Could it be that the server hasn't allocated a DNA range from the DNA master?
> On 14 Apr 2020, at 05:51, CHAMBERLAIN James <james.chamberl...@3ds.com> wrote: > > Hi Mark, > > The test user I’m trying to add looks like this: > > dn: uid=testuser1,ou=People,dc=example,dc=com > uid: testuser1 > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > objectClass: posixAccount > objectClass: top > sn: Chamberlain > gidNumber: 1000 > gecos: James Chamberlain > cn: James Chamberlain > homeDirectory: /home/testuser1 > givenName: James > loginShell: /bin/bash > > I’ve modified nsslapd-accesslog-level and nsslapd-plugin-logging. > > Here’s the clip from the failed add: > > [13/Apr/2020:15:45:44.267195367 -0400] conn=3592 op=0 BIND dn="cn=Directory > Manager" method=128 version=3 > [13/Apr/2020:15:45:44.267289421 -0400] conn=3592 op=0 RESULT err=0 tag=97 > nentries=0 etime=0.0000152598 dn="cn=Directory Manager" > [13/Apr/2020:15:45:44.267922468 -0400] conn=3592 op=1 ADD > dn="uid=testuser1,ou=People,dc=example,dc=com" > [13/Apr/2020:15:45:44.298730119 -0400] conn=3592 op=2 UNBIND > [13/Apr/2020:15:45:44.298744887 -0400] conn=3592 op=2 fd=81 closed - U1 > [13/Apr/2020:15:45:44.298822076 -0400] conn=3592 op=1 RESULT err=1 tag=105 > nentries=0 etime=0.0031312230 > > Best regards, > > James Chamberlain > > >> On Apr 13, 2020, at 2:53 PM, Mark Reynolds <mreyno...@redhat.com> wrote: >> >> Okay, so logging in DNA stinks in this scenario. It does a lot of internal >> searches and if one of them "fails" you get an operations error. So we need >> to enable other logging... >> >> First what does the entry look like that you are trying to add? >> >> Second, run this ldapmodify >> >> ldapmodify -D "cn=directory manager" -W >> dn: cn=config >> changetype: modify >> replace: nsslapd-accesslog-level >> nsslapd-acceslog-level: 260 (default level 256 plus 4 for internal >> operations) >> - >> replace: nsslapd-plugin-logging >> nsslapd-plugin-logging: on >> >> >> Then add another user, wait 30 seconds for the access log to buffer, and >> then provide the access log clip from the failed add. >> >> Thanks, >> Mark >> >> >> On 4/13/20 2:41 PM, CHAMBERLAIN James wrote: >>> Hi Mark, >>> >>> Thanks for getting back to me. After adjusting nsslapd-errorlog-level, >>> here’s what I’ve got. >>> >>> # grep dna-plugin /var/log/dirsrv/slapd-example/errors >>> [13/Apr/2020:14:30:00.480608036 -0400] - DEBUG - dna-plugin - >>> _dna_pre_op_add - dn does not match filter >>> [13/Apr/2020:14:30:00.486700059 -0400] - DEBUG - dna-plugin - >>> _dna_pre_op_add - adding uidNumber to >>> uid=testuser1,ou=People,dc=example,dc=com as -2 >>> [13/Apr/2020:14:30:00.559245389 -0400] - DEBUG - dna-plugin - >>> _dna_pre_op_add - retrieved value 0 ret 1 >>> [13/Apr/2020:14:30:00.561303217 -0400] - ERR - dna-plugin - _dna_pre_op_add >>> - Failed to allocate a new ID!! 2 >>> [13/Apr/2020:14:30:00.571360868 -0400] - DEBUG - dna-plugin - dna_pre_op - >>> Operation failure [1] >>> >>> And here’s the DNA config: >>> >>> dn: cn=UID numbers,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> objectClass: top >>> objectClass: extensibleObject >>> cn: UID numbers >>> dnaType: uidNumber >>> dnamaxvalue: 100000 >>> dnamagicregen: 0 >>> dnafilter: (objectclass=posixAccount) >>> dnascope: dc=example,dc=com >>> dnanextvalue: 25000 >>> >>> dn: cn=GID numbers,cn=Distributed Numeric Assignment >>> Plugin,cn=plugins,cn=config >>> objectClass: top >>> objectClass: extensibleObject >>> cn: GID numbers >>> dnaType: gidNumber >>> dnamaxvalue: 100000 >>> dnamagicregen: 0 >>> dnafilter: (objectclass=posixGroup) >>> dnascope: dc=example,dc=com >>> dnanextvalue: 25000 >>> >>> Best regards, >>> >>> James >>> >>> >>>> On Apr 13, 2020, at 2:25 PM, Mark Reynolds <mreyno...@redhat.com> wrote: >>>> >>>> Enabling plugin logging will provide a little more detail about what is >>>> going wrong: >>>> >>>> ldapmodify -D "cn=directory manager" -W >>>> dn: cn=config >>>> changetype: modify >>>> replace: nsslapd-errorlog-level >>>> nsslapd-errorlog-level: 65536 >>>> >>>> >>>> After running the test you can disable the debug plugin logging by setting >>>> the log level to zero. >>>> >>>> Then share what information is logging when you add a new user. This is >>>> most likely a configuration error so hopefully we can find out what went >>>> wrong in your set up. Can you also provide the DNA config entries? >>>> >>>> Thanks, >>>> >>>> Mark >>>> >>>> On 4/13/20 1:50 PM, CHAMBERLAIN James wrote: >>>>> Hi all, >>>>> >>>>> I’m trying to use the DNA plugin to add uidNumbers on posixAccounts. >>>>> Everything worked fine in testing, but now that it’s in production I’m >>>>> seeing the following error: >>>>> >>>>> ERR - dna-plugin -_dna_pre_op_add - Failed to allocate a new ID!! 2 >>>>> >>>>> I’ve followed the advice in the knowledge base >>>>> (https://access.redhat.com/solutions/875133), about adding an equality >>>>> index with an nsMatchingRule of integerOrderingMatch, but have not seen >>>>> any difference in the server’s behavior. Any ideas what I should try >>>>> next? >>>>> >>>>> Thanks, >>>>> >>>>> James >>>>> This email and any attachments are intended solely for the use of the >>>>> individual or entity to whom it is addressed and may be confidential >>>>> and/or privileged. >>>>> If you are not one of the named recipients or have received this email in >>>>> error, >>>>> (i) you should not read, disclose, or copy it, >>>>> (ii) please notify sender of your receipt by reply email and delete this >>>>> email and all attachments, >>>>> (iii) Dassault Systèmes does not accept or assume any liability or >>>>> responsibility for any use of or reliance on this email. >>>>> >>>>> Please be informed that your personal data are processed according to our >>>>> data privacy policy as described on our website. Should you have any >>>>> questions related to personal data protection, please contact 3DS Data >>>>> Protection Officer at 3ds.compliance-priv...@3ds.com >>>>> >>>>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >>>>> >>>>> >>>>> _______________________________________________ >>>>> 389-users mailing list -- >>>>> 389-users@lists.fedoraproject.org >>>>> >>>>> To unsubscribe send an email to >>>>> 389-users-le...@lists.fedoraproject.org >>>>> >>>>> Fedora Code of Conduct: >>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >>>>> >>>>> List Guidelines: >>>>> https://fedoraproject.org/wiki/Mailing_list_guidelines >>>>> >>>>> List Archives: >>>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org >>>> -- >>>> >>>> 389 Directory Server Development Team >>>> >>> This email and any attachments are intended solely for the use of the >>> individual or entity to whom it is addressed and may be confidential and/or >>> privileged. >>> >>> If you are not one of the named recipients or have received this email in >>> error, >>> >>> (i) you should not read, disclose, or copy it, >>> >>> (ii) please notify sender of your receipt by reply email and delete this >>> email and all attachments, >>> >>> (iii) Dassault Systèmes does not accept or assume any liability or >>> responsibility for any use of or reliance on this email. >>> >>> >>> Please be informed that your personal data are processed according to our >>> data privacy policy as described on our website. Should you have any >>> questions related to personal data protection, please contact 3DS Data >>> Protection Officer at >>> 3ds.compliance-priv...@3ds.com<mailto:3ds.compliance-priv...@3ds.com> >>> >>> >>> For other languages, go to https://www.3ds.com/terms/email-disclaimer >> >> -- >> >> 389 Directory Server Development Team >> > > This email and any attachments are intended solely for the use of the > individual or entity to whom it is addressed and may be confidential and/or > privileged. > > If you are not one of the named recipients or have received this email in > error, > > (i) you should not read, disclose, or copy it, > > (ii) please notify sender of your receipt by reply email and delete this > email and all attachments, > > (iii) Dassault Systèmes does not accept or assume any liability or > responsibility for any use of or reliance on this email. > > > Please be informed that your personal data are processed according to our > data privacy policy as described on our website. Should you have any > questions related to personal data protection, please contact 3DS Data > Protection Officer at > 3ds.compliance-priv...@3ds.com<mailto:3ds.compliance-priv...@3ds.com> > > > For other languages, go to https://www.3ds.com/terms/email-disclaimer > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
