Ok, I was able to get it working. I just went to a backup of the files
prior to when I did the bak2db of master A to master B. I replaced
/path/to/db/NetscapeRoot/* files with the backed up files.
Now the search:
./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot
"cn=admin-serv-*"
returns the expected results and I'm able to log into the DS console.
Mark, thanks for all of your help. At least I'm learning with each mistake
;-)...
Herb
On Tue, Apr 24, 2012 at 3:52 PM, Herb Burnswell <herbert.burnswell(a)gmail.com
Hey Mark,
Yes, I thought that would be a problem. I did try to set up an admin
domain on master A that points to master B but it simply says "fail to
create network domain". As you can likely see, I'm not the most versed in
LDAP. I'm not sure how to do this search you suggested:
> Do a ldapsearch on o=netscaperoot and look for:
> dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
> Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
Can you give me the syntax that would be used?
thanks again,
Herb
On Tue, Apr 24, 2012 at 2:12 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
> Hi Herb,
>
> Ok you shouldn't be using "o=netscaperoot" from a different machine, but
> if both machines are set up EXACTLY the same way, then you might be able to
> replace the hostname. But this is error prone, and we should try and get
> the master B registered on master A's console. Did you try setting up an
> admin domain that points to master B's machine?
>
> see comments below...
>
>
> On 04/24/2012 04:11 PM, Herb Burnswell wrote:
>
> Hi Mark,
>
> Thanks for getting back to me, sorry about the confusion. Here's the
> logs from master B console log on attempts:
>
> [24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from
> 10.10.10.25 to 10.10.10.25
> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND
> dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server
> Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
> method=128 version=2
> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97
> nentries=0 etime=0
> [24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from
> 10.10.10.25 to 10.10.10.25
> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND
> dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server
> Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
> method=128 version=2
> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97
> nentries=0 etime=0
>
> This isn't the right bind dn we are looking for. :-) We want to see
> the results from "uid=admin" and "cn=directory manager".
>
>
>
> [24/Apr/2012:12:32:47] security (23835): for host masterB.sub.domain.biz trying to GET
> /admin-serv/authenticate, admin40_host_ip_check reports:
> Unauthorized host ip=10.10.10.25, connection rejected
>
> This might be caused by some access restrictions. Do a ldapsearch on
> o=netscaperoot and look for:
>
> dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
> Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
>
> nsAdminAccessAddresses
> nsAdminAccessHosts
>
> Use ldapmodify to change the settings if needed. Make sure that the host
> you are trying to connect from is allowed by the settings. You could just
> set both to "*" for now. You will need to restart the admin server for
> this change to take effect.
>
> Thanks,
> Mark
>
>
>
> When I was trying to get replication working, I did an initialization of
> master B from master A backup files (NetscapeRoot and <my_suffix>). I've
> since done a re-initialization of <my_suffix> to master B from master A
> console. When I do a search on master B:
>
> ./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot
> "cn=admin-serv-*"
>
> version: 1
> dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
> Group,
> cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
> objectClass: top
> objectClass: netscapeServer
> objectClass: nsAdminServer
> objectClass: nsResourceRef
> objectClass: groupOfUniqueNames
> cn: admin-serv-masterA
> nsServerID: admin-serv
> serverRoot: /opt/fedora-ds
> serverProductName: Administration Server
> serverHostName: masterA.sub.domain.biz
> uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server,
> cn=Serv
> er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
> installationTimeStamp: 20050916201912Z
> userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==
>
>
> Yes, this version and install is very old. But it appears that all of
> master A information is on master B regarding admin-serv-<hostname> user on
> master B. This is not correct right?
>
> I read the documentation that you sent but my install does not include
> setup-ds-admin.pl, my version is DS 7.1. Is there a way to simply edit
> the admin-serv-<hostname> if that is in fact the problem?
>
> TIA,
>
> Herb
>
> On Tue, Apr 24, 2012 at 8:34 AM, Mark Reynolds <mareynol(a)redhat.com> wrote:
>
>> Hi Herb,
>>
>> I wanted to see the logs from the server that wasn't working. According
>> to these logs everything is fine. So, you can log into the console for
>> master A, but not master B. Most likely there is no configuration
>> instance/admin server setup. There are a few options. One, you could
>> register master B in the Master A console(using Create New Administration
>> Domain feature), and just use that console to manage both servers. Two,
>> setup a new config instance on the master B machine, and use a separate
>> console.
>>
>> Option one is definitely the best option. You can still use the console
>> GUI on master B if you want to, but point it to the master A in the
>> administration URL.
>>
>> Here are some links to some useful documents on this:
>>
>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Insta...
>>
>> http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20se...
>>
>> Let me know if you have any questions.
>>
>> Mark
>>
>> On 04/23/2012 07:48 PM, Herb Burnswell wrote:
>>
>> Hey Mark,
>>
>> Well, to back up a bit, of the dual masters (A & B) only A has been
>> running consistently for many years. That is why I needed to do a
>> re-initialization of B. The re-initialization was done at the 'my_suffix'
>> level and not NetscapeRoot.
>>
>> I assumed that the config data would be running on both dual masters.
>> Maybe I am incorrect?
>>
>> access from Master A for 'admin' bind:
>>
>> [23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from
>> 10.10.10.24 to 10.10.10.24
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,
>> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
>> version=3
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97
>> nentries=0 etime=0
>> dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping,
>> cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration
>> server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
>> o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef
>> nsLogSuppress"
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
>> base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
>> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
>> scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101
>> nentries=24 etime=0
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA,
>> cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz,
>> ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
>> attrs="nsExecRef nsLogSuppress"
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101
>> nentries=13 etime=0
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora
>> Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
>> sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
>> attrs="nsExecRef nsLogSuppress"
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101
>> nentries=17 etime=0
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora
>> Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
>> sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
>> attrs="nsExecRef nsLogSuppress"
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101
>> nentries=24 etime=0
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1
>>
>>
>> access from master A for 'cn=Directory Manager' bind:
>>
>> [23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from
>> 10.10.10.24 to 10.10.10.24
>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
>> dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
>> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
>> method=128 version=3
>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97
>> nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration
>> server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz
>> ,o=netscaperoot"
>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory
>> Manager" method=128 version=3
>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97
>> nentries=0 etime=0 dn="cn=directory manager"
>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
>>
>>
>> These are from master A where logging in as either works fine. It looks
>> like I need to configure o=netscaperoot on master B somehow?
>>
>> thanks,
>>
>> Herb
>>
>>
>>
>> On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
>>
>>> Herb,
>>>
>>> Do you know which server is hosting the config data for the
>>> console(o=netscaperoot)? If you do, please provide the access log output
>>> showing the "cn=directory manager" and "admin" binds? It might not hurt to
>>> restart the admin server.
>>>
>>> Thanks,
>>> Mark
>>>
>>>
>>>
>>> On 04/23/2012 04:06 PM, Herb Burnswell wrote:
>>>
>>> Hi All,
>>>
>>> After re-initialization of a dual master server I now cannot log into
>>> the directory management console as cn=Directory Manager. I receive the
>>> error:
>>>
>>> Cannot logon because of an incorrect user id, incorrect password, or
>>> Directory problem.
>>> httpException:
>>> Response: HTTP/1.1 401 Unauthorized
>>> Status: 401
>>> URL: http://url/admin-serv/authenticate
>>>
>>> I know the password is correct as I can drop into an ldapmodify session
>>> with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.
>>>
>>> I've seen a few inquiries about this issue around the web but nothing
>>> to resolve the issue. I see the following in
>>> /opt/fedora-ds/admin-serv/logs/error:
>>>
>>> security (27749): for host <hostname> trying to GET
>>> /admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager
>>> does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw
>>>
>>> It is correct that there is not a line for cn=Directory Manager in
>>> admpw, but it is not located in the admpw file on the other dual master and
>>> I can log into its management console as cn=Directory Manager without
>>> error. They both just contain a line for user 'admin'.
>>>
>>> When I try to log in as 'admin' (works fine on other dual master) I
>>> receive:
>>>
>>> cannot connect to the directory server:
>>> netscape.ldap.LDAPException: error result (32) matchedDN = ou
>>> =<domain>,o=netscaperoot; no such object
>>>
>>> Is there something else that I need to do after re-initialization? Any
>>> guidance is greatly appreciated.
>>>
>>> Thanks in advance,
>>>
>>> Herb
>>>
>>>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>
>
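
Added example, not part of the original thread or of the 389 project's code: a small Python script that pairs each BIND record in a Directory Server access log with its RESULT by conn/op and lists the bind DNs the server rejected, which is how the err=32 on cn=admin-serv-masterB in the thread points at a missing entry under o=NetscapeRoot. The sample records are constructed from the excerpts quoted above (unwrapped to one record per line), and the function names are hypothetical.

```python
import re

# Constructed sample: records modelled on the access-log excerpts quoted in
# the thread, unwrapped to one record per line as the server writes them.
SAMPLE_LOG = "\n".join([
    '[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25',
    '[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, '
    'cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2',
    '[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0',
    '[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager" method=128 version=3',
    '[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"',
    '[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101 nentries=24 etime=0',
])

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# tag=97 is the LDAP BindResponse; tag=101 (search done) is ignored.
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97\b')
# Standard LDAP result codes relevant to bind failures.
ERR_NAMES = {32: "noSuchObject", 49: "invalidCredentials", 53: "unwillingToPerform"}


def failed_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op); return the failures."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        bind = BIND_RE.search(line)
        if bind:
            pending[bind.group(1, 2)] = bind.group(3)
            continue
        result = RESULT_RE.search(line)
        if result:
            dn = pending.pop(result.group(1, 2), None)
            err = int(result.group(3))
            if dn is not None and err != 0:
                failures.append((int(result.group(1)), dn, err, ERR_NAMES.get(err, "other")))
    return failures


def missing_config_entries(log_text):
    """Bind DNs under o=NetscapeRoot that the server reported as absent (err=32)."""
    return sorted({dn for _, dn, err, _ in failed_binds(log_text)
                   if err == 32 and dn.lower().endswith("o=netscaperoot")})


if __name__ == "__main__":
    for conn, dn, err, name in failed_binds(SAMPLE_LOG):
        print(f"conn={conn} err={err} ({name}) bind dn={dn}")
```

Each DN returned by `missing_config_entries` is one to look for with the ldapsearch on o=netscaperoot shown in the thread.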