04-13-2010, 03:21 PM
Daniel Maher

DNA plugin woes on a fresh centos-DS 8.1 install

Hello,

First off, my apologies if this is not an appropriate forum for asking
questions related to the CentOS Directory Server. The 389-users
archives contain numerous messages related to this platform, so...

The situation : fresh install of CentOS 5.4 x86_64, installed the DS via
yum from the standard repos :
# yum install centos-ds centos-ds-base nss_ldap

The DS is up and running. I can create groups and users, run queries,
and so forth. I followed the following procedure to enable the DNA plugin :

Main menu of Directory Server
TAB: Servers and Applications
<domain> -> <server> -> Server Group -> Directory Server
TAB: Configuration
<server> -> Plug-ins -> Distributed Numeric Assignment
[X] Enable plug-in
Save

I then dutifully restarted DS afterwards.

Finally, in the user creation menu, in the Posix User section, i checked
Enable Posix User Attributes, but none of the fields were auto-populated.

Initially, i tried adding the following ldif (i realise this is for the
Fedora DNS, but hey, i thought it'd be worth a shot) :
http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/servers/plugins/dna/posix.ldif?view=co&root=dirsec

Unsurprisingly (?), this did not work :
ldap_add: DSA is unwilling to perform
ldap_add: additional info: Not a valid DNA configuration entry.

I read through a number of items on the subject, including the following
notable items :
http://www.directory.fedora.redhat.com/wiki/DNA_Plugin
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html

In section 3.6.3.1 of the Red Hat document it outlines the steps to
activate the plug-in. Steps 1 and 2 appear to have already been
executed by the graphical manager, as the necessary changes are present
in the configuration file :
/etc/dirsrv/<server>/dse.ldif

I attempted to perform step 3 (with appropriate modifications to the
dc's). This did not work :
adding new entry cn=Account UIDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
ldap_add: DSA is unwilling to perform
ldap_add: additional info: Not a valid DNA configuration entry.

(It may be worth noting that the screenshot they include at the base of
that page bears absolutely no resemblance to that of the actual plugin.)

My questions are :
1. Is the expected behaviour of the DNA plug-in to auto-populate the
Posix fields ?
2a. If so, how can i properly activate this functionality ?
2b. If not, does this functionality exist ? And as a corollary, what is
the DNA plug-in for, exactly ?
3. Should i, in fact, be attempting to use the Fedora DS offering
instead of that included in CentOS ? (I.e. is it better ?)

I am happy to provide any logs, debug output, configuration elements, etc..

Thank you for your kind consideration, and keep up the great work !


--
Daniel Maher <dma + 389users AT witbe DOT net>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
04-13-2010, 04:40 PM
Nathan Kinder

DNA plugin woes on a fresh centos-DS 8.1 install

On 04/13/2010 08:21 AM, Daniel Maher wrote:
> Hello,
>
> First off, my apologies if this is not an appropriate forum for asking
> questions related to the CentOS Directory Server. The 389-users
> archives contain numerous messages related to this platform, so...
>
> The situation : fresh install of CentOS 5.4 x86_64, installed the DS via
> yum from the standard repos :
> # yum install centos-ds centos-ds-base nss_ldap
>
> The DS is up and running. I can create groups and users, run queries,
> and so forth. I followed the following procedure to enable the DNA plugin :
>
> Main menu of Directory Server
> TAB: Servers and Applications
> <domain> -> <server> -> Server Group -> Directory Server
> TAB: Configuration
> <server> -> Plug-ins -> Distributed Numeric Assignment
> [X] Enable plug-in
> Save
>
> I then dutifully restarted DS afterwards.
>
> Finally, in the user creation menu, in the Posix User section, i checked
> Enable Posix User Attributes, but none of the fields were auto-populated.
>
> Initially, i tried adding the following ldif (i realise this is for the
> Fedora DNS, but hey, i thought it'd be worth a shot) :
> http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/servers/plugins/dna/posix.ldif?view=co&root=dirsec
>
> Unsurprisingly (?), this did not work :
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Not a valid DNA configuration entry.
>
> I read through a number of items on the subject, including the following
> notable items :
> http://www.directory.fedora.redhat.com/wiki/DNA_Plugin
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html
>
> In section 3.6.3.1 of the Red Hat document it outlines the steps to
> activate the plug-in. Steps 1 and 2 appear to have already been
> executed by the graphical manager, as the necessary changes are present
> in the configuration file :
> /etc/dirsrv/<server>/dse.ldif
>
> I attempted to perform step 3 (with appropriate modifications to the
> dc's). This did not work :
> adding new entry cn=Account UIDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Not a valid DNA configuration entry.
>
> (It may be worth noting that the screenshot they include at the base of
> that page bears absolutely no resemblance to that of the actual plugin.)
>
> My questions are :
> 1. Is the expected behaviour of the DNA plug-in to auto-populate the
> Posix fields ?
>
The DNA plugin is designed to auto-populate unique numeric values, which
can be used for the uidNumber and gidNumber attributes. These fields
will not be auto-populated in the Console when you are adding an entry.
The Console application is not aware of DNA. When you attempt to add a
new user and click on the posix tab, you are simply building the entry
that you want to add. The Console then attempts to add this entry when
you click OK. The DNA plug-in does not create the values until the add
is received, so you will not see these fields auto-fill in Console.
Assuming that you are trying to have DNA generate the uidNumber values,
you can either leave the uidNumber field blank when adding a user in
Console, or set it to the magic value you configure for your DNA range.
> 2a. If so, how can i properly activate this functionality ?
>
It looks like you never successfully added a DNA configuration entry.
You enabled the plug-in, but a configuration entry is necessary for DNA
to know what you want it to do.

The config entry that you tried to add from step 3 in the documentation
has a number of attributes related to auto-transfer of ranges between
masters, which you may or may not want. Are you using multi-master
replication, and if so, do you need to automatically transfer ranges
between the masters? My guess is that the entry specified by the
dnaSharedCfgDN attribute does not exist, as Console does not create this
automatically for you. If a shared config DN is specified and it does
not exist, the DNA config entry validation code will consider the config
to be invalid.

An alternative is to just manually assign a separate range to each
master and not worry about range transfer if you don't see yourself
exhausting any of the ranges. For a single master setup, you would just
want to use a config entry like this:

dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=people, dc=example,dc=com
dnaNextValue: 501

You would want to add a dnaMaxValue attribute to specify an end of the
range if using multi-master replication. You would then specify a
different range on each other master by setting dnaNextValue and
dnaMaxValue appropriately.
> 2b. If not, does this functionality exist ? And as a corollary, what is
> the DNA plug-in for, exactly ?
> 3. Should i, in fact, be attempting to use the Fedora DS offering
> instead of that included in CentOS ? (I.e. is it better ?)
>
The 389 Directory Server will generally have more features than CentOS
Directory Server (which is based on Red Hat Directory Server), however
some of these extra features are new and may be going through changes.
There is more feature and code churn with 389.
> I am happy to provide any logs, debug output, configuration elements, etc..
>
I'd like to see the DNA config entry you are attempting to add. You
should also check the Directory Server errors log since it should say
why the DNA config entry you are trying to add is invalid. Look for
lines containing "dna_parse_config_entry".

-NGK
> Thank you for your kind consideration, and keep up the great work !
>
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
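
An added example, not part of either message and not the DNA plug-in's own validation code: a Python pre-flight check that applies two points from the reply above to LDIF before it is sent with ldapadd. It flags a dnaSharedCfgDN that points at an entry that does not exist, and it flags masters whose dnaNextValue to dnaMaxValue ranges overlap, since overlapping ranges can hand the same uidNumber to two accounts. The function names, the sample LDIF, the ou=Ranges DN and the treatment of a missing dnaMaxValue as unbounded are assumptions.

```python
SAMPLE = """\
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,
 cn=config
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=people, dc=example,dc=com
dnaNextValue: 501
dnaMaxValue: 1000

dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=people, dc=example,dc=com
dnaNextValue: 900
dnaMaxValue: 2000
dnaSharedCfgDN: cn=Account UIDs,ou=Ranges,dc=example,dc=com
"""  # constructed: first entry is master A (folded DN), second is master B

def parse_ldif(text):
    """Return a list of {lowercased attr: [values]}; base64 ('::') values are not decoded."""
    lines, entries, entry = [], [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF folding: a leading space continues the line
        else:
            lines.append(raw)
    for line in lines + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            entries += [entry] if entry else []
            entry = {}
        elif not line.startswith("#") and ":" in line:
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    return ",".join(part.strip() for part in dn.lower().split(","))  # ignores escaped commas

def check_entry(entry, existing_dns):
    """Flag attributes of the reply's sample entry that are absent, and a dangling shared DN."""
    expected = ("dnatype", "dnafilter", "dnascope", "dnanextvalue")  # assumption: the reply's set
    problems = [f"missing {a}" for a in expected if a not in entry]
    shared = entry.get("dnasharedcfgdn", [""])[0]
    if shared and norm_dn(shared) not in {norm_dn(d) for d in existing_dns}:
        problems.append(f"dnaSharedCfgDN target does not exist: {shared}")
    return problems

def overlaps(masters):
    """masters: {name: entry}; return name pairs whose [dnaNextValue, dnaMaxValue] overlap."""
    top = 2**31 - 1  # assumption: an absent dnaMaxValue is treated as unbounded
    spans = sorted((int(e["dnanextvalue"][0]), int(e.get("dnamaxvalue", [top])[0]), n)
                   for n, e in masters.items())
    return [(a[2], b[2]) for i, a in enumerate(spans) for b in spans[i + 1:] if b[0] <= a[1]]
```

The list of existing DNs passed to check_entry would come from a search of the directory; here it is supplied by the caller.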
 

All times are GMT.