Re: Replicating o=NetscapeRoot for admin server failover

John Dickinson wrote:
> Hi,
>
> Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.
>
> I am trying to replicate o=NetscapeRoot for admin server failover and having a few problems.
>
> (I have read http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html)
>
> The detailed notes I have written on the steps for doing this can be found here http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/
>
> In short I
> 1. have server 1 already running
> 2. Add replication info to server 1
> 3. Install server 2
> 4. on server 2 run setup-ds.pl -f /tmp/config.inf
> 5. On server 1 initialize the consumer
>     So now server 2 has the replicated o=netscaperoot
> 6. on server 2 run register-ds-admin.pl
>
> When I do this I can connect with the console to server 1 and see both servers listed. I can browse the ds and admin console for server 1 OK. However, if I double click to open the directory console for server 2 and click on the configuration tab I get a message saying that uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot doesn't have permission to perform this operation. If I connect as cn=Directory Manager it works fine.
>
> The difference seems to be that server 2 lacks the following entries in the slapd-server2/dse.ldif
>
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=server1.example.com, ou=example.com, o=NetscapeRoot";)
>
> Adding them to dse.ldif on server 2 seems to fix things but I don't understand why they don't exist on server 2 and am concerned that this is a sign of something that I have failed to do correctly.

It's probably a bug in the failover setup procedures.

> Also what is the correct way to specify password in nsDS5ReplicaCredentials and userPassword when a) using ldapmodify

Provide the plain text

> or b) editing dse.ldif?

Don't do that.

> The documentation seems to say that you should use the hash of the password but that seems to give odd results.

Where does the documentation say that?

> Plain text passwords seem to work...

Yes - please use plain text passwords. That's the only way password policy can be enforced, among other reasons.

> Thanks
> John

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
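The check John did by eye (compare the aci values in the two dse.ldif files and see which grants uid=admin is missing on the replica) can be scripted. The following is an added example, not code from the thread or from the Fedora DS project. It assumes the three ACIs quoted above sit on the cn=config entry of dse.ldif, uses constructed sample LDIF for both servers, and parses ACI values with a simplified regex (acl name, allow/deny rights, userdn/groupdn subject) rather than a full ACI grammar.

```python
"""Added example (not from the thread): find admin-server ACIs missing on a replica's dse.ldif.

Assumptions: the ACIs live on the cn=config entry, and each ACI has the form
(targetattr...)(version 3.0; acl "name"; allow|deny (rights) userdn|groupdn="ldap:///DN";)
"""
import base64
import re

ADMIN_DN = "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

# Constructed sample for server 1, modelled on the ACIs quoted in the thread.
# LDIF folds long values: a line starting with one space continues the previous line.
SERVER1_DSE = """\
dn: cn=config
cn: config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=T
 opologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=N
 etscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, cn=server1.example.com, ou=example.com, o=NetscapeRoot";)

dn: cn=mapping tree,cn=config
cn: mapping tree
"""

# Constructed sample for server 2: only its own SIE ACI is present, so uid=admin
# holds no grant on cn=config, matching the "doesn't have permission" symptom.
SERVER2_DSE = """\
dn: cn=config
cn: config
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-server2, cn=Fedora Directory Server, cn=Server Group, cn=server2.example.com, ou=example.com, o=NetscapeRoot";)
"""

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
SUBJECT = re.compile(r'\b(userdn|groupdn)\s*=\s*"ldap:///([^"]*)"')


def unfold(text):
    """Join LDIF continuation lines (RFC 2849) and drop comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation: drop the single leading space
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attr: [values]}}; attribute names lower-cased, '::' values base64-decoded."""
    entries, attrs = {}, {}
    for line in unfold(text) + [""]:
        if not line:  # a blank line terminates the entry
            if attrs.get("dn"):
                entries[attrs["dn"][0].lower()] = attrs
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def norm_dn(dn):
    """Simplified DN normalisation: trim whitespace around commas and lower-case (no escape handling)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_aci(value):
    """Extract acl name, effect, rights list and subject from one ACI value."""
    name, rights, subj = ACL_NAME.search(value), RIGHTS.search(value), SUBJECT.search(value)
    return {
        "name": name.group(1) if name else None,
        "effect": rights.group(1) if rights else None,
        "rights": [r.strip() for r in rights.group(2).split(",")] if rights else [],
        "subject_type": subj.group(1) if subj else None,
        "subject": norm_dn(subj.group(2)) if subj else None,
    }


def grants_all(aci_values, user_dn, member_of=()):
    """True if some ACI allows 'all' to user_dn directly or through one of its groups."""
    groups = {norm_dn(g) for g in member_of}
    for aci in map(parse_aci, aci_values):
        if aci["effect"] != "allow" or "all" not in aci["rights"]:
            continue
        if aci["subject_type"] == "userdn" and aci["subject"] == norm_dn(user_dn):
            return True
        if aci["subject_type"] == "groupdn" and aci["subject"] in groups:
            return True
    return False


def missing_acis(reference_ldif, candidate_ldif, dn="cn=config"):
    """ACL names present on `dn` in the reference dse.ldif but absent from the candidate."""
    def names(text):
        return {parse_aci(v)["name"] for v in parse_ldif(text).get(dn, {}).get("aci", [])}
    return sorted(names(reference_ldif) - names(candidate_ldif))


if __name__ == "__main__":
    print("missing on server 2:", missing_acis(SERVER1_DSE, SERVER2_DSE))
    acis2 = parse_ldif(SERVER2_DSE)["cn=config"]["aci"]
    print("uid=admin has allow(all) on server 2:", grants_all(acis2, ADMIN_DN))
```

The comparison is by acl name only, so a server-specific "SIE Group" ACI naming a different slapd instance still counts as present; to audit which identity each grant goes to, look at the parsed subject field instead.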
