<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Herb,<br>
<br>
OK, you shouldn't be using "o=netscaperoot" from a different machine,
but if both machines are set up EXACTLY the same way, then you might
be able to replace the hostname. But this is error prone, and we
should try and get the master B registered on master A's console.
Did you try setting up an admin domain that points to master B's
machine?<br>
<br>
See comments below...<br>
<br>
On 04/24/2012 04:11 PM, Herb Burnswell wrote:
<blockquote
cite="mid:CAOuzmw5EpZ=987vw8vfEY8y8xriH1_87ica-x1=Cd292b6GCgQ@mail.gmail.com"
type="cite">
<div class="gmail_extra">Hi Mark,<br>
<br>
Thanks for getting back to me, sorry about the confusion.
Here's the logs from master B console log on attempts:<br>
<br>
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection
from 10.10.10.25 to 10.10.10.25<br>
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND
dn="cn=admin-serv-masterB, cn=Fedora Administration Server,
cn=Server Group, cn=<a moz-do-not-send="true"
href="http://masterB.sub.domain.biz">masterB.sub.domain.biz</a>,
ou=<a moz-do-not-send="true" href="http://sub.domain.biz">sub.domain.biz</a>,
o=NetscapeRoot" method=128 version=2<br>
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97
nentries=0 etime=0<br>
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection
from 10.10.10.25 to 10.10.10.25<br>
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND
dn="cn=admin-serv-masterB, cn=Fedora Administration Server,
cn=Server Group, cn=<a moz-do-not-send="true"
href="http://masterB.sub.domain.biz">masterB.sub.domain.biz</a>,
ou=<a moz-do-not-send="true" href="http://sub.domain.biz">sub.domain.biz</a>,
o=NetscapeRoot" method=128 version=2<br>
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97
nentries=0 etime=0<br>
</div>
</blockquote>
This isn't the right bind dn we are looking for. :-) We want to
see the results from "uid=admin" and "cn=directory manager".<br>
<blockquote
cite="mid:CAOuzmw5EpZ=987vw8vfEY8y8xriH1_87ica-x1=Cd292b6GCgQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<br>
[24/Apr/2012:12:32:47] security (23835): for host <a
moz-do-not-send="true" href="http://masterB.sub.domain.biz">masterB.sub.domain.biz</a>
trying to GET /admin-serv/authenticate, admin40_host_ip_check
reports: Unauthorized host ip=10.10.10.25, connection rejected<br>
</div>
</blockquote>
This might be caused by some access restrictions. Do an ldapsearch
on o=netscaperoot and look for:<br>
<br>
dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot<br>
<br>
nsAdminAccessAddresses<br>
nsAdminAccessHosts<br>
<br>
Use ldapmodify to change the settings if needed. Make sure that the
host you are trying to connect from is allowed by the settings. You
could just set both to "*" for now. You will need to restart the
admin server for this change to take effect.<br>
<br>
Thanks,<br>
Mark<br>
<br>
<blockquote
cite="mid:CAOuzmw5EpZ=987vw8vfEY8y8xriH1_87ica-x1=Cd292b6GCgQ@mail.gmail.com"
type="cite">
<div class="gmail_extra">
<br>
When I was trying to get replication working, I did an
initialization of master B from master A backup files
(NetscapeRoot and &lt;my_suffix&gt;). I've since done a
re-initialization of &lt;my_suffix&gt; to master B from master A
console. When I do a search on master B:<br>
<br>
./ldapsearch -D "cn=Directory Manager" -w &lt;passwd&gt; -b
o=netscaperoot "cn=admin-serv-*"<br>
<br>
version: 1<br>
dn: cn=admin-serv-masterA, cn=Fedora Administration Server,
cn=Server Group, <br>
cn=<a moz-do-not-send="true"
href="http://masterA.sub.domain.biz">masterA.sub.domain.biz</a>,
ou=<a moz-do-not-send="true" href="http://sub.domain.biz">sub.domain.biz</a>,
o=NetscapeRoot<br>
objectClass: top<br>
objectClass: netscapeServer<br>
objectClass: nsAdminServer<br>
objectClass: nsResourceRef<br>
objectClass: groupOfUniqueNames<br>
cn: admin-serv-masterA<br>
nsServerID: admin-serv<br>
serverRoot: /opt/fedora-ds<br>
serverProductName: Administration Server<br>
serverHostName: <a moz-do-not-send="true"
href="http://masterA.sub.domain.biz">masterA.sub.domain.biz</a><br>
uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration
Server, cn=Serv<br>
er Group, cn=<a moz-do-not-send="true"
href="http://masterA.sub.domain.biz">masterA.sub.domain.biz</a>,
ou=<a moz-do-not-send="true" href="http://sub.domain.biz">sub.domain.biz</a>,
o=NetscapeRoot<br>
installationTimeStamp: 20050916201912Z<br>
userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==<br>
<br>
<br>
Yes, this version and install is very old. But it appears that
all of master A information is on master B regarding
admin-serv-&lt;hostname&gt; user on master B. This is not
correct, right?<br>
<br>
I read the documentation that you sent but my install does not
include <a moz-do-not-send="true"
href="http://setup-ds-admin.pl">setup-ds-admin.pl</a>, my
version is DS 7.1. Is there a way to simply edit the
admin-serv-&lt;hostname&gt; if that is in fact the problem?<br>
<br>
TIA,<br>
<br>
Herb<br>
<br>
<div class="gmail_quote">On Tue, Apr 24, 2012 at 8:34 AM, Mark
Reynolds <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mareynol@redhat.com" target="_blank">mareynol@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">
<div bgcolor="#FFFFFF" text="#000000"> Hi Herb,<br>
<br>
I wanted to see the logs from the server that wasn't
working. According to these logs everything is fine.
So, you can log into the console for master A, but not
master B. Most likely there is no configuration
instance/admin server set up. There are a few
options. One, you could register master B in the
Master A console (using Create New Administration
Domain feature), and just use that console to manage
both servers. Two, set up a new config instance on the
master B machine, and use a separate console.<br>
<br>
Option one is definitely the best option. You can
still use the console GUI on master B if you want to,
but point it to the master A in the administration
URL. <br>
<br>
Here are some links to some useful documents on
this:<br>
<br>
<a moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html"
target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html</a><br>
<br>
<a moz-do-not-send="true"
href="http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20register%20instance%20in%20console&source=web&cd=1&ved=0CCQQFjAA&url=http%3A%2F%2Fdocs.redhat.com%2Fdocs%2Fen-US%2FRed_Hat_Directory_Server%2F8.2%2Fpdf%2FUsing_Red_Hat_Console%2FRed_Hat_Directory_Server-8.2-Using_Red_Hat_Console-en-US.pdf&ei=CMCWT_iAL-qD6AGHjsiUDg&usg=AFQjCNFEcvk6fUEU7UFEbsQI2XDK0fq_aA&cad=rja"
target="_blank">http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20register%20instance%20in%20console&source=web&cd=1&ved=0CCQQFjAA&url=http%3A%2F%2Fdocs.redhat.com%2Fdocs%2Fen-US%2FRed_Hat_Directory_Server%2F8.2%2Fpdf%2FUsing_Red_Hat_Console%2FRed_Hat_Directory_Server-8.2-Using_Red_Hat_Console-en-US.pdf&ei=CMCWT_iAL-qD6AGHjsiUDg&usg=AFQjCNFEcvk6fUEU7UFEbsQI2XDK0fq_aA&cad=rja</a><br>
<br>
Let me know if you have any questions.<br>
<br>
Mark<br>
<br>
On 04/23/2012 07:48 PM, Herb Burnswell wrote:
<blockquote type="cite">
<div class="gmail_extra">Hey Mark,<br>
<br>
Well, to back up a bit, of the dual masters (A
&amp; B) only A has been running consistently for
many years. That is why I needed to do a
re-initialization of B. The re-initialization was
done at the 'my_suffix' level and not
NetscapeRoot.<br>
<br>
I assumed that the config data would be running on
both dual masters. Maybe I am incorrect?<br>
<br>
access from Master A for 'admin' bind:<br>
<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 fd=71
slot=71 connection from 10.10.10.24 to 10.10.10.24<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND
dn="uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot" method=128
version=3<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT
err=0 tag=97 nentries=0 etime=0
dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH
base="cn=statusping, cn=operation, cn=tasks,
cn=admin-serv-masterA, cn=fedora administration
server, cn=server group, cn=<a
moz-do-not-send="true"
href="http://masterA.sub.domain.biz"
target="_blank">masterA.sub.domain.biz</a>, ou=<a
moz-do-not-send="true"
href="http://sub.domain.biz" target="_blank">sub.domain.biz</a>,
o=netscaperoot" scope=0 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT
err=0 tag=101 nentries=1 etime=0<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
base="cn=admin-serv-masterA, cn=Fedora
Administration Server, cn=Server Group, cn=<a
moz-do-not-send="true"
href="http://masterA.sub.domain.biz"
target="_blank">masterA.sub.domain.biz</a>, ou=<a
moz-do-not-send="true"
href="http://sub.domain.biz" target="_blank">sub.domain.biz</a>,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT
err=0 tag=101 nentries=24 etime=0<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH
base="cn=slapd-masterA, cn=Fedora Directory
Server, cn=Server Group, cn=<a
moz-do-not-send="true"
href="http://masterA.sub.domain.biz"
target="_blank">masterA.sub.domain.biz</a>, ou=<a
moz-do-not-send="true"
href="http://sub.domain.biz" target="_blank">sub.domain.biz</a>,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT
err=0 tag=101 nentries=13 etime=0<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH
base="cn=Fedora Directory Server, cn=Server Group,
cn=<a moz-do-not-send="true"
href="http://masterA.sub.domain.biz"
target="_blank">masterA.sub.domain.biz</a>, ou=<a
moz-do-not-send="true"
href="http://sub.domain.biz" target="_blank">sub.domain.biz</a>,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT
err=0 tag=101 nentries=17 etime=0<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH
base="cn=Fedora Administration Server, cn=Server
Group, cn=<a moz-do-not-send="true"
href="http://masterA.sub.domain.biz"
target="_blank">masterA.sub.domain.biz</a>, ou=<a
moz-do-not-send="true"
href="http://sub.domain.biz" target="_blank">sub.domain.biz</a>,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT
err=0 tag=101 nentries=24 etime=0<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND<br>
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71
closed - U1<br>
<br>
<br>
access from master A for 'cn=Directory Manager'
bind:<br>
<br>
[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68
slot=68 connection from 10.10.10.24 to 10.10.10.24<br>
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
dn="cn=admin-serv-masterA, cn=Fedora
Administration Server, cn=Server Group, cn=<a
moz-do-not-send="true"
href="http://masterA.sub.domain.biz"
target="_blank">masterA.sub.domain.biz</a>, ou=<a
moz-do-not-send="true"
href="http://sub.domain.biz" target="_blank">sub.domain.biz</a>,
o=NetscapeRoot" method=128 version=3<br>
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT
err=0 tag=97 nentries=0 etime=0
dn="cn=admin-serv-masterA,cn=fedora administration
server,cn=server group,cn=<a
moz-do-not-send="true"
href="http://masterA.sub.domain.biz"
target="_blank">masterA.sub.domain.biz</a>,ou=<a
moz-do-not-send="true"
href="http://sub.domain.biz" target="_blank">sub.domain.biz</a>,o=netscaperoot"<br>
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND
dn="cn=Directory Manager" method=128 version=3<br>
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT
err=0 tag=97 nentries=0 etime=0 dn="cn=directory
manager"<br>
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND<br>
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68
closed - U1<br>
<br>
<br>
These are from master A where logging in as either
works fine. It looks like I need to configure
o=netscaperoot on master B somehow?<br>
<br>
thanks,<br>
<br>
Herb<br>
<br>
<br>
<br>
<div class="gmail_quote">On Mon, Apr 23, 2012 at
1:13 PM, Mark Reynolds <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mareynol@redhat.com"
target="_blank">mareynol@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Herb,<br>
<br>
Do you know which server is hosting the
config data for the
console (o=netscaperoot)? If you do, please
provide the access log output showing the
"cn=directory manager" and "admin" binds.
It might not hurt to restart the admin
server.<br>
<br>
Thanks,<br>
Mark <br>
<div>
<div> <br>
<br>
<br>
On 04/23/2012 04:06 PM, Herb Burnswell
wrote: </div>
</div>
<blockquote type="cite">
<div>
<div>Hi All,<br>
<br>
After re-initialization of a dual
master server I now cannot log into
the directory management console as
cn=Directory Manager. I receive the
error:<br>
<br>
Cannot logon because of an incorrect
user id, incorrect password, or
Directory problem.<br>
httpException:<br>
Resoponse: HTTP/1.1 401 Unauthorized<br>
Status: 401<br>
URL: <a moz-do-not-send="true"
href="http://url/admin-serv/authenticate"
target="_blank">http://url/admin-serv/authenticate</a><br>
<br>
I know the password is correct as I
can drop into an ldapmodify session
with ./ldapmodify -D "cn=Directory
Manager" -w &lt;passwd&gt; without
error.<br>
<br>
I've seen a few inquiries about this
issue around the web but nothing to
resolve the issue. I see the
following in
/opt/fedora-ds/admin-serv/logs/error:<br>
<br>
security (27749): for host
&lt;hostname&gt; trying to GET
/admin-serv/authenticate, basic-ncsa
reports: user cn=Directory Manager
does not exist in pwfile
/opt/fedora-ds/admin-serv/config/admpw<br>
<br>
It is correct that there is not a line
for cn=Directory Manager in admpw, but
it is not located in the admpw file on
the other dual master and I can log
into its management console as
cn=Directory Manager without error.
They both just contain a line for user
'admin'.<br>
<br>
When I try to log in as 'admin' (works
fine on other dual master) I receive:<br>
<br>
cannot connect to the directory
server:<br>
netscape.ldap.LDAPException: error
result (32) matchedDN = ou
=&lt;domain&gt;,o=netscaperoot; no
such object<br>
<br>
Is there something else that I need to
do after re-initialization? Any
guidance is greatly appreciated.<br>
<br>
Thanks in advance,<br>
<br>
Herb<br>
<br>
<br>
<br>
<br>
</div>
</div>
<span><font color="#888888">
<pre>--
389 users mailing list
<a moz-do-not-send="true" href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>
<a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a></pre>
</font></span></blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
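Added example (not part of the original thread, and not 389 Directory Server code): a small Python parser that pairs each BIND in an access log with its RESULT by conn/op and reports the client address and LDAP result code, which separates the err=32 (bind entry does not exist) seen on master B from a wrong-password err=49. The sample lines are re-joined from the excerpts in this thread; the conn=200 bind, the address 10.10.10.99 and the function names are constructed for illustration.

```python
import re

# Constructed sample: lines re-joined from the access-log excerpts in this thread,
# plus one invented wrong-password bind (conn=200 from 10.10.10.99) for contrast.
SAMPLE_LOG = '''\
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=200 fd=70 slot=70 connection from 10.10.10.99 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=200 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:09:23 -0700] conn=200 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from 10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$')
BIND_RESPONSE_TAG = "97"   # LDAP BindResponse; search results carry tag=101
ERR_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}

def bind_outcomes(log_text):
    """Pair every BIND with its RESULT by (conn, op) and attach the client IP."""
    clients, pending, outcomes = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        key, rest = (m["conn"], m["op"]), m["rest"]
        if m["op"] is None:                      # connection line carries no op=
            c = re.search(r'connection from (\S+) to ', rest)
            if c:
                clients[m["conn"]] = c.group(1)
        elif rest.startswith("BIND "):
            dn = re.search(r'dn="([^"]*)"', rest)
            pending[key] = dn.group(1) if dn else ""
        elif rest.startswith("RESULT ") and key in pending:
            r = re.search(r'err=(\d+) tag=(\d+)', rest)
            if r and r.group(2) == BIND_RESPONSE_TAG:
                err = int(r.group(1))
                outcomes.append({"ts": m["ts"], "client": clients.get(m["conn"]),
                                 "dn": pending.pop(key), "err": err,
                                 "meaning": ERR_NAMES.get(err, "other")})
    return outcomes

def failed_binds(log_text):
    """Non-zero bind results: err=32 means the bind entry is missing, err=49 a bad password."""
    return [o for o in bind_outcomes(log_text) if o["err"] != 0]

if __name__ == "__main__":
    for o in failed_binds(SAMPLE_LOG):
        print(f'{o["ts"]} {o["client"]} err={o["err"]} ({o["meaning"]}) dn="{o["dn"]}"')
```
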
</body>
</html>