04-23-2012, 08:06 PM
Herb Burnswell

management console authentication error

Hi All,

After re-initialization of a dual master server I now cannot log into the directory management console as cn=Directory Manager. I receive the error:

Cannot logon because of an incorrect user id, incorrect password, or Directory problem.

httpException:
Resoponse: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://url/admin-serv/authenticate

I know the password is correct as I can drop into an ldapmodify session with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.

I've seen a few inquiries about this issue around the web but nothing to resolve the issue. I see the following in /opt/fedora-ds/admin-serv/logs/error:

security (27749): for host <hostname> trying to GET /admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw

It is correct that there is not a line for cn=Directory Manager in admpw, but it is not located in the admpw file on the other dual master and I can log into its management console as cn=Directory Manager without error. They both just contain a line for user 'admin'.

When I try to log in as 'admin' (works fine on other dual master) I receive:

cannot connect to the directory server:
netscape.ldap.LDAPException: error result (32) matchedDN = ou =<domain>,o=netscaperoot; no such object

Is there something else that I need to do after re-initialization? Any guidance is greatly appreciated.

Thanks in advance,

Herb



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
04-23-2012, 08:13 PM
Mark Reynolds

Herb,

Do you know which server is hosting the config data for the
console (o=netscaperoot)? If you do, please provide the access log
output showing the "cn=directory manager" and "admin" binds? It
might not hurt to restart the admin server.

Thanks,

Mark







 
04-23-2012, 11:48 PM
Herb Burnswell

Hey Mark,

Well, to back up a bit, of the dual masters (A & B) only A has been running consistently for many years. That is why I needed to do a re-initialization of B. The re-initialization was done at the 'my_suffix' level and not NetscapeRoot.

I assumed that the config data would be running on both dual masters. Maybe I am incorrect?

access from Master A for 'admin' bind:

[23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from 10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping, cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101 nentries=24 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA, cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101 nentries=13 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101 nentries=17 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101 nentries=24 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1

access from master A for 'cn=Directory Manager' bind:

[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from 10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz, o=netscaperoot"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1

These are from master A where logging in as either works fine. It looks like I need to configure o=netscaperoot on master B somehow?

thanks,

Herb



 
04-24-2012, 03:34 PM
Mark Reynolds

Hi Herb,



I wanted to see the logs from the server that wasn't working.
According to these logs everything is fine. So, you can log into
the console for master A, but not master B. Most likely there is no
configuration instance/admin server setup. There are a few
options. One, you could register master B in the Master A
console (using Create New Administration Domain feature), and just
use that console to manage both servers. Two, setup a new config
instance on the master B machine, and use a separate console.

Option one is definitely the best option. You can still use the
console GUI on master B if you want to, but point it to the master A
in the administration URL.

Here are some links to some useful documents on this:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html

http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20register%20instance%20in%20console&source=web&cd=1&ved=0CCQQFjAA&url=



Let me know if you have any questions.



Mark



 
04-24-2012, 08:11 PM
Herb Burnswell

Hi Mark,

Thanks for getting back to me, sorry about the confusion. Here's the logs from master B console log on attempts:

[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0 etime=0

[24/Apr/2012:12:32:47] security (23835): for host masterB.sub.domain.biz trying to GET /admin-serv/authenticate, admin40_host_ip_check reports: Unauthorized host ip=10.10.10.25, connection rejected

When I was trying to get replication working, I did an initialization of master B from master A backup files (NetscapeRoot and <my_suffix>). I've since done a re-initialization of <my_suffix> to master B from master A console. When I do a search on master B:

./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot "cn=admin-serv-*"

version: 1
dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group,
 cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
objectClass: top
objectClass: netscapeServer
objectClass: nsAdminServer
objectClass: nsResourceRef
objectClass: groupOfUniqueNames
cn: admin-serv-masterA
nsServerID: admin-serv
serverRoot: /opt/fedora-ds
serverProductName: Administration Server
serverHostName: masterA.sub.domain.biz
uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Serv
 er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
installationTimeStamp: 20050916201912Z
userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==

Yes, this version and install is very old. But it appears that all of master A information is on master B regarding admin-serv-<hostname> user on master B. This is not correct right?

I read the documentation that you sent but my install does not include setup-ds-admin.pl, my version is DS 7.1. Is there a way to simply edit the admin-serv-<hostname> if that is in fact the problem?

TIA,

Herb
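
An added example, not part of the original thread: a small Python parser that pairs each BIND in a Directory Server access log with its RESULT line by conn and op, so failed binds such as the err=32 (noSuchObject) seen on master B stand out next to the successful ones on master A. The sample lines are copied from the posts above; the function and variable names are illustrative.

```python
import re
from collections import Counter, namedtuple

# LDAP result codes (RFC 4511) most often seen on failed binds.
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               53: "unwillingToPerform"}

# Access-log lines copied from the thread: master A (works) and master B (fails).
# In practice each server has its own access log; they are combined here for brevity.
SAMPLE_LOG = """\
[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from 10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz, o=netscaperoot"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
CLIENT_RE = re.compile(r'connection from (\S+) to ')
BIND_RE = re.compile(r'^BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r'^RESULT err=(\d+) tag=97\b')  # tag 97 = BindResponse

BindAttempt = namedtuple("BindAttempt", "timestamp conn op client dn err result")


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around RDN separators.

    Naive split: does not handle escaped commas inside attribute values.
    """
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_binds(log_text):
    """Return one BindAttempt per BIND that has a matching RESULT line."""
    clients = {}   # conn -> client address from the "connection from" line
    pending = {}   # (conn, op) -> (timestamp, normalized bind DN)
    attempts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        if m.group("op") is None:
            c = CLIENT_RE.search(rest)
            if c:
                clients[conn] = c.group(1)
            continue
        key = (conn, int(m.group("op")))
        bind = BIND_RE.match(rest)
        if bind:
            pending[key] = (m.group("ts"), normalize_dn(bind.group(1)))
            continue
        result = BIND_RESULT_RE.match(rest)
        if result and key in pending:
            ts, dn = pending.pop(key)
            err = int(result.group(1))
            attempts.append(BindAttempt(ts, conn, key[1], clients.get(conn), dn,
                                        err, LDAP_RESULT.get(err, "other")))
    return attempts


def failed_binds(attempts):
    """Count failed binds grouped by (client, bind DN, result name)."""
    return Counter((a.client, a.dn, a.result) for a in attempts if a.err != 0)


if __name__ == "__main__":
    for (client, dn, result), n in failed_binds(parse_binds(SAMPLE_LOG)).items():
        print(f"{n} failed bind(s) from {client}: {result} for {dn}")
```
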

 
04-24-2012, 09:12 PM
Mark Reynolds

Hi Herb,

Ok you shouldn't be using "o=netscaperoot" from a different machine,
but if both machines are setup EXACTLY the same way, then you might
be able to replace the hostname. But this is error prone, and we
should try and get the master B registered on master A's console.
Did you try setting up an admin domain that points to master B's
machine?

see comments below...

On 04/24/2012 04:11 PM, Herb Burnswell wrote:

> Hi Mark,
>
> Thanks for getting back to me, sorry about the confusion. Here's the logs from master B console log on attempts:
>
> [24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
> [24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from 10.10.10.25 to 10.10.10.25
> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0 etime=0

This isn't the right bind dn we are looking for. :-) We want to
see the results from "uid=admin" and "cn=directory manager".

> [24/Apr/2012:12:32:47] security (23835): for host masterB.sub.domain.biz trying to GET /admin-serv/authenticate, admin40_host_ip_check reports: Unauthorized host ip=10.10.10.25, connection rejected

This might be caused by some access restrictions. Do a ldapsearch
on o=netscaperoot and look for:

dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot

nsAdminAccessAddresses
nsAdminAccessHosts

Use ldapmodify to change the settings if needed. Make sure that the
host you are trying to connect from is allowed by the settings. You
could just set both to "*" for now. You will need to restart the
admin server for this change to take effect.

Thanks,
Mark

> When I was trying to get replication working, I did an initialization of master B from master A backup files (NetscapeRoot and <my_suffix>). I've since done a re-initialization of <my_suffix> to master B from master A console. When I do a search on master B:
>
> ./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot "cn=admin-serv-*"
>
> version: 1
> dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group,
>  cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
> objectClass: top
> objectClass: netscapeServer
> objectClass: nsAdminServer
> objectClass: nsResourceRef
> objectClass: groupOfUniqueNames
> cn: admin-serv-masterA
> nsServerID: admin-serv
> serverRoot: /opt/fedora-ds
> serverProductName: Administration Server
> serverHostName: masterA.sub.domain.biz
> uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Serv
>  er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
> installationTimeStamp: 20050916201912Z
> userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==
>
> Yes, this version and install is very old. But it appears that all of master A information is on master B regarding admin-serv-<hostname> user on master B. This is not correct right?
>
> I read the documentation that you sent but my install does not include setup-ds-admin.pl, my version is DS 7.1. Is there a way to simply edit the admin-serv-<hostname> if that is in fact the problem?
>
> TIA,
>
> Herb



On Tue, Apr 24, 2012 at 8:34 AM, Mark
Reynolds <mareynol@redhat.com>
wrote:




Hi Herb,



I wanted to see the logs from the server that wasn't
working.* According to these logs everything is fine.*
So, you can log into the console for master A, but not
master B.* Most likely there is no configuration
instance/admin server setup.* There are a few
options.* One, you could register master B in the
Master A console(using Create New Administration
Domain feature), and just use that console to manage
both servers.* Two, setup a new config instance on the
master B machine, and use a separate console.



Option one is definitely the best option.* You can
still use the console GUI on master B if you want to,
but point it to the master A in the administration
URL.*



Here are some links to some useful document on on
this:



http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html



http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20 register%20instance%20in%20console&source=web&cd=1 &ved=0CCQQFjAA&url="">



Let me know if you have any questions.



Mark



On 04/23/2012 07:48 PM, Herb Burnswell wrote:

Hey Mark,



Well, to back up a bit, of the dual masters (A
& B) only A has been running consistently for
many years. That is why I needed to do a
re-initialization of B. The re-initialization was
done at the 'my_suffix' level and not
NetscapeRoot.

I assumed that the config data would be running on
both dual masters. Maybe I am incorrect?



access from Master A for 'admin' bind:



[23/Apr/2012:16:07:50 -0700] conn=2575 fd=71
slot=71 connection from 10.10.10.24 to 10.10.10.24

[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND
dn="uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot" method=128
version=3

[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT
err=0 tag=97 nentries=0 etime=0
dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"

[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH
base="cn=statusping, cn=operation, cn=tasks,
cn=admin-serv-masterA, cn=fedora administration
server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=netscaperoot" scope=0 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"

[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT
err=0 tag=101 nentries=1 etime=0

[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
base="cn=admin-serv-masterA, cn=Fedora
Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"

[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT
err=0 tag=101 nentries=24 etime=0

[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH
base="cn=slapd-masterA, cn=Fedora Directory
Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"

[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT
err=0 tag=101 nentries=13 etime=0

[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH
base="cn=Fedora Directory Server, cn=Server Group,
cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"

[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT
err=0 tag=101 nentries=17 etime=0

[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH
base="cn=Fedora Administration Server, cn=Server
Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"

[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT
err=0 tag=101 nentries=24 etime=0

[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND

[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71
closed - U1





access from master A for 'cn=Directory Manager'
bind:



[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68
slot=68 connection from 10.10.10.24 to 10.10.10.24

[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
dn="cn=admin-serv-masterA, cn=Fedora
Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=NetscapeRoot" method=128 version=3

[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT
err=0 tag=97 nentries=0 etime=0
dn="cn=admin-serv-masterA,cn=fedora administration
server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz, o=netscaperoot"

[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND
dn="cn=Directory Manager" method=128 version=3

[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT
err=0 tag=97 nentries=0 etime=0 dn="cn=directory
manager"

[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND

[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68
closed - U1





These are from master A where logging in as either
works fine. It looks like I need to configure
o=netscaperoot on master B somehow?



thanks,



Herb







On Mon, Apr 23, 2012 at
1:13 PM, Mark Reynolds <mareynol@redhat.com>
wrote:


Herb,



Do you know which server is hosting the
config data for the
console (o=netscaperoot)? If you do, please
provide the access log output showing the
"cn=directory manager" and "admin" binds.
It might not hurt to restart the admin
server.



Thanks,

Mark








On 04/23/2012 04:06 PM, Herb Burnswell
wrote:



Hi All,



After re-initialization of a dual
master server I now cannot log into
the directory management console as
cn=Directory Manager. I receive the
error:



Cannot logon because of an incorrect
user id, incorrect password, or
Directory problem.

httpException:

Resoponse: HTTP/1.1 401 Unauthorized

Status: 401

URL: http://url/admin-serv/authenticate



I know the password is correct as I
can drop into an ldapmodify session
with ./ldapmodify -D "cn=Directory
Manager" -w <passwd> without
error.



I've seen a few inquiries about this
issue around the web but nothing to
resolve the issue. I see the
following in
/opt/fedora-ds/admin-serv/logs/error:

security (27749): for host
<hostname> trying to GET
/admin-serv/authenticate, basic-ncsa
reports: user cn=Directory Manager
does not exist in pwfile
/opt/fedora-ds/admin-serv/config/admpw

It is correct that there is not a line
for cn=Directory Manager in admpw, but
it is not located in the admpw file on
the other dual master and I can log
into its management console as
cn=Directory Manager without error.
They both just contain a line for user
'admin'.



When I try to log in as 'admin' (works
fine on other dual master) I receive:



cannot connect to the directory
server:

netscape.ldap.LDAPException: error
result (32) matchedDN = ou
=<domain>,o=netscaperoot; no
such object



Is there something else that I need to
do after re-initialization? Any
guidance is greatly appreciated.



Thanks in advance,



Herb













 
Old 04-24-2012, 10:52 PM
Herb Burnswell
 
Default management console authentication error

Hey Mark,

Yes, I thought that would be a problem. I did try to set up an admin domain on master A that points to master B but it simply says "fail to create network domain". As you can likely see, I'm not the most versed in LDAP. I'm not sure how to do this search you suggested:

> Do a ldapsearch on o=netscaperoot and look for:
>
> dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot

Can you give me the syntax that would be used?

thanks again,

Herb



On Tue, Apr 24, 2012 at 2:12 PM, Mark Reynolds <mareynol@redhat.com> wrote:






Hi Herb,



Ok you shouldn't be using "o=netscaperoot" from a different machine,
but if both machines are set up EXACTLY the same way, then you might
be able to replace the hostname. But this is error prone, and we
should try and get the master B registered on master A's console.
Did you try setting up an admin domain that points to master B's
machine?



see comments below...



On 04/24/2012 04:11 PM, Herb Burnswell wrote:

Hi Mark,



Thanks for getting back to me, sorry about the confusion.
Here's the logs from master B console log on attempts:



[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection
from 10.10.10.25 to 10.10.10.25

[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND
dn="cn=admin-serv-masterB, cn=Fedora Administration Server,
cn=Server Group, cn=masterB.sub.domain.biz,
ou=sub.domain.biz,
o=NetscapeRoot" method=128 version=2

[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97
nentries=0 etime=0

[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection
from 10.10.10.25 to 10.10.10.25

[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND
dn="cn=admin-serv-masterB, cn=Fedora Administration Server,
cn=Server Group, cn=masterB.sub.domain.biz,
ou=sub.domain.biz,
o=NetscapeRoot" method=128 version=2

[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97
nentries=0 etime=0



This isn't the right bind dn we are looking for. :-) We want to
see the results from "uid=admin" and "cn=directory manager".






[24/Apr/2012:12:32:47] security (23835): for host masterB.sub.domain.biz
trying to GET /admin-serv/authenticate, admin40_host_ip_check
reports: Unauthorized host ip=10.10.10.25, connection rejected



This might be caused by some access restrictions. Do a ldapsearch
on o=netscaperoot and look for:



dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot



nsAdminAccessAddresses

nsAdminAccessHosts



Use ldapmodify to change the settings if needed. Make sure that the
host you are trying to connect from is allowed by the settings. You
could just set both to "*" for now. You will need to restart the
admin server for this change to take effect.



Thanks,

Mark







When I was trying to get replication working, I did an
initialization of master B from master A backup files
(NetscapeRoot and <my_suffix>). I've since done a
re-initialization of <my_suffix> to master B from master A
console. When I do a search on master B:



./ldapsearch -D "cn=Directory Manager" -w <passwd> -b
o=netscaperoot "cn=admin-serv-*"



version: 1

dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot

objectClass: top

objectClass: netscapeServer

objectClass: nsAdminServer

objectClass: nsResourceRef

objectClass: groupOfUniqueNames

cn: admin-serv-masterA

nsServerID: admin-serv

serverRoot: /opt/fedora-ds

serverProductName: Administration Server

serverHostName: masterA.sub.domain.biz

uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot

installationTimeStamp: 20050916201912Z

userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==





Yes, this version and install is very old. But it appears that
all of master A information is on master B regarding
admin-serv-<hostname> user on master B. This is not
correct, right?

I read the documentation that you sent but my install does not
include setup-ds-admin.pl, my
version is DS 7.1. Is there a way to simply edit the
admin-serv-<hostname> if that is in fact the problem?



TIA,



Herb



 
Old 04-24-2012, 11:08 PM
Herb Burnswell
 
Default management console authentication error

Ok, I was able to get it working. I just went to a backup of the files prior to when I did the bak2db of master A to master B. I replaced /path/to/db/NetscapeRoot/* files with the backed up files.


Now the search:

./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot "cn=admin-serv-*"

returns the expected results and I'm able to log into the DS console.


Mark, thanks for all of your help. At least I'm learning with each mistake ;-)...

Herb

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
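The access-log reading done by hand in this thread, as an added example (not code from the posters or from the 389 project): a Python script that pairs each BIND with its RESULT by conn/op and lists bind DNs that fail with err=32, the pattern master B's log showed for cn=admin-serv-masterB. The sample lines are constructed by un-wrapping log lines quoted in the thread; the function names are assumptions of this example.

```python
import re

# LDAP result codes most often seen on the RESULT line of a BIND.
RESULT_NAMES = {
    0: "success",
    32: "noSuchObject: the bind DN is not an entry on this server",
    49: "invalidCredentials: the entry exists but the password is wrong",
}

# "[24/Apr/2012:12:09:23 -0700] conn=130 op=0 <operation text>"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+conn=(?P<conn>\d+)\s+op=(?P<op>-?\d+)\s+(?P<rest>.*)$'
)
BIND_RE = re.compile(r'^BIND\s+dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT\s+err=(?P<err>\d+)')

# Constructed sample: the first two operations are from master A's log,
# the rest from master B's log, un-wrapped from the lines quoted in the thread.
SAMPLE_LOG = """\
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0 etime=0
"""


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around commas so spellings compare equal.

    Naive split on ',': good enough for these DNs, not for escaped commas.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def bind_results(lines):
    """Pair every BIND with the RESULT that shares its (conn, op)."""
    pending = {}   # (conn, op) -> (timestamp, bind DN) awaiting a RESULT
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection/closed lines carry no op= in this position
        key = (int(m["conn"]), int(m["op"]))
        bind = BIND_RE.match(m["rest"])
        if bind:
            pending[key] = (m["ts"], bind["dn"])
            continue
        result = RESULT_RE.match(m["rest"])
        if result and key in pending:
            ts, dn = pending.pop(key)
            err = int(result["err"])
            results.append({
                "time": ts,
                "conn": key[0],
                "dn": normalize_dn(dn),
                "err": err,
                "meaning": RESULT_NAMES.get(err, "other"),
            })
    return results


def missing_bind_entries(results):
    """Bind DNs the server answered with err=32, de-duplicated and sorted."""
    return sorted({r["dn"] for r in results if r["err"] == 32})


if __name__ == "__main__":
    for r in bind_results(SAMPLE_LOG.splitlines()):
        print(f'{r["time"]} conn={r["conn"]} err={r["err"]} {r["dn"]}')
        print(f'    {r["meaning"]}')
    for dn in missing_bind_entries(bind_results(SAMPLE_LOG.splitlines())):
        print("bind DN has no entry on this server:", dn)
```

An err=32 on the admin server's own bind DN points at the contents of o=NetscapeRoot rather than at the password, which matches the search result in the thread that returned only the cn=admin-serv-masterA entry on master B.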
 





All times are GMT. The time now is 05:18 AM.
