[Freeipa-users] slapi-nis help

Brandon Young bkyoung at gmail.com
Thu Aug 13 19:19:23 UTC 2009


Hi all,

I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
the NIS gateway functionality.  I am having difficulties, and am not
even sure I'm performing the correct steps.

I am using Fedora 11 x86_64 with all the updates available as of
today.  Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
slapi-nis-0.15 (which is not the newest, but I *think* should be
fine).

I configured ipa server unattended with the following command:

[root at freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
--hostname=freeipa.example.org -N --no-host-dns -u admin -U


At this point, I can kinit as the admin user and perform ldap searches
on the tree.  I took the example ldif file from
/usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
as described in the getting started guide here
(http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
which is devoid of specific instructions for *how* to add the ldif
entries.  I futzed around with openldap's ldapadd tool, and can't
figure out how to obtain the necessary access rights to make the
updates.  As nearly as I can tell, the only administrative user is
uid=admin,cn=users,cn=accounts,dc=example,dc=org.  If I do a simple
bind as that user it fails:

[root at freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
"uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
Enter LDAP Password:
adding new entry "cn=NIS Server, cn=plugins, cn=config"
ldap_add: Insufficient access (50)

Why?  Am I using the wrong account?  Should I know about another
account to do this?  As nearly as I can tell, there aren't any other
accounts.  Is this the wrong tool to use?

I poked around and found the ipa-ldap-modify command.  After modifying
the original example ldif file from this:

dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
nsslapd-pluginenabled: on
nsslapd-pluginid: nis-server
nsslapd-pluginversion: 0.15
nsslapd-pluginvendor: redhat.com
nsslapd-plugindescription: NIS Server Plugin
nis-tcp-wrappers-name: nis-server


... to this:

dn: cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: nsSlapdPlugin
add: objectclass: extensibleObject
add: cn: NIS Server
add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
add: nsslapd-plugininitfunc: nis_plugin_init
add: nsslapd-plugintype: object
add: nsslapd-pluginenabled: on
add: nsslapd-pluginid: nis-server
add: nsslapd-pluginversion: 0.15
add: nsslapd-pluginvendor: redhat.com
add: nsslapd-plugindescription: NIS Server Plugin
add: nis-tcp-wrappers-name: nis-server


Now, issuing the command

[root at freeipa ~]# ipa-ldap-updater nis-plugin.ldif
Directory Manager password:


Says it adds the entries.  No indication of a problem.  BUT, if I
ldapsearch -b "cn=config", I don't see the new entry.  Should I?

At any rate, when I attempt to restart dirsrv, I get the following:

[root at freeipa ~]# service dirsrv restart
Shutting down dirsrv:
    EXAMPLE-ORG...                               [  OK  ]
Starting dirsrv:
    EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
plugins / nisserver-plugin.so: cannot open shared object file: No such
file or directory
[13/Aug/2009:11:42:03 -0500] - Could not open library
"/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
nisserver-plugin.so" for plugin NIS Server
[13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
cn=plugins, cn=config"
                                                           [FAILED]
  *** Warning: 1 instance(s) failed to start



So, ipa-ldap-updater did *something*.  I have no idea why the plugin
path is getting mangled the way it is, though.  Symlinking doesn't
seem to fix the issue, either.  I'm stumped, and suspect I'm doing
something completely boneheaded.  Does anyone else have this working?
Any guidance would be greatly appreciated.


--
Brandon
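Added example, not part of the post above and not code from slapi-nis or FreeIPA: a small Python check that parses a plugin entry of the shape shown in the message and validates its nsslapd-pluginpath (absolute, no whitespace, no empty path component, present on disk) before dirsrv is restarted, and that pulls the library path out of a dirsrv "Could not open library" log line so the configured path and the path the server actually tried to load can be compared side by side. The sample LDIF and log text are constructed from the message; the handling of "add: attr: value" lines (the prefix is simply stripped) is an assumption, since the updater's real file format is not described in the post, and the file-existence check is injectable so the code runs offline.

```python
"""Pre-flight check for a 389-ds plugin entry before restarting dirsrv.

Added example; assumes nothing about FreeIPA beyond the attribute names
visible in the posted LDIF. The 'add:' prefix handling is an assumption.
"""
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed sample input, shaped like the nis-plugin.ldif entry in the post.
SAMPLE_LDIF = """\
dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
nsslapd-pluginenabled: on
nsslapd-pluginid: nis-server
"""

# Constructed sample log, modelled on the wrapped dirsrv startup error in the post.
SAMPLE_LOG = """\
[13/Aug/2009:11:42:03 -0500] - Could not open library
"/usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
plugins / nisserver-plugin.so" for plugin NIS Server
"""

# Attributes every plugin entry in the post carries; missing ones are reported.
REQUIRED = ("nsslapd-pluginpath", "nsslapd-plugininitfunc",
            "nsslapd-plugintype", "nsslapd-pluginenabled")


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Return attribute -> values for one LDIF entry (attribute names lowercased).

    Lines written as 'add: attr: value' have the leading 'add:' token stripped
    so both variants shown in the post parse identically (an assumption about
    the updater format, not documented behaviour)."""
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("add:"):
            line = line[4:].strip()
        if ":" not in line:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        name, value = line.split(":", 1)
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_plugin_path(path: str,
                      exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Return a list of problems with a plugin library path (empty if it looks sane)."""
    problems: List[str] = []
    if not path.startswith("/"):
        problems.append("plugin path is not absolute")
    if re.search(r"\s", path):
        problems.append("plugin path contains whitespace")
    if "//" in path:
        problems.append("plugin path contains an empty component ('//')")
    # Only consult the filesystem when the string itself is well-formed.
    if not problems and not exists(path):
        problems.append("plugin path does not exist on this host")
    return problems


def library_path_from_log(log: str) -> Optional[str]:
    """Extract the quoted library path from a 'Could not open library' message.

    Mailing-list wrapping is undone by collapsing all whitespace runs first."""
    flat = " ".join(log.split())
    m = re.search(r'Could not open library "([^"]+)"', flat)
    return m.group(1) if m else None


def audit_plugin_entry(text: str,
                       exists: Callable[[str], bool] = os.path.isfile) -> List[str]:
    """Parse an entry and report missing attributes plus any plugin-path problems."""
    attrs = parse_ldif_entry(text)
    problems = [f"missing attribute {a}" for a in REQUIRED if a not in attrs]
    for path in attrs.get("nsslapd-pluginpath", []):
        problems.extend(check_plugin_path(path, exists))
    return problems


if __name__ == "__main__":
    print("configured:", parse_ldif_entry(SAMPLE_LDIF)["nsslapd-pluginpath"])
    print("loaded    :", library_path_from_log(SAMPLE_LOG))
    print("ldif check:", audit_plugin_entry(SAMPLE_LDIF) or "ok")
    print("log  check:", check_plugin_path(library_path_from_log(SAMPLE_LOG) or ""))
```

Run it on the real nis-plugin.ldif and the dirsrv error log on the box; a non-empty result from either check is a reason not to restart the instance until the path is corrected, since a plugin entry with a bad library path stops the whole directory instance from starting, as the posted output shows.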
