Kashif Ali
2008-Aug-11 09:36 UTC
[Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
Hello All,

After spending a long weekend configuring Fedora-DS to have central authentication + central home dirs, I now have two issues which I would like to know if anyone can help me with.

1) Currently when adding a new user, I have to manually go to advanced options and add a value called posixgroup to the object class. This is so that groupID has a name and you don't see the error GroupID name not found when logging onto a box. Is there any way to update the default user template so that, when you enable posixaccount, the posixgroup objectclass is automatically added, thus removing the manual process?

2) Is there any way to get the directory server to generate UNIQUE UID/GID based on the last uid created? Ideally I would like the range to start from 5000 and finish at 8000. The automatic procedure would just use the next available uid/gid in the list, again removing the need for the user to check and make sure the id is unique.

Any help with either of these issues would be much appreciated.

Regards

Kashif
solarflow99
2008-Aug-11 11:00 UTC
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
On 8/11/08, Kashif Ali <snake007uk@gmail.com> wrote:
> 1) Currently when adding a new user, I have to manually go to advanced
> options and add a value called posixgroup to the object class. This is so
> that groupID has a name and you don't see the error GroupID name not found
> when logging onto a box. Is there any way to update the default user
> template so that, when you enable posixaccount, the posixgroup objectclass
> is automatically added, thus removing the manual process?

This is in the FDS console you are talking about, right? This would be nice to have, but I guess unless you can change the Java code, it's still less flexible in this way. Often people will use a different front end such as ldapadmin, while the FDS console is preferred for controlling replication, etc.

> 2) Is there any way to get the directory server to generate UNIQUE UID/GID
> based on the last uid created? Ideally I would like the range to start from
> 5000 and finish at 8000. The automatic procedure would just use the next
> available uid/gid in the list, again removing the need for the user to check
> and make sure the id is unique.

It looks like most front ends favour choosing a random one, then require you to set it manually to what you want. This is to avoid possible conflicts without having to build in a way to check for this. I agree it should be an available option though.

http://sourceforge.net/forum/forum.php?thread_id=1965645&forum_id=305548&abmode=1
Kashif Ali
2008-Aug-11 11:35 UTC
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
Yes I was talking about FDS :)

Well at least I can hope that more people want these features so they get added in :).

I have created a wiki article on the installation if anyone is interested.

http://wiki.unixcraft.com/display/MainPage/Fedora+Directory+Server
Ryan Braun [ADS]
2008-Aug-11 19:38 UTC
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
I use perl for most of my user management, and I grabbed this idea from one of the samba-ldap helper scripts, could be from idealx, not too sure really.

But basically, you just create an object that holds 2 values: the current available UID and GID. Then your perl script queries ldap for that object, uses the available UID, then increments it and writes it back to ldap.

Something like

    # grab it from ldap
    $mesg = $ldap->search(
        filter => "(objectClass=UnixIdPool)",
        base   => "ou=Special Users,$config{BASE_DN}",
        attrs  => ['uidNumber'],
    );
    $config{NextID} = $mesg->entry(0)->get_value('uidNumber');

    # update nextfreeid attribute
    $mesg = $ldap->modify(
        "cn=idPool,ou=Special Users,$config{BASE_DN}",
        replace => { "uidNumber" => $config{NextID} + 1 },
    );

Here is the schema I use for the object.

    objectClasses: ( UnixIdPool-oid NAME 'UnixIdPool' SUP top STRUCTURAL
      MUST ( cn $ gidNumber $ uidNumber ) X-ORIGIN 'user defined' )

Ryan
Michael Ströder
2008-Aug-12 22:24 UTC
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
Ryan Braun [ADS] wrote:
> On Monday 11 August 2008 11:35, Kashif Ali wrote:
>
> But basically, you just create an object that holds 2 values. The current
> available UID and GID. Then your perl script queries ldap for that object,
> uses the available UID, then increments it and writes it back to ldap.
> [..]
> $mesg = $ldap->modify("cn=idPool,ou=Special Users,$config{BASE_DN}", replace
> => { "uidNumber" => $config{NextID}+1 } );

FWIW the original idea was different: For this to work reliably with multiple instances generating IDs from the same ID pool entry you have to explicitly delete the old value and add the new one. If the ID was already incremented by another process the old value was already replaced and the modify request fails.

Ciao, Michael.
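
Added example, not part of the thread or any poster's code: a small Python model of the idPool entry that compares the replace modify quoted above with the delete-old/add-new modify described in the reply, using the 5000-8000 range from the original question. PoolEntry, allocate and the before_write hook are constructed for illustration; a real client would send the delete and the add as one LDAP modify request.

```python
class NoSuchAttribute(Exception):
    """Stands in for LDAP noSuchAttribute (deleting a value that is not there)."""

class PoolEntry:
    """In-memory model of the cn=idPool entry; not a real LDAP client."""
    def __init__(self, next_uid):
        self.uid_number = next_uid
    def read(self):
        return self.uid_number
    def modify_replace(self, new):
        self.uid_number = new        # overwrites; a stale writer still succeeds
    def modify_delete_add(self, old, new):
        # One modify request: delete the exact old value, add the new one.
        if self.uid_number != old:
            raise NoSuchAttribute(old)
        self.uid_number = new

UID_MIN, UID_MAX = 5000, 8000        # range asked for in the thread

def allocate(pool, retries=5, before_write=None):
    """Claim the next UID with delete+add, re-reading if another writer won."""
    for _ in range(retries):
        uid = pool.read()
        if not UID_MIN <= uid <= UID_MAX:
            raise RuntimeError("ID pool outside %d-%d: %d" % (UID_MIN, UID_MAX, uid))
        if before_write:             # constructed hook: lets a second client run here
            before_write()
            before_write = None
        try:
            pool.modify_delete_add(uid, uid + 1)
            return uid
        except NoSuchAttribute:
            continue                 # lost the race; read the new value and retry
    raise RuntimeError("no UID claimed after %d attempts" % retries)

def racy_pair(pool):
    """Two clients read, then both write with replace: the same UID twice."""
    a, b = pool.read(), pool.read()
    pool.modify_replace(a + 1)
    pool.modify_replace(b + 1)
    return a, b

def safe_pair(pool):
    """Client B allocates between client A's read and write, so A retries."""
    got = []
    a = allocate(pool, before_write=lambda: got.append(allocate(pool)))
    return a, got[0]
if __name__ == "__main__":
    print(racy_pair(PoolEntry(5000)), safe_pair(PoolEntry(5000)))
```

With replace, both clients walk away with 5000; with delete+add the slower client's write is rejected and it picks up 5001 on the retry.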
Kashif Ali
2008-Aug-13 07:42 UTC
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
How would you search for the next value? I.e. search all UID/GID and show you the results, I could then sort them and work out which number should be next?
Michael Ströder
2008-Aug-13 08:33 UTC
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
Kashif Ali wrote:
> How would you search for the next value? I.e. search all UID/GID and show
> you the results, I could then sort them and work out which number should
> be next?

The idea with using a pool was to increment the ID as pointed out in the example code posted by Ryan. Additionally you should have a unique constraint configured for these attributes.

Ciao, Michael.
Nathan Kinder
2008-Aug-13 16:17 UTC
Re: [Fedora-directory-users] ObjectClass PosixGroup + UID/GID auto-generation
Kashif Ali wrote:
> 1) Currently when adding a new user, I have to manually go to advanced
> options and add a value called posixgroup to the object class. This is
> so that groupID has a name and you don't see the error GroupID name
> not found when logging onto a box. Is there any way to update the
> default user template so that, when you enable posixaccount, the
> posixgroup objectclass is automatically added, thus removing the
> manual process?
>
> 2) Is there any way to get the directory server to generate UNIQUE UID/GID
> based on the last uid created? Ideally I would like the range to start
> from 5000 and finish at 8000. The automatic procedure would just use
> the next available uid/gid in the list, again removing the need for
> the user to check and make sure the id is unique.

There is a first version of a "Distributed Numeric Assignment" plug-in in the current Fedora Directory Server code that deals with this problem. It is designed to manage a range of unique numeric values across multiple master FDS instances. You can read more about the current implementation at http://directory.fedoraproject.org/wiki/DNA_Plugin_Implementation

I am currently doing some re-design and improvement to this plug-in to address some shortcomings of the current implementation. These areas are pointed out at the bottom of the above page.

-NGK