[389-users] 389-console

Ldap Tester ldap.tester at gmail.com
Fri May 22 15:30:01 UTC 2015


I would like to return to a problem that I have had since I first posted
about it on Feb 29, 2012, and which was never resolved.  I have been
successfully running 2 FDS multi-masters since I installed them in ~2007,
and they have been updated ever since with yum.  My current package set is:
389-admin-1.1.38-1.fc21.x86_64
389-admin-console-1.1.8-7.fc21.noarch
389-admin-console-doc-1.1.8-7.fc21.noarch
389-adminutil-1.1.21-1.fc21.x86_64
389-console-1.1.7-7.fc21.noarch
389-ds-1.2.2-6.fc21.noarch
389-ds-base-1.3.3.8-1.fc21.x86_64
389-ds-base-devel-1.3.3.8-1.fc21.x86_64
389-ds-base-libs-1.3.3.8-1.fc21.x86_64
389-ds-console-1.2.7-4.fc21.noarch
389-ds-console-doc-1.2.7-4.fc21.noarch
389-dsgw-1.1.11-4.fc21.x86_64

The directory service is working fine.  I use it only to authenticate user
logins on about a dozen Fedora clients.  I can run 389-console on one of the
masters, but not the other.  I used to be able to run it before 2012. Now
when I run 389-console and log in, I get:
Cannot connect to the directory server:
netscape.ldap.LDAPException: error result (32): No such object

I tried running setup-ds-admin.pl -u, but it yields:
Configuration directory server URL [ldap://XXXX.org:389/o%3DNetscapeRoot]:
Configuration directory server admin ID [uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot]:
Configuration directory server admin password:
Configuration directory server admin domain [org]:
Could not authenticate as user 'uid=admin, ou=Administrators,
ou=TopologyManagement, o=NetscapeRoot' to server
'ldap://XXXX.org:389/o%3DNetscapeRoot'.  Error: No such object

I notice that when I start dirsrv-admin, I get the following message in
/var/log/dirsrv/admin-serv/error:
[:crit] [pid 18514:tid 140642010404992] populate_tasks_from_server():
Unable to search [cn=admin-serv-XXXX, cn=389 Administration Server,
cn=Server Group, cn=XXXX.org, ou=org, o=NetscapeRoot] for LDAPConnection
[XXXX.org:389]

Each server is its own configuration directory server.  There is a
replication agreement between the two servers, but only on userRoot, not
NetscapeRoot.

I also note that ldapsearch -x -b "o=NetscapeRoot" on the problem server
yields:
# extended LDIF
#
# LDAPv3
# base <o=NetscapeRoot> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# NetscapeRoot
dn: o=NetscapeRoot
objectClass: top
objectClass: organization
o: NetscapeRoot

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The same command on the working server produces a response with 46 entries
and lots of good things in it.  Did my NetscapeRoot somehow get emptied?
How do I get it back?


I thought a "restoreconfig" command would help me, but I never did a
"saveconfig" and don't have any /var/lib/dirsrv/slapd-XXXX/bak/*.ldif
files.  I do have a
/var/lib/dirsrv/slapd-XXXX/ldif/XXXX-NetscapeRoot-2010_09_16_090402.ldif
file, but it's quite old and from the documentation that I read, it says it
is an "example" file.  I do have backups in
/var/lib/dirsrv/slapd-XXXX/bak/.  Among others, I have ones from
2011_07_20_10_54_37/ and 2012_02_20_13_29_00/.  I believe everything was
working correctly in 2011, but not by 2012.  Could this help in any way?

Alternatively, I just now did a saveconfig, and it produced an .ldif file
with 146 entries!  If I now restore from that file, might that fix things
up?  Can it hurt to try?