Jens Ådne Rydland
2009-Nov-03 17:03 UTC
[389-users] Admin-console doesn't work after upgrade
Hi,
recently our LDAP server (CentOS 5.4) got upgraded, so we no longer have the command fedora-idm-console, but instead have gotten 389-console. The LDAP service itself works flawlessly, but when trying to open the admin console it fails with

"netscape.ldap.LDAPException: error result (32); No such object"

Running "service dirsrv-admin status" returns that the admin server is running, and running 389-console with -D indicates that the server indeed replies.

So, is there some extra configuration needed after upgrading, such as running setup-ds-admin.pl again? If so, where can I look up the information provided on the initial setup?

This is using 389-ds version 1.1.3, CentOS 5.4, Java 1.6.0 (OpenJDK Runtime Environment (build 1.6.0-b09))

--
regards,
Jens Ådne Rydland
Rich Megginson
2009-Nov-03 17:28 UTC
Re: [389-users] Admin-console doesn't work after upgrade
Jens Ådne Rydland wrote:
> Hi,
> recently our LDAP server (CentOS 5.4) got upgraded, so we no longer have
> the command fedora-idm-console, but instead have gotten 389-console. The
> LDAP service itself works flawlessly, but when trying to open the admin
> console it fails with
>
> "netscape.ldap.LDAPException: error result (32); No such object"
>
> Running "service dirsrv-admin status" returns that the admin server is
> running, and running 389-console with -D indicates that the server
> indeed replies.
>
> So, is there some extra configuration needed after upgrading, such as
> running setup-ds-admin.pl again?

Yes. You always have to run setup-ds-admin.pl -u after an upgrade, to refresh the console information.
http://directory.fedoraproject.org/wiki/Install_Guide#Upgrading

Note that 389-ds-base 1.2.2 and 389-admin 1.1.8 and earlier have a bug in that they do not update the console information properly. If you run into this problem, you might consider upgrading to 389-ds-base 1.2.3 and 389-admin 1.1.9 which you can find in the testing repo.
http://directory.fedoraproject.org/wiki/Release_Notes

> If so, where can I look up the
> information provided on the initial setup?
>
> This is using 389-ds version 1.1.3, CentOS 5.4, Java 1.6.0 (OpenJDK
> Runtime Environment (build 1.6.0-b09))
Jens Ådne Rydland
2009-Nov-04 13:53 UTC
Re: [389-users] Admin-console doesn't work after upgrade
On Tue, Nov 03, 2009 at 10:28:19AM -0700, Rich Megginson wrote:
> Jens Ådne Rydland wrote:
>> Hi, recently our LDAP server (CentOS 5.4) got upgraded, so we no longer
>> have the command fedora-idm-console, but instead have gotten 389-console.
>> The LDAP service itself works flawlessly, but when trying to open the
>> admin console it fails with
>>
>> "netscape.ldap.LDAPException: error result (32); No such object"
>>
>> Running "service dirsrv-admin status" returns that the admin server is
>> running, and running 389-console with -D indicates that the server
>> indeed replies.
>>
>> So, is there some extra configuration needed after upgrading, such as
>> running setup-ds-admin.pl again?
>
> Yes. You always have to run setup-ds-admin.pl -u after an upgrade, to
> refresh the console information.
> http://directory.fedoraproject.org/wiki/Install_Guide#Upgrading
> Note that 389-ds-base 1.2.2 and 389-admin 1.1.8 and earlier have a bug
> in that they do not update the console information properly. If you run
> into this problem, you might consider upgrading to 389-ds-base 1.2.3 and
> 389-admin 1.1.9 which you can find in the testing repo.
> http://directory.fedoraproject.org/wiki/Release_Notes

Right. And when I try to run setup-ds-admin.pl -u I'm asked about misc. information that I don't have readily available, but most of it is auto-filled in, and I guess it is stored in some configuration file from the previous time the admin-server was set up?

Seems like no matter what I enter it returns "Error: No such object" or "Error: Invalid credentials". At least the last one I suppose means it managed to connect to the LDAP server, but got the wrong admin password or something? If it is the wrong password, how can I reset it?

--
regards,
Jens Ådne Rydland
Rich Megginson
2009-Nov-04 14:22 UTC
Re: [389-users] Admin-console doesn't work after upgrade
Jens Ådne Rydland wrote:
> On Tue, Nov 03, 2009 at 10:28:19AM -0700, Rich Megginson wrote:
>> Jens Ådne Rydland wrote:
>>> Hi, recently our LDAP server (CentOS 5.4) got upgraded, so we no longer
>>> have the command fedora-idm-console, but instead have gotten 389-console.
>>> The LDAP service itself works flawlessly, but when trying to open the
>>> admin console it fails with
>>>
>>> "netscape.ldap.LDAPException: error result (32); No such object"
>>>
>>> Running "service dirsrv-admin status" returns that the admin server is
>>> running, and running 389-console with -D indicates that the server
>>> indeed replies.
>>>
>>> So, is there some extra configuration needed after upgrading, such as
>>> running setup-ds-admin.pl again?
>>
>> Yes. You always have to run setup-ds-admin.pl -u after an upgrade, to
>> refresh the console information.
>> http://directory.fedoraproject.org/wiki/Install_Guide#Upgrading
>> Note that 389-ds-base 1.2.2 and 389-admin 1.1.8 and earlier have a bug
>> in that they do not update the console information properly. If you run
>> into this problem, you might consider upgrading to 389-ds-base 1.2.3 and
>> 389-admin 1.1.9 which you can find in the testing repo.
>> http://directory.fedoraproject.org/wiki/Release_Notes
>
> Right. And when I try to run setup-ds-admin.pl -u I'm asked about misc.
> information that I don't have readily available, but most of it is
> auto-filled in, and I guess it is stored in some configuration file from
> the previous time the admin-server was set up?

Right. /etc/dirsrv/admin-serv/adm.conf mostly. The only information you must provide is the admin password. Everything else should be auto-filled in.

> Seems like no matter what I enter it returns "Error: No such object" or
> "Error: Invalid credentials". At least the last one I suppose means it
> managed to connect to the LDAP server, but got the wrong admin password
> or something?
> If it is the wrong password, how can I reset it?

Do you use the console? What username and password do you use? I suppose you could also use the directory manager DN and password for your configuration directory server (the server that holds the o=NetscapeRoot information).
Jens Ådne Rydland
2009-Nov-04 15:28 UTC
Re: [389-users] Admin-console doesn't work after upgrade
On Wed, Nov 04, 2009 at 07:22:53AM -0700, Rich Megginson wrote:
> Jens Ådne Rydland wrote:
>> Right. And when I try to run setup-ds-admin.pl -u I'm asked about misc.
>> information that I don't have readily available, but most of it is
>> auto-filled in, and I guess it is stored in some configuration file from
>> the previous time the admin-server was set up?
>
> Right. /etc/dirsrv/admin-serv/adm.conf mostly. The only information
> you must provide is the admin password. Everything else should be
> auto-filled in.

Yes, everything is auto-filled in, except that when using just the auto-filled in information I get the error "Invalid credentials". So I suspected that I had somehow gotten the password wrong, and tried resetting it, but this didn't help.

>> Seems like no matter what I enter it returns "Error: No such object" or
>> "Error: Invalid credentials". At least the last one I suppose means it
>> managed to connect to the LDAP server, but got the wrong admin password
>> or something? If it is the wrong password, how can I reset it?
>
> Do you use the console? What username and password do you use? I
> suppose you could also use the directory manager DN and password for
> your configuration directory server (the server that holds the
> o=NetscapeRoot information).

Using the console isn't possible as the console doesn't start, as stated in my first message in this thread. That is, I can't login with the console at least, it fails with "netscape.ldap.LDAPException: error result (32); No such object".

I use the same username and password for the console that I've always used, and this is the same as what I enter when running setup-ds-admin.pl, which is rejected with "Error: Invalid credentials".

I have also tried resetting this password following the howto at http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword, but this didn't help either.

--
regards,
Jens Ådne Rydland
Rich Megginson
2009-Nov-04 15:34 UTC
Re: [389-users] Admin-console doesn't work after upgrade
Jens Ådne Rydland wrote:
> On Wed, Nov 04, 2009 at 07:22:53AM -0700, Rich Megginson wrote:
>> Jens Ådne Rydland wrote:
>>> Right. And when I try to run setup-ds-admin.pl -u I'm asked about misc.
>>> information that I don't have readily available, but most of it is
>>> auto-filled in, and I guess it is stored in some configuration file from
>>> the previous time the admin-server was set up?
>>
>> Right. /etc/dirsrv/admin-serv/adm.conf mostly. The only information
>> you must provide is the admin password. Everything else should be
>> auto-filled in.
>
> Yes, everything is auto-filled in, except that when using just the
> auto-filled in information I get the error "Invalid credentials". So I
> suspected that I had somehow gotten the password wrong, and tried
> resetting it, but this didn't help.
>
>>> Seems like no matter what I enter it returns "Error: No such object" or
>>> "Error: Invalid credentials". At least the last one I suppose means it
>>> managed to connect to the LDAP server, but got the wrong admin password
>>> or something? If it is the wrong password, how can I reset it?
>>
>> Do you use the console? What username and password do you use? I
>> suppose you could also use the directory manager DN and password for
>> your configuration directory server (the server that holds the
>> o=NetscapeRoot information).
>
> Using the console isn't possible as the console doesn't start, as stated
> in my first message in this thread. That is, I can't login with the
> console at least, it fails with
> "netscape.ldap.LDAPException: error result (32); No such object".
>
> I use the same username and password for the console that I've always
> used, and this is the same as what I enter when running
> setup-ds-admin.pl, which is rejected with "Error: Invalid credentials".

Try this:
ldapsearch -x -h configdshostname -D "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot" -w "consoleuserpassword" -s base -b "o=netscaperoot"

The -D binddn should be the same as what's in /etc/dirsrv/admin-serv/adm.conf

If this command gives you Invalid credentials, then you have most likely forgotten your console admin password, which is _not_ the same as the directory manager password, which is why following the directions below did not do anything.

If you need to reset your console admin password, do something like this:
ldapmodify -x -h configdshostname -D "cn=directory manager" -w dirmgrpassword
dn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
changetype: modify
replace: userPassword
userPassword: thenewpassword

> I have also tried resetting this password following the howto at
> http://directory.fedoraproject.org/wiki/Howto:ResetDirMgrPassword, but
> this didn't help either.
Jens Ådne Rydland
2009-Nov-04 15:53 UTC
Re: [389-users] Admin-console doesn't work after upgrade
On Wed, Nov 04, 2009 at 08:34:40AM -0700, Rich Megginson wrote:
> Try this:
> ldapsearch -x -h configdshostname -D "uid=admin, ou=Administrators,
> ou=TopologyManagement, o=NetscapeRoot" -w "consoleuserpassword" -s base
> -b "o=netscaperoot"
>
> The -D binddn should be the same as what's in
> /etc/dirsrv/admin-serv/adm.conf
>
> If this command gives you Invalid credentials, then you have most likely
> forgotten your console admin password, which is _not_ the same as the
> directory manager password, which is why following the directions below
> did not do anything.
>
> If you need to reset your console admin password, do something like this:
> ldapmodify -x -h configdshostname -D "cn=directory manager" -w
> dirmgrpassword
> dn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
> changetype: modify
> replace: userPassword
> userPassword: thenewpassword

Ah, yes, that fixed it, now the console works, thank you.

--
regards,
Jens Ådne Rydland
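
Added example (not part of the original thread and not code from the 389 project): the bind check quoted above as a shell helper that reads the bind DN from adm.conf, passes the password from a file with -y instead of -w on the command line, and maps the ldapsearch exit status to the two errors seen in this thread. The userdn key name, the helper names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Helper names and the sample adm.conf are constructed.

# Constructed sample of /etc/dirsrv/admin-serv/adm.conf (key names assumed).
sample_adm_conf() {
    cat <<'EOF'
ldapurl: ldap://configds.example.com:389/o=NetscapeRoot
userdn: uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot
EOF
}

# Print the value of a "key: value" line from an adm.conf-style file.
adm_conf_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# OpenLDAP client tools exit with the LDAP result code of the failed operation.
diagnose_bind_rc() {
    case "$1" in
        0)  echo "ok: console admin bind works" ;;
        32) echo "no such object: is this the server that holds o=NetscapeRoot?" ;;
        49) echo "invalid credentials: console admin password is wrong" ;;
        *)  echo "other failure: LDAP result code $1" ;;
    esac
}

# The bind test from the thread, with the password read from a file (-y)
# instead of -w, so it stays out of the process list and shell history.
# -y uses the whole file as the password, so the file must not end with a
# newline; keep it readable by its owner only (mode 0600).
check_console_bind() {   # usage: check_console_bind adm.conf host pwfile
    binddn=$(adm_conf_value userdn "$1")
    [ -n "$binddn" ] || { echo "no userdn in $1"; return 2; }
    ldapsearch -x -h "$2" -D "$binddn" -y "$3" -s base -b "o=netscaperoot" \
        >/dev/null 2>&1
    diagnose_bind_rc "$?"
}

# Offline demo on the constructed sample (no server is contacted).
demo_conf=$(mktemp)
sample_adm_conf > "$demo_conf"
echo "bind DN: $(adm_conf_value userdn "$demo_conf")"
diagnose_bind_rc 49
rm -f "$demo_conf"
```

The same -y option works for the ldapmodify reset, so the directory manager password need not appear on the command line either.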