By: Sankar Balasubramaniam user 20 Feb 2017 at 3:14 a.m. CST

6 Responses
I was able to set up the cache refresh process to bind with an existing AD server by following the instructions under https://www.gluu.org/gluu-server-cache-refresh-configuration-part-1/, part-2 and part-3. As mentioned in https://github.com/rngadam/docs-1/blob/master/sources/articles/cache-refresh.md, I enabled 'Keep External Person' during the setup and expected that I would be able to log in as admin after the cache refresh. But I couldn't. Then I tried to follow the instructions under 'https://gluu.org/docs/operation/faq/#no-admin-access-after-cache-refresh' to see if I can add my personal id to the admin group. But the '/opt/opendj/bin/ldapsearch' command fails as below:

-bash-4.2# /opt/opendj/bin/ldapsearch -h localhost -p 1636 -D "cn=directory manager" -j ~/.pw -Z -X -b "o=gluu" "uid=$newgluuadmin" uid givenName sn cn
The simple bind attempt failed
Result Code: 49 (Invalid Credentials)

Can you please advise on how to gain admin access after cache refresh?

By Mohib Zico staff 20 Feb 2017 at 4:03 a.m. CST

BindDN should be 'cn=directory manager,o=gluu'.

By Sankar Balasubramaniam user 20 Feb 2017 at 4:55 a.m. CST

Hi Mohib, I tried with the following variations but still simple bind fails.

1) I remember mapping only sn, uid and cn attributes with AD. I didn't have givenName, so I excluded it here.

/opt/opendj/bin/ldapsearch -h localhost -p 1636 -D "cn=directory manager,o=gluu" -j ~/.pw -Z -X -b "cn=o=gluu" "uid=$newgluuadmin" uid sn cn

2) Just added -D "cn=directory manager,o=gluu" like you suggested:

/opt/opendj/bin/ldapsearch -h localhost -p 1636 -D "cn=directory manager,o=gluu" -j ~/.pw -Z -X -b "o=gluu" "uid=$newgluuadmin" uid givenName sn cn

By Michael Schwartz Account Admin 20 Feb 2017 at 1:10 p.m. CST

The user `cn=directory manager,o=gluu` is already present. It was a change from 2.x-->3.x (OpenLDAP require a super user in each namespace). To give your LDAP user the admin role in oxTrust, just make sure the DN of that user is listed as a `member` of the Manager group.

By Sankar Balasubramaniam user 23 Feb 2017 at 3:45 a.m. CST

Hi Mike, Apologies for the delay. What should be the password in '~/.pw' file for the user 'cn=directory manager,o=gluu' ?

By Mohib Zico staff 01 Mar 2017 at 2:15 p.m. CST

>> What should be the password in '~/.pw' file for the user 'cn=directory manager,o=gluu' ?

.pw is the password which you used during installation.

By Sankar Balasubramaniam user 07 Mar 2017 at 10:39 a.m. CST

Hi, I was able to proceed further after adding the original admin password and -D "cn=directory manager,o=gluu". But the '/opt/opendj/ldif/groups.ldif' file was empty by default, so the following command failed:

-bash-4.2# head -n1 /opt/opendj/ldif/groups.ldif > $ldiffile
head: cannot open ‘/opt/opendj/ldif/groups.ldif’ for reading: No such file or directory

So the addManagers.ldif didn't have the DN entry and hence resulted in the error:

-bash-4.2# /opt/opendj/bin/ldapmodify -h localhost -p 1636 -D "cn=directory manager,o=gluu" -j ~/.pw -Z -X -f addManagers.ldif
Error at or near line 1 in LDIF file addManagers.ldif: org.opends.server.util.LDIFException: Unable to parse LDIF entry starting at line 1 because the first line does not contain a DN (the first line was "changetype: modify"

Any idea why '/opt/opendj/ldif/groups.ldif' file was empty, or how to proceed further with this?
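The ldapmodify failure above comes from an LDIF change record whose first line is not a dn line, because `head -n1` on a missing groups.ldif wrote nothing. The following is an added example, not code from this thread or from Gluu: it takes the Manager group's DN from ldapsearch output instead of groups.ldif, refuses to write the file when no DN was found, and then builds the modify record the FAQ procedure expects. The group DN, display name and user DN are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the thread or Gluu): build addManagers.ldif from a group
# entry returned by ldapsearch rather than from /opt/opendj/ldif/groups.ldif.

# Pull the "dn:" line out of LDIF search output read on stdin; fail if there is
# none, so an empty search result never yields a file starting "changetype: modify".
extract_dn() {
  dn=$(sed -n 's/^dn: //p' | head -n1)
  [ -n "$dn" ] || return 1
  printf '%s\n' "$dn"
}

# Write a modify record adding user_dn as a member of group_dn. The record must
# begin with the dn line, which is exactly what ldapmodify rejected in the thread.
build_add_member_ldif() {
  group_dn="$1"; user_dn="$2"; out="$3"
  [ -n "$group_dn" ] || return 1   # never write a record without a DN
  printf 'dn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
    "$group_dn" "$user_dn" > "$out"
}

# Constructed sample of what an ldapsearch for the manager group might return
# (placeholder inum and name, not real values from a Gluu server).
SAMPLE_GROUP_LDIF='dn: inum=EXAMPLE-GROUP,ou=groups,o=gluu
objectClass: gluuGroup
displayName: Example Manager Group
'

# Against a live server the search output would be piped in instead, e.g.
#   /opt/opendj/bin/ldapsearch -h localhost -p 1636 -D "cn=directory manager,o=gluu" \
#     -j ~/.pw -Z -X -b "o=gluu" "(displayName=Example Manager Group)" dn | extract_dn
```

Run `extract_dn` on the search output first and only call `build_add_member_ldif` when it succeeds; a non-zero exit means the group was not found and the LDIF should not be written.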