[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5064) Issues with openldap 2.2 (Error 34 Invalid DN syntax )

Full_Name: Pierre-Emmanuel Brinette
Version: 2.2.13 (openldap-2.2.13-6.4E)
OS: Scientific Linux 4.4 (RHEL 4.4 clone)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


Openldap is used as information provider in a GRID middleware project
(http://www.eu-egee.org/). This information provider is known as BDII.

The information about grid nodes are published via openldap.

Until now, the platform supported by the middleware is Scientific Linux 3 (a
RHEL 3 clone like CentOS). The openldap version provided with this system is
openldap 2.0.27.

We updated our systems with Scientific Linux 4.4 (RHEL 4.4) for new hardware
support. The openldap version provided is now 2.2.13.

When I put the new service in production, I find some issues with some
attributes that disappears from the directory.

In our openldap schema, we have an attribute declared like this:

attributetype (
    NAME        'GlueVOViewLocalID'
    DESC        'Local ID for this VO view'
    EQUALITY    caseIgnoreIA5Match
    SUBSTR      caseIgnoreIA5SubstringsMatch

This attribute may containt string like these: 


It seem that theses both sample strings are IA5 compliant.

When I ask the openldap server with this request, I?ve got different results
regarding the openldap version : 

------------ Openldap 2.0.27 -----------------------

ldapsearch -x  -P3 -H ldap://cclcgtopbdii01.in2p3.fr:2170 -b
version: 2

# filter: (objectclass=*)
# requesting: ALL

# /VO=swetest/GROUP=/swetest/ROLE=swadmin, grid001.fc.up.pt:2119/jobmanager-l
 cgsge-swetest, UPorto, local, grid
dn: GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=g
objectClass: GlueCETop
objectClass: GlueVOView
objectClass: GlueCEInfo
objectClass: GlueCEState
objectClass: GlueCEAccessControlBase
objectClass: GlueCEPolicy
objectClass: GlueKey
objectClass: GlueSchemaVersion
GlueVOViewLocalID: /VO=swetest/GROUP=/swetest/ROLE=swadmin
GlueCEAccessControlBaseRule: VOMS:/VO=swetest/GROUP=/swetest/ROLE=swadmin
GlueCEAccessControlBaseRule: DENY:dteam
GlueCEAccessControlBaseRule: DENY:ops
GlueCEAccessControlBaseRule: DENY:swetest
GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=lcgadmin
GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=production
GlueCEAccessControlBaseRule: DENY:/VO=ops/GROUP=/ops/ROLE=lcgadmin
GlueCEStateRunningJobs: 0
GlueCEStateWaitingJobs: 0
GlueCEStateTotalJobs: 0
GlueCEStateFreeJobSlots: 22
GlueCEStateEstimatedResponseTime: 0
GlueCEStateWorstResponseTime: 0
GlueCEInfoDefaultSE: hades.up.pt
GlueCEInfoApplicationDir: /vosoft/swetestsoft
GlueCEInfoDataDir: unset
GlueChunkKey: GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest
GlueSchemaVersionMajor: 1
GlueSchemaVersionMinor: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


--------------------- openldap 2.2.13 ------------------------

ldapsearch -P3 -x -H ldap://cclcgtopbdii02.in2p3.fr:2170 -b
version: 2

# filter: (objectclass=*)
# requesting: ALL

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1


Each time a dn contain an attribute of the following form :
 "attribute=a_string=another_string,..." (eg:
"/VO=swetest/GROUP=/swetest/ROLE=swadmin") openldap 2.2 produce an error "could
not parse entry" 

In fact, each time the attribute value contain more that one equal ("=")
character, openldap failed to handle the string, even though this character is 
included in the IA5 table.

Best regards.

Pierre-Emmanuel Brinette	
Grid computing - EGEE/LCG team
IN2P3/CNRS Computing Centre - Lyon (France)
27 bd du 11 novembre, F-69622 Villeurbanne cedex
pbrinette@cc.in2p3.fr - Tél. : +33 (0) 4 78 93 08 80