07-02-2010, 09:58 AM
Daniel Maher

enabling posixGroup for a group (error : attribute "uidNumber" not allowed)

Hello,

I am trying to get system groups working on 389-ds via the addition of
"posixGroup" as a value for a given LDAP group.

Numerous posts in the archives, as well as on other forums, seem to
indicate that it should be a relatively straightforward affair. Here's
what i've tried via the console :

1. Creation of OU "systemgroups"
2. Creation of group "admin"
3. In advanced properties of group "admin", Object Class -> Add value ->
posixGroup
4. OK

However, this error appears in the log :

[02/Jul/2010:09:43:03 +0000] - Entry
"cn=admin,ou=systemgroups,dc=domain,dc=net" -- attribute "uidNumber" not
allowed

I am sure i have just missed something small, like the activation of a
plugin, or the integration of a particular schema. I can create users
with associated posix data (uid, gid, homedir, etc...), so at least that
works.

Any help, or a push in the correct direction, would be greatly
appreciated. Thank you, all.


--
Daniel Maher <dma + 389users AT witbe DOT net>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
07-02-2010, 02:22 PM
Daniel Maher

On 07/02/2010 11:58 AM, Daniel Maher wrote:

> I am trying to get system groups working on 389-ds via the addition of
> "posixGroup" as a value for a given LDAP group.

> However, this error appears in the log :
>
> [02/Jul/2010:09:43:03 +0000] - Entry
> "cn=admin,ou=systemgroups,dc=domain,dc=net" -- attribute "uidNumber" not
> allowed

Hello,

After wiping out my test instance and starting from scratch, it has
become clear that the problem is related to the DNA plugin. If i do NOT
activate / configure the DNA plugin, then i can manipulate
posixGroup-related entries as expected. As soon as the plugin is
activated and configured, the error noted above occurs.

I followed (and *cough* wrote) this document exactly :
http://directory.fedoraproject.org/wiki/HowtoNA

[root@test-dma-36 dirsrv]# /usr/lib64/mozldap/ldapsearch -h localhost -p
389 -s base -b "" "objectclass=*" | grep vendorVersion
vendorVersion: 389-Directory/1.2.5 B2010.012.2034
[root@test-dma-36 dirsrv]# cat /etc/redhat-release
CentOS release 5.4 (Final)
[root@test-dma-36 dirsrv]# uname -s -r -v -i -o
Linux 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:30:06 EDT 2010 x86_64
GNU/Linux

It would seem that this is either a fault in the configuration of the
plugin, or a bug with the plugin itself. Has anybody else experienced
similar behaviour ?

--
Daniel Maher <dma + 389users AT witbe DOT net>
 
07-02-2010, 02:49 PM
Rich Megginson

Daniel Maher wrote:
> On 07/02/2010 11:58 AM, Daniel Maher wrote:
>
>
>> I am trying to get system groups working on 389-ds via the addition of
>> "posixGroup" as a value for a given LDAP group.
>>
>
>
>> However, this error appears in the log :
>>
>> [02/Jul/2010:09:43:03 +0000] - Entry
>> "cn=admin,ou=systemgroups,dc=domain,dc=net" -- attribute "uidNumber" not
>> allowed
>>
>
> Hello,
>
> After wiping out my test instance and starting from scratch, it has
> become clear that the problem is related to the DNA plugin. If i do NOT
> activate / configure the DNA plugin, then i can manipulate
> posixGroup-related entries as expected. As soon as the plugin is
> activated and configured, the error noted above occurs.
>
> I followed (and *cough* wrote) this document exactly :
> http://directory.fedoraproject.org/wiki/HowtoNA
>
> [root@test-dma-36 dirsrv]# /usr/lib64/mozldap/ldapsearch -h localhost -p
> 389 -s base -b "" "objectclass=*" | grep vendorVersion
> vendorVersion: 389-Directory/1.2.5 B2010.012.2034
> [root@test-dma-36 dirsrv]# cat /etc/redhat-release
> CentOS release 5.4 (Final)
> [root@test-dma-36 dirsrv]# uname -s -r -v -i -o
> Linux 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:30:06 EDT 2010 x86_64
> GNU/Linux
>
> It would seem that this is either a fault in the configuration of the
> plugin, or a bug with the plugin itself. Has anybody else experienced
> similar behaviour?
What platform? What is your 389-ds-base version?
 
07-02-2010, 02:57 PM
Daniel Maher

On 07/02/2010 04:49 PM, Rich Megginson wrote:

>> [root@test-dma-36 dirsrv]# /usr/lib64/mozldap/ldapsearch -h localhost -p
>> 389 -s base -b "" "objectclass=*" | grep vendorVersion
>> vendorVersion: 389-Directory/1.2.5 B2010.012.2034
>> [root@test-dma-36 dirsrv]# cat /etc/redhat-release
>> CentOS release 5.4 (Final)
>> [root@test-dma-36 dirsrv]# uname -s -r -v -i -o
>> Linux 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:30:06 EDT 2010 x86_64
>> GNU/Linux
>>
>> It would seem that this is either a fault in the configuration of the
>> plugin, or a bug with the plugin itself. Has anybody else experienced
>> similar behaviour?
> What platform? What is your 389-ds-base version?

Platform is addressed above already.

[root@test-dma-36 ~]# rpm -qa | grep 389-ds-base
389-ds-base-1.2.5-1.el5


--
Daniel Maher <dma + 389users AT witbe DOT net>
 
07-06-2010, 03:31 PM
Nathan Kinder

On 07/02/2010 07:22 AM, Daniel Maher wrote:
> On 07/02/2010 11:58 AM, Daniel Maher wrote:
>
>
>> I am trying to get system groups working on 389-ds via the addition of
>> "posixGroup" as a value for a given LDAP group.
>>
>
>> However, this error appears in the log :
>>
>> [02/Jul/2010:09:43:03 +0000] - Entry
>> "cn=admin,ou=systemgroups,dc=domain,dc=net" -- attribute "uidNumber" not
>> allowed
>>
> Hello,
>
> After wiping out my test instance and starting from scratch, it has
> become clear that the problem is related to the DNA plugin. If i do NOT
> activate / configure the DNA plugin, then i can manipulate
> posixGroup-related entries as expected. As soon as the plugin is
> activated and configured, the error noted above occurs.
>
> I followed (and *cough* wrote) this document exactly :
> http://directory.fedoraproject.org/wiki/HowtoNA
>
> [root@test-dma-36 dirsrv]# /usr/lib64/mozldap/ldapsearch -h localhost -p
> 389 -s base -b "" "objectclass=*" | grep vendorVersion
> vendorVersion: 389-Directory/1.2.5 B2010.012.2034
> [root@test-dma-36 dirsrv]# cat /etc/redhat-release
> CentOS release 5.4 (Final)
> [root@test-dma-36 dirsrv]# uname -s -r -v -i -o
> Linux 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:30:06 EDT 2010 x86_64
> GNU/Linux
>
> It would seem that this is either a fault in the configuration of the
> plugin, or a bug with the plugin itself. Has anybody else experienced
> similar behaviour ?
>
The way you have DNA configured will cause it to try to add a
"uidNumber" attribute to a posixGroup entry. You should change the
"dnaFilter" attribute for your "cn=UID numbers" DNA config entry to be
"(objectClass=posixAccount)".

 
07-06-2010, 04:08 PM
Daniel Maher

On 07/06/2010 05:31 PM, Nathan Kinder wrote:

>> http://directory.fedoraproject.org/wiki/HowtoNA

> The way you have DNA configured will cause it to try to add a
> "uidNumber" attribute to a posixGroup entry. You should change the
> "dnaFilter" attribute for your "cn=UID numbers" DNA config entry to be
> "(objectClass=posixAccount)".


To clarify then, for the uids, instead of this :

dnafilter: (|(objectclass=posixAccount)(objectclass=posixGroup))

It should be this :

dnafilter: (objectclass=posixAccount)

?

--
Daniel Maher <dma + 389users AT witbe DOT net>
 
07-06-2010, 05:04 PM
Nathan Kinder

On 07/06/2010 09:08 AM, Daniel Maher wrote:
> On 07/06/2010 05:31 PM, Nathan Kinder wrote:
>
>
>>> http://directory.fedoraproject.org/wiki/HowtoNA
>>>
>
>> The way you have DNA configured will cause it to try to add a
>> "uidNumber" attribute to a posixGroup entry. You should change the
>> "dnaFilter" attribute for your "cn=UID numbers" DNA config entry to be
>> "(objectClass=posixAccount)".
>>
>
> To clarify then, for the uids, instead of this :
>
> dnafilter: (|(objectclass=posixAccount)(objectclass=posixGroup))
>
> It should be this :
>
> dnafilter: (objectclass=posixAccount)
>
> ?
>
Yes, that is correct. The current setting you have causes DNA to add a
"uidNumber" attribute to newly created "posixAccount" and "posixGroup"
entries. You only want DNA to add the "uidNumber" attribute to
"posixAccount" entries.

 
07-06-2010, 05:22 PM
Daniel Maher

On 07/06/2010 07:04 PM, Nathan Kinder wrote:

>> To clarify then, for the uids, instead of this :
>>
>> dnafilter: (|(objectclass=posixAccount)(objectclass=posixGroup))
>>
>> It should be this :
>>
>> dnafilter: (objectclass=posixAccount)
>>
>> ?
>>
> Yes, that is correct. The current setting you have causes DNA to add a
> "uidNumber" attribute to newly created "posixAccount" and "posixGroup"
> entries. You only want DNA to add the "uidNumber" attribute to
> "posixAccount" entries.

That makes sense. Somebody may wish to update the Howto on the
documentation site.

Thanks !


--
Daniel Maher <dma + 389users AT witbe DOT net>
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
07-06-2010, 06:28 PM
Nathan Kinder

On 07/06/2010 10:22 AM, Daniel Maher wrote:
> On 07/06/2010 07:04 PM, Nathan Kinder wrote:
>
>
>>> To clarify then, for the uids, instead of this :
>>>
>>> dnafilter: (|(objectclass=posixAccount)(objectclass=posixGroup))
>>>
>>> It should be this :
>>>
>>> dnafilter: (objectclass=posixAccount)
>>>
>>> ?
>>>
>>>
>> Yes, that is correct. The current setting you have causes DNA to add a
>> "uidNumber" attribute to newly created "posixAccount" and "posixGroup"
>> entries. You only want DNA to add the "uidNumber" attribute to
>> "posixAccount" entries.
>>
> That makes sense. Somebody may wish to update the Howto on the
> documentation site.
>
I'll update the how-to.

In the upcoming 1.2.6 release, I've added support for multi-attribute
ranges, which could be used for your use-case as well (I know we've
discussed this on list a while back). Basically, you would set up a
single DNA range with multiple "dnaType" values, such as uidNumber and
gidNumber in this case. You would then set the "dnaFilter" to
"(|(objectClass=posixAccount)(objectClass=posixGroup))". With a
multi-attribute range, you must specify the magic value for any
attribute that you want DNA to generate a value for. This means you
could share a single range of values across your posixAccount and
posixGroup entries instead of having two separate ranges.
> Thanks !
>
>
>

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
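
An added example, not part of the thread and not 389-ds code: a small model of the rule discussed above. It parses a dnaFilter, applies it to constructed entries, and reports where DNA would generate an attribute that the entry's object classes do not allow. The single-range and multi-attribute behaviour follows the descriptions in the posts above; `MAGIC`, `ENTRIES` and the function names are assumptions.

```python
ALLOWED = {  # attributes each class permits (MUST + MAY), per RFC 2307
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "userpassword", "loginshell", "gecos", "description"},
    "posixgroup": {"cn", "gidnumber", "userpassword", "memberuid", "description"},
}
MAGIC = "MAGIC"  # placeholder for the configured magic value (assumption)

def parse(s, i=0):
    """Parse one parenthesised LDAP filter at s[i]; return (node, next index)."""
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids:
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)  # raises ValueError if ')' is missing
    attr, _, value = s[i:end].lower().partition("=")
    return ("=", attr.strip(), value.strip()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}."""
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    results = [matches(kid, entry) for kid in node[1]]
    return not results[0] if node[0] == "!" else {"&": all, "|": any}[node[0]](results)

def dna_violations(dna_types, dna_filter, entries):
    """List (dn, attr) pairs where DNA would set an attr the schema rejects."""
    tree, bad = parse(dna_filter)[0], []
    for dn, entry in entries.items():
        allowed = set().union(*(ALLOWED.get(c.lower(), ()) for c in entry["objectclass"]))
        for attr in (t.lower() for t in dna_types):
            # Multi-attribute range: only attrs holding the magic value are filled.
            filled = len(dna_types) == 1 or MAGIC in entry.get(attr, [])
            if matches(tree, entry) and filled and attr not in allowed:
                bad.append((dn, attr))
    return bad

ENTRIES = {  # constructed samples; attribute names lower-cased
    "uid=jdoe,ou=people,dc=domain,dc=net":
        {"objectclass": ["top", "posixAccount"], "uidnumber": [MAGIC]},
    "cn=admin,ou=systemgroups,dc=domain,dc=net":
        {"objectclass": ["top", "posixGroup"], "gidnumber": [MAGIC]}}
WIDE = "(|(objectclass=posixAccount)(objectclass=posixGroup))"  # filter from the thread
```

With `dna_types=["uidNumber"]`, `WIDE` flags the `cn=admin` group while `(objectclass=posixAccount)` flags nothing; with both `uidNumber` and `gidNumber` as types, `WIDE` is clean as long as each entry only carries the magic value in an attribute its class allows.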
 