Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1466.115.121.1.38] - need to add OID syntax to the dirString compat syntaxes
[03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [numericStringMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [x121Address] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the SUBSTR matching rule [numericStringSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [x121Address] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [transportAddressAttribute] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemPossSuperiors] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemMustContain] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemMayContain] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [systemAuxiliaryClass] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [subClassOf] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [structuralObjectClass] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [rDNAttID] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [possSuperiors] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [possibleInferiors] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [mustContain] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [octetStringMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [msDS-RevealedList] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [msDS-Auxiliary-Classes] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [mayContain] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [numericStringMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [internationalISDNNumber] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the SUBSTR matching rule [numericStringSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.15] for the attribute [internationalISDNNumber] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [governsID] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [auxiliaryClass] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [attributeSyntax] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [attributeID] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedChildClassesEffective] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedChildClasses] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedAttributesEffective] [03/Mar/2010:13:31:42 -0600] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.38] for the attribute [allowedAttributes]
To summarize, these are the incompatible matching rules: - EQUALITY [numericStringMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15 - SUBSTR [numericStringSubstringsMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15 - EQUALITY [caseIgnoreMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.38 - EQUALITY [octetStringMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15
(In reply to comment #2) > To summarize, these are the incompatible matching rules: > - EQUALITY [numericStringMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15 > - SUBSTR [numericStringSubstringsMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15 > - EQUALITY [caseIgnoreMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.38 > - EQUALITY [octetStringMatch] Syntax: 1.3.6.1.4.1.1466.115.121.1.15 Allowing OID to use caseIgnoreMatch - ok Allowing dirstring to use octetStringMatch - ok But I'm a little concerned about allowing dirstring to use numericStringMatch and numericStringSubstringsMatch since syntax validation will fail. How are these attributes defined? What are the valid values of these attributes? How does this work with OpenLDAP?
There are the only two attributes that use those matching rules. In DS they are mapped to Directory String syntax: attributeTypes: ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) attributeTypes: ( 2.5.4.25 NAME 'internationalISDNNumber' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) In OpenLDAP they are mapped to Numeric String syntax. attributetype ( 2.5.4.24 NAME 'x121Address' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 ) attributetype ( 2.5.4.25 NAME 'internationalISDNNumber' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 ) Examples: x121Address: 0000 0 122 29 00 00 internationaliSDNNumber: +SO 812467 According to DS documentation these attributes should use the IA5 String syntax (1.3.6.1.4.1.1466.115.121.1.26). https://listman.redhat.com/docs/manuals/dir-server/8.1/schema/x121Address.html https://listman.redhat.com/docs/manuals/dir-server/8.1/schema/internationalISDNNumber.html/internationalISDNNumber.html Is IA5 String syntax compatible with numericStringMatch and numericStringSubstringsMatch?
Ok, I see. That work in samba was done before 389 supported NumericString syntax. Please change samba to use Numeric String (1.3.6.1.4.1.1466.115.121.1.36 ) syntax in 389. That should fix these two attributes. Are there any other differences between the schema used with OpenLDAP and the schema used with 389? It may be that, since we now support most of the standard syntaxes/matching rules in 389, we can use the same schema.
The followings are the mapping configurations used by Samba to generate DS and OL schemas: http://gitweb.samba.org/?p=samba.git;a=blob;f=source4/setup/schema-map-fedora-ds-1.0 http://gitweb.samba.org/?p=samba.git;a=blob;f=source4/setup/schema-map-openldap-2.3 The lines with this format "<old oid/attr>:<new oid/attr>" means that it's mapping Samba OID/attribute into DS/OL OID/attribute. I think these lines could be removed from DS mapping: #NumbericString is not supported in Fedora DS 1.0, map to a directory string 48 1.3.6.1.4.1.1466.115.121.1.36:1.3.6.1.4.1.1466.115.121.1.15 There are apparently some other differences, I will review this separately from this bug. Thanks.
Ok. Just let me know if there is anything I need to do for this bug. I think if we just remove some of the mappings that are no longer needed in samba, there might not be very much to do for this bug in 389.
After changing the Samba mapping for DS to match the one for OpenLDAP all the errors no longer appear. This issue can be closed because it is not a DS bug.
Excellent.