NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!

Listbox listbox at hymerfania.com
Fri Jan 25 19:31:06 UTC 2008


Got our first user created! 
I have an idea on why the setup-ds-admin.pl may not have worked completely.

When doing the first install, I ran the install script, then aborted it
(within the first few steps). I thought I was paranoid enough by running
"rpm -erase fedora-ds-1.1.0-3" and deleting the contents of:

/etc/dirsrv
/usr/lib/dirsrv
/usr/share/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv
/var/run/dirsrv
/var/log/dirsrv
/usr/lib/mozldap
/usr/share/doc/mozldap-6.0.5

Before I reinstalled and re-ran the install script. But I know I ran into a
slapd startup problem because I made a typo, and I only erased the contents
of "/var/run/dirsrv" and left the dir itself.
Until I tried to create users, that was the only problem due to a previous
install attempt. Maybe this was another.


Thanks again!


-----Original Message-----
From: Rich Megginson [mailto:rmeggins at redhat.com] 
Sent: Wednesday, January 23, 2008 12:33 PM
To: listbox at hymerfania.com
Cc: fedora-directory-users at redhat.com
Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users,
time for complete wipe and re-install?

Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif" 
> looks like what I get for the ldapquery of acis in dc=hymesruzicka, 
> dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).
>   
Right.  That's the file that is used for just the fedora-ds-base package
- the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may 
> be useful as a model to make more of the correct acis. Is this a good
> idea?
Yes.
> How
> much more should I modify it?
>   
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or
cn=schema or etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use
for an administrator.

You can just omit the SIE Group ACI

Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif

Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it
in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
>
> Thanks again!
>
> ************************************************
> ************************************************
> ************************************************
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=monitor> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)
>
> # search result
> search: 2
> result: 0 Success
>
>
>   





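Rich's recipe above (copy 16dssuffixadmin.mod.tmpl, replace %ds_suffix% and %as_uid%, omit the SIE Group ACI, feed the result to ldapmodify) as an added Python example; this is not code from the thread or from Fedora Directory Server, and TEMPLATE is a constructed copy of the template body quoted above. It unfolds LDIF continuation lines before matching, and refuses to emit an LDIF that still contains an unreplaced %token%.

```python
import re

# Constructed copy of the template body quoted in the thread (copyright block omitted).
# LDIF folds long values onto continuation lines that begin with a space.
TEMPLATE = """\
dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group";
  allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
  ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow
  (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
  groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server,
  cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
"""

def unfold(ldif):
    """Join LDIF continuation lines into one logical line each (RFC 2849: drop one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def render(template, tokens, drop_acls=("SIE Group",)):
    """Substitute %token% values and drop the named ACIs; a leftover %token%
    raises, so a typo in the token map cannot silently yield an ACI that
    ldapmodify accepts but that names the wrong subject."""
    out = []
    for line in unfold(template):
        if line.startswith("aci:") and any(f'acl "{n}"' in line for n in drop_acls):
            continue
        for name, value in tokens.items():
            line = line.replace(f"%{name}%", value)
        leftover = re.findall(r"%[a-z_]+%", line)
        if leftover:
            raise ValueError(f"unreplaced tokens {leftover} in: {line}")
        out.append(line)
    return "\n".join(out) + "\n"

def acl_names(ldif):
    """ACL names present in the rendered LDIF, for a sanity check before applying it."""
    return re.findall(r'acl "([^"]+)"', ldif)

if __name__ == "__main__":
    print(render(TEMPLATE, {"ds_suffix": "dc=hymesruzicka, dc=org", "as_uid": "admin"}), end="")
```

Redirect the output to a new file (the template itself stays untouched) and apply it with `ldapmodify -x -D "cn=directory manager" -W -f thefile.ldif`; re-run the ldapsearch loop from the thread afterwards to confirm the two ACIs now appear on the suffix.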