NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!
Listbox
listbox at hymerfania.com
Fri Jan 25 19:31:06 UTC 2008
Got our first user created!
I have an idea on why the setup-ds-admin.pl may not have worked completely.
When doing the first install, I ran the install script, then aborted it
(within the first few steps). I thought I was paranoid enough by running
"rpm -erase fedora-ds-1.1.0-3" and deleting the contents of:
/etc/dirsrv
/usr/lib/dirsrv
/usr/share/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv
/var/run/dirsrv
/var/log/dirsrv
/usr/lib/mozldap
/usr/share/doc/mozldap-6.0.5
before I reinstalled and re-ran the install script. But I know I ran into a
slapd startup problem because I made a typo, and I only erased the contents
of "/var/run/dirsrv" and left the dir itself.
Until I tried to create users, that was the only problem due to a previous
install attempt. Maybe this was another.
Thanks again!
-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com]
Sent: Wednesday, January 23, 2008 12:33 PM
To: listbox at hymerfania.com
Cc: fedora-directory-users at redhat.com
Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users,
time for complete wipe and re-install?
Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif"
> looks like what I get for the ldapquery of acis in dc=hymesruzicka,
> dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).
>
Right. That's the file that is used for just the fedora-ds-base package
- the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and it looks like it may
> be useful as a model to make more of the correct acis. Is this a good
> idea?
Yes.
> How much more should I modify it?
>
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or
cn=schema or etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use
for an administrator.
You can just omit the SIE Group ACI.
Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif
Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it
in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
> Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,
> ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
> allow
> (all) userdn="ldap:///uid=%as_uid%,ou=Administrators,
> ou=TopologyManagement,
> o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
> groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server,
> cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
>
> Thanks again!
>
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
> 3.0;acl "snmp";allow (read, search, compare)(userdn =
> "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
> allow( read , search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=monitor> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)
>
> # search result
> search: 2
> result: 0 Success
>
>
>
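As an added example (not code from the thread, from Rich, or from the Fedora DS project), a small Python helper that does the %token% substitution Rich describes on a copy of the template, omits the SIE Group ACI, refuses to emit LDIF while any token is unresolved, and lists which DNs the remaining ACIs grant rights to so you can review them before running ldapmodify. The embedded template is a constructed sample modelled on the 16dssuffixadmin.mod.tmpl quoted above, not the real file.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the 16dssuffixadmin.mod.tmpl quoted in the
# thread, not the real file. LDIF folds long values onto continuation lines
# that begin with a single space.
SAMPLE_TEMPLATE = """dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group";
  allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
  ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow
  (all) userdn="ldap:///uid=%as_uid%,ou=Administrators,ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
  groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server,
  cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
"""

TOKEN_RE = re.compile(r"%([A-Za-z_]+)%")
GRANTEE_RE = re.compile(r'(userdn|groupdn)\s*=\s*"ldap:///([^"]+)"')


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto their value."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def render_template(text: str, values: Dict[str, str],
                    drop_acls=("SIE Group",)) -> str:
    """Fill %token% items; drop ACIs we cannot fill; reject leftover tokens."""
    out: List[str] = []
    for line in unfold_ldif(text):
        if line.startswith("aci:") and any(f'acl "{n}"' in line for n in drop_acls):
            continue  # e.g. the SIE Group ACI, which needs %dsid%/%fqdn%/...
        line = TOKEN_RE.sub(lambda m: values.get(m.group(1), m.group(0)), line)
        leftover = TOKEN_RE.findall(line)
        if leftover:
            raise ValueError(f"unresolved tokens {leftover} in: {line}")
        out.append(line)
    return "\n".join(out) + "\n"


def grantees(ldif: str) -> List[str]:
    """DNs the rendered ACIs grant rights to: review these before ldapmodify."""
    return [dn for _, dn in GRANTEE_RE.findall(ldif)]
```

Write the returned LDIF to a new file and feed it to ldapmodify as Rich shows; the admin DN you substitute must already exist in the directory, since the ACI only references it.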