[389-users] New 389 ds install - cannot logon to adm console

Brian LaMere brian at cukerinteractive.com
Sat Jan 15 00:27:00 UTC 2011


Well, hello all, seems I'm having this problem myself... fresh install, and
when I go to the configuration tab of the 389-console it tells me:

"The user uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
does not have permission to perform this operation."

When I click ok, a box appears asking for DN/pass.  If I put the password in
the box...it continues on with no errors (thus the "mind annoyance").  Then
again, if I just click "ok" and then "cancel" (meaning, I don't put in new
credentials) the config tab works then too.  I don't actually see in the
logs either what it is that I'm not being allowed to do, it seems to just be
a superfluous re-prompting for the password.  On a lark, I tried putting in
the /wrong/ password...which it did indeed not like, telling me "invalid
credentials."  Clicked ok, then cancel...and I'm able to access the
configuration tab even after putting in the wrong pass and not correcting
it.  I'm assuming it is just using the original credentials that should have
prevented the initial error in the first place, even though I tried putting
in new credentials...

Again, fresh install, on a fresh build of Fedora 14.  I am tunneling the
console, but that shouldn't matter (?).  Is this just a bug in 389-console?
Should I open a ticket?  I'm going to continue past it, since it...doesn't
seem to be stopping me from doing anything.  I'm using the standard repos,
everything is current:

389-admin-console-1.1.5-1.fc14.noarch
389-admin-console-doc-1.1.5-1.fc14.noarch
389-adminutil-1.1.13-1.fc14.x86_64
389-admin-1.1.13-2.fc14.x86_64
389-ds-console-1.2.3-1.fc14.noarch
389-ds-console-doc-1.2.3-1.fc14.noarch
389-console-1.1.4-1.fc14.noarch
389-ds-base-1.2.7.5-1.fc14.x86_64
389-dsgw-1.1.6-1.fc14.x86_64
389-ds-1.2.1-1.fc14.noarch

Did I miss the response about what might have been causing this?

Brian

On Wed, Dec 1, 2010 at 4:00 AM, trisooma <trisooma at xs4all.nl> wrote:

> > On 11/30/2010 04:33 PM, trisooma wrote:
> >>> On 11/30/2010 02:32 PM, Trisooma wrote:
> >>>>     On 11/30/2010 10:23 PM, Rich Megginson wrote:
> >>>>> On 11/30/2010 02:20 PM, trisooma wrote:
> >>>>>> If I am reading the code correctly (and looking at the logging below), the
> >>>>>> line that has a severity of 'crit' should dump info for the ldap server we
> >>>>>> are connecting to.
> >>>>>> In my case (and Eric's too) only 'ldap://:389' is printed; sometimes even
> >>>>>> with an odd number like 23395496 (see Eric's first post).
> >>>>>>
> >>>>>> [Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
> >>>>>> [Tue Nov 30 22:01:43 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
> >>>>>> [Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
> >>>>>> [Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
> >>>>>> [Tue Nov 30 22:01:44 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
> >>>>>>
> >>>>>> The code that logs this error looks like this
> >>>>>> [mod_admserv/mod_admserv.c:517]
> >>>>>>
> >>>>>>            ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
> >>>>>>                         "openLDAPConnection(): util_ldap_init failed for ldap%s://%s:%d",
> >>>>>>                         data->secure ? "s" : "",
> >>>>>>                         data->host, data->port);
> >>>>>>
> >>>>>> It seems that the struct 'data' is not filled with the correct values.
> >>>>> That's why I asked for your /etc/dirsrv/admin-serv/adm.conf -
> >>>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012548.html
> >>>> My bad, see
> >>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012551.html
> >>> First, upgrade to the latest versions of these components from the
> >>> testing repo
> >>> yum upgrade --enablerepo=updates-testing 389-admin 389-ds-base 389-adminutil
> >>>
> >>> Then, run
> >>> setup-ds-admin.pl -u
> >>>
> >>> Then try
> >>>
> >>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >>>
> >>> and
> >>>
> >>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >>>
> >> Using the above I can confirm that I can now use the console to log in and
> >> administer my DS (though I had to remove selinux-policy-targeted). The
> >> command 'setup-ds-admin.pl -u' ran without a hitch.
> >>
> >> The results of both ldap queries are below:
> >>
> >> [root at icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >> Enter LDAP Password:
> >> dn: cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma
> >>   .nl,o=NetscapeRoot
> >> nsBuildSecurity: domestic
> >> objectClass: top
> >> objectClass: nsApplication
> >> objectClass: groupOfUniqueNames
> >> cn: 389 Administration Server
> >> nsVendor: 389 Project
> >> installationTimeStamp: 20101124210830Z
> >> nsBuildNumber: 2010.328.157
> >> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Grou
> >>   p,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> >> nsServerMigrationClassname: com.netscape.management.admserv.AdminServerProduct
> >>   @389-admin-1.1.jar
> >> nsProductName: 389 Administration Server
> >> nsProductVersion: 1.1.13
> >> nsNickName: admin
> >>
> >> [root at icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> >> Enter LDAP Password:
> >> dn: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicl
> >>   e.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> >> objectClass: top
> >> objectClass: netscapeServer
> >> objectClass: nsAdminServer
> >> objectClass: nsResourceRef
> >> objectClass: groupOfUniqueNames
> >> serverHostName: icicle.phasma.nl
> >> cn: admin-serv-icicle
> >> installationTimeStamp: 20101124210830Z
> >> serverProductName: Administration Server
> >> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Grou
> >>   p,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> >> nsServerID: admin-serv
> >>
> >> I proceeded to restart dirsrv-admin, and the log now looks like this:
> >>
> >> [Tue Nov 30 23:59:20 2010] [notice] Access Host filter is: *.phasma.nl
> >> [Tue Nov 30 23:59:20 2010] [notice] Access Address filter is: *
> >> [Tue Nov 30 23:59:21 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
> >> [Tue Nov 30 23:59:21 2010] [notice] Access Host filter is: *.phasma.nl
> >> [Tue Nov 30 23:59:21 2010] [notice] Access Address filter is: *
> >> [Wed Dec 01 00:00:17 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
> >> [Wed Dec 01 00:00:18 2010] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
> >> [Wed Dec 01 00:00:33 2010] [notice] [client 192.168.134.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.134.10
> >> [Wed Dec 01 00:00:33 2010] [error] [client 192.168.134.10] File does not exist: /usr/share/dirsrv/html/java/jars
> > This should be ok - it should fallback to /usr/share/dirsrv/html/java
> >> Still some errors are visible in the logfile,
> > The one marked [error] above, or are there others?  [notice] messages
> > are ok.
>
> No, this is the only one marked as error.
>
> >> but I can log in and add
> >> users/groups using the console. When I navigate to 'Directory Server' >
> >> 'Configuration' I get the following error message:
> >> 'Insufficient Permissions': The user
> >> uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does not
> >> have permission to perform this operation.
> >> When I enter the correct credentials, it seems that everything is working
> >> as it is supposed to.
> > "correct credentials"?
>
> The password that is set for uid=admin,.......; This is only a minor
> annoyance, however it does seem strange that I am asked for the password
> again.
>
> >> The log complains about not being able to do a reverse lookup on
> >> 192.168.134.10, but this seems wrong (DNS works both ways):
> > Yes.  See /etc/dirsrv/admin-serv/console.conf - HostnameLookups
>
> OK, got it.
>
> >> [shadowuser at icicle ~]$ host 192.168.134.10
> >> 10.134.168.192.in-addr.arpa domain name pointer icicle.phasma.nl.
> >> [shadowuser at icicle ~]$ host icicle.phasma.nl
> >> icicle.phasma.nl has address 192.168.134.10
> >>
> >> Thanks for your patience,
> >>
> >> Regards,
> >>
> >> Trisooma
> >>
> >>
> >>
> >>>>>> BTW. this code was taken from 389-admin-1.1.12.a2
> >>>>>>
> >>>>>> I hope this helps,
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>> Trisooma
> >>>>>>
> >>>>>> --
> >>>>>> 389 users mailing list
> >>>>>> 389-users at lists.fedoraproject.org
> >>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >>>
> >>
> >
> >
>
>
>
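
Added example, not part of the thread or of the 389 project's code: a Python triage of admin-serv error-log lines like those quoted above, flagging util_ldap_init failures whose LDAP URL has no host (the 'ldap://:389' symptom of an unpopulated 'data' struct). The sample lines are constructed by joining the wrapped excerpts in the thread; the function name triage, the issue labels and the port-range check are assumptions.

```python
import re

# Apache 2.2 error_log layout: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
# Mirrors the format string quoted in the thread: "ldap%s://%s:%d"
LDAP_FAIL_RE = re.compile(
    r"util_ldap_init failed for (?P<scheme>ldaps?)://(?P<host>[^:/\s]*):(?P<port>\d+)"
)

# Constructed sample: log excerpts from the thread, one entry per line.
SAMPLE_LOG = """\
[Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
[Tue Nov 30 22:01:43 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
[Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
[Wed Dec 01 00:00:17 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
[Wed Dec 01 00:00:33 2010] [error] [client 192.168.134.10] File does not exist: /usr/share/dirsrv/html/java/jars
"""

def triage(log_text):
    """Return one finding per [crit]/[error] line; classify LDAP init failures."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("level") not in ("crit", "error"):
            continue  # [notice] and [warn] lines are not reported
        entry = {"ts": m.group("ts"), "level": m.group("level"),
                 "client": m.group("client"), "issue": "other",
                 "detail": m.group("msg")}
        ldap = LDAP_FAIL_RE.search(m.group("msg"))
        if ldap:
            host, port = ldap.group("host"), int(ldap.group("port"))
            # Assumption: an empty host or out-of-range port means the
            # connection settings were never loaded, not that the server is down.
            unset = not host or not 0 < port < 65536
            entry["issue"] = "ldap_target_unset" if unset else "ldap_connect_failed"
            entry["detail"] = f"{ldap.group('scheme')}://{host}:{port}"
        findings.append(entry)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']}  {f['level']:<5}  {f['issue']:<19}  {f['detail']}")
```
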