On 03/09/2011 10:11 AM, Stephen Agar wrote:
> I've seen multiple different types of changes in there flagged as this
> - Some was a custom "directory string" attribute, being changed from
> value notActivated to activated
I suppose this might be a problem if the schema were somehow different
between the two servers, which could happen if you added the schema via
a file and not via LDAP.
> - Some password account lockout attributes, resettime, etc.
> - Most are modifications to the "memberof" attribute, which is set by
> the member plugin
memberof should not be replicated - see
there is an Important Note on that page about replicating memberof
> - Some are password changes
I suppose this could be possible if the password policy is different on
the supplier and the consumer
> In all cases that I've checked, the data seems to be correct and
> consistent across all 4 nodes.
> Thanks for any insight.
> On Tue, Mar 8, 2011 at 3:21 PM, Rich Megginson <rmeggins(a)redhat.com> wrote:
> On 03/08/2011 11:17 AM, Stephen Agar wrote:
>> I have a 4 server multi master replication setup going on. We
>> get a lot of errors like this:
>> NSMMReplicationPlugin - agmt="cn="Replication to server""
>> (server:636): Consumer failed to replay change (uniqueid
>> 2365a885-b85511df-ad54b6ca-51ecbecb, CSN 4d6ceae5000700010000):
>> DSA is unwilling to perform. Will retry later.
>> I've used cl-dump on all four nodes to dump the logs and track
>> these down. However, all of the "offending" changes that say
>> they weren't made do indeed seem to be applied on all 4 nodes.
> What are these changes? What operations, attributes, values, etc.
>> Is there a command I can use to remove specific entries from the
>> changelog? In the past, I've just re-initialized nodes to get
>> rid of these, but that's certainly not the preferred way to do this.
>> 389 users mailing list
>> 389-users(a)lists.fedoraproject.org
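The "memberof should not be replicated" point above, as an added configuration example (not from the thread): the attribute is kept out of a replication agreement with a fractional replication list, and the MemberOf plugin is enabled on every supplier so each one computes memberOf locally. The agreement name, suffix and DNs are placeholders.

```ldif
# Added example, not from the thread. Placeholder agreement/suffix DNs.
# 1) Exclude memberOf from the changes this agreement sends.
dn: cn=Replication to server,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsDS5ReplicatedAttributeList
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberOf

# 2) The MemberOf plugin must be on at every supplier in the topology,
#    otherwise entries on that server lose their memberOf values.
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
```

Apply the same fractional list to each agreement in the mesh; an agreement that still replicates memberOf will keep producing "unwilling to perform" replays on the receiving side, where the plugin already owns that attribute.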
I have a 4 server multi master replication setup going on. We get a lot of
errors like this:
NSMMReplicationPlugin - agmt="cn="Replication to server"" (server:636):
Consumer failed to replay change (uniqueid
2365a885-b85511df-ad54b6ca-51ecbecb, CSN 4d6ceae5000700010000): DSA is
unwilling to perform. Will retry later.
I've used cl-dump on all four nodes to dump the logs and track these down.
However, all of the "offending" changes that say they weren't made do indeed
seem to be applied on all 4 nodes. Is there a command I can use to remove
specific entries from the changelog? In the past, I've just re-initialized
nodes to get rid of these, but that's certainly not the preferred way to do
I hope you can help me in order to set up my first 389 Server.
My situation: fresh install of 389 (Fedora 14), installed the DS via
yum from the standard repos. Everything seems to work properly, DNA as well.
Basically I've got 2 problems and 1 question.
First of all, I work with the 389 console:
1) Adding a new group (e.g. administrator) I see that there is not the GID
attribute and I have to add it (by hand) every time (Advanced properties
---> Object class ---> Add value ---> Posix Group); it's very boring :-)
How can I fix this issue? In general, is it possible to modify the basic
DIT? Indeed I'd like to add much more information (manager, company, ...and
so on) for each new user in a fast way.
2) I'm writing a Web interface able to manage user accounts (e.g. password).
For some operations (reset pw) I need a Bind DN user, right? Ok, please
could you help me write an ACL (principle of least privilege) for this
user? I don't like to use the directory manager (cn=directory manager). My
idea is to create a new user able to handle only his OU, and nothing else!
3) I have a PKI. Can I manage (store) user keys (public and private)
directly through 389? If so, how? Could you point me in the right
Thank you very much.
have a nice weekend
Andrea Modesto Rossi
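One way to scope a password-reset bind account to a single OU, as an added example (not part of the thread or the 389 project docs); the DNs and attribute names are placeholders. The ACI is placed on the OU entry itself, so it grants nothing outside that subtree, and the bind account lives in a different OU so the rule cannot reach its own entry.

```ldif
# Added example, not from the thread. Placeholder DNs:
# the web app binds as uid=pwreset,ou=Services,dc=example,dc=com and may
# only write userPassword on entries under ou=People,dc=example,dc=com.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "pwreset may write userPassword in ou=People";
 allow (write)
 userdn = "ldap:///uid=pwreset,ou=Services,dc=example,dc=com";)
-
add: aci
aci: (targetattr = "uid || cn || mail")
 (version 3.0; acl "pwreset may locate entries in ou=People";
 allow (read, search, compare)
 userdn = "ldap:///uid=pwreset,ou=Services,dc=example,dc=com";)
```

No ACI is added for any other attribute or subtree, so a bind as uid=pwreset can find a user by uid/cn/mail and set userPassword, but cannot read or change anything else; verify with an ldapsearch and an ldapmodify bound as that account before wiring up the web interface.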
At $WORK we are having a discussion about the scalability of different
directory server products, and I thought I'd reach out and see if anyone had
any information that I could feed back into our dialogue. There are three
main points that I'm curious about. First, the statement was made that Red
Hat doesn't suggest RHDS 8.* for use in enterprise environments and instead
suggests an LDAP server that uses or comes with JBoss (OpenDS or OpenLDAP
maybe? I was a bit unclear on this point...). Second, 389/RHDS is in fact
just Sun Directory Server 5.0. And finally, that RHDS/389
isn't compatible with the following products:
Sun IdM v6.1, 7.2, 8.1.1
I'd really like to be able to provide some constructive feedback to
my colleagues, since this feels like a matter of misunderstanding and
an opportunity to educate each other.
Thanks in advance for any feedback!
Unfortunately I am stuck with a slightly older version of 389 at the moment, so if this is fixed in a later version then great; otherwise I include the details to try and reproduce.
Open admin console
Select Encryption tab and then click on settings button.
Select TLS tab and remove (uncheck) all ciphers below 128-bit level
Click OK, and save
Exit admin console
Restart admin server
Log into admin console again.
The unchecked ciphers removed a moment ago are checked again...
Monitoring the audit log does show that changes are being made; I need to go through it with a fine-tooth comb though.
Any thoughts on why this is happening: a bug, a feature to protect against dumb users maybe?
I have a classic Class of Service that I want to modify. Currently it
applies one attribute on each assigned entry. I have three other
attributes that I'd like to have the same CoS apply. I'm not sure how to
identify more than one cosattribute. Do I simply add multiple
cosattribute attributes to the CoS definition or is there a format for
listing multiple attribute values in the cosattribute attributes in the
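As an added example (not from the thread), a classic CoS definition that supplies several attributes from one template: cosAttribute is multi-valued, so each generated attribute is listed as its own cosAttribute value, optionally followed by a qualifier such as default or override. Attribute names, the specifier and all DNs are placeholders.

```ldif
# Added example, not from the thread. Placeholder names and DNs.
# Definition entry: one classic CoS generating four attributes.
dn: cn=deptCoS,ou=People,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: ou=CoSTemplates,dc=example,dc=com
cosSpecifier: departmentNumber
cosAttribute: mailQuota
cosAttribute: diskQuota
cosAttribute: mailHost override
cosAttribute: sessionTimeout default

# Template chosen for entries whose departmentNumber is 42 (the template
# cn matches the specifier value); it carries every attribute named above.
dn: cn=42,ou=CoSTemplates,dc=example,dc=com
objectClass: top
objectClass: extensibleObject
objectClass: cosTemplate
mailQuota: 500
diskQuota: 2000
mailHost: mail.example.com
sessionTimeout: 3600
```

With "override" the template value wins even if the entry stores its own mailHost; with "default" (or no qualifier) a value stored on the entry takes precedence over the template.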
Recently I had SSL certs expire on my directory servers. Currently I have
one running without using an SSL cert; the secondary server is still set to
use the old cert and as such it is not functioning. On the primary server
the admin server has been set to use a new self-signed cert but we are
locked out of that. Is there a way to change what cert the LDAP server will
load without the use of the admin server?