On 09/04/2012 04:40 PM, Rich Megginson wrote:
> On 09/03/2012 08:42 AM, Martin Kosek wrote:
>> On 08/27/2012 06:29 PM, Rich Megginson wrote:
...
>> This is the plan I plan to take:
>> 1) Add pres,eq indexes for all un-indexed attributes that we want to check:
>> sourcehost
>> memberservice
>> managedby
>> memberallowcmd
>> memberdenycmd
>> ipasudorunas
>> ipasudorunasgroup
> ok
...

Implementation of the Referential Integrity in IPA works OK so far, I just hit
a strange issue when indexing memberallowcmd and memberdenycmd attributes in 
IPA:

dirsrv errors log:
...
[11/Sep/2012:11:39:53 -0400] - The attribute [memberdenycmd] does not have a
valid     ORDERING matching rule - error 2:s
[11/Sep/2012:11:39:58 -0400] - userRoot: Indexing attribute: memberdenycmd
[11/Sep/2012:11:39:58 -0400] - userRoot: Finished indexing.
...

This cause RI to fail to handle this attribute in IPA (which is expected based
on the error message).

I checked the attributes types, they look like that:

attributetypes: ( 2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Refere
 nce to a command or group of commands that are allowed by the rule.' SUP dist
 inguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch
  SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN
 'IPA v2' )

attributetypes: ( 2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Referen
 ce to a command or group of commands that are denied by the rule.' SUP distin
 guishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch S
 UBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'I
 PA v2' )

"distinguishedNameMatch" ORDERING rule looks wrong, it is only a matching rule.
Anyone knows why it was defined that way? Or what should be a correct setting
for this attribute instead? caseIgnoreOrderingMatch seems as a logical choice...

I will have to fix the attributeTypes definition in IPA before we can enable
index & RI for them.

Thanks,
Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to