Christian Kratzer wrote:
> Hi Howard,

Never mind, this was actually a bug in the handling of proxied attributes.
Fixed now in master, your test case should work fine there.

>
> On Mon, 27 May 2013, [email protected] wrote:
>> [email protected] wrote:
>>> Hi,
>>>
>>> Summary: it seems having a modifiersdn outside of cn=config in cn=config
>>> breaks replication once slapd is restarted.
>>
>> Yeah, using DNs other than the cn=config rootDN is frequently a problem. This
>> is why when cn=config was introduced in 2.3 only the cn=config rootDN was
>> allowed access to the tree.
>>
>> In this particular case, there's a simpler solution - add schema definitions
>> for the missing RDN attributes directly to the cn=config entry. In your case,
>> move the "ou" definition from the cn=core schema entry.
>>
>> There's nothing dirty about this solution - it has always been valid to
>> define schema elements in the top-level slapd.conf file as well as in the top
>> cn=config global config entry. The feature doesn't get used much because most
>> 3rd party schemas are distributed as their own files, so it's simpler to just
>> use the include directive to reference them. But for your current situation,
>> you need to define these schema elements as early as possible, so that they
>> can be processed as valid later on.
>
> Thanks for the feedback.
>
> As my sample had modifiersName: cn=Alice,ou=People,dc=test I added
> definitions for 'ou' and 'dc' to cn=config.
>
> It seems this helps for modifiersNames of entries below cn=config but not for
> cn=config itself.
> > I have uploaded following three configs that illustrate the remaining problem: > > > http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-1-fail.ldif > > http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-2-ok.ldif > > http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-3-fail.ldif > > The original failure with config-1 because of a modifiersName on > cn=module{0},cn=config: > > [root@test-centos64 test]# slapadd -v -n0 -F config-1 -l > config-1-fail.ldif > added: "cn=config" (00000001) > 51a32d4b str2entry: invalid value for attributeType modifiersName #0 > (syntax 1.3.6.1.4.1.1466.115.121.1.12) > slapadd: could not parse entry (line=42) > _# 7.41% eta none elapsed none spd > 1.5 M/s > Closing DB... > [root@test-centos64 test]# > > Workaround applied in config-2 with attribute definitions in cn=config > > [root@test-centos64 test]# diff -u config-1-fail.ldif config-2-ok.ldif > --- config-1-fail.ldif 2013-05-27 11:50:35.368253951 +0200 > +++ config-2-ok.ldif 2013-05-27 11:49:17.691253291 +0200 > @@ -28,6 +28,12 @@ > olcTLSVerifyClient: never > olcToolThreads: 1 > olcWriteTimeout: 0 > +olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) > DESC ' > + RFC2256: organizational unit this object belongs to' SUP name ) > +olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' > 'domainCompone > + nt' ) DESC 'RFC1274/2247: domain component' EQUALITY > caseIgnoreIA5Match SUBST > + R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VA > + LUE ) > structuralObjectClass: olcGlobal > entryUUID: 3b1e9034-58d9-1032-8161-d3a3b8e342e7 > creatorsName: cn=config 
> @@ -86,8 +92,6 @@ > ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) > olcAttributeTypes: {7}( 2.5.4.10 NAME ( 'o' 'organizationName' ) DESC > 'RFC2256 > : organization this object belongs to' SUP name ) > -olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' > ) DESC ' > - RFC2256: organizational unit this object belongs to' SUP name ) > olcAttributeTypes: {9}( 2.5.4.12 NAME 'title' DESC 'RFC2256: title > associated > with the entity' SUP name ) > olcAttributeTypes: {10}( 2.5.4.14 NAME 'searchGuide' DESC 'RFC2256: > search gui 
> @@ -193,10 +197,6 @@ > olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' > 'rfc822Mailbo > x' ) DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match > SUBSTR ca > seIgnoreIA5SubstringsMatch SYNTAX > 1.3.6.1.4.1.1466.115.121.1.26{256} ) > -olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' > 'domainCompone > - nt' ) DESC 'RFC1274/2247: domain component' EQUALITY > caseIgnoreIA5Match SUBST > - R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 > SINGLE-VA > - LUE ) > olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME > 'associatedDomain' DE > SC 'RFC1274: domain associated with object' EQUALITY > caseIgnoreIA5Match SUBST > R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) > [root@test-centos64 test]# > > [root@test-centos64 test]# slapadd -v -n0 -F config-2 -l > config-2-ok.ldif > added: "cn=config" (00000001) > added: "cn=module{0},cn=config" (00000001) > added: "cn=schema,cn=config" (00000001) > added: "cn={0}core,cn=schema,cn=config" (00000001) > added: "olcDatabase={-1}frontend,cn=config" (00000001) > added: "olcDatabase={0}config,cn=config" (00000001) > added: "olcDatabase={1}mdb,cn=config" (00000001) > _#################### 100.00% eta none elapsed none fast! > Closing DB... > [root@test-centos64 test]# > > Breaks again after a modifiersname is added to cn=config > > [root@test-centos64 test]# diff -u config-2-ok.ldif config-3-fail.ldif > --- config-2-ok.ldif 2013-05-27 11:49:17.691253291 +0200 > +++ config-3-fail.ldif 2013-05-27 11:52:57.346255334 +0200 
> @@ -42,7 +42,7 @@ > olcLogLevel: Stats > olcLogLevel: Stats2 > entryCSN: 20130524161850.764209Z#000000#000#000000 > -modifiersName: cn=config > +modifiersName: cn=Alice,ou=People,dc=test > modifyTimestamp: 20130524161850Z > > dn: cn=module{0},cn=config > [root@test-centos64 test]# > > [root@test-centos64 test]# slapadd -v -n0 -F config-3 -l > config-3-fail.ldif > 51a32daf str2entry: invalid value for attributeType modifiersName #0 > (syntax 1.3.6.1.4.1.1466.115.121.1.12) > slapadd: could not parse entry (line=1) > _# 7.35% eta none elapsed none spd > 3.0 M/s > Closing DB... > [root@test-centos64 test]# > > Sorry if I do not see the obvious. Is there any possibility to get this to > work for cn=config as well as entries below cn=config. > > How much freedom would we have to rearrange the entries under cn=config so we > could have the schema definitions read before olcGlobal ? > > Greetings > Christian >
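Review bot: in the @@ -28,6 +28,12 @@ hunk of the config-1 to config-2 diff, the 'ou' definition moved into cn=config still reads "SUP name", so it depends on 'name' being resolvable when the global entry is parsed, before cn={0}core is read. The config-2 slapadd run shows that it loads on this build; a line in the test case saying why that dependency is safe would help anyone who moves a different attribute type the same way.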
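Review bot: in the @@ -86,8 +92,6 @@ and @@ -193,10 +197,6 @@ hunks, removing {8} and {49} leaves the ordering prefixes in cn={0}core jumping from {7} to {9} and from {48} to {50}, while the copies added to cn=config carry no prefix at all. slapadd accepts the file as shown, but renumbering the remaining values, or stating that the gaps are intentional, would keep the test case from being mistaken for a damaged export.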
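Review bot: the @@ -42,7 +42,7 @@ hunk of the config-2 to config-3 diff changes modifiersName on the cn=config entry itself, and the failure is reported at line=1, which is that same entry, the one that also carries the 'ou' and 'dc' definitions added in config-2. Saying so next to the diff would make the difference from the config-2 case explicit: here the definitions and the DN that needs them sit in one entry.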
--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
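The ordering rule discussed in the thread (an RDN attribute type has to be defined before a DN that uses it is parsed) can be checked on a config LDIF before it is handed to `slapadd -n0`. This is an added example, not code from the thread or from OpenLDAP: the LDIF is constructed, the function names are hypothetical, and it assumes only `cn` is usable before any schema entry is read.

```python
import re

BUILTIN = {"cn"}  # assumption: usable before any schema entry is read
DN_ATTRS = {"modifiersname", "creatorsname"}
# Constructed sample modelled on the thread's config LDIFs (definitions shortened).
SAMPLE = """\
dn: cn=config
olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
 RFC2256: organizational unit this object belongs to' SUP name )
modifiersName: cn=Alice,ou=People,dc=test

dn: cn=module{0},cn=config
modifiersName: cn=Alice,ou=People,dc=test

dn: cn={0}core,cn=schema,cn=config
olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME 'dc' DESC 'shortened' )
creatorsName: cn=config
"""

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; unfolds lines, no base64 support."""
    text = re.sub(r"\n ", "", text)  # LDIF folding: newline followed by one space
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [line.split(":", 1) for line in block.splitlines() if ":" in line]
        pairs = [(a.strip().lower(), v.strip()) for a, v in pairs]
        if pairs and pairs[0][0] == "dn":
            entries.append((pairs[0][1], pairs[1:]))
    return entries

def defined_names(value):
    """Names declared by one olcAttributeTypes value: NAME 'x' or NAME ( 'x' 'y' )."""
    m = re.search(r"NAME\s+(\(\s*(?:'[^']+'\s*)+\)|'[^']+')", value)
    return {n.lower() for n in re.findall(r"'([^']+)'", m.group(1))} if m else set()

def rdn_types(dn):
    """Attribute types used in a DN (escaped ',' and '+' are not handled)."""
    return {p.split("=", 1)[0].strip().lower() for p in re.split(r"[,+]", dn) if "=" in p}

def check_order(text):
    """Flag modifiersName/creatorsName DNs whose RDN types no earlier entry defines."""
    known, findings = set(BUILTIN), []
    for dn, pairs in parse_ldif(text):
        here = set().union(*[defined_names(v) for a, v in pairs if a == "olcattributetypes"])
        for attr, value in pairs:
            for t in sorted(rdn_types(value) - known) if attr in DN_ATTRS else []:
                findings.append((dn, attr, t, "same-entry" if t in here else "not-yet-defined"))
        known |= here
    return findings
```

`same-entry` marks the config-3 situation from the thread (definition and DN in one entry), which failed on the poster's build and which the reply says is fixed in master.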
