[389-users] management console authentication error

Mark Reynolds mareynol at redhat.com
Tue Apr 24 21:12:38 UTC 2012


Hi Herb,

Ok, you shouldn't be using "o=netscaperoot" from a different machine, but 
if both machines are set up EXACTLY the same way, then you might be able 
to replace the hostname.  But this is error prone, and we should try and 
get master B registered on master A's console.  Did you try setting 
up an admin domain that points to master B's machine?

see comments below...

On 04/24/2012 04:11 PM, Herb Burnswell wrote:
> Hi Mark,
>
> Thanks for getting back to me, sorry about the confusion.  Here's the 
> logs from master B console log on attempts:
>
> [24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 
> 10.10.10.25 to 10.10.10.25
> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND 
> dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server 
> Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 
> version=2
> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 
> nentries=0 etime=0
> [24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from 
> 10.10.10.25 to 10.10.10.25
> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND 
> dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server 
> Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 
> version=2
> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 
> nentries=0 etime=0
This isn't the right bind dn we are looking for.  :-)    We want to see 
the results from "uid=admin" and "cn=directory manager".
>
>
> [24/Apr/2012:12:32:47] security (23835): for host 
> masterB.sub.domain.biz trying to GET 
> /admin-serv/authenticate, admin40_host_ip_check reports: Unauthorized 
> host ip=10.10.10.25, connection rejected
This might be caused by some access restrictions.  Do an ldapsearch on 
o=netscaperoot and look for:

dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration 
Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot

nsAdminAccessAddresses
nsAdminAccessHosts

Use ldapmodify to change the settings if needed.  Make sure that the 
host you are trying to connect from is allowed by the settings.  You 
could just set both to "*" for now.  You will need to restart the admin 
server for this change to take effect.

Thanks,
Mark

>
> When I was trying to get replication working, I did an initialization 
> of master B from master A backup files (NetscapeRoot and 
> <my_suffix>).  I've since done a re-initialization of <my_suffix> to 
> master B from master A console.  When I do a search on master B:
>
> ./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot 
> "cn=admin-serv-*"
>
> version: 1
> dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server 
> Group,
>  cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
> objectClass: top
> objectClass: netscapeServer
> objectClass: nsAdminServer
> objectClass: nsResourceRef
> objectClass: groupOfUniqueNames
> cn: admin-serv-masterA
> nsServerID: admin-serv
> serverRoot: /opt/fedora-ds
> serverProductName: Administration Server
> serverHostName: masterA.sub.domain.biz
> uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server, 
> cn=Serv
>  er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
> installationTimeStamp: 20050916201912Z
> userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==
>
>
> Yes, this version and install is very old.  But it appears that all of 
> master A information is on master B regarding admin-serv-<hostname> 
> user on master B.  This is not correct right?
>
> I read the documentation that you sent but my install does not include 
> setup-ds-admin.pl, my version is DS 7.1.  
> Is there a way to simply edit the admin-serv-<hostname> if that is in 
> fact the problem?
>
> TIA,
>
> Herb
>
> On Tue, Apr 24, 2012 at 8:34 AM, Mark Reynolds <mareynol at redhat.com> wrote:
>
>     Hi Herb,
>
>     I wanted to see the logs from the server that wasn't working. 
>     According to these logs everything is fine.  So, you can log into
>     the console for master A, but not master B.  Most likely there is
>     no configuration instance/admin server setup.  There are a few
>     options.  One, you could register master B in the Master A
>     console(using Create New Administration Domain feature), and just
>     use that console to manage both servers.  Two, setup a new config
>     instance on the master B machine, and use a separate console.
>
>     Option one is definitely the best option.  You can still use the
>     console GUI on master B if you want to, but point it to the master
>     A in the administration URL.
>
>     Here are some links to some useful documents on this:
>
>     http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html
>
>     http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20register%20instance%20in%20console&source=web&cd=1&ved=0CCQQFjAA&url=http%3A%2F%2Fdocs.redhat.com%2Fdocs%2Fen-US%2FRed_Hat_Directory_Server%2F8.2%2Fpdf%2FUsing_Red_Hat_Console%2FRed_Hat_Directory_Server-8.2-Using_Red_Hat_Console-en-US.pdf&ei=CMCWT_iAL-qD6AGHjsiUDg&usg=AFQjCNFEcvk6fUEU7UFEbsQI2XDK0fq_aA&cad=rja
>
>     Let me know if you have any questions.
>
>     Mark
>
>     On 04/23/2012 07:48 PM, Herb Burnswell wrote:
>>     Hey Mark,
>>
>>     Well, to back up a bit, of the dual masters' (A & B) only A has
>>     been running consistently for many years.  That is why I needed
>>     to do a re-initialization of B.  The re-initialization was done
>>     at the 'my_suffix' level and not NetscapeRoot.
>>
>>     I assumed that the config data would be running on both dual
>>     masters.  Maybe I am incorrect?
>>
>>     access from Master A for 'admin' bind:
>>
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection
>>     from 10.10.10.24 to 10.10.10.24
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,
>>     ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
>>     method=128 version=3
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97
>>     nentries=0 etime=0
>>     dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH
>>     base="cn=statusping, cn=operation, cn=tasks,
>>     cn=admin-serv-masterA, cn=fedora administration server, cn=server
>>     group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=netscaperoot"
>>     scope=0 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101
>>     nentries=1 etime=0
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
>>     base="cn=admin-serv-masterA, cn=Fedora Administration Server,
>>     cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
>>     o=NetscapeRoot" scope=2
>>     filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101
>>     nentries=24 etime=0
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH
>>     base="cn=slapd-masterA, cn=Fedora Directory Server, cn=Server
>>     Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
>>     scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101
>>     nentries=13 etime=0
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora
>>     Directory Server, cn=Server Group, cn=masterA.sub.domain.biz,
>>     ou=sub.domain.biz, o=NetscapeRoot" scope=2
>>     filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101
>>     nentries=17 etime=0
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora
>>     Administration Server, cn=Server Group, cn=masterA.sub.domain.biz,
>>     ou=sub.domain.biz, o=NetscapeRoot" scope=2
>>     filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101
>>     nentries=24 etime=0
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
>>     [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1
>>
>>
>>     access from master A for 'cn=Directory Manager' bind:
>>
>>     [23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection
>>     from 10.10.10.24 to 10.10.10.24
>>     [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
>>     dn="cn=admin-serv-masterA, cn=Fedora Administration Server,
>>     cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
>>     o=NetscapeRoot" method=128 version=3
>>     [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97
>>     nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora
>>     administration server,cn=server group,cn=masterA.sub.domain.biz,
>>     ou=sub.domain.biz,o=netscaperoot"
>>     [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory
>>     Manager" method=128 version=3
>>     [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97
>>     nentries=0 etime=0 dn="cn=directory manager"
>>     [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
>>     [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
>>
>>
>>     These are from master A where logging in as either works fine.  It
>>     looks like I need to configure o=netscaperoot on master B somehow?
>>
>>     thanks,
>>
>>     Herb
>>
>>
>>
>>     On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds
>>     <mareynol at redhat.com> wrote:
>>
>>         Herb,
>>
>>         Do you know which server is hosting the config data for the
>>         console(o=netscaperoot)?  If you do, please provide the
>>         access log output showing the "cn=directory manager" and
>>         "admin" binds?  It might not hurt to restart the admin server.
>>
>>         Thanks,
>>         Mark
>>
>>
>>
>>         On 04/23/2012 04:06 PM, Herb Burnswell wrote:
>>>         Hi All,
>>>
>>>         After re-initialization of a dual master server I now cannot
>>>         log into the directory management console as cn=Directory
>>>         Manager.  I receive the error:
>>>
>>>         Cannot logon because of an incorrect user id, incorrect
>>>         password, or Directory problem.
>>>         httpException:
>>>         Resoponse: HTTP/1.1 401 Unauthorized
>>>         Status: 401
>>>         URL: http://url/admin-serv/authenticate
>>>
>>>         I know the password is correct as I can drop into an
>>>         ldapmodify session with ./ldapmodify -D "cn=Directory
>>>         Manager" -w <passwd> without error.
>>>
>>>         I've seen a few inquiries about this issue around the web
>>>         but nothing to resolve the issue.  I see the following in
>>>         /opt/fedora-ds/admin-serv/logs/error:
>>>
>>>          security (27749): for host <hostname> trying to GET
>>>         /admin-serv/authenticate, basic-ncsa reports: user
>>>         cn=Directory Manager does not exist in pwfile
>>>         /opt/fedora-ds/admin-serv/config/admpw
>>>
>>>         It is correct that there is not a line for cn=Directory
>>>         Manager in admpw, but it is not located in the admpw file on
>>>         the other dual master and I can log into its management
>>>         console as cn=Directory Manager without error.  They both
>>>         just contain a line for user 'admin'.
>>>
>>>         When I try to log in as 'admin' (works fine on other dual
>>>         master) I receive:
>>>
>>>         cannot connect to the directory server:
>>>         netscape.ldap.LDAPException: error result (32) matchedDN =
>>>         ou =<domain>,o=netscaperoot; no such object
>>>
>>>         Is there something else that I need to do after
>>>         re-initialization?  Any guidance is greatly appreciated.
>>>
>>>         Thanks in advance,
>>>
>>>         Herb
>>>
>>>
>>>
>>>
>>>         --
>>>         389 users mailing list
>>>         389-users at lists.fedoraproject.org
>>>         https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>
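Mark's nsAdminAccessAddresses / nsAdminAccessHosts check, as an added example that is not part of the thread: a small POSIX sh script that reads the configuration entry as LDIF (a constructed sample stands in for the ldapsearch output), reports whether a given client IP and hostname would pass, and prints the ldapmodify LDIF that opens both attributes to "*". It assumes each attribute value is a space-separated list of glob patterns and that an absent attribute means no restriction; check that against your admin server's documentation before relying on it.

```shell
#!/bin/sh
# Added example: emulate the admin server's nsAdminAccessAddresses /
# nsAdminAccessHosts check locally, so a client like 10.10.10.25 can be
# tested before touching the live server.
set -f   # keep "*" patterns from being expanded against the filesystem

# Constructed LDIF standing in for the ldapsearch result on o=NetscapeRoot;
# the attribute values are assumed, not taken from Herb's servers.
SAMPLE_LDIF='dn: cn=configuration, cn=admin-serv-masterB, cn=389 Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
nsAdminAccessAddresses: 10.10.10.24
nsAdminAccessHosts: masterA.sub.domain.biz'

# Print every value of attribute $1 from LDIF text on stdin, one per line.
ldif_attr() { sed -n "s/^$1: *//p"; }

# Exit 0 if $1 matches any of the space-separated glob patterns in $2
# (assumption: "*" and other shell-style wildcards are honoured).
allowed_by() {
  val=$1
  for pat in $2; do
    case "$val" in $pat) return 0 ;; esac
  done
  return 1
}

# Exit 0 if client IP $1 and hostname $2 pass both attributes in LDIF $3.
# Assumption: a missing attribute imposes no restriction (treated as "*").
check_client() {
  addrs=$(printf '%s\n' "$3" | ldif_attr nsAdminAccessAddresses | tr '\n' ' ')
  hosts=$(printf '%s\n' "$3" | ldif_attr nsAdminAccessHosts | tr '\n' ' ')
  allowed_by "$1" "${addrs:-*}" && allowed_by "$2" "${hosts:-*}"
}

# Emit the ldapmodify change Mark suggests: set both attributes to "*".
# $1 is the configuration entry DN; restart the admin server afterwards.
open_access_ldif() {
  printf 'dn: %s\nchangetype: modify\n' "$1"
  printf 'replace: nsAdminAccessAddresses\nnsAdminAccessAddresses: *\n-\n'
  printf 'replace: nsAdminAccessHosts\nnsAdminAccessHosts: *\n'
}

if check_client 10.10.10.25 masterB.sub.domain.biz "$SAMPLE_LDIF"; then
  echo "10.10.10.25 would be accepted"
else
  echo "10.10.10.25 would be rejected (the admin40_host_ip_check case)"
  open_access_ldif "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr dn)"
fi
```

Pipe the printed LDIF into ldapmodify as cn=Directory Manager to apply it; tightening the patterns back to the real console hosts once the console works is the safer end state.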