[389-users] management console authentication error

Herb Burnswell herbert.burnswell at gmail.com
Mon Apr 23 23:48:16 UTC 2012


Hey Mark,

Well, to back up a bit, of the dual masters (A & B) only A has been
running consistently for many years.  That is why I needed to do a
re-initialization of B.  The re-initialization was done at the 'my_suffix'
level and not NetscapeRoot.

I assumed that the config data would be running on both dual masters.
Maybe I am incorrect?

access from Master A for 'admin' bind:

[23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from
10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
version=3
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0
etime=0
dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping,
cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration
server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef
nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101 nentries=1
etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101
nentries=24 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA,
cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101
nentries=13 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora Directory
Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef
nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101
nentries=17 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora
Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
attrs="nsExecRef nsLogSuppress"
[23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101
nentries=24 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
[23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1


access from master A for 'cn=Directory Manager' bind:

[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from
10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND dn="cn=admin-serv-masterA,
cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz,
ou=sub.domain.biz, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=admin-serv-masterA,cn=fedora administration server,cn=server
group,cn=masterA.sub.domain.biz,ou=sub.domain.biz,o=netscaperoot"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager"
method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
[23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1


These are from master A where logging in as either works fine.  It looks
like I need to configure o=netscaperoot on master B somehow?

thanks,

Herb



On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds <mareynol at redhat.com> wrote:

>  Herb,
>
> Do you know which server is hosting the config data for the
> console(o=netscaperoot)?  If you do, please provide the access log output
> showing the "cn=directory manager" and "admin" binds?  It might not hurt to
> restart the admin server.
>
> Thanks,
> Mark
>
>
>
> On 04/23/2012 04:06 PM, Herb Burnswell wrote:
>
> Hi All,
>
> After re-initialization of a dual master server I now cannot log into the
> directory management console as cn=Directory Manager.  I receive the error:
>
> Cannot logon because of an incorrect user id, incorrect password, or
> Directory problem.
> httpException:
> Resoponse: HTTP/1.1 401 Unauthorized
> Status: 401
> URL: http://url/admin-serv/authenticate
>
> I know the password is correct as I can drop into an ldapmodify session
> with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.
>
> I've seen a few inquiries about this issue around the web but nothing to
> resolve the issue.  I see the following in
> /opt/fedora-ds/admin-serv/logs/error:
>
>  security (27749): for host <hostname> trying to GET
> /admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager
> does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw
>
> It is correct that there is not a line for cn=Directory Manager in admpw,
> but it is not located in the admpw file on the other dual master and I can
> log into its management console as cn=Directory Manager without error.
> They both just contain a line for user 'admin'.
>
> When I try to log in as 'admin' (works fine on other dual master) I
> receive:
>
> cannot connect to the directory server:
> netscape.ldap.LDAPException: error result (32) matchedDN = ou
> =<domain>,o=netscaperoot; no such object
>
> Is there something else that I need to do after re-initialization?  Any
> guidance is greatly appreciated.
>
> Thanks in advance,
>
> Herb
>
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
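
The thread turns on reading the BIND and RESULT lines of the access log. As an added example (not part of the original messages and not 389 project code), this Python re-joins mail-wrapped access-log records and pairs each BIND with its RESULT on the same conn/op. The sample log is constructed: the err=49 bind and the 10.10.10.25 client do not appear in the thread.

```python
import re

# Constructed sample in the access-log format quoted in the thread, wrapped the
# way the mail client wrapped it; the failed bind on conn=2601 is invented.
SAMPLE = """\
[23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from
10.10.10.24 to 10.10.10.24
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager"
method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn="cn=directory manager"
[23/Apr/2012:16:40:02 -0700] conn=2601 fd=70 slot=70 connection from
10.10.10.25 to 10.10.10.24
[23/Apr/2012:16:40:02 -0700] conn=2601 op=0 BIND dn="uid=admin,
ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:40:02 -0700] conn=2601 op=0 RESULT err=49 tag=97 nentries=0
etime=0
"""

STAMP = re.compile(r"^\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] ")
CONN = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
LDAP_ERR = {0: "success", 32: "no such object", 49: "invalid credentials"}

def unwrap(text):
    """Re-join wrapped records: every real record starts with a timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def bind_outcomes(text):
    """Pair each BIND with the RESULT carrying the same conn and op numbers."""
    clients, pending, out = {}, {}, []
    for rec in unwrap(text):
        if m := CONN.search(rec):
            clients[int(m[1])] = m[2]
        elif m := BIND.search(rec):
            # Normalize the DN the way the server logs it in the RESULT line.
            pending[(int(m[1]), int(m[2]))] = re.sub(r"\s*,\s*", ",", m[3]).lower()
        elif (m := RESULT.search(rec)) and (int(m[1]), int(m[2])) in pending:
            conn, op, err = map(int, m.groups())
            out.append({"conn": conn, "client": clients.get(conn),
                        "dn": pending.pop((conn, op)), "err": err,
                        "meaning": LDAP_ERR.get(err, "other")})
    return out
```

Filtering the returned list on `err != 0` gives the failed binds with their client address and normalized DN.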