[Fedora-directory-users] Can't create users, time for complete wipe and re-install?

Rich Megginson rmeggins at redhat.com
Wed Jan 23 18:28:13 UTC 2008


Listbox wrote:
> Thanks so much!
> Now I'm looking in
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see
> what I might do to fix things. 
>   
If you are using Fedora DS 1.1 I suggest you use this instead - 
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html
> Here is the output from the commands you suggested. At least I can tell one
> is bigger than the other :)
>   
The console admin user created during setup is uid=admin, 
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot.  You should 
look at the acis which have this user as the subject (e.g. anything with 
userdn="uid=admin, ou=Administrators, ou=TopologyManagement, 
o=NetscapeRoot" in it).  What's odd is that I don't see any acis in 
dc=hymesruzicka, dc=org to grant this user access.  setup-ds-admin.pl 
should have created them.

There is also a group created for console admins and this group is 
granted access just like for the above user.  However, this will not 
work for remote instances (instances which do not have the real 
o=NetscapeRoot on them - the console uses pass through authentication on 
instances without o=NetscapeRoot, and group evaluation does not work 
remotely).  This is the groupdn="ldap:///cn=Configuration 
Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot".  So 
this group aci only works on the server which hosts o=NetscapeRoot.  I 
don't see any acis for this group in dc=hymesruzicka, dc=org either, 
which is odd.

There is another local administrative group created by setup on each 
instance for the local suffix - groupdn = "ldap:///cn=Directory 
Administrators, dc=hymesruzicka, dc=org" - setup-ds-admin.pl will create 
an ACI for this group.  The actual group entry is not created by 
default, so if you want to use this you will need to create the group 
entry cn=Directory Administrators, dc=hymesruzicka, dc=org and add users 
to it.

Also check the acis on the configuration entries cn=config, cn=schema 
and cn=monitor:
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=config "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=schema "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=monitor "aci=*" aci

setup-ds-admin.pl is supposed to create acis for uid=admin, 
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot and the group 
cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, 
o=NetscapeRoot
> ldapsearch -x -D "cn=directory manager" -w mypassword -b o=netscaperoot "aci=*" aci
> # extended LDIF
> #
> # LDAPv3
> # base <o=netscaperoot> with scope subtree
> # filter: aci=*
> # requesting: aci 
> #
>
> # NetscapeRoot
> dn: o=NetscapeRoot
> aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator Group modification"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="uniquemember";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # TopologyManagement, NetscapeRoot
> dn: ou=TopologyManagement, o=NetscapeRoot
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)
>
> # Global Preferences, hymesruzicka.org, NetscapeRoot
> dn: ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "Enable anonymous access"; allow(read,search) userdn="ldap:///anyone";)
>
> # UserPreferences, hymesruzicka.org, NetscapeRoot
> dn: ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr = "*")(version 3.0; acl "Allow saving of User Preferences"; allow (add) userdn = "ldap:///all";)
>
> # uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
> dn: ou="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)
>
> # cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
> dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)
>
> # Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
> dn: cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
> aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # PublicViews, 1.1, Admin, Global Preferences, hymesruzicka.org, NetscapeRoot
> dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to Save Public Views"; allow (all) userdn = "ldap:///all";)
>
> # slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
> dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
> aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # configuration, slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
> dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
> dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)
>
> # cn\3DDirectory Manager, UserPreferences, hymesruzicka.org, NetscapeRoot
> dn: ou="cn=Directory Manager",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)
>
> # Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
> dn: cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
> dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
> aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # configuration, admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
> dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access configuration"; allow (read, search) groupdn="ldap:///cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
> aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DnetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
> dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
> aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 17
> # numEntries: 16
>
>
> ldapsearch -x -D "cn=directory manager" -w anotherpassword -b "dc=hymesruzicka,dc=org" "aci=*" aci
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=hymesruzicka,dc=org> with scope subtree
> # filter: aci=*
> # requesting: aci 
> #
>
> # hymesruzicka.org
> dn: dc=hymesruzicka, dc=org
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
> aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
> aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=org");)
>
> # People, hymesruzicka.org
> dn: ou=People, dc=hymesruzicka, dc=org
> aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=hymesruzicka, dc=org");)
> aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=hymesruzicka, dc=org");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
>   
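Rich's advice above is to look for the acis whose subject (the userdn or groupdn bind rule) is the console admin user or the Configuration Administrators group. As an added example, not code from this thread or from Fedora DS, here is a small Python script that unfolds the LDIF that ldapsearch prints and reports, per entry, the ACIs naming a given subject. The LDIF in SAMPLE_LDIF is constructed, and dc=example,dc=com is a placeholder suffix.

```python
import re
# Constructed sample in the shape ldapsearch prints: a comment line, then aci
# values folded across lines (each continuation line starts with one space).
SAMPLE_LDIF = """\
# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator Gro
 up modification"; allow (all) groupdn="ldap:///cn=Configuration Administrator
 s, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)

dn: dc=example, dc=com
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow
  (all) (groupdn = "ldap:///cn=Directory Administrators, dc=example, dc=com");)
"""
BIND_RULE = re.compile(r'\b(userdn|groupdn)\s*=\s*"ldap:///([^"]*)"', re.I)
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.I)

def unfold_ldif(text):
    """Join LDIF continuation lines onto the line they extend; drop comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849: the single leading space is folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def normalize_dn(dn):
    # Comparison form: lowercase, no whitespace around the RDN separators.
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_acis(text):
    """Map each entry DN (normalized) to the list of aci values it carries."""
    entries, current = {}, None
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            current = normalize_dn(value)
        elif attr.lower() == "aci" and current is not None:
            entries.setdefault(current, []).append(value.strip())
    return entries

def acis_for_subject(entries, subject):
    """{entry DN: [acl names]} for ACIs whose userdn/groupdn names `subject`."""
    want, hits = normalize_dn(subject), {}
    for dn, acis in entries.items():
        for aci in acis:
            if any(normalize_dn(s) == want for _, s in BIND_RULE.findall(aci)):
                hits.setdefault(dn, []).append(m.group(1) if (m := ACL_NAME.search(aci)) else aci)
    return hits
```

An empty result for uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot is exactly the situation Rich describes: no aci under the suffix grants that subject anything.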

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20080123/ac2273f2/attachment.bin>

