Brandon Young wrote:
Hi all,

I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing the NIS gateway functionality. I am having difficulties, and am not even sure I'm performing the correct steps.

I am using Fedora 11 x86_64 with all the updates available as of today. Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides slapi-nis-0.15 (which is not the newest, but I *think* should be fine).

I configured ipa server unattended with the following command:

    [r...@freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!' --hostname=freeipa.example.org -N --no-host-dns -u admin -U

At this point, I can kinit as the admin user and perform ldap searches on the tree.

I took the example ldif file from /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it as described in the getting started guide here (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt), which is devoid of specific instructions for *how* to add the ldif entries.

I futzed around with openldap's ldapadd tool, and can't figure out how to obtain the necessary access rights to make the updates. As nearly as I can tell, the only administrative user is uid=admin,cn=users,cn=accounts,dc=example,dc=org. If I do a simple bind as that user it fails:

    [r...@freeipa ~]# ldapadd -a -f nis-plugin.ldif -D "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
    Enter LDAP Password:
    adding new entry "cn=NIS Server, cn=plugins, cn=config"
    ldap_add: Insufficient access (50)

Why? Am I using the wrong account? Should I know about another account to do this? As nearly as I can tell, there aren't any other accounts. Is this the wrong tool to use?

I poked around and found the ipa-ldap-modify command.

After I modified the original example ldif file from this:

    dn: cn=NIS Server, cn=plugins, cn=config
    objectclass: top
    objectclass: nsSlapdPlugin
    objectclass: extensibleObject
    cn: NIS Server
    nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
    nsslapd-plugininitfunc: nis_plugin_init
    nsslapd-plugintype: object
    nsslapd-pluginenabled: on
    nsslapd-pluginid: nis-server
    nsslapd-pluginversion: 0.15
    nsslapd-pluginvendor: redhat.com
    nsslapd-plugindescription: NIS Server Plugin
    nis-tcp-wrappers-name: nis-server

... to this:

    dn: cn=NIS Server, cn=plugins, cn=config
    add: objectclass: top
    add: objectclass: nsSlapdPlugin
    add: objectclass: extensibleObject
    add: cn: NIS Server
    add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
    add: nsslapd-plugininitfunc: nis_plugin_init
    add: nsslapd-plugintype: object
    add: nsslapd-pluginenabled: on
    add: nsslapd-pluginid: nis-server
    add: nsslapd-pluginversion: 0.15
    add: nsslapd-pluginvendor: redhat.com
    add: nsslapd-plugindescription: NIS Server Plugin
    add: nis-tcp-wrappers-name: nis-server

Now, issuing the command

    [r...@freeipa ~]# ipa-ldap-updater nis-plugin.ldif
    Directory Manager password:

Says it adds the entries. No indication of a problem. BUT, if I ldapsearch -b "cn=config", I don't see the new entry. Should I?

At any rate, when I attempt to restart dirsrv, I get the following:

    [r...@freeipa ~]# service dirsrv restart
    Shutting down dirsrv: EXAMPLE-ORG... [ OK ]
    Starting dirsrv: EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins / nisserver-plugin.so: cannot open shared object file: No such file or directory
    [13/Aug/2009:11:42:03 -0500] - Could not open library "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins / nisserver-plugin.so" for plugin NIS Server
    [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server, cn=plugins, cn=config"
    [FAILED]
    *** Warning: 1 instance(s) failed to start

So, ipa-ldap-updater did *something*. I have no idea why the plugin path is getting mangled the way it is, though. Symlinking doesn't seem to fix the issue, either.

I'm stumped, and suspect I'm doing something completely boneheaded. Does anyone else have this working? Any guidance would be greatly appreciated.

With ldapadd or ldapmodify you want to use the Directory Manager credentials, so this would have worked:

    % ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif

You don't see the entries under cn=config because you need to be Directory Manager to see them:

    % ldapsearch -x -D "cn=directory manager" -W -b "cn=config"

I'd have to see what the config entry looks like to see why it isn't starting. IIRC DS prints a rather odd message when it can't load a plugin, though this looks particularly strange. It could be that the updater didn't write the entry properly.
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users
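
The reply above asks to see the stored config entry. As an added example (not part of the original thread, and not FreeIPA or slapi-nis code), this Python script parses the LDIF that the Directory Manager ldapsearch returns for the plugin entry and flags an nsslapd-pluginpath that was stored with embedded whitespace or that names a missing file. The sample entry and both function names are constructed for illustration.

```python
import base64
import os

# Constructed sample (not from a real server): the plugin entry as an
# ldapsearch bound as Directory Manager might print it if the path was
# written with stray spaces.
SAMPLE_LDIF = """\
dn: cn=NIS Server,cn=plugins,cn=config
objectClass: nsSlapdPlugin
cn: NIS Server
nsslapd-pluginPath: / usr / lib64 / dirsrv / plugins / nisserver-plugin.so
nsslapd-pluginInitfunc: nis_plugin_init
nsslapd-pluginEnabled: on
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):   # skip blanks and comments
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                # "attr:: <base64 value>"
            raw_value = base64.b64decode(rest[1:].strip())
            value = raw_value.decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry

def check_plugin_path(entry, exists=os.path.isfile):
    """Return a list of problems found in the entry's nsslapd-pluginpath."""
    paths = entry.get("nsslapd-pluginpath", [])
    if len(paths) != 1:
        return ["expected one nsslapd-pluginpath, found %d" % len(paths)]
    path, problems = paths[0], []
    if any(ch.isspace() for ch in path):
        problems.append("path contains whitespace: %r" % path)
    # Only absolute paths are checked on disk; other names are left alone.
    if os.path.isabs(path) and not exists(path):
        problems.append("no such file: %r" % path)
    return problems

if __name__ == "__main__":
    for problem in check_plugin_path(parse_ldif_entry(SAMPLE_LDIF)):
        print("WARNING:", problem)
```

Run it on the directory server host so the file check sees the same filesystem as dirsrv.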