Ok, I was able to get it working. I just went to a backup of the files prior to when I did the bak2db of master A to master B. I replaced /path/to/db/NetscapeRoot/* files with the backed up files.

Now the search:

./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot "cn=admin-serv-*"

returns the expected results and I'm able to log into the DS console.

Mark, thanks for all of your help. At least I'm learning with each mistake ;-)...

Herb

On Tue, Apr 24, 2012 at 3:52 PM, Herb Burnswell <[email protected]> wrote:

> Hey Mark,
>
> Yes, I thought that would be a problem. I did try to set up an admin
> domain on master A that points to master B but it simply says "fail to
> create network domain". As you can likely see, I'm not the most versed in
> LDAP. I'm not sure how to do this search you suggested:
>
> >Do a ldapsearch on o=netscaperoot and look for:
>
> .dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
> Server, >cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
>
> Can you give me the syntax that would be used?
>
> thanks again,
>
> Herb
>
>
> On Tue, Apr 24, 2012 at 2:12 PM, Mark Reynolds <[email protected]> wrote:
>
>> Hi Herb,
>>
>> Ok you shouldn't be using "o=netscaperoot" from a different machine, but
>> if both machines are setup EXACTLY the same way, then you might be able to
>> replace the hostname. But this is error prone, and we should try and get
>> the master B registered on master A's console. Did you try setting up an
>> admin domain that points to master B's machine?
>>
>> see comments below...
>>
>>
>> On 04/24/2012 04:11 PM, Herb Burnswell wrote:
>>
>> Hi Mark,
>>
>> Thanks for getting back to me, sorry about the confusion. Here's the
>> logs from master B console log on attempts:
>>
>> [24/Apr/2012:12:09:23 -0700] conn=130 fd=67 slot=67 connection from
>> 10.10.10.25 to 10.10.10.25
>> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND
>> dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server
>> Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
>> method=128 version=2
>> [24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97
>> nentries=0 etime=0
>> [24/Apr/2012:12:09:23 -0700] conn=131 fd=68 slot=68 connection from
>> 10.10.10.25 to 10.10.10.25
>> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 BIND
>> dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server
>> Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
>> method=128 version=2
>> [24/Apr/2012:12:09:23 -0700] conn=131 op=0 RESULT err=32 tag=97
>> nentries=0 etime=0
>>
>> This isn't the right bind dn we are looking for. :-) We want to see
>> the results from "uid=admin" and "cn=directory manager".
>>
>>
>> [24/Apr/2012:12:32:47] security (23835): for host
>> masterB.sub.domain.biz trying to GET /admin-serv/authenticate,
>> admin40_host_ip_check reports:
>> Unauthorized host ip=10.10.10.25, connection rejected
>>
>> This might be caused by some access restrictions. Do a ldapsearch on
>> o=netscaperoot and look for:
>>
>> dn: cn=configuration, cn=admin-serv-HOSTNAME, cn=389 Administration
>> Server, cn=Server Group, cn=HOST.DOMAIN, ou=DOMAIN, o=NetscapeRoot
>>
>> nsAdminAccessAddresses
>> nsAdminAccessHosts
>>
>> Use ldapmodify to change the settings if needed. Make sure that the host
>> you are trying to connect from is allowed by the settings. You could just
>> set both to "*" for now. You will need to restart the admin server for
>> this change to take effect.
>>
>> Thanks,
>> Mark
>>
>>
>> When I was trying to get replication working, I did an initialization of
>> master B from master A backup files (NetscapeRoot and <my_suffix>). I've
>> since done a re-initialization of <my_suffix> to master B from master A
>> console. When I do a search on master B:
>>
>> ./ldapsearch -D "cn=Directory Manager" -w <passwd> -b o=netscaperoot
>> "cn=admin-serv-*"
>>
>> version: 1
>> dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
>> Group,
>> cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
>> objectClass: top
>> objectClass: netscapeServer
>> objectClass: nsAdminServer
>> objectClass: nsResourceRef
>> objectClass: groupOfUniqueNames
>> cn: admin-serv-masterA
>> nsServerID: admin-serv
>> serverRoot: /opt/fedora-ds
>> serverProductName: Administration Server
>> serverHostName: masterA.sub.domain.biz
>> uniqueMember: cn=admin-serv-masterA, cn=Fedora Administration Server,
>> cn=Serv
>> er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
>> installationTimeStamp: 20050916201912Z
>> userPassword: {SSHA}U4pL3RzNjF2Sder0+NBLIJNZtLEoim6tZfcxjA==
>>
>>
>> Yes, this version and install is very old. But it appears that all of
>> master A information is on master B regarding admin-serv-<hostname> user on
>> master B. This is not correct right?
>>
>> I read the documentation that you sent but my install does not include
>> setup-ds-admin.pl, my version is DS 7.1. Is there a way to simply edit
>> the admin-serv-<hostname> if that is in fact the problem?
>>
>> TIA,
>>
>> Herb
>>
>> On Tue, Apr 24, 2012 at 8:34 AM, Mark Reynolds <[email protected]> wrote:
>>
>>> Hi Herb,
>>>
>>> I wanted to see the logs from the server that wasn't working. According
>>> to these logs everything is fine. So, you can log into the console for
>>> master A, but not master B. Most likely there is no configuration
>>> instance/admin server setup. There are a few options. One, you could
>>> register master B in the Master A console (using Create New Administration
>>> Domain feature), and just use that console to manage both servers. Two,
>>> setup a new config instance on the master B machine, and use a separate
>>> console.
>>>
>>> Option one is definitely the best option. You can still use the console
>>> GUI on master B if you want to, but point it to the master A in the
>>> administration URL.
>>>
>>> Here are some links to some useful documents on this:
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.0/html/Installation_Guide/Installation_Guide-Advanced_Configuration-Making-DS.html
>>>
>>> http://www.google.com/url?sa=t&rct=j&q=red%20hat%20directory%20server%20register%20instance%20in%20console&source=web&cd=1&ved=0CCQQFjAA&url=http%3A%2F%2Fdocs.redhat.com%2Fdocs%2Fen-US%2FRed_Hat_Directory_Server%2F8.2%2Fpdf%2FUsing_Red_Hat_Console%2FRed_Hat_Directory_Server-8.2-Using_Red_Hat_Console-en-US.pdf&ei=CMCWT_iAL-qD6AGHjsiUDg&usg=AFQjCNFEcvk6fUEU7UFEbsQI2XDK0fq_aA&cad=rja
>>>
>>> Let me know if you have any questions.
>>>
>>> Mark
>>>
>>> On 04/23/2012 07:48 PM, Herb Burnswell wrote:
>>>
>>> Hey Mark,
>>>
>>> Well, to back up a bit, of the dual masters (A & B) only A has been
>>> running consistently for many years. That is why I needed to do a
>>> re-initialization of B. The re-initialization was done at the 'my_suffix'
>>> level and not NetscapeRoot.
>>>
>>> I assumed that the config data would be running on both dual masters.
>>> Maybe I am incorrect?
>>>
>>> access from Master A for 'admin' bind:
>>>
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 fd=71 slot=71 connection from
>>> 10.10.10.24 to 10.10.10.24
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 BIND dn="uid=admin,
>>> ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" method=128
>>> version=3
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0
>>> dn="uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot"
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 SRCH base="cn=statusping,
>>> cn=operation, cn=tasks, cn=admin-serv-masterA, cn=fedora administration
>>> server, cn=server group, cn=masterA.sub.domain.biz, ou=sub.domain.biz,
>>> o=netscaperoot" scope=0 filter="(nsExecRef=*)" attrs="nsExecRef
>>> nsLogSuppress"
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=1 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 SRCH
>>> base="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
>>> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
>>> scope=2 filter="(nsExecRef=*)" attrs="nsExecRef nsLogSuppress"
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=2 RESULT err=0 tag=101
>>> nentries=24 etime=0
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 SRCH base="cn=slapd-masterA,
>>> cn=Fedora Directory Server, cn=Server Group, cn=masterA.sub.domain.biz,
>>> ou=sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
>>> attrs="nsExecRef nsLogSuppress"
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=3 RESULT err=0 tag=101
>>> nentries=13 etime=0
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 SRCH base="cn=Fedora
>>> Directory Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
>>> sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
>>> attrs="nsExecRef nsLogSuppress"
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=4 RESULT err=0 tag=101
>>> nentries=17 etime=0
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 SRCH base="cn=Fedora
>>> Administration Server, cn=Server Group, cn=masterA.sub.domain.biz, ou=
>>> sub.domain.biz, o=NetscapeRoot" scope=2 filter="(nsExecRef=*)"
>>> attrs="nsExecRef nsLogSuppress"
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=5 RESULT err=0 tag=101
>>> nentries=24 etime=0
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 UNBIND
>>> [23/Apr/2012:16:07:50 -0700] conn=2575 op=6 fd=71 closed - U1
>>>
>>>
>>> access from master A for 'cn=Directory Manager' bind:
>>>
>>> [23/Apr/2012:16:37:36 -0700] conn=2594 fd=68 slot=68 connection from
>>> 10.10.10.24 to 10.10.10.24
>>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 BIND
>>> dn="cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Server
>>> Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot"
>>> method=128 version=3
>>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0 dn="cn=admin-serv-masterA,cn=fedora administration
>>> server,cn=server group,cn=masterA.sub.domain.biz,ou=sub.domain.biz
>>> ,o=netscaperoot"
>>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory
>>> Manager" method=128 version=3
>>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97
>>> nentries=0 etime=0 dn="cn=directory manager"
>>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 UNBIND
>>> [23/Apr/2012:16:37:36 -0700] conn=2594 op=2 fd=68 closed - U1
>>>
>>>
>>> These are from master A where logging in as either works fine. It looks
>>> like I need to configure o=netscaperoot on master B somehow?
>>>
>>> thanks,
>>>
>>> Herb
>>>
>>>
>>> On Mon, Apr 23, 2012 at 1:13 PM, Mark Reynolds <[email protected]> wrote:
>>>
>>>> Herb,
>>>>
>>>> Do you know which server is hosting the config data for the
>>>> console (o=netscaperoot)? If you do, please provide the access log output
>>>> showing the "cn=directory manager" and "admin" binds? It might not hurt to
>>>> restart the admin server.
>>>>
>>>> Thanks,
>>>> Mark
>>>>
>>>>
>>>> On 04/23/2012 04:06 PM, Herb Burnswell wrote:
>>>>
>>>> Hi All,
>>>>
>>>> After re-initialization of a dual master server I now cannot log into
>>>> the directory management console as cn=Directory Manager. I receive the
>>>> error:
>>>>
>>>> Cannot logon because of an incorrect user id, incorrect password, or
>>>> Directory problem.
>>>> httpException:
>>>> Resoponse: HTTP/1.1 401 Unauthorized
>>>> Status: 401
>>>> URL: http://url/admin-serv/authenticate
>>>>
>>>> I know the password is correct as I can drop into an ldapmodify session
>>>> with ./ldapmodify -D "cn=Directory Manager" -w <passwd> without error.
>>>>
>>>> I've seen a few inquiries about this issue around the web but nothing
>>>> to resolve the issue. I see the following in
>>>> /opt/fedora-ds/admin-serv/logs/error:
>>>>
>>>> security (27749): for host <hostname> trying to GET
>>>> /admin-serv/authenticate, basic-ncsa reports: user cn=Directory Manager
>>>> does not exist in pwfile /opt/fedora-ds/admin-serv/config/admpw
>>>>
>>>> It is correct that there is not a line for cn=Directory Manager in
>>>> admpw, but it is not located in the admpw file on the other dual master and
>>>> I can log into its management console as cn=Directory Manager without
>>>> error. They both just contain a line for user 'admin'.
>>>>
>>>> When I try to log in as 'admin' (works fine on other dual master) I
>>>> receive:
>>>>
>>>> cannot connect to the directory server:
>>>> netscape.ldap.LDAPException: error result (32) matchedDN = ou
>>>> =<domain>,o=netscaperoot; no such object
>>>>
>>>> Is there something else that I need to do after re-initialization? Any
>>>> guidance is greatly appreciated.
>>>>
>>>> Thanks in advance,
>>>>
>>>> Herb
>>>>
>>>> --
>>>> 389 users mailing list
>>>> [email protected]
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
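
The failure discussed in this thread (the console's bind DN on master B returning err=32 while o=NetscapeRoot held only master A's admin-serv entry) can be checked mechanically. The Python below is an added example, not part of the original messages or of the directory server; the sample log and LDIF are constructed from lines quoted in the thread, and the function names are hypothetical.

```python
import re
# Constructed sample: access-log lines modelled on those quoted in the thread,
# unwrapped to one operation per line as the server writes them.
ACCESS_LOG = """\
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 BIND dn="cn=admin-serv-masterB, cn=Fedora Administration Server, cn=Server Group, cn=masterB.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot" method=128 version=2
[24/Apr/2012:12:09:23 -0700] conn=130 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 BIND dn="cn=Directory Manager" method=128 version=3
[23/Apr/2012:16:37:36 -0700] conn=2594 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""
# Constructed sample: ldapsearch output on master B, with an LDIF-folded dn line.
LDIF = """\
version: 1
dn: cn=admin-serv-masterA, cn=Fedora Administration Server, cn=Serv
 er Group, cn=masterA.sub.domain.biz, ou=sub.domain.biz, o=NetscapeRoot
cn: admin-serv-masterA
"""
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def norm_dn(dn):
    # Assumption: simple DNs only (no escaped commas inside RDN values).
    return ",".join(part.strip().lower() for part in dn.split(","))

def failed_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op); return [(dn, err)] where err != 0."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        bind, result = BIND_RE.search(line), RESULT_RE.search(line)
        if bind:
            pending[bind.group(1, 2)] = bind.group(3)
        elif result and result.group(1, 2) in pending:
            dn = pending.pop(result.group(1, 2))
            if result.group(3) != "0":
                failures.append((dn, int(result.group(3))))
    return failures

def ldif_dns(ldif_text):
    """Unfold LDIF continuation lines (newline + one space), then collect entry DNs."""
    unfolded = ldif_text.replace("\n ", "")
    return {norm_dn(l[3:]) for l in unfolded.splitlines() if l.startswith("dn:")}

def missing_bind_entries(log_text, ldif_text):
    """Bind DNs rejected with err=32 (no such object) that have no entry in the LDIF."""
    present = ldif_dns(ldif_text)
    return [dn for dn, err in failed_binds(log_text)
            if err == 32 and norm_dn(dn) not in present]

if __name__ == "__main__":
    for dn in missing_bind_entries(ACCESS_LOG, LDIF):
        print("no entry under o=NetscapeRoot for bind DN:", dn)
```
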
