Brandon Young wrote:
Hi all,

I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
the NIS gateway functionality.  I am having difficulties, and am not
even sure I'm performing the correct steps.

I am using Fedora 11 x86_64 with all the updates available as of
today.  Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
slapi-nis-0.15 (which is not the newest, but I *think* should be

I configured ipa server unattended with the following command:

[r...@freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!' -N --no-host-dns -u admin -U

At this point, I can kinit as the admin user and perform ldap searches
on the tree.  I took the example ldif file from
/usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
as described in the getting started guide here
which is devoid of specific instructions for *how* to add the ldif
entries.  I futzed around with openldap's ldapadd tool, and can't
figure out how to obtain the necessary access rights to make the
updates.  As nearly as I can tell, the only administrative user is
uid=admin,cn=users,cn=accounts,dc=example,dc=org.  If I do a simple
bind as that user it fails:

[r...@freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
"uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
Enter LDAP Password:
adding new entry "cn=NIS Server, cn=plugins, cn=config"
ldap_add: Insufficient access (50)

Why?  Am I using the wrong account?  Should I know about another
account to do this?  As nearly as I can tell, there aren't any other
accounts.  Is this the wrong tool to use?

I poked around and found the ipa-ldap-modify command.  I modified
the original example ldif file from this:

dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
nsslapd-pluginenabled: on
nsslapd-pluginid: nis-server
nsslapd-pluginversion: 0.15
nsslapd-plugindescription: NIS Server Plugin
nis-tcp-wrappers-name: nis-server

... to this:

dn: cn=NIS Server, cn=plugins, cn=config
add: objectclass: top
add: objectclass: nsSlapdPlugin
add: objectclass: extensibleObject
add: cn: NIS Server
add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/
add: nsslapd-plugininitfunc: nis_plugin_init
add: nsslapd-plugintype: object
add: nsslapd-pluginenabled: on
add: nsslapd-pluginid: nis-server
add: nsslapd-pluginversion: 0.15
add: nsslapd-pluginvendor:
add: nsslapd-plugindescription: NIS Server Plugin
add: nis-tcp-wrappers-name: nis-server

Now, issuing the command

[r...@freeipa ~]# ipa-ldap-updater nis-plugin.ldif
Directory Manager password:

Says it adds the entries.  No indication of a problem.  BUT, if I
ldapsearch -b "cn=config", I don't see the new entry.  Should I?

At any rate, when I attempt to restart dirsrv, I get the following:

[r...@freeipa ~]# service dirsrv restart
Shutting down dirsrv:
    EXAMPLE-ORG...                               [  OK  ]
Starting dirsrv:
    EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
plugins / cannot open shared object file: No such
file or directory
[13/Aug/2009:11:42:03 -0500] - Could not open library
"/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /" for plugin NIS Server
[13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
cn=plugins, cn=config"
  *** Warning: 1 instance(s) failed to start

So, ipa-ldap-updater did *something*.  I have no idea why the plugin
path is getting mangled the way it is, though.  Symlinking doesn't
seem to fix the issue, either.  I'm stumped, and suspect I'm doing
something completely boneheaded.  Does anyone else have this working?
Any guidance would be greatly appreciated.

With ldapadd or ldapmodify you want to use the Directory Manager credentials, so this would have worked:

% ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif

You don't see the entries under cn=config because you need to be Directory Manager to see them:

% ldapsearch -x -D "cn=directory manager" -W -b "cn=config"

I'd have to see what the config entry looks like to see why it isn't starting. IIRC DS prints a rather odd message when it can't load a plugin, though this looks particularly strange. It could be that the updater didn't write the entry properly.
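
A pre-flight check for the plugin-load failure shown in this thread, as an added example (not code from either poster or from the FreeIPA or slapi-nis projects). It assumes a single-entry LDIF fragment in either the plain form or the "add: attr: value" form quoted above; the function names and the sample are hypothetical.

```python
import os
import re

# Matches "attr: value" and the updater-style "add: attr: value" seen in the thread.
LINE = re.compile(r"^(?:add:\s*)?([A-Za-z][\w-]*):\s*(.*)$")

def parse_entry(text):
    """Return {attr_lowercase: [values]} for a single-entry LDIF fragment."""
    attrs = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        m = LINE.match(raw)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return attrs

def check_plugin_path(text):
    """List problems with nsslapd-pluginpath; an empty list means none found."""
    values = parse_entry(text).get("nsslapd-pluginpath", [])
    if len(values) != 1:
        return ["expected exactly one nsslapd-pluginpath, found %d" % len(values)]
    path, problems = values[0], []
    if re.search(r"\s", path):
        problems.append("path contains whitespace: %r" % path)
    if os.path.isabs(path):  # relative names are left to the server to resolve
        if os.path.isdir(path):
            problems.append("path is a directory, not a shared object: %r" % path)
        elif not os.path.isfile(path):
            problems.append("no such file: %r" % path)
    return problems

# Constructed sample modelled on the entry in the thread (not a real config dump).
SAMPLE = """dn: cn=NIS Server, cn=plugins, cn=config
add: cn: NIS Server
add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/
add: nsslapd-plugininitfunc: nis_plugin_init
"""

if __name__ == "__main__":
    for problem in check_plugin_path(SAMPLE) or ["no problems found"]:
        print(problem)
```

Running it against the file before loading it, and again against the entry returned by the Directory Manager ldapsearch above, shows whether the path was already wrong in the input or was altered when written.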

