[Fedora-directory-users] Command line created posix user shows posix disabled in console
John A. Sullivan III
jsullivan at opensourcedevel.com
Wed Nov 26 17:25:09 UTC 2008
On Wed, 2008-11-26 at 08:27 -0700, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > I've created a bash script to add ds entries for new clients as we bring
> > them on board. It automatically creates their user accounts which
> > include the posixaccount object class (as well as account (to allow the
> > host attribute) and posixgroup (to allow gidnumber for personal
> > groups)).
> >
> > They appear to be created fine. Users can login, change passwords, etc.
> > However, when I view the user in the idm-console, the posix attributes
> > are present but the enable checkbox is unchecked and the attributes are
> > greyed out and uneditable.
> >
> > If I click the enable check box, the fields are enabled but when I
> > attempt to save the change I get an error:
> > Cannot save to directory server:
> > netscape.ldap.LDAPException: error result(1): Operations error
> >
> run the console like this
> fedora-idm-console -D 9 -f console.log
> the log should contain much more detailed information
> you should also look at the directory server access log to see exactly
> what operation it is performing
> > I would not doubt this is because it's trying to add a posixaccount
> > value to objectclass when one already exists. In any event, if I enable
> > posix and change an attribute, I get the same error. However, if I go
> > to the advanced page instead, and change a posix attribute there, the
> > change saves perfectly fine.
> >
> > Any idea what is happening and what I've done wrong? In case more
> > information is needed, here are some of the gory details.
> >
> > There are attribute uniqueness constraints. uidnumber and gidnumber are
> > globally unique. uid and cn are unique within an ou within an o -
> > fairly granular. I did try disabling the global constraints but to no
> > avail.
> >
> > By the way, those users with NT attributes show up fine with the NT User
> > enabled check box checked.
> >
> > Here is a typical LDIF entry:
> >
> > dn: uid=userx,ou=Users,ou=Internal,o=a0000-0002,dc=ssiservices,dc=biz
> > changetype: add
> > objectclass: top
> > objectclass: person
> > objectclass: organizationalPerson
> > objectclass: inetOrgPerson
> > objectclass: posixaccount
> > objectclass: account
> > objectclass: posixgroup
> > uid: userx
> > cn: userx
> > userpassword: ea4cb9eedc
> > uidnumber: 2001
> > gidnumber: 2001
> > homedirectory: /data/users/userx
> > loginshell: /bin/sh
> > givenname: John A.
> > sn: Sullivan III
> > mail: userx at somecompany.biz
> > telephonenumber: +1 (207) 999-9999
> >
> > I can't imagine it is significant but, just in case, here is the LDIF creation from the script:
> > The input syntax is:
> > uid|givenname|sn|emailuser(no domain)|phone|location|W|"|" delimited attribute=value pairs
> >
> > UIDNUMBERS[$counter]=${CIDU}
> > PWS=$(echo ${CIDU}${FIRST} | md5sum)
> > PWS=${PWS:0:10}
> > echo -e "${FIRST} ${PWS}\n\n" >> ${CID}.temp
> > TEMPS="dn: uid=${FIRST},${USUFFIX}\n${ADDPERSON}uid: ${FIRST}\ncn: ${FIRST}\nuserpassword: ${PWS}\nuidnumber: ${CIDU}\ngidnumber: ${CIDU}\nhomedirectory: /data/users/${FIRST}\nloginshell: /bin/sh\n"
> > c=0
> > for var in ${REST}
> > do
> > if [ -n "${var}" ]; then
> > case ${c} in
> > 0)
> > TEMPS="${TEMPS}givenname: ${var}\n";;
> > 1)
> > TEMPS="${TEMPS}sn: ${var}\n";;
> > 2)
> > TEMPS="${TEMPS}mail: ${var}${EDOMAIN}\n";;
> > 3)
> > TEMPS="${TEMPS}telephonenumber: ${var}\n";;
> > 4)
> > TEMPS="${TEMPS}physicaldeliveryofficename: ${var}\n";;
> > 5)
> > TEMPS="${TEMPS}${ADDWIN}ntuserdomainid: ${FIRST}\nntusercreatenewaccount: true\nntuserdeleteaccount: true\n";;
> > *)
> > var=${var/=/: }
> > TEMPS="${TEMPS}${var}\n";;
> > esac
> > fi
> > ((c = c + 1))
> > done
> > TEMPS="${TEMPS}\n"
> > echo -e ${TEMPS} >> ${LDIF}
> > ((counter = counter + 1))
> > ((CIDU = CIDU + 1))
> >
> > Here are some of the variable definitions:
> > BASE="dc=ssiservices,dc=biz"
> > NEWO="o=${CID},${BASE}"
> > SYSACCOUNTS="ou=SysAccounts,${NEWO}"
> > USUFFIX="ou=Users,ou=Internal,${NEWO}"
> > ADDS="changetype: add\n"
> > TOPS="${ADDS}objectclass: top\n"
> > ADDO="${TOPS}objectclass: organization\n"
> > ADDOU="${TOPS}objectclass: organizationalUnit\n"
> > ADDSYSPERSON="${TOPS}objectclass: person\nobjectclass: organizationalPerson\nobjectclass: inetOrgPerson\n"
> > ADDPERSON="${ADDSYSPERSON}objectclass: posixaccount\nobjectclass: account\nobjectclass: posixgroup\n"
> > ADDGROUP="${TOPS}objectclass: groupofuniquenames\nobjectclass: posixgroup\n"
> > ADDWIN="objectclass: ntuser\n"
> >
> > What is going on? Thanks - John
> >
<snip>
Thanks.
This is what the console gives me when I click on the posix tab on the
left side of the edit dialog:
ResourceEditor.valueChanged:
o=com.netscape.management.client.ug.ResEditorPosixUser[,2,2,506x335,invalid,hidden,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]
ResourceEditor.valueChanged:
o=com.netscape.management.client.ug.ResEditorPosixUser[,2,2,506x335,layout=java.awt.BorderLayout,alignmentX=0.0,alignmentY=0.0,border=,flags=9,maximumSize=,minimumSize=,preferredSize=]
As suspected, I think the error is because it is trying to add
posixAccount to the objectClass attribute when it already exists. I am
assuming that is the action associated with checking the posix check
box. Here is the log section:
ResourcePageObservable.save: mod.rep=LDAPAttribute {type='objectclass',
values='top,person,organizationalPerson,inetOrgPerson,posixaccount,account,posixgroup,posixAccount'}
ResourcePageObservable.save: RDN=uid=jasiii
ResourcePageObservable.save: newRDN=uid=jasiii
ResourcePageObservable.java:MODIFY LDAP
ENTRY:netscape.ldap.LDAPException: error result (1); Operations error
I suppose the question is why the check box is unchecked to begin with.
I wonder if the application is case sensitive (posixAccount versus
posixaccount). I thought the attribute values were case insensitive.
Let me give that a try. That was it! Users created from the command
line with posixaccount show as posix disabled while those created with
posixAccount show as enabled. Is this a GUI bug or are they supposed to
be case sensitive? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
More information about the Fedora-directory-users
mailing list