Fabrice Durand
2007-Dec-19 11:33 UTC
[Fedora-directory-users] Problem with nsview hierarchy
Hi,

I've got a problem with my nsview organizationalunit hierarchy, and I don't understand what's wrong. I use my nsview hierarchy to organize my flat user OU (ou=People,dc=test,dc=com). All users have a departmentNumber that I use to filter with nsviewfilter. The problem is that when a script searches all OUs in the hierarchy, the server doesn't return all the OUs (Perl script, PHP script). I put an ldif file of my directory (ou=annuaire,dc=test,dc=com) and the script I use, to understand what happens.

An example: when I search with a filter "objectClass=organizationalUnit" in ou=annuaire,dc=test,dc=com, Fedora Directory Server returns only 17 entries. When I modify the entry ou=annuaire,dc=test,dc=com (delete the value of nsviewfilter and delete objectclass=nsview), the server returns all the entries (45), but all the users disappeared.

I really don't understand what's wrong; sometimes when I change an "OU" name, the number of returned entries changes. If you have an explanation, thank you in advance.

Fabrice Durand
The saga continues..

After finally getting the admin-server to run and just briefly verifying that the console would run from my windows machine but not being able to connect because of firewall issues, I'm now picking up the thread again.

To briefly recap, there are firewall issues preventing me from connecting easily with the admin server on the machine running fedora-ds. Iow: I can reach the ldap port fine - but not the admin server. I have no control over the firewall, and getting an opening poked in it is turning out to be, if not difficult then at least time consuming. I've been trying to sneak around the problem by using ssh-tunneling for now. I can use this to successfully connect the client java console with the server. However, that's pretty much as far as I've been able to get.

The Fedora Management Console opens and connects nicely. In the console view, I can see the rootnode of myldap.foo.com, as well as the ldap instance just beneath it and its "Server Group" node. However, if I expand this node and try to click on the "Administration Server" or "Directory Server" leafs, I get a long pause and then an error dialog saying: "Class Loader error: Failed to install a local copy of fedora-admserv-1.0.jar or one of its supporting files: Can not connect to http://myldap.foo.com:56789".

Initially, I was thrown off by the class loader heading, assuming I'd left the jar out of the classpath. The jar it's requesting is indeed not on the classpath, however, the jar in question is not included in the original startconsole script either (meaning I have no idea how the client would find it). In any case I get the exact same error when the jar's on the cp as well. The client then goes on to try and download the jar - which will not work as the windows machine I'm running it on does not have open internet access - intranet only.

However the errmsg also mentions connection problems, and there's a lengthy delay when clicking the nodes in question consistent with a connection attempt that's blocked by, say, a firewall. I've since verified with Ethereal that the console does indeed try to bypass my ssh tunnel and instead hits the admin server directly, an attempt which is of course blocked by the firewall. In addition, connections to the ldap port are also attempted, though this is not a problem as that port is actually open. Maybe the reason why I can get this far in the first place. However, could anyone confirm that the connection url (in my case ssh tunnel at localhost:56789) is only used for the initial connect, and that later the admin client may try to establish a direct link to the correct url of the servernode? If so, is there any possible workaround for this, or will I basically need a firewall-opening? Or could it be a dependency/classpath problem after all?

--
Regards,
Audun
Technically the tunneling should work, but I remember having issues with it. Even after making host file additions and making the tunnel properly, the LDAP connect was still having issues. I suggest getting the port open, otherwise you are just making it hard on yourself.

On Dec 19, 2007 9:27 AM, <audunroe@tihlde.org> wrote:
> The saga continues..
>
> After finally getting the admin-server to run and just briefly verifying
> that the console would run from my windows machine but not being able to
> connect because of firewall issues, I'm now picking up the thread again.
>
> To briefly recap, there are firewall issues preventing me from connecting
> easily with the admin server on the machine running fedora-ds. Iow: I can
> reach the ldap port fine - but not the admin server. I have no control
> over the firewall, and getting an opening poked in it is turning out to
> be, if not difficult then at least time consuming. I've been trying to
> sneak around the problem by using ssh-tunneling for now. I can use this to
> successfully connect the client java console with the server. However,
> that's pretty much as far as I've been able to get.
>
> The Fedora Management Console opens and connects nicely. In the console
> view, I can see the rootnode of myldap.foo.com, as well as the ldap
> instance just beneath it and its "Server Group" node. However, if I expand
> this node and try to click on the "Administration Server" or "Directory
> Server" leafs, I get a long pause and then an error dialog saying: "Class
> Loader error: Failed to install a local copy of fedora-admserv-1.0.jar or
> one of its supporting files: Can not connect to
> http://myldap.foo.com:56789".
>
> Initially, I was thrown off by the class loader heading, assuming I'd left
> the jar out of the classpath. The jar it's requesting is indeed not on
> the classpath, however, the jar in question is not included in the
> original startconsole script either (meaning I have no idea how the client
> would find it). In any case I get the exact same error when the jar's on
> the cp as well. The client then goes on to try and download the jar -
> which will not work as the windows machine I'm running it on does not have
> open internet access - intranet only.
>
> However the errmsg also mentions connection problems, and there's a
> lengthy delay when clicking the nodes in question consistent with a
> connection attempt that's blocked by, say, a firewall. I've since verified
> with Ethereal that the console does indeed try to bypass my ssh tunnel and
> instead hits the admin server directly, an attempt which is of course
> blocked by the firewall. In addition, connections to the ldap port are
> also attempted, though this is not a problem as that port is actually
> open. Maybe the reason why I can get this far in the first place. However,
> could anyone confirm that the connection url (in my case ssh tunnel at
> localhost:56789) is only used for the initial connect, and that later the
> admin client may try to establish a direct link to the correct url of the
> servernode? If so, is there any possible workaround for this, or will I
> basically need a firewall-opening? Or could it be a dependency/classpath
> problem after all?
>
> --
> Regards,
> Audun
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> Audun,
> I connect to my Fedora6 FDS1.0.4 setup from my mac using an X11
> terminal over ssh with forwarding. ssh -XY blah.blah.gov. Then I
> run the console from there and everything in terms of security is done
> localhost on the ldap server, my session shows up on my mac tunneled
> entirely through ssh. This gets through any firewall I've had to deal
> with.
>
> I'm not clear on whether this works for you in your set up, but I
> thought I'd add my 2 cents. Good luck.
>
> ED.

This actually does work, although it's rather slow over ~200kb/s VPN. Still, beats no console at all. Thanks for the suggestion!

An additional question, though: I've been using the wiki entry on http://directory.fedoraproject.org/wiki/Howto:WindowsConsole as a reference. Judging by the requirement to copy the ./lib folder and set paths/environment vars for it, java.library.path in particular, the console would seem to use JNI (ie: native calls, not pure/platform-independent Java) for some of its functionality. If so, how could it ever work on Windows? Simply copying the native libs as suggested by the wiki entry would, to the best of my knowledge, accomplish nothing. An older admin console MSI-installer package I came across actually included a handful of DLLs, to reinforce the impression that native calls are used/needed.

On the other hand, people seem to have been able to make it work in Windows by simply following the instructions of the wiki, so I'm a bit puzzled. If this is the case, it would seem they're not needed.

(To reiterate: I can run the console under Windows and I can connect to the adm server, but it's functionally crippled. Either due to a certain firewall that remains closed; JNI, something else entirely, or possibly all three. Hopefully I'll be able to at least rule out or identify the fw as the culprit by next week ;)

--
Regards,
Audun
audunroe@tihlde.org wrote:
> The saga continues..
>
> After finally getting the admin-server to run and just briefly verifying
> that the console would run from my windows machine but not being able to
> connect because of firewall issues, I'm now picking up the thread again.
>
> To briefly recap, there are firewall issues preventing me from connecting
> easily with the admin server on the machine running fedora-ds. Iow: I can
> reach the ldap port fine - but not the admin server. I have no control
> over the firewall, and getting an opening poked in it is turning out to
> be, if not difficult then at least time consuming. I've been trying to
> sneak around the problem by using ssh-tunneling for now. I can use this to
> successfully connect the client java console with the server. However,
> that's pretty much as far as I've been able to get.
>
> The Fedora Management Console opens and connects nicely. In the console
> view, I can see the rootnode of myldap.foo.com, as well as the ldap
> instance just beneath it and its "Server Group" node. However, if I expand
> this node and try to click on the "Administration Server" or "Directory
> Server" leafs, I get a long pause and then an error dialog saying: "Class
> Loader error: Failed to install a local copy of fedora-admserv-1.0.jar or
> one of its supporting files: Can not connect to
> http://myldap.foo.com:56789".
>

The console supports multiple versions of admin server and directory server. Each unique version of admin server and directory server has its own versioned jar file (e.g. fedora-admserv-1.0.jar, fedora-admserv-1.1.jar, etc.). These jar files are provided via http by the admin server and are downloaded into the ~/.fedora-console/jars (or ~/.fedora-idm-console/jars in 1.1) directory. The console looks for them in there. So one possible workaround would be to just grab those files from the server and copy them to this directory.

> Initially, I was thrown off by the class loader heading, assuming I'd left
> the jar out of the classpath. The jar it's requesting is indeed not on
> the classpath, however, the jar in question is not included in the
> original startconsole script either (meaning I have no idea how the client
> would find it). In any case I get the exact same error when the jar's on
> the cp as well. The client then goes on to try and download the jar -
> which will not work as the windows machine I'm running it on does not have
> open internet access - intranet only.
>

On Windows, the jar file location is a little bit different. See http://directory.fedoraproject.org/wiki/Howto:WindowsConsole for more information.

> However the errmsg also mentions connection problems, and there's a
> lengthy delay when clicking the nodes in question consistent with a
> connection attempt that's blocked by, say, a firewall.

Right. There is a timeout - I can't remember how long.

> I've since verified
> with Ethereal that the console does indeed try to bypass my ssh tunnel and
> instead hits the admin server directly, an attempt which is of course
> blocked by the firewall.

Right. Because once the console is started, it ignores the URL you provide in the login dialog box and instead reads the URL from the admin server configuration under o=netscaperoot in the configuration directory server.

> In addition, connections to the ldap port are
> also attempted, though this is not a problem as that port is actually
> open. Maybe the reason why I can get this far in the first place. However,
> could anyone confirm that the connection url (in my case ssh tunnel at
> localhost:56789) is only used for the initial connect, and that later the
> admin client may try to establish a direct link to the correct url of the
> servernode? If so, is there any possible workaround for this, or will I
> basically need a firewall-opening? Or could it be a dependency/classpath
> problem after all?
>

The best bet is to either open the firewall, or to install the admin server to use a well known http port (e.g. port 80) that most firewalls will leave open by default.

> --
> Regards,
> Audun