Hello everyone,
I have a strange problem. I'm trying to use 389 server in a large organization and I have to break the directory into several sub suffixes or root suffixes. Here is the scenario: I work for Large company A. Large company A owns
1) subsidiary b
2) subsidiary c
3) subsidiary d
Large company A uses domain example.com
subsidiary b uses domain b.example.com
subsidiary c uses domain c.example.com
subsidiary d uses domain d.example.com
I would like to separate each of the subsidiaries into their own sub suffix, partially because of security reasons, also to minimize unneeded replication for local read only slaves at the subsidiary sites, and I would also like the administrator at each subsidiary to have the option of managing their own users or having the administrators at the parent company do it for them.
Now, creating the sub suffix with its own database is fairly well documented and works well with ou's but doesn't seem to work with dc's. If I create the new suffix as a dc and go into the users and groups in the console and try to add a user to the new dc, it won't let me. If I use the Users drop down menu and try to change directory and set the base to the new dc (e.g. dc=b,dc=example,dc=com), it tells me the dc isn't valid.
I also tried creating a root suffix and ran into the same problem, so what am I missing? Is there some initial database population step I didn't see in the documentation, or do I need to set up some ACIs, or what?
Never mind, I found the answer.
Apparently you have to go into the "Directory" tab in the directory server and create a domain object, because it's not automatically created when you create the database under the sub dn.
On Fri, Jul 27, 2012 at 7:03 PM, Paul Robert Marino prmarino1@gmail.com wrote:
> Hello everyone,
> I have a strange problem. I'm trying to use 389 server in a large organization and I have to break the directory into several sub suffixes or root suffixes. Here is the scenario: I work for Large company A. Large company A owns
> - subsidiary b
> - subsidiary c
> - subsidiary d
> Large company A uses domain example.com
> subsidiary b uses domain b.example.com
> subsidiary c uses domain c.example.com
> subsidiary d uses domain d.example.com
> I would like to separate each of the subsidiaries into their own sub suffix, partially because of security reasons, also to minimize unneeded replication for local read only slaves at the subsidiary sites, and I would also like the administrator at each subsidiary to have the option of managing their own users or having the administrators at the parent company do it for them.
> Now, creating the sub suffix with its own database is fairly well documented and works well with ou's but doesn't seem to work with dc's. If I create the new suffix as a dc and go into the users and groups in the console and try to add a user to the new dc, it won't let me. If I use the Users drop down menu and try to change directory and set the base to the new dc (e.g. dc=b,dc=example,dc=com), it tells me the dc isn't valid.
> I also tried creating a root suffix and ran into the same problem, so what am I missing? Is there some initial database population step I didn't see in the documentation, or do I need to set up some ACIs, or what?
There should not be any problem to create sub suffix starting with "dc".
    $ ldapsearch -LLLx [...] -b "dc=example,dc=com" dn
    dn: dc=example,dc=com
    dn: dc=B,dc=example,dc=com
    dn: dc=C,dc=example,dc=com
    dn: dc=D,dc=example,dc=com
I put dc=B in Broot, dc=C in Croot, and dc=D in Droot.
    $ ls /var/lib/dirsrv/slapd-ID/db
    Broot/  DBVERSION  NetscapeRoot/  __db.002  __db.004  __db.006  userRoot/
    Croot/  Droot/     __db.001       __db.003  __db.005  log.0000000001
Do you see any errors in the error log? /var/log/dirsrv/slapd-ID/errors
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Noriko,
Thanks for the reply. As I mentioned in my previous email, I assumed that when I created the sub suffix database for dc=b,dc=example,dc=com it would automatically add the dn to the database, but it doesn't, so I manually added it and it works now.
For clarity, that step should be added to the documentation. The way I figured it out is I just tried to add a new subdomain without adding a sub suffix and I got a warning message saying I may want to add the sub suffix first.
On Jul 27, 2012 8:50 PM, "Noriko Hosoi" nhosoi@redhat.com wrote:
> There should not be any problem to create sub suffix starting with "dc".
>     $ ldapsearch -LLLx [...] -b "dc=example,dc=com" dn
>     dn: dc=example,dc=com
>     dn: dc=B,dc=example,dc=com
>     dn: dc=C,dc=example,dc=com
>     dn: dc=D,dc=example,dc=com
> I put dc=B in Broot, dc=C in Croot, and dc=D in Droot.
>     $ ls /var/lib/dirsrv/slapd-ID/db
>     Broot/  DBVERSION  NetscapeRoot/  __db.002  __db.004  __db.006  userRoot/
>     Croot/  Droot/     __db.001       __db.003  __db.005  log.0000000001
> Do you see any errors in the error log? /var/log/dirsrv/slapd-ID/errors
Hi Paul,
Paul Robert Marino wrote:
> Noriko,
> Thanks for the reply. As I mentioned in my previous email, I assumed that when I created the sub suffix database for dc=b,dc=example,dc=com it would automatically add the dn to the database, but it doesn't, so I manually added it and it works now.
> For clarity, that step should be added to the documentation. The way I figured it out is I just tried to add a new subdomain without adding a sub suffix and I got a warning message saying I may want to add the sub suffix first.
When I created the sub suffix/subdomain, I used the Console. Here's what I did.
Open Directory Console.
Choose Configuration tab.
Choose the parent suffix under Data (dc=example,dc=com, in my example).
Right click shows a menu; choose "New Sub Suffix".
Fill "New Suffix" and "Database name" box.
Then, the new sub suffix is generated (e.g., dc=B,dc=example,dc=com).
Expand the new sub suffix; choose the underlying database (having the Database name you assigned).
Right click shows a menu; choose "Initialize database".
Give the ldif file to initialize the sub suffix/subdomain.
Thanks, --noriko
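The thread's resolution is that a new sub suffix gets a database but no entry for the suffix DN itself. As an added example (not code from the thread or from the 389 project), the shell function below generates the LDIF for that missing top entry, generalized to dc, ou and o suffixes; the name `suffix_entry_ldif`, the `ldap://localhost` URL and the `cn=Directory Manager` bind DN are assumptions.

```shell
#!/bin/sh
# Added example. suffix_entry_ldif is a hypothetical helper name; the host
# and bind DN in the usage comments below are assumptions.

# Print the LDIF record for the entry whose DN is the suffix itself.
# Handles the naming attributes dc, ou and o; returns 1 for anything else.
suffix_entry_ldif() {
    suffix=$1
    # Escaped commas and multi-valued RDNs need a real DN parser; refuse them.
    case $suffix in
        *\\*|*+*) echo "unsupported DN syntax: $suffix" >&2; return 1 ;;
    esac
    rdn=${suffix%%,*}      # leftmost RDN, e.g. "dc=b"
    case $rdn in
        ?*=?*) ;;
        *) echo "not a DN: $suffix" >&2; return 1 ;;
    esac
    attr=${rdn%%=*}        # naming attribute, e.g. "dc"
    value=${rdn#*=}        # naming value, e.g. "b"

    # The object class must allow the naming attribute of the RDN.
    case $(printf '%s' "$attr" | tr 'A-Z' 'a-z') in
        dc) class=domain ;;
        ou) class=organizationalUnit ;;
        o)  class=organization ;;
        *)  echo "unsupported naming attribute: $attr" >&2; return 1 ;;
    esac

    printf 'dn: %s\nobjectClass: top\nobjectClass: %s\n%s: %s\n' \
        "$suffix" "$class" "$attr" "$value"
}

# Does the suffix entry exist? A base-scope search that exits with status 32
# (noSuchObject) means the entry is not there:
#   ldapsearch -LLL -x -H ldap://localhost -D "cn=Directory Manager" -W \
#       -b "dc=b,dc=example,dc=com" -s base dn
# Create it if missing:
#   suffix_entry_ldif "dc=b,dc=example,dc=com" |
#       ldapadd -x -H ldap://localhost -D "cn=Directory Manager" -W
```

The same output can be saved to a file and given to the Console's "Initialize database" step described above.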