[389-users] Re: DNA plugin not working

2020-05-05 Thread Mark Reynolds

You should be able to create different entries under:

cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnatype: uidNumber
dnamaxvalue: 1
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 500

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnatype: gidNumber
dnamaxvalue: 1
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 500




On 5/5/20 1:57 PM, CHAMBERLAIN James wrote:
After a quick test, creating a second DNA entry under 
cn=plugins,cn=config was clearly not the way to go.  Adding it worked, 
but the test server refused to restart.  For any future reader who 
finds themselves in a similar situation, I got it back up and running 
again by removing that entry from /etc/dirsrv/slapd-/dse.ldif.


Best regards,

James

On May 5, 2020, at 12:45 PM, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:


Would adding the following create the second instance of DNA so I can 
manage UID and GID numbers separately, or am I overthinking this and 
it’s just a separate entry under cn=Distributed Numeric Assignment?


dn: cn=Distributed Numeric Assignment Plugin 2,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin 2
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: bepreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment 2
nsslapd-pluginVersion: 1.3.7.5
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin

Thanks,

James


On Apr 30, 2020, at 2:25 PM, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:


Is it possible to create multiple instances of the DNA plugin on 
CentOS 7 / RHDS 10 / 389-ds-base-1.3.7.5-28.el7_5.x86_64?  The 
section on how to do this was added to the RHDS 11 documentation, 
and uses dsconf to do it.  If it is possible, could anyone 
comment on what dsconf is doing behind the scenes so I can replicate 
that?


Thanks,

James

On Apr 17, 2020, at 6:17 PM, Mark Reynolds wrote:



On 4/17/20 5:19 PM, CHAMBERLAIN James wrote:

Hi all,

Thank you all for your help.  I’ve gotten DNA working.  I’ll be 
doing some further work to convince myself that I understand 
exactly what I did that got it working and can replicate it; but 
in the meantime, I had a question or two.


Do I correctly understand RHDS 11 Administration Guide, section 
7.4.3.1, to mean that if I want to have DNA manage uidNumber and 
gidNumber separately using different ranges, I’ll need to create 
two instances of the plugin?


I’m not finding dsconf on CentOS 7, including under “yum 
whatprovides ‘*/dsconf’”.  Am I missing something?  Was this tool 
released in something more recent than 1.3.7.5-28?


You need the RHDS 10 docs, only CentOS 8 has the new CLI tools 
(389-ds-base-1.4.x)


https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/

Sorry have to run, but I'll try and respond to your questions next 
week...




I suspect that the key differences between my original setup and 
what’s working now are the establishment of a dnaSharedCfgDN and 
non-overlapping initial ranges.  My original test setup was a 
single master server, which didn’t need these things.  It was 
suggested that I may need to include the attribute I wanted DNA to 
manage as part of creating an entry, and that I should give it 
dnaMagicRegen's value. However, this does not appear that it’s 
necessary - I was able to add a test user without specifying a 
uidNumber and DNA generated it for me.


Thanks,

James


On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:


Hi Thierry,

The thing is, while this is on the production multi-master 
cluster, it’s not being used yet.  Any new entries being added 
have uidNumber set explicitly, except for my test entry.  I’ve 
been trying a few things and have a different error message now 
but the same result.  I’ll update the thread shortly with further 
details.


Best regards,

James


On Apr 16, 2020, at 1:23 PM, thierry bordaz wrote:


Hi James,

I would guess that the allocated range is exhausted, means next 
value reached maxValue.

Possibly part of the range was taken by another replica.

You can try to get more details with

ldapmodify -D "cn=directory manager" -W
# 260 = default level 256 plus 4 for internal operations
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging

[389-users] Re: DNA plugin not working

2020-05-05 Thread CHAMBERLAIN James
Would adding the following create the second instance of DNA so I can manage 
UID and GID numbers separately, or am I overthinking this and it’s just a 
separate entry under cn=Distributed Numeric Assignment?

dn: cn=Distributed Numeric Assignment Plugin 2,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin 2
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: bepreoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment 2
nsslapd-pluginVersion: 1.3.7.5
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin

Thanks,

James


On Apr 30, 2020, at 2:25 PM, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:

Is it possible to create multiple instances of the DNA plugin on CentOS 7 / 
RHDS 10 / 389-ds-base-1.3.7.5-28.el7_5.x86_64?  The section on how to do this 
was added to the RHDS 11 documentation, and uses dsconf to do it.  If it is 
possible, could anyone comment on what dsconf is doing behind the scenes so I 
can replicate that?

Thanks,

James

On Apr 17, 2020, at 6:17 PM, Mark Reynolds <mreyno...@redhat.com> wrote:


On 4/17/20 5:19 PM, CHAMBERLAIN James wrote:
Hi all,

Thank you all for your help.  I’ve gotten DNA working.  I’ll be doing some 
further work to convince myself that I understand exactly what I did that got 
it working and can replicate it; but in the meantime, I had a question or two.

Do I correctly understand RHDS 11 Administration Guide, section 7.4.3.1, to 
mean that if I want to have DNA manage uidNumber and gidNumber separately using 
different ranges, I’ll need to create two instances of the plugin?

I’m not finding dsconf on CentOS 7, including under “yum whatprovides 
‘*/dsconf’”.  Am I missing something?  Was this tool released in something more 
recent than 1.3.7.5-28?

You need the RHDS 10 docs, only CentOS 8 has the new CLI tools 
(389-ds-base-1.4.x)

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/

Sorry have to run, but I'll try and respond to your questions next week...


I suspect that the key differences between my original setup and what’s working 
now are the establishment of a dnaSharedCfgDN and non-overlapping initial 
ranges.  My original test setup was a single master server, which didn’t need 
these things.  It was suggested that I may need to include the attribute I 
wanted DNA to manage as part of creating an entry, and that I should give it 
dnaMagicRegen's value. However, this does not appear that it’s necessary - I 
was able to add a test user without specifying a uidNumber and DNA generated it 
for me.

Thanks,

James


On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:

Hi Thierry,

The thing is, while this is on the production multi-master cluster, it’s not 
being used yet.  Any new entries being added have uidNumber set explicitly, 
except for my test entry.  I’ve been trying a few things and have a different 
error message now but the same result.  I’ll update the thread shortly with 
further details.

Best regards,

James


On Apr 16, 2020, at 1:23 PM, thierry bordaz <tbor...@redhat.com> wrote:

Hi James,

I would guess that the allocated range is exhausted, means next value reached 
maxValue.
Possibly part of the range was taken by another replica.

You can try to get more details with

ldapmodify -D "cn=directory manager" -W
# 260 = default level 256 plus 4 for internal operations
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on

and look at the entry

ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi


best regards
thierry
On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:
Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: 

[389-users] Re: DNA plugin not working

2020-04-30 Thread CHAMBERLAIN James
Is it possible to create multiple instances of the DNA plugin on CentOS 7 / 
RHDS 10 / 389-ds-base-1.3.7.5-28.el7_5.x86_64?  The section on how to do this 
was added to the RHDS 11 documentation, and uses dsconf to do it.  If it is 
possible, could anyone comment on what dsconf is doing behind the scenes so I 
can replicate that?

Thanks,

James

On Apr 17, 2020, at 6:17 PM, Mark Reynolds <mreyno...@redhat.com> wrote:


On 4/17/20 5:19 PM, CHAMBERLAIN James wrote:
Hi all,

Thank you all for your help.  I’ve gotten DNA working.  I’ll be doing some 
further work to convince myself that I understand exactly what I did that got 
it working and can replicate it; but in the meantime, I had a question or two.

Do I correctly understand RHDS 11 Administration Guide, section 7.4.3.1, to 
mean that if I want to have DNA manage uidNumber and gidNumber separately using 
different ranges, I’ll need to create two instances of the plugin?

I’m not finding dsconf on CentOS 7, including under “yum whatprovides 
‘*/dsconf’”.  Am I missing something?  Was this tool released in something more 
recent than 1.3.7.5-28?

You need the RHDS 10 docs, only CentOS 8 has the new CLI tools 
(389-ds-base-1.4.x)

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/

Sorry have to run, but I'll try and respond to your questions next week...


I suspect that the key differences between my original setup and what’s working 
now are the establishment of a dnaSharedCfgDN and non-overlapping initial 
ranges.  My original test setup was a single master server, which didn’t need 
these things.  It was suggested that I may need to include the attribute I 
wanted DNA to manage as part of creating an entry, and that I should give it 
dnaMagicRegen's value. However, this does not appear that it’s necessary - I 
was able to add a test user without specifying a uidNumber and DNA generated it 
for me.

Thanks,

James


On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:

Hi Thierry,

The thing is, while this is on the production multi-master cluster, it’s not 
being used yet.  Any new entries being added have uidNumber set explicitly, 
except for my test entry.  I’ve been trying a few things and have a different 
error message now but the same result.  I’ll update the thread shortly with 
further details.

Best regards,

James


On Apr 16, 2020, at 1:23 PM, thierry bordaz <tbor...@redhat.com> wrote:

Hi James,

I would guess that the allocated range is exhausted, means next value reached 
maxValue.
Possibly part of the range was taken by another replica.

You can try to get more details with

ldapmodify -D "cn=directory manager" -W
# 260 = default level 256 plus 4 for internal operations
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on

and look at the entry

ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi


best regards
thierry
On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:
Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000

Best regards,

James


On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreyno...@redhat.com> wrote:

Enabling plugin logging will provide a little more detail about what is going 
wrong:

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65536


After running the test you can disable the debug plugin logging by setting the 
log level to zero.

Then share what information is logging when you add a new user.   This is most 
likely a 

[389-users] Re: DNA plugin not working

2020-04-20 Thread CHAMBERLAIN James
On Apr 19, 2020, at 7:13 PM, William Brown <wbr...@suse.de> wrote:

On 18 Apr 2020, at 07:19, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:

Hi all,

Thank you all for your help.  I’ve gotten DNA working.  I’ll be doing some 
further work to convince myself that I understand exactly what I did that got 
it working and can replicate it; but in the meantime, I had a question or two.

Do I correctly understand RHDS 11 Administration Guide, section 7.4.3.1, to 
mean that if I want to have DNA manage uidNumber and gidNumber separately using 
different ranges, I’ll need to create two instances of the plugin?


Yes, but I'd advise against it. gidnumber and uidnumbers are effectively 
equivalent in linux/unix.

Consider you have a generic users group like:

william:students
alice:students

etc.

Well, now on every system you have to change the umasks to remove generic write 
from the group, else everyone can access everyone else's things. I believe there 
are also some rights from groups that may allow ptracing and other things.

This is why on FreeIPA they use the MEP to generate a user private group on the 
fly for every user. It's best to have every account generate just a gidnumber, 
and then duplicate that to the uidnumber for users only.

I've considered a weird but viable option would actually be a sssd.conf where you 
have ldap_user_uid_number point at gidNumber, and add posixGroup to every 
posixAccount, so you only need gidNumbers ….

My case may be an edge case these days.  We make extensive use of groups to 
grant multiple users access to common files.  We don’t do generic groups and 
groups never overlap; nor do user accounts ever change groups.


I’m not finding dsconf on CentOS 7, including under “yum whatprovides 
‘*/dsconf’”.  Am I missing something?  Was this tool released in something more 
recent than 1.3.7.5-28?

The dsconf and friends are centos 8 only, with 389-ds 1.4., I think mark said 
this in a different follow up.

Thanks for this note, both Mark and William.


I suspect that the key differences between my original setup and what’s working 
now are the establishment of a dnaSharedCfgDN and non-overlapping initial 
ranges.  My original test setup was a single master server, which didn’t need 
these things.  It was suggested that I may need to include the attribute I 
wanted DNA to manage as part of creating an entry, and that I should give it 
dnaMagicRegen's value. However, this does not appear that it’s necessary - I 
was able to add a test user without specifying a uidNumber and DNA generated it 
for me.

Thanks,

James


On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote:

Hi Thierry,

The thing is, while this is on the production multi-master cluster, it’s not 
being used yet.  Any new entries being added have uidNumber set explicitly, 
except for my test entry.  I’ve been trying a few things and have a different 
error message now but the same result.  I’ll update the thread shortly with 
further details.

Best regards,

James


On Apr 16, 2020, at 1:23 PM, thierry bordaz <tbor...@redhat.com> wrote:

Hi James,

I would guess that the allocated range is exhausted, means next value reached 
maxValue.
Possibly part of the range was taken by another replica.

You can try to get more details with

ldapmodify -D "cn=directory manager" -W
# 260 = default level 256 plus 4 for internal operations
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on

and look at the entry

ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi


best regards
thierry
On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:
Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID 

[389-users] Re: DNA plugin not working

2020-04-19 Thread William Brown


> On 18 Apr 2020, at 07:19, CHAMBERLAIN James  wrote:
> 
> Hi all,
> 
> Thank you all for your help.  I’ve gotten DNA working.  I’ll be doing some 
> further work to convince myself that I understand exactly what I did that got 
> it working and can replicate it; but in the meantime, I had a question or two.
> 
> Do I correctly understand RHDS 11 Administration Guide, section 7.4.3.1, to 
> mean that if I want to have DNA manage uidNumber and gidNumber separately 
> using different ranges, I’ll need to create two instances of the plugin?
> 

Yes, but I'd advise against it. gidnumber and uidnumbers are effectively 
equivalent in linux/unix. 

Consider you have a generic users group like:

william:students
alice:students

etc. 

Well, now on every system you have to change the umasks to remove generic write 
from the group, else everyone can access everyone else's things. I believe there 
are also some rights from groups that may allow ptracing and other things.

This is why on FreeIPA they use the MEP to generate a user private group on the 
fly for every user. It's best to have every account generate just a gidnumber, 
and then duplicate that to the uidnumber for users only. 

I've considered a weird but viable option would actually be a sssd.conf where you 
have ldap_user_uid_number point at gidNumber, and add posixGroup to every 
posixAccount, so you only need gidNumbers  


> I’m not finding dsconf on CentOS 7, including under “yum whatprovides 
> ‘*/dsconf’”.  Am I missing something?  Was this tool released in something 
> more recent than 1.3.7.5-28?

The dsconf and friends are centos 8 only, with 389-ds 1.4., I think mark said 
this in a different follow up. 

> 
> I suspect that the key differences between my original setup and what’s 
> working now are the establishment of a dnaSharedCfgDN and non-overlapping 
> initial ranges.  My original test setup was a single master server, which 
> didn’t need these things.  It was suggested that I may need to include the 
> attribute I wanted DNA to manage as part of creating an entry, and that I 
> should give it dnaMagicRegen's value.  However, this does not appear that 
> it’s necessary - I was able to add a test user without specifying a uidNumber 
> and DNA generated it for me.
> 
> Thanks,
> 
> James
> 
> 
>> On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James  
>> wrote:
>> 
>> Hi Thierry,
>> 
>> The thing is, while this is on the production multi-master cluster, it’s not 
>> being used yet.  Any new entries being added have uidNumber set explicitly, 
>> except for my test entry.  I’ve been trying a few things and have a 
>> different error message now but the same result.  I’ll update the thread 
>> shortly with further details.
>> 
>> Best regards,
>> 
>> James
>> 
>> 
>>> On Apr 16, 2020, at 1:23 PM, thierry bordaz  wrote:
>>> 
>>> Hi James,
>>> 
>>> I would guess that the allocated range is exhausted, means next value 
>>> reached maxValue.
>>> Possibly part of the range was taken by another replica.
>>> 
>>> You can try to get more details with
>>> 
>>> ldapmodify -D "cn=directory manager" -W
>>> # 260 = default level 256 plus 4 for internal operations
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-accesslog-level
>>> nsslapd-accesslog-level: 260
>>> -
>>> replace: nsslapd-plugin-logging
>>> nsslapd-plugin-logging: on
>>> 
>>> and look at the entry
>>> 
>>> ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi
>>> 
>>> 
>>> best regards
>>> thierry
>>> On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:
>>>> Hi Mark,
>>>>
>>>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>>>> here’s what I’ve got.
>>>>
>>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>>>> _dna_pre_op_add - dn does not match filter
>>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>>>> _dna_pre_op_add - adding uidNumber to 
>>>> uid=testuser1,ou=People,dc=example,dc=com as -2
>>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>>>> _dna_pre_op_add - retrieved value 0 ret 1
>>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - 
>>>> _dna_pre_op_add - Failed to allocate a new ID!! 2
>>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>>>> Operation failure [1]
>>>>
>>>> And here’s the DNA config:
>>>>
>>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>>>> Plugin,cn=plugins,cn=config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> cn: UID numbers
>>>> dnaType: uidNumber
>>>> dnamaxvalue: 10
>>>> dnamagicregen: 0
>>>> dnafilter: (objectclass=posixAccount)
>>>> dnascope: dc=example,dc=com
>>>> dnanextvalue: 25000
>>>>
>>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>>>> Plugin,cn=plugins,cn=config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> cn: GID numbers
>>>> dnaType: 

[389-users] Re: DNA plugin not working

2020-04-17 Thread Mark Reynolds


On 4/17/20 5:19 PM, CHAMBERLAIN James wrote:

Hi all,

Thank you all for your help.  I’ve gotten DNA working.  I’ll be doing some 
further work to convince myself that I understand exactly what I did that got 
it working and can replicate it; but in the meantime, I had a question or two.

Do I correctly understand RHDS 11 Administration Guide, section 7.4.3.1, to 
mean that if I want to have DNA manage uidNumber and gidNumber separately using 
different ranges, I’ll need to create two instances of the plugin?

I’m not finding dsconf on CentOS 7, including under “yum whatprovides 
‘*/dsconf’”.  Am I missing something?  Was this tool released in something more 
recent than 1.3.7.5-28?


You need the RHDS 10 docs, only CentOS 8 has the new CLI tools 
(389-ds-base-1.4.x)


https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/

Sorry have to run, but I'll try and respond to your questions next week...



I suspect that the key differences between my original setup and what’s working 
now are the establishment of a dnaSharedCfgDN and non-overlapping initial 
ranges.  My original test setup was a single master server, which didn’t need 
these things.  It was suggested that I may need to include the attribute I 
wanted DNA to manage as part of creating an entry, and that I should give it 
dnaMagicRegen's value.  However, this does not appear that it’s necessary - I 
was able to add a test user without specifying a uidNumber and DNA generated it 
for me.

Thanks,

James



On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James  
wrote:

Hi Thierry,

The thing is, while this is on the production multi-master cluster, it’s not 
being used yet.  Any new entries being added have uidNumber set explicitly, 
except for my test entry.  I’ve been trying a few things and have a different 
error message now but the same result.  I’ll update the thread shortly with 
further details.

Best regards,

James



On Apr 16, 2020, at 1:23 PM, thierry bordaz  wrote:

Hi James,

I would guess that the allocated range is exhausted, means next value reached 
maxValue.
Possibly part of the range was taken by another replica.

You can try to get more details with

ldapmodify -D "cn=directory manager" -W
# 260 = default level 256 plus 4 for internal operations
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on

and look at the entry

ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi


best regards
thierry
On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:

Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000

Best regards,

James



On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:

Enabling plugin logging will provide a little more detail about what is going 
wrong:

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65536


After running the test you can disable the debug plugin logging by setting the 
log level to zero.

Then share what information is logging when you add a new user.   This is most 
likely a configuration error so hopefully we can find out what went wrong in 
your set up.  Can you also provide the DNA config entries?

Thanks,

Mark

On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:

Hi all,

I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
Everything worked fine in testing, but now that it’s in production I’m seeing 
the following error:

ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2

I’ve followed the advice in the knowledge base 
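
The range check suggested in this thread (next value past maxValue), as an added example that is not part of any poster's message or of 389 Directory Server itself. It parses DNA config entries from LDIF and flags a range whose dnaNextValue is already above dnaMaxValue; going beyond the thread's single case, it also flags overlapping ranges for the same dnaType on different replicas. Assumptions: a dnaMaxValue of -1 (or an absent one) means no upper limit, and the server names and the uid_entry helper are hypothetical.

```python
import base64

# Constructed input: the two config entries quoted in the thread, trimmed to the
# attributes the check needs. The first DN is folded the way LDIF wraps long
# lines (a continuation line starts with one space).
THREAD_LDIF = """\
dn: cn=UID numbers,cn=Distributed Numeric Assignment Plug
 in,cn=plugins,cn=config
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000
"""


def uid_entry(next_value, max_value):
    """Build a hypothetical 'UID numbers' config entry for one replica."""
    return (
        "dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,"
        "cn=plugins,cn=config\n"
        "cn: UID numbers\n"
        "dnaType: uidNumber\n"
        f"dnaNextValue: {next_value}\n"
        f"dnaMaxValue: {max_value}\n"
    )


def parse_ldif(text):
    """Return a list of entries, each {lowercased attribute: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and raw.strip() and lines and lines[-1]:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif not raw.startswith("#"):     # drop LDIF comment lines
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def check_dna_config(servers):
    """servers maps a server name to the LDIF text of its DNA config entries.

    Returns (server, cn, problem) tuples, where problem is "exhausted" or
    "overlaps <other server>".
    """
    findings, seen = [], []
    for server, ldif in servers.items():
        for entry in parse_ldif(ldif):
            if "dnatype" not in entry or "dnanextvalue" not in entry:
                continue                  # not a DNA range entry
            cn = entry["cn"][0]
            dna_type = entry["dnatype"][0].lower()
            low = int(entry["dnanextvalue"][0])
            high = int(entry.get("dnamaxvalue", ["-1"])[0])
            if high != -1 and low > high:
                findings.append((server, cn, "exhausted"))
                continue                  # an empty range cannot overlap
            top = float("inf") if high == -1 else high
            for other, o_type, o_low, o_top in seen:
                if (other != server and o_type == dna_type
                        and low <= o_top and o_low <= top):
                    findings.append((server, cn, f"overlaps {other}"))
            seen.append((server, dna_type, low, top))
    return findings


if __name__ == "__main__":
    for finding in check_dna_config({"prod": THREAD_LDIF}):
        print(finding)
```
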

[389-users] Re: DNA plugin not working

2020-04-17 Thread CHAMBERLAIN James
Hi all,

Thank you all for your help.  I’ve gotten DNA working.  I’ll be doing some 
further work to convince myself that I understand exactly what I did that got 
it working and can replicate it; but in the meantime, I had a question or two.

Do I correctly understand RHDS 11 Administration Guide, section 7.4.3.1, to 
mean that if I want to have DNA manage uidNumber and gidNumber separately using 
different ranges, I’ll need to create two instances of the plugin?

I’m not finding dsconf on CentOS 7, including under “yum whatprovides 
‘*/dsconf’”.  Am I missing something?  Was this tool released in something more 
recent than 1.3.7.5-28?

I suspect that the key differences between my original setup and what’s working 
now are the establishment of a dnaSharedCfgDN and non-overlapping initial 
ranges.  My original test setup was a single master server, which didn’t need 
these things.  It was suggested that I may need to include the attribute I 
wanted DNA to manage as part of creating an entry, and that I should give it 
dnaMagicRegen's value.  However, this does not appear that it’s necessary - I 
was able to add a test user without specifying a uidNumber and DNA generated it 
for me.

Thanks,

James


> On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James  
> wrote:
>
> Hi Thierry,
>
> The thing is, while this is on the production multi-master cluster, it’s not 
> being used yet.  Any new entries being added have uidNumber set explicitly, 
> except for my test entry.  I’ve been trying a few things and have a different 
> error message now but the same result.  I’ll update the thread shortly with 
> further details.
>
> Best regards,
>
> James
>
>
>> On Apr 16, 2020, at 1:23 PM, thierry bordaz  wrote:
>>
>> Hi James,
>>
>> I would guess that the allocated range is exhausted, meaning the next value 
>> reached maxValue.
>> Possibly part of the range was taken by another replica.
>>
>> You can try to get more details with
>>
>> ldapmodify -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-accesslog-level
>> # default level 256 plus 4 for internal operations
>> nsslapd-accesslog-level: 260
>> -
>> replace: nsslapd-plugin-logging
>> nsslapd-plugin-logging: on
>>
>> and look at the entry: ldapsearch -D DM... -b "cn=UID 
>> numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s 
>> base nscpentrywsi
>>
>>
>> best regards
>> thierry
>> On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:
>>> Hi Mark,
>>>
>>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>>> here’s what I’ve got.
>>>
>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - dn does not match filter
>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - adding uidNumber to 
>>> uid=testuser1,ou=People,dc=example,dc=com as -2
>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - retrieved value 0 ret 1
>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add 
>>> - Failed to allocate a new ID!! 2
>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>>> Operation failure [1]
>>>
>>> And here’s the DNA config:
>>>
>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>>> Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: UID numbers
>>> dnaType: uidNumber
>>> dnamaxvalue: 10
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixAccount)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>>
>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>>> Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: GID numbers
>>> dnaType: gidNumber
>>> dnamaxvalue: 10
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixGroup)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>>
>>> Best regards,
>>>
>>> James
>>>
>>>
>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>>>>
>>>> Enabling plugin logging will provide a little more detail about what is 
>>>> going wrong:
>>>>
>>>> ldapmodify -D "cn=directory manager" -W
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-errorlog-level
>>>> nsslapd-errorlog-level: 65536
>>>>
>>>>
>>>> After running the test you can disable the debug plugin logging by setting 
>>>> the log level to zero.
>>>>
>>>> Then share what information is logging when you add a new user.   This is 
>>>> most likely a configuration error so hopefully we can find out what went 
>>>> wrong in your set up.  Can you also provide the DNA config entries?
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>>> Hi all,
>>>>>
>>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>>>>> Everything worked fine in testing, but now that it’s in production I’m 
>>>>> seeing the following error:
>>>>>
>>>>>

[389-users] Re: DNA plugin not working

2020-04-16 Thread CHAMBERLAIN James
Hi Thierry,

The thing is, while this is on the production multi-master cluster, it’s not 
being used yet.  Any new entries being added have uidNumber set explicitly, 
except for my test entry.  I’ve been trying a few things and have a different 
error message now but the same result.  I’ll update the thread shortly with 
further details.

Best regards,

James


> On Apr 16, 2020, at 1:23 PM, thierry bordaz  wrote:
>
> Hi James,
>
> I would guess that the allocated range is exhausted, meaning the next value 
> reached maxValue.
> Possibly part of the range was taken by another replica.
>
> You can try to get more details with
>
> ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-accesslog-level
> # default level 256 plus 4 for internal operations
> nsslapd-accesslog-level: 260
> -
> replace: nsslapd-plugin-logging
> nsslapd-plugin-logging: on
>
> and look at the entry: ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed 
> Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi
>
>
> best regards
> thierry
> On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:
>> Hi Mark,
>>
>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>> here’s what I’ve got.
>>
>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - dn does not match filter
>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - adding uidNumber to 
>> uid=testuser1,ou=People,dc=example,dc=com as -2
>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - retrieved value 0 ret 1
>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add 
>> - Failed to allocate a new ID!! 2
>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>> Operation failure [1]
>>
>> And here’s the DNA config:
>>
>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>> Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: UID numbers
>> dnaType: uidNumber
>> dnamaxvalue: 10
>> dnamagicregen: 0
>> dnafilter: (objectclass=posixAccount)
>> dnascope: dc=example,dc=com
>> dnanextvalue: 25000
>>
>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>> Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: GID numbers
>> dnaType: gidNumber
>> dnamaxvalue: 10
>> dnamagicregen: 0
>> dnafilter: (objectclass=posixGroup)
>> dnascope: dc=example,dc=com
>> dnanextvalue: 25000
>>
>> Best regards,
>>
>> James
>>
>>
>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>>>
>>> Enabling plugin logging will provide a little more detail about what is 
>>> going wrong:
>>>
>>> ldapmodify -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-errorlog-level
>>> nsslapd-errorlog-level: 65536
>>>
>>>
>>> After running the test you can disable the debug plugin logging by setting 
>>> the log level to zero.
>>>
>>> Then share what information is logging when you add a new user.   This is 
>>> most likely a configuration error so hopefully we can find out what went 
>>> wrong in your set up.  Can you also provide the DNA config entries?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>> Hi all,
>>>>
>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>>>> Everything worked fine in testing, but now that it’s in production I’m 
>>>> seeing the following error:
>>>>
>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>
>>>> I’ve followed the advice in the knowledge base 
>>>> (https://access.redhat.com/solutions/875133), about adding an equality 
>>>> index with an nsMatchingRule of integerOrderingMatch, but have not seen 
>>>> any difference in the server’s behavior.  Any ideas what I should try next?
>>>>
>>>> Thanks,
>>>>
>>>> James
>>>> This email and any attachments are intended solely for the use of the 
>>>> individual or entity to whom it is addressed and may be confidential 
>>>> and/or privileged.
>>>> If you are not one of the named recipients or have received this email in 
>>>> error,
>>>> (i) you should not read, disclose, or copy it,
>>>> (ii) please notify sender of your receipt by reply email and delete this 
>>>> email and all attachments,
>>>> (iii) Dassault Systèmes does not accept or assume any liability or 
>>>> responsibility for any use of or reliance on this email.
>>>>
>>>> Please be informed that your personal data are processed according to our 
>>>> data privacy policy as described on our website. Should you have any 
>>>> questions related to personal data protection, please contact 3DS Data 
>>>> Protection Officer at 3ds.compliance-priv...@3ds.com
>>>>
>>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer
>>>>
>>>>
>>>> ___
>>>> 389-users

[389-users] Re: DNA plugin not working

2020-04-16 Thread thierry bordaz

Hi James,

I would guess that the allocated range is exhausted, meaning the next value 
reached maxValue.

Possibly part of the range was taken by another replica.

You can try to get more details with

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
# default level 256 plus 4 for internal operations
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on

and look at the entry: ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed 
Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi


best regards
thierry
On 4/13/20 8:41 PM, CHAMBERLAIN James wrote:

Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000

Best regards,

James



On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:

Enabling plugin logging will provide a little more detail about what is going 
wrong:

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65536


After running the test you can disable the debug plugin logging by setting the 
log level to zero.

Then share what information is logging when you add a new user.   This is most 
likely a configuration error so hopefully we can find out what went wrong in 
your set up.  Can you also provide the DNA config entries?

Thanks,

Mark

On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:

Hi all,

I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
Everything worked fine in testing, but now that it’s in production I’m seeing 
the following error:

ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2

I’ve followed the advice in the knowledge base 
(https://access.redhat.com/solutions/875133), about adding an equality index 
with an nsMatchingRule of integerOrderingMatch, but have not seen any 
difference in the server’s behavior.  Any ideas what I should try next?

Thanks,

James

___
389-users mailing list --
389-users@lists.fedoraproject.org

To unsubscribe send an email to
389-users-le...@lists.fedoraproject.org

Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

--

389 Directory Server Development Team


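
The range-exhaustion guess in the message above, and the non-overlapping-ranges point raised later in the thread, can be checked offline against exported DNA entries. This is an added example, not code from the thread or from the 389 project: the ldap1 entries reuse the range values as they appear in the posted config, while ldap2, ldap3, the server names and all function names are constructed for illustration.

```python
"""Offline sanity check for DNA range entries exported as LDIF (added example)."""

UNBOUNDED = -1  # dnaMaxValue of -1 (the documented default) sets no explicit ceiling


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts.

    Entries are separated by blank lines; a line starting with one space
    continues the previous line (LDIF folding); '#' lines are comments.
    """
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith("#"):
            continue
        elif raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
        else:
            name, _, value = raw.partition(":")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def dna_ranges(text):
    """Return {managed attribute: (dnaNextValue, dnaMaxValue)} for one server."""
    ranges = {}
    for entry in parse_ldif(text):
        if "dnatype" in entry:
            ranges[entry["dnatype"][0].lower()] = (
                int(entry["dnanextvalue"][0]), int(entry["dnamaxvalue"][0]))
    return ranges


def remaining(next_value, max_value):
    """Values left in the local range, or None when the range is unbounded."""
    if max_value == UNBOUNDED:
        return None
    return max(0, max_value - next_value + 1)


def audit(replicas):
    """Check {server name: LDIF text}; return sorted (kind, where, attribute)."""
    parsed = {name: dna_ranges(text) for name, text in replicas.items()}
    findings = []
    for name, ranges in parsed.items():
        for attr, (nxt, top) in ranges.items():
            if remaining(nxt, top) == 0:
                findings.append(("exhausted", name, attr))
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for attr in parsed[a].keys() & parsed[b].keys():
                (a_lo, a_hi), (b_lo, b_hi) = parsed[a][attr], parsed[b][attr]
                if 0 in (remaining(a_lo, a_hi), remaining(b_lo, b_hi)):
                    continue  # an exhausted range cannot hand out a colliding value
                a_top = float("inf") if a_hi == UNBOUNDED else a_hi
                b_top = float("inf") if b_hi == UNBOUNDED else b_hi
                if a_lo <= b_top and b_lo <= a_top:
                    findings.append(("overlap", f"{a}+{b}", attr))
    return sorted(findings)


def range_entry(cn, attr, object_class, next_value, max_value):
    """Build one range entry in the shape posted in the thread (folded dn line)."""
    return (
        f"dn: cn={cn},cn=Distributed Numeric Assignment Plugin,\n"
        " cn=plugins,cn=config\n"
        "objectClass: top\nobjectClass: extensibleObject\n"
        f"cn: {cn}\ndnaType: {attr}\ndnamaxvalue: {max_value}\n"
        "dnamagicregen: 0\n"
        f"dnafilter: (objectclass={object_class})\n"
        "dnascope: dc=example,dc=com\n"
        f"dnanextvalue: {next_value}\n"
    )


def server_config(uid_range, gid_range):
    """Two range entries (UID, GID), each given as (dnaNextValue, dnaMaxValue)."""
    return (range_entry("UID numbers", "uidNumber", "posixAccount", *uid_range)
            + "\n"
            + range_entry("GID numbers", "gidNumber", "posixGroup", *gid_range))


SAMPLE = {
    "ldap1": server_config((25000, 10), (25000, 10)),        # values as posted in the thread
    "ldap2": server_config((30000, 39999), (30000, 39999)),  # constructed
    "ldap3": server_config((35000, 44999), (40000, 49999)),  # constructed
}

if __name__ == "__main__":
    for kind, where, attr in audit(SAMPLE):
        print(f"{kind:9} {where:12} {attr}")
```
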

[389-users] Re: DNA plugin not working

2020-04-14 Thread William Brown


> On 14 Apr 2020, at 23:45, CHAMBERLAIN James  wrote:
> 
> That… could be possible.  One key difference between testing and production 
> is that testing has a single master where production has a multi-master 
> cluster.  I don’t recall setting a range in production, since I only had DNA 
> enabled on a single member of the cluster at that point.  I’ll take a look in 
> that direction.

Yeah, I seem to recall that DNA is quite fiddly to get set up correctly. I'd 
probably reread the docs:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/dna

I haven't personally configured it in a long time, but if that doesn't get you 
going, I'll have a look further.

Perhaps also check you are using the magic value:

uidNumber: 0

Absent attributes don't trigger DNA, you need the magic value iirc. 


> 
> Thanks,
> 
> James
> 
> 
>> On Apr 13, 2020, at 7:30 PM, William Brown  wrote:
>> 
>> Could it be that the server hasn't allocated a DNA range from the DNA master?
>> 
>>> On 14 Apr 2020, at 05:51, CHAMBERLAIN James  
>>> wrote:
>>> 
>>> Hi Mark,
>>> 
>>> The test user I’m trying to add looks like this:
>>> 
>>> dn: uid=testuser1,ou=People,dc=example,dc=com
>>> uid: testuser1
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: top
>>> sn: Chamberlain
>>> gidNumber: 1000
>>> gecos: James Chamberlain
>>> cn: James Chamberlain
>>> homeDirectory: /home/testuser1
>>> givenName: James
>>> loginShell: /bin/bash
>>> 
>>> I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.
>>> 
>>> Here’s the clip from the failed add:
>>> 
>>> [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory 
>>> Manager" method=128 version=3
>>> [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 
>>> nentries=0 etime=0.152598 dn="cn=Directory Manager"
>>> [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD 
>>> dn="uid=testuser1,ou=People,dc=example,dc=com"
>>> [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
>>> [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
>>> [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 
>>> nentries=0 etime=0.0031312230
>>> 
>>> Best regards,
>>> 
>>> James Chamberlain
>>> 
>>> 
>>>> On Apr 13, 2020, at 2:53 PM, Mark Reynolds  wrote:
>>>>
>>>> Okay, so logging in DNA stinks in this scenario.  It does a lot of 
>>>> internal searches and if one of them "fails" you get an operations error.  
>>>> So we need to enable other logging...
>>>>
>>>> First what does the entry look like that you are trying to add?
>>>>
>>>> Second, run this ldapmodify
>>>>
>>>> ldapmodify -D "cn=directory manager" -W
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-accesslog-level
>>>> # default level 256 plus 4 for internal operations
>>>> nsslapd-accesslog-level: 260
>>>> -
>>>> replace: nsslapd-plugin-logging
>>>> nsslapd-plugin-logging: on
>>>>
>>>>
>>>> Then add another user, wait 30 seconds for the access log to buffer, and 
>>>> then provide the access log clip from the failed add.
>>>>
>>>> Thanks,
>>>> Mark
>>>>
>>>>
>>>> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>>>>> Hi Mark,
>>>>>
>>>>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>>>>> here’s what I’ve got.
>>>>>
>>>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>>>>> _dna_pre_op_add - dn does not match filter
>>>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>>>>> _dna_pre_op_add - adding uidNumber to 
>>>>> uid=testuser1,ou=People,dc=example,dc=com as -2
>>>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>>>>> _dna_pre_op_add - retrieved value 0 ret 1
>>>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - 
>>>>> _dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op 
>>>>> - Operation failure [1]
>>>>>
>>>>> And here’s the DNA config:
>>>>>
>>>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>>>>> Plugin,cn=plugins,cn=config
>>>>> objectClass: top
>>>>> objectClass: extensibleObject
>>>>> cn: UID numbers
>>>>> dnaType: uidNumber
>>>>> dnamaxvalue: 10
>>>>> dnamagicregen: 0
>>>>> dnafilter: (objectclass=posixAccount)
>>>>> dnascope: dc=example,dc=com
>>>>> dnanextvalue: 25000
>>>>>
>>>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>>>>> Plugin,cn=plugins,cn=config
>>>>> objectClass: top
>>>>> objectClass: extensibleObject
>>>>> cn: GID numbers
>>>>> dnaType: gidNumber
>>>>> dnamaxvalue: 10
>>>>> dnamagicregen: 0
>>>>> dnafilter: (objectclass=posixGroup)
>>>>> dnascope: dc=example,dc=com
>>>>> dnanextvalue: 25000
>>>>>
>>>>> Best regards,
>>>>>
>>>>> James
>>>>>
>>>>>
>>>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>>>>>>

[389-users] Re: DNA plugin not working

2020-04-14 Thread CHAMBERLAIN James
That… could be possible.  One key difference between testing and production is 
that testing has a single master where production has a multi-master cluster.  
I don’t recall setting a range in production, since I only had DNA enabled on a 
single member of the cluster at that point.  I’ll take a look in that direction.

Thanks,

James


> On Apr 13, 2020, at 7:30 PM, William Brown  wrote:
>
> Could it be that the server hasn't allocated a DNA range from the DNA master?
>
>> On 14 Apr 2020, at 05:51, CHAMBERLAIN James  
>> wrote:
>>
>> Hi Mark,
>>
>> The test user I’m trying to add looks like this:
>>
>> dn: uid=testuser1,ou=People,dc=example,dc=com
>> uid: testuser1
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> sn: Chamberlain
>> gidNumber: 1000
>> gecos: James Chamberlain
>> cn: James Chamberlain
>> homeDirectory: /home/testuser1
>> givenName: James
>> loginShell: /bin/bash
>>
>> I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.
>>
>> Here’s the clip from the failed add:
>>
>> [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory 
>> Manager" method=128 version=3
>> [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 
>> nentries=0 etime=0.152598 dn="cn=Directory Manager"
>> [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD 
>> dn="uid=testuser1,ou=People,dc=example,dc=com"
>> [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
>> [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
>> [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 
>> nentries=0 etime=0.0031312230
>>
>> Best regards,
>>
>> James Chamberlain
>>
>>
>>> On Apr 13, 2020, at 2:53 PM, Mark Reynolds  wrote:
>>>
>>> Okay, so logging in DNA stinks in this scenario.  It does a lot of internal 
>>> searches and if one of them "fails" you get an operations error.  So we 
>>> need to enable other logging...
>>>
>>> First what does the entry look like that you are trying to add?
>>>
>>> Second, run this ldapmodify
>>>
>>> ldapmodify -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-accesslog-level
>>> # default level 256 plus 4 for internal operations
>>> nsslapd-accesslog-level: 260
>>> -
>>> replace: nsslapd-plugin-logging
>>> nsslapd-plugin-logging: on
>>>
>>>
>>> Then add another user, wait 30 seconds for the access log to buffer, and 
>>> then provide the access log clip from the failed add.
>>>
>>> Thanks,
>>> Mark
>>>
>>>
>>> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>>>> Hi Mark,
>>>>
>>>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>>>> here’s what I’ve got.
>>>>
>>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>>>> _dna_pre_op_add - dn does not match filter
>>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>>>> _dna_pre_op_add - adding uidNumber to 
>>>> uid=testuser1,ou=People,dc=example,dc=com as -2
>>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>>>> _dna_pre_op_add - retrieved value 0 ret 1
>>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - 
>>>> _dna_pre_op_add - Failed to allocate a new ID!! 2
>>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>>>> Operation failure [1]
>>>>
>>>> And here’s the DNA config:
>>>>
>>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>>>> Plugin,cn=plugins,cn=config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> cn: UID numbers
>>>> dnaType: uidNumber
>>>> dnamaxvalue: 10
>>>> dnamagicregen: 0
>>>> dnafilter: (objectclass=posixAccount)
>>>> dnascope: dc=example,dc=com
>>>> dnanextvalue: 25000
>>>>
>>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>>>> Plugin,cn=plugins,cn=config
>>>> objectClass: top
>>>> objectClass: extensibleObject
>>>> cn: GID numbers
>>>> dnaType: gidNumber
>>>> dnamaxvalue: 10
>>>> dnamagicregen: 0
>>>> dnafilter: (objectclass=posixGroup)
>>>> dnascope: dc=example,dc=com
>>>> dnanextvalue: 25000
>>>>
>>>> Best regards,
>>>>
>>>> James
>>>>
>>>>
>>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>>>>>
>>>>> Enabling plugin logging will provide a little more detail about what is 
>>>>> going wrong:
>>>>>
>>>>> ldapmodify -D "cn=directory manager" -W
>>>>> dn: cn=config
>>>>> changetype: modify
>>>>> replace: nsslapd-errorlog-level
>>>>> nsslapd-errorlog-level: 65536
>>>>>
>>>>>
>>>>> After running the test you can disable the debug plugin logging by 
>>>>> setting the log level to zero.
>>>>>
>>>>> Then share what information is logging when you add a new user.   This is 
>>>>> most likely a configuration error so hopefully we can find out what went 
>>>>> wrong in your set up.  Can you also provide the DNA config entries?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Mark
>>>>>
>>>>> On 4/13/20

[389-users] Re: DNA plugin not working

2020-04-13 Thread William Brown
Could it be that the server hasn't allocated a DNA range from the DNA master? 

> On 14 Apr 2020, at 05:51, CHAMBERLAIN James  wrote:
> 
> Hi Mark,
> 
> The test user I’m trying to add looks like this:
> 
> dn: uid=testuser1,ou=People,dc=example,dc=com
> uid: testuser1
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> sn: Chamberlain
> gidNumber: 1000
> gecos: James Chamberlain
> cn: James Chamberlain
> homeDirectory: /home/testuser1
> givenName: James
> loginShell: /bin/bash
> 
> I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.
> 
> Here’s the clip from the failed add:
> 
> [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory 
> Manager" method=128 version=3
> [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 
> nentries=0 etime=0.152598 dn="cn=Directory Manager"
> [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD 
> dn="uid=testuser1,ou=People,dc=example,dc=com"
> [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
> [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
> [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 
> nentries=0 etime=0.0031312230
> 
> Best regards,
> 
> James Chamberlain
> 
> 
>> On Apr 13, 2020, at 2:53 PM, Mark Reynolds  wrote:
>> 
>> Okay, so logging in DNA stinks in this scenario.  It does a lot of internal 
>> searches and if one of them "fails" you get an operations error.  So we need 
>> to enable other logging...
>> 
>> First what does the entry look like that you are trying to add?
>> 
>> Second, run this ldapmodify
>> 
>> ldapmodify -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-accesslog-level
>> # default level 256 plus 4 for internal operations
>> nsslapd-accesslog-level: 260
>> -
>> replace: nsslapd-plugin-logging
>> nsslapd-plugin-logging: on
>> 
>> 
>> Then add another user, wait 30 seconds for the access log to buffer, and 
>> then provide the access log clip from the failed add.
>> 
>> Thanks,
>> Mark
>> 
>> 
>> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>>> Hi Mark,
>>> 
>>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>>> here’s what I’ve got.
>>> 
>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - dn does not match filter
>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - adding uidNumber to 
>>> uid=testuser1,ou=People,dc=example,dc=com as -2
>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>>> _dna_pre_op_add - retrieved value 0 ret 1
>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add 
>>> - Failed to allocate a new ID!! 2
>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>>> Operation failure [1]
>>> 
>>> And here’s the DNA config:
>>> 
>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>>> Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: UID numbers
>>> dnaType: uidNumber
>>> dnamaxvalue: 10
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixAccount)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>> 
>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>>> Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: GID numbers
>>> dnaType: gidNumber
>>> dnamaxvalue: 10
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixGroup)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>> 
>>> Best regards,
>>> 
>>> James
>>> 
>>> 
>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>>>>
>>>> Enabling plugin logging will provide a little more detail about what is 
>>>> going wrong:
>>>>
>>>> ldapmodify -D "cn=directory manager" -W
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-errorlog-level
>>>> nsslapd-errorlog-level: 65536
>>>>
>>>>
>>>> After running the test you can disable the debug plugin logging by setting 
>>>> the log level to zero.
>>>>
>>>> Then share what information is logging when you add a new user.   This is 
>>>> most likely a configuration error so hopefully we can find out what went 
>>>> wrong in your set up.  Can you also provide the DNA config entries?
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>>> Hi all,
>>>>>
>>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>>>>> Everything worked fine in testing, but now that it’s in production I’m 
>>>>> seeing the following error:
>>>>>
>>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>>
>>>>> I’ve followed the advice in the knowledge base 
>>>>> (https://access.redhat.com/solutions/875133), about adding an equality 
>>>>> index with an nsMatchingRule of

[389-users] Re: DNA plugin not working

2020-04-13 Thread CHAMBERLAIN James
Hi Mark,

The test user I’m trying to add looks like this:

dn: uid=testuser1,ou=People,dc=example,dc=com
uid: testuser1
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
sn: Chamberlain
gidNumber: 1000
gecos: James Chamberlain
cn: James Chamberlain
homeDirectory: /home/testuser1
givenName: James
loginShell: /bin/bash

I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.

Here’s the clip from the failed add:

[13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory 
Manager" method=128 version=3
[13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 
nentries=0 etime=0.152598 dn="cn=Directory Manager"
[13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD 
dn="uid=testuser1,ou=People,dc=example,dc=com"
[13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
[13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
[13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 
nentries=0 etime=0.0031312230

Best regards,

James Chamberlain


> On Apr 13, 2020, at 2:53 PM, Mark Reynolds  wrote:
>
> Okay, so logging in DNA stinks in this scenario.  It does a lot of internal 
> searches and if one of them "fails" you get an operations error.  So we need 
> to enable other logging...
>
> First what does the entry look like that you are trying to add?
>
> Second, run this ldapmodify
>
> ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-accesslog-level
> # default level 256 plus 4 for internal operations
> nsslapd-accesslog-level: 260
> -
> replace: nsslapd-plugin-logging
> nsslapd-plugin-logging: on
>
>
> Then add another user, wait 30 seconds for the access log to buffer, and then 
> provide the access log clip from the failed add.
>
> Thanks,
> Mark
>
>
> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>> Hi Mark,
>>
>> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
>> here’s what I’ve got.
>>
>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - dn does not match filter
>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - adding uidNumber to 
>> uid=testuser1,ou=People,dc=example,dc=com as -2
>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - 
>> _dna_pre_op_add - retrieved value 0 ret 1
>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add 
>> - Failed to allocate a new ID!! 2
>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
>> Operation failure [1]
>>
>> And here’s the DNA config:
>>
>> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
>> Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: UID numbers
>> dnaType: uidNumber
>> dnamaxvalue: 10
>> dnamagicregen: 0
>> dnafilter: (objectclass=posixAccount)
>> dnascope: dc=example,dc=com
>> dnanextvalue: 25000
>>
>> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
>> Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> cn: GID numbers
>> dnaType: gidNumber
>> dnamaxvalue: 10
>> dnamagicregen: 0
>> dnafilter: (objectclass=posixGroup)
>> dnascope: dc=example,dc=com
>> dnanextvalue: 25000
>>
>> Best regards,
>>
>> James
>>
>>
>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>>>
>>> Enabling plugin logging will provide a little more detail about what is 
>>> going wrong:
>>>
>>> ldapmodify -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-errorlog-level
>>> nsslapd-errorlog-level: 65536
>>>
>>>
>>> After running the test you can disable the debug plugin logging by setting 
>>> the log level to zero.
>>>
>>> Then share what information is logging when you add a new user.   This is 
>>> most likely a configuration error so hopefully we can find out what went 
>>> wrong in your set up.  Can you also provide the DNA config entries?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>> Hi all,
>>>>
>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>>>> Everything worked fine in testing, but now that it’s in production I’m 
>>>> seeing the following error:
>>>>
>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>
>>>> I’ve followed the advice in the knowledge base 
>>>> (https://access.redhat.com/solutions/875133), about adding an equality 
>>>> index with an nsMatchingRule of integerOrderingMatch, but have not seen 
>>>> any difference in the server’s behavior.  Any ideas what I should try next?
>>>>
>>>> Thanks,
>>>>
>>>> James

[389-users] Re: DNA plugin not working

2020-04-13 Thread CHAMBERLAIN James
Hi Marc,

This is 389-ds-base-1.3.7.5-28.el7_5.x86_64.

# grep number,cn=index /etc/dirsrv/slapd-example/dse.ldif
dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config

I double-checked that I’d set up an equality index, not just presence, and made 
sure that the index was generated.

# grep -i index /var/log/messages
Apr 13 13:31:44 example ns-slapd: [13/Apr/2020:13:31:44.909683777 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexing attribute: uidnumber
Apr 13 13:31:47 example ns-slapd: [13/Apr/2020:13:31:47.011917422 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 1000 entries (54%).
Apr 13 13:31:47 example ns-slapd: [13/Apr/2020:13:31:47.756062336 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 2000 entries (72%).
Apr 13 13:31:48 example ns-slapd: [13/Apr/2020:13:31:48.844133042 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 3000 entries (74%).
Apr 13 13:31:50 example ns-slapd: [13/Apr/2020:13:31:50.152982540 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 4000 entries (77%).
Apr 13 13:31:51 example ns-slapd: [13/Apr/2020:13:31:51.199900578 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 5000 entries (79%).
Apr 13 13:31:52 example ns-slapd: [13/Apr/2020:13:31:52.271669854 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 6000 entries (81%).
Apr 13 13:31:53 example ns-slapd: [13/Apr/2020:13:31:53.397852294 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 7000 entries (83%).
Apr 13 13:31:54 example ns-slapd: [13/Apr/2020:13:31:54.446263984 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 8000 entries (86%).
Apr 13 13:31:55 example ns-slapd: [13/Apr/2020:13:31:55.569704807 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 9000 entries (88%).
Apr 13 13:31:56 example ns-slapd: [13/Apr/2020:13:31:56.610690562 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 1 entries (90%).
Apr 13 13:31:57 example ns-slapd: [13/Apr/2020:13:31:57.642493349 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 11000 entries (92%).
Apr 13 13:31:58 example ns-slapd: [13/Apr/2020:13:31:58.807418354 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 12000 entries (95%).
Apr 13 13:31:59 example ns-slapd: [13/Apr/2020:13:31:59.487828428 -0400] - INFO 
- ldbm_back_ldbm2index - userRoot: Indexed 13000 entries (97%).

Best regards,

James Chamberlain
SIMULIA Cloud Operations, Networking & Security


> On Apr 13, 2020, at 3:01 PM, Marc Sauton  wrote:
>
> verify there is an equality index for uidnumber and gidnumber, not just 
> presence, in the entries
> dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> which version of 389-ds-base is this about?
> Thanks,
> M.
>
> On Mon, Apr 13, 2020 at 11:42 AM CHAMBERLAIN James 
>  wrote:
> Hi Mark,
>
> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, 
> here’s what I’ve got.
>
> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add 
> - dn does not match filter
> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add 
> - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add 
> - retrieved value 0 ret 1
> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
> Failed to allocate a new ID!! 2
> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
> Operation failure [1]
>
> And here’s the DNA config:
>
> dn: cn=UID numbers,cn=Distributed Numeric Assignment 
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: UID numbers
> dnaType: uidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixAccount)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> dn: cn=GID numbers,cn=Distributed Numeric Assignment 
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: GID numbers
> dnaType: gidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixGroup)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> Best regards,
>
> James
>
>
> > On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
> >
> > Enabling plugin logging will provide a little more detail about what is 
> > going wrong:
> >
> > ldapmodify -D "cn=directory manager" -W
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-errorlog-level
> > nsslapd-errorlog-level: 65536
> >
> >
> > After running the test you can disable the debug plugin logging by setting 
> > the log level to zero.
> >
> > Then share what information is logging when you add a new user.   This is 
> > most likely a configuration error so hopefully we can find out what went 
> > 

[389-users] Re: DNA plugin not working

2020-04-13 Thread Marc Sauton
verify there is an equality index for uidnumber and gidnumber, not just
presence, in the entries
dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
which version of 389-ds-base is this about?
Thanks,
M.

On Mon, Apr 13, 2020 at 11:42 AM CHAMBERLAIN James <
james.chamberl...@3ds.com> wrote:

> Hi Mark,
>
> Thanks for getting back to me.  After adjusting nsslapd-errorlog-level,
> here’s what I’ve got.
>
> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - dn does not match filter
> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - adding uidNumber to
> uid=testuser1,ou=People,dc=example,dc=com as -2
> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - retrieved value 0 ret 1
> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin -
> _dna_pre_op_add - Failed to allocate a new ID!! 2
> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op -
> Operation failure [1]
>
> And here’s the DNA config:
>
> dn: cn=UID numbers,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: UID numbers
> dnaType: uidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixAccount)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> dn: cn=GID numbers,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: GID numbers
> dnaType: gidNumber
> dnamaxvalue: 10
> dnamagicregen: 0
> dnafilter: (objectclass=posixGroup)
> dnascope: dc=example,dc=com
> dnanextvalue: 25000
>
> Best regards,
>
> James
>
>
> > On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
> >
> > Enabling plugin logging will provide a little more detail about what is
> going wrong:
> >
> > ldapmodify -D "cn=directory manager" -W
> > dn: cn=config
> > changetype: modify
> > replace: nsslapd-errorlog-level
> > nsslapd-errorlog-level: 65536
> >
> >
> > After running the test you can disable the debug plugin logging by
> setting the log level to zero.
> >
> > Then share what information is logging when you add a new user.   This
> is most likely a configuration error so hopefully we can find out what went
> wrong in your set up.  Can you also provide the DNA config entries?
> >
> > Thanks,
> >
> > Mark
> >
> > On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
> >> Hi all,
> >>
> >> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.
> Everything worked fine in testing, but now that it’s in production I’m
> seeing the following error:
> >>
> >> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
> >>
> >> I’ve followed the advice in the knowledge base (
> https://access.redhat.com/solutions/875133), about adding an equality
> index with an nsMatchingRule of integerOrderingMatch, but have not seen any
> difference in the server’s behavior.  Any ideas what I should try next?
> >>
> >> Thanks,
> >>
> >> James
> >> This email and any attachments are intended solely for the use of the
> individual or entity to whom it is addressed and may be confidential and/or
> privileged.
> >> If you are not one of the named recipients or have received this email
> in error,
> >> (i) you should not read, disclose, or copy it,
> >> (ii) please notify sender of your receipt by reply email and delete
> this email and all attachments,
> >> (iii) Dassault Systèmes does not accept or assume any liability or
> responsibility for any use of or reliance on this email.
> >>
> >> Please be informed that your personal data are processed according to
> our data privacy policy as described on our website. Should you have any
> questions related to personal data protection, please contact 3DS Data
> Protection Officer at 3ds.compliance-priv...@3ds.com
> >>
> >> For other languages, go to https://www.3ds.com/terms/email-disclaimer
> >>
> >>
> >> ___
> >> 389-users mailing list --
> >> 389-users@lists.fedoraproject.org
> >>
> >> To unsubscribe send an email to
> >> 389-users-le...@lists.fedoraproject.org
> >>
> >> Fedora Code of Conduct:
> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>
> >> List Guidelines:
> >> https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>
> >> List Archives:
> >>
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> > --
> >
> > 389 Directory Server Development Team
> >
>

[389-users] Re: DNA plugin not working

2020-04-13 Thread Mark Reynolds
Okay, so logging in DNA stinks in this scenario.  It does a lot of 
internal searches and if one of them "fails" you get an operations 
error.  So we need to enable other logging...


First what does the entry look like that you are trying to add?

Second, run this ldapmodify (260 is the default level 256 plus 4 for internal
operations):

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on


Then add another user, wait 30 seconds for the access log to buffer, and 
then provide the access log clip from the failed add.


Thanks,
Mark


On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:

Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000

Best regards,

James



On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:

Enabling plugin logging will provide a little more detail about what is going 
wrong:

ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65536


After running the test you can disable the debug plugin logging by setting the 
log level to zero.

Then share what information is logging when you add a new user.   This is most 
likely a configuration error so hopefully we can find out what went wrong in 
your set up.  Can you also provide the DNA config entries?

Thanks,

Mark

On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:

Hi all,

I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
Everything worked fine in testing, but now that it’s in production I’m seeing 
the following error:

ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2

I’ve followed the advice in the knowledge base 
(https://access.redhat.com/solutions/875133), about adding an equality index 
with an nsMatchingRule of integerOrderingMatch, but have not seen any 
difference in the server’s behavior.  Any ideas what I should try next?

Thanks,

James
--

389 Directory Server Development Team



[389-users] Re: DNA plugin not working

2020-04-13 Thread CHAMBERLAIN James
Hi Mark,

Thanks for getting back to me.  After adjusting nsslapd-errorlog-level, here’s 
what I’ve got.

# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - 
retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - 
Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - 
Operation failure [1]

And here’s the DNA config:

dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 10
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000

Best regards,

James


> On Apr 13, 2020, at 2:25 PM, Mark Reynolds  wrote:
>
> Enabling plugin logging will provide a little more detail about what is going 
> wrong:
>
> ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 65536
>
>
> After running the test you can disable the debug plugin logging by setting 
> the log level to zero.
>
> Then share what information is logging when you add a new user.   This is 
> most likely a configuration error so hopefully we can find out what went 
> wrong in your set up.  Can you also provide the DNA config entries?
>
> Thanks,
>
> Mark
>
> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>> Hi all,
>>
>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  
>> Everything worked fine in testing, but now that it’s in production I’m 
>> seeing the following error:
>>
>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>
>> I’ve followed the advice in the knowledge base 
>> (https://access.redhat.com/solutions/875133), about adding an equality index 
>> with an nsMatchingRule of integerOrderingMatch, but have not seen any 
>> difference in the server’s behavior.  Any ideas what I should try next?
>>
>> Thanks,
>>
>> James
> --
>
> 389 Directory Server Development Team
>
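The errors-log excerpt posted in this message can be reduced to one record per failed allocation, so the entry DN and the values the plugin logged can be matched against the access log. This is an added example, not code from the thread or from the 389 Directory Server project; the function names are hypothetical and the parser assumes only the line layout visible in the excerpt.

```python
import re

# Start of a 389-ds errors-log record, e.g. "[13/Apr/2020:14:30:00.480608036 -0400]"
STAMP = re.compile(r"^\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}")
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<plugin>\S+) - "
    r"(?P<func>\S+) - (?P<msg>.*)$")
ADDING = re.compile(r"^adding (?P<attr>\S+) to (?P<dn>.+) as (?P<magic>\S+)$")
RETRIEVED = re.compile(r"^retrieved value (?P<value>-?\d+) ret (?P<ret>-?\d+)$")
QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote markers such as "> " or "> > "

# The excerpt as it appears quoted and line-wrapped in the thread.
SAMPLE = """\
> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - dn does not match filter
> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - adding uidNumber to
> uid=testuser1,ou=People,dc=example,dc=com as -2
> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin -
> _dna_pre_op_add - retrieved value 0 ret 1
> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin -
> _dna_pre_op_add - Failed to allocate a new ID!! 2
> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op -
> Operation failure [1]
>
> And here is the DNA config:
"""


def unwrap(text):
    """Strip quote markers and rejoin records that the mail client wrapped."""
    records, open_record = [], False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if STAMP.match(line):
            records.append(line)
            open_record = True
        elif line and open_record:
            records[-1] += " " + line   # continuation of the wrapped record
        else:
            open_record = False         # blank line or prose ends the excerpt
    return records


def find_failed_allocations(text):
    """Return one dict per 'Failed to allocate a new ID' error, carrying the
    attribute, entry DN and retrieved value/ret logged just before it."""
    failures, pending = [], {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m or m["plugin"] != "dna-plugin":
            continue
        msg = m["msg"]
        adding, retrieved = ADDING.match(msg), RETRIEVED.match(msg)
        if adding:
            pending = adding.groupdict()
        elif retrieved:
            pending.update(value=int(retrieved["value"]), ret=int(retrieved["ret"]))
        elif m["level"] == "ERR" and msg.startswith("Failed to allocate a new ID"):
            failures.append({"ts": m["ts"], "error": msg, **pending})
            pending = {}
    return failures


if __name__ == "__main__":
    for failure in find_failed_allocations(SAMPLE):
        print(failure)
```

The timestamp in each result is the value to search for in the access log once internal-operation logging is enabled.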


[389-users] Re: DNA plugin not working

2020-04-13 Thread Mark Reynolds
Enabling plugin logging will provide a little more detail about what is 
going wrong:


ldapmodify -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 65536


After running the test you can disable the debug plugin logging by 
setting the log level to zero.


Then share what information is logging when you add a new user. This is 
most likely a configuration error so hopefully we can find out what went 
wrong in your set up.  Can you also provide the DNA config entries?


Thanks,

Mark

On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:

Hi all,

I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. 
 Everything worked fine in testing, but now that it’s in production 
I’m seeing the following error:


ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2

I’ve followed the advice in the knowledge base 
(https://access.redhat.com/solutions/875133), about adding an equality 
index with an nsMatchingRule of integerOrderingMatch, but have not 
seen any difference in the server’s behavior.  Any ideas what I should 
try next?


Thanks,

James


--

389 Directory Server Development Team
