One of the projects on my plate is to have a working backup of an existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and copied over the files that result from ns-slapd db2archive from the existing server to the new machine.
First off, I know nothing about LDAP or fedora-ds in particular :-)
After looking at the existing server and what I had after installing on the new server, I decided that running /usr/sbin/setup-ds-admin.pl was probably necessary. I went through, answering the questions as best I could (and figuring that the answers would be overwritten when I restored the backup). I got this:
[08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers?
[08/07/10:10:18:56] - [Setup] Info yes
[08/07/10:10:18:56] - [Setup] Info Creating directory server . . .
[08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' was successfully created.
[08/07/10:10:18:59] - [Setup] Info Creating the configuration directory server . . .
[08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP connection to host 'unix-services2.my.domain.com.com' port '389' as user 'cn=Directory Manager'. Error: unknown.
[08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration directory server
[08/07/10:10:22:08] - [Setup] Fatal Exiting . . . Log file is '/tmp/setupVSpvCl.log
Yes, that's two ".com"s. No idea why.
So, I stop the dirsrv process and try:
[root@localhost ~]# ns-slapd archive2db -D /etc/dirsrv/slapd-unix-services2 -a /var/lib/dirsrv/slapd-unix-services2/in
[10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
I have no idea what a NetscapeRoot is, why I would want one, or how I'd get it. Googling didn't help me... I found many references to "-0 netscaperoot", but that seems to be in reference to /etc/dirsrv/admin-serv/adm.conf which does not exist on my new server.
What is the easiest way for me to do this? Can I simply copy adm.conf (and other files? Which ones?) from the existing server? Or is there some mysterious problem about why the setup script couldn't contact the LDAP server which is to blame?
John Oliver wrote:
One of the projects on my plate is to have a working backup of an existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and copied over the files that result from ns-slapd db2archive from the existing server to the new machine.
First off, I know nothing about LDAP or fedora-ds in particular :-)
After looking at the existing server and what I had after installing on the new server, I decided that running /usr/sbin/setup-ds-admin.pl was probably necessary. I went through, answering the questions as best I could (and figuring that the answers would be overwritten when I restored the backup). I got this:
[08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers?
[08/07/10:10:18:56] - [Setup] Info yes
[08/07/10:10:18:56] - [Setup] Info Creating directory server . . .
[08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' was successfully created.
[08/07/10:10:18:59] - [Setup] Info Creating the configuration directory server . . .
[08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP connection to host 'unix-services2.my.domain.com.com' port '389' as user 'cn=Directory Manager'. Error: unknown.
[08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration directory server
[08/07/10:10:22:08] - [Setup] Fatal Exiting . . . Log file is '/tmp/setupVSpvCl.log
Yes, that's two ".com"s. No idea why.
Check /etc/hosts, /etc/nsswitch.conf, and /etc/resolv.conf, and check that against what you typed in as your hostname and what DNS resolves it to.
So, I stop the dirsrv process and try:
[root@localhost ~]# ns-slapd archive2db -D /etc/dirsrv/slapd-unix-services2 -a /var/lib/dirsrv/slapd-unix-services2/in
[10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
Don't use ns-slapd archive2db directly - use the scripts in /usr/lib/dirsrv/slapd-instance (db2bak, bak2db, etc.) instead.
I have no idea what a NetscapeRoot is, why I would want one, or how I'd get it. Googling didn't help me... I found many references to "-0 netscaperoot", but that seems to be in reference to /etc/dirsrv/admin-serv/adm.conf which does not exist on my new server.
What is the easiest way for me to do this? Can I simply copy adm.conf (and other files? Which ones?) from the existing server? Or is there some mysterious problem about why the setup script couldn't contact the LDAP server which is to blame?
I have managed to get the Fedora Directory server console loaded and running, and when I go to the directory tab I see manage password policy. But when I select it, the window pops up and quickly clears to a blank window. Does anyone know how I can get an export of the current password policy? Or even a screen shot at this point that is not blank. (I am connecting to the server through VNC)
Doug Mallory
Mallory, Doug (TPUSA) wrote:
I have managed to get the Fedora Directory server console loaded and running, and when I go to the directory tab I see manage password policy. But when I select it, the window pops up and quickly clears to a blank window.
This bug is very difficult to reproduce. Can you reproduce it by running fedora-idm-console -D 9 -f console.log, edit console.log to remove any sensitive data, then email me the log?
Does anyone know how I can get an export of the current password policy?
You had sent out a previous email with the list of attributes. The list from the current schema is correct - looks like the admin guide doesn't have the new ones. The others are documented here - http://directory.fedoraproject.org/wiki/Password_Syntax
Or even a screen shot at this point that is not blank. (I am connecting to the server through VNC)
Doug Mallory
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
anyone know how I can get an export of the current password policy?
You had sent out a previous email with the list of attributes. The list from the current schema is correct - looks like the admin guide doesn't have the new ones. The others are documented here - http://directory.fedoraproject.org/wiki/Password_Syntax
Or
I can see the schema, I just need to see what the current settings are or export them to a flat file and can give the auditors. (ldif would work)
Doug
Mallory, Doug (TPUSA) wrote:
anyone know how I can get an export of the current password policy?
You had sent out a previous email with the list of attributes. The list from the current schema is correct - looks like the admin guide doesn't have the new ones. The others are documented here - http://directory.fedoraproject.org/wiki/Password_Syntax
Or
I can see the schema, I just need to see what the current settings are or export them to a flat file and can give the auditors. (ldif would work)
ldapsearch -s base -b cn=config
then just grab those attributes from the LDIF output
Doug
Using this command it returns nothing:
ldapsearch -s dc=twi,dc=dom -b cn=config
Doug
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich Megginson Sent: Thursday, July 10, 2008 9:29 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Getting closer getting apassword policyexport
Mallory, Doug (TPUSA) wrote:
anyone know how I can get an export of the current password policy?
You had sent out a previous email with the list of attributes. The list from the current schema is correct - looks like the admin guide doesn't have the new ones. The others are documented here - http://directory.fedoraproject.org/wiki/Password_Syntax
Or
I can see the schema, I just need to see what the current settings are or export them to a flat file and can give the auditors. (ldif would work)
ldapsearch -s base -b cn=config
then just grab those attributes from the LDIF output
Doug
Mallory, Doug (TPUSA) wrote:
Using this command it returns nothing:
ldapsearch -s dc=twi,dc=dom -b cn=config
You have to authenticate as a privileged user - try
ldapsearch -x -D "cn=directory manager" -w thepassword -s base -b "cn=config" "objectclass=*"
This is what I have now and it does not like the syntax.
ldapsearch -x -D "cn=directory manager" -w LDSPASSWORD! -s dc=twi,dc=dom -b cn=config "objectclass=*"
Doug Mallory, CISM, CISSP
Sr Network Security Engineer
Cell 859-420-5609
Office 859-514-4833
Fax 859-514-5833
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich Megginson Sent: Monday, July 14, 2008 9:01 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Getting closergetting apassword policyexport
Mallory, Doug (TPUSA) wrote:
Using this command it returns nothing:
ldapsearch -s dc=twi,dc=dom -b cn=config
You have to authenticate as a privileged user - try
ldapsearch -x -D "cn=directory manager" -w thepassword -s base -b "cn=config" "objectclass=*"
Mallory, Doug (TPUSA) wrote:
This is what I have now and it does not like the syntax.
ldapsearch -x -D "cn=directory manager" -w LDSPASSWORD! -s dc=twi,dc=dom -b cn=config "objectclass=*"
Ah, I see - when I say "-s base" I mean that literally, not "-s <your base suffix>"
That got what I was looking for. Thanks!
Doug Mallory
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Rich Megginson Sent: Monday, July 14, 2008 10:23 AM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users]Getting closergetting apassword policyexport
Mallory, Doug (TPUSA) wrote:
This is what I have now and it does not like the syntax.
ldapsearch -x -D "cn=directory manager" -w LDSPASSWORD! -s dc=twi,dc=dom -b cn=config "objectclass=*"
Ah, I see - when I say "-s base" I mean that literally, not "-s <your base suffix>"
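[Added example, not part of the original thread and not project code: one way to "grab those attributes from the LDIF output" of the cn=config search discussed above. It assumes the OpenLDAP ldapsearch client; the function names, the sample LDIF and the "attribute name starts with password" filter are this example's own assumptions.]

```shell
#!/bin/sh
# Added example: keep only the password policy settings from the LDIF that
# "ldapsearch -s base -b cn=config" returns.

# Constructed sample LDIF (not output from a real server). The folded
# passwordStorageScheme value exercises LDIF line continuation.
SAMPLE_LDIF='# constructed sample
dn: cn=config
objectClass: top
nsslapd-port: 389
passwordMinLength: 8
passwordStorageScheme: SS
 HA
passwordLockout: on
nsslapd-accesslog: /var/log/dirsrv/slapd-example/access
passwordMaxFailure: 3'

# Read LDIF on stdin; print the dn line and every attribute whose name starts
# with "password" (a case-insensitive prefix match, assumed by this example).
pwpolicy_from_ldif() {
  awk '
    function emit(line) {
      if (tolower(line) ~ /^(dn:|password)/) print line
    }
    /^ / { buf = buf substr($0, 2); next }      # continuation: join to previous line
         { if (buf != "") emit(buf); buf = $0 } # new logical line: flush the old one
    END  { if (buf != "") emit(buf) }
  '
}

# Hypothetical wrapper: $1 = LDAP URI, $2 = output file.
# -W prompts for the bind password instead of taking it on the command line,
# and umask 077 keeps the exported file readable by its owner only.
export_pwpolicy() {
  ( umask 077
    ldapsearch -x -LLL -H "$1" -D "cn=directory manager" -W \
      -s base -b "cn=config" "objectclass=*" | pwpolicy_from_ldif > "$2" )
}

# Run the filter over the constructed sample.
printf '%s\n' "$SAMPLE_LDIF" | pwpolicy_from_ldif
```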
Mallory, Doug (TPUSA) wrote:
I have managed to get the Fedora Directory server console loaded and running, and when I go to the directory tab I see manage password policy. But when I select it, the window pops up and quickly clears to a blank window. Does anyone know how I can get an export of the current password policy? Or even a screen shot at this point that is not blank. (I am connecting to the server through VNC)
Try expanding the dialog window to the right. I've seen something similar before with specific JREs where the dialog is smaller than the contents, so it displays nothing.
Doug Mallory
I have installed the console on my Winders workstation and pointed it to the server on port 1500. I can log into the console but I don't see the servers and applications like I see running it from the server. Am I missing a step?
I was hoping running it from my workstation I could see the panel.
Doug Mallory
-----Original Message----- From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Nathan Kinder Sent: Thursday, July 10, 2008 7:34 PM To: General discussion list for the Fedora Directory server project. Subject: Re: [Fedora-directory-users] Getting closer getting a password policyexport
Mallory, Doug (TPUSA) wrote:
I have managed to get the Fedora Directory server console loaded and running, and when I go to the directory tab I see manage password policy. But when I select it, the window pops up and quickly clears to a blank window. Does anyone know how I can get an export of the current password policy? Or even a screen shot at this point that is not blank. (I am connecting to the server through VNC)
Try expanding the dialog window to the right. I've seen something similar before with specific JREs where the dialog is smaller than the contents, so it displays nothing.
Doug Mallory
On Thu, Jul 10, 2008 at 01:40:25PM -0600, Rich Megginson wrote:
John Oliver wrote:
One of the projects on my plate is to have a working backup of an existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and copied over the files that result from ns-slapd db2archive from the existing server to the new machine.
First off, I know nothing about LDAP or fedora-ds in particular :-)
After looking at the existing server and what I had after installing on the new server, I decided that running /usr/sbin/setup-ds-admin.pl was probably necessary. I went through, answering the questions as best I could (and figuring that the answers would be overwritten when I restored the backup). I got this:
[08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers?
[08/07/10:10:18:56] - [Setup] Info yes
[08/07/10:10:18:56] - [Setup] Info Creating directory server . . .
[08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' was successfully created.
[08/07/10:10:18:59] - [Setup] Info Creating the configuration directory server . . .
[08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP connection to host 'unix-services2.my.domain.com.com' port '389' as user 'cn=Directory Manager'. Error: unknown.
[08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration directory server
[08/07/10:10:22:08] - [Setup] Fatal Exiting . . . Log file is '/tmp/setupVSpvCl.log
Yes, that's two ".com"s. No idea why.
Check /etc/hosts, /etc/nsswitch.conf, and /etc/resolv.conf, and check that against what you typed in as your hostname and what DNS resolves it to.
All are correct. /etc/hosts has the correct FQDN as well as hostname. /etc/resolv.conf is pointed to two working DNS servers. And /etc/nsswitch.conf has "hosts: files dns"
Is there a way to tell it to remove the problematic stuff and try to set up again?
So, I stop the dirsrv process and try:
[root@localhost ~]# ns-slapd archive2db -D /etc/dirsrv/slapd-unix-services2 -a /var/lib/dirsrv/slapd-unix-services2/in
[10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
Don't use ns-slapd archive2db directly - use the scripts in /usr/lib/dirsrv/slapd-instance (db2bak, bak2db, etc.) instead.
[root@unix-services2 ~]# /usr/lib/dirsrv/slapd-unix-services2/bak2db /var/lib/dirsrv/slapd-unix-services2/in/
[10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
[root@unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/
DBVERSION dse_instance.ldif NetscapeRoot dse_index.ldif log.0000000076 userRoot
John Oliver wrote:
On Thu, Jul 10, 2008 at 01:40:25PM -0600, Rich Megginson wrote:
John Oliver wrote:
One of the projects on my plate is to have a working backup of an existing fedora-ds server. I installed fedora-ds under CentOS 5.2 and copied over the files that result from ns-slapd db2archive from the existing server to the new machine.
First off, I know nothing about LDAP or fedora-ds in particular :-)
After looking at the existing server and what I had after installing on the new server, I decided that running /usr/sbin/setup-ds-admin.pl was probably necessary. I went through, answering the questions as best I could (and figuring that the answers would be overwritten when I restored the backup). I got this:
[08/07/10:10:18:52] - [Setup] Info Are you ready to set up your servers?
[08/07/10:10:18:56] - [Setup] Info yes
[08/07/10:10:18:56] - [Setup] Info Creating directory server . . .
[08/07/10:10:18:59] - [Setup] Info Your new DS instance 'unix-services2' was successfully created.
[08/07/10:10:18:59] - [Setup] Info Creating the configuration directory server . . .
[08/07/10:10:22:08] - [Setup] Fatal Error: failed to open an LDAP connection to host 'unix-services2.my.domain.com.com' port '389' as user 'cn=Directory Manager'. Error: unknown.
[08/07/10:10:22:08] - [Setup] Fatal Failed to create the configuration directory server
[08/07/10:10:22:08] - [Setup] Fatal Exiting . . . Log file is '/tmp/setupVSpvCl.log
Yes, that's two ".com"s. No idea why.
Check /etc/hosts, /etc/nsswitch.conf, and /etc/resolv.conf, and check that against what you typed in as your hostname and what DNS resolves it to.
All are correct. /etc/hosts has the correct FQDN as well as hostname. /etc/resolv.conf is pointed to two working DNS servers. And /etc/nsswitch.conf has "hosts: files dns"
Is there a way to tell it to remove the problematic stuff and try to set up again?
When you run setup-ds-admin.pl, and it asks you for the hostname, does it have the correct hostname or the bogus one? If you specify the correct hostname at the dialog prompt, it will use the correct one throughout.
So, I stop the dirsrv process and try:
[root@localhost ~]# ns-slapd archive2db -D /etc/dirsrv/slapd-unix-services2 -a /var/lib/dirsrv/slapd-unix-services2/in
[10/Jul/2008:11:05:39 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:11:05:39 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
Don't use ns-slapd archive2db directly - use the scripts in /usr/lib/dirsrv/slapd-instance (db2bak, bak2db, etc.) instead.
[root@unix-services2 ~]# /usr/lib/dirsrv/slapd-unix-services2/bak2db /var/lib/dirsrv/slapd-unix-services2/in/
[10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
[root@unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/
DBVERSION dse_instance.ldif NetscapeRoot dse_index.ldif log.0000000076 userRoot
The backup was created in a server with both userRoot and NetscapeRoot, but you are attempting to restore it in a server that does not have NetscapeRoot. You need to create a root suffix called o=NetscapeRoot with an associated database called NetscapeRoot. You can do this in the console. http://tinyurl.com/595tyy
If you don't want NetscapeRoot at all, you could try exporting your old database to LDIF using db2ldif or db2ldif.pl, to get just the userRoot part (i.e. the suffix that you keep your real user&group data in).
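[Added example, not part of the original thread and not project code: a pre-restore check for the mismatch explained above, where the backup set contains a backend (here NetscapeRoot) that the target instance does not have configured. It assumes each backend appears as a subdirectory of the backup set, as in the ls output above, and as an unfolded "cn=<name>,cn=ldbm database,cn=plugins,cn=config" entry in the instance's dse.ldif; all function names and the fixture are constructed for illustration.]

```shell
#!/bin/sh
# Added example: before bak2db, list backends that exist in the backup set
# but are not configured in the target instance.

# Backends in a backup set are its subdirectories (userRoot, NetscapeRoot, ...).
backup_backends() {
  for d in "$1"/*/; do
    if [ -d "$d" ]; then basename "$d"; fi
  done
}

# True if dse.ldif ($1) has an ldbm backend entry named $2.
# Assumes the DN sits on one unfolded line, as it does for short backend names.
backend_configured() {
  grep -qixF "dn: cn=$2,cn=ldbm database,cn=plugins,cn=config" "$1"
}

# $1 = backup directory, $2 = target dse.ldif; prints one missing backend per line.
missing_backends() {
  backup_backends "$1" | while IFS= read -r be; do
    backend_configured "$2" "$be" || printf '%s\n' "$be"
  done
}

# Constructed fixture mirroring the thread: the backup holds userRoot and
# NetscapeRoot, the target instance only has userRoot configured.
demo_missing_backends() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/in/NetscapeRoot" "$tmp/in/userRoot"
  touch "$tmp/in/DBVERSION" "$tmp/in/dse_instance.ldif" "$tmp/in/dse_index.ldif"
  cat > "$tmp/dse.ldif" <<'EOF'
dn: cn=config
nsslapd-port: 389

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsslapd-suffix: dc=example,dc=com
EOF
  missing_backends "$tmp/in" "$tmp/dse.ldif"
  rm -rf "$tmp"
}

demo_missing_backends
```

[On the machine in this thread the call would be missing_backends /var/lib/dirsrv/slapd-unix-services2/in /etc/dirsrv/slapd-unix-services2/dse.ldif; empty output means every backend in the backup has a matching database on the target.]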
On Thu, Jul 10, 2008 at 04:18:28PM -0600, Rich Megginson wrote:
When you run setup-ds-admin.pl, and it asks you for the hostname, does it have the correct hostname or the bogus one? If you specify the correct hostname at the dialog prompt, it will use the correct one throughout.
I'm not sure... I can no longer run that script because...
Configuration directory server administrator ID [admin]:
Password:
Password (confirm):
Error: the server already exists at '/etc/dirsrv/slapd-unix-services2'
Please remove it first if you really want to recreate it, or use a different ServerIdentifier to create another instance.
When using Silent or Express mode, some of the dialogs are skipped, but validation is still performed on the default or given answers. You should run this program again and choose Typical or Custom mode in order to provide a valid input for the problem dialog.
Exiting . . .
I've tried to remove it, but
[root@unix-services2 ~]# /usr/sbin/ds_removal -s unix-services2 -w mypassword
Error:The server '' is not reachable. Error: unknown error
[10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
[root@unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/
DBVERSION dse_instance.ldif NetscapeRoot dse_index.ldif log.0000000076 userRoot
The backup was created in a server with both userRoot and NetscapeRoot, but you are attempting to restore it in a server that does not have NetscapeRoot. You need to create a root suffix called o=NetscapeRoot with an associated database called NetscapeRoot. You can do this in the console. http://tinyurl.com/595tyy
Unfortunately, I don't know what "o=NetscapeRoot" means. I see references to that all over the place. On the working server, there's a /etc/dirsrv/admin-serv/adm.conf file that contains that line, but I do not have an adm.conf on this new server.
Is there a way to back out of this without uninstalling fedora-ds? Make it completely forget about everything I've done so I can just start from scratch and try again?
Since I figured I was pretty well screwed anyway, I deleted /etc/dirsrv/slapd-unix-services2 and re-ran setup-ds-admin.pl. To my amazement, it was able to complete successfully! It went all the way through, created an adm.conf and other files, etc. I was able to log in to the web admin screen.
So, I ran /usr/lib/dirsrv/slapd-unix-services2/bak2db to restore the database I'd copied over. That looked very promising, but there were two points where it said it was deleting an attribute of unix-services2 and then adding one for unix-services, which is the other, live machine. After that, clicking on Fedora Administration Express gave me an error. I just went back to copy-and-paste it, but now I get an Internal Server Error, and /var/log/httpd is empty.
Since I seemed to make some progress, I stopped dirsrv, deleted /etc/dirsrv/slapd-unix-services2 and re-ran setup-ds-admin.pl. When it was done, I could get in to the admin interface again, only now it shows me slapd-unix-services and slapd-unix-services2. So, I'm not sure if that's progress or not.
I want to wind up with a working backup of slapd-unix-services so if that machine takes a crap, I can just bring up an interface with its IP address on slapd-unix-services2 and keep LDAP authentication working while I puzzle out what went wrong on the first server.
John Oliver wrote:
Since I figured I was pretty well screwed anyway, I deleted /etc/dirsrv/slapd-unix-services2 and re-ran setup-ds-admin.pl. To my amazement, it was able to complete successfully! It went all the way through, created an adm.conf and other files, etc. I was able to log in to the web admin screen.
So, I ran /usr/lib/dirsrv/slapd-unix-services2/bak2db to restore the database I'd copied over.
Unfortunately (for your case), when you do bak2db, it copies all of the databases - your user/group database (userRoot), and the console information database (NetscapeRoot). So if you restore it on your new instance . . .
That looked very promising, but there were two points where it said it was deleting an attribute of unix-services2 and then adding one for unix-services, which is the other, live machine. After that, clicking on Fedora Administration Express gave me an error.
. . . you wipe out the new information you just created with setup-ds-admin.pl
I just went back to copy-and-paste it, but now I get an Internal Server Error, and /var/log/httpd is empty.
/var/log/dirsrv/admin-serv - but it doesn't matter, because the restore from the other backup probably wiped out the information needed by the console.
Since I seemed to make some progress, I stopped dirsrv, deleted /etc/dirsrv/slapd-unix-services2
and /var/*/dirsrv/slapd-unix-services2, and /usr/lib/dirsrv/slapd-unix-services2, and /usr/lib64/dirsrv/slapd-unix-services2, and /var/log/dirsrv/admin-serv, and all files in /etc/dirsrv/admin-serv except for admserv.conf, httpd.conf, console.conf, and nss.conf
and re-ran setup-ds-admin.pl. When it was done, I could get in to the admin interface again, only now it shows me slapd-unix-services and slapd-unix-services2. So, I'm not sure if that's progress or not.
I want to wind up with a working backup of slapd-unix-services so if that machine takes a crap, I can just bring up an interface with its IP address on slapd-unix-services2 and keep LDAP authentication working while I puzzle out what went wrong on the first server.
Replication?
On Thu, Jul 10, 2008 at 07:29:03PM -0600, Rich Megginson wrote:
Replication?
For some reason, I thought that'd be more trouble to set up than what I was trying :-)
Is http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#pgfId-1027091 the best doc to use to learn more?
Thanks for all your help, Rich!
John Oliver wrote:
Is http://www.redhat.com/docs/manuals/dir-server/ag/replicat.htm#pgfId-1027091 the best doc to use to learn more?
I suggest using the 8.0 version of the guide instead - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/index.html
John Oliver wrote:
On Thu, Jul 10, 2008 at 04:18:28PM -0600, Rich Megginson wrote:
When you run setup-ds-admin.pl, and it asks you for the hostname, does it have the correct hostname or the bogus one? If you specify the correct hostname at the dialog prompt, it will use the correct one throughout.
I'm not sure... I can no longer run that script because...
Configuration directory server administrator ID [admin]:
Password:
Password (confirm):
Error: the server already exists at '/etc/dirsrv/slapd-unix-services2'
Please remove it first if you really want to recreate it, or use a different ServerIdentifier to create another instance.
When using Silent or Express mode, some of the dialogs are skipped, but validation is still performed on the default or given answers.
You should run this program again and choose Typical or Custom mode in order to provide a valid input for the problem dialog.
Exiting . . .
I've tried to remove it, but
[root@unix-services2 ~]# /usr/sbin/ds_removal -s unix-services2 -w mypassword
Error:The server '' is not reachable. Error: unknown error
Yep. This is a bug due to be fixed soon. In the meantime:
service dirsrv stop unix-services2
rm -rf /etc/dirsrv/slapd-unix-services2 /var/*/dirsrv/slapd-unix-services2* /usr/lib/dirsrv/slapd-unix-services2 /usr/lib64/dirsrv/slapd-unix-services2
rm -rf /var/log/dirsrv/admin-serv
remove all files from /etc/dirsrv/admin-serv except for httpd.conf, admserv.conf, console.conf, and nss.conf
[10/Jul/2008:14:56:40 -0700] - ERROR: target server has no NetscapeRoot configured
[10/Jul/2008:14:56:40 -0700] - archive2db: Failed to read backup file set. Either the directory specified doesn't exist, or it exists but doesn't contain a valid backup set, or file permissions prevent the server reading the backup set. error=53 (Invalid request descriptor)
[root@unix-services2 ~]# ls /var/lib/dirsrv/slapd-unix-services2/in/
DBVERSION dse_instance.ldif NetscapeRoot dse_index.ldif log.0000000076 userRoot
The backup was created in a server with both userRoot and NetscapeRoot, but you are attempting to restore it in a server that does not have NetscapeRoot. You need to create a root suffix called o=NetscapeRoot with an associated database called NetscapeRoot. You can do this in the console. http://tinyurl.com/595tyy
Unfortunately, I don't know what "o=NetscapeRoot" means. I see references to that all over the place. On the working server, there's a /etc/dirsrv/admin-serv/adm.conf file that contains that line, but I do not have an adm.conf on this new server.
Is there a way to back out of this without uninstalling fedora-ds? make it completely forget about everything I've done so I can just start from scratch and try again?
389-users@lists.fedoraproject.org
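The mismatch described in the thread (a backup set holding both userRoot and NetscapeRoot, restored into an instance that does not define all of them) can be checked before running archive2db or bak2db. The shell function below is an added example, not part of the thread or of fedora-ds; the function names, the sample suffix and the sample dse.ldif are constructed, and it assumes backend entries appear in dse.ldif as cn=<name>,cn=ldbm database,cn=plugins,cn=config.

```shell
#!/bin/sh
# Added example: list backends present in a backup set that the target
# instance does not define, before attempting a restore.

# missing_backends BACKUP_DIR DSE_LDIF
# Prints one missing backend name per line; returns 1 if any are missing.
# Assumes backend names are plain alphanumerics (no regex metacharacters).
missing_backends() {
    backup_dir=$1
    dse_ldif=$2
    missing=0
    for path in "$backup_dir"/*/; do
        [ -d "$path" ] || continue    # glob matched nothing
        name=$(basename "$path")
        # Assumed entry form: dn: cn=<name>,cn=ldbm database,cn=plugins,cn=config
        if ! grep -qi "^dn: *cn=$name, *cn=ldbm database, *cn=plugins, *cn=config *\$" "$dse_ldif"; then
            printf '%s\n' "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: the backup directory layout from the listing in the
# thread, plus a target dse.ldif that defines userRoot only.
make_sample() {
    sample=$(mktemp -d)
    mkdir -p "$sample/in/NetscapeRoot" "$sample/in/userRoot"
    touch "$sample/in/DBVERSION" "$sample/in/dse_instance.ldif" \
          "$sample/in/dse_index.ldif" "$sample/in/log.0000000076"
    cat > "$sample/dse.ldif" <<'EOF'
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsBackendInstance
cn: userRoot
nsslapd-suffix: dc=example,dc=com
EOF
    printf '%s\n' "$sample"
}
```

Call it as `missing_backends /var/lib/dirsrv/slapd-unix-services2/in /etc/dirsrv/slapd-unix-services2/dse.ldif`; the location of dse.ldif inside the instance's configuration directory is an assumption here.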