[Freeipa-users] unable to add user in freeIPA 4.2.3 using the web UI

Rob Crittenden rcritten at redhat.com
Fri Jan 8 18:02:20 UTC 2016


Alexander Bokovoy wrote:
> On Fri, 08 Jan 2016, Karl Forner wrote:
>> Ok.
>>
>> I read a work-around on https://blog-rcritten.rhcloud.com/?p=50
>>
>> It says that if one has figured out a safe new range for the replica, the
>> range could be set using:
>>
>> ldapmodify -x -D 'cn=Directory Manager' -W
>> Enter LDAP Password:
>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> changetype: modify
>> replace: dnaNextValue
>> dnaNextValue: 1689700000
>> -
>> replace: dnaMaxValue
>> dnaMaxValue: 1689799999
>> ^D
>>
>> modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
>>
>>
>> I suppose this can be dangerous, but would you consider it as a
>> work-around, or should it be avoided by all means?
> 
> Rob is one of the FreeIPA project's original developers and he wrote this
> code, so he knows it well. To derive dnaMaxValue/dnaNextValue you need to
> consult older server's data, if it is still available (in
> /etc/dirsrv/slapd-INSTANCE/dse.ldif).
> 
> At worst you'd need to back out the change if things would work.

I purposely used rather weak wording in my blog to ensure that one
thinks carefully about making this kind of change. If your original
master can be brought back up that is definitely the best way to resolve it.

If it was nuked from orbit then yeah, you'll need to manually set it.

Note that you can use ipa-replica-manage to do this as well and it has a
much less scary syntax:

$ ipa-replica-manage dnarange-set yourhost.example.com 1689700000-1689799999

I guess the range 1689600000-1689699999 is the rest of the original
range, presumably assigned to the original master?

rob
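
An added example, not part of the original thread or of FreeIPA's own code: a pre-check that reads the leftover dnaNextValue/dnaMaxValue from an old server's dse.ldif and confirms a proposed range does not overlap it, since overlapping ranges would let two servers hand out the same UID/GID. The sample entry and all function names are constructed for illustration, and the old master's range is assumed to be the one guessed at in the message above.

```python
import re

# Constructed sample of the DNA plugin entry from an old server's dse.ldif.
# The DN is folded the LDIF way (continuation line starts with one space).
# The range values are an assumption taken from the guess in the thread.
SAMPLE_DSE = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=c
 onfig
cn: Posix IDs
dnaNextValue: 1689600000
dnaMaxValue: 1689699999

dn: cn=other,cn=config
cn: other
"""

def unfold(ldif):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def dna_range(ldif, cn="Posix IDs"):
    """Return (dnaNextValue, dnaMaxValue) from the named DNA plugin entry."""
    prefix = f"cn={cn.lower()},cn=distributed numeric assignment plugin"
    for entry in re.split(r"\n\s*\n", unfold(ldif)):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs.setdefault(key.lower(), value.strip())
        if attrs.get("dn", "").lower().startswith(prefix):
            return int(attrs["dnanextvalue"]), int(attrs["dnamaxvalue"])
    raise LookupError("DNA plugin entry not found")

def parse_range(text):
    """Parse 'START-END' as passed to ipa-replica-manage dnarange-set."""
    start, end = (int(p) for p in text.split("-"))
    if start > end:
        raise ValueError("range start exceeds end")
    return start, end

def overlaps(a, b):
    """True if the inclusive ranges a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def safe_to_assign(proposed, held_ranges):
    """A proposed range is safe only if it overlaps no range still held."""
    return not any(overlaps(proposed, held) for held in held_ranges)
```

Run it against the range recovered from every server that ever held one before setting the new values.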