Aha! That worked, and the ldapadd was successful, and the ldapsearch revealed the new entries, and the dirsrv restarted! Now I can see ypserv when I look at rpcinfo. Thank you very much, Rob.
-- Brandon

On Thu, Aug 13, 2009 at 2:38 PM, Rob Crittenden<[email protected]> wrote:
> Brandon Young wrote:
>>
>> Hi all,
>>
>> I am interested in deploying FreeIPA 1.2.1 on Fedora-11, and testing
>> the NIS gateway functionality. I am having difficulties, and am not
>> even sure I'm performing the correct steps.
>>
>> I am using Fedora 11 x86_64 with all the updates available as of
>> today. Using ipa-server-1.2.1-4.fc11.x86_64.rpm, which provides
>> slapi-nis-0.15 (which is not the newest, but I *think* should be
>> fine).
>>
>> I configured ipa server unattended with the following command:
>>
>> [r...@freeipa ~]# /usr/sbin/ipa-server-install -r EXAMPLE.ORG -n
>> example.org -p 'secretpw!!' -a 'secretpw!!' -P 'secretpw!!'
>> --hostname=freeipa.example.org -N --no-host-dns -u admin -U
>>
>>
>> At this point, I can kinit as the admin user and perform ldap searches
>> on the tree. I took the example ldif file from
>> /usr/share/doc/slapi-nis-0.15/nis-plugin.ldif and attempted to add it
>> as described in the getting started guide here
>>
>> (http://git.fedorahosted.org/git/slapi-nis.git/doc?p=slapi-nis.git;a=blob_plain;f=doc/nis-getting-started.txt),
>> which is devoid of specific instructions for *how* to add the ldif
>> entries. I futzed around with openldap's ldapadd tool, and can't
>> figure out how to obtain the necessary access rights to make the
>> updates. As nearly as I can tell, the only administrative user is
>> uid=admin,cn=users,cn=accounts,dc=example,dc=org. If I do a simple
>> bind as that user it fails:
>>
>> [r...@freeipa ~]# ldapadd -a -f nis-plugin.ldif -D
>> "uid=admin,cn=users,cn=accounts,dc=stowers-institute,dc=org" -W -x
>> Enter LDAP Password:
>> adding new entry "cn=NIS Server, cn=plugins, cn=config"
>> ldap_add: Insufficient access (50)
>>
>> Why? Am I using the wrong account? Should I know about another
>> account to do this? As nearly as I can tell, there aren't any other
>> accounts. Is this the wrong tool to use?
>>
>> I poked around and found the ipa-ldap-modify command. After I modified
>> the original example ldif file from this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectclass: top
>> objectclass: nsSlapdPlugin
>> objectclass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-plugininitfunc: nis_plugin_init
>> nsslapd-plugintype: object
>> nsslapd-pluginenabled: on
>> nsslapd-pluginid: nis-server
>> nsslapd-pluginversion: 0.15
>> nsslapd-pluginvendor: redhat.com
>> nsslapd-plugindescription: NIS Server Plugin
>> nis-tcp-wrappers-name: nis-server
>>
>>
>> ... to this:
>>
>> dn: cn=NIS Server, cn=plugins, cn=config
>> add: objectclass: top
>> add: objectclass: nsSlapdPlugin
>> add: objectclass: extensibleObject
>> add: cn: NIS Server
>> add: nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
>> add: nsslapd-plugininitfunc: nis_plugin_init
>> add: nsslapd-plugintype: object
>> add: nsslapd-pluginenabled: on
>> add: nsslapd-pluginid: nis-server
>> add: nsslapd-pluginversion: 0.15
>> add: nsslapd-pluginvendor: redhat.com
>> add: nsslapd-plugindescription: NIS Server Plugin
>> add: nis-tcp-wrappers-name: nis-server
>>
>>
>> Now, issuing the command
>>
>> [r...@freeipa ~]# ipa-ldap-updater nis-plugin.ldif
>> Directory Manager password:
>>
>>
>> Says it adds the entries. No indication of a problem. BUT, if I
>> ldapsearch -b "cn=config", I don't see the new entry. Should I?
>>
>> At any rate, when I attempt to restart dirsrv, I get the following:
>>
>> [r...@freeipa ~]# service dirsrv restart
>> Shutting down dirsrv:
>>    EXAMPLE-ORG...                                  [ OK ]
>> Starting dirsrv:
>>    EXAMPLE-ORG...[13/Aug/2009:11:42:03 -0500] - Netscape Portable
>> Runtime error -5977: /usr/64/dirsrv/plugins// usr / lib64 / dirsrv /
>> plugins / nisserver-plugin.so: cannot open shared object file: No such
>> file or directory
>> [13/Aug/2009:11:42:03 -0500] - Could not open library
>> "/usr/64/dirsrv/plugins// usr / lib64 / dirsrv / plugins /
>> nisserver-plugin.so" for plugin NIS Server
>> [13/Aug/2009:11:42:03 -0500] - Unable to load plugin "cn=NIS Server,
>> cn=plugins, cn=config"
>> [FAILED]
>> *** Warning: 1 instance(s) failed to start
>>
>>
>>
>> So, ipa-ldap-updater did *something*. I have no idea why the plugin
>> path is getting mangled the way it is, though. Symlinking doesn't
>> seem to fix the issue, either. I'm stumped, and suspect I'm doing
>> something completely boneheaded. Does anyone else have this working?
>> Any guidance would be greatly appreciated.
>
> With ldapadd or ldapmodify you want to use the Directory Manager
> credentials, so this would have worked:
>
> % ldapadd -x -D "cn=directory manager" -W -f nis-plugin.ldif
>
> You don't see the entries under cn=config because you need to be Directory
> Manager to see them:
>
> % ldapsearch -x -D "cn=directory manager" -W -b "cn=config"
>
> I'd have to see what the config entry looks like to see why it isn't
> starting. IIRC DS prints a rather odd message when it can't load a plugin,
> though this looks particularly strange. It could be that the updater didn't
> write the entry properly.
>
> rob
>

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
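A pre-flight check for the plugin entry discussed in this thread, as an added example that is not part of the original messages or of the FreeIPA or slapi-nis code: it parses the LDIF and reports problems such as the whitespace-mangled nsslapd-pluginpath seen in the startup log, before dirsrv is restarted. The function names and the choice of checks are assumptions made for illustration, and the sample input is constructed from the entry quoted above.

```python
import os

# Constructed sample: the plugin entry quoted in the thread, as plain LDIF.
SAMPLE_LDIF = """\
dn: cn=NIS Server, cn=plugins, cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: NIS Server
nsslapd-pluginpath: /usr/lib64/dirsrv/plugins/nisserver-plugin.so
nsslapd-plugininitfunc: nis_plugin_init
nsslapd-plugintype: object
"""

def parse_entry(text):
    """Parse one simple LDIF entry (no base64 values) into {attr: [values]}."""
    entry, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last:  # folded continuation line
            entry[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last = attr.strip().lower()
        entry.setdefault(last, []).append(value.strip())
    return entry

def check_plugin_entry(text, path_exists=os.path.isfile):
    """Return the problems found; an empty list means the entry looks loadable."""
    entry, problems = parse_entry(text), []
    if "add" in entry:
        problems.append("lines start with 'add:'; not a plain LDIF entry for ldapadd")
    classes = [v.lower() for v in entry.get("objectclass", [])]
    if "nsslapdplugin" not in classes:
        problems.append("objectclass nsSlapdPlugin missing")
    if not entry.get("nsslapd-plugininitfunc"):
        problems.append("nsslapd-plugininitfunc missing")
    paths = entry.get("nsslapd-pluginpath", [])
    if len(paths) != 1:
        problems.append("expected exactly one nsslapd-pluginpath")
    elif not paths[0].startswith("/") or any(c.isspace() for c in paths[0]):
        problems.append("nsslapd-pluginpath is not a clean absolute path: %r" % paths[0])
    elif not path_exists(paths[0]):
        problems.append("plugin library not found: " + paths[0])
    return problems

if __name__ == "__main__":
    print(check_plugin_entry(SAMPLE_LDIF) or "entry looks loadable")
```

The same function can be pointed at the output of an ldapsearch for the plugin entry run with the Directory Manager bind, to check what was actually stored under cn=config.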
