Hello Everyone, Can't log in to directory admin console.
On directory server set
nsslapd-allow-anonymous-access: rootdse
but the Netscape admin account can't get access to read the config.
From my perspective this is a blocker; the admin group can't manage it.
Workaround steps: To work around the problem, could you try these steps?
1. Stop the server.
2. Edit /etc/dirsrv/slapd-YOURSERVER/dse.ldif as follows:
   nsslapd-allow-anonymous-access: on
3. Restart the server and log in from the Console. I think it's successful.
4. Stop the server and set nsslapd-allow-anonymous-access back to rootdse.
5. Restart the server.
6. Please try to log in from the Console again. It's supposed to work.
Note: searching "uid=<admin>" to get its DN should be done somehow even if rootdse is set. If anon search is not available, we should prompt something else (e.g., directory manager?) to obtain the admin DN and store it? Or if it is available at the install time, we should pick it up and store it?
Adminutil Patch 0001-Ticket-47850-nsslapd-allow-anonymous-access-rootdse-.2.patch
If anonymous access is turned off on the configuration DS instance, we MUST use some account to bind with in order to resolve user IDs into real DNs. The idea here is to create a new user, used only for searching the o=netscaperoot and the user suffix(es). Then this DN and its clear-text password are stored in adm.conf. This account info is then retrieved to do the user id lookup when logging into the console.
I don't like storing the password in clear-text, but I'm not sure there is an easy way around this. The file is owned by the admin server user; if someone can access this file, then they can do a lot more damage than just searching the server (which can also be refined with ACLs).
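A check for the two points raised above, reverting the workaround to rootdse and keeping the file with the clear-text password owner-only. This is an added example, not code from the 389 patches; the file paths and the expected owner UID are supplied by the caller, and because the page does not show the adm.conf key names it inspects only the file's type, owner and mode.

```shell
#!/bin/sh
# Added example (not from the 389 patches). All paths and the UID are caller-supplied.

# Print nsslapd-allow-anonymous-access from the cn=config entry of a dse.ldif.
# Returns 1 if the attribute is not set explicitly in that entry.
anon_access_mode() {
    awk '
        /^\r?$/ { in_cfg = 0; next }    # a blank line ends the current entry
        tolower($0) ~ /^dn:[ \t]*cn=config[ \t\r]*$/ { in_cfg = 1; next }
        in_cfg && tolower($0) ~ /^nsslapd-allow-anonymous-access:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            print tolower($0); found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Succeed only if FILE is a regular file (no symlink), owned by UID, with no
# group or other permission bits, as a file holding a clear-text password should be.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    ls -ldn "$1" | {
        read -r perms links uid rest
        case $perms in
            -???------*) [ "$uid" = "$2" ] ;;
            *) false ;;
        esac
    }
}

# audit DSE_LDIF SECRET_FILE OWNER_UID: report both checks, return 1 on any warning.
audit() {
    rc=0
    anon=$(anon_access_mode "$1") || anon="not set"
    case $anon in
        rootdse|off) echo "OK   anonymous access: $anon" ;;
        *) echo "WARN anonymous access: $anon (workaround not reverted?)"; rc=1 ;;
    esac
    if secret_file_ok "$2" "$3"; then
        echo "OK   $2: owner-only permissions"
    else
        echo "WARN $2: wrong owner, type, or group/other access"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /path/to/dse.ldif /path/to/adm.conf EXPECTED_UID
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run it as a user that can read dse.ldif, passing the numeric UID of the admin server user as the third argument.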
Admin Server 0001-Ticket-47850-nsslapd-allow-anonymous-access-rootdse-.patch
To ssh://git.fedorahosted.org/git/389/admin.git
   100d11c..0ef82b0 master -> master
commit 0ef82b0123a7800402c9085353aafbd8a49a8fde
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Tue Sep 2 14:30:26 2014 -0400
To ssh://git.fedorahosted.org/git/389/adminutil.git
   069de33..83f800d master -> master
commit 83f800df5019b54c06b3c4cd1d5b64234f1f5d9d
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Tue Sep 2 11:20:09 2014 -0400
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 389-admin,console 1.1.36
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1181
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)