Okay, so logging in DNA stinks in this scenario. It does a lot of
internal searches and if one of them "fails" you get an operations
error. So we need to enable other logging...
First what does the entry look like that you are trying to add?
Second, run this ldapmodify
ldapmodify -D "cn=directory manager" -W
# 260 = default level 256 plus 4 for internal operations
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 260
-
replace: nsslapd-plugin-logging
nsslapd-plugin-logging: on
Then add another user, wait 30 seconds for the access log to buffer, and
then provide the access log clip from the failed add.
Thanks,
Mark
On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
Hi Mark,
Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve
got.
# grep dna-plugin /var/log/dirsrv/slapd-example/errors
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1]
And here’s the DNA config:
dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: UID numbers
dnaType: uidNumber
dnamaxvalue: 100000
dnamagicregen: 0
dnafilter: (objectclass=posixAccount)
dnascope: dc=example,dc=com
dnanextvalue: 25000

dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: GID numbers
dnaType: gidNumber
dnamaxvalue: 100000
dnamagicregen: 0
dnafilter: (objectclass=posixGroup)
dnascope: dc=example,dc=com
dnanextvalue: 25000
Best regards,
James
> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com> wrote:
>
> Enabling plugin logging will provide a little more detail about what is going wrong:
>
> ldapmodify -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 65536
>
>
> After running the test you can disable the debug plugin logging by setting the log level to zero.
>
> Then share what information is logged when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries?
>
> Thanks,
>
> Mark
>
> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>> Hi all,
>>
>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error:
>>
>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>
>> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next?
>>
>> Thanks,
>>
>> James
>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged.
>> If you are not one of the named recipients or have received this email in error,
>> (i) you should not read, disclose, or copy it,
>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments,
>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email.
>>
>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com
>>
>> For other languages, go to https://www.3ds.com/terms/email-disclaimer
>>
>> _______________________________________________
>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
> --
>
> 389 Directory Server Development Team
>
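An added example, not part of the thread or of 389 Directory Server itself: a small Python filter that pulls failed DNA allocations out of an errors log in the format quoted above and pairs each one with the entry the plugin was processing. The sample input is constructed from the log lines in the thread; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: the errors-log lines quoted in the thread, one event per line.
SAMPLE_LOG = """\
[13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter
[13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
[13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1
[13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2
[13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1]
"""

# [timestamp] - SEVERITY - subsystem - function - message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - (?P<sev>\w+) - (?P<subsys>[\w-]+) - "
    r"(?P<func>\w+) - (?P<msg>.*)$"
)
ADDING_RE = re.compile(r"^adding (?P<attr>\S+) to (?P<dn>.+) as (?P<value>\S+)$")
FAILED_RE = re.compile(r"^Failed to allocate a new ID!! (?P<code>-?\d+)$")


def dna_failures(log_text):
    """Return one record per failed DNA allocation, with the entry it was for.

    The lines shown carry no connection or operation id, so the pairing is by
    adjacency: a failure is attributed to the most recent "adding <attr> to
    <dn>" event. On a busy server treat the DN as a hint, not proof.
    """
    pending = None  # last "adding ..." event not yet matched to a failure
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["subsys"] != "dna-plugin":
            continue
        adding = ADDING_RE.match(m["msg"])
        if adding:
            pending = adding.groupdict()
            continue
        failed = FAILED_RE.match(m["msg"])
        if failed and m["sev"] == "ERR":
            rec = {"time": m["ts"], "code": int(failed["code"]), "attr": None, "dn": None}
            if pending:
                rec.update(attr=pending["attr"], dn=pending["dn"])
            failures.append(rec)
            pending = None
    return failures


if __name__ == "__main__":
    for f in dna_failures(SAMPLE_LOG):
        print(f"{f['time']}  {f['attr']} allocation failed for {f['dn']} (code {f['code']})")
```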