when I create indexes either with
db2index.pl or with an ldap add operation using the cn=index task, my
indexes do not show up in the graphical admin server tool. I get no
errors and the error log says the indexes finish fine. The indexes
also show up under /var/lib/dirsrv/slapd-instance/dbname with a .db4
extension. Has anyone seen this behaviour?
Thank you
##centos-ds-base-8.1.0-0.14.el5.centos.2##
Name : centos-ds-base Relocations: (not relocatable)
Version : 8.1.0 Vendor: CentOS
Release : 0.14.el5.centos.2 Build Date: Thu 14 May
2009 03:41:49 PM CEST
Install Date: Thu 20 Jan 2011 05:22:15 PM CET Build Host:
builder16.centos.org
Group : System Environment/Daemons Source RPM:
centos-ds-base-8.1.0-0.14.el5.centos.2.src.rpm
Size : 4940514 License: GPLv2 with exceptions
Signature : DSA/SHA1, Wed 27 May 2009 12:32:59 AM CEST, Key ID
a8a447dce8562897
URL : http://www.centos.org/
Summary : CentOS Directory Server (base)
Description :
CentOS Directory Server is an LDAPv3 compliant server. The base
package includes
the LDAP server and command line utilities for server administration.
##centos-ds-console-8.1.0-5.el5.centos.2##
Name : centos-ds-console Relocations: (not relocatable)
Version : 8.1.0 Vendor: CentOS
Release : 5.el5.centos.2 Build Date: Thu 14 May
2009 03:37:52 PM CEST
Install Date: Thu 20 Jan 2011 05:22:20 PM CET Build Host:
builder16.centos.org
Group : Applications/System Source RPM:
centos-ds-console-8.1.0-5.el5.centos.2.src.rpm
Size : 1732555 License: GPLv2
Signature : DSA/SHA1, Wed 27 May 2009 12:32:59 AM CEST, Key ID
a8a447dce8562897
URL : http://www.centos.org/
Summary : CentOS Directory Server Management Console
Description :
A Java based remote management console used for Managing CentOS
Directory Server.
##centos-ds-8.1.0-1.el5.centos.2##
Name : centos-ds Relocations: (not relocatable)
Version : 8.1.0 Vendor: CentOS
Release : 1.el5.centos.2 Build Date: Thu 14 May
2009 12:22:43 AM CEST
Install Date: Thu 20 Jan 2011 05:22:21 PM CET Build Host:
builder16.centos.org
Group : System Environment/Daemons Source RPM:
centos-ds-8.1.0-1.el5.centos.2.src.rpm
Size : 136 License: GPL plus exception
Signature : DSA/SHA1, Wed 27 May 2009 12:32:59 AM CEST, Key ID
a8a447dce8562897
URL : http://www.centos.org/
Summary : CentOS Directory, Administration, and Console Suite
Description :
The CentOS Directory Server, Administration Server, and Console Suite provide
the LDAPv3 server, the httpd daemon used to administer the server, and the
console GUI application used for server and user/group administration.
##centos-ds-admin-8.1.0-9.el5.centos.1##
Name : centos-ds-admin Relocations: (not relocatable)
Version : 8.1.0 Vendor: CentOS
Release : 9.el5.centos.1 Build Date: Wed 13 May
2009 06:37:23 PM CEST
Install Date: Thu 20 Jan 2011 05:22:18 PM CET Build Host:
builder16.centos.org
Group : System Environment/Daemons Source RPM:
centos-ds-admin-8.1.0-9.el5.centos.1.src.rpm
Size : 1052283 License: GPLv2
Signature : DSA/SHA1, Wed 27 May 2009 12:32:59 AM CEST, Key ID
a8a447dce8562897
URL : http://www.centos.org/
Summary : CentOS Administration Server (admin)
Description :
CentOS Administration Server is an HTTP agent that provides management features
for CentOS Directory Server. It provides some management web apps that can
be used through a web browser. It provides the authentication, access control,
and CGI utilities used by the console.