On 01/14/2011 05:27 PM, Brian LaMere wrote:
> well hello all, seems I'm having this problem myself....fresh install,
> and when I go to the configuration tab of the 389-console it tells me:
>
> "The user
> uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does
> not have permission to perform this operation."
>
> When I click ok, a box appears asking for DN/pass. If I put the
> password in the box...it continues on with no errors (thus the "mind
> annoyance"). Then again, if I just click "ok" and then "cancel"
> (meaning, I don't put in new credentials) the config tab works then
> too. I don't actually see in the logs either what it is that I'm not
> being allowed to do, it seems to just be a superfluous re-prompting
> for the password. On a lark, I tried putting in the /wrong/
> password...which it did indeed not like, telling me "invalid
> credentials." Clicked ok, then cancel...and I'm able to access the
> configuration tab even after putting in the wrong pass and not
> correcting it. I'm assuming it is just using the original credentials
> that should have prevented the initial error in the first place, even
> though I tried putting in new credentials...
>
> Again, fresh install, on a fresh build of Fedora14. I am tunneling
> the console, but that shouldn't matter (?). Is this just a bug in
> 389-console? Should I open a ticket?

Sure. It's really not a permissions issue, it was caused by bug fix to 1.2.7

> I'm going to continue past it, since it...doesn't seem to be stopping
> me from doing anything. I'm using the standard repos, everything is
> current:

Right. It is annoying and should not stop you from doing anything.
>
> 389-admin-console-1.1.5-1.fc14.noarch
> 389-admin-console-doc-1.1.5-1.fc14.noarch
> 389-adminutil-1.1.13-1.fc14.x86_64
> 389-admin-1.1.13-2.fc14.x86_64
> 389-ds-console-1.2.3-1.fc14.noarch
> 389-ds-console-doc-1.2.3-1.fc14.noarch
> 389-console-1.1.4-1.fc14.noarch
> 389-ds-base-1.2.7.5-1.fc14.x86_64
> 389-dsgw-1.1.6-1.fc14.x86_64
> 389-ds-1.2.1-1.fc14.noarch
>
> Did I miss the response about what might have been causing this?
>
> Brian
>
> On Wed, Dec 1, 2010 at 4:00 AM, trisooma <trisooma at xs4all.nl> wrote:
>
> > On 11/30/2010 04:33 PM, trisooma wrote:
> >>> On 11/30/2010 02:32 PM, Trisooma wrote:
> >>>> On 11/30/2010 10:23 PM, Rich Megginson wrote:
> >>>>> On 11/30/2010 02:20 PM, trisooma wrote:
> >>>>>> If i am reading the code correctly (and looking at the logging below), the
> >>>>>> line that has a severity of 'crit' should dump info for the ldap server we
> >>>>>> are connecting to.
> >>>>>> In my case (and Eric's too) only 'ldap://:389' is printed; sometimes even
> >>>>>> with an odd number like 23395496 (see Eric's first post).
> >>>>>>
> >>>>>> [Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
> >>>>>> [Tue Nov 30 22:01:43 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
> >>>>>> [Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
> >>>>>> [Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
> >>>>>> [Tue Nov 30 22:01:44 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
> >>>>>>
> >>>>>> The code that logs this error looks like this
> >>>>>> [mod_admserv/mod_admserv.c:517]
> >>>>>>
> >>>>>> ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
> >>>>>>              "openLDAPConnection(): util_ldap_init failed for ldap%s://%s:%d",
> >>>>>>              data->secure ? "s" : "",
> >>>>>>              data->host, data->port);
> >>>>>>
> >>>>>> It seems that the struct 'data' is not filled with the correct
> >>>>>> values.
> >>>>> That's why I asked for your /etc/dirsrv/admin-serv/adm.conf -
> >>>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012548.html
> >>>> My bad, see
> >>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012551.html
> >>> First, upgrade to the latest versions of these components from the
> >>> testing repo
> >>> yum upgrade --enablerepo=updates-testing 389-admin 389-ds-base 389-adminutil
> >>>
> >>> Then, run
> >>> setup-ds-admin.pl -u
> >>>
> >>> Then try
> >>>
> >>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >>>
> >>> and
> >>>
> >>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >>>
> >> Using the above i can confirm that i can now use the console to log in and
> >> administer my DS (though i had to remove selinux-policy-targeted).
> >> The command 'setup-ds-admin.pl -u' ran without a hitch.
> >>
> >> the results of both ldap queries are below:
> >>
> >> [root@icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >> Enter LDAP Password:
> >> dn: cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> >> nsBuildSecurity: domestic
> >> objectClass: top
> >> objectClass: nsApplication
> >> objectClass: groupOfUniqueNames
> >> cn: 389 Administration Server
> >> nsVendor: 389 Project
> >> installationTimeStamp: 20101124210830Z
> >> nsBuildNumber: 2010.328.157
> >> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> >> nsServerMigrationClassname: com.netscape.management.admserv.AdminServerProduct@389-admin-1.1.jar
> >> nsProductName: 389 Administration Server
> >> nsProductVersion: 1.1.13
> >> nsNickName: admin
> >>
> >> [root@icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >> Enter LDAP Password:
> >> dn: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> >> objectClass: top
> >> objectClass: netscapeServer
> >> objectClass: nsAdminServer
> >> objectClass: nsResourceRef
> >> objectClass: groupOfUniqueNames
> >> serverHostName: icicle.phasma.nl
> >> cn: admin-serv-icicle
> >> installationTimeStamp: 20101124210830Z
> >> serverProductName: Administration Server
> >> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> >> nsServerID: admin-serv
> >>
> >> I proceeded to restart dirsrv-admin, and the log now looks like this:
> >>
> >> [Tue Nov 30 23:59:20 2010] [notice] Access Host filter is: *.phasma.nl
> >> [Tue Nov 30 23:59:20 2010] [notice] Access Address filter is: *
> >> [Tue Nov 30 23:59:21 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
> >> [Tue Nov 30 23:59:21 2010] [notice] Access Host filter is: *.phasma.nl
> >> [Tue Nov 30 23:59:21 2010] [notice] Access Address filter is: *
> >> [Wed Dec 01 00:00:17 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
> >> [Wed Dec 01 00:00:18 2010] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
> >> [Wed Dec 01 00:00:33 2010] [notice] [client 192.168.134.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.134.10
> >> [Wed Dec 01 00:00:33 2010] [error] [client 192.168.134.10] File does not exist: /usr/share/dirsrv/html/java/jars
> > This should be ok - it should fallback to /usr/share/dirsrv/html/java
> >> Still some errors are visible in the logfile,
> > The one marked [error] above, or are there others? [notice] messages
> > are ok.
>
> No, this is the only one marked as error.
>
> >> but i can log in and add
> >> users/groups using the console.
> >> When i navigate to 'Directory Server'>
> >> 'Configuration' i get the following error message:
> >> 'Insufficient Permissions': The user
> >> uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does not
> >> have permission to perform this operation.
> >> When i enter the correct credentials, it seems that everything is working
> >> as it is supposed to.
> > "correct credentials"?
>
> the password that is set for uid=admin,.......; This is only a minor
> annoyance, however it does seem strange that i am asked for the password
> again.
>
> >> The log complains about not being able to do a reverse lookup on
> >> 192.168.134.10, but this seems wrong (DNS works both ways):
> > Yes. See /etc/dirsrv/admin-serv/console.conf - HostnameLookups
>
> oke, got it.
>
> >> [shadowuser@icicle ~]$ host 192.168.134.10
> >> 10.134.168.192.in-addr.arpa domain name pointer icicle.phasma.nl.
> >> [shadowuser@icicle ~]$ host icicle.phasma.nl
> >> icicle.phasma.nl has address 192.168.134.10
> >>
> >> Thanks for your patience,
> >>
> >> Regards,
> >>
> >> Trisooma
> >>
> >>>>>> BTW. this code was taken from 389-admin-1.1.12.a2
> >>>>>>
> >>>>>> I hope this helps,
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Trisooma
> >>>>>>
> >>>>>> --
> >>>>>> 389 users mailing list
> >>>>>> 389-users at lists.fedoraproject.org
> >>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users