Bug 1413805
| Summary: | bind-dyndb-ldap default schema is shipped with syntax error | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Arpit Tolani <atolani> | ||||
| Component: | bind-dyndb-ldap | Assignee: | Pavel Picka <ppicka> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Pavel Picka <ppicka> | ||||
| Severity: | high | Docs Contact: | Aneta Šteflová Petrová <apetrova> | ||||
| Priority: | high | ||||||
| Version: | 7.3 | CC: | apetrova, ipa-qe, nsoman, openstep, pspacek, pvoborni, tbordaz, tkrizek | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | bind-dyndb-ldap-11.1-1.el7 | Doc Type: | Known Issue | ||||
| Doc Text: |
Directory Server fails due to *bind-dyndb-ldap* schema errors
The version of the *bind-dyndb-ldap* LDAP schema included in Identity Management contains syntax errors and is missing a description of one attribute. If the user uses this version of the schema, the Directory Server component fails to start. Consequently, error messages are logged in the journal, informing the user about the incorrect syntax.
To work around this problem:
1. Obtain a corrected schema file from the upstream `git.fedorahosted.org` repository:
# wget https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/doc/schema.ldif?id=17711141882aca3847a5daba2292bcbcc471ec63 -O /usr/share/doc/bind-dyndb-ldap-10.0/schema.ldif
2. Copy the corrected schema file into the Directory Server's instance configuration folder.
# cp /usr/share/doc/bind-dyndb-ldap-10.0/schema.ldif /etc/dirsrv/slapd-[EXAMPLE-COM]/schema/[SCHEMA_FILE_NAME].ldif
3. Restart Directory Server:
# systemctl restart dirsrv.target
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-08-01 19:27:49 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1393889 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Arpit Tolani
2017-01-17 00:43:43 UTC
There are two errors logged while parsing the schema.ldif file: - For attribute 'idnsServerId', the caseIgnoreMatch matching rule is said to be incompatible with 'Directory String' 1.3.6.1.4.1.1466.115.121.1.15. So far, I have not explanation for this because it looks compatible for me. - The definition of idnsTemplateObject looks broken. It is likely that it is missing a ' ' (space) between 'top' and 'AUXILIARY. Does it exist a ' ' between 'top' and the end of the line ? This has already been fixed upstream: https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/commit/?id=17711141882aca3847a5daba2292bcbcc471ec63 This is going to be fixed as a part of the rebase of bind-dyndb-lap to 11+ (bug 1393889). As a workaround, you can download the correct schema from the upstream git. See DocText for more info. The note has been published: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/known_issues_authentication_and_interoperability.html Upstream ticket: https://pagure.io/bind-dyndb-ldap/issue/171 Created attachment 1280012 [details]
output
verified
with : bind-dyndb-ldap-11.1-3.el7.x86_64 / 389-ds-base-1.3.6.1-9.el7.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2120 Hi, could you please help me find the problem? https://bugs.centos.org/view.php?id=14475 ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ldapns.ldif adding new entry "cn=ldapns,cn=schema,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: olcObjectClasses: ObjectClass not found: "topAUXILIARY" cat ldapns.ldif dn: cn=ldapns,cn=schema,cn=config objectClass: olcSchemaConfig cn: ldapns olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6. 1.4.1.1466.115.121.1.15{256} ) olcAttributeTypes: {1}( 1.3.6.1.4.1.5322.17.2.2 NAME 'loginStatus' DESC 'Curre ntly logged in sessions for a user' EQUALITY caseIgnoreMatch ORDERING caseIgn oreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX OMsDirectoryString ) olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 'Auxiliary object class for adding authorizedService attribute' SUP top AUXILIARY MAY authorizedService ) olcObjectClasses: {1}( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 'Auxilia ry object class for adding host attribute' SUP top AUXILIARY MAY host ) olcObjectClasses: {2}( 1.3.6.1.4.1.5322.17.1.3 NAME 'loginStatusObject' DESC ' Auxiliary object class for login status attribute' SUP top AUXILIARY MAY logi nStatus ) Hi,
It looks it there is a typo in the ldapns.ldif file for the definition of 'authorizedServiceObject'.
It is a missing space between between 'top' and 'AUXILIARY'. you may fix it with
olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
DESC 'Auxiliary object class for adding authorizedService attribute' SUP top
AUXILIARY MAY authorizedService )
|