> On 14 Apr 2020, at 23:45, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:
>
> That… could be possible. One key difference between testing and production
> is that testing has a single master where production has a multi-master
> cluster. I don’t recall setting a range in production, since I only had DNA
> enabled on a single member of the cluster at that point. I’ll take a look in
> that direction.

Yeah, I seem to recall that DNA is quite fiddly to get set up correctly. I'd probably reread the docs:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/dna

I haven't personally configured it in a long time, but if that doesn't get you going, I'll have a look further.

Perhaps also check you are using the magic value:

uidNumber: 0

Absent attributes don't trigger DNA, you need the magic value iirc.

>
> Thanks,
>
> James
>
>
>> On Apr 13, 2020, at 7:30 PM, William Brown <wbr...@suse.de> wrote:
>>
>> Could it be that the server hasn't allocated a DNA range from the DNA master?
>>
>>> On 14 Apr 2020, at 05:51, CHAMBERLAIN James <james.chamberl...@3ds.com>
>>> wrote:
>>>
>>> Hi Mark,
>>>
>>> The test user I’m trying to add looks like this:
>>>
>>> dn: uid=testuser1,ou=People,dc=example,dc=com
>>> uid: testuser1
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: top
>>> sn: Chamberlain
>>> gidNumber: 1000
>>> gecos: James Chamberlain
>>> cn: James Chamberlain
>>> homeDirectory: /home/testuser1
>>> givenName: James
>>> loginShell: /bin/bash
>>>
>>> I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.
>>>
>>> Here’s the clip from the failed add:
>>>
>>> [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory Manager" method=128 version=3
>>> [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000152598 dn="cn=Directory Manager"
>>> [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD dn="uid=testuser1,ou=People,dc=example,dc=com"
>>> [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
>>> [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
>>> [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 nentries=0 etime=0.0031312230
>>>
>>> Best regards,
>>>
>>> James Chamberlain
>>>
>>>
>>>> On Apr 13, 2020, at 2:53 PM, Mark Reynolds <mreyno...@redhat.com> wrote:
>>>>
>>>> Okay, so logging in DNA stinks in this scenario. It does a lot of
>>>> internal searches and if one of them "fails" you get an operations error.
>>>> So we need to enable other logging...
>>>>
>>>> First what does the entry look like that you are trying to add?
>>>>
>>>> Second, run this ldapmodify
>>>>
>>>> ldapmodify -D "cn=directory manager" -W
>>>> dn: cn=config
>>>> changetype: modify
>>>> # 260 = default level 256 plus 4 for internal operations
>>>> replace: nsslapd-accesslog-level
>>>> nsslapd-accesslog-level: 260
>>>> -
>>>> replace: nsslapd-plugin-logging
>>>> nsslapd-plugin-logging: on
>>>>
>>>>
>>>> Then add another user, wait 30 seconds for the access log to buffer, and
>>>> then provide the access log clip from the failed add.
>>>>
>>>> Thanks,
>>>> Mark
>>>>
>>>>
>>>> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>>>>> Hi Mark,
>>>>>
>>>>> Thanks for getting back to me. After adjusting nsslapd-errorlog-level,
>>>>> here’s what I’ve got.
>>>>>
>>>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter
>>>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
>>>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1
>>>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1]
>>>>>
>>>>> And here’s the DNA config:
>>>>>
>>>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>>>> objectClass: top
>>>>> objectClass: extensibleObject
>>>>> cn: UID numbers
>>>>> dnaType: uidNumber
>>>>> dnamaxvalue: 100000
>>>>> dnamagicregen: 0
>>>>> dnafilter: (objectclass=posixAccount)
>>>>> dnascope: dc=example,dc=com
>>>>> dnanextvalue: 25000
>>>>>
>>>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>>>> objectClass: top
>>>>> objectClass: extensibleObject
>>>>> cn: GID numbers
>>>>> dnaType: gidNumber
>>>>> dnamaxvalue: 100000
>>>>> dnamagicregen: 0
>>>>> dnafilter: (objectclass=posixGroup)
>>>>> dnascope: dc=example,dc=com
>>>>> dnanextvalue: 25000
>>>>>
>>>>> Best regards,
>>>>>
>>>>> James
>>>>>
>>>>>
>>>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreyno...@redhat.com> wrote:
>>>>>>
>>>>>> Enabling plugin logging will provide a little more detail about what is
>>>>>> going wrong:
>>>>>>
>>>>>> ldapmodify -D "cn=directory manager" -W
>>>>>> dn: cn=config
>>>>>> changetype: modify
>>>>>> replace: nsslapd-errorlog-level
>>>>>> nsslapd-errorlog-level: 65536
>>>>>>
>>>>>>
>>>>>> After running the test you can disable the debug plugin logging by
>>>>>> setting the log level to zero.
>>>>>>
>>>>>> Then share what information is logging when you add a new user. This
>>>>>> is most likely a configuration error so hopefully we can find out what
>>>>>> went wrong in your set up. Can you also provide the DNA config entries?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.
>>>>>>> Everything worked fine in testing, but now that it’s in production I’m
>>>>>>> seeing the following error:
>>>>>>>
>>>>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>>>>
>>>>>>> I’ve followed the advice in the knowledge base
>>>>>>> (https://access.redhat.com/solutions/875133), about adding an equality
>>>>>>> index with an nsMatchingRule of integerOrderingMatch, but have not seen
>>>>>>> any difference in the server’s behavior. Any ideas what I should try
>>>>>>> next?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> James
>>>>>>> This email and any attachments are intended solely for the use of the
>>>>>>> individual or entity to whom it is addressed and may be confidential
>>>>>>> and/or privileged.
>>>>>>> If you are not one of the named recipients or have received this email
>>>>>>> in error,
>>>>>>> (i) you should not read, disclose, or copy it,
>>>>>>> (ii) please notify sender of your receipt by reply email and delete
>>>>>>> this email and all attachments,
>>>>>>> (iii) Dassault Systèmes does not accept or assume any liability or
>>>>>>> responsibility for any use of or reliance on this email.
>>>>>>>
>>>>>>> Please be informed that your personal data are processed according to
>>>>>>> our data privacy policy as described on our website. Should you have
>>>>>>> any questions related to personal data protection, please contact 3DS
>>>>>>> Data Protection Officer at 3ds.compliance-priv...@3ds.com
>>>>>>>
>>>>>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> 389-users mailing list --
>>>>>>> 389-users@lists.fedoraproject.org
>>>>>>>
>>>>>>> To unsubscribe send an email to
>>>>>>> 389-users-le...@lists.fedoraproject.org
>>>>>>>
>>>>>>> Fedora Code of Conduct:
>>>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>>>>
>>>>>>> List Guidelines:
>>>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>>
>>>>>>> List Archives:
>>>>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>>>>>> --
>>>>>>
>>>>>> 389 Directory Server Development Team
>>>>>>
>>>>
>>>> --
>>>>
>>>> 389 Directory Server Development Team
>>>>
>>
>> —
>> Sincerely,
>>
>> William Brown
>>
>> Senior Software Engineer, 389 Directory Server
>> SUSE Labs

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs
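
Added example, not part of the thread and not 389 Directory Server project code: a small parser for the access-log clip quoted above that pairs each request with its RESULT by connection and operation number and reports the ones that failed. The line layout is assumed from the six quoted lines only, and the function and variable names are illustrative.

```python
import re

# Access-log lines quoted in the thread, re-joined where the mail client had
# wrapped them. The line layout is assumed from these six lines only.
SAMPLE_LOG = """\
[13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000152598 dn="cn=Directory Manager"
[13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD dn="uid=testuser1,ou=People,dc=example,dc=com"
[13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
[13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
[13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 nentries=0 etime=0.0031312230
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.+)$')
REQUEST = re.compile(r'^(?P<verb>[A-Z]+)\b(?: dn="(?P<dn>[^"]*)")?')
RESULT = re.compile(r'^RESULT err=(?P<err>-?\d+)\b(?:.*?\betime=(?P<etime>[\d.]+))?')


def failed_operations(log_text):
    """Return one dict per operation whose RESULT carries a non-zero err.

    Pairing is on (conn, op), not line order: in the sample, the RESULT of
    op=1 is written after the UNBIND of op=2.
    """
    pending = {}    # (conn, op) -> (timestamp, verb, dn) of the request line
    failures = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue    # lines not in the plain "conn=N op=N" form are skipped
        key = (int(line["conn"]), int(line["op"]))
        result = RESULT.match(line["rest"])
        if result:
            ts, verb, dn = pending.pop(key, (None, "UNKNOWN", None))
            if int(result["err"]) != 0:
                failures.append({"conn": key[0], "op": key[1], "verb": verb,
                                 "dn": dn, "err": int(result["err"]),
                                 "requested": ts, "answered": line["ts"],
                                 "etime": result["etime"]})
            continue
        request = REQUEST.match(line["rest"])
        if request:
            pending[key] = (line["ts"], request["verb"], request["dn"])
    return failures
```

On the clip from the thread this reports the single failed ADD with err=1, the LDAP operationsError result code, which only says that something inside the server failed; the dna-plugin lines in the errors log are where the reason appears.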