We're trying to create accounts (with the posixaccount objectclass and so forth) via LDAP, and while we can add the objectclasses and set the attributes without error, the attributes for posixaccount don't show up on subsequent LDAP queries. Looking at the entry via the 389 Console I see that the values were set correctly but the checkbox for 'Enable Posix User Attributes' is unechecked - I had thought checking this merely added the relevant objectclass but apparently there's some other special magic occuring. How can we "enable" these attributes (so that we can than retrieve them via LDAP later) via LDAP ? Manually going in via the console and "enabling" them via the checkbox for every new account is not a "solution".

-- 389 users mailing list 389-users(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users

Oops. It looks like the results are coming back they're just getting partially eaten somewhere in our code. Still, weird that the GUI shows it all grayed out - that's what led me to believe something wasn't set right on the LDAP entry. I googled for a solution and found some ancient post where someone thought you had to restart 389ds server for it to notice the change (which seemed silly to me ... ),

hence why I came here thinking surely it can't be that... there must be a way! :D On Thu, May 16, 2013 at 9:36 PM, Rich Megginson <rmeggins(a)redhat.com <mailto:rmeggins@redhat.com>> wrote: On 05/16/2013 06:06 PM, Jonathan Vaughn wrote: > We're trying to create accounts (with the posixaccount > objectclass and so forth) via LDAP, and while we can add the > objectclasses and set the attributes without error, the > attributes for posixaccount don't show up on subsequent LDAP > queries. Looking at the entry via the 389 Console I see that the > values were set correctly but the checkbox for 'Enable Posix User > Attributes' is unechecked - I had thought checking this merely > added the relevant objectclass but apparently there's some other > special magic occuring. > > How can we "enable" these attributes (so that we can than > retrieve them via LDAP later) via LDAP ? Manually going in via > the console and "enabling" them via the checkbox for every new > account is not a "solution". Create a user in the console which you have done the 'Enable Posix User Attributes' - do an ldapsearch to see what that LDIF looks like - compare that with your script or LDIF that you are using to automate. > > > -- > 389 users mailing list > 389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> > https://admin.fedoraproject.org/mailman/listinfo/389-users

Yeah, it works fine. No restarts needed. TL;DR: the interface library I was writing is set up to prevent you from assigning multiple values to attributes that are SINGLE-VALUE - and I forgot that even if you only get 1 value from ldap with PHP's functions its still an array ('count' => 1, 0 => [value]) and so I was silently throwing them away (hadn't gotten around to putting in actual errors for these yet). :D Totally my fault.

On Fri, May 17, 2013 at 11:49 AM, Rich Megginson <rmeggins(a)redhat.com <mailto:rmeggins@redhat.com>> wrote: On 05/17/2013 10:40 AM, Jonathan Vaughn wrote: > Oops. It looks like the results are coming back they're just > getting partially eaten somewhere in our code. > > Still, weird that the GUI shows it all grayed out - that's what > led me to believe something wasn't set right on the LDAP entry. I > googled for a solution and found some ancient post where someone > thought you had to restart 389ds server for it to notice the > change (which seemed silly to me ... ), Should not require a restart. > hence why I came here thinking surely it can't be that... there > must be a way! :D > > On Thu, May 16, 2013 at 9:36 PM, Rich Megginson > <rmeggins(a)redhat.com <mailto:rmeggins@redhat.com>> wrote: > > On 05/16/2013 06:06 PM, Jonathan Vaughn wrote: >> We're trying to create accounts (with the posixaccount >> objectclass and so forth) via LDAP, and while we can add the >> objectclasses and set the attributes without error, the >> attributes for posixaccount don't show up on subsequent LDAP >> queries. Looking at the entry via the 389 Console I see that >> the values were set correctly but the checkbox for 'Enable >> Posix User Attributes' is unechecked - I had thought >> checking this merely added the relevant objectclass but >> apparently there's some other special magic occuring. >> >> How can we "enable" these attributes (so that we can than >> retrieve them via LDAP later) via LDAP ? Manually going in >> via the console and "enabling" them via the checkbox for >> every new account is not a "solution". > > Create a user in the console which you have done the 'Enable > Posix User Attributes' - do an ldapsearch to see what that > LDIF looks like - compare that with your script or LDIF that > you are using to automate. >> >> >> -- >> 389 users mailing list >> 389-users(a)lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> >> https://admin.fedoraproject.org/mailman/listinfo/389-users > >