hi!
I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm trying to have a Nagios check for the replication status (without indicating a password). I found this article: https://danieljamesscott.org/11-articles/application-guides/26-freeipa-replication-monitoring.html. It's exactly what I want to do
but, when I try to do the ldapmodify thing with grant_anonymous_replication_view.ldif (only changing cn="dc=example,dc=com" according to my installation), I get:
$ ldapmodify -x -D "cn=directory manager" -W -f grant_anonymous_replication_view.ldif -h ipa.mydomain.com.ar
Enter LDAP Password:
and it doesn't accept admin or directory manager password (?)
do I have to make other changes to the ldif?
or, what is the password I need?
or, is it another way of making this test without indicating passwords in plaintext?
thanks in advance, René
On 05/18/2018 03:01 PM, None via FreeIPA-users wrote:
hi!
I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm trying to have a Nagios check for the replication status (without indicating a password). I found this article: https://danieljamesscott.org/11-articles/application-guides/26-freeipa-replication-monitoring.html. It's exactly what I want to do
but, when I try to do the ldapmodify thing with grant_anonymous_replication_view.ldif (only changing cn="dc=example,dc=com" according to my installation), I get:
$ ldapmodify -x -D "cn=directory manager" -W -f grant_anonymous_replication_view.ldif -h ipa.mydomain.com.ar
Enter LDAP Password:
and it doesn't accept admin or directory manager password (?)
Do you get an invalid credentials error (49), or?
do I have to make other changes to the ldif?
No
or, what is the password I need?
Only you would know, if you don't know it then you can always reset the directory manager password:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
HTH, Mark
or, is it another way of making this test without indicating passwords in plaintext?
thanks in advance, René
On 18/05/18 at 16:09, Mark Reynolds wrote:
Do you get an invalid credentials error (49), or?
that's right, I get: ldap_bind: Invalid credentials (49)
do I have to make other changes to the ldif?
No
or, what is the password I need?
Only you would know, if you don't know it then you can always reset the directory manager password:
http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
I do have admin and directory manager password, I tried with both, and I got the same result (?)
thanks, René
On 05/18/2018 03:13 PM, ipa@tecnoaccion.com.ar wrote:
that's right, I get: ldap_bind: Invalid credentials (49)
I do have admin and directory manager password, I tried with both, and I got the same result (?)
Sounds like you don't have the correct password if you are getting error 49. The only other thing it could be is that the "cn=directory manager" account is not set up as "cn=directory manager" in your setup. You can confirm by grepping for "nsslapd-rootdn" from /etc/dirsrv/slapd-YOUR_INSTANCE/dse.ldif. If it is set to "cn=directory manager", then you have the wrong password and you should reset it. Otherwise you have the wrong DN. It's one or the other.
Regards, Mark
thanks, René
On 18/05/18 at 16:52, Mark Reynolds wrote:
Sounds like you don't have the correct password if you are getting error 49. The only other thing it could be is that the "cn=directory manager" account is not set up as "cn=directory manager" in your setup. You can confirm by grepping for "nsslapd-rootdn" from /etc/dirsrv/slapd-YOUR_INSTANCE/dse.ldif. If it is set to "cn=directory manager", then you have the wrong password and you should reset it. Otherwise you have the wrong DN. It's one or the other.
great!
it was the wrong password... Now I get this:
ldapmodify: wrong attributeType at line 5, entry "cn="dc=example,dc=com",cn=mapping tree,cn=config"
the full ldif is:
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)
where "example" is the name of my domain without tld
do I need to change another thing in the ldif?
thanks in advance, René
On 05/18/2018 04:07 PM, None via FreeIPA-users wrote:
great!
it was the wrong password... Now I get this:
ldapmodify: wrong attributeType at line 5, entry "cn="dc=example,dc=com",cn=mapping tree,cn=config"
the full ldif is:
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)
I think the problem is the aci value. It's multiple lines, maybe it's wrapped weird. There's a few ways to fix it. In LDAP you would precede a line break with a space. So something like this:
dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)
 (objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)
Or, it has to be one long line. I am attaching a ldif with two examples you can pick from.
where "example" is the name of my domain without tld
do I need to change another thing in the ldif?
thanks in advance, René
On 18/05/18 at 20:02, Mark Reynolds wrote:
Or, it has to be one long line. I am attaching a ldif with two examples you can pick from.
hi!
I tried both ldifs, they report the same:
# ldapmodify -x -D "cn=Directory Manager" -W -f 1.ldif -h ipa.example.com.ar
Enter LDAP Password:
modifying entry "cn="dc=example,dc=com",cn=mapping tree,cn=config"
ldap_modify: No such object (32)

# ldapmodify -x -D "cn=Directory Manager" -W -f 2.ldif -h example.tecnoaccion.com.ar
Enter LDAP Password:
modifying entry "cn="dc=example,dc=com",cn=mapping tree,cn=config"
ldap_modify: No such object (32)
best regards, René
On 05/21/2018 10:16 AM, ipa@tecnoaccion.com.ar wrote:
hi!
I tried both ldifs, they report the same:
# ldapmodify -x -D "cn=Directory Manager" -W -f 1.ldif -h ipa.example.com.ar
Enter LDAP Password:
modifying entry "cn="dc=example,dc=com",cn=mapping tree,cn=config"
ldap_modify: No such object (32)

# ldapmodify -x -D "cn=Directory Manager" -W -f 2.ldif -h example.tecnoaccion.com.ar
Enter LDAP Password:
modifying entry "cn="dc=example,dc=com",cn=mapping tree,cn=config"
ldap_modify: No such object (32)
It's probably the quotes around dc=example,dc=com
Try replacing it with:
cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
best regards, René
On 21/05/18 at 11:20, Mark Reynolds wrote:
It's probably the quotes around dc=example,dc=com
Try replacing it with:
cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
hi Mark!
thank you very much for your help
the result in both ldifs continues to be:
ldap_modify: No such object (32)
I'm attaching the sanitized ldifs just in case
best regards, René
On 05/21/2018 10:32 AM, ipa@tecnoaccion.com.ar wrote:
It's probably the quotes around dc=example,dc=com
Try replacing it with:
cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
So the problem is that you really don't have a backend suffix "dc=example,dc=com"
Try this:
ldapsearch -xLLL -D "cn=Directory Manager" -W -b cn=config nsslapd-backend=*
This will dump your backends, find DN from the entry for your database and put that in the LDIF file
Mark
hi Mark!
thank you very much for your help
the result in both ldifs continues to be:
ldap_modify: No such object (32)
I'm attaching the sanitized ldifs just in case
best regards, René
On 21/05/18 at 11:44, Mark Reynolds wrote:
So the problem is that you really don't have a backend suffix "dc=example,dc=com"
Try this:
ldapsearch -xLLL -D "cn=Directory Manager" -W -b cn=config nsslapd-backend=*
This will dump your backends, find DN from the entry for your database and put that in the LDIF file
excellent! I could ldapmodify the ldif, and now I can test with an anonymous ldapsearch
thank you very much!
René
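The two LDIF pitfalls discussed in this thread (an aci value wrapped without the leading continuation space, and the hex-escaped mapping-tree DN), as an added example that is not part of the original messages. The function names are chosen here, the sample LDIF is constructed from the text posted above, and the check is a simplified stand-in for ldapmodify's own parser.

```python
import re

# Constructed sample: the LDIF as first posted, where the aci value wraps onto
# a fifth physical line that does not start with a space.
BROKEN_LDIF = '''dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)
'''

# Unfolding drops exactly ONE leading space, so a fold made at a word boundary
# must keep the original space in addition to the continuation marker.
NAIVE_FOLD = BROKEN_LDIF.replace("\n3.0;", "\n 3.0;")    # parses, but yields "(version3.0;"
KEEPS_SPACE = BROKEN_LDIF.replace("\n3.0;", "\n  3.0;")  # yields "(version 3.0;"

# Attribute description (name or numeric OID, optional ;options) followed by ':'.
ATTR_LINE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.;-]*:")


def unfold(text):
    """Return [(first_physical_line_no, logical_line)] using RFC 2849 unfolding."""
    logical = []
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and logical:
            first, value = logical[-1]
            logical[-1] = (first, value + raw[1:])  # strip the single fold space
        else:
            logical.append((no, raw))
    return logical


def lint(text):
    """Return [(line_no, message)] for logical lines that are not 'attr: value'."""
    problems = []
    for no, line in unfold(text):
        if not line.strip() or line.startswith("#") or line == "-":
            continue  # record separator, comment, or end of a modify block
        if not ATTR_LINE.match(line):
            problems.append(
                (no, "no attribute type; wrapped value missing its leading space?")
            )
    return problems


def fold(line, width=76):
    """Fold one logical line; every continuation is a newline plus one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def attr_values(text, attr):
    """Values of one attribute after unfolding (case-insensitive name match)."""
    prefix = attr.lower() + ":"
    return [
        line[len(prefix):].strip()
        for _, line in unfold(text)
        if line.lower().startswith(prefix)
    ]


def mapping_tree_dn(suffix):
    """Mapping-tree DN with the suffix hex-escaped inside the cn value.

    This only changes how the DN is written. The suffix must still be one the
    server really has, which is what the nsslapd-backend search checks.
    """
    escaped = "".join(
        "\\%02X" % ord(ch) if ch in ',=+<>#;"\\' else ch for ch in suffix
    )
    return "cn=%s,cn=mapping tree,cn=config" % escaped


if __name__ == "__main__":
    print(lint(BROKEN_LDIF))                       # problem reported at line 5
    print(attr_values(NAIVE_FOLD, "aci")[0][-95:])
    print(attr_values(KEEPS_SPACE, "aci")[0][-96:])
    print(mapping_tree_dn("dc=example,dc=com"))
```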