Listbox wrote:
Got our first user created!
I have an idea on why the setup-ds-admin.pl may not have worked completely.
When doing the first install, I ran the install script, then aborted it (within the first few steps).
If you abort setup before it finishes asking you questions, you should be able to run it again, no problem. If you abort it after the dialog section during its configuration section, then you will have to do some clean up.
I thought I was paranoid enough by running "rpm -erase fedora-ds-1.1.0-3",
That really doesn't do anything - the fedora-ds package is now completely empty and just Requires (for yum) the "real" packages fedora-ds-base, fedora-ds-admin, etc.
It shouldn't be necessary, but if you really want to remove everything, you should do something like
yum erase svrcore idm-console-framework
and deleting the contents of:
/etc/dirsrv
/usr/lib/dirsrv
/usr/lib64/dirsrv on 64bit systems
/usr/share/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv
/var/run/dirsrv
/var/log/dirsrv
Yep. rm -rf all of those
/usr/lib/mozldap
/usr/share/doc/mozldap-6.0.5
No, not these.
Before I reinstalled, and re-ran the install script. But I know I ran into a slapd startup problem because I made a typo, and I only erased the contents of "/var/run/dirsrv", and left the dir itself.
Until I tried to create users, that was the only problem due to a previous install attempt. Maybe this was another.
Thanks again!
-----Original Message-----
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: Wednesday, January 23, 2008 12:33 PM
To: listbox(a)hymerfania.com
Cc: fedora-directory-users(a)redhat.com
Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif"
> looks like what I get for the ldapquery of acis in dc=hymesruzicka,
> dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).
>
>
Right. That's the file that is used for just the fedora-ds-base package
- the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may
> be useful as a model to make more of the correct acis. Is this a good
> idea?
Yes.
> How much more should I modify it?
>
>
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or cn=schema or etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use for an administrator.
You can just omit the SIE Group ACI.
Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif
Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
>
> Thanks again!
>
> ************************************************
> ************************************************
> ************************************************
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read , search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=monitor> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)
>
> # search result
> search: 2
> result: 0 Success
>
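One way to do the token substitution Rich describes (copy the template, replace %ds_suffix% and %as_uid%, leave out the SIE Group ACI, then hand the result to ldapmodify), written as an added example that is not code from this thread or from Fedora Directory Server. It embeds a constructed copy of the template body as quoted above; the function names render_aci_template and aci_names are assumptions. Its one addition beyond the thread is a check that no %token% placeholder survives, so a half-edited file is rejected before it reaches ldapmodify:

```python
"""Render 16dssuffixadmin.mod.tmpl for a suffix and admin uid.

Added example, not part of the mailing-list thread or of Fedora DS.
"""
import re

# Constructed copy of the template body quoted in the thread. The real file
# is /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl; copy it, never edit it
# in place.
TEMPLATE = """dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
"""

# Matches any %token% placeholder left in the rendered text.
TOKEN_RE = re.compile(r"%([A-Za-z_]+)%")
# Every ACI names itself with acl "<name>"; used to find the ones to omit.
ACL_NAME_RE = re.compile(r'acl "([^"]+)"')


def render_aci_template(template, ds_suffix, as_uid, drop_acls=("SIE Group",)):
    """Substitute %ds_suffix% and %as_uid%, drop ACIs named in drop_acls,
    and return the LDIF text ready for ldapmodify.

    Raises ValueError if any %token% remains, which is what happens if the
    SIE Group ACI (with %dsid%, %brand%, %fqdn%, %domain%) is kept without
    filling those tokens in.
    """
    lines = []
    for line in template.splitlines():
        m = ACL_NAME_RE.search(line)
        if line.startswith("aci:") and m and m.group(1) in drop_acls:
            continue  # omit this ACI, as Rich suggests for SIE Group
        line = line.replace("%ds_suffix%", ds_suffix).replace("%as_uid%", as_uid)
        lines.append(line)
    ldif = "\n".join(lines) + "\n"
    leftover = sorted(set(TOKEN_RE.findall(ldif)))
    if leftover:
        raise ValueError("unreplaced tokens: " + ", ".join(leftover))
    return ldif


def aci_names(ldif):
    """Return the acl names of the ACIs present in an LDIF text, in order."""
    return re.findall(r'^aci: .*?acl "([^"]+)"', ldif, flags=re.M)


if __name__ == "__main__":
    # Write the rendered file, then:
    #   ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif
    with open("thefile.ldif", "w") as fh:
        fh.write(render_aci_template(TEMPLATE, "dc=hymesruzicka, dc=org", "admin"))
```

The same function renders the template for cn=config or cn=schema by passing that as ds_suffix; to grant a different administrator DN instead of uid=admin, change the userdn in the template copy rather than passing it as as_uid, since as_uid only fills the uid part.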