[Fedora-directory-users] FDS Crashing!

Nicholas Byrne nicholas.byrne at quadriga.com
Thu Jan 18 19:51:40 UTC 2007


in /opt/fedora-ds/slapd-<host>/ldif/Example.ldif there are the default 
aci's i believe im looking for (snippet) -

aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
aci: (target="ldap:///dc=example,dc=com") (targetattr =
  "*")(version 3.0; acl "allow all Admin group"; allow(all) groupdn =
  "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

and some more for ou=people. I'll try these (with modifications) and 
hopefully that should do it.

Nicholas Byrne wrote:
> running
>
> ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" 
> "aci=*" aci
>
> i get -
>
> # tech
> dn: dc=tech
> aci: (targetattr = "*") (version 3.0;acl 
> "DefaultReadAllandWriteSelf";allow (a
> ll)(userdn = "ldap:///anyone");)
>
> Thats it, it is the one i created (disclaimer in case of embarrassment 
> - don't know that much about aci's yet!).
>
> Richard Megginson wrote:
>> Nicholas Byrne wrote:
>>>
>>>
>>> Richard Megginson wrote:
>>>> Nicholas Byrne wrote:
>>>>>
>>>>>
>>>>> Richard Megginson wrote:
>>>>>> Nicholas Byrne wrote:
>>>>>>>
>>>>>>>
>>>>>>> Richard Megginson wrote:
>>>>>>>> Nicholas Byrne wrote:
>>>>>>>>> I'm using 1.0.4-1 release. My configuration fairly basic using 
>>>>>>>>> "one way" windows sync (ref: 
>>>>>>>>> https://www.redhat.com/archives/fedora-directory-users/2006-December/msg00070.html). 
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> It's been working well until this morning for going on a month 
>>>>>>>>> (fortunately it's not live yet, but was planning to put it 
>>>>>>>>> live this weekend - not anymore!). I'm not sure what occurred 
>>>>>>>>> exactly, a few password changes and minor updates to a couple 
>>>>>>>>> of attributes but since a few hours ago any attempt to write 
>>>>>>>>> to anything in the userRoot database fails and slapd crashes. 
>>>>>>>>> I've looked in the error and access logs but it doesn't give 
>>>>>>>>> much away - on restart i see:
>>>>>>>>>
>>>>>>>>> [18/Jan/2007:14:48:42 +0000] - Fedora-Directory/1.0.4 
>>>>>>>>> B2006.312.435 starting up
>>>>>>>>> [18/Jan/2007:14:48:42 +0000] - Detected Disorderly Shutdown 
>>>>>>>>> last time Directory Server was running, recovering database.
>>>>>>>>> [18/Jan/2007:14:48:43 +0000] - slapd started.  Listening on 
>>>>>>>>> All Interfaces port 389 for LDAP requests
>>>>>>>>> [18/Jan/2007:14:48:43 +0000] - Listening on All Interfaces 
>>>>>>>>> port 636 for LDAPS requests
>>>>>>>>>
>>>>>>>>> What can do to get more info?
>>>>>>>> start-slapd -d 1
>>>>>>>> or
>>>>>>>> http://directory.fedora.redhat.com/wiki/FAQ#Troubleshooting and 
>>>>>>>> use the TRACE debug level. 
>>>>>>> thanks, the server takes a long time to fully start and is 
>>>>>>> really quite slow with this switch. I suppose thats normal.
>>>>>> Yes.
>>>>>>> Any hints as to what else to look for, there is an enormous 
>>>>>>> amount of output. The log ends (when it crashes when i attempt 
>>>>>>> any write operation) with a segmentation fault.
>>>>>> So, not just a write of userPassword, but of any attribute?
>>>>> Yep thats correct
>>>>>>>>>
>>>>>>>>> Yesterday i did password change using ldappasswd and i found 
>>>>>>>>> this issue 
>>>>>>>>> (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179723) 
>>>>>>>>> just now - my directory does have a password policy. Is this 
>>>>>>>>> fixed in 1.0.4?
>>>>>>>> Yes, it is supposed to be - but if you reproduced it with 
>>>>>>>> 1.0.4, then I guess not :-(
>>>>>>>>
>>>>>>>> So, if I understand correctly - you used ldappasswd to change a 
>>>>>>>> user's password, and you have password policy enabled (global 
>>>>>>>> or local?), and you can crash the server.
>>>>>>> I have all three requirements it seems to reproduce this bug, 1. 
>>>>>>> ssl on, 2. password policy global and local/subtree and i've 
>>>>>>> used ldappassword (yesterday) - uh oh!
>>>>>>>
>>>>>>> My issue is slightly different in that the server crashes when 
>>>>>>> any update is attempted, not just a modify password.
>>>>>>>
>>>>>>> Is there any way to restore an old database and turn off all 
>>>>>>> password policy for the time being without writing to the 
>>>>>>> directory / user database? Probably not i suppose, at least not 
>>>>>>> easily. So is my best bet to dump the directory to ldif and do 
>>>>>>> a  reinstall and reconfigure. What do you think?
>>>>>> If the database is corrupted, just a dump to LDIF and a reimport 
>>>>>> might do the trick.  If not, then I suggest disabling the local 
>>>>>> password policy to see if that fixes the problem.
>>>>> i did a dump and ended up having to do a ldif2db (as i couldn't 
>>>>> write to the live database without a crash) and i seem to be back 
>>>>> up and running except i don't have the default ACI's anymore. How 
>>>>> can i recreate them?
>>>>
>>>> Are you sure they're missing?  Did you use ldapsearch to look for 
>>>> them?  Remember that the aci attribute is operational and must be 
>>>> specified on the ldapsearch command line.
>>> The process i followed was ("tech" is my top level dn/domain) -
>>>
>>> ldapsearch -x -b "dc=tech" | egrep -v '^pwdpolicysubentry|^ tainer' 
>>> > tech.ldif
>>> vi tech.ldif # remove subtree password policy - "dn: 
>>> cn=nsPwPolicyContainer,ou=People,dc=tech"
>>> stop-slapd
>>> ldif2db -n userRoot -i tech.ldif &> ~/import.log
>>>
>>> So maybe i missed them out, are aci's stored in the NetscapeRoot or 
>>> "userRoot" db?
>> Both.  acis are stored with the the regular data in the database.
>>>
>>> I had to add a single generic one to my top level domain (tech) be 
>>> able to read it without being  "cn=Domain Manager". I 've used the 
>>> FD console to look for ACI's but none seem obvious and i'm sure 
>>> there were a number of default ACI's (selfwrite, read for all - not 
>>> sure of names/dn's etc) but now there appear to be none.
>>>
>>> After adding this generic one on the dc=tech dn, running "ldapsearch 
>>> -x" and looking through output, it appears aci's are stored 
>>> elsewhere. Where?
>> try this:
>> ldapsearch -x -D "cn=directory manager" -w password -b "dc=tech" 
>> "aci=*" aci
>>> Thanks again
>>>>
>>>>> Is there wiki/manual page or a script with the default ones, thats 
>>>>> all i need for the time being.
>>>>>>
>>>>>> At any rate, please file a bug http://bugzilla.redhat.com/ and 
>>>>>> list OS + version + bitsize, and detailed steps about how to 
>>>>>> reproduce the bug.  My inclination is that this is a bug which 
>>>>>> will require a patch to address.
>>>>> Will do, and help so far the support Richard.
>>>>>>>>>
>>>>>>>>> I have tried a restore from a week old backup (using bak2db) 
>>>>>>>>> but that didn't fix the problem so anyone got any idea whats 
>>>>>>>>> going on and how i might start fixing this - Help!?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Nick
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This e-mail is the property of Quadriga Worldwide Ltd, 
>>>>>>>>> intended for the addressee only and confidential.  Any 
>>>>>>>>> dissemination, copying or distribution of this message or any 
>>>>>>>>> attachments is strictly prohibited.
>>>>>>>>>
>>>>>>>>> If you have received this message in error, please notify us 
>>>>>>>>> immediately by replying to the message and deleting it from 
>>>>>>>>> your computer.
>>>>>>>>>
>>>>>>>>> Messages sent to and from Quadriga may be monitored.
>>>>>>>>>
>>>>>>>>> Quadriga cannot guarantee any message delivery method is 
>>>>>>>>> secure or error-free.  Information could be intercepted, 
>>>>>>>>> corrupted, lost, destroyed, arrive late or incomplete, or 
>>>>>>>>> contain viruses.
>>>>>>>>>
>>>>>>>>> We do not accept responsibility for any errors or omissions in 
>>>>>>>>> this message and/or attachment that arise as a result of 
>>>>>>>>> transmission.
>>>>>>>>>
>>>>>>>>> You should carry out your own virus checks before opening any 
>>>>>>>>> attachment.
>>>>>>>>>
>>>>>>>>> Any views or opinions presented are solely those of the author 
>>>>>>>>> and do not necessarily represent those of Quadriga.
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> Fedora-directory-users mailing list
>>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>> ------------------------------------------------------------------------ 
>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Fedora-directory-users mailing list
>>>>>>>> Fedora-directory-users at redhat.com
>>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>>>   
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> This e-mail is the property of Quadriga Worldwide Ltd, intended 
>>>>>>> for the addressee only and confidential.  Any dissemination, 
>>>>>>> copying or distribution of this message or any attachments is 
>>>>>>> strictly prohibited.
>>>>>>>
>>>>>>> If you have received this message in error, please notify us 
>>>>>>> immediately by replying to the message and deleting it from your 
>>>>>>> computer.
>>>>>>>
>>>>>>> Messages sent to and from Quadriga may be monitored.
>>>>>>>
>>>>>>> Quadriga cannot guarantee any message delivery method is secure 
>>>>>>> or error-free.  Information could be intercepted, corrupted, 
>>>>>>> lost, destroyed, arrive late or incomplete, or contain viruses.
>>>>>>>
>>>>>>> We do not accept responsibility for any errors or omissions in 
>>>>>>> this message and/or attachment that arise as a result of 
>>>>>>> transmission.
>>>>>>>
>>>>>>> You should carry out your own virus checks before opening any 
>>>>>>> attachment.
>>>>>>>
>>>>>>> Any views or opinions presented are solely those of the author 
>>>>>>> and do not necessarily represent those of Quadriga.
>>>>>>>
>>>>>>> -- 
>>>>>>> Fedora-directory-users mailing list
>>>>>>> Fedora-directory-users at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>> ------------------------------------------------------------------------ 
>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Fedora-directory-users mailing list
>>>>>> Fedora-directory-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>   
>>>>>
>>>>>
>>>>>
>>>>> This e-mail is the property of Quadriga Worldwide Ltd, intended 
>>>>> for the addressee only and confidential.  Any dissemination, 
>>>>> copying or distribution of this message or any attachments is 
>>>>> strictly prohibited.
>>>>>
>>>>> If you have received this message in error, please notify us 
>>>>> immediately by replying to the message and deleting it from your 
>>>>> computer.
>>>>>
>>>>> Messages sent to and from Quadriga may be monitored.
>>>>>
>>>>> Quadriga cannot guarantee any message delivery method is secure or 
>>>>> error-free.  Information could be intercepted, corrupted, lost, 
>>>>> destroyed, arrive late or incomplete, or contain viruses.
>>>>>
>>>>> We do not accept responsibility for any errors or omissions in 
>>>>> this message and/or attachment that arise as a result of 
>>>>> transmission.
>>>>>
>>>>> You should carry out your own virus checks before opening any 
>>>>> attachment.
>>>>>
>>>>> Any views or opinions presented are solely those of the author and 
>>>>> do not necessarily represent those of Quadriga.
>>>>>
>>>>> -- 
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>> ------------------------------------------------------------------------ 
>>>>
>>>>
>>>> -- 
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>   
>>>
>>>
>>>
>>> This e-mail is the property of Quadriga Worldwide Ltd, intended for 
>>> the addressee only and confidential.  Any dissemination, copying or 
>>> distribution of this message or any attachments is strictly prohibited.
>>>
>>> If you have received this message in error, please notify us 
>>> immediately by replying to the message and deleting it from your 
>>> computer.
>>>
>>> Messages sent to and from Quadriga may be monitored.
>>>
>>> Quadriga cannot guarantee any message delivery method is secure or 
>>> error-free.  Information could be intercepted, corrupted, lost, 
>>> destroyed, arrive late or incomplete, or contain viruses.
>>>
>>> We do not accept responsibility for any errors or omissions in this 
>>> message and/or attachment that arise as a result of transmission.
>>>
>>> You should carry out your own virus checks before opening any 
>>> attachment.
>>>
>>> Any views or opinions presented are solely those of the author and 
>>> do not necessarily represent those of Quadriga.
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> ------------------------------------------------------------------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>   
>
>
>
> This e-mail is the property of Quadriga Worldwide Ltd, intended for 
> the addressee only and confidential.  Any dissemination, copying or 
> distribution of this message or any attachments is strictly prohibited.
>
> If you have received this message in error, please notify us 
> immediately by replying to the message and deleting it from your 
> computer.
>
> Messages sent to and from Quadriga may be monitored.
>
> Quadriga cannot guarantee any message delivery method is secure or 
> error-free.  Information could be intercepted, corrupted, lost, 
> destroyed, arrive late or incomplete, or contain viruses.
>
> We do not accept responsibility for any errors or omissions in this 
> message and/or attachment that arise as a result of transmission.
>
> You should carry out your own virus checks before opening any attachment.
>
> Any views or opinions presented are solely those of the author and do 
> not necessarily represent those of Quadriga.
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>



This e-mail is the property of Quadriga Worldwide Ltd, intended for the addressee only and confidential.  Any dissemination, copying or distribution of this message or any attachments is strictly prohibited.

If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

Messages sent to and from Quadriga may be monitored.

Quadriga cannot guarantee any message delivery method is secure or error-free.  Information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.

We do not accept responsibility for any errors or omissions in this message and/or attachment that arise as a result of transmission.

You should carry out your own virus checks before opening any attachment.

Any views or opinions presented are solely those of the author and do not necessarily represent those of Quadriga.




More information about the Fedora-directory-users mailing list