LDAP user/group auto generation is busted.

Here’s the situation - customer wants to create a new virtual server. They fill in all the fields, site goes to generate LDAP uid, works. Generates LDAP gid, works, however it generates a different gid than the matching uid (despite having a box checked in the Users and Groups module stating otherwise, and telling LDAP Users and Groups to use those settings). The Virtual Server Creation fails with this error:

Failed to create virtual server : Failed to modify group in LDAP database : memberUid: value #0 invalid per syntax

The uid that was created was 1507, but the gid it tries to use is 1001. I’ve set in Users and Groups to use calculated Berkeley cksum for both, but those settings are being ignored. So far as I can tell, it should at very least use 1507 for both.

Help? Customer is VERY mad at the moment. :frowning:

Is it possible this bug is coming back to bite me?


I do not have deniedssh in either /etc/group or in LDAP.

I think I have it figured out. The username being used is VERY long. memberUid must have a character limit. That said, there needs to be a character counter and if it’s too long, stop the name from being used. :frowning:

I’m wrong. That’s not it either.

Creating administration group mileseq …
… done

Creating administration user mileseq …
… done

Failed to create virtual server : Failed to modify group in LDAP database : memberUid: value #0 invalid per syntax

Hi Tony,

Yeah, the current situation where user/group creation can partially fail and leave you with useless users is no good… I will fix this in the next Virtualmin release, by detecting failures and rolling them back.

Regarding the underlying problem, did you manage to figure out the cause? Was it that a user with too-long a username is being added as a secondary member to the ‘deniedssh’ group?

I’m not 100% certain what happened. It looks to me like it was creating the user, but then going back and creating the element “memberUid” with a completely bogus value. It seems to be resolved now.

So far as deniedssh, the group doesn’t exist on the filesystem or in LDAP. Is that group even used for anything anymore?

The ‘deniedssh’ group is used by Virtualmin to prevent SSH logins by domain owners who don’t have an SSH-capable shell. If it doesn’t exist on your system (in LDAP or /etc/group), this feature will be effectively turned off though.

Okay…that was bizarre. :\

It was subbing in my username for the memberUid element. ???

I logged into the LDAP server directly with JXplorer, cleaned out the element, and re-tried creation with a shorter username, and it worked.

Jamie, we gotta do something about failed account creations. What happens is if an error occurs, the customer goes back and tries again, and now they’re creating multiple new administrator accounts. :frowning:

We need it to track how far along in the setup process we are, and if something goes wrong, go back and undo any changes that were made. This is getting ugly.