Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
>
> I purposely used rather weak wording in my blog to ensure that one
> thinks carefully about making this kind of change. If your original
> master can be brought back up that is definitely the best way to resolve
> it.
>

ok, I'll try this first.


>
> If it was nuked from orbit then yeah, then you'll need to manually set it.
>
> Note that you can use ipa-replica-manage to do this as well and it has a
> much less scary syntax:
>
> $ ipa-replica-manage dnarange-set yourhost.example.com
> 168970-168979
>

definitely less scary !


>
> I guess the range 168960-168969 is the rest of the original
> range, presumably assigned to the original master?
>

I'm not sure I follow. The default used by my master is 13400-13420,
right?
So I could set 13500-13520 for instance. Or did I miss something?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, Karl Forner wrote:
>> Ok.
>>
>> I read a work-around on https://blog-rcritten.rhcloud.com/?p=50
>>
>> It says that if one has figured out a safe new range for the replica, the
>> range could be set using:
>>
>> ldapmodify -x -D 'cn=Directory Manager' -W
>> Enter LDAP Password:
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config
>> changetype: modify
>> replace: dnaNextValue
>> dnaNextValue: 168970
>> -
>> replace: dnaMaxValue
>> dnaMaxValue: 168979
>> ^D
>>
>> modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
>> Plugin,cn=plugins,cn=config"
>>
>>
>> I suppose this can be dangerous, but would you consider it as a
>> work-around, or should it be avoided by all means?
> 
> Rob is one of FreeIPA project original developers and he wrote this
> code, so he knows it well. To derive dnaMaxValue/dnaNextValue you need to
> consult older server's data, if it is still available (in
> /etc/dirsrv/slapd-INSTANCE/dse.ldif).
> 
> At worst you'd need to back out the change if things don't work.

I purposely used rather weak wording in my blog to ensure that one
thinks carefully about making this kind of change. If your original
master can be brought back up that is definitely the best way to resolve it.

If it was nuked from orbit then yeah, then you'll need to manually set it.

Note that you can use ipa-replica-manage to do this as well and it has a
much less scary syntax:

$ ipa-replica-manage dnarange-set yourhost.example.com 168970-168979

I guess the range 168960-168969 is the rest of the original
range, presumably assigned to the original master?

rob



Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Karl Forner wrote:
> 
> 
> I purposely used rather weak wording in my blog to ensure that one
> thinks carefully about making this kind of change. If your original
> master can be brought back up that is definitely the best way to
> resolve it.
> 
> 
> ok, I'll try this first.
>  
> 
> 
> If it was nuked from orbit then yeah, then you'll need to manually set it.
> 
> Note that you can use ipa-replica-manage to do this as well and it has a
> much less scary syntax:
> 
> $ ipa-replica-manage dnarange-set yourhost.example.com
>  168970-168979
> 
> 
> definitely less scary !
>  
> 
> 
> I guess the range 168960-168969 is the rest of the original
> range, presumably assigned to the original master?
> 
> 
> I'm not sure I follow. The default used by my master is
> 13400-13420, right?
> So I could set 13500-13520 for instance. Or did I miss something?
>  
> 

My example was based on the ldif you proposed.

What the DNA plugin would have done is split the original range in two.
If you want to stick with that it's fine but you'll never get back
whatever was remaining of that original 100k, at least not
automatically. It all depends on what your needs are.

Using 13410-13419 is probably what you want.

Otherwise you are just picking a new range out of the blue.

There is no tie-in now between the idrange and the DNA range but there
may be at some point. At that time things could go sideways if you pick
a new DNA range that isn't reflected in the idrange.

rob



Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> >
> > I'm not sure I follow. The default used by my master is
> > 13400-13420, right?
> > So I could set 13500-13520 for instance. Or did I miss something?
> >
> >
>
> My example was based on the ldif you proposed.
>
> What the DNA plugin would have done is split the original range in two.
> If you want to stick with that it's fine but you'll never get back
> whatever was remaining of that original 100k, at least not
> automatically. It all depends on what your needs are.
>
> Using 13410-13419 is probably what you want.
>

Ok, I get it.



> Otherwise you are just picking a new range out of the blue.
>
> There is no tie-in now between the idrange and the DNA range but there
> may be at some point. At that time things could go sideways if you pick
> a new DNA range that isn't reflected in the idrange.
>

thanks.

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Karl Forner wrote:

If you never added users through this IPA server, it has no subset of ID
range
allocated to IDs issued on this server. To obtain this subset, it needs
to talk back to the master on first allocation. Master is missing, thus
it couldn't talk to it.



thanks.

But if I understand correctly, I just cannot add any users from my replica?
Doesn't that defeat the purpose of the replica as a failover server?
Or should obtaining the subset of IDs be part of the process of setting up
a replica?

ID range is relatively scarce. We don't split it across multiple
replicas automatically because most of them will not be used to create
users and thus their sub-ranges will be wasted.

Documentation for the DNA plugin:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/dna-attributes.html

--
/ Alexander Bokovoy



[Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
Hello,

If I go to active users, click Add, fill in login, first and last name, then
click "Add", I get the error message:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

I also tried to add a staged user. This works, but when I try to activate
it, I get the same error:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.


I looked in the IPA Server -> ID Ranges tab:
first id: 13400
nb of ids: 20
type: local domain range

The freeIPA server is a CA-replica, and the main server is currently down.

What could be the problem?

Thanks.
Karl

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
> If you never added users through this IPA server, it has no subset of ID
> range
> allocated to IDs issued on this server. To obtain this subset, it needs
> to talk back to the master on first allocation. Master is missing, thus
> it couldn't talk to it.
>

thanks.

But if I understand correctly, I just cannot add any users from my replica?
Doesn't that defeat the purpose of the replica as a failover server?
Or should obtaining the subset of IDs be part of the process of setting up
a replica?

 Best,

>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Rob Crittenden
Karl Forner wrote:
> Hello,
> 
> If I go to active users, click Add, fill in login, first and last name,
> then click "Add", I get the error message:
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> 
> I also tried to add a staged user. This works, but when I try to
> activate it, I get the same error:
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> 
> 
> I looked in the IPA Server -> ID Ranges tab:
> first id: 13400
> nb of ids: 20
> type: local domain range
> 
> The freeIPA server is a CA-replica, and the main server is currently down.
> 
> What could be the problem?

http://blog-rcritten.rhcloud.com/?p=50

rob



Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Karl Forner
Ok.

I read a work-around on https://blog-rcritten.rhcloud.com/?p=50

It says that if one has figured out a safe new range for the replica, the
range could be set using:

ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: 168970
-
replace: dnaMaxValue
dnaMaxValue: 168979
^D

modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config"


I suppose this can be dangerous, but would you consider it as a
work-around, or should it be avoided by all means?






On Fri, Jan 8, 2016 at 5:17 PM, Alexander Bokovoy wrote:

> On Fri, 08 Jan 2016, Karl Forner wrote:
>
>>> If you never added users through this IPA server, it has no subset of ID
>>> range
>>> allocated to IDs issued on this server. To obtain this subset, it needs
>>> to talk back to the master on first allocation. Master is missing, thus
>>> it couldn't talk to it.
>>>
>>>
>> thanks.
>>
>> But if I understand correctly, I just cannot add any users from my replica?
>> Doesn't that defeat the purpose of the replica as a failover server?
>> Or should obtaining the subset of IDs be part of the process of setting up
>> a replica?
>>
> ID range is relatively scarce. We don't split it across multiple
> replicas automatically because most of them will not be used to create
> users and thus their sub-ranges will be wasted.
>
> Documentation for the DNA plugin:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Configuration_Command_and_File_Reference/dna-attributes.html
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Karl Forner wrote:

Ok.

I read a work-around on https://blog-rcritten.rhcloud.com/?p=50

It says that if one has figured out a safe new range for the replica, the
range could be set using:

ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: 168970
-
replace: dnaMaxValue
dnaMaxValue: 168979
^D

modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config"


I suppose this can be dangerous, but would you consider it as a
work-around, or should it be avoided by all means?


Rob is one of FreeIPA project original developers and he wrote this
code, so he knows it well. To derive dnaMaxValue/dnaNextValue you need to
consult older server's data, if it is still available (in
/etc/dirsrv/slapd-INSTANCE/dse.ldif).

At worst you'd need to back out the change if things don't work.

--
/ Alexander Bokovoy

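The two pieces of advice in this thread (Alexander's "consult the old server's dse.ldif for dnaNextValue/dnaMaxValue" and Rob's "the DNA plugin would have split the range in two; pick something inside the idrange, not out of the blue") can be turned into a pre-flight check before anyone runs `ipa-replica-manage dnarange-set`. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes a constructed dse.ldif fragment whose DNA entry matches the thread's idrange (first id 13400, 20 ids), assumes that "split in two" means the master keeps the lower half of its unassigned values and the replica takes the upper half, and uses a hypothetical hostname `replica.example.com`. It parses the DNA config entry, proposes the replica's half, checks any candidate range against the idrange and against the master's remaining range, and prints the command Rob suggested.

```python
"""Sanity-check a DNA sub-range for a FreeIPA replica whose master is gone.

Added example for the freeipa-users thread; not FreeIPA project code.
"""
import re

# Constructed dse.ldif fragment (assumption: the DNA "Posix IDs" entry of a
# master that had handed out a few IDs from the thread's 13400-13419 idrange).
SAMPLE_DSE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 13403
dnaMaxValue: 13419
dnaMagicRegen: -1
"""

DNA_DN = "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"


def parse_dna_range(ldif_text, dn=DNA_DN):
    """Return (dnaNextValue, dnaMaxValue) of the DNA entry, or None if not found."""
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        unfolded = []
        for line in entry.splitlines():
            if line.startswith(" ") and unfolded:      # LDIF continuation line
                unfolded[-1] += line[1:]
            elif not line.startswith("#"):
                unfolded.append(line)
        attrs = {}
        for line in unfolded:
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if attrs.get("dn", [""])[0].lower() == dn.lower():
            try:
                return int(attrs["dnanextvalue"][0]), int(attrs["dnamaxvalue"][0])
            except (KeyError, ValueError):
                return None
    return None


def split_remaining(next_value, max_value):
    """Propose a split of the still-unassigned values [next_value, max_value].

    Assumption (mirrors Rob's "split the original range in two"): the master
    keeps the lower half, the replica gets the upper half. Returns
    ((master_lo, master_hi), (replica_lo, replica_hi)).
    """
    remaining = max_value - next_value + 1
    if remaining < 2:
        raise ValueError("not enough free IDs left to split")
    half = remaining // 2
    replica_lo = max_value - half + 1
    return (next_value, replica_lo - 1), (replica_lo, max_value)


def check_replica_range(lo, hi, idrange_first, idrange_size, master_range=None):
    """Return a list of problems with a candidate DNA range (empty means OK)."""
    problems = []
    idrange_last = idrange_first + idrange_size - 1
    if lo > hi:
        problems.append("empty range: low end is above high end")
    if lo < idrange_first or hi > idrange_last:
        # Rob's warning: a DNA range not reflected in the idrange can go sideways.
        problems.append(f"{lo}-{hi} is not inside the idrange {idrange_first}-{idrange_last}")
    if master_range is not None:
        m_lo, m_hi = master_range
        if lo <= m_hi and m_lo <= hi:
            problems.append(f"{lo}-{hi} overlaps the master's remaining range {m_lo}-{m_hi}")
    return problems


def dnarange_set_command(host, lo, hi):
    """The less scary form Rob mentioned, as a string to review before running."""
    return f"ipa-replica-manage dnarange-set {host} {lo}-{hi}"


if __name__ == "__main__":
    idrange_first, idrange_size = 13400, 20          # from the "ID Ranges" tab in the thread
    next_value, max_value = parse_dna_range(SAMPLE_DSE_LDIF)
    master, replica = split_remaining(next_value, max_value)
    print("master keeps", master, "replica gets", replica)
    for candidate in (replica, (13410, 13419), (13500, 13520)):
        issues = check_replica_range(*candidate, idrange_first, idrange_size, master_range=master)
        print(candidate, "OK" if not issues else "; ".join(issues))
    print(dnarange_set_command("replica.example.com", *replica))   # hypothetical host
```

With the constructed fragment the master still owns 13403-13419, so the proposed replica half is 13412-13419. Rob's 13410-13419 passes the idrange check on its own but would overlap a master that is later restored with that dse.ldif, and Karl's 13500-13520 fails outright because it lies outside the 13400-13419 idrange; that is exactly the "picked out of the blue" case the thread warns about.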


Re: [Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

2016-01-08 Thread Alexander Bokovoy

On Fri, 08 Jan 2016, Karl Forner wrote:

Hello,

If I go to active users, click Add, fill in login, first and last name, then
click "Add", I get the error message:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

I also tried to add a staged user. This works, but when I try to activate
it, I get the same error:
Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.


I looked in the IPA Server -> ID Ranges tab:
first id: 13400
nb of ids: 20
type: local domain range

The freeIPA server is a CA-replica, and the main server is currently down.

What could be the problem?

If you never added users through this IPA server, it has no subset of ID range
allocated to IDs issued on this server. To obtain this subset, it needs
to talk back to the master on first allocation. Master is missing, thus
it couldn't talk to it.

--
/ Alexander Bokovoy
