Re: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?

Rich Megginson rmeggins at redhat.com
Wed Jan 23 20:32:41 UTC 2008


Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks
> like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It
> does not have any entries for uid=admin ( or uid=%as_uid% ).
>   
Right.  That's the file that is used for just the fedora-ds-base package 
- the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may be
> useful as a model to make more of the correct acis. Is this a good idea?
Yes.
> How
> much more should I modify it?
>   
You have to replace the %token% items:
ds_suffix - your suffix, e.g. dc=hymesruzicka, dc=org or cn=config or 
cn=schema, etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators, 
ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to 
use for an administrator.

You can just omit the SIE Group ACI

Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif

Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit 
it in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
>
> Thanks again!
>
> ************************************************
> ************************************************
> ************************************************
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: aci=*
> # requesting: aci 
> #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema> with scope subtree
> # filter: aci=*
> # requesting: aci 
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=monitor> with scope subtree
> # filter: aci=*
> # requesting: aci 
> #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)
>
> # search result
> search: 2
> result: 0 Success
>
>
>   

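As an added example (not from this thread or from the Fedora Directory Server project), a POSIX shell function that does the substitution Rich describes on a copy of 16dssuffixadmin.mod.tmpl: it unfolds LDIF continuation lines, drops the "SIE Group" ACI, replaces %ds_suffix% and %as_uid%, and refuses to emit a file that still carries an unreplaced %token%. The function name, its stdin/stdout interface and the inline sample template are assumptions; the sample mirrors the template body quoted above.

```shell
#!/bin/sh
# Added example: render a copy of 16dssuffixadmin.mod.tmpl into an LDIF that
# ldapmodify can apply. Function name and interface are assumptions, not dirsrv's.

# Constructed sample mirroring the template body quoted in the thread
# (copyright block omitted); real use reads your copy of the template instead.
TEMPLATE_SAMPLE='dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)'

# render_admin_acis SUFFIX ADMIN_UID   (template on stdin, LDIF on stdout)
#  1. unfold LDIF continuation lines (a leading space joins the previous line)
#  2. drop the "SIE Group" ACI, whose %dsid%/%brand%/%fqdn%/%domain% tokens only
#     exist when the admin server and console are installed
#  3. substitute %ds_suffix% and %as_uid%
#  4. refuse to emit anything if a %token% survived, so a half-rendered file is
#     never handed to ldapmodify as directory manager
render_admin_acis() {
    suffix=$1; admin=$2
    out=$(awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }
    ' | grep -v 'acl "SIE Group"' \
      | sed -e "s|%ds_suffix%|$suffix|g" -e "s|%as_uid%|$admin|g")
    if printf '%s\n' "$out" | grep -q '%[A-Za-z_]*%'; then
        echo "render_admin_acis: unreplaced %token% in template" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Demo on the constructed sample. Against a real server you would run, per suffix:
#   render_admin_acis "dc=hymesruzicka, dc=org" admin < my-copy.tmpl > suffix-admin.ldif
#   ldapmodify -x -D "cn=directory manager" -W -f suffix-admin.ldif
# (-W prompts for the password instead of putting it on the command line)
printf '%s\n' "$TEMPLATE_SAMPLE" | render_admin_acis "dc=hymesruzicka, dc=org" admin
```

Run it once per suffix you want the ACIs on (the user's own suffix, cn=config, cn=schema), as the template holds a single dn entry.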