Listbox
2008-Jan-21 23:27 UTC
[Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Hi folks,

I'm really stumped by this "Insufficient 'add' privilege" problem. I can create all the "Administrators" I want for the netscaperoot directory, but none of those users can:

A) Create new users for my hymesruzicka directory
B) Create a new "Directory Administrator" for my hymesruzicka directory
C) Grant "'add' privilege" to my existing "Configuration Administrator" for my hymesruzicka directory
D) Add a user from the netscaperoot users to my hymesruzicka directory "Directory Administrator" group
E) Modify or add the existing ACLs for my hymesruzicka directory

Is there a way to create a new "Directory Administrator" and other users? If not, and we have to wipe and re-install from scratch, what must we do to ensure that we can create users and administrators for our directory?

Thanks!
Rich Megginson
2008-Jan-22 18:28 UTC
Re: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Listbox wrote:
> Hi folks,
> I'm really stumped by this "Insufficient 'add' privilege" problem.
> I can create all the "Administrators" I want for the netscaperoot directory,
> but none of those users can:
>
> A) Create new users for my hymesruzicka directory
> B) Create a new "Directory Administrator" for my hymesruzicka directory
> C) Grant "'add' privilege" to my existing "Configuration Administrator"
> my hymesruzicka directory
> D) Add a user from the netscaperoot users to my hymesruzicka directory
> "Directory Administrator" group
> E) Modify or add the existing ACLs for my hymesruzicka directory
>
> Is there a way to create a new "Directory Administrator" and other users?

Yes, by adding the appropriate ACIs. How was the data for your default suffix added? The way it works is that setup adds some ACIs to the default suffix you specify during setup to allow the console admin user to have access. If you import your data from another source these ACIs will not be created. You can just do a test install to see exactly what acis are created, e.g.

ldapsearch -x -D "cn=directory manager" -w yourpassword -b o=netscaperoot "aci=*" aci

and

ldapsearch -x -D "cn=directory manager" -w yourpassword -b "dc=yourdomain,dc=com" "aci=*" aci

> If not, and we have to wipe and re-install from scratch, what must we do to
> ensure that we can create users and administrators for our directory?
>
> Thanks!
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Listbox
2008-Jan-23 17:55 UTC
RE: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Thanks so much!

Now I'm looking in http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see what I might do to fix things.

Here is the output from the commands you suggested. At least I can tell one is bigger than the other :)

ldapsearch -x -D "cn=directory manager" -w mypassword -b o=netscaperoot "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <o=netscaperoot> with scope subtree
# filter: aci=*
# requesting: aci
#

# NetscapeRoot
dn: o=NetscapeRoot
aci: (targetattr="*")(version 3.0; acl "Enable Configuration Administrator Group modification"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(targetfilter=(o=NetscapeRoot))(version 3.0; acl "Default anonymous access"; allow (read, search) userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="uniquemember";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group (trixter)"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# TopologyManagement, NetscapeRoot
dn: ou=TopologyManagement, o=NetscapeRoot
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare)userdn="ldap:///anyone";)

# Global Preferences, hymesruzicka.org, NetscapeRoot
dn: ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable anonymous access"; allow(read,search) userdn="ldap:///anyone";)

# UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow saving of User Preferences"; allow (add) userdn = "ldap:///all";)

# uid\3Dadmin\2C ou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# cn\3Dadmin-serv-trixter\2C cn\3DFedora Administration Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsconfigRoot=*))(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) userdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# PublicViews, 1.1, Admin, Global Preferences, hymesruzicka.org, NetscapeRoot
dn: cn=PublicViews, ou=1.1, ou=Admin, ou=Global Preferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr = "*")(version 3.0; acl "Allow Authenticated Users to Save Public Views"; allow (all) userdn = "ldap:///all";)

# slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# configuration, slapd-trixter, Fedora Directory Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration,cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all) groupdn="ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# cn\3Dslapd-trixter\2C cn\3DFedora Directory Server\2C cn\3DServer Group\2C cn\3Dtrixter.hymesruzicka.org\2C ou\3Dhymesruzicka.org\2C o\3DNetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# cn\3DDirectory Manager, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="cn=Directory Manager",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(targetfilter=(nsNickName=*))(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated access"; allow (read, search, compare) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr="uniquemember || serverProductName || userpassword || description")(targetfilter=(objectclass=netscapeServer))(version 3.0; acl "Enable access delegation"; allow (write) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# configuration, admin-serv-trixter, Fedora Administration Server, Server Group, trixter.hymesruzicka.org, hymesruzicka.org, NetscapeRoot
dn: cn=configuration, cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "Enable delegated admin to access configuration"; allow (read, search) groupdn="ldap:///cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
aci: (targetattr=*)(version 3.0; acl "Enable Server configuration"; allow (all) groupdn="ldap:///cn=admin-serv-trixter, cn=Fedora Administration Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# uid\3Ddiradmin\2Cou\3DAdministrators\2C ou\3DTopologyManagement\2C o\3DnetscapeRoot, UserPreferences, hymesruzicka.org, NetscapeRoot
dn: ou="uid=diradmin,ou=Administrators, ou=TopologyManagement, o=netscapeRoot",ou=UserPreferences, ou=hymesruzicka.org, o=NetscapeRoot
aci: (targetattr=*)(version 3.0; acl "UserDNControl"; allow (all) userdnattr="creatorsname";)

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16

ldapsearch -x -D "cn=directory manager" -w anotherpassword -b "dc=hymesruzicka,dc=org" "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <dc=hymesruzicka,dc=org> with scope subtree
# filter: aci=*
# requesting: aci
#

# hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=org");)

# People, hymesruzicka.org
dn: ou=People, dc=hymesruzicka, dc=org
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=hymesruzicka, dc=org");)
aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=hymesruzicka, dc=org");)

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
Rich Megginson
2008-Jan-23 18:28 UTC
Re: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Listbox wrote:
> Thanks so much!
> Now I'm looking in
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1199651 to see
> what I might do to fix things.

If you are using Fedora DS 1.1 I suggest you use this instead - http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html

> Here is the output from the commands you suggested. At least I can tell one
> is bigger than the other :)

The console admin user created during setup is uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot. You should look at the acis which have this user as the subject (e.g. anything with userdn="uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" in it). What's odd is that I don't see any acis in dc=hymesruzicka, dc=org to grant this user access. setup-ds-admin.pl should have created them.

There is also a group created for console admins and this group is granted access just like for the above user. However, this will not work for remote instances (instances which do not have the real o=NetscapeRoot on them - the console uses pass through authentication on instances without o=NetscapeRoot, and group evaluation does not work remotely). This is the groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot". So this group aci only works on the server which hosts o=NetscapeRoot. I don't see any acis for this group in dc=hymesruzicka, dc=org either, which is odd.

There is another local administrative group created by setup on each instance for the local suffix - groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, dc=org" - setup-ds-admin.pl will create an ACI for this group. The actual group entry is not created by default, so if you want to use this you will need to create the group entry cn=Directory Administrators, dc=hymesruzicka, dc=org and add users to it.
Also check the acis on the configuration entries cn=config and cn=schema and cn=monitor:

ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=config "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=schema "aci=*" aci
ldapsearch -x -D "cn=directory manager" -w yourpassword -s sub -b cn=monitor "aci=*" aci

setup-ds-admin.pl is supposed to create acis for uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot and the group cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot
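The check Rich describes, done over the ldapsearch output instead of by eye, as an added example that is not part of this thread: it rejoins the folded LDIF lines, pulls the subject and granted rights out of each aci value, and answers whether a given DN (the console admin, or one of the admin groups) holds "all" on a given entry. The sample LDIF is constructed in the style of the output posted above, and the function names (parse_entries, grants_all, and so on) are this example's own.

```python
"""Audit which subjects the ACIs on an entry grant 'all' rights to."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the style of the thread's ldapsearch output, with aci
# values LDIF-folded (continuation lines start with one space). It mirrors what
# Rich points out: uid=admin has an aci on cn=config but none on the user suffix.
SAMPLE_LDIF = """\
# hymesruzicka.org
dn: dc=hymesruzicka, dc=org
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; a
 llow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";al
 low (all) (groupdn = "ldap:///cn=Directory Administrators, dc=hymesruzicka, d
 c=org");)

# config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=Ne
 tscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=To
 pologyManagement, o=NetscapeRoot";)
"""

NAME_RE = re.compile(r'\bacl\s*"([^"]*)"')
RIGHTS_RE = re.compile(r"\b(allow|deny)\s*\(\s*([^)]*?)\s*\)")
SUBJECT_RE = re.compile(r'\b(userdn|groupdn|userdnattr|groupdnattr)\s*=\s*"([^"]*)"')


@dataclass
class Aci:
    name: str
    allowed: set[str]  # rights from allow(...) clauses, lower-cased
    subjects: list[tuple[str, str]] = field(default_factory=list)  # (kind, value)


def norm_dn(dn: str) -> str:
    """Case-fold and drop spaces after commas so "dc=hymesruzicka, dc=org" and
    "dc=hymesruzicka,dc=org" compare equal (quoted RDNs with commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def unfold_ldif(text: str) -> list[str]:
    """Rejoin folded LDIF lines: a line starting with a space continues the
    previous one, and that leading space is dropped."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_aci(value: str) -> Aci:
    """Extract the acl name, allowed rights and bind-rule subjects from one aci
    value. Deny clauses are ignored, so this is purely a grant check."""
    name = NAME_RE.search(value)
    allowed: set[str] = set()
    for kind, rights in RIGHTS_RE.findall(value):
        if kind == "allow":
            allowed.update(r.strip().lower() for r in rights.split(",") if r.strip())
    subjects = [(k, v[len("ldap:///"):] if v.startswith("ldap:///") else v)
                for k, v in SUBJECT_RE.findall(value)]
    return Aci(name.group(1) if name else "?", allowed, subjects)


def parse_entries(text: str) -> dict[str, list[Aci]]:
    """Map each entry DN in the ldapsearch output to its parsed aci values."""
    entries: dict[str, list[Aci]] = {}
    dn = None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            dn = norm_dn(line[4:])
            entries.setdefault(dn, [])
        elif line.startswith("aci: ") and dn is not None:
            entries[dn].append(parse_aci(line[5:]))
    return entries


def grants_all(entries: dict[str, list[Aci]], entry_dn: str, subject_dn: str) -> bool:
    """True if an aci on entry_dn allows 'all' to subject_dn named directly as
    userdn or groupdn. Group membership is not expanded and ACIs inherited from
    parent entries are not considered, so run it against each suffix root."""
    want = norm_dn(subject_dn)
    return any(
        "all" in aci.allowed
        and any(kind in ("userdn", "groupdn") and norm_dn(val) == want
                for kind, val in aci.subjects)
        for aci in entries.get(norm_dn(entry_dn), [])
    )
```

Feed it the real output of the three ldapsearch commands above (one call per base) and ask about uid=admin and the two groups; a False for the user suffix is exactly the missing-aci condition Rich describes.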
Listbox
2008-Jan-23 20:17 UTC
RE: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Thanks Rich!

I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It does not have any entries for uid=admin ( or uid=%as_uid% ).

I did find the file "16dssuffixadmin.mod.tmpl", and it looks like it may be useful as a model to make more of the correct acis. Is this a good idea? How much more should I modify it?

/usr/share/dirsrv/data/16dssuffixadmin.mod.tmpl

# BEGIN COPYRIGHT BLOCK
...
# END COPYRIGHT BLOCK
dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)

Thanks again!
************************************************
************************************************
************************************************

for bind in config schema monitor ; do ldapsearch -x -D "cn=directory manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: aci=*
# requesting: aci
#

# config
dn: cn=config
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# SNMP, config
dn: cn=SNMP,cn=config
aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
# extended LDIF
#
# LDAPv3
# base <cn=schema> with scope subtree
# filter: aci=*
# requesting: aci
#

# schema
dn: cn=schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
# extended LDIF
#
# LDAPv3
# base <cn=monitor> with scope subtree
# filter: aci=*
# requesting: aci
#

# monitor
dn: cn=monitor
aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)

# search result
search: 2
result: 0 Success
Rich Megginson
2008-Jan-23 20:32 UTC
Re: NetscapeRootRe: [Fedora-directory-users] Can't create users, time for complete wipe and re-install?
Listbox wrote:
> Thanks Rich!
>
> I just looked in /usr/share/dirsrv/data, and the file "template.ldif" looks
> like what I get for the ldapquery of acis in dc=hymesruzicka, dc=org. It
> does not have any entries for uid=admin ( or uid=%as_uid% ).

Right. That's the file that is used for just the fedora-ds-base package - the admin server and console stuff are "add-ons".

> I did find the file "16dssuffixadmin.mod.tmpl", and looks like it may be
> useful as a model to make more of the correct acis. Is this a good idea?

Yes.

> How much more should I modify it?

You have to replace the %token% items:

ds_suffix - your suffix e.g. dc=hymesruzicka, dc=org or cn=config or cn=schema or etc.
as_uid - admin or change the entire DN uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot to some other DN that you want to use for an administrator.

You can just omit the SIE Group ACI.

Then just feed that file to ldapmodify e.g.

ldapmodify -x -D "cn=directory manager" -w yourpassword -f thefile.ldif

Note - make a copy of 16dssuffixadmin.mod.tmpl and edit it - do not edit it in place.
>
> ************************************************
> ************************************************
> ************************************************
> for bind in config schema monitor ; do ldapsearch -x -D "cn=directory
> manager" -w mypassword -s sub -b cn=$bind "aci=*" aci ; done
> # extended LDIF
> #
> # LDAPv3
> # base <cn=config> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # config
> dn: cn=config
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # SNMP, config
> dn: cn=SNMP,cn=config
> aci: (target="ldap:///cn=SNMP,cn=config")(targetattr !="aci")(version 3.0;acl "snmp";allow (read, search, compare)(userdn = "ldap:///anyone");)
>
> # 2.16.840.1.113730.3.4.9, features, config
> dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
> aci: (targetattr != "aci")(version 3.0; acl "VLV Request Control"; allow( read, search, compare, proxy ) userdn = "ldap:///all";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
> # extended LDIF
> #
> # LDAPv3
> # base <cn=schema> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # schema
> dn: cn=schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-trixter, cn=Fedora Directory Server, cn=Server Group, cn=trixter.hymesruzicka.org, ou=hymesruzicka.org, o=NetscapeRoot";)
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> # extended LDIF
> #
> # LDAPv3
> # base <cn=monitor> with scope subtree
> # filter: aci=*
> # requesting: aci
> #
>
> # monitor
> dn: cn=monitor
> aci: (target ="ldap:///cn=monitor*")(targetattr != "aci || connection")(version 3.0; acl "monitor"; allow( read, search, compare ) userdn = "ldap:///anyone";)
>
> # search result
> search: 2
> result: 0 Success
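Rich's recipe above (copy the template, replace the %token% items, drop the SIE Group ACI if you don't need it, feed the file to ldapmodify, then re-run the ldapsearch for "aci=*") as an added example; this is not code from the thread or from Fedora Directory Server. It renders the template quoted in the thread and parses the folded aci values that ldapsearch prints, so you can confirm the admin DN actually holds "all" on the suffix before retrying the add; the suffix and uid are the ones discussed here, and any ldapsearch text passed to it is a constructed sample.

```python
"""Render 16dssuffixadmin.mod.tmpl for one suffix and inspect the resulting ACIs.

Added example, not code from the thread or from Fedora Directory Server.
TEMPLATE is the body quoted in the thread (copyright header omitted); token
values and any ldapsearch text passed to grants() are constructed inputs."""
import re

TEMPLATE = """dn: %ds_suffix%
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=%as_uid%,ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-%dsid%, cn=%brand% Directory Server, cn=Server Group, cn=%fqdn%, ou=%domain%, o=NetscapeRoot";)
"""

TOKEN = re.compile(r"%(\w+)%")
ACI = re.compile(r'acl\s+"([^"]*)";\s*allow\s*\(([^)]*)\)\s*'
                 r'(userdn|groupdn)\s*=?\s*"ldap:///([^"]*)"')

def render(template, values, omit_acls=("SIE Group",)):
    """Fill in the %token% items and drop the ACIs named in omit_acls.
    A token with no value raises KeyError instead of leaving a literal %dsid%."""
    out = []
    for line in template.splitlines():
        m = ACI.search(line) if line.startswith("aci:") else None
        if m and m.group(1) in omit_acls:
            continue  # the SIE Group ACI, which Rich says can be omitted
        out.append(TOKEN.sub(lambda t: values[t.group(1)], line))
    return "\n".join(out) + "\n"

def unfold(ldif_text):
    """Rejoin LDIF continuation lines (leading space); ldapsearch folds long aci values."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def grants(ldif_text):
    """List (acl name, rights, 'userdn'|'groupdn', subject DN) for each ACI."""
    found = []
    for line in unfold(ldif_text):
        m = ACI.search(line) if line.startswith("aci:") else None
        if m:
            rights = tuple(r.strip() for r in m.group(2).split(","))
            found.append((m.group(1), rights, m.group(3), m.group(4)))
    return found

def can_add(ldif_text, bind_dn):
    """True if a userdn ACI grants bind_dn 'add' or 'all' (group ACIs would need a membership lookup)."""
    norm = lambda dn: re.sub(r",\s*", ",", dn).lower()
    return any(kind == "userdn" and norm(dn) == norm(bind_dn)
               and ("all" in rights or "add" in rights)
               for _, rights, kind, dn in grants(ldif_text))
```

Write the string returned by render() to a file and load it with the ldapmodify command Rich gives; a KeyError means a token such as %dsid% was left unfilled, which is the failure mode of editing the template by hand.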
Listbox
2008-Jan-25 19:31 UTC
RE: NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!
Got our first user created!

I have an idea on why the setup-ds-admin.pl may not have worked completely.

When doing the first install, I ran the install script, then aborted it ( within the first few steps ). I thought I was paranoid enough by running "rpm -erase fedora-ds-1.1.0-3", and deleting the contents of :

/etc/dirsrv
/usr/lib/dirsrv
/usr/share/dirsrv
/var/lock/dirsrv
/var/lib/dirsrv
/var/run/dirsrv
/var/log/dirsrv
/usr/lib/mozldap
/usr/share/doc/mozldap-6.0.5

before I reinstalled, and re-ran the install script. But I know I ran into a slapd startup problem because I made a typo, and I only erased the contents of "/var/run/dirsrv", and left the dir itself.

Until I tried to create users, that was the only problem due to a previous install attempt. Maybe this was another.

Thanks again!
Rich Megginson
2008-Jan-25 19:35 UTC
Re: NetscapeRootRe: [Fedora-directory-users] Can't create users, SOLVED!
Listbox wrote:
> Got our first user created!
> I have an idea on why the setup-ds-admin.pl may not have worked completely.
>
> When doing the first install, I ran the install script, then aborted it (
> within the first few steps ).
If you abort setup before it finishes asking you questions, you should be able to run it again, no problem. If you abort it after the dialog section during its configuration section, then you will have to do some clean up.
> I thought I was paranoid enough by running
> "rpm -erase fedora-ds-1.1.0-3",
That really doesn't do anything - the fedora-ds package is now completely empty and just Requires (for yum) the "real" packages fedora-ds-base, fedora-ds-admin, etc. It shouldn't be necessary, but if you really want to remove everything, you should do something like
yum erase svrcore idm-console-framework
> and deleting the contents of :
>
> /etc/dirsrv
> /usr/lib/dirsrv
>
/usr/lib64/dirsrv on 64bit systems
> /usr/share/dirsrv
> /var/lock/dirsrv
> /var/lib/dirsrv
> /var/run/dirsrv
> /var/log/dirsrv
>
Yep. rm -rf all of those
> /usr/lib/mozldap
> /usr/share/doc/mozldap-6.0.5
>
No, not these.
> Before I reinstalled, and re-ran the install script. But I know I ran into a
> slapd startup problem because I made a typo, and I only erased the contents
> of "/var/run/dirsrv", and left the dir itself.
>
> Until I tried to create users, that was the only problem due to a previous
> install attempt. Maybe this was another.
>
>
> Thanks again!