Ryan Braun [ADS] wrote:
> Hey guys, I'm setting up 2 mmr servers, and am wondering why the aci's on both machines don't end up being the same. All of the replication and configuring of the servers
> has been done in perl and NOT the console. Here is the process I used when setting up the servers. I'm using custom built packages on etch.
>
> ii fedora-ds-admin 1.1.6 Fedora Administration Server (admin)
> ii fedora-ds-admin-console 1.1.2 Fedora Admin Server Management Console
> ii fedora-ds-base 1.1.3 Fedora Directory Server (base)
> ii fedora-ds-console 1.1.2 Fedora Directory Server Management Console
> ii mozldap 6.0.5 Mozilla LDAP C SDK
> ii mozldap-dev 6.0.5 Mozilla LDAP C SDK
> ii mozldap-tools 6.0.5 Mozilla LDAP C SDK
> ii ldapsdk 4.17-4 Enables applications to manage information s
> ii perldap 1.5.2 PerLDAP is a set of modules written in Perl
> ii libadminutil 1.1.7 Utility library for directory server adminis
> ii libsvrcore 4.0.4 Secure PIN handling using NSS crypto
> ii libapache2-mod-nss 1.0.8 mod_nss is an SSL provider derived from the
>
> 1. install mmr1 server using setup-ds-admin.pl
> 2. install mmr2 server using setup-ds.pl
> 3. configure ssl/tls on each machine and confirm ldapsearchs etc are encrypted.
> 4. create root suffix o=netscaperoot on mmr2.
> 5. enable mmr replication of userroot on both mmr1 and mmr2
> 6. init UserRoot replication agreement on mmr1.
> 7. enable mmr replication of o=netscaperoot on both mmr1 and mmr2.
> 8. init NetscapeRoot replication agreement on mmr1.
> 9. run register-ds-admin.pl on mmr2
>
> At this point, I can confirm that encryption is working over both machines, all replication agreements are over SSL and are working as expected. admin server is running on
> both machines, and both servers are accessible from each admin-server instance.
>
> So I opened up the console, and opened up a session to each server and thats when I noticed the different amount of aci's on each server
>
> on mmr1. o=NetscapeRoot has 5 acis'
> UserRoot has 6
> cn=schema has 4
> cn=monitor has 1
> cn=config has 3
>
> on mmr2. o=NetscapeRoot has 5 acis'
> UserRoot has 6
> cn=schema has 1
> cn=monitor has 1
> cn=config has 0
>
> So I'm wondering, if mmr2 server is missing those aci's because of the different install procedure of running setup-ds.pl first, then register-ds-admin.pl
>

Yes. Looks like there is a bug - doing setup-ds.pl, then register-ds-admin.pl, should do the same thing as running setup-ds-admin.pl.

> Here are the aci's in question
>
> mmr1 - cn=schema
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
>  us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
>  llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
>  pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
>  ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
>  scapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
>  dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
>  dmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
>
> mmr2 - cn=schema
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
>  us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
>
> mmr1 - cn=config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
>  llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
>  pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
>  ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
>  tscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
>  dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
>  dmns0.xxx.xx.xx.ca, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
>
> mmr2 - cn=config
> none.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
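
Added example, not part of the original thread and not the project's own tooling: one way to confirm which ACIs a replica lacks is to dump the `aci` attribute of the same entries from both servers as LDIF and compare the dumps offline. The function names and the sample dumps are constructed for illustration, and values are assumed to be plain text rather than base64-encoded (`aci::`).

```python
import re

def acis_by_dn(ldif):
    """Map each entry DN (lower-cased) to {whitespace-free ACI text: acl name}."""
    entries, dn = {}, None
    # LDIF folding: a newline followed by one space continues the previous line.
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            dn = None if not line.strip() else dn  # a blank line ends the entry
            continue
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            dn = value.lower()
            entries.setdefault(dn, {})
        elif attr == "aci" and dn is not None:
            name = re.search(r'acl\s+"([^"]*)"', value)
            entries[dn][re.sub(r"\s+", "", value)] = name.group(1) if name else value
    return entries

def missing_acis(reference_ldif, other_ldif):
    """ACL names present under a DN in the reference dump but absent from the other."""
    ref, other = acis_by_dn(reference_ldif), acis_by_dn(other_ldif)
    report = {}
    for dn, acis in ref.items():
        gone = sorted(n for key, n in acis.items() if key not in other.get(dn, {}))
        if gone:
            report[dn] = gone
    return report

# Constructed sample dumps modelled on the thread, keeping the LDIF line folding.
MMR1 = '''dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)

dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
'''
MMR2 = '''dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr != "aci")(version 3.0; acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)

dn: cn=config
'''
```

Comparing on whitespace-free ACI text keeps differences in folding or spacing between the two dumps from showing up as false mismatches.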