[Fedora-directory-users] Replicating o=NetscapeRoot for admin server failover
Rich Megginson
rmeggins at redhat.com
Wed Oct 1 17:18:46 UTC 2008
John Dickinson wrote:
> Hi,
>
> Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.
>
> I am trying to replicate o=NetscapeRoot for admin server failover and
> having a few problems.
>
> (I have read
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html)
>
>
> The detailed notes I have written on the steps for doing this can be
> found here
> http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/
>
>
> In short I
> 1. have server 1 already running
> 2. Add replication info to server 1
> 3. Install server 2
> 4. on server 2 run setup-ds.pl -f /tmp/config.inf
> 5. On server 1 initialize the consumer
> So now server 2 has the replicated o=netscaperoot
> 6. on server 2 run register-ds-admin.pl
>
> When I do this I can connect with the console to server 1 and see both
> servers listed. I can browse the ds and admin console for server 1 OK.
> However, if I double click to open the directory console for server 2
> and click on the configuration tab I get a message saying that
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
> doesn't have permission to perform this operation. If I connect as
> cn=Directory Manager it works fine.
>
> The difference seems to be that server 2 lacks the following entries
> in the slapd-server2/dse.ldif
>
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
> Group"; a
> llow (all) groupdn="ldap:///cn=Configuration Administrators,
> ou=Groups, ou=T
> opologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
> allow (a
> ll) userdn="ldap:///uid=admin, ou=Administrators,
> ou=TopologyManagement, o=N
> etscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
> groupdn = "l
> dap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group,
> cn=server1.example.com, ou=example.com, o=NetscapeRoot";)
>
> Adding them to dse.ldif on server 2 seems to fix things but I don't
> understand why they don't exist on server 2 and am concerned that this
> is a sign of something that I have failed to do correctly.
It's probably a bug in the failover setup procedures.
>
> Also what is the correct way to specify password in
> nsDS5ReplicaCredentials and userPassword when a) using ldapmodify
Provide the plain text
> or b) editing dse.ldif?
Don't do that.
> The documentation seems to say that you should use the hash of the
> password but that seems to give odd results.
Where does the documentation say that?
> Plain text passwords seem to work...
Yes - please use plain text passwords. That's the only way password
policy can be enforced, among other reasons.
>
> Thanks
> John
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20081001/4f21bf4b/attachment.bin>
More information about the Fedora-directory-users
mailing list