Hi Flo, Thanks so much for your detailed and fast response. I'm using "reply all" - is that the correct action here?Or should I just be replying to freeipa-users only? I didn't see anything about it in the list guidelines...
I tried my best to do what you suggested: > In order to diagnose the DuplicateEntry issue, you can have a look at 389ds > log files in /var/log/dirsrv/slapd-<DOMAIN>. The access file contains the > access log and you should see an ADD operation with the dn of the user you're > trying to create. > Once you have located the line, note the conn=xx number as well as the op=yy > number and look for the result of this operation, with the same conn= and op= > values: In the access_log I can see the searches taking place: 8/Mar/2022:19:16:12.259426408 +101800] conn=3123 fd=95 slot=95 connection from 192.168.100.130 to 192.168.100.130 [08/Mar/2022:19:16:12.262755827 +101800] conn=3123 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO [08/Mar/2022:19:16:12.265064697 +101800] conn=3123 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000201096 optime=0.002320006 etime=0.002518948 dn="uid=admin,cn=users,cn=accounts,dc=[removed],dc=net" [08/Mar/2022:19:16:12.268399248 +101800] conn=3123 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=[removed],dc=net" scope=0 filter="(objectClass=*)" attrs=ALL [08/Mar/2022:19:16:12.269620613 +101800] conn=3123 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000106498 optime=0.001222174 etime=0.001326049 [08/Mar/2022:19:16:12.271806550 +101800] conn=3123 op=2 SRCH base="uid=mynewuser,cn=deleted users,cn=accounts,cn=provisioning,dc=[removed],dc=net" scope=0 filter="(objectClass=*)" attrs="distinguishedName" [08/Mar/2022:19:16:12.272126465 +101800] conn=3123 op=2 RESULT err=32 tag=101 nentries=0 wtime=0.000093627 optime=0.000321737 etime=0.000412649 [08/Mar/2022:19:16:12.273027239 +101800] conn=3123 op=3 SRCH base="cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=[removed],dc=net" scope=0 filter="(objectClass=*)" attrs="* aci" [08/Mar/2022:19:16:12.273566108 +101800] conn=3123 op=3 RESULT err=0 tag=101 nentries=1 wtime=0.000098087 optime=0.000540082 etime=0.000635405 [08/Mar/2022:19:16:12.274714387 +101800] conn=3123 op=4 SRCH base="cn=mynewuser,cn=groups,cn=accounts,dc=[removed],dc=net" scope=0 filter="(objectClass=*)" attrs="distinguishedName" [08/Mar/2022:19:16:12.275024708 +101800] conn=3123 op=4 RESULT err=32 tag=101 nentries=0 wtime=0.000095170 optime=0.000311745 etime=0.000404349 [08/Mar/2022:19:16:12.281628405 +101800] conn=3123 op=5 ADD dn="uid=mynewuser,cn=users,cn=accounts,dc=[removed],dc=net", add values for type objectClass failed [08/Mar/2022:19:16:12.281702770 +101800] conn=3123 op=5 RESULT err=20 tag=105 nentries=0 wtime=-4219620.593567071 optime=4219619.406721314 etime=0.000285773 [08/Mar/2022:19:16:12.282506634 +101800] conn=3123 op=6 UNBIND [08/Mar/2022:19:16:12.282534963 +101800] conn=3123 op=6 fd=95 closed error - U1 Results are err=32 (noSuchObject) when searching for the user first and then err=20 (attributeOrValueExists) when trying to add it.... Hmmm. Seems odd to me. > If the log file doesn't contain enough details, there are also additional > steps that can help: > - increase the error log level as described in > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_errorlog_level_Error_Log_Level > - enable the audit log as described in > https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_auditlog_logging_enabled_Audit_Log_Enable_Logging > So I tried to increase the log level and enable the audit log. I did some reading and then the following actions, I'm not 100% sure if this was correct, but it seemed successful: # ldapmodify -x -D "cn=directory manager" -W Enter LDAP Password: dn: cn=config changetype: modify replace: nsslapd-errorlog-level nsslapd-errorlog-level: 1024 [CTRL-D] modifying entry "cn=config" (And repeat for nsslapd-auditlog-logging-enabled: on) # ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -x -s base -b 'cn=config' | grep errorlog Enter LDAP Password: nsslapd-errorlog-level: 128 nsslapd-errorlog-logging-enabled: on [...] I tried with various levels, but strangely above 128 I get no log entries at all in error_log and from 128 and below I get thousands. Every single line seems to be prefixed with NSACLPlugin and nothing looked useful to my eye... /var/log/dirsrv/slapd-[REMOVED]-NET/errors [08/Mar/2022:20:39:51.039696183 +101800] - DEBUG - NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt target_attr_not allow_rule ) [08/Mar/2022:20:39:51.040371707 +101800] - DEBUG - NSACLPlugin - ACI RULE type:(groupdn ) [08/Mar/2022:20:39:51.041071014 +101800] - DEBUG - NSACLPlugin - Slapi_Entry DN:dc=[removed],dc=net [08/Mar/2022:20:39:51.041730833 +101800] - DEBUG - NSACLPlugin - ***END ACL INFO***************************** [08/Mar/2022:20:39:51.042491716 +101800] - DEBUG - NSACLPlugin - acl__scan_for_acis - Num of ALLOW Handles:3, DENY handles:0 [08/Mar/2022:20:39:51.043154236 +101800] - DEBUG - NSACLPlugin - acl_access_allowed - Processed attr:uid for entry:uid=postfix,cn=users,cn=accounts,dc=[removed],dc=net [08/Mar/2022:20:39:51.043930791 +101800] - DEBUG - NSACLPlugin - acl__TestRights - 1. Evaluating ALLOW aci(93) " "permission:System: Read User Standard Attributes"" [08/Mar/2022:20:39:51.044651773 +101800] - DEBUG - NSACLPlugin - acl__TestRights - Found SEARCH ALLOW in cache Did I enable the debug logging correctly? Thanks Pillarama _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
