[389-users] DNA plugin woes on a fresh centos-DS 8.1 install

Nathan Kinder nkinder at redhat.com
Tue Apr 13 16:40:06 UTC 2010


On 04/13/2010 08:21 AM, Daniel Maher wrote:
> Hello,
>
> First off, my apologies if this is not an appropriate forum for asking
> questions related to the CentOS Directory Server.  The 389-users
> archives contain numerous messages related to this platform, so...
>
> The situation : fresh install of CentOS 5.4 x86_64, installed the DS via
> yum from the standard repos :
> # yum install centos-ds centos-ds-base nss_ldap
>
> The DS is up and running.  I can create groups and users, run queries,
> and so forth.  I followed the following procedure to enable the DNA plugin :
>
> Main menu of Directory Server
> TAB: Servers and Applications
> <domain>  ->  <server>  ->  Server Group ->  Directory Server
> TAB: Configuration
> <server>  ->  Plug-ins ->  Distributed Numeric Assignment
> [X] Enable plug-in
> Save
>
> I then dutifully restarted DS afterwards.
>
> Finally, in the user creation menu, in the Posix User section, i checked
> Enable Posix User Attributes, but none of the fields were auto-populated.
>
> Initially, i tried adding the following ldif (i realise this is for the
> Fedora DNS, but hey, i thought it'd be worth a shot) :
> http://cvs.fedoraproject.org/viewvc/ldapserver/ldap/servers/plugins/dna/posix.ldif?view=co&root=dirsec
>
> Unsurprisingly (?), this did not work :
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Not a valid DNA configuration entry.
>
> I read through a number of items on the subject, including the following
> notable items :
> http://www.directory.fedora.redhat.com/wiki/DNA_Plugin
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/dna.html
>
> In section 3.6.3.1 of the Red Hat document it outlines the steps to
> activate the plug-in.  Steps 1 and 2 appear to have already been
> executed by the graphical manager, as the necessary changes are present
> in the configuration file :
> /etc/dirsrv/<server>/dse.ldif
>
> I attempted to perform step 3 (with appropriate modifications to the
> dc's).  This did not work :
> adding new entry cn=Account UIDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> ldap_add: DSA is unwilling to perform
> ldap_add: additional info: Not a valid DNA configuration entry.
>
> (It may be worth noting that the screenshot they include at the base of
> that page bears absolutely no resemblance to that of the actual plugin.)
>
> My questions are :
> 1. Is the expected behaviour of the DNA plug-in to auto-populate the
> Posix fields ?
>
The DNA plugin is designed to auto-populate unique numeric values, which 
can be used for the uidNumber and gidNumber attributes.  These fields 
will not be auto-populated in the Console when you are adding an entry.  
The Console application is not aware of DNA.  When you attempt to add a 
new user and click on the posix tab, you are simply building the entry 
that you want to add.  The Console then attempts to add this entry when 
you click OK.  The DNA plug-in does not create the values until the add 
is received, so you will not see these fields auto-fill in Console.  
Assuming that you are trying to have DNA generate the uidNumber values, 
you can either leave the uidNumber field blank when adding a user in 
Console, or set it to the magic value you configure for your DNA range.
> 2a. If so, how can i properly activate this functionality ?
>
It looks like you never successfully added a DNA configuration entry.  
You enabled the plug-in, but a configuration entry is necessary for DNA 
to know what you want it to do.

The config entry that you tried to add from step 3 in the documentation 
has a number of attributes related to auto-transfer of ranges between 
masters, which you may or may not want.  Are you using multi-master 
replication, and if so, do you need to automatically transfer ranges 
between the masters?  My guess is that the entry specified by the 
dnaSharedCfgDN attribute does not exist, as Console does not create this 
automatically for you.  If a shared config DN is specified and it does 
not exist, the DNA config entry validation code will consider the config 
to be invalid.

An alternative is to just manually assign a separate range to each 
master and not worry about range transfer if you don't see yourself 
exhausting any of the ranges.  For a single master setup, you would just 
want to use a config entry like this:

dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Account UIDs
dnatype: uidNumber
dnafilter: (objectclass=posixAccount)
dnascope: ou=people, dc=example,dc=com
dnaNextValue: 501

You would want to add a dnaMaxValue attribute to specify an end of the 
range if using multi-master replication.  You would then specify a 
different range on each other master by setting dnaNextValue and 
dnaMaxValue appropriately.
> 2b. If not, does this functionality exist ?  And as a corollary, what is
> the DNA plug-in for, exactly ?
> 3. Should i, in fact, be attempting to use the Fedora DS offering
> instead of that included in CentOS ?  (I.e. is it « better » ?)
>
The 389 Directory Server will generally have more features than CentOS 
Directory Server (which is based on Red Hat Directory Server), however 
some of these extra features are new and may be going through changes.  
There is more feature and code churn with 389.
> I am happy to provide any logs, debug output, configuration elements, etc..
>
I'd like to see the DNA config entry you are attempting to add.  You 
should also check the Directory Server errors log since it should say 
why the DNA config entry you are trying to add is invalid.  Look for 
lines containing "dna_parse_config_entry".

-NGK
> Thank you for your kind consideration, and keep up the great work !
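As an added example (not code from this thread, nor from 389/CentOS Directory Server itself), a small Python helper that emits the single-master DNA config entry shown above and the bounded per-master variants described in the reply, and checks that the ranges handed to different masters do not overlap. The master names, scope and range bounds are constructed values.

```python
# Added example: build DNA configuration entries for one or more masters
# that each own a manually assigned range (no range transfer), and check
# that those ranges are disjoint. Master names and ranges are constructed.

DNA_PLUGIN_DN = "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"


def dna_config_entry(name, attr, scope, next_value, max_value=None,
                     filt="(objectclass=posixAccount)"):
    """Return LDIF for a DNA config entry under the DNA plugin container.

    With max_value=None the range is open-ended (the single-master case);
    with a max_value the range is bounded, which each master needs when
    several masters assign values without transferring ranges.
    """
    lines = [
        f"dn: cn={name},{DNA_PLUGIN_DN}",
        "objectClass: top",
        "objectClass: extensibleObject",
        f"cn: {name}",
        f"dnaType: {attr}",
        f"dnaFilter: {filt}",
        f"dnaScope: {scope}",
        f"dnaNextValue: {next_value}",
    ]
    if max_value is not None:
        lines.append(f"dnaMaxValue: {max_value}")
    return "\n".join(lines) + "\n"


def check_ranges(masters):
    """masters: {master_name: (dnaNextValue, dnaMaxValue or None)}.

    Returns a list of problems: an unbounded range in a multi-master
    setup (it would collide with the others) or two ranges that overlap.
    """
    problems = []
    items = sorted(masters.items(), key=lambda kv: kv[1][0])
    for i, (name, (lo, hi)) in enumerate(items):
        if hi is None and len(items) > 1:
            problems.append(f"{name}: dnaMaxValue missing in a multi-master setup")
            continue
        for other, (lo2, _hi2) in items[i + 1:]:
            if hi is not None and lo2 <= hi:
                problems.append(f"{name} [{lo}-{hi}] overlaps {other} starting at {lo2}")
    return problems


if __name__ == "__main__":
    scope = "ou=people,dc=example,dc=com"  # constructed
    plan = {"master1": (501, 10000), "master2": (10001, 20000)}  # constructed
    for master, (lo, hi) in plan.items():
        print(f"# {master}\n{dna_config_entry('Account UIDs', 'uidNumber', scope, lo, hi)}")
    print("problems:", check_ranges(plan) or "none")
```

Feed each emitted entry to ldapadd against the corresponding master; if the add is rejected as "Not a valid DNA configuration entry", the dna_parse_config_entry lines in that server's errors log name the attribute it objected to.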