Created attachment 358288
Fixed schema file.

After upgrading to openldap-2.4.35, slaptest complains about syntax errors and invalid attributes in the schema file /etc/openldap/rfc2307bis.schema. Manually fixing the schema file (see attached) resolved the problem.

Steps to reproduce:
- Emerge openldap-2.4.35
- Add rfc2307bis.schema in slapd.conf
- Trying to start slapd via the init script results in the following:

$ /etc/init.d/slapd restart
 * Stopping ldap-server ...                                               [ ok ]
    AttributeTypeDescription = "(" whsp
          numericoid whsp              ; AttributeType identifier
        [ "NAME" qdescrs ]             ; name used in AttributeType
        [ "DESC" qdstring ]            ; description
        [ "OBSOLETE" whsp ]
        [ "SUP" woid ]                 ; derived from this other
                                       ; AttributeType
        [ "EQUALITY" woid ]            ; Matching Rule name
        [ "ORDERING" woid ]            ; Matching Rule name
        [ "SUBSTR" woid ]              ; Matching Rule name
        [ "SYNTAX" whsp noidlen whsp ] ; see section 4.3
        [ "SINGLE-VALUE" whsp ]        ; default multi-valued
        [ "COLLECTIVE" whsp ]          ; default not collective
        [ "NO-USER-MODIFICATION" whsp ]; default user modifiable
        [ "USAGE" whsp AttributeUsage ]; default userApplications
                                       ; userApplications
                                       ; directoryOperation
                                       ; distributedOperation
                                       ; dSAOperation
        whsp ")"
slaptest: bad configuration file!
 * There is a problem with your slapd.conf!
 * ERROR: slapd failed to start
Created attachment 358290
emerge --config output
Same here. Using the attached schema file appears to get slapd to start, no issues yet...
1. Please attach patches in future, not new copies of the file.
2. Why did you remove the authPassword attribute from OC posixAccount, shadowAccount, ipHost?
(In reply to Robin Johnson from comment #3)
> 1. please attach patches in future, not new copies of the file.
> 2. Why did you remove the authPassword attribute from OC posixAccount,
> shadowAccount, ipHost?

With the authPassword attribute I get the error:

$ slaptest
522e04fc /etc/openldap/schema/rfc2307bis.schema: line 256 objectclass: AttributeType not found: "authPassword"
slaptest: bad configuration file!
authPassword is a built-in attribute of slapd w/ SASL, per RFC3112
(In reply to Robin Johnson from comment #5)
> authPassword is a built-in attribute of slapd w/ SASL, per RFC3112

Do you mean "with" or "without" SASL? SASL is enabled, see the emerge --info dump attached. But the attribute is not available. Is this correct behavior?
Created attachment 358390
emerge --info openldap
To explain why I did not attach a patch: I fixed the schema file to the best of my knowledge. I'm not an expert in LDAP schemata, so please don't use this schema in production, since I don't know whether I fixed it correctly! It should be fixed by a maintainer, or at least by somebody who is more into that stuff ...
openldap-2.4.35/servers/slapd/schema_prep.c:

#ifdef SLAPD_AUTHPASSWD
	{ "authPassword", "( 1.3.6.1.4.1.4203.1.3.4 "
		"NAME 'authPassword' "
		"DESC 'RFC3112: authentication password attribute' "
		"EQUALITY 1.3.6.1.4.1.4203.1.2.2 "
		"SYNTAX 1.3.6.1.4.1.4203.1.1.2 )",
		NULL, 0,
		NULL, NULL,
		NULL, NULL, NULL, NULL, NULL,
		offsetof(struct slap_internal_schema, si_ad_authPassword) },
	{ "supportedAuthPasswordSchemes", "( 1.3.6.1.4.1.4203.1.3.3 "
		"NAME 'supportedAuthPasswordSchemes' "
		"DESC 'RFC3112: supported authPassword schemes' "
		"EQUALITY caseExactIA5Match "
		"SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} "
		"USAGE dSAOperation )",
		subschemaAttribute, 0,
		NULL, NULL,
		NULL, NULL, NULL, NULL, NULL,
		offsetof(struct slap_internal_schema, si_ad_authPasswordSchemes) },
#endif
The interesting part is where SLAPD_AUTHPASSWD is going to be defined:

$ grep SLAPD_AUTHPASSWD openldap-2.4.35 -inR
servers/slapd/schema_init.c:6289:#ifdef SLAPD_AUTHPASSWD
servers/slapd/schema_init.c:6730:#ifdef SLAPD_AUTHPASSWD
servers/slapd/schema_prep.c:972:#ifdef SLAPD_AUTHPASSWD
servers/slapd/slap.h:971:#ifdef SLAPD_AUTHPASSWD

No #define or similar. So I guess SLAPD_AUTHPASSWD is set from the command line via make: I found that the USE flag "sasl" adds "--with-cyrus-sasl" and "--enable-spasswd" to mycon. This can be confirmed in the configure part:

--enable-ldap --enable-slapd --enable-bdb --enable-hdb --enable-dnssrv=mod --enable-ldap=mod --enable-meta=mod --enable-monitor=mod --enable-null=mod --enable-passwd=mod --enable-relay=mod --enable-shell=mod --enable-sock=mod --disable-perl --disable-sql --enable-crypt --disable-slp --disable-lmpasswd --enable-syslog --enable-aci --enable-cleartext --enable-modules --enable-rewrite --enable-rlookups --enable-slapi --enable-syncprov=yes --enable-ipv6 --with-cyrus-sasl --enable-spasswd --enable-wrappers --with-tls=openssl --enable-dynamic --enable-local --enable-proctitle --enable-shared --enable-static

If I fetch the gcc calls, I should be able to see whether such a call uses "-DSLAPD_AUTHPASSWD". Unfortunately, I did not find any "SLAPD_AUTHPASSWD" expression in the compiler output. So I have no idea where SLAPD_AUTHPASSWD is defined. If it is not defined, it would explain slapd complaining about missing "authPassword" attributes. Please correct me if I'm wrong or if there is any other place SLAPD_AUTHPASSWD could be defined.
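The check the comment above performs by hand (is the macro ever set, or only tested with #ifdef?) as a small script. This is an added example, not part of the bug thread or of the OpenLDAP sources: macro_status greps a source tree for a #define or a -D flag and, failing that, for #ifdef/#if defined uses; demo_tree builds a constructed miniature tree under mktemp whose file names and contents are assumptions for the demo, not the real openldap-2.4.35 layout. It assumes a grep that understands -r and -E (GNU or BSD).

```shell
# Added example, not from the bug thread or from OpenLDAP: classify a
# preprocessor macro in an unpacked source tree as "defined" (a #define, or
# a -DMACRO in a Makefile or configure output), "referenced-only" (tested
# with #ifdef/#if defined but never set, so every block it guards is dead
# for that build) or "absent". Assumes GNU or BSD grep with -r and -E.

macro_status() {  # usage: macro_status <source-tree> <MACRO>
    tree=$1 macro=$2
    end="([^A-Za-z0-9_]|\$)"   # macro name must not continue as an identifier
    def=$(grep -rnE -- "^[[:space:]]*#[[:space:]]*define[[:space:]]+$macro$end|-D$macro$end" \
            "$tree" 2>/dev/null | head -n 1)
    if [ -n "$def" ]; then
        # grep -rn prints file:line:text; keep file:line
        printf 'defined:%s\n' "$(printf '%s\n' "$def" | cut -d: -f1-2)"
    elif grep -rqE -- "#[[:space:]]*(ifdef|ifndef|if[[:space:]]+defined)[[:space:]]*\(?[[:space:]]*$macro$end" \
            "$tree" 2>/dev/null; then
        echo referenced-only
    else
        echo absent
    fi
}

demo_tree() {  # constructed miniature tree (an assumption, not real source)
    d=$(mktemp -d)
    mkdir -p "$d/servers/slapd" "$d/include"
    printf '#ifdef SLAPD_AUTHPASSWD\n\t{ "authPassword", /* ... */ },\n#endif\n' \
        > "$d/servers/slapd/schema_prep.c"
    printf '/* configure-generated */\n#define SLAPD_EXAMPLE_ON 1\n' > "$d/include/portable.h"
    printf 'CFLAGS = -O2 -DSLAPD_FROM_MAKEFILE\n' > "$d/Makefile"
    printf '%s\n' "$d"
}

if [ $# -ge 2 ]; then
    macro_status "$1" "$2"            # e.g. macro_status openldap-2.4.35 SLAPD_AUTHPASSWD
else
    t=$(demo_tree)
    for m in SLAPD_AUTHPASSWD SLAPD_EXAMPLE_ON SLAPD_FROM_MAKEFILE NOT_THERE; do
        printf '%-20s %s\n' "$m" "$(macro_status "$t" "$m")"
    done
    rm -rf "$t"
fi
```

Run it as `sh macro_status.sh <unpacked-source-tree> SLAPD_AUTHPASSWD`; a result of referenced-only is exactly the situation the comment describes, and a definition in a configure-generated header (which only appears after `./configure` has run) is why grepping a pristine tarball alone is not conclusive.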
A month later and still an issue. A minor revision update today gave me the same problem after having been using the attached schema file until this point. I can get by on this in my setup because I don't use passwords in my LDAP database (everything is in kerberos), but this really should be fixed...
For me it worked after replacing rfc2307bis.schema with this one: http://svn.stylite.de/viewvc/egroupware/branches/1.6/phpgwapi/doc/ldap/rfc2307bis.schema?revision=26424&view=markup In my case this makes sense because I am using this schema only for egroupware stuff. I do not know if it is a general solution.
(In reply to Daniel Morlock from comment #10)
> The interesting part is where SLAPD_AUTHPASSWD is going to be defined:

Found this thread "authPassword (RFC 3112) implemented?" from 2007 (http://www.openldap.org/lists/openldap-devel/200707/msg00030.html), stating:

"AFAIK, the attribute and so is recognized, but it's not implemented (nor won't, as it is no longer needed)."

Maybe it's still not (completely) implemented?
Created attachment 377532 (diff)
Patch for the rfc2307bis schema

This patch fixes some compatibility issues with the existing schema and corrects some fatal errors. It removes the extraneous "'" characters, replaces SUBSTRINGS with SUBSTR and adds a missing MAY section to nisObject, based on nis.schema. It also drops authPassword as it's still not supported by openldap and adds a SUBSTR matching rule for memberUid based on nis.schema.

Although some preliminary support for authPassword was added to openldap as listed by Robin, it seems it was never completed. The initial commits in the openldap repository for adding authPassword support were done on Jan 10th, 2002:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=c80d93f2bb0d24da2919fa0994f7d1c4f6459897
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=f4336c895365857bc9ba4663024af58922bb85d7
Created attachment 377534 (diff)
Patch for the rfc2307bis schema (complete)

Correct patch. The previous source file had some fixes applied already.

This patch fixes some compatibility issues with the existing schema and corrects some fatal errors. It removes the extraneous "'" characters, replaces SUBSTRINGS with SUBSTR and adds a missing MAY section to nisObject, based on nis.schema. It also drops authPassword as it's still not supported by openldap and adds a SUBSTR matching rule for memberUid based on nis.schema.

Although some preliminary support for authPassword was added to openldap as listed by Robin, it seems it was never completed. The initial commits in the openldap repository for adding authPassword support were done on Jan 10th, 2002:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=c80d93f2bb0d24da2919fa0994f7d1c4f6459897
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=f4336c895365857bc9ba4663024af58922bb85d7
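The error classes the patch description above lists (stray quote characters, SUBSTRINGS instead of SUBSTR, and an objectclass MUST/MAY naming an AttributeType that was never defined, which is what slaptest reported for authPassword in comment 4) can be caught before slaptest runs. The following lint is an added example, not code from the bug thread, from Gentoo or from OpenLDAP. It parses slapd.conf-style schema text with the real directive rules (column-0 start, whitespace continuation, # comments) and reports each problem with its line number. CORE_ATTRS is an assumed, deliberately small stand-in for the attribute types that core.schema and slapd itself already provide; SAMPLE_SCHEMA is a constructed file that mimics the broken shapes and is not the real rfc2307bis.schema.

```python
"""Lint a slapd.conf-style schema file for the error classes in this thread.

Added example, not from the bug report or from OpenLDAP. It flags:
  * an objectclass MUST/MAY name that no loaded attributetype defines
    (what slaptest reports as "AttributeType not found"),
  * the invalid keyword SUBSTRINGS (RFC 4512 spells it SUBSTR),
  * a quoted value outside NAME/DESC, where a bare OID or descriptor belongs,
  * unbalanced parentheses in a definition.
"""
import re
import sys

# Attribute types treated as already known, as after slapd has loaded
# core.schema (cn, uid, description, userPassword) plus objectClass, which
# schema_prep.c compiles in unconditionally. Assumption for this example:
# an illustrative subset, not the full list.
CORE_ATTRS = frozenset(
    n.lower() for n in ("objectClass", "cn", "uid", "description", "userPassword")
)

_DEF_RE = re.compile(r"^(attributetype|objectclass)\s+", re.IGNORECASE)
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
_DESC_RE = re.compile(r"\bDESC\s+'[^']*'")
_LIST_RE = re.compile(r"\b(MUST|MAY)\s+(?:\(\s*([^)]*)\)|([\w-]+))")


def parse_schema(text):
    """Return (kind, body, lineno) for each attributetype/objectclass.

    slapd.conf rules: a directive starts in column 0, a line starting with
    whitespace continues the previous directive, '#' lines are comments.
    """
    directives, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current[1].append(raw.strip())
            continue
        if current is not None:
            directives.append(current)
        current = [lineno, [raw.strip()]]
    if current is not None:
        directives.append(current)
    out = []
    for lineno, parts in directives:
        joined = " ".join(parts)
        m = _DEF_RE.match(joined)
        if m:  # include, objectidentifier, ... are ignored
            out.append((m.group(1).lower(), joined[m.end():].strip(), lineno))
    return out


def _names(body):
    """Descriptors of a NAME clause: NAME 'x' or NAME ( 'x' 'y' )."""
    m = _NAME_RE.search(body)
    if not m:
        return []
    if m.group(1) is not None:
        return [m.group(1)]
    return re.findall(r"'([^']*)'", m.group(2))


def lint_schema(text, known_attrs=CORE_ATTRS):
    """Return human-readable errors; an empty list means the file is clean."""
    defs = parse_schema(text)
    defined = set(known_attrs)
    for kind, body, _ in defs:  # pass 1: collect every attributetype name
        if kind == "attributetype":
            defined.update(n.lower() for n in _names(body))
    errors = []
    for kind, body, lineno in defs:  # pass 2: per-definition checks
        # remove the only clauses where a quoted string is legal
        stripped = _DESC_RE.sub("", _NAME_RE.sub("", body))
        if stripped.count("(") != stripped.count(")"):
            errors.append(f"line {lineno}: unbalanced parentheses")
        if "'" in stripped:
            errors.append(f"line {lineno}: quoted value outside NAME/DESC")
        if re.search(r"\bSUBSTRINGS\b", stripped):
            errors.append(f"line {lineno}: unknown keyword SUBSTRINGS (use SUBSTR)")
        if kind == "objectclass":
            for m in _LIST_RE.finditer(stripped):
                names = m.group(2).split("$") if m.group(2) else [m.group(3)]
                for name in (n.strip() for n in names):
                    if name and name.lower() not in defined:
                        errors.append(f"line {lineno}: {m.group(1)} references "
                                      f"undefined AttributeType '{name}'")
    return errors


# Constructed sample that mimics the shapes of the broken file; it is not the
# real rfc2307bis.schema. The OIDs are the rfc2307bis ones for these types.
SAMPLE_SCHEMA = """\
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'An integer identifying a user'
    EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match
    SUBSTRINGS caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY caseExactIA5Match
    SUBSTR 'caseExactIA5SubstringsMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber ) MAY ( authPassword $ description ) )
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCHEMA
    problems = lint_schema(src)
    print("\n".join(problems) or "schema OK")
    sys.exit(1 if problems else 0)
```

Run as `python3 lint_schema.py /etc/openldap/schema/rfc2307bis.schema`. The lint only knows about attributes in the file plus known_attrs, so for a real deployment pass in the names from every schema that slapd.conf includes before this one; the authoritative check remains `slaptest -f slapd.conf`, which this script merely front-loads with line-precise diagnostics.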
While testing the patch, I've noticed I added a line with white space, that broke the schema. I'm fixing it now and pushing it to mirrors again. I'll update the openldap ebuilds when the file gets mirrored.
05:03 < irker517> gentoo-x86: jmbsvicetto net-nds/openldap: Update rfc2307bis schema - fixes bug 484244.
05:03 < willikins> irker517: https://bugs.gentoo.org/484244 "net-nds/openldap-2.4.35 - rfc2307bis.schema broken?"; Gentoo Linux, Server; IN_P; daniel.morlock:ldap-bugs
Still valid with net-nds/openldap-2.4.48?