________________________________
From: Michael Starling <mlstarling31(a)hotmail.com>
Sent: Thursday, September 23, 2021 10:10 AM
To: Mark Reynolds <mreynolds(a)redhat.com>; General discussion list for the 389
Directory server project. <389-users(a)lists.fedoraproject.org>
Subject: Re: [389-users] dsidm utility inconsistencies
________________________________
From: Mark Reynolds <mreynolds(a)redhat.com>
Sent: Wednesday, September 22, 2021 8:14 PM
To: Michael Starling <mlstarling31(a)hotmail.com>; General discussion list for the 389
Directory server project. <389-users(a)lists.fedoraproject.org>
Subject: Re: [389-users] dsidm utility inconsistencies
On 9/22/21 5:11 PM, Michael Starling wrote:
________________________________
From: Mark Reynolds <mreynolds@redhat.com>
Sent: Wednesday, September 22, 2021 3:38 PM
To: General discussion list for the 389 Directory server project.
<389-users@lists.fedoraproject.org>;
Michael Starling <mlstarling31@hotmail.com>
Subject: Re: [389-users] dsidm utility inconsistencies
On 9/22/21 2:58 PM, Michael Starling wrote:
Unless I'm interpreting the man pages and documentation wrong, there seem to be some
issues with the dsidm utility. Perhaps I'm doing something wrong?
This works.
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
get-by-dn uid=mstarlingt,ou=People,dc=mydomain,dc=com
dn: uid=mstarlingt,ou=People,dc=mydomain,dc=com
cn: Mike Starling
gecos: Mike Starling test account
gidNumber: 100
givenName: Mike
homeDirectory: /home/mstarlingt
loginShell: /bin/ksh
mail: mstarling@mydomain.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowExpire: 99999
shadowLastChange: 18857
shadowMax: 33
shadowWarning: 1
sn: Starling
uid: mstarlingt
uidNumber: 25574
#Password reset works
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
reset_password "uid=mstarlingt,ou=People,dc=mydomain,dc=com"
Enter new password for uid=mstarlingt,ou=People,dc=mydomain,dc=com :
CONFIRM - Enter new password for uid=mstarlingt,ou=People,dc=mydomain,dc=com :
reset password for uid=mstarlingt,ou=People,dc=mydomain,dc=com
#Unable to lock the account.
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
lock uid=mstarlingt
Error: No such object
I consult the help which says to specify the dn
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
lock -h
usage: dsidm instance account lock [-h] [dn]
positional arguments:
dn The dn to lock
optional arguments:
-h, --help show this help message and exit
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
lock uid=mstarlingt,ou=People,dc=mydomain,dc=com
Error: search_ext() argument 1 must be str, not None
I think this is a known bug (which was fixed). What version of python-lib389 is
installed?
Thanks Mark.
python3-lib389-1.4.3.17-1.module_el8+10764+2b5f8656.noarch is installed
Yes, this is an old version, and the fix (Issue 4912) was recently made. We will have to do
new builds...
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
lock "uid=mstarlingt,ou=People,dc=mydomain,dc=com"
Error: search_ext() argument 1 must be str, not None
dsidm -W -D cn=manager -Z
ldaps://labdsa101.athenahealth.com -b dc=mydomain,dc=com account
lock "uid=mstarlingt"
I tried changing the base to the People OU where the account lives
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b ou=People,dc=mydomain,dc=com
account lock "uid=mstarlingt,ou=People,dc=mydomain,dc=com"
Error: search_ext() argument 1 must be str, not None
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get
Enter uid to retrieve : mstarlingt
Error: No object exists given the filter criteria mstarlingt
What is in the access log?
Here's what I see in the logs.
[22/Sep/2021:17:09:28.515626170 -0400] conn=3947 op=2 SRCH
base="ou=people,dc=mydomain,dc=com" scope=2
filter="(&(&(objectClass=nsPerson)(objectClass=nsAccount)(objectClass=nsOrgPerson)(objectClass=posixAccount))(|(uid=mstarlingt)(displayName=mstarlingt)(cn=mstarlingt)))"
attrs="distinguishedName"
So dsidm is pretty opinionated about how it looks for users (which might need to change).
It only looks for entries that have all of these objectclasses: nsPerson, nsAccount,
nsOrgPerson, posixAccount. What objectclasses are in your user entry?
Mark
Ahh. That's it. The mstarlingt account was created with an LDIF and does not have the
"ns" object classes.
I notice when I go to create an account with dsidm I have limited ability to specify
attributes.
Is the best way to create an account still with an LDIF file? When I create an account
with dsidm it has no loginShell. Is there a default template dsidm pulls from that needs
to be updated with the other possible user attributes that are set as the default and not
covered by the dsidm utility?
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user
create --uid="dstest" --cn="Test dsidm" --gidNumber="100"
--homeDirectory="/home/dstest" --displayName="Test Account"
--uidnumber="25941" --mail="mstarling(a)mydomain.com"
--loginShell="/bin/bash"
usage: dsidm [-h] [-b BASEDN] [-v] [-D BINDDN] [-w BINDPW] [-W] [-W PWDFILE]
[-Z] [-j]
instance
{account,group,initialise,organizationalunit,posixgroup,user,client_config,role}
...
dsidm: error: unrecognized arguments: --uidnumber=25941 --mail=mstarling(a)mydomain.com
--loginShell=/bin/bash
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user
create -h
usage: dsidm instance user create [-h] [--uid [UID]] [--cn [CN]]
[--displayName [DISPLAYNAME]]
[--uidNumber [UIDNUMBER]]
[--gidNumber [GIDNUMBER]]
[--homeDirectory [HOMEDIRECTORY]]
optional arguments:
-h, --help show this help message and exit
--uid [UID] Value of uid
--cn [CN] Value of cn
--displayName [DISPLAYNAME]
Value of displayName
--uidNumber [UIDNUMBER]
Value of uidNumber
--gidNumber [GIDNUMBER]
Value of gidNumber
--homeDirectory [HOMEDIRECTORY]
Value of homeDirectory
So if I create a user with dsidm and it adds the "ns" object classes I still
can't run some of the dsidm commands against that account
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get
dstest
dn: uid=dstest,ou=People,dc=mydomain,dc=com
cn: Test Dsconf
displayName: Test Account
employeeNumber: 25429
gidNumber: 100
homeDirectory: /home/dstest
loginShell: /bin/bash
mail: mstarling(a)mydomain.com
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: dstest
uidNumber: 25941
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
lock dstest
Error: dstest is not a valid DN
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account
lock uid=dstest,ou=People,dc=mydomain,dc=com
Error: search_ext() argument 1 must be str, not None
dsidm -W .slaplab -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com
account entry-status uid=dstest,ou=People,dc=mydomain,dc=com
Error: search_ext() argument 1 must be str, not None
dsidm -W .slaplab -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com
account entry-status dstest
Error: dstest is not a valid DN
dsidm -W .slaplab -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com
account entry-status
Enter dn to check : uid=dstest,ou=People,dc=mydomain,dc=com
Error: search_ext() argument 1 must be str, not None
Thanks,
Mark
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get
Enter uid to retrieve : uid=mstarlingt,ou=People,dc=mydomain,dc=com
Error: No object exists given the filter criteria
uid=mstarlingt,ou=People,dc=mydomain,dc=com
dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get
Enter uid to retrieve : uid=mstarlingt
Error: No object exists given the filter criteria uid=mstarlingt
--
Directory Server Development Team
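The objectClass mismatch diagnosed in this thread, as an added example that is not part of the original messages or of lib389: a Python check that pulls the mandatory objectClass values out of the logged SRCH filter and reports which ones an entry lacks. The log line and the two entries are constructed from the values quoted above; all function names are hypothetical.

```python
import re

# Constructed sample input shaped like the thread's access-log line and the
# objectClass values of its two entries; all helper names are hypothetical.
LOG_LINE = ('[22/Sep/2021:17:09:28.515626170 -0400] conn=3947 op=2 SRCH '
            'base="ou=people,dc=mydomain,dc=com" scope=2 filter="(&(&'
            '(objectClass=nsPerson)(objectClass=nsAccount)'
            '(objectClass=nsOrgPerson)(objectClass=posixAccount))'
            '(|(uid=mstarlingt)(displayName=mstarlingt)(cn=mstarlingt)))" '
            'attrs="distinguishedName"')

def as_entry(dn, classes):  # render dn + objectClass lines as dsidm prints them
    return f"dn: {dn}\n" + "".join(f"objectClass: {c}\n" for c in classes)

LDIF_ENTRY = as_entry("uid=mstarlingt,ou=People,dc=mydomain,dc=com",
                      ["person", "organizationalPerson", "inetOrgPerson",
                       "posixAccount", "top", "shadowAccount"])
DSIDM_ENTRY = as_entry("uid=dstest,ou=People,dc=mydomain,dc=com",
                       ["top", "nsPerson", "nsAccount", "nsOrgPerson",
                        "posixAccount"])

def mandatory_objectclasses(ldap_filter):
    """objectClass values every match must carry (reached only through '&')."""
    required, ops, i = {}, [], 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "(" and ldap_filter[i + 1] in "&|!":
            ops.append(ldap_filter[i + 1])       # open a composite group
            i += 2
        elif ch == "(":                          # simple attr=value item
            end = ldap_filter.index(")", i)
            attr, _, value = ldap_filter[i + 1:end].partition("=")
            if attr.lower() == "objectclass" and value != "*" and set(ops) <= {"&"}:
                required[value.lower()] = value
            i = end + 1
        else:
            if ch == ")":                        # close a composite group
                ops.pop()
            i += 1
    return required

def missing_objectclasses(log_line, entry_text):
    """Classes the logged SRCH filter demands that the entry does not have."""
    ldap_filter = re.search(r'filter="([^"]*)"', log_line).group(1)
    present = {c.lower() for c in re.findall(r"(?im)^objectClass:\s*(\S+)", entry_text)}
    required = mandatory_objectclasses(ldap_filter)
    return sorted(n for k, n in required.items() if k not in present)

print(missing_objectclasses(LOG_LINE, LDIF_ENTRY))
print(missing_objectclasses(LOG_LINE, DSIDM_ENTRY))
```

Run against an entry loaded from LDIF, a non-empty result explains why `dsidm user get` reports "No object exists given the filter criteria" even though the entry is present.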