[389-users] enabling posixGroup for a group (error : attribute "uidNumber" not allowed)

Nathan Kinder nkinder at redhat.com
Tue Jul 6 15:31:21 UTC 2010


On 07/02/2010 07:22 AM, Daniel Maher wrote:
> On 07/02/2010 11:58 AM, Daniel Maher wrote:
>
>> I am trying to get system groups working on 389-ds via the addition of
>> "posixGroup" as a value for a given LDAP group.
>>
>> However, this error appears in the log :
>>
>> [02/Jul/2010:09:43:03 +0000] - Entry
>> "cn=admin,ou=systemgroups,dc=domain,dc=net" -- attribute "uidNumber" not
>> allowed
>>      
> Hello,
>
> After wiping out my test instance and starting from scratch, it has
> become clear that the problem is related to the DNA plugin.  If I do NOT
> activate / configure the DNA plugin, then I can manipulate
> posixGroup-related entries as expected.  As soon as the plugin is
> activated and configured, the error noted above occurs.
>
> I followed (and *cough* wrote) this document exactly :
> http://directory.fedoraproject.org/wiki/Howto:DNA
>
> [root at test-dma-36 dirsrv]# /usr/lib64/mozldap/ldapsearch -h localhost -p
> 389 -s base -b "" "objectclass=*" | grep vendorVersion
> vendorVersion: 389-Directory/1.2.5 B2010.012.2034
> [root at test-dma-36 dirsrv]# cat /etc/redhat-release
> CentOS release 5.4 (Final)
> [root at test-dma-36 dirsrv]# uname -s -r -v -i -o
> Linux 2.6.18-164.15.1.el5 #1 SMP Wed Mar 17 11:30:06 EDT 2010 x86_64
> GNU/Linux
>
> It would seem that this is either a fault in the configuration of the
> plugin, or a bug with the plugin itself.  Has anybody else experienced
> similar behaviour ?
>    
The way you have DNA configured will cause it to try to add a 
"uidNumber" attribute to a posixGroup entry.  You should change the 
"dnaFilter" attribute for your "cn=UID numbers" DNA config entry to be 
"(objectClass=posixAccount)".
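
The misconfiguration described in the reply above, as an added example that is not part of the original message or of the 389 Directory Server code: a small Python model that evaluates a dnaFilter against entries and reports those whose object classes do not permit the dnaType. The broad filter, the sample entries and the function names are assumptions constructed for illustration; the model looks only at the filter match and the RFC 2307 schema.

```python
# Added illustration; the sample filter and entries are constructed, not from the thread.
# Attributes (MUST + MAY) permitted by the RFC 2307 object classes involved.
ALLOWED = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "userpassword", "loginshell", "gecos", "description"},
    "posixgroup": {"cn", "gidnumber", "userpassword", "memberuid", "description"},
}

def matches(flt, entry):
    """Evaluate an LDAP filter (only &, |, ! and equality) against an entry."""
    def parse(i):
        op = flt[i + 1]
        if op in "&|!":
            i, results = i + 2, []
            while flt[i] == "(":
                res, i = parse(i)
                results.append(res)
            combine = {"&": all, "|": any, "!": lambda rs: not rs[0]}[op]
            return combine(results), i + 1  # step past the closing ')'
        end = flt.index(")", i)
        attr, _, value = flt[i + 1:end].partition("=")
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        return value.lower() in have, end + 1
    return parse(0)[0]

def dna_schema_conflicts(dna_type, dna_filter, entries):
    """DNs that dna_filter selects although their object classes forbid dna_type."""
    bad = []
    for dn, entry in entries.items():
        allowed = set()
        for oc in entry["objectclass"]:
            allowed |= ALLOWED.get(oc.lower(), set())
        if matches(dna_filter, entry) and dna_type.lower() not in allowed:
            bad.append(dn)
    return bad

ENTRIES = {  # constructed sample entries; keys are lower-cased attribute names
    "cn=admin,ou=systemgroups,dc=domain,dc=net":
        {"objectclass": ["top", "posixGroup"], "cn": ["admin"]},
    "uid=jdoe,ou=people,dc=domain,dc=net":
        {"objectclass": ["top", "account", "posixAccount"], "uid": ["jdoe"]},
}
BROAD = "(|(objectClass=posixAccount)(objectClass=posixGroup))"  # constructed
NARROW = "(objectClass=posixAccount)"  # the value recommended in the reply

if __name__ == "__main__":
    print(dna_schema_conflicts("uidNumber", BROAD, ENTRIES))
    print(dna_schema_conflicts("uidNumber", NARROW, ENTRIES))
```

With the broad filter the group entry is reported, which corresponds to the `attribute "uidNumber" not allowed` error in the log; with the narrow filter nothing is reported.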



