That… could be possible. One key difference between testing and production is that
testing has a single master where production has a multi-master cluster. I don’t recall
setting a range in production, since I only had DNA enabled on a single member of the
cluster at that point. I’ll take a look in that direction.
Thanks,
James
On Apr 13, 2020, at 7:30 PM, William Brown <wbrown(a)suse.de> wrote:
Could it be that the server hasn't allocated a DNA range from the DNA master?
> On 14 Apr 2020, at 05:51, CHAMBERLAIN James <James.CHAMBERLAIN(a)3ds.com> wrote:
>
> Hi Mark,
>
> The test user I’m trying to add looks like this:
>
> dn: uid=testuser1,ou=People,dc=example,dc=com
> uid: testuser1
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> sn: Chamberlain
> gidNumber: 1000
> gecos: James Chamberlain
> cn: James Chamberlain
> homeDirectory: /home/testuser1
> givenName: James
> loginShell: /bin/bash
>
> I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging.
>
> Here’s the clip from the failed add:
>
> [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory Manager" method=128 version=3
> [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000152598 dn="cn=Directory Manager"
> [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD dn="uid=testuser1,ou=People,dc=example,dc=com"
> [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
> [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
> [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 nentries=0 etime=0.0031312230
>
> Best regards,
>
> James Chamberlain
>
>
>> On Apr 13, 2020, at 2:53 PM, Mark Reynolds <mreynolds(a)redhat.com> wrote:
>>
>> Okay, so logging in DNA stinks in this scenario. It does a lot of internal searches and if one of them "fails" you get an operations error. So we need to enable other logging...
>>
>> First what does the entry look like that you are trying to add?
>>
>> Second, run this ldapmodify
>>
>> ldapmodify -D "cn=directory manager" -W
>> # 260 = default level 256 plus 4 for internal operations
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-accesslog-level
>> nsslapd-accesslog-level: 260
>> -
>> replace: nsslapd-plugin-logging
>> nsslapd-plugin-logging: on
>>
>>
>> Then add another user, wait 30 seconds for the access log to buffer, and then provide the access log clip from the failed add.
>>
>> Thanks,
>> Mark
>>
>>
>> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote:
>>> Hi Mark,
>>>
>>> Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve got.
>>>
>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors
>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter
>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2
>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1
>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2
>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1]
>>>
>>> And here’s the DNA config:
>>>
>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: UID numbers
>>> dnaType: uidNumber
>>> dnamaxvalue: 100000
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixAccount)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>>
>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> objectClass: top
>>> objectClass: extensibleObject
>>> cn: GID numbers
>>> dnaType: gidNumber
>>> dnamaxvalue: 100000
>>> dnamagicregen: 0
>>> dnafilter: (objectclass=posixGroup)
>>> dnascope: dc=example,dc=com
>>> dnanextvalue: 25000
>>>
>>> Best regards,
>>>
>>> James
>>>
>>>
>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com> wrote:
>>>>
>>>> Enabling plugin logging will provide a little more detail about what is going wrong:
>>>>
>>>> ldapmodify -D "cn=directory manager" -W
>>>> dn: cn=config
>>>> changetype: modify
>>>> replace: nsslapd-errorlog-level
>>>> nsslapd-errorlog-level: 65536
>>>>
>>>>
>>>> After running the test you can disable the debug plugin logging by setting the log level to zero.
>>>>
>>>> Then share what information is logging when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries?
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote:
>>>>> Hi all,
>>>>>
>>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error:
>>>>>
>>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2
>>>>>
>>>>> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> James
>>>>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged.
>>>>> If you are not one of the named recipients or have received this email in error,
>>>>> (i) you should not read, disclose, or copy it,
>>>>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments,
>>>>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email.
>>>>>
>>>>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com
>>>>>
>>>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer
>>>>>
>>>>> _______________________________________________
>>>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
>>>>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
>>>> --
>>>>
>>>> 389 Directory Server Development Team
>>>>
>>
>> --
>>
>> 389 Directory Server Development Team
>>
>
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
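
An added example, not part of the original thread: a Python script that pairs each request in a 389 Directory Server access log with its RESULT line by conn/op and returns the operations that failed, which matters in the clip above because the RESULT err=1 for the ADD is written after the UNBIND. The sample embeds the quoted clip plus one constructed successful ADD (conn=3600); `failed_operations` and the regex names are hypothetical helpers.

```python
import re
from collections import defaultdict

# First six lines are the clip quoted in the thread; the conn=3600 lines are
# constructed here to show a successful ADD being filtered out.
SAMPLE_LOG = """\
[13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000152598 dn="cn=Directory Manager"
[13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD dn="uid=testuser1,ou=People,dc=example,dc=com"
[13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND
[13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1
[13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 nentries=0 etime=0.0031312230
[13/Apr/2020:15:46:02.100000000 -0400] conn=3600 op=1 ADD dn="uid=testuser2,ou=People,dc=example,dc=com"
[13/Apr/2020:15:46:02.130000000 -0400] conn=3600 op=1 RESULT err=0 tag=105 nentries=0 etime=0.0300000000
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) .*?etime=(?P<etime>[\d.]+)')
DN = re.compile(r'\bdn="([^"]*)"')
# Subset of the LDAP result codes defined in RFC 4511
ERR_NAMES = {1: "operationsError", 32: "noSuchObject", 49: "invalidCredentials",
             50: "insufficientAccessRights", 53: "unwillingToPerform",
             68: "entryAlreadyExists"}

def failed_operations(log_text):
    """Pair each request with its RESULT by (conn, op) and return the failures."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # lines in any other shape are skipped
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        res = RESULT.match(rest)
        if res:
            # The RESULT may be logged after the connection's UNBIND, as in the clip
            ops[key].update(err=int(res["err"]), etime=float(res["etime"]))
        else:
            verb = rest.split(" ", 1)[0]
            if verb.isupper() and verb != "UNBIND":
                dn = DN.search(rest)
                ops[key].update(verb=verb, dn=dn.group(1) if dn else None)
    return [dict(conn=c, op=o, err_name=ERR_NAMES.get(f["err"], "other"), **f)
            for (c, o), f in sorted(ops.items()) if f.get("err", 0) != 0]

if __name__ == "__main__":
    for failure in failed_operations(SAMPLE_LOG):
        print(failure)
```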