Re: [389-users] New 389 ds install - cannot logon to adm console

Fri, 14 Jan 2011 16:35:29 -0800 

On 01/14/2011 05:27 PM, Brian LaMere wrote:
well hello all, seems I'm having this problem myself....fresh install, and when I go to the configuration tab of the 389-console it tells me: 


"The user 
uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does 
not have permission to perform this operation."



When I click ok, a box appears asking for DN/pass.  If I put the 
password in the box...it continues on with no errors (thus the "mind 
annoyance").  Then again, if I just click "ok" and then "cancel" 
(meaning, I don't put in new credentials) the config tab works then 
too.  I don't actually see in the logs either what it is that I'm not 
being allowed to do, it seems to just be a superfluous re-prompting 
for the password.  On a lark, I tried putting in the /wrong/ 
password...which it did indeed not like, telling me "invalid 
credentials."  Clicked ok, then cancel...and I'm able to access the 
configuration tab even after putting in the wrong pass and not 
correcting it.  I'm assuming it is just using the original credentials 
that should have prevented the initial error in the first place, even 
though I tried putting in new credentials...



Again, fresh install, on a fresh build of Fedora14.  I am tunneling 
the console, but that shouldn't matter (?).  Is this just a bug in 
389-console?  Should I open a ticket?

Sure.  It's really not a permissions issue, it was caused by bug fix to 
1.2.7

I'm going to continue past it, since it...doesn't seem to be stopping 
me from doing anything.  I'm using the standard repos, everything is 
current:

Right.  It is annoying and should not stop you from doing anything.


389-admin-console-1.1.5-1.fc14.noarch
389-admin-console-doc-1.1.5-1.fc14.noarch
389-adminutil-1.1.13-1.fc14.x86_64
389-admin-1.1.13-2.fc14.x86_64
389-ds-console-1.2.3-1.fc14.noarch
389-ds-console-doc-1.2.3-1.fc14.noarch
389-console-1.1.4-1.fc14.noarch
389-ds-base-1.2.7.5-1.fc14.x86_64
389-dsgw-1.1.6-1.fc14.x86_64
389-ds-1.2.1-1.fc14.noarch

Did I miss the response about what might have been causing this?

Brian


On Wed, Dec 1, 2010 at 4:00 AM, trisooma <[email protected] 
<mailto:[email protected]>> wrote:


    > On 11/30/2010 04:33 PM, trisooma wrote:
    >>> On 11/30/2010 02:32 PM, Trisooma wrote:
    >>>>     On 11/30/2010 10:23 PM, Rich Megginson wrote:
    >>>>> On 11/30/2010 02:20 PM, trisooma wrote:
    >>>>>> If i am reading the code correctly (and looking at the logging
    >>>>>> below), the
    >>>>>> line that has a severity of 'crit' should dump info for the
    ldap
    >>>>>> server we
    >>>>>> are connecting to.
    >>>>>> In my case (and Eric's too) only 'ldap://:389' is printed;
    sometimes
    >>>>>> even
    >>>>>> with an odd number like 23395496 (see Eric's first post).
    >>>>>>
    >>>>>> [Tue Nov 30 22:01:43 2010] [crit] openLDAPConnection():
    >>>>>> util_ldap_init
    >>>>>> failed for ldap://:389
    >>>>>> [Tue Nov 30 22:01:43 2010] [warn] Unable to open initial
    >>>>>> LDAPConnection to
    >>>>>> populate LocalAdmin tasks into cache.
    >>>>>> [Tue Nov 30 22:01:44 2010] [notice] Apache/2.2.17 (Unix)
    configured
    >>>>>> --
    >>>>>> resuming normal operations
    >>>>>> [Tue Nov 30 22:01:44 2010] [crit] openLDAPConnection():
    >>>>>> util_ldap_init
    >>>>>> failed for ldap://:389
    >>>>>> [Tue Nov 30 22:01:44 2010] [warn] Unable to open initial
    >>>>>> LDAPConnection to
    >>>>>> populate LocalAdmin tasks into cache.
    >>>>>>
    >>>>>> The code that logs this error looks like this
    >>>>>> [mod_admserv/mod_admserv.c:517]
    >>>>>>
    >>>>>>            ap_log_error(APLOG_MARK, APLOG_CRIT, 0 /* status */,
    >>>>>> NULL,
    >>>>>>                         "openLDAPConnection():
    util_ldap_init failed
    >>>>>> for
    >>>>>> ldap%s://%s:%d",
    >>>>>>                         data->secure ? "s" : "",
    >>>>>>                         data->host, data->port);
    >>>>>>
    >>>>>> It seems that the struct 'data' is not filled with the correct
    >>>>>> values.
    >>>>> That's why I asked for your /etc/dirsrv/admin-serv/adm.conf -
    >>>>>
    http://lists.fedoraproject.org/pipermail/389-users/2010-November/012548.html
    >>>> My bad, see
    >>>>
    http://lists.fedoraproject.org/pipermail/389-users/2010-November/012551.html
    >>> First, upgrade to the latest versions of these components from the
    >>> testing repo
    >>> yum upgrade --enablerepo=updates-testing 389-admin 389-ds-base
    >>> 389-adminutil
    >>>
    >>> Then, run
    >>> setup-ds-admin.pl <http://setup-ds-admin.pl> -u
    >>>
    >>> Then try
    >>>
    >>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/
    <http://icicle.phasma.nl:389/> -D
    >>>
    "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w
    >>> youradminpassword -s base -b "cn=389 Administration
    Server,cn=Server
    >>> Group,cn=icicle.phasma.nl
    <http://icicle.phasma.nl>,ou=phasma.nl
    <http://phasma.nl>,o=NetscapeRoot"
    >>>
    >>> and
    >>>
    >>> ldapsearch -x -LLL -H ldap://icicle.phasma.nl:389/
    <http://icicle.phasma.nl:389/> -D
    >>>
    "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" -w
    >>> youradminpassword -s base -b "cn=admin-serv-icicle,cn=389
    >>> Administration
    >>> Server,cn=Server Group,cn=icicle.phasma.nl
    <http://icicle.phasma.nl>,ou=phasma.nl
    <http://phasma.nl>,o=NetscapeRoot"
    >>>
    >> Using the above i can confirm that i can now use the console to
    log in
    >> and
    >> administer my DS (though i had to remove
    selinux-policy-targeted). The
    >> command 'setup-ds-admin.pl <http://setup-ds-admin.pl> -u' ran
    without a hitch.
    >>
    >> the results of both ldap queries are below:
    >>
    >> [root@icicle /]# ldapsearch -x -LLL -H
    ldap://icicle.phasma.nl:389/ <http://icicle.phasma.nl:389/> -D
    >>
    "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
    -W -s
    >> base -b "cn=389 Administration Server,cn=Server
    >> Group,cn=icicle.phasma.nl
    <http://icicle.phasma.nl>,ou=phasma.nl
    <http://phasma.nl>,o=NetscapeRoot"
    >> Enter LDAP Password:
    >> dn: cn=389 Administration Server,cn=Server
    >> Group,cn=icicle.phasma.nl <http://icicle.phasma.nl>,ou=phasma
    >>   .nl,o=NetscapeRoot
    >> nsBuildSecurity: domestic
    >> objectClass: top
    >> objectClass: nsApplication
    >> objectClass: groupOfUniqueNames
    >> cn: 389 Administration Server
    >> nsVendor: 389 Project
    >> installationTimeStamp: 20101124210830Z
    >> nsBuildNumber: 2010.328.157
    >> uniqueMember: cn=admin-serv-icicle,cn=389 Administration
    >> Server,cn=Server
    >> Grou
    >>   p,cn=icicle.phasma.nl <http://icicle.phasma.nl>,ou=phasma.nl
    <http://phasma.nl>,o=NetscapeRoot
    >> nsServerMigrationClassname:
    >> com.netscape.management.admserv.AdminServerProduct
    >>   @389-admin-1.1.jar
    >> nsProductName: 389 Administration Server
    >> nsProductVersion: 1.1.13
    >> nsNickName: admin
    >>
    >> [root@icicle /]# ldapsearch -x -LLL -H
    ldap://icicle.phasma.nl:389/ <http://icicle.phasma.nl:389/> -D
    >>
    "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
    -W -s
    >> base -b "cn=admin-serv-icicle,cn=389 Administration
    Server,cn=Server
    >> Group,cn=icicle.phasma.nl
    <http://icicle.phasma.nl>,ou=phasma.nl
    <http://phasma.nl>,o=NetscapeRoot"
    >> Enter LDAP Password:
    >> dn: cn=admin-serv-icicle,cn=389 Administration Server,cn=Server
    >> Group,cn=icicl
    >> e.phasma.nl <http://e.phasma.nl>,ou=phasma.nl
    <http://phasma.nl>,o=NetscapeRoot
    >> objectClass: top
    >> objectClass: netscapeServer
    >> objectClass: nsAdminServer
    >> objectClass: nsResourceRef
    >> objectClass: groupOfUniqueNames
    >> serverHostName: icicle.phasma.nl <http://icicle.phasma.nl>
    >> cn: admin-serv-icicle
    >> installationTimeStamp: 20101124210830Z
    >> serverProductName: Administration Server
    >> uniqueMember: cn=admin-serv-icicle,cn=389 Administration
    >> Server,cn=Server
    >> Grou
    >>   p,cn=icicle.phasma.nl <http://icicle.phasma.nl>,ou=phasma.nl
    <http://phasma.nl>,o=NetscapeRoot
    >> nsServerID: admin-serv
    >>
    >> I proceeded to restart dirsrv-admin, and the log now looks like
    this:
    >>
    >> [Tue Nov 30 23:59:20 2010] [notice] Access Host filter is:
    *.phasma.nl <http://phasma.nl>
    >> [Tue Nov 30 23:59:20 2010] [notice] Access Address filter is: *
    >> [Tue Nov 30 23:59:21 2010] [notice] Apache/2.2.17 (Unix)
    configured --
    >> resuming normal operations
    >> [Tue Nov 30 23:59:21 2010] [notice] Access Host filter is:
    *.phasma.nl <http://phasma.nl>
    >> [Tue Nov 30 23:59:21 2010] [notice] Access Address filter is: *
    >> [Wed Dec 01 00:00:17 2010] [notice] [client 127.0.0.1]
    >> admserv_host_ip_check: ap_get_remote_host could not resolve
    127.0.0.1
    >> [Wed Dec 01 00:00:18 2010] [notice] [client 127.0.0.1]
    >> admserv_check_authz(): passing [/admin-serv/authenticate] to the
    >> userauth
    >> handler
    >> [Wed Dec 01 00:00:33 2010] [notice] [client 192.168.134.10]
    >> admserv_host_ip_check: ap_get_remote_host could not resolve
    >> 192.168.134.10
    >> [Wed Dec 01 00:00:33 2010] [error] [client 192.168.134.10] File
    does not
    >> exist: /usr/share/dirsrv/html/java/jars
    > This should be ok - it should fallback to
    /usr/share/dirsrv/html/java
    >> Still some errors are visible in the logfile,
    > The one marked [error] above, or are there others?  [notice]
    messages
    > are ok.

    No, this is the only one marked as error.

    >> but i can log in and add
    >> users/groups using the console. When i navigate to 'Directory
    Server'>
    >> 'Configuration' i get the following error message:
    >> 'Insufficient Permissions': The user
    >>
    uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot does
    >> not
    >> have permission to perform this operation.
    >> When i enter the correct credentials, it seems that everything is
    >> working
    >> as it is supposed to.
    > "correct credentials"?

    the password that is set for uid=admin,.......; This is only a minor
    annoyance, however it does seem strange that i am asked for the
    password
    again.

    >> The log complains about not being able to do a reverse lookup on
    >> 192.168.134.10, but this seems wrong (DNS works both ways):
    > Yes.  See /etc/dirsrv/admin-serv/console.conf - HostnameLookups

    oke, got it.

    >> [shadowuser@icicle ~]$ host 192.168.134.10
    >> 10.134.168.192.in-addr.arpa domain name pointer
    icicle.phasma.nl <http://icicle.phasma.nl>.
    >> [shadowuser@icicle ~]$ host icicle.phasma.nl
    <http://icicle.phasma.nl>
    >> icicle.phasma.nl <http://icicle.phasma.nl> has address
    192.168.134.10
    >>
    >> Thanks for your patience,
    >>
    >> Regards,
    >>
    >> Trisooma
    >>
    >>
    >>
    >>>>>> BTW. this code was taken from 389-admin-1.1.12.a2
    >>>>>>
    >>>>>> I hope this helps,
    >>>>>>
    >>>>>> Regards,
    >>>>>>
    >>>>>> Trisooma
    >>>>>>
    >>>>>> --
    >>>>>> 389 users mailing list
    >>>>>> [email protected]
    <mailto:[email protected]>
    >>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
    >>>> --
    >>>> 389 users mailing list
    >>>> [email protected]
    <mailto:[email protected]>
    >>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
    >>>
    >>
    >> --
    >> 389 users mailing list
    >> [email protected]
    <mailto:[email protected]>
    >> https://admin.fedoraproject.org/mailman/listinfo/389-users
    >
    >


    --
    389 users mailing list
    [email protected]
    <mailto:[email protected]>
    https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users





















					Reply via email to