Hey Mark,
Yes, I thought that would be a problem. I did try to set up an admin domain on master A that points to master B but it simply says "fail to create network domain". As you can likely see, I'm not the most versed in LDAP. I'm not sure how to do this search you suggested:
>Do a ldapsearch on o=netscaperoot and look for:
>dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
Can you give me the syntax that would be used?
thanks again,
On Tue, Apr 24, 2012 at 2:12 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
Hi Herb,
Ok you shouldn't be using "o=netscaperoot" from a different machine, but if both machines are set up EXACTLY the same way, then you might be able to replace the hostname. But this is error prone, and we should try and get the master B registered on master A's console. Did you try setting up an admin domain that points to master B's machine?
see comments below... This isn't the right bind dn we are looking for. :-) We want to see the results from "uid=admin" and "cn=directory manager".
On 04/24/2012 04:11 PM, Herb Burnswell wrote:
Hi Mark,
Thanks for getting back to me, sorry about the confusion. Here's the logs from master B console log on attempts:
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from to
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from to
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:32:47] security (23835): for host masterB.sub.domain.biz trying to GET /admin-serv/authenticate, admin40_host_ip_check reports: Unauthorized host ip=, connection rejected
This might be caused by some access restrictions. Do a ldapsearch on o=netscaperoot and look for:
dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
Use ldapmodify to change the settings if needed. Make sure that the host you are trying to connect from is allowed by the settings. You could just set both to "*" for now. You will need to restart the admin server for this change to take effect.
When I was trying to get replication working, I did an initialization of master B from master A backup files (NetscapeRoot and <my_suffix>). I've since done a re-initialization of <my_suffix> to master B from master A console. When I do a search on master B:
./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot "cn=admin-serv-*"
version: 1
dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group,
  cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
objectClass: top
objectClass: netscapeServer
objectClass: nsAdminServer
objectClass: nsResourceRef
objectClass: groupOfUniqueNames
cn: admin-serv-masterA
nsServerID: admin-serv
serverRoot: /opt/fedora-ds
serverProductName: Administration Server
serverHostName: masterA.sub.domain.biz
uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Serv
 er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
installationTimeStamp: 20050916201912Z
userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==
Yes, this version and install is very old. But it appears that all of master A information is on master B regarding admin-serv-<hostname> user on master B. This is not correct right?
I read the documentation that you sent but my install does not include setup-ds-admin.pl, my version is DS 7.1. Is there a way to simply edit the admin-serv-<hostname> if that is in fact the problem?
On Tue, Apr 24, 2012 at 8:34 AM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
Hi Herb,
I wanted to see the logs from the server that wasn't working. According to these logs everything is fine. So, you can log into the console for master A, but not master B. Most likely there is no configuration instance/admin server setup. There are a few options. One, you could register master B in the Master A console (using Create New Administration Domain feature), and just use that console to manage both servers. Two, set up a new config instance on the master B machine, and use a separate console.
Option one is definitely the best option. You can still use the console GUI on master B if you want to, but point it to the master A in the administration URL.
Here are some links to some useful documents on this:
Let me know if you have any questions.
On 04/23/2012 07:48 PM, Herb Burnswell wrote:
Hey Mark,
Well, to back up a bit, of the dual masters (A & B) only A has been running consistently for many years. That is why I needed to do a re-initialization of B. The re-initialization was done at the 'my_suffix' level and not NetscapeRoot.
I assumed that the config data would be running on both dual masters. Maybe I am incorrect?
access from Master A for 'admin' bind:
[23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from to
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping, cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101 nentries=24 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA, cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101 nentries=13 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101 nentries=17 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101 nentries=24 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1
access from master A for 'cn=Directory Manager' bind:
[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from to
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz,o=netscaperoot"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
These are from master A where logging in as either works fine. It looks like I need to configure o=netscaperoot on master B somehow?
On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
Do you know which server is hosting the config data for the console (o=netscaperoot)? If you do, please provide the access log output showing the "cn=directory manager" and "admin" binds. It might not hurt to restart the admin server.
On 04/23/2012 04:06 PM, Herb Burnswell wrote:
Hi All,
After re-initialization of a dual master server I now cannot log into the directory management console as cn=Directory Manager. I receive the error:
Cannot logon because of an incorrect user id, incorrect password, or Directory problem.
Resoponse: HTTP/1.1 401 Unauthorized
Status: 401
URL: http://url/admin-serv/authenticate
I know the password is correct as I can drop into an ldapmodify session with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.
I've seen a few inquiries about this issue around the web but nothing to resolve the issue. I see the following in /opt/fedora-ds/admin-serv/logs/error:
security (27749): for host <hostname> trying to GET /admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw
It is correct that there is not a line for cn=Directory Manager in admpw, but it is not located in the admpw file on the other dual master and I can log into its management console as cn=Directory Manager without error. They both just contain a line for user 'admin'.
When I try to log in as 'admin' (works fine on other dual master) I receive:
cannot connect to the directory server:
netscape.ldap.LDAPException: error result (32) matchedDN = ou =<domain>,o=netscaperoot; no such object
Is there something else that I need to do after re-initialization? Any guidance is greatly appreciated.
Thanks in advance,
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users