Ryan Braun [ADS] wrote:
Hey guys, I'm setting up 2 MMR servers, and am wondering why the ACIs on both machines don't end up being the same. All of the replication and configuring of the servers has been done in Perl and NOT the console. Here is the process I used when setting up the servers. I'm using custom-built packages on etch.
ii  fedora-ds-admin          1.1.6    Fedora Administration Server (admin)
ii  fedora-ds-admin-console  1.1.2    Fedora Admin Server Management Console
ii  fedora-ds-base           1.1.3    Fedora Directory Server (base)
ii  fedora-ds-console        1.1.2    Fedora Directory Server Management Console
ii  mozldap                  6.0.5    Mozilla LDAP C SDK
ii  mozldap-dev              6.0.5    Mozilla LDAP C SDK
ii  mozldap-tools            6.0.5    Mozilla LDAP C SDK
ii  ldapsdk                  4.17-4   Enables applications to manage information s
ii  perldap                  1.5.2    PerLDAP is a set of modules written in Perl
ii  libadminutil             1.1.7    Utility library for directory server adminis
ii  libsvrcore               4.0.4    Secure PIN handling using NSS crypto
ii  libapache2-mod-nss       1.0.8    mod_nss is an SSL provider derived from the
1. install mmr1 server using setup-ds-admin.pl
2. install mmr2 server using setup-ds.pl
3. configure ssl/tls on each machine and confirm ldapsearches etc. are encrypted.
4. create root suffix o=netscaperoot on mmr2.
5. enable mmr replication of userroot on both mmr1 and mmr2
6. init UserRoot replication agreement on mmr1.
7. enable mmr replication of o=netscaperoot on both mmr1 and mmr2.
8. init NetscapeRoot replication agreement on mmr1.
9. run register-ds-admin.pl on mmr2
At this point, I can confirm that encryption is working over both machines, all replication agreements are over SSL and are working as expected. Admin server is running on both machines, and both servers are accessible from each admin-server instance.

So I opened up the console, and opened up a session to each server, and that's when I noticed the different number of ACIs on each server.
on mmr1:
  o=NetscapeRoot has 5 ACIs
  UserRoot has 6
  cn=schema has 4
  cn=monitor has 1
  cn=config has 3

on mmr2:
  o=NetscapeRoot has 5 ACIs
  UserRoot has 6
  cn=schema has 1
  cn=monitor has 1
  cn=config has 0
So I'm wondering if the mmr2 server is missing those ACIs because of the different install procedure of running setup-ds.pl first, then register-ds-admin.pl.
Yes. Looks like there is a bug - doing setup-ds.pl, then register-ds-admin.pl, should do the same thing as running setup-ds-admin.pl.
Here are the ACIs in question (the wrapped LDIF continuation lines have been joined back together):

mmr1 - cn=schema

# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxxdmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)

mmr2 - cn=schema

# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)

mmr1 - cn=config

dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxxdmns0.xxx.xx.xx.ca, ou=xxx.xx.xx.ca, o=NetscapeRoot";)

mmr2 - cn=config

dn: cn=config
none.
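As an added example (not code from this thread or from Fedora DS), the following Python script audits exactly this kind of drift: it takes the LDIF that `ldapsearch` prints for the same entries on two replicas, unfolds the wrapped continuation lines, and reports per DN which ACIs the second server lacks. The sample LDIF is constructed from the ACIs quoted above and shortened; the function names are the script's own.

```python
import re

# Constructed sample: the cn=schema and cn=config entries as `ldapsearch -LLL ... aci`
# prints them on each replica (cut down from the ACIs quoted in the thread, not a capture).
MMR1_LDIF = """\
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)

dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
"""
MMR2_LDIF = """\
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)

dn: cn=config
"""

def normalize(aci):
    # Collapse whitespace so "uid=admin,ou=..." and "uid=admin, ou=..." compare equal.
    return re.sub(r",\s+", ",", re.sub(r"\s+", " ", aci.strip()))

def parse_acis(ldif):
    # Return {dn: {normalized aci value, ...}} for every entry in the LDIF text.
    acis, dn = {}, None
    # RFC 2849 folding: a newline followed by one space continues the previous line.
    for line in re.sub(r"\n ", "", ldif).splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            acis.setdefault(dn, set())
        elif line.startswith("aci: ") and dn is not None:
            acis[dn].add(normalize(line[5:]))
    return acis

def aci_drift(primary_ldif, replica_ldif):
    # For each DN, the acl names present on the primary but missing on the replica.
    primary, replica = parse_acis(primary_ldif), parse_acis(replica_ldif)
    drift = {}
    for dn, values in primary.items():
        missing = values - replica.get(dn, set())
        if missing:
            drift[dn] = sorted(re.search(r'acl "([^"]*)"', a).group(1) for a in missing)
    return drift
```

Run `aci_drift` on the real output of `ldapsearch -LLL -b cn=schema -s base aci` (and likewise for cn=config) from each server to get the list of ACL names that register-ds-admin.pl failed to create on the second instance.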
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users