[Fedora-directory-users] Replicating o=NetscapeRoot for admin server failover

Rich Megginson rmeggins at redhat.com
Wed Oct 1 17:18:46 UTC 2008 

John Dickinson wrote:
> Hi,
>
> Using Fedora DS 1.1.2 (compiled from source) on CentOS 5.1.
>
> I am trying to replicate o=NetscapeRoot for admin server failover and 
> having a few problems.
>
> (I have read 
> http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Replication-Replicating-ADS-for-Failover.html) 
>
>
> The detailed notes I have written on the steps for doing this can be 
> found here 
> http://jadickinson.co.uk/test/howto/replicating-netscaperoot-on-fedora-ds/ 
>
>
> In short I
> 1. have server 1 already running
> 2. Add replication info to server 1
> 3. Install server 2
> 4. on server 2 run setup-ds.pl -f /tmp/config.inf
> 5. On server 1 initialize the consumer
>     So now server 2 has the replicated o=netscaperoot
> 6. on server 2 run register-ds-admin.pl
>
> When I do this I can connect with the console to server 1 and see both 
> servers listed. I can browse the ds and admin console for server 1 OK. 
> However, if I double click to open the directory console for server 2 
> and click on the configuration tab I get a message saying that 
> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot 
> doesn't have permission to perform this operation. If I connect as 
> cn=Directory Manager it works fine.
>
> The difference seems to be that server 2 lacks the following  entries 
> in the slapd-server2/dse.ldif
>
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators 
> Group"; a
>  llow (all) groupdn="ldap:///cn=Configuration Administrators, 
> ou=Groups, ou=T
>  opologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; 
> allow (a
>  ll) userdn="ldap:///uid=admin, ou=Administrators, 
> ou=TopologyManagement, o=N
>  etscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) 
> groupdn = "l
>  dap:///cn=slapd-server1, cn=Fedora Directory Server, cn=Server Group, 
> cn=server1.example.com, ou=example.com, o=NetscapeRoot";)
>
> Adding them to dse.ldif on server 2 seems to fix things but I don't 
> understand why they don't exist on server 2 and am concerned that this 
> is a sign of something that I have failed to do correctly.
It's probably a bug in the failover setup procedures.
>
> Also what is the correct way to specify password in 
> nsDS5ReplicaCredentials and userPassword when a) using ldapmodify
Provide the plain text
> or b) editing dse.ldif?
Don't do that.
> The documentation seems to say that you should use the hash of the 
> password but that seems to give odd results.
Where does the documentation say that?
> Plain text passwords seem to work...
Yes - please use plain text passwords.  That's the only way password 
policy can be enforced, among other reasons.
>
> Thanks
> John
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20081001/4f21bf4b/attachment.bin>

More information about the Fedora-directory-users mailing list