Use of Mfwk in DSEE

Hello,
Can anyone explain the use of Mfwk in DSEE 6.3? Can anyone provide links to documents/examples for Mfwk?
Can I use Mfwk to notify an LDAP change from one Java component to another Java component (similar to plugin functionality)?
Regards,
Srini

The Java ES monitoring framework is for exposing instrumentation on a single server instance, http://docs.sun.com/app/docs/doc/820-2765/fnyvg
For change notification, you'll either want to let the data propagate by replication, http://docs.sun.com/app/docs/doc/820-2765/fnysf, or by taking changes from the change log (also referenced in that chapter).
How to set up replication and the retro change log is all described in the admin guide.
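
Taking changes from the change log, as suggested above, can be sketched as follows. This is an added example, not code from the thread or from the Sun documentation: it parses LDIF exported from the change log and produces one audit line per change, redacting password values. The `cn=changelog` suffix, the attribute names (`changeNumber`, `targetDn`, `changeTime`, `changeType`, `changes`) and the sample entries are assumptions constructed for illustration.

```python
import base64

SENSITIVE = {"userpassword"}  # values never copied into the audit file


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_changelog(ldif_text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for line in unfold(ldif_text) + [""]:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):      # "attr:: value" carries base64
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def summarize_modify(changes_text):
    """Turn the LDIF modifications stored in 'changes' into 'op attr=value' strings."""
    mods, op = [], None
    for line in changes_text.splitlines():
        if line == "-" or not line:   # "-" closes one modification
            op = None
            continue
        name, _, rest = line.partition(":")
        if op is None and name in ("add", "delete", "replace"):
            op = name
            mods.append([op, rest.strip(), []])
        elif op is not None:
            hidden = name.lower() in SENSITIVE
            mods[-1][2].append("<redacted>" if hidden else rest.lstrip(": ").strip())
    return ["%s %s=%s" % (o, a, ",".join(v) if v else "*") for o, a, v in mods]


def audit_lines(entries, after=0):
    """Audit lines for entries whose changeNumber is greater than 'after', in order."""
    rows = []
    for e in entries:
        if "changenumber" not in e:
            continue
        num = int(e["changenumber"][0])
        if num <= after:
            continue
        ctype = e.get("changetype", ["?"])[0]
        detail = ""
        if ctype == "modify" and "changes" in e:
            detail = "; ".join(summarize_modify(e["changes"][0]))
        rows.append((num, "%s #%d %s %s %s" % (
            e.get("changetime", ["-"])[0], num, ctype,
            e.get("targetdn", ["-"])[0], detail)))
    return [text.rstrip() for _, text in sorted(rows)]


def _b64(text, width=60):
    """Base64-encode and fold a value the way an LDIF writer folds long lines."""
    data = base64.b64encode(text.encode()).decode()
    return "\n ".join(data[i:i + width] for i in range(0, len(data), width))


# Constructed sample, shaped like an LDIF export of the change log suffix.
SAMPLE_LDIF = "\n".join([
    "dn: changenumber=41,cn=changelog",
    "changeNumber: 41",
    "targetDn: uid=jdoe,ou=emp,dc=abc,dc=com",
    "changeTime: 20240105101500Z",
    "changeType: modify",
    "changes:: " + _b64("replace: telephoneNumber\ntelephoneNumber: +1 555 0100\n-\n"),
    "",
    "dn: changenumber=42,cn=changelog",
    "changeNumber: 42",
    "targetDn: uid=jdoe,ou=emp,dc=abc,dc=com",
    "changeTime: 20240105101502Z",
    "changeType: modify",
    "changes:: " + _b64("replace: userPassword\n"
                        "userPassword: {SSHA}constructed-not-a-real-hash\n-\n"
                        "replace: modifiersName\n"
                        "modifiersName: cn=directory manager\n-\n"),
    "",
    "dn: changenumber=43,cn=changelog",
    "changeNumber: 43",
    "targetDn: uid=old,ou=emp,dc=abc,dc=com",
    "changeTime: 20240105101507Z",
    "changeType: delete",
    "",
])

if __name__ == "__main__":
    for line in audit_lines(parse_changelog(SAMPLE_LDIF), after=41):
        print(line)
```

A poller would store the highest change number it has written and pass it as `after` on the next run, so each committed change is logged once.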

Similar Messages

  • How to use trigger/plugin in DSEE 6.3.1

    Hi All,
    I have DSEE 6.3.1 installed and would like to set up a trigger whenever an application user changes some attributes in LDAP. I googled and came across that we can use triggers, but I am not sure how to use those. Are triggers the same as plugins, or does one of the built-in plugins provide trigger functionality?
    The requirement is: whenever an application owner changes any attribute in LDAP, I want to set a trigger and get that changed value in a plain text file for audit purposes. The trigger should work post-commit and not pre-commit; I just want to confirm the changes have been written in LDAP.
    I found the following plugins available in DSEE 6.3.1:
    7-bit check
    ACL Plugin
    ACL preoperation
    Binary Syntax
    Boolean Syntax
    CLEAR
    CRYPT
    Case Exact String Syntax
    Case Ignore String Syntax
    CaseExactMatch Plugin
    Class of Service
    Country String Syntax
    DES
    DSMLv2-SOAP-HTTP
    Distinguished Name Syntax
    Generalized Time Syntax
    Integer Syntax
    Internationalization Plugin
    MemberOf Plugin
    Monitoring Plugin
    Multimaster Replication Plugin
    NS-MTA-MD5
    ObjectDeletionMatch
    Octet String Syntax
    Pass Through Authentication
    Postal Address Syntax
    RMCE
    Replication Repair
    Retro Changelog Plugin
    Roles Plugin
    SHA
    SSHA
    State Change Plugin
    Strong Password Check
    Telephone Syntax
    URI Syntax
    chaining database
    gle
    ldbm database
    pswsync
    referential integrity postoperation
    subtree entry counter for departments in domains
    subtree entry counter for domains within a domain
    subtree entry counter for mail lists
    subtree entry counter for nested departments
    subtree entry counter for total domains
    subtree entry counter for users
    uid uniqueness
    value counter for departments
    value counter for mail lists
    Request your help in this issue.

    I am trying to use the regular ldapsearch command from the command line and not any C/Java code, like:
    ldapsearch -D "cn=directory manager" -p 1389 -h localhost -w abcd1234 -r -C PS:any:1:0 -b dc=abc,dc=com ou=emp
    Despite using the -r and -C options, it just exits after displaying the entries below:
    ou=emp,dc=abc,dc=com
    ou=emp
    objectClass=top
    objectClass=organizationalUnit
    I also tried the command below:
    ldapsearch -D "cn=directory manager" -p 1389 -h localhost -w abcd1234 -r -C PS:any:1:0 -b dc=techm,dc=com objectclass=person
    It displays a long list and just exits; I am not sure why it's not doing the persistent search after using the -r and -C options.
    Please give me some good ideas on this.

  • Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail

    Hello all,
    We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
    The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
    Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
    That is, if we just take strings like these:
    usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
    usecrypt:DD2kEwCD8nies:10220::::::
    Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords known only to them?
    If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
    Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
    Thanks,
    //Jim

  • Migration Users with MD5 Passwords to Directory Server 6.1 on Solaris 10

    Hi,
    We currently have a requirement to migrate some users from an application database to inside LDAP. Currently the application maintains the passwords in MD5 hash form, a typical 32-digit hex value: 41da76f0fc3ec62a6939e634bfb6a342
    Is there a way we can migrate these users' passwords to Directory Server as-is, so that they don't end up facing the prospect of resetting post migration?
    I have done some of the initial groundwork but seem to be missing other critical info, if it's possible at all.
    I believe it's possible to configure the CRYPT password policy (which Directory Server uses from the underlying OS), as one of the plug-ins, in a way that the underlying CRYPT utility starts to process/provide/support MD5 hashes. I got it to work by using the command below on the DSEE instance:
    dsconf set-plugin-prop -p 389 CRYPT argument:'$md5$'
    But for some reason the MD5 hash that the Sun MD5 library provides does not match the original hash value. It's 22 chars long (as I have not specified any salt length), so I am assuming it's Base64 encoded. I have a Perl script which converts the original 32-digit hex values to a Base64-encoded representation (which I have also verified with other open source tools).
    Is there a way I can tweak the CRYPT utility or something so that it understands typical standard MD5 hashes? (I am confused between Sun MD5 and BSD (Linux) MD5; neither of them seems to match the standard MD5-generated value.)
    Any leads on this would be really helpful.

    Just to reclarify or throw more information:
    a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
    Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
    But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
    {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
    I used below command :
    pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
    The actual hash value from pwdhash is LiB/H70zXr3xfQPoXVuUQ1; the rest of the prefix is there to meet the RFC standard and as the salt and algorithm name separator.
    I am wondering if Sun MD5 uses a salt by default even when I haven't specified one, or whether DS does it. Or is there any other MD5 option that can be used?
    Thanks,
    Gaurav
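
The formats quoted in the two migration threads above (the shadow-file `$1$` and 13-character crypt strings, the `{crypt}$md5$` value printed by pwdhash, and the application's 32-digit hex MD5) can be told apart mechanically. The following added example, which is not code from the threads, classifies them and reproduces the hex-to-Base64 conversion quoted in the post. It assumes that only crypt(3)-style strings can be carried over under a `{crypt}` prefix and that the target system's crypt(3) recognises the identifier; the regular expressions are this example's own approximation of each format.

```python
import base64
import binascii
import re

B64C = r"[./0-9A-Za-z]"  # alphabet used inside crypt(3) hash strings

# Approximate shapes of each format (assumption of this example).
PATTERNS = [
    ("bsd-md5-crypt", re.compile(r"^\$1\$[^$]{0,8}\$" + B64C + r"{22}$")),
    ("sun-md5-crypt", re.compile(r"^\$md5(,rounds=\d+)?\$[^$]*\$\$?" + B64C + r"{22}$")),
    ("des-crypt", re.compile(r"^" + B64C + r"{13}$")),
    ("raw-md5-hex", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("raw-md5-base64", re.compile(r"^[A-Za-z0-9+/]{22}==$")),
]
CRYPT_KINDS = {"bsd-md5-crypt", "sun-md5-crypt", "des-crypt"}


def hex_md5_to_base64(hex_digest):
    """Re-encode a 16-byte MD5 digest from hex to standard Base64."""
    return base64.b64encode(binascii.unhexlify(hex_digest)).decode()


def classify(value):
    """Name the format of a stored password value, ignoring a {crypt} prefix."""
    bare = re.sub(r"^\{crypt\}", "", value.strip(), flags=re.I)
    for name, pattern in PATTERNS:
        if pattern.match(bare):
            return name
    return "unknown"


def userpassword_for(shadow_line):
    """Map one /etc/shadow line to (user, userPassword value or None).

    Only crypt(3)-style strings are carried over. Locked or empty fields
    ("*", "!!", "!<hash>") and raw digests return None, so those accounts
    are handled by a reset instead of being loaded with an unusable value.
    """
    fields = shadow_line.strip().split(":")
    user, stored = fields[0], fields[1] if len(fields) > 1 else ""
    if classify(stored) in CRYPT_KINDS:
        return user, "{crypt}" + stored
    return user, None


# Values quoted in the posts above, plus one constructed locked account.
SHADOW_LINES = [
    "usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116",
    "usecrypt:DD2kEwCD8nies:10220::::::",
    "locked:!!:10220::::::",  # constructed
]
APP_MD5_HEX = "41da76f0fc3ec62a6939e634bfb6a342"
PWDHASH_OUTPUT = "{crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1"

if __name__ == "__main__":
    for line in SHADOW_LINES:
        print(userpassword_for(line))
    b64 = hex_md5_to_base64(APP_MD5_HEX)
    # A 16-byte digest is 22 Base64 characters without padding, the same
    # length as the hash part of an MD5-based crypt string. The crypt
    # variants are salted, iterated constructions with their own alphabet,
    # so equal length does not mean the values are comparable.
    print(b64, len(b64.rstrip("=")), classify(APP_MD5_HEX), classify(PWDHASH_OUTPUT))
```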

  • Using DSEE 6.3.1 on T2000 - cool threads

    I'm starting to wonder if we purchased the wrong hardware for our LDAP server upgrade. We are replacing DS5.2 on Solaris 9 running on V240 hardware with DSEE 6.3.1 Solaris 10 on T2000 hardware.
    It seems the DSEE6.3.1 instance only takes advantage of one of the 32 cool thread processors, basically a waste for the rest of them. Furthermore, it seems that each of the 32 cool thread processors runs slower than the dual processor V240 by about 20% (using LDAP SDK searchrate tool). I do note the CPU utilization being way down on the T2000 (10%) versus the V240 (60- 80%), but why the slower performance? We have enough RAM to fit the entire directory into memory - cache settings set appropriately for database cache and entry cache (99% hit ratio). Indexes are identical on the two systems.
    So, do all the observations I've made seem consistent with the T2000 design? Is there anything more I can do to improve performance? Is there any way to get the DSEE instance to use more than one cool thread concurrently? Would changing nsslapd-ds-home-directory to /tmp help with performance? I thought this should only be done on systems in which the entire directory could not fit into memory.

    DS 6.x cannot really make use of all the threads available in your T2000. In some cases, it has actually been observed that DS performance degrades when too many vcpus are available. The sweet spot seems to be around 12 - 16. One configuration that has been used in the past is to create a zone for the DS that only has 12 - 16 CPUs and then to run DPS on another zone to make use of the rest of the hardware resources.
    There is also the polling thread count, which was added to DSEE 6 specifically to remove a bottleneck encountered in the T2K platform. Before the T2K, there wasn't a need to consider more than one polling thread (that's the thread that manages the incoming request queue), but with so many vcpus, only having one polling thread was a significant bottleneck. You can experiment with raising that.
    That said, I would not really consider the T2K an ideal hardware platform for the DS. The new Nehalem or AMD rigs are likely to give you better bang for your buck.

  • When/how is dse.ldif used?

    Hello DS experts.
    We have ds 5.1 sp3 running on Solaris 8. It seems that by default we only have maximum of 1024 file descriptors.
    In file <server_root>/config/dse.ldif I see in the cn=config entry the attribute nsslapd-maxdescriptors. This attribute has value 1024.
    I want to increase the max FD to 4096 by editing /etc/system.
    Now, my question is.. when I reboot my system will the DS when it starts up change the nsslapd-maxdescriptors value from 1024 to 4096 automatically.. OR do I have to 'manually' set it after the DS (hopefully) restarts.
    Thanks in advance.

    From the OS level, you have to modify /etc/system and manually change that value for ulimit. After that you need to restart the Unix server to let the changes take effect.
    Then from the application level, you also have to increase your setting as mentioned.
    However, even though a 64-bit OS allows for 4096 FD, there is a limit on the application level. If your Directory Server is running in 32-bit mode, the actual FD will be up to 256, unless your DS is running in 64-bit mode.

    This is incorrect. A 32-bit directory server can use up to ~65k file descriptors assuming kernel/process limits and the application asks for them. I've run plenty of 32-bit DS servers with 4k file descriptors with no problem.

    As I experienced, you can set 4096 or whatever at the DS level. However, only 256 FD can be used. In an environment where you run a 32-bit application (DS or iDAR), when the total connections hit around 256, the service will become unstable, even though the service is still running.
    Please check the following link for more information.
    Thanks!

    * update /etc/system with fd settings
    * stop directory server
    * update limit in dse.ldif to 4096
    * bounce server
    Thanks!

  • How to use one certificate for two directory servers?

    Hi,
    running Sun DSEE 6.3.1 on two servers, server 1 has name ds1.example.com, server 2 has name ds2.example.com. There is a round robin DNS record ds.example.com, which alternates between:
    ds1.example.com
    ds2.example.com
    and
    ds2.example.com
    ds1.example.com
    An LDAP client connects to one of the servers over SSL using the name ds.example.com. We want to generate a certificate using the name ds.example.com and use it on both directory servers.
    If we generate a CSR using DSCC on server 1 and get back a signed certificate, the certificate can be installed correctly on server 1. However, if we use the same signed certificate on server 2 it fails with error:
    Unable to find private key for this certificate.
    Failed to add the certificate.
    Error executing the operation. The error code is 11.
    What is the correct way to generate one CSR, have it signed by a CA and then implement this signed certificate on multiple servers?
    /rolf

    From one Directory Server (ds1) generate CSR with the name ds.example.com in the request. Once you get the signed cert import it into the same server you generated CSR with. Then from ds1.example.com :
    scp -p <slapd install/instance path>/alias/* <account>@ds2.example.com:<slapd install/instance path>/alias/
    to copy the contents of the alias path to the same location on the other Directory Server. Make sure file permissions are the same.

  • Dsee 6.2, idsconfig, vlv index processing problems

    Hey Folks,
    I ran into a problem where the idsconfig script failed on creating 4 vlvindex entries. I had to modify the script to allow me to troubleshoot the problem. I ended up fixing the problem manually, but I'm still not too sure why it happened to begin with. It seems like a race condition, but I could be dead wrong. I thought it might have been the way I answered the idsconfig questions, but I went over it quite a bit. This post may be a bit long, but I want to provide enough information.
    - Solaris 10 08/07 fully patched (using smpatch) as of 1/10/2008
    - DSEE 6.2
    - idsconfig that comes bundled with Solaris 10 08/07
    - All this is being done inside a logical domain (ldom) on a T2000 using a file image as a disk
    The first thing I did was make the following modifications to the idsconfig script so it would not exit on error while adding vlv index entries, and also commented out the cleanup process so I could view the temp file created by idsconfig
    Original Code from the add_vlv_indexes() function:
             # Add the index.
             ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
             if [ $? -ne 0 ]; then
                 ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
                 cleanup
                 exit 1
             fi
    Same code, after my modifications:
             # Add the index.
             ${EVAL} "${LDAPMODIFY} -a ${LDAP_ARGS} -f ${TMPDIR}/vlv_index_${i} ${VERB}"
             if [ $? -ne 0 ]; then
                 ${ECHO} "  ERROR: Adding VLV index for ${i} failed!"
                 #cleanup
                 #exit 1
             fi
    Here is the full output of the way I used idsconfig to configure the directory:
    It is strongly recommended that you BACKUP the directory server
    before running idsconfig.
    Hit Ctrl-C at any time before the final confirmation to exit.
    Do you wish to continue with server setup (y/n/h)? [n] y
    Enter the JES Directory Server's  hostname to setup: machinename-ldom1
    Enter the port number for iDS (h=help): [389]
    Enter the directory manager DN: [cn=Directory Manager]    
    Enter passwd for cn=Directory Manager :
    Enter the domainname to be served (h=help): [example.edu]
    Enter LDAP Base DN (h=help): [dc=example,dc=edu]
      Checking LDAP Base DN ...
      Validating LDAP Base DN and Suffix ...
      sasl/GSSAPI is not supported by this LDAP server
    Enter the profile name (h=help): [default]
    Default server list (h=help): [10.1.8.15]
    Preferred server list (h=help):
    Choose desired search scope (one, sub, h=help):  [one]
    The following are the supported credential levels:
      1  anonymous
      2  proxy
      3  proxy anonymous
      4  self
      5  self proxy
      6  self proxy anonymous
    Choose Credential level [h=help]: [1] 2
    The following are the supported Authentication Methods:
      1  none
      2  simple
      3  sasl/DIGEST-MD5
      4  tls:simple
      5  tls:sasl/DIGEST-MD5
      6  sasl/GSSAPI
    Choose Authentication Method (h=help): [1] 2
    Current authenticationMethod: simple
    Do you want to add another Authentication Method? n
    Do you want the clients to follow referrals (y/n/h)? [n]
    Do you want to modify the server timelimit value (y/n/h)? [n]
    Do you want to modify the server sizelimit value (y/n/h)? [n]
    Do you want to store passwords in "crypt" format (y/n/h)? [n]
    Do you want to setup a Service Authentication Methods (y/n/h)? [n] y
    Do you want to setup a Service Auth. Method for "pam_ldap" (y/n/h)? [n] y
    The following are the supported Authentication Methods:
      1  simple
      2  sasl/DIGEST-MD5
      3  tls:simple
      4  tls:sasl/DIGEST-MD5
      5  sasl/GSSAPI
    Choose Service Authentication Method: [1] 1
    Current authenticationMethod: pam_ldap:simple
    Do you want to add another Authentication Method? n
    Do you want to setup a Service Auth. Method for "keyserv" (y/n/h)? [n]
    Do you want to setup a Service Auth. Method for "passwd-cmd" (y/n/h)? [n] y
    The following are the supported Authentication Methods:
      1  simple
      2  sasl/DIGEST-MD5
      3  tls:simple
      4  tls:sasl/DIGEST-MD5
      5  sasl/GSSAPI
    Choose Service Authentication Method: [1] 1
    Current authenticationMethod: passwd-cmd:simple
    Do you want to add another Authentication Method? n
    Client search time limit in seconds (h=help): [30]
    Profile Time To Live in seconds (h=help): [43200]
    Bind time limit in seconds (h=help): [10]
    Do you wish to setup Service Search Descriptors (y/n/h)? [n] n
                      Summary of Configuration
      1  Domain to serve               : example.edu
      2  Base DN to setup              : dc=example,dc=edu
      3  Profile name to create        : default
      4  Default Server List           : 10.1.8.15
      5  Preferred Server List         :
      6  Default Search Scope          : one
      7  Credential Level              : proxy
      8  Authentication Method         : simple
      9  Enable Follow Referrals       : FALSE
    10  iDS Time Limit                :
    11  iDS Size Limit                :
    12  Enable crypt password storage : FALSE
    13  Service Auth Method pam_ldap  : pam_ldap:simple
    14  Service Auth Method keyserv   :
    15  Service Auth Method passwd-cmd: passwd-cmd:simple
    16  Search Time Limit             : 30
    17  Profile Time to Live          : 43200
    18  Bind Limit                    : 10
    19  Service Search Descriptors Menu
    Enter config value to change: (1-19 0=commit changes) [0]
    Enter DN for proxy agent: [cn=proxyagent,ou=profile,dc=example,dc=edu] uid=admin-user,ou=People,dc=example,dc=edu
    Enter passwd for proxyagent:
    Re-enter passwd:
    ERROR: passwords don't match; try again.
    Enter passwd for proxyagent:
    Re-enter passwd:
    WARNING: About to start committing changes. (y=continue, n=EXIT) y
      1. Schema attributes have been updated.
      2. Schema objectclass definitions have been added.
      3. NisDomainObject added to dc=example,dc=edu.
      4. Top level "ou" containers complete.
      5. automount maps: auto_home auto_direct auto_master auto_shared processed.
      6. ACI for dc=example,dc=edu modified to disable self modify.
      7. Add of VLV Access Control Information (ACI).
      8. Proxy Agent uid=admin-user,ou=People,dc=example,dc=edu already exists.
      9. Give uid=admin-user,ou=People,dc=example,dc=edu read permission for password.
      10. Generated client profile and loaded on server.
      11. Processing eq,pres indexes:
              uidNumber (eq,pres)   Finished indexing.                 
              ipNetworkNumber (eq,pres)   Finished indexing.                 
              gidnumber (eq,pres)   Finished indexing.                 
              oncrpcnumber (eq,pres)   Finished indexing.                 
              automountKey (eq,pres)   Finished indexing.                 
      12. Processing eq,pres,sub indexes:
              ipHostNumber (eq,pres,sub)   Finished indexing.                 
              membernisnetgroup (eq,pres,sub)   Finished indexing.                 
              nisnetgrouptriple (eq,pres,sub)   Finished indexing.                 
      13. Processing VLV indexes:
              example.edu.getgrent vlv_index   Entry created
              example.edu.gethostent vlv_index   Entry created
              example.edu.getnetent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getpwent failed!
              example.edu.getpwent vlv_index   Entry created
              example.edu.getrpcent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getspent failed!
              example.edu.getspent vlv_index   Entry created
              example.edu.getauhoent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getsoluent failed!
              example.edu.getsoluent vlv_index   Entry created
      ERROR: Adding VLV index for example.edu.getauduent failed!
              example.edu.getauduent vlv_index   Entry created
              example.edu.getauthent vlv_index   Entry created
              example.edu.getexecent vlv_index   Entry created
              example.edu.getprofent vlv_index   Entry created
              example.edu.getmailent vlv_index   Entry created
              example.edu.getbootent vlv_index   Entry created
              example.edu.getethent vlv_index   Entry created
              example.edu.getngrpent vlv_index   Entry created
              example.edu.getipnent vlv_index   Entry created
              example.edu.getmaskent vlv_index   Entry created
              example.edu.getprent vlv_index   Entry created
              example.edu.getip4ent vlv_index   Entry created
              example.edu.getip6ent vlv_index   Entry created
    idsconfig: Setup of iDS server machinename-ldom1 is complete.
    Note: idsconfig has created entries for VLV indexes.  Use the
              directoryserver(1m) script on machinename-ldom1 to stop
              the server and then enter the following vlvindex
              sub-commands to create the actual VLV indexes:
      directoryserver -s inst_name vlvindex -n example -T example.edu.getgrent
      directoryserver -s inst_name vlvindex -n example -T example.edu.gethostent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getnetent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getpwent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getrpcent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getspent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getauhoent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getsoluent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getauduent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getauthent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getexecent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getprofent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getmailent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getbootent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getethent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getngrpent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getipnent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getmaskent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getprent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getip4ent
      directoryserver -s inst_name vlvindex -n example -T example.edu.getip6ent
    Since I still had the temp files to look through, I was able to find out what entries were not created, and manually added them myself without problems.
    The four entries were:
      ERROR: Adding VLV index for example.edu.getpwent failed!
      ERROR: Adding VLV index for example.edu.getspent failed!
      ERROR: Adding VLV index for example.edu.getsoluent failed!
      ERROR: Adding VLV index for example.edu.getauduent failed!
    I then was able to run the following commands successfully:
    dsadm reindex -l -t example.edu.getgrent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                   
    dsadm reindex -l -t example.edu.gethostent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getnetent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                  
    dsadm reindex -l -t example.edu.getrpcent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                  
    dsadm reindex -l -t example.edu.getspent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                   
    dsadm reindex -l -t example.edu.getauhoent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getauhoent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getsoluent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getauhoent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getauduent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getauthent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getexecent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getprofent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getmailent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getbootent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getethent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                  
    dsadm reindex -l -t example.edu.getngrpent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getipnent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                  
    dsadm reindex -l -t example.edu.getmaskent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                 
    dsadm reindex -l -t example.edu.getprent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                   
    dsadm reindex -l -t example.edu.getip4ent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu                                  
    dsadm reindex -l -t example.edu.getip6ent /usr/local/ds6-instances/slapd-inst_name dc=example,dc=edu
    I'm really not sure why I ran into this problem, and was hoping someone would be able to shine some light on something that I possibly could have done wrong. I have read blogs about others running this script on DSEE 6.x successfully, so thinking it's a bug doesn't seem right.
    If anyone wants me to test something or provide more info, I'd be happy to.
    Thanks for reading,
    Deejam
    Edited by: Deejam on Jan 14, 2008 3:44 PM
    Edited by: Deejam on Jan 14, 2008 7:57 PM

    Thanks for the response. Sorry about not including the logs. I should have. I have gathered the full logs during the time idsconfig was trying to add the vlvindex entries. I did see that there were a few err=32 codes on the ADD operations on the entries that I had to add manually.
    Here is one thing I did notice when I was adding the 4 entries manually. In each of the ldif files idsconfig creates, there are 2 entries as in the following example.
    dn: cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config                                                                                                                                                                                                          
    objectClass: top                                                                                                                                      
    objectClass: vlvSearch                                                                                                                                
    cn: example.edu_passwd_vlv_index                                                                                                                      
    vlvbase: ou=people,dc=example,dc=edu                                                                                                                  
    vlvscope: 1                                                                                                                                           
    vlvfilter: (objectClass=posixAccount)                                                                                                                 
    aci: (target="ldap:///cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config")(targetattr="*")(version 3.0; acl "Config";allow(read,search,compare)userdn="ldap:///anyone";)                                                                                                       
    dn: cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config                                                                                                                                                                              
    cn: example.edu.getpwent                                                                                                                              
    vlvSort: cn uid                                                                                                                                       
    objectclass: top                                                                                                                                      
    objectclass: vlvIndex
    After idsconfig was done running, the entry with the dn of "dn: cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config" was created, but the "dn: cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm" was not created.
    This is weird because according to the logs (if I am reading them right) the add operation for the dn that was actually created seemed like it failed.
    [14/Jan/2008:14:34:34 -0600] conn=115 op=-1 msgId=-1 - fd=54 slot=54 LDAP connection from 192.168.1.1:33406 to 192.168.1.1
    [14/Jan/2008:14:34:34 -0600] conn=115 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
    [14/Jan/2008:14:34:34 -0600] conn=115 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - ADD dn="cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config"
    [14/Jan/2008:14:34:34 -0600] conn=115 op=1 msgId=2 - RESULT err=32 tag=105 nentries=0 etime=0
    [14/Jan/2008:14:34:34 -0600] conn=115 op=2 msgId=3 - UNBIND
    [14/Jan/2008:14:34:34 -0600] conn=115 op=2 msgId=-1 - closing from 192.168.1.1:33406 - U1 - Connection closed by unbind client -
    [14/Jan/2008:14:34:35 -0600] conn=115 op=1 msgId=2 - RESULT err=0 tag=105 nentries=0 etime=1
    [14/Jan/2008:14:34:35 -0600] conn=115 op=-1 msgId=-1 - closed.
    So in fixing it manually I just fed an ldif file that looked like the following:
    dn: cn=example.edu.getpwent,cn=example.edu_passwd_vlv_index,cn=example,cn=ldbm database,cn=plugins,cn=config                                          
    changetype: add                                                                                                                                       
    cn: example.edu.getpwent                                                                                                                              
    vlvSort: cn uid                                                                                                                                       
    objectclass: top                                                                                                                                      
    objectclass: vlvIndex
    Thanks again for the help, and as mentioned before, I will be happy to test, or provide more information,
    Deejam
    Here are the logs as mentioned above.
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 

  • Creating Job definition using Command line.

    Hi all,
    is there a possibility to create a job through command line, with parameter as CMD and source as any batch file and scheduling it on the fly.
    Let me know...
    Always
    sai.

    yes, you can use ldapmodify to add objectclasses. You should modify cn=schema and follow the objectclasses and attributes syntax. You can check config/schema directory in any dsee instance for examples.
    Another way is to add objectclasses by editing the 99user.ldif schema file directly while DSEE is down.

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatibility in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...
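
    Added example (not from the thread and not Sun's tooling): a small Python audit that resolves which password stack the posted pam.conf gives the passwd service, then compares the length limit logged by pam_authtok_check with the directory's pwd-min-length. The inputs are trimmed copies of the output posted above; the function names are illustrative.

```python
import re

# Constructed input: lines copied from the pam.conf, debug log and dsconf
# output posted in the thread above, trimmed to the relevant entries.
PAM_CONF = """\
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
other account required pam_ldap.so.1 no_pass debug
# Default definition for Password management
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
"""
CLIENT_LOG = """\
May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
"""
DSCONF_OUTPUT = """\
pwd-check-enabled : off
pwd-min-length : 6
pwd-storage-scheme : CRYPT
"""


def parse_pam_conf(text):
    """Return pam.conf entries in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # an entry needs service, type, control flag and module
        entries.append({
            "service": fields[0], "type": fields[1], "control": fields[2],
            "module": fields[3], "options": fields[4:],
        })
    return entries


def resolve_stack(entries, service, module_type):
    """Pick the stack PAM runs: the service's own entries, else "other"."""
    for name in (service, "other"):
        stack = [e for e in entries
                 if e["service"] == name and e["type"] == module_type]
        if stack:
            return name, stack
    return None, []


def local_min_length(log_text):
    """Extract (source file, length) from pam_authtok_check debug output."""
    m = re.search(r"pam_authtok_check: minimum length from (\S+): (\d+)", log_text)
    return (m.group(1), int(m.group(2))) if m else None


def directory_min_length(dsconf_text):
    """Read pwd-min-length from `dsconf get-server-prop` output."""
    for line in dsconf_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == "pwd-min-length":
            return int(value.strip())
    return None


def policy_gap(pam_text, log_text, dsconf_text, service="passwd"):
    """Report whether a local length check runs before the password is stored."""
    source, stack = resolve_stack(parse_pam_conf(pam_text), service, "password")
    modules = [e["module"] for e in stack]
    check = next((i for i, m in enumerate(modules)
                  if m.startswith("pam_authtok_check")), None)
    store = next((i for i, m in enumerate(modules)
                  if m.startswith("pam_authtok_store")), None)
    local = local_min_length(log_text)
    directory = directory_min_length(dsconf_text)
    blocked = []
    if check is not None and local and directory is not None:
        # Lengths pwd-min-length allows but the client-side check rejects.
        blocked = list(range(directory, local[1]))
    return {
        "stack_source": source,
        "modules": modules,
        "local_check_first": check is not None and (store is None or check < store),
        "check_control": stack[check]["control"] if check is not None else None,
        "local_policy": local,
        "directory_min": directory,
        "blocked_lengths": blocked,
    }


if __name__ == "__main__":
    for key, value in policy_gap(PAM_CONF, CLIENT_LOG, DSCONF_OUTPUT).items():
        print(f"{key}: {value}")
```

    The passwd service has explicit auth entries but no password entries, so the "other" password stack applies, and its requisite pam_authtok_check entry runs ahead of pam_authtok_store.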

  • Installing DSEE 7 on Windows 2008 R2 SP1 64-bit does nothing

    Hi All,
    Has anyone been able to install DSEE 7 on Windows 2008 R2 SP1 64-bit? Is it supported?
    I followed the instructions and when I run the commands below (as the Administrator) nothing happens; it simply returns an empty command prompt. The MS VC 2008 Redistributables (the ones that come with the archive) are installed.
    dsccsetup.exe war-file-create
    dsccsetp.exe ads-create
    When I run the same command using the same archive on Windows 7 64-bit it does prompt for further input or report an error.
    Any suggestions or help would be much appreciated.
    Shane L

    Windows 2008 R2 is not listed as a supported OS in the release notes.
    http://docs.oracle.com/cd/E19424-01/820-4805/820-4805.pdf
    It lists:
    Microsoft Windows Server 2008 Standard Edition for x86 and x64 Service Pack 1
    Microsoft Windows Server 2008 Enterprise Edition for x86 and x64 Service Pack 1
    If you are able to go to the next version, it is listed as supported in the release notes for ODSEE 11g:
    http://www.oracle.com/technetwork/middleware/downloads/odsee-11gr1certmatrix-161592.xls
    I have not tried 11g on 2008 R2 myself, but if it is in the certification matrix, it should work.
    Hope that helps,
    Eric

  • Is there support in certmap.conf for using DN's with dc= attributes

    Hi Folks-
    The Question:
    Is there any support on certmap.conf (or the like) for dealing with suffixes that use the "dc=example,dc=com" format (in either 5.2 or 6.0)?
    The Details/Background:
    Like many places our suffixes are named ending with "dc" attributes (e.g. dc=example,dc=com). I've been setting up SSL Client Certificate based authentication. It's working via the CmapLdapAttr with a custom attribute/class added to the schema (I haven't finished with VerifyCert yet).
    The docs say that DNComps and FilterComps support the following RDN keywords: cn, ou, o, c, l, st, e, and mail. Notably missing from both is "dc". This seems to leave no valid value for DNComps (forcing all the searches to be across ALL suffixes including cn=config and co). With those global searches FilterComps also seems to be fairly limited (especially if uid is not part of the Certificate's Subject DN which it arguably shouldn't be in many situations).
    It seems all I'm left with is CmapLdapAttr (after creating the custom attribute & class) with every search across all suffixes. I don't think I can (or should) place indexes in the stuff in dse.ldif, hopefully they won't stop the other suffixes to be searched using their indexes and these should be small enough (and hopefully in memory) that they don't make a real difference.
    Thanks,
    -Scott-

    Ok, so as far as I can tell that just leaves using "CmapLdapAttr" with a custom attribute (& class) extension to the schema.
    Since I won't be able to restrict the suffix being searched it's going to do at least 6 separate scans: one each on userRoot (and any other user suffixes), NetscapeRoot, "", cn=schema, cn=config, and cn=monitor (based on what it's reported in the logs already).
    (1) Am I correct in my assumption that creating indexes on attributes in the suffixes in dse.ldif is probably not possible and would be a bad idea?
    My guess is that everything in dse.ldif gets loaded into memory on startup and stays there. Also these aren't that big so the combination should mean that their search time is negligible.
    (2) When automatically searching all 6+ suffixes (on every client certificate authenticated connection) will it perform indexed searches on userRoot & NetscapeRoot (assuming the correct indexes exist for CmapLdapAttr) and unindexed searches for the suffixes in dse.ldif? Or will the lack of indexes in the dse.ldif suffixes cause all of the searches to be unindexed?
    (3) Is there something I'm missing that would be a better approach?
    Thanks,
    -Scott-

  • UDESEncrypt Errors when using the JAVA engine (NW IDM 7.0)

    Folks,
    I'm seeing an error when I use the uDESEncrypt function with the Java Engine in NW IDM SP2 Patch 3.
    The error I am getting is:
    runFunctionsInString($FUNCTION.encrPWD()$$) got exception
    org.mozilla.javascript.EvaluatorException: uDESEncrypt: Key should be exactly 24 bytes long.
    The code calling it is:
    // Main function: encrPWD
    function encrPWD(Par){
         //Example calling DSE internal function
         //UserFunc.uStop("Terminated by user");
         key = "C:\Program Files\SAP\IdM\Workflow\configs\KEY\keys.ini";
         OutString = UserFunc.uDESEncrypt(key, Par);
         return OutString;
    }
    I have also seen this error when using Patch 4.
    Interestingly enough, the error does not occur when using the Windows Engine.  Anyone else seeing this?
    Thanks,
    Matt

    Hi Matthew,
    Try to replace the '\' with '
    key = "C:
    Program Files
    SAP
    IdM
    Workflow
    configs
    KEY
    keys.ini";
    Alternative approaches,
    1) setting key empty and it will look into %DSE_HOME%\KEY\key.ini
      which should be C:\Program Files\SAP\IdM\Identity Center\Key\key.ini on default installation path.
    2) or setting the key to something like = 6D5A2AF59B1CDD7F9592484F178331C891537A3F9B91D362
       a 24 byte key...
    Also when using DES you should ensure that in Identity Center underneath Options/General
    you have encryption algorithm set to 3DES.
    Normally if you intend to use this for password provisioning in IC you would also
    on the identity store (for instance 'Enterprise people') underneath 'password policy' check
    off 'enable password provisioning.'
    By doing so the MX_ENCRYPTED_PASSWORD will be set when operating through
    workflow (3DES encryption version of the MX_PASSWORD) which allows you to obtain password
    when provisioning to other target systems...

  • How to use KAWT with "Sun Java Wireless Toolkit 2.3 Beta"?

    Hi!
    I'm new to developing java for mobile devices so all of this is pretty confusing for me. I started with installing Sun's "Wireless Toolkit 2.3 Beta" and it works fine but now I want to use awt classes so I started to look it up and that's how I found out about kawt. I followed the tutorial at http://www.kawt.de/ and I was able to use it for Java Wireless Toolkit 1.0.4_02 so that it compiled fine and was runnable.
    Then I tried the same thing in v 2.3 but I got an error that looked like this "Uncaught exception java/lang/NoClassDefFoundError: awtDemo: /awt/event/ActionListener: Cannot create class in system package." when I tried to run it. It compiled fine when I pressed the build button, which wouldn't have happened if I hadn't installed it correctly. So I'm wondering if someone knows where to find a tutorial for installing kawt for "Sun Java Wireless Toolkit 2.3 Beta" or if anyone knows what might be wrong?
    I'd welcome any help
    Thanks!

    If using the zip install of DSEE, you need to use your own java container to host DSEE. Try downloading the latest Tomcat (http://tomcat.apache.org) and deploying your dscc in it.

  • Native ldap client doesn't work with an openldap Server : No root DSE data

    Hello!
    My configuration :
    - an openldap 2.2.23 server (linux debian) (server name = serv_annu)
    - a ldap client (solaris 10) (server name = client_annu)
    I want to configure my client by using Solaris Native ldap and I follow the excellent doc of gary tay (http://web.singnet.com.sg/~garyttt)
    I use TLS and I had generated a certificate by using Mozilla . TLS works because ldapsearch from my solaris client works:
    FROM CLIENT_ANNU:
    # ldapsearch -h server_annu -p 636 -b"dc=mydomain,dc=fr" -s base -Z -P /var/ldap/cert8.db "objectclass=*"
    version: 1
    dn: dc=mydomain,dc=fr
    dc: mydomain
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    objectClass: nisDomainObject
    nisDomain: mydomain.fr
    o: mydomain
    LOG FROM SERVER_ANNU:
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=1 UNBIND
    Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 closed
    1) I add DUAConfigProfile.schema and solaris.schema on my openldap server.
    2) I add a nisDomainObject at the root DN (see the result of the ldapsearch above)
    3) I Add ACL in slapd.conf to allow reading of rootDSE.
    access to dn.base="" by ssf=128 * read
    4) I launch on my solaris client
    crle -u -s /usr/lib/mps
    crle -64 -u -s /usr/lib/mps/64
    5) I can't apply result.c patch on my openldap server (production server!) then I can't create /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred by using ldapclient command. Then I create manually /var/ldap/ldap_client_file and /var/ldap/ldap_client_cred : the syntax is correct because the "ldapclient list" command works :
    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= uid=toto,ou=People,dc=people1,dc=mydomain,dc=fr
    NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411
    NS_LDAP_SERVERS= server_annu
    NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=fr
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_CREDENTIAL_LEVEL= anonymous
    NOTE : I've had to add NS_LDAP_BINDDN and NS_LDAP_BINDPASSWD even if I use anonymous credential level because I get an error when I launch ldap client process.
    Then here, everything is apparently OK but when I enable ldap client process the cachemgr process is running about 30s then it crashes:
    FROM CLIENT_ANNU:
    svcadm disable /network/ldap/client;svcadm enable /network/ldap/client
    /etc/init.d/nscd stop;/etc/init.d/nscd start
    LOG FROM SERVER_ANNU:
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH attr=supportedControl supportedsaslmechanisms
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=1 UNBIND
    Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 closed
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 ACCEPT from IP=172.30.69.216:36022 (IP=0.0.0.0:389)
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SRCH attr=supportedControl supportedsaslmechanisms
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 op=1 UNBIND
    Apr 2 09:54:59 server_annu slapd[17068]: conn=269 fd=10 closed...
    FROM CLIENT ANNU :
    # /usr/lib/ldap/ldap_cachemgr -g
    cachemgr configuration:
    server debug level 0
    server log file "/var/ldap/cachemgr.log"
    number of calls to ldapcachemgr 2
    cachemgr cache data statistics:
    Configuration refresh information:
    Previous refresh time: 2008/04/02 09:58:12
    Next refresh time: 2008/04/02 21:58:12
    Server information:
    Previous refresh time: 2008/04/02 09:58:32
    Next refresh time: 2008/04/02 09:58:33
    server: server_annu, status: ERROR
    error message: No root DSE data returned.
    Cache data information:
    Maximum cache entries: 256
    Number of cache entries: 0
    My problem is why I get the following error message : No root DSE data returned.
    Thanks in advance for your help!

    Hi
    Is your OpenLDAP server configured to allow anonymous read of the rootDSE attributes ?
    Regards,
    Ludovic.
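The check raised in the reply can be run against the slapd log itself. The following is an added example, not part of the original thread: it pairs each root DSE search (empty base, scope 0) with its result and records whether the connection was protected. The function names are hypothetical, the conn=300 lines are constructed, and treating port 636 as the TLS listener and matching StartTLS by its `EXT oid=` log line are assumptions.

```python
import re

# conn=267 and conn=268 are copied from the post above; conn=300 is a
# constructed contrast case (root DSE search over the port-636 listener).
SAMPLE_LOG = """\
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 fd=10 ACCEPT from IP=172.30.69.216:36020 (IP=0.0.0.0:636)
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SRCH base="dc=mydomain,dc=fr" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:52:40 server_annu slapd[17068]: conn=267 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 fd=10 ACCEPT from IP=172.30.69.216:36021 (IP=0.0.0.0:389)
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 09:54:59 server_annu slapd[17068]: conn=268 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 2 10:00:00 server_annu slapd[17068]: conn=300 fd=11 ACCEPT from IP=172.30.69.216:36100 (IP=0.0.0.0:636)
Apr 2 10:00:00 server_annu slapd[17068]: conn=300 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Apr 2 10:00:00 server_annu slapd[17068]: conn=300 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=\S+ \(IP=\S+:(\d+)\)")
# StartTLS extended request; assumes slapd logs it as "EXT oid=<StartTLS OID>".
STARTTLS = re.compile(r"conn=(\d+) op=\d+ EXT oid=1\.3\.6\.1\.4\.1\.1466\.20037")
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+)')
RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def rootdse_searches(log_text, ldaps_ports=(636,)):
    """One record per root DSE search (empty base, scope 0) found in a slapd log."""
    port, tls, pending, out = {}, {}, {}, []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            port[m[1]] = int(m[2])
            tls[m[1]] = port[m[1]] in ldaps_ports  # TLS from the first byte
        elif m := STARTTLS.search(line):
            tls[m[1]] = True  # requested; assumed to have succeeded
        elif (m := SRCH.search(line)) and m[3] == "" and m[4] == "0":
            pending[(m[1], m[2])] = tls.get(m[1], False)
        elif (m := RESULT.search(line)) and (m[1], m[2]) in pending:
            out.append({"conn": int(m[1]), "port": port.get(m[1]),
                        "tls": pending.pop((m[1], m[2])),
                        "err": int(m[3]), "nentries": int(m[4])})
    return out


def unanswered(records):
    """Root DSE searches that returned success (err=0) but no entry."""
    return [r for r in records if r["err"] == 0 and r["nentries"] == 0]


if __name__ == "__main__":
    for r in unanswered(rootdse_searches(SAMPLE_LOG)):
        print(f"conn={r['conn']} port={r['port']} tls={r['tls']}: root DSE returned 0 entries")
```

On the post's own lines this flags conn=268: the root DSE search is op=0 on the 389 listener, so no StartTLS preceded it, while the posted ACL grants read on `dn.base=""` only at `ssf=128`.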
