well hello all, seems I'm having this problem myself....fresh install,
and when I go to the configuration tab of the 389-console it tells me:
"The user
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does
not have permission to perform this operation."
When I click ok, a box appears asking for DN/pass. If I put the
password in the box...it continues on with no errors (thus the "mind
annoyance"). Then again, if I just click "ok" and then "cancel"
(meaning, I don't put in new credentials) the config tab works then
too. I don't actually see in the logs either what it is that I'm not
being allowed to do, it seems to just be a superfluous re-prompting
for the password. On a lark, I tried putting in the /wrong/
password...which it did indeed not like, telling me "invalid
credentials." Clicked ok, then cancel...and I'm able to access the
configuration tab even after putting in the wrong pass and not
correcting it. I'm assuming it is just using the original credentials
that should have prevented the initial error in the first place, even
though I tried putting in new credentials...
Again, fresh install, on a fresh build of Fedora14. I am tunneling
the console, but that shouldn't matter (?). Is this just a bug in
389-console? Should I open a ticket?

Sure. It's really not a permissions issue, it was caused by a bug fix
to 1.2.7

I'm going to continue past it, since it...doesn't seem to be stopping
me from doing anything. I'm using the standard repos, everything is
current:

Right. It is annoying and should not stop you from doing anything.
389-admin-console-1.1.5-1.fc14.noarch
389-admin-console-doc-1.1.5-1.fc14.noarch
389-adminutil-1.1.13-1.fc14.x86_64
389-admin-1.1.13-2.fc14.x86_64
389-ds-console-1.2.3-1.fc14.noarch
389-ds-console-doc-1.2.3-1.fc14.noarch
389-console-1.1.4-1.fc14.noarch
389-ds-base-1.2.7.5-1.fc14.x86_64
389-dsgw-1.1.6-1.fc14.x86_64
389-ds-1.2.1-1.fc14.noarch
Did I miss the response about what might have been causing this?
Brian
On Wed, Dec 1, 2010 at 4:00 AM, trisooma <trisooma(a)xs4all.nl> wrote:
> On 11/30/2010 04:33 PM, trisooma wrote:
>>> On 11/30/2010 02:32 PM, Trisooma wrote:
>>>> On 11/30/2010 10:23 PM, Rich Megginson wrote:
>>>>> On 11/30/2010 02:20 PM, trisooma wrote:
>>>>>> If I am reading the code correctly (and looking at the logging
>>>>>> below), the line that has a severity of 'crit' should dump info
>>>>>> for the ldap server we are connecting to.
>>>>>> In my case (and Eric's too) only 'ldap://:389' is printed;
>>>>>> sometimes even with an odd number like 23395496 (see Eric's first
>>>>>> post).
>>>>>>
>>>>>> [Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
>>>>>> [Tue Nov 30 22:01:43 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
>>>>>> [Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
>>>>>> [Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
>>>>>> [Tue Nov 30 22:01:44 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
>>>>>>
>>>>>> The code that logs this error looks like this
>>>>>> [mod_admserv/mod_admserv.c:517]
>>>>>>
>>>>>>     ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
>>>>>>                  "openLDAPConnection(): util_ldap_init failed for ldap%s://%s:%d",
>>>>>>                  data->secure ? "s" : "",
>>>>>>                  data->host, data->port);
>>>>>>
>>>>>> It seems that the struct 'data' is not filled with the correct
>>>>>> values.
>>>>> That's why I asked for your /etc/dirsrv/admin-serv/adm.conf -
>>>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012548.html
>>>> My bad, see
>>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012551.html
>>> First, upgrade to the latest versions of these components from the
>>> testing repo
>>> yum upgrade --enablerepo=updates-testing 389-admin 389-ds-base 389-adminutil
>>>
>>> Then, run
>>> setup-ds-admin.pl -u
>>>
>>> Then try
>>>
>>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
>>>
>>> and
>>>
>>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
>>>
>> Using the above I can confirm that I can now use the console to log in
>> and administer my DS (though I had to remove selinux-policy-targeted).
>> The command 'setup-ds-admin.pl -u' ran without a hitch.
>>
>> the results of both ldap queries are below:
>>
>> [root@icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
>> Enter LDAP Password:
>> dn: cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma
>>  .nl,o=NetscapeRoot
>> nsBuildSecurity: domestic
>> objectClass: top
>> objectClass: nsApplication
>> objectClass: groupOfUniqueNames
>> cn: 389 Administration Server
>> nsVendor: 389 Project
>> installationTimeStamp: 20101124210830Z
>> nsBuildNumber: 2010.328.157
>> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Grou
>>  p,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
>> nsServerMigrationClassname: com.netscape.management.admserv.AdminServerProduct
>>  @389-admin-1.1.jar
>> nsProductName: 389 Administration Server
>> nsProductVersion: 1.1.13
>> nsNickName: admin
>>
>> [root@icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
>> Enter LDAP Password:
>> dn: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicl
>>  e.phasma.nl,ou=phasma.nl,o=NetscapeRoot
>> objectClass: top
>> objectClass: netscapeServer
>> objectClass: nsAdminServer
>> objectClass: nsResourceRef
>> objectClass: groupOfUniqueNames
>> serverHostName: icicle.phasma.nl
>> cn: admin-serv-icicle
>> installationTimeStamp: 20101124210830Z
>> serverProductName: Administration Server
>> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Grou
>>  p,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
>> nsServerID: admin-serv
>>
>> I proceeded to restart dirsrv-admin, and the log now looks like this:
>>
>> [Tue Nov 30 23:59:20 2010] [notice] Access Host filter is: *.phasma.nl
>> [Tue Nov 30 23:59:20 2010] [notice] Access Address filter is: *
>> [Tue Nov 30 23:59:21 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
>> [Tue Nov 30 23:59:21 2010] [notice] Access Host filter is: *.phasma.nl
>> [Tue Nov 30 23:59:21 2010] [notice] Access Address filter is: *
>> [Wed Dec 01 00:00:17 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
>> [Wed Dec 01 00:00:18 2010] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
>> [Wed Dec 01 00:00:33 2010] [notice] [client 192.168.134.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.134.10
>> [Wed Dec 01 00:00:33 2010] [error] [client 192.168.134.10] File does not exist: /usr/share/dirsrv/html/java/jars
> This should be ok - it should fall back to /usr/share/dirsrv/html/java
>> Still some errors are visible in the logfile,
> The one marked [error] above, or are there others? [notice] messages
> are ok.
No, this is the only one marked as error.
>> but I can log in and add users/groups using the console. When I
>> navigate to 'Directory Server' > 'Configuration' I get the following
>> error message:
>> 'Insufficient Permissions': The user
>> uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does
>> not have permission to perform this operation.
>> When I enter the correct credentials, it seems that everything is
>> working as it is supposed to.
> "correct credentials"?
the password that is set for uid=admin,.......; This is only a minor
annoyance, however it does seem strange that I am asked for the password
again.
>> The log complains about not being able to do a reverse lookup on
>> 192.168.134.10, but this seems wrong (DNS works both ways):
> Yes. See /etc/dirsrv/admin-serv/console.conf - HostnameLookups
ok, got it.
>> [shadowuser@icicle ~]$ host 192.168.134.10
>> 10.134.168.192.in-addr.arpa domain name pointer icicle.phasma.nl.
>> [shadowuser@icicle ~]$ host icicle.phasma.nl
>> icicle.phasma.nl has address 192.168.134.10
>>
>> Thanks for your patience,
>>
>> Regards,
>>
>> Trisooma
>>
>>
>>
>>>>>> BTW. this code was taken from 389-admin-1.1.12.a2
>>>>>>
>>>>>> I hope this helps,
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Trisooma
>>>>>>
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users(a)lists.fedoraproject.org
>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
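
The log reading done earlier in this thread (a `[crit] openLDAPConnection(): util_ldap_init failed for ldap://:389` entry means `data->host` was empty when the message was formatted), as an added example that is not part of the original messages or of the 389 project's code. The function name and the last two sample log lines are constructed for illustration.

```python
import re

# Apache 2.2 error-log entry: [timestamp] [level] message
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Message format taken from the ap_log_error() call quoted in the thread.
FAILED = re.compile(
    r"openLDAPConnection\(\): util_ldap_init failed for "
    r"(?P<scheme>ldaps?)://(?P<host>[^:/\s]*):(?P<port>-?\d+)"
)

# Sample input: the first four entries are the thread's log lines, unwrapped.
# The last two are constructed: one with the "odd number" port the thread
# mentions, one with a fully populated target (a plain connection failure).
SAMPLE_LOG = """\
[Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
[Tue Nov 30 22:01:43 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
[Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
[Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
[Tue Nov 30 22:05:00 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:23395496
[Tue Nov 30 22:06:00 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://icicle.phasma.nl:389
"""


def triage(log_text):
    """Return one finding per failed connection whose target looks unset."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        failed = entry and FAILED.search(entry["msg"])
        if not failed:
            continue
        problems = []
        if not failed["host"]:
            problems.append("empty host")
        if not 1 <= int(failed["port"]) <= 65535:
            problems.append("port out of range")
        if problems:  # a well-formed target is a network issue, not config
            findings.append({
                "time": entry["ts"],
                "target": f'{failed["scheme"]}://{failed["host"]}:{failed["port"]}',
                "problems": problems,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["target"], ", ".join(f["problems"]))
```

Findings with an empty host point at the admin server's own configuration rather than at the directory server, which is why the reply in the thread asks for `/etc/dirsrv/admin-serv/adm.conf`.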