<meta charset="utf-8">well hello all, seems I'm having this problem myself....fresh install, and when I go to the configuration tab of the 389-console it tells me:<div><br></div><div>"The user uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does not have permission to perform this operation."</div>
<div><br></div><div>When I click ok, a box appears asking for DN/pass. If I put the password in the box...it continues on with no errors (thus the "mind annoyance"). Then again, if I just click "ok" and then "cancel" (meaning, I don't put in new credentials) the config tab works then too. I don't actually see in the logs either what it is that I'm not being allowed to do, it seems to just be a superfluous re-prompting for the password. On a lark, I tried putting in the /wrong/ password...which it did indeed not like, telling me "invalid credentials." Clicked ok, then cancel...and I'm able to access the configuration tab even after putting in the wrong pass and not correcting it. I'm assuming it is just using the original credentials that should have prevented the initial error in the first place, even though I tried putting in new credentials...</div>
<div><br></div><div>Again, fresh install, on a fresh build of Fedora14. I am tunneling the console, but that shouldn't matter (?). Is this just a bug in 389-console? Should I open a ticket? I'm going to continue past it, since it...doesn't seem to be stopping me from doing anything. I'm using the standard repos, everything is current:</div>
<div><br></div><div><div>389-admin-console-1.1.5-1.fc14.noarch</div><div>389-admin-console-doc-1.1.5-1.fc14.noarch</div><div>389-adminutil-1.1.13-1.fc14.x86_64</div><div>389-admin-1.1.13-2.fc14.x86_64</div><div>389-ds-console-1.2.3-1.fc14.noarch</div>
<div>389-ds-console-doc-1.2.3-1.fc14.noarch</div><div>389-console-1.1.4-1.fc14.noarch</div><div>389-ds-base-1.2.7.5-1.fc14.x86_64</div><div>389-dsgw-1.1.6-1.fc14.x86_64</div><div>389-ds-1.2.1-1.fc14.noarch</div></div><div>
<br></div><div>Did I miss the response about what might have been causing this?</div><div><br></div><div>Brian</div><br><div class="gmail_quote">On Wed, Dec 1, 2010 at 4:00 AM, trisooma <span dir="ltr"><<a href="mailto:trisooma@xs4all.nl">trisooma@xs4all.nl</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div></div><div class="h5">> On 11/30/2010 04:33 PM, trisooma wrote:<br>
>>> On 11/30/2010 02:32 PM, Trisooma wrote:<br>
>>>> On 11/30/2010 10:23 PM, Rich Megginson wrote:<br>
>>>>> On 11/30/2010 02:20 PM, trisooma wrote:<br>
>>>>>> If i am reading the code correctly (and looking at the logging<br>
>>>>>> below), the<br>
>>>>>> line that has a severity of 'crit' should dump info for the ldap<br>
>>>>>> server we<br>
>>>>>> are connecting to.<br>
>>>>>> In my case (and Eric's too) only 'ldap://:389' is printed; sometimes<br>
>>>>>> even<br>
>>>>>> with an odd number like 23395496 (see Eric's first post).<br>
>>>>>><br>
>>>>>> [Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection():<br>
>>>>>> util_ldap_init<br>
>>>>>> failed for ldap://:389<br>
>>>>>> [Tue Nov 30 22:01:43 2010] [warn] Unable to open initial<br>
>>>>>> LDAPConnection to<br>
>>>>>> populate LocalAdmin tasks into cache.<br>
>>>>>> [Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix) configured<br>
>>>>>> --<br>
>>>>>> resuming normal operations<br>
>>>>>> [Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection():<br>
>>>>>> util_ldap_init<br>
>>>>>> failed for ldap://:389<br>
>>>>>> [Tue Nov 30 22:01:44 2010] [warn] Unable to open initial<br>
>>>>>> LDAPConnection to<br>
>>>>>> populate LocalAdmin tasks into cache.<br>
>>>>>><br>
>>>>>> The code that logs this error looks like this<br>
>>>>>> [mod_admserv/mod_admserv.c:517]<br>
>>>>>><br>
>>>>>> ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */,<br>
>>>>>> NULL,<br>
>>>>>> "openLDAPConnection(): util_ldap_init failed<br>
>>>>>> for<br>
>>>>>> ldap%s://%s:%d",<br>
>>>>>> data->secure ? "s" : "",<br>
>>>>>> data->host, data->port);<br>
>>>>>><br>
>>>>>> It seems that the struct 'data' is not filled with the correct<br>
>>>>>> values.<br>
>>>>> That's why I asked for your /etc/dirsrv/admin-serv/adm.conf -<br>
>>>>> <a href="http://lists.fedoraproject.org/pipermail/389-users/2010-November/012548.html" target="_blank">http://lists.fedoraproject.org/pipermail/389-users/2010-November/012548.html</a><br>
>>>> My bad, see<br>
>>>> <a href="http://lists.fedoraproject.org/pipermail/389-users/2010-November/012551.html" target="_blank">http://lists.fedoraproject.org/pipermail/389-users/2010-November/012551.html</a><br>
>>> First, upgrade to the latest versions of these components from the<br>
>>> testing repo<br>
>>> yum upgrade --enablerepo=updates-testing 389-admin 389-ds-base<br>
>>> 389-adminutil<br>
>>><br>
>>> Then, run<br>
>>> <a href="http://setup-ds-admin.pl" target="_blank">setup-ds-admin.pl</a> -u<br>
>>><br>
>>> Then try<br>
>>><br>
>>> ldapsearch -x -LLL -H ldap://<a href="http://icicle.phasma.nl:389/" target="_blank">icicle.phasma.nl:389/</a> -D<br>
>>> "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w<br>
>>> youradminpassword -s base -b "cn=389 Administration Server,cn=Server<br>
>>> Group,cn=<a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>,ou=<a href="http://phasma.nl" target="_blank">phasma.nl</a>,o=NetscapeRoot"<br>
>>><br>
>>> and<br>
>>><br>
>>> ldapsearch -x -LLL -H ldap://<a href="http://icicle.phasma.nl:389/" target="_blank">icicle.phasma.nl:389/</a> -D<br>
>>> "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w<br>
>>> youradminpassword -s base -b "cn=admin-serv-icicle,cn=389<br>
>>> Administration<br>
>>> Server,cn=Server Group,cn=<a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>,ou=<a href="http://phasma.nl" target="_blank">phasma.nl</a>,o=NetscapeRoot"<br>
>>><br>
>> Using the above i can confirm that i can now use the console to log in<br>
>> and<br>
>> administer my DS (though i had to remove selinux-policy-targeted). The<br>
>> command '<a href="http://setup-ds-admin.pl" target="_blank">setup-ds-admin.pl</a> -u' ran without a hitch.<br>
>><br>
>> the results of both ldap queries are below:<br>
>><br>
>> [root@icicle /]# ldapsearch -x -LLL -H ldap://<a href="http://icicle.phasma.nl:389/" target="_blank">icicle.phasma.nl:389/</a> -D<br>
>> "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s<br>
>> base -b "cn=389 Administration Server,cn=Server<br>
>> Group,cn=<a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>,ou=<a href="http://phasma.nl" target="_blank">phasma.nl</a>,o=NetscapeRoot"<br>
>> Enter LDAP Password:<br>
>> dn: cn=389 Administration Server,cn=Server<br>
>> Group,cn=<a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>,ou=phasma<br>
>> .nl,o=NetscapeRoot<br>
>> nsBuildSecurity: domestic<br>
>> objectClass: top<br>
>> objectClass: nsApplication<br>
>> objectClass: groupOfUniqueNames<br>
>> cn: 389 Administration Server<br>
>> nsVendor: 389 Project<br>
>> installationTimeStamp: 20101124210830Z<br>
>> nsBuildNumber: 2010.328.157<br>
>> uniqueMember: cn=admin-serv-icicle,cn=389 Administration<br>
>> Server,cn=Server<br>
>> Grou<br>
>> p,cn=<a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>,ou=<a href="http://phasma.nl" target="_blank">phasma.nl</a>,o=NetscapeRoot<br>
>> nsServerMigrationClassname:<br>
>> com.netscape.management.admserv.AdminServerProduct<br>
>> @389-admin-1.1.jar<br>
>> nsProductName: 389 Administration Server<br>
>> nsProductVersion: 1.1.13<br>
>> nsNickName: admin<br>
>><br>
>> [root@icicle /]# ldapsearch -x -LLL -H ldap://<a href="http://icicle.phasma.nl:389/" target="_blank">icicle.phasma.nl:389/</a> -D<br>
>> "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s<br>
>> base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server<br>
>> Group,cn=<a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>,ou=<a href="http://phasma.nl" target="_blank">phasma.nl</a>,o=NetscapeRoot"<br>
>> Enter LDAP Password:<br>
>> dn: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server<br>
>> Group,cn=icicl<br>
>> <a href="http://e.phasma.nl" target="_blank">e.phasma.nl</a>,ou=<a href="http://phasma.nl" target="_blank">phasma.nl</a>,o=NetscapeRoot<br>
>> objectClass: top<br>
>> objectClass: netscapeServer<br>
>> objectClass: nsAdminServer<br>
>> objectClass: nsResourceRef<br>
>> objectClass: groupOfUniqueNames<br>
>> serverHostName: <a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a><br>
>> cn: admin-serv-icicle<br>
>> installationTimeStamp: 20101124210830Z<br>
>> serverProductName: Administration Server<br>
>> uniqueMember: cn=admin-serv-icicle,cn=389 Administration<br>
>> Server,cn=Server<br>
>> Grou<br>
>> p,cn=<a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>,ou=<a href="http://phasma.nl" target="_blank">phasma.nl</a>,o=NetscapeRoot<br>
>> nsServerID: admin-serv<br>
>><br>
>> I proceeded to restart dirsrv-admin, and the log now looks like this:<br>
>><br>
>> [Tue Nov 30 23:59:20 2010] [notice] Access Host filter is: *.<a href="http://phasma.nl" target="_blank">phasma.nl</a><br>
>> [Tue Nov 30 23:59:20 2010] [notice] Access Address filter is: *<br>
>> [Tue Nov 30 23:59:21 2010] [notice] Apache/2.2.17 (Unix) configured --<br>
>> resuming normal operations<br>
>> [Tue Nov 30 23:59:21 2010] [notice] Access Host filter is: *.<a href="http://phasma.nl" target="_blank">phasma.nl</a><br>
>> [Tue Nov 30 23:59:21 2010] [notice] Access Address filter is: *<br>
>> [Wed Dec 01 00:00:17 2010] [notice] [client 127.0.0.1]<br>
>> admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1<br>
>> [Wed Dec 01 00:00:18 2010] [notice] [client 127.0.0.1]<br>
>> admserv_check_authz(): passing [/admin-serv/authenticate] to the<br>
>> userauth<br>
>> handler<br>
>> [Wed Dec 01 00:00:33 2010] [notice] [client 192.168.134.10]<br>
>> admserv_host_ip_check: ap_get_remote_host could not resolve<br>
>> 192.168.134.10<br>
>> [Wed Dec 01 00:00:33 2010] [error] [client 192.168.134.10] File does not<br>
>> exist: /usr/share/dirsrv/html/java/jars<br>
> This should be ok - it should fallback to /usr/share/dirsrv/html/java<br>
>> Still some errors are visible in the logfile,<br>
> The one marked [error] above, or are there others? [notice] messages<br>
> are ok.<br>
<br>
</div></div>No, this is the only one marked as error.<br>
<div class="im"><br>
>> but i can log in and add<br>
>> users/groups using the console. When i navigate to 'Directory Server'><br>
>> 'Configuration' i get the following error message:<br>
>> 'Insufficient Permissions': The user<br>
>> uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does<br>
>> not<br>
>> have permission to perform this operation.<br>
>> When i enter the correct credentials, it seems that everything is<br>
>> working<br>
>> as it is supposed to.<br>
> "correct credentials"?<br>
<br>
</div>the password that is set for uid=admin,.......; This is only a minor<br>
annoyance, however it does seem strange that i am asked for the password<br>
again.<br>
<div class="im"><br>
>> The log complains about not being able to do a reverse lookup on<br>
>> 192.168.134.10, but this seems wrong (DNS works both ways):<br>
> Yes. See /etc/dirsrv/admin-serv/console.conf - HostnameLookups<br>
<br>
</div>oke, got it.<br>
<div><div></div><div class="h5"><br>
>> [shadowuser@icicle ~]$ host 192.168.134.10<br>
>> 10.134.168.192.in-addr.arpa domain name pointer <a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a>.<br>
>> [shadowuser@icicle ~]$ host <a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a><br>
>> <a href="http://icicle.phasma.nl" target="_blank">icicle.phasma.nl</a> has address 192.168.134.10<br>
>><br>
>> Thanks for your patience,<br>
>><br>
>> Regards,<br>
>><br>
>> Trisooma<br>
>><br>
>><br>
>><br>
>>>>>> BTW. this code was taken from 389-admin-1.1.12.a2<br>
>>>>>><br>
>>>>>> I hope this helps,<br>
>>>>>><br>
>>>>>> Regards,<br>
>>>>>><br>
>>>>>> Trisooma<br>
>>>>>><br>
>>>>>> --<br>
>>>>>> 389 users mailing list<br>
>>>>>> <a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
>>>>>> <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
>>>> --<br>
>>>> 389 users mailing list<br>
>>>> <a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
>>>> <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
>>><br>
>><br>
>> --<br>
>> 389 users mailing list<br>
>> <a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
>> <a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
><br>
><br>
<br>
<br>
--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br>
</div></div></blockquote></div><br>