[389-users] New 389 ds install - cannot logon to adm console

Rich Megginson rmeggins at redhat.com
Tue Nov 30 23:38:34 UTC 2010


On 11/30/2010 04:33 PM, trisooma wrote:
>> On 11/30/2010 02:32 PM, Trisooma wrote:
>>> On 11/30/2010 10:23 PM, Rich Megginson wrote:
>>>> On 11/30/2010 02:20 PM, trisooma wrote:
>>>>> If I am reading the code correctly (and looking at the logging below), the
>>>>> line that has a severity of 'crit' should dump info for the ldap server we
>>>>> are connecting to.
>>>>> In my case (and Eric's too) only 'ldap://:389' is printed; sometimes even
>>>>> with an odd number like 23395496 (see Eric's first post).
>>>>>
>>>>> [Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
>>>>> [Tue Nov 30 22:01:43 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
>>>>> [Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
>>>>> [Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:389
>>>>> [Tue Nov 30 22:01:44 2010] [warn] Unable to open initial LDAPConnection to populate LocalAdmin tasks into cache.
>>>>>
>>>>> The code that logs this error looks like this
>>>>> [mod_admserv/mod_admserv.c:517]
>>>>>
>>>>>            ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */, NULL,
>>>>>                         "openLDAPConnection(): util_ldap_init failed for ldap%s://%s:%d",
>>>>>                         data->secure ? "s" : "",
>>>>>                         data->host, data->port);
>>>>>
>>>>> It seems that the struct 'data' is not filled with the correct values.
>>>> That's why I asked for your /etc/dirsrv/admin-serv/adm.conf -
>>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012548.html
>>> My bad, see
>>> http://lists.fedoraproject.org/pipermail/389-users/2010-November/012551.html
>> First, upgrade to the latest versions of these components from the testing repo
>> yum upgrade --enablerepo=updates-testing 389-admin 389-ds-base 389-adminutil
>>
>> Then, run
>> setup-ds-admin.pl -u
>>
>> Then try
>>
>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
>>
>> and
>>
>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w youradminpassword -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
>>
> Using the above I can confirm that I can now use the console to log in and
> administer my DS (though I had to remove selinux-policy-targeted). The
> command 'setup-ds-admin.pl -u' ran without a hitch.
>
> The results of both ldap queries are below:
>
> [root at icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> Enter LDAP Password:
> dn: cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma
>   .nl,o=NetscapeRoot
> nsBuildSecurity: domestic
> objectClass: top
> objectClass: nsApplication
> objectClass: groupOfUniqueNames
> cn: 389 Administration Server
> nsVendor: 389 Project
> installationTimeStamp: 20101124210830Z
> nsBuildNumber: 2010.328.157
> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Grou
>   p,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> nsServerMigrationClassname: com.netscape.management.admserv.AdminServerProduct
>   @389-admin-1.1.jar
> nsProductName: 389 Administration Server
> nsProductVersion: 1.1.13
> nsNickName: admin
>
> [root at icicle /]# ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/ -D "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -W -s base -b "cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot"
> Enter LDAP Password:
> dn: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Group,cn=icicl
>   e.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> objectClass: top
> objectClass: netscapeServer
> objectClass: nsAdminServer
> objectClass: nsResourceRef
> objectClass: groupOfUniqueNames
> serverHostName: icicle.phasma.nl
> cn: admin-serv-icicle
> installationTimeStamp: 20101124210830Z
> serverProductName: Administration Server
> uniqueMember: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server Grou
>   p,cn=icicle.phasma.nl,ou=phasma.nl,o=NetscapeRoot
> nsServerID: admin-serv
>
> I proceeded to restart dirsrv-admin, and the log now looks like this:
>
> [Tue Nov 30 23:59:20 2010] [notice] Access Host filter is: *.phasma.nl
> [Tue Nov 30 23:59:20 2010] [notice] Access Address filter is: *
> [Tue Nov 30 23:59:21 2010] [notice] Apache/2.2.17 (Unix) configured -- resuming normal operations
> [Tue Nov 30 23:59:21 2010] [notice] Access Host filter is: *.phasma.nl
> [Tue Nov 30 23:59:21 2010] [notice] Access Address filter is: *
> [Wed Dec 01 00:00:17 2010] [notice] [client 127.0.0.1] admserv_host_ip_check: ap_get_remote_host could not resolve 127.0.0.1
> [Wed Dec 01 00:00:18 2010] [notice] [client 127.0.0.1] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
> [Wed Dec 01 00:00:33 2010] [notice] [client 192.168.134.10] admserv_host_ip_check: ap_get_remote_host could not resolve 192.168.134.10
> [Wed Dec 01 00:00:33 2010] [error] [client 192.168.134.10] File does not exist: /usr/share/dirsrv/html/java/jars
This should be ok - it should fall back to /usr/share/dirsrv/html/java
> Still some errors are visible in the logfile,
The one marked [error] above, or are there others?  [notice] messages 
are ok.
> but I can log in and add
> users/groups using the console. When I navigate to 'Directory Server' >
> 'Configuration' I get the following error message:
> 'Insufficient Permissions': The user
> uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does not
> have permission to perform this operation.
> When I enter the correct credentials, it seems that everything is working
> as it is supposed to.
"correct credentials"?
> The log complains about not being able to do a reverse lookup on
> 192.168.134.10, but this seems wrong (DNS works both ways):
Yes.  See /etc/dirsrv/admin-serv/console.conf - HostnameLookups
> [shadowuser at icicle ~]$ host 192.168.134.10
> 10.134.168.192.in-addr.arpa domain name pointer icicle.phasma.nl.
> [shadowuser at icicle ~]$ host icicle.phasma.nl
> icicle.phasma.nl has address 192.168.134.10
>
> Thanks for your patience,
>
> Regards,
>
> Trisooma
>
>
>
>>>>> BTW. this code was taken from 389-admin-1.1.12.a2
>>>>>
>>>>> I hope this helps,
>>>>>
>>>>> Regards,
>>>>>
>>>>> Trisooma
>>>>>
>>>>> --
>>>>> 389 users mailing list
>>>>> 389-users at lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
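
Added example, not part of the original thread and not 389 project code: a log check for the symptom discussed above, where the [crit] line from openLDAPConnection() names a target with no host (ldap://:389), which points at the admin server configuration not being loaded rather than at the directory server being down. The function names and sample lines are constructed for illustration; placing the "odd number" 23395496 in the port position is an assumption.

```python
import re

# Start of an Apache error_log record, e.g. "[Tue Nov 30 22:01:43 2010] ".
RECORD_START = re.compile(r"^\[\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\] ")
# The [crit] line produced by the format string quoted in the thread:
#   "openLDAPConnection(): util_ldap_init failed for ldap%s://%s:%d"
CRIT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[crit\] openLDAPConnection\(\): util_ldap_init "
    r"failed for (?P<scheme>ldaps?)://(?P<host>[^:\s]*):(?P<port>-?\d+)"
)

# Constructed sample, modelled on the log lines in the thread (the first two
# records are mail-wrapped on purpose; the last two are invented for contrast).
SAMPLE = """\
[Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection(): util_ldap_init
failed for ldap://:389
[Tue Nov 30 22:01:43 2010] [warn] Unable to open initial
LDAPConnection to
populate LocalAdmin tasks into cache.
[Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://:23395496
[Tue Nov 30 22:01:45 2010] [crit] openLDAPConnection(): util_ldap_init failed for ldap://icicle.phasma.nl:389
"""

def unwrap(text):
    """Rejoin records that were wrapped; a record starts with a timestamp."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def audit(text):
    """Return (timestamp, url, problems) for every openLDAPConnection failure."""
    findings = []
    for rec in unwrap(text):
        m = CRIT.match(rec)
        if not m:
            continue
        port = int(m["port"])
        problems = [] if m["host"] else ["empty host"]
        if not 1 <= port <= 65535:
            problems.append("port out of range")
        findings.append((m["ts"], f'{m["scheme"]}://{m["host"]}:{port}', problems))
    return findings

if __name__ == "__main__":
    for ts, url, problems in audit(SAMPLE):
        print(ts, url, ", ".join(problems) or "target well-formed")
```

An empty problem list means the logged target is well-formed, so the failure lies in reaching or binding to that server rather than in the configuration that fills in host and port.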



