Re: (ITS#5064) Issues with openldap 2.2 (Error 34 Invalid DN syntax )
pbrinette@cc.in2p3.fr wrote:
> Openldap is used as information provider in a GRID middleware project
> (http://www.eu-egee.org/). This information provider is known as BDII.
>
> The information about grid nodes are published via openldap.
>
> Until now, the platform supported by the middleware is Scientific Linux 3 (a
> RHEL 3 clone like CentOS). The openldap version provided with this system is
> openldap 2.0.27.
>
> We updated our systems with Scientific Linux 4.4 (RHEL 4.4) for new hardware
> support. The openldap version provided is now 2.2.13.
>
> When I put the new service in production, I found some issues with some
> attributes that disappear from the directory.
>
> In our openldap schema, we have an attribute declared like this:
>
> attributetype ( 1.3.6.1.4.1.8005.100.2.2.7.1
> NAME 'GlueVOViewLocalID'
> DESC 'Local ID for this VO view'
> EQUALITY caseIgnoreIA5Match
> SUBSTR caseIgnoreIA5SubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
> SINGLE-VALUE)
>
>
> This attribute may contain strings like these:
>
> GlueVOViewLocalID=dteam
> GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,
>
> It seems that both of these sample strings are IA5 compliant.
>
> When I query the openldap server with this request, I've got different results
> depending on the openldap version:
>
> ------------ Openldap 2.0.27 -----------------------
>
> ldapsearch -x -P3 -H ldap://cclcgtopbdii01.in2p3.fr:2170 -b
> "GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"
> version: 2
>
> #
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # /VO=swetest/GROUP=/swetest/ROLE=swadmin, grid001.fc.up.pt:2119/jobmanager-l
> cgsge-swetest, UPorto, local, grid
> dn: GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=g
> rid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name
> =local,o=grid
> objectClass: GlueCETop
> objectClass: GlueVOView
> objectClass: GlueCEInfo
> objectClass: GlueCEState
> objectClass: GlueCEAccessControlBase
> objectClass: GlueCEPolicy
> objectClass: GlueKey
> objectClass: GlueSchemaVersion
> GlueVOViewLocalID: /VO=swetest/GROUP=/swetest/ROLE=swadmin
> GlueCEAccessControlBaseRule: VOMS:/VO=swetest/GROUP=/swetest/ROLE=swadmin
> GlueCEAccessControlBaseRule: DENY:dteam
> GlueCEAccessControlBaseRule: DENY:ops
> GlueCEAccessControlBaseRule: DENY:swetest
> GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=lcgadmin
> GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=production
> GlueCEAccessControlBaseRule: DENY:/VO=ops/GROUP=/ops/ROLE=lcgadmin
> GlueCEStateRunningJobs: 0
> GlueCEStateWaitingJobs: 0
> GlueCEStateTotalJobs: 0
> GlueCEStateFreeJobSlots: 22
> GlueCEStateEstimatedResponseTime: 0
> GlueCEStateWorstResponseTime: 0
> GlueCEInfoDefaultSE: hades.up.pt
> GlueCEInfoApplicationDir: /vosoft/swetestsoft
> GlueCEInfoDataDir: unset
> GlueChunkKey: GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest
> GlueSchemaVersionMajor: 1
> GlueSchemaVersionMinor: 2
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
>
> --------------------- openldap 2.2.13 ------------------------
>
> ldapsearch -P3 -x -H ldap://cclcgtopbdii02.in2p3.fr:2170 -b
> "GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"
> version: 2
>
> #
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 34 Invalid DN syntax
> text: invalid DN
>
> # numResponses: 1
>
> ---------------------------------------------------
>
>
>
> Each time a dn contains an attribute of the following form:
> "attribute=a_string=another_string,..." (eg:
> "/VO=swetest/GROUP=/swetest/ROLE=swadmin") openldap 2.2 produces an error "could
> not parse entry"
>
> In fact, each time the attribute value contains more than one equal ("=")
> character, openldap fails to handle the string, even though this character is
> included in the IA5 table.
>
> Best regards.
>
>
1) both 2.0 and 2.2 are ancient. OpenLDAP 2.3 is mature, and 2.4 is
about to exit beta stage. Unless the problem is related to a real
software bug, and it persists either in HEAD/2.4 or in 2.3 code, this
ITS will be closed.
2) were GlueCEUniqueID and mds-vo-name declared anywhere? There seems
to be nothing wrong with your DN per se; in fact, dntest yields
$ dntest \
'GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid'
ldap_rdn2str() =
"GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\
3Dswadmin"
ldap_rdn2str() =
"GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge
-swetest"
ldap_rdn2str() = "mds-vo-name=UPorto"
ldap_rdn2str() = "mds-vo-name=local"
ldap_rdn2str() = "o=grid"
ldap_dn2str(ldap_str2dn("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadm
in,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UP
orto,mds-vo-name=local,o=grid"))
=
"GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueC
EUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds
-vo-name=local,o=grid"
ldap_dn2domain("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCE
UniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-
vo-name=local,o=grid")
= ""
ldap_dn2ufn("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUni
queID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-
name=local,o=grid")
= "/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,
grid001.fc.up.pt:2119/
jobmanager-lcgsge-swetest, UPorto, local, grid"
ldap_dn2dcedn("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEU
niqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-v
o-name=local,o=grid")
=
"/o=grid/mds-vo-name=local/mds-vo-name=UPorto/GlueCEUniqueID=grid001.f
c.up.pt:2119\/jobmanager-lcgsge-swetest/GlueVOViewLocalID=\/VO\=swetest\/GROUP\=
\/swetest\/ROLE\=swadmin"
ldap_dcedn2dn("/o=grid/mds-vo-name=local/mds-vo-name=UPorto/GlueCEUniqueID=grid0
01.fc.up.pt:2119\/jobmanager-lcgsge-swetest/GlueVOViewLocalID=\/VO\=swetest\/GRO
UP\=\/swetest\/ROLE\=swadmin")
=
"GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueC
EUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds
-vo-name=local,o=grid"
ldap_dn2ad_canonical("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,
GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPort
o,mds-vo-name=local,o=grid")
=
"grid/local/UPorto/grid001.fc.up.pt:2119\/jobmanager-lcgsge-swetest/\/
VO\=swetest\/GROUP\=\/swetest\/ROLE\=swadmin/"
ldap_explode_dn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin
,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPor
to,mds-vo-name=local,o=grid"):
"GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin"
ldap_explode_rdn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\
3Dswadmin")
'GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin
'
ldap_explode_rdn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\
3Dswadmin") (no types)
"/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin"
"GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"
ldap_explode_rdn("GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge
-swetest")
'GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest'
ldap_explode_rdn("GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge
-swetest") (no types)
"grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"
"mds-vo-name=UPorto"
ldap_explode_rdn("mds-vo-name=UPorto")
'mds-vo-name=UPorto'
ldap_explode_rdn("mds-vo-name=UPorto") (no types)
"UPorto"
"mds-vo-name=local"
ldap_explode_rdn("mds-vo-name=local")
'mds-vo-name=local'
ldap_explode_rdn("mds-vo-name=local") (no types)
"local"
"o=grid"
ldap_explode_rdn("o=grid")
'o=grid'
ldap_explode_rdn("o=grid") (no types)
"grid"
ldap_explode_dn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin
,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPor
to,mds-vo-name=local,o=grid") (no types):
"/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin"
"grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"
"UPorto"
"local"
"grid"
"GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueCEUniqueID=
grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=l
ocal,o=grid"
==
"GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,Glu
eCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,m
ds-vo-name=local,o=grid" ? yes
But apparently some attribute declarations are missing; in fact, slapdn
(after declaring GlueVOViewLocalID as indicated above) yields
slapdn -f testrun/slapd.1.conf
'GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid'
DN:
<GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid>
check failed 21 (Invalid syntax)
where the failure refers exactly to the fact that GlueCEUniqueID was not
declared.
p.
PS: don't look for those tools in ancient software; they've been
introduced only in recent times (dntest: October 2001; slapdn: March 2004).
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
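
The reply above separates two checks: dntest parses the DN as a string, while slapdn validates it against the loaded schema. The sketch below is an added example, not part of the original message and not OpenLDAP code; it is a simplified RFC 4514-style parser (no multi-valued RDNs), and `parse_dn`, `normalize_dn`, `undeclared_types` and the set of declared attributes passed in are hypothetical names and constructed inputs.

```python
import re

# Constructed sample: the DN quoted in the thread.
DN = ("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,"
      "GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,"
      "mds-vo-name=UPorto,mds-vo-name=local,o=grid")

ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")
ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2}|.)")

def split_rdns(dn):
    """Split on commas that are not backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]      # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    return parts + [cur]

def parse_dn(dn):
    """String-level parse, no schema: only the first '=' ends the type."""
    rdns = []
    for rdn in split_rdns(dn):
        atype, sep, raw = rdn.partition("=")
        if not sep or not ATTR_TYPE.fullmatch(atype):
            raise ValueError("invalid DN: cannot parse RDN %r" % rdn)
        value = ESCAPE.sub(lambda m: chr(int(m.group(1), 16))
                           if len(m.group(1)) == 2 else m.group(1), raw)
        rdns.append((atype, value))
    return rdns

def normalize_dn(dn):
    """Re-emit the DN with '=' in values as \\3D, as in the dntest output."""
    def esc(v):
        return "".join("\\3D" if c == "=" else "\\" + c if c in ',+"\\<>;' else c
                       for c in v)
    return ",".join(t + "=" + esc(v) for t, v in parse_dn(dn))

def undeclared_types(dn, declared):
    """Schema-level check: attribute types in the DN the schema does not declare."""
    known = {a.lower() for a in declared}
    return list(dict.fromkeys(t for t, _ in parse_dn(dn) if t.lower() not in known))
```

With only `GlueVOViewLocalID` and `o` passed as declared, the string-level parse succeeds while `undeclared_types` reports `GlueCEUniqueID` and `mds-vo-name`, which is the same split between a clean dntest run and a failing slapdn run shown in the reply.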