Hi all, I’m trying to use the DNA plugin to add uidNumbers on posixAccounts.  Everything worked fine in testing, but now that it’s in production I’m seeing the following error: ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior.  Any ideas what I should try next? Thanks, James This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com <mailto:3DS.compliance-privacy@3ds.com> For other languages, go to https://www.3ds.com/terms/email-disclaimer _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...

Hi Mark, Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve got. # grep dna-plugin /var/log/dirsrv/slapd-example/errors [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2 [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1 [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2 [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1] And here’s the DNA config: dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: UID numbers dnaType: uidNumber dnamaxvalue: 100000 dnamagicregen: 0 dnafilter: (objectclass=posixAccount) dnascope: dc=example,dc=com dnanextvalue: 25000 dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: GID numbers dnaType: gidNumber dnamaxvalue: 100000 dnamagicregen: 0 dnafilter: (objectclass=posixGroup) dnascope: dc=example,dc=com dnanextvalue: 25000 Best regards, James > On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: > > Enabling plugin logging will provide a little more detail about what is going wrong: > > ldapmodify -D "cn=directory manager" -W > dn: cn=config > changetype: modify > replace: nsslapd-errorlog-level > nsslapd-errorlog-level: 65536 > > > After running the test you can disable the debug plugin logging by setting the log level to zero. > > Then share what information is logging when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries? > > Thanks, > > Mark > > On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >> Hi all, >> >> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error: >> >> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 >> >> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next? >> >> Thanks, >> >> James >> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >> If you are not one of the named recipients or have received this email in error, >> (i) you should not read, disclose, or copy it, >> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >> >> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com >> >> For other languages, go to https://www.3ds.com/terms/email-disclaimer >> >> >> _______________________________________________ >> 389-users mailing list -- >> 389-users(a)lists.fedoraproject.org >> >> To unsubscribe send an email to >> 389-users-leave(a)lists.fedoraproject.org >> >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> >> List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> >> List Archives: >> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > -- > > 389 Directory Server Development Team > This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> For other languages, go to https://www.3ds.com/terms/email-disclaimer

On 14 Apr 2020, at 05:51, CHAMBERLAIN James <James.CHAMBERLAIN(a)3ds.com&gt; wrote: Hi Mark, The test user I’m trying to add looks like this: dn: uid=testuser1,ou=People,dc=example,dc=com uid: testuser1 objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top sn: Chamberlain gidNumber: 1000 gecos: James Chamberlain cn: James Chamberlain homeDirectory: /home/testuser1 givenName: James loginShell: /bin/bash I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging. Here’s the clip from the failed add: [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory Manager" method=128 version=3 [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000152598 dn="cn=Directory Manager" [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD dn="uid=testuser1,ou=People,dc=example,dc=com" [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1 [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 nentries=0 etime=0.0031312230 Best regards, James Chamberlain > On Apr 13, 2020, at 2:53 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: > > Okay, so logging in DNA stinks in this scenario. It does a lot of internal searches and if one of them "fails" you get an operations error. So we need to enable other logging... > > First what does the entry look like that you are trying to add? > > Second, run this ldapmodify > > ldapmodify -D "cn=directory manager" -W > dn: cn=config > changetype: modify > replace: nsslapd-accesslog-level > nsslapd-acceslog-level: 260 (default level 256 plus 4 for internal operations) > - > replace: nsslapd-plugin-logging > nsslapd-plugin-logging: on > > > Then add another user, wait 30 seconds for the access log to buffer, and then provide the access log clip from the failed add. > > Thanks, > Mark > > > On 4/13/20 2:41 PM, CHAMBERLAIN James wrote: >> Hi Mark, >> >> Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve got. >> >> # grep dna-plugin /var/log/dirsrv/slapd-example/errors >> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter >> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2 >> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1 >> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2 >> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1] >> >> And here’s the DNA config: >> >> dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >> objectClass: top >> objectClass: extensibleObject >> cn: UID numbers >> dnaType: uidNumber >> dnamaxvalue: 100000 >> dnamagicregen: 0 >> dnafilter: (objectclass=posixAccount) >> dnascope: dc=example,dc=com >> dnanextvalue: 25000 >> >> dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >> objectClass: top >> objectClass: extensibleObject >> cn: GID numbers >> dnaType: gidNumber >> dnamaxvalue: 100000 >> dnamagicregen: 0 >> dnafilter: (objectclass=posixGroup) >> dnascope: dc=example,dc=com >> dnanextvalue: 25000 >> >> Best regards, >> >> James >> >> >>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: >>> >>> Enabling plugin logging will provide a little more detail about what is going wrong: >>> >>> ldapmodify -D "cn=directory manager" -W >>> dn: cn=config >>> changetype: modify >>> replace: nsslapd-errorlog-level >>> nsslapd-errorlog-level: 65536 >>> >>> >>> After running the test you can disable the debug plugin logging by setting the log level to zero. >>> >>> Then share what information is logging when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries? >>> >>> Thanks, >>> >>> Mark >>> >>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >>>> Hi all, >>>> >>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error: >>>> >>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 >>>> >>>> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next? >>>> >>>> Thanks, >>>> >>>> James >>>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >>>> If you are not one of the named recipients or have received this email in error, >>>> (i) you should not read, disclose, or copy it, >>>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >>>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >>>> >>>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com >>>> >>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>>> >>>> >>>> _______________________________________________ >>>> 389-users mailing list -- >>>> 389-users(a)lists.fedoraproject.org >>>> >>>> To unsubscribe send an email to >>>> 389-users-leave(a)lists.fedoraproject.org >>>> >>>> Fedora Code of Conduct: >>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>> >>>> List Guidelines: >>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> >>>> List Archives: >>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>> -- >>> >>> 389 Directory Server Development Team >>> >> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >> >> If you are not one of the named recipients or have received this email in error, >> >> (i) you should not read, disclose, or copy it, >> >> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >> >> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >> >> >> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> >> >> >> For other languages, go to https://www.3ds.com/terms/email-disclaimer > > -- > > 389 Directory Server Development Team > This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> For other languages, go to https://www.3ds.com/terms/email-disclaimer _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...

On 14 Apr 2020, at 23:45, CHAMBERLAIN James <James.CHAMBERLAIN(a)3ds.com&gt; wrote: That… could be possible. One key difference between testing and production is that testing has a single master where production has a multi-master cluster. I don’t recall setting a range in production, since I only had DNA enabled on a single member of the cluster at that point. I’ll take a look in that direction.

Thanks, James > On Apr 13, 2020, at 7:30 PM, William Brown <wbrown(a)suse.de&gt; wrote: > > Could it be that the server hasn't allocated a DNA range from the DNA master? > >> On 14 Apr 2020, at 05:51, CHAMBERLAIN James <James.CHAMBERLAIN(a)3ds.com&gt; wrote: >> >> Hi Mark, >> >> The test user I’m trying to add looks like this: >> >> dn: uid=testuser1,ou=People,dc=example,dc=com >> uid: testuser1 >> objectClass: person >> objectClass: organizationalPerson >> objectClass: inetOrgPerson >> objectClass: posixAccount >> objectClass: top >> sn: Chamberlain >> gidNumber: 1000 >> gecos: James Chamberlain >> cn: James Chamberlain >> homeDirectory: /home/testuser1 >> givenName: James >> loginShell: /bin/bash >> >> I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging. >> >> Here’s the clip from the failed add: >> >> [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory Manager" method=128 version=3 >> [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000152598 dn="cn=Directory Manager" >> [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD dn="uid=testuser1,ou=People,dc=example,dc=com" >> [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND >> [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1 >> [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 nentries=0 etime=0.0031312230 >> >> Best regards, >> >> James Chamberlain >> >> >>> On Apr 13, 2020, at 2:53 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: >>> >>> Okay, so logging in DNA stinks in this scenario. It does a lot of internal searches and if one of them "fails" you get an operations error. So we need to enable other logging... >>> >>> First what does the entry look like that you are trying to add? >>> >>> Second, run this ldapmodify >>> >>> ldapmodify -D "cn=directory manager" -W >>> dn: cn=config >>> changetype: modify >>> replace: nsslapd-accesslog-level >>> nsslapd-acceslog-level: 260 (default level 256 plus 4 for internal operations) >>> - >>> replace: nsslapd-plugin-logging >>> nsslapd-plugin-logging: on >>> >>> >>> Then add another user, wait 30 seconds for the access log to buffer, and then provide the access log clip from the failed add. >>> >>> Thanks, >>> Mark >>> >>> >>> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote: >>>> Hi Mark, >>>> >>>> Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve got. >>>> >>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors >>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter >>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2 >>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1 >>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2 >>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1] >>>> >>>> And here’s the DNA config: >>>> >>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >>>> objectClass: top >>>> objectClass: extensibleObject >>>> cn: UID numbers >>>> dnaType: uidNumber >>>> dnamaxvalue: 100000 >>>> dnamagicregen: 0 >>>> dnafilter: (objectclass=posixAccount) >>>> dnascope: dc=example,dc=com >>>> dnanextvalue: 25000 >>>> >>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >>>> objectClass: top >>>> objectClass: extensibleObject >>>> cn: GID numbers >>>> dnaType: gidNumber >>>> dnamaxvalue: 100000 >>>> dnamagicregen: 0 >>>> dnafilter: (objectclass=posixGroup) >>>> dnascope: dc=example,dc=com >>>> dnanextvalue: 25000 >>>> >>>> Best regards, >>>> >>>> James >>>> >>>> >>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: >>>>> >>>>> Enabling plugin logging will provide a little more detail about what is going wrong: >>>>> >>>>> ldapmodify -D "cn=directory manager" -W >>>>> dn: cn=config >>>>> changetype: modify >>>>> replace: nsslapd-errorlog-level >>>>> nsslapd-errorlog-level: 65536 >>>>> >>>>> >>>>> After running the test you can disable the debug plugin logging by setting the log level to zero. >>>>> >>>>> Then share what information is logging when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries? >>>>> >>>>> Thanks, >>>>> >>>>> Mark >>>>> >>>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >>>>>> Hi all, >>>>>> >>>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error: >>>>>> >>>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 >>>>>> >>>>>> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next? >>>>>> >>>>>> Thanks, >>>>>> >>>>>> James >>>>>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >>>>>> If you are not one of the named recipients or have received this email in error, >>>>>> (i) you should not read, disclose, or copy it, >>>>>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >>>>>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >>>>>> >>>>>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com >>>>>> >>>>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> 389-users mailing list -- >>>>>> 389-users(a)lists.fedoraproject.org >>>>>> >>>>>> To unsubscribe send an email to >>>>>> 389-users-leave(a)lists.fedoraproject.org >>>>>> >>>>>> Fedora Code of Conduct: >>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>> >>>>>> List Guidelines: >>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>> >>>>>> List Archives: >>>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>>>> -- >>>>> >>>>> 389 Directory Server Development Team >>>>> >>>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >>>> >>>> If you are not one of the named recipients or have received this email in error, >>>> >>>> (i) you should not read, disclose, or copy it, >>>> >>>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >>>> >>>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >>>> >>>> >>>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> >>>> >>>> >>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>> >>> -- >>> >>> 389 Directory Server Development Team >>> >> >> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >> >> If you are not one of the named recipients or have received this email in error, >> >> (i) you should not read, disclose, or copy it, >> >> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >> >> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >> >> >> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> >> >> >> For other languages, go to https://www.3ds.com/terms/email-disclaimer >> _______________________________________________ >> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > > — > Sincerely, > > William Brown > > Senior Software Engineer, 389 Directory Server > SUSE Labs > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> For other languages, go to https://www.3ds.com/terms/email-disclaimer _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...

On Apr 13, 2020, at 3:01 PM, Marc Sauton <msauton(a)redhat.com&gt; wrote: verify there is an equality index for uidnumber and gidnumber, not just presence, in the entries dn: cn=gidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config dn: cn=uidnumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config which version of 389-ds-base is this about? Thanks, M. On Mon, Apr 13, 2020 at 11:42 AM CHAMBERLAIN James <James.CHAMBERLAIN(a)3ds.com&gt; wrote: Hi Mark, Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve got. # grep dna-plugin /var/log/dirsrv/slapd-example/errors [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2 [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1 [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2 [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1] And here’s the DNA config: dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: UID numbers dnaType: uidNumber dnamaxvalue: 100000 dnamagicregen: 0 dnafilter: (objectclass=posixAccount) dnascope: dc=example,dc=com dnanextvalue: 25000 dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config objectClass: top objectClass: extensibleObject cn: GID numbers dnaType: gidNumber dnamaxvalue: 100000 dnamagicregen: 0 dnafilter: (objectclass=posixGroup) dnascope: dc=example,dc=com dnanextvalue: 25000 Best regards, James > On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: > > Enabling plugin logging will provide a little more detail about what is going wrong: > > ldapmodify -D "cn=directory manager" -W > dn: cn=config > changetype: modify > replace: nsslapd-errorlog-level > nsslapd-errorlog-level: 65536 > > > After running the test you can disable the debug plugin logging by setting the log level to zero. > > Then share what information is logging when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries? > > Thanks, > > Mark > > On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >> Hi all, >> >> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error: >> >> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 >> >> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next? >> >> Thanks, >> >> James >> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >> If you are not one of the named recipients or have received this email in error, >> (i) you should not read, disclose, or copy it, >> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >> >> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com >> >> For other languages, go to https://www.3ds.com/terms/email-disclaimer >> >> >> _______________________________________________ >> 389-users mailing list -- >> 389-users(a)lists.fedoraproject.org >> >> To unsubscribe send an email to >> 389-users-leave(a)lists.fedoraproject.org >> >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> >> List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> >> List Archives: >> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > -- > > 389 Directory Server Development Team > This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> For other languages, go to https://www.3ds.com/terms/email-disclaimer _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...

On Apr 16, 2020, at 1:23 PM, thierry bordaz <tbordaz(a)redhat.com&gt; wrote: Hi James, I would guess that the allocated range is exhausted, means next value reached maxValue. Possibly part of the range was taken by an other replica. You can try to get more details with ldapmodify -D "cn=directory manager" -W dn: cn=config changetype: modify replace: nsslapd-accesslog-level nsslapd-acceslog-level: 260 (default level 256 plus 4 for internal operations) - replace: nsslapd-plugin-logging nsslapd-plugin-logging: on and lookup at the entry ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi best regards thierry On 4/13/20 8:41 PM, CHAMBERLAIN James wrote: > Hi Mark, > > Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve got. > > # grep dna-plugin /var/log/dirsrv/slapd-example/errors > [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter > [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2 > [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1 > [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2 > [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1] > > And here’s the DNA config: > > dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > objectClass: top > objectClass: extensibleObject > cn: UID numbers > dnaType: uidNumber > dnamaxvalue: 100000 > dnamagicregen: 0 > dnafilter: (objectclass=posixAccount) > dnascope: dc=example,dc=com > dnanextvalue: 25000 > > dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > objectClass: top > objectClass: extensibleObject > cn: GID numbers > dnaType: gidNumber > dnamaxvalue: 100000 > dnamagicregen: 0 > dnafilter: (objectclass=posixGroup) > dnascope: dc=example,dc=com > dnanextvalue: 25000 > > Best regards, > > James > > >> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: >> >> Enabling plugin logging will provide a little more detail about what is going wrong: >> >> ldapmodify -D "cn=directory manager" -W >> dn: cn=config >> changetype: modify >> replace: nsslapd-errorlog-level >> nsslapd-errorlog-level: 65536 >> >> >> After running the test you can disable the debug plugin logging by setting the log level to zero. >> >> Then share what information is logging when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries? >> >> Thanks, >> >> Mark >> >> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >>> Hi all, >>> >>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error: >>> >>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 >>> >>> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next? >>> >>> Thanks, >>> >>> James >>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >>> If you are not one of the named recipients or have received this email in error, >>> (i) you should not read, disclose, or copy it, >>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >>> >>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com >>> >>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>> >>> >>> _______________________________________________ >>> 389-users mailing list -- >>> 389-users(a)lists.fedoraproject.org >>> >>> To unsubscribe send an email to >>> 389-users-leave(a)lists.fedoraproject.org >>> >>> Fedora Code of Conduct: >>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> >>> List Guidelines: >>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>> >>> List Archives: >>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >> -- >> >> 389 Directory Server Development Team >> > This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. > > If you are not one of the named recipients or have received this email in error, > > (i) you should not read, disclose, or copy it, > > (ii) please notify sender of your receipt by reply email and delete this email and all attachments, > > (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. > > > Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> > > > For other languages, go to https://www.3ds.com/terms/email-disclaimer > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...

Hi all, Thank you all for your help. I’ve gotten DNA working. I’ll be doing some further work to convince myself that I understand exactly what I did that got it working and can replicate it; but in the meantime, I had a question or two. Do I correctly understand RHDS 11 Administration Guide, section 7.4.3.1, to mean that if I want to have DNA manage uidNumber and gidNumber separately using different ranges, I’ll need to create two instances of the plugin? I’m not finding dsconf on CentOS 7, including under “yum whatprovides ‘*/dsconf’”. Am I missing something? Was this tool released in something more recent than 1.3.7.5-28?

I suspect that the key differences between my original setup and what’s working now are the establishment of a dnaSharedCfgDN and non-overlapping initial ranges. My original test setup was a single master server, which didn’t need these things. It was suggested that I may need to include the attribute I wanted DNA to manage as part of creating an entry, and that I should give it dnaMagicRegen's value. However, this does not appear that it’s necessary - I was able to add a test user without specifying a uidNumber and DNA generated it for me. Thanks, James > On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James <James.CHAMBERLAIN(a)3ds.com&gt; wrote: > > Hi Thierry, > > The thing is, while this is on the production multi-master cluster, it’s not being used yet. Any new entries being added have uidNumber set explicitly, except for my test entry. I’ve been trying a few things and have a different error message now but the same result. I’ll update the thread shortly with further details. > > Best regards, > > James > > >> On Apr 16, 2020, at 1:23 PM, thierry bordaz <tbordaz(a)redhat.com&gt; wrote: >> >> Hi James, >> >> I would guess that the allocated range is exhausted, means next value reached maxValue. >> Possibly part of the range was taken by an other replica. >> >> You can try to get more details with >> >> ldapmodify -D "cn=directory manager" -W >> dn: cn=config >> changetype: modify >> replace: nsslapd-accesslog-level >> nsslapd-acceslog-level: 260 (default level 256 plus 4 for internal operations) >> - >> replace: nsslapd-plugin-logging >> nsslapd-plugin-logging: on >> >> and lookup at the entry ldapsearch -D DM... -b "cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -s base nscpentrywsi >> >> >> best regards >> thierry >> On 4/13/20 8:41 PM, CHAMBERLAIN James wrote: >>> Hi Mark, >>> >>> Thanks for getting back to me. After adjusting nsslapd-errorlog-level, here’s what I’ve got. >>> >>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors >>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - dn does not match filter >>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - adding uidNumber to uid=testuser1,ou=People,dc=example,dc=com as -2 >>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - _dna_pre_op_add - retrieved value 0 ret 1 >>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add - Failed to allocate a new ID!! 2 >>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - Operation failure [1] >>> >>> And here’s the DNA config: >>> >>> dn: cn=UID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >>> objectClass: top >>> objectClass: extensibleObject >>> cn: UID numbers >>> dnaType: uidNumber >>> dnamaxvalue: 100000 >>> dnamagicregen: 0 >>> dnafilter: (objectclass=posixAccount) >>> dnascope: dc=example,dc=com >>> dnanextvalue: 25000 >>> >>> dn: cn=GID numbers,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config >>> objectClass: top >>> objectClass: extensibleObject >>> cn: GID numbers >>> dnaType: gidNumber >>> dnamaxvalue: 100000 >>> dnamagicregen: 0 >>> dnafilter: (objectclass=posixGroup) >>> dnascope: dc=example,dc=com >>> dnanextvalue: 25000 >>> >>> Best regards, >>> >>> James >>> >>> >>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreynolds(a)redhat.com&gt; wrote: >>>> >>>> Enabling plugin logging will provide a little more detail about what is going wrong: >>>> >>>> ldapmodify -D "cn=directory manager" -W >>>> dn: cn=config >>>> changetype: modify >>>> replace: nsslapd-errorlog-level >>>> nsslapd-errorlog-level: 65536 >>>> >>>> >>>> After running the test you can disable the debug plugin logging by setting the log level to zero. >>>> >>>> Then share what information is logging when you add a new user. This is most likely a configuration error so hopefully we can find out what went wrong in your set up. Can you also provide the DNA config entries? >>>> >>>> Thanks, >>>> >>>> Mark >>>> >>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >>>>> Hi all, >>>>> >>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. Everything worked fine in testing, but now that it’s in production I’m seeing the following error: >>>>> >>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 >>>>> >>>>> I’ve followed the advice in the knowledge base (https://access.redhat.com/solutions/875133), about adding an equality index with an nsMatchingRule of integerOrderingMatch, but have not seen any difference in the server’s behavior. Any ideas what I should try next? >>>>> >>>>> Thanks, >>>>> >>>>> James >>>>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >>>>> If you are not one of the named recipients or have received this email in error, >>>>> (i) you should not read, disclose, or copy it, >>>>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >>>>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >>>>> >>>>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com >>>>> >>>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>>>> >>>>> >>>>> _______________________________________________ >>>>> 389-users mailing list -- >>>>> 389-users(a)lists.fedoraproject.org >>>>> >>>>> To unsubscribe send an email to >>>>> 389-users-leave(a)lists.fedoraproject.org >>>>> >>>>> Fedora Code of Conduct: >>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>> >>>>> List Guidelines: >>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>> >>>>> List Archives: >>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>>> -- >>>> >>>> 389 Directory Server Development Team >>>> >>> This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. >>> >>> If you are not one of the named recipients or have received this email in error, >>> >>> (i) you should not read, disclose, or copy it, >>> >>> (ii) please notify sender of your receipt by reply email and delete this email and all attachments, >>> >>> (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. >>> >>> >>> Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> >>> >>> >>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>> _______________________________________________ >>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >>> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org >>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >> _______________________________________________ >> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. > > If you are not one of the named recipients or have received this email in error, > > (i) you should not read, disclose, or copy it, > > (ii) please notify sender of your receipt by reply email and delete this email and all attachments, > > (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. > > > Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> > > > For other languages, go to https://www.3ds.com/terms/email-disclaimer > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy@3ds.com<mailto:3DS.compliance-privacy@3ds.com> For other languages, go to https://www.3ds.com/terms/email-disclaimer _______________________________________________ 389-users mailing list -- 389-users(a)lists.fedoraproject.org To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...

After a quick test, creating a second DNA entry under cn=plugins,cn=config was clearly not the way to go.  Adding it worked, but the test server refused to restart.  For any future reader who finds themselves in a similar situation, I got it back up and running again by removing that entry from /etc/dirsrv/slapd-<instance>/dse.ldif. Best regards, James > On May 5, 2020, at 12:45 PM, CHAMBERLAIN James > <James.CHAMBERLAIN(a)3ds.com <mailto:James.CHAMBERLAIN@3ds.com>> wrote: > > Would adding the following create the second instance of DNA so I can > manage UID and GID numbers separately, or am I overthinking this and > it’s just a separate entry under cn=Distributed Numeric Assignment? > > dn: cn=Distributed Numeric Assignment Plugin 2,cn=plugins,cn=config > objectClass: top > objectClass: nsSlapdPlugin > objectClass: extensibleObject > objectClass: nsContainer > cn: Distributed Numeric Assignment Plugin 2 > nsslapd-pluginInitfunc: dna_init > nsslapd-pluginType: bepreoperation > nsslapd-pluginEnabled: on > nsslapd-pluginPath: libdna-plugin > nsslapd-plugin-depends-on-type: database > nsslapd-pluginId: Distributed Numeric Assignment 2 > nsslapd-pluginVersion: 1.3.7.5 > nsslapd-pluginVendor: 389 Project > nsslapd-pluginDescription: Distributed Numeric Assignment plugin > > Thanks, > > James > > >> On Apr 30, 2020, at 2:25 PM, CHAMBERLAIN James >> <James.CHAMBERLAIN(a)3ds.com <mailto:James.CHAMBERLAIN@3ds.com>> wrote: >> >> Is it possible to create multiple instances of the DNA plugin on >> CentOS 7 / RHDS 10 / 389-ds-base-1.3.7.5-28.el7_5.x86_64?  The >> section on how to do this was added to the RHDS 11 documentation, >> and uses dsconf to do it.  If it is possible, could anyone >> comment on what dsconf is doing behind the scenes so I can replicate >> that? >> >> Thanks, >> >> James >> >>> On Apr 17, 2020, at 6:17 PM, Mark Reynolds <mreynolds(a)redhat.com >>> <mailto:mreynolds@redhat.com>> wrote: >>> >>> >>> On 4/17/20 5:19 PM, CHAMBERLAIN James wrote: >>>> Hi all, >>>> >>>> Thank you all for your help.  I’ve gotten DNA working.  I’ll be >>>> doing some further work to convince myself that I understand >>>> exactly what I did that got it working and can replicate it; but >>>> in the meantime, I had a question or two. >>>> >>>> Do I correctly understand RHDS 11 Administration Guide, section >>>> 7.4.3.1, to mean that if I want to have DNA manage uidNumber and >>>> gidNumber separately using different ranges, I’ll need to create >>>> two instances of the plugin? >>>> >>>> I’m not finding dsconf on CentOS 7, including under “yum >>>> whatprovides ‘*/dsconf’”.  Am I missing something?  Was this tool >>>> released in something more recent than 1.3.7.5-28? >>> >>> You need the RHDS 10 docs, only CentOS 8 has the new CLI tools >>> (389-ds-base-1.4.x) >>> >>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ >>> >>> Sorry have to run, but I'll try and respond to your questions next >>> week... >>> >>>> >>>> I suspect that the key differences between my original setup and >>>> what’s working now are the establishment of a dnaSharedCfgDN and >>>> non-overlapping initial ranges.  My original test setup was a >>>> single master server, which didn’t need these things.  It was >>>> suggested that I may need to include the attribute I wanted DNA to >>>> manage as part of creating an entry, and that I should give it >>>> dnaMagicRegen's value. However, this does not appear that it’s >>>> necessary - I was able to add a test user without specifying a >>>> uidNumber and DNA generated it for me. >>>> >>>> Thanks, >>>> >>>> James >>>> >>>> >>>>> On Apr 16, 2020, at 1:38 PM, CHAMBERLAIN James >>>>> <James.CHAMBERLAIN(a)3ds.com <mailto:James.CHAMBERLAIN@3ds.com>> wrote: >>>>> >>>>> Hi Thierry, >>>>> >>>>> The thing is, while this is on the production multi-master >>>>> cluster, it’s not being used yet.  Any new entries being added >>>>> have uidNumber set explicitly, except for my test entry.  I’ve >>>>> been trying a few things and have a different error message now >>>>> but the same result.  I’ll update the thread shortly with further >>>>> details. >>>>> >>>>> Best regards, >>>>> >>>>> James >>>>> >>>>> >>>>>> On Apr 16, 2020, at 1:23 PM, thierry bordaz <tbordaz(a)redhat.com >>>>>> <mailto:tbordaz@redhat.com>> wrote: >>>>>> >>>>>> Hi James, >>>>>> >>>>>> I would guess that the allocated range is exhausted, means next >>>>>> value reached maxValue. >>>>>> Possibly part of the range was taken by an other replica. >>>>>> >>>>>> You can try to get more details with >>>>>> >>>>>> ldapmodify -D "cn=directory manager" -W >>>>>> dn: cn=config >>>>>> changetype: modify >>>>>> replace: nsslapd-accesslog-level >>>>>> nsslapd-acceslog-level: 260 (default level 256 plus 4 for >>>>>> internal operations) >>>>>> - >>>>>> replace: nsslapd-plugin-logging >>>>>> nsslapd-plugin-logging: on >>>>>> >>>>>> and lookup at the entry ldapsearch -D DM... -b "cn=UID >>>>>> numbers,cn=Distributed Numeric Assignment >>>>>> Plugin,cn=plugins,cn=config" -s base nscpentrywsi >>>>>> >>>>>> >>>>>> best regards >>>>>> thierry >>>>>> On 4/13/20 8:41 PM, CHAMBERLAIN James wrote: >>>>>>> Hi Mark, >>>>>>> >>>>>>> Thanks for getting back to me.  After adjusting >>>>>>> nsslapd-errorlog-level, here’s what I’ve got. >>>>>>> >>>>>>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors >>>>>>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - >>>>>>> _dna_pre_op_add - dn does not match filter >>>>>>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - >>>>>>> _dna_pre_op_add - adding uidNumber to >>>>>>> uid=testuser1,ou=People,dc=example,dc=com as -2 >>>>>>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - >>>>>>> _dna_pre_op_add - retrieved value 0 ret 1 >>>>>>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - >>>>>>> _dna_pre_op_add - Failed to allocate a new ID!! 2 >>>>>>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - >>>>>>> dna_pre_op - Operation failure [1] >>>>>>> >>>>>>> And here’s the DNA config: >>>>>>> >>>>>>> dn: cn=UID numbers,cn=Distributed Numeric Assignment >>>>>>> Plugin,cn=plugins,cn=config >>>>>>> objectClass: top >>>>>>> objectClass: extensibleObject >>>>>>> cn: UID numbers >>>>>>> dnaType: uidNumber >>>>>>> dnamaxvalue: 100000 >>>>>>> dnamagicregen: 0 >>>>>>> dnafilter: (objectclass=posixAccount) >>>>>>> dnascope: dc=example,dc=com >>>>>>> dnanextvalue: 25000 >>>>>>> >>>>>>> dn: cn=GID numbers,cn=Distributed Numeric Assignment >>>>>>> Plugin,cn=plugins,cn=config >>>>>>> objectClass: top >>>>>>> objectClass: extensibleObject >>>>>>> cn: GID numbers >>>>>>> dnaType: gidNumber >>>>>>> dnamaxvalue: 100000 >>>>>>> dnamagicregen: 0 >>>>>>> dnafilter: (objectclass=posixGroup) >>>>>>> dnascope: dc=example,dc=com >>>>>>> dnanextvalue: 25000 >>>>>>> >>>>>>> Best regards, >>>>>>> >>>>>>> James >>>>>>> >>>>>>> >>>>>>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds >>>>>>>> <mreynolds(a)redhat.com <mailto:mreynolds@redhat.com>> wrote: >>>>>>>> >>>>>>>> Enabling plugin logging will provide a little more detail >>>>>>>> about what is going wrong: >>>>>>>> >>>>>>>> ldapmodify -D "cn=directory manager" -W >>>>>>>> dn: cn=config >>>>>>>> changetype: modify >>>>>>>> replace: nsslapd-errorlog-level >>>>>>>> nsslapd-errorlog-level: 65536 >>>>>>>> >>>>>>>> >>>>>>>> After running the test you can disable the debug plugin >>>>>>>> logging by setting the log level to zero. >>>>>>>> >>>>>>>> Then share what information is logging when you add a new >>>>>>>> user. This is most likely a configuration error so hopefully >>>>>>>> we can find out what went wrong in your set up.  Can you also >>>>>>>> provide the DNA config entries? >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Mark >>>>>>>> >>>>>>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >>>>>>>>> Hi all, >>>>>>>>> >>>>>>>>> I’m trying to use the DNA plugin to add uidNumbers on >>>>>>>>> posixAccounts.  Everything worked fine in testing, but now >>>>>>>>> that it’s in production I’m seeing the following error: >>>>>>>>> >>>>>>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new >>>>>>>>> ID!! 2 >>>>>>>>> >>>>>>>>> I’ve followed the advice in the knowledge base >>>>>>>>> (https://access.redhat.com/solutions/875133), about adding an >>>>>>>>> equality index with an nsMatchingRule of >>>>>>>>> integerOrderingMatch, but have not seen any difference in the >>>>>>>>> server’s behavior.  Any ideas what I should try next? >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> >>>>>>>>> James >>>>>>>>> This email and any attachments are intended solely for the >>>>>>>>> use of the individual or entity to whom it is addressed and >>>>>>>>> may be confidential and/or privileged. >>>>>>>>> If you are not one of the named recipients or have received >>>>>>>>> this email in error, >>>>>>>>> (i) you should not read, disclose, or copy it, >>>>>>>>> (ii) please notify sender of your receipt by reply email and >>>>>>>>> delete this email and all attachments, >>>>>>>>> (iii) Dassault Systèmes does not accept or assume any >>>>>>>>> liability or responsibility for any use of or reliance on >>>>>>>>> this email. >>>>>>>>> >>>>>>>>> Please be informed that your personal data are processed >>>>>>>>> according to our data privacy policy as described on our >>>>>>>>> website. Should you have any questions related to personal >>>>>>>>> data protection, please contact 3DS Data Protection Officer >>>>>>>>> at 3DS.compliance-privacy(a)3ds.com >>>>>>>>> <mailto:3DS.compliance-privacy@3ds.com> >>>>>>>>> >>>>>>>>> For other languages, go to >>>>>>>>> https://www.3ds.com/terms/email-disclaimer >>>>>>>>> >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> 389-users mailing list -- >>>>>>>>> 389-users(a)lists.fedoraproject.org >>>>>>>>> <mailto:389-users@lists.fedoraproject.org> >>>>>>>>> >>>>>>>>> To unsubscribe send an email to >>>>>>>>> 389-users-leave(a)lists.fedoraproject.org >>>>>>>>> <mailto:389-users-leave@lists.fedoraproject.org> >>>>>>>>> >>>>>>>>> Fedora Code of Conduct: >>>>>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>>>> >>>>>>>>> List Guidelines: >>>>>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>>>> >>>>>>>>> List Archives: >>>>>>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>>>>>>> -- >>>>>>>> >>>>>>>> 389 Directory Server Development Team >>>>>>>> >>>>>>> This email and any attachments are intended solely for the use >>>>>>> of the individual or entity to whom it is addressed and may be >>>>>>> confidential and/or privileged. >>>>>>> >>>>>>> If you are not one of the named recipients or have received >>>>>>> this email in error, >>>>>>> >>>>>>> (i) you should not read, disclose, or copy it, >>>>>>> >>>>>>> (ii) please notify sender of your receipt by reply email and >>>>>>> delete this email and all attachments, >>>>>>> >>>>>>> (iii) Dassault Systèmes does not accept or assume any liability >>>>>>> or responsibility for any use of or reliance on this email. >>>>>>> >>>>>>> >>>>>>> Please be informed that your personal data are processed >>>>>>> according to our data privacy policy as described on our >>>>>>> website. Should you have any questions related to personal data >>>>>>> protection, please contact 3DS Data Protection Officer at >>>>>>> 3DS.compliance-privacy(a)3ds.com >>>>>>> <mailto:3DS.compliance-privacy@3ds.com><mailto:3DS.compliance-privacy@3ds.com> >>>>>>> >>>>>>> >>>>>>> For other languages, go to >>>>>>> https://www.3ds.com/terms/email-disclaimer >>>>>>> _______________________________________________ >>>>>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >>>>>>> <mailto:389-users@lists.fedoraproject.org> >>>>>>> To unsubscribe send an email to >>>>>>> 389-users-leave(a)lists.fedoraproject.org >>>>>>> <mailto:389-users-leave@lists.fedoraproject.org> >>>>>>> Fedora Code of Conduct: >>>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>>> List Guidelines: >>>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>>> List Archives: >>>>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>>>>> _______________________________________________ >>>>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >>>>>> <mailto:389-users@lists.fedoraproject.org> >>>>>> To unsubscribe send an email to >>>>>> 389-users-leave(a)lists.fedoraproject.org >>>>>> <mailto:389-users-leave@lists.fedoraproject.org> >>>>>> Fedora Code of Conduct: >>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>>> List Guidelines: >>>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>>> List Archives: >>>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>>>> This email and any attachments are intended solely for the use of >>>>> the individual or entity to whom it is addressed and may be >>>>> confidential and/or privileged. >>>>> >>>>> If you are not one of the named recipients or have received this >>>>> email in error, >>>>> >>>>> (i) you should not read, disclose, or copy it, >>>>> >>>>> (ii) please notify sender of your receipt by reply email and >>>>> delete this email and all attachments, >>>>> >>>>> (iii) Dassault Systèmes does not accept or assume any liability >>>>> or responsibility for any use of or reliance on this email. >>>>> >>>>> >>>>> Please be informed that your personal data are processed >>>>> according to our data privacy policy as described on our website. >>>>> Should you have any questions related to personal data >>>>> protection, please contact 3DS Data Protection Officer at >>>>> 3DS.compliance-privacy(a)3ds.com >>>>> <mailto:3DS.compliance-privacy@3ds.com><mailto:3DS.compliance-privacy@3ds.com> >>>>> >>>>> >>>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>>>> _______________________________________________ >>>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >>>>> <mailto:389-users@lists.fedoraproject.org> >>>>> To unsubscribe send an email to >>>>> 389-users-leave(a)lists.fedoraproject.org >>>>> <mailto:389-users-leave@lists.fedoraproject.org> >>>>> Fedora Code of Conduct: >>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>> List Guidelines: >>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>> List Archives: >>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>>> This email and any attachments are intended solely for the use of >>>> the individual or entity to whom it is addressed and may be >>>> confidential and/or privileged. >>>> >>>> If you are not one of the named recipients or have received this >>>> email in error, >>>> >>>> (i) you should not read, disclose, or copy it, >>>> >>>> (ii) please notify sender of your receipt by reply email and >>>> delete this email and all attachments, >>>> >>>> (iii) Dassault Systèmes does not accept or assume any liability or >>>> responsibility for any use of or reliance on this email. >>>> >>>> >>>> Please be informed that your personal data are processed according >>>> to our data privacy policy as described on our website. Should you >>>> have any questions related to personal data protection, please >>>> contact 3DS Data Protection Officer at >>>> 3DS.compliance-privacy(a)3ds.com >>>> <mailto:3DS.compliance-privacy@3ds.com><mailto:3DS.compliance-privacy@3ds.com> >>>> >>>> >>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>>> _______________________________________________ >>>> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >>>> <mailto:389-users@lists.fedoraproject.org> >>>> To unsubscribe send an email to >>>> 389-users-leave(a)lists.fedoraproject.org >>>> <mailto:389-users-leave@lists.fedoraproject.org> >>>> Fedora Code of Conduct: >>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>> List Guidelines: >>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>> List Archives: >>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... >>> >>> -- >>> >>> 389 Directory Server Development Team >> >> This email and any attachments are intended solely for the use of >> the individual or entity to whom it is addressed and may be >> confidential and/or privileged. >> If you are not one of the named recipients or have received this >> email in error, >> (i) you should not read, disclose, or copy it, >> (ii) please notify sender of your receipt by reply email and delete >> this email and all attachments, >> (iii) Dassault Systèmes does not accept or assume any liability or >> responsibility for any use of or reliance on this email. >> >> Please be informed that your personal data are processed according >> to our data privacy policy as described on our website. Should you >> have any questions related to personal data protection, >> please contact 3DS Data Protection Officer at >> 3DS.compliance-privacy(a)3ds.com <mailto:3DS.compliance-privacy@3ds.com> >> >> For other languages, go to >> https://www.3ds.com/terms/email-disclaimer >> <https://www.3ds.com/terms/email-disclaimer> >> _______________________________________________ >> 389-users mailing list -- 389-users(a)lists.fedoraproject.org >> <mailto:389-users@lists.fedoraproject.org> >> To unsubscribe send an email to >> 389-users-leave(a)lists.fedoraproject.org >> <mailto:389-users-leave@lists.fedoraproject.org> >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... > > This email and any attachments are intended solely for the use of the > individual or entity to whom it is addressed and may be confidential > and/or privileged. > If you are not one of the named recipients or have received this > email in error, > (i) you should not read, disclose, or copy it, > (ii) please notify sender of your receipt by reply email and delete > this email and all attachments, > (iii) Dassault Systèmes does not accept or assume any liability or > responsibility for any use of or reliance on this email. > > Please be informed that your personal data are processed according to > our data privacy policy as described on our website. Should you have > any questions related to personal data protection, please contact 3DS > Data Protection Officer at 3DS.compliance-privacy(a)3ds.com > <mailto:3DS.compliance-privacy@3ds.com> > > For other languages, go to https://www.3ds.com/terms/email-disclaimer > <https://www.3ds.com/terms/email-disclaimer> > _______________________________________________ > 389-users mailing list -- 389-users(a)lists.fedoraproject.org > <mailto:389-users@lists.fedoraproject.org> > To unsubscribe send an email to > 389-users-leave(a)lists.fedoraproject.org > <mailto:389-users-leave@lists.fedoraproject.org> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > <https://fedoraproject.org/wiki/Mailing_list_guidelines> > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje... This email and any attachments are intended solely for the use of the individual or entity to whom it is addressed and may be confidential and/or privileged. If you are not one of the named recipients or have received this email in error, (i) you should not read, disclose, or copy it, (ii) please notify sender of your receipt by reply email and delete this email and all attachments, (iii) Dassault Systèmes does not accept or assume any liability or responsibility for any use of or reliance on this email. Please be informed that your personal data are processed according to our data privacy policy as described on our website. Should you have any questions related to personal data protection, please contact 3DS Data Protection Officer at 3DS.compliance-privacy(a)3ds.com <mailto:3DS.compliance-privacy@3ds.com> For other languages, go to https://www.3ds.com/terms/email-disclaimer