Ryan Braun [ADS] wrote:
Hey guys, I'm setting up 2 mmr servers, and am wondering why the aci's on both machines don't end up being the same. All of the replication and configuring of the servers has been done in perl and NOT the console. Here is the process I used when setting up the servers. I'm using custom built packages on etch.

Yes. Looks like there is a bug - doing setup-ds.pl, then register-ds-admin.pl, should do the same thing as running setup-ds-admin.pl.

ii fedora-ds-admin 1.1.6 Fedora Administration Server (admin)
ii fedora-ds-admin-console 1.1.2 Fedora Admin Server Management Console
ii fedora-ds-base 1.1.3 Fedora Directory Server (base)
ii fedora-ds-console 1.1.2 Fedora Directory Server Management Console
ii mozldap 6.0.5 Mozilla LDAP C SDK
ii mozldap-dev 6.0.5 Mozilla LDAP C SDK
ii mozldap-tools 6.0.5 Mozilla LDAP C SDK
ii ldapsdk 4.17-4 Enables applications to manage information s
ii perldap 1.5.2 PerLDAP is a set of modules written in Perl
ii libadminutil 1.1.7 Utility library for directory server adminis
ii libsvrcore 4.0.4 Secure PIN handling using NSS crypto
ii libapache2-mod-nss 1.0.8 mod_nss is an SSL provider derived from the

1. install mmr1 server using setup-ds-admin.pl
2. install mmr2 server using setup-ds.pl
3. configure ssl/tls on each machine and confirm ldapsearchs etc are encrypted.
4. create root suffix o=netscaperoot on mmr2.
5. enable mmr replication of userroot on both mmr1 and mmr2
6. init UserRoot replication agreement on mmr1.
7. enable mmr replication of o=netscaperoot on both mmr1 and mmr2.
8. init NetscapeRoot replication agreement on mmr1.
9. run register-ds-admin.pl on mmr2

At this point, I can confirm that encryption is working over both machines, all replication agreements are over SSL and are working as expected. admin server is running on both machines, and both servers are accessible from each admin-server instance.

So I opened up the console, and opened up a session to each server and that's when I noticed the different amount of aci's on each server

on mmr1.
o=NetscapeRoot has 5 acis'
UserRoot has 6
cn=schema has 4
cn=monitor has 1
cn=config has 3

on mmr2.
o=NetscapeRoot has 5 acis'
UserRoot has 6
cn=schema has 1
cn=monitor has 1
cn=config has 0

So I'm wondering, if mmr2 server is missing those aci's because of the different install procedure of running setup-ds.pl first, then register-ds-admin.pl

Here are the aci's in question

mmr1 - cn=schema

# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
 scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
 dmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)

mmr2 - cn=schema

# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)

mmr1 - cn=config

dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
 dmns0.xxx.xx.xx.ca, ou=xxx.xx.xx.ca, o=NetscapeRoot";)

mmr2 - cn=config

none.

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
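Added example, not part of the original thread: one way to confirm an ACI gap like the one described above is to compare ldapsearch LDIF dumps taken from each master instead of counting entries in the console. The sample LDIF below is constructed from the ACIs quoted in the post (trimmed), and the function names are hypothetical.

```python
import re

def parse_acis(ldif_text):
    """Return {dn: set of acl names} from ldapsearch-style LDIF."""
    # LDIF folds long lines; a line that starts with one space continues the
    # previous line, so "anonymo\n us" must be rejoined before parsing.
    unfolded = re.sub(r"\n ", "", ldif_text)
    acis, dn = {}, None
    for line in unfolded.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip().lower()
            acis.setdefault(dn, set())
        elif line.lower().startswith("aci:") and dn is not None:
            # Key each ACI by its acl "name"; fall back to the raw value.
            m = re.search(r'acl\s+"([^"]+)"', line)
            acis[dn].add(m.group(1) if m else line[4:].strip())
    return acis

def missing_acis(reference, other):
    """ACL names present under a DN in `reference` but absent in `other`."""
    diff = {}
    for dn, names in reference.items():
        gap = names - other.get(dn, set())
        if gap:
            diff[dn] = sorted(gap)
    return diff

# Constructed sample input, trimmed from the ACIs quoted in the post.
MMR1 = '''dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)

dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
'''
MMR2 = '''dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)

dn: cn=config
'''

if __name__ == "__main__":
    for dn, names in missing_acis(parse_acis(MMR1), parse_acis(MMR2)).items():
        print(f"{dn}: missing on mmr2 -> {names}")
```

Base64-encoded values (`aci::`) are not decoded here; dump with settings that emit plain values or decode them before comparing.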