Hide Forgot
{{{ Description of problem: Desktop LDAP clients have trouble accessing FreeIPA via LDAP. GQ crashes when accessing objects. Can display object hierarchy and schema but fails as soon as it accesses and object (leaf). Luma can access and display objects but reports many errors: ERROR: [base.backend.ObjectClassAttributeInfo/MainThread]: Could not fetch LDAP schema from server. Reason: NAME not unique for ( 2.16.840.1.113730.3.3.2.211.1 NAME 'caseIgnoreOrderingMatch-sk' DESC 'sk' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) Version-Release number of selected component (if applicable): freeipa-admintools-4.3.1-1.fc24.noarch freeipa-common-4.3.1-1.fc24.noarch freeipa-server-common-4.3.1-1.fc24.noarch freeipa-client-common-4.3.1-1.fc24.noarch freeipa-client-4.3.1-1.fc24.x86_64 freeipa-server-4.3.1-1.fc24.x86_64 389-ds-base-libs-1.3.5.10-1.fc24.x86_64 389-ds-base-1.3.5.10-1.fc24.x86_64 How reproducible: Always. Steps to Reproduce: 1. Install freeipa and create instance. 2. Access the LDAP service using a desktop client. Actual results: See above. Expected results: Should work. Additional info: My FreeIPA instance started life some time ago and has been upgraded a number of times so I tried a new VM installation and it has exactly the same issue. That implies that it is not an upgrade issue. Since GQ can see the schema tree I used that. It shows some duplicate entries under {server}/matchingRules: Name OID ... caseIgnoreOrderingMatch-sk 2.16.840.1.113730.3.3.2.42.1 caseIgnoreOrderingMatch-sk 2.16.840.1.113730.3.3.2.211.1 caseIgnoreOrderingMatch-sl 2.16.840.1.113730.3.3.2.43.1 caseIgnoreOrderingMatch-sl 2.16.840.1.113730.3.3.2.212.1 caseIgnoreOrderingMatch-sq 2.16.840.1.113730.3.3.2.44.1 caseIgnoreOrderingMatch-sq 2.16.840.1.113730.3.3.2.213.1 ... It looks like these languages are being added twice. All other entries are unique (I think). Just guessing but the probable cause is: https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/schema/slapd-collations. conf#n58 https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/schema/slapd-collations. conf#n59 https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/schema/slapd-collations. conf#n61 then: https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/schema/slapd-collations. conf#n227 https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/schema/slapd-collations. conf#n228 https://git.fedorahosted.org/cgit/389/ds.git/tree/ldap/schema/slapd-collations. conf#n229 I think the second batch of entries is for sub-languages but they also appear to add the main language too which is defined in the first batch. Commit? https://git.fedorahosted.org/cgit/389/ds.git/commit/ldap/schema/slapd-collation s.conf?id=e0c78d5b87d4d798a936eba9c90f5db5347bcb3c }}}
How to verify: HOST=YOUR_HOST PORT=YOUR_PORT count=`ldapsearch -LLLx -h $HOST -p $PORT -D 'cn=directory manager' -W -b "cn=schema" -o ldif-wrap=no matchingRules | egrep "case" | awk '{print $5}' | sort | wc -l` uniqcount=`ldapsearch -LLLx -h $HOST -p $PORT -D 'cn=directory manager' -W -b "cn=schema" -o ldif-wrap=no matchingRules | egrep "case" | awk '{print $5}' | sort | uniq | wc -l` if [ $count -eq $uniqcount ]; then echo PASSED else echo FAILED fi
Bug Verified 389-ds-base-1.3.5.10-7.el7.x86_64 389-ds-base-libs-1.3.5.10-7.el7.x86_64 ipa-server-4.4.0-5.el7.x86_64 ipa-common-4.4.0-5.el7.noarch ipa-admintools-4.4.0-5.el7.noarch step 1) install ipa step 2) run the script HOST=test.server.rrr.com PORT=389 count=`ldapsearch -LLLx -h $HOST -p $PORT -D 'cn= Directory Manager' -w test1234 -b "cn=schema" -o ldif-wrap=no matchingRules | egrep "case" | awk '{print $5}' | sort | wc -l` uniqcount=`ldapsearch -LLLx -h $HOST -p $PORT -D 'cn= Directory Manager' -w test1234 -b "cn=schema" -o ldif-wrap=no matchingRules | egrep "case" | awk '{print $5}' | sort | uniq | wc -l` if [ $count -eq $uniqcount ]; then echo PASSED else echo FAILED fi Result "PASSED"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2594.html