------------------------------------------------------------------------
*From:* Michael Starling <mlstarling31(a)hotmail.com>
*Sent:* Thursday, September 23, 2021 10:10 AM
*To:* Mark Reynolds <mreynolds(a)redhat.com>; General discussion list
for the 389 Directory server project. <389-users(a)lists.fedoraproject.org>
*Subject:* Re: [389-users] dsidm utility inconsistencies
------------------------------------------------------------------------
*From:* Mark Reynolds <mreynolds(a)redhat.com>
*Sent:* Wednesday, September 22, 2021 8:14 PM
*To:* Michael Starling <mlstarling31(a)hotmail.com>; General discussion
list for the 389 Directory server project.
<389-users(a)lists.fedoraproject.org>
*Subject:* Re: [389-users] dsidm utility inconsistencies
On 9/22/21 5:11 PM, Michael Starling wrote:
>
>
> ------------------------------------------------------------------------
> *From:* Mark Reynolds <mreynolds(a)redhat.com>
> *Sent:* Wednesday, September 22, 2021 3:38 PM
> *To:* General discussion list for the 389 Directory server project.
> <389-users(a)lists.fedoraproject.org>; Michael Starling
> <mlstarling31(a)hotmail.com>
> *Subject:* Re: [389-users] dsidm utility inconsistencies
>
>
> On 9/22/21 2:58 PM, Michael Starling wrote:
>>
>> Unless I'm interpreting the man pages, and documentation wrong there
>> seems to be some issues with the dsidm utility. Perhaps I'm doing
>> something wrong?
>>
>>
>> This works.
>>
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account get-by-dn uid=mstarlingt,ou=People,dc=mydomain,dc=com
>>
>> dn: uid=mstarlingt,ou=People,dc=mydomain,dc=com
>> cn: Mike Starling
>> gecos: Mike Starling test account
>> gidNumber: 100
>> givenName: Mike
>> homeDirectory: /home/mstarlingt
>> loginShell: /bin/ksh
>> mail: mstarling(a)mydomain.com
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: shadowAccount
>> shadowExpire: 99999
>> shadowLastChange: 18857
>> shadowMax: 33
>> shadowWarning: 1
>> sn: Starling
>> uid: mstarlingt
>> uidNumber: 25574
>>
>>
>> #Password reset works
>>
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account reset_password "uid=mstarlingt,ou=People,dc=mydomain,dc=com"
>>
>> Enter new password for uid=mstarlingt,ou=People,dc=mydomain,dc=com :
>> CONFIRM - Enter new password for uid=mstarlingt,ou=People,dc=mydomain,dc=com :
>> reset password for uid=mstarlingt,ou=People,dc=mydomain,dc=com
>>
>>
>>
>> #Unable to lock the account.
>>
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock uid=mstarlingt
>>
>> *Error: No such object*
>>
>> *I consult the help which says to specify the dn*
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock -h
>>
>> usage: dsidm instance account lock [-h] [dn]
>>
>> positional arguments:
>>   dn          The dn to lock
>>
>> optional arguments:
>>   -h, --help  show this help message and exit
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock uid=mstarlingt,ou=People,dc=mydomain,dc=com
>>
>> Error: search_ext() argument 1 must be str, not None
>>
> I think this is a known bug (which was fixed). What version of
> python-lib389 is installed?
>
>
> Thanks Mark.
>
>
> python3-lib389-1.4.3.17-1.module_el8+10764+2b5f8656.noarch is installed
Yes this is an old version, and the fix (Issue 4912) was recently
made. We will have to do new builds...
>>
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock "uid=mstarlingt,ou=People,dc=mydomain,dc=com"
>>
>> Error: search_ext() argument 1 must be str, not None
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.athenahealth.com -b dc=mydomain,dc=com account lock "uid=mstarlingt"
>>
>> I tried changing the base to the People OU where the account lives
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b ou=People,dc=mydomain,dc=com account lock "uid=mstarlingt,ou=People,dc=mydomain,dc=com"
>>
>> Error: search_ext() argument 1 must be str, not None
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get
>>
>> Enter uid to retrieve : mstarlingt
>>
>> Error: No object exists given the filter criteria mstarlingt
>>
> What is in the access log?
>
>
>
> Here's what I see in the logs.
>
>
> [22/Sep/2021:17:09:28.515626170 -0400] conn=3947 op=2 SRCH
> base="ou=people,dc=mydomain,dc=com" scope=2
> filter="(&(&(objectClass=nsPerson)(objectClass=nsAccount)(objectClass=nsOrgPerson)(objectClass=posixAccount))(|(uid=mstarlingt)(displayName=mstarlingt)(cn=mstarlingt)))"
> attrs="distinguishedName"
So dsidm is pretty opinionated about how it looks for users (which
might need to change). It only looks for entries that have all of
these objectclasses: nsPerson, nsAccount, nsOrgPerson, posixAccount.
What objectclasses are in your user entry?
Mark

Ahh. That's it. The mstarlingt account was created with an LDIF and
does not have the "ns" object classes.

I notice when I go to create an account with dsidm I have limited
ability to specify attributes.

Is the best way to create an account still with an LDIF file? When I
create an account with dsidm it has no loginShell. Is there a default
template dsidm pulls from that needs to be updated with the other
possible user attributes that are set as the default and not covered
by the dsidm utility?

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user create --uid="dstest" --cn="Test dsidm" --gidNumber="100" --homeDirectory="/home/dstest" --displayName="Test Account" --uidnumber="25941" --mail="mstarling(a)mydomain.com" --loginShell="/bin/bash"

usage: dsidm [-h] [-b BASEDN] [-v] [-D BINDDN] [-w BINDPW] [-W] [-W PWDFILE]
             [-Z] [-j]
             instance
             {account,group,initialise,organizationalunit,posixgroup,user,client_config,role}
             ...
dsidm: error: unrecognized arguments: --uidnumber=25941 --mail=mstarling(a)mydomain.com --loginShell=/bin/bash

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user create -h

usage: dsidm instance user create [-h] [--uid [UID]] [--cn [CN]]
                                  [--displayName [DISPLAYNAME]]
                                  [--uidNumber [UIDNUMBER]]
                                  [--gidNumber [GIDNUMBER]]
                                  [--homeDirectory [HOMEDIRECTORY]]

optional arguments:
  -h, --help            show this help message and exit
  --uid [UID]           Value of uid
  --cn [CN]             Value of cn
  --displayName [DISPLAYNAME]
                        Value of displayName
  --uidNumber [UIDNUMBER]
                        Value of uidNumber
  --gidNumber [GIDNUMBER]
                        Value of gidNumber
  --homeDirectory [HOMEDIRECTORY]
                        Value of homeDirectory

You used the wrong argument (--uidnumber), it is case sensitive, and the
usage says to use "--uidNumber".

As for setting other attributes, dsidm can do it - after the entry is
created. Please see:

dsidm -b o=mark localhost user modify --help

So you just can't set those custom attributes at creation time :-/ But
I think that sounds like a good RFE for dsidm, something like:

--attr="attr:value"

So if I create a user with dsidm and it adds the "ns" object classes I
still can't run some of the dsidm commands against that account

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get dstest

dn: uid=dstest,ou=People,dc=mydomain,dc=com
cn: Test Dsconf
displayName: Test Account
employeeNumber: 25429
gidNumber: 100
homeDirectory: /home/dstest
loginShell: /bin/bash
mail: mstarling(a)mydomain.com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: dstest
uidNumber: 25941

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock dstest

Error: dstest is not a valid DN

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock uid=dstest,ou=People,dc=mydomain,dc=com

Error: search_ext() argument 1 must be str, not None

Right, like I said, this is a known bug that was recently fixed, so new
builds need to be done to pick that fix up. I'm not sure what platform you
are on, I know it takes time for our builds to land in other distros
like CentOS, etc.

Mark

dsidm -W .slaplab -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account entry-status uid=dstest,ou=People,dc=mydomain,dc=com

Error: search_ext() argument 1 must be str, not None

dsidm -W .slaplab -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account entry-status dstest

Error: dstest is not a valid DN

dsidm -W .slaplab -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account entry-status

Enter dn to check : uid=dstest,ou=People,dc=mydomain,dc=com

Error: search_ext() argument 1 must be str, not None
> Thanks,
>
> Mark
>
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get
>>
>> Enter uid to retrieve : uid=mstarlingt,ou=People,dc=mydomain,dc=com
>>
>> Error: No object exists given the filter criteria uid=mstarlingt,ou=People,dc=mydomain,dc=com
>>
>> dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get
>>
>> Enter uid to retrieve : uid=mstarlingt
>>
>> Error: No object exists given the filter criteria uid=mstarlingt
>>
>>
>>
>>
> --
> Directory Server Development Team
--
Directory Server Development Team
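
The search filter shown in the access log explains why `user get` finds the dsidm-created entry but not the one loaded from LDIF. The following is an added example, not code from the thread or from lib389: it evaluates that filter offline against two entries abbreviated from the output above. The function names and the simplified LDIF parser are assumptions made for illustration.

```python
# Added example, not lib389 code: the access-log filter, evaluated offline.
REQUIRED_CLASSES = ("nsPerson", "nsAccount", "nsOrgPerson", "posixAccount")
NAME_ATTRS = ("uid", "displayName", "cn")

# Constructed sample: entries abbreviated from the output in the thread.
SAMPLE_LDIF = """\
dn: uid=mstarlingt,ou=People,dc=mydomain,dc=com
cn: Mike Starling
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: mstarlingt

dn: uid=dstest,ou=People,dc=mydomain,dc=com
cn: Test Dsconf
displayName: Test Account
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: dstest
"""

def parse_ldif(text):
    """Simple LDIF only (no base64, no folded lines) -> {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def missing_classes(attrs):
    """objectClasses the filter requires that the entry lacks."""
    have = {v.lower() for v in attrs.get("objectclass", [])}
    return [c for c in REQUIRED_CLASSES if c.lower() not in have]

def user_filter_matches(attrs, name):
    """Logged filter: all four classes AND name equals uid, displayName or cn."""
    wanted = name.lower()
    hit = any(wanted == v.lower() for a in NAME_ATTRS for v in attrs.get(a.lower(), []))
    return hit and not missing_classes(attrs)

def explain(ldif_text, name):
    """Return {dn: (filter matches, missing objectClasses)} for each entry."""
    return {dn: (user_filter_matches(a, name), missing_classes(a))
            for dn, a in parse_ldif(ldif_text).items()}
```

Running `explain(SAMPLE_LDIF, "mstarlingt")` reports the three `ns` classes as missing for the LDIF-created entry, which is the condition discussed in the thread.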