[Fedora-directory-users] Installing 2 MMR servers, and the aci's don't match after everything is setup
Rich Megginson
rmeggins at redhat.com
Thu Feb 19 15:07:10 UTC 2009
Ryan Braun [ADS] wrote:
> Hey guys, I'm setting up 2 mmr servers, and am wondering why the ACIs on both machines don't end up being the same. All of the replication and configuring of the servers
> has been done in Perl and NOT the console. Here is the process I used when setting up the servers. I'm using custom built packages on etch.
>
> ii fedora-ds-admin 1.1.6 Fedora Administration Server (admin)
> ii fedora-ds-admin-console 1.1.2 Fedora Admin Server Management Console
> ii fedora-ds-base 1.1.3 Fedora Directory Server (base)
> ii fedora-ds-console 1.1.2 Fedora Directory Server Management Console
> ii mozldap 6.0.5 Mozilla LDAP C SDK
> ii mozldap-dev 6.0.5 Mozilla LDAP C SDK
> ii mozldap-tools 6.0.5 Mozilla LDAP C SDK
> ii ldapsdk 4.17-4 Enables applications to manage information s
> ii perldap 1.5.2 PerLDAP is a set of modules written in Perl
> ii libadminutil 1.1.7 Utility library for directory server adminis
> ii libsvrcore 4.0.4 Secure PIN handling using NSS crypto
> ii libapache2-mod-nss 1.0.8 mod_nss is an SSL provider derived from the
>
>
>
> 1. install mmr1 server using setup-ds-admin.pl
> 2. install mmr2 server using setup-ds.pl
> 3. configure ssl/tls on each machine and confirm ldapsearches etc. are encrypted.
> 4. create root suffix o=netscaperoot on mmr2.
> 5. enable mmr replication of userroot on both mmr1 and mmr2
> 6. init UserRoot replication agreement on mmr1.
> 7. enable mmr replication of o=netscaperoot on both mmr1 and mmr2.
> 8. init NetscapeRoot replication agreement on mmr1.
> 9. run register-ds-admin.pl on mmr2
>
> At this point, I can confirm that encryption is working over both machines, all replication agreements are over SSL and are working as expected. admin server is running on
> both machines, and both servers are accessible from each admin-server instance.
>
> So I opened up the console, and opened up a session to each server, and that's when I noticed the different amount of ACIs on each server.
>
> on mmr1: o=NetscapeRoot has 5 ACIs
> UserRoot has 6
> cn=schema has 4
> cn=monitor has 1
> cn=config has 3
>
> on mmr2: o=NetscapeRoot has 5 ACIs
> UserRoot has 6
> cn=schema has 1
> cn=monitor has 1
> cn=config has 0
>
>
> So I'm wondering if the mmr2 server is missing those ACIs because of the different install procedure of running setup-ds.pl first, then register-ds-admin.pl.
>
Yes. Looks like there is a bug - doing setup-ds.pl, then
register-ds-admin.pl, should do the same thing as running
setup-ds-admin.pl.
> Here are the ACIs in question
>
> mmr1 - cn=schema
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
> us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
> llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
> pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
> ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
> scapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
> dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
> dmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
>
>
> mmr2 - cn=schema
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
> us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
>
>
> mmr1 - cn=config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
> llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
> pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
> ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
> tscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
> dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
> dmns0.xxx.xx.xx.ca, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
>
> mmr2 - cn=config
> none.
>
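One way to check two servers for the ACI drift described in this thread, as an added example that is not part of the original messages or of Fedora DS itself: it unfolds the LDIF from an `aci` dump of each server and reports, by entry and acl name, every ACI that is missing or different on one side. The function names and the sample dumps are assumptions; the samples are constructed, modelled on the output quoted above.

```python
import re

# Constructed sample dumps modelled on the thread; MMR2 differs only cosmetically in cn=schema.
MMR1 = '''dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)

dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
'''
MMR2 = '''dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, n
 o acis"; allow (read, search, compare) userdn="ldap:///anyone";)

dn: cn=config
'''

def parse_acis(ldif):
    """Return {normalized dn: {acl name: whitespace-free aci}} from LDIF text."""
    acis, dn = {}, None
    # RFC 2849 folding: a newline followed by one space continues the previous line
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        key, _, value = line.partition(":")
        if key.lower() == "dn":
            dn = re.sub(r"\s*,\s*", ",", value.strip().lower())
            acis.setdefault(dn, {})
        elif key.lower() == "aci" and dn is not None:
            m = re.search(r'acl\s+"([^"]*)"', value)
            # Compare without whitespace or case, so "uid=admin,ou=" == "uid=admin, ou="
            acis[dn][m.group(1) if m else value] = re.sub(r"\s+", "", value).lower()
    return acis

def diff_acis(a, b):
    """Return (dn, acl name, status) for each ACI that is not equivalent on both servers."""
    out = []
    for dn in sorted(set(a) | set(b)):
        left, right = a.get(dn, {}), b.get(dn, {})
        for name in sorted(set(left) | set(right)):
            if left.get(name) != right.get(name):
                status = "differs" if name in left and name in right else (
                    "only on first" if name in left else "only on second")
                out.append((dn, name, status))
    return out

if __name__ == "__main__":
    print(*diff_acis(parse_acis(MMR1), parse_acis(MMR2)), sep="\n")
```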