Package: krb5-kdc-ldap
Version: 1.10+dfsg~beta1-2
Severity: normal
File: /usr/share/doc/krb5-kdc-ldap/kerberos.ldif.gz
Dear Maintainer,

I am setting up multimaster replication between ldap servers and thus I import schema definitions by using ldapadd and .ldif files instead of (the deprecated method of) including .schema files in a static config file.

I looked at the kerberos.ldif.gz file and compared it to one generated by slaptest. Without even trying to import it I discovered a difference in the object class definition of krbRealmContainer. It contains

    ... $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef

instead of

    ... $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef

My ASN.1 fu is weak but this looks very much like a syntax error. It is valid ldif format but probably not a valid schema format. (My apologies if it turns out that I am more picky than an ASN.1 parser, but I couldn't find an (intelligible) source online to verify this syntax against a spec. And I currently can't hit my live server system with that file.)

I wonder if there is a syntax checker for schema definitions in ldif format. (Apart from feeding it to slapd and seeing if it chokes.)

Even if OpenLDAP accepts the ldif file via ldapadd, please make sure that the krbRealmContainer object indeed accepts a krbPwdPolicyReference attribute. (I don't know if Debian currently supports LDAP servers other than OpenLDAP that accept schema information in ldif format. If so, their behaviour might be worth testing, too.)

This is not the first time that I stumbled across an invalid .ldif file alongside a valid .schema file. See Bug#659963. Or missing ldif files altogether.
See Bug#632179.

In case somebody else finds this bug report due to related problems with other packages, I'd like to throw in a link to an example of the "official" way to convert old style .schema configurations into the new and shiny .ldif based approach:

http://www.linuxquestions.org/questions/linux-server-73/how-to-add-a-new-schema-to-openldap-2-4-11-a-700452/

The result certainly is correct but always needs some manual labour, and unfortunately the output format borders on unreadable (from the wrong side ;-) ).

Looking around for help I've found a perl script that seems promising here:

http://drfugazi.eu.org/en/ldap/schema-conversion-ldap-ldif

I didn't test it yet and apparently it needs some work, but it may be a good start for a tool that could help Debian package maintainers (and LDAP admins) to convert their schema files into a readable ldif format.

cheers
-henrik

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-xen-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages krb5-kdc-ldap depends on:
ii  krb5-kdc           1.10+dfsg~beta1-2
ii  libc6              2.13-26
ii  libcomerr2         1.42-1
ii  libgssapi-krb5-2   1.10+dfsg~beta1-2
ii  libgssrpc4         1.10+dfsg~beta1-2
ii  libk5crypto3       1.10+dfsg~beta1-2
ii  libkadm5srv-mit8   1.10+dfsg~beta1-2
ii  libkdb5-6          1.10+dfsg~beta1-2
ii  libkeyutils1       1.5.2-2
ii  libkrb5-3          1.10+dfsg~beta1-2
ii  libkrb5support0    1.10+dfsg~beta1-2
ii  libldap-2.4-2      2.4.28-1.1

krb5-kdc-ldap recommends no packages.

krb5-kdc-ldap suggests no packages.

-- no debconf information
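The reporter asks for a syntax checker for schema definitions in ldif format. Added here as an example (not from the bug report, the krb5 package or OpenLDAP), the script below unfolds an LDIF file, picks out the MUST/MAY attribute lists of each olcObjectClasses value and reports every "$" separator that is not surrounded by whitespace, which is exactly the difference between the shipped krbRealmContainer definition and the slaptest output quoted above. The sample LDIF is constructed to reproduce that difference; it is not the contents of kerberos.ldif.gz.

```python
import re

# Constructed sample modelled on the bug report: the krbRealmContainer MAY list
# carries "$krbPwdPolicyReference" without a space after the "$".
SAMPLE_LDIF = """dn: cn=kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: kerberos
olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer'
  SUP top STRUCTURAL MUST ( cn ) MAY ( krbMKey $ krbPrincNamingAttr $krbPwdPolicyReference $ krbPrincContainerRef ) )
olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService'
  SUP top STRUCTURAL MUST ( cn ) MAY ( krbHostServer $ krbRealmReferences ) )
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


# MUST/MAY followed by either a parenthesised list or a single bare attribute name.
_LIST_RE = re.compile(r"\b(MUST|MAY)\s+(\([^()]*\)|[\w.;-]+)")
_NAME_RE = re.compile(r"NAME\s+'([^']*)'")


def find_unspaced_dollars(text):
    """Return (objectclass name, keyword, offending token) for every '$' that is
    glued to an attribute name instead of standing alone between spaces."""
    findings = []
    for line in unfold_ldif(text):
        if not line.startswith("olcObjectClasses:"):
            continue
        m = _NAME_RE.search(line)
        name = m.group(1) if m else "?"
        for keyword, body in _LIST_RE.findall(line):
            # A correctly spaced list splits into attribute names and bare "$" tokens only.
            for token in body.strip("()").split():
                if "$" in token and token != "$":
                    findings.append((name, keyword, token))
    return findings


if __name__ == "__main__":
    for name, keyword, token in find_unspaced_dollars(SAMPLE_LDIF):
        print(f"{name}: {keyword} list contains unspaced separator in {token!r}")
```

Run it against a real schema file with `find_unspaced_dollars(open(path).read())`; an empty result means every "$" in every MUST/MAY list is whitespace-separated, the form slaptest produces.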

