
Re: (ITS#7608) cn=config with modifiersdn outside cn=config breaks recovery using slapadd



Christian Kratzer wrote:
> Hi Howard,

Never mind, this was actually a bug in the handling of proxied attributes. 
Fixed now in master, your test case should work fine there.
>
> On Mon, 27 May 2013, hyc@symas.com wrote:
>> ck@cksoft.de wrote:
>>> Hi,
>>>
>>> Summary: it seems having a modifiersdn outside of cn=config in cn=config breaks replication once slapd is restarted.
>>
>> Yeah, using DNs other than the cn=config rootDN is frequently a problem. This
>> is why when cn=config was introduced in 2.3 only the cn=config rootDN was
>> allowed access to the tree.
>>
>> In this particular case, there's a simpler solution - add schema definitions
>> for the missing RDN attributes directly to the cn=config entry. In your case,
>> move the "ou" definition from the cn=core schema entry.
>>
>> There's nothing dirty about this solution - it has always been valid to define
>> schema elements in the top-level slapd.conf file as well as in the top
>> cn=config global config entry. The feature doesn't get used much because most
>> 3rd party schemas are distributed as their own files, so it's simpler to just
>> use the include directive to reference them. But for your current situation,
>> you need to define these schema elements as early as possible, so that they
>> can be processed as valid later on.
>
> Thanks for the feedback.
>
> As my sample had modifiersName: cn=Alice,ou=People,dc=test I added definitions for 'ou' and 'dc' to cn=config.
>
> It seems this helps for modifiersNames of entries below cn=config but not for cn=config itself.
>
> I have uploaded the following three configs that illustrate the remaining problem:
>
>       http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-1-fail.ldif
>       http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-2-ok.ldif
>       http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-3-fail.ldif
>
> The original failure with config-1 because of a modifiersName on cn=module{0},cn=config:
>
>       [root@test-centos64 test]# slapadd -v -n0 -F config-1 -l config-1-fail.ldif
>       added: "cn=config" (00000001)
>       51a32d4b str2entry: invalid value for attributeType modifiersName #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
>       slapadd: could not parse entry (line=42)
>       _#                      7.41% eta   none elapsed            none spd   1.5 M/s
>       Closing DB...
>       [root@test-centos64 test]#
>
> Workaround applied in config-2 with attribute definitions in cn=config
>
>       [root@test-centos64 test]# diff -u config-1-fail.ldif config-2-ok.ldif
>       --- config-1-fail.ldif  2013-05-27 11:50:35.368253951 +0200
>       +++ config-2-ok.ldif    2013-05-27 11:49:17.691253291 +0200
>       @@ -28,6 +28,12 @@
>        olcTLSVerifyClient: never
>        olcToolThreads: 1
>        olcWriteTimeout: 0
>       +olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
>       + RFC2256: organizational unit this object belongs to' SUP name )
>       +olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone
>       + nt' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBST
>       + R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
>       + LUE )
>        structuralObjectClass: olcGlobal
>        entryUUID: 3b1e9034-58d9-1032-8161-d3a3b8e342e7
>        creatorsName: cn=config
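
Review bot: the two olcAttributeTypes values added after olcWriteTimeout carry no record of why 'ou' and 'dc' now live in the global entry instead of cn={0}core. A # comment above them in the LDIF, or a line in the recovery notes, saying they must be defined before any entry whose modifiersName uses them would keep a later schema tidy-up from moving them back. The 'ou' value also uses SUP name, which none of the visible lines define, so it is worth stating that 'name' is expected to be known before this entry is parsed.
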
>       @@ -86,8 +92,6 @@
>         ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
>        olcAttributeTypes: {7}( 2.5.4.10 NAME ( 'o' 'organizationName' ) DESC 'RFC2256
>         : organization this object belongs to' SUP name )
>       -olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
>       - RFC2256: organizational unit this object belongs to' SUP name )
>        olcAttributeTypes: {9}( 2.5.4.12 NAME 'title' DESC 'RFC2256: title associated
>         with the entity' SUP name )
>        olcAttributeTypes: {10}( 2.5.4.14 NAME 'searchGuide' DESC 'RFC2256: search gui
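
Review bot: removing the {8} value leaves the ordering prefixes in this entry jumping from {7} to {9}, and the last hunk leaves the same kind of gap at {49}. The slapadd run that follows accepts the entry, but renumbering the remaining values, or dropping the prefixes and relying on file order, would keep the recovery LDIF from depending on gaps being tolerated.
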
>       @@ -193,10 +197,6 @@
>        olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbo
>         x' ) DESC 'RFC1274: RFC822 Mailbox'   EQUALITY caseIgnoreIA5Match   SUBSTR ca
>         seIgnoreIA5SubstringsMatch   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
>       -olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone
>       - nt' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBST
>       - R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
>       - LUE )
>        olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DE
>         SC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match SUBST
>         R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>       [root@test-centos64 test]#
>
>       [root@test-centos64 test]# slapadd -v -n0 -F config-2 -l config-2-ok.ldif
>       added: "cn=config" (00000001)
>       added: "cn=module{0},cn=config" (00000001)
>       added: "cn=schema,cn=config" (00000001)
>       added: "cn={0}core,cn=schema,cn=config" (00000001)
>       added: "olcDatabase={-1}frontend,cn=config" (00000001)
>       added: "olcDatabase={0}config,cn=config" (00000001)
>       added: "olcDatabase={1}mdb,cn=config" (00000001)
>       _#################### 100.00% eta   none elapsed            none fast!
>       Closing DB...
>       [root@test-centos64 test]#
>
> Breaks again after a modifiersname is added to cn=config
>
>       [root@test-centos64 test]# diff -u config-2-ok.ldif config-3-fail.ldif
>       --- config-2-ok.ldif    2013-05-27 11:49:17.691253291 +0200
>       +++ config-3-fail.ldif  2013-05-27 11:52:57.346255334 +0200
>       @@ -42,7 +42,7 @@
>        olcLogLevel: Stats
>        olcLogLevel: Stats2
>        entryCSN: 20130524161850.764209Z#000000#000#000000
>       -modifiersName: cn=config
>       +modifiersName: cn=Alice,ou=People,dc=test
>        modifyTimestamp: 20130524161850Z
>
>        dn: cn=module{0},cn=config
>       [root@test-centos64 test]#
>
>       [root@test-centos64 test]# slapadd -v -n0 -F config-3 -l config-3-fail.ldif
>       51a32daf str2entry: invalid value for attributeType modifiersName #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
>       slapadd: could not parse entry (line=1)
>       _#                      7.35% eta   none elapsed            none spd   3.0 M/s
>       Closing DB...
>       [root@test-centos64 test]#
>
> Sorry if I do not see the obvious.  Is there any possibility to get this to work for cn=config as well as entries below cn=config?
>
> How much freedom would we have to rearrange the entries under cn=config so we could have the schema definitions read before olcGlobal?
>
> Greetings
> Christian
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
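
A pre-flight check for a cn=config LDIF before feeding it to `slapadd -n0`, as an added example that is not part of the original thread or of OpenLDAP. It assumes a simplified model taken from the behaviour reported above: attribute types declared in one entry become usable only from the next entry on, and only `cn` is known beforehand (`BUILTIN`, `DN_ATTRS` and `preflight` are hypothetical names).

```python
import re

BUILTIN = {"cn"}          # assumption: types known before any schema is read
DN_ATTRS = {"modifiersname", "creatorsname"}

def unfold(ldif):
    """Join folded LDIF lines: a line starting with one space continues the previous."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def defined_names(value):
    """Names declared by one olcAttributeTypes value: NAME 'x' or NAME ( 'x' 'y' )."""
    m = re.search(r"NAME\s+(\(\s*(?:'[^']+'\s*)+\)|'[^']+')", value)
    return {n.lower() for n in re.findall(r"'([^']+)'", m.group(1))} if m else set()

def rdn_types(dn):
    """Attribute types used in a DN (simplified: no escaped ',' and no '+')."""
    return {rdn.split("=", 1)[0].strip().lower() for rdn in dn.split(",")}

def preflight(ldif):
    """Return (entry dn, attribute, missing types) for DN values that use
    attribute types not declared by an EARLIER entry of the LDIF."""
    known, pending, dn, findings = set(BUILTIN), set(), None, []
    for line in unfold(ldif) + [""]:
        if not line.strip():              # blank line ends the entry
            known |= pending              # its schema counts from the next entry on
            pending, dn = set(), None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "olcattributetypes":
            pending |= defined_names(value)
        elif attr in DN_ATTRS and rdn_types(value) - known:
            findings.append((dn, attr, sorted(rdn_types(value) - known)))
    return findings

# Constructed sample, shaped like config-3-fail.ldif in the thread.
SAMPLE = """dn: cn=config
olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitNa
 me' ) SUP name )
olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME 'dc' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
modifiersName: cn=Alice,ou=People,dc=test

dn: cn=module{0},cn=config
modifiersName: cn=Alice,ou=People,dc=test
"""

if __name__ == "__main__":
    print(preflight(SAMPLE))
```
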