[Freeipa-users] slapi-nis help

Brandon Young bkyoung at gmail.com
Thu Aug 13 22:04:30 UTC 2009


Aha!  That worked, and the ldapadd was successful, and the ldapsearch
revealed the new entries, and the dirsrv restarted!  Now I can see
ypserv when I look at rpcinfo.  Thank you very much, Rob.

--
Brandon

On Thu, Aug 13, 2009 at 2:38 PM, Rob Crittenden<rcritten at redhat.com> wrote:
> Brandon Young wrote:
>>
>> Hi all,
>>
>> I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
>> the NIS gateway functionality.  I am having difficulties, and am not
>> even sure I'm performing the correct steps.
>>
>> I am using Fedora 11 x86_64 with all the updates available as of
>> today.  Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
>> slapi-nis-0.15 (which is not the newest, but I *think* should be
>> fine).
>>
>> I configured ipa server unattended with the following command:
>>
>> [root@freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
>> example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
>> --hostname=freeipa.example.org -N --no-host-dns -u admin -U
>>
>>
>> At this point, I can kinit as the admin user and perform ldap searches
>> on the tree.  I took the example ldif file from
>> /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
>> as described in the getting started guide here
>>
>> (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
>> which is devoid of specific instructions for *how* to add the ldif
>> entries.  I futzed around with openldap's ldapadd tool, and can't
>> figure out how to obtain the necessary access rights to make the
>> updates.  As nearly as I can tell, the only administrative user is
>> uid=admin,cn=users,cn=accounts,dc=example,dc=org.  If I do a simple
>> bind as that user it fails:
>>
>> [root@freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
>> "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
>> Enter LDAP Password:
>> adding new entry "cn=NIS Server, cn=plugins, cn=config"
>> ldap_add: Insufficient access (50)
>>
>> Why?  Am I using the wrong account?  Should I know about another
>> account to do this?  As nearly as I can tell, there aren't any other
>> accounts.  Is this the wrong tool to use?
>>
>> I poked around and found the ipa-ldap-modify command.  I modified
>> the original example ldif file from this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: nsSlapdPlugin
>> objectclass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-plugininitfunc: nis_plugin_init
>> nsslapd-plugintype: object
>> nsslapd-pluginenabled: on
>> nsslapd-pluginid: nis-server
>> nsslapd-pluginversion: 0.15
>> nsslapd-pluginvendor: redhat.com
>> nsslapd-plugindescription: NIS Server Plugin
>> nis-tcp-wrappers-name: nis-server
>>
>>
>> ... to this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> add: objectclass: top
>> add: objectclass: nsSlapdPlugin
>> add: objectclass: extensibleObject
>> add: cn: NIS Server
>> add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> add: nsslapd-plugininitfunc: nis_plugin_init
>> add: nsslapd-plugintype: object
>> add: nsslapd-pluginenabled: on
>> add: nsslapd-pluginid: nis-server
>> add: nsslapd-pluginversion: 0.15
>> add: nsslapd-pluginvendor: redhat.com
>> add: nsslapd-plugindescription: NIS Server Plugin
>> add: nis-tcp-wrappers-name: nis-server
>>
>>
>> Now, issuing the command
>>
>> [root@freeipa ~]# ipa-ldap-updater nis-plugin.ldif
>> Directory Manager password:
>>
>>
>> Says it adds the entries.  No indication of a problem.  BUT, if I
>> ldapsearch -b "cn=config", I don't see the new entry.  Should I?
>>
>> At any rate, when I attempt to restart dirsrv, I get the following:
>>
>> [root@freeipa ~]# service dirsrv restart
>> Shutting down dirsrv:
>>    EXAMPLE-ORG...                               [  OK  ]
>> Starting dirsrv:
>>    EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
>> Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
>> plugins / nisserver-plugin.so: cannot open shared object file: No such
>> file or directory
>> [13/Aug/2009:11:42:03 -0500] - Could not open library
>> "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
>> nisserver-plugin.so" for plugin NIS Server
>> [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
>> cn=plugins, cn=config"
>>                                                           [FAILED]
>>  *** Warning: 1 instance(s) failed to start
>>
>>
>>
>> So, ipa-ldap-updater did *something*.  I have no idea why the plugin
>> path is getting mangled the way it is, though.  Symlinking doesn't
>> seem to fix the issue, either.  I'm stumped, and suspect I'm doing
>> something completely boneheaded.  Does anyone else have this working?
>> Any guidance would be greatly appreciated.
>
> With ldapadd or ldapmodify you want to use the Directory Manager
> credentials, so this would have worked:
>
> % ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif
>
> You don't see the entries under cn=config because you need to be Directory
> Manager to see them:
>
> % ldapsearch -x -D "cn=directory manager" -W -b "cn=config"
>
> I'd have to see what the config entry looks like to see why it isn't
> starting. IIRC DS prints a rather odd message when it can't load a plugin,
> though this looks particularly strange. It could be that the updater didn't
> write the entry properly.
>
> rob
>
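
A pre-restart check for the plugin-load failure in the thread, as an added example (not from the thread, slapi-nis or FreeIPA): it reads nsslapd-pluginpath out of an LDIF file and flags a value that contains whitespace or an absolute path that cannot be read. The function names and the whitespace heuristic are assumptions made for this example, and the sample entry is constructed.

```shell
#!/bin/sh
# Check the nsslapd-pluginpath of a plugin entry before restarting dirsrv.

# Join LDIF continuation lines (a line starting with one space continues the
# previous line) so a wrapped value is read whole.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }' "$1"
}

# Print the first nsslapd-pluginpath value. Accepts plain LDIF
# ("attr: value") and the "add: attr: value" form shown in the thread.
plugin_path() {
    unfold_ldif "$1" | awk '{
        line = $0; sub(/^add:[ \t]*/, "", line)
        if (tolower(line) ~ /^nsslapd-pluginpath:/) {
            sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            print line; exit
        } }'
}

# Status: 0 usable, 1 attribute missing, 2 whitespace in the value (treated
# here as a sign of a damaged value), 3 absolute path not readable.
# A relative value is left for the server to resolve and is not looked up.
check_plugin_path() {
    p=$(plugin_path "$1")
    [ -n "$p" ] || { echo "no nsslapd-pluginpath in $1" >&2; return 1; }
    case $p in
        *[[:space:]]*) echo "whitespace in path: $p" >&2; return 2 ;;
    esac
    case $p in
        /*) [ -r "$p" ] || { echo "cannot read: $p" >&2; return 3; } ;;
    esac
    return 0
}

# Constructed sample: a plugin entry whose path value contains spaces,
# modelled on the path in the error log quoted in the thread.
sample=$(mktemp)
printf '%s\n' 'dn: cn=NIS Server, cn=plugins, cn=config' \
    'nsslapd-pluginpath: /usr / lib64 / dirsrv / plugins / nisserver-plugin.so' \
    > "$sample"
check_plugin_path "$sample" || echo "check failed with status $?"
rm -f "$sample"
```

To check the live entry, save the output of the Directory Manager ldapsearch shown in the reply to a file and pass that file to `check_plugin_path`.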



