[Fedora-directory-users] Installing 2 MMR servers, and the aci's don't match after everything is setup

Ryan Braun [ADS] ryan.braun at ec.gc.ca
Wed Feb 18 21:25:46 UTC 2009


Hey guys, I'm setting up 2 MMR servers, and am wondering why the ACIs on both machines don't end up being the same. All of the replication and configuring of the servers has been done in Perl and NOT the console. Here is the process I used when setting up the servers. I'm using custom-built packages on Etch.

ii  fedora-ds-admin                   1.1.6                                Fedora Administration Server (admin)
ii  fedora-ds-admin-console           1.1.2                                Fedora Admin Server Management Console
ii  fedora-ds-base                    1.1.3                                Fedora Directory Server (base)
ii  fedora-ds-console                 1.1.2                                Fedora Directory Server Management Console
ii  mozldap                           6.0.5                                Mozilla LDAP C SDK
ii  mozldap-dev                       6.0.5                                Mozilla LDAP C SDK
ii  mozldap-tools                     6.0.5                                Mozilla LDAP C SDK
ii  ldapsdk                           4.17-4                               Enables applications to manage information s
ii  perldap                           1.5.2                                PerLDAP is a set of modules written in Perl
ii  libadminutil                      1.1.7                                Utility library for directory server adminis
ii  libsvrcore                        4.0.4                                Secure PIN handling using NSS crypto
ii  libapache2-mod-nss                1.0.8                                mod_nss is an SSL provider derived from the



1.  install mmr1 server using setup-ds-admin.pl
2.  install mmr2 server using setup-ds.pl
3.  configure SSL/TLS on each machine and confirm ldapsearches etc. are encrypted.
4.  create root suffix o=netscaperoot on mmr2.
5.  enable MMR replication of userroot on both mmr1 and mmr2
6.  init UserRoot replication agreement on mmr1.
7.  enable MMR replication of o=netscaperoot on both mmr1 and mmr2.
8.  init NetscapeRoot replication agreement on mmr1.
9.  run register-ds-admin.pl on mmr2

At this point, I can confirm that encryption is working on both machines, all replication agreements are over SSL and are working as expected. The admin server is running on both machines, and both servers are accessible from each admin-server instance.

So I opened up the console, opened up a session to each server, and that's when I noticed the different number of ACIs on each server:

on mmr1:  o=NetscapeRoot has 5 ACIs
          UserRoot has 6
          cn=schema has 4
          cn=monitor has 1
          cn=config has 3

on mmr2:  o=NetscapeRoot has 5 ACIs
          UserRoot has 6
          cn=schema has 1
          cn=monitor has 1
          cn=config has 0


So I'm wondering if the mmr2 server is missing those ACIs because of the different install procedure of running setup-ds.pl first, then register-ds-admin.pl.

Here are the ACIs in question:

mmr1 - cn=schema
# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
 scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
 dmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)


mmr2 - cn=schema
# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)


mmr1 - cn=config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
 dmns0.xxx.xx.xx.ca, ou=xxx.xx.xx.ca, o=NetscapeRoot";)

mmr2 - cn=config
none.



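An added example, not part of Ryan's message and not code from the Fedora DS project: a small POSIX shell script that takes the LDIF dump of one entry from each replica, unfolds the LDIF continuation lines (a long aci value is wrapped onto lines that begin with a single space, as in the dumps above), and diffs the two aci sets, so a mismatch like the cn=schema and cn=config one above can be caught from a cron job instead of by counting in the console. The ldapsearch flags in fetch_acis are the OpenLDAP client's (an assumption; the mozldap-tools ldapsearch in the package list takes different options), and the embedded LDIF is constructed from the cn=schema listings in the post.

```shell
#!/bin/sh
# Added example (not from the original post): compare the aci values of one
# entry on two replicas. LDIF folds long values onto continuation lines that
# start with a single space, so they must be unfolded before grepping.
export LC_ALL=C

# unfold_ldif FILE: join LDIF continuation lines so each attribute is one line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# list_acis FILE: the entry's aci values, sorted, with the "aci: " prefix
# stripped and whitespace around "," and "=" removed so that cosmetic
# differences such as "uid=admin,ou=..." vs "uid=admin, ou=..." do not count.
list_acis() {
    unfold_ldif "$1" | sed -n 's/^aci: //p' | sed 's/, */,/g; s/ *= */=/g' | sort
}

# count_acis FILE: how many aci values the entry carries.
count_acis() {
    list_acis "$1" | wc -l | tr -d ' '
}

# diff_acis FILE1 FILE2: return 0 if both dumps carry the same aci set,
# otherwise print the ACIs present on only one side and return 1.
diff_acis() {
    left=$(mktemp); right=$(mktemp)
    list_acis "$1" > "$left"; list_acis "$2" > "$right"
    only_left=$(comm -23 "$left" "$right")
    only_right=$(comm -13 "$left" "$right")
    rm -f "$left" "$right"
    if [ -z "$only_left" ] && [ -z "$only_right" ]; then
        return 0
    fi
    [ -n "$only_left" ] && printf 'only in %s:\n%s\n' "$1" "$only_left"
    [ -n "$only_right" ] && printf 'only in %s:\n%s\n' "$2" "$only_right"
    return 1
}

# fetch_acis URL BINDDN PWFILE DN OUTFILE: dump one entry's aci values over
# LDAPS. Uses the OpenLDAP ldapsearch flags (assumed; the mozldap-tools
# ldapsearch differs) and reads the bind password from a file rather than
# the command line so it does not show up in `ps`. Not executed below.
fetch_acis() {
    ldapsearch -LLL -H "$1" -x -D "$2" -y "$3" -b "$4" -s base '(objectClass=*)' aci > "$5"
}

# Constructed sample dumps, copied from the cn=schema listings in the post.
MMR1_SCHEMA=$(mktemp); MMR2_SCHEMA=$(mktemp)
cat > "$MMR1_SCHEMA" <<'EOF'
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=Net
 scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-xxxdmns0, cn=Fedora Directory Server, cn=Server Group, cn=xxx
 dmns0.xxx.xx.xx.xx, ou=xxx.xx.xx.ca, o=NetscapeRoot";)
EOF
cat > "$MMR2_SCHEMA" <<'EOF'
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
EOF

# Against live servers you would replace the samples with, e.g.:
#   fetch_acis ldaps://mmr1.example.com "cn=Directory Manager" ~/.dmpw cn=schema "$MMR1_SCHEMA"
echo "mmr1 cn=schema: $(count_acis "$MMR1_SCHEMA") ACIs, mmr2 cn=schema: $(count_acis "$MMR2_SCHEMA") ACIs"
diff_acis "$MMR1_SCHEMA" "$MMR2_SCHEMA" || echo "aci sets differ"
```

Run it once per entry you care about (cn=schema, cn=config, cn=monitor and each suffix root) on both replicas; a non-zero exit from diff_acis names the exact ACI that is present on one side only, which is more useful than the raw counts because cn=config and cn=schema are not replicated, so nothing will ever bring them back in line on its own.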
