I've created a bash script to add ds entries for new clients as we bring
them on board. It automatically creates their user accounts which
include the posixaccount object class (as well as account (to allow the
host attribute) and posixgroup (to allow gidnumber for personal
groups)).
They appear to be created fine. Users can login, change passwords, etc.
However, when I view the user in the idm-console, the posix attributes
are present but the enable checkbox is unchecked and the attributes are
greyed out and uneditable.
If I click the enable check box, the fields are enabled but when I
attempt to save the change I get an error:
Cannot save to directory server:
netscape.ldap.LDAPException: error result(1): Operations error
I would not doubt this is because it's trying to add a posixaccount
value to objectclass when one already exists. In any event, if I enable
posix and change an attribute, I get the same error. However, if I go
to the advanced page instead, and change a posix attribute there, the
change saves perfectly fine.
Any idea what is happening and what I've done wrong? In case more
information is needed, here are some of the gory details.
There are attribute uniqueness constraints. uidnumber and gidnumber are
globally unique. uid and cn are unique within an ou within an o -
fairly granular. I did try disabling the global constraints but to no
avail.
By the way, those users with NT attributes show up fine with the NT User
enabled check box checked.
Here is a typical LDIF entry:
dn: uid=userx,ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixaccount
objectclass: account
objectclass: posixgroup
uid: userx
cn: userx
userpassword: ea4cb9eedc
uidnumber: 2001
gidnumber: 2001
homedirectory: /data/users/userx
loginshell: /bin/sh
givenname: John A.
sn: Sullivan III
mail: userx at somecompany.biz
telephonenumber: +1 (207) 999-9999
I can't imagine it is significant but, just in case, here is the LDIF creation from the script:
The input syntax is:
uid|givenname|sn|emailuser(no domain)|phone|location|W|"|" delimited attribute=value pairs
UIDNUMBERS[$counter]=${CIDU}
PWS=$(echo ${CIDU}${FIRST} | md5sum)
PWS=${PWS:0:10}
echo -e "${FIRST} ${PWS}\n\n" >> ${CID}.temp
TEMPS="dn: uid=${FIRST},${USUFFIX}\n${ADDPERSON}uid: ${FIRST}\ncn: ${FIRST}\nuserpassword: ${PWS}\nuidnumber: ${CIDU}\ngidnumber: ${CIDU}\nhomedirectory: /data/users/${FIRST}\nloginshell: /bin/sh\n"
c=0
for var in ${REST}
do
if [ -n "${var}" ]; then
case ${c} in
0)
TEMPS="${TEMPS}givenname: ${var}\n";;
1)
TEMPS="${TEMPS}sn: ${var}\n";;
2)
TEMPS="${TEMPS}mail: ${var}${EDOMAIN}\n";;
3)
TEMPS="${TEMPS}telephonenumber: ${var}\n";;
4)
TEMPS="${TEMPS}physicaldeliveryofficename: ${var}\n";;
5)
TEMPS="${TEMPS}${ADDWIN}ntuserdomainid: ${FIRST}\nntusercreatenewaccount: true\nntuserdeleteaccount: true\n";;
*)
var=${var/=/: }
TEMPS="${TEMPS}${var}\n";;
esac
fi
((c = c + 1))
done
TEMPS="${TEMPS}\n"
echo -e ${TEMPS} >> ${LDIF}
((counter = counter + 1))
((CIDU = CIDU + 1))
Here are some of the variable definitions:
BASE="dc=ssiservices,dc=biz"
NEWO="o=${CID},${BASE}"
SYSACCOUNTS="ou=SysAccounts,${NEWO}"
USUFFIX="ou=Users,ou=Internal,${NEWO}"
ADDS="changetype: add\n"
TOPS="${ADDS}objectclass: top\n"
ADDO="${TOPS}objectclass: organization\n"
ADDOU="${TOPS}objectclass: organizationalUnit\n"
ADDSYSPERSON="${TOPS}objectclass: person\nobjectclass: organizationalPerson\nobjectclass: inetOrgPerson\n"
ADDPERSON="${ADDSYSPERSON}objectclass: posixaccount\nobjectclass: account\nobjectclass: posixgroup\n"
ADDGROUP="${TOPS}objectclass: groupofuniquenames\nobjectclass: posixgroup\n"
ADDWIN="objectclass: ntuser\n"
What is going on? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
