Full_Name: Ivo Clarysse
Version: 1.2.7
OS: RedHat Linux 6.0
URL:
Submission from: (NULL) (212.8.177.25)

Setting 'schemacheck on' does not prevent OpenLDAP from accepting entries with undefined ObjectClasses. I.e. in the default 1.2.7 distribution there is no 'InetOrgPerson' objectclass, nor a 'loginshell' attribute defined anywhere. Yet, slapd does not complain when adding the following entry:

dn: uid=tu,ou=People,dc=starlab,dc=net
objectclass: top
objectclass: posixAccount
objectclass: account
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgperson
ou: People
o: Starlab NV/SA
uid: tu
cn: Test User
givenname: Test
sn: User
userpassword: {crypt}axbljkgkwss
uidnumber: 506
gidnumber: 506
gecos: Test User
homedirectory: /home/tu
loginshell: /bin/bash
mail: tu@starlab.net
c: BE
telephonenumber: +32-2-7400740
facsimiletelephonenumber: +32-2-7429654
street: Sint-Michielslaan 47
l: Etterbeek
postalcode: B-1040

(When for example 'cn' is omitted, slapd *does* complain, as objectclass 'person' is defined in slapd.oc.conf.)

My slapd.conf:

include /etc/ldap/slapd.at.conf
include /etc/ldap/slapd.oc.conf
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
database ldbm
directory /var/ldap
suffix "dc=starlab, dc=net"
rootdn "cn=root, dc=starlab, dc=net"
rootpw {CRYPT}*********
schemacheck on
index cn,sn,ou pres,eq,approx
defaultaccess read
access to attr=userpassword
 by self write
 by * compare

(slapd.at.conf and slapd.oc.conf as per 1.2.7 distribution, unchanged)

This bug is also reported in ITS#101, where it is listed as Closed and believed to be fixed in 1.2.4. At least in 1.2.7, it's not fixed.
At 11:33 AM 1/27/00 GMT, soggie@starlab.net wrote:
>Full_Name: Ivo Clarysse
>Version: 1.2.7
>OS: RedHat Linux 6.0
>URL:
>Submission from: (NULL) (212.8.177.25)
>
>
>Setting 'schemacheck on' does not prevent OpenLDAP from accepting entries with
>undefined ObjectClasses.

The fact that an entry lists an objectclass not known by the server implies that the schema check itself cannot be completed. In OpenLDAP 1.x, an entry with an unknown objectclass is treated as being an extensible object, that is, all attribute types are allowed. This is primarily done to support replication between servers where the slave may not have the same schema as the master.

I agree that the behavior is somewhat odd and that it should be addressed in 2.x.

For 1.x, I can offer a patch, after applying which you can configure using:

  env CPPFLAGS=-DSLAPD_UNDEFINED_OC_IS_NOT_EXTENSIBLE ./configure ....

to have undefined objectclasses not imply the object is extensible. The patch, however, does not disallow undefined objectclass values.

  http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/schema.c.diff?r1=1.4.2.2.2.1&r2=1.4.2.2.2.2

As far as ITS#101 goes... the submitter was asked if the problem was resolved by newer versions. As the submitter did not respond, the issue was assumed resolved and the matter closed.

Thanks for pointing out that the issue is still valid.

Kurt
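To make the behaviour described in the reply concrete, here is an added example (not OpenLDAP's own code) that models the 1.x objectclass check: with an unknown objectclass in the entry the object becomes extensible and every attribute is accepted, while a build with SLAPD_UNDEFINED_OC_IS_NOT_EXTENSIBLE enforces the MUST/MAY sets of the known classes but still does not reject the undefined objectclass value. The schema and the entry below are constructed subsets of what the report shows; as in the report, inetOrgPerson and loginshell are not defined anywhere.

```python
# Added example (not OpenLDAP code): a model of the 1.x objectclass check from
# Kurt's reply. The schema is a constructed subset of slapd.oc.conf; as in the
# report, inetOrgPerson and loginshell are not defined anywhere.
SCHEMA = {  # objectclass -> (MUST attributes, MAY attributes)
    "top": ({"objectclass"}, set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber"}),
    "posixaccount": ({"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     {"userpassword", "gecos"}),
}

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} with lower-cased names."""
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def check_entry(entry, schema, undefined_oc_is_extensible=True):
    """Return sorted violations; an empty list means slapd would accept it."""
    ocs = {v.lower() for v in entry.get("objectclass", [])}
    known = [oc for oc in ocs if oc in schema]
    must = set().union(*(schema[oc][0] for oc in known))
    may = set().union(*(schema[oc][1] for oc in known))
    present = set(entry) - {"dn"}  # the dn names the entry; it is not an attribute
    bad = [f"missing required attribute: {a}" for a in sorted(must - present)]
    # 1.x default: an unknown objectclass makes the entry extensible, so the
    # MAY restriction is waived. With -DSLAPD_UNDEFINED_OC_IS_NOT_EXTENSIBLE the
    # known classes' sets are enforced; the unknown value itself is never rejected.
    if not (ocs - set(known) and undefined_oc_is_extensible):
        bad += [f"attribute not allowed: {a}" for a in sorted(present - must - may)]
    return bad

# Constructed entry, shortened from the one in the report.
REPORTED = parse_ldif("""dn: uid=tu,ou=People,dc=starlab,dc=net
objectclass: top
objectclass: posixAccount
objectclass: person
objectclass: inetOrgperson
uid: tu
cn: Test User
givenname: Test
sn: User
uidnumber: 506
gidnumber: 506
homedirectory: /home/tu
loginshell: /bin/bash
mail: tu@starlab.net""")
```

`check_entry(REPORTED, SCHEMA)` returns an empty list (accepted, as the report observed), while `check_entry(REPORTED, SCHEMA, False)` flags givenname, loginshell and mail; dropping `cn` is reported as a missing required attribute in both modes, matching the reporter's note about 'person'.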
changed state Open to Test moved from Incoming to Software Bugs
changed state Test to Release
changed state Release to Closed