Description of problem:
Upgrading from 1.2.6 to 1.2.8 leads to the following errors on service startup:
[08/Jul/2011:15:48:39 -0700] attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [184.108.40.206.4.1.14220.127.116.11.26] for the attribute [nisDomain]
[08/Jul/2011:15:48:39 -0700] attr_syntax_create - Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible with the syntax [18.104.22.168.4.1.1422.214.171.124.26] for the attribute [nisDomain]
Fix: 60nis.ldif should be updated as follows:
DESC 'NIS domain'
I was told to report this bug by richm1 from #389 on freenode.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install 1.2.6
2. Notice that there are no errors on startup
3. Upgrade to 1.2.8
4. Notice that there are errors on startup
Service does not start up without errors.
Service should start up without errors.
The problem is that nisDomain inherits from 'name' - but name is defined as DirectoryString. I'm not sure which rfc or other doc defines nisDomain, but it is likely that the definition has changed in the meantime and we need to update our schema.
(In reply to comment #1)
> The problem is that nisDomain inherits from 'name' - but name is defined as
> DirectoryString. I'm not sure which rfc or other doc defines nisDomain, but it
> is likely that the definition has changed in the meantime and we need to update
> our schema.
It has always been a part of the 2307bis schema.
The problem is that we include an older version of the 2307 schema (60nis.ldif) which has this:
DESC 'NIS domain'
This worked fine in earlier versions, but breaks in recent versions because we now validate the syntax against the matching rules and vice versa. The defintion of 'name' is this:
attributeTypes: ( 126.96.36.199 NAME 'name'
X-ORIGIN 'RFC 4519' )
'name' is defined with DirectoryString (i.e. allows any valid utf-8 character) with appropriate equality and substring matching rules (that is, the matching rules apply only to DirectoryString and syntaxes compatible with DirectoryString).
nisDomain is defined with a different syntax IA5String (i.e. allow only 7-bit clean ASCII characters, not utf-8) - it should _not_ have SUP 'name' because it is incompatible - instead, it should define its own matching rules.
The bug here is in 60nis.ldif - we should change the definition to remove the SUP 'name' and add the IA5String compatible matching rules.
Fixed in 389-ds-base-1.2.10.rc1 now in Fedora/EPEL Testing