Bug 570297 - samba needs additional matching rule syntax support
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: 389
Classification: Retired
Component: Schema
Version: 1.2.6
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 434915 389_1.2.6
Reported: 2010-03-03 19:39 UTC by Rich Megginson
Modified: 2015-01-04 23:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-09 16:35:45 UTC
Embargoed:



Description Rich Megginson 2010-03-03 19:39:56 UTC
Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1466.115.121.1.38]

- need to add OID syntax to the dirString compat syntaxes

Comment 1 Rich Megginson 2010-03-03 19:49:51 UTC
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [numericStringMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [x121Address]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the SUBSTR matching rule [numericStringSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [x121Address]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [transportAddressAttribute]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemPossSuperiors]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemMustContain]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemMayContain]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemAuxiliaryClass]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [subClassOf]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [structuralObjectClass]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [rDNAttID]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [possSuperiors]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [possibleInferiors]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [mustContain]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [octetStringMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [msDS-RevealedList]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [msDS-Auxiliary-Classes]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [mayContain]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [numericStringMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [internationalISDNNumber]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the SUBSTR matching rule [numericStringSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [internationalISDNNumber]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [governsID]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [auxiliaryClass]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [attributeSyntax]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [attributeID]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedChildClassesEffective]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedChildClasses]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedAttributesEffective]
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedAttributes]

Comment 2 Endi Sukma Dewata 2010-03-03 20:00:35 UTC
To summarize, these are the incompatible matching rules:
- EQUALITY [numericStringMatch]           Syntax: 1.3.6.1.4.1.1466.115.121.1.15
- SUBSTR   [numericStringSubstringsMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15
- EQUALITY [caseIgnoreMatch]              Syntax: 1.3.6.1.4.1.1466.115.121.1.38
- EQUALITY [octetStringMatch]             Syntax: 1.3.6.1.4.1.1466.115.121.1.15

Comment 3 Rich Megginson 2010-03-08 17:51:21 UTC
(In reply to comment #2)
> To summarize, these are the incompatible matching rules:
> - EQUALITY [numericStringMatch]           Syntax: 1.3.6.1.4.1.1466.115.121.1.15
> - SUBSTR   [numericStringSubstringsMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15
> - EQUALITY [caseIgnoreMatch]              Syntax: 1.3.6.1.4.1.1466.115.121.1.38
> - EQUALITY [octetStringMatch]             Syntax: 1.3.6.1.4.1.1466.115.121.1.15    

Allowing OID to use caseIgnoreMatch - ok
Allowing dirstring to use octetStringMatch - ok

But I'm a little concerned about allowing dirstring to use numericStringMatch and numericStringSubstringsMatch since syntax validation will fail.  How are these attributes defined?  What are the valid values of these attributes?  How does this work with OpenLDAP?

Comment 4 Endi Sukma Dewata 2010-03-08 19:38:21 UTC
These are the only two attributes that use those matching rules.
In DS they are mapped to Directory String syntax:

attributeTypes: (
  2.5.4.24
  NAME 'x121Address'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )
attributeTypes: (
  2.5.4.25
  NAME 'internationalISDNNumber'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  )

In OpenLDAP they are mapped to Numeric String syntax.

attributetype (
  2.5.4.24
  NAME 'x121Address'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
  )
attributetype (
  2.5.4.25
  NAME 'internationalISDNNumber'
  EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
  )

Examples:
x121Address: 0000 0 122 29 00  00
internationaliSDNNumber: +SO 812467

According to DS documentation these attributes should use the IA5 String syntax (1.3.6.1.4.1.1466.115.121.1.26).
https://listman.redhat.com/docs/manuals/dir-server/8.1/schema/x121Address.html
https://listman.redhat.com/docs/manuals/dir-server/8.1/schema/internationalISDNNumber.html/internationalISDNNumber.html

Is IA5 String syntax compatible with numericStringMatch and numericStringSubstringsMatch?

Comment 5 Rich Megginson 2010-03-08 19:43:59 UTC
Ok, I see.  That work in samba was done before 389 supported NumericString syntax.  Please change samba to use Numeric String (1.3.6.1.4.1.1466.115.121.1.36) syntax in 389.  That should fix these two attributes.

Are there any other differences between the schema used with OpenLDAP and the schema used with 389?  It may be that, since we now support most of the standard syntaxes/matching rules in 389, we can use the same schema.
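
An added example (not part of the original thread, and not 389 or Samba code): a small checker that parses attributeTypes definitions like those quoted in comment 4 and reports matching rules that do not fit the declared syntax, using the rule-to-syntax pairings from RFC 4517. The `compat` parameter, the attribute `exampleOidAttr` and its OID `9.9.9.1` are constructed for illustration.

```python
import re

# Attribute syntax each matching rule is meant for in RFC 4517 (subset relevant here).
DIRSTRING = "1.3.6.1.4.1.1466.115.121.1.15"
NUMERIC = "1.3.6.1.4.1.1466.115.121.1.36"
OID = "1.3.6.1.4.1.1466.115.121.1.38"
OCTET = "1.3.6.1.4.1.1466.115.121.1.40"
RULE_SYNTAX = {
    "numericstringmatch": NUMERIC,
    "numericstringsubstringsmatch": NUMERIC,
    "caseignorematch": DIRSTRING,
    "octetstringmatch": OCTET,
}
FIELD_RE = re.compile(r"\b(NAME|EQUALITY|ORDERING|SUBSTR|SYNTAX)\s+'?([\w.\-]+)'?")

def parse_attribute_types(schema_text):
    """Yield one field dict per definition (single-NAME form, as quoted in the thread)."""
    for chunk in re.split(r"(?i)\battributetypes?\b:?", schema_text):
        fields = dict(FIELD_RE.findall(chunk))
        if "NAME" in fields and "SYNTAX" in fields:
            yield fields

def incompatible(schema_text, compat=None):
    """Return (attribute, kind, rule, syntax) for each rule that does not fit the syntax."""
    compat = compat or {}  # hypothetical: rule name -> extra syntax OIDs tolerated
    findings = []
    for attr in parse_attribute_types(schema_text):
        for kind in ("EQUALITY", "ORDERING", "SUBSTR"):
            rule = attr.get(kind, "").lower()
            if rule not in RULE_SYNTAX:
                continue  # absent or unknown rule: not judged here
            allowed = {RULE_SYNTAX[rule]} | set(compat.get(rule, ()))
            if attr["SYNTAX"] not in allowed:
                findings.append((attr["NAME"], kind, attr[kind], attr["SYNTAX"]))
    return findings

# x121Address as mapped for DS in comment 4; the second entry is constructed.
DS_SCHEMA = """
attributeTypes: ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch
  SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 9.9.9.1 NAME 'exampleOidAttr' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
"""
# Same schema after switching Directory String to Numeric String, as comment 5 asks.
FIXED_SCHEMA = DS_SCHEMA.replace(DIRSTRING + " )", NUMERIC + " )")

if __name__ == "__main__":
    for finding in incompatible(DS_SCHEMA):
        print("incompatible:", *finding)
```

Passing `compat={"caseignorematch": {OID}}` models the "Allowing OID to use caseIgnoreMatch" decision from comment 3 and clears the remaining finding in `FIXED_SCHEMA`.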

Comment 6 Endi Sukma Dewata 2010-03-08 20:08:38 UTC
The following are the mapping configurations used by Samba to generate DS and OL schemas:
http://gitweb.samba.org/?p=samba.git;a=blob;f=source4/setup/schema-map-fedora-ds-1.0
http://gitweb.samba.org/?p=samba.git;a=blob;f=source4/setup/schema-map-openldap-2.3

The lines with this format "<old oid/attr>:<new oid/attr>" mean that it's mapping Samba OID/attribute into DS/OL OID/attribute.

I think these lines could be removed from DS mapping:
#NumbericString is not supported in Fedora DS 1.0, map to a directory string
1.3.6.1.4.1.1466.115.121.1.36:1.3.6.1.4.1.1466.115.121.1.15

There are apparently some other differences, I will review this separately from this bug. Thanks.

Comment 7 Rich Megginson 2010-03-09 03:45:04 UTC
Ok.  Just let me know if there is anything I need to do for this bug.  I think if we just remove some of the mappings that are no longer needed in samba, there might not be very much to do for this bug in 389.

Comment 8 Endi Sukma Dewata 2010-03-09 16:29:36 UTC
After changing the Samba mapping for DS to match the one for OpenLDAP all the errors no longer appear. This issue can be closed because it is not a DS bug.

Comment 9 Rich Megginson 2010-03-09 16:35:45 UTC
Excellent.

