Hi Herb,

Ok you shouldn't be using "o=netscaperoot" from a different machine, but if both machines are set up EXACTLY the same way, then you might be able to replace the hostname. But this is error prone, and we should try and get the master B registered on master A's console. Did you try setting up an admin domain that points to master B's machine?

see comments below...

On 04/24/2012 04:11 PM, Herb Burnswell wrote:
Hi Mark,

Thanks for getting back to me, sorry about the confusion. Here's the logs from master B console log on attempts:

[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97 nentries=0 etime=0

This isn't the right bind dn we are looking for. :-) We want to see the results from "uid=admin" and "cn=directory manager".


[24/Apr/2012:12:32:47] security (23835): for host masterB.sub.domain.biz trying to GET /admin-serv/authenticate, admin40_host_ip_check reports: Unauthorized host ip=10.10.10.25, connection rejected

This might be caused by some access restrictions. Do an ldapsearch on o=netscaperoot and look for:

dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot

nsAdminAccessAddresses
nsAdminAccessHosts

Use ldapmodify to change the settings if needed. Make sure that the host you are trying to connect from is allowed by the settings. You could just set both to "*" for now. You will need to restart the admin server for this change to take effect.

Thanks,
Mark


When I was trying to get replication working, I did an initialization of master B from master A backup files (NetscapeRoot and <my_suffix>). I've since done a re-initialization of <my_suffix> to master B from master A console. When I do a search on master B:

./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot "cn=admin-serv-*"

version: 1
dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
objectClass: top
objectClass: netscapeServer
objectClass: nsAdminServer
objectClass: nsResourceRef
objectClass: groupOfUniqueNames
cn: admin-serv-masterA
nsServerID: admin-serv
serverRoot: /opt/fedora-ds
serverProductName: Administration Server
serverHostName: masterA.sub.domain.biz
uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
installationTimeStamp: 20050916201912Z
userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==


Yes, this version and install is very old. But it appears that all of master A information is on master B regarding admin-serv-<hostname> user on master B. This is not correct, right?

I read the documentation that you sent but my install does not include setup-ds-admin.pl, my version is DS 7.1. Is there a way to simply edit the admin-serv-<hostname> if that is in fact the problem?

TIA,

Herb

On Tue, Apr 24, 2012 at 8:34 AM, Mark Reynolds wrote:

    Hi Herb,

    I wanted to see the logs from the server that wasn't working.
    According to these logs everything is fine.  So, you can log into
    the console for master A, but not master B.  Most likely there is
    no configuration instance/admin server setup.  There are a few
    options.  One, you could register master B in the Master A
    console (using Create New Administration Domain feature), and just
    use that console to manage both servers.  Two, set up a new config
    instance on the master B machine, and use a separate console.

    Option one is definitely the best option.  You can still use the
    console GUI on master B if you want to, but point it to the master
    A in the administration URL.

    Here are some links to some useful documents on this:

    http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html

    http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20register%20instance%20in%20console&source=web&cd=1&ved=0CCQQFjAA&url=http%3A%2F%2Fdocs.redhat.com%2Fdocs%2Fen-US%2FRed_Hat_Directory_Server%2F8.2%2Fpdf%2FUsing_Red_Hat_Console%2FRed_Hat_Directory_Server-8.2-Using_Red_Hat_Console-en-US.pdf&ei=CMCWT_iAL-qD6AGHjsiUDg&usg=AFQjCNFEcvk6fUEU7UFEbsQI2XDK0fq_aA&cad=rja

    Let me know if you have any questions.

    Mark

    On 04/23/2012 07:48 PM, Herb Burnswell wrote:
    Hey Mark,

    Well, to back up a bit, of the dual masters (A & B), only A has
    been running consistently for many years.  That is why I needed
    to do a re-initialization of B.  The re-initialization was done
    at the 'my_suffix' level and not NetscapeRoot.

    I assumed that the config data would be running on both dual
    masters.  Maybe I am incorrect?

    access from Master A for 'admin' bind:

    [23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from 10.10.10.24 to 10.10.10.24
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128 version=3
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping, cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101 nentries=24 etime=0
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA, cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101 nentries=13 etime=0
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101 nentries=17 etime=0
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101 nentries=24 etime=0
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
    [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1


    access from master A for 'cn=Directory Manager' bind:

    [23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from 10.10.10.24 to 10.10.10.24
    [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=3
    [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz,o=netscaperoot"
    [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager" method=128 version=3
    [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
    [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
    [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1


    These are from master A where logging in as either works fine.  It
    looks like I need to configure o=netscaperoot on master B somehow?

    thanks,

    Herb



    On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds wrote:

        Herb,

        Do you know which server is hosting the config data for the
        console (o=netscaperoot)?  If you do, please provide the
        access log output showing the "cn=directory manager" and
        "admin" binds.  It might not hurt to restart the admin server.

        Thanks,
        Mark



        On 04/23/2012 04:06 PM, Herb Burnswell wrote:
        Hi All,

        After re-initialization of a dual master server I now cannot
        log into the directory management console as cn=Directory
        Manager.  I receive the error:

        Cannot logon because of an incorrect user id, incorrect
        password, or Directory problem.
        httpException:
        Resoponse: HTTP/1.1 401 Unauthorized
        Status: 401
        URL: http://url/admin-serv/authenticate

        I know the password is correct as I can drop into an
        ldapmodify session with ./ldapmodify -D "cn=Directory
        Manager" -w <passwd> without error.

        I've seen a few inquiries about this issue around the web
        but nothing to resolve the issue.  I see the following in
        /opt/fedora-ds/admin-serv/logs/error:

         security (27749): for host <hostname> trying to GET
        /admin-serv/authenticate, basic-ncsa reports: user
        cn=Directory Manager does not exist in pwfile
        /opt/fedora-ds/admin-serv/config/admpw

        It is correct that there is not a line for cn=Directory
        Manager in admpw, but it is not located in the admpw file on
        the other dual master and I can log into its management
        console as cn=Directory Manager without error.  They both
        just contain a line for user 'admin'.

        When I try to log in as 'admin' (works fine on other dual
        master) I receive:

        cannot connect to the directory server:
        netscape.ldap.LDAPException: error result (32) matchedDN =
        ou =<domain>,o=netscaperoot; no such object

        Is there something else that I need to do after
        re-initialization?  Any guidance is greatly appreciated.

        Thanks in advance,

        Herb




        --
        389 users mailing list
        https://admin.fedoraproject.org/mailman/listinfo/389-users
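
Added example (not part of the thread and not code from the 389 project): a small Python script for the access-log check requested in the thread, pairing each BIND with its RESULT so that rejected binds, and identities that never bound at all, stand out. The sample log is constructed in the format quoted above, the function names are hypothetical, and it assumes one log entry per line (unwrapped).

```python
import re

# Constructed sample in the format quoted in this thread (conn=132 is made up).
SAMPLE_LOG = """\
[24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[24/Apr/2012:12:10:02 -0700] conn=132 fd=69 slot=69 connection from 10.10.10.25 to 10.10.10.25
[24/Apr/2012:12:10:02 -0700] conn=132 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Apr/2012:12:10:02 -0700] conn=132 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""

LDAP_ERRORS = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97 ")  # 97 = bind response

def normalize_dn(dn):
    """Lower-case and strip spaces around RDNs so logged DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def bind_results(log_text):
    """Pair every BIND with the RESULT that has the same conn/op numbers."""
    clients, pending, results = {}, {}, []
    for line in log_text.splitlines():
        if m := CONN_RE.search(line):
            clients[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[m.group(1, 2)] = normalize_dn(m.group(3))
        elif (m := RESULT_RE.search(line)) and m.group(1, 2) in pending:
            err = int(m.group(3))
            results.append({"client": clients.get(m.group(1), "unknown"),
                            "dn": pending.pop(m.group(1, 2)), "err": err,
                            "meaning": LDAP_ERRORS.get(err, "other")})
    return results

def failed_binds(log_text):
    """Binds the server rejected, e.g. err=32 when the bind entry is missing."""
    return [r for r in bind_results(log_text) if r["err"] != 0]

def results_for(log_text, identities):
    """Result codes seen per identity; an empty list means it never bound."""
    results = bind_results(log_text)
    return {i: [r["err"] for r in results if r["dn"] == i or r["dn"].startswith(i + ",")]
            for i in map(normalize_dn, identities)}

if __name__ == "__main__":
    print(failed_binds(SAMPLE_LOG))
    print(results_for(SAMPLE_LOG, ["uid=admin", "cn=Directory Manager"]))
```

An empty list for an identity means the excerpt does not cover a bind by it, so the log has to be captured again during the failing login attempt.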


