10-01-2008, 05:14 PM
John Dickinson

Replicating o=NetscapeRoot for admin server failover

Hi,

Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.

I am trying to replicate o=NetscapeRoot for admin server failover and
having a few problems.


(I have read http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html)

The detailed notes I have written on the steps for doing this can be
found here http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/


In short I
1. have server 1 already running
2. Add replication info to server 1
3. Install server 2
4. on server 2 run setup-ds.pl -f /tmp/config.inf
5. On server 1 initialize the consumer
So now server 2 has the replicated o=netscaperoot
6. on server 2 run register-ds-admin.pl

When I do this I can connect with the console to server 1 and see both
servers listed. I can browse the ds and admin console for server 1 OK.
However, if I double click to open the directory console for server 2
and click on the configuration tab I get a message saying that
uid=admin,ou=administrators,ou=topologymanagement, o=netscaperoot
doesn't have permission to perform this operation. If I connect as
cn=Directory Manager it works fine.


The difference seems to be that server 2 lacks the following entries
in the slapd-server2/dse.ldif


aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot"
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=server1.example.com, ou=example.com, o=NetscapeRoot"


Adding them to dse.ldif on server 2 seems to fix things but I don't
understand why they don't exist on server 2 and am concerned that this
is a sign of something that I have failed to do correctly.


Also what is the correct way to specify password in
nsDS5ReplicaCredentials and userPassword when a) using ldapmodify or
b) editing dse.ldif? The documentation seems to say that you should
use the hash of the password but that seems to give odd results. Plain
text passwords seem to work...


Thanks
John

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
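The following is an added example, not John's notes and not Fedora DS project code: a small POSIX shell audit that unfolds a consumer's dse.ldif, checks which of the three o=NetscapeRoot ACIs quoted above are missing from a given entry, and prints the ldapmodify LDIF that would add them. Two things it assumes that the post does not state: that the ACIs belong on cn=config, and that the "SIE Group" ACI on each server should name that server's own instance and host entry (slapd-server2 / server2.example.com on server 2) rather than server 1's. The function names, the sample dse.ldif and the host names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not John's notes or project code: audit a consumer's
# dse.ldif for the three o=NetscapeRoot admin ACIs quoted in the post and
# print the ldapmodify LDIF that adds whichever are missing.
# Assumptions not stated on the page: the ACIs live on cn=config, and the
# "SIE Group" ACI on each server should name that server's own instance
# and host entry. Function names are ours. Base64 (dn::/aci::) values are
# not handled.

# Join LDIF continuation lines (a leading single space continues the
# previous line) so that every aci value is on one physical line.
unfold_ldif() {
    awk '
        /^ / { printf "%s", substr($0, 2); next }
        { if (NR > 1) printf "\n"; printf "%s", $0 }
        END { printf "\n" }
    ' "$1"
}

# List the acl names (the quoted string after "acl") carried by one entry
# of an LDIF file. $1 = file, $2 = entry DN (compared case-insensitively).
acl_names_on() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^dn: / { inside = (tolower(substr($0, 5)) == want); next }
        /^$/    { inside = 0; next }
        inside && /^aci: / && match($0, /acl "[^"]*"/) {
            print substr($0, RSTART + 5, RLENGTH - 6)
        }
    ' "$1"
}

# Expected aci value for an acl name; the SIE one is built from the
# instance name, host FQDN and admin domain of the server being checked.
aci_value() {
    case $1 in
    'Configuration Administrators Group')
        printf '%s' '(targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)' ;;
    'Configuration Administrator')
        printf '%s' '(targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)' ;;
    'SIE Group')
        printf '(targetattr="*")(version 3.0; acl "SIE Group"; allow (all) groupdn="ldap:///cn=%s, cn=Fedora Directory Server, cn=Server Group, cn=%s, ou=%s, o=NetscapeRoot";)' "$2" "$3" "$4" ;;
    esac
}

# Print a modify LDIF adding the missing ACIs (prints nothing if none are
# missing). $1 = dse.ldif, $2 = entry DN, $3 = instance, $4 = host, $5 = domain
missing_aci_ldif() {
    tmp=$(mktemp) || return 1
    unfold_ldif "$1" > "$tmp"
    have=$(acl_names_on "$tmp" "$2")
    rm -f "$tmp"
    nl='
'
    missing=
    for name in 'Configuration Administrators Group' \
                'Configuration Administrator' 'SIE Group'; do
        printf '%s\n' "$have" | grep -qxF -- "$name" || missing="$missing$name$nl"
    done
    [ -n "$missing" ] || return 0
    printf 'dn: %s\nchangetype: modify\n' "$2"
    printf '%s' "$missing" | while IFS= read -r name; do
        printf 'add: aci\naci: %s\n-\n' "$(aci_value "$name" "$3" "$4" "$5")"
    done
}

# Constructed sample of a consumer's dse.ldif (not John's real file): only
# "Configuration Administrator" is present on cn=config, folded over three
# lines; the aci on cn=schema must be ignored by the cn=config check.
SAMPLE_DSE=$(mktemp)
cat > "$SAMPLE_DSE" <<'EOF'
dn: cn=config
cn: config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (al
 l) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Netsc
 apeRoot";)
nsslapd-port: 389

dn: cn=schema
aci: (targetattr="*")(version 3.0; acl "SIE Group"; allow (all) groupdn="ldap:///x";)
EOF

# Feed the output to ldapmodify -x -D "cn=Directory Manager" -W against the
# running server 2 rather than editing its dse.ldif by hand.
missing_aci_ldif "$SAMPLE_DSE" cn=config slapd-server2 server2.example.com example.com
```

Against the constructed sample this prints a modify for cn=config with two `add: aci` blocks (the group ACI and the SIE ACI naming slapd-server2) and leaves out the one that is already present.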
 
10-01-2008, 05:18 PM
Rich Megginson

Replicating o=NetscapeRoot for admin server failover

John Dickinson wrote:

> [...]
>
> Adding them to dse.ldif on server 2 seems to fix things but I don't
> understand why they don't exist on server 2 and am concerned that this
> is a sign of something that I have failed to do correctly.
It's probably a bug in the failover setup procedures.


> Also what is the correct way to specify password in
> nsDS5ReplicaCredentials and userPassword when a) using ldapmodify

Provide the plain text.

> or b) editing dse.ldif?

Don't do that.

> The documentation seems to say that you should use the hash of the
> password but that seems to give odd results.

Where does the documentation say that?

> Plain text passwords seem to work...

Yes - please use plain text passwords. That's the only way password
policy can be enforced, among other reasons.


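To make Rich's answer concrete, here is an added example (not from the thread, and not project code) of the LDIF that steps 2 and 5 of John's procedure amount to, written as shell functions so it can be piped into ldapmodify: the replication manager entry with a plain-text userPassword, the supplier and consumer replicas for o=NetscapeRoot, the agreement with a plain-text nsDS5ReplicaCredentials, and the modify that starts the consumer initialization. The entry DNs, attribute names, replication manager DN, changelog path, replica IDs and the hosts/ports follow common 389/Fedora DS conventions and are assumptions here; the page names only nsDS5ReplicaCredentials and userPassword. The guard that rejects a `{SCHEME}`-prefixed value is our own addition.

```shell
#!/bin/sh
# Added example, not from the thread: the LDIF behind steps 2 and 5 of
# John's procedure, with the replication manager's userPassword and the
# agreement's nsDS5ReplicaCredentials given in plain text as Rich advises.
# DNs, attribute names, the manager DN, the changelog path, replica IDs and
# hosts/ports are 389/Fedora DS conventions assumed here, not taken from the
# page. Passwords containing $ or backquotes would be expanded by the
# unquoted here-documents below; quote or escape them before use.

# Refuse a value that already carries a storage scheme such as {SSHA}...:
# the server hashes userPassword itself, and the supplier must present the
# real secret when it binds, so a hash in nsDS5ReplicaCredentials cannot work.
require_plain() {
    case $1 in
    '')   printf 'empty password\n' >&2; return 1 ;;
    '{'*) printf 'refusing pre-hashed value; give the plain password\n' >&2; return 1 ;;
    esac
}

# Replication manager entry. It must exist with the same password on both
# servers, because the consumer checks the supplier's bind against it.
manager_ldif() {
    cat <<EOF
dn: cn=replication manager,cn=config
changetype: add
objectClass: top
objectClass: person
cn: replication manager
sn: manager
userPassword: $1

EOF
}

# Supplier (server 1): changelog, a master replica of o=NetscapeRoot and an
# agreement towards the consumer. $1 = password, $2 = consumer host,
# $3 = consumer port. SIMPLE bind over plain LDAP sends the password in
# clear on the wire; use the SSL transport outside a lab.
supplier_ldif() {
    require_plain "$1" || return 1
    manager_ldif "$1"
    cat <<EOF
dn: cn=changelog5,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-server1/changelogdb

dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: o=NetscapeRoot
nsDS5ReplicaId: 1
nsDS5ReplicaType: 3
nsDS5Flags: 1
nsDS5ReplicaBindDN: cn=replication manager,cn=config

dn: cn=to-$2,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: to-$2
nsDS5ReplicaRoot: o=NetscapeRoot
nsDS5ReplicaHost: $2
nsDS5ReplicaPort: $3
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: $1
EOF
}

# Consumer (server 2): the same manager entry plus a read-only replica that
# accepts updates from it. $1 = password.
consumer_ldif() {
    require_plain "$1" || return 1
    manager_ldif "$1"
    cat <<EOF
dn: cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: add
objectClass: top
objectClass: nsDS5Replica
cn: replica
nsDS5ReplicaRoot: o=NetscapeRoot
nsDS5ReplicaId: 65535
nsDS5ReplicaType: 2
nsDS5Flags: 0
nsDS5ReplicaBindDN: cn=replication manager,cn=config
EOF
}

# Step 5, applied to server 1 once the consumer is up: start a total
# initialization of the consumer through the agreement. $1 = consumer host.
initialize_ldif() {
    cat <<EOF
dn: cn=to-$1,cn=replica,cn="o=NetscapeRoot",cn=mapping tree,cn=config
changetype: modify
replace: nsDS5BeginReplicaRefresh
nsDS5BeginReplicaRefresh: start
EOF
}

# Placeholder values; pipe into ldapmodify -x -D "cn=Directory Manager" -W.
supplier_ldif 's3cret' server2.example.com 389
```

Run `supplier_ldif` against server 1 and `consumer_ldif` against server 2 with the Directory Manager credentials, then `initialize_ldif server2.example.com` against server 1; the server stores userPassword hashed according to its own password storage scheme, while nsDS5ReplicaCredentials stays recoverable because the supplier has to send that secret in every bind.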
 
