[Freeipa-users] slapi-nis help
Rob Crittenden
rcritten at redhat.com
Thu Aug 13 19:38:58 UTC 2009
Brandon Young wrote:
> Hi all,
>
> I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
> the NIS gateway functionality. I am having difficulties, and am not
> even sure I'm performing the correct steps.
>
> I am using Fedora 11 x86_64 with all the updates available as of
> today. Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
> slapi-nis-0.15 (which is not the newest, but I *think* should be
> fine).
>
> I configured ipa server unattended with the following command:
>
> [root at freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
> example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
> --hostname=freeipa.example.org -N --no-host-dns -u admin -U
>
>
> At this point, I can kinit as the admin user and perform ldap searches
> on the tree. I took the example ldif file from
> /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
> as described in the getting started guide here
> (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
> which is devoid of specific instructions for *how* to add the ldif
> entries. I futzed around with openldap's ldapadd tool, and can't
> figure out how to obtain the necessary access rights to make the
> updates. As nearly as I can tell, the only administrative user is
> uid=admin,cn=users,cn=accounts,dc=example,dc=org. If I do a simple
> bind as that user it fails:
>
> [root at freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
> "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
> Enter LDAP Password:
> adding new entry "cn=NIS Server, cn=plugins, cn=config"
> ldap_add: Insufficient access (50)
>
> Why? Am I using the wrong account? Should I know about another
> account to do this? As nearly as I can tell, there aren't any other
> accounts. Is this the wrong tool to use?
>
> I poked around and found the ipa-ldap-modify command. After modifying
> the original example ldif file from this:
>
> dn: cn=NIS Server, cn=plugins, cn=config
> objectclass: top
> objectclass: nsSlapdPlugin
> objectclass: extensibleObject
> cn: NIS Server
> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> nsslapd-plugininitfunc: nis_plugin_init
> nsslapd-plugintype: object
> nsslapd-pluginenabled: on
> nsslapd-pluginid: nis-server
> nsslapd-pluginversion: 0.15
> nsslapd-pluginvendor: redhat.com
> nsslapd-plugindescription: NIS Server Plugin
> nis-tcp-wrappers-name: nis-server
>
>
> ... to this:
>
> dn: cn=NIS Server, cn=plugins, cn=config
> add: objectclass: top
> add: objectclass: nsSlapdPlugin
> add: objectclass: extensibleObject
> add: cn: NIS Server
> add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> add: nsslapd-plugininitfunc: nis_plugin_init
> add: nsslapd-plugintype: object
> add: nsslapd-pluginenabled: on
> add: nsslapd-pluginid: nis-server
> add: nsslapd-pluginversion: 0.15
> add: nsslapd-pluginvendor: redhat.com
> add: nsslapd-plugindescription: NIS Server Plugin
> add: nis-tcp-wrappers-name: nis-server
>
>
> Now, issuing the command
>
> [root at freeipa ~]# ipa-ldap-updater nis-plugin.ldif
> Directory Manager password:
>
>
> Says it adds the entries. No indication of a problem. BUT, if I
> ldapsearch -b "cn=config", I don't see the new entry. Should I?
>
> At any rate, when I attempt to restart dirsrv, I get the following:
>
> [root at freeipa ~]# service dirsrv restart
> Shutting down dirsrv:
> EXAMPLE-ORG... [ OK ]
> Starting dirsrv:
> EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
> Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
> plugins / nisserver-plugin.so: cannot open shared object file: No such
> file or directory
> [13/Aug/2009:11:42:03 -0500] - Could not open library
> "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
> nisserver-plugin.so" for plugin NIS Server
> [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
> cn=plugins, cn=config"
> [FAILED]
> *** Warning: 1 instance(s) failed to start
>
>
>
> So, ipa-ldap-updater did *something*. I have no idea why the plugin
> path is getting mangled the way it is, though. Symlinking doesn't
> seem to fix the issue, either. I'm stumped, and suspect I'm doing
> something completely boneheaded. Does anyone else have this working?
> Any guidance would be greatly appreciated.

With ldapadd or ldapmodify you want to use the Directory Manager
credentials, so this would have worked:

% ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif

You don't see the entries under cn=config because you need to be
Directory Manager to see them:

% ldapsearch -x -D "cn=directory manager" -W -b "cn=config"

I'd have to see what the config entry looks like to see why it isn't
starting. IIRC DS prints a rather odd message when it can't load a
plugin, though this looks particularly strange. It could be that the
updater didn't write the entry properly.

rob
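A pre-flight check for a plugin LDIF, added here as an example; it is not code from FreeIPA, slapi-nis or anyone in the thread. Because a plugin entry that the server cannot load stops the whole dirsrv instance from starting, it pays to validate the file offline before feeding it to ldapadd or the updater. The script parses a single-entry LDIF, then flags: a dn outside cn=plugins,cn=config, attribute lines carrying an "add:" prefix (in plain LDIF that is an attribute named "add", so the real attributes go missing), a relative or whitespace-containing nsslapd-pluginpath, and a path that resolves outside the server's plugin directory, including via ".." traversal. The two embedded LDIF snippets are reconstructed from the message above; TRUSTED_PLUGIN_DIR and the function names are my own choices, and the rule that 389-DS resolves a bare file name against its plugin directory is an assumption stated in the code.

```python
"""Validate a 389-DS plugin entry in LDIF form before loading it.

Example code, not part of FreeIPA or slapi-nis.  The LDIF snippets below
are reconstructed from the mailing-list thread, not copied from real files.
"""
import base64
import os
import posixpath

# Directory the thread's nis-plugin.ldif points into on x86_64.  Treating it
# as the only acceptable location is this example's policy, not a DS rule.
TRUSTED_PLUGIN_DIR = "/usr/lib64/dirsrv/plugins"

ORIGINAL_LDIF = """\
dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
nsslapd-pluginenabled: on
nsslapd-pluginid: nis-server
"""

# The "add:"-prefixed variant that was handed to ipa-ldap-updater.
PREFIXED_LDIF = """\
dn: cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: nsSlapdPlugin
add: cn: NIS Server
add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
add: nsslapd-plugininitfunc: nis_plugin_init
add: nsslapd-pluginenabled: on
"""

REQUIRED = ("objectclass", "nsslapd-pluginpath",
            "nsslapd-plugininitfunc", "nsslapd-pluginenabled")


def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr: [values]}).

    Handles comment lines, line folding (continuation lines start with a
    single space) and base64 values ("attr:: <b64>").  Attribute names are
    lower-cased; values keep their order.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:          # folded continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        name = name.strip().lower()
        if value.startswith(":"):                   # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def check_plugin_entry(text, check_file_exists=False):
    """Return a list of problems found in the plugin entry; [] means OK."""
    problems = []
    dn, attrs = parse_ldif(text)
    # Normalise the spaces after commas so "cn=plugins, cn=config" compares.
    norm_dn = ",".join(p.strip() for p in dn.split(",")).lower()
    if not norm_dn.endswith("cn=plugins,cn=config"):
        problems.append("dn is not under cn=plugins,cn=config: " + dn)
    if "add" in attrs:
        problems.append("%d lines carry an 'add:' prefix; as plain LDIF they "
                        "define an attribute named 'add'" % len(attrs["add"]))
    for name in REQUIRED:
        if name not in attrs:
            problems.append("missing attribute: " + name)
    for path in attrs.get("nsslapd-pluginpath", []):
        if not path.startswith("/"):
            # Assumption: DS resolves a bare name against its plugin dir.
            problems.append("plugin path is relative: " + path)
        elif any(ch.isspace() for ch in path):
            problems.append("plugin path contains whitespace: " + path)
        elif posixpath.dirname(posixpath.normpath(path)) != TRUSTED_PLUGIN_DIR:
            problems.append("plugin path resolves outside %s: %s"
                            % (TRUSTED_PLUGIN_DIR, path))
        elif check_file_exists and not os.path.isfile(path):
            problems.append("plugin shared object not found: " + path)
    enabled = attrs.get("nsslapd-pluginenabled", ["on"])[0].lower()
    if enabled not in ("on", "off"):
        problems.append("nsslapd-pluginenabled must be on/off, got " + enabled)
    return problems


if __name__ == "__main__":
    for label, ldif in (("original", ORIGINAL_LDIF), ("prefixed", PREFIXED_LDIF)):
        print(label, check_plugin_entry(ldif) or "OK")
```

Run it with check_file_exists=True on the server itself to also confirm the .so is present before restarting dirsrv; the original snippet passes every check, while the prefixed one reports the stray "add" attribute and four missing required attributes. Whether that prefix is what produced the mangled path in the thread the check cannot say; it only tells you the file is not valid plain LDIF for ldapadd.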