Re: Can't create users, time for complete wipe and re-install?

Listbox wrote:
Thanks so much!
Now I'm looking in
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see
what I might do to fix things.
If you are using Fedora DS 1.1 I suggest you use this instead - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
Here is the output from the commands you suggested. At least I can tell one
is bigger than the other :)
The console admin user created during setup is uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot. You should look at the acis which have this user as the subject (e.g. anything with userdn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" in it). What's odd is that I don't see any acis in dc=hymesruzicka, dc=org to grant this user access. setup-ds-admin.pl should have created them.

There is also a group created for console admins and this group is granted access just like for the above user. However, this will not work for remote instances (instances which do not have the real o=NetscapeRoot on them - the console uses pass through authentication on instances without o=NetscapeRoot, and group evaluation does not work remotely). This is the groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot". So this group aci only works on the server which hosts o=NetscapeRoot. I don't see any acis for this group in dc=hymesruzicka, dc=org either, which is odd.

There is another local administrative group created by setup on each instance for the local suffix - groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=org" - setup-ds-admin.pl will create an ACI for this group. The actual group entry is not created by default, so if you want to use this you will need to create the group entry cn=Directory Administrators, dc=hymesruzicka, dc=org and add users to it.

Also check the acis on the configuration entries cn=config and cn=schema and cn=monitor:
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=config "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=schema "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=monitor "aci=*" aci

setup-ds-admin.pl is supposed to create acis for uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot and the group cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot
ldapsearch -x -D "cn=directory manager" -w mypassword -b o=netscaperoot "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <o=netscaperoot> with scope subtree
# filter: aci=*
# requesting: aci
#

# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator Group modification"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";;)
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="uniquemember";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# TopologyManagement, NetscapeRoot
dn: ou=TopologyManagement, o=NetscapeRoot
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";;)

# Global Preferences, hymesruzicka.org, NetscapeRoot
dn: ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable anonymous access"; allow(read,search) userdn="ldap:///anyone";;)

# UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow saving of User Preferences"; allow (add) userdn = "ldap:///all";;)

# uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# PublicViews, 1.1, Admin, Global Preferences, hymesruzicka.org, NetscapeRoot
dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to Save Public Views"; allow (all) userdn = "ldap:///all";;)

# slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# configuration, slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# cn\3DDirectory Manager, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=Directory Manager",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# configuration, admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access configuration"; allow (read, search) groupdn="ldap:///cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DnetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16



ldapsearch -x -D "cn=directory manager" -w anotherpassword -b "dc=hymesruzicka,dc=org" "aci=*" aci

# extended LDIF
#
# LDAPv3
# base <dc=hymesruzicka,dc=org> with scope subtree
# filter: aci=*
# requesting: aci
#

# hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";;)
aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";;)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=org");)

# People, hymesruzicka.org
dn: ou=People, dc=hymesruzicka, dc=org
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
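
Added example, not code from this thread: a small Python script that does the check suggested above offline on saved ldapsearch output, listing the acis whose userdn/groupdn subject is the console admin user or one of the administrator groups. It unfolds LDIF continuation lines, parses each aci's acl name, rights and subjects, and compares DNs after normalising case and spacing, since the output above spells the suffix both o=NetscapeRoot and o=netscapeRoot. The embedded LDIF is constructed for the example and dc=example,dc=com is a placeholder suffix.

```python
import re

# Constructed sample in the shape of "ldapsearch ... 'aci=*' aci" output: LDIF
# folded at 78 columns (continuation lines start with one space).
SAMPLE_LDIF = """\
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator Gro
 up modification"; allow (all) groupdn="ldap:///cn=Configuration Administrator
 s, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)

dn: dc=example, dc=com
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (
 all) (groupdn = "ldap:///cn=Directory Administrators, dc=example, dc=com");)
"""

def unfold_ldif(text):
    """Split LDIF into entries (lists of 'attr: value' lines), unfolding continuations."""
    text = re.sub(r"\n ", "", text)             # LDIF fold = newline + single space
    return [[l for l in block.splitlines() if l and not l.startswith("#")]
            for block in re.split(r"\n\s*\n", text) if block.strip()]

def norm_dn(dn):
    """Case-fold and strip whitespace around ',' and '=' so DNs compare reliably."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

ACL_RE = re.compile(r'acl\s*"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)(.*)$')
SUBJ_RE = re.compile(r'(userdn|groupdn|userdnattr|groupdnattr)\s*=\s*"([^"]*)"')

def aci_rules(text):
    """Yield (entry dn, acl name, allow|deny, [rights], [(subject kind, value)])."""
    for entry in unfold_ldif(text):
        if not entry or not entry[0].lower().startswith("dn:"):
            continue                            # search-result trailer, base64 'dn::' etc.
        dn = entry[0].partition(":")[2].strip()
        for line in entry[1:]:
            attr, _, value = line.partition(":")
            m = ACL_RE.search(value) if attr.strip().lower() == "aci" else None
            if m:
                name, verb, rights, rest = m.groups()
                subjects = [(k, v.replace("ldap:///", "")) for k, v in SUBJ_RE.findall(rest)]
                yield dn, name, verb, [r.strip() for r in rights.split(",")], subjects

def grants_for(text, subject_dn):
    """ACIs that allow something to exactly this user or group DN."""
    want = norm_dn(subject_dn)
    return [(dn, name, rights) for dn, name, verb, rights, subs in aci_rules(text)
            if verb == "allow"
            and any(k in ("userdn", "groupdn") and norm_dn(v) == want for k, v in subs)]
```

Run grants_for over the saved output of the ldapsearch commands above with the admin user DN or the group DN; an empty list for a suffix means no aci there names that subject at all.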



--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
