
Re: error - attribute description contains inappropriate characters



I think you should definitely reply on the openldap-software list.

> We are still having the problem mentioned below. Here is what we did:
>
> 1. Upgrade to OpenLDAP 2.2.15
>
> $ /usr/local/libexec/slapd -V
> @(#) $OpenLDAP: slapd 2.2.15 (Aug 29 2004 10:31:46) $
>         root@example.com:/usr/local/src/openldap-2.2.15/servers/slapd
>
> 2. We can connect and query OpenLDAP fine using tools like phpldapadmin and
> ldapsearch.
>
> 3. When we try to query a groupOfUniqueNames with a network appliance that
> we have (and it may be what is buggy, but they are sure it's fine on their
> end), we get this:
>
> conn=2 op=1 RESULT tag=111 err=17 text=AttributeDescription contains
> inappropriate characters
> daemon: select: listen=6 active_threads=0 tvp=NULL
> daemon: select: listen=7 active_threads=0 tvp=NULL
>
> If I do a slapcat everything looks just fine.
>
> Any ideas?
>
> By the way, after the upgrade we took an LDIF of our directory and added it
> back using ldapadd just to make sure our directory was clean. (Or clean
> enough for ldapadd to work.)
>
> I would be happy to provide an LDIF from slapcat or anything else needed if
> that will help resolve this problem. I'm really not sure what else to
> check.
>
> Here is the slapcat output of the groupOfUniqueNames in question:
>
> dn: cn=OurUserGroup,ou=Groups,dc=xx,dc=com
> cn: OurUserGroup
> uniqueMember: uid=abc3,ou=Accounts,dc=xx,dc=com
> objectClass: groupOfUniqueNames
> objectClass: top
> structuralObjectClass: groupOfUniqueNames
> entryUUID: 649a9790-8dd2-1028-9d51-f89f66195995
> creatorsName: cn=Manager,dc=xx,dc=com
> createTimestamp: 20040829064251Z
> entryCSN: 20040829064251Z#000017#00#000000
> modifiersName: cn=Manager,dc=xx,dc=com
> modifyTimestamp: 20040829064251Z
>
> Note that uid=abc3,ou=Accounts,dc=xx,dc=com is a valid entry and we can bind
> with that fine. Also, uid=abc3,ou=Accounts,dc=xx,dc=com has read access to
> the groupOfUniqueNames entry, although it appears the application/device is
> using just the administrative binddn that we gave it for testing.

The entry looks fine.  I am unable to reproduce the problem, i.e. wherever
I put an invalid attribute type in a search request (filter, requested
attributes) I get a success (of course, with no results or no entries
returned).  Maybe more verbose logs could help in finding what invalid
request is being submitted, if any, or where the error is located.  I
suggest you file an ITS and provide logs at level -1 of the server.

p.


>
> ----- Original Message -----
> From: "Pierangelo Masarati" <ando@sys-net.it>
> To: "adp" <dap99@i-55.com>
> Cc: <openldap-software@OpenLDAP.org>
> Sent: Thursday, July 08, 2004 2:15 PM
> Subject: Re: error - attribute description contains inappropriate
> characters
>
>
>> 2.0 is obsolete; however, that error means that the name of an attribute
>> contains invalid chars.  I suggest you slapcat the DB, look for that entry
>> and check all the attribute names for illegal chars.  If they're all ok,
>> then there might be a bug in slapd, but in that case you need to upgrade.
>>
>> p.
>>
>> > We have a strange problem with an application trying to use our OpenLDAP
>> > directory. Basically, the application (a network appliance in fact) is
>> > trying to use the LDAP directory for user authentication and
>> > authorization. The authentication works great. However, the authorization
>> > always fails. We also see "attribute description contains inappropriate
>> > characters" whenever the authorization check is done. I'm looking for
>> > help on determining the cause of this problem.
>> >
>> > The authorization works by matching the authenticated user with
>> > uniqueMember attribute in a groupOfUniqueNames. We get the query and then
>> > OpenLDAP shows this:
>> >
>> > => dn2id( "CN=THEUSERS,OU=GROUPS,DC=domain,DC=COM" )
>> > => ldbm_cache_open( "dn2id.dbb", 9, 600 )
>> > <= ldbm_cache_open (cache 0)
>> > <= dn2id 455
>> > => id2entry_r( 455 )
>> > => ldbm_cache_open( "id2entry.dbb", 9, 600 )
>> > <= ldbm_cache_open (cache 1)
>> > => str2entry
>> > <= str2entry(cn=TheUsers,ou=Groups,dc=domain,dc=com) -> -1 (0x81dbd10)
>> > <= id2entry_r( 455 ) 0x81dbd10 (disk)
>> > ====> cache_return_entry_r( 455 ): created (0)
>> > send_ldap_result: conn=1 op=1 p=3
>> > send_ldap_result: 17::attribute description contains inappropriate
>> > characters
>> > send_ldap_response: msgid=2 tag=111 err=17
>> > ber_flush: ...
>> > ...
>> > conn=1 op=1 RESULT tag=111 err=17 text=attribute description contains
>> > inappropriate characters
>> > daemon: activity on 1 descriptors
>> > daemon: activity on: 14r
>> > daemon: read activity on 14
>> > connection_get(14)
>> > connection_get(14): got connid=1
>> > connection_read(14): checking for input on id=1
>> >
>> > We have completely removed CN=THEUSERS and recreated it from scratch (we
>> > are using phpldapadmin), yet we get the same "attribute description"
>> > error. Is this a problem with our directory, or something else? I've done
>> > a dump of CN=THEUSERS and it looks fine to me.
>> >
>> > Is this an error that the LDAP client sent bad information, or that
>> > something is going wrong with the server (e.g., a bad directory entry, or
>> > a corrupted file)?
>> >
>> > This is openldap 2.0.x (we can't currently upgrade) on RHES3.
>> >
>> >
>> >
>> >
>>
>>
>> --
>> Pierangelo Masarati
>> mailto:pierangelo.masarati@sys-net.it
>>
>>
>>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:
>> +390382476497
>>
>>
>
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
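
The check suggested in the quoted July reply (slapcat the DB and inspect every attribute name for illegal characters) can be scripted. The following is an added example, not part of the original messages or of OpenLDAP; it assumes the RFC 4512 attribute description grammar, and the second LDIF entry is constructed for illustration.

```python
import re

# Attribute description grammar (RFC 4512): descr or numericoid, then ;options
_DESCR = r"[A-Za-z][A-Za-z0-9-]*"
_NUMERICOID = r"(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+"
ATTR_DESC = re.compile(rf"(?:{_DESCR}|{_NUMERICOID})(?:;[A-Za-z0-9-]+)*")

# Constructed sample: first entry abridged from the thread, second is made up
# to show a folded line, an underscore and a stray space before the colon.
SAMPLE_LDIF = """\
dn: cn=OurUserGroup,ou=Groups,dc=xx,dc=com
cn: OurUserGroup
uniqueMember: uid=abc3,ou=Accounts,dc=xx,dc=com
objectClass: groupOfUniqueNames
entryCSN: 20040829064251Z#000017#00#000000

dn: cn=Constructed,ou=Groups,dc=xx,dc=com
cn;lang-en: Constructed
unique_Member: uid=abc3,ou=Accounts,
 dc=xx,dc=com
uniqueMember : uid=abc3,ou=Accounts,dc=xx,dc=com
2.5.4.3: Constructed
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (one leading space), then drop comments."""
    joined = re.sub(r"\r?\n ", "", ldif_text)
    return [ln for ln in joined.splitlines() if not ln.startswith("#")]


def bad_attribute_descriptions(ldif_text):
    """Return (dn, name) for every attribute name that violates the grammar."""
    findings, dn = [], None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        name, sep, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.lstrip(": ")  # also copes with the "dn::" base64 form
        elif not sep or not ATTR_DESC.fullmatch(name):
            findings.append((dn, name))
    return findings


if __name__ == "__main__":
    for dn, name in bad_attribute_descriptions(SAMPLE_LDIF):
        print(f"{dn}: invalid attribute description {name!r}")
```

A clean result only clears the stored entries; an invalid attribute name sent in the client's search request would not appear in slapcat output and has to be found in the server logs.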