On 04/16/2010 03:42 AM, Daniel Maher wrote: > On 04/15/2010 05:02 PM, Nathan Kinder wrote: > > >> That's why you need to set a magic value in the DNA config and use them >> in the Console. For example, you could configure the value "1" to be a >> magic value for your uidNumber and gidNumber DNA ranges. If you then >> add a user in Console with the value of "1" for the uidNumber and >> gidNumber fields, DNA will generate new values from the ranges and >> overwrite the values of "1" you specified with the generated values. >> >>> In other words, via the console, there is no way to have DNA generate >>> the uidNumber and gidNumber values when creating a new user. >>> >>> >> There is a way if you use magic values. >> > So there is ! Unfortunately, i have encountered further issues related > to the DNA plugin, and in particular to console interactions with said. > > > Following this reference document : > http://directory.fedoraproject.org/wiki/DNA_Plugin > > The document states : > > dnaMagicRegen - [...] It also is not required to be a numeric value, so > you can use anything you want. [...] > > This may certainly be true ; however, since the console demands a > numeric value for the uidNumber and gidNumber fields, using a > non-numeric value as a magic number identifier will make it impossible > to create users via the console. > > Furthermore, once the user has been created (assuming numeric values > were used), if you open the user entry in the console directly after > creating it, the magic number will be listed instead of the actual uid > and gid values. Completely re-starting the console ? fixes ? this (does > the console use a cache ?). It's a minor irritation, but it could cause > mistakes to be made. > Agreed. File a bug/enhancement request against the 389-ds-console component. I think we want Console to only allow numeric values to be used since many people don't use DNA and we want to prevent mistakes, but the caching thing can indeed cause confusion. > > Moving on, the example configuration for activating basic DNA > functionality states : > > [...] the uidNumber and gidNumber (primary group) attributes to be > assigned by DNA, but you also want them to be the same value. In > addition, you want DNA to assign the gidNumber attribute from the same > range [...] > > Sounds perfect ; however, while the expected behaviour is a (magically) > generated value for both the uid and gid, the actual result is that only > the uid is magically assigned. Consider the following : > > # cat dna_conf > dn: cn=UID and GID numbers,cn=Distributed Numeric Assignment > Plugin,cn=plugins,cn=config > objectClass: top > objectClass: extensibleObject > cn: UID and GID numbers > dnatype: uidNumber > dnaType: gidNumber > dnamagicregen: 99999 > dnafilter: (|(objectclass=posixAccount)(objectclass=posixGroup)) > dnascope: dc=example,dc=com > dnanextvalue: 1000 > > # /usr/lib64/mozldap/ldapmodify -v -a -D "cn=Directory Manager" -w > managerpass -h localhost -f dna_conf > ... > adding new entry cn=UID and GID numbers,cn=Distributed Numeric > Assignment Plugin,cn=plugins,cn=config > modify complete > > > # cat add_user > dn: uid=testuser,ou=People, dc=example,dc=com > changetype: add > givenName: test > sn: user > uidNumber: 99999 > gidNumber: 99999 > objectClass: top > objectClass: person > objectClass: organizationalPerson > objectClass: inetorgperson > objectClass: posixAccount > uid: testuser > cn: test user > homeDirectory: /home/testuser > userPassword: {clear}testpass > loginShell: /bin/bash > > # /usr/lib64/mozldap/ldapmodify -v -a -D "cn=Directory Manager" -w > managerpass -h localhost -f add_user > ... > adding new entry uid=testuser,ou=People, dc=example,dc=com > modify complete > > > # /usr/lib64/mozldap/ldapsearch -h localhost -b 'dc=france-ix,dc=net' > 'uid=testuser' | egrep "(gidNumber|uidNumber)" > gidNumber: 99999 > uidNumber: 1000 > > > This behaviour occurs (unsurprisingly) for users added via the console > as well. > The document you are using off of the wiki is an feature design document that was used while developing DNA. Not everything mentioned in there is in the plug-in. The ability to use multiple dnaType attributes in the same range is one of these things that is not implemented at this time. You can set up two separate ranges, one for the uidNumber attribute and another for the gidNumber attribute. While this doesn't guarantee that uidNumber == gidNumber for a user, the values will indeed be the same if you configure the ranges the same and always let DNA generate the values for those attributes. The main issue to deal with to ensure the values are the same would be to use a different range of gidNumbers for posixGroup entries. If you don't care if your gidNumber user private groups match the user's uidNumber, you can just create a single gidNumber range with a filter of "(|(objectclass=posixAccount)(objectclass=posixGroup))" to have your range span your user and group entries. > Reference : > CentOS 5.4 x86_64 > 389-ds via EPEL (vendorVersion: 389-Directory/1.2.5 B2010.012.2034) > > >