Re: How to replicate password lockout attributes from a consumer or hub to a master(s)

From: Mark Reynolds <mreynolds@xxxxxxxxxx>
Sent: Friday, August 13, 2021 3:41 PM
To: Michael Starling <mlstarling31@xxxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
 


On 8/13/21 2:40 PM, Michael Starling wrote:



From: Michael Starling <mlstarling31@xxxxxxxxxxx>
Sent: Friday, August 13, 2021 10:41 AM
To: Mark Reynolds <mreynolds@xxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
 



From: Michael Starling <mlstarling31@xxxxxxxxxxx>
Sent: Thursday, August 12, 2021 3:29 PM
To: Mark Reynolds <mreynolds@xxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
 



From: Mark Reynolds <mreynolds@xxxxxxxxxx>
Sent: Thursday, August 12, 2021 3:16 PM
To: Michael Starling <mlstarling31@xxxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
 


On 8/12/21 2:33 PM, Michael Starling wrote:



From: Mark Reynolds <mreynolds@xxxxxxxxxx>
Sent: Thursday, August 12, 2021 11:48 AM
To: General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Michael Starling <mlstarling31@xxxxxxxxxxx>
Subject: Re: [389-users] How to replicate password lockout attributes from a consumer or hub to a master(s)
 


On 8/12/21 10:53 AM, Michael Starling wrote:
Hello.

I've taken over a large 389-ds environment running on Oracle Linux 8 and the first task I need to complete is to enable password lockouts.



I was able to enable password lockouts successfully however it only works if the client is pointed directly to a master. The account locks out and the attributes are propagated down to the hubs and consumers.

If the client is pointed to a read-only hub or consumer then the account does not lockout and the password attributes do not propagate back to the masters.

passwordIsGlobalPolicy: on is set on all masters, hubs and consumers

Password policy attributes I expect to replicate:

passwordRetryCount
accountUnlockTime
retryCountResetTime

I've tried following the chaining guide below which I think is what I need to do to get this work as expected, however I've hit a snag.

The document states the backend must be added to the hub or consumer, however when I try and add the following LDIF to the hub I get the "unwilling to perform" error.

This makes sense because the hub is read-only so I'm confused as how I can update the config on a read-only hub or consumer?

dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsmultiplexorbinddn: uid=repluser,cn=config
nsmultiplexorcredentials: mypassword
nsCheckLocalACI: on

adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_add: Server is unwilling to perform (53)

This is the doc you want to follow to get this working.  But it is complicated... 


In this case I'm not sure why the error 53 is being returned.  There is something about that entry it does not like.  So please check the access and errors log from the time of this failure (see /var/log/dirsrv/slapd-YOUR_INSTANCE/).  There is usually more info logged when an error 53 happens.


Also what version of 389-ds-base are you running?


Thanks,
Mark

Hub or Consumer

Step 1 (Hub and Consumer): the chaining backend must be created on the hub and consumer:

dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsBackendInstance
cn: chainbe1
nsslapd-suffix: <suffix to replicate>
nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # also, ldaps can be used instead
                                                                          # of ldap for secure connections -
                                                                          # requires the secure port
nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the replica bind DN is on the supplier
nsmultiplexorcredentials: password
nsCheckLocalACI: on

Any help would be greatly appreciated.

Thanks

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
-- 
Directory Server Development Team

Thanks for getting me on the right track, Mark. Looks like the "nsFarmServerURL" is not correct.

Versions:

389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64
389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64

I thought I was maybe hitting the bug described below so I added a trailing "/" but the issue persists.

This is what I see in the logs on the hub when trying to add the LDIF.

The idea is for the hub to send these password attributes back to all masters.

These are the masters in the environment.
[12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab.
[12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database - cb_instance_config_initialize - Error with config attribute nsfarmserverurl : not a valid LDAP URL
[12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database - cb_instance_add_config_check_callback - Can't instantiate chaining backend instance chainlab

Ok, I think it's not liking the multiple values in the attribute, even though the document says you can have multiple URLs. I think you need to add the config like this:

nsfarmserverurl: ldap://dsa1.domain.com:389
nsfarmserverurl: ldap://dsa2.domain.com:389
nsfarmserverurl: ldap://dsa3.domain.com:389


Give it a try?


HTH,

Mark


-- 
Directory Server Development Team

Looks like it only added the first entry. Do I need to add an entry for each master?

dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: chainlab
nsslapd-suffix: dc=domain,dc=com
nsmultiplexorbinddn: uid=replicator,cn=config
nsmultiplexorcredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA==
nsbindconnectionslimit: 3
nsoperationconnectionslimit: 20
nsabandonedsearchcheckinterval: 1
nsconcurrentbindlimit: 10
nsconcurrentoperationslimit: 2
nsproxiedauthorization: on
nsconnectionlife: 0
nsbindtimeout: 15
nsreferralonscopedsearch: off
nschecklocalaci: on
nsbindretrylimit: 3
nsslapd-sizelimit: 2000
nsslapd-timelimit: 3600
nshoplimit: 10
nsmaxresponsedelay: 60
nsmaxtestresponsedelay: 15
nsusestarttls: off

Hi Mark.

I tried adding the subsequent URLs and it doesn't allow multiple entries for this attribute.
It appears all the URLs need to be part of the one nsfarmserverurl attribute.

ldap_initialize( ldap://dsa4.domain.com )
add nsFarmServerURL:
modifying entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: Adding attributes is not allowed

I believe I have this working now.

Thank you Mark for getting me pointed in the right direction.

Were you able to set multiple urls?  Or did you just go with one for now?


Mark

-- 
Directory Server Development Team

I was only able to use one URL because I can't figure out the syntax for multiple values on one line of the attribute. Sending to the one URL does propagate from the master to everywhere else. I tested this and it works as expected.
The shortcoming would be in a failover scenario, so I need to figure out the best way to handle this or get the correct syntax for multiple values for the nsfarmserverurl attribute.

As an alternative, can I add additional entries to the chaining database with the URL for each master?
i.e. cn=chainlab2,cn=chaining database,cn=plugins,cn=config
cn=chainlab3,cn=chaining database,cn=plugins,cn=config
cn=chainlab3,cn=chaining database,cn=plugins,cn=config

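As an added example (not code from this thread or from the 389-ds project), the following Python builds the nsfarmserverurl value in the single-attribute form the quoted guide shows, all supplier host:port pairs separated by spaces inside one ldap:// URL ending in a slash, and parses such a value back so a chaining entry can be sanity-checked before it is added on the hub. It assumes that form is what the server expects; whether a given 389-ds build accepts it should still be confirmed against the errors log, as Mark advised.

```python
import re

# Hostname, optionally followed by :port (e.g. dsa1.domain.com:389).
HOSTPORT = re.compile(r"^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$")


def build_farm_url(hosts, secure=False):
    """hosts: list of (hostname, port). Returns one nsfarmserverurl value
    in the guide's form: scheme, all supplier host:port pairs separated by
    spaces, and a trailing slash (assumed to be the accepted syntax)."""
    if not hosts:
        raise ValueError("at least one supplier is required")
    scheme = "ldaps" if secure else "ldap"
    return f"{scheme}://" + " ".join(f"{h}:{p}" for h, p in hosts) + "/"


def parse_farm_url(value):
    """Split a farm URL into (scheme, [(host, port), ...]). Rejects a value
    that is not a single ldap:// or ldaps:// URL, an empty host list, and a
    token that is itself a full URL (a second ldap:// pasted into the line)."""
    m = re.match(r"^(ldaps?)://(.*?)/?$", value.strip())
    if not m:
        raise ValueError("not a single ldap:// or ldaps:// URL")
    scheme, rest = m.group(1), m.group(2)
    default_port = 636 if scheme == "ldaps" else 389
    hosts = []
    for token in rest.split():
        hm = HOSTPORT.match(token)
        if not hm:
            raise ValueError(f"bad host:port token {token!r}")
        port = int(hm.group(2)) if hm.group(2) else default_port
        hosts.append((hm.group(1), port))
    if not hosts:
        raise ValueError("no supplier host given")
    return scheme, hosts


def chaining_entry_ldif(name, suffix, farm_url, bind_dn):
    """LDIF for the chaining backend entry discussed in the thread, with the
    farm URL validated first; the credential is left as a placeholder."""
    parse_farm_url(farm_url)
    return "\n".join([
        f"dn: cn={name},cn=chaining database,cn=plugins,cn=config",
        "objectclass: top", "objectclass: extensibleObject",
        "objectclass: nsBackendInstance", f"cn: {name}",
        f"nsslapd-suffix: {suffix}", f"nsfarmserverurl: {farm_url}",
        f"nsmultiplexorbinddn: {bind_dn}",
        "nsmultiplexorcredentials: <REPLICATION_MANAGER_PASSWORD>",
        "nsCheckLocalACI: on", ""])
```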
