5:27 p.m.
Hi folks,
I'm really stumped by this "Insufficient 'add' privilege" problem.
I can create all the "Administrators" I want for the netscaperoot directory,
but none of those users can:
A) Create new users for my hymesruzicka directory
B) Create a new "Directory Administrator" for my hymesruzicka directory
C) Grant "'add' privilege" to my existing "Configuration
Administrator"
my hymesruzicka directory
D) Add a user from the netscaperoot users to my hymesruzicka directory
"Directory Administrator" group
E) Modify or add the existing ACLs for my hymesruzicka directory
Is there a way to create a new "Directory Administrator" and other users? If
not, and we have to wipe and re-install from scratch, what must we do to
ensure that we can create users and administrators for our directory?
Thanks!
12:28 p.m.
New subject: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Listbox wrote:
Hi folks,
I'm really stumped by this "Insufficient 'add' privilege" problem.
I can create all the "Administrators" I want for the netscaperoot directory,
but none of those users can:
A) Create new users for my hymesruzicka directory
B) Create a new "Directory Administrator" for my hymesruzicka directory
C) Grant "'add' privilege" to my existing "Configuration
Administrator"
my hymesruzicka directory
D) Add a user from the netscaperoot users to my hymesruzicka directory
"Directory Administrator" group
E) Modify or add the existing ACLs for my hymesruzicka directory
Is there a way to create a new "Directory Administrator" and other users?
Yes, by adding the appropriate ACIs. How was the data for your default
suffix added? The way it works is that setup adds some ACIs to the
default suffix you specify during setup to allow the console admin user
to have access. If you import your data from another source these ACIs
will not be created. You can just do a test install to see exactly what
acis are created e.g.
ldapsearch -x -D "cn=directory manager" -w yourpassword -b
o=netscaperoot "aci=*" aci
and
ldapsearch -x -D "cn=directory manager" -w yourpassword -b
"dc=yourdomain,dc=com" "aci=*" aci
If
not, and we have to wipe and re-install from scratch, what must we do to
ensure that we can create users and administrators for our directory?
Thanks!
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
11:55 a.m.
Thanks so much!
Now I'm looking in
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see
what I might do to fix things.
Here is the output from the commands you suggested. At least I can tell one
is bigger than the other :)
ldapsearch -x -D "cn=directory manager" -w mypassword -b o=netscaperoot
"aci=*" aci
# extended LDIF
#
# LDAPv3
# base <o=netscaperoot> with scope subtree
# filter: aci=*
# requesting: aci
#
# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator
Gro
up modification"; allow (all) groupdn="ldap:///cn=Configuration
Administrator
s, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl
"Default
anonymous access"; allow (read, search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion";
allow
(read,
search, compare) groupdnattr="uniquemember";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow
(all)
gr
oupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
Grou
p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# TopologyManagement, NetscapeRoot
dn: ou=TopologyManagement, o=NetscapeRoot
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous
access";
allow (read, search, compare)userdn="ldap:///anyone";)
# Global Preferences, hymesruzicka.org, NetscapeRoot
dn: ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable anonymous access";
allow(read,sea
rch) userdn="ldap:///anyone";)
# UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow saving of User
Preferences";
a
llow (add) userdn = "ldap:///all";)
# uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C
o\3DNetsca
peRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=admin, ou=Administrators, ou=TopologyManagement,
o=NetscapeRoot",o
u=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C
cn\3DServer
Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C
o\3DNets
capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server
Grou
p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRoot",ou=UserP
references, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=Netsc
apeRoot
aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable
de
legated access"; allow (read, search, compare) groupdn="ldap:///cn=Server
Gro
up, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora
Administrati
on Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=NetscapeRoot";)
# PublicViews, 1.1, Admin, Global Preferences, hymesruzicka.org,
NetscapeRoot
dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences,
ou=hymesruzicka.o
rg, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to
Save
Pu
blic Views"; allow (all) userdn = "ldap:///all";)
# slapd-trixter, Fedora Directory Server, Server Group,
trixter.hymesruzicka.
org, hymesruzicka.org, NetscapeRoot
dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trixter.
hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory
Server
, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=Netsca
peRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword ||
descrip
tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable
ac
cess delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter,
cn=Fedora
Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzic
ka.org, o=NetscapeRoot";)
# configuration, slapd-trixter, Fedora Directory Server, Server Group,
trixte
r.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
G
roup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow
(all
) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
Gr
oup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C
cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot,
UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trix
ter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRoot",ou=UserPreferences
, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# cn\3DDirectory Manager, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=Directory Manager",ou=UserPreferences, ou=hymesruzicka.org,
o=Netsc
apeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# Fedora Administration Server, Server Group, trixter.hymesruzicka.org,
hymes
ruzicka.org, NetscapeRoot
dn: cn=Fedora Administration Server, cn=Server Group,
cn=trixter.hymesruzicka.
org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable
dele
gated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora
Admin
istration Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzic
ka.org, o=NetscapeRoot";)
# admin-serv-trixter, Fedora Administration Server, Server Group,
trixter.hym
esruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group,
c
n=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora
Administrat
ion Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org
, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword ||
descrip
tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable
ac
cess delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter,
cn=Fe
dora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=
hymesruzicka.org, o=NetscapeRoot";)
# configuration, admin-serv-trixter, Fedora Administration Server, Server
Gro
up, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration
Server,
cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=Netscape
Root
aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access
configu
ration"; allow (read, search) groupdn="ldap:///cn=Server Group,
cn=trixter.hy
mesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow
(all
) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server,
cn
=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRo
ot";)
# uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C
o\3Dnets
capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement,
o=netscapeRoot"
,ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# search result
search: 2
result: 0 Success
# numResponses: 17
# numEntries: 16
ldapsearch -x -D "cn=directory manager" -w anotherpassword -b
"dc=hymesruzicka,dc=org" "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <dc=hymesruzicka,dc=org> with scope subtree
# filter: aci=*
# requesting: aci
#
# hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous
access";
allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName ||
facsimileTelepho
neNumber || homePhone || homePostalAddress || initials || jpegPhoto ||
labele
dURL || mail || mobile || pager || photo || postOfficeBox || postalAddress
||
postalCode || preferredDeliveryMethod || preferredLanguage ||
registeredAddr
ess || roomNumber || secretary || seeAlso || st || street ||
telephoneNumber
|| telexNumber || title || userCertificate || userPassword ||
userSMIMECertif
icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for
commo
n attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators
Group";allow
(all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka,
dc=or
g");)
# People, hymesruzicka.org
dn: ou=People, dc=hymesruzicka, dc=org
aci: (targetattr ="userpassword || telephonenumber ||
facsimiletelephonenumber
")(version 3.0;acl "Allow self entry modification";allow (write)(userdn =
"ld
ap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter
="(ou=Accounting)")(version
3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn =
"lda
p:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human
Resources)")(ve
rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn =
"ldap:///cn=HR
M
anagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product
Testing)")(ver
sion 3.0;acl "QA Group Permissions";allow (write)(groupdn =
"ldap:///cn=QA
Ma
nagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product
Development)"
)(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn =
"ld
ap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
12:28 p.m.
New subject: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Listbox wrote:
Thanks so much!
Now I'm looking in
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see
what I might do to fix things.
If you are using Fedora DS 1.1 I suggest you use this instead -
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Cont...
Here is the output from the commands you suggested. At least I can
tell one
is bigger than the other :)
The console admin user created during setup is uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot. You should
look at the acis which have this user as the subject (e.g. anything with
userdn="uid=admin, ou=Administrators, ou=TopologyManagement,
o=NetscapeRoot" in it). What's odd is that I don't see any acis in
dc=hymesruzicka, dc=org to grant this user access. setup-ds-admin.pl
should have created them.
There is also a group created for console admins and this group is
granted access just like for the above user. However, this will not
work for remote instances (instances which do not have the real
o=NetscapeRoot on them - the console uses pass through authentication on
instances without o=NetscapeRoot, and group evaluation does not work
remotely). This is the groupdn="ldap:///cn=Configuration
Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot". So
this group aci only works on the server which hosts o=NetscapeRoot. I
don't see any acis for this group in dc=hymesruzicka, dc=org either,
which is odd.
There is another local administrative group created by setup on each
instance for the local suffix - groupdn = "ldap:///cn=Directory
Administrators, dc=hymesruzicka, dc=org" - setup-ds-admin.pl will create
an ACI for this group. The actual group entry is not created by
default, so if you want to use this you will need to create the group
entry cn=Directory Administrators, dc=hymesruzicka, dc=org and add users
to it.
Also check the acis on the configuration entries cn=config and cn=schema
and cn=monitor
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b
cn=config "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b
cn=schema "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b
cn=monitor "aci=*" aci
setup-ds-admin.pl is supposed to create acis for uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot and the group
cn=Configuration Administrators, ou=Groups, ou=TopologyManagement,
o=NetscapeRoot
ldapsearch -x -D "cn=directory manager" -w mypassword -b
o=netscaperoot
"aci=*" aci
# extended LDIF
#
# LDAPv3
# base <o=netscaperoot> with scope subtree
# filter: aci=*
# requesting: aci
#
# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration
Administrator
Gro
up modification"; allow (all) groupdn="ldap:///cn=Configuration
Administrator
s, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl
"Default
anonymous access"; allow (read, search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion";
allow
(read,
search, compare) groupdnattr="uniquemember";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow
(all)
gr
oupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
Grou
p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# TopologyManagement, NetscapeRoot
dn: ou=TopologyManagement, o=NetscapeRoot
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous
access";
allow (read, search, compare)userdn="ldap:///anyone";)
# Global Preferences, hymesruzicka.org, NetscapeRoot
dn: ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable anonymous access";
allow(read,sea
rch) userdn="ldap:///anyone";)
# UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow saving of User
Preferences";
a
llow (add) userdn = "ldap:///all";)
# uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C
o\3DNetsca
peRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=admin, ou=Administrators, ou=TopologyManagement,
o=NetscapeRoot",o
u=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C
cn\3DServer
Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C
o\3DNets
capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server
Grou
p, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRoot",ou=UserP
references, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=Netsc
apeRoot
aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable
de
legated access"; allow (read, search, compare) groupdn="ldap:///cn=Server
Gro
up, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora
Administrati
on Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org,
o=NetscapeRoot";)
# PublicViews, 1.1, Admin, Global Preferences, hymesruzicka.org,
NetscapeRoot
dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences,
ou=hymesruzicka.o
rg, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to
Save
Pu
blic Views"; allow (all) userdn = "ldap:///all";)
# slapd-trixter, Fedora Directory Server, Server Group,
trixter.hymesruzicka.
org, hymesruzicka.org, NetscapeRoot
dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trixter.
hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory
Server
, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=Netsca
peRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword ||
descrip
tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable
ac
cess delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter,
cn=Fedora
Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzic
ka.org, o=NetscapeRoot";)
# configuration, slapd-trixter, Fedora Directory Server, Server Group,
trixte
r.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
G
roup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow
(all
) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server
Gr
oup, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C
cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot,
UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trix
ter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRoot",ou=UserPreferences
, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# cn\3DDirectory Manager, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=Directory Manager",ou=UserPreferences, ou=hymesruzicka.org,
o=Netsc
apeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# Fedora Administration Server, Server Group, trixter.hymesruzicka.org,
hymes
ruzicka.org, NetscapeRoot
dn: cn=Fedora Administration Server, cn=Server Group,
cn=trixter.hymesruzicka.
org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable
dele
gated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora
Admin
istration Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzic
ka.org, o=NetscapeRoot";)
# admin-serv-trixter, Fedora Administration Server, Server Group,
trixter.hym
esruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group,
c
n=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read,
s
earch, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora
Administrat
ion Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=hymesruzicka.org
, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword ||
descrip
tion")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable
ac
cess delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter,
cn=Fe
dora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org,
ou=
hymesruzicka.org, o=NetscapeRoot";)
# configuration, admin-serv-trixter, Fedora Administration Server, Server
Gro
up, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration
Server,
cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=Netscape
Root
aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access
configu
ration"; allow (read, search) groupdn="ldap:///cn=Server Group,
cn=trixter.hy
mesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow
(all
) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server,
cn
=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRo
ot";)
# uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C
o\3Dnets
capeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement,
o=netscapeRoot"
,ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all)
userdnattr="
creatorsname";)
# search result
search: 2
result: 0 Success
# numResponses: 17
# numEntries: 16
ldapsearch -x -D "cn=directory manager" -w anotherpassword -b
"dc=hymesruzicka,dc=org" "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <dc=hymesruzicka,dc=org> with scope subtree
# filter: aci=*
# requesting: aci
#
# hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous
access";
allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName ||
facsimileTelepho
neNumber || homePhone || homePostalAddress || initials || jpegPhoto ||
labele
dURL || mail || mobile || pager || photo || postOfficeBox || postalAddress
||
postalCode || preferredDeliveryMethod || preferredLanguage ||
registeredAddr
ess || roomNumber || secretary || seeAlso || st || street ||
telephoneNumber
|| telexNumber || title || userCertificate || userPassword ||
userSMIMECertif
icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for
commo
n attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators
Group";allow
(all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka,
dc=or
g");)
# People, hymesruzicka.org
dn: ou=People, dc=hymesruzicka, dc=org
aci: (targetattr ="userpassword || telephonenumber ||
facsimiletelephonenumber
")(version 3.0;acl "Allow self entry modification";allow (write)(userdn
=
"ld
ap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter
="(ou=Accounting)")(version
3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn =
"lda
p:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human
Resources)")(ve
rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn =
"ldap:///cn=HR
M
anagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product
Testing)")(ver
sion 3.0;acl "QA Group Permissions";allow (write)(groupdn =
"ldap:///cn=QA
Ma
nagers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product
Development)"
)(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn =
"ld
ap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
2:17 p.m.
New subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Thanks Rich!
I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks
like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It
does not have any entries for uid=admin ( or uid=%as_uid% ).
I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may be
useful as a model to make more of the correct acis. Is this a good idea? How
much more should I modify it?
/usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
# BEGIN COPYRIGHT BLOCK
...
# END COPYRIGHT BLOCK
dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group";
allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow
(all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement,
o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn =
"ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
Thanks again!
************************************************
************************************************
************************************************
for bind in config schema monitor ; do ldapsearch -x -D "cn=directory
manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: aci=*
# requesting: aci
#
# config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group";
a
llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
ou=To
pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow
(a
ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,
o=Ne
tscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn =
"l
dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trix
ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
3.0;acl
"snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
allow(
read
, search, compare, proxy ) userdn = "ldap:///all";)
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
# extended LDIF
#
# LDAPv3
# base <cn=schema> with scope subtree
# filter: aci=*
# requesting: aci
#
# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl
"anonymo
us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group";
a
llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
ou=To
pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow
(a
ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement,
o=Net
scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn =
"l
dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trix
ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# extended LDIF
#
# LDAPv3
# base <cn=monitor> with scope subtree
# filter: aci=*
# requesting: aci
#
# monitor
dn: cn=monitor
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci ||
connection")(versio
n 3.0; acl "monitor"; allow( read, search, compare ) userdn =
"ldap:///anyone
";)
# search result
search: 2
result: 0 Success
2:32 p.m.
New subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Listbox wrote:
Thanks Rich!
I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks
like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It
does not have any entries for uid=admin ( or uid=%as_uid% ).
Right. That's the file that is used for just the fedora-ds-base package
- the admin server and console stuff are "add-ons".
I did find the file "16dssuffixadmin.mod.tmpl", and looks
like it may be
useful as a model to make more of the correct acis. Is this a good idea?
Yes.
How
much more should I modify it?
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or
cn=schema or etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to
use for an administrator.
You can just omit the SIE Group ACI
Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif
Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit
it in place.
/usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
# BEGIN COPYRIGHT BLOCK
...
# END COPYRIGHT BLOCK
dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group";
allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow
(all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement,
o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn =
"ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group,
cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
Thanks again!
************************************************
************************************************
************************************************
for bind in config schema monitor ; do ldapsearch -x -D "cn=directory
manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: aci=*
# requesting: aci
#
# config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group";
a
llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
ou=To
pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow
(a
ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,
o=Ne
tscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn =
"l
dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trix
ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
!="aci")(version
3.0;acl
"snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
allow(
read
, search, compare, proxy ) userdn = "ldap:///all";)
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
# extended LDIF
#
# LDAPv3
# base <cn=schema> with scope subtree
# filter: aci=*
# requesting: aci
#
# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version
3.0;acl
"anonymo
us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group";
a
llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups,
ou=To
pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow
(a
ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement,
o=Net
scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn =
"l
dap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group,
cn=trix
ter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# extended LDIF
#
# LDAPv3
# base <cn=monitor> with scope subtree
# filter: aci=*
# requesting: aci
#
# monitor
dn: cn=monitor
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci ||
connection")(versio
n 3.0; acl "monitor"; allow( read, search, compare ) userdn =
"ldap:///anyone
";)
# search result
search: 2
result: 0 Success
1:31 p.m.
New subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!
Got our first user created!
I have an idea on why the setup-ds-admin.pl may not have worked completely.
When doing the first install, I ran the install script, then aborted it (
within the first few steps ). I thought I was paranoid enough by running
"rpm -erase fedora-ds-1.1.0-3", and deleting the contents of :
/etc/dirsrv
/usr/lib/dirsrv
/usr/share/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv
/var/run/dirsrv
/var/log/dirsrv
/usr/lib/mozldap
/usr/share/doc/mozldap-6.0.5
Before I reinstalled, and re-ran the install script. But I know I ran into a
slapd startup problem because I made a typo, and I only erased the contents
of "/var/run/dirsrv", and left the dir itself.
Untill I tried to create users, that was the only problem due to a previous
install attempt. Maybe this was another.
Thanks again!
-----Original Message-----
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: Wednesday, January 23, 2008 12:33 PM
To: listbox(a)hymerfania.com
Cc: fedora-directory-users(a)redhat.com
Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users,
time for complete wipe and re-install?
Listbox wrote:
Thanks Rich!
I just looked in /usr/share/dirsrv/data, and the file "template.ldif"
looks like what I get for the ldapquery of acis in dc=hymesruzicka,
dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).
Right. That's the file that is used for just the fedora-ds-base package
- the admin server and console stuff are "add-ons".
I did find the file "16dssuffixadmin.mod.tmpl", and looks
like it may
be useful as a model to make more of the correct acis. Is this a good
idea?
Yes.
How
much more should I modify it?
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or
cn=schema or etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use
for an administrator.
You can just omit the SIE Group ACI
Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif
Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it
in place.
/usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
# BEGIN COPYRIGHT BLOCK
...
# END COPYRIGHT BLOCK
dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,
ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow
(all) userdn="ldap:///uid=%as_uid%,ou=Administrators,
ou=TopologyManagement,
o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server,
cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
Thanks again!
************************************************
************************************************
************************************************
for bind in config schema monitor ; do ldapsearch -x -D "cn=directory
manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done #
extended LDIF # # LDAPv3 # base <cn=config> with scope subtree #
filter: aci=* # requesting: aci #
# config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group"; a llow (all) groupdn="ldap:///cn=Configuration
Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow (a
ll) userdn="ldap:///uid=admin, ou=Administrators,
ou=TopologyManagement, o=Ne
tscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server,
cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRoot";)
# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version
3.0;acl "snmp";allow (read, search, compare)(userdn =
"ldap:///anyone");)
# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control";
allow( read , search, compare, proxy ) userdn = "ldap:///all";)
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
# extended LDIF
#
# LDAPv3
# base <cn=schema> with scope subtree
# filter: aci=*
# requesting: aci
#
# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl
"anonymo us, no acis"; allow (read, search, compare) userdn =
"ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
Group"; a llow (all) groupdn="ldap:///cn=Configuration
Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator";
allow (a
ll) userdn="ldap:///uid=admin,ou=Administrators,
ou=TopologyManagement, o=Net
scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server,
cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org,
o=NetscapeRoot";)
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
# extended LDIF
#
# LDAPv3
# base <cn=monitor> with scope subtree # filter: aci=* # requesting:
aci #
# monitor
dn: cn=monitor
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci ||
connection")(versio n 3.0; acl "monitor"; allow( read, search,
compare ) userdn = "ldap:///anyone
";)
# search result
search: 2
result: 0 Success
1:35 p.m.
New subject: NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!
Listbox wrote:
Got our first user created!
I have an idea on why the setup-ds-admin.pl may not have worked completely.
When doing the first install, I ran the install script, then aborted it (
within the first few steps ).
If you abort setup before it finishes asking you
questions, you should
be able to run it again, no problem. If you abort it after the dialog
section during its configuration section, then you will have to do some
clean up.
I thought I was paranoid enough by running
"rpm -erase fedora-ds-1.1.0-3",
That really doesn't do anything - the
fedora-ds package is now
completely empty and just Requires (for yum) the "real" packages
fedora-ds-base, fedora-ds-admin, etc.
It shouldn't be necessary, but if you really want to remove everything,
you should do something like
yum erase svrcore idm-console-framework
and deleting the contents of :
/etc/dirsrv
/usr/lib/dirsrv
/usr/lib64/dirsrv on 64bit systems
/usr/share/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv
/var/run/dirsrv
/var/log/dirsrv
Yep. rm -rf all of those
/usr/lib/mozldap
/usr/share/doc/mozldap-6.0.5
No, not these.
Before I reinstalled, and re-ran the install script. But I know I ran
into a
slapd startup problem because I made a typo, and I only erased the contents
of "/var/run/dirsrv", and left the dir itself.
Untill I tried to create users, that was the only problem due to a
previous
install attempt. Maybe this was another.
Thanks again!
-----Original Message-----
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: Wednesday, January 23, 2008 12:33 PM
To: listbox(a)hymerfania.com
Cc: fedora-directory-users(a)redhat.com
Subject: Re: NetscapeRootRe: [Fedora-directory-users] Can't create users,
time for complete wipe and re-install?
Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif"
> looks like what I get for the ldapquery of acis in dc=hymesruzicka,
> dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).
>
>
Right. That's the file that is used for just the fedora-ds-base package
- the admin server and console stuff are "add-ons".
> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may
> be useful as a model to make more of the correct acis. Is this a good
>
idea?
Yes.
> How
> much more should I modify it?
>
>
You have to replace the %token% items:
ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or
cn=schema or etc.
as_uid - admin
or change the entire DN uid=%as_uid%,ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use
for an administrator.
You can just omit the SIE Group ACI
Then just feed that file to ldapmodify e.g.
ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif
Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it
in place.
> /usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl
>
> # BEGIN COPYRIGHT BLOCK
> ...
> # END COPYRIGHT BLOCK
> dn: %ds_suffix%
> changetype: modify
> add: aci
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
> Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,
> ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration
Administrator";
> allow
> (all) userdn="ldap:///uid=%as_uid%,ou=Administrators,
> ou=TopologyManagement,
> o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
> groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server,
> cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
>
>
> Thanks again!
>
> ************************************************
> ************************************************
> ************************************************
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory
> manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done #
> extended LDIF # # LDAPv3 # base <cn=config> with scope subtree #
> filter: aci=* # requesting: aci #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
> Group"; a llow (all) groupdn="ldap:///cn=Configuration
> Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration
Administrator";
> allow (a
> ll) userdn="ldap:///uid=admin, ou=Administrators,
> ou=TopologyManagement, o=Ne
> tscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
> groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server,
> cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org,
> o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr
!="aci")(version
> 3.0;acl "snmp";allow (read, search, compare)(userdn =
> "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request
Control";
> allow( read , search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version
3.0;acl
> "anonymo us, no acis"; allow (read, search, compare) userdn =
> "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
> Group"; a llow (all) groupdn="ldap:///cn=Configuration
> Administrators, ou=Groups, ou=To pologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration
Administrator";
> allow (a
> ll) userdn="ldap:///uid=admin,ou=Administrators,
> ou=TopologyManagement, o=Net
> scapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
> groupdn = "l dap:///cn=slapd-trixter, cn=Fedora Directory Server,
> cn=Server Group, cn=trix ter.hymesruzicka.org, ou=hymesruzicka.org,
> o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=monitor> with scope subtree # filter: aci=* # requesting:
> aci #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci ||
> connection")(versio n 3.0; acl "monitor"; allow( read, search,
> compare ) userdn = "ldap:///anyone
> ";)
>
> # search result
> search: 2
> result: 0 Success
>
>
>
>
5933
days inactive
5937
days old
389-users@lists.fedoraproject.org
7 comments
2 participants
participants (2)
-
Listbox -
Rich Megginson