Aha! That worked, and the ldapadd was successful, and the ldapsearch
revealed the new entries, and the dirsrv restarted! Now I can see
ypserv when I look at rpcinfo. Thank you very much, Rob.
--
Brandon
On Thu, Aug 13, 2009 at 2:38 PM, Rob Crittenden wrote:
> Brandon Young wrote:
>>
>> Hi all,
>>
>> I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
>> the NIS gateway functionality. I am having difficulties, and am not
>> even sure I'm performing the correct steps.
>>
>> I am using Fedora 11 x86_64 with all the updates available as of
>> today. Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
>> slapi-nis-0.15 (which is not the newest, but I *think* should be
>> fine).
>>
>> I configured ipa server unattended with the following command:
>>
>> [r...@freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
>> example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
>> --hostname=freeipa.example.org -N --no-host-dns -u admin -U
>>
>>
>> At this point, I can kinit as the admin user and perform ldap searches
>> on the tree. I took the example ldif file from
>> /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
>> as described in the getting started guide here
>>
>> (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
>> which is devoid of specific instructions for *how* to add the ldif
>> entries. I futzed around with openldap's ldapadd tool, and can't
>> figure out how to obtain the necessary access rights to make the
>> updates. As nearly as I can tell, the only administrative user is
>> uid=admin,cn=users,cn=accounts,dc=example,dc=org. If I do a simple
>> bind as that user it fails:
>>
>> [r...@freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
>> "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
>> Enter LDAP Password:
>> adding new entry "cn=NIS Server, cn=plugins, cn=config"
>> ldap_add: Insufficient access (50)
>>
>> Why? Am I using the wrong account? Should I know about another
>> account to do this? As nearly as I can tell, there aren't any other
>> accounts. Is this the wrong tool to use?
>>
>> I poked around and found the ipa-ldap-modify command. After I modified
>> the original example ldif file from this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: nsSlapdPlugin
>> objectclass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-plugininitfunc: nis_plugin_init
>> nsslapd-plugintype: object
>> nsslapd-pluginenabled: on
>> nsslapd-pluginid: nis-server
>> nsslapd-pluginversion: 0.15
>> nsslapd-pluginvendor: redhat.com
>> nsslapd-plugindescription: NIS Server Plugin
>> nis-tcp-wrappers-name: nis-server
>>
>>
>> ... to this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> add: objectclass: top
>> add: objectclass: nsSlapdPlugin
>> add: objectclass: extensibleObject
>> add: cn: NIS Server
>> add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> add: nsslapd-plugininitfunc: nis_plugin_init
>> add: nsslapd-plugintype: object
>> add: nsslapd-pluginenabled: on
>> add: nsslapd-pluginid: nis-server
>> add: nsslapd-pluginversion: 0.15
>> add: nsslapd-pluginvendor: redhat.com
>> add: nsslapd-plugindescription: NIS Server Plugin
>> add: nis-tcp-wrappers-name: nis-server
>>
>>
>> Now, issuing the command
>>
>> [r...@freeipa ~]# ipa-ldap-updater nis-plugin.ldif
>> Directory Manager password:
>>
>>
>> Says it adds the entries. No indication of a problem. BUT, if I
>> ldapsearch -b "cn=config", I don't see the new entry. Should I?
>>
>> At any rate, when I attempt to restart dirsrv, I get the following:
>>
>> [r...@freeipa ~]# service dirsrv restart
>> Shutting down dirsrv:
>> EXAMPLE-ORG... [ OK ]
>> Starting dirsrv:
>> EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
>> Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
>> plugins / nisserver-plugin.so: cannot open shared object file: No such
>> file or directory
>> [13/Aug/2009:11:42:03 -0500] - Could not open library
>> "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
>> nisserver-plugin.so" for plugin NIS Server
>> [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
>> cn=plugins, cn=config"
>> [FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>>
>>
>> So, ipa-ldap-updater did *something*. I have no idea why the plugin
>> path is getting mangled the way it is, though. Symlinking doesn't
>> seem to fix the issue, either. I'm stumped, and suspect I'm doing
>> something completely boneheaded. Does anyone else have this working?
>> Any guidance would be greatly appreciated.
>
> With ldapadd or ldapmodify you want to use the Directory Manager
> credentials, so this would have worked:
>
> % ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ld