Re: NetscapeRootRe: Can't create users, SOLVED!

[Rich Megginson <rmeggins@xxxxxxxxxx>]

Listbox wrote:
> Got our first user created! 
> I have an idea on why the setup-ds-admin.pl may not have worked completely.
>
> When doing the first install, I ran the install script, then aborted it (
> within the first few steps ).
If you abort setup before it finishes asking you questions, you should 
be able to run it again, no problem.  If you abort it after the dialog 
section during its configuration section, then you will have to do some 
clean up.
> I thought I was paranoid enough by running
> "rpm -erase fedora-ds-1.1.0-3",
That really doesn't do anything - the fedora-ds package is now 
completely empty and just Requires (for yum) the "real" packages 
fedora-ds-base, fedora-ds-admin, etc.

It shouldn't be necessary, but if you really want to remove everything, 
you should do something like
yum erase svrcore idm-console-framework
> and deleting the contents of :
>
> /etc/dirsrv
> /usr/lib/dirsrv
>   
/usr/lib64/dirsrv on 64bit systems
> /usr/share/dirsrv
> /var/lock/dirsrv
> /var/lib/dirsrv
> /var/run/dirsrv
> /var/log/dirsrv
>   
Yep. rm -rf all of those
> /usr/lib/mozldap
> /usr/share/doc/mozldap-6.0.5
>   
No, not these.
> Before I reinstalled, and re-ran the install script. But I know I ran into a
> slapd startup problem because I made a typo, and I only erased the contents
> of "/var/run/dirsrv", and left the dir itself.
>   

> Untill I tried to create users, that was the only problem due to a previous
> install attempt. Maybe this was another.
>
>
> Thanks again!
>
>
> -----Original Message-----
> From: Rich Megginson [mailto:rmeggins@xxxxxxxxxx] 
> Sent: Wednesday, January 23, 2008 12:33 PM
> To: listbox@xxxxxxxxxxxxxx
> Cc: fedora-directory-users@xxxxxxxxxx
> Subject: Re: NetscapeRootRe:  Can't create users,
> time for complete wipe and re-install?
>
> Listbox wrote:
>   
> > Thanks Rich!
> >
> > I just looked in /usr/share/dirsrv/data, and the file "template.ldif" 
> > looks like what I get for the ldapquery of acis in dc=hymesruzicka, 
> > dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).
> >   
> >     
> Right.  That's the file that is used for just the fedora-ds-base package
> - the admin server and console stuff are "add-ons".
>   
> > I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may 
> > be useful as a model to make more of the correct acis. Is this a good
> >     
> idea?
> Yes.
>   
> > How
> > much more should I modify it?
> >   
> >     
> You have to replace the %token% items:
> ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or
> cn=schema or etc.
> as_uid - admin
> or change the entire DN uid=%as_uid%,ou=Administrators,
> ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use
> for an administrator.
>
> You can just omit the SIE Group ACI
>
> Then just feed that file to ldapmodify e.g.
> ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif
>
> Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it
> in place.
>   
> > /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
> >
> > # BEGIN COPYRIGHT BLOCK
> > ...
> > # END COPYRIGHT BLOCK
> > dn: %ds_suffix%
> > changetype: modify
> > add: aci
> > aci: (targetattr="*")(version 3.0; acl "Configuration Administrators 
> > Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, 
> > ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> > aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; 
> > allow
> > (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, 
> > ou=TopologyManagement,
> > o=NetscapeRoot";)
> > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) 
> > groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, 
> > cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
> >
> >
> > Thanks again!
> >
> > ************************************************
> > ************************************************
> > ************************************************
> > for bind in config schema monitor ; do ldapsearch -x -D "cn=directory 
> > manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done # 
> > extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # 
> > filter: aci=* # requesting: aci #
> >
> > # config
> > dn: cn=config
> > aci: (targetattr="*")(version 3.0; acl "Configuration Administrators 
> > Group"; a  llow (all) groupdn="ldap:///cn=Configuration 
> > Administrators, ou=Groups, ou=To  pologyManagement, o=NetscapeRoot";)
> > aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; 
> > allow (a
> >  ll) userdn="ldap:///uid=admin, ou=Administrators, 
> > ou=TopologyManagement, o=Ne
> >  tscapeRoot";)
> > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) 
> > groupdn = "l  dap:///cn=slapd-trixter, cn=Fedora Directory Server, 
> > cn=Server Group, cn=trix  ter.hymesruzicka.org, ou=hymesruzicka.org, 
> > o=NetscapeRoot";)
> >
> > # SNMP, config
> > dn: cn=SNMP,cn=config
> > aci: (target="ldap:///cn=SNMP,cn=config";)(targetattr !="aci")(version 
> > 3.0;acl  "snmp";allow (read, search, compare)(userdn = 
> > "ldap:///anyone";);)
> >
> > # 2.16.840.1.113730.3.4.9, features, config
> > dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> > aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; 
> > allow( read  , search, compare, proxy ) userdn = "ldap:///all";;)
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 4
> > # numEntries: 3
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=schema> with scope subtree
> > # filter: aci=*
> > # requesting: aci
> > #
> >
> > # schema
> > dn: cn=schema
> > aci: (target="ldap:///cn=schema";)(targetattr !="aci")(version 3.0;acl 
> > "anonymo  us, no acis"; allow (read, search, compare) userdn = 
> > "ldap:///anyone";;)
> > aci: (targetattr="*")(version 3.0; acl "Configuration Administrators 
> > Group"; a  llow (all) groupdn="ldap:///cn=Configuration 
> > Administrators, ou=Groups, ou=To  pologyManagement, o=NetscapeRoot";)
> > aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; 
> > allow (a
> >  ll) userdn="ldap:///uid=admin,ou=Administrators, 
> > ou=TopologyManagement, o=Net
> >  scapeRoot";)
> > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) 
> > groupdn = "l  dap:///cn=slapd-trixter, cn=Fedora Directory Server, 
> > cn=Server Group, cn=trix  ter.hymesruzicka.org, ou=hymesruzicka.org, 
> > o=NetscapeRoot";)
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=monitor> with scope subtree # filter: aci=* # requesting: 
> > aci #
> >
> > # monitor
> > dn: cn=monitor
> > aci: (target ="ldap:///cn=monitor*";)(targetattr != "aci || 
> > connection")(versio  n 3.0; acl "monitor"; allow( read, search, 
> > compare ) userdn = "ldap:///anyone
> >  ";)
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> >
> >   
> >     
>
>
>

<<attachment: smime.p7s>>

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users