Re: NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!

Got our first user created! I have an idea on why the setup-ds-admin.pl may not have worked completely. When doing the first install, I ran the install script, then aborted it ( within the first few steps ).

I thought I was paranoid enough by running "rpm -erase fedora-ds-1.1.0-3",

and deleting the contents of : /etc/dirsrv /usr/lib/dirsrv

/usr/share/dirsrv /var/lock/dirsrv /var/lib/dirsrv /var/run/dirsrv /var/log/dirsrv

/usr/lib/mozldap /usr/share/doc/mozldap-6.0.5

Before I reinstalled, and re-ran the install script. But I know I ran into a slapd startup problem because I made a typo, and I only erased the contents of "/var/run/dirsrv", and left the dir itself.

Untill I tried to create users, that was the only problem due to a previous install attempt. Maybe this was another. Thanks again! -----Original Message----- From: Rich Megginson [mailto:rmeggins@redhat.com] Sent: Wednesday, January 23, 2008 12:33 PM To: listbox(a)hymerfania.com Cc: fedora-directory-users(a)redhat.com Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install? Listbox wrote: > Thanks Rich! > > I just looked in /usr/share/dirsrv/data, and the file "template.ldif" > looks like what I get for the ldapquery of acis in dc=hymesruzicka, > dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ). > > Right. That's the file that is used for just the fedora-ds-base package - the admin server and console stuff are "add-ons". > I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may > be useful as a model to make more of the correct acis. Is this a good > idea? Yes. > How > much more should I modify it? > > You have to replace the %token% items: ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or cn=schema or etc. as_uid - admin or change the entire DN uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use for an administrator. You can just omit the SIE Group ACI Then just feed that file to ldapmodify e.g. ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it in place. > /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl > > # BEGIN COPYRIGHT BLOCK > ... > # END COPYRIGHT BLOCK > dn: %ds_suffix% > changetype: modify > add: aci > aci: (targetattr="*")(version 3.0; acl "Configuration Administrators > Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, > ou=Groups, ou=TopologyManagement, o=NetscapeRoot";) > aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; > allow > (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, > ou=TopologyManagement, > o=NetscapeRoot";) > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) > groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, > cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";) > > > Thanks again! > > ************************************************ > ************************************************ > ************************************************ > for bind in config schema monitor ; do ldapsearch -x -D "cn=directory > manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done # > extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # > filter: aci=* # requesting: aci # > > # config > dn: cn=config > aci: (targetattr="*")(version 3.0; acl "Configuration Administrators > Group"; a llow (all) groupdn="ldap:///cn=Configuration > Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";) > aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; > allow (a > ll) userdn="ldap:///uid=admin, ou=Administrators, > ou=TopologyManagement, o=Ne > tscapeRoot";) > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) > groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server, > cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org, > o=NetscapeRoot";) > > # SNMP, config > dn: cn=SNMP,cn=config > aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version > 3.0;acl "snmp";allow (read, search, compare)(userdn = > "ldap:///anyone");) > > # 2.16.840.1.113730.3.4.9, features, config > dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config > aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; > allow( read , search, compare, proxy ) userdn = "ldap:///all";) > > # search result > search: 2 > result: 0 Success > > # numResponses: 4 > # numEntries: 3 > # extended LDIF > # > # LDAPv3 > # base <cn=schema> with scope subtree > # filter: aci=* > # requesting: aci > # > > # schema > dn: cn=schema > aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl > "anonymo us, no acis"; allow (read, search, compare) userdn = > "ldap:///anyone";) > aci: (targetattr="*")(version 3.0; acl "Configuration Administrators > Group"; a llow (all) groupdn="ldap:///cn=Configuration > Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";) > aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; > allow (a > ll) userdn="ldap:///uid=admin,ou=Administrators, > ou=TopologyManagement, o=Net > scapeRoot";) > aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) > groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server, > cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org, > o=NetscapeRoot";) > > # search result > search: 2 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > # extended LDIF > # > # LDAPv3 > # base <cn=monitor> with scope subtree # filter: aci=* # requesting: > aci # > > # monitor > dn: cn=monitor > aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || > connection")(versio n 3.0; acl "monitor"; allow( read, search, > compare ) userdn = "ldap:///anyone > ";) > > # search result > search: 2 > result: 0 Success > > > >