On 04/13/2010 08:21 AM, Daniel Maher wrote:
> Hello,
>
> First off, my apologies if this is not an appropriate forum for asking
> questions related to the CentOS Directory Server. The 389-users
> archives contain numerous messages related to this platform, so...
>
> The situation : fresh install of CentOS 5.4 x86_64, installed the DS via
> yum from the standard repos :
> # yum install centos-ds centos-ds-base nss_ldap
>
> The DS is up and running. I can create groups and users, run queries,
> and so forth. I followed the following procedure to enable the DNA plugin :
>
> Main menu of Directory Server
> TAB: Servers and Applications
> <domain> -> <server> -> Server Group -> Directory Server
> TAB: Configuration
> <server> -> Plug-ins -> Distributed Numeric Assignment
> [X] Enable plug-in
> Save
>
> I then dutifully restarted DS afterwards.
>
> Finally, in the user creation menu, in the Posix User section, i checked
> Enable Posix User Attributes, but none of the fields were auto-populated.
>
> Initially, i tried adding the following ldif (i realise this is for the
> Fedora DNS, but hey, i thought it'd be worth a shot) :
> http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/servers/plugins/dna/posix.ldif?view=co&root=dirsec
>
> Unsurprisingly (?), this did not work :
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Not a valid DNA configuration entry.
>
> I read through a number of items on the subject, including the following
> notable items :
> http://www.directory.fedora.redhat.com/wiki/DNA_Plugin
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html
>
> In section 3.6.3.1 of the Red Hat document it outlines the steps to
> activate the plug-in. Steps 1 and 2 appear to have already been
> executed by the graphical manager, as the necessary changes are present
> in the configuration file :
> /etc/dirsrv/<server>/dse.ldif
>
> I attempted to perform step 3 (with appropriate modifications to the
> dc's). This did not work :
> adding new entry cn=Account UIDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Not a valid DNA configuration entry.
>
> (It may be worth noting that the screenshot they include at the base of
> that page bears absolutely no resemblance to that of the actual plugin.)
>
> My questions are :
> 1. Is the expected behaviour of the DNA plug-in to auto-populate the
> Posix fields ?

The DNA plugin is designed to auto-populate unique numeric values, which can be used for the uidNumber and gidNumber attributes. These fields will not be auto-populated in the Console when you are adding an entry. The Console application is not aware of DNA. When you attempt to add a new user and click on the posix tab, you are simply building the entry that you want to add. The Console then attempts to add this entry when you click OK. The DNA plug-in does not create the values until the add is received, so you will not see these fields auto-fill in Console.

Assuming that you are trying to have DNA generate the uidNumber values, you can either leave the uidNumber field blank when adding a user in Console, or set it to the magic value you configure for your DNA range.

> 2a. If so, how can i properly activate this functionality ?

It looks like you never successfully added a DNA configuration entry. You enabled the plug-in, but a configuration entry is necessary for DNA to know what you want it to do. The config entry that you tried to add from step 3 in the documentation has a number of attributes related to auto-transfer of ranges between masters, which you may or may not want. Are you using multi-master replication, and if so, do you need to automatically transfer ranges between the masters?

My guess is that the entry specified by the dnaSharedCfgDN attribute does not exist, as Console does not create this automatically for you. If a shared config DN is specified and it does not exist, the DNA config entry validation code will consider the config to be invalid.

An alternative is to just manually assign a separate range to each master and not worry about range transfer if you don't see yourself exhausting any of the ranges. For a single master setup, you would just want to use a config entry like this:

dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=people, dc=example,dc=com
dnaNextValue: 501

You would want to add a dnaMaxValue attribute to specify an end of the range if using multi-master replication. You would then specify a different range on each other master by setting dnaNextValue and dnaMaxValue appropriately.

> 2b. If not, does this functionality exist ? And as a corollary, what is
> the DNA plug-in for, exactly ?
> 3. Should i, in fact, be attempting to use the Fedora DS offering
> instead of that included in CentOS ? (I.e. is it "better" ?)

The 389 Directory Server will generally have more features than CentOS Directory Server (which is based on Red Hat Directory Server), however some of these extra features are new and may be going through changes. There is more feature and code churn with 389.

> I am happy to provide any logs, debug output, configuration elements, etc..

I'd like to see the DNA config entry you are attempting to add. You should also check the Directory Server errors log since it should say why the DNA config entry you are trying to add is invalid. Look for lines containing "dna_parse_config_entry".

-NGK

> Thank you for your kind consideration, and keep up the great work !
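Added example, not from the thread or the 389 project: a pre-flight check for the per-master range layout NGK describes. It parses one DNA config entry per master from LDIF and flags the three mistakes the reply warns about: a dnaSharedCfgDN pointing at a DN that is not known to exist (which makes the plug-in reject the entry), a range with no dnaMaxValue in a multi-master setup, and ranges that overlap between masters. The LDIF text and the set of known DNs are constructed sample input.

```python
# Constructed sample input (not from the thread): one DNA range entry per master,
# in the shape NGK posted. master2 carries every mistake the checker reports.
COMMON = """dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnaType: uidNumber
dnaFilter: (objectclass=posixAccount)
dnaScope: ou=people,dc=example,dc=com
"""
MASTERS = {
    "master1": COMMON + "dnaNextValue: 501\ndnaMaxValue: 1000\n",
    "master2": COMMON + "dnaNextValue: 900\ndnaSharedCfgDN: ou=Ranges,dc=example,dc=com\n",
}
# DNs assumed to exist in the directory (constructed; in practice taken from an ldapsearch export).
KNOWN_DNS = {"dc=example,dc=com", "ou=people,dc=example,dc=com"}

def parse_ldif(text):
    """Return entries as {attr_lowercase: [values]}; a blank line ends an entry, a leading space folds."""
    entries, entry, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:
            entry[last][-1] += raw[1:]            # folded continuation of the previous value
        elif raw.strip():
            attr, _, value = raw.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
        elif entry:
            entries.append(entry)
            entry, last = {}, None
    return entries

def check_dna_ranges(masters, known_dns):
    """Return the problems found across all masters' DNA range entries."""
    problems, seen, known = [], [], {d.lower() for d in known_dns}
    for name, ldif in masters.items():
        for e in (x for x in parse_ldif(ldif) if "dnanextvalue" in x):
            shared = e.get("dnasharedcfgdn", [""])[0]
            if shared and shared.lower() not in known:
                problems.append(f"{name}: dnaSharedCfgDN {shared} does not exist, config rejected")
            lo = int(e["dnanextvalue"][0])
            hi = int(e["dnamaxvalue"][0]) if "dnamaxvalue" in e else float("inf")
            if len(masters) > 1 and hi == float("inf"):
                problems.append(f"{name}: no dnaMaxValue, range unbounded in multi-master")
            for other, olo, ohi in seen:          # ranges must be disjoint across masters
                if lo <= ohi and olo <= hi:
                    problems.append(f"{name}: range {lo}-{hi} overlaps {other} range {olo}-{ohi}")
            seen.append((name, lo, hi))
    return problems
```

Running `check_dna_ranges(MASTERS, KNOWN_DNS)` reports all three problems for master2; with a single master and no dnaSharedCfgDN it returns an empty list, matching the single-master entry in the reply.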