Hey Mark,
Yes, I thought that would be a problem. I did try to set up an admin
domain on master A that points to master B but it simply says "fail to
create network domain". As you can likely see, I'm not the most versed in
LDAP. I'm not sure how to do this search you suggested:
dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
Can you give me the syntax that would be used?
thanks again,
Herb
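
The search and change Mark describes can be written as follows. This is an added example, not part of the original thread: the function names, the LDAP_PW variable and the PRODUCT default are assumptions, and the host name and address are the ones that appear in the logs quoted below. The LDIF lists the one connecting host instead of "*".

```sh
#!/bin/sh
# Added example (not from the thread). Function names and LDAP_PW are assumptions.
# PRODUCT defaults to the name seen in the quoted logs; Mark's template uses
# "389 Administration Server" instead.
PRODUCT="${PRODUCT:-Fedora Administration Server}"

# Build the admin server configuration DN from a fully qualified host name.
# Assumes the admin domain (ou=) is the FQDN minus its first label, as in the logs.
config_dn() {
    fqdn="$1"
    printf 'cn=configuration, cn=admin-serv-%s, cn=%s, cn=Server Group, cn=%s, ou=%s, o=NetscapeRoot\n' \
        "${fqdn%%.*}" "$PRODUCT" "$fqdn" "${fqdn#*.}"
}

# Read-only check: base-scope search returning only the two access attributes.
show_access() {   # usage: show_access FQDN   (bind password in $LDAP_PW)
    ldapsearch -D "cn=Directory Manager" -w "$LDAP_PW" \
        -b "$(config_dn "$1")" -s base "(objectClass=*)" \
        nsAdminAccessAddresses nsAdminAccessHosts
}

# Emit LDIF for ldapmodify that allows one address pattern and one host pattern.
access_ldif() {   # usage: access_ldif FQDN ADDR_PATTERN HOST_PATTERN
    cat <<EOF
dn: $(config_dn "$1")
changetype: modify
replace: nsAdminAccessAddresses
nsAdminAccessAddresses: $2
-
replace: nsAdminAccessHosts
nsAdminAccessHosts: $3
EOF
}

# Command-line entry points; nothing runs when the file is only sourced.
case "${1:-}" in
    show) show_access "$2" ;;
    ldif) access_ldif "$2" "$3" "$4" ;;
esac
```

Running the script with `ldif masterB.sub.domain.biz 10.10.10.25 masterB.sub.domain.biz` prints the LDIF, which can be piped into ldapmodify with the same -D and -w options; the admin server then needs the restart Mark mentions.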
On Tue, Apr 24, 2012 at 2:12 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
Hi Herb,
Ok you shouldn't be using "o=netscaperoot" from a different machine, but
if both machines are set up EXACTLY the same way, then you might be able to
replace the hostname. But this is error prone, and we should try and get
the master B registered on master A's console. Did you try setting up an
admin domain that points to master B's machine?
see comments below...
On 04/24/2012 04:11 PM, Herb Burnswell wrote:
Hi Mark,
Thanks for getting back to me, sorry about the confusion. Here's the logs
from master B console log on attempts:
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from
10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB,
cn=Fedora Administration Server, cn=Server Group, cn=
masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128
version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0
etime=0
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from
10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB,
cn=Fedora Administration Server, cn=Server Group, cn=
masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128
version=2
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0
etime=0
This isn't the right bind dn we are looking for. :-) We want to see
the results from "uid=admin" and "cn=directory manager".
[24/Apr/2012:12:32:47] security (23835): for host masterB.sub.domain.biz trying to GET
/admin-serv/authenticate, admin40_host_ip_check reports:
Unauthorized host ip=10.10.10.25, connection rejected
This might be caused by some access restrictions. Do a ldapsearch on
o=netscaperoot and look for:
dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
nsAdminAccessAddresses
nsAdminAccessHosts
Use ldapmodify to change the settings if needed. Make sure that the host
you are trying to connect from is allowed by the settings. You could just
set both to "*" for now. You will need to restart the admin server for
this change to take effect.
Thanks,
Mark
When I was trying to get replication working, I did an initialization of
master B from master A backup files (NetscapeRoot and <my_suffix>). I've
since done a re-initialization of <my_suffix> to master B from master A
console. When I do a search on master B:
./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot
"cn=admin-serv-*"
version: 1
dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
Group,
cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
objectClass: top
objectClass: netscapeServer
objectClass: nsAdminServer
objectClass: nsResourceRef
objectClass: groupOfUniqueNames
cn: admin-serv-masterA
nsServerID: admin-serv
serverRoot: /opt/fedora-ds
serverProductName: Administration Server
serverHostName: masterA.sub.domain.biz
uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server,
cn=Serv
er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
installationTimeStamp: 20050916201912Z
userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==
Yes, this version and install is very old. But it appears that all of
master A information is on master B regarding admin-serv-<hostname> user on
master B. This is not correct, right?
I read the documentation that you sent but my install does not include
setup-ds-admin.pl, my version is DS 7.1. Is there a way to simply edit
the admin-serv-<hostname> if that is in fact the problem?
TIA,
Herb
On Tue, Apr 24, 2012 at 8:34 AM, Mark Reynolds <mareynol(a)redhat.com> wrote:
> Hi Herb,
>
> I wanted to see the logs from the server that wasn't working. According
> to these logs everything is fine. So, you can log into the console for
> master A, but not master B. Most likely there is no configuration
> instance/admin server setup. There are a few options. One, you could
> register master B in the Master A console(using Create New Administration
> Domain feature), and just use that console to manage both servers. Two,
> setup a new config instance on the master B machine, and use a separate
> console.
>
> Option one is definitely the best option. You can still use the console
> GUI on master B if you want to, but point it to the master A in the
> administration URL.
>
> Here are some links to some useful documents on this:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Insta...
>
> http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20se...
>
> Let me know if you have any questions.
>
> Mark
>
> On 04/23/2012 07:48 PM, Herb Burnswell wrote:
>
> Hey Mark,
>
> Well, to back up a bit, of the dual masters (A & B) only A has been
> running consistently for many years. That is why I needed to do a
> re-initialization of B. The re-initialization was done at the 'my_suffix'
> level and not NetscapeRoot.
>
> I assumed that the config data would be running on both dual masters.
> Maybe I am incorrect?
>
> access from Master A for 'admin' bind:
>
> [23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from
> 10.10.10.24 to 10.10.10.24
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
> version=3
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97
> nentries=0 etime=0
> dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping,
> cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration
> server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
> o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef
> nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
> base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
> scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101
> nentries=24 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA,
> cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz,
> ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
> attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101
> nentries=13 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora
> Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
> sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
> attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101
> nentries=17 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora
> Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
> sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
> attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101
> nentries=24 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1
>
>
> access from master A for 'cn=Directory Manager' bind:
>
> [23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from
> 10.10.10.24 to 10.10.10.24
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
> dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
> method=128 version=3
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration
> server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz
> ,o=netscaperoot"
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory
> Manager" method=128 version=3
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97
> nentries=0 etime=0 dn="cn=directory manager"
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
>
>
> These are from master A where logging in as either works fine. It looks
> like I need to configure o=netscaperoot on master B somehow?
>
> thanks,
>
> Herb
>
>
>
> On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
>
>> Herb,
>>
>> Do you know which server is hosting the config data for the
>> console(o=netscaperoot)? If you do, please provide the access log output
>> showing the "cn=directory manager" and "admin" binds? It might not hurt to
>> restart the admin server.
>>
>> Thanks,
>> Mark
>>
>>
>>
>> On 04/23/2012 04:06 PM, Herb Burnswell wrote:
>>
>> Hi All,
>>
>> After re-initialization of a dual master server I now cannot log into
>> the directory management console as cn=Directory Manager. I receive the
>> error:
>>
>> Cannot logon because of an incorrect user id, incorrect password, or
>> Directory problem.
>> httpException:
>> Resoponse: HTTP/1.1 401 Unauthorized
>> Status: 401
>> URL: http://url/admin-serv/authenticate
>>
>> I know the password is correct as I can drop into an ldapmodify session
>> with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.
>>
>> I've seen a few inquiries about this issue around the web but nothing to
>> resolve the issue. I see the following in
>> /opt/fedora-ds/admin-serv/logs/error:
>>
>> security (27749): for host <hostname> trying to GET
>> /admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager
>> does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw
>>
>> It is correct that there is not a line for cn=Directory Manager in
>> admpw, but it is not located in the admpw file on the other dual master and
>> I can log into its management console as cn=Directory Manager without
>> error. They both just contain a line for user 'admin'.
>>
>> When I try to log in as 'admin' (works fine on other dual master) I
>> receive:
>>
>> cannot connect to the directory server:
>> netscape.ldap.LDAPException: error result (32) matchedDN = ou
>> =<domain>,o=netscaperoot; no such object
>>
>> Is there something else that I need to do after re-initialization? Any
>> guidance is greatly appreciated.
>>
>> Thanks in advance,
>>
>> Herb
>>
>>
>>
>>
>>
>>
>