Bug 576074 - search filters with parentheses fail
Summary: search filters with parentheses fail
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Database - Indexes/Searches
Version: 1.2.6
Hardware: i386
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Rich Megginson
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 434914 389_1.2.6
Reported: 2010-03-23 07:25 UTC by steven_li
Modified: 2015-12-07 16:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:34:16 UTC


Attachments
patch (3.22 KB, patch)
2010-03-25 17:53 UTC, Rich Megginson
nhosoi: review+

Description steven_li 2010-03-23 07:25:31 UTC
Description of problem:

In directory server 1.2.0,
when I search with (ou=*(China)Limited*), there are no results,
but when I search with (ou=*(China)*), 28 results come out.

In directory server 1.1.0
it works correctly.

Version-Release number of selected component (if applicable):
389 directory 1.2.0
fedora directory 1.1.0

How reproducible:

Create any record with an attribute value that contains "(" or ")" followed by other characters, such as

ou=PRC (China)Limited company
or 
ou=PRC (China) Limited company

Steps to Reproduce:
1. add a user
2. change businessCategory value to PRC (China)Limited company
3. search by filter businessCategory=*)Limited*
  
Actual results:
none
Expected results:
the record created.

Additional info:

The issue doesn't exist on the older version, Fedora Directory 1.1.0.

Comment 1 steven_li 2010-03-25 05:26:37 UTC
Can anyone help with this issue?

Comment 2 Rich Megginson 2010-03-25 14:52:45 UTC
What is your ldapsearch client?  Note that http://www.ietf.org/rfc/rfc4515.txt specifies that the ( and ) characters are not allowed in search filters.  For example, when I use python-ldap to try to reproduce your results, python-ldap does not even let me use those search filters, and fails with ldap.FILTER_ERROR: {'info': '', 'desc': 'Bad search filter'}

Comment 3 steven_li 2010-03-25 15:42:36 UTC
I search via JXplorer, LDAP Browser, and my customized LDAP client web app; they all have the same results.

I'm curious that it works fine for an earlier version.

Comment 4 steven_li 2010-03-25 15:57:20 UTC
Also note that we have applied the special search filter escaping, as in the link

http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

in our developed web application.

Comment 5 Rich Megginson 2010-03-25 16:39:14 UTC
In 1.2.0 we switched to using PCRE for regular expressions instead of our old proprietary regex.  The problem is that PCRE is interpreting the ( and ) as special characters.  We need to escape them.

Comment 6 Rich Megginson 2010-03-25 17:53:05 UTC
Created attachment 402627 [details]
patch

Comment 7 Noriko Hosoi 2010-03-25 18:11:33 UTC
Comment on attachment 402627 [details]
patch

Note: It's safe to escape '(' and ')' since we have allocated enough space here:
254     size *= 2; /* doubled in case all filter chars need escaping */

Ack.

Comment 8 Rich Megginson 2010-03-25 18:33:56 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   5db9031..41c5be0  Directory_Server_8_2_Branch -> Directory_Server_8_2_Branch
commit 41c5be046a21f06a1e743513631814186c7df79b
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Thu Mar 25 11:51:26 2010 -0600

To ssh://git.fedorahosted.org/git/389/ds.git
   742032c..c1d2e74  master -> master

commit c1d2e7461ac41f39f5f27f3d9dcd6084bb4435a5
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Thu Mar 25 11:51:26 2010 -0600
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: PCRE requires '(' and ')' to be escaped to match a literal
    parenthesis.  Otherwise, it thinks the parenthesis is used for grouping.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
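
Added example (not code from the 389 project or from the attached patch): a small C program that reproduces the behaviour described in comments 5 to 8, where a substring filter is turned into a regular expression and literal parentheses end up being read as grouping. It uses POSIX regcomp() in extended mode as a stand-in for PCRE, since both treat an unescaped ( ) pair as a group; the names substr_to_regex and substr_match and the sample values are assumptions made for this illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that POSIX ERE treats as operators outside a bracket
 * expression. PCRE treats these as operators as well. */
static const char META[] = "\\^$.[|()?*+{";

/* Constructed sample "any" components of a substring filter. */
static const char *F_CHINA_LIMITED[] = { "(China)Limited" };
static const char *F_CHINA[] = { "(China)" };

/* Copy src to dst. With escape != 0, each metacharacter gets a leading
 * backslash so that it matches itself. Returns the new end of dst. */
static char *append_part(char *dst, const char *src, int escape)
{
    for (; *src; src++) {
        if (escape && strchr(META, *src))
            *dst++ = '\\';
        *dst++ = *src;
    }
    return dst;
}

/* Build a regex for the substring filter initial*any[0]*...*final_part.
 * NULL components are absent. The caller frees the result. */
char *substr_to_regex(const char *initial, const char **any, size_t n_any,
                      const char *final_part, int escape)
{
    size_t size = 0, i;
    char *pat, *p;

    if (initial)
        size += strlen(initial);
    for (i = 0; i < n_any; i++)
        size += strlen(any[i]);
    if (final_part)
        size += strlen(final_part);
    size *= 2;                   /* doubled in case all filter chars need escaping */
    size += 2 * (n_any + 1) + 3; /* ".*" joins, '^', '$' and the NUL */

    pat = p = malloc(size);
    if (!pat)
        return NULL;
    if (initial) {
        *p++ = '^';
        p = append_part(p, initial, escape);
    }
    for (i = 0; i < n_any; i++) {
        *p++ = '.';
        *p++ = '*';
        p = append_part(p, any[i], escape);
    }
    if (final_part) {
        *p++ = '.';
        *p++ = '*';
        p = append_part(p, final_part, escape);
        *p++ = '$';
    }
    *p = '\0';
    return pat;
}

/* Returns 1 if value matches the filter *any[0]*...*, 0 if it does not,
 * -1 if the pattern could not be built or compiled. Matching ignores
 * case, as it would for a case-insensitive attribute such as ou. */
int substr_match(const char *value, const char **any, size_t n_any, int escape)
{
    regex_t re;
    int rc;
    char *pat = substr_to_regex(NULL, any, n_any, NULL, escape);

    if (!pat)
        return -1;
    rc = regcomp(&re, pat, REG_EXTENDED | REG_ICASE | REG_NOSUB);
    free(pat);
    if (rc != 0)
        return -1;
    rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    const char *value = "PRC (China)Limited company"; /* value from the report */

    printf("*(China)Limited* unescaped: %d\n",
           substr_match(value, F_CHINA_LIMITED, 1, 0));
    printf("*(China)Limited* escaped:   %d\n",
           substr_match(value, F_CHINA_LIMITED, 1, 1));
    printf("*(China)* unescaped:        %d\n",
           substr_match(value, F_CHINA, 1, 0));
    printf("*(China)* vs \"PRC China Ltd\", unescaped: %d\n",
           substr_match("PRC China Ltd", F_CHINA, 1, 0));
    return 0;
}
```

Unescaped, the (China) filter still matches because the group matches the bare word China, which is consistent with the reporter getting results for (ou=*(China)*) but none for (ou=*(China)Limited*); it also means the unescaped form can match values that contain no parentheses at all.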

Comment 9 steven_li 2010-03-29 02:09:00 UTC
Thanks for your help.

May I know how can I deploy the patch? or update the library.

Thanks.

Comment 10 Rich Megginson 2010-03-29 14:07:56 UTC
(In reply to comment #9)
> Thanks for your help.
> 
> May I know how can I deploy the patch? or update the library.
> 
> Thanks.    

We are going to release 1.2.6 alpha 3 shortly.  Otherwise, if you are building from source, you can just grab the patch and apply it - pretty easy with git.

Comment 11 steven_li 2010-03-30 08:07:48 UTC
Thanks for your reply.

May I know when the release will be available?

Comment 12 Rich Megginson 2010-03-30 14:10:39 UTC
(In reply to comment #11)
> Thanks for your reply.
> 
> May I know when the release will be available?    

soon

Comment 13 steven_li 2010-04-06 08:24:09 UTC
Hi Rich

I try to compile the source as 
http://directory.fedoraproject.org/wiki/Building#NSPR

when run 
./configure --prefix=/root/dev/fd12 --with-ldapsdk=/root/dev/mozldap-6.0.5/mozilla/directory/c-sdk/ldap:

I got an error:

"configure: error: The LDAPSDK version in -I/root/dev/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/include/ldap-standard.h is not supported"

could you give me some more instructions about how to do the build?

I have got directory source via 389.

Comment 14 Rich Megginson 2010-04-06 14:17:43 UTC
(In reply to comment #13)
> Hi Rich
> 
> I try to compile the source as 
> http://directory.fedoraproject.org/wiki/Building#NSPR
> 
> when run 
> ./configure --prefix=/root/dev/fd12
> --with-ldapsdk=/root/dev/mozldap-6.0.5/mozilla/directory/c-sdk/ldap:
> 
> I got a error :
> 
> "configure: error: The LDAPSDK version in
> -I/root/dev/mozldap-6.0.5/mozilla/directory/c-sdk/ldap/include/ldap-standard.h
> is not supported"
> 
> could you give me some more instructions about how to do the build?
> 
> I have got directory source via 389.    

What platform?  Note that on RHEL and Fedora all of the dependencies are already provided - you just have to yum install nspr-devel nss-devel svrcore-devel mozldap-devel

Comment 15 steven_li 2010-04-07 01:57:57 UTC
Thanks for your quick response.

I use CentOS5.4. I have installed the devel package now.

and run ./configure --prefix=/root/dev/fd12.
it prompts me "configure: error: db not found, specify with --with-db.".

any idea?

Comment 16 Rich Megginson 2010-04-07 02:06:11 UTC
(In reply to comment #15)
> Thanks for your quick response.
> 
> I use CentOS5.4. I have installed the devel package now.
> 
> and run ./configure --prefix=/root/dev/fd12.
> it prompts me "configure: error: db not found, specify with --with-db.".
> 
> any idea?    

The following are the BuildRequires from the EL5 spec file:

BuildRequires:    nspr-devel
BuildRequires:    nss-devel
BuildRequires:    svrcore-devel
BuildRequires:    mozldap-devel
BuildRequires:    db4-devel
BuildRequires:    cyrus-sasl-devel
BuildRequires:    icu
BuildRequires:    libicu-devel
BuildRequires:    pcre-devel
BuildRequires:    net-snmp-devel
BuildRequires:    lm_sensors-devel
BuildRequires:    bzip2-devel
BuildRequires:    zlib-devel
BuildRequires:    openssl-devel
BuildRequires:    tcp_wrappers
BuildRequires:    checkpolicy
BuildRequires:    selinux-policy-devel
BuildRequires:    /usr/share/selinux/devel/Makefile
BuildRequires:    pam-devel

You'll need these additional packages at runtime:

Requires:         mozldap-tools
Requires:         perl-Mozilla-LDAP
Requires:         nss-tools
Requires:         cyrus-sasl-gssapi
Requires:         cyrus-sasl-md5
Requires:         db4-utils

Comment 17 steven_li 2010-04-07 09:43:16 UTC
Thanks Rich.

I have built the directory server successfully!

Comment 18 steven_li 2010-04-08 03:20:56 UTC
Hi Rich

Now we are preparing to upgrade the directory server from 1.2.6 to the latest version. I'm wondering do we need to update the admin server and admin util also?

also how can I wrap the builds into a RPM file, so that we just install rpm for other systems?

Thanks.

Comment 19 steven_li 2010-04-08 10:23:59 UTC
After I install the latest directory server, I can't start the directory instance. The error is about "EQUALITY matching rule is not compatible with syntax..."

If I remove the directory server instance and recreate an instance, I get the error "schema in /etc/dirsrv/slapd-xxx/schema/01common.ldif is invalid. error code 21"

It only works if I totally uninstall the previous version and reinstall.

Comment 20 Rich Megginson 2010-04-08 14:10:26 UTC
(In reply to comment #18)
> Hi Rich
> 
> Now we are preparing to upgrade the directory server from 1.2.6 to the latest
> version. I'm wondering do we need to update the admin server and admin util
> also?

Yes.
 
> also how can I wrap the builds into a RPM file, so that we just install rpm for
> other systems?

You'll first need the rpm spec files, which are here:

http://cvs.fedoraproject.org/viewvc/rpms/

There is a repo for each package - 389-ds-base, 389-admin, etc.

Under each package repo is a platform subdir - EL-5, F-12, etc.

Under each of those are the .spec files and other files you might need to build.

The best way is to use mock, the chroot build system that Fedora uses, to build rpms.

https://fedoraproject.org/wiki/Extras/MockTricks

You'll have to first use rpmbuild -bs to create a SRPM (src.rpm) file to pass to mock.

You can also use rpmbuild - rpmbuild -ba /path/to/file.spec

https://fedoraproject.org/wiki/Packaging:RPMMacros - how to set up your ~/.rpmmacros to use rpmbuild

> 
> Thanks.

Comment 21 Rich Megginson 2010-04-08 14:13:34 UTC
(In reply to comment #19)
> after I install the latest directory server, I can't start the directory
> instance. Error is about "EQUALITY matching rule is not compatible with
> syntax..."
> 
> if I remove the directory server instance, and recreate a instance , got error
> "schema in /etc/dirsrv/slapd-xxx/schema/01common.ldif is invalid. error code
> 21"
> 
> it only works if I totally uninstall the previous version and reinstall.

RPM and setup handle this automatically.  But you can do the same:

rm -rf /etc/dirsrv/schema/*
make install # will put the new files in /etc/dirsrv/schema
setup-ds.pl -u # or setup-ds-admin.pl -u

This will make sure your existing instances are using the correct schema.

Comment 22 steven_li 2010-04-09 03:44:53 UTC
Now I am following this order:
install adminutil
install admin server
install directory server

however, when I run setup-ds.pl -u or  setup-ds-admin.pl -u
I got following error:

Error adding entry 'cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config'.  Error: Object class violation
Could not reconfigure the admin server.
Exiting . . .
Log file is '/tmp/setupYhabeS.log'

Error adding entry 'cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config'.  Error: Object class violation
Error: could not update the directory server.
Exiting . . .
Log file is '/tmp/setupe1iKdg.log

And one more question: if I update both admin server and directory server, do I need to run both setup-ds.pl -u and setup-ds-admin.pl -u, or do I only need to run setup-ds-admin.pl -u?

Comment 23 Rich Megginson 2010-04-09 14:13:28 UTC
You should install adminutil and directory server first - it doesn't matter which one is installed first - and admin server should be installed last.

Error adding entry - can you provide excerpts from the directory server access and error logs?

You should only need to run setup-ds-admin.pl -u - that will run setup-ds.pl -u on the directory servers.

Comment 24 steven_li 2010-04-09 15:14:19 UTC
There are also several other packages that need to be installed for the previous version, such as admin-console, admin-console-doc, ds-console, ds-console-doc, so if I do the upgrade for the issue, do I need to include these also?

Comment 25 Rich Megginson 2010-04-09 15:23:47 UTC
(In reply to comment #24)
> there are also several other packages need to be install for previous version,
> such as admin-console, admin-console-doc, ds-console, ds-console-doc,so if I do
> upgrade for the issue, do I need to include these also?    

If you want to use the console, you have to install those packages.  If you are just doing an upgrade of 389-ds-base and 389-admin, and you already have those packages installed, you don't have to do anything.

Comment 26 steven_li 2010-04-10 02:48:53 UTC
when I try to build 389-admin into a rpm file, got following error:

make[1]: Leaving directory `/usr/src/redhat/BUILD/389-admin-hwl'
+ cd selinux-built
+ cp /usr/share/dirsrv-selinux/dirsrv.if .
cp: cannot stat `/usr/share/dirsrv-selinux/dirsrv.if': No such file or directory
error: Bad exit status from /var/tmp/rpm-tmp.66667 (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.66667 (%build)

Comment 27 steven_li 2010-04-10 04:03:35 UTC
+ make NAME=strict -f /usr/share/selinux/devel/Makefile
Compiling strict dirsrv-admin module
/usr/bin/checkmodule:  loading policy configuration from tmp/dirsrv-admin.tmp
dirsrv-admin.te:122:ERROR 'syntax error' at token 'dirsrv_pid_filetrans' on line 102154:
dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
 
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/dirsrv-admin.mod] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.33728 (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.33728 (%build)

Comment 28 steven_li 2010-04-10 10:28:27 UTC
the above issue is fixed via install the 
Now I have build out the rpm file  389-ds-base-selinux-devel and 389-adminutil-devel

now, after I install the compiled 389-admin rpm file, and start it, got following error:

/usr/sbin/start-ds-admin: line 67: 13009 Segmentation fault      $SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f /etc/dirsrv/admin-serv/httpd.conf "$@"

following error message in /var/log/message when I install the 389-admin rpm file:

Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_config_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_lib_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_snmp_exec_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_exec_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_share_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_var_lib_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_var_lock_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_var_log_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_config_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_lib_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_share_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_var_log_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_var_lock_t:s0
Apr 10 05:55:47 localhost dbus: avc:  received policyload notice (seqno=6)
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_var_lib_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context system_u:object_r:dirsrv_var_run_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:system_r:dirsrv_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_var_run_t:s0
Apr 10 05:55:47 localhost kernel: security:  invalidating context root:object_r:dirsrv_tmpfs_t:s0
Apr 10 06:09:35 localhost dbus: avc:  received policyload notice (seqno=7)

I work on a x86_64 CentOS5.4

Comment 29 steven_li 2010-04-10 11:05:23 UTC
also see the log when I run setup-ds-admin.pl 
[Sat Apr 10 07:02:18 2010] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0-s0:c0.c1023
[Sat Apr 10 07:02:19 2010] [error] Unable to change directory to /root/dev/rpmbuild
[Sat Apr 10 07:03:31 2010] [notice] SELinux policy enabled; httpd running as context root:system_r:httpd_t:s0
[Sat Apr 10 07:03:32 2010] [notice] Access Host filter is: *.localdomain
[Sat Apr 10 07:03:32 2010] [notice] Access Address filter is: *
[Sat Apr 10 07:03:33 2010] [notice] Apache/2.2 configured -- resuming normal operations
[Sat Apr 10 07:03:33 2010] [notice] Access Host filter is: *.localdomain
[Sat Apr 10 07:03:33 2010] [notice] Access Address filter is: *
[Sat Apr 10 07:03:34 2010] [notice] child pid 14547 exit signal Segmentation fault (11)
...

Comment 30 steven_li 2010-04-12 05:15:19 UTC
(In reply to comment #23)
> You should install adminutil and directory server first - it doesn't matter
> which one is installed first - and admin server should be installed last.
> 
> Error adding entry - can you provide excerpts from the directory server access
> and error logs?
> 
> You should only need to run setup-ds-admin.pl -u - that will run setup-ds.pl -u
> on the directory servers.    

Following is the error log:

[12/Apr/2010:01:10:49 -0400] - Entry "cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginId" required by object class "nsslapdPlugin"
[12/Apr/2010:01:10:49 -0400] - Entry "cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginVersion" required by object class "nsslapdPlugin"
[12/Apr/2010:01:10:49 -0400] - Entry "cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginVendor" required by object class "nsslapdPlugin"
[12/Apr/2010:01:10:49 -0400] - Entry "cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginDescription" required by object class "nsslapdPlugin"

the rpm file generation and install works fine on 386 machine now. just got above error when run setup-ds-admin.pl -u.

Comment 31 steven_li 2010-04-12 13:42:54 UTC
when I import via ldif2db.pl. got following error:

which violates attribute syntax, ending line 1006 of file "/home/gcdldaprw/userRoot.ldif"

which was a blank line of ldif file.

Comment 32 Rich Megginson 2010-04-12 14:14:45 UTC
(In reply to comment #31)
> when I import via ldif2db.pl. got following error:
> 
> which violates attribute syntax, ending line 1006 of file
> "/home/gcdldaprw/userRoot.ldif"
> 
> which was a blank line of ldif file.    

Can you paste the last few lines of the ldif file?  Are you sure you have no whitespace characters around the end of the file?  Note that LDIF and LDAP are very sensitive to (hidden) whitespace characters.

Comment 33 steven_li 2010-04-12 14:27:27 UTC
# entry-id: 71
dn: ou=ABC,o=GCD
nsUniqueId: 796e1646-1dd211b2-84edc18b-83080000
street: 07/09/2009 11:05:05
preferredDeliveryMethod: Mich@Group.com
description:
st: http://www.hut.com
postalCode: info@hut.com
destinationIndicator: ABC Group
businessCategory: ABC Group
objectClass: organizationalUnit
objectClass: top
facsimileTelephoneNumber:: MTDigLAxMOKAsDDigLA=
ou: HWL
physicalDeliveryOfficeName:
postalAddress: 06/05/2009 15:53:00
postOfficeBox: fx
searchGuide: HWL
seeAlso: 0
creatorsName:
modifiersName:
createTimestamp: 20091222050820Z
modifyTimestamp: 20091222050820Z

# entry-id: 72

Comment 34 steven_li 2010-04-12 14:28:51 UTC
the same ldif file works for previous version.  also when I initialize the userRoot from console, it got  "Could not open LDIf file... errno 13 (Permission denied)" prompt.

I have set the ldif file as everyone full access.

Comment 35 steven_li 2010-04-12 14:31:03 UTC
and what's the correct way to fix error:

1.cn=SMD5,cn=Password Storage
Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginId"

2.child pid 14547 exit signal Segmentation
fault (11)

now I remove the smd5 entry and start admin server via /usr/sbin/start-ds-admin.pl to solve them temporarily.

Comment 36 Rich Megginson 2010-04-12 14:46:47 UTC
(In reply to comment #34)
> the same ldif file works for previous version.

Which previous version?  Note that syntax validation is a relatively new feature.  I notice that several of the attributes in the entry you pasted above could potentially be causing the syntax violation - can you provide the entire error message?  The excerpt you provided: "which violates attribute syntax, ending line 1006 of file" does not provide enough information, unless one of the lines in the above paste is line 1006.


> also when I initialize the
> userRoot from console, it got  "Could not open LDIf file... errno 13
> (Permission denied)" prompt.
> 
> I have set the ldif file as everyone full access.    

It could be an SELinux problem - check /var/log/audit/audit.log

> and what's the correct way to fix error:

> 1.cn=SMD5,cn=Password Storage
> Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginId"

Add the following lines to the entry dn: cn=SMD5,cn=Password Storage Schemes,cn=plugins,cn=config
# these will be replaced when the server loads the plugin
nsslapd-pluginId: ID
nsslapd-pluginVersion: PACKAGE_VERSION
nsslapd-pluginVendor: VENDOR
nsslapd-pluginDescription: DESC

> 2.child pid 14547 exit signal Segmentation
> fault (11)

This is from the admin server?  You could try starting the admin server with
start-ds-admin -e debug
to get more information

Comment 37 steven_li 2010-04-12 16:22:58 UTC
(In reply to comment #36)
> (In reply to comment #34)
> > the same ldif file works for previous version.
> Which previous version?  Note that syntax validation is a relatively new
> feature.  I notice that several of the attributes in the entry you pasted above
> could potentially be causing the syntax violation - can you provide the entire
> error message?  The excerpt you provided: "which violates attribute syntax,
> ending line 1006 of file" does not provide enough information, unless one of
> the lines in the above paste is line 1006.

Yes, the line about "# entry-id: 72" is line 1006. 

> > also when I initialize the
> > userRoot from console, it got  "Could not open LDIf file... errno 13
> > (Permission denied)" prompt.
> > 
> > I have set the ldif file as everyone full access.    
> It could be an SELinux problem - check /var/log/audit/audit.log

got following information in audit.log when error occurs 

type=AVC msg=audit(1271169401.809:89): avc:  denied  { search } for  pid=12214 comm="ns-slapd" name="home" dev=dm-0 ino=196609 scontext=root:system_r:dirsrv_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1271169401.809:89): arch=40000003 syscall=5 success=no exit=-13 a0=9fb0a00 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=12214 auid=0 uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503 tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=root:system_r:dirsrv_t:s0 key=(null)


> > and what's the correct way to fix error:
> > 1.cn=SMD5,cn=Password Storage
> > Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginId"
> Add the following lines to the entry dn: cn=SMD5,cn=Password Storage
> Schemes,cn=plugins,cn=config
> # these will be replaced when the server loads the plugin
> nsslapd-pluginId: ID
> nsslapd-pluginVersion: PACKAGE_VERSION
> nsslapd-pluginVendor: VENDOR
> nsslapd-pluginDescription: DESC

> > 2.child pid 14547 exit signal Segmentation
> > fault (11)
> This is from the admin server?  You could try starting the admin server with
> start-ds-admin -e debug
> to get more information    

The error only occurs when I start/restart admin server via service dirsrv-admin start/restart. If I start via /usr/sbin/start-ds-admin, there is no such error. From others' research results, it's said that the OpenLDAP library conflicts with the mozldap library; I'm not sure how to make it work for the service script also.

see debug information:
[root@agcdvldbr01 ~]# /usr/sbin/start-ds-admin -e debug
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module authz_host_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module auth_basic_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module authn_file_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module log_config_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module env_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module mime_magic_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module expires_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module deflate_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module headers_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module unique_id_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module setenvif_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module mime_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module vhost_alias_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module negotiation_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module dir_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module actions_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module alias_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module rewrite_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module cache_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module disk_cache_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module cgi_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module restartd_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module nss_module
[Tue Apr 13 10:31:01 2010] [debug] mod_so.c(246): loaded module admserv_module
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2506): [11719] create_server_config [0xbogus %p for (null)
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2494): [11719] create_config [0xbogus %p for (null)
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2567): [11719] Set [0xbogus %p [ADMCacheLifeTime] to 600
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2585): [11719] Set [0xbogus %p [ADMServerVersionString] to 389-Administrator/1.1.11.a3.git2b661e5
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2494): [11719] create_config [0xbogus %p for /*/[tT]asks/[Oo]peration/*
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2519): [11719] adminsdk [0xbogus %p flag 1
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2494): [11719] create_config [0xbogus %p for /*/[tT]asks/[Cc]onfiguration/*
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2519): [11719] adminsdk [0xbogus %p flag 1
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2494): [11719] create_config [0xbogus %p for /*/[tT]asks/[Oo]peration/(?i:stop|start|restart|startconfigds|create|remove)$
[Tue Apr 13 10:31:01 2010] [debug] mod_admserv/mod_admserv.c(2519): [11719] adminsdk [0xbogus %p flag 0
httpd.worker: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

Comment 38 steven_li 2010-04-12 16:25:22 UTC
For question one, it's the line above "# entry-id: 72" that is line 1006.

Comment 39 Rich Megginson 2010-04-12 17:22:04 UTC
(In reply to comment #37)
> (In reply to comment #36)
> > (In reply to comment #34)
> > > the same ldif file works for previous version.
> > Which previous version?  Note that syntax validation is a relatively new
> > feature.  I notice that several of the attributes in the entry you pasted above
> > could potentially be causing the syntax violation - can you provide the entire
> > error message?  The excerpt you provided: "which violates attribute syntax,
> > ending line 1006 of file" does not provide enough information, unless one of
> > the lines in the above paste is line 1006.
> 
> Yes, the line about "# entry-id: 72" is line 1006. 

Can you provide the full error message which should include the name of the attribute?

> 
> > > also when I initialize the
> > > userRoot from console, it got  "Could not open LDIf file... errno 13
> > > (Permission denied)" prompt.
> > > 
> > > I have set the ldif file as everyone full access.    
> > It could be an SELinux problem - check /var/log/audit/audit.log
> 
> got following information in audit.log when error occurs 
> 
> type=AVC msg=audit(1271169401.809:89): avc:  denied  { search } for  pid=12214
> comm="ns-slapd" name="home" dev=dm-0 ino=196609
> scontext=root:system_r:dirsrv_t:s0 tcontext=system_u:object_r:home_root_t:s0
> tclass=dir
> type=SYSCALL msg=audit(1271169401.809:89): arch=40000003 syscall=5 success=no
> exit=-13 a0=9fb0a00 a1=8000 a2=0 a3=8000 items=0 ppid=1 pid=12214 auid=0
> uid=503 gid=503 euid=503 suid=503 fsuid=503 egid=503 sgid=503 fsgid=503
> tty=(none) ses=1 comm="ns-slapd" exe="/usr/sbin/ns-slapd"
> subj=root:system_r:dirsrv_t:s0 key=(null)

Ok - then the 13 (permission) problem is likely selinux related.

I don't think make install will properly work for selinux - you can check the 389-ds-base.spec file to see what selinux commands you should use.

> 
> 
> > > and what's the correct way to fix error:
> > > 1.cn=SMD5,cn=Password Storage
> > > Schemes,cn=plugins,cn=config" missing attribute "nsslapd-pluginId"
> > Add the following lines to the entry dn: cn=SMD5,cn=Password Storage
> > Schemes,cn=plugins,cn=config
> > # these will be replaced when the server loads the plugin
> > nsslapd-pluginId: ID
> > nsslapd-pluginVersion: PACKAGE_VERSION
> > nsslapd-pluginVendor: VENDOR
> > nsslapd-pluginDescription: DESC
> 
> > > 2.child pid 14547 exit signal Segmentation
> > > fault (11)
> > This is from the admin server?  You could try starting the admin server with
> > start-ds-admin -e debug
> > to get more information    
> 
> the error only occurs when I start/restart admin server via service
> dirsrv-admin start/restart. if I start via /usr/sbin/start-ds-admin, no such
> error. from other's research result, it's said it's the open ldap library
> conflicts with mozldap library, not sure how to make it works for the service
> script also.

Ok.  Then this is also likely selinux related.  selinux handles start from initscript and start from start-ds-admin differently.


Comment 40 steven_li 2010-04-13 01:55:01 UTC
1. I have already got the rpm file from rpmbuild -ba 389-ds-base.spec. It references the spec you mentioned above.
All the tests are under the rpm installation now.

2. error about "syntax violation" is about the blank line. no attribute mentioned. line 10067 is the a line.

see error below:

[ldaprw@agcdvldbr01 slapd-agcdvldbr01]$ ./ldif2db -n userRoot -i ~/userRoot.ldif 
importing data ...
[13/Apr/2010:11:33:37 -0400] - autosize_import_cache: pagesize: 4096, pages: 193761, procpages: 6676
[13/Apr/2010:11:33:37 -0400] - cache autosizing: import cache: 204800k 
[13/Apr/2010:11:33:37 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[13/Apr/2010:11:33:37 -0400] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[13/Apr/2010:11:33:37 -0400] - autosize_import_cache: pagesize: 4096, pages: 193761, procpages: 6696
[13/Apr/2010:11:33:37 -0400] - cache autosizing: import cache: 204800k 
[13/Apr/2010:11:33:37 -0400] - li_import_cache_autosize: 50, import_pages: 51200, pagesize: 4096
[13/Apr/2010:11:33:37 -0400] - import userRoot: Beginning import job...
[13/Apr/2010:11:33:37 -0400] - import userRoot: Index buffering enabled with bucket size 62
[13/Apr/2010:11:33:37 -0400] - import userRoot: Processing file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:37 -0400] - import userRoot: WARNING: skipping entry "ou=ABC,o=GCD" which violates attribute syntax, ending line 1006 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=A01,ou=address,ou=ABC,o=GCD" which violates attribute syntax, ending line 1088 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "uid=CIM20090907110704441306901,ou=users,ou=ABC,o=GCD" which violates attribute syntax, ending line 1140 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "mail=dir.ABC.ca@abcl.com.hk,ou=PasswordServices,ou=Services,o=GCD" which violates attribute syntax, ending line 1168 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=ABC_09090718134617530,ou=ABC,o=GCD" which violates attribute syntax, ending line 1202 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071813463318285,ou=address,ou=ABC_09090718134617530,ou=ABC,o=GCD" which violates attribute syntax, ending line 1266 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=HIL_09090718150344669,ou=ABC_09090718134617530,ou=ABC,o=GCD" which violates attribute syntax, ending line 1287 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071815036026825,ou=address,ou=HIL_09090718150344669,ou=ABC_09090718134617530,ou=ABC,o=GCD" which violates attribute syntax, ending line 1353 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071817104818356,ou=address,ou=HIL_09090718150344669,ou=ABC_09090718134617530,ou=ABC,o=GCD" which violates attribute syntax, ending line 1373 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=ASW_09090719084159916,ou=ABC,o=GCD" which violates attribute syntax, ending line 1443 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071908417553337,ou=address,ou=ASW_09090719084159916,ou=ABC,o=GCD" which violates attribute syntax, ending line 1508 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1528 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071912359653499,ou=address,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1594 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=CKI_09090719142667168,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1616 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071914268277392,ou=address,ou=CKI_09090719142667168,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1684 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=HUSKY_09090719180662982,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1704 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071918067855569,ou=address,ou=HUSKY_09090719180662982,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1773 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=department,ou=ABC,o=GCD" which has no parent, ending at line 1017 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ABCDeptID=200905061700041718995,ou=department,ou=ABC,o=GCD" which has no parent, ending at line 1035 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=users,ou=ABC,o=GCD" which has no parent, ending at line 1046 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=distlist,ou=ABC,o=GCD" which has no parent, ending at line 1057 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=address,ou=ABC,o=GCD" which has no parent, ending at line 1068 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=department,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1213 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=users,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1224 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=distlist,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1235 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=HECL_09090719222376637,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1791 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=address,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1246 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071922239222221,ou=address,ou=HECL_09090719222376637,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1859 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=department,ou=HIL_09090718150344669,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1299 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=BigboXX_09090719271418259,ou=HECL_09090719222376637,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1880 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=users,ou=HIL_09090718150344669,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1310 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071927142864719,ou=address,ou=BigboXX_09090719271418259,ou=HECL_09090719222376637,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1950 of file "/home/gcdldaprw/use
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=distlist,ou=HIL_09090718150344669,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1321 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=ESD_09090719283686191,ou=HECL_09090719222376637,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 1969 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ou=address,ou=HIL_09090718150344669,ou=ABC_09090718134617530,ou=ABC,o=GCD" which has no parent, ending at line 1332 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071928369652586,ou=address,ou=ESD_09090719283686191,ou=HECL_09090719222376637,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 2038 of file "/home/gcdldaprw/userRoo
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ABCDeptID=200909071818596279637,ou=department,OU=HIL_09090718150344669,OU=ABC_09090718134617530,OU=ABC,O=GCD" which has no parent, ending at line 1391 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ou=HPHKL_09090719311707148,ou=HECL_09090719222376637,ou=EInO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 2059 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: Skipping entry "ABCDeptID=200909071819153317957,ou=department,OU=HIL_09090718150344669,OU=ABC_09090718134617530,OU=ABC,O=GCD" which has no parent, ending at line 1407 of file "/home/gcdldaprw/userRoot.ldif"
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: skipping entry "ABCAddressID=AddressUID_200909071931172273058,ou=address,ou=KL_09090719311707148,ou=CL_09090719222376637,ou=nO_09090719123586126,ou=ABC,o=GCD" which violates attribute syntax, ending line 2129 of file "/home/gcdldaprw/userR
[13/Apr/2010:11:33:38 -0400] - import userRoot: WARNING: bad entry: ID 70

[ldaprw@agcdvldbr01 slapd-agcdvldbr01]$

Comment 41 Rich Megginson 2010-04-13 15:03:40 UTC
I'm not sure which attribute is causing problems, but I note there are several problems with entry dn: ou=ABC,o=GCD

description:

description uses DirectoryString syntax which is not allowed to be empty.

facsimileTelephoneNumber:: MTDigLAxMOKAsDDigLA=

Not sure if this is valid utf8

physicalDeliveryOfficeName:

physicalDeliveryOfficeName uses DirectoryString syntax which is not allowed to be empty.

postalAddress: 06/05/2009 15:53:00

This is not a valid postalAddress, but the syntax may allow it anyway.

postOfficeBox: fx
searchGuide: HWL

This is not a valid searchGuide

seeAlso: 0

This is not valid DN syntax

creatorsName:
modifiersName:

createTimestamp: 20091222050820Z
modifyTimestamp: 20091222050820Z

Comment 42 steven_li 2010-04-14 08:15:14 UTC
Any docs to describe the attribute syntax checking? Does it follow some standard?
In version 1.2.2, it seems it doesn't have such syntax checking, right?

The error message pointed to a blank line. That's the separate line between two dn entries.

Also it takes "# entry-id: 71" as bad entry Id.

Comment 43 Rich Megginson 2010-04-14 13:14:47 UTC
(In reply to comment #42)
> any docs to describe the attribute syntax checking? does it follow some
> standard?

Yes, RFC 4517 - http://www.ietf.org/rfc/rfc4517.txt

> In version 1.2.2, It seems it don't have such syntax checking, right?

Right.  Version 1.2.2 would allow lots of bad data to enter the database.

> The error message pointed to a blank line. that's the separate line between two
> dn entry.

The error message just means there is something wrong with the entry that ends on that line, not that there is a problem with that line.

> 
> also it takes "# entry-id: 71" as bad entry Id.    

Not sure what it is complaining about the bad entry id, could be related to the fact that the entry did not pass syntax checking.
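A pre-import check in the spirit of comments 41 and 43, as an added example that is not part of the thread or of 389 Directory Server: it names the attribute behind a "violates attribute syntax" warning and reports both the attribute's line and the line on which the entry ends. The attribute sets, function names and sample LDIF are assumptions of this sketch, and the DN test is only a rough shape check.

```python
import base64
import re

# Illustrative subset of attributes and the syntax rule applied to each.
DIRECTORY_STRING = {"description", "physicaldeliveryofficename"}
DN_SYNTAX = {"seealso"}

# Constructed sample modelled on the entry discussed in comment 41.
SAMPLE_LDIF = """\
dn: ou=ABC,o=GCD
ou: ABC
description:
physicalDeliveryOfficeName:
seeAlso: 0

dn: ou=users,ou=ABC,o=GCD
ou: users
"""

def unfold(text):
    """Yield (line_number, logical_line); a leading space continues a line."""
    current, start = None, 0
    for number, raw in enumerate(text.split("\n"), 1):
        if raw.startswith(" ") and current is not None:
            current += raw[1:]
            continue
        if current is not None:
            yield start, current
        current, start = raw, number
    yield start, current

def check_value(attr, rest):
    """Return a reason string if the raw text after 'attr:' fails its check."""
    try:
        value = (base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
                 if rest.startswith(":") else rest.strip())
    except ValueError:                      # bad base64 or not UTF-8
        return "value is not valid base64-encoded UTF-8"
    if attr.lower() in DIRECTORY_STRING and value == "":
        return "DirectoryString must not be empty"
    rdns = re.split(r"(?<!\\),", value)     # rough DN shape test only
    if attr.lower() in DN_SYNTAX and value and not all("=" in r for r in rdns):
        return "not a distinguished name"
    return None

def find_violations(ldif_text):
    """Return (dn, attr, attr_line, entry_end_line, reason) per failed check."""
    findings, dn, pending = [], None, []
    for number, line in unfold(ldif_text + "\n"):
        if line == "":                      # blank line closes the entry
            findings += [(dn, a, n, number, r) for a, n, r in pending]
            dn, pending = None, []
        elif not line.startswith("#") and ":" in line:
            attr, rest = line.split(":", 1)
            if attr.lower() == "dn":
                dn = rest.strip()           # a base64 "dn::" is not decoded here
            elif (reason := check_value(attr, rest)):
                pending.append((attr, number, reason))
    return findings
```

The second sample entry passes these checks on its own; in the import log above, children of a skipped entry are then reported as having no parent.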

Comment 44 Jenny Severance 2010-05-12 20:37:16 UTC
I believe all that is needed to verify this bug is ...

[root@jgalipea-rhel4 ~]# ldapsearch -x -h hostname.example.com -p 389 -D "cn=Directory Manager" -w Secret -b "dc=example,dc=com" "(businessCategory=*\)Limited*)"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope sub
# filter: (businessCategory=*\)Limited*)
# requesting: ALL
#

# TUser, People, example.com
dn: uid=TUser,ou=People,dc=example,dc=com
uid: TUser
businessCategory: ou=PRC (China)Limited Company
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User
cn: Test User
userPassword:: e1NTSEF9QjFuN3JIbld4amhWNWVGaHh4OE5BVmFjNllwNEpjQ3lUUlFvVUE9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But want to verify because of all the other noise in this bug :-)

Comment 45 Rich Megginson 2010-05-12 21:05:27 UTC
(In reply to comment #44)
> I believe all that is needed to verify this bug is ...
> 
> [root@jgalipea-rhel4 ~]# ldapsearch -x -h hostname.example.com -p 389 -D
> "cn=Directory Manager" -w Secret -b "dc=example,dc=com"
> "(businessCategory=*\)Limited*)"
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=com> with scope sub
> # filter: (businessCategory=*\)Limited*)
> # requesting: ALL
> #
> 
> # TUser, People, example.com
> dn: uid=TUser,ou=People,dc=example,dc=com
> uid: TUser
> businessCategory: ou=PRC (China)Limited Company
> givenName: Test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: User
> cn: Test User
> userPassword:: e1NTSEF9QjFuN3JIbld4amhWNWVGaHh4OE5BVmFjNllwNEpjQ3lUUlFvVUE9PQ=
>  =
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1

Correct.

> 
> But want to verify because of all the other noise in this bug :-)

Comment 46 Jenny Severance 2010-05-12 21:10:16 UTC
verified:  RHEL 4

redhat-ds-base-8.2.0-2010051204.el4dsrv

Thanks Rich
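The filter from comment 44 built with RFC 4515 hex escapes, as an added example that is not part of the thread or of 389 Directory Server. The function names are assumptions of this sketch; the last helper rewrites the `\)` style used in the verification command into `\29` on the client side, so that values containing parentheses are matched literally instead of being read as filter structure.

```python
import re

# RFC 4515 section 3: these characters must be written as a backslash
# followed by two hex digits when they occur inside an assertion value.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(text):
    """Escape one assertion value (or one substring component)."""
    return "".join(_SPECIAL.get(ch, ch) for ch in text)

def substring_filter(attr, *, initial="", any_parts=(), final=""):
    """Build (attr=initial*any*...*final) with every component escaped."""
    parts = [initial, *any_parts, final]
    return "({}={})".format(attr, "*".join(escape_value(p) for p in parts))

def normalize_legacy_escapes(filter_text):
    """Rewrite backslash-character escapes such as \\) into hex escapes.

    A backslash followed by two hex digits is already in RFC 4515 form and
    is left alone; any other escaped character becomes its UTF-8 bytes in hex.
    """
    def fix(match):
        if match.group(1) is not None:
            return match.group(0)
        return "".join("\\{:02x}".format(b) for b in match.group(2).encode("utf-8"))
    return re.sub(r"\\(?:([0-9a-fA-F]{2})|(.))", fix, filter_text, flags=re.DOTALL)

def demo():
    """Return the three forms for the value used in this bug."""
    return (
        escape_value("PRC (China)Limited Company"),
        substring_filter("businessCategory", any_parts=[")Limited"]),
        normalize_legacy_escapes(r"(businessCategory=*\)Limited*)"),
    )

if __name__ == "__main__":
    for line in demo():
        print(line)
```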

