[Freeipa-users] slapi-nis help

Rob Crittenden rcritten at redhat.com
Thu Aug 13 19:38:58 UTC 2009


Brandon Young wrote:
> Hi all,
> 
> I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
> the NIS gateway functionality.  I am having difficulties, and am not
> even sure I'm performing the correct steps.
> 
> I am using Fedora 11 x86_64 with all the updates available as of
> today.  Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
> slapi-nis-0.15 (which is not the newest, but I *think* should be
> fine)..
> 
> I configured ipa server unattended with the following command:
> 
> [root at freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
> example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
> --hostname=freeipa.example.org -N --no-host-dns -u admin -U
> 
> 
> At this point, I can kinit as the admin user and perform ldap searches
> on the tree.  I took the example ldif file from
> /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
> as described in the getting started guide here
> (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
> which is devoid of specific instructions for *how* to add the ldif
> entries.  I futzed around with openldap's ldapadd tool, and can't
> figure out how to obtain the necessary access rights to make the
> updates.  As nearly as I can tell, the only administrative user is
> uid=admin,cn=users,cn=accounts,dc=example,dc=org.  If I do a simple
> bind as that user it fails:
> 
> [root at freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
> "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
> Enter LDAP Password:
> adding new entry "cn=NIS Server, cn=plugins, cn=config"
> ldap_add: Insufficient access (50)
> 
> Why?  Am I using the wrong account?  Should I know about another
> account to do this?  As nearly as I can tell, there aren't any other
> accounts.  Is this the wrong tool to use?
> 
> I poked around and found the ipa-ldap-modify command.  After modifying
> the original example ldif file from this:
> 
> dn: cn=NIS Server, cn=plugins, cn=config
> objectclass: top
> objectclass: nsSlapdPlugin
> objectclass: extensibleObject
> cn: NIS Server
> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> nsslapd-plugininitfunc: nis_plugin_init
> nsslapd-plugintype: object
> nsslapd-pluginenabled: on
> nsslapd-pluginid: nis-server
> nsslapd-pluginversion: 0.15
> nsslapd-pluginvendor: redhat.com
> nsslapd-plugindescription: NIS Server Plugin
> nis-tcp-wrappers-name: nis-server
> 
> 
> ... to this:
> 
> dn: cn=NIS Server, cn=plugins, cn=config
> add: objectclass: top
> add: objectclass: nsSlapdPlugin
> add: objectclass: extensibleObject
> add: cn: NIS Server
> add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
> add: nsslapd-plugininitfunc: nis_plugin_init
> add: nsslapd-plugintype: object
> add: nsslapd-pluginenabled: on
> add: nsslapd-pluginid: nis-server
> add: nsslapd-pluginversion: 0.15
> add: nsslapd-pluginvendor: redhat.com
> add: nsslapd-plugindescription: NIS Server Plugin
> add: nis-tcp-wrappers-name: nis-server
> 
> 
> Now, issuing the command
> 
> [root at freeipa ~]# ipa-ldap-updater nis-plugin.ldif
> Directory Manager password:
> 
> 
> Says it adds the entries.  No indication of a problem.  BUT, if I
> ldapsearch -b "cn=config", I don't see the new entry.  Should I?
> 
> At any rate, when I attempt to restart dirsrv, I get the following:
> 
> [root at freeipa ~]# service dirsrv restart
> Shutting down dirsrv:
>     EXAMPLE-ORG...                               [  OK  ]
> Starting dirsrv:
>     EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
> Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
> plugins / nisserver-plugin.so: cannot open shared object file: No such
> file or directory
> [13/Aug/2009:11:42:03 -0500] - Could not open library
> "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
> nisserver-plugin.so" for plugin NIS Server
> [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
> cn=plugins, cn=config"
>                                                            [FAILED]
>   *** Warning: 1 instance(s) failed to start
> 
> 
> 
> So, ipa-ldap-updater did *something*.  I have no idea why the plugin
> path is getting mangled the way it is, though.  Symlinking doesn't
> seem to fix the issue, either.  I'm stumped, and suspect I'm doing
> something completely boneheaded.  Does anyone else have this working?
> Any guidance would be greatly appreciated.

With ldapadd or ldapmodify you want to use the Directory Manager 
credentials, so this would have worked:

% ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif

You don't see the entries under cn=config because you need to be 
Directory Manager to see them:

% ldapsearch -x -D "cn=directory manager" -W -b "cn=config"

I'd have to see what the config entry looks like to see why it isn't 
starting. IIRC DS prints a rather odd message when it can't load a 
plugin, though this looks particularly strange. It could be that the 
updater didn't write the entry properly.

rob
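The thread shows two things worth checking before touching cn=config: the plugin LDIF has to be rewritten into the `add: attr: value` form that ipa-ldap-updater consumes, and the resulting `nsslapd-pluginpath` must be a clean, existing absolute path, because a mangled path only surfaces when the directory server instance fails to start. The script below is an added example, not code from the thread, from FreeIPA or from the slapi-nis project; the function names and the `path_exists` hook are assumptions made here, and the sample LDIF is the nis-plugin.ldif entry quoted in the thread, embedded as constructed input so the script runs offline.

```python
"""Preflight checks for a 389-DS plugin LDIF before loading it into cn=config.

Added example (not from the thread or the slapi-nis project). It parses the
plain ldapadd-style LDIF quoted in the thread, rewrites it into the
`add: attr: value` form the poster used with ipa-ldap-updater, and validates
the plugin entry so a bad nsslapd-pluginpath is caught before
`service dirsrv restart` fails.
"""
import os
import re

# Constructed sample input: the nis-plugin.ldif entry quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
nsslapd-pluginenabled: on
nsslapd-pluginid: nis-server
nsslapd-pluginversion: 0.15
nsslapd-pluginvendor: redhat.com
nsslapd-plugindescription: NIS Server Plugin
nis-tcp-wrappers-name: nis-server
"""

REQUIRED_PLUGIN_ATTRS = (
    "nsslapd-pluginpath",
    "nsslapd-plugininitfunc",
    "nsslapd-plugintype",
    "nsslapd-pluginenabled",
)


def parse_ldif(text):
    """Parse a single-entry LDIF into (dn, [(attr, value), ...]).

    Handles LDIF line folding (a line starting with one space continues the
    previous value) and skips comments and blank lines.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, []
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr, value))
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def to_updater_format(dn, attrs):
    """Rewrite the entry into the `add: attr: value` form shown in the thread."""
    out = ["dn: " + dn]
    out.extend("add: %s: %s" % (attr, value) for attr, value in attrs)
    return "\n".join(out) + "\n"


def check_plugin_entry(dn, attrs, path_exists=os.path.isfile):
    """Return a list of problems with a cn=plugins,cn=config entry.

    `path_exists` (hypothetical hook) is injectable so the check can run on a
    host where the plugin library is not installed.
    """
    problems = []
    values = {}
    for attr, value in attrs:
        values.setdefault(attr.lower(), []).append(value)
    if not dn.lower().replace(" ", "").endswith("cn=plugins,cn=config"):
        problems.append("dn is not under cn=plugins,cn=config: %s" % dn)
    for required in REQUIRED_PLUGIN_ATTRS:
        if required not in values:
            problems.append("missing attribute %s" % required)
    for path in values.get("nsslapd-pluginpath", []):
        # A mangled path like the one in the thread contains '//' and spaces;
        # normpath() changes it, and any whitespace is a red flag.
        if (not path.startswith("/") or os.path.normpath(path) != path
                or re.search(r"\s", path)):
            problems.append("plugin path is not a clean absolute path: %r" % path)
        elif not path_exists(path):
            problems.append("plugin library not found: %s" % path)
    return problems


if __name__ == "__main__":
    entry_dn, entry_attrs = parse_ldif(SAMPLE_LDIF)
    print(to_updater_format(entry_dn, entry_attrs))
    for problem in check_plugin_entry(entry_dn, entry_attrs):
        print("PROBLEM:", problem)
```

Run the check against the LDIF you intend to load and, after loading, against what `ldapsearch -x -D "cn=directory manager" -W -b "cn=config"` actually returns for the entry; the second run is the one that would have exposed the doubled path in the thread before the restart.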