Re: dsidm utility inconsistencies

Michael Starling <mlstarling31@xxxxxxxxxxx> · Thu, 23 Sep 2021 15:59:18 +0000

From: Michael Starling <mlstarling31@xxxxxxxxxxx>

Sent: Thursday, September 23, 2021 10:10 AM

To: Mark Reynolds <mreynolds@xxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>

Subject: Re: [389-users] dsidm utility inconsistencies

From: Mark Reynolds <mreynolds@xxxxxxxxxx>

Sent: Wednesday, September 22, 2021 8:14 PM

To: Michael Starling <mlstarling31@xxxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>

Subject: Re: [389-users] dsidm utility inconsistencies

On 9/22/21 5:11 PM, Michael Starling wrote:

From: Mark Reynolds
<mreynolds@xxxxxxxxxx>

Sent: Wednesday, September 22, 2021 3:38 PM

To: General discussion list for the 389 Directory server project. 
<389-users@xxxxxxxxxxxxxxxxxxxxxxx>; Michael Starling 
<mlstarling31@xxxxxxxxxxx>

Subject: Re: [389-users] dsidm utility inconsistencies

On 9/22/21 2:58 PM, Michael Starling wrote:

Unless I'm interpreting the man pages, and documentation wrong there seems to be some issues with the dsidm utility.  Perhaps I'm doing something wrong?

This works.

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account get-by-dn uid=mstarlingt,ou=People,dc=mydomain,dc=com 

dn: uid=mstarlingt,ou=People,dc=mydomain,dc=com 

cn: Mike Starling 

gecos: Mike Starling test account 

gidNumber: 100 

givenName: Mike 

homeDirectory: /home/mstarlingt 

loginShell: /bin/ksh 

mail: 
mstarling@xxxxxxxxxxxx 

objectClass: person 

objectClass: organizationalPerson 

objectClass: inetOrgPerson 

objectClass: posixAccount 

objectClass: top 

objectClass: shadowAccount 

shadowExpire: 99999 

shadowLastChange: 18857 

shadowMax: 33 

shadowWarning: 1 

sn: Starling 

uid: mstarlingt 

uidNumber: 25574 

#Password reset works

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account reset_password "uid=mstarlingt,ou=People,dc=mydomain,dc=com" 

Enter new password for uid=mstarlingt,ou=People,dc=mydomain,dc=com :  

CONFIRM - Enter new password for uid=mstarlingt,ou=People,dc=mydomain,dc=com :  

reset password for uid=mstarlingt,ou=People,dc=mydomain,dc=com 

#Unable to lock the account.

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock uid=mstarlingt 

Error: No such object 

I consult the help which says to specify the dn

dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock -h 

usage: dsidm instance account lock [-h] [dn] 

positional arguments: 

  dn          The dn to lock 

optional arguments: 

  -h, --help  show this help message and exit 

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock uid=mstarlingt,ou=People,dc=mydomain,dc=com 

Error: search_ext() argument 1 must be str, not None 

I think this is a known bug (which was fixed).  What version of python-lib389 is installed?

Thanks Mark.

python3-lib389-1.4.3.17-1.module_el8+10764+2b5f8656.noarch is installed

Yes this is a old version, and the fix (Issue 4912) was recently made.  We will have to do new builds...

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock "uid=mstarlingt,ou=People,dc=mydomain,dc=com" 

Error: search_ext() argument 1 must be str, not None 

dsidm -W -D cn=manager -Z ldaps://labdsa101.athenahealth.com -b dc=mydomain,dc=com account lock "uid=mstarlingt"

I tried changing the base to the People OU where the account lives

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b ou=People,dc=mydomain,dc=com account lock "uid=mstarlingt,ou=People,dc=mydomain,dc=com"

Error: search_ext() argument 1 must be str, not None

dsidm -W -D cn=manager -Z
ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get

Enter uid to retrieve : mstarlingt 

Error: No object exists given the filter criteria mstarlingt 

What is in the access log?

Here's what I see in the logs.

22/Sep/2021:17:09:28.515626170 -0400] conn=3947 op=2 SRCH base="ou=people,dc=mydomain,dc=com" scope=2 filter="(&(&(objectClass=nsPerson)(objectClass=nsAccount)(objectClass=nsOrgPerson)(objectClass=posixAccount))(|(uid=mstarlingt)(displayName=mstarlingt)(cn=mstarlingt)))"
 attrs="distinguishedName"

So dsidm is pretty opinionated about how it looks for users (which might need to change).  It only looks for entries that have all of these objectclasses: nsPerson, nsAccount, nsOrgPerson, posixAccount.  What objectclasses are in your user entry?

Mark

Ahh. That's it. The mstarlingt account was created with an LDIF and does not have the "ns" object classes.

I notice when I go to create an account with dsidm I have limited ability to specify attributes. 

Is the best way to create an account still with an LDIF file? When I create an account with dsidm it has no loginShell. Is there a default template dsidm pulls from that needs to be updated with the other possible user attributes that are set as the default
 and not covered by the dsidm utility?

dsidm -W  -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user create --uid="dstest" --cn="Test dsidm" --gidNumber="100" --homeDirectory="/home/dstest" --displayName="Test Account" --uidnumber="25941" --mail="mstarling@xxxxxxxxxxxx"
 --loginShell="/bin/bash" 

usage: dsidm [-h] [-b BASEDN] [-v] [-D BINDDN] [-w BINDPW] [-W] [-W PWDFILE] 

             [-Z] [-j] 

             instance 

             {account,group,initialise,organizationalunit,posixgroup,user,client_config,role} 

             ... 

dsidm: error: unrecognized arguments: --uidnumber=25941 --mail=mstarling@xxxxxxxxxxxx --loginShell=/bin/bash 

dsidm -W  -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user create -h 

usage: dsidm instance user create [-h] [--uid [UID]] [--cn [CN]] 

                                  [--displayName [DISPLAYNAME]] 

                                  [--uidNumber [UIDNUMBER]] 

                                  [--gidNumber [GIDNUMBER]] 

                                  [--homeDirectory [HOMEDIRECTORY]] 

optional arguments: 

  -h, --help            show this help message and exit 

  --uid [UID]           Value of uid 

  --cn [CN]             Value of cn 

  --displayName [DISPLAYNAME] 

                        Value of displayName 

  --uidNumber [UIDNUMBER] 

                        Value of uidNumber 

  --gidNumber [GIDNUMBER] 

                        Value of gidNumber 

  --homeDirectory [HOMEDIRECTORY] 

                        Value of homeDirectory 

So if I create a user with dsidm and it adds the "ns" object classes I still can't run some of the dsidm commands against that account

dsidm -W  -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get dstest 

dn: uid=dstest,ou=People,dc=mydomain,dc=com 

cn: Test Dsconf 

displayName: Test Account 

employeeNumber: 25429 

gidNumber: 100 

homeDirectory: /home/dstest 

loginShell: /bin/bash 

mail: mstarling@xxxxxxxxxxxx 

objectClass: top 

objectClass: nsPerson 

objectClass: nsAccount 

objectClass: nsOrgPerson 

objectClass: posixAccount 

uid: dstest 

uidNumber: 25941 

dsidm -W  -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock dstest 

Error: dstest is not a valid DN

dsidm -W  -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account lock uid=dstest,ou=People,dc=mydomain,dc=com 

Error: search_ext() argument 1 must be str, not None 

dsidm -W .slaplab -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account entry-status uid=dstest,ou=People,dc=mydomain,dc=com 

Error: search_ext() argument 1 must be str, not None 

dsidm -W .slaplab -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account entry-status dstest 

Error: dstest is not a valid DN

dsidm -W .slaplab -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com account entry-status 

Enter dn to check : uid=dstest,ou=People,dc=mydomain,dc=com 

Error: search_ext() argument 1 must be str, not None 

Thanks,

Mark

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get 

Enter uid to retrieve : uid=mstarlingt,ou=People,dc=mydomain,dc=com 

Error: No object exists given the filter criteria uid=mstarlingt,ou=People,dc=mydomain,dc=com 

dsidm -W -D cn=manager -Z ldaps://labdsa101.mydomain.com -b dc=mydomain,dc=com user get 

Enter uid to retrieve : uid=mstarlingt 

Error: No object exists given the filter criteria uid=mstarlingt 

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

-- 
Directory Server Development Team

-- 
Directory Server Development Team

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure