Re: (ITS#7608) cn=config with modifiersdn outside cn=config breaks recovery using slapadd
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7608) cn=config with modifiersdn outside cn=config breaks recovery using slapadd
- From: hyc@symas.com
- Date: Mon, 27 May 2013 15:59:00 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Christian Kratzer wrote:
> Hi Howard,
Never mind, this was actually a bug in the handling of proxied attributes.
Fixed now in master, your test case should work fine there.
>
> On Mon, 27 May 2013, hyc@symas.com wrote:
>> ck@cksoft.de wrote:
>>> Hi,
>>>
>>> Summary: it seems having a modifiersdn outside of cn=config in cn=config breaks replication once slapd is restarted.
>>
>> Yeah, using DNs other than the cn=config rootDN is frequently a problem. This
>> is why when cn=config was introduced in 2.3 only the cn=config rootDN was
>> allowed access to the tree.
>>
>> In this particular case, there's a simpler solution - add schema definitions
>> for the missing RDN attributes directly to the cn=config entry. In your case,
>> move the "ou" definition from the cn=core schema entry.
>>
>> There's nothing dirty about this solution - it has always been valid to define
>> schema elements in the top-level slapd.conf file as well as in the top
>> cn=config global config entry. The feature doesn't get used much because most
>> 3rd party schemas are distributed as their own files, so it's simpler to just
>> use the include directive to reference them. But for your current situation,
>> you need to define these schema elements as early as possible, so that they
>> can be processed as valid later on.
>
> Thanks for the feedback.
>
> As my sample had modifiersName: cn=Alice,ou=People,dc=test I added definitions for 'ou' and 'dc' to cn=config.
>
> It seems this helps for modifiersNames of entries below cn=config but not for cn=config itself.
>
> I have uploaded the following three configs that illustrate the remaining problem:
>
> http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-1-fail.ldif
> http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-2-ok.ldif
> http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-3-fail.ldif
>
> The original failure with config-1 because of a modifiersName on cn=module{0},cn=config:
>
> [root@test-centos64 test]# slapadd -v -n0 -F config-1 -l config-1-fail.ldif
> added: "cn=config" (00000001)
> 51a32d4b str2entry: invalid value for attributeType modifiersName #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
> slapadd: could not parse entry (line=42)
> _# 7.41% eta none elapsed none spd 1.5 M/s
> Closing DB...
> [root@test-centos64 test]#
>
> Workaround applied in config-2 with attribute definitions in cn=config
>
> [root@test-centos64 test]# diff -u config-1-fail.ldif config-2-ok.ldif
> --- config-1-fail.ldif 2013-05-27 11:50:35.368253951 +0200
> +++ config-2-ok.ldif 2013-05-27 11:49:17.691253291 +0200
> @@ -28,6 +28,12 @@
> olcTLSVerifyClient: never
> olcToolThreads: 1
> olcWriteTimeout: 0
> +olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
> + RFC2256: organizational unit this object belongs to' SUP name )
> +olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone
> + nt' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBST
> + R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
> + LUE )
> structuralObjectClass: olcGlobal
> entryUUID: 3b1e9034-58d9-1032-8161-d3a3b8e342e7
> creatorsName: cn=config
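Review bot: the two olcAttributeTypes values added to the olcGlobal entry cover only the 'ou' and 'dc' RDN types of the sample DN cn=Alice,ou=People,dc=test. The workaround description should say that every attribute type appearing in a creatorsName or modifiersName DN needs the same early definition, otherwise a modifier named under a different attribute will hit the same str2entry error on restore.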
> @@ -86,8 +92,6 @@
> ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
> olcAttributeTypes: {7}( 2.5.4.10 NAME ( 'o' 'organizationName' ) DESC 'RFC2256
> : organization this object belongs to' SUP name )
> -olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
> - RFC2256: organizational unit this object belongs to' SUP name )
> olcAttributeTypes: {9}( 2.5.4.12 NAME 'title' DESC 'RFC2256: title associated
> with the entity' SUP name )
> olcAttributeTypes: {10}( 2.5.4.14 NAME 'searchGuide' DESC 'RFC2256: search gui
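Review bot: removing the {8} value here leaves the explicit ordering prefixes in this entry jumping from {7} to {9}, and the next hunk does the same between {48} and {50}. Renumber the remaining values, or state in the workaround description that the gaps are intentional, so that whoever restores from this LDIF later does not have to guess.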
> @@ -193,10 +197,6 @@
> olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbo
> x' ) DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR ca
> seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
> -olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone
> - nt' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBST
> - R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
> - LUE )
> olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DE
> SC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match SUBST
> R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> [root@test-centos64 test]#
>
> [root@test-centos64 test]# slapadd -v -n0 -F config-2 -l config-2-ok.ldif
> added: "cn=config" (00000001)
> added: "cn=module{0},cn=config" (00000001)
> added: "cn=schema,cn=config" (00000001)
> added: "cn={0}core,cn=schema,cn=config" (00000001)
> added: "olcDatabase={-1}frontend,cn=config" (00000001)
> added: "olcDatabase={0}config,cn=config" (00000001)
> added: "olcDatabase={1}mdb,cn=config" (00000001)
> _#################### 100.00% eta none elapsed none fast!
> Closing DB...
> [root@test-centos64 test]#
>
> Breaks again after a modifiersname is added to cn=config
>
> [root@test-centos64 test]# diff -u config-2-ok.ldif config-3-fail.ldif
> --- config-2-ok.ldif 2013-05-27 11:49:17.691253291 +0200
> +++ config-3-fail.ldif 2013-05-27 11:52:57.346255334 +0200
> @@ -42,7 +42,7 @@
> olcLogLevel: Stats
> olcLogLevel: Stats2
> entryCSN: 20130524161850.764209Z#000000#000#000000
> -modifiersName: cn=config
> +modifiersName: cn=Alice,ou=People,dc=test
> modifyTimestamp: 20130524161850Z
>
> dn: cn=module{0},cn=config
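Review bot: this case changes only modifiersName on the cn=config entry, while creatorsName stays cn=config (as in the context of the previous diff). creatorsName takes the same DN syntax, so add a variant with creatorsName set to a DN outside cn=config to cover both operational attributes in the test case.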
> [root@test-centos64 test]#
>
> [root@test-centos64 test]# slapadd -v -n0 -F config-3 -l config-3-fail.ldif
> 51a32daf str2entry: invalid value for attributeType modifiersName #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12)
> slapadd: could not parse entry (line=1)
> _# 7.35% eta none elapsed none spd 3.0 M/s
> Closing DB...
> [root@test-centos64 test]#
>
> Sorry if I do not see the obvious. Is there any possibility to get this to work for cn=config as well as entries below cn=config?
>
> How much freedom would we have to rearrange the entries under cn=config so we could have the schema definitions read before olcGlobal?
>
> Greetings
> Christian
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
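
A pre-restore check for the failure discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP: it walks a cn=config LDIF in file order and reports creatorsName/modifiersName DNs whose RDN attribute types have not been defined by an earlier entry. It models the behaviour reported above for the affected build (before the fix in master); the function names and the `BUILTIN` set are assumptions.

```python
import re
# Assumption: 'cn' is built in; the thread's workaround only added 'ou' and 'dc'.
BUILTIN = {"cn"}
DN_ATTRS = ("creatorsname", "modifiersname")

# Constructed sample modelled on the thread's config-3 case.
SAMPLE = """dn: cn=config
olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SUP
  name )
olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' ) )
modifiersName: cn=Alice,ou=People,dc=test

dn: cn=module{0},cn=config
modifiersName: cn=Alice,ou=People,dc=test
"""

def entries(ldif):
    """Yield each entry as (attr, value) pairs, after unfolding continuation lines."""
    for block in re.split(r"\n\s*\n", re.sub(r"\r?\n ", "", ldif).strip()):
        pairs = [(a.strip().lower(), v.strip())
                 for a, sep, v in (l.partition(":") for l in block.splitlines())
                 if sep and not a.startswith("#")]
        if pairs:
            yield pairs

def defined_names(value):
    """Names from NAME 'x' or NAME ( 'x' 'y' ) in an attribute type definition."""
    m = re.search(r"NAME\s+(\(\s*(?:'[^']+'\s*)+\)|'[^']+')", value)
    return {n.lower() for n in re.findall(r"'([^']+)'", m.group(1))} if m else set()

def rdn_types(dn):
    """Attribute types used in a DN's RDNs (escaped commas are not handled)."""
    return {p.split("=", 1)[0].strip().lower()
            for rdn in dn.split(",") for p in rdn.split("+") if "=" in p}

def check(ldif):
    """List (entry dn, attr, missing types) in the order slapadd reads the file."""
    known, problems = set(BUILTIN), []
    for pairs in entries(ldif):
        dn = dict(pairs).get("dn", "?")
        for attr, value in pairs:
            missing = rdn_types(value) - known if attr in DN_ATTRS else None
            if missing:
                problems.append((dn, attr, sorted(missing)))
        # Definitions become usable only for entries after this one.
        for attr, value in pairs:
            if attr == "olcattributetypes":
                known |= defined_names(value)
    return problems
```

`check(SAMPLE)` flags only the cn=config entry, which matches the config-3 result reported in the thread; an empty list means no entry depends on a definition that comes later in the file.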