[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: nisNetgroupTriple Question

> Hash: SHA1
> All,
> I am setting up our companies LDAP server and am working on getting
> "group" based authorization in place utilizing netgroup and
> nisNetgroupTriple.  I can create a netgroup with users already in it
> and am able to control what users access which hosts.  But, my problem
> is that when I try to modify the nisNetgroupTriple for one of the
> netgroups in question I get the following error:
> 01:54:45 PM: Failed to add 'nisNetgroupTriple' attribute for
> ldap://, ou=netgroup, dc=sample,dc=com
> Root error: [LDAP: error code 18 - modify/add: nisNetgroupTriple: no
> equality matching rule]
> Okay, this tells me that my nis.schema does not have a proper equality
> rule, or at least I think it does.  I've searched the archives, and
> google too, but am coming up blank on the proper syntax to get this
> working.

you need to delete all the values of that attribute and add
the new set because in the absence of a matching rule there
is no way to perform a "delete" on a single value; see RFC2251:

4.6. Modify Operation
   If an equality match filter has not been defined for an attribute
type, clients MUST NOT attempt to delete individual values of that
attribute from an entry using the "delete" form of a modification,
and MUST instead use the "replace" form.

OpenLDAP's slapd enforces analogous limitations on add because
in absence of an equality rule there's no way to determine
whether a new value is duplicate or not.

Note that draft-ietf-ldapbis-protocol removes this limitation:

C.1.23 Section 4.6

   - Removed restriction that required an equality match filter in
     order to perform value delete modifications. It is sufficiently
     documented that in absence of an equality matching rule, octet
     equality is used.

OpenLDAP's slapd doesn't implement this yet (because
it's still in draft form?).


Pierangelo Masarati