[Fedora-directory-users] Installing 2 MMR servers, and the aci's don't match after everything is setup

Rich Megginson rmeggins at redhat.com
Thu Feb 19 15:07:10 UTC 2009


Ryan Braun [ADS] wrote:
> Hey guys, I'm setting up 2 MMR servers, and am wondering why the ACIs on both machines don't end up being the same. All of the replication and configuring of the servers
> has been done in Perl and NOT the console. Here is the process I used when setting up the servers. I'm using custom-built packages on etch.
>
> ii  fedora-ds-admin                   1.1.6                                Fedora Administration Server (admin)
> ii  fedora-ds-admin-console           1.1.2                                Fedora Admin Server Management Console
> ii  fedora-ds-base                    1.1.3                                Fedora Directory Server (base)
> ii  fedora-ds-console                 1.1.2                                Fedora Directory Server Management Console
> ii  mozldap                           6.0.5                                Mozilla LDAP C SDK
> ii  mozldap-dev                       6.0.5                                Mozilla LDAP C SDK
> ii  mozldap-tools                     6.0.5                                Mozilla LDAP C SDK
> ii  ldapsdk                           4.17-4                               Enables applications to manage information s
> ii  perldap                           1.5.2                                PerLDAP is a set of modules written in Perl
> ii  libadminutil                      1.1.7                                Utility library for directory server adminis
> ii  libsvrcore                        4.0.4                                Secure PIN handling using NSS crypto
> ii  libapache2-mod-nss                1.0.8                                mod_nss is an SSL provider derived from the
>
>
>
> 1.  install mmr1 server using setup-ds-admin.pl
> 2.  install mmr2 server using setup-ds.pl
> 3.  configure ssl/tls on each machine and confirm ldapsearches etc. are encrypted.
> 4.  create root suffix o=netscaperoot on mmr2.
> 5.  enable mmr replication of userroot on both mmr1 and mmr2
> 6.  init UserRoot replication agreement on mmr1.
> 7.  enable mmr replication of o=netscaperoot on both mmr1 and mmr2.
> 8.  init NetscapeRoot replication agreement on mmr1.
> 9.  run register-ds-admin.pl on mmr2
>
> At this point, I can confirm that encryption is working over both machines, all replication agreements are over SSL and are working as expected. The admin server is running on
> both machines, and both servers are accessible from each admin-server instance.
>
> So I opened up the console, and opened up a session to each server, and that's when I noticed the different number of ACIs on each server:
>
> on mmr1:  o=NetscapeRoot has 5 ACIs
>           UserRoot has 6
>           cn=schema has 4
>           cn=monitor has 1
>           cn=config has 3
>
> on mmr2:  o=NetscapeRoot has 5 ACIs
>           UserRoot has 6
>           cn=schema has 1
>           cn=monitor has 1
>           cn=config has 0
>
>
> So I'm wondering if the mmr2 server is missing those ACIs because of the different install procedure of running setup-ds.pl first, then register-ds-admin.pl.
>   
Yes.  Looks like there is a bug - doing setup-ds.pl, then 
register-ds-admin.pl, should do the same thing as running 
setup-ds-admin.pl. 
> Here are the ACIs in question
>
> mmr1 - cn=schema
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
>  us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
>  llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
>  pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
>  ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
>  scapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
>  dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
>  dmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
>
>
> mmr2 - cn=schema
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
>  us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
>
>
> mmr1 - cn=config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
>  llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
>  pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
>  ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
>  tscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
>  dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
>  dmns0.xxx.xx.xx.ca, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
>
> mmr2 - cn=config
> none.
>

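An added check for the situation above (example code written for this page, not code from the Fedora/389 Directory Server project or from either poster): take the `aci` attribute of cn=schema and cn=config from each server, diff the two, and generate the ldapmodify input that adds what the second server lacks. cn=config is per-server and not replicated, so a mismatch like the one Ryan found will not heal on its own. The sample LDIF embedded in the script is constructed from the values quoted in the thread; with real servers it would come from a base-scope ldapsearch per entry and server (`-b cn=config -s base aci`) saved to a file. Two caveats are built in: values are compared after whitespace normalization, because the thread shows the same "Configuration Administrator" ACI rendered both as `uid=admin,ou=Administrators` and `uid=admin, ou=Administrators`; and any ACI naming a `cn=slapd-<instance>` entry (the "SIE Group" ACI) is written out as a comment for manual review rather than copied, since it refers to one server's own entry under o=NetscapeRoot. The `cn=slapd-` pattern used to spot such values is an assumption of this example.

```python
"""Diff the ACIs two Directory Server instances carry on the same entries and
emit ldapmodify input that adds what the second one lacks.  Added example for
this thread, not project code; the sample LDIF below is constructed from the
values quoted in it."""
import re

# Constructed sample: the ACIs quoted in the thread for mmr1 and mmr2.
MMR1_LDIF = """\
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
 scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
 dmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)

dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxxdmns0.xxx.xx.xx.ca, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
"""
MMR2_LDIF = """\
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)

dn: cn=config
"""

# Assumption: an ACI naming a cn=slapd-<instance> entry (the "SIE Group" ACI) is
# tied to one server's own entry under o=NetscapeRoot and must not be copied as-is.
SERVER_SPECIFIC = re.compile(r"cn=slapd-", re.IGNORECASE)

def parse_ldif(text):
    """Return {dn: [aci, ...]}, unfolding LDIF continuation lines (a leading
    space continues the previous line).  Base64 ('aci::') values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            entries.setdefault(dn, [])   # entry present even if it has no aci
        elif attr == "aci" and dn is not None:
            entries[dn].append(value)
    return entries

def normalize(aci):
    """Comparison key: collapse whitespace, drop spaces after commas and around '=',
    so cosmetic variants of one ACI ('uid=admin,ou=' vs 'uid=admin, ou=') compare equal."""
    s = re.sub(r"\s+", " ", aci.strip())
    return re.sub(r"\s*=\s*", "=", re.sub(r",\s*", ",", s))

def missing_acis(reference, target):
    """ACIs present on the reference server but absent on the target, per DN."""
    missing = {}
    for dn, acis in reference.items():
        have = {normalize(a) for a in target.get(dn, [])}
        gap = [a for a in acis if normalize(a) not in have]
        if gap:
            missing[dn] = gap
    return missing

def fold(line, width=76):
    """LDIF folding: first chunk up to width chars, continuations prefixed by a space."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)

def to_modify_ldif(missing):
    """ldapmodify input adding the copyable ACIs; server-specific ones become
    '# REVIEW' comments instead of being added."""
    out = []
    for dn, acis in missing.items():
        copy = [a for a in acis if not SERVER_SPECIFIC.search(a)]
        out += ["# REVIEW, server-specific DN, not copied: %s aci: %s" % (dn, a)
                for a in acis if SERVER_SPECIFIC.search(a)]
        if copy:  # never emit an 'add: aci' block with no values
            out += [fold("dn: " + dn), "changetype: modify", "add: aci"]
            out += [fold("aci: " + a) for a in copy] + ["-", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(to_modify_ldif(missing_acis(parse_ldif(MMR1_LDIF), parse_ldif(MMR2_LDIF))))
```

Run as-is it prints the ldapmodify LDIF for the thread's data: two `changetype: modify` blocks adding the two "Configuration Administrator(s)" ACIs to cn=schema and cn=config, plus two `# REVIEW` comments for the SIE Group ACIs, which you would rewrite to name mmr2's own instance entry before adding. Against real servers, replace the embedded strings with the two ldapsearch dumps, then feed the output to ldapmodify on the server that is short, binding as Directory Manager.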