John A. Sullivan III wrote:
> I've created a bash script to add ds entries for new clients as we bring
> them on board. It automatically creates their user accounts which
> include the posixaccount object class (as well as account (to allow the
> host attribute) and posixgroup (to allow gidnumber for personal
> groups)).
>
> They appear to be created fine. Users can login, change passwords, etc.
> However, when I view the user in the idm-console, the posix attributes
> are present but the enable checkbox is unchecked and the attributes are
> greyed out and uneditable.
>
> If I click the enable check box, the fields are enabled but when I
> attempt to save the change I get an error:
> Cannot save to directory server:
> netscape.ldap.LDAPException: error result(1): Operations error
>
run the console like this
fedora-idm-console -D 9 -f console.log
the log should contain much more detailed information
you should also look at the directory server access log to see exactly
what operation it is performing
> I would not doubt this is because it's trying to add a posixaccount
> value to objectclass when one already exists. In any event, if I enable
> posix and change an attribute, I get the same error. However, if I go
> to the advanced page instead, and change a posix attribute there, the
> change saves perfectly fine.
>
> Any idea what is happening and what I've done wrong? In case more
> information is needed, here are some of the gory details.
>
> There are attribute uniqueness constraints. uidnumber and gidnumber are
> globally unique. uid and cn are unique within an ou within an o -
> fairly granular. I did try disabling the global constraints but to no
> avail.
>
> By the way, those users with NT attributes show up fine with the NT User
> enabled check box checked.
>
> Here is a typical LDIF entry:
>
> dn: uid=userx,ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz
> changetype: add
> objectclass: top
> objectclass: person
> objectclass: organizationalPerson
> objectclass: inetOrgPerson
> objectclass: posixaccount
> objectclass: account
> objectclass: posixgroup
> uid: userx
> cn: userx
> userpassword: ea4cb9eedc
> uidnumber: 2001
> gidnumber: 2001
> homedirectory: /data/users/userx
> loginshell: /bin/sh
> givenname: John A.
> sn: Sullivan III
> mail: userx at somecompany.biz
> telephonenumber: +1 (207) 999-9999
>
> I can't imagine it is significant but, just in case, here is the LDIF creation from the script:
> The input syntax is:
> uid|givenname|sn|emailuser(no domain)|phone|location|W|"|" delimited attribute=value pairs
>
> UIDNUMBERS[$counter]=${CIDU}
> PWS=$(echo ${CIDU}${FIRST} | md5sum)
> PWS=${PWS:0:10}
> echo -e "${FIRST} ${PWS}\n\n" >> ${CID}.temp
> TEMPS="dn: uid=${FIRST},${USUFFIX}\n${ADDPERSON}uid: ${FIRST}\ncn: ${FIRST}\nuserpassword: ${PWS}\nuidnumber: ${CIDU}\ngidnumber: ${CIDU}\nhomedirectory: /data/users/${FIRST}\nloginshell: /bin/sh\n"
> c=0
> for var in ${REST}
> do
> if [ -n "${var}" ]; then
> case ${c} in
> 0)
> TEMPS="${TEMPS}givenname: ${var}\n";;
> 1)
> TEMPS="${TEMPS}sn: ${var}\n";;
> 2)
> TEMPS="${TEMPS}mail: ${var}${EDOMAIN}\n";;
> 3)
> TEMPS="${TEMPS}telephonenumber: ${var}\n";;
> 4)
> TEMPS="${TEMPS}physicaldeliveryofficename: ${var}\n";;
> 5)
> TEMPS="${TEMPS}${ADDWIN}ntuserdomainid: ${FIRST}\nntusercreatenewaccount: true\nntuserdeleteaccount: true\n";;
> *)
> var=${var/=/: }
> TEMPS="${TEMPS}${var}\n";;
> esac
> fi
> ((c = c + 1))
> done
> TEMPS="${TEMPS}\n"
> echo -e ${TEMPS} >> ${LDIF}
> ((counter = counter + 1))
> ((CIDU = CIDU + 1))
>
> Here are some of the variable definitions:
> BASE="dc=ssiservices,dc=biz"
> NEWO="o=${CID},${BASE}"
> SYSACCOUNTS="ou=SysAccounts,${NEWO}"
> USUFFIX="ou=Users,ou=Internal,${NEWO}"
> ADDS="changetype: add\n"
> TOPS="${ADDS}objectclass: top\n"
> ADDO="${TOPS}objectclass: organization\n"
> ADDOU="${TOPS}objectclass: organizationalUnit\n"
> ADDSYSPERSON="${TOPS}objectclass: person\nobjectclass: organizationalPerson\nobjectclass: inetOrgPerson\n"
> ADDPERSON="${ADDSYSPERSON}objectclass: posixaccount\nobjectclass: account\nobjectclass: posixgroup\n"
> ADDGROUP="${TOPS}objectclass: groupofuniquenames\nobjectclass: posixgroup\n"
> ADDWIN="objectclass: ntuser\n"
>
> What is going on? Thanks - John
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20081126/ae744cc1/attachment.bin
