John Dickinson wrote:
> Hi,
>
> Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.
>
> I am trying to replicate o=NetscapeRoot for admin server failover and
> having a few problems.
>
> (I have read
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html)
>
> The detailed notes I have written on the steps for doing this can be
> found here
> http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/
>
> In short I
> 1. have server 1 already running
> 2. Add replication info to server 1
> 3. Install server 2
> 4. on server 2 run setup-ds.pl -f /tmp/config.inf
> 5. On server 1 initialize the consumer
> So now server 2 has the replicated o=netscaperoot
> 6. on server 2 run register-ds-admin.pl
>
> When I do this I can connect with the console to server 1 and see both
> servers listed. I can browse the ds and admin console for server 1 OK.
> However, if I double click to open the directory console for server 2
> and click on the configuration tab I get a message saying that
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
> doesn't have permission to perform this operation. If I connect as
> cn=Directory Manager it works fine.
>
> The difference seems to be that server 2 lacks the following entries
> in the slapd-server2/dse.ldif
>
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
> Group"; a
> llow (all) groupdn="ldap:///cn=Configuration Administrators,
> ou=Groups, ou=T
> opologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
> allow (a
> ll) userdn="ldap:///uid=admin, ou=Administrators,
> ou=TopologyManagement, o=N
> etscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
> groupdn = "l
> dap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group,
> cn=server1.example.com, ou=example.com, o=NetscapeRoot";)
>
> Adding them to dse.ldif on server 2 seems to fix things but I don't
> understand why they don't exist on server 2 and am concerned that this
> is a sign of something that I have failed to do correctly.

It's probably a bug in the failover setup procedures.

>
> Also what is the correct way to specify password in
> nsDS5ReplicaCredentials and userPassword when a) using ldapmodify

Provide the plain text

> or b) editing dse.ldif?

Don't do that.

> The documentation seems to say that you should use the hash of the
> password but that seems to give odd results.

Where does the documentation say that?

> Plain text passwords seem to work...

Yes - please use plain text passwords. That's the only way password policy can be enforced, among other reasons.

>
> Thanks
> John
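The dse.ldif comparison described in the message above, as an added example that is not part of the original thread or of the project's tooling: it unfolds LDIF continuation lines and reports ACL names present on one server but missing on the other. The sample data is constructed from the ACIs quoted in the post; placing them under `cn=config` and the function names are assumptions of this example.

```python
import re

# Constructed sample: the three ACIs quoted in the post, folded LDIF-style.
# Placing them under cn=config is an assumption of this example.
SERVER1 = '''dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=T
 opologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=N
 etscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group,
  cn=server1.example.com, ou=example.com, o=NetscapeRoot";)
'''
SERVER2 = "dn: cn=config\nobjectClass: top\n"  # constructed: no aci values

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    return re.sub(r"\r?\n ", "", text)

def acl_names(ldif_text):
    """Map each entry DN (lowercased) to the ACL names found in its aci values."""
    result = {}
    for block in re.split(r"\n\s*\n", unfold(ldif_text).strip()):
        dn, names = None, set()
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                dn = value.strip().lower()
            elif attr.lower() == "aci":
                m = re.search(r'acl\s+"([^"]+)"', value)
                if m:
                    names.add(m.group(1))
        if dn is not None:
            result[dn] = names
    return result

def missing_acls(reference_ldif, other_ldif):
    """ACL names per DN that exist in reference_ldif but not in other_ldif."""
    ref, other = acl_names(reference_ldif), acl_names(other_ldif)
    return {dn: sorted(names - other.get(dn, set()))
            for dn, names in ref.items() if names - other.get(dn, set())}

if __name__ == "__main__":
    for dn, names in missing_acls(SERVER1, SERVER2).items():
        print(dn, "is missing:", ", ".join(names))
```

Comparing by ACL name rather than by full value keeps instance-specific bind rules, such as the `slapd-server1` group DN in the "SIE Group" ACI, from showing up as false differences.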