We have a master-master replication agreement. When we initialize the replication it works perfectly: we can see changes to a test user we have set up go back and forth between the two servers. However, at some point the replication stops and we cannot get replication to start again. The only way we can get replication to start again is to recreate the replication agreement, and then it fails again. Can anyone please point us in a direction? I am relatively new to 389, so any help would be greatly appreciated.
Santos U. Ramirez
Linux Systems Administrator
National DCP, LLC
150 Depot Street
Bellingham, Ma. 02019
I would like help understanding how password synchronization between
Directory Server and AD (Windows 8) works. I have configured one-way
synchronization (LDAP->AD) and have not installed the Windows-side PassSync.
The Directory Server stores passwords in SHA256, and I can only
synchronize passwords with AD if I change the password in plain text
with the ldappasswd command. (I know that this password is stored in the
How do I set up synchronization between the Directory Server and AD with
different encryption in one direction (ldap->ad), without putting
passwords in plain text?
I would like to know how I can use memberOf or member attributes to assign
an appropriate gidNumber to my users to avoid this error: id: can not find
the name of the group identifier 38468
Hi, below is my sssd.conf.
With the setting below, users can't log in,
but if I remove ldap_access_filter, then all users can access.
What am I doing wrong?
I just want users from the "techops" group to access this server.
Any help would be greatly appreciated.
config_file_version = 2
services = nss, pam
domains = LDAP
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://auth2.xxxxxx.lan/,ldap://auth1.xxxxxxxlan/
ldap_search_base = l=uk,dc=xxxx,dc=lan
ldap_tls_reqcert = demand
cache_credentials = true
enumerate = true
debug_level = 10
ldap_tls_cacertdir = /etc/openldap/xxx/
ldap_tls_cert = /etc/openldap/cacerts/CA-xxx.crt
access_provider = ldap
ldap_access_filter = memberUid=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan
#entry_cache_timeout = 600
#ldap_network_timeout = 3
and the log I get from the secure file:
2013-05-28T22:13:02.782543+01:00 uk-xxxxx-1 sshd: pam_sss(sshd:auth):
received for user mtest: 9 (Authentication service cannot retrieve
2013-05-28T22:13:04.597478+01:00 uk-xxxx-1 sshd: Failed password for
mtest from xxx.xx.xx.xx port 52664 ssh2
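The access-control part of the sssd.conf above, as an added example that is not from the original post, showing why the posted filter denies everyone and two ways to express the "techops only" rule; the section headers, the ldap_tls_cacert key and the obfuscated host names are assumptions, and every other key stays as posted.

```ini
# Added example, not the poster's file. Section headers are assumed;
# the scraped post lost them. Placeholders (xxxx) are kept from the post.
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://auth2.xxxxxx.lan/,ldap://auth1.xxxxxx.lan/
ldap_search_base = l=uk,dc=xxxx,dc=lan
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/xxx/
# The post gives a CA certificate to ldap_tls_cert, which is the key for a
# client certificate. The CA file belongs in ldap_tls_cacert (assumed fix).
ldap_tls_cacert = /etc/openldap/cacerts/CA-xxx.crt
cache_credentials = true
enumerate = true

# --- As posted (fails closed: nobody can log in) ---
# ldap_access_filter is ANDed with the search for the *user* entry, so it
# must name attributes of that user. With ldap_schema = rfc2307 the group
# lists its members as memberUid values on the *group* entry, and the user
# entry carries no memberUid, so this filter never matches and every login
# is denied. Dropping the filter, as the poster tried, leaves
# access_provider = ldap with no filter, which allows every LDAP user
# (fails open), so neither state is what was wanted.
#access_provider = ldap
#ldap_access_filter = memberUid=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan

# --- Fix for memberUid-style (rfc2307) groups ---
# The simple access provider checks the group list that the id provider
# already resolved for the user, so a posixGroup with memberUid works
# directly and users outside the listed groups are denied.
access_provider = simple
simple_allow_groups = techops

# --- Alternative when the server keeps memberOf on user entries ---
# (e.g. 389 MemberOf plugin populating memberOf from rfc2307bis groups
# that list members by DN). Then a user-entry attribute exists to filter on.
#access_provider = ldap
#ldap_access_order = filter
#ldap_access_filter = (memberOf=cn=techops,ou=groups,l=uk,dc=xxxx,dc=lan)
```

After changing the file, clear the sssd cache (sss_cache -E) and restart sssd, then retest with a user inside and one outside techops so that both the allow and the deny paths are confirmed.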
I enabled the Posix Winsync API and everything worked. Afterwards I decided to change to
older versions of Windows Posix attributes as described in the documentation:
And now replication doesn't work. I looked at the error log and got:
"uidNumber/gidNumber required by object class "posixAccount""
But in my Active Directory, I want to synchronise some users who don't have
Is it possible, or do I need to synchronize only users with posix attributes
when this plug-in is enabled?
Computer: CentOS 6.4
Just to recount an experience in the hope that it saves someone else some trouble.
I was trying to use the ./db2index.pl script to regenerate my indexes, and the script point-blank refused to work, telling me:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
To debug this, hack the db2index.pl script to pass the "-d 1" parameter to ldapsearch, which tells ldapsearch to give debug messages instead of the cryptic failure message.
In my case it revealed that db2index.pl was trying to contact the externally accessible public IP of the box on port 389, instead of localhost as it should have in my case. To fix the problem I had to manually hack the script.
Ideally this script shouldn't make blind assumptions as to the name of the LDAP server, but leave it up to the caller.
I am still really struggling with something that should be a simple query, but isn't. I have a filter that returns just one single result, as follows:
[25/May/2013:20:54:16 +0100] conn=82 op=10 SRCH base="o=Foo,c=GB" scope=2 filter="(&(associatedDomain=example.com)(!(associatedDomain=host.example.com)))" attrs="associatedDomain"
[25/May/2013:20:54:17 +0100] conn=82 op=10 RESULT err=4 tag=101 nentries=1 etime=1 notes=U
This query however returns the following error:
Search error 4: Size limit exceeded
The "notes=U" in the log gives an excessively cryptic clue: the query wasn't indexed, and the error message seems to be misleading, as it doesn't seem to be the size limit that is exceeded, but rather the time limit.
I have indexed the associatedDomain attribute as follows:
dn: cn=associatedDomain,cn=default indexes,cn=config,cn=ldbm database,cn=plu
Am I correct in understanding that an "eq" index is not enough to handle the "not" part of the filter above?
What do you have to do to index a "not" filter?
I encountered a similar issue.
I got it when creating an index with the vlvindex command, which was
apparently not correct.
The index creation failed with a segfault, and after that I could not
start the server anymore.
I was also unable to delete the index, since LDAP was not up.
The error log also showed the rebuilding of the database, with no
I also tried deleting the VLV-named file I found somewhere, with no success.
Finally because of time pressure I just started over (by removing
everything with remove-ds-admin.pl).
I did find an SELinux entry: SELinux is preventing /bin/bash from
search access on the directory
This might have been a cause for the issue, but I am unsure.
I think this situation should somehow be fixable, but I had no clue how.
Now I am off doing a reinstall and a re-import.
Hope this helps anyone, if anyone knows what to do, please post :).
We are using Red Hat Enterprise Directory Server (which is a stable 389).
We have been using the retro changelog plugin from the old iPlanet
server for synchronisation to other systems.
Yesterday we noticed that for some reason, when an LDAP modification
is made, 2 entries turn up in the changelog LDAP tree.
It does not seem to happen when the 389-console client is used and a
change is made directly to an account with it,
but when an LDAP modify is done, while the slapd access logs shows 1
modification, the changelog has two entries.
This seems to be a bug.
Does anyone know how to solve this?
I have not found anybody having the issue and nothing in the
These duplicate entries might result in performance issues on the
Any help is greatly appreciated!
I am trying LDAP authentication for users logging in to CentOS via PAM. I have also disabled (off) the nsslapd-anonymous-access flag to restrict anonymous access, providing a binddn and bindpw instead.
I have changed binddn and bindpw in /etc/ldap.conf so that PAM binds to LDAP to authenticate the user.
I.e., when a user tries to ssh in, PAM reads /etc/ldap.conf, binds to LDAP and authenticates the corresponding user.
User authentication is not working every time; i.e., sometimes the user is authenticated and sometimes the user is not.
I have verified that the tools 389 FDS, nscd and sssd are properly running on CentOS.
I have tried doing an ldapsearch for the corresponding user. The result shows the user properly.