[389-users] management console authentication error

Herb Burnswell herbert.burnswell at gmail.com
Tue Apr 24 20:11:10 UTC 2012


Hi Mark,

Thanks for getting back to me, sorry about the confusion.  Here are the logs
from the master B console log on the attempts:

[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from
10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB,
cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz,
ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0
etime=0
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from
10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB,
cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz,
ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0
etime=0


[24/Apr/2012:12:32:47] security (23835): for host
masterB.sub.domain.biztrying to GET /admin-serv/authenticate,
admin40_host_ip_check reports:
Unauthorized host ip=10.10.10.25, connection rejected

When I was trying to get replication working, I did an initialization of
master B from master A backup files (NetscapeRoot and <my_suffix>).  I've
since done a re-initialization of <my_suffix> to master B from master A
console.  When I do a search on master B:

./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot
"cn=admin-serv-*"

version: 1
dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
Group,
 cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
objectClass: top
objectClass: netscapeServer
objectClass: nsAdminServer
objectClass: nsResourceRef
objectClass: groupOfUniqueNames
cn: admin-serv-masterA
nsServerID: admin-serv
serverRoot: /opt/fedora-ds
serverProductName: Administration Server
serverHostName: masterA.sub.domain.biz
uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server,
cn=Serv
 er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
installationTimeStamp: 20050916201912Z
userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==


Yes, this version and install is very old.  But it appears that all of
master A information is on master B regarding admin-serv-<hostname> user on
master B.  This is not correct right?

I read the documentation that you sent but my install does not include
setup-ds-admin.pl, my version is DS 7.1.  Is there a way to simply edit the
admin-serv-<hostname> if that is in fact the problem?

TIA,

Herb
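A small parser, added here and not part of the thread, that pairs BIND and RESULT entries from a 389 DS access log by conn/op and separates err=32 (the bind DN itself is absent on that server, the symptom in the master B log above) from err=49 (the DN exists but the password is wrong). The sample log lines are constructed, modelled on the entries posted in this thread, with each entry on one line as it is in the real log.

```python
import re

# Constructed sample, modelled on the access log entries in this thread.
# The err=49 entry is added to show the contrast with err=32.
SAMPLE_LOG = """\
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
[23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
[24/Apr/2012:12:15:00 -0700] conn=140 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Apr/2012:12:15:00 -0700] conn=140 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

# LDAP result codes that matter when diagnosing a failed console login.
BIND_ERRORS = {
    0: "success",
    32: "noSuchObject: the bind DN does not exist on this server",
    49: "invalidCredentials: the DN exists but the password is wrong",
}


def correlate_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op); one record per bind."""
    pending = {}   # (conn, op) -> bind DN awaiting its RESULT line
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        # Only RESULT lines that answer a pending BIND are bind outcomes;
        # SRCH results on the same connection are skipped.
        if m and (m.group(1), m.group(2)) in pending:
            dn = pending.pop((m.group(1), m.group(2)))
            err = int(m.group(3))
            findings.append({"conn": int(m.group(1)), "dn": dn, "err": err,
                             "meaning": BIND_ERRORS.get(err, "other LDAP error")})
    return findings


def missing_bind_dns(findings):
    """Bind DNs the server reported as absent (err=32), sorted for stable output."""
    return sorted({f["dn"] for f in findings if f["err"] == 32})


if __name__ == "__main__":
    for f in correlate_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} err={f['err']} {f['meaning']}: {f['dn']}")
```

An err=32 on the admin server's own bind DN points at the entry under o=NetscapeRoot rather than at the password, which is why the admpw file and the Directory Manager credentials checked out fine here.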

On Tue, Apr 24, 2012 at 8:34 AM, Mark Reynolds <mareynol at redhat.com> wrote:

>  Hi Herb,
>
> I wanted to see the logs from the server that wasn't working.  According
> to these logs everything is fine.  So, you can log into the console for
> master A, but not master B.  Most likely there is no configuration
> instance/admin server setup.  There are a few options.  One, you could
> register master B in the Master A console(using Create New Administration
> Domain feature), and just use that console to manage both servers.  Two,
> setup a new config instance on the master B machine, and use a separate
> console.
>
> Option one is definitely the best option.  You can still use the console
> GUI on master B if you want to, but point it to the master A in the
> administration URL.
>
> Here are some links to some useful documents on this:
>
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html
>
>
> http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20register%20instance%20in%20console&source=web&cd=1&ved=0CCQQFjAA&url=http%3A%2F%2Fdocs.redhat.com%2Fdocs%2Fen-US%2FRed_Hat_Directory_Server%2F8.2%2Fpdf%2FUsing_Red_Hat_Console%2FRed_Hat_Directory_Server-8.2-Using_Red_Hat_Console-en-US.pdf&ei=CMCWT_iAL-qD6AGHjsiUDg&usg=AFQjCNFEcvk6fUEU7UFEbsQI2XDK0fq_aA&cad=rja
>
> Let me know if you have any questions.
>
> Mark
>
> On 04/23/2012 07:48 PM, Herb Burnswell wrote:
>
> Hey Mark,
>
> Well, to back up a bit, of the dual masters (A & B) only A has been
> running consistently for many years.  That is why I needed to do a
> re-initialization of B.  The re-initialization was done at the 'my_suffix'
> level and not NetscapeRoot.
>
> I assumed that the config data would be running on both dual masters.
> Maybe I am incorrect?
>
> access from Master A for 'admin' bind:
>
> [23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from
> 10.10.10.24 to 10.10.10.24
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,
> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
> version=3
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0
> etime=0
> dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping,
> cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration
> server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
> o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef
> nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101
> nentries=1 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
> base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
> scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101
> nentries=24 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA,
> cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz,
> ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
> attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101
> nentries=13 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora Directory
> Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
> o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef
> nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101
> nentries=17 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora
> Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
> sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
> attrs="nsExecRef nsLogSuppress"
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101
> nentries=24 etime=0
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1
>
>
> access from master A for 'cn=Directory Manager' bind:
>
> [23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from
> 10.10.10.24 to 10.10.10.24
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
> dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
> method=128 version=3
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97 nentries=0
> etime=0 dn="cn=admin-serv-masterA,cn=fedora administration server,cn=server
> group,cn=masterA.sub.domain.biz,ou=sub.domain.biz,o=netscaperoot"
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager"
> method=128 version=3
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0
> etime=0 dn="cn=directory manager"
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
>
>
> These are from master A where logging in as either works fine.  It looks
> like I need to configure o=netscaperoot on master B somehow?
>
> thanks,
>
> Herb
>
>
>
> On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds <mareynol at redhat.com> wrote:
>
>>  Herb,
>>
>> Do you know which server is hosting the config data for the
>> console(o=netscaperoot)?  If you do, please provide the access log output
>> showing the "cn=directory manager" and "admin" binds?  It might not hurt to
>> restart the admin server.
>>
>> Thanks,
>> Mark
>>
>>
>>
>> On 04/23/2012 04:06 PM, Herb Burnswell wrote:
>>
>>  Hi All,
>>
>> After re-initialization of a dual master server I now cannot log into the
>> directory management console as cn=Directory Manager.  I receive the error:
>>
>> Cannot logon because of an incorrect user id, incorrect password, or
>> Directory problem.
>> httpException:
>> Resoponse: HTTP/1.1 401 Unauthorized
>> Status: 401
>> URL: http://url/admin-serv/authenticate
>>
>> I know the password is correct as I can drop into an ldapmodify session
>> with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.
>>
>> I've seen a few inquiries about this issue around the web but nothing to
>> resolve the issue.  I see the following in
>> /opt/fedora-ds/admin-serv/logs/error:
>>
>>  security (27749): for host <hostname> trying to GET
>> /admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager
>> does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw
>>
>> It is correct that there is not a line for cn=Directory Manager in admpw,
>> but it is not located in the admpw file on the other dual master and I can
>> log into its management console as cn=Directory Manager without error.
>> They both just contain a line for user 'admin'.
>>
>> When I try to log in as 'admin' (works fine on other dual master) I
>> receive:
>>
>> cannot connect to the directory server:
>> netscape.ldap.LDAPException: error result (32) matchedDN = ou
>> =<domain>,o=netscaperoot; no such object
>>
>> Is there something else that I need to do after re-initialization?  Any
>> guidance is greatly appreciated.
>>
>> Thanks in advance,
>>
>> Herb
>>
>>
>>
>>
>>
>>
>