[389-users] magic numbers (DNA) : console issues & gid assignment problem

Nathan Kinder nkinder at redhat.com
Fri Apr 16 16:39:18 UTC 2010

On 04/16/2010 03:42 AM, Daniel Maher wrote:
> On 04/15/2010 05:02 PM, Nathan Kinder wrote:
>> That's why you need to set a magic value in the DNA config and use them
>> in the Console.  For example, you could configure the value "1" to be a
>> magic value for your uidNumber and gidNumber DNA ranges.  If you then
>> add a user in Console with the value of "1" for the uidNumber and
>> gidNumber fields, DNA will generate new values from the ranges and
>> overwrite the values of "1" you specified with the generated values.
>>> In other words, via the console, there is no way to have DNA generate
>>> the uidNumber and gidNumber values when creating a new user.
>> There is a way if you use magic values.
> So there is !  Unfortunately, i have encountered further issues related
> to the DNA plugin, and in particular to console interactions with said.
> Following this reference document :
> http://directory.fedoraproject.org/wiki/DNA_Plugin
> The document states :
> dnaMagicRegen - [...] It also is not required to be a numeric value, so
> you can use anything you want. [...]
> This may certainly be true ; however, since the console demands a
> numeric value for the uidNumber and gidNumber fields, using a
> non-numeric value as a magic number identifier will make it impossible
> to create users via the console.
> Furthermore, once the user has been created (assuming numeric values
> were used), if you open the user entry in the console directly after
> creating it, the magic number will be listed instead of the actual uid
> and gid values.  Completely re-starting the console « fixes » this (does
> the console use a cache ?).  It's a minor irritation, but it could cause
> mistakes to be made.
Agreed.  File a bug/enhancement request  against the 389-ds-console 
component.  I think we want Console to only allow numeric values to be 
used since many people don't use DNA and we want to prevent mistakes, 
but the caching thing can indeed cause confusion.
> Moving on, the example configuration for activating basic DNA
> functionality states :
> [...] the uidNumber and gidNumber (primary group) attributes to be
> assigned by DNA, but you also want them to be the same value. In
> addition, you want DNA to assign the gidNumber attribute from the same
> range [...]
> Sounds perfect ; however, while the expected behaviour is a (magically)
> generated value for both the uid and gid, the actual result is that only
> the uid is magically assigned.  Consider the following :
> # cat dna_conf
> dn: cn=UID and GID numbers,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: UID and GID numbers
> dnatype: uidNumber
> dnaType: gidNumber
> dnamagicregen: 99999
> dnafilter: (|(objectclass=posixAccount)(objectclass=posixGroup))
> dnascope: dc=example,dc=com
> dnanextvalue: 1000
> # /usr/lib64/mozldap/ldapmodify -v -a -D "cn=Directory Manager" -w
> managerpass -h localhost -f dna_conf
>      ...
> adding new entry cn=UID and GID numbers,cn=Distributed Numeric
> Assignment Plugin,cn=plugins,cn=config
> modify complete
> # cat add_user
> dn: uid=testuser,ou=People, dc=example,dc=com
> changetype: add
> givenName: test
> sn: user
> uidNumber: 99999
> gidNumber: 99999
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: posixAccount
> uid: testuser
> cn: test user
> homeDirectory: /home/testuser
> userPassword: {clear}testpass
> loginShell: /bin/bash
> # /usr/lib64/mozldap/ldapmodify -v -a -D "cn=Directory Manager" -w
> managerpass -h localhost -f add_user
>      ...
> adding new entry uid=testuser,ou=People, dc=example,dc=com
> modify complete
> # /usr/lib64/mozldap/ldapsearch -h localhost -b 'dc=france-ix,dc=net'
> 'uid=testuser' | egrep "(gidNumber|uidNumber)"
> gidNumber: 99999
> uidNumber: 1000
> This behaviour occurs (unsurprisingly) for users added via the console
> as well.
The document you are using off of the wiki is an feature design document 
that was used while developing DNA.  Not everything mentioned in there 
is in the plug-in.  The ability to use multiple dnaType attributes in 
the same range is one of these things that is not implemented at this time.

You can set up two separate ranges, one for the uidNumber attribute and 
another for the gidNumber attribute.  While this doesn't guarantee that 
uidNumber == gidNumber for a user, the values will indeed be the same if 
you configure the ranges the same and always let DNA generate the values 
for those attributes.  The main issue to deal with to ensure the values 
are the same would be to use a different range of gidNumbers for 
posixGroup entries.

If you don't care if your gidNumber user private groups match the user's 
uidNumber, you can just create a single gidNumber range with a filter of 
"(|(objectclass=posixAccount)(objectclass=posixGroup))" to have your 
range span your user and group entries.
> Reference :
> CentOS 5.4 x86_64
> 389-ds via EPEL (vendorVersion: 389-Directory/1.2.5 B2010.012.2034)

More information about the 389-users mailing list