On 05/18/2018 04:07 PM, None via FreeIPA-users wrote:
> On 18/05/18 at 16:52, Mark Reynolds wrote:
>>
>> On 05/18/2018 03:13 PM, i...@tecnoaccion.com.ar wrote:
>>> On 18/05/18 at 16:09, Mark Reynolds wrote:
>>>> On 05/18/2018 03:01 PM, None via FreeIPA-users wrote:
>>>>> hi!
>>>>>
>>>>> I'm new to FreeIPA, I inherited a FreeIPA infrastructure, and I'm
>>>>> trying to have a Nagios check for the replication status (without
>>>>> indicating a password). I found this article:
>>>>> <https://danieljamesscott.org/11-articles/application-guides/26-freeipa-replication-monitoring.html>.
>>>>>
>>>>>
>>>>> It's exactly what I want to do
>>>>>
>>>>> but, when I try to do the ldapmodify thing with
>>>>> grant_anonymous_replication_view.ldif (only changing
>>>>> cn="dc=example,dc=com" according to my installation), I get:
>>>>>
>>>>> $ ldapmodify -x -D "cn=directory manager" -W -f
>>>>> grant_anonymous_replication_view.ldif -h ipa.mydomain.com.ar
>>>>> Enter LDAP Password:
>>>>>
>>>>>
>>>>> and it doesn't accept admin or directory manager password (?)
>>>> Do you get an invalid credentials error (49), or?
>>>
>>> that's right, I get:
>>> ldap_bind: Invalid credentials (49)
>>>
>>>
>>>
>>>>> do I have to make other changes to the ldif?
>>>> No
>>>>> or, what is the password I need?
>>>> Only you would know, if you don't know it then you can always reset
>>>> the
>>>> directory manager password:
>>>>
>>>> http://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html
>>>
>>> I do have admin and directory manager password, I tried with both, and
>>> I got the same result (?)
>> Sounds like you don't have the correct password if you are getting error
>> 49.  The only other thing it could be is that the "cn=directory manager"
>> account is not set up as "cn=directory manager" in your setup.  You can
>> confirm by grepping for "nsslapd-rootdn" from
>> /etc/dirsrv/slapd-YOUR_INSTANCE/dse.ldif.  If it is set to "cn=directory
>> manager", then you have the wrong password and you should reset it.
>> Otherwise you have the wrong DN.  It's one or the other.
>
>
> great!
>
> it was the wrong password... Now I get this:
>
> ldapmodify: wrong attributeType at line 5, entry
> "cn="dc=example,dc=com",cn=mapping tree,cn=config"
>
>
> the full ldif is:
>
> dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci:
> (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
> 3.0; aci "permission:Read Replication Agreements"; allow (read,
> search, compare) groupdn = "ldap:///anyone";;)

I think the problem is the aci value.  It's multiple lines, maybe it's
wrapped weird.  There's a few ways to fix it.  In LDAP you would precede
a line break with a space.  So something like this:

dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)
 (objectclass=nsDSWindowsReplicationAgreement))")(version
  3.0; aci "permission:Read Replication Agreements"; allow
  (read, search, compare) groupdn = "ldap:///anyone";;)

Or, it has to be one long line.  I am attaching a ldif with two examples
you can pick from.
>
>
>
> where "example" is the name of my domain without tld
>
>
> do I need to change another thing in the ldif?
>
>
> thanks in advance,
> René
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/DWRVK75TX74VYQR5CBLSWJQRMSCX6NSG/

dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)
 (objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; 
 aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";;)



Or

dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";;)
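
Added example (not part of the original thread or its attachment): a Python check that applies RFC 2849 line folding to the record discussed above. It shows which physical lines a parser cannot read when a wrapped value has no leading space, and that a fold placed at a space must keep that space. The function names and sample strings are constructed for illustration.

```python
import re

# "attr:" start of an LDIF line: name or numeric OID, optional ;options, then ':'
ATTR_LINE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)(;[A-Za-z0-9-]+)*:')

def unfold(ldif):
    """RFC 2849: a line starting with a space continues the previous line,
    and exactly that one space is dropped when the lines are joined."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(' ') and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def lint(ldif):
    """1-based numbers of physical lines that are not a continuation, comment,
    blank line, '-' separator or 'attr: value' line."""
    return [n for n, line in enumerate(ldif.splitlines(), 1)
            if line not in ('', '-') and line[0] not in ' #'
            and not ATTR_LINE.match(line)]

def aci_value(ldif):
    """Value of the first aci attribute after unfolding, or None."""
    for line in unfold(ldif):
        if line.startswith('aci:'):
            return line[4:].lstrip(' ')
    return None

# Constructed samples built from the record quoted in the thread.
HEAD = ('dn: cn="dc=example,dc=com",cn=mapping tree,cn=config\n'
        'changetype: modify\nadd: aci\n')
ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)'
       '(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci '
       '"permission:Read Replication Agreements"; allow (read, search, compare) '
       'groupdn = "ldap:///anyone";;)')
# Mail-client style wrap: value starts on its own line, no leading spaces.
WRAPPED = HEAD + 'aci:\n' + ACI.replace(' 3.0', '\n3.0').replace(' search', '\nsearch') + '\n'
# Fold at a space with one leading space: the separating space is lost.
FOLD_LOSSY = HEAD + 'aci: ' + ACI.replace(' 3.0', '\n 3.0') + '\n'
# Fold at a space with two leading spaces: one is the fold marker, one is kept.
FOLD_OK = HEAD + 'aci: ' + ACI.replace(' 3.0', '\n  3.0') + '\n'

if __name__ == '__main__':
    print('bad lines in wrapped copy:', lint(WRAPPED))
    print('lossy fold keeps value:', aci_value(FOLD_LOSSY) == ACI)
    print('two-space fold keeps value:', aci_value(FOLD_OK) == ACI)
```

Running the same check on an LDIF file before handing it to ldapmodify shows whether the value the server will receive is the one intended.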