matching rule support was added, so schema elements must have the correct matching rule. But we don't yet support the cert matching rules such as certificateExactMatch, etc. So we're just using octetStringMatch and related rules for the cert matching rules for now.
Created attachment 398603
patch
To ssh://git.fedorahosted.org/git/389/ds.git
   7c3866d..4845ffc  master -> master
commit 4845ffc48517bd2c938129a40c4e4f29c1efcc5a
Author: Rich Megginson <rmeggins>
Date:   Mon Mar 8 12:36:56 2010 -0700
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: Added 05rfc4523.ldif to the list of schema to upgrade.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
I upgraded to 389-ds-base-1.2.6-0.3.a3.fc12.x86_64 from I think 389-ds-base-1.2.5-1.fc12.x86_64. I get this when starting the server:
    Shutting down dirsrv: GREYOAK-COM... [ OK ]
    Starting dirsrv: GREYOAK-COM...[20/Apr/2010:16:42:12 -0400] attr_syntax_create - Error: the EQUALITY matching rule [certificateExactMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.5] for the attribute [userCertificate]
    [20/Apr/2010:16:42:12 -0400] attr_syntax_create - Error: the EQUALITY matching rule [certificateExactMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.5] for the attribute [cACertificate]
    [20/Apr/2010:16:42:12 -0400] attr_syntax_create - Error: the EQUALITY matching rule [certificatePairExactMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.5] for the attribute [crossCertificatePair]
    [20/Apr/2010:16:42:12 -0400] attr_syntax_create - Error: the EQUALITY matching rule [certificateListExactMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.5] for the attribute [certificateRevocationList]
    [20/Apr/2010:16:42:12 -0400] attr_syntax_create - Error: the EQUALITY matching rule [certificateListExactMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.5] for the attribute [authorityRevocationList]
    [20/Apr/2010:16:42:12 -0400] attr_syntax_create - Error: the EQUALITY matching rule [certificateListExactMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.5] for the attribute [deltaRevocationList]
    [ OK ]
I checked one attribute, cACertificate, and I have it defined in two files:
    # grep -i cACertificate *
    05rfc4523.ldif:#attributeTypes: ( 2.5.4.37 NAME 'cACertificate'
    05rfc4523.ldif:attributeTypes: ( 2.5.4.37 NAME 'cACertificate'
    05rfc4523.ldif: MAY ( cACertificate $ certificateRevocationList $
    05rfc4523.ldif: certificateRevocationList $ cACertificate )
    60basev2.ldif:attributeTypes: (2.5.4.37 NAME 'cACertificate' DESC 'X.509 CA certificate' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'RFC 4523' )
    60basev2.ldif:objectClasses: (2.5.6.22 NAME 'pkiCA' DESC 'X.509 PKI Certificate Authority' SUP top AUXILIARY MAY ( cACertificate $ certificateRevocationList $ authorityRevocationList $ crossCertificatePair )
Looks like the complaint is from the entry in 60basev2.ldif.
IPA will update its schema to remove the duplicated schema elements from 60basev2.ldif.
Verified by following comment#7.
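A way to spot this condition before restarting the server, as an added example that is not part of the original bug thread or the 389 project's code: it scans schema LDIF text for attribute OIDs defined in more than one file and for the matching rule and syntax pairing that the startup log above rejects. The function names, the `SAMPLE` dictionary and the 05rfc4523.ldif values in it are assumptions.

```python
import re

# Rule/syntax pairing the server rejected in the startup log above.
REJECTED_RULES = {"certificateexactmatch", "certificatepairexactmatch",
                  "certificatelistexactmatch"}
REJECTED_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.5"
ATTR_RE = re.compile(r"^attributeTypes:\s*\(\s*([\d.]+)\s+NAME\s+'([^']+)'(.*)$", re.I)

def unfold(text):  # join LDIF continuation lines (one leading space) to their parent
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_attrs(text):
    """Yield (oid, name, equality, syntax) for each active attributeTypes value."""
    for line in unfold(text):
        m = ATTR_RE.match(line)  # a commented '#attributeTypes:' never matches
        if m:
            oid, name, rest = m.groups()
            eq = re.search(r"\bEQUALITY\s+(\S+)", rest)
            syn = re.search(r"\bSYNTAX\s+([\d.]+)", rest)
            yield oid, name, eq and eq.group(1), syn and syn.group(1)

def audit(files):
    """files maps filename -> LDIF text; returns (duplicates, rejected pairings)."""
    seen, rejected = {}, []
    for fname, text in sorted(files.items()):
        for oid, name, eq, syn in parse_attrs(text):
            seen.setdefault(oid, []).append((fname, name))
            if eq and eq.lower() in REJECTED_RULES and syn == REJECTED_SYNTAX:
                rejected.append((fname, name, eq))
    dups = {o: d for o, d in seen.items() if len({f for f, _ in d}) > 1}
    return dups, rejected

# Constructed sample. The 60basev2.ldif value is the one quoted in the report;
# the 05rfc4523.ldif rule and syntax are assumptions for illustration.
SAMPLE = {
    "05rfc4523.ldif": "#attributeTypes: ( 2.5.4.37 NAME 'cACertificate'\n"
        "  EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )\n"
        "attributeTypes: ( 2.5.4.37 NAME 'cACertificate'\n"
        "  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )\n",
    "60basev2.ldif": "attributeTypes: (2.5.4.37 NAME 'cACertificate' DESC "
        "'X.509 CA certificate' EQUALITY certificateExactMatch SYNTAX "
        "1.3.6.1.4.1.1466.115.121.1.5 X-ORIGIN 'RFC 4523' )\n",
}
```

Calling `audit(SAMPLE)` reports OID 2.5.4.37 as defined in both files and flags only the 60basev2.ldif definition; the folded, commented-out entry in 05rfc4523.ldif is ignored.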