08-17-2010, 04:06 PM
Rich Megginson

Clarification on admin server and console

Gerrard Geldenhuis wrote:
>>> replagreement.ldif
>>> ~~~~~~~~~~~~
>>> dn: cn=test-aggreement-name,cn=replica,cn=o3Dnetscaperoot,cn=mapping tree,cn=config
>>> changetype: add
>>> objectClass: top
>>> objectClass: nsDS5ReplicationAgreement
>>> cn: test-aggreement-name
>>> description: test-description
>>> nsDS5ReplicaHost: 389-master02.example
>>> nsDS5ReplicaPort: 389
>>> nsDS5ReplicaBindDN: cn=Replication Manager
>>> nsDS5ReplicaBindMethod: SIMPLE
>>> nsDS5ReplicaRoot: o=netscaperoot
>>> nsDS5ReplicaTransportInfo: TLS
>>> nsDS5ReplicaCredentials: {DES}blahblah
>>>
>>>
>> You should add the nsDS5ReplicaCredentials as clear text and let the
>> server encrypt it.
>>
>> This is a bug - if you remove the changetype: add it should work.
>> Please file a bug about this issue.
>>
>
> Will file bug shortly. It still however does not work when I remove the changetype: add line.
> Adding the replication user works,
> Enabling the changelog works
> but enabling the replica fails.
> I have changed the ldif slightly to:
>
> dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> objectClass: top
> objectClass: nsDS5Replica
> objectclass: extensibleObject
> cn: replica
> nsDS5ReplicaRoot: o=NetscapeRoot
> nsDS5ReplicaId: 1
> nsDS5ReplicaType: 3
> nsDS5Flags: 1
> nsds5ReplicaPurgeDelay: 604800
> nsDS5ReplicaBindDN: cn=Replication Manager,cn=config
>
>
> The log file:
>
> +Entry cn=changelog5,cn=config is added
> +Processing 03replica.ldif ...
> +++check_and_add_entry: Entry not found cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object
> +ERROR: adding an entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config failed, error: No such object
> dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: nsDS5Replica
> objectclass: extensibleObject
> cn: replica
> nsds5replicaroot: o=NetscapeRoot
> nsds5replicaid: 1
> nsds5replicatype: 3
> nsds5flags: 1
> nsds5replicapurgedelay: 604800
> nsds5replicabinddn: cn=Replication Manager,cn=config
>
> +ERROR: There was an error processing entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
> +Cannot continue processing entries.
> Error adding entry 'cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config'. Error: No such object
> Error: Could not create directory server instance '389-master01'.
> Exiting . . .
>
This means the parent entry cn="o=NetscapeRoot",cn=mapping
tree,cn=config does not exist - yes, this is a problem because, when
setting up the server to be a configuration directory server, the
o=NetscapeRoot suffix and database are added later, after the initial
instance creation, when the ConfigFile directives are processed. I
suppose you could add those as well - use the file
/usr/share/dirsrv/data/template-suffix-db.ldif - make a copy - replace
%ds_bename% with NetscapeRoot and %ds_suffix% with o=NetscapeRoot - use
that file as the first ConfigFile directive. Then, when
setup-ds-admin.pl tries to add those, it should be ok if they already exist.
>
> Regards
>
> __________________________________________________ ______________________
> In order to protect our email recipients, Betfair Group use SkyScan from
> MessageLabs to scan all Incoming and Outgoing mail for viruses.
>
> __________________________________________________ ______________________
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
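
Added example (not part of the original post or of the 389 project's code): a Python pre-flight check for the failure explained above, where a ConfigFile LDIF adds an entry whose parent does not exist yet. The `BASELINE` entries assumed to exist in a new instance, the function names and the sample LDIF are assumptions constructed for illustration.

```python
import re

# Assumption: entries present in a new instance before any ConfigFile is processed.
BASELINE = ["cn=config", "cn=mapping tree,cn=config",
            "cn=ldbm database,cn=plugins,cn=config"]

def _unescape(m):
    g = m.group(1)                      # "\3D" -> "=", "\," -> ","
    return chr(int(g, 16)) if len(g) == 2 else g

def norm_rdn(rdn):
    """Normalize one RDN so quoted and backslash-escaped values compare equal."""
    attr, _, val = rdn.partition("=")
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]                 # old-style quoted value
    else:
        val = re.sub(r"\\([0-9a-fA-F]{2}|.)", _unescape, val)
    return (attr.strip().lower(), val.lower())

def split_dn(dn):
    """Split a DN on commas that are neither quoted nor escaped."""
    rdns, cur, quoted, i = [], "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                  # keep the escape pair together
            cur += dn[i:i + 2]; i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            rdns.append(cur); cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    return tuple(norm_rdn(r) for r in rdns)

def ldif_dns(text):
    """Return the dn: values of an LDIF, in order (base64 'dn::' is skipped)."""
    dns, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if line.lower().startswith("dn:") and line[3:4] != ":":
            dn, j = line[3:].lstrip(), i + 1
            while j < len(lines) and lines[j].startswith(" "):
                dn += lines[j][1:]; j += 1   # folded continuation line
            dns.append(dn)
    return dns

def missing_parents(config_files, baseline=BASELINE):
    """config_files: [(name, ldif_text)] in ConfigFile order.
    Returns [(name, dn)] for adds that would fail with 'No such object'."""
    present = {split_dn(d) for d in baseline}
    problems = []
    for name, text in config_files:
        for dn in ldif_dns(text):
            key = split_dn(dn)
            if key[1:] in present:
                present.add(key)
            else:
                problems.append((name, dn))
    return problems

# Constructed sample input, using DNs quoted in this thread.
REPLICA_LDIF = 'dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config\ncn: replica\n'
SUFFIX_LDIF = ('dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config\ncn: NetscapeRoot\n\n'
               'dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config\ncn: o=NetscapeRoot\n')

if __name__ == "__main__":
    print(missing_parents([("03replica.ldif", REPLICA_LDIF)]))
    print(missing_parents([("suffix-db.ldif", SUFFIX_LDIF), ("03replica.ldif", REPLICA_LDIF)]))
```

The check covers ordering only: as reported later in this thread, the admin server step of setup-ds-admin.pl still failed once o=NetscapeRoot had been pre-created.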
 
08-17-2010, 05:46 PM
Gerrard Geldenhuis

Clarification on admin server and console

>>
>> +Entry cn=changelog5,cn=config is added
>> +Processing 03replica.ldif ...
>> +++check_and_add_entry: Entry not found cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object
>> +ERROR: adding an entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config failed, error: No such object
>> dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
>> objectclass: top
>> objectclass: nsDS5Replica
>> objectclass: extensibleObject
>> cn: replica
>> nsds5replicaroot: o=NetscapeRoot
>> nsds5replicaid: 1
>> nsds5replicatype: 3
>> nsds5flags: 1
>> nsds5replicapurgedelay: 604800
>> nsds5replicabinddn: cn=Replication Manager,cn=config
>>
>> +ERROR: There was an error processing entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
>> +Cannot continue processing entries.
>> Error adding entry 'cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config'. Error: No such object
>> Error: Could not create directory server instance '389-master01'.
>> Exiting . . .
>>
>This means the parent entry cn="o=NetscapeRoot",cn=mapping
>tree,cn=config does not exist - yes, this is a problem because, when
>setting up the server to be a configuration directory server, the
>o=NetscapeRoot suffix and database are added later, after the initial
>instance creation, when the ConfigFile directives are processed. I
>suppose you could add those as well - use the file
>/usr/share/dirsrv/data/template-suffix-db.ldif - make a copy - replace
>%ds_bename% with NetscapeRoot and %ds_suffix% with o=NetscapeRoot - use
>that file as the first ConfigFile directive. Then, when
>setup-ds-admin.pl tries to add those, it should be ok if they already exist.

Thanks, I will try the re-ordering and see if I can get it working that way. I discovered a previous thread with the same file which also mentions a bug in the documentation. The bug still exists; I will raise a bugzilla to get the documentation clarified on the requirements of creating a root entry.

The thread I am referring to is: http://www.mail-archive.com/fedora-directory-users@redhat.com/msg08032.html

Something else occurred to me. If you have a shared/replicated NetscapeRoot database and let's say 12 servers over 3 datacentres, 6 providers and 6 consumers. You will end up with 12 servers in a multimaster group for the netscaperoot database but only 6 servers in a multi master setup for the userdata database. That seems quite a lot of masters for NetscapeRoot. Is that considered too many and/or are there any recommendations when having that many servers?

Regards

 
08-17-2010, 06:03 PM
Gerrard Geldenhuis

Clarification on admin server and console

>Something else occurred to me. If you have a shared/replicated NetscapeRoot database and let's say 12 servers over 3 datacentres, 6 providers and 6 consumers. You will end up with 12 servers in a multimaster group for the netscaperoot database but only 6 servers in a multi master setup for the userdata database. That seems quite a lot of masters for NetscapeRoot. Is that considered too many and/or are there any recommendations when having that many servers?

To have all changes only 1 server away you need 28 replication agreements for 6 servers. Well, at least for the userdb; 12 servers requires a LOT more replication agreements if you want changes replicating immediately to all servers. 24 agreements if you are replicating sequentially. A lot more if you want all servers to replicate to all servers.
I guess one can live with NetscapeRoot changes taking a few minutes to arrive everywhere.

Regards

 
08-17-2010, 06:39 PM
Rich Megginson

Clarification on admin server and console

Gerrard Geldenhuis wrote:
>> Something else occurred to me. If you have a shared/replicated NetscapeRoot database and let's say 12 servers over 3 datacentres, 6 providers and 6 consumers. You will end up with 12 servers in a multimaster group for the netscaperoot database but only 6 servers in a multi master setup for the userdata database. That seems quite a lot of masters for NetscapeRoot. Is that considered too many and/or are there any recommendations when having that many servers?
>>
>
> To have all changes only 1 server away you need 28 replication agreements for 6 servers. Well, at least for the userdb; 12 servers requires a LOT more replication agreements if you want changes replicating immediately to all servers. 24 agreements if you are replicating sequentially. A lot more if you want all servers to replicate to all servers.
> I guess one can live with NetscapeRoot changes taking a few minutes to arrive everywhere.
>
NetscapeRoot changes are not frequent and are usually small.
> Regards
>
 
08-18-2010, 09:51 AM
Gerrard Geldenhuis

Clarification on admin server and console

>>
>> +ERROR: There was an error processing entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
>> +Cannot continue processing entries.
>> Error adding entry 'cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config'. Error: No such object
>> Error: Could not create directory server instance '389-master01'.
>> Exiting . . .
>>
>This means the parent entry cn="o=NetscapeRoot",cn=mapping
>tree,cn=config does not exist - yes, this is a problem because, when
>setting up the server to be a configuration directory server, the
>o=NetscapeRoot suffix and database are added later, after the initial
>instance creation, when the ConfigFile directives are processed. I
>suppose you could add those as well - use the file
>/usr/share/dirsrv/data/template-suffix-db.ldif - make a copy - replace
>%ds_bename% with NetscapeRoot and %ds_suffix% with o=NetscapeRoot - use
>that file as the first ConfigFile directive. Then, when
>setup-ds-admin.pl tries to add those, it should be ok if they already exist.
>

I used the modified template file:
dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
nsslapd-suffix: o=NetscapeRoot
cn: NetscapeRoot

dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes keys

dn: cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes

dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsMappingTree
cn: o=NetscapeRoot
cn: "o=NetscapeRoot"
nsslapd-state: backend
nsslapd-backend: NetscapeRoot


The creation goes fine: ( I have copied the template file so I am not using the original one )

+Processing template-suffix-db.ldif ...
+++check_and_add_entry: Entry not found cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config error No such object
+Entry cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config is added
+++check_and_add_entry: Entry not found cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config error No such object
+Entry cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config is added
+++check_and_add_entry: Entry not found cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config error No such object
+Entry cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config is added
+++check_and_add_entry: Entry not found cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object
+Entry cn="o=NetscapeRoot",cn=mapping tree,cn=config is added


But when the script has finished running I get the following error:

Your new DS instance '389-master01' was successfully created.
Creating the configuration directory server . . .
The suffix 'o=NetscapeRoot' already exists. Config entry DN 'cn=o3DNetscapeRoot,cn=mapping tree,cn=config'.

Failed to create the configuration directory server

What is also frustrating is that the script is so quiet about why it failed. I was running setup-ds-admin with -ddd. It appears that the script used to configure the admin server does not get passed the debug flags.

Any further ideas?

Regards

 
08-18-2010, 12:40 PM
Rich Megginson

Clarification on admin server and console

Gerrard Geldenhuis wrote:
>>> +ERROR: There was an error processing entry cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
>>> +Cannot continue processing entries.
>>> Error adding entry 'cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config'. Error: No such object
>>> Error: Could not create directory server instance '389-master01'.
>>> Exiting . . .
>>>
>>>
>> This means the parent entry cn="o=NetscapeRoot",cn=mapping
>> tree,cn=config does not exist - yes, this is a problem because, when
>> setting up the server to be a configuration directory server, the
>> o=NetscapeRoot suffix and database are added later, after the initial
>> instance creation, when the ConfigFile directives are processed. I
>> suppose you could add those as well - use the file
>> /usr/share/dirsrv/data/template-suffix-db.ldif - make a copy - replace
>> %ds_bename% with NetscapeRoot and %ds_suffix% with o=NetscapeRoot - use
>> that file as the first ConfigFile directive. Then, when
>> setup-ds-admin.pl tries to add those, it should be ok if they already exist.
>>
>>
>
> I used the modified template file:
> dn: cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsBackendInstance
> nsslapd-suffix: o=NetscapeRoot
> cn: NetscapeRoot
>
> dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: encrypted attributes keys
>
> dn: cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: encrypted attributes
>
> dn: cn="o=NetscapeRoot",cn=mapping tree,cn=config
> objectclass: top
> objectclass: extensibleObject
> objectclass: nsMappingTree
> cn: o=NetscapeRoot
> cn: "o=NetscapeRoot"
> nsslapd-state: backend
> nsslapd-backend: NetscapeRoot
>
>
> The creation goes fine: ( I have copied the template file so I am not using the original one )
>
> +Processing template-suffix-db.ldif ...
> +++check_and_add_entry: Entry not found cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config error No such object
> +Entry cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config is added
> +++check_and_add_entry: Entry not found cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config error No such object
> +Entry cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config is added
> +++check_and_add_entry: Entry not found cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config error No such object
> +Entry cn=encrypted attributes,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config is added
> +++check_and_add_entry: Entry not found cn="o=NetscapeRoot",cn=mapping tree,cn=config error No such object
> +Entry cn="o=NetscapeRoot",cn=mapping tree,cn=config is added
>
>
> But when the script has finished running I get the following error:
>
> Your new DS instance '389-master01' was successfully created.
> Creating the configuration directory server . . .
> The suffix 'o=NetscapeRoot' already exists. Config entry DN 'cn=o3DNetscapeRoot,cn=mapping tree,cn=config'.
>
> Failed to create the configuration directory server
>
> What is also frustrating is that the script is so quiet about why it failed. I was running setup-ds-admin with -ddd. It appears that the script used to configure the admin server does not get passed the debug flags.
>
> Any further ideas?
>
I was afraid of that. The admin server part doesn't like it that
NetscapeRoot already exists, and instead of just continuing, it errors
and exits. If you are a perl hacker, I suppose you could hack the
AdminUtil.pm and/or AdminServer.pm.
> Regards
>
 
08-18-2010, 02:00 PM
Gerrard Geldenhuis

Clarification on admin server and console

>>
>> What is also frustrating is that the script is so quiet about why it failed. I was running setup-ds-admin with -ddd. It appears that the script used to configure the admin server does not get passed the debug flags.
>>
>> Any further ideas?
>>
>I was afraid of that. The admin server part doesn't like it that
>NetscapeRoot already exists, and instead of just continuing, it errors
>and exits. If you are a perl hacker, I suppose you could hack the
>AdminUtil.pm and/or AdminServer.pm.
>> Regards
>>

Thanks, afraid not, I generally try to stay away from Perl.

Is it worthwhile supporting ldif files during the initial install? It does seem to add a lot of complexity.
For me, whether I run a few scripts during installation or after does not matter that much. Aesthetically it is probably nicer to have all configuration in one place, i.e. in the install script. It would be nice to be able to specify when additional ldif files should be executed. Is that the purpose of InstallLdifFile or is that only during the slapd setup?

Regards

 
08-18-2010, 02:07 PM
Rich Megginson

Clarification on admin server and console

Gerrard Geldenhuis wrote:
>>> What is also frustrating is that the script is so quiet about why it failed. I was running setup-ds-admin with -ddd. It appears that the script used to configure the admin server does not get passed the debug flags.
>>>
>>> Any further ideas?
>>>
>>>
>> I was afraid of that. The admin server part doesn't like it that
>> NetscapeRoot already exists, and instead of just continuing, it errors
>> and exits. If you are a perl hacker, I suppose you could hack the
>> AdminUtil.pm and/or AdminServer.pm.
>>
>>> Regards
>>>
>>>
>
> Thanks, afraid not, I generally try to stay away from Perl.
>
+1
> Is it worthwhile supporting ldif files during the initial install? It does seem to add a lot of complexity.
>
It allows you to do a lot of customization at the same time as running
setup, using relatively simple LDIF files, without having to resort to
writing scripts.
> For me, whether I run a few scripts during installation or after does not matter that much. Aesthetically it is probably nicer to have all configuration in one place, i.e. in the install script. It would be nice to be able to specify when additional ldif files should be executed.
Yes, but that quickly gets into script territory and out of LDIF territory.
> Is that the purpose of InstallLdifFile or is that only during the slapd setup?
>
The purpose of InstallLdifFile is to allow you to populate your data
(i.e. your users and groups) at setup time.
> Regards
>
 
